Page MenuHomePhabricator
Create Task
Maniphest T287265

profile::icinga::ircbot trying to run icinga-wm without proper password from monitoring Cloud VPS project
Closed, ResolvedPublic
Actions

Description

[16:18]  <    glguy> The misconfigured bot running on nat.cloudgw.eqiad1.wikimediacloud.org repeatedly failing to authenticate as icinga-wm is still going which risk getting the whole host banned if the SASL failure allow-rate changes

Some poking around points to the profile::icinga::ircbot being applied on pontoon-icinga-01.monitoring.eqiad1.wikimedia.cloud as the likely root problem here

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
icinga: fix ircbot::ensure logicoperations/puppetproduction+5 -3
pontoon: disable ircecho/ircbotoperations/puppetproduction+3 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

bd808 created this task.Jul 23 2021, 4:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 23 2021, 4:37 PM
bd808 renamed this task from profile::icinga::ircbot trying to run icinga-wm without proper password to profile::icinga::ircbot trying to run icinga-wm without proper password from monitoring Cloud VPS project.Jul 23 2021, 4:38 PM
RhinosF1 subscribed.Jul 23 2021, 4:39 PM
bd808 added a comment.Jul 23 2021, 4:41 PM

I was going to try setting a hiera flag to disable the profile, but:

root@pontoon-icinga-01:/var/lib/puppet/state# puppet agent -tv
Notice: Skipping run of Puppet configuration client; administratively disabled (Reason: 'filippo - filippo');
Use 'puppet agent --enable' to re-enable.
bd808 added a comment.Jul 23 2021, 4:44 PM
root@pontoon-icinga-01:~# cat /etc/icinga/.irc_secret
dummy
Stashbot added a comment.Jul 23 2021, 4:45 PM

Mentioned in SAL (#wikimedia-cloud) [2021-07-23T16:45:38Z] <bd808> rm /usr/local/bin/ircecho as the worst fix for T287265

bd808 added a parent task: T278584: Promote use of SASL for Cloud VPS/Toolforge hosted Libera.chat / Freenode IRC bots.Jul 23 2021, 4:48 PM
Andrew mentioned this in T287269: pontoon: ever more Cloud VPS VMs unreachable via puppet or cumin.Jul 23 2021, 5:08 PM
fgiunchedi added a comment.Jul 26 2021, 8:58 AM

My bad! I'll make sure ircecho not starting is enforced by puppet

gerritbot added a comment.Jul 26 2021, 9:01 AM

Change 708043 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] pontoon: disable ircecho/ircbot

https://gerrit.wikimedia.org/r/708043

gerritbot added a project: Patch-For-Review.Jul 26 2021, 9:01 AM
gerritbot added a comment.Jul 26 2021, 9:05 AM

Change 708043 merged by Filippo Giunchedi:

[operations/puppet@production] pontoon: disable ircecho/ircbot

https://gerrit.wikimedia.org/r/708043

Maintenance_bot removed a project: Patch-For-Review.Jul 26 2021, 9:10 AM
gerritbot added a comment.Jul 26 2021, 9:43 AM

Change 708073 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] icinga: fix ircbot::ensure logic

https://gerrit.wikimedia.org/r/708073

gerritbot added a project: Patch-For-Review.Jul 26 2021, 9:43 AM
gerritbot added a comment.Jul 26 2021, 10:06 AM

Change 708073 merged by Filippo Giunchedi:

[operations/puppet@production] icinga: fix ircbot::ensure logic

https://gerrit.wikimedia.org/r/708073

fgiunchedi closed this task as Resolved.Jul 26 2021, 10:07 AM
fgiunchedi claimed this task.

Stubbed my toe into some active/passive logic and the hiera variable, ircecho is disabled for good now (and puppet runs again). Resolving but please reopen if sth is amiss

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits