[00:05:03] tgr: https://phabricator.wikimedia.org/T120186 (Labs-vagrant cannot forward SSH agent)
[00:05:18] I'm tempted to close that as invalid.
[00:05:40] Do we still allow ssh-agent forwarding into labs instances past the bastion?
[00:06:08] but even if we did, forwarding agents into the VM is so sketchy
[00:13:27] bd808: Random n00b question-- in Grafana, are the "count" metrics per minute? second?
[00:14:28] bd808: AFAIUI agent forwarding is secure if used together with IdentitiesOnly so while it is unsafe by default it is not that horrible a practice
[00:14:47] "count" is the number of events seen per ... something. Depends on what time scale you are looking at. Generally you want to use "sum" and it should be per minute I think for small time windows (less than a day?)
[00:15:12] count is per pixel I think?
[00:15:21] which is not super useful
[00:15:42] Oh, can I set the time period for sum?
[00:16:19] in the statsd stats for counters "count" is the number of increment/decrement events but an event could be +1000 to -7 or whatever
[00:16:36] so sum reflects the actual payload changes
[00:17:26] bd808: the specific problem here is how to push code to gerrit after testing/developing on labs-vagrant
[00:17:46] csteipp: no, I just mean that the interval for a measurement changes over time. These are time series dbs that compact over time to fewer and fewer data points
[00:18:07] git format-patch && scp
[00:19:23] that works but it's not exactly convenient
[00:26:28] tgr: if you edit /usr/local/bin/mwvagrant and add SSH_AUTH_SOCK="$SSH_AUTH_SOCK" does that make things work right?
[00:28:55] I was thinking of env_keep+=SSH_AUTH_SOCK in sudoers but yeah that should work too
[00:28:58] let me test
[00:39:09] bd808: does not seem to work
[00:39:48] but exec sudo -u mwvagrant -n -- /usr/bin/env VAGRANT_HOME="/srv/vagrant-data" MWV_ENVIRONMENT="labs" SSH_AUTH_SOCK="$SSH_AUTH_SOCK" printenv | grep SSH_AUTH_SOCK does print the correct value
[00:40:30] and I have enabled forwarding in vagrant, so not sure what's missing
[00:40:42] Did we set up Vagrantfile to automatically forward the agent?
[00:40:49] oh. ok
[00:41:12] one question I guess would be if LXC even allows such a thing in the plugin
[00:41:30] the "ssh" is not really ssh
[00:41:55] fwiw if there was a command to sudo as vagrant that would be good enough since I could just do "as_vagrant git push..." on the labs machine
[00:41:58] it's really lxc-attach I think
[00:43:04] it's a bit harder for newbies since there is no git-review there though
[00:43:37] n00bs should be on their laptops, not a Labs instance
[00:44:52] this is one of those workflow questions that I hate trying to answer. I wouldn't want my key on the host so I wouldn't ever think of doing this
[00:45:10] but I also don't use the tools the way you do back on my laptop
[00:47:48] fair enough, if labs-vagrant is not intended to be beginner-facing, just decline the task
[01:02:28] tgr: I don't see any obvious reason in the LXC provider and how it hooks into Vagrant that ssh agent forwarding wouldn't work if the settings are in place
[01:02:45] it does use ssh and not lxc-attach as I assumed to talk to the vm
[01:03:28] and all of the heavy lifting logic for how the ssh command is crafted lives in Vagrant proper
[01:03:55] https://github.com/mitchellh/vagrant/blob/5c4e71e317262b54f7ceace79fe7d8c66b3fda31/lib/vagrant/machine.rb#L447 -- https://github.com/mitchellh/vagrant/blob/master/lib/vagrant/util/ssh.rb#L153
[01:17:11] bd808: I was playing around with vagrant on the labs box and got "RuntimeError: The mediawiki-vagrant plugin hasn't been installed yet. Please run `setup.sh`."
[01:17:15] is that normal?
[01:17:56] well, I unaliased the command
[01:18:07] I guess the plugin is per-user
[01:20:22] yeah. it gets installed for the mwvagrant user. That's what the VAGRANT_HOME stuff is about partially
[01:20:50] In theory you could go to your home dir and get the plugin installed just for you etc and use it
[01:21:35] but to make it "easier" to share ownership of an instance I did that shared user stuff
[01:22:28] I can't remember if there will be problems because of the lxc area's ownership too or not