[15:01] mmcgrath has set the subject to Fedora Infrastructure -- Who's here
[15:01] mmcgrath: ping all, who's here?
[15:01] * skvidal is here
[15:02] * xDamox is here
[15:02] * Bob-Laptop is not here but does not really count yet
[15:02] mmcgrath: paulobanon, dgilmore, mbonnet__, mbonnet, abadger1999, f13: ping
[15:02] * paulobanon is here
[15:03] notting has joined the group chat (n=notting@redhat/notting)
[15:03] * abadger1999 is here
[15:03] mmcgrath: alright
[15:04] mmcgrath has set the subject to Fedora Infrastructure -- Ticketing System
[15:04] mmcgrath: Let's talk about this and try to come to a conclusion today.
[15:04] * mmcgrath notes the schedule - http://fedoraproject.org/wiki/Infrastructure/Schedule
[15:04] mmcgrath: So here's my current concern.
[15:04] mmcgrath: I'm getting a lot of emails for requests for stuff that anyone in the team could do.
[15:05] mmcgrath: So as we discussed on the list the options are moving to a mailing list or trac.
[15:05] mmcgrath: What do you guys think? (you don't have to be in the Infrastructure team to have a comment on this)
[15:05] paulobanon: trac for me
[15:06] skvidal: I can adapt to either - I think a list is easy - but if there's an rss feed for trac I'll accept that
[15:06] mmcgrath: skvidal: good question.
[15:06] mmcgrath: f13: does trac have an rss feeder?
[15:07] * mmcgrath thinks f13 is away.
[15:07] skvidal: Indeed
[15:07] abadger1999: trac has an rss feed for timeline. Not sure if tickets show up in timeline or not.
[15:07] paulobanon: http://trac.edgewall.org/wiki/TracRss
[15:07] mmcgrath: abadger1999: are you a trac fan or a mail list fan?
[15:08] paulobanon: yes it supports tickets
[15:08] abadger1999: We need to have both a ml and ticketing system.
[15:09] mmcgrath: k, so I'll work on getting a trac system setup and properly configured with Infrastructure for us to take a look at. We can decide to keep it and announce it hopefully next week.
[15:09] paulobanon: sounds good
[15:10] mmcgrath: ok, moving on.
[15:10] mmcgrath has set the subject to Fedora Infrastructure -- Package Database
[15:10] mmcgrath: abadger1999: how are you and G doing?
[15:11] G: I've been a little bit on hold, I've got next week off, so I hope to dedicate a bit of time to it
[15:11] mmcgrath: G: cool.
[15:11] mmcgrath: G: where are you two currently running tests from?
[15:12] G: Toshio created a hosted instance though (http://hosted.fedoraproject.org/projects/packagedb)
[15:12] G: err. test3 I think
[15:12] mmcgrath: test3, k.
[15:12] mmcgrath: k, moving on.
[15:13] mmcgrath: Nothing new in configuration management.
[15:13] mmcgrath has set the subject to Fedora Infrastructure -- VCS choice
[15:13] mmcgrath: jcollie: ping
[15:13] jcollie: mmcgrath, wassup?
[15:13] jcollie: oops
[15:14] mmcgrath: I'm going to have some publictest1 space for you soon for http://fedoraproject.org/wiki/Infrastructure/RFR/GitPackageVCS
[15:14] jcollie: on a phone call, but no progress since last week
[15:14] jcollie: mmcgrath, thanks!
[15:14] mmcgrath: jcollie: k, can you apply for the sysadmin-test group when you get a moment?
[15:14] jcollie: sure
[15:14] * mmcgrath will continue
[15:15] mmcgrath has set the subject to Fedora Infrastructure -- Firewall system rewrite
[15:15] mmcgrath: xDamox: how's all that going?
[15:15] mmcgrath: and the new custom rules?
[15:15] xDamox: mmcgrath, just got to get skvidal to check over this torrent policy
[15:15] skvidal: xDamox: I did check it over
[15:15] skvidal: is there a new one?
[15:15] xDamox: the one in my home dir?
[15:16] xDamox: on lockbox
[15:16] abadger1991 has joined the group chat (n=abadger1@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
[15:16] riel has joined the group chat (n=riel@xxxxxxxxxxxxxxxx)
[15:16] skvidal: did you tell me about those before today?
[15:16] skvidal: I looked at what we talked about before
[15:16] xDamox: nope
[15:16] skvidal: oh, okay
[15:16] xDamox: I was going to email you tonight
[15:17] MrBawb has joined the group chat (i=abob@xxxxxxxxxxxxxxx)
[15:17] skvidal: yes, continue with that plan
[15:17] skvidal: thank you
[15:17] xDamox: if you're happy I can check them in to puppet and firewall will be done
[15:17] * dgilmore is here
[15:17] * abadger1991 back
[15:18] mmcgrath: xDamox: excellent.
[15:18] skvidal: cool-mo-dee
[15:18] mmcgrath: xDamox: anything else?
[15:18] xDamox: do you want any firewall rules applied to xen?
[15:19] JSchmitt has joined the group chat (n=s4504kr@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
[15:19] xDamox: XEN are the only hosts without firewall rules
[15:19] dgilmore: xDamox: yes but we need to work out what
[15:19] xDamox: yea not a problem
[15:19] mmcgrath: ahhh yes.
[15:19] mmcgrath: So here's the problems to overcome.
[15:19] mmcgrath: We'd like to be able to block traffic from the xen guests at the xen host.
[15:19] dgilmore: xDamox: we have some guests we want almost no access to others inside the colo
[15:20] mmcgrath: Note, the xen guests will move around so it's probably smart to have the same rules on all xen hosts.
[15:20] dgilmore: probably need to use ebtables on the xen bridge
[15:20] xDamox: Ok
[15:20] mmcgrath: and 2) the interface name might change when migrating around so rules based off of interface won't work.
[15:20] mmcgrath: ip rules off of IP are easy to circumvent
[15:20] mmcgrath: ip rules off of mac may be spoofable (but could be our best bet)
[15:21] mmcgrath: Any suggestions there?
[15:21] xDamox: I would go with MAC addresses
[15:21] dgilmore: mac address based rules on the bridges
[15:21] xDamox: that would be the best bet
[15:22] mmcgrath: dgilmore: ahh, very true.
[15:22] fchiulli has left ("CGI:IRC (Ping timeout)" (i=824c400f@gateway/web/cgi-irc/ircatwork.com/x-63cc1cf3a5d2721f))
[15:22] warren: The guests cannot change their MAC
[15:22] warren: ?
[15:22] mmcgrath: ok, so we can work on those when the time comes.
[15:22] mmcgrath: warren: the guest can probably change it but the host won't honor it.
[15:22] warren: ah
[15:22] mmcgrath: at least in theory, we'll have to test that.
[15:22] warren: sounds like a plan
[15:23] warren: You might not need to use ebtables though
[15:23] warren: I've used iptables MAC module before
[15:23] fchiulli has joined the group chat (i=824c400f@gateway/web/cgi-irc/ircatwork.com/x-1f7399ce8f2ba354)
[15:23] dgilmore: warren: on a bridge?
SmootherFrOgZ_id is now known as SmootherFrOgZ
[15:23] warren: dgilmore, oh, good question.
[15:23] warren: It is worth trying though
[15:24] warren: If it works, that's one less additional thing to track
[15:24] mmcgrath: <nod> we should take this to the list.
[15:24] warren: agreed
[15:24] dgilmore: mmcgrath: quite possibly we could do rules for known macs we want to allow access then deny everything else
[15:25] abadger1999 has left (No route to host (n=abadger1@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx))
[15:25] mmcgrath: dgilmore: that's true, it's good to know we have options. We'll just have to find the solution that's best for our environment.
[15:25] dgilmore: so if they change mac and it's honored we still drop
[15:25] mmcgrath: <nod>
[15:25] mmcgrath: I skipped one item
[15:25] paulobanon: +1
[15:25] mmcgrath has set the subject to Fedora Infrastructure -- DB1 upgrade
[15:25] mmcgrath: mbonnet__: ping?
[15:25] mmcgrath: mbonnet: ?
[15:25] lennert: iptables can filter on --mac-source on input/forward, anything more fancy needs ebtables
abadger1991 is now known as abadger1999
[15:25] mmcgrath: Right now we're just waiting on the ok from mbonnet to make sure the new postfix version will support koji.
[15:26] mbonnet__: mmcgrath: sorry, in a meeting
[15:26] mmcgrath: mbonnet__: no worries, I'll just move to the next item.
[15:26] mmcgrath: but that's where db1 is at right now.
[15:26] mmcgrath has set the subject to Fedora Infrastructure -- Server Upgrades
[15:26] abadger1999: s/postfix/postgres/
[15:26] warren: mmcgrath, what about postfix doesn't support koji?
[15:26] mmcgrath: abadger1999: err yes
[15:26] warren: oh
[15:26] warren: =)
[15:26] * mmcgrath has post on the mind
[15:27] mmcgrath: So I'm working with the soc on some items with the server upgrade.
[15:27] dgilmore: mmcgrath: for what it's worth my koji install has a FC-6 based postgres
[15:27] paulobanon: i think everyone got confused with that one
[15:27] mmcgrath: dgilmore: excellent.
[15:27] mmcgrath: The new disk tray for our builders came in and is now in use.
[15:27] dgilmore: running on sparc but it's FC-6
[15:27] mmcgrath: 2.0T 691G 1.3T 35% /mnt/ntap-fedora1/fedora
[15:27] dgilmore: f13: don't fill it
[15:27] warren: sparc?
[15:28] dgilmore: warren: yes sparc
[15:28] mmcgrath: I think there's some koji work to enable better garbage collection. Keep in mind what's in our 691G of space right now.
[15:28] mmcgrath: Just Fedora 7.
[15:28] mmcgrath: well and some other stuff.
[15:29] dgilmore: mmcgrath: rawhide also
[15:29] mmcgrath: Also I'm working with the soc to get some warranty stuff figured out. There's some servers I need to double check.
[15:29] mmcgrath: <nod> rawhide.
[15:29] mmcgrath: which right now is basically F7
[15:29] mmcgrath has set the subject to Fedora Infrastructure -- Xen Conversions
[15:29] mmcgrath: I've converted a few more boxes to the iscsi share. We're up to...
[15:30] mmcgrath: 12 hosts at present.
[15:30] mmcgrath: many of them test, a few of them are production.
[15:30] paulobanon: how many left _
[15:30] paulobanon: ?
[15:31] mmcgrath: paulobanon: depends, I don't have a final count right now but by the time we get the server upgrades the target number will change drastically.
[15:31] paulobanon: k k
[15:31] mmcgrath: that's all the priority 1 stuff
[15:31] mmcgrath: Nothing new on bacula
[15:31] mmcgrath: translators stuff is still going well
[15:31] mmcgrath: nothing new on accounts
[15:32] skvidal: did everyone look to make sure they had all their stuff off of fpserv?
[15:32] mmcgrath: f13 isn't around but I suspect nothing terribly new on hosted.
[15:32] skvidal: I emailed about it but didn't get any response
[15:32] mmcgrath has set the subject to Fedora Infrastructure -- FedoraPeople.org
[15:32] mmcgrath: skvidal: everything I have on there should be vanishable
[15:33] skvidal: okie doke
[15:33] skvidal: I'll take that as definitive
[15:33] mmcgrath: heh
[15:33] paulobanon: kill fpserv!
[15:33] mmcgrath has set the subject to Fedora Infrastructure -- Ibiblio Mirror
[15:33] skvidal: thank you
[15:33] mmcgrath: I've been lax on this, I just need to test that they have everything exported correctly.
[15:34] mmcgrath: then find some testers.
[15:34] mmcgrath: So that's all the stuff on the schedule.
[15:34] mmcgrath has set the subject to Fedora Infrastructure -- Open Floor
[15:34] mmcgrath: Anyone have anything they'd like to discuss?
[15:34] dgilmore: skvidal: i had nothing on fpserv
[15:34] skvidal: dgilmore: cool
[15:34] mmcgrath: notting: ping
[15:34] skvidal: dgilmore: I just wanted to be sure
[15:35] notting: mmcgrath: yes?
[15:36] paulobanon: what's with all priority 3 stuff ? is it something that we even want to have there and move it to a thinking about it section ?!
[15:36] paulobanon: s/and/or
[15:36] mmcgrath: notting: do you have a moment to discuss the signing server?
[15:37] mmcgrath: paulobanon: I don't know what is with that stuff.
[15:37] mmcgrath: paulobanon: that reminds me though can you add the wiki cla stuff you're doing with quaid to the list in priority 2?
[15:37] paulobanon: yup
[15:37] notting: mmcgrath: sure
[15:38] mmcgrath: notting: just give us a quick overview of what you guys are doing, what you'll need and what problem it solves.
[15:39] notting: ok
[15:39] notting: first of all, lots of info at http://fedoraproject.org/wiki/JesseKeating/SigningServerSpecDraft
[15:39] mmcgrath: ohhh, very nice.
[15:40] notting: the idea is that instead of just handing out gpg keys and passphrases, we use a signing server to sign packages
[15:40] * warren yay!
[15:40] notting: this server will have lists of what people (FAS accounts) are allowed to sign with what keys
[15:40] notting: there is some code that RH has
[15:40] notting: however, to use a) FAS b) koji it's going to take a lot of hacking. might just need redone
[15:41] notting: what we need: a locked down box with very limited access
[15:41] notting: as the box will need to have private keys on it
[15:41] warren: So outside of the normal FI authentication
[15:42] warren: sysadmin-main shouldn't be able to login as root
[15:42] rdieter has joined the group chat (n=rdieter@xxxxxxxxxxxxxxxxxxxxxxxxxxx)
[15:42] paulobanon: notting: it's the RFR/FedoraCertificateSystem right ?!
[15:42] mmcgrath: warren: Doesn't have to be. We don't have to include sysadmin-main
[15:42] notting: probably not
jwb is now known as jwb_gone
[15:42] mmcgrath: warren: oh, nm, I think we're talking about the same thing
[15:42] dgilmore: warren: no one should log in as root on any box unless it's to fix something broken
[15:42] warren: dgilmore, true
couf is now known as couf_afk
[15:43] warren: mmcgrath, I mean... regular sysadmins or people who could mess with the account system shouldn't be able to grant access to the signing server.
[15:43] mmcgrath: notting: we can work on that part. I've also considered looking into something like two factor authentication for the signers.
[15:43] notting: yeah, it's sort of up in the air how much auth we want from the signers w.r.t FAS (ssh key + fas user/pw? more?)
[15:43] mmcgrath: notting: will the private keys be encrypted?
[15:44] paulobanon: SELinux it hard
[15:44] notting: mmcgrath: as much as any gpg private keys are
[15:44] mmcgrath: k, so we'll just have to discuss and find what solution works best for us.
[15:44] notting: the box does *not* need to be public facing, but it will need to be accessible from the colo so people can request sigs
[15:44] mmcgrath: notting: do you guys have a time frame on any of this yet?
[15:44] notting: wait, strike that
[15:44] warren: signing server shouldn't be connected or depend on FAS at all
[15:45] JSchmitt_ has joined the group chat (n=s4504kr@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
[15:45] notting: if we want people to sign who don't have some sort of bastion access, i suppose it does need to be public
[15:45] mmcgrath: notting: going through bastion won't be an issue.
[15:45] fab has left (Read error: 104 (Connection reset by peer) (n=bellet@xxxxxxxxxxx))
[15:45] fab_ has left (Read error: 104 (Connection reset by peer) (n=bellet@xxxxxxxxxxx))
[15:45] notting: mmcgrath: considering we don't have server code yet, no.
[15:45] tibbs has left ("Konversation terminated!" (i=tibbs@fedora/tibbs))
[15:45] warren: notting, we could abstract access through koji or something.
[15:45] warren: notting, koji keeps track of what wants signing
[15:46] notting: warren: koji has click-through cert auth. makes it *TRIVIAL* to impersonate someone with merely physical access to their box
[15:46] warren: notting, oh, I meant requesting signs, not actual signing.
[15:46] mmcgrath: notting: we'll keep it on our radar for now. let us know when it becomes more... imminent
[15:46] warren: notting, isn't it safe to assume that someone trusted to do actual signing should have bastion access?
[15:47] mmcgrath: notting: we could look at physical key requirements as well. How many signers do you suspect we'll have?
[15:47] notting: warren: in that they're trusted enough to have bastion access, yes, however, it's entirely possible that they wouldn't have needed it for anything else
[15:48] notting: mmcgrath: dunno. more than 2, less than 10.
[15:48] mmcgrath: <nod>
[15:48] mmcgrath: notting: thanks, we'll keep our eyes out for it.
[15:48] mmcgrath: In the meantime does anyone have anything else they'd like to discuss?
[15:48] mmcgrath: paulobanon: you had something?
[15:48] mmcgrath: oh the priority 3 stuff
[15:48] warren: ssh with pubkey -> somehost, where they don't see a shell, it asks for a passphrase that is private for each signer.
[15:49] paulobanon: can't we take a quick tour on that and on the not implemented RFRs
[15:49] paulobanon: and see what can or not be done
[15:49] mmcgrath: sure, so a lot of those things are just sort of on hold.
[15:49] mmcgrath: the priority 3 stuff.
[15:49] paulobanon: cause for someone not on the list for long, it looks like we do nothing
[15:49] paulobanon: since that never changes
[15:49] mmcgrath: I can confirm that postfix, finoc, mailman and speeding up the wiki are on hold or blocking on other people.
[15:50] mmcgrath: lmacken: ping?
[15:50] fab has joined the group chat (n=bellet@xxxxxxxxxxx)
[15:50] mmcgrath: rhlinux.redhat.com migration is the same thing as the elvis stuff. that's going on.
[15:50] paulobanon: FedoraPasteBin - everyone uses pastebin, we still interested in having our one ?
[15:50] mmcgrath: the look and feel stuff ricky is working on (though not around)
[15:50] mmcgrath: yeah, I think it would be good to have our own. Just have to install it I suppose.
[15:51] mmcgrath: and these are the RFR's - http://fedoraproject.org/wiki/Infrastructure/Schedule?action=fullsearch&context=180&value=Infrastructure%2FRFR&titlesearch=Titles
[15:51] paulobanon: no need for that big url
[15:51] paulobanon: just go for /RFR/
[15:51] paulobanon: you have all if you scroll down
[15:51] paulobanon: i added all of them there
[15:52] paulobanon: until 2 weeks ago i think
[15:52] mmcgrath: paulobanon: but some are missing.
[15:52] paulobanon: ill update it later then
[15:52] paulobanon: requesters should add the link there
[15:52] mmcgrath: so those are the rfr's. Some are taken, some aren't. Most are just waiting for worker bees.
[15:52] paulobanon: lazy guys
[15:53] mmcgrath: paulobanon: I actually skipped doing the list that way just because it's so easy to do a search for "Infrastructure/RFR"
[15:53] paulobanon: where do u want the pastebin ? i can talk with lmacken to have it deployed
[15:53] mmcgrath: paulobanon: go ahead and contact luke. see what he says.
[15:53] dgilmore: paulobanon: we were going to integrate it with fas
[15:53] paulobanon: will do
[15:53] warren: dgilmore, cool, limit spam.
[15:54] mmcgrath: dgilmore: we can let apache do that if we want, should be pretty easy.
[15:54] dgilmore: paulobanon: i think that's the main reason it stalled
[15:54] dgilmore: mmcgrath: yeah i think skvidal has some turbogears app he wanted to use
[15:54] * mmcgrath seems to remember some of that.
[15:54] skvidal: dgilmore: a loooooooong time ago
[15:54] warren: dgilmore, I saw other pastebins without auth used by random people as a way to store links to warez
[15:54] dgilmore: mmcgrath: abadger1999's fedora-python stuff should help
[15:55] dgilmore: warren: sure
[15:55] mmcgrath: yep, the fedora-python stuff is beautiful. And very easy to use.
[15:55] paulobanon: can't we limit access the same way we limit access to the cgi's in the admin site ?
[15:55] mmcgrath: Ok, we've got a couple of minutes left. Anyone else have anything they'd like to discuss?
[15:55] dgilmore: skvidal: so now you're a RHer you can get er done
[15:55] skvidal: dgilmore: heh, I'll put it on my list
[15:56] * dgilmore has nothing
[15:56] skvidal: just not ultra-highpriority, ok?
[15:56] dgilmore: skvidal: sure
[15:56] abadger1999: mmcgrath: People have been getting interested in FAS2 recently. But the instance on the test servers is down and we need to have a list of FAS tasks they can jump in to work on.
[15:56] mmcgrath: abadger1999: I haven't had anyone contact me with help. The fas link should be back up in a bit actually.
[15:57] abadger1999: Cool.
[15:57] paulobanon: should we create a Tasks list like the other SIGs have ?!
[15:57] paulobanon: instead of having everything in the schedule
[15:58] paulobanon: if we are gonna test trac, we could convert the current schedule in tasks, and get a proper schedule with milestones in Trac
[15:58] mmcgrath: paulobanon: We'll have to see more when we get into Trac.
[15:58] mmcgrath: The thing about schedules is that it's always been around and we've always used it, when OTRS came around we just ignored it.
[15:59] mmcgrath: I guess we'll just have to set it up and see if we can get our team to actually use it.
[15:59] paulobanon: true
[15:59] mmcgrath: Ok, we're about to run over time.
[15:59] mmcgrath: If no one has anything pressing I'll close the meeting in 30
[15:59] mmcgrath: 10
[15:59] fchiulli has left ( (i=824c400f@gateway/web/cgi-irc/ircatwork.com/x-1f7399ce8f2ba354))
[16:00] mmcgrath has set the subject to Meeting closed
[16:00] mmcgrath: thanks for coming guys.