18:00:56 #startmeeting Infrastructure (2012-05-10)
18:00:56 Meeting started Thu May 10 18:00:56 2012 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:56 Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:00:56 #meetingname infrastructure
18:00:56 The meeting name has been set to 'infrastructure'
18:00:56 #topic Robot Roll Call
18:00:56 #chair smooge skvidal CodeBlock ricky nirik abadger1999 lmacken dgilmore mdomsch threebean
18:00:56 Current chairs: CodeBlock abadger1999 dgilmore lmacken mdomsch nirik ricky skvidal smooge threebean
18:01:01 * relrod here
18:01:02 * skvidal is here
18:01:04 * abadger1999 here
18:01:08 * wolfkit is here
18:01:08 crrowbot here
18:01:12 * lmacken
18:01:15 hola
18:01:20 * jds2001
18:01:21 neldogz is here
18:01:42 here
18:02:07 * nirik waves
18:02:13 * SilentBob is here
18:03:00 #topic New folks introductions and Apprentice tasks.
18:03:00 If any new folks want to give a quick one line bio or any apprentices
18:03:00 would like to ask general questions, they can do so now. Anyone?
18:03:36 * nirik waits a min for any apprentices
18:03:49 Sure, I can start.. I am new here, have about 10 years of general IT experience, strong within the server and networking side
18:04:19 welcome Neldogz. You interested in sysadmin type stuff? or application development?
18:04:50 thank you nirik, I am mostly interested in sysadmin work. monitoring, patching, fixing issues
18:05:09 Neldogz: which monitoring frameworks have you used?
18:05:13 great. see me in #fedora-admin after the meeting and we can see about setting you up.
18:05:29 (yah - what nirik said) :)
18:05:42 will do! skvidal, i have used PRTG and HP SIM for monitoring
18:05:53 I am also currently learning Nagios
18:06:01 any other new folks? or apprentices wanting to talk about tasks?
18:06:10 I am new as well and about the same stats as Neldogz and would also like to get more involved in the system admin side
18:06:38 welcome whiterhino
18:07:09 I have used PRTG and nagios in the past, I currently use icinga and cacti
18:07:12 thanks
18:07:40 we use nagios here... and it needs some rework that various people have looked into. ;)
18:08:06 anyhow, moving along.
18:08:13 #topic two factor auth status
18:08:21 I think we have some movement in this this week?
18:08:27 this is coming along quite nicely :)
18:08:44 I have the pam_url module escaping usernames and passwords, and has been committed to the pam_url source tree
18:08:52 excellent.
18:08:58 there is an odd segfault on 64-bit machines with it.. but I'm still looking in to that
18:09:24 wolfkit: would you be willing also to package it up for Fedora/RHEL?
18:09:49 hehe, kind of one step ahead of you, was playing around with a Fedora package for it last night :)
18:10:00 haven't tested it on RHEL, can do though
18:10:06 cool. I would be happy to review if you like.
18:10:26 I think the cgi side also had a bunch of work this week..
18:10:33 great! will file a ticket when it is ready
18:11:07 and some more items
18:11:07 thanks
18:11:13 mricon did new patches to the totp cgi
18:11:17 #info pam_url is nearly ready to package up and use.
18:11:18 that does the checking of the keys
18:11:32 specifically he added an 'encrypt the seed with the users passphrase/pin'
18:11:53 https://github.com/mricon/totp-cgi <- url for cgi
18:11:54 so the user can have the opened seed on their end - but we only have the one encrypted with their pin/passphrase
18:12:11 this means we never have any unencrypted goo sitting on our system somewhere
18:12:25 now a user could get compromised, of course
18:12:32 but that just gives them one key
18:12:34 not all of them
18:12:38 s/key/seed/
18:12:43 great.
18:12:56 it is terribly neat, actuall
18:12:56 y
18:13:19 provided the pins aren't easily brute forceable...
ie, not like 4 char number only.
18:13:55 ok, anything else on this? or shall we move on?
18:14:14 that's it
18:14:23 nirik: I think the pins can be whatever...
18:14:40 yeah, so we can make it something reasonable (although I don't think they need as much as passwords)
18:14:46 agreed
18:14:47 anyhow, moving along...
18:14:49 #topic Staging re-work status
18:14:50 nod
18:14:53 this is done!
18:14:57 #info done!
18:15:05 yay!
18:15:06 Cool!
18:15:09 and there was much rejoicin
18:15:11 +1
18:15:11 awesome :D
18:15:12 let me know if you run into any problems with staging in the new world order.
18:15:43 #topic Applications status / discussion
18:15:58 any applications news this week? abadger1999 / lmacken / threebean / pingou / CodeBlock
18:16:22 not really, just a lot of bodhi2.0 hacking.
18:16:33 I still need to find a couple of hours to wrap up the packages/tagger deployment
18:16:52 none from me
18:16:53 lmacken: cool. We should still setup a meeting sometime for 2.0 discussions... perhaps after f17 goes gold...
18:17:25 nirik: sounds good
18:18:06 nothing major new with messaging. lots of package reviews (almost done!)
18:18:16 oh, I'll note that now in staging we no longer have a rhel5 host... but the only rhel5 thing we have left is app07 to run old community.
18:18:29 so, hopefully that can putter along until we retire it.
18:18:29 yay for no rhel5!
18:18:36 no more py2.4 :)
18:19:22 sadly, 2.6 is already feeling old :(
18:19:34 I think bapp01 and xen04 (soon to be stopped) and app07 are all we have left now. so, thats good.
18:20:16 (community and smolt's cron job)
18:20:29 oh, and app01.dev I guess...
18:20:33 we need to redo that sometime.
18:20:46 * relrod can do that, just let me know when is good
18:21:03 I think there's some active development going on on it... but I could be wrong... abadger1999 ?
18:21:04 lmacken, its ok..
we can move to 2.8 when it comes out
18:21:15 yeah
18:21:38 relrod: I'll have to coordinate that -- backup stuff and put on the new hosts
18:22:04 relrod: I'd also like to split it into two hosts -- a fas-development server (for developing fas, not a fas for the dev env)
18:22:10 #info will coordinate app01.dev re-install.
18:22:10 relrod: and a pkgdb development server.
18:22:24 lmacken: we might think about building bodhi2 on py3. pyramid is already compatible (and mako and sqlalchemy).
18:22:32 relrod: But if you wanted to create the new hosts.. I could just start moving the code over?
18:22:54 abadger1999: Sounds good. Will start on that tonight after finals or tomorrow.
18:22:54 threebean: good call, I'll create a py3 virtualenv for my local development.
18:23:00 relrod: Cool.
18:23:19 uhhh...
18:23:24 is there a python3 in rhel/epel6?
18:23:29 yup
18:23:29 Not sure if I'd support that unless
18:23:34 :D
18:23:44 we do something about the py3 version in RHEL5/6 vs Fedora
18:23:47 err
18:23:54 just epel6
18:24:16 unless dmalcolm already updated?
18:24:19 * nirik doesn't see it.
18:24:27 * abadger1999 checks whats available
18:24:37 * abadger1999 doesn't either
18:24:53 so... we'd need a whole new stack of deps...
18:25:01 I think he's working on it
18:25:04 lots of packaging work if you want to go that route.
18:25:07 and yeah, it'll require a lot of packaging tweaks
18:25:12 but, inevitable tweaks.
18:25:14 most spec files will have conditionals
18:25:31 should be reasonable to get those changed.
18:26:08 and since it's not in yet, you won't have to worry about it being a really old version of py3
18:26:10 how do things like mod_wsgi handle multiple python versions?
18:26:29 otoh... it does mean that we'll have to support both py2 and py3.
18:26:34 nirik: They don't
18:26:42 so we'd need two sets of app servers too....
18:26:51 yeah, so we would need more servers...
18:26:51 yeah
18:26:56 logistics of this seems more and more suspect.
18:27:03 yeah, true :)
18:27:08 why two sets?
18:27:16 instead of two instances?
18:27:23 jds2001: TG1 and TG2 will never be able to shift over to python3
18:27:31 because some of their deps are never going to port.
18:27:35 jds2001: you mean multiple httpds?
18:27:39 perhaps not necessarily building bodhi2 specifically for py3, but testing on py3 to ensure it's working / compatible with it for a later deployment?
18:27:40 nirik: yeah
18:27:44 lmacken: build it with python-six so bodhi2 can run on py3 someday... someday.
18:27:47 wolfkit: yeah
18:27:56 threebean: yeah, python-six is probably the way to go
18:28:06 so until all of those are ported to different toolkits, we'd need to support modules for python2 and modules for python3.
18:28:15 I suppose that could work, but it's always a bit odd to do that... ie, never know which server restarts when you do a restart, etc.
18:28:15
18:28:51 threebean: six +1... That could be a good way forward -- also the next py3 release will make u"string" valid again
18:28:54 so that will help
18:29:15 :)
18:29:18 nirik: many moons ago at my previous job, I'd ran 20+ httpd instances on one box.
18:29:25 crazy. ;)
18:29:30 and could restart each independently :)
18:29:38 anyhow, worth investigating... we don't have to decide now.
18:29:46 any other application news?
18:29:50 speakin of mod_wsgi, I've been pinging upstream about my hash seed patch. dead air :(
18:30:09 in the mean time, we could potentially do the apache init script hack to enable hash seed randomization
18:30:27 or, we could ship a custom mod_wsgi with my patch
18:30:55 * lmacken looks to see if our python in production already supports it
18:31:03 probably the init script hack would be easier as a hotfix... custom mod_wsgi would require us to keep on our toes updating.
18:31:10 yep
18:31:22 but also note that we are in freeze...
so we need to be careful what we change
18:31:25 I already put the diff for that init script patch in the trac ticket
18:31:35 yeah, probably will have to wait in that case
18:32:01 ok.
18:32:03 oh -- ryansb contributed an ircbot for fedmsg. fun!
18:32:28 cool.... irc message busing. ;)
18:32:55 yeah, our python already supports -R... should be simple to enable it for our apps.
18:33:13 excellent.
18:33:15 (even though there is a bug in the python hash randomization http://bugs.python.org/issue14621)
18:33:35 I doubt any of our apps rely on dict ordering, but we'll still want to test everything in staging first
18:34:18 yeah, perhaps we could do that soon and deploy after freeze... or if it looks fine, just do a freeze break and push it out.
18:34:22 my init script patch is here: https://fedorahosted.org/fedora-infrastructure/ticket/3169
18:35:08 yeah
18:35:22 oh wait, I was looking at the wrong python... looks like we don't have the patch in production
18:35:35 ah, ;(
18:35:50 hopefully a yum update should pull it in though... not positive
18:36:03 I thought I saw that update go by
18:36:23 but I guess not
18:36:51 lets discuss further outside of meeting I guess. I can look into where that update is.
18:37:01 moving along...
18:37:21 #topic Upcoming Tasks/Items
18:37:36 #info 2012-05-08 to 2012-05-22 FINAL FREEZE
18:37:36 #info 2012-05-10 - drop inactive fi-apprentices
18:37:36 #info 2012-05-11 - Skvidal out.
18:37:36 #info 2012-05-22 - F17 release
18:37:36 #info 2012-06-01 - nag fi-apprentices.
18:37:36 #info 2011-06-03 - gitweb-cache removal day.
18:37:38 #info 2012-06-08 OOW: osuosl01.fedoraproject.org
18:37:41 #info 2012-06-17 OOW: sign-vault02.phx2.fedoraproject.org
18:37:42 #info 2012-06-21 to 2012-07-04 Kevin is off on trains and boats.
18:37:44 thats what I have for upcoming.
18:37:59 anyone want to schedule something or note some upcoming task/work?
18:38:06 I'll note something
18:38:28 I am getting buildvm-05 - 08 setup today - and I will be starting a ftbfs run on them
18:38:40 I'll be basing the run from lockbox01 into some disk space there
18:38:51 skvidal: cool. Is this against rawhide I assume?
18:38:56 yeah it will be
18:39:02 nirik: I believe we can close easyfix ticket 3231. After the restart of the unbound service, nagios appears to be performing the check successfully. https://admin.fedoraproject.org/nagios/cgi-bin//extinfo.cgi?type=2&host=unbound-telia01&service=Unbound+443%2Ftcp
18:39:39 Neldogz: yeah, odd. It was doing it for a while, then stopped. ;) Oh well.
18:40:02 skvidal: anything we need to know if we need to stop it or the like?
18:40:12 nirik: no
18:40:15 I wish we could pinpoint what exactly was causing the problem.
18:40:22 nirik: just kill the processes running as me on lockbox01
18:40:31 nirik: and you can either kill or reboot buildvmhost-02
18:40:42 it might eat up some disk space on lockbox01
18:40:48 I'm looking to make sure that won't happen now
18:40:48 Neldogz: me too. oh well, we will see if it happens again I guess.
18:40:53 skvidal: ok.
18:41:12 nirik: hmm - not a lot of disk there, is there...
18:41:12 #info FTBFS run starting on buildvm05-08 and 02.
18:41:18 not 02
18:41:25 question.. when does skvidal get back
18:41:31 buildvm-05 -> 08 - which are all on buildvmhost-02
18:41:36 smooge: I'll be back monday
18:41:39 ah, right, sorry. Could be more clear there.
18:41:42 smooge: my little brother is graduating from college
18:41:50 so I'm away for that this weekend
18:41:55 skvidal: mine just did :)
18:42:00 I should be available via phone some of the time
18:42:01 jds2001: :)
18:42:07 but I wouldn't bet on it
18:42:12 you kids
18:42:36 nirik: can someone that has access re-enable the notifications for the tls/ssh dns check to unbound-telia01
18:42:47 Neldogz: yeah, I can see after the meeting.
18:42:57 cool
18:43:11 #topic Open Floor
18:43:16 anyone have items for open floor?
18:43:35 nirik: I have one item, maybe?
18:43:41 sure, shoot...
18:43:45 ansible made it into epel-6 and fedora now as pkgs
18:43:51 so it is easier for folks to play/test with
18:43:56 it is still evolving
18:44:03 but I wanted to encourage folks to mess with it
18:44:16 cool.
18:44:16 and complain about things if you find issues
18:44:16 * nirik makes a note to try it out here.
18:44:23 will be messing with it next week as I redeploy my home system
18:44:25 I'm using ansible's api to drive the ftbfs stuff
18:44:38 and using the playbooks to setup the buildvm boxes I'm doing today
18:44:48 but more eyes/complaints are good
18:44:51 thx
18:45:32 #info ansible is in fedora/epel, please play with it.
18:46:21 ok, anything else or shall we call it a meeting?
18:47:49 ok, thanks for coming everyone!
18:47:52 #endmeeting