[00:00:15] <MaxSem>	 LD time, I'd like to deploy first
[00:01:46] <icinga-wm>	 PROBLEM - gitblit.wikimedia.org on antimony is CRITICAL: HTTP CRITICAL: HTTP/1.1 500 Server Error - 1703 bytes in 7.627 second response time  
[00:05:45] <logmsgbot>	 !log reedy Finished scap: no op scap is no op? (duration: 39m 23s)
[00:05:53] <morebots>	 Logged the message, Master
[00:06:25] <grrrit-wm>	 (03CR) 10Hashar: "Pinged ops list to find out whether someone is available on monday morning :]" [operations/puppet] - 10https://gerrit.wikimedia.org/r/111917 (owner: 10BryanDavis)
[00:07:04] <logmsgbot>	 !log maxsem synchronized php-1.23wmf15/extensions/MobileFrontend  'https://gerrit.wikimedia.org/r/114644'
[00:07:12] <morebots>	 Logged the message, Master
[00:08:22] <Reedy>	 GOD DAMN IT
[00:09:24] <greg-g>	 :)
[00:09:46] <icinga-wm>	 RECOVERY - gitblit.wikimedia.org on antimony is OK: HTTP OK: HTTP/1.1 200 OK - 474404 bytes in 8.214 second response time  
[00:10:13] <ebernhardson>	 greg-g: can we get into the LD today?  we have one patch for 14 and 15 which fixes an issue where sometimes less than the requested number of items are returned in RecentChanges
[00:10:15] <logmsgbot>	 !log maxsem synchronized php-1.23wmf14/includes/api/ApiCreateAccount.php
[00:10:22] <morebots>	 Logged the message, Master
[00:10:24] <grrrit-wm>	 (03PS1) 10Reedy: Tampa is silly and should go away [operations/puppet] - 10https://gerrit.wikimedia.org/r/114664 
[00:10:48] <Jasper_Deng>	 didn't ptmpa go away long ago?
[00:11:06] <Reedy>	 No
[00:11:10] <Reedy>	 It's still breathing
[00:11:16] <ebernhardson>	 its as gone as wikitext :P
[00:11:19] <greg-g>	 ebernhardson: yeah, after MaxSem is done
[00:11:23] <ebernhardson>	 greg-g: excellent, thanks
[00:11:29] <MaxSem>	 didn't get enough kicking in the kidneys
[00:11:40] <grrrit-wm>	 (03CR) 10Reedy: [C: 031] Remove old Tampa srv* and mw* apaches from dsh groups [operations/puppet] - 10https://gerrit.wikimedia.org/r/108070 (owner: 10Chad)
[00:11:54] <grrrit-wm>	 (03Abandoned) 10Reedy: Tampa is silly and should go away [operations/puppet] - 10https://gerrit.wikimedia.org/r/114664 (owner: 10Reedy)
[00:12:14] <logmsgbot>	 !log maxsem synchronized php-1.23wmf14/extensions/ConfirmEdit/
[00:12:21] <MaxSem>	 greg-g, I'm done
[00:12:22] <morebots>	 Logged the message, Master
[00:12:28] <^d>	 Reedy: I think the people in Tampa might take issue with your commit summary.
[00:12:29] <greg-g>	 MaxSem: tested?
[00:12:34] <^d>	 If you're just taking out all of Tampa as a city :p
[00:13:38] <MaxSem>	 greg-g, https://en.wikipedia.org/wiki/Special:ApiSandbox#action=paraminfo&format=json&modules=createaccount
[00:15:16] <grrrit-wm>	 (03CR) 10Reedy: "The whole scap process includes the time taken to sync to tampa." [operations/puppet] - 10https://gerrit.wikimedia.org/r/108070 (owner: 10Chad)
[00:15:56] <greg-g>	 ebernhardson: go forth
[00:17:40] <Krinkle>	 !log Reloading zuul to deploy I37ce89455724ed15
[00:17:48] <morebots>	 Logged the message, Master
[00:23:08] <logmsgbot>	 !log ebernhardson synchronized php-1.23wmf14/extensions/Flow/
[00:23:16] <morebots>	 Logged the message, Master
[00:24:15] <greg-g>	 gotta run
[00:25:32] <logmsgbot>	 !log ebernhardson synchronized php-1.23wmf15/extensions/Flow/
[00:25:40] <morebots>	 Logged the message, Master
[00:26:43] <grrrit-wm>	 (03PS1) 10coren: Revert "Reenable redis for keystone in eqiad" [operations/puppet] - 10https://gerrit.wikimedia.org/r/114670 
[00:26:49] <grrrit-wm>	 (03PS2) 10coren: Revert "Reenable redis for keystone in eqiad" [operations/puppet] - 10https://gerrit.wikimedia.org/r/114670 
[00:27:58] <ebernhardson>	 during that last sync-dir new error i've never seen from sync-dir before:
[00:28:02] <ebernhardson>	 snapshot3: rsync: mkdir "/usr/local/apache/common-local/php-1.23wmf15/extensions/Flow" failed: No such file or directory (2)
[00:28:10] <ebernhardson>	 reoeated for snapshot{1,2,3,4}
[00:28:15] <grrrit-wm>	 (03CR) 10coren: [C: 032] "Revert." [operations/puppet] - 10https://gerrit.wikimedia.org/r/114670 (owner: 10coren)
[00:28:39] <ebernhardson>	 and : snapshot3: rsync error: error in file IO (code 11) at main.c(595) [Receiver=3.0.7]
[00:28:49] <Reedy>	 ignore those
[00:28:56] <ebernhardson>	 ok, excellent
[00:36:17] <ebernhardson>	 (all done, btw)
[00:36:38] <grrrit-wm>	 (03CR) 10Chad: [C: 031] "Everything Reedy said. Plus I'll expand on the "falling back trivially" bit." [operations/puppet] - 10https://gerrit.wikimedia.org/r/108070 (owner: 10Chad)
[09:51:08] <ori>	 i'm going to be very naughty and sync a trivial js fix
[09:51:17] <ori>	 don't tell anyone
[09:53:19] <logmsgbot>	 !log ori synchronized php-1.23wmf14/extensions/MultimediaViewer/resources/mmv/mmv.performance.js  'I41b6e975353: Backport fix for stats.bandwidth == Infinity'
[09:53:26] <ori>	 se4598: just saw your ping from earlier; i'll look now
[09:53:27] <morebots>	 Logged the message, Master
[10:04:35] <grrrit-wm>	 (03PS1) 10Ori.livneh: Set $wmfExtendedVersionNumber = $wmfVersionNumber [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114718 
[10:04:49] <grrrit-wm>	 (03CR) 10Ori.livneh: [C: 032] Set $wmfExtendedVersionNumber = $wmfVersionNumber [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114718 (owner: 10Ori.livneh)
[10:05:05] <grrrit-wm>	 (03Merged) 10jenkins-bot: Set $wmfExtendedVersionNumber = $wmfVersionNumber [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114718 (owner: 10Ori.livneh)
[10:05:35] <logmsgbot>	 !log ori updated /a/common to {{Gerrit|I10170d77c}}: Set $wmfExtendedVersionNumber = $wmfVersionNumber
[10:05:42] <morebots>	 Logged the message, Master
[10:06:40] <ori>	 se4598: fixed; sorry about that
[10:06:53] <se4598>	 thanks
[10:07:02] <grrrit-wm>	 (03PS1) 10Yuvipanda: Add GlobalCssJs extension to betalabs [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114719 
[10:07:14] <yuvipanda>	 legoktm: Gloria ^
[10:57:36] <grrrit-wm>	 (03PS1) 10Alexandros Kosiaris: Add asw-d-eqiad to rancid [operations/puppet] - 10https://gerrit.wikimedia.org/r/114724 
[11:06:39] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: [C: 032] Add asw-d-eqiad to rancid [operations/puppet] - 10https://gerrit.wikimedia.org/r/114724 (owner: 10Alexandros Kosiaris)
[11:11:55] <grrrit-wm>	 (03PS1) 10Alexandros Kosiaris: Add asw-d-eqiad to torrus [operations/puppet] - 10https://gerrit.wikimedia.org/r/114727 
[11:13:29] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: [C: 032] Add asw-d-eqiad to torrus [operations/puppet] - 10https://gerrit.wikimedia.org/r/114727 (owner: 10Alexandros Kosiaris)
[12:03:51] <grrrit-wm>	 (03PS1) 10Tim Landscheidt: Fix indentation in role::labs::instance [operations/puppet] - 10https://gerrit.wikimedia.org/r/114734 
[12:24:12] <grrrit-wm>	 (03PS1) 10Alexandros Kosiaris: Populate network.pp with eqiad row D networks [operations/puppet] - 10https://gerrit.wikimedia.org/r/114735 
[12:26:24] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: "I took the liberty of allocating networks for Row D @eqiad. I have not proceded with any changes to the equipment yet. Please verify or re" [operations/puppet] - 10https://gerrit.wikimedia.org/r/114735 (owner: 10Alexandros Kosiaris)
[12:42:06] * mark  checks that :)

[12:43:27] <mark>	 akosiaris: you just used the eqiad labs prefix
[12:55:21] <grrrit-wm>	 (03CR) 10Mark Bergsma: [C: 04-2] "That's the eqiad labs floating IP prefix..." [operations/puppet] - 10https://gerrit.wikimedia.org/r/114735 (owner: 10Alexandros Kosiaris)
[12:57:19] <akosiaris>	 :-(
[13:01:19] <mark>	 eqiad ip space is pretty full
[13:01:29] <mark>	 seems like a /27 is the best we can do until we move some stuff around
[13:02:03] <akosiaris>	 do we document the IP space somewhere ? 
[13:02:16] <mark>	 in dns
[13:02:21] <akosiaris>	 ahaha
[13:02:21] <mark>	 and in private outlines
[13:02:34] <grrrit-wm>	 (03PS1) 10Tim Landscheidt: Fix paths in comments after modularization [operations/puppet] - 10https://gerrit.wikimedia.org/r/114736 
[13:02:48] <akosiaris>	 hmm I consulted observium before picking those. Seems like it is not enough
[13:02:50] <mark>	 ?
[13:02:54] <grrrit-wm>	 (03PS1) 10Mark Bergsma: Allocate /27 for public1-d-eqiad [operations/dns] - 10https://gerrit.wikimedia.org/r/114738 
[13:02:58] <mark>	 dns is pretty authoritative
[13:03:15] <akosiaris>	 yeah but too verbose as well
[13:03:50] <mark>	 i have always used an outliner for planning this hierarchically
[13:03:53] <mark>	 but it doesn't distribute well
[13:04:16] <mark>	 wiki tables are not great either
[13:04:30] <mark>	 but installing specialized software is a bit overkill too
[13:04:37] <akosiaris>	 like an IPAM ?
[13:04:42] <mark>	 yes
[13:05:15] <mark>	 there isn't a ton of ip space to manage ;)
[13:06:48] <grrrit-wm>	 (03PS1) 10Tim Landscheidt: Fix manage-keys-nfs misnomer in usage message [operations/puppet] - 10https://gerrit.wikimedia.org/r/114739 
[13:06:48] <akosiaris>	 observium says 208.80.155.65/26	Subnet sandbox1-b-eqiad, DNS says 208.80.155.64/28 Sandbox1-b-eqiad subnet
[13:06:55] <akosiaris>	 something is amiss here
[13:07:01] <mark>	 better check the routers
[13:07:11] <mark>	 if we're really using a /26 for sandbox, we're going to change that right now :)
[13:08:17] <akosiaris>	 seems like we do
[13:08:47] <grrrit-wm>	 (03PS1) 10Tim Landscheidt: ldap: Fix typo in usage messages [operations/puppet] - 10https://gerrit.wikimedia.org/r/114740 
[13:09:06] <mark>	 fcs
[13:09:21] <mark>	 ok
[13:09:25] <mark>	 can you just change that on the routers
[13:09:32] <mark>	 then ask the freenode people to adjust their one server later?
[13:09:36] <mark>	 it shouldn't harm much
[13:10:14] <akosiaris>	 ok, doing it now then
[13:10:29] <mark>	 perhaps even /29 is
[13:10:30] <mark>	 but yeah
[13:12:54] <akosiaris>	 ;208.80.155.64/26 Sandbox subnet
[13:12:54] <akosiaris>	 ;208.80.155.64/28 Sandbox1-b-eqiad subnet
[13:13:10] <akosiaris>	 seems like the idea was to have a big one and split it up ?
[13:13:14] <akosiaris>	 overkill though
[13:16:44] <paravoid>	 maybe they idea was sandbox subnets across DCs
[13:18:43] <mark>	 i think the idea was sandbox subnets for multiple rows
[13:18:53] <mark>	 but we don't have the ip space for that, we wouldn't do that
[13:29:03] <akosiaris>	 !log just resized 208.80.155.64/26 to 208.80.155.64/28. This is Sandbox1-b-eqiad subnet. dickson.freenode.net needs to have it's netmask changed. I will talk with coren, mutante
[13:29:12] <morebots>	 Logged the message, Master
[13:31:53] <mark>	 they need to do ip changes anyway
[13:31:58] <mark>	 for using the extra service ip
[13:33:15] <akosiaris>	 the extra service ip will be on the same /28 or another one ?
[13:33:38] <akosiaris>	 i just mailed coren, mutante about it. I also mentioned the extra service ip as well
[13:34:54] <mark>	 within the same /28
[13:35:01] <mark>	 they indicated that they wanted to keep the irc address the current one
[13:35:05] <akosiaris>	 mark: the v6s and the private on https://gerrit.wikimedia.org/r/#/c/114735/1/manifests/network.pp were ok ? Can I just amend it the public IPv4  with 208.80.155.96/27?
[13:35:06] <mark>	 and move the "system ip" to a new ip
[13:35:33] <mark>	 hmm
[13:35:58] <grrrit-wm>	 (03CR) 10Mark Bergsma: Populate network.pp with eqiad row D networks (031 comment) [operations/puppet] - 10https://gerrit.wikimedia.org/r/114735 (owner: 10Alexandros Kosiaris)
[13:35:59] <akosiaris>	 I am not sure what this will save them from. It will be the same ethernet interface that will be saturated on the next attack
[13:36:17] <mark>	 it's easier for us to filter that
[13:36:31] <mark>	 we can easily filter almost all traffic to the irc ip
[13:36:40] <mark>	 without blocking their own access and stuff
[13:37:27] * Coren  wakes.

[13:37:51] <Coren>	 mark: Exactly.  You cal literally block absolutely everything but the irc ports on the irc IP
[13:38:04] <akosiaris>	 yeah true. Still we will be a choke point but it is an improvement
[13:39:32] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: "Subnet analytics1-a-eqiad" (031 comment) [operations/puppet] - 10https://gerrit.wikimedia.org/r/114735 (owner: 10Alexandros Kosiaris)
[13:41:56] <mark>	 sure
[13:42:32] <mark>	 akosiaris: sigh. alright. then it's fine :)
[13:44:20] <grrrit-wm>	 (03PS2) 10Alexandros Kosiaris: Populate network.pp with eqiad row D networks [operations/puppet] - 10https://gerrit.wikimedia.org/r/114735 
[13:54:32] <grrrit-wm>	 (03CR) 10Alexandros Kosiaris: [C: 032] Populate network.pp with eqiad row D networks [operations/puppet] - 10https://gerrit.wikimedia.org/r/114735 (owner: 10Alexandros Kosiaris)
[13:55:09] <akosiaris>	 hmmm a patch with a +2 and a -2 ... gerrit seems to want some massaging to allow me to merge this
[14:01:18] <mark>	 just remove my -2?
[14:06:09] <akosiaris>	 yeah it worked :-)
[14:27:46] <icinga-wm>	 PROBLEM - Varnish HTCP daemon on cp1067 is CRITICAL: CHECK_NRPE: Socket timeout after 10 seconds.  
[14:27:46] <icinga-wm>	 PROBLEM - Varnish HTTP text-backend on cp1067 is CRITICAL: CRITICAL - Socket timeout after 10 seconds  
[14:27:56] <icinga-wm>	 PROBLEM - Varnish traffic logger on cp1067 is CRITICAL: CHECK_NRPE: Socket timeout after 10 seconds.  
[14:28:56] <icinga-wm>	 RECOVERY - Varnish traffic logger on cp1067 is OK: PROCS OK: 2 processes with command name varnishncsa  
[14:29:37] <icinga-wm>	 RECOVERY - Varnish HTCP daemon on cp1067 is OK: PROCS OK: 1 process with UID = 111 (vhtcpd), args vhtcpd  
[14:29:37] <icinga-wm>	 RECOVERY - Varnish HTTP text-backend on cp1067 is OK: HTTP OK: HTTP/1.1 200 OK - 188 bytes in 0.001 second response time  
[14:44:12] <andrewbogott>	 mark -- the other day we talked about allowing labs<->labs communication… is that still something that might be possible?
[14:58:16] <mark>	 andrewbogott: yes, on my task list
[14:58:31] <andrewbogott>	 good enough for me :)
[15:00:15] <grrrit-wm>	 (03CR) 10Ottomata: "It will! This will be a git-submodule at that place in the ops/puppet repo." [operations/puppet/kafkatee] - 10https://gerrit.wikimedia.org/r/110650 (owner: 10Ottomata)
[15:10:06] <icinga-wm>	 PROBLEM - Host virt1002 is DOWN: PING CRITICAL - Packet loss = 100%  
[15:14:37] <icinga-wm>	 RECOVERY - Host virt1002 is UP: PING OK - Packet loss = 0%, RTA = 0.65 ms  
[15:30:16] <Jeff_Green>	 !log dist-upgrade and reboot boron
[15:30:23] <morebots>	 Logged the message, Master
[15:37:52] <Jeff_Green>	 garg. that didn't go well...
[16:21:25] <hoo>	 http://lists.wikimedia.org/pipermail/wikimedia-l/ gives 403...
[17:07:13] <odder>	 uuups
[17:18:03] <grrrit-wm>	 (03PS1) 10Ryan Lane: Use the Token keystone redis driver rather than the TokenNoList driver [operations/puppet] - 10https://gerrit.wikimedia.org/r/114756 
[17:19:18] <grrrit-wm>	 (03PS1) 10Ryan Lane: Revert "Revert "Reenable redis for keystone in eqiad"" [operations/puppet] - 10https://gerrit.wikimedia.org/r/114757 
[17:20:45] <grrrit-wm>	 (03CR) 10Ryan Lane: [C: 032] Use the Token keystone redis driver rather than the TokenNoList driver [operations/puppet] - 10https://gerrit.wikimedia.org/r/114756 (owner: 10Ryan Lane)
[17:22:07] <grrrit-wm>	 (03CR) 10Ryan Lane: [C: 032] Revert "Revert "Reenable redis for keystone in eqiad"" [operations/puppet] - 10https://gerrit.wikimedia.org/r/114757 (owner: 10Ryan Lane)
[17:26:16] <icinga-wm>	 RECOVERY - Puppet freshness on dysprosium is OK: puppet ran at Fri Feb 21 17:26:13 UTC 2014  
[17:28:46] <icinga-wm>	 RECOVERY - Varnish HTTP text-backend on cp1054 is OK: HTTP OK: HTTP/1.1 200 OK - 189 bytes in 0.011 second response time  
[17:31:38] <icinga-wm>	 PROBLEM - HTTP 5xx req/min on tungsten is CRITICAL: CRITICAL: reqstats.5xx [crit=500.000000  
[17:31:46] <icinga-wm>	 PROBLEM - Varnish HTTP text-backend on cp1054 is CRITICAL: Connection refused  
[17:31:56] <paravoid>	 bblack: ^ it died again
[17:32:29] <bblack>	 magical anti-varnish fairies at work?
[17:32:45] <bblack>	 Feb 21 17:28:54 cp1054 varnishd[9281]: Child (15891) Panic message: Assert error in BAN_RefBan(), cache_ban.c line 481:#012  Condition(t1 == t0) not true.#012thread = (persistence)#012ident = Linux,3.2.0-48-generic,x86_64,-spersistent,-spersistent,-spersistent,-spersistent,-smalloc,-hcritbit,epoll#012Backtrace:#012  0x4337b5: /usr/sbin/varnishd() [0x4337b5]#012  0x416446: /usr/sbin/varnishd(BAN_RefBan+0x96) [0x416446]#012  0x4545bf: /usr/
[17:32:54] <bblack>	 actually, looks like probably a corrupt persistent store
[17:34:32] <paravoid>	 ottomata: an1021 has a Kafka Broker Messages In CRITICAL alert
[17:34:59] <paravoid>	 (in case it wasn't obvious by me pinging people, I just opened Icinga's unhandled problems page :)
[17:36:26] <ottomata>	 oo hmm thanks
[17:37:04] <ottomata>	 hm!
[17:37:09] <ottomata>	 an22 is the leader for all topics
[17:37:10] <ottomata>	 WHY!?
[17:39:21] <paravoid>	 manybubbles: hello
[17:40:19] <bblack>	 ottomata: btw, I did finish auditing the rdkafka code, but I didn't turn up anything substantial.  One one-liner bugfix to an assert(), basically.  There was lots of sloppy linenoise that made static analysis confusing, but once you get through that, most of the warnings didn't amount to real, actionable runtime bugs.
[17:41:17] <bblack>	 (that's not to say it's bug-free, but it certainly survives substantial analysis at the source level :) )
[17:41:27] <paravoid>	 bblack: if the cache is corrupted, then let's just rm it
[17:41:27] <ottomata>	 aye ok, thanks bblack
[17:41:29] <ottomata>	 much appreciated
[17:41:56] <bblack>	 paravoid: I am, but XFS and/or varnish is being retarded - the varnish proc is stuck and XFS is very very very slowly deallocating space for the old files, etc
[17:42:02] <bblack>	 I may just have to reboot + cleanup
[17:42:15] <paravoid>	 oh, right, we've seen this before
[17:42:33] <paravoid>	 last time I think we just mkfs'ed it again :)
[17:42:59] <bblack>	 well right now I can't even unmount, because the varnish proc is holding open the FS and can't be killed :P
[17:43:06] <mark>	 nice
[17:43:28] <paravoid>	 haha
[17:43:33] <paravoid>	 nice
[17:43:40] <paravoid>	 btw, maybe upgrade to 3.0.5 while we're at it?
[17:43:40] <bblack>	 on the other hand, it's about 25% done deallocating, letting it run might be less trouble than the reboot
[17:44:06] <bblack>	 paravoid: yeah, I started that two days ago late at night and hit some snags (5xx spikes), and aborted and downgraded the ones I had already hit
[17:44:18] <paravoid>	 ooops
[17:44:20] <bblack>	 it's quite possible the cp1054 thing was related and the upgrades would've otherwise been fine
[17:44:45] <bblack>	 perhaps the corruption happened during the stop->upgrade->start
[17:44:56] <bblack>	 anyways, I'll retry again after sorting these out
[17:46:10] <bblack>	 re: cp4009, ever seen this before?
[17:46:13] <bblack>	 ERROR: Timeout while waiting for server to perform requested power action.
[17:46:17] <paravoid>	 lol
[17:46:21] <bblack>	 ^ does that on racadam powercycle and racadm hardreset
[17:46:22] <paravoid>	 I just saw that with another box
[17:46:28] <paravoid>	 like literally a few minutes ago
[17:47:04] * bblack  tries racadm serveraction pull-plug-and-kick-machine

