[09:28:58] <wikibugs>	 10serviceops, 10MediaWiki-General, 10Operations, 10Patch-For-Review, 10Service-Architecture: Create a service-to-service proxy for handling HTTP calls from services to other entities - https://phabricator.wikimedia.org/T244843 (10akosiaris) Copying from the last comment of https://gerrit.wikimedia.org/r/...
[13:10:27] <wikibugs>	 10serviceops, 10MediaWiki-General, 10Operations, 10Patch-For-Review, 10Service-Architecture: Create a service-to-service proxy for handling HTTP calls from services to other entities - https://phabricator.wikimedia.org/T244843 (10Ottomata) @akosiaris Hm, yes, let's try!  We are going to have issues with...
[13:28:31] <ottomata>	 akosiaris:  o/  shall we move some more evenstreams  clients to k8s?
[13:29:48] <akosiaris>	 ottomata: o/
[13:29:59] <akosiaris>	 sure
[13:30:41] <akosiaris>	 we are at ~2% right now
[13:30:53] <akosiaris>	 which isn't much. https://grafana.wikimedia.org/d/znIuUcsWz/eventstreams-k8s?orgId=1&refresh=1m&from=now-7d&to=now at least has almost nothing
[13:31:20] <ottomata>	 yeah
[13:31:49] <akosiaris>	 8% ?
[13:32:23] <ottomata>	 there are currently about 70 connected clients
[13:32:41] <ottomata>	 let's go to 20%
[13:34:06] <akosiaris>	 ok
[13:36:54] <akosiaris>	 ottomata: done. We are at 20%
[13:37:15] <akosiaris>	 but... with the longlived connections, we either have to force them to reconnect or just wait it out to happen on its own
[13:37:16] <_joe_>	 ottomata: can you add the tunable tls limits to eventgate though? I'd need that to happen this week
[13:37:59] <ottomata>	 akosiaris:  ya we could restart the service on an scb host or 2
[13:38:05] <ottomata>	 _joe_:  sure
[13:38:08] <ottomata>	 can do that
[13:38:35] <_joe_>	 <3
[13:38:37] <ottomata>	 I should do that rather than resolving the routing_tag stuff into templates? probably will be less resistence eh?
[13:39:21] <_joe_>	 whatever you prefer, I'm mainly interested in timeboxing the migration at this point
[13:39:30] <akosiaris>	 ottomata: probably faster indeed
[13:39:47] <ottomata>	 k
[13:40:01] <ottomata>	 akosiaris:  to move more es traffic ot k8s, is it just a matter of pooling more kube nodes?
[13:40:04] <ottomata>	 via confctl?
[13:40:44] <akosiaris>	 all are pooled now
[13:41:21] <ottomata>	 oh akosiaris  all I need to do is restart es on an scb  then?
[13:41:50] <akosiaris>	 it's a matter of calculating 6*x/6*x+46=wanted %, solving that and then sudo confctl select 'dc=eqiad,service=eventstreams,name=kubernetes.*' set/weight=2 on cumin1001
[13:42:13] <akosiaris>	 sorry
[13:42:19] <akosiaris>	 s/weight=2/weight=x/
[13:42:39] <akosiaris>	 and if you want to force the redistribution instead of waiting it out, yes, restart eventstreams
[13:43:02] <akosiaris>	 with 70 clients in all, I am this close to saying "just depool scb" tbh
[13:43:23] <akosiaris>	 I mean if we see nothing in logs today... let's just wrap it up?
[13:48:06] <ottomata>	 ah
[13:48:25] <ottomata>	 agree let's just get stuff over to k8s quickly if we can
[13:48:30] <ottomata>	 ok so to fix the port problem
[13:48:58] <ottomata>	 hmmm
[13:49:15] <ottomata>	 not as simple as the LVS renames with new ports we did when everything was in k8s
[13:49:22] <ottomata>	 there are different hosts and different ports
[13:49:30] <ottomata>	 e.g. check_https_lvs_on_port!eventstreams.discovery.wmnet!4892!/_info
[13:49:55] <ottomata>	 i think i need a new LVS IP, ya?
[13:53:53] <ottomata>	 akosiaris:  ^?
[13:54:51] <akosiaris>	 port, not IP
[13:55:00] <akosiaris>	 but yes, we need a new LVS service it seems
[13:55:11] <akosiaris>	 trying to thing another way out of this, but it doesn't seem easy
[13:55:25] <ottomata>	 OH right the port is given by the requestor always
[13:55:26] <ottomata>	 ok
[13:55:52] <akosiaris>	 the alternative is to have eventstreams on k8s move back to HTTP for a bit, finish the migration and then do exactly the same dance for the move to TLS
[13:56:02] <akosiaris>	 which I am not sure it really buys us something 
[13:56:29] <ottomata>	 oh so we could do a incremental rollover?
[13:56:34] <ottomata>	 hm since the client connections are long lived anyway
[13:57:03] <ottomata>	 can we just swap out the port for new connections
[13:57:07] <akosiaris>	 yeah we would be able to do the incremental rollover but we would also have to update the chart to publish both the TLS and the non TLS service 
[13:57:08] <akosiaris>	 sigh
[13:57:09] <ottomata>	 without having thhe old ones killed?
[13:57:40] <ottomata>	 if we change the port that ats routes to, will it break the existing connections?
[13:57:44] <akosiaris>	 not sure what ATS would do
[13:57:50] <akosiaris>	 ema ^ ?
[13:58:43] <akosiaris>	 what we are essentially discussing is allowing previously established connections to survive on a port that is not on ATS configuration
[13:58:56] <akosiaris>	 I would expect the software to honor the new configuration tbh
[14:00:10] <akosiaris>	 on the other hand... it's just 70 clients. Maybe just announce a maint window and just do it?
[14:00:42] <ottomata>	 ya, i feel fairly confident it will work
[14:00:50] <ottomata>	 (famous last words)(
[14:00:53] <akosiaris>	 lol
[14:05:57] <ottomata>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/578525
[14:05:58] <akosiaris>	 ottomata: ok, so here's a plan. We switchover LVS configuration in puppet and release it across the fleet but not restart pybal. icinga shouldn't page because there's the critical: false flag already. But we will anyway schedule downtime. 
[14:05:58] <ottomata>	 akosiaris:  ^
[14:06:26] <akosiaris>	 ah, you add a new service?
[14:06:33] <ottomata>	 oh ya, but i guess we could do it all at once
[14:06:41] <ottomata>	 thought ^ would make rollback easier, we just change the ats config
[14:06:41] <akosiaris>	 actually maybe it's better
[14:06:48] <ottomata>	 but maybe LVS siwtch is better?
[14:06:48] <ottomata>	 dunno
[14:06:55] <ottomata>	 whichever you think is best
[14:07:00] <akosiaris>	 just switching it is definitely riskier
[14:07:37] <ottomata>	 ya this way we have both lvs services up, and just choose which one to route frontends to 
[14:08:03] <ema>	 akosiaris, ottomata: I don't think we've ever tried, give it a go and let me know what happens :)
[14:08:11] <ottomata>	 hahah ok
[14:08:26] <akosiaris>	 lol
[14:08:33] <akosiaris>	 yeah, let's avoid that
[14:08:35] <ema>	 I'd expect persistent connections to keep on working, and new ones to be established using the new port
[14:08:35] <akosiaris>	        ProxyFetch:
[14:08:35] <akosiaris>	           url:
[14:08:35] <akosiaris>	           - http://localhost/_info
[14:08:41] <akosiaris>	 ottomata: https:// ?
[14:09:09] <akosiaris>	 ema: ah, so you expect the inverse from me. OK now you have me intrigued
[14:09:27] <akosiaris>	 but I ain't gonna try it in production :P
[14:10:10] <ottomata>	 ah ya
[14:10:18] <ottomata>	 oh akosiaris  doesn't pybal mangle that??..
[14:10:28] <ottomata>	 ah no you oare right
[14:10:29] <ottomata>	 https
[14:10:30] <ottomata>	 fixing
[14:10:46] <akosiaris>	 it mangles Host: and port. It doesn't mangle schema and url 
[14:19:53] <ottomata>	 akosiaris:  patched
[14:20:47] <akosiaris>	 merging
[14:21:41] <akosiaris>	 ottomata: ah wait, we can't switch over the traffic to TLS endpoints without the changes from https://gerrit.wikimedia.org/r/#/c/operations/deployment-charts/+/578478/ incorporated in the chart
[14:21:57] <akosiaris>	 or at least, it would not be prudent
[14:22:11] <akosiaris>	 it might work just fine with just 70 long lived connections
[14:22:35] <akosiaris>	 in fact, exactly because they are so few and long lived it probably would
[14:22:50] <ottomata>	 haha ok
[14:22:52] <akosiaris>	 but it would be prudent to first incorporate that
[14:22:53] <ottomata>	 well let me conquer that first
[14:22:55] <ottomata>	 gottaa do it anyway
[14:23:09] <akosiaris>	 I 'll setup LVS in the meantime
[14:23:59] <ottomata>	 k danke
[14:30:43] <ottomata>	 _joe_:  which are the 'tunable tls limits' are they all in _tls_helpers.tpl?
[14:30:48] <ottomata>	 if so, I think evenstreams has them already
[14:30:53] <ottomata>	 (eventgate does not)
[14:31:08] <ottomata>	 is it just {{ .Values.tls.upstream_timeout }} ?
[14:31:13] <_joe_>	 not just that
[14:31:18] <_joe_>	 the resource limits
[14:31:25] <_joe_>	 see the latest version of the helpers
[14:31:27] <_joe_>	 alex added it
[14:31:36] <ottomata>	 OH maybe i am not up todate
[14:32:09] <ottomata>	 ah yeah ok
[14:32:12] <ottomata>	 i see em
[14:38:36] <akosiaris>	 ottomata: didn't work btw, I had to rollback. pybal depooled all backends because of the conftool cluster change. But to the drawing board
[14:38:57] <ottomata>	 uhhhh ooook
[14:39:24] <akosiaris>	 https://grafana.wikimedia.org/d/000000336/eventstreams?orgId=1&refresh=1m&from=now-30m&to=now
[14:39:29] <akosiaris>	 at least they reconnect fast
[14:40:25] <ottomata>	 ah good, ya, most SSE clients have will auto reconnect. they also should auto-resume from where they left off! :)
[14:40:27] <ottomata>	 in the stream
[14:43:02] <ottomata>	 akosiaris:  should I make an e.g. common_templates/0.2-beta for a _tls_helpers.tpl used by eventstreams and eventgate and symlink them, or should I just copy/paste into each of those charts the stuff I need
[14:43:05] <ottomata>	 ?
[14:46:04] <akosiaris>	 I 'd say copy them over for now? And we probably want to revisit that and figure out which approach makes globally sense and bring into version 0.2 
[14:48:10] <ottomata>	 ok
[14:49:05] <ottomata>	 hm akosiaris the default tls limits is 500Mi, and i was setting eventsreams limits  to 1900Mi
[14:49:14] <ottomata>	 are those incompatible beacuse of a 2G global pod limit?
[14:49:39] <ottomata>	 evenstreams should work at 1500, it will just handle fewer clients, but probably be within our range.
[14:49:45] <ottomata>	 we could increase replicas a bit too if we have to(eventaully)
[14:49:49] <akosiaris>	 ah indeed. good point. 
[14:50:19] <ottomata>	 i'll juust do es at 1500 and we can modify things later if we need to
[14:50:24] <akosiaris>	 +1 
[14:52:01] <ottomata>	 is there a global CPU limit i'll bump into?
[14:52:22] <akosiaris>	 global? like a quota ?
[14:52:27] <ottomata>	 per pod
[14:52:28] <ottomata>	 like mem
[14:52:31] <akosiaris>	 ah yes
[14:52:39] <akosiaris>	 3 CPUs
[14:53:06] <ottomata>	 ok am under that then, es has 2000m as limit
[15:03:59] <ottomata>	 wee are really not consistent with our indentation of yaml arrays are we? :p
[15:04:13] <ottomata>	 do you guys havee a pref akosiaris ?  
[15:04:30] <ottomata>	 do you prefer indendent with name or with 2 extra spaces?
[15:04:30] <ottomata>	 e.g.
