
Vgutierrez (Valentín Gutiérrez)
Traffic Security Engineer

User Details

User Since: Feb 12 2018, 9:51 AM (79 w, 2 d)
Availability: Available
IRC Nick: vgutierrez
LDAP User: Vgutierrez
MediaWiki User: Unknown

Recent Activity

Mon, Aug 19

Vgutierrez closed T225945: acme-chief staging time not working as expected as Resolved.

Yes :) it's working as expected.. latest renewal of unified and non-canonical-redirect certs set has been done with the proper staging time, as an example:

vgutierrez@acmechief1001:~$ sudo -i ls -alh /var/lib/acme-chief/certs/unified/
[..snip..]
drwxr-x---  2 acme-chief acme-chief 4.0K Jul 26 10:05 a40ba19e20ff4516bb7906d154cf5539
lrwxrwxrwx  1 acme-chief acme-chief   32 Aug  2 07:07 live -> a40ba19e20ff4516bb7906d154cf5539
lrwxrwxrwx  1 acme-chief acme-chief   32 Jul 26 08:00 new -> a40ba19e20ff4516bb7906d154cf5539
vgutierrez@acmechief1001:~$ sudo -i openssl x509 -noout -dates -in /var/lib/acme-chief/certs/unified/live/rsa-2048.crt
notBefore=Jul 26 07:00:47 2019 GMT
notAfter=Oct 24 07:00:47 2019 GMT
Mon, Aug 19, 6:12 AM · Operations, Traffic, Acme-chief
Vgutierrez closed T229096: Provide the three cert types (chain-only, cert only and chained) as soon as we get the certificate issued, a subtask of T229091: acme-chief failing in puppet with "Cannot open input file", as Resolved.
Mon, Aug 19, 6:04 AM · Traffic, Operations
Vgutierrez closed T229096: Provide the three cert types (chain-only, cert only and chained) as soon as we get the certificate issued as Resolved.

Yeah, thanks for the reminder! :)

Mon, Aug 19, 6:04 AM · Acme-chief, Traffic, Operations

Wed, Aug 14

Vgutierrez added a comment to T230470: Could not reach wikipedia from domain wikipedia.fi.

So, after adding the zone file for wikipedia.fi and the proper redirect rules:

$ curl http://wikipedia.fi -o /dev/null -v 2>&1|grep Location
< Location: https://fi.wikipedia.org/
Wed, Aug 14, 11:34 AM · Traffic, Operations, DNS, Domains
Vgutierrez triaged T230470: Could not reach wikipedia from domain wikipedia.fi as Normal priority.
Wed, Aug 14, 11:12 AM · Traffic, Operations, DNS, Domains
Vgutierrez added a comment to T230470: Could not reach wikipedia from domain wikipedia.fi.

a quick check shows:

willikins:~ vgutierrez$ host -t ns wikipedia.fi
Host wikipedia.fi not found: 2(SERVFAIL)
Wed, Aug 14, 11:05 AM · Traffic, Operations, DNS, Domains

Mon, Aug 12

Vgutierrez created P8902 (An Untitled Masterwork).
Mon, Aug 12, 1:23 PM
Vgutierrez closed T167513: Redirect lzh.wikipedia to zh-classical.wikipedia, a subtask of T30443: Rename zh-classical -> lzh, as Resolved.
Mon, Aug 12, 8:47 AM · Wiki-Setup (Rename), Community-consensus-needed, Wikimedia-Language-setup
Vgutierrez closed T167513: Redirect lzh.wikipedia to zh-classical.wikipedia as Resolved.
Mon, Aug 12, 8:47 AM · Patch-For-Review, Traffic, Wikimedia-Apache-configuration, Operations, DNS
Vgutierrez added a comment to T167513: Redirect lzh.wikipedia to zh-classical.wikipedia.

yeah, it's deployed, and actually I think we can drop the lzh.m.wikipedia.org rule from there, checking other languages redirects, it seems that it is not needed and if you open https://lzh.m.wikipedia.org/ from a mobile phone you end up in https://zh-classical.m.wikipedia.org/

Mon, Aug 12, 8:15 AM · Patch-For-Review, Traffic, Wikimedia-Apache-configuration, Operations, DNS

Fri, Aug 9

Dzahn awarded T190244: en-wp.org certificate error an Orange Medal token.
Fri, Aug 9, 8:17 PM · Domains, Traffic, Operations, Wikimedia-Apache-configuration
Vgutierrez created P8892 (An Untitled Masterwork).
Fri, Aug 9, 9:12 AM

Wed, Aug 7

Vgutierrez added a comment to T229786: Create a service account to manage traffic.wmflabs.org. from acme-chief.

Yeah, to be honest, a limited access for this account would be better than a full administrator role

Wed, Aug 7, 4:56 AM · cloud-services-team (Kanban), Horizon, Acme-chief

Tue, Aug 6

Vgutierrez closed T190244: en-wp.org certificate error as Resolved.

This has been solved by the deploy of the ncredir service (T133548).

Tue, Aug 6, 5:39 AM · Domains, Traffic, Operations, Wikimedia-Apache-configuration
Vgutierrez closed T228382: Provide prometheus metrics for the ncredir service, a subtask of T133548: Create a secure redirect service for large count of non-canonical / junk domains, as Resolved.
Tue, Aug 6, 5:38 AM · Goal, Patch-For-Review, HTTPS, Operations, Traffic
Vgutierrez closed T228382: Provide prometheus metrics for the ncredir service as Resolved.
Tue, Aug 6, 5:38 AM · Traffic, Operations

Mon, Aug 5

Vgutierrez added a comment to T229621: Icinga check defined from LVS configuration for cloudelastic are borked.

I've seen the same behaviour configuring the ncredir LVS service as it's using two ports (80/443). Same happens with text and upload LVS services.

Mon, Aug 5, 9:30 AM · Patch-For-Review, Discovery-Search (Current work), Elasticsearch, Traffic, Operations
Vgutierrez created T229786: Create a service account to manage traffic.wmflabs.org. from acme-chief.
Mon, Aug 5, 8:56 AM · cloud-services-team (Kanban), Horizon, Acme-chief
Vgutierrez added a comment to T229783: Unable to create DNS zone traffic.wmflabs.org. in Horizon.

before trying to do anything I've checked with a simple DNS query that traffic.wmflabs.org. is available right now:

vgutierrez$ host traffic.wmflabs.org
Host traffic.wmflabs.org not found: 3(NXDOMAIN)
Mon, Aug 5, 8:40 AM · cloud-services-team (Kanban), Acme-chief, Horizon
Vgutierrez created T229783: Unable to create DNS zone traffic.wmflabs.org. in Horizon.
Mon, Aug 5, 8:36 AM · cloud-services-team (Kanban), Acme-chief, Horizon

Fri, Jul 26

Vgutierrez added a comment to T229091: acme-chief failing in puppet with "Cannot open input file".

As it's been done with unified, wikibase required the same patch:

>>> from acme_chief.x509 import Certificate
>>> from acme_chief.acme_chief import CERTIFICATE_TYPES
>>> cert = Certificate.load('/var/lib/acme-chief/certs/wikibase/new/rsa-2048.chained.crt')
>>> cert.save('/var/lib/acme-chief/certs/wikibase/new/rsa-2048.crt', mode=CERTIFICATE_TYPES['cert_only']['save_mode'])
>>> cert.save('/var/lib/acme-chief/certs/wikibase/new/rsa-2048.chain.crt', mode=CERTIFICATE_TYPES['chain_only']['save_mode'])
>>> cert = Certificate.load('/var/lib/acme-chief/certs/wikibase/new/ec-prime256v1.chained.crt')
>>> cert.save('/var/lib/acme-chief/certs/wikibase/new/ec-prime256v1.crt', mode=CERTIFICATE_TYPES['cert_only']['save_mode'])
>>> cert.save('/var/lib/acme-chief/certs/wikibase/new/ec-prime256v1.chain.crt', mode=CERTIFICATE_TYPES['chain_only']['save_mode'])
Fri, Jul 26, 2:24 PM · Traffic, Operations
Vgutierrez triaged T229097: Provide ensure => absent support for acme_chief::cert define as Normal priority.
Fri, Jul 26, 10:43 AM · Acme-chief, Traffic, Operations
Vgutierrez created T229097: Provide ensure => absent support for acme_chief::cert define.
Fri, Jul 26, 10:42 AM · Acme-chief, Traffic, Operations
Vgutierrez created T229096: Provide the three cert types (chain-only, cert only and chained) as soon as we get the certificate issued.
Fri, Jul 26, 10:39 AM · Acme-chief, Traffic, Operations
Vgutierrez lowered the priority of T229091: acme-chief failing in puppet with "Cannot open input file" from High to Normal.

