19:00:02 <nirik> #startmeeting Infrastructure (2011-09-22)
19:00:02 <zodbot> Meeting started Thu Sep 22 19:00:02 2011 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:02 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:03 <nirik> #meetingname infrastructure
19:00:03 <nirik> #topic Robot Roll Call
19:00:03 <nirik> #chair smooge skvidal codeblock ricky nirik abadger1999 lmacken
19:00:03 <zodbot> The meeting name has been set to 'infrastructure'
19:00:03 <zodbot> Current chairs: abadger1999 codeblock lmacken nirik ricky skvidal smooge
19:00:09 <smooge> Here
19:00:13 <smooge> Smoogen is here.
19:00:32 <abadger1999> buenos dias
19:00:35 <smooge> we are dealing with some system outages so this will probably be a short meeting
19:00:38 * LoKoMurdoK here
19:00:41 * nirik is here, but fighting fires.
19:01:00 * rfelsburg here
19:01:22 <smooge> #topic Freeze Items
19:01:33 <smooge> Beta freeze is still ongoing
19:01:50 <smooge> we should not be playing with things in core infrastructure without +1/-1
19:02:11 <nirik> also, note that freeze is now an extra week.
19:02:12 <smooge> beta has slipped a week so most beta tickets will wait until then
19:02:26 <nirik> ending 2011-10-04
19:02:51 <smooge> ok any questions or points? I think people should watch for any RC2 candidate and download/test
19:03:01 <nirik> testing is always good.
19:03:42 <dgilmore> hey
19:03:58 <smooge> dgilmore, any items from releng for infra to deal with?
19:04:12 <dgilmore> smooge: not right now
19:04:18 <smooge> cool
19:04:27 <smooge> any other beta issues or questions?
19:04:46 <smooge> #topic New People
19:04:56 <smooge> ok new people.. any new volunteers or such?
19:05:08 <KKA> good morning all
19:05:19 <LoKoMurdoK> hi KKA
19:05:20 <KKA> I am new member here
19:05:31 <nirik> welcome KKA
19:05:48 <KKA> working as a sysadmin for past 2 yrs
19:06:11 <KKA> nirik/LoKoMurdoK: hi
19:06:34 <nirik> KKA: well, welcome, do hang out in #fedora-admin and/or #fedora-noc and ask questions and get involved. ;)
19:06:40 <nirik> See https://fedoraproject.org/wiki/Infrastructure/GettingStarted if you haven't already.
19:07:30 <nirik> Any other questions or new folks?
19:07:47 <nirik> #topic Password/Ssh-key/Cert reset flag day discussion
19:08:00 <nirik> So, we had some discussion of this on the list and in the last IRC Board meeting.
19:08:12 <nirik> I've written up: https://fedoraproject.org/wiki/Infrastructure_mass_password_update
19:08:22 <nirik> listing the requirements, etc for this.
19:08:42 <nirik> First thing we need to have in place is good docs. I'm looking at updating the CSI security doc...
19:08:51 <nirik> any changes or corrections to that are welcome.
19:09:23 <rfelsburg> Under 'Rationale' it actually says '<link to csi or wiki page on security best practices>' instead of the link.
19:09:41 <nirik> yeah, I started making a wiki page, but then decided the csi thing might be better...
19:09:53 <nirik> and didn't want to point to the current version until we update it.
19:09:53 <rfelsburg> Gotcha, just making sure it didn't fall through the cracks.
19:10:10 * CodeBlock here, late sorry
19:10:19 <nirik> #info feedback wanted on https://fedoraproject.org/wiki/Infrastructure_mass_password_update
19:10:26 <nirik> #info CSI needs updating first.
19:10:37 <lmacken> 5/wg 24
19:10:40 <nirik> #info scheduling proposed was 1month after f16 release.
19:10:40 <lmacken> oops :(
19:11:20 <nirik> Anything more on this topic? anyone have issues/concerns?
19:11:36 <nirik> oh, I did have one more thing...
19:12:22 <nirik> I took a quick survey of sysadmin-main folks. Pretty much everyone has yubikeys (except me, can't seem to locate mine) and all but 1 have some form of ios/android device.
19:13:11 <nirik> google authenticator is pretty nice, but openssh needs a patch to do two factor auth if we wanted to use it for ssh.
19:14:22 <nirik> I was thinking we might look at doing _either_ pass+yubikey or pass+googleauth (as the person chooses). then folks who want can use the one they like better.
19:14:46 <nirik> and we would need to add googleauth support to fas... which I don't know how hard that would be.
19:15:22 * abadger1999 has never looked at googleauth
19:15:27 <nirik> so, all stuff to look into.
19:15:53 <nirik> https://bugzilla.redhat.com/show_bug.cgi?id=737735
19:15:56 <nirik> it's under review.
19:16:00 <smooge> waits for the howls
19:16:13 <nirik> it's pretty slick actually.
19:16:28 * smooge wonders if we could build our own app to do that for us :)
19:16:40 <nirik> basically a pam module / command line enroll thing.
19:16:54 <nirik> smooge: review packages? ;)
19:17:25 <smooge> well I guess we could write an app for that too
19:17:34 <nirik> it spits out a nice QR code you can scan with your phone to add the auth
19:17:38 <nirik> or a numeric.
19:19:13 <abadger1999> how does the otp get verified/generated?
19:19:30 <abadger1999> is there a backend server like yubikeys?
19:19:59 <nirik> it's a pam module/command line tool. The command line generates it, and sticks it (by default) into '~/.google_authenticator'
19:20:09 <nirik> but there's an option to do a per machine location.
19:20:11 <nirik> nope.
19:21:24 <nirik> anyhow, just something to consider. That may be a better option for some of our users who don't wish to buy a yubikey.
19:22:06 <nirik> shall we move on? or anything else on password/key reset or two factor auth?
19:22:48 <nirik> #topic Bastion outages/openvpn discussion.
19:23:01 <nirik> So, we have been having problems with our new bastion03 for a while now...
19:23:12 <nirik> it's bug: https://bugzilla.redhat.com/show_bug.cgi?id=725332
19:23:28 <nirik> smooge rebuilt a new bastion01 for us that's 32bit and it's so far been just fine.
19:23:37 <nirik> So, hopefully we have at least a good workaround for it now.
19:25:05 <nirik> If it continues to look good we will look at replacing bastion02 with a new one, but it will have to happen after the freeze most likely.
19:25:30 <nirik> anything more on bastion woes? (I just like saying woe)
19:26:07 <nirik> #topic Upcoming Tasks/Items
19:26:22 <nirik> Anyone have upcoming tasks or items they are working on they would like to talk about?
19:27:10 <nirik> I have a proxy08 to set up to replace proxy01 (but bringing it up seems to have affected production, so I need to figure that out)
19:27:51 <smooge> retrace is set up
19:28:14 <smooge> it will be ready for test day on Tuesday
19:28:14 <nirik> smooge: good news. ;) just handing it off to them left?
19:28:20 <smooge> pretty much.
19:28:21 <nirik> cool.
19:28:54 <smooge> my day is waiting for IBM and see what new things they find wrong with the bladecenter
19:29:30 <nirik> as soon as freeze is over (or sooner in some cases) we need to get things moved off the xen boxes that are going out of warranty...
19:30:33 <nirik> #topic Request for Resources progress report
19:30:46 <nirik> #info ask is pretty much all set to move to production
19:30:59 <nirik> I will be working on setting up ask in the next week or so...
19:31:13 <nirik> if anyone finds any issues or concerns with the stg instance, please let us know.
19:31:20 <nirik> I think it's in pretty ok shape.
19:31:37 <nirik> #info paste is still working in dev to iron out issues.
19:31:46 <nirik> any other outstanding RFR's ?
19:32:32 <nirik> #topic Open Floor
19:32:40 <nirik> ok, anyone have any items for open floor?
19:33:08 <nirik> #info we are at 217 tickets currently. I'd like to get that under 200 before the end of the year... but I guess we will see.
19:33:37 <nirik> abadger1999: how's raffle coming along?
19:34:14 <abadger1999> nirik: I think I've got everything ready in puppet to push to staging -- was just waiting for a time today when what I did wouldn't clash with any troubleshooting of other stuff.
19:34:39 <nirik> cool.
19:34:41 * abadger1999 cargo culted a little of the proxy stuff so it'll be a learning experience.
19:34:55 <nirik> yeah, I am still learning the proxy/caching setup...
19:35:15 <nirik> httpd -> varnish (sometimes) -> haproxy (sometimes) -> app (sometimes)
19:36:02 <abadger1999> yeah
19:36:04 <nirik> ok, I'll go ahead and close out in a minute if nothing else comes up.
19:36:23 <nirik> varnish also only seems to be able to work on url matching.
19:36:24 <abadger1999> and fas is set up differently in varnish than everything else
19:36:59 <nirik> yeah, it's set up as a single thing with 3 backends.
19:37:21 <nirik> and I think it doesn't use haproxy at all?
19:38:23 <nirik> anyhow, let's go back to #fedora-admin / #fedora-noc.
19:38:27 <nirik> thanks for coming everyone!
19:38:31 <nirik> #endmeeting