[15:04:32] <ottomata>	 array:
[15:04:34] <ottomata>	 oops
[15:04:46] <ottomata>	 array:
[15:04:47] <ottomata>	 - item1
[15:04:47] <ottomata>	 - item2
[15:04:47] <ottomata>	 OR
[15:04:59] <ottomata>	 array:
[15:04:59] <ottomata>	   - item1
[15:04:59] <ottomata>	   - item2
[15:05:00] <akosiaris>	 2 spaces please :P
[15:05:03] <ottomata>	 k
[15:05:16] <akosiaris>	 but in the charts I 've tried to be as consistent as possible
[15:05:25] <akosiaris>	 I think vim will even autocorrect these things for me
[15:06:09] <ottomata>	 i will fix things where i see them different in my charts then
[15:06:12] <ottomata>	 to use 2 spaces
[15:07:23] <akosiaris>	 fwiw, not my personal preference, but I 've "inherited" it and just decided to stick with it for consistency's sake
[15:12:05] <ottomata>	 ok akosiaris  https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/578537
[15:12:57] <akosiaris>	 ottomata: take #2. I 'll try not to create an outage now https://gerrit.wikimedia.org/r/#/c/578538/
[15:13:56] <ottomata>	 the outage was cased by the rename of the old one?
[15:14:02] <akosiaris>	 yes
[15:14:12] <ottomata>	 k, can we eeventaully rename? :)
[15:14:20] <akosiaris>	 they new "service" in conftool ended up being empty
[15:14:21] <ottomata>	 to just keep 'eventstreams' ?
[15:14:34] <akosiaris>	 yes, like we did with the other stuff
[15:14:36] <ottomata>	 cool
[15:15:01] <akosiaris>	 it looks like we are ok this time around
[15:21:28] <ottomata>	 coo
[17:21:43] <ottomata>	 hmmmm
[17:22:10] <ottomata>	 nm
[18:17:02] <wikibugs>	 10serviceops, 10Operations, 10Performance-Team, 10Core Platform Team Workboards (Clinic Duty Team), 10Wikimedia-production-error: Wiki diffs take over 15s to load - https://phabricator.wikimedia.org/T244058 (10Krinkle) I've gone through dozens of very old diffs from unpopular pages (hoping for a cache mi...
[18:17:50] <wikibugs>	 10serviceops, 10Operations, 10Performance-Team, 10Core Platform Team Workboards (Clinic Duty Team), 10Wikimedia-Incident: Strategy for storing parser output for "old revision" (Popular diffs and permalinks) - https://phabricator.wikimedia.org/T244058 (10Krinkle)
[18:18:21] <wikibugs>	 10serviceops, 10Operations, 10Core Platform Team Workboards (Clinic Duty Team), 10Performance-Team (Radar), 10Wikimedia-Incident: Strategy for storing parser output for "old revision" (Popular diffs and permalinks) - https://phabricator.wikimedia.org/T244058 (10Krinkle) a:05Krinkle→03None
[18:18:25] <wikibugs>	 10serviceops, 10Operations, 10Core Platform Team Workboards (Clinic Duty Team), 10Performance-Team (Radar), 10Wikimedia-Incident: Strategy for storing parser output for "old revision" (Popular diffs and permalinks) - https://phabricator.wikimedia.org/T244058 (10Krinkle)
[19:48:12] <wikibugs>	 10serviceops, 10MediaWiki-General, 10Operations, 10Patch-For-Review, 10Service-Architecture: Create a service-to-service proxy for handling HTTP calls from services to other entities - https://phabricator.wikimedia.org/T244843 (10Ottomata) @Joe @akosiaris all deployments of eventgate and eventstreams hav...
[20:19:15] <mutante>	 do we need more jobrunners or are we ok and use all new servers for appserver/API 
[20:29:40] <wikibugs>	 10serviceops, 10Operations, 10Patch-For-Review: move all 86 new codfw appservers into production (mw2[291-2377].codfw.wmnet) - https://phabricator.wikimedia.org/T247021 (10ops-monitoring-bot) Icinga downtime for 2:00:00 set by dzahn@cumin1001 on 27 host(s) and their services with reason: new_install ` mw[235...
[21:29:31] <wikibugs>	 10serviceops, 10Operations: move all 86 new codfw appservers into production (mw2[291-2377].codfw.wmnet) - https://phabricator.wikimedia.org/T247021 (10ops-monitoring-bot) Icinga downtime for 2:00:00 set by dzahn@cumin1001 on 27 host(s) and their services with reason: new_install ` mw[2350-2376].codfw.wmnet `
[23:11:38] <wikibugs>	 10serviceops, 10Operations: move all 86 new codfw appservers into production (mw2[291-2377].codfw.wmnet) - https://phabricator.wikimedia.org/T247021 (10ops-monitoring-bot) Icinga downtime for 2:00:00 set by dzahn@cumin1001 on 6 host(s) and their services with reason: new_install ` mw[2366,2368,2370,2372,2374,2...