18:01:12 #startmeeting Infrastructure (2016-05-26)
18:01:12 Meeting started Thu May 26 18:01:12 2016 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:12 Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:01:12 The meeting name has been set to 'infrastructure_(2016-05-26)'
18:01:12 #meetingname infrastructure
18:01:12 #topic aloha
18:01:12 #chair smooge relrod nirik abadger1999 lmacken dgilmore threebean pingou puiterwijk pbrobinson
18:01:12 The meeting name has been set to 'infrastructure'
18:01:12 Current chairs: abadger1999 dgilmore lmacken nirik pbrobinson pingou puiterwijk relrod smooge threebean
18:01:12 #topic New folks introductions / Apprentice feedback
18:01:26 .hello jflory7
18:01:32 .hello skamath
18:01:33 jflory7: jflory7 'Justin W. Flory'
18:01:36 skamath: skamath 'Sachin S Kamath '
18:01:39 .hello devyani7
18:01:42 devyani7: devyani7 'Devyani Kota'
18:01:43 morning everyone
18:01:50 Hiya!
18:01:53 .hello skrzepto
18:01:54 skrzepto: skrzepto 'Szymon Mucha'
18:02:03 * pingou here
18:02:04 * sayan is here
18:02:09 hi
18:02:11 .hello
18:02:11 decause: (hello ) -- Alias for "hellomynameis $1".
18:02:13 * pcreech is here
18:02:17 .hello decause
18:02:18 decause: decause 'Remy DeCausemaker'
18:02:31 * threebean !
18:02:32 Are there any new folks who would like to give a short one or two line introduction of themselves? If so, go ahead...
18:02:45 * lmacken
18:03:05 I am the new summer intern who will be working on FAS.
18:03:15 I'm not new, per-se, but I'm 'back'
18:03:45 skrzepto: welcome!
18:03:54 I'm kind of the same as pcreech. I haven't been around much before now, but I'm getting ready to dive in starting this week and beyond. :)
18:04:05 skrzepto: and hubs :)
18:04:10 :)
18:04:13 skrzepto: and python-fedora and.... and... :D
18:04:19 pingou, yes :) and other projects ....
18:04:19 welcome skrzepto!
18:04:20 and packaging flask-oidc
18:04:26 and welcome back pcreech
18:04:35 it's my first time here. hello everyone :) Myself: CS Undergraduate, GSoC intern, will be working on Fedora-hubs :)
18:04:51 welcome jflory7 and devyani7 too. Lots of new folks. ;)
18:04:55 welcome here devyani7 :)
18:05:05 * devyani7 waves to threebean :)
18:05:14 nirik: pingou: thanks :)
18:05:24 Thanks nirik :)
18:06:04 Hello, I was away for a couple of weeks. I'll be working with the commops this GSoC :)
18:06:11 if anyone needs setup in the apprentice program or pointers on where to get started, do see me after the meeting in #fedora-admin (or ask in the apprentice open office hours later in the meeting)
18:06:18 *commops team
18:06:26 excellent
18:06:37 hey devyani7 :)
18:07:05 ok, shall we move on to status/info?
18:07:26 #topic announcements and information
18:07:26 #info Mass update/reboot cycle complete. Machines are ready for freeze - kevin/smooge/patrick/tflink
18:07:26 #info added +50GB space to bodhi-backend01, should last a bit - kevin
18:07:26 #info Fedora Message Notifications (FMN) finally caught back up
18:07:26 #info root passwords changed on all machines - kevin
18:07:27 #info ansible 2.1 on batcave01 for a few, reverted back to 2.0 for now - kevin
18:07:31 #info F24 final freeze coming up next week - everyone
18:07:43 anything else folks would like to note or mention status and info wise?
18:07:45 * pingou still working on the FMN redesign
18:07:52 nirik: what issues happened with ansible 2.1?
18:08:11 lmacken: we hit: https://github.com/ansible/ansible/issues/15996 apparently
18:08:32 particularly in the httpd roles stuff it was passing in vars that were getting ignored/not used.
18:08:41 #info flask-oidc is ready for folks to start integrating - patrick
18:08:41 which made it all blow up. ;(
18:08:45 (more to follow in "Learn about")
18:09:33 they are looking into it now... hopefully it will have an easy fix and a 2.1.1 will come out
18:10:18 lmacken: BTW, last night's updates pushes finished fine, today's are going... I think we are back on track there.
18:10:23 Oh, one other info:
18:10:31 nirik: good good.
18:10:37 #info monday is a holiday in many places, don't expect people to be around as much as normal
18:11:44 #info PyCon US is next week!
