19:00:24 <smooge> #startmeeting infrastructure 19:00:24 <zodbot> Meeting started Thu Mar 17 19:00:24 2011 UTC. The chair is smooge. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:00:24 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 19:00:30 <smooge> #meetingname infrastructure 19:00:30 <zodbot> The meeting name has been set to 'infrastructure' 19:00:40 <smooge> #chair skvidal CodeBlock 19:00:40 <zodbot> Current chairs: CodeBlock skvidal smooge 19:00:52 <CodeBlock> :) 19:01:04 * thomasj lurks 19:01:12 <smooge> #topic roll call 19:01:17 * CodeBlock is here :) 19:01:19 * waltJ is around ... 19:01:20 <smooge> here 19:01:27 <hvivani> hvivani is here 19:01:29 <marchant> here 19:02:43 <CodeBlock> Let's get started 19:02:49 <CodeBlock> #topic RFR Documentation 19:02:53 <CodeBlock> abadger1999: aroudn? 19:02:56 <CodeBlock> *around 19:03:59 <CodeBlock> Alright then...well Basically it looks like abadger1999 has started a page with what a RFR owner's responsibilities are. 19:04:02 <CodeBlock> #link https://fedoraproject.org/wiki/Infrastructure/RFR_Responsibilities%28draft%29 19:04:03 * sijis is around 19:04:26 <CodeBlock> There's a relevant ticket, 19:04:29 <CodeBlock> .ticket 2674 19:04:30 <zodbot> CodeBlock: #2674 (Expectations for RFR Owners) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2674 19:04:50 <CodeBlock> I guess since he's not around, post comments/questions there. 19:05:23 <abadger1999> Yeah 19:05:30 * abadger1999 about to lose internet 19:05:42 <CodeBlock> abadger1999: ok - hi and bye :) 19:05:43 <abadger1999> mailing list may be better. 19:05:53 <abadger1999> :-) 19:06:10 <CodeBlock> Alright -- so yeah, send comments/questions about that to the mailing list then :) 19:06:19 * CodeBlock pulls up the meeting tickets list 19:07:14 <CodeBlock> #info app07 sucks, and apparently just died. 19:07:15 <CodeBlock> anyway 19:07:33 <CodeBlock> #topic Meeting tickets 19:07:45 <CodeBlock> .ticket 2501 19:07:46 <zodbot> CodeBlock: #2501 (What will it take to upgrade fedorahosted to RHEL6, new trac, new git?) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2501 19:08:31 <CodeBlock> I've been working on some ideas for hosted, and those are still in the prototype/mockup stage, and... not many people here have heard about them yet... which is fine -- but as part of those, yes I would like to get hosted to RHEL6 19:09:53 <StylusEater> CodeBLock: has hosted01 or 03 been setup with RHEL6 yet? 19:10:05 <CodeBlock> I'd like to maybe get a hosted03 built (smooge: can we do this on serverbeach05 where hosted2 is), and start playing around with making sure things work 19:10:16 <CodeBlock> StylusEater: nothing has yet 19:10:19 <CodeBlock> (as far as hoted) 19:10:21 <CodeBlock> *hosted 19:11:04 <smooge> I don't know if the serverbeach boxes have the umph to do another one on it. 19:11:10 * ricky_webchat is here. 19:11:18 <smooge> hi ricky_webchat 19:11:27 <CodeBlock> Along with that, (maybe after we get hosted1 as EL6) I'd also like to test our fallback to hosted2 19:11:51 <CodeBlock> smooge: hmm 19:12:43 <CodeBlock> smooge: we can talk about that later I guess, but yeah..let's maybe start finding a place for hosted03/EL6 testing 19:13:03 <smooge> well on hosted5 there is a partition for hosted02-el6 19:13:17 <CodeBlock> O.o 19:13:31 <CodeBlock> I have no clue what that is 19:14:39 <CodeBlock> Does anyone have anything else regarding getting hosted to EL6 (it will be a slow process, but I think it will be quite beneficial to have new trac) 19:15:14 <CodeBlock> Okay 19:15:26 <CodeBlock> I'll come back to meeting tickets, but 19:15:33 <CodeBlock> #topic Rebuilding puppet01 19:15:41 <smooge> whee 19:15:56 <CodeBlock> yesterday ricky_webchat and smooge talked about when/if we should rebuild puppet01 19:16:03 <CodeBlock> and smooge mentioned a few weeks after F15 is out 19:16:04 <smooge> I think the plan for this would be a 2 day task 19:16:13 <CodeBlock> and..yeah I'll let smooge take over :) 19:16:45 <smooge> basically puppet01 would be inventoried for what we would want to move over 19:16:49 <ricky_webchat> Most of the difficulty will be in notifying people to save their home directories 19:16:58 <ricky_webchat> Or alternatively, we could move it for people 19:17:01 <smooge> then puppet01 would be dropped and a new puppet system would be built on a different system. 19:17:09 <ricky_webchat> But back when mmcgrath_ did it, I'm pretty sure it was way less than a one day task 19:17:14 <ricky_webchat> Not to be overly optimistic :-) 19:17:38 <smooge> well mmcgrath_ is a god among men.. I quadruple any estimates to match him 19:18:19 <smooge> we would then just restore some trees and see what breaks 19:18:24 <CodeBlock> While we're rebuilding puppet01, have we considered EL6, and upgrading puppet...and are our puppet configs known to work on latest puppetmaster (or whatever is in EL6) 19:18:41 <smooge> the puppetmaster in EL6 should be the same as EL5 19:18:44 <ricky_webchat> Puppet is generally good about being backwards compatible 19:19:05 <ricky_webchat> But yeah, tmz keeps the versions the same everywhere because the client isn't always necessarily backwards-compatible, just the server 19:20:54 <CodeBlock> Alright - anything else on that? 19:20:56 <smooge> the main issue will be various 'links' and changes people will have made over the last 3 years 19:21:14 <ricky_webchat> And things on puppet01 not being in puppet :-( 19:21:20 <smooge> yes. 19:21:44 <smooge> I don't have anything more on that 19:22:02 <ricky_webchat> Same here - I'd be happy to help with the rebuild if I'm around during that time 19:22:02 <CodeBlock> smooge: ok, how long after F15 did we say? 19:22:33 <smooge> two weeks as puppet being down will affect a lot of stuff 19:22:40 <ricky_webchat> I'll probably have time the Thursday after :-) 19:22:45 <smooge> so I want the usual 2+ weeks of updates dealt with 19:22:49 <ricky_webchat> OK. 19:23:25 <smooge> so currently first week of June but prbly later 19:23:36 <CodeBlock> #agreed puppet01 will be rebuild approx. two weeks after F15 is released. 19:23:37 <smooge> hopefully a few of us will be at SELF and can meet up/etc 19:23:49 <CodeBlock> hmmm 19:23:58 <ricky_webchat> Nice, summer - I'll definitely be around then :-) 19:24:12 <CodeBlock> ricky_webchat: going to SELF? 19:24:27 * CodeBlock will talk to some people, but it would be neat to go 19:24:46 <ricky_webchat> Hm, most likely not 19:25:22 <CodeBlock> :( ok 19:26:03 <CodeBlock> .ticket 2574 brings me to.... 19:26:04 <zodbot> CodeBlock: Error: '2574 brings me to....' is not a valid integer. 19:26:08 <CodeBlock> #topic sysadmin cleanup 19:26:17 * CodeBlock tosses smooge the ..whatever it's called. :) 19:26:32 <ricky_webchat> .ticket 2574 19:26:33 <zodbot> ricky_webchat: #2574 (Perform regular inactive account prunings and possibly a password reset policy.) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2574 19:26:53 <ricky_webchat> The conch? 19:26:58 <smooge> ok I am working on cleaning up accounts 19:26:59 <CodeBlock> sure. :P 19:26:59 <smooge> the conch 19:27:03 <smooge> and then the pigs head 19:27:15 <smooge> and then it all goes down hill 19:27:45 <smooge> ok I started cleaning up accounts today. I can only do so on half of the sysadmin groups because uhm I am not owner or administrator in them :) 19:28:44 <smooge> from our 120 sysadmins we will be down to probably 80.. which to me is a lot more than we actually see working on stuff, but it is a good first pass 19:29:03 <CodeBlock> agreed 19:29:09 <ricky_webchat> So we have 80 people that *have* recently sudoed? 