[17:47:12] <greg-g>	 packages used in deployment discussion going on in -office :)
[17:51:37] <icinga-wm>	 RECOVERY - NTP on bast4001 is OK: NTP OK: Offset 0.00358748436 secs  
[17:59:20] <grrrit-wm>	 (03CR) 10PleaseStand: Fix CDB file generation (031 comment) [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114686 (owner: 10Ori.livneh)
[18:00:40] <grrrit-wm>	 (03CR) 10PleaseStand: Swiched from using dat to json files for wikiversions (031 comment) [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114687 (owner: 10Reedy)
[18:11:46] <icinga-wm>	 RECOVERY - Varnish HTTP text-backend on cp1054 is OK: HTTP OK: HTTP/1.1 200 OK - 189 bytes in 0.007 second response time  
[18:12:30] <bblack>	 paravoid: re: racadm power issues - the crux in my case seems to be "Description: The system board fail-safe voltage is outside of range.
[18:12:36] <bblack>	 " in the SEL
[18:12:44] <paravoid>	 oops
[18:12:53] <paravoid>	 RT ticket under the ulsfo queue
[18:13:10] <bblack>	 some dell manuals recommend either pulling the hard AC power from the machine for 10s, or clearing the SEL (as if the presence of the SEL entry might persistently prevent it from powering up)
[18:13:16] <paravoid>	 lol
[18:13:22] <bblack>	 I tried racadm racreset [hard], no avail
[18:13:31] <paravoid>	 yeah I did the same with ms-be1005
[18:13:39] <paravoid>	 with the same result
[18:13:43] <bblack>	 tried clrsel -> racreset as well, and it regenerates the voltage message after racreset hard - so the condition persists
[18:14:01] <paravoid>	 what's the command to read the SEL?
[18:14:06] <bblack>	 racadm getsel
[18:14:12] <paravoid>	 heh
[18:14:59] <bblack>	 so either (a) after a glitchy power fail event, RAC can suck and need a true "pull the power plug" to reset something, or (b) the power is still borked somehow on these machines (PS damage?)
[18:15:57] <bblack>	 either way, I'm guessing site visit required
[18:16:08] <paravoid>	 huh, no I can't access ms-be1005's mgmt at all
[18:16:37] <paravoid>	 oh now I got in
[18:16:37] <paravoid>	 Severity:    Critical
[18:16:37] <paravoid>	 Description: CPU 1 has a thermal trip (over-temperature) event.
[18:16:41] <paravoid>	 fun
[18:17:35] <bblack>	 it sounds like, at least in some cases, critical events in the SEL prevent powerup, and "racadm clrsel" (+ maybe racadm racreset?) might allow it to try again....
[18:17:41] <bblack>	 but then, you lose the SEL for history :P
[18:19:12] <bblack>	 !log cp1054 healthy now, rebuilding persistent cache from scratch there...
[18:19:20] <morebots>	 Logged the message, Master
[18:19:35] <paravoid>	 bblack: RT ticket under ulsfo
[18:19:46] <bblack>	 working on it! :)
[18:19:55] <paravoid>	 and the magical DC fairy will fix it
[18:19:55] <paravoid>	 :P
[18:19:57] <mark>	 isn't this cp1054, so eqiad?
[18:20:08] <paravoid>	 different box
[18:20:12] <mark>	 ok
[18:20:16] <paravoid>	 two issues at once :)
[18:20:29] <paravoid>	 the other one is cp4009
[18:20:33] <paravoid>	 down since the power outage
[18:23:16] <bblack>	 https://rt.wikimedia.org/Ticket/Display.html?id=6890
[18:24:49] <manybubbles>	 paravoid: you pinged?  sorry, I was out and didn't |away myself
[18:24:55] <ottomata>	 !log initiating kafka preferred replica election to rebalance partition leaders
[18:24:57] <paravoid>	 I did
[18:25:02] <morebots>	 Logged the message, Master
[18:25:04] <paravoid>	 got a sec?
[18:26:46] <icinga-wm>	 RECOVERY - Kafka Broker Messages In on analytics1021 is OK: kafka.server.BrokerTopicMetrics.AllTopicsMessagesInPerSec.FifteenMinuteRate OKAY: 1868.80318074  
[18:27:58] <paravoid>	 manybubbles: my question was, IIRC way before we even installed ElasticSearch, there was the stated goal of using it for TTM too; is this still the plan? if so, is there any progress or roadmap for it?
[18:28:26] <manybubbles>	 paravoid: TTM is translation memory?
[18:28:29] <paravoid>	 yes
[18:28:47] <manybubbles>	 yeah, that is the goal but it is something I imagined I'd help with rather then implement myself
[18:29:00] <manybubbles>	 no progress, so far as I know
[18:29:19] <Nemo_bis>	 manybubbles: I was just about to reply to your email, which I didn't understand much
[18:29:33] <Nemo_bis>	 https://www.mediawiki.org/wiki/Mentorship_programs/Possible_projects#One_stop_translation_search
[18:30:09] <Nemo_bis>	 This project is also about superseding solr, but Nikerabbit would take that part out unless there is you or Chad co-mentoring
[18:30:24] <grrrit-wm>	 (03PS1) 10Brion VIBBER: Revert low-res .ogv transcode enable; player is picking too-small version by default [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114761 
[18:31:11] <grrrit-wm>	 (03PS2) 10Brion VIBBER: Revert low-res .ogv transcode enable; player is picking too-small version by default [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114761 
[18:31:30] <brion>	 at least we know they recode fast :D
[18:32:36] <manybubbles>	 Nemo_bis: my email?   I'm not sure which one.
[18:32:43] <paravoid>	 brion: this is temporary though, right?
[18:32:50] <paravoid>	 in the sense that you'll reenable them?
[18:32:50] <manybubbles>	 also, I added myself as a co-mentor for the elasticsearch stuff
[18:32:55] <brion>	 paravoid: that's the plan yeah
[18:32:58] <brion>	 it shouldn't remove the existing ones
[18:33:04] <paravoid>	 what I'm asking is whether we need to clean up the store or not
[18:33:16] <brion>	 no leave them there and they'll get picked up again later
[18:33:19] <brion>	 once we resolve the player issue
[18:33:21] <paravoid>	 okay
[18:34:03] <Nemo_bis>	 manybubbles: great! I meant your email on Date: Tue, 11 Feb 2014 08:24:22 -0500
[18:34:09] <Nikerabbit>	 hmm
[18:34:31] <paravoid>	 manybubbles: so, I'm thinking of mailing Nikerabbit & you to move this forward (hopefully with subsequent comm in a public medium), unless you have a better idea?
[18:34:39] <paravoid>	 basically the reason I'm pinging you now about this is
[18:34:47] <paravoid>	 Solr 
[18:34:48] <paravoid>	 CRITICAL
[18:34:53] <paravoid>	 Average request time is 1166.436 (gt 1000) 
[18:35:10] <paravoid>	 if avg req time is 1.1s, might just as well replace the damn thing :)
[18:35:13] <manybubbles>	 Nemo_bis: oh yeah, that one.  I can describe in a bit
[18:35:21] <manybubbles>	 paravoid: huh
[18:35:37] <manybubbles>	 well, I mean, we should replace it but we don't have code for that
[18:35:40] <paravoid>	 40 days and counting, noone really cares about this service apparently
[18:35:53] <bd808>	 !log Forced update of /svr/scap to 6203585 across cluster
[18:36:01] <morebots>	 Logged the message, Master
[18:36:09] <paravoid>	 bd808: backdoor and everything?
[18:36:10] <paravoid>	 :P
[18:36:33] <paravoid>	 (kidding)
[18:36:37] <bd808>	 paravoid: I'm saving that for the weekend
[18:36:50] <bd808>	 greg-g: ima gonna no-op scap now unless you changed your mind
[18:36:55] <Nemo_bis>	 paravoid: what do you mean nobody cares? nobody with the power to set an alert has set up one that goes to someone who cares
[18:37:03] <Nemo_bis>	 is my guess
[18:37:16] <Nikerabbit>	 paravoid: so is this average request time for ttmserver solr?
[18:37:23] <paravoid>	 yes
[18:37:28] <manybubbles>	 just the ttm server?
[18:37:35] <paravoid>	 what do you mean?
[18:37:38] <paravoid>	 it's a solr instance
[18:37:58] <Nikerabbit>	 isn't there solr also for geocoordinates or something
[18:38:02] <paravoid>	 different solr
[18:38:25] <paravoid>	 which doesn't have the alert
[18:38:28] <Nemo_bis>	 paravoid: my personal monitoring system tells me the search has somehow worked in the last few months https://toolserver.org/~nemobis/tmp/SearchTranslations.log
[18:38:55] <Nemo_bis>	 last timeout in 2013-05-08 17.10
[18:38:59] <Nikerabbit>	 ttmserver isn't that sensitive to slow queries, as long as it is not affecting anything else running on the server
[18:39:38] <MaxSem>	 so the problem is that ttmserver is building extremely inefficient queries
[18:39:46] <manybubbles>	 paravoid: off topic, but I'm reenabling puppet on elastic1007.  It was disabled when it crashed and I ran it manually when it came back but I never reenabled it.
[18:39:50] <Nikerabbit>	 but yes it is a known issue that it has issues [huh] and if it is causing troubles [is it?] it should be given more priority to address it
[18:39:54] <paravoid>	 manybubbles: ack
[18:40:19] <paravoid>	 if it's not causing troubles, the alert is wrong
[18:40:47] <manybubbles>	 paravoid: I was going to say, if we're sure that the thing is working "ok" then can we bump up the alert time?
[18:40:52] <manybubbles>	 like 10 seconds or something silly?
[18:40:56] <paravoid>	 but moreover, there's an underlying issue that the service isn't well-operated or properly supported/designed (just runs on one server...)
[18:40:57] <logmsgbot>	 !log bd808 Started scap: no-diff scap to test script changes; expect l10n updates
[18:41:04] <morebots>	 Logged the message, Master
[18:41:13] <paravoid>	 if there's a critical alert for 40 days and noone blinks an eye
[18:41:41] <paravoid>	 so it could be that it's entirely our fault, but I doubt we'll ever fix this by caring more
[18:41:48] <Nikerabbit>	 it is unclear who is supposed to be monitoring that
[18:41:55] <paravoid>	 I think we need to fix it to pass it on to our beloved search team ;)
[18:42:04] <paravoid>	 *by passing it on
[18:42:08] <Nikerabbit>	 one of the reasons I wish to move to elasticsearch... less unlikely to go abandoned
[18:42:13] <paravoid>	 yeah exactly
[18:42:15] <Nemo_bis>	 *likely
[18:42:18] <grrrit-wm>	 (03PS1) 10MaxSem: Okay, so TTM wants to do slow queries?:) [operations/puppet] - 10https://gerrit.wikimedia.org/r/114765 
[18:42:31] <manybubbles>	 I'm happy to help with the move.
[18:42:38] <manybubbles>	 I'm not sure beyond that what I should do though
[18:43:27] <paravoid>	 it looks like to me that we're a bit deadlocked
[18:43:31] <paravoid>	 one waiting for the other
[18:43:45] <paravoid>	 Nikerabbit: what do you think should happen to move this forward?
[18:44:06] <Nikerabbit>	 paravoid: well, I haven't really been waiting, it has just been on the table given other priorities
[18:44:09] <grrrit-wm>	 (03CR) 10Nemo bis: "Do we know at what point it gets so slow as to cause timeouts for Special:SearchTranslations? Or are we just throwipng a random number bec" [operations/puppet] - 10https://gerrit.wikimedia.org/r/114765 (owner: 10MaxSem)
[18:45:09] <grrrit-wm>	 (03PS2) 10Faidon Liambotis: Bump TTM's avg req time alert to 5 seconds(!) [operations/puppet] - 10https://gerrit.wikimedia.org/r/114765 (owner: 10MaxSem)
[18:45:11] <Nikerabbit>	 I should likely ask some time to work on this issue and pull some people including manybubbles to replace solarium with elastice and think of ways to make it faster in general
[18:45:37] <grrrit-wm>	 (03CR) 10Faidon Liambotis: [C: 032] Bump TTM's avg req time alert to 5 seconds(!) [operations/puppet] - 10https://gerrit.wikimedia.org/r/114765 (owner: 10MaxSem)
[18:45:46] <paravoid>	 ok
[18:45:51] <paravoid>	 how can I help you with that?
[18:47:05] <paravoid>	 e.g. I can drop an email saying that we (ops) really suck in supporting this setup and we'd rather see it replaced so it can be better supported with the help of the search team
[18:47:14] <grrrit-wm>	 (03PS1) 10BBlack: regularly compact memory on varnish caches [operations/puppet] - 10https://gerrit.wikimedia.org/r/114766 
[18:47:32] <paravoid>	 would that help you with your internal prioritization?
[18:47:41] <manybubbles>	 Nikerabbit: I've blocked some time out on Monday for me to review the translation extension and put together a proposed plan of attack
[18:48:02] <manybubbles>	 I figure we can go from there
[18:48:03] <paravoid>	 Ryan_Lane2: ping
[18:48:16] <Nikerabbit>	 paravoid: yes, I can quote you for that but of course it is good if it comes directly from you
[18:48:28] <paravoid>	 Ryan_Lane2: your redis changeset is not merged, can I merge?
[18:48:29] <grrrit-wm>	 (03PS2) 10BBlack: regularly compact memory on varnish caches [operations/puppet] - 10https://gerrit.wikimedia.org/r/114766 
[18:48:59] <Nikerabbit>	 manybubbles: Monday is not my WMF-day, but I hope to be available if you have quick questions
[18:49:25] <manybubbles>	 Nikerabbit: I'll send something off on Monday.  which days are wmf?
[18:49:43] <logmsgbot>	 !log bd808 scap-1 failed on 4 hosts
[18:49:48] <paravoid>	 Nikerabbit: okay, where should I mail that?
[18:49:48] <Nikerabbit>	 manybubbles: currently Tuesday and Thursday and randomly along the week on other days ;)
[18:49:51] <morebots>	 Logged the message, Master
[18:50:28] <Nikerabbit>	 paravoid: localisation-team@lists.wikimedia.org I think (it's moderated but reaches the whole team)
[18:50:33] <bd808>	 !log The 4 hosts that failed scap-1 were snapshot[1234]; all have old/bad python installs
[18:50:35] <paravoid>	 awesome
[18:50:38] <paravoid>	 manybubbles: I'll Cc you
[18:50:40] <morebots>	 Logged the message, Master
[18:50:49] <paravoid>	 thanks to both
[18:50:54] <paravoid>	 of you ;)
[18:53:59] <Nikerabbit>	 manybubbles: it's my evening on your regular worktimes (like now) so I'm likely to be around
[18:54:28] <logmsgbot>	 !log bd808 scap-rebuild-cdbs failed on 4 hosts
[18:54:36] <logmsgbot>	 !log bd808 Finished scap: no-diff scap to test script changes; expect l10n updates (duration: 13m 38s)
[18:54:36] <morebots>	 Logged the message, Master
[18:54:44] <morebots>	 Logged the message, Master
[18:55:33] <bd808>	 !log The 4 hosts that failed scap-rebuild-cdbs were snapshot[1234]; can we pull them from mediawiki-installation dsh group?
[18:55:41] <morebots>	 Logged the message, Master
[18:56:33] <logmsgbot>	 !log catrope synchronized php-1.23wmf14/extensions/VisualEditor/modules/ve-mw/init/ve.init.mw.Target.js  'touch'
[18:56:37] <icinga-wm>	 PROBLEM - Apache HTTP on mw1047 is CRITICAL: HTTP CRITICAL: HTTP/1.0 500 Internal Server Error - 50376 bytes in 0.023 second response time  
[18:56:40] <morebots>	 Logged the message, Master
[18:56:42] <RoanKattouw>	 bd808: My understanding is they can't be. Talk to apergos for details
[18:56:46] <icinga-wm>	 PROBLEM - Apache HTTP on mw1079 is CRITICAL: HTTP CRITICAL: HTTP/1.0 500 Internal Server Error - 50376 bytes in 0.006 second response time  
[18:56:51] <logmsgbot>	 !log catrope synchronized php-1.23wmf14/extensions/VisualEditor/modules/ve-mw/init/targets/ve.init.mw.ViewPageTarget.js  'touch'
[18:57:03] <morebots>	 Logged the message, Master
[18:57:07] <RoanKattouw>	 bd808: Although if snapshot 10NN did work, then maybe we can; but ask Ariel
[18:57:09] <apergos>	 not yet, I'll get em gone soon though
[18:57:10] <logmsgbot>	 !log catrope synchronized php-1.23wmf15/extensions/VisualEditor/modules/ve-mw/init/ve.init.mw.Target.js  'touch'
[18:57:17] <morebots>	 Logged the message, Master
[18:57:26] <apergos>	 th sn100xs work, there's a few misc jobs I still need to get off
[18:57:32] <logmsgbot>	 !log catrope synchronized php-1.23wmf15/extensions/VisualEditor/modules/ve-mw/init/targets/ve.init.mw.ViewPageTarget.js  'touch'
[18:57:40] <morebots>	 Logged the message, Master
[18:57:50] <RoanKattouw>	 apergos: snapshot1: rsync: change_dir#3 "/usr/local/apache/common-local/php-1.23wmf15/extensions/VisualEditor/modules/ve-mw/init" failed: No such file or directory (2)
[18:57:51] <bd808>	 apergos: The new scap scripts are failing there so snapshot[1234] aren't getting WM updates
[18:58:01] <RoanKattouw>	 Well, maybe that's because they don't have MW directories
[18:58:26] <apergos>	 thy o but maybe not there
[18:58:30] <bd808>	 RoanKattouw: The rsyncs have been failing for them since we changes scap to be python guts
[18:58:34] <RoanKattouw>	 Right
[18:58:45] <RoanKattouw>	 apergos: Is it OK if we stop deploying MW updates to the pmtpa snapshot hosts?
[18:58:54] <apergos>	 well this will just be he motivation I need to get em gone
[18:58:57] <RoanKattouw>	 Or should we fix them to receive those updates?
[18:59:00] <apergos>	 yeah go ahead and nuke em
[18:59:04] <RoanKattouw>	 Alright
[18:59:14] <bd808>	 \o/
[18:59:27] <RoanKattouw>	 bd808: Eradicate snapshot{1..4} from mediawiki-installation then. You may need to touch puppet for that, I forget how this is managed these days
[18:59:44] <RoanKattouw>	 But leave the eqiad snapshot hosts (snapshot1001 and beyond) alone
[19:00:04] <ori>	 files/dsh/group/.. in operations/puppet
[19:00:09] <bd808>	 RoanKattouw: Will do. I'm pretty sure it's a puppet change, but I will submit
[19:00:12] <RoanKattouw>	 Sweet
[19:00:18] <RoanKattouw>	 Thanks ori
[19:00:23] <RoanKattouw>	 Also, cool nick :)
[19:00:24] <grrrit-wm>	 (03CR) 10Faidon Liambotis: [C: 032] regularly compact memory on varnish caches [operations/puppet] - 10https://gerrit.wikimedia.org/r/114766 (owner: 10BBlack)
[19:00:52] <bd808>	 In other news: scap has a progress bar now. Will send an email to ops-l today telling people what to expect.
[19:01:03] <greg-g>	 bd808: my hero
[19:01:42] <mark>	 haha
[19:01:50] <bd808>	 greg-g: ori wrote the hard parts, i just put some lipstick on it
[19:02:11] <greg-g>	 mark: what you missed from the core team channel yesterday:
[19:02:11] <greg-g>	 18:36 <    greg-g> I loooove progress bars, it's what got me into computers
[19:02:15] <greg-g>	 18:36              greg-g wishes he was kidding
[19:02:23] <mark>	 haha
[19:02:28] <ori>	 http://progressquest.com/
[19:02:47] <bd808>	 It looks like: scap-1: 0% (ok: 1; fail: 0; left: 426)
[19:02:48] <mark>	 i do recall programming my first progress bars early in, in my basic programs
[19:02:57] <mark>	 and getting off by one mistakes and all
[19:03:03] <bd808>	 … scap-1: 91% (ok: 386; fail: 4; left: 37)
[19:03:26] <greg-g>	 ori: :) :)
[19:03:36] <greg-g>	 bd808: yeah, that's awesome
[19:03:51] <Nemo_bis>	 does it also have a message "last eqiad/ulsfo host done!"
[19:04:11] <icinga-wm>	 RECOVERY - Solr on zinc is OK: All OK  
[19:04:14] <Nemo_bis>	 or non-pmtpa for short
[19:04:38] <bd808>	 Nope. Little known fact we update hosts in random order during the scap
[19:05:09] <bd808>	 In theory to avoid thundering herd on the rsync slaves
[19:05:11] <Nemo_bis>	 Ah. At some point that had been changed to leave pmtpa last, I guess it didn't work out
[19:05:36] <bd808>	 The file is sorted that way but then shuffled before running the batch
[19:05:44] <grrrit-wm>	 (03PS3) 10BBlack: regularly compact memory on varnish caches [operations/puppet] - 10https://gerrit.wikimedia.org/r/114766 
[19:07:08] <grrrit-wm>	 (03CR) 10BBlack: [C: 032 V: 032] regularly compact memory on varnish caches [operations/puppet] - 10https://gerrit.wikimedia.org/r/114766 (owner: 10BBlack)
[19:10:41] <icinga-wm>	 RECOVERY - HTTP 5xx req/min on tungsten is OK: OK: reqstats.5xx [warn=250.000  
[19:10:45] <grrrit-wm>	 (03PS1) 10BryanDavis: Remove snapshot[1234] from mediawiki-installation dsh group [operations/puppet] - 10https://gerrit.wikimedia.org/r/114768 
[19:11:38] <bd808>	 RoanKattouw, apergos: ^^
[19:12:30] <apergos>	 yup
[19:12:33] <apergos>	 do it
[19:12:47] * bd808  is not a root

[19:13:40] <grrrit-wm>	 (03CR) 10Ori.livneh: [C: 032] Remove snapshot[1234] from mediawiki-installation dsh group [operations/puppet] - 10https://gerrit.wikimedia.org/r/114768 (owner: 10BryanDavis)
[19:14:13] <apergos>	 ah. woops
[19:15:03] <apergos>	 sorry, most of my mind was elsewhere
[19:15:56] <bd808>	 apergos: No worries. Looks like Ori is on it
[19:16:00] <ori>	 try this trick and spin it, yeah
[19:16:07] <apergos>	 yeah, thanks 
[19:16:19] * bd808  thought ori was on vacation today

[19:16:53] <ori>	 heh, i am sick
[19:16:59] <ori>	 but yes
[19:17:05] <paravoid>	 ori? on vacation?
[19:17:06] <paravoid>	 impossible.
[19:17:20] <bd808>	 Apparently
[19:17:20] <ori>	 cold turkey didn't work, going to taper
[19:19:30] <ori>	 mark, paravoid: got time for https://gerrit.wikimedia.org/r/#/c/113900/ ?
[19:22:02] <paravoid>	 it looks okay to me on a first glance (apart from a probably useless "inline" keyword), but maybe bblack could do a proper review and deploy next week?
[19:23:34] <ori>	 speaking of deployment systems, there is definite room in the varnish ecosystem for a VCL deployment tool. the ability to load VCL by string using varnishadm is neat. the tool i envision depools a varnish, pushes vcl with the commit short sha1 as the config name, runs some asserts, repools
[19:26:46] <ori>	 rollback as easy as varnishadm vcl.load I10170d77c
[19:27:05] <ori>	 something like that, anways
[19:27:45] <paravoid>	 we still haven't fixed the issue of automatically depooling/pooling servers; this is a manual process
[19:27:50] <paravoid>	 and for varnish, into multiple places
[19:28:01] <paravoid>	 I have a few ideas, I was hoping to work with one of the three hires we're expecting on that
[19:28:21] <ori>	 would be cool
[19:28:52] <paravoid>	 basically: zookeeper or etcd (hopefully etcd), maybe integrate it with pybal and other stuff
[19:29:14] <ori>	 i should learn zookeeper one day
[19:29:38] <paravoid>	 etcd is prettier, but I'm not sure if it's stable enough yet
[19:30:02] <ori>	 heh. "build: failing"
[19:30:11] <paravoid>	 yeah, for example :)
[19:30:37] <paravoid>	 so pybal right now fetches files over HTTP from noc.wm.org to pool/depool
[19:30:40] <paravoid>	 that we edit using vi
[19:30:45] <paravoid>	 and it just interprets them as python
[19:30:57] <paravoid>	 it would be a simple change to switch to etcd or something like it
[19:43:11] <icinga-wm>	 PROBLEM - Puppet freshness on virt1000 is CRITICAL: Last successful Puppet run was Fri 21 Feb 2014 04:42:42 PM UTC  
[19:55:03] <grrrit-wm>	 (03CR) 10Dzahn: [C: 031] "per matanya's links above. it says it can "probably be removed"" [operations/puppet] - 10https://gerrit.wikimedia.org/r/114136 (owner: 10Matanya)
[19:56:08] <grrrit-wm>	 (03CR) 10Dzahn: [C: 032] "nice URL" [operations/puppet] - 10https://gerrit.wikimedia.org/r/114498 (owner: 10Odder)
[19:57:24] <grrrit-wm>	 (03PS2) 10Dzahn: swift: remove lookupvar and replace with fact @ var [operations/puppet] - 10https://gerrit.wikimedia.org/r/112885 (owner: 10Matanya)
[20:01:22] <grrrit-wm>	 (03CR) 10Legoktm: [C: 04-1] "If this is supposed to mimic the production config, it should be only enabled on CA wikis that aren't loginwiki." [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114719 (owner: 10Yuvipanda)
[20:05:30] <yuvipanda>	 logmsgbot: aren't all wikis CA wikis?
[20:10:53] <legoktm>	 yuvipanda: no... all private + fishbowl wikis aren't
[20:11:00] <yuvipanda>	 legoktm: aah
[20:11:09] <yuvipanda>	 legoktm: hmm, so that's a bit more complicated, I presume. 
[20:11:21] <yuvipanda>	 legoktm: Need to find out if those are on betalabs, and then how to exclude them
[20:12:26] <legoktm>	 yuvipanda: you can do a 'wmgUseGlobalCssJs' => array( 'default' => true, 'private' => false, 'fishbowl' => false, 'loginwiki' => false, ),
[20:12:30] <legoktm>	 that should work
[20:12:39] <yuvipanda>	 legoktm: update patch? :)
[20:14:32] <legoktm>	 sure
[20:24:15] <dr0ptp4kt>	 Mr. Liambotis, you around?
[20:24:27] <paravoid>	 I am
[20:24:44] <dr0ptp4kt>	 can you spare 7 minutes on hangout? or at least on irc?
[20:25:02] <paravoid>	 I can, what is this about?
[20:25:19] <dr0ptp4kt>	 NOT(hosting)
[20:25:28] <paravoid>	 hm?
[20:26:21] <dr0ptp4kt>	 it's about the approach for showing contributory features on mdot/zerodot. wanted to run an idea ori and i talked about yesterday by you to see if it's passable.
[20:26:38] <paravoid>	 okay, sure
[20:26:45] <dr0ptp4kt>	 k, i'll call you
[20:26:54] <paravoid>	 do we need ori too?
[20:27:23] <dr0ptp4kt>	 probably not, although i try add him. ori, heads up.
[20:28:30] <paravoid>	 stupid hangouts
[20:28:34] <bd808>	 greg-g: Can I get flight deck clearance for a no-op scap so I can record a screencast as Ori suggested?
[20:30:43] <greg-g>	 bd808: ENTHUSIASTIC YES
[20:30:52] <greg-g>	 sorry for yelling
[20:30:58] <bd808>	 neat
[20:31:46] <logmsgbot>	 !log bd808 Started scap: no-diff scap; recording asciicast
[20:31:55] <morebots>	 Logged the message, Master
[20:32:41] <legoktm>	 yuvipanda: does betalabs have a bits.wm.o equivalent? or does it just use the per-wiki load.php's?
[20:32:56] <legoktm>	 /bits.beta.wmflabs.org/meta.wikimedia.beta.wmflabs.org/load.php
[20:32:58] <legoktm>	 great.
[20:33:05] <yuvipanda>	 legoktm: it does have bits
[20:33:07] <yuvipanda>	 right
[20:33:55] <grrrit-wm>	 (03PS2) 10Legoktm: Add GlobalCssJs extension to betalabs [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114719 (owner: 10Yuvipanda)
[20:34:52] <legoktm>	 yuvipanda: fixed ^
[20:34:58] <yuvipanda>	 legoktm: woo! :)
[20:34:59] <logmsgbot>	 !log bd808 Finished scap: no-diff scap; recording asciicast (duration: 03m 13s)
[20:35:03] <yuvipanda>	 legoktm: now to get hashar to merge it :)
[20:35:07] <morebots>	 Logged the message, Master
[20:35:17] <yuvipanda>	 legoktm: I'm going to get some sleep now. have to wake up early tomorrow :( can you get that merged?
[20:35:21] <hashar>	 yuvipanda: legoktm I am not op :-D
[20:35:31] <yuvipanda>	 hashar: it's to betalabs :D
[20:35:51] <legoktm>	 yuvipanda: gnite. who normally "approves" extensions for beta labs?
[20:35:55] <yuvipanda>	 legoktm: hashar
[20:36:12] <hashar>	 yuvipanda: well anyone should be able to review / +2 the change.  Just have to make sure it is not going to kill production
[20:36:35] <hashar>	 yuvipanda: legoktm: also want to make sure GlobalCssJs is planned for production
[20:36:45] <yuvipanda>	 hashar: yeah, it changes only labs-specific files, so should be ok
[20:36:52] <legoktm>	 hashar: it is https://bugzilla.wikimedia.org/show_bug.cgi?id=57891
[20:38:16] <hashar>	 legoktm: great :-]
[20:38:23] <hashar>	 legoktm: might want to poke Dan Garry about it
[20:38:42] <yuvipanda>	 hashar: Dan responded on that bug saying it's ok :)
[20:38:45] <yuvipanda>	 just today
[20:38:55] <hashar>	 anyway busy with other things
[20:39:05] <yuvipanda>	 ok
[20:39:06] <hashar>	 so get dan to +1 change then any deployer can review and +2
[20:42:50] <grrrit-wm>	 (03CR) 10Greg Grossmeier: [C: 031] "I'm not Dan, but I can play one if I need to. :)" [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114719 (owner: 10Yuvipanda)
[20:43:58] <legoktm>	 lol
[20:44:02] <legoktm>	 greg-g: :D
[20:44:48] <hashar>	 :D
[20:56:48] <grrrit-wm>	 (03CR) 10Deskana: [C: 031] "Let the tests begin." [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114719 (owner: 10Yuvipanda)
[21:02:06] <grrrit-wm>	 (03CR) 10MarkTraceur: [C: 032] "Good luck, all :)" [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114719 (owner: 10Yuvipanda)
[21:02:14] <grrrit-wm>	 (03Merged) 10jenkins-bot: Add GlobalCssJs extension to betalabs [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/114719 (owner: 10Yuvipanda)
[21:02:14] <rdwrer>	 legoktm, yuvipanda ^^
[21:02:22] <legoktm>	 :D
[21:02:37] * rdwrer  watches betalabs

[21:02:47] <legoktm>	 rdwrer: do you also need to sync it so there are no missing commits in the prod repo?
[21:02:57] <rdwrer>	 I don't think so.
[21:03:02] <legoktm>	 okay
[21:03:17] <Deskana>	 So, naive product manager question. When does this actually become live on Beta Labs for us to test?
[21:03:19] <yuvipanda>	 rdwrer: \o/
[21:03:28] <yuvipanda>	 Deskana: in about 20-30s
[21:03:28] <legoktm>	 Deskana: in a few minutes
[21:03:29] <rdwrer>	 Soon!
[21:03:38] <yuvipanda>	 Deskana: maybe minutes
[21:03:39] * rdwrer  puts on Barcelona accent

[21:03:41] <rdwrer>	 Eventually!
[21:04:00] <legoktm>	 Deskana: just keep refreshing http://meta.wikimedia.beta.wmflabs.org/wiki/Special:Version :P
[21:04:40] <Deskana>	 i.love.long.urls.beta.wmflabs.org
[21:05:44] <legoktm>	 Deskana: https://bits.beta.wmflabs.org/meta.wikimedia.beta.wmflabs.org/load.php is a real url ;)
[21:05:57] <legoktm>	 Deskana: its live
[21:06:06] <Deskana>	 <globalcssjs-desc>
[21:06:08] <Deskana>	 Oops
[21:06:13] <legoktm>	 hmmm
[21:06:33] <legoktm>	 I blame caching
[21:06:34] <AaronSchulz>	 Profiling error: in(Wikibase\PropertyParserFunction::getRenderer), out(Wikibase\PropertyParserFunction::doRender)
[21:06:57] <AaronSchulz>	 Reedy: not sure exactly where the bug is, probably Wikibae
[21:07:01] <AaronSchulz>	 *Wikibase
[21:07:18] * hoo  heart Wikibase

[21:07:20] * hoo  runs

[21:08:47] <dr0ptp4kt>	 yurik: you around?
[21:09:10] <legoktm>	 it works!
[21:09:31] <yuvipanda>	 wooo!
[21:12:38] <Deskana>	 legoktm: Where in Special:Preferences is the preference?
[21:12:45] <legoktm>	 there is no preference?
[21:12:53] <legoktm>	 it got axed
[21:13:04] <Deskana>	 I'll update the extension instructions then. :)
[21:13:09] <legoktm>	 ah
[21:13:12] <legoktm>	 I need to re-write that page
[21:15:09] <grrrit-wm>	 (03PS2) 10Jeremyb: close ukwikimedia [operations/mediawiki-config] - 10https://gerrit.wikimedia.org/r/113878 
[21:17:04] <Deskana>	 legoktm: Looks pretty nifty so far. :)
[21:17:13] <legoktm>	 :D
[21:19:02] <mutante>	 legoktm: SSL cert for bits.beta.wmflabs.org/meta.wikimedia.beta.wmflabs.org ?:)
[21:19:47] <se4598>	 mh, I'm the only one who wonders why there is no en-message for tog-enableglobalcssj? https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FGlobalCssJs/0a52548ce76cbdf12e94fe5de8a6ac65d5e90159/GlobalCssJs.i18n.php
[21:20:03] <legoktm>	 se4598: that message was removed, let me find the patch
[21:20:05] <mutante>	 i know it's not the entire thing:), but still was just wondering how that discussion turned out
[21:20:08] <mutante>	 The certificate is only valid for *.wmflabs.org
[21:20:19] <legoktm>	 mutante: oh, I think I whitelisted it in my browser :/
[21:20:31] <legoktm>	 se4598: https://gerrit.wikimedia.org/r/#/c/101626/
[21:20:35] <mutante>	 i suppose *.beta.wmflabs.org is needed
[21:20:44] <mutante>	 because can't have *.*.
[21:20:45] <se4598>	 thanks
[21:21:19] <se4598>	 certs etc.: https://bugzilla.wikimedia.org/show_bug.cgi?id=48501
[21:21:28] <se4598>	 mutante^
[21:23:00] <mutante>	 se4598: thanks, yea, i knew there was a lengthy ticket, i wondered about the end of it.. and yea. i see so we want but don't have.. 
[21:24:14] <mutante>	 Coren: are you pokable for that one maybe? there is the special project handling the certs i know, i just haven't been involved so far
[21:24:18] <mutante>	 ^
[21:24:34] <bd808>	 Can someone do a graceful restart of apache on mw1047 and mw1079? Those 2 hosts are throwing a PHP error that looks to be an APC problem. Line numbers in exception don't match files on disk.
[21:24:42] * Coren  reads scrollback.

[21:24:51] <mutante>	 Coren: it's about getting *.beta.wmflabs.org SSL cert
[21:25:00] <mutante>	 as opposed to just *.wmflabs.org
[21:25:07] <se4598>	 "I think we do want it, on a limited set of subdomains to keep the cost down." <- do it half right, so it's still broken for everyone else on a non-en-wiki? No money for a wildcard?
[21:25:10] <mutante>	 and how we handle it in the special restricted project
[21:25:22] <mutante>	 where the keys live etc...
[21:25:46] <Coren>	 Doable, but I haven't been in the buy-cert-chain before.  I'll need to involve Rob anyways.
[21:25:52] <bd808>	 !log mw1047 and mw1079 throwing PHP exception that looks like APC corruption
[21:26:00] <morebots>	 Logged the message, Master
[21:26:12] <Coren>	 Is there an RT ticket or bz associated with this for context?
[21:26:39] <se4598>	 Coren: bug says 
[21:26:39] <se4598>	 [reply] [−] Description Antoine "hashar" Musso 2013-05-15 10:00:13 CEST
[21:26:39] <se4598>	 We now have nginx SSL proxies in front of the beta caches (Bug 36648). We still have to fix the certificate (that is *.wmflabs.org for now).
[21:26:39] <se4598>	 We need certificates generated by 'Labs CA' for the entries listed in role::protoproxy::ssl::beta and some more.  I guess the easiest would be to create *.beta.wmflabs.org cert that will also contains the following DNS entries:
[21:26:39] <se4598>	 *.wikimedia.beta.wmflabs.org
[21:26:49] <mutante>	 Coren: se4598: i would even argue we can use cacert.org for that because it's - no money but also not self signed, and people who test can be expected to import a CA root cert once, but paravoid said cacert is kind of dead.. well ..i still use it
[21:27:32] <se4598>	 sorry for the flood, something strange happened 
[21:27:32] <mutante>	 if they are generated by Labs CA, then that's a different thing
[21:27:44] <mutante>	 and is not related to buying them
[21:28:14] <mutante>	 se4598: i'm not sure if you can have a *. that contains another *, but maybe
[21:28:21] <mutante>	 you can't have a *.* though
[21:28:23] <hashar>	 there was a bug for beta ssl certs, can't find it right now thuogh
[21:28:26] <Coren>	 Ah, okay, point me at it then.  I'll handle it over the weekend unless it's an even bigger rush than this?
[21:28:32] <bd808>	 apergos: You should be asleep, but topic has your name. Apache graceful needed for mw1047 and mw1079 to clear APC corruption
[21:28:51] <mutante>	 bd808: doing it
[21:28:59] <bd808>	 mutante: Thanks
[21:29:15] <AaronSchulz>	 mutante: apache-graceful is only on fenari? Does that still work?
[21:29:41] <icinga-wm>	 RECOVERY - Apache HTTP on mw1047 is OK: HTTP OK: HTTP/1.1 301 Moved Permanently - 808 bytes in 0.072 second response time  
[21:29:42] <mutante>	 !log graceful'ing apache on mw1047 and mw1079 by request 
[21:29:50] <morebots>	 Logged the message, Master
[21:29:51] <icinga-wm>	 RECOVERY - Apache HTTP on mw1079 is OK: HTTP OK: HTTP/1.1 301 Moved Permanently - 808 bytes in 0.088 second response time  
[21:30:05] <mutante>	 AaronSchulz: in this case i just did them manually on the boxes.. but last time i looked. yes
[21:30:32] <se4598>	 Coren: bugs say theres something at ticket https://rt.wikimedia.org/Ticket/Display.html?id=6116
[21:30:33] <mutante>	 AaronSchulz: yes to both, still on fenari and needs to move, and yes, still worked.. but it's been a while
[21:32:54] <Coren>	 se4598: What BZ is this?  I just read the RT
[21:34:29] <mutante>	 Coren:  https://bugzilla.wikimedia.org/show_bug.cgi?id=48501
[21:36:31] <apergos>	 topic has my name and it's not even my week
[21:36:55] <apergos>	 but if I had been here when pinged I woulda done it (thanks mutante for being willing and in a good tz)
[21:38:04] <Coren>	 se4598: mutante: The next step forward is not clear; self signed certs or non-default CAs are not an option because of the automation and the inability to distribute certs.
[21:38:34] <Coren>	 The BZ mentions the possibility of using only a few (selected) hostnames rather than wildcards.
[21:40:15] <bd808>	 !log mw1047 and mw1079 errors cleared after apache-graceful
[21:40:23] <morebots>	 Logged the message, Master
[21:40:36] * bd808  continues to <3 logstash

[21:49:13] <mutante>	 Coren: gotcha, yea, you pretty much summed it up i think. so the one that made me bring it up was https://bits.beta.wmflabs.org/  having bits. seems reasonable
[22:00:57] <jgage>	 it seems that haproxy is installed on db10{23,33,56}, although not running. anyone know why?
[22:08:17] <paravoid>	 jgage: probably sean experimenting -- he mentioned haproxy the other day on the list
[22:08:20] <paravoid>	 Coren: ping?
[22:08:37] <paravoid>	 jgage: (not in the context of installing it, just that it'd be a good idea to use it maybe)
[22:12:17] <jgage>	 cool, thanks paravoid.
[22:16:13] <superm401>	 How fast do the logs used by the logstash web interface (https://logstash.wikimedia.org/#/dashboard/elasticsearch/default) rotate?
[22:16:23] <superm401>	 Does anyone know if it's size or time-based?
[22:16:30] <bd808>	 30 days
[22:17:22] <bd808>	 We write to a new elasticsearch index every day. There's a cron that runs each morning to drop indices that are 31 days old
[22:17:34] <superm401>	 Okay, thanks bd808.
[22:17:39] <bd808>	 yw
[22:17:49] <superm401>	 It turns out the count I thought was since rotation was every 30 seconds, which is... bad.
[22:17:52] * bd808  needs to update the wikitech page on this stuff

[22:18:38] <ebernhar1son>	 hmm, logstash->elasticsearch.  sounds like graylog2?
[22:18:53] <ebernhar1son>	 or actually, is there a wiki page for the new logstash stuff?
[22:19:09] * gwicke  listens up on hearing graylog2

[22:19:19] <bd808>	 ebernhar1son: yes. https://wikitech.wikimedia.org/wiki/Logstash
[22:19:20] <superm401>	 I don't really get it, but I should probably go read the docs.
[22:19:38] <superm401>	 The "count per 30s" and "count per 1d" are very close.
[22:19:56] <ebernhar1son>	 bd808: excelent, thanks
[22:19:57] <bd808>	 I'd be glad to do hangout or something to talk through the UI
[22:20:57] <gwicke>	 bd808, is our logstash instance prepared to receive graylog2 logs?
[22:21:16] <bd808>	 It is not, but that could be easily added
[22:21:21] <superm401>	 bd808, thanks. phuedx recommended I watch the video at http://logstash.net/ , so I'll finish what I'm working on, check that out, then ask if it still doesn't make sense.
[22:22:08] <bd808>	 superm401: If the count you are talking about is the (nnnnn hits) that is across the total time window you are searching
[22:22:31] <bd808>	 the "count per 30s" or whatever is the width of each bar in the histogram
[22:22:42] <superm401>	 I see, so the interval only affects the graph.
[22:22:42] <gwicke>	 bd808: ok, we'll likely have a gelf backend for parsoid logging soon
[22:22:47] <bd808>	 if you hove a bar it should show you the count in that interval
[22:23:00] <bd808>	 *hover
[22:23:14] <bd808>	 gwicke: I'd be glad to help figure out how to get that into logstash
[22:23:21] <superm401>	 bd808, how do I check the total time window I'm searching?
[22:23:40] <superm401>	 Never mind, I found it (green filtering bar).
[22:23:50] <bd808>	 superm401: it's in the top middle of the page "an hour to a few seconds ago" or some such
[22:24:16] <superm401>	 Thanks, that looks easier to change.
[22:24:22] <gwicke>	 bd808: cool, will ping you when we are ready
[22:25:02] <bd808>	 gwicke: excellent. The labs project would probably be the place to start. Your beta traffic into it until we get all the kinks worked out
[22:26:21] <gwicke>	 bd808, we can also log both to a gelf backend and a local file for a bit
[22:26:56] <gwicke>	 so it doesn't need to be stable right from the start
[22:27:05] <bd808>	 That sounds like a smart idea :)
[22:27:37] <bd808>	 It's just easier to piddle with the labs instance since it's not controlled by operations/puppet.git
[22:27:52] <gwicke>	 yeah, very true
[22:28:07] <bd808>	 We can even spin up one just for you to dork around with 
[22:28:29] <gwicke>	 we could point our rt clients to it, those are currently in labs
[22:28:51] <gwicke>	 but in any case the logging infrastructure patch needs to land before that
[22:28:56] <gwicke>	 will ping you
[22:29:02] * bd808  nods

[22:37:00] <Coren>	 paravoid: Ping?
[22:37:08] <paravoid>	 hey
[22:37:15] <Coren>	 What be up?
[22:37:22] <Coren>	 (Or down, as the case may be)
[22:37:35] <paravoid>	 can you have a look at the ecehttps://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=virt0&service=Certificate+expiration
[22:37:43] <paravoid>	 at that :)
[22:37:45] <paravoid>	 or this https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=virt1000&service=Certificate+expiration
[22:37:58] <paravoid>	 this check has its one month anniversary
[22:40:15] <legoktm>	 Deskana: I updated https://www.mediawiki.org/wiki/Extension:GlobalCssJs
[22:40:42] <Deskana>	 legoktm: Great. :)
[22:41:59] <grrrit-wm>	 (03PS5) 10Matanya: removed orion shell account [operations/puppet] - 10https://gerrit.wikimedia.org/r/113637 
[22:42:06] <paravoid>	 Coren: ack?
[22:42:13] <Coren>	 paravoid: virt0 is hearing the wail of the banshee anyways (and this isn't the canonical name); virt1000 will get the wikitech cert once we switch in ~2weeks.
[22:42:37] <Coren>	 paravoid: So I don't think renewing those is worthwhile.
[22:42:44] <paravoid>	 what do you mean renewing?
[22:42:47] <paravoid>	 the check is broken
[22:42:51] <paravoid>	 it spews a traceback
[22:42:53] <paravoid>	 for starters :)
[22:43:00] <Coren>	 Oh!
[22:43:06] <Coren>	 D'oh!  Ignore me.  :-)
[22:43:14] <Coren>	 I'll look into it.
[22:43:16] <paravoid>	 then, virt0 has a proper certificate too
[22:43:29] <paravoid>	 I mean https://wikitech works for me
[22:43:32] <Coren>	 Does it?  I thought only the wikitech name had one.
[22:43:33] <paravoid>	 so maybe we should fix the check?
[22:43:40] <mutante>	 Coren: paravoid it's using a different check command
[22:43:47] <mutante>	 check_command => "check_cert!${fqdn}!636!${ca_name
[22:43:50] <paravoid>	 well, yes, then we should fix the check to check for wikitech then maybe?
[22:43:56] <mutante>	 i think it can just use the normal check_http
[22:44:01] <paravoid>	 I mean, we /do/ care if wikitech's certificate expires
[22:44:02] <mutante>	 like it was used elsewhere
[22:44:11] <icinga-wm>	 PROBLEM - Puppet freshness on virt1000 is CRITICAL: Last successful Puppet run was Fri 21 Feb 2014 04:42:42 PM UTC  
[22:44:44] <mutante>	 Coren: more like $USER1$/check_http -H $ARG1$ -I $HOSTADDRESS$ --ssl --certificate=90
[22:44:48] <Coren>	 paravoid: I didn't understand you the first time; I thought you wanted me to address the certs, not the check /itself/  :-)
[22:44:52] <mutante>	 templates/icinga/checkcommands.cfg.erb
[22:46:14] <grrrit-wm>	 (03CR) 10Dzahn: [C: 032] removed orion shell account [operations/puppet] - 10https://gerrit.wikimedia.org/r/113637 (owner: 10Matanya)
[22:47:12] <grrrit-wm>	 (03PS4) 10Matanya: remove smerritt shell account [operations/puppet] - 10https://gerrit.wikimedia.org/r/113638 
[22:48:34] <Coren>	 mutante: Yeah, check_http would work just as well.  We already have command_name check_ssl_cert for that which we should use rather than check_cert
[22:48:44] * Coren  fixies.

[22:49:10] <mutante>	 Coren: +1 for not having separate ones
[22:51:53] <Coren>	 Ah, no, wait.  That's the SSL cert for the /LDAP/ server!
[22:52:38] <mutante>	 that's why port 636
[22:52:46] <Coren>	 (which explains the virt0 vs wikitech too
[22:52:48] <Coren>	 )
[22:52:50] <mutante>	 yea.. hrmm.. but check_http also has option for ports
[22:53:21] <Coren>	 mutante: Yeah, but then it'll try to do a GET which is going to fail when talking to LDAP
[22:53:47] <Coren>	 So I need to figure out why the check_ssl is teh failz.
[22:55:24] <Coren>	 cd /etc/icinga
[22:55:30] <Coren>	 bah.
[22:55:38] <mutante>	 Coren: i see, well that would explain the separate scrit
[22:56:06] <grrrit-wm>	 (03CR) 10Dzahn: [C: 032] remove smerritt shell account [operations/puppet] - 10https://gerrit.wikimedia.org/r/113638 (owner: 10Matanya)
[22:59:40] <grrrit-wm>	 (03CR) 10Dzahn: "please fix path conflict" [operations/puppet] - 10https://gerrit.wikimedia.org/r/113636 (owner: 10Matanya)
[23:04:31] <Coren>	 Aha!  The plugin sucks at error reporting, but now I know why it fails:  LDAP is still trying to use the star certificate.
[23:06:23] <Coren>	 RobH: When you ordered replacement for wikitech, did you also do virt0 and virt1000?
[23:06:26] * Coren  guesses no.

[23:09:44] <Coren>	 We need our own CA for internal junk, so that we can simply distribute our root via puppet.
[23:09:55] <grrrit-wm>	 (03PS6) 10Dzahn: remove shell access and key for mgrover [operations/puppet] - 10https://gerrit.wikimedia.org/r/113636 (owner: 10Matanya)
[23:10:02] <Coren>	 mutante: What's our current process for only-used-internally certificates?
[23:10:32] <grrrit-wm>	 (03CR) 10jenkins-bot: [V: 04-1] remove shell access and key for mgrover [operations/puppet] - 10https://gerrit.wikimedia.org/r/113636 (owner: 10Matanya)
[23:12:29] <RobH>	 Coren: for virt0 and virt1000 they have their own cert
[23:12:39] <RobH>	 its installed via the nova whatevs iirc
[23:12:45] <RobH>	 i even updated them to use it
[23:12:57] <RobH>	 for ldap
[23:13:09] <RobH>	 again, iirc, it was weeks ago
[23:13:35] <RobH>	 https://rt.wikimedia.org/Ticket/Display.html?id=6592
[23:15:22] <mutante>	 Coren: i dunno about the "internal" part
[23:17:36] <grrrit-wm>	 (03PS7) 10Dzahn: remove shell access and key for mgrover [operations/puppet] - 10https://gerrit.wikimedia.org/r/113636 (owner: 10Matanya)
[23:18:14] <grrrit-wm>	 (03CR) 10jenkins-bot: [V: 04-1] remove shell access and key for mgrover [operations/puppet] - 10https://gerrit.wikimedia.org/r/113636 (owner: 10Matanya)
[23:19:00] <mutante>	 bah
[23:23:46] <grrrit-wm>	 (03PS8) 10Dzahn: remove shell access and key for mgrover [operations/puppet] - 10https://gerrit.wikimedia.org/r/113636 (owner: 10Matanya)
[23:26:28] <grrrit-wm>	 (03CR) 10Dzahn: [C: 032] remove shell access and key for mgrover [operations/puppet] - 10https://gerrit.wikimedia.org/r/113636 (owner: 10Matanya)
[23:30:16] <Coren>	 RobH: It didn't take then, LDAP responds with the star certificate still.
[23:30:40] <RobH>	 well, someone undid it!
[23:30:45] <Coren>	 s:/serialNumber=3Te2KNVS3beWLBffkE0QtVQ4qxo3Ix10/C=US/O=*.wikimedia.org/OU=GT11518520/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.wikimedia.org
[23:30:49] <RobH>	 cuz i shredded the wildcard certs and ensured puppet wasnt puttin git on
[23:30:52] <RobH>	 so wtf...
[23:30:55] <RobH>	 lets see.
[23:31:15] <RobH>	 Coren: uhh
[23:31:24] <RobH>	 there is no star.wikimedia.org cert even on virt0
[23:31:29] <Coren>	 ...!
[23:31:37] <RobH>	 where are you pulling that?
[23:31:42] <Coren>	 Where in blazes is it fishing that certificate from?
[23:31:46] <RobH>	 i have no idea
[23:31:53] <Coren>	 virt0.wikimedia.org:636
[23:31:55] <RobH>	 well, atleast there isnt in /etc/ssl
[23:32:03] <RobH>	 if ldap shoves it someplace odd....
[23:32:35] <RobH>	 yea, there is no star certs on the /etc/ssl on those
[23:32:37] * Coren  hunts it down.

[23:32:52] <mutante>	 is it in LDAP itself?
[23:33:41] <RobH>	 i see ldap config refer to the hostname configs
[23:33:51] <grrrit-wm>	 (03CR) 10Dzahn: "notice: /Stage[main]/Accounts::Mgrover/Ssh_authorized_key[norbertgrover@Norberts-MacBook-Pro.local]/ensure: removed" [operations/puppet] - 10https://gerrit.wikimedia.org/r/113636 (owner: 10Matanya)
[23:33:57] <RobH>	 it says they live in /etc/ssl
[23:34:08] <RobH>	 TLS_CACERTDIR   /etc/ssl/certs 
[23:35:43] <Coren>	 Eeeeew.  opendj is written in Java.  The cert might be in the funky java keystore thing.
[23:36:04] <mutante>	 ack
[23:36:18] <mutante>	 keytool -list ?
[23:36:23] <RobH>	 yea, i just put the new cert in, and did a full restart but i didnt run anythign else
[23:36:40] <RobH>	 well, restarted the services i know, restarted system prolly not
[23:36:46] <RobH>	 but admin log would have it for that day
[23:36:51] <mutante>	 keytool -list -v -keystore keystore.jks
[23:36:52] <Coren>	 config.ldif:ds-cfg-ssl-cert-nickname: star.wikimedia.org
[23:36:55] <RobH>	 eww.
[23:37:21] <RobH>	 so yea, i gave both virt0 and virt1000 their own hostname based certificates
[23:37:43] <Coren>	 RobH: Okay, all that's left is fixing opendj to actually use those.
[23:37:59] <RobH>	 that in puppet or via command line?
[23:38:22] <Coren>	 RobH: I'm guessing that has to be done via command line, I'm pretty sure we don't manage the keystore with puppet
[23:38:47] <RobH>	 so where does it get the info in the first place?
[23:39:12] <Coren>	 The keystore is an implicit java mechanism/hack.  But now that I look in it I see it's empty.  Hm...
[23:39:20] <Coren>	 Oh!  The config is /in ldap/
[23:40:06] <Coren>	 cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config
[23:43:56] <Coren>	 There's some stuff in puppet about certificates for the LDAP servers, but it's not clear how that actually updates the server.
[23:47:46] <Coren>	 RobH: Ah, yes, opendj does indeed use the keystore.  [bleep] [bleep]ing java [bleep].