[09:42:40] serviceops, Release-Engineering-Team, Release Pipeline (Blubber): Base Blubber policy file for CI - https://phabricator.wikimedia.org/T215319 (akosiaris) >>! In T215319#4928541, @thcipriani wrote: > Clarification needed from #serviceops folks: is it only the base-image for the production variant we w...
[09:50:21] serviceops, Release-Engineering-Team, Release Pipeline (Blubber): Base Blubber policy file for CI - https://phabricator.wikimedia.org/T215319 (fsero) @thcipriani AFAIK the policy applies to every image not only for production ones, i think it should be fairly easy (look into [2]) to build a base imag...
[10:17:10] <_joe_> lol I was about to comment on that ticket, but maybe I shouldn't brigade on it
[10:24:57] serviceops, MediaWiki-Docker, docker-pkg: Clarify and document our docker image building process and policies. - https://phabricator.wikimedia.org/T216234 (fsero)
[10:26:30] i wrote that task because i think we have a clear convention about we shouldnt trust external docker images which is not written anywhere
[10:26:32] <_joe_> fsero: heh indeed, lemme fix scap (damn me) and I'll get to it
[10:26:41] maybe it is and i didnt found it
[10:31:16] <_joe_> no I wanted to write a design document on the image lifecycle
[11:24:52] serviceops, Operations, Thumbor, Patch-For-Review, and 2 others: Upgrade Thumbor servers to Stretch - https://phabricator.wikimedia.org/T170817 (fgiunchedi)
[11:30:24] serviceops, Operations, Kubernetes, Patch-For-Review, User-fsero: Upgrade calico in production to version 2.4+ - https://phabricator.wikimedia.org/T207804 (akosiaris)
[11:34:16] akosiaris: +1, we should also add another task for instating a PodSecurityPolicy as recommended on https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/ that forces images to run as unprivileged
[11:34:28] s/images/containers/g
[11:47:09] yeah we already force that on blubber, let's also do it in the infrastructure
[12:40:02] <_joe_> we should look at enforcing seccomp profiles too?
[12:40:15] <_joe_> well, in the future, I mean
[12:41:12] <_joe_> apiVersion: policy/v1beta1 thanks, kubernetes.
[12:41:35] <_joe_> it's encouraging to start using something that's in beta
[12:55:48] according to kubernetes release strategy 'beta' is good enough
[12:56:04] it means that the api is stable but implementation could change
[12:56:08] ingress is also beta
[12:56:16] it has been beta since forever :)
[12:56:25] and deploys were beta for a long long time
[12:56:33] i wouldnt consider an alpha feature
[12:56:49] but beta definitely (in a case by case basis)
[13:41:43] <_joe_> well I considered ingress quite unusable
[13:41:57] <_joe_> when I looked at floss implementations 2 years ago
[13:59:09] serviceops, Analytics, Operations, Research, and 4 others: Transferring data from Hadoop to production MySQL database - https://phabricator.wikimedia.org/T213566 (akosiaris) >>! In T213566#4934895, @Ottomata wrote: >> they will also not allow them to send the SYN/ACK packet required for the secon...
[14:11:32] serviceops, MediaWiki-Docker, docker-pkg: Clarify and document our docker image building process and policies. - https://phabricator.wikimedia.org/T216234 (dbarratt) The docker image found here: https://hub.docker.com/_/mediawiki uses these Dockerfiles: https://github.com/wikimedia/mediawiki-docker a...
[14:22:07] btw jijiki I am about to install rasdaemon on thumbor1004 for testing -- https://phabricator.wikimedia.org/T205396 https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/490787/
[14:22:37] hey tx :D
[14:27:48] wait, no I'm not
[14:28:05] thumbor isn't stretch yet 🤦
[14:29:50] sorry for the noise
[14:43:44] jijiki: okay, I'm going to install rasdaemon on mw2213 and mw2206, and look at a jessie backport
[14:46:06] haha crap, mw2213 is showing up in my graphs for the past 30d, but was decommed last week
[14:53:12] <_joe_> cdanis: it was out of rotation since forever
[14:53:38] _joe_: that's fine, all I want is to see what rasdaemon does when these events happen
[14:59:31] (correctable memory error events, to be clear)
[15:06:07] cdanis: I can give you thumbor2002 on monday
[15:06:42] but that server doesnt have mem issues
[15:06:54] nah mybad
[15:07:27] * cdanis looks back and forth between effie and jijiki suspiciously
[15:07:31] 🤔
[15:07:42] lol
[15:09:21] it's okay, mor.itz says that the jessie backport looks trivial, so for me it should be only mildly difficult
[15:09:51] cdanis: when I am not on my laptop I am effie :)
[15:10:26] also, I have written lovely docs for backporting a package!
[15:14:44] serviceops, MediaWiki-Docker, docker-pkg: Clarify and document our docker image building process and policies. - https://phabricator.wikimedia.org/T216234 (dbarratt) Also, I think it's totally fine if we build & host the same "base" release images as well. In my mind there's nothing wrong with that,...