#musicbrainz-devel

/

18:01 PM
ruaok

what does that do?

2015-04-24 11418, 2015

18:01 PM
kepstin-laptop

(you might be able to use a service module to enable it instead of running that manually)

2015-04-24 11438, 2015

18:01 PM
kepstin-laptop

the service didn't get the symlinks in /etc/rc*.d installed, that installs them.

2015-04-24 11457, 2015

18:01 PM
ruaok

ah

2015-04-24 11422, 2015

18:02 PM
ruaok

pushed.

2015-04-24 11419, 2015

18:03 PM
kepstin-laptop

ok, that looks good. it's happily moving the ips back and forth, and survives reboots. I'm just gonna try the dual poweroff scenario then i'll be satisfied

2015-04-24 11433, 2015

18:03 PM
ruaok

:-D

2015-04-24 11418, 2015

18:04 PM
ruaok

packemaker links installed.

2015-04-24 11420, 2015

18:04 PM
ruaok

looking good.

2015-04-24 11428, 2015

18:04 PM
bagoluls joined the channel

2015-04-24 11450, 2015

18:04 PM
ruaok

and also, the traffic shaper is getting installed. might be worth testing that too.

2015-04-24 11456, 2015

18:04 PM
kepstin-laptop

ok, everything came back up fine

2015-04-24 11414, 2015

18:05 PM
kepstin-laptop

I've tested the script separately before

2015-04-24 11427, 2015

18:05 PM
ruaok

ok. :)

2015-04-24 11429, 2015

18:05 PM
ruaok

\ø/

2015-04-24 11433, 2015

18:05 PM
ruaok

thanks so much.

2015-04-24 11448, 2015

18:05 PM
ruaok

I just need to test dnscache on ernie and then I think I am done.

2015-04-24 11458, 2015

18:05 PM
kepstin-laptop

ok, this corosync+pacemaker config is looking good now.

2015-04-24 11418, 2015

18:06 PM
ruaok

:(

2015-04-24 11438, 2015

18:06 PM
kepstin-laptop

ruaok, yep, that means out of date openssl or nginx version.

2015-04-24 11439, 2015

18:06 PM
ruaok

we need to update our wildcard cert.

2015-04-24 11414, 2015

18:07 PM
ruaok

let me do an apt-get upgrade again

2015-04-24 11429, 2015

18:07 PM
kepstin-laptop

globalsign run their own ssl checker, but i find they try to upsell you on their own services, and the diagnostics aren't as good as the ssllabs one

2015-04-24 11447, 2015

18:07 PM
Gentlecat

ruaok: maybe get a cert for meb.org while you are at it

2015-04-24 11412, 2015

18:08 PM
ruaok

I'll do that next week when I deploy meb

2015-04-24 11427, 2015

18:08 PM
ruaok

I wonder if we can make meb SSL only.

2015-04-24 11404, 2015

18:09 PM
ruaok

upgraded packages. didn't see anything pertaining to ssl being updated.

2015-04-24 11412, 2015

18:09 PM
ruaok

doing a reboot test now.

2015-04-24 11416, 2015

18:09 PM
Gentlecat

definitely need to do that for user account parts

2015-04-24 11435, 2015

18:09 PM
Gentlecat

alastairp: got a question about your comment https://github.com/metabrainz/acousticbrainz-serv…

2015-04-24 11442, 2015

18:09 PM
ruaok

I'm considering doing it for ALL urls, save for hte replication fetch

2015-04-24 11453, 2015

18:09 PM
kepstin-laptop

ruaok, this is 'www.musicbrainz.org' you're testing?

2015-04-24 11403, 2015

18:10 PM
ruaok

no gtest.musicbrainz.org

2015-04-24 11415, 2015

18:10 PM
yeeeargh

tsl only with a+ would be great

2015-04-24 11418, 2015

18:10 PM
ruaok

which is running the * cert with sha1.

2015-04-24 11425, 2015

18:10 PM
ruaok

but at least the software ought to be up to date.

