[11:25:32] <topranks>	 btullis: hey, I'm just trying to push some dns updates with the sre.dns.netbox cookbook 
[11:25:43] <topranks>	 system saying you have a lock on it now
[11:26:12] <topranks>	 which is fine, you may see a bunch of new entries for stuff in magru (Brazil POP) they are safe to proceed with 
[11:26:13] <btullis>	 Yes, I'm running a decom and I see your changes too. Are you happy for me to proceed?
[11:26:20] <topranks>	 yep fire away 
[11:26:22] <topranks>	 thanks!
[11:26:24] <btullis>	 Thanks. Doing so now.
[11:27:03] <topranks>	 just hoping the manual zone file edits I made the other day were complete, it may error on updating if not
[11:27:08] <topranks>	 let's see 
[11:27:24] <btullis>	 Looks clean, as far as I can see.
[11:27:42] <topranks>	 great!
[11:27:48] <topranks>	 yeah it'd be obvious if there was a problem 
[11:56:25] <brouberol>	 I've been asked by a data-products member to either a) provide them with a username/password to log to the Mediawiki Server Admin Log, or b) create a new username/password for the MW SAL. Does any of you know where to look? Thanks!
[11:58:21] <btullis>	 brouberol: I've never had to do this from k8s before, but I started by looking at the way `helmfile` logs to SAL when we run it. It uses this script. https://github.com/wikimedia/operations-puppet/blob/production/modules/helmfile/files/helmfile_log_sal.sh
[11:59:15] <jynus>	 I don't think "Mediawiki Server admin log" is a thing
[12:03:58] <claime>	 Is that referring to https://wikitech.wikimedia.org/wiki/Server_Admin_Log ?
[12:05:09] <jynus>	 My guess is either that or Mediawiki logging (kafka)?
[12:05:25] <jynus>	 or the mediawiki user activity log table
[12:06:03] <brouberol>	 My understanding is that it's either some specific SAL (_à la_ Prod/RelEng/etc), or there's a misunderstanding
[12:06:25] <btullis>	 I agree with jynus. I think that we probably need to go back and make sure that the requirements are clear. It may be that someone has said 'we want this app to log to SAL' when there might be better options, like eventstreams. https://wikitech.wikimedia.org/wiki/Irc.wikimedia.org#Avoid_new_use
[12:06:38] <jynus>	 yeah, please ask what they want to achive 0:-)
[12:07:06] <brouberol>	 haha, yep, my bad. I assumed I didn't know what he was asking for, but that the ask itself was valid
[12:07:22] <jynus>	 90% of the cases the intention is legitimate, but giving the wrong implementation
[12:08:55] <jynus>	 or maybe they just want to do something like irc logging, but for a separate project?
[12:12:48] <brouberol>	 The confusion came from https://sal.toolforge.org/analytics also being displayed at https://www.mediawiki.org/wiki/Analytics/Server_Admin_Log
[12:13:08] <brouberol>	 anyway, thanks, we're clarifying with them
[12:56:47] <jynus>	 topranks: I am finishing my week, as Chris is around you should be ok
[12:57:09] <jynus>	 cdanis: quiet day today
[12:57:22] <topranks>	 jynus: ok great - enjoy your weekend :)
[12:58:00] <jynus>	 cdanis: see if you can (and want) to ask urand*m about the expiration alerts for cassandra
[12:58:10] <btullis>	 Does anyone have any idea why I might be getting these CI failures on the puppet repo at the moment? https://gerrit.wikimedia.org/r/c/operations/puppet/+/1021901 Am I doing something stupid, or is there an issue?
[12:58:11] <jynus>	 when he is around
[12:59:26] <jynus>	 btullis: without looking too indepth I would suspect something related to the new dc setup
[13:00:08] <jynus>	 there may be some noise due to some cycle dependencies
[13:00:36] <btullis>	 jynus: Ah, thanks. Makes sense.
[13:01:24] <cdanis>	 jynus: Thanks!
[13:06:51] <topranks>	 btullis: indeed seems to be related somehow 
[13:07:00] <topranks>	 sukhe: maybe you can make sense of it?
[13:07:11] <topranks>	 might relate to the changes you made the other day 
[13:09:36] <topranks>	 more like some omission on our side but I'm not sure what 
[13:17:19] <btullis>	 cdanis: I know about those aqs certificate expiry alerts. They are genuine, related to T352647 - It is a coincidence that the 30 day warning fired on all hosts just before the old  were about to be replaced with PKI certificates. The codfw certs on aqs2* have been replaced this week, but eqiad certs will be done sometime next week.
[13:17:19] <stashbot>	 T352647: Move Cassandra clusters to PKI - https://phabricator.wikimedia.org/T352647
[13:18:05] <btullis>	 Should I add a silence for the aqs1* certificate alerts until next week, or would you prefer that I don't?
