[03:10:52] * jeremyb  guesses OrenBochman is asleep...

[06:12:42] <Ayan_>	 +ayan
[06:12:57] <Ayan_>	 lalalalalalalala'
[06:13:03] <Ayan_>	 lalalalalalal
[06:13:10] <Ayan_>	 xtreme typist.
[06:13:34] <Ayan_>	 hip hop the floor
[06:13:41] <Ayan_>	 on the floor
[06:13:47] <Ayan_>	 dance the nigh away
[06:54:52] <labs-nagios-wm>	 PROBLEM Disk Space is now: WARNING on nova-production1 nova-production1 output: DISK WARNING - free space: / 521 MB (5% inode=86%):
[09:24:52] <labs-nagios-wm>	 PROBLEM Disk Space is now: CRITICAL on nova-production1 nova-production1 output: DISK CRITICAL - free space: / 285 MB (2% inode=86%):
[15:00:21] <OrenBochman>	 petan: are you available for help with labs
[15:05:55] <OrenBochman>	 anyone knows labs ?
[15:20:36] <Damianz>	 Kinda
[15:20:45] <Damianz>	 But if it's the same issue I don't know window
[15:20:46] <Damianz>	 s
[20:08:57] <jeremyb>	 so, oren's not here and last i heard from him (above) was <OrenBochman> how do I get a wiki installation
[20:09:19] <jeremyb>	 i think the windows issues may be real but in several cases have been a red herring
[20:10:04] <jeremyb>	 e.g. he needed to find the right page on the wiki to use to create an instance. same page and same process there regardless of your OS or browser
[20:10:24] <jeremyb>	 and now, installing a wiki is also not related to what OS you're ssh'ing from
[20:12:27] <Ryan_Lane>	 I told him a bunch of times that he needed to create an instance
[20:12:39] <Ryan_Lane>	 I think he assumes everything is already set up for him
[20:12:47] <Ryan_Lane>	 though I told him that he'd have to do everything himself
[20:13:15] <jeremyb>	 Ryan_Lane: well i told him ~4x before it sunk in from me
[20:13:28] <jeremyb>	 (about creating an instance)
[20:14:01] <Ryan_Lane>	 yeah
[20:14:13] <jeremyb>	 i probably once knew but now i can't remember what his background is :(
[20:14:24] <Ryan_Lane>	 he doesn't know how to create an instance
[20:14:31] <Ryan_Lane>	 but there's documentation....
[20:14:37] <Ryan_Lane>	 people don't seem to like to read docs
[20:14:38] <jeremyb>	 he does now (I hope) because he did it)
[20:14:44] <Ryan_Lane>	 oh. did he?
[20:14:56] <jeremyb>	 he said he could ssh to it
[20:15:23] <jeremyb>	 at first it was just the console he was getting but he couldn't ssh? and then he could. i think
[20:15:33] <jeremyb>	 and certainly nagios was talking about it
[20:16:15] <Ryan_Lane>	 well, it takes a bit for the instance to finish building
[20:16:17] <jeremyb>	 is there a nova endpoint ppl can use directly or just via mediawiki?
[20:16:23] <Ryan_Lane>	 just mediawiki right now
[20:16:32] <Ryan_Lane>	 we're working on making the endpoint available as well
[20:16:45] <jeremyb>	 i was just thinking e.g. if i wanted console on a shell instead of over the web
[20:16:46] <Ryan_Lane>	 labsconsole does some stuff nova doesn't support uet
[20:16:58] <Ryan_Lane>	 eh?
[20:17:00] <Ryan_Lane>	 what do you mean?
[20:17:25] <Ryan_Lane>	 there's no console access right now on instances
[20:17:30] <Ryan_Lane>	 there really isn't much reason to have consoles
[20:17:34] <jeremyb>	 there's console history
[20:17:37] <Ryan_Lane>	 no one has the root password on the instances
[20:17:40] <Ryan_Lane>	 ooooohhhhh
[20:17:44] <Ryan_Lane>	 you mean you console log
[20:18:16] <Ryan_Lane>	 well, that's possible, but it would also give you access to create instances via the command line tools too, and that would be problematic
[20:18:34] <jeremyb>	 i've gotten that via shell from amazon's ec2. i think in fact that's the only way to do it? or i guess everything's an API client and an API client can have any human interface you want
[20:19:02] <jeremyb>	 why problematic? because no associated wiki page would be created?
[20:19:06] <Ryan_Lane>	 yeah, mediawiki is using the ec2 endpoint on behalf of you
[20:19:20] <Ryan_Lane>	 no DNS entry, no puppet configuration, no mediawiki page
[20:19:34] <jeremyb>	 oh
[20:19:44] <Ryan_Lane>	 those are the three things nova doesn't support yet
[20:19:50] <Ryan_Lane>	 we are working on the first right now
[20:19:54] <Ryan_Lane>	 puppet stuff is next
[20:19:58] <Ryan_Lane>	 then mediawiki pages
[20:20:11] <Ryan_Lane>	 mediawiki pages are likely doable without nova directly supporting it
[20:20:33] <Ryan_Lane>	 I could run a cron that would check to see if an instance existed that doesn't have a page, and create the page
[20:20:57] <Ryan_Lane>	 but lack of puppet and dns are problematic
[20:21:54] <jeremyb>	 anyway, notpeter is talking about (or already started?) some search puppetizing work and i'm also interested in search (both puppet side and also the stuff oren's doing)
[20:22:10] <Ryan_Lane>	 yeah. I told Oren to work with peter
[20:22:24] <jeremyb>	 well they've also chatted directly with eachother
[20:22:45] <Ryan_Lane>	 wow. bots has a ton of instances :D
[20:22:51] <jeremyb>	 hehe
[20:22:59] <jeremyb>	 that's my other question
[20:23:06] <Ryan_Lane>	 that sure sprouted up quick
[20:24:37] <jeremyb>	 Ryan_Lane: i set up http://wiki.debian.org/MeetBot on the wikimediadc server for a meeting but then i was thinking it would be good to have in other places (#-office, #-dev, #-au, etc.) what do you think about putting that on labs?
[20:24:56] <Ryan_Lane>	 it would be fine
[20:25:00] <Ryan_Lane>	 work with petan
[20:25:16] <Ryan_Lane>	 he and hyperon have been doing the bots stuff, mostly
[20:25:29] <jeremyb>	 can they add/remove ppl or only you?
[20:25:36] <Ryan_Lane>	 they can too
[20:25:46] <jeremyb>	 oh, cool (mild surprise)
[20:26:13] <Ryan_Lane>	 yeah, I want projects to be fairly self-sufficient
[20:26:23] <Ryan_Lane>	 it sucks to have to wait on ops for that kind of stuff
[20:26:44] <jeremyb>	 yeah, i just didn't know how far things had progressed
[20:26:59] <Ryan_Lane>	 that's always been a feature :)
[20:27:07] <jeremyb>	 hehe
[20:27:09] <Ryan_Lane>	 it was in the original design
[20:27:35] <Ryan_Lane>	 the idea is that people need ops very, very little for most things
[20:27:49] <Ryan_Lane>	 we control access to labs via bastion
[20:27:54] <jeremyb>	 so, for bots i'll talk to petan (i have to anyway, to learn how things are done there). for search, who do i talk to?
[20:28:15] <Ryan_Lane>	 oren and notpeter
[20:28:25] <jeremyb>	 okey
[20:28:37] <Ryan_Lane>	 remember with the bot, that labs is still closed beta
[20:28:54] <Ryan_Lane>	 we have occasional hiccups that may make your bot die
[20:29:07] <jeremyb>	 virt4? :)
[20:29:14] * jeremyb  is still trying to wrap his head around `ssh labs-mw1.pmtpa.wmflabs`

[20:29:28] <Ryan_Lane>	 I'm going change that documentation right now
[20:29:38] <jeremyb>	 is that supposed to be executed *on* bastion?
[20:30:06] <jeremyb>	 otherwise i don't get it. it's split view DNS right?
[20:30:22] <jeremyb>	 at any rate wmflabs ain't on the root servers :)
[20:30:23] <Ryan_Lane>	 not really
[20:30:51] <Ryan_Lane>	 if you make the request directly to the server, it'll return
[20:31:10] <Ryan_Lane>	 but wmflabs isn't a proper TLD, so of course it isn't going to return ;)
[20:31:45] <Ryan_Lane>	 dig @virt1.wikimedia.org bastion1.pmtpa.wmflabs
[20:32:16] <Damianz>	 Btw why do instances need a puppet page? Do you mean the page where you manage the instance (as I don't have any nova/reboot/vodo access)?
[20:32:19] <Ryan_Lane>	 we don't have zone transfers, but that's because the way we have DNS setup on the box it isn't possible
[20:32:19] <jeremyb>	 heh
[20:32:41] <Ryan_Lane>	 Damianz: instances need puppet configuration to build properly
[20:32:52] <Damianz>	 Err I mean mediawiki not puppet
[20:32:57] <Ryan_Lane>	 oh
[20:33:00] * Damianz  finds coffeee

[20:33:03] <Ryan_Lane>	 they don't actually *need* that
[20:33:06] <Ryan_Lane>	 but....
[20:33:16] <Ryan_Lane>	 it's how I track things properly
[20:33:33] <Ryan_Lane>	 for instance: https://labsconsole.wikimedia.org/wiki/Main_Page
[20:33:34] <jeremyb>	 then there will be a redlink in sematica results? or no row at all?
[20:33:42] <Ryan_Lane>	 the box on the main page tells me how much storage is allocated
[20:33:52] <Ryan_Lane>	 no row at all
[20:33:59] <Damianz>	 Ah
[20:34:08] <Ryan_Lane>	 the SMW results are important for us
[20:34:11] <Damianz>	 I thought that was just polled on a schedual from the api
[20:34:14] <Ryan_Lane>	 it's the only decent statistics we have
[20:34:21] <Ryan_Lane>	 nope. it's done on creation
[20:34:24] <Ryan_Lane>	 and modification
[20:34:35] <Damianz>	 That's a chunk of ram :D
[20:34:38] <Ryan_Lane>	 that's why we want to move that functionality to nova
[20:34:46] <Ryan_Lane>	 yeah, RAM is a limiting factor
[20:34:50] <Ryan_Lane>	 so is storage
[20:34:58] <Ryan_Lane>	 CPU I'm not terribly concerned with
[20:35:20] <Ryan_Lane>	 we have more storage allocated than is available, already
[20:35:28] <Damianz>	 I find disk speed to be quite limiting with ram for vms, for local storage anyway. Not sure on the io thoughput of gluster these days, I imagine quick as it can probably talk to multiple nodes.
[20:35:31] <Ryan_Lane>	 RAM is getting there
[20:35:46] <Ryan_Lane>	 every compute node is a gluster node
[20:35:59] <Ryan_Lane>	 and the compute nodes have raid10 for their storage
[20:36:03] <jeremyb>	 Ryan_Lane: http://www.statusq.org/archives/2008/07/03/1916/
[20:36:04] <Ryan_Lane>	 it should be relatively quick
[20:36:05] <Damianz>	 So you're replicating every image to every node?
[20:36:16] <Ryan_Lane>	 nah, it's gluster raid 1
[20:36:25] <Damianz>	 Ah
[20:36:36] <Ryan_Lane>	 I was told not to stripe
[20:36:36] <Damianz>	 So it's just instead of having a seperate storage cluster.
[20:36:48] <Ryan_Lane>	 yeah. we're going to have a separate storage cluster too
[20:36:52] <Ryan_Lane>	 but not for instance storage
[20:36:54] <Ryan_Lane>	 only for volume storage
[20:37:08] <Ryan_Lane>	 we'll be using less instance storage whenever we get volume storage anyway
[20:37:24] <jeremyb>	 you're using gluster already?
[20:37:29] * jeremyb  is confused

[20:37:31] <Ryan_Lane>	 jeremyb: yeah, it would be nice for us to use that
[20:37:38] <Ryan_Lane>	 the ssh proxycommand stuff
[20:37:41] <Ryan_Lane>	 yes, we have gluster
[20:37:47] <Damianz>	 Hmmm, have you considered using glusterfs' built in nfs stuff over the nfs vms? (If you're not allready)
[20:37:49] <Ryan_Lane>	 each compute node is running gluster
[20:38:06] <Ryan_Lane>	 well, I'd like to move away from NFS completely
[20:38:14] <Damianz>	 That would be cool too :P
[20:38:19] <Ryan_Lane>	 there's no reason every node can't have the gluster client stuff installed
[20:38:25] <Ryan_Lane>	 since they all support it
[20:38:38] <Ryan_Lane>	 so I'll just use glusterfs with autofs, like I'm doing with NFS right now
[20:39:06] <Ryan_Lane>	 I really need to make a labs mailing list
[20:39:11] * jeremyb  is still confused

[20:39:12] <jeremyb>	 hah
[20:39:18] <Ryan_Lane>	 I guess I have everyone's email address, but I hate to spam people
[20:39:32] <Ryan_Lane>	 jeremyb: how so?
[20:39:35] <jeremyb>	 make a list!
[20:39:46] <Ryan_Lane>	 yeah, will likely make a list
[20:39:49] <Damianz>	 You facy contributing to mailman day?
[20:39:59] <jeremyb>	 Damianz: MMLRD?
[20:40:01] <Damianz>	 Today *is* mailman day afterall
[20:40:20] <jeremyb>	 Ryan_Lane: where would gluster fit in on the client? what would be under gluster?
[20:41:00] <Ryan_Lane>	 jeremyb: ignoring our current use of gluster....
[20:41:20] <jeremyb>	 which i also don't know anything about
[20:41:31] <Damianz>	 All vm's hard disks are on gluster
[20:41:32] <Ryan_Lane>	 right now we have one instance, labs-nfs1, that shares home directories to all instances
[20:41:46] <Ryan_Lane>	 per-project, of course
[20:42:05] <Ryan_Lane>	 we are going to make a new glusterfs cluster soon
[20:42:08] <Ryan_Lane>	 whenever the hardware comes in
[20:43:02] <Ryan_Lane>	 so, we'll install the glusterfs client package on all instances
[20:43:28] <Ryan_Lane>	 and make the script I wrote make and share glusterfs volumes to the instances
[20:43:51] <Ryan_Lane>	 and mount the home directories via autofs like I'm doing with the NFS home directories right now
[20:44:20] <jeremyb>	 so, how will they access the underlying devices? what will the client do to execute a read or write? (e.g. is it over the network?)
[20:44:33] <Ryan_Lane>	 gluster mounts are just like nfs mounts
[20:44:37] <Ryan_Lane>	 except its distributed
[20:44:52] <jeremyb>	 maybe i'm thinking of a different filesystem
[20:44:54] <Ryan_Lane>	 so, if a gluster node goes down, the client requests go to the replica instead
[20:45:45] <Ryan_Lane>	 we are using gluster on the compute nodes right now just to store the instance's images
[20:45:48] <Damianz>	 Btw does gluster still have the need for you to stat everything in the volume if a node dies to get it back in sync? (which sucked for loads of small files or a few tb of them)
[20:45:52] <jeremyb>	 is there leader election?
[20:45:58] <Ryan_Lane>	 Damianz: I think so, es
[20:46:00] <Ryan_Lane>	 *yes
[20:46:21] <Ryan_Lane>	 jeremyb: I don't think there are leaders
[20:46:37] <Ryan_Lane>	 they all share some kind of index
[20:46:42] <Ryan_Lane>	 and they are all writable
[20:46:47] <hyperon>	 ah hello, what's up?
[20:46:56] <Ryan_Lane>	 hyperon: whoops. sorry for the ping
[20:46:59] <hyperon>	 did someone need something done on bots?
[20:47:12] <Ryan_Lane>	 jeremyb wanted to run a bot in the bots project
[20:47:35] <hyperon>	 ah ok. has it been dealt with?
[20:47:40] <Ryan_Lane>	 nope
[20:47:42] <jeremyb>	 no rush
[20:47:49] <Ryan_Lane>	 I wanted him to talk to you and pe tan
[20:47:51] <jeremyb>	 was for http://wiki.debian.org/MeetBot
[20:48:52] <hyperon>	 so it's an irc bot?
[20:49:01] <jeremyb>	 yes
[20:49:08] <jeremyb>	 let me fix it's rdns :)
[20:49:56] <hyperon>	 so i can set up an instance for it if you want
[20:50:18] <jeremyb>	 idk how things work
[20:50:28] <jeremyb>	 do ppl have multiple bots on the same instance?
[20:50:40] <Ryan_Lane>	 I'd like it to work that way at some point
[20:51:03] <hyperon>	 afaik it's one bot per instance so for
[20:51:03] <Ryan_Lane>	 I'd also like the database to be on real hardware
[20:51:04] <jeremyb>	 anyway, i'm happy with however you want
[20:51:14] <jeremyb>	 i expect it to be low resource use
[20:51:17] <Ryan_Lane>	 and the project storage to be in gluster volume storage, rather than NFS
[20:51:27] <Damianz>	 Ryan_Lane: Could we get real access to the wikipedia dbs too? :3
[20:51:30] <Ryan_Lane>	 but, we can work that way over time :)
[20:51:38] <Ryan_Lane>	 Damianz: that's the long term goal, yes
[20:51:52] <Ryan_Lane>	 slow and incremental steps are always best
[20:51:59] <hyperon>	 well we could create one instance for all the irc bots
[20:52:10] <Ryan_Lane>	 it's fine to have one per bot right now
[20:52:39] <Ryan_Lane>	 the bots project, right now, is really like the test/dev bots project
[20:52:48] <Ryan_Lane>	 at some point we'll want a "production" bots project
[20:52:56] <Ryan_Lane>	 where people don't have root
[20:53:10] <Ryan_Lane>	 changes happen in the test/dev one, then move to the "production" one
[20:53:21] <hyperon>	 isn't petan running a production enwiki bot on bots?
[20:53:25] <Ryan_Lane>	 yes
[20:53:25] <Damianz>	 I really should figure out deb control files and package cbng and move it's management to upstart/systemd/w/e ubuntu is using over supervisor and make it more generic rather than me being the only one knowing how to setup/fix it but some of that's gonna be a rewrite :(
[20:53:31] <Damianz>	 hyperon: So am I :P
[20:53:33] <Ryan_Lane>	 a couple people are
[20:53:46] <Damianz>	 You know that feeling when you have so much crap to do but like only 366days in the year
[20:53:53] <Ryan_Lane>	 Damianz: that would be cool
[20:53:59] <Ryan_Lane>	 I'd love to have all the bots debianized
[20:54:11] <jeremyb>	 Damianz: what is "it"?
[20:54:22] <Damianz>	 ?
[20:54:36] <Damianz>	 If you mean the bot, cbng
[20:54:46] <jeremyb>	 oh
[20:54:48] <Ryan_Lane>	 if all bots were debianized, we could install them on all of the bots nodes, then control where they run via puppet
[20:54:54] <jeremyb>	 i thought that was some kind of typo
[20:55:07] <Ryan_Lane>	 we could monitor the load of the instances via ganglia to see if we need to move bots around
[20:55:12] <jeremyb>	 ohhh, cluebot i guess
[20:55:14] <Ryan_Lane>	 or create new instances
[20:55:14] <Damianz>	 :D
[20:55:26] <Damianz>	 That would be cool
[20:55:38] <Ryan_Lane>	 it would be good for bot authors to have two accounts for their bots on wikis
[20:55:39] <jeremyb>	 Ryan_Lane: SGE? :-)
[20:55:47] <Ryan_Lane>	 <bot> and <bot>-testing
[20:55:51] <Ryan_Lane>	 or something like that
[20:56:07] <Damianz>	 I need to re-write certain parts so they don't screw up on restarting but everything can be packaged up apart from mysql. Actaully using mysql makes it easy to move the produciton bot around but with that said...
[20:56:11] <Ryan_Lane>	 so they can test their bot and know which bot is doing what
[20:56:33] <Damianz>	 Ryan_Lane: You know what petan was talking about queue wise - that would make it a LOT easier to shift bots around as currently restarting most loose a lot of data.
[20:56:39] <Ryan_Lane>	 Damianz: just make the mysql part configurable :)
[20:56:49] <Ryan_Lane>	 yep
[20:56:50] <Ryan_Lane>	 agreed
[20:56:55] <hyperon>	 jeremyb: i'm going to go grab lunch and i'll see about creating instances for the MeetBot if you'd like
[20:57:10] <Ryan_Lane>	 well, if you guys add jeremyb to the project, he can create his own
[20:57:20] <Ryan_Lane>	 I guess it needs access to the NFS storage, though
[20:57:27] <jeremyb>	 hyperon: sure. i'll be off and on todady (no big plans but i'll be eating at some point etc)
[20:57:37] <jeremyb>	 today*
[20:57:51] <hyperon>	 ah right, i'll add him to the project
[20:58:02] <Ryan_Lane>	 also add him as sysadmin and netadmin
[20:58:22] <Ryan_Lane>	 I should really add a dialog to add-project member that allows you to do that at the same time
[20:58:43] <hyperon>	 jeremyb: is your account called jeremyb on bots?
[20:58:55] <Ryan_Lane>	 oh. right
[20:59:00] <jeremyb>	 hyperon: s/bots/labs/ but yet
[20:59:02] <Ryan_Lane>	 the web interface uses the wiki name
[20:59:19] <Damianz>	 Imo setting the wiki+ldap username to the same would save a lot of confusion :PO
[20:59:39] <Ryan_Lane>	 yeah, but I was specifically asked to let people have different wiki names
[20:59:58] <Ryan_Lane>	 I guess I could make the dialogs accept either
[21:00:02] <Ryan_Lane>	 since they are both unique
[21:00:25] <Ryan_Lane>	 that's going to take some code refactoring, though :)
[21:00:53] <Damianz>	 The real confusing one is gerrit :( Which btw seems to only let me login if I'm logged into labsconsole.
[21:00:54] <Ryan_Lane>	 I should also display the shell names and wiki names in the dialogs too
[21:01:07] <Ryan_Lane>	 wiki name (shell name) <- like that
[21:01:07] <labs-home-wm>	 01/01/2012 - 21:01:06 - Creating a home directory for jeremyb at /export/home/bots/jeremyb
[21:01:25] * Damianz  pats labs-morebots and offers her a cookie

[21:01:32] <Ryan_Lane>	 Damianz: eh? really? you should be able to log into gerrit without logging into labsconsole
[21:01:44] <Ryan_Lane>	 they aren't linked at all, except for the fact that they both use ldap
[21:02:05] <Ryan_Lane>	 hmm. going to enter some bugs :)
[21:02:07] <labs-home-wm>	 01/01/2012 - 21:02:07 - Updating keys for jeremyb
[21:02:34] <Ryan_Lane>	 soon you guys will be able to modify puppet configuration :)
[21:02:48] <Ryan_Lane>	 meaning the puppet config in the instance configuration dialog
[21:02:51] <hyperon>	 jeremyb: alright, account has been made for you on bots with netadmin and sysadmin permissions
[21:02:54] <Ryan_Lane>	 so that you can add your own variables and classes
[21:02:54] <jeremyb>	 01 20:29:14  * jeremyb is still trying to wrap his head around `ssh labs-mw1.pmtpa.wmflabs`
[21:02:57] <jeremyb>	 01 20:29:38 < jeremyb> is that supposed to be executed *on* bastion?
[21:03:06] <Damianz>	 yes
[21:03:10] <Ryan_Lane>	 jeremyb: look at the documentation now
[21:03:15] <jeremyb>	 i saw your edits to [[access]] but it's still not clear
[21:03:19] <Ryan_Lane>	 bastion is a bastion host
[21:03:22] * jeremyb  will change it

[21:03:26] <Ryan_Lane>	 why change it?
