18:00:41 <nirik> #startmeeting Infrastructure (2016-08-11)
18:00:41 <zodbot> Meeting started Thu Aug 11 18:00:41 2016 UTC.  The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:41 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:00:41 <zodbot> The meeting name has been set to 'infrastructure_(2016-08-11)'
18:00:41 <nirik> #meetingname infrastructure
18:00:41 <zodbot> The meeting name has been set to 'infrastructure'
18:00:41 <nirik> #topic aloha
18:00:41 <nirik> #chair smooge relrod nirik abadger1999 lmacken dgilmore threebean pingou puiterwijk pbrobinson
18:00:41 <zodbot> Current chairs: abadger1999 dgilmore lmacken nirik pbrobinson pingou puiterwijk relrod smooge threebean
18:00:41 <nirik> #topic New folks introductions
18:00:44 * relrod here
18:00:45 * aikidouke is here
18:00:51 * puiterwijk here
18:00:52 * pcreech here
18:01:01 * doteast present
18:01:04 <odin2016> .here
18:01:09 <clime> .here
18:01:11 <odin2016> Here
18:01:23 * cverna is here
18:01:38 * athos here
18:01:51 * sayan is here
18:02:03 <nirik> welcome everyone. Any new folks like to give a short one line introduction of themselves to the group? Don't worry, we are all friendly... :)
18:02:30 * pingou here
18:02:43 <bowlofeggs> .here
18:02:46 <marc84> hi everyone
18:02:51 <bowlofeggs> .hello bowlofeggs
18:02:55 <zodbot> bowlofeggs: bowlofeggs 'Randy Barlow' <randy@electronsweatshop.com>
18:03:49 <smooge> here
18:04:52 <nirik> ok, if no one new, I'll move on to status/info...
18:05:10 <nirik> #topic announcements and information
18:05:10 <nirik> #info flock 2016 is over. Lots of blogs and soon videos to recap - everyone
18:05:10 <nirik> #info Fedora 25 Alpha Freeze has started - kevin
18:05:10 <nirik> #info nagios is all green for freeze - kevin/smooge/patrick
18:05:11 <nirik> #info Aug apprentice email went out (a bit late), reply by friday - kevin
18:05:12 <nirik> #info virthost-comm02 has been reinstalled with rhel7 - kevin
18:05:13 <nirik> #info rawhide/branched composers are now Fedora 24 - kevin
18:05:17 <nirik> #info pagure-importer with attachment support ready for test - cverna
18:05:21 <nirik> anything anyone would like to add or discuss out of those?
18:05:30 <nirik> cverna: I'll try and test the importer tomorrow. ;)
18:05:51 <marc84> nirik: im new
18:06:16 <cverna> nirik:  jflory7 has been trying in the afternoon the install does not seems to be trivial outside a venv
18:06:18 <nirik> marc84: ah, sorry... care to give a short introduction on yourself? and welcome!
18:06:26 <cverna> welcome marc84
18:06:37 <clime> welcome!
18:06:54 <jflory7> Welcome marc84!
18:07:06 <pingou> welcome marc84
18:07:26 <odin2016> Welcome
18:07:32 <pingou> nirik: for the importer, cverna said he will package it tonight otherwise free vodka all around
18:07:33 <marc84> my name is marc im from philadelphia and just sign up to join the Infrastructure team
18:07:58 * cverna goes to the shop to buy vodka
18:08:27 <aikidouke> welcome marc84:
18:08:43 * aikidouke is from Ohio - Midwest all the things!
18:08:58 <nirik> marc84: are you more interested in sysadmin type things or application development? or both? :)
18:09:01 <pingou> cverna: no souvenir from flock?
18:09:08 <aikidouke> do you have any questions or anyting you would like to work on marc84?
18:09:22 <aikidouke> oh sorry nirik: stealing your thunder
18:09:31 <nirik> not at all. ;)
18:09:51 <marc84> things and some on application development
18:10:14 <cverna> pingou: it is already dry
18:10:29 <aikidouke> i think I missed a line marc84. what was before things?
18:13:01 <marc84> yes im interested in sysadmin type things and some on application development
18:13:23 <nirik> cool. See me after the meeting in #fedora-admin and we can get you added to our apprentice program...
18:13:43 <marc84> nirik: thanks
18:14:04 <nirik> ok, on to discussion items then...
18:14:06 <nirik> #topic flock workshop followup - kevin
18:14:16 <nirik> I sent a mail to the list about the stuff we talked about at flock.
18:14:36 <nirik> Everyone should feel free to chime in there or here with any questions or ideas or ways we can better do things.
18:14:58 * pingou had a few additions to it
18:15:04 <nirik> we want to make sure everyone who wasn't at flock has time to read up and have input before we do anything. ;)
18:15:10 <nirik> great!
18:15:13 * aikidouke will send a reply soon
18:15:41 <aikidouke> did you talk about how inappropriate content would be audited?
18:15:55 <nirik> in what context?
18:15:57 <aikidouke> or storage limits?
18:16:01 <nirik> cloud instances?
18:16:09 <aikidouke> oh yes sorry
18:16:12 <aikidouke> cloud instances
18:16:26 <nirik> well, we did a bit, and I think we want to have a pretty general/simple ruleset:
18:16:34 <nirik> 1. whatever you are doing should be fedora related.
18:16:55 <nirik> 2. We reserve the right to terminate it and remove access anytime we feel we need to
18:17:17 <nirik> 3. long running stuff should be moved to persistent instances that can be shared between users.
18:17:45 <nirik> we will probibly have to evolve things as we see what use cases people come up with. :)
18:18:40 <aikidouke> right on
18:18:56 <aikidouke> so and maybe this is something I need to read up on
18:19:28 <aikidouke> i guess an example would b best
18:19:28 <nirik> I'm guessing most packager/qa folks will use these to just spin up an instance to test their package or debug some issue on a specific release they don't have locally or handy
18:19:50 <nirik> we need to talk to other groups and see if they would have some use cases too.
18:20:03 <aikidouke> where do we fall on allowing someone to host a repo of non-free packages like proprietary nvidia drivers?
18:20:17 <nirik> no, we don't want to allow that.
18:20:21 <aikidouke> gotcha
18:20:23 <nirik> only content that is acceptable for fedora
18:20:32 <aikidouke> makes sense
18:21:07 <aikidouke> any storage limits?
18:21:39 <aikidouke> oh I already asked that...sorry - kinda all over the place
18:22:06 <nirik> well, I guess whatever is available on the size instances we allow. ;) I'm ok allowing pretty large... but it's all transient, you can't store anything long term
18:22:53 <nirik> probibly the next step here is to write up a wiki page or something with details to approve/implement
18:23:11 <aikidouke> ok - thats logical. Sounds like you got a good bit done at Flock :)
18:23:51 <nirik> a good bit discussed yeah... nothing is done until we give the community time/place to weigh in.
18:24:17 <puiterwijk> except maybe Flock itself. I'm guessing that that is unfortunately done for thsi year :)
18:24:28 <nirik> true enough.
18:24:38 <nirik> pingou: you want to just share your comments on the list? or ?
18:24:39 <pingou> snif :(
18:25:02 <pingou> nirik: I'll share them w/ the list, it was mostly about the deadlines we set for the different projects
18:25:04 <doteast> I thought part of the resource request process was to cover these angles! or it is about imposing "hard-limits"?
18:25:28 <pingou> like porting apps on FAS3 during the F25 beta freeze (which implies having python-fedora ported before that)
18:25:39 <nirik> pingou: ah, ok, please do
18:25:51 <pingou> or the 1 year dead-line for koji/ipa/cert or we extend the current cert
18:26:06 <puiterwijk> pingou: that's the next discussion point actually :-)
18:26:18 <pingou> puiterwijk: I have more to say about that :D
18:26:22 <nirik> doteast: well, RFR is for getting a new fully supported application deployed. I am not sure how allowing some groups access to private cloud overlaps with that. They are kinda different processes.
18:26:28 <puiterwijk> heh, feel free to bring it up then :)
18:26:45 <pingou> did we agree on more deadlines? I think the rest was more: discussion points, right?
18:27:00 <doteast> oh, I see.
18:27:03 <nirik> pingou: deadlines for which? the items from flock?
18:27:06 <pingou> yes
18:27:25 <nirik> I don't guess we did yet really on most of them, so it might be good to also decide that on list/next week?
18:27:45 <nirik> some of them depend on other things... like cloud stuff probibly depends on when the rhosp upgrade happens
18:29:03 <nirik> #info more discussion on list about flock items, in particular we should decide deadlines/timeframes for things.
18:29:14 <nirik> anything else on those items? or shall we move on?
18:29:46 <pingou> .next :)
18:30:16 <nirik> #topic FAS/IPA/koji/... - puiterwijk
18:30:21 <nirik> puiterwijk: take it away
18:30:47 <puiterwijk> So, as some of you know, there's been talks several timees about replacing FAS with IPA in the FEdora Infra, most often pushed from the freeIPA team
18:31:14 <puiterwijk> During Flock, we finally got into an agreement that that's not happening anytime soon, but we might be able to start migrating some things.
18:31:30 <puiterwijk> One of the things we had a specific reason for using is for example koji, to get rid of the client certificates.
18:31:43 <pingou> \ó/
18:31:57 <nirik> less certs is great. ;)
18:32:01 <puiterwijk> So, the current state on this is that this is now live in staging, for testing out evertything
18:32:13 <tammy_> No meeting today
18:32:28 <nirik> tammy_: there is, and you are now in it. ;)
18:32:40 <tammy_> OK
18:32:45 <puiterwijk> As soon as you login to any staging app, your account gets synced to the IPA server in staging, so that after that you can get a @STG.FEDORAPROJECT.ORG ticket, which you can use with Koji already
18:32:55 <puiterwijk> (staging koji, that is)
18:33:15 <puiterwijk> So, we should start discussing sometime soon whether to move forward with this, and if yes how.
18:33:26 <puiterwijk> (currently it's a proof of concept/testing stage)
18:33:53 <nirik> puiterwijk: how does this impact fas3? similar code could be there?
18:34:07 <puiterwijk> nirik: yes, I will be submitting the same type of sync code to FAS3.
18:34:15 <puiterwijk> It's all pretty minor things, so should be easy enough to do
18:34:19 <pingou> how big is the changeset?
18:34:30 <puiterwijk> for fas2 it was pretty small
18:34:33 <puiterwijk> it's already in
18:34:48 <nirik> when this goes to production, we would sync everyone? I don't think people would like having to login to something before using it...
18:34:50 <pingou> https://github.com/fedora-infra/fas/pull/200
18:34:54 <puiterwijk> pingou: https://github.com/fedora-infra/fas/pull/200
18:35:13 <puiterwijk> nirik: we would need to require people to log in first, but they would log in to anything.
18:35:19 <pingou> puiterwijk: can koji support both cert and ticket?
18:35:21 <puiterwijk> So even pkgdb or whatever will work
18:35:27 <puiterwijk> pingou: yep. And that's what staging does right now
18:35:37 <nirik> thats going to be a bit of a pain I predict, but ok. No way around that?
18:35:41 <pingou> puiterwijk: so they could use koji w/ either
18:35:45 <puiterwijk> nirik: well, why that?
18:36:03 <puiterwijk> pingou: yes. But in a year or so, when the CA cert expires, I'd prefer to just leave it be and from then on no longer support client certs
18:36:28 <puiterwijk> nirik: people log into bodhi, or koji, or whatever regularly. They would only need to login to any of the apps once before we disable client certs.
18:36:29 <nirik> some people may not read they need to login first, so if we git rid of certs they would find themselves unable to auth and come to us asking for help...
18:36:54 <puiterwijk> nirik: we can have a period of now until the CA expires during which we enable the sync code.
18:36:58 <nirik> well, someone who just builds rawhide doesn't need to...
18:37:11 <puiterwijk> nirik: then they'll need to recreate their cert in at most 6 months :)
18:37:12 <nirik> but sure, just trying to see the scope of it
18:37:38 <pingou> puiterwijk: the login is just once right? not like: everytime just before you interact w/ koji
18:37:42 <nirik> and to be clear, everything else would keep using ipsilon / fas right?
18:37:51 <puiterwijk> pingou: yep
18:38:07 <pingou> so I logged in in stg, I don't have to do it ever again for koji.stg to work?
18:38:08 <puiterwijk> nirik: yes. But in due time, Ipsilon can also accept the krb tickets, allowing for full single signon for people
18:38:45 <nirik> for those apps that use ipsilon... I guess we don't have too many that hit fas directly anymore.
18:38:47 <puiterwijk> pingou: not to the web applications. Your local ticket will expire after about 24 hours, after which you'll need to run a kinit again, but that will be handled automatically by the koji tools
18:39:00 <pingou> puiterwijk: cool
18:39:18 <pingou> so as long as we have at least 6 months before the cert expires, we should be fine
18:39:35 <nirik> would freeipa -> ipsilon -> fedora app be able to get groups and such? many apps need that... can it be in a kerb ticket?
18:39:48 <pingou> nirik: wiki, python-fedora (fas client) and ipsilon are the only ones I can think of
18:40:03 <puiterwijk> pingou: and sigul... but I'm just working on that :-)
18:40:16 <puiterwijk> nirik: for now, IPA won't know of the groups. Syncing that will be in a later stage
18:40:42 <puiterwijk> nirik: at the moment, the IPA part is really only used for the kerberos ticket. We can move stuff over to IPA in due time as they make sense.
18:40:44 <nirik> ok. we would also need that I guess to replace fas_client with kerb tickets/freeipa...
18:41:04 <puiterwijk> Yes, correct.
18:41:33 <nirik> also if we do that we would need to look at how freeipa does 2fa vs fas...
18:42:05 <puiterwijk> nirik: yep, I was looking at that too for in the future. But logging into the systems etc won't change for now.
18:42:44 <nirik> so do you think this is worth moving to production before fas3? also, we should file a RFR for freeipa so we make sure not to forget any of the process as we deploy
18:43:16 <puiterwijk> nirik: I think so, yes, since it would allow us to start the prod sync process sooner rather than later.
18:43:48 <puiterwijk> We don't have to enable anything else yet, but if we start the syncing process already, that'll give the passwords hashed in teh correct format so we can then start using the IPA accounts
18:44:28 <nirik> sure. I'd like to try and have a pair of them in prod for HA... I guess it does master/replicant pretty easily?
18:44:39 <puiterwijk> It does multi-master
18:44:43 <nirik> even better
18:44:49 <puiterwijk> There's no slave or anything, all replicas are masters
18:45:07 <nirik> does it use a db? or it's all local storage?
18:45:23 <puiterwijk> it has an ldap directory, which stores everything
18:45:47 <puiterwijk> So we'd need to make backups of that ldap information, but that should be all
18:46:08 <nirik> does that still use bdb? or ?
18:46:21 <puiterwijk> I need to look into that
18:46:39 <nirik> ok.
18:46:53 <nirik> any other questions on this?
18:48:20 <nirik> ok, thanks puiterwijk, moving on then...
18:48:30 <nirik> #topic Apprentice Open office hours
18:48:42 <nirik> any apprentices with questions, comments or looking for things to work on ?
18:49:08 <clime> I am happy that 'Reviews Weekly' status email arrived on Monday :)
18:49:15 <tammy_> Just still working on accessing servers
18:49:28 <nirik> clime: yep. worked like a charm
18:49:30 <tammy_> Still not working but will try
18:49:49 <nirik> tammy_: we can try and assist... let us know when you have a chunk of time to work on it...
18:50:09 <tammy_> OK will let you know
18:51:08 <clime> I guess .5407 ticket stayed "unexplained" for now :).
18:51:15 <clime> .5407
18:51:18 <nirik> clime: I am unsure what to do on that weird git checkout error... I guess we could wait until after freeze then set pkgs02 permissive and see if it works, then we know for sure it's selinux
18:51:30 <nirik> yeah that one
18:51:37 <nirik> .ticket 5407
18:51:38 <zodbot> nirik: #5407 (fix make-git-checkout-seed script) – Fedora Infrastructure - https://fedorahosted.org/fedora-infrastructure/ticket/5407
18:51:43 <clime> oh thanks.
18:52:09 <nirik> its still failing from cron
18:52:17 <clime> interesting.
18:52:43 <clime> Is it failing always on the same repo?
18:53:06 <clime> that enunciate-core-annotations repo.
18:54:10 <nirik> well, it's unclear if it's that repo or one around it...
18:54:15 * nirik looks at the output
18:54:19 <clime> But anyway, I have no clue (except perhaps collision with some other script) for now so I would go for anything that could help us solve it.
18:54:52 <nirik> basename: extra operand ‘enunciate-core-annotations).git’
18:54:52 <nirik> Try 'basename --help' for more information.
18:54:52 <nirik> sed: can't read /srv/git_seed/git-checkout//.git/config: No such file or directory
18:54:52 <nirik> sed: can't read /srv/git_seed/git-checkout//.git/config: No such file or directory
18:55:01 <clime> right
18:55:17 <clime> couldn't reproduce that :(
18:55:24 <nirik> so the basename call is failing somehow... but not sure what it's passed. I guess I could make it run with -x from cron to a logfile
18:55:40 <clime> that could help.
18:56:08 <clime> this message (or similar) is output if basename gets more params than two
18:57:11 <clime> my (wild guess) is that 'enunciate-core-annotations).git' is the third (redundant) param.
18:57:30 <nirik> yeah. I'll look at adding some debugging and see about a freeze break for it.
18:57:39 <nirik> we are close to out of time...
18:57:43 <nirik> #topic Open Floor
18:57:52 <nirik> anyone have anything for open floor? questions, comments, ideas?
18:58:18 <tammy_> I do not at this point
18:58:40 <itamarjp_> nirik, yes, one question,
18:58:46 <nirik> itamarjp_: sure, shoot. ;)
18:59:13 <itamarjp_> anyone  interested in a hangout to talk about infrastructure group to  some Brazilians ?
18:59:23 <itamarjp_> how stuff works, etc...
18:59:35 <nirik> I'm sure we could work something out...
18:59:44 <tammy_> Sound interesting
18:59:46 <itamarjp_> ok, I will contact you later, then
18:59:53 <nirik> always fun finding times, but I think it's a fine idea.
19:00:09 <nirik> sure, or discuss on list and we can try and come up with a good time or times.
19:00:49 <nirik> The QA folks did something like this not long ago... I've not heard how it went tho
19:01:41 <pingou> just a quick item for me: https://apps.fedoraproject.org/calendar/meeting/4431/
19:02:23 <nirik> pingou: can we all join this meeting? :) I'm hoping it's somewhere fun
19:02:43 <tammy_> Count me in
19:02:54 <aikidouke> just want to put out there - still working on badges -> pagure
19:02:59 <pingou> nirik: remote, wild and back in the 90s internet :)
19:03:13 <aikidouke> just sent an email out yesterday - havent followed up yet tho
19:03:27 <nirik> aikidouke: cool. The converter should be able to do attachements now so I hear
19:03:37 <aikidouke> oh nice - I need to look into that
19:03:52 <aikidouke> ty
19:03:53 <pingou> feel free to test with stg.pagure.io
19:04:01 <pingou> it's there for that :)
19:04:05 <aikidouke> thanks pingou
19:04:19 <nirik> ok, thanks for coming everyone! do continue in #fedora-admin, #fedora-apps and #fedora-noc. ;)
19:04:22 <nirik> #endmeeting