[13:18:39] <sukhe>	 topranks: thanks, looking though I don't see just yet how it is related to us yet
[13:24:37] <topranks>	 sukhe: I seen regex's of IP ranges and may have jumped to conclusions yeah
[13:30:07] <cdanis>	 btullis: Ah thanks! Yeah please do. 
[13:36:56] <sukhe>	 btullis: this doesn't seem to be related to the recent dc setup but modules/puppetmaster/spec/defines/puppetmaster_web_frontend_spec.rb is failing, even though the output seems to match
[13:37:58] <sukhe>	 I think might be worth filing a task about this. jhathaway ^ if you are around, see if you can spot something? I 
[13:38:04] <sukhe>	 have to step away for a bit
[14:31:18] <andrewbogott>	 effie: Not urgent but in case you missed it: the memcached exporter packaging needs a bit more work.  The issue in https://phabricator.wikimedia.org/T350807#9722593 will show up more and more as packages get upgraded.
[14:31:34] <andrewbogott>	 If you think the package is correct and puppet is wrong I'm happy to write a puppet patch
[14:34:30] <jhathaway>	 sukhe: sorry was in a meeting, looking
[14:37:16] <effie>	 andrewbogott: thank you for finding this, I will  sort it it as soon as I can, the package is a actually wrong, I should have renamed the binary as such 
[14:37:46] <effie>	 I dont know why I didnt get a notification for this
[14:37:54] <andrewbogott>	 ok! I'll leave it to you then, thanks.
[14:39:10] <jhathaway>	 btullis: ci looks odd indeed, I'll try to dig in and see what I can find
[14:41:49] <sukhe>	 jhathaway: thanks!
[14:46:17] <btullis>	 jhathaway: Also thanks.
[18:19:08] <mutante>	 a user has root on a production VM but not global root / no access to the puppetmaster and /sr/private. But they need to store private data somewhere (email addresses, names). we have 2 machines and want to sync that data between them. I am thinking just manual "git init" once somewhere in /srv and then puppetize rsync of that. 
[18:51:31] <inflatador>	 maybe object storage?
[18:51:40] <inflatador>	 but then they need pw for that
[18:58:16] <mutante>	 nod... currently looking for puppet abstraction like git::clone but just for creating it locally. but I guess it's just an Exec of git init 
[19:00:54] <mutante>	 could make something that inits it, sets permissions for the right group (not always wikidev) and also syncs it to another host
[19:03:22] <mutante>	 back in the old days would have been NFS mount :o
[19:14:42] <inflatador>	 we still have NFS to the dumps server, not sure if that would help in your case though
[19:18:30] <mutante>	 heh! thanks. yea, I don't think I want to become that special case though
[19:24:37] <mutante>	 a long long time ago when the bastion server was called "fenari", user homes were NFS mounted from nfs1.pmtpa.wmnet, the deployment server was also the bastion and when NFS went down we couldn't login.  Happy Friday 
[19:26:59] <inflatador>	 º╲˚\╭ᴖ_ᴖ╮/˚╱º   ＹＡＹ！
[19:50:31] <andrewbogott>	 pwstore working for anyone today? If so then I've no doubt forgotten how to use it again
[19:51:16] <andrewbogott>	 '.users file is not signed properly.' and when I check .users it tells me 'There is no indication that the signature belongs to the owner.'
[19:51:42] <taavi>	 is your ~/.pws-trusted-users up-to-date with https://office.wikimedia.org/wiki/Pwstore#User_database
[19:52:08] <andrewbogott>	 Yep, I just checked it.
[19:53:34] <taavi>	 does `pws update-keyring` help?
[19:54:22] <andrewbogott>	 nope, it won't run because '.users file is not signed properly.'
[19:54:53] <brett>	 I seem to recall this error
[19:56:22] <brett>	 wfm, trying to remember what had happened to me months ago...
[19:56:36] <taavi>	 what happens if you move `.keyring` to some other file name?
[19:57:52] <andrewbogott>	 that does a bunch of things but then ultimately fails and gets me back in the state I was in before
[19:58:00] <cdanis>	 andrewbogott: did you do the step with `gpg --import jmm.key jhathaway.key volans.key slyngshede.key`
[19:58:02] <cdanis>	 ?
[19:58:09] <andrewbogott>	 cdanis: I did
[19:58:09] <brett>	 ^aha, I think that was it
[19:58:12] <brett>	 oh :(
[19:58:22] <andrewbogott>	 but also, this is in an existing setup that has worked for years so surely I had their keys already?
[19:59:25] <brett>	 ~/.pw-trusted-users?
[20:00:59] <andrewbogott>	 brett: I think we did that one already :)
[20:01:06] <brett>	 sorry :(
[20:01:07] <andrewbogott>	 Is it possible this is happening because /my/ key is expired?
[20:01:30] * andrewbogott googles how to check that
[20:02:09] <taavi>	 andrewbogott: so what's the exact command you're running and the exact error you get?
[20:02:25] <andrewbogott>	 nope, my key isn't expired
[20:02:41] <taavi>	 since I think 'There is no indication that the signature belongs to the owner.' just means that you've not explicitely marked that key as verified, not that the signature itself is invalid or so
[20:03:11] <andrewbogott>	 The first sign of trouble was this:
[20:03:15] <andrewbogott>	 https://www.irccloud.com/pastebin/vM6ZqRYs/
[20:04:49] <taavi>	 `[GNUPG:] NO_PUBKEY ABA34714F5533665`
[20:05:12] <taavi>	 does `gpg --keyid-format long --list-key ABA34714F5533665` show jesse's key?
[20:05:57] <andrewbogott>	 yes
[20:06:22] <andrewbogott>	 Do I need to do gpg --keyserver    --recv-keys in some form?
[20:07:27] <taavi>	 what about `gpg --no-default-keyring --keyring ./.keyring --keyid-format long --list-key ABA34714F5533665` in the pws directory?
[20:07:44] <andrewbogott>	 Every time I want to complain about gpg I just remember that my tax dollars are paying to keep it difficult
[20:08:46] <andrewbogott>	 taavi: when you say 'the pws' dir do you mean where the pws binary is, or in our password repo? (which for some reason is checked out on my system as 'pw')
[20:08:51] <taavi>	 the password repo
[20:09:32] <andrewbogott>	 https://www.irccloud.com/pastebin/jVJBRC0i/
[20:10:25] <taavi>	 ok, try `gpg --no-default-keyring --keyring ./.keyring --import keys/jhathaway.key` and then `pws update-keyring`?
[20:11:36] <andrewbogott>	 hm, that produced a similar warning but I can use pws now
[20:12:23] <andrewbogott>	 So I think I'm fixed, thank you! Is that maneuver in the docs and I just skipped over it by mistake, or should I add docs?
[20:12:40] <taavi>	 good question
[20:12:41] <andrewbogott>	 (the docs being https://office.wikimedia.org/wiki/Pwstore)
[20:15:24] <taavi>	 so I think the failure mode is that you did not run anything that would have triggered a `pws update-keyring` (updating a file, basically) between Jesse's key being added and Jesse signing `.users` for the first time
[20:16:11] <taavi>	 ideally `pws update-keyring` would import the keys specified in ~/.pws-trusted-users regardless of whether it can verify the signature for .users or not
[20:16:20] <andrewbogott>	 yeah, ideally :)
[20:17:50] <andrewbogott>	 but shouldn't the gpg --import jmm.key jhathaway.key volans.key slyngshede.key bit have taken care of this?
[20:19:51] <jhathaway>	 that command wouldn't update the .keyring file in your pw repo though right?
[20:20:01] <jhathaway>	 sorry just read backscroll
[20:20:04] <taavi>	 yeah, for some reason pws maintains that separate keyring file that was out-of-date here
[20:20:12] <taavi>	 sorry for all the pings jhathaway :-)
[20:21:02] <jhathaway>	 no problem at all, taavi 
[20:21:47] <jhathaway>	 and it makes it a hidden file, so you don't even know its there ;)
[20:26:43] <andrewbogott>	 and of course wikitech-static has recovered on its own while I was looking for the rackspace password
[20:42:55] <volans|off>	 andrewbogott: for next time, from the alert hosts:  SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh -4 root@wikitech-static.wikimedia.org
[20:42:58] <volans|off>	 ;)
[20:43:59] <volans|off>	 unless you needed the rackspace management console
[20:44:01] <volans|off>	 ofc
[20:44:09] <andrewbogott>	 ssh wasn't responding so I needed mgmt to reboot
[20:44:23] <andrewbogott>	 but now it's back
[20:44:26] <volans|off>	 ineresting 20:44:18 up 95 days
[20:44:42] <andrewbogott>	 yeah, it was maybe under load
[20:44:45] <volans|off>	 OOM of mysql
[20:45:04] <volans|off>	 but maybe be long time ago, checking time (was from dmesg)
[20:45:43] <volans|off>	 nah, old thing
[20:45:49] <volans|off>	 maybe network?
[20:46:42] <andrewbogott>	 yeah, could've been network on my end or on wikitech-static's end.  Something kept the daily sync from working (which I'm rerunning now)
[20:46:50] * volans shouldn't be looking at this time, I'm clearly tired :)
[20:47:45] <volans>	 andrewbogott: mmmh / is full
[20:47:55] <andrewbogott>	 well that would do it
[20:47:59] <andrewbogott>	 I'll do some cleanup
[20:48:11] <volans>	 thanks
[20:50:06] <bd808>	 I've been wondering about a future for wikitech-static where we actually just bake a container image with all the bits and bobs in it and deploy that anywhere folks want.
[20:51:00] <bd808>	 mediawiki + apache + an sqlite db + local media files I think would be the bits and bobs
[20:51:27] <andrewbogott>	 You mean instead of daily sync we'd rebuild the container?
[20:51:33] <bd808>	 yeah
[20:52:01] <bd808>	 and then pull it from wherever. there is some nice magic in podman for setting that up
[20:52:27] <andrewbogott>	 that's appealing