[07:48:28] <Emperor>	 Who should I ask about getting software installed on the cumin nodes? It'd be useful to have s3cmd available there, but I figure I should Ask First :)
[07:49:19] <volans>	 to be used with swift?
[07:50:03] <Emperor>	 well, also the new apus ceph cluster; more for testing &c. than "production use"
[07:50:54] <volans>	 I like it has very little deps :D
[07:51:06] <volans>	 no objections from me, but you should ask I/F :D
[07:51:34] <Emperor>	 make CR, post link to their IRC channel?
[10:37:14] <XioNoX>	 head's up, Netbox upgrade at 12 UTC, be prepared to no do any Netbox related changes for 1 to 2 hours.
[12:03:41] <akosiaris>	 XioNoX: just as an fyi, I was trying to run homer to add the 2 new mw hosts to BGP and I met lvs2011 and lvs2012 being added as neighbors to cr*-codfw
[12:03:53] <XioNoX>	 topranks: ^
[12:03:56] <akosiaris>	 I am gonna back out since you got the netbox upgrade right now (nothing urgent on my side)
[12:04:02] <XioNoX>	 akosiaris: cool, thx
[12:04:43] <XioNoX>	 alright, doing a dump of the Netbox DB, please refrain from any NB change from now on
[12:27:30] <topranks>	 akosiaris: hmm... I was afk let me have a quick look 
[12:30:06] <topranks>	 seems I messed up when doing some changes yesterday - need to work out exactly how but let me patch it up 
[12:33:31] <topranks>	 XioNoX: doh I made some changes - don't worry I will double check them later and make sure 
[12:38:29] <topranks>	 TL;DR - something went wrong with the puppetdb import script I ran after the lvs maintenance last night - and it changed the untagged vlan on the switch ports in Netbox 
[15:14:50] <akosiaris>	 how did the netbox migration go btw?
[15:15:27] <cdanis>	 akosiaris: cookbooks are being tested/fixed now, I think
[15:15:40] <cdanis>	 some ongoing work in #-sre-foundations
[15:16:09] <elukey>	 exactly yes, last ones standing
[15:16:36] <akosiaris>	 ah, thanks
[15:29:07] <bblack>	 we still seem to have quite a few buster hosts
[15:33:16] <bblack>	 ~90
[15:36:50] <elukey>	 and a lot of pods running buster too :)
[15:38:21] <XioNoX>	 Netbox has (finally :)) been upgraded ! You can resume using it (directly and through cookbooks). There might still be bugs introduced by this upgrade, so please be careful and report to I/F any issues you might notice! Thanks
[15:42:21] <claime>	 gg!
[15:52:23] <volans>	 XioNoX:  the DNS repo on netbox1003 is behind the one on netbox1002
[15:52:34] <volans>	 by 6 days apparenty
[15:55:48] <XioNoX>	 volans: good point, let me run the dns cookbook, it should update it?
[15:55:57] <volans>	 no
[15:56:00] <volans>	 don't
[15:56:11] <volans>	 there is no way to ensure you're not modifying the DNS that way
[15:56:18] <volans>	 and you'll loose histopry
[15:56:27] <volans>	 first sync from netbox1002 (why was it not synced already???)
[15:56:37] <volans>	 then once you have it at the latest run before the migration
[15:56:43] <volans>	 you can run the cookbook (was it not tested?)
[15:56:45] <volans>	 and ensure it's a noop
[15:56:56] <volans>	 and doesn't remove/add any record compared to old netbox
[15:57:10] <volans>	 XioNoX: ^^^
[15:57:24] <XioNoX>	 volans: which commands should I run ? https://wikitech.wikimedia.org/wiki/DNS/Netbox
[15:58:08] <volans>	 https://gerrit.wikimedia.org/r/plugins/gitiles/operations/cookbooks/+/refs/heads/master/cookbooks/sre/dns/netbox.py#114
[15:58:24] <XioNoX>	 volans: lots of moving parts and not all documented in the same area :(
[15:59:12] <XioNoX>	 volans: that needs to be run from which hosts? which one is passive now? :)
[15:59:40] <volans>	 that needs to run on the new primary fetching from the old primary
[15:59:52] <volans>	 (or any of the old host that has the latest SHA)
[16:03:32] <XioNoX>	 volans: cool, done
[16:04:08] <XioNoX>	 volans: cookbook was run in dry mode, and was a noop
[16:04:25] <XioNoX>	 so probably why it didn't get caught
[16:05:31] <volans>	 XioNoX: what do you mean?
[16:06:29] <XioNoX>	 test runs of the dns cookbook were a noop, so probably why we didn't think of that extra sync step
[16:06:46] <volans>	 a test run 5 minutes ago had hundreds of diffs
[16:07:05] <XioNoX>	 weird
[16:07:19] <XioNoX>	 all good now
[19:12:38] <inflatador>	 If I wanted to see where a docker image hosted at docker-registry.wikimedia.org came from (like its source repo), what's the easiest way to do that? 
[19:26:11] <brett>	 https://gerrit.wikimedia.org/r/admin/repos/operations/docker-images/production-images,general ?
[19:26:27] <brett>	 inflatador: ^
[19:27:59] <inflatador>	 brett that doesn't seem to cover all of the images...like I picked https://docker-registry.wikimedia.org/wikimedia/operations-software-thumbor-plugins/tags/ at random and had to do some digging before I found its repo
[19:28:12] <inflatador>	 I don't think anything that uses Gitlab is hosted there either
[19:28:55] <brett>	 Well that's all I know! Sorry I can't help any more 🙃
[19:29:37] <inflatador>	 brett NP, I'm dreaming of better image metadata ;) Will get a phab task started
[19:37:57] <bd808>	 inflatador: dduvall recently built some support for SBOM stuff into blubber. That might be helpful to your cause.
[19:42:09] * inflatador starts reading thru https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md
[19:47:50] <dduvall>	 inflatador: provenance metadata is now supported as well
[19:48:03] <inflatador>	 bd808 thanks for the advice. I started T371549 and I'll probably start playing around with this on some of the images I control
[19:48:03] <stashbot>	 T371549: Publish more metadata tags with docker registry images - https://phabricator.wikimedia.org/T371549
[19:48:05] <dduvall>	 Judging by your comment that might be more useful here
[19:48:56] <inflatador>	 dduvall is https://github.com/in-toto/attestation the best place to learn more about the provenance standards? I'm new to all this
[19:50:17] <dduvall>	 At lunch but I will link you asap
[19:51:56] <dduvall>	 But yeah, in-toto attestations are used for both sbom and provenance
[19:53:42] <inflatador>	 no rush...my main goal is discoverability. It looks like there are some built-in gitlab vars we could use for the image repos on gitlab https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
[20:07:41] <dduvall>	 inflatador: https://docs.docker.com/build/attestations/slsa-provenance/#provenance-attestation-example shows an example provenance attestation. you can see vcs info (source repo, commit) under the metadata section. There is also information about base images used in both the build processes and the final image
[20:09:07] <dduvall>	 The attestations are stored alongside the image manifest as part of the same manifest index in the repo, so given an image ref, the attestations can be discovered by simply querying the ref and seeing whether it’s a manifest index and contains entries for the attestations
[20:10:48] <dduvall>	 It’s a nice model I think. The metadata is there in the registry if you need it, but it doesn’t bloat the actual image that gets pulled by typical runtime operations
[20:11:36] <dduvall>	 Which is more important when it comes to sboms since they’re quite large
[20:12:48] <dduvall>	 See https://github.com/moby/buildkit/blob/master/docs/attestations/attestation-storage.md
[20:14:23] <inflatador>	 still wrapping my head around this, but it sounds like you could find this attestation by doing a `docker image inspect`? Or do you need `docker buildx imagetools` to find it?
[20:15:47] <dduvall>	 The latter is easier but you can use `docker manifest inspect` to see whether the ref points to a manifest index or not
[20:16:10] <dduvall>	 Honestly I found using curl to be easier due to some weird edge cases
[20:17:02] <inflatador>	 It's good to hear that there is a schema for this at the very leasty
[20:19:13] <inflatador>	 and that blubber has the ability to do this automatically <3
[20:19:47] <inflatador>	 from there it shouldn't be all that difficult to expose the metadata on the docker-registry web UI
[20:53:31] <dduvall>	 inflatador: that would be awesome!
[20:57:30] <inflatador>	 dduvall yeah. I'm a little worried it's overkill for what I'm looking for, but on the other hand I'd rather use something that's a standard/understood outside of WMF. Do any of your images have the attestations? Just wondering what it "looks like" when blubber applies them
[20:58:22] <dduvall>	 good question. it's so new and i can't recall if i'd actually published an image with attestations yet
[20:58:39] <dduvall>	 kokkuri supports enabling provenance as a CI variable
[20:59:06] <dduvall>	 https://gitlab.wikimedia.org/repos/releng/kokkuri/-/blob/main/includes/images.yaml?ref_type=heads#L141
[21:50:05] <thcipriani>	 lurker +1 for adding: where did this image come from to the registry web page via image maniphests/metadata. That is the question I field most often about particular images and there have been a non-zero number of times where I didn't know the answer :)
[22:26:21] <dduvall>	 inflatador: i went ahead and did a minor version release of blubber and enabled provenance generation. you can see the general discovery process and raw attestation data here https://phabricator.wikimedia.org/P67172
[22:27:48] <dduvall>	 you can also use `docker buildx imagetools inspect docker-registry.wikimedia.org/repos/releng/blubber/buildkit:v1.0.1 --format '{{ json .Provenance }}'` but note that imagetools groups the provenance results by arch since blubber is published for both arm64 and amd64