@nuvlore/extension-bds 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +202 -0
- package/README.md +3 -0
- package/agents/bds-airflow-job-status-readonly.yaml +123 -0
- package/agents/bds-disk-investigator.yaml +112 -0
- package/agents/bds-inventory-readonly.yaml +60 -0
- package/agents/bds-oncall-reporter.yaml +113 -0
- package/agents/bds-prism-service-proxy-timeout-readonly.yaml +105 -0
- package/agents/bds-scylla-tenant-bucket-readonly.yaml +104 -0
- package/agents/bds-tenant-data-operation-log-readonly.yaml +98 -0
- package/agents/bds-yarn-app-health-readonly.yaml +114 -0
- package/agents/pharos-alert-investigator.yaml +81 -0
- package/package.json +60 -0
- package/skills/bds-airflow-job-status-investigation/SKILL.md +104 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-access-runbook.md +35 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-bas-dr-runbook.md +42 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-copy-and-migration-runbook.md +63 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-job-status-runbook.md +15 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-output-runbook.md +28 -0
- package/skills/bds-airflow-job-status-investigation/references/airflow-snapshot-runbook.md +38 -0
- package/skills/bds-disk-io-alert-investigation/SKILL.md +116 -0
- package/skills/bds-hadoop-review/SKILL.md +66 -0
- package/skills/bds-machine-inventory/SKILL.md +48 -0
- package/skills/bds-oncall-followup/SKILL.md +71 -0
- package/skills/bds-oncall-followup/references/oncall-followup-runbook.md +58 -0
- package/skills/bds-prism-service-proxy-timeout-investigation/SKILL.md +73 -0
- package/skills/bds-prism-service-proxy-timeout-investigation/references/service-proxy-timeout-runbook.md +48 -0
- package/skills/bds-scylla-tenant-bucket-investigation/SKILL.md +73 -0
- package/skills/bds-scylla-tenant-bucket-investigation/references/tenant-bucket-runbook.md +91 -0
- package/skills/bds-tenant-data-operation-log-investigation/SKILL.md +89 -0
- package/skills/bds-yarn-app-health-investigation/SKILL.md +77 -0
- package/skills/bds-yarn-app-health-investigation/references/yarn-app-health-runbook.md +53 -0
- package/skills/pharos-alert-investigation/SKILL.md +80 -0
- package/src/bds-atomic-log-tools.mjs +300 -0
- package/src/bds-team-membership-claude-output.mjs +36 -0
- package/src/bds-team-membership-quality.mjs +90 -0
- package/tools/bds_airflow_dag_log_read.mjs +24 -0
- package/tools/bds_airflow_job_status_command_pack.mjs +587 -0
- package/tools/bds_bas_log_read.mjs +23 -0
- package/tools/bds_bdm_httpd_log_read.mjs +24 -0
- package/tools/bds_chef_client_log_read.mjs +23 -0
- package/tools/bds_dashboard_links.mjs +178 -0
- package/tools/bds_dashboard_query_knowledge.mjs +258 -0
- package/tools/bds_dashboard_query_read.mjs +120 -0
- package/tools/bds_disk_io_alert_command_pack.mjs +287 -0
- package/tools/bds_environment_host_lookup.mjs +741 -0
- package/tools/bds_hdfs_datanode_log_read.mjs +23 -0
- package/tools/bds_hdfs_journalnode_log_read.mjs +23 -0
- package/tools/bds_hdfs_namenode_log_read.mjs +23 -0
- package/tools/bds_hdfs_path_knowledge.mjs +324 -0
- package/tools/bds_information_source_knowledge.mjs +356 -0
- package/tools/bds_kms_log_read.mjs +23 -0
- package/tools/bds_log_path_knowledge.mjs +267 -0
- package/tools/bds_machine_inventory.mjs +434 -0
- package/tools/bds_mapreduce_historyserver_log_read.mjs +23 -0
- package/tools/bds_migration_service_operation_command_pack.mjs +233 -0
- package/tools/bds_oncall_followup_payload_draft.mjs +285 -0
- package/tools/bds_pharos_query_pack.mjs +218 -0
- package/tools/bds_portal_operation_knowledge.mjs +212 -0
- package/tools/bds_prism_clone_status_links.mjs +129 -0
- package/tools/bds_prism_service_proxy_timeout_query_pack.mjs +224 -0
- package/tools/bds_public_cloud_pod_log_read.mjs +18 -0
- package/tools/bds_scylla_tenant_bucket_command_pack.mjs +323 -0
- package/tools/bds_service_proxy_log_read.mjs +23 -0
- package/tools/bds_spark_historyserver_log_read.mjs +32 -0
- package/tools/bds_spas_mt_log_read.mjs +23 -0
- package/tools/bds_tenant_data_operation_log_command_pack.mjs +321 -0
- package/tools/bds_yarn_app_health_command_pack.mjs +529 -0
- package/tools/bds_yarn_nodemanager_log_read.mjs +23 -0
- package/tools/bds_yarn_resourcemanager_log_read.mjs +23 -0
- package/tools/bds_zookeeper_log_read.mjs +23 -0
- package/tools/confluence_handoff_page_draft.mjs +173 -0
- package/vendor/dashboard/src/grafana-dashboard-query.mjs +61 -0
- package/vendor/extension-read-only-toolkit/LICENSE +202 -0
- package/vendor/extension-read-only-toolkit/README.md +29 -0
- package/vendor/extension-read-only-toolkit/package.json +46 -0
- package/vendor/extension-read-only-toolkit/src/devops-data-paths.mjs +222 -0
- package/vendor/extension-read-only-toolkit/src/devops-diagnostics.mjs +440 -0
- package/vendor/extension-read-only-toolkit/src/enterprise-api-read.mjs +180 -0
- package/vendor/extension-read-only-toolkit/src/read-only-command-pack.mjs +1 -0
- package/vendor/extension-read-only-toolkit/src/read-only-plan.mjs +45 -0
- package/vendor/extension-read-only-toolkit/src/read-only-shell-policy.d.mts +26 -0
- package/vendor/extension-read-only-toolkit/src/read-only-shell-policy.mjs +170 -0
- package/vendor/extension-workday-infra-access/LICENSE +202 -0
- package/vendor/extension-workday-infra-access/README.md +3 -0
- package/vendor/extension-workday-infra-access/agents/workday-infra-access-readonly.yaml +183 -0
- package/vendor/extension-workday-infra-access/package.json +49 -0
- package/vendor/extension-workday-infra-access/skills/workday-infra-access/SKILL.md +102 -0
- package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-boundary-runbook.md +43 -0
- package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-runbook.md +15 -0
- package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-scylla-cloud-runbook.md +39 -0
- package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-spc-argo-runbook.md +99 -0
- package/vendor/extension-workday-infra-access/src/workday-access-profiles.mjs +194 -0
- package/vendor/extension-workday-infra-access/tools/aws_cust_federated_readonly_command_pack.mjs +234 -0
- package/vendor/extension-workday-infra-access/tools/gcp_readonly_command_pack.mjs +167 -0
- package/vendor/extension-workday-infra-access/tools/public_cloud_access_status.mjs +48 -0
- package/vendor/extension-workday-infra-access/tools/workday_boundary_login.mjs +460 -0
- package/vendor/extension-workday-infra-access/tools/workday_private_cloud_sudo_readonly_command.mjs +386 -0
- package/vendor/extension-workday-infra-access/tools/workday_public_cloud_environment_map.mjs +189 -0
- package/vendor/extension-workday-infra-access/tools/workday_public_cloud_kubernetes_read.mjs +297 -0
- package/vendor/extension-workday-infra-access/tools/workday_public_cloud_spc_login.mjs +505 -0
- package/vendor/extension-workday-infra-access/tools/workday_spc_argo_readonly_command_pack.mjs +215 -0
- package/vendor/extension-workday-infra-access/workflows/public-cloud-readonly-investigation.js +99 -0
- package/workflows/bds-airflow-job-status-investigation.js +168 -0
- package/workflows/bds-disk-io-alert-investigation.js +173 -0
- package/workflows/bds-oncall-followup.js +112 -0
- package/workflows/bds-prism-service-proxy-timeout-investigation.js +69 -0
- package/workflows/bds-scylla-tenant-bucket-investigation.js +139 -0
- package/workflows/bds-tenant-data-operation-log-investigation.js +189 -0
- package/workflows/bds-yarn-app-health-investigation.js +217 -0
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: bds-prism-service-proxy-timeout-investigation
|
|
3
|
+
description: Use for Prism Spark on K8s driver BdsCipherClient generateKey/decrypt read timeouts against BDS bds-service-proxy, especially PRISM Delta commit failures with SocketTimeoutException or KMSClientException.
|
|
4
|
+
allowed-tools:
|
|
5
|
+
- Read
|
|
6
|
+
- Glob
|
|
7
|
+
- Grep
|
|
8
|
+
- mcp__devops_tool__bds_prism_service_proxy_timeout_query_pack
|
|
9
|
+
- mcp__devops_tool__jira_api_read
|
|
10
|
+
- mcp__devops_tool__kubernetes_status_snapshot
|
|
11
|
+
- mcp__devops_tool__remote_readonly_command
|
|
12
|
+
---
|
|
13
|
+
|
|
14
|
+
# BDS Prism Service-Proxy Timeout Investigation
|
|
15
|
+
|
|
16
|
+
Use this skill when a Prism ticket, Slack thread, or Chiron attachment shows
|
|
17
|
+
Prism Spark on K8s failing with `BdsCipherClient.generateKey`,
|
|
18
|
+
`BdsCipherClient.decrypt`, `java.net.SocketTimeoutException`,
|
|
19
|
+
`KMSClientException: Read timed out`, or Delta commit aborts while calling BDS
|
|
20
|
+
`bds-service-proxy`.
|
|
21
|
+
|
|
22
|
+
## System Boundary
|
|
23
|
+
|
|
24
|
+
The normal request path is:
|
|
25
|
+
|
|
26
|
+
`Prism Spark on K8s driver -> BdsCipherClient -> bds-service-proxy -> tenant key/decrypt backend`
|
|
27
|
+
|
|
28
|
+
A Prism driver `SocketTimeoutException` proves the client waited too long for a
|
|
29
|
+
response. It does not by itself prove `bds-service-proxy` was down or slow.
|
|
30
|
+
Correlate it with service-proxy logs before assigning BDS service impact.
|
|
31
|
+
|
|
32
|
+
Load `references/service-proxy-timeout-runbook.md` only for SPC/Jira access,
|
|
33
|
+
historical log retention, Prism/OMS RBAC, and output-table details.
|
|
34
|
+
|
|
35
|
+
## Rules
|
|
36
|
+
|
|
37
|
+
- Stay read-only. Do not mutate Jira, Kubernetes, pods, services, tenant state,
|
|
38
|
+
bucket data, or local cluster files.
|
|
39
|
+
- This skill defines the flow; the atomic helper tool only emits validated read-only
|
|
40
|
+
Jira/Kubernetes query inputs.
|
|
41
|
+
- Use Jira GET only and never print Jira tokens or Keychain payloads.
|
|
42
|
+
- For customer SPC sessions, use the plan/runbook path, verify Kubernetes
|
|
43
|
+
context, `auth whoami`, and namespace `auth can-i` before reading evidence.
|
|
44
|
+
- Do not rely on `kubectl logs` as negative evidence until the first returned
|
|
45
|
+
timestamp proves it covers the incident window.
|
|
46
|
+
- If Kubernetes logs start after the incident window, use the runbook's bounded
|
|
47
|
+
pod-local rotated-log reads. Do not copy logs out or write files.
|
|
48
|
+
- Separate client-side Prism timeout, service-side errors, same-tenant
|
|
49
|
+
traffic, and Prism/OMS wrapper errors.
|
|
50
|
+
|
|
51
|
+
## Workflow
|
|
52
|
+
|
|
53
|
+
1. Parse Jira key, cluster, tenant, CID, Spark appId, Prism pod label, activity
|
|
54
|
+
id, and incident UTC from Slack/Jira/Chiron.
|
|
55
|
+
2. Generate validated read-only query inputs with the atomic helper tool.
|
|
56
|
+
3. Read Jira issue metadata, comments, and bounded Chiron attachment snippets.
|
|
57
|
+
4. Connect through SPC and verify Kubernetes context/RBAC.
|
|
58
|
+
5. Check `bds-service-proxy` deployment, pods, endpoints, image, restarts, and
|
|
59
|
+
which pod covers the incident window.
|
|
60
|
+
6. Check `kubectl logs` retention; use pod-local rotated logs when needed.
|
|
61
|
+
7. Grep the incident minute for tenant, CID/appId where available,
|
|
62
|
+
`generatedek`, `generateKey`, `decrypt`, `SocketTimeout`, `KMSClientException`,
|
|
63
|
+
`503`, `ERROR`, and `WARN`.
|
|
64
|
+
8. Check Prism/OMS RBAC before trying to read Prism pod logs or OMS dump files.
|
|
65
|
+
9. Draft the Slack response. State whether BDS logs show service-side errors or
|
|
66
|
+
successful same-tenant traffic, then ask Prism to inspect Spark
|
|
67
|
+
driver/network/socket timeout behavior when BDS-side evidence is clean.
|
|
68
|
+
|
|
69
|
+
## Output Standard
|
|
70
|
+
|
|
71
|
+
Return Markdown with incident context, the system boundary, evidence table,
|
|
72
|
+
timeline, conclusion, suggested Slack reply, and evidence gaps. The conclusion
|
|
73
|
+
must distinguish client-side timeout evidence from service-side outage evidence.
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
# BDS Prism Service-Proxy Timeout Runbook
|
|
2
|
+
|
|
3
|
+
This reference holds detailed access and log rules for
|
|
4
|
+
`bds-prism-service-proxy-timeout-investigation/SKILL.md`.
|
|
5
|
+
|
|
6
|
+
## Access Details
|
|
7
|
+
|
|
8
|
+
- Use Jira GET only. If the default Jira Keychain route is absent, the legacy
|
|
9
|
+
Jira Keychain alias emitted by the plan may be used as a secret source. Never
|
|
10
|
+
print the token.
|
|
11
|
+
- For customer SPC sessions, use `AWS_PROFILE=sso-cust`. If `spc connect` fails
|
|
12
|
+
before connecting with `ExpiredToken`, refresh with
|
|
13
|
+
`sso-cli aws --force --profile sso-cust`.
|
|
14
|
+
- Use `AWS_PROFILE=sso-cust spc connect cust <cluster>`, then verify
|
|
15
|
+
`kubectl --kubeconfig=$HOME/.kube/spc-config config current-context`,
|
|
16
|
+
`auth whoami`, and namespace `auth can-i` before reading evidence.
|
|
17
|
+
- Prefer `kubectl --kubeconfig=$HOME/.kube/spc-config -n bds ...` explicit
|
|
18
|
+
commands when `kcsb` is unavailable.
|
|
19
|
+
|
|
20
|
+
## Historical Logs And RBAC
|
|
21
|
+
|
|
22
|
+
- If Kubernetes logs start after the incident window, inspect pod-local rotated
|
|
23
|
+
logs inside the long-running `bds-service-proxy` pod:
|
|
24
|
+
`/opt/bds-service-proxy/log/bds-service-proxy.log` and
|
|
25
|
+
`/opt/bds-service-proxy/log/bds-service-proxy-audit.log`.
|
|
26
|
+
- Use bounded pod exec reads only: `ls`, `grep`, `head`, `tail`, `sed -n`. Do
|
|
27
|
+
not copy logs out or write files.
|
|
28
|
+
- Match timestamps using the file format. Pod-local service-proxy logs use ISO
|
|
29
|
+
timestamps such as `2026-06-05T15:38:02.028Z`, while Prism attachments may use
|
|
30
|
+
`2026-06-05 15:38:02,937`.
|
|
31
|
+
- For Prism/OMS dump references such as
|
|
32
|
+
`/usr/local/workday-oms/logs/dumps/<id>.dump`, first check RBAC for `prism`
|
|
33
|
+
and `oms` namespaces. If RBAC denies access, say direct dump inspection is
|
|
34
|
+
blocked and rely only on the Jira attachment excerpt.
|
|
35
|
+
|
|
36
|
+
## Output Details
|
|
37
|
+
|
|
38
|
+
- Jira/Chiron metadata: Delta commit path, manifest file, Spark appId, activity
|
|
39
|
+
id, OMS dump path, tenant, CID, and incident UTC.
|
|
40
|
+
- SPC/RBAC: current context, identity, `bds`, `prism`, and `oms` namespace
|
|
41
|
+
access checks.
|
|
42
|
+
- Service-proxy state: deployment, pods, endpoints, image, restart count, and
|
|
43
|
+
which pod covers the incident window.
|
|
44
|
+
- Service logs: Kubernetes retention boundary, pod-local log file checked,
|
|
45
|
+
tenant/CID/appId grep terms, service-side errors, successful same-tenant
|
|
46
|
+
traffic, and downstream wrapper errors.
|
|
47
|
+
- Conclusion should distinguish Prism Spark driver client-side timeout evidence
|
|
48
|
+
from BDS service-proxy service-side outage evidence.
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: bds-scylla-tenant-bucket-investigation
|
|
3
|
+
description: Use for Scylla BDS tenant health alerts and read-only tenant bucket checks where BDM pods, bucketdetails-config, and hadoop fs S3A inspection are needed.
|
|
4
|
+
allowed-tools:
|
|
5
|
+
- Read
|
|
6
|
+
- Glob
|
|
7
|
+
- Grep
|
|
8
|
+
- mcp__devops_tool__bds_scylla_tenant_bucket_command_pack
|
|
9
|
+
- mcp__devops_tool__bitbucket_api_read
|
|
10
|
+
- mcp__devops_tool__git_repo_read
|
|
11
|
+
- mcp__devops_tool__repo_text_index
|
|
12
|
+
- mcp__devops_tool__kubernetes_status_snapshot
|
|
13
|
+
- mcp__devops_tool__remote_readonly_command
|
|
14
|
+
- mcp__devops_tool__pharos_alert_read
|
|
15
|
+
- mcp__devops_tool__bds_dashboard_links
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
# BDS Scylla Tenant Bucket Investigation
|
|
19
|
+
|
|
20
|
+
Use this skill for Scylla BDS tenant health alerts, tenant bucket path checks,
|
|
21
|
+
missing tenant data questions, or BDM / bds-service-proxy image behavior after
|
|
22
|
+
HDFS CLI removal.
|
|
23
|
+
|
|
24
|
+
Load `references/tenant-bucket-runbook.md` only after generating the plan and
|
|
25
|
+
identifying the incident type.
|
|
26
|
+
|
|
27
|
+
## Hard Rules
|
|
28
|
+
|
|
29
|
+
- Stay read-only. Do not mutate Kubernetes resources, bucket objects, local pod
|
|
30
|
+
files, tenant state, or BDS service state.
|
|
31
|
+
- This skill defines the investigation flow. Use
|
|
32
|
+
`mcp__devops_tool__bds_scylla_tenant_bucket_command_pack` only to normalize
|
|
33
|
+
fields and produce validated read-only source/Kubernetes/S3A command inputs.
|
|
34
|
+
- Treat BDM source code as the first source of truth for tenant-health meaning.
|
|
35
|
+
Prefer `mcp__devops_tool__bitbucket_api_read` against
|
|
36
|
+
`https://bitbucket.workday.com/projects/BDS/repos/sirius/browse`; use
|
|
37
|
+
`git_repo_read`, `repo_text_index`, and local read-only grep only for a
|
|
38
|
+
human-reviewed cache.
|
|
39
|
+
- Build and verify the SPC/Kubernetes connection before remote checks. If
|
|
40
|
+
`kcsb` is unavailable, use the explicit read-only
|
|
41
|
+
`kubectl --kubeconfig=$HOME/.kube/spc-config -n bds ...` equivalent.
|
|
42
|
+
- Use the BDM pod and `hadoop fs` for S3A reads. Do not use `hdfs`, `aws s3`,
|
|
43
|
+
KDC pods, or `hadoop fs -get` for this workflow.
|
|
44
|
+
- Do not print tenant key material or decrypted tenant file contents unless the
|
|
45
|
+
operator explicitly asks and confirms the sensitivity boundary.
|
|
46
|
+
- Before claiming SIR, Galahad, OMS, or ORS pods/logs are down or missing,
|
|
47
|
+
verify namespace RBAC with `kubectl auth can-i`.
|
|
48
|
+
|
|
49
|
+
## Evidence Order
|
|
50
|
+
|
|
51
|
+
1. Parse alert name, cluster, source, environment, tenant, severity, and firing
|
|
52
|
+
or resolved time from Slack, PagerDuty, Solas, or Pharos context.
|
|
53
|
+
2. Confirm the operator already connected to the target Scylla environment; do
|
|
54
|
+
not run login retry loops.
|
|
55
|
+
3. Generate the validated read-only command pack.
|
|
56
|
+
4. Read BDM `BDS/sirius` source and record exact tenant-health file paths,
|
|
57
|
+
functions/classes, and predicates before interpreting bucket data.
|
|
58
|
+
5. Collect cluster context with `kcsb get pod` and
|
|
59
|
+
`kcsb get cm bucketdetails-config -o yaml`.
|
|
60
|
+
6. Count active BDS tenants separately from bucket tenant folders.
|
|
61
|
+
7. Map each source predicate to S3A evidence from `hadoop fs` read commands.
|
|
62
|
+
8. For decrypt/SIR failures, correlate BDM logs, bds-service-proxy logs,
|
|
63
|
+
front-door reachability, and backend namespace RBAC.
|
|
64
|
+
9. Compare with another active healthy tenant when available.
|
|
65
|
+
10. Return a concise RCA/current-state summary with evidence gaps and read-only
|
|
66
|
+
follow-ups.
|
|
67
|
+
|
|
68
|
+
## Output
|
|
69
|
+
|
|
70
|
+
Return alert context, source logic, evidence table, active-tenant versus
|
|
71
|
+
bucket-folder census, code-to-data comparison, key/decrypt logs, SIR/Galahad/OMS
|
|
72
|
+
boundary, healthy comparison, bucket path checked, confidence, and read-only next
|
|
73
|
+
checks. Separate direct command evidence from inference.
|
|
@@ -0,0 +1,91 @@
|
|
|
1
|
+
# BDS Scylla Tenant Bucket Runbook
|
|
2
|
+
|
|
3
|
+
This reference holds scenario details for
|
|
4
|
+
`bds-scylla-tenant-bucket-investigation/SKILL.md`.
|
|
5
|
+
|
|
6
|
+
## Source And Tenant Health Logic
|
|
7
|
+
|
|
8
|
+
- Search BDM source for `tenant health`, `TenantHealth`, `tenant_health`,
|
|
9
|
+
`unhealthy`, `brokenDsInfo`, `consistency_check`, and `operationsLog`; record
|
|
10
|
+
exact file paths, functions/classes, and predicates before interpreting data.
|
|
11
|
+
- Distinguish active BDS tenant count from tenant folders in the bucket. Bucket
|
|
12
|
+
folders can be stale, disabled, or test leftovers; active tenant evidence
|
|
13
|
+
should come from BDM metrics such as `bds_stats_tenant_*{isActiveTenant="true"}`
|
|
14
|
+
or from BDM/EMS active-tenant health-check behavior.
|
|
15
|
+
- For alerts on envops/test tenants, do not downplay the alert if the
|
|
16
|
+
environment is tier-0/customer-like. State both facts: environment criticality
|
|
17
|
+
and whether any real customer BDS tenant data impact was observed.
|
|
18
|
+
|
|
19
|
+
## Kubernetes And Bucket Evidence
|
|
20
|
+
|
|
21
|
+
- Use `kcsb get pod` and `kcsb get cm bucketdetails-config -o yaml` to anchor
|
|
22
|
+
pod names and bucket name before checking S3A paths.
|
|
23
|
+
- Tenant folders are discoverable by the rule
|
|
24
|
+
`data/tenants/<ENV_NAME>.<tenantName>`, for example
|
|
25
|
+
`data/tenants/WD504-IMPL.schellman1`.
|
|
26
|
+
- A normally discoverable tenant folder can contain `operationsLog.csv`, `ted`,
|
|
27
|
+
and `tmp`; use those as path-shape evidence, not as health proof.
|
|
28
|
+
- Inside the BDM pod, use only read commands such as `hadoop fs -ls`,
|
|
29
|
+
`hadoop fs -cat`, `hadoop fs -head`, `hadoop fs -du`, `hadoop fs -count`,
|
|
30
|
+
`hadoop fs -stat`, `hadoop fs -test`, and `hadoop fs -text`.
|
|
31
|
+
- Prefer status-only read/decrypt probes such as redirecting `hadoop fs -cat` to
|
|
32
|
+
`/dev/null` and reporting only exit status and sanitized errors.
|
|
33
|
+
- Do not use `aws s3` inside BDM or bds-service-proxy pods; observed behavior is
|
|
34
|
+
`NoCredentials`.
|
|
35
|
+
- Do not assume `hdfs` exists in BDM or bds-service-proxy pods. New images may
|
|
36
|
+
remove it; use `hadoop fs`.
|
|
37
|
+
- Do not use `hadoop fs -get` for listing or debugging. It downloads to local
|
|
38
|
+
disk and can fail with local mkdir errors.
|
|
39
|
+
- Do not use KDC pods as the default S3A inspection point. They may have `hdfs`
|
|
40
|
+
but lack `org.apache.hadoop.fs.s3a.S3AFileSystem`.
|
|
41
|
+
|
|
42
|
+
## Key Fetch And SIR Boundary
|
|
43
|
+
|
|
44
|
+
- For read/decrypt failures, correlate BDM logs with bds-service-proxy logs:
|
|
45
|
+
look for the SIR key endpoint, `Response code 503`, `Response status: 503`,
|
|
46
|
+
`BdsCipherClient Error in decrypt`, and `KMSClientException`.
|
|
47
|
+
- For SIR key-fetch 503 cases, separate front-door reachability from the real
|
|
48
|
+
authenticated business request. From a `bds-service-proxy` pod, verify DNS and
|
|
49
|
+
HTTP reachability to the SIR service such as `sir-<env>.sir:11710`.
|
|
50
|
+
- Treat manual unauthenticated 401 responses as reachability/auth-boundary
|
|
51
|
+
evidence only, not as the BDS business-flow result.
|
|
52
|
+
- Use `curl -k` only for HTTPS; the observed in-cluster SIR endpoint is HTTP.
|
|
53
|
+
- For SIR key-fetch 503, run bds-service-proxy-side reachability probes and RBAC
|
|
54
|
+
checks for `sir`, `galahad`, `ors`, and `oms`. If RBAC denies access, mark
|
|
55
|
+
direct backend inspection as blocked and route the tenant-specific 503 to the
|
|
56
|
+
owning channel.
|
|
57
|
+
|
|
58
|
+
## Interpretation
|
|
59
|
+
|
|
60
|
+
- Map each source-code predicate to concrete S3A evidence: object existence,
|
|
61
|
+
timestamp, content, empty/non-empty state, parse result, or missing path.
|
|
62
|
+
- Compare with at least one other active tenant when available. A successful
|
|
63
|
+
predefined-file read and `Tenant [...] is healthy` log on another tenant is
|
|
64
|
+
evidence against a cluster-wide BDM/bucket/service-proxy outage.
|
|
65
|
+
- Correlate with Pharos alert state and BDS dashboard links when the question is
|
|
66
|
+
alert-driven.
|
|
67
|
+
|
|
68
|
+
## Output Details
|
|
69
|
+
|
|
70
|
+
- Alert context: cluster, environment, tenant, source, severity, firing/resolved
|
|
71
|
+
window.
|
|
72
|
+
- Source logic: repo URL, commit/ref when known, file path, function/class, and
|
|
73
|
+
exact unhealthy predicates.
|
|
74
|
+
- Evidence table: command, target, result, interpretation.
|
|
75
|
+
- Tenant census: active BDS tenants versus bucket tenant folders, clearly
|
|
76
|
+
labeled with the source of each count.
|
|
77
|
+
- Code-to-data comparison: one row per predicate from source with matching S3A
|
|
78
|
+
evidence.
|
|
79
|
+
- Key/decrypt logs: concrete timestamped lines for the BDM read failure,
|
|
80
|
+
bds-service-proxy authenticated SIR key-fetch failure, decrypt failure, and
|
|
81
|
+
downstream 500/KMS error when present.
|
|
82
|
+
- SIR/Galahad/OMS boundary: SIR front-door DNS/HTTP reachability from
|
|
83
|
+
bds-service-proxy, manual unauthenticated probe result labeled as such, and
|
|
84
|
+
RBAC status for direct backend namespace inspection.
|
|
85
|
+
- Healthy comparison: another active tenant passing the same read/decrypt path
|
|
86
|
+
when available.
|
|
87
|
+
- Bucket path checked: bucket source, data root, tenant path, and consistency
|
|
88
|
+
file path when used.
|
|
89
|
+
- Cause or current hypothesis, with confidence.
|
|
90
|
+
- Read-only next checks and manual remediation notes, clearly marked as not
|
|
91
|
+
executed.
|
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: bds-tenant-data-operation-log-investigation
|
|
3
|
+
description: Use for read-only BDS tenant data operation log checks where TSS/OMS tenant state must be separated from PRISM/BDS HDFS data readiness.
|
|
4
|
+
allowed-tools:
|
|
5
|
+
- Read
|
|
6
|
+
- Glob
|
|
7
|
+
- Grep
|
|
8
|
+
- mcp__devops_tool__bds_tenant_data_operation_log_command_pack
|
|
9
|
+
- mcp__devops_tool__bitbucket_api_read
|
|
10
|
+
- mcp__devops_tool__git_repo_read
|
|
11
|
+
- mcp__devops_tool__repo_text_index
|
|
12
|
+
- mcp__devops_tool__bds_environment_host_lookup
|
|
13
|
+
- mcp__devops_tool__bds_machine_inventory
|
|
14
|
+
- mcp__devops_tool__remote_readonly_command
|
|
15
|
+
- mcp__devops_tool__workday_boundary_login
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
# BDS Tenant Data Operation Log Investigation
|
|
19
|
+
|
|
20
|
+
Use this skill to check tenant BDS data, `operationsLog.csv`, PRISM
|
|
21
|
+
enable/clone history, or release-state versus BDS HDFS data mismatch.
|
|
22
|
+
|
|
23
|
+
## Rules
|
|
24
|
+
|
|
25
|
+
- Stay read-only. Do not mutate tenant state, HDFS paths, crypto zones, BDM,
|
|
26
|
+
Kubernetes, local files, or Keychain.
|
|
27
|
+
- This skill defines the flow. Use
|
|
28
|
+
`mcp__devops_tool__bds_tenant_data_operation_log_command_pack` only for validated
|
|
29
|
+
read-only HDFS/source command inputs.
|
|
30
|
+
- Keep state domains separate: TSS/OMS state comes from tenant status APIs;
|
|
31
|
+
BDS/PRISM data state comes from HDFS tenant paths and `operationsLog.csv`.
|
|
32
|
+
- Never conclude BDS/PRISM data is ready only because TSS says
|
|
33
|
+
`RELEASED` / `health: OK`.
|
|
34
|
+
- Operation log path: `data/tenants/<ENV_NAME>.<tenantName>/operationsLog.csv`.
|
|
35
|
+
Normal BDS tenant paths commonly contain `operationsLog.csv`, `ted`, and
|
|
36
|
+
`tmp`; missing `operationsLog.csv` or `tmp` is important evidence.
|
|
37
|
+
- Read Sirius BDM source when endpoint or path semantics are unclear. Search
|
|
38
|
+
for `operationLog`, `operationLogPath`,
|
|
39
|
+
`getOperationLogRaw`, `/api/v3/bds/log`, `/v2/bds/log`, and
|
|
40
|
+
`TenantDataManager`.
|
|
41
|
+
- If BDM HTTP log routes return 403 from a jump host, verify the direct HDFS
|
|
42
|
+
`operationsLog.csv` path from an authorized datanode or BDM pod before
|
|
43
|
+
drawing conclusions.
|
|
44
|
+
- Before Boundary login or remote HDFS commands, resolve and confirm the
|
|
45
|
+
concrete datanode or BDM evidence host with
|
|
46
|
+
`mcp__devops_tool__bds_environment_host_lookup`. If a datanode host is
|
|
47
|
+
provided, confirm it belongs to the target cluster; if not, resolve
|
|
48
|
+
`datanode`, `bdm`, or `namenode` roles and choose the narrowest host that can
|
|
49
|
+
perform read-only HDFS checks.
|
|
50
|
+
- Do not invent host tools such as `workday_host_info`, `host_info`,
|
|
51
|
+
`host_query`, or `bds_enterprise_host_lookup`. Do not use local `grep`, `ls`,
|
|
52
|
+
`Read`, `Glob`, repository search, local `/hadoop` paths, local `hdfs`, or
|
|
53
|
+
local `curl` as a substitute for host lookup. If host lookup fails, stop and
|
|
54
|
+
report the exact tool/access gap.
|
|
55
|
+
- Keychain LDAP entries may be JSON. Extract only the top-level `token` field
|
|
56
|
+
locally and pass it through stdin. Never print passwords, tokens, raw
|
|
57
|
+
Keychain payloads, or sudo stdin.
|
|
58
|
+
- Use `sudo su -` and `kinit-workdayadmin` only when explicitly approved by the
|
|
59
|
+
operator and only for read commands.
|
|
60
|
+
- Allowed HDFS reads: `hdfs crypto -listZones`, `hdfs dfs -ls`, `-du`, `-cat`,
|
|
61
|
+
`-tail`, `-test`, `-count`, and `-stat`.
|
|
62
|
+
- Do not run `hdfs dfs -rm`, `-put`, `-get`, `-cp`, `-mv`, `-mkdir`, `-touchz`,
|
|
63
|
+
`-chmod`, or `-chown`.
|
|
64
|
+
|
|
65
|
+
## Workflow
|
|
66
|
+
|
|
67
|
+
1. Parse environment, tenant, target BDS cluster, datanode host, HDFS authority,
|
|
68
|
+
and related comparison tenants from the request.
|
|
69
|
+
2. Generate validated read-only command inputs with the atomic helper tool.
|
|
70
|
+
3. If source semantics are unclear, read Sirius BDM source and confirm the
|
|
71
|
+
operation log route and HDFS path construction.
|
|
72
|
+
4. Read TSS/OMS tenant state only as state-domain evidence.
|
|
73
|
+
5. Resolve and confirm the datanode or BDM evidence host with
|
|
74
|
+
`bds_environment_host_lookup`.
|
|
75
|
+
6. Establish datanode access and Kerberos/root context only through approved
|
|
76
|
+
credential handling.
|
|
77
|
+
7. Check crypto zones for the target and related tenants.
|
|
78
|
+
8. List the exact tenant data path and test for `operationsLog.csv`.
|
|
79
|
+
9. Tail `operationsLog.csv` only when it exists; otherwise report the missing
|
|
80
|
+
file as direct evidence.
|
|
81
|
+
10. Compare with related preview, gold, or numbered tenants when provided.
|
|
82
|
+
11. Separate direct HDFS evidence from inference.
|
|
83
|
+
|
|
84
|
+
## Output Standard
|
|
85
|
+
|
|
86
|
+
Return Markdown with scope, separated state domains, evidence table, path-shape
|
|
87
|
+
comparison, operation log timeline with exact `prism,Enable` / `prism,Clone`
|
|
88
|
+
rows when present, direct-evidence conclusion, inference confidence, and
|
|
89
|
+
read-only next checks. Remediation must be manual and human-reviewed.
|
|
@@ -0,0 +1,77 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: bds-yarn-app-health-investigation
|
|
3
|
+
description: Read-only BDS YARN application host health workflow for Prism timeout requests, aggregated log host discovery, NodeManager health, and HDFS DataNode cross-checks.
|
|
4
|
+
allowed-tools:
|
|
5
|
+
- Read
|
|
6
|
+
- Glob
|
|
7
|
+
- Grep
|
|
8
|
+
- mcp__devops_tool__bds_yarn_app_health_command_pack
|
|
9
|
+
- mcp__devops_tool__bds_environment_host_lookup
|
|
10
|
+
- mcp__devops_tool__bds_machine_inventory
|
|
11
|
+
- mcp__devops_tool__remote_readonly_command
|
|
12
|
+
- mcp__devops_tool__workday_boundary_login
|
|
13
|
+
---
|
|
14
|
+
|
|
15
|
+
# BDS YARN App Health Investigation
|
|
16
|
+
|
|
17
|
+
Use this skill to cross-check YARN application host health, especially Prism
|
|
18
|
+
timeout cases with an app ID such as `application_1778917335863_0195`, a BDS
|
|
19
|
+
cluster, driver host, tenant, and incident UTC window.
|
|
20
|
+
|
|
21
|
+
Load `references/yarn-app-health-runbook.md` only for historical-window,
|
|
22
|
+
ResourceManager, aggregated-log, and output-detail rules.
|
|
23
|
+
|
|
24
|
+
## Hard Rules
|
|
25
|
+
|
|
26
|
+
- Strictly read-only. Do not kill YARN apps, decommission nodes, delete HDFS
|
|
27
|
+
files, copy/download full logs, restart services, edit configs, or mutate host
|
|
28
|
+
state.
|
|
29
|
+
- This skill defines the investigation flow. Use `bds_yarn_app_health_command_pack`
|
|
30
|
+
only to normalize inputs and produce bounded read-only command inputs.
|
|
31
|
+
- Before Boundary login or remote commands, resolve and confirm the concrete
|
|
32
|
+
driver/control host with `mcp__devops_tool__bds_environment_host_lookup`.
|
|
33
|
+
If a driver host is provided, confirm it belongs to the requested cluster. If
|
|
34
|
+
not, resolve a ResourceManager/NameNode/NodeManager/DataNode host suitable for
|
|
35
|
+
read-only YARN/HDFS status commands.
|
|
36
|
+
- Check Boundary/DC readiness with `workday_boundary_login action=status` when
|
|
37
|
+
host access is needed. Run `action=login` only after explicit operator
|
|
38
|
+
approval to use LDAP PROD from Keychain.
|
|
39
|
+
- Never ask for or print LDAP passwords, Keychain JSON, tokens, keytabs, or
|
|
40
|
+
sudo stdin.
|
|
41
|
+
- Use MCP-safe single-command inputs from the plan. Do not combine commands with
|
|
42
|
+
semicolons, `&&`, command substitution, sudo, shell redirection, or local
|
|
43
|
+
writes.
|
|
44
|
+
- Do not invent host tools such as `workday_host_info`, `host_info`,
|
|
45
|
+
`host_query`, or `bds_enterprise_host_lookup`. Do not pivot to disk alerts,
|
|
46
|
+
Jira, Bamboo, Pharos, local repository search, dashboards, local `yarn`, local
|
|
47
|
+
`hdfs`, or local `/hadoop` paths when host lookup or access is blocked.
|
|
48
|
+
Report the exact evidence gap.
|
|
49
|
+
|
|
50
|
+
## Evidence Order
|
|
51
|
+
|
|
52
|
+
1. Parse BDS cluster, driver host, app ID, tenant, prid/cid, and incident UTC
|
|
53
|
+
window.
|
|
54
|
+
2. Resolve and confirm the driver/control host with
|
|
55
|
+
`bds_environment_host_lookup`.
|
|
56
|
+
3. Check Boundary/DC readiness; login only with explicit approval.
|
|
57
|
+
4. Generate the validated read-only command pack with
|
|
58
|
+
`bds_yarn_app_health_command_pack`.
|
|
59
|
+
5. Confirm driver host identity, UTC time, and available `yarn`, `hdfs`, and
|
|
60
|
+
`kinit` commands.
|
|
61
|
+
6. Run Kerberos initialization from the existing keytab using `kinit -kt`.
|
|
62
|
+
7. Check `yarn application -status <appId>`.
|
|
63
|
+
8. Prefer `yarn logs -show_application_log_info` before any full `yarn logs`
|
|
64
|
+
read.
|
|
65
|
+
9. Use HDFS aggregated log file names as the app host list.
|
|
66
|
+
10. Cross-check each app host with `yarn node -status <host>:45454`.
|
|
67
|
+
11. Use `hdfs dfsadmin -report` for HDFS counters and to identify which app
|
|
68
|
+
hosts are also DataNodes.
|
|
69
|
+
12. If incident UTC is available, check the historical window with read-only
|
|
70
|
+
kernel, NodeManager, DataNode, and long-GC log filters.
|
|
71
|
+
|
|
72
|
+
## Output
|
|
73
|
+
|
|
74
|
+
Return app host list, current YARN NodeManager health, HDFS cluster counters,
|
|
75
|
+
DataNode matches, historical-window findings when checked, and evidence gaps.
|
|
76
|
+
If only current state was checked, clearly say current health is not proof of
|
|
77
|
+
historical health at the incident timestamp.
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
# BDS YARN App Health Runbook
|
|
2
|
+
|
|
3
|
+
This reference holds detailed rules for
|
|
4
|
+
`bds-yarn-app-health-investigation/SKILL.md`.
|
|
5
|
+
|
|
6
|
+
## Application State And Aggregated Logs
|
|
7
|
+
|
|
8
|
+
- Treat RM/Timeline not-found separately from HDFS aggregated log availability.
|
|
9
|
+
- Historical apps may be removed from RM/Timeline state. If
|
|
10
|
+
`yarn application -status` cannot find an old app, parse ResourceManager
|
|
11
|
+
`ApplicationSummary` logs instead of treating the app as absent.
|
|
12
|
+
- For ResourceManager failed-app spikes, filter `ApplicationSummary` lines in
|
|
13
|
+
the incident UTC window to `applicationType=SPARK`, `finalStatus=FAILED`, and
|
|
14
|
+
diagnostics containing `exitCode: 0`; return `finishTimeUtc`, `appId`, `name`,
|
|
15
|
+
`user`, `queue`, `finalStatus`, and `appMasterHost`.
|
|
16
|
+
- If owner or suffix is unknown, search only the YARN aggregated log root with
|
|
17
|
+
`hdfs dfs -find <logRoot> -name '*<appId>*'`.
|
|
18
|
+
- List and size the resolved app log directory with `hdfs dfs -ls` and
|
|
19
|
+
`hdfs dfs -du -h`.
|
|
20
|
+
- The tenant in Prism logs may be `WD1-PROD.<tenant>`, but the YARN app owner
|
|
21
|
+
can be a service account such as `wd1-prod_prism`.
|
|
22
|
+
- Aggregated logs may use `bucket-logs-tfile/<last4>/<applicationId>` rather
|
|
23
|
+
than `<owner>/logs/<applicationId>`.
|
|
24
|
+
- For `application_1778917335863_0195`, the bucket segment is `0195`.
|
|
25
|
+
- A host log file around tens of GB is a driver-log outlier and can explain
|
|
26
|
+
slow full `yarn logs` reads.
|
|
27
|
+
|
|
28
|
+
## Historical Incident Window
|
|
29
|
+
|
|
30
|
+
- If the requester asks whether checks were current-state or around the log
|
|
31
|
+
time, run a historical incident-window check before answering.
|
|
32
|
+
- Historical checks must be read-only host log reads: `journalctl -k` for the
|
|
33
|
+
exact UTC window plus bounded `grep`/`zgrep` over NodeManager and DataNode
|
|
34
|
+
logs.
|
|
35
|
+
- Filter routine noise such as `DFSUtil.*duration=0`, block deletion INFO,
|
|
36
|
+
`DataNode.clienttrace`, short GC pauses, and `PacketResponder terminating`.
|
|
37
|
+
- Do not include minor unrelated WARNs in requester-facing replies unless they
|
|
38
|
+
are in the incident window and plausibly tied to the HDFS/DataNode path.
|
|
39
|
+
- If a broad historical scan drops SSH, retry only incomplete hosts with
|
|
40
|
+
narrower file targets and no SSH multiplexing before marking the result
|
|
41
|
+
complete.
|
|
42
|
+
|
|
43
|
+
## Output Details
|
|
44
|
+
|
|
45
|
+
- App host list.
|
|
46
|
+
- Current YARN NodeManager state and health report summary for those hosts.
|
|
47
|
+
- Current HDFS cluster counters: live DataNodes, under-replicated blocks,
|
|
48
|
+
missing blocks, low-redundancy block groups, and corrupt replicas if present.
|
|
49
|
+
- Which app hosts also appear as HDFS DataNodes, with decommission status and
|
|
50
|
+
last contact when available.
|
|
51
|
+
- If historical logs were checked, say so explicitly and summarize whether
|
|
52
|
+
kernel / YARN NodeManager / HDFS DataNode health errors, disk/network errors,
|
|
53
|
+
DataNode unhealthy signals, or long GC pauses were found in that window.
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: pharos-alert-investigation
|
|
3
|
+
description: Read Pharos firing alerts, alert rules, active silences, and BDS observability links for alert detail investigation.
|
|
4
|
+
allowed-tools:
|
|
5
|
+
- Read
|
|
6
|
+
- Glob
|
|
7
|
+
- Grep
|
|
8
|
+
- mcp__devops_tool__bds_pharos_query_pack
|
|
9
|
+
- mcp__devops_tool__pharos_alert_read
|
|
10
|
+
- mcp__devops_tool__pharos_prometheus_read
|
|
11
|
+
- mcp__devops_tool__bds_dashboard_links
|
|
12
|
+
- mcp__devops_tool__bds_dashboard_query_knowledge
|
|
13
|
+
- mcp__devops_tool__bds_dashboard_query_read
|
|
14
|
+
- mcp__devops_tool__dashboard_query_knowledge
|
|
15
|
+
- mcp__devops_tool__bds_scylla_tenant_bucket_command_pack
|
|
16
|
+
- mcp__devops_tool__bds_disk_io_alert_command_pack
|
|
17
|
+
---
|
|
18
|
+
|
|
19
|
+
# Pharos Alert Investigation
|
|
20
|
+
|
|
21
|
+
Use this skill when an operator asks what BDS alerts are firing, wants Pharos
|
|
22
|
+
alert details, asks whether an alert is silenced, or needs BDS dashboard links
|
|
23
|
+
for a firing alert. Also use it for natural-language BDS Pharos questions such
|
|
24
|
+
as disk IO, YARN alerts, NameNode latency, or visible BDS clusters.
|
|
25
|
+
|
|
26
|
+
## Rules
|
|
27
|
+
|
|
28
|
+
- Use our own `mcp__devops_tool__pharos_alert_read` tool. Do not shell out to
|
|
29
|
+
`pharos_alerts_cli.py` for read workflows.
|
|
30
|
+
- Treat Pharos reads as read-only. Never create, delete, or update silences,
|
|
31
|
+
routes, rules, dashboards, or alertmanager config from this skill.
|
|
32
|
+
- Credentials must come from env or Keychain. Never ask for or print
|
|
33
|
+
`PHAROS_CLIENT_SECRET`.
|
|
34
|
+
- Use exact label filters from the alert when available:
|
|
35
|
+
`alertname`, `source`, `bds_cluster`, `severity`, and `wd_env_physical`.
|
|
36
|
+
- For natural-language requests, call `mcp__devops_tool__bds_pharos_query_pack`
|
|
37
|
+
first, then execute read-only steps until direct Pharos evidence is sufficient.
|
|
38
|
+
- Use `mcp__devops_tool__pharos_prometheus_read` for arbitrary BDS metric reads:
|
|
39
|
+
instant PromQL, range PromQL, label values, or series discovery.
|
|
40
|
+
- Use `mcp__devops_tool__bds_dashboard_links` for Grafana, Pharos alerting,
|
|
41
|
+
silence, and Solas links.
|
|
42
|
+
- Use `mcp__devops_tool__bds_dashboard_query_read` when the user asks what a
|
|
43
|
+
dashboard panel checks.
|
|
44
|
+
- Use `mcp__devops_tool__bds_dashboard_query_knowledge` to learn BDS metric
|
|
45
|
+
families from source-controlled dashboards; use generic
|
|
46
|
+
`mcp__devops_tool__dashboard_query_knowledge` for non-BDS dashboard repos.
|
|
47
|
+
- For `bds_bdm_tenant_tenant_health_status_alert` or Scylla tenant unhealthy
|
|
48
|
+
alerts, use `mcp__devops_tool__bds_scylla_tenant_bucket_command_pack` before
|
|
49
|
+
bucket drill-down. Inspect BDM source predicates, then map them to BDM pod plus
|
|
50
|
+
`hadoop fs` S3A reads. Do not use `aws s3`, `hdfs`, or `hadoop fs -get`.
|
|
51
|
+
- For DataNode failed-volume or BDS storage alerts, use Pharos only to confirm
|
|
52
|
+
alert/rule/metric context. Then hand the drill-down to
|
|
53
|
+
`bds-disk-io-alert-investigation` and its disk command pack, because the first
|
|
54
|
+
evidence boundary is the source host storage state.
|
|
55
|
+
|
|
56
|
+
## Workflow
|
|
57
|
+
|
|
58
|
+
1. Parse environment, namespace, alert name, source host, cluster, severity,
|
|
59
|
+
time range, and intent.
|
|
60
|
+
2. Call `bds_pharos_query_pack` unless the user already supplied an exact tool
|
|
61
|
+
action and PromQL query.
|
|
62
|
+
3. Read `firing_alerts` first with narrow filters when the request is alert-like.
|
|
63
|
+
4. Read `active_silences` with the same filters to identify suppression state.
|
|
64
|
+
5. Read `alert_rules` by `alertName` when the user asks why the alert fires or
|
|
65
|
+
needs expression/details.
|
|
66
|
+
6. Run `pharos_prometheus_read` when the request is metric-like or exploratory.
|
|
67
|
+
7. Generate BDS dashboard links from the same labels.
|
|
68
|
+
8. Return a compact summary with direct evidence, missing data, and next
|
|
69
|
+
read-only drill-down.
|
|
70
|
+
|
|
71
|
+
## Output Standard
|
|
72
|
+
|
|
73
|
+
Return concise Markdown:
|
|
74
|
+
|
|
75
|
+
- Alert: name, state, severity, source, cluster, activeAt.
|
|
76
|
+
- Rule: expression, duration, labels, annotations when requested or relevant.
|
|
77
|
+
- Silence: active silence id, matcher scope, createdBy, endsAt, comment.
|
|
78
|
+
- Links: BDS dashboard, alert rule search, active silence query, Solas.
|
|
79
|
+
- Metrics: PromQL used, result count, top values or trend summary.
|
|
80
|
+
- Evidence gaps: explicitly state what was not found or not read.
|