nodejs 4.4.6 has been uploaded to carbon. This doesn't fix all the security issues originally announced (that's why this is not 4.5.0 yet), but still CVE-2016-1669. I have built fixed packages and uploaded them to carbon. The following services using nodejs4/jessie need to be migrated:
scb in codfw and the restbase test systems have been upgraded without apparent problems so far.
I have a no-op html dump running in staging to test RESTBase. It's been running for half a day without problems. I think we can move ahead with RESTBase and consequently AQS (ping @JAllemandou @elukey).
For SCB, we first need to test all of the services there and then switch all of them at the same time. Let's set a deadline for the switch. I'm proposing next Wednesday, 2016-07-13.
@bearND @Mholloway @Yurik @KartikMistry @akosiaris could you please make sure your services work on Node 4.4.6 ?
Change 297419 had a related patch set uploaded (by Mholloway):
Update node version to 4.4.6
As it happens, I've been running 4.4.6 on my dev machine for a while now and so far as I've seen everything works fine.
@mobrovac: Wednesday 2016-07-13 works for me as a deadline, but I'll be off the next two days (just saying, in case we have issues).
@mobrovac, I will not be around that week, but all in all I doubt I will be needed. I don't maintain any services directly anyway and other opsen should be able to help with anything needed
Nice, thnx!
I've been testing RESTBase with 4.4.6 and haven't encountered any issues thus far, so I don't expect AQS to have issues either. Still, it would be nice if you could test it with the new version.
I pinged you primarily because of etherpad, but it can be switched independently, so that can be done this week too.
To anyone maintaining a service running on the scb* clusters; the scb servers in codfw have already been upgraded to nodejs 4.4.6, so you can use these for tests.
You can update your BC hosts by simply doing sudo apt-get install nodejs and restarting the service
Change 297615 had a related patch set uploaded (by Mobrovac):
Upgrade to nodejs v4.4.6
@mobrovac deployment-sca02.eqiad.wmflabs and deployment-sca01.eqiad.wmflabs should be fine to upgrade using simple apt-get?
Upgraded aqs100[456], we are going to test and upgrade 100[123] soon (@mobrovac I am ok for the deadline)
I pinged you primarily because of etherpad, but it can be switched independently, so that can be done this week too.
I had forgotten that one. So, upgrade tested in labs for some time yesterday, everything seemed fine, our etherpad instance was upgraded today.
Since all of the SCB services have been tested with the new version of node, @MoritzMuehlenhoff and I decided to switch SCB to Node 4.4.6 on Monday, 2016-07-11.
I will proceed with creating/merging the needed source repo patches and updating the respective deploy repos. Please do not deploy your service if it's on SCB until we do the switch and confirm everything is working as expected.
Change 298002 had a related patch set uploaded (by Mobrovac):
Update citoid to 8d31664
Change 298004 had a related patch set uploaded (by Mobrovac):
Update cxserver to 687a2d1
Change 298005 had a related patch set uploaded (by Mobrovac):
Update mathoid to 9922544
Change 298012 had a related patch set uploaded (by Mobrovac):
Update change-propagation to 8d8875d
Change 298018 had a related patch set uploaded (by Mobrovac):
Update graphoid to c3a6b11
Change 298019 had a related patch set uploaded (by Mobrovac):
Update mobileapps to 6d55828
Note that beside actually installing 4.4.6 on the nodes, the deploy repos have to updated to be built against 4.4.6
@ssastry OK to proceed with the upgrade of ruthenium to node 4.4.6? There shouldn't be any impact as it's a security update, and node 4.4.6 is the new stable version used in our infra.
@MoritzMuehlenhoff asked me about it y'day and I said yes already. He might done it by now even.