Incidents/2023-05-02 Phabricator outage during GitLab maintenance

document status: draft

Summary

Incident metadata (see Incident Scorecard)
Incident ID	2023-05-02 Phabricator outage during GitLab maintenance	Start	2023-05-02 08:14
Task	T333347	End	2023-05-02 08:24
People paged	0	Responder count	4
Coordinators	Eoghan, Jelto	Affected metrics/SLOs
Impact	For approximately 10 minutes Phabricator tasks were not loading when GitLab was in maintenance mode.

During a planned GitLab maintenance to switch the main GitLab host from codfw to eqiad Phabricator users noticed that they were not able to load tasks, instead seeing an ""Unhandled Exception ("RuntimeException")" message.

The following errors were observed in the logs:

Invalid argument supplied for foreach()` `called at [<wmf-ext-misc>/src/customfields/GitLabPatchesCustomField.php:113]

fatal: unable to access 'https://gitlab.wikimedia.org/toolforge-repos/toolpilot.git/': The requested URL returned error: 502

Based on the above findings a decision was made to abandon the planned maintenance and take GitLab out of maintenance mode. This resulted in Phabricator tasks loading as expected, other than a short caching period for already open tasks.

The most likely cause of the incident was a Phabricator widget deployed in T324149

Timeline

All times in UTC.

08:14 OUTAGE BEGINS: first notification of Phabricator outage on IRC
08:20 Decision is made to stop the GitLab maintenance, GitLab is restarted to bring up all the services
08:24 OUTAGE ENDS: confirmation that service has been restored

Detection

The issue was brought to our attention by users in the #wikimedia-operations IRC channel. There were no automated alerts as the Phabricator service was up and pages were loading, but displaying an error instead of expected contents

Conclusions

What went well?

Stoping the maintenance and restoring the service was quick and straightforward

What went poorly?

The Phabricator widget was deployed a few days after the previous longer GitLab maintenance (eqiad to codfw). Since then we had a few shorter downtimes (e.g. security updates) and even though they were noticed (see T333347), they were brief enough to not show on our radar.

Where did we get lucky?

There was a running conference call for the GitLab maintenance so it was easy to coordinate the troubleshooting, make a decision and restore service.

Links to relevant documentation

GitLab/Failover

Actionables

T333347 will be used to troublehoot the widget behavior.

Scorecard

Incident Engagement ScoreCard
	Question	Answer (yes/no)	Notes
People	Were the people responding to this incident sufficiently different than the previous five incidents?	yes
	Were the people who responded prepared enough to respond effectively	yes
	Were fewer than five people paged?	no	No pages
	Were pages routed to the correct sub-team(s)?	no	No pages
	Were pages routed to online (business hours) engineers? Answer “no” if engineers were paged after business hours.	no	No pages
Process	Was the "Incident status" section atop the Google Doc kept up-to-date during the incident?	no	No Google doc was necessary
	Was a public wikimediastatus.net entry created?	no
	Is there a phabricator task for the incident?	yes
	Are the documented action items assigned?	yes
	Is this incident sufficiently different from earlier incidents so as not to be a repeat occurrence?	yes
Tooling	To the best of your knowledge was the open task queue free of any tasks that would have prevented this incident? Answer “no” if there are open tasks that would prevent this incident or make mitigation easier if implemented.	no	T333347
	Were the people responding able to communicate effectively during the incident with the existing tooling?	yes
	Did existing monitoring notify the initial responders?	no
	Were the engineering tools that were to be used during the incident, available and in service?	yes
	Were the steps taken to mitigate guided by an existing runbook?	yes
Total score (count of all “yes” answers above)		8