Hi!
We are happy to announce the new domain 'toolforge.org' is now ready to be
adopted by our Toolforge community.
There is a lot of information related to this change in a wikitech page we have
for this:
https://wikitech.wikimedia.org/wiki/News/Toolforge.org
The most important change you will see happening is a new domain/scheme for
Toolforge-hosted webservices:
* from https://tools.wmflabs.org/<toolname>/
* to https://<toolname>.toolforge.org/
A live example of this change can be found in our internal openstack-browser
webservice tool:
* legacy URL: https://tools.wmflabs.org/openstack-browser/
* new URL: https://openstack-browser.toolforge.org
This domain change is something we have been working on for months previous to
this announcement. Part of our work has been to ensure we have a smooth
transition from the old domain (and URL scheme) to the new canonical one.
However, we acknowledge the ride might be bumpy for some folks, due to technical
challenges or cases we didn't consider when planning this migration. Please
reach out intermediately if you find any limitation or failure anywhere related
to this change. The wikitech page also contains a section with information for
common problems.
You can check now if your webservice needs any specific change by creating a
temporal redirection to the new canonical URL:
$ webservice --canonical --backend=kubernetes start [..]
$ webservice --canonical --backend=gridengine start [..]
The --canonical switch will create a temporal redirect that you can turn on/off.
Please use this to check how your webservice behaves with the new domain/URL
scheme. If you start the webservice without --canonical, the temporal redirect
will be removed.
We aim to introduce permanent redirects for the legacy URLs on 2020-06-15. We
expect to keep serving legacy URLs forever, by means of redirections to the new
URLs. More information on the redirections can also be found in the wikitech page.
The toolforge.org domain is finally here! <3
--
Arturo Borrero Gonzalez
SRE / Wikimedia Cloud Services
Wikimedia Foundation
Hi there!
If you use a CloudVPS web proxy, this email is for you. Toolforge
developers/users can ignore this email.
We are introducing a change to eliminate the 'X-Forwarded-For' HTTP header that
the CloudVPS web proxy adds when forwarding the HTTP request to your instance.
This header contains the original IP address of the internet client that sent
the request. This is private information that we would like to reduce in our
environment [0].
You use the web proxy if you have a public web endpoint hosted in CloudVPS under
the wmflabs.org domain. These are generally configured using Horizon in the DNS
> Web Proxies section.
Examples of web proxy names:
* accounts.wmflabs.org
* glampipe.wmflabs.org
* incubator.wmflabs.org
Full list can be seen in the Openstack Browser tool [1].
We are ready to introduce this change [2], but wanted to give some heads up for
projects that do require this information for whatever reason. We would like to
hear from you in the next couple of weeks. Please contact us in the phabricator
task [0] and include some rationale why you need the XFF header.
This is the timeline this change will follow:
* 2020-04-01: this email, start collecting list of things that require XFF
* 2020-04-07: start evaluating list of things that require XFF
* 2020-04-15: introduce the change, with proper case whitelisting
When the change is introduced, in two weeks from now, proxy backends that were
not whitelisted will stop receiving the XFF header.
Please reach out for any questions or comments.
regards.
[0] https://phabricator.wikimedia.org/T135046
[1] https://openstack-browser.toolforge.org/project/project-proxy
[2] https://gerrit.wikimedia.org/r/c/operations/puppet/+/583098
--
Arturo Borrero Gonzalez
SRE / Wikimedia Cloud Services
Wikimedia Foundation
Hi there!
In a few days from now (2020-04-13), the CloudVPS network will see a change
happening that will likely go unnoticed, but it is important enough to share it
with you beforehand.
We will be changing the IPv4 address that we use as the main source NAT for
egress connections (initiated in the VM instances). This change won't affect VM
instances using floating IPs.
Old IP address: 185.15.56.1
New IP address: 208.80.155.92
If you know of anywhere (a firewall, ACL or any other mechanism) that had this
address hardcoded, you will need to update it.
See this wikitech page for more details:
https://wikitech.wikimedia.org/wiki/News/CloudVPS_NAT_change
Please reach out if you have any doubts, questions, or any other issue.
regards.
--
Arturo Borrero Gonzalez
SRE / Wikimedia Cloud Services
Wikimedia Foundation
I created <https://phabricator.wikimedia.org/T249774> to nominate
Reedy for basically the same rights as I hold in the Cloud Services
environment. This nomination comes out of some conversations with
Reedy and my selfish desire to be able to nerd snipe him into helping
with more things. Per
<https://wikitech.wikimedia.org/wiki/Help:Access_policies> I am
announcing the nomination here. I will also follow up with the policy
mandated inquiry to Trust & Safety.
The archives of this list are public, so remember that if you choose
to respond directly to this message with your endorsement or concerns.
Private email to a WMCS team member, such as Brooke Storm since I am
the nominating party and may be seen as biased, is potentially the
best method of ensuring that concerns are heard during the 7 day
comment period.
Bryan
--
Bryan Davis Technical Engagement Wikimedia Foundation
Principal Software Engineer Boise, ID USA
[[m:User:BDavis_(WMF)]] irc: bd808
Thanks Bryan - sorry for not answering faster, but looks like you only
replied to cloud-admin and I am not there :-)
Today in our 1:1 this subject came up and Jaime forwarded me the mail, as
he is in cloud-admin hehe.
Answers in line!
On Mon, Mar 30, 2020 at 1:02 PM Jaime Crespo <jcrespo(a)wikimedia.org> wrote:
> ---------- Forwarded message ---------
> From: Bryan Davis <bd808(a)wikimedia.org>
> Date: Tue, Mar 24, 2020 at 3:56 PM
> Subject: Re: [Cloud-admin] Update 1 labsdb host to buster and 10.4
> To: Cloud Services administration and infrastructure discussion
> <cloud-admin(a)lists.wikimedia.org>
>
>
> On Tue, Mar 24, 2020 at 2:36 AM Manuel Arostegui
> <marostegui(a)wikimedia.org> wrote:
> >
> > So far we have had normal 1 instance hosts upgraded, multi-instance (2
> mysqld processes) upgraded, and we need to have a multisource (labsdb) host
> upgrade, to make sure 10.4 works fine or to know what might need work
> (mysqld-exporter https://phabricator.wikimedia.org/T247290 or whatever),
> better to know in advance.
> >
> > 10.4 also fixes some bugs that are hitting labsdb hosts specifically:
> > - Grants race condition: https://jira.mariadb.org/browse/MDEV-14732
> > - GTID works on multisource: https://jira.mariadb.org/browse/MDEV-12012
> this is one of the early bugs we filed with MariaDB almost 3 years ago and
> looks like it is now working even though - this requires some work on the
> master's side, but my last tests are looking good and if we can enable GTID
> on labsdb hosts that'd we be a BIG improvement towards avoiding corruption
> during a crash.
>
> These all sound like good things. And thank you very much, seriously,
> for the effort you have been putting into thinking about and caring
> for the wiki replicas.
>
You are welcome! :-)
>
> > So, any objections to reimage labsdb1011 as Buster and 10.4 (/srv won't
> be formatted, so we don't have to rebuild that host).
>
> Any idea what the roll back plan would look like if it turns out that
> something about 10.4 and multisource do not work well together? Would
> it be less risky to do labsdb1012 first and see how it works there?
>
The rollback plan is basically, reimage back to Stretch and reclone from
labsdb1012.
The idea to use labsdb1011 is to actually test 10.4 in this very unique
environment (lots of heavy queries).
Labsdb1012 is barely used, and only a few days during the month, so it
wouldn't be representative. Also, the rollback is easier as we can use
labsdb1012, as it is normally fine to stop it for 24h (as long as it is not
during the few days it is used at the start of each month), so no user
impact there.
Whereas, stopping a wiki replica, means we have to put more pressure on the
other 2 hosts for the time it is stopped.
Does this make sense and answer your question?
Thank you!
Manuel.