Krenair (Alex Monk)
Wikimedia volunteer

Today

  • Clear sailing ahead.

Tomorrow

  • Clear sailing ahead.

Friday

  • Clear sailing ahead.

User Details

User Since
Oct 3 2014, 2:34 PM (228 w, 5 d)
Availability
Available
IRC Nick
Krenair
LDAP User
Alex Monk
MediaWiki User
Krenair [ Global Accounts ]

I am a Wikimedia volunteer helping in various technical ways. These days it's usually Beta Cluster, Cloud VPS, or Operations related. Since 2012 I've spent significant amounts of time involved in MediaWiki development, software deployments to the Wikimedia cluster, OTRS (email response to e.g. info-en@wikimedia.org addresses), and various other things.

Some of my old VisualEditor and other work (2014-2016) can be found under @AlexMonk-WMF instead.

I have opinions on things, which do not necessarily represent those of any organisation I am, have previously been, or will in the future be affiliated with.

Recent Activity

Yesterday

Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

It doesn't appear to work the same way:

krenair@deployment-db05:~$ sudo mariabackup --apply-log --use-memory=12G /srv/sqldata
Info: Using unique option prefix 'apply-log' is error-prone and can break in the future. Please use the full name 'apply-log-only' instead.
mariabackup: Error: unknown argument: '/srv/sqldata'
krenair@deployment-db05:~$ sudo mariabackup --apply-log --use-memory=12G --datadir /srv/sqldata
Info: Using unique option prefix 'apply-log' is error-prone and can break in the future. Please use the full name 'apply-log-only' instead.
mariabackup based on MariaDB server 10.1.38-MariaDB Linux (x86_64) 
Open source backup tool for InnoDB and XtraDB
Tue, Feb 19, 11:32 PM · Beta-Cluster-Infrastructure
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

And of course I can't find the package from db03/db04 because their apt status is corrupted...

Tue, Feb 19, 11:22 AM · Beta-Cluster-Infrastructure
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

-bash: innobackupex-1.5.1: command not found
-bash: innobackupex: command not found

Tue, Feb 19, 11:18 AM · Beta-Cluster-Infrastructure
Krenair merged T216484: Database locked on beta.wmflabs.org sites (deployment-db03 down?) into T216404: deployment-db03.deployment-prep.eqiad.wmflabs instance can not start.
Tue, Feb 19, 11:06 AM · User-Ryasmeen, Wikidata, User-Addshore, Cloud-VPS, cloud-services-team (Kanban), Beta-Cluster-Infrastructure
Krenair merged task T216484: Database locked on beta.wmflabs.org sites (deployment-db03 down?) into T216404: deployment-db03.deployment-prep.eqiad.wmflabs instance can not start.
Tue, Feb 19, 11:06 AM · Beta-Cluster-Infrastructure

Mon, Feb 18

Krenair added a comment to T216370: IP address list for grid nodes / Freenode iline request.

Have they added the whole range or just that NAT IP?
If they've just added the NAT IP, I expect problems will resume if the tools exec nodes get given floating IPs?

Mon, Feb 18, 11:17 PM · cloud-services-team (Kanban), wikimedia-irc-freenode, Toolforge
Krenair awarded T216451: Move DNS records for tools.eqiad.wmflabs to Designate a Evil Spooky Haunted Tree token.
Mon, Feb 18, 10:25 PM · cloud-services-team (Kanban), Toolforge
Krenair renamed T216419: Security review - Wikibase Termbox Front End from Security review Action Items to Security review Action Items - Wikibase Termbox Front End.
Mon, Feb 18, 4:58 PM · Security-Team-Review-Active
Krenair added a comment to T216321: beta-scap-eqiad repeat failures.

The DB one is probably me

Mon, Feb 18, 12:26 PM · Beta-Cluster-Infrastructure
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

Transfer running the documented way, screen import on -db05 and export on -db04.
Once this is done I'll probably make deployment-db06 and copy stuff there too, then make MediaWiki treat one of them as a master.

Mon, Feb 18, 12:11 PM · Beta-Cluster-Infrastructure
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

Strange since there is CuminExecution.py in the same directory as transfer.py

So WMFMariadbpy is WIP, and has not yet been productionized. It will likely search for those on /usr/lib/python/wmfmariadbpy . Either position those there or, easier until we have a proper .deb package,

-from wmfmariadbpy.RemoteExecution import RemoteExecution, CommandReturn
+from RemoteExecution import RemoteExecution, CommandReturn

on CuminExecution.py

and

-from wmfmariadbpy.CuminExecution import CuminExecution as RemoteExecution
+from CuminExecution import CuminExecution as RemoteExecution

on transfer.py so it can be found on .

