[15:46:56] [[Tech]]; Wermey287; /* Error message when opening the page uedemersv.de */ new section; https://meta.wikimedia.org/w/index.php?diff=30476309&oldid=30470964&rcid=39267074
[15:48:51] License number for MW? wat
[16:04:33] heh, I bet it's a license for Plesk or something like that
[17:50:23] krinkle: re T424859: you've uploaded the patch now so we should probably review your patch, but FWIW i had claimed that task & was in the process of working on it :/
[17:50:23] T424859: The `og:image` tag for the wikipedia.org portal leads to a broken image thumbnail - https://phabricator.wikimedia.org/T424859
[17:53:52] oh... i see in https://gerrit.wikimedia.org/r/c/wikimedia/portals/+/1279434/1..2 that you added that task ID to the patch after having already uploaded it. so i guess it might've been a coincidental discovery of the same bug?
[17:55:47] A_smart_kitten: yeah, didn't realize yours
[17:55:52] sorry about that
[17:56:18] saw your Fresh task, and found it linked there.
[17:58:02] Krinkle: no worries :) apologies if i leapt to the non-AGF line of thinking as a first port of call.
[17:58:09] it sucks slightly (given slightly duplicated work etc) but at least I learned more about using Fresh & running wikimedia/portals in a local dev env (and also put together a couple of small documentation improvement patches for the Portals repo that i'm about to push to Gerrit) :)
[17:58:33] np, task looks fine to me
[17:58:49] fresh has a usage doc when you run it with -help or incorrect args.
[17:58:59] it doesn't explain the options beyond stating their existence
[17:59:35] The only place any of the options are documented, not just -net, is in the source. Those comments aren't code comments, they're written in a style that is very much intended as end-user documentation.
[18:00:07] The security angle and minimal standalone nature of fresh is such that I expect its users to have at least skimmed the source code. Zero trust :)
[18:00:26] But, it's a fair point that even if you do that, you should be able to get to it easily at a later time.
[18:00:46] So yeah... wouldn't mind a patch adding a proper --help that prints those to stdout.
[18:09:51] TBH the first place I looked for the docs on Fresh's `-net` option was the README at https://github.com/wikimedia/fresh#usage
[18:11:15] I guess in my ideal world that I'm imagining, there'd also be some docs in Fresh/on the README that specifically tell me that I also need to enable the 'Enable host networking' within Docker Desktop
[18:25:59] A_smart_kitten: not exactly, I think that's an accident.
[18:26:13] -net is about allowing code inside fresh to connect to something you installed outside fresh
[18:26:41] for example if you run MediaWiki quickstart, or MediaWiki-Docker, whether something like qunit inside fresh can talk to MediaWiki localhost:4000
[18:27:29] Using "Enable host networking" has the accidental side-effect that this also means things running inside fresh can be talked to from the outside. That's not a supported use case right now. and I would generally not encourage enabling that for Docker Desktop
[18:28:27] oh. i guess my task was written from a misunderstanding of fresh's intended behaviour then, lol
[18:30:03] A_smart_kitten: does the portal code work fine if you open it directly in your browser by drag and drop, e.g. file:///path/to/index.html
[18:31:26] Krinkle: it seems like it? but i wouldn't be sure if there's something non-obvious that isn't working
[18:31:38] if not, I'd recommend the portal project document something like `python -m http.server 8000` instead (separate from the npm start/build command) which is ubiquitous (python is pre-installed most everywhere) and secure (serve static files only, and your browser is a sandbox already).
[18:32:24] there's no reason to depend on a complex npm stack to serve static files
[18:35:16] @web/dev-server has 176 dependencies total
[18:35:26] not something you'd want to run outside fresh indeed
[18:35:41] https://npm.anvaka.com/#/view/2d/%40web%2Fdev-server
[18:35:59] a webserver in only 176 dependencies!?
[18:37:20] https://gist.github.com/willurd/5720255 recommends https://npm.anvaka.com/#/view/2d/node-static which has only 5. Anyway, I'd choose something built-in like python instead given the choice :)
[18:38:23] Krinkle: potentially a stupid question, bear with me :p Would I be correct in assuming that the reason I might not want 'Enable host networking' enabled is because then anything malicious running _inside_ fresh can then do more damage to the computer that's _running_ fresh?