2015-04-24 11427, 2015

18:10 PM
yeeeargh

*tls

2015-04-24 11432, 2015

18:10 PM
Gentlecat

I was thinking only about editing, but it seems sensible to do that on the server since we'll need that data for viewing datasets

2015-04-24 11402, 2015

18:11 PM
ruaok

how do I fix this, yeeeargh & kepstin-laptop ?

2015-04-24 11404, 2015

18:11 PM
Gentlecat

did you mean caching on the server for a certain amount of time?

2015-04-24 11418, 2015

18:11 PM
kepstin-laptop

ruaok, just a moment, the ssllabs test isn't connecting, and I want to see its diagnostics.

2015-04-24 11429, 2015

18:11 PM
ruaok

hang on, I just broke something.

2015-04-24 11434, 2015

18:11 PM
ruaok

nginx didn't come up cleanly.

2015-04-24 11452, 2015

18:11 PM
ruaok

the vhost is gone.

2015-04-24 11429, 2015

18:12 PM
ruaok

the virtual ip survived reboot, so that is good. :)

2015-04-24 11441, 2015

18:13 PM
ruaok

gotta clean up a little mess real quick. hang on.

2015-04-24 11445, 2015

18:13 PM
Gentlecat

alastairp: I'll post that on github

2015-04-24 11450, 2015

18:13 PM
kepstin-laptop

what ubuntu version is the nginx that's terminating ssl running?

2015-04-24 11409, 2015

18:14 PM
kepstin-laptop

should be able to do tls1.2 in 12.04 and newer

2015-04-24 11423, 2015

18:14 PM
ruaok

sUbuntu 14.04.2 LTS

2015-04-24 11430, 2015

18:14 PM
ruaok

or did you mean the nginx version?

2015-04-24 11441, 2015

18:14 PM
kepstin-laptop

need to make sure it has "ssl_protocols TLSv1.2 TLSv1.1 TLSv1;" in the config

2015-04-24 11458, 2015

18:14 PM
ruaok

1.4.6-1ubuntu3.2

2015-04-24 11413, 2015

18:15 PM
kepstin-laptop

ok, should have no problem, those package versions are plenty new enough

2015-04-24 11436, 2015

18:15 PM
ruaok

ok, I see that.

2015-04-24 11448, 2015

18:15 PM
ruaok

trouble is that might conflict with the production version.

2015-04-24 11453, 2015

18:15 PM
ruaok

er, fuckit for now.

2015-04-24 11427, 2015

18:16 PM
Enverex joined the channel

2015-04-24 11453, 2015

18:16 PM
kepstin-laptop

but yeah, there's nothing listening on port 443 on 72.29.167.152 right now.

2015-04-24 11414, 2015

18:17 PM
Enverex

Silly question whilst the server continues to fall over - what's the general turnaround time on edits these days?

2015-04-24 11406, 2015

18:18 PM
kepstin-laptop

Enverex, seems like more of a user question, but https://musicbrainz.org/doc/Introduction_to_Voting should cover it.

2015-04-24 11451, 2015

18:19 PM
ruaok

hmmm. something didn't work right on boot.

2015-04-24 11459, 2015

18:19 PM
ruaok

but it worked after a chef deploy.

2015-04-24 11403, 2015

18:20 PM
ruaok

I need to get to the bottom of that.

2015-04-24 11444, 2015

18:20 PM
kepstin-laptop

do you have nginx binding to specific ip addresses in the config?

2015-04-24 11411, 2015

18:21 PM
ruaok

yes, the one virtual ip I have.

2015-04-24 11412, 2015

18:21 PM
kepstin-laptop

if you are, it will fail to start if the ip isn't available.

2015-04-24 11414, 2015

18:21 PM
ruaok

and a pile I don't have.

2015-04-24 11431, 2015

18:21 PM
ruaok

problem is it started, but it failed out the vhost.

2015-04-24 11436, 2015

18:21 PM
ruaok

I need to look at the logs.

2015-04-24 11442, 2015

18:21 PM
ruaok

but I am re-running the ssllabs one

2015-04-24 11414, 2015

18:22 PM
kepstin-laptop

yeah, gets an A now, main warning is the sha1 cert

2015-04-24 11418, 2015

18:22 PM
ruaok

A!!!

2015-04-24 11433, 2015

18:22 PM
ruaok

it will get better with the main cert since we switched to sha2 a while back.

