Page MenuHomePhabricator
Create Task
Maniphest T323324

clouddumps1002: ferm is being started on every puppet run
Closed, ResolvedPublic
Actions

Description

For some reason on clouddumps1002, the ferm service is being started (corrective, stopped -> running) on every puppet run:

Notice: /Stage[main]/Ferm/Service[ferm]/ensure: ensure changed 'stopped' to 'running' (corrective)

This does not happen on other hosts. I just noticed it while verifying unrelated patches.

In general "resources change on every puppet run" used to be an Icinga alert and this being ferm-related seems to make it more important than other ones of this type.

Details

SubjectRepoBranchLines +/-
dumps::distribution::ferm: update to resolve hosts in puppetmasteroperations/puppetproduction+35 -5
Customize query in gerrit

Event Timeline

Dzahn created this task.Nov 17 2022, 10:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 17 2022, 10:15 PM
Dzahn added projects: Cloud-Services, Puppet.Nov 17 2022, 10:16 PM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptNov 17 2022, 10:16 PM
taavi edited projects, added cloud-services-team (Kanban), Data-Services; removed Cloud-Services.Nov 18 2022, 6:25 AM
JJMC89 moved this task from Backlog to Dumps on the Data-Services board.Dec 7 2022, 12:06 AM
Andrew subscribed.Jan 11 2023, 7:42 PM

via elimination I've convinced myself that the issue here is 10_dumps_rsyncd :

# Autogenerated by puppet. DO NOT EDIT BY HAND!
#
# 
&R_SERVICE(tcp, 873, @resolve((mwlog1002.eqiad.wmnet mwlog2002.codfw.wmnet phab1004.eqiad.wmnet dumpsdata1001.eqiad.wmnet dumpsdata1002.eqiad.wmnet dumpsdata1003.eqiad.wmnet clouddumps1001.wikimedia.org clouddumps1002.wikimedia.org stat1006.eqiad.wmnet stat1007.eqiad.wmnet wdqs1009.eqiad.wmnet wcqs2001.codfw.wmnet wdqs2009.codfw.wmnet sagres.c3sl.ufpr.br sagres.c3sl.ufpr.br poincare.acc.umu.se ftp.acc.umu.se mirror.accum.se poincare.acc.umu.se ftp.acc.umu.se mirror.accum.se ftpmirror.your.org ftpmirror-ae0-4.us.your.org ftpmirror.your.org crcdtn01.crc.nd.edu wmrsync.crc.nd.edu wikimedia.mirror.us.dev wikimedia.mirror.us.dev 65.19.157.35 wikimedia.bringyour.com wikimedia.bringyour.com mirror.clarkson.edu mirror.clarkson.edu wikipedia.mirror.pdapps.org wikipedia.mirror.pdapps.org)));

Likely because one or more of those can't be resolved.

Andrew added a comment.Jan 11 2023, 8:18 PM

The troublesome entries are:

ftp.acc.umu.se
mirror.accum.se
ftp.acc.umu.se
mirror.accum.se

And yeah, each is in there twice, but being in twice is not causing the issue.

Andrew added a comment.Jan 11 2023, 8:27 PM

I don't see any real problem with those hosts other than that they're duplicates of each other. Seems like a ferm bug.

Dzahn added a comment.EditedJan 11 2023, 8:50 PM

@Andrew Is it not maybe 65.19.157.35 ? Because that is the only IP in there and it fails to resolve:

[clouddumps1002:/etc/ferm/conf.d] $ host 65.19.157.35
Host 35.157.19.65.in-addr.arpa. not found: 3(NXDOMAIN)

all others work but this:

for host in mwlog1002.eqiad.wmnet mwlog2002.codfw.wmnet phab1004.eqiad.wmnet dumpsdata1001.eqiad.wmnet dumpsdata1002.eqiad.wmnet dumpsdata1003.eqiad.wmnet clouddumps1001.wikimedia.org clouddumps1002.wikimedia.org stat1006.eqiad.wmnet stat1007.eqiad.wmnet wdqs1009.eqiad.wmnet wcqs2001.codfw.wmnet wdqs2009.codfw.wmnet sagres.c3sl.ufpr.br sagres.c3sl.ufpr.br poincare.acc.umu.se ftp.acc.umu.se mirror.accum.se poincare.acc.umu.se ftp.acc.umu.se mirror.accum.se ftpmirror.your.org ftpmirror-ae0-4.us.your.org ftpmirror.your.org crcdtn01.crc.nd.edu wmrsync.crc.nd.edu wikimedia.mirror.us.dev wikimedia.mirror.us.dev 65.19.157.35 wikimedia.bringyour.com wikimedia.bringyour.com mirror.clarkson.edu mirror.clarkson.edu wikipedia.mirror.pdapps.org; do host $host; done | grep NX


