[03:56:28] Wikimedia-Apache-configuration, Operations, Wikimedia-Language-setup, Puppet, Wiki-Setup (Close): Redirect several wikis - https://phabricator.wikimedia.org/T169450#3815087 (StevenJ81) BTW, @MarcoAurelio, I didn't mean to come off as combative (and don't think my comment actually was, to a na...
[10:08:54] ema: did you see this changeset? https://gerrit.wikimedia.org/r/#/c/395076/ not urgent, just wanted to make sure it didn't slip through the cracks because it's on vagrant for now
[10:09:30] Traffic, Operations, Performance-Team, Patch-For-Review: load.php response taking 160s (of which only 0.031s in Apache) - https://phabricator.wikimedia.org/T181315#3815381 (Gilles)
[10:19:09] gilles: hey :) A bit busy currently, but yes I've seen it
[10:19:57] 👍
[11:37:09] Wikimedia-Apache-configuration, Operations, Wikimedia-Language-setup, Puppet, Wiki-Setup (Close): Redirect several wikis - https://phabricator.wikimedia.org/T169450#3398639 (EddieGP) **Afaiui* nobody cares about the database still existing but nothing pointing to it. I read it as all the worr...
[12:42:59] Wikimedia-Apache-configuration, Operations, Wikimedia-Language-setup, Puppet, Wiki-Setup (Close): Redirect several wikis - https://phabricator.wikimedia.org/T169450#3815834 (MarcoAurelio) @StevenJ81 Sorry then for getting you wrong. @EddieGP Yes, I think we should not try to make exotic solu...
[13:59:50] Wikimedia-Apache-configuration, Operations, Wikimedia-Language-setup, Puppet, Wiki-Setup (Close): Redirect several wikis - https://phabricator.wikimedia.org/T169450#3816024 (EddieGP) >>! In T169450#3815834, @MarcoAurelio wrote: > @EddieGP Is it possible to avoid a "phantom wiki" and not messi...
[14:10:49] Wikimedia-Apache-configuration, Operations, Wikimedia-Language-setup, Puppet, Wiki-Setup (Close): Redirect several wikis - https://phabricator.wikimedia.org/T169450#3816074 (MarcoAurelio) @EddieGP I guess 1 was https://gerrit.wikimedia.org/r/#/c/393289/ and 2 is https://gerrit.wikimedia.org/r...
[15:36:49] hello people
[15:37:13] we are finally ready to accept TLS connections for producers to the new Kafka Jumbo cluster
[15:37:38] and we'd like to try to move vk's configuration on cache::misc to TLS during the next days
[15:38:18] the idea would be to generate one TLS client certificate with certgen for varnishkafka and deploy it on cache misc
[15:38:43] and then force vk to use it to authenticate to the new kafka jumbo cluster
[15:42:23] sounds great to me!
[15:42:56] once we get to where we're happy with it all on the cache clusters and confident of no rollback on the TLS part, we can kill ipsec for cache<->kafka nodes, too
[15:43:29] at least, it's an option to do so
[15:43:56] (but I really hate our host<->host ipsec)
[15:50:30] I am thinking to deploy a test varnishkafka instance on cache misc to simulate the webrequest one, adding the TLS config etc..
[15:50:56] so we'll be able to test TLS and the new Kafka cluster as a whole as well
[15:51:10] (to be removed once the experiment is finished)
[15:51:51] the vk memory/cpu footprint should not be a problem but I'd like to double check if it is ok with you first
[15:58:15] yup
[16:20:43] yay for less ipsec
[16:26:08] all right, thanks! Will send patches during the next days :)
[16:28:30] yum, patches
[17:40:27] <_joe_> bblack: I hate IPSec. It's a leaky abstraction in general
[17:40:42] <_joe_> and our implementation is not optimal either.
[19:26:59] bblack: this change will create a new admin group "varnish-log-readers" which lets people sudo varnishlog* and varnishncsa*, it will be applied where we also apply perf-roots, that's all cache roles except misc, text/upload/canary. that's for the access request for Hoo for wikidata which was approved in meeting but we didn't want to re-use the perf-roots group
[19:27:07] https://gerrit.wikimedia.org/r/#/c/394102/ sounds ok?
[19:30:09] Traffic, Operations, Documentation: update the multicast purging documentation - https://phabricator.wikimedia.org/T82096#3817344 (MarcoAurelio)
[19:57:33] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/ySf8YHR6MpA/nxOmaP4oAwAJ
[20:05:58] "An early round of measurement on beta showed a 1.7% baseline handshake failure rate towards a TLS-1.3-capable service turn into 7.7% failures!"
[20:06:04] I hate middleboxes :P
[20:06:33] but sounds like they got fixes into draft-22
[20:07:35] openssl master is still on draft-21, so we'll want to watch how this all plays out