JFTR, the mediawiki announcement referred to these under the CVE ID assigned for curl, but in the meantime these got assigned separate CVE IDs for guzzle. I'm renaming the task accordingly.
Last status updates have been here: https://phabricator.wikimedia.org/T247653#7974301
Wed, Jun 29
This appeared in the CVE feed as https://www.cve.org/CVERecord?id=CVE-2022-34750
Maybe we need to run "swapoff -a" prior to the wipefs call?
Can't we just import the Cassandra 4 debs and use those? The work needs to happen at some point anyway and it's a fresh cluster. Buster is almost three years old, going into LTS stage in a month and per our designated OS lifecycle has a year left...
This is complete
Tue, Jun 28
We discussed this in yesterday's SRE IF meeting: Let's start by adding sudo permissions for the three cookbooks listed, homer will be implicitly started by these cookbooks. +2 on Puppet is root-equivalent and there should be very few cases left where it's needed for the server racking workflow (e.g. for extending the partman globbing if there's a new server naming scheme). If those remaining cases are identified, then this can also trickle into future automation work (e.g. the partman config could become a drop-down menu in Netbox at some point).
Mon, Jun 27
I have updated our PHP build in component/php74 to the latest 7.4.x release; 7.4.30. Uploaded as 7.4.30-3+0~20220627.69+debian10~1.gbpf2b381+wmf1+buster1
Sat, Jun 25
Fri, Jun 24
These look fine. Our Ganeti cookbook doesn't allow creating disks in plain mode, so these will be created using DRBD and then reconfigured to plain mode. Just ping me if you run into any issues.
This is completed
This is complete, all puppet-managed Diamond collectors are gone by now.
Thu, Jun 23
"Wikimedia's installations of Ganeti, a clustered virtual machine management stack" should do, along with a link to https://wikitech.wikimedia.org/wiki/Ganeti
With a hacked-up config on idp-test.w.o and when configuring a user to pass mfa-webauthn to the Groovy script I'm getting into the webauthn device registration dialogue. Registering the token fails since no datastore is defined yet. I tried to set cas.authn.mfa.web-authn.core.trusted-device-metadata.location to a file URI, but that bails out with a bean error related to the fasterxml parser, I guess I need to provide some stub XML file there, needs some poking.
cas 6.5.5 has been built and uploaded to apt.wikimedia.org. It's currently installed on idp-test.wikimedia.org and functionality is working fine. The WMF-specific theming needs to be adapted still, the login screen is currently visually a little distorted.
Wed, Jun 22
Since there were no further objections, the repository has now been removed.
Tue, Jun 21
This is complete
ganeti4004 has been added to the ganeti/ulsfo cluster now. Cluster is currently rebalancing.
Mon, Jun 20
Due to a dependency on python-yaml in https://gerrit.wikimedia.org/r/admin/repos/operations/debs/cassandra-tools-wmf, we'd need to create a new package that depends on python3-yaml and upload it to bullseye-wikimedia (at least this is my understanding, let me know if there is more).
Fri, Jun 17
Thanks! I'll do that on Tuesday
I reached out to Marc-André Pelletier (Coren) via email and he replied the following (quoted with his permission), as such I'm listing him under CONTRIBUTORS with his firstname.lastname@example.org email address:
This is complete.
This is complete. The eqsin cluster is affected by T309724, but that will be investigated via that task (and it doesn't have a functional impact apart from the fact that gnt-cluster verify fails)
This is complete. The ulsfo cluster is affected by T309724, but that will be investigated via that task (and it doesn't have a functional impact apart from the fact that gnt-cluster verify fails)
The server can be powered down any time, while it already has the ganeti role, it's not yet added to the cluster.
The server doesn't have virtualisation enabled. I tried to enable it via the BIOS over the serial console, but I'm not getting a console, just "Unified Server Configurator does not support console redirection", does this need to be enabled somewhere?
Thu, Jun 16
This is complete.
Wed, Jun 15
I also removed logsteralarms@ earlier in the day, it's no longer needed.
Ben and myself did some debugging: While we had been using CAS for Hue for the last two years, it was never explicitly enabled within Hiera: profile::hue::enable_cas was still set to false as in the original commit which introduced it: https://github.com/wikimedia/puppet/commit/b9c17a9a4a5a6c21c04791830713b42c93eb2c1c
Tue, Jun 14
Sorry, there was something still missing. It should be fixed now, I have just merged the patch (but it will take up to 30 minutes for Puppet to deploy the change fully). Please let me know if that fixes access for you.
Mon, Jun 13
A new chromium version has been released, the new target version is 102.0.5005.115-1~deb11u1
ganeti3001 is removed from the cluster, downtimed and needs the same firmware/NIC updates to enable the reimage to Bullseye.
Sun, Jun 12
The immediate issue has been resolved, closing. There are some actionables, but rather sub tasks to existing tasks and those will be created early next week.
Fri, Jun 10
Thu, Jun 9
ganeti3002 is removed from the cluster, downtimed and needs the same firmware/NIC updates to enable the reimage to Bullseye.