[09:55:52] <hnowlan>	 should membership in the wmf ldap group still grant RO access to things like netbox (like wikitech says) or has something changed since moving to use CAS? 
[09:57:39] <volans>	 yes it should
[09:57:51] <volans>	 in general, do you have a specific use case?
[09:59:07] <volans>	 because IIRC there is still an issue in netbox with users that gets created with a hash username, but you should ask slyngs ( https://netbox.wikimedia.org/users/users/?sort=first_name )
[09:59:17] <matthieulec>	 that's for me, when I try to login to Logstash or Grafana I'm getting a `Authentication Failure Service access denied due to missing privileges.`
[09:59:38] <matthieulec>	 even though I'm part of `wmf` ldap group
[10:00:48] <slyngs>	 ops, netbox-readonly-access and wmf should grant Netbox access
[10:00:49] <matthieulec>	 same for netbox and libreNMS
[10:01:27] <slyngs>	 Logstash requires nda, logstash-access or ops, but not WMF
[10:04:21] <taavi>	 matthieulec: try logging out and back in at idp.wikimedia.org?
[10:04:27] <slyngs>	 matthieulec: You might need to sign out of CAS-SSO / idp.wikimedia.org and sign back in, if you haven't done so after getting wmf access
[10:06:10] <matthieulec>	 ok yes it solved the issue
[10:06:12] <matthieulec>	 thanks!
[10:06:29] <slyngs>	 Sorry, we really should find a way to make that clear :-)
[10:06:46] <volans>	 slyngs: automatically logging out peoole when groups are changed?
[10:07:00] <slyngs>	 That's a good idea
[10:07:16] <slyngs>	 Simple too 
[11:19:13] <vgutierrez>	 test-cookbook is failing in cumin1002 with sudo: cookbook: command not found
[11:19:31] <vgutierrez>	 what am I missing?
[11:19:32] <marostegui>	 vgutierrez: cumin1002 is about to be decommissioned I believe
[11:20:28] <volans>	 indeed (see tread from moritz [sre] New Cumin host: cumin1003.eqiad.wmnet )
[11:20:59] <moritzm>	 what's the patch? not sure how the test-cookbook is still using it
[11:21:06] <moritzm>	 test-cookbook CI
[11:21:41] <moritzm>	 cumin1002 no longer uses the cluster::management role, but maybe it's still hardcoded in some CI image
[11:24:04] <volans>	 moritzm: I think that valentin was trying to use test-cookbook manually
[11:25:26] <moritzm>	 ah, ok
[11:25:43] <moritzm>	 then the fix it simply to use cumin1003 ofc :-)
[11:26:47] <vgutierrez>	 yep
[14:56:46] <taavi>	 dpogorzelski: ok to merge your puppet change?
[15:04:37] <taavi>	 dpogorzelski: another ping, your puppet change https://gerrit.wikimedia.org/r/c/operations/puppet/+/1206402 was never puppet-merged
[15:05:18] <cdanis>	 maybe klausman is around?
[15:05:40] <klausman>	 let me look
[15:06:04] <klausman>	 yes, go ahead and merge it
[15:06:15] <taavi>	 thanks, doing
[15:32:47] <swfrench-wmf>	 FYI, I'm going to start getting set up for today's work on T352245, which will involve two etcd restarts in codfw (which will happen closer to 16:00).
[15:32:47] <swfrench-wmf>	 the work I'll be doing prior to that involves making those restarts less impactful (e.g., temporarily moving etcd replication to another node).
[15:32:47] <swfrench-wmf>	 cc: Raine jhathaway 
[15:32:47] <stashbot>	 T352245: Migrate the etcd main cluster to cfssl-based PKI - https://phabricator.wikimedia.org/T352245
[15:33:03] <swfrench-wmf>	 I'll be noisy in -operations as things progress
[15:33:08] <jhathaway>	 thanks swfrench-wmf 
[16:29:53] <swfrench-wmf>	 mutante: good to merge your patch?
[16:30:59] <swfrench-wmf>	 mutante: this would be https://gerrit.wikimedia.org/r/c/operations/puppet/+/1204982
[16:33:44] <swfrench-wmf>	 never mind - sorted in -operations
[16:48:16] <swfrench-wmf>	 FYI, I'll be poking around a bit to double-check some things, but my work is ~ done
[18:24:10] <andrewbogott>	 my ganeti host reimage is failing due to a puppetdb looking; is this familiar to anyone?
[18:24:13] <andrewbogott>	 https://www.irccloud.com/pastebin/eLR9Y22x/
[18:25:13] <andrewbogott>	 this is a second attempt after a failed install so I assume it's in some unanticipated halfway state
[18:26:44] <mutante>	 andrewbogott: does it have that "profile::puppet::agent::force_puppet7" in Hiera ?
[18:27:17] <andrewbogott>	 it does, but also that check should just warn me and wait for me to add it if it's not there
[18:27:24] <andrewbogott>	 https://gerrit.wikimedia.org/r/c/operations/puppet/+/1206932
[18:30:32] <mutante>	 andrewbogott: 2 things.. there was just an actual networking issue in that time.. so if the issue was it could not reach the puppetdb it might be incredible timing
[18:31:37] <mutante>	 and the other.. ..never mind.. best I have is .. repeat it and see if it happens twice first
[18:32:21] <andrewbogott>	 it happens more than twice
[18:32:43] <andrewbogott>	 of course if I set --new to force creation of the puppetdb entries it says they're already there and removes the --new
[18:33:21] <taavi>	 andrewbogott: which VM?
[18:33:37] <andrewbogott>	 it's brand new, has never worked properly
[18:33:40] <andrewbogott>	 sudo cookbook --no-locks sre.hosts.reimage --os trixie cloudidp2001-dev --new --force
[18:33:52] <andrewbogott>	 fqdn is cloudidp2001-dev.wikimedia.org
[18:34:22] <taavi>	 your site.pp entry is broken: https://phabricator.wikimedia.org/P85370
[18:35:26] <andrewbogott>	 bah, that's what I get for copy/paste
[18:35:27] <andrewbogott>	 thx