WMCS has redesigned the PAWS cluster and built a new one in parallel. We
would like people to try things out and makes sure it's ready to go. If
you are a PAWS user and have some things you might like to try out, you
can visit https://hub.paws.wmcloud.org and give it a shot. Please create
a Phabricator task with the project tag #paws if you find any bugs or
things that don't work as well as in the old cluster. We will leave both
clusters live until August 7th (2020-08-07), when we will change
paws.wmflabs.org to a redirect to the new domain.
Please be aware that it is running on the local sqlite database for now,
and that may reduce the performance for things like launching notebooks
under load. It will be using Toolsdb like the existing PAWS cluster
after the final cut over.
For further details, please see:
https://wikitech.wikimedia.org/wiki/News/2020_PAWS_migration
--
Brooke Storm
SRE
Wikimedia Cloud Services
bstorm(a)wikimedia.org
IRC: bstorm_
Today we merged two small changes [0][1] to the front proxy for
*.toolforge.org. These changes allowed us to close a 5 year old
feature request [2] asking for Toolforge to always use TLS (HTTPS) and
to also set a strict-transport-security header (HSTS) to tell web
browser that they should *always* use TLS when talking to a Toolforge
webservice.
Most of this has been happening for some time, but the final changes
were to increase the HSTS duration to one year (technically we
advertise 31,622,400 seconds which is 366 days) and to close the "POST
loophole". The "POST loophole" was created when TLS was first enforced
on Toolforge back in January 2019 [3]. It allowed HTTP requests with
the POST verb to continue without TLS encryption. This was done
because of unspecified behavior of clients (web browsers) when
receiving an HTTP "301 Permanent Redirect" response to a POST action.
A similar exception was originally made when the Wikimedia project
wikis were switched to always require TLS encryption.
We do not expect new issues with the use of Toolforge webservices as a
result of this change, but if you find something behaving badly as a
result please report it in Phabricator using the #Toolforge project
tag or join us in the #wikimedia-cloud Freenode IRC channel to ask for
help.
[0]: https://gerrit.wikimedia.org/r/612947
[1]: https://gerrit.wikimedia.org/r/612948
[2]: https://phabricator.wikimedia.org/T102367
[3]: https://phabricator.wikimedia.org/phame/post/view/132/migrating_tools.wmfla…
Bryan
--
Bryan Davis Technical Engagement Wikimedia Foundation
Principal Software Engineer Boise, ID USA
[[m:User:BDavis_(WMF)]] irc: bd808
Hi!
We are happy to announce the new domain 'toolforge.org' is now ready to be
adopted by our Toolforge community.
There is a lot of information related to this change in a wikitech page we have
for this:
https://wikitech.wikimedia.org/wiki/News/Toolforge.org
The most important change you will see happening is a new domain/scheme for
Toolforge-hosted webservices:
* from https://tools.wmflabs.org/<toolname>/
* to https://<toolname>.toolforge.org/
A live example of this change can be found in our internal openstack-browser
webservice tool:
* legacy URL: https://tools.wmflabs.org/openstack-browser/
* new URL: https://openstack-browser.toolforge.org
This domain change is something we have been working on for months previous to
this announcement. Part of our work has been to ensure we have a smooth
transition from the old domain (and URL scheme) to the new canonical one.
However, we acknowledge the ride might be bumpy for some folks, due to technical
challenges or cases we didn't consider when planning this migration. Please
reach out intermediately if you find any limitation or failure anywhere related
to this change. The wikitech page also contains a section with information for
common problems.
You can check now if your webservice needs any specific change by creating a
temporal redirection to the new canonical URL:
$ webservice --canonical --backend=kubernetes start [..]
$ webservice --canonical --backend=gridengine start [..]
The --canonical switch will create a temporal redirect that you can turn on/off.
Please use this to check how your webservice behaves with the new domain/URL
scheme. If you start the webservice without --canonical, the temporal redirect
will be removed.
We aim to introduce permanent redirects for the legacy URLs on 2020-06-15. We
expect to keep serving legacy URLs forever, by means of redirections to the new
URLs. More information on the redirections can also be found in the wikitech page.
The toolforge.org domain is finally here! <3
--
Arturo Borrero Gonzalez
SRE / Wikimedia Cloud Services
Wikimedia Foundation