[08:42:03] dunno if there's something relevant to us, but I noticed a new pynetbox (6.6.0) was uploaded to Debian, so just an FYI: https://tracker.debian.org/news/1301019/accepted-python-pynetbox-660-1-source-into-unstable/
[08:44:37] moritzm: yes, I noticed the release a few days ago, I think the deb version is used only in spicerack, most of the other places have a venv (netbox-extras, homer)
[08:44:53] and in the case of homer we cap it at <=5.3.1 for backward incompatibility changes
[08:45:07] and we should revisit that once we upgrade netbox-next (and then netbox itself)
[08:47:46] ok!
[10:01:28] 10CAS-SSO, 10Infrastructure-Foundations: CAS sometimes sees me coming from a WMF IP - https://phabricator.wikimedia.org/T273858 (10JMeybohm) I think I misread the audit logs as it seems normal that some actions are logged with a WMF IP as client IP. My issue seems to be that I sometimes reach IDP via IPv6 and...
[10:23:09] 10CAS-SSO, 10Infrastructure-Foundations: CAS sometimes sees me coming from a WMF IP - https://phabricator.wikimedia.org/T273858 (10jbond) @JMeybohm this is an artefact of how the TGT is generated, as the token is based on the client source IP addresses. i think @MoritzMuehlenhoff looked into this previously...
[10:29:27] 10CAS-SSO, 10Infrastructure-Foundations: CAS sometimes sees me coming from a WMF IP - https://phabricator.wikimedia.org/T273858 (10MoritzMuehlenhoff) >>! In T273858#7696285, @jbond wrote: > @JMeybohm this is an artefact of how the TGT is generated, as the token is based on the client source IP addresses. i th...
[14:15:40] 10Puppet, 10Infrastructure-Foundations: update hiera order in production environment - https://phabricator.wikimedia.org/T301349 (10jbond) p:05Triage→03Medium
[15:02:51] https://wikitech.wikimedia.org/wiki/VXLAN-EVPN_Network_Testing_-_Eqiad_Expansion interesting read - was there a strong preference for vxlan over l2tpv3?
[15:36:43] topranks: XioNoX: cc ^^
[16:00:24] Southparkfan: Thanks! There is some more content to be added and some editing needed on that yet btw :)
[16:00:44] Yeah VXLAN is strongly preferred over L2TPv3 I would say.
[16:01:16] MPLS would have been the other option we considered, but we took the opinion if traffic engineering is not needed it is overkill.
[16:02:26] A lot comes down to the hardware and software support.
[16:02:50] EVPN+VXLAN is widely deployed and supported fully in the Broadcom ASICs that most vendors use.
[16:03:47] The wide usage gives us more confidence in the software also, from what I know L2TPv3 isn't a very widely implemented approach
[16:05:06] I'm not even sure if you can tie it to EVPN or use it on the QFX series switches we chose at all.
[16:24:19] I see, must admit that besides VpnCloud/vpncloud.rs as a way to create virtual L2 networks between virtual machines across different providers, I have very little experience with standards like VXLAN or MPLS
[16:26:22] what are the 'non-L3 support' edge-cases, though? I know the old example of vMotion (from vmware, yes), but even that seems to have received L3 support years ago
[16:29:51] and I'll not comment on Juniper support of certain standards. unfortunately, all of my GNS3 / VMware experience is limited to Cisco and VyOS :-)
[16:30:43] We've a design doc but it's not ready for public yet unfortunately - which has some discussion on this.
[16:30:54] But yeah the exceptions are similar to what you've said.
[16:31:13] Live VM motion between our Ganeti hypervisor hosts requires them to be connected to the same Vlan right now
[16:31:41] Our layer-4 load-balancers need to be L2 adjacent to the realservers they hand off traffic to on the back-end also.
[16:33:56] When VMware say they support L3 vMotion what they mean is the hypervisors can be on different subnets.
[16:34:31] If the Vlans the VM's NICs are connected to aren't present on the destination hypervisor it won't work once it's moved though.
[16:34:52] There are some solutions that reach into the guest and change the IP addressing.
[16:35:15] I think the better paradigm for this kind of thing is "build new VM on alternate subnet" + "migrate service from old to new VM"
[16:36:36] As for support the same goes for Cisco and all the major players. EVPN + VXLAN is what they are widely supporting, say on the Nexus 9000s with Cisco.
[16:53:35] check, and re. vMotion, that limitation (vlans on destination hypervisor) makes sense to me. I'll give EVPN + VXLAN a try in my virtual environment. thanks!
[16:54:35] cool! I have the configs from my own initial GNS3 tests here if you want to look at the basic Juniper setup: https://github.com/topranks/eqlab
[17:57:50] awesome, let's see if I can get it working..
[18:15:33] 10SRE-tools, 10Infrastructure-Foundations, 10Observability-Alerting: Spicerack: add support for Alertmanager - https://phabricator.wikimedia.org/T293209 (10Volans) Today @jbond and I joined the office hours of #sre_observability and discussed a bit the plan for the above. We agreed to split this into 2 phas...
[18:30:26] 10Puppet, 10Cloud-VPS, 10Infrastructure-Foundations, 10Patch-For-Review: role::puppetmaster::puppetdb uses nginx as reverse proxy and cannot be used together with Apache applications - https://phabricator.wikimedia.org/T154105 (10Majavah)
[18:35:20] 10netops, 10Data-Engineering, 10Infrastructure-Foundations, 10Product-Analytics, and 2 others: Maybe restrict domains accessible by webproxy - https://phabricator.wikimedia.org/T300977 (10fkaelin) This would affect the research team, especially if the stat machines are also included in this restriction. Fo...
[18:53:39] 10netops, 10Infrastructure-Foundations: Improve Netbox import script to avoid port-number collisions in JunOS - https://phabricator.wikimedia.org/T301392 (10Reedy)