User Details
- User Since
- Apr 1 2015, 4:33 PM (426 w, 2 d)
- Availability
- Available
- LDAP User
- Moritz Mühlenhoff
- MediaWiki User
- MMuhlenhoff (WMF)
Today
sre.ganeti.makevm now supports fractions of gigabytes.
Is there a task about the udp2log porting work to Python 3, or will that be unnecessary due to T205856?
The old-style syntax is used all over the place and it would be a significant effort to change. Since it will continue to be supported by Apache in the foreseeable future, marking as declined for now.
Yesterday
Wed, May 31
This happened via T337269
Tue, May 30
Fri, May 26
Indeed, there's nothing really to fix here (or something changed between 2018 and now): perf-roots grants a few people root access on app servers and caches to help them debug some issues. Deployment access is mostly unrelated to that.
I'd say let's just remove legacy_compat, nothing should rely on it anymore.
I think this is resolved. Since this task was opened we obsoleted some controllers and generally shrunk the list of packages we imported for later distro releases.
Yes, I think we can close this. This didn't cause any other issue AFAICT (in fact I don't remember the issue that prompted to file the task) and we're moving away from Exim anyway.
Mon, May 22
I've updated https://wikitech.wikimedia.org/wiki/Ganeti to point to the new cookbook
The old cookbook has been removed and the docs were updated.
Fri, May 19
So far we've been only using Apereo CAS for authentication against our self-hosted infrastructure. Given that SemGrep is more along the lines of other SaaS solutions provided to staff, I think it makes more sense to integrate it into Okta.
New target version is 113.0.5672.126:
https://lists.debian.org/debian-security-announce/2023/msg00095.html
@ayounsi There's now netflow2003 running Bookworm with FNM 1.2.4. If that works fine, we can reimage the other netflow* VMs in-place once Bookworm is stable.
Wed, May 17
I think I'll simply backport/release the patch to bullseye-security, then we can simply re-use the resulting binary and import it to buster-wikimedia (it only depends on adduser, libc6 (>= 2.4), lsb-base)
I think you should simply add nfsv4 to profile::debdeploy::client::exclude_filesystems, that will entirely make the issues vanish. We have similar config snippets in production for systems with an HDFS mount (such as the stat* nodes).
Usual IANAL disclaimer ahead: If this were a software license this would not meet the standard required by OSI. They e.g. cover this in the FAQ at https://opensource.org/faq/#evil and one infamous example is the JSON license (http://www.json.org/license.html) for which https://lwn.net/Articles/707510/ is a nice writeup. That said, restrictions might not be fully enforced (I have no idea if "You agree not to use the Model or Derivatives of the Model" is a binding restriction?)
Tue, May 16
Thanks for all the input, much appreciated! I'll revise the plan and update the task in the next days.
Old task, no longer really actionable at this point and this hasn't been seen since then.
Thu, May 11
The installer is working fine for baremetal and VM installations, but there will be a few more RC releases before the final release, so keeping the task open for now.
Wed, May 10
Tue, May 9
One other actionable: We'd need a new LDAP group (e.g. cn=fr-tech-admins or cn=fr-tech-sres) which grants +2 on operations/git.dns
AFAICS there are two remaining use cases for the private repo:
Mon, May 8
The current VMs are quite overdimensioned in terms of CPU cores: I'd go with 4G RAM, 4 CPUs and 20G disk space instead for ldap-rw1001/2001
Fri, May 5
Maybe it's time to add "Mail security-help@wikimedia.org to get Security access in Phabricator" as part of the onboarding checklist for SREs. Anyone in SRE needs to be able to react to Security tasks opened by users, so this seems like a sensible default.
Thu, May 4
You need to email security-help@wikimedia.org, they make the change.
May 3 2023
This is resolved:
- apt sources on remaining stretch servers stopped using the mirrors
- stretch-based images are no longer being reported by docker-reporter and no longer being built in the core images
- support for stretch has been removed from the cowbuilders on build2001
I could track this down to the upstream security fix for https://www.cve.org/CVERecord?id=CVE-2020-27759.
May 2 2023
Apr 28 2023
Narrowed down to these three patches: