Page MenuHomePhabricator
Create Task
Maniphest T344608

WMCS-roots paging responsibilities
Closed, DeclinedPublic
Actions

Description

While discussing T344599 it was requested that anyone with root privileges to the wikireplicas should also be paged. I'm not too familiar with the wiki-replicas servers and suspect that some of the issue there is around ownership and demarcation i.e. if something breaks on theses machines due to a misuse of root privileges (weather accidental or intentioned) then we require someone familiar with this service to also get paged and assist in fixing the machine. Some of theses issues may get resolved via the current ownership discussions.

That aside i wondered if we should have some general policy on uses granted wmcs-roots i.e. should they be added to the batphone paging group in victorops (im not even sure if wmcs has a batphone group)?

Personally i dont have a view on this i just wanted to raise the ticket and will leave the discussions for wmcs and wmcs-roots members

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedfnegriT337848 WMCS-roots wiki replica access
 ResolvedfnegriT344599 wikireplicas root access
 DeclinedfnegriT344608 WMCS-roots paging responsibilities

Event Timeline

jbond created this task.Aug 21 2023, 1:38 PM
Marostegui added a project: Data-Engineering.Aug 21 2023, 1:43 PM
Marostegui added subscribers: mark, KOfori.
Marostegui added subscribers: BTullis, odimitrijevic.

I am not sure what's the current status for wikireplicas alerts. I do know they do alert on IRC, but I am not sure if they already page cloud-services-team engineers or not.

jbond renamed this task from WMCS-roots pageing responibilities to WMCS-roots paging responsibilities .Aug 21 2023, 1:45 PM
fnegri subscribed.Aug 21 2023, 2:17 PM
fnegri added a comment.Aug 21 2023, 3:09 PM

That aside i wondered if we should have some general policy on uses granted wmcs-roots i.e. should they be added to the batphone paging group in victorops (im not even sure if wmcs has a batphone group)?

WMCS does not currently have a batphone group, but we have a wmcs team in VictorOps with a multi-step escalation policy, so I believe it could be reasonable to ask members of wmcs-roots to be added to the wmcs group in VictorOps. This is not true at the moment though, as we have a few people in wmcs-roots that are NOT part of the wmcs group in VictorOps.

I am not sure what's the current status for wikireplicas alerts. I do know they do alert on IRC, but I am not sure if they already page cloud-services-team engineers or not.

I believe they do alert on IRC and email, but they are not tagged with wmcs in Prometheus/VictorOps, hence they do not page cloud-services-team engineers. If you can find a recent wikireplica alert I can double check that.

Marostegui added a comment.Aug 21 2023, 3:16 PM

@fnegri keep in mind that wikireplicas do not page for SRE as well. The most recent alert I can think of are the ones related to the last outage T337446 which might have shown lag/replication broken, however I think I caught the first alert (sanitarium) and probably downtime the others to avoid noise. Sanitarium hosts should also be alerting, as they are part of the wiki replicas service (you can see the alert they triggered at https://wikitech.wikimedia.org/wiki/Incidents/2023-05-28_wikireplicas_lag)

fnegri added a comment.Aug 21 2023, 5:14 PM

I found that alert in Logstash, attached is the alert JSON data from Logstash.

"team": "sre" means that it didn't page WMCS, but shouldn't it have paged SREs as it has "alert_severity": "critical"?

alert.json2 KBDownload

Marostegui added a comment.Aug 23 2023, 6:18 AM

There are two possible reasons:

  1. I caught the alert too fast before it even paged.
  2. The host is marked as non critical (aka irc-alert only) somewhere else.
lbowmaker moved this task from Incoming (new tickets) to Tag with Radar on the Data-Engineering board.Feb 12 2024, 2:25 PM
fnegri updated the task description. (Show Details)Sep 4 2024, 5:13 PM
fnegri triaged this task as Medium priority.Sep 9 2024, 2:26 PM
fnegri added a parent task: T344599: wikireplicas root access.
fnegri closed this task as Declined.Sep 13 2024, 3:30 PM

In T344599: wikireplicas root access, it was decided members of wmcs-roots should not have root access to wiki replicas hosts (clouddbXXXX). This removes the original concern of having people with root access to wikireplicas that are not getting pages.

As far as I understand, the only thing that the wmcs-roots group does is giving its members root access to all cloud* bare metal hosts, excluding clouddb1* (wiki replicas).

we have a few people in wmcs-roots that are NOT part of the wmcs group in VictorOps.

This remains true as wmcs-roots is a group that extends to non-SREs and non-staff, so we cannot simply add everyone in that group to the on-call rota. We could consider removing people from that group (limiting their access to the Cloud infrastructure) but that is beyond the scope of this task.

The "wmcs" group in VictorOps (the people receiving on-call pages for WMCS alerts) is a smaller group that at the moment is managed ad-hoc and is not mapped to any group in either LDAP or modules/admin/data/data.yaml.

fnegri claimed this task.Sep 13 2024, 3:40 PM
fnegri edited projects, added cloud-services-team (FY2024/2025-Q1-Q2); removed cloud-services-team.
fnegri moved this task from Backlog to Done on the cloud-services-team (FY2024/2025-Q1-Q2) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits