Transition Technology: Ticket Query

#645: APC Tuning on Parrot and Penguin

chris — Tue, 10 Dec 2013 10:52:31 GMT

As part of the upgrade from Squeeze to Wheezy, see ticket:535, Munin graphs for APC were added:

There is also more APC info here:

The documentation for the variables which can be set in /etc/php5/mods-available/apc.ini can be found here:

http://php.net/manual/en/apc.configuration.php

This monitoring is generating quite a high volume of warnings about fragmentation and purges and this ticket has been created to try to sort this issue out.

#676: Alternative to Skype for TTech Meetings

chris — Tue, 14 Jan 2014 13:33:51 GMT

Jim has pointed out that:

Skype costs us 15-30 minutes of grinding pain every time we do this!

So what are the alternatives and what are our requirements?

#814: Higher that usual loads on PuffinServer since early September

chris — Wed, 03 Dec 2014 17:12:35 GMT

The following load graph from PuffinServer shows that the load increased substantially in early September 2014, does anyone know why?

When I found I went to Drupal 7.33 and all I got was a slow site I thought that perhaps a Drupal 7 site on the server could be the cause but 7.33 came out on 7th November 2014.

Anyone have any ideas?

#881: Site on ParrotServer with a memory leak?

chris — Fri, 23 Oct 2015 11:19:04 GMT

It appears a site, or application, on ParrotServer might have a memory leak.

#898: Fwd: Access to Drupal

ade — Tue, 26 Jan 2016 17:35:05 GMT

Hi Chris,
The web team at the development agency are requesting access to the
webserver so that they can look at the sites make up.
(Please see below)
Would you please set up an account so that they can get root read access?
I guess this would be done via FTP, but your thoughts greatly appreciated.
best regards
Ade
---------- Forwarded message ----------
From: Ainslie Beattie <ainsliebeattie@transitionnetwork.org>
Date: 26 January 2016 at 17:25
Subject: Fwd: Access to Drupal
To: Sam Rossiter <samrossiter@transitionnetwork.org>, Ade Stuart <
adestuart@transitionnetwork.org>, Yvonne Struthers <yvonne@thisisyoke.com>
Hey both, can you please action this urgently so that Yoke can have access.
Cheers
---------- Forwarded message ----------
From: "Yvonne Struthers" <yvonne@thisisyoke.com>
Date: 26 Jan 2016 10:58
Subject: Access to Drupal
To: <ainsliebeattie@transitionnetwork.org>
Cc:
Hi Ainslie,
Just a quick email as I'm out seeing a client today,but just to say,it
looks like you have only given us access to the database. What we need
please is admin access to the Drupal site and to the code base so that we
can get a sense of how it's all set up.
Thanks in advance!
Yvonne
Sent from my iPhone
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

#655: Add social media icons with counters to blogs listings views

ed — Thu, 12 Dec 2013 13:03:11 GMT

Investigate with Rob how to add Social media icons with counters into the /blogs listings views and individual node views.

I suggest starting with just Rob's blogs (/rob-hopkins), separate context for 'Transition Culture section' and then roll it out over other blogs and maybe news content type once the /rob-hopkins has been trialled

Sam to talk with Rob

Also cc-ing Ben as design - theme guy

#541: Documentation of the WordPress sites

chris — Wed, 01 May 2013 20:25:57 GMT

These pages have been created for the documentation of the wiki:WordPress sites running on wiki:PenguinServer:

So far they only have a listing on the plugins for each site.

Ideally they would document all the plugins, the theme and the steps that need to be taken to upgrade each site and also any other things that need documenting.

Laura is this something you might be able to help with? I'm happy doing some work on it but you know your way around these sites far better than anyone else.

#587: Puffin MySQL Tuning

chris — Thu, 05 Sep 2013 12:54:47 GMT

This ticket is to track the tuning we do to MySQL on PuffinServer.

See also previous comments on this issue:

#638: Question about notifications option for content creators

ed — Thu, 28 Nov 2013 12:32:57 GMT

Content creators (news, Rob's blog, social reporters) struggle with the notifications. the problem is that they forget to click the option to 'do not send notifications for this update' and then notifications are sent out. It is easy for us to think this is easy for them, but when you are bashing stuff out in a hurry, it's easy to forget this fiddly bit.

CAN WE set drupal to NOT send notifications out as standard for some of the content types?

And change it so that the content creators (news, Rob's blog, social reporters) choose to SEND notifications out instead (of NOT sending them) ?

#590: Drupal performance improvements

jim — Fri, 06 Sep 2013 10:27:27 GMT

This ticket is to track the work and changes done within the Drupal sphere in relation to performance enhancements done since #585.

More information is needed and will come when ticket:586 New Relic Monitoring for BOA is completed.

I also note that many of these cleanup operations will also help make the move to D7 smoother and better.

Summary of actions and status

TODO

O) Stop making so many URL aliases for non-relevant pages, clean up url_alias table -- 1/4-1/2 hour, medium reward, only risk is that some already broken links might break... Per chat with Ed, only these will be removed (plus releated tweaks to Pathauto settings):

3,579 entries where src = node/%/feed
1,856 entries where src = user/%/contact
= 5,435 or ~11% of entries in url_alias

L) Review slow query log, explain queries, tweak as necessary/flag poorly behaving modules. 2-4 hours, high reward, low risk... Keep looking at the slow query log and adjust Drupal or find patches as necessary. ALSO related Reduce your server's resource usage by moving MySQL temporary directory to tmpfs... Have opened ticket for this: #591 for Chris.

Done

A) Remove spam taxonomy entries ~~1/2 hour, Low risk, low reward -- See item 8 below. A simple delete from taxo term table where length > 50 is worth doing IMHO, and nothing I saw that would be clobbered is not spam.~~

B) Try a Taxonomy Cleanup: 3 hours, Medium risk, medium reward -- style module to try to merge terms with the same names and clean up the link tables back to nodes. Further, we can remove any taxonomies or relations to certain CTs that don't really add value.

D) Review Views caching ~~1 hour, low risk, high reward -- Utilise Views Content Cache this was done a while back but I think -- done (task 12) in comment 21.~~

F) Force blocks caches to cached appropriately (and be rendered/included only as needed) 1-2 hours, medium reward, low risk -- BOA packages the Block Cache Alter, which makes sure Drupal only renders blocks when needed. Potential small but nice boost quickly in whole site. -- per comment 22, block caching is disabled by other modules so this will have to go on hold for now.

H) Remove CustomError? module all together 1/2 hour, low risk, low reward -- We should take out the PHP code from the 403 section of CustomError? and put it into a simple page entry. See comment 6 below as this has happened for 404s (which need no PHP). We can then remove the CustomError? module all together, saving lots of sessions. I would go ahead and do this but since the 403 page has various displays depending on user type, I wanted to raise it here as it *may* have side effects. Or not...

I) Re-enable block caching. 2-6 hours, high risk, high reward -- Per comment 24, a module (probably Content Access) is stopping Drupal caching blocks, which for some of them means a fair amount of pointless overhead. We need to somehow get around this and get blocks cached if possible. R&D mainly, perhaps with some hacking/patching - but I'd stop short of doing this if so.

K) Add & enable Views Lite Pager on big views. ~~1 hour, low risk, low reward -- Using this module stops a heavy count query on views with pagers -- recommended for large sites.~~

M) Take control of Cron, and maximise time pages are cached for. .25h, high reward, low risk -- Cron is wiping the page cache, so we need to install https://drupal.org/project/elysia_cron so we can clear the page less often, and run other things when we want and the site is quieter. Now need per minute resolution set to get the best, see comment 33 and 34 for more...

N) Replace Admin Menu 1.x with 3.x -- will happen when #590 occurs, marking complete here -- ~~5 mins, high reward, low risk -- done when #582 happens, could be the cause of some load spikes as it occasionally goes made and does 2000-5000 queries~~~~

#596: Captions issue

benj — Mon, 16 Sep 2013 16:58:04 GMT

basically captions are appearing on body inline images and featured images on STG but not PROD and I can't see where the difference is...

The following code addition to the bottom of template.php should be (but isn't) adding the caption class to images such as the one at the top of this page:

https://www.transitionnetwork.org/blogs/ed-mitchell/2013-06/test-blog-test-caption-and-featured-image

Any reason you can think of why not? Or do you know of another easy way of adding the class caption to featured image fields? (I guess the module https://drupal.org/project/semantic_cck - but maybe overkill...)

Adds caption css class to featured images */

function transition2_imagecache_formatter_featured_image_default($element) {

Inside a view $element may contain NULL data. In that case, just return. if (empty($element#item fid?)) {

return ;

}

Extract the preset name from the formatter name. $presetname = substr($element#formatter, 0, strrpos($element#formatter, '_')); $style = 'linked'; $style = 'default';

$item = $element#item; $itemdata?alt? = isset($itemdata?alt?) ? $itemdata?alt? : ; $itemdata?title? = isset($itemdata?title?) ? $itemdata?title? : NULL;

$class = "imagecache imagecache-$presetname imagecache-$style imagecache-{$element#formatter} caption"; return theme('imagecache', $presetname, $itemfilepath?, $itemdata?alt?, $itemdata?title?, array('class' => $class));

}

#701: Emails & Telephone calls

paul — Tue, 18 Mar 2014 09:38:24 GMT

#711: Emails & Telephone calls

paul — Tue, 01 Apr 2014 13:47:56 GMT

#727: Change background on block from orange to white

sam — Fri, 16 May 2014 10:02:17 GMT

Hi Ben

Rob wants a list of the themes presented in a block.

I did the block: https://www.transitionnetwork.org/admin/build/block/configure/block/97

But it appears with an orange background. The block is visible towards the bottom of the page (for logged in admins) here: https://www.transitionnetwork.org/blogs/rob-hopkins

If I put the block on other pages it appears with a white background.

I tried to hack it with some inline CSS but failed.

Could you take a look?

Thanks

Sam

#758: * Advisory ID: DRUPAL-SA-CORE-2014-003

paul — Wed, 16 Jul 2014 21:55:29 GMT

View online: https://www.drupal.org/SA-CORE-2014-003

Advisory ID: DRUPAL-SA-CORE-2014-003
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-July-16
Security risk: Critical [2]
Exploitable from: Remote
Vulnerability: Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

.... Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability.

.... Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField? [3] module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField? - Access bypass [4]) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

.... Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.

.... Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

/A CVE identifier [5] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Drupal core 6.x versions prior to 6.32.
Drupal core 7.x versions prior to 7.29.

Install the latest version:

If you use Drupal 6.x, upgrade to Drupal core 6.32. [6]
If you use Drupal 7.x, upgrade to Drupal core 7.29. [7]

Also see the Drupal core [8] project page.

The denial of service vulnerability using malicious HTTP Host headers was

reported by Régis Leroy [9].

The access bypass vulnerability in the File module was reported by Ivan

Ch [10].

The cross-site scripting vulnerability with Form API option groups was

reported by Károly Négyesi [11].

The cross-site scripting vulnerability in the Ajax system was reported by

mani22test [12].

The denial of service vulnerability using malicious HTTP Host headers was

fixed by Régis Leroy [13], and by Klaus Purer [14] of the Drupal Security Team.

The access bypass vulnerability in the File module was fixed by Nate Haug

[15] and Ivan Ch [16], and by Drupal Security Team members David Rothstein [17], Heine Deelstra [18] and David Snopek [19].

The cross-site scripting vulnerability with Form API option groups was

fixed by Greg Knaddison [20] of the Drupal Security Team.

The cross-site scripting vulnerability in the Ajax system was fixed by

Neil Drumm [21] of the Drupal Security Team.

The Drupal Security Team [22]

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [23].

Learn more about the Drupal Security team and their policies [24], writing secure code for Drupal [25], and securing your site [26].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [27]

_ Security-news mailing list Security-news@… Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

#582: TN.org platform and sites

jim — Mon, 02 Sep 2013 09:30:02 GMT

The TN.org platform and Drupal site updates are to be tracked in this ticket.

Current PROD platform build = P009 Current STG platform build = S010

Updates pending:

SECURITY UPDATE - NO RISK: Pressflow core 6.30 is due, but the security holes fixed do not affect us, low priority. Platforms: present in S010, but not in P009.

#636: Changes to Space.transitionnetwork.org homepage to facilitate user registration

ed — Wed, 27 Nov 2013 17:30:19 GMT

Space currently does not give users who aren't already registered a way in. Anon users can see some of the spaces but when they try to apply for membership, they hit a login page, which they can't complete as they are not registered.

RTFM for OA as to OA best practice - this is billable time. Then leave notes about it in wiki for later developers.

The homepage needs editing to sort this out. Here are some first changes:

2.1. Remove the 'Need the pros' pane (RHS) 2.2 Remove the 'Just getting started' pane (LHS) 2.3 Add a 'Request membership' pane which is basically a user registration form. Make registration 'approval only' for now, approval to be by a site admin (webproject@…)

The /spaces listings view shows the spaces that are publicly viewable, and there is a 'request group membership' button for each of them.

Can you make this into a registration form as well?

#662: Subscriptions' links in text emails breaking

ed — Tue, 17 Dec 2013 15:37:13 GMT

for January - to get Sam and Jim talking - in January

The subs sent out to subscribers: are fine in html but the text version is broken and unsatisfactory. I know we've been through this and it's a known bug etc. etc. but I'm wondering if we can switch all subs to html, or if there are any patches to this problem?

Adding as Jim's ticket with Sam cc-ed

#737: SPF / Emails rejected from the website contact form

sam — Thu, 05 Jun 2014 15:46:13 GMT

We had a user report that they could not send a message via our contact form:

"Yesterday I sent a message to you via the contact form on the website. But obviously something went wrong: for I got a failure notice saying my message could not be delivered. Therefore I'm sending it directly via email (see below) hoping that you're receiving my message this way."

<info@…>: host mx1.spamfiltering.com[72.249.150.158] said:

550 81.95.XX.XX is not allowed to send mail from gmx.de. Please see http://www.openspf.net/Why?scope=mfrom;identity=userXX@gmx.de;ip=81.95.XX.XX (in reply to end of DATA command)

(User details edited as this is publicly archived)

I'm not sure I quite understand what's going on here. Chris indicated in email that this would affect other users whose email provider has set this kind of SPF record.

Can we make an educated guess as to what proportion of email providers set this kind of SPF?

How many messages do we never get to see? Is it a problem? Or a small enough number of users that we just don't worry about it?

Thanks

Sam

#772: new TIs not appearing on staging until caches flushed

annesley — Tue, 05 Aug 2014 09:26:32 GMT

i added a new Mulling transition initiative on staging in Afghanistan and it did not appear on the map... i flushed caches and then it started appearing on the main initiatives map. is this intended? is it a known?

#826: Switching MX records from United to Google

ed — Thu, 15 Jan 2015 17:15:41 GMT

TN are switching the MX records from United to Google on Friday 23/1/15.

Will this affect the website/Web Architects in any way that we need to plan for in advance? Scripts, web forms etc? Anything you can think of?

#862: Puffin locked

chris — Sat, 27 Jun 2015 15:31:27 GMT

PuffinServer is not responding, I got a Munin email alert, on the Xen console:

[2008077.910371] BUG: soft lockup - CPU#1 stuck for 61s! [munin-node [::f:25444]
[2008077.910371] Modules linked in: joydev sg st sd_mod crc_t10dif sr_mod scsi_mod ide_gd_mod ide_cd_mod ide_core cdrom xt_recent xt_tcpudp xt_connlimit nf_nat_ftp ipt_REDIRECT xt_conntrack iptable_mangle nf_conntrack_ftp ipt_REJECT ipt_LOG xt_limit xt_multiport iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 iptable_filter ip_tables x_tables snd_pcm snd_timer snd soundcore snd_page_alloc evdev pcspkr ext4 crc16 jbd2 mbcache dm_mod xen_netfront xen_blkfront
[2008077.910371] CPU 1:
[2008077.910371] Modules linked in: joydev sg st sd_mod crc_t10dif sr_mod scsi_mod ide_gd_mod ide_cd_mod ide_core cdrom xt_recent xt_tcpudp xt_connlimit nf_nat_ftp ipt_REDIRECT xt_conntrack iptable_mangle nf_conntrack_ftp ipt_REJECT ipt_LOG xt_limit xt_multiport iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 iptable_filter ip_tables x_tables snd_pcm snd_timer snd soundcore snd_page_alloc evdev pcspkr ext4 crc16 jbd2 mbcache dm_mod xen_netfront xen_blkfront
[2008077.910371] Pid: 25444, comm: munin-node [::f Not tainted 2.6.32-5-xen-amd64 #1
[2008077.910371] RIP: e030:[<ffffffff8100922a>]  [<ffffffff8100922a>] hypercall_page+0x22a/0x1001
[2008077.910371] RSP: e02b:ffff8800988f7ba8  EFLAGS: 00000246
[2008077.910371] RAX: 0000000000040000 RBX: ffffea0006c2eb88 RCX: ffffffff8100922a
[2008077.910371] RDX: 00000000ffffff00 RSI: 0000000000000000 RDI: 0000000000000000
[2008077.910371] RBP: 0000000000000002 R08: 0000000000000002 R09: ffff8801ffc1dd00
[2008077.910371] R10: 0000000000000002 R11: 0000000000000246 R12: ffff88000000ad00
[2008077.910371] R13: ffff880000008000 R14: 0000000000000200 R15: 000000000000000e
[2008077.910371] FS:  00007fefd0bde700(0000) GS:ffff88000bb20000(0000) knlGS:0000000000000000
[2008077.910371] CS:  e033 DS: 0000 ES: 0000 CR0: 000000008005003b
[2008077.910371] CR2: 00007fefce124380 CR3: 0000000001001000 CR4: 0000000000000660
[2008077.910371] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[2008077.910371] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[2008077.910371] Call Trace:
[2008077.910371]  [<ffffffff810baa62>] ? free_hot_cold_page+0x1a2/0x1af
[2008077.910371]  [<ffffffff8100e635>] ? xen_force_evtchn_callback+0x9/0xa
[2008077.910371]  [<ffffffff8100ecf2>] ? check_events+0x12/0x20
[2008077.910371]  [<ffffffff8100ecdf>] ? xen_restore_fl_direct_end+0x0/0x1
[2008077.910371]  [<ffffffff8130f142>] ? _spin_unlock_irqrestore+0xd/0xe
[2008077.910371]  [<ffffffff810bd9ca>] ? release_pages+0x16a/0x18d
[2008077.910371]  [<ffffffff8100c1a7>] ? xen_mc_flush+0x159/0x185
[2008077.910371]  [<ffffffff810da555>] ? free_pages_and_swap_cache+0x57/0x73
[2008077.910371]  [<ffffffff810cd5bf>] ? unmap_vmas+0x6cb/0x959
[2008077.910371]  [<ffffffff8100922a>] ? hypercall_page+0x22a/0x1001
[2008077.910371]  [<ffffffff8100922a>] ? hypercall_page+0x22a/0x1001
[2008077.910371]  [<ffffffff810d1bca>] ? exit_mmap+0xc4/0x148
[2008077.910371]  [<ffffffff8104cd95>] ? mmput+0x3c/0xdf
[2008077.910371]  [<ffffffff81050a2e>] ? exit_mm+0x102/0x10d
[2008077.910371]  [<ffffffff81052453>] ? do_exit+0x1f8/0x6c9
[2008077.910371]  [<ffffffff8105299a>] ? do_group_exit+0x76/0x9d
[2008077.910371]  [<ffffffff810529d3>] ? sys_exit_group+0x12/0x16
[2008077.910371]  [<ffffffff81011b42>] ? system_call_fastpath+0x16/0x1b
[2008381.335662] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=122.172.30.208 DST=81.95.52.103 LEN=60 TOS=0x08 PREC=0x20 TTL=55 ID=30880 DF PROTO=TCP SPT=60400 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
[2008384.465057] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=122.172.30.208 DST=81.95.52.103 LEN=60 TOS=0x08 PREC=0x20 TTL=55 ID=30881 DF PROTO=TCP SPT=60400 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
[2008390.255448] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:19:68:02:00:12:1e:13:6c:db:08:00 SRC=122.172.30.208 DST=81.95.52.103 LEN=60 TOS=0x08 PREC=0x20 TTL=55 ID=30882 DF PROTO=TCP SPT=60400 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0

#867: Piwik 2.14.2

chris — Mon, 27 Jul 2015 11:18:26 GMT

The Changelog:

What’s new in Piwik 2.14.2?

In this release we have focused on fixing a few regressions reported in the last major release Piwik 2.14.0, as well as 15 other small improvements. As always we – the Piwik team – are very interested to hear your feedback!

15 tickets have been closed by 6 contributors.

#878: Reconomy.org add subdomains

ade — Thu, 15 Oct 2015 11:35:03 GMT

Hi Chris,
I thought I had added this as a ticket, but does not seem to have come
through.
I have had a request to add the following to the reconomy.org website.
I notice that i do not have permission to do this myself via gandi.net so
could you please add for me.
many thanks
Ade
We're going to need to point the REfund API to a particular subdomain
of the reconomy.org domain in the next few weeks. This will also apply
to the frontend. Is there anyone I can email about this?
Here are the proposed subdomains:
funds.reconomy.org
api.funds.reconomy.org
Both subdomains should point to this IP: 178.62.93.215
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

#888: Adverts on Transition Network Front Page loaded via flickrit.com embedded content

chris — Sun, 06 Dec 2015 12:25:49 GMT

It it intentional or accidental that adverts from https://secureads.bitbillions.com/ are being loaded on the front page of https://www.transitionnetwork.org/ via the embedded content from flickrit.com?

#889: BOA-2.4.7

chris — Tue, 08 Dec 2015 17:35:35 GMT

Following is the Changelog, please note this contains:

This BOA release (2.4.7) is the last release which still supports deprecated PHP versions: 5.3 and 5.4

And:

We will support Drupal/Pressflow 6 in all new releases, as long as available PHP versions will allow to use it (we run our own Pressflow 6 based site on PHP 5.6 for many months with zero issues). For more details please check: https://github.com/omega8cc/boa/issues/824

If we are sticking with Drupal 6 and BOA then I would suggest we should test the site on PHP 5.6 and if it is OK then upgrade, perhaps this should be done by spinning up a new virtual server and installing a new version of BOA on it and then copying the site over for testing?

See also the tickets for the previous, un-applied, updates:

BOA 2.4.6 ticket:872
BOA 2.4.5 ticket:864
BOA 2.4.4 ticket:863
BOA 2.4.3 ticket:854

And this ticket on the question of updating PHP: ticket:754

### Stable BOA-2.4.7 Release - Full Edition
### Date: Fri Dec  4 08:09:21 PST 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.7
### Latest hotfix added on: Mon Dec  7 15:32:44 PST 2015
  @=> Includes Aegir Hostmaster 2.x-head with improvements
  @=> Includes Aegir Provision 3.x-head with improvements
  @=> Includes Drush 7 customized for BOA
# Release Notes:
  This BOA release includes several important system upgrades and bug fixes,
  with most notable features and changes listed below.
  @=> All supported Aegir platforms have been updated with latest Drupal cores
  @=> Drupal 8 support for custom platforms in the ~/static directory tree
      will be included, along with Drush 8 and PHP 7 in the *upcoming*
      BOA-3.0.0 release: https://github.com/omega8cc/boa/milestones/3.0.0
  @=> This BOA release (2.4.7) is the last release which still supports
      deprecated PHP versions: 5.3 and 5.4 -- You should switch to PHP 5.6
      or at least 5.5 as soon as possible, or you will not be able to upgrade
      to newer BOA versions after 2.4.7 -- https://omega8.cc/node/330
  @=> What are BOA plans for Drupal 6 support after February 24th, 2016?
      We will support Drupal/Pressflow 6 in all new releases, as long as
      available PHP versions will allow to use it (we run our own Pressflow 6
      based site on PHP 5.6 for many months with zero issues). For more details
      please check: https://github.com/omega8cc/boa/issues/824
  @=> SSH keys for root are required by newer OpenSSH versions used in BOA
      BOA installs SSH from sources by default (Debian only). This means that
      password based access for root will not work once BOA is installed or
      upgraded to current stable version. It is a result of OpenSSH changes
      in recent releases and not BOA specific change. BOA will deny the initial
      install and Barracuda will refuse to run upgrade if it detects that system
      root has no SSH keys added and only password based access is available.
      You can still modify this behaviour in /usr/etc/sshd_config but future
      OpenSSH versions may still revert such changes, so it is not recommended.
  @=> BOA switched from SPDY to HTTP/2 + PFS on all supported OS versions
# Changes:
  * Allow to disable SQL monitoring with /root/.no.sql.cpu.limit.cnf -- #799
  * Disable page caching on the fly where needed
  * Disable temporarily support for broken Restaurant distro
  * Do not rebuild features and entities on cache clear
  * Document new requirement: SSH keys for root -- fixes #786 #833
  * Make ioncube_loader optional and disable by default with _PHP_IONCUBE=NO
  * Nginx SSL: enable OCSP stapling by default
  * Nginx SSL: enable OCSP stapling for existing HTTPS vhosts
  * Nginx: Add ssl_dhparam to existing vhosts, if needed
  * Nginx: HTTP/2 replaces SPDY -- fixes #624
  * PHP: Add YAML extension with LibYAML
  * Preserve customized /etc/sysctl.conf -- fixes #789
  * Run modules ON/OFF only weekly -- requires _MODULES_FIX=YES (default is NO)
  * Run most of crontab, install and upgrade tasks with low priority using
    nice and ionice -- fixes #780
# System upgrades:
  * cURL 7.45.0 (if installed from sources)
  * GEOS 3.5.0 (requires _PHP_GEOS=YES)
  * Git 2.6.1 (if installed from sources)
  * MariaDB 10.0.22
  * MariaDB 5.5.46
  * MariaDB Galera Cluster 10.0.22
  * Nginx 1.9.7
  * OpenSSL 1.0.2e (used only in custom built Nginx)
  * PHP 5.5.30
  * PHP 5.6.16
  * Redis 3.0.5
# Fixes:
  * Add /root/.skip_cleanup.cnf support
  * Add feature branch testing in HEAD
  * Avoid load spikes caused by long running tasks
  * Avoid race conditions on multi-line sed replacement -- fixes #806
  * Clean up any remaining procs zombies
  * Clean up postfix queue to get rid of bounced emails
  * Disable ioncube and opcache for HHVM
  * Disable Redis for Hostmaster in the backend
  * Do not allow to install non-standard OpenSSH on Ubuntu
  * Do not break /data/all/cpuinfo permissions on Octopus upgrade
  * Do not run 'apt-get autoremove' automatically
  * Do not use wrapper for dot-files cleanup
  * Document better BOA aggressive installation behavior -- fixes #811
  * Document boa in-octopus command -- fixes #817
  * Don't strip $args from $request_uri in redirects
  * Fix cron schedule for upgrades
  * Fix for broken Git on Ubuntu
  * Fix for not working PHP rebuild check
  * Fix for not working syncpass tool
  * Fix PHP deprecated warning in D8 -- fixes #804
  * Ignore 'env COLUMNS' sent by Drush remotely -- fixes #373
  * Ignore daily.sh in clear.sh
  * Improve _SQUEEZE_TO_WHEEZY procedure -- #627
  * Improve cron tasks schedule
  * Improve daily cleanup performance + support for /root/.giant_traffic.cnf
  * Improve devpts check -- fixes #788
  * Improve docs/MIGRATE.txt
  * Improve resolv.conf auto-recovery procedure
  * Improve system check -- fixes #811
  * Move Redis restart procedure to correct script
  * PHP: Add missing path to open_basedir for CLI
  * Remove debug code to not kill the initial install
  * Remove not working /etc/logrotate.d/lshell -- fixes #823
  * Update advagg auto configuration variables -- fixes #792
  * Update boa/lib/functions/helper.sh.inc with current OS -- fixes #787
  * Update FPM workers autoconf logic
  * Update the cache cleanup logic
  * Use better placeholder for solr_integration_module variable
  * Use correct DPkg::Options for dist-upgrade -- fixes #627
  * Use known MySQLTuner version -- fixes #827
  * Use LibYAML 0.1.6
  * Use opcache.restrict_api
  * Use sha256 for self-signed certs

If we are not going to stick with BOA then can we please consider the suggestions in this comment? ticket:754#comment:61

#744: Add CSS Injector module to the D6 mix

annesley — Thu, 19 Jun 2014 10:50:03 GMT

CSS Injector module allows admin dynamic adding of CSS in to a live production server without code updates. this is to respond quickly to client needs whilst implementing the requests in the correct place in the themes on the next promotion from dev.

#774: * Advisory ID: DRUPAL-SA-CORE-2014-004

paul — Wed, 06 Aug 2014 19:52:54 GMT

View online: https://www.drupal.org/SA-CORE-2014-004

Advisory ID: DRUPAL-SA-CORE-2014-004
Project: Drupal core [1]
Version: 6.x, 7.x
Date: 2014-August-06
Security risk: 13/25 ( Moderately Critical)

AC:None/A:None/CI:None/II:None/E:Proof/TD:100 [2]

Exploitable from: Remote
Vulnerability: Denial of service

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available (xmlrpc.php). The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

All Drupal sites are vulnerable to this attack whether XML-RPC is used or not.

In addition, a similar vulnerability exists in the core OpenID module (for sites that have this module enabled).

This is a joint release as the XML-RPC vulnerability also affects WordPress (see the announcement [3]).

/A CVE identifier [4] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Drupal core 7.x versions prior to 7.31.
Drupal core 6.x versions prior to 6.33.

Install the latest version:

If you use Drupal 7.x, upgrade to Drupal core 7.31 [5].
If you use Drupal 6.x, upgrade to Drupal core 6.33 [6].

If you are unable to install the latest version of Drupal immediately, you can alternatively remove the xmlrpc.php file from the root of Drupal core (or add a rule to .htaccess to prevent access to xmlrpc.php) and disable the OpenID module. These steps are sufficient to mitigate the vulnerability in Drupal core if your site does not require the use of XML-RPC or OpenID functionality. However, this mitigation will not be effective if you are using a contributed module that exposes Drupal's XML-RPC API at a different URL (for example, the Services module); updating Drupal core is therefore strongly recommended.

Also see the Drupal core [7] project page.

Willis Vandevanter [8]
Nir Goldshlager [9]

Andrew Nacin [10] of the WordPress Security Team
Michael Adams [11] of the WordPress Security Team
Frédéric Marand [12]
David Rothstein [13] of the Drupal Security Team
Damien Tournoud [14] of the Drupal Security Team
Greg Knaddison [15] of the Drupal Security Team
Stéphane Corlosquet [16] of the Drupal Security Team
Dave Reid [17] of the Drupal Security Team

The Drupal Security Team [18] and the WordPress [19] Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [20].

Learn more about the Drupal Security team and their policies [21], writing secure code for Drupal [22], and securing your site [23].

[1] http://drupal.org/project/drupal [2] http://drupal.org/security-team/risk-levels [3] https://wordpress.org/news/2014/08/wordpress-3-9-2/ [4] http://cve.mitre.org/ [5] http://drupal.org/drupal-7.31-release-notes [6] http://drupal.org/drupal-6.33-release-notes [7] http://drupal.org/project/drupal [8] https://www.drupal.org/user/1867894 [9] https://www.drupal.org/user/2891345 [10] http://profiles.wordpress.org/nacin [11] http://profiles.wordpress.org/mdawaffe [12] https://www.drupal.org/user/27985 [13] https://www.drupal.org/user/124982 [14] https://www.drupal.org/user/22211 [15] https://www.drupal.org/u/greggles [16] https://www.drupal.org/user/52142 [17] https://www.drupal.org/user/53892 [18] http://drupal.org/security-team [19] http://wordpress.org [20] http://drupal.org/contact [21] http://drupal.org/security-team [22] http://drupal.org/writing-secure-code [23] http://drupal.org/security/secure-configuration

_ Security-news mailing list Security-news@… Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

#837: Iframe in a panel page

sam — Thu, 12 Mar 2015 11:55:21 GMT

Hi Ben

I'm trying to embed a Eventbrite form into the 'tickets' block on this page: https://www.transitionnetwork.org/conference-2015

It looks like it's going to appear in the preview here: https://www.transitionnetwork.org/node/39195/panel_content

But when I view the actual page it's just a big white space.

Could you estimate how long it would take to get it working?

Thanks

Sam

#572: Design changes for homepage and TC section

ed — Wed, 17 Jul 2013 14:17:25 GMT

Design changes for TN homepage and TC section done by Ben to be part of maintenance budget.

list here: https://docs.google.com/spreadsheet/ccc?key=0An7ZaZdq6UfJdDhxS0JxbXZLYnhLRkN4X3h5aVV3R1E#gid=0

#584: News CTs and featured images: not handling as expected

ed — Wed, 04 Sep 2013 08:33:12 GMT

The news CT has a featured image, but it doesn't seem to be handling it as expected (succesfully on the blogs). See this news item:

https://www.transitionnetwork.org/news/2013-09-03/new-economy-20-enterprises-report-released

The featured image isn't visible anywhere - either:

in the news item itself
in the /news view

Please investigate and resolve

#592: Many panes on homepage are in italics

ed — Wed, 11 Sep 2013 07:29:50 GMT

they shouldn't be, but they are: ingredient of the day latest tc post featured training why do transition featured resrouce featured project social reporters all automated listings at bottom

please resolve - ben are you around to do this or is it more suitable to ask jim atm?

#608: User profile pictures are too big

ed — Mon, 14 Oct 2013 08:37:38 GMT

The user profile pictures on the user profile nodes are too big.

e.g. https://transitionnetwork.org/people/tina-clarke

Please investigate and restrain them into a suitable maximum size

NB: Ed is keeping a number of small UI-ish tickets back for Ben to do in a lump when we've built up enough so don't do anything yet.

#633: RHS blocks changes for homepage

ed — Mon, 25 Nov 2013 15:27:15 GMT

Re-arrange/add/edit the RHS blocks to appear the order below

Why/how etc. : NO change
newsletter promo: NO change
POJDS book button: much smaller - can you set book image to lhs and buy button to rhs within block? might need a special .png to have both in it
Transition nearby button: NO change
New iT2 film promo button: needs a graphic
New TFP button: NEW: Trucie providing a graphic to fit in
Training button: NEW: Ed asking for training graphic to fit in
Social media promo button: NEW: needs some very modest SM logos to link to SM outposts FB and twitter

NB: Rob is only thinking of the homepage; Ed is not sure of the implications elsewhere on site... please advise on how/if this affects things elsewhere...

#634: Embeds - some don't work

ed — Wed, 27 Nov 2013 11:50:23 GMT

I couldn't embed a 'paper.li' embed into a page recently and forgot about it. Now I can't embed a slideshare embed either adn wonder if I am seeing a pattern.

Please look and advise: https://www.transitionnetwork.org/blogs/ed-mitchell/2013-11/web-strategy-update

#637: What is the wordcount for the /news and /blogs/rob-hopkins teasers?

ed — Thu, 28 Nov 2013 09:40:48 GMT

http://www.transitionnetwork.org/news http://www.transitionnetwork.org/blogs/rob-hopkins

what is the teaser length - ie the first paragraph of a news or blog item that is published in the listings views?

rob wants to know how many words he has for his introductions...

#643: Add paginator for /films view

ed — Mon, 09 Dec 2013 11:40:08 GMT

Please add pages links for this view: https://www.transitionnetwork.org/admin/build/views/edit/Films?destination=films#views-tab-page_1

10 per page should do it

#207: Logwatch Issues

chris — Fri, 17 Dec 2010 14:19:50 GMT

This is a ticket to track items that show up in the logwatch emails to root and often just take a few mins of reading time and response.

Any issues that look like they might take longer than a few mins should have their own tickets opened.

#208: Dblog Issues

chris — Fri, 17 Dec 2010 14:53:29 GMT

"The dblog module monitors your website, capturing system events in a log to be reviewed by an authorized individual at a later time. The dblog log is simply a list of recorded events containing usage data, performance data, errors, warnings and operational information. It is vital to check the dblog report on a regular basis as it is often the only way to tell what is going on."

https://www.transitionnetwork.org/admin/reports/dblog

This is a ticket to be used to flag up issues that are not going to take up enough time that they justify their own ticket -- if an issue is raised in a comment on this ticket that does look like it's going to take some significant time then best start a new ticket for it.

#218: Debian upgrades and updates

chris — Thu, 06 Jan 2011 13:34:16 GMT

This is a ticket to track debian upgrades to the wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer the time they take.

See:

These updates are generally done using the wiki:AptitudeUpdateScript and this records all the changes in the /root/Changelog and then the contents of the Changelog are pasted into the ticket to document the upgrade.

This ticket was was originally used for the ~~wiki:DevelopmentServer~~ and the ~~wiki:NewLiveServer~~.

#371: Piwik Hosting

chris — Mon, 05 Dec 2011 21:34:51 GMT

Another option to consider for Piwik would be be to use a instance on another server, and there happens to be one here that could be used:

https://stats.webarch.net/

Could this be considered?

#382: Measurement and tracking requirements for TN and PSE

ed — Tue, 13 Dec 2011 04:57:12 GMT

to list the measurement and tracking requirements for TN and PSE so that we can assess piwik vs google and decide which way to go.

#470: Penguin install and configuration

chris — Sat, 15 Dec 2012 16:05:16 GMT

penguin.webarch.net is a new 2GB RAM virtual server which will replace NewLiveServer and DevelopmentServer for running all non-Drupal sites and is due to go live in early 2013. Drupal sites from the old servers will be migrated to PuffinServer.

This ticket has been created for tracking time and tasks done during the install.

See https://tech.transitionnetwork.org/trac/wiki/PenguinServer and also the corresponding PuffinServer.

#483: Nginx 502 Bad Gateway Errors with BOA

chris — Mon, 28 Jan 2013 11:23:45 GMT

The Barracuda Octopus Aegir server on puffin.webarch.net is getting generating a lot of Nginx 502 Bad Gateway errors, see ticket:466#comment:31 and ticket:466#comment:38

The Nginx logs contain 58 502 errors:

cd /var/log/nginx
grep " 502 " * | wc -l
58

I expect the cause of these is Nginx asking PHP-FPM for a page and not getting one, an answer might be to either speed up PHP-FPM response time or adjust the Nginx settings so that it waits longs for a response from PHP-FPM.

There are several threads about this on http://groups.drupal.org/ but none of them have any useful suggestions (eg 1 2 3 4).

#494: Email account for TRAC

ed — Thu, 21 Feb 2013 10:16:37 GMT

Set up: 'trac@…' Password: going to Chris separately Secure SSL/TLS Settings Username: trac@… Password: Use the email account’s password. Incoming Server: mail.xssl.net IMAP: Port 993 POP3: Port 995 Outgoing Server: mail.xssl.net SMTP: Port 465 Authentication is required for IMAP, POP3, and SMTP.

#495: Replace Google Analytics with Piwki

ed — Thu, 21 Feb 2013 10:20:25 GMT

Unless we see any issue, turn GA off on 01/03/13. Use Piwik instead.

#499: MySQL backup dump error on puffin

chris — Tue, 26 Feb 2013 01:26:53 GMT

Warnings from /etc/backup.d/20.mysql :

Warning: mysqldump: Got error: 1142: "SELECT,LOCK TABL command denied to user 'root'@'localhost' for table 'cond_instances'" when using LOCK TABLES
Warning: Failed to dump mysql databases performance_schema

#502: patterns sub-domain for transitionresearchnetwork.org, was: Setting up specific pointer for URL

ed — Wed, 27 Feb 2013 07:10:03 GMT

Can we set this URL:
www.transitionresearchnetwork.org/research-guidelines
to point to this location:
https://cldstr.com/docs/configure-dns
While this URL:
www.transitionresearchnetwork.org/
Still points to the current location.
~~~~
Ed Mitchell: Transition Network Web manager
web: http://transitionnetwork.org
project blog: http://transitionnetwork.org/blogs/ed-mitchell
mobile: +44 (0)7807 141 828
office hours: Mon, Tues, Wed, Thurs
company no. 6135675  charity no. 1128675
Subscribe to Transition news: http://tinyurl.com/transitionregister
~~~~

#528: patterns.transitionresearchnetwork.org DNS update

chris — Tue, 26 Mar 2013 09:58:13 GMT

Request from Ethan:

We've moved the site back to the production server. Would you be willing to set the CNAME for patterns.transitionresearchnetwork.org to patterns.transitionresearchnetwork.org.230.cldstr.com?

