2023-05-17: Unable to create repo in pre.gitlab.com
Current Status
QA pipelines started failing on a step to create repos on pre.gitlab.com. Initial discovery showed a lot of OOM kills from git processes. We tried to upgrade the instance type, but now gitaly-01-sv-pre.c.gitlab-pre.internal is failing to get registered with chef with the following permission errors:
May 17 02:48:02 gitaly-01-sv-pre google_metadata_script_runner[2458]: startup-script: + gcloud --project=gitlab-pre kms decrypt --keyring=gitlab-pre-bootstrap --location=global --key=gitlab-pre-bootstrap-validation --plaintext-file=/etc/chef/validation.pem --ciphertext-file=/tmp/validation.enc
May 17 02:48:02 gitaly-01-sv-pre systemd[1]: Started snap.google-cloud-sdk.gcloud.76a1cd80-65c3-4b11-94ce-37c0eb0bade2.scope.
May 17 02:48:04 gitaly-01-sv-pre google_metadata_script_runner[2458]: startup-script: ERROR: (gcloud.kms.decrypt) PERMISSION_DENIED: Request had insufficient authentication scopes.
May 17 02:48:04 gitaly-01-sv-pre google_metadata_script_runner[2458]: startup-script: - '@type': type.googleapis.com/google.rpc.ErrorInfo
May 17 02:48:04 gitaly-01-sv-pre google_metadata_script_runner[2458]: startup-script: domain: googleapis.com
May 17 02:48:04 gitaly-01-sv-pre google_metadata_script_runner[2458]: startup-script: metadata:
May 17 02:48:04 gitaly-01-sv-pre google_metadata_script_runner[2458]: startup-script: method: google.cloud.kms.v1.KeyManagementService.Decrypt
May 17 02:48:04 gitaly-01-sv-pre google_metadata_script_runner[2458]: startup-script: service: cloudkms.googleapis.com
May 17 02:48:04 gitaly-01-sv-pre google_metadata_script_runner[2458]: startup-script: reason: ACCESS_TOKEN_SCOPE_INSUFFICIENT
May 17 02:48:04 gitaly-01-sv-pre google_metadata_script_runner[2458]: startup-script:
This was fixed by assigning the KMS API access scope: #14397 (comment 1393371263)
A revert of cgroup configs in gitaly pre was pushed to avoid cgroup limits: https://gitlab.com/gitlab-com/gl-infra/chef-repo/-/merge_requests/3490
A subsequent run of the QA pipeline on preprod succeeded: https://ops.gitlab.net/gitlab-org/quality/preprod/-/pipelines/1943913, indicating recovery of gitaly in pre.
More information will be added as we investigate the issue. For customers believed to be affected by this incident, please subscribe to this issue or monitor our status page for further updates.
📚 References and helpful links
Recent Events (available internally only):
- Feature Flag Log - Chatops to toggle Feature Flags Documentation
- Infrastructure Configurations
- GCP Events (e.g. host failure)
Deployment Guidance
- Deployments Log | Gitlab.com Latest Updates
- Reach out to Release Managers for S1/S2 incidents to discuss Rollbacks, Hot Patching or speeding up deployments. | Rollback Runbook | Hot Patch Runbook
Use the following links to create related issues to this incident if additional work needs to be completed after it is resolved:
- Corrective action ❙ Infradev
- Incident Review ❙ Infra investigation followup
- Confidential Support contact ❙ QA investigation
Note: In some cases we need to redact information from public view. We only do this in a limited number of documented cases. This might include the summary, timeline or any other bits of information, laid out in our handbook page. Any of this confidential data will be in a linked issue, only visible internally. By default, all information we can share will be public, in accordance with our transparency value.
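The ACCESS_TOKEN_SCOPE_INSUFFICIENT failure in the startup-script log above can be caught before the `gcloud kms decrypt` step runs. The following is an added example, not part of the original issue or of GitLab's bootstrap script: a POSIX shell preflight that checks the scopes on the instance's service-account token and classifies a denial from log text. The function names and the sample scope list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not GitLab's bootstrap code). Function names are hypothetical.

# Fetch the scopes of the default service account, one URL per line.
# Only works on a GCE instance; defined here but not called at load time.
fetch_scopes() {
  curl -sf -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Read a scope list on stdin; succeed if a scope that permits Cloud KMS
# calls (the KMS scope or the broad cloud-platform scope) is present.
has_kms_scope() {
  while IFS= read -r scope || [ -n "$scope" ]; do
    case "$scope" in
      https://www.googleapis.com/auth/cloudkms|\
      https://www.googleapis.com/auth/cloud-platform) return 0 ;;
    esac
  done
  return 1
}

# Read startup-script log text on stdin and name the kind of denial.
# "scope" means the token lacks an access scope: granting IAM roles will
# not help, the instance's scopes must change.
classify_denial() {
  log=$(cat)
  case "$log" in
    *ACCESS_TOKEN_SCOPE_INSUFFICIENT*) echo scope ;;
    *PERMISSION_DENIED*)               echo other-permission-denied ;;
    *)                                 echo none ;;
  esac
}

# Constructed sample: a scope list without any KMS-capable scope.
SAMPLE_SCOPES_NO_KMS='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write'

# Two message bodies copied from the log excerpt on this page.
SAMPLE_LOG='startup-script: ERROR: (gcloud.kms.decrypt) PERMISSION_DENIED: Request had insufficient authentication scopes.
startup-script: reason: ACCESS_TOKEN_SCOPE_INSUFFICIENT'

# Intended use in a startup script, before the decrypt step:
#   fetch_scopes | has_kms_scope || { echo 'token lacks a KMS scope' >&2; exit 1; }
```

Failing fast here turns a confusing chef registration failure into an explicit message about instance scopes.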