18:00:41 <nirik> #startmeeting Infrastructure (2016-08-11) 18:00:41 <zodbot> Meeting started Thu Aug 11 18:00:41 2016 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:00:41 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 18:00:41 <zodbot> The meeting name has been set to 'infrastructure_(2016-08-11)' 18:00:41 <nirik> #meetingname infrastructure 18:00:41 <zodbot> The meeting name has been set to 'infrastructure' 18:00:41 <nirik> #topic aloha 18:00:41 <nirik> #chair smooge relrod nirik abadger1999 lmacken dgilmore threebean pingou puiterwijk pbrobinson 18:00:41 <zodbot> Current chairs: abadger1999 dgilmore lmacken nirik pbrobinson pingou puiterwijk relrod smooge threebean 18:00:41 <nirik> #topic New folks introductions 18:00:44 * relrod here 18:00:45 * aikidouke is here 18:00:51 * puiterwijk here 18:00:52 * pcreech here 18:01:01 * doteast present 18:01:04 <odin2016> .here 18:01:09 <clime> .here 18:01:11 <odin2016> Here 18:01:23 * cverna is here 18:01:38 * athos here 18:01:51 * sayan is here 18:02:03 <nirik> welcome everyone. Any new folks like to give a short one line introduction of themselves to the group? Don't worry, we are all friendly... :) 18:02:30 * pingou here 18:02:43 <bowlofeggs> .here 18:02:46 <marc84> hi everyone 18:02:51 <bowlofeggs> .hello bowlofeggs 18:02:55 <zodbot> bowlofeggs: bowlofeggs 'Randy Barlow' <randy@electronsweatshop.com> 18:03:49 <smooge> here 18:04:52 <nirik> ok, if no one new, I'll move on to status/info... 18:05:10 <nirik> #topic announcements and information 18:05:10 <nirik> #info flock 2016 is over. Lots of blogs and soon videos to recap - everyone 18:05:10 <nirik> #info Fedora 25 Alpha Freeze has started - kevin 18:05:10 <nirik> #info nagios is all green for freeze - kevin/smooge/patrick 18:05:11 <nirik> #info Aug apprentice email went out (a bit late), reply by friday - kevin 18:05:12 <nirik> #info virthost-comm02 has been reinstalled with rhel7 - kevin 18:05:13 <nirik> #info rawhide/branched composers are now Fedora 24 - kevin 18:05:17 <nirik> #info pagure-importer with attachment support ready for test - cverna 18:05:21 <nirik> anything anyone would like to add or discuss out of those? 18:05:30 <nirik> cverna: I'll try and test the importer tomorrow. ;) 18:05:51 <marc84> nirik: im new 18:06:16 <cverna> nirik: jflory7 has been trying in the afternoon the install does not seems to be trivial outside a venv 18:06:18 <nirik> marc84: ah, sorry... care to give a short introduction on yourself? and welcome! 18:06:26 <cverna> welcome marc84 18:06:37 <clime> welcome! 18:06:54 <jflory7> Welcome marc84! 18:07:06 <pingou> welcome marc84 18:07:26 <odin2016> Welcome 18:07:32 <pingou> nirik: for the importer, cverna said he will package it tonight otherwise free vodka all around 18:07:33 <marc84> my name is marc im from philadelphia and just sign up to join the Infrastructure team 18:07:58 * cverna goes to the shop to buy vodka 18:08:27 <aikidouke> welcome marc84: 18:08:43 * aikidouke is from Ohio - Midwest all the things! 18:08:58 <nirik> marc84: are you more interested in sysadmin type things or application development? or both? :) 18:09:01 <pingou> cverna: no souvenir from flock? 18:09:08 <aikidouke> do you have any questions or anyting you would like to work on marc84? 18:09:22 <aikidouke> oh sorry nirik: stealing your thunder 18:09:31 <nirik> not at all. ;) 18:09:51 <marc84> things and some on application development 18:10:14 <cverna> pingou: it is already dry 18:10:29 <aikidouke> i think I missed a line marc84. what was before things? 18:13:01 <marc84> yes im interested in sysadmin type things and some on application development 18:13:23 <nirik> cool. See me after the meeting in #fedora-admin and we can get you added to our apprentice program... 18:13:43 <marc84> nirik: thanks 18:14:04 <nirik> ok, on to discussion items then... 18:14:06 <nirik> #topic flock workshop followup - kevin 18:14:16 <nirik> I sent a mail to the list about the stuff we talked about at flock. 18:14:36 <nirik> Everyone should feel free to chime in there or here with any questions or ideas or ways we can better do things. 18:14:58 * pingou had a few additions to it 18:15:04 <nirik> we want to make sure everyone who wasn't at flock has time to read up and have input before we do anything. ;) 18:15:10 <nirik> great! 18:15:13 * aikidouke will send a reply soon 18:15:41 <aikidouke> did you talk about how inappropriate content would be audited? 18:15:55 <nirik> in what context? 18:15:57 <aikidouke> or storage limits? 18:16:01 <nirik> cloud instances? 18:16:09 <aikidouke> oh yes sorry 18:16:12 <aikidouke> cloud instances 18:16:26 <nirik> well, we did a bit, and I think we want to have a pretty general/simple ruleset: 18:16:34 <nirik> 1. whatever you are doing should be fedora related. 18:16:55 <nirik> 2. We reserve the right to terminate it and remove access anytime we feel we need to 18:17:17 <nirik> 3. long running stuff should be moved to persistent instances that can be shared between users. 18:17:45 <nirik> we will probibly have to evolve things as we see what use cases people come up with. :) 18:18:40 <aikidouke> right on 18:18:56 <aikidouke> so and maybe this is something I need to read up on 18:19:28 <aikidouke> i guess an example would b best 18:19:28 <nirik> I'm guessing most packager/qa folks will use these to just spin up an instance to test their package or debug some issue on a specific release they don't have locally or handy 18:19:50 <nirik> we need to talk to other groups and see if they would have some use cases too. 18:20:03 <aikidouke> where do we fall on allowing someone to host a repo of non-free packages like proprietary nvidia drivers? 18:20:17 <nirik> no, we don't want to allow that. 18:20:21 <aikidouke> gotcha 18:20:23 <nirik> only content that is acceptable for fedora 18:20:32 <aikidouke> makes sense 18:21:07 <aikidouke> any storage limits? 18:21:39 <aikidouke> oh I already asked that...sorry - kinda all over the place 18:22:06 <nirik> well, I guess whatever is available on the size instances we allow. ;) I'm ok allowing pretty large... but it's all transient, you can't store anything long term 18:22:53 <nirik> probibly the next step here is to write up a wiki page or something with details to approve/implement 18:23:11 <aikidouke> ok - thats logical. Sounds like you got a good bit done at Flock :) 18:23:51 <nirik> a good bit discussed yeah... nothing is done until we give the community time/place to weigh in. 18:24:17 <puiterwijk> except maybe Flock itself. I'm guessing that that is unfortunately done for thsi year :) 18:24:28 <nirik> true enough. 18:24:38 <nirik> pingou: you want to just share your comments on the list? or ? 18:24:39 <pingou> snif :( 18:25:02 <pingou> nirik: I'll share them w/ the list, it was mostly about the deadlines we set for the different projects 18:25:04 <doteast> I thought part of the resource request process was to cover these angles! or it is about imposing "hard-limits"? 18:25:28 <pingou> like porting apps on FAS3 during the F25 beta freeze (which implies having python-fedora ported before that) 18:25:39 <nirik> pingou: ah, ok, please do 18:25:51 <pingou> or the 1 year dead-line for koji/ipa/cert or we extend the current cert 18:26:06 <puiterwijk> pingou: that's the next discussion point actually :-) 18:26:18 <pingou> puiterwijk: I have more to say about that :D 18:26:22 <nirik> doteast: well, RFR is for getting a new fully supported application deployed. I am not sure how allowing some groups access to private cloud overlaps with that. They are kinda different processes. 18:26:28 <puiterwijk> heh, feel free to bring it up then :) 18:26:45 <pingou> did we agree on more deadlines? I think the rest was more: discussion points, right? 18:27:00 <doteast> oh, I see. 18:27:03 <nirik> pingou: deadlines for which? the items from flock? 18:27:06 <pingou> yes 18:27:25 <nirik> I don't guess we did yet really on most of them, so it might be good to also decide that on list/next week? 18:27:45 <nirik> some of them depend on other things... like cloud stuff probibly depends on when the rhosp upgrade happens 18:29:03 <nirik> #info more discussion on list about flock items, in particular we should decide deadlines/timeframes for things. 18:29:14 <nirik> anything else on those items? or shall we move on? 18:29:46 <pingou> .next :) 18:30:16 <nirik> #topic FAS/IPA/koji/... - puiterwijk 18:30:21 <nirik> puiterwijk: take it away 18:30:47 <puiterwijk> So, as some of you know, there's been talks several timees about replacing FAS with IPA in the FEdora Infra, most often pushed from the freeIPA team 18:31:14 <puiterwijk> During Flock, we finally got into an agreement that that's not happening anytime soon, but we might be able to start migrating some things. 18:31:30 <puiterwijk> One of the things we had a specific reason for using is for example koji, to get rid of the client certificates. 18:31:43 <pingou> \ó/ 18:31:57 <nirik> less certs is great. ;) 18:32:01 <puiterwijk> So, the current state on this is that this is now live in staging, for testing out evertything 18:32:13 <tammy_> No meeting today 18:32:28 <nirik> tammy_: there is, and you are now in it. ;) 18:32:40 <tammy_> OK 18:32:45 <puiterwijk> As soon as you login to any staging app, your account gets synced to the IPA server in staging, so that after that you can get a @STG.FEDORAPROJECT.ORG ticket, which you can use with Koji already 18:32:55 <puiterwijk> (staging koji, that is) 18:33:15 <puiterwijk> So, we should start discussing sometime soon whether to move forward with this, and if yes how. 18:33:26 <puiterwijk> (currently it's a proof of concept/testing stage) 18:33:53 <nirik> puiterwijk: how does this impact fas3? similar code could be there? 18:34:07 <puiterwijk> nirik: yes, I will be submitting the same type of sync code to FAS3. 18:34:15 <puiterwijk> It's all pretty minor things, so should be easy enough to do 18:34:19 <pingou> how big is the changeset? 18:34:30 <puiterwijk> for fas2 it was pretty small 18:34:33 <puiterwijk> it's already in 18:34:48 <nirik> when this goes to production, we would sync everyone? I don't think people would like having to login to something before using it... 18:34:50 <pingou> https://github.com/fedora-infra/fas/pull/200 18:34:54 <puiterwijk> pingou: https://github.com/fedora-infra/fas/pull/200 18:35:13 <puiterwijk> nirik: we would need to require people to log in first, but they would log in to anything. 18:35:19 <pingou> puiterwijk: can koji support both cert and ticket? 18:35:21 <puiterwijk> So even pkgdb or whatever will work 18:35:27 <puiterwijk> pingou: yep. And that's what staging does right now 18:35:37 <nirik> thats going to be a bit of a pain I predict, but ok. No way around that? 18:35:41 <pingou> puiterwijk: so they could use koji w/ either 18:35:45 <puiterwijk> nirik: well, why that? 18:36:03 <puiterwijk> pingou: yes. But in a year or so, when the CA cert expires, I'd prefer to just leave it be and from then on no longer support client certs 18:36:28 <puiterwijk> nirik: people log into bodhi, or koji, or whatever regularly. They would only need to login to any of the apps once before we disable client certs. 18:36:29 <nirik> some people may not read they need to login first, so if we git rid of certs they would find themselves unable to auth and come to us asking for help... 18:36:54 <puiterwijk> nirik: we can have a period of now until the CA expires during which we enable the sync code. 18:36:58 <nirik> well, someone who just builds rawhide doesn't need to... 18:37:11 <puiterwijk> nirik: then they'll need to recreate their cert in at most 6 months :) 18:37:12 <nirik> but sure, just trying to see the scope of it 18:37:38 <pingou> puiterwijk: the login is just once right? not like: everytime just before you interact w/ koji 18:37:42 <nirik> and to be clear, everything else would keep using ipsilon / fas right? 18:37:51 <puiterwijk> pingou: yep 18:38:07 <pingou> so I logged in in stg, I don't have to do it ever again for koji.stg to work? 18:38:08 <puiterwijk> nirik: yes. But in due time, Ipsilon can also accept the krb tickets, allowing for full single signon for people 18:38:45 <nirik> for those apps that use ipsilon... I guess we don't have too many that hit fas directly anymore. 18:38:47 <puiterwijk> pingou: not to the web applications. Your local ticket will expire after about 24 hours, after which you'll need to run a kinit again, but that will be handled automatically by the koji tools 18:39:00 <pingou> puiterwijk: cool 18:39:18 <pingou> so as long as we have at least 6 months before the cert expires, we should be fine 18:39:35 <nirik> would freeipa -> ipsilon -> fedora app be able to get groups and such? many apps need that... can it be in a kerb ticket? 18:39:48 <pingou> nirik: wiki, python-fedora (fas client) and ipsilon are the only ones I can think of 18:40:03 <puiterwijk> pingou: and sigul... but I'm just working on that :-) 18:40:16 <puiterwijk> nirik: for now, IPA won't know of the groups. Syncing that will be in a later stage 18:40:42 <puiterwijk> nirik: at the moment, the IPA part is really only used for the kerberos ticket. We can move stuff over to IPA in due time as they make sense. 18:40:44 <nirik> ok. we would also need that I guess to replace fas_client with kerb tickets/freeipa... 18:41:04 <puiterwijk> Yes, correct. 18:41:33 <nirik> also if we do that we would need to look at how freeipa does 2fa vs fas... 18:42:05 <puiterwijk> nirik: yep, I was looking at that too for in the future. But logging into the systems etc won't change for now. 18:42:44 <nirik> so do you think this is worth moving to production before fas3? also, we should file a RFR for freeipa so we make sure not to forget any of the process as we deploy 18:43:16 <puiterwijk> nirik: I think so, yes, since it would allow us to start the prod sync process sooner rather than later. 18:43:48 <puiterwijk> We don't have to enable anything else yet, but if we start the syncing process already, that'll give the passwords hashed in teh correct format so we can then start using the IPA accounts 18:44:28 <nirik> sure. I'd like to try and have a pair of them in prod for HA... I guess it does master/replicant pretty easily? 18:44:39 <puiterwijk> It does multi-master 18:44:43 <nirik> even better 18:44:49 <puiterwijk> There's no slave or anything, all replicas are masters 18:45:07 <nirik> does it use a db? or it's all local storage? 18:45:23 <puiterwijk> it has an ldap directory, which stores everything 18:45:47 <puiterwijk> So we'd need to make backups of that ldap information, but that should be all 18:46:08 <nirik> does that still use bdb? or ? 18:46:21 <puiterwijk> I need to look into that 18:46:39 <nirik> ok. 18:46:53 <nirik> any other questions on this? 18:48:20 <nirik> ok, thanks puiterwijk, moving on then... 18:48:30 <nirik> #topic Apprentice Open office hours 18:48:42 <nirik> any apprentices with questions, comments or looking for things to work on ? 18:49:08 <clime> I am happy that 'Reviews Weekly' status email arrived on Monday :) 18:49:15 <tammy_> Just still working on accessing servers 18:49:28 <nirik> clime: yep. worked like a charm 18:49:30 <tammy_> Still not working but will try 18:49:49 <nirik> tammy_: we can try and assist... let us know when you have a chunk of time to work on it... 18:50:09 <tammy_> OK will let you know 18:51:08 <clime> I guess .5407 ticket stayed "unexplained" for now :). 18:51:15 <clime> .5407 18:51:18 <nirik> clime: I am unsure what to do on that weird git checkout error... I guess we could wait until after freeze then set pkgs02 permissive and see if it works, then we know for sure it's selinux 18:51:30 <nirik> yeah that one 18:51:37 <nirik> .ticket 5407 18:51:38 <zodbot> nirik: #5407 (fix make-git-checkout-seed script) – Fedora Infrastructure - https://fedorahosted.org/fedora-infrastructure/ticket/5407 18:51:43 <clime> oh thanks. 18:52:09 <nirik> its still failing from cron 18:52:17 <clime> interesting. 18:52:43 <clime> Is it failing always on the same repo? 18:53:06 <clime> that enunciate-core-annotations repo. 18:54:10 <nirik> well, it's unclear if it's that repo or one around it... 18:54:15 * nirik looks at the output 18:54:19 <clime> But anyway, I have no clue (except perhaps collision with some other script) for now so I would go for anything that could help us solve it. 18:54:52 <nirik> basename: extra operand ‘enunciate-core-annotations).git’ 18:54:52 <nirik> Try 'basename --help' for more information. 18:54:52 <nirik> sed: can't read /srv/git_seed/git-checkout//.git/config: No such file or directory 18:54:52 <nirik> sed: can't read /srv/git_seed/git-checkout//.git/config: No such file or directory 18:55:01 <clime> right 18:55:17 <clime> couldn't reproduce that :( 18:55:24 <nirik> so the basename call is failing somehow... but not sure what it's passed. I guess I could make it run with -x from cron to a logfile 18:55:40 <clime> that could help. 18:56:08 <clime> this message (or similar) is output if basename gets more params than two 18:57:11 <clime> my (wild guess) is that 'enunciate-core-annotations).git' is the third (redundant) param. 18:57:30 <nirik> yeah. I'll look at adding some debugging and see about a freeze break for it. 18:57:39 <nirik> we are close to out of time... 18:57:43 <nirik> #topic Open Floor 18:57:52 <nirik> anyone have anything for open floor? questions, comments, ideas? 18:58:18 <tammy_> I do not at this point 18:58:40 <itamarjp_> nirik, yes, one question, 18:58:46 <nirik> itamarjp_: sure, shoot. ;) 18:59:13 <itamarjp_> anyone interested in a hangout to talk about infrastructure group to some Brazilians ? 18:59:23 <itamarjp_> how stuff works, etc... 18:59:35 <nirik> I'm sure we could work something out... 18:59:44 <tammy_> Sound interesting 18:59:46 <itamarjp_> ok, I will contact you later, then 18:59:53 <nirik> always fun finding times, but I think it's a fine idea. 19:00:09 <nirik> sure, or discuss on list and we can try and come up with a good time or times. 19:00:49 <nirik> The QA folks did something like this not long ago... I've not heard how it went tho 19:01:41 <pingou> just a quick item for me: https://apps.fedoraproject.org/calendar/meeting/4431/ 19:02:23 <nirik> pingou: can we all join this meeting? :) I'm hoping it's somewhere fun 19:02:43 <tammy_> Count me in 19:02:54 <aikidouke> just want to put out there - still working on badges -> pagure 19:02:59 <pingou> nirik: remote, wild and back in the 90s internet :) 19:03:13 <aikidouke> just sent an email out yesterday - havent followed up yet tho 19:03:27 <nirik> aikidouke: cool. The converter should be able to do attachements now so I hear 19:03:37 <aikidouke> oh nice - I need to look into that 19:03:52 <aikidouke> ty 19:03:53 <pingou> feel free to test with stg.pagure.io 19:04:01 <pingou> it's there for that :) 19:04:05 <aikidouke> thanks pingou 19:04:19 <nirik> ok, thanks for coming everyone! do continue in #fedora-admin, #fedora-apps and #fedora-noc. ;) 19:04:22 <nirik> #endmeeting