19:00:01 #startmeeting Infrastructure (2011-12-08) 19:00:01 Meeting started Thu Dec 8 19:00:01 2011 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:00:01 Useful Commands: #action #agreed #halp #info #idea #link #topic. 19:00:01 #meetingname infrastructure 19:00:01 #topic Robot Roll Call 19:00:01 #chair smooge skvidal Codeblock ricky nirik abadger1999 lmacken dgilmore mdomsch 19:00:01 The meeting name has been set to 'infrastructure' 19:00:01 Current chairs: Codeblock abadger1999 dgilmore lmacken mdomsch nirik ricky skvidal smooge 19:00:10 * skvidal is here 19:01:03 morning everyone. 19:01:10 * nirik will wait a few min for folks to wander in 19:01:26 * jnalley is here 19:01:26 hello nirik, everybody 19:01:32 * abadger1999 here 19:01:33 * jsmith is lurking 19:02:08 * mdomsch is lurking too 19:03:08 #topic New folks introductions and Apprentice tasks 19:03:13 ok, lets dive in. 19:03:25 any new folks or apprentices care to discuss anything? 19:03:33 or introduce themselves? 19:03:59 I'm going to try and add some more easyfix tickets soon... if I can get fires quenched. 19:04:27 hi, i introduced myself on the list a while back but haven't really started working on a ticket since then. just today i contacted some ticket owners about helping out on otherwise stale tickets that hopefully will be easy for an fi-n00b. 19:04:43 jnalley: cool. Welcome. 19:04:50 and it does't help that i also changed my nick from the less-intelligble nick ke4zvu3 19:04:54 do hang out in #fedora-admin and/or #fedora-noc and chime in as you can. 19:05:02 i have, do, and will 19:05:05 lost your ham license? ;) 19:05:18 haha, no, just changed it to be uniform with my FAS name 19:05:28 oh good. 19:06:01 any other introductions or issues with apprentice tasks? 19:06:17 * nirik moves on. 19:06:25 #topic serverbeach / collab / hosted status 19:06:40 so, we have our new new hardware in, we have installed on it. 19:06:51 I've sent out an announcement about moving collab on next monday. 19:06:59 from collab01 to collab03. 19:07:19 Hopefully that will be a pretty easy migration. 19:07:42 Also, I am going to send out an announcement later today about moving hosted on next wed... from hosted01 to hosted03. 19:08:10 If anyone has ideas for stress testing the new machines before we migrate to them, please do speak up. 19:08:47 right now, I am thinking of just moving hosted pretty much as is, because I want to get it off rhel5/old machine. 19:09:04 nirik: maybe just rsync back and forth from the systems 19:09:09 to fill up the disks - to test the range 19:09:19 then we can schedule a lists.fedorahosted.org move later along with a more targeted move of projects to a new setup with cnames. 19:09:35 skvidal: yeah, I have been running rsyncs... they do have the data from the live/prod boxes on them. 19:10:06 I need to finish the migration script for hosted and then we can start hitting it for testing again. 19:10:18 (via a /etc/hosts change) 19:11:17 also, it's worth noting that I setup hosted03/04 and collab03/04 with drbd... It means if the primary dies, we can bring up the data on the secondary pretty easily and not have much loss. 19:12:00 so, any questions or concerns on all that? or shall we move on? 19:12:28 #topic ibiblio machines status 19:12:40 we have a new ibiblio03 coming in next week or so I think. 19:12:55 we have also started moving things from ibiblio01->02. 19:13:04 (which ran into some anoying ipv6 pain yesterday. ;( 19:13:38 we have 3 things still on 01... 19:13:49 smtp-mm03 (which can be migrated in the next few days) 19:14:01 backup02 (which I want to migrate to ibiblio03 once it's in) 19:14:05 and torrent01. 19:14:16 :( to that last one 19:14:16 what will it take to migrate torrents to torrent02? 19:14:24 nirik: a torrent client from this decade? 19:14:39 yeah, that would be nice. 19:14:44 we're sorta up shit creek when it comes toa torrent seed and tracker that has the same features 19:14:46 I can get one working 19:14:48 but not the logging 19:14:51 and stats tracking 19:14:58 that btseed/ bttrack currently offers 19:15:06 fun. Can we just rebuild the thing we have now for now? 19:15:22 I can probably force it to work on el6 19:15:24 and look at moving to magnet or something. 19:15:32 magnet links will provide even less info 19:15:44 it lets us just distribute out the link info - which is nice 19:15:52 but won't help us provide stats on if they are being used :( 19:16:05 ok. wasn't herlo investigating some of the options? 19:16:25 nirik: istr, yes - but last I heard the options were all full of suck.. 19:16:34 I'll ask him if he had a final report or not 19:16:41 worth asking on the devel/infra lists for ideas? 19:16:59 I suspect we 19:17:10 'll get a dozen comments of an unhelpful nature 19:17:18 that's not cynicism - just reality 19:17:20 well, I'd like to move things off ibiblio01 so we can rhel6ize it, but we can see. 19:17:28 yeah, probibly the case. 19:17:35 it seems like outside of the tpb no one really USES torrents much 19:17:55 perhaps we could contact them and get them to open source their stuff? ;) 19:18:00 hahahaha 19:18:03 you're funny 19:18:28 oh 19:18:28 right 19:18:33 I knew I had forgotten something 19:18:43 the other issue we were hoping to work around 19:18:45 torrent + ipv6 19:18:55 which the existing client does not support, at all. 19:19:09 yeah. ;( 19:19:25 #info gather more info/options for torrent seed/trackers. 19:19:34 if we could dump the data gathering requirement 19:19:40 we could make something else work, probably quickly, too 19:19:56 So what do we use that data for? 19:20:01 I guess spins popularity? 19:20:56 and in general 19:21:02 just 'how much stuff got downloaded' 19:21:08 well, the statistics page doesn't really use them anymore... 19:21:13 nod 19:21:23 skvidal: opentracker still not up to snuff? 19:21:25 I haven't looked in a while 19:21:27 but the spins.fp.o uses them a lot 19:21:39 last I knew, it still had the split v4 and v6 daemons 19:21:41 mdomsch: stats crash iirc 19:21:48 skvidal: I think that's fixed now 19:21:52 per bugzilla 19:22:08 worth a look at least 19:22:23 mdomsch: I think this is what herlo was looking into 19:23:04 I guess if it comes down to it, we can just move torrent01 over to ibiblio02 as a rhel5 if we can't come up with any better options. 19:23:44 ok, gather more info, try and find a non sucky option... 19:23:46 a question I'd love an answer to 19:23:53 do we really NEED the torrent anymore? 19:24:04 can we just deprecate it? would the sky fall down on us? 19:24:08 well, spins are currently not widely mirrored 19:24:13 they are torrent only. 19:24:22 torrent _only_? 19:24:23 no 19:24:24 (well, they are in the alt mirror component, but very few mirrors mirror that) 19:24:26 I don't think that's true 19:24:28 okay 19:24:31 so not torrent _only_ 19:25:12 yeah, but a pretty small number of mirrors. 19:25:41 * nirik would be happy to punt that decision to the Board or fesco. ;) 19:25:43 how large is the consume population? 19:26:26 from looking at the torrent stats, not all that vast. 19:26:40 opentracker is in the trees, and is lightly maintained (one spec patch since Jan) 19:27:27 lets try and gather more info, and revisit next week... 19:28:03 hola 19:28:11 hey dgilmore 19:28:19 #topic Upcoming Tasks/Items 19:28:27 flood ahead: 19:28:31 #info 2011-12-08 - Fedora 14 end of life. 19:28:31 #info 2011-12-12 - migrate to collab03/04 (evening) (tenative) 19:28:31 #info 2011-12-14 - migrate hosted (tenative) 19:28:31 #info 2011-12-22 - contact peer1 about retirement schedule for old machines. 19:28:31 #info 2011-12-23 to 2012-01-02 - rh shutdown week. 19:28:31 #info 2012-01-10 - drop inactive maintainers from pkgdb acls. 19:28:33 #info 2012-01-13 to 2012-01-15 - FUDCON blacksberg 19:28:37 #info 2012-02-31 - fas 0.8.11 final release. 19:28:39 #info 2012-02-14 to 2012-02-28 - F17 Alpha Freeze 19:28:48 anything anyone would like to discuss upcoming? 19:29:43 ok, moving along then. 19:29:47 #topic Meeting tagged tickets 19:30:10 none. 19:30:21 #topic NFS outage 19:30:25 :( 19:30:28 We are currently in a nfs outage. ;( 19:30:41 it looks like it was caused by a network hiccup to the backend storage. 19:31:05 Not sure what we can do to avoid this kind of thing moving forward, but it's an anoying SPOF 19:31:26 yeah 19:31:38 iscsi ftw 19:32:22 so, if we have ideas for clustered filesystems or the like, we can investigate. I'm not sure I trust any of them with our data yet tho. 19:32:33 yeah 19:32:38 all of the clustered fs will be an issue 19:32:43 b/c of ownerships afaict 19:32:47 yeah 19:32:49 maybe gfs2 19:32:55 skvidal: yeah 19:33:03 but I'm not sure that's going to not require an arseload of infrastructure that we do not have 19:33:09 * nirik hasn't looked at gfs2 lately, but long ago I remember it being a royal pain to setup. 19:33:27 maybe a clusered fs would help with a network glitch 19:33:38 gluster ? :-) 19:33:44 but its a whole different ball of fish 19:33:59 * nirik notes that RH announced a storage product today... 19:34:10 gluster 19:34:11 nirik: yup 19:34:14 gluster has the perms issues 19:34:32 it can do normal posix 19:34:32 no acls, right? 19:34:35 but not extended acls 19:34:45 and no selinux - though that may have changed very recently 19:34:50 ask ric if that's coming... 19:34:52 we dont do acls 19:34:54 not sure we use acls on /mnt/koji 19:35:00 nirik: we dont 19:35:14 mdomsch: I've asked the gluster folks and it is tricky 19:36:14 so, that might be something to look into... would need to setup a testbed and make sure it doesn't blow up and that we understand it. 19:36:51 not sure what we could do short term. ;( 19:37:12 yeah 19:37:20 not sure it would really help 19:37:32 gluster is userland right 19:37:40 on top of something else? 19:37:52 dgilmore: it's userland - yes - but it replicates across the network 19:38:17 dgilmore: you then mount it from userland onto your clients - I want to say it is fuse 19:38:20 on the client end 19:38:22 yes, fuse 19:38:27 skvidal: right 19:38:36 skvidal: which would do nothing in this case 19:38:44 ?? 19:38:46 it would do nothing? 19:38:53 since the issue was that the iscsi storage blipped 19:38:57 if we had 2 units setup as mirrors 19:38:59 and ext4 got messed up 19:39:03 and each of them had independent backends? 19:39:17 skvidal: so if we got another blip likely get the same 19:40:03 oh - if they are both backended on the same storage network 19:40:06 yah - I see 19:40:18 skvidal: yeah. 19:40:29 so do we have a place to replicate the nfs data to? 19:40:41 skvidal: bnfs01 19:40:49 but it takes me a day to rsync to it 19:40:56 drbd! 19:40:57 would drbd 19:40:58 * nirik runs 19:41:00 exactly 19:41:03 will it scale to that size? 19:41:09 12T 19:41:20 no idea 19:41:27 it can, as long as the net can keep up to the disk i/o 19:41:49 which usually isn't a problem 19:42:00 are bnfs01 and koji's nfs backended to different devices? 19:42:08 or is it all onto the netapp? 19:42:08 yes 19:42:19 yes to which one 19:42:23 different devices 19:42:27 bnfs01 is 1tb drives attached directly using disk shelves 19:42:37 nfs01 is equalogic over iscsi 19:42:50 and how close to end of life is bnfs01, it's disks, etc? 19:43:03 both are ~1 year old 19:43:12 2013-01-17 19:43:16 okay, great 19:43:20 wait 19:43:24 Jan 2013? 19:43:29 so a bit over a year? 19:43:33 like 13 months? 19:43:34 yep 19:43:39 bleah 19:43:42 nirik: that doesnt seem right 19:43:43 but we can extend. 19:43:54 unless it's labeled wrong. it could be. 19:44:07 arent they normally 3 years? 19:44:08 * nirik can check for sure. 19:44:14 jds2001: yep 19:44:18 i thought normally 5 years 19:44:21 * jds2001 checks into the cheap seats :) 19:44:24 jds2001: well if ~1yr old == 2yrs 19:44:24 3 is normal 19:44:30 jds2001: then.. :) 19:44:43 heh 19:44:49 in any case... one pain of moving to drbd is that we need somewhere to shuffle the data, make the drbd and then shuffle back. ;) 19:44:49 im often wrong 19:44:57 nirik: nod 19:45:13 nirik: we could probably beg for tmpspace on the netapp 19:45:16 nirik: for a few weeks 19:45:17 yeah. 19:45:39 * nirik has used heartbeat+drbd for nfs servers in the past. 19:45:52 you'd have to remount everything 19:46:00 b/c the filehandles would all change 19:46:05 yeah. 19:46:07 it's doable - but with our static mounts its harder 19:46:09 * skvidal likes autofs 19:46:20 but I'm probably one of the 4 people in the universe who does 19:46:29 skvidal: that makes one of us :) 19:46:43 anyhow, thats also longer term... perhaps we could have a nice 'nuke SPOFs' talk at fudcon too. 19:46:54 nirik: we had that talk at the last fudcon :) 19:47:11 yeah, and we can keep doing it until we get it right! :) 19:47:19 hah 19:47:22 oh and remember everyone 19:47:28 bring your body armor to fudcon 19:47:34 http://www.cbsnews.com/8301-201_162-57339465/2-shot-dead-at-va-tech-gunman-sought/ 19:47:40 * jds2001 prepares for the 'nuke SPOF' talk at fudcon 2060 :D 19:47:41 yeah, crazy. 19:47:49 anyhow... 19:47:49 skvidal: im all for eliminating spof 19:47:56 #topic Open Floor 19:48:05 anyone have anything for open floor? 19:48:48 * jds2001 hasn't been around in infra a ton lately 19:48:53 * jds2001 apologizes :/ 19:48:55 jds2001: welcome back. ;) 19:49:05 there's a lot of tasks 19:49:07 which need doing 19:49:11 which need time 19:49:16 * nirik gets the list of things we assigned to jds2001 while he wasn't around. ;) 19:49:18 if anyone wants to work on projects 19:49:21 there are a bunch of them 19:49:50 well all of this talk of collab and mailing lists is near and dear to my heart. 19:50:20 though i really dont want to work on it for 14-18 hours straight like last time :) 19:50:28 we still do need to get the last lists at rh moved too someday. 19:50:37 nirik: like what? 19:50:45 epel and such 19:50:46 epel-devel, some of the ambassadors lists. 19:51:26 I am hoping the collab move will be very easy. I have fewer hopes for the fedorahosted one... 19:52:00 well, the hosted move is similar to moving from rh, right? 19:52:10 nirik: Do you want to update on what bressers said? 19:52:13 that wasn't terribly hard, except a few glitches. 19:52:44 jds2001: the moving lists.fedorahosted -> collab? yeah, that will be just like that, but with another domain tossed into the mix. 19:52:46 nirik: I was wondering specifically if he'd said anything about how much diversity wold be good/bad. 19:52:54 abadger1999: oh yeah, sorry, I meant to mention that. 19:53:14 nirik: and having control of both sides makes it even easier, really. 19:53:16 * abadger1999 is sure that 2 chars is good, but unsure above that. 19:53:40 so, he said: 19:53:45 "I would say in the short term, enact some of the above rules. They won't 19:53:46 hurt and will certainly prevent really bad passwords. They won't solve the 19:53:46 real problem though." 19:54:04 sadly, he is not going to be at fudcon. ;( 19:54:17 perhaps we could invite him for next weeks meeting and discuss this a bit more? 19:54:41 Sure. 19:55:13 * nirik sees if he's around now. guess not. 19:55:22 abadger1999: what is 'the real problem'? 19:55:41 skvidal: having passwords instead of 2factor or the like. 19:55:45 ah 19:55:57 I do have an update on the 2fa stuff 19:56:22 I worked on the pam_linotp module - I got it building and it submits the 2fa input over the wire to a cgi which can verify it 19:56:46 cool. 19:56:53 so that works just fine. to make 2fa happen on EVERY ssh login, though, we'll need to modify sshd 19:57:00 with patches from dwmw2 19:57:18 if we just want them on sudo, though, that should be fine right now 19:57:28 so what can be used as the other factor there? googleauth? yubikey? 19:57:51 yubikey is simple and i already have one :) 19:57:53 right now it would be totp 19:58:14 but, ostensibly, you could verify whatever in the cgi 19:58:17 * jds2001 hasnt even looked at googleauth, but it seems cool. 19:58:35 since the string sizes are so massively different between totp and yubikeys 19:58:35 it should be possible to accept either 19:58:48 * dgilmore doesnt trust anything with google in the name 19:58:57 dgilmore: it's open source. ;) 19:58:59 * skvidal shakes his head 19:59:13 I'd be find with yubikeys for sudo, but want a pin + yubikey 19:59:20 dgilmore: at least its not cubsauth :D 19:59:20 nirik: i know, I have an irrational distrust of anything google does 19:59:23 open or not 19:59:25 and it sounds like this linotp might be able to let us do whichever 19:59:33 nirik: all linotp offers is this 19:59:43 1. a pam_module to submit the info to a cgi elsewhere 19:59:48 I think having ssh key for login and 2fa auth for sudo would offer a lot over what we currently have. 19:59:52 jds2001: id be ok with that 20:00:11 abadger1999: +1. I'd like that 20:00:12 2. some simple routines to verify various types of 2fa 20:00:28 to make something work for both totp and yubikey 20:00:35 we'd have to maintain it ourselves 20:00:43 though I suspect 20:00:45 if we do this 20:00:51 other people would be interested 20:00:57 yeah. 20:01:21 skvidal: i agree 20:01:41 modifying the pam module to get it working took some minor patching - nothing serious 20:01:49 and there are a few things in the module which make me grumpy 20:01:51 is it packaged up at all? 20:01:57 oh god no 20:02:04 ok. 20:02:06 and to be fair 20:02:15 packaging up all of lin_otp seems like a bad idea 20:02:23 they want to be a one-stop shop for all sorts of auth stuff 20:02:25 ok, we just need the pam module? 20:02:29 and integrating it into fas would be a mess 20:02:47 pammodule + whatever cgi the pam module submits info to 20:03:06 they have a cgi which is django based and involves all their other admin-interface 20:03:07 yeah. 20:03:15 which would probably make us want to kill ourselves to keep it going 20:03:25 right, so perhaps we want to look at forking and cleaning up/simplifying this. 20:03:30 right 20:03:55 so let me confirm a few things 20:03:57 abadger1999: you had some questions for bress ? 20:03:57 b/c that will help 20:04:02 has anyone had disucssions with upstream about that? 20:04:14 i.e. making a "lin_otp lite" if you will? 20:04:18 jds2001: they are using the split-source/commerical modules thing 20:04:25 :/ 20:04:35 jds2001: so... no 20:04:56 oh and one more hitch to using a lot of their code 20:05:03 some of it is agpl 20:05:05 bress: hey, so about checking password strength by eliminating passwords of only a few different characters.... is there some number of different characters that makes things worse instead of better? 20:05:06 ugh 20:05:32 * nirik notes we are over time, but I don't think there is a meeting after us if we want to keep going. 20:05:46 I'd like to get confirmation on a few things 20:05:53 nirik: after abadger1999 and bress are finishe 20:05:54 d 20:05:57 skvidal: ok 20:07:03 bress: My back of the envelope calculation is ensuring two separate characters for standard passwords has little drawback -- but my math skills aren't up to tackling how larger diversity requirements affect the ability to brute force passwords 20:07:03 abadger1999: I mailed Kevin Fenzi about this a while back. In general, password policies make things worse. The real answer is some sort of 2 factor system. In general though, you're not talking about reducing your corpus by all that much. 20:07:16 k. 20:07:20 * nirik is kevin, FYI. ;) 20:07:24 * jds2001 thinks that no matter what technical restrictions we put on passwords, we'll always have someone choose something like AbC123$ 20:07:31 20:07:39 jds2001: shit, now I have to go change my password! 20:07:46 the more restrictions also the worse documentation looks 20:07:50 I wouldn't be as worried about someone using a shitty password as I would be making sure an attacker can't brute force any of our systems. If you allow more than say 6 logins per minute, we're doing it wrong. 20:08:09 skvidal: Just go with AbC1234$ 20:08:14 your password must be at least 12 characters, unless it's monday in which case you need to use 2 non repeating lower case letters, unless it's a full moon, in which case... 20:08:22 bress: +1 on the login comment ... ;-) 20:08:30 bress: So ensuring diversity of characters is going to hit, "what will our users stand for" quicker than "you've reduced your possible combinations too mch". 20:08:40 abadger1999: Yeah 20:08:48 bress: thanks. 20:08:50 abadger1999: It could be wise to point folks at diceware. 20:09:07 Since picking a new password is really hard for people. 20:09:31 yeah, we did link to that in our change announcement. 20:10:03 abadger1999: how hard would it be to modify our fas web logins so we require password + 2fa? 20:10:07 But I'd say the real answer here is going to be some sort of 2 factor auth. 20:10:29 bress: That's nice -- smooge had also suggested ading javascript to our password reset that does something similar. 20:10:42 As a password suggestion for people. 20:10:45 working on that 20:10:46 20:10:48 Yeah, that's a good idea. 20:11:04 sorry for missing the meeting guys 20:11:13 bress: which places do you think 2fa should be used: on any ssh login? git commits? webapp logins? sudo? 20:11:26 smooge: lucky for you, it's still going on. ;) 20:11:42 skvidal: "allow" pretty easy -- it's a variant on the yubikey acceptance that's already in. 20:11:54 skvidal: "require" is harder. 20:11:56 skvidal: That one is tricky. I'd probably say anywhere a password is needed. Things where an SSH key will do is probably OK. 20:12:05 skvidal: "require for some people" even more. 20:12:08 skvidal: If people can't commit without jumping through hoops, they just won't commit. 20:12:39 bress: oh cmon - marriage rates alone disprove that 20:12:46 The trick isn't to ellimate risk, but to understand and control it. 20:13:05 so another question wrt to commits 20:13:10 * bress wonders how long skvidal has been waiting to use that one ;) 20:13:12 so question. To get an idea of how bad our users practices are.. can we "anonymize" the hashes from before the new hash became standard and run jtr with rockyou top 10000 20:13:15 skvidal: but none of it is something we lack the ability to do (even considering how time constrained we are) 20:13:43 would it help us to require people to connect with an ssh master connection - requiring 2fa for that connection duration 20:13:53 then if we find a large number before and after we say "simple test" if you chose a password here you need to chose something else. 20:13:59 so they could connect once, stay on, and then not have to auth again until forced out 20:14:12 * skvidal is just brainstorming a bit 20:14:37 I suspect we will get a lot of pushback on making pkg commits 2factor. 20:14:46 skvidal: That's an interesting concept. The only problem I can see is people forgetting to logout (or just never logging out to save time) 20:14:46 nod 20:14:55 bress: forgetting to logout we can actually handle 20:15:09 bress: in much the same way rh handles it when I neglect to disconnect from the vpn 20:15:10 nirik: Ahh, but we can make them 2 factor sneakily. Do ssh for auth, and have users sign their commits :) 20:15:18 the issue that i see is like bress said, we're making things harder. 20:15:20 skvidal: You disconnect from the VPN? :) 20:15:27 bress: it makes me 20:15:35 bress: every 10hours or so 20:15:39 skvidal: I can keep openvpn up for days. 20:15:44 skvidal: But that's another conversation. 20:15:47 yes 20:15:48 anyway 20:15:50