Server SIG Weekly Meeting Minutes (2016-10-18)
by Stephen Gallagher
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===================================================================
#fedora-meeting-1: Server Working Group Weekly Meeting (2016-10-18)
===================================================================
Meeting started by sgallagh at 20:00:21 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting-1/2016-10-18/server_work...
.
Meeting summary
- ---------------
* roll call (sgallagh, 20:00:21)
* Agenda (sgallagh, 20:05:24)
* Agenda Item: Logic Model: Threat or Menace? (sgallagh, 20:05:40)
* Agenda Item: AnsibleFest Report-Out (sgallagh, 20:06:04)
* Logic Model: Threat or Menace? (sgallagh, 20:08:18)
* LINK:
https://kolinahr.fedorainfracloud.org/edit/57ff81347b76717eefcbc44b
(sgallagh, 20:08:22)
* ACTION: vvaldez to "own" the creation of the Deployment Role for
Fedora Server (sgallagh, 20:28:02)
* ACTION: jds2001 to own the creation of an NFS role for Fedora Server
(sgallagh, 20:28:22)
* ACTION: sgallagh to take ownership of "Minimal viable install set
content" and "Highly-restrictive default firewall" outputs
(sgallagh, 20:32:50)
* ACTION: vvaldez and sgallagh to co-own creation of a Domain
Controller role (sgallagh, 20:34:25)
* ACTION: dperpeet to oversee creation of Cockpit modules. (sgallagh,
20:34:41)
* Ownership here means overseeing and responsible for an Output. It
explicitly does not mean "must do all the work". (sgallagh,
20:35:25)
* ACTION: dustymabe to oversee the OpenStack and AMI images.
(sgallagh, 20:40:20)
* ACTION: nirik will oversee production of the traditional netinstall
and DVD media for Fedora Server (sgallagh, 20:41:17)
* ACTION: vvaldez to oversee the creation of the Samba file sharing
role (sgallagh, 20:42:33)
* AnsibleFest Report-Out (sgallagh, 20:46:20)
* nirik thinks signing should be very possible now given that
puiterwijk has whipped our signing infra into shape (sgallagh,
20:48:07)
* LINK: https://galaxy.ansible.com/api/v1/ (jds2001, 20:51:05)
* Open Question: Can we and should we make it possible to interrogate
a system to see if a role has been deployed there (and with what
configuration)? (sgallagh, 20:59:12)
Meeting ended at 21:11:13 UTC.
Action Items
- ------------
* vvaldez to "own" the creation of the Deployment Role for Fedora Server
* jds2001 to own the creation of an NFS role for Fedora Server
* sgallagh to take ownership of "Minimal viable install set content" and
"Highly-restrictive default firewall" outputs
* vvaldez and sgallagh to co-own creation of a Domain Controller role
* dperpeet to oversee creation of Cockpit modules.
* dustymabe to oversee the OpenStack and AMI images.
* nirik will oversee production of the traditional netinstall and DVD
media for Fedora Server
* vvaldez to oversee the creation of the Samba file sharing role
Action Items, by person
- -----------------------
* dperpeet
* dperpeet to oversee creation of Cockpit modules.
* dustymabe
* dustymabe to oversee the OpenStack and AMI images.
* jds2001
* jds2001 to own the creation of an NFS role for Fedora Server
* nirik
* nirik will oversee production of the traditional netinstall and DVD
media for Fedora Server
* sgallagh
* sgallagh to take ownership of "Minimal viable install set content"
and "Highly-restrictive default firewall" outputs
* vvaldez and sgallagh to co-own creation of a Domain Controller role
* vvaldez
* vvaldez to "own" the creation of the Deployment Role for Fedora
Server
* vvaldez and sgallagh to co-own creation of a Domain Controller role
* vvaldez to oversee the creation of the Samba file sharing role
* **UNASSIGNED**
* (none)
People Present (lines said)
- ---------------------------
* sgallagh (119)
* jds2001 (49)
* vvaldez (32)
* dperpeet (23)
* nirik (18)
* zodbot (12)
* mhayden (8)
* puiterwijk (5)
* dustymabe (4)
* vvaldez_ (3)
* smooge (3)
* adamw (1)
* langdon (1)
* jds2001_ (1)
* mjwolf (0)
Generated by `MeetBot`_ 0.1.4
.. _`MeetBot`: http://wiki.debian.org/MeetBot
-----BEGIN PGP SIGNATURE-----
Version: Mailvelope v1.5.2
Comment: https://www.mailvelope.com
wkYEAREIABAFAlgGkD4JEHolVWI2uqOjAACVZQCdGa2zaCYqg+r3hVIz0MNC
xtzIrE4AoJQ6NyBOAlXa35Q0hex+8alVb2OZ
=ckch
-----END PGP SIGNATURE-----
7 years, 5 months
Galaxy API access
by Chris Houseknecht
Stephen -
Just following up on our conversation at AnsibleFest regarding access to
the Galaxy API.
You can access the API today at https://galaxy.ansible.com/api/v1. The API
is browsable, so start by pointing a browser at that URL and clicking
through the role related endpoints to see the various response objects.
No authentication is required to query role data, but triggering imports to
create and update roles or sending delete requests to remove roles does
require authentication.
When you're ready to create, update, delete roles you will need to use a
GitHub account to authenticate. You can either use the ansible-galaxy
client to authenticate and interact with the API (http://docs.ansible.com/
ansible/galaxy.html#the-ansible-galaxy-command-line-tool), or you can send
requests directly to the API.
An example of authenticating and initiating a role import exists in this
role: https://galaxy.ansible.com/chouseknecht/galaxy-import-role/ Note
that the integration tests are failing only because I have not fully
figured out how to write the integration tests for it, however the role
actually works. It uses the Ansible uri module to send requests directly to
the API.
Let me know what questions you have. I'll get to work on some specs for the
new endpoint(s) related to 'signing' role versions.
--Chris
--
Chris Houseknecht
Principal Engineer
Ansible by Red Hat
919.803.9159 | <919.803.9159> ansible.com <https://www.ansible.com/>
*GitHub: *chouseknecht
<https://www.github.com/chouseknecht>*Twitter: *@chouseknecht
<https://www.twitter.com/@chouseknecht>
7 years, 5 months
Meeting Tomorrow
by Stephen Gallagher
I'm at a conference today and tomorrow, so if someone else wants to host it,
please gather an agenda and go ahead, but I will be unable to attend.
7 years, 5 months
PRD Discussion: Kellogg Logic Model (Phase 2: Outcomes)
by Stephen Gallagher
OK, at last week's meeting, we settled on our new Mission and Vision statement,
which compromises the "Impact" portion of the Kellogg Logic Model. This is one
half of the "effects" side of the diagram (the set of things we indirectly
influence).
The other half of this is the "Outcomes" column. We need to describe a list of
outcomes that our efforts need to have in order to effect the Impact we decided on.
Outcomes *must* be measurable. We don't necessarily need to be able to measure
it today, or even a specific plan to create those measurements, but it must be
at least theoretically possible to do so.
Back at Flock, we had a short brainstorming session and came up with a few
ideas. I'm going to try to capture them here (in a slightly more structured
approach than we had in the notes).
========
(1)
Summary: A growing number of startups and other SMBs pick Fedora Server for apps
and services
Supports: Vision
How it supports: Greater participation in the ecosystem leads to better testing,
documentation and widespread knowledge availability.
How to measure: Download statistics, formal and informal polls, bugzilla reports
========
(2)
Summary: Admins are happy with default settings
Supports: Mission
How it supports: "Validated" service roles will be those conforming to default
settings.
How to measure: User surveys, news articles, bugzilla reports
========
(3)
Summary: Customers not frequently adding packages to base outside of roles
Supports: Mission
How it supports: "Validated" service roles will be those conforming to default
settings.
How to measure: Bugzilla reports, sosreport
========
(4)
Summary: Community of users contributing roles
Supports: Vision and Mission
How it supports: Greater participation in the ecosystem leads to better testing,
documentation and widespread knowledge availability. Community development will
increase number and quality of available roles as well as increased affinity to
the project.
How to measure: Number of participants involved and roles in the catalog.
========
(5)
Summary: We get buzz (Translation: increased media presence)
Supports: Vision
How it supports: The more positive reviews of Fedora Server, the more confident
that people will be in its ability to deliver what they need.
How to measure: News articles, social media analytics
These are just some starter examples; we can take or drop any of them. Other
examples of outcomes (in a similar format) are hereby solicited.
7 years, 5 months
F24 firewalld gssproxy causing long boot times?
by Chris Murphy
[chris@f24v ~]$ systemd-analyze blame
42.494s firewalld.service
41.715s gssproxy.service
5.028s zoneminder.service
961ms mariadb.service
520ms httpd.service
480ms rolekit.service
This is with a clean default Fedora 24 Server installation using
netintall in qemu/kvm. I'm not getting this on a ~10 month old
baremetal installation that started out as F23 and upgraded to F24.
I'm not exactly sure how to find out what's wrong.
The strongest clue:
$ sudo journalctl -b -o short-monotonic
[...snip...]
[ 4.708852] f24v.localdomain systemd[1]: Starting Install ABRT
coredump hook...
[ 4.709312] f24v.localdomain systemd[1]: Started Authorization Manager.
[ 4.713339] f24v.localdomain systemd[1]: Starting firewalld -
dynamic firewall daemon...
[ 4.776282] f24v.localdomain audit[1]: SERVICE_START pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=abrt-ccpp comm="systemd" exe="/u
[ 4.776710] f24v.localdomain systemd[1]: Started Install ABRT coredump hook.
[ 46.680551] f24v.localdomain kernel: random: nonblocking pool is initialized
[ 46.317247] f24v.localdomain audit[1]: SERVICE_START pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=gssproxy comm="systemd" exe="/us
[ 46.318236] f24v.localdomain systemd[1]: Started GSSAPI Proxy Daemon.
[ 46.320713] f24v.localdomain systemd[1]: Reached target NFS client services.
[ 46.321821] f24v.localdomain systemd[1]: Reached target Remote File
Systems (Pre).
[ 46.322751] f24v.localdomain systemd[1]: Reached target Remote File Systems.
[ 46.335676] f24v.localdomain systemd[1]: Starting Permit User Sessions...
[ 46.343635] f24v.localdomain systemd[1]: Started Permit User Sessions.
I also get a pile of rngd read errors, but that always happens
everywhere [1]. I don't recall seeing this on recent F24 workstation
installations, but that would have older packages of course.
Chris Murphy
[1]
https://bugzilla.redhat.com/show_bug.cgi?id=1197419
--
Chris Murphy
7 years, 5 months
disabling root and password ssh logins, F26/F27
by Chris Murphy
Hi,
I'm noticing even with cockpit-0.117 in Fedora 24 Server, that it
supports ssh key assignment for users. Since it's possible to login to
cockpit out of the box, and setup ssh keys via the web interface, is
it now practical to set these by default in the F26/F27 time frame?
And if not, what additional work needs to be done?
Disable root logins with ssh
/etc/ssh/sshd_config PermitRootLogin no
Disable root entirely (sudo -i still works)
usermod -p '!' root
Disable password login with ssh (key only)
/etc/ssh/sshd_config PasswordAuthentication no
In my case I use all three as pretty much the first step for a new
Fedora 24 Server installation.
--
Chris Murphy
7 years, 5 months
Server SIG Weekly Meeting Minutes (2016-10-04)
by Stephen Gallagher
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=========================================================
#fedora-meeting-1: Server SIG Weekly Meeting (2016-10-04)
=========================================================
Meeting started by sgallagh at 20:03:33 UTC. The full logs are available
at
https://meetbot.fedoraproject.org/fedora-meeting-1/2016-10-04/serversig.2...
.
Meeting summary
- ---------------
* roll call (sgallagh, 20:03:34)
* Agenda (sgallagh, 20:06:33)
* Agenda Item: Finalize Logic Model (sgallagh, 20:07:10)
* Agenda Item: Openstack and AMI images (sgallagh, 20:08:39)
* Finalize Logic Model (sgallagh, 20:08:58)
* LINK: http://kolinahr.herokuapp.com/edit/57d05a6984338834000515c9
(sgallagh, 20:09:09)
* Openstack and AMI images (sgallagh, 20:14:46)
* LINK:
https://github.com/dustymabe/public-cloud-img-prep/tree/master/DigitalOce...
(dustymabe, 21:00:08)
* AGREED: Server SIG will produce install media for AMI and OpenStack.
These will all be built from the "Fedora Server Edition (without
GUI)" profile. Server SIG will also produce Anaconda install media
that will provide both that and a "Fedora Server Edition (with Web
GUI)" profile, which will be the default. (sgallagh, 21:02:46)
* The "Server SIG (without GUI)" profile will be comprised primarily
of a kernel, systemd, a shell, SSH, NetworkManager, storaged,
firewalld and the GUI-less portions of Cockpit (sgallagh, 21:03:32)
* The "Server SIG (with Web GUI)" profile will be comprised of the set
of packages in the "Server SIG (without GUI)" profile, plus the
web-based interface to Cockpit. (sgallagh, 21:04:01)
* Logic Model (redux) (sgallagh, 21:05:08)
* please express your opinions about the logic model on the mailing
list (sgallagh, 21:05:22)
* Open Floor (sgallagh, 21:05:28)
Meeting ended at 21:08:02 UTC.
Action Items
- ------------
Action Items, by person
- -----------------------
* **UNASSIGNED**
* (none)
People Present (lines said)
- ---------------------------
* sgallagh (109)
* dustymabe (61)
* nirik (25)
* dperpeet (25)
* smooge (22)
* mhayden (15)
* zodbot (14)
* vvaldez (12)
* adamw (4)
* jds2001 (0)
* mjwolf (0)
Generated by `MeetBot`_ 0.1.4
.. _`MeetBot`: http://wiki.debian.org/MeetBot
-----BEGIN PGP SIGNATURE-----
Version: Mailvelope v1.5.2
Comment: https://www.mailvelope.com
wkYEAREIABAFAlf0GnUJEHolVWI2uqOjAAChbgCcDEQk4w4DkTDfRzwPonnD
3LELbP4AoJoQc0apjpYMWZeZR8V/qj4tmf4V
=io+n
-----END PGP SIGNATURE-----
7 years, 5 months