[08:35:03] <moritzm>	 XioNoX, topranks: FYI; we're currently changing the signers for pwstore and I've added Riccardo and myself to the @netops group in pwstore (so that we're able to get the passphrase for homer after cumin reboots and to be able to re-encrypt the secrets if the users for @netops change)
[08:35:33] <XioNoX>	 great, thanks!
[08:36:08] <moritzm>	 this however requires you one (as a one time change) re-encrypt the following files (so that our new keys are added):
[08:36:10] <moritzm>	 ARIN  CLOUDINFRA_README gtt homer-key-passphrase management-scs network-root network-ztproot snmp-community Wikimedia-ARIN-RPKI.pem
[08:36:23] <moritzm>	 so 
[08:36:27] <moritzm>	 pws rc $filename
[08:36:51] <moritzm>	 some of those might also be related to the @dcops group, though
[08:40:59] <XioNoX>	 alright, on it
[08:43:29] <XioNoX>	 moritzm: even after updating the keyring I get "Warning: No key found for keyid 59E8F3AF321F239B"
[08:49:30] <moritzm>	 ah, sorry. you need to run "pws update-keyring" as well
[08:49:48] <moritzm>	 this regenerates the key db after the change to the .users file
[08:54:31] <XioNoX>	 running it a 3rd time solved that one too :)
[08:54:56] <XioNoX>	 I don't have access to CLOUDINFRA_README
[08:56:07] <XioNoX>	 moritzm: not an issue but I have to run it twice to not have the error
[08:56:23] <XioNoX>	 https://www.irccloud.com/pastebin/3CMaW70z/
[08:57:23] <moritzm>	 not sure what CLOUDINFRA_README actually contains, it was added by Andrew in 2019, he might have simply missed to set the correct access: header line, I'll ping him, it can probably just be removed
[08:57:31] <XioNoX>	 snmp-community also I don't have access
[08:57:38] <XioNoX>	 not like they're very secret :)
[08:59:02] <XioNoX>	 moritzm: alright, done, let me know how it is
[09:01:02] <moritzm>	 thanks! I think the issue with gtt was that is was previously signed with an older key of Faidon, which got replaced by a newer key (but that got resolved with the re-encypt)
[09:01:12] <moritzm>	 thanks! I can confirm I can access them all
[09:03:49] <topranks>	 Seems I missed the party
[09:04:30] <topranks>	 Fwiw I could never open the snmp community one, I’ve been grabbing it from the plaintext in the router config if I ever needed it ;)
[09:07:42] <moritzm>	 snmp-community is most certainly owned by the @dcops group
[09:08:16] <moritzm>	 it currently only has Papaul in there which isn't ideal either and if you both need it, we should just move it to be owned by netops as well?
[09:08:57] <XioNoX>	 not strictly needed but better to keep things clean
[09:10:40] <moritzm>	 could please raise this in the next dcops-IF syncup meeting with Papaul? I can help with making the actual ACL change once confirmed
[09:11:11] <XioNoX>	 moritzm: confirmed what?
[09:15:24] <moritzm>	 to just move the snmp-community secret to @netops (which Papaul is also part in as far as pwstore is concerned)
[09:16:42] <topranks>	 excuse my ignorance but can both groups have access?  Dc-ops probably need for some things?  PDU setup possibly?
[09:17:27] <volans>	 I can confirm too I can access those re-encrypted files
[09:17:30] <topranks>	 sry - you said only papaul is in there - so yeah moving to netops makes sense
[09:18:49] <moritzm>	 yeah, I guess that makes it all simpler
[09:38:56] <XioNoX>	 moritzm: I confirm :)
[09:39:03] <XioNoX>	 no need for a sync up meeting
[09:40:50] <moritzm>	 ok :-)
[09:42:07] <moritzm>	 I'll send a mail to Papaul, you, Cathal and Riccardo with the steps (Papaul needs to resign it given he's currently the only one with access)
[09:42:27] <XioNoX>	 thx!
[09:48:27] <moritzm>	 done, sent a mail
[09:55:56] <volans>	 thx
[11:19:20] <jbond>	 hi all, i just wanted to say i recived the gifts from you all.  Have not managed to play the game yet but definetly will this xmas looks right up our street.  and the book looks great cant wait to start working out way through thjanks you very much <3
[11:20:27] <volans>	 <3333
[11:21:39] <XioNoX>	 <3 enjoy!
[11:22:11] <volans>	 jbond: glad to hear, have a nice break (as you didn't got one :-P ) and enjoy!
[11:22:53] <jbond>	 lol yes last day tomorrow then a nice break :)
[11:27:23] <moritzm>	 enjoy and have a nice xmas break :-) 
[11:30:26] <jbond>	 thanks you too :)
[11:31:09] <volans>	 moritzm: we have a small problem with cumin1002... it doesn't have homer's ssh key because not yet homer-configured
[11:31:24] <volans>	 that means that all coolboks using ssh to connect to network devices aren't working
[11:31:53] <volans>	 that means at least the provision/decommission/configure-switch-interfaces ones
[11:32:11] <moritzm>	 then let's simply move forward with the move of the repo from cumin1001 to cumin1002? that would fix it
[11:32:27] <volans>	 yeah I think it's the easiest path, I can probably do it right now
[11:32:34] <volans>	 cc topranks as you wanted to be involved
[11:32:50] <moritzm>	 yeah, probably the cleanest and simplest way to fix
[11:33:50] <volans>	 either that or temporary "disable" cumin1002, but it was already communicated
[11:33:51] <topranks>	 sry yeah I was supposed to take a look at that 
[11:34:00] <topranks>	 let's take a look now 
[11:34:35] <volans>	 XioNoX: what are you thoughts?
[11:34:58] <XioNoX>	 yep, let's roll forward, and test it well before the break :)
[11:35:42] <volans>	 breaking for the break :D
[11:36:06] <XioNoX>	 :)
[11:36:07] <topranks>	 volans: what's the process exactly?
[11:36:13] <volans>	 ok I'm disabling puppet, scp'ing the repo, changing the remote 
[11:36:18] <topranks>	 I see there is "remote_peer" config in .git 
[11:36:20] <volans>	 can someone prepare the puppet patch to re-enable homer?
[11:36:58] <topranks>	 right so just scp from cumin1001 to cumin1002 and then change the remote on cumin2002?
[11:37:21] <volans>	 !log disabled puppet on cumin hosts for homer's private repo move
[11:37:21] <stashbot>	 volans: Not expecting to hear !log here
[11:37:29] <volans>	 yeah  I kno stashbot was a private logging :D
[11:37:43] <topranks>	 hahaha 
[11:41:34] <topranks>	 volans: I'm not 100% sure what the puppet patch needs to re-enable homer?
[11:41:53] <volans>	 check profile::homer::disable
[11:41:58] <topranks>	 ah
[11:44:52] <volans>	 copied repo, adjusted .git/config, adjusted permissions (I had to scp as rsync is not installed), updating /srv/homer/private/README to use it as a test commit
[11:46:15] <topranks>	 https://gerrit.wikimedia.org/r/c/operations/cookbooks/+/984642/
[11:46:43] <topranks>	 sorry that's the wrong link 
[11:46:46] <volans>	 +1ed
[11:46:54] <topranks>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/984820
[11:46:57] <topranks>	 ok 
[11:48:08] <volans>	 feel free to merge puppet is disabled
[11:48:35] <topranks>	 ok will do 
[11:48:48] <topranks>	 should we add "profile::homer::disable: true" for cumin1001 now as well?
[11:50:14] <volans>	 probably let's leave it for later
[11:50:56] <topranks>	 ok
[11:51:37] <volans>	 ok tested commits on both cumin1002 and cumin2002, they show up in the other peer
[11:51:49] <volans>	 topranks: let me know once that patch is puppet-merged
[11:52:17] <volans>	 I'm documenting what I did on the README in the privte repo (and used the update to commit)
[11:53:17] <volans>	 *used that update as test commit
[11:53:49] <topranks>	 voalns: merged now 
[11:54:06] <volans>	 great, running on cumin2002 first
[11:54:10] <topranks>	 ok
[11:54:20] <volans>	 it should be a noop
[11:54:32] <volans>	 wait a sec
[11:54:37] <volans>	 did we change cumin2002's hiera?
[11:55:01] <volans>	 topranks: hieradata/hosts/cumin2002.yaml needs to be updated too
[11:55:16] <volans>	 profile::homer::private_git_peer: cumin1001.eqiad.wmnet
[11:55:23] <volans>	 sorry I missed that
[11:56:19] <topranks>	 no my bad should have thought of it 
[11:56:23] <topranks>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/984821
[11:56:40] <volans>	 +1ed thx
[11:56:51] <topranks>	 cheers
[11:57:09] <topranks>	 merging now 
[11:57:13] * volans waiting for jenkins
[11:57:18] <volans>	 thx
[11:58:44] <topranks>	 volans: ok merged now if you want to try again 
[11:58:48] <volans>	 ack thx
[11:59:14] <volans>	 topranks, XioNoX: you both used cumin1001 for cookbooks, please stop and start using cumin1002/cumin2002
[11:59:28] <XioNoX>	 will try :)
[12:00:24] <topranks>	 Homer working on cumin1002 now :)
[12:00:26] <XioNoX>	 I removed it from .ssh/known_hosts.d/wmf-prod to get a nudge in case I forget
[12:01:03] <volans>	 topranks: I didn't yet run puppet nor armed keyholder...
[12:01:50] <topranks>	 keyholder was already armed when I checked 
[12:01:59] <volans>	 there was no key
[12:02:10] <volans>	 are you sure you weren't on 1001?
[12:02:37] <volans>	 still not there
[12:02:40] <topranks>	 yeah 100%
[12:02:46] <volans>	 no key in /etc/keyholder.d
[12:02:55] <volans>	 it's being added as we speak
[12:03:06] <topranks>	 sorry..... I was on 2002 
[12:04:55] <volans>	 running homer 'cr2-eqiad.wikimedia.org' diff
[12:07:48] <volans>	 still waiting, running another one against a switch with verbose
[12:08:04] <volans>	 we're doing WAYYYYY too many api calls to netbox
[12:08:19] <XioNoX>	 https://phabricator.wikimedia.org/T271864 :)
[12:08:33] <volans>	 I know, I opened it :D
[12:08:50] <volans>	 INFO:homer:Homer run completed successfully on 1 devices: ['asw2-a-eqiad.mgmt.eqiad.wmnet']
[12:08:53] <volans>	 yay
[12:08:56] <volans>	 waiting for the router
[12:09:05] <XioNoX>	 the more we get rid of row wide VCs, the less api calls we're going to do
[12:09:34] <XioNoX>	 356 API calls is not that bad as we have to query all servers connected to those switches
[12:09:55] <XioNoX>	 we should probably look at a "regular" switch, and a "regular" router to have a better idea
[12:10:44] <volans>	 but could probably be done with GQL in a better way
[12:11:00] <XioNoX>	 yep
[12:11:11] <XioNoX>	 but then it's quite a change
[12:11:38] <volans>	 sorry I'm stupid, it was on cumin2002 that it was successful, I was trying both old and new
[12:12:18] <XioNoX>	 GQL definitely speeds things up :) https://gerrit.wikimedia.org/r/c/operations/software/homer/+/928795/
[12:12:42] <XioNoX>	 https://phabricator.wikimedia.org/T341968 is relevant too
[12:13:03] <volans>	 ahem...
[12:13:09] <volans>	 if I don't deploy homer it will be hard to run it
[12:13:47] <volans>	 :facepalm:
[12:16:26] <topranks>	 volans: hahaha
[12:16:49] <topranks>	 I'm very glad you did that, I was feeling extremely stupid myself after doing so 
[12:17:53] <topranks>	 I was trying to work out what was wrong but that makes sense 
[12:18:09] <topranks>	 "/srv/deployment/homer/venv/bin/homer" wasn't there homer command was just hanging on me 
[12:18:27] <volans>	 now running homer for real
[12:18:27] <volans>	 :D
[12:19:10] <topranks>	 it works \o/
[12:19:29] <volans>	 INFO:homer:Homer run completed successfully on 1 devices: ['asw2-a-eqiad.mgmt.eqiad.wmnet']
[12:19:32] <volans>	 for real now
[12:19:36] <volans>	 re-trying my cookbok patch
[12:19:53] <moritzm>	 \o/
[12:20:50] <volans>	 XioNoX: you have a terminal open on asw2-a1-eqiad
[12:21:46] <XioNoX>	 closed, not sure it's a blocker though
[12:22:01] <volans>	 it's scary :D
[12:23:06] <XioNoX>	 how can we make sure people don't try to use cookbooks on cumin1001 anymore?
[12:23:22] <XioNoX>	 at least the network related ones
[12:23:30] <volans>	 https://phabricator.wikimedia.org/P54506
[12:25:05] <volans>	 bigger MOTD like deploy1002? :D I'm checking SAL/cumin  logs every couple of days
[12:25:34] <XioNoX>	 volans: can we prevent the unpriv cookbooks from running there?
[12:26:32] <volans>	 yes but prevents only some part of dcops, not sure how that helps the bgger problem
[12:28:26] <XioNoX>	 they're the team that uses the most the network related cookbooks
[12:30:45] <moritzm>	 or simply send a followup the mail I sent some days ago about cumin1002, telling folks that homer is now also moved and that means cookcooks really won't work?
[12:30:54] <moritzm>	 (if they use homer under the hood)
[13:25:57] <topranks>	 the cookbooks don't use homer under the hood 
[13:26:35] <topranks>	 they do rely on the Homer ssh key being in keyholder though, so if we de-arm that it would have similar result (cookbooks won't succeed)
[13:26:56] <moritzm>	 ack,ok
[15:45:55] <volans>	 FYI I just forced a run of check-homer-diff.service on cumin1002 to check if all works fine instead of discovering it tomorrow morning
[16:50:16] <volans>	 XioNoX, topranks: the check-homer-diff.service run was ok but I didn't get any email
[16:50:34] <volans>	 logs are not very helpful, at lest journalctl -u check-homer-diff.service
[16:50:58] <volans>	 I'm about to logoff, could you maybe have a look tomorrow if anyone of you is working?
[16:54:05] <topranks>	 I'm off tomorrow too but I'll  have a little look now see if I can work it out 
[16:54:16] <topranks>	 If we're not speaking have a great break and happy new year!
[16:59:26] <topranks>	 seems if I execute the "mail" command similar to the diff script the mail is accepted by mx1001
[17:00:07] <topranks>	 https://phabricator.wikimedia.org/P54508
[17:02:02] <topranks>	 volans: seems I got my test mail, but I also got a rancid-diff mail at 16:14 
[17:02:12] <topranks>	 which originated on cumin1002, so seems like it's working?
[17:04:11] <volans>	 doh
[17:04:34] <volans>	 how I missed that
[17:04:35] <volans>	 lol
[17:04:42] <volans>	 I marked it as read
[17:04:49] <volans>	 without noticing was the one I was looking for
[17:04:55] <volans>	 topranks: thanks for fact-checking me
[17:04:58] <volans>	 it all seems to work fine
[17:05:31] <topranks>	 ah no worries! 
[17:05:38] <topranks>	 better than it was left in a broken state for sure :)
[17:21:59] <jinxer-wm>	 (SystemdUnitFailed) firing: update-tails-mirror.service Failed on mirror1001:9100 - https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state - https://grafana.wikimedia.org/d/g-AaZRFWk/systemd-status - https://alerts.wikimedia.org/?q=alertname%3DSystemdUnitFailed
[18:37:01] <jinxer-wm>	 (SystemdUnitFailed) resolved: update-tails-mirror.service Failed on mirror1001:9100 - https://wikitech.wikimedia.org/wiki/Monitoring/check_systemd_state - https://grafana.wikimedia.org/d/g-AaZRFWk/systemd-status - https://alerts.wikimedia.org/?q=alertname%3DSystemdUnitFailed