[07:13:55] <taavi>	 morning!
[07:55:29] <blancadesal>	 morning :)
[07:56:28] <arturo>	 morning!!
[08:12:39] <taavi>	 I have a couple of puppet patches for review: https://gerrit.wikimedia.org/r/961092 https://gerrit.wikimedia.org/r/961334 https://gerrit.wikimedia.org/r/960163 https://gerrit.wikimedia.org/r/960164
[08:16:03] <dcaro>	 morning
[09:26:59] <taavi>	 arturo: can you review https://gerrit.wikimedia.org/r/c/operations/homer/public/+/961336 and https://gerrit.wikimedia.org/r/c/operations/puppet/+/961345?
[09:27:59] <arturo>	 yes
[09:30:10] <arturo>	 done
[09:58:37] <arturo>	 what is the current status of codfw1dev? I see the bastion VM is down?
[09:59:32] <arturo>	 wow I get
[09:59:34] <arturo>	 https://www.irccloud.com/pastebin/IPbSEwNm/
[10:09:54] <dhinus>	 hmmm, the thing I know is that 1 out of 2 cloudservices hosts is broken, and me and a.ndrew are trying to sort out LDAP after the reimage
[10:10:45] <dhinus>	 so I expect the cluster to be in a bad state, but I'm not sure that explains the errors you are encountering
[10:11:07] <arturo>	 if LDAP is affected, we can consider the deployment to be definitely in bad shape
[10:11:22] <arturo>	 all auth is keystone-based, which in turns is backed by LDAP
[10:11:26] <dhinus>	 maybe we need a third cluster to experiment with upgrades and such, while we keep the dev cluster in a slightly more stable state :)
[10:11:39] <arturo>	 so effectively the whole control plane has a strong and direct dependency to LDAP
[10:12:29] <arturo>	 this happens all the time :-) I am definitely happy that we have a codfw1dev a dev environment
[11:04:02] <dhinus>	 I'd like to replace the current restricted bastion (bastion-restricted-eqiad1-02) with a new instance I created with more CPUs (that should help with T347428)
[11:04:03] <stashbot>	 T347428: cumin and cloud-vps instances not working - https://phabricator.wikimedia.org/T347428
[11:04:23] <dhinus>	 can I simply edit the DNS record set for restricted.bastion.wmcloud.org in Horizon->DNS?
[11:04:55] <dhinus>	 or should I follow a different procedure?
[11:07:25] <arturo>	 dhinus: yes, that'd be basically it. And reattaching the floating IP
[11:07:44] <arturo>	 well, reattaching the floating IP is all you need actually, since the DNS entry points to the floating IP, not the VM
[11:07:45] <arturo>	 no?
[11:08:02] <dhinus>	 probably yes, I didn't remember it was using a floating IP
[11:09:32] <dhinus>	 first I want to make sure the new instance is working correctly as a ssh proxy, and it looks like it isn't
[11:10:10] <arturo>	 you may need some special security groups
[11:10:13] <arturo>	 or even hiera changes
[11:10:26] <dhinus>	 I added some hiera from horizon
[11:10:40] <dhinus>	 and I could ssh to the new one, but now it's not working anymore :/
[11:11:02] <arturo>	 it worked briefly and then stopped working?
[11:11:03] <dhinus>	 maybe I just messed up my ssh-config
[11:11:10] <dhinus>	 trying to use it as the bastion
[11:11:21] <arturo>	 you won't be able to use it as a bastion without a floating IP
[11:11:31] <arturo>	 no?
[11:11:51] <dhinus>	 yes you're right that's the issue :)
[11:11:57] <dhinus>	 I need the other bastion to reach it atm
[11:12:16] <dhinus>	 so there's no way to test it really, I'll try moving the floating IP and if that doesn't work I'll revert it
[11:12:48] <arturo>	 you can create a temporal floating IP with a temporal DNS record pointing to it
[11:13:00] <arturo>	 then update your ssh_config to use this temporal DNS record
[11:13:14] <arturo>	 something like `bastion-next.whatever.wmcloud.org`
[11:13:40] <dhinus>	 makes sense
[11:15:23] <arturo>	 and maybe `!log` something to leave some traces for others
[11:18:07] <dhinus>	 yes, I will !log when I switch the DNS. using a temporary floating IP does not seem to work, maybe because only the other one has the right firewall config?
[11:18:27] <dhinus>	 I cannot ping or ssh to the temporary floating IP from my laptop
[11:18:57] <arturo>	 yes, you likely need a very specific security group for that VM
[11:19:41] <dhinus>	 the current bastion does not have any security group, so maybe it's configured somewhere else?
[11:20:42] <dhinus>	 current bastion: bastion-restricted-eqiad1-02, new bastion: bastion-restricted-eqiad1-3
[11:21:31] <taavi>	 there's a hiera key that lists all bastions for VMs with ferm firewall
[11:22:21] <taavi>	 also note that everyone using bastion-restricted will see host key warnings when the new bastion is put in use
[11:23:16] <dhinus>	 ouch, very good point. what did we do the last time that the bastion changed? maybe I should send an email to cloud a few days before?
[11:24:05] <dhinus>	 it's just the "restricted" bastion that should be used by cloud-roots only
[11:25:08] <arturo>	 maybe an email to cloud-admin@ is enough
[11:27:27] <taavi>	 or ops@. I think the docs recommend using restricted. for everyone with prod root
[11:27:47] * arturo brb
[11:32:13] <dhinus>	 taavi: correct https://wikitech.wikimedia.org/wiki/Help:Accessing_Cloud_VPS_instances#Accessing_Cloud_VPS_instances
[11:33:23] <dhinus>	 found the hiera that needs a change, I'll prepare a patch after lunch
[11:33:45] <dhinus>	 do we have any preference/convention on using -3 vs -03 as the suffix in the hostname?
[11:34:11] <dhinus>	 I created the instance with the cookbook wmcs.vps.create_instance_with_prefix that used "-3"
[11:34:32] <taavi>	 I'm fine with either. -3 is more in line with what we have elsewhere I think
[11:55:32] <taavi>	 turns out maintain-dbusers has been doing totally unnecessary work to convert PAWS user ids to user names, just to not do anything useful with them: https://gerrit.wikimedia.org/r/c/operations/puppet/+/961369/
[11:56:45] <arturo>	 not sure I understand, but good catch :-)
[11:57:11] <dcaro>	 I think there's a couple patches to handle that exact issue
[11:58:11] <dcaro>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/905243 probably
[12:01:36] <taavi>	 that's still doing much more than needed, ihmo
[12:04:03] <arturo>	 taavi: the cookbooks repo needs a refresh of the cloudcontrol FQDNs
[12:04:35] <taavi>	 good catch. one moment
[12:05:40] <taavi>	 arturo: https://gerrit.wikimedia.org/r/c/cloud/wmcs-cookbooks/+/961370/
[12:06:59] <arturo>	 taavi: there are a few more hardcodes, see
[12:07:00] <arturo>	 git grep cloudcontrol | grep wikimedia
[12:15:23] <taavi>	 arturo: thanks, updated
[12:17:10] <arturo>	 taavi: I don't see the update. Maybe you forgot to hit <enter>? :-P
[12:17:33] <taavi>	 indeed :/
[12:20:07] <arturo>	 also, I was running git grep on an old checkout of the repo
[12:20:26] <arturo>	 so, way less old references than I thought 
[12:26:57] <arturo>	 taavi: I just sent you an invite for a network meeting later today
[12:34:05] <taavi>	 ok!
[12:46:23] <taavi>	 arturo: ^ I assume those disconnects were a side effect of the cloudgw refactoring?
[13:00:53] <arturo>	 taavi: most likely, keepalived was restarted
[13:01:05] <arturo>	 I really want to move then to the BGP setup
[13:54:19] <XioNoX>	 fyi I won't be able to attend the "network sync" meeting today (cc topranks)
[14:04:47] <arturo>	 XioNoX: ack
[14:56:09] <dhinus>	 I am about to reimage cloudcumin1001 (T324986) so it will be unavailable for a few minutes. you can use cloudcumin2001 in the meantime, that I have already reimaged.
[14:58:09] <andrewbogott>	 thank you for working on cumin things dhinus, and sorry about the sudden change in priorities. I panicked a bit yesterday when I realized I couldn't maintain VMs :)
[14:58:28] <dhinus>	 I think it's important to get it fixed :)
[14:59:14] <dhinus>	 and it's related to work that was already in my radar anyway (T343330)
[14:59:15] <stashbot>	 T343330: WMCS cookbooks: provide shared hosts for people without global root privileges - https://phabricator.wikimedia.org/T343330
[15:47:51] <andrewbogott>	 dhinus: have time for a quick catch-up?
[15:48:03] <dhinus>	 sure
[17:11:39] <blancadesal>	 dcaro: thanks for working on lima-kilo, I will test your patch first thing tomorrow