[00:09:40] <ToAruShiroiNeko>	 Betacommand tyvm
[00:10:09] * Betacommand  gumbles about ToAruShiroiNeko not writing that down last time

[00:11:15] <ToAruShiroiNeko>	 Sorry, I was gullable enough to think it would be fixed instantly :(
[00:21:35] <bd808>	 Coren: I should probably know this already, but how can I scp files between pmtpa and eqiad? I tried pushing from pmtpa to eqiad but got an "unknown host" error for the eqiad address. Same thing from bastion in pmtpa. bastion-eqiad.wmflabs.org gives "unknown host" for the pmtpa side.
[00:24:37] <bd808>	 Coren: Never mind. I figured it out. I can pull to the bastion and push from there just not an end to end copy.
[00:34:24] <Coren>	 bd808: You can also do end-to-end, but DNS won't work for the 'fake' .wmflabs addresses so you have to use IP
[00:48:27] <scfc_de>	 Someone already having experience with self-hosted puppetmasters in eqiad?  I get a lot of "Error 400 on SERVER: Not authorized to call find on /file_metadata/files/ssl/wmf-ca.pem" and ... labs-puppet-key with that, but too tired to debug this today.
[04:59:09] <dschwen>	 does anyone else have problems with the webproxy for instances on eqiad?
[05:00:20] <dschwen>	 I got bad gateway errors, deleted the proxy entry and recreated it, then it worked for a while and now it is back to throwing 502s again
[05:29:57] <andrewbogott>	 Cyberpower678: Here they are!
[05:30:12] <Cyberpower678>	 andrewbogott, yes.  More than 20. :p
[05:30:13] <andrewbogott>	 Creepy, right?
[05:30:22] <Cyberpower678>	 That's really wierd.
[05:30:46] <andrewbogott>	 morebots, are you here too?
[05:30:52] <Cyberpower678>	 Coren, so I get mysqli_connect(): (HY000/2003): Can't connect to MySQL server on 'tools-db' (99)
[05:30:55] <andrewbogott>	 nope :(
[06:32:07] <eranroz>	 hi, i just migrated my tool to eqiad. I can't find there the source for pywikpedia in the shared directory (my bot depend on pywikipedia). Should I clone it locally?
[06:45:48] <eranroz>	 according to ...MIGRATE STATUS pywikipedia already moved, but probably it isn't accessible (ls doesn't show files but only directories)
[06:56:41] <eranroz>	 (solved: cloned it locally. using shared isn't currently possible)
[07:19:54] <superm401>	 My mwui instance (a simple single node wiki proxied to http://mwui.wmflabs.org/wiki/Main_Page) stopped working again.
[07:20:02] <superm401>	 It's on eqiad, and I'm getting 502 Bad Gateway.
[07:20:09] <superm401>	 I used to be able to ssh to it, but now I can't.
[07:23:56] <superm401>	 Is bastion-eqiad.wmflabs.org the right bastion for me to use?
[07:40:29] <andrewbogott>	 superm401: that's the right bastion, sure.
[07:40:39] <andrewbogott>	 superm401: but, the 502 is… well, let me look.
[07:40:59] <andrewbogott>	 superm401: what is the project name?
[07:41:16] <superm401>	 editor-engagement
[07:41:56] <andrewbogott>	 OK, so -- we're talking about two different problems, right?  ssh and also http?
[07:42:31] <andrewbogott>	 The ssh issue is most likely this one:  https://wikitech.wikimedia.org/wiki/Labs_Eqiad_Migration_Howto#Security_Groups
[07:42:36] <andrewbogott>	 I can fix that for you if you would like.
[07:43:10] <andrewbogott>	 superm401: ?
[07:43:39] <superm401>	 andrewbogott, yeah, both, and both were working before. :)
[07:43:59] <andrewbogott>	 When you say 'working before'...
[07:44:07] <andrewbogott>	 you mean with the new eqiad instance?
[07:44:12] <superm401>	 andrewbogott, yes.
[07:44:24] <superm401>	 But not with bastion-eqiad.
[07:44:40] <superm401>	 I think it was bastion2.wmflabs.org
[07:44:51] <andrewbogott>	 Ah, sure, that's the difference.  For that bit at least.
[07:45:01] <andrewbogott>	 Do you want to read and understand the above link, or just have me fix it?
[07:45:07] <andrewbogott>	 (This is ssh. The http thing I don't know about yet.)
[07:46:06] <superm401>	 andrewbogott, which group name do I add it to?
[07:46:29] <andrewbogott>	 you'll want to ssh to everything, so change the rule in 'default' to allow from 10.0.0.0/8
[07:49:54] <superm401>	 andrewbogott, done, how long is it supposed to take?
[07:50:04] <andrewbogott>	 for ssh?  Should work right away.
[07:52:10] <superm401>	 andrewbogott, got it.  My local ssh config also wasn't quite right.
[07:52:36] <andrewbogott>	 cool.  OK, I'm working on the proxy right now anyway so I'll look at your http issue as well...
[07:52:50] <superm401>	 It says 'System restart required', FWIW.
[07:53:16] <superm401>	 andrewbogott, I can reboot through the wikitech UI if that doesn't interfere with you.
[07:53:35] <andrewbogott>	 hang on just a second...
[07:54:32] <andrewbogott>	 superm401: there's a dns issue… I think you've done everything properly with the proxy.
[07:54:34] <andrewbogott>	 I'm not sure what's up
[07:54:41] <andrewbogott>	 If you need to reboot for other reasons then that's fine.
[07:55:27] <andrewbogott>	 superm401: fixed.  Although I fear that DNS is dieing off every day or so :(
[07:55:31] <andrewbogott>	 Anyway, working for you now too?
[07:56:01] <superm401>	 andrewbogott, yep, thanks for your help.
[07:56:11] <andrewbogott>	 superm401: do you mind helping me test something?  It should be easy...
[07:56:18] <superm401>	 andrewbogott, sure.
[07:56:22] <andrewbogott>	 I've just changed wikitech to allow you to use a proxy in eqiad for eqiad instances...
[07:56:31] <andrewbogott>	 So, want to delete the current proxy for that box and create a new one in eqiad?
[07:56:35] <andrewbogott>	 Should be pretty obvious how to do it.
[07:56:40] <superm401>	 Okay, I better not tell anyone it's fixed yet. ;)
[07:57:03] <andrewbogott>	 Yeah, moving to a different proxy will require dns to propagate again...
[07:57:21] <superm401>	 I didn't even realize it was proxying between data centers before.
[07:57:21] <andrewbogott>	 (It can have the same name of course.)
[07:57:36] <superm401>	 I'll do a fun test first...
[07:57:37] <andrewbogott>	 Until an hour or so ago there was only one proxy, in tampa.
[07:57:40] <andrewbogott>	 Now there are two.
[07:58:24] <superm401>	 And now there are two proxies, both with mwui.wmflabs.org.
[07:58:30] <superm401>	 Probably shouldn't allow that, right?
[08:00:14] <superm401>	 ^ andrewbogott
[08:00:41] <andrewbogott>	 superm401: Huh, it should already prevent that.  I'll have a look.
[08:05:38] <andrewbogott>	 superm401: working ok other than that?
[08:06:05] <superm401>	 andrewbogott, yep.
[08:06:39] <andrewbogott>	 cool, thanks for testing!
[08:06:47] <andrewbogott>	 I'm going to disable creation of pmtpa proxies in just a minute...
[08:07:00] <superm401>	 No problem, looks like eqiad won, BTW.
[08:07:12] <andrewbogott>	 I bet it's random :(
[08:16:17] <SamB>	 isn't round-robin DNS *fun*?
[10:29:11] <GerardM->	 hoi, the backups that exist in /public/datasets/public/wikidatawiki are not present on eqiad
[10:29:30] <GerardM->	 they are run by a user called "backup"
[10:29:53] <GerardM->	 can someone fix this so that the new environment works fine ?
[11:54:54] <liangent>	 I didn't follow updates to Labs / Tool-Lab recently, but what's *OLD* in bash prompt?
[11:54:56] <liangent>	 local-liangent-py@*OLD*tools-login:~/scripts/updatedyk$ 
[12:03:22] <liangent>	 and regarding migration: is it fine (and actually better) not to touch them if I want my instances archived
[12:04:02] <liangent>	 so they don't need to keep running but I'll be able to get old data back at some point in the future
[13:43:52] <Coren>	 andrewbogott_afk: The nova-network dhcp/dns thing seems to be full of fail.
[13:44:12] <Coren>	 dhproxy.
[14:07:37] <Darkdadaah>	 Hi, I tried to migrate some tools (migrate-tool), but the webservice doesn't seem to restart. Do I need to do something else than "finish-migration"?
[14:08:12] <Coren>	 Darkdadaah: Well, possibly 'webservice start'
[14:08:15] <Coren>	 :-)
[14:08:33] <Darkdadaah>	 Ah, I did try that too.
[14:08:45] <Coren>	 Oh?  That /should/ have worked.  Let's see.
[14:09:12] <Coren>	 Oy!
[14:09:21] <Coren>	 We're already out of slots on webgrid.  :-)
[14:09:33] <Coren>	 (Not long or hard to fix)
[14:09:44] <Darkdadaah>	 Ouf
[14:17:34] <Coren>	 Darkdadaah: Should be started now.
[14:19:51] <Darkdadaah>	 Ok, it seems to work :)
[14:23:19] <andrewbogott>	 Coren, what's dhcp/dns doing?
[14:23:28] <Coren>	 andrewbogott: Sucking.
[14:23:35] <andrewbogott>	 Could you be more specific?
[14:24:03] <Coren>	 andrewbogott: We had the same problem in pmtpa, remember?  Where the dhrelay thing just drops a fraction of requests to /dev/null when it just vaguely looks like it's being lightly loaded.
[14:24:41] <andrewbogott>	 I only barely remember this...
[14:27:08] <andrewbogott>	 …which makes me think I must not have been the one who fixed it.
[14:27:16] <andrewbogott>	 Coren, Do you remember what the solution was, then?
[14:27:21] <ottomata>	 ok andrewbogott, trying proxy again
[14:27:27] <ottomata>	 getting 404 from nginx right now
[14:27:40] <ottomata>	 inside network direct to instance works
[14:27:49] <ottomata>	 curl http://archiva0.eqiad.wmflabs:8080
[14:28:01] <ottomata>	 but archiva.wmflabs.org does now
[14:28:02] <ottomata>	 not
[14:28:03] <ottomata>	 *
[14:28:21] <andrewbogott>	 ottomata, what project?
[14:28:21] <Coren>	 andrewbogott: There wasn't; or at least I never found one.  All I did was alleviate the problem by reducing the number of queries by setting up a local DNS in some projects, and adding entries in /etc/hosts in tools.  I was /hoping/ that the new version woulld fix this.
[14:28:34] <ottomata>	 analytics
[14:30:06] <andrewbogott>	 ottomata, archiva.wmflabs.org looks to be working for me.  Or, at least, I get 'Apache Archiva' and an icon up top.
[14:30:40] <andrewbogott>	 Coren:  ok… so which components are involved in this?  It's not just pdns?
[14:31:00] <andrewbogott>	 (Sorry to be clueless...)
[14:31:46] <ottomata>	 hm
[14:31:49] <ottomata>	 not working for me
[14:31:53] <ottomata>	 i get 404
[14:31:54] <ottomata>	 from nginx
[14:31:58] <Darkdadaah>	 Coren: how do I know what is the new name of my database after migration?
[14:31:59] <Coren>	 andrewbogott: I don't think it's pdns at all; I think it's dnsmasq
[14:32:02] <ottomata>	 is it hitting the wrong IP, maybe my dns is cached?
[14:32:23] <andrewbogott>	 ottomata: probably you're hitting the old proxy.  Or I am.
[14:32:43] <ottomata>	 hmm ok i think it might be my dns, i just curled from another server and it worked, k
[14:33:02] <Coren>	 Darkdadaah: The prefix will be the same as the username in replica.my.cnf
[14:33:18] <Coren>	 Darkdadaah: sXXXXX
[14:33:40] <andrewbogott>	 ottomata: if you get a 208.80.153 IP, that's still in tampa.
[14:33:44] <andrewbogott>	 .155 is eqiad
[14:33:45] <Darkdadaah>	 Coren: Yes but, what about the suffix? I used to have "localanagrimes" as a name.
[14:34:24] <ottomata>	 yeah i got that locally
[14:34:25] <ottomata>	 k
[14:34:29] <ottomata>	 trying to flush os x cache...
[14:34:41] <ottomata>	 thanks andrewbogott, looks like it is working after all, on it..
[14:34:53] <andrewbogott>	 Coren, so… is the dns problem causing immediate failures, or is it a longer-term/capacity issue?
[14:35:06] <andrewbogott>	 (Because I have an immediate problem which I want to change the subject to :)  )
[14:35:24] <Coren>	 andrewbogott: I think it's causing infrequent issues at this time; but it'll just increase
[14:35:39] <andrewbogott>	 Ok, I've certainly seen infrequent dns failure as well :(
[14:35:51] <mutante|away>	 same here
[14:36:06] <andrewbogott>	 But I will have to study up in order to understand what component to blame.
[14:36:12] <Coren>	 Darkdadaah: I see 's51045__anagrimes2'
[14:37:00] <Darkdadaah>	 Coren: this is an experimental and empty one that I just created.
[14:37:56] <Darkdadaah>	 (and I can access this one in eqiad)
[14:38:19] <Coren>	 Darkdadaah: That's the only one the automated system found.  You'll have to dump and restore any others you might have had that had different naming.
[14:38:51] <Darkdadaah>	 Ok. I suppose it's because it was created before we used the username for the db name.
[14:39:12] <Coren>	 Darkdadaah: Probably.  You'll also have to edit the dump to fix the name of the database, but that's easy.  :-)
[14:39:49] <Coren>	 andrewbogott: So, what subject did you want to change to?
[14:40:20] <andrewbogott>	 Coren:  I emailed.  Migrated images don't have /dev/sdb after I copy them over
[14:40:31] <Coren>	 andrewbogott: Ah that.
[14:40:34] <andrewbogott>	 I'm thinking since you've done some recent thinking in that area…
[14:40:35] <Darkdadaah>	 Ok, in the meantime I move back the old public_html to use the working db.
[14:41:36] <Coren>	 andrewbogott: I didn't think so much as observe that eqiad sets up "large vda" rather than "small vda and vdb for the rest".  It's easy to adapt, then.
[14:42:01] <Coren>	 andrewbogott: But if copying the image over loses the vdb, that's a more complicated matter.
[14:42:44] <Coren>	 andrewbogott: Do you have a running migrated instance that losts its vdb I can look at?
[14:42:47] <andrewbogott>	 sure.
[14:43:03] <andrewbogott>	 wikisource-dev.eqiad.wmflabs
[14:45:19] <ottomata>	 hiya YuviPanda?
[14:47:43] <Coren>	 andrewbogott: And things were going so wel...  as far as I can tell, the method you use to copy images doesn't actually carry the /dev/vdb with it at all.
[14:48:45] <Coren>	 andrewbogott: All the image seems to have is the small (16G) vda
[14:59:52] <andrewbogott>	 Coren, sorry, network downage
[15:00:22] <andrewbogott>	 So… the files that I copied over are… disk.local, 470M and disk, 8.6G
[15:00:30] <andrewbogott>	 I would expect that that latter is /dev/vdb
[15:00:39] <andrewbogott>	 Does that seem likely or unlikely?
[15:01:13] <Coren>	 ... that seems smallish.
[15:01:29] <Coren>	 470M in particular is too small to be vda
[15:01:34] <andrewbogott>	 hm, ok.
[15:04:02] <YuviPanda>	 hi ottomata.
[15:04:04] <YuviPanda>	 ottomata: sorry, only spoardoically available at the moment :(
[15:04:39] <ottomata>	 that's ok, i was just wondering about the ssl proxy you set up that we are usign for wikimetrics, i thought for a second it wasn't working in eqiad labs, but I think it is
[15:04:45] <ottomata>	 so , never mind! :)
[15:04:55] <YuviPanda>	 ottomata: ah :)
[15:05:03] <YuviPanda>	 ottomata: ok! :)
[15:05:03] <YuviPanda>	 ottomata: good to know!
[15:06:44] <andrewbogott>	 well, wait -- coren, it's copy-on-write.  So the 470M should just be the diff.
[15:07:31] <Coren>	 andrewbogott: Hm...  good point.
[15:07:47] <Coren>	 andrewbogott: Yeah, taking cow into account, the sizes would make sense.
[15:08:23] <andrewbogott>	 I see another instance where 'disk' is 9g and 'disk.local' is 20G
[15:08:59] <andrewbogott>	 So...
[15:09:20] <andrewbogott>	 Probably the same reason why new instances didn't have /deb/vdb.  Whatever that is.
[15:32:35] <gifti>	 are the dumps ('datasets') already in eqiad?
[15:37:00] <mutante>	 gifti: no, not yet
[15:37:12] <gifti>	 is there an estimate?
[15:37:17] <mutante>	 i heard it's 95% done
[15:37:26] <mutante>	 within March i'd say
[15:37:30] <gifti>	 uh, ok
[15:37:34] <gifti>	 who's responsible?
[15:37:37] <mutante>	 apergos
[15:37:49] <gifti>	 thx
[15:37:53] <mutante>	 yw
[15:38:16] <gifti>	 :)
[15:44:47] <Coren>	 andrewbogott: I don't think it's the /same/ reason; instances in eqiad get created with a variable-sized vda so it /is/ taking the instance size into request, just not the same way as in folsom
[15:57:52] <Coren>	 andrewbogott_afk: More importantly, we need to figure out a way around/through this.   Clearly, creating the instance in eqiad first then overwriting the image has openstack "fix" the image to fit the disks.
[15:58:05] <Coren>	 (As they were created)
[15:58:20] * Coren  ponders.

[15:58:54] <Coren>	 Obviously, people who create new instances won't have issues; they can simply use the labs_lvm thing and get their storage.
[15:59:40] <Coren>	 (Which means that making it the default might actually make sense then)
[16:06:43] <scfc_de>	 gifti: https://bugzilla.wikimedia.org/62296
[16:06:46] <scfc_de>	 ottomata: Have you tried running a self-hosted puppetmaster in eqiad?  It fails for me with "Error 400 on SERVER: Not authorized to call find on /file_metadata/files/ssl/wmf-ca.pem" & Co.  Any ideas?  I set the IP subnet for eqiad in master.pp, but that didn't help.
[16:07:00] <scfc_de>	 How many instances are we talking about, and what constitutes an instance besides a tar ball of the file system?
[16:08:50] <ottomata>	 hm, i have tried it and ahve not seen that
[16:09:01] <Cyberpower678>	 Coren, I'm stuck.
[16:09:47] <Cyberpower678>	 Coren, I seem to be getting mysqli_connect(): (HY000/2003): Can't connect to MySQL server on 'tools-db' (99) at random since the move to eqiad.
[16:10:13] <scfc_de>	 ottomata: One moment, I'll pastebin the log.
[16:11:02] <ottomata>	 scfc_de: are you doing self hosted puppet with no special puppetmaster setting?
[16:11:08] <ottomata>	 i.e. locally hosted self hosted puppet?
[16:11:21] <ottomata>	 (i haven't tried it in eqiad with a remote self hosted puppetmaster yet)
[16:11:45] <Cyberpower678>	 Coren, any ideas?
[16:12:31] <scfc_de>	 Oh, sorry, should have been clearer: role::puppet::self with $puppetmaster = FQDN (local for the moment, but planned as a puppetmaster for other instances later).
[16:12:41] <scfc_de>	 Let me see if $puppetmaster = empty works.
[16:13:09] <ottomata>	 ah ok, yeah i haven't tried setting that yet
[16:13:21] * Coren  reads scrollback.

[16:14:03] <Coren>	 Cyberpower678: "random"?
[16:14:06] <scfc_de>	 ottomata: Okay, clearing $puppetmaster on an instance with problems doesn't seem to be a good idea, let me set up puppetmaster3 :-).
[16:14:21] <Coren>	 Cyberpower678: Like, it works, then fails, then works again?
[16:14:22] <Cyberpower678>	 Coren, it sometimes works and sometimes doesn't
[16:15:00] <Cyberpower678>	 Coren, It doesn't work at all in a different but similar script.
[16:15:17] <Cyberpower678>	 $dblocal = mysqli_connect( 'tools-db', $toolserver_username, $toolserver_password, 's51059__cyberbot' );
[16:15:17] <Cyberpower678>	 $dbwiki = mysqli_connect( 'enwiki.labsdb', $toolserver_username, $toolserver_password, 'enwiki_p' );
[16:15:27] <Cyberpower678>	 $dblocal fails
[16:15:27] <mutante>	 scfc_de: worked for me yesterday or so, i put "localhost" in the form
[16:15:32] <Cyberpower678>	 $dbwiki works
[16:15:33] <mutante>	 and puppet::self worked
[16:15:50] <ottomata>	 ha, yeah scfc_de, i wouldn't recommend that :)
[16:16:02] <ottomata>	 you could get it to work eventually (clearing the setting), bu tit would be a pain
[16:16:22] <ottomata>	 yeah so, mutante 'localhost' and empty are equivalent
[16:16:27] <ottomata>	 it will infer localhost if you leave it empty
[16:16:35] <mutante>	 gotcha, ok
[16:16:40] <Cyberpower678>	 Coren, ^^^^^^^
[16:16:46] <ottomata>	 putting FQDN of a node there allows you to configure other labs instances as puppet clients of a self hosted puppet master
[16:16:47] <Coren>	 Cyberpower678: Yes, yes, I've read.
[16:16:52] <Cyberpower678>	 Ok.
[16:17:00] <Coren>	 Cyberpower678: Does dblocal fail always, or intermitently?
[16:17:04] <ottomata>	 if the value there matches $::fqdn when puppet runs
[16:17:09] <ottomata>	 then puppet will set up the node as the puppetmaster
[16:17:10] <Cyberpower678>	 Coren, it seems to be intermittent.
[16:17:36] <mutante>	 DNS related?
[16:17:44] * Coren  wishes the error message was less stupid than just 'can't connect'

[16:18:05] <mutante>	 couldn't the intermittent DNS issue also just cause this, can't resolve = can't connect?
[16:18:18] <Coren>	 mutante: It could; I wish I could know.
[16:18:22] <scfc_de>	 Try it with tools-doesnotexist?
[16:19:00] <mutante>	 Cyberpower678: if you type "host enwiki.labsdb" on that shell and repeat it a couple times, does it always return an IP?
[16:19:23] <scfc_de>	 mutante: enwiki.labsdb is resolved in /etc/hosts.
[16:19:45] <mutante>	 eh, then "tools-db"
[16:19:49] <Coren>	 So is tools-db actually.
[16:19:49] <mutante>	 the one that fails
[16:19:53] <Coren>	 So no dns.
[16:20:03] <mutante>	 ok
[16:20:11] <Coren>	 (tools-db is an alias for tools.labsdb)
[16:20:14] <mutante>	 unless nsswitch it set to ask DNS before files
[16:20:49] <Cyberpower678>	 Coren, http://tools.wmflabs.org/cyberbot/botlogs.php?bot=CyberbotII&task=spambot&type=err shows the last 10 MB of the stderr logs generated when in operation.  Scroll almost to the bottom.  You'll see it see all of the attempts it made and other time the bot completed a successful run.
[16:20:57] <Coren>	 mutante: Good idea.  But "hosts: files dns"
[16:21:07] <mutante>	 hmm,ok
[16:21:45] <Coren>	 "Can't connect to MySQL server".  What a useful, Microsoft-like error message.
[16:22:05] <Coren>	 "An error has occured."
[16:22:15] <Cyberpower678>	 :p
[16:22:32] <Coren>	 Can you reproduce the problem by hand at all?
[16:22:41] <mutante>	 does the GRANT for that contain a from IP range, and that is just Tampa?
[16:22:43] <Cyberpower678>	 mutante, Coren typing "host tools-db" returns nothing
[16:23:07] <Coren>	 Cyberpower678: host only checks DNS.
[16:23:41] <Cyberpower678>	 Coren, I just did what mutante asked me to do.
[16:23:58] <Coren>	 That's because he didn't know that those came from hosts.
[16:24:01] <mutante>	 Cyberpower678: it was a way to test DNS before i knew you had it in /etc/hosts
[16:24:14] <mutante>	 that's when i thought those problems could be related
[16:24:25] <hedonil>	 show global status for tools-db says
[16:24:27] <hedonil>	 | Aborted_clients                          | 505           |
[16:24:28] <hedonil>	 | Aborted_connects                         | 184  
[16:24:28] <Coren>	 mutante: My automatically created grants all have @'%'.  So not that either.
[16:24:36] <scfc_de>	 A while ago we had some connection issues with the replicas, and the error was in the DB servers being overloaded or something like that.  Don't remember the details, but if tools-db is now the same setup, Sean might be of help.
[16:25:12] <Coren>	 scfc_de: Hitting the connection limit is usually simple to debug because you normally get a specific message for this; but I'll check.
[16:25:50] <scfc_de>	 It was something different (network?).  IIRC January or so.
[16:26:03] <Cyberpower678>	 Coren, one of my scripts fails to connect to it entirely.  I tried copying and pasting the mysqli_connect command from the working script to the broken script, but it's still not working.
[16:26:33] <gifti>	 so, there is a documentation for intuition on tools/help. how can i use translatewiki without intuition/php?
[16:27:16] <gifti>	 i can't detect the underlying mechanism
[16:27:18] <ottomata>	 Coren: is there documentation somewhere about how to set up an app to use our ldap?
[16:27:47] <hedonil>	 Cyberpower678: for it works fine with hte test script https://tools.wmflabs.org/tools-info/?dblist=tools-db
[16:28:00] <Coren>	 ottomata: I don't know; I don't think so (at least I've never seen it).
[16:28:29] <mutante>	 he could likely copy from Icinga login
[16:28:44] <mutante>	 ottomata: 
[16:28:49] <hedonil>	 Cyberpower678: repeatedly called w/o connection errors
[16:28:55] <mutante>	 at least some other config to copy from i suppose
[16:29:09] <mutante>	 uses same LDAP for auth
[16:29:21] <Coren>	 Cyberpower678: I've been trying to get the error repeatedly as well, and I'm got getting issues.
[16:29:22] <Cyberpower678>	 hedonil, then perhaps somebody could look at my replica.my.cnf file?
[16:29:31] <mutante>	 if it uses Apache that is
[16:29:42] <ottomata>	 mutante: ?
[16:29:48] <ottomata>	 oh
[16:29:49] <ottomata>	 LDAP
[16:29:50] <ottomata>	 yeah
[16:29:55] <mutante>	 ottomata: you want to setup an app to use LDAP for auth, right
[16:30:00] <Cyberpower678>	 It makes no sense for one script to work and another to fail.
[16:30:04] <ottomata>	 yes, trying to see if I can make my archiva setup in labs use it
[16:30:06] <mutante>	 and it made me think of Icinga setup in puppet
[16:30:07] <scfc_de>	 Who knows how many databases are copied at various moments by the migrate-tool script; so there may be peaks.
[16:30:14] <mutante>	 so that should be the Apache module
[16:30:16] <mutante>	 for LDAP auth
[16:30:23] <Coren>	 Cyberpower678: Well, unless you have some bug in the way you read your credentials from the replica.my.cnf?
[16:30:27] <ottomata>	 i'm a little worried about the proxypass
[16:30:29] <mutante>	 mod_auth_ldap i thik
[16:30:31] <ottomata>	 since that comes from private
[16:30:36] <ottomata>	 not sure if I need that
[16:30:43] <Coren>	 scfc_de: It's one-at-a-time on purpose to avoid exactly that.
[16:30:54] <Cyberpower678>	 Coren, I haven't changed it.  It's always been the same so far.
[16:30:55] <hedonil>	 Cyberpower678: I use the brand new  replica.my.cnf  one
[16:31:02] <Cyberpower678>	 hedonil, same
[16:31:25] <Cyberpower678>	 database.inc reads the replica.my.cnf file.
[16:32:14] <mutante>	 does it work manually without reading any credentials from files?
[16:32:14] <Coren>	 Cyberpower678: cwd issues?  Does it read the file with an absolute path?
[16:32:54] <ottomata>	 mutante: i dunno, i'm not entirely sure what port to connect to
[16:32:57] <ottomata>	 or server
[16:33:02] <ottomata>	 virt1000.wikmedia.org
[16:33:06] <ottomata>	 port 1382?
[16:33:09] <ottomata>	 1389*
[16:33:09] <ottomata>	 ?
[16:33:13] <Cyberpower678>	 Coren, no
[16:33:30] <Cyberpower678>	 <?php
[16:33:30] <Cyberpower678>	 $toolserver_mycnf = parse_ini_file($_SERVER['HOME']."/replica.my.cnf");
[16:33:30] <Cyberpower678>	 $toolserver_username = $toolserver_mycnf['user'];
[16:33:30] <Cyberpower678>	 $toolserver_password = $toolserver_mycnf['password'];
[16:33:30] <Cyberpower678>	 unset($toolserver_mycnf);
[16:35:55] <hedonil>	 If it was the same issue as some weeks before (db connection aborted due to network issues) we'd have seen another error message (...lost connection during etc)
[16:37:29] * Coren  tries to reproduce the error.

[16:37:35] <mutante>	 ottomata: actually i meant Cyberpower678 for that one:) but the LDAP port should be 1389
[16:37:40] <mutante>	  opendj is configured to listen on ports 4444, 8989, 1636, 1389. 
[16:38:54] <mutante>	 Cyberpower678: how about   mysql -u user -p -h toolsdb enwiki   or so
[16:39:04] <mutante>	 and then interactively entering pass
[16:39:17] <Coren>	 Cyberpower678: That's not the bug but you should use process_section in your parse_ini_file as there could be more than just the [client] section.
[16:39:37] <Cyberpower678>	 mutante, what good will that do?
[16:39:48] * Coren  tries to go see if the logs on the DB are any more informative.

[16:40:21] <mutante>	 Cyberpower678: ruling out possible issues with include the credentials from files etc
[16:40:28] <mutante>	 just to get closer to the root cause
[16:41:43] <Cyberpower678>	 SQL wokrbench seems to work with those credentials.
[16:41:52] <ottomata>	 hm, mutante, am I allowed to talk to ldap from labs?
[16:42:11] <Coren>	 Cyberpower678: What's your tool's username?
[16:42:22] <Cyberpower678>	 cyberbot
[16:42:29] <Cyberpower678>	 on eqiad
[16:42:34] <Coren>	 ... DB username.  :-)
[16:43:38] <Coren>	 Oh, seriously?  That is SO useful mysql!
[16:43:38] <Cyberpower678>	 Coren, oh.  Be more specific. :p S51059
[16:43:39] <mutante>	 ottomata: i think you should be, but maybe not from eqiad instances yet? security group rules or so?
[16:43:42] <Coren>	 Mar  7 12:57:20 labsdb1005 mysqld: 140307 12:57:20 [Warning] Aborted connection 275787 to db: 's51059__cyberbot' user: 's51059' host: '10.68.16.39' (Unknown error)
[16:44:04] <Coren>	 "(Unknown error)"
[16:44:14] <mutante>	 yea, -u <username> <dbname>
[16:44:15] <mutante>	 :p
[16:44:16] * Coren  headdesks.

[16:44:51] <mutante>	 likes the "unknown" part
[16:45:23] * Cyberpower678  wonders how an error could be unknown, but still be recognized as an error.

[16:45:41] <ottomata>	 hm, mutante, i think security groups control incoming connections
[16:45:43] <ottomata>	 not outgoing,
[16:45:45] <ottomata>	 right?
[16:45:46] <mutante>	 well it knows it's an error it just doesn't know which kind:)
[16:45:51] <ottomata>	 and you are rightr, I can connect to 1389 from  a pmtpa instance
[16:46:08] <mutante>	 ottomata: but something must come back from LDAP to you incoming as well
[16:46:24] <ottomata>	 estabilshed shoudl be allowed, right?
[16:46:32] <ottomata>	 its not like the ldap server is going to open new sockets to my instance
[16:46:33] <ottomata>	 ?
[16:46:46] <ottomata>	 also, there are no 1389 security policies in pmtpa (in my project)
[16:46:49] <ottomata>	 or in eqiad
[16:46:51] <mutante>	 unless it's set to allow all the related traffic, like ESTABLISHED,RELATED -j ACCEPT
[16:46:53] <ottomata>	 but it works from pmtpa
[16:47:33] <mutante>	 well, then, i dunno, something networking related with eqiad
[16:48:11] <mutante>	 tcpdump?
[16:49:19] <mutante>	 ottomata: could the LDAP server itself be firewalled to only allow from pmtpa?
[16:49:30] <mutante>	 which you would not see in security groups in webui
[16:49:49] <ottomata>	 UHHH, now it is letting me telnet
[16:49:52] <ottomata>	 it was nto before
[16:50:59] <Coren>	 Cyberpower678: Google shows that there are some buggy php extensions that can interfere with database streams in some cases.  Are you using geophp in those scripts that fail?
[16:51:23] <Cyberpower678>	 Coren, not likely.  I'm using mysqli
[16:51:58] <mutante>	 ottomata: odd, we keep having intermittent issues it seems
[16:52:07] <Coren>	 What's mysqli?
[16:52:15] <ottomata>	 yeah, i've noticed my proxies someimtes work and sometimes not
[16:52:18] <Cyberpower678>	 Coren, my script should've just flooded some connections into the log.
[16:52:23] <Cyberpower678>	 Reconnecting to local DB...
[16:52:23] <Cyberpower678>	 Reconnecting to local DB...
[16:52:23] <Cyberpower678>	 Reconnecting to local DB...
[16:52:23] <Cyberpower678>	 Reconnecting to local DB...
[16:53:02] <mutante>	 mysqli replaced mysql_connect etc
[16:53:14] <mutante>	 might be worth seeing what happens with the old method..shrug
[16:53:35] <mutante>	 but when you use that PHP will tell you it's deprecated and you should switch ,,juts warnings though, still WFM
[16:54:09] <Cyberpower678>	 !newtoollabs
[16:54:11] <Coren>	 Logs actually show three users getting those errors.
[16:54:19] <Cyberpower678>	 !newlabs
[16:54:19] <wm-bot>	 The tools project in labs another version of toolserver.  Because people wanted it just like toolserver, an effort was made to create an almost identical environment.  Now users can enjoy replication, similar commands, and bear the burden of instabilities, just like Toolserver.
[16:54:21] <Coren>	 But only those users.
[16:54:57] <hedonil>	 Coren: So, what do they have in common?
[16:54:58] <Cyberpower678>	 Switching to my phone
[16:55:36] <Coren>	 hedonil: Absolutely nothing afaict.
[16:55:44] <CP678|iPhone>	 I'm an iPhone. :p
[16:56:56] <hedonil>	 CP678|iPhone: admit it, you compiled your own mysqli driver and it doesn't work
[16:57:01] <CP678|iPhone>	 Please ping me for my attention.
[16:59:23] <CP678|iPhone>	 hedonil: if I knew how to do that, I would've made work over SSH connections so I could debug DB dependent scripts on my computer more easily.
[16:59:57] <hedonil>	 CP678|iPhone: hehe
[17:00:39] <Coren>	 I have no idea what this could possibly be.  The client whines that it doesn't work without details, and the DB simply says that something went wrong without detail.
[17:00:44] <scfc_de>	 ottomata: role::puppet::self with empty $puppetmaster works, you're right.  I'll file a bug for the multi-instance bug.
[17:01:05] <scfc_de>	 ottomata: Re LDAP, if it is the same server as queried by "ldaplist -l passwd", this seems to work from eqiad flawlessly.
[17:02:22] <Coren>	 CP678|iPhone: Please try from the command line with the mysql client.
[17:02:28] <CP678|iPhone>	 Coren: makes it a little hard to fix doesn't it.
[17:02:44] <CP678|iPhone>	 Coren: no access right now.
[17:02:54] <valhallasw`cloud>	 CP678|iPhone: so do that when you're back home?
[17:03:11] <CP678|iPhone>	 valhallasw`cloud: no time. :/
[17:03:32] <valhallasw`cloud>	 or, you know, tomorrow, or next week, or whenever you have time.
[17:05:42] <hedonil>	 Coren: CP678|iPhone: here is an interesting thread  http://lists.mysql.com/mysql/204830
[17:06:35] <ottomata>	 yeah scfc_de, it is working right now, now trying to figure out how to configure my app
[17:06:36] <ottomata>	 ldap
[17:06:37] <hedonil>	 tells about 'running out of available outgoing ports'
[17:08:11] <hedonil>	 Coren: CP678|iPhone: maybe not properly closed connections or use of persistent-connections (although I can't see the latter in the cb-script) 
[17:08:37] <Coren>	 hedonil: Also, there are very few connections atm and no dangling ones; so that's not it.
[17:08:41] <petan>	 Coren: tool paste doesn't work for unknown reasons
[17:08:53] <petan>	 Coren: since I migrated it the webserver doesn't work
[17:09:06] <petan>	 http://tools.wmflabs.org/paste/
[17:09:14] <petan>	 it produces no error log whatsoever
[17:10:48] <Coren>	 petan: It'd probably help if you turned on request logging.
[17:11:16] <CP678|iPhone>	 Eqiad seems to be having unsolvable issues. :p
[17:11:40] <petan>	 Coren: what is "request logging"
[17:11:52] <petan>	 and how do I turn it on
[17:12:04] <Coren>	 https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/Help/NewWeb#Enabling_request_logging
[17:12:15] <valhallasw`cloud>	 petan: https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/Help/NewWeb
[17:12:23] * valhallasw`cloud  <-- slowpoke

[17:12:23] <Coren>	 CP678|iPhone: It's not unsolvable if you'd take a minute to help isolate your problem.
[17:12:38] <hedonil>	 CP678|iPhone: my suggestion. in /data/project/cyberbot/bots/cyberbot-ii/externallinks.php  replace 'tools-db'  with 'p:tools-db'  see what happens
[17:13:11] <CP678|iPhone>	 hedonil: I can try it as soon as I can access labs again.
[17:13:23] <hedonil>	 CP678|iPhone: so it makes a persistant connection only once
[17:13:35] <CP678|iPhone>	 Coren: no computer with Internet = not possible.
[17:14:26] <CP678|iPhone>	 Coren: what am I supposed to isolate.
[17:14:37] <petan>	 Coren: I enabled it, what now?
[17:14:43] <petan>	 Coren: I don't see any error logs
[17:14:55] <Coren>	 petan: Did you restart the webservice?
[17:15:00] <petan>	 yes
[17:17:40] <Coren>	 petan: error_reporting(0); in your php script probably isn't helping either.
[17:18:00] <petan>	 Coren: can you convert this .htaccess to lighttpd format? http://etherpad.wikimedia.org/p/paste
[17:19:52] <petan>	 Coren: I changed that
[17:20:51] <petan>	 btw if anyone wants to become maintainer of that paste tool you are welcome
[17:22:52] <petan>	 Coren: btw I enabled error reporting and all that but, still see no php errors in any logfile :(
[17:33:26] <scfc_de>	 petan: If I look at ~tools.paste/error.log, I see "PHP Parse error:  syntax error, unexpected $end in /data/project/paste/public_html/fail.php on line 4".
[17:34:05] <mutante>	 etherpad as paste tool to paste config of paste tool
[17:34:11] <mutante>	 :)
[17:37:21] <Coren>	 scfc_de: That was a test of mine.  :-)
[17:38:08] <Coren>	 scfc_de: I wanted to make sure that the reason he didn't get error logs wasn't because of the lighttpd setup.
[17:42:03] <Coren>	 petan: So yeah; php errors /do/ end up in the log, and php gets executed correctly in your public_html
[17:45:24] <petan>	 scfc_de: where do you see that?
[17:45:29] <petan>	 scfc_de: I don't :(
[17:47:24] <petan>	 hm
[17:49:26] <scfc_de`>	 petan: What contains ~tools.paste/error.log for you?
[17:49:45] <petan>	 scfc_de: lot of lines like 2014-03-07 17:47:09: (response.c.720) Path         : /data/project/paste/public_html//
[17:49:55] <petan>	 however I did find this error using grep...
[17:50:21] <petan>	 for some reason it takes long time for errors being displayed in error.log
[17:50:28] <petan>	 maybe some nfs sync lag
[17:50:36] <petan>	 I did tail -f on it on -login
[17:50:47] <petan>	 it takes lot of time for error to display when I refresh in my browser
[18:00:48] <ottomata>	 Aaaahgh, and now my proxy isn't workign anymore
[18:01:30] <hedonil>	 Coren: back to CP's problem: mysqli_connect(): (HY000/2003): Can't connect to MySQL server on 'tools-db' (99)
[18:01:57] <hedonil>	 OS error code (99) indicates that the server is running out of resources
[18:02:51] <hedonil>	 if you issue $perror 99 on mysql host it should say something similar
[18:03:05] <Coren>	 hedonil: ... that's definitely broken.  There are 7(!) connections atm; and the box is completely idle.
[18:03:33] <Coren>	 Load is 0.18, and 24G free ram.
[18:04:15] <hedonil>	 Coren: hmmm 7 connections is not that much ;)
[18:04:28] <Coren>	 8 when I'm connecting to make a test.  :-)
[18:04:53] <petan>	 Coren, scfc_de: 2014-03-07 17:32:14: (mod_fastcgi.c.2701) FastCGI-stderr: PHP Parse error:  syntax error, unexpected $end in /data/project/paste/public_html/fail.php on line 4
[18:05:01] <petan>	 this make no sense there is no such a file
[18:05:25] <hedonil>	 Coren: but JFI  what does $perror 99  say on host tolls-db (Icant issue that command...) 
[18:05:25] <Coren>	 petan: <Coren> scfc_de: That was a test of mine.  :-)
[18:05:42] <Coren>	 OS error code  99:  Cannot assign requested address
[18:05:48] <petan>	 meh
[18:06:15] <ottomata>	 Coren, hmmm why can't reach 208.80.155.156 (eqiad proxy) from bastion-restricted1?
[18:06:18] <Coren>	 petan: I wanted to make sure php scripts generate errors without breaking yours.
[18:06:26] <Nemo_bis>	 andrewbogott_afk: as far as you know, is anyone managing to get any result from wikitech search?
[18:06:30] <hedonil>	 Coren: let's see if CP can fix this with a persistant connection
[18:06:37] <Coren>	 ottomata: You can't reach floating IPs from within the virtual network.
[18:07:09] <Coren>	 ottomata: You have to use the internal ip (tools-webproxy)
[18:07:26] <Coren>	 Oh, wait, that's the general proxy, not tools'
[18:07:30] <ottomata>	 yeha
[18:07:37] <ottomata>	 just curious, as the proxy is borked again right now
[18:07:44] <Coren>	 But same idea.  You can only reach the outside IPs from outside.  You'll have to use the local IP from the bastion.
[18:07:48] <ottomata>	 sometimes it works, sometimes it doesn't
[18:07:54] <ottomata>	 aye
[18:07:59] <ottomata>	 well, i can reach the local instance IP fine
[18:08:04] <ottomata>	 and the web service works just fine
[18:08:09] <Coren>	 Where's Yuvi when we need him?  :-)
[18:08:10] <ottomata>	 but, it does not through the proxy
[18:08:26] <ottomata>	 i can reach the proxy externally though, it just 502s
[18:28:41] <petan>	 Coren: is it possible it crash because of memory limit?
[18:28:55] <petan>	 Coren: there is no php error but I somewhat found where it die
[18:29:13] <Coren>	 ... not unless you managed to gobble up 4G of ram with a php script -- and if you do, I don't want it running on our servers.  :-)
[18:30:06] <petan>	 Coren: I doubt, it was running fine on apache before
[18:30:44] <Coren>	 What do you think the script is doing when it dies?
[18:31:00] <petan>	 it creates new instance of a class
[18:31:07] <petan>	 that is last thing that happen
[18:31:16] <petan>	 then it just... finish?
[18:31:18] <petan>	 wtf
[18:32:15] <petan>	 it's extremely hard to debug anything because of slow responses from nfs
[18:32:24] <petan>	 I have to wait 2 minutes for errors to get written in error.log
[18:32:51] <Coren>	 petan: That doesn't make sense.  NFS is synchronous.
[18:33:09] <petan>	 Coren: do tail -f error.log
[18:33:14] <petan>	 refresh the webpage
[18:33:22] <petan>	 it doesn't immediately show the error
[18:33:29] <petan>	 it takes long time for that to happen
[18:33:36] <Coren>	 Yeah, it takes a few seconds to show but it's (a) a couple seconds, and (b) lighttpd buffering.
[18:33:44] <petan>	 maybe
[18:33:55] <petan>	 however the last line before it die is: $CI = new $class();
[18:34:18] <petan>	 308 system/core/CodeIgniter.php
[18:34:45] <petan>	 I inserted some syntax nonsense after this line, it never reach it
[18:35:02] <petan>	 but if I put syntax error above this line it show in error.log
[18:35:12] <petan>	 so this line "fail with no error whatsoever"
[18:35:34] <petan>	 it looks like if the webserver just got killed with -9 or something
[18:35:45] <Coren>	 Or the script just ends in there.
[18:35:57] <Coren>	 And no, if the webserver got killed, you'd see /that/ in the logs.
[18:35:59] <petan>	 it doesn't because otherwise my syntax error would happen
[18:36:12] <petan>	 I put the syntax error on next line
[18:36:34] <Coren>	 Right, so obviously something happens in the class constructor.
[18:37:31] <petan>	 seriously, this thing worked perfectly on apache, now it doesn't on lighttpd
[18:37:45] <petan>	 this makes me think it's failure of lighttpd
[18:38:04] <Coren>	 petan: You're not making any sense.  lighttpd is a webserver.  It doesn't control what PHP does.
[18:38:18] <Coren>	 That's PHP runnning this script, not lighttpd.
[18:38:30] <petan>	 howcome the same php did work on apache then?
[18:39:04] <Coren>	 It didn't.  Apache is also a webserver; it doesn't run php scripts either.  (Well, kinda if you use mod_php, but we didn't so it didn't).
[18:40:10] <Coren>	 You've got some environmental dependency you need to track down; perhaps you're using a php extension that was never puppetized?
[18:40:51] <Coren>	 You might want to try to ini_set('display_errors', 'On');
[18:41:07] <Coren>	 It's not a good idea in production, but you're debugging.
[18:41:32] <Coren>	 You might also want to try to report E_ALL|E_STRICT instead of just E_ALL
[18:46:30] <Coren>	 memory_limit is set to 128M, which should be more than enough.
[18:53:48] <qchris>	 I am having trouble verifying the SSH Fingerprint of bastion-eqiad.wmflabs.org. Are it's fingerprints available on some known good page?
[18:55:04] <Coren>	 https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints/bastion-eqiad.wmflabs.org
[18:55:46] <qchris>	 Coren: Thanks.
[19:42:19] <awjr>	 saluton, labsians
[19:42:29] <Damianz>	 I totally read that as something else...
[19:42:30] <awjr>	 i am trying to migrate one of my tools on tool labs to eqiad
[19:42:38] <Damianz>	 Btw, did someone murder petan in the last few months?
[19:42:41] <awjr>	 lol Damianz, i did too after i wrote it :p
[19:43:00] <awjr>	 im trying to 'finish-migration' in eqiad for one of my tools, but i get the following error:
[19:43:01] <awjr>	 Proceed with finalization? (Yes/No): yes
[19:43:01] <awjr>	 sudo: sorry, a password is required to run sudo
[19:43:10] <Damianz>	 Coren sent an email about this - 1sec
[19:43:13] <awjr>	 ah
[19:43:37] <awjr>	 [Labs-l] Possible (minor) issue in migration of tools
[19:43:43] <awjr>	 i hadn't gotten to it in my inbox yet
[19:43:53] <Damianz>	 The tool's maintainer list was not synchronized correctly.  The fix is simple:  simply go to the wikitech interface to make any change to the list of maintainers (such as add or remove a maintainer) and save the change -- you can undo the modification immediately afterwards
[19:44:01] <awjr>	 aye
[19:44:03] <awjr>	 thanks Damianz
[19:44:39] <Damianz>	 np
[19:45:06] <Damianz>	 imo a fix-migration-bug-001 command would be better, but meh priorities
[19:45:11] <petan>	 Damianz: they tried
[19:45:49] <Damianz>	 Damn you're alive... :P
[19:46:15] <Damianz>	 Don't suppose you saw my thing about icinga or the other thing that I forgot
[19:46:24] <Coren>	 Damianz: It has to be done from the wikitech interface, so no commandline.
[19:46:36] <Damianz>	 Coren: Buuut it just edits ldap in the backend?
[19:47:05] <Damianz>	 Hmm I just installed Flux again... how do people work with funny colours like this =\
[19:47:25] <Coren>	 Damianz: As well as change its own status or whatever.
[19:47:50] <Damianz>	 :(
[19:48:22] <Damianz>	 In that case I re-argue the point of wikitech having a real api until such time that it just becomes a dumb client to openstack and I can just use my details directly
[19:48:42] <Coren>	 Iz not arguing.
[19:49:13] <Damianz>	 True... but seriously!? ;)
[19:49:48] <SamB>	 or maybe some sort of, um, "purge" command?
[19:50:08] <Damianz>	 Also... on a seperate note - any chance of tools-login or bastion listening on port 443 for ssh? Would make fixing bots from work possible without using corkscrew, which is horrid.
[19:51:33] <awjr>	 Damianz Coren: for some reason i am not seeing either of my tools (bingle and bugello) on tools.wmflabs.org
[19:51:39] <awjr>	 they used to be there...
[19:52:04] <Coren>	 "see on tools"?
[19:52:25] <mutante>	 Damianz: http://code.kryo.se/iodine/ ?
[19:52:46] <mutante>	 Damianz: i know it's not the answert, just wanted to add to the list of tools:)
[19:53:17] <awjr>	 Coren: under the list of 'hosted tools' on tools.wmflabs.org/?list
[19:53:33] <awjr>	 i need to update the maintainers for bugello since i got the sudo error during migration
[19:54:30] <Coren>	 awjr: You don't need to go to all that trouble:  https://wikitech.wikimedia.org/wiki/Special:NovaServiceGroup
[19:55:08] <Damianz>	 mutante: Cool - we block dns too. I mean I could bounce though to the internet via like 4 hosts internally over many restricted networks... but 80/443 just go straight though the proxy fine heh
[19:55:55] <Damianz>	 awjr: Are they on tools-eqiad.wmflabs.org? the proxy works great, but the indexes aren't merged
[19:56:19] <awjr>	 ah yeah they are Damianz
[19:56:35] <awjr>	 thanks Coren - that looks better 
[20:06:28] <apper>	 Coren: what are the possibilities to debug the lighttpd server? For one of my tools it suddenly stopped working, webservice restart does not work either. error.log has no info, access.log has no entries since the problem first occured. Calling a page doesn't give an error page but no page at all
[20:06:52] <Coren>	 "no page at all?"
[20:07:15] <Coren>	 apper: That means that whatever script is running isn't giving an error, just no output.  PHP?
[20:07:28] <apper>	 "Waiting for tools.wmflabs.org..."
[20:07:44] <apper>	 http://tools.wmflabs.org/wikihistory/test.php
[20:08:12] <apper>	 okay, it's php....
[20:08:15] <apper>	 http://tools.wmflabs.org/wikihistory/style.css works
[20:08:35] <bjelleklang>	 apper: There is no output because the script is running
[20:08:41] <apper>	 test.php is just <? print "Test; ?>
[20:09:00] <mutante>	 <?php phpinfo(); > ?
[20:09:08] <mutante>	 apper: missing " ?
[20:09:22] <apper>	 it's <? print "Test"; ?> of course ;)
[20:09:23] <Coren>	 apper: Well, obviously your lighttpd is currently stuck servicing previous requests.
[20:09:32] <apper>	 it worked hours ago
[20:09:47] <apper>	 Coren: hmm...
[20:09:49] <petan>	 Damianz: I barealy see anything. you need to repeat it :P
[20:09:58] <petan>	 Damianz: that means "repeat it when I am looking"
[20:10:02] <petan>	 I am looking now :3
[20:11:17] <apper>	 Coren: there are a lot of requests, which could run for some time (waiting for a job to be ready). But I have "if (connection_aborted()) exit;" in this waiting loop
[20:11:48] <apper>	 Coren: and at the moment all browser windows are closed, so they should be exited...
[20:11:54] <petan>	 @notify andre
[20:11:54] <wm-bot>	 I'll let you know when I see andre around here
[20:11:55] <petan>	 @notify andre_
[20:11:55] <wm-bot>	 I'll let you know when I see andre_ around here
[20:11:56] <Coren>	 apper: Lemme go see.
[20:11:59] <petan>	 @notify andre__
[20:11:59] <wm-bot>	 I'll let you know when I see andre__ around here
[20:12:03] <petan>	 :o
[20:12:21] <petan>	 that guy really should use less weird nicks
[20:12:39] <mutante>	 what do you need from Andre__
[20:12:52] <petan>	 mutante: he sent me private message
[20:13:02] <petan>	 mutante: I replied and then I figured he is offline
[20:13:40] <Coren>	 apper: Well, what I can tell you is that right now all five slots of your lighttpd are running scripts.
[20:13:41] <petan>	 he is one of those who join irc, ask a question and disappear to mysterious places
[20:13:41] <mutante>	 petan: got it, you could try memoserv. it will even send a message to him when he joins again
[20:13:54] <petan>	 nobody reads memoserv
[20:14:10] <petan>	 well. I don't, maybe some people do :)
[20:14:24] <mutante>	 i agree they should just leave their clients online:)
[20:14:43] <petan>	 I answered just 20 minutes late
[20:14:56] <apper>	 Coren: hmm... okay... than these scripts do not exit when the browser connection is closed, so connection_aborted() doesnt seem to work. I will check this and rewrite it another way
[20:15:02] <apper>	 Coren: thanks
[20:15:03] <petan>	 Damianz: now you disappeared to mysterious place
[20:15:27] <petan>	 Damianz: I am no longer looking send me a mail :]
[20:15:28] <Coren>	 apper: IIRC, connection_aborted() only works under limited conditions.
[20:15:29] <mutante>	 petan: maybe wmbot could mail people if it gets email addresses by nickname from somewhere :)
[20:15:37] <petan>	 hehe
[20:15:45] <petan>	 sounds like an idea
[20:16:03] <petan>	 or maybe it could control remote dron that would seek them and slap them with a message
[20:16:04] <ottomata>	 heya, does anyone know
[20:16:10] <mutante>	 petan: lol
[20:16:13] <ottomata>	 is the svn group / uid 550 special in ldap?
[20:16:14] <ottomata>	 somehow?
[20:16:14] <Coren>	 It /does/ sound like an idea.  A very bad one.
[20:16:28] <petan>	 Coren: hence my joke
[20:16:32] <mutante>	 Internal error
[20:16:33] <mutante>	 The URI you have requested, http://tools.wmflabs.org/wikihistory/test.php, appears to be non-functional at this time.
[20:16:37] <apper>	 Coren: why does "webservice restart" don't kill everything?
[20:17:06] <petan>	 apper: because webservice != killall5 :-)
[20:17:30] <petan>	 btw don't run killall5 just to figure out what it is pls
[20:17:47] <apper>	 petan: then: How can I kill php threads started by lighttpd webservice ;)
[20:18:02] <Damianz>	 apper: use <?php not <?....
[20:18:07] <petan>	 I am almost sure that qdel <id of lighttpd> should kill it
[20:18:12] <petan>	 Damianz: here you are meh
[20:18:15] <Damianz>	 petan: I sent you an email :P
[20:18:19] <petan>	 aha cool
[20:18:24] <Damianz>	 Like yesterday
[20:18:26] <Damianz>	 but anyway
[20:18:32] <petan>	 it didn't arrive
[20:18:35] <Damianz>	 hmm
[20:18:37] <petan>	 your e-mail is broken
[20:18:37] <Damianz>	 work email?
[20:18:40] <Damianz>	 probably
[20:18:41] <apper>	 Damianz: thanks for the reminder, I always forget about this, but normally I should know ;)
[20:18:48] <petan>	 work e-mail?
[20:18:55] <petan>	 you even know it?
[20:18:56] <Damianz>	 Could you add me to nagios as a project admin so I can build an instance in eqiad and fix the current broken one
[20:19:06] <petan>	 you aren't? o.O
[20:19:15] <Damianz>	 I use to be....
[20:19:19] <Damianz>	 petr.bena@acc....e.com
[20:19:22] <mutante>	 but seriously, it's no different from wiki mail 
[20:19:29] <mutante>	 even though i also wasnt serious
[20:20:24] <petan>	 Damianz: omg where do people get it from o.O it had to leak somewhere
[20:20:26] <petan>	 Damianz: fixed
[20:20:31] <Damianz>	 Thanks
[20:20:37] <apper>	 Coren: is there a possibility to manually kill all php processes created by lighttpd webservice?
[20:20:40] <Damianz>	 Pretty sure you emailed me from it sometime or something
[20:20:42] <petan>	 Damianz: you better use my personal mail
[20:20:49] <Damianz>	 gmail?
[20:20:50] <petan>	 Damianz: maybe linkedin
[20:20:52] <petan>	 yes
[20:20:59] * Damianz  updates his contacts for auto complete thing

[20:21:05] <petan>	 I think this is on my linkedin maybe
[20:21:12] <petan>	 that's where u got it from I guess
[20:21:16] <Coren>	 apper: 'webservice stop' should.
[20:21:22] <Damianz>	 No idea - it's the default in my contacts for you
[20:21:44] <apper>	 Coren: is "webservice stop" + "webservice start" something different than "webservice restart"?
[20:22:06] <Coren>	 It shouldn't be.
[20:22:21] <apper>	 Coren: okay, both seperate didn't work either...
[20:22:30] <Coren>	 Huh.  Interesting.
[20:23:12] <Coren>	 lemme murder them violently.
[20:23:26] <apper>	 Coren: I'm pretty sure it worked in tampa
[20:23:46] <apper>	 Coren: I had this problem some weeks ago, and a "webservice restart" did it
[20:23:52] <Coren>	 apper: Yeah, there's something wrong atm
[20:24:08] <Coren>	 Your CGI appear indestructible.  :-)
[20:24:13] <apper>	 hehe
[20:24:16] <Coren>	 Can you webservice stop for me?
[20:24:40] <apper>	 done
[20:24:53] <Coren>	 apper: Okay, they're all dead now.
[20:25:06] <apper>	 okay I'll restart
[20:25:07] <Damianz>	 mmmm murder
[20:25:29] <apper>	 thanks, works now
[20:25:49] <Coren>	 apper: Not sure how your phps could wedge themselves that hard, I had to kill -9 them
[20:26:04] <apper>	 uh
[20:26:44] <Coren>	 (BTW, if that ever happens and I'm not around, you are perfectly allowed to log onto tools-webgrid-01 and kill them)
[20:27:36] <apper>	 connection_aborted() doesn't work if no output is done before...
[20:27:48] <apper>	 I think that was the problem, I will do some tests
[20:27:50] <apper>	 thanks
[20:28:43] <Coren>	 I knew there were some gotchas with connection_aborted()
[20:28:52] <Damianz>	 I love the MOTDs
[20:40:31] <Damianz>	 Anyone around here an enwiki admin and want to do a quick edit on a restricted page (under a user I have access to)
[20:49:44] <Damianz>	 Coren: Are you dealing with labs puppet stuff or is andrewbogott_afk atm?
[20:56:50] * Damianz  sigh

[20:59:06] <mutante>	 Damianz: i'd say both
[20:59:11] <mutante>	 git log:)
[20:59:25] <Damianz>	 lol
[20:59:31] <Damianz>	 Well I have a general meh
[21:00:08] <Damianz>	 Refactoring things into modules is great, production manifests, great... puppet classes in wikitech are broken. Are we going to migrate the classes in the db to the new ones, so the interface is right and ldap so puppet is right?
[21:00:29] <Damianz>	 Right now misc::ircecho -> ircecho means puppet doesn't run, which makes me grumpy since I didn't break it and I can't edit the global classes
[21:00:39] <mutante>	 Damianz: "puppet classes in wikitech"?
[21:00:42] <Damianz>	 So I've got to add a custom class, copy all the settings etc to make ti work, when it should be migrated
[21:00:59] <Damianz>	 Yeah - the 'assign puppet classes to instance' thing
[21:01:03] <mutante>	 oh, you mean the puppet groups thing
[21:01:06] <mutante>	 to configure instances
[21:01:17] <Damianz>	 mhm
[21:01:17] <mutante>	 i wasn't aware they are broken
[21:01:23] <mutante>	 out of sync with the repo?
[21:01:28] <mutante>	 or how
[21:01:45] <mutante>	 because there is just a single one 
[21:01:51] <Damianz>	 Yeah - so for example misc::ircecho is now the module ircecho. Which needs fixing in the db (for the interface options), but also ldap (for actual puppet enc)
[21:01:53] <mutante>	 there isn't labs vs/ prod branch anymore
[21:02:12] <Damianz>	 Just an interface/assignement issue - but annoying because we have this desynced thing
[21:02:15] <mutante>	 uhm.. that sounds like a real issue
[21:02:21] <mutante>	 if that is not in sync
[21:02:26] <mutante>	 with the normal puppet repo
[21:02:55] <mutante>	 i just did not notice because i was using puppetmaster::self the other day
[21:03:02] <Damianz>	 Basically everytime something is moved, not only do the manifests in the repo need refactoring. But migrations for mysql/ldap need writing and running
[21:03:02] <mutante>	 i would have ran into it for sure
[21:03:30] <mutante>	 "something is moved" = any puppet merge?
[21:03:38] <Damianz>	 Potentially
[21:03:45] <Damianz>	 Required options changing, things moving, being renamed
[21:03:46] <mutante>	 well, i wouldn't know how else to explain it
[21:03:50] <Damianz>	 Anything that breaks anything =\
[21:03:55] <mutante>	 arg :(
[21:04:07] * Damianz  doesn't really like the split labs/prod thing... same as monitoring, refactoring is a PITA for keeping labs working

[21:04:22] <mutante>	 but the thing is , it's not split anymore
[21:04:33] <mutante>	 it should just be what is being merged
[21:04:36] <mutante>	 something broke
[21:04:42] <Damianz>	 Well - in git its not... usage is (exported resources, ENC vs nodes)
[21:04:51] <mutante>	 and i wonder how this can be without others like hashar complaining
[21:04:53] <mutante>	 in beta
[21:05:27] <mutante>	 what do you mean by refactoring?
[21:05:35] <mutante>	 adding a case for $realm ?
[21:06:06] <mutante>	 monitoring, that is totally unrelated isnt it
[21:06:17] <mutante>	 because labs nagios has never been prod. nagios
[21:06:25] <Damianz>	 Using $realm for stuff, just makes difference cases and diverges things more
[21:06:29] <mutante>	 which i keep pointing out as being really unfortunate since before it even existed
[21:06:36] <Damianz>	 I think beta gets away with it using a lot of $realm
[21:06:40] <fale>	 uhm... something happens to tools-login?
[21:06:54] <mutante>	 of course, $realm, but that's in every role class
[21:07:00] <mutante>	 how else are you going to do it
[21:07:09] <Damianz>	 oh fuck
[21:07:21] <Damianz>	 ircecho now takes a map... I can't pass maps from wikitech IIRC
[21:07:29] <mutante>	 example $apache_site="something.wikimedia.org"
[21:07:36] <mutante>	 vs. $apache_site="something.wmflabs.org"
[21:07:42] <mutante>	 you have to do some $realm thing
[21:07:54] <mutante>	 but that's usually it
[21:08:02] <Damianz>	 Or $domain - yeah, those cases aren't really avoidable
[21:08:05] <mutante>	 apache site name and maybe certificate
[21:08:30] <mutante>	 you should just have one of them in the role class
[21:08:36] <mutante>	 and the module should be independent
[21:09:03] <mutante>	 the $real case in /mainfests/role/something.pp and set the variables there
[21:09:20] <mutante>	 then let it call ./modules/something/init.pp
[21:09:24] <mutante>	 which can be generic
[21:09:33] <mutante>	 s/$real/$realm
[21:10:04] <Damianz>	 Ideally we should have production and labs hiera files and not use cases in the role files - but that's a different discussion
[21:10:10] <mutante>	 when configuring instances, just apply role class
[21:10:29] <mutante>	 yea, maybe, just saying how we all do it
[21:10:31] <mutante>	 not just beta
[21:10:49] <mutante>	 so back to the issue, if the puppetmaster is out of sync
[21:10:51] <mutante>	 that needs fixing
[21:10:57] <mutante>	 but is it really? are you sure?
[21:11:15] <mutante>	 because then i really wonder how hashar could work, we merged stuff for him
[21:12:40] <hashar>	 hi
[21:12:41] <Damianz>	 The puppetmaster is in sync with git
[21:12:51] <Damianz>	 Wikitech isn't in sync with the groups/classes
[21:13:04] <Damianz>	 And some changes made to git are not compatible with labs/wikitech AFAIK
[21:13:22] <mutante>	 then " Wikitech isn't in sync with the groups/classes" is a bug for sure
[21:13:29] <Damianz>	 So for example, misc::ircecho moving to ircecho broke puppet on labs instances, because the ENC was not updated
[21:13:56] <hashar>	 yeah because we dont keep back compatibility classes
[21:13:57] <Damianz>	 Also, because ircecho now takes a map for the channels, rather than a log and a channel value as a string... I can't use it - the ldap ENC doesn't support maps
[21:14:12] <mutante>	 in theory this would be the other way around, right
[21:14:20] <mutante>	 labs is for testing stuff that gets into prod :p
[21:14:24] <Damianz>	 Yeah
[21:14:38] <Damianz>	 But we can't do that - because labs and prod run off the same git branch
[21:14:54] <mutante>	 they used to be 2 separate branches
[21:14:58] <Damianz>	 Though apparently even when we test stuff it gets into prod broken *hehem varnish issue*
[21:14:59] <mutante>	 caused even more issues :p
[21:15:00] <hashar>	 if we had a dashboard/reporting  of puppet failures on labs instance, that would help catch up
[21:15:02] <liangent>	 petan: around?
[21:15:07] <mutante>	 that's why we stopped that
[21:15:14] <petan>	 liangent: no
[21:15:40] <liangent>	 :/
[21:15:43] <liangent>	 petan: add me to http://tools.wmflabs.org/paste/ ?
[21:16:03] <mutante>	 where does ircecho run?
[21:16:20] <Damianz>	 nagios-icinga
[21:16:25] <mutante>	 so, in labs
[21:16:25] * SamB  backs slowly away from whatever mess he just tab-switched into the middle of

[21:16:34] <SamB>	 (even if it is a tree widget rather than a tab bar!)
[21:16:43] <petan>	 done
[21:16:48] <mutante>	 Damianz: imho the root cause is wrong worklow
[21:16:51] <petan>	 liangent: u there
[21:16:55] <mutante>	 it should be tested in labs, and then run in prod
[21:17:05] <mutante>	 if it's .. well.. prod
[21:17:10] <liangent>	 petan: thanks
[21:17:17] <Damianz>	 It should be tested in labs, run in labs then run in prod
[21:17:29] <Damianz>	 But yeah - shits broken *grumpy*
[21:17:47] <mutante>	 yea, well, git blame the person who touched ircecho
[21:17:53] <mutante>	 and make them add a $realm case
[21:18:34] <Damianz>	 Won't fix the problem due to the lack of map support in the ldap enc... will need a misc class to handle a single chan/log ircecho instance, which is hacky
[21:18:59] <mutante>	 if you are saying something is impossible to run in labs
[21:19:06] <mutante>	 then that's another bug:)
[21:19:11] <Damianz>	 And people changing git, don't have access to wikitech to do real migrations and making them write real migrations is evil workflow... I think wikitech needs automated logic to handle that side
[21:19:30] <fale>	 why if I link to /blahblah it links to http://tools-webserver-02/blahblah instad of http://tools.wmflabs.org/blahblah?
[21:19:35] <Damianz>	 I might just spam lots of grumpy in bugzilla, then people can email slap me down
[21:19:43] <mutante>	 automatic logic = fix the sync 
[21:19:51] <mutante>	 and jenkins
[21:20:16] <Damianz>	 fale: using $_SERVER or something? that's the real hostname behind the proxy
[21:20:53] <Damianz>	 Going back to early bitching - if wikitech had an api, then jenkins could spin up instances to test puppet changes and avoid this
[21:21:04] <fale>	 Damianz: uhm... is possible that apache adds the $_SERVER?
[21:22:42] <Damianz>	 Sorry - I'm assuming you're using php
[21:22:51] <Damianz>	 Got a real url example?
[21:23:47] <fale>	 Damianz: http://tools.wmflabs.org/isbn2tpl/
[21:23:55] <fale>	 Damianz: yep, it's php :(
[21:24:18] <liangent>	 petan: I can't find anything strange now after local-paste@tools-dev:~$ mv ...DATA.public_html public_html
[21:24:41] <liangent>	 petan: new test paste http://tools.wmflabs.org/paste/view/73077ec0
[21:25:02] <petan>	 liangent: interesting, can you explain to me why it didn't work before
[21:25:24] <liangent>	 petan: because there was no public_html ?
[21:25:44] <petan>	 oh wait
[21:25:53] <petan>	 did you move it there on OLD tools?
[21:26:06] <petan>	 because I am trying to migrate this to new tools cluster
[21:26:53] <fale>	 petan: new tools cluster?
[21:27:02] <petan>	 fale: yes, eqiad one
[21:27:04] <Damianz>	 fale: You have the most complex index.php even... digging though the code
[21:27:16] <petan>	 Damianz: I have more complex one
[21:27:23] <Damianz>	 You write shit in c#
[21:27:30] <petan>	 :o
[21:27:39] <petan>	 I even write shit in assembler when I am bored
[21:28:08] <petan>	 recently I rewrote few of my drivers cuz they didn't work as well as I wanted :P
[21:29:09] <petan>	 Coren: how do I figure out which webservice is serving the webpage?
[21:29:21] <Damianz>	 fale: What is url set to in app config.php?
[21:29:22] <petan>	 Coren: if it was lighttpd or old apache from old cluster
[21:29:27] <SamB>	 petan: I'm assuming they still didn't work as well as you wanted afterwards
[21:29:37] <Damianz>	 That link_to function is using app('url')
[21:29:39] <SamB>	 or you're blessed with low expectations
[21:29:43] <Damianz>	 So I'm guessing some config is wrong
[21:29:46] <petan>	 SamB: they do perfectly work now
[21:30:13] <SamB>	 or you had some very nice hardware with shoddy drivers
[21:30:21] <petan>	 SamB: otherwise I wouldn't be even connected they were wi-fi drivers
[21:30:30] <petan>	 SamB: no I have too new hardware for linux :P
[21:30:41] <liangent>	 huh I was thinking about simply "making it running"
[21:30:59] <liangent>	 I even haven't read stuff about migration
[21:31:09] <SamB>	 oh, somehow I'd gotten the impression that you were hand-patching driver binaries ;-)
[21:31:13] <petan>	 liangent: yes, but in few weeks the old cluster will be mercilesly deleted and the tool will stop working if we don't migrate it
[21:31:18] <liangent>	 (or better to say, didn't read anything about ToolLab migration)
[21:31:35] <petan>	 liangent: you better read it if you run anythin there
[21:31:45] <petan>	 otherwise all your tools are in danger
[21:32:11] <liangent>	 but everything I saw is about instance migration
[21:32:49] <petan>	 liangent: are you even subscribed to labs-l
[21:32:52] <greg-g>	 random thought (sorry about the interjection): but would it be good to have a notice on wikitech.wikimedia.org about the transition?
[21:33:34] <liangent>	 petan: "[Labs-l] Tool Labs migration instructions" found it :)
[21:34:13] <petan>	 liangent: let's just create a new tool paste-test
[21:34:22] <petan>	 I will delete it once we make it work
[21:34:29] <petan>	 so that /paste works until we find the issue
[21:37:21] <liangent>	 petan: have you created it? become: no such tool 'paste-test'
[21:37:29] <petan>	 sec
[21:39:08] <petan>	 it's being created I guess
[21:39:28] <petan>	 no more toolwatcher on -login :/
[21:41:55] <greg-g>	 (is there a canonical "This is what the labs migration means to you" page?)
[21:43:23] <liangent>	 petan: in meantime... should I try to migrate my own tools first?
[21:43:33] <petan>	 I don't know
[21:43:35] <liangent>	 or should I wait for paste-test as a practice for me
[21:43:38] <petan>	 you probably should
[21:43:40] <hedonil>	 fale: this kind of url sometimes appears if the trailing / is missing. know issue
[21:43:44] <petan>	 but no guarantee it will work
[21:44:14] <^d>	 Any labs opsen about?
[21:44:45] <SamB>	 greg-g: like, a notice on all user pages, or what?
[21:44:59] <SamB>	 +talk
[21:45:24] <greg-g>	 SamB: I was thinking a site notice
[21:46:10] <SamB>	 did everyone who has a tool get emailed about this yet?
[21:46:51] <hedonil>	 SamB: Coren is on that. mail seems not to work yet
[21:46:59] * SamB  has no tool

[21:48:10] <petan>	 no tool? that is like not having a facebook profile
[21:48:16] <petan>	 you better got get some
[21:48:20] <petan>	 * go
[21:50:43] <hedonil>	 petan: what's the current problem with paste? it's still running in old labs.. and w/o https :(
[21:50:59] <hedonil>	 this is sooo sad
[21:51:09] <petan>	 x
[21:51:19] <petan>	 hedonil: I migrated today then I rolled it back
[21:51:37] <petan>	 hedonil: it doesn't work on new cluster, it doesn't produce any error. it just silently die
[21:51:42] <hedonil>	 petan: hmmm
[21:51:48] <liangent>	 what's tools-db databases ?
[21:51:49] <SamB>	 petan: hey, I only even got an account on wikitech because I wanted to use url2commons ... which then refused to work anyway, at least until it had been upgraded to support OAuth
[21:52:00] <petan>	 I say it's problem of new cluster, Coren say it's problem of tool.
[21:52:21] <petan>	 SamB: no tool, no facebook, poor you
[21:52:31] <hedonil>	 hehe
[21:53:37] <SamB>	 I was thinking of setting up a copy of url2commons so I could see WTH was going wrong, because all I got was an erorr message that looked vaguely equivalent to 5xx ...
[21:54:40] <hedonil>	 petan: mind, if I join the paste-debug-party?
[21:55:44] <petan>	 ok
[21:56:20] <hedonil>	 petan: so then add me to the maintainer's list
[21:56:42] <Damianz>	 petan: Can you add projects?
[21:56:51] <petan>	 Coren: I created new tools "paste-test" it just doesn't want to get working, I can't even become
[21:56:57] <petan>	 Damianz: I can barely login
[21:57:06] <petan>	 Damianz: but I can make sushi
[21:57:20] <Damianz>	 Mmmm I'd totally have sushi
[21:57:27] <petan>	 it doesn't look well but it taste so great
[21:58:00] <hedonil>	 petan: newly created tools are not sync'd automatically to eqiad. ha a similar issue which Coren fixed by hand
[21:58:19] <petan>	 ok I guess I have to wait for Coren because my hand lack powers
[21:59:03] <petan>	 I can forcefuly create it's home folder, but I can't setup the mysql etc, new cluster has even more secret db root account and regular admins don't have access to it
[21:59:12] <petan>	 I guess Core n have no trust in us :-)
[22:00:48] <petan>	 hedonil: I can add you to paste tool as well but it's not easily possible to debug problem in there
[22:01:05] <petan>	 hedonil: you would need to migrate the tool again which would break it and I don't like broken tools
[22:01:15] <petan>	 so I would prefer setup a clone of this tool
[22:01:19] <petan>	 on new cluster
[22:01:25] <hedonil>	 petan: weel if it would have been easy you'd already fixed it ;)
[22:01:30] <petan>	 and once the issue is fixed we just move the "production"
[22:02:03] <petan>	 paste-test is supposed to be this clone
[22:02:15] <petan>	 but it doesn't want to get created
[22:02:23] <hedonil>	 petan: If paste -test will disappear at the end of the test, let's try it by force
[22:02:40] <petan>	 so once Coren fix that I will clone the files of paste in there and we can start working on that
[22:02:48] <petan>	 hedonil: what you mean by force?
[22:03:04] <hedonil>	 petan: just create a tools folder in eqiad, 
[22:03:26] <petan>	 hedonil: I have no force. I am just an admin that implies "almost no powers" where user is "no powers" :P
[22:03:28] <Damianz>	 Is there some funky page somehwere to request wikipedia admins to make an edit?
[22:03:39] <petan>	 Damianz: edit to what
[22:04:00] <petan>	 Damianz: did you ask if I am admin on wikipedia before?
[22:04:03] <Damianz>	 cbng fpreport url to move to tools from the bots redirect that's broken
[22:04:16] <Damianz>	 I asked if there was any enwiki admins around that wanted to make a quick edit before
[22:04:24] <petan>	 aha I can do that
[22:04:26] <SamB>	 Damianz: isn't that just {{edit protected}} on the talk page of whatever thing?
[22:04:28] <petan>	 maybe
[22:04:56] <Damianz>	 Need https://en.wikipedia.org/wiki/User:ClueBot_NG/Warnings/FPReport changing from report.cluebot.cluenet.org/ to tools.wmflabs.org/cluebot/
[22:05:13] <petan>	 sec
[22:05:19] <Damianz>	 It's rather annoying that I can login as Cluebot_NG, but not edit the page under the user... stupid full protection
[22:06:12] <petan>	 Damianz: https://en.wikipedia.org/w/index.php?title=User:ClueBot_NG/Warnings/FPReport&diff=598608741&oldid=402309756
[22:06:25] <petan>	 Damianz: is it correct? I can also remove the protection if you need :P
[22:06:36] <Damianz>	 Yep - perfect. Tyvm
[22:06:44] <Damianz>	 Now the bot will stop reverting pages and linking people toa  404
[22:08:16] <petan>	 good :P
[22:08:24] <petan>	 Damianz: you gonna be at hackaton?
[22:09:09] <petan>	 I really need to hack into cluebot hehe
[22:09:11] <SamB>	 I don't suppose pages can have ad-hoc ACL rules, rather than requiring a certain clearance bit of any editor?
[22:10:26] <petan>	 SamB: they can't because everybody knows that role based security is better than stupid group-based crap mediawiki uses. And mediawiki always uses the worse solution :P. But just the second worse, so it's still ok XD
[22:10:29] <liangent>	 I think I've done migration for two of my tools...
[22:10:38] <liangent>	 the simplest two :p
[22:10:45] <Damianz>	 In Zürich? Hmm hadn't thought about it... will be about due a holiday then. I've got something I have to do on the 7th, but could make it.
[22:11:12] <Damianz>	 Would probably end up massivly refactoring cluebot or strangling someone from ops
[22:11:17] <petan>	 Damianz: lot of cookies and beer and stuff. maybe some programming too
[22:11:38] <SamB>	 petan: hey, at when I create pages they aren't marked as owned by a group named SamB
[22:11:41] <petan>	 oh yes we eventually do some wikimedia related work there too
[22:12:43] <petan>	 SamB: no but you can set up special protection levels that will give certain groups permissions to edit pages under this
[22:13:17] <petan>	 for example you can create group "suparpowar" and set up a protection level "suparpowaronly"
[22:13:33] <petan>	 if you protect the page using this, nobody except member of suparpowar will be able to edit this
[22:13:46] <petan>	 I think
[22:15:04] <petan>	 I definitely saw something like that, but in the end, mediawiki developers have this excuse "mediawiki was created for online encyclopedia that anyone can edit, so edit restrictions aren't very good. If you want better edit restrictions you need to use some proper corporate CMS" :P
[22:16:11] <SamB>	 and yet I don't seem to be able to edit other peoples' /*.{css,js} pages ;-P
[22:16:44] <petan>	 btw there are very poor role based security implementations even in linux kernel, so don't expect these in software which doesn't need them, when they aren't even in software that should have them
[22:16:48] <Damianz>	 user pages are user pages
[22:17:10] * Damianz  xss's SamB

[22:17:13] <petan>	 SamB: these are specially restricted using a nasty hack
[22:17:14] <petan>	 :P
[22:17:24] <SamB>	 Damianz: yes I know why, what do you think the ";-P" was for
[22:17:34] <petan>	 which is almost as ugly like the hack preventing people from deleting main page on enwp :P
[22:17:47] <SamB>	 yes I read about that
[22:18:15] <Damianz>	 I thought that was just protected
[22:18:22] <petan>	 lol no
[22:18:29] <petan>	 there 2 other protection layers
[22:18:38] <SamB>	 Damianz: no, someone actually deleted because someone else had told them it was impossible
[22:18:38] <petan>	 you can't delete main page on enwp, neither move it
[22:18:48] <petan>	 your computer would blow up if you tried
[22:18:53] <SamB>	 and they just had to see it not delete
[22:19:23] <Damianz>	 But they had to be an admin todo that first?
[22:19:27] <petan>	 Damianz: it's like hook_ondelete() { if ( $wikiname == "en.wikipedia" && $pagename == "Main_Page" ) { die(); } }
[22:19:33] <Damianz>	 o.0
[22:19:34] <petan>	 Damianz XD
[22:19:37] * ^d  skims the armchair criticism, then goes back to work

[22:19:39] <petan>	 Damianz seriusly let me find it
[22:20:27] <Damianz>	 ^d: It's easier to criticise than fix... php
[22:20:31] <liangent>	 petan: it seems uid and gid of paste-test's home on new login are incorrect?
[22:21:16] <^d>	 Meh, anyway we wouldn't have to have hacks against deleting the main page in wmf-config if people didn't think deleting main pages was a good idea.
[22:21:25] <^d>	 Because here's a hint: it's not :D
[22:21:31] <liangent>	 SamB: Ctrl+F for cant-delete-main-page  in https://noc.wikimedia.org/conf/CommonSettings.php.txt
[22:21:34] <Damianz>	 Can't fix stupid
[22:21:57] <petan>	 Damianz: I found it
[22:22:18] <petan>	 oh yes it's in that file liangent just sent
[22:23:07] <Damianz>	 I'd just remove the idiots access, that's just ugly
[22:23:10] <petan>	 look for "Only use this shitty hack for enwiki. Thanks."
[22:23:11] <Damianz>	 Hmm anyway
[22:23:32] <SamB>	 ^d: yes, I guess it's pretty much the same as looking down the barrel of gun you think isn't loaded ...
[22:23:53] <SamB>	 except you only kill the server and/or page, not a human being
[22:24:13] <^d>	 Damianz: Well sadly people like imitating idiots.
[22:24:14] <petan>	 no you only kill the page, which isn't even that important in the end
[22:24:18] <petan>	 who cares about the main page
[22:24:22] <^d>	 :)
[22:24:26] <Damianz>	 Coren: Since you're sorta lurking - do you have a min to create a new project for me?
[22:24:32] <^d>	 Anyway, deleting a page is easy.
[22:24:36] <Damianz>	 Doesn't everyone get to wikipedia pages via google?
[22:24:38] <^d>	 `mwscript eval.php enwiki`
[22:24:41] <SamB>	 so it's safe to delete a page with 4999 revs?
[22:24:49] <SamB>	 the server won't fall over?
[22:24:50] <petan>	 SamB: of course :P
[22:24:58] <^d>	 ;-)
[22:25:19] <liangent>	 SamB: counting that 5000 revs uses a function called estimate***
[22:25:22] <petan>	 Damianz: that's my point
[22:25:30] <petan>	 Damianz: I haven't visited main page for long
[22:25:36] <liangent>	 it might overestimate the number of there're 4999 revs :p
[22:25:39] <petan>	 google gets you where you need
[22:25:41] <liangent>	 *if
[22:25:50] <petan>	 it even gets you what you need in some cases :P
[22:25:54] <^d>	 liangent: That function is misnamed. It shouldn't be called estimateRowCount()
[22:25:58] <^d>	 Should be bullshitRowCount()
[22:26:02] <Damianz>	 lol
[22:26:20] <SamB>	 by 4999 I mean "as many as it can have and still be deleted"
[22:26:26] <petan>	 the body of function is { return random(); } anyway
[22:26:55] <^d>	 mt_rand() is the best way to do stats.
[22:26:58] <liangent>	 petan: hm what about the uid/gid issue?
[22:27:05] <SamB>	 IMO main page exists so that pages can be marked as featured after they've been shown on it
[22:27:10] <petan>	 liangent: where
[22:27:13] <liangent>	 petan: it seems uid and gid of paste-test's home on new login are incorrect?
[22:27:15] <^d>	 We did it in Special:Code for awhile when we didn't know how to count properly and just new max and min.
[22:27:15] <SamB>	 or, well, linked to from it
[22:27:22] <^d>	 So we mt_rand()'d the number of results.
[22:27:24] <petan>	 liangent: are they even there?
[22:27:28] <petan>	 liangent: they weren't last time
[22:27:38] <petan>	 liangent: like the folder wasn't even created
[22:27:51] <petan>	 wheeeee
[22:27:53] <petan>	 it's there
[22:28:06] <petan>	 what the hell
[22:28:11] <petan>	 it doesn't work
[22:28:13] <petan>	 but who cares
[22:28:18] <SamB>	 also, so people can't create a new main page with, say, the goatse image or a video of that Rick Astley video ...
[22:28:28] <liangent>	 huh it got fixed automatically?
[22:28:28] <hedonil>	 petan: so now we have a directory  paste-test & new db creds in eqiad.  you just need to chown /data/project/paste-test  to  tools.paste-test
[22:28:41] <liangent>	 so http://tools.wmflabs.org/paste-test/ seems working now
[22:28:47] <petan>	 hedonil: no we don't have new db creds, because it's broken
[22:28:54] <petan>	 we don't have any db creds :P
[22:29:11] <petan>	 tools.paste-test@tools-login:~$ mysql
[22:29:12] <petan>	 ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
[22:29:16] <petan>	 wait...
[22:29:18] <petan>	 local? o.O
[22:29:39] <petan>	 tools.paste-test@tools-login:~/public_html$ mysql -h tools-db
[22:29:40] <petan>	 ERROR 1045 (28000): Access denied for user 'petrb'@'10.68.16.7' (using password: NO)
[22:29:47] <hedonil>	 petan: mysql --defaults-file=replica.my.cnf  -h tools-db works fine what issue?
[22:29:49] <petan>	 why petrb? o.O
[22:29:58] <petan>	 oh this
[22:30:09] <petan>	 I thought we created this as .my.cnf as well for some reason
[22:30:13] <petan>	 but that were just my tools
[22:30:42] <petan>	 hedonil: you can type `sql local`
[22:30:45] <petan>	 that is shorter
[22:31:00] <hedonil>	 petan: yep works
[22:31:00] <petan>	 ok you are right
[22:31:06] <petan>	 I will clone the files now
[22:32:12] <petan>	 ok it's all cloned
[22:32:37] <petan>	 and yes, the problem is replicated
[22:32:42] <petan>	 now we get error 500 again
[22:32:49] <petan>	 hedonil: start debugging!
[22:32:50] <petan>	 XD
[22:33:22] <petan>	 hedonil: btw the cloned files are using db credentials of "paste" you might want to replace them
[22:33:40] <hedonil>	 petan: on it. btw I did a migration to create the directories/files in eqiad
[22:33:50] <petan>	 aha
[22:33:51] <petan>	 interesting
[22:33:59] <petan>	 I would expect them to be created automaticaly there
[22:34:08] <petan>	 since new tools should be only on eqiad
[22:36:42] <petan>	 btw hedonil to save you work
[22:36:55] <hedonil>	 petan: yes?
[22:37:52] <petan>	 the problems start at line 308 system/core/CodeIgniter.php
[22:38:08] <petan>	 hedonil: $CI = new $class(); seems to be where problems start
[22:38:18] <petan>	 until then everything works
[22:38:45] <petan>	 but I didn't get further in debugging because I am lazy :P
[22:39:12] <petan>	 you do the hard work I will take the glory :P
[22:39:30] <hedonil>	 petan: ok. just checking the basic webs  (paths & variables) because that's almost the things that changed  http://tools.wmflabs.org/paste-test/index2.php
[22:39:51] <petan>	 I think that all paths should be same
[22:48:01] <liangent>	 petan: well I broke paste again by mv public_html ...DATA.public_html, because unless we migrate it again, new pastes will be lost...
[23:14:24] <liangent>	 petan: and http://tools.wmflabs.org/paste/ fixed on eqiad 
[23:15:29] <liangent>	 by setting db connection data and adding rewrite rules
[23:27:57] <hedonil>	 petan: it's getting verbose now  http://tools.wmflabs.org/paste-test/  
[23:28:28] <hedonil>	 petan: is the database already migrated  https://tools.wmflabs.org/tools-info/?dblist=tools-db  which is paste db?
[23:30:31] <hedonil>	 petan liangent. already fixed, didn't notice - what was the error
[23:32:38] <hedonil>	 petan: liangent: but still doesn't work with https (unsecure content blocked by browser)
[23:33:47] <SamB>	 needs more // ?