[04:50:25] <bd808>	 !log tools.admin-test Stopped old, broken copy of tools.admin
[04:50:26] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.admin-test/SAL
[14:21:04] <andrewbogott>	 !log admin stopping old VPS proxies in eqiad — T213540
[14:21:07] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Admin/SAL
[14:21:07] <stashbot>	 T213540: Migrate nova proxies to eqiad1 - https://phabricator.wikimedia.org/T213540
[14:21:16] <andrewbogott>	 !log project-proxy stopping old VPS proxies in eqiad — T213540
[14:21:18] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Project-proxy/SAL
[14:23:59] <arturo>	 !log tools T213418 allocate floating IPs for tools-docker-registry-03 & 04
[14:24:01] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[14:24:01] <stashbot>	 T213418: Toolforge: move docker nodes from eqiad to eqiad1 - https://phabricator.wikimedia.org/T213418
[14:34:52] <arturo>	 !log tools T213418 point docker-registry.tools.wmflabs.org to tools-docker-registry-03 (was in -02)
[14:34:55] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[14:34:55] <stashbot>	 T213418: Toolforge: move docker nodes from eqiad to eqiad1 - https://phabricator.wikimedia.org/T213418
[15:36:38] <Lucas_WMDE>	 is the SAL tool currently not responding for anyone else? (e. g. https://tools.wmflabs.org/sal/)
[15:37:19] * gtirloni checking
[15:37:23] <Lucas_WMDE>	 I joined the channel to to ask if it’s a known problem that search doesn’t seem to work in other SALs (e. g. Cloud VPS projects), but now I can’t view the SALs at all ^^
[15:37:28] <Lucas_WMDE>	 (there’s still the on-wiki pages of course)
[15:37:52] <bd808>	 Lucas_WMDE: works for me?
[15:37:54] <Lucas_WMDE>	 ah, now it’s loading again
[15:37:57] <gtirloni>	 I don't know if someone restarted it just now, but it's working for me (it took a long time to load though)
[15:37:59] <Lucas_WMDE>	 oh well
[15:38:23] <Lucas_WMDE>	 in that case I can repeat my original question :)
[15:38:28] * bd808 needs to update that tool to use the php7.2 image
[15:38:35] <Lucas_WMDE>	 e. g. https://tools.wmflabs.org/sal/wikidata-dev?p=0&q=wikidata-constraints&d= doesn’t show just messages matching “wikidata-constraints”
[15:38:55] <Lucas_WMDE>	 but on the prod and releng SALs, search seems to work
[15:39:04] <gtirloni>	 add double quotes
[15:39:04] <gtirloni>	 https://tools.wmflabs.org/sal/wikidata-dev?p=0&q=%22wikidata-constraints%22&d=
[15:39:10] <bd808>	 yeah, that ^
[15:39:13] <Lucas_WMDE>	 ah, thanks
[15:39:23] <Lucas_WMDE>	 so was the wikidata part matching every message due to the project name? :D
[15:40:05] <gtirloni>	 I'm not sure :) text search isn't like in the old days of string matching, it's all very smart now :)
[15:40:15] <bd808>	 without the quotes the search tokenizer would turn 'wikidata-constraints' into 'wikidata OR contraints'
[15:40:19] <chasemp>	 "smart"
[15:40:27] <gtirloni>	 chasemp: use double quotes :P
[15:41:28] <bd808>	 SAL is backed by Elasticsearch and uses its 'simple query string query' syntax -- https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-simple-query-string-query.html
[15:41:44] <bd808>	 I should copy the help page from bash over to sal -- https://tools.wmflabs.org/bash/help
[15:50:47] <wm-bot>	 KPADSIBIJSWJREDMAQUIMNJKNJJHLCQNEEPGSNWJ Technical Advice IRC meeting starting in 10 minutes in channel #wikimedia-tech, hosts: @addshore & @CFisch_WMDE - all questions welcome, more infos: https://www.mediawiki.org/wiki/Technical_Advice_IRC_Meeting
[16:38:18] <arturo>	 !log tools T213418 shutdown tools-docker-registry-01 and 02. Will delete the instances in a week or so
[16:38:21] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[16:38:21] <stashbot>	 T213418: Toolforge: move docker nodes from eqiad to eqiad1 - https://phabricator.wikimedia.org/T213418
[17:15:14] <andrewbogott>	 !log bastion shutting down all bastions in the eqiad region
[17:15:15] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Bastion/SAL
[17:26:52] <andrewbogott>	 !log striker deleting VM striker-mwvdev
[17:26:54] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Striker/SAL
[17:29:36] <andrewbogott>	 !log tools depooling and moving tools-sgeexec-0904 tools-sgeexec-0906 tools-sgewebgrid-lighttpd-0904
[17:29:37] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[19:48:38] <addshore>	 \o
[19:48:53] <addshore>	 anyone know what is wrong with wmde-dashboards.wmde-dashboards.eqiad.wmflabs ?
[19:49:44] <Krenair>	 addshore, it doesn't appear to be responding to ping
[19:49:59] <addshore>	 ill give it a kick / reboot
[19:49:59] <Krenair>	 but it is theoretically ACTIVE
[19:50:06] <Krenair>	 you may want to look at the console log in horizon
[19:50:11] <Krenair>	 then reboot and look again
[19:50:31] <Krenair>	 looks like it was only created half an hour ago
[19:50:35] <Krenair>	 andrewbogott, ^
[19:50:55] <addshore>	 the console / log looked normal, and it seems to be in the default security group etc
[19:51:06] <addshore>	 i hit reboot, lets see what happens
[19:51:08] * andrewbogott looks
[19:51:41] <addshore>	 :D
[19:51:58] <addshore>	 log is at "wmde-dashboards login: " now
[19:53:33] <andrewbogott>	 mind if I add myself to the project so I can look around?
[19:53:46] <addshore>	 andrewbogott: go for it
[19:53:49] <addshore>	 tis currently empty
[19:55:18] <andrewbogott>	 port 22 is definitely not open in the default security group.  Let me set some defaults...
[19:55:49] <Krenair>	 you'll want ICMP too IIRC
[19:56:07] <andrewbogott>	 addshore: try now?
[19:56:13] <addshore>	 pinging is working now
[19:56:15] <Krenair>	 is this due to the project being created entirely within the new region?
[19:56:34] <addshore>	 and ssh works for me
[19:56:37] <addshore>	 GoranSM: ^^
[19:56:41] <andrewbogott>	 Krenair: I'm not sure.  addshore do you know when the project was created?
[19:56:49] <GoranSM>	 addshore: Got it, I'm in
[19:56:56] <addshore>	 andrewbogott: the project was created some time ago (let me find the ticket)
[19:57:00] <Krenair>	 huh okay
[19:57:15] <Krenair>	 was there ever any VMs in there until today addshore ?
[19:57:22] <GoranSM>	 Thanks wikimedia-cloud guys
[19:57:33] <addshore>	 andrewbogott: https://phabricator.wikimedia.org/T185429#3928759
[19:57:37] <GoranSM>	 Krenair: No no I've created this one some 30 mins ago
[19:57:39] <addshore>	 Krenair: no vms until today
[19:57:43] <Krenair>	 right
[19:57:46] <andrewbogott>	 Hm, a year ago, ok
[19:57:55] <Krenair>	 it's possible this got an entirely blank default security group in eqiad1-r
[19:58:00] <Krenair>	 and no migration was done, so
[19:58:04] <addshore>	 :D
[19:58:06] <andrewbogott>	 So because it was empty I never migrated anything over from the old region
[19:58:07] <Krenair>	 yeah
[19:58:18] <addshore>	 your welcome for being an edgecase ;)
[19:58:40] <Krenair>	 might be some more of those lurking about, would check but I don't think novaobserver can see security groups still
[19:59:08] <GoranSM>	 Krenair: I am about to run a bunch of installations on the new instance now - just let me know if I should not, for any reason
[19:59:24] <Krenair>	 should be fine AFAIK
[19:59:29] <Krenair>	 I don't even have access to the instance so
[19:59:33] <andrewbogott>	 petan|lounge: as part of our perpetual upgrade treadmill, I'd like to move wm-bot.wm-bot.eqiad.wmflabs to another host.  Are there good times or bad times for me to do that?  (Shouldn't be down for more than 30 minutes or so)
[19:59:34] <Krenair>	 don't worry about me
[20:00:03] <addshore>	 thanks for your help all (as always)
[20:00:05] <andrewbogott>	 GoranSM: it's all yours, all I did was change some of the network filtering rules in your project
[20:00:22] <GoranSM>	 andrewbogott: Thanks!
[20:00:50] <ricardosebastiao>	 http://informativoangolano.com
[20:01:13] <ricardosebastiao>	 informativo Angolano
[20:01:41] <ricardosebastiao>	 aude
[20:03:00] <ricardosebastiao>	 help
[20:19:30] <DatGuy>	 When I try to sudo, what password do I use?
[20:20:50] <valhallasw`cloud>	 DatGuy: if it asks for a password, you don't have admin rights on that host. What are you trying to do?
[20:21:11] <DatGuy>	 I might not be supposed to have permission for it in general, but I'm trying to install pyexiv2
[20:21:33] <DatGuy>	 which in turn requires exiv
[20:25:00] <valhallasw`cloud>	 DatGuy: Ok! Do you need this on toolsforge? Or on a cloud vps project?
[20:25:06] <DatGuy>	 Toolforge
[20:30:28] <valhallasw`cloud>	 DatGuy: Ok, for that the toolforge admins will have to install it. Could you create a phabricator ticket with the #toolforge tag, listing the package(s) that need to be installed, and on which hosts you need them (bastions / exec nodes / webgrid / kubernetes -- or just describe what you intend to do)?
[20:33:28] <DatGuy>	 https://phabricator.wikimedia.org/T213965 valhallasw`cloud looks good?
[20:34:16] <valhallasw`cloud>	 DatGuy: ah. Unfortunately, ppa's can't be used due to security concerns. But let me check something...
[20:34:48] <DatGuy>	 Would https://packages.ubuntu.com/trusty/python-pyexiv2 work?
[20:35:28] <valhallasw`cloud>	 yep, that should be OK. The other option is to pip install py3exiv2, and to have the dependencies installed using apt-get
[20:35:54] <DatGuy>	 need sudo access for that
[20:36:05] <DatGuy>	 https://pastebin.com/mpzCC6HX
[20:37:22] <GoranSM>	 andrewbogott: Do you have a minute to inspect an issue on the new wmde-dashboards instance with me?
[20:38:21] <bd808>	 DatGuy: we recommend using python virtual environments for things like this. That will let you `pip install ...` all you want but put the packages in a place where only your tool can see them
[20:38:35] <DatGuy>	 Does it not need special stuff?
[20:38:38] <DatGuy>	 such as scons
[20:38:43] <valhallasw`cloud>	 DatGuy: fwiw, python-pyexiv2 is already installed system-wide.
[20:38:49] <DatGuy>	 oh I see
[20:38:52] <DatGuy>	 that I did not know
[20:39:22] <valhallasw`cloud>	 but given that python2 is EOL in... a year or so, I think having the dev dependency installed might be the way to go
[20:47:53] <DatGuy>	 valhallasw`cloud: excuse me for being a bit rusty, but what command would I need to do to get pyexiv2 into my venv pip packages?
[20:48:45] <valhallasw`cloud>	 iirc you need to create the venv with something like --system-site-packages. But that means you get _all_ system site-packages, not just the lib you need
[20:53:24] <Hauskatze>	 oh hi valhallasw`cloud  :D
[20:53:51] <valhallasw`cloud>	 Hauskatze: *waves*
[20:54:51] <DatGuy>	 I found a pyvenv.cfg file and changed 'include-system-site-packages' from false to true, but not sure how to restart it so to say :p
[20:56:46] <andrewbogott>	 GoranSM: what's up?
[20:56:55] <GoranSM>	 andrewbogott: Hey
[20:57:23] <valhallasw`cloud>	 DatGuy: virtualenvs are black magic -- in my experience you have to recreate them for stuff like this to work
[20:57:25] <GoranSM>	 andrewbogott: Well, I have Rstudio Server installed and running on port 8787; all security groups set and applied to the new instance
[20:57:44] <GoranSM>	 However... http://wmde-dashboards.wmflabs.org/ - you can try it yourself
[20:57:50] <DatGuy>	 damn alright
[20:58:01] <GoranSM>	 andrewbogott: I've also allowed 8787 on ufw...
[20:58:33] <DatGuy>	 might just rewrite all the code as well, there's more spaghetti there than in an Italian restaurant
[20:58:59] <andrewbogott>	 GoranSM: looking...
[20:59:55] <GoranSM>	 andrewbogott: If it helps, we have the RStudio Server running on the same port on the wikidataconcepts instance which you can also access, but I really tried to make everything the same...
[21:00:06] <bd808>	 DatGuy: if you have an existing venv, you should be able to run `pip freeze > $SOMEFILE` to get the list of things you already have in there. Then you can add those same packages to a new venv with `pip install -r $SOMEFILE`
[21:00:40] <bd808>	 $SOMEFILE is often called requirements.txt but that's just a random convention
[21:00:42] <andrewbogott>	 ah, ok — GoranSM you opened 8787/tcp from 10.0.0.0/8  but the proxy gateway isn't in that range.  10.0.0.0/8 is the old 'eqiad' region which is mostly unused these days.
[21:00:45] <andrewbogott>	 the new region is 172.16.0.0/21
[21:02:03] <GoranSM>	 andrewbogott: So what I should I place there: 172.16.0.0/21 ?
[21:02:17] <andrewbogott>	 yep
[21:02:26] <GoranSM>	 andrewbogott: Let me try
[21:04:17] <GoranSM>	 andrewbogott: No change
[21:04:29] <andrewbogott>	 GoranSM: works for me!
[21:04:49] <GoranSM>	 andrewbogott: ?
[21:04:53] <GoranSM>	 Let me check again
[21:05:37] <GoranSM>	 andrewbogott: so, you're saying that http://wmde-dashboards.wmflabs.org/ returns a login page for RStudio Server in your browser?
[21:05:41] <bd808>	 GoranSM: works for me too. One thing that may have happened to you is local cache of a negative DNS lookup. That should expire soon in theory
[21:06:00] <GoranSM>	 bd808: Hm. Thanks!
[21:06:02] <bd808>	 GoranSM: yeah I get redirected to https://wmde-dashboards.wmflabs.org/auth-sign-in and see the form there
[21:06:24] <GoranSM>	 bd808: What I get is: Hmm. We’re having trouble finding that site. We can’t connect to the server at wmde-dashboards.wmflabs.org.
[21:07:27] <bd808>	 is that your browser's default DNS failure page?
[21:07:52] <bd808>	 Sounds like the built-in page in firefox
[21:07:56] <GoranSM>	 bd808: I'd say yes; that was Firefox. Chromium gives me: This site can’t be reachedwmde-dashboards.wmflabs.org’s server IP address could not be found.DNS_PROBE_FINISHED_NXDOMAIN
[21:08:05] <bd808>	 like http://foobar.bd808.com/ would give the same response
[21:08:16] <GoranSM>	 bd808: I think so.
[21:09:43] <bd808>	 yeah. cached negative lookup somewhere between our DNS server and you. That happens when you hit the URL before the DNS record is fully added by the proxy creation. From my local laptop I get: `host wmde-dashboards.wmflabs.org` -> "wmde-dashboards.wmflabs.org has address 185.15.56.49"
[21:09:44] <DatGuy>	 bd808, valhallasw`cloud: thank you! seems to import
[21:10:12] <bd808>	 GoranSM: I think we put a 5 or 10 minute TTL on negative responses
[21:11:52] <GoranSM>	 bd808: In translation to English, that means: wait 10 minutes or so and than try again, I guess?
[21:12:03] <bd808>	 :) yes
[21:12:09] <GoranSM>	 bd808: :) Thanks!
[21:12:22] <bd808>	 or lookup how to clear your local DNS cache if you are in a hurry
[21:12:44] <GoranSM>	 bd808: Well, not in a hurry but I could learn how to do that, why not
[21:16:21] <GoranSM>	 andrewbogott: RStudio Server up and running; thx
[21:16:27] <GoranSM>	 bd808: Thank you!
[21:42:50] <bd808>	 !log tools.sge-status Force killed orphan webservice grid job and restarted webservice
[21:42:51] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.sge-status/SAL
[21:53:41] <GoranSM>	 andrewbogott: Now this is silly: I cannot SSH to wmde-dashboards.eqiad.wmflabs anymore. 
[21:54:51] <andrewbogott>	 GoranSM: any chance you installed a firewall on that host by mistake?
[21:55:36] <Krenair>	 it looks like port 22 to that host from a bastion is blocked
[21:56:40] <andrewbogott>	 security groups look right to me, must be something installed on the host
[21:56:45] <andrewbogott>	 that will be hard to undo :(
[21:57:14] <andrewbogott>	 hm
[21:57:32] <Krenair>	 we could do this stuff if we had remote console access
[21:57:36] <andrewbogott>	 welp, I'm on my way out the door… good luck absent stranger
[21:57:55] <Krenair>	 he left it on the ticket: https://phabricator.wikimedia.org/T204695#4886191
[21:59:00] <bd808>	 no special puppet roles applied -- https://tools.wmflabs.org/openstack-browser/server/wmde-dashboards.wmde-dashboards.eqiad.wmflabs
[21:59:27] <Krenair>	 I did something dumb with ferm/iptables once that IIRC had the effect of breaking SSHd
[21:59:31] <Krenair>	 I think I restarted the instance
[21:59:32] <Krenair>	 could try that
[21:59:47] <Krenair>	 (or maybe Andrew restarted it that time, I forget)
[22:01:11] <Krenair>	 hi GoranSM 
[22:01:23] <GoranSM>	 Krenair: Hi
[22:01:37] <Krenair>	 was there any iptables or other firewall stuff on the instance?
[22:01:47] <GoranSM>	 Krenair: ufw installed
[22:02:07] <bd808>	 !log wmde-dashboard Added BryanDavis (self) as project admin to help debug ssh issues
[22:02:08] <stashbot>	 bd808: Unknown project "wmde-dashboard"
[22:02:21] <Krenair>	 bd808, plural
[22:02:24] <bd808>	 !log wmde-dashboards Added BryanDavis (self) as project admin to help debug ssh issues
[22:02:25] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wmde-dashboards/SAL
[22:02:35] <Krenair>	 GoranSM, and is it possible that started blocking SSHd?
[22:02:43] <bd808>	 if ufw installed that is probably the problem
[22:03:26] <GoranSM>	 Krenair: Well, I did not allow 22 from ufw manually, however, I have been logging in and out from that instance following the installation of ufw
[22:03:46] <GoranSM>	 Krenair: the only thing I've used ufw for was to allow for 8787 (RStudio Server default port)
[22:04:14] <bd808>	 which implies that there was a default block?
[22:04:55] <GoranSM>	 bd808: I wouldn't say so, because if so how could I login and out from that instance?
[22:05:21] <GoranSM>	 bd808: But better not rely on my understanding of networking services
[22:05:27] <bd808>	 why would you need to add a rule to allow a port if you weren't blocking ports?
[22:06:27] <GoranSM>	 bd808: Oh, I see - I understand the question now. No I did not want to have anything blocked - I was running into problems with RStudio Server on 8787 and thought that I might need to open the port manually.
[22:06:48] <GoranSM>	 bd808: That is why I have manually allowed 8787 from ufw (and installed ufw in the first place)
[22:06:48] <bd808>	 GoranSM: one thing we can try is rebooting and hoping that the instance local firewall is actually not setup to start on boot
[22:07:01] <GoranSM>	 bd808: I have already did a soft reboot
[22:07:13] <GoranSM>	 bd808: Nothing changed. Let me try just another thing please.
[22:07:19] <Krenair>	 maybe someone can mount the instance's disk and overwrite the rules etc.?
[22:08:26] <GoranSM>	 Krenair: No no wait
[22:08:30] <GoranSM>	 Solved.
[22:08:36] <bd808>	 Krenair: although possible in theory, in practice that instance would have to be full of bitcoin wallets to make it worthwhile ;)
[22:08:51] <Krenair>	 heh
[22:08:57] <GoranSM>	 I have access to the terminal through RStudio Server - I only forgot about it
[22:09:03] <GoranSM>	 and then... sudo ufw allow 22 
[22:09:22] <Krenair>	 this thing provides a remote shell?
[22:09:27] <GoranSM>	 So I can ssh there again. Silly of me to play with ufw, however, I needed 8787 in place. 
[22:09:49] <GoranSM>	 Krenair: Yes. And if you ask me, that is a *serious* security issue with RStudio Server. 
[22:10:13] <Krenair>	 depends whether you trust it as much as you trust SSHd
[22:10:15] <Krenair>	 I wouldn't though
[22:10:40] <GoranSM>	 Krenair: However, I can disable the RStudio Server terminal from the config files if that would match our security policy. Just let me know.
[22:11:16] <GoranSM>	 Krenair: However, as you can see, having me onboard exemplified that the feature is not useless at all :)
[22:11:34] <Krenair>	 I'm not aware of any particular rule that would disallow this
[22:11:46] <bd808>	 GoranSM: its up to you, but if somebody takes over your instance and does ugly things that will be your problem to clean up
[22:11:51] <GoranSM>	 Krenair: Ok than. Sorry for panicking 
[22:11:58] <Krenair>	 I would be careful with it
[22:12:09] <Krenair>	 I wouldn't allow anyone to use it that doesn't already have root on the instance
[22:12:21] <GoranSM>	 bd808: I understand. Well I will probably disable the terminal, I can do ssh there when I need to
[22:12:50] <GoranSM>	 bd808: And they need a Wikitech account to get there first, of course
[22:13:34] <bd808>	 GoranSM: a wikitech account? Is your authentication using the LDAP server?
[22:13:48] <GoranSM>	 bd808: I'd say so
[22:13:51] <Krenair>	 that's more concerning to hear
[22:14:00] <Krenair>	 how do they authenticate with this?
[22:14:05] <Krenair>	 do they input their LDAP credentials?
[22:14:10] <GoranSM>	 Krenair: what do you mean?
[22:14:21] <Krenair>	 when they go to the RStudio server interface
[22:14:28] <GoranSM>	 Krenair: Ok, I get your meaning
[22:14:28] <Krenair>	 what credentials do they use to login?
[22:14:51] <GoranSM>	 Krenair: to get to RStudio Server I use my instance (terminal, console) username, and then my Wikitech password
[22:15:04] <GoranSM>	 Krenair: It has always worked that way for me
[22:15:20] <Krenair>	 ... I'm pretty sure there either is or should be a rule against that
[22:15:34] <bd808>	 Using LDAP auth is against the Cloud Services TOU -- https://wikitech.wikimedia.org/wiki/Wikitech:Cloud_Services_Terms_of_use#What_uses_of_Cloud_Services_do_we_not_like?
[22:15:41] <bd808>	 "Use of Wikimedia's LDAP server for authentication: Even with end-user notification that is required for any service that handles passwords or other sensitive data, use of the Wikimedia LDAP server for password authentication from within the Cloud Services environment is strictly prohibited."
[22:15:54] <Krenair>	 Your instance is asking for some of the most sensitive passwords to which it has no right to see
[22:16:21] <bd808>	 you can use OAuth or local users/passwords, but not LDAP/Wikitech/Developer accounts
[22:16:23] <GoranSM>	 Krenair: Well, my onboarding with WMDE took place in March 2017; since then, that is how I use the CloudVPS instances (aka Labs)
[22:16:44] <GoranSM>	 Krenair: I mean: there is nothing that I did to make it work that way. 
[22:16:59] <Krenair>	 so how does it know what LDAP server etc. to authenticate with?
[22:17:04] <GoranSM>	 Krenair: Since I know for Labs/CloudVPS, the only password that ever worked there was that one
[22:17:14] <Krenair>	 did you register with it using that password?
[22:17:28] <GoranSM>	 Krenair: Registered with what?
[22:17:40] <Krenair>	 with the RStudioServer software running on your instance
[22:18:29] <GoranSM>	 Krenair: If you mean do I login to the RStudio Server instance running from our CloudVPS virtual machine, then yes
[22:18:46] <Krenair>	 Did you register with RStudioServer using the same password
[22:18:49] <GoranSM>	 Krenair: If you mean have I used my LDAP password to register anywhere outside our world, then no
[22:18:55] <Krenair>	 Or does RStudioServer communicate with LDAP to verify passwords?
[22:19:04] <GoranSM>	 Krenair: That I do not know
[22:19:10] <Krenair>	 Sorry but your LDAP password is already compromised, it has been seen by a labs instance
[22:19:27] <GoranSM>	 Krenair: Oh...
[22:20:04] <GoranSM>	 Krenair: How can you explain the following:
[22:20:07] <Krenair>	 And you are in the LDAP NDA group.
[22:20:17] <GoranSM>	 Krenair: Yes I have NDA
[22:20:39] <GoranSM>	 Krenair: So, on two virtual instances (wikidataconcepts, and now wmde-dashboards that was just created)
[22:20:47] <GoranSM>	 Krenair: without any intervention from my side
[22:21:04] <GoranSM>	 Krenair: RStudio Server, upon installation, accepts that and only that password?
[22:22:12] <bd808>	 looks like rstudio uses pam for other. Specifically the /etc/pam.d/other profile
[22:22:19] <Krenair>	 Maybe RStudioServer is reading your instance's ldap.conf or PAM
[22:22:25] <bd808>	 this is not exciting to find
[22:22:49] <Krenair>	 GoranSM, do you have logs showing who else has logged into this system?
[22:23:36] <GoranSM>	 Krenair: Where by "this system" you mean: the two instances of RStudio Server running on our two CloudVPS instances? 
[22:23:43] <Krenair>	 yes
[22:23:46] <Krenair>	 RStudio Server
[22:24:22] <GoranSM>	 Krenair: Let me take a look at the logs, but I would be very surprised to  learn that anyone ever reach them except me
[22:24:35] <Krenair>	 ok
[22:26:55] <GoranSM>	 Krenair: from https://support.rstudio.com/hc/en-us/articles/200554766-RStudio-Server-Application-Logs
[22:27:07] <GoranSM>	 Krenair: The RStudio Server log messages are located in the system log, typically located at:
[22:27:11] <GoranSM>	 /var/log/syslog
[22:27:57] <GoranSM>	 Krenair: So I can only download all syslog files from the wikidataconcepts instance (in use for approx. 2 years) and search for rstudio server messages there
[22:28:29] <Krenair>	 grep on that file might show it
[22:28:57] <GoranSM>	 Krenair: Let me try
[22:33:25] <GoranSM>	 Krenair: Well, I can't find nothing evil in the logs, but it also does not seem to log who accessed the system and when
[22:33:52] <Krenair>	 maybe auth.log?
[22:34:38] <GoranSM>	 Krenair: Would that also be found under /var/log
[22:34:52] <Krenair>	 yes
[22:35:15] <GoranSM>	 Krenair: Let me see
[22:38:25] <GoranSM>	 Krenair: No, it doesn't write such things there either