
Zotero container: Production is running candidate version, last production version is broken due to lack of ca-certificates package
Closed, ResolvedPublic

Description

This breaks things as Citoid will ask Zotero to deal with URLs like https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1002947, but it will not be able to because it does not trust the journals.plos.org TLS certificate.
@akosiaris made https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/services/zotero/+/013b6cf2eae47ff1bf6b87ead16180abf9193a53%5E%21/#F0 which fixed this and there appear to have been candidate builds including this commit, but the only production version listed at https://tools.wmflabs.org/dockerregistry/wikimedia/mediawiki-services-zotero/tags/ is too old. Why is production working?

Event Timeline

It's working in production because we connect to external URIs via a proxy, hence we don't need ca-certificates.

We might in fact have a url-downloader in deployment-prep as well.

> It's working in production because we connect to external URIs via a proxy, hence we don't need ca-certificates.

That's not the case. url-downloader acts as a TCP proxy in this case (the CONNECT HTTP verb is being used and all the proxy does is effectively connect the 2 TCP streams), so it's the job of zotero to validate the certificates and hence the need for ca-certificates.

> Why is production working?

Cause it's using 2019-02-01-074657-candidate (stay tuned, this is going soon to be publicly viewable in gerrit) which does contain ca-certificates.

> but the only production version listed at https://tools.wmflabs.org/dockerregistry/wikimedia/mediawiki-services-zotero/tags/ is too old

Zotero is an unfortunate edge case where due to the software not passing integration tests, we don't publish the production tagged version. By far the easiest way for us to add this would be to add swagger/openapi specs to the software. This is tracked in https://github.com/zotero/translation-server/issues/76 (AFAIK no respective phab exists)
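The point made in the reply above, that a CONNECT proxy only joins two TCP streams and the client still has to validate the certificate, as an added Python example (not code from Zotero, Citoid or Wikimedia). The proxy address is a hypothetical placeholder and the function names are invented here.

```python
import http.client
import ssl


def client_context(cafile=None):
    """Verifying TLS client context that trusts only `cafile`.

    cafile=None models an image without ca-certificates: verification is
    still required, but the trust store is empty.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def fetch_status(target_host, proxy_host, proxy_port, ctx, path="/"):
    """GET https://target_host/path through an HTTP CONNECT proxy.

    Returns the HTTP status, or the certificate verification error text.
    The proxy only relays bytes; the TLS handshake and the certificate
    check run in this process against `ctx`, with target_host as the
    expected name.
    """
    conn = http.client.HTTPSConnection(proxy_host, proxy_port,
                                       context=ctx, timeout=10)
    conn.set_tunnel(target_host, 443)  # sends "CONNECT target_host:443"
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except ssl.SSLCertVerificationError as exc:
        return "verify failed: " + exc.verify_message
    finally:
        conn.close()


if __name__ == "__main__":
    # Hypothetical proxy address (assumption); use the deployment's own.
    proxy = ("proxy.example.internal", 8080)
    contexts = (("empty trust store", client_context()),
                ("system trust store", ssl.create_default_context()))
    for label, ctx in contexts:
        print(label, "->", fetch_status("journals.plos.org", *proxy, ctx))
```

With the empty trust store the request fails with a verification error even though the proxy itself is reachable, which is the behaviour the task describes for the image lacking ca-certificates.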

Krenair renamed this task from Zotero container: Latest production container lacking ca-certificates package to Zotero container: Production is running candidate version, last production version is broken due to lack of ca-certificates package. May 15 2019, 3:40 PM

I'm removing the parent task, I guess I'll leave this open to track the fact that production is running a non-production release, unless there's an existing Phabricator task about it.

akosiaris moved this task from Incoming 🐫 to this.quarter 🍕 on the serviceops board.
akosiaris claimed this task.

This has been fixed in 3229da692ef3a003a860d6b0024c9ef4813ce13d. The reason production tagged releases are now again available is because we gave up on having swagger/openapi specs and removed helm.yaml (the thing informing the pipeline that integration tests should be run) in https://gerrit.wikimedia.org/r/#/c/mediawiki/services/zotero/+/538171/.

I'll boldly resolve, feel free to reopen