=Sun May 27, 2018=

# Helped Christian get his local wiki instance operational

=Sat May 26, 2018=

# Emailed with Christian about making an offline version of the wiki for browsing in kiwix like wikipedia & other popular wikis https://wiki.kiwix.org/wiki/Content

## we may have to install Parsoid and/or the VIsualEditor extension https://www.howtoforge.com/tutorial/how-to-install-visualeditor-for-mediawiki-on-centos-7/

## but I asked Christain to first look into methods that do not require Parsoid, such as zimmer http://www.openzim.org/wiki/Build_your_ZIM_file#zimmer

## Christian hit some 403 forbidden messages when hitting the mediawiki api, so I attempted to whitelist his ip address from all mod_security rules

  # disable mod_security with rules as needed                                                                                                                                               

  # (found by logs in: /var/log/httpd/modsec_audit.log)                                                                                                                                     

# kiwix-ready zim files for archival & offline viewing                                                                                                                             

SecRule REQUEST_HEADERS:X-Forwarded-For "@Contains 176.56.237.113" phase:1,nolog,allow,pass,ctl:ruleEngine=off,id:1                                                                 

# In testing, I accidentally banned myself. When validating, I saw that our server had banned 2 other IPs, which are crawlers. I went to their site, and found that they obey robots.txt's "Crawl-delay" option http://mj12bot.com/

[root@hetzner2 httpd]# iptables -L

DROP      all  --  crawl1.bl.semrush.com  anywhere           

DROP      all  --  crawl-vfyrb9.mj12bot.com  anywhere           

DROP      all  --  184-157-49-133.dyn.centurytel.net  anywhere           

ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:http

ACCEPT    tcp  -- anywhere            anywhere            state NEW tcp dpt:https

ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:pharos

ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:32415

LOG        all  --  anywhere            anywhere            limit: avg 5/min burst 5 LOG level debug prefix "iptables IN denied: "

DROP      all  --  anywhere            anywhere           

 

DROP      all  --  crawl1.bl.semrush.com  anywhere           

DROP      all  --  crawl-vfyrb9.mj12bot.com  anywhere           

DROP      all  --  184-157-49-133.dyn.centurytel.net  anywhere           

 

ACCEPT    all  -- anywhere            anywhere            state RELATED,ESTABLISHED

ACCEPT    all  --  localhost.localdomain  localhost.localdomain

ACCEPT    udp  --  anywhere            ns1-coloc.hetzner.de  udp dpt:domain

ACCEPT    udp  -- anywhere            ns2-coloc.hetzner.net  udp dpt:domain

ACCEPT    udp  --  anywhere            ns3-coloc.hetzner.com  udp dpt:domain

LOG        all  -- anywhere            anywhere            limit: avg 5/min burst 5 LOG level debug prefix "iptables OUT denied: "

DROP      tcp  --  anywhere            anywhere            owner UID match nginx

[root@hetzner2 httpd]#  

# so I created a robots.txt file per https://www.mediawiki.org/wiki/Manual:Robots.txt

cat << EOF > /var/www/html/wiki.opensourceecology.org/htdocs/robots.txt

User-agent: *

Disallow: /index.php?

Disallow: /index.php/Help

Disallow: /index.php/Special:

Disallow: /index.php/Template

Disallow: /wiki/Help

Disallow: /wiki/Special:

Crawl-delay: 15

chown not-apache:apache /var/www/html/wiki.opensourceecology.org/htdocs/robots.txt

chmod 0040 /var/www/html/wiki.opensourceecology.org/htdocs/robots.txt

</pre>

# I reset the password for 'Zeitgeist_C.Real_-' & sent them an email

# did some back-of-the-envelope calculations for crypto currency mining with our wiki as piratebay does

## coinhive says 30 hashes/sec is reasonable. https://coinhive.com/info/faq

## yesterday we got 31,453 hits. much of that is probably spiders. Unfortunately, awstats doesn't give unique visitors per day, only per month. But we've basically been online for only one day, and the monthly says 2,422 unique visitors this month. So let's say we get 2,000 visitors per month. 81.4% of our traffic is <=30s long. Average visit is 208s (probably some people leave it open in the background for a very long time (= all our devs)). Let's be conservative & say that 100-81.4=18.6% of our daily users = 2000* 0.18 = 360 users are on the site for 30 seconds. That's 10800 seconds of mining

## Coinhive pays out in 0.000064 XMR per 1 million hashes. We'll be generating 10800 seconds/day * 30 hashes/s = 324,000 hashes per day. 324,000 * 30 = 9,720,000 hashes per month. 9720000/1000000 = 9.72 *  0.000064 xmr = 0.00062208 xmr / month.

## At today's exchange rate, that's $0.10 per month. Fuck.

## ^ that said, my calculations are extremely conservative. If we actually have 2,422 unique visitors spending an average of 208 seconds on the site, then it's 2422 * 208 = 503776 seconds per day. 503776 * 30 hashes/s = 15113280 hashes per day. 15113280 * 30 days = 453398400 hashes per month. 453398400/1000000 = 453.3984 * 0.000064 xmr = 0.029017498 xmr / month.

## At today's exchange rate, that's $4.85/month.

# So if we cryptomine on our wiki users, we're looking at between $0.10 - $5 per month profit. Meh.

# fixed mod_security false-positive

## whitelisted 981247 = SQLI

# I created a snashot of the wiki for Christian to build a local copy for zim-ifying it for kiwix

# DECLARE VARS

snapshotDestDir='/var/tmp/snapshotOfWikiForChris.20180526'

wikiDbPass='CHANGEME'

mkdir -p "${snapshotDestDir}"

time nice mysqldump -u"${wikiDbUser}" -p"${wikiDbPass}" --databases "${wikiDbName}" > "${wikiDbName}.${stamp}.sql"# DECLARE VARS

snapshotDestDir='/var/tmp/snapshotOfWikiForChris.20180526'

mkdir -p "${snapshotDestDir}"

time nice mysqldump --single-transaction -u"${wikiDbUser}" -p"${wikiDbPass}" --databases "${wikiDbName}" | gzip -c > "${wikiDbName}.${stamp}.sql.gz"

time nice tar -czvf "${snapshotDestDir}/wiki.opensourceecology.org.vhost.${stamp}.tar.gz" /var/www/html/wiki.opensourceecology.org/*

# I drove to town to pickup some plexiglass and epoxy for the 3d printer

# I worked on Marin's computer for a bit, updated the OSE Marlin github to include compartmentalized Configration.h files for distinct D3D flavors, and added a new one with the LCD. I got the LCD connected & working. Then the SD card connected & working

# When we went to print from the SD card, the print nozzle was too high. We went back to Marlin to print, and the same thing happened.

# We need to fix the z probe (replace it?) before we can proceed further...

 

=Fri May 25, 2018=

# I got a few emails from people saying thank you, a few asking me to delete their account from the wiki, and one from someone asking for help reseting their password.

# I confirmed that the self-password-reset function worked for me (it sent me an email with a temporary password, I used it, logged-in, then reset my password)

# I hopped over to awstats & munin. Finally, awstats is getting some good data.  

[File:awstats_morningAfterWikiMigration.png]

[File:awstatsPages_morningAfterWikiMigration.png]

# Munin looks good too

[File:munin_morningAfterWikiMigration.png]

 

## obviously there's a jump in the graphs from after the wiki (our most popular site) piped more traffic to hetzner2. Most notably is the number of connections

## CPU & Load aren't much of a change. But if we didn't have varnish, that certainly wouldn't be the case.

## there's some minor changes to the varnish hit rate graph. A tiny sliver of orange hit-for-pass appeared at the top of the graph--that's probably our wiki users that are logged-in. But the hit rate still seems >90%, which is awesome! The dip in the hit rate was from me manually giving varnish a restart--surprisingly it didn't dip much, and it quickly returned to >90% hit rate!

## the number of objects in the varnish cache nearly doubled. I would have expected it to more than double, but maybe with time..

osemain@dedi978:~$ bash -c 'source /usr/home/osemain/backups/backup.settings; ssh $RSYNC_USER@$RSYNC_HOST du -sh hetzner1/*'

12G    hetzner1/20180501-052002

259M    hetzner1/20180502-052001

0      hetzner1/20180520-052001

12G    hetzner1/20180521-052001

12G    hetzner1/20180522-052001

12G    hetzner1/20180523-052001

12G    hetzner1/20180524-052001

481M    hetzner1/20180524-141649

12G    hetzner1/20180524-233533

# I moved the now-static wiki files from the old server into the noBackup dir, so that we won't have those being copied to dreamhost nightly anymore (the backup size should drop from 12G to 0.5G).

osemain@dedi978:~$ mkdir noBackup/deleteMeIn2019/osewiki_olddocroot

osemain@dedi978:~$ mv public_html/w noBackup/deleteMeIn2019/osewiki_olddocroot/

</pre>

# the backups on hetnzer2 aren't growing like crazy, so that bug appears to have been fixed

<pre>

osemain@dedi978:~$ bash -c 'source /usr/home/osemain/backups/backup.settings; ssh $RSYNC_USER@$RSYNC_HOST du -sh hetzner2/*'

15G     hetzner2/20180501-072001

43G     hetzner2/20180524_072001

15G     hetzner2/20180525_001249

15G     hetzner2/20180525_072001

osemain@dedi978:~$

# total disk usage on dreamhost is 172G; hopefully that won't trigger their action on us again. Now that the wiki is migrated, many other things that were blocked can begin to move--one of which is that we can move our backups onto s3, which will now be ~15G daily it seems.

osemain@dedi978:~$ bash -c 'source /usr/home/osemain/backups/backup.settings; ssh $RSYNC_USER@$RSYNC_HOST du -sh .'

172G    .

osemain@dedi978:~$  

# we still didn't get a green lock on firefox for ssl because some content was https. I changed all the links on our Main_Page at least to be https where possible, but there was another culprit: our Creative Commons image in the bottom-right of every page. I changed this in LocalSettings.php from 'http://mirrors.creativecommons.org/presskit/buttons/88x31/png/by-sa.png' to 'https://mirrors.creativecommons.org/presskit/buttons/88x31/png/by-sa.png'. After clearing the varnish cache with `varnishadm 'ban req.url ~ "."'`, we got the green lock on firefox on our main page!

# for the 2x users who asked for their accounts to be deleted: unfortunately, I deleting mediawiki users isn't supported https://meta.wikimedia.org/wiki/MediaWiki_FAQ#How_do_I_delete_a_user_from_my_list_of_users.3F

## instead, I offered them to rename their account and/or change their email address

# I documented how to "block" users by changing their email address, renaming their account, and banning their account

# now that the wiki stuff is stable, I finally got a chance to merge-in the images I found on the 'oseblog'

# documented TODO for OSE Linux needing encrypted persistence https://wiki.opensourceecology.org/wiki/OSE_Linux#Persistence

# Marcin noticed that we had anonymous edits permitted. I looked in the LocalSettings.php file & found this

$wgGroupPermissions['*']['edit'] = true;

## I commented that out, replacing it with the line

$wgGroupPermissions['*']['edit'] = false;

#$wgGroupPermissions['*']['edit'] = true;

## I'm not sure why that didn't permit anon edits before, but it's fixed now!

# I did some further cleanup of the "wiki locking" section of LocalSettings.php. This included commenting-out the line that permitted '*' users from creating accounts. It's misleading.

# uncomment this to put a banner message on every page leading up to a                                                                                                                       

# maintenance window                                                                                                                                                                         

#$wgSiteNotice = '<div class="notify-warning" style="margin: 10px 0px; padding:12px; color: #9F6000; background-color: #FEEFB3;">&#9432; NOTICE: This wiki will be temporarily made READ-ONLY during a maintenance window today at 15:00 UTC. Please finish & save any pending changes to avoid data loss.</div>';                                                                         

#$wgSiteNotice = '<div class="notify-warning" style="margin: 10px 0px; padding:12px; color: #9F6000; background-color: #FEEFB3;">&#9432; NOTICE: This wiki is currently undergoing maintenance and is therefore in an ephemeral state. Any changes made to this wiki will be lost! Please check back tomorrow.</div>';                                                                    

$wgGroupPermissions['*']['edit'] = false;                                                                                                                                                    

#$wgGroupPermissions['*']['edit'] = true;                                                                                                                                                    

$wgGroupPermissions['*']['createaccount'] = true;                                                                                                                                            

#$wgGroupPermissions['*']['createaccount'] = false; ## Account creation disabled by TLG 06/18/2015                                                                                           

$WgGroupPermissions['user']['edit'] = true;                                                                                                                                                  

$wgGroupPermissions['sysop']['createaccount'] = true;                                                                                                                                        

