[07:41:30] is there a way to grant access to a systemd unit journal to a non root / non adm
[07:43:05] specially, on the deployment server I'd like access to the journal of train-clean.service / train-presync
[07:43:50] though we get the output sent to us by email, it would be nice to be able to do `systemctl status train-clean` and have the journal shown instead of: Warning: some journal files were not opened due to insufficient permissions.
[07:47:29] sure, via sudo rules, we have that for various access groups already. best to open a task with detailed instructions and tag it both ServiceOps and SRE-Access-Requests
[08:28:36] you probably just need "journalctl -u NAME(s)" (with or without other options like -f) instead of status that gives you just the last few lines
[09:15:19] moritzm: so it is either access to all or none? There is no fine grained permissions such as one service logs being readable by an extra group (on top of adm / systemd-journal)?
[09:15:25] and one must rely on sudo?
[09:23:58] yeah, there's no permission management within journald itself, it's all reliant on the underlying filesystem permissions
[09:46:38] I guess an alternative would be to have the timer/service to be owned by the user, then I could read from that user journal: sudo -u whatever journalctl --user
[09:46:51] so might as well be granted `sudo journalctl -u whatever`
[09:46:54] ;)
[09:46:58] {solved}
[09:54:33] there’s also journal namespaces, which AFAIK end up in separate files and could thus probably have different ACLs
[09:54:55] but I think they’re pretty cumbersome to use (messages from other namespaces don’t show up in a normal `journalctl`), so probably not a good fit here
[10:04:10] Is there a way to use systemd::environment (setting env vars machine-globally) from a modules/role/manifests/... ? It seems, only use from modules/profile is allowed.
[11:48:08] ck
[11:48:10] *ack
[11:48:20] sorry wrong channel :(
[15:16:59] klausman: can you say more about what you want to do? you can always invoke it from the profile ofc
[15:22:55] I just want to statically set a few env vars for all users on two machines (paths to ROCm binaries in /opt instead of /usr)
[15:25:45] so take the profile for that machine and make setting them conditional on a hiera flag, or on the hostname if you want really quick and dirty
[15:27:33] hmm, that might work. I had just hoped to crib from other uses of the systemd::env class.
[15:29:09] if you're doing something messy like that, please also make sure you won't break anything on cloud hosts
[15:29:14] it's safer when such things are enabled from hiera
[15:29:30] yeah, I definitely only want it for those two machines
[15:29:53] a per-host hieradata override is a good option for that, and also very easy to move around in the future
[15:30:19] I'm surprised I seem to be the first to need this.
[15:31:28] just add a "custom env vars" hiera key for the profile and make it take the same data type that systemd::environment is
[15:31:36] and then do per-host hieradata
[15:59:23] <_joe_> klausman: you're not the first to need this and a hiera feature flag is the way to do it
[15:59:32] ack, ty
[16:59:50] heads-up, I am going to be deploying changes to mw-videoscaler to use the new job-running tool mercurius (https://gitlab.wikimedia.org/repos/sre/mercurius) to process one of the video transcoding jobs, and simultaneously temporarily disabling webVideoTranscodePrioritized in the jobqueue
[17:00:00] ty hnowlan !
[17:00:38] not expecting this to hit anything that pages, and if things go wrong all that will happen is transcodes will be delayed and a (relatively quiet) queue will backlog a bit
[21:34:03] Here.
[21:38:03] !incidents
[21:38:03] 5506 (ACKED) Primary inbound port utilisation over 80% (paged) global noc (asw2-b-eqiad.mgmt.eqiad.wmnet)
[21:38:03] 5505 (RESOLVED) Primary inbound port utilisation over 80% (paged) global noc (asw2-b-eqiad.mgmt.eqiad.wmnet)
[21:38:04] 5504 (RESOLVED) Primary inbound port utilisation over 80% (paged) global noc (cr1-esams.wikimedia.org)
[21:38:04] 5503 (RESOLVED) Primary outbound port utilisation over 80% (paged) global noc (cr2-eqiad.wikimedia.org)