Wednesday, 2026-04-08

« Tuesday, 2026-04-07 Index Thursday, 2026-04-09 »
@clarkb:matrix.orgI wanted to remind everyone that https://grafana.opendev.org/d/1f6dfd6769/opendev-load-balancer?orgId=1&from=now-24h&to=now&timezone=utc exists as well since I also forgot00:20
@clarkb:matrix.orgbut you can see the time period where things went sideways pretty clearly in there. You can also see that currently things seem to be much better behaved after we made our chagnes and after we repplied them with ansible.00:21
@clarkb:matrix.orgI do note that we don't seem to capture the total number of backend servers in an up/down state. That might be a good improvement if anyone is interested in updating the little tool for that /me makes a note that coudl be a fun little programming task00:21
@jim:acmegating.comClark: fungi mnasiadka the resolute build job got better: https://review.opendev.org/98218201:07
that may lend support to Clark 's theory the problem was disk space (if that build landed on a node with a larger disk)
@jim:acmegating.comalso the free space dstat graph worked01:09
@harbott.osism.tech:regio.chatlooks like dib also needs opendev.org:06:30
```
2026-04-08 01:27:41.225 | Could not open project list url: 'https://opendev.org/openstack/project-config/raw/gerrit/projects.yaml'
```
@harbott.osism.tech:regio.chataccording to grafana we had a different type of burst from about 1-506:46
@harbott.osism.tech:regio.chatI'm testing devstack on resolute locally now and I noticed that Ubuntu offers two flavors of their cloud image now: amd64 vs. amd64v3 (see https://cloud-images.ubuntu.com/resolute/20260328/). I wonder whether we would want to do the same to  match our coverage. ofc this would imply having the v3 images only run on providers that have the appropriate hardware08:40
@priteau:matrix.orgI am afraid opendev.org is unreachable again11:13
@priteau:matrix.orgGetting 403 errors11:14
@mnasiadka:matrix.orgHaving a look, seems like another new bot attack11:40
@lajos_katona:matrix.orgyeah, I had to change to use local upper_constraint.txt to be able to run any tox -e.... command locally11:41
@harbott.osism.tech:regio.chatthat looks like the event from tonight again in grafana, not like yesterday. maybe time to go for anubis after all12:06
@mnasiadka:matrix.orgYeah, chasing the bots is great fun12:13
@mnasiadka:matrix.orgActually, added some bots to ua-filter, but it's still the same (in terms of the effect) - however there's a lot of git clients connections12:32
@mnasiadka:matrix.orgJens Harbott: any ideas? ;-)12:32
-@gerrit:opendev.org- Zuul merged on behalf of sean mooney: [openstack/project-config] 951395: Update nodeset for test-release-openstack https://review.opendev.org/c/openstack/project-config/+/95139512:53
@mnasiadka:matrix.orgPierre Riteau: lajoskatona seems it's better now, don't know if it's my user agent filtering or not 🤷13:20
@harbott.osism.tech:regio.chatI don't have any more ideas, just noting that "it", whatever it is, seems to just have stopped13:20
@harbott.osism.tech:regio.chatalso I have muted this channel, that also mutes pings, please ping me in IRC if needed13:21
@lajos_katona:matrix.orgthanks, I check it13:21
@mnasiadka:matrix.orgMaybe it's time to get Anubis patch rolling so we stop wasting time on battling such events13:23
@mnasiadka:matrix.orgLet me raise a patch on my ua-filter changes for reference13:23
-@gerrit:opendev.org- Michal Nasiadka proposed: [opendev/system-config] 983721: Add more ua-filters https://review.opendev.org/c/opendev/system-config/+/98372113:27
@harbott.osism.tech:regio.chatmnasiadka: hmm, that's four bots I did consider well-behaved before13:29
@mnasiadka:matrix.orgJens Harbott: I don't think it really fixed anything, more likely the ,,attacker'' got what they wanted - but I've seen hundreds of queries from these bots and that was the only thing standing out13:31
@fungicide:matrix.organy burst you saw on the graph in the 0100-0500z timeframe was possibly the daily periodic jobs thundering herd13:56
@mnasiadka:matrix.orgShouldn't these use Zuul cached repos?13:59
@fungicide:matrix.orgbased on the discussion in the openstack tc channel, sounds like a lot of projects have started running a precommit configuration that installs dependencies from git remotes14:05
@mnasiadka:matrix.orgUh oh14:06
-@gerrit:opendev.org- Stephen Finucane proposed: [openstack/project-config] 983728: Add GitHub mirroring for devstack-plugin-prometheus https://review.opendev.org/c/openstack/project-config/+/98372814:17
@harbott.osism.tech:regio.chatI don't think a couple of pep8 jobs could have caused this. also it only happened today, not the days before14:27
@mnasiadka:matrix.orgWell, that would sort of fit the theory I mainly have seen git clients fetching whole repositories (apart the bots in the change) — maybe we should check the amount of jobs that ran in the problematic timeframe14:29
@mnasiadka:matrix.orgAnd it would be fantastic if we would log real external ips in Gitea/Apache log (at least would be helpful to stop running around between haproxy and these two)14:30
@fungicide:matrix.orgyeah, Clark's proxy protocol change would give us that in theory, though anubis would break it since it doesn't support proxy protocol yet14:39
@clarkb:matrix.orgfungi: I think daily periodic jobs start at 0200? So that may not explain the spike in demand, but may explain the large numbers of git client requests?14:45
@mnasiadka:matrix.orgIt might have been both - the bots and git client requests14:45
@clarkb:matrix.orgfwiw looking at grafana it seems like this confirms our previous thought that the prior problem required both updates to make things better. Because I'm assuming now we're just running with more apache worker slots. Which makes things better but not good enough to keep up14:45
@clarkb:matrix.orgin particular we seem to be maxing out the haproxy allowed connections. Maxconn is set to 4k and we're sitting there14:46
@clarkb:matrix.orgif we assume a mostly even distribution of connections we've configured apache to allow 2048 connections per backend and we haev 6. That is 12288 connections theoretical. If we have backend resource room we could potentially increase the haproxy maxconn limit and see if that helps. It might also make things worse again by overwhelming the backends14:47
@mnasiadka:matrix.orgWell, load avg wise the backend didn’t look bad14:48
@clarkb:matrix.orgmnasiadka: ya so maybe increasing the haproxy maxconn limit is something we should try14:49
@clarkb:matrix.orgI also want to look at request logs during that timeperiod and see if anything jumps out to me. I agree that in general I think we should continue to push towards anubis though as I think that will help with the request fingerprinting and make it far more automatic14:49
@clarkb:matrix.orgso I think the ~3 things we should do are consider bumping haproxy maxconns, double check request logs during that time period to see if anything stands out to other eyeballs, and keep making progress towards anubis14:50
@fungicide:matrix.orgi'm going to go grab lunch real quick, but can help with those and/or get back to the pending gitea config changes in an hour-ish14:52
-@gerrit:opendev.org- Clark Boylan proposed: [opendev/system-config] 983740: Increase the gitea haproxy maxconn limit https://review.opendev.org/c/opendev/system-config/+/98374014:59
@clarkb:matrix.orgConsider that an RFC15:00
@clarkb:matrix.orgnow to go look at logs15:00
@mnasiadka:matrix.orgClark: just by looking at Grafana I think there was some spike exactly at 13:30 my time, which was the moment people reported problems with Gitea access - https://grafana.opendev.org/d/21a6e53ea4/zuul-status?orgId=1&from=now-6h&to=now&timezone=utc15:16
@clarkb:matrix.orgit looks like git clients were about half (maybe slightly more?) of the total traffic during 11:00-13:00 UTC which is the bulk of the prior episode. About 1/3 of the remaining traffic look to be blatant crawling. Then a good chunk of what is left is the haproxy healthchecks, internal gitea http calls back to itself, pip, more well behaved bots, and a few actual browsers15:18
@clarkb:matrix.orgI do wonder if this was a flood of git client requests which while generally cheaper a sufficient number of them would cause problems15:22
@clarkb:matrix.orgI note that OSA updates the git user agent to identify itself. Thank you for that!15:22
@mnasiadka:matrix.orgWould it make sense to do that for every project in some central place?15:31
@clarkb:matrix.orgI don't know if it can be centralized. I think it is some part of the git config? But yes adding that to zuul and kolla and anywhere else we potentially use a lot of git may be helpful15:32
@clarkb:matrix.orgfwiw it looks like we have a fairly steady amount of requests in the 09:00 hour with the vast majority being from git clients. Then there is a slight increase in the 10:00 hour up until about 10:30 ish and then it falls off like a cliff. This behavior does make me think like we're just slowly reaching our limits and then when things start to queue it all goes sideways?15:34
@clarkb:matrix.organd about 10:34-10:35 is when request counts drop off signficantly15:37
@mnasiadka:matrix.orgI guess so - wonder how bumping the max connections to 8k is going to behave15:37
@mnasiadka:matrix.orgKolla should not really do a lot of git clone things - we fetch tarballs during build15:39
@mnasiadka:matrix.orgBut I can check what might need tuning to use cached copies15:39
@clarkb:matrix.orgya I suspect it isn't kolla simply because we've never identify kolla as causing problems in the past15:39
@clarkb:matrix.orglooks like at around 10:59 the load balancer starts logging conntrack table full issues15:40
@clarkb:matrix.orgso I think we effectively start having things queue up because we're not keeping up15:40
@clarkb:matrix.orgthis is probably tolerated for some time but things slow down. Then we go over the cliff where the ability to keep up is outpaced by the requests coming in. Eventually contrack gets sad and things get worse15:40
@clarkb:matrix.orgif we increase the limits then maybe we can keep up better particularly if the backends are never really in trouble during the early portion of this situation15:41
@clarkb:matrix.orgbut of course a big enough ddos will likely tip things over again. But if we can give ourselves more breathing room I suspect that is worth a try15:41
@clarkb:matrix.orgI also notice that within a relatively short period of time (like half an hour) we've got a bunch of requests to update repos like python-barbicanclient that all send the same amount of data and have the same git version user agent. I wonder if this is less the web crawler dos and more the problem of having someone do an update of all their git repos in the datacenter for 10k nodes at the same time without a local cache. I'll see if I can classify some of these requests to narrow it down15:46
@mnasiadka:matrix.orgWell, there was a report from somebody on #zuul:opendev.org that their ,,private'' Zuul had problems updating git cache of opendev.org located repositories15:47
@mnasiadka:matrix.orgI haven't looked at my downstream Zuul, but I also have a lot of opendev repos defined to be able to run upstream defined jobs in my downstream forks15:47
@clarkb:matrix.orgmnasiadka: ya that was tristanC which I suspect is the softwarefactory zuul. I think that is one possibility too vs someone updating a bunch of deployment nodes or whatever. In theory zuul is good about caching things, but if you queue up enough zuul jobs then maybe15:48
@clarkb:matrix.orgbut if I can map a few IP addresses maybe we can say more definitively15:48
@clarkb:matrix.orgok it looks like trunk-builder-centos9.rdoproject.org may be the thing requesting python-barbican updates 100 times an hour. That said its overall requset count is quite low compared to the total so I'm less convinced this is part of the problem. Just one of the things happening when everything else is happening. I'15:55
@clarkb:matrix.org* ok it looks like trunk-builder-centos9.rdoproject.org may be the thing requesting python-barbican updates 100 times an hour. That said its overall requset count is quite low compared to the total so I'm less convinced this is part of the problem. Just one of the things happening when everything else is happening. I'll keep digging15:55
@fungicide:matrix.orgfwiw, i'm getting very slow responses for git operations at the moment16:16
@clarkb:matrix.orgaccording to https://grafana.opendev.org/d/1f6dfd6769/opendev-load-balancer?orgId=1&from=now-24h&to=now&timezone=utc we've reentered the bad behavior situation16:22
@clarkb:matrix.orgbut I've got a new theory for what is going on. Earlier when I was looking at logs I was looking at logs from gitea itself which means apache was prefiltering things which would explain why the vast majority of requests look good and also total request counts look ok16:22
@clarkb:matrix.orgdigging into the data on the load balancer the total requests per hour goes up by an order of magnitude. And it seems like there is a super super long tail on the ip addresses involved (so its a proper ddos)16:23
@clarkb:matrix.orgI think that maybe we don't have enough haproxy capacity to serve the 403s back and the crawlers are persistent. That is causing legit traffic to back up16:23
@clarkb:matrix.orgif there are no objections I think we can manually edit haproxy maxconn to 8000 as proposed in my change and restart haproxy to see if that changes things16:24
@clarkb:matrix.orgbut also I'm back to thinking this is crawlers and not git requests, ist just that the vast majority of valid traffic we let through to gitea is git16:24
@clarkb:matrix.orgalternatively I'm ready to take up farming16:24
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 983757: Add an osh.openstack.org redirect site https://review.opendev.org/c/opendev/system-config/+/98375716:24
@fungicide:matrix.orgClark: sounds good to me16:26
@fungicide:matrix.orgeither haproxy tuning or farming. i'm partial go goats16:26
@clarkb:matrix.orgok I'll make those changes manually on gitea-lb03 now16:26
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 983757: Add an osh.openstack.org redirect site https://review.opendev.org/c/opendev/system-config/+/98375716:27
@clarkb:matrix.orgthat is done. But we are also at the conntrack limit16:28
@fungicide:matrix.orgwhich may be a symptom of the other problem, so increasing it temporarily may be in order if restarting haproxy didn't help16:30
@clarkb:matrix.orgya we can check back in a few more minutes16:30
@clarkb:matrix.orgbut I think my assessment is this looks like a proper ddos to me the backends are idle because we're effectively saying no to the traffic that does make it that far. But the roadblock just up the way is plugged up first and not letting much through16:31
@clarkb:matrix.orgfungi: conntrack remains high and close to the limit16:33
@clarkb:matrix.orgall of our backends appear to be remaining up which is good and load there hasn't signficantly increased. Which I think continues to back up some of the thoughts/ideas/claims I've had this morning16:35
@clarkb:matrix.orgok conntrack numbers are lowest I've seen (still extremely high)16:35
@clarkb:matrix.orgoh and they are right back up at the limit again ugh16:35
@clarkb:matrix.orgbut this is the exact sort of traffic I was hoping the waf would address. Unfortunately it is also terrible at managing this sort of traffic16:37
@clarkb:matrix.orgalso looks like the napkin math between haproxy connection limits and apache worker counts is holding up16:41
@clarkb:matrix.orggitea09 is using about 2/3 of its apache worker capacity while we are at the 8k limit which is about 2/3 of the total aggregate apache limit16:42
@clarkb:matrix.orgfungi: things remain at the conntrack limit. Do you think we should increase it?16:42
@clarkb:matrix.orgI am able to navigate opendev.org just very slowly. So maybe we're ok to let it sit and see how it settles out?16:43
@fungicide:matrix.orgmemory and cpu on the lb look fine, so i don't see any reason we can't16:43
@mnasiadka:matrix.orgWell, if we want to block such things closer (on the haproxy level) - I've stumbled across haphash recently (https://github.com/dgl/haphash)16:44
@clarkb:matrix.orgmnasiadka: I think that would require us to terminate ssl on the haproxy. but maybe we've reached that point?16:44
@clarkb:matrix.orgthat said I feel like this is a losing battle no matter what we do16:44
@clarkb:matrix.orgeventually we'll need a bigger haproxy and bigger backends then they'll get a bigger botnet16:45
@clarkb:matrix.orgmakes me want to brainstorm bigger completely different ideas, But I've got none now so maybe that is a good next step16:46
@fungicide:matrix.orgi'm just hoping we can hold on until the bottom falls out of the llm training scraper market and they find something more profitable to do with those botnets that doesn't involve hammering our servers16:46
@clarkb:matrix.orgit kinda feels like we should be playing taps for the internet16:47
@fungicide:matrix.orgmnasiadka: yeah, the debian community is using a version of haphash (though they ported it to varnish for legacy reasons)16:47
@clarkb:matrix.orgall the incentives are wrong16:47
@clarkb:matrix.orgwe produce the data they want to train on, get nothing in return but more work and pain16:47
@fungicide:matrix.orgthat sounds like yet another version of how the tragedy of the commons has classically played out for open source anyway16:48
@clarkb:matrix.orgfungi: I'm comparing ss and conntrack output and there is an order of magnitude difference. ss should report not fully established connections too right?16:49
@clarkb:matrix.orgI'm mostly wondering if that is a sign that increasing the limit would be helpful16:49
@fungicide:matrix.orgthe most annoying part of this is that society had already started coming around to recognize that open source communities struggle and are woefully under-resourced, but especially in areas like code review/qa, vulnerability handling and infrastructure management, the exact activities that have gotten 10x harder with the "ai scourge"16:50
@clarkb:matrix.orgalso a single ip could git clone and fetch all refs in a reasonably small period of time. There is no reason for this16:50
@fungicide:matrix.orgss should also report half-open connections for local sockets, not necessarily anything that gets routed though (so in our case hopefully 1:1)16:51
@clarkb:matrix.org(basically the inverse of our gerrit replication to a new gitea backend which takes less than a day)16:51
@fungicide:matrix.orgbut conntrack might have leaked entries that it missed cleaning up for16:51
@fungicide:matrix.orgthat's why yesterday i suggested a reboot to completely reset the kernel's conntrack tables16:51
@fungicide:matrix.orgotherwise we have to wait for them to expire16:52
@clarkb:matrix.orgfungi: so `sudo sysctl -w net.netfilter.nf_conntrack_max=524288` to double the limit?16:52
@fungicide:matrix.orgoh, also conntrack can track sessions for non-stateful protocols (e.g. udp, icmp...)16:52
@fungicide:matrix.orgso ss won't have open sockets for those16:52
@fungicide:matrix.orgClark: yes, that ought to work16:53
@clarkb:matrix.orgbased on what I've seen I think these are largely tcp connections to the haproxy16:53
@clarkb:matrix.orgok I will try that. Current value is `net.netfilter.nf_conntrack_max = 262144` for the record16:53
@fungicide:matrix.orgit's entirely possible that the kernel times out incomplete socket handshake states faster than conntrack16:54
@fungicide:matrix.orgi don't know if there's a mechanism that synchronizes them or if they're expected to be tuned in tandem16:54
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 983757: Add an osh.openstack.org redirect site https://review.opendev.org/c/opendev/system-config/+/98375717:44
@mnasiadka:matrix.orgfungi: if you have some time to merge this stack it would be nice - https://review.opendev.org/c/opendev/zone-opendev.org/+/983609 :-)17:46
@fungicide:matrix.orgi guess we still need to figure out why the launch-node script has stopped finding the ipv6 addresses of ovh server instances17:50
@clarkb:matrix.orgthey have always had a weird ipv6 setup and I wouldn't be surprised if that just never worked17:52
-@gerrit:opendev.org- Zuul merged on behalf of Michal Nasiadka: [opendev/zone-opendev.org] 983600: Remove DNS entries for mirror02.bhs1.ovh https://review.opendev.org/c/opendev/zone-opendev.org/+/98360017:52
-@gerrit:opendev.org- Zuul merged on behalf of Michal Nasiadka: [opendev/zone-opendev.org] 983609: Add mirror04.gra1.ovh https://review.opendev.org/c/opendev/zone-opendev.org/+/98360917:53
@mnasiadka:matrix.orgClark: the script output says it’s not doing ipv6 because it’s OVH - but then it gets autoassigned?17:54
@mnasiadka:matrix.orgMaybe we just need a note to fix the script to fetch ipv6 address on the next ovh node - happy to have a look17:55
@clarkb:matrix.orgoh I wonder if we hardcoded ti because ovh was weird to not do ipv6. And now ovh has since fixed things and we can drop that17:56
@mnasiadka:matrix.orgI can also have a look tomorrow and just boot a test node which I’ll remove afterwards17:56
@clarkb:matrix.orgmnasiadka: it wouldn't surprise me if ^ is the problem. I seem to recall that the neutron api had the info but then the systems themselves didn't get that data in the config drive (and maybe not via the metadata api) and there were no RAs so nothing autoconfigured it. You have to take the output of neutron api calls and manually configure things17:57
@fungicide:matrix.orgyeah, once upon a time the ipv6 addresses in ovh weren't reported by nova17:57
@clarkb:matrix.orgif things autoconfigure now that would imply that they are using RAs or that config drive/metadata has the info now17:57
@clarkb:matrix.orgso maybe we can just drop whatever rule we had in place there? we used our flavor right? /me double checks to make sure this isn't maybe flavor specific17:58
@clarkb:matrix.orgwe did use our flavor so it isn't flavor specific17:58
@clarkb:matrix.orgI suspect we can drop whatever hack we had in place there17:58
@mnasiadka:matrix.orgI’ll have a look tomorrow :)17:59
@clarkb:matrix.orgsounds good thanks17:59
@mnasiadka:matrix.orginfra-prod-service-nameserver failed on 983609 deploy18:06
@fungicide:matrix.org`Failed to download remote objects and refs:  fatal: unable to access 'https://opendev.org/opendev/zone-zuul-ci.org/': gnutls_handshake() failed: Error in the pull function.`18:12
@fungicide:matrix.orgfrom /var/log/ansible/service-nameserver.yaml.log on bridge18:12
@clarkb:matrix.orgwee18:14
@clarkb:matrix.orgwe can probably reenqueu that safely18:14
@clarkb:matrix.organd cross fingers18:14
@clarkb:matrix.orgthough I'm not sure we should expect a different result18:14
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 983757: Add an osh.openstack.org redirect site https://review.opendev.org/c/opendev/system-config/+/98375718:15
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed on behalf of Clark Boylan: [opendev/system-config] 983740: Increase the gitea haproxy maxconn limit https://review.opendev.org/c/opendev/system-config/+/98374018:38
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 983778: Double Apache workers/connections on Gitea backend https://review.opendev.org/c/opendev/system-config/+/98377818:38
@clarkb:matrix.orgfungi: can you see my comment about updating the default value too on https://review.opendev.org/c/opendev/system-config/+/983740 I'm not sure if it matters but I figure avoid problems and just bump it as well18:42
@dpanech:matrix.orgHi, Zuul posts job logs at URLs similar to https://storage.bhs.cloud.ovh.net and others. Can I find out the host names of such external storage services? Some of my users' firewall blocks these hosts. I'd like to give them a list of exceptions. I'm with the StarlingX project.  Example: "View log" hyperlinked from here: https://zuul.opendev.org/t/openstack/build/d44f33a177d14e92818b980bcab822c9 points to some place in https://storage.bhs.cloud.ovh.net/ .18:42
@clarkb:matrix.orgdavlet: we upload the logs to swift in the rackspace cloud and the ovh cloud. We don't manage or have any real insight into what those systems are. but they are public clouds hosting the files publickly18:44
@clarkb:matrix.orgdavlet: if people have problems with specific names then you can lookup that specific name. Alternatively you can see if ovh and rackspace publish any lists of Ips for these services18:45
@clarkb:matrix.orgfungi: or I can update the change really quickly18:45
@fungicide:matrix.orgi'm already working on it18:45
@clarkb:matrix.orgack18:45
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed on behalf of Clark Boylan: [opendev/system-config] 983740: Increase the gitea haproxy maxconn limit https://review.opendev.org/c/opendev/system-config/+/98374018:46
@clarkb:matrix.orgfungi: perfect +2 on both of those from me18:47
@fungicide:matrix.orgif nobody else is on hand to review those, i'll self-approve in a bit18:48
@clarkb:matrix.orgdavlet: it looks like `storage.bhs.cloud.ovh.net` resolves to a single IP address for me that is consistent in two different location in north america an in one location in europe18:49
@clarkb:matrix.orgI can't say definitively that they don't load balance that or have different IPs in different locations since I dont' run the service but it appears to be consistent for me18:50
@clarkb:matrix.orgdmsimard: may be able to confirm that18:50
@dpanech:matrix.orgClark:  ok thanks18:51
@clarkb:matrix.orgsimilarly `storage.gra.cloud.ovh.net` reports two Ips that seem consistent in the various locations I can check18:51
@clarkb:matrix.orgI think that is the other ovh location that we use for zuul log storage18:52
@dmsimard:matrix.orgHi, I'm not sure what's the question :)18:53
@clarkb:matrix.orgdmsimard: we were curious if OVH publishes IP addresses for public endpoints like the swift object storage system18:54
@dpanech:matrix.orgClark:  I haven't encountered this "gra" one. Do these host names show up in some form in any git-controlled configuration files/repos ? Or is it just the front end URLs? Ie when you upload you use some other target URL or method? I was wondering if there was a way to scrape some source code or config files somewhere.18:54
@fungicide:matrix.org(other than merely through dns, which does indeed counk as a kind of publicaiton of course)18:54
@clarkb:matrix.orgdmsimard: we store our zuul ci logs in OVH swift and apparently some corporate networks may be blocking access to them. So wondered if there was a list somewhere we could refer to18:54
@clarkb:matrix.orgdavlet: no we don't control any of those names. We upload the files and the systems says "your file is accessible here" aiui18:55
@fungicide:matrix.orgdavlet: we also serve logs in several rackspace classic regions at the moment (dfw, iad, ord). but these also are likely to change over time. that is the nature of public cloud object storage18:55
@clarkb:matrix.orgdavlet: here is one with logs in gra https://zuul.opendev.org/t/openstack/build/20f55c3d6c03499fb1649bb917e264b6/logs18:56
@dpanech:matrix.orgClark: ok thanks18:57
@fungicide:matrix.orgit's just like if we stored/distributed logs in amazon s3, the ip addresses and dns names would change over time outside our control18:58
@dmsimard:matrix.orgI don't know if we publish these IPs somewhere but storage.bhs.cloud.ovh.net is in Canada (Beauharnois) and storage.gra.cloud.ovh.net in France (Gravelines). It's likely that anycast routing/load-balancing may provide different routes based on source/destination but that's the only thing that comes to mind.18:58
@dpanech:matrix.orgOK I'll pass that along, thanks18:59
@clarkb:matrix.orgdmsimard: thanks!19:01
@fungicide:matrix.orgit looks like amazon centrally publishes ip address ranges for s3 (i doubt ovh or rackspace do the same for their swift endpoints but could be wrong): https://ip-ranges.amazonaws.com/ip-ranges.json19:05
@dpanech:matrix.orgfungi: sorry does this have any significance for Zuul logs I asked about ?19:07
@tafkamax:matrix.orgI suppose you could add the ip-ranges to ACL allow list for ze customer... 19:08
@fungicide:matrix.orgdavlet: tangentially, amazon s3 is similar to swift in openstack public clouds, i was noting that publishing ip address ranges in machine-readable format is something that amazon does but that i don't think openstack public cloud providers have done typically19:08
@tafkamax:matrix.orgOr give the tip to add these to allow list... 19:08
@dpanech:matrix.orgfungi: ok thanks19:09
@clarkb:matrix.orgTaavi Ansper: maybe. I would also argue that over zealous corporate firewall rules are not something we're every going to solve from the outside19:11
@clarkb:matrix.orgI think davlet asking questions about what the hosts are and taking that back to their network folks is about the best we can do19:11
@fungicide:matrix.orgcorporate internet security egress filters have always been at cross-purposes with employees collaborating in open, public systems and communities19:13
@mnasiadka:matrix.orgfungi: if we can merge https://review.opendev.org/c/opendev/system-config/+/983602 as well - then I can remove it tomorrow my morning from bhs1 cloud19:14
@fungicide:matrix.orgyep, that looks safe to go in now, thanks!19:15
@clarkb:matrix.orgfungi: I'm still eating lunch it looks like the changes may pass in ~15 minutes or so. YOu said you could approvethem?19:22
@fungicide:matrix.orgyeah, will do19:26
@clarkb:matrix.orglooks like changes passed. You still going to approve them or should I? I ended up getting distracted by my computer while eating19:42
@fungicide:matrix.orgapproved now19:44
@clarkb:matrix.orgheh I think we both approved the first one (which is fine)19:44
-@gerrit:opendev.org- Zuul merged on behalf of Michal Nasiadka: [opendev/system-config] 983602: Remove mirror02.bhs1.ovh https://review.opendev.org/c/opendev/system-config/+/98360219:57
@clarkb:matrix.orgfungi: would it be helpful if I took a quick stab at updating the gitea http refactor to restart on app.ini updates?20:27
@fungicide:matrix.orghah, i was just typing up a question for you on that20:27
@clarkb:matrix.orgI know you were going to look at that but everything sort of went sideways20:27
@clarkb:matrix.orgOh cool20:27
@fungicide:matrix.orgdo i need to move the "Get list of image IDs post pull" task into a handler?20:27
@clarkb:matrix.orgNo handlers run after all normal tasks and I think we want this running early20:28
@fungicide:matrix.orgor just expand the when condition in "Stop/Start gitea safely for Gerrit replication"20:28
@clarkb:matrix.orgI think you can add a register to the app.ini template task then update the when condition to say or when app.ini  is changed20:28
@fungicide:matrix.orgwhat's the common pattern for checking whether a file got updated?20:28
@fungicide:matrix.orgaha, that's what i was looking for20:28
@fungicide:matrix.orgthanks!20:28
@clarkb:matrix.orgYa the `changed` attribute of what you register should be true when the files updates. False when the file is the same20:29
@fungicide:matrix.organsible uses || and && for logical operations in compound conditionals?20:29
@clarkb:matrix.orghttps://docs.ansible.com/projects/ansible/latest/reference_appendices/common_return_values.html#changed20:30
@clarkb:matrix.orgIt's jinja https://jinja.palletsprojects.com/en/stable/templates/#logic so and and or I think20:31
@fungicide:matrix.orgthanks, i found examples of that in the repo20:33
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 983134: Remove intermediate HTTPS layer for Gitea backends https://review.opendev.org/c/opendev/system-config/+/98313420:35
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 983061: Apply Anubis to the Gitea backend servers https://review.opendev.org/c/opendev/system-config/+/98306120:37
@clarkb:matrix.orgThat looks about right. Let's see if zuul is happy with it20:38
@fungicide:matrix.orgi didn't move /var/lib/anubis to /var/anubis since there doesn't seem to be consensus (and also you used /var/lib for the anubis implementation with mailman)20:39
@clarkb:matrix.orgYup I think that's fine20:41
@clarkb:matrix.orgI wanted to note it as a thing but I don't feel strongly it should change20:41
@clarkb:matrix.orgfungi: any reason to not add inventory hostname to the domains list?20:42
@fungicide:matrix.orgoh, i missed that, lemme fix, thanks20:42
@fungicide:matrix.orgaha, i think the reason i didn't do it originally before i split the changes up is that anubis wants to know the domain name... i'll look at how that worked with mailman since we have multiple domains there so we must have made it work somehow20:44
@fungicide:matrix.orgmaybe it was only a warning? we didn't set `REDIRECT_DOMAINS` for the mailman version of this...20:46
@clarkb:matrix.orgYa I think you just do something like `opendev.org,{{ inventory_hostname }}`20:46
@clarkb:matrix.orgSetting it is probably a good idea but ya maybe they just warn us20:46
@fungicide:matrix.orgi don't see it in /var/log/containers/docker-anubis.log on lists01, so i'll try leaving it out20:47
@clarkb:matrix.orgfungi: https://anubis.techaro.lol/docs/admin/configuration/redirect-domains/ there is a security note here but I'm not sure I understand it20:49
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 983061: Apply Anubis to the Gitea backend servers https://review.opendev.org/c/opendev/system-config/+/98306120:50
@fungicide:matrix.orgoh, now that i think about it, i remember seeing a vulnerability report about anubis integration in a hosting platform turning it into an open proxy20:50
@fungicide:matrix.organd setting `REDIRECT_DOMAINS` was the mitigation20:51
@fungicide:matrix.orghere we go: https://cvefeed.io/vuln/detail/CVE-2025-6158720:52
@fungicide:matrix.orgprobably not relevant for our situation20:52
@fungicide:matrix.organd was an open redirect not an open proxy, so not as bad20:53
@fungicide:matrix.orgoh, and the error message i was seeing in the log was misleading, corrected in development a few weeks ago by https://github.com/samjaninf/anubis/commit/c2ed62f20:58
@fungicide:matrix.orglooks like https://anubis.techaro.lol/docs/admin/configuration/redirect-domains/ explains the redirect logic20:59
@fungicide:matrix.orgso maybe we do want to set it for both mailman and gitea21:01
@fungicide:matrix.orgthough exploiting it looks rather convoluted21:01
@fungicide:matrix.org(for relatively little payoff)21:02
@clarkb:matrix.orgYa I think it isn't hard to set for either 21:04
@clarkb:matrix.orgIn the gitea case I have the example value above and for lists we can just list all the list domains in our variables and make it dynamic I think21:04
@fungicide:matrix.orgi'm looking to see if we have a jinja example already for how we'd do it dynamically with the mailman sites21:04
@clarkb:matrix.orgWe probably do somewhere21:05
@fungicide:matrix.orgsomething like https://opendev.org/opendev/system-config/src/commit/7de36ff/playbooks/roles/mailman3/templates/domain_aliases.j221:06
@fungicide:matrix.orgno, that's not it21:06
@clarkb:matrix.orghttps://opendev.org/opendev/system-config/src/commit/7de36ff/playbooks/roles/mailman3/templates/docker-compose.yaml.j2#L7221:07
@clarkb:matrix.orgThat maybe21:07
@fungicide:matrix.orgah, yes we have the list in https://opendev.org/opendev/system-config/src/commit/7de36ff/inventory/service/group_vars/mailman3.yaml#L87 so just need to swap `:` separators for `,`21:10
@fungicide:matrix.orgthat's simple enough21:11
@clarkb:matrix.orgyup and we're alreadydoing it in the file we want to edit for django21:12
@clarkb:matrix.orgso should be well tested arleady21:12
-@gerrit:opendev.org- Zuul merged on behalf of Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org: [opendev/system-config] 983778: Double Apache workers/connections on Gitea backend https://review.opendev.org/c/opendev/system-config/+/98377821:12
-@gerrit:opendev.org- Zuul merged on behalf of Clark Boylan: [opendev/system-config] 983740: Increase the gitea haproxy maxconn limit https://review.opendev.org/c/opendev/system-config/+/98374021:12
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 983061: Apply Anubis to the Gitea backend servers https://review.opendev.org/c/opendev/system-config/+/98306121:15
@clarkb:matrix.orgI will check on ^ in a few21:15
@clarkb:matrix.orglooks liek gitea09 has already updated its apache configs21:16
-@gerrit:opendev.org- Jeremy Stanley https://matrix.to/#/@fungicide:matrix.org proposed: [opendev/system-config] 983802: Set REDIRECT_DOMAINS for Anubis with Mailman https://review.opendev.org/c/opendev/system-config/+/98380221:19
@clarkb:matrix.org+2 from me on ^ but we should check the logs from the check job before approving it21:20
@fungicide:matrix.orgof course21:22
@clarkb:matrix.orgok apache updates are done across the backends. Next deploy buildset should update haproxy21:23
@clarkb:matrix.orgthen its a matter of monitoring going forward to make sure we haven't overdone it. if we decide we have then we can put the hosts in the emergency file and tune things back quickly. Doing so on gitea-lb03 is likely most simple and effective21:23
@clarkb:matrix.orgthe load balancer ppears to have updated as well. we did a graceful reload of haproxy so the old process and new process are running side by side. I think the old one will go away at some point though21:28
@clarkb:matrix.orgI think the old haproxy process has gone away now and all connections are using the new config at this point21:34
@clarkb:matrix.orgfungi: hrm I'm not sure we capture the value of the anubis environment or the docker-compose.yaml file anywhere in our logs21:51
@clarkb:matrix.orgwe have a checksum we can check against: https://5dce13a5d17b3a355e81-5c64cb79e45e2166ffcdcfd3b17f7c1b.ssl.cf2.rackcdn.com/openstack/b33fe879f1c246eb8985359fe9b68bcc/bridge99.opendev.org/ara-report/results/372.html but that seems error prone21:53
@fungicide:matrix.orgwe could add the compose file to log collection i suppose21:54
@fungicide:matrix.orgassuming you're looking to find out if the list expansion worked as intended21:55
@clarkb:matrix.orgyes that was the main thing. The other thought I had was "add a testinfra test case that exercises this request as if you were a browser" then realized thats the thing everyone hitting anubis wants to do and isn't doing yet and I don't want to help them :)21:55
@fungicide:matrix.orgwe have one of those in the gitea testinfra, just not in mailman's22:05
@fungicide:matrix.orgwell, we have a test that sets a ua in curl to look like a generic graphical browser and then checks to see if it gets back content that looks like the anubis proxy challenge22:08
@fungicide:matrix.orgit's not an end-to-end exercise of the anubis challenge/response/redirect handshake no22:09
@fungicide:matrix.orgmerely enough to confirm that browsers will get anubis kicking in and plain curl will get passed straight through22:10
@clarkb:matrix.orgya I think to test the domain stuff you have to succeed with the challenge22:10
@fungicide:matrix.orgwhich also makes me wonder why more of these crawlers don't just masquerade as curl (or maybe they do and we simply haven't noticed)22:10
@clarkb:matrix.orgonce you succeed the challenge it goes to redirect you and if the redirect is not valid you get an error. At least that is what I recall from testing the held gitea99 node and going to gitea99.opendev.org via a socks proxy instead of opendev.org22:11
@fungicide:matrix.orgright, that would certainly be a lot harder, and is indeed what the crawlers would probably like to be doing themselves22:11
@fungicide:matrix.orgmaybe we could instrument it with selenium or similar22:11
@fungicide:matrix.orgi can also just add a dnm change on top of the stack and hold a node, but will save that for tomorrow, it's getting late here22:13
@clarkb:matrix.orgyup that may be simplest and yes you should take a break22:14
-@gerrit:opendev.org- Zuul merged on behalf of James E. Blair https://matrix.to/#/@jim:acmegating.com: [zuul/zuul-jobs] 983641: Record filesystem free space in dstat https://review.opendev.org/c/zuul/zuul-jobs/+/98364122:28
« Tuesday, 2026-04-07 Index Thursday, 2026-04-09 »

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!