I'm BDavis (WMF) on wiki, bd808 on irc, and BryanDavis on Gerrit and Wikitech.
I've got a thing for ๐ฆs. Don't judge.
I work for or provide services to the Wikimedia Foundation, but this is my only Phabricator account. Edits, statements, or other contributions made from this account are my own, and may not reflect the views of the Foundation.
The footer for Striker is:
Do we have any known requests from the community for such a tool as a replacement/enhancment for irc + mailing list + phabricator?
+1 from me as a Cloud VPS admin to proceed with creating this project
Fail fast has basically always been the behavior of maintain-dbusers. The historic fix would be one of delete the broken account (test-abogott5) or correct whatever is causing the account's failure.
Per https://wikitech.wikimedia.org/wiki/Help:Cloud_VPS_project#Reviews_of_Cloud_VPS_Project_requests:
The majority of project requests are approved, but there are some things which will cause further discussion:
...
"Umbrella" projects with a broad scope, such as all the work to be done by an engineering team or a large problem space."Umbrella" projects with broad scopes are difficult to track over time because of organizational changes and lack of continuity in ownership.
I have thought about this before, but while I was patrolling today I ended up wanting very much to have in-line diffs and consistent click targets to make the process a bit quicker.
Similar to, but not exactly the same as T316832: Mark notifs about approved/declined membership requests as read for all admins. Although I would have a hunch that if T316832 were implemented most admins would not feel the need for a "ignore this backlog because it is too deep" button. :)
T144713: Add a web shell allowing people to perform actions as their tool from striker could be considered a duplicate of this or a specific implementation of the desired feature. For now I think I will make this task a parent to that older task and we can continue to explore what the "best" solution is to the general problem.
The mediawiki-vagrant powered development environment is no longer supported.
T321919: Figure out and document how to call the Kubernetes API as your tool user from inside a pod has some information on possible ways for to interact with the Toolforge Kubernetes API from inside the Kubernetes cluster.
Make sure to read the warnings on that page about how this can fail. Also be aware that the community provided guidance on that page for a Python service is incomplete. The uwsgi container must be restarted for source code changes to take effect. The missing step would be to call the Kubernetes API to kill the running container or otherwise affect the termination of the active pod and creation of a new one. PHP reads files from disk again for each requests which makes that workflow simpler.
Account was approved.
This is not a declaration that this is a good idea, but if I understand the current enwp.org behavior, I think this would replace it:
diff --git i/modules/ncredir/files/nc_redirects.dat w/modules/ncredir/files/nc_redirects.dat index dc52c09013..bbcc31d1d3 100644 --- i/modules/ncredir/files/nc_redirects.dat +++ w/modules/ncredir/files/nc_redirects.dat @@ -115,6 +115,7 @@ rewrite *wikimediaenterprise.com https://enterprise.wikimedia.com
Apparently envvars can be used to override some settings. This could be combined with the idea of using k8s secrets for storage as well by using https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables.
Reported upstream as https://github.com/42wim/matterbridge/issues/2020
I think I have found a workaround for this. I granted the wm-bridegbot user a custom admin role in the Telegram chat. This seems to allow it to bypass the slow mode restriction. The custom role is titled "bot" and has all of the "what can this admin do?" toggles turned off.
Matterbridge's IRC handler has a MessageDelay knob that can be used to avoid rate limits. Unfortunately the Telegram handler does not have an equivalent function.
I have requested an account for the bot at botsin.space. They have a manual moderation queue for new accounts, so things are stalled until the account is approved or rejected upstream.
I think I should probably make the bot's toots unlisted too to avoid boring instance timeline clutter.
Stashbot does "own" the account. Moving to botsin.space because of defederation concerns seems reasonable.
Basically wm-bot serves the same relay bot role in the WMCS SAL logging path as logmsgbot does for wiki cluster SAL logging: app - โ relay bot - โ irc - โ stashbot - โ wikitech + sal.toolforge.org
[16:39] < roy649_> When a do a get onย https://upload.wikimedia.org/wikipedia/commons/thumb/b/b2/Pete_Sutherland_playing_at_Bristol_town_tribute_%28cropped%29.jpg/280px-Pete_Sutherland_playing_at_Bristol_town_tribute_%28cropped%29.jpg, I get "Our servers are currently under maintenance or experiencing a technical problem. Please try again in a few minutes." [16:39] < roy649_> Just in case this isn't already a known issue. [16:40] < roy649_> Request from 2600:4041:51ec:c500:fdcb:d9c7:57cb:3c21 via cp1090 cp1090, Varnish XID 716451937 [16:40] < roy649_> Upstream caches: cp1090 int [16:40] < roy649_> Error: 404, Not Found at Tue, 14 Mar 2023 16:38:25 GMT [16:58] <AntiComposite> works for me
[16:37] < bd808> ah! I think my code is to blame! [16:38] < bd808> It seems to memoize and assume that each user only has one role! [16:38] <andrewbogott> that would do it :) [16:38] < taavi> oh of course, I even had the exact same issue with openstack-browser :D [16:38] < bd808> yeah, I think this is the bug. it's in Striker'sย openstack.pyย and the users_by_role() method [16:39] < bd808> because the client was copied from strikerย taaviย :) [16:40] <andrewbogott> welp, I tried to provide a graceful transition by leaving the old roles in place and that just made it worse :)
[22:42] < bd808> kindrobot: I think you should be able to create a phab board with Striker now. [22:42] < bd808> I can see you listed onย https://toolsadmin.wikimedia.org/tools/id/ducttapeย at least [22:52] <kindrobot> It worked! :D
Rolling back to the prior settings.OPENSTACK_USER_ROLE and settings.OPENSTACK_ADMIN_ROLE values has fixed the issue with non-admin users not showing in the UI. It should also fix the originally reported issue of failing to find Phabricator accounts for maintainers. That was caused by the maintainer list being empty due to the config mismatch. Luckily all of this was a client configuration issue without any data loss in the canonical LDAP storage.
>>> from striker.tools import cache >>> users = cache.get_openstack_users() >>> users.keys() dict_keys(['glanceadmin', 'heat_stack_owner', 'admin', 'member', 'projectadmin', 'designateadmin', 'heat_stack_user', 'keystonevalidate', 'user', 'reader']) >>> for role in users.keys(): ... print(role, len(users[role])) ... glanceadmin 0 heat_stack_owner 0 admin 0 member 26 projectadmin 0 designateadmin 1 heat_stack_user 0 keystonevalidate 0 user 2406 reader 0
We changed the settings before the backing database for Keystone was updated. :/
We changed the values of settings.OPENSTACK_USER_ROLE and settings.OPENSTACK_ADMIN_ROLE today with https://gerrit.wikimedia.org/r/c/labs/striker/+/895140. This feels like the likely cause of strange behaviors. It may be entirely in this custom manager's _get_tool_users implementation:
class MaintainerManager(models.Manager): def _get_tool_users(self): if settings.TEST_MODE: # Hack to keep from trying to talk to openstack API from django # test harness return [] users = cache.get_openstack_users() return ( users[settings.OPENSTACK_USER_ROLE] + users[settings.OPENSTACK_ADMIN_ROLE] )
$ python3 manage.py shell >>> from striker.tools.models import Tool >>> ducttape = Tool.objects.get(cn='tools.ducttape') >>> ducttape.maintainer_ids() ['kindrobot'] >>> ducttape.maintainers() <QuerySet []> >>> from striker.tools.models import Maintainer >>> Maintainer.objects.get(uid='kindrobot') Traceback (most recent call last): File "<console>", line 1, in <module> File "/opt/lib/python/site-packages/django/db/models/manager.py", line 82, in manager_method return getattr(self.get_queryset(), name)(*args, **kwargs) File "/opt/lib/python/site-packages/django/db/models/query.py", line 408, in get self.model._meta.object_name striker.tools.models.Maintainer.DoesNotExist: Maintainer matching query does not exist. >>> Maintainer.objects.get(uid='bd808') <Maintainer: BryanDavis>
$ ssh cloudweb1003.wikimedia.org $ cd ~/projects/striker $ ./debug-striker.sh -it --entrypoint=/bin/bash $ python3 manage.py loaddata software_license.json Installed 33 object(s) from 1 fixture(s)
The service is working again because I live hacked the missing podsecuritypolicies grants back into the user-maintainer clusterrole, but this will break again as soon as someone runs the helm deploy for maintain-kubeusers.