18:00:01 <nirik> #startmeeting Infrastructure (2015-04-02)
18:00:02 <zodbot> Meeting started Thu Apr  2 18:00:01 2015 UTC.  The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:02 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:00:02 <nirik> #meetingname infrastructure
18:00:02 <nirik> #topic aloha
18:00:02 <nirik> #chair smooge relrod nirik abadger1999 lmacken dgilmore mdomsch threebean pingou puiterwijk
18:00:02 <nirik> #topic New folks introductions / Apprentice feedback
18:00:02 <zodbot> The meeting name has been set to 'infrastructure'
18:00:02 <zodbot> Current chairs: abadger1999 dgilmore lmacken mdomsch nirik pingou puiterwijk relrod smooge threebean
18:00:28 <nirik> who's around for an infra meeting? any new folks like to introduce themselves? or apprentices with questions or comments?
18:00:46 <Shad0w_Crux> I'm new. I haven't been formally introduced yet.
18:01:00 <Shad0w_Crux> I just sent out my "Hello" e-mail a few days ago.
18:01:11 <nirik> Shad0w_Crux: welcome. :) If you can give a short one line intro that would be great...
18:01:24 <nirik> also if you are more interested in sysadmin or application development type stuff?
18:01:40 * threebean is here
18:01:50 * pingou as well
18:02:21 <Shad0w_Crux> My name is Turner England. I'm a university student interested in being a sysadmin (and eventually maybe some dev stuff too).
18:02:45 <nirik> Shad0w_Crux: great. :) Please see me in #fedora-admin after the meeting and I can give you pointers on how to get started. ;)
18:02:53 <Shad0w_Crux> Great, thanks.
18:03:18 <dgilmore> hey all
18:03:22 <nirik> hey dgilmore
18:03:40 <nirik> ok, on to the info dump from gobby. Will pause a minute to let anyone add last minute stuff to the document.
18:04:44 <nirik> #topic announcements and information
18:04:44 <nirik> #info askbot upgraded to 0.7.51 - patrick
18:04:44 <nirik> #info All machines updated before the freeze - kevin / smooge
18:04:44 <nirik> #info New release of the releng dash out with previously missing components and smarter pkgdb integration - ralph
18:04:45 <nirik> #link https://apps.fedoraproject.org/releng-dash
18:04:46 <nirik> #info New release of the-new-hotness out with more feedback on bugzilla tickets (patches, srpm failures) and two-way syncing between anitya and pkgdb - ralph
18:04:49 <nirik> #info new pkgdb2 release (mostly bug fixes) - pingou
18:04:51 <nirik> #info new fedocal release (with some very nice new features by rtnpro) - pingou
18:04:53 <nirik> #info new anitya release (with bug fixes and new features) - pingou
18:04:55 <nirik> #info Lots of misc freeze breaks fixing minor stuff for the most part - kevin
18:04:57 <nirik> #info taskotron-stg upgraded and redeployed on f21 machines. hitting problems that seem to be db related but investigation is ongoing - tflink
18:05:00 <nirik> #info it appears that stats from collectd are not being collected for any *.qa.fp.o hosts, even rhel7 boxes - tflink
18:05:28 <nirik> tflink: on that collectd thing, perhaps file a ticket so we don't forget and we can investigate...
18:05:35 <tflink> yeah, will do
18:05:44 <nirik> but you ruled out firewall?
18:05:47 <tflink> I tried poking at it a bit today but didn't really get anywhere
18:05:53 <tflink> I think so, nc seems to be able to connect
18:06:01 <nirik> odd, ok.
18:06:14 <nirik> perhaps it's denying connections from that net for some reason.
18:06:21 <nirik> or hosts in that net.
18:06:26 <tflink> 'nc -uv 10.5.126.13 25826' works from db-qa01.qa
18:06:33 <nirik> ok.
18:06:41 <nirik> we can track it down hopefully. ;)
18:07:02 <tflink> my other thought was that it could be a default setting in collectd or the rrd plugin that ignores hosts in a different domain
18:07:03 <nirik> ok, no one added any discussion topics, so I was going to move on to a 'learn about' session.
18:07:10 <nirik> tflink: could be.
18:07:35 <nirik> I put down to talk about koji, but my addled brain says I might have already done so in a previous meeting? or am I wrong? ;)
18:08:29 <mizdebsk> nirik: yes, the first talk ever was about koji, iirc
18:08:58 <nirik> yeah, just looking back. ;)
18:09:11 <nirik> ok, then would someone like to talk about another app / setup ?
18:09:52 <threebean> heh, not me today.  I'll volunteer another week though.
18:09:59 <nirik> fair.
18:10:08 <dotEast2015> nice to know about fas2
18:10:23 <nirik> I could pontificate on that some...
18:10:41 <nirik> #topic Learn About ... fas (fedora account system)
18:11:04 <nirik> so, fas is our home developed user and authentication management application.
18:11:19 <nirik> There was a version 1 and then a re-write for version 2 which we are using now.
18:11:38 <nirik> A version 3 is far underway already with another re-write and a bunch of new stuff.
18:12:11 <nirik> The first part of fas is a web application. Users sign up there and make accounts, and add passwords and ssh keys and other information to their account.
18:12:48 <nirik> There are groups in fas that have users, sponsors and admins in them. Some of these groups allow members to ssh to some specific hosts, or push commits to specific git repos.
18:13:10 <nirik> sponsors can add new people to groups, admins can add/remove sponsors.
18:13:37 <lmacken> #link https://fedoraproject.org/wiki/User:Laxathom/Drafts:FAS3.0
18:14:04 <nirik> Another part to things is a fasClient tool. It can pull down information about accounts and uses nssdb on linux to setup those users so they have accounts, etc.
18:14:23 <nirik> One very nice thing is that it handles network issues very well as all the data is locally on each host.
18:14:42 <nirik> So, if fas (the web app) is down, you can still login to any machines that were synced via fasClient before then
18:15:21 <nirik> fas also provides an interface to yubikey info for 2fa. (freeotp/google authenticator is via another tool)
18:16:03 <nirik> fas the app is used to authenticate users on some of our older webapps...
18:16:30 <nirik> also, fas servers (specifically fas01) is the place people get ssl certs for koji authentication.
18:17:07 <nirik> We also have a separate fas setup for staging
18:17:25 <nirik> from time to time we sync the production database over to staging, but they are completely separate instances.
18:17:29 <dgilmore> having the cert system resilient and separate would be a high priority
18:17:46 <nirik> dgilmore: yeah, agreed. We have been saying that for years sadly. ;(
18:17:57 <pingou> resilient?
18:18:44 <nirik> pingou: resistant to problems. stable. highly available.
18:18:47 <nirik> something like that
18:19:37 <nirik> anyhow, any questions on that setup or thoughts?
18:19:38 <pingou> should we split it out of FAS?
18:20:05 <pingou> it sounds like a simple API that we could just split out
18:20:20 <nirik> pingou: well, we could. we have talked also about using dogtag or the like.
18:20:37 <nirik> but no one has evaluated how hard that would be to do. ;)
18:20:49 <pingou> http://pki.fedoraproject.org/wiki/PKI_Main_Page ?
18:21:04 <pingou> The Dogtag Certificate System can be downloaded for free and set up in less than an hour.
18:21:07 <pingou> there is the answer :D
18:21:11 <nirik> uh huh.
18:21:28 <nirik> I looked a few years ago and it was a confusing pile of complexity.
18:21:33 <nirik> but perhaps it's a lot better now. ;)
18:21:58 <nirik> anyhow, if someone wants to look and test it and report back to the list that would be great!
18:22:01 <dgilmore> pingou: well right now if fas01 is down we can not issue certs to users
18:22:23 * nirik also keeps thinking we might find a use for ssh certs.
18:22:36 <dgilmore> pingou: dogtag would likely be ideal, but we need to set it up and have a migration plan etc
18:22:58 <mizdebsk> why is it not possible to get someone else's public ssh key from fas?
18:23:10 <dgilmore> dogtag does ocsp which is better than how we do the crl currently
18:23:43 <pingou> dgilmore: could dogtag generate certs compatible with the current system?
18:23:50 <lmacken> yeah, standing up dogtag with ansible could be a good project for someone looking to help out ☺
18:23:57 <nirik> mizdebsk: I don't know the history there... but there was some historical reason for disallowing it.
18:24:13 <nirik> I can try and find out. ;)
18:24:33 <mizdebsk> several times i had to ask other ppl for their keys because i can't get them from fas
18:25:00 <nirik> now that we have rhel7 we could look at switching to ssh certs perhaps. I guess that would fail for 6 machines as long as we still had them tho
18:25:46 <dgilmore> pingou: we would likely start from scratch with a new CA
18:25:48 <nirik> so I guess I will revisit that when we have no 6 left. ;)
18:26:04 <dgilmore> pingou: it can make valid certs but there is not a great migration path
18:26:12 <pingou> ok
18:26:22 <dgilmore> we have about 3 years until the CA cert expires
18:26:32 <dgilmore> we can issue a new one from the Key
18:26:39 <pingou> would dogtag provide that migration path?
18:27:54 <dgilmore> pingou: no
18:28:13 <dgilmore> afaik we can not import what we have
18:28:29 <pingou> dgilmore: and within dogtag?
18:28:39 <pingou> I mean, would we end-up in the same situation in 10 year?
18:28:41 <pingou> s
18:28:50 <dgilmore> pingou: no
18:29:05 <dgilmore> pingou: as long as we stay with dogtag
18:29:10 <pingou> ok
18:29:22 <nirik> who knows what things will be like in 10 years. ;)
18:29:24 <dgilmore> we should talk to the dog tag devs
18:29:24 <nirik> anyhow...
18:29:31 <dgilmore> and see what is possible
18:29:38 <dgilmore> let's move on
18:29:49 <nirik> #help someone should test install and review dogtag for our koji ssl cert needs and report back to the infrastructure list.
18:30:00 <nirik> #topic Open Floor
18:30:06 <nirik> anyone have anything open floor wise?
18:30:11 <nirik> questions, comments, ideas?
18:30:36 <dotEast2015> nirik, thanks for the fas intro, it was informative
18:31:13 <nirik> happy to help. ;) I hope we can use the parts of these meetings without discussions to bring people up to speed on things. ;)
18:31:44 <threebean> If it hasn't already been mentioned, tomorrow is a holiday for Red Hat employees, no?
18:31:50 <nirik> oh yes.
18:31:53 <threebean> US hatters, that is.
18:31:58 <nirik> tomorrow is a holiday for many folks in the US.
18:32:03 <nirik> monday is a holiday for many in EU
18:32:15 <nirik> and those canadians apparently get both! :)
18:32:22 <threebean> what!?  not fair :p
18:32:46 <nirik> yeah, I'm totally moving to canada. ;)
18:32:53 <pingou> +1
18:33:01 <mhurron> damn dirty canadians
18:33:21 <nirik> so, anyhow... don't expect folks to be around much, be patient if waiting for replies, etc.
18:34:09 <nirik> ok, thanks for coming everyone. I give you 25 minutes of your life back. ;)
18:34:12 <nirik> #endmeeting