#$wgGroupPermissions['sysop']['createaccount'] = false; ## Account creation disabled by TLG 06/18/2015                                                                                       

$wgGroupPermissions['sysop']['edit'] = true;                                                                                                                                                

$wgReadOnlyFile="$IP/read-only-message";                                                                                                                                                    

## after

#$wgSiteNotice = '<div class="notify-warning" style="margin: 10px 0px; padding:12px; color: #9F6000; background-color: #FEEFB3;">&#9432; NOTICE: This wiki will be temporarily made READ-ONLY during a maintenance window today at 15:00 UTC. Please finish & save any pending changes to avoid data loss.</div>';                                                                         

#$wgSiteNotice = '<div class="notify-warning" style="margin: 10px 0px; padding:12px; color: #9F6000; background-color: #FEEFB3;">&#9432; NOTICE: This wiki is currently undergoing maintenance and is therefore in an ephemeral state. Any changes made to this wiki will be lost! Please check back tomorrow.</div>';                                                                     

$WgGroupPermissions['user']['edit'] = true;                                                                                                                                                  

$wgGroupPermissions['sysop']['edit'] = true;                                                                                                                                                 

$wgReadOnlyFile="$IP/read-only-message";

# Marcin asked me to add 'zip' to the list of possible uploads to the wiki. Done.

 

## started at 14:20. Paused at 15:00. minus 30 min for helping Marcin with git

## somehow I skipped the part where the back is installed. Maybe it was absent or I was absent minded. Any way, after I installed the so-called "last" acrylic piece on the top & saw that the back was already attached, I just snapped in the back at that point

## somehow I made it to the end without installing the proximity sensor. I went back to this doc & did it https://docs.imade3d.com/Guide/Assemble+the+X+Assembly/147

## the info on the checklist after the build was *extremely* lacking, so I just went off guide & started poking it at this point https://docs.imade3d.com/Wiki/Easy_Kit_Flow#Section_Checkpoint_It_s_Alive

## It heated up, moved around, and then immediately ran horizontally with the extruder tip slamming into the bed. I quickly turned off the big friendly button (power switch)!

## the guide was wrong for setting the "x homing offset". It should be "Settings -> Motion -> X home offset", but it said simply "Settings > X Homing Offset". I found it after poking around the menu for a bit https://docs.imade3d.com/Guide/%E2%86%B3+X+Homing+Offset/213

## I finished my first print at 18:19. That's a 10.5 hour build time.

## I thought my next print was good, such as the fish skeleton, but Marcin pointed out that the fish's joints should actually be free to move. we broke the joints a bit & got motion, but apparently it should be printed so precise that we shouldn't have to break it

## I tightened the z motor. they were still loose from my initial build, where the video said to leave it loose. Subsequent prints were better. I got the gears to spin, but--again--only after some breaking

## now prints are sliding around on the surface before the print is finished. I'll have to fix that tomorrow

 

=Thr May 24, 2018=

# today is the big day! I began the wiki migration at ~14:00 UTC

# first step: I moved the wiki to a new home outside the docroot, effectively turning the existing wiki off (and making the state of it immutable)

<pre>

osemain@dedi978:~$ date

Thu May 24 16:07:07 CEST 2018

osemain@dedi978:~$ pwd

/usr/home/osemain

osemain@dedi978:~$ mkdir ~/wiki_olddocroot

osemain@dedi978:~$ mv public_html/w ~/wiki_olddocroot

osemain@dedi978:~$

# I created a simple html file indicating that we're down for maintenance where the old site was.

osemain@dedi978:~$ mkdir public_html/w

osemain@dedi978:~$ echo 'This wiki is currently down for maintenance. Please check back tomorrow.' > public_html/w/index.html

osemain@dedi978:~$

# now that the wiki can't change mid-backup, I initiated the backup process. This will should our last backup of the site pre-upgrade. Note that, after this completes, I'll need to move the '~/wiki_olddocroot' dir into '~/noBackup/deleteMeIn2019/wiki_olddocroot' else our 18G immutably version of the oold wiki will still be backed-up daily superciliously

osemain@dedi978:~$ source /usr/home/osemain/backups/backup.settings

osemain@dedi978:~$ /usr/home/osemain/backups/backup.sh

================================================================================

...

# I know from experience that the hetzner1 backups take an absurdly long time to complete, but hetnzer2 is only a couple hours. I probably won't wait for both to finish. I will kick off the one on hetzner2 and kick off the migration of the data to hetzner2 at the same time. Then, after the hetzner2 backup finishes, I'll tear down the ephemeral wiki & replace it with the migrated data.

# First, I start the backups on hetzner2

root@hetzner2 ~]# # STEP 0: CREATE BACKUPS

[root@hetzner2 ~]# # for good measure, trigger a backup of the entire system's database & files:

[root@hetzner2 ~]# time /bin/nice /root/backups/backup.sh &>> /var/log/backups/backup.log

# Then I kicked-off the file/data transfer from hetzner1 to hetnzer2. Note that I had to modify some of these vars because I moved the files outside the docroot as the only way to stop writes to the db + files (hetzner1 is a shared hosing server, so I can't mess with the vhost configs or bounce the httpd service, etc  one of the reasons we're migrating to hetzner2!)

# DECLARE VARIABLES

source /usr/home/osemain/backups/backup.settings

backupDir_hetzner1="/usr/home/osemain/noBackup/tmp/backups_for_migration_to_hetzner2/wiki_${stamp}"

backupFileName_db_hetzner1="mysqldump_wiki.${stamp}.sql.bz2"

backupFileName_files_hetzner1="wiki_files.${stamp}.tar.gz"

#vhostDir_hetzner1='/usr/www/users/osemain/w'

vhostDir_hetzner1='/usr/home/osemain/wiki_olddocroot/w'

# STEP 1: BACKUP DB

mkdir -p ${backupDir_hetzner1}/{current,old}

pushd ${backupDir_hetzner1}/current/

mv ${backupDir_hetzner1}/current/* ${backupDir_hetzner1}/old/

time nice mysqldump -u"${dbUser_hetzner1}" -p"${dbPass_hetzner1}" --all-databases --single-transaction | bzip2 -c > ${backupDir_hetzner1}/current/${backupFileName_db_hetzner1}

# while those 3 backups ran, I logged into our cloudflare account

## Unrelated, but after I logged-into our cloudflare account, I reset the password to a new 100-char random password. I stored this to our shared keepass.

## in the dns tab, I disabled CDN/DDOS protection for the 'opensourceecology.org' domain. That's the last one that had that enabled. So, after this migration, we'll be able to either cancel our cloudlfare account (just go with the free version) or migrate our DNS back to dreamhost. iirc, cloudflare provides some free services, and they're actually a pretty good low-latency dns provider. So maybe we keep them as a free nameserver. Either way, let's stop paying them!

## The new site is going to be 'wiki.opensourceecology.org', which is already pointed to hetnzer2. Only after we've finished validating this new wiki will I make 'opensourceecology.org' point to hetzner2. Then I'll probably just setup some 301 redirect with modrewrite to point all 'opensourceecology.org/w/*' requests to 'wiki.opensourceecology.org/'.

# I added a message to the top of our 'wiki.opensourceecology.org' site to warn users that they shouldn't make changes until after the migration is complete, lest they loose their work!

$wgSiteNotice = '<div class="notify-warning" style="margin: 10px 0px; padding:12px; color: #9F6000; background-color: #FEEFB3;">&#9432; NOTICE: This wiki is currently undergoing maintenance and is therefore in an ephemeral state. Any changes made to this wiki will be lost! Please check back tomorrow.</div>';  

# the backup run on hetzner2 finished creating the encrypted archive + the hetnzer1 backup of the wiki files/data finished at both the same time. The backup process on hetzner2 was still rsyncing to dreamhost, but that's fine. I'm going to proceed with bringing up the new wiki on hetzner2.

# Marcin tried to login, but it failed 9because his password was too short)

Incorrect username or password entered. Please try again.

</blockquote>

# the only outstanding issue with the wiki is that Marcin isn't getting an email when someone requests an account on the wiki. Note that we did confirm that we can approve them from the wiki, then the user does get an email with their temp password after the account is created. It's just that the initial email notifying Marcin that someone submitted a request to create an account isn't coming through.

# we decided that this isn't a blocker; we're going to mark the migration as a success, and I'll look into the emails out at a later date

# next, I need to setup redirects, email our most active users that they should reset their passwords, and mark all user' passwords as expired

## I tested that I could force my test user to have their password reset upon next login. note that this field is normally 'NULL' for our users