Page MenuHomePhabricator
Create Task
Maniphest T354855

ferm sometimes fails to restart on Kubernetes workers via xtables lock held by kube-proxy
Closed, ResolvedPublic
Actions

Description

On Kubernetes workers ferm sometimes fails to restart (these restarts are e.g. triggered by Puppet if a central Ferm macro gets updated). One example:

Jan 03 19:30:08 mw1465 systemd[1]: Stopped ferm firewall configuration.
Jan 03 19:30:08 mw1465 systemd[1]: Starting ferm firewall configuration...
Jan 03 19:30:08 mw1465 ferm[1868235]: Starting Firewall: ferm
Jan 03 19:30:08 mw1465 ferm[1868274]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Jan 03 19:30:08 mw1465 ferm[1868238]: Failed to run /usr/sbin/iptables-legacy-restore
Jan 03 19:30:08 mw1465 ferm[1868238]: Firewall rules rolled back.
Jan 03 19:30:08 mw1465 ferm[1868281]:  failed!
Jan 03 19:30:08 mw1465 systemd[1]: ferm.service: Main process exited, code=exited, status=1/FAILURE
Jan 03 19:30:08 mw1465 systemd[1]: ferm.service: Failed with result 'exit-code'.
Jan 03 19:30:08 mw1465 systemd[1]: Failed to start ferm firewall configuration.
Jan 08 15:18:08 mw1465 systemd[1]: Starting ferm firewall configuration...

These do not recover automatically with the subsequent Puppet run, apparently because this error condition does not get detected by ferm-status.

We could explore whether there's a way to pass -w to iptables-save/iptables-restore via Ferm (from a quick look that doesn't exist, needs a closer look at the sources)

Details

SubjectRepoBranchLines +/-
ferm: Check ferm.service status in ferm_status.pyoperations/puppetproduction+15 -4
Customize query in gerrit

Related Objects

Event Timeline

MoritzMuehlenhoff created this task.Jan 11 2024, 1:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 11 2024, 1:32 PM
MoritzMuehlenhoff triaged this task as Medium priority.Jan 11 2024, 1:32 PM
Stashbot added a comment.Jan 23 2024, 12:17 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-23T12:17:11Z] <claime> Restarting ferm.service on k8s node mw1495.eqiad.wmnet - T354855

Stashbot added a comment.Jan 25 2024, 11:26 AM

Mentioned in SAL (#wikimedia-operations) [2024-01-25T11:26:43Z] <claime> Restarting ferm.service on k8s node kubernetes2036.codfw.wmnet - T354855

Stashbot added a comment.Jan 29 2024, 1:26 PM

Mentioned in SAL (#wikimedia-operations) [2024-01-29T13:26:33Z] <claime> Restarting ferm.service on k8s node kubernetes2055 - T354855

Stashbot added a comment.Feb 2 2024, 12:16 PM

Mentioned in SAL (#wikimedia-operations) [2024-02-02T12:16:00Z] <claime> Restarting ferm.service on k8s node mw1424 - T354855

Stashbot added a comment.Feb 21 2024, 2:08 PM

Mentioned in SAL (#wikimedia-operations) [2024-02-21T14:08:25Z] <claime> restarted ferm.service on kubernetes2055.codfw.wmnet mw2440.codfw.wmnet mw2297.codfw.wmnet kubernetes2016.codfw.wmnet - T354855

gerritbot added a comment.Feb 23 2024, 1:17 PM

Change 1005978 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/puppet@production] ferm: Check ferm.service status in ferm_status.py

https://gerrit.wikimedia.org/r/1005978

gerritbot added a project: Patch-For-Review.Feb 23 2024, 1:17 PM
Stashbot added a comment.Mar 4 2024, 11:47 AM

Mentioned in SAL (#wikimedia-operations) [2024-03-04T11:47:54Z] <claime> Disabling puppet on C:profile::firewall::log::ferm to deploy 1005978 - T354855

Stashbot added a comment.Mar 4 2024, 11:48 AM

Mentioned in SAL (#wikimedia-operations) [2024-03-04T11:48:56Z] <claime> Disregard previous puppet disable message, waiting a bit T354855

Stashbot added a comment.Mar 4 2024, 12:22 PM

Mentioned in SAL (#wikimedia-operations) [2024-03-04T12:22:51Z] <claime> Disabling puppet on C:profile::firewall::log::ferm to deploy new ferm_status.py - T354855

gerritbot added a comment.Mar 4 2024, 12:27 PM

Change 1005978 merged by Clément Goubert:

[operations/puppet@production] ferm: Check ferm.service status in ferm_status.py

https://gerrit.wikimedia.org/r/1005978

Stashbot added a comment.Mar 4 2024, 12:28 PM

Mentioned in SAL (#wikimedia-operations) [2024-03-04T12:28:32Z] <claime> Enabling puppet on kubernetes2019 to test new ferm_status.py - T354855

Stashbot added a comment.Mar 4 2024, 12:30 PM

Mentioned in SAL (#wikimedia-operations) [2024-03-04T12:30:53Z] <claime> Enabling puppet on mw2322 to test new ferm_status.py - T354855

Maintenance_bot removed a project: Patch-For-Review.Mar 4 2024, 12:31 PM
Stashbot added a comment.Mar 4 2024, 12:33 PM

Mentioned in SAL (#wikimedia-operations) [2024-03-04T12:33:11Z] <claime> Enabling puppet on puppetboard2003 to test new ferm_status.py - T354855

Stashbot added a comment.Mar 4 2024, 12:38 PM

Mentioned in SAL (#wikimedia-operations) [2024-03-04T12:38:06Z] <claime> Re-enabling puppet on C:profile::firewall::log::ferm to deploy new ferm_status.py - T354855

Clement_Goubert closed this task as Resolved.Mar 4 2024, 12:43 PM
Clement_Goubert claimed this task.
Clement_Goubert subscribed.

Deployed, puppet now restarts ferm.service if the systemd unit's status is failed.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL