11:50 AM
ruaok
> -A forward_ssh_nat -d 10.1.1.102 -j log_and_accept
2015-10-05 27814, 2015
11:51 AM
ruaok
no, wait, that might already be there.
2015-10-05 27817, 2015
11:51 AM
ruaok
hold on, let me check.
2015-10-05 27845, 2015
11:55 AM
ruaok
nope doesn't work.
2015-10-05 27819, 2015
11:56 AM
ruaok
I think we need to add the rule above to get this ssh forward to work
2015-10-05 27837, 2015
11:56 AM
zas
want me to add it to the PR ?
2015-10-05 27806, 2015
11:57 AM
ruaok
yes, please.
2015-10-05 27811, 2015
11:57 AM
ruaok heads out for noms
2015-10-05 27858, 2015
12:09 PM
flamingspinach has quit
2015-10-05 27816, 2015
12:10 PM
flamingspinach joined the channel
2015-10-05 27815, 2015
12:15 PM
ariscop has quit
2015-10-05 27843, 2015
12:26 PM
UmkaDK has quit
2015-10-05 27802, 2015
12:29 PM
UmkaDK joined the channel
2015-10-05 27846, 2015
12:37 PM
ruaok
zas: I just gave you a pile of MB privs.
2015-10-05 27856, 2015
12:37 PM
ruaok
2015-10-05 27832, 2015
12:38 PM
zas
Ok, noted
2015-10-05 27811, 2015
12:39 PM
ruaok
so, when we play with the firewall, we should put up a message there and on beta.mb.org
2015-10-05 27826, 2015
12:39 PM
ruaok
and to tweet that we might lose connectivity for a minute or two
2015-10-05 27845, 2015
12:40 PM
ruaok
should I request the DNS change for data.mb.org to now go to: 167.148?
2015-10-05 27847, 2015
12:50 PM
zas
i guess so
2015-10-05 27812, 2015
12:51 PM
zas
2015-10-05 27826, 2015
12:51 PM
zas
and few others, chatlogs, etc..
2015-10-05 27830, 2015
13:06 PM
ruaok
let's do that when we move the domain over.
2015-10-05 27804, 2015
13:09 PM
D4RK-PH0ENiX has quit
2015-10-05 27844, 2015
13:10 PM
D4RK-PH0ENiX joined the channel
2015-10-05 27845, 2015
13:10 PM
D4RK-PH0ENiX has quit
2015-10-05 27852, 2015
13:10 PM
D4RK-PH0ENiX joined the channel
2015-10-05 27856, 2015
13:11 PM
CatQuest wonders what "yak shaving means again"
2015-10-05 27801, 2015
13:12 PM
CatQuest
erh wrong placement of "
2015-10-05 27826, 2015
13:12 PM
ruaok
2015-10-05 27826, 2015
13:12 PM
ruaok
right zas?
2015-10-05 27804, 2015
13:13 PM
ruaok
OMFG.
2015-10-05 27809, 2015
13:13 PM
zas
?
2015-10-05 27857, 2015
13:13 PM
CatQuest also thinks we need to finally do a thing for april fools day. all the cool sites are doing it :(
2015-10-05 27813, 2015
13:15 PM
D4RK-PH0ENiX has quit
2015-10-05 27843, 2015
13:15 PM
ruaok
zas: does that CNAME change look ok to you?
2015-10-05 27858, 2015
13:16 PM
zas
yes, or you can use an A with the matching IP, it prevents useless dns queries (CNAME != alias)
2015-10-05 27841, 2015
13:17 PM
ruaok
DWNI really prefers this way. another reason we should move to gandi.
2015-10-05 27850, 2015
13:17 PM
ruaok
so, let's make those improvements later.
2015-10-05 27858, 2015
13:17 PM
zas
ok np ;)
2015-10-05 27826, 2015
13:18 PM
ruaok
have you added the wiki forward to the PR yet?
2015-10-05 27840, 2015
13:18 PM
zas
nope
2015-10-05 27846, 2015
13:18 PM
zas
i'll do it now
2015-10-05 27857, 2015
13:20 PM
zas
done, check the PR
2015-10-05 27809, 2015
13:21 PM
zas
i'm looking at the multicast thing
2015-10-05 27838, 2015
13:21 PM
ruaok
and that change makes sense to you, yes?
2015-10-05 27856, 2015
13:21 PM
ruaok
the NAT forwarding rule was already there, right?