Host 35.157.19.65.in-addr.arpa. not found: 3(NXDOMAIN)
RhinosF1 subscribed.Jan 11 2023, 9:55 PM
Andrew added a comment.Jan 12 2023, 2:16 AM
In T323324#8517754, @Dzahn wrote:

@Andrew Is it not maybe 65.19.157.35 ? Because that is the only IP in there and it fails to resolve:

That was the first thing I tried! ferm-status is only satisfied if I remove ftp.acc.umu.se and mirror.accum.se -- removing 65.19.157.35 doesn't make a difference.

taavi subscribed.Jan 12 2023, 8:49 AM

can you try running ferm-status with --verbose?

Andrew added a comment.Jan 12 2023, 3:20 PM
In T323324#8518687, @taavi wrote:

can you try running ferm-status with --verbose?

Yeah, it doesn't produce any output. That's why I had to do a binary search to figure out which entries it didn't like.

jbond subscribed.Jan 12 2023, 5:33 PM
Dzahn added a comment.Jan 12 2023, 9:28 PM
In T323324#8518330, @Andrew wrote:
In T323324#8517754, @Dzahn wrote:

@Andrew Is it not maybe 65.19.157.35 ? Because that is the only IP in there and it fails to resolve:

That was the first thing I tried! ferm-status is only satisfied if I remove ftp.acc.umu.se and mirror.accum.se -- removing 65.19.157.35 doesn't make a difference.

Interesting! So what stands about these to me is:

  • mirror.accum.se is an alias for ftp.acc.umu.se., so basically it's just that one
  • ftp.acc.umu.se has multiple A records, which is unique among the other hosts in the list
;; ANSWER SECTION:
ftp.acc.umu.se.		478	IN	A	194.71.11.165
ftp.acc.umu.se.		478	IN	A	194.71.11.163
ftp.acc.umu.se.		478	IN	A	194.71.11.173

I would not be suprised if it's bug related to finding more than one A record.

I wonder if it would disappear if we use one of the 3 IP addresses instead of the host name. As the other IP in the list shows it should be ok to add IPs.

fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 6:29 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
gerritbot added a comment.Apr 24 2023, 4:28 PM

Change 911338 had a related patch set uploaded (by Jbond; author: jbond):

[operations/puppet@production] dumps::distribution::ferm: update to resolve hosts in puppetmaster

https://gerrit.wikimedia.org/r/911338

gerritbot added a project: Patch-For-Review.Apr 24 2023, 4:28 PM
jbond added a comment.Apr 24 2023, 4:30 PM

Im unable to recreate this did you fix it. either way i think this would be more strict if you pushed the DNS resolution to the puppetmaster instead of ferm. this can prevent errors where the DNS changes between the time the rules where loaded and the ferm-status script checks. see https://gerrit.wikimedia.org/r/c/operations/puppet/+/911338

Dzahn added a comment.EditedApr 24 2023, 5:30 PM

I can confirm the issue that made me create this ticket is gone. So it's resolved. I don't know how it got resolved though.

Dzahn added a comment.Apr 24 2023, 5:32 PM

So, now the status is:

[clouddumps1002:~] $ host ftp.acc.umu.se
ftp.acc.umu.se has address 194.71.11.163
ftp.acc.umu.se has address 194.71.11.165

The IP "194.71.11.173" that was there in T323324#8521638 is gone.

So seems like this was technically resolved by someone controlling umu.se or so.

Dzahn closed this task as Resolved.Apr 24 2023, 5:33 PM
Dzahn claimed this task.
Dzahn removed Dzahn as the assignee of this task.
Dzahn added subscribers: Hokwelum, ArielGlenn.Apr 24 2023, 10:35 PM
gerritbot added a comment.May 10 2023, 2:30 PM

Change 911338 merged by Jbond:

[operations/puppet@production] dumps::distribution::ferm: update to resolve hosts in puppetmaster

https://gerrit.wikimedia.org/r/911338

Maintenance_bot removed a project: Patch-For-Review.May 10 2023, 3:10 PM
jbond claimed this task.May 11 2023, 8:58 AM
joanna_borun edited projects, added Puppet-Core; removed Puppet.May 22 2023, 1:50 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL