Re: [Distutils] PyPI Migrated to New Infrastructure with some Breakage

2014-01-26 Thread Richard Jones
It definitely looks like we've got some issues introduced in recent server
migrations and reconfigurations. Things I'm aware of:

- OAuth is busted
- OpenID is confused and/or busted
- password reset is possibly busted
- pypissh is busted


 Richard


On 27 January 2014 00:26, Alex Clark wrote:

> On 1/25/14, 6:38 PM, Donald Stufft wrote:
>
>> My question to you is, is this something that distutils-sig is willing to
>> have happen? If we are to re-enable pypissh we’ll need to write a new
>> solution to doing it that can be properly HA’d and we’d prefer to put our
>> efforts into improving things for a much larger set of people.
>>
>
> +0 re: pypissh, but I am still interested in seeing OAuth support come
> back:
>
> - https://bitbucket.org/pypa/pypi/issue/85/oauth-authorise-not-found-https-must-be
>
> Any idea if this can come back as part of PyPI or if we have to wait for
> warehouse? Nice work on the infrastructure, thank you!
>
> --
> Alex Clark · http://about.me/alex.clark
>
>
> ___
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
>
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig


Re: [Distutils] PyPI Migrated to New Infrastructure with some Breakage

2014-01-26 Thread Alex Clark

On 1/25/14, 6:38 PM, Donald Stufft wrote:

> My question
> to you is, is this something that distutils-sig is willing to have happen? If
> we are to re-enable pypissh we’ll need to write a new solution to doing it that
> can be properly HA’d and we’d prefer to put our efforts into improving things
> for a much larger set of people.

+0 re: pypissh, but I am still interested in seeing OAuth support come
back:

- https://bitbucket.org/pypa/pypi/issue/85/oauth-authorise-not-found-https-must-be

Any idea if this can come back as part of PyPI or if we have to wait for
warehouse? Nice work on the infrastructure, thank you!


--
Alex Clark · http://about.me/alex.clark



Re: [Distutils] PyPI Migrated to New Infrastructure with some Breakage

2014-01-26 Thread Kyle Kelley
Congrats! Thanks for always making the PyPI infrastructure better and
better.

Where are the states stored?


On Sat, Jan 25, 2014 at 5:18 PM, Donald Stufft wrote:

>
> On Jan 25, 2014, at 7:04 PM, Chris Jerdonek wrote:
>
> > On Sat, Jan 25, 2014 at 3:38 PM, Donald Stufft wrote:
> >> Today (Sat Jan 25, 2014) the Infrastructure team has migrated PyPI to new
> >> infrastructure.
> >>
> >> The old infrastructure was:
> >>
> >> - a single database server managed by OSUOSL
> >> - a pair of load balancers shared by all of the python.org services hosted on
> >>   OSUOSL
> >> - a single backend VM that served as everything else for PyPI
> >>
> >> The VM that was acting as the backend server from PyPI was partially hand
> >> configured and partially setup to be managed by chef. Additionally it had an
> >> issue that caused it to kernel panic every so often which had been the cause of
> >> a number of downtimes in the last few months. Because it was primarily
> >> configured and administered by hand and because the way it was set up it was
> >> not feasible to have any sort of failover or spare.
> >>
> >> The new infrastructure is:
> >>
> >> - 2 Web VMs
> >> - 2 Database servers in Master/Slave Configuration
> >> - 2 PgPool Servers pooling connections to the database servers and load
> >>   balancing reads across them.
> >> - 2 GlusterFS servers backed by Cloud Block Storage acting as the file storage
> >>   for package and package docs
> >> - 1 metrics server to handle updating the download counts as they come in from
> >>   Fastly
> >>
> >> All of the VMs are hosted on Rackspace’s Public Cloud and have their
> >> configuration completely controlled and managed using Salt. Going forward this
> >
> > Can you say a little about the choice to use Salt instead of Chef?  I
> > don't really care either way, but am just curious.  Is it because Salt
> > is written in Python, or were there other reasons (functionality,
> > etc)?
> >
> > --Chris
>
> I’d need to ask Ernest to be sure, but I believe it was mostly that he was
> more familiar with it. The fact that it was written in Python was a bonus as
> well ;) I don’t think that there was anything that Chef was missing or that
> Salt had over Chef, just familiarity of the person who did most of the work.
> I’ll double check with Ernest to make sure there wasn’t another reason :)
>
> -
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA


Re: [Distutils] PyPI Migrated to New Infrastructure with some Breakage

2014-01-26 Thread Kyle Kelley
s/states/salt states/


On Sat, Jan 25, 2014 at 9:15 PM, Kyle Kelley wrote:

> Congrats! Thanks for always making the PyPI infrastructure better and
> better.
>
> Where are the states stored?


Re: [Distutils] PyPI Migrated to New Infrastructure with some Breakage

2014-01-26 Thread martin


Quoting Richard Jones:

> Thanks everyone who helped make this happen.
>
> From my perspective* I believe the ssh upload mechanism was added to
> address security issues around the basic-auth-over-http method used
> historically. Now uploads *may* be done over https, and those using the ssh
> method can move over to using twine or pip upload, I think that it's
> reasonable to discontinue support for ssh uploads.


There is one use case that still isn't addressed by any of the alternatives:
Automated uploads still require the password to be stored on disk. So if the
laptop is stolen, the password may get stolen as well.

With SSH upload, the authentication comes from the ssh-agent, which protects
the credentials better (i.e. if the laptop is powered-down, or requires the
user to enter a password on access, the key is protected).

It has been suggested to resolve this using the keyring library (which would
give the same protection to the password as ssh-agent to the private key),
but
a) I don't think it actually *has* been implemented, and
b) to properly implement it (i.e. without monkey-patching register/upload),
   it would have to be done in CPython, and
c) that would require to put keyring into CPython, which could happen
   in Python 3.5 at the earliest.

So I suggest that somebody does a), and then provides a package that works
around b) and c) by monkeypatching distutils (just like pypissh does).

In any case, if you really choose to discontinue SSH access, I suggest that
you also change the UI to drop registration of SSH keys, and then ultimately
remove them from the schema.

BTW, you can get an indication of how many users this might affect by checking
how many users have keys registered.

Regards,
Martin
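
The concern in the message above, that automated uploads leave the password on disk, can be checked for on a workstation or build host. This is an added example, not code from this thread or from PyPI: it assumes the conventional ~/.pypirc layout ([distutils] index-servers plus one section per server), and the sample file and the function name audit_pypirc are constructed for illustration.

```python
import configparser
import stat

# Constructed sample .pypirc; the hosts and credentials are made up.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
username = alice
password = s3cr3t%value

[internal]
repository = http://pypi.example.internal/
username = ci-bot
"""


def audit_pypirc(text, mode=0o644):
    """Return (section, issue) findings for a .pypirc body and its file mode."""
    findings = []
    # Any group/other permission bit exposes stored credentials to local users.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("<file>", "readable by group or other users"))
    # RawConfigParser: passwords may contain '%', which must not be interpolated.
    cfg = configparser.RawConfigParser()
    cfg.read_string(text)
    servers = cfg.get("distutils", "index-servers", fallback="").split()
    for name in servers:
        if not cfg.has_section(name):
            continue
        if cfg.get(name, "password", fallback="").strip():
            findings.append((name, "plaintext password stored on disk"))
        if cfg.get(name, "repository", fallback="").lower().startswith("http://"):
            findings.append((name, "repository URL is plain http"))
    return findings


if __name__ == "__main__":
    for section, issue in audit_pypirc(SAMPLE_PYPIRC, mode=0o644):
        print(f"{section}: {issue}")
```

On a real host, pass the file's contents and stat.S_IMODE(os.stat(path).st_mode) as the mode.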