2015-10-05 27813, 2015
13:28 PM
zas
i didn't check, let me see
2015-10-05 27826, 2015
13:28 PM
MajorLurker has quit
2015-10-05 27843, 2015
13:28 PM
zas
-A forward_new -i em1 -o em2.1 -p tcp -m tcp --dport 22 -j forward_ssh_nat
2015-10-05 27843, 2015
13:28 PM
zas
-A forward_new -i em1 -o em2.3 -p tcp -m tcp --dport 22 -j forward_ssh_nat
2015-10-05 27852, 2015
13:28 PM
zas
so it should be pl
2015-10-05 27859, 2015
13:28 PM
zas
s/pl/ok/
2015-10-05 27813, 2015
13:29 PM
ruaok
k
2015-10-05 27829, 2015
13:30 PM
D4RK-PH0ENiX joined the channel
2015-10-05 27859, 2015
13:30 PM
D4RK-PH0ENiX has quit
2015-10-05 27805, 2015
13:31 PM
D4RK-PH0ENiX joined the channel
2015-10-05 27840, 2015
13:39 PM
samphippen has quit
2015-10-05 27838, 2015
13:44 PM
zas
2015-10-05 27814, 2015
13:46 PM
ruaok
yes, I had no luck. I probably screwed it up though.
2015-10-05 27836, 2015
13:46 PM
zas
btw, multicast packets aren't not specifically handled by current rules it seems to me, so we can start by logging them (i tested, and no packet is logged has dropped)
2015-10-05 27808, 2015
13:47 PM
zas
s/has d/when d/
2015-10-05 27855, 2015
13:49 PM
zas
hmmm bert and ernie have different corosync configs, mcastaddr and mcastport differ
2015-10-05 27822, 2015
13:50 PM
ruaok
yes.
2015-10-05 27838, 2015
13:50 PM
ruaok
I've not fixed up bert much yet to reflect what things really ought to look like.
2015-10-05 27849, 2015
13:50 PM
ruaok
we want to keep bert out for now.
2015-10-05 27803, 2015
13:51 PM
ruaok
get ernie all set up and happy. then get bert happy.
2015-10-05 27826, 2015
13:51 PM
ruaok
then fail over. then we can run chef on ernie to make sure 100% that we're caught up.
2015-10-05 27814, 2015
13:52 PM
ruaok
wow, we have 10 unicorns now. :)
2015-10-05 27816, 2015
13:52 PM
ruaok
2015-10-05 27808, 2015
13:54 PM
Leo_Verto
Wow
2015-10-05 27819, 2015
13:56 PM
ruaok
now let's see if any of the other majors follow suit. :)
2015-10-05 27821, 2015
13:58 PM
zas
btw, shouldn't ernie corosync bind to 10.1.1.0 instead of 127.0.0.1 ?
2015-10-05 27816, 2015
13:59 PM
ruaok
THAT was the problem.
2015-10-05 27851, 2015
13:59 PM
ruaok
the cruz of it all that caused this.
2015-10-05 27819, 2015
14:02 PM
ruaok
crux
2015-10-05 27831, 2015
14:02 PM
zas
2015-10-05 27806, 2015
14:03 PM
ruaok
very good.
2015-10-05 27826, 2015
14:10 PM
ruaok
huh, they agreed that the contract should be considered retro-active to July 1 when their side signed the contract. Cool. :)
2015-10-05 27833, 2015
14:10 PM
ruaok
3 months free money. I dig.
2015-10-05 27801, 2015
14:11 PM
zas
:)
2015-10-05 27830, 2015
14:11 PM
Leo_Verto
I don't know how many people manage to let huge studios give them free money :P
2015-10-05 27850, 2015
14:11 PM
ruaok
<=== :-D
2015-10-05 27826, 2015
14:12 PM
ruaok
they will now have contributed more money than they've destroyed for us.
2015-10-05 27832, 2015
14:12 PM
ruaok
so, that is a plus.
2015-10-05 27832, 2015
14:12 PM
Leo_Verto
and I also don't know how you managed to do all of that stuff plus sysadministration before zas was a thing
2015-10-05 27841, 2015
14:12 PM
ruaok
poorly.
2015-10-05 27826, 2015
14:13 PM
ruaok
of course the server that I mentioned in the contract is actually down right now, but that's cool, right? :)
2015-10-05 27849, 2015
14:13 PM
CatQuest
bert and ernie should really be run together /offtopic
2015-10-05 27851, 2015
14:13 PM
CatQuest
:P
2015-10-05 27801, 2015
14:14 PM
ruaok
CatQuest: they are.
2015-10-05 27806, 2015
14:14 PM
ruaok
they are a pair.
2015-10-05 27846, 2015
14:14 PM
CatQuest
indeed :D
2015-10-05 27843, 2015
14:15 PM
CatQuest
also, the supporters page.. I guess it's just me, but the logos all overlap and the text has become pillars
2015-10-05 27801, 2015
14:16 PM
CatQuest
only for unicorn though, not the others
2015-10-05 27806, 2015
14:16 PM
zas
ruaok: did you ask for data.musicbrainz.org change already ? what is the usual delay (apart the ttl one) ?
2015-10-05 27818, 2015
14:16 PM
ruaok
I did.
2015-10-05 27818, 2015
14:16 PM
CatQuest
no wait also bronze
2015-10-05 27828, 2015
14:16 PM
Leo_Verto
CatQuest, uhh, which firefox version are you using these days?
2015-10-05 27839, 2015
14:16 PM
ruaok
usually they are on it reasonably fast, but not today. should I call them to poke them?
2015-10-05 27843, 2015
14:16 PM
CatQuest
seems to be dependent on the amounts of people in the tier
2015-10-05 27858, 2015
14:16 PM
CatQuest
Leo_Verto: let me try in the dev version first ok?
2015-10-05 27817, 2015
14:17 PM
CatQuest
not an issue there
2015-10-05 27834, 2015
14:17 PM
CatQuest
somehow there is not a newline in the old ff
2015-10-05 27847, 2015
14:17 PM
CatQuest
they just get squeezed in on the same line
2015-10-05 27844, 2015
14:19 PM
zas
well, i would poke them, ttl is 1 day, ftp is down since too long time imho
2015-10-05 27843, 2015
14:20 PM
kahu joined the channel
2015-10-05 27846, 2015
14:21 PM
ruaok
ftp is up. just not updating. :)
2015-10-05 27829, 2015
14:22 PM
ruaok stops being snark and calls DWNI
2015-10-05 27813, 2015
14:28 PM
ruaok
done, changed while I was holding. he's next going to clear his cache and we should see the change directly off their service
2015-10-05 27826, 2015
14:28 PM
ruaok
yep. ok, done
2015-10-05 27856, 2015
14:32 PM
zas
we need to apply fw rules now and see if it suffices or no
2015-10-05 27804, 2015
14:36 PM
ruaok
is there a new PR?
2015-10-05 27845, 2015
14:36 PM
zas
for the multicast ? not ready yet
2015-10-05 27859, 2015
14:36 PM
ruaok
ok
2015-10-05 27819, 2015
14:37 PM
ruaok
do you want to try the new rules now or wait for the multicast?
2015-10-05 27807, 2015
14:38 PM
zas
i don't think we need to wait for multicast thing
2015-10-05 27817, 2015
14:38 PM
ruaok
ok.
2015-10-05 27829, 2015
14:38 PM
ruaok
let me set a banner and tweet about a possible short interruption.
2015-10-05 27835, 2015
14:38 PM
ruaok
ready in a few minutes?
2015-10-05 27825, 2015
14:41 PM
ruaok
ok, done.
2015-10-05 27827, 2015
14:41 PM
ruaok
ready when you are zas
2015-10-05 27822, 2015
14:42 PM
zas
did you merge the PR ?
2015-10-05 27833, 2015
14:42 PM
zas
ah no ;)
2015-10-05 27836, 2015
14:42 PM
zas
i do it
2015-10-05 27838, 2015
14:42 PM
ruaok
k
2015-10-05 27840, 2015
14:44 PM
zas
to deploy new rules, you just run update.sh ? like for nagios-chef ?
2015-10-05 27855, 2015
14:44 PM
ruaok
NO !!!
2015-10-05 27802, 2015
14:45 PM
zas
ah ;)
2015-10-05 27804, 2015
14:45 PM
ruaok
you can't do that on the live node.
2015-10-05 27817, 2015
14:45 PM
zas
so how do you proceed ?
2015-10-05 27818, 2015
14:45 PM
ruaok
you need to hand install the updates. :(
2015-10-05 27831, 2015
14:45 PM
ruaok
in future you'll fail over, update and then fail over again.
2015-10-05 27848, 2015
14:45 PM
zas
ok, so iptables-restore using new rules ?
2015-10-05 27800, 2015
14:47 PM
alastairp
new url for chatlogs?
2015-10-05 27808, 2015
14:47 PM
ruaok
zas: yes.
2015-10-05 27815, 2015
14:47 PM
ruaok
2015-10-05 27818, 2015
14:47 PM
alastairp
or more specifically, ruaok: what's the url of the second-hand bike page you sent to Gentlecat
2015-10-05 27824, 2015
14:47 PM
alastairp
502
2015-10-05 27837, 2015
14:47 PM
ruaok
502, really?
2015-10-05 27843, 2015
14:47 PM
ruaok
Leo_Verto: ping?
2015-10-05 27804, 2015
14:48 PM
Leo_Verto
uh
2015-10-05 27814, 2015
14:48 PM
ruaok
Leo_Verto: sorry, nm
2015-10-05 27819, 2015
14:48 PM
Leo_Verto
yeah
2015-10-05 27827, 2015
14:48 PM
ruaok
2015-10-05 27830, 2015
14:48 PM
Leo_Verto
:P
2015-10-05 27837, 2015
14:48 PM
Leo_Verto
maybe add a redirect?
2015-10-05 27845, 2015
14:48 PM
ruaok
I was planning on doing that. :)
2015-10-05 27831, 2015
14:49 PM
zas
ruaok: ok, i'm ready, i'll set safety belt to 1 minute
2015-10-05 27836, 2015
14:49 PM
ruaok
go!