[Labs-l] Bots project is too permissive, let's discuss options

Ryan Lane rlane at wikimedia.org
Sat Dec 15 00:29:11 UTC 2012


On Fri, Dec 14, 2012 at 3:55 PM, Petr Bena <benapetr at gmail.com> wrote:

> Hi, I don't know what happened, but someone removed recursively all data
> in ~wm-bot/logs
>
> I may have a backup but because this removal was done yesterday or earlier
> and apparently happens every day, it's a problem, because even the complete
> logs archive is almost empty now.
>
> Please be careful when you are running scripts as root on bots project,
> since all stuff is in /data all users can change it and that kind of suck.
> These logs were used by many wikimedia projects and this problem can cause
> a lot of troubles.
>
>
This really sucks. I think it's time we started a more formalized bots
project.

Petr mentioned that we should likely keep the current bots project as-is as
a development project for bots, then have a bots-production project that's
locked down. In bots-production no one would have root, and bots would be
deployed to the instances.

I've been writing a new deployment system for production. We may be able to
use it for this as well. It uses git, which means all bots would need to be
in a git repo, likely in gerrit. We could deploy all bot code to all
instances, and have configuration for which instances bots run on.

We really need to start pulling together a list of requirements for bots. I
think we have a puppet manifest that Damian has been working on, which
should be a good starting point.

Does this sound like a good plan? Anyone have alternative ideas?

- Ryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wikimedia.org/pipermail/labs-l/attachments/20121214/1aa06268/attachment.html>


More information about the Labs-l mailing list