I have yet to productionize this properly, that is why it is not yet deployed in production.

Mon, Feb 18, 11:58 AM · Beta-Cluster-Infrastructure

Sat, Feb 16

Krenair added a comment to T216208: ToolsDB overload and cleanup.

Also, you know, you're running outside of production.

Sat, Feb 16, 4:42 PM · Patch-For-Review, TCB-Team, Phragile, Data-Services, cloud-services-team (Kanban)

Thu, Feb 14

Krenair added a comment to T216126: Requesting contentadmin access for 'Lucas Werkmeister (WMDE)' on Wikitech.

Tools is a small fraction of the stuff with fingerprints recorded on wikitech: https://wikitech.wikimedia.org/wiki/Help:SSH_Fingerprints

Thu, Feb 14, 7:09 PM · cloud-services-team (Kanban), Toolforge, wikitech.wikimedia.org
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

I'm wondering if it's possible that the evacuation of db04 from the old broken hypervisor to the new one might have solved the problem.

Thu, Feb 14, 3:28 PM · Beta-Cluster-Infrastructure
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

Did someone fix deployment-db04? It appears to have MySQL running now...

Thu, Feb 14, 3:24 PM · Beta-Cluster-Infrastructure
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

When I go to the directory and do the import manually I get:

ariel@deployment-cumin:~/wmfmariadbpy/wmfmariadbpy$ python
 Python 2.7.9 (default, Sep 25 2018, 20:42:16) 
 [GCC 4.9.2] on linux2
 Type "help", "copyright", "credits" or "license" for more information.
>>> import CuminExecution.py
 Traceback (most recent call last):
   File "<stdin>", line 1, in <module>
   File "CuminExecution.py", line 3, in <module>
     import cumin
 ImportError: No module named cumin
>>>

so that's the problem I guess.

Thu, Feb 14, 1:06 PM · Beta-Cluster-Infrastructure
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

@Marostegui /srv/sqldata has 39G on it on db04, presumably that's pretty close to the amount of data on the master.

If the master cannot be put down to do a binary transfer, probably a mysqldump on the master and then importing it on the new instance is a good way to rebuild it.

Thu, Feb 14, 12:48 PM · Beta-Cluster-Infrastructure
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

I intend to attempt https://wikitech.wikimedia.org/wiki/Setting_up_a_MySQL_replica#Transferring_Data

If there was a working cumin installation on labs (or any other kind of remote execution system), transfer.py could be used which simplifies the process.

There is, at least for deployment-prep. I think there is one for general labs-wide cumin but that's not necessary. I'll look at this later, thanks.

Thu, Feb 14, 12:47 PM · Beta-Cluster-Infrastructure
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

and set mariadb::config::basedir: /opt/wmf-mariadb101

That shouldn't be necessary, I believe under stretch it defaults to /opt/wmf-mariadb101 (you only have to set it if you install a different package), but I can have a look if there is something wrong on the role or profile.

Thu, Feb 14, 10:18 AM · Beta-Cluster-Infrastructure
Krenair added a comment to T215046: RfC: Use Github login for mediawiki.org.

I think any user logging in through such a external provider should (unless they also pass some extra check done on our side like 2FA) be at least limited to the rights provided to standard logged in users, i.e. anything extra like sysop is discarded.

  • We should replace our current nomenclature of privileged and unprivileged accounts with two different levels of privilege: security-sensitive accounts (can deploy Javascript, access or leak private data, or manage user permissions which allow those things; potentially a few more things which could be extremely disruptive like mass import or deploying central notices (although currently those both allow deploying Javscript anyway)) and abuse-sensitive accounts that cannot be used for security exploits in the traditional sense but can be used for highly disruptive vandalism (page deletion, interface text modifications, abuse filter changes, high-volume edits, bot flag, probably a lot of other things). Membership in the first group should require 2FA no matter the login method (or at a minimum 2FA should be required to actually use those privileges). Membership in the second group should not require 2FA, but would result in a more aggressive password policy and logging. (This is something we need to do anyway since we want to require 2FA for checkusers, bureaucrats, interface admins etc, but don't consider requiring 2FA for all admins viable.) I think sysops are not really sensitive today so I wouldn't worry about them logging in via GitHub. This task is probably orthogonal - no reason to think GitHub login is more risky than our current password-based login, so it should not be a blocker.
Thu, Feb 14, 10:08 AM · User-Tgr, Privacy, Security, TechCom-RFC, Wikimedia-General-or-Unknown, GitHub-Mirrors

Wed, Feb 13

Krenair added a comment to T215046: RfC: Use Github login for mediawiki.org.

I think any user logging in through such a external provider should (unless they also pass some extra check done on our side like 2FA) be at least limited to the rights provided to standard logged in users, i.e. anything extra like sysop is discarded.

Wed, Feb 13, 11:21 PM · User-Tgr, Privacy, Security, TechCom-RFC, Wikimedia-General-or-Unknown, GitHub-Mirrors
Krenair updated the task description for T216067: Recover from corrupted beta MySQL slave (deployment-db04).
Wed, Feb 13, 8:19 PM · Beta-Cluster-Infrastructure
Krenair added a comment to T216067: Recover from corrupted beta MySQL slave (deployment-db04).

Along with the usual deployment-prep setup steps around puppet certs, I've applied the usual MySQL role and set mariadb::config::basedir: /opt/wmf-mariadb101 in hiera.
I then encountered this:

[ERROR] Could not open mysql.plugin table. Some plugins may be not loaded
[ERROR] Can't open and lock privilege tables: Table 'mysql.servers' doesn't exist
20<Krenair>30 following https://stackoverflow.com/questions/34198735/could-not-open-mysql-plugin-table-some-plugins-may-be-not-loaded
20<Krenair>30 moved /srv/sqldata out the way
20<Krenair>30  /opt/wmf-mariadb101/scripts/mysql_install_db --user=mysql --basedir=/opt/wmf-mariadb101 --datadir=/srv/sqldata
20<Krenair>30 ran puppet again
20<Krenair>30 Notice: /Stage[main]/Mariadb::Config/File[/srv/sqldata]/group: group changed 'root' to 'mysql'
20<Krenair>30 Notice: /Stage[main]/Mariadb::Config/File[/srv/sqldata]/mode: mode changed '0700' to '0755'
20<Krenair>30 Notice: /Stage[main]/Mariadb::Service/Service[mariadb]/ensure: ensure changed 'stopped' to 'running'
20<Krenair>30 mariadb is running
Wed, Feb 13, 8:13 PM · Beta-Cluster-Infrastructure
Krenair created T216067: Recover from corrupted beta MySQL slave (deployment-db04).
Wed, Feb 13, 8:12 PM · Beta-Cluster-Infrastructure
Krenair created P8078 deployment-db04 enwiki.logging corruption 2019-02-13.
Wed, Feb 13, 6:30 PM · Beta-Cluster-Infrastructure

Tue, Feb 12

Krenair awarded T215888: openstack-browser: include deployment view support a Like token.
Tue, Feb 12, 11:26 AM · Tools, cloud-services-team (Kanban)

Mon, Feb 11

Krenair renamed Acme-chief from Certcentral to Acme-chief.
Mon, Feb 11, 5:37 PM
Krenair added a comment to T215071: Merge Wikipedia subdomains into one, to discourage censorship.

How exactly would certs from LetsEncrypt be a downgrade in security?

I'm not an HTTPS expert but I imagine we wouldn't pay GlobalSign if we considered free LetsEncrypt certificates of equal value.

We can't get some types of cert (Extended Validation, among others) from LE, so that is one reason for some of our certs still being purchased elsewhere.

Mon, Feb 11, 8:05 AM · Domains, DNS, Traffic, Operations, HTTPS

Sun, Feb 10

Krenair added a comment to T215071: Merge Wikipedia subdomains into one, to discourage censorship.

At some point maybe we could downgrade their security and just letsencrypt them

Sun, Feb 10, 2:27 AM · Domains, DNS, Traffic, Operations, HTTPS

Fri, Feb 8

Krenair updated the task description for T215046: RfC: Use Github login for mediawiki.org.
Fri, Feb 8, 8:56 PM · User-Tgr, Privacy, Security, TechCom-RFC, Wikimedia-General-or-Unknown, GitHub-Mirrors
Krenair added a comment to T215617: Toolforge: Re-evaluate root and user SSH access to nodes.

Isn't the SSHd config standard across all Wikimedia machines? I think prod roots can log in there directly as root over SSH...

Fri, Feb 8, 2:38 PM · cloud-services-team (Kanban), Toolforge

Thu, Feb 7

Krenair added a comment to T215376: mwscript dies on mwmaint with PHP=php7.2 due to php-redis missing.

In modules/contint/manifests/packages/php.pp we're doing ensure => latest

We should probably stop doing that. Surprise upgrades from "latest" have bitten us too much in the past.

Thu, Feb 7, 1:24 PM · User-jijiki, serviceops, Operations, Wikimedia-General-or-Unknown, PHP 7.2 support
Krenair added a watcher for PHP 7.2 support: Krenair.
Thu, Feb 7, 1:18 PM
Krenair added a comment to T214998: Remove .m. subdomain, serve mobile and desktop variants through the same URL.

(People interested in merging subdomains may also be interested in T215071: Merge Wikipedia subdomains into one, to discourage censorship which is about merging languages)

Thu, Feb 7, 12:50 PM · Readers-Web-Backlog (Tracking), Traffic, Operations, MobileFrontend

Wed, Feb 6

Krenair added a comment to T215046: RfC: Use Github login for mediawiki.org.

Have we audited Github's login code to ensure it's as secure as our own username+password system?

Wed, Feb 6, 11:35 PM · User-Tgr, Privacy, Security, TechCom-RFC, Wikimedia-General-or-Unknown, GitHub-Mirrors
Krenair added a comment to T204694: cloudvps: telnet project trusty deprecation.

Can that remaining VM be deleted now?

Wed, Feb 6, 2:33 PM · Cloud-VPS (Ubuntu Trusty Deprecation)

Tue, Feb 5

Krenair added a comment to T199207: 404 on workboard for an existing project (due to custom filter applied which did not exist in database).

Fixed MinervaNeue

Tue, Feb 5, 4:35 PM · Phabricator (Upstream), Upstream, User-MModell, Release-Engineering-Team (Kanban), User-Ryasmeen
Krenair merged T215291: #MinervaNeue 404s despite seemingly not restricted into T199207: 404 on workboard for an existing project (due to custom filter applied which did not exist in database).
Tue, Feb 5, 4:32 PM · Phabricator (Upstream), Upstream, User-MModell, Release-Engineering-Team (Kanban), User-Ryasmeen
Krenair merged task T215291: #MinervaNeue 404s despite seemingly not restricted into T199207: 404 on workboard for an existing project (due to custom filter applied which did not exist in database).
Tue, Feb 5, 4:32 PM · Phabricator
Krenair added a comment to T215291: #MinervaNeue 404s despite seemingly not restricted.

Oh this is an old bug, the trick is to go to a query URL like https://phabricator.wikimedia.org/project/board/2799/query/LhkyKh0DN2_0/ (where 2799 comes from the /project/view/ URL you posted above, and the query string is any random query string you can get by filtering any other workboard) and saving the filtering as default on the broken workboard. Then you can go to Open Tasks and Save As Default on that. I've done it for this one.

Tue, Feb 5, 4:31 PM · Phabricator

Mon, Feb 4

Krenair awarded T215217: deployment-prep: Code stewardship request a Evil Spooky Haunted Tree token.
Mon, Feb 4, 10:46 PM · Beta-Cluster-Infrastructure, Code-Stewardship-Reviews
Krenair awarded T215211: cloud instance rescue tools a Cookie token.
Mon, Feb 4, 10:40 PM · Patch-For-Review, Cloud-VPS, cloud-services-team (Kanban)
Krenair added a comment to T215211: cloud instance rescue tools.

Per discussion on IRC, production hosts are trusted to some extent. If we had a single global root password in labs, even if the VMs only ever stored a hash of it, someone could make a software change within the instance to record all root password attempts (even via console) - potentially then simply breaking their instance and asking for rescue to silently acquire the password, and use it to escalate privileges on any other labs host they have access to (e.g. ordinary tools user to root), or potentially log straight into any that allow root password SSH (so probably not those actively running our puppet).

Mon, Feb 4, 10:30 PM · Patch-For-Review, Cloud-VPS, cloud-services-team (Kanban)
Krenair added a comment to T207389: Rename the Certcentral project.

acme-chief sounds fine

Mon, Feb 4, 10:04 AM · Patch-For-Review, Acme-chief

Sun, Feb 3

Krenair closed T215112: +2 for Zoranzoki21 in mediawiki/* as Declined.

I have to agree, adding a few comments with @covers does not come close to the generally expected requirements for this.
To answer your question about what would qualify as an actual code contribution you should at least be altering the logic used in the code that gets run by the wiki.

Sun, Feb 3, 2:18 AM · Repository-Ownership-Requests

Fri, Feb 1

Krenair added a comment to T215074: Support Keystone Application Credentials.

I'm not familiar with the workings of that particular client but can't people just insert their username+password once and get their (normal, current system) token, and store the token in memory for use like a session cookie would for Horizon? Is there any need for the user to store their username+password locally?

They could but is that's less secure than a scope API token. Usually, systems use API tokens for automation rather than requiring user/password to be entered every time. I think this is a common pattern everywhere and I don't see what's specific constrain in Cloud VPS that wouldn't permit to adopt this way of working.

Fri, Feb 1, 10:27 PM · cloud-services-team (Kanban), Cloud-VPS
Krenair added a comment to T215074: Support Keystone Application Credentials.

Why couldn't people use Terraform against the API with user+password, instead of user+password through their browser+Horizon? Are you worried that people might end up storing their password in an insecure manner, but that tokens would be stored securely and be scoped appropriately?

Yes, Terraform against the API directly with App Credentials instead of user+password (so people don't have to store their dev account credentials in plain text somewhere). And yes, scoped tokens would be preferred as well, so impact is limited in case of a compromise.

I'm not familiar with the workings of that particular client but can't people just insert their username+password once and get their (normal, current system) token, and store the token in memory for use like a session cookie would for Horizon? Is there any need for the user to store their username+password locally?

Fri, Feb 1, 10:07 PM · cloud-services-team (Kanban), Cloud-VPS
Krenair added a comment to T215074: Support Keystone Application Credentials.

Why couldn't people use Terraform against the API with user+password, instead of user+password through their browser+Horizon?

Fri, Feb 1, 9:27 PM · cloud-services-team (Kanban), Cloud-VPS
Krenair added a comment to T215074: Support Keystone Application Credentials.

Right now AFAIK, the APIs are only available internally within labs/prod, and logins from within labs are (basically) restricted to the read-only user. People aren't going to be running terraform against labs from within prod. Without changing the network restrictions to allow the outside world I don't see the use case.

Fri, Feb 1, 8:08 PM · cloud-services-team (Kanban), Cloud-VPS
Krenair added a comment to T215076: Disable Two-factor authentication for user seicer.

We use TOTP authentication as the second factor, not SMS, there's no phone numbers involved...

Fri, Feb 1, 8:04 PM · Trust-and-Safety
Krenair added a comment to T215046: RfC: Use Github login for mediawiki.org.

you need a wiki account to use the support desk

Fri, Feb 1, 5:09 PM · User-Tgr, Privacy, Security, TechCom-RFC, Wikimedia-General-or-Unknown, GitHub-Mirrors
Krenair added a comment to T215072: Request creation of globalcu VPS project.

IIRC it doesn't provide backends with the remote IP, but probably does UA. You might find you are able to prevent the UA being made available to MediaWiki on your end, not sure.
This sounds okay as long as you use all the relevant banners from the TOU, and don't need to recreate a beta-cluster/prod style infrastructure (it sounds like a single vagrant VM is all so this should be fine)

Fri, Feb 1, 5:06 PM · cloud-services-team (Kanban), Cloud-VPS (Project-requests)
Krenair added a comment to T215046: RfC: Use Github login for mediawiki.org.

I'm also not convinced at all that difficulty in recruiting volunteer
developers is down to our relatively obscure (among the wider software
development world) authentication system.

Fri, Feb 1, 4:51 PM · User-Tgr, Privacy, Security, TechCom-RFC, Wikimedia-General-or-Unknown, GitHub-Mirrors
Krenair added a comment to T215046: RfC: Use Github login for mediawiki.org.

If we're talking about adding an external auth provider, what would the UX
be when, after someone logs in via GitHub and gets used to that, we decide
to remove external authentication? It sounds to me like this could be hard
to undo.

Fri, Feb 1, 4:49 PM · User-Tgr, Privacy, Security, TechCom-RFC, Wikimedia-General-or-Unknown, GitHub-Mirrors
Krenair added a comment to T215071: Merge Wikipedia subdomains into one, to discourage censorship.

