[00:01:28] <Jews>	 and as for security rules?
[00:01:54] <Ryan_Lane>	 security groups are firewall rules
[00:02:09] <Jews>	 I knew that
[00:02:10] <Ryan_Lane>	 basics of labs is that you can only use it for wikimedia related purposes
[00:06:28] <Jews>	 So I make a rule with 80 as the port, and incoming connections will be accepted on it?
[00:07:10] <Jews>	 (I'm sorry, I'm new to OpenStack and the like.)
[00:07:15] * Ryan_Lane  nods

[00:07:19] <Ryan_Lane>	 CIDR should be 0.0.0.0/0
[00:07:25] <Ryan_Lane>	 protocol should be tcp
[00:07:30] <Ryan_Lane>	 from 80 to 80
[00:07:45] <Jews>	 Thanks
[00:07:48] <Ryan_Lane>	 yw
[00:09:13] <andrewbogott>	 Ryan_Lane, where does nova-manage look for my admin password?
[00:09:28] <Ryan_Lane>	 nova-manage?
[00:09:33] <Ryan_Lane>	 umm
[00:09:43] <Ryan_Lane>	 I thought nova-manage doesn't take credentials at all
[00:09:57] <andrewbogott>	 I am trying to create a project.  It's failing, and the logfile says 'INVALID_CREDENTIALS'
[00:10:05] <Ryan_Lane>	 ah
[00:10:10] <andrewbogott>	 #nova-manage project create --project demo --user andrew
[00:10:29] <Ryan_Lane>	 if it is talking to ldap, then it's the LDAP configuration in nova.conf that needs to be fixed
[00:13:14] <andrewbogott>	 ldap_password in nova.conf looks right to me.  But, could be my ldap is still screwed up.
[00:13:31] <Ryan_Lane>	 can you do an ldap search against it manually using the credentials?
[00:15:37] <labs-nagios-wm>	 PROBLEM host: simplewikt is DOWN address: simplewikt PING CRITICAL - Packet loss = 100%
[00:15:37] <labs-nagios-wm>	 RECOVERY dpkg-check is now: OK on diablo-n-gluster diablo-n-gluster output: All packages OK
[00:20:08] <andrewbogott>	 hm... indeed, ldap is broken.  "SASL(-4): no mechanism available"
[00:20:30] <Ryan_Lane>	 use -x
[00:20:36] <Ryan_Lane>	 which is simple, rather than SASL
[00:21:04] <Jews>	 Ugh!
[00:21:16] <Ryan_Lane>	 Jews: ?
[00:21:26] <Jews>	 Not talking to you
[00:21:31] <andrewbogott>	 Ah, ok, that gets me a normal 'Invalid credentials"
[00:21:53] <Ryan_Lane>	 Jews: why not? did I do something to offend you?
[00:21:58] <Jews>	 No.
[00:21:59] * Ryan_Lane  likes trolling

[00:22:08] <Jews>	 lol :)
[00:23:14] <Jews>	 instance is timing out
[00:23:35] <Jews>	 stuck on pending... lol
[00:23:44] <Ryan_Lane>	 sometimes it takes a bit
[00:23:55] <Ryan_Lane>	 unless the system ran out of memory
[00:24:19] <Jews>	 k
[00:24:52] <Ryan_Lane>	 hmm. I need to more move instances to virt0
[00:24:59] <Ryan_Lane>	 err. virt1
[00:25:41] <Ryan_Lane>	 well, virt2 is reporting only about 1GB of memory left
[00:26:08] <Ryan_Lane>	 which instance is showing as pending/
[00:26:20] <Ryan_Lane>	 oh
[00:26:24] <Ryan_Lane>	 you mean this page?
[00:26:29] <Ryan_Lane>	 !instance I-00000148
[00:26:29] <wm-bot>	 https://labsconsole.wikimedia.org/wiki/Help:Instances
[00:26:33] <Jews>	 yes
[00:26:33] <Ryan_Lane>	 bah
[00:26:43] <Ryan_Lane>	 that's because that attribute doesn't properly get updated
[00:26:54] <Ryan_Lane>	 @instance
[00:27:01] <Ryan_Lane>	 @search instance
[00:27:01] <wm-bot>	 Results (found 4): instancelist, instance-json, access, instance, 
[00:27:12] <Ryan_Lane>	 !resource I-00000148
[00:27:18] * Ryan_Lane  rolls his eyes

[00:27:26] <Ryan_Lane>	 the instance list shows running
[00:28:06] <Jews>	 Timed out for me some time ago\
[00:28:27] <Jews>	 still timing out
[00:28:38] <Ryan_Lane>	 did you reboot it?
[00:28:51] <Jews>	 i'll try
[00:28:56] <Ryan_Lane>	 no. don't
[00:28:58] <Ryan_Lane>	 I was asking
[00:29:08] <Jews>	 already did
[00:29:14] <Jews>	 It might help
[00:29:41] <Jews>	 yep. :O
[00:29:59] <Ryan_Lane>	 well, I still can't ping it
[00:30:07] <Ryan_Lane>	 did you remove rules from the default security group?
[00:30:10] <Jews>	 I just deleted it
[00:30:16] <Jews>	 I didn't, I added rules
[00:30:25] <Ryan_Lane>	 why delete it?
[00:31:03] <Ryan_Lane>	 what made it die all of a sudden?
[00:31:19] <Jews>	 my reboot
[00:31:25] <Ryan_Lane>	 it came back up
[00:31:32] <Ryan_Lane>	 it wasn't replying to ping
[00:31:47] <Jews>	 Meh, I'm confused.
[00:32:00] <andrewbogott>	 Ryan_Lane:  I'm still jabbing at ldap but, meanwhile -- it occurs to me that I probably need some mysql stuff installed as well.  Do you know which classes I need for nova?
[00:32:09] <Jews>	 Ah, now I see
[00:32:10] <Ryan_Lane>	 so, before, when I asked if you had rebooted, had you *already* rebooted?
[00:32:19] <Jews>	 port 22 is not opened and all that fun stuff
[00:32:25] <Ryan_Lane>	 it should be
[00:32:28] <Jews>	 fixing
[00:32:35] <Ryan_Lane>	 it's open....
[00:32:50] <Ryan_Lane>	 the default security group has port 22
[00:32:51] <Ryan_Lane>	 and icmp
[00:33:12] <Ryan_Lane>	 andrewbogott: see nova-production1's configuration
[00:33:17] <Jews>	 I used a different ruleset
[00:33:24] <andrewbogott>	 'k
[00:33:32] <Jews>	 Now fixed
[00:33:39] <Ryan_Lane>	 Jews: *always* keep the default group checked
[00:33:44] <Jews>	 Okay.
[00:33:49] * Jews  forgot

[00:33:54] <Ryan_Lane>	 please read the docs :)
[00:33:55] <Ryan_Lane>	 !instance
[00:33:55] <wm-bot>	 https://labsconsole.wikimedia.org/wiki/Help:Instances
[00:34:32] <Jews>	 "In general" -- change it to "always" :P
[00:36:00] <Ryan_Lane>	 well, there's cases where you wouldn't want to
[00:36:20] <Ryan_Lane>	 but unless you know why you shouldn't, you should ;)
[00:36:37] <Ryan_Lane|away>	 back in a little bit
[00:44:56] <labs-nagios-wm>	 PROBLEM host: simplewikt is DOWN address: simplewikt CRITICAL - Host Unreachable (simplewikt)
[00:49:56] <Jews>	 Looks done now.
[00:50:48] <Jews>	 !log simplewiki After some confusion, added firewall rules correctly and made new instance. Hope it works now...
[00:50:49] <labs-morebots>	 Logged the message, Master
[00:52:28] <Jews>	 I'm ready for the IP now
[00:52:50] <Jews>	 Also, https://labsconsole.wikimedia.org/wiki/Nova_Resource:I-00000145 seems stray
[00:53:48] <Ryan_Lane>	 stray?
[00:53:50] <Ryan_Lane>	 what do you mean?
[00:54:15] <Jews>	 https://labsconsole.wikimedia.org/wiki/Nova_Resource:I-00000145
[00:54:27] <Ryan_Lane>	 yeah. I don't understand what you mean by stray?
[00:55:17] <Jews>	 Says pending and I can't SSH in, and my small instance is working now
[00:58:14] <ottomata>	 i think I'm figuring out gerrit a little bit…just figured out that it wanted me to interactively merge all of my previous master commits as part of a rebase just to merge from master into my branch
[00:58:20] <ottomata>	 now i want to merge my branch back to master
[00:58:38] <ottomata>	 but i'm afraid that it will try to do some kind of crazy rebase + review thing
[00:58:45] <ottomata>	 if I've already had my stuff reviewed in my branch
[00:58:48] <ottomata>	 and approved
[00:58:49] <andrewbogott>	 Ryan_Lane:  Before you vanish for good... any ideas about what's going on with ldap on my instance?  (I've twiddled so many puppet settings at this point that I'm tempted to start over from scratch.)
[00:58:52] <ottomata>	 how do I now put it back in master
[00:59:24] <ottomata>	 or. where is the appropriate place to ask this question?
[01:06:10] <andrewbogott>	 ottomata:  This is not a terrible place to ask, but I don't know the answer, and it's after 5pm in California which means you may need to re-ask next week.
[01:06:43] <Athlon>	 Ryan_Lane, main point is that my simplewikt instance is ready to demo
[01:08:12] <ottomata>	 thanks andrewbogott
[01:10:46] <labs-nagios-wm>	 RECOVERY host: simplewikt is UP address: simplewikt PING OK - Packet loss = 0%, RTA = 6.57 ms
[01:33:15] <Athlon>	 hello?
[02:39:06] <labs-nagios-wm>	 RECOVERY Free ram is now: OK on bots-sql3 bots-sql3 output: OK: 20% free memory
[02:41:46] <labs-nagios-wm>	 RECOVERY Free ram is now: OK on puppet-lucid puppet-lucid output: OK: 20% free memory
[02:42:36] <labs-nagios-wm>	 RECOVERY Current Users is now: OK on testing-ldap-build testing-ldap-build output: USERS OK - 0 users currently logged in
[02:44:06] <labs-nagios-wm>	 RECOVERY Disk Space is now: OK on testing-ldap-build testing-ldap-build output: DISK OK
[02:44:06] <labs-nagios-wm>	 RECOVERY dpkg-check is now: OK on testing-ldap-build testing-ldap-build output: All packages OK
[02:45:26] <labs-nagios-wm>	 RECOVERY Free ram is now: OK on testing-ldap-build testing-ldap-build output: OK: 61% free memory
[02:45:36] <labs-nagios-wm>	 RECOVERY Total Processes is now: OK on testing-ldap-build testing-ldap-build output: PROCS OK: 80 processes
[02:46:46] <labs-nagios-wm>	 RECOVERY Current Load is now: OK on testing-ldap-build testing-ldap-build output: OK - load average: 0.01, 0.09, 0.08
[02:57:39] <Hydriz>	 Ryan_Lane: Are you there?
[02:59:36] <Ryan_Lane>	 Hydriz: yes, but not for long
[02:59:50] <Hydriz>	 Can I get access back?
[02:59:57] <Hydriz>	 Or are you still on vacation :(
[03:00:22] <Ryan_Lane>	 got back recently
[03:12:06] <labs-nagios-wm>	 PROBLEM Free ram is now: WARNING on bots-sql3 bots-sql3 output: Warning: 18% free memory
[08:40:52] <Tpt>	 Hello, I'm admin of the French Wikisource and I would like to have a write access to http://wikisource-dev.wmflabs.org in order to try MW extensions before ask their installation in Wikisource. Zaran say me that I've to ask here. What should I do ?
[14:47:32] <Damianz>	 https://gerrit.wikimedia.org/r/gitweb?p=operations/puppet.git;a=commit;h=f6359eefead213987ca623553b5571d28ac8fe8a < Ryans meeting with the legal department not go well. 
[15:13:45] <labs-nagios-wm>	 PROBLEM Current Load is now: CRITICAL on diablo diablo output: CHECK_NRPE: Error - Could not complete SSL handshake.
[15:17:35] <labs-nagios-wm>	 PROBLEM dpkg-check is now: CRITICAL on diablo diablo output: DPKG CRITICAL dpkg reports broken packages
[15:18:45] <labs-nagios-wm>	 RECOVERY Current Load is now: OK on diablo diablo output: OK - load average: 0.31, 1.05, 0.85
[15:22:35] <labs-nagios-wm>	 RECOVERY dpkg-check is now: OK on diablo diablo output: All packages OK
[16:03:48] <labs-nagios-wm>	 PROBLEM Current Load is now: CRITICAL on gluster-devstack gluster-devstack output: Connection refused by host
[16:04:28] <labs-nagios-wm>	 PROBLEM Current Users is now: CRITICAL on gluster-devstack gluster-devstack output: Connection refused by host
[16:05:08] <labs-nagios-wm>	 PROBLEM Disk Space is now: CRITICAL on gluster-devstack gluster-devstack output: Connection refused by host
[16:05:48] <labs-nagios-wm>	 PROBLEM Free ram is now: CRITICAL on gluster-devstack gluster-devstack output: Connection refused by host
[16:06:58] <labs-nagios-wm>	 PROBLEM Total Processes is now: CRITICAL on gluster-devstack gluster-devstack output: CHECK_NRPE: Error - Could not complete SSL handshake.
[16:07:38] <labs-nagios-wm>	 PROBLEM dpkg-check is now: CRITICAL on gluster-devstack gluster-devstack output: CHECK_NRPE: Error - Could not complete SSL handshake.
[16:54:28] <labs-nagios-wm>	 RECOVERY Current Users is now: OK on gluster-devstack gluster-devstack output: USERS OK - 2 users currently logged in
[16:55:08] <labs-nagios-wm>	 RECOVERY Disk Space is now: OK on gluster-devstack gluster-devstack output: DISK OK
[16:55:38] <petan>	 I really hope that Ryan is going to arrive
[16:55:48] <labs-nagios-wm>	 RECOVERY Free ram is now: OK on gluster-devstack gluster-devstack output: OK: 67% free memory
[16:56:58] <labs-nagios-wm>	 RECOVERY Total Processes is now: OK on gluster-devstack gluster-devstack output: PROCS OK: 134 processes
[16:58:48] <labs-nagios-wm>	 RECOVERY Current Load is now: OK on gluster-devstack gluster-devstack output: OK - load average: 0.00, 0.10, 0.07
[17:01:00] * andrewbogott  wishes that nagios didn't send messages to IRC because of my standard development cycle.

