18:00:01 <nirik> #startmeeting Infrastructure (2015-04-23)
18:00:01 <zodbot> Meeting started Thu Apr 23 18:00:01 2015 UTC.  The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:01 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:00:01 <nirik> #meetingname infrastructure
18:00:01 <nirik> #topic aloha
18:00:01 <nirik> #chair smooge relrod nirik abadger1999 lmacken dgilmore mdomsch threebean pingou puiterwijk
18:00:01 <zodbot> The meeting name has been set to 'infrastructure'
18:00:01 <zodbot> Current chairs: abadger1999 dgilmore lmacken mdomsch nirik pingou puiterwijk relrod smooge threebean
18:00:01 <nirik> #topic New folks introductions / Apprentice feedback
18:00:38 <smooge> here
18:00:39 * pingou 
18:00:43 * puiterwijk is here
18:00:46 * threebean is here
18:00:48 * tflink is kinda around - in the middle of a questionably timed outage
18:00:52 <andreasch> here
18:01:00 * dotEast2015 here
18:01:00 <d3pr0f3t> here
18:01:02 * mizdebsk is here
18:01:17 * relrod here
18:02:32 <nirik> cool. any apprentices with questions or comments? or new folks who would like to introduce themselves?
18:03:20 <mizdebsk> i'm glad to be a new member of sysadmin team, i'll be working mostly on koschei
18:03:26 <d3pr0f3t> Yea actually
18:03:46 <nirik> welcome mizdebsk
18:03:53 <nirik> d3pr0f3t: fire away. ;)
18:04:00 <d3pr0f3t> as a task for me by SmootherFrOgZ to go through the fas3.0
18:04:08 <msimacek> msimacek, me too, I will be maintaining koschei with mizdebsk
18:04:14 <d3pr0f3t> so yea I did go through that and what I wanted to ask
18:04:20 <nirik> msimacek: welcome also. ;)
18:04:44 <d3pr0f3t> Why are we actually implemnting 2 factors authentication
18:04:48 <Mohamed_Fawzy> welcome all
18:05:00 <d3pr0f3t> Yubikey I get it
18:05:11 <d3pr0f3t> but Gauth
18:05:21 <puiterwijk> d3pr0f3t: because not everyone has a yubikey.
18:05:26 <pingou> welcome mizdebsk :)
18:05:34 <puiterwijk> and it's easier/cheaper to get a totp token than ayubikey
18:05:48 <d3pr0f3t> yea
18:05:52 <nirik> right. If we roll this out more to general contributors we will need a more widespread setup... not everyone has a yubikey
18:06:11 <d3pr0f3t> and Gauth is an optional one after the regualr fas right?
18:06:22 <nirik> well, it depends...
18:06:39 <d3pr0f3t> hmm
18:06:43 <d3pr0f3t> okkay
18:06:45 <nirik> right now for sudo on machines you always need your passphrase and a 2nd factor (yubikey or otp)
18:06:57 <nirik> we have not really rolled out 2fa for anything else.
18:07:05 <d3pr0f3t> okkay
18:07:05 <nirik> but we have talked about it some.
18:07:30 <d3pr0f3t> yea I mean actually I would share this thing
18:07:52 <d3pr0f3t> I was really proud and felt really happy that I got my fas login when puiterwijk sponsored me
18:08:14 <d3pr0f3t> So just like that I think it's more awesome to haveur own fas login :p
18:08:19 <d3pr0f3t> just a random thought
18:08:24 <d3pr0f3t> But leave it
18:08:34 <d3pr0f3t> Im okay, no more questions
18:08:36 <pingou> d3pr0f3t: we don't remove FAS login
18:08:41 <d3pr0f3t> I noe
18:08:43 <nirik> Glad you are enjoying it. ;) But yeah, we will see how we want to do 2fa for web apps and stuff down the road.
18:08:51 <nirik> so stay tuned. ;)
18:08:51 <d3pr0f3t> yea nirik
18:08:54 <d3pr0f3t> got it
18:09:02 <d3pr0f3t> I will :)
18:09:05 <nirik> ok, on to info dump from the gobby document:
18:09:16 <nirik> #topic announcements and information
18:09:16 <nirik> #info Fedora 22 Beta is out! - kevin
18:09:16 <nirik> #info Another re-install cycle of new cloud, hopefully last one - msuchy, smooge
18:09:16 <nirik> #info Mediawiki 123 hopefully going to staging soon - patrick
18:09:17 <nirik> #info Moved kojipkgs squid to use 8 threads instead of 1 - kevin
18:09:18 <nirik> #info Updated squid on kojipkgs to fix ssl cert chain issue - kevin
18:09:19 <nirik> #info Disabled lvmetad on all virthosts, it causes caching issues - kevin
18:09:21 <nirik> #info Koschei RFR - new application moving to staging - mizdebsk
18:09:23 <nirik> #link https://fedoraproject.org/wiki/Koschei
18:09:25 <nirik> #info new sysadmin-koschei group created - mizdebsk
18:09:27 <nirik> #info koschei playbook patch prepared - mizdebsk
18:09:29 <nirik> #info koschei SOP document(s) in preparation - msimacek
18:09:31 <nirik> #info new MirrorManager2 release -- pingou
18:09:33 <nirik> #info all the mm-*.stg (MirrorManager2 staging box) have been rebuilt (except for the Mirrorlist one) -- pingou
18:09:38 <nirik> #info pagure 0.1 to land very soon - test coverage is looking good -- pingou
18:09:40 <nirik> #info fedmsg and fedmsg_meta update out this week with bugfixes and various cosmetic improvements -- ralph
18:09:43 <nirik> anything in there folks want to discuss more or have questions on?
18:09:47 * smooge freaked out ofr a second thinking he needed to start over again
18:09:53 <smooge> on reinstalling cloud
18:10:01 <nirik> sorry. ;)
18:10:06 <pingou> smooge: that's your todo list for next week ;-)
18:10:11 <pingou> and the one after
18:10:13 <pingou> and the one after
18:10:15 <smooge> no problem.. it is more of a "Time to make the doughnuts"
18:10:21 <nirik> lets install every monday. ;)
18:10:24 <pingou> \ó/
18:11:07 <nirik> ok, so I don't see any discussion topics anyone put on gobby. And no one signed up to teach about anything, so that would take us to open floor. Unless someone has discussion or teaching items?
18:11:28 <nirik> Oh I guess I should mention the mm plan we just discussed...
18:11:34 <nirik> #topic Mirrormanager2
18:11:58 <nirik> If things look ok in stg today I am going to make production instances tomorrow and then early next week if all looks good we are going to move them into production.
18:12:11 <nirik> which will be really nice to finally have.
18:12:54 <nirik> this also means we can move the 'sundries' servers to rhel7 (they had mm1 on them), can kill off app01.stg and bapp02. and lots of other good stuff.
18:13:05 <nirik> #info looking to try and move mirrormanager2 to production next week.
18:13:06 <pingou> a test we wanted to do was: put a pickle on a couple of mirrorlist server
18:13:15 <pingou> to see if the new pickles are behaving as they should
18:13:20 <smooge> \o/
18:13:31 <nirik> sure. Once we have prod running right?
18:13:42 <pingou> nirik: we may want to announce this a little more broadly, no?
18:14:03 <pingou> nirik: we could do it before
18:14:12 <nirik> yeah, I guess we could note it to the mirror-admins and mirror discuss lists?
18:14:17 <nirik> end users should not see any change.
18:14:36 <pingou> these two would be good
18:14:38 <nirik> well, ideally better lists of mirrors I suppose.
18:14:59 <pingou> maybe devel-announce to let people know if something unexpected happens?
18:15:03 <nirik> pingou: I can mail them. I will also point to stg and ask them to test?
18:15:09 <pingou> nirik: sure
18:15:40 <nirik> I'm not sure devel-announce people will care much.
18:15:56 <pingou> ok
18:16:07 <nirik> perhaps infra list tho
18:16:11 <nirik> to keep everyone in the loop.
18:16:19 <nirik> I'll send my thing there too.
18:16:44 <nirik> #action nirik to mail infrastructure, mirror-admins, mirror-announce lists about mm2 roll out plans.
18:16:56 <pingou> +1 yes
18:17:05 <nirik> cool.
18:17:08 <nirik> #topic Open Floor
18:17:13 <nirik> anyone have items for open floor?
18:17:22 <dotEast2015> yes, nirik about dogtag
18:17:25 <nirik> I guess I am bad about lining up people to teach about things...
18:17:32 <nirik> #topic dogtag
18:17:37 <nirik> dotEast2015: sure. ;)
18:18:11 <dotEast2015> ok, now I'm not quite sure how to proceed with it
18:18:26 <nirik> well, you got it setup on a cloud node right?
18:18:39 <dotEast2015> I've prepared a minihowto for the setup
18:18:46 <dotEast2015> and looks ansible
18:18:59 <nirik> cool. I'd say mail that to the infrastructure list with also some pointers to the test instance...
18:19:01 <dotEast2015> but, whats more important is tweaking it to our needs
18:19:05 <nirik> and people can review and provide feedback
18:19:18 <nirik> sure. agreed.
18:19:27 <dotEast2015> well, I'm not quite sure what they will review
18:19:42 <nirik> this was mostly just to see if it was easy to install and how it works so we know if it can be made to meet our needs.
18:19:46 <dotEast2015> I've spent some time exploring scienarios of my own
18:20:09 <dotEast2015> but I feel like I'm working in an island
18:20:46 <nirik> well, no offense, but this is not the highest priority item going on. ;)
18:20:52 <dgilmore> dotEast2015: we need to evaluate how fedora-cert will interact with it
18:20:56 <nirik> and irc is often bad for these things...
18:21:03 <nirik> so I'd suggest again a list post.
18:21:07 <dgilmore> and and the other tools
18:21:20 <dotEast2015> hmm, I see
18:21:37 <nirik> right, so fedora-cert is used now to get maintainer certs. They get 1 valid cert at a tie.
18:21:38 <nirik> time
18:21:46 <threebean> hm.. would this be useful for internal-infra pki stuff too?  stuff that users never see?
18:21:49 <nirik> this is used to auth to koji and also to auth for source look aside uploads
18:22:02 <pingou> to generate the fedmsg ceerts?
18:22:04 <nirik> threebean: perhaps.
18:22:08 <dgilmore> threebean: maybe
18:22:18 <threebean> we have little pki scripts for fedmsg certs used internally.  and another set of those 2fa communication iirc.
18:22:20 <nirik> fedmsg certs, openvpn certs, possibly ssh certs.
18:22:21 <dgilmore> we would need a way to get certs for builders
18:22:21 <dotEast2015> sorry didn't get that
18:23:01 <dotEast2015> possibly I see those getting compiled into a list and working on them
18:23:03 <dgilmore> right now we have a python script that interacts with the CA to get them
18:23:18 <nirik> dotEast2015: we have some certs/ca's that are used only for specific internall applications. End users never see them, they are infra internal only
18:24:02 <dotEast2015> well, the tests that I made included automatic issue of service certificates and user dual-use keys
18:24:04 <nirik> so, I'd say lets start a discussion on list and we can flesh out requirements?
18:24:27 <dotEast2015> the first was obviously for internal apps as you name it (web, etc)
18:24:51 <dotEast2015> the other is to generate keys for users sign and encrypt
18:25:02 <dotEast2015> sign and encrypt stuff
18:25:08 <nirik> right, koji uses certs not only for maintainers to auth, but for build machines to auth... like they were other users.
18:26:20 <nirik> anyhow, lets continue on list and hopefully we can hash our better requirements for you to look at.
18:26:26 <nirik> dotEast2015: ok?
18:26:50 <dotEast2015> fine, with me. so announce instance and ..?
18:27:06 <nirik> post your minihowto about setup...
18:27:13 <nirik> and we can reply with more info on use cases.
18:27:21 <dotEast2015> sure
18:27:25 <nirik> great.
18:27:44 <nirik> #info dotEast2015 to post about dogtag test instance and setup and others to bring requirements to list discussion.
18:27:52 <nirik> #topic Open Floor again.
18:28:10 <threebean> heh, I need help with a collectd issue if anyone wants to take a look
18:28:35 <threebean> I have a custom plugin I wrote the other day and its not quite working.
18:28:48 <threebean> I guess, find me after the meeting if you're interested?
18:28:59 <nirik> sounds good. ;)
18:29:07 * nirik will close out in a minute if nothing else.
18:29:08 <threebean> #help threebean needs help with collectd.  help!!!
18:29:20 <nirik> oh, does someone want to step up to teach about something next week?
18:29:28 <nirik> any requests for apps/setups to talk about/
18:30:41 <nirik> ok, will try and figure something up. :)
18:30:44 <puiterwijk> maybe pkgs?
18:30:55 <nirik> puiterwijk: you want to talk about that? :)
18:31:00 <puiterwijk> nirik: sure.
18:31:05 <nirik> excellent. ;)
18:31:06 <nirik> thanks
18:31:15 <nirik> ok, thanks for coming everyone!
18:31:18 <nirik> #endmeeting