I'm not sure it's strictly resolved, I wouldn't say it's invalid and I don't think it would get outright declined either. I feel like this must've been discussed before somewhere so there should be a related (duplicate?) task hanging around somewhere.
There's some considerations that would go into this though - Is it worth it - is there any real strategic advantage here or are we just going to wind up with the people who would block one language version instead just blocking all language versions? How easy is it to change our setup (and redirect all existing URLs) to support this? Are there any significantly negative SEO implications that would follow such a URL change?

Fri, Feb 1, 4:06 PM · Domains, DNS, Traffic, Operations, HTTPS
Krenair added a comment to T215071: Merge Wikipedia subdomains into one, to discourage censorship.

Well you wouldn't be able to distinguish e.g. English Wikipedia from French Wikipedia traffic by looking at the DNS lookup or TLS SNI anymore. Encrypting SNI is already being covered in T205378: Enable ESNI support on Wikimedia servers though.

Fri, Feb 1, 3:55 PM · Domains, DNS, Traffic, Operations, HTTPS

Thu, Jan 31

Krenair added a comment to T211559: Notification links redirects to desktop site .

This may become obsolete by T214998

Thu, Jan 31, 12:56 AM · Notifications, Growth-Team, MobileFrontend
Krenair added a comment to T195494: Handle mobile domains in core.

Suggest getting rid of such domains instead: T214998: Remove .m. subdomain, serve mobile and desktop variants through the same URL

Thu, Jan 31, 12:55 AM · Readers-Web-Backlog (Tracking), User-Jdlrobson, MediaWiki-General-or-Unknown, MobileFrontend
Krenair added a comment to T198969: Ensure links on the mobile version of pages are not to the desktop version.

Let's just scrap the whole domain: T214998: Remove .m. subdomain, serve mobile and desktop variants through the same URL

Thu, Jan 31, 12:53 AM · Readers-Web-Backlog (Tracking), MobileFrontend, Mobile, SEO
Krenair added a comment to T60425: Mobile site does not automatically redirect to desktop version (and not possible to use browser "use desktop view").

See also T214998: Remove .m. subdomain, serve mobile and desktop variants through the same URL

Thu, Jan 31, 12:45 AM · Puppet, User-Jdlrobson, Readers-Web-Backlog (Tracking), MobileFrontend
Krenair awarded T214998: Remove .m. subdomain, serve mobile and desktop variants through the same URL a Mountain of Wealth token.
Thu, Jan 31, 12:43 AM · Readers-Web-Backlog (Tracking), Traffic, Operations, MobileFrontend

Wed, Jan 30

Krenair added a comment to T62169: Global equivalent of autoconfirmed group.

Groups can be made by stewards but for the stewards to make such a group there'd need to be a global autopromotion mechanism which I don't think we have.

Wed, Jan 30, 9:05 PM · Stewards-and-global-tools, MediaWiki-extensions-CentralAuth, Wikimedia-Site-requests
Krenair added a comment to T214767: Redirect from http://wdcm.wmflabs.org/* to http://wmdeanalytics.wmflabs.org/*.

There is no process for requesting redirects like this, if you want to do that, point the domain to be redirected at your instance and configure your instance to return the right redirects. I think an nginx site config for it would look like this:

server {
        listen 9001;
        server_name wdcm.wmflabs.org;
        return 301 https://wmdeanalytics.wmflabs.org;
}

with the port number being up to you

Wed, Jan 30, 5:56 PM · Wikidata-Campsite (Wikidata-Campsite-Iteration-∞), User-Addshore, WMDE-Analytics-Engineering, User-GoranSMilovanovic, Cloud-VPS
Krenair added a comment to T208052: Server side upload for Victorgrigas.

2 months should be more than enough

Wed, Jan 30, 1:24 AM · video2commons, Commons, Wikimedia-Site-requests

Tue, Jan 29

Krenair added a comment to T214819: Add license statement to Grafana dashboards.

this seems relevant: https://meta.wikimedia.org/wiki/Wikilegal/Database_Rights
it sounds to me like the argument that this would not be copyrighted anywhere could be true

Tue, Jan 29, 5:56 PM · Performance-Team (Radar), Graphite, WMF-Legal, Software-Licensing, Operations
Krenair added a comment to T204506: cloudvps: maps project trusty deprecation.

It's now over a week since more information was requested.

Tue, Jan 29, 5:37 PM · User-TheDJ, Cloud-VPS (Ubuntu Trusty Deprecation), Maps

Mon, Jan 28

Krenair added a comment to T214820: Enable CheckUser for beta cluster.

Yeah but to SSH in you would've had to agree to the labs TOU at some point. I don't think that's needed to hold on-wiki flags.

Mon, Jan 28, 1:41 PM · Trust-and-Safety, WMF-Legal, Patch-For-Review, Beta-Cluster-Infrastructure, User-Rxy, CheckUser

Sat, Jan 26

Krenair added a comment to T214764: Find all "MediaWiki message delivery" accounts across Wikimedia sites and have them all properly connected via SUL.

What purpose would SUL serve for system users?

Sat, Jan 26, 4:11 PM · Wikimedia-Site-requests, MediaWiki-extensions-CentralAuth, MassMessage
Krenair added a subtask for T28508: Content Security Policy (CSP): T214743: Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain).
Sat, Jan 26, 12:41 AM · Front-end-Standards-Group, Security, Security-Team, WorkType-NewFunctionality, MediaWiki-General-or-Unknown
Krenair added a parent task for T214743: Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain): T28508: Content Security Policy (CSP).
Sat, Jan 26, 12:41 AM · CodeEditor
Krenair added a comment to T214743: Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain).

hm, that doesn't match *.wikipedia.org ?

Sat, Jan 26, 12:41 AM · CodeEditor

Fri, Jan 25

Krenair added a comment to T214604: OTRS receiving flood of emails.

Junk is up to 19021 and rising fast. At least they're not going into proper queues now.

Fri, Jan 25, 2:14 PM · Mail, Operations, OTRS
Krenair renamed T214604: OTRS receiving flood of emails from OTRS receiving flood of emails into info-en-c to OTRS receiving flood of emails.
Fri, Jan 25, 2:14 PM · Mail, Operations, OTRS

Thu, Jan 24

Krenair added a comment to T214604: OTRS receiving flood of emails.

@Ruthven: Looks like another one is here

Thu, Jan 24, 8:22 PM · Mail, Operations, OTRS
Krenair triaged T214604: OTRS receiving flood of emails as Unbreak Now! priority.

Began around 16:30, @akosiaris is looking into it

Thu, Jan 24, 5:11 PM · Mail, Operations, OTRS
Krenair created T214604: OTRS receiving flood of emails.
Thu, Jan 24, 5:10 PM · Mail, Operations, OTRS
Krenair added a comment to T214558: Puppet failure on deployment-prometheus01.deployment-prep.eqiad.wmflabs.

I think you have to give up deployment-prep adminship (and possibly membership?) to avoid getting emails about puppet failures there.

Thu, Jan 24, 10:49 AM · monitoring, Puppet, Beta-Cluster-Infrastructure

Tue, Jan 22

Krenair awarded T210313: Statistics for views of individual Wikimedia images a Like token.
Tue, Jan 22, 7:28 PM · Analytics, Tool-Pageviews
Krenair added a comment to T214201: Implement NSFW image classifier using Open NSFW.

Given the number of random members of the public that've emailed OTRS about such attacks I don't think it's a particularly well-kept secret at this point.

Tue, Jan 22, 4:34 PM · artificial-intelligence, Scoring-platform-team
Krenair added a comment to T214201: Implement NSFW image classifier using Open NSFW.

Why has an anti-vandalism ticket like this become private? It appears to be even further than standard security, this is actually #acl*security_team instead of Security ?

Tue, Jan 22, 4:06 PM · artificial-intelligence, Scoring-platform-team

Mon, Jan 21

Krenair added a comment to T214334: Beta cluster: Confirm email doesn't work.

done

Mon, Jan 21, 11:06 PM · User-DannyS712, Beta-Cluster-Infrastructure
Krenair merged T214334: Beta cluster: Confirm email doesn't work into T212327: Beta Cluster mailer not sending emails.
Mon, Jan 21, 11:03 PM · User-DannyS712, Cloud-VPS, Beta-Cluster-reproducible, Patch-For-Review, Mail
Krenair merged task T214334: Beta cluster: Confirm email doesn't work into T212327: Beta Cluster mailer not sending emails.
Mon, Jan 21, 11:03 PM · User-DannyS712, Beta-Cluster-Infrastructure
Krenair reopened T204694: cloudvps: telnet project trusty deprecation as "Open".

@GTirloni: https://tools.wmflabs.org/openstack-browser/server/telnet2.telnet.eqiad.wmflabs

Mon, Jan 21, 9:18 PM · Cloud-VPS (Ubuntu Trusty Deprecation)

Jan 21 2019

Krenair added a comment to T214313: Add new Tool Labs IPs to Varnish rate limit whitelist.

Tools cannot be done separately, it does not have an IP space of it's own, tools instances are scattered around the same network as instances from other projects.

Jan 21 2019, 4:45 PM · Toolforge, Wikimedia-Apache-configuration, Operations, Traffic
Krenair added a comment to T204703: cloudvps: wildcat project trusty deprecation.

@GTirloni: doesn't look like it: https://tools.wmflabs.org/openstack-browser/server/danny-b.wildcat.eqiad.wmflabs

Jan 21 2019, 4:43 PM · Patch-For-Review, Cloud-VPS (Ubuntu Trusty Deprecation)
Krenair edited projects for T214278: Quickstatements, "backend is overloaded", added: Toolforge; removed Cloud-Services.
Jan 21 2019, 9:56 AM · Tools, Toolforge

Jan 20 2019

Krenair added a parent task for T133548: Create a secure redirect service for large count of non-canonical / junk domains: T190244: en-wp.org certificate error.
Jan 20 2019, 3:42 AM · Patch-For-Review, HTTPS, Operations, Traffic
Krenair added a subtask for T190244: en-wp.org certificate error: T133548: Create a secure redirect service for large count of non-canonical / junk domains.
Jan 20 2019, 3:42 AM · Domains, Operations, Traffic, Wikimedia-Apache-configuration
Krenair removed a subtask for T133548: Create a secure redirect service for large count of non-canonical / junk domains: T190244: en-wp.org certificate error.
Jan 20 2019, 3:42 AM · Patch-For-Review, HTTPS, Operations, Traffic
Krenair removed a parent task for T190244: en-wp.org certificate error: T133548: Create a secure redirect service for large count of non-canonical / junk domains.
Jan 20 2019, 3:42 AM · Domains, Operations, Traffic, Wikimedia-Apache-configuration
Krenair added a parent task for T133548: Create a secure redirect service for large count of non-canonical / junk domains: T214253: en.wikipedia.com [sic] serves an invalid certificate.
Jan 20 2019, 3:40 AM · Patch-For-Review, HTTPS, Operations, Traffic
Krenair added a subtask for T214253: en.wikipedia.com [sic] serves an invalid certificate: T133548: Create a secure redirect service for large count of non-canonical / junk domains.
Jan 20 2019, 3:40 AM · Operations, Traffic, HTTPS
Krenair added a comment to T214253: en.wikipedia.com [sic] serves an invalid certificate.

https://www.wikipedia.com works fine.

Jan 20 2019, 3:39 AM · Operations, Traffic, HTTPS
Krenair added projects to T214253: en.wikipedia.com [sic] serves an invalid certificate: HTTPS, Traffic, Operations.

I think wikipedia.com is a junk redirect domain which makes this another case of T133548: Create a secure redirect service for large count of non-canonical / junk domains

Jan 20 2019, 3:38 AM · Operations, Traffic, HTTPS

Jan 19 2019

Krenair closed T207373: Remove maximum version dependencies as Resolved.
Jan 19 2019, 9:36 PM · Patch-For-Review, Acme-chief
Krenair created P8010 tourbot error.
Jan 19 2019, 9:02 PM
Krenair updated subscribers of T196802: Remove deprecated mediawiki.api.* dependencies from extensions.

I've gone through @Krinkle's mwgreps and dealt with on-wiki uses of those modules

Jan 19 2019, 8:36 PM · MW-1.33-notes (1.33.0-wmf.16; 2019-02-05), Readers-Web-Backlog (Tracking), MediaWiki-extensions-General
Krenair added a comment to T204527: cloudvps: osmit project trusty deprecation.

Yes and I see you marked it in use in the last purge. However a project also needs to be maintained.

Jan 19 2019, 2:40 PM · Cloud-VPS (Ubuntu Trusty Deprecation)

Jan 18 2019

Krenair added a comment to T214201: Implement NSFW image classifier using Open NSFW.

Yes. I believe that when opening a task around a subject that may involve controversy, it can be helpful to provide any context showing how this is not the same thing as was argued over last time, and that transparency is highly valued around here :)

Jan 18 2019, 10:22 PM · artificial-intelligence, Scoring-platform-team