19:29:15 <smooge> no 19:29:40 <smooge> by just using sudo I was going to remove people who do stuff in mirror manager and such 19:29:44 <ricky_webchat> Ah - just curious, how did the pruning list shrink that much then? 19:30:18 <ricky_webchat> (Side note, MM we can split into a different group) 19:30:22 <smooge> and since there is no "did_admin" in fas I can't tell if people who are in various groups didn't do stuff 19:30:41 <smooge> so here are the steps of what I did. 19:30:42 <ricky_webchat> Yeah... although puppet commits + sudo tell a decent story, I think 19:31:09 <smooge> 1) func-command to who /var/log/wmtp | egrep '2010-12|2011' to get people who had logged into systems 19:31:11 <ricky_webchat> Otherwise, whatever they did most likely could have been done without access anyway (with some exceptions like mm and important people who rarely login) 19:31:29 <smooge> [since we don't have ldap to do so :)] 19:32:03 <smooge> 2) get a list of all sysadmins and find out their last_seen 19:32:15 <smooge> 3) get a list of all sudo from systems that log to log01 19:32:36 <smooge> I miss the publictest boxes but decided that if a person logs into the box htat was good enough data. 19:33:28 <ricky_webchat> Oh yeah, publictest - hopefully the majority of 120 are sysadmin-test. 19:33:38 <smooge> sorry there were 164 people in various admin accounts 19:34:21 <averi> ricky_webchat, I guess other groups apart -test is around ~40 people 19:34:50 <averi> don't know how that number will change with the cleanup though 19:34:59 <smooge> and 66 people are being removed. so uhm 98 people still in sysadmin groups 19:35:11 <hvivani> smooge, the risk that maybe someone could make an automated login from a script or something is considered ? 19:35:13 <ricky_webchat> Cool - thanks for working on this! 19:35:22 <averi> hvivani, what for? 19:35:27 <ricky_webchat> Hopefully we can assume that people won't be evil 19:35:29 <hvivani> I know, I am thinking bad 19:35:34 <averi> hvivani, I see no point in doing that :) 19:35:58 <smooge> 41 people have logged in and used sudo on non-pt boxes 19:36:10 <CodeBlock> what ricky_webchat said. We do that quite a bit around here. :) 19:37:05 <StylusEater> would it be sufficient to have a post login script update a table to keep tabs on "active people?" 19:37:06 <smooge> in any case. after I get elevated privs in some groups I will finish cleanup 19:37:48 <ricky_webchat> How about the question of required password resets/disabling inactive accounts for all of FAS? 19:37:50 <hvivani> averi, yeah you are right 19:38:01 <StylusEater> login ... calls resetTimer.py (an example) ... updates record in DB ... user is still considered active 19:38:18 <ricky_webchat> Any thoughts on what password complexity requirements should be, and how often we should require password changes, if at all? 19:38:26 <ricky_webchat> (And account expiry) 19:39:43 <smooge> password changes just get people cranky. 19:40:08 <smooge> and have a large number of people do things like "ThisIsMyPassword1", "ThisIsMyPassword2" 19:40:11 <smooge> etc etc 19:40:14 <ricky_webchat> Currently, I think the only complexity requirement is length >=8 19:40:36 <smooge> now on the other hand, I think for people who want to be in sysadmin, we can look at further requirements. 19:40:51 <ricky_webchat> Personally, I'm absolutely horrible about password changes - I wouldn't mind having a forced one to keep me on my toes :-) 19:41:31 <ricky_webchat> But even just for statistics purposes, I think it's worth not having a bunch of dead accounts lying around, and periodic password changes is one way to go about that 19:41:42 <smooge> and password changes rarely catch the issue that most people run into... using the same passwords in multiple places. 19:42:26 <sijis> disabling inactive sounds like a bigger problem than changing passwords 19:42:36 <ricky_webchat> I wonder if people would listen if we make a giant note about password reuse 19:42:37 <sijis> *inactive accounts 19:42:38 <smooge> personally I think it would be better if we could just have a 60 day expiration, but that would require us to move away from passwd_db and some sort of centralized system which I don't think will happen 19:42:50 <smooge> ricky, no they won't. 19:43:03 <ricky_webchat> I'm trying to steer this to about FAS accounts in general, and not just sysadmins 19:43:11 <ricky_webchat> Even though sysadmins is the biggest one here 19:43:25 <smooge> I have dealt with this over 20 years and it really only takes "oh look someone got MY password and used it everywhere" to get a person to do anything 19:43:26 <ricky_webchat> We can do fun stuff like run crackers on our password db and notify people 19:43:41 <smooge> uhm no. 19:43:52 <CodeBlock> ha 19:43:55 * ricky_webchat was thinking a page people are forced to click through before password changes 19:44:06 <ricky_webchat> The cracker thing was just for people with accounts on our machines 19:44:12 <smooge> let me be clear on this. as much fun as I have doing that (and I really do).. it is outside of our terms and agreements. 19:44:20 * ricky_webchat hears that some sysadmins actually do this, which I think is reasonable 19:44:21 <sijis> if it has a 'next' button. folks will just click thru it 19:44:34 <marchant> is there no requirement to use an ssh key along with a password? 19:44:49 <CodeBlock> marchant: on some systems. 19:44:57 <CodeBlock> marchant: that doesn't address other FAS uses though. 19:44:58 <ricky_webchat> marchant: It's another one of those things where we stronly recommend it, but we have no way of enforcing it 19:45:04 <ricky_webchat> (I assume you mean passphrases on SSH keys) 19:45:45 * CodeBlock assumed you meant ssh key instead of/along with fas 19:45:58 <marchant> I meant some sort of two factor 19:46:05 <marchant> password and a... 19:46:27 <marchant> so losing a password is less-bad 19:46:49 * CodeBlock would like to get yubikey working on some more systems, speaking of. 19:47:03 <ricky_webchat> smooge: Note that with the cracker thing, it wouldn't actually store the results - just notify people that they must change it because it's weak. (although to be clear, I'm not really suggesting or supporting that we do this - just trying to say that we can do stronger things for sysadmins as opposed to other FAS accounts) 19:47:53 <ricky_webchat> marchant: The way it works now, you can already log into FAS with a password and add an SSH key, so to make it really two factor would require big changes to how authentication to FAS (the web app) works 19:48:04 <smooge> ricky, I understand. we can look at doing this for people wanting to join/work in sysadmin. But even checking without storing causes all kinds of issues. I ran into this at my last job 19:48:29 <marchant> ricky_webchat: ok, thank you 19:48:45 <ricky_webchat> Yeah - personally I don't think the whole cracking thing is important or useful when we can just implement better requirements in FAS 19:49:30 <CodeBlock> Alright, 10 minutes left 19:49:34 <CodeBlock> #topic future meeting place 19:49:34 <hvivani> could be yubikey mandatory ? at least for sysadmins ? 19:49:40 <CodeBlock> Can we PLEASE move back to -admin? :S 19:50:07 <CodeBlock> Not sure why we started coming back here, but -admin worked well for us 19:50:09 <smooge> no. the problem with -admin is that people come in and expect it to be where they can talk about stuff not meeting releated 19:50:35 <smooge> the last 3 meetings we had 2 side conversations per meeting that broke my flow of thought on running things 19:50:53 <smooge> sorry that should have been s/no/I would prefer not/ 19:51:01 <CodeBlock> smooge: Then something like #fedora-fi-meeting ... or someplace that we don't conflict with other meetings if we're not directly on time. 19:51:05 <smooge> I am running on a lack of sleep 19:51:12 <smooge> I understand on that. 19:51:12 <CodeBlock> Although our UTC is moved back now, so we should be fine for now, but what about in 6 months 19:51:14 <marchant> does the meeting need to move because this channel is too busy? 19:51:40 <smooge> the problem most sited for being in a new channel is that no one is in it. 19:51:43 <ricky_webchat_> Sorry, I got dropped :-( 19:51:46 <CodeBlock> marchant: Basically we keep running over time (I've been trying to move things along to prevent that, but...) and conflicting with the next meeting in this channel 19:51:48 <averi> marchant, here we have ~1 hour limit :) 19:51:50 <ricky_webchat_> What did I miss? 19:52:11 <smooge> we moved to where to have the meeting and we have 8 minutes 19:52:14 <CodeBlock> smooge: yeah, we'd have to announce it on the mailing list, wiki, etc 19:52:37 <ricky_webchat_> I think it's fine to just cut off at an hour - unless somebody here just loooves 2 hour meetings :-) 19:52:41 <smooge> I am going to punt on this one and say its something that nirik can work out in April 19:53:06 * marchant thinks a new channel is a great idea fwiw 19:53:06 <ricky_webchat_> I think the list of tasks from a 2 hour meeting is too long to easily keep track of anymore anyway 19:53:47 <smooge> ricky, the main problem is most of us aren't getting a lot of time together other than this meeting. You and CodeBlock have classes, dgilmore is 12 hours off of us (currently), skvidal has development focus issues, abadger has other issues. 19:53:48 <CodeBlock> ricky_webchat_: not loves, but more we keep running into things that take longer to discuss and it's annoying to have to cut them off because of being scared of running out of time 19:54:10 <smooge> we end up only getting thursdays to talk and work out all the crap going on so we end up overtime 19:54:25 * goozbach pings in 19:54:31 <ricky_webchat_> Do we lose out on productivity because we didn't get to the next topic? 19:54:44 <goozbach> maybe we could have a "shelve it" type action 19:54:52 <goozbach> which moves that topic to -infra 19:55:00 <goozbach> and we go on with the next topic 19:55:34 <smooge> ricky, sometimes.. the cleanup topic started in December but we didn't get meeting time on it til Fudcon 19:55:46 <ricky_webchat_> I think meetings are a good time to list out tasks for a week and get agreement on certain decisions related to those tasks - as long as we can get a week's worth of tasks, I'm happy 19:56:11 <smooge> and part of it is I am not a good meeting runner. but I look forward to having someone who is :) 19:56:23 <smooge> anyway.. 4 minutes and I think I am typed out for a bit 19:56:40 <ricky_webchat_> Did we come to any agreement on the password complexity thing while I was dropping? 19:56:54 <ricky_webchat_> http://www.nongnu.org/python-crack/doc/index.html is the library I was talking about, by the way. 19:56:57 <CodeBlock> smooge: I've been trying to do better when I run them :P .. I _am_ getting better at moving things along. It's just a bit annoying sometimes, when I think we can do better 19:57:06 <CodeBlock> by moving elsewhere 19:57:39 <CodeBlock> If time for the meeting (not wanting to go two hours) we could prioritize, discuss important things first, then move on to longer/more in-depth discussion after.. or come back to things 19:57:47 <smooge> CodeBlock, you have done a good job 19:58:18 <StylusEater> why not limit the meeting to two topics? 19:58:25 * waltJ fist time with CodeBlock as meeting runner. Yes, great job. 19:58:34 <CodeBlock> waltJ: thank you :P 19:58:37 <StylusEater> then if we start having a surplus of time ... add one more and see how things go until we hit our "limit"? 19:58:43 <ricky_webchat_> I'm happy with moving in-depth discussion to the ML 19:58:55 <CodeBlock> ricky_webchat_: fair point 19:58:58 <ricky_webchat_> I can send one about the password reqs once I get connectoin to home back :-) 19:59:28 <CodeBlock> heh...alright - meeting stays here I guess then. 19:59:37 <CodeBlock> #topic very quick open floor 19:59:37 <ricky_webchat_> I think we're underusing the mailing list if our meetings are blowing up this much due to discussion (although I don't blame us - IRC is so convenient and real time) 19:59:42 <CodeBlock> anyone have anything urgent before we close? 19:59:59 <StylusEater> meeting note links are updated 19:59:59 <CodeBlock> 10 20:00:06 <CodeBlock> 5 20:00:09 <CodeBlock> #endmeeting