[00:01:45] :((((((((((((((((((
[00:02:07] I point to a name though
[00:06:00] I am wondering if I could setup iptables to have that public IP address to be rewritten to the internal IP address
[00:07:13] you'd just be nating nat
[00:07:50] like 208.80.153.219 (which is *beta.wmflabs.org pointing to the squid instance) to be rewritten to 10.4.0.17 which is the instance hosting squid
[00:08:06] then I have to figure out how to puppetize that haha
[00:15:13] Krenair: bleh
[00:15:16] Krenair: fixes now
[00:15:23] *fixed
[00:15:37] seems filling up / so often likely corrupted the ldap server on nova-precise2
[00:15:52] it was saying an object didn't exist, even though it totally did
[00:16:13] how did / get full?
[00:16:13] those backups in /a or whatever it was?
[00:16:17] yeah
[00:16:19] I've fixed that
[00:18:20] [bz] (NEW - created by: Antoine "hashar" Musso, priority: Unprioritized - normal) [Bug 45868] let search indexer access the squid public ip - https://bugzilla.wikimedia.org/show_bug.cgi?id=45868
[00:21:33] hooray, my patch works
[00:21:35] after a single fix
[00:21:50] review, anyone? https://gerrit.wikimedia.org/r/#/c/52592/
[00:22:00] OpenStackManager fix to add admins to project pages
[00:46:14] !log deployment-prep upgrading all instances
[00:46:16] Logged the message, Master
[00:56:52] hooray. admins are now shown on project pages
[00:57:29] Ryan_Lane, does that dynamically update?
[00:59:14] yep
[00:59:27] the maintenance script was just needed to make it happen immediately
[01:58:52] [bz] (NEW - created by: Krinkle, priority: High - enhancement) [Bug 34250] [beta project] Set up search (tracking) - https://bugzilla.wikimedia.org/show_bug.cgi?id=34250
[03:32:01] About 2,5 h ago, I received a watchlist mail for changed content on wikitech (http://pastebin.com/WUa20T8R) that claims the page was edited by 127.0.0.1 and the server name is "localhost". Is this a known issue?
[03:33:37] yeah :P
[03:41:12] legoktm: Do you have some bug number to watch?
[03:41:19] lemme find it
[03:41:42] i think its https://bugzilla.wikimedia.org/show_bug.cgi?id=43701
[03:47:50] legoktm: Hmmm. I don't think that's the same issue. The edits in question seem to really have been made from 127.0.0.1 (cf. pages' histories), so the more important issue seems to be the wrong links to http://localhost/.
[03:50:15] File a new bug then?
[03:50:47] I'm not too familiar with Echo :/
[03:51:35] As Ryan seems to be offline and andrewbogott_afk afk, that's what I'll do :-).
[04:09:52] https://bugzilla.wikimedia.org/show_bug.cgi?id=45883
[04:33:19] Coren: around? i have a quick question about db replication
[06:27:41] Anyone know why http://nagios.wmflabs.org/cgi-bin/icinga/status.cgi?hostgroup=account-creation-assistance&style=detail is happening?
[06:27:57] I've restarted NRPE on both instances
[08:35:28] !log account-creation-assistance Going to try rebooting all systems to see if that fixes the NRPE problems.
[08:35:30] Logged the message, Master
[08:44:42] I can't apt-get upgrade instances in account-creation-assistance, brewster is refusing connections
[08:47:14] !log account-creation-assistance Nope, reboots did not fix the errors. Interestingly, only application and database are showing errors (for load, disk, RAM, numprocs, and dpkg): "CHECK_NRPE: Error - Could not complete SSL handshake." Puppetmaster is reading all-green.
[08:47:15] Logged the message, Master
[09:08:36] wtf is going on
[09:08:46] so many instances are down
[09:08:53] !nagios
[09:08:53] http://208.80.153.210/icinga http://icinga.wmflabs.org/
[09:10:45] FastLizard4 run sudo puppetd -tv
[09:11:05] petan: Okay
[09:11:15] petan: To fix which problems, though? :P
[09:11:21] nagios
[09:11:32] Okay
[09:11:43] The server indicates that there was a successful puppet run 11 minutes ago, though
[09:12:23] mhm in that case I have no idea what is wrong, but you should see it on your local logs
[09:12:29] because that's problem of nrpe
[09:12:42] maybe you changed some security rules?
[09:12:48] there needs to be open port
[09:12:52] so that nagios can see it
[09:13:29] petan: I don't believe anything has changed in terms of security rules
[09:13:34] However, I do see this in the puppet output:
[09:13:34] Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.3.10-1ubuntu3.5_amd64.deb Could not connect to brewster.wikimedia.org:8080 (208.80.152.171). - connect (111: Connection refused)
[09:13:35] Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.3.10-1ubuntu3.5_amd64.deb Unable to connect to brewster.wikimedia.org:8080:
[09:13:35] Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.3.10-1ubuntu3.5_amd64.deb Unable to connect to brewster.wikimedia.org:8080:
[09:13:35] Failed to fetch http://security.ubuntu.com/ubuntu/pool/universe/p/php5/libapache2-mod-php5filter_5.3.10-1ubuntu3.5_amd64.deb Unable to connect to brewster.wikimedia.org:8080:
[09:13:35] Failed to fetch http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.3.10-1ubuntu3.5_amd64.deb Unable to connect to brewster.wikimedia.org:8080:
[09:13:35] E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing? at /etc/puppet/manifests/webserver.pp:79
[09:14:08] there is something with network
[09:14:39] petan: 5666 is the NRPE port, right?
[09:14:45] yes
[09:15:09] 5666 through 5666 proto tcp open to 10.4.0.0/21
[09:15:44] * FastLizard4 shrugs
[09:19:45] ok, so which instance is it?
[09:20:55] petrb@nagios-main:~$ ping account-creation-assistance
[09:20:56] ping: unknown host account-creation-assistance
[09:21:45] @labs-project-instances account-creation-assistance
[09:21:45] Following instances are in this project: accounts-application, accounts-database, accounts-puppetmaster,
[09:23:24] petan: accounts-application and accounts-database are the ones giving NRPE errors
[09:23:30] Interestingly, accounts-puppetmaster is not
[09:23:36] http://nagios.wmflabs.org/cgi-bin/icinga/status.cgi?hostgroup=account-creation-assistance&style=detail
[09:24:10] try to restart nrpe then?
[09:25:04] I rebooted the servers not too long ago, didn't fix the problem
[09:25:11] But lemme try restarting nrpe directly
[09:25:12] is nrpe running?
[09:25:19] petan: You have more than one commit that you are about to submit, what can I do to remove this message?
[09:25:34] matanya huh?
[09:25:40] you is me or you? :P
[09:26:04] I'm trying to push something, and I get this message
[09:26:07] ah
[09:26:12] I only want to push one thing
[09:26:26] petan: Yes
[09:26:30] not really a gerrit expert...
[09:26:33] @seenrx demon
[09:26:33] petan: Last time I saw ^demon they were quitting the network with reason: Remote host closed the connection at 3/8/2013 1:16:04 AM (08:10:29.6974470 ago) (multiple results were found: ^demon|lunch, ^demon|away, ^demon|busy, ^demon|dinner, ^demon|brb and 5 more results)
[09:26:36] * matanya is a git noob
[09:26:51] fastlizard4@accounts-application:~$ ps aux | grep nrpe
[09:26:51] 4294967295 986 0.0 0.1 23260 1136 ? Ss 08:38 0:00 /usr/sbin/nrpe -c /etc/icinga/nrpe.cfg -d
[09:26:53] matanya maybe gerrit doesn't accept more than 1 commit?
[09:26:53] o_o
[09:27:14] matanya try #mediawiki
[09:27:14] I can override it, but I don't want to
[09:27:20] thanks
[09:27:26] matanya who knows if you really can :P
[09:27:30] gerrit might reject it
[09:27:42] :)
[09:27:55] FastLizard4 interesting...
[09:28:06] FastLizard4 I probably know what is problem then
[09:28:12] petan: Yeah, on both -application and -database, the running UID is -1
[09:28:20] FastLizard4 problem is that you are running icinga version
[09:28:26] which isn't maintained by puppet
[09:28:30] nagios version is
[09:28:48] Ahh, okay
[09:28:50] puppet is changing /etc/nagios files
[09:28:56] So how do I switch back? :P
[09:28:59] petan: icinga was merged last night, wasn't it?
[09:29:05] matanya I don't know
[09:29:14] matanya but whoever merged it, they did it wrong I guess
[09:29:48] FastLizard4 just copy all files from /etc/nagios/nrpe* to /etc/icinga
[09:29:56] then restart it
[09:30:14] petan: Okay, stand by
[09:33:36] Aha
[09:33:38] There we go
[09:33:49] petan: I had to manually killall nrpe before starting the daemon
[09:33:52] aha
[09:34:01] The running one wasn't responding to my stop commands
[09:35:25] Yup, fixed it on both
[09:36:19] !log account-creation-assistance Fixed icinga reporting by `sudo cp -R /etc/nagios/* /etc/icinga/ && sudo killall nrpe && sudo /etc/init.d/nagios-nrpe-server start` on -application and -database.
[09:36:20] Logged the message, Master
[09:36:30] Thanks petan! :)
[09:36:34] np
[09:42:56] btw matanya if you find out how to do what you need pls add it: https://www.mediawiki.org/wiki/User:Petrb/Git_for_idiots
[09:43:01] I <3 this guide
[09:43:37] yeah, I found, thanks :) not sure what I did, LOL
[09:44:44] from guide: "Pushing - This is a biggest evil of git for us, idiots :)"
[09:44:53] lol
[09:44:59] oh yes! I agree
[09:45:19] and i'm sort of a master in svn, but git gives me a hard time
[09:45:32] heh
[09:45:55] well, I'll learn at the end, I guess
[10:48:13] petan: how much space does the database server have? i just realized im importing a rather large amount of data and should check to make sure i dont hit the limit
[10:48:24] database server == bsql01
[10:49:29] right now some 120gb I think but it can be increased
[10:51:30] how do i check how much space a db/table is using?
[10:52:29] right now i'm at 61k / 500k done with the import so...
[10:54:29] oh
[10:54:30] lol
[10:54:40] i'm at like 59MB
[10:54:44] i wont come even close
[10:56:11] legoktm ssh to bots-bsql01?
[10:56:17] you will see how much space left
[10:56:26] if you want to know per db
[10:56:47] SELECT table_schema "DB Name", sum( data_length + index_length ) / 1024 / 1024 "DB Size in MB"
[10:56:48] FROM information_schema.TABLES GROUP BY table_schema ;
[10:56:49] Usage of /: 66.2% of 9.83GB Users logged in: 1
[10:56:55] lol no
[10:56:58] /db
[10:57:00] not /
[10:57:24] you mean
[10:57:25] legoktm@bots-bsql01:~$ du -hs /db
[10:57:25] du: cannot read directory `/db': Permission denied
[10:57:26] ?
[10:57:29] no
[10:57:31] type df
[10:57:48] or df | grep db
[10:57:51] nothing called db
[10:57:57] petrb@bots-bsql01:~$ df | grep db
[10:57:59] oh wait
[10:58:05] /dev/mapper/vg-lvol1 148897792 9739824 137201024 7% /db
[10:58:07] yes
[10:58:17] * legoktm trouts himself
[10:58:31] btw
[10:58:37] how do i see other users databases?
[10:58:40] do they have to add me?
[10:58:43] yes
[10:58:55] they need to grant you access to db
[10:59:01] so that you can see how much it uses
[10:59:04] ok
[10:59:05] using the query I sent you
[10:59:11] but tbh I don't think it's secret
[10:59:39] is the "_p" thing that the toolserver uses for public databases a ts thing or mysql?
[10:59:39] | addbot | 4830.93750000 |
[10:59:40] | information_schema | 0.14062500 |
[10:59:41] | legoktm | 59.57812500 |
[10:59:42] | mysql | 0.73980331 |
[10:59:43] | performance_schema | 0.00000000 |
[10:59:44] | salebot | 3614.26486206 |
[10:59:45] | wiki | 6.16044617 |
[11:00:09] I think it's ts thing
[11:01:02] ts
[11:01:53] can we get something like that here too? its much easier to name a database than fiddle with mysql settings
[11:08:21] legoktm maybe yes...
[11:08:30] should i file a bug? :P
[11:08:38] if you don't want me to forget then yes
[11:08:40] :D
[11:10:01] yes, the toolserver gives read access to everyone to dbs whose name ends with _p
[11:10:17] and each user has full access to tables which begin with u_ + its username
[11:10:33] it's pretty easy
[11:11:09] grant select, usage on _p%.* to '%'.'%'
[11:11:19] but it's also pretty insecure :D
[11:13:31] petan: how so?
[11:13:48] legoktm if user who creates such a db doesn't know it...
[11:13:54] [bz] (NEW - created by: Legoktm, priority: Unprioritized - normal) [Bug 45895] Use "_p" suffix on databases to make them readable by all users - https://bugzilla.wikimedia.org/show_bug.cgi?id=45895
[11:14:36] i doubt that will happen, just have a help page explain it like tswiki has
[11:18:12] legoktm can you try to use _ptest
[11:18:40] ok, but wont i be able to automatically see any db i create?
[11:19:01] yes
[11:19:11] but this one you should see as well
[11:19:16] mysql> create database legoktm_ptest;
[11:19:16] ERROR 1044 (42000): Access denied for user 'legoktm'@'%' to database 'legoktm_ptest'
[11:19:19] ?
[11:19:38] oh lol
[11:19:41] I meant _ptest
[11:19:45] not legoktm_ptest
[11:19:51] oh lol
[11:20:05] also when you try to create such a db, you need to prefix _ with \
[11:20:13] because _ is special symbol in sql
[11:20:26] err dont think so
[11:20:34] doesn't work?
[11:20:36] ERROR 1044 (42000): Access denied for user 'legoktm'@'%' to database '_ptest'
[11:20:37] mysql> create database \_ptest;
[11:20:37] ERROR:
[11:20:37] Unknown command '\_'.
[11:20:37] ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\_ptest' at line 1
[11:20:38] mysql> create database _ptest;
[11:20:39] ERROR 1044 (42000): Access denied for user 'legoktm'@'%' to database '_ptest'
[11:20:46] mhm
[11:20:53] that database already exist - I created it
[11:20:57] can you just try to use it
[11:21:02] use _ptest;
[11:21:07] mysql> use _ptest;
[11:21:07] ERROR 1044 (42000): Access denied for user 'legoktm'@'%' to database '_ptest'
[11:21:14] that's what I needed...
[11:22:30] petan, that's a prefix, not a suffix
[11:22:41] so you wanted a suffix?
[11:22:47] I thought you want a prefix
[11:22:50] read the bug summary :P
[11:22:59] ah lol
[11:23:11] i was wondering...
[11:23:29] okay I now did it for _p
[11:23:34] but I still think it will not work
[11:23:58] legoktm try
[11:24:00] use test_p;
[11:24:12] nope
[11:24:13] mysql> use test_p;
[11:24:13] ERROR 1044 (42000): Access denied for user 'legoktm'@'%' to database 'test_p'
[11:24:14] and undo the prefix grant?
[11:24:28] huh?
[11:25:15] I revoked it
[11:25:29] ah, ok
[11:25:33] GRANT SELECT ON `%\_p`.* TO '%'@'%'
[11:25:41] this is what I see in show grants for '%'@'%';
[11:27:48] petan, on which server are you working?
[11:28:08] bots-bsql01
[11:28:44] and why do i get this?
[11:28:44] $ mysql -h bots-bsql01
[11:28:45] ERROR 1045 (28000): Access denied for user 'platonides'@'i-000000e5.pmtpa.wmflabs' (using password: NO)
[11:31:22] petan, what if you do grant select, usage on `\_p%` . * to '%'@'%';
[11:31:26] argh
[11:31:39] grant select on `%_p` . * to '%'@'%';
[11:33:01] I did select, usage
[11:33:15] petan: Actually, looking at your patch on Gerrit, I think I found the real problem
[11:33:26] I have the production IPs in my nrpe.cfg, not the labs IP
[11:33:28] Platonides I executed exactly this
[11:33:59] petan, I mean removing the usage
[12:59:50] [bz] (NEW - created by: silke.meyer, priority: Unprioritized - normal) [Bug 45897] puppet - https://bugzilla.wikimedia.org/show_bug.cgi?id=45897
[13:58:49] petan: yes, true
[13:59:00] um
[13:59:06] ??
[13:59:07] :D
[13:59:19] you are responding to which message
[14:24:32] legoktm fixed
[14:24:43] yay!
[14:24:45] thanks :)
[14:25:01] so just _p at the end?
[14:25:06] yes
[14:25:40] great
[14:51:53] addrawr
[14:51:59] .
[14:52:03] @notify addrawr
[14:52:03] This user is now online in #huggle so I will let you know when they show some activity (talk etc)
[14:53:45] he should be back in an hour
[14:59:55] btw Platonides I like you found a security hole in mysql and far bigger security hole you overlooked
[15:00:21] which was to sudo su on any application server where everyone has root to get their credentials
[15:00:35] I managed to fix that before anyone notice
[15:00:36] :D
[15:10:15] petan: im home ;p
[15:10:32] I am wondering if we restart or not restart the sqld lol :/
[15:10:39] noooo
[15:10:45] :P im using it too much now ;p
[15:10:46] how it affect ur bot?
[15:10:53] because that is only service running there atm :D
[15:10:54] errrr
[15:10:57] heh
[15:11:01] legoktm no worries
[15:11:02] is that bsql01?
[15:11:09] I am just thinking of it in this moment :D
[15:11:12] not doing it
[15:11:25] addrawr I am still trying to figure out how that memory thing works
[15:11:31] xD
[15:11:31] virtual memory is 17GB now
[15:11:36] i have an active db import running thats going to be done in a few more days hopefully
[15:11:39] but physical is only about 6gb
[15:11:47] legoktm aha it's ok then
[15:11:53] don't worry
[15:11:55] :)
[15:11:57] we can restart it later
[15:12:23] wow, it would appear I am skating near the edge of memory land in bnr1
[15:12:23] http://ganglia.wmflabs.org/latest/?r=2hr&cs=&ce=&c=bots&h=bots-bnr1&tab=m&vn=&mc=2&z=medium&metric_group=ALLGROUPS
[15:12:41] a bunch of that is probably mine
[15:12:52] lol nice load
[15:13:13] we could actually create bnr2 but I would like to setup some scheduling before we do that
[15:15:16] would be nice if we eventually did get some kind of job queue thing, i have like 10 screens running right now
[15:15:24] yes I know
[15:15:30] we could just setup that grid thing
[15:15:31] :P
[15:15:54] petan: legoktm I have a 380 line cron ;p
[15:16:01] >.<
[15:16:03] only 380? :P
[15:16:12] xD
[15:16:23] well 100 are commented out from my enwiki bot thats not currently running
[15:16:24] but pah!
[15:16:46] bbl
[15:22:48] [bz] (NEW - created by: silke.meyer, priority: Unprioritized - normal) [Bug 45897] puppet has a problem with versions - https://bugzilla.wikimedia.org/show_bug.cgi?id=45897
[15:34:16] !log bots create new instance to play with grid scheduler
[15:34:18] Logged the message, Master
[15:38:50] :D
[15:43:49] addrawr can I delete all your db's from sql3?
[15:44:02] yep :)
[15:44:05] ok
[15:54:18] addrawr I will also build a kernel 3.8.2 for bsql01
[15:54:32] for performance reasons
[15:54:39] btrfs had tons of improvements
[15:54:44] and version 3.2 is very old
[15:54:54] even some critical bugs
[16:02:22] kk :)
[16:45:09] @seen Beetstra
[16:45:09] petan: Last time I saw Beetstra they were quitting the network with reason: Quit: Leaving N/A at 3/6/2013 1:38:21 PM (2.03:06:48.6771700 ago)
[16:47:06] @notify Beetstra
[16:47:06] I will notify you, when I see Beetstra around here
[17:08:50] !log wikidata-dev wikidata-testrepo: Due to a version problem puppet sometimes refuses to run because it doesn't downgrade. To solve this, remove and then reinstall php5-mysql manually.
[17:08:52] Logged the message, Master
[17:19:34] I am not able to ssh -p 29418 to gerrit, and I have been troubleshooting this for awhile now. Could someone look at the ssh log on the server to see what error messages are appearing when I ssh in ?
[17:21:30] I have a lab account setup, rachel99, and my public key is in there. Is there someone specific I should ask this question to? To check the ssh log on the server?
[17:21:52] A wild Coren appears!
[17:22:10] Hello- can you help me with this?
[17:23:01] I am working with chrismcmahon on the QA testing, if that helps at all.
[17:23:03] I don't think I can look at those logs, but I can try to help troubleshoot.
[17:23:41] hi rachel99, thanks for asking here
[17:24:20] Have you tried to ssh with -v so we have a better idea of where it fails?
[17:24:54] Coren: yes I have done that with -v -v -v? Do you want me to dpaste the output?
[17:25:24] rachel99: Just the last half-dozen lines should suffice, that should be enough to see the last thing it tried before giving up.
[17:26:34] http://dpaste.com/1016287/
[17:28:13] Hm.
[17:28:59] Anything jump out at you?
[17:29:32] Well, it doesn't recognize your key clearly. You're saying that this is the key you use to log on bastion?
[17:29:59] You did login to gerrit and set your key there as well, yes?
[17:30:07] (Through the web interface)
[17:30:25] Yes, I set it on gerrit. Haven't set it on bastion, I don't think.
[17:31:04] Do you have the same username on gerrit as you do on labs?
[17:31:16] Yes, its rachel99
[17:32:50] Well, you're in the bastion project. It'd probably help if you tried to log on there with ssh to see if your key is accepted.
[17:33:41] is https://www.mediawiki.org/wiki/Wikimedia_Labs/Terms_of_use still 'draft'?
[17:33:47] Coren: ^
[17:33:50] (No Ryan_Lane)
[17:34:10] YuviPanda: Yes, I know Luis is currently looking at it and making something nicer.
[17:34:24] ah, okay.
[17:34:25] Coren: So, I would add it to the labs machine, and then ssh to bastion? Any particular port?
[17:34:52] Just the default. You can add your key on wikitech.
[17:35:03] [[Special:NovaKey]]
[17:35:33] * Coren tries to hit git himself.
[17:36:42] Yeah, okay, there's probably no problem with gerrit itself, my own key gets me through.
[17:36:55] Coren: Ok. Will try it. I will need to run in a few minutes, so I will try it, and get back to you later this afternoon. (if you are here)
[17:37:17] rachel99: I'm going to be here until at least 00:00 UTC. Don't hesitate to look me up.
[17:37:28] Ok, Thanks.
[17:39:23] Coren: what's your TZ?
[17:50:48] YuviPanda: Nominally EST
[17:51:00] YuviPanda: (UTC-5)
[18:26:17] [bz] (NEW - created by: Antoine "hashar" Musso, priority: Unprioritized - major) [Bug 45908] review lsearch-global.conf for beta context - https://bugzilla.wikimedia.org/show_bug.cgi?id=45908
[18:29:28] thanks Coren ^^
[18:29:49] ... for not having been able to help yet?
[18:29:52] :-)
[18:31:31] Coren: just for being nice. I've been working with her, but I tried everything I could think of. ^demon checked and she seems to be OK on the gerrit server side.
[18:32:45] Yeah, that side seemed to be okay. With the test on bastion we'll have a better idea if there is something wrong with her public key.
[18:35:27] [bz] (NEW - created by: Krinkle, priority: High - enhancement) [Bug 34250] [beta project] Set up search (tracking) - https://bugzilla.wikimedia.org/show_bug.cgi?id=34250
[18:35:53] Coren: I know she's on Windows, which might be a factor. I haven't done ssh in anger on a Win box in a decade.
[18:46:31] ... it was clearly openssh logs she gave me. Cygwin?
[18:46:50] * Coren would recommend putty to Windows users as a rule.
[18:47:02] Oh, wait, she's using it to pull git. Nevermind.
[19:13:33] Ryan_Lane, if you do get spam with autoconfirmed protection you could always add the shell group as a protection level and use that
[19:19:58] Krenair: is that possible?
[19:20:14] I didn't see a way to allow groups other than admin and autoconfirmed in the protection interface
[19:20:56] ptwiki does it with their 'autoreviewer' group
[19:21:09] See https://www.mediawiki.org/wiki/Manual:$wgRestrictionLevels
[19:21:28] petan: Did you really send me a message on 'Badoo' or is this spam?
[19:21:38] spam
[19:21:45] Damianz ^
[19:21:54] * Damianz terminates
[19:22:04] that freaking shit hacked to my gmail using oauth and spammed all my contacts
[19:22:49] rofl
[19:25:51] bugger, this video is in french :( oh well, food then I'll move cb
[19:27:45] yeah, I got one from him too :)
[19:27:58] petan: have you not remove the authorization yet?
[19:28:01] *remvoed
[19:28:03] fuck it
[19:51:54] https://pbs.twimg.com/media/BE0Id46CUAIP_x7.jpg:large < interesting claim
[19:55:06] Ryan_Lane I don't even know where to do that
[19:55:15] but I believe they copied it and keep it anyway
[19:55:33] Damianz: well, they're running all open source for their cloud products
[19:55:36] except for their dns
[19:55:37] so removing authorization would only prevent them from getting new information
[19:55:57] petan: I can show you how
[19:56:02] ok
[19:56:07] goto google.com
[19:56:11] click on your user name
[19:56:17] click account
[19:56:27] there
[19:56:36] on the sidebar, there's a section for "Password"
[19:56:46] there's a "Manage security" link
[19:57:12] on that page is a "Connected applications and sites" section
[19:57:13] don't see
[19:57:18] yes that I see
[19:57:19] and a "Manage access" link
[19:57:27] yay
[19:57:40] WMFLabs Phabricator o.o
[19:57:45] hahaha
[19:58:30] thank you
[19:58:31] :))
[19:59:26] Ryan_Lane: Yeah - but it's a bit of a bold claim, clearly marketing driven
[20:00:14] Also talking of dns - anyone used markmonitor/ultra dns? They both have uber shitty interfaces imo, can't actually find anything in them :(
[20:01:31] petan: yw
[20:01:45] Damianz: we use markmonitor
[20:10:39] <^demon> Ryaannnnnnnnn ;-)
[20:10:46] <^demon> https://gerrit.wikimedia.org/r/#/c/52715/
[20:15:00] !log deployment-prep The search backend is apparently working now !!! {{bug|34250}}
[20:15:03] Logged the message, Master
[20:15:27] xyzram: I got a successful search query in beta!!! command + result at https://bugzilla.wikimedia.org/show_bug.cgi?id=34250#c3
[20:15:28] \O/
[20:17:55] hashar: Nice!
[20:19:03] !logs
[20:19:04] logs http://bots.wmflabs.org/~wm-bot/logs/%23wikimedia-labs
[20:22:16] Type @commands for list of commands. This bot is running http://meta.wikimedia.org/wiki/WM-Bot version wikimedia bot v. 1.10.6.8 source code licensed under GPL and located at https://github.com/benapetr/wikimedia-bot
[20:22:23] @commands
[20:22:23] Commands: there is too many commands to display on one line, see http://meta.wikimedia.org/wiki/wm-bot for a list of commands and help
[20:22:28] :-)
[20:25:42] hehe
[20:45:10] yay
[20:45:13] * Damianz high fives hashar
[20:48:54] Damianz any idea why nrpe doesn't work? :/
[20:49:11] Ryan_Lane I suppose that after merging a patch in gerrit there is no need to update something?
[20:49:22] one guy from operations merged one patch of me today and didn't know
[20:49:27] I thought it's all automatic
[20:49:35] it is
[20:49:39] ok
[20:49:39] and hmm
[20:49:40] interesting
[20:49:46] because nrpe still doesn't work
[20:50:04] what did you change for nrpe?
[20:50:07] It was working ok
[20:52:52] ip address
[20:52:59] allowed host wasn't nagios
[20:53:06] so it was rejecting it
[20:57:05] ... why did the ip change?
[21:02:48] petan: So basically restarts of that service just don't work
[21:03:12] Damianz no idea
[21:03:17] Ryan_Lane: Could you kill all the processes under the nrpe user and start nagios-nrpe-server on labs instances to fix it?
[21:03:39] I tried restart on an instance and meh, killed the process and started it and it's fine -.-
[21:04:01] you can actually make a script for that
[21:04:30] Wonder why nrpe is trying to getend the icinga user though... meh w/e
[21:04:46] I could - but I don't have access to all instances because I'm non-important :P
[21:04:53] I know
[21:04:55] also http://www.dailydot.com/lol/vibrating-butt-dildo-doctor-livetweet/ < rofl (nsfw)
[21:05:03] I meant Ryan can make script :P
[21:05:06] lol
[21:05:15] what is nsfw
[21:05:20] :D
[21:06:13] not safe for w0rk
[21:07:29] lol
[21:13:14] Ryan_Lane: So, I'm making a tools:: module, with the config in role classes under that. Is SOP, yes?
[21:23:18] Co
[21:23:58] Coren: I added the public key to my labs account, but I can't get into that either. Can you check the ssh log on that machine?
[21:24:37] Coren: You probably want to keep your top-level roles in the global puppet/manifests/role dir.
[21:24:55] They'll get autoloaded and they can include your module.
[21:26:58] rachel99: Hey again! Not directly, no (I'm not cool enough yet to be root on the bastion projects) :-) But it does help us in isolating the problem a great deal more! If you have a few minutes, I can help walk you through figuring things out.
[21:27:19] Coren: Sure.
[21:28:38] Coren: Do you want me to dpaste the verbose output from my ssh to bastion?
[21:29:48] rachel99: Just the last half dozen lines should do, like last time.
[21:32:38] Coren: Here it is. I also included the ssh line, so you can confirm I got the syntax right. http://dpaste.com/1016522/
[21:32:41] rachel99: Just a silly question, of course, but you /are/ certain that you're using the public key that matches the private key you are using, right? I know that's on the "is your monitor turned on" grade, but it needs asking. :-)
[21:32:53] Oh!
[21:34:02] Wait, that username doesn't exist.
[21:34:09] Your username is v-xxx
[21:34:24] Coren: Really?
[21:34:32] v-xxx:x:2878:500:Rachel99:/home/v-xxx:/bin/bash
[21:34:48] Coren rachel99 hooray!
[21:34:55] Not that I know why, mind you. :-)
[21:35:22] Coren: How can I change that?
[21:36:11] rachel99: Not trivially. Changing it in LDAP should be easy for any root, but that'd mess up your home and possibly other things that go by username rather than userid
[21:36:36] rachel99: You can, however, just ssh v-xxx@foo and it'll work. :-)
[21:37:27] Coren: Let me try that..
[21:37:38] Try on bastion first.
[21:38:31] Coren: And for the xxx, I should substitute my account id?
[21:38:54] rachel99: No, your username is, literally, 'v-xxx' (without the quotes)
[21:39:24] Coren: OK.
[21:40:27] rachel99: There you go!
[21:40:44] That should also work for gerrit.
[21:40:57] Coren: Yea! I can't believe that was the problem.
[21:41:08] Coren: I will try on gerrit
[21:42:08] Not sure why that's your username. I'm pretty sure I chose mine; though IIRC that was early enough in Labs history that Ryan created my account manually and asked.
[21:43:23] Coren: I got into Gerrit too. Thanks so much! Maybe I added it thinking I was supposed to add my account number there.
[21:43:57] rachel99: My pleasure!
[21:44:15] Coren thanks very much! I'd been working with rachel99 and I was stumped.
[21:44:58] Coren: Is there a way I could get that changed, or would you recommend I just leave it as is?
[21:45:47] rachel99: You can ask Ryan, if it's possible at all in our infrastructure he's the one who can tell you (and do it).
[21:46:19] rachel99: But honestly, there's not much point to it unless you really hate it -- it's just an arbitrary identifier; as long as you know what it is, it'll Just Work(tm)
[21:47:10] Coren: Ok, then I'll just leave it as is.
[21:47:12] so. much. backscroll.
[21:47:17] My username is 'marc' mostly because that has been my username for some 20 years everywhere I've worked or on all my own infrastructure. :-)
[21:48:27] Coren: sounds good. Thank you again for your help.
[21:48:36] rachel99: No worries. Have fun.
[21:49:23] Coren: v?
[21:49:25] v-?
[21:49:49] Ryan_Lane: Keep reading. Literally 'v-xxx' :-)
[21:50:24] Ryan_Lane: Don't look at me, it was like that when I got here. :-P
[21:53:12] Coren: is this a user's shell account name?
[21:53:48] oh. that's rachel99's actual shell account name
[21:55:42] Ryan_Lane: Yep.
[21:57:26] * Damianz thought Coren was called marc and that's why it's his shell name *confused*
[21:57:46] Damianz: That's why I picked it originally, all those years ago.
[21:58:02] lol
[21:58:04] Damianz: Now it's just 'default' :-)
[21:58:31] * Coren likes being able to just 'ssh host' without having to give a username.
[21:59:04] marc@mordor:~$ ssh tools-login
[21:59:49] one does not simply walk into mordor
[21:59:51] Heh.
[22:00:02] It's a desktop so people can't simply run into it.
[22:00:13] walk*
[22:00:41] For ONCE I could have made that joke and somebody would have understood it!
[22:00:48] Coren: change your local username ;)
[22:00:49] It almost always falls flat.
[22:01:08] Ryan_Lane: Nevaar!!1!
[22:01:17] or, more seriously, change your ssh config to specify your username for all wmflabs.org or *.*.wmflabs domains
[22:01:46] I have a stupidly large .ssh/config file :(
[22:01:59] Heh. I know, I know. My habit of using 'marc' dates from rsh days. :-)
[22:02:11] ewww rsh
[22:02:39] hmm
[22:02:52] In my days, we didn't have those wussy secure programs; or fancy-pants lazy shortcuts like DNS.
[22:02:55] Ryan_Lane: We totally should support telnet for auth. petan would love it :D
[22:03:44] sure
[22:03:45] My first sysadmin-like job was to fetch the hosts file once a week to put on the boxen.
[22:03:48] encrypted telnet
[22:03:51] with keys
[22:04:01] Ryan_Lane: KERBEROS!
[22:04:08] maybe some diffie hellman support
[22:04:11] I've wanted krb for like a year :P
[22:04:21] krb is hard
[22:04:29] for end users and admins
[22:04:35] no one likes kdb
[22:04:38] *krb
[22:04:48] I do. I master krb, and I like it!
[22:04:57] * Ryan_Lane shudders
[22:04:59] * YuviPanda should offer http over snail mail to someone
[22:05:00] telnet towel.blinkenlights.nl
[22:05:05] we *could* actually use keys for krb
[22:05:21] krb supports ssl client authentication
[22:05:58] marc@mordor:~$ klist
[22:05:58] Ticket cache: FILE:/tmp/krb5cc_1000
[22:05:58] Default principal: marc@UBERBOX.ORG
[22:05:58]
[22:05:58] Valid starting Expires Service principal
[22:05:59] 07/03/2013 08:58 07/03/2013 18:58 krbtgt/UBERBOX.ORG@UBERBOX.ORG
[22:05:59] renew until 08/03/2013 08:58
[22:05:59] it really kind of assumes a centralized PKI, though
[22:06:00] ...
[22:07:02] Ryan_Lane: Actually, why do you think kerberos is hard for endusers?
[22:07:13] Ryan_Lane: I know of no OS that won't give you your TGT on login.
[22:07:28] Ryan_Lane: and everything else is transparent from there.
[22:08:25] Coren: what do you use on windows?
[22:08:34] putty doesn't support it by default
[22:08:35] No one sane uses windows
[22:08:39] Ryan_Lane: ... the windows login gives you a TGT
[22:08:39] unless that's changed recently
[22:08:44] Coren: hahahaha
[22:08:50] you expect people to modify their systems?
[22:09:16] Ryan_Lane: Oh, if you don't want to, there's a systray program downloadable from MS to nab tickets.
[22:09:28] You know, the funny thing is for fully managed systems that works awesomely.... have loads of winbind stuff using krb for transparent logins
[22:09:33] gerrit doesn't support krb
[22:09:38] Ryan_Lane: So it's about the same amount of trouble as pageant
[22:09:59] so, we'd use keys for gerrit and krb for labs
[22:10:02] <^demon> Ryan_Lane: auth.type = CUSTOM could let us do all kinds of freaky magic ;-)
[22:10:09] ^demon: hm. true
[22:10:13] I guess we could do it via apache
[22:10:32] we'd need to change all of our docs for that
[22:10:35] <^demon> Granted, it's a huge hack and upstream basically said "Yeah this is mainly for Google, ymmv"
[22:10:37] <^demon> :)
[22:10:38] Ryan_Lane: And the nice thing about krb5 tickets is the protection against replay attacks and their limited lifetime if stolen.
[22:10:38] and re-train everyone
[22:10:59] yeah, I agree it's the most secure option
[22:11:06] I'm saying it's not the most user-friendly
[22:11:25] Ryan_Lane: But yeah, I'm not advocating deploying krb5 now. I'm just saying it would be quite feasible.
[22:11:46] Ryan_Lane: In my experience, endusers find krb5 easier to use than ssh keys.
[22:11:49] it's doable, but it's quite a project
[22:12:11] I'm very much not a fan of using passwords for auth
[22:12:15] and we'd need to do that for krb
[22:12:18] Ryan_Lane: And you don't get the support calls of "I deleted my private key, can you give it back to me?"
[22:12:26] Ryan_Lane: What? Why?
[22:12:32] what else would we use?
[22:12:39] Ryan_Lane: If you need to type your password, you're doing kerberos wrong.
[22:12:56] you're assuming we'd provide keytabs to everyone?
[22:13:11] Ryan_Lane: Of course not; I mean after you got your TGT for the day.
[22:13:24] right, but you'd get the TGT with a password
[22:13:26] That's done on your own workstation, like you'd do for a ssh key
[22:14:12] I guess it's a similar security issue
[22:14:29] since you can change your public ssh key by logging in with your password
[22:14:31] Right, except the TGT, if compromised, has a limited lifetime.
