[01:10:04] * legoktm  pokes Damianz 

[01:10:07] <legoktm>	 cluebot is down?
[01:28:19] <Coren>	 phe: You can still use qsub with happy fun -l h_vmem=$foo
[01:28:39] <Coren>	 phe: jsub is there for the newbies and the peeps who don't want to bother with qsub arcana.
[08:24:11] <petan>	 legoktm is it?
[08:24:53] <petan>	 @notify addwork
[08:24:53] <wm-bot>	 You already requested this user to be watched
[08:25:18] <legoktm>	 It is
[08:25:23] <petan>	 let me check
[08:25:24] <legoktm>	 Since a loooong time ago
[08:25:32] <petan>	 I have no idea how to restart it because there is no guide
[08:25:36] <petan>	 !botsdocs
[08:25:36] <wm-bot>	 https://labsconsole.wikimedia.org/wiki/Nova_Resource:Bots/Documentation
[08:26:03] <legoktm>	 last edit was
[08:26:04] <legoktm>	 20:25, 18 March 2013 (diff | hist) . . (-25)‎ . . m Nino Bravo ‎ (Reverting possible vandalism by 212.231.247.181 to version by Addbot. False positive? Report it. Thanks, ClueBot NG. (1561812) (Bot)) (current) [rollback: 1 edit] [rollback] [vandalism]
[08:26:39] <legoktm>	 !botsdocs is https://wikitech.wikimedia.org/wiki/Nova_Resource:Bots/Documentation
[08:26:39] <wm-bot>	 This key already exist - remove it, if you want to change it
[08:26:46] <legoktm>	 erm
[08:26:51] <legoktm>	 !botsdocs del
[08:26:51] <wm-bot>	 Successfully removed botsdocs
[08:26:54] <legoktm>	 !botsdocs is https://wikitech.wikimedia.org/wiki/Nova_Resource:Bots/Documentation
[08:26:54] <wm-bot>	 Key was added
[08:47:32] * Beetstra  does not understand anything of perl's setrlimit ... :-( .. his modules don't crash when he tests them with low values

[08:52:08] * Beetstra  looks at Coren|Sleep 

[08:52:33] <Beetstra>	 Coren|Sleep .. I think that the RSS memory limits are not implemented and hence ignored by the OS
[09:23:15] <hashar>	 !log deployment-prep created sudo policy for jenkins-deploy user. That is the user for the Jenkins slave running deployment-bastion
[09:23:18] <labs-morebots>	 Logged the message, Master
[09:37:41] <wm-bot>	 [bz] (ASSIGNED - created by: Antoine "hashar" Musso, priority: Immediate - normal) [Bug 45084] autoupdate the databases! - https://bugzilla.wikimedia.org/show_bug.cgi?id=45084
[10:01:42] <labs-logs-bottie>	 !log bots root: mysql: btrfs filesystem resize -10G /db
[10:01:44] <labs-morebots>	 Logged the message, Master
[10:03:07] <labs-logs-bottie>	 !log bots root: running online fsck
[10:03:08] <labs-morebots>	 Logged the message, Master
[10:05:28] <legoktm>	 o.O?
[10:13:04] <labs-logs-bottie>	 !log bots root: created /logs_db for binlogs
[10:13:06] <labs-morebots>	 Logged the message, Master
[10:13:33] <labs-logs-bottie>	 !log bots root: houston filesystem /db is broken - new kernel is needed to fix it
[10:13:34] <labs-morebots>	 Logged the message, Master
[10:13:55] <labs-logs-bottie>	 !log bots root: mysql is running fine though - just btrfsck is crashing
[10:13:57] <labs-morebots>	 Logged the message, Master
[10:20:17] <labs-logs-bottie>	 !log bots root: restart of mysql is needed to update configuration
[10:20:19] <labs-morebots>	 Logged the message, Master
[10:28:51] <labs-logs-bottie>	 !log bots petrb: updated some packages on sql
[10:28:53] <labs-morebots>	 Logged the message, Master
[10:31:00] <petan>	 btrfsck /db
[10:31:03] <petan>	 awesome XD
[10:31:20] <petan>	 Damianz that filesystem is kind of borked :P
[10:31:29] <petan>	 I mean so borked that fsck is crashing
[10:31:30] <Damianz>	 :(
[10:31:37] <petan>	 but on other way it seems to work
[10:31:44] <petan>	 mysql is not reporting any issues
[10:31:52] <petan>	 so maybe this is problem with some metadata
[10:31:56] <petan>	 which aren't important
[10:32:13] <petan>	 btw I was amazed by speed of btrfs online shrink
[10:32:17] <petan>	 took like 2 seconds
[10:32:18] <petan>	 :P
[10:32:49] <petan>	 we really need 3.8 kernel on that box
[10:35:07] <petan>	 lol btrfsck is crashing is similar way even on my laptop with 3.8.1 kernel
[10:35:15] <petan>	 I think this is some common problem then
[10:46:15] <Beetstra>	 petan, it seems that the box does not care about the memory-limits of the processes
[10:46:18] <petan>	 Damianz if you want to move binlogs we need to schedule outage of sql
[10:46:32] <Damianz>	 Doesn't need to move right now - just stop the disk filling
[10:46:32] <petan>	 Beetstra which box?
[10:46:38] <petan>	 Damianz sure I already did
[10:46:40] <Beetstra>	 whichever
[10:46:51] <petan>	 Beetstra did you supply the limit using qsub?
[10:46:53] <Beetstra>	 the bot that I am using to test runs on -bnr3
[10:46:58] <petan>	 Beetstra I am really no expert of grid, Coren|Sleep is
[10:47:27] <petan>	 Beetstra but there are no real memory limits configured per queue now, so if you need some you would need to specify them per task
[10:47:48] <Beetstra>	 I have specified them in perl for the specific modules ..
[10:47:48] <petan>	 btw on -bnr3 there is sooooo much free ram atm
[10:47:54] <Beetstra>	 not for the whole task
[10:47:54] <petan>	 ah
[10:48:01] <petan>	 in that case it's problem of perl
[10:48:06] <petan>	 maybe there is some library missing?
[10:48:18] <Beetstra>	 I just say, 'this perl module is not allowed to use more than 20M' .. but it happily uses 34M
[10:48:33] <Beetstra>	 #perl-people say that it is that the box does not care .. 
[10:48:59] <petan>	 that sounds weird - the box doesn't care because it's not supposed to, there are no memory limits atm
[10:49:00] <Beetstra>	 It just does not send a SIGKILL to the processes that violate
[10:49:18] <petan>	 it should be that perl module watching its own usage
[10:49:25] <Beetstra>	 The script sets them correctly
[10:49:36] <petan>	 box will not send sigkill because the box itself has no problem with processes eating lot of ram
[10:49:36] <Beetstra>	 No, because it tells the BSD
[10:49:57] <petan>	 hmm
[10:50:05] <petan>	 maybe it's some system option that needs to be set?
[10:50:11] <petan>	 is there some manual for that perl function 
[10:50:13] <Beetstra>	 I am using BSD::Resource::setrlimit
[10:50:25] <Beetstra>	 cpan, BSD::Resource
[10:50:34] <Beetstra>	 http://search.cpan.org/~jhi/BSD-Resource-1.2904/Resource.pm
[10:50:34] <petan>	 are you sure it doesn't require something that isn't installed?
[10:50:51] <Beetstra>	 I installed the perl module in cpan, otherwise it will not run
[10:51:02] <petan>	 hmm
[10:51:09] <petan>	 maybe we could install it using apt everywhere
[10:51:11] <petan>	 what is name
[10:51:16] <Beetstra>	 lets wait for Coren
[10:51:47] * Beetstra  pulls the bucket of ice cold water a bit closer to Coren

