TPA team issues
https://gitlab.torproject.org/tpo/tpa/team/-/issues
2023-07-31T22:17:49Z

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41278
2FA physical key setup on forum.torproject.org
2023-07-31T22:17:49Z
Thorin

in setting up 2FA with my yubikey, it is not clear to me what to put for the registered name or how important this piece of info is ... the default placeholder is `user.second_factor.security_key.default_name`
![whatname](/uploads/4822cbc89f694e032374d7eb2d123a4d/whatname.png)

Jérôme Charaoui <lavamind@torproject.org>

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40054
[RT] Error while creating a new Article
2020-09-28T19:02:34Z
Gus

Hi, I'm trying to create a new [Article](https://rt.torproject.org/Articles/Article/Edit.html) to reply to users, but I'm getting this error when I click on Create:
```
Could not add new custom field value: Couldn't create record: Internal Error: Couldn't execute the query 'INSERT INTO ObjectCustomFieldValues (ObjectType, Disabled, LastUpdatedBy, ContentType, CustomField, Content, LargeContent, Creator, LastUpdated, ContentEncoding, Created, ObjectId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'ERROR: current transaction is aborted, commands ignored until end of transaction block
```

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40072
[RT] Redirect swag@tpo to new RT queue 'swag'
2020-10-27T17:29:09Z
Gus

Hi, Erin asked to create a new RT queue for swag coordination. Roger created the new email swag@torproject.org and I created the queue 'swag', but we still need a sysadmin to run some commands on rude to create the new queue (https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/rt/#creating-a-queue).

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40566
Abnormally slow requests on static mirror hosts
2024-03-19T00:40:09Z
Jérôme Charaoui <lavamind@torproject.org>

This morning Nagios was unhappy with some of the static mirror hosts, with several errors like this:
```
tor-nagios: [web-chi-03] network service - https is CRITICAL: CRITICAL - Socket timeout after 10 seconds
tor-nagios: [global] mirror sync - www is CRITICAL: CRITICAL: 38.229.82.25 broken: 500 Cant connect to www.torproject.org:443
```
Looking at Grafana, since about one week ago we are seeing increased loads on our web mirrors, with Apache connection slots getting abnormally filled up:
![Capture_d_écran_de_2021-12-20_12-29-57](/uploads/3ae395cb32e2874722367ab34e28c5c7/Capture_d_écran_de_2021-12-20_12-29-57.png)
Currently Nagios only barks if the web hosts don't respond to HTTPS connections within 10 seconds, which is fine for the purposes of determining whether the service is *alive* at all, but for static sites even on a busy webserver response times of 1 second or more shouldn't be considered acceptable.

Jérôme Charaoui <lavamind@torproject.org>

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40543
Access to and instructions for restarting Gitlab CI runners
2021-12-07T15:50:37Z
Alexander Færøy <ahf@torproject.org>

@mikeperry and @jnewsome have both been doing some exciting stuff with our Gitlab CI recently and have run into some of the issues that happen every now and then. I think right now they depend upon an admin to kick the Gitlab CI service/machine in case it misbehaves and I was wondering if that is something Mike and Jim could get access to?
I'm writing this now particularly because Mike wants to let the runners do a pretty big batch of experiments over the upcoming holiday and it would be sad if he needs to poke anybody for help in case of failure when nobody is around because they are taking time off.
I think the request is:
1. Give Mike and Jim access to restart the Gitlab CI service (maybe as a reboot of the machine?)
2. Do we have instructions for some of the failure modes or is it usually a restart?
Let me know what you think :-)

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41221
Access VictoriaMetrics web interface with http authentication
2023-06-10T13:05:11Z
Hiro

I need VictoriaMetrics exposed on the web behind http auth.
/cc @gk

Sponsor 112 : Combating Malicious Relays
Hiro

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40930
account name / permissions mismatch for dan
2022-10-20T17:48:30Z
Dan Ballard

On tb-build-05 (and possibly other places) there's a mismatch in my unix name and some settings. My unix account is `dan` (on people, tb-build-05, etc) but in `/etc/subuid` (on tb-build-05) there is only a reference to a `dan_b` only. So I am unable to use tor-browser-build's rbm.

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41173
Account on survey.tpo for Sponsor 112 work
2023-05-18T15:27:14Z
Georg Koppen

During our Sponsor 112 work we want to create surveys for relay operators. Thus, please create an account for us to make this happen. I am not sure about the policy for who can get an account at our survey infrastructure (do upload and handle surveys), so maybe it has not to be me. :smile:
Ideally, @acute would get it, though. (@acute: I was not sure whether Victoria is already hooked up to our Gitlab instance. If so, please add her to this ticket and maybe she should get an account, too (or instead))

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40572
acl for /srv/shadow on additional runners
2022-01-10T23:08:15Z
Jim Newsome

I don't seem to have access to /srv/shadow on ci-runner-x86-05. I'm guessing this may also be an issue for other new shadow/shadow-small runners.
On -03 it was configured via setfacl: https://gitlab.torproject.org/tpo/tpa/team/-/issues/40476#note_2759730
On 05 there doesn't appear to be any acl set:
```
jnewsome@ci-runner-x86-05:~$ getfacl /srv/shadow
getfacl: Removing leading '/' from absolute path names
# file: srv/shadow
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
```
In contrast here's the same command on -03:
```
jnewsome@chi-node-14:~$ getfacl /srv/shadow
getfacl: Removing leading '/' from absolute path names
# file: srv/shadow
# owner: root
# group: root
user::rwx
group::r-x
group:shadower:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:shadower:rwx
default:mask::rwx
default:other::r-x
```

Jérôme Charaoui <lavamind@torproject.org>

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40515
Adapt static-shim script for review apps
2021-11-17T21:13:02Z
Jérôme Charaoui <lavamind@torproject.org>

In order to experiment with Review Apps deployed to the static mirror system, I'd like to add two options to `tpa-rsync-static-update-wrapper.sh`.
The first would be to allow a CI job to deploy to a subdirectory of the static mirror component DocumentRoot. For example, if the CI job passes a second argument of `syncreview-new-blog-post` (`new-blog-post` being the name of a MR) then the wrapper, via `exec rrsync -wo "/srv/static-gitlab-shim/$SITE_URL/$REMOTE_SUBDIR"` would rsync the artifacts to a `/syncreview-new-blog-post` subdirectory on the static mirror, below the DocumentRoot.
Secondly, we'd need to be able to call that same wrapper to delete such subdirectories when the associated Review Apps are no longer needed. For example, if we re-use the second-argument idea above, then something like `deletereview-new-blog-post` would trigger a `rm -rf` on that `new-blog-post` subdirectory.
If the increase in complexity is too problematic for that poor wrapper, maybe instead of trying to shove everything in a single script, we could just create a new, dedicated one, on a different user account on `static-gitlab-shim.tpo`?

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40804
Add @msimonelli to /etc/subuid on tb-build machines
2022-06-20T14:27:04Z
Marco Simonelli

As mentioned [here](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40785#note_2811661), I (username `msimonelli`) should be able to use `tb-build-05` for browser team work. `tor-browser-build` expects the active user to have an entry in `/etc/subuid` (i.e. `msimonelli:100000:65536`). Since I don't have an entry here, attempting to use RBM will always fail.
Related conversation with @anarcat in `#tor-admin`:
```
[10:13:35 pm] <msim> anarcat: i'm trying to run some builds on tb-build-05, but it fails with the following error: "Error: Could not find uid in /etc/subuid"
[10:14:06 pm] <msim> is my uid meant to be in there? i can't seem to su to tb-builder either
[2:03:18 am] <anarcat> yeah, looks like we need to add you in there, can you file a ticket? we can do that on Monday
```

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41211
add a banner on legacy git servers to announce deprecation and migration
2023-06-08T18:02:25Z
anarcat

there should be a banner of some sort on the git servers to announce their deprecation.

legacy Git infrastructure retirement (TPA-RFC-36)
anarcat
2023-06-08

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41383
Add al@ alias
2023-11-07T12:53:36Z
micah <micah@torproject.org>

It seems people write to al@torproject when they are meaning to write to smith@tor project. I know we have an alias for geko/gk, so maybe it would be nice to add an `al` one!

Jérôme Charaoui <lavamind@torproject.org>

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40882
add an email forward for trinity-1686a
2022-09-07T12:33:04Z
trinity-1686a

Hi,
could I get a tpo mail address forwarding to my gmail address please? I don't think I need an LDAP account

Jérôme Charaoui <lavamind@torproject.org>

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41481
Add bella to grants alias
2024-01-19T16:20:49Z
Gaba <gaba@torproject.org>

Please add bella@torproject.org to the grants alias.
Thanks

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40186
Add boklm to tb-tester ldap group
2021-03-09T18:11:34Z
Matthew Finkel

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Please add boklm as a member of the tb-tester group.
Mon 08 Mar 2021 06:18:46 PM GMT
```
cc @boklm @gk

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40807
Add Crypto python package to henryi
2022-06-22T15:44:29Z
Tom Ritter <tom@ritter.vg>

In `/srv/consensus-health.torproject.org/depictor` trying to run ./update gives the error:
```
Traceback (most recent call last):
  File "/srv/consensus-health.torproject.org/depictor/./write_website.py", line 27, in <module>
    from website import WebsiteWriter
  File "/srv/consensus-health.torproject.org/depictor/website.py", line 17, in <module>
    from Crypto.PublicKey import RSA
ModuleNotFoundError: No module named 'Crypto'
```
I think this got broken in bullseye upgrade, it's caused consensus-health.torproject.org to be stuck since June 15 as detailed in https://gitlab.torproject.org/tpo/network-health/depictor/-/issues/16

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40992
Add gk to the consensus-health role/group
2022-12-12T18:25:32Z
Georg Koppen

I think we should have someone besides @tom who can look at consensus-health things in case of emergencies, vacations etc. and at least I should probably be that person.
I am assuming @tom acks that request (as IIRC that's the right process here) but I have not asked yet. :)

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40209
Add irl to metrics-related groups
2021-04-08T19:01:46Z
irl

@gaba should probably sign off on this
I've got my LDAP account working, but it's not a member of the metrics groups. To get started I will need:
* metrics
* exonerator
* exonerator-web
* onionoo
* collector

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40224
Add irl to whatever group can upload to dist.torproject.org
2021-04-19T18:16:51Z
irl

@gaba should sign off on this.
In order to make releases for metrics-lib, CollecTor, Onionoo, etc. I will need to upload those releases to dist.tpo.

anarcat