19:00:02 #startmeeting Infrastructure (2011-09-22)
19:00:02 Meeting started Thu Sep 22 19:00:02 2011 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:02 Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:03 #meetingname infrastructure
19:00:03 #topic Robot Roll Call
19:00:03 #chair smooge skvidal codeblock ricky nirik abadger1999 lmacken
19:00:03 The meeting name has been set to 'infrastructure'
19:00:03 Current chairs: abadger1999 codeblock lmacken nirik ricky skvidal smooge
19:00:09 Here
19:00:13 Smoogen is here.
19:00:32 buenos dias
19:00:35 we are dealing with some system outages so this will probably be a short meeting
19:00:38 * LoKoMurdoK here
19:00:41 * nirik is here, but fighting fires.
19:01:00 * rfelsburg here
19:01:22 #topic Freeze Items
19:01:33 Beta freeze is still ongoing
19:01:50 we should not be playing with things in core infrastructure without +1/-1
19:02:11 also, note that freeze is now an extra week.
19:02:12 beta has slipped a week so most beta tickets will wait until then
19:02:26 ending 2011-10-04
19:02:51 ok any questions or points? I think people should watch for any RC2 candidate and download/test
19:03:01 testing is always good.
19:03:42 hey
19:03:58 dgilmore, any items from releng for infra to deal with?
19:04:12 smooge: not right now
19:04:18 cool
19:04:27 any other beta issues or questions?
19:04:46 #topic New People
19:04:56 ok new people.. any new volunteers or such?
19:05:08 good morning all
19:05:19 hi KKA
19:05:20 I am new member here
19:05:31 welcome KKA
19:05:48 working as a sysadmin for past 2 yrs
19:06:11 nirik/LokoMurdok:hi
19:06:34 KKA: well, welcome, do hang out in #fedora-admin and/or #fedora-noc and ask questions and get involved. ;)
19:06:40 See https://fedoraproject.org/wiki/Infrastructure/GettingStarted if you haven't already.
19:07:30 Any other questions or new folks?
19:07:47 #topic Password/Ssh-key/Cert reset flag day discussion
19:08:00 So, we had some discussion of this on the list and in the last irc Board meeting.
19:08:12 I've written up: https://fedoraproject.org/wiki/Infrastructure_mass_password_update
19:08:22 listing the requirements, etc for this.
19:08:42 First thing we need to have in place is good docs. I'm looking at updating the CSI security doc...
19:08:51 any changes or corrections to that are welcome.
19:09:23 Under 'Rationale' it actually says '' instead of the link.
19:09:41 yeah, I started making a wiki page, but then decided the csi thing might be better...
19:09:53 and didn't want to point to the current version until we update it.
19:09:53 Gotcha, just making sure it didn't fall through the cracks.
19:10:10 * CodeBlock here, late sorry
19:10:19 #info feedback wanted on https://fedoraproject.org/wiki/Infrastructure_mass_password_update
19:10:26 #info CSI needs updating first.
19:10:37 5/wg 24
19:10:40 #info scheduling proposed was 1 month after f16 release.
19:10:40 oops :(
19:11:20 Anything more on this topic? anyone have issues/concerns?
19:11:36 oh, I did have one more thing...
19:12:22 I took a quick survey of sysadmin-main folks. Pretty much everyone has yubikeys (except me, can't seem to locate mine) and all but 1 have some form of ios/android device.
19:13:11 google authenticator is pretty nice, but openssh needs a patch to do two factor auth if we wanted to use it for ssh.
19:14:22 I was thinking we might look at doing _either_ pass+yubikey or pass+googleauth (as the person chooses). then folks who want can use the one they like better.
19:14:46 and we would need to add googleauth support to fas... which I don't know how hard that would be.
19:15:22 * abadger1999 has never looked at googleauth
19:15:27 so, all stuff to look into.
19:15:53 https://bugzilla.redhat.com/show_bug.cgi?id=737735
19:15:56 it's under review.
19:16:00 waits for the howls
19:16:13 it's pretty slick actually.
19:16:28 * smooge wonders if we could build our own app to do that for us :)
19:16:40 basically a pam module / command line enroll thing.
19:16:54 smooge: review packages? ;)
19:17:25 well I guess we could write an app for that too
19:17:34 it spits out a nice QR code you can scan with your phone to add the auth
19:17:38 or a numeric.
19:19:13 how does the otp get verified/generated?
19:19:30 is there a backend server like yubikeys?
19:19:59 it's a pam module/command line tool. The command line generates it, and sticks it (by default) into '~/.google_authenticator'
19:20:09 but there's an option to do a per machine location.
19:20:11 nope.
19:21:24 anyhow, just something to consider. That may be a better option for some of our users who don't wish to buy a yubikey.
19:22:06 shall we move on? or anything else on password/key reset or two factor auth?
19:22:48 #topic Bastion outages/openvpn discussion.
19:23:01 So, we have been having problems with our new bastion03 for a while now...
19:23:12 it's bug: https://bugzilla.redhat.com/show_bug.cgi?id=725332
19:23:28 smooge rebuilt a new bastion01 for us that's 32bit and it's so far been just fine.
19:23:37 So, hopefully we have at least a good workaround for it now.
19:25:05 If it continues to look good we will look at replacing bastion02 with a new one, but it will have to happen after the freeze most likely.
19:25:30 anything more on bastion woes? (I just like saying woe)
19:26:07 #topic Upcoming Tasks/Items
19:26:22 Anyone have upcoming tasks or items they are working on they would like to talk about?
19:27:10 I have a proxy08 to setup to replace proxy01 (but bringing it up seems to have affected production, so I need to figure that out)
19:27:51 retrace is setup
19:28:14 it will be ready for test day on Tuesday
19:28:14 smooge: good news. ;) just handing it off to them left?
19:28:20 pretty much.
19:28:21 cool.
19:28:54 my day is waiting for IBM and see what new things they find wrong with the bladecenter
19:29:30 as soon as freeze is over (or sooner in some cases) we need to get things moved off the xen boxes that are going out of warranty...
19:30:33 #topic Request for Resources progress report
19:30:46 #info ask is pretty much all set to move to production
19:30:59 I will be working on setting up ask in the next week or so...
19:31:13 if anyone finds any issues or concerns with the stg instance, please let us know.
19:31:20 I think it's in pretty ok shape.
19:31:37 #info paste is still working in dev to iron out issues.
19:31:46 any other outstanding RFR's ?
19:32:32 #topic Open Floor
19:32:40 ok, anyone have any items for open floor?
19:33:08 #info we are at 217 tickets currently. I'd like to get that under 200 before the end of the year... but I guess we will see.
19:33:37 abadger1999: how's raffle coming along?
19:34:14 nirik: I think I've got everything ready in puppet to push to staging -- was just waiting for a time today when what I did wouldn't clash with any troubleshooting of other stuff.
19:34:39 cool.
19:34:41 * abadger1999 cargo culted a little of the proxy stuff so it'll be a learning experience.
19:34:55 yeah, I am still learning the proxy/caching setup...
19:35:15 httpd -> varnish (sometimes) -> haproxy (sometimes) -> app (sometimes)
19:36:02 yeah
19:36:04 ok, I'll go ahead and close out in a minute if nothing else comes up.
19:36:23 varnish also only seems to be able to work on url matching.
19:36:24 and fas is setup differently in varnish than everything else
19:36:59 yeah, it's setup as a single thing with 3 backends.
19:37:21 and I think it doesn't use haproxy at all?
19:38:23 anyhow, let's go back to #fedora-admin / #fedora-noc.
19:38:27 thanks for coming everyone!
19:38:31 #endmeeting