18:00:04 <nirik> #startmeeting Infrastructure (2015-02-19)
18:00:04 <zodbot> Meeting started Thu Feb 19 18:00:04 2015 UTC.  The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:04 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:00:04 <nirik> #meetingname infrastructure
18:00:04 <zodbot> The meeting name has been set to 'infrastructure'
18:00:04 <nirik> #topic aloha
18:00:04 <nirik> #chair smooge relrod nirik abadger1999 lmacken dgilmore mdomsch threebean pingou puiterwijk
18:00:04 <zodbot> Current chairs: abadger1999 dgilmore lmacken mdomsch nirik pingou puiterwijk relrod smooge threebean
18:00:18 * puiterwijk is here
18:00:58 <dgilmore> hola
18:00:58 * pingou is here
18:01:09 <taedori> here
18:01:32 * danofsatx is here today, for once
18:01:58 <janeznemanic> hello
18:02:01 <tridev> hi
18:02:46 * relrod here
18:04:15 <nirik> ok, lets go ahead and get started. ;)
18:04:24 <nirik> #topic New folks introductions and Apprentice tasks.
18:04:31 <nirik> any new folks like to introduce themselves?
18:04:37 <nirik> or apprentices with questions or comments?
18:04:46 <tridev> I am new in fedora Infrastructure team(I am a second year college student).I didnot get the way to start with it.I know C,Python and linux to beginner level.I want to improve the skills and learn more.
18:04:46 * threebean is here
18:05:09 <nirik> tridev: welcome. ;) Are you more interested in development or sysadmin type work?
18:05:25 <tridev> I am more interested in development
18:05:30 <tridev> :)
18:05:48 <nirik> cool. Do join our #fedora-apps channel and folks there can see about pointing you in the right direction.
18:05:53 <mhurron> :P weekly reminder I'm happy to update the appretice page with an Ansible workflow
18:05:58 <nirik> most of our applications are in python
18:06:19 <nirik> mhurron: might have time to help with that later today... you going to be around this afternoon?
18:06:21 <tridev> okay
18:06:41 <tridev> thank you nirik
18:07:02 <nirik> no problem, and welcome again. ;) Do ask questions as you think of them...
18:07:05 <mhurron> I can try to be, or just mail a dump of info to me and I'll make something of it
18:07:20 <nirik> mhurron: alright.
18:07:50 <nirik> #topic Applications status / discussion
18:07:59 <nirik> any applications news this week or upcoming?
18:08:09 <nirik> I'll note we head into freeze next tuesday for f22 alpha
18:08:15 <pingou> the-new-hotness pushed in prod
18:08:15 <threebean> the-new-hotness got deployed to production this week (on tuesday)
18:08:20 <threebean> pingou: ;p
18:08:24 <pingou> #info the-new-hotness got deployed to production this week (on tuesday)
18:08:32 <threebean> https://stg.fedoraproject.org/wiki/Upstream_release_monitoring
18:08:39 <threebean> doh, not stg.
18:08:46 <threebean> how do you strike something from the record?
18:08:50 <pingou> #info pkgdb2 getting ready for the new branc/package management
18:08:52 <nirik> cool. ;) should we announce that?
18:09:01 <threebean> https://fedoraproject.org/wiki/Upstream_release_monitoring
18:09:15 <dgilmore> #undo
18:09:18 <threebean> heh, yeah we probably should.  use the devel-announce list you think?
18:09:23 <nirik> yep.
18:09:29 <pingou> +1 for me
18:09:30 <threebean> dgilmore: thanks.  it's already buried in the stack now.
18:09:35 <dgilmore> threebean:
18:09:36 <nirik> might note how to add projects that aren't monitored...
18:09:46 <nirik> or opt out
18:09:51 <threebean> will do
18:11:07 <nirik> anything else on the application horizon?
18:11:23 <nirik> are we any closer to a bodhi02.stg thats bodhi2? ;)
18:11:31 <pingou> oh, I got progit to do branch-based pull-requests :)
18:11:45 <nirik> nice
18:11:55 <nirik> Oh, also GSoC proposals are due tomorrow.
18:11:56 <pingou> I'll be working on issue dependency later this week
18:12:15 <pingou> yeah, we got 3 proposal in or so
18:12:25 <pingou> and tyll added some on for rel-eng
18:13:05 * pingou eof
18:13:21 <nirik> cool.
18:13:48 <dcsaba> Hello Team! Answering your question nirik, I want to ask some.
18:14:17 <nirik> dcsaba: hello. ask away.
18:15:03 <dcsaba> First is how much time at least do I must spend on working in the team?
18:15:23 <nirik> there's no requrement... as much time as you like/can spare.
18:16:38 <nirik> anything else on the applications side?
18:16:58 <nirik> #topic Sysadmin status / discussion
18:17:12 <nirik> on the sysadmin side, smooge and I have been busy moving more things to rhel7/ansible.
18:17:21 <puiterwijk> #info pkgs migration is done
18:17:30 <puiterwijk> pkgs02 is now based on rhel7 with ansible.
18:17:38 <threebean> exciting :)
18:17:51 <nirik> I also made a proxy10 in phx2... and just now reinstalled proxy01
18:18:15 <nirik> I also moved all the stuff off virthost04 and shut it down (it was an old old machine we are retiring)
18:18:39 <nirik> we also got a number of new hosts setup... virthost02 and virthost11 (for stg stuff) and virthost-comm04
18:19:33 <nirik> we are down to 31 hosts in puppet.
18:20:02 <nirik> I will send out an email in the next day or two with more detailed status on those hosts. We can't get them all before freeze, but possibly between alpha/beta
18:21:00 <nirik> anything else on the sysadmin side?
18:21:13 <nirik> #topic nagios/alerts recap
18:21:13 <nirik> http://ur1.ca/jr7j4
18:21:21 <nirik> I saved that url this time. ;)
18:21:49 <nirik> of course it's slow to load
18:22:04 <nirik> so, the top 4 are all proxy07.
18:22:17 <nirik> we really need to figure out a way to reinstall that host and proxy.
18:22:48 <nirik> I think smooge might have a way to do so now, will see if we can't move that forward.
18:23:16 <nirik> but I think we are decreasing on alerts this week, which is good.
18:24:10 <nirik> #topic Upcoming Tasks/Items
18:24:10 <nirik> https://apps.fedoraproject.org/calendar/list/infrastructure/
18:24:19 <nirik> anything upcoming anyone would like to note or schedule?
18:24:25 <nirik> next week is f22 alpha freeze.
18:24:44 <puiterwijk> I'm going to attempt a mediawiki upgrade by next week in staging.
18:24:59 <puiterwijk> anyone that has scripts running against mediawiki, please get in contact with me to test
18:25:13 <puiterwijk> (I'll keep reminding every meeting until we move it to prod)
18:25:25 <nirik> puiterwijk: adamw and the ambassadors membership thing in infra are mostly the only users.
18:25:40 <puiterwijk> nirik: I already spoke with adamw yeah, but anyone else is welcome to ping me
18:26:09 <nirik> are you going to try and migrate to postgres too? or did that end up being too difficult?
18:26:22 <puiterwijk> and to anyone: even if your code *should* work with the new mediawiki, we're also migrating to openid, so auth *will* need work.
18:26:52 <threebean> I might try to put out a bugfix release of the fmn web frontend before freeze, but may not get to it in time.
18:26:58 <puiterwijk> I'm going to attempt to migrate to postgres yeah
18:27:13 <threebean> shouldn't affect the noisy backend component.
18:27:40 <nirik> threebean: cool. A blog post/look at what people changed in the default packager settings could be cool. ;)
18:27:57 <threebean> oh, right.  running the numbers.
18:28:01 * threebean queues that up
18:28:57 <nirik> I failed to line up someone to talk about an application today again. Should really add that to the meeting process. :(
18:29:25 <nirik> unless someone wants to free form talking about one? ;)
18:30:25 <nirik> no worries. Will try harder next time. ;)
18:30:29 <nirik> #topic Open Floor
18:30:40 <nirik> anything anyone would like to bring up? Suggestions, comments, etc?
18:31:27 <puiterwijk> nirik: I could do a quick talk about upcoming auth ideas, or is that not what you meant?
18:32:04 <nirik> puiterwijk: sure, would be fine. :) I have been trying to once per meeting talk about one of our applications or things we use... so people could see how it works/was setup/what it did, etc.
18:32:18 <nirik> #topic Upcoming authentication ideas
18:32:38 <puiterwijk> Okay, so I've been working on some stuff for the auth infrastructure
18:32:47 <puiterwijk> first of all, there's the migration to Ipsilon of course.
18:33:09 <puiterwijk> next, I'm planning to implement single login/logout.
18:33:42 <puiterwijk> the login code is at https://github.com/fedora-infra/jsautologin, and I would like to invite anyone to take a look and give comments on how I could improve it within the bounds of the protocols we use
18:34:19 <nirik> where were we on plans to 2fa web applications? someone asked about it the other day...
18:34:48 <puiterwijk> I don't think we decided anything on that in the end. The auth system can support it in Ipsilon, so we can add it
18:35:19 <puiterwijk> after Ipsilon is in production, applications could indicate they want people to use a second factor themselves
18:35:26 <pingou> puiterwijk: adding 2fa in our apps would be nice I think
18:35:27 <nirik> yeah, depends on how we want to do it and what we want to enforce
18:35:36 <mhurron> what 2fa options are supported?
18:35:42 <pingou> mhurron: yubikey and gauth
18:35:43 <puiterwijk> mhurron: currently we have Google Auth and Yubikey
18:35:56 <puiterwijk> well, Google Auth == TOTP in this case
18:36:14 <pingou> puiterwijk: does ipsilon require all 2fa or does it handle a per user difference?
18:36:25 <puiterwijk> pingou: applications can request the user to use 2fa.
18:36:29 <pingou> (as in you have yubikey, I don't)
18:36:46 <puiterwijk> ah, right. that's configurable
18:36:47 <pingou> puiterwijk: but $apps doesn't know if you have 2fa or not, only FAS would know that
18:37:09 <pingou> so all $app can say is: "2fa++ otherwise 1fa"
18:37:16 <puiterwijk> pingou: right, but if the app says "Require 2fa", and the user doesn't have 2fa, Ipsilon would error out.
18:37:30 <puiterwijk> at least, with the current implementation. if we want anything else, we can implement that obviously
18:37:41 <pingou> so unless *all* our users have 2fa, it's not something we can use atm
18:37:53 <puiterwijk> well, we could use it for more sensitive applications
18:37:59 * pingou note: we could require it for admin access
18:38:07 <puiterwijk> yeah
18:38:15 <pingou> hm, nm, we can't
18:38:19 <nirik> but some users may want to enable it for them for all apps that can support it.
18:38:24 <puiterwijk> well, we theoretically could
18:38:49 <puiterwijk> pingou: ^
18:38:56 <pingou> puiterwijk: I was thinking: if you're in X you need 2fa, but before the login, we don't know if you are in X
18:39:17 <puiterwijk> pingou: well, what we could do, is have an app only request group X if it specified it needs 2fa
18:39:35 <puiterwijk> or require re-auth the first time you do an admin action
18:39:47 <pingou> hm :/
18:40:03 <nirik> yeah, lots of things to consider. ;)
18:40:05 <puiterwijk> so we store the current 2fa state (ipsilon will provide that), and if 2fa=false and we try admin action, redirect to Ipsilon for 2fa
18:40:13 <puiterwijk> that'd be something like sudo actually.
18:40:25 <pingou> and most annoying from a UX pov
18:40:42 <puiterwijk> right. but secure.
18:40:50 * relrod has to duck out early to go meet with a professor
18:41:00 <pingou> relrod: good luck :)
18:41:04 <puiterwijk> relrod: have fun
18:41:19 <puiterwijk> pingou: but as said, this is all open for discussion.
18:41:27 <nirik> I think the first case people will want is to use it if they have it... the admin case is interesting too tho I suppose.
18:41:31 <pingou> puiterwijk: but annoying is the most dangerous thing of a secure system, because people will try to go around it :)
18:41:49 <puiterwijk> pingou: well, we'll just have to make sure you can't go around it :-)
18:42:01 <puiterwijk> but yeah, this needs thought
18:42:35 <nirik> indeed.
18:42:49 <nirik> perhaps a mailing list thread for use cases?
18:42:57 <nirik> and applications that might want it
18:43:01 <puiterwijk> yeah, makes sense. I'll start one later today
18:43:26 <nirik> cool. Oh, I just realized till wanted us to discuss a ticket too today...
18:43:41 <puiterwijk> one last thing regarding SSO if I can get one more minute, nirik ?
18:43:45 <nirik> sure.
18:44:10 <puiterwijk> I explained single login, and I'm working on a specification for an OpenID extension for single logout. Will publish that soon
18:44:29 <puiterwijk> that was everything I had in mind at this time. If there's any more questions, feel free to let me know.
18:44:40 <nirik> cool. Thanks for the info.
18:44:49 <pingou> puiterwijk: how long is the session cookie on fedoauth currently?
18:45:08 <puiterwijk> pingou: at this moment 15 minutes. but once I get single logout implemented, I will bump that considerably
18:45:30 <pingou> puiterwijk: I was wondering if we want it higher for sso as well
18:45:38 <puiterwijk> ingyeah, that was my idea
18:45:45 <puiterwijk> yeah, that was my idea*
18:45:46 <nirik> so to signout you just hit a url?
18:46:09 <puiterwijk> nirik: signout is going to be a pretty complicated process that I'm still trying to think entirely through
18:46:20 <puiterwijk> because it will need to hit all of the apps you signed in to
18:46:38 <nirik> ok. I was just pondering the idea of some hook with screensaver/lockscreen to sign out on lock
18:46:57 <nirik> but possibly too difficult. ;)
18:47:00 <puiterwijk> nirik: I have even bigger ideas coming up.. :)
18:47:17 <puiterwijk> but yeah, that's certainly doable
18:47:25 <nirik> ok. cool. ;)
18:47:42 <nirik> #topic ticket 4670
18:47:45 <nirik> https://fedorahosted.org/fedora-infrastructure/ticket/4670
18:47:59 <puiterwijk> .ticket 4670
18:48:01 <nirik> after thinking about this I am in favor... ie, moving to a new domain and http
18:48:03 <zodbot> puiterwijk: #4670 (move planet.fedoraproject.org to fedoraplanet.org) – Fedora Infrastructure - https://fedorahosted.org/fedora-infrastructure/ticket/4670
18:48:27 <nirik> it's sad that it makes our existing cert useless, but oh well, such is life.
18:48:35 <puiterwijk> nirik: yeah, I'm +1 as well
18:48:54 <pingou> nirik: we have a dedicated cert for planet?
18:49:00 <pingou> it's not using *.fp?
18:49:03 <nirik> also I think it will take a while, unless we have a good set of redirects.
18:49:07 <nirik> pingou: we do.
18:49:22 <nirik> its using it's own because we didn't want the wildcard one on people03 where users login
18:49:31 <pingou> ah ok
18:50:03 <nirik> so I think next step here is to get domain and figure out redirects.
18:50:13 <nirik> #info nirik will work on moving this forward.
18:50:30 <nirik> #topic Open Floor (part 2, the open flooring)
18:50:39 <nirik> anything for part 2 of open floor? ;)
18:51:16 <threebean> oh, real quick
18:51:26 <threebean> I put a little work into a little menu thing
18:51:28 <threebean> http://threebean.org/fedmenu/
18:51:38 <nirik> oh yeah. great idea. ;)
18:51:39 <threebean> a javascript blog that we could add to all our apps (like puiterwijk's js auto login script)
18:51:45 <threebean> blob, not blog
18:51:52 <nirik> I think a common menu is our oldest open ticket right now. ;)
18:51:57 <pingou> :)
18:52:01 <threebean> so.  it needs work and polish.. but it should be easy to add everywhere
18:52:13 <threebean> puiterwijk: we should team up so when you go around adding js login everywhere we can add the menu at the same time.
18:52:17 <puiterwijk> threebean: cool! :)
18:52:25 <pingou> and it does not impact the current design of our apps
18:52:27 <pingou> threebean++
18:52:28 <nirik> https://fedorahosted.org/fedora-infrastructure/ticket/130
18:52:46 <puiterwijk> threebean: and yeah, makes sense. would you have time tomorrow?
18:53:12 <threebean> puiterwijk: likely.  although I'm not ready to push it out anywhere yet.. like I say it still needs a little work.
18:53:32 <puiterwijk> threebean: sure, but we can discuss things. we'll discuss it on #-apps
18:53:52 * nirik nods.
18:54:07 <nirik> if no one has anything more, will close out the meeting in a minute or two or less.
18:54:30 <nirik> oh, a quick one from me:
18:54:41 <nirik> we now have a proxy10 and proxy01 in phx2.
18:54:51 <nirik> all/most all the apps are using proxy10.
18:54:58 <nirik> proxy10 is not in dns externally.
18:55:08 <puiterwijk> great!
18:55:14 <nirik> should we add it into dns for external? keep it for just apps?
18:55:24 <puiterwijk> nirik: I say only for internal apps
18:55:39 <puiterwijk> that way, we have a fallback in case we get lots of traffic to the external DNS servers again
18:55:46 <puiterwijk> (thinK: F22 release day)
18:55:53 <nirik> yeah.
18:56:06 <nirik> ok. I am fine with that. we can enable it in external dns if we want tho.
18:56:31 <nirik> ok, thats all I had. ;)
18:56:50 <nirik> Thanks for coming everyone. Do continue over in #fedora-admin, #fedora-apps and #fedora-noc.
18:56:53 <nirik> #endmeeting