#metabrainz


      • akshaaatt
        Other than that, I worked on our docker containers dashboard, thanks to atj! I need to add some plugins to react bs datatable for which I was looking to connect with the actual dev and make PRs there
      • Plus the work on Design system, MB and LB revamp has been ongoing simultaneously
      • That's about it for me. Go mayhem!
      • TOPIC: MetaBrainz Community and Development channel | MusicBrainz non-development: #musicbrainz | BookBrainz: #bookbrainz | Channel is logged; see https://musicbrainz.org/doc/IRC for details | Agenda: Reviews, Congratulate GSoC students (alastair), MeB-wide Oauth (lucifer), Securing MeB infrastructure - part 4
      • mayhem
        right-o.
      • last week I was mostly on vacation, except for being around for the schema change and having nothing at all to do.
      • !m MB team
      • BrainzBot
        You're doing good work, MB team!
      • monkey
        +1
      • Freso
        (Others still up: alastairp, atj, lucifer, yvanzo, Freso – anyone else who to give review, let me know ASAP! :))
      • mayhem
        thursday and friday I got back into the swing of things and looked over the gsoc situation and immediately acted on a suggestion on how to improve one tricky situation.
      • lucifer
        Freso: i already went :)
      • mayhem
        so, there is a seekrit project in the wings that we hope to unveil wednesday after the board meeting tomorrow.
      • akshaaatt likes seekrits
      • I also created a PR for adding release_tags to the mb metadata cache only to realize that that was pointless and that I should be returning release-group tags. lol. one step forward...
      • and today I spent most of the day lining up the ducks for the board meeting, collecting financial data and writing up notes for the agenda for tomorrow.
      • ready to roll!
      • yvanzo: go!
      • yvanzo
        Hi!
      • The two past weeks were mostly dedicated to the MB database schema change.
      • After that, search indexes have been rebuilt, setting recording’s first release date, and catching up with missed updates.
      • Unfortunately it made search barely usable for a long time.
      • Freso
        (Only alastairp, atj, and myself (Freso) left on my list for reviews. Last call for anyone else who wishes to give a review!)
      • yvanzo
        But there could be a way to avoid this in SIR and MB SolrCloud: https://tickets.metabrainz.org/browse/SEARCH-674
      • Plus some maintenance tasks with sir, trille, and MB website 5xx.
      • Fin. Go alastairp!
      • alastairp
        hi!
      • I helped with some LB functionality to keep it up during the musicbrainz schema update
      • mayhem
        thank you!
      • alastairp
        I reviewed some of Ansh's PRs for BB, and updated some missing functionality that I found (thanks lucifer for helping debug this). I also released a new version of the BU test database that uses the new schema release
      • I started to write some docs for LB for the data mapping and to answer some deployment questions that I had that I wanted to write down for future me
      • as monkey said, we made some improvements to brainzbot, and also broke some other things (sorry about that). We're going to have a pending task soon to upgrade this, as the server and dependencies are quite old and sad.
      • atj: next up?
      • atj
        hi
      • last week I didn't get a great deal done due to work and life keeping me busy
      • I managed to progress the docker dashboard page a bit with akshaaatt, and anonymised the data to make it safe to publish on the internet
      • (for testing and development)
      • Freso
        Thank you, alastairp and monkey :bowing:
      • atj
        I fixed a minor issue with the netplan ansible role that zas uncovered when deploying aretha
      • I think that's about it, Freso?
      • Freso
        🙋
      • I did a wee bit more of trying to coordinate about the tg/#mb bridge, other than that been dealing with flags, reports, and being around/about.
      • And this weekend I helped out with a 3-day fundraiser for three trans rights organisations actively fighting the on-going genocide of trans kids in the US and UK. Still recovering from that. :)
      • fin.
      • And that’s all for reviews! Thank you all for yours!
      • We have a few more topics on the agenda today, so let’s get to it:
      • lucifer
        !m Freso
      • BrainzBot
        You're doing good work, Freso!
      • Freso
        alastair: Congratulate GSoC students
      • alastairp
        I guess we've done this a few times over the last few days
      • but welcome skelly37, Ansh, yellowhatpro, riksucks, PrathameshG and Shubh to MeB for GSoC this year!
      • Freso
        🙌
      • monkey
        🎉🎉🎉 I see great potential this year !
      • alastairp
        you're welcome to stick around for the meetings, that happen at this time every week. if you want to say anything, let Freso know
      • once gsoc starts properly, we can get you on the regular rotation for the meetings
      • that's it, thanks Freso
      • Freso
        Thanks alastairp :) - and congrats to the students!
      • Next up…
      • lucifer: MeB-wide Oauth
      • lucifer
        hi all!
      • TOPIC: MetaBrainz Community and Development channel | MusicBrainz non-development: #musicbrainz | BookBrainz: #bookbrainz | Channel is logged; see https://musicbrainz.org/doc/IRC for details | Agenda: MeB-wide Oauth (lucifer), Securing MeB infrastructure - part 4
      • for the past few years, we have been discussing moving the Oauth stuff over to MeB from MB.
      • here's a brief sketch of the idea that some of us prepared last year. https://docs.google.com/document/d/1Doi5s99Pjry...
      • (edit to all @meb.org accounts)
      • the intent is to move over both user accounts and oauth applications to MeB. users create an account on meb.org and then all other projects can then communicate with MeB Oauth to create that user's account inside that project.
      • the greater benefits are on the Oauth side though, as it allows us to implement OAuth once and add project specific scopes instead of implementing oauth in each project again and again.
      • alastairp
        and also allow for someone to sign in once (for example on LB) and be able to add tags to MB or reviews to CB without logging in again
      • lucifer
        yup that too, also to enable some BrainzPlayer use cases iirc.
      • monkey
        Yes
      • lucifer
        thoughts on how we should go about this?
      • we have 2 things to do: 1) implement OAuth apps on MeB.org 2) move users and oauth apps to MeB.org from MB.
      • mayhem
        hmm. I think it might be best if alastair, you and I discuss this in a smaller group rather than the weekly meeting.
      • alastairp
        mayhem mentioned that it would be a good idea to get everyone together (including MB team) after the schema change to see if this is something that we could all work on together to get done
      • although yes - maybe we require some more offline planning first?
      • Freso
        We should probably also move Discourse auth (which is not OAuth) to MeB.o then, since users may have MeB accounts but not MB ones. I’ll try and jot down some thoughts on this in the document.
      • monkey
        Similarly I can add BB use-cases
      • lucifer
        planning more in a smaller group makes sense.
      • mayhem
        I think so, we need to understand what we are doing -- it's been too long for me to jump in and speak cogently about it.
      • monkey
        (they'll most probably align to what I've seen in the document)
      • alastairp
        if anyone else feels that they are knowledgeable in oauth then please let us know and join in these discussions, as I have a bunch of general ideas about how I think oauth works and how it could work for us, but I'm not sure if any of it is actually grounded in truth
      • lucifer
        meanwhile all can add their suggestions to the document?
      • monkey
        Similarly if anyone has good reading resources about oauth I'm a taker
      • yvanzo
        It seems there is a need for more work on specification.
      • rdswift
        Is this change to MeB accounts for oauth going to also impact Picard?
      • mayhem
        if picard logs into MB, then very likely yes.
      • lucifer
        yvanzo: yes indeed.
      • zas
        it does
      • monkey
        And also impacts DB replication packages and such?
      • mayhem
        monkey: less likely.
      • alastairp
        monkey: probably not much
      • monkey
        Good
      • yvanzo
        We should probably have each project document their needs.
      • alastairp
        so - let's have some of us talk about this in more detail, and then potentially plan a month where we can all work on this feature together?
      • mayhem
        yes.
      • yvanzo
        It’s a good example of documenting projects’ external dependencies (as discussed recently).
      • mayhem
        perhaps you and I can take a first stab at getting up to speed next time you're in the office
      • monkey
        I'd like to join
      • alastairp
        yvanzo: I started writing some notes about needs in that document, though not directly as a list of requirements per project
      • zas
        currently Picard users are logging in using an MB account (token), we need to take care to ensure old versions of Picard still work, at least for a while
      • alastairp
        zas: thanks, I added it to the doc
      • monkey
        > AFAIK, OB is the only user of MeB OAuth
      • Is that the case?
      • (OfficeBrainz)
      • mayhem
        could be
      • Freso
        (We have about 13 min left. Do we want to talk OAuth for the rest of this and move Securing MeB infrastructure - part 4 to next week?)
      • mayhem
        this convo is dying. let's close it.
      • Freso
        Alright. My understanding is that the various projects document their OAuth etc. needs in that document and then we have a meeting later with more discussion?
      • mayhem
        sure
      • Freso
        Great. Moving on. :)
      • Securing MeB infrastructure - part 4
      • yvanzo
        We were at “Reducing docker container capabilities”
      • Not “everything” runs as root/root, but those which still do (such as sir) should avoid it.
      • alastairp
        LB does
      • yvanzo
        I’m not sure which other projects are concerned.
      • (MBS doesn’t)
      • monkey
        I think BB does too, but need to check the node base image
      • alastairp
        I think that this item is kind of in two parts, is that right? one is running as a non-root user in the container
      • and the other is about reducing the capabilities of a docker container by only allowing a user to do certain things
      • I'm not certain, but I think that the first can also be achieved by the second? You can say "even if you're root in this container you can't do <certain thing>"?
      • yvanzo
        I don’t think it is.
      • yvanzo
        zas, atj: Has this point been added by one of you?
      • alastairp
        > This means that in most cases, containers do not need “real” root privileges at all. And therefore, containers can run with a reduced capability set; meaning that “root” within a container has much less privileges than the real “root”. For instance, it is possible to:
      • this part
      • Freso
        (5 min left)
      • lucifer
        i think this is more of a look into it thing? (we discussed it briefly as part of other stuff iirc)
      • alastairp
        I think it makes sense to look into running all of our containers as non-root
      • lucifer
        yup makes sense
      • alastairp
        and perhaps the capabilities/rootless stuff can go on the "in the distant future" backburner
      • zas
        yvanzo: I guess that's atj, but that's a good point. Though, capabilities aren't always easy to manage.
      • yvanzo
        This should be discussed again with atj next time then.
      • alastairp
        for now are we happy to have all contractors in a `docker`/`sudo` group to be able to run docker commands?
      • if so, I recommend that we shelve this idea for now
      • yvanzo
        just postpone the discussion, we are running out of time and missing the main initiator.
      • mayhem
        yeah, I am too fried for this.
      • alastairp
        I remember that it was added as a "let's look at this and see if it makes sense for our case"
      • definitely not as a point that we absolutely need to implement
      • yvanzo
        Thanks!
      • Freso
        I think that’s as fine a place to end as any then… :)
      • Thank you all for your time! Stay safe, remember to wear a mask and remember to wear sunscreen!
      • </BANG>
      • monkey
        👋
      • alastairp
        thanks all
      • yvanzo
        MetaBrainz Community and Development channel | MusicBrainz non-development: #musicbrainz | BookBrainz: #bookbrainz | Channel is logged; see https://musicbrainz.org/doc/IRC for details | Agenda: MeB infrastructure - part 4 with atj
      • TOPIC: MetaBrainz Community and Development channel | MusicBrainz non-development: #musicbrainz | BookBrainz: #bookbrainz | Channel is logged; see https://musicbrainz.org/doc/IRC for details | Agenda: MeB infrastructure - part 4 with atj
      • ansh
        alastairp I was setting up BB on wolf and while building docker, I got the following error.
      • alastairp
        ansh: it looks like someone else is already exposing redis and postgres on that port
      • that being said, it looks like these are on the public ip address 0.0.0.0
      • alastairp investigates