[13:57:35] GitLab (Pipeline Services Migration), collaboration-services, Wikidata, Wikidata Query UI, and 3 others: move commons-query.wikimedia.org and query.wikidata.org to kubernetes - https://phabricator.wikimedia.org/T350793#10371358 (Jelto) Great thanks, I sent you an invite for tomorrow 14:00 CET.
[15:01:08] GitLab (Pipeline Services Migration), Citoid, Editing-team, Projects-Cleanup, Patch-For-Review: Archive Zotero gerrit repo as it's been replaced with gitlab - https://phabricator.wikimedia.org/T380259#10371648 (Mvolz)
[15:01:24] GitLab (Pipeline Services Migration), Citoid, Editing-team, Projects-Cleanup, Patch-For-Review: Archive Zotero gerrit repo as it's been replaced with gitlab - https://phabricator.wikimedia.org/T380259#10371651 (Mvolz)
[15:15:52] GitLab (Pipeline Services Migration), Citoid, Editing-team, Projects-Cleanup, Patch-For-Review: Archive Zotero gerrit repo as it's been replaced with gitlab - https://phabricator.wikimedia.org/T380259#10371791 (Mvolz)
[15:16:06] GitLab (Pipeline Services Migration), Citoid, Editing-team, Projects-Cleanup, Patch-For-Review: Archive Zotero gerrit repo as it's been replaced with gitlab - https://phabricator.wikimedia.org/T380259#10371793 (hashar)
[15:17:55] GitLab (Pipeline Services Migration), Citoid, Editing-team, Projects-Cleanup, Patch-For-Review: Archive Zotero gerrit repo as it's been replaced with gitlab - https://phabricator.wikimedia.org/T380259#10371841 (Mvolz)
[15:21:51] GitLab (Pipeline Services Migration), Citoid, Editing-team, Projects-Cleanup, Patch-For-Review: Archive Zotero gerrit repo as it's been replaced with gitlab - https://phabricator.wikimedia.org/T380259#10371796 (hashar) Open→Resolved a:Mvolz I have applied the change for CI, f...
[20:56:50] Does anyone know if the firewall restrictions on the WMCS runners are documented anywhere?
mhurd and I discovered today that these runners are configured to block outbound access to the WMCS IP space by default today. Upon finding the Puppet config (thanks for the hint taavi) I can reason about why this was done, but it was non-obvious.
[20:58:22] A likely unplanned side effect is that you can actually do some things from the DO runners that you cannot from the WMCS runners. This is because we use split horizon DNS in WMCS and there are things that you would get a public IP for from DO (and be allowed to access) that you would get a private IP for from WMCS (and be denied access).
[21:02:04] https://gerrit.wikimedia.org/g/operations/puppet/+/b4d4a849ef9944d41dfd7284ed04be610305340c/hieradata/cloud.yaml#189 seems to be the list of allowed things. The `profile::gitlab::runner::restrict_firewall: true` setting adds a default REJECT rule for 172.16.0.0/21 (all WMCS hosted instance IPs)
[21:03:39] jelto: ^ I suppose if the firewall setup is documented you would have been the person to document it?
[21:06:33] * bd808 finds a Phab task to comment on
[21:46:38] Yes, that's right and was a design choice. It could probably be added somewhere here https://wikitech.wikimedia.org/wiki/GitLab/Gitlab_Runner/Security_Evaluation#Firewall_configuration and/or in https://wikitech.wikimedia.org/wiki/GitLab/Gitlab_Runner/Shared_Runners
[21:46:38] I can take a look tomorrow
[21:53:05] jelto: the possibly non-obvious issue was mostly that I assumed that being inside the WMCS network these runners could talk to other things inside WMCS assuming the Cloud VPS projects involved in the communication allowed the traffic via their Security Group settings.
[21:53:52] I wasted some of mhurd's time as a result of this faulty assumption.