[12:43:49] <sDrewth>	 reedy, I am asking Inductiveload to come here so you don't have a dumbwaiter in between
[12:45:23] <sDrewth>	 Reedy guessing that video2commons is what they were using for wikimania 
[12:45:54] <sDrewth>	 inductiveload, https://commons.wikimedia.org/wiki/Commons:Video2commons
[12:47:17] <Reedy>	 I'm honestly not sure if that will work with non video
[12:47:43] <inductiveload>	 Speaking off wmcloud upload tools
[12:47:46] <inductiveload>	 https://phabricator.wikimedia.org/T287241
[12:47:57] <sDrewth>	 https://phabricator.wikimedia.org/T292096 
[12:48:23] <inductiveload>	 Files uploaded via the ia upload tool hang about there after failure
[12:50:17] <sDrewth>	 as mentioned, if we could get a pull from ia-upload.wmcloud.org that would be useful as the push has been failing or unreliable
[12:51:57] * urbanecm waves to sDrewth, inductiveload and Reedy 
[12:52:05] <inductiveload>	 Hi urbanecm 
[12:52:25] <sDrewth>	 (restate) as mentioned, if we could get a pull from ia-upload.wmcloud.org that would be useful as the push has been failing or unreliable
[12:52:46] <sDrewth>	 https://ia-upload.wmcloud.org/  shows that we have the files available
[12:53:01] <sDrewth>	 after the djvu have been created
[12:53:26] <sDrewth>	 and I am guessing failed to upload
[12:53:35] <urbanecm>	 in my experience, URL uploads tend to be bit more reliable, so doing T287241 would likely help
[12:53:36] <stashbot>	 T287241: Add https://ia-upload.wmcloud.org to the wgCopyUploadsDomains allowlist of Wikimedia Commons  - https://phabricator.wikimedia.org/T287241
[12:53:38] <urbanecm>	 can do that later in the day :)
[12:54:40] <Reedy>	 Of course, if it's a large file, downloading from a slow source... It might end up timing out too :D
[12:55:07] <urbanecm>	 copying it to ia-upload.wmcloud.org will likely be needed
[12:55:11] <urbanecm>	 to speed it up
[12:55:32] <urbanecm>	 a scratch storage should be reasonably easy (&fast) with cinder-based storage
[12:56:57] <sDrewth>	 the vast bulk of files can go via ia-upload as we are processing them,. inductiveload any reason we cannot default that if the djvus already exist, and be pending?
[12:57:29] <inductiveload>	 sDrewth: the djvus in that phab ticket are homemade
[12:58:05] <sDrewth>	 then you can fake them into the queue
[12:58:05] <inductiveload>	 They're only at the IA because I need to put them somewhere to request SSU
[12:58:35] <inductiveload>	 I can probably do that
[12:58:43] <inductiveload>	 Upload to in a then prod IA-Upload
[12:59:22] <inductiveload>	 My upload script is getting some wierd shit in it :D
[12:59:28] <sDrewth>	 that gives us control and responsiblity of getting them close to the heart
[12:59:54] <inductiveload>	 Sure I can do that (or try to)
[13:00:16] <inductiveload>	 Wonder if I can drive IA-Upload from python
[13:00:23] <sDrewth>	 and from there we can try via the allowlist method. and if that fails we can request database pull
[13:00:30] <inductiveload>	 Will need to be oauthed
[13:00:53] <urbanecm>	 please do not put the files in a restricted location
[13:01:02] <urbanecm>	 that makes them impossible to SSU them
[13:01:18] <inductiveload>	 What's a restricted location?
[13:01:28] <Reedy>	 >Length: 754984992 (720M) [image/x.djvu]
[13:01:36] * Reedy wonders how many more of these files are going to be much larger than 200M
[13:02:01] <urbanecm>	 inductiveload: for SSU to be possible, the files need to be in a location that doesn't have any authentication
[13:02:06] <inductiveload>	 I think the first couple are larger before I turned on the compressor
[13:02:53] <Reedy>	 21 was > 700. 22 was ~200. 23 is > 700
[13:03:24] <inductiveload>	 I think 21, 23, 24 went first for some reason
[13:03:41] <sDrewth>	 urbanecm, so web accessible like ia-upload is now
[13:03:45] <sDrewth>	 ?
[13:04:09] <urbanecm>	 well, yeah. We need a direct link that will immediately download the file to download
[13:04:16] <urbanecm>	 that makes things like Google Drive ineligible
[13:04:31] <urbanecm>	 (as you need to click the "skip antivirus" button for large files)
[13:04:46] <sDrewth>	 but if we can get them onto a WMF server that makes things easy for you
[13:04:51] <sDrewth>	 easier
[13:04:56] <inductiveload>	 IA-Upload provides that
[13:05:03] <urbanecm>	 we still need a web link though
[13:05:20] <urbanecm>	 production cannot (directly) connect to cloud servers
[13:05:27] <inductiveload>	 The link actually exists already on the IA upload failure list
[13:05:58] <inductiveload>	 You can download the djvu to your own machine, but then you'll likely hit an upload failure yourself so there's not much point
[13:06:21] * sDrewth struts as he chunk uploaded wtih success
[13:06:27] <inductiveload>	 There is a ticket for being able to access the description for the file too somewhere
[13:06:33] * inductiveload rummages
[13:07:12] <inductiveload>	 https://phabricator.wikimedia.org/T286702
[13:08:05] <sDrewth>	 T286702
[13:08:06] <stashbot>	 T286702: IA-Upload: allow access to the file description of a task - https://phabricator.wikimedia.org/T286702
[13:10:48] <Reedy>	 The Strand Magazine (Volume 23).djvu           38%[===================================>                                                           ] 276.23M   179KB/s    eta 15m 12s
[13:10:50] <Reedy>	 So fast
[13:11:08] <inductiveload>	 It's about that speed to upload them too
[13:11:23] <inductiveload>	 So it took literally days to upload that list
[13:11:42] <sDrewth>	 seems skipping IA will be a winner
[13:11:46] <Reedy>	 heh
[13:11:48] <inductiveload>	 Bearing in mind each of them also tried to upload to commons first
[13:11:52] <Reedy>	 Or having IA pull from WMF
[13:12:13] <sDrewth>	 we would still have those cxn Reedy?
[13:12:26] <sDrewth>	 I know we used to back in the days of my stewardry
[13:12:27] <Reedy>	 ?
[13:12:40] <sDrewth>	 contacts inside IA
[13:12:42] <inductiveload>	 It's all a very rube Goldberg way to skirt the upload bug though
[13:13:09] <Reedy>	 Go find people to fix that then ;D
[13:13:21] <inductiveload>	 I mean, I have tried
[13:13:49] <sDrewth>	 summer coders?
[13:13:50] <Reedy>	 Add "Make large uploads reliable and not suck" to the next community tech wishlist
[13:14:45] <inductiveload>	 I mean, if someone could vaguely indicate what the problem is, I can have a stab at fixing it
[13:15:16] <Reedy>	 I'm not sure. But I'd be surprised if it was just one issue
[13:15:23] <Reedy>	 I suspect it'll be numerous things working together
[13:15:41] <sDrewth>	 Reedy, who would we ask for the error/failure logs?
[13:15:45] <sDrewth>	 if there is such a thing
[13:15:54] <inductiveload>	 But I honestly don't even know where to start, and setting up a clone of wmf prod to play with will probably take me.... Some time
[13:16:11] <inductiveload>	 And even then, who knows if it would have the same problem
[13:16:13] <urbanecm>	 why set up a clone?
[13:16:14] <urbanecm>	 that...doesn't look like worth it
[13:16:36] <inductiveload>	 Because how else would I debug it?
[13:16:36] <urbanecm>	 sDrewth: there are logs, but in case of timeouts, they...mostly just tell you something timed out
[13:16:42] <Reedy>	 ^
[13:16:58] <Reedy>	 There might be simultaneous other logs from other systems that could help, but correlating can be hard
[13:17:03] <sDrewth>	 y. e. a.
[13:17:34] <inductiveload>	 I don't have access to any system (and since idk wtf I am doing at the best of times, I should not be given such access)
[13:17:50] <inductiveload>	 I only learned PHP like a couple of months ago
[13:18:04] <urbanecm>	 inductiveload: beta.wmflabs.org is the best WMF-like clone that exists, but it is VERY VERY far from actual parity
[13:18:08] <Reedy>	 There really should be a team at WMF that should own this stuff, but unfortuantely there isn't
[13:18:13] <Reedy>	 (anymore)
[13:18:21] <urbanecm>	 I'd say it's impossible to create a clone
[13:18:24] <inductiveload>	 Ok that's a lie, I did my stepmums website's wordpress skin
[13:18:44] <Reedy>	 urbanecm: miraheze mostly use our puppet stuff AIUI
[13:19:06] <urbanecm>	 not familiar with miraheze setup, granted
[13:19:12] <urbanecm>	 but i doubt it's the exact same setup
[13:19:25] <Reedy>	 It's not
[13:19:32] <majavah>	 they have their own repo, with a few modules imported from us I think
[13:19:32] <sDrewth>	 so we accept that the upload bug is not happening anytime soon
[13:21:42] <inductiveload>	 well honestly, I don't really care what the solution is, I'll do whatever people tell me to do
[13:21:53] <sDrewth>	 👍 
[13:22:02] <sDrewth>	 I like the art of what fworks
[13:22:48] <inductiveload>	 currently the script uploads to the IA, then files a phab ticket for an SSU, but I can ssh to the moon or print it out on microfilm and post it, as long as there's a python library
[13:23:18] <inductiveload>	 and actually even if there isn't I'll learn some other language and shell out to it if I have to
[13:25:08] <urbanecm>	 for me, the preferred solution would be to put the file to the ia-upload WMCS project itself, and put a link to that in the SSU ticket
[13:25:24] <urbanecm>	 to avoid downloading from IA
[13:25:28] <urbanecm>	 which is very slow apparently
[13:26:24] <inductiveload>	 ok, so I wonder if I can prod that from my scripts
[13:26:49] <inductiveload>	 it would make sense for the IA-Uplaod to actually accept a zip of images too
[13:27:04] <inductiveload>	 since that's how it works when there's no DJVU anyway
[13:27:12] <sDrewth>	 inductiveload, can't you pull from IA-upload shell login?
[13:27:30] <inductiveload>	 i don't have Ia-upload access
[13:27:35] <sDrewth>	 ah
[13:27:39] <urbanecm>	 aha!
[13:27:56] <sDrewth>	 then why don't we do it from wikisource-bot shell on toolforge
[13:27:56] <urbanecm>	 then you should likely pair with whoever maintains that part to allow local file storage
[13:28:00] <urbanecm>	 or that
[13:28:14] <sDrewth>	 You have access, and it has an html window
[13:28:17] <urbanecm>	 exact location doesn't matter much, as long as it's somewhere at WMCS :)
[13:28:35] <inductiveload>	 urbanecm: https://ia-upload.wmcloud.org/
[13:28:55] <inductiveload>	 the "Download DjVu" links: are they OK?
[13:29:07] <urbanecm>	 appear so
[13:29:15] <inductiveload>	 ok cool
[13:29:16] <urbanecm>	 i thought they point to archive.org for some reason
[13:29:41] <inductiveload>	 no, those ones are DJVUs that the tool made itself
[13:29:41] <sDrewth>	 sounds as if we can have multiple paths, via IA-UPLOAD if fail then inhale
[13:29:55] <sDrewth>	 if we create externally, then via WMCS wikisource-bot account
[13:30:52] <sDrewth>	 urbanecm, at IA-UPLOAD we have already brought them in from IA and converted to djvu or have as pdf
[13:31:01] <urbanecm>	 i see
[13:31:25] <sDrewth>	 depending on what the user wishes to work upon
[13:31:25] <inductiveload>	 yeah, if the DJVU is coming direct from the IA, it copy-uploads by URL
[13:31:51] <inductiveload>	 that usually works, because IA DJVU are compressed with black magic and are much smaller
[13:32:11] <inductiveload>	 (i.e. a LuraTech MRC compressor)
[13:32:44] <inductiveload>	 sadly they no longer make DJVUs or we would probably not be talking about this
[13:33:13] <inductiveload>	 i wonder how much a copy of lura tech is
[13:34:05] <inductiveload>	 can the WMF stretch to a license so we can provide DJVUs that aren't just c44-ed JPEGs (at 5 times the size)?
[13:35:01] <sDrewth>	 inductiveload, we probably just have to do a grant proposal
[13:35:12] <urbanecm>	 https://meta.wikimedia.org/wiki/Grants:Project/Rapid might be a way
[13:35:21] <urbanecm>	 I have no idea if they fund licenses though
[13:35:27] <inductiveload>	 i wooner if luratech still make it at all
[13:35:55] <inductiveload>	 they have a PDF compressor which I assume is the same general idea
[13:36:14] <inductiveload>	 they got bought by foxit
[13:36:35] <sDrewth>	 we can take that back to enWS and prepare the grant
[13:37:07] <sDrewth>	 If less than $2000 we can do a rapid grant application
[13:37:25] <inductiveload>	 http://djvu.com/djvu-sdk/
[13:37:32] <inductiveload>	 i guess it is this now
[13:38:24] <inductiveload>	 hmm https://www.cuminas.jp/en/downloads/download?pid=17
[13:38:41] <inductiveload>	 "Product Cathegory:" [sic] does not include linux
[13:38:43] <inductiveload>	 wrrryyyyy
[13:39:12] <sDrewth>	 inductiveload, what exactly am I asking djvu.com for?
[13:39:29] <inductiveload>	 i'm not sure
[13:39:53] <inductiveload>	 the IA used to use a LizardTech compressor, which used the LuraTech MRC compressor (AIUI)
[13:40:02] <sDrewth>	 something that super compacts djvus?
[13:40:07] <inductiveload>	 both those companies are now sold to others
[13:40:09] <inductiveload>	 yes
[13:40:14] <inductiveload>	 you know how the IA does it
[13:40:45] <sDrewth>	 dm your email address
[13:40:57] <inductiveload>	 username at gmail
[13:41:10] <sDrewth>	 k
[13:41:13] <inductiveload>	 (not very secret, it's on gerrit commits too :D)
[13:41:32] <sDrewth>	 I think that I probably have it somewhere
[13:43:27] <inductiveload>	 jesus the windows SDK is 600 MB
[13:43:57] <majavah>	 !log tools cleaning up unused kubernetes ingress objects for tools.wmflabs.org urls T292105
[13:44:01] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[13:44:01] <stashbot>	 T292105: Remove deprecated ingress objects from existing web services - https://phabricator.wikimedia.org/T292105
[13:56:48] <sDrewth>	 inductiveload reedy .  if we were going to install a copy of that software  which would we be asking for  http://djvu.com/djvu-sdk/  ?
[13:57:35] <Reedy>	 Install it where?
[13:57:55] <Reedy>	 Also, if it's non free, cloud won't be a good place
[13:58:06] <sDrewth>	 WMCM
[13:58:43] <sDrewth>	 I am writing to them to see whether they can gift us a license or we are going to have to write a grant
[13:59:17] <Reedy>	 Even if they'll give "us" a license, it's still non free software
[13:59:35] <sDrewth>	 if it is tucked away on ia-upload for generating djvu files?
[14:00:09] <Reedy>	 https://wikitech.wikimedia.org/wiki/Help:Cloud_Services_Introduction#Review_the_terms_and_conditions
[14:00:13] <Reedy>	 >Toolforge tools must be open source software licensed under an OSI approved license.
[14:00:24] <sDrewth>	 wmcloud?
[14:00:32] <majavah>	 applies to all of WMCS, not just Toolforge https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use#What_uses_of_Cloud_Services_do_we_not_like?
[14:00:40] <sDrewth>	 okay
[14:01:01] <Reedy>	 >Exceptions to this list of prohibited uses can be requested for limited circumstances, such as testing compatibility with proprietary software. To request an exception, please submit a proposal to the Cloud Services administrators. 
[14:01:02] <sDrewth>	 it just says toolforge
[14:01:10] <Reedy>	 >You agree not to use Wikimedia Cloud Services for any of the following (“Prohibited Uses”): 
[14:01:13] <Reedy>	 >Proprietary software: Do not use or install any software unless the software is licensed under an Open Source license.
[14:01:29] <urbanecm>	 https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use#What_uses_of_Cloud_Services_do_we_not_like? says "Wikimedia Cloud Services"
[14:01:57] <Reedy>	 It's not a blanket no, you can ask for an exception. But it's not guaranteed
[14:02:26] <sDrewth>	 okay, so there is another step in the process
[14:02:51] <Reedy>	 Yeah
[14:03:26] <Reedy>	 I would argue that "there is no free software available that can do this" (I've no idea if this is true, I haven't looked) would be reasonable grounds to request an exception
[14:03:39] <sDrewth>	 that is fine, I will get the information from them; so back to my question, what would I be asking for?
[14:03:57] <sDrewth>	 BTDT when I was in public service in getting software installed
[14:04:09] <sDrewth>	 and refreshed without going to tender again
[14:12:00] <sDrewth>	 is there a central log file roll and gzip script?
[14:12:12] <sDrewth>	 on toolforge
[14:18:42] <inductiveload>	 what is the canonical way to scp a file to a toolforge tool?
[14:19:22] <urbanecm>	 scp <path> login.toolforge.org:<path>?
[14:19:36] <urbanecm>	 you should be able to write to tool's directory directly (iirc, it's /data/project/toolname), but that file will be owned by your personal account, not tool account
[14:19:47] <urbanecm>	 you can run `take <filename>` as tool at toolforge to change ownership
[14:20:08] <inductiveload>	 righto, must just be perms then
[14:20:17] <urbanecm>	 yeah
[14:20:25] <urbanecm>	 you can always scp to your home
[14:20:28] <urbanecm>	 and copy at toolforge
[14:20:32] <urbanecm>	 (manually)
[14:21:32] <inductiveload>	 ah, there we go, missing a +w
[14:21:37] <inductiveload>	 sorry for being dense
[14:26:17] <sDrewth>	 it is /data/project/wikisource-bot
[14:27:03] <inductiveload>	 yep, I got it
[14:27:12] <sDrewth>	 <= slow
[14:27:32] * inductiveload tries to turn on dir listing
[14:27:52] <sDrewth>	 there are some things that I haven't done for 5+ years, on the server
[14:29:36] <inductiveload>	 aha
[14:29:41] <inductiveload>	 https://wikisource-bot.toolforge.org/ssu_request/
[14:30:31] <inductiveload>	 though actually that's unlikely to actually need SSU since a 75MB will probably go through 
[14:31:13] <urbanecm>	 very likely
[14:31:16] <urbanecm>	 always please try :-)
[14:31:22] <urbanecm>	 SSU is...costy (for people's time)
[14:31:32] <inductiveload>	 you can say that again
[14:32:00] <inductiveload>	 https://en.wikisource.org/wiki/Category:The_Strand_Magazine
[14:32:01] <inductiveload>	 the files that exist were successful
[14:32:05] <urbanecm>	 i mean it takes some human time :)
[14:32:09] <inductiveload>	 the files that don't, failed
[14:32:35] <inductiveload>	 i mean sure
[14:32:57] <inductiveload>	 adjusting the script to catch upload failures and upload to the IA took me like an entire day :-D
[14:33:10] <urbanecm>	 🙂
[14:33:16] <andrewbogott>	 Hey all, ldap logins were briefly broken for most cloud-vps servers.  I am pretty sure the issue is resolved but please ping me if you find something that still doesn't work.
[14:33:29] <andrewbogott>	 The outage should have had little to no effect on actual running services
[14:33:38] <inductiveload>	 maybe I'll retry the commons upload a few times first
[14:34:21] <andrewbogott>	 (and by 'ldap logins' I mean 'ssh logins' because they use ldap)
[14:34:32] <inductiveload>	 some binoomial thingy will tell me how often I need to try a 1/8 change of success to have >95% success
[14:34:36] <sDrewth>	 urbanecm/reedy, you were going to set up ia-upload to be accessible directly to comons to grab files?
[14:34:53] <sDrewth>	 there was nothing more that we needed to do?
[14:35:27] <urbanecm>	 the links like https://ia-upload.wmcloud.org/dli.ministry.15654.djvu look okay to me
[14:35:28] <sDrewth>	 andrewbogott, my shell login to toolforge bastion is working
[14:36:03] <sDrewth>	 urbanecm, yes, though for direct import to commons as required
[14:36:03] <andrewbogott>	 great, thanks for checking
[14:36:40] <inductiveload>	 this one: https://phabricator.wikimedia.org/T287241
[14:36:44] <inductiveload>	 https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/720058
[14:36:45] <sDrewth>	 had logged on, not paid attention, had logged on again so wasn't hard 
[14:37:24] <inductiveload>	 actually if it was wikisource-bot.wmcoud as well, that would let sDrewth and I self-service via copy-upload attempts
[14:38:07] <inductiveload>	 via urls like https://wikisource-bot.toolforge.org/ssu_request/The%20Atlantic%20Monthly%20Volume%20135.djvu
[14:42:01] <sDrewth>	 wikisource-bot is toolforge, not wmcloud
[14:43:02] <andrewbogott>	 !log admin ran sudo cumin --force --timeout 500 -o json  "A:all" "ps -ef | grep nslcd && service nslcd restart" to get nslcd happy again T292202
[14:43:07] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Admin/SAL
[14:43:08] <stashbot>	 T292202: Icinga/Getent speed check (cloudstore1008/1009) - https://phabricator.wikimedia.org/T292202
[14:45:55] <andrewbogott>	 !log sudo cumin  "cloud*" "ps -ef | grep nslcd && service nslcd restart" and sudo cumin  "lab*" "ps -ef | grep nslcd && service nslcd restart"  T292202
[14:45:56] <stashbot>	 andrewbogott: Unknown project "sudo"
[14:50:16] <andrewbogott>	 !log admin sudo cumin  "cloud*" "ps -ef | grep nslcd && service nslcd restart" and sudo cumin  "lab*" "ps -ef | grep nslcd && service nslcd restart"  T292202
[14:50:20] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Admin/SAL
[14:50:21] <stashbot>	 T292202: Icinga/Getent speed check (cloudstore1008/1009) - https://phabricator.wikimedia.org/T292202
[15:10:43] <sDrewth>	 urbanecm /reedy, just asking again before I sneak off to bed, whether there is anything further that I need to do
[15:30:23] <inductiveload>	 i can add to a backport slot if that helps?
[15:42:28] <urbanecm>	 inductiveload: yeah, that's the official way to request config deployment
[15:42:43] <urbanecm>	 but since it's a simple patch (the allowlist), i can try to remember to just do it myself in the evening
[16:44:15] <ebernhardson>	 having a pcc issue. Added a pseudo-secret to labs/private in https://gerrit.wikimedia.org/r/724831 and now (12+hr after merge) pcc still isn't finding that key in https://gerrit.wikimedia.org/r/724829 . Any ideas why?
[16:47:38] <andrewbogott>	 ebernhardson: there are a few things that could be happening. The first is that the patch may need another merge step, I'm checking that now
[16:48:01] <andrewbogott>	 nope, wasn't that
[16:48:35] <andrewbogott>	 the other possibility is that there's a disagreement with the hiera search path
[16:49:45] <andrewbogott>	 do you know for sure that e.g. hieradata/common.yaml:profile::query_service::oauth_settings is getting picked up by pcc?
[16:50:20] <ebernhardson>	 andrewbogott: the problem is it isn't, pcc reports Error: Function lookup() did not find a value for the name 'profile::query_service::oauth_consumer_secret'
[16:50:33] <ebernhardson>	 andrewbogott: oh, oauth_settings. hmm, 
[16:50:50] <andrewbogott>	 ebernhardson: yeah, just a basic 'well does any of this work?' question
[16:50:50] <ebernhardson>	 andrewbogott: it should be, it's pulled by the same code in the same place
[16:51:02] <ebernhardson>	 andrewbogott: and that one is run during the prod catalog
[16:51:08] <andrewbogott>	 can you link me to the pcc run that's failing?
[16:51:31] <ebernhardson>	 https://puppet-compiler.wmflabs.org/compiler1003/996/wcqs2001.codfw.wmnet/index.html
[16:52:07] <ebernhardson>	 this is mostly https://gerrit.wikimedia.org/r/c/operations/puppet/+/724829/5/modules/profile/manifests/query_service/wcqs.pp  in the prod catalog it's pulling oauth_settings, in change it should pull both
[16:53:24] <andrewbogott>	 yeah, hm
[16:53:46] * andrewbogott briefly thought that wcqs was a typo for wdqs
[16:54:21] <ebernhardson>	 following the MediaWiki/WikiMedia/Wiki* tradition of naming ;)
[16:55:31] <andrewbogott>	 I don't think this will help but I'm going to refresh the pcc facts since these are newish servers
[16:57:13] <andrewbogott>	 normally I would address this issue by just copying that key into a thousand other files until it works
[17:01:28] <ebernhardson>	 Hmm, which ones? commmon.yaml would usually be the fallback
[17:02:18] <andrewbogott>	 codfw.yaml/eqiad.yaml for starters
[17:02:24] <andrewbogott>	 and also possibly making a profile-specific file
[17:02:42] <andrewbogott>	 but I'm not saying that's the right solution, just that I'm frequently baffled by where hiera does and doesn't look
[17:04:11] * andrewbogott still waiting for facts to sync
[17:18:55] <andrewbogott>	 ebernhardson: I am still stumped but referring the question to a higher power (giuseppe) and will follow up if we find anything
[17:19:26] <ebernhardson>	 ok :) I can certainly try moving it around into different files, i suppose i thought common.yaml was the easiest and most likely to be found but never know :)
[17:24:51] <andrewbogott>	 ebernhardson: I need to step away but I would start by trying that key in private hieradata/common/profile/query_service.yaml
[17:25:07] <andrewbogott>	 I don't see a lot of evidence that private's common.yaml is ever parsed
[17:25:20] <andrewbogott>	 if that proves true then I encourage you to open a task seeking explanation :)
[17:26:21] <ebernhardson>	 huh, interesting! ok will try. Thanks!
[18:12:12] <wm-bot>	 !log tools.bridgebot <bd808> Adding #wikimedia-wikicon-na bridge (T292137)
[18:12:17] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.bridgebot/SAL
[18:30:38] <topranks>	 Folks just a heads up  - looks like I caused a bit of an issue as a result of T292097
[18:30:39] <stashbot>	 T292097: Netbox info missing on some WMCS elements - https://phabricator.wikimedia.org/T292097
[18:31:33] <topranks>	 Forward DNS entry for "cloudinstances2b-gw.openstack.eqiad1.wikimediacloud.org" got changed from 185.15.56.244 to 185.15.56.238 as a result.
[18:31:38] <topranks>	 About 5 mins ago.
[18:32:27] <topranks>	 I've removed the Netbox entry I added earlier and am re-running the "sre.dns.netbox" cookbook now to try to revert.
[18:46:27] <topranks>	 On further investigation it seems that hostname was always pointing to .238, there is a manual entry for it:
[18:46:29] <topranks>	 https://gerrit.wikimedia.org/r/plugins/gitiles/operations/dns/+/refs/heads/master/templates/wikimediacloud.org
[18:47:17] <topranks>	 I'll reach out tomorrow and see what we can do, probably want to remove that manual one, re-add the .238 in Netbox, and work out why Netbox also has an entry against 185.15.56.244 for that name.
[19:50:45] <Wur_gl>	 Hi! There seems to be some problem with SSL-Certificates DST Root CA X3 was valid until 30.9.2021 14:01:15 GMT and exactly at that time the trounle with my mono program on wikihistory.toolforge.org starts (see in german language https://heise.de/-6201155 ) Do I have to update some files or is this a server issue
[19:51:01] <Wur_gl>	 -trounle+trouble
[19:57:17] <RhinosF1>	 Wur_gl: what trouble
[19:57:40] <Wur_gl>	 An exception occurred: WebException: Error: TrustFailure (A call to SSPI failed, see inner exception.)
[19:57:59] <RhinosF1>	 Wur_gl: what exactly is the call too
[19:58:06] <RhinosF1>	 Full error?
[19:58:17] <RhinosF1>	 But likely related yes
[19:59:17] <Wur_gl>	 https://justpaste.it/2ph78
[19:59:57] <RhinosF1>	 Wur_gl: what exactly are you requesting?
[20:00:07] <RhinosF1>	 What software versions?
[20:00:26] <RhinosF1>	 Like specfic urls you're accessing
[20:01:27] <Wur_gl>	 I do not know if this an issue of server admins or if I have to upload install some local files. Sorry, mono is just another language and I have very, very, very little experiance
[20:01:56] <Wur_gl>	 The Urls I am accessing are just and only the wikipedia-API
[20:02:03] <RhinosF1>	 Ok
[20:02:06] <Wur_gl>	 Nothing outside
[20:02:13] <RhinosF1>	 Do you know what version of mono
[20:02:16] <bd808>	 I have a feeling that many folks will be finding that T283164 is breaking old things for them
[20:02:17] <stashbot>	 T283164: Let's Encrypt issuance chains update - https://phabricator.wikimedia.org/T283164
[20:02:33] <RhinosF1>	 Yes
[20:02:43] <Wur_gl>	 tools.wikihistory@tools-sgebastion-08:~$ mono -V
[20:02:43] <Wur_gl>	 Mono JIT compiler version 5.12.0.226 (tarball Thu May  3 09:49:46 UTC 2018)
[20:02:43] <Wur_gl>	 Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
[20:02:49] <RhinosF1>	 Ty
[20:03:15] <RhinosF1>	 I will message someone and get it on the broken list
[20:03:50] <Wur_gl>	 The exe was build on August, 28th last year
[20:04:47] <RhinosF1>	 Do you know how to update it
[20:05:07] <bd808>	 Wur_gl: I assume your mono job runs on the grid engine?
[20:05:25] <majavah>	 looks like we pull mono from their official repos, https://github.com/wikimedia/puppet/blob/aae12e6d84a8a3be310140fcc7b70c4436e18ac2/modules/aptrepo/files/updates#L140
[20:05:50] <Wur_gl>	 bd808: Yes
[20:06:09] <bd808>	 root cause is likely https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
[20:06:17] <bd808>	 the fix... yeah good question
[20:06:22] <majavah>	 I wonder if when was the last time we pulled updates to apt.wm.o, afaik that needs to be done manually
[20:06:26] <Wur_gl>	 And yes, I have the source, I can build it on some (old) virtual Windows 7
[20:06:43] <AntiComposite>	 I'm guessing it's similar to https://libera.chat/news/letsencrypt-ca-expiry
[20:07:43] <Reedy>	 Rebuilding the .NET tool probably won't help
[20:08:02] <bd808>	 AntiComposite: yup. The wikis use multiple ssl certs for provider redundancy and one of them is a LE cert
[20:08:50] <legoktm>	 moritzm mentioned elsewhere that mono uses a custom TLS library, and last time we had to specially upgrade it https://phabricator.wikimedia.org/T194665
[20:10:21] <legoktm>	 bd808: I got the link from Mortiz :)
[20:10:47] <Wur_gl>	 Personally: I hate mono. I have already replaced a few programs and rewritten them in php. But this one does a lot of string manipulation and most important: Uses threads to speed up, so it is a little bit harder to replace
[20:10:51] <bd808>	 legoktm: but you showed it to me! :) it's turtles all the way down
[20:11:33] <legoktm>	 Wur_gl: to give us a sense of urgency, how important is this bot?
[20:12:02] <Wur_gl>	 Not very important,
[20:12:21] <Reedy>	 I'm guessing there'll be other mono bots broken and just not realised yet
[20:12:53] <bd808>	 there are not numerically many of them, but I would guess all broke at the exact same moment
[20:13:38] <RhinosF1>	 I messaged Scott Helme so it'll probably end up on Twitter soon
[20:13:50] <RhinosF1>	 He's collating a list of broken stuff
[20:14:33] <RhinosF1>	 Which is half the internet from cloudflare to shopify to Facebook
[20:15:58] <legoktm>	 I assume if some super critical bot breaks we can help them spin up a temporary VPS and install newer mono in it
[20:16:03] <bd808>	 I think it is likely that Toolforge things running in the ancient jessie containers (php5.6, python 3.4, python 2.7) will be busted too
[20:16:05] <legoktm>	 Wur_gl: do you have a link to the source code?
[20:17:35] <Wur_gl>	 https://persondata.toolforge.org/WikiHistory_src.zip
[20:23:09] <wm-bot>	 !log tools.wikivoyage <root> Switch from php5.6 to php7.4 for webservice runtime (T292243)
[20:23:12] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.wikivoyage/SAL
[20:24:26] <bd808>	 RhinosF1: I think I fixed T292243 with that ^^
[20:24:27] <stashbot>	 T292243: POI/marker disappeared on Wikivoyage maps  - https://phabricator.wikimedia.org/T292243
[20:24:40] <RhinosF1>	 Ok
[20:33:51] <legoktm>	 do we have a tracker or listing of tools still using jessie containers?
[20:34:50] <bd808>	 legoktm: https://k8s-status.toolforge.org/images/ (i'm waiting for it to load now)
[20:35:37] <bd808>	 216 copies of toolforge-php5-sssd-web are running (that's 5.6 on jessie)
[20:36:12] * bd808 won't look for the ticket where legoktm promised to get everyone to move from 5.6 to 7.2 ;)
[20:36:22] * legoktm hides
[20:38:55] <bd808>	 on that k8s-status page, the node6-sssd*, php5-sssd*, python2-sssd*, python34-sssd*, and ruby21-sssd* images are all Jessie based.
[21:00:02] <subbu>	 Hmm ... i am getting authentication failures trying to log on to parsing-qa-01.eqiad.wmflabs ... i was on it just couple days back ... should i reboot the server from horizon and see if it fixes itself or did something change?
[21:05:05] <bd808>	 subbu: there was an LDAP outage earlier today that might cause that. A reboot of the instance would fix it if so.
[21:05:20] <subbu>	 ok. will do.
[21:05:55] <bd808>	 folks tried to reset all the broken LDAP caches, but it is very possible that some were missed
[21:07:39] <subbu>	 no dice ...
[21:07:59] * subbu has to look up what the origin of that term is
[21:09:08] <subbu>	 still failing.
[21:09:10] <bd808>	 subbu: "error: maximum authentication attempts exceeded for invalid user ssastry" in the auth.log there.
[21:09:52] <bd808>	 I also see "Invalid user ssastry" which I would guess was the LDAP problem?
[21:10:06] <subbu>	 ya ... but, not sure why ... nothing changed in my ssh keys on my end. i can still get onto scandium.eqiad.wmnet.
[21:11:00] <bd808>	 subbu: `id ssastry` is failing on that node too. It is still having LDAP lookup issues for some reason. I'll poke around a bit more.
[21:11:07] <subbu>	 ok. thx.
[21:43:26] <wm-bot>	 !log tools.bridgebot <bd808> Updating telegram channel id for #wikimedia-wikicon-na bridge (T292137)
[21:43:29] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.bridgebot/SAL
[21:58:55] <bd808>	 subbu: I have not awesome news about your parsing-qa-01.wikitextexp.eqiad.wmflabs instance. The problem seems to be the LE root signing cert expiration.
[21:59:09] <bd808>	 That instance appears to be Debian Stretch upgraded in-place to Debian Buster with some strange stretch-backports left in place. And we don't know how to fix it at the moment.
[21:59:50] <bd808>	 subbu: so if I asked you to replace the instance with a new one, how loudly will you complain and what help will you need?
[22:00:00] <subbu>	 ok ... given that it is already on an old debian distro ... what is involved with boot up a new instance (that one is special with a lot of compute and disk space) and transitioning over data?
[22:00:47] <subbu>	 if it were a regular instance, it would be almost trivial for me to do ... but one is special and so you all might have to provision the right one for me and I can take it from there.
[22:01:34] <subbu>	 but, i'll need access to the mysql data ... so, yes, we can spin up a new instance, i can set it up, and once we are all confirmed it works, we can shut this down.
[22:02:07] <bd808>	 subbu: we can help you move data. Those of us with "root" ssh keys can still get in.
[22:02:14] <subbu>	 ok.
[22:02:59] <bd808>	 And "easy" way to move data might be with a cinder volume actually. We can make one, attach it to the old server, fill it full of goodies, and then reattach it to a new instance
[22:03:29] <bd808>	 and I can bump quotas as needed in your project to do the replacement dance
[22:04:43] * bd808 is remembering things about the wikitextexp project
[22:05:31] <subbu>	 sounds good. right. this one has 12 vcpus with 32gb ram and 400gb disk ... and the project will definitely need a quota bump before a new equivalent instance can be stood up.
[22:05:36] <bstorm>	 That's kind of what cinder is for. As long as the database (and ideally the instance) is stopped at the time of detach, it should all be good.
[22:05:54] <bstorm>	 Sounds like it
[22:06:11] <bd808>	 subbu: can you make a phab task about the loss of access so we can track getting it all fixed?
[22:06:22] <subbu>	 will do.
[22:06:58] <bd808>	 Disk will be cinder on the new instance, but we will probably need to make a special flavor for the beefy cpu + ram
[22:08:17] <bd808>	 !log wikitextexp Added self (BryanDavis) to project to help with sad instances
[22:08:18] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikitextexp/SAL
[22:10:53] <subbu>	 I created T292264
[22:10:54] <stashbot>	 T292264: Loss of access to parsing-qa-01.eqiad.wmflabs - https://phabricator.wikimedia.org/T292264
[22:38:18] <bd808>	 subbu: should I build the new instance with Buster or Bullseye? Bullseye would be preferred unless there is some extra weird reason you need older software.
[22:38:33] <subbu>	 No, bullseye is good.
[22:38:42] <bd808>	 excellent
[22:39:33] * bd808 apparently did ram math wrong for the quota increase
[22:45:59] <bd808>	 !log wikitextexp Attaching volume "parsing" to parsing-qa-01 (T292264)
[22:46:02] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikitextexp/SAL
[22:46:02] <stashbot>	 T292264: Loss of access to parsing-qa-01.eqiad.wmflabs - https://phabricator.wikimedia.org/T292264
[23:00:56] <subbu>	 bd808, i am signing off for the evening ... so will pick up the threads tonight / tomorrow.
[23:01:30] <bd808>	 subbu: ack. I'm copying data now. I'll update the ticket with details when I stop.
[23:01:32] <subbu>	 tomorrow is fine for me ... so don't feel the need to work through this today. thanks for your (collective you) help with this.
[23:29:17] <wm-bb>	 <Apple> Start
[23:45:18] <wm-bb>	 <Apple> https://t.me/wmcloudirc
[23:45:44] <wm-bb>	 <Apple> Test