
Zotero container: Production is running candidate version, last production version is broken due to lack of ca-certificates package
Closed, Resolved, Public

Description

This breaks things as Citoid will ask Zotero to deal with URLs like https://journals.plos.org/ploscompbiol/article?id=10.1371/journal.pcbi.1002947, but it will not be able to because it does not trust the journals.plos.org TLS certificate.
@akosiaris made https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/services/zotero/+/013b6cf2eae47ff1bf6b87ead16180abf9193a53%5E%21/#F0 which fixed this and there appear to have been candidate builds including this commit, but the only production version listed at https://tools.wmflabs.org/dockerregistry/wikimedia/mediawiki-services-zotero/tags/ is too old. Why is production working?

Event Timeline

Krenair created this task. May 15 2019, 1:43 AM
hashar removed a subscriber: hashar. May 15 2019, 4:33 AM
Joe added a comment. May 15 2019, 6:03 AM

It's working in production because we connect to external URIs via a proxy, hence we don't need ca-certificates.

We might in fact have a url-downloader in deployment-prep as well.

> It's working in production because we connect to external URIs via a proxy, hence we don't need ca-certificates.

That's not the case. url-downloader acts as a TCP proxy in this case (the CONNECT HTTP verb is being used and all the proxy does is effectively connect the 2 TCP streams), so it's the job of zotero to validate the certificates and hence the need for ca-certificates.

> Why is production working?

Cause it's using 2019-02-01-074657-candidate (stay tuned, this is soon going to be publicly viewable in gerrit) which does contain ca-certificates.

> but the only production version listed at https://tools.wmflabs.org/dockerregistry/wikimedia/mediawiki-services-zotero/tags/ is too old

Zotero is an unfortunate edge case where due to the software not passing integration tests, we don't publish the production tagged version. By far the easiest way for us to add this would be to add swagger/openapi specs to the software. This is tracked in https://github.com/zotero/translation-server/issues/76 (AFAIK no respective phab exists)
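An added illustration of the CONNECT behaviour described in the comment above (not code from url-downloader, Zotero or this task): a minimal localhost CONNECT proxy that only splices two TCP streams, so the origin receives the client's bytes untouched and any certificate validation has to happen in the client. The helper names, the stand-in origin server and the `hello` payload are constructed for the demo; no real TLS handshake is performed.

```python
import socket, threading

def serve_once(handler):  # listen on an ephemeral localhost port, serve one client
    srv = socket.create_server(("127.0.0.1", 0))
    def run():
        conn, _ = srv.accept()
        with conn, srv:
            handler(conn)
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def recv_until(sock, marker):
    buf = b""
    while marker not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    return buf

def pipe(src, dst):  # copy bytes one way until EOF; the payload is never parsed
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def connect_proxy(client):
    """Handle one CONNECT request, then splice the two TCP streams."""
    target = recv_until(client, b"\r\n\r\n").split(b" ")[1].decode()
    host, port = target.rsplit(":", 1)
    with socket.create_connection((host, int(port))) as upstream:
        client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        up = threading.Thread(target=pipe, args=(client, upstream), daemon=True)
        up.start()
        pipe(upstream, client)
        up.join(2)

def demo():
    seen = []
    def origin(conn):  # stand-in for the HTTPS origin; records what reaches it
        seen.append(conn.recv(4096))
        conn.sendall(seen[0][::-1])
    origin_port, proxy_port = serve_once(origin), serve_once(connect_proxy)
    hello = b"\x16\x03\x01\x00\x05hello"  # constructed bytes standing in for a TLS record
    with socket.create_connection(("127.0.0.1", proxy_port)) as c:
        c.sendall(f"CONNECT 127.0.0.1:{origin_port} HTTP/1.1\r\n\r\n".encode())
        status = recv_until(c, b"\r\n\r\n").split(b"\r\n")[0]
        c.sendall(hello)
        reply = c.recv(4096)
    return status, seen[0], reply, hello

if __name__ == "__main__": print(demo())
```

The proxy holds no keys or certificates at any point; after the `200` line it is a byte relay, which is why the trust store has to exist in the client's container image.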

Krenair renamed this task from Zotero container: Latest production container lacking ca-certificates package to Zotero container: Production is running candidate version, last production version is broken due to lack of ca-certificates package. May 15 2019, 3:40 PM

I'm removing the parent task, I guess I'll leave this open to track the fact that production is running a non-production release, unless there's an existing Phabricator task about it.

Krinkle removed a subscriber: Krinkle. May 29 2019, 2:50 PM
akosiaris triaged this task as Low priority. Jun 24 2019, 3:32 PM
akosiaris moved this task from Backlog to Externally Blocked on the serviceops board.
akosiaris closed this task as Resolved. Tue, Nov 19, 6:56 PM
akosiaris claimed this task.

This has been fixed in 3229da692ef3a003a860d6b0024c9ef4813ce13d. The reason production tagged releases are now again available is because we gave up on having swagger/openapi specs and removed helm.yaml (the thing informing the pipeline that integration tests should be run) in https://gerrit.wikimedia.org/r/#/c/mediawiki/services/zotero/+/538171/.

I'll boldly resolve, feel free to reopen