16:01:35 #startmeeting Infrastructure (2022-04-14)
16:01:35 Meeting started Thu Apr 14 16:01:35 2022 UTC.
16:01:35 This meeting is logged and archived in a public location.
16:01:35 The chair is eddiejennings. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
16:01:35 Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:01:35 The meeting name has been set to 'infrastructure_(2022-04-14)'
16:01:48 .hi
16:01:48 .hello
16:01:48 dtometzki: dtometzki 'Damian Tometzki'
16:01:51 aheath1992: (hello ) -- Alias for "hellomynameis $1".
16:01:51 #meetingname infrastructure
16:01:51 The meeting name has been set to 'infrastructure'
16:01:57 .hello anheath1992
16:01:58 aheath1992: Sorry, but user 'anheath1992' does not exist
16:02:01 #chair nirik siddharthvipul mobrien zlopez pingou bodanel dtometzki jnsamyak computerkid
16:02:01 Current chairs: bodanel computerkid dtometzki eddiejennings jnsamyak mobrien nirik pingou siddharthvipul zlopez
16:02:01 #info Agenda is at: https://board.net/p/fedora-infra
16:02:02 #info About our team: https://docs.fedoraproject.org/en-US/cpe/
16:02:02 #topic greetings!
16:02:03 .hi
16:02:04 mobrien: mobrien 'Mark O'Brien'
16:02:04 .hello aheath1992
16:02:07 aheath1992: aheath1992 'Andrew Heath'
16:02:08 .hi
16:02:10 eddiejennings: eddiejennings 'Eddie Jennings'
16:02:50 morning
16:02:55 #topic New folks introductions
16:02:55 #info This is a place where people who are interested in Fedora Infrastructure can introduce themselves
16:02:55 #info Getting Started Guide: https://fedoraproject.org/wiki/Infrastructure/GettingStarted
16:02:57 .hi
16:02:59 darknao: darknao 'Francois Andrieu'
16:03:18 Good [time appropriate greeting] all!
16:03:33 .hello petebuffon
16:03:34 petebuffon: petebuffon 'Peter Buffon'
16:03:35 Hello everyone
16:03:38 Do we have any new folks with us today? If so, introduce yourselves!
16:03:46 We won't bit!
Not even petebuffon
16:03:55 /s/bit/bite
16:05:39 Last call for new folks introductions!
16:06:04 Hi. I'm Prakash. I've worked as an SRE in the past. I look forward to contributing to Fedora Infra
16:06:13 welcome prakashmishra
16:06:18 o/
16:06:18 Welcome Prakash!
16:06:20 hi
16:06:32 o/
16:06:38 .hello zlopez
16:06:39 mkonecny: zlopez 'Michal Konecny'
16:06:51 Moving along. :)
16:06:52 #topic Next chair
16:06:53 #info magic eight ball says:
16:06:53 ##info chair 2022-04-14 - eddiejennings
16:06:53 ##info chair 2022-04-21 - ??
16:06:53 ##info chair 2022-04-28 - ??
16:07:11 So I'm willing to chair 4/21, since that'll be the end of my on-call week
16:07:12 i will do 28
16:07:23 28th sold to dtometzki
16:07:31 Hi Prakash
16:07:34 I can do 21
16:07:48 21st sold to mobrien
16:07:55 oh no I can't eddiejennings
16:08:05 I am not available
16:08:06 sorry, all bids final :P
16:08:18 I'll do the 28th then :D
16:08:35 ##info chair 2022-04-21 - mobrien
16:08:36 should I do 21
16:08:43 ok
16:08:52 ##info chair 2022-04-28 - eddiejennings
16:09:05 How about May 5th?
16:09:24 yes that is ok
16:09:36 great
16:09:38 ##info chair 2022-05-05 - dtometzki
16:09:59 Excellent.
16:10:08 I think we're well covered for the next few weeks.
16:10:25 #topic announcements and information
16:10:34 #info CPE Infra&Releng EU-hours team has a Monday through Thursday 30 minute meeting going through tickets at 1030 Europe/paris in #centos-meeting
16:10:34 #info CPE Infra&Releng NA-hours team has a Monday through Thursday 30 minute meeting going through tickets at 1800 UTC in #fedora-meeting-3
16:10:34 #info If your team wants support from the Fedora Program Management Team, file an issue: https://pagure.io/fedora-pgm/pgm_team/issues?template=support_request
16:10:34 #info Fedora 36 Beta is out
16:10:35 #info Fedora Final freeze is ongoing
16:10:37 #info thread on fedoraplanet on infrastructure list, chime in if you have thoughts on it
16:10:39 #info Easter Holidays on Friday 15th April and Monday 18th April, plenty of Red Hat folks will be unavailable
16:11:20 #info please help us with improving contribution to fedora infra https://discussion.fedoraproject.org/t/improving-contribution-to-fedora-infrastructure/38294/8
16:11:53 Noted. Any other announcements?
16:12:31 Above is a discussion thread about ways to possibly improve contribution, any and all feedback is wanted and welcomed
16:13:02 I'll take a look at that thread :)
16:13:19 Ok. Shifting gears.
16:13:27 #topic Oncall
16:13:40 #info https://fedoraproject.org/wiki/Infrastructure/Oncall
16:13:40 #info https://docs.fedoraproject.org/en-US/cpe/day_to_day_fedora/
16:13:40 ## .oncalltakeeu .oncalltakeus
16:13:40 #info petebuffon on call from 2022-04-01 to 2022-04-07
16:13:40 #info mobrien on call from 2022-04-08 to 2022-04-14
16:13:41 #info eddiejennings on call from 2022-04-15 to 2022-04-21
16:13:43 #info ? on call from 2022-04-22 to 2022-04-28
16:13:43 Thank you 🙂
16:13:51 You're welcome :D
16:14:07 Any takers for 4/22 - 4/28?
16:15:11 I can take it but I am unavailable on 4/28
16:15:25 Just that one day?
16:15:32 yes
16:15:40 I'll cover for you on the 28th
16:15:59 perfect
16:16:00 #info dtometzki on call from 2022-04-22 to 2022-04-28 (eddiejennings covering 2022-04-28)
16:16:20 Any takers for 4/29 - 5/5?
16:17:40 I can if no one else wants it.
16:17:43 I think 2 weeks in advance is probably ok
16:17:44 I think my cat may be volunteering. He just brought me his little toy :P
16:17:53 Yeah. We can leave it open until next week
16:18:10 Moving along.
16:18:22 #info Summary of last week: (from current oncall)
16:18:36 mobrien, take it away!
16:19:14 I was sick at the end of last week so didn't take it until start of this week but I received no pings
16:19:48 No pings are the best pings :D
16:19:54 things have been quiet...
16:20:09 #topic Monitoring discussion [nirik]
16:20:09 #info https://nagios.fedoraproject.org/nagios
16:20:09 #info Go over existing out items and fixes
16:20:16 I'm guessing Freeze is the reason behind the quiet
16:20:25 nirik, you're up
16:20:47 let's see... I think we are in better shape than before...
16:21:15 2 "down" hosts are just mgmt interfaces misbehaving...
16:21:30 once f36-test is sorted, we should be pretty green.
16:21:43 We have been getting lots of badges and resultsdb alerts....
16:21:55 resultsdb is on the way into openshift, so hopefully that will fix that.
16:22:13 not sure what to do about badges. ;( Perhaps we should adjust the alerting
16:22:37 that's about it, unless there's any questions...
16:22:50 Badges broken or alerting needlessly?
16:23:05 nirik: what's the eta on resultsdb going in? is anyone working on that atm?
16:23:26 f36-test playbook is running as we speak (although looking like it will fail)
16:23:55 eddiejennings: it's getting stuck from time to time and we get alerts on the queue growing, so someone has to go wipe its queue and restart it.
16:24:09 ah
16:24:28 Saffroni1ue: yeah, odra (lrossett) is working on it. not sure how much time he has for it tho... it's been a long road.
16:24:38 we almost have it up in stg.
16:25:08 kk might see how he's getting on, PrakashMishra[m] and I were looking to work on some openshift related tasks
16:26:19 yeah, you might be more in his time zone to help with it too.
16:26:34 also, we have a mini-initiative to move stuff from ocp3 to 4...
16:27:20 I'd like to retire the ocp3.11 cluster soon
16:28:18 anyhow, we can move on from monitoring...
