[03:05:38] At what point will the Debian 11 VMs need to be turned off? [03:08:52] standard practice is deprecation 3 years after release and removal after 4 [03:10:05] https://wikitech.wikimedia.org/wiki/Operating_system_upgrade_policy#Policy says another year of full support, then a year of deprecation [11:59:48] !log tools deploy buildservice with aptfile support (T336669) [11:59:51] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL [11:59:52] T336669: Decision request - How to provide a way to install system dependencies for buildpack-based images - https://phabricator.wikimedia.org/T336669 [12:04:42] !log tools deployed api-gateway with envvars endpoint support (T337538) [12:04:44] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL [12:04:45] T337538: [toolforge] Create envvars management offering - https://phabricator.wikimedia.org/T337538 [12:11:18] !log tools deploy toolforge-envvars-cli (upgrades pthyon3-toolforge-weld) (T337538) [12:11:21] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL [12:11:22] T337538: [toolforge] Create envvars management offering - https://phabricator.wikimedia.org/T337538 [14:21:45] !log tools fix gitlab merge settings for tools-webservice to match the agreed values (fast-forward, squash encouraged) [14:21:47] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL [17:33:00] !log tools.lexeme-forms deployed 3e76345eb5 (l10n updates: ba, id, nb, xmf) [17:33:02] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.lexeme-forms/SAL [17:33:46] whatever this was seems to be resolved now 🤷 (re @lucaswerkmeister: for some reason my tool seems to reliably need one more pod restart per deployment restart now) [18:27:30] !log tools.lexeme-forms deployed 7081d2769e (support language fallback and ?uselang) [18:27:32] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.lexeme-forms/SAL [20:34:18] Question: After being granted access to a cloud vps project, how long until i should be able to ssh into it? [20:34:47] i.e. Am I doing something wrong, or do i just need to wait more than 1 minute [20:35:42] it should be fast enough that you don't have to ask that :-) [20:35:43] almost certainly the latter [20:35:48] which instance/project? [20:35:58] wikiapiary.wikiapiary.eqiad1.wikimedia.cloud [20:36:09] (there are some caches involved, but those should be on the order of some minutes) [20:36:11] * taavi looks [20:36:31] I'm logging in the same way i do to other cloud vps projects: ssh -J bastion.wmcloud.org:22 wikiapiary.wikiapiary.eqiad1.wikimedia.cloud [20:37:33] I think the person who added you to the project made a typo, and added the user `bawolffa` and not `bawolff` [20:37:42] lol [20:37:48] * Reedy bans bawolff for socking [20:37:51] ok, I'll follow up. Thanks [20:39:11] Reedy: you're about five years late: https://wikitech.wikimedia.org/w/index.php?title=Special:Log&logid=910560 [20:41:41] heh [20:42:17] honestly, even i forgot i wasn't User:Bawolff on wikitech [20:46:34] ugh. we should delete the LDAP record for that blocked spoofer account so this doesn't happen again. [20:48:02] or update the horizon member panel to disallow granting access to a disabled user [20:49:43] taavi: that's probably a good idea too. Is that a panel that we invented or one that we tweak from upstream? [20:50:07] it's a custom one [20:50:54] https://gerrit.wikimedia.org/r/plugins/gitiles/openstack/horizon/wmf-member-dashboard/+/refs/heads/main/wikimediamemberdashboard/members.py would be the file to update, I think [20:52:18] I'll do T339968 now as that's relatively easy if you know where all the needed credentials are hidden. [20:52:19] T339968: Delete blocked spoofer uid=bawolffa Developer account - https://phabricator.wikimedia.org/T339968 [20:52:35] thanks :) [20:52:49] and only now I realize that it probably wasn't a typo, someone just typed 'Bawolff' to the wrong username field [20:53:15] if it was an option i would totally rename my account. having different names has caused a lot of confusion [20:53:44] you're not the only one wishing for such possibility :-P [20:55:02] bd808: I wonder if that will actually have the impact you think it will, now that Keystone has been made aware that user exists and so probably added some records to its mariadb database [20:56:44] taavi: that's a good question. dropping the LDAP record shouldn't change keystone as far as I understand the current setup. We may need more changes as well to really make that account go away. [20:57:27] at least there's a `os user delete` command [20:59:06] `os user show bawolffa` says 'no user exists' and `os user show Bawolff` shows the correct user, but I still see the fake account in LDAP. weird. [21:00:34] the role assignments in the wikiapiary project are still there, though [21:02:25] I mentioned it to cindy but she is AFK [21:03:38] taavi: I think the LDAP replication has dropped the uid=bawolffa record everywhere now. [21:05:49] I don't see the bogus account in the horizon dashboard for wikiapiary now either. [21:06:01] bd808: yeah, the user is definitely gone now, even from Keystone too. I manually removed the role assignments for that user, both from the wikiapiary and bastion projects. [21:06:15] awesome. thanks for the assist [21:12:54] taavi: it's possible that the block would have been enough if the block has happened after we invented Developer account locking in response to a block on wikitech. That particular account was blocked a year before we had that tech in-place. [21:13:07] * bd808 looks for a "properly" blocked account to test with [21:20:36] It seems that blocked Developer accounts do continue to lookup in OpenStack as long as they are in LDAP. We should figure out how to change that, ideally outside the Horizon dashboard and instead system wide. [23:08:31] !log wikistats - added user Aokoth as reader and member [23:08:33] Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikistats/SAL