[22:14:37] though, you can limit that with two factor auth on the webserver
[22:14:51] so does an ssh key, if you know it's compromised
[22:14:57] you simply change the public key that's trusted
[22:15:03] That's a big if, pardner. :-)
[22:15:09] * Ryan_Lane nods
[22:15:32] but you're still relying on passwords at that point
[22:15:36] and people choose terrible passwords
[22:15:46] it can't be combined with OATH, either
[22:16:03] unless that's been added recently ;)
[22:16:33] I know challenge response is supported. NRL's version has had that for ages
[22:16:39] I'm not sure why it couldn't, but I'd have to look into it. I've quite the krb5 skillz, but I never played with OATH.
[22:16:52] OATH is incredibly simple
[22:17:01] I'd be surprised if it didn't speak gssapi, though.
[22:17:30] Hark, I hear the bell toll of arriving pizza! BRB
[22:17:57] pizza? pfft you need some dim sum and s/s pork balls
[22:19:30] Damianz: Not when I don't have the time to appreciate them. Pizza is at-desk food. :-)
[22:19:49] anyway, I'd rather not tackle an authentication problem right now :)
[22:19:58] lots of other more pressing issues
[22:20:29] Ryan_Lane: Oh, yeah, definitely.
[22:21:15] Ryan_Lane: Like I said, I'm not advocating for a change WMF side; just smugly showing off my own infrastructure. :-)
[22:21:44] heh
[22:22:27] Coren: You don't have a distributed filesystem that can support multiple tb and hundreds of volumes in your infrastructure by chance?
[22:22:31] * Damianz snort
[22:22:35] :D
[22:22:58] Damianz: I wish. I have a 40TB fileserver, but it just speaks NFS and CIFS. :-)
[22:23:49] (The positive side of having an employer go bankrupt is that you get to buy stuff at the auction)
[22:24:32] (Also, to be fair, it has a capacity of 40TB but I only got 12 populated atm)
[22:24:53] Silly marketing
[22:24:57] Need moar disks!
[22:25:06] Like this 100tb san I have for testing that actually only has a 2tb array in it atm
[22:25:07] I wish SAS drives weren't that expensive.
[22:26:07] I just buy a couple when I run out of room and got the spare dough. :-)
[22:26:23] Ryan_Lane: seen my patch? I guess..
[22:26:38] https://gerrit.wikimedia.org/r/#/c/52776/
[22:26:52] Wikinaut: is this the one that was a draft?
[22:27:38] yes, includes latest fixes by Platonides (unused globals) and wfMessage - tips by Nikerabbit (->escaped() )
[22:27:41] works great
[22:28:10] live on http://openid-wiki.instance-proxy.wmflabs.org/wiki and http://openid-wiki2.instance-proxy.wmflabs.org/wiki/Main_Page
[22:31:11] (uh; I'm ready for a longer break now, this was a Berlin Hackathon)
[22:35:29] Ryan_Lane: extension is not yet proposed for deployment! Because I want to rework the weird storage of the "trust_array" (want to only use JSON)
[22:35:58] Wikinaut: Drunk php? :D
[22:44:43] Wikinaut: this is missing qqq for messages
[22:44:48] for new messages
[22:44:58] oh wait
[22:45:00] ok, will add
[22:45:12] but need a fresh beer
[22:45:14] or is the diff just not showing that there's changes in qqq?
[22:45:33] it may just be the diff
[22:45:34] you are the master ;-)
[22:45:42] and can fix gerrit...
[22:45:50] nah
[22:45:53] (I hate gerrit, but drafts are "lecker")
[22:46:01] lecker?
[22:46:08] Dutch
[22:46:16] or Deutsch
[22:46:33] is lecker german for evil?
[22:46:46] I thought it was yummy
[22:46:50] yep
[22:46:54] heh
[22:47:05] I found a big advantage of drafts
[22:47:18] I'm liking gerrit more now :D
[22:47:20] rebasing is a single click
[22:47:32] Esp with zuul, CI is beautiful with submits
[22:47:38] and check out or cherry picking to instances
[22:47:40] is great
[22:47:52] quicker and easier than typing in the command line
[22:47:58] ok, this was off-topic
[22:48:23] but I asked to fix the gerrit draft-cannot-invite-reviewer bug
[22:49:44] Wikinaut: you can do rebase with or without drafts
[22:50:05] the rebase button is newish
[22:50:18] yes, but I like it during testing
[22:50:26] it is very convenient
[22:50:34] to use during development
[22:50:37] VERY
[22:50:51] since you taught me to use -D
[22:50:54] I like that
[22:51:13] but off-topic ;-)
[22:51:18] gerrit has a lot of useful features ;)
[22:51:30] have you seen the OpenID Preference tab ?
[22:51:36] s/the/the new/
[22:51:42] you showed me it
[22:51:54] this was yesterday...
[22:52:02] I added the tiny OpenID logo
[22:52:15] at the own identity
[22:52:34] missing:
[22:52:39] perhaps a job for you
[22:52:41] is:
[22:52:58] https://bugzilla.wikimedia.org/show_bug.cgi?id=45914
[22:53:00] and
[22:53:12] that https://bugzilla.wikimedia.org/show_bug.cgi?id=45323
[22:53:30] Ryan_Lane: Could you comment on https://bugzilla.wikimedia.org/show_bug.cgi?id=45883 whether the *server name* "localhost" is an artefact of your script (and in this case re-close the bug)?
[23:07:26] Ryan_Lane: Thanks.
[23:08:37] yw
[23:53:58] !log account-creation-assistance is unexpectedly down, attempting a reboot to recover. Will investigate further when I get home.
[23:54:00] Logged the message, Master
[23:54:29] !log account-creation-assistance Supplemental: accounts-application is the instance that is unexpectedly down
[23:54:30] Logged the message, Master
[23:55:42] !log account-creation-assistance Supplemental: Reboot has fixed connectivity issues and application is back up. DHCP is probable culprit.
[23:55:43] Logged the message, Master