[01:52:31] <Krenair>	 krenair@deployment-certcentral02:/usr/local/lib/python3.5/dist-packages/certcentral$ apt-cache policy python3-acme
[01:52:31] <Krenair>	 python3-acme:
[01:52:31] <Krenair>	   Installed: 0.10.2-1
[01:52:32] <Krenair>	   Candidate: 0.10.2-1
[01:52:32] <Krenair>	   Version table:
[01:52:35] <Krenair>	      0.25.1-1~bpo9+1 100
[01:52:37] <Krenair>	         100 http://mirrors.wikimedia.org/debian stretch-backports/main amd64 Packages
[01:52:39] <Krenair>	  *** 0.10.2-1 500
[01:52:41] <Krenair>	         500 http://deb.debian.org/debian stretch/main amd64 Packages
[01:52:43] <Krenair>	         100 /var/lib/dpkg/status
[01:52:48] <Krenair>	 vgutierrez, this caused problems trying to run certcentral
[01:53:08] <Krenair>	 had to pin it. did it by version but origin is probably better
[07:30:09] <moritzm>	 vgutierrez: ok to reboot cp1008 for some microcode tests or are you currently using it?
[07:30:24] <vgutierrez>	 go for it
[07:30:31] <moritzm>	 k
[10:35:08] <Krenair>	 vgutierrez, any idea about python3-acme?
[10:35:32] <vgutierrez>	 Krenair: we should pin the stretch-backports version as you suggested
[10:36:29] <Krenair>	 vgutierrez, based on version or origin?
[10:36:39] <vgutierrez>	 origin
[10:36:49] <Krenair>	 hm ok
[10:36:51] <vgutierrez>	 BTW, we must consider https://phabricator.wikimedia.org/T180023 for certcentral
[10:39:35] <Krenair>	 vgutierrez, well I assume you'll be making a deb for prod
[10:41:06] <vgutierrez>	 right know we are fine with debian provided versions in stretch, so it's the saner option IMHO
[10:41:39] <vgutierrez>	 volans, _joe_ and moritzm have more experience than me in this particular thing, so his input would be appreciated though :)
[10:41:52] <vgutierrez>	 s/him/their
[10:42:39] <volans>	 the main goal of that task is that we want to basically get down to only 2 way of deploying python stuff, from the 4~5 we have now
[10:43:24] <volans>	 with preference for debian packages when possible, the deps are already in debian with at most few not yet there but easily packageable
[10:43:32] <volans>	 or backportable
[10:44:03] <vgutierrez>	 for certcentral, I've been running all the tests with stretch or stretch-backports versions
[10:44:17] <vgutierrez>	 actually IIRC the only one from stretch-backports is python3-acme
[10:44:42] <volans>	 ok, so so far the only criteria you met is the 3rd one, being deployed as a service
[10:44:49] <Krenair>	 and we expect to pin python3-acme to the mirrors.wikimedia.org origin
[10:45:42] <volans>	 Krenair: backports is not ok?
[10:45:48] <volans>	 I see 0.25.1-1~bpo9+1 in backports
[10:45:56] <vgutierrez>	 yup, 0.25.1 is what we expect
[10:46:18] <volans>	 so no issue there
[10:46:28] <vgutierrez>	 well.. we need to give preference to the backports version
[10:46:40] <Krenair>	 volans, our stretch-backports mirror has priority 100
[10:46:41] <volans>	 you'll get it in debian/control
[10:46:46] <volans>	 when building
[10:46:47] <Krenair>	 whereas the stretch one is 500
[10:46:50] <vgutierrez>	 right
[10:47:06] <vgutierrez>	 right now I want to deliver the logging feature
[10:47:14] <Krenair>	 maybe we pin 'release a=stretch-backports' ?
[10:47:15] <vgutierrez>	 after that I'll focus in delivering a nice .deb package
[10:47:23] <Krenair>	 instead of version/origin?
[10:48:22] <volans>	 we've already everything in puppet to pin stuff
[10:48:24] <volans>	 it's oneline
[10:48:27] <volans>	 so don't worry about that
[10:48:46] <Krenair>	 what is the line?
[10:49:17] <Krenair>	 the reason I ask is that I'm testing this from my puppet commit, so this is relevant now.
[10:50:04] <volans>	 apt::pin { 'foo': package  => 'space separated list of packages', pin      => 'release a=stretch-backports', priority => '1001', before   => [Package['certcentral']}
[10:50:24] <volans>	 ok, I cheated, it's not oneline, it's one call to a define :D
[10:50:32] <Krenair>	 alright so pretty much what I've done with 'release a=....' instead of version
[10:50:35] <Krenair>	 cool
[10:51:28] <Krenair>	 vgutierrez, volans: so we're agreed that certcentral itself should be deployed from a deb?
[10:52:25] <vgutierrez>	 right
[10:52:32] <volans>	 I still had some thoughts :)
[10:52:57] <volans>	 so as I was saying it seems that you just met the 3rd criteria, and that would lean towards the debian package
[10:53:05] <volans>	 but I would like to know more about the deamons
[10:53:21] <vgutierrez>	 sure
[10:53:36] <volans>	 which one you plan to have? nginx, uwsgi, etc...
[10:55:05] <Krenair>	 well
[10:55:11] <Krenair>	 there'll be two processes
[10:55:20] <Krenair>	 one for the API and one doing some backend work
[10:55:35] <Krenair>	 API will sit behind uwsgi and nginx
[10:55:58] <Krenair>	 backend runs through a systemd service
[10:56:36] <volans>	 2 binary packages one source package?
[10:57:08] <Krenair>	 well they need to run on the same machine etc. so I'm not sure you need 2 binary packages?
[10:57:51] <volans>	 what about the integration with uwsgi? we've a lot of puppet stuff there that does some magic, but IIRC it's all related to scap deployments
[10:58:00] <volans>	 so something you might want to check
[10:58:36] <Krenair>	 you can see my current config at https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/441991/17/modules/certcentral/manifests/central.pp
[10:59:26] <Krenair>	 can probably get rid of the enable-threads and master settings now actually
[10:59:31] <vgutierrez>	 volans: we could deliver certcentral-api and certcentral-daemon (or another cooler name)
[10:59:41] <Krenair>	 and the acme_tiny pythonpath entry
[10:59:51] <volans>	 vgutierrez: not sure, maybe 1 is good enough
[10:59:58] <vgutierrez>	 yup, we're acme_tiny free now :D
[11:00:25] <Krenair>	 I wonder if there's a better solution than adding '/usr/local/lib/python3.5/dist-packages/certcentral/' to the path
[11:00:43] <vgutierrez>	 volans: I'm not familiar with .deb rituals.. I'm still feel that I'm going to need a knife and a goat honestly
[11:00:58] <volans>	 you feel correctly!
[11:00:58] <Krenair>	 lol
[11:01:08] <Krenair>	 haven't heard that one before
[11:01:30] <volans>	 the /etc/certcentral* structure seems something that will be taken care by the deb package
[11:01:40] <Krenair>	 yeah
[11:01:42] <vgutierrez>	 yup, the code itself doesn't handle it
[11:01:52] <vgutierrez>	 (at least right now)
[11:01:53] <volans>	 so probably not needed in puppet
[11:01:57] <volans>	 apart the config ones
[11:02:06] <Krenair>	 right now I'm doing some stuff in puppet that should actually come from the de
[11:02:07] <Krenair>	 deb
[11:02:14] <Krenair>	 like deploying the actual application source
[11:02:33] <Krenair>	 and that
[11:03:14] <vgutierrez>	 BTW, there is no actual reason to run certcentral as root
[11:03:25] <Krenair>	 vgutierrez, I know, I've got it running as www-data
[11:03:53] <vgutierrez>	 so I guess we should provide a system user (certcentral) in the package
[11:03:57] <Krenair>	 yeah
[11:04:02] <volans>	 if you plan to use a deb, make the deb first instead of puppetizing a frankestein ;)
[11:04:11] <vgutierrez>	 well
[11:04:14] <volans>	 that is something in between a deployment and a deb
[11:04:18] <Krenair>	 volans, well I could try to make a deb but wouldn't be able to upload it anywhere
[11:04:25] <vgutierrez>	 to be fair, Krenair patch has been there for a while
[11:04:34] <Krenair>	 guess I could install it directly :/
[11:04:55] <Krenair>	 other problem is I am also unfamiliar with the .deb rituals
[11:05:15] * volans offers a goat
[11:05:19] <Krenair>	 :D
[11:05:32] <vgutierrez>	 we have nice examples in house
[11:05:39] <vgutierrez>	 of python apps delivered as .deb packages
[11:05:46] <vgutierrez>	 so we shouldn't have a lot of issues
[11:06:04] <Krenair>	 and yeah, my puppet commit predates certcentral.git being a tihng
[11:06:09] <Krenair>	 thing
[11:07:57] <Krenair>	 alright well I'll take a swing at making a .deb for it later and just testing it out with dpkg -i
[11:08:07] <Krenair>	 any recommended examples/docs?
[11:12:43] <vgutierrez>	 https://github.com/wikimedia/debmonitor can be used as an example
[11:12:56] <vgutierrez>	 but we need to refactor a little bit the python package
[11:13:00] <vgutierrez>	 provide a setup.py and so on
[11:13:13] <volans>	 vgutierrez: debmonitor is using the -deploy stuff, not deb package
[11:13:18] <vgutierrez>	 arg
[11:13:23] <Krenair>	 lol
[11:13:29] <volans>	 sorry for the confusion
[11:13:30] <volans>	 my bad
[11:13:47] <vgutierrez>	 gotta run now(lunch+gym)
[15:40:14] <wikibugs>	 10netops, 10Operations, 10Patch-For-Review: rancid pubkey auth to Junos 17.4 failure - https://phabricator.wikimedia.org/T202952 (10ayounsi) 05Open>03Resolved a:03ayounsi  cr2-eqdfw is now being pulled properly by Rancid. Thanks!
[15:45:04] <wikibugs>	 10Traffic, 10Gerrit, 10Operations, 10Patch-For-Review: Enable avatars in gerrit - https://phabricator.wikimedia.org/T191183 (10Paladox) @thcipriani or @mmodell wondering if you be able to comment here that releng supports this avatar change and maintaining it please.  (Ops need releng to comment)
[17:12:44] <wikibugs>	 10Traffic, 10netops, 10Operations, 10ops-ulsfo: ulsfo migration tracking - https://phabricator.wikimedia.org/T202433 (10faidon) Phew, that's a lot! So I think: - On Equinix, no LoA, but there was a thread with DR where they mentioned that they tracked it down and can hotcut it. @RobH was Cc'ed in that thre...
[17:45:25] <wikibugs>	 10Traffic, 10Operations, 10Performance-Team, 10Wikimedia-General-or-Unknown, and 2 others: Search engines continue to link to JS-redirect destination after Wikipedia copyright protest - https://phabricator.wikimedia.org/T199252 (10Krinkle) @Imarlier Hm.. might be unrelated, but I see that those are all m-d...
[17:51:42] <wikibugs>	 10Traffic, 10Operations, 10Performance-Team, 10Wikimedia-General-or-Unknown, and 2 others: Search engines continue to link to JS-redirect destination after Wikipedia copyright protest - https://phabricator.wikimedia.org/T199252 (10Imarlier) >>! In T199252#4543042, @Krinkle wrote: > @Imarlier Hm.. might be...
[18:02:11] <wikibugs>	 10netops, 10Operations, 10decommission, 10ops-eqiad: unrack/decom pfw1-eqiad and pfw2-eqiad - https://phabricator.wikimedia.org/T183390 (10Cmjohnson)
[18:07:14] <wikibugs>	 10netops, 10Operations, 10decommission, 10ops-eqiad: unrack/decom pfw1-eqiad and pfw2-eqiad - https://phabricator.wikimedia.org/T183390 (10Cmjohnson)
[18:07:51] <wikibugs>	 10netops, 10Operations, 10decommission, 10ops-eqiad: unrack/decom pfw1-eqiad and pfw2-eqiad - https://phabricator.wikimedia.org/T183390 (10Cmjohnson) 05Open>03Resolved These are off the racks, zeroized, the scs ports were re-used with the new frack switches and the port descriptions were updated.
[18:32:05] <wikibugs>	 10Traffic, 10Operations, 10decommission, 10ops-eqiad: Decommission radon - https://phabricator.wikimedia.org/T202040 (10Cmjohnson) @Vgutierrez Not sure if this is you but before I complete the decom process for this I see these smokeping entries in puppet.    modules/smokeping/files/config.d/Targets:+++ ra...
[20:06:01] <Krenair>	 It's occurred to me that a deb package installed via dpkg -i won't work very well if I want puppet to install
[20:06:14] <Krenair>	 luckily in beta there's a local apt repo I can probably use instead for testing this stuff
[20:06:27] <Krenair>	 I think it gets used to test scap stuff currently
[20:52:26] <Krenair>	 also great when you come across python documentation which feels the need to say 'included with Python 1.6 and later'
[21:47:33] <Krenair>	 now it's trying to sign my package and is realising I have no PGP key to give it on this machine :/
[21:47:56] <Krenair>	 I do have a key elsewhere but it's expired: https://pgp.mit.edu/pks/lookup?op=vindex&search=0xD81A3C9526752810
[21:52:21] <Krenair>	 hm sounds like I can extend it
[22:02:38] <Krenair>	 or could if I could remember the passphrase
[22:21:06] <Krenair>	 ok
[22:47:30] <Krenair>	 well my .deb appears to have the usr/share/doc stuff as well as egg-info
[22:47:34] <Krenair>	 but no actual code
[22:47:36] <Krenair>	 :/
[22:50:29] <volans>	 you can install it manually, no need to test that puppet require_package() does what is suppose to do ;)
[23:32:39] <Krenair>	 haven't even got a working package yet :\