Page MenuHomePhabricator
Create Task
Maniphest T420975

Atlas no longer reachable from monitoring on routed ganeti
Closed, ResolvedPublic
Actions

Description

One unexpected outcome of the removal off conntracks on routed ganeti is that we were relying on them for blackbox probes of Ripe Atlas VMs. After the change we got this:

FIRING: [16x] ProbeDown: Ripe Atlas anchor atlas3001:80 is not returning HTTP 200 OK on port 80  - https://grafana.wikimedia.org/d/O0nHhdhnz/network-probes-overview?var-job=probes/custom&var-module=All - https://alerts.wikimedia.org/?q=alertname%3DProbeDown

The reason is previously a conntrack was added when monitoring connected to the Atlas VM, and the response from the VM was allowed back cos it matched the conntrack. Now the SYN is allowed out, but SYN/ACK is blocked because the destination is on WMF IP space.

We'll need to decide how to handle. A specific rule allow port 80 to monitoring I guess is required.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
routed-ganeti: allow sandbox replies to HTTP from install hostsoperations/puppetproduction+4 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedcmooneyT420975 Atlas no longer reachable from monitoring on routed ganeti

Event Timeline

cmooney created this task.Mar 23 2026, 5:38 PM
cmooney triaged this task as Medium priority.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 23 2026, 5:38 PM
cmooney added a parent task: Restricted Task.Mar 23 2026, 5:40 PM
gerritbot added a comment.Mar 24 2026, 11:25 AM

Change #1259935 had a related patch set uploaded (by Cathal Mooney; author: Cathal Mooney):

[operations/puppet@production] routed-ganeti: allow sandbox replies to HTTP from install hosts

https://gerrit.wikimedia.org/r/1259935

gerritbot added a project: Patch-For-Review.Mar 24 2026, 11:25 AM
gerritbot added a comment.Mar 24 2026, 12:07 PM

Change #1259935 merged by Cathal Mooney:

[operations/puppet@production] routed-ganeti: allow sandbox replies to HTTP from install hosts

https://gerrit.wikimedia.org/r/1259935

Maintenance_bot removed a project: Patch-For-Review.Mar 24 2026, 12:31 PM
cmooney closed this task as Resolved.Mar 24 2026, 12:42 PM
cmooney claimed this task.

This should now be working again. Big thanks to @ayounsi for the heavy-lifting with all the puppet patches to add the $INSTALL_HOSTS set.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits