Page MenuHomePhabricator
Create Task
Maniphest T257552

cloudnet: prometheus node exporter stopped collecting nf_conntrack_entries metric
Closed, ResolvedPublic
Actions

Description

On 2020-05-21 we reimaged cloudnet servers from Stretch to Buster.

Since then, the prometheus node exporter has been collecting bogus metrics about nf_conntrack, probably due to the linux kernel being upgraded and changing how these values are shared between network namespaces. Important nf_conntrack values are inside the auto-generated neutron netnamespace, and therefore:

aborrero@prometheus1003:~ $ curl cloudnet1003.eqiad.wmnet:9100/metrics | grep nf_conntrack
# HELP node_nf_conntrack_entries Number of currently allocated flow entries for connection tracking.
# TYPE node_nf_conntrack_entries gauge
node_nf_conntrack_entries 0
[..]

Our grafana panels showed no useful information: https://grafana.wikimedia.org/d/000000579/wmcs-openstack-eqiad1?panelId=32&fullscreen&orgId=1

A quick check in the server suggest we were having network problems indeed.

aborrero@cloudnet1003:~ $ sudo dmesg -T | tail
[Sat Jul  4 15:35:48 2020] nf_conntrack: nf_conntrack: table full, dropping packet
[Sat Jul  4 15:35:53 2020] nf_conntrack: nf_conntrack: table full, dropping packet
[Sat Jul  4 15:57:29 2020] nf_conntrack: nf_conntrack: table full, dropping packet
[..]

Actionables:

  • improve how we manage the values using puppet. Puppet won't check the live values in the kernel, just in the filesystem (/etc/sysctl.d/) We need some logic to ensure the desired values are actually read by the running kernel
  • namespace awareness. Neutron works in autogenerated namespaces. The nf_conntrack_buckets setting works for all namespaces. The nf_conntrack_max setting is per-namespace, but if not specified it will be computed using nf_conntrack_buckets * 4.
  • introduce new prometheus metrics, with namespace awareness
  • introduce icinga checks

Details

SubjectRepoBranchLines +/-
openstack: monitor: neutron: nf_conntrack: run the NRPE check as root using sudooperations/puppetproduction+6 -1
prometheus: node_neutron_namespace: disable explicit monitoringoperations/puppetproduction+7 -6
openstack: neutron: add NRPE plugin to check nf_conntrack statusoperations/puppetproduction+125 -0
cloud: prometheus neutron exporter: cleanup log messagesoperations/puppetproduction+2 -8
cloud: prometheus neutron collector: add "" characters for label valuesoperations/puppetproduction+1 -1
cloud: add prometheus neutron conntrack collectoroperations/puppetproduction+124 -0
cloud: network nodes: explicitly load nf_conntrack module on bootoperations/puppetproduction+5 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

aborrero created this task.Jul 9 2020, 9:07 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 9 2020, 9:07 AM
Stashbot added a comment.Jul 9 2020, 9:16 AM

Mentioned in SAL (#wikimedia-cloud) [2020-07-09T09:16:07Z] <arturo> manually increasing sysctl value of net.nf_conntrack_max in cloudnet servers (T257552)

aborrero added a comment.Jul 9 2020, 9:24 AM

note we might be interested only in the conntrack inside the neutron router netns:

aborrero@cloudnet1003:~ $ sudo ip netns exec qrouter-d93771ba-2711-4f88-804a-8df6fd03978a sysctl -a | egrep nf_conntrack_count\|nf_conntrack_max
net.netfilter.nf_conntrack_count = 172198
net.netfilter.nf_conntrack_max = 1048576
aborrero@cloudnet1003:~ $ sudo sysctl -a | egrep nf_conntrack_count\|nf_conntrack_max
net.netfilter.nf_conntrack_count = 0
net.netfilter.nf_conntrack_max = 1048576
net.nf_conntrack_max = 1048576
aborrero claimed this task.Jul 9 2020, 9:24 AM
aborrero triaged this task as High priority.
aborrero moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.
aborrero added a comment.Jul 9 2020, 9:26 AM

I confirm this started happening when we reimaged cloudnet servers to buster in 2020-05-21.

aborrero added a parent task: T253124: Upgrade cloudnet2003 and cloudnet2004 to Debian Buster.Jul 9 2020, 9:29 AM
aborrero added a comment.Jul 9 2020, 10:02 AM

Also, the sysctl config we deploy via puppet (modules/openstack/manifests/neutron/l3_agent.pp) just deploys the file in the filesystem but doesn't apply it.

aborrero renamed this task from prometheus: node exporter stopped collecting nf_conntrack_entries metric to cloudnet: prometheus node exporter stopped collecting nf_conntrack_entries metric.Jul 9 2020, 10:46 AM
aborrero updated the task description. (Show Details)Jul 9 2020, 10:54 AM
aborrero mentioned this in T257534: CloudVPS: a VM is unable to contact floating IPs of other VMs.Jul 9 2020, 10:58 AM
Stashbot added a comment.Jul 9 2020, 11:11 AM

Mentioned in SAL (#wikimedia-cloud) [2020-07-09T11:11:53Z] <arturo> [codfw1dev] rebooting cloudnet2003-dev for testing sysct/puppet behavior (T257552)

MoritzMuehlenhoff subscribed.Jul 9 2020, 11:15 AM
Stashbot added a comment.Jul 9 2020, 11:23 AM