[17:22:07] <Damianz>	 Ryan_Lane: Not enjoy your meeting yesterday? https://gerrit.wikimedia.org/r/gitweb?p=operations/puppet.git;a=commit;h=f6359eefead213987ca623553b5571d28ac8fe8a
[17:22:26] <Ryan_Lane>	 heh
[17:22:34] <Ryan_Lane>	 nah. thought my laptop was stolen
[17:22:37] <Ryan_Lane>	 seems it wasn't
[17:23:33] <Damianz>	 Ah, that would of sucked
[17:26:52] <petan>	 ji
[17:26:53] <petan>	 hi
[17:26:59] <petan>	 :)
[17:27:29] <Ryan_Lane>	 howdy
[17:27:38] <petan>	 cool
[17:28:06] <petan>	 gonna write notes http://etherpad.wikimedia.org/LabsIrcConf
[17:28:09] <petan>	 from conference
[17:28:14] * Ryan_Lane  nods

[17:28:18] <petan>	 k
[17:29:12] <Damianz>	 It's in half an hour or an hour an a half? Silly timezones
[17:32:42] <petan>	 huh
[17:35:54] <Ryan_Lane>	 I thought it was in 30 mins?
[17:37:46] <Ryan_Lane>	 yeah. it's in 30 mins
[17:37:56] <Ryan_Lane>	 it's 17:37 GMT right now
[17:56:23] <petan>	 I hope that people who do not already use wmf labs are going to join us too, at some point it should be some intro too
[17:58:16] <Damianz>	 I hope they're not all bot owners as 2/3 are raped daily :P
[17:58:26] <petan>	 really?
[17:58:41] <petan>	 I hope some "they" are here :)
[17:58:52] <Damianz>	 Well actually it might be fixed now as Beetstra was sorting her..(his?) bot.
[17:58:54] <petan>	 or it's gonna be a meeting of us 3
[18:00:09] <petan>	 *gong*
[18:00:14] <Ryan_Lane>	 :D
[18:00:15] <Beetstra>	 this they (singular) is somewhat around (having dinner)
[18:00:18] <Damianz>	 I assume it did get posted to say wikitech?
[18:00:23] <petan>	 yes
[18:00:24] <petan>	 it was
[18:00:42] <Damianz>	 Mmm dinner I wish but that would take me like 40min, might be lazy and just order pizza.
[18:01:04] <Ryan_Lane>	 petan: so, this is your thing, want to start it off?
[18:01:09] <petan>	 ok we can discuss food later :)
[18:01:23] <Beetstra>	 Why .. are bots more important than food?
[18:01:30] <petan>	 right I never really did any conference, online or any other, but I guess yes
[18:01:31] * Ryan_Lane  is hungry and wants breakfast ;)

[18:01:45] <Nikerabbit>	 and I just ate supper...
[18:02:03] <petan>	 I think we can start talk all points we have in pad
[18:02:26] <Damianz>	 So you're handing back to Ryan_Lane for 'tech specs'? :P
[18:02:27] <petan>	 the first part was meant to be some intro for newbies but I don't know if some are around
[18:02:38] <Ryan_Lane>	 link?
[18:02:44] <Damianz>	 http://etherpad.wikimedia.org/LabsIrcConf
[18:03:18] <Ryan_Lane>	 technical specs. right now we have 4 compute nodes, and one controller
[18:03:33] <petan>	 ok the compute nodes are "physical servers" right?
[18:03:43] <Ryan_Lane>	 the controller is as well
[18:03:52] <petan>	 what are technical specs of these servers?
[18:04:07] <petan>	 I've noticed there is nothing about it on wikitech
[18:04:24] <Ryan_Lane>	 the compute nodes have 48GB memory, two processors with 6 cores each
[18:04:53] <Ryan_Lane>	 and 1.2 TB of storage per node
[18:05:04] <Ryan_Lane>	 the storage is in a raid1
[18:05:05] <Ryan_Lane>	 err
[18:05:07] <Ryan_Lane>	 raid10
[18:05:14] <petan>	 ok, so we can have around 24 instances on one server
[18:05:17] <Damianz>	 What does labs relay on mwf production for (apart from network), just apt?
[18:05:32] <Ryan_Lane>	 and the nodes share storage with each other using gluster
[18:05:37] <Ryan_Lane>	 basically just apt
[18:05:46] <petan>	 why is svn firewalled on labs?
[18:05:49] <petan>	 ssh one
[18:05:52] <Damianz>	 ssh
[18:06:07] <Ryan_Lane>	 we may open that back up, or may just keep it closed until git transition
[18:06:20] <Ryan_Lane>	 all of labs is blocked from production for ssh
[18:06:47] <Ryan_Lane>	 it's to avoid hijacking of forwarded keys
[18:06:59] <Damianz>	 Is there still a rough plan to switch to gluster for project storage and move away from assigning public IPs directly to have a domain based forwarding on nginx/varnish/some nice proxy?
[18:07:15] <Ryan_Lane>	 both, ues
[18:07:17] <Ryan_Lane>	 *yes
[18:07:35] <Ryan_Lane>	 I have the gluster storage nodes installed, and they are running a glusterfs cluster that is peered
[18:07:43] <petan>	 ok, let's have a bit of explanation of vm's we have, the open stack support moving instances from one node to other right?
[18:07:48] <Ryan_Lane>	 I just need to write some code to make them share to the projects now
[18:07:55] <Damianz>	 :)
[18:08:14] <Ryan_Lane>	 work on a proxy solution hasn't started at all, but is planned
[18:08:21] <Ryan_Lane>	 petan: yes
[18:08:25] <Ryan_Lane>	 we can do live migrations
[18:08:31] <Ryan_Lane>	 I need to do some right now, in fact
[18:08:53] <Ryan_Lane>	 virt1 still doesn't have nearly as many instances as the others
[18:08:54] <petan>	 so in case that one node needs to be restarted it's possible to move all instances to running one
[18:09:01] <Ryan_Lane>	 yes, but it's painful
[18:09:13] <Ryan_Lane>	 current nova support for live migrations is kind of crap
[18:09:28] <Damianz>	 Can there not be logic that if we 'shutdown' a node via openstack it handles shifting all the vms off. Like XenServer does if you mark a server as broke
[18:09:34] <Ryan_Lane>	 you basically need to do one instance at a time, or the migrations fail in really shitty ways
[18:09:37] <petan>	 but in case there is outage of some node it's possible to quickly recover it?
[18:09:44] <petan>	 so there should not be long outages, taking days
[18:09:50] <Ryan_Lane>	 Damianz: I could write a script for it, yes
[18:10:29] <Ryan_Lane>	 well, I'm not sure if it's possible to do cold migrations
[18:10:47] <Ryan_Lane>	 I'll need to ask the openstack people about it. I don't see it in the docs and I haven't dug into the code
[18:11:03] <Ryan_Lane>	 in that situation, right now, we'd need to fix the node
[18:11:08] <petan>	 for example if one instance is rebooted on loaded node is it possible to move it automaticaly to node with low load?
[18:11:29] <Ryan_Lane>	 automatically? no
[18:11:33] <petan>	 ok
[18:11:35] <Ryan_Lane>	 it's a manual process
[18:11:44] <petan>	 so ballancing load between nodes is manual
[18:11:46] <Ryan_Lane>	 this will be less problematic with the next set of hardware
[18:12:10] <Ryan_Lane>	 I don't have the specs of the new hardware, but they are kind of great :)
[18:12:19] <Ryan_Lane>	 256GB of memory or so
[18:12:30] <Damianz>	 In relation to if it's broken - do we plan to have some form of labs<>production mailing list/jira instance etc (or do we have it now) where by say a node is physically down rather than nagios moaning someone from mwf ops will sort it. Not sure how to explain it but rather than the TS model of admins manage have a community/admins manage is strange for certain things.
[18:12:38] <Ryan_Lane>	 memory is our limiting factor right now
[18:12:57] <Ryan_Lane>	 CPU utilization is very low, but we are overallocated on memory, and the hosts are swapping
[18:13:15] <Damianz>	 In relation to re-balencing/migration - Once ganglia is live we probably should look at something where by if one node has some very cpu intence vms of live migrating them automagically.
[18:13:43] <Ryan_Lane>	 Damianz: labs is considered "quasi-production". we'll try to fix it quickly, but it may not be to the support level of production
[18:14:01] <Ryan_Lane>	 or do you mean things inside of labs?
[18:14:16] <Ryan_Lane>	 everything on the instances is community managed
[18:14:22] <Damianz>	 Well I think things inside say a project is down to the project manager/members which is community
[18:14:29] <Damianz>	 But the community can't fix say switches exploding.
[18:14:48] <Ryan_Lane>	 right. hardware and infrastructure that supports labs will be handled by ops
[18:15:16] <petan>	 I think there are many communication methods either bugzilla or mailing list we have
[18:15:33] <Ryan_Lane>	 indeed
[18:15:48] <petan>	 I believe that labs-l is watched by ops
[18:16:00] <Ryan_Lane>	 if something breaks with the hardware, we'll get alerted by production nagios
[18:16:09] <petan>	 another thing I wanted to sort out
[18:16:15] <petan>	 who all from ops is responsible for labs
[18:16:25] <Ryan_Lane>	 basically just me
[18:16:25] <Damianz>	 So say for a feature request - are we looking for bug tracker or sending a review of a puppet diff for merging into production?
[18:16:39] <Ryan_Lane>	 we are hiring another position for labs
[18:16:52] <petan>	 ok, so in case there is a problem with labs, we need to wait for you?
[18:17:02] <petan>	 including requests for new accounts etc
[18:17:05] <Ryan_Lane>	 Damianz:  I'd say both, usually
[18:17:21] <Damianz>	 I'm more thinking we have 2 groups of people - those who can write up manifests and they will get merged and those who notice bugs and not be able to fix them (and those that ask ops for roject issues..)
[18:17:22] <Ryan_Lane>	 anyone with the ability to make svn accounts can make labs accounts
[18:17:33] <Ryan_Lane>	 the dev process and labs are kind of mingled together
[18:18:15] <Ryan_Lane>	 also, if there is a problem with labs, and I'm not around, someone else on ops will likely take a look at it
[18:18:27] <Ryan_Lane>	 everyone works together on breakages, usually
[18:18:33] <petan>	 ok, so when we need to have an account or project created, we can basically ping anyone from ops? or certain people
[18:18:57] <Ryan_Lane>	 well, so far only a few have made projects and such, but they all have permissions
[18:19:22] <Damianz>	 We could look at something like AIAV or whatever it's called where account/project requests go and someone with access picks it up.
[18:19:27] <Ryan_Lane>	 we should really have some way of requesting project creations
[18:19:32] <petan>	 maybe on bz?
[18:19:44] <Ryan_Lane>	 I was also thinking of allowing anyone who is netadmin and sysadmin in a project to be able to create projects for others
[18:20:05] <Platonides>	 seems a good idea
[18:20:07] <Ryan_Lane>	 bz could work for it, yeah
[18:20:10] <petan>	 that would make sense but it's a bit security issue
[18:20:15] <Platonides>	 I think creating projects should b ereally easy
[18:20:23] <Ryan_Lane>	 well, actually not much of a security issue
[18:20:25] <petan>	 if u create 50 projects and 400 instance
[18:20:32] <Ryan_Lane>	 ah. true
[18:20:33] <petan>	 you get labs down
[18:20:34] <Damianz>	 You could easily limit projects/instances though
[18:20:42] <Ryan_Lane>	 right now projects are quota'd
[18:20:49] <petan>	 10 instances per project
[18:20:49] <Platonides>	 petan, if they can make a vm in an existing project, what do they gain creating projectgs?
[18:20:59] <petan>	 Platonides: override quota
[18:21:01] <Ryan_Lane>	 the ability to create an unlimited number
[18:21:13] <Platonides>	 throttling
[18:21:39] <Ryan_Lane>	 well, it's something to think about
[18:21:44] <Damianz>	 Maybe have a voting system or something where 2 people who are netadmin in projects can create a new project... or have an ccount over a certain age.
[18:22:25] <Ryan_Lane>	 it could be permission based, and auto-confirm based, yeah
[18:22:35] <Damianz>	 Tbh though if it's something that forces us to use the wiki then I'd rather not :P
[18:22:47] <Ryan_Lane>	 I wouldn't want to do that with other things, but I see no reason to limit project creation to the web interface
[18:22:52] <Ryan_Lane>	 err
[18:22:54] <Ryan_Lane>	 *not to limit
[18:23:15] <Ryan_Lane>	 I don't see any realistic way of letting people create projects from the cli
[18:23:17] <Damianz>	 Yeah, that's more 'specialised' though - day to day stuff would be a pain to restrict ourselves to the web interface.
[18:23:49] <Ryan_Lane>	 yes, we're working on moving OpenStackManager specific things into openstack so that we can allow people to use the cli
[18:24:14] <Ryan_Lane>	 but, project creation isn't one we plan on changing
[18:24:28] <petan>	 we skipped the rules part :)
[18:24:36] <Damianz>	 Rules? how boring :P
[18:24:39] <Ryan_Lane>	 heh
[18:24:44] <Ryan_Lane>	 well, we do need to discuss that
[18:24:50] <Ryan_Lane>	 so, I had a meeting with legal yesterday
[18:25:03] <petan>	 people in general don't know how to name their instances so we sometimes end up with a crazy ones, check nagios to see what all we have there
[18:25:03] <Ryan_Lane>	 we'll be writing up a terms of service, and a privacy policy soon
[18:25:19] <petan>	 so we could make a naming conventions for instances
[18:25:19] <Damianz>	 petan: Could we group nagios by project? :)
[18:25:23] <petan>	 Damianz: yes
[18:25:29] <Ryan_Lane>	 people will be required to accept the terms of service to login
[18:25:30] <petan>	 will be working on that
[18:25:51] <Ryan_Lane>	 also, it's looking like we won't require people to identify
[18:25:54] <petan>	 ok, can you make a list of most important parts of these terms?
[18:26:29] <Ryan_Lane>	 labs project will be required to display the privacy policy and terms of use, and they must show a warning to users anywhere information can be collected
[18:26:47] <Ryan_Lane>	 also, privacy information should simply not be kept where possible
[18:27:06] <petan>	 ok
[18:27:23] <petan>	 so that people can become a check users on test site, even if not identified to foundation
[18:27:35] <petan>	 example
[18:27:48] <Platonides>	 hmm... that could be unexpected
[18:27:49] <Ryan_Lane>	 we'll likely need to remove public IPs from projects that don't properly display terms of use and privacy policy, or don't display warnings, until the project complies
[18:27:56] <Platonides>	 if the users login in there aren't aware of that
[18:28:05] <Damianz>	 Will there be any project based terms or just labs?
[18:28:18] <Ryan_Lane>	 Platonides: it'll be displayed on the login page, in that situation
[18:28:36] <Ryan_Lane>	 Damianz: what do you mean?
[18:29:08] <petan>	 Ryan_Lane: is it possible to make exception in case all members of project are identified?
[18:29:17] <petan>	 so that there is no requirement to inform people etc
[18:29:27] <Ryan_Lane>	 I think we'd prefer to not have to identify people
[18:29:54] <petan>	 ok, but if the members of project chose to do that rather than changing code of sw to show the warnings etc
[18:29:57] <Ryan_Lane>	 it's an administrative burden
[18:29:59] <Damianz>	 For any projects taht say require storing private information - will they be restricted with seperate usage/terms stuff or not. For example (eventhough it shouldn't be dealing with live data) the donations stuff every year.
[18:31:03] <Ryan_Lane>	 so, access to any project that may hold production private data will require a signed confidentiality agreement with the foundation
[18:31:17] <Damianz>	 Makes sense
[18:31:46] <Ryan_Lane>	 access to those projects will require another role, so it won't technically be possible to log in, even if someone accidentally adds another person
[18:31:49] <petan>	 ok
[18:32:07] <Ryan_Lane>	 it also may be a separate hardware cluster, etc, etc
[18:32:18] <Ryan_Lane>	 we're still working out very sensitive data and labs
[18:32:44] <petan>	 can we get a basic rules of what is allowed / disallowed and how people should name their instances :)
[18:32:45] <Damianz>	 That won't affect the general stuff though? Like deleted diffs and having access to the production dbs for say bots.
[18:33:05] <petan>	 probably db should not content private data
[18:33:07] <petan>	 like TS
[18:33:20] <Ryan_Lane>	 sure. of course, this is all a precursor to the terms of service
[18:33:27] <Ryan_Lane>	 1. no hacking
[18:33:41] <Damianz>	 Ryan_Lane: *ehhem* cracking
[18:34:09] <Ryan_Lane>	 of course, authorized pen tests for things inside of labs may be OK, but only if an exception has been granted. meaning, you need to ask ops first.
[18:34:14] <Ryan_Lane>	 malicious hacking ;)
[18:34:31] <Ryan_Lane>	 2. No proprietary software
[18:34:44] <Ryan_Lane>	 of course, it should also be possible to get an exception to that rule too
[18:35:01] <Ryan_Lane>	 there's some cases where we need proprietary software for testing. like db2 or oracle
[18:35:13] <petan>	 ok
[18:35:17] <Ryan_Lane>	 3. No copyrighted data
[18:35:45] <petan>	 but even the gpl sw has some kind of copyright or not?
[18:35:49] <Ryan_Lane>	 again, exceptions can be made, but people need to ask
[18:35:55] <Ryan_Lane>	 fair use is also ok
[18:36:06] <petan>	 right
[18:36:08] <Damianz>	 You mean copyright without decent access like gpld stuff that someone holds the copyright for?
[18:36:12] <Ryan_Lane>	 sorry
[18:36:15] <Ryan_Lane>	 let me clarify :)
[18:36:27] <Ryan_Lane>	 only open source software, and open content licenses
[18:36:35] <Ryan_Lane>	 OSI approved open source licenses
[18:36:59] <Damianz>	 Awwww
[18:37:04] <petan>	 ok
[18:37:04] <Damianz>	 WTFPL isn't accepted by the OSI IIRC
[18:37:10] <Damianz>	 :P
[18:37:12] <Ryan_Lane>	 heh
[18:37:33] <Ryan_Lane>	 basically, we'd like to avoid getting sued by the RIAA or MPAA
[18:37:46] <Damianz>	 People get sued? I thought you just got raided by the FBI
[18:37:52] <Ryan_Lane>	 I have a feeling we didn't make friends with them with that whole SOPA thing ;)
[18:37:53] <petan>	 heh
[18:38:10] <Ryan_Lane>	 4. No torrenting
[18:38:19] <Damianz>	 Downloading or?
[18:38:22] <Ryan_Lane>	 either
[18:38:25] <Damianz>	 :(
[18:38:28] <Ryan_Lane>	 no bittorent
[18:38:37] <petan>	 even legal?
[18:38:42] <Damianz>	 Not even opensource stuff? Some things are only avaible for torrent download
[18:38:45] <petan>	 torrents of linux :)
[18:38:49] <petan>	 heh
[18:38:55] <Ryan_Lane>	 of course, there can be exceptions, but it'll require approaval
[18:38:59] <petan>	 No offering of illegal content
[18:39:04] <petan>	 I wrote this
[18:39:16] <Ryan_Lane>	 well, that goes into 3.
[18:39:17] <petan>	 feel free to fix it
[18:39:24] <petan>	 ok I write to epad
[18:39:44] <Ryan_Lane>	 but yes, no illegal content, as defined within the United States. Legal may change all of this wording, btw ;)
[18:39:50] <Ryan_Lane>	 s/may/likely will/
[18:40:09] <Ryan_Lane>	 4. No tor nodes
[18:40:11] <Damianz>	 Yeah I assume everything is 'as in the US' as the servers are over there and mwf is over there mainly.
[18:40:20] <Ryan_Lane>	 again, exceptions can be made to this policy
[18:40:25] <Ryan_Lane>	 Damianz: yep
[18:40:35] <Ryan_Lane>	 and we have no plans to have labs infrastructure outside of the US
[18:40:46] <Ryan_Lane>	 this is difficult enough, legally, without involving other countries
[18:41:26] <Ryan_Lane>	 5. Only Wikimedia related work is allowed
[18:41:31] <Damianz>	 Any thoughts on proxies in general? (not say socks for accessing labs but web etc, more along the lines of tor).
[18:41:35] <Ryan_Lane>	 of course, that's pretty broad
[18:42:12] <Ryan_Lane>	 #4 was no tor nodes ;)
[18:42:20] <Ryan_Lane>	 or anything related to that
[18:42:28] <Damianz>	 Open web proxies etc I assume you fall under tor
[18:42:36] <Ryan_Lane>	 no VPNs from labs to other networks, etc
[18:42:45] <Ryan_Lane>	 no open proxies. right
[18:43:44] <Ryan_Lane>	 if you guys could think of other things I should specifically mention, let me know
[18:43:53] <Beetstra>	 I may have a bit of a question here .. I am storing 'external link additions' in SQL, linked to who added which external link in which diff on Wikimedia projects .. that may be sensitive data
[18:43:55] <Ryan_Lane>	 there's no reason only the WMF can draft these :)
[18:44:08] <Ryan_Lane>	 Beetstra: is it publically available?
[18:44:13] <Damianz>	 'Abuse of recourses' which is very wide and could be nazi but just in gneeral if someone is taking the mickey
[18:44:23] <Ryan_Lane>	 meaning, is that data you are pulling from public sources?
[18:44:36] <Beetstra>	 In principle, yes .. I am pulling it out the live diffs 
[18:45:28] <Ryan_Lane>	 6. Actions deemed abuse can result in loss of privileges. This is at the discretion of the Labs staff and community.
[18:45:40] <Damianz>	 7
[18:45:45] <Ryan_Lane>	 yay for catch-alls! :D
[18:45:53] <Ryan_Lane>	 Beetstra: then it isn't private
[18:45:55] <Damianz>	 :P
[18:46:10] <Damianz>	 I still want a wikimedia email :P
[18:46:18] <Ryan_Lane>	 yes. we're working on that
[18:46:31] <petan>	 yay
[18:46:32] <jeblad>	 It should be possible to do penetesting as there are a few  (ehm) securityholes
[18:46:33] <petan>	 I want it too :D
[18:46:34] <Damianz>	 :D
[18:46:34] <Ryan_Lane>	 things are harder when thinking multi-tenant :)
[18:46:59] <Ryan_Lane>	 jeblad: yes, as mentioned, there can be exceptions for pen testing, but it will require approval
[18:47:42] <Ryan_Lane>	 in other words,  we need to know it's going on, otherwise it looks like malicious hacking
[18:47:42] <Beetstra>	 OK
[18:48:02] <petan>	 general rules to instances? how they should be named, resources etc
[18:48:03] <jeblad>	 ok,..
[18:48:08] <Ryan_Lane>	 so, the wikimedia related work rule needs to be clarified some
[18:48:14] <Damianz>	 If you want to do that it should probably go on the mailing list for community/op approval
[18:48:37] <Ryan_Lane>	 working on mediawiki, even if not work Wikimedia related projects, is still Wikimedia related, for instance
[18:49:08] <Damianz>	 Yeah...
[18:49:10] <Ryan_Lane>	 so, if anyone is confused about whether their work is Wikimedia related or not, they should ask :)
[18:49:15] <Damianz>	 But then it could be a patch of something commercial
[18:49:19] <jeblad>	 Just as a side comment, I'm not sure that anyone would detect the more advanced penetrations.. Just my 5¢
[18:49:30] <Ryan_Lane>	 jeblad: I don't disagree
[18:49:31] <Damianz>	 s/of/or/
[18:49:43] <Ryan_Lane>	 which actually brings up something that I wanted to mention :)
[18:49:59] <Ryan_Lane>	 everyone should be self-policing their projects
[18:50:14] <Ryan_Lane>	 if you add someone to a project, you should ensure they are doing what they said they'd be doing
[18:50:20] <jeblad>	 will labs be limited to mw related stuff or can it be used more like testing interesting technologies?
[18:50:32] <Ryan_Lane>	 jeblad: not limited to mediawiki
[18:50:46] <Ryan_Lane>	 anything that could be used for wikimedia related work
[18:50:47] <Damianz>	 Interesting tech stuff might be related to mwf work for ops etc
[18:51:03] <jeblad>	 For example, I have some wild ideas about stats and need a mongodb .. oki
[18:51:12] <Ryan_Lane>	 yep. that's totally fine
[18:51:36] <Ryan_Lane>	 so, going back to self-policing projects...
[18:51:46] <Ryan_Lane>	 I do some policing, but I don't scale terribly well
[18:51:55] * Damianz  makes Ryan_Lane multi threaded

[18:52:00] <Ryan_Lane>	 heh
[18:52:09] <jeblad>	 would it then be a vm and config left to the interested ones or would it be necessary to set på complete clone?
[18:52:28] <Ryan_Lane>	 jeblad: what do you mean?
[18:52:51] <jeblad>	 how much must be done by an ops at wmf
[18:52:57] <Ryan_Lane>	 nothing
[18:52:57] <Damianz>	 In regards to policing and going back to creating projects - who polices projects? ops, community or everyone?
[18:53:09] <Ryan_Lane>	 in labs, project members can do everything
[18:53:23] <Ryan_Lane>	 well, people with sysadmin and netadmin in a project can do everything
[18:53:26] <Ryan_Lane>	 excluding one thing
[18:53:36] <Ryan_Lane>	 they can't allocate public IP addresses
[18:53:46] <Ryan_Lane>	 since we are very short on them
[18:53:52] <Ryan_Lane>	 Damianz: everyone should
[18:53:54] * jeblad  plans to shot himself in both feets and then some more feets

[18:53:58] <Ryan_Lane>	 heh
[18:54:26] <Ryan_Lane>	 if someone sees something odd going on, send an email to security@wikimedia.org
[18:54:33] <Ryan_Lane>	 and we'll investigate further
[18:54:37] <Damianz>	 It might be interesting to have per project status and maybe some news of 'whats been going on in labs' or such.
[18:54:44] <Ryan_Lane>	 yeah, would be cool
[18:54:57] <Ryan_Lane>	 we have SMW on labs...
[18:55:19] <Ryan_Lane>	 so, we could add them there, and have it compile a monthly/weekly report
[18:55:20] <petan>	 + SAL
[18:55:29] <petan>	 that somehow reflect status heh
[18:55:34] <Ryan_Lane>	 yeah
[18:55:54] <Ryan_Lane>	 nice to see in human readable terms what people are doing, for the wider community
[18:56:09] <Ryan_Lane>	 so the idea of status updates is kind of cool
[18:56:17] <Ryan_Lane>	 not required, of course :)
[18:56:36] <Ryan_Lane>	 so, instance naming conventions....
[18:56:47] <Ryan_Lane>	 we should probably have some conventions :D
[18:56:55] <jeblad>	 I guess people somehow must hook up with eachother. Is there any plan on how to accomplish that?
[18:56:57] <Ryan_Lane>	 right now it's basically a free-for-all
[18:57:14] <Damianz>	 jeblad: Yell for help and someone will do stuff 
[18:57:21] <jeblad>	 peaople = those interested in a specific project
[18:57:22] <Ryan_Lane>	 jeblad: well, projects are documented with who's a member, basically, you just check out the project page and talk to some of the members
[18:57:26] <Ryan_Lane>	 !project bots
[18:57:26] <wm-bot>	 https://labsconsole.wikimedia.org/wiki/Nova_Resource:bots
[18:57:32] <Ryan_Lane>	 ^^ see that page, for instance
[18:58:06] <Damianz>	 Reminds me I should change CBNGs mysql pass...
[18:58:08] <Ryan_Lane>	 I don't necessarily have an issue with the instance naming free-for-all, but there's a few cases where instances are really poorly named
[18:58:28] <Ryan_Lane>	 Damianz: did it get logged in the SAL or something?
[18:58:39] <jeblad>	 Then a last question and I shall shut up, how will this interact with toolserver.org?
[18:58:44] <Damianz>	 Nah it's just something really crappy and we have a bots phpmyadmin somewhere.
[18:58:57] <jeblad>	 Not important, times up
[18:59:07] <Ryan_Lane>	 jeblad: as of now, it doesn't
[18:59:14] <Damianz>	 Not like I have it running mysqldumps on cron either :(
[18:59:21] <Ryan_Lane>	 an end-goal is a toolserver-like environment in labs
[18:59:24] <Damianz>	 Also is there any plan in regards to backups genreally?
[18:59:31] <Ryan_Lane>	 so, it's a replacement, more than anything
[18:59:42] <Ryan_Lane>	 Damianz: nope. in general we won't backup most things
[19:00:02] <Ryan_Lane>	 instances will never be backed up. they should be puppetized
[19:00:06] <Damianz>	 Most stuff should be re-dployable from puppet but stuff like mysql I assume will fall to per project/member
[19:00:14] <Ryan_Lane>	 mysql servers will have backup
[19:00:25] <Ryan_Lane>	 we'll do that on the server side
[19:00:37] <Damianz>	 :)
[19:00:46] <Ryan_Lane>	 we plan on having hardware mysql that's managable via a service
[19:01:03] <Damianz>	 Would be nice, vm disks are slow.
[19:01:16] <Ryan_Lane>	 yes. IO in virtualization sucks
[19:01:16] <petan>	 what kind of backup for sql
[19:01:19] <petan>	 online backups?
[19:01:23] <petan>	 or daily
[19:01:25] <Ryan_Lane>	 likely LVM snapshots
[19:01:28] <petan>	 ok
[19:01:36] <Ryan_Lane>	 though they'll probably be rotated often
[19:02:32] <Ryan_Lane>	 if project members want more long-lived backups, they can do dumps and store them in their gluster storage
[19:02:45] <Ryan_Lane>	 of course, that storage will be quota'd
[19:02:48] <jeblad>	 what if someone will te4st io intensive projects?
[19:02:54] <Damianz>	 Just thinking I'd rather not loose 2months of data for a bot again...
[19:02:59] <Ryan_Lane>	 jeblad: what do you mean?
[19:03:07] <Ryan_Lane>	 Damianz: yeah, I'd also prefer that :)
[19:03:19] <Ryan_Lane>	 I dislike data-loss with a passion
[19:03:31] <Damianz>	 Mhm
[19:03:35] <Ryan_Lane>	 the gluster storage can act as a storage area for backups of a project
[19:03:44] <Ryan_Lane>	 but, ops isn't going to do it for you ;)
[19:03:51] <jeblad>	 server - client traffic like a gadget interacting with a mongodb
[19:04:22] <Ryan_Lane>	 jeblad: in general, instances that eat a lot of resources mostly only affect themselves
[19:04:38] <Ryan_Lane>	 though if there are too many of those on one host, it's problematic
[19:04:47] <Ryan_Lane>	 we'll move the instances around to spread the load
[19:05:00] <andrewbogott>	 I have a question/suggesting regarding instance naming.  I've been annotating my instances with usage notes on the summary wiki (e.g. https://labsconsole.wikimedia.org/wiki/Nova_Resource:I-00000131)
[19:05:16] <andrewbogott>	 My question is -- is that page actually persistent, or will my notes get clobbered at random times?
[19:05:24] <Ryan_Lane>	 clobbered, unfortunately
[19:05:35] <Ryan_Lane>	 I'll add sub-page support for instance notes
[19:05:37] <andrewbogott>	 OK, that's not a good place to store that info, then :)
[19:05:39] <Ryan_Lane>	 so that it won't be clobbered
[19:05:41] <andrewbogott>	 Cool.
[19:05:51] <Ryan_Lane>	 similar to how documentation is done on project pages
[19:06:41] <Ryan_Lane>	 anything else to talk about? :)
[19:06:52] <Ryan_Lane>	 documentation?
[19:06:56] <Damianz>	 I'm going to assume probably not right now but do we have a way of deploying out the test cluster or are we looking to puppetize it properly when we split up the repo into project branches and re-do the merging stuff?
[19:07:21] <Ryan_Lane>	 we'd *very* much like to have it all puppetized fully
[19:07:24] <petan>	 yes
[19:07:40] <Ryan_Lane>	 because we plan on using it for automated infrastructure testing
[19:07:44] <petan>	 btw there is still a lot of stuff to talk :)
[19:08:01] <Ryan_Lane>	 oh yeah. project branches
[19:08:14] <Ryan_Lane>	 the test branch is basically fucked beyond repair right now
[19:08:30] <Damianz>	 It would be nice to be able to have say Jenkins build a cluster, deploy out mw how it in production, test stuff then murder its self.
[19:08:43] <Ryan_Lane>	 Damianz: yeah. that's the goal
[19:09:02] <Ryan_Lane>	 that way we can test to ensure both ops changes, and major mediawiki changes don't totally break things
[19:09:19] <Ryan_Lane>	 that would be an incredibly expensive test, so would likely not get run for most changes
[19:09:38] <Damianz>	 It would be good for testing major arch changes though
[19:09:43] <Ryan_Lane>	 yep
[19:10:12] <Ryan_Lane>	 so, with regards to the test branch...
[19:10:21] <Ryan_Lane>	 the way we are currently doing things sucks
[19:10:28] <Damianz>	 mhm
[19:10:42] <Ryan_Lane>	 I want to move us to per-project branches, where instances are configured to use that branch
[19:10:50] <Ryan_Lane>	 but also, where anyone can switch to another branch
[19:11:09] <Ryan_Lane>	 ideally, instances will usually run the test branch
[19:11:10] <Damianz>	 Having a centralised puppet server for labs with all branches there if needed?
[19:11:22] <Ryan_Lane>	 we'd like to get rid of the centralized puppet server
[19:11:34] <Ryan_Lane>	 and instead have the repo live on each instance
[19:12:00] <Damianz>	 How would that work for certain things like passwords/contacts which arn't in the repo but are linked when we merge production back into test?
[19:12:13] <Ryan_Lane>	 also, we'd like changes to project branches to be able to skip review
[19:12:38] <Ryan_Lane>	 Damianz: we're going to have to figure that out
[19:12:52] <Ryan_Lane>	 but we'll likely also just have the private repo on all instances too
[19:13:04] <Ryan_Lane>	 no reason we can't. everyone has access to it anyway
[19:13:23] <Ryan_Lane>	 (private labs repo, production one is only accessible to ops)
[19:13:34] <Ryan_Lane>	 s/,/./
[19:14:00] <Damianz>	 Yeah, we'd just need some op input to ensure production changes are replicated in labs so puppet doesn't freak out.
[19:14:19] <Ryan_Lane>	 well, puppet would be local
[19:14:27] <Ryan_Lane>	 so, when you ran it, you'd see it freak out
[19:14:43] <Ryan_Lane>	 if we see long-broken puppet in instances, we'll just switch the branch to test
[19:15:09] <Ryan_Lane>	 test will always be assumed to work
[19:15:22] <Ryan_Lane>	 and changes in test will be quickly cherry-picked to production
[19:15:42] <Damianz>	 I was more thinking if you stuck another var in private which the manifests refered to it would need someone to add it to the private labs repo so puppet didn't break when the manifests where merged back - if we're trying to keep test mergable with production.
[19:15:58] <Ryan_Lane>	 yep
[19:16:13] <Ryan_Lane>	 that'll be part of the testing process ;)
[19:17:20] <Ryan_Lane>	 petan: what's the next topic?
[19:17:22] <petan>	 let's move to tools?
[19:17:34] <petan>	 I mean the tool lab part
[19:17:47] <petan>	 there are no tools like on toolserver now because of lack of db
[19:18:22] <petan>	 but once we replicate production db to labs so that people access it, people would be able to create toolserver like tools on labs
[19:18:24] <Damianz>	 Db access would be highly amazing... relaying on the TS for stuff on labs just for out of date dbs is annoying.
[19:18:49] <petan>	 is it going to be managed like a project per tool
[19:19:04] <petan>	 because that would mean an instance per tool
[19:19:16] <petan>	 so a lot of resources while not needed
[19:19:26] <hoo|away>	 DB access would be amazing...
[19:19:44] <Ryan_Lane>	 we'll have replicated database access
[19:19:59] <Ryan_Lane>	 we haven't planned it out terribly well, yet
[19:20:12] <Damianz>	 Ryan_Lane: Hopefully it wont be hours out of date or broken many times a month :P
[19:20:13] <Ryan_Lane>	 and yes, we're planning an instance per-tool
[19:20:31] <Ryan_Lane>	 I believe we'll be monitoring it like the rest of the infrastructure
[19:20:41] <Ryan_Lane>	 and when master switches happen, it'll be updated with everything else
[19:20:48] <hoo|away>	 :))
[19:20:51] <Damianz>	 :D
[19:20:56] * hoo|away  is in love with Ryan_Lane again...

[19:21:08] <Ryan_Lane>	 it's likely going to take a while for us to get to this
[19:21:31] <Ryan_Lane>	 way too much stuff to do right now :)
[19:21:32] <Damianz>	 petan: 'Shared instances' apart from the bots that have their own instances so don't crash the others from being a usage whore?
[19:21:47] <petan>	 it's not requirement to have a shared instance
[19:21:50] <Ryan_Lane>	 Damianz: that's one of our reasons for wanting separate instances
[19:22:05] <Ryan_Lane>	 also, the hardware we are getting in will support thousands of instances
[19:22:13] <petan>	 but if a bot doesn't eat a lot of cpu / memory there is no need to have it on separate instance
[19:22:23] <petan>	 like wm-bot
[19:22:39] <Ryan_Lane>	 bots can more easily be handled in a shared way
[19:22:46] <Ryan_Lane>	 tools are more difficult
[19:22:49] <Damianz>	 Tbf I'd like in tests to be able to trash and re-launch my bot instances as needed to test stuff then merge into the labs 'production' stuff and have it update by puppet.
[19:23:01] <methecooldude>	 "the others from being a usage whore?" - /me stares at ClueBot :P
[19:23:02] <petan>	 we should have a scheduler which run a bot on isntance with lowest load
[19:23:09] <Ryan_Lane>	 +1
[19:23:20] <Platonides>	 SGE ?
[19:23:32] <Ryan_Lane>	 that may be excessive ;)
[19:23:35] <Ryan_Lane>	 but it's possible
[19:23:44] <Damianz>	 methecooldude: CB is going to get packages when I get bored so we can shift it about if needed.
[19:23:49] <Damianz>	 s/packages/packaged/
[19:24:26] <Ryan_Lane>	 I'd really like all bots to be packaged and puppetized
[19:24:28] <Damianz>	 In regards to bots - is the standard to run them under their own users or labs users? I'd say the former if we're going towards puppet.
[19:24:30] <Ryan_Lane>	 with init scripts and such
[19:24:43] <Ryan_Lane>	 their own system users
[19:24:52] <Ryan_Lane>	 if they are packaged, that's easy :)
[19:24:58] <Damianz>	 Yeah
[19:25:04] <petan>	 ok
[19:25:05] <Ryan_Lane>	 also, they should be installed on all bot-runners
[19:25:08] <Damianz>	 Like shifting cbng from supervisord to upstart would be cool
[19:25:27] <Ryan_Lane>	 then moving a bot is a matter of stopping it on one instance, and starting it on another
[19:25:30] <Damianz>	 It would be kinda nice if based on ganglia/nagios we could move or restart bots
[19:25:44] <Ryan_Lane>	 yeah. I could see that going badly, though ;)
[19:25:49] <Damianz>	 lol
[19:25:51] <Ryan_Lane>	 probably easier to move them manually
[19:26:18] <petan>	 we should move log to bots-1 btw
[19:26:30] <petan>	 because it's running on overloaded bots-2 and crashing
[19:26:38] <Damianz>	 Have a server dead, oh these bots are on there -> start them on other instance wouldn't be too bad... we'd need a STONITH approach though
[19:26:39] <petan>	 !log test
[19:26:41] <petan>	 like now
[19:26:43] <petan>	 it's gone
[19:27:23] <Ryan_Lane>	 Damianz: delete the instance ;)
[19:27:32] <Ryan_Lane>	 if all of the instances are the same, why not?
[19:27:38] <Damianz>	 Which as another note - do we plan on supporting being able to have access keys to openstack where we can have scripts pull stats/do stuff without our user key?
[19:27:44] <Ryan_Lane>	 that's about as STONITH as you can get ;)
[19:27:48] <Damianz>	 :D
[19:27:52] <Damianz>	 DIE!
[19:28:01] <Ryan_Lane>	 yes. cli access is in the plans
[19:28:04] <Ryan_Lane>	 it's hard, though
[19:28:24] <Ryan_Lane>	 because openstack doesn't support puppet or dns (though thanks to andrewbogott it will in essex)
[19:28:35] * Damianz  gives andrewbogott a cookie

[19:28:43] <Ryan_Lane>	 also, it doesn't support writing to mediawiki
[19:28:46] <Ryan_Lane>	 andrewbogott is working on all of these things
[19:28:58] <Ryan_Lane>	 as well as some other great things :)
[19:29:04] <andrewbogott>	 Actually, right now I'm eating lunch.
[19:29:08] <Damianz>	 Oh
[19:29:13] * Damianz  takes the cookie off andrewbogott until he does work

[19:29:14] <Ryan_Lane>	 :D
[19:30:12] <Ryan_Lane>	 petan: hm. the bot is dead again? that's odd
[19:30:30] <Ryan_Lane>	 I'd love to be able to restart it from labsconsole
[19:30:30] <petan>	 it's because it's running on heavily loaded server
[19:30:33] <Ryan_Lane>	 yeah
[19:30:33] <Damianz>	 It seems to be randomly diying for the past couple of weeks.
[19:30:44] <petan>	 it should be moved to bots-1
[19:30:58] <petan>	 another reason to have a load balancer
[19:31:05] <Damianz>	 Ryan_Lane: I'd like to be able to see all bot/tool status centrally and cull as required but that's more a project thing.
[19:31:09] <Ryan_Lane>	 I'll put some effort in to update the package (since I modified the code some, since then) and move it
[19:31:15] <petan>	 Damianz: nagios?
[19:31:27] <Ryan_Lane>	 we'll have ganglia soon
[19:31:29] <Damianz>	 petan: Are any bots monitored in nagios?
[19:31:35] <petan>	 I hope it will be
[19:31:37] <Damianz>	 Actual bots, I know mind arn't.
[19:31:56] <petan>	 if we create a class to nova, people could definte own services using console
[19:32:01] <petan>	 labs console :)
[19:32:15] <petan>	 nagios parses stuff using smw from wiki
[19:32:20] <Damianz>	 Hmmm
[19:32:43] <petan>	 so if there was a generic service where people would just pick and define the check it would be possible
[19:32:54] <Damianz>	 That would be shiny
[19:33:16] <petan>	 also I want to make access to nagios using ldap
[19:33:23] * Ryan_Lane  nods

[19:33:24] <petan>	 however I didn't find out how
[19:33:36] <Ryan_Lane>	 we'll have to talk about that
[19:33:40] <petan>	 ok
[19:33:56] <Ryan_Lane>	 we really need some form of web sso
[19:33:59] <Damianz>	 In regards to ldap, don't we have 2 ldap servers atm? As one that does some stuff and one that does other stuff rather than instances replicated.
[19:34:14] <Ryan_Lane>	 our ldap situation right now kind of sucks
[19:34:29] <Ryan_Lane>	 I need to rearchitect everything in production
[19:34:34] <Damianz>	 SSO for mw would be nice, being able to use wikipedia details reliablty would be amazing for project stuff :(
[19:34:38] <Ryan_Lane>	 for labs we currently have one LDAP server
[19:35:26] <Ryan_Lane>	 we also only have one DNS server ;)
[19:35:38] <Damianz>	 Oh awesome
[19:35:41] <Ryan_Lane>	 when I bring things up in eqiad, it'll all be redundant
[19:36:38] <Ryan_Lane>	 building a robust infrastructure takes time :)
[19:36:44] <Ryan_Lane>	 there's a reason we're still in closed beta. heh
[19:37:06] <petan>	 ok so let's discuss the sql server now
[19:37:12] * Ryan_Lane  nods

[19:37:22] <Ryan_Lane>	 so, we'll likely have two clusters
[19:37:35] <Ryan_Lane>	 one that is replicated from production, like toolserver
[19:37:46] <Ryan_Lane>	 and another that allows users to create/manage their own databases
[19:38:07] <petan>	 ok, is it going to be only one sql service, or would it be possible to have a server per project
[19:38:11] <Platonides>	 makes sense
[19:38:11] <Platonides>	 could they be joined
[19:38:13] <Platonides>	 ?
[19:38:17] <petan>	 so that people can have unique db's etc
[19:38:38] <Damianz>	 Is the plan to run Mariadb over MySQL?
[19:38:42] <petan>	 maria
[19:38:44] <Ryan_Lane>	 Platonides: hm. that may be difficult
[19:38:56] <Ryan_Lane>	 it was maria
[19:39:00] <Ryan_Lane>	 I'm not totally sure now
[19:39:20] <Ryan_Lane>	 I don't want people storing their ldap password on a filesystem
[19:39:35] <Ryan_Lane>	 and if we have LDAP auth, it's likely
[19:39:59] <Ryan_Lane>	 I think I'd really prefer a service that gives the user a password that is specific to the database, and can easily be changed
[19:40:09] <Platonides>	 Ryan_Lane, one big feature is to be able to join a user table with a cluster one
[19:40:12] <Damianz>	 Having something on labsconsole that lets you make a user wouldn't be that hard though.
[19:40:15] <Ryan_Lane>	 Platonides: ah
[19:40:24] <Ryan_Lane>	 Platonides: I'll keep that in mind, then
[19:40:45] <Ryan_Lane>	 Damianz: yeah, something along those lines would be nice
[19:41:00] <Ryan_Lane>	 of course, we need to ensure people can't delete/modify other people's databases...
[19:41:03] <Ryan_Lane>	 we also need quotas
[19:41:04] <Platonides>	 the toolserver does that with -user servers of the cluster, where you can create dbs
[19:41:12] <Ryan_Lane>	 having this per-project would be ideal
[19:41:36] <Ryan_Lane>	 Platonides: is it per-request, or do all users have the ability to make as many dbs as possible?
[19:41:38] <petan>	 so there is no plan of having a sql server per project?
[19:41:50] <petan>	 like people could have own databases and root access
[19:41:53] <Damianz>	 It would be kinda nice if you're a member of the project you can access all the dbs but I'm not sure how that would work auth wise.
[19:42:19] <Platonides>	 Ryan_Lane, for each wmf cluster you can connect with dns like s1-rr or s1-user
[19:42:28] <petan>	 I can't imagine how we make more production like wiki installations on shared sql server
[19:42:33] <Platonides>	 depending if you want to use the user server or are just interested in the data
[19:42:39] <petan>	 because db names will conflict etc
[19:42:51] <Platonides>	 I think you can create new databases if they begin with your user name
[19:43:05] <Ryan_Lane>	 petan: as mentioned, having it per-project would be nice
[19:43:11] <Ryan_Lane>	 ah
[19:43:16] <Damianz>	 We could do something crazy like have a proxy infront of them and per project prefixes on dbs but that would be insane.
[19:43:25] <petan>	 :D
[19:43:31] <Ryan_Lane>	 well, we do plan on using tungsten
[19:43:32] <Platonides>	 see https://wiki.toolserver.org/view/Database_access#User_databases
[19:44:09] <Damianz>	 Forced prefixes are annoying
[19:44:25] <Platonides>	 what's the problem in requiring to configure dbs with the proper name on each instance?
[19:44:26] <petan>	 indeed
[19:44:27] <Ryan_Lane>	 easiest way to avoid name conflicts, though
[19:44:37] <petan>	 Platonides: performance
[19:44:54] <petan>	 you can't have a dbs on instance because it's slow
[19:44:54] <Platonides>	 uh?
[19:44:59] <Ryan_Lane>	 I don't really like per-user databases...
[19:45:01] <Damianz>	 Also at some point we'd have to shared the physcail servers if labs gets busy..er.
[19:45:12] <petan>	 I mean, we have servers now and they are really slow
[19:45:16] <Platonides>	 petan, I don't mean installing a mysqld on each instance
[19:45:19] <petan>	 ah ok
[19:45:22] <Ryan_Lane>	 in fact, I *really* don't like it. I'd much prefer per-project databases
[19:45:23] <petan>	 nvm
[19:45:33] <Platonides>	 was talinking about configuring on each instance/project to which db it should connect
[19:45:48] <Platonides>	 instead of doing ugly things with a proxy prefixing dbs
[19:45:54] <Ryan_Lane>	 ah. yeah
[19:45:58] <Ryan_Lane>	 that's possible
[19:46:20] <Ryan_Lane>	 anyway, if anyone wants to work on this before we get to it… :)
[19:46:26] <Platonides>	 if needed, the app could eg. extract the prefix from the uname, or something similar
[19:46:58] <petan>	 I am a bit lost now, if someone could insert it to epad, would be cool
[19:47:27] <jeblad>	 one question; I was under the impression that labs was testing, but am I correct if it is more like "the place for all weird stuff"?
[19:47:39] <petan>	 heh
[19:47:47] <petan>	 define weird
[19:47:50] <Damianz>	 I think with some projects we're going to not fit into that model though - they are probably better using hadoop or some nosql server if they want 200GB dbs though I guess.
[19:48:15] <Ryan_Lane>	 jeblad: it's a community maintained environment that is mostly geared around testing
[19:48:17] <Damianz>	 s/we're/are'nt'/
[19:48:20] <Damianz>	 Really can't type tonight gah
[19:48:38] <Damianz>	 Closed beta testing env running production stuff!
[19:48:47] <Ryan_Lane>	 jeblad: some aspects of it are quasi-production
[19:48:55] <Ryan_Lane>	 well, not production from the WMF's POV ;)
[19:49:26] <jeblad>	 ok, .. quasi-production from vm-servers.. :-]
[19:49:34] <Damianz>	 If it was production we could wake Ryan_Lane up at 2am to fix stuff :D
[19:49:39] <petan>	 :)
[19:49:48] <Ryan_Lane>	 :d
[19:49:49] <Ryan_Lane>	 err
[19:49:50] <Ryan_Lane>	 :D
[19:50:04] <Ryan_Lane>	 notice none of you have my cell phone number :)
[19:50:08] <petan>	 we need to implement sms nagios :)
[19:50:23] <Damianz>	 Phone? So last year, I'd just annoy you on g+ :P
[19:50:25] <Ryan_Lane>	 I do get alerts if labs is done
[19:50:31] <Ryan_Lane>	 *down
[19:50:43] <petan>	 we'll test it at 2 am
[19:50:47] <Ryan_Lane>	 no thanks :)
[19:51:03] <Damianz>	 I like the production nagios alerts based on timezone
[19:51:05] * jeblad  writes note about writing an app for wake up call to Ryan_Lane with a big red button for every member on "labs"

[19:51:18] <Ryan_Lane>	 Damianz: yeah, we added that recently
[19:51:25] <Ryan_Lane>	 we have enough people for that to work now
[19:51:49] <Damianz>	 Yeah... I need more ops people in the us for that to work, my entire team is uk based :(
[19:51:49] <Ryan_Lane>	 jeblad: I'll retaliate with a stab button :)
[19:52:22] <petan>	 ok, so what are the expected limits on sql server
[19:52:28] <petan>	 I suppose certain queries will not be allowed
[19:52:42] <petan>	 + there will be timeouts for queries
[19:52:44] <Ryan_Lane>	 I unfortunately suck at mysql....
[19:52:57] <Damianz>	 MySQL is kinda dependant on what other commodity services we have though IMO.
[19:53:01] <Ryan_Lane>	 so hopefully someone else will be helping with this
[19:53:25] <Ryan_Lane>	 I haven't put a ton of thought into the mysql support
[19:53:39] <petan>	 ok
[19:54:08] <Ryan_Lane>	 we're hiring, though, so hopefully that person will have better knowledge of it. or maybe asher will help out.
[19:54:51] <petan>	 right let's discuss gluster storage now
[19:55:02] <Damianz>	 Tungsten looks cool, can't say I've ever used it but I've got some MySQL replication stuff coming up in projects :D
[19:55:11] <petan>	 I don't really know how gluster works at all
[19:55:19] <Ryan_Lane>	 Damianz: yeah, we want it for the multiplexing and filtering support
[19:55:30] <Damianz>	 Yeah binlog filtering sucks ass.
[19:55:50] <Ryan_Lane>	 gluster is a distributed block-based filesystem
[19:56:12] <petan>	 ok so there will be a huge filesystem right?
[19:56:16] <Damianz>	 Yeah
[19:56:20] <Ryan_Lane>	 yes
[19:56:24] <Ryan_Lane>	 we have 4 nodes
[19:56:26] <petan>	 each project will have assigned storage there
[19:56:30] <petan>	 with some quota
[19:56:34] <Ryan_Lane>	 each node has 40TB of storage, roughly
[19:56:45] <Ryan_Lane>	 gluster acts like a raid-1 across the network
[19:56:50] <petan>	 ok
[19:56:51] <jeblad>	 8D
[19:56:52] <Ryan_Lane>	 so, we have roughly 80TB of storage
[19:57:12] <petan>	 would it be possible to change quota on fly?
[19:57:24] <petan>	 like this project needs 80gb+
[19:57:25] <Ryan_Lane>	 we don't have any software written for any of this yet :)
[19:57:39] <Ryan_Lane>	 right now I'm going to write a script like we have for home directories
[19:57:47] <Damianz>	 Are the nodes in a 1<>1 or peered together (so less like a standard raid1 config)?
[19:57:52] <Ryan_Lane>	 andrewbogott is writing a nova volume driver for it, though
[19:58:02] <Ryan_Lane>	 peered
[19:58:03] <petan>	 ok, the performance of this gluster storage is going to be better than performance of current fs
[19:58:04] <petan>	 on instances
[19:58:13] <Ryan_Lane>	 very likely, yes
[19:58:41] <petan>	 how is it going to be mounted to intances
[19:58:50] <petan>	 there will be like a shared mountpoint on all instances?
[19:58:54] <Ryan_Lane>	 the way things look right now, it's: ext3 -> qcow2 -> gluster -> xfs -> lvm -> raid10
[19:58:56] <petan>	 like a nfs server?
[19:59:17] <Ryan_Lane>	 with volume storage it'll be: gluster -> xfs -> lvm -> raid10
[19:59:26] <Ryan_Lane>	 yes
[19:59:36] <Ryan_Lane>	 it'll be automounted, and that config will be in LDAP
[19:59:45] <petan>	 so basically each project will have a big folder mounted to each instance
[19:59:50] <Ryan_Lane>	 yep
[19:59:59] <petan>	 is it possible to split it
[20:00:21] <Ryan_Lane>	 in which way?
[20:00:21] <petan>	 like to have 2 separate gluster storages for 1 project
[20:00:26] <Ryan_Lane>	 ah
[20:00:31] <Damianz>	 I assume the nova driver will connect out to all nodes so if we shoot one in the foot it won't take down all the instances.
[20:00:35] <petan>	 if you for instance fill one up, the other still has space
[20:00:37] <Damianz>	 ..well bots.
[20:00:37] <Ryan_Lane>	 I kind of wanted the ability for projects to have x number of volumes
[20:00:43] <Ryan_Lane>	 where x is quota'd
[20:00:44] <petan>	 ok
[20:00:52] <Ryan_Lane>	 and each volume would be quota'd
[20:01:21] <Ryan_Lane>	 Damianz: well, the nova driver won't actually mount it on the instances
[20:01:28] <Ryan_Lane>	 it'll just make it available to the instances
[20:02:02] <Damianz>	 Ah
[20:02:03] <Ryan_Lane>	 automount will mount it
[20:02:16] <Damianz>	 Are you planning on keeping instance storage local or shifting it over?
[20:02:21] <Ryan_Lane>	 local
[20:02:28] <Damianz>	 :)
[20:02:29] <Ryan_Lane>	 I want them to be separate clusters
[20:02:37] <Ryan_Lane>	 also, it just makes a lot of sense :)
[20:02:45] <Damianz>	 Yeah
[20:05:52] <petan>	 ok, last point is documentation heh
[20:05:59] <petan>	 I started help:contents on labs
[20:06:00] <Damianz>	 We have documentation?
[20:06:09] <petan>	 I think it would be cool to move all to Help space
[20:06:16] <Ryan_Lane>	 Damianz: some :)
[20:06:21] <Ryan_Lane>	 petan: agreed
[20:06:31] <petan>	 also to insert it to Sidebar
[20:06:35] <Ryan_Lane>	 yep
[20:06:37] <petan>	 like a link to Contents
[20:06:51] <petan>	 it would be cool to have a link on each nova special page
[20:06:55] <petan>	 to specific manual page
[20:07:42] <Ryan_Lane>	 ah. yeah, that would be useful
[20:07:46] <Ryan_Lane>	 petan: I changed sidebar
[20:07:49] <petan>	 cool
[20:07:55] <petan>	 people can actually do this
[20:08:01] <petan>	 @search security
[20:08:01] <wm-bot>	 Results (found 1): security, 
[20:08:04] <petan>	 !security
[20:08:04] <wm-bot>	 https://labsconsole.wikimedia.org/wiki/Security_Groups
[20:08:08] <petan>	 :)
[20:08:17] <petan>	 but having a link directly on a page would be faster
[20:08:20] <Damianz>	 I'd kinda like per project or in the bots case, per bot docs.
[20:08:33] <petan>	 I meant a documentation for labs now
[20:08:34] <Damianz>	 Ideally anyone in a project should be able to fix other peoples stuff.
[20:08:39] <petan>	 but projects could have own docs too
[20:08:43] <Ryan_Lane>	 Unfortunately, we need to limit sysop access on labsconsole
[20:08:56] <Ryan_Lane>	 so, any admin related actions need to go through ops
[20:09:19] <petan>	 or just create a new usergourp in wiki, like with editinterface etc
[20:09:37] <petan>	 but I don't really think there is too much to do what require a sysop
[20:09:47] <petan>	 writing documentation can be done by regular users :)
[20:09:52] <Ryan_Lane>	 https://bugzilla.wikimedia.org/show_bug.cgi?id=34500
[20:10:06] <Ryan_Lane>	 petan: ah. right
[20:10:15] <Ryan_Lane>	 I forget that's possible :)
[20:11:21] <Ryan_Lane>	 is there anything you guys hate about the openstackmanager interface? features you'd like added?
[20:11:34] <Damianz>	 I hate it randomly decides people don't exist
[20:11:41] <Ryan_Lane>	 yeah. I hate that too
[20:11:50] <Ryan_Lane>	 I still haven't been able to track that bug down
[20:11:58] <petan>	 I think we should have improved interface so it can handle like thousands of projects
[20:12:02] <Damianz>	 Also being able to list instances in other projects would be nice
[20:12:07] <petan>	 in future it will be hard to navigate through
[20:12:07] <Ryan_Lane>	 petan: yep. working on that now :)
[20:12:11] <Damianz>	 I can find them by searching for their pages but no list :(
[20:12:19] <Ryan_Lane>	 by default no projects will be shown
[20:12:30] <Ryan_Lane>	 we'll have a project filter where you can select which projects you'd like shown
[20:12:42] <petan>	 ok
[20:12:49] <petan>	 maybe better error messages heh
[20:12:57] <petan>	 with instructions what is wrong
[20:12:57] <Ryan_Lane>	 yeah. the messages suck :(
[20:13:12] <petan>	 like people are coming here asking why they can't do this and that
[20:13:14] <Ryan_Lane>	 maybe I can pass through the openstack error messages, when they exist
[20:13:15] <Damianz>	 Also what's 'managed sudo policies' for? 
[20:13:26] <Ryan_Lane>	 Damianz: it's an admin specific thing
[20:13:29] <petan>	 Error: you can't insert new security rule because you aren't a netadmin in project "YAAY"
[20:13:29] <Ryan_Lane>	 we can manage sudo via LDAP
[20:13:40] <petan>	 instead of "Fail"
[20:13:44] <Damianz>	 ah
[20:13:55] <Ryan_Lane>	 well, I'm actually just removing those options, when a user doesn't have the rights :)
[20:14:07] <Damianz>	 :)
[20:14:15] <Ryan_Lane>	 it's a lot more user-friendly
[20:14:29] <Damianz>	 Apart from listing instances in other projects and the horrid table in table in table project screen I can't think of much else.
[20:14:35] <Ryan_Lane>	 heh
[20:14:43] <Ryan_Lane>	 I'm also changing the project list
[20:14:46] <Ryan_Lane>	 to be headings
[20:14:51] <petan>	 projects can be categorized in future
[20:15:04] <petan>	 like a matrix of projects etc
[20:15:20] <petan>	 people could click through to find an interesting project to work on
[20:15:25] <Ryan_Lane>	 ah. hm. I wonder how I can implement that...
[20:15:27] <jeblad>	 There should be some docs about how to be involved
[20:15:33] <Ryan_Lane>	 jeblad: indeed
[20:15:38] <petan>	 there should be some docs :)
[20:15:40] <Ryan_Lane>	 +1
[20:15:46] <Damianz>	 :)
[20:15:47] <Ryan_Lane>	 documentation is hard :)
[20:15:56] <Damianz>	 Code is self documenting!
[20:16:02] <Ryan_Lane>	 I disagree :D
[20:16:03] <petan>	 meh
[20:16:14] <jeblad>	 Now it seems like it is only about what you wnat to achieve and that it is a community effort, but nothing about how to involve the community
[20:16:15] <petan>	 Damianz: you didn't see my code
[20:16:24] <Damianz>	 Well.. sometimes it's quicker to browse the code than read the docs :P
[20:16:46] <petan>	 for (x in blah Blah) etc (really I name variables blah sometimes)
[20:16:50] <Damianz>	 jeblad: It's kinda like you annoy Ryan_Lane then someone else then do stuff... organisation is lacking.
[20:17:04] <Ryan_Lane>	 yep
[20:17:16] <Ryan_Lane>	 I know one possible help
[20:17:24] <Ryan_Lane>	 liquid threads, for one
[20:17:32] <Ryan_Lane>	 and project access requests on project talk pages
[20:17:39] <Damianz>	 That would be nice
[20:17:40] <petan>	 people should know that Ryan isn't only person who can help
[20:17:44] <petan>	 !ryan
[20:17:44] <Ryan_Lane>	 yes
[20:17:47] <petan>	 !Ryan
[20:17:47] <wm-bot>	 man of the all answers ever
[20:17:48] <Damianz>	 A general 'I have no idea what I'm doing' page would be good too
[20:17:51] <petan>	 !Ryan del
[20:17:51] <wm-bot>	 Successfully removed Ryan
[20:17:54] <Ryan_Lane>	 heh
[20:18:31] <petan>	 !Ryan is man of all answers ever (but there are others :))
[20:18:31] <wm-bot>	 Key was added!
[20:18:39] <Ryan_Lane>	 there's a log way back where I explained in great detail how things work
[20:18:43] <Ryan_Lane>	 in this channel
[20:18:51] <Ryan_Lane>	 I should take that and turn it into documentation :)
[20:18:59] <Damianz>	 petan: Oh also could you move the un-foldered logs into the folders... it's confusing :P
[20:19:15] <Ryan_Lane>	 we should link to this channel's IRC logs from labsconsole too
[20:19:24] <petan>	 unfoldered logs are from time we had wm-bot
[20:19:27] * Damianz  really should stop logging into apache1 and grep'ing petan's home dir for referce.

[20:19:29] <petan>	 * before we had
[20:19:45] <petan>	 Damianz: there is a project to make a search engine
[20:19:50] <Damianz>	 :D
[20:19:54] <petan>	 it's in wikimedia svn
[20:20:00] <petan>	 if you want to help, please make it :)
[20:20:04] <Damianz>	 Ooh shiny except I don't have a svn account :P
[20:20:12] <petan>	 that's a pain to ask for one
[20:20:30] <Ryan_Lane>	 well, you have a labs account, you just need to be added into an svn group
[20:20:38] <petan>	 it usually takes few weeks and you have to pass a test that you are proper programmer heh
[20:20:40] <Ryan_Lane>	 I'm going to let the devs handle that, though :)
[20:20:42] <Damianz>	 Though you might have given me an excuse to read how to ask for it.
[20:20:50] <Damianz>	 Meh 
[20:20:53] <Ryan_Lane>	 petan: with the switch to git, that all goes away
[20:20:57] <petan>	 I hope
[20:21:05] <Ryan_Lane>	 it's review before merge
[20:21:15] <Damianz>	 Pretty sure all my wikipedia rights have been from annoying admins I know :P
[20:21:45] <Ryan_Lane>	 so it doesn't matter if someone has no programming skills, we'll see it in the code
[20:21:46] * petan  thinks that rollback bit is less destructive than sudo reboot

[20:21:53] <Damianz>	 Ryan_Lane: Can't the svn stuff that's turning into git just use git review?
[20:22:08] <Ryan_Lane>	 yes
[20:22:45] <Damianz>	 :)
[20:22:58] <petan>	 Damianz: ur grepping my home?
[20:23:01] <petan>	 wondering what is there
[20:23:08] <petan>	 logs are in /mnt/public_html
[20:23:09] <Damianz>	 petan: Well public_html dir
[20:23:16] <petan>	 symlink :)
[20:23:19] <petan>	 true
[20:23:35] <petan>	 I was lazy to fix a bot so I fixed it using a link
[20:23:42] <Damianz>	 Lol
[20:23:51] <Damianz>	 We should patch Ryan_Lane's code to mount bind them :P
[20:25:50] <petan>	 Ryan_Lane: can you make an account to one huggle project coder
[20:25:56] <petan>	 for labs
[20:26:09] <Ryan_Lane>	 yeah. where's he at?
[20:26:16] <petan>	 I hope he come soon
[20:26:28] <Ryan_Lane>	 I need to eat lunch :)
[20:26:37] <Ryan_Lane>	 is meeting over?
[20:26:51] <petan>	 I guess yes unless someone has more questions
[20:27:04] <petan>	 I will try to summarize it all
[20:27:42] <Damianz>	 I need food :D
[20:28:09] <Damianz>	 I think the next meeting needs some noobs, maybe once we're not in closed beta anymore.
[20:28:11] <Ryan_Lane>	 cool. good meeting guys.
[20:28:20] <Ryan_Lane>	 want to have one every month or so?
[20:28:27] <petan>	 it would be cool
[20:28:35] <petan>	 like to have all people online :)
[20:28:44] <mmovchin>	 hello
[20:28:48] <petan>	 Ryan_Lane: mmovchin is that guy
[20:28:50] <Ryan_Lane>	 howdy
[20:28:55] <Ryan_Lane>	 mmovchin: you'll be working on huggle?
[20:29:08] <Ryan_Lane>	 !account-questions | mmovchin
[20:29:08] <wm-bot>	 mmovchin: I need the following info from you: 1. Your preferred wiki user name. This will also be your git username, so if you'd prefer this to be your real name, then provide your real name. 2. Your SVN account name, or your preferred shell account name, if you do not have SVN access. 3. Your preferred email address.
[20:29:15] <mmovchin>	 hello Ryan
[20:29:20] <mmovchin>	 yes, you're right
[20:29:21] <petan>	 he is actually developer of huggle now, but would like to have access to our instance
[20:29:26] <Ryan_Lane>	 ah. cool
[20:29:53] <mmovchin>	 Can 1 and 2 be the same?
[20:29:57] <Ryan_Lane>	 yes
[20:30:04] <mmovchin>	 1+2) mmovchin
[20:30:09] <mmovchin>	 3) michael@movchin.de
[20:30:10] <mmovchin>	 Thank you
[20:30:26] <petan>	 Damianz: can you improve the part of docs in pad
[20:30:31] <petan>	 the project docs
[20:30:38] <petan>	 I don't know what was your idea
[20:31:13] <Damianz>	 I was thinking more per project so for example how bots works, what runs on it etc so if something is borked I can go ah it's probably this <document>
[20:31:28] <petan>	 that should be a subpage of project I guess
[20:31:39] <petan>	 or maybe each project could have a page in main space
[20:31:49] <Ryan_Lane>	 !initial-login | mmovchin
[20:31:49] <wm-bot>	 mmovchin: https://labsconsole.wikimedia.org/wiki/Access#Initial_log_in
[20:32:03] <Ryan_Lane>	 ok. I'm off to get food and such
[20:32:07] * Ryan_Lane  waves

[20:32:15] <petan>	 ok :)
[20:32:47] <mmovchin>	 thank you, ryan
[20:32:50] <Ryan_Lane>	 yw
[20:32:52] * Damianz  waves at Ryan_Lane|food

[20:33:10] <mmovchin>	 petan: See #huggle
[20:35:53] <petan>	 mmovchin: let me know if you need any help
[20:35:59] <petan>	 with access to instance etc
[20:36:12] <labs-home-wm>	 02/18/2012 - 20:36:11 - Creating a home directory for mmovchin at /export/home/bastion/mmovchin
[20:38:12] <labs-home-wm>	 02/18/2012 - 20:38:12 - Creating a home directory for mmovchin at /export/home/huggle/mmovchin
[20:39:03] <mmovchin>	 petan: thanks
[20:39:12] <labs-home-wm>	 02/18/2012 - 20:39:11 - Updating keys for mmovchin
[20:39:49] <petan>	 mmovchin: what if we move to wikimedia bz
[20:39:58] <petan>	 rather than making own one
[20:40:06] <mmovchin>	 wikimedia bz?
[20:40:09] <mmovchin>	 bz?
[20:40:09] <petan>	 bugzilla
[20:40:15] <mmovchin>	 ah
[20:40:23] <mmovchin>	 That would be great
[20:40:28] <petan>	 ok
[20:40:31] <mmovchin>	 So we don't have to set up a own one
[20:40:35] <petan>	 yes
[20:40:42] <mmovchin>	 Could you realize that?
[20:40:49] <petan>	 :)
[20:40:54] <mmovchin>	 Or is everyone free to request a project on bugzilla?
[20:40:56] <petan>	 you mean if I can set it up?
[20:41:00] <mmovchin>	 yes
[20:41:05] <mmovchin>	 on wm bz
[20:41:07] <petan>	 I can ask someone who can
[20:41:12] <mmovchin>	 thank you :)
[20:41:26] <mmovchin>	 It would be great if it would be ready until the meeting
[20:41:50] <mmovchin>	 So I can move all issue we have on Googlecode to Bugzilla
[20:43:15] <mmovchin>	 *issues
[20:43:27] <petan>	 ok
[20:44:17] <mmovchin>	 thanks
[20:44:24] <mmovchin>	 FYI: Just send out the mail
[22:12:00] <Athlon>	 can i get an public ip for my nova instance now
[22:30:30] <methecooldude>	 Athlon: What instance is that?
[22:34:16] <Athlon>	 simplewikt
[22:36:06] <methecooldude>	 Athlon: I don't have access to that, so I can't help you sorry
[23:00:43] <Damianz>	 Athlon: Short answer, no
[23:00:47] <Damianz>	 Long answer, ask Ryan.
[23:01:19] <Ryan_Lane>	 Athlon: have you tested with a socks-proxy to make sure it works?
[23:02:10] <Athlon>	 yes
[23:02:38] <Ryan_Lane>	 ok. gimme a little bit :)
[23:02:48] <Ryan_Lane>	 in the middle of somethign else
[23:28:03] <Ryan_Lane>	 what's your tool called?
[23:28:50] <Ryan_Lane>	 Athlon: ^^
[23:31:12] <Athlon>	 simplewikt
[23:33:08] <Ryan_Lane>	 simplewikt.tools.wmflabs.org
[23:34:03] <Ryan_Lane>	 hm. can't ping it
[23:35:29] <Ryan_Lane>	 heh
[23:35:35] <Ryan_Lane>	 it's outside of the subnet
[23:35:41] <Ryan_Lane>	 we're out of public IPs for now
[23:35:44] <Ryan_Lane>	 so, you'll need to wait.
[23:36:11] <Damianz>	 Ryan_Lane: You should just get an ipv6 tunnel on one of the isntances and give out ips for free :P
[23:36:28] <Ryan_Lane>	 I need to enable IPv6 support in nova
[23:38:14] <Ryan_Lane>	 well, that surely didn't take long
[23:38:18] <Ryan_Lane>	 seems I need to work on that proxy soon
[23:39:10] <Damianz>	 Assuming we only want to support http/https..maybe ftp a varnish/nginx proxy wouldn't be that much work.
[23:39:32] <Ryan_Lane>	 yeah, I'd likely do an nginx proxy
[23:39:41] <Ryan_Lane>	 transparent. no caching
[23:40:45] <Damianz>	 We could probably do it with puppet and variables but that could get really messy if you wanted hundreds in I guess.
[23:40:55] <Ryan_Lane>	 nah. I'd prefer to make it like an openstack service
[23:41:30] <Ryan_Lane>	 hm. there's a load balancing service that already exists...
[23:41:41] <Ryan_Lane>	 I wonder if it can just to simple proxying
[23:41:54] <Ryan_Lane>	 http://wiki.openstack.org/Atlas-LB
[23:46:19] <Ryan_Lane>	 that doesn't seem appropriate. guess I'll need to write something
[23:47:32] <Damianz>	 Hmm that could be interesting
[23:48:00] <Damianz>	 It would be nice if you could have a bunch of boxes setup with like cryosync/pacemaker and make a cloudy lb/proxy thing.
[23:48:11] <Ryan_Lane>	 I hate pacemaker
[23:48:25] <Ryan_Lane>	 we use LVS for load balancing
[23:48:31] <Ryan_Lane>	 and BGP to failover between them
[23:48:45] <Ryan_Lane>	 it's reliable and simple :)
[23:49:38] <Damianz>	 BGP is a funny protocol
[23:49:48] <Damianz>	 Kinda really simple yet can cause weird routing issues
[23:50:27] * Ryan_Lane  nods

[23:50:39] <Damianz>	 Doing it in BGP in theory should have a lower risk factor as switching ips around/restarting services has a time betwean down and up... and also leaves the capacity side on one live box.
[23:51:25] <Ryan_Lane>	 yep
[23:52:55] <Damianz>	 What do you use LVS for then? Doing the monitoring with a hook to update BGP or a bunch of LVS instances above the squid boxes? I assume the squid then round robin on the apache instances or do they go back to routed ips based on lvs too? 
[23:53:05] * Damianz  thinks he read about this ages ago on wiki blog tech somewhere

[23:53:10] <Ryan_Lane>	 BGP directs the traffic to the LVS server
[23:53:17] <Ryan_Lane>	 the LVS server directs it to the real servers
[23:53:26] <Ryan_Lane>	 the real servers return traffic to the client
[23:53:46] <Damianz>	 So you're using direct routing in LVS rather than NAT/Proxying it it.
[23:53:54] <Ryan_Lane>	 yep
[23:53:59] <Damianz>	 Cool
[23:58:29] <Ryan_Lane>	 !account-questions
[23:58:29] <wm-bot>	 I need the following info from you: 1. Your preferred wiki user name. This will also be your git username, so if you'd prefer this to be your real name, then provide your real name. 2. Your SVN account name, or your preferred shell account name, if you do not have SVN access. 3. Your preferred email address.
[23:58:44] <Ryan_Lane>	 yes, I'm lazy enough to copy/paste this into an email
[23:59:17] <Damianz>	 You should just make wm-bot do the emailing :P
[23:59:33] <Ryan_Lane>	 heh