[21:03:29] <Reedy>	 Would be awesome if we had the wmflabs TLD ;)
[21:03:37] <Ryan_Lane>	 Reedy: heh
[21:03:38] <Ryan_Lane>	 indeed
[21:03:42] <Reedy>	 and ipv6
[21:03:45] <Damianz>	 Hmm actually it seems to work now, wasn't last week and someone elses commented on it only working when logged into labs =/
[21:03:48] * Damianz  shrugs

[21:03:53] <Ryan_Lane>	 it would be even better if we had the wmlabs tld. I'm not a big fan of wmflabs
[21:04:02] <jeremyb>	 heh
[21:04:08] <jeremyb>	 and wmnet?
[21:04:13] <Ryan_Lane>	 we got wmflabs because wmlabs.com and wmlabs.net were taken
[21:04:21] <Ryan_Lane>	 nah wmnet is internal
[21:04:29] <Ryan_Lane>	 and always should be :)
[21:05:45] <Damianz>	 Alien converts an RPM package file into a Debian package file or Alien can install an RPM file directly. < This is so going to save me working out debian/*
[21:06:29] <jeremyb>	 Ryan_Lane: look at [[access]] now
[21:07:00] <Damianz>	 urgh
[21:07:16] <Ryan_Lane>	 !access
[21:07:16] <wm-bot>	 https://labsconsole.wikimedia.org/wiki/Access#Accessing_public_and_private_instances
[21:07:22] <Damianz>	 You know people are going to copy workstation $ then complain it breaks
[21:07:29] <Ryan_Lane>	 ah ok
[21:07:35] <Ryan_Lane>	 yep
[21:07:39] <Damianz>	 Well they are if they couldn't work it out before
[21:07:50] <jeremyb>	 Damianz: *i* didn't get it before
[21:08:06] <jeremyb>	 we could color code differnt pieces
[21:08:21] <jeremyb>	 and tell people which colors to type
[21:09:05] <jeremyb>	 different*
[21:09:25] <Ryan_Lane>	 Ok I edited it again
[21:09:27] <jeremyb>	 anyway, i'll set up my own proxycmd stuff and then put that on wiki too
[21:11:12] <Ryan_Lane>	 jeremyb wasn't the only person that was confused by the documentation
[21:11:14] <Ryan_Lane>	 this is clearer
[21:12:16] <hyperon>	 ...i really should finish puppetizing that other irc bot
[21:12:27] <hyperon>	 i finished but i never got git to work with gerrit
[21:12:59] <Damianz>	 I really should figure out how we are using nagios and delete/re-do my gerrit ticket
[21:15:02] <jeremyb>	 so, i logged out and back in. https://labsconsole.wikimedia.org/wiki/Special:NovaInstance doesn't say anything about creating an instance
[21:15:12] <Ryan_Lane>	 hyperon: well, push it to the test repo, and I'll code review it
[21:15:25] <Ryan_Lane>	 hmm
[21:15:28] <Ryan_Lane>	 lemme check your groups
[21:17:19] <Ryan_Lane>	 jeremyb: ok, it'll show up now
[21:17:25] <Ryan_Lane>	 you needed to be added to the global groups
[21:18:19] <hyperon>	 to get into labs we still ssh into bastion, right?
[21:18:25] <jeremyb>	 Ryan_Lane: oh, also bastion's pub key print should be published somewhere so i can verify it
[21:18:46] <Ryan_Lane>	 there's an open bug on that
[21:18:48] <Ryan_Lane>	 hyperon: yep
[21:19:42] <hyperon>	 hmm
[21:19:45] <Ryan_Lane>	 I'm more than happy to take patches for openstackmanager on the ssh fingerprint issue :)
[21:19:55] <Ryan_Lane>	 I can even give access to the testing instance. heh
[21:19:58] <hyperon>	 bastion.wmflabs.org, right?
[21:20:02] <Ryan_Lane>	 yep
[21:20:17] <jeremyb>	 Ryan_Lane: bastion in particular should just be hardcoded on a protected page for now
[21:20:29] <jeremyb>	 Ryan_Lane: that's the one that actually needs checking
[21:20:40] <Ryan_Lane>	 jeremyb: it can be on the "manage instances" 
[21:20:59] <Ryan_Lane>	 I can also just namespace protect all of the Nova_Resource namespace
[21:21:28] <jeremyb>	 hah
[21:23:07] <labs-home-wm>	 01/01/2012 - 21:23:07 - Updating keys for hyperon
[21:23:09] <labs-home-wm>	 01/01/2012 - 21:23:09 - Updating keys for hyperon
[21:23:11] <jeremyb>	 Ryan_Lane: i've not really been able to understand exactly what glance is for but do we use it or are we considering?
[21:23:19] <Ryan_Lane>	 we use glance
[21:23:27] <Ryan_Lane>	 only because it's required to use nova
[21:23:29] <jeremyb>	 does this labs-home-wm stuff get logged somewhere?
[21:23:34] <jeremyb>	 oh, hah
[21:23:41] <Ryan_Lane>	 otherwise I could give not a crap about glance
[21:23:56] <petan>	 hyperon: need help?
[21:24:07] <labs-home-wm>	 01/01/2012 - 21:24:06 - Updating keys for hyperon
[21:24:08] <petan>	 you inserted someone to bots project?
[21:24:08] <labs-home-wm>	 01/01/2012 - 21:24:08 - Updating keys for hyperon
[21:24:19] <Ryan_Lane>	 jeremyb has been added to it
[21:24:29] <Ryan_Lane>	 jeremyb: meh. no need to log it
[21:24:30] <petan>	 there is a script we need to run on nfs server
[21:24:33] <petan>	 I will do that
[21:24:51] <Ryan_Lane>	 jeremyb: it's just informational messages
[21:25:07] <jeremyb>	 Ryan_Lane: sure but sometimes you're not in the channel
[21:25:08] <Ryan_Lane>	 jeremyb: the wiki's recentchanges page logs the important part
[21:25:16] <hyperon>	 wow i was doing dumbness
[21:25:29] <jeremyb>	 not so much an issue for me because i'm always here :)
[21:25:44] <jeremyb>	 what are these security groups?
[21:25:48] <petan>	 done
[21:26:02] <jeremyb>	 i'll visit [[Special:NovaSecurityGroup]]
[21:26:09] <Ryan_Lane>	 jeremyb: https://labsconsole.wikimedia.org/w/index.php?title=Nova_Resource:Bots&curid=308&diff=1076&oldid=906&rcid=1242
[21:26:16] <Ryan_Lane>	 !log securitygroup
[21:26:16] <labs-morebots>	 Message missing. Nothing logged.
[21:26:22] <Ryan_Lane>	 !securitygroups
[21:26:26] <petan>	 !log bots added jeremyb to nfs
[21:26:27] <labs-morebots>	 Logged the message, Master
[21:26:28] <hyperon>	 Ryan_Lane: where is the running instance of morebots?
[21:26:28] <Ryan_Lane>	 !securitygroup
[21:26:37] <Ryan_Lane>	 hyperon: either bots-1 or bots-2
[21:26:43] <Ryan_Lane>	 !security
[21:26:43] <wm-bot>	 https://labsconsole.wikimedia.org/wiki/Security_Groups
[21:26:46] <Ryan_Lane>	 heh
[21:27:05] <Ryan_Lane>	 jeremyb: they are firewalls
[21:27:12] <jeremyb>	 yeah, i know
[21:27:21] <jeremyb>	 i just didn't know what the ones i was offered were
[21:27:37] <hyperon>	 do i need to do something after i update my ssh keys?
[21:27:40] <Ryan_Lane>	 eww. I need to fix the project page's infobox
[21:27:58] <Ryan_Lane>	 it should put members into an unordered list
[21:28:04] <Ryan_Lane>	 hyperon: nah
[21:28:09] <jeremyb>	 what's the deal with not allowing group changes after instance creation?
[21:28:15] <Ryan_Lane>	 hyperon: notice that the bot showed your keys changing
[21:28:25] <Ryan_Lane>	 jeremyb: it's an EC2 limitation
[21:28:44] <hyperon>	 hyperon@bastion1:~$ ssh hyperon@bots-1
[21:28:45] <Ryan_Lane>	 I need to see if the openstack api removes that limitation
[21:28:47] <hyperon>	 Permission denied (publickey).
[21:28:49] <Ryan_Lane>	 because it's *really* annoying
[21:28:56] <Ryan_Lane>	 hyperon: did you forward your key?
[21:29:02] <Ryan_Lane>	 err
[21:29:05] <Ryan_Lane>	 your agent
[21:29:38] <hyperon>	 not after i updated my keys, no
[21:29:55] <jeremyb>	 Ryan_Lane: do these instances lose their data on boot? do they stop existing immediately on shutdown?
[21:31:38] <Ryan_Lane>	 hyperon: after you update your key, you need to add the new one to your agent
[21:31:51] <Ryan_Lane>	 jeremyb: no. they are persistent
[21:31:59] <Ryan_Lane>	 jeremyb: if you reboot it, it'll still have its data
[21:32:05] <jeremyb>	 amazing!
[21:32:11] <jeremyb>	 how un-ec2 like
[21:32:18] <Ryan_Lane>	 if the underlying hardware dies, it'll also still have its data
[21:32:22] <Damianz>	 ec2 can be persistent
[21:32:33] <Ryan_Lane>	 ec2 can only be persistent if you use EBS volumes
[21:32:37] <Damianz>	 Ryan_Lane just won't demand x $ per month
[21:32:48] <Damianz>	 Welll unless it's poker night anyway
[21:32:53] <Ryan_Lane>	 it's a PITA to use EBS volumes
[21:33:12] <Ryan_Lane>	 also EBS is unreliable
[21:33:20] <Damianz>	 I really hate ec2 charge for ips and change the ip on reboot
[21:33:46] <jeremyb>	 ewww, they change it on boot?
[21:33:50] <Ryan_Lane>	 I want our infrastructure to be resilient, so volume storage is completely separate from instance storage
[21:33:56] <Ryan_Lane>	 that's kind of nasty
[21:34:00] <Ryan_Lane>	 ours don't change on reboot
[21:34:07] <Ryan_Lane>	 one an IP is assigned, it stays that way
[21:34:12] <Ryan_Lane>	 until the instance is terminated
[21:34:20] <jeremyb>	 Ryan_Lane: have you seen the ec2 gov region?
[21:34:25] <Ryan_Lane>	 eh?
[21:34:41] <Ryan_Lane>	 what's that?
[21:35:21] <jeremyb>	 http://aws.amazon.com/govcloud-us/
[21:37:30] <Damianz>	 o.0
[21:37:57] <Damianz>	 Who the fu** would give "sensitive" workloads to amazon, quick someone from wikileaks bribe a sysadmin.
[21:38:14] <Reedy>	 I think Ryan changed jobs to get away from shit like that :p
[21:38:18] <Ryan_Lane>	 heh
[21:39:44] <Ryan_Lane>	 the instance's storage is likely encrypted
[21:40:00] <Ryan_Lane>	 they likely have audit daemons that log to central log servers
[21:40:08] <Ryan_Lane>	 where the central log servers log to each other
[21:41:31] <jeremyb>	 is Ryan having fun?
[21:41:45] <Ryan_Lane>	 openstack is looking at adding support for trusted computing, where instances are signed and controlled via the TPM
[21:42:02] <jeremyb>	 uhuh
[21:42:27] <Ryan_Lane>	 so, you could launch agency A's instances and they'd only run on hardware cluster A
[21:43:27] <Ryan_Lane>	 there's also some selinux integration with TPM, so you could run agency A's instances and agency B's instances on the same hardware, and selinux's MLS would run them in different security contexts
[21:43:39] <Ryan_Lane>	 the TPM chip would enforce the selinux contexts
[21:48:52] <jeremyb>	 Ryan_Lane: any reason not to add proxycmd to the wiki now? i just tested it
[21:49:10] <Ryan_Lane>	 does it work for all internal instances?
[21:49:13] <Ryan_Lane>	 sure, go for it
[21:49:31] <jeremyb>	 i just ran `ssh bots-irc1.pmtpa.wmflabs` locally and it worked
[21:49:33] <jeremyb>	 idk about all
[21:49:55] <jeremyb>	 it's only pmtpa for now. will need update for other DCs (none other exist atm, right?)
[21:50:04] <Ryan_Lane>	 none others exist right now
[21:59:36] <jeremyb>	 Ryan_Lane: take a look
[22:00:11] <jeremyb>	 i'm not certain about the placement of User because i only have a shell with the same name as labs shell name handy
[22:00:14] <jeremyb>	 but i think it's right
[22:00:30] <Ryan_Lane>	 !access
[22:00:30] <wm-bot>	 https://labsconsole.wikimedia.org/wiki/Access#Accessing_public_and_private_instances
[22:00:55] <Ryan_Lane>	 I think you need to use agent forwarding for this too
[22:01:00] <jeremyb>	 i'm not
[22:01:09] <jeremyb>	 and i don't see why you would
[22:11:49] <Amgine>	 jeremyb: InnoDB
[22:12:11] <Ryan_Lane>	 stupid internet connection
[22:12:23] <Ryan_Lane>	 jeremyb: anyway, you need to have an agent configured, at minimum
[22:12:46] <Ryan_Lane>	 I just made the documentation a little better :)
[22:12:57] <jeremyb>	 Amgine: check *all* the tables...
[22:13:19] <jeremyb>	 Ryan_Lane: well how do you explain me getting in without one?
[22:13:27] <Ryan_Lane>	 I dunno. I couldn't
[22:13:28] <Ryan_Lane>	 oh
[22:13:29] <Ryan_Lane>	 I know
[22:13:48] <Ryan_Lane>	 my keyname isn't a default keyname
[22:14:07] <Ryan_Lane>	 so, without an agent, I used -i <keyname>
[22:14:11] <Ryan_Lane>	 and that wasn't passed through
[22:16:13] <Amgine>	 jeremyb: table hitcounter is MEMORY, else all are InnoDB
[22:17:03] <Ryan_Lane>	 jeremyb: ok. updated to note that you need an agent if you are using a non-default key
[22:17:21] <jeremyb>	 Ryan_Lane: you can set the key path in the ocnfig
[22:17:23] <jeremyb>	 config*
[22:17:37] <Ryan_Lane>	 true
[22:17:47] <jeremyb>	 Amgine: this isn't really relevant for here... i was bringing you here to talk search (eventually, no one is here)
[22:21:30] <Ryan_Lane>	 setting identityfile doesn't seem to help
[22:21:51] <Ryan_Lane>	 I take that back
[22:21:57] <Ryan_Lane>	 it does
[22:23:49] <jeremyb>	 i just did `SSH_AGENT_PID= SSH_AUTH_SOCK= ssh bots-irc1.pmtpa.wmflabs` and it worked. had to enter passphrase twice but it worked
[22:24:19] <Ryan_Lane>	 it's working fine
[22:24:19] <jeremyb>	 the only issue i see is 'Killed by signal 1.' every time i quit
[22:24:37] <jeremyb>	 even with `ssh host echo foo`
[22:25:21] <Ryan_Lane>	 I also see echo foo
[22:25:46] <jeremyb>	 do you see Killed by signal 1. ?
[22:26:03] <Ryan_Lane>	 yes
[22:26:11] <Ryan_Lane>	 ooooo. sweet
[22:26:11] <Ryan_Lane>	 IdentitiesOnly yes
[22:27:06] <jeremyb>	 ooh, i like it
[22:27:19] <Ryan_Lane>	 I can use a single agent for both labs and production with that option
[22:27:29] <Ryan_Lane>	 and it'll ensure I don't forward my agent
[22:27:31] <Ryan_Lane>	 wait
[22:27:32] <Ryan_Lane>	 maybe not
[22:27:37] <Ryan_Lane>	 I should test that
[22:27:54] <jeremyb>	 agent forwarding is off by default
[22:28:03] <Ryan_Lane>	 I know
[22:28:16] <Ryan_Lane>	 I forward my agent, then use screen
[22:28:47] <jeremyb>	 you could explicitly `ForwardAgent off`
[22:29:02] <jeremyb>	 screen on bastion1?
[22:29:17] <Ryan_Lane>	 but I *want* forwarding in labs ;)
[22:29:27] <Ryan_Lane>	 I like to keep my screen sessions open on bastion1
[22:29:47] <Ryan_Lane>	 damn
[22:29:50] <Ryan_Lane>	 it forwards both
[22:30:25] <jeremyb>	 don't want screen per host?
[22:31:27] <jeremyb>	 `ssh -t ${host} screen -Ux -d -RR -e ^${newcontrolchar}a`
[22:31:56] <Ryan_Lane>	 hmm. that would work...
[22:32:06] <Ryan_Lane>	 wait
[22:32:06] <Ryan_Lane>	 no
[22:32:09] <Ryan_Lane>	 I don't want that :)
[22:32:15] <Ryan_Lane>	 that would be a pain
[22:32:19] <Ryan_Lane>	 I want one screen
[22:32:48] * jeremyb  chuckles

[22:38:34] <jeremyb>	 Ryan_Lane: so, do i have convert to the nc method? :)
[22:38:51] <Ryan_Lane>	 eh? what do you mean?
[22:39:19] <jeremyb>	 i guess it doesn't really matter with you using screen
[22:39:31] <Ryan_Lane>	 you can use either or
[22:39:37] <Ryan_Lane>	 I prefer agent forwarding
[22:40:06] <Ryan_Lane>	 I like to be able to reconnect to my sessions, if my connection dies
[22:40:27] <Ryan_Lane>	 without having a million screens open
[22:40:29] <jeremyb>	 how is that related to ssh forwarding?
[22:40:30] <Ryan_Lane>	 err
[22:40:37] <Ryan_Lane>	 terminal windows or windows open
[22:40:52] <jeremyb>	 err, agent forwarding*
[22:41:07] <Ryan_Lane>	 if my connection dies, and I use the proxycommand thing, with screens, then I have to have a tab open for each one
[22:41:25] <Ryan_Lane>	 to reconnect to them
[22:41:39] <Ryan_Lane>	 hmm.
[22:41:40] <Ryan_Lane>	 wai
[22:41:41] <Ryan_Lane>	 wait
[22:41:53] <Ryan_Lane>	 I wonder if screen would work without forwarding with the proxycommand way
[22:43:08] <jeremyb>	 nope
[22:43:36] <Ryan_Lane>	 yeah. that's not gonna work ten
[22:43:37] <Ryan_Lane>	 *then
[22:44:28] <jeremyb>	 with proxycommand the only things running on bastion are nc and ssh to bastion. no ssh to the inside host. with screen you need ssh running from bastion to inside host
[22:44:38] <Ryan_Lane>	 yeah
[22:45:47] <Ryan_Lane>	 proxycommands are still useful for scp and such, though
[22:46:21] <jeremyb>	 ooh, i wonder if that works
[22:46:26] <Ryan_Lane>	 it does
[22:46:28] <Ryan_Lane>	 I just tried it
[22:48:41] <Ryan_Lane>	 I just changed the config to work for pmtpa and eqiad, too :)
[22:48:54] <Ryan_Lane>	 Host *.*.wmflabs
[22:49:08] <jeremyb>	 i'd change it back
[22:49:11] <jeremyb>	 different bastion
[22:49:12] <jeremyb>	 i bet
[22:49:28] <Ryan_Lane>	 ah. true
[22:49:29] <jeremyb>	 unless we know the bastion hostname now :)
[22:49:50] <jeremyb>	 i left it out intentionally
[22:51:23] <Ryan_Lane>	 added in one for eqiad
[22:51:32] <Ryan_Lane>	 we'll just name it bastion1.eqiad.wmflabs
[22:51:40] <Ryan_Lane>	 and its public name will be bastion2
[22:52:14] <Ryan_Lane>	 it'll be possible to access any instance from either of them
[22:52:25] <Ryan_Lane>	 it's just a secondary for the purposes of having a secondary
[22:52:37] <jeremyb>	 ok, we're omnisiscient
[22:52:56] <jeremyb>	 :)
[22:53:19] <Ryan_Lane>	 obviously it'll be faster using bastion.wmflabs.org for pmtpa and bastion2.wmflabs.org for eqiad
[22:53:25] <Ryan_Lane>	 but not *that* much faster
[22:54:10] <jeremyb>	 wtf. i just opened my config and found this. whooops!
[22:54:11] <jeremyb>	 > ProxyCommand ssh -e none bastion1.pmtpa.wmflabs exec nc -w 40 -w 40 -w 40 -w 40 -w 40 -w 40 -w 40 -w 40 -w 40 %h %p
[22:54:19] <Ryan_Lane>	 o.O
[22:54:27] <Ryan_Lane>	 wtf is that?
[22:54:58] <jeremyb>	 i must have hit a digit before hitting 'i-w 40<esc>'
[22:55:04] <Ryan_Lane>	 heh
[22:55:10] <Ryan_Lane>	 I changed the docs to use 36000
[22:55:13] <Ryan_Lane>	 err
[22:55:14] <Ryan_Lane>	 3600
[22:55:15] <Ryan_Lane>	 one hour
[22:55:20] <jeremyb>	 yeah, i saw
[22:55:23] <Ryan_Lane>	 otherwise you are going to get logged out after 40 seconds
[22:55:35] <jeremyb>	 i think it's timeout not total time
[22:56:00] <Ryan_Lane>	 right
[22:56:01] <jeremyb>	 yeah
[22:56:11] <Ryan_Lane>	 I mean after 40 seconds of inactivity
[22:56:12] <jeremyb>	 anyway, i can know to tweak that
[22:56:16] <Ryan_Lane>	 which is really short
[22:56:17] <jeremyb>	 other ppl, who knows
[22:56:44] <jeremyb>	 well in the top of my config i have
[22:56:44] <jeremyb>	 Host *
[22:56:44] <jeremyb>	 ServerAliveInterval 12
[22:56:44] <jeremyb>	 ServerAliveCountMax 4
[22:57:04] <jeremyb>	 so, something's wrong if there's no activity for that long
[22:57:43] <jeremyb>	 (that's what you need to get ssh out of the NYPL iirc. kaldari probably still has it in his config :) )
[22:58:03] <Ryan_Lane>	 ssh out of NYPL? eh?
[22:58:12] <jeremyb>	 new york public library
[22:58:19] <jeremyb>	 that's where glamcamp was
[22:58:20] <Ryan_Lane>	 ah
[22:58:53] <jeremyb>	 i've tweaked it for a few different odd places
[23:01:56] <jeremyb>	 Ryan_Lane: edited again
[23:02:24] <Ryan_Lane>	 ah. cool
[23:04:41] <jeremyb>	 so is there any kind of per project central host?
[23:05:06] <Ryan_Lane>	 no
[23:05:24] <Ryan_Lane>	 that would use too many instances
[23:05:30] <Ryan_Lane>	 we have 32 projects right now
[23:05:45] <jeremyb>	 i thought to do puppet stuff with or something
[23:05:51] <jeremyb>	 where's the puppetmaster?
[23:05:58] <Ryan_Lane>	 virt1.wikimedia.org
[23:06:05] <jeremyb>	 huh
[23:06:11] <Ryan_Lane>	 we are looking at changing how this works
[23:06:17] <Ryan_Lane>	 right now all instances only use one git branch
[23:06:18] <Ryan_Lane>	 test
[23:06:27] <Ryan_Lane>	 we want all project to have their own branch
[23:08:18] <Ryan_Lane>	 maybe we'll have some manifests pulled from a centralized branch, so that we can still push code updates when we need to
[23:08:37] <Ryan_Lane>	 hmm
[23:08:40] <Ryan_Lane>	 nah. that could cause conflicts
[23:39:20] <jeremyb>	 bbl