18:01:12 <nirik> #startmeeting Infrastructure (2016-05-26)
18:01:12 <zodbot> Meeting started Thu May 26 18:01:12 2016 UTC.  The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:12 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:01:12 <zodbot> The meeting name has been set to 'infrastructure_(2016-05-26)'
18:01:12 <nirik> #meetingname infrastructure
18:01:12 <nirik> #topic aloha
18:01:12 <nirik> #chair smooge relrod nirik abadger1999 lmacken dgilmore threebean pingou puiterwijk pbrobinson
18:01:12 <zodbot> The meeting name has been set to 'infrastructure'
18:01:12 <zodbot> Current chairs: abadger1999 dgilmore lmacken nirik pbrobinson pingou puiterwijk relrod smooge threebean
18:01:12 <nirik> #topic New folks introductions / Apprentice feedback
18:01:26 <jflory7> .hello jflory7
18:01:32 <skamath> .hello skamath
18:01:33 <zodbot> jflory7: jflory7 'Justin W. Flory' <me@justinwflory.com>
18:01:36 <zodbot> skamath: skamath 'Sachin S Kamath ' <sskamath96@gmail.com>
18:01:39 <devyani7> .hello devyani7
18:01:42 <zodbot> devyani7: devyani7 'Devyani Kota' <devyanikota@gmail.com>
18:01:43 <nirik> morning everyone
18:01:50 <jflory7> Hiya!
18:01:53 <skrzepto> .hello skrzepto
18:01:54 <zodbot> skrzepto: skrzepto 'Szymon Mucha' <skrzepto@gmail.com>
18:02:03 * pingou here
18:02:04 * sayan is here
18:02:09 <puiterwijk> hi
18:02:11 <decause> .hello
18:02:11 <zodbot> decause: (hello <an alias, 1 argument>) -- Alias for "hellomynameis $1".
18:02:13 * pcreech is here
18:02:17 <decause> .hello decause
18:02:18 <zodbot> decause: decause 'Remy DeCausemaker' <decause@redhat.com>
18:02:31 * threebean !
18:02:32 <nirik> Are there any new folks who would like to give a short one or two line introduction of themselves? If so, go ahead...
18:02:45 * lmacken 
18:03:05 <skrzepto> I am the new summer intern who will be working on FAS.
18:03:15 <pcreech> I'm not new, per-se, but I'm 'back'
18:03:45 <threebean> skrzepto: welcome!
18:03:54 <jflory7> I'm kind of the same as pcreech. I haven't been around much before now, but I'm getting ready to dive in starting this week and beyond. :)
18:04:05 <pingou> skrzepto: and hubs :)
18:04:10 <threebean> :)
18:04:13 <pingou> skrzepto: and python-fedora and.... and... :D
18:04:19 <skrzepto> pingou, yes :) and other projects ....
18:04:19 <nirik> welcome skrzepto!
18:04:20 <puiterwijk> and packaging flask-oidc
18:04:26 <nirik> and welcome back pcreech
18:04:35 <devyani7> it's my first time here. hello everyone :) Myself: CS Undergraduate, GSoC intern, will be working on Fedora-hubs :)
18:04:51 <nirik> welcome jflory7 and devyani7 too. Lots of new folks. ;)
18:04:55 <pingou> welcome here devyani7 :)
18:05:05 * devyani7 waves to threebean :)
18:05:14 <devyani7> nirik: pingou: thanks :)
18:05:24 <jflory7> Thanks nirik :)
18:06:04 <skamath> Hello, I was away for a couple of weeks. I'll be working with the commops this GSoC :)
18:06:11 <nirik> if anyone needs setup in the apprentice program or pointers on where to get started, do see me after the meeting in #fedora-admin (or ask in the apprentice open office hours later in the meeting)
18:06:18 <skamath> *commops team
18:06:26 <nirik> excellent
18:06:37 <threebean> hey devyani7 :)
18:07:05 <nirik> ok, shall we move on to status/info?
18:07:26 <nirik> #topic announcements and information
18:07:26 <nirik> #info Mass update/reboot cycle complete. Machines are ready for freeze - kevin/smooge/patrick/tflink
18:07:26 <nirik> #info added +50GB space to bodhi-backend01, should last a bit - kevin
18:07:26 <nirik> #info Fedora Message Notifications (FMN) finally caught back up
18:07:26 <nirik> #info root passwords changed on all machines - kevin
18:07:27 <nirik> #info ansible 2.1 on batcave01 for a few, reverted back to 2.0 for now - kevin
18:07:31 <nirik> #info F24 final freeze coming up next week - everyone
18:07:43 <nirik> anything else folks would like to note or mention status and info wise?
18:07:45 * pingou still working on the FMN redesign
18:07:52 <lmacken> nirik: what issues happened with ansible 2.1?
18:08:11 <nirik> lmacken: we hit: https://github.com/ansible/ansible/issues/15996 apparently
18:08:32 <nirik> particularly in the httpd roles stuff it was passing in vars that were getting ignored/not used.
18:08:41 <puiterwijk> #info flask-oidc is ready for folks to start integrating - patrick
18:08:41 <nirik> which made it all blow up. ;(
18:08:45 <puiterwijk> (more to follow in "Learn about")
18:09:33 <nirik> they are looking into it now... hopefully it will have an easy fix and a 2.1.1 will come out
18:10:18 <nirik> lmacken: BTW, last night's updates pushes finished fine, today's are going... I think we are back on track there.
18:10:23 <nirik> Oh, one other info:
18:10:31 <lmacken> nirik: good good.
18:10:37 <nirik> #info monday is a holiday in many places, don't expect people to be around as much as normal
18:11:44 <threebean> #info PyCon US is next week!
18:11:51 <pingou> I've on my todo to send an email to the list about what's going on this summer
18:12:04 <nirik> threebean: oh yeah. That's right...
18:12:09 <nirik> who all is heading to that?
18:12:12 <pingou> we have quite a few projects having quite a few deadlines and I thought it might be cool to present these
18:12:22 <pingou> lmacken: kushal abompard ?
18:12:32 <nirik> pingou: sounds good. perhaps also update infra calendar...
18:12:47 <nirik> kushal I am pretty sure is already there... not sure who else
18:12:59 * threebean will be
18:13:08 <pingou> nirik: they are more project deadline (like before flock), not sure it's worth a calendar entry but we could :)
18:13:09 <threebean> going to try and promote some hacking on the koji test suite at the sprints.
18:13:17 <pingou> cool threebean !
18:13:22 <nirik> excellent.
18:13:50 <nirik> lmacken: you heading to pycon?
18:13:57 <lmacken> nirik: yep, tomorrow
18:13:59 <nirik> pingou: I take it you are not?
18:14:35 <nirik> cool. safe travels all, let us know if there's anything we can help with from our end
18:14:42 <nirik> #topic Seeking feedback on Modularity plans - threebean
18:14:43 <pingou> nirik: indeed, not this year
18:14:58 <threebean> https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/
18:15:00 <threebean> No need to go into this in detail in the meeting, but we're designing "lots of stuff" in the Modularity Working Group, but we don't want to accidentally wind up at cross-odds with the infra team.  Can we schedule a discussion of it next week, so people have some time to prepare and ask questions?
18:15:02 <nirik> threebean: I have your post marked to reply to, but just have not found time. ;( it's been a crazy week
18:15:08 * threebean nods
18:15:25 <threebean> nirik: and there's crazy stuff in modularity land, which we should take slowly and think about and stuff
18:15:27 <pingou> threebean: sounds like a good idea, but pycon?
18:15:31 <nirik> it looked like lots of things were already there (but might get bigger in scope)
18:15:41 <nirik> and a few new things...
18:15:59 <pingou> from what I saw, there are a few changes needed to existing tools, but rather limited, most work seems to be in the new tool
18:16:02 <pingou> s
18:16:31 <threebean> pingou: hm.  I can dip out of pycon for an infra discussion on it if we can next week.
18:16:42 <pingou> roger
18:16:51 <threebean> pingou: yeah - that's probably fair (about new versus old stuff).
18:16:52 <pingou> threebean: all modules are expected to be built from yaml files?
18:16:54 * nirik is ok on a meetup for it... where and when?
18:17:06 <threebean> nirik: could we do it as a section of the infra meeting next week?
18:17:18 <nirik> sure.
18:17:24 <threebean> i'm open to video chat on jit.si anytime too if you want to talk informally.
18:17:53 <nirik> infra meeting next week would be fine with me... and we can expand out if we go too far afield there. ;)
18:18:06 <pingou> wfm too
18:18:08 <threebean> cool cool :)
18:18:44 <nirik> ok, anything else for this right now? or shall we move on?
18:19:00 <threebean> oh - how about this, just for some structure..
18:19:19 <threebean> next week maybe in the "learn about" section, I could go through each piece in the diagram and say a little about how it might need to change?
18:19:28 <threebean> that way it's not just all one big mess.
18:19:42 <nirik> a higher level overview?
18:19:53 * threebean nods
18:19:55 <nirik> that would be welcome. (by me at least)
18:20:04 <threebean> cool.  we can move on and come back to it next week.
18:20:05 <threebean> thanks!
18:20:11 <nirik> sounds good.
18:20:31 <nirik> #topic Apprentice office hours
18:20:41 <nirik> jflory7: you had some queries here...
18:20:45 <skamath> !
18:20:46 <jflory7> Yeah.
18:20:56 <nirik> Question: Would it be inappropriate to use Infinote for public note-taking?
18:20:56 <nirik> (e.g. tasks related to infrastructure projects, like GSoC projects) - jflory7
18:21:10 <nirik> Absolutely fine. You can use it for anything Fedora related.
18:21:16 <jflory7> Okay, cool, thanks. :)
18:21:27 <jflory7> I probably will use it a bit for that this summer then.
18:21:28 <nirik> note that everything is kept in a git repo, so likely bad for anything that should be private
18:21:36 * jflory7 nods
18:21:37 <jflory7> Ack.
18:21:38 <nirik> skamath: go ahead and chime right in. ;)
18:21:58 <skamath> Is there a good yaml guide anywhere around here?
18:22:15 <nirik> hum. I don't know of one off the top of my head, but others might?
18:22:16 <skamath> I wanted to get started with the badges (as part of GSoC)
18:22:18 <puiterwijk> something like http://www.yaml.org/start.html ?
18:22:31 <puiterwijk> Or a more verbose: http://ess.khhq.net/wiki/YAML_Tutorial
18:23:07 <nirik> jflory7: On your other question:
18:23:11 <skamath> puiterwijk: I know the very basics. Nevertheless, I'll go through them :) Thanks. <eof>
18:23:11 <nirik> Suggestion: For a weekly topic, it would be interesting to see how other members
18:23:11 <nirik> of Infra using TaskWarrior manage their workflows / how they use it. - jflory7
18:23:22 <jflory7> skamath: Check this out too for Badges specifically: https://badges.fedoraproject.org/builder
18:23:35 <nirik> I'd be happy to talk about task warrior... I've been using it here for a bit now. I know threebean does... not sure who else.
18:23:45 <puiterwijk> I use it
18:23:47 <skamath> puiterwijk++ jflory7++
18:23:51 <pingou> decause: does iirc
18:24:09 <jflory7> I'm just starting to use it, but it would be cool to see how other members of Infra use it to understand how it can be used, what different things you can do with it, and how it fits into someone
18:24:13 <jflory7> * someone's workflow.
18:24:17 * devyani7 started using today :)
18:24:31 * skamath is poking around with it
18:24:38 <nirik> I did do a blog post not long back about it...
18:24:38 <jflory7> There's plenty of guides online, but a Fedora context would be cool too :)
18:24:52 <jflory7> Ooh, that would be a cool reference for the time being.
18:24:58 <nirik> https://www.scrye.com/wordpress/nirik/2016/03/30/taskwarrior-tips-and-notes/
18:25:03 * devyani7 clicks
18:25:26 <skamath> nirik++ rad!
18:25:47 <nirik> might be time for an update... but yeah, I am liking it pretty well overall.
18:25:49 * jflory7 bookmarks
18:26:31 <nirik> also if you need/want it, there's an android app and a gnome-desktop extension... I set those up, but never use them... :)
18:26:37 <jflory7> Will definitely read it all post-meeting, thanks. :) In addition, would be cool to get a "power user" perspective if anyone else wanted to demo or explain certain things that aren't well-documented with Taskwarrior.
18:26:53 <skamath> Right now, I'm using Evernote to sync.
18:26:56 <nirik> The android app may be of use at flock or the like... note a task if you are not in front of your laptop
18:27:15 * skamath is switching over
18:27:24 <nirik> cool.
18:27:45 <nirik> ok, any other general apprentice questions or issues?
18:27:56 <jflory7> None from me at the moment.
18:28:04 <odin2016> interesting.
18:28:06 <skamath> !
18:28:52 <skamath> How can I get read only access to the fedora machines. Couldn't do much research this week.
18:29:11 <nirik> skamath: we can add you to the apprentice group... see me in #fedora-admin after the meeting and we can get you setup...
18:29:20 <nirik> or for that matter I can do it now... what's your fas account?
18:29:27 <skamath> nirik: I am already in the group :)
18:29:35 <nirik> oh, in that case see:
18:29:50 <nirik> https://infrastructure.fedoraproject.org/infra/docs/sshaccess.rst
18:30:22 <skamath> Cool. Thanks again :)
18:30:42 <nirik> Oh, one quick thing I wanted to mention: There was an interesting article in this week's lwn about 'drive by' contributors...
18:30:45 <skamath> eof
18:30:53 <nirik> ie, people who submit some single patch or fix and that's it...
18:31:10 <misc> but that's in the paid section for now, no ?
18:31:16 <nirik> it had some nice ideas how to make your projects good for such contributors.
18:31:29 * pingou curious
18:31:32 <nirik> yeah, will be out free next week, we can discuss it more then, but might be worth trying to do some of those things...
18:31:48 <nirik> much of which was "have good docs for how to submit things/process"
18:32:04 <pingou> pagure was on lwn last week as well :)
18:32:23 * danofsatx almost forgot
18:32:26 <nirik> so a quick doc with steps, then a detailed version with details on each step... so drive by folks don't need to ask about how to submit their one patch
18:32:27 <danofsatx> I'm here!
18:32:35 <nirik> anyhow, we can discuss that more later.
18:32:37 <nirik> welcome danofsatx
18:32:49 <nirik> #topic Learn about: oidc tutorial part 2 - patrick
18:32:55 <nirik> puiterwijk: take it away. :)
18:33:05 <puiterwijk> Okay, so I get to explain the next part in my OIDC series.
18:33:10 <puiterwijk> First two remarks:
18:33:20 <puiterwijk> 1. I will be scheduling a classroom sometime soon, given the complexity of the subject
18:33:24 <nirik> what's OIDC?
18:33:25 <nirik> :)
18:33:26 <pingou> +1
18:33:34 <pingou> nirik: that's not a remark, that's a question :D
18:33:34 <puiterwijk> OIDC = OpenID Connect
18:34:01 <puiterwijk> 2. I am expecting that people have either attended last week's meeting or read back my part there, since explaining it all over will again take me 30 minutes :)
18:34:29 <puiterwijk> So, with this, let's get this show on the road. This week I was planning to talk about scopes, what are they, what do you do with them, and such
18:34:31 <nb> misc, i think subscribers can send links to stuff, let me see if i can figure out how
18:35:04 <puiterwijk> First off: flask-OIDC has been released last monday. Which means that people can now start integrating their applications against our development instance on iddev.fedorainfracloud.org
18:35:12 <pingou> https://meetbot.fedoraproject.org/teams/infrastructure/infrastructure.2016-05-19-18.00.log.html last week's minutes
18:35:42 <puiterwijk> Okay, so scopes. As some people might know, OpenID Connect is based heavily on OAuth2, which is a specification for getting and using authorization tokens.
18:35:56 <misc> nb: "send free link"
18:36:20 <puiterwijk> These tokens are used to authenticate as a client to a remote API as a specific user.
18:36:55 <nb> #link The value of drive-through contributions https://lwn.net/SubscriberLink/688560/b76a2332f597f06b/
18:36:59 <puiterwijk> You can request tokens as part of the OpenID Connect process as part of the Access token or Authorization Code flows. Note explicitly that the id_token flow does NOT provide you with an access token
18:37:59 <puiterwijk> So, every scope is attached to a client ID (client being the application deployment), and a user that authorized the issuance of the token (the user that logged in).
18:38:16 <pingou> !
18:38:19 <puiterwijk> pingou: yes?
18:38:35 <pingou> can the user choose the scope of the token?
18:38:43 <puiterwijk> The user will consent to the scopes
18:38:51 <pingou> for example on android app foo asks for foo and bar
18:38:59 <pingou> the choice of the user is either: ok or don't use the app
18:39:20 <pingou> I would love if we could do: ok for foo but not for bar
18:39:41 <pingou> (which is what I tried to implement in pagure)
18:39:58 <puiterwijk> Right. The application can do that
18:40:17 <puiterwijk> the application can see what kind of scopes its tokens have at any point, and if it's not enough, get the user to re-authenticate with a larger scopeset
18:40:51 <pingou> :/
18:41:08 <pingou> most devs will say: but for feature X I need bar, so I'll just always ask for bar
18:41:21 <puiterwijk> pingou: the reason for that is that the specification has no way to indicate which permissions are required and which are optional.
18:41:22 <pingou> but I'm digressing :)
18:41:39 <pingou> puiterwijk: pity
18:41:47 <puiterwijk> So that means that if I would make them all optional, a user might issue no consent and return to the app with an empty token, and the app can't use it
18:42:05 <puiterwijk> So, these scopes are basically just a string that points to a specific permission that the token is authorized for
18:42:40 <puiterwijk> There are a few values pre-defined: openid, email, profile, phone. The "openid" scope you will pretty much always want to request, since it authorizes the release of an id_token with any information about the user
18:42:55 <puiterwijk> profile gives name, email and phone are probably self-explanatory
18:43:50 <puiterwijk> We will have to define further scopes for our infrastructure. I will be writing documentation on how to define those soon. Basically, we need to decide on what kind of base URI we will be using
18:44:20 <nirik> we probably will have to go over each app and think what it might need right?
18:44:32 <puiterwijk> nirik: yes
18:44:41 <nirik> fas_groups likely will be popular
18:44:53 <puiterwijk> So when these scopes are defined, an application could for example request "https://fedorahosted.org/koji/scope/build_package", and the user will see a consent screen asking for release of "Build package on Koji" for example
18:45:18 <puiterwijk> nirik: yes, very likely
18:45:29 <pingou> does that mean pagure could trigger a build on koji as the user logged in?
18:45:48 <puiterwijk> pingou: if Pagure had requested a token for the user with that scope and the user consented, yes
18:45:51 <pingou> (bad example due to ssl certs, but for the idea?)
18:45:56 <pingou> cool :)
18:46:06 <puiterwijk> pingou: well, I am working on a patch for koji for it to accept these tokens ... :)
18:46:12 <pingou> \ó/
18:46:22 <puiterwijk> so hopefully we will be able to get rid of ssl certs for koji rather soon
18:46:24 <pingou> puiterwijk: I can write the patch to drop SSL from FAS :D
18:46:32 <puiterwijk> pingou: heh :)
18:46:38 <pingou> \ó/²
18:47:20 <nirik> how does 2fa fit in? could we have some permissions that require the user auth with a second factor?
18:47:58 <puiterwijk> nirik: yes. I am planning to make it possible to mark certain scopes as "requires ACR x"
18:48:09 <nirik> great
18:48:32 <puiterwijk> Also, the Authentication class will be returned as part of the authentication response.
18:49:15 <puiterwijk> These are more things we will need to define, but I am hoping to have a lot of the basic definitions et al ready in a week or two
18:50:07 <puiterwijk> So, I would suggest one thing for application developers: make sure to have a clear view on which scopes you need to request from users, and only request that part. Don't request too much, as the user might get hesitant if the list of permissions requested is too large
18:50:21 <puiterwijk> (if anyone's seen Android pre-M installs, you will likely know what I mean)
18:51:15 <puiterwijk> I think that that's all for now on the scopes part of things for now, this mostly needs a lot of defining at the particular applications regarding what they need
18:52:15 <puiterwijk> Oh, one thing for people that will want to start testing with it: note that you will either need to run on http://localhost or use TLS. You will not be able to enter anything else as return URI when you register your client
18:53:20 <puiterwijk> Are there any further questions? We have 6 more minutes
18:54:02 <nirik> I look forward to our OAUTH2 token overlords
18:54:36 <nirik> thanks puiterwijk
18:54:43 <nirik> #topic Open Floor
18:54:46 <jflory7> puiterwijk++
18:55:02 <nirik> anyone have any final items for open floor? questions, comments, ideas, mad plans to take over the world?
18:55:27 <jflory7> Latter sounds interesting. ;)
18:55:32 <jflory7> Nothing from me, though
18:55:35 <pingou> I have something for the last point, but I can't speak now
18:55:42 <jflory7> pingou++
18:55:47 <devyani7> :P
18:56:02 <puiterwijk> I thought I was well underway of taking over the Fedora authn world...
18:56:14 <odin2016> nope... just poking rhel 5 boxes at work.
18:56:16 <nirik> :)
18:56:41 <nirik> ok, thanks everyone for coming. Do continue in #fedora-admin, #fedora-apps and #fedora-noc.
18:56:45 <nirik> #endmeeting