Mentioned in SAL (#wikimedia-cloud) [2020-07-09T11:23:47Z] <arturo> [codfw1dev] rebooting cloudnet2003-dev again for testing sysct/puppet behavior (T257552)

gerritbot added a comment.Jul 9 2020, 11:31 AM

Change 610775 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: network nodes: explicitly load nf_conntrack module on boot

https://gerrit.wikimedia.org/r/610775

gerritbot added a project: Patch-For-Review.Jul 9 2020, 11:31 AM
gerritbot added a comment.Jul 9 2020, 11:44 AM

Change 610775 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: network nodes: explicitly load nf_conntrack module on boot

https://gerrit.wikimedia.org/r/610775

aborrero updated the task description. (Show Details)Jul 9 2020, 11:48 AM
aborrero lowered the priority of this task from High to Medium.Jul 9 2020, 11:56 AM
Maintenance_bot removed a project: Patch-For-Review.Jul 9 2020, 12:11 PM
Bstorm added a comment.Jul 9 2020, 2:57 PM

Nice catch on this!

Bstorm added a comment.Jul 9 2020, 2:59 PM

There's a few other issues I am suddenly wondering if this has been affecting.

aborrero added a comment.Jul 10 2020, 9:06 AM
In T257552#6293603, @Bstorm wrote:

There's a few other issues I am suddenly wondering if this has been affecting.

Yes, this could have been silently affecting other stuff. Which ones do you have in mind? do we have phab tasks for them?

gerritbot added a comment.Jul 10 2020, 10:50 AM

Change 611262 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: add prometheus neutron conntrack collector

https://gerrit.wikimedia.org/r/611262

gerritbot added a project: Patch-For-Review.Jul 10 2020, 10:50 AM
gerritbot added a comment.Jul 10 2020, 11:20 AM

Change 611262 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: add prometheus neutron conntrack collector

https://gerrit.wikimedia.org/r/611262

gerritbot added a comment.Jul 10 2020, 11:29 AM

Change 611278 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: prometheus neutron collector: add "" characters for label values

https://gerrit.wikimedia.org/r/611278

gerritbot added a comment.Jul 10 2020, 11:30 AM

Change 611278 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: prometheus neutron collector: add "" characters for label values

https://gerrit.wikimedia.org/r/611278

gerritbot added a comment.Jul 10 2020, 11:35 AM

Change 611285 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] cloud: prometheus neutron exporter: cleanup log messages

https://gerrit.wikimedia.org/r/611285

gerritbot added a comment.Jul 10 2020, 11:37 AM

Change 611285 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] cloud: prometheus neutron exporter: cleanup log messages

https://gerrit.wikimedia.org/r/611285

Bstorm added a comment.Jul 10 2020, 3:23 PM

I was thinking of T249035: Requests to production are sometimes timing out or giving empty response because it's mysterious. It's hard to find phabs tasks for other bits of strangeness because they have tended to be scattered and possibly transient.

aborrero updated the task description. (Show Details)Jul 13 2020, 10:38 AM
aborrero updated the task description. (Show Details)Jul 13 2020, 10:48 AM
In T257552#6297063, @Bstorm wrote:

I was thinking of T249035: Requests to production are sometimes timing out or giving empty response because it's mysterious. It's hard to find phabs tasks for other bits of strangeness because they have tended to be scattered and possibly transient.

The timeline doesn't match. That ticket was opened on 2020-03-31 and I'm pretty sure the issue in here started on 2020-05-21.

aborrero updated the task description. (Show Details)Jul 13 2020, 12:37 PM
gerritbot added a comment.Jul 13 2020, 5:16 PM

Change 612390 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] openstack: neutron: add NRPE plugin to check nf_conntrack status

https://gerrit.wikimedia.org/r/612390

Stashbot added a comment.Jul 14 2020, 10:43 AM

Mentioned in SAL (#wikimedia-cloud) [2020-07-14T10:43:05Z] <arturo> icinga downtime cloudnet* hosts for 30 mins to introduce new check https://gerrit.wikimedia.org/r/c/operations/puppet/+/612390 (T257552)

gerritbot added a comment.Jul 14 2020, 10:44 AM

Change 612390 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: neutron: add NRPE plugin to check nf_conntrack status

https://gerrit.wikimedia.org/r/612390

gerritbot added a comment.Jul 14 2020, 10:52 AM

Change 612537 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] prometheus: node_neutron_namespace: disable explicit monitoring

https://gerrit.wikimedia.org/r/612537

gerritbot added a comment.Jul 14 2020, 10:54 AM

Change 612537 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] prometheus: node_neutron_namespace: disable explicit monitoring

https://gerrit.wikimedia.org/r/612537

gerritbot added a comment.Jul 14 2020, 11:14 AM

Change 612545 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] openstack: monitor: neutron: nf_conntrack: run the NRPE check as root using sudo

https://gerrit.wikimedia.org/r/612545

gerritbot added a comment.Jul 14 2020, 11:15 AM

Change 612545 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] openstack: monitor: neutron: nf_conntrack: run the NRPE check as root using sudo

https://gerrit.wikimedia.org/r/612545

aborrero updated the task description. (Show Details)Jul 14 2020, 11:48 AM
aborrero closed this task as Resolved.Jul 14 2020, 11:51 AM

I have some doubts about converting the new icinga check to critical (and let it page). I'm just unsure, so I will leave it as is for now (non-critical) and see how things evolve.
@Bstorm might have an opinion.

Other than that, all the work here is done, so closing task now.

aborrero added a comment.Jul 14 2020, 11:52 AM

Forgot to mention, I added docs for incident response here: https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Troubleshooting#nf_conntrack_table_full_in_cloudnet_nodes in case this happens again.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL