You are browsing a read-only backup copy of Wikitech. The live site can be found at


From Wikitech-static
< User:Jbond
Revision as of 14:48, 7 June 2022 by imported>Jbond (→‎mw server)
Jump to navigation Jump to search




Sampled-1000.json on centrallog1001

nice summary

tail -f sampled-1000.json | /home/legoktm/webreq-filter

Grep-able oputput

$ jq  -r "[.uri_path,.hostname,.user_agent,.ip] | @csv" /srv/log/webrequest/sampled-1000.json

Selecte all public_cloud nets with 429

$ tail -n10000 /srv/weblog/webrequest/sampled-1000.json | jq -r 'select(.http_status == "429") | select(.x_analytics | contains("public_cloud=1"))'

Select all requests with a specific user_agent and .referer

$ jq -r 'if .user_agent == "-" and .referer == "-" then [.uri_path,.hostname,.user_agent,.ip] else empty end | @csv' /srv/log/webrequest/sampled-1000.json

List of the top 10 IPs by response size

$ head -n 2560000 /srv/log/webrequest/sampled-1000.json | jq -r '.ip + " " + (.response_size | tostring)' | awk '{ sum[$1] += $2 } END { for (ip in sum) print sum[ip],ip }' | sort -nr | head -10



$ tail -f  /srv/log/webrequest/5xx.json | jq "[.uri_host, .uri_path, .uri_query, .http_method, .ip, .user_agent] | @csv"

mw server

list all ips which have made more the 100 large requests

$ awk '$2>60000 {print $11}' /var/log/apache2/other_vhosts_access.log | sort | uniq -c | awk '$1>100 {print}'

MediaWiki Shell

$ ssh mwmaint1002
$ mwscript maintenance/shell.php --wiki=enwiki


>>> var_dump($wgUpdateRowsPerQuery);
=> null

One of purge

On mwmaint1002, run:

$ echo '' | mwscript purgeList.php


LVS Server

Sample 100k pkts and list top talkers

$ sudo tcpdump -i enp4s0f0 -pn -c 100000 | sed -r 's/.* IP6? //;s/\.[^\.]+ .*//' | sort | uniq -c | sort -nr | head -20

Testig a site agains a specific lvs

$ curl --connect-to "::text-lb.${site}"$RANDOM

CP Server

Query for specific status code

$ sudo varnishncsa -n frontend -g request -q 'RespStatus eq 429'

Custom format with client IP address

$ sudo -i varnishncsa -n frontend -g request -q 'RespStatus eq 429' -F '%{X-Client-IP}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\" \"%{X-Forwarded-Proto}i\""'

Or the much more verbos version

$ sudo varnishlog -n frontend -g request -q 'RespStatus eq 429'

Check the connection tuples for the varnish

$ sudo ss -tan 'sport = :3120' | awk '{print $(NF)" "$(NF-1)}' | sed 's/:[^ ]*//g' | sort | uniq -c

The number of avaible ports which also maps to tuples is available from if the number above is equal to approaching the number of available ports from below then there could ba en issue

$ cat /proc/sys/net/ipv4/ip_local_port_range

Checking sites from CP server

You can use curl from the cp serveres to ensure you fiut the front end/back end cache and for it to hit fetch a specific site with the following commands

Using $RANDOM below prevents us from hitting the cache


$ curl --connect-to "::$HOSTNAME"$RANDOM


$ curl --connect-to "::$HOSTNAME:3128"   -H "X-Forwarded-Proto: https""$RANDOM

Proxed web service

Show all request and response headeres on loopback

$ sudo stdbuf -oL -eL /usr/sbin/tcpdump -Ai lo -s 10240 "tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)" | egrep -a --line-buffered ".+(GET |HTTP\/|POST )|^[A-Za-z0-9-]+: " | perl -nle 'BEGIN{$|=1} { s/.*?(GET |HTTP\/[0-9.]* |POST )/\n$1/g; print }'


show full body

$ sudo stdbuf -oL -eL /usr/sbin/tcpdump -Ai lo -s 10240 "tcp port 8001 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)"


Check the pooled state


$ confctl select service=thumbor get


$ confctl select dc=eqiad,cluster=cache_text,service=varnish-be,name=cp1052.eqiad.wmnet get



Check log files /var/log/pybal.log on lvs servers


display locks

SELECT a.datname,
         age(now(), a.query_start) AS "age",
FROM pg_stat_activity a
JOIN pg_locks l ON =
ORDER BY a.query_start;

show blocked by waiting on lock

SELECT     AS blocked_pid,
         blocked_activity.usename  AS blocked_user,     AS blocking_pid,
         blocking_activity.usename AS blocking_user,
         blocked_activity.query    AS blocked_statement,
         blocking_activity.query   AS current_statement_in_blocking_process
   FROM  pg_catalog.pg_locks         blocked_locks
    JOIN pg_catalog.pg_stat_activity blocked_activity  ON =
    JOIN pg_catalog.pg_locks         blocking_locks 
        ON blocking_locks.locktype = blocked_locks.locktype
        AND blocking_locks.database IS NOT DISTINCT FROM blocked_locks.database
        AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation
        AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple
        AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid
        AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid
        AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid
        AND blocking_locks.objid IS NOT DISTINCT FROM blocked_locks.objid
        AND blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid
        AND !=
    JOIN pg_catalog.pg_stat_activity blocking_activity ON =
   WHERE NOT blocked_locks.granted;

get table sizes

SELECT nspname || '.' || relname AS "relation",
      pg_size_pretty(pg_relation_size(C.oid)) AS "disk size", 
      pg_size_pretty( pg_total_relation_size(nspname || '.' || relname)) AS "size" 
    FROM pg_class C
    LEFT JOIN pg_namespace N ON (N.oid = C.relnamespace)
   WHERE nspname IN ('public')
    ORDER BY pg_relation_size(C.oid) DESC;


Use the following to capture DHCP traffic regarding a specific client mac. in the following the mac address was aa:00:00:d9:81:8a. We just use the last 4 bytes (00:d9:81:8a) in the filter below

$ sudo tcpdump -i ens5 -vvv -s 1500 '((port 67 or port 68) and (udp[38:4] = 0x00d9818a))'

iPXE cli

While booting press ctrl+b to drop you into the iPXE shell. you may be required to use the advanced console connections options