[14:59:56] godog: o/
[15:00:11] do you use authentication with kafka logging, or just TLS?
[15:00:57] i think just ssl
[15:04:20] ottomata: yup just tls
[15:04:23] ok
[15:04:26] easier to set up
[18:32:07] heya is our Puppet CA cert public key ok to be in a public repo?
[18:32:24] i need it in a k8s pod
[18:32:39] trying to figure out where to put it and how to get it there
[18:32:56] akosiaris: ^ ?
[18:35:43] ottomata: I think it's already in the puppet repo under files/puppet/ca.production.pem ?
[18:35:55] ah perfect good to know :)
[19:02:48] ottomata: if you add something, please update T237259 too
[19:02:49] T237259: Document all uses of the puppetCA certificate - https://phabricator.wikimedia.org/T237259
[19:03:00] volans: ah good to know
[19:03:01] thank you
[19:05:20] the rsyslog kafka producer uses it too, will add that
[19:49:20] anyone have reading recommendations for creating a debian package? I've seen https://wikitech.wikimedia.org/wiki/Debian_Packaging but so far it only talks about rebuilding
[19:49:37] better yet, anyone willing to give an onboarding talk? :D
[19:50:13] https://wikitech.wikimedia.org/wiki/Category:Package_management
[19:50:20] rlazarus: packaging what? it depends a lot
[19:50:42] volans: a Go binary: https://github.com/Wikia/poolcounter-prometheus-exporter
[19:51:01] oh no, that snowflake again (Go)
[19:51:27] mutante: thanks, digging
[19:51:29] AFAIK it's a bit of a mess and you can get inspiration from the other Go ones that we have
[19:51:38] but I'm not the one to ask for that, sorry
[19:51:47] also dinner's ready, ttyl
[19:51:52] 👋
[19:56:12] rlazarus: root@boron:~# for user in $(ls /home); do grep -e builder -e cow /home/${user}/.bash_history; done
[19:56:23] :p there is pbuilder and cowbuilder
[19:57:50] something around https://wiki.debian.org/cowbuilder https://wiki.debian.org/PbuilderTricks
[19:58:13] that's what i meant about spying on the build host. boron.eqiad.wmnet
[19:59:46] mutante: that's helpful for building, but I think rlazarus is talking about creating packaging (e.g. writing debian/rules and such)?
[20:01:42] actually let me take a step back and avoid the XY problem -- what I actually want is, "this code is on github, I would like to install it in prod" :P
[20:03:02] suppose it were on gerrit (reducing it to a problem that's already been solved? maybe?) ... nah, it's a binary, we only scap things that don't require a build I guess
[20:03:34] if small enough: request project in gerrit, move code to gerrit (setup replication back to github), tell puppet to git::clone it on next run. done.
[20:03:54] yeah but needs binary built
[20:03:58] hmm, I would need puppet to git::clone and then compile it though
[20:03:59] yeah
[20:04:09] because Go and not Python, so there's actually a compiler involved :P
[20:04:18] and that means a compiler and all the good stuff on whatever host which is a non-starter I'd say
[20:06:26] I thought I saw some notes on golang packaging somewhere
[20:06:57] oh, there is T220836
[20:07:00] T220836: Guidelines for Rust/Go tools deployment - https://phabricator.wikimedia.org/T220836
[20:07:18] which had... some discussion...
[20:10:33] ~ git clone an existing repo under operations/debs/foo. look at the files ./debian/control and ./debian/changelog. edit them, run 'debuild -us -uc'.. see what breaks
[20:34:47] what about
[20:34:57] nope. not even going to start it. checking myself out right now in advance
[21:09:53] anyone around who has some cergen experience?
[21:13:53] I need to update the grafana.discovery.wmnet certificate to include grafana1002.eqiad.wmnet and also s/grafana-beta/grafana-next/
[21:17:01] cdanis: i can help with that
[21:17:18] https://wikitech.wikimedia.org/wiki/Cergen#Update_a_certificate
[21:17:48] mutante: and if I follow that procedure, I won't cause a grafana outage in the process? :D
[21:18:19] just not sure if there's anything to worry about wrt: synchronization or sequencing of puppet runs
[21:19:24] cdanis: i dont think so. but if you want to be extra careful you can stop puppet on grafana
[21:19:58] you will have to first revoke the old cert before being able to add the new one though
[21:20:29] this happened a bunch of times though for different services.. where we had to reissue to add a missing name
[21:20:42] and i dont recall problems
[22:09:01] anyone good with regexes? :)
[22:09:10] pretty good
[22:09:15] I'm trying to make something that matches IPv6 at least loosely
[22:09:29] ah jeeze
[22:09:40] and is not stupidly long like https://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
[22:09:52] (\d{0,4}:){0,4} ?
[22:09:57] hmm
[22:10:07] oh with
[22:10:10] so I have for example `^(?:(?:[\da-f]{0,4}:?))+$`
[22:10:17] oh yah hex
[22:10:51] ([A-Za-z0-9]{0,4}:){0,4}([A-Za-z0-9]{0,4}
[22:10:52] but here if you make the last `:` optional, then it would validate a string like "bfd"
[22:10:54] perhaps
[22:10:56] go to the puppet module and copy that from stdlib
[22:10:58] type ipv6
[22:11:05] err
[22:11:19] ([A-Fa-f0-9]{0,4}:){0,4}([A-Fa-f0-9]{0,4}
[22:11:24] /puppet/modules/stdlib/types/ipv6.pp
[22:11:34] that's probably better :)
[22:12:37] yeah, that's very long :)
[22:13:00] it probably got longer and longer while the author tried to fix it :p
[22:13:08] it's to be used in https://gerrit.wikimedia.org/r/c/operations/software/homer/+/551273/3/homer/config.py#51
[22:13:28] if its in python you could try making an ipaddress object with it and see if it works
[22:14:20] chaomodus: I don't think it's possible, see like 53 of the CR above
[22:14:29] (i'm sure there's some sort of validation in that library tbh)
[22:14:39] try:
[22:14:40] addr = ipaddress.IPv6Address(address)
[22:14:41] ?
[22:14:44] yah
[22:15:32] I'm not familiar with this functionality in yaml
[22:15:48] but if there's a standard interface you could provide an ipaddrless construction to that interface
[22:16:19] dunno :)
[22:17:08] one sec
[22:19:00] I think this works `^(?:[\da-f]{0,4}:){1,7}[\da-f]{0,4}$`
[22:19:21] it captures:
[22:19:21] 2002:4c0e:7e8a:e472:a096::71dd:7504
[22:19:21] ::
[22:19:21] fe80::a9d8:7f5e:e0a2:7eb0
[22:19:21] fe80::
[22:19:55] but not `bfd` for example
[22:20:13] it does match `bfd:` though
[22:20:36] rlazarus: `^(?:[\da-f]{0,4}:){2,7}[\da-f]{0,4}$`
[22:20:43] was thinking about it :)
[22:20:58] ^ fixes it
[22:21:30] that matches `a::b::c`
[22:21:48] rlazarus: I think it's good enough
[22:21:49] I agree pretty strongly with "validate by trying to make an ipv6 address out of it and see if it works" :)
[22:22:07] rlazarus: if you know how to do it then sure :)
[22:22:48] the thing is that it's casted to the ipaddress lib, so it will show an error if it doesn't work
[22:23:06] https://www.regextester.com/25
[22:26:55] looking -- yeah, that makes sense, and showing an error in that case is the right behavior anyway, right?
[22:27:16] so better to have a super rough regex that matches all kinds of stuff, and just let the ipaddress constructor sort out what's a real ipv6 and what isn't
[22:27:25] +1
[22:28:59] cool, thanks!
[22:29:21] I'd misunderstood the problem statement, sorry :) I thought the regex was going to be the only step in telling valid ipv6 addresses apart from invalid ones, and I was nervous about that approach
[22:29:42] yeah I agree!
[23:19:53] hey folks, if you could check out some of your favorite dashboards on https://grafana-next.wikimedia.org/ and see if they look good, let me know. please post on https://phabricator.wikimedia.org/T220838 if you find anything wrong :)
[23:50:30] Error: Facter: error while resolving custom facts in /var/lib/puppet/lib/facter/lvm_support.rb: command timed out after 60 seconds.
[23:50:50] hmm.. reinstalled this server and not getting my additional IP on the interface