16:28:18 Yes. Saffroni1ue and I were talking about working on some Openshift related tasks. I also have experience working with OCP 3.11 and 4. I will sync with him to see where and how I can help
16:28:28 Noted.
16:28:53 #topic Learning topic
16:28:53 #topic Tor and Tor Services [eddiejennings & petebuffon] - 2022-04-14
16:29:00 So for those that are new.
16:29:19 We generally alternate weeks between someone presenting a learning topic and looking at the ticket backlog.
16:29:24 This week is a learning topic week.
16:29:36 petebuffon and I are going to tag-team it for this week.
16:30:08 petebuffon will start the topic about Tor itself and Tor services, then I'll jump in and start the discussion as it relates to an open ticket we have.
16:30:15 petebuffon, take it away! :D
16:30:38 Okay! So let's enter the world of Tor and the darkweb
16:30:56 * nirik puts on a hoodie.
16:31:06 There are a lot of opinions and politics surrounding Tor, I will focus on how it works.
16:31:10 * eddiejennings secures his tinfoil hat.
16:31:28 Tor was developed in the 1990s by the United States Navy. The Onion Routing Project simply became Tor and was released under a free license in 2004. The Tor Project was founded for maintaining Tor.
16:31:40 https://www.torproject.org/
16:31:55 Tor relies on the concept of onion routing, where messages are encapsulated in multiple layers of encryption.
16:32:06 The encrypted data is transmitted through a series of network nodes called onion routers, each of which decrypts a single layer, uncovering the data's next destination.
16:32:20 Tor relies on TLS for encryption.
16:32:28 The Tor network is operated by a group of worldwide volunteers who each run their own onion router.
16:32:39 When the final layer is decrypted, the message has arrived at its destination.
16:32:48 Each onion router only knows the locations of the preceding and following nodes, resulting in anonymity for both the sending and receiving parties.
16:33:05 images for demonstration
16:33:07 https://en.wikipedia.org/wiki/Tor_(network)#/media/File:How_Tor_Works_2.svg
16:33:11 https://en.wikipedia.org/wiki/Onion_routing#/media/File:Onion_diagram.svg
16:33:31 And for those wanting to go on a deep dive, the crypto is really interesting: https://www.onion-router.net/Publications/CACM-1999.pdf
16:34:06 any questions so far?
16:34:22 * nirik is looking at diagrams
16:35:06 basically tor traffic instead of hopping through normal routers, hops through onion routers.
16:35:35 A key concept, at least from my reading, is the idea of the Tor circuit.
16:35:48 each onion router can only see encrypted payloads because they don't have the encryption keys to decrypt the payload
16:36:14 huh, so the sender client knows all the servers and decides the path on sending? I guess that makes sense because then they can do all the encryption up front. Just the nodes don't know the full path.
16:36:24 Traffic enters the Tor network via a "guard", will be relayed at least once through another node, then exits to the destination via an "exit node"
16:37:17 ya the client decides on a path, or circuit. It's also changed about once every minute
16:38:03 anything else to add eddiejennings before I talk about services?
16:38:33 I think that's about it for an overview. Understanding the idea of the circuit is important for the services. Good job so far :D
16:38:48 nice okay
16:38:57 Servers configured to receive inbound connections only through Tor are called onion services (formerly, hidden services).
16:39:07 Onion services are accessed through a .onion top level domain, which are not actual DNS names.
16:39:15 These sites can only be accessed through the Tor network where the onion address is used to look up public keys and introduction points (located in a distributed hash table) for the service.
16:39:44 Setting up an onion service is as easy as installing Tor (either from package repo or from https://torproject.org), editing the Tor config (/etc/tor/torrc), and then starting the service (systemctl start tor).
16:39:55 Set your web server to listen only on localhost (127.0.0.1) and add the following lines to /etc/tor/torrc:
16:39:58 HiddenServiceDir /var/lib/tor/hidden_service/http
16:40:02 HiddenServicePort 80 127.0.0.1:80
16:40:08 You can get your .onion address with:
16:40:12 $ sudo cat /var/lib/tor/hidden_service/http/hostname
16:40:15 o9asojd8aymqqtoa.onion
16:40:43 this is a small excerpt from a linuxjournal article: https://www.linuxjournal.com/content/tor-hidden-services
16:41:27 clients can either access onion services via the Tor browser
16:41:46 or through socks5 proxies as well
16:42:37 anything to add eddiejennings?
