User Details
- User Since
- Nov 25 2014, 1:54 PM (499 w, 20 m)
- Availability
- Available
- IRC Nick
- Jeff_Green
- LDAP User
- Jgreen
- MediaWiki User
- Jgreen (wmf)
Yesterday
There's a script in the internal frack "packages" repository that fetches the package and reports the portion of changelog associated with the latest package. The deb package is then added to the frack internal repository using "reprepro includedeb".
The basic install of dagster and its dependencies has been puppetized. Puppet also configures a pip-audit script to check for updates in the virtualenv and emails with success (clean audit) or an alert (patches are available). There's no project configuration in puppet yet; this part will be developed with BDC.
Thu, Jun 13
This needs some thought and investigation. Maybe we can just modify djangobannerstats to drop the additional logs into pgehres.landingpageimpressions_raw even though the new rows will be missing a couple of fields. This works with the existing schema, but we'd need to make sure anything querying that table will handle/ignore rows missing those fields.
Tue, Jun 11
More on vulnerability tracking. This isn't awesome but:
https://github.com/minio/minio/security executive summary: watch the blog :-|
May 13 2024
Looks like coincidental rolling kafka restarts.
This isn't limited to the two hosts I mentioned above. It seems like at any given time one of the kafka-jumbo hosts is refusing connections.
Hmmmm. I'm seeing this occasionally:
May 9 2024
I ended up using nginx "access_by_lua_file" to use a lua function to cycle through a list of regexes (roughly one per package) and return a 403 if there's no match.
May 7 2024
(Puppetized) progress so far: I have an nginx https vhost running on tcp/444, and have configured pip to route everything to that host/port as a mirror. That vhost does a proxy_pass to either pypi or the package mirror depending on the request, and it restricts requests to GETs. It also modifies the response content on indexes to rewrite the host in package URLs, so that traffic also goes through the proxy.
Bumping this task back to "Up Next" because there is renewed interest from FR Analytics on whether this is feasible.
May 3 2024
Now on to pip-audit, which has the https://pypi.org/... address hardcoded in lib/python3.11/site-packages/pip_audit/_service/pypi.py.
Fixed by rewriting the URL in the response in nginx.
Scratch that. Pip is just getting the index files from pypi. Back to the drawing board.
I looked at using pip with a proxy or mirror. The proxy behavior was not what I expected. With "proxy = http://..." pip attempts to tunnel through the proxy to remote port 443. This doesn't fit our existing nginx filtering+caching proxy scheme which is mainly for apt. I had better luck treating the proxy as a mirror. I also ran into an issue around SNI, since our existing configuration didn't employ this when connecting to the upstream server.
Feb 26 2024
Switched to the new cert and we're still getting an A+ from Qualys SSL Labs, so this is done!
Feb 22 2024
We've received the new certificate and deployed it to the backup servers at codfw. So far things look good; it's showing up here: https://crt.sh/?id=12150254625 . We'll give it a couple more days before deploying it to the live servers.
Feb 15 2024
Done!
Feb 7 2024
@jhathaway I am fairly confident what we're seeing in the postmaster tools is misleading reporting based on no data. Looking at all the dmarc feedback we collected via the feedback address, since 6/23 there are only a handful of reports which are all dkim/spf failures from non-wmf IPs. So I think there is no legitimate mail being sent with this domain, other than its use in the envelope sender for the passing mail above.
@jhathaway looking at examples of normal TY emails from civicrm, the ARC-Authentication-Results header shows dkim=pass and spf=pass but, as expected, it is signed for the @wikimedia.org domain of the message header. So I suspect these messages are being counted in the postmaster tools success rate for domain wikimedia.org.
Feb 6 2024
@jhathaway interesting, I see what you mean re. dkim and dmarc authentication success rate for the domain. I will investigate tomorrow!
Feb 2 2024
I got the software install, schema fixes, and basic database upgrade to work in testing. Next step is to try upgrading the live instance and make sure various charts and reports work properly.
Jan 18 2024
Switched project tags because the documentation referenced on this task is for FR Tech, not FR Tech Operations.
Dec 12 2023
We scrape some metrics from logs that could be informative and/or useful for comparison re. this task: https://frmon.wikimedia.org/d/xbcwsjY4k/payment-transaction-outcomes?orgId=1&refresh=1m