Sign-vault01 outage Retrospective - 2011-03-22 at 20UTC
by Kevin Fenzi
Greetings.
As some of you may know, we had an outage of our signing server on
Friday (2011-03-18). The outage was caused by hardware failure on that
physical machine, but there are a number of issues around this we
should discuss and address.
Due to heroic efforts from a number of folks, things were back up and
functioning later Friday. Thanks to all involved!
We would like to hold a retrospective on this outage in #fedora-meeting
at 20:00UTC on 2011-03-22.
Agenda/Items to discuss:
* Timeline/Background info
* Setup of sensitive boxes
  * func/puppet/fasClient or not?
  * encrypted /
* Updates for sensitive boxes
  * regular with other updates?
  * do not schedule on Fridays?
* Backups of sensitive boxes
* Avoiding single points of failure
* Notifications on outages like this
Please join us and add input to help make things better.
kevin
Removing users from sysadmin-* accounts
by Stephen John Smoogen
System administration is a privilege as it gives access and control over
many users' resources and data. In order to best protect those assets, it
is a normal procedure to remove people who do not seem to have need for
that access anymore. Fedora Infrastructure policy is to remove special
access from people who have not been using it in 60 days. Having gone
through the user lists in wtmp, web logs and other data the following
accounts will be removed from various system administration groups.
People who are removed may reapply later to the infrastructure program
when they feel they need access again. Accounts will not be removed
from the infrastructure mailing list.
Accounts will be removed by 2011-03-17 2000 UTC.
sysadmin akistler
sysadmin benbeecher
sysadmin billchen
sysadmin ccielogs
sysadmin dianam
sysadmin ff4273
sysadmin ggruener
sysadmin gsieranski
sysadmin jasonwalsh
sysadmin jaxjax
sysadmin jeffreyt
sysadmin jonrob
sysadmin jorn
sysadmin kolesovdv
sysadmin marcelomgarcia
sysadmin mkearey
sysadmin nman64
sysadmin rordway
sysadmin santosp
sysadmin sbathe
sysadmin thierry
sysadmin valholla
sysadmin wfoster
sysadmin yingbull
cmsadmin cyrushmh
cmsadmin itbegins
cmsadmin matheo
cmsadmin schendje
cmsadmin teb
cmsadmin wonderer
sysadmin-cloud arjunroy
sysadmin-cloud hbrock
sysadmin-cloud lutter
sysadmin-cloud pmyers
sysadmin-cloud sheid
sysadmin-cloud slinabery
sysadmin-cloud sseago
sysadmin-dba mikeb
sysadmin-devel davivercillo
sysadmin-devel huzaifas
sysadmin-devel itbegins
sysadmin-devel ivazquez
sysadmin-hosted huzaifas
sysadmin-hosted jaxjax
sysadmin-main mikeb
sysadmin-noc badone
sysadmin-noc billchen
sysadmin-noc ggruener
sysadmin-noc huzaifas
sysadmin-noc jdieter
sysadmin-noc jorn
sysadmin-noc kanarip
sysadmin-noc rigeld2
sysadmin-noc sgrubb
sysadmin-noc sheid
sysadmin-noc wakko666
sysadmin-noc yingbull
sysadmin-spin kanarip
sysadmin-spin maxamillion
sysadmin-spin sandeen
sysadmin-test akistler
sysadmin-test anujmore
sysadmin-test badone
sysadmin-test drak
sysadmin-test emichan
sysadmin-test huzaifas
sysadmin-test itbegins
sysadmin-test jhutar
sysadmin-test jtluka
sysadmin-test kanarip
sysadmin-test mapleoin
sysadmin-test marcelomgarcia
sysadmin-test matheo
sysadmin-test mbacovsk
sysadmin-test mganisin
sysadmin-test schendje
sysadmin-test zc00gii
sysadmin-tools huzaifas
sysadmin-tools santosp
sysadmin-tools tgalyean
sysadmin-web adrian
sysadmin-web akistler
sysadmin-web asgeirf
sysadmin-web badone
sysadmin-web glezos
sysadmin-web huzaifas
sysadmin-web ivazquez
sysadmin-web johnp
sysadmin-web jokajak
sysadmin-web jorn
sysadmin-web mbacovsk
sysadmin-web wakko666
sysadmin-web yingbull
sysadmin-web zoglesby
--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
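The kind of review described in the message above (group access with no recorded use in 60 days), as an added example that is not part of the original message or of Fedora Infrastructure's tooling. The group members, the activity records, their "user source timestamp" format, and the review time are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=60)  # threshold stated in the policy

# Constructed sample data: group membership, plus activity records
# normalised from wtmp and web logs as "user source ISO-8601-UTC".
MEMBERSHIP = {
    "sysadmin": {"alice", "bob", "carol"},
    "sysadmin-web": {"alice", "dave"},
    "sysadmin-noc": {"bob", "erin"},
}
ACTIVITY = """\
alice wtmp 2011-03-10T08:15:00
alice web 2010-12-01T10:00:00
bob wtmp 2010-11-30T23:59:00
carol web 2011-01-16T12:00:00
dave web 2011-01-14T19:59:59
frank wtmp not-a-date
bogus line
"""
AS_OF = datetime(2011, 3, 17, 20, 0, tzinfo=timezone.utc)  # assumed review time


def last_seen(records):
    """Return {user: most recent activity}, skipping malformed lines."""
    seen = {}
    for line in records.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        user, _source, stamp = parts
        try:
            when = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        if user not in seen or when > seen[user]:
            seen[user] = when
    return seen


def stale_memberships(membership, records, as_of):
    """List (group, user) pairs with no activity inside the limit."""
    seen = last_seen(records)
    cutoff = as_of - INACTIVITY_LIMIT
    stale = []
    for group in sorted(membership):
        for user in sorted(membership[group]):
            # A member with no record at all is treated as inactive.
            if user not in seen or seen[user] < cutoff:
                stale.append((group, user))
    return stale
```

A user active through one source (alice via wtmp) keeps every group membership here; a per-group notion of "use" would need records that say which privilege was exercised.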
FAS password complexity requirements
by Ricky Zhou
Hey, so as we discussed in the meeting, FAS's password requirements are
currently very lax - just a minimum length of 8 characters. What do we
think the requirements should be changed to?
One possible strength checker that I mentioned during the meeting was:
http://www.nongnu.org/python-crack/
This can use a dictionary to detect weak passwords.
Thoughts?
Ricky
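To illustrate the gap between a length-only rule and a dictionary-based check as raised in the message above, here is an added example that is not from the original message, FAS, or python-crack. The word list is a constructed stand-in, and the normalisation steps are a simplified assumption, not cracklib's algorithm.

```python
import string

MIN_LENGTH = 8  # the current FAS rule described in the message

# Constructed stand-in for a real word list such as a cracklib dictionary.
SAMPLE_WORDS = {"password", "fedora", "welcome", "dragon", "12345678"}

# Common character substitutions undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oieastasi")


def candidate_roots(password):
    """Yield normalised forms that a dictionary-based guesser also tries."""
    lowered = password.lower()
    # Drop digits and punctuation padded onto either end ("Password1").
    stripped = lowered.strip(string.digits + string.punctuation)
    for form in (lowered, stripped,
                 lowered.translate(LEET), stripped.translate(LEET)):
        yield form
        yield form[::-1]  # the same word written backwards


def password_problems(password, words=SAMPLE_WORDS):
    """Return a list of reasons to reject the password (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    for root in candidate_roots(password):
        if root in words:
            problems.append("based on dictionary word '%s'" % root)
            break
    return problems


if __name__ == "__main__":
    for pw in ("Password1", "P@ssw0rd!!", "arodef2011",
               "aaaaaaaa", "correct-horse-battery"):
        print(pw, "->", password_problems(pw) or "accepted")
```

The first four sample passwords satisfy the eight-character minimum yet are rejected here, which is the weakness of a length-only rule.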
Can I authenticate against FAS without python?
by Sean Flanigan
Hi,
I'm part of a team which is working on a Java-based web translation
system called Zanata (formerly Flies) which needs to authenticate
against the Fedora Account System (ideally SSO).
What's the state of http://fedoraproject.org/wiki/OpenID ? This seems
like it would be fairly easy to integrate into Java. That page says
it's in beta. Would it be a really bad idea to build a system which
depends on it, even as a stop-gap?
Apart from authentication, I would like to check if the user has signed
a CLA before letting them enter translations. What options are
available to a Java system for checking CLAs?
I know there's python-fedora, but is there a documented web service
underneath, which I could access from Java? I guess I'm looking for an
XML/JSON version of
https://admin.fedoraproject.org/accounts/user/view/{username},
preferably one which doesn't require my system to authenticate itself as
a Fedora user.
Also, I've been looking at the python-fedora API, and I have some questions:
1. is there an attribute which tells me the user has signed a CLA?
2. can I fetch this attribute without authenticating?
3. if I do need to authenticate, how can I get a non-human Fedora
account for my web server to use?
Thanks!
Sean.
--
Sean Flanigan
Senior Software Engineer
Engineering - Internationalisation
Red Hat
Re: Removing users from sysadmin-* accounts
by Matt Domsch
Ack.
Sent from my Dell Streak
-----Original Message-----
From: Adrian Reber [adrian(a)lisas.de]
Received: Thursday, 17 Mar 2011, 1:55am
To: Fedora Infrastructure [infrastructure(a)lists.fedoraproject.org]
Subject: Re: Removing users from sysadmin-* accounts
On Wed, Mar 16, 2011 at 09:59:21PM -0600, Stephen John Smoogen wrote:
> sysadmin-web adrian
Please do not delete my sysadmin-web account. I need it for MirrorManager
admin rights.
Adrian
Intro
by Marco Grigull
Dear infra team,
I am based in Brisbane, Australia and spend most of my time extending
and looking after engineering resources.
I have some experience with the templating tool cfengine (and some exposure
to puppet) and nagios. I would like to help out with establishing
localised resources for existing content and to keep core systems running.
I look forward to participating and helping to cover during the
Australasian-Pacific hours.
Regards,
Marco
irc: ciphernaut
mismatch_cnt on various raid's
by Kevin Fenzi
So, we have been getting weekly mismatch_cnt emails from a number of
machines with raid setups.
http://fedoraproject.org/wiki/Infrastructure/SOP/Raid_Mismatch_Count
Describes a process to run repair and check on them, but in these cases
the mismatches have come back right away.
Why is that, you might ask?
It's because these are all raid-1 setups. There are cases where raid1
can and does have a mismatched sector setup and it's perfectly fine.
It's still good to run the weekly check on them in case there is a
marginal drive that drops out or otherwise shows lower layer problems.
See: https://bugzilla.redhat.com/show_bug.cgi?id=566828
So, moving forward I think I will try and do a "hotfix" for
/etc/cron.weekly/99-raid-check and make it not mail
for raid1 mismatches. (see patch in above bug)
Longer term, perhaps there will be a mdadm update for rhel5, or we will
get everything moved to rhel6 (which has the fix already).
kevin
Converting old fedora-git-commit-mail-hook users to gnome mail hook on hosted
by Todd Zullinger
Jim Meyering mentioned in #fedora-admin today that pushing to repos
which use the fedora-git-commit-mail-hook can produce unwanted output:
15:40:23 <meyering> hi guys, I've pushed two batches of c-sets, and noticed what may be a trace of a bug in a git update hook (or maybe some other):
15:40:23 <meyering> $ git push
15:40:23 <meyering> ...
15:40:27 <meyering> Total 13 (delta 10), reused 0 (delta 0)
15:40:30 <meyering> remote: git: 'refs/heads/master' is not a git command. See 'git --help'.
15:40:33 <meyering> To ssh://git.fedorahosted.org/git/iwhd.git
15:40:36 <meyering> b57b085..25ef441 master -> master
15:40:44 <meyering> Note the "remote: git: ... is not a git command." diagnostic
I updated the check-perms script to look for repos using the old hook,
but before I run it with the --fix option to convert them to the newer
hooks we borrowed from the folks at gnome.org, it seems wise to check
whether anyone has reasons to avoid doing so or suggestions on how to
make sure this doesn't annoy users of fedorahosted.org.
The gnome hook is what we use for the infrastructure puppet repo as
well as all of the git repos for packages. The formatting should be
fairly similar to what the old hook produced, and it does include
similar X- headers for folks using those to filter mail.
Here's the list of repos which use the old mail hook:
[tmz@hosted1 ~ (master)]$ time ~/bin/git-check-perms
/git/389/admin-console.git: uses old mail hook
/git/389/admin.git: uses old mail hook
/git/389/adminutil.git: uses old mail hook
/git/389/console.git: uses old mail hook
/git/389/ds-console.git: uses old mail hook
/git/389/ds.git: uses old mail hook
/git/389/dsgw.git: uses old mail hook
/git/389/dsmlgw.git: uses old mail hook
/git/389/winsync.git: uses old mail hook
/git/CloudFS.git: uses old mail hook
/git/OpenAPC.git: uses old mail hook
/git/TinyEarth.git: uses old mail hook
/git/anaconda-help.git: uses old mail hook
/git/anaconda-images.git: uses old mail hook
/git/anaconda.git: uses old mail hook
/git/bharati.git: uses old mail hook
/git/bluecurve-classic-metacity-theme: uses old mail hook
/git/bluecurve-gdm-theme: uses old mail hook
/git/bluecurve-gnome-theme: uses old mail hook
/git/bluecurve-gtk-themes: uses old mail hook
/git/bluecurve-icon-theme: uses old mail hook
/git/bluecurve-kde-theme: uses old mail hook
/git/bluecurve-kdm-theme: uses old mail hook
/git/bluecurve-kwin-theme: uses old mail hook
/git/bluecurve-metacity-theme: uses old mail hook
/git/bluecurve-qt-engine: uses old mail hook
/git/bluecurve-xmms-skin: uses old mail hook
/git/bodhi.git: uses old mail hook
/git/booty.git: uses old mail hook
/git/cas.git: uses old mail hook
/git/certmaster.git: uses old mail hook
/git/cloud-kickstarts.git: uses old mail hook
/git/comps.git: uses old mail hook
/git/courses.git: uses old mail hook
/git/d-feet.git: uses old mail hook
/git/ding-libs.git: uses old mail hook
/git/docbook-utils.git: uses old mail hook
/git/docs/about-fedora.git: uses old mail hook
/git/docs/elections-guide.git: uses old mail hook
/git/docs/fedora-doc-utils.git: uses old mail hook
/git/docs/homepage.git: uses old mail hook
/git/docs/install-guide.git: uses old mail hook
/git/docs/readme-burning-isos.git: uses old mail hook
/git/docs/readme.git: uses old mail hook
/git/docs/storage-administration-guide.git: uses old mail hook
/git/docs/systemtap-beginners-guide.git: uses old mail hook
/git/dorrie.git: uses old mail hook
/git/elections.git: uses old mail hook
/git/fas.git: uses old mail hook
/git/fedora-gnome-theme: uses old mail hook
/git/fedora-icon-theme: uses old mail hook
/git/fedora-infrastructure.git: uses old mail hook
/git/fedora-kontributor.git: uses old mail hook
/git/fedora-packager.git: uses old mail hook
/git/fedora-project-schedule.git: uses old mail hook
/git/fedora-screensaver-theme: uses old mail hook
/git/fedora-security.git: uses old mail hook
/git/fedora-tour.git: uses old mail hook
/git/fedora-trans-es.git: uses old mail hook
/git/fedora-web.old.git: uses old mail hook
/git/fedorabubbles-gdm-theme: uses old mail hook
/git/fedoradna-gdm-theme: uses old mail hook
/git/fedoradna-kdm-theme: uses old mail hook
/git/fedoraflyinghigh-gdm-theme: uses old mail hook
/git/fedoraflyinghigh-kdm-theme: uses old mail hook
/git/fedorainfinity-gdm-theme: uses old mail hook
/git/fedorainfinity-screensaver-theme: uses old mail hook
/git/firstboot.git: uses old mail hook
/git/fontpackages.git: uses old mail hook
/git/freeipa.git: uses old mail hook
/git/func.git: uses old mail hook
/git/gnome-applet-vm.git: uses old mail hook
/git/grid/carod.git: uses old mail hook
/git/grid/caroniad.git: uses old mail hook
/git/grid/configuration-tools.git: uses old mail hook
/git/grid/job_hooks.git: uses old mail hook
/git/grid/spqr.git: uses old mail hook
/git/grid/wallaby.git: uses old mail hook
/git/grid/win32-packaging.git: uses old mail hook
/git/grubby.git: uses old mail hook
/git/indic-typing-booster.git: uses old mail hook
/git/isomd5sum.git: uses old mail hook
/git/koji: uses old mail hook
/git/libnmserver.git: uses old mail hook
/git/livecd: uses old mail hook
/git/liveusb-creator.git: uses old mail hook
/git/mkinitrd: uses old mail hook
/git/moksha.git: uses old mail hook
/git/music-creation.git: uses old mail hook
/git/newt-syrup.git: uses old mail hook
/git/ogrechess.git: uses old mail hook
/git/openussd.git: uses old mail hook
/git/osutil.git: uses old mail hook
/git/piranha.git: uses old mail hook
/git/pirut.git: uses old mail hook
/git/pyblock.git: uses old mail hook
/git/pyjigdo.git: uses old mail hook
/git/pykickstart.git: uses old mail hook
/git/redhat-rpm-config: uses old mail hook
/git/reflector.git: uses old mail hook
/git/revisor: uses old mail hook
/git/revista-fedora-latam.git: uses old mail hook
/git/rhpl.git: uses old mail hook
/git/rhq/rhq-config.git: uses old mail hook
/git/rhq/rhq-manage-jboss.git: uses old mail hook
/git/rhq/rhq-manage-os.git: uses old mail hook
/git/rhq/rhq.git: uses old mail hook
/git/sanlock.git: uses old mail hook
/git/secstate.git: uses old mail hook
/git/simon.git: uses old mail hook
/git/smolt.git: uses old mail hook
/git/snap.git: uses old mail hook
/git/spacewalk.git: uses old mail hook
/git/sssd.git: uses old mail hook
/git/symbolic.git: uses old mail hook
/git/system-config-kickstart.git: uses old mail hook
/git/timpus-events.git: uses old mail hook
/git/trustedcomputing.git: uses old mail hook
/git/utrrs.git: uses old mail hook
/git/virt_web.git: uses old mail hook
/git/webzash.git: uses old mail hook
/git/wikirename.git: uses old mail hook
/git/xo.git: uses old mail hook
123 problems remain unfixed
--
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Every actual state is corrupt. Good men must not obey the laws too
well.
-- Ralph Waldo Emerson