14:32:22 #startmeeting RELENG (2016-09-12) 14:32:23 Meeting started Mon Sep 12 14:32:22 2016 UTC. The chair is dgilmore. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:32:23 Useful Commands: #action #agreed #halp #info #idea #link #topic. 14:32:23 The meeting name has been set to 'releng_(2016-09-12)' 14:32:23 #meetingname releng 14:32:23 The meeting name has been set to 'releng' 14:32:23 #chair dgilmore nirik tyll sharkcz bochecha masta pbrobinson pingou maxamillion mboddu 14:32:23 Current chairs: bochecha dgilmore masta maxamillion mboddu nirik pbrobinson pingou sharkcz tyll 14:32:26 #topic init process 14:32:36 * pbrobinson o/ 14:32:38 * sharkcz is here 14:33:28 morning 14:34:03 lets wait for a few 14:35:25 .hello bowlofeggs 14:35:26 bowlofeggs: bowlofeggs 'Randy Barlow' 14:36:16 lets get started 14:36:29 #topic aarch64 migration 14:36:47 So I think it went fairly smoothly 14:36:50 so the main packages have been merged and we're building 14:37:03 I'm checking things over a it looks reasonable 14:37:21 eclipse is in a weird state due to a quick in how it is built 14:37:42 yes, but the maintainer is investigating 14:37:48 cool. ;) congrats. 14:37:54 https://bugzilla.redhat.com/show_bug.cgi?id=1374938 14:37:59 we still need to adjust rawhide compose right? 14:38:02 I'm just finishing up bits around compose stuff and should send a PR for pungi-fedora 14:38:09 we do need to adjust rawhide 14:38:23 dgilmore: nirik: I should have a PR later today 14:38:34 cool. :) 14:38:48 #info pbrobinson to send in a pull request today to make changes to the compose process 14:39:49 we missed adding aarch64 builders to the eclipse channel 14:40:32 it was much less work than when we brought armhfp online 14:40:39 yes, I fixed that this morning, with luck that channel will go away shortly 14:41:00 pbrobinson: I believe that the plan is to bring power online in 4-6 weeks? 14:41:13 or maybe a tad longer, but well before mass rebuild? 14:41:15 correct 14:41:42 I would like to see it merged by late Oct (ie before the focus shifts from F-25 -> 26) 14:41:45 * limburgher lurking 14:42:25 sounds good 14:42:39 how far are we from armv7 builder vms? 14:42:39 awesome 14:43:02 hi linuxmodder 14:43:05 hi limburgher 14:43:09 we've got a few issues to fix up there, but they're actually issues are seen on x86 too 14:43:11 sorry linuxmodder 14:43:36 some of them have gone with the systemd limits change for kojid 14:43:51 nirik: did you send in a PR to koji? 14:43:57 but nothing major really 14:44:13 dgilmore: for what? 14:44:14 nirik: or would you rather I do it? 14:44:23 nirik: for changing the systemd limits 14:44:39 oh, right. No, I haven't yet, if you would like to that would be great 14:44:51 I think setting it unlimited is probibly the best bet 14:44:56 sure 14:45:20 TasksMax=infinity 14:45:25 does anyone have any questions about the changes that have been made? 14:45:59 * nirik is looking forward to replacing the calxeda builders. ;) 14:46:19 :) 14:46:26 the io on them is slow 14:46:29 nirik: I think we're almost there :) 14:46:55 #topic #6467 Consider splitting the ancient portions of the archive 14:46:59 yeah, it will be interesting to see what ends up being slowest... probibly still them, but much faster than we have now. 14:47:10 https://fedorahosted.org/rel-eng/ticket/6467 14:47:36 nirik: at least for some lings, like java where the optimisation is not good 14:47:59 yes, without doubt, I'd still bet on Power8 being the fastest ;-) 14:48:15 so spliting up the archive module 14:48:52 * nirik doesn't recall where we were here. going to gather info? 14:48:57 http://download.opensuse.org/distribution/ 14:49:01 yeah 14:49:16 so suse does not seem to have all of their old releases online 14:50:13 do we need to mirror them? could we just put them on a dedicated non mirrored thing in the corner? Any idea what the traffic for them is? 14:50:31 well, recently eoled versions get a lot of traffic. 14:51:10 nirik: maybe we keep 2 eol versions in /pub/fedora etc 14:51:12 so maybe recent-history and ancient-history are needed :) 14:51:27 and make archive no rsyncable 14:51:39 not rsyncable 14:51:54 I was thinking we just change when we remove eol releases from /pub/fedora... just make that longer until traffic dies out? 14:52:22 why not? if people want to mirror archive, why not let them? 14:52:22 rotate them out a cycle later and not advertise them on mirror manager which actively then breaks the repos and they need to manually change the baseurl 14:52:44 we have not done that ever, would be a pretty big change 14:53:06 nirik: yeah. just keep the content in /pub/fedora longer 14:53:11 it would make it bigger 14:53:48 there is 4 mirrors for fedora 20 x86_64 14:53:59 3 for fedora 21 14:54:22 fedora 22 has not moved to archive yet 14:54:27 * nirik goes to get more coffee 14:55:43 sorry did not have county=global 14:56:34 there is 7 mirrors globally for f21 x86_64 14:57:26 f22 has not yet been archived 14:57:36 and soon f23 will be eol 14:58:05 #proposal we move f22 to archive when f26 is released 14:58:27 +1 14:58:56 sounds reasonable 14:59:15 +1 14:59:33 that should leave it in place long enough for it to not be overly popular 14:59:43 #agreed we move f22 to archive when f26 is released 14:59:59 which will mean f23 is moved when f27 is released 15:00:24 we need to have some discussions with mirrors on ostree, and moving content around 15:00:42 yep and pimp quick-mirror some more. 15:00:45 I did send an email today asking for more mirrors to pick up /pub/fedora-secondary 15:01:19 I got one email asking how to do so 15:01:38 have we got a solution to the billions of tiny files problem for ostree at all? 15:01:43 a reply! cool. ;) 15:02:07 pbrobinson: kinda 15:02:23 using ostree itself to do the mirroring and not rsync seems best 15:02:59 but yeah it needs some work there 15:03:04 I wonder if it could pack up the files into an archive... but then we have to pack/unpack 15:04:05 nirik: possibly 15:05:01 * nirik shrugs. dunno. ;( 15:05:03 okay I will update the ticket 15:05:37 we probably need a good document covering when we move releases to archive 15:05:43 dgilmore: can you ref the ticket for for notes 15:06:20 i'm hoping to help out with the ostree mirroring problem once i get docker planning finished 15:06:28 so i'd love to be involved there 15:06:32 pbrobinson: which ticket? 15:07:10 dgilmore: you mentioned updating a ticket on a subject (not sure which one) above 15:07:18 pbrobinson: the one in the topic 15:07:28 ah :) 15:07:31 that is already referenced in the meeting notes 15:07:39 * pbrobinson goes back to sleep 15:08:02 #topic #6420 Hypothetical maximum speed mirroring 15:08:09 https://fedorahosted.org/rel-eng/ticket/6420 15:08:18 so I think that this is all done 15:08:27 and we just need to tout the solution 15:08:49 try get more mirrors using quick-fedora-mirror 15:09:29 #topic Secondary Architectures updates 15:09:40 this section probably needs to go away 15:09:52 or at the least be refactored in purpose 15:09:56 s/Secondary/Alternative/ 15:10:06 well that 15:10:28 but build and compose issues will be more generic and readily visible 15:10:40 yeah 15:10:55 for instance I am not sure we need to discuss aarch64 anymore 15:11:05 well not for rawhide 15:11:11 for f25 we're going fine 15:11:11 sure 15:11:25 over time it will go away entirely 15:11:37 no issues to report, mostly boring just like I like my architectures :-P 15:11:56 sharkcz: anything to report for s390x? 15:12:16 I think for now I will condense it to one Alternative Archiecture topic 15:12:27 I will be working on compose things for s390x this week 15:12:30 no problems build-wise, but need pbrobinson to set the composes for f25 (and fix rawhide repo job) 15:12:45 sharkcz: yes, on my todo list for today/tomorrow 15:12:51 pbrobinson: thx :-) 15:12:53 * nirik still needs to file a ticket on the firewalling/networking stuff. it's on my list 15:13:11 I'm not very happy about that situation, but I'm sure we will sort it as best we can. 15:14:24 #info s390 issues being worked on 15:14:40 nirik: about having the builders rw /mnt/koji 15:15:00 hum? 15:15:11 nirik: well what are you not happy about? 15:15:57 oh sorry... well, that the builders are remote and need to only be accessable by RH employees. 15:16:14 thats ok for secondary, but it's not great for when it's in the primary koji 15:16:37 oh yeah, that is not exactly avoidable unless we got some bubble in the network, which I am not sure I see RH IT doing for us 15:17:13 still working on the IBM get us a Z-series option too but I'm not hopeful 15:17:19 I'm not sure how the only rh employees will work if they are reachable for ansible... 15:17:33 ideally IBM gives us a small z series machine to put in phx2 so it is all the same as everything else 15:17:36 but we might also be able to get some kind of firewalling 15:17:48 yeah, that would be ideal. 15:18:05 nirik: fact is that the area of the network the z-series is in is already accessible by partners so I'm kind of shocked that it's fully open to the rest of the network 15:18:42 yeah, seems bad. ;( anyhow, we will keep working on it and hopefully come up wth a solution thats acceptable 15:18:51 indeed 15:18:58 okay lets move on 15:19:00 #topic Open Floor 15:19:10 bowlofeggs: you had something 15:19:12 ? 15:19:27 * nirik had a few items to ask about/note. 15:20:04 nirik: why don't you go 15:20:09 ok. 15:20:19 dgilmore: did you get the f26 key reissued and ready to go? 15:20:24 nirik: yes 15:20:37 cool. 15:20:44 I am waiting on a resolution of the type= issue to send in the PR 15:20:53 * nirik tries to recall the other items. 15:21:03 everyone has access to the f26 key, and needs to change thier passwords 15:21:05 oh, we have lives that are hanging in both branched and rawhide now 15:21:14 dgilmore: that's just primary key right? 15:21:20 pbrobinson: right 15:21:33 https://bugzilla.redhat.com/show_bug.cgi?id=1374809 15:21:41 the primary key ended up with fedora-25 in the uid 15:21:46 if anyone has time to try and figure it out 15:21:55 dgilmore: cool, I will change my password later 15:21:59 oh, one last one: 15:22:37 updates/updates-testing repodata is still not right. It's adding weak deps for new updates that are added in, but it's not seeing them on updates that were already in repo before the change. 15:22:48 * dgilmore suspects that the live is a packaging change causing different ordering of the packages being installed 15:22:48 I nuked the repocache dirs and that didn't seem to do it. 15:22:54 and causing something to hang 15:23:04 nirik: that will be expected 15:23:04 is there any other caching anyone knows of? 15:23:13 why? 15:23:22 nirik: yes, mash uses the previous repo 15:23:31 ah poop. :( 15:23:45 though would have to look at what exactly bodhi is doing 15:23:48 so how do we get around this? manually update the repodata? 15:24:03 depends on what bodhi is doing 15:24:17 I honestly an not 100% sure how bodhi calls mash 15:24:18 bodhi seems to make a repocache dir... 15:24:26 but yeah, I don't know either 15:25:00 It will take someone looking into what bodhi is doing 15:25:04 I can ask around and see if we can sort it. If anyone can, feel free. ;) 15:25:12 thats all I had 15:25:17 okay 15:25:17 I have two things 15:25:24 bowlofeggs: seems to have vanished 15:25:34 puiterwijk: go for it 15:25:50 oh! 15:26:01 So, first of all: we now have autosigning in staging, and planning to enable that for production tonight. We can then start to enable tags one by one 15:26:04 there's a new bodhi 2.1.9 beta deployed to stg - please test! 15:26:16 bowlofeggs: uno momento por favor 15:26:36 puiterwijk: nice :) 15:26:47 puiterwijk: we should start with f26 15:26:56 \o/ 15:26:57 puiterwijk: so to clarify: this uses autosign02 and listens for fedmsgs on builds? 15:27:07 nirik: yes. 15:27:11 or is there any docs on it all? (if not we should make one :) 15:27:29 we need docs and debugging instructions 15:27:39 nirik: I'm also adding a cron job that will make it go through its assigned tags to forcefully sign everything that it didn't pick up (due to fedmsg issues or whatever) 15:27:40 and it moves tags after signing? or ? 15:27:42 dgilmore: yep, will do. 15:27:51 nirik: yep. It moves them to a configured target tag 15:28:10 So you configure per tag with which key to sign and to which tag to move afterwards. 15:28:17 ok, if so then we should perhaps adjust rawhide to go to a pending-signing tag and have it move after they are signed. 15:28:22 yeah. cool. ;) 15:28:24 Yep, that was the plan 15:28:26 we will need to adjust build targets 15:28:28 rawhide signing here we come! 15:28:41 a long dream. 15:28:47 dgilmore: yep. So we'll sync up about that :) 15:28:55 nirik: dream/nightmare 15:29:16 oh, did we want to repave autosign02 before moving to prod? and adjust it so only a few people have access? 15:29:25 and perhaps we can nuke autosign01? 15:29:26 Yep, was going to do that 15:29:33 nirik: /me would say yes 15:29:56 I have all in my ansible working directory now, and after that's pushed I'll execute it all 15:30:23 PSA for signers: part of that will requires updating sigul, so I'll sync up when it's not being used so I can do that 15:30:25 cool 15:30:40 dgilmore: is it ok for puiterwijk to have access to help setup/debug? 15:30:55 nirik: it should be okay 15:31:01 cool. 15:31:40 Also, the new version has a more strict username vs certificate CN check. Theoretically, if the certificates are issued correctly, nobody should notice anything. But if any certs are misissued, it will start screaming Authorization Denied. If it does, we have a way to exempt certain certificates from this check. 15:31:46 (new version of sigul) 15:32:04 and you wanted to do a new CA right? so we all need new certs 15:32:26 ? 15:32:39 nirik: we could, but that would be something else. So we can do it at the same time, or just do that later 15:32:54 ok, later is fine. 15:32:58 that is news to me 15:33:00 or more discussion on it then later. 15:33:05 puiterwijk: what and why? 15:33:18 dgilmore: currently the private key for the CA that issues the client certs is "online" on fas01. I suggested we might make a separate CA for this and keep that one offline. 15:33:35 (sigul client certs*) 15:33:51 puiterwijk: sure, there is other protections in place as well 15:34:02 Yes, I am aware. Was just a suggestion :) 15:34:15 dgilmore: just to verify: your question mark was about the new CA, and not the CN vs username check, right? 15:34:25 at this point I would rather wait. 15:34:31 sure 15:34:41 there still needs to be a tie in to koji, and the same ca 15:34:54 and we have other changes coming in auth land 15:34:56 doesn't need to be the same CA 15:35:16 but yeah, more changes are upcoming, so we can discuss this further 15:35:26 sure, sorry for sidetracking. ;) 15:35:52 dgilmore: but you understood the CN vs username check, and how that can make it shout if we have misissued certs? 15:36:07 puiterwijk: sure 15:36:17 great. Wanted to make sure that came across 15:36:50 * dgilmore would rather any discussion about changes to the auth to be an all encompasing plan rather than disjoint changes 15:37:12 yep, agreed 15:37:35 does not mean all auth has to be the same 15:37:43 just that its part of a single plan 15:37:58 is that all puiterwijk ? 15:38:10 dgilmore: yep, that's all from me for now 15:38:13 thanks for bearing with me :) 15:38:13 #info puiterwijk has autosigning working, plans to deploy to production today 15:38:23 bowlofeggs: okay the floor is yours now 15:39:04 15:26 < bowlofeggs> there's a new bodhi 2.1.9 beta deployed to stg - please test! 15:39:11 he has vanished agian 15:39:14 again 15:39:23 but there is a new bodhi in stg 15:39:33 and he would like it to be run through its paces 15:39:45 sounds good 15:39:58 anything else? 15:40:10 #info new bodhi in stg please test 15:40:59 I willa ssume we are done 15:41:03 thanks all 15:41:07 #endmeeting