[10:52:56] <Beetstra>	 it says in the cpan-resource: "Soft or hard limit RLIM_INFINITY means as much as possible, the real hard limits are normally buried inside the kernel and are very system-dependent."
[10:52:57] <petan>	 I don't know if coren is perl guy
[10:53:16] <Beetstra>	 well, should be the same on python, way of doing this is exactly the same
[10:53:17] <petan>	 this is definitely something related to perl and not grid
[10:53:32] <Beetstra>	 At least, the code I saw yesterday is quite the same
[12:45:31] <Coren>	 The sleeper has awakened.  Somewhat.  (pre-coffee)
[12:46:46] <Coren>	 !Beetstra
[12:46:49] <Beetstra>	 Hey, Coren
[12:46:52] <Beetstra>	 Good morning
[12:46:59] <Coren>	 Woes of memory?
[12:47:06] <Beetstra>	 kind of
[12:48:10] <Beetstra>	 I have in each module the line "my $success = setrlimit(RLIMIT_RSS, $settings{'xxxx.memlow'},$settings{'xxxx.memhigh'});"
[12:48:24] <Beetstra>	 and reading out those values shows that they are set appropriately
[12:48:35] <Beetstra>	 But to whatever value I set them, the module never crashes
[12:48:43] <Beetstra>	 (perl-code)
[12:49:23] <Beetstra>	 in #perl they suggested that the box may not support it?
[12:49:39] <petan>	 question is "what" is it not supporting
[12:49:45] <petan>	 in terms of UNIX not terms of perl
[12:50:07] <Beetstra>	 in a way a good question
[12:50:30] <Coren>	 RLIMIT_RSS is an odd duck that doesn't behave like most people want.
[12:50:35] <Coren>	 You want RLIMIT_AS
[12:50:36] <Beetstra>	 oh
[12:51:06] <Coren>	 RLIMIT_RSS is only about locking memory down with madvise() (for things like crypto)
[12:51:06] <Beetstra>	 "(virtual) address space" ??
[12:51:13] <Coren>	 Beetstra: Right.
[12:52:07] <Coren>	 But that doesn't get your process killed regardless; hiting a memory limit just makes sbrk() fail (perl, though, dies if it fails to allocate memory IIRC)
[12:56:48] <Beetstra>	 the module crashes with "Out of memory!"
[12:57:10] <labs-logs-bottie>	 !log bots madman: deleting bots-2
[12:57:11] <labs-morebots>	 Logged the message, Master
[12:57:24] <Beetstra>	 so that works .. in perl
[12:57:25] <Coren>	 Not very polite error handling, but it's working.
[12:57:29] <labs-logs-bottie>	 !log bots petrb: previous message was supposed to be logged as me
[12:57:30] <labs-morebots>	 Logged the message, Master
[13:03:04] <Beetstra>	 hmm, interesting .. "libgcc_s.so.1 must be installed for pthread_cancel to work"
[13:25:57] <Coren>	 Beetstra: That's a symptom of low memory.
[13:26:15] <Coren>	 Beetstra: Ze limit.  She is tooo smalle!
[13:26:16] <Beetstra>	 yeah, I knew I was there between the limits
[13:26:34] <Beetstra>	 Hey .. Italian accents are for my wife to produce ;-)
[13:26:50] <Coren>	 *lots* of code is written presuming that memory allocation cannot fail.  Lots of lazy programmers.
[13:27:35] <Beetstra>	 I see the use of it, so I am trying to implement it now
[13:28:05] <Coren>	 Oh, I don't mean you.  Even in system libraries of language interpreters you see that.
[13:28:07] <Beetstra>	 and for the others on the same instance: "Thou shall not pass!!!!" (.. this memory limit) ;-)
[13:29:16] <Beetstra>	 It is also for me, learn new things with this
[13:31:27] <Coren>	 I'm a (realy) old school coder; I still believe in being careful with not wasting core memory and carefully desinging code to keep a low footprint.  The kids, these days, they spout the current common wisdom at me "ram is cheap, coder time is expensive", and then waste days tracking down problems.  :-)
[13:32:48] <Beetstra>	 I am just a hobby-programmer, but writing the linkwatchers is something that needs to run optimally if you want the data in real time
[13:32:59] <Beetstra>	 If only the mediawiki software would record the data itself
[13:33:23] <Jan_Luca>	 Beetstra: Why not write an extension for MW?
[13:34:04] <Beetstra>	 Jan_Luca .. that would take so much time .. which I don't have
[13:34:20] <Beetstra>	 This is something that runs and I just need every now and then an hour or so to tweak
[13:36:14] <Beetstra>	 Coren, so now what happens.  Say, I have a process that takes currently 50 Mb, with a hard-limit of 250 Mb.  Someone else runs a rogue bot .. will that bot run out of memory when it hits the outside of my 250 Mb hard limit, because my process has the right to use that 250 even if it does not?
[13:37:49] <Coren>	 Beetstra: Nope.  On a grid that enforces those limits, the others won't encroach on you because they hit /their/ limit before they can.
[13:38:13] <Coren>	 Beetstra: the rlimit doesn't allocate, it constrains.
[13:38:26] <Beetstra>	 So it takes only one rogue bot to still take down mine
[13:39:07] <Coren>	 Beetstra: Yes, unless the scheduler applies a limit to everything and doesn't overallocate.
[13:39:28] <Beetstra>	 OK
[13:39:37] <Coren>	 Beetstra: Which is why tools- is configured that way, unsurprisingly enough.  :-)
[13:41:16] <phe>	 overcommit_memory is set to 2 in tools- instance ?
[13:44:25] <Coren>	 phe: Yes, that too, but I meant the gridengine sets and enforces vmem-based allocation.
[13:47:36] <petan>	 !tooldocs
[13:47:36] <wm-bot>	 http://www.mediawiki.org/wiki/Wikimedia_Labs/Tool_Labs/Help
[13:47:49] <petan>	 Coren can you tell me how you configured the limits on grid
[13:48:03] <petan>	 or is it documented somewhere
[13:48:22] <Coren>	 petan: I have, the other day, you just didn't notice.  Make h_vmem consumable, and set a limit on the nodes.
[13:48:38] <petan>	 nodes? I thought limit is on queue
[13:48:53] <petan>	 that would mean that different nodes could have different limits? o.o
[13:48:56] <Coren>	 petan: You can have limits on either, but h_vmem makes no sense on queues.  :-)
[13:49:09] <petan>	 ah
[13:49:32] <petan>	 ok, so... you specified some default limit? and users can override it?
[13:49:36] <Coren>	 petan: Yes.  You'd obviously put the "real" amount of memory on the nodes (usually, you'd want physical-1G)
[13:49:38] <petan>	 by specifying different value?
[13:49:53] <Coren>	 petan: Right.  The default is just convenience.
[13:50:08] <petan>	 ok, users can override it how they want or is there a limit too?
[13:50:22] <petan>	 so you just set h_vmem to 256mb on nodes?
[13:50:42] <Coren>	 No, the setting on the node is the total quantity available.
[13:50:47] <Coren>	 Like, "7g"
[13:50:57] <petan>	 ah
[13:51:04] <petan>	 so where you set the 256mb?
[13:51:53] <Coren>	 In /var/lib/gridengine/default/common/sge_request.  Default values to there.
[13:51:58] <petan>	 ok
[13:52:01] <Coren>	 s/to/go/
[13:52:35] <Coren>	 (simple text file with one option per line so)
[13:52:47] <Coren>	 -l h_vmem=128m
[13:52:49] <Coren>	 (on one line)
[13:52:53] <petan>	 ok
[13:52:57] <Coren>	 Err, 256m
[13:53:07] <Coren>	 128 was my first attempt.  Too small for python.
[13:53:32] <petan>	 this should be in puppet variable so that we can use it on staging with same values
[13:54:05] <Coren>	 petan: Hm.  I was planning on just putting the sge_request file in puppet.
[13:54:19] <petan>	 we could either put whole config to puppet but that would complicate it to play with it on staging in order to test different conf
[13:54:36] <petan>	 because puppet would just override it
[13:54:39] <petan>	 whole
[13:55:09] <Coren>	 petan: Not unreasonable.
[14:01:08] <petan>	 btw Coren qtop is working on your grid as well...
[14:01:24] <petan>	 or it appears to me to work :P
[14:02:26] <petan>	 just cp -r /home/petrb/bin ~/bin
[14:05:06] <Coren>	 petan: I'll stuff it in /usr/local/bin.  Want to go doc it on the help page, then?
[14:05:48] <petan>	 sure
[14:06:11] <Coren>	 I see it needs qdisplayinfo.sh as well.
[14:06:30] <Coren>	 Do you intend that one to be directly usable as well?
[14:06:33] <petan>	 well, we could probably merge it
[14:06:45] <petan>	 qdisplay print the info once
[14:06:52] <petan>	 qtop refresh it every second
[14:07:01] <petan>	 qdisplay has that advantage it works in small screen
[14:07:09] <petan>	 while qtop will not display all text in small terminal
[14:07:20] <petan>	 qtop is just a wrapper for qdisplay
[14:07:30] <Coren>	 Hm.  Okay, I'll rename it to qdisplay then
[14:07:34] <petan>	 ok
[14:07:48] <scfc_de>	 Coren: BTW, it would be nice if *all* scripts & Co. have at least a one-liner licence so that there's no ambiguity.
[14:08:00] <Coren>	 scfc_de: Oh, good point!
[14:08:01] <petan>	 feel free to use any licence you want...
[14:08:10] <petan>	 I am fine with WTFPL :P
[14:08:18] <petan>	 or GPL
[14:08:41] <Coren>	 They're minuscule.  I was thinking CC-0
[14:09:08] <petan>	 I think WTFPL is even more liberal than CC-0 :P
[14:09:09] <Coren>	 Or DWTFWIWI  :-)
[14:09:17] <petan>	 that's probably same
[14:09:21] <petan>	 just longer name
[14:09:40] <Coren>	 Yeah, CC-0 is...  nicer.  :-)
[14:09:50] <scfc_de>	 Most of the scripts probably aren't copyrightable at all :-), but it's much nicer to sort this stuff out now then in five years when noone remembers who did what.
[14:10:59] <petan>	 Coren what is that "Why" header for
[14:11:08] <petan>	 * "How"
[14:11:13] <petan>	 2.1 How
[14:11:14] <petan>	 2.2 Simple utilities
[14:11:19] <petan>	 section 2.1 has no text
[14:11:48] <Coren>	 Yeah, I'm not done yet.  I want to give a summary of how submitting jobs work and what happens to them.
[14:12:04] <petan>	 ok maybe that qtop could go there in future
[14:12:08] <petan>	 no idea where to put docs for that
[14:12:18] <petan>	 it should be in "grid status" section or whatever
[14:12:23] <petan>	 or grid status overview
[14:13:06] * Coren  asks WMF legal for the right boilerplate.

[14:13:47] <Damianz>	 petan: bots-bsql01 down?
[14:13:55] <petan>	 Damianz since when?
[14:14:11] <Damianz>	 It pings but I can't connect to mysql or ssh to it
[14:14:18] <petan>	 o.O
[14:14:22] <Damianz>	 Bot last reverted something 2 hours ago
[14:14:38] <petan>	 let me check
[14:14:48] <petan>	 I can't ssh either :/
[14:14:48] <Damianz>	 [611760.713140] INFO: task mysqld:16620 blocked for more than 120 seconds.
[14:14:51] <Damianz>	 [611760.713755] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[14:14:54] <Damianz>	 *snort*
[14:15:07] <petan>	 I think it's a good time to schedule our restart of mysqld then :>
[14:15:28] <Damianz>	 the box probably
[14:15:48] <petan>	 !log bots -sql has some troubles - Damianz is responsible for sure :P
[14:15:50] <labs-morebots>	 Logged the message, Master
[14:16:03] <petan>	 wait
[14:16:07] <petan>	 don't reboot it yet
[14:16:13] <petan>	 I would like to find out what happened
[14:16:48] * Damianz  gives you 30min

[14:16:57] <petan>	 I am there :>
[14:16:58] <petan>	 sshed
[14:17:10] <petan>	 but still launching local shell
[14:17:50] <petan>	 hehe load 143
[14:18:25] <Damianz>	 That would be why the process is hung
[14:18:38] <petan>	 !log bots mysql db ate 31gb of ram
[14:18:39] <labs-morebots>	 Logged the message, Master
[14:18:46] <petan>	 that needs some investigation
[14:18:55] <petan>	 I am stopping mysqld now
[14:19:08] <petan>	 !log turning off mysqld to fix ram problems and moving binary logs
[14:19:09] <labs-morebots>	 turning is not a valid project.
[14:19:13] <petan>	 !log bots turning off mysqld to fix ram problems and moving binary logs
[14:19:14] <labs-morebots>	 Logged the message, Master
[14:19:56] <Coren>	 Anyone currently using the tools- queue?  I should reboot to reapply some security updates.
[14:20:26] <petan>	 Coren not me and qtop is telling me 0 jobs are running
[14:20:38] <petan>	 not that qtop is trustworth :P
[14:20:59] <petan>	 Damianz wow it takes some time to kill a process that eats 30+gb ram
[14:21:27] <Coren>	 !log tools reboot cycle (all instances) to apply security updates
[14:21:28] <labs-morebots>	 Logged the message, Master
[14:21:29] <petan>	 it just doesn't want to die
[14:22:20] <Coren>	 petan: Ah, the joys of swap.  :-P
[14:23:04] <petan>	 !log bots killing mysqld with -9 :|
[14:23:05] <labs-morebots>	 Logged the message, Master
[14:23:28] <petan>	 !log bots not that it would really worked :P
[14:23:29] <labs-morebots>	 Logged the message, Master
[14:25:18] <wm-bot>	 Unable to parse the feed from https://bugzilla.wikimedia.org/buglist.cgi?chfieldfrom=-4h&chfieldto=Now&list_id=151044&product=Wikimedia%20Labs&query_format=advanced&title=Bug%20List&ctype=atom this url is probably not a valid rss, the feed will be disabled, until you re-enable it by typing @rss+ bugzilla
[14:25:36] <scfc_de>	 These are just "user databases", aren't they?
[14:26:28] <labs-logs-bottie>	 !log bots root: restarting mysql server with new configuration
[14:26:29] <labs-morebots>	 Logged the message, Master
[14:28:01] <petan>	 !log bots started recovery of innodb.. will take some time
[14:28:03] <labs-morebots>	 Logged the message, Master
[14:28:28] <petan>	 that maria doesn't want to start, seems like data are corrupt
[14:28:35] <petan>	 fortunately we have binary logs :>
[14:29:43] <scfc_de>	 kill -9 can cause some damage.
[14:29:51] <Damianz>	 Bots back up anyway
[14:36:08] <petan>	 !log bots recovery finished, db is back :))
[14:36:10] <labs-morebots>	 Logged the message, Master
[14:36:55] <hashar>	 andrewbogott: hey :-]  Your puppet documentation root page seems to use Twitter bootstrap now https://doc.wikimedia.org/  =)
[14:37:25] <hashar>	 andrewbogott: well at least the main page.  The index file is somewhere under  integration/docroot.git .  I guess we will happily co maintain  it 
[14:37:32] <petan>	 scfc_de be sure I don't use kill -9 unless I have to :/
[14:37:49] <petan>	 that box would die on OOM if I didn't
[14:39:04] <andrewbogott>	 hashar:  I don't know enough about css to know what 'Twitter bootstrap' means...
[14:39:13] <andrewbogott>	 That front page should probably become a wiki page, someday
[14:39:50] <hashar>	 andrewbogott: maybe yeah :-]
[14:43:40] <petan>	 Damianz I am thinking of killing some swap on bsql01 and using that for lvol2 but not sure if that is a good idea
[14:43:58] <petan>	 meh... why we just can't have another virtual disk plugged to instance
[15:03:46] <labs-logs-bottie>	 !log nagios petrb: restarted ircecho
[15:03:47] <labs-morebots>	 Logged the message, Master
[15:04:22] <petan>	 !ping
[15:04:23] <wm-bot>	 pong
[15:08:41] <Jan_Luca>	 Coren: I have added to my list some questions for a sysadmin doc of tools: https://wikitech.wikimedia.org/wiki/User:Jan/Tools#Sysadmin_doc
[15:10:13] <Coren>	 Jan_Luca: Indeed, those are important questions.
[15:11:49] <Jan_Luca>	 Coren: Maybe petan could add questions he has
[15:12:25] <Coren>	 Jan_Luca: That would be wise indeed.  :-)  *hint, hint*
[15:36:47] <Jan_Luca>	 Coren: You write in your documantion only about CGI. Is FastCGI installed, too?
[15:38:31] <Coren>	 Jan_Luca: suphp; I know of no reliable way to deploy FastCGI in a compartimentalized fashion.
[15:40:39] <Jan_Luca>	 Coren: suexec?
[15:42:17] <Coren>	 Jan_Luca: That's explorable as a technique.  There's also the problem that I would very much prefer to not have long-running processes run on the webservers.  It's in the "would be nice - will look into it" slush pile.
[15:43:25] * Coren  would idealy prefer a scheme by which the fastcgi app runs on the grid, but that would require some unix socket /wedge/ on the webserver. Not impossible, just not trivial.

[15:43:59] <Jan_Luca>	 Coren: But if there are  tools using cgi with high access, every time a new cgi process will be created
[15:44:16] <Coren>	 Hence "would be nice"  :-)
[15:45:25] <Coren>	 Remote FastCGI would work, but the lack of certificates means that insulation is hard.
[15:48:11] <Jan_Luca>	 Coren: Maybe you could ask the Toolserver roots how they have set up FastCGI
[15:48:30] <Coren>	 Jan_Luca: I already know, by allowing the actual app to run on the webserver.
[15:48:46] <Coren>	 Jan_Luca: Which I do not want to do here for stability and security.
[15:49:09] <Jan_Luca>	 Coren: But using cgi makes no difference
[15:49:33] <Coren>	 Jan_Luca: In theory, it's not /especially/ hard to do it; but it takes some effort and it's not clear to me how many people need/use it.
[15:50:01] <Coren>	 Jan_Luca: Yes, but CGIs are short lived, and do not survive the connection; the issues with persistent daemons are not the same.
[15:50:43] <Coren>	 Jan_Luca: If you think there is a serious call for FastCGIs, I can arrange it.  I just didn't think there'd be that much demand for it.
[15:50:44] <Jan_Luca>	 Coren: When I unterstand you right you want to create a FastCGI daemon on another host like php-fpm?
[15:51:06] <Coren>	 Jan_Luca: Yes, using the gridengine for creation and dispatch.
[15:51:34] <Jan_Luca>	 Coren: Ah, you want to use proxy_fastcgi, now I get it
[15:53:51] <Coren>	 Not quite, actually, but the same principle.  (proxy_fastcgi is really hard to do right without sysadmin intervention to the apache configs, I want something the maintainers can do themselves)
[15:54:29] <Jan_Luca>	 Coren: A small wrapper that calls the right process?
[15:55:09] <Coren>	 Right, so that the fastcgi server is started on the grid instead of locally.
[15:56:12] <Jan_Luca>	 Coren: Ok, you're right, that would be a better way to enable FastCGI than my idea
[16:05:44] <scfc_de>	 Jan_Luca: Which Toolserver apps use FastCGI?
[16:06:20] <Jan_Luca>	 scfc_de: I don't know but maybe there are some
[16:07:53] <scfc_de>	 Jan_Luca: Then I'd suggest that we wait until someone actually requests it :-).
[16:08:25] <Jan_Luca>	 scfc_de: I only want to have a high compatibility to Toolserver :-)
[16:12:23] <scfc_de>	 Jan_Luca: I don't.  I hope Solaris dies.  I hope JIRA dies.  I hope all the other cruft that has accumulated over the years dies.  I hope for reliable, responsive, usable replicated databases.
[16:15:21] <Jan_Luca>	 scfc_de: I don't mean the thing you listed, I think of webserver envirment, SGE, ...
[16:15:40] <Jan_Luca>	 You're right that some thing should not be migrated
[16:20:18] <scfc_de>	 Jan_Luca: But FastCGI that - for the sake of this argument - isn't used, should be migrated?  Every astray from a "standard" setup means not only admin work setting it up, but also maintaining it and debugging it.  We've seen at Toolserver how a plethora of seldomly used services makes admin work unnecessarily complex.
[16:21:42] <Jan_Luca>	 scfc_de: I thought FastCGI is used because not everybody likes PHP and FastCGI is IHMO better than CGI
[16:22:28] <scfc_de>	 Jan_Luca: Do you use FastCGI? :-)
[16:23:15] <Jan_Luca>	 scfc_de: No, because I like PHP. ;-)
[16:23:37] <Jan_Luca>	 I only want to create a nice envirment for everybody
[16:23:56] <phe>	 I tried tu use fcgi with pyton on the TS and fallback to cgi as I was unable to get something working
[16:24:52] <scfc_de>	 Jan_Luca: Then you probably have some expertise in deploying PHP apps and can help Coren in this regard.
[16:25:08] <scfc_de>	 phe: Eh, did FastCGI work or not?
[16:25:37] <phe>	 scfc_de, I don't remember if the problem was on my side or on TS side :)
[16:27:18] <Coren>	 I suppose it's really mostly a matter of "does anyone /use/ it?"
[16:27:33] <scfc_de>	 phe: I never touched FastCGI as IIRC a FastCGI process is destroyed after a few seconds so it would only be useful for *really* heavy use while requiring a lot of rewriting the app.  Also, it would have required me to set up FastCGI on my local box as well.
[16:27:50] <Jan_Luca>	 scfc_de: I already asked Coren where I can help
[16:28:10] <Coren>	 I mean yes, I know ostensibly FastCGI is a better design, but unless people actually do use it, the effort of another component isn't a good idea.
[16:28:25] <Coren>	 The fewer things that are in place, the fewer things that can break.  :-)
[16:28:54] <Jan_Luca>	 He answered that at moment the best help would be things like questions for his documentation
[16:29:26] <Coren>	 Jan_Luca: Sure, but if you find some needed component you have expertise with, help is always welcome.
[16:30:35] <scfc_de>	 Jan_Luca: I meant finding any hiccups in the PHP setup that make app deployment more difficult/impossible.
[16:31:48] <scfc_de>	 Jan_Luca: (And if you don't find any, that's not a failure on your part.)
[16:32:48] <Jan_Luca>	 scfc_de: At moment I  have no good tools to test the system
[16:33:24] <Jan_Luca>	 I help at moment developping MW itself when I have time
[16:33:34] <scfc_de>	 Jan_Luca: Don't you maintain one of Magnus' tools, Commonshelper or something like that?
[16:34:35] <Jan_Luca>	 scfc_de: Yes, but since the Commons' admins disabled my bot the usbility is not as I want to
[16:36:31] <Jan_Luca>	 and it needs some review at moment
[16:36:32] <Jan_Luca>	 scfc_de: And CommonsHelper2 would need a replacement for TUSC to enable auto-uploads
[16:38:28] <Jan_Luca>	 scfc_de: And a replacement for TS-I18N ;-)
[16:38:57] <Jan_Luca>	 I have to rewrite some parts to get it running on Tools...
[16:39:37] <scfc_de>	 Jan_Luca: I think you should be able to port TUSC 1:1 to Tools (perhaps renaming it) if the wait for OpenID is too long.  But I would fix the Commons issues before.  A bot that is disabled on its wiki needs some work.
[16:41:07] <Jan_Luca>	 scfc_de: The tools itself works without the bot but it would be nicer when the auto-upload works
[16:41:54] <Jan_Luca>	 And TUSC is a tool of Magnus, he have to copy the database, too
[16:43:05] <scfc_de>	 Jan_Luca: Well, as a user, I wouldn't care if /some/ part of a tool works, if overall it fails :-).  For Tools User Screening Tool, you would obviously need to set up a new database and new credentials.
[17:17:08] <Jan_Luca>	 gerrit-wm seems to have a problem...
[17:27:43] <^demon>	 Jan_Luca: Known, have a patch up for it.
[17:27:49] <^demon>	 It's restarting each time puppet runs.
[17:36:46] <andrewbogott>	 Coren, Ryan_Lane, I'm making progress on the gui for service groups.  Do you have time to work on the other bits today?
[17:37:13] <andrewbogott>	 I'm imagining that Ryan_Lane will make the Schema changes and Coren can do whatever magic is required to actually implement things on the instances.
[17:42:00] <Coren>	 andrewbogott: o/~ it's some kind of magic o/~
[17:42:08] <Coren>	 (Sorry, was in a meeting with CT)
[17:43:16] <andrewbogott>	 Coren:  This is what I have, so far… https://wikitech-test.wmflabs.org/wiki/Special:NovaProject
[17:43:33] <andrewbogott>	 Ugly but consistent
[17:44:13] <Coren>	 andrewbogott: Yeah, I'll do the instance implementation part thing as soon as I have confirmation of the schema.
[17:45:00] <Coren>	 andrewbogott: I can't seem to create a TEST Coren account on the test
[17:45:31] <andrewbogott>	 Hm, what does it tell you?
[17:46:00] <Coren>	 There was either an authentication database error or you are not allowed to update your external account.
[17:47:53] <andrewbogott>	 Coren:  I just now created an acount successfully.  So… maybe TEST Coren already exists?
[17:48:50] <Coren>	 There is no user by the name "TEST Coren"
[17:49:11] <Coren>	 (Trying to passwd reset)
[17:50:02] <Coren>	 Same with case variations.
[17:50:29] <andrewbogott>	 Hm.
[17:50:36] <Coren>	 ... o_O
[17:50:40] <andrewbogott>	 Um… you can log into nova-precise2 to debug, or just skip it for now :)
[17:50:43] <Coren>	 and creating an account just worked now.
[17:50:49] <andrewbogott>	 Oh, well then!
[17:51:08] <Coren>	 No Nova credentials found for your account. (in a really BIG font)
[17:51:34] <andrewbogott>	 You can discuss the font with Ryan; I'm not a big fan of that theme.
[17:51:56] <andrewbogott>	 Let's see… for on thing you'll need to to run on two factor auth in order to do anything interesting.
[17:52:00] <Ryan_Lane>	 :D
[17:52:03] <andrewbogott>	 Also, I think I need to set a flag for you, lemme look.
[17:52:17] <andrewbogott>	 Coren, you're using 'TEST Coren' as your username?
[17:52:34] <Coren>	 andrewbogott: Yep
[17:52:38] <Ryan_Lane>	 we can switch the theme back if you'd like. it's for testing
[17:52:51] <Coren>	 No, it's pretty.  Just a bit... unusual.
[17:53:05] <Ryan_Lane>	 the font sizes need to be adjusted
[17:53:14] <Ryan_Lane>	 and the whitespace is a little weird
[17:53:36] <Coren>	 I say.  I think 72-odd points for "Access denied" looks a bit too much like MovieOS.  :-)
[17:53:41] <Ryan_Lane>	 heh
[17:53:46] <Ryan_Lane>	 it's a h1
[17:53:50] <Ryan_Lane>	 *an
[17:54:05] <Ryan_Lane>	 but yeah, the font sizes are huge
[17:54:16] <Ryan_Lane>	 this has saner font sizes: https://wiki.openstack.org/wiki/Main_Page
[17:54:18] <Ryan_Lane>	 it's the same skin
[17:54:24] <Ryan_Lane>	 different css
[17:54:36] <andrewbogott>	 Big fonts for the camera
[17:54:36] <Ryan_Lane>	 I also adjusted its whitespace
[17:54:55] <Ryan_Lane>	 for instance: https://wiki.openstack.org/wiki/Special:RecentChangesLinked/Main_Page
[17:54:56] <Ryan_Lane>	 normal sized h1 ;)
[17:55:11] <Coren>	 It does.  I do like the sober black bar.
[17:55:12] <Ryan_Lane>	 still larger than mediawiki's defaults, though
[17:55:20] <Ryan_Lane>	 yeah, I like the black theme
[17:55:31] <Ryan_Lane>	 this lighter theme goes better with openstack's other apps. though
[17:55:31] * andrewbogott  still likes sidebars better than pulldowns

[17:55:38] <andrewbogott>	 but can adjust
[17:55:48] <Ryan_Lane>	 sidebars waste so much space :)
[17:55:57] <Ryan_Lane>	 maybe if the sidebar was hidable
[17:56:03] <Coren>	 andrewbogott: I use my ipad a lot. Sidebars are a pain.
[17:56:21] <andrewbogott>	 Coren, you just need to rotate your ipad by 90 degrees
[17:56:37] <andrewbogott>	 Aren't pulldown menus also a pain, on a touch device?
[17:56:41] <Coren>	 Ryan_Lane: The best thing, of course, would be if that bar was absolute floating at the top.  :-)
[17:56:44] <Ryan_Lane>	 not ones that stick
[17:56:46] <Ryan_Lane>	 like this one
[17:56:49] <YuviPanda>	 did someone say mobile?
[17:56:55] <Ryan_Lane>	 YuviPanda: hahaha
[17:57:02] <Ryan_Lane>	 do you have a ping on the word mobile? :)
[17:57:04] <Coren>	 YuviPanda: Do you actually stalk "mobile"?  :-0
[17:57:10] <Ryan_Lane>	 YuviPanda: we were discussing the strapping theme
[17:57:22] <YuviPanda>	 no, I'm using LimeChat, it has this nice stalking feature.
[17:57:34] <YuviPanda>	 it scrolls messages from all channels on a secondary pane right under my primary one
[17:57:37] <YuviPanda>	 so... :)
[17:57:46] <andrewbogott>	 Ryan_Lane, I have the feeling I could be using projectadmin-create.py  to give coren privs on nova-precise2… ?
[17:58:01] * YuviPanda  reads backscroll on strapping

[17:58:26] <Ryan_Lane>	 andrewbogott: maybe I'm not totally sure it worked without some tweaks to the ldif file it generates
[17:58:49] <YuviPanda>	 damn, I thought we switched wikitext to strapping theme
[17:59:02] <Ryan_Lane>	 if you give him cloudadmin rights he can give himself projectadmin
[17:59:29] <Ryan_Lane>	 maybe bureaucrat too 
[17:59:38] <Coren>	 Actually, I just tried wikitech-test on my ipad and it's pretty nice.  If the fonts were just a wee bit smaller and the top bar stuck to the top of display, I'd use it by default.
[17:59:40] <Ryan_Lane>	 I hate that word. it's such a pain to type without typos
[18:00:03] <Ryan_Lane>	 yeah. it's adaptive
[18:00:10] <Ryan_Lane>	 so it automatically adjusts to the screen size
[18:00:38] <Ryan_Lane>	 the fact that I suck at frontend work, but can make a non-shitty skin speaks highly of bootstrap :)
[18:01:01] <YuviPanda>	 +1 ^
[18:01:22] <YuviPanda>	 Ryan_Lane: Bootstrap 3.0 is around the corner
[18:01:27] <Ryan_Lane>	 \o/
[18:01:48] <YuviPanda>	 Ryan_Lane: http://rc.getbootstrap.com/
[18:01:51] <YuviPanda>	 is 'mobile first'
[18:02:15] <YuviPanda>	 hmm, wrong link
[18:02:53] <YuviPanda>	 Ryan_Lane: hmm, https://github.com/twitter/bootstrap/pull/6342
[18:02:56] <YuviPanda>	 drops IE7 suppport
[18:03:13] <Ryan_Lane>	 well, that would make it difficult for us to adopt
[18:03:36] <YuviPanda>	 to say the least, yeah
[18:03:47] <YuviPanda>	 would that hinder adoption on even wikitech?
[18:03:49] <YuviPanda>	 bleh.
[18:03:59] <YuviPanda>	 I guess bootstrap currently already dropped IE6 support
[18:04:18] <YuviPanda>	 Ryan_Lane: also ff 3.6 support :|
[18:04:27] <Ryan_Lane>	 I'm not sure I want to add bootstrap to wikitech if we will never use it in production
[18:04:39] <YuviPanda>	 yeah,
[18:04:43] <YuviPanda>	  I can understand that
[18:04:49] <YuviPanda>	 but if it is dropping IE7 support...
[18:04:55] <andrewbogott>	 Ryan_Lane, can you give me a usage hint about projectadmin-create.py ?
[18:05:06] <YuviPanda>	 I'm unsure how that bodes for us adding it in production in the next... 5-7 years?
[18:05:14] <Ryan_Lane>	 andrewbogott: why use that, rather than just giving him rights via the interface?
[18:05:29] <Ryan_Lane>	 then he can give himself rights as necessary
[18:05:58] <Ryan_Lane>	 that script outputs ldif, and I think it's ldif is slightly wrong
[18:05:58] <Ryan_Lane>	 *its
[18:06:03] <Ryan_Lane>	 YuviPanda: heh
[18:06:11] <Ryan_Lane>	 YuviPanda: well, we could continue to use bootstrap 2 :)
[18:06:21] <andrewbogott>	 Ryan_Lane, oh, didn't know I could grant such privs.  Much easier.
[18:06:51] <YuviPanda>	 Ryan_Lane: well, bootstrap 2.0 doesn't support IE6 
[18:06:52] <YuviPanda>	 https://github.com/twitter/bootstrap/issues/76
[18:06:56] <YuviPanda>	 but I'm completely fine with that :D
[18:07:00] <andrewbogott>	 Coren, can you see the page I linked yet?
[18:07:01] <Ryan_Lane>	 heh
[18:07:18] <Coren>	 andrewbogott: There were no Nova credentials found for your user account. Please ask a Nova administrator to create credentials for you.
[18:07:30] <Ryan_Lane>	 Coren: log out and back in
[18:07:32] <andrewbogott>	 Coren, did you turn on two-factor auth?
[18:07:53] <Ryan_Lane>	 there's a bug on first login after account creation
[18:08:06] <Damianz>	 that really needs fixing
[18:08:07] <Coren>	 andrewbogott: ... no.
[18:08:10] * Damianz  grumbles at crapy ux

[18:08:24] <Ryan_Lane>	 Damianz: obviously
[18:08:30] <andrewbogott>	 Coren, I think most project admin stuff requires two-factor.  Although in theory it will tell you that.
[18:08:35] <Ryan_Lane>	 it's non-trivial to fix
[18:08:37] <Coren>	 It does, now.
[18:08:40] <Coren>	 Mleh.
[18:08:49] <Coren>	 I don't mind two-factor.  I hate your second factor.  :-)
[18:08:58] <Ryan_Lane>	 eh? you'd prefer sms?
[18:09:03] * Ryan_Lane  pukes

[18:09:11] <YuviPanda>	 postal mail, duh.
[18:09:14] <Ryan_Lane>	 :D
[18:09:16] <Damianz>	 I'd love a Yubi key as an option
[18:09:23] <YuviPanda>	 YuviKey?
[18:09:43] * YuviPanda  leaves the adults to their discussion

[18:09:49] <Ryan_Lane>	 meh. I don't want to add any more authentication options
[18:09:52] * Damianz  gives YuviPanda that look

[18:10:09] <YuviPanda>	 hey, I can make one bad joke a day!
[18:10:18] <Ryan_Lane>	 OATH is available on basically every mobile device
[18:10:36] <Damianz>	 What about my nokia 6410?
[18:10:53] <Ryan_Lane>	 is it a feature phone?
[18:10:58] <Ryan_Lane>	 does it support java me?
[18:11:11] <Ryan_Lane>	 if so, then yes
[18:11:11] <Damianz>	 Nope it's a brick used for when I'm in sandy places
[18:11:17] <Ryan_Lane>	 then no, you're screwed
[18:11:33] <Ryan_Lane>	 there's desktop apps too
[18:11:54] <Damianz>	 oreally
[18:11:57] <Damianz>	 I didn't know that
[18:12:02] <Ryan_Lane>	 if you can't access your two factor, then you probably shouldn't log in ;)
[18:15:48] <Coren>	 andrewbogott: I haz a success.
[18:16:47] <Coren>	 andrewbogott: Ah, you're putting it directly on the project admin page.  Makes sense.
[18:18:11] <andrewbogott>	 If it fits...
[18:18:13] <Coren>	 andrewbogott: So, Openstack question; can you call a hook of mine or do I need to watch for LDAP changes?
[18:18:32] <Coren>	 andrewbogott: Like, you know, with salt
[18:18:53] <andrewbogott>	 We don't have good salt integration at the moment, so you'll need to poll or use a puppet hook or something
[18:19:40] <Coren>	 Polling works, if a bit uglies.
[18:20:05] <Coren>	 It does have the advantage of being flexible.
[18:20:47] <Ryan_Lane>	 I believe you can also poll by modification time
[18:21:23] <Coren>	 Ryan_Lane: Would the modification time propagate up the hiarchy?
[18:21:40] <Ryan_Lane>	 no clue, but does it matter?
[18:22:03] <Coren>	 Ryan_Lane: If I can't just watch the whole OU, then I might as well just ldapsearch and diff.
[18:22:32] <Ryan_Lane>	 well, you don't watch
[18:22:42] <Ryan_Lane>	 you use a daemon, then when you poll, you request from the last timestamp
[18:22:44] <Coren>	 By "watch" I meant "compare modification time"
[18:23:11] <Ryan_Lane>	 we do full searches every time. I'd kind of like to switch to using modification time
[18:23:17] <Ryan_Lane>	 it's more efficient
[18:23:27] <Coren>	 It would be.  I don't think I ever did that.
[18:23:34] * Coren  goes to find doc and read.

[18:24:14] <Ryan_Lane>	 god damn it
[18:24:20] <Ryan_Lane>	 I can't find a list of operational attributes
[18:24:23] <Ryan_Lane>	 it's so annoying
[18:24:33] <Ryan_Lane>	 why does every directory server make these hard to find?
[18:24:41] <Jan_Luca>	 Ryan_Lane: Could you explain me what the difference is between OAuth und OATH
[18:25:40] <Ryan_Lane>	 Jan_Luca: OATH defines http://en.wikipedia.org/wiki/HOTP and http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
[18:26:13] <Ryan_Lane>	 both of which are used for one-time passwords
[18:26:19] <Ryan_Lane>	 (two-factor authentication)
[18:26:42] <Ryan_Lane>	 oAuth is a mechanism for allowing another application to act on your behalf, using tokens
[18:27:30] <Ryan_Lane>	 so, flickr could upload images directly to commons, using your account, if you allowed it to do so, using oAuth
[18:28:58] <Jan_Luca>	 Ryan_Lane: OK, thank you. Do you have a advice which client should I use on Android?
[18:29:29] <Damianz>	 google authenticator thing works great
[18:29:47] <Ryan_Lane>	 yep
[18:29:54] <Ryan_Lane>	 that's a good app for it
[18:30:30] <Jan_Luca>	 Ok, I will try it
[18:32:46] <Coren>	 Ryan_Lane: Did we ever decide what we do about sudoers for the service accounts?
[18:33:15] <Coren>	 Ryan_Lane: I can maintain a local sudoers from the info I scrape off LDAP, but I know you had another idea?
[18:36:06] <Jan_Luca>	 Damianz, Ryan_Lane: Thank you it works fine but can I use 2 devices for this
[18:36:43] <Damianz>	 Pretty sure it works with 2 devices, not actually tried tbh
[18:36:51] <Damianz>	 They use the same algo/key so it should work in theory I guess
[19:04:02] <Ryan_Lane>	 Coren: why a local sudoers?
[19:04:15] <Ryan_Lane>	 Coren: all of the instances are configured to use the project sudoers in ldap
[19:04:29] <Ryan_Lane>	 if you add a policy, it'll be enabled on the instances automatically
[19:04:45] <Ryan_Lane>	 the email I sent mentioned what we can do
[19:04:54] <Coren>	 Ryan_Lane: It makes customization easy.  Remember, in my case, I have rules of the type "%local-anagrimes ALL=(local-anagrimes) NOPASSWD: ALL"
[19:04:57] <Ryan_Lane>	 when a service user is created, a policy is automatically added for it
[19:05:03] <Coren>	 Ah, that works.
[19:05:11] * Coren  doesn't remember that email, though.

[19:05:42] <Ryan_Lane>	 "Per-project service users and groups" in labs-l
[19:06:15] <Coren>	 Ah.  I hadn't even noticed you talking about sudo.  :-)
[19:06:22] <Coren>	 So yeah, this answers that.  :-)
[19:06:48] <Ryan_Lane>	 heh
[19:15:16] <Wikinaut>	 Ryan_Lane: I have some time now for chatting. Yesterday, you proposed to me to show a warning, if a user fetches a page SpecialOpenIDIdentifier/id where (id != $wgUser->getID() || !isUser( id) )
[19:15:59] <Wikinaut>	 or positive: only to show him "this is your id page" if id === $wgUser->getID() 
[19:16:27] <Wikinaut>	 Shall I code that ?
[19:16:32] <Wikinaut>	 It is easy
[19:17:19] <Wikinaut>	 see https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/OpenID.git;a=blob;f=SpecialOpenIDIdentifier.body.php;h=d8270c4c4e63602fc3a00124feff3aa923ea1498;hb=HEAD#l61
[19:17:45] <Wikinaut>	 ... until line 111
[19:18:18] <Wikinaut>	 Ryan_Lane: 
[19:18:21] <Wikinaut>	 ^
[19:19:25] <Ryan_Lane>	 so, one of two things is occurring if the logged in user doesn't match the auth url
[19:19:31] <Ryan_Lane>	 1. Someone is being nasty
[19:19:59] <Ryan_Lane>	 2. Someone has more than one account, and they didn't realize they were already logged in with one of them while trying to use the other
[19:20:30] <Ryan_Lane>	 #2 is pretty problematic because people may accidentally associate the wrong account to an application
[19:20:37] <Ryan_Lane>	 well, there's also #3
[19:20:52] <Ryan_Lane>	 someone is using another person's computer and they try to login using their user page
[19:21:12] <Wikinaut>	 can I answer now ?
[19:21:16] <Ryan_Lane>	 sure
[19:21:27] <Wikinaut>	 well, first at all, I wanted to fix this problem:
[19:21:35] <Wikinaut>	 when someone crafts the url manually
[19:21:47] <Wikinaut>	 there should be a page output
[19:21:50] <Wikinaut>	 ok ?
[19:21:57] <Ryan_Lane>	 yes. saying this user doesn't exist
[19:22:02] <Wikinaut>	 this is _now_ fixed, there are three case
[19:22:09] <Wikinaut>	 let me explain pls
[19:22:22] <Wikinaut>	 case i) id == id(current user) 
[19:22:24] <Wikinaut>	 ==> ok
[19:22:37] <Wikinaut>	 case ii) id = id of a different user
[19:22:48] <Wikinaut>	 case iii) id = non existing user
[19:22:55] <Ryan_Lane>	 indeed
[19:23:03] <Wikinaut>	 Currently, all cases are correctly treated
[19:23:08] <Wikinaut>	 pls. check the url above
[19:23:13] <Ryan_Lane>	 yes. I saw that
[19:23:19] <Wikinaut>	 but we can now:
[19:23:23] <Wikinaut>	 do this:
[19:23:36] <Wikinaut>	 for case ii) and iii) show the same page
[19:23:37] <Wikinaut>	 saying
[19:23:49] <Wikinaut>	 "This is not your id page"
[19:23:55] <Wikinaut>	 that's all
[19:24:12] <Wikinaut>	 I fix that if you agree
[19:24:17] <Wikinaut>	 it's a pleasure for me
[19:24:18] <Ryan_Lane>	 Isn't it a little better to tell them a user doesn't exist in case iii?
[19:24:25] <Wikinaut>	 This is done !!!
[19:24:31] <Wikinaut>	 It IS in
[19:24:42] <Ryan_Lane>	 I'm not sure what the proposed change is, then?
[19:24:54] <Wikinaut>	 https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/OpenID.git;a=blob;f=SpecialOpenIDIdentifier.body.php;h=d8270c4c4e63602fc3a00124feff3aa923ea1498;hb=HEAD#l63
[19:25:05] <Wikinaut>	 not say in case ii)
[19:25:14] <Wikinaut>	 that this is the id of another user
[19:25:20] <Wikinaut>	 but simply say:
[19:25:26] <Wikinaut>	 This is not your id
[19:25:30] <Ryan_Lane>	 yeah. that's fine
[19:25:38] <Wikinaut>	 (you proposed that yesterday night)
[19:25:43] <Wikinaut>	 !
[19:25:43] <wm-bot>	 There are multiple keys, refine your input: !log, $realm, $site, *, :), access, account, account-questions, accountreq, addresses, addshore, afk, alert, amend, ask, b, bang, bastion, beta, blehlogging, blueprint-dns, bot, botrestart, bots, bots-bsql, botsdocs, broken, bug, bz, cmds, console, cookies, coren, credentials, cs, damianz, damianz's-reset, db, del, demon, deployment-beta-docs-1, deployment-prep, docs, documentation, domain, epad, etherpad, extension, -f, forwarding, gerrit, gerritsearch, gerrit-wm, ghsh, git, git-branches, git-puppet, gitweb, google, gridbots, group, help, hexmode, home, htmllogs, hyperon, icinga, info, initial-login, instance, instance-json, instancelist, instanceproject, keys, labs, labsconf, labsconsole, labsconsole.wiki, labs-home-wm, labs-morebots, labs-nagios-wm, labs-project, labswiki, leslie's-reset, link, linux, load, load-all, logs, mac, magic, mail, manage-projects, meh, mobile-cache, monitor, morebots, msys, msys-git, nagios.wmflabs.org, nagios-fix, newgrp, new-labsuser, new-ldapuser, nova-resource, op_on_duty, openstack-manager, origin/test, os-change, osm-bug, pageant, password, pastebin, pathconflict, petan, ping, pl, pong, port-forwarding, project-access, project-discuss, projects, puppet, puppetmaster::self, puppetmasterself, puppet-variables, putty, pxe, python, q1, queue, quilt, report, requests, resource, revision, rights, rt, Ryan, ryanland, sal, SAL, say, search, security, security-groups, sexytime, single-node-mediawiki, socks-proxy, ssh, sshkey, start, stucked, sudo, sudo-policies, sudo-policy, svn, terminology, test, test2, Thehelpfulone, tl, tooldocs, trout, tunnel, unicorn, whatIwant, whitespace, wiki, wikitech, wikiversity-sandbox, windows, wl, wm-bot, 
[19:25:48] <Wikinaut>	 uih
[19:26:01] <Ryan_Lane>	 "The URL provided does not match your identity"
[19:26:03] <Ryan_Lane>	 or something like that
[19:26:04] <Wikinaut>	 Yes
[19:26:14] <Wikinaut>	 I will fix that. Let me some time
[19:26:19] * Ryan_Lane  nods

[19:26:22] <Wikinaut>	 I have a "lecker" beer here
[19:26:25] <Wikinaut>	 lecker = yummy
[19:26:47] <Wikinaut>	 Something different.
[19:27:13] <Wikinaut>	 I added some of the open bugs to "block" the one other bugzilla, I guess, you have noticed
[19:27:23] <Wikinaut>	 don't feel pushed
[19:27:28] <Wikinaut>	 by that
[19:28:17] <Wikinaut>	 "the one other bugzilla" is https://bugzilla.wikimedia.org/show_bug.cgi?id=9604  <-- tracking bug, ok
[19:28:19] <Wikinaut>	 ???
[19:29:05] <Wikinaut>	 If you agree, I can rename or add that " (tracking bug)"
[19:29:53] <Wikinaut>	 I did that. Not waiting for Ryan
[19:30:41] <Wikinaut>	 (I have nothing else, and I am on standby. Bye)
[19:44:35] <Wikinaut>	 I leave it as it is. Otherwise, it will break. If we stop to add the invisible X-XRDS location urls, it will break the whole system
[19:44:40] <Wikinaut>	 Ryan_Lane: ^
[19:45:14] <Wikinaut>	 I would have to render the X-XRDS links, but show a text "this is not your open id"
[19:45:37] <Wikinaut>	 this is possible, but really, I think this not needed and, ugly.
[19:45:53] <Wikinaut>	 It woudl be nice if you test the current code on the openid-wiki instance
[19:46:00] <Wikinaut>	 then you see, what I mean
[19:47:00] <Wikinaut>	 Ryan_Lane: try that one http://openid-wiki.instance-proxy.wmflabs.org/wiki/Special:OpenIDIdentifier/1
[19:47:03] <Wikinaut>	 and http://openid-wiki.instance-proxy.wmflabs.org/wiki/Special:OpenIDIdentifier/0
[19:47:07] <Wikinaut>	 and http://openid-wiki.instance-proxy.wmflabs.org/wiki/Special:OpenIDIdentifier/1000
[19:47:17] <Wikinaut>	 and your userid 
[19:48:04] <Wikinaut>	 and http://openid-wiki.instance-proxy.wmflabs.org/wiki/Special:OpenIDIdentifier
[19:48:19] <Wikinaut>	 I think, it makes sense to leave it as it is.
[20:21:40] <Coren>	 andrewbogott: Reply't
[20:21:59] <andrewbogott>	 thanks
[20:25:20] <Coren>	 andrewbogott: And I just added a Q of my own.  /Can/ we assign 'service group' management to a role that is not 'projectadmin'?
[20:25:58] <Coren>	 If so, I would do that and s/project admin/users with that role/ through my entire reply.  :-)
[20:26:19] <andrewbogott>	 Coren, aren't you writing a script to create the service users anyway?  So if it detects the presence of a group it can just create the user
[20:26:59] <Coren>	 andrewbogott: I'd very much rather not have local users.  I /can/ do it, but it's ugly as sin and I'm pretty sure Ryan_Lane really wanted the users to be in LDAP.
[20:27:16] <andrewbogott>	 Ah, ok, makes sense.
[20:27:24] <andrewbogott>	 I thought that all of the user creation was going to be mediated by a script anyway.
[20:28:05] <Coren>	 That's my current ugly stopgap.  Creating local users in a for loop of ssh to the boxen is...  not my favorite thing.  :-)
[20:28:23] <Coren>	 The script will create homes, etc.
[20:28:44] <Coren>	 (Which is done exactly once, since it's on a shared filesystem)
[20:34:07] <andrewbogott>	 Oh, oops, my question about 'how' was not about privs but about how things are represented in ldap.
[20:35:45] <Ryan_Lane>	 lemme respond to the emails :)
[20:45:12] <Ryan_Lane>	 reply'd
[20:45:38] <Damianz>	 mailman is slow :(
[20:45:48] <Ryan_Lane>	 Coren: the script doesn't need to create homes
[20:45:52] <Ryan_Lane>	 pam_mkhomedir will do that
[20:47:46] <Coren>	 Oh, poop.  That's an implementation detail that needed to be said; tools have their homes in /data/project without the local- prefix, and have different permissions and skeletons than "normal" users.  I'd really rather they not be created by pam
[20:48:32] <Coren>	 They are g+s,o=rx for one, which is not "normal home" perms
[20:49:06] <Damianz>	 just make them in the script and pam_mkhomedir won't touch them heh
[20:57:21] <Ryan_Lane>	 ah
[20:57:22] <Ryan_Lane>	 right
[20:57:30] <andrewbogott>	 Ryan_Lane:  Sorry, my email must not've been clear on my actual question.  What I don't understand is:  How, in ldap, will group membership be represented?
[20:57:39] <Ryan_Lane>	 via groupofnames
[20:57:48] <Ryan_Lane>	 with DNs for users
[20:57:53] <Ryan_Lane>	 just like project membership
[20:57:59] <Ryan_Lane>	 or project groups
[20:58:44] <andrewbogott>	 ok.
[20:59:02] <andrewbogott>	 I maybe understand how to do that; will look at the existing code.
[20:59:17] <Ryan_Lane>	 we should probably refactor some
[20:59:36] <Ryan_Lane>	 adding/removing group code should go into LdapAuthentication
[20:59:41] <Ryan_Lane>	 and the other classes should call it
[21:11:57] <Coren>	 Ryan_Lane: Oh, noes, I really think the service account's primary group should be a global one that marks them as such.
[21:12:00] <Ryan_Lane>	 Coren: I don't understand why the service user's primary gid shouldn't be its service group?
[21:12:19] <Coren>	 Ryan_Lane: Well, on a purely practical level, SGE only looks at the primary gid.  :-)
[21:12:31] <Ryan_Lane>	 meaning...?
[21:12:46] <Coren>	 Ryan_Lane: That's how I separate humans from tools.  :-)
[21:13:20] <Ryan_Lane>	 it's less secure to use a group all tools are members of
[21:13:43] <Coren>	 Ryan_Lane: ... to say "it's a tool"?
[21:14:11] <Ryan_Lane>	 files written by the tool user will have "service" by default, not their service-group
[21:14:29] <Ryan_Lane>	 assuming the umask is 002, that's a problem
[21:14:53] <Coren>	 Ryan_Lane: Ah; not really, the tools' home are sgid for that very reason so that /every/ write in it is reachable to the maintainers.
[21:15:12] <Coren>	 Ryan_Lane: Besides, that's no different than humans being gid 500.
[21:15:18] * Ryan_Lane  nods

[21:15:28] <Ryan_Lane>	 I'm not a huge fan of everyone having the same primary gid right now, either
[21:15:33] <Coren>	 Ah.
[21:15:51] <Coren>	 I'm old school.  It's SOP to have a 'is a user', 'is a service', 'is a foo' primary group.
[21:15:52] <Coren>	 :-)
[21:16:04] <Ryan_Lane>	 that's what secondary groups are for
[21:16:15] <Damianz>	 s/old school/old/
[21:16:17] <Coren>	 I see those as roles, not nature.  :-)
[21:16:18] <Ryan_Lane>	 :D
[21:16:28] <Ryan_Lane>	 I see secondary groups as roles
[21:16:32] <Ryan_Lane>	 you can only have a single primary group
[21:16:51] <Ryan_Lane>	 and changing it has far reaching consequences
[21:17:01] <Coren>	 Right.  So that should be indicative of what kind of account it is rather than one of the (possibly many) roles the account may hold.
[21:17:02] <Platonides>	 Coren, what about files created in /tmp ?
[21:18:10] <Coren>	 Platonides: Same as any file created in /tmp -> should not have special privileges granted to group unless you /know/ you did a setegid() first.
[21:18:27] <Ryan_Lane>	 if umask is 002....
[21:18:46] <Ryan_Lane>	 which it needs to be
[21:19:28] <Ryan_Lane>	 this is the strength of user groups
[21:19:48] <Coren>	 Ryan_Lane: You're right, this is why the primary group should be an invariant (like, "it's a human", "it's a service account") and not a role.
[21:20:04] <Ryan_Lane>	 it should be the same as the user
[21:20:15] <Ryan_Lane>	 specifically for this reason
[21:20:26] <Ryan_Lane>	 no need to worry about group permissions
[21:20:40] <Coren>	 Ryan_Lane: Group ownership of files should /never/ be left to defaults.  Either to setegid(), or use sgid on directories you intend to use, or you change the creation mask.  Anything else is a bug waiting to happen.
[21:20:45] <Ryan_Lane>	 hahaha
[21:20:47] <Ryan_Lane>	 good luck on that
[21:21:03] <Ryan_Lane>	 I bank on people's ignorance
[21:21:35] <Damianz>	 s/ignorace/stupidity/
[21:21:45] <Coren>	 Ryan_Lane: Anyone who doesn't take those basic security precautions will have code full of MUCH bigger holes anyways.  You're plugging a single hole in a strainer.  :-)
[21:22:05] <Ryan_Lane>	 always assuming people will do the easier thing and not the right thing and changing your security to accommodate that is a good idea
[21:22:16] <Coren>	 Hm.
[21:22:16] <Ryan_Lane>	 that's not a basic security precaution, though
[21:22:25] <Ryan_Lane>	 people have to be taught that
[21:22:31] <Ryan_Lane>	 most people are used to user-groups
[21:22:39] <Ryan_Lane>	 and people *suck* at file permissions
[21:22:51] <Ryan_Lane>	 most people don't even know what sgid on directories does
[21:22:54] <Coren>	 What, not writing temporary files in a public directory without making at least sure that it doesn't have group write isn't basic?  :-P
[21:23:07] <Ryan_Lane>	 why can't it have group write?
[21:23:24] <Ryan_Lane>	 if you aren't adding every user into the same group it's not a problem
[21:23:35] <Coren>	 Because if you allow a group writing it, you should at /least/ know what group you're granting it to.
[21:23:37] <Ryan_Lane>	 in fact, it's a good idea
[21:23:58] <Coren>	 Of course it's a problem, unless you actually stat() the directory before creating the file then guard against a race condition.
[21:24:10] <Ryan_Lane>	 well, people should be using mktmpdir
[21:24:28] <Ryan_Lane>	 it's unsafe to use a tmp dir without it
[21:24:41] <Platonides>	 Ryan_Lane, I don't seem to have such tool...
[21:24:46] <Platonides>	 in which pkg is it?
[21:25:02] <Coren>	 If you allow group write on a file you put in a public directory, you never actually know what group will end up with write access to it since you can't guard against the directory being sgid unless it's yours.
[21:25:07] <Platonides>	 (you could change your umask, create the folder, then restore it...)
[21:25:13] <Ryan_Lane>	 Platonides: it's mktemp -d
[21:25:25] <Platonides>	 ah
[21:25:27] <Ryan_Lane>	 Coren: which is the purpose of mktemp -d
[21:25:46] <Ryan_Lane>	 it's unsafe to write into tmp without it
[21:25:49] <Coren>	 Ryan_Lane: In which case, you're not writing in a public directory anymore.  :-)
[21:26:02] <Ryan_Lane>	 you are still using tmp
[21:26:13] <Ryan_Lane>	 but a private directory in it
[21:26:24] <Ryan_Lane>	 but, directory permissions still apply there
[21:26:53] <Coren>	 Incidentally, mktmpdir protects only against some attacks.
[21:27:07] <Ryan_Lane>	 yes, but that's a different argument altogether ;)
[21:27:25] <Ryan_Lane>	 we can't assume that applications are going to properly set umask
[21:27:29] <Coren>	 No, since someone could sill make you end up writing your files in a directory sgid to them.
[21:27:38] <Ryan_Lane>	 Coren: how?
[21:28:44] <Ryan_Lane>	 anyway, what does a shared group really buy us?
[21:28:46] <Coren>	 By guessing the new dir name and making a symlink to a directory that isn't sticky in its place.
[21:28:51] <Ryan_Lane>	 that makes it worth the security risk
[21:29:09] <Ryan_Lane>	 mktemp -d creates the directory, then reports back
[21:29:17] <Ryan_Lane>	 then you use the directory that's reported back
[21:29:25] <Ryan_Lane>	 it's safe in that regard
[21:30:00] <Ryan_Lane>	 people can symlink all they want. it's not going to help for that ;)
[21:30:16] <Coren>	 They may have fixed the dereference race condition.  Anyways.
[21:31:13] <Coren>	 The common group simplifies management, IMO, and classifies accounts.  I'm not deadset against it, but I think the new one-role-per-user fad is misguided.  :-)
[21:31:43] <Ryan_Lane>	 the accounts are already classified. they start with local-
[21:32:05] <Ryan_Lane>	 I'm not sure how it simplified management. have any examples?
[21:32:09] <Coren>	 Making groups with a membership of one, IMO, is an attempt to circumvent a human problem with a technological hack -- those /never/ end up well.  :-0
[21:32:14] <Ryan_Lane>	 *simplifies
[21:32:55] <Ryan_Lane>	 it's actually a fairly effective way of handling an old problem of shared default groups :)
[21:32:56] <Coren>	 It's not as relevant as it once was; but there are still tools that cannot cope with group lists, and tools that have a limit on the number of extra groups.
[21:33:10] * Coren  chuckles.

[21:33:12] <Ryan_Lane>	 yeah, there's definitely still a limit on extra groups
[21:33:20] <Coren>	 I suppose, if you see shared default groups as a problem.
[21:33:25] <Coren>	 (Which I do not)
[21:33:47] <Ryan_Lane>	 you assume everyone knows well enough not to screw themselves :)
[21:33:53] <Ryan_Lane>	 or can even be taught
[21:34:20] <Ryan_Lane>	 I'm of the school of thought that we should protect people from screwing themselves, at our expense :)
[21:34:25] <Coren>	 Ow.  I didn't think anyone could have a worse default opinion of users than an old BOFH like me.  :-)
[21:35:17] <Ryan_Lane>	 you wouldn't believe how many people I've had to tell about sgid directories :D
[21:35:44] <Coren>	 I'm of the school of thought that protecting people from themselves never actually works; they'll just find another way to screw themselves but will have lost the opportunity to learn not to.
[21:35:56] <Ryan_Lane>	 screw it. let's use posix acls for everything
[21:36:10] <Ryan_Lane>	 Coren: ;)
[21:36:13] <Coren>	 If you remove all the "small" problems they can encounter, all that's left to them to learn is the big fuckups.  :-)
[21:36:54] <Ryan_Lane>	 well, this isn't necessarily a small problem
[21:36:57] <Coren>	 Heh.  I don't mind posix ACL, so long as I am allowed to point at you when people go WTF?  How do I ACL?  :-)
[21:37:16] <Ryan_Lane>	 people are going to end up writing their bot passwords in an insecure way
[21:37:31] <Ryan_Lane>	 if we're telling people that their passwords are protected, that's an issue
[21:37:38] <Coren>	 Ryan_Lane: They still will have o+r anyways; groups aren't going to help that.
[21:37:41] <Damianz>	 Lets all use selinux and be happy
[21:38:09] <Ryan_Lane>	 Coren: why would the home directory be o+rx?
[21:38:31] <Ryan_Lane>	 well, I see your point
[21:38:37] <Coren>	 Ryan_Lane: In more practical terms, however, I have noted at least twice as many users doing 777 in unique group setups.
[21:39:17] <Ryan_Lane>	 I don't see that being a major problem in this situation
[21:40:42] <Coren>	 It's still an issue.  You want to give users at least a minimal understanding of why permission matters, and a disclaimer that they'll shoot themselves if they are not careful.  Unique groups don't really help, because it gives a false sense of security about permissions that will just bite them harder.
[21:41:18] <Ryan_Lane>	 the people that understand permissions won't have an issue with it, and it protects them against applications
[21:42:22] <Ryan_Lane>	 their applications aren't going to know to write files and directories with a specific group
[21:42:48] <Ryan_Lane>	 I guess they could use newgrp before running the app, but I doubt people will know to do that
[21:43:15] <Ryan_Lane>	 also, using newgrp sucks
[21:44:57] <Coren>	 Heh.
[21:44:59] <Coren>	 It does.
[21:45:15] <Coren>	 But I would recommend against using /tmp anyways since it's instance-local
[21:45:30] * Ryan_Lane  nods

[21:45:31] <Coren>	 And the grid very much doesn't guarantee you'll stay on the same instance.
[21:45:52] <Ryan_Lane>	 I'd hope tmp files are only needed for while something is running and never again :)
[21:46:05] <Ryan_Lane>	 of course, I know better
[21:47:04] * Ryan_Lane  has little faith in humanity

[21:50:00] <petan>	 Coren /tmp is fine as well people are aware it's instance local
[21:50:21] <petan>	 most of sane processes will drop all tmp files after they finish
[21:51:31] <petan>	 Damianz LOLOOL
[21:51:36] <petan>	 selinux he say :D
[21:51:46] <Damianz>	 <3 selinux... so powerful
[21:51:49] <petan>	 hehe
[21:51:49] <Coren>	 Ryan_Lane: And, again, if anyone puts anything breakable in /tmp without taking care of permissions they are in trouble anyways and no group will save them.  :-)
[21:51:58] <petan>	 I though whole thing is deprecated for ages
[21:52:07] <Coren>	 petan: selinux?  Why should it be?
[21:52:11] <petan>	 or at least not actively developed
[21:52:25] <petan>	 most of distribution maintainers are stepping away from it
[21:52:33] <petan>	 including canonical etc
[21:53:11] <Ryan_Lane>	 hahaha
[21:53:14] <Coren>	 Ryan_Lane: Not worth debating further anyways; I can cope with tools being in strange primary groups.  It's just...  eeew.
[21:53:26] <Ryan_Lane>	 petan: it's very heavily developed by red hat
[21:53:34] <Ryan_Lane>	 it's superior to apparmor in lots of ways
[21:53:37] <Damianz>	 selinux is widly used in RHEL
[21:53:46] <petan>	 mhm...
[21:53:58] <Coren>	 petan: And, honestly, I use selinux on my own net exposed servers as well (though not RH's policies)
[21:53:59] <Ryan_Lane>	 and it has hundreds/thousands of policies written for it
[21:53:59] <petan>	 I don't see a reason why apparmor exist then
[21:54:03] <Ryan_Lane>	 and apparmor has almost none
[21:54:30] <Damianz>	 Apparmor is simpler but also suuucks
[21:54:32] <petan>	 what's the point of it then? why ubuntu doesn't use selinux over apparmor by default?
[21:54:52] <Coren>	 petan: apparmor is kinda sucky; it doesn't have the simplicity for anything more flexible than a simple desktop with trivial use.
[21:54:56] <Ryan_Lane>	 because they went with apparmor
[21:55:05] <petan>	 Ryan_Lane but why
[21:55:08] <Coren>	 simplicity <-> flexibility
[21:55:08] <Ryan_Lane>	 and are "invested" in it
[21:55:09] <petan>	 also what is license 
[21:55:12] <petan>	 of selinux
[21:55:21] <Ryan_Lane>	 petan: it's a kernel feature
[21:55:30] <Ryan_Lane>	 so, gpl2, I'd assume
[21:55:39] <Coren>	 petan: Maybe because they had nobody who groked selinux at the time?
[21:55:52] <Coren>	 Ryan_Lane: IIRC, the actual selinux code is PD-US
[21:56:01] <Coren>	 cuz, you know, NSA.
[21:56:02] <Damianz>	 remember selinux was contributed by the nsa and be happy with it for MLS
[21:56:04] <Ryan_Lane>	 ah. right
[21:56:49] <Ryan_Lane>	 Coren: that's sketchy from a licensing pov :)
[21:57:13] <Coren>	 Ryan_Lane: The current version is probably consumed of GPL by now as aggregate.
[21:57:18] <petan>	 well it always looked to me that canonical invested into stuff that has future, so for some reason they probably believe apparmor has better future
[21:57:21] <petan>	 than selinux
[21:57:23] <petan>	 who knows
[21:57:26] <Ryan_Lane>	 I never got a straight answer about my open source contributions when I was working for the government
[21:57:38] <Damianz>	 canonical take random shit like unity and throw it on people and hope it sticks
[21:57:46] <petan>	 heh
[21:57:51] <Damianz>	 Ryan_Lane: LOL
[21:58:06] <Coren>	 petan: Last I checked, no distro team had clairvoyance or infallibility.  :-)
[21:58:07] <Damianz>	 Just contribute under your own name and avoid all legal issues with company and releases etc
[21:58:24] <Ryan_Lane>	 Damianz: that doesn't really work when you are doing the work on behalf of the federal government
[21:58:28] <petan>	 Coren canonical is a huge company rather than distro team :P
[21:58:31] <petan>	 IMHO
[21:58:35] <petan>	 don't know them much though
[21:58:40] <Coren>	 petan: Same level of clairvoyance.  :-)
[21:58:43] <petan>	 but I don't like ubuntu anyway
[21:58:47] <Damianz>	 "They'll never know"
[21:59:13] <petan>	 it's how linux would look if microsoft made own distribution
[21:59:16] <petan>	 it would be ubunut
[21:59:20] <petan>	 * tu
[21:59:23] <Coren>	 petan: IMO, the ubuntu people do good work but sometimes take seriously boneheaded decision as to what are the right tools or default tools for some things.  :-)
[21:59:48] <petan>	 Coren I hate the philosophy...
[21:59:49] <Damianz>	 I like what ubuntu is trying to do... not totally what they are doing.
[21:59:55] <greg-g>	 Ryan_Lane: re Govt & open source/copyright: because the Feds want to reserve the right to enforce their copyrights in other jurisdictions. Its PD here in the US, but not anywhere else automatically. Which is why the wouldn't use CC0, from what a little birdy told me while I worked at CC :)
[21:59:58] <Damianz>	 Things like launchpad or w/e it's called just suck.
[21:59:58] <mutante>	 petan: http://en.wikipedia.org/wiki/Microsoft_vs._Lindows
[22:00:05] <Coren>	 (Although, to be fair, anyone who thinks Gnome has an edge on KDE obviously doesn't actually read the code)
[22:00:15] <petan>	 ubuntu is preventing people from being able to change stuff just to avoid potential troubles with stupid people breaking their system
[22:00:40] <Ryan_Lane>	 greg-g: hm. what about when what you are working on is derivative of gpl2 code, or links against it?
[22:00:45] <petan>	 Coren I am using gnome since it was introduced and I always liked it more than KDE :P
[22:00:53] <petan>	 maybe it's just how it looks
[22:01:02] <greg-g>	 Ryan_Lane: well, that is another matter, you have to follow the license or not use it, of course.
[22:01:04] <Coren>	 petan: "Preventing"?  WTH are you talking about?  I use Ubuntu exclusively, and I'm about as much of a "poweruser that leaves no default untouched" as anyone could get.
[22:01:06] <petan>	 first graphical env I had was enlightment
[22:01:10] <petan>	 or something like that :D
[22:01:20] <Ryan_Lane>	 greg-g: right. that's what I couldn't get a straight answer about :)
[22:01:25] <Coren>	 petan: Preference of looks is a good reason to chose it for oneself.
[22:01:31] <petan>	 Coren I mean the system is too restrictive, lot of options are hiden from users
[22:01:34] <greg-g>	 Ryan_Lane: but yeah, legal weird area, since "if there's no copyright, then how is it GPLwhatever?" ;)
[22:01:41] <Ryan_Lane>	 indeed
[22:01:43] <greg-g>	 Ryan_Lane: anywho.... </armchair_lawyer>
[22:01:46] <petan>	 Coren you can of course change them, but it's not as easy as doing it in debian for example
[22:01:54] <Ryan_Lane>	 and if it's gpl, then it obviously can't be public domain :)
[22:02:04] <Coren>	 petan: I've never met something I couldn't change with Ubuntu.
[22:02:17] <petan>	 Coren of course I never said you can't change it
[22:02:17] <Ryan_Lane>	 NASA released openstack nova apache2 licensed
[22:02:18] <petan>	 Coren I say it's harder
[22:02:20] <mutante>	 petan: Coren: see "Has the GNOME community gone crazy?"-talk at FOSDEM :)  https://www.irill.org/videos/fosdem-2013/main-tracks/Has_the_GNOME_community_gone_crazy_
[22:02:25] <Coren>	 petan: Example?
[22:02:37] <Ryan_Lane>	 the government obviously doesn't follow their own guidelines :)
[22:02:43] <greg-g>	 Ryan_Lane: yeah, good point.....
[22:03:12] <Ryan_Lane>	 it's all confusing to me. that's why I just released code and said "fuck it" :D
[22:03:28] <Ryan_Lane>	 if they cared, they would have told me to stop
[22:04:06] <Ryan_Lane>	 Coren: have you dealt with libvirt authentication before?
[22:04:35] <petan>	 Coren: eh, enabling suspending
[22:04:38] <Ryan_Lane>	 I was using x509 previously, but it was kind of a pain in the ass
[22:05:05] <petan>	 Coren basically enabling anything is annoying, the configuration tools are missing for purpose
[22:05:10] <petan>	 Coren compiz-config
[22:05:11] <petan>	 etc
[22:05:16] <Coren>	 Ryan_Lane: Not since 0.9; so I'm not sure how much of what I know is still relevant.
[22:05:27] <Ryan_Lane>	 I wonder if I can use x509 authentication using the same cert for all clients
[22:05:40] <petan>	 Coren you need to download all that stuff and override lot of stuff to be able to get somewhere
[22:05:47] <Coren>	 petan: Oh!  You use Gnome!  They're all there if you install kubuntu-complete.  :-)
[22:06:16] <petan>	 Coren and you know what suck most
[22:06:18] <petan>	 Coren installer
[22:06:23] <Ryan_Lane>	 well, I guess I'll try this in eqiad
[22:06:33] <petan>	 Coren I hate how I can't setup lvm from installer, I hate how it's all graphical shit
[22:07:01] <petan>	 Coren how you can't even find terminal version of installer easily (I know it exist but no idea how to get in that)
[22:07:39] <petan>	 Coren that installer offers almost no options to customize the installation vs debian installer which offers milion of options
[22:07:46] <Ryan_Lane>	 Coren: we need to get you shell in production eventually
[22:08:02] <petan>	 Ryan_Lane I want shell in prod too XD I want to break teh things
[22:08:16] <Ryan_Lane>	 heh
[22:08:39] <Ryan_Lane>	 that's what puppet gerrit changes are for ;)
[22:09:15] <petan>	 but I can't break stuff there everytime when I replace random lines with "rm -rf /" it get rejected :(
[22:09:48] <Ryan_Lane>	 ;)
[22:11:45] <Coren>	 Ryan_Lane: Yes!  My master plan is coming to frui^U  I mean, sure, eventually.
[22:11:47] <petan>	 btw Coren I also heard ubuntu dropped vi / vim as default editor. they don't even ship it in default installation. I can harder call their product unix anymore... bah
[22:12:08] <Platonides>	 sssh, petan, do /nick Coren at an appropiate time and then ask Ryan_Lane to give "you" shell
[22:12:26] <petan>	 these kids and their nano...
[22:12:45] <Coren>	 petan: sudo aptitude install vim-perl
[22:12:57] <petan>	 Coren why vim-perl :o
[22:13:33] <petan>	 Coren of course I can install and change everything so that it looks more like debian... or I could just install debian
[22:13:37] <Coren>	 Emacs have an editor in their lisp shell; I like perl in my editor.  :-)
[22:14:46] <Coren>	 Doh.
[22:14:50] <Coren>	 I meant vim-nox
[22:14:58] <petan>	 ah
[22:15:07] <Coren>	 Which is why I was confused by your question about perl and vim.  :-)
[22:15:07] <petan>	 Coren I was wondering why should I install perl syntax to vim :P
[22:15:29] <Coren>	 Because it's nice to have syntax highlighting?
[22:15:35] <petan>	 I don't use perl
[22:15:36] <petan>	 :P
[22:15:44] <petan>	 I use it
[22:15:48] <Coren>	 petan: And you dare call yourself a sysadmin?  :-P
[22:15:54] <petan>	 but I don't write perl programs
[22:16:09] <Ryan_Lane>	 hm. I guess I could create a virt*.pmtpa.wmnet cert
[22:16:17] <petan>	 Coren I use bourne shell, which was first here :P
[22:16:19] <Coren>	 I need some actual R&R tonight.  I shall now bail.
[22:16:20] <Ryan_Lane>	 and a virt*.eqiad.wmnet cert
[22:16:21] * Coren  waves.

[22:16:22] <petan>	 perl is not everywhere
[22:16:25] <Ryan_Lane>	 Coren: see ya
[22:16:27] <petan>	 /bin/sh is
[22:16:30] <petan>	 :P
[22:16:35] <Platonides>	 R&R?
[22:16:45] <^demon>	 rest & relaxation
[22:16:46] <Ryan_Lane>	 petan: for all intents and purposes perl and python exist on all linux systems :)
[22:16:52] <Platonides>	 oh
[22:16:57] <petan>	 Ryan_Lane but not on all UNIX systems
[22:16:57] <Platonides>	 I thought perhaps he meant K&R xD
[22:17:10] <petan>	 hp-ux doesn't ship that by default
[22:17:11] <Ryan_Lane>	 who uses unix anymore?
[22:17:24] <petan>	 Ryan_Lane like all large corporations? :D
[22:17:25] <^demon>	 Local governments.
[22:17:32] <^demon>	 Banks.
[22:17:34] <YuvarajPandianT>	 nobody, everyone is on iOS now
[22:17:35] <petan>	 yes
[22:17:37] <YuvarajPandianT>	 (oh wait!)
[22:17:38] <petan>	 LOL
[22:17:49] <YuvarajPandianT>	 actually no, everyone is on Android now
[22:17:51] <YuvarajPandianT>	 (oh wait!)
[22:18:01] <Platonides>	 i went once into compiling gcc because the installed gcc had a bug that prevented installing perl
[22:18:16] <Platonides>	 when I just wanted openssl but perl was needed for that
[22:18:17] <YuvarajPandianT>	 Platonides: no bootstrapping? pffft
[22:18:24] <petan>	 boxes I am working on have no pythong
[22:18:28] <petan>	 they don't even have bash
[22:18:33] <petan>	 only /bin/sh XD
[22:18:46] <petan>	 and /bin/ed
[22:18:46] <petan>	 as text editor
[22:18:46] <superm401>	 Is there a Redis intended for labs?
[22:18:46] <petan>	 :)
[22:18:47] <YuvarajPandianT>	 I hear pythongs are not secure at all
[22:18:58] <YuvarajPandianT>	 okay, that's second bad joke for the day
[22:19:02] <superm401>	 Also, where would I check the list of puppet packages meant for labs?
[22:19:04] * YuvarajPandianT  goes away

[22:19:24] <Platonides>	 YuvarajPandianT, it was an arm NAS
[22:19:27] <petan>	 YuvarajPandianT that is not the real problem of pythongs
[22:19:32] <Ryan_Lane>	 superm401: when you say labs, what do you mean?
[22:19:33] <Ryan_Lane>	 beta?
[22:19:34] <^demon>	 Ryan_Lane: As of like 2008-09, $localGovt still used AIX for some things. I assume that probably hasn't changed in the last 4 years.
[22:19:35] <petan>	 they eat all memory they can and all cpu
[22:19:52] <Ryan_Lane>	 ^demon: I was kidding :)
[22:19:56] <YuvarajPandianT>	 Platonides: wah. your ARM NAS shipped with a gcc?
[22:20:08] <superm401>	 Ryan_Lane, Wikimedia Labs.  I want to use it for http://toro.wmflabs.org/ and http://piramido.wmflabs.org/
[22:20:16] <^demon>	 Ryan_Lane: My sarcasm meter must be off.
[22:20:22] <superm401>	 It could be on the same node as the MW server (simpler) or a different one.
[22:20:35] <Ryan_Lane>	 superm401: you guys have root on those systems
[22:20:55] <Ryan_Lane>	 it's ubunty
[22:20:57] <Ryan_Lane>	 *ubuntu
[22:21:02] <superm401>	 Ryan_Lane, I know.  I'm trying to Do The Right Thing and use puppet if possible.
[22:21:12] <Ryan_Lane>	 use the redis puppet module, then
[22:21:38] <Platonides>	 YuvarajPandianT, a) it wasn't mine b) it was available as a package
[22:21:46] <Platonides>	 (luckily)
[22:21:47] <YuvarajPandianT>	 :)
[22:21:50] <YuvarajPandianT>	 indeed.
[22:21:55] <Ryan_Lane>	 and puppetize other missing things
[22:21:55] <YuvarajPandianT>	 bootstrapping gccwouldn't be fun, I guess
[22:21:57] <^demon>	 They decided on spring hackathon dates for gerrit :)
[22:22:02] <Platonides>	 it isn't
[22:22:09] <Platonides>	 you start needing one library after another
[22:22:42] <^demon>	 I've heard rumblings of a cool 2.7 feature. I hope people end up working on it.
[22:22:46] <^demon>	 (Won't be there to know :()
[22:23:07] <Platonides>	 night
[22:23:24] <superm401>	 Ryan_Lane, are there docs on how to use a puppet feature not listed on the configure screen in Labs?
[22:23:38] <superm401>	 Also, how much do you expect I would have to puppetize myself?
[22:23:45] <superm401>	 For Redis I mean.
[22:26:24] <Ryan_Lane>	 superm401: yes
[22:26:33] <Ryan_Lane>	 one sec
[22:27:05] <superm401>	 Ryan_Lane, thank you.  I know I'm asking basic questions.  I figured this would be an opportunity to learn a little puppet.
[22:27:05] <Ryan_Lane>	 superm401: https://wikitech.wikimedia.org/wiki/Help:Self-hosted_puppetmaster
[22:27:40] <Ryan_Lane>	 see: How do I get my puppet classes to display in labsconsole ?
[23:48:10] <superm401>	 Ryan_Lane, thank you for your help.  I got it showing up in configure.  I have to run, but I'll try to actually install it later.
[23:48:20] <superm401>	 I used the "redis" class.