18:11:51 I've on my todo to send an email to the list about what's going on this summer
18:12:04 threebean: oh yeah. That's right...
18:12:09 who all is heading to that?
18:12:12 we have quite a few projects having quite a few deadlines and I thought it might be cool to present these
18:12:22 lmacken: kushal abompard ?
18:12:32 pingou: sounds good. perhaps also update infra calendar...
18:12:47 kushal I am pretty sure is already there... not sure who else
18:12:59 * threebean will be
18:13:08 nirik: they are more project deadline (like before flock), not sure it's worth a calendar entry but we could :)
18:13:09 going to try and promote some hacking on the koji test suite at the sprints.
18:13:17 cool threebean !
18:13:22 excellent.
18:13:50 lmacken: you heading to pycon?
18:13:57 nirik: yep, tomorrow
18:13:59 pingou: I take it you are not?
18:14:35 cool. safe travels all, let us know if there's anything we can help with from our end
18:14:42 #topic Seeking feedback on Modularity plans - threebean
18:14:43 nirik: indeed, not this year
18:14:58 https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/
18:15:00 No need to go into this in detail in the meeting, but we're designing "lots of stuff" in the Modularity Working Group, but we don't want to accidentally wind up at cross-odds with the infra team. Can we schedule a discussion of it next week, so people have some time to prepare and ask questions?
18:15:02 threebean: I have your post marked to reply to, but just have not found time. ;( it's been a crazy week
18:15:08 * threebean nods
18:15:25 nirik: and there's crazy stuff in modularity land, which we should take slowly and think about and stuff
18:15:27 threebean: sounds like a good idea, but pycon?
18:15:31 it looked like lots of things were already there (but might get bigger in scope)
18:15:41 and a few new things...
18:15:59 from what I saw, there are a few changes needed to existing tools, but rather limited, most work seems to be in the new tool
18:16:02 s
18:16:31 pingou: hm. I can dip out of pycon for an infra discussion on it if we can next week.
18:16:42 roger
18:16:51 pingou: yeah - that's probably fair (about new versus old stuff).
18:16:52 threebean: all modules are expected to be built from yaml files?
18:16:54 * nirik is ok on a meetup for it... where and when?
18:17:06 nirik: could we do it as a section of the infra meeting next week?
18:17:18 sure.
18:17:24 i'm open to video chat on jit.si anytime too if you want to talk informally.
18:17:53 infra meeting next week would be fine with me... and we can expand out if we go too far afield there. ;)
18:18:06 wfm too
18:18:08 cool cool :)
18:18:44 ok, anything else for this right now? or shall we move on?
18:19:00 oh - how about this, just for some structure..
18:19:19 next week maybe in the "learn about" section, I could go through each piece in the diagram and say a little about how it might need to change?
18:19:28 that way it's not just all one big mess.
18:19:42 a higher level overview?
18:19:53 * threebean nods
18:19:55 that would be welcome. (by me at least)
18:20:04 cool. we can move on and come back to it next week.
18:20:05 thanks!
18:20:11 sounds good.
18:20:31 #topic Apprentice office hours
18:20:41 jflory7: you had some queries here...
18:20:45 !
18:20:46 Yeah.
18:20:56 Question: Would it be inappropriate to use Infinote for public note-taking?
18:20:56 (e.g. tasks related to infrastructure projects, like GSoC projects) - jflory7
18:21:10 Absolutely fine. You can use it for anything Fedora related.
18:21:16 Okay, cool, thanks. :)
18:21:27 I probably will use it a bit for that this summer then.
18:21:28 note that everything is kept in a git repo, so likely bad for anything that should be private
18:21:36 * jflory7 nods
18:21:37 Ack.
18:21:38 skamath: go ahead and chime right in. ;)
18:21:58 Is there a good yaml guide anywhere around here?
18:22:15 hum. I don't know of one off the top of my head, but others might?
18:22:16 I wanted to get started with the badges (as part of GSoC)
18:22:18 something like http://www.yaml.org/start.html ?
18:22:31 Or a more verbose: http://ess.khhq.net/wiki/YAML_Tutorial
18:23:07 jflory7: On your other question:
18:23:11 puiterwijk: I know the very basics. Nevertheless, I'll go through them :) Thanks.
18:23:11 Suggestion: For a weekly topic, it would be interesting to see how other members
18:23:11 of Infra using TaskWarrior manage their workflows / how they use it. - jflory7
18:23:22 skamath: Check this out too for Badges specifically: https://badges.fedoraproject.org/builder
18:23:35 I'd be happy to talk about task warrior... I've been using it here for a bit now. I know threebean does... not sure who else.
18:23:45 I use it
18:23:47 puiterwijk++ jflory7++
18:23:51 decause: does iirc
18:24:09 I'm just starting to use it, but it would be cool to see how other members of Infra use it to understand how it can be used, what different things you can do with it, and how it fits into someone
18:24:13 * someone's workflow.
18:24:17 * devyani7 started using today :)
18:24:31 * skamath is poking around with it
18:24:38 I did do a blog post not long back about it...
18:24:38 There's plenty of guides online, but a Fedora context would be cool too :)
18:24:52 Ooh, that would be a cool reference for the time being.
18:24:58 https://www.scrye.com/wordpress/nirik/2016/03/30/taskwarrior-tips-and-notes/
18:25:03 * devyani7 clicks
18:25:26 nirik++ rad!
18:25:47 might be time for an update... but yeah, I am liking it pretty well overall.
18:25:49 * jflory7 bookmarks
18:26:31 also if you need/want it, there's an android app and a gnome-desktop extension... I set those up, but never use them... :)
18:26:37 Will definitely read it all post-meeting, thanks. :) In addition, would be cool to get a "power user" perspective if anyone else wanted to demo or explain certain things that aren't well-documented with Taskwarrior.
18:26:53 Right now, I'm using Evernote to sync.
18:26:56 The android app may be of use at flock or the like... note a task if you are not in front of your laptop
18:27:15 * skamath is switching over
18:27:24 cool.
18:27:45 ok, any other general apprentice questions or issues?
18:27:56 None from me at the moment.
18:28:04 interesting.
18:28:06 !
18:28:52 How can I get read only access to the fedora machines? Couldn't do much research this week.
18:29:11 skamath: we can add you to the apprentice group... see me in #fedora-admin after the meeting and we can get you setup...
18:29:20 or for that matter I can do it now... what's your fas account?
18:29:27 nirik: I am already in the group :)
18:29:35 oh, in that case see:
18:29:50 https://infrastructure.fedoraproject.org/infra/docs/sshaccess.rst
18:30:22 Cool. Thanks again :)
18:30:42 Oh, one quick thing I wanted to mention: There was an interesting article in this week's lwn about 'drive by' contributors...
18:30:45 eof
18:30:53 ie, people who submit some single patch or fix and that's it...
18:31:10 but that's in the paid section for now, no ?
18:31:16 it had some nice ideas how to make your projects good for such contributors.
18:31:29 * pingou curious
18:31:32 yeah, will be out free next week, we can discuss it more then, but might be worth trying to do some of those things...
18:31:48 much of which was "have good docs for how to submit things/process"
18:32:04 pagure was on lwn last week as well :)
18:32:23 * danofsatx almost forgot
18:32:26 so a quick doc with steps, then a detailed version with details on each step... so drive by folks don't need to ask about how to submit their one patch
18:32:27 I'm here!
18:32:35 anyhow, we can discuss that more later.
18:32:37 welcome danofsatx
18:32:49 #topic Learn about: oidc tutorial part 2 - patrick
18:32:55 puiterwijk: take it away. :)
18:33:05 Okay, so I get to explain the next part in my OIDC series.
18:33:10 First two remarks:
18:33:20 1. I will be scheduling a classroom sometime soon, given the complexity of the subject
18:33:24 what's OIDC?
18:33:25 :)
18:33:26 +1
18:33:34 nirik: that's not a remark, that's a question :D
18:33:34 OIDC = OpenID Connect
18:34:01 2. I am expecting that people have either attended last week's meeting or read back my part there, since explaining it all over will again take me 30 minutes :)
18:34:29 So, with this, let's get this show on the road. This week I was planning to talk about scopes, what are they, what do you do with them, and such
18:34:31 misc, i think subscribers can send links to stuff, let me see if i can figure out how
18:35:04 First off: flask-OIDC has been released last monday. Which means that people can now start integrating their applications against our development instance on iddev.fedorainfracloud.org
18:35:12 https://meetbot.fedoraproject.org/teams/infrastructure/infrastructure.2016-05-19-18.00.log.html last week's minutes
18:35:42 Okay, so scopes. As some people might know, OpenID Connect is based heavily on OAuth2, which is a specification for getting and using authorization tokens.
18:35:56 nb: "send free link"
18:36:20 These tokens are used to authenticate as a client to a remote API as a specific user.
18:36:55 #link The value of drive-through contributions https://lwn.net/SubscriberLink/688560/b76a2332f597f06b/
18:36:59 You can request tokens as part of the OpenID Connect process as part of the Access token or Authorization Code flows. Note explicitly that the id_token flow does NOT provide you with an access token
18:37:59 So, every scope is attached to a client ID (client being the application deployment), and a user that authorized the issuance of the token (the user that logged in).
18:38:16 !
18:38:19 pingou: yes?
18:38:35 can the user choose the scope of the token?
18:38:43 The user will consent to the scopes
18:38:51 for example on android app foo asks for foo and bar
18:38:59 the choice of the user is either: ok or don't use the app
18:39:20 I would love if we could do: ok for foo but not for bar
18:39:41 (which is what I tried to implement in pagure)
18:39:58 Right. The application can do that
18:40:17 the application can see what kind of scopes its tokens have at any point, and if it's not enough, get the user to re-authenticate with a larger scopeset
18:40:51 :/
18:41:08 most devs will say: but for feature X I need bar, so I'll just always ask for bar
18:41:21 pingou: the reason for that is that the specification has no way to indicate which permissions are required and which are optional.
18:41:22 but I'm digressing :)
18:41:39 puiterwijk: pity
18:41:47 So that means that if I would make them all optional, a user might issue no consent and return to the app with an empty token, and the app can't use it
18:42:05 So, these scopes are basically just a string that points to a specific permission that the token is authorized for
18:42:40 There are a few values pre-defined: openid, email, profile, phone. The "openid" scope you will pretty much always want to request, since it authorizes the release of an id_token with any information about the user
18:42:55 profile gives name, email and phone are probably self-explanatory
18:43:50 We will have to define further scopes for our infrastructure. I will be writing documentation on how to define those soon. Basically, we need to decide on what kind of base URI we will be using
18:44:20 we probably will have to go over each app and think what it might need right?
18:44:32 nirik: yes
18:44:41 fas_groups likely will be popular
18:44:53 So when these scopes are defined, an application could for example request "https://fedorahosted.org/koji/scope/build_package", and the user will see a consent screen asking for release of "Build package on Koji" for example
18:45:18 nirik: yes, very likely
18:45:29 does that mean pagure could trigger a build on koji as the user logged in?
18:45:48 pingou: if Pagure had requested a token for the user with that scope and the user consented, yes
18:45:51 (bad example due to ssl certs, but for the idea?)
18:45:56 cool :)
18:46:06 pingou: well, I am working on a patch for koji for it to accept these tokens ... :)
18:46:12 \ó/
18:46:22 so hopefully we will be able to get rid of ssl certs for koji rather soon
18:46:24 puiterwijk: I can write the patch to drop SSL from FAS :D
18:46:32 pingou: heh :)
18:46:38 \ó/²
18:47:20 how does 2fa fit in? could we have some permissions that require the user auth with a second factor?
18:47:58 nirik: yes. I am planning to make it possible to mark certain scopes as "requires ACR x"
18:48:09 great
18:48:32 Also, the Authentication class will be returned as part of the authentication response.
18:49:15 These are more things we will need to define, but I am hoping to have a lot of the basic definitions et al ready in a week or two
18:50:07 So, I would suggest one thing for application developers: make sure to have a clear view on which scopes you need to request from users, and only request that part. Don't request too much, as the user might get hesitant if the list of permissions requested is too large
18:50:21 (if anyone's seen Android pre-M installs, you will likely know what I mean)
18:51:15 I think that that's all for now on the scopes part of things for now, this mostly needs a lot of defining at the particular applications regarding what they need
18:52:15 Oh, one thing for people that will want to start testing with it: note that you will either need to run on http://localhost or use TLS. You will not be able to enter anything else as return URI when you register your client
18:53:20 Are there any further questions? We have 6 more minutes
18:54:02 I look forward to our OAUTH2 token overlords
18:54:36 thanks puiterwijk
18:54:43 #topic Open Floor
18:54:46 puiterwijk++
18:55:02 anyone have any final items for open floor? questions, comments, ideas, mad plans to take over the world?
18:55:27 Latter sounds interesting. ;)
18:55:32 Nothing from me, though
18:55:35 I have something for the last point, but I can't speak now
18:55:42 pingou++
18:55:47 :P
18:56:02 I thought I was well underway of taking over the Fedora authn world...
18:56:14 nope... just poking rhel 5 boxes at work.
18:56:16 :)
18:56:41 ok, thanks everyone for coming. Do continue in #fedora-admin, #fedora-apps and #fedora-noc.
18:56:45 #endmeeting