[18:38:40] A_smart_kitten: correct
[18:38:45] right
[18:39:00] i guess i did completely misunderstand the `-net` option then, lol
[18:40:12] -net is already a fairly strong hammer. It means anything in fresh can talk to stuff outside it, e.g. your MW devserver, but also potentially unexpected things such as your chromecast TV, internet-of-tech fridge, home router, and anything else on your PC or home network that uses HTTP, TCP, or UDP for any reason.
[18:41:22] But that can be defended against if you don't trust your local network anyway, e.g. protect/firewall such things.
[18:42:19] with host networking it means something in fresh, that you're not aware of and thus can't firewall or pw-protect, can then be reachable from elsewhere. I can pw-protect my router and fridge. I can't pw-protect something malicious that started itself inside a container.
[18:42:40] this would typically be exploited in two steps, e.g. a web page you visit wants to send data somewhere, and uses what you have in fresh as a relay.
[18:43:03] The second reason, and then I'll shut up, is that "Enable host networking" is for everything you might run in docker, whereas Fresh -net is a one-time thing for that one time you're using Fresh.
[18:43:56] and while I have a medium level of trust when running qunit or selenium in fresh on a MW project where we do a good job with security, that doesn't go for random github projects I contribute patches to that I run npm install+test for via fresh as well.
[18:44:12] plus whatever else you might use docker for separate from mediawiki or fresh.
[18:45:30] when you enable "host networking" in docker desktop, you don't need to pass -net to fresh anymore.
[18:48:50] thank you for the explanations (& taking the time to explain) Krinkle :) appreciated. now i kinda feel i should basically rewrite the entire description of my fresh task :p
[18:49:07] 'when you enable "host networking" in docker desktop, you don't need to pass -net to fresh anymore' -- interestingly, i just tested it now and (at least in my env) it seems like i still do
[18:49:55] A_smart_kitten: interesting. Linux or Mac?
[18:50:01] Mac
[18:58:35] A_smart_kitten: me too. I have that option turned off.
[19:19:29] A_smart_kitten: ok, so it seems some changes have taken place in docker desktop over the years (i.e. specific to mac/windows)
[19:21:19] I'm not sure exactly how it worked before but basically docker desktop is a Linux VM (because docker as a concept is basically linux cgroups+namespaces, which are specific to Linux), and so --network=host is a toggle for disabling the default firewall around each container, but that means it is still inside the Linux VM.
[19:21:46] This does mean that if the two things you want to have talking to each other are both in docker, then fresh -env, or docker --network=host works. For example, having QUnit in Fresh -env talk to MediaWiki-Docker.
[19:22:14] because on mac/windows, with docker desktop, the "host" in docker --network=host is the Linux VM.
[19:23:09] if you additionally want to let it talk to, or be talked to from, things outside docker on your PC and home network, then you need to have the docker desktop linux VM also be using the host network.
[19:23:20] There is a way around that if you want.
[19:23:42] host.docker.internal is a hostname that code inside fresh/docker can use to reach your host (and only your host, not your fridge)
[19:24:11] e.g. curl host.docker.internal:4000 works for me in a regular fresh session without -net and without "Enable host networking". and lets fresh talk to my baremetal MW server.
[19:31:37] however, there isn't a straightforward way for the opposite, to expose a container's service port on the host, except by mapping it manually in the docker run command before launching the session, or via a docker-compose file. But that's not for ad-hoc stuff like fresh.
[19:32:12] anyway, for a dev service like that, the project should probably have a dockerfile or docker-compose file in the repo (if such a service is needed) as for example mediawiki and other apps do.
[19:32:27] Or, change the docs per earlier to encourage a simple static server outside the npm build process.
[19:32:31]
[20:22:12] [[Tech]]; AKlapper (WMF); /* Error message when opening the page uedemersv.de */ Reply; https://meta.wikimedia.org/w/index.php?diff=30477346&oldid=30476309&rcid=39269636
[20:42:25] Krinkle: ack, thank you :)