2021-02-18T03:16:24  *** DanDan__ is now known as DanDan_
2021-02-18T08:16:02  *** antlarr2 is now known as antlarr
2021-02-18T09:46:53  <lcp> Conan Kudo: I had a look at seahorse and it had my stuff saved apparently
2021-02-18T09:47:05  <lcp> I really should have checked things better >:D
2021-02-18T11:42:07  <bmwiedemann> there are timeouts on download.opensuse.org
2021-02-18T11:45:23  <bmwiedemann> came back after rcapache2 restart
2021-02-18T12:34:17  <Eighth_Doctor> Sasi Olin: I'm building custom kernels to try to recover data from a damaged filesystem, so you're better off than me :)
2021-02-18T12:53:32  <lcp> lol
2021-02-18T12:54:05  <lcp> I updated centos and then switched it to stream
2021-02-18T12:54:13  <lcp> we are rolling I guess >:D
2021-02-18T13:01:28  <bmwiedemann> Eighth_Doctor: how did you damage your FS?
2021-02-18T13:02:14  <Eighth_Doctor> bmwiedemann: https://lore.kernel.org/linux-btrfs/CAEg-Je-DJW3saYKA2OBLwgyLU6j0JOF7NzXzECi0HJ5hft_5=A@mail.gmail.com/T/#u
2021-02-18T13:03:10  <bmwiedemann> ah, I still run all my machines on ext4 :-)
2021-02-18T13:03:57  <Eighth_Doctor> I guess not knowing that it's damaged might be better?
2021-02-18T13:04:43  <Eighth_Doctor> but yeah, kernel build timed out, so I extended the timeout and tried again: https://copr.fedorainfracloud.org/coprs/ngompa/btrfs-progs-neal-magic/build/1987802/
2021-02-18T14:04:00  <Martchus> Looks like the login on o3 is broken. On gets `You are being asked to login by http://localhost/`.
2021-02-18T14:12:04  <okurz[m][m]> bmwiedemann: ^^
2021-02-18T15:08:20  <lcp> ok, ipa replica is set up
2021-02-18T15:08:25  <lcp> we have freeipa2 now
2021-02-18T15:08:38  <lcp> without CA! that's worth remembering
2021-02-18T15:09:14  <lcp> https://freeipa2.infra.opensuse.org shows the UI, the services seem to work fine
2021-02-18T15:11:00  <lcp> setting up CA without killing the current master seems impossible though, since it really wants to migrate rather than create a new install
2021-02-18T15:28:11  <Eighth_Doctor> well, we can migrate everything except the CA to the new FreeIPA system, then kill the old master, then set up the CA again
2021-02-18T15:29:07  <lcp> yeah
2021-02-18T15:29:22  <lcp> the question is if the discovery will work from the clients
2021-02-18T15:29:43  <lcp> remember they aren't set up with freeipa client, but with salt and initial setup
2021-02-18T15:29:48  <Eighth_Doctor> chances are probably good that the answer is "no", but that's a question for ab
2021-02-18T15:30:57  <lcp> that should be easy to check tho, kill freeipa for 10 minutes and hope the infra doesn't blow up >:D
2021-02-18T15:31:06  <lcp> kill it for any longer and the vpn stops working
2021-02-18T15:32:56  <lcp> (this is not a serious suggestions, there are easier ways to check it)
2021-02-18T15:53:22  <bmwiedemann> kl_eisbaer: yay for full IPv6 dualstack.
2021-02-18T16:03:43  <bmwiedemann> Martchus: I havent changed anything on the openid server
2021-02-18T16:06:33  <bmwiedemann> but I can reproduce it.
2021-02-18T16:08:59  <bmwiedemann> okurz[m][m] / Martchus: it is now back after a haproxy restart on anna
2021-02-18T16:28:54  <Martchus> bmwiedemann: Seems to work, thanks
2021-02-18T16:52:36  <okurz[m][m]> Thx
2021-02-18T18:43:00  <Lars[m]> Regarding Freeipa: the main stuff from the old machine: accounts + DNS. Everything else had been moved away already.
2021-02-18T18:43:00  <Lars[m]> So if you want to migrate, think about giving the new machine the old IP. And make sure that the accounts still work.  DNS is not so critical: only new entries/ changes might not be deployed for some time.
2021-02-18T18:43:47  <Lars[m]> ... and about the DNSSec topic: I think we implement this outside Freeipa anyway.
2021-02-18T18:45:11  <cboltz> I'm quite sure about that - chip.i.o.o removes freeipa from the NS entry and would break DNSSec with that ;-)
2021-02-18T19:09:45  <bmwiedemann> kl_eisbaer: do you have an idea why haproxy on anna misbehaved until I restarted it?
2021-02-18T19:10:59  <bmwiedemann> last showed a short login from your IP at 14:50 UTC
2021-02-18T20:47:45  <kl_eisbaer> bmwiedemann: hm... good question. IMHO I just logged in to check which server is behind i18n
2021-02-18T20:48:29  <kl_eisbaer> cboltz: that's the reason why I would not use freeipa for the signing part. This can only happen at/behind chip
2021-02-18T20:50:01  <kl_eisbaer> bmwiedemann: but while we are on "misterious behavior": the storage behind provo-mirror.opensuse.org is a bit fishy at the moment. First the machine lost access (somehow?), and now - after a reboot - IO is very high (which might be a result of the mirror resyncing stuff, but I doubt this is the only reason).
2021-02-18T21:03:48  <bmwiedemann> maybe the huge tumbleweed update was not there yet?
2021-02-18T21:04:08  <bmwiedemann> iotop is such a nice tool
2021-02-18T21:04:30  <kl_eisbaer> iotop does not help if the storage is GONE
2021-02-18T21:05:14  <kl_eisbaer> but anyway: time to go home  ... s/home/bed/g ;-)
2021-02-18T21:05:24  <bmwiedemann> dito. gn