See also previous tickets ticket:482 and ticket:502

#529: New Barracuda BOA-2.0.7 Edition available

chris — Fri, 05 Apr 2013 08:57:09 GMT

There is new BOA-2.0.7 Edition of Barracuda and Octopus available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

#530: New Barracuda BOA-2.0.8 Edition available

chris — Mon, 08 Apr 2013 07:44:51 GMT

If I had known this was about to come out I would have waited before doing the BOA-2.0.7 upgrade last night on ticket:529

There is new BOA-2.0.8 Edition of Barracuda and Octopus available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

Is mostly to fix a problem for people using Percona, https://drupal.org/node/1962690 and as we are using MariaDB this isn't an issue for us.

Other updates in this version:

Allow to use [a-z0-9] subdomains and not only [www] for IDN domain names.
Change the interval between platforms builds from 5 to 3 seconds.
Forced 1s Speed Booster TTL for vhosts behind local proxy is deprecated.
Move old firewall logs to backups to avoid crazy load after upgrade.
Nginx: Better exceptions handling in the Abuse Guard for js/shs modules.
PHP: CLI is at 5.3 since BOA-2.0.4, so symlink old 5.2 binary path to 5.3
Update _LENNY_TO_SQUEEZE major upgrade procedure.
Update contrib with login_security-7.x-1.2
Use static downloads for all distros in stable edition.

I'll do this update tonight unless there are any objections, hopefully it should be quite quick.

#531: Disk usage on puffin

chris — Wed, 10 Apr 2013 13:12:24 GMT

The disk usage on puffing is currently at 85% and it's been going up at around 5% a week, see:

https://penguin.transitionnetwork.org/munin/transitionnetwork.org/puffin.transitionnetwork.org/df.html

This will become a critical issue in a couple of weeks, it would be good to find and address the cause before then.

#532: Upgrade to Mediawiki 1.19.5

chris — Mon, 15 Apr 2013 13:40:34 GMT

New version out tonight:

This is a notice that on Monday, April 15th between 20:00-21:00 UTC (1-2pm PDT) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software. Downloads and patches will be available at that time, with the git repositories updated later that afternoon. CVSS scores are between 4.3 and 7.1, most users will want to update.

http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000126.html

#534: Add accounts for Ben

chris — Fri, 26 Apr 2013 17:16:23 GMT

Ben is a new member of the TTech team and accounts need setting up for him, this is a ticket to track the time taken to do this.

#535: Upgrade Puffin, Penguin and Parrot from Debian Squeeze to Wheezy

chris — Fri, 26 Apr 2013 18:49:16 GMT

Debian 7 is due out on 5th May 2013 and wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer will need upgrading.

#536: Upgrade Mediawiki to 1.19.6

chris — Mon, 29 Apr 2013 20:35:32 GMT

A new version of Mediawiki is due out tomorrow:

This is a notice that on Tuesday, April 30th between 20:00-21:00 UTC (1-2pm PDT) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software. Downloads and patches will be available at that time, with the git repositories updated later that afternoon.

http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-April/000128.html

The upgrade should simply be a matter of following the steps taken last time, see ticket:532#comment:2

#539: REconomy site migration and updates

chris — Wed, 01 May 2013 10:01:00 GMT

This ticket is to keep track of the tasks undertaken and the time spent on the migration of the http://www.reconomy.org/ site to wiki:ParrotServer.

#542: Parrot RAM

chris — Wed, 01 May 2013 20:35:50 GMT

I'm concerned that wiki:ParrotServer might not be able to cope with load spikes due to it only having 1GB of RAM, these are the Munin graphs we need to key an eye on:

If the server runs out of RAM it will basically stop responding.

#543: Puffin Load Spike

chris — Fri, 03 May 2013 20:48:16 GMT

Puffin just had a massive load spike up to 65 and then it calmed down and it's up in the 70's again:

uptime
 21:46:43 up 91 days,  3:01,  4 users,  load average: 73.45, 30.76, 28.09

I'm trying to find the cause, it's making the TN site unresponsive.

#544: CSF / LDF false positive blocks on Puffin

chris — Sat, 04 May 2013 11:02:53 GMT

Ticket to keep track of CSF /LDF issues on Puffin, see wiki:PuffinServer#CSFLDF

#545: Registration page: 502

ed — Wed, 08 May 2013 08:38:13 GMT

http://www.transitionnetwork.org/user/register

found a bunch of these yesterday - this one is still showing a 502...

#546: Trac documentation

chris — Wed, 08 May 2013 18:47:09 GMT

Better documentation of things like how to set billing times etc

#547: New Barracuda BOA-2.0.9 Edition available

chris — Fri, 10 May 2013 11:28:17 GMT

Do we want to upgrade to Wheezy, see ticket:535 at the same time as upgrading to BOA-2.0.9? Or should we wait a few weeks, as Jim suggested here ticket:535#comment:3

I think we should schedule this update (to BOA-2.0.9) for an evening when there isn't much traffic on the site, perhaps Saturday or Sunday night. I don't think this update is super urgent as we have already upgraded Nginx, see ticket:218#comment:80

There is new BOA-2.0.9 Edition of Barracuda and Octopus available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

The Changelog contains:

# This is the first Barracuda-only Edition, released to address important
  security issue with Nginx server and provide system level upgrades.
  This Edition will not upgrade Aegir Master nor Aegir Satellite Instances,
  because there was no new Drupal core released since BOA-2.0.8 Edition and
  there were not enough updates to built-in platforms or contrib accumulated.
  Releasing Barracuda-only Edition separately from full Edition allows us
  to address system/services security issues without any extra delay,
  while releasing Octopus-only Edition will allow us to provide Drupal core
  or Aegir version upgrades, without affecting system level services.
  There is also another reason while separate releases will be useful.
  BOA-2.0.9 is the last Edition where Aegir 2.x uses still old Drush 4.6
  in the backend. We need to sync BOA specific Aegir 2.x with upstream
  and finally switch to Drush 5, or even Drush 6, if possible.
  This change, however, may cause issues if you still host legacy Drupal 5
  or some old Drupal 6 sites, with either core or contrib not compatible
  with PHP 5.3, which is now used by default.
  That is why we plan to introduce ability to install older/previous
  Barracuda and/or Octopus release, if you need more time to upgrade.
# New features and enhancements in this release:
  * Debian 7.0 Wheezy support.
  * Automated upgrade from Squeeze with _SQUEEZE_TO_WHEEZY=YES option.
  * Added config template with inline how-to in docs/cnf/barracuda.cnf
  * Added config template with inline how-to in docs/cnf/octopus.cnf
  * Added passwords encryption how-to in docs/BLOWFISH.txt
  * Added the list of symbols used on install in docs/PLATFORMS.txt
  * Forced mysql restart if there are too many high CPU mysqld processes.
  * Improved docs/NOTES.txt
  * Improved docs/README.txt
  * Install libpam-unix2 and libxcrypt1 by default.
  * Install s3cmd by default.
  * Issue #1974640 - Allow to use Midnight Commander for limited shell users.
  * Limited Shell Logs Monitor enabled by default.
  * Nginx: Check for Linux/Cdorked.A malware and delete if discovered.
  * Re-generate and sync Aegir passwords before and after instance upgrade.
  * The silent 'system' mode documented in docs/UPGRADE.txt
  * Allow to exclude platform from otherwise forced `drush en entitycache -y`
    if sites/all/modules/entitycache_dont_enable.info control file is present.
# Changes in this release:
  * Nginx 1.5.0 - security upgrade for CVE-2013-2028
  * PHP 5.3.25
  * Redis 2.6.13
  * Do not disable update module in platforms known to include it as required.
  * Firewall: Open port 1129 for outgoing connections (some gateways need it).
  * Force syslog module as disabled by default and save some disk I/O.
  * Tune kernel to always use max RAM and not swap, if possible.
# Fixes in this release:
  * Add outgoing port 25 SMTP to the list of requirements.
  * Firewall: Add truly permanent block for heavy abusers.
  * Fix for mytop support, available again on systems with MariaDB.
  * Fix permissions in the /data/all tree if required.
  * Fix the order of checks - they scan only the last (current) minute.
  * Force _STRONG_PASSWORDS=NO if locales still look broken on second check.
  * Improve detecting no longer running drush.php and/or cron PHP processes.
  * Improve fix_locales logic.
  * Improve global.inc symlinking on initial install and upgrade.
  * Improve messages displayed when fix_locales discovers broken locales.
  * Improve monitoring to avoid duplicate entries on low traffic systems.
  * Improve sanitize_string() filtering to avoid issues with strong passwords.
  * Improve syncpass tool - Update system user passwd and flush privileges.
  * Issue #1961226 - Warning: Could not change permissions of sites/all to 751.
  * Issue #1962458 - 403 for anonymous users on node/add.
  * Issue #1963044 - Force UTF-8 locales if not present/configured properly.
  * Issue #1974542 - Use /root/.home.no.wildcard.chmod.cnf control file.
  * Issue #1987936 - Restore ability to install PHP 5.2 for FPM and CLI.
  * Make sure that /dev/null is writable for everyone.
  * Make sure that all drushrc.php files are owned by Aegir system user.
  * Make sure that all expected sites/all/{modules,themes,libraries} dirs exist.
  * Make sure that DB server is restarted on upgrade after config tuning.
  * Make sure that pdnsd and resolvconf are properly installed.
  * Nginx: Remove duplicate Vary: Accept-Encoding headers.
  * Percona no longer supports older Ubuntu non-LTS releases.
  * PHP: Do not reload FPM every hour - it may cause error 502.
  * PHP: Fix paths depending on CLI version used.
  * PHP: Fix the extensions installation and upgrade logic.
  * PHP: Make sure that the FPM port is set correctly for D6 sites with 5.2
  * PHP: Properly uninstall all related packages when using source build.
  * PHP: Start more FPM workers on systems with enough RAM by default.
  * Purge bin logs before disabling them.
  * Run NewRelic re-install early enough to avoid locking full-upgrade.
  * Sync the load limits for spiders and backend tasks.
  * The Java/Jetty monitor should use higher allowed limits by default.
  * Update apticron message to recommend system mode instead of full upgrade.
  * Update docs for _BUILD_FROM_SRC option.
  * Use aggressive enough Jetty restart procedure on nightly services reload.
  * Use correct status messages on install and upgrade.
  * Use installer and not Aegir version download on stable install/upgrade.

#550: Transition Town Totnes migration

chris — Sun, 19 May 2013 14:59:44 GMT

It has been agreed to migrate Transition Town Totnes, http://transitiontowntotnes.org/ to wiki:ParrotServer and this ticket has been created to record this process and the time spent on it and the documentation of the migration.

There is also an issue regarding what, if anything, to do with the old Drupal site at http://archive.transitiontowntotnes.org/

#551: Mediawiki 1.19.7 upgrade

chris — Tue, 21 May 2013 08:25:51 GMT

From MediaWiki-announce:

This is a notice that on Tuesday, May 21st between 20:00-21:00 UTC (1-2pm PDT) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software. Downloads and patches will be available at that time, with the git repositories updated later that afternoon. Although MediaWiki does not have the vulnerable feature enabled by default, most wiki using common advanced features will want to patch for this issue.

#552: Puffin Downtime 23rd May 2013

chris — Thu, 23 May 2013 20:54:15 GMT

There was a massive load spike on wiki:PuffinServer this afternoon, the load average peaked at over 60 and at exactly the same time there was also one on the virtual server serving http://webarch.net/.

Pingdom reported:

www.transitionnetwork.org down since 23/05/2013 12:11:57
www.transitionnetwork.org is UP again at 23/05/2013 12:19:57, after 8m of downtime
www.transitionnetwork.org is down since 23/05/2013 12:26:57
www.transitionnetwork.org is UP again at 23/05/2013 12:58:57, after 32m of downtime

When I did managed to get back into the server php-fpm and nginx were not running and it took several attempt to get them to start up.

Attached is the munin graps of the load from today, munin didn't record the start of the spike but it did start recording it as it came down.

This ticket has been created to report the issue and also to record anything that might be found in the logs to explain what happened.

#554: Site slow down and MySQL load increase

chris — Tue, 28 May 2013 18:11:51 GMT

Since the upgrade to MariaDB 5.5.31, done on ticket:218#comment:93 (and fixed on ticket:548#comment:32) there appears to have been been a noticeable slowdown in the time for pages to be generated, measuring with http://tools.pingdom.com/fpt/ the front page alone takes around 5 seconds to generate.

There is a clear increase in the amount of MySQL/MariaDB activity measured by Munin, see the attached graphs, the upgrade was done around midday on 24th May 2013. There has also been a increase in traffic according to the firewall graphs. The memory usage of redis has also dropped right down and the database memory usage has significantly increased.

It's not totally clear if the cause of this change in behaviour of the site is related to the MySQL/MariaDB upgrade or if there was a coincidental change in the traffic to the site at the same time. There is no noticeable change in the visitors recorded in the Piwik stats.

According to pingdom the front page of the site is now "slower than 77% of all tested websites" with a total load time of around 6 seconds, almost all of this is down to the wait of around 5 seconds for the index.php file. This can also be tested from parrot with Apache bench, sometimes cached pages are served up and these appear in an instance, if the front page is generated it takes around 5 seconds, see wiki:LoadTimes#a2013-05-28

#555: Load spikes causing the TN site to be stopped for 15 min at a time

chris — Wed, 29 May 2013 09:53:52 GMT

The BOA /var/xdrago/second.sh script is run every minute via the root crontab and if it detects a certain load level it changes the nginx config to a "high load" config which results in bots being served 503 errors when they spider the site, see ticket:563. When the load goes higher and hits another threshold the second.sh script kills the webserver applications, nginx and php-fpm, and waits till the load has dropped before starting them up again. This was happening once or twice a day following the increase in traffic around the launch of The Power of Just Doing Stuff. This has been addressed by multiplying the thresholds by 5 in second.sh.

Original Description

This morning at 10:19:24 I received the following alert from puffin:

Subject: lfd on puffin.webarch.net: High 5 minute load average alert - 6.59
Time:                    Wed May 29 10:17:02 2013 +0100
1 Min Load Avg:          23.39
5 Min Load Avg:          6.59
15 Min Load Avg:         2.57
Running/Total Processes: 44/326

At 10:21:57 I got an alert regarding ssh:

Service: SSH
Host: puffin
Address: puffin.webarch.net
State: CRITICAL
Date/Time: Wed May 29 10:21:57 BST 2013
Additional Info:
CRITICAL - Socket timeout after 10 seconds

Then at 10:26:47 ssh appeared to have recovered:

Service: SSH
Host: puffin
Address: puffin.webarch.net
State: OK
Date/Time: Wed May 29 10:26:47 BST 2013
Additional Info:
SSH OK - OpenSSH_5.5p1 Debian-6+squeeze3 (protocol 2.0)

But then pingdom reported at 10:29:07:

www.transitionnetwork.org is down since 29/05/2013  10:24:57.

There was then a report regarding Nginx at 10:32:07:

Notification Type: PROBLEM
Service: HTTP
Host: puffin
Address: puffin.webarch.net
State: CRITICAL
Date/Time: Wed May 29 10:32:07 BST 2013
Additional Info:
Connection refused

So at 10:33:47 I ssh'd in and found that php53-fpm and nginx were not running and it took several attempts to get them running again.

The up email from pingdom reported:

www.transitionnetwork.org is UP again at 29/05/2013  10:36:57, after 12m of downtime.

I can't find anything in the logs to indicate what caused the load spike and php-fpm and nginx to stopp running.

#556: Upgrade Piwik to version 1.12

chris — Thu, 30 May 2013 21:40:48 GMT

A new version of Piwik came out today with some interesting looking features:

#557: Set up a re-direct

ed — Tue, 04 Jun 2013 15:21:18 GMT

Please can you set up two re-direct/pointers

from: "power.transitionnetwork.org" to: "http://www.transitionnetwork.org/power-just-doing-stuff"

AND

from: "http://www.thepowerofjustdoingstuff.org" (we own in gandi) to: "http://www.transitionnetwork.org/power-just-doing-stuff"

#563: 503 Errors

chris — Wed, 19 Jun 2013 10:59:54 GMT

Original Description

The site is generating a lot of 503 errors, 83 since 6:30am today and there were around 750 yesterday.

#567: Update BOA for new Redis 2.6.14

chris — Tue, 02 Jul 2013 11:10:27 GMT

A suggestion from Jim:

BOA now includes Redis 2.6.14 <https://raw.github.com/antirez/redis/2.6/00-RELEASENOTES> if you do a 'barracda up-stable system'... What interests me about this is these lines from the changelog:

UPGRADE URGENCY: HIGH because of the following two issues:

Lua scripting + Replication + AOF in slaves problem (see Issue #1164).
AOF + expires possible race condition (see Issue #1079).

It's a long shot, but that could maybe be part of the issue we've seen recently.

I'm not sure if this is best done now or later tonight when the site is less busy?

#569: 403s served to editors, admin very slow

ed — Tue, 09 Jul 2013 07:52:32 GMT

Rob is getting 403s when trying to submit his work. Report from 07:12am this morning (Tuesday)

Ed tried to add a blog post at node add:

https://www.transitionnetwork.org/node/add/blog It took nearly 15 seconds to get this published https://www.transitionnetwork.org/blogs/ed-mitchell/2013-07/eds-test-blog-item-check-403

Running admin functions takes ages.This request took well over 30 seconds:

https://www.transitionnetwork.org/admin/content/node/overview

Please advise?

#573: MariaDB 5.5.32 is available for Puffin

chris — Thu, 18 Jul 2013 19:11:24 GMT

I could either update this via aptitude and it would be quick and have little down time or I could update it via BOA and it'll take 3 or 4 times as long and involved extra downtime.

Jim -- which way would you like it done?

The MariaDB project is pleased to announce the immediate availability of MariaDB 5.5.32.

This is a bug-fix release. See the Release Notes and Changelog for details.

MariaDB 5.5.32 Stable (GA)

Release Notes: https://kb.askmonty.org/en/mariadb-5532-release-notes
Changelog: https://kb.askmonty.org/en/mariadb-5532-changelog
http://lists.askmonty.org/pipermail/announce/2013-July/000048.html

#574: EFF: How HTTPS Everywhere affects transitionnetwork.org

chris — Thu, 25 Jul 2013 08:09:31 GMT

The following email was sent via the whois contact details for the transitionnetwork.org domain name, see also ticket:571 -- the changes made on ticket:571 has broken the site for anon Firefox users with the EFF HTTPS Everywhere browser extension installed.

Hi,

You're receiving this note because transitionnetwork.org is part of our HTTPS Everywhere browser extension, and an upcoming change to the way Firefox handles HTTPS pages may cause your site to display or function incorrectly. We want to make sure that the nearly 3 million HTTPS Everywhere users have the best possible experience while browsing, so we're asking you to please take a minute and test how your site behaves in Firefox 23. You can find out more about our software at

https://www.eff.org/https-everywhere

To see the rules affecting your site, you can visit the HTTPS Everywhere Atlas at

https://www.eff.org/https-everywhere/atlas/domains/transitionnetwork.org.html

The Atlas shows both rules in the development and stable versions of our extension. Rules in the stable version are used by millions of users, while development rules are used by tens of thousands of users. Development rules are now being tested but will be migrated to the stable version in the future.

An upcoming change (described below) in how the Firefox browser renders HTTPS content makes it especially important that you check that your site is prepared for HTTPS access. We urge you review the rules affecting your site and also to test it using HTTPS Everywhere with the upcoming version of Firefox.

*NEW FIREFOX CONTENT SECURITY POLICY*: In the upcoming Firefox 23 browser release, due out the week of August 6, Firefox will stop loading certain "active" content such as scripts and stylesheets from insecure http:// URLs if they've been included from a secure https:// site. If the HTTPS Everywhere rules send users to the secure version of your site but the secure version includes some content loaded over an insecure connetion, the rendering of your site may become broken for Firefox users with HTTPS Everywhere installed after they upgrade to Firefox 23. You can check this by downloading a preview release of Firefox 23, installing HTTPS Everywhere, and visiting your site. We urge all web site operators to protect their users by making sure that all site content is always loaded over a secure connection. A preview version of Firefox 23 is available now at https://www.mozilla.org/en-US/firefox/beta/ and the HTTPS Everywhere extension is at https://www.eff.org/https-everywhere

HTTPS Everywhere rules instruct browsers to access certain specified resources securely -- over HTTPS -- even if the user typed or followed a non-HTTPS link or even if the resources were included in a page via a non-HTTPS URL. For example, it might automatically rewrite

http://www.transitionnetwork.org/

to

https://www.transitionnetwork.org/

or make some similar change.

The goal of this rewriting is to protect as much as possible of every web site against sniffing and tampering by ensuring that as many site resources as possible are loaded over a secure HTTPS connection.

When web sites are accessed insecurely, users are vulnerable to attacks by other users on their networks. HTTPS Everywhere aims to activate sites' existing HTTPS protection more consistently to make sure users are as well-protected from these attacks as possible -- including attacks like sidejacking and SSL stripping.

http://www.firesheep.org/ http://www.thoughtcrime.org/sslstrip

As a result, we think there's an emerging consensus to make all web sites secure, not just financial sites and login pages. Providing a secure connection helps protect users' login credentials, but also helps protect their privacy and security even when accessing public resources, for example by preventing network operators from injecting malware downloads.

The goal of HTTPS Everywhere is to make the web more secure and help users express their preference to use the secure version of every site automatically, even on sites where this is not the default. We don't want to break sites or harm users' experience. So, we encourage webmasters to test the effect of HTTPS Everywhere on their sites and fix any problems that result -- ideally, by making sure that all resources that make up a site are available over HTTPS, using a current, valid certificate. Although we only include rules that we've been told and believe work properly, we can't always anticipate whether a rule adversely affects a site, especially if the site's URL structure, use of CDNs, or level of HTTPS support changes over time.

We are always happy to receive bug reports, updates, and fixes to HTTPS Everywhere rules. We will also make rules inactive by default if a site operator asks us to. Although we are working for a web where all sites are secure, we are not trying to use this software to force sites to use HTTPS against their operators' wishes. You can send any corrections, updates, or requests to https-everywhere-rules@… (which is a public and publicly-archived mailing list), or by replying to this e-mail address.

Thanks for your attention!

Seth Schoen, Senior Staff Technologist, Electronic Frontier Foundation for the HTTPS Everywhere development team

#576: Site down

ed — Thu, 01 Aug 2013 09:42:44 GMT

Been down for 15 minutes by now I reckon

#577: Transition Streets Wordpress Migration

chris — Tue, 06 Aug 2013 21:28:25 GMT

This is a ticket to document the migration of the Transition Totnes http://www.transitionstreets.org.uk/ wiki:WordPress site to wiki:ParrotServer.

#580: php5-fpm starting when puffin boots

chris — Mon, 12 Aug 2013 16:03:06 GMT

When wiki:PuffinServer is booted /etc/init.d/php5-fpm is started and this causes errors with the site.

#583: tmp files on parrot exceeded inode limit

ed — Mon, 02 Sep 2013 12:28:46 GMT

Users are attempting to purchase a DVD and the cart always zeros out even after attempts to update cart etc.

Laura suggests that this may be a server issue and to start with Chris:

The prob could v likely be on the hosting side, so be worth contacting Chris first (and mention can add to cart all okay when logged in, view cart and alter and get to billing page, so could be a session setting that's changed) -

Does the server have disk space left on /tmp. Session data is most likely written there. (sometimes this cart faff issue can happen because of that.)

Are the PHP Session settings correct/ have they changed recently? Chris can fix this if needing a tweakette in php.ini or other places in the underworld of those types of files.

DB could potentially need check/repair.

Another one is the shop element relies on cookies so if a user has set browser to not accept cookies may poss not work! (but think thats something not to think about here, as I tested as both logged in and logged out with cookies set to work on my browser, logged out got the 'cart empty' faff factor like other users will be getting.)

If Chris can't spot the bug (does sound server side and sessions related from a quick test here, haven't looked at the server logs, but if get a mo later will see if I can), poss good to chat and I can think some more on it, but first thoughts alert me mostly to server side, sometimes a roll back to php 5.2 clicks things back into place (but shouldn't be needed). Be good to see if there is a correlation with any server changes/tweaks happening around same timing that the cart stopped working. Keep me in the loop if it is a server fix-y thing as always interested to hear results on bug fixing on sites.

#586: New Relic Monitoring for BOA

chris — Thu, 05 Sep 2013 08:35:17 GMT

This is a ticket to document the consideration, and possible installation, of https://newrelic.com/ on the PuffinServer

#588: RSS feed caching

chris — Fri, 06 Sep 2013 09:43:57 GMT

At the meeting on 5th September ticket:585 one thing we discussed was that:

The biggest single source of bandwidth by URL is Rob's RSS feed, 34.5GB of data, 150k hits. This represents half the total site data transfer, the RSS files is 0.4MB but will hopefully be mostly served gzipped at 0.1MB.

This ticket is to follow up on that -- are the RSS feeds served directly by Nginx?

#589: Blocking spammers at a firewall level

chris — Fri, 06 Sep 2013 09:48:59 GMT

At the meeting on 5th September ticket:585 one thing we discussed was that for August 2013:

More data is transferred for /user/register than the front page, 5.1GB compared to 3.6GB.

Most of this will be spam bots trying to register to post spam. Jim suggested that we could look at blocking some of these spam bots at a firewall level to save on resources. This ticket is to follow up on this suggestion.

#591: Move MySQL temporary directory to tmpfs

jim — Mon, 09 Sep 2013 12:47:41 GMT

Chris, please read: http://2bits.com/articles/reduce-your-servers-resource-usage-moving-mysql-temporary-directory-ram-disk.html

I think we could easily drop a little MySQL memory to give it some in-memory disk space to do the temporary table munching Drupal is causing it. I see there are already some mounted tmpfs partitions.

Related to #590 (proposal L: Review slow query log, explain queries, tweak as necessary/flag poorly behaving modules)

What do you think? Worth doing?

#593: Migrating Puffin to a ZFS file server

chris — Wed, 11 Sep 2013 15:52:47 GMT

This ticket is for the migration of PuffinServer to a ZFS file server, this will involve some downtime but should result in better IO and easier backups.

#594: WordPress 3.6.1 Maintenance and Security Release

chris — Wed, 11 Sep 2013 22:05:01 GMT

The following is from http://wordpress.org/news/2013/09/wordpress-3-6-1/

WordPress 3.6.1 is also a security release for all previous WordPress versions and we strongly encourage you to update your sites immediately. It addresses three issues fixed by the WordPress security team:

Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
Additionally, we’ve adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

#595: Upgrade Mediawiki to 1.19.8 from 1.19.7

chris — Wed, 11 Sep 2013 22:18:05 GMT

From https://git.wikimedia.org/blob/mediawiki%2Fcore.git/REL1_19/RELEASE-NOTES-1.19

MediaWiki 1.19.8

This is a security and maintenance release of the MediaWiki 1.19 branch.

Changes since 1.19.7

SECURITY: Sanitize ResourceLoader exception messages
SECURITY: Token-getting functions will fail when using jsonp callbacks.
SECURITY: Fix extension detection with 2 .'s
Allow a string other than '*' as condition for DatabaseBase::delete()
Purge upstream caches when deleting file assets.
jquery.tablesorter: Add missing dependency on jquery.mwExtension

#597: Default owner for tickets

chris — Tue, 17 Sep 2013 08:04:58 GMT

Ben reported that the default owner for tickets is laura and that this should be changed.

#599: Server time drift

chris — Sun, 29 Sep 2013 21:57:59 GMT

The servers are not keeping good time at the moment.

#604: Times for admin tasks

ed — Thu, 03 Oct 2013 13:10:00 GMT

I am timing some of the admin tasks and keeping a log here for reference. Front of the site is great, backend is still like hauling ghosts through jelly for me.

58 seconds: https://www.transitionnetwork.org/admin/user/user/create

#607: Getting three copies of stats reports

ed — Mon, 14 Oct 2013 08:27:59 GMT

I'm getting three copies of the stats reports (weekly) that I've set up here: https://stats.transitionnetwork.org/index.php?module=PDFReports&action=index&idSite=1&period=day&date=today

Please investigate

#612: Upgrade to BOA-2.1.1 Stable Edition

chris — Sun, 03 Nov 2013 11:11:24 GMT

I have been sent this email from wiki:PuffinServer:

There is new BOA-2.1.0 Stable Edition available.

Please review the changelog and upgrade as soon as possible to receive all security updates and new features.

Changelog: http://bit.ly/newboa

I could potentially do this upgrade tonight as it's a quite time for the server -- Jim, any reason not to apply this update tonight?

#613: Parrot mysql console errors

chris — Mon, 04 Nov 2013 09:48:35 GMT

I connected to the wiki:ParrotServer wiki:XenShell to check the bandwidth usage and there was the following output, we should try to track down the cause of this:

parrot login: [41569.058444] hrtimer: interrupt took 59422559 ns
[442920.164115] INFO: task mysqld:3522 blocked for more than 120 seconds.
[442920.164133] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[442920.164142] mysqld        D ffff880003755c40     0  3522    711 0x00000000
[442920.164153]  ffff8800bfa68e20 0000000000000282 ffff8800565fb9e8 ffff8800565fb9e4
[442920.164165]  00000000000157c8 0000000000000000 000000000000f9e0 ffff8800565fbfd8
[442920.164175]  00000000000157c0 00000000000157c0 ffff88000180c6a0 ffff88000180c998
[442920.164185] Call Trace:
[442920.164200]  [<ffffffff8110fb96>] ? sync_buffer+0x0/0x40
[442920.164211]  [<ffffffff8130de82>] ? io_schedule+0x73/0xb7
[442920.164219]  [<ffffffff8110fbd1>] ? sync_buffer+0x3b/0x40
[442920.164228]  [<ffffffff8130f142>] ? _spin_unlock_irqrestore+0xd/0xe
[442920.164237]  [<ffffffff8130e292>] ? __wait_on_bit_lock+0x3f/0x84
[442920.164246]  [<ffffffff8110fb96>] ? sync_buffer+0x0/0x40
[442920.164253]  [<ffffffff8130e342>] ? out_of_line_wait_on_bit_lock+0x6b/0x77
[442920.164262]  [<ffffffff81066360>] ? wake_bit_function+0x0/0x23
[442920.164271]  [<ffffffff8110ffc3>] ? sync_dirty_buffer+0x29/0x93
[442920.164286]  [<ffffffffa001be04>] ? journal_dirty_data+0xd1/0x1b0 [jbd]
[442920.164301]  [<ffffffffa0032f4c>] ? ext3_journal_dirty_data+0xf/0x34 [ext3]
[442920.164312]  [<ffffffffa00313f5>] ? walk_page_buffers+0x65/0x8b [ext3]
[442920.164322]  [<ffffffffa0032f71>] ? journal_dirty_data_fn+0x0/0x13 [ext3]
[442920.164333]  [<ffffffffa0034a93>] ? ext3_ordered_write_end+0x73/0x10f [ext3]
[442920.164343]  [<ffffffff810b648a>] ? generic_file_buffered_write+0x18d/0x278
[442920.164352]  [<ffffffff810b6926>] ? __generic_file_aio_write+0x25f/0x293
[442920.164361]  [<ffffffff810b69b3>] ? generic_file_aio_write+0x59/0x9f
[442920.164369]  [<ffffffff810f0316>] ? do_sync_write+0xce/0x113
[442920.164377]  [<ffffffff81066332>] ? autoremove_wake_function+0x0/0x2e
[442920.164385]  [<ffffffff8130f6fa>] ? error_exit+0x2a/0x60
[442920.164394]  [<ffffffff8101251d>] ? retint_restore_args+0x5/0x6
[442920.164403]  [<ffffffff8102de30>] ? pvclock_clocksource_read+0x3a/0x8b
[442920.164411]  [<ffffffff810f0c68>] ? vfs_write+0xa9/0x102
[442920.164419]  [<ffffffff810f0d7d>] ? sys_write+0x45/0x6e
[442920.164427]  [<ffffffff81011b42>] ? system_call_fastpath+0x16/0x1b
[442920.164435] INFO: task mysqld:21061 blocked for more than 120 seconds.
[442920.164441] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[442920.164448] mysqld        D ffff8800018b0e20     0 21061    711 0x00000000
[442920.164457]  ffff8800018b0e20 0000000000000282 ffffffff8100c426 ffffffff8100e233
[442920.164469]  ffff880003755d10 0000000000000002 000000000000f9e0 ffff8800bdde3fd8
[442920.164480]  00000000000157c0 00000000000157c0 ffff8800bd9462e0 ffff8800bd9465d8
[442920.164492] Call Trace:
[442920.164498]  [<ffffffff8100c426>] ? pfn_to_mfn+0xe/0x22
[442920.164506]  [<ffffffff8100e233>] ? arbitrary_virt_to_machine+0x28/0x73
[442920.164515]  [<ffffffff8110fb96>] ? sync_buffer+0x0/0x40
[442920.164523]  [<ffffffff8106ce4a>] ? timekeeping_get_ns+0xe/0x2e
[442920.164531]  [<ffffffff8110fb96>] ? sync_buffer+0x0/0x40
[442920.164538]  [<ffffffff8130de82>] ? io_schedule+0x73/0xb7
[442920.164545]  [<ffffffff8110fbd1>] ? sync_buffer+0x3b/0x40
[442920.164554]  [<ffffffff8130f142>] ? _spin_unlock_irqrestore+0xd/0xe
[442920.164561]  [<ffffffff8130e292>] ? __wait_on_bit_lock+0x3f/0x84
[442920.164569]  [<ffffffff8110fb96>] ? sync_buffer+0x0/0x40
[442920.164576]  [<ffffffff8130e342>] ? out_of_line_wait_on_bit_lock+0x6b/0x77
[442920.164584]  [<ffffffff81066360>] ? wake_bit_function+0x0/0x23
[442920.164592]  [<ffffffff8110ffc3>] ? sync_dirty_buffer+0x29/0x93
[442920.164600]  [<ffffffffa001be04>] ? journal_dirty_data+0xd1/0x1b0 [jbd]
[442920.164611]  [<ffffffffa0032f4c>] ? ext3_journal_dirty_data+0xf/0x34 [ext3]
[442920.164622]  [<ffffffffa00313f5>] ? walk_page_buffers+0x65/0x8b [ext3]
[442920.164632]  [<ffffffffa0032f71>] ? journal_dirty_data_fn+0x0/0x13 [ext3]
[442920.164643]  [<ffffffffa0034a93>] ? ext3_ordered_write_end+0x73/0x10f [ext3]
[442920.164652]  [<ffffffff810b648a>] ? generic_file_buffered_write+0x18d/0x278
[442920.164661]  [<ffffffff810b6926>] ? __generic_file_aio_write+0x25f/0x293
[442920.164670]  [<ffffffff810b69b3>] ? generic_file_aio_write+0x59/0x9f
[442920.164677]  [<ffffffff810f0316>] ? do_sync_write+0xce/0x113
[442920.164685]  [<ffffffff81066332>] ? autoremove_wake_function+0x0/0x2e
[442920.164693]  [<ffffffff810f0c68>] ? vfs_write+0xa9/0x102
[442920.164700]  [<ffffffff810f0d18>] ? sys_pwrite64+0x57/0x77
[442920.164706]  [<ffffffff81011b42>] ? system_call_fastpath+0x16/0x1b

#618: Migrate Penguin and Parrot to the ZFS fileserver

chris — Fri, 15 Nov 2013 09:37:36 GMT

Since wiki:PuffinServer has been running from the ZFS fileserver, see ticket:593, it has been performing better -- we should also migrate wiki:PenguinServer and wiki:ParrotServer to the ZFS server prior to upgrading them to Debian Wheezy on ticket:535.

#620: Upgrade MediaWiki to 1.19.9

chris — Fri, 15 Nov 2013 14:57:58 GMT

See the announcement email:

I would like to announce the release of MediaWiki 1.21.3, 1.20.8 and
1.19.9. These releases fix 2 security related bugs that could affect users
of MediaWiki. Download links are given at the end of this email.
* Kevin Israel (Wikipedia user PleaseStand) identified and reported two
vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist
(CVE-2013-4567, CVE-2013-4568).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55332>
* Internal review while debugging a site issue discovered that MediaWiki
and the CentralNotice extension were incorrectly setting cache headers when
a user was autocreated, causing the user's session cookies to be cached,
and returned to other users (CVE-2013-4572).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=53032>
Additionally, the following extensions have been updated to fix security
issues:
* CleanChanges: MediaWiki steward Teles reported that revision-deleted IP's
are not correctly hidden when this extension is used (CVE-2013-4569).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=54294>
* ZeroRatedMobileAccess: Tomasz Chlebowski reported an XSS vulnerability
(CVE-2013-4573).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=55991>
* CentralAuth: MediaWiki developer Platonides reported a login CSRF in
CentralAuth (CVE-2012-5394).
<https://bugzilla.wikimedia.org/show_bug.cgi?id=40747>
Full release notes for 1.21.3:
<https://www.mediawiki.org/wiki/Release_notes/1.21>
Full release notes for 1.20.8:
<https://www.mediawiki.org/wiki/Release_notes/1.20>
Full release notes for 1.19.9:
<https://www.mediawiki.org/wiki/Release_notes/1.19>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

The steps followed for the last upgrade can be followed again, see ticket:595 and see also the documentation at wiki:PenguinServer#wiki.transitionnetwork.org

#629: Upgrade to BOA-2.1.3 Stable Edition

chris — Sun, 24 Nov 2013 11:47:23 GMT

This ticket is for BOA-2.1.3, the previous version was BOA-2.1.1 ticket:612, see wiki:PuffinServer#Upgradetickets The steps to follow when upgrading wiki:PuffinServer are documented at wiki:PuffinServer#UpgradingBOA

#630: Archiving Transition Town Totnes site

ed — Mon, 25 Nov 2013 11:54:35 GMT

Please estimate to archive TTT site as per conversation with Ed:

convert to html
host on Penguin (incl. any likely issues for Penguin doing this)
any ongoing maintenance

Then Ed will discuss with Frances at TTT as per agreement with Chris

#631: Move Transition Culture onto PARROT

ed — Mon, 25 Nov 2013 11:57:44 GMT

We are about to move TC onto PARROT. List of likely actions here:

Ed speak to Simon (move the host, keep the developer if poss)
Chris speak to Simon about TC issues - traffic, size etc.
analyse TC traffic and DB size
prepare PARROT
move TC

Chris thinks we'll need to up PARROT to VPS2 + 2 GB RAM

#632: Add accounts for Sam

chris — Mon, 25 Nov 2013 14:41:25 GMT

Following ticket:534

#635: Transition Research Patterns WEBrick monitoring

chris — Wed, 27 Nov 2013 12:51:13 GMT

Tom noticed that the wiki:TransitionResearchWagn site was unavailable today. I restarted it following the notes. We could do with something being set up to check that is it running. When it is running it's task can be found like this:

ps -lA | grep "ruby1.8"
1 S  1003  1449     1  1  80   0 - 47153 -      ?        00:00:05 ruby1.8

#639: earthin site wordpress error

chris — Fri, 29 Nov 2013 14:06:01 GMT

When using wp on the command line for wiki:EarthInheritorsWordPress

PHP Fatal error:  Call to undefined function get_post_format_slugs() in /home/earthin/sites/default/wp-includes/theme.php on line 1264

#641: Enable dynamic Munin graphs

chris — Mon, 02 Dec 2013 15:25:45 GMT

If we only generate munin graphs on the fly we will also get the zoom function working, this example config looks good: http://uname.pingveno.net/blog/index.php/post/2013/08/25/Configure-Munin-graphs-with-Nginx-and-Debian-7