Date: Fri, 7 May 2021 08:53:34
From: Lisa Gruwell
To: Megan Hernandez
Cc: Dallas Wisehaupt
Subject: Re: Please approve Julia Brungs superset access
----------------------------------------
Thu, May 6
All of the iptables and pfw rules have been pushed. Basic connectivity verified. On to testing all the functionality.
Wed, May 5
@MeganHernandez_WMF ping to check on the access request. Did you need for me to submit it to Lisa?
This has been verified. Closing.
Redis config rolled out. iptables rules updated and pushed. eqiad hosts are running and replicating. codfw hosts are running but waiting on T281942 for replication to be completed.
Tue, May 4
I have pushed out the apache and nginx configs. nginx is serving on port 442 with the puppet ssl certs and forwarding to a low proxy port for apache. Still researching the possibility of adding rate limiting and how to work that into the overall nginx templates.
Thu, Apr 29
Wed, Apr 28
config.php is now pulled in and deposited in /srv/civiproxy. Please verify everything looks ok.
The repo has been added to frdeploy and the code has been pushed to the fundraising_qa and civicrm roles in /srv/civiproxy. The config.php file from localsettings did not appear to come across so need to find out why that is the case.
Tue, Apr 27
Added in the config for smashpig/main.yaml.erb and added it to the redis_collector for gathering stats.
commit 209ddd6fef58652e6cdaacbc5c4bab19e86aee1e (HEAD -> master)
Author: Dallas Wisehaupt <firstname.lastname@example.org>
Date: Tue Apr 27 19:15:04 2021 +0000
Mon, Apr 26
@MeganHernandez_WMF Just wanted to check to see if you had sent on the request for access to Lisa or if you would like for me to do that. Additionally, we will need to get Julia added to the contact list with her information.
Fri, Apr 23
Verified installation is working.
Mon, Apr 19
Re-adding the ops tags to get payments1006 back on the radar for the console redirection.
Certificate generated and sent via email. Password sent via SMS.
Fri, Apr 16
Header added to fundraising nginx templates and deployed.
[frack::puppet] 58ed92cf Add Permissions-Policy header (Google FLoC)
Thu, Apr 15
Wed, Apr 14
Note: Can't roll forward on require ssl for the fr_stats db user until we sort out the older python2 DjangoBannerStats code and its connections.
Tue, Apr 13
Grant scripts updated to use 'create user or replace' (available since 10.1.3) which will allow us to run the scripts and just update the user accounts without the need to drop and recreate grants if we so desire. Tested with my user account and runs good.
Thu, Apr 8
civicrm and superset accounts created. Passwords and instructions sent to Lindsay so she can initiate password changes and resets.
SSL client cert created and sent via email. Password sent via SMS.
Key file updated. Pushed to hosts and rmurthy verified access is working as expected. Closing.
Apr 7 2021
[frack::puppet] 7eb60640 Renaming of kmod blacklist to blocklist
This has been completed and pushed.
Apr 6 2021
Apr 5 2021
Apr 2 2021
Changes of note at this point: https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html
This has been completed and is in the regular review cycle.
Replication user on fundraising db set to require ssl. Grants script pushed and run on frdb1004. Replication stopped and restarted on a set of hosts and the connection succeeded and replication continues. mysql.user table shows updated ssl_type value.
Replication user on payments db set to require ssl. Grants script pushed and run on payments1001. Replication stopped and started on a subset of hosts and the connection continues. At the mysql.user table level, the change is seen in the ssl_type value.
Before:
+-------------+----------+
| User        | ssl_type |
+-------------+----------+
| replication |          |
| replication |          |
+-------------+----------+
After:
+-------------+----------+
| User        | ssl_type |
+-------------+----------+
| replication | ANY      |
| replication | ANY      |
+-------------+----------+
Apr 1 2021
This is complete. All hosts using GTID for replication.
Pushed this for make_grants to allow the ability to require ssl on user db connections. Not currently enabled for any accounts yet.
[frack::puppet::private] e69d624 Add requires option to user definitions
Mar 31 2021
All clear and good.
Mar 30 2021
This is not needed for our use cases. If it comes up as needed in the future we can revisit it.
This may be from the 'original' paypal integration and may not be of concern. We have time to research before May 1.
The stretch repos have been pulled from config, /var/www/reprepro/stretch removed, and puppet hosts sync'd.
There is a new task to track the failures to pull since they are not transport related. (T278878) Closing this task.
Mar 26 2021
DB is recloned. It and the source db (frdb2001) are back in action.
Ok, today's run failed in the same manner:
The date for this has come and gone. The ssh host key has not changed. There were 2 failmails related to the audit process but they were about failures to handle a corrupted file. Awaiting the run today to see if that has been sorted.
After digging in, I found the issue. There was one transaction that was skipped during the utf8mb4 testing and other work on frdb2002. When trying to reapply that transaction, I hit a snag with dupe keys on the log tables. This prompted the thought that the log tables may be 'off by one' on this host and could thus cause issues in the future. The cleanest and safest route is to reclone from frdb2001. This recloning has started.