
Hosts using nftables are not reachable via ssh from alert[12]002. Reboot needed.
Closed, ResolvedPublic

Description

In the parent task we're migrating alert hosts to new hardware. While checking outstanding alerts there are a few hosts that work on alert1001 (old hardware) but don't on alert2002. Specifically, ssh is not reachable:

durum1001
durum2002
durum3004
durum4001
durum5001
durum5002
durum6002
etherpad2002
gitlab1003
gitlab1004

Upon checking these hosts I noticed they all have nft enabled. I'll use alert2002 and etherpad2002 as an example. On etherpad2002 everything seems in order:

root@etherpad2002:~# grep -ir $(dig +short alert2002.wikimedia.org) /etc/nftables
/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft:ip saddr { 10.192.16.75, 10.192.32.67, 208.80.153.42, 208.80.153.84, 208.80.154.78, 208.80.154.88 } tcp dport 1-65535 accept
/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft:ip6 saddr { 2620:0:860:102:10:192:16:75, 2620:0:860:103:10:192:32:67, 2620:0:860:2:208:80:153:42, 2620:0:860:3:208:80:153:84, 2620:0:861:3:208:80:154:78, 2620:0:861:3:208:80:154:88 } tcp dport 1-65535 accept
/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft:ip saddr { 10.192.16.75, 10.192.32.67, 208.80.153.42, 208.80.153.84, 208.80.154.78, 208.80.154.88 } udp dport 1-65535 accept
/etc/nftables/input/10_full-monitoring-metrics-access-udp.nft:ip6 saddr { 2620:0:860:102:10:192:16:75, 2620:0:860:103:10:192:32:67, 2620:0:860:2:208:80:153:42, 2620:0:860:3:208:80:153:84, 2620:0:861:3:208:80:154:78, 2620:0:861:3:208:80:154:88 } udp dport 1-65535 accept
/etc/nftables/sets/MONITORING_HOSTS_ipv6.nft:                  2620:0:860:2:208:80:153:42
/etc/nftables/sets/MONITORING_HOSTS_ipv4.nft:                  208.80.153.42

And yet there's no answer from SYNs issued by alert2002:

root@etherpad2002:~# tcpdump -i any 'host alert2002.wikimedia.org'
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
08:58:54.229394 ens13 In  IP6 alert2002.wikimedia.org.34744 > etherpad2002.codfw.wmnet.ssh: Flags [S], seq 3918410496, win 43200, options [mss 1440,sackOK,TS val 1948470522 ecr 0,nop,wscale 9], length 0
08:58:55.246920 ens13 In  IP6 alert2002.wikimedia.org.34744 > etherpad2002.codfw.wmnet.ssh: Flags [S], seq 3918410496, win 43200, options [mss 1440,sackOK,TS val 1948471540 ecr 0,nop,wscale 9], length 0
08:58:57.262928 ens13 In  IP6 alert2002.wikimedia.org.34744 > etherpad2002.codfw.wmnet.ssh: Flags [S], seq 3918410496, win 43200, options [mss 1440,sackOK,TS val 1948473556 ecr 0,nop,wscale 9], length 0

I'm sure I'm missing something obvious here, though I can't quite figure out what! cc @Muehlenhoff

actions

Turns out we need to reboot the hosts that have switched from iptables to nftables per @Muehlenhoff

  • doc1003
  • doc2002
  • durum1001
  • durum1002
  • durum2001
  • durum2002
  • durum3003
  • durum3004
  • durum4001
  • durum4002
  • durum5001
  • durum5002
  • durum6001
  • durum6002
  • durum7001
  • durum7002
  • aphlict1002
  • aphlict2001
  • etherpad1004
  • etherpad2002
  • gerrit1003
  • gerrit2002
  • gerrit2003
  • gitlab1003
  • gitlab1004
  • gitlab2002
  • lists1004
  • lists2001
  • miscweb1003
  • miscweb2003
  • planet1003
  • planet2003

Event Timeline

colewhite renamed this task from Hosts using nft are not reachable via ssh from alert[12]002 to Hosts using nftables are not reachable via ssh from alert[12]002. Wed, Sep 4, 2:18 PM

tappof@etherpad2002:~$ uname -a
Linux etherpad2002 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux

root@etherpad2002:/etc/nftables# nc -k -l 9600 -D -vvv

OK tappof@alert1001:~$ telnet -4 etherpad2002 9600
Trying 10.192.16.77...
Connected to etherpad2002.
Escape character is '^]'.

KO tappof@alert1002:~$ telnet -4 etherpad2002 9600
Trying 10.192.16.77...

OK tappof@alert2001:~$ telnet -4 etherpad2002 9600
Trying 10.192.16.77...
Connected to etherpad2002.
Escape character is '^]'.

KO tappof@alert2002:~$ telnet -4 etherpad2002 9600
Trying 10.192.16.77...

---

tappof@ganeti-test2001:~$ uname -a
Linux ganeti-test2001 5.10.0-30-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01) x86_64 GNU/Linux

OK tappof@alert1001:~$ telnet -4 ganeti-test2001.codfw.wmnet 22
Trying 10.192.0.73...
Connected to ganeti-test2001.codfw.wmnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3

OK tappof@alert1002:~$ telnet -4 ganeti-test2001.codfw.wmnet 22
Trying 10.192.0.73...
Connected to ganeti-test2001.codfw.wmnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3

OK tappof@alert2001:~$ telnet -4 ganeti-test2001.codfw.wmnet 22
Trying 10.192.0.73...
Connected to ganeti-test2001.codfw.wmnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3

OK tappof@alert2002:~$ telnet -4 ganeti-test2001.codfw.wmnet 22
Trying 10.192.0.73...
Connected to ganeti-test2001.codfw.wmnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3

---

tappof@durum2002:~$ uname -a
Linux durum2002 6.1.0-17-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) x86_64 GNU/Linux

tappof@alert1001:~$ telnet -4 durum2002.codfw.wmnet 22
Trying 10.192.48.14...
Connected to durum2002.codfw.wmnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3

tappof@alert1002:~$ telnet -4 durum2002.codfw.wmnet 22
Trying 10.192.48.14...

tappof@alert2001:~$ telnet -4 durum2002.codfw.wmnet 22
Trying 10.192.48.14...
Connected to durum2002.codfw.wmnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3

tappof@alert2002:~$ telnet -4 durum2002.codfw.wmnet 22
Trying 10.192.48.14...

### further tests with /32 routed address

	...
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		iifname "lo" accept
		meta pkttype multicast accept
		meta l4proto ipv6-icmp accept
		ip protocol icmp accept
		...
		tcp dport 443 accept # <-- rules without saddr check permit access (?)
		ip saddr { 10.192.16.75, 10.192.32.67, 208.80.153.42, 208.80.153.84, 208.80.154.78, 208.80.154.88 } tcp dport 1-65535 accept # <--- rules with saddr check do not permit access (?)
		ip6 saddr { 2620:0:860:2:208:80:153:42, 2620:0:860:3:208:80:153:84, 2620:0:860:102:10:192:16:75, 2620:0:860:103:10:192:32:67, 2620:0:861:3:208:80:154:78, 2620:0:861:3:208:80:154:88 } tcp dport 1-65535 accept
		...
	}
	...

tappof@alert1001:~$ telnet -4 185.71.138.139 443
Trying 185.71.138.139...
Connected to 185.71.138.139.
Escape character is '^]'.

tappof@alert1002:~$ telnet -4 185.71.138.139 443
Trying 185.71.138.139...
Connected to 185.71.138.139.
Escape character is '^]'.

tappof@alert2001:~$ telnet -4 185.71.138.139 443
Trying 185.71.138.139...
Connected to 185.71.138.139.
Escape character is '^]'.

tappof@alert2002:~$ telnet -4 185.71.138.139 443
Trying 185.71.138.139...
Connected to 185.71.138.139.
Escape character is '^]'.

---

root@sretest1001:~# uname -a
Linux sretest1001 5.10.0-32-amd64 #1 SMP Debian 5.10.223-1 (2024-08-10) x86_64 GNU/Linux

tappof@alert1001:~$ telnet -4 sretest1001.eqiad.wmnet 22
Trying 10.64.48.138...
Connected to sretest1001.eqiad.wmnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3

tappof@alert1002:~$ telnet -4 sretest1001.eqiad.wmnet 22
Trying 10.64.48.138...
Connected to sretest1001.eqiad.wmnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3

tappof@alert2001:~$ telnet -4 sretest1001.eqiad.wmnet 22
Trying 10.64.48.138...
Connected to sretest1001.eqiad.wmnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3

tappof@alert2002:~$ telnet -4 sretest1001.eqiad.wmnet 22
Trying 10.64.48.138...
Connected to sretest1001.eqiad.wmnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3

---

tappof@miscweb2003:~$ uname -a
Linux miscweb2003 5.10.0-30-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01) x86_64 GNU/Linux

acts like a 6.x kernel ( :( )

---

Any host which switches from iptables/ferm to nftables strictly needs a reboot after the provider has been changed. Some of the kernel modules used by iptables cannot be unloaded at runtime without a reboot (I tried various -f hacks, but to no avail). If the old iptables kernel modules are still loaded the constants formerly defined by ferm still persist (and this is what we are seeing here: the hosts don't know about alert2002 being in the new global list of monitoring hosts).

I rebooted etherpad2002 and I can now SSH to it from alert2002 (obviously the pubkey exchange fails). We'll need to also reboot the remaining hosts; then it should all work (gitlab1003, e.g., also has an uptime of 93 days).

fgiunchedi renamed this task from Hosts using nftables are not reachable via ssh from alert[12]002 to Hosts using nftables are not reachable via ssh from alert[12]002. Reboot needed. Thu, Sep 5, 8:52 AM
fgiunchedi updated the task description.
MoritzMuehlenhoff updated the task description.

Host rebooted by jelto@cumin1002 with reason: None

Thank you to all involved so far with the reboots -- much appreciated!

I can confirm the hosts are now reachable from alert2002, except lists1004 and lists2001. On these hosts, unlike the others, there is both nft and iptables; similarly, there's both /etc/ferm and /etc/nftables, which I'm assuming is the cause of the problem (i.e. iptables and nftables together). Does that ring a bell @eoghan ?

Looking at Puppet it seems the host was moved to nftables and then back to iptables/ferm. There's no migration path in Puppet for the latter.

To clean up manually, the following steps are needed:

  • stop nftables.service and following that uninstall the nftables package
  • remove /etc/nftables
  • reboot into a clean iptables/ferm setup

That should be the core of it, if there's other issues after the reboot, happy to have a closer look.
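An added check, not part of this task or of the Puppet/cookbook code it refers to, that classifies a host into the two broken states discussed above: switched to nftables but with iptables kernel modules still loaded (reboot needed), and both /etc/ferm and /etc/nftables present (mixed config, as on the lists hosts). The module-name pattern and the `lsmod` excerpts are constructed for the example.

```shell
#!/bin/sh
# Added example: detect stale iptables state on a host that should be on nftables.
# Inputs are passed as text/flags so the check runs offline against constructed
# samples; check_local_host feeds it the real `lsmod` output and config paths.

# firewall_state LSMOD_TEXT HAS_FERM HAS_NFT
#   LSMOD_TEXT: output of `lsmod` (module name is the first column)
#   HAS_FERM:   1 if /etc/ferm exists, else 0
#   HAS_NFT:    1 if /etc/nftables exists, else 0
# Prints one of: mixed-config, reboot-needed, clean-nftables, clean-iptables
firewall_state() {
    lsmod_text=$1; has_ferm=$2; has_nft=$3
    # Legacy ip(6)tables modules; nf_tables itself is deliberately not matched.
    legacy=$(printf '%s\n' "$lsmod_text" \
        | awk '$1 ~ /^(ip_tables|ip6_tables|iptable_|ip6table_)/ {print $1}')
    if [ "$has_ferm" = 1 ] && [ "$has_nft" = 1 ]; then
        echo mixed-config      # both providers configured, needs manual cleanup
    elif [ "$has_nft" = 1 ] && [ -n "$legacy" ]; then
        echo reboot-needed     # nftables configured, old ferm-era modules still loaded
    elif [ "$has_nft" = 1 ]; then
        echo clean-nftables
    else
        echo clean-iptables
    fi
}

# Run the same classification against the current host.
check_local_host() {
    ferm=0; nft=0
    [ -d /etc/ferm ] && ferm=1
    [ -d /etc/nftables ] && nft=1
    firewall_state "$(lsmod 2>/dev/null)" "$ferm" "$nft"
}

# Constructed lsmod excerpts (not captured from any host in the task).
SAMPLE_STALE='Module                  Size  Used by
nf_tables             303104  0
iptable_filter         16384  0
ip_tables              36864  1 iptable_filter
x_tables               57344  2 iptable_filter,ip_tables'
SAMPLE_CLEAN='Module                  Size  Used by
nf_tables             303104  12
nfnetlink              20480  1 nf_tables'

firewall_state "$SAMPLE_STALE" 0 1   # -> reboot-needed
firewall_state "$SAMPLE_CLEAN" 0 1   # -> clean-nftables
firewall_state "$SAMPLE_STALE" 1 1   # -> mixed-config
```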

Thank you @MoritzMuehlenhoff ! @eoghan @Dzahn would you mind trying the above on lists hosts to fully rollback to iptables? thank you !

Yeah, that's right -- we moved from ferm to nftables, but then reverted because of T373637. I'll take a look at the cleanup later this afternoon.

Mentioned in SAL (#wikimedia-operations) [2024-09-05T22:49:18Z] <mutante> gerrit-replica.wikimedia.org (gerrit2002) - rebooting T373980

Mentioned in SAL (#wikimedia-operations) [2024-09-05T22:49:51Z] <dzahn@cumin2002> START - Cookbook sre.hosts.downtime for 0:10:00 on gerrit2002.wikimedia.org with reason: T373980

Mentioned in SAL (#wikimedia-operations) [2024-09-05T22:50:05Z] <dzahn@cumin2002> END (PASS) - Cookbook sre.hosts.downtime (exit_code=0) for 0:10:00 on gerrit2002.wikimedia.org with reason: T373980

@ssingh Sorry we have to reboot the durum hosts. Maybe we can sync on IRC about it.

Mentioned in SAL (#wikimedia-operations) [2024-09-06T11:00:16Z] <eoghan@cumin1002> START - Cookbook sre.hosts.downtime for 0:20:00 on lists1004.wikimedia.org with reason: T373980

Mentioned in SAL (#wikimedia-operations) [2024-09-06T11:00:31Z] <eoghan@cumin1002> END (PASS) - Cookbook sre.hosts.downtime (exit_code=0) for 0:20:00 on lists1004.wikimedia.org with reason: T373980

Host rebooted by jelto@cumin1002 with reason: reboot gitlab2002 for nftables alerting host fix

Icinga downtime and Alertmanager silence (ID=3c4d183a-5187-4027-af86-2d68c6f2970a) set by jelto@cumin1002 for 0:15:00 on 1 host(s) and their services with reason: Gerrit reboot

gerrit1003.wikimedia.org

Host rebooted by jelto@cumin1002 with reason: reboot gerrit1003 for nftables alerting host fix

All durum hosts have been rebooted, using cookbook sre.dns.roll-restart-reboot-durum.

This ticket should be resolved now.

Dzahn claimed this task.

per IRC all hosts can be pinged now, please reopen if any other issues

This is great, thank you all for your help!

Host rebooted by jelto@cumin1002 with reason: reboot lists2001 to fix nftables/ferm issue