Incidents/2022-06-21 asw-a2-codfw accidental power cycle
document status: in-review
Summary
| Incident ID | 2022-06-21 asw-a2-codfw accidental power cycle | Start | 2022-06-21 14:32:00 |
|---|---|---|---|
| Task | T309957 | End | 2022-06-21 14:43:00 |
| People paged | 0 | Responder count | 4 |
| Coordinators | XioNoX | Affected metrics/SLOs | |
| Impact | For 11 minutes, one of the Codfw server racks lost network connectivity. Among the affected servers was an LVS host. Another LVS host in Codfw automatically took over its load balancing responsibility for wiki traffic. During the transition, there was a brief increase in latency for regions served by Codfw (Mexico, and parts of US/Canada). | ||
During regular maintenance, there was a (scheduled) loss of power redundancy on the codfw-A1 server rack around 14:32:00 UTC.
While the servers in this rack did not lose power (given a redundant power supply), they did fully lose network connectivity and thus effectively went down. This happened because the second power cable for the ASW network switch was not plugged all the way in, resulting in an unscheduled full loss of the switch for that rack, and hence the rack's network connectivity.
Happily, higher-level service redundancy worked as expected:
- regarding LVS, lvs2010 automatically took over from lvs2007, for CDN traffic to Codfw. There was a very temporary increase on response latency for on-the-fly Codfw requests until traffic stabilized.
- ns1 DNS server was automatically moved to Eqiad, should not have any user impact.
- Most A2 servers alerted about loss of power redundancy, but having 2 power supplies they didn't go down.
- App servers could have been affected more, latency-wise while they were automatically depooled, but they were not serving production traffic at this time as Eqiad is the primary DC.
After the secondary power cord was properly connected, connectivity recovered with no issues. Maintenance finished at 15:01.
Scorecard
| Question | Answer
(yes/no) |
Notes | |
|---|---|---|---|
| People | Were the people responding to this incident sufficiently different than the previous five incidents? | no | |
| Were the people who responded prepared enough to respond effectively | yes | ||
| Were fewer than five people paged? | yes | Not paging | |
| Were pages routed to the correct sub-team(s)? | no | Not paging | |
| Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours. | yes | Not paging | |
| Process | Was the incident status section actively updated during the incident? | no | No working doc |
| Was the public status page updated? | no | not user facing | |
| Is there a phabricator task for the incident? | yes | ||
| Are the documented action items assigned? | no | ||
| Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence? | yes | ||
| Tooling | To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are
open tasks that would prevent this incident or make mitigation easier if implemented. |
no | |
| Were the people responding able to communicate effectively during the incident with the existing tooling? | yes | ||
| Did existing monitoring notify the initial responders? | yes | ||
| Were the engineering tools that were to be used during the incident, available and in service? | yes | ||
| Were the steps taken to mitigate guided by an existing runbook? | no | ||
| Total score (count of all “yes” answers above) | 8 | ||