The infrastructure team will be having it's weekly meeting tomorrow, 2015-02-19 at 18:00 UTC in #fedora-meeting on the freenode network.
Suggested topics:
#topic New folks introductions and Apprentice tasks.
If any new folks want to give a quick one line bio or any apprentices would like to ask general questions, they can do so in this part of the meeting. Don't be shy!
#topic Applications status / discussion
Check in on status of our applications: pkgdb, fas, bodhi, koji, community, voting, tagger, packager, dpsearch, etc. If there's new releases, bugs we need to work around or things to note.
#topic Sysadmin status / discussion
Here we talk about sysadmin related happenings from the previous week, or things that are upcoming.
#topic nagios/alerts recap
Here we go over the last weeks alerts and see if we can find ways to make it so they don't happen again.
#topic Upcoming Tasks/Items
https://apps.fedoraproject.org/calendar/list/infrastructure/
#topic Open Floor
Submit your agenda items, as tickets in the trac instance and send a note replying to this thread.
More info here:
https://fedoraproject.org/wiki/Infrastructure/Meetings#Meetings
Thanks
kevin
On Wed, Feb 18, 2015 at 04:46:39PM -0700, Kevin Fenzi wrote:
#topic Open Floor
I want to propose this: https://fedorahosted.org/fedora-infrastructure/ticket/4670 #4670: move planet.fedoraproject.org to fedoraplanet.org
Regards Till
============================================ #fedora-meeting: Infrastructure (2015-02-19) ============================================
Meeting started by nirik at 18:00:04 UTC. The full logs are available at http://meetbot.fedoraproject.org/fedora-meeting/2015-02-19/infrastructure.20... .
Meeting summary --------------- * aloha (nirik, 18:00:04)
* New folks introductions and Apprentice tasks. (nirik, 18:04:24)
* Applications status / discussion (nirik, 18:07:50) * the-new-hotness got deployed to production this week (on tuesday) (pingou, 18:08:24) * LINK: https://stg.fedoraproject.org/wiki/Upstream_release_monitoring (threebean, 18:08:32) * pkgdb2 getting ready for the new branc/package management (pingou, 18:08:50) * LINK: https://fedoraproject.org/wiki/Upstream_release_monitoring (threebean, 18:09:01)
* Sysadmin status / discussion (nirik, 18:16:58) * pkgs migration is done (puiterwijk, 18:17:21)
* nagios/alerts recap (nirik, 18:21:13) * LINK: http://ur1.ca/jr7j4 (nirik, 18:21:13)
* Upcoming Tasks/Items (nirik, 18:24:10) * LINK: https://apps.fedoraproject.org/calendar/list/infrastructure/ (nirik, 18:24:10)
* Open Floor (nirik, 18:30:29)
* Upcoming authentication ideas (nirik, 18:32:18)
* ticket 4670 (nirik, 18:47:42) * LINK: https://fedorahosted.org/fedora-infrastructure/ticket/4670 (nirik, 18:47:45) * nirik will work on moving this forward. (nirik, 18:50:13)
* Open Floor (part 2, the open flooring) (nirik, 18:50:30) * LINK: http://threebean.org/fedmenu/ (threebean, 18:51:28) * LINK: https://fedorahosted.org/fedora-infrastructure/ticket/130 (nirik, 18:52:28)
Meeting ended at 18:56:53 UTC.
Action Items ------------
Action Items, by person ----------------------- * **UNASSIGNED** * (none)
People Present (lines said) --------------------------- * nirik (100) * puiterwijk (55) * pingou (32) * threebean (23) * tridev (6) * zodbot (5) * mhurron (3) * dgilmore (3) * relrod (2) * dcsaba (2) * taedori (1) * danofsatx (1) * janeznemanic (1) * abadger1999 (0) * lmacken (0) * smooge (0) * mdomsch (0) -- 18:00:04 <nirik> #startmeeting Infrastructure (2015-02-19) 18:00:04 <zodbot> Meeting started Thu Feb 19 18:00:04 2015 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:04 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 18:00:04 <nirik> #meetingname infrastructure 18:00:04 <zodbot> The meeting name has been set to 'infrastructure' 18:00:04 <nirik> #topic aloha 18:00:04 <nirik> #chair smooge relrod nirik abadger1999 lmacken dgilmore mdomsch threebean pingou puiterwijk 18:00:04 <zodbot> Current chairs: abadger1999 dgilmore lmacken mdomsch nirik pingou puiterwijk relrod smooge threebean 18:00:18 * puiterwijk is here 18:00:58 <dgilmore> hola 18:00:58 * pingou is here 18:01:09 <taedori> here 18:01:32 * danofsatx is here today, for once 18:01:58 <janeznemanic> hello 18:02:01 <tridev> hi 18:02:46 * relrod here 18:04:15 <nirik> ok, lets go ahead and get started. ;) 18:04:24 <nirik> #topic New folks introductions and Apprentice tasks. 18:04:31 <nirik> any new folks like to introduce themselves? 18:04:37 <nirik> or apprentices with questions or comments? 18:04:46 <tridev> I am new in fedora Infrastructure team(I am a second year college student).I didnot get the way to start with it.I know C,Python and linux to beginner level.I want to improve the skills and learn more. 18:04:46 * threebean is here 18:05:09 <nirik> tridev: welcome. ;) Are you more interested in development or sysadmin type work? 18:05:25 <tridev> I am more interested in development 18:05:30 <tridev> :) 18:05:48 <nirik> cool. Do join our #fedora-apps channel and folks there can see about pointing you in the right direction. 18:05:53 <mhurron> :P weekly reminder I'm happy to update the appretice page with an Ansible workflow 18:05:58 <nirik> most of our applications are in python 18:06:19 <nirik> mhurron: might have time to help with that later today... you going to be around this afternoon? 18:06:21 <tridev> okay 18:06:41 <tridev> thank you nirik 18:07:02 <nirik> no problem, and welcome again. ;) Do ask questions as you think of them... 18:07:05 <mhurron> I can try to be, or just mail a dump of info to me and I'll make something of it 18:07:20 <nirik> mhurron: alright. 18:07:50 <nirik> #topic Applications status / discussion 18:07:59 <nirik> any applications news this week or upcoming? 18:08:09 <nirik> I'll note we head into freeze next tuesday for f22 alpha 18:08:15 <pingou> the-new-hotness pushed in prod 18:08:15 <threebean> the-new-hotness got deployed to production this week (on tuesday) 18:08:20 <threebean> pingou: ;p 18:08:24 <pingou> #info the-new-hotness got deployed to production this week (on tuesday) 18:08:32 <threebean> https://stg.fedoraproject.org/wiki/Upstream_release_monitoring 18:08:39 <threebean> doh, not stg. 18:08:46 <threebean> how do you strike something from the record? 18:08:50 <pingou> #info pkgdb2 getting ready for the new branc/package management 18:08:52 <nirik> cool. ;) should we announce that? 18:09:01 <threebean> https://fedoraproject.org/wiki/Upstream_release_monitoring 18:09:15 <dgilmore> #undo 18:09:18 <threebean> heh, yeah we probably should. use the devel-announce list you think? 18:09:23 <nirik> yep. 18:09:29 <pingou> +1 for me 18:09:30 <threebean> dgilmore: thanks. it's already buried in the stack now. 18:09:35 <dgilmore> threebean: 18:09:36 <nirik> might note how to add projects that aren't monitored... 18:09:46 <nirik> or opt out 18:09:51 <threebean> will do 18:11:07 <nirik> anything else on the application horizon? 18:11:23 <nirik> are we any closer to a bodhi02.stg thats bodhi2? ;) 18:11:31 <pingou> oh, I got progit to do branch-based pull-requests :) 18:11:45 <nirik> nice 18:11:55 <nirik> Oh, also GSoC proposals are due tomorrow. 