Page MenuHomePhabricator
Create Task
Maniphest T206951

Puppet doesn't restart ferm on failure
Closed, ResolvedPublic
Actions

Description

After the reboot of some eqsin hosts as described in the parent task, ferm failed to start on bast5001 and dns5001 due to a DNS lookup failure. The problem is that Puppet didn't restart it in any of the following runs, I had to manually do sudo systemctl start ferm and as a result the 2 hosts have been for ~1h without ferm rules applied.

We should improve this behaviour to ensure to minimize the potential exposure of a host without ferm rules applied on reboot, if ferm fails to start for any transient reason.

Details

SubjectRepoBranchLines +/-
sre.wdqs.data-transfer: fix syntax, simplify ruleoperations/cookbooksmaster+1 -2
sre.wdqs.data-transfer: use proper systemctl pathoperations/cookbooksmaster+4 -4
sre.wdqs.data-transfer: fix syntax, simplify ruleoperations/cookbooksmaster+1 -2
sre.wdqs.data-transfer: manage ferm rules required for transferoperations/cookbooksmaster+33 -6
ferm: enable ferm status scriptoperations/puppetproduction+5 -2
ferm: Add status checkoperations/puppetproduction+179 -1
ferm: add a very basic status checkoperations/puppetproduction+23 -3
ferm_status: use ip_network to normalise src and dst addressesoperations/puppetproduction+3 -9
ferm_status: store each chain in its own hashoperations/puppetproduction+3 -2
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedayounsiT206861 Power incident in eqsin
 ResolvedjbondT206951 Puppet doesn't restart ferm on failure

Event Timeline

Volans triaged this task as Medium priority.Oct 14 2018, 5:44 PM
Volans created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 14 2018, 5:44 PM
Paladox subscribed.Oct 14 2018, 6:41 PM
ema moved this task from Backlog to General on the Traffic board.Oct 22 2018, 8:37 AM
BBlack mentioned this in T206861: Power incident in eqsin.Nov 27 2018, 7:27 PM
greg added a project: Wikimedia-Incident.Nov 27 2018, 7:28 PM
greg moved this task from Active investigation to Follow-up prevention on the Wikimedia-Incident board.
Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 10:30 PM
GTirloni subscribed.Feb 9 2019, 1:09 AM

I don't know if this is related but today I noticed that, if iptables rules are cleared (iptables -F), subsequent puppet runs will not re-apply them. I also had to run systemctl restart ferm to get them re-applied.

Dzahn subscribed.Feb 9 2019, 1:11 AM
elukey subscribed.Feb 9 2019, 2:16 PM
GTirloni unsubscribed.Mar 21 2019, 9:11 PM
gerritbot added a comment.Feb 19 2020, 5:05 PM

Change 573335 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] ferm: add a very basic status check

https://gerrit.wikimedia.org/r/573335

gerritbot added a project: Patch-For-Review.Feb 19 2020, 5:05 PM
gerritbot added a comment.Mar 2 2020, 6:11 PM

Change 576101 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] ferm: Add status check

https://gerrit.wikimedia.org/r/576101

gerritbot added a comment.Mar 2 2020, 6:11 PM

Change 576102 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] ferm: enable ferm status script

https://gerrit.wikimedia.org/r/576102

gerritbot added a comment.Apr 16 2020, 12:11 PM

Change 589289 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/cookbooks@master] sre.wdqs.data-transfer: manage ferm rules required for transfer

https://gerrit.wikimedia.org/r/589289

gerritbot added a comment.Apr 17 2020, 10:48 AM

Change 576101 merged by Jbond:
[operations/puppet@production] ferm: Add status check

https://gerrit.wikimedia.org/r/576101

gerritbot added a comment.Apr 20 2020, 12:17 PM

Change 591036 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] ferm_status: store each chain in its own hash

https://gerrit.wikimedia.org/r/591036

gerritbot added a comment.Apr 20 2020, 12:21 PM

Change 591036 merged by Jbond:
[operations/puppet@production] ferm_status: store each chain in its own hash

https://gerrit.wikimedia.org/r/591036

gerritbot added a comment.Apr 20 2020, 1:28 PM

Change 591049 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] ferm_status: use ip_network to normalise src and dst addresses

https://gerrit.wikimedia.org/r/591049

gerritbot added a comment.Apr 20 2020, 1:31 PM

Change 591049 merged by Jbond:
[operations/puppet@production] ferm_status: use ip_network to normalise src and dst addresses

https://gerrit.wikimedia.org/r/591049

Krinkle edited projects, added Sustainability (Incident Followup); removed Wikimedia-Incident.Apr 28 2020, 9:50 PM
gerritbot added a comment.May 6 2020, 3:01 PM

Change 573335 abandoned by Jbond:
ferm: add a very basic status check

Reason:
we now have ferm-status.py

https://gerrit.wikimedia.org/r/573335

gerritbot added a comment.May 7 2020, 11:33 AM

Change 576102 merged by Jbond:
[operations/puppet@production] ferm: enable ferm status script

https://gerrit.wikimedia.org/r/576102

gerritbot added a comment.May 7 2020, 6:18 PM

Change 589289 merged by Ryan Kemper:
[operations/cookbooks@master] sre.wdqs.data-transfer: manage ferm rules required for transfer

https://gerrit.wikimedia.org/r/589289

Maintenance_bot removed a project: Patch-For-Review.May 7 2020, 7:10 PM
gerritbot added a comment.May 7 2020, 10:35 PM

Change 595061 had a related patch set uploaded (by Ryan Kemper; owner: Ryan Kemper):
[operations/cookbooks@master] sre.wdqs.data-transfer: fix missing commas

https://gerrit.wikimedia.org/r/595061

gerritbot added a project: Patch-For-Review.May 7 2020, 10:35 PM
gerritbot added a comment.May 11 2020, 9:02 PM

Change 595649 had a related patch set uploaded (by Ryan Kemper; owner: Ryan Kemper):
[operations/cookbooks@master] sre.wdqs.data-transfer: fix syntax, simplify rule

https://gerrit.wikimedia.org/r/595649

gerritbot added a comment.May 12 2020, 7:20 AM

Change 595061 merged by Gehel:
[operations/cookbooks@master] sre.wdqs.data-transfer: fix syntax, simplify rule

https://gerrit.wikimedia.org/r/595061

gerritbot added a comment.May 12 2020, 11:56 PM

Change 596073 had a related patch set uploaded (by Ryan Kemper; owner: Ryan Kemper):
[operations/cookbooks@master] sre.wdqs.data-transfer: use proper systemctl path

https://gerrit.wikimedia.org/r/596073

gerritbot added a comment.May 13 2020, 12:23 AM

Change 596073 merged by Ryan Kemper:
[operations/cookbooks@master] sre.wdqs.data-transfer: use proper systemctl path

https://gerrit.wikimedia.org/r/596073

gerritbot added a comment.Jun 1 2020, 11:12 PM

Change 595649 abandoned by Ryan Kemper:
sre.wdqs.data-transfer: fix syntax, simplify rule

Reason:
this is a "duplicate", a different gerrit patch of mine fixed this

https://gerrit.wikimedia.org/r/595649

Maintenance_bot removed a project: Patch-For-Review.Jun 2 2020, 12:10 AM
ayounsi unsubscribed.Jun 2 2020, 5:46 AM
Dzahn unsubscribed.Jun 2 2020, 6:42 AM
BBlack moved this task from General to Bug Reports on the Traffic board.Sep 29 2020, 8:37 PM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Sep 1 2021, 11:21 PM

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

RKemper mentioned this in rCCKB549475c6ebd2: sre.wdqs.data-transfer: manage ferm rules required for transfer.Dec 14 2022, 3:25 PM
RKemper mentioned this in rCCKB1e031b51fedd: sre.wdqs.data-transfer: fix syntax, simplify rule.
RKemper mentioned this in rCCKBd297f6112349: sre.wdqs.data-transfer: use proper systemctl path.
akosiaris removed a project: SRE.Mar 14 2023, 5:47 PM
akosiaris subscribed.

Removing SRE, this has already been triaged to a specific subteam.

Kappakayala added a project: Traffic.Mar 14 2023, 6:05 PM
Vgutierrez closed this task as Resolved.Mar 21 2023, 9:44 AM
Vgutierrez assigned this task to jbond.
Vgutierrez edited projects, added SRE-Sprint-Week-Sustainability-March2023; removed Traffic-Icebox.
Vgutierrez subscribed.

This is actually already fixed by https://gerrit.wikimedia.org/r/c/operations/puppet/+/596157 (commit missed the Bug tag)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL