[00:00:26] root@deployment-acme-chief04:/var/lib/puppet# ssh-keygen -lf /etc/ssh/userkeys/acme-chief [00:00:26] 256 SHA256:pf9LDsLA+r2noYae+qmRv6uQL3kB6GGo/gU3BIqs8TA root@deployment-puppetmaster03 (ED25519) [00:00:34] so the key matches [00:00:46] "sign_and_send_pubkey: signing failed: agent refused operation" [00:02:07] doesn't seem to matter whether I try to SSH out of root or acme-chief, `SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh acme-chief@deployment-acme-chief04` shows this [00:05:29] Krenair: sudo keyholder status [00:05:39] and restart the proxy one (if it's still there) [00:05:40] root@deployment-acme-chief03:~# keyholder status [00:05:41] keyholder-agent: active [00:05:41] - 256 SHA256:pf9LDsLA+r2noYae+qmRv6uQL3kB6GGo/gU3BIqs8TA root@deployment-puppetmaster03 (ED25519) [00:05:41] keyholder-proxy: active [00:05:41] - 256 SHA256:pf9LDsLA+r2noYae+qmRv6uQL3kB6GGo/gU3BIqs8TA root@deployment-puppetmaster03 (ED25519) [00:05:45] tried disarm/arm [00:06:08] you think I should restart the keyholder-proxy service volans ? [00:06:14] yep [00:06:33] on first installation by puppet it's needed [00:06:49] and I bet also in other occasions [00:07:00] fun [00:07:02] that did the trick [00:07:06] thanks for that volans [00:07:17] yw :) [00:08:16] now I have a new problem in the form of labs instance access restrictions, but at least I've dealt with that before [01:32:40] 10Acme-chief, 10Beta-Cluster-Infrastructure: Write designate integration script for certcentral DNS challenges - https://phabricator.wikimedia.org/T206922 (10Krenair) I finally got around to writing the basic script today (copy at deployment-acme-chief03:/usr/local/bin/acme-chief-designate-sync.py) and it pret... [02:02:00] * Krenair now has to remember how to package this [02:47:26] * Krenair grumbles [02:47:36] it's building *something* but not the version I want to test [02:52:06] there we go, my debian branch was missing some stuff [07:59:54] 10Traffic, 10Operations, 10Wikidata, 10Wikidata-Campsite, and 2 others: nuke_limit often reached on esams varnish frontends - https://phabricator.wikimedia.org/T216006 (10Addshore) 05Open→03Resolved a:03ema [13:46:30] Krenair: we had a little bit of a mess this morning, glad to see that the API CR worked for you as well :D [13:46:52] I saw [13:47:01] they vandalised a lot of my changes [13:47:05] but it looks like ops cleaned it up so thanks [13:47:26] yeah.. we've been working for that during EU morning [13:52:30] vgutierrez, I made some cherry-picks and a release commit ready [13:52:35] in case you want to do a release with what we have [13:53:04] I've seen that, I'll proceed soon [13:53:06] thx [13:54:57] I didn't go through the whole process of approving stuff in case you wanted to add more [14:00:08] 10netops, 10Operations: eqiad - eqord Telia link down - IC-314533 - https://phabricator.wikimedia.org/T218307 (10ayounsi) Opened a ticket with Equinix to check the X-connect. [14:03:24] Krenair: I'll hold that till 15 UTC, librenms renewal should be triggered by then on acmechief1001 [14:03:35] k [14:03:52] let's see how it goes, and if it works as expected I'll release 0.13 with those two commits [14:11:34] vgutierrez, oh I also did https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/497431/ [14:11:44] the stretch support one? [14:11:47] yep [14:12:07] yep.. I've seen that as soon as my gerrit dashboard got cleared :D [14:12:12] and I tested with https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/497430/ [14:12:13] cool [15:05:39] Krenair: needs a small fix but overall it went as expected: https://phabricator.wikimedia.org/P8225 [15:07:47] 10Acme-chief: acme-chief creates absolute symlinks for "live" and relative for "new" on certificate renewal - https://phabricator.wikimedia.org/T218685 (10Vgutierrez) p:05Triage→03Normal [15:10:54] let me see if I can submit a test for that as well [15:17:53] did you test that change vgutierrez ? [15:18:07] didn't you want abspath rather than basename? [15:23:15] Krenair: nope, the goal is a relative symlink, not an absolute one [15:23:37] oh right [15:23:47] I added a test in PS2 [15:23:58] to be sure that the live symlink is relative [15:24:04] I guess that I should test the new symlink as well :) [15:28:17] Krenair: please revert that :( [15:28:50] vgutierrez, ? [15:29:05] let me submit PS3 with a more complete test [15:29:10] ok [15:30:39] done, let me know if you want me to amend your release commit or you'll do it [15:31:49] I'll do it [15:32:46] thx [15:33:42] 10netops, 10Cognate, 10Growth-Team, 10Language-Team, and 6 others: Rack/cable/configure asw2-a-eqiad switch stack - https://phabricator.wikimedia.org/T187960 (10Marostegui) For the record, read only times on s2: Read only ON: 15:21:10 Read only OFF: 15:27:56 [15:35:50] Krenair: do you perform the cherry-pick action from the web UI or from git CLI? [15:36:01] if the latter.. please add -x to get the commit id on the commit msg [15:36:45] web ui [15:36:48] ack [15:38:06] vgutierrez, are the rights on the new repo broken? [15:38:13] I can't appear to create tags in the web UI [15:40:24] Krenair: you should be able to create an annotated tag [15:41:22] it gets the permissions from the group operations/software/certcentral, and you are listed as the unique member there [15:42:17] Maybe I'm misremembering how to do this in the UI [15:42:22] I thought there was a form at https://gerrit.wikimedia.org/r/#/admin/projects/operations/software/acme-chief,tags ? [15:42:45] dunno TBH, I go with "git tag -a..." [15:42:50] ok [15:44:04] let the release commit to be merged before tagging BTW [15:44:12] it was missing a rebase [15:45:20] yeah [15:46:55] vgutierrez, https://gerrit.wikimedia.org/g/operations/software/acme-chief/+/refs/tags/0.13 [15:47:06] managed to do it via the CLI, mucking about with permissions didn't seem to reveal the web UI form [15:47:51] hmmm [15:47:57] did you push the branch and the tag I'm afraid [15:48:23] ugh [15:48:36] git push origin --tag 0.13 is the proper way [15:48:44] vgutierrez, fixed [15:48:46] thx :D [15:48:47] no more branch [15:54:47] vgutierrez, so all gerrit stuff done I think [15:54:51] almost :) [15:54:56] we're missing the changelog commit [15:55:00] in the debian branc [15:55:02] *branch [15:55:30] something like https://gerrit.wikimedia.org/r/c/operations/software/acme-chief/+/497259 [15:55:47] wanna go for it or should I? [15:57:55] vgutierrez, doing [15:58:04] XioNoX: what's the context on all the lvs100x disable/enable? [15:58:04] gotta run, changelog commit is up for review [15:58:20] bblack: row A server move [15:58:28] https://phabricator.wikimedia.org/T187960 [15:58:58] why disable pybal though? [15:59:33] Krenair: ack [16:00:37] bblack: depool in case they are pooled (even though those are backup) [16:01:01] ok [16:11:07] UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 1742: ordinal not in range(128)... FFS [16:11:24] a damn unicode space character in the README breaks package building in boron [16:11:31] * vgutierrez breaths up to 10.... [16:45:57] 10Acme-chief: acme-chief creates absolute symlinks for "live" and relative for "new" on certificate renewal - https://phabricator.wikimedia.org/T218685 (10Vgutierrez) 05Open→03Resolved [18:00:40] hello people, as FYI conf1004 (etcd/zookeeper) is going to have a brief network outage for the maintenance that Arzhel is doing. It should all be fine but let's be vigilant in case Pybal doesn't like it [18:03:51] 10Traffic, 10Wikimedia-Apache-configuration, 10Operations, 10Patch-For-Review: Remove wildcard vhost for *.wikimedia.org - https://phabricator.wikimedia.org/T192206 (10EddieGP) 05Open→03Declined [18:46:04] 10netops, 10Cognate, 10Growth-Team, 10Language-Team, and 6 others: Rack/cable/configure asw2-a-eqiad switch stack - https://phabricator.wikimedia.org/T187960 (10ayounsi) [20:17:18] 10netops, 10Cognate, 10Growth-Team, 10Language-Team, and 6 others: Rack/cable/configure asw2-a-eqiad switch stack - https://phabricator.wikimedia.org/T187960 (10ayounsi) [20:17:25] 10netops, 10Operations: Increase network capacity (2018-19 Q3 Goal) - https://phabricator.wikimedia.org/T213122 (10ayounsi) [20:17:36] 10netops, 10Cognate, 10Growth-Team, 10Language-Team, and 6 others: Rack/cable/configure asw2-a-eqiad switch stack - https://phabricator.wikimedia.org/T187960 (10ayounsi) 05Open→03Resolved Everything here is done, thank you all for your help! [20:18:19] 10netops, 10Operations, 10decommission, 10ops-eqiad, 10Patch-For-Review: Decommission asw-c-eqiad - https://phabricator.wikimedia.org/T208734 (10ayounsi) [20:18:35] 10netops, 10Cognate, 10Growth-Team, 10Language-Team, and 6 others: Rack/cable/configure asw2-a-eqiad switch stack - https://phabricator.wikimedia.org/T187960 (10ayounsi) [20:19:08] 10netops, 10Operations, 10decommission, 10ops-eqiad, 10Patch-For-Review: Decommission asw-c-eqiad - https://phabricator.wikimedia.org/T208734 (10ayounsi) [20:19:25] 10netops, 10Cognate, 10Growth-Team, 10Language-Team, and 6 others: Rack/cable/configure asw2-a-eqiad switch stack - https://phabricator.wikimedia.org/T187960 (10ayounsi) [20:19:31] 10netops, 10Operations: Increase network capacity (2018-19 Q3 Goal) - https://phabricator.wikimedia.org/T213122 (10ayounsi) 05Open→03Resolved [22:27:10] 10Acme-chief, 10Patch-For-Review: CN + SNI list on config file doesn't match issued certificate on some scenarios - https://phabricator.wikimedia.org/T218418 (10Krenair) 05Open→03Resolved