So, I've manually generated the missing versions on acmechief1001:

>>> cert = Certificate.load('/var/lib/acme-chief/certs/unified/new/rsa-2048.chained.crt')
>>> cert.save('/var/lib/acme-chief/certs/unified/new/rsa-2048.crt', mode=CERTIFICATE_TYPES['cert_only']['save_mode'])
>>> cert.save('/var/lib/acme-chief/certs/unified/new/rsa-2048.chain.crt', mode=CERTIFICATE_TYPES['chain_only']['save_mode'])
>>> cert = Certificate.load('/var/lib/acme-chief/certs/unified/new/ec-prime256v1.chained.crt')
>>> cert.save('/var/lib/acme-chief/certs/unified/new/ec-prime256v1.crt', mode=CERTIFICATE_TYPES['cert_only']['save_mode'])
>>> cert.save('/var/lib/acme-chief/certs/unified/new/ec-prime256v1.chain.crt', mode=CERTIFICATE_TYPES['chain_only']['save_mode'])
Fri, Jul 26, 10:38 AM · Traffic, Operations
Vgutierrez raised the priority of T229091: acme-chief failing in puppet with "Cannot open input file" from Normal to High.

This is a big issue, cause right now due to the invalid state of update-ocsp/acme-chief, nginx cannot be restarted in the cp nodes in eqsin

Fri, Jul 26, 9:50 AM · Traffic, Operations
Vgutierrez added a comment to T229091: acme-chief failing in puppet with "Cannot open input file".

update-ocsp is configured to use the certificate only version to perform the OCSP stapling:

vgutierrez@cp5001:/etc/update-ocsp.d$ cat unified-new-ec-prime256v1.conf
[Options]
Proxy=webproxy.eqsin.wmnet:8080
Certificates=/etc/acmecerts/unified/new/ec-prime256v1.crt
Output=/etc/acmecerts/unified/new/ec-prime256v1.client.ocsp
Fri, Jul 26, 9:46 AM · Traffic, Operations
Vgutierrez added a comment to T229091: acme-chief failing in puppet with "Cannot open input file".

This happens at the same time that the unified cert is being renewed:

