Page MenuHomePhabricator
Create Task
Maniphest T221052

config file change canarying for logstash
Closed, ResolvedPublic
Actions

Description

It's possible for Puppet to deploy a bad configuration file and crash logstash everywhere. Oof.

While there is a hypothetically-easy fix of using logstash --config.test_and_exit this does not catch all errors that will cause a crash on startup.

Details

SubjectRepoBranchLines +/-
logstash: log safepoints only when running the daemonoperations/puppetproduction+7 -2
logstash: validate config filesoperations/puppetproduction+24 -7
Customize query in gerrit

Event Timeline

CDanis created this task.Apr 15 2019, 11:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 15 2019, 11:16 PM
CDanis added a project: SRE.Apr 15 2019, 11:16 PM
herron subscribed.Apr 15 2019, 11:23 PM
colewhite triaged this task as Medium priority.Apr 16 2019, 3:39 PM
fgiunchedi added a project: observability.Aug 19 2019, 2:29 PM
fgiunchedi moved this task from Inbox to Up next on the observability board.Dec 9 2019, 11:40 AM
ayounsi subscribed.Apr 8 2020, 12:40 PM

+1, this happened today.

gerritbot added a comment.Apr 9 2020, 9:40 AM

Change 587704 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] logstash: validate config files

https://gerrit.wikimedia.org/r/587704

gerritbot added a project: Patch-For-Review.Apr 9 2020, 9:40 AM

Change 587705 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] logstash: log safepoints only when running the daemon

https://gerrit.wikimedia.org/r/587705

gerritbot added a comment.Apr 14 2020, 9:49 AM

Change 587704 merged by Filippo Giunchedi:
[operations/puppet@production] logstash: validate config files

https://gerrit.wikimedia.org/r/587704

fgiunchedi subscribed.Apr 14 2020, 10:00 AM

Puppet will ask Logstash to validate individual config files before installing them via validate_cmd. The puppet run will fail if e.g. syntax is invalid and the new config file won't be installed. Likely Good Enough™ for now to bandaid production Logstash outages. Ideally we can test files at CI/review time as well to catch mistakes earlier.

gerritbot added a comment.Apr 27 2020, 8:52 AM

Change 587705 merged by Filippo Giunchedi:
[operations/puppet@production] logstash: log safepoints only when running the daemon

https://gerrit.wikimedia.org/r/587705

Maintenance_bot removed a project: Patch-For-Review.Apr 27 2020, 9:10 AM
fgiunchedi closed this task as Resolved.Apr 27 2020, 12:16 PM
fgiunchedi claimed this task.

I'm going to boldly resolve this, we're testing Logstash config at puppet run time now, which is meant to at least prevent logstash from starting with a syntactically invalid configuration.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL