18:00:09 <nirik> #startmeeting Infrastructure (2016-09-01)
18:00:09 <zodbot> Meeting started Thu Sep  1 18:00:09 2016 UTC.  The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:09 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:00:09 <zodbot> The meeting name has been set to 'infrastructure_(2016-09-01)'
18:00:09 <nirik> #meetingname infrastructure
18:00:09 <zodbot> The meeting name has been set to 'infrastructure'
18:00:09 <nirik> #topic aloha
18:00:09 <nirik> #chair smooge relrod nirik abadger1999 lmacken dgilmore threebean pingou puiterwijk pbrobinson
18:00:09 <zodbot> Current chairs: abadger1999 dgilmore lmacken nirik pbrobinson pingou puiterwijk relrod smooge threebean
18:00:10 <nirik> #topic New folks introductions
18:00:16 <clime> Hello! :-)
18:00:24 <puiterwijk> Hi
18:00:27 <sayan> Hi
18:00:27 <lousab> hello guys :)
18:00:39 <relrod> hi
18:00:39 <kushal> Hello
18:00:41 <trishnag> Hi
18:00:45 <marc84> hi
18:00:46 <nirik> good morning everyone.
18:01:08 <nirik> Any new folks around this week who might like to give a short one line introduction?
18:01:27 <bowlofeggs> .hello bowlofeggs
18:01:28 <zodbot> bowlofeggs: bowlofeggs 'Randy Barlow' <randy@electronsweatshop.com>
18:02:36 <nirik> ok, looks like mostly the usual folks around. ;)
18:02:50 <nirik> on to announcements
18:02:53 <nirik> #topic announcements and information
18:02:53 <nirik> #info Fedora 25 alpha is out the door! - everyone
18:02:53 <nirik> #info We are now out of freeze until Beta - everyone
18:02:53 <nirik> #info new koschei in production on Fedora 24 - mizdebsk
18:02:54 <nirik> #info openvpn links moved to higher/better encryption - kevin
18:02:55 <nirik> #info ssl config consolidated, everything using high grade - patrick
18:02:56 <nirik> #info various small changes made post freeze - kevin
18:02:58 <nirik> #info release fedimg 0.7 - sayan
18:03:09 <nirik> oh, there is a new pagure release in staging also...
18:03:41 * cverna is here
18:03:46 <nirik> https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/message/OPVDRAODHBGJYE7D3J4Q6DST5NLMMOVM/
18:03:56 * doteast here
18:04:25 <nirik> anything else anyone would like to note or discuss from those?
18:05:48 * aikidouke here
18:06:29 <nirik> ok, moving on to discussion items then. ;)
18:06:53 <nirik> #topic fedorahosted retirement - kevin
18:07:12 <tmoreira> .hello tiagovieira
18:07:13 <zodbot> tmoreira: tiagovieira 'Tiago Moreira Vieira' <tmv@redhat.com>
18:07:21 <nirik> so there's a number of questions here which I would like to get wrapped up...
18:08:05 <nirik> we don't have pingou today... some of this might just be better on the list I guess...
18:08:20 <nirik> from the gobby:
18:08:23 <nirik> * what to do about lists.fedorahosted.org
18:08:23 <nirik> * what to do about freemedia
18:08:23 <nirik> * Other "special" projects?
18:08:23 <nirik> * When to send announcements
18:08:49 <puiterwijk> "When to send announcements", I'd say as soon as we get all expected questions answered
18:08:51 <nirik> IMHO, we should send announcement soon... if we keep delaying people won't realize its going away
18:08:58 <puiterwijk> Yep
18:09:02 <nirik> and will be surprised/upset
18:09:18 <puiterwijk> "special" projects, we can make exceptions on a per-project basis if we really want
18:10:11 <nirik> when I mentioned special projects I was thinking of those that had very customized trac workflows... like design, badges, possibly others
18:11:03 <nirik> and freemedia. ;)
18:12:23 <nirik> For lists, I guess I would say: existing lists.fedorahosted.org lists can continue, we should setup a lists.pagure.io and any that want to migrate can do so.
18:12:51 <puiterwijk> I don't think we'd want to migrate any, but setting up lists.pagure.io would be fine
18:13:21 <nirik> well, some people might want that. Basically make new list, close old one...
18:13:31 * jflory7 waves
18:14:30 <aikidouke> for badges - I have a good base done in pagure, but have been very busy lately and havent gotten folks to test and work on the repo
18:14:44 <aikidouke> anyone that knows badges could pick it up
18:14:45 <nirik> aikidouke: do you see any show stoppers there for badges?
18:14:58 <nirik> I know there's a pretty custom trac setup...
18:15:35 <aikidouke> I don't know - I really need someone that works on badges a lot to review
18:15:43 <aikidouke> I dont see anything major
18:15:44 <kushal> cloud trac
18:16:03 <aikidouke> but it may be a shift for people that do artwork if they arent used to pagure
18:16:15 <aikidouke> jflory7: what say you?
18:16:25 <sayan> aikidouke: how do you want to go ahead with the review?
18:16:30 <nirik> yeah, I am sure it will be different, but as long as it's acceptable to the folks doing the work. ;)
18:17:05 <aikidouke> sayan: I need to pull in artwork in bits and compress some of the history
18:17:32 <jflory7> aikidouke: I think it could be replicated with tags, but it would be tricky and not as intuitive as with Trac (with all of the specific metadata fields, e.g. artwork status, badge definition status, etc.).
18:17:36 <aikidouke> then look at the old badges wiki/trac and check on the scenarios
18:17:40 <nirik> I'm still hoping to move fedora-infra soon, but hit a bug in pagure-importer. ;)
18:17:44 * nirik looks at cverna_
18:17:55 <jflory7> It will take some work, but I think it could work, but would definitely need info and feedback from Design Team members on it.
18:18:38 <aikidouke> would it be better to add functionality to the badges admin app??
18:18:44 <cverna_> nirik: yeah not an easy bug to investigate
18:18:51 <nirik> I still don't know what to do about freemedia. I hate to say we should write an app, but perhaps we should. Or look for some existing thing that might fit better... neither trac nor pagure is really ideal for it
18:18:52 <cverna_> I'll have to do some tests
18:19:01 <sayan> aikidouke: functionality like?
18:19:11 <nirik> cverna_: happy to gather info for you too...
18:19:58 <puiterwijk> jflory7: well, I've requested "random fields" as well to Pagure, since Ipsilon uses them too. I think I managed to convince pingou the other day
18:20:01 <aikidouke> sayan: basically you would need a suggest a badge functionality, propose artwork, artwork approval, rules configuration, ok for production
18:20:24 <cverna_> nirik: thx ;)
18:20:50 <aikidouke> sayan: it would really just be some new forms I think, with the exception of having a way to store WIP badge artwork somewhere
18:20:51 <jflory7> puiterwijk: If those were added, the Badges Trac migration would be *so* much easier, especially if you could do sorting on that metadata. For badges, for example, if certain metadata is met, it's easy to see a badge as "ready to be pushed" and a sysadmin can push it.
18:20:57 <sayan> aikidouke: badges admin panel comes to play once the badge has been pushed
18:21:15 <aikidouke> right, maybe I will look at that?
18:21:17 <puiterwijk> jflory7: yep.
18:21:18 <sayan> also not all have access to the admin panel
18:21:31 <aikidouke> true
18:21:41 <puiterwijk> aikidouke: so, for the move of badges to trac, I think the main issue is the fields in pagure, and as said I asked pingou to add that
18:21:48 <sayan> puiterwijk: +1
18:21:49 <jflory7> aikidouke: Hmmm... I feel like porting the badge requests to Tahrir might not be the best solution. I think having a ticket-like solution with Pagure would be a better focus.
18:22:07 <jflory7> I think putting it into Tahrir would require a lot more work is all
18:22:11 <aikidouke> ok - just thinking out loud there
18:22:14 <jflory7> Yup :)
18:22:16 <jflory7> aikidouke++
18:22:23 <nirik> puiterwijk: so that would allow admins to add 'fieldname' 'value' pairs? or ?
18:22:32 <aikidouke> so looks like we must give Pingou more cookies :)
18:22:42 <jflory7> aikidouke: Thanks for tackling and leading on investigation for the Badges Trac migration too.
18:22:44 <puiterwijk> nirik: yes, that's what I asked for
18:23:02 <aikidouke> :) thanks jflory7 - you all have been a big help
18:23:04 <puiterwijk> nirik: so, Ipsilon has a "component" field with "framework", "OpenID", "SAML2", ...
18:23:13 <puiterwijk> and I asked for things like that in Pagure
18:23:18 <nirik> yeah, that could help badges and design indeed.
18:23:18 <puiterwijk> (Ipsilon trac, that is)
18:23:36 * aikidouke must part - $day job stuff
18:24:13 <nirik> ok. So... shall we wait more for the announcement? or go ahead and send it?
18:24:53 <sayan> I am for going ahead and sending it
18:25:21 <nirik> we still have things to figure out, but thats going to be the case for a while I think.
18:25:33 <nirik> and better to get projects thinking about it asap
18:26:21 <cverna_> I agree with sayan and nirik
18:26:42 <doteast> +1 for sending announcements
18:27:02 <tmoreira> +1 send announcements
18:27:05 <nirik> #info announcement draft on gobby for anyone wishing to provide feedback
18:27:23 <nirik> #action nirik will post to list about outstanding items
18:27:52 <nirik> anything else we should discuss here? I guess I'm done unless anyone has brilliant ideas about how to handle freemedia
18:29:45 <nirik> ok. ;)
18:30:05 <nirik> #topic fas plans - kevin
18:30:31 <nirik> puiterwijk: so, whats next on our fas2/freeipa thing?
18:30:45 <puiterwijk> nirik: so, I'm planning to deploy the production version later today.
18:30:51 <puiterwijk> That should get us starting syncing.
18:31:01 <nirik> so, short term, no difference right?
18:31:17 <puiterwijk> Well, I am planning to enable kerberos for prod koji very soon afterwards
18:31:21 <puiterwijk> (probably tonight as well)
18:31:40 <nirik> ok. certs will also keep working however right?
18:31:46 <puiterwijk> so after then, people will be able to login with kerberos if they want and don't yet have a client cert (since the client defaults to cert if they have one)
18:32:02 <puiterwijk> Yep
18:32:12 <nirik> and to do that they need some config and run kinit
18:32:18 <puiterwijk> Yep.
18:32:24 <puiterwijk> Well, currently they need some config
18:32:36 <puiterwijk> I submitted a PR for fedora-packager that would take care of the config, but it has not yet been merged
18:32:44 <nirik> so, whats next after that? perhaps we should write up a roadmap here?
18:32:50 * nirik nods
18:32:58 <puiterwijk> After that I'm planning to start more thorough syncs of user info
18:33:17 <puiterwijk> I have a preliminary patch for that, which will start to sync all information of a user, including group memberships
18:34:10 <puiterwijk> After that, my plan is to move Ipsilon to use it in staging.
18:34:25 <puiterwijk> It has all the code for it, and it would allow people to use single sign on for all Fedora webapps
18:34:57 <nirik> so you then kinit and ipsilon sees your ticket and just logs you in? or ipsilon gets you a ticket when you login via it?
18:35:10 <puiterwijk> You get a ticket and ipsilon sees it and logs you in
18:35:32 <puiterwijk> You can configure gnome-online-accounts to do the kinit part
18:35:33 <nirik> ok.
18:36:14 <nirik> after we have groups we could look at moving to sssd instead of fas_client? or are there things needed still for that?
18:36:22 <puiterwijk> Yep.
18:36:26 <puiterwijk> No, we should be good for that
18:36:49 <nirik> which brings us to fas3. ;)
18:37:04 <nirik> fas3 needs a security audit still... but then what are the next steps after that?
18:37:19 <nirik> if we switch to sssd, we don't need to worry about the fas_client part of things?
18:37:23 <puiterwijk> after that, we have it in staging.
18:37:24 <puiterwijk> Correct
18:37:51 <nirik> and then targeting prod after f25 is out right?
18:38:10 <puiterwijk> Yes, I think that's the plan
18:38:21 <puiterwijk> We'll need to add the sync code to fas3 too, but that shouldn't be too hard.
18:38:40 <puiterwijk> After that, we are planning to kill fas2 in staging, and move to fas3, and then we start porting apps
18:38:55 <nirik> could you perhaps write up this stuff and shoot an email to the list on it? in case other folks have questions or ideas on how we could leverage it...
18:39:01 <puiterwijk> There should not be a lot that still directly connects to FAS anyway
18:39:16 <nirik> yeah, not much. wiki, but we should move it to openid
18:39:24 <puiterwijk> nirik: sure.
18:39:34 <nirik> oh, one other question...
18:39:37 <dgilmore> puiterwijk: we will have to provide some tooling or something for koji config management
18:39:37 <puiterwijk> Yes?
18:39:51 <puiterwijk> dgilmore: sorry, what do you mean there?
18:40:16 <dgilmore> puiterwijk: well I kinda expect we will ship a ssl cert and a krb version
18:40:17 <nirik> how will two factor work in the sssd world? people would need to enroll in freeipa directly and we move all that out of fas? or would we have to sync it somehow?
18:40:46 <puiterwijk> dgilmore: we don't need to. If the client doesn't have a client cert, it'll try kerberos automatically
18:40:49 <nirik> oh, and we need to decide how long tickets last... it's 24 hours by default? we should discuss if we keep that or change it...
18:41:05 <puiterwijk> nirik: My goal is to have 2fa all done by IPA.
18:41:11 <dgilmore> puiterwijk: koji does fall back to krb if the configured auth fails
18:41:38 <dgilmore> puiterwijk: but I can see people needing to manage it, either on a case by case basis, or even a location by location basis
18:42:02 <puiterwijk> dgilmore: I don't see what you mean.. what would people need to manage?
18:42:09 <dgilmore> puiterwijk: I may have a ssl cert but I am at work and have to go through a proxy, in which case I have to use krb for auth
18:42:39 <puiterwijk> any local proxies should not impact the auth stuff...
18:42:41 <dgilmore> puiterwijk: the ssl auth code in koji does not support proxies
18:43:07 <puiterwijk> dgilmore: ah, right. The krb stuff should, but no idea how to configure that
18:43:14 <dgilmore> puiterwijk: right
18:43:34 <dgilmore> puiterwijk: I see cases where people may need to use different configs
18:43:37 <puiterwijk> But we could publish info on how to do that after switching, since it would just be a new feature
18:43:48 <dgilmore> puiterwijk: we may want to deal with it in fedpkg/fedorapackager
18:43:55 <dgilmore> it just needs thought and a plan
18:44:03 <puiterwijk> Right, okay
18:44:23 <nirik> We should also revisit 2fa options when we move to ipa. Ie, should we require 2nd factor if defined for a kerb ticket? for some services? etc, etc.
18:44:27 <puiterwijk> So, I hadn't planned out all of the next steps, only the part where I'm going to make sure people can use it. I was going to come to you afterwards
18:44:47 <dgilmore> puiterwijk: :) okay
18:44:48 <puiterwijk> nirik: we will have the freedom to do it per-service with the new IPA in RHEL7.3.
18:45:24 <puiterwijk> Since then IPA will insert the auth status (2fa or not) into the krb tickets, which means Ipsilon can make decisions based on that
18:45:41 <nirik> puiterwijk: cool. could we also require it if it's defined?
18:45:49 <puiterwijk> nirik: yep, absolutely.
18:46:00 <puiterwijk> But we don't want to yet :)
18:46:39 <puiterwijk> Well, we could require it for all services, we don't want to require it for getting an initial ticket. Technical reasons, I can explain that later
18:46:45 <nirik> great. I can see it being a lot easier to say "hey packagers, if you can, please go here and enable a second factor with yubikey or freeotp and we will use it for your authentication" than "you must have 2factor if you are in the packager group"
18:46:57 <puiterwijk> Yep.
18:47:06 <nirik> sure, thats a sidetrack anyhow, but would be nice.
18:47:21 <puiterwijk> One note: we will not be using the webinterface of IPA itself.
18:47:39 <nirik> puiterwijk: anyhow, could you write this all up for the list? I think it will be good to let folks know where we are heading here.
18:47:44 <puiterwijk> my "hidden" goal in the (VERY) long term is to get to a point where FAS is just a tiny shell around IPA
18:47:52 <puiterwijk> nirik: yep, sure.
18:47:56 <nirik> ok.
18:48:25 <nirik> the web interface might be handy sometimes for admins...
18:48:30 <nirik> but yeah, not users.
18:48:30 <puiterwijk> I'll do that in the same email where I say "Hey, you can get a ticket here"
18:48:51 <puiterwijk> nirik: yes. I've actually disabled all self-service in our IPA web interface. So even if users get access, there's literally nothing they can do
18:49:11 * nirik nods.
18:49:17 <nirik> ok, anything else on this?
18:49:19 <puiterwijk> dgilmore: maybe you can look at getting my fedora-packager patch merged sometime soon :-)
18:49:32 <nirik> #action puiterwijk to send email on fas2/3/freeipa plans
18:49:36 <puiterwijk> It would enable people to get krb tickets without config
18:50:08 <nirik> ok, moving on then...
18:50:11 <nirik> #topic Apprentice Open office hours
18:50:24 <nirik> Any apprentices looking for things to do? or with questions?
18:50:25 <clime> .ticket 5407
18:50:26 <zodbot> clime: #5407 (fix make-git-checkout-seed script) – Fedora Infrastructure - https://fedorahosted.org/fedora-infrastructure/ticket/5407
18:50:34 <nirik> clime: I added debugging to it...
18:50:37 <clime> Did anything interesting appear? :)
18:50:47 <nirik> I guess it runs once a week tho... so it didn't run last night. I can make it run tonight.
18:50:53 <clime> oh ok.
18:51:12 <nirik> I'm curious to see what we get too... it's a weird one
18:51:16 <clime> I'll wait. I am just curious what it will be
18:51:18 <clime> ye
18:51:29 * doteast has spare time and heart
18:51:50 <doteast> I'm looking for things to work on
18:52:21 <doteast> I've recently moved to a conv timezone, and like to help out more
18:52:34 <nirik> cool.
18:52:37 * nirik ponders
18:53:30 <sayan> I am also looking if I can help with something
18:54:19 <nirik> I know smooge is working on automating our nagios setup, but we should really add a check for mirrorlist servers that stop processing. I guess it could be a haproxy check...
18:54:41 <doteast> hmm. sounds interesting
18:55:09 <nirik> there's https://fedorahosted.org/fedora-infrastructure/ticket/5249 (monitor size of FMN queues)
18:55:26 <nirik> I guess tammyb5 was going to look into that
18:55:57 <doteast> yeah, last I check pingou delayed it for a release sake
18:56:00 <nirik> I have a fun one on my list someone could take: figure out rkhunter config such that it doesn't yell about freeipa. ;)
18:56:22 <doteast> ;)
18:56:55 <nirik> I can file the mirrorlist monitor one
18:57:00 <clime> I could perhaps take that funny one...
18:57:11 <clime> quite a challenge
18:57:18 <clime> tho
18:57:24 <nirik> The rkhunter one?
18:57:29 <clime> yep :)
18:57:40 <clime> I can try at least and see
18:58:10 <doteast> nirik, +1 to nagios/mirrorlist and partying with smooge
18:59:02 <nirik> clime: cool. If you can install freeipa in a vm or something it should be easy to see... fedora server would make that pretty easy.
18:59:02 <doteast> nirik, did you file the ticket already ?!
18:59:12 <nirik> doteast: not yet, but in process. ;)
18:59:14 <clime> nirik: alright, thanks!
18:59:35 <doteast> nirik, anything ansible related?
18:59:52 * doteast has a large queue to fill
19:00:40 <nirik> https://fedorahosted.org/fedora-infrastructure/ticket/5453
19:01:10 <nirik> if you want a larger project it would be cool to setup ansible-review to run in a hook in our ansible repo.
19:01:30 <nirik> we would need a config for it, and the hook, but it could be very nice.
19:02:00 <doteast> hmm. sweet, I can look at that as well
19:02:22 <doteast> nirik, thanks
19:02:24 <nirik> it's already packaged, just needs a config and setup and such. Possibly some discussion about what kind of things are ok.
19:02:31 <nirik> ok, I see we are over time...
19:02:34 <nirik> #topic Open Floor
19:02:46 <nirik> quick open floor. Anyone have anything?
19:02:58 <doteast> nothing here...
19:03:05 <nirik> oh, reminder: monday is a holiday in the US.... so fewer people might be around then
19:03:29 <puiterwijk> nirik: you mean people actually take the day off on holidays? :O
19:03:48 <nirik> I hear some of them do, yeah. Quite strange if you ask me. ;)
19:03:55 <nirik> ok, thanks for coming everyone!
19:03:58 <nirik> #endmeeting