[06:51:51] <Majavah>	 !log toolsbeta depool toolsbeta-test-k8s-ingress-1
[06:51:53] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Toolsbeta/SAL
[09:44:16] <Lucas_WMDE>	 !log wikidata-dev wb-reconcile: created instance
[09:44:18] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikidata-dev/SAL
[09:53:04] <Lucas_WMDE>	 !log wikidata-dev wb-reconcile: installed MediaWiki + WikibaseReconcileEdit with Ansible; no HTTP server running yet AFAICT
[09:53:06] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikidata-dev/SAL
[10:22:40] <Lucas_WMDE>	 !log wikidata-dev wb-reconcile: fixed the Ansible setup; added wikibase-reconcile-testing.wmcloud.org proxy
[10:22:42] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Wikidata-dev/SAL
[10:44:13] <Majavah>	 !log tools create tools-k8s-ingress-[4-6] T264221
[10:44:17] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[10:44:17] <stashbot>	 T264221: Upgrade the nginx ingress controller in Toolforge (and likely PAWS) - https://phabricator.wikimedia.org/T264221
[11:09:12] <Majavah>	 !log tools deploy helm-based nginx ingress controller v0.46.0 to ingress-nginx-gen2 namespace T264221
[11:09:16] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[11:09:17] <stashbot>	 T264221: Upgrade the nginx ingress controller in Toolforge (and likely PAWS) - https://phabricator.wikimedia.org/T264221
[11:35:29] <Majavah>	 !log toolsbeta testing https://gerrit.wikimedia.org/r/c/operations/puppet/+/692875/
[11:35:32] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Toolsbeta/SAL
[12:15:09] <Majavah>	 !log tools rollback ingress-nginx-gen2
[12:15:15] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools/SAL
[12:29:54] <godog>	 hi, the bullseye VPS image works well -- thanks andrewbogott ! 
[12:30:30] <Steinsplitter>	 hm... why are imagemagic jobs getting killed?
[12:30:37] <Steinsplitter>	 is this on the grid engine as well?
[12:31:01] <godog>	 a followup question, I'm looking into porting swift to bullseye though in production runs on stretch, I'd like to have two VMs bullseye/stretch side by side; how much work would it be to re-activate the stretch image for 'swift' project only ? would it work out of the box with e.g. ceph andrewbogott ?
[12:46:03] <andrewbogott>	 godog: I can enable stretch temporarily; what project?
[12:47:46] <godog>	 andrewbogott: thank you! the 'swift' project
[12:51:23] <andrewbogott>	 godog: done
[12:52:38] <godog>	 andrewbogott: thank you! appreciate it
[12:54:00] <andrewbogott>	 sure thing, lmk if it doesn't work :)
[14:52:59] <legoktm>	 !log tools.wikibugs now running on irc.libera.chat via ~/libera directory
[14:53:02] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.wikibugs/SAL
[15:24:48] <godog>	 andrewbogott: got it working! seems fine, I had to wrestle a little with sudo/ldap etc, what's the "ldap client stack" supposed to be for stretch VMs ? for my use case atm is  "classic/sudoldap" and things seems to work, I can sudo passwordless no problem, but wanted to check if that's correct
[16:09:33] <Jdlrobson>	 Hey cloud team.  I need to be added as a maintainer of https://cssk.toolforge.org/ (context https://cs.wikipedia.org/wiki/Diskuse_s_wikipedistou:Blahma#Bug_in_https%3A%2F%2Fcssk.toolforge.org%2Fscripts%2Fcssk.js) can anybody help me with that?
[16:12:27] <andrewbogott>	 Jdlrobson: the official/approved way to get added to a tool is via an existing maintainer. If the tool is abandoned there's a different process for that.
[16:12:48] <andrewbogott>	 But of course I have not yet looked at the tool -- if it was exclusively maintained by no-longer-at-the-WMF staff then I can just add you :)
[16:13:15] <AntiComposite>	 https://admin.toolforge.org/tool/cssk looks like the person you were talking to, Blahma, is the sole maintainer. So you should try asking them first.
[16:13:41] <Jdlrobson>	 @AntiComposite  @andrewbogott that's the talk page
[16:13:50] <Jdlrobson>	 Blahma says "The extension has since been decommissioned, along with the linked wikiproject, which has lived past its horizon. What would be the best way to disenroll it from all the user scripts that are currently calling it? Feel free to take actions as you wish"
[16:14:13] <Jdlrobson>	 The action I'd like to take is to make that script 404
[16:14:35] <Jdlrobson>	 which requires access to https://cssk.toolforge.org/ so I can remove the scripts/cssk.js file
[16:17:02] <andrewbogott>	 Jdlrobson: The best way for you to take actions as you wish is for them to add you.  Is there some reason why they won't or can't?
[16:19:50] <Jdlrobson>	 Okay I'll follow up with them again :) Thanks
[16:21:47] <Majavah>	 Jdlrobson: if they don't reply, https://wikitech.wikimedia.org/wiki/Help:Toolforge/Abandoned_tool_policy is the official policy for that
[16:23:51] <Jdlrobson>	 Thanks Majavah it's only 1000 errors a day so not urgent. 
[16:23:53] <andrewbogott>	 Jdlrobson: sorry to stonewall you, this a standard "trying to avoid capricious WMF staff action in community space" thing
[16:24:18] <Jdlrobson>	 andrewbogott: no makes sense. The gadget/user script space is becoming more problematic though
[16:24:45] <Jdlrobson>	 we've had a few cases where bad scripts have caused JS errors for every user hitting our triggers and that becomes a staff issue now we have error logging..
[16:25:11] <Jdlrobson>	 if anyone is interested I did set up https://phabricator.wikimedia.org/T262493 to get some clarity here
[16:26:03] <Jdlrobson>	 (any input welcomed particularly from the cloud perspective)
[16:29:49] <Cyberpower678>	 Majavah: MacFan4000: did you part?
[16:29:55] <MacFan4000>	 yes
[16:30:02] <Majavah>	 yep
[16:30:16] <Cyberpower678>	 legoktm or bd808: go in now
[16:30:22] <Cyberpower678>	 or andrewbogott
[16:30:40] <Cyberpower678>	 Let us know when you are in.
[16:31:00] <Majavah>	 we're in
[16:31:01] <andrewbogott>	 worked
[16:32:54] <tgr_>	 people loading JS from abandoned toolforge tools seems not great from a security POV either.
[16:33:55] <Majavah>	 Jdlrobson: anything specific you're looking from us?
[16:46:06] <greg-g>	 andrewbogott: can I /join -cloud on libera? or should I just hold off and be happy I'm nick squatting
[16:46:23] <andrewbogott>	 greg-g: feel free
[16:51:44] <wm-bb>	 <Alex> Is wikimedia definitely headed to libera?
[16:52:23] <MacFan4000>	 seems like it
[16:52:34] <MacFan4000>	 we've got -cloud setup there
[16:52:35] <Majavah>	 likely yes, but officially there are not yet any decisions
[16:52:50] <Majavah>	 but the meta thread is mostly in favor of moving there
[16:53:45] <andrewbogott>	 wm-bb, MacFan4000, Majavah  WMCS staff will follow wherever the community leads.  I'm sitting in channels over there in case people show up but I'm not yet to the point of telling people they /should/ show up there :)
[16:54:01] <wm-bb>	 <Alex> Ok
[17:26:04] <AntiComposite>	 https://meta.wikimedia.org/w/index.php?title=Wikimedia_Forum&diff=21473927&oldid=21473429&diffmode=source is the most recent statement from the WMGCs
[17:26:53] <bd808>	 thanks for the update AntiComposite
[19:22:26] <ragesoss>	 How long does it take before a newly-added projectadmin can log in to Horizon?
[19:22:50] <ragesoss>	 I added someone about 15 minutes ago, but he still reports not being able to log in.
[19:32:16] <ragesoss>	 bd808: ^
[19:33:10] <bd808>	 ragesoss: able to login to horizon, or able to ssh to an instance in the project?
[19:33:24] <ragesoss>	 able to log into horizon.
[19:33:28] <ragesoss>	 he is able to ssh into an instance.
[19:33:35] <bd808>	 Horizon should be functionally immediate. ssh will need puppet to run on the instance
[19:33:49] <ragesoss>	 okay, so something else must be wrong?
[19:33:59] <bd808>	 Horizon does require 2FA for the Developer account
[19:34:14] <ragesoss>	 it sounds like he has that set up but I will confirm
[19:36:06] <ragesoss>	 He had said he entered the same creds and 2FA token as on wikitech.wikimedia.org but he gets 'Invalid credentials'
[19:36:29] <wm-bb>	 <chicocvenancio> ragesoss: they should always be able to login to horizon, btw irrespective of project adminship
[19:37:23] <ragesoss>	 chicocvenancio: this made me thing otherwise: https://wikitech.wikimedia.org/wiki/Help:Horizon_FAQ#Accessing_Horizon
[19:43:37] * chicocvenancio remembers accessing Horizon before being projectadmin... 
[19:44:16] <ragesoss>	 he is able to log into wikitech.wikimedia.org with 2FA, but he's still not able to get into horizon.
[19:45:49] <chicocvenancio>	 same username and password?
[19:51:29] <ragesoss>	 yes
[20:54:25] <bd808>	 ragesoss: sorry I wandered away. :( We have had issues in the past with particular usernames and Horizon's auth layer. Most of these have been related to non-ascii characters in the Developer account name and python being goofy. A phab task would be a good next step and then maybe andrewbogott or I can find logs helping to figure out what is busted.
[20:54:49] <ragesoss>	 okay
[20:55:06] <ragesoss>	 there don't appear to be any non-ascii characters in the name.
[20:55:18] <ragesoss>	 I
[20:55:26] <ragesoss>	 I'll Phile it tomorrow.
[20:59:10] <andrewbogott>	 ragesoss: the other thing that /sometimes/ messes up 2fa is if the clock on your phone is a little bit out of sync.  Restarting a phone never hurts.
[20:59:51] <ragesoss>	 andrewbogott: I've hit that before. but would it work differently between wikitech and horizon? because he can log into wikitech fine with 2FA.
[21:01:13] <andrewbogott>	 it could if they have different time limits.  But it shouldn't make much of a difference
[21:01:25] <andrewbogott>	 the 2fa validation is actually done on wikitech for Horizon
[21:01:29] <andrewbogott>	 so it should really behave the same
[21:01:44] <andrewbogott>	 It's also possible that one or the other site accepts shell name instead of wiki name, or the other way around
[21:01:59] <andrewbogott>	 Or there's some difference in case sensitivity (I'm just guessing now)
[21:02:17] <ragesoss>	 he tried all variants he could think of between his shell name and wikitech username.
[21:02:53] <ragesoss>	 we can just work with me setting up the new instances, but we've got no obvious clues as to why login isn't working for him.
[21:06:06] <andrewbogott>	 what username should I be looking for in the logs?
[21:06:23] <andrewbogott>	 (advance warning: the logs are never helpful)
[21:06:31] <ragesoss>	 Nate Berkopec
[21:10:59] <andrewbogott>	 ok, I see exactly one failed login in the logs
[21:11:03] <andrewbogott>	 with no additional info
[21:15:15] <mutante>	 I can login on Horizon and use it normal, but when I click on "Identity" -> "Roles" I get logged out 
[21:16:23] <andrewbogott>	 mutante: I'd welcome a phab task about that, but in the meantime "don't do that then" :)
[21:16:35] <mutante>	 clicking some other things either works or tells me I am not authorized. just this one does an actual log out
[21:17:27] <mutante>	 sure, won't do it then
[21:22:06] <andrewbogott>	 mutante: it used to be that basically anytime you hit an unauthorized UI Horizon would bounce you and make you re-login.  I guess they haven't fixed that one yet...
[21:22:42] <andrewbogott>	 I'll make a note for when I feel like working on more upstream things (although right now my other auth/policy upstream fixes are getting ignored)
[21:22:46] <mutante>	 andrewbogott: if it's supposed to be unauthorized, yea, ACK
[21:23:01] <mutante>	 expected it to just show me my own roles I guess
[21:24:41] <mutante>	 dont worry about it then, was just trying to check if there was a difference for me using different capitalization and stuff
[21:24:45] <andrewbogott>	 it's for managing roles, although it should really have a read-only mode for non-admins
[21:25:01] <mutante>	 gotcha, thanks
[21:25:11] <andrewbogott>	 Typically Horizon's approach to non-admins is to not know that there's such a thing as a non-admin :(
[23:17:55] <wm-bot>	 !log tools.bridgebot <bd808> Restarting to add libera.chat bridge for #wikimedia-cloud
[23:17:57] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.bridgebot/SAL
[23:22:13] <wm-bb>	 <bd808> test from libera network
[23:22:22] <bd808>	 ack from freenode
[23:24:30] <wm-bb>	 <MacFan4000> why is there a _ in the nick?
[23:26:25] <wm-bot>	 !log tools.bridgebot <bd808> Restart to add libera to #wmhack bridge
[23:26:27] <stashbot>	 Logged the message at https://wikitech.wikimedia.org/wiki/Nova_Resource:Tools.bridgebot/SAL
[23:27:26] <wm-bb>	 <bd808> MacFan4000: because I forgot to disconnect from the client I was using to setup it's account. And the sfotware that bot uses is not awesome at nick recovery.
[23:29:02] <chicocvenancio>	 bd808: this might be confusing on telegram https://usercontent.irccloud-cdn.com/file/j1vWV7d6/image.png
[23:29:18] <chicocvenancio>	 https://t.me/wmcloudirc/22492
[23:30:22] <bd808>	 chicocvenancio: It shows that the message came from outside telegram. On the other ends its the same. I dropped the remote id from the forwarded nick a while ago.
[23:30:59] <chicocvenancio>	 yeah, but when its a single source outside telegram we can be sure where its coming from
[23:31:29] <bd808>	 its been multi source for at least 6 months :)
[23:31:48] <chicocvenancio>	 it has? what are the other sources?
[23:32:18] <bd808>	 freenode<->telegram<->chat.wmcloud.org<->libera
[23:33:10] <bd808>	 I'd like to add a link into zulip too, and possibly discord
[23:33:10] <wm-bb>	 <AntiComposite> it's just that no one uses chat.wmcloud.org
[23:35:54] <chicocvenancio>	 my concern is impersonation attempts are less visible, but its probably not frequent enough that we should care
[23:36:28] <bd808>	 chicocvenancio: I'm totally willing to hear arguments about what would be "better". with the bot in the middle I'm not sure that we have identity verification anyway
[23:37:39] <bd808>	 there is a sketchy scripting language that I can use to do fancy things with the nick prefix as messages cross the bridges
[23:37:50] <wm-bb>	 <MacFan4000> It’s unclear how to register on chat.wmcloud.org
[23:37:59] <wm-bb>	 <MacFan4000> Doesn’t look like you can
[23:38:04] <wm-bb>	 <AntiComposite> you have to be invited
[23:38:09] <MacFan4000>	 Ah
[23:38:22] <wm-bb>	 <AntiComposite> I can invite you if you want
[23:38:35] <wm-bb>	 <MacFan4000> Nah it’s fine
[23:39:40] <bd808>	 some info at https://diff.wikimedia.org/2020/09/18/introducing-wikimedia-chat/
[23:39:53] <bd808>	 but it sounds like registration got closed to invite only?
[23:40:12] <wm-bb>	 <AntiComposite> yeah, without any real documentaion of that anywhere
[23:41:20] <bd808>	 To be fair to Amir1, the WMCS team gave him a lot of scary advice about running an open chat server
[23:42:15] <bd808>	 maybe somebody can figure out how to add-on OAuth for account creation during the hackathon :)
[23:42:55] <wm-bb>	 <AntiComposite> Warning: Mattermost is written in Golang
[23:43:31] <bd808>	 AntiComposite: doesn't stackoverflow cover that language? ;)
[23:44:06] * bd808 programs by web search a lot of the time
[23:53:36] <wm-bb>	 <hare> golang is good actually ;)