16:43:07 In the example of the webserver, from my understanding, using a Tor service is kind of like running a reverse-proxy on the same host as your web server.
16:43:33 right
16:43:41 Your reverse-proxy (the Tor service) is listening for traffic on port 80 on your public NIC.
16:44:05 Then it hands the traffic off to the loopback interfact on Port 80, which the web server hosting content is listening on
16:44:33 interfact = interface
16:44:49 Questions about the general idea of Tor services?
16:45:13 so I assume there's some way to prevent duplicate names... ie, we advertise o9asojd8aymqqtoa.onion as a pointer to mirrors.fedoraproject.org, something would prevent someone from just setting that hostname and hijacking traffic?
16:46:07 I believe that has to do with the distributed hash table for .onion names, but I'm not exactly sure how that works
16:46:32 ok, just wondering.
16:46:48 Speaking of, this brings us to this ticket.
16:47:05 https://pagure.io/fedora-infrastructure/issue/9549
16:47:19 .ticket9549
16:47:25 .ticket 9549
16:47:27 eddiejennings: Issue #9549: Tor hidden service for update metadata - fedora-infrastructure - Pagure.io - https://pagure.io/fedora-infrastructure/issue/9549
16:47:46 Does Tor have something like DNS?
16:48:44 From what I gathered, yes it does for your Tor services. There is a mechanism that publishes a directory of sorts. petebuffon may have another way of describing it.
16:50:02 ah from a quick poking around... the .onion hostname is a key hash... so it needs to match the key you generate for you to get the traffic/have that valid name
16:50:28 right, it's a private key / public key kinda deal
16:51:07 To determine the feasibility of the request for 9549, there are a few things that have to be considered.
16:51:12 the hash table of onion addresses is stored at each onion router
16:52:04 One question I have, and maybe nirik can shed some light. I learned there's a rust application that is what generates the metalinks used by dnf. Is that the application that's accepting incoming requests, or is a webserver getting the request and handing it to that application?
16:53:14 it's apache -> mirrorlist2 server
16:53:27 so it does hit apache on the proxies first and proxies to mirrorlist2 server
16:54:21 and mirrorlist2 server is what generates the metalinks?
16:54:42 yep
16:54:49 that's the rust app
16:55:45 Which would bring up the question of can that app function behind a Tor hidden service? I don't know the answer to that, but that's something that I think has to be answered to determine if we should move forward.
16:56:28 I would think it could... we could test in staging...
16:56:35 The other thing is, if that's behind a Tor hidden service and functioning, will there be any impact with traffic received by that service that's not coming from the Tor network. Again, don't have the answer for that (my hunch is "no"), but that would have to be known.
16:56:37 I'm not sure how you would enable this in dnf?
16:58:01 (but it sounds like the ticket reporter knows some way?)
16:58:22 My guess on that would be when dnf reaches out to the mirrors, there's a way for the mirrors to see this is coming from Tor and serve up the appropriate metalinks.
16:59:02 So the tl;dr for this ticket is, I don't think it's a hard "no," but there are answers that need to be had to really wrap our heads around it.
16:59:28 well, you can't use .onion addresses in /etc/yum.repos.d/ files... so I don't know how you tell dnf to contact the metalink server over tor...
16:59:58 yeah. Great investigation eddiejennings and petebuffon! Lots to consider and great describing it...
17:00:26 Great talk eddiejennings & petebuffon
17:00:35 The question then becomes, is this worth the time and effort, which we can discuss in #fedora-admin or other channels :)
17:01:16 and if the goals wanted by using tor can be achieved by another method
17:01:26 So we've hit 13:00, any other quick announcements or other things of note?
17:01:41 no many thanks
17:01:45 #topic Open Floor
17:02:21 Thank you to my partner in crime petebuffon for this week's meeting :D
17:02:34 cheers, what a wild ride
17:02:35 thanks eddiejennings, petebuffon was fun
17:02:43 And with that you may return to your regularly scheduled Thursday!
17:02:45 * nirik has to run to another meeting. thanks.
17:02:57 Thanks for running this eddiejennings
17:03:02 #endmeeting