Jul 26 08:00:02 acmechief1001 acme-chief-backend[8198]: Number of certificates per status: Counter({'VALID': 42, 'NEEDS_RENEWAL': 2})
Jul 26 08:00:02 acmechief1001 acme-chief-backend[8198]: Handling new certificate event for unified / ec-prime256v1
Jul 26 08:00:02 acmechief1001 acme-chief-backend[8198]: Creating new certificate version a40ba19e20ff4516bb7906d154cf5539 for unified
Jul 26 08:00:15 acmechief1001 acme-chief-backend[8198]: Triggering DNS zone update...
Jul 26 08:00:15 acmechief1001 acme-chief-backend[8198]: Running subprocess ['/usr/local/bin/acme-chief-gdnsd-sync.py', '--remote-servers', 'authdns1001.wikimedia.org', 'authdns2001.wikimedia.org', 'multat
Jul 26 08:00:17 acmechief1001 acme-chief-backend[8198]: Handling pushed CSR event for unified / ec-prime256v1
Jul 26 08:00:27 acmechief1001 acme-chief-backend[8198]: Handling validated challenges event for unified / ec-prime256v1
Jul 26 08:00:30 acmechief1001 acme-chief-backend[8198]: Handling pushed challenges event for unified / ec-prime256v1
Jul 26 08:00:34 acmechief1001 acme-chief-backend[8198]: Handling order finalized event for unified / ec-prime256v1
Jul 26 08:00:35 acmechief1001 acme-chief-backend[8198]: Enforcing staging_time for unified / ec-prime256v1
Jul 26 08:00:35 acmechief1001 acme-chief-backend[8198]: Staging_time will be enforced for unified / ec-prime256v1 till 2019-08-02 07:00:33
Jul 26 08:00:35 acmechief1001 acme-chief-backend[8198]: Handling new certificate event for unified / rsa-2048
Jul 26 08:00:39 acmechief1001 acme-chief-backend[8198]: Skipping challenge validation for certificate unified / rsa-2048
Jul 26 08:00:44 acmechief1001 acme-chief-backend[8198]: Handling pushed challenges event for unified / rsa-2048
Jul 26 08:00:48 acmechief1001 acme-chief-backend[8198]: Handling order finalized event for unified / rsa-2048
Jul 26 08:00:49 acmechief1001 acme-chief-backend[8198]: Enforcing staging_time for unified / rsa-2048
Jul 26 08:00:49 acmechief1001 acme-chief-backend[8198]: Staging_time will be enforced for unified / rsa-2048 till 2019-08-02 07:00:47
Jul 26 09:00:01 acmechief1001 systemd[1]: Reloading acme-chief Service.
Jul 26 09:00:01 acmechief1001 acme-chief-backend[8198]: SIGHUP received
Jul 26 09:00:01 acmechief1001 systemd[1]: Reloaded acme-chief Service.
Jul 26 09:00:01 acmechief1001 acme-chief-backend[8198]: Missing/invalid DNS zone updater CMD timeout, using the default one: 60.00
Jul 26 09:00:01 acmechief1001 acme-chief-backend[8198]: Number of certificates per status: Counter({'VALID': 42, 'CERTIFICATE_STAGED': 2})
Jul 26 09:00:02 acmechief1001 acme-chief-backend[8198]: Enforcing staging_time for unified / ec-prime256v1
Jul 26 09:00:02 acmechief1001 acme-chief-backend[8198]: Staging_time will be enforced for unified / ec-prime256v1 till 2019-08-02 07:00:33
Jul 26 09:00:02 acmechief1001 acme-chief-backend[8198]: Enforcing staging_time for unified / rsa-2048
Jul 26 09:00:02 acmechief1001 acme-chief-backend[8198]: Staging_time will be enforced for unified / rsa-2048 till 2019-08-02 07:00:47
Fri, Jul 26, 9:22 AM · Traffic, Operations

Jul 18 2019

Vgutierrez created T228382: Provide prometheus metrics for the ncredir service.
Jul 18 2019, 8:54 AM · Traffic, Operations

Jul 17 2019

Vgutierrez added a comment to T228135: ATS lacks the possibility of reporting SSL stats to an origin server via HTTP Headers.

Implement logging of SSL Elliptic Curve used: https://github.com/apache/trafficserver/pull/5724 has been already merged into master. The API proposal part of https://github.com/apache/trafficserver/pull/5726 is being currently discussed in dev@trafficserver.apache.org

Jul 17 2019, 5:43 AM · Patch-For-Review, Traffic, Operations

Jul 16 2019

Vgutierrez added a comment to T133548: Create a secure redirect service for large count of non-canonical / junk domains.

ncredir service has been deployed successfully and it's currently serving live traffic for wikipedia.com:

$ curl -v https://en.wikipedia.com/wiki/Special:Random -o /dev/null 2>&1 |fgrep -i location:
< location: https://en.wikipedia.org/wiki/Special:Random
$ curl -v http://en.wikipedia.com/wiki/Special:Random -o /dev/null 2>&1 |fgrep -i location:
< Location: https://en.wikipedia.org/wiki/Special:Random
Jul 16 2019, 1:36 PM · Goal, Patch-For-Review, HTTPS, Operations, Traffic
Vgutierrez updated the task description for T133548: Create a secure redirect service for large count of non-canonical / junk domains.
Jul 16 2019, 1:33 PM · Goal, Patch-For-Review, HTTPS, Operations, Traffic
Vgutierrez added a comment to T228135: ATS lacks the possibility of reporting SSL stats to an origin server via HTTP Headers.

Two PRs have been submitted to upstream:

Jul 16 2019, 5:41 AM · Patch-For-Review, Traffic, Operations
Vgutierrez triaged T228135: ATS lacks the possibility of reporting SSL stats to an origin server via HTTP Headers as Normal priority.
Jul 16 2019, 5:32 AM · Patch-For-Review, Traffic, Operations
Vgutierrez created T228135: ATS lacks the possibility of reporting SSL stats to an origin server via HTTP Headers.
Jul 16 2019, 5:32 AM · Patch-For-Review, Traffic, Operations

Jul 15 2019

Vgutierrez closed T224397: ATS: log mode cannot depend on log filters being configured as Resolved.
Jul 15 2019, 10:44 AM · Traffic, Operations

Jul 11 2019

Vgutierrez updated the task description for T133548: Create a secure redirect service for large count of non-canonical / junk domains.
Jul 11 2019, 2:56 PM · Goal, Patch-For-Review, HTTPS, Operations, Traffic

Jul 10 2019

Vgutierrez updated the task description for T133548: Create a secure redirect service for large count of non-canonical / junk domains.
Jul 10 2019, 10:56 AM · Goal, Patch-For-Review, HTTPS, Operations, Traffic

Jul 5 2019

Vgutierrez closed T227315: creation of prometheus_puppet_agent_stats fails on first puppet run as Resolved.
Jul 5 2019, 11:31 AM · Operations
Vgutierrez created T227315: creation of prometheus_puppet_agent_stats fails on first puppet run.
Jul 5 2019, 11:19 AM · Operations
Vgutierrez closed T224539: Provide nginx support in compile_redirects(), a subtask of T133548: Create a secure redirect service for large count of non-canonical / junk domains, as Resolved.
Jul 5 2019, 6:22 AM · Goal, Patch-For-Review, HTTPS, Operations, Traffic
Vgutierrez closed T224539: Provide nginx support in compile_redirects() as Resolved.
Jul 5 2019, 6:21 AM · Traffic, Operations

Jul 2 2019

Vgutierrez committed rOSAC3d5e997f211b: acme_chief: Enforce staging time validation (authored by Vgutierrez).
acme_chief: Enforce staging time validation
Jul 2 2019, 3:34 AM

Jun 18 2019

Vgutierrez added a comment to T224977: puppet-catalog-compiler: compilation result randomly places servers in the 'failed' section.

After checking https://puppet-compiler.wmflabs.org/compiler1001/16855/ change error/warning logs for hosts marked as "fail to compile when the change is applied" it looks like two warnings are being interpreted as errors:

Warning: Unknown variable: '::restricted_to'. at /srv/jenkins-workspace/puppet-compiler/16855/change/src/modules/profile/manifests/ldap/client/labs.pp:5:72
Warning: Unknown variable: '::restricted_from'. at /srv/jenkins-workspace/puppet-compiler/16855/change/src/modules/profile/manifests/ldap/client/labs.pp:6:76
Jun 18 2019, 11:58 AM · Operations, puppet-compiler
Vgutierrez committed rOSACb001cf023eaa: acme_chief: Enforce staging time validation (authored by Vgutierrez).
acme_chief: Enforce staging time validation
Jun 18 2019, 10:20 AM
Vgutierrez committed rOSAC955e6d27dc40: acme_chief: Enforce staging time validation (authored by Vgutierrez).
acme_chief: Enforce staging time validation
Jun 18 2019, 8:40 AM

Jun 17 2019

Vgutierrez moved T225945: acme-chief staging time not working as expected from Triage to TLS on the Traffic board.
Jun 17 2019, 3:46 PM · Operations, Traffic, Acme-chief
Restricted Application added a project to T225945: acme-chief staging time not working as expected: Operations.
Jun 17 2019, 3:45 PM · Operations, Traffic, Acme-chief
Vgutierrez triaged T225945: acme-chief staging time not working as expected as High priority.
Jun 17 2019, 3:44 PM · Operations, Traffic, Acme-chief
Vgutierrez created T225945: acme-chief staging time not working as expected.
Jun 17 2019, 3:44 PM · Operations, Traffic, Acme-chief

Jun 12 2019

Vgutierrez committed rOSACb041f762848d: x509: Expose the OCSP URI of a Certificate as a property (authored by Vgutierrez).
x509: Expose the OCSP URI of a Certificate as a property
Jun 12 2019, 10:40 AM

Jun 11 2019

Vgutierrez added a comment to T225484: cloudvirt servers: SSL certificate expiring.

I don't think we have any automation in place for internally issued certificates, and of course we cannot switch to LE for client certificates so acme-chief is not an option here.

Jun 11 2019, 9:42 AM · cloud-services-team (Kanban)

Jun 7 2019

Vgutierrez created P8599 (An Untitled Masterwork).
Jun 7 2019, 1:17 PM
Vgutierrez archived P8598 (An Untitled Masterwork).
Jun 7 2019, 1:17 PM
Vgutierrez created P8598 (An Untitled Masterwork).
Jun 7 2019, 1:13 PM

Jun 5 2019

Vgutierrez triaged T225096: Provide acme-chief/TLS SNI list support in compile_redirects() as Normal priority.
Jun 5 2019, 3:14 PM · Patch-For-Review, HTTPS, Traffic, Operations
Vgutierrez created T225096: Provide acme-chief/TLS SNI list support in compile_redirects().
Jun 5 2019, 1:56 PM · Patch-For-Review, HTTPS, Traffic, Operations
Vgutierrez closed T224428: ATS: traffic_layout currently forces to use its own copy of shared libraries as Resolved.
Jun 5 2019, 8:30 AM · Traffic, Operations

Jun 4 2019

Vgutierrez closed T220518: acme-chief: Validate that configured certificates can be actually issued, a subtask of T133548: Create a secure redirect service for large count of non-canonical / junk domains, as Resolved.
Jun 4 2019, 12:39 PM · Goal, Patch-For-Review, HTTPS, Operations, Traffic
Vgutierrez closed T220518: acme-chief: Validate that configured certificates can be actually issued as Resolved.
Jun 4 2019, 12:39 PM · Acme-chief, HTTPS, Traffic, Operations

May 29 2019

Vgutierrez triaged T224539: Provide nginx support in compile_redirects() as Normal priority.
May 29 2019, 7:33 AM · Traffic, Operations
Vgutierrez created T224539: Provide nginx support in compile_redirects().
May 29 2019, 7:33 AM · Traffic, Operations

May 28 2019

Vgutierrez committed rOSACaad632720b13: debian: Add release 0.17 to changelog (authored by Vgutierrez).
debian: Add release 0.17 to changelog
May 28 2019, 11:09 AM
Vgutierrez created P8566 (An Untitled Masterwork).
May 28 2019, 8:56 AM

May 27 2019

Vgutierrez moved T224428: ATS: traffic_layout currently forces to use its own copy of shared libraries from Triage to Caching on the Traffic board.
May 27 2019, 2:36 PM · Traffic, Operations
Vgutierrez triaged T224428: ATS: traffic_layout currently forces to use its own copy of shared libraries as Normal priority.
May 27 2019, 2:36 PM · Traffic, Operations
Restricted Application added a project to T224428: ATS: traffic_layout currently forces to use its own copy of shared libraries: Operations.
May 27 2019, 2:36 PM · Traffic, Operations
Vgutierrez created P8561 (An Untitled Masterwork).
May 27 2019, 9:32 AM
Vgutierrez moved T224397: ATS: log mode cannot depend on log filters being configured from Triage to Caching on the Traffic board.
May 27 2019, 7:50 AM · Traffic, Operations
Vgutierrez triaged T224397: ATS: log mode cannot depend on log filters being configured as Normal priority.
May 27 2019, 7:49 AM · Traffic, Operations
Restricted Application added a project to T224397: ATS: log mode cannot depend on log filters being configured: Operations.
May 27 2019, 7:48 AM · Traffic, Operations

May 23 2019

Vgutierrez added a comment to T223902: cloudcontrol: decide on FQDN for service endpoints.

Right.. that ldap service certificate is being handled by acme-chief and, as Alex explained, the *.wikimedia.org limitation only affects services that need to use https caching.

May 23 2019, 8:08 PM · Traffic, Operations, Cloud-VPS, cloud-services-team (Kanban)
Vgutierrez added a comment to T223902: cloudcontrol: decide on FQDN for service endpoints.

That's right. Also take into account that you can get as many certificates as you need from acme-chief, so maybe you don't need the wildcard one.

May 23 2019, 5:13 PM · Traffic, Operations, Cloud-VPS, cloud-services-team (Kanban)

May 22 2019

Vgutierrez moved T224119: ATS is currently adding its own server header from Triage to Caching on the Traffic board.
May 22 2019, 1:36 PM · Operations, Traffic
Vgutierrez triaged T224119: ATS is currently adding its own server header as Normal priority.
May 22 2019, 1:36 PM · Operations, Traffic
Vgutierrez created T224119: ATS is currently adding its own server header.
May 22 2019, 1:36 PM · Operations, Traffic
Vgutierrez added a comment to T223902: cloudcontrol: decide on FQDN for service endpoints.

IMHO you should move away from *.wikimedia.org then and use another domain

May 22 2019, 9:55 AM · Traffic, Operations, Cloud-VPS, cloud-services-team (Kanban)
Vgutierrez added a comment to T223902: cloudcontrol: decide on FQDN for service endpoints.

so, after a quick check you should consider several things:

  • wikimedia.org is a canonical domain for WMF, everything is expected to use secure TLS settings.
  • if you aim to use the production caching layer, the hostnames must match *.wikimedia.org
May 22 2019, 9:26 AM · Traffic, Operations, Cloud-VPS, cloud-services-team (Kanban)

May 18 2019

Vgutierrez added a comment to T184293: rack/setup/install lvs101[3-6].

host     nic       mac
lvs1013  enp4s0f0  F4:E9:D4:DB:0C:00
lvs1013  enp4s0f1  F4:E9:D4:DB:0C:02
lvs1013  enp5s0f0  F4:E9:D4:CF:40:D0
lvs1013  enp5s0f1  F4:E9:D4:CF:40:D2
lvs1014  enp4s0f0  F4:E9:D4:DB:27:40
lvs1014  enp4s0f1  F4:E9:D4:DB:27:42
lvs1014  enp5s0f0  F4:E9:D4:C8:88:F0
lvs1014  enp5s0f1  F4:E9:D4:C8:88:F2
May 18 2019, 9:29 PM · Operations, Traffic

May 16 2019

Vgutierrez added a comment to T223408: Page gets redirected randomly to former blackout page.

This issue can be reproduced searching lliga de campions 2017 in google using a mobile browser, the first result pointing to ca.wikipedia.org is https://ca.m.wikipedia.org/wiki/Viquip%C3%A8dia:Comunicat_24_de_mar%C3%A7

May 16 2019, 6:58 AM · Readers-Web-Backlog (Tracking), Performance-Team (Radar), Wikimedia-Incident

May 14 2019

Dzahn awarded T131930: Set SPF (... -all) for toolserver.org a Yellow Medal token.
May 14 2019, 1:04 AM · cloud-services-team (Kanban), Traffic, Mail, Cloud-VPS, Patch-For-Review, Operations, DNS

May 13 2019

Vgutierrez closed T209707: tagged_interface sometimes exceeds IFNAMSIZ as Resolved.
May 13 2019, 3:31 PM · Traffic, Operations
Vgutierrez closed T209707: tagged_interface sometimes exceeds IFNAMSIZ, a subtask of T216724: relocate/reimage cloudvirt1024 with 10G interfaces, as Resolved.
May 13 2019, 3:31 PM · Patch-For-Review, Operations, cloud-services-team (Kanban)
Vgutierrez created P8519 (An Untitled Masterwork).
May 13 2019, 10:23 AM
Vgutierrez changed the status of T220786: Add SPF record for non-canonical domains that are not parked from Open to Stalled.
May 13 2019, 7:26 AM · Patch-For-Review, Operations, Traffic, DNS
Vgutierrez closed T131930: Set SPF (... -all) for toolserver.org as Resolved.
May 13 2019, 7:22 AM · cloud-services-team (Kanban), Traffic, Mail, Cloud-VPS, Patch-For-Review, Operations, DNS
Vgutierrez closed T131930: Set SPF (... -all) for toolserver.org, a subtask of T220786: Add SPF record for non-canonical domains that are not parked, as Resolved.
May 13 2019, 7:22 AM · Patch-For-Review, Operations, Traffic, DNS

May 7 2019

Vgutierrez added a comment to T209707: tagged_interface sometimes exceeds IFNAMSIZ.

so taking a deeper look into https://manpages.debian.org/jessie/vlan/vlan-interfaces.5.en.html:

vlan-raw-device devicename
Indicates the device to create the vlan on. This is ignored when the devicename is part of the vlan interface name.

May 7 2019, 6:27 PM · Traffic, Operations
Vgutierrez added a comment to T209707: tagged_interface sometimes exceeds IFNAMSIZ.

As discussed on IRC, using vlan-raw-device enp175s0f1d1 should be enough, as recommended in https://wiki.debian.org/NetworkConfiguration#Manual_config

May 7 2019, 5:23 PM · Traffic, Operations

May 6 2019

Vgutierrez triaged T222642: false positives in check_trafficserver_config_status as Normal priority.
May 6 2019, 5:28 PM · Operations, Traffic
Vgutierrez moved T222642: false positives in check_trafficserver_config_status from Triage to Caching on the Traffic board.
May 6 2019, 5:28 PM · Operations, Traffic
Vgutierrez created T222642: false positives in check_trafficserver_config_status.
May 6 2019, 5:27 PM · Operations, Traffic

May 3 2019

Vgutierrez created P8472 (An Untitled Masterwork).
May 3 2019, 3:30 PM
Vgutierrez updated the task description for T220383: Evaluate ATS TLS stack.
May 3 2019, 8:06 AM · Patch-For-Review, Traffic, Operations
Vgutierrez updated the task description for T220383: Evaluate ATS TLS stack.
May 3 2019, 7:43 AM · Patch-For-Review, Traffic, Operations

May 2 2019

Vgutierrez committed rOSACaeebce8fda81: Release 0.17 (authored by Vgutierrez).
Release 0.17
May 2 2019, 2:19 PM
Vgutierrez committed rOSAC2422525715e4: acme_chief: Prevalidate CN/SNI list (authored by Vgutierrez).
acme_chief: Prevalidate CN/SNI list
May 2 2019, 2:19 PM
Vgutierrez committed rOSAC6e2e5365d517: CI: Run tests with minimum and latest dependencies (authored by Vgutierrez).
CI: Run tests with minimum and latest dependencies
May 2 2019, 2:19 PM
Vgutierrez committed rOSAC3fe1747eebac: dns: Move DNS operations to its own module (authored by Vgutierrez).
dns: Move DNS operations to its own module
May 2 2019, 2:19 PM
Vgutierrez committed rOSAC809d846b4a66: config: Move ACMEChiefConfig to its own module (authored by Vgutierrez).
config: Move ACMEChiefConfig to its own module
May 2 2019, 2:19 PM