18:11:56 <pingou> I'll be working on issue dependency later this week 18:12:15 <pingou> yeah, we got 3 proposal in or so 18:12:25 <pingou> and tyll added some on for rel-eng 18:13:05 * pingou eof 18:13:21 <nirik> cool. 18:13:48 <dcsaba> Hello Team! Answering your question nirik, I want to ask some. 18:14:17 <nirik> dcsaba: hello. ask away. 18:15:03 <dcsaba> First is how much time at least do I must spend on working in the team? 18:15:23 <nirik> there's no requrement... as much time as you like/can spare. 18:16:38 <nirik> anything else on the applications side? 18:16:58 <nirik> #topic Sysadmin status / discussion 18:17:12 <nirik> on the sysadmin side, smooge and I have been busy moving more things to rhel7/ansible. 18:17:21 <puiterwijk> #info pkgs migration is done 18:17:30 <puiterwijk> pkgs02 is now based on rhel7 with ansible. 18:17:38 <threebean> exciting :) 18:17:51 <nirik> I also made a proxy10 in phx2... and just now reinstalled proxy01 18:18:15 <nirik> I also moved all the stuff off virthost04 and shut it down (it was an old old machine we are retiring) 18:18:39 <nirik> we also got a number of new hosts setup... virthost02 and virthost11 (for stg stuff) and virthost-comm04 18:19:33 <nirik> we are down to 31 hosts in puppet. 18:20:02 <nirik> I will send out an email in the next day or two with more detailed status on those hosts. We can't get them all before freeze, but possibly between alpha/beta 18:21:00 <nirik> anything else on the sysadmin side? 18:21:13 <nirik> #topic nagios/alerts recap 18:21:13 <nirik> http://ur1.ca/jr7j4 18:21:21 <nirik> I saved that url this time. ;) 18:21:49 <nirik> of course it's slow to load 18:22:04 <nirik> so, the top 4 are all proxy07. 18:22:17 <nirik> we really need to figure out a way to reinstall that host and proxy. 18:22:48 <nirik> I think smooge might have a way to do so now, will see if we can't move that forward. 18:23:16 <nirik> but I think we are decreasing on alerts this week, which is good. 18:24:10 <nirik> #topic Upcoming Tasks/Items 18:24:10 <nirik> https://apps.fedoraproject.org/calendar/list/infrastructure/ 18:24:19 <nirik> anything upcoming anyone would like to note or schedule? 18:24:25 <nirik> next week is f22 alpha freeze. 18:24:44 <puiterwijk> I'm going to attempt a mediawiki upgrade by next week in staging. 18:24:59 <puiterwijk> anyone that has scripts running against mediawiki, please get in contact with me to test 18:25:13 <puiterwijk> (I'll keep reminding every meeting until we move it to prod) 18:25:25 <nirik> puiterwijk: adamw and the ambassadors membership thing in infra are mostly the only users. 18:25:40 <puiterwijk> nirik: I already spoke with adamw yeah, but anyone else is welcome to ping me 18:26:09 <nirik> are you going to try and migrate to postgres too? or did that end up being too difficult? 18:26:22 <puiterwijk> and to anyone: even if your code *should* work with the new mediawiki, we're also migrating to openid, so auth *will* need work. 18:26:52 <threebean> I might try to put out a bugfix release of the fmn web frontend before freeze, but may not get to it in time. 18:26:58 <puiterwijk> I'm going to attempt to migrate to postgres yeah 18:27:13 <threebean> shouldn't affect the noisy backend component. 18:27:40 <nirik> threebean: cool. A blog post/look at what people changed in the default packager settings could be cool. ;) 18:27:57 <threebean> oh, right. running the numbers. 18:28:01 * threebean queues that up 18:28:57 <nirik> I failed to line up someone to talk about an application today again. Should really add that to the meeting process. :( 18:29:25 <nirik> unless someone wants to free form talking about one? ;) 18:30:25 <nirik> no worries. Will try harder next time. ;) 18:30:29 <nirik> #topic Open Floor 18:30:40 <nirik> anything anyone would like to bring up? Suggestions, comments, etc? 18:31:27 <puiterwijk> nirik: I could do a quick talk about upcoming auth ideas, or is that not what you meant? 18:32:04 <nirik> puiterwijk: sure, would be fine. :) I have been trying to once per meeting talk about one of our applications or things we use... so people could see how it works/was setup/what it did, etc. 18:32:18 <nirik> #topic Upcoming authentication ideas 18:32:38 <puiterwijk> Okay, so I've been working on some stuff for the auth infrastructure 18:32:47 <puiterwijk> first of all, there's the migration to Ipsilon of course. 18:33:09 <puiterwijk> next, I'm planning to implement single login/logout. 18:33:42 <puiterwijk> the login code is at https://github.com/fedora-infra/jsautologin, and I would like to invite anyone to take a look and give comments on how I could improve it within the bounds of the protocols we use 18:34:19 <nirik> where were we on plans to 2fa web applications? someone asked about it the other day... 18:34:48 <puiterwijk> I don't think we decided anything on that in the end. The auth system can support it in Ipsilon, so we can add it 18:35:19 <puiterwijk> after Ipsilon is in production, applications could indicate they want people to use a second factor themselves 18:35:26 <pingou> puiterwijk: adding 2fa in our apps would be nice I think 18:35:27 <nirik> yeah, depends on how we want to do it and what we want to enforce 18:35:36 <mhurron> what 2fa options are supported? 18:35:42 <pingou> mhurron: yubikey and gauth 18:35:43 <puiterwijk> mhurron: currently we have Google Auth and Yubikey 18:35:56 <puiterwijk> well, Google Auth == TOTP in this case 18:36:14 <pingou> puiterwijk: does ipsilon require all 2fa or does it handle a per user difference? 18:36:25 <puiterwijk> pingou: applications can request the user to use 2fa. 18:36:29 <pingou> (as in you have yubikey, I don't) 18:36:46 <puiterwijk> ah, right. that's configurable 18:36:47 <pingou> puiterwijk: but $apps doesn't know if you have 2fa or not, only FAS would know that 18:37:09 <pingou> so all $app can say is: "2fa++ otherwise 1fa" 18:37:16 <puiterwijk> pingou: right, but if the app says "Require 2fa", and the user doesn't have 2fa, Ipsilon would error out. 18:37:30 <puiterwijk> at least, with the current implementation. if we want anything else, we can implement that obviously 18:37:41 <pingou> so unless *all* our users have 2fa, it's not something we can use atm 18:37:53 <puiterwijk> well, we could use it for more sensitive applications 18:37:59 * pingou note: we could require it for admin access 18:38:07 <puiterwijk> yeah 18:38:15 <pingou> hm, nm, we can't 18:38:19 <nirik> but some users may want to enable it for them for all apps that can support it. 18:38:24 <puiterwijk> well, we theoretically could 18:38:49 <puiterwijk> pingou: ^ 18:38:56 <pingou> puiterwijk: I was thinking: if you're in X you need 2fa, but before the login, we don't know if you are in X 18:39:17 <puiterwijk> pingou: well, what we could do, is have an app only request group X if it specified it needs 2fa 18:39:35 <puiterwijk> or require re-auth the first time you do an admin action 18:39:47 <pingou> hm :/ 18:40:03 <nirik> yeah, lots of things to consider. ;) 18:40:05 <puiterwijk> so we store the current 2fa state (ipsilon will provide that), and if 2fa=false and we try admin action, redirect to Ipsilon for 2fa 18:40:13 <puiterwijk> that'd be something like sudo actually. 18:40:25 <pingou> and most annoying from a UX pov 18:40:42 <puiterwijk> right. but secure. 18:40:50 * relrod has to duck out early to go meet with a professor 18:41:00 <pingou> relrod: good luck :) 18:41:04 <puiterwijk> relrod: have fun 18:41:19 <puiterwijk> pingou: but as said, this is all open for discussion. 18:41:27 <nirik> I think the first case people will want is to use it if they have it... the admin case is interesting too tho I suppose. 18:41:31 <pingou> puiterwijk: but annoying is the most dangerous thing of a secure system, because people will try to go around it :) 18:41:49 <puiterwijk> pingou: well, we'll just have to make sure you can't go around it :-) 18:42:01 <puiterwijk> but yeah, this needs thought 18:42:35 <nirik> indeed. 18:42:49 <nirik> perhaps a mailing list thread for use cases? 18:42:57 <nirik> and applications that might want it 18:43:01 <puiterwijk> yeah, makes sense. I'll start one later today 18:43:26 <nirik> cool. Oh, I just realized till wanted us to discuss a ticket too today... 18:43:41 <puiterwijk> one last thing regarding SSO if I can get one more minute, nirik ? 18:43:45 <nirik> sure. 18:44:10 <puiterwijk> I explained single login, and I'm working on a specification for an OpenID extension for single logout. Will publish that soon 18:44:29 <puiterwijk> that was everything I had in mind at this time. If there's any more questions, feel free to let me know. 18:44:40 <nirik> cool. Thanks for the info. 18:44:49 <pingou> puiterwijk: how long is the session cookie on fedoauth currently? 18:45:08 <puiterwijk> pingou: at this moment 15 minutes. but once I get single logout implemented, I will bump that considerably 18:45:30 <pingou> puiterwijk: I was wondering if we want it higher for sso as well 18:45:38 <puiterwijk> ingyeah, that was my idea 18:45:45 <puiterwijk> yeah, that was my idea* 18:45:46 <nirik> so to signout you just hit a url? 18:46:09 <puiterwijk> nirik: signout is going to be a pretty complicated process that I'm still trying to think entirely through 18:46:20 <puiterwijk> because it will need to hit all of the apps you signed in to 18:46:38 <nirik> ok. I was just pondering the idea of some hook with screensaver/lockscreen to sign out on lock 18:46:57 <nirik> but possibly too difficult. ;) 18:47:00 <puiterwijk> nirik: I have even bigger ideas coming up.. :) 18:47:17 <puiterwijk> but yeah, that's certainly doable 18:47:25 <nirik> ok. cool. ;) 18:47:42 <nirik> #topic ticket 4670 18:47:45 <nirik> https://fedorahosted.org/fedora-infrastructure/ticket/4670 18:47:59 <puiterwijk> .ticket 4670 18:48:01 <nirik> after thinking about this I am in favor... ie, moving to a new domain and http 18:48:03 <zodbot> puiterwijk: #4670 (move planet.fedoraproject.org to fedoraplanet.org) – Fedora Infrastructure - https://fedorahosted.org/fedora-infrastructure/ticket/4670 18:48:27 <nirik> it's sad that it makes our existing cert useless, but oh well, such is life. 18:48:35 <puiterwijk> nirik: yeah, I'm +1 as well 18:48:54 <pingou> nirik: we have a dedicated cert for planet? 18:49:00 <pingou> it's not using *.fp? 18:49:03 <nirik> also I think it will take a while, unless we have a good set of redirects. 18:49:07 <nirik> pingou: we do. 18:49:22 <nirik> its using it's own because we didn't want the wildcard one on people03 where users login 18:49:31 <pingou> ah ok 18:50:03 <nirik> so I think next step here is to get domain and figure out redirects. 18:50:13 <nirik> #info nirik will work on moving this forward. 18:50:30 <nirik> #topic Open Floor (part 2, the open flooring) 18:50:39 <nirik> anything for part 2 of open floor? ;) 18:51:16 <threebean> oh, real quick 18:51:26 <threebean> I put a little work into a little menu thing 18:51:28 <threebean> http://threebean.org/fedmenu/ 18:51:38 <nirik> oh yeah. great idea. ;) 18:51:39 <threebean> a javascript blog that we could add to all our apps (like puiterwijk's js auto login script) 18:51:45 <threebean> blob, not blog 18:51:52 <nirik> I think a common menu is our oldest open ticket right now. ;) 18:51:57 <pingou> :) 18:52:01 <threebean> so. it needs work and polish.. but it should be easy to add everywhere 18:52:13 <threebean> puiterwijk: we should team up so when you go around adding js login everywhere we can add the menu at the same time. 18:52:17 <puiterwijk> threebean: cool! :) 18:52:25 <pingou> and it does not impact the current design of our apps 18:52:27 <pingou> threebean++ 18:52:28 <nirik> https://fedorahosted.org/fedora-infrastructure/ticket/130 18:52:46 <puiterwijk> threebean: and yeah, makes sense. would you have time tomorrow? 18:53:12 <threebean> puiterwijk: likely. although I'm not ready to push it out anywhere yet.. like I say it still needs a little work. 18:53:32 <puiterwijk> threebean: sure, but we can discuss things. we'll discuss it on #-apps 18:53:52 * nirik nods. 18:54:07 <nirik> if no one has anything more, will close out the meeting in a minute or two or less. 18:54:30 <nirik> oh, a quick one from me: 18:54:41 <nirik> we now have a proxy10 and proxy01 in phx2. 18:54:51 <nirik> all/most all the apps are using proxy10. 18:54:58 <nirik> proxy10 is not in dns externally. 18:55:08 <puiterwijk> great! 18:55:14 <nirik> should we add it into dns for external? keep it for just apps? 18:55:24 <puiterwijk> nirik: I say only for internal apps 18:55:39 <puiterwijk> that way, we have a fallback in case we get lots of traffic to the external DNS servers again 18:55:46 <puiterwijk> (thinK: F22 release day) 18:55:53 <nirik> yeah. 18:56:06 <nirik> ok. I am fine with that. we can enable it in external dns if we want tho. 18:56:31 <nirik> ok, thats all I had. ;) 18:56:50 <nirik> Thanks for coming everyone. Do continue over in #fedora-admin, #fedora-apps and #fedora-noc. 18:56:53 <nirik> #endmeeting
infrastructure@lists.fedoraproject.org