[00:16:10] csteipp: /srv/deployment/mediawiki/common/wikiversions.cdb
[00:16:18] csteipp: that's missing on beta
[00:16:22] any idea how that's generated?
[00:16:43] Reedy would know for sure, but I think that's something we keep in synch manually
[00:16:57] from wikiversions.dat
[00:17:08] sync-wikiversions makes it and pushes to mediawiki-installation
[00:18:12] from the .dat file?
[00:18:20] ya
[00:18:24] sync pushes both .dat and .cdb
[00:18:28] but how is the .cdb generated?
[00:18:47] and are we going to be checking that in locally or something?
[00:18:48] $COMMONDIR/multiversion/refreshWikiversionsCDB
[00:18:49] $COMMONDIR/multiversion/refreshWikiversionsCDB
[00:19:01] /usr/local/bin/sync-wikiversions does the whole lot
[00:19:02] I see it's on tin
[00:19:05] was it checked in?
[00:19:17] right, but we're getting rid of scap
[00:19:33] Still essentially the same process (make, push, distribute)
[00:19:39] the dat was before, I think I added the cdb on newdeploy
[00:19:43] so we need to check it in locally
[00:20:16] hmm, maybe I didn't
[00:20:21] But yeah, if it's not already it does
[00:20:37] what do you mean it does?
[00:20:39] what does?
[00:20:50] it does want checking in
[00:20:54] heh
[00:22:02] on tin it must be checked in
[00:22:27] Invalid version dir '/srv/deployment/mediawiki/common/php-master' for wiki 'aawiki'.
[00:22:27] it needs checking in? or it already is? :p
[00:22:28] eh?
[00:22:39] Because labs don't do the same thing
[00:22:40] well, git status shows clean
[00:22:41] and it's there
[00:22:47] …….
[00:22:53] ok, you're not really being clear here
[00:22:55] labs always uses master
[00:23:02] it's not going to for now
[00:23:24] until we add the deployment system to production, beta will be running the same versions
[00:24:09] https://gerrit.wikimedia.org/r/gitweb?p=operations/mediawiki-config.git;a=commitdiff;h=4b33c7ca13271336a26aa04cbd717d73bb9649f9
[00:24:13] Looks like antoine started
[00:24:24] not sure why he only did 2 though
[00:24:25] hm
[00:24:34] ah, it uses a different file
[00:24:49] Can you say hack? :D
[00:25:01] well, I understand why
[00:25:09] aye
[00:25:21] Reedy: mind updating the labs one to point to the correct ones?
[00:25:27] is it just a matter of copy/paste?
[00:26:50] Why has antoine kept the php prefix? :/
[00:27:09] no clue :)
[00:27:13] that's not correct
[00:27:19] indeed
[00:27:20] just replace all php-master with 1.21wmf7 in the file
[00:27:24] * Reedy does
[00:32:08] Done
[00:33:16] thanks
[00:34:44] So on the l10n stuff... it looks like mw-update-l10n updates the entire cache in one place, and then sync-l10nupdate-1 copies out the cache to the branch-specific place on each apache
[00:34:57] I'm guessing Brad didn't rewrite that piece yet?
[00:35:04] I think he did
[00:35:19] I think it's in his homedir on tin
[00:35:26] the cron needs some work
[00:35:39] because I need to put in logic for knowing when it can move past the fetch step
[00:35:53] since it's automated
[00:37:14] well, one thing that's fairly fast on labs is deployment
[00:37:16] :)
[00:37:23] RECOVERY Free ram is now: OK on bots-sql2.pmtpa.wmflabs 10.4.0.41 output: OK: 24% free memory
[00:37:32] though if it had 150 minions it would probably be much slower ;)
[00:38:43] RECOVERY Free ram is now: OK on newprojectsfeed-bot.pmtpa.wmflabs 10.4.0.232 output: OK: 34% free memory
[00:39:03] RECOVERY Free ram is now: OK on swift-be3.pmtpa.wmflabs 10.4.0.124 output: OK: 23% free memory
[00:41:40] wikiversions.cdb has no version entry for `aawikibooks`.
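For context on the step being discussed above: refreshWikiversionsCDB reads wikiversions.dat (one "dbname version" pair per line, with an optional trailing "*"), checks that a matching version directory exists, and writes the result out as wikiversions.cdb for fast per-request lookups. The sketch below is an illustrative Python re-implementation, not the real tool (which is a PHP script under multiversion/); the COMMON path and the php- prefix handling are assumptions based on the paths and the "Invalid version dir" error quoted in the conversation.

```python
# Illustrative sketch only; the real refreshWikiversionsCDB is PHP and writes a CDB file.
import os
import sys

COMMON = '/srv/deployment/mediawiki/common'   # path taken from the log

def parse_wikiversions(dat_path):
    versions = {}
    with open(dat_path) as f:
        for line in f:
            parts = line.split()
            if not parts or parts[0].startswith('#'):
                continue
            # e.g. "aawiki 1.21wmf7" or "aawikibooks 1.21wmf7 *"
            dbname, version = parts[0], parts[1]
            # Assumption: the version token maps to a php-<version> checkout.
            dirname = version if version.startswith('php-') else 'php-' + version
            version_dir = os.path.join(COMMON, dirname)
            if not os.path.isdir(version_dir):
                # mirrors the "Invalid version dir ... for wiki 'aawiki'" error above
                sys.exit("Invalid version dir '%s' for wiki '%s'." % (version_dir, dbname))
            versions[dbname] = version
    return versions

if __name__ == '__main__':
    mapping = parse_wikiversions(os.path.join(COMMON, 'wikiversions.dat'))
    # The real script would now serialize `mapping` into wikiversions.cdb.
    print('%d wikis across versions: %s'
          % (len(mapping), ', '.join(sorted(set(mapping.values())))))
```

sync-wikiversions then pushes both the .dat and the regenerated .cdb out to the mediawiki-installation hosts.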
[00:41:43] -_-
[00:42:22] indeed it does not
[00:42:34] did the cdb get rebuilt?
[00:42:44] yeah, it's missing in the .dat file too, though
[00:43:12] where is that complaining?
[00:43:16] on beta
[00:43:30] first entry in the production .dat: aawikibooks 1.21wmf7 *
[00:43:42] first entry for labs one: aawiki 1.21wmf7
[00:43:50] why the * in the production one?
[00:44:00] I'm not sure, Aaron added it for some reason
[00:44:11] I did hesitate when I made my changes
[00:44:14] heh
[00:44:29] maybe the labs one should be exactly like the production one for now?
[00:44:33] https://gerrit.wikimedia.org/r/gitweb?p=operations/mediawiki-config.git;a=blob;f=wikiversions-labs.dat;h=a458491a92b207b5e80beb4b689bfa90563a4742;hb=HEAD
[00:44:44] The one in master has none either
[00:44:54] dewikivoyage php-master *
[00:45:13] right at the end
[00:45:22] hooray for consistency :D
[00:45:32] I'd say for now let's make labs the same as production
[00:45:35] Yeaaah
[00:45:46] What was actually complaining about the lack of aawikibooks though?
[00:45:51] yep
[00:46:23] it's missing from the .dat file
[00:47:08] And the script that was actually complaining?
[00:47:18] ^ that's what I meant
[00:47:33] /var/lib/git-deploy/dependencies/l10n
[00:47:50] it's the new version of l10nupdate-quick
[00:47:53] oh
[00:48:00] I wonder if that's the wiki it's picking to use
[00:48:05] well, not I wonder
[00:48:15] Why aawikibooks when we use aawiki as our usual fallback?
[00:48:19] mwVerDbSets=$($BINDIR/mwversionsinuse --withdb)
[00:48:38] 1.21wmf7=aawikibooks 1.21wmf6=abwiki
[00:49:36] is the current cdb built from production?
[00:50:10] I'd imagine it's using the -labs.dat
[00:51:01] since the cdb refresher complained about it when it had php-master in it
[00:52:06] Array
[00:52:06] (
[00:52:06]     [ee_prototypewiki] => 101
[00:52:06]     [labswiki] => 246
[00:52:06]     [nnwikibooks] => 303
[00:52:06] )
[00:52:06] The above 3 wiki DBs are missing wikiversion rows.
[00:52:15] reedy@tin:/srv/deployment/mediawiki/common$ multiversion/activeMWVersions --withdb
[00:52:15] 1.21wmf7=aawiki 1.21wmf6=enwiktionary
[00:52:15] that happens when I try to use the production one
[00:52:28] weird. I wonder why it's different in labs
[00:52:32] ^ I just moved the labs.dat to the default .dat
[00:52:44] rebuilt the cdb and then ran activeMWVersions again
[00:53:18] multiversion/refreshWikiversionsCDB doesn't seem to take any account of whether we're on labs or not
[00:53:24] unless getRealmSpecificFilename is supposed to..
[00:53:36] it must
[00:54:04] ah, seems there's three wikis in beta that don't exist in production
[00:54:53] PROBLEM host: ee-lwelling.pmtpa.wmflabs is DOWN address: 10.4.0.243 CRITICAL - Host Unreachable (10.4.0.243)
[00:55:23] PROBLEM Free ram is now: WARNING on bots-sql2.pmtpa.wmflabs 10.4.0.41 output: Warning: 14% free memory
[00:55:38] hm. even after I rebuild it, it still comes back with: 1.21wmf7=aawikibooks 1.21wmf6=abwiki
[00:57:48] mv wikiversions.dat wikiversions-prod.dat && mv wikiversions-labs.dat wikiversions.dat && ./multiversion/refreshWikiversionsCDB && ./multiversion/activeMWVersions --withdb
[00:58:10] ah
[00:58:12] wikiversions.dat?
[00:58:21] wait
[00:58:24] ignore me
[00:58:34] yeah
[00:59:32] ah
[00:59:35] wtf
[00:59:43] I don't get that
[01:00:02] it works now?
[01:00:25] If so, I'd say multiversion/MWRealm.php is brokeneded
[01:00:25] yes, and I don't understand why
[01:01:29] Are /etc/wikimedia-realm and /etc/wikimedia-site correct?
[01:01:46] yep
[01:03:32] ah. no private settings file now
[01:03:34] that's progress
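The getRealmSpecificFilename() lookup being debugged here lives in multiversion/MWRealm.php and is what makes 'wikiversions.dat' resolve to 'wikiversions-labs.dat' on beta (as the php -a session below demonstrates). A minimal Python sketch of that fallback, for illustration only: the real code is PHP, and the exact candidate order (realm+site, then realm, then plain) is an assumption; the /etc/wikimedia-realm and /etc/wikimedia-site paths are taken from the log.

```python
# Illustrative re-implementation of the realm-specific filename fallback; not
# the actual MWRealm.php code, and the lookup order is an assumption.
import os

def read_setting(path, default):
    try:
        with open(path) as f:
            return f.read().strip()
    except IOError:
        return default

REALM = read_setting('/etc/wikimedia-realm', 'production')  # e.g. "labs" on beta
SITE = read_setting('/etc/wikimedia-site', 'pmtpa')

def realm_specific_filename(filename):
    base, ext = os.path.splitext(filename)
    candidates = (
        '%s-%s-%s%s' % (base, REALM, SITE, ext),  # most specific first
        '%s-%s%s' % (base, REALM, ext),
        filename,
    )
    for candidate in candidates:
        if os.path.exists(candidate):
            return candidate
    return filename

print(realm_specific_filename('/srv/deployment/mediawiki/common/wikiversions.dat'))
```

That is why scripts that "take no account of whether we're on labs" still end up reading the -labs variants: the realm switch happens inside this one helper.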
[01:05:05] reedy@deployment-bastion:/srv/deployment/mediawiki/common$ php -a
[01:05:06] Interactive shell
[01:05:06] php > require_once( 'multiversion/MWRealm.php' );
[01:05:06] php > echo getRealmSpecificFilename( 'wikiversions.dat' );
[01:05:06] wikiversions-labs.dat
[01:05:08] :|
[01:06:43] PROBLEM Total processes is now: WARNING on bots-salebot.pmtpa.wmflabs 10.4.0.163 output: PROCS WARNING: 175 processes
[01:07:06] php > echo getRealmSpecificFilename( '/srv/deployment/mediawiki/common/wikiversions.dat' );
[01:07:06] /srv/deployment/mediawiki/common/wikiversions-labs.dat
[01:08:53] RECOVERY host: ee-lwelling.pmtpa.wmflabs is UP address: 10.4.0.243 PING OK - Packet loss = 0%, RTA = 11.65 ms
[01:09:16] I guess it's going to be something daft
[01:09:23] PROBLEM Total processes is now: CRITICAL on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: Connection refused by host
[01:09:25] Fatal error: require(): Failed opening required '/srv/deployment/mediawiki/common/l10n-1.21wmf7/ExtensionMessages.php'
[01:09:34] I thought that was moved
[01:09:44] oh
[01:09:44] they were in wmf-config
[01:09:45] it hasn't been built yet
[01:10:11] hm
[01:10:18] shouldn't it write that file out, and then use it?
[01:10:53] PROBLEM Current Load is now: CRITICAL on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: Connection refused by host
[01:10:53] PROBLEM dpkg-check is now: CRITICAL on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: Connection refused by host
[01:10:57] presumably, that's what scap did
[01:11:11] I thought it did on tin, too
[01:11:31] They're certainly there on Tin
[01:11:33] PROBLEM Current Users is now: CRITICAL on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: Connection refused by host
[01:11:43] yeah, it worked properly there
[01:11:43] RECOVERY Total processes is now: OK on bots-salebot.pmtpa.wmflabs 10.4.0.163 output: PROCS OK: 100 processes
[01:11:54] maybe it was because it did a full build accidentally the first time
[01:12:12] before the backported change that anomie added to core
[01:12:13] PROBLEM Disk Space is now: CRITICAL on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: Connection refused by host
[01:13:03] PROBLEM Free ram is now: CRITICAL on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: Connection refused by host
[01:20:52] RECOVERY Current Load is now: OK on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: OK - load average: 1.03, 1.14, 0.74
[01:20:52] RECOVERY dpkg-check is now: OK on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: All packages OK
[01:21:32] RECOVERY Current Users is now: OK on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: USERS OK - 0 users currently logged in
[01:22:12] RECOVERY Disk Space is now: OK on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: DISK OK
[01:23:02] RECOVERY Free ram is now: OK on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: OK: 898% free memory
[01:24:22] RECOVERY Total processes is now: OK on ee-lwelling.pmtpa.wmflabs 10.4.0.243 output: PROCS OK: 84 processes
[01:41:43] PROBLEM Free ram is now: WARNING on newprojectsfeed-bot.pmtpa.wmflabs 10.4.0.232 output: Warning: 19% free memory
[01:55:02] PROBLEM Free ram is now: WARNING on swift-be3.pmtpa.wmflabs 10.4.0.124 output: Warning: 19% free memory
[02:50:52] PROBLEM Current Load is now: WARNING on ve-roundtrip2.pmtpa.wmflabs 10.4.0.162 output: WARNING - load average: 4.11, 5.19, 5.06
[02:55:52] RECOVERY Current Load is now: OK on ve-roundtrip2.pmtpa.wmflabs 10.4.0.162 output: OK - load average: 4.65, 4.90, 4.98
[03:03:52] PROBLEM Current Load is now:
WARNING on ve-roundtrip2.pmtpa.wmflabs 10.4.0.162 output: WARNING - load average: 6.26, 5.92, 5.41 [03:08:42] PROBLEM Current Load is now: WARNING on parsoid-roundtrip3.pmtpa.wmflabs 10.4.0.62 output: WARNING - load average: 8.53, 7.95, 6.18 [03:19:43] PROBLEM Current Load is now: WARNING on parsoid-roundtrip6-8core.pmtpa.wmflabs 10.4.0.222 output: WARNING - load average: 5.80, 5.90, 5.40 [03:44:44] RECOVERY Current Load is now: OK on parsoid-roundtrip6-8core.pmtpa.wmflabs 10.4.0.222 output: OK - load average: 3.96, 4.42, 4.94 [03:52:42] PROBLEM Current Load is now: WARNING on parsoid-roundtrip6-8core.pmtpa.wmflabs 10.4.0.222 output: WARNING - load average: 4.47, 5.03, 5.12 [04:18:44] RECOVERY Current Load is now: OK on parsoid-roundtrip3.pmtpa.wmflabs 10.4.0.62 output: OK - load average: 4.75, 4.64, 4.91 [04:34:31] !tunnel [04:34:31] ssh -f user@bastion.wmflabs.org -L :server: -N Example for sftp "ssh chewbacca@bastion.wmflabs.org -L 6000:bots-1:22 -N" will open bots-1:22 as localhost:6000 [04:40:22] RECOVERY Free ram is now: OK on bots-sql2.pmtpa.wmflabs 10.4.0.41 output: OK: 20% free memory [04:41:43] RECOVERY Free ram is now: OK on newprojectsfeed-bot.pmtpa.wmflabs 10.4.0.232 output: OK: 34% free memory [04:58:53] RECOVERY Current Load is now: OK on ve-roundtrip2.pmtpa.wmflabs 10.4.0.162 output: OK - load average: 4.51, 4.34, 4.92 [05:08:27] PROBLEM Free ram is now: WARNING on bots-sql2.pmtpa.wmflabs 10.4.0.41 output: Warning: 14% free memory [05:24:42] PROBLEM Free ram is now: WARNING on newprojectsfeed-bot.pmtpa.wmflabs 10.4.0.232 output: Warning: 19% free memory [06:14:43] PROBLEM Free ram is now: WARNING on dumps-bot1.pmtpa.wmflabs 10.4.0.4 output: Warning: 19% free memory [06:21:54] PROBLEM Free ram is now: WARNING on bots-nr1.pmtpa.wmflabs 10.4.1.2 output: Warning: 19% free memory [06:25:46] RECOVERY Free ram is now: OK on swift-be3.pmtpa.wmflabs 10.4.0.124 output: OK: 20% free memory [06:30:53] PROBLEM Total processes is now: WARNING on parsoid-roundtrip4-8core.pmtpa.wmflabs 10.4.0.39 output: PROCS WARNING: 151 processes [06:34:43] RECOVERY Free ram is now: OK on newprojectsfeed-bot.pmtpa.wmflabs 10.4.0.232 output: OK: 51% free memory [06:46:52] RECOVERY Free ram is now: OK on bots-nr1.pmtpa.wmflabs 10.4.1.2 output: OK: 20% free memory [06:48:52] PROBLEM Free ram is now: WARNING on swift-be3.pmtpa.wmflabs 10.4.0.124 output: Warning: 18% free memory [06:50:54] RECOVERY Total processes is now: OK on parsoid-roundtrip4-8core.pmtpa.wmflabs 10.4.0.39 output: PROCS OK: 148 processes [06:51:34] RECOVERY dpkg-check is now: OK on conventionextension-trial.pmtpa.wmflabs 10.4.0.165 output: All packages OK [06:55:13] RECOVERY dpkg-check is now: OK on testing-arky.pmtpa.wmflabs 10.4.0.45 output: All packages OK [08:38:22] RECOVERY Free ram is now: OK on bots-sql2.pmtpa.wmflabs 10.4.0.41 output: OK: 20% free memory [08:38:52] RECOVERY Free ram is now: OK on swift-be3.pmtpa.wmflabs 10.4.0.124 output: OK: 22% free memory [08:46:23] PROBLEM Free ram is now: WARNING on bots-sql2.pmtpa.wmflabs 10.4.0.41 output: Warning: 14% free memory [09:02:42] PROBLEM Total processes is now: WARNING on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS WARNING: 154 processes [09:07:42] RECOVERY Total processes is now: OK on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS OK: 148 processes [09:26:52] PROBLEM Free ram is now: WARNING on swift-be3.pmtpa.wmflabs 10.4.0.124 output: Warning: 18% free memory [09:47:42] PROBLEM Total processes is now: WARNING on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS WARNING: 156 
processes [11:27:42] RECOVERY Current Load is now: OK on parsoid-roundtrip7-8core.pmtpa.wmflabs 10.4.1.26 output: OK - load average: 4.95, 4.81, 4.99 [11:38:42] PROBLEM Total processes is now: WARNING on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS WARNING: 158 processes [11:56:52] RECOVERY Free ram is now: OK on swift-be3.pmtpa.wmflabs 10.4.0.124 output: OK: 20% free memory [12:29:53] PROBLEM Free ram is now: WARNING on swift-be3.pmtpa.wmflabs 10.4.0.124 output: Warning: 18% free memory [12:39:54] RECOVERY Free ram is now: OK on swift-be3.pmtpa.wmflabs 10.4.0.124 output: OK: 21% free memory [13:15:08] !log wikidata-dev wikidata-dev-8: client is still on wmf7, repo has been updated to 2013-01-14. Files WBpollForChanges_testclienten.continue and WBpollForChanges_testclienten.pid are now in /var/run and permissions had to be adapted for wikidata user to run pollForChanges. Katie also modified something else, see https://gerrit.wikimedia.org/r/#/c/44048/ [13:15:09] Logged the message, Master [13:17:13] PROBLEM Current Load is now: WARNING on bots-sql1.pmtpa.wmflabs 10.4.0.52 output: WARNING - load average: 5.09, 9.12, 5.11 [13:27:14] RECOVERY Current Load is now: OK on bots-sql1.pmtpa.wmflabs 10.4.0.52 output: OK - load average: 0.10, 2.69, 4.10 [13:27:54] PROBLEM Free ram is now: WARNING on swift-be3.pmtpa.wmflabs 10.4.0.124 output: Warning: 18% free memory [14:19:53] PROBLEM host: gerrit-db.pmtpa.wmflabs is DOWN address: 10.4.0.47 CRITICAL - Host Unreachable (10.4.0.47) [14:19:53] PROBLEM host: gerrit-dev.pmtpa.wmflabs is DOWN address: 10.4.0.207 CRITICAL - Host Unreachable (10.4.0.207) [14:23:53] RECOVERY host: gerrit-dev.pmtpa.wmflabs is UP address: 10.4.0.207 PING OK - Packet loss = 0%, RTA = 0.86 ms [14:23:53] RECOVERY host: gerrit-db.pmtpa.wmflabs is UP address: 10.4.0.47 PING OK - Packet loss = 0%, RTA = 0.62 ms [14:24:23] PROBLEM Total processes is now: CRITICAL on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: Connection refused by host [14:24:24] PROBLEM Total processes is now: CRITICAL on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: Connection refused by host [14:25:53] PROBLEM Current Load is now: CRITICAL on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: Connection refused by host [14:25:53] PROBLEM dpkg-check is now: CRITICAL on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: Connection refused by host [14:25:53] PROBLEM Current Load is now: CRITICAL on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: Connection refused by host [14:26:33] PROBLEM Current Users is now: CRITICAL on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: Connection refused by host [14:26:33] PROBLEM Current Users is now: CRITICAL on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: Connection refused by host [14:26:33] PROBLEM dpkg-check is now: CRITICAL on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: Connection refused by host [14:27:19] PROBLEM Disk Space is now: CRITICAL on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: Connection refused by host [14:27:19] PROBLEM Disk Space is now: CRITICAL on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: Connection refused by host [14:28:04] PROBLEM Free ram is now: CRITICAL on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: Connection refused by host [14:28:04] PROBLEM Free ram is now: CRITICAL on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: Connection refused by host [14:33:02] RECOVERY Free ram is now: OK on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: OK: 2293% free memory [14:33:02] RECOVERY Free ram is now: OK on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: OK: 641% free memory [14:34:22] RECOVERY Total 
processes is now: OK on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: PROCS OK: 84 processes [14:34:23] RECOVERY Total processes is now: OK on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: PROCS OK: 100 processes [14:35:53] RECOVERY Current Load is now: OK on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: OK - load average: 0.14, 0.70, 0.61 [14:35:53] RECOVERY dpkg-check is now: OK on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: All packages OK [14:35:53] RECOVERY Current Load is now: OK on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: OK - load average: 0.23, 0.75, 0.60 [14:36:33] RECOVERY Current Users is now: OK on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: USERS OK - 0 users currently logged in [14:36:33] RECOVERY Current Users is now: OK on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: USERS OK - 0 users currently logged in [14:36:33] RECOVERY dpkg-check is now: OK on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: All packages OK [14:37:13] RECOVERY Disk Space is now: OK on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: DISK OK [14:37:13] RECOVERY Disk Space is now: OK on gerrit-dev.pmtpa.wmflabs 10.4.0.207 output: DISK OK [14:48:53] PROBLEM dpkg-check is now: CRITICAL on gerrit-db.pmtpa.wmflabs 10.4.0.47 output: DPKG CRITICAL dpkg reports broken packages [15:52:07] !log integration running puppet on integration-jenkins2 to find out how bad it is right now. [15:52:09] Logged the message, Master [15:54:38] !log integration -jenkins2 : reset hard /usr/local/src/zuul . It had a failed merge. That should make puppet bring up the latest Zuul version. [15:54:39] Logged the message, Master [15:55:25] !log integration -jenkins2 manually updated /etc/zuul/wikimedia repo [15:55:26] Logged the message, Master [15:56:44] PROBLEM Total processes is now: WARNING on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS WARNING: 153 processes [16:01:44] RECOVERY Total processes is now: OK on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS OK: 149 processes [16:14:44] PROBLEM Total processes is now: WARNING on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS WARNING: 153 processes [16:37:54] RECOVERY Free ram is now: OK on swift-be3.pmtpa.wmflabs 10.4.0.124 output: OK: 21% free memory [16:50:33] !log bots petrb: inserting wikivoyage.org subdomains to wm-bot db [16:50:34] Logged the message, Master [17:00:47] @system-rm RC [17:00:47] Unloaded module RC [17:00:59] File not found modules/modules/wmib_rc.bin [17:01:03] Loaded module modules/wmib_rc.bin [17:01:15] @recentchanges+ en_wikivoyage [17:01:15] Wiki inserted [17:01:27] @RC+ en_wikivoyage W* [17:01:28] Inserted new item to feed of changes [17:04:36] @RC+ en_wikivoyage U* [17:04:36] Inserted new item to feed of changes [17:04:44] meh, not a lot of changes there... [17:05:50] either that or bot is broken [17:05:53] PROBLEM Free ram is now: WARNING on swift-be3.pmtpa.wmflabs 10.4.0.124 output: Warning: 18% free memory [17:08:52] @RC+ en_wikivoyage W* [17:08:52] There is already this string in a list of watched items [17:09:01] meh [17:09:03] @RC- en_wikivoyage W* [17:09:03] Deleted item from feed [17:09:05] @RC- en_wikivoyage U* [17:09:05] Deleted item from feed [17:09:11] who cares... will fix tommorow [17:09:14] see ya all [17:50:43] PROBLEM Total processes is now: WARNING on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS WARNING: 162 processes [17:51:33] PROBLEM Free ram is now: WARNING on mediawiki-bugfix-kozuch.pmtpa.wmflabs 10.4.0.26 output: Warning: 19% free memory [17:57:39] Morning all. I'm having difficulty creating a labs instance. 
Depending on which puppet groups I configure on it, I either get errors in the puppet run or I get access denied when I try to ssh in. Is there a known good combination? [17:58:20] lwelling: I believe people are encouraged to try and create an instance without any puppet groups first, then only install stuff on it after SSH is confirmed to work [17:58:26] Also, building an instance takes time, up to ~5 mins [17:58:39] As in, 5 minutes after it tells you it should be ready [17:59:25] Thanks Roan. It says it sends email when done, but I've not recieved one so I've looked at console output to guess [17:59:44] I've not tried ssh before adding to it, I'll try that now [18:04:52] PROBLEM host: eelwelling.pmtpa.wmflabs is DOWN address: 10.4.1.3 CRITICAL - Host Unreachable (10.4.1.3) [18:06:04] what's the deal with the token field for the labs login page? [18:08:54] RECOVERY host: eelwelling.pmtpa.wmflabs is UP address: 10.4.1.3 PING OK - Packet loss = 0%, RTA = 1.24 ms [18:09:24] PROBLEM Total processes is now: CRITICAL on eelwelling.pmtpa.wmflabs 10.4.1.3 output: Connection refused by host [18:10:52] PROBLEM Current Load is now: CRITICAL on eelwelling.pmtpa.wmflabs 10.4.1.3 output: Connection refused by host [18:10:52] PROBLEM dpkg-check is now: CRITICAL on eelwelling.pmtpa.wmflabs 10.4.1.3 output: Connection refused by host [18:11:32] PROBLEM Current Users is now: CRITICAL on eelwelling.pmtpa.wmflabs 10.4.1.3 output: Connection refused by host [18:12:12] PROBLEM Disk Space is now: CRITICAL on eelwelling.pmtpa.wmflabs 10.4.1.3 output: Connection refused by host [18:13:06] PROBLEM Free ram is now: CRITICAL on eelwelling.pmtpa.wmflabs 10.4.1.3 output: Connection refused by host [18:15:44] RECOVERY Total processes is now: OK on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS OK: 150 processes [18:18:04] RECOVERY Free ram is now: OK on eelwelling.pmtpa.wmflabs 10.4.1.3 output: OK: 620% free memory [18:19:24] RECOVERY Total processes is now: OK on eelwelling.pmtpa.wmflabs 10.4.1.3 output: PROCS OK: 84 processes [18:20:54] RECOVERY Current Load is now: OK on eelwelling.pmtpa.wmflabs 10.4.1.3 output: OK - load average: 0.17, 0.71, 0.62 [18:20:54] RECOVERY dpkg-check is now: OK on eelwelling.pmtpa.wmflabs 10.4.1.3 output: All packages OK [18:21:34] RECOVERY Current Users is now: OK on eelwelling.pmtpa.wmflabs 10.4.1.3 output: USERS OK - 0 users currently logged in [18:22:14] RECOVERY Disk Space is now: OK on eelwelling.pmtpa.wmflabs 10.4.1.3 output: DISK OK [18:24:04] <^demon|lunch> Ryan_Lane: Are the testlabs/* branches on ops/puppet used for anything? Curious what the acls are for. [18:24:12] <^demon|lunch> Oh, looks like yes. Hm. [18:24:44] I don't think anyone actually uses them, but they are there so that people can make remote branches [18:46:28] <^demon> Ryan_Lane: Well, one of my fears about the upgrade is resolved. I was afraid the ldap group conversion was messy and we'd have acls to clean up. [19:06:29] lwelling, having better luck with with instance creation/config now? [19:21:43] anyone here? 
[19:22:28] * hashar look around [19:22:40] benestar: go ahead and ask :-D [19:22:43] someone might eventually answer [19:22:49] :) [19:22:52] if all fail, we have a labs mailing list too :-] [19:23:07] there seems to be a problem with one of the webservers [19:23:29] http://bots.wmflabs.org/~bene/items_by_cat.php [19:23:45] one time it works, the other time I get an 403 error [19:44:46] PROBLEM Total processes is now: WARNING on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS WARNING: 152 processes [19:46:29] benestar, are you subscribed to labs-l? [19:47:00] andrewbogott: where to subscribe? [19:47:15] benestar, no idea if it's connected, but there was a recent discussion there about spontaneously-changing permissions on some bots machines. [19:47:36] benestar, here maybe? https://lists.wikimedia.org/mailman/listinfo/labs-l [19:47:45] thanks [19:48:10] The thread in question starts here: http://lists.wikimedia.org/pipermail/labs-l/2013-January/000706.html [19:51:19] andrewbogott: could be the reason [19:51:37] the permission was wrong so I changed it [19:52:00] but even now, after changing, it does not work everytime [19:52:14] Is that because the permissions are changing back? [19:52:38] just checked [19:52:45] the permission should be right [19:53:03] maybe it is an issue of the servers? [19:53:07] So maybe something in an Apache config [19:53:27] Yeah, I have roughly no idea how bots is set up [19:53:58] maybe petan is around… or damianz? [19:56:47] andrewbogott: seems not [19:57:15] then your guess is as good as mine :( [19:57:22] * addshore waves [19:57:31] whats the problem? [19:57:34] hi [19:57:46] there is a problem at bots [19:57:51] D: [19:57:54] http://bots.wmflabs.org/~bene/items_by_cat.php [19:58:08] O_o [19:58:17] this is a tool written by me and I cannot call it [19:59:02] addshore: any idea? [19:59:16] let me have a look [19:59:37] I had to change the permissoins (they were changed anyhow) but even now it does not work :7 [19:59:56] !tunnel [19:59:56] ssh -f user@bastion.wmflabs.org -L :server: -N Example for sftp "ssh chewbacca@bastion.wmflabs.org -L 6000:bots-1:22 -N" will open bots-1:22 as localhost:6000 [20:02:06] have you tried setting permissions to 755? [20:04:13] hmm, even 777 doesnt make a difference.. 
[20:04:25] re: tunnel https://labsconsole.wikimedia.org/wiki/Help:Access#Using_ProxyCommand_ssh_option
[20:04:29] bblunch
[20:06:18] sorry benestar, no idea
[20:06:38] addshore: :(
[20:39:42] RECOVERY Total processes is now: OK on bastion1.pmtpa.wmflabs 10.4.0.54 output: PROCS OK: 149 processes
[20:40:52] RECOVERY Free ram is now: OK on swift-be3.pmtpa.wmflabs 10.4.0.124 output: OK: 22% free memory
[20:41:22] RECOVERY Free ram is now: OK on bots-sql2.pmtpa.wmflabs 10.4.0.41 output: OK: 23% free memory
[20:41:32] RECOVERY Free ram is now: OK on mediawiki-bugfix-kozuch.pmtpa.wmflabs 10.4.0.26 output: OK: 34% free memory
[20:49:22] PROBLEM Free ram is now: WARNING on bots-sql2.pmtpa.wmflabs 10.4.0.41 output: Warning: 14% free memory
[21:00:13] PROBLEM Free ram is now: WARNING on sube.pmtpa.wmflabs 10.4.0.245 output: Warning: 8% free memory
[21:04:28] https://plus.google.com/hangouts/_/b33de5d0cc90ed8a6cadb4b35ec53e30c22b0291?authuser=0&hl=en-US#
[21:04:32] PROBLEM Free ram is now: CRITICAL on deployment-bastion.pmtpa.wmflabs 10.4.0.58 output: Critical: 5% free memory
[21:04:40] https://plus.google.com/hangouts/_/b33de5d0cc90ed8a6cadb4b35ec53e30c22b0291?authuser=0&hl=en-US#https://plus.google.com/hangouts/_/b33de5d0cc90ed8a6cadbhttps://plus.google.com/hangouts/_/b33de5d0cc90ed8a6cadb4b35ec53e30c22b0291?authuser=0&hl=en-US#4b35ec53e30c22b0291?authuser=0&hl=en-US#
[21:06:53] PROBLEM Current Load is now: WARNING on deployment-bastion.pmtpa.wmflabs 10.4.0.58 output: WARNING - load average: 5.08, 7.78, 5.60
[21:08:53] PROBLEM Free ram is now: WARNING on swift-be3.pmtpa.wmflabs 10.4.0.124 output: Warning: 17% free memory
[21:09:33] RECOVERY Free ram is now: OK on deployment-bastion.pmtpa.wmflabs 10.4.0.58 output: OK: 407% free memory
[21:11:53] RECOVERY Current Load is now: OK on deployment-bastion.pmtpa.wmflabs 10.4.0.58 output: OK - load average: 0.65, 3.16, 4.20
[21:12:14] * Damianz pats andrewbogott
[21:44:33] PROBLEM Free ram is now: WARNING on mediawiki-bugfix-kozuch.pmtpa.wmflabs 10.4.0.26 output: Warning: 19% free memory
[21:49:11] !log deployment prep renamed /data/project/apache/common-local to common-local.pre-git-deploy
[21:49:11] deployment is not a valid project.
[21:49:22] !log deployment-prep renamed /data/project/apache/common-local to common-local.pre-git-deploy
[21:49:24] Logged the message, Master
[21:49:38] !log deployment-prep ln -s /srv/deployment/mediawiki/common /data/project/apache/common-local
[21:49:40] Logged the message, Master
[21:51:03] andrewbogott hi
[21:51:13] * andrewbogott waves
[21:51:21] what did u need
[21:51:54] benestar was having trouble with permissions on bots. I think he's gone now though...
[21:52:01] ah
[21:52:05] Oh, nope, he's still here! maybe.
[21:52:08] petan: i am here
[21:52:28] ok, what troubles did u have :D
[21:52:36] petan: http://bots.wmflabs.org/~bene/items_by_cat.php
[21:52:42] suddenly it did not work any more
[21:53:04] I had to change the rights because they were changed anyhow
[21:53:06] @labs-user Bene
[21:53:06] Bene is member of 2 projects: Bastion, Bots,
[21:53:30] benestar the permissions are changed by some script made by Damianz
[21:53:41] well, it worked some times and other times not
[21:53:43] hu?
[21:53:56] why changes damianz the permissions?
[21:54:10] because he wanted to chmod 000 users who are no longer in the project
[21:54:18] so this script handles that automatically
[21:54:20] it has bugs
[21:54:46] doesn't have bugs
[21:54:48] works as designed
[21:54:50] petan, benestar, if I recall correctly, benestar was seeing that access problem with a file that still had readable permissions.
[21:55:09] So we were thinking it was an apache setting rather than a filesystem priv. Although I confess that your explanation seems most likely in general
[21:55:14] no
[21:55:15] petrb@bots-1:/mnt/public_html$ ls -l
[21:55:16] ls: cannot open directory .: Permission denied
[21:55:23] this is definitely a problem with the script
[21:55:27] it happened in the past
[21:55:41] it kills my tool :/
[21:55:43] /mnt?
[21:56:35] I think you'll find /data/project/public_html/petrb/ works fine
[21:56:38] whoop, yep :)
[21:56:43] Or ~petrb/public_html
[21:57:10] Damianz ok, but it used to be in /mnt
[21:57:24] ~petrb/public_html is not the best path
[21:57:25] yeah, that's a symlink to data since mnt is local
[21:57:32] I know
[21:57:40] but still, apache is looking for that afaik
[21:57:43] ~petrb/public_html is a symlink to /data/project/public_html/petrb/
[21:57:52] Apache was configured to look in data
[21:57:54] however the problem was that /data/project/public_html was chmod 000
[21:57:56] unless you changed it
[21:57:56] again
[21:58:05] no I didn't
[21:58:09] if I did I would log it
[21:58:21] d-wxrw--wt 49 root root 8192 Jan 14 20:15 . isn't 000
[21:58:58] Damianz because I just changed it
[21:59:01] a few seconds ago
[21:59:17] wtf is that
[21:59:25] I've just re-run the script 5 times, it doesn't set it to 000
[21:59:26] I changed it to 755
[21:59:36] what you display is some borked permission
[21:59:47] It's not borked, it's fine
[21:59:52] are you sure
[22:00:05] yeah
[22:00:16] why the hell does everyone have only rights to write but no read or execute?
[22:00:38] xD
[22:00:38] and root only to write and execute, that doesn't make much sense to me
[22:00:52] It's setting it to 0755
[22:00:58] and group root can write and read but not execute
[22:01:08] but what you pasted is not 755
[22:01:54] this is: drwxr-xr-x
[22:02:16] you pasted d-wxrw--wt
[22:02:41] or I am on drugs or something
[22:02:43] but I see that
[22:03:35] Damianz when did you copy that line with that permission
[22:03:35] d-wxrw--wt
[22:03:40] Before I re-ran the script
[22:03:53] mm, maybe that was the reason why it didn't work for him
[22:04:00] brb stopping food burning
[22:04:02] so after your script it's fixed to 755?
[22:04:16] mmmmm
[22:04:18] yes - I think there is a 0 missing in one of the conditionals, fixed that too
[22:04:23] who changed it to that weird permission then
[22:04:38] go fix ur food man
[22:04:45] or u gonna burn lol
[22:04:48] :D
[22:09:09] [Tue Jan 15 22:08:40 2013] [error] [client 109.80.219.230] (13)Permission denied: file permissions deny server access: /home/bene/public_html/items_by_cat.php
[22:09:10] [Tue Jan 15 22:08:41 2013] [error] [client 46.236.24.49] (13)Permission denied: file permissions deny server access: /home/richs/public_html/commonshelper.php
[22:09:33] benestar I think it tries to access the files using your home path, which it can't access
[22:09:41] because ur home is 700 or that
[22:09:51] k
[22:09:55] dunno why it happens
[22:10:00] so how to fix that?
[22:10:13] I will meditate on that
[22:10:15] :D :D
[22:10:19] :)
[22:10:29] * Damianz tickles benestar
[22:10:51] Damianz, why does it look at /home/*/public_html? is that configured somewhere?
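The "0 missing in one of the conditionals" remark above lines up exactly with the odd d-wxrw--wt mode that was pasted: passing decimal 755 where an octal mode is expected yields 0o1363, which renders as d-wxrw--wt. The actual maintenance script isn't shown in the log, so the snippet below is only a guess at that class of bug, illustrated in Python (Python 3, using a temporary directory):

```python
# Illustration of the "missing 0" bug pattern; the real bots script is not
# shown in the log, this just demonstrates why 755 vs 0o755 matters.
import os
import stat
import tempfile

d = tempfile.mkdtemp()

os.chmod(d, 755)      # bug: decimal 755 == 0o1363
print(stat.filemode(os.stat(d).st_mode))   # d-wxrw--wt, the mode pasted above

os.chmod(d, 0o755)    # intended: octal 755
print(stat.filemode(os.stat(d).st_mode))   # drwxr-xr-x
```

With the directory effectively at -wx for "other", Apache could not read it, which matches the intermittent 403s reported earlier.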
[22:10:55] I remember I removed that once
[22:11:00] nope
[22:11:01] in ancient times
[22:11:03] ok
[22:11:08] everything server side should point to /data/project
[22:11:27] I think I will spam guys in #httpd telling them they suck
[22:11:28] There are symlinks in home for the purpose of people not having to navigate to data, which someone asked for donkey's years ago
[22:11:47] It's apache, suckage is known
[22:11:54] the symlink is ok as long as the server doesn't use it
[22:12:22] RECOVERY Total processes is now: OK on aggregator1.pmtpa.wmflabs 10.4.0.79 output: PROCS OK: 150 processes
[22:12:59] [Tue Jan 15 22:12:45 2013] [error] [client 109.80.219.230] Directory index forbidden by Options directive: /home/petrb/public_html/html/
[22:13:10] wtf
[22:13:17] I think it's a bug in apache
[22:13:40] andrewbogott still having no luck on labs instances. I created eelwelling / i-00000581 this morning and have done nothing to it except tried to ssh in, rebooted and tried to ssh in again
[22:13:54] root@bots-apache01:~# grep UserDir /etc/apache2/mods-enabled/userdir.conf
[22:13:58] #UserDir public_html /mnt/public_html http://bots.wmflabs.org/
[22:14:00] UserDir public_html /data/project/public_html/ http://bots.wmflabs.org/
[22:14:04] UserDir disabled root
[22:14:06] ^ It's configured right
[22:14:48] LOL
[22:15:00] petrb@bots-apache01:/etc/apache2$ grep home mods-enabled/*
[22:15:00] mods-enabled/php5.conf:
[22:15:02] wtf is that
[22:15:35] that should never apply
[22:15:37] it turns off php when ur in home?
[22:15:48] apparently
[22:15:53] yay to apache
[22:15:54] of course it should never apply, it shouldn't even be there
[22:16:14] it's like debian packages, what do you expect
[22:16:14] :P
[22:16:37] lwelling: OK! I will look...
[22:16:45] why in the world is it still looking at /home/*/public_html? it's like it's hard coded
[22:16:57] what is even more weird is that this bug appears randomly
[22:17:02] when ur hitting f5
[22:17:14] sometimes it works, sometimes it uses this hardcoded path
[22:17:14] don't hit f5 then dammit
[22:17:19] :D
[22:17:25] sure the file isn't including something in that dir?
[22:17:40] [Tue Jan 15 22:12:45 2013] [error] [client 109.80.219.230] Directory index forbidden by Options directive: /home/petrb/public_html/html/
[22:17:44] this is not even php
[22:17:49] it's just a directory listing
[22:18:02] tasty
[22:18:13] randomly it tries /home/petrb/public_html or /data/project/public_html/petrb
[22:18:44] that's almost the same creepiness as that ssh bug which, after a number of attempts to log in, gave up and let you in even if ur password was wrong
[22:19:08] heh
[22:19:10] sounds like a pam issue
[22:19:45] the workaround is to change /home/* to chmod 755
[22:19:54] maybe
[22:20:36] wait, no
[22:20:41] apache did have access to that folder
[22:20:51] 751 would do it
[22:20:54] it purposefully refused to open it
[22:21:36] wtf is that Options directive
[22:21:48] I am going to poke and later puke all over #httpd people
[22:21:53] brb
[22:23:07] Damianz, have a moment to talk about salt/keystone, or do you need to eat your dinner before it gets cold?
[22:23:22] eating tho can talk
[22:24:24] * Damianz slaps MJ94 with a wet fish
[22:24:26] Hm… I only barely know enough to even know what my questions are...
[22:24:32] abuse
[22:24:50] Because I haven't actually used salt auth yet. But for background...
[22:25:12] well... there are some flaws currently
[22:25:19] does salt auth currently keep track of per-system auth at all, or does it just allow a given username/password to do either nothing or everything?
[22:25:23] PROBLEM Total processes is now: WARNING on aggregator1.pmtpa.wmflabs 10.4.0.79 output: PROCS WARNING: 151 processes
[22:25:48] So once authenticated you get a token, using that token you can do 'things' as defined in the ACL
[22:26:04] The problem is currently the ACL is per user, I've put in a bug for group support, earmarked for .13
[22:26:33] when you say 'group' support we're talking about 'projects' in keystone speak, right?
[22:26:37] Based upon a user you can allow specific modules to run on specific servers (wildcard as needed)
[22:26:45] in our case - yes
[22:26:52] each project has a group in ldap
[22:27:00] so we'd want to limit on say sysadmins and members of a project
[22:27:07] or all labs members
[22:27:45] So you're thinking that we'd only use keystone to identify users, but /not/ use any of keystone's knowledge about project membership, right?
[22:27:55] Because salt will have its own conception of 'projects'?
[22:28:02] Well...
[22:28:07] What's the difference between WM Labs and WM Deployment Labs?
[22:28:15] 'deployment' as in beta?
[22:28:30] MJ94: 'deployment' is one project within WM Labs.
[22:28:31] Ignoring that we need a backend to handle token auth for osm integration, I /think/ we can use project tokens in salt
[22:28:39] ah
[22:28:47] http://deployment.wikimedia.beta.wmflabs.org/wiki/Main_Page
[22:29:00] My idea was the auth module would have a 'find groups' function, for keystone that would be project members
[22:29:19] Yeah that's beta - ie mediawiki master with production config
[22:29:49] Talk to hashar if you want sexy details
[22:30:00] beta is down
[22:30:08] LIES
[22:30:09] it's up
[22:30:10] ;)
[22:30:11] ongoing work to prepare the new datacenter + new deploy system
[22:30:12] for once
[22:30:22] we were talking about it in wikimedia-operations
[22:30:38] more announcements later on I guess
[22:30:44] How's testing stable going with git-deploy?
[22:31:03] * Damianz wonders if Ryan_Lane broke everything > 5 times yet
[22:31:03] Do you still have spam issues on Deployment?
[22:31:23] As in beta, yes, Damianz
[22:32:28] Damianz: Sorry, I'm still not following how groups in salt would relate to projects in keystone
[22:32:38] ok...
[22:32:42] !log bots petrb: changing the apache configs per hints from apache people
[22:32:43] Logged the message, Master
[22:32:48] everything in keystone is ldap groups
[22:32:53] You're saying that auth would allow me to get a list of groups for a given user?
[22:32:56] !log bots petrb: the indians, of course
[22:32:57] Logged the message, Master
[22:33:14] ok...
[22:33:16] a project is basically a group
[22:33:23] yeah
[22:33:26] roles exist underneath projects
[22:34:01] Damianz: re git-deploy: http://en.wikipedia.beta.wmflabs.org/wiki/Special:Version
[22:34:18] :o
[22:34:40] Damianz fixed!
[22:34:47] petan: Cool
[22:34:54] apache people seem to know how apache works
[22:35:09] the problem was in both the apache config and the mod config
[22:35:20] Damianz, Ryan_Lane, sorry, it's not the terminology that puzzles me. It's what knowledge is stored in salt vs. what is stored in keystone.
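To make the ACL granularity concrete: salt's external_auth (eauth) configuration, per the client-ACL and eauth docs linked below, maps a user to host globs and the modules they may run on those hosts. What is being proposed is the same structure keyed by keystone project ("group") rather than by individual user. The sketch renders both as Python dicts purely for illustration; the real thing is YAML in the salt master config, the backend and user names are invented, and the group form is hypothetical since salt had no group support at the time of this conversation.

```python
# What salt's external_auth ACL expresses today: per-user, host glob -> modules.
# (Illustrative names; the real config is YAML in the master config file.)
current_acl = {
    'keystone': {                                   # eauth backend name
        'someuser': [
            {'bots-*': ['test.ping', 'status.*']},  # host glob -> allowed functions
        ],
    },
}

# The shape being asked for: the same structure keyed off keystone projects
# (i.e. labs projects / ldap groups) instead of individual users. Hypothetical
# syntax only -- the "project-...%" marker is invented for this sketch.
proposed_acl = {
    'keystone': {
        'project-bots%': [
            {'bots-*': ['test.ping']},
        ],
        'project-deployment-prep%': [
            {'deployment-*': ['*']},
        ],
    },
}
```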
[22:35:28] Clearly the acls are in salt's scope
[22:35:29] that public_html alone is an alias for /home/*/public_html
[22:35:36] lol
[22:36:01] andrewbogott: So, ignoring that salt doesn't support groups yet, likely we'd query project membership via the keystone api (maybe using tokens)
[22:36:19] Since it might not use ldap (in theory anyway), we should use the api
[22:36:31] yep
[22:36:36] ok I go sleep, hopefully it will be ok
[22:36:40] see ya :D
[22:36:43] So salt will have two kinds of acl, host-specific and group-specific
[22:36:57] So you'd authenticate -> salt would request your groups -> using your token it would pull your projects
[22:37:04] Everything is 'host' specific
[22:37:09] You can wildcard though
[22:37:10] my cat is snoring like a gorilla
[22:37:16] seriously
[22:37:19] :/
[22:37:32] So an acl would look like testlabs: myinstance: module or testlabs: *: * or such
[22:37:42] wildcarding doesn't quite work like that, but along those lines
[22:37:52] http://docs.saltstack.org/en/latest/ref/clientacl.html
[22:37:56] So the wildcard will only be group-wide not global.
[22:38:01] imagine fred is a project
[22:38:44] http://docs.saltstack.org/en/latest/topics/eauth/index.html < this is actually what keystone will use
[22:38:50] and is a better example
[22:38:53] as it actually shows hosts
[22:38:54] derp
[22:39:15] in that case imagine thatch is 'bots' and web is a wildcard host name match
[22:39:29] test and network would be modules (test.ping for example)
[22:40:54] thank you for being patient with me :) I'm going to try to state what I understand...
[22:40:58] * Damianz notes he's good at making simple things confusing
[22:41:42] For each (module, host)
[22:42:06] permissions can be assigned to specific users
[22:42:29] And what we want is...
[22:42:44] permissions can be assigned to specific users /or/ members of specific projects
[22:42:54] Is that the granularity we're talking about?
[22:42:54] yep
[22:43:30] So to accomplish that, the acl engine needs to have a conception of group permissions
[22:43:39] and the auth system needs to have a concept of group membership
[22:43:39] So salt-wise there are 2 things we need - an auth backend that supports token based authentication (mine supports password based) and 'group' support in the auth check
[22:44:43] And also the changes in how acls work, right?
[22:45:06] yes - that function would at the very least need re-writing as it's quite basic currently
[22:47:01] The alternative to this is we implement acl restrictions in osm and use a static user that osm uses to talk to salt-api that can do everything.... which I think is bad and limits us to not exposing salt
[22:47:48] ok. so, just to reconfirm -- we aren't making any use of keystone's knowledge of which hosts are in which projects -- only of which users are in which projects.
[22:48:45] that is -- the knowledge about hosts-in-projects is duplicated, once in keystone and once in salt, and not necessarily in sync?
[22:49:02] currently, nooope
[22:49:08] now what would be interesting
[22:49:15] is if we could limit the acl based on a grain
[22:49:22] and set the project as a grain
[22:49:42] since hostnames are not forced to any standard that include the project name
[22:49:52] and it may be the case we don't want to restrict by host
[22:49:59] say for example PaaS style mysql dbs
[22:50:06] everyone can create one, don't care what project or what host
[22:52:04] * andrewbogott digests, gradually
[22:52:52] The whole external auth stuff is still a bit rough imo
[22:54:01] If I want to hack on this, are things already broken up into bugs or is there just one big 'make this work' bug?
[22:55:15] I added https://github.com/saltstack/salt/issues/3238, think there's a bz bug around for it somewhere... mostly just crazy people who got drunk and came up with ideas... you know, like how IT works
[22:56:42] the monster in my closet is restless, it's very distracting
[22:57:28] You should feed it cookies more often
[22:57:52] The woman I'm subletting from told me not to go in there and put a padlock on the door. I trust her judgement.
[22:59:00] So now I'm trying to think through the token part of this. At the moment, salt authenticates once with keystone and then issues a token, right? So it doesn't really need to check back with keystone after that?
[22:59:28] nope
[22:59:57] so our main usage would probably hook into mediawiki login stuff, after getting the keystone token grab the salt token and stash it in the db, much like it does for keystone atm
[23:00:10] I can't tell if you're agreeing with me or disagreeing… I need to ease up on the negatively-phrased questions :)
[23:00:41] well you asked 2 questions with different answers :P
[23:00:54] I know, that's why I can't tell :)
[23:01:22] But, so, basically the 'keystone token' part of this is just replacing the username/password interface with a 'keystone token you already have from elsewhere' interface
[23:01:27] I believe the rest api issues a token like salt -T would and gives you that back
[23:01:40] Not 100% sure, since most of the docs are for using eauth via the cli rather than the rest api
[23:01:48] yeah
[23:02:01] so take my backend, change password to token, add a function for getting projects - ie groups, done
[23:02:06] if only it was /that/ simple
[23:02:15] OK. /that/ seems like a task I am up to without having to think very deeply about design. So perhaps I will work on that.
[23:02:17] If you are not already.
[23:02:37] I mean, presumably that change has to percolate through to the rest of salt in order to actually get the token from A to B
[23:03:21] But salt will need to remember the keystone token, right? If it wants to check back later about project membership...
[23:03:38] That or gather up and cache project membership from the outset
[23:03:40] So authenticating via a keystone token is easy, group support is hardish
[23:04:04] Yeah... it won't remember, so basically it will need an 'admin' login in the config or cache - probably the former
[23:04:08] Though
[23:04:15] I think there might be wider auth changes
[23:04:35] I did suggest the ability to say if a user is authenticated via keystone to use /their/ login if calling the modules to say create a vm or a project resource
[23:04:48] Not sure how that's gonna work though... all smoke currently
[23:05:02] I'd just do it how you think and get yelled at, seem like nice enough guys
[23:08:32] ok. I think I at least understand what the problems are now. Thank you for your patient explanation!
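For reference, the "backend" in the "take my backend, change password to token, add a function for getting projects" plan is a salt external-auth module: a small Python module whose auth(username, password) function returns True or False. Damianz's actual module isn't shown in the log, so the sketch below only illustrates the shape being discussed, using python-keystoneclient; the groups() hook is the proposed addition rather than an interface salt exposed at the time, and the auth URL is a placeholder.

```python
# Sketch of a keystone-backed salt eauth module (illustrative, not the real backend).
from keystoneclient.v2_0 import client as keystone_client

AUTH_URL = 'http://keystone.example.org:5000/v2.0'   # placeholder endpoint


def auth(username, password):
    """Password auth: True if keystone accepts the credentials."""
    try:
        keystone_client.Client(username=username, password=password,
                               auth_url=AUTH_URL)
        return True
    except Exception:   # keystoneclient raises Unauthorized on bad credentials
        return False


def groups(username, password):
    """Proposed 'find groups' hook: return the user's keystone projects
    (tenants), which map to labs projects / ldap groups."""
    client = keystone_client.Client(username=username, password=password,
                                    auth_url=AUTH_URL)
    return [tenant.name for tenant in client.tenants.list()]
```

The token-based variant discussed above would accept a keystone token obtained elsewhere (e.g. during the OSM/mediawiki login) instead of a password, then use it the same way.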
[23:10:01] I got many problems and a few solutions :D
[23:29:42] PROBLEM Current Load is now: WARNING on parsoid-roundtrip7-8core.pmtpa.wmflabs 10.4.1.26 output: WARNING - load average: 5.10, 5.12, 5.05
[23:57:55] Double sig ftl