We have come to the realisation that this has to be done sooner rather than
later. So I'm putting out a call for help and for feedback.
We need to revamp the CA infrastructure used in Fedora.
This is where I'd like to see us go.
Publish a Certificate Revocation list so that all apps can check for revoked
Have users able to revoke their own cert
Have user certs be revoked when they request a new cert
Have admins able to create/revoke certs
There are 2 types of certificates currently handled by 2 CAs. I really want
to use a single CA for all:
Type 1) User certs. Used for plague/koji/cvs upload access. There is work
underway to use these for other Fedora web-based apps also.
Type 2) Builders, kojira, internal service authentication.
Products to be evaluated:
FAS will need modification to work with the new framework. I also want to
allow fedora-packager-setup to grab the cert directly rather than having the
user manually do it, probably with a flag for when to get a new cert.
All users will need to get new user certs when we make the change, as well as
koji hub, all builders, koji garbage collection, bodhi. It would also be a
good time to deploy ssl auth for other apps.
We have a ticket https://fedorahosted.org/fedora-infrastructure/ticket/466
Please make suggestions for other apps we could use, also ideas for making
the workflow better.
So this is a brief overview of what's needed. I'm going to open the floor for a
week for open discussion on how we should best do this.
Someone just reported that the wiki was down and I thought xen7 might
have crashed again. When I tried to ssh to it my connection timed out.
ping xen7 was fine. I serial consoled in and then immediately tried
to ssh to xen7 again. It worked. uptime showed that xen7 has been up
since this morning and the app servers are all running, etc. There are
no iscsi errors in /var/log/messages.
Is there a possibility that we're experiencing some sort of networking
issue with xen7? Maybe that issue is exacerbating the iscsi bug that
causes our xen hosts to crash?
I'm finding trying to get Friday's snapshot of Fedora 9 to be very
sub-optimal... 62 hours estimated to go after already timing out once.
I've got two peers and one seed :( I'll probably get it by time the
next snapshot is ready :)
Is this happening to others?
Is this really a viable way to put out *weekly* snapshots?
Is hosting jigdo templates a possibility? In my situation it would work
well because I mirror the rawhide trees locally--yes I realize this begs
the question of why I need the snapshot if I already mirror rawhide, but
I'm curious if it fails to install for me just as rawhide has for the
past three days.
I am applying to Google Summer of Code for the Fedora Project. I am
interested in writing a backend committer for Transifex
(#tx-committer). Our plan is to separate the commit process and have
transifex interact with various remote committers through json or
You can find a more detailed description in the wiki page:
Any ideas/questions are more than welcome :)
The last step in completing the download.fp.o move onto the proxy
servers is to remove the forced client redirect, and instead use a
local rewrite rule and proxy pass, just as mirrors.fp.o/mirrorlist
I think this is right, but want extra eyeballs. Here's the diff.
RCS file: /cvs/puppet/configs/web/download.fedoraproject.org/rewrite.conf,v
retrieving revision 1.6
diff -u -r1.6 rewrite.conf
--- rewrite.conf 19 Nov 2007 23:06:40 -0000 1.6
+++ rewrite.conf 26 Mar 2008 20:52:53 -0000
@@ -1,3 +1,12 @@
-RewriteRule ^/(.+)$ http://mirrors.fedoraproject.org/mirrorlist?path=$1&redirect=1 [R=307,L]
-RewriteRule ^/$ http://mirrors.fedoraproject.org/mirrorlist?path=pub/fedora/linux/&redire... [R=307,L]
+RequestHeader set CP-Location /mirrormanager
+RewriteRule ^/(.*)$ balancer://mirrorsCluster//mirrorlist?path=$1&redirect=1 [P]
+RewriteRule ^/$ balancer://mirrorsCluster//mirrorlist?path=pub/fedora/linux/&redirect=1 [P]
+ProxyPassReverse / http://app3.fedora.phx.redhat.com
+ProxyPassReverse / http://app4.fedora.phx.redhat.com
+ProxyPassReverse / http://app5.vpn.fedoraproject.org
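Review bot: The first added RewriteRule uses ^/(.*)$ where the removed rule used ^/(.+)$, so it now also matches a bare / with an empty $1. Because [P] ends rewrite processing for the request, the ^/$ rule on the next line is never reached, and a request for / is proxied with an empty path= instead of path=pub/fedora/linux/. Either keep (.+) in the first rule or move the ^/$ rule ahead of it.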
And for reference, here's what mirrors.fp.o has below. The interesting rule is the second RewriteRule.
RequestHeader set CP-Location /mirrormanager
RewriteRule ^/publiclist(.*) balancer://mirrorsCluster//mirrorlists/publiclist/$1 [P]
RewriteRule ^/mirrorlist(.*) balancer://mirrorsCluster//mirrorlist$1 [P]
RewriteRule ^/(.*)$ balancer://mirrorsCluster//mirrorlists/$1 [P]
RewriteRule ^/(.*) balancer://mirrorsCluster/$1 [P]
ProxyPassReverse / http://app3.fedora.phx.redhat.com
ProxyPassReverse / http://app4.fedora.phx.redhat.com
ProxyPassReverse / http://app5.vpn.fedoraproject.org
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux
My name is John Roman, and I suppose this is my introduction. I hope to
be considered for membership in the infrastructure group but of course,
I'm not yet familiar enough with it. I'm lurking the #fedora-admin
channel for now as nimbius. Occasionally I'll browse the ticketing
system to get an idea of what infrastructure at Fedora does.
I'm a 26 year old infrastructure engineer by trade with 3 years
experience in Red Hat based systems. I've worked one small shop, and one
large shop. I've been a Fedora user since its inception and it's taught
me quite a bit about Linux. Some of the things I enjoy doing most with
Fedora are high-availability clustering, building fiber channel LVM,
and samba replacements for domain controllers.
For reference, I am an active contributor in the sambawiki on active
I want to join the infrastructure group because it will give me a chance
to help the project, as well as learn more about an operating system
that has been with me in one form or another for around 8 years.
Hey guys, I'm going to rebuild app2 and stick some of our tg apps on
there. Seth brought up an excellent point earlier in that our tg apps
aren't really using any x86_64 code but the python objects they create can
be 2-3x larger in memory. Since most of our performance issues with these
apps is memory bloat (and ultimate swap) I'm going to build it as an i686
box. After a week or two we can compare memory footprints. I'd really
like to get some benchmarks done to have some actual data to compare to
but I just don't think I'll have time for it (if someone else wants to
though I'd greatly appreciate it)
I'm going to add app2 to the farm with some of our apps like smolt,
mirrormanager and pkgdb. Then compare memory footprints after a week or
Also, the last thing blocking us from app3 is getting mediawiki in EL-5 or
in the infrastructure repo. If someone wants to get together and verify
that the newest mediawiki in Fedora will build in EL-5 I'd greatly
appreciate it (don't forget about the deps).
Matt Domsch mentioned the other day to the Board that CVS file system
usage is at ~77%. How does that trend over time, and does that include
the lookaside cache? Matt may have been working on answering these
questions already, I just thought they would be of interest in a public
Paul W. Frields http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/ - - - - http://pfrields.fedorapeople.org/
irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug