[16:37:05] <jynus>	 godog: we are not the first people to encounter it https://community.librenms.org/t/lnms-migrate-results-in-sql-query-error-syntax-error-or-access-violation-1118-row-size-too-large/10648/2
[16:38:36] <godog>	 oh interesting
[16:38:43] <godog>	 gotta run now, ttyl!
[19:18:01] <XioNoX>	 cdanis, volans, thx! https://www.irccloud.com/pastebin/PDookJTw/
[19:22:17] <cdanis>	 XioNoX: nice!
[19:30:23] <volans>	 XioNoX: ehehe nice :) we need to decide how to puppetize it, if we want to go the separate config route or just the ssh_config route
[19:30:46] <XioNoX>	 what's the ssh_config route?
[19:31:09] <volans>	 pro of the separate config is that we could set a different default backend once we have that has network devices (netbox), con is that you need to specify the different config both at CLI and from spicerack (that will need some tweak)
[19:31:31] <volans>	 the ssh_config route is to just create an ssh_config sith the options based on the hostname, like the one we have locally on our laptops
[19:32:13] <XioNoX>	 I see
[19:32:30] <volans>	 pro is that will be transparent, no need of special knowledge or input, con is that the default backend will be puppetdb so you have to specify either D{} or when we'll have it N{} for netbox
[19:32:39] <XioNoX>	 but the backend is decided by the selector letter, no?
[19:32:40] <volans>	 also it seems to me that you cheated
[19:33:06] <cdanis>	 volans: please, don't get salt-y
[19:33:10] <XioNoX>	 hahhaa
[19:33:13] <XioNoX>	 volans: why?
[19:33:24] <volans>	 passing the identify file of the key
[19:33:51] <volans>	 we should check with ssh -vvv what's happening there when in keyholder there are multiple keys
[19:34:05] <XioNoX>	 dunno, I followed the doc
[19:34:44] <volans>	 keyholder has doc? since when :D
[19:34:59] <cdanis>	 https://wikitech.wikimedia.org/wiki/Keyholder
[19:35:20] <XioNoX>	 yeah
[19:35:28] <XioNoX>	 but indeed it works without the "ssh_options"
[19:39:20] <volans>	 basically the second route, is have a single ssh option that is an ssh_config file
[19:39:36] <volans>	 and there separate the network devices
[19:39:52] <XioNoX>	 just for the different homer user?
[19:40:20] <volans>	 yes and any other fine tuning we might need
[19:40:38] <XioNoX>	 you're saying that like network devices need special care
[19:41:26] <volans>	 ahahah
[19:41:42] <volans>	 atm are the prod servers that need special care
[19:41:54] <XioNoX>	 volans: where is the doc to implementa netbox backend?
[19:42:02] <XioNoX>	 :)
[19:42:16] <volans>	 https://gerrit.wikimedia.org/r/c/operations/software/cumin/+/514840
[19:42:32] <volans>	 but it's pending the import of the dns names
[19:42:55] <XioNoX>	 niiiiice!
[19:43:04] <volans>	 otherwise it will not know where to connect, strictly speaking might use the IP
[19:43:13] <cdanis>	 nice
[19:43:14] <volans>	 XioNoX: also the known hosts bits needs to be fine-tuned
[19:43:33] <XioNoX>	 volans: network devices already have DNS names :)
[19:43:55] <volans>	 as the known host file is populated by puppet and we don't want to override it or to populate a custom one in root's home that will be outdated
[19:44:08] <volans>	 and if we want to use strict host checking we need to know the fingerprint before hand somehow
[19:47:01] <XioNoX>	 volans: is something strictly blocking https://gerrit.wikimedia.org/r/c/operations/software/cumin/+/514840  ?
[19:47:30] <XioNoX>	 like if we don't have DNS for servers, then we just can't use the N{} selector
[19:47:38] <XioNoX>	 or it's more complicated?
[19:47:58] <volans>	 that for sure, and probably get in back into shape, I totally forgot the current status
[19:48:23] <volans>	 netbox API have also changed in the meanwhile (slightly but need some tweaking)
[19:48:43] <volans>	 and are much slower, so we need to do something to optimize it, might need a netbox plugin to be written
[19:48:58] <volans>	 to avoid to do 1 or 2 API call per host
[19:49:37] <volans>	 and also the grammar was a simpler one to start with
[19:51:11] <XioNoX>	 ok
[19:52:03] <XioNoX>	 volans: so right now nothing prevents me to write an easy runbook if I can pass the cumin config as parameter and I only need to target 1 host at a time?
[19:53:45] <cdanis>	 I think D{} will take multiple hosts as well
[19:53:48] <XioNoX>	 using https://doc.wikimedia.org/spicerack/master/api/spicerack.remote.html
[19:53:57] <volans>	 XioNoX: you need to puppetize the config
[19:54:13] <volans>	 once that's done yes, you can write a cookbook (not a runbook ;) )
[19:54:17] <volans>	 that uses it
[19:54:39] <volans>	 if we go the config route might need some tweak on the spicerack side, if the ssh_config route surely not
[19:54:43] <cdanis>	 ✔️ cdanis@cumin1001.eqiad.wmnet ~ 🕓🍵 sudo cumin 'D{cr[1-2]-eqiad.wikimedia.org}'
[19:54:45] <cdanis>	 2 hosts will be targeted:
[19:54:47] <cdanis>	 cr[1-2]-eqiad.wikimedia.org
[19:54:49] <cdanis>	 DRY-RUN mode enabled, aborting
[19:55:08] <volans>	 D{} uses clustershell NodeSet
[19:55:23] <volans>	 so all it's features are supported
[19:55:27] <volans>	 *its
[19:55:57] <XioNoX>	 cool
[19:56:01] <XioNoX>	 yeah
[20:00:21] <XioNoX>	 volans: the ssh_config needs to be puppetized too?
[20:00:30] <volans>	 yes ofc
[20:00:34] <XioNoX>	 I mean puppetized or dynamically generated
[20:00:36] <XioNoX>	 ?
[20:00:43] <volans>	 puppetized
[20:01:21] <XioNoX>	 volans: is there any existing one already or it would be a new thing?
[20:01:38] <volans>	 there was one for wmcs, it should still be there
[20:01:40] <cdanis>	 can't be that hard to translate netbox api query into a .ssh/config ;)
[20:01:55] <volans>	 cdanis: ?
[20:02:17] <cdanis>	 oh I guess you can just glob match router hostnames, nevermind
[20:02:28] <volans>	 yes like we have locally
[20:02:31] <volans>	 it's all on wikitech
[20:02:34] <cdanis>	 indeed
[20:03:35] <XioNoX>	 I'm looking for an existing one but can't find it
[20:04:00] <volans>	 profile/openstack/eqiad1/cumin/ssh_config.erb
[20:04:05] <volans>	 modules/profile/manifests/openstack/eqiad1/cumin/master.pp
[20:04:29] <XioNoX>	 ah, I was looking for it on cumin1001
[20:05:22] <volans>	 don't forget the known hosts stuff too ;)
[20:06:18] <XioNoX>	 no idea how to deal with that
[20:06:27] <XioNoX>	 static file manually updated? :)
[20:07:49] <volans>	 1) make sure that cumin will not write over the puppet generated one or generate a new one in the root's home
[20:08:01] <volans>	 that allow to use it without strict host checking
[20:08:23] <volans>	 2) to enable strict checking, we need to generate a file with the fingerprints, how to do that TBD
[20:15:43] <XioNoX>	 volans: so for 1) I should pass a ssh config to either use dedicated file, or disable strict checking for now until 2) is figured out?
[20:16:19] <volans>	 1) almost
[20:17:00] <volans>	 UserKnownHostsFile /dev/null and LogLevel QUIET
[20:17:19] <volans>	 are the usual trick to make it silent and not spam files when using StrictHostKeyChecking no
[20:17:28] <volans>	 but we'd like to use it as yes, so better figure out 2) ;)
[20:19:02] <XioNoX>	 I'll think about 2), it's so few hosts that something kind of manual would be ok
[20:19:25] <cdanis>	 XioNoX: could just make it a raw file in puppet
[20:19:27] <volans>	 it's an info present on librenms?
[20:19:29] <XioNoX>	 eg. running a script and commiting the diff in puppet
[20:19:34] <XioNoX>	 volans: no
[20:19:35] <volans>	 or rancid
[20:20:01] <XioNoX>	 volans: neither
[20:21:25] <volans>	 ok, then I guess static file it is for now
[20:22:56] <XioNoX>	 cool
[20:23:22] <XioNoX>	 so much progress, thx! I'll try to do some of it tomorrow
[20:23:43] <volans>	 ofc we can use cumin with option 1)
[20:23:45] <volans>	 to gather them ;)
[20:24:49] <XioNoX>	 volans: and once it's there we can use them with homer too :)
[20:25:31] <XioNoX>	 not sure I have the magic 1 liner to get them all with 1)
[20:25:56] <volans>	 set a file, use strict host checking no
[20:25:59] <volans>	 ssh into all of them
[20:26:00] <volans>	 voila!
[20:26:27] <volans>	 but that way you're "trusting" them implicitely
[20:26:34] <XioNoX>	 ah, I see
[20:26:36] <volans>	 the other way is to ssh and get the fingerprint from within junos
[20:26:52] <volans>	 with some comamnd I dunno
[20:26:54] <XioNoX>	 I tried to look quickly but there is no easy way
[20:26:55] <volans>	 but maybe not worthed
[20:27:13] <XioNoX>	 there must be a way to go fetch the public key on the host but not worth it
[20:27:39] <cdanis>	 you don't even need cumin
[20:27:46] <cdanis>	 ✔️ cdanis@bast1002.wikimedia.org ~ 🕟🍵 ssh-keyscan cr{1,2,3,4}-{eqiad,eqsin,esams,knams,eqord,codfw,ulsfo}.wikimedia.org
[20:27:48] <cdanis>	 done
[20:28:02] <volans>	 cdanis: we need *all* the network devices
[20:28:06] <volans>	 but sure
[20:28:09] <volans>	 that too :D
[20:31:05] <XioNoX>	 I tried to run ssh-keyscan from my laptop, but it doesn't seem to listen to the ssh proxycommand
[20:31:57] <XioNoX>	 I was thinking of a bash script living in puppet/utils
[20:32:14] <cdanis>	 yeah, i did it from the bastion host
[20:32:37] <XioNoX>	 that generates the file each time you run it, so you can see the diff, optionally inspect it before sending a CR
[20:32:40] <volans>	 can be a script that lives on the puppetmasters and updates a file in the private repo
[20:32:51] <XioNoX>	 does it need to be private?
[20:32:55] <cdanis>	 no
[20:33:02] <volans>	 was easier to automate than gerrit ;)
[20:33:04] <cdanis>	 script could also be a `ssh bast1002.wikimedia.org 'ssh-keyscan ...'`
[20:33:29] <volans>	 the diff logic is in the update-known-hosts file if you want :-P
[20:34:06] <XioNoX>	 we can install ansible and run ssh-keyscan through it https://serverfault.com/questions/823687/ssh-keyscan-through-a-bastion
[20:34:15] <volans>	 go away :D
[20:34:19] <XioNoX>	 :)
[20:35:12] <volans>	 so you need to get the list of devices from netbox APIs
[20:35:22] <volans>	 and then do an ssh keyscan with that list
[20:36:02] <cdanis>	 i was sure i had some netbox api scrapes in my shell history but apparently i don't
[20:36:25] <volans>	 cdanis: why bother? just go to https://netbox.wikimedia.org/api/docs/ :D
[20:36:46] <cdanis>	 well yeah i got it from there
[20:36:47] <volans>	 dcim/devices with a filter on device_group
[20:37:11] <volans>	 sorry device_rolws
[20:37:24] <XioNoX>	 I'm sure cdanis is wondering if it can all fit in a 1 liner
[20:37:33] <volans>	 I will -2 that :D
[20:39:16] <paravoid>	 we can always install puppet for junos
[20:39:30] <XioNoX>	 paravoid: no :)
[20:39:34] <paravoid>	 :D
[20:39:43] <cdanis>	 omg that's a thing
[20:39:46] <volans>	 the troll is going out of control :-P
[20:39:54] <volans>	 cdanis: unfortunately yes
[20:40:07] <paravoid>	 they used to have just jpuppet, these days you can even do a Docker container
[21:40:39] <volans>	 and yet another netbox release :D
[22:13:22] <chaomodus>	 @#$
[22:13:25] <chaomodus>	 of course :)
[22:14:12] <chaomodus>	 some fixes that may be required but no interesting enhancements
[22:15:54] <chaomodus>	 can we pay them to release less often? :)