[00:00:24] Yeah, I can't make anything but 'small' start up. [00:00:55] PiRCarre: is UTRS your project? [00:00:59] Nope. [00:01:07] I guess that means I'm done for the night and can start drinking beer and eating tacos :) [00:01:24] andrewbogott: I just saw it on [[w:WP:VPT]], a page I watch [00:01:36] PiRCarre: I switched it off yesterday as part of the migration. No one has claimed it, I presumed it to be abandoned. [00:01:44] I guess I'll respond on that page... [00:01:44] Oh. [00:01:50] Thanks :-) [00:06:33] andrewbogott: I think enwiki uses it a lot - https://en.wikipedia.org/wiki/Wikipedia:UTRS [00:06:45] * andrewbogott scowls [00:08:03] PiRCarre: Could it be that the project is no longer maintained, but still has users? There has been quite a lot series of announcements on various lists requesting people to take ownership of projects. No one has mentioned this one until just this second. [00:08:22] Hm, did you try poking the admins? [00:08:43] I suppose many people do not follow labs-l (but they should) [00:09:06] PiRCarre: Yes, I've send emails to labs-l, wikitech-l, and every user that has ever created a labs instance. [00:09:15] *sent [00:09:21] I have no idea, then. [00:10:20] Are all instances with no owners "switched off"? [00:11:01] So it seems my crontab disappeared (?) [00:11:50] PiRCarre: http://lists.wikimedia.org/pipermail/labs-l/2014-February/002152.html [00:16:49] PiRCarre: I hope that email makes sense, and that my post on village pump isn't too rude... [00:41:34] I've noticed it seems like the xmllint program is not available on job runners [01:36:53] Coren: andrewbogott: I've rebooted my new eqiad (to migrate from pmtpa) instance 3 times now (several hours apart), still unable to login. [01:37:20] what instance and project? [01:38:10] Krinkle: ? [01:39:49] cvn-app3 [01:40:01] but this has been reported for all new eqiad instances afaik for project after the switch [01:40:13] https://bugzilla.wikimedia.org/show_bug.cgi?id=62771 [01:40:23] channel 0: open failed: connect failed: Connection timed out [01:40:24] ssh_exchange_identification: Connection closed by remote host [01:43:12] Krinkle: which bastion are you using? [01:43:21] the one documented in ProxyCommand on wiki [01:43:44] https://github.com/Krinkle/dotfiles/blob/master/hosts/KrinkleMac/templates/sshconfig [01:43:44] Are you a project admin for this project? (If you are I can tell you want to fix, if not I can just fix it :) ) [01:43:55] *what [01:44:10] I'm an admin for this project [01:44:50] Has the source problem been fixed (e.g. does this apply only to instances created last week, or still for new instances? e.g. is new instance creation broken for eqiad, or was it and haven't fixed up those yet? [01:45:01] Hm, wait, actually, maybe this is something else... [01:45:15] If it's the latter, I'm happy to be told how to fix it, otherwise, I'd rather wait for the overal fix as I plan to create more instances during the migration. [01:45:27] nope, that was it. Try to ssh now? [01:45:47] works [01:45:55] If you are having access problems, please see:https://labsconsole.wikimedia.org/wiki/Access#Accessing_public_and_private_instances [01:45:55] Creating directory '/home/krinkle'. [01:45:56] Last login: Tue Mar 18 05:49:46 2014 from 10.4.1.85 [01:45:57] krinkle@cvn-app3:~$ [01:45:59] OK, so if you check out the security groups... [01:46:07] I just added a rule for 10.0.0.0/8 on port 22. [01:46:11] Looks like it has the motd of the old pmtpa template, it was changed to wikitech a while back. [01:46:11] That's what I changed. [01:46:34] andrewbogott: We're going to run into this over and over. How complicated do you think changing them would be wholesale? [01:46:48] Coren: I emailed you about that over the weekend :) [01:46:54] Or, tried to, maybe it got spam-trapped :( [01:47:05] You asked my opinion on whether we should; I need moar data to opine. :-) [01:47:35] I don't remember from back when I created the pmtpa instances, but iirc ssh worked by default there (via bastion) [01:47:37] I guess my principal worry is on what the risk of error is. [01:47:57] is there a concern for this in eqiad? like higher risk or something? [01:48:02] Krinkle: It did, because the default firewall rules allow it -- same rules being all wrong in eqiad. :-) [01:48:28] I did apply the default security group. [01:48:39] I guess that one is a different 'default' in eqiad at the moment [01:48:40] ! [01:48:40] hello :) [01:48:54] Coren: What do you mean by 'risk of error'? [01:48:58] Wait, those are /new/ instances? [01:49:14] andrewbogott: Opening up something we shouldn't -- or did you intend to do just port 22? [01:49:43] Krinkle: The issue is that the default still allows access. From pmtpa. :-) [01:50:13] Wiat, so that's why it broke when I updated my ProxyCommand config [01:50:22] Coren: I don't really know enough sql to do anything, hence my email. [01:50:26] it didn't add the new rule for eqiad [01:50:35] there was a rule for it, but it's changed from pmtpa bastion to eqiad [01:51:02] But, yeah, there are multiple options -- we could just do port 22 or we could just find every place that has a pmtpa-specific rule and change it to 10.0.0.0/8 [01:51:32] what does that place currently have if not 0./8 [01:51:35] I'm a little concerned the latter might do something that ends up being troublesome. [01:52:12] But just port 22 should be safe enough. [01:52:20] Especially since we don't do password auth. [01:52:40] The default group is 22 and 5666 -- shall we do both? [01:53:01] 5666 is monitoring, right? I say yes. That's also harmless. [01:53:09] Krinkle: the old rule was limited to just pmtpa labs. The new rule I've been using opens a pretty big hole, in order to encompass both eqiad and pmtpa labs. [01:53:23] Coren: is your sql-fu strong enough to just do that? Or feed me a query to do it? [01:53:39] andrewbogott: If you point me at the right DB, I can do. [01:54:35] Coren: virt1000, db name 'nova', table 'security_group_rules' [01:55:09] I /think/ that the auth is already set in the root environment on virt1000. If not, I'll dig up a password. [01:55:19] It is. [01:55:47] The rules are local to the host. So changes on virt1000 are limited to eqiad instances. [01:55:57] which is what we want [01:57:06] andrewbogott: *nod* All done. [01:57:12] For ports 22 and 5666 [01:57:25] * andrewbogott reloads [01:57:27] looks good! [01:57:32] What do you think about doing 80 as well? [01:57:45] If someone has 80 open for only pmtpa labs, that means they're using the dynamic proxy [01:57:56] Ah, there were a few 10.4.0.0/14; change those too? [01:58:13] huh, I don't know why that would be... [01:58:37] but, sure. Maybe that was an older default [01:59:14] Yeah, doing 80 too; limiting it to pmtpa is pointless now. [01:59:25] Btw, can I see the query line you're using? For the sake of learnin' [01:59:56] andrewbogott: btw, that fix for my instance, was that changed on your end in direct relation to that instance or more generic? [02:00:14] I know y'all are working on it as I speak, but if I were to create another instance now, would that one be fine? [02:00:19] Krinkle: security groups are project-wide. You can see them if you click on 'Manage Security Groups' [02:00:23] (I'm not doing that, will start on Monday) [02:00:37] andrewbogott: {{done}} [02:00:37] I thought those were baked into the instance upon creation thouguh [02:00:42] And, anyway, Coren just fixed it EVERYWHERE [02:00:54] Krinkle: It's weird. The assignment of groups to instances is fixed. [02:01:00] But the assigning of rules to groups, not fixed. [02:01:04] or maybe the wiki interface just doesn't expose the ability to change them after the fact [02:01:05] Does that make sense, sort of? [02:01:19] So, your instance is still in the default group. But the default group has changed. [02:01:27] Coren: thank you! [02:01:32] I've found myself deleting an instance and re-creating it because I forgot to give it the right security [02:01:40] andrewbogott: OK :) [02:03:16] k, preparing for my flight now, off for a day or two [02:03:28] bd808|BUFFER: It looks to me like only the default ('small') image type is working right now. I don't know why but probably won't sort it tonight. [02:03:30] Sorry for the hold-up. [02:20:50] coren, sorry I was away [02:21:05] the log file is upload.log for profile tools-magog [02:21:10] the crontab is in magog [02:21:14] (not tools-magog) [02:23:29] does anyone know if Coren will see this message, and if not, how to contact him off IRC? [02:23:41] Magog_the_Ogre: someone could call him if it's urgent [02:23:52] it's not THAT urgent [02:24:01] but I'd like it resolved in the next day or two if possible [02:24:05] why not just MemoServ, email, talk page, etc. ? [02:24:52] a) I'm a newb, don't know how to MemoServ b) unless IRC just provides emails somehow, can't do it, c) talk page on which project is reliable? [02:25:47] enwiki probably. or wikitech. idk [02:26:23] Magog_the_Ogre: memoserv is /msg MemoServ send Username write your message here [02:26:49] email would just be using the email address he uses (or EmailUser) [04:05:02] andrewbogott_afk: Ping [06:54:23] (03PS2) 10Adamw: add Extension:FundraisingChart; notify wikimedia-dev about FR commits [labs/tools/grrrit] - 10https://gerrit.wikimedia.org/r/119643 [06:55:03] (03PS3) 10Adamw: add Extension:FundraisingChart; notify wikimedia-dev about FR commits [labs/tools/grrrit] - 10https://gerrit.wikimedia.org/r/119643 [07:00:30] (03PS2) 10Adamw: Make the "blacklist" variable an array cos that's slightly nicer than a space-separated string [labs/tools/grrrit] - 10https://gerrit.wikimedia.org/r/119924 [13:49:52] (03PS1) 10Gerrit Patch Uploader: Various changes to wmt-ko [labs/tools/WMT] - 10https://gerrit.wikimedia.org/r/120206 [13:49:55] (03CR) 10Gerrit Patch Uploader: "This commit was uploaded using the Gerrit Patch Uploader [1]." [labs/tools/WMT] - 10https://gerrit.wikimedia.org/r/120206 (owner: 10Gerrit Patch Uploader) [13:52:43] (03PS1) 10Gerrit Patch Uploader: Add status checker to bot-operator [labs/tools/WMT] - 10https://gerrit.wikimedia.org/r/120207 [13:52:46] (03CR) 10Gerrit Patch Uploader: "This commit was uploaded using the Gerrit Patch Uploader [1]." [labs/tools/WMT] - 10https://gerrit.wikimedia.org/r/120207 (owner: 10Gerrit Patch Uploader) [13:53:09] Magog_the_Ogre: I've copied both in ~tool.magog/ (the crontab in magog.crontab). Please remember to not restore that crontab to your user account. [14:04:54] (03CR) 10PiRSquared17: [C: 032 V: 032] Various changes to wmt-ko [labs/tools/WMT] - 10https://gerrit.wikimedia.org/r/120206 (owner: 10Gerrit Patch Uploader) [14:05:16] (03CR) 10PiRSquared17: [C: 032 V: 032] Add status checker to bot-operator [labs/tools/WMT] - 10https://gerrit.wikimedia.org/r/120207 (owner: 10Gerrit Patch Uploader) [14:32:58] Coren: I'm trying the jmail pipe, but it doesn't seem to function. [14:33:41] Yeah, I'm still struggling with exim. That said, it /should/ work if you send the mail from within labs. [14:33:49] Ahhh. I see. [14:34:01] I'll wait some longer then :-) [14:34:04] At least, it worked for me. :-) So you can test while I'm beating exim up. :-) [14:40:29] Hi, it seems that tools.wmflabs.org's web service can't be accessed on -login. Is this the wrong way to do things?.. [14:44:13] jimmyxu: what are you trying to do? [14:44:33] Betacommand: to grab /wikiviewstats/ in a script [14:45:05] jimmyxu: your script shouldnt be executing on -login [14:46:17] Betacommand: well that's still work in progress. Besides, -dev fails also [14:46:26] jimmyxu: Also, however, from /inside/ tools you should use the hostname 'tools-webproxy' [14:46:53] jimmyxu: use jsub and have to run on one of the exc nodes [14:47:04] Coren: thanks/ [14:47:13] Coren: except tools-webproxy is an implementation detail, so one should not use that either. [14:47:45] there really is no reason why tools.wmflabs.org/* cannot just work [14:47:47] Coren: afaics this is not documented on wikitech? [14:47:59] be it via a hosts file or via iptables rules [14:48:01] Coren: those links should work [14:48:13] I had a ticket about that [14:48:30] otherwise some scripts become a nightmare to maintain [14:48:57] if is on labs do_foo() else do_bar() [14:49:09] makes for some really ugly code [14:50:14] Well, it can't be the same IP though I suppose I could do some uglies with /etc/hosts [15:21:17] FYI, I'm rejiggering the way cron is handled along the lines of a suggestion from Kernair that should greatly improve reliability. Yeay. [15:31:35] Coren: ?? [15:32:04] A seperate host to run cron jobs, with validation of the jobs proper. [15:33:25] validation of jobs? [15:33:55] probably blocking everything that's not jsub/qsub [15:34:24] valhallasw: that will really piss me off until cron is fixed [15:34:52] Ive got 1 script that I run that doesnt use jsub because I need the output emailed to me [15:34:58] have you noticed the part that said 'a seperate host'? [15:35:28] also, you can just ask SGE to mail you stdout [15:35:55] valhallasw: and SGE will probably say fuck you, hell no [15:36:10] Ive had too many issues [15:36:18] Yes, and you're being overly agressive again. Anything else you'd like to point out? [15:36:19] just ask coren [15:37:03] valhallasw: I end up getting most of the bugs so that the rest of you dont [15:37:35] It gets old fast [15:38:31] ok, so qsub does not support mailing stdout, unfortunately, but you can still just let the script pipe to 'mail betacommand' [15:39:26] sounds like a useful option for jsub, though. [15:40:01] valhallasw: thats one of several requests that Ive made and have been sitting on a shelf for 6 months [15:40:24] Betacommand: probably because the | mail betacommand option is fairly trivial to implement yourself [15:40:48] valhallasw: odds are it wont work most of the time [15:41:11] or some other unexpected issue will crop up [15:41:12] *shrug* then don't use the new server [17:12:25] (03CR) 10Siebrand: "Why merge a .orig file? That's what we have version control for." [labs/tools/WMT] - 10https://gerrit.wikimedia.org/r/120206 (owner: 10Gerrit Patch Uploader) [17:21:17] (03PS1) 10John F. Lewis: Removed useless .orig file [labs/tools/WMT] - 10https://gerrit.wikimedia.org/r/120222 [17:21:40] (03CR) 10John F. Lewis: [C: 032 V: 032] "Self-merge this" [labs/tools/WMT] - 10https://gerrit.wikimedia.org/r/120222 (owner: 10John F. Lewis) [18:53:16] pirsquared@tools-login:~$ sql zhwikivoyage [18:53:17] This is unknown db to me, if you don't like that, blame petan on freenode [18:53:19] Make sure to ask for a db in format of _p [18:53:28] zhwikivoyage_p, then ? [18:53:50] PiRCarre: I /think/ that someone changed that script [18:53:53] let me checks [18:56:01] PiRCarre: no there is indeed no such db, but that command it wrong, it should be blame Coren now [18:56:31] nowadays 98% of stuff can be fixed by Core n only because everything else is restricted :/ [19:03:37] PiRCarre: It looks like the alias zhwikivoyage.labsdb on which sql depends isn't there yet. Looking at meta_p.wiki, zhwikivoyage seems to sit in s3.labsdb, so "mysql -h s3.labsdb zhwiktionary_p" gets you to its database. [19:04:13] PiRCarre: I'll add the alias in a bit. [19:04:17] scfc_de: ok, thanks [19:36:36] PiRCarre: The alias should now work from all user-accessible hosts. [19:36:52] great, thank you [19:56:01] Hi [19:57:24] Hi. [19:57:53] I'd like to restore my bulk-copied tool (actually just a dumb library file), but I'm too stupid to connect to tools-login [19:58:02] Who can help me? [19:58:45] YMS: What host are you connecting to and which error message do you get? [19:59:54] tools-login.wmflabs.org [20:00:10] "Permission denied (publickey,hostbased)" [20:01:48] YMS: Your shell username in Labs is "yms"? Is that your username on your own machine as well? Otherwise, you need to "ssh yms@tools-login.wmflabs.org". [20:02:22] My shell username is yms, yes [20:02:55] ssh yms@tools-login.wmflabs.org is what I did [20:04:37] YMS, is your key on labsconsole? [20:04:39] er, wikitech* [20:04:41] Does ~/.ssh/id_rsa.pub on your own machine start with "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBeZNR2ou73DuEaYKzIAe0vKHMhHcQBsgprP8iBIUbAy0w3xGhN5DIK/q5Md0W7MIah0AHoPtT8K1MnR"? [20:04:45] Coren? [20:05:59] Magog_the_Ogre: hmm? [20:06:53] D'oh, that just might be the problem [20:06:59] did you get my memoserv and/or the messages I left last night, Coren [20:07:00] ? [20:07:18] I don't have a public key file stored in ~/.ssh [20:08:03] [09:53:09] Magog_the_Ogre: I've copied both in ~tool.magog/ (the crontab in magog.crontab). Please remember to not restore that crontab to your user account. [20:10:10] YMS: So you don't have any ssh key at the moment? Hmmm. [20:10:55] Just my private key [20:10:55] OK [20:10:55] could you restore upload.log as well? [20:11:08] That's what "both" meant\ [20:11:19] Next stupid question: Looks like I can't just copy my public key from the wikitech preferences, do I? [20:11:39] thanks, coren [20:15:04] YMS: *ughhh* I'm not sure if ~/.ssh/id_rsa.pub is actually needed by ssh as it's really needed on the server. But my bigger assumption is that your private and public key no longer match. So if you only used this key with Labs, I would generate a new one and upload the public part to wikitech. [20:16:25] coren, I'm still getting: [20:16:25] can't open or create /var/run/crond.pid: Permission denied [20:16:27] I do use them only here ... however, why should they no longer match? Both were untouched. [20:17:15] Magog_the_Ogre: ... that's perfectly normal. Why would you even try to write in /var/run? [20:17:38] oops I was typing cron instead of crontab [20:17:41] sorry [20:17:44] thanks again [20:17:50] Heh. No worries. :-) [20:18:33] YMS: General distrust in all things brittle :-). [20:18:59] YMS: you can check it with ssh-keygen -y [20:19:37] that should give you the same data as the contents in id_rsa.pub [20:35:44] Thanks guys! [20:35:57] I generated a new pair of public and private key and I'm in [20:45:07] Wikidata Label Collector up and running again :) [20:45:56] Maybe I'll move the whole tool to Labs some time, so I get more used to how things work here ;) [21:02:57] Thanks again & bye