openSUSE admin

For debugging, I am using the hel2.i.o.o proxy server (currently the internal backup and also where I attempted the glibc rollback) and the netbox1.i.o.o backend (very low traffic and not yet used for production).

tcpdump on a backend piped into Wireshark shows something like the following around the second HAProxy reports the health check failure:

6580    19:23:55.134169 2a07:de40:b27e:1211::a  2a07:de40:b27e:1203::11 TCP 94  [TCP Retransmission] 443 → 54390 [SYN, ACK] Seq=0 Ack=1 Win=64260 Len=0 MSS=1440 SACK_PERM TSval=2834215675 TSecr=1741091386 WS=128
6581    19:23:55.135931 2a07:de40:b27e:1203::11 2a07:de40:b27e:1211::a  TCP 74  54390 → 443 [RST] Seq=1 Win=0 Len=0

From what I read online, the RST is expected, it is what HAProxy uses to quickly end health checks.
The TCP Retransmission however does not seem quite right.

At one occurrence there was a duplicate ACK as well, but that does not seem to happen as often.

With this information, I also found something I did not spot in the monitoring before - the TCP Retransmission rate on the backend is visibly higher since when the problems started:

https://monitor.opensuse.org/grafana/d/rYdddlPWk/node-metrics?orgId=1&var-DS_PROMETHEUS=default&var-job=nodes&var-node=netbox1.infra.opensuse.org&var-diskdevices=%5Ba-z%5D%2B%7Cnvme%5B0-9%5D%2Bn%5B0-9%5D%2B%7Cmmcblk%5B0-9%5D%2B&from=1717349583894&to=1717522383894&viewPanel=104

(the orange part)

It's noticeable on the proxy server as well, but not as much:

https://monitor.opensuse.org/grafana/d/rYdddlPWk/node-metrics?orgId=1&var-DS_PROMETHEUS=default&var-job=nodes&var-node=hel2.infra.opensuse.org&var-diskdevices=%5Ba-z%5D%2B%7Cnvme%5B0-9%5D%2Bn%5B0-9%5D%2B%7Cmmcblk%5B0-9%5D%2B&from=1717349692329&to=1717522492329&viewPanel=104

This brings my attention to the firewall, asgard1:

https://monitor.opensuse.org/grafana/d/rYdddlPWk/node-metrics?orgId=1&var-DS_PROMETHEUS=default&var-job=nodes&var-node=asgard1.infra.opensuse.org&var-diskdevices=%5Ba-z%5D%2B%7Cnvme%5B0-9%5D%2Bn%5B0-9%5D%2B%7Cmmcblk%5B0-9%5D%2B&from=1717436163497&to=1717522563497&viewPanel=104

On the hypervisor running the backend and proxy server I am troubleshooting with, as well as on the hypervisor hosting the firewall, no issues with the network bonding are noticeable:

falkor22 (Hypervisor):~ # grep -E '^(MII S|Link)' /proc/net/bonding/bond-fib
MII Status: up
MII Status: up
Link Failure Count: 0
MII Status: up
Link Failure Count: 0

orbit20 (Hypervisor):~ # grep -E '^(MII S|Link)' /proc/net/bonding/bond-fib
MII Status: up
MII Status: up
Link Failure Count: 0
MII Status: up
Link Failure Count: 0

On the hypervisor running the firewall, some updates were installed as well:

orbit20 (Hypervisor):~ # grep ^2024-06-04 /var/log/zypp/history
2024-06-04 01:05:35|command|root@orbit20|'zypper' 'patch' '-y' '--auto-agree-with-product-licenses' '--category' 'security'|
2024-06-04 01:05:35|install|glibc|2.31-150300.83.1|x86_64||repo-sle-update|1278b347a1da5f21c19740d4f09cce456252985ae7f6f94302a4d12589f22ece|
2024-06-04 01:05:36|install|glibc-locale-base|2.31-150300.83.1|x86_64||repo-sle-update|782c994c42c27b7c1e8b1cf68ab61ea6a080d1e829594748789d9367fb5fbcc3|
2024-06-04 01:05:39|install|glibc-locale|2.31-150300.83.1|x86_64||repo-sle-update|a5bd9f6d2f87df5ab2eb3adef917fcd26f99eac3079c60e648fb7e2c83729353|
2024-06-04 01:05:39|patch  |openSUSE-SLE-15.5-2024-1895|1|noarch|repo-sle-update|important|security|needed|applied|

orbit20 (Hypervisor):~ # zypper ps -s
The following running processes use deleted files:

PID   | PPID | UID | User       | Command            | Service
------+------+-----+------------+--------------------+----------
1332  | 1    | 499 | messagebus | dbus-daemon        | dbus
20866 | 1    | 0   | root       | virtlogd           | virtlogd
21093 | 1    | 107 | qemu       | qemu-system-x86_64 |
21096 | 1    | 0   | root       | virtlockd          | virtlockd

Did full updates + reboot on firewalls and their hypervisors now (usually I would do this every other weekend, but maybe it helps here).

On a first glance (~20 minutes after the update/reboot dance), this seems to have done the trick. Monitoring shows no retransmissions since and neither did the health checks flap. But going to continue actively monitoring for a while ...

Same network behavior can be observed (increased amount of RetransSeg spikes):

https://monitor.opensuse.org/grafana/d/rYdddlPWk/node-metrics?orgId=1&var-DS_PROMETHEUS=default&var-job=nodes&var-node=asgard1.infra.opensuse.org&var-diskdevices=%5Ba-z%5D%2B%7Cnvme%5B0-9%5D%2Bn%5B0-9%5D%2B%7Cmmcblk%5B0-9%5D%2B&from=1718623624479&to=1718710024479&viewPanel=104

Curiously, this time no updates were installed in the last 1-2 days on any of the involved machines (proxy servers, backends, hypervisors - only the firewalls and their hypervisors received their 15.6 upgrade yesterday, but including a full reboot).

Behavior is still present, submitted https://gitlab.infra.opensuse.org/infra/salt/-/merge_requests/2115 to lower the alerting level until this is solved. Once it is, the patch should be reverted.