Meeting Log - 2008-05-22

07:57 < dgilmore> mmcgrath: show time?
07:58 < mmcgrath> yep
07:58 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Who's Here?
07:58 < ivazquez> Pong.
07:58  * ianweller
07:59 < mmcgrath> so who's all here?
07:59  * dgilmore is here
07:59  * skvidal is
07:59 < G> me
07:59  * mmcgrath lets people roll in
07:59  * ricky
07:59  * nirik is off in the spectator seats.
08:00 < jcollie> hello
08:00  * f13
08:01 < mmcgrath> Allrighty, lets get started
08:01 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Open Tickets
08:01 < mmcgrath> .tiny https://fedorahosted.org/fedora-infrastructure/query?status=new&status=assigned&status=reopened&group=milestone&keywords=%7EMeeting&order=priority
08:01 < zodbot> mmcgrath: http://tinyurl.com/2hyyz6
08:01 < mmcgrath> .ticket 395
08:01 < zodbot> mmcgrath: #395 (Audio Streaming of Fedora Board Conference Calls) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/395
08:01 < mmcgrath> jcollie: any news ?
08:02 < jcollie> not really
08:02 < mmcgrath> k, next ticket
08:02 < mmcgrath> .ticket 398
08:02 < zodbot> mmcgrath: #398 (elfutils `monotone' (mtn) error) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/398
08:02 < mmcgrath> abadger1999: jcollie: anything there?
08:02 < jcollie> nope
08:02 < abadger1999> nope
08:02 < abadger1999> It's all roland for now.
08:02 < mmcgrath> k
08:02 < mmcgrath> .ticket 446
08:02 < zodbot> mmcgrath: #446 (Possibility to add external links on spins page) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/446
08:02 < mmcgrath> dgilmore: any news?
08:03  * dgilmore notes that he sucks
08:03 < mmcgrath> hah, no news then?
08:04 < mmcgrath> .ticket 547
08:04 < zodbot> mmcgrath: #547 (Koji DB Server as postgres 8.3) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/547
08:04 < mmcgrath> abadger1999: so we're going to package this but we didn't really get any farther than that.
08:04 < abadger1999> mmcgrath: Right.  It's packaged and in the fi-repo now.
08:04 < abadger1999> F-9 versions.
08:04 < dgilmore> abadger1999: is this weekend too soon to roll out
08:05 < dgilmore> abadger1999: just thinking we can piggy back on the fsck
08:05 < abadger1999> I thought we were going to wait for the dedicated koji db server?
08:05 < jcollie> fsck is going take almost 24hrs anyway
08:05 < dgilmore> we can do that also
08:05 < abadger1999> We could deploy now... just saying that was my original plan.
08:06 < mmcgrath> yeah, lets just wait for the new server.
08:06 < mmcgrath> That way we can call an outage, try to migrate. if it fails, we can just turn db2 back on. no harm no foul
08:06 < abadger1999> <nod>  Makes sense to me
08:06 < dgilmore> having done a conversion from 8.1 to 8.3 it was pretty smooth
08:06 < mmcgrath> we can do it this weekend but I won't be around much is all.
08:07 < mbonnet> the dump/restore will take a significant amount of time
08:07  * abadger1999 likes having an escape option
08:07 < dgilmore> mbonnet: which is why i suggested during the 24 hr window for the fsck
08:08 < dgilmore> but im with abadger1999
08:08 < abadger1999> <nod> Do we know how long the backup currently takes on the koji db?
08:08 < dgilmore> we do 4 a day
08:08 < dgilmore> restore will take longer i think
08:08 < mmcgrath> abadger1999: the backups don't take long, the restores take a very long time though. I'm not sure how long though.
08:08 < abadger1999> yeah.
08:09 < mmcgrath> its the indexes
08:09 < mmcgrath> abadger1999: to give you an idea, the backup is 4.1G, the database is 61G.
08:10 < abadger1999> <nod>
08:10 < mmcgrath> anywho. I'll leave that up to you tosho when you want to do it. It'd be nice to do a trial run first and import of all the production data to know what issues we'll run into.
08:11 < mmcgrath> anything else on that?  If not we'll move on.
08:11 < abadger1999> k. For the real thing I say wait for the koji db server.
08:11 < abadger1999> Nope, no more.
08:11 < mmcgrath> k
08:11 < mmcgrath> next item
08:11 < G> yeah, kind of makes sense
08:11 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- The Wiki Migration
08:11  * ricky must go now :-(
08:11 < mmcgrath> So the new wiki will be in place on Friday (most of it)
08:11 < mmcgrath> ricky:  later!
08:11 < ianweller> woo, my subject. :D
08:12 < ianweller> ricky: cya
08:12 < mmcgrath> we're officially doing the switchover on Tuesday.
08:12  * dgilmore hopes he can continue to use moin syntax
08:12 < ianweller> i've had enough with moin syntax :/
08:12 < mmcgrath> the idea is we'll do the main mass import on friday, go through, fix up, test, etc. Then just re-import the pages that have changed in moin.
08:12  * lmacken wants LaTeX syntax by default ;)
08:12 < mmcgrath> This will consume almost all of my time starting two days ago until Tuesday.
08:13 < ianweller> same here
08:13 < mmcgrath> ianweller and ricky have also been hard at work but if _any_ of you have free time we can use additional hands and eyes on this.
08:13 < mmcgrath> in testing, verifying, etc.
08:13 < mmcgrath> We're in good shape but there's a couple of hangups right now.
08:13 < mmcgrath> 1) auth
08:13 < mmcgrath> and 2) auth -> email mapping.
08:13 < mmcgrath> beyond that I don't think there's any blockers.
08:13 < jcollie> brb
08:14 < mmcgrath> A reminder, you won't be able to do regex watchlists anymore. (that's a design choice and one of the reasons Moin was so slow on page saves)
08:14 < ianweller> tomorrow after the main mass import my first priority is to fix up the WikiEditing page
08:14 < mmcgrath> s/slow/expensive/
08:14 < mmcgrath> but you should (if we get the extension configured in time) be able to watch /wiki/Docs/* for example.
08:15 < mmcgrath> This is going to be painful for about the first month I suspect. After that we'll all be glad we switched.
08:15 < mmcgrath> Does anyone have any questions or comments about the wiki?
08:15 < mmcgrath> Anyone want to volunteer some time?
08:15  * ianweller
08:15 < mmcgrath> oh!  G's also been mega helpful in this too.
08:15 < mmcgrath> as has smooge
08:15 < dgilmore> mmcgrath: what do we have as the backend/frontend setup?
08:15 < ianweller> mediawiki allows spaces in page names.
08:15 < mmcgrath> dgilmore: backend is going to be db1, frontend is going to be app[1-2]
08:16 < smooge> ?
08:16 < mmcgrath> well the append
08:16 < mmcgrath> smooge: talking about mediawiki :-P
08:16 < G> mmcgrath: I might be able to help on Tuesday, but it'll be a balancing act
08:16 < mmcgrath> to start we won't be deploying any caching abilities of mediawiki. I want to make sure to get a baseline.
08:16 < mmcgrath> G: thanks.
08:17 < mmcgrath> Anyone have anything else to discuss there?
08:17 < mmcgrath