2015-04-24 11434, 2015

18:22 PM
kepstin-laptop

you're also including the root cert in the cert chain, which you shouldn't be

2015-04-24 11441, 2015

18:22 PM
kepstin-laptop

should only be the servers's cert and the intermediate

2015-04-24 11456, 2015

18:22 PM
kepstin-laptop

(that'll make the ssl setup a bit faster, 1 less cert to transmit)

2015-04-24 11408, 2015

18:24 PM
ruaok

gateway-chef/cookbooks/ssl/files/default/wildcard.musicbrainz.crt

2015-04-24 11413, 2015

18:24 PM
ruaok

what there needs to be nuked?

2015-04-24 11415, 2015

18:25 PM
kepstin-laptop

delete the third block

2015-04-24 11421, 2015

18:25 PM
kepstin-laptop

keep the first 2

2015-04-24 11426, 2015

18:25 PM
Enverex

kepstin-laptop: Yep, my bad.

2015-04-24 11441, 2015

18:25 PM
Leo_Verto

wee, no downgrading to B anymore :D

2015-04-24 11450, 2015

18:26 PM
kepstin-laptop

ssllabs is giving some "weak' notices on some ciphers, that's because it's using 1024bit diffie-hellman. That's fine for now, but might be worth looking at to change to 2048 bit later.

2015-04-24 11409, 2015

18:27 PM
ruaok

yeah. and the main cert is sha2.

2015-04-24 11423, 2015

18:27 PM
ruaok

ok, giving another whirl

2015-04-24 11448, 2015

18:27 PM
ruaok

the anchor bit is gone. :)

2015-04-24 11421, 2015

18:29 PM
ruaok

looking better.

2015-04-24 11430, 2015

18:29 PM
ruaok

ok, need to take a bit of a break.

2015-04-24 11443, 2015

18:29 PM
ruaok

I'll re-do the reboot test and do my final dnscache check.

2015-04-24 11452, 2015

18:29 PM
ruaok

after that, I'll try to migrate to the new gateway.

2015-04-24 11455, 2015

18:29 PM
ruaok

bbiab

2015-04-24 11456, 2015

18:29 PM
kepstin-laptop

ok. don't forget to remove me from the repo when you're done :)

2015-04-24 11406, 2015

18:30 PM
ruaok

will do.

2015-04-24 11455, 2015

19:30 PM
ruaok

kepstin-laptop: did everything come back up on boot for you?

2015-04-24 11408, 2015

19:31 PM
ruaok

my nginx comes up, but the vhost isn't working.

2015-04-24 11425, 2015

19:31 PM
ruaok

nothing interesting in the logs.

2015-04-24 11443, 2015

19:31 PM
kepstin-laptop

hmm, let me look at the nginx config you have

2015-04-24 11444, 2015

19:31 PM
ruaok

but as soon as I do another chef deploy, it starts working.

2015-04-24 11454, 2015

19:31 PM
kepstin-laptop

i was mostly concentrating on the ip stuff, didn't really look at nginx

2015-04-24 11423, 2015

19:33 PM
kepstin-laptop

can i see the nginx config being used somewhere?

2015-04-24 11436, 2015

19:33 PM
ruaok

sure one sec

2015-04-24 11404, 2015

19:34 PM
ruaok

well, if you still have those instances...

2015-04-24 11410, 2015

19:34 PM
ruaok

/usr/local/nginx

2015-04-24 11418, 2015

19:34 PM
ruaok

if not, I can add you to the team on github.

2015-04-24 11422, 2015

19:34 PM
kepstin-laptop

I didn't do the full setup on them

2015-04-24 11430, 2015

19:34 PM
ruaok

ah

2015-04-24 11436, 2015

19:34 PM
kepstin-laptop

missing some of the bits to get your chef config going

2015-04-24 11437, 2015

19:34 PM
rvedotrc pops in again.

2015-04-24 11439, 2015

19:34 PM
kepstin-laptop

i think

2015-04-24 11425, 2015

19:35 PM
ruaok

rvedotrc: wb. how does tinydns bind to a specific IP? or does it?

2015-04-24 11459, 2015

19:35 PM
rvedotrc

iirc, /etc/tinydns/env/IP

2015-04-24 11410, 2015

19:36 PM
rvedotrc

something like that.

2015-04-24 11413, 2015

19:36 PM
ruaok

kepstin-laptop: I invited you to be part of the metabrainz team.

2015-04-24 11422, 2015

19:36 PM
kepstin-laptop

oh, on github

2015-04-24 11424, 2015

19:36 PM
ruaok

accept that and then look at the nginx repo

2015-04-24 11434, 2015

19:36 PM
ruaok

yeah. that one doesn't live on bb.

2015-04-24 11426, 2015

19:37 PM
ruaok

rvedotrc: the IP file shows only localhost. but on carl it listens on .250

2015-04-24 11430, 2015

19:37 PM
ruaok

how does that work?

2015-04-24 11446, 2015

19:37 PM
rvedotrc looks

2015-04-24 11421, 2015

19:38 PM
rvedotrc

dnscache is on .250, tinydns is on 12.0.0.1

2015-04-24 11426, 2015

19:38 PM
rvedotrc

different services.

2015-04-24 11446, 2015

19:38 PM
rvedotrc

which one are you asking about?

2015-04-24 11408, 2015

19:39 PM
rvedotrc

grep ^ /etc/dnscache/env/* /etc/tinydns/env/*

2015-04-24 11425, 2015

19:39 PM
ruaok

ah. I didn't know much about either of those.

2015-04-24 11431, 2015

19:39 PM
ruaok

but it makes sense now.

2015-04-24 11437, 2015

19:39 PM
rvedotrc

cool :-)

2015-04-24 11440, 2015

19:39 PM
ruaok

I'll have to tweak the configs in order to test that.

2015-04-24 11429, 2015

19:42 PM
bagoluls

hey guys, how does one build the search indexes?

2015-04-24 11425, 2015

19:44 PM
bagoluls

nevermind, found it :)

2015-04-24 11449, 2015

19:47 PM
ruaok

looks like tinydns isn't working. it used to be. :(

2015-04-24 11407, 2015

19:48 PM
rvedotrc

Anything I can help with?

2015-04-24 11420, 2015

19:48 PM
johtso_ joined the channel

2015-04-24 11428, 2015

19:48 PM
ruaok

are you averse to logging into the new gateway?

2015-04-24 11440, 2015

19:48 PM
ruaok

if not, ernie.musicbrainz.org

2015-04-24 11441, 2015

19:48 PM
kepstin-laptop

interesting; nginx's behaviour differs in how it binds to ips depending on whether or not a config is present that binds to * on the port in question.

2015-04-24 11449, 2015

19:48 PM
rvedotrc

Why not. Username rachel? :-)

2015-04-24 11405, 2015

19:49 PM
ruaok

rvedotrc: if you send us a PR for that, I can change that.

2015-04-24 11411, 2015

19:49 PM
ruaok

alas, still djce.

2015-04-24 11414, 2015

19:49 PM
rvedotrc

PR to what codebase?

2015-04-24 11433, 2015

19:49 PM
kepstin-laptop

is there anything in the config that has "listen 80" or "listen *:80" (or :443), or do all listens specify an ip address?

2015-04-24 11433, 2015

19:49 PM
ruaok

syswiki

2015-04-24 11433, 2015

19:49 PM
rvedotrc

also, hostname?

2015-04-24 11440, 2015

19:49 PM
ruaok

ernie

2015-04-24 11443, 2015

19:49 PM
rvedotrc

k

2015-04-24 11422, 2015

19:50 PM
ruaok

feel free to make changes, but let me know what you change so I can get that into the chef config.

2015-04-24 11432, 2015

19:50 PM
ruaok

I added an internal ip .150 for testing purposes.

2015-04-24 11448, 2015

19:50 PM
ruaok

and changed dnscache/env/IP to be .150

2015-04-24 11456, 2015

19:50 PM
kepstin-laptop

it looks like if there is a listener on * for some port, nginx only listens on *, and does not bind separately to the ips.

2015-04-24 11409, 2015

19:51 PM
kepstin-laptop

if there is no listener to *, it *only* binds to the separate ips.