[00:45:17] <Ryan_Lane>	 Damianz: that's not very easy to implement
[00:45:33] <Damianz>	 It wouldn't be fun if it was easy ;)
[00:45:44] <Ryan_Lane>	 patches welcome ;)
[00:46:09] <Ryan_Lane>	 https://wiki.openstack.org/wiki/Main_Page?skin=strapping
[00:46:10] <Ryan_Lane>	 ;)
[00:46:27] <Ryan_Lane>	 wait
[00:46:27] <Ryan_Lane>	 https://wiki.openstack.org/wiki/Main_Page?useskin=strapping
[00:48:01] <Ryan_Lane>	 I need to update the CSS to make external links show differently
[00:48:35] <Ryan_Lane>	 navigation dropdown is slightly incorrect as well
[02:13:27] <Damianz>	 I seriously wonder what drugs you require to skin mediawiki sometimes
[02:43:54] <Ryan_Lane>	 Damianz: lots
[02:43:54] <Ryan_Lane>	 https://wiki.openstack.org/wiki/Main_Page
[02:43:58] <Ryan_Lane>	 now it's the default :)
[03:41:28] <FastLizard4>	 !log accounts-creation-assistance Getting strange puppet errors related to SSL on accounts-puppetmaster, going to try rebooting.
[03:41:28] <labs-morebots>	 accounts-creation-assistance is not a valid project.
[03:41:33] <FastLizard4>	 Derp
[03:41:35] <FastLizard4>	 !log account-creation-assistance Getting strange puppet errors related to SSL on accounts-puppetmaster, going to try rebooting.
[03:41:37] <labs-morebots>	 Logged the message, Master
[03:41:41] <FastLizard4>	 Danke, labs-morebots
[03:48:59] <FastLizard4>	 !log account-creation-assistance Scratch last log entry, error fixed by using `sudo puppetca --sign "i-000005c5.pmtpa.wmflabs"`
[03:49:00] <labs-morebots>	 Logged the message, Master
[04:49:54] <wm-bot>	 Change on 12mediawiki a page Wikimedia Labs/TODO was modified, changed by MPelletier (WMF) link https://www.mediawiki.org/w/index.php?diff=647904 edit summary: [-250] wip wip wip
[19:27:06] <Damianz>	 Ryan just has no love for YP
[19:28:42] <Ryan_Lane>	 I have less than no love for it
[19:41:52] <Coren>	 YP is teh satan.  Worse, it's an obsolete satan.  :-)
[19:43:11] <Ryan_Lane>	 indeed
[19:44:24] <Coren>	 NIS+ was sorta okay-ish, but make LDAP look like a simple and elegant design by comparison.
[19:44:36] <Ryan_Lane>	 yep
[19:44:45] <Ryan_Lane>	 NIS+ has been gone for a very, very long time, though
[19:45:21] <Coren>	 I remember using it in ~2000 last, and even then only because it was a Solaris shop.
[19:46:13] <Coren>	 But that's all moot anyways, there's no reason to not stuff those users in LDAP, just in a different OU.  (Hell, it's probably be wise to make having a per-project OU a general pattern)
[19:46:35] <Ryan_Lane>	 it's best to keep things flat
[19:46:56] <Ryan_Lane>	 did you see my reply?
[19:47:48] <Coren>	 Just did.  Am I allowed to think you're insane still while I'm not yet officially working or is that a privilege reserved for coworkers?  :-)
[19:48:27] <Ryan_Lane>	 :D
[19:48:56] <Coren>	 In my experience, "Keep things in a flat namespace" is the wrong answer no matter what the question is.  :-)
[19:49:01] <Ryan_Lane>	 how would normal user auth work without including both ous?
[19:49:09] <Ryan_Lane>	 then there's still clashes
[19:49:17] <Ryan_Lane>	 *and* hierarchy
[19:49:18] <Ryan_Lane>	 :)
[19:49:29] <Ryan_Lane>	 it's the worst of both worlds! :)
[19:49:41] <Coren>	 That's one... strange way of looking at it.  :-)
[19:50:20] <Ryan_Lane>	 how does hierarchy help here?
[19:50:32] <Ryan_Lane>	 (note that we do use hierarchy like this for sudo)
[19:50:49] <Ryan_Lane>	 each project has a sudo ou under its project cn
[19:50:58] <Coren>	 I think you want to have a generic prefix for per-project {user,group}names, certainly, but you want the hiarchy to allow the same ID ranges and names to be used in different projects.
[19:51:16] <Coren>	 So that one doesn't affect the others.
[19:51:29] <Ryan_Lane>	 I don't understand how that would work
[19:51:52] <Ryan_Lane>	 how does authentication work in that structure?
[19:52:15] <Coren>	 Well, let's way we set aside 20000-29999 for uid and gid per-project.
[19:52:34] <Coren>	 Wait, auth?  Why auth?  You can only auth against "real" users, not per-project UIDs.
[19:52:57] <Ryan_Lane>	 ah. ok. I see what you're getting at
[19:53:25] <Coren>	 Oh, and I see what you thought I meant.  :-)
[19:53:34] <Ryan_Lane>	 if we did that. I'd prefer it to be a completely separate ou
[19:53:38] <Ryan_Lane>	 not under ou=people
[19:53:47] <Coren>	 Oh, yeah, that'd work too.
[19:53:57] <Ryan_Lane>	 then have a per-project user base
[19:54:05] <Ryan_Lane>	 we'd still need to prefix the account names
[19:54:43] <Coren>	 Yeah, but it doesn't have to be complicated; we can even do something like a single character.
[19:55:07] <Ryan_Lane>	 we use project-<projectname> for project groups
[19:55:09] <Coren>	 I'd rather avoid usernames like 'complicatedproject-longservicename'
[19:55:35] <Coren>	 I would say 'local-' would work.
[19:55:40] <Ryan_Lane>	 does nslcd allow multiple separate ous for lookups?
[19:55:48] <Ryan_Lane>	 local- sounds good
[19:56:21] <Coren>	 PAM does, even if nscd didn't; but all you need to do IIRC is just specify a list of base DNs rather than just the one.
[19:56:31] <Ryan_Lane>	 pam?
[19:56:38] <Ryan_Lane>	 pam uses nslcd
[19:56:44] <Ryan_Lane>	 so does nss
[19:57:04] <Ryan_Lane>	 nslcd != nscd :)
[19:57:11] <Coren>	 Yeah, but with pam you could have more than one check sucessively with different parameters
[19:57:19] <Ryan_Lane>	 nslcd is the nssldap replacement
[19:57:37] <Ryan_Lane>	 pam is just used for authentication
[19:57:41] <Ryan_Lane>	 it's not involved in this at all
[19:57:46] <Ryan_Lane>	 only nss is
[19:57:55] <Ryan_Lane>	 using nslcd
[19:58:14] <Coren>	 Wait, wait, my own brain is failing -- I was going back to your 'how does authentication work' again.  :-)
[19:58:58] <Coren>	 base [MAP] DN
[19:58:59] <Coren>	 Specifies the base distinguished name (DN) to use as search base. This option may be supplied multiple times and all specified bases will be searched.
[19:58:59] <Coren>	  
[19:59:18] <Coren>	 So yeah, that'd work.
[19:59:32] <Ryan_Lane>	 yep
[19:59:49] <Ryan_Lane>	 we'd want to specify it for passwd and shadow
[20:00:11] <Ryan_Lane>	 maybe group as well, I guess
[20:01:02] <Ryan_Lane>	 we could allow projectadmin users to manage it as well
[20:01:05] <Coren>	 Of course group as well; you almost certainly want individual tools to have they own groups to allow for sgid directories
[20:01:13] <Ryan_Lane>	 yeah
[20:01:59] <Coren>	 I know I'd want those for labs, and allow sudoers to the tool-uid from members of the tool-gid.
[20:02:14] <Coren>	 (so that services would be started as tool-uid)
[20:02:29] <Coren>	 for tools*
[20:03:13] <Ryan_Lane>	 how are you going to handle sudo membership for this?
[20:04:12] <Coren>	 From the group membership would be easiest.  %local-group hosts = (local-user) xxx
[20:07:34] <Ryan_Lane>	 ah. that's a good idea
[20:07:51] <Ryan_Lane>	 so global users could be added into the local group
[20:08:01] <Coren>	 Exactly.
[20:08:28] <Ryan_Lane>	 we have per-project sudo-ldap, btw
[20:08:34] <Coren>	 afk (fetching tea) brb
[20:08:35] <Ryan_Lane>	 could manage the policies there
[20:22:04] <Coren>	 back
[20:22:30] <Coren>	 Huh.  Didn't look into sudo implementation yet -- I had just presumed you did the "standard" /etc/sudoers from puppet template source.
[20:27:47] <Damianz>	 Even with a seperate ou, still gonna get dublicates
[20:28:01] <Damianz>	 same reason project groups are prefixed currently
[20:30:21] <Damianz>	 Coren: sudo-ldap
[20:30:39] <Damianz>	 also CAKE
[20:31:05] <Coren>	 damians, we agreed that 'local-' woudl suffice as prefix
[20:31:09] <Damianz>	 FastLizard4|zZzZ: Yes - I can make you a login then /login on the nagios page will give you access. ideally we'd use ldap but sec risk ssl wise... once oauth is in maybe 
[20:32:45] <Ryan_Lane>	 forced openid would be nice
[20:32:47] <Damianz>	 Too much text to read - but that sorta makes sense
[20:33:24] <Damianz>	 Ryan_Lane: Well for nagios ideally project admins would have access to their instances etc so oauth would do nice permission... openid+a bunch of ldap searching would do also though
[20:33:41] <Ryan_Lane>	 does nagios have oauth support?
[20:33:44] <Ryan_Lane>	 I kind of doubt it :)
[20:33:48] <Damianz>	 nope
[20:34:06] <Damianz>	 We can fix that though.... auth over the top - as long as you pass it a username it can handle perms
[20:34:17] <Damianz>	 The script needs updating to add usernames per project before that would work anyway
[20:34:20] * Ryan_Lane  nods

[20:35:59] <Damianz>	 When's asm? may?
[20:36:31] <Ryan_Lane>	 asm?
[20:37:12] <Damianz>	 err.. flip s and m around... ams
[20:37:34] <Ryan_Lane>	 ah
[20:37:37] <Ryan_Lane>	 yeah, may
[20:37:47] <Ryan_Lane>	 shit. I forgot to submit a talk for the openstack summit
[20:37:51] <Coren>	 'ams'?
[20:38:08] <Ryan_Lane>	 Amsterdam hackathon
[20:38:10] <Damianz>	 amsterdamn
[20:38:43] <Damianz>	 Wonder if I can find the motiviation to finish puppetizing bots stuff before then or just do it in May
[20:40:09] <Damianz>	 Hmmm portland for openstack... that's a long way, think I'm doing europython this year... next year I'll do the defcon/pycon/openstack cool confs
[20:54:00] <Wikinaut>	 Ryan_Lane: hi
[21:16:49] <Ryan_Lane>	 Coren: mind adding a bug for per-project user/groups?
[21:17:02] <Ryan_Lane>	 use the infrastructure component
[21:17:34] <Coren>	 Will do shortly.
[21:18:08] <Ryan_Lane>	 I know you have a TODO somewhere for the tool labs stuff
[21:18:22] <Coren>	 http://www.mediawiki.org/wiki/Wikimedia_Labs/TODO
[21:18:51] <Coren>	 But it's a preliminary skeleton / gesstimation.  None of what's on this is set in stone.
[21:18:53] <Ryan_Lane>	 I've been making "project" subpages
[21:18:56] <Ryan_Lane>	 like: http://www.mediawiki.org/wiki/Wikimedia_Labs/Stability_improvement_project
[21:19:16] <Ryan_Lane>	 and have been tracking the bugs in them
[21:19:58] <Ryan_Lane>	 can we rename TODO to a more specific project?
[21:20:26] <Ryan_Lane>	 Toolserver migration project, maybe?
[21:20:50] <Coren>	 Perhaps the more generic "/Wikimedia Labs/Tools Lab"?
[21:21:07] <Ryan_Lane>	 that's fine too
[21:22:43] <Coren>	 (Coren moved page Wikimedia Labs/TODO to Wikimedia Labs/Tools Lab: More generic, yet more precise. Crunchy, yet satisfying.)
[21:23:06] <Coren>	 I'm about to start prepping my food.  Will do the bug after?
[21:23:14] <wm-bot>	 Change on 12mediawiki a page Wikimedia Labs/Stability improvement project was modified, changed by Ryan lane link https://www.mediawiki.org/w/index.php?diff=648127 edit summary: [+88] /* Gluster */
[21:23:18] <Ryan_Lane>	 yeah. no rush
[21:24:04] <Coren>	 Politically saying "Toolserver migration" as focus is a poor fit; the point is to make a good Tools lab they'll *want* to migate to.  :-)
[21:24:11] <Ryan_Lane>	 indeed
[21:24:28] <wm-bot>	 Change on 12mediawiki a page Wikimedia Labs/Stability improvement project was modified, changed by Ryan lane link https://www.mediawiki.org/w/index.php?diff=648128 edit summary: [-14] /* Monitoring */
[21:25:58] <wm-bot>	 Change on 12mediawiki a page Wikimedia Labs/Stability improvement project was modified, changed by Ryan lane link https://www.mediawiki.org/w/index.php?diff=648129 edit summary: [+27] /* Gluster */
[21:26:38] <Ryan_Lane>	 Wikinaut: I haven't had time to make another wiki
[21:27:55] <Wikinaut>	 Ryan_Lane: I understand. My approach is this: to make a symlink-ed copy of the the root files of /srv/mediawiki, and to (try to) adapt the apache2 server settings.
[21:28:05] <Wikinaut>	 let me know, what your approach would be, pls
[21:28:23] <Ryan_Lane>	 I would honestly just create another instance
[21:30:02] <Wikinaut>	 can you then pls. simply make a clone openid-wiki2 from openid-wiki 
[21:30:12] <Wikinaut>	 if you have time 
[21:30:14] <Wikinaut>	 ty
[21:30:27] <Ryan_Lane>	 when I get a chance, yes
[21:30:29] <Wikinaut>	 pls. can you let me know by mail, if you don't forget this
[21:43:54] <Damianz>	 Ryan_Lane: Jelly! It would be more stable :D
[21:44:02] <Ryan_Lane>	 Damianz: :D
[21:44:11] <Ryan_Lane>	 I'd like to use out netapp for this
[21:44:16] <Damianz>	 Good luck stealing that
[21:44:32] <Ryan_Lane>	 and try a distributed filesystem again later, when they are usable for this use case
[21:44:42] <Ryan_Lane>	 we aren't using it for much
[21:45:49] <Damianz>	 I'm still really hoping Ceph comes though, but I've not seen enough real world usage off of ssds to jusity trialing it in prod... and I don't really have a case for dfs right now, since our replication challenges are db not fs
[21:46:15] <Ryan_Lane>	 well, it doesn't fit our usecase
[21:46:31] <Ryan_Lane>	 ah, you mean where you work
[21:46:38] <Damianz>	 Yeah
[21:46:55] <Damianz>	 The only place it would fit here is enabling us to failover/migrate vms - since now we'd just loose a few hundred
[21:47:04] <Damianz>	 But then meh hardware, cheap and relitlvy quick to replace
[21:47:21] <Damianz>	 relatively* totally can't type today
[21:47:30] <Ryan_Lane>	 adding in a dfs means that io issues on one node turn into io issues on all nodes
[21:47:48] <Ryan_Lane>	 I'd prefer to be able to do live migration without a shared filesystem
[21:47:56] <Ryan_Lane>	 it works in xen, apparently
[21:48:03] <Damianz>	 yeah it does
[21:48:11] <Damianz>	 Can do it in kvm I believe... never tried
[21:48:26] <Damianz>	 Basically pauses io for a few seconds on migration to sync memory state AFAIK
[21:49:12] <Ryan_Lane>	 it was broken very badly in kvm last time I tried, remember? :)
[21:49:16] <Damianz>	 It would be interesting to see how much io we cause just running puppet at the same time on everything without splay - bet it would cause a little laaaggggg
[21:49:24] <Ryan_Lane>	 and upstream keeps talking about removing the featuee
[21:49:28] <Ryan_Lane>	 *feature
[21:50:12] <Ryan_Lane>	 I've done that a couple times
[21:50:17] <Ryan_Lane>	 it's usually ok
[21:50:17] <Damianz>	 Weirdly though... I've used live cpu/ram resizes in kvm fine and it breaks for us under openstack :P Never sure where issues lie around here
[21:50:30] <Ryan_Lane>	 it does cause quite a jump in usage, though
[21:50:39] <Ryan_Lane>	 heh
[21:51:27] <Damianz>	 I remember the days when dumps ate the disks every few hours :D that was fun hah
[21:52:07] <Damianz>	 Though I'm not convinced beta is any better.... stuff doing git on the core repo is really ruddy slow, imagine it bottlenecks on io before you see wait though
[21:54:39] <Ryan_Lane>	 yeah
[21:54:53] <Ryan_Lane>	 when we switch deployment systems, we'll move away from using project data for that
[21:56:02] <Coren>	 Ryan_Lane: Honestly, Ryan, I'd look at LVMs over MDs over some iSCSI
[21:56:24] <Coren>	 Especially if you multipath
[21:57:35] <Damianz>	 urgh multipath...
[21:58:13] <Damianz>	 I had to configure an archaic fiber channel card for multipath the other day... wow was that not fun, stupid drivers
[21:58:14] <Coren>	 Meh, it's ugly but if you want never-down stuff it's the way to go.
[21:58:48] <Coren>	 In my experience, shared-disk filesystems end up being more reliable than distributed ones.
[21:58:57] <Ryan_Lane>	 yes
[21:58:58] <Ryan_Lane>	 they are
[22:01:49] <Damianz>	 I've seen a quite good vm implementation using NBD for storage - just point kvm straight to an ipv6 address that has a NBD serving up disk space for and boom, if you feel the need then also drdb your backends (but drdb is evil).
[22:02:23] <Ryan_Lane>	 drbd is evil, yes
[22:02:30] <Ryan_Lane>	 ganeti uses it extensively
[22:02:35] <Coren>	 Damianz: That's good for instance-local storage, but the current use case for gluster is the stuff that's /shared/
[22:02:45] <Ryan_Lane>	 they have a pretty interesting way of handling disk images
[22:02:48] <Damianz>	 I like the idea of ganeti but yeah... node to node drdb for failover made me cringe
[22:02:53] <Ryan_Lane>	 heh
[22:03:29] <Damianz>	 I'd suggest ocfs2 but oracle are bastards :D
[22:04:19] <Coren>	 They are.  CXFS is my fave, but it's not opensource.
[22:04:54] <Damianz>	 I nearly died when I saw how much our company pay oracle a year in licensing... multiples of millions =\
[22:05:54] <Coren>	 what's-his-name isn't rich because of Oracle's upstanding open source contributions.  :-)
[22:06:25] <Coren>	 But isn't OCFS2 mainline in the kernel since before 3.0?
[22:06:35] * Coren  needs to look into it.

[22:08:02] <Damianz>	 IIRC it was open and in kernel, then oracle pushed the new version and closed it up in licensing or something
[22:08:10] <Damianz>	 You know, like they do to mysql every few years
[22:11:12] <Coren>	 The suse peeps seem to like it.
[22:14:29] <Ryan_Lane>	 hm. ocfs2 looks like an interesting solution
[22:15:07] <Damianz>	 Oh god, what have I done
[22:15:09] <Damianz>	 :P
[22:15:10] <Ryan_Lane>	 :D
[22:15:40] <Platonides>	 !log webtools Installed sqlite3 on webtools-login per scfc_de request
[22:15:41] <labs-morebots>	 Logged the message, Master
[22:15:48] <Damianz>	 You know we could just use nfs and shard projects across storage nodes for io purposes :D
[22:15:52] * Damianz  hides

[22:16:18] <Ryan_Lane>	 I want to avoid a prolonged outage due to a hardware failure
[22:16:25] <Ryan_Lane>	 though at this point even that would be better
[22:20:27] <Ryan_Lane>	 meh for ocfs2
[22:20:55] <Platonides>	 !log webtools Installed libdbd-sqlite3-perl on webtools-apache1 per scfc_de request
[22:20:56] <labs-morebots>	 Logged the message, Master
[22:21:36] <Ryan_Lane>	 one of the biggest reasons I want to steal the netapp is because I don't want to have to manage a set of fileservers
[22:21:50] <Ryan_Lane>	 it's too time consuming.
[22:25:49] <Damianz>	 heh
[22:26:00] <Platonides>	 !log webtools Installed sudo apt-get install build-essential libtool autoconf on webtools-login, scfc_de wants libtool, and it already pulls most of the dependencies
[22:26:01] <labs-morebots>	 Logged the message, Master
[22:26:10] <Damianz>	 risk vs reward also...
[22:26:28] <Platonides>	 !log webtools Installed libdbd-sqlite3-perl on webtools-login per scfc_de request
[22:26:29] <labs-morebots>	 Logged the message, Master
[22:27:26] <Ryan_Lane>	 Damianz: risk vs reward?
[22:27:34] <Damianz>	 mhm
[22:27:50] <Damianz>	 risk of managing fileservers vs the reward you get from managing your own fileservers
[22:27:53] <Ryan_Lane>	 ah
[22:27:54] <Ryan_Lane>	 right
[22:27:55] <Ryan_Lane>	 indeed
[22:29:30] <Ryan_Lane>	 there's one downside. it eats up some political capitol
[22:29:56] <Ryan_Lane>	 since we're saying open source only, then using something proprietary
[22:32:16] <Damianz>	 true, but using that is less likely going to get us sued 
[22:32:28] <Ryan_Lane>	 yep
[22:32:34] <Platonides>	 !log webtools Installed apt-file on webtools-login per scfc_de request
[22:32:35] <labs-morebots>	 Logged the message, Master
[22:33:56] <Damianz>	 If we really wanted to be picky we'd argue over the level of openness and use maria over mysql etc
[22:55:39] <Coren>	 "Get us sued"?
[22:56:00] <Ryan_Lane>	 that was regarding the use of proprietary software
[22:56:01] * Coren  tries to figure out how using a Netapp box is less likely to get us sued.

[22:56:07] <Ryan_Lane>	 and allowing end-users to use it
[22:56:12] <Coren>	 Ah!
[22:56:39] <Coren>	 Yeah, tbh though, I can see Damianz point.  There /is/ something to be said for just plain ol' reliable NFS
[22:57:34] <Ryan_Lane>	 indeed
[23:04:38] <Platonides>	 !log webtools Installed libhtml-parser-perl libwww-perl liburi-perl on webtools-login and webtools-apache-1 per scfc_de request
[23:04:39] <labs-morebots>	 Logged the message, Master
[23:59:20] <FastLizard4>	 Damianz: Ahh, I see.  Well, if it's too much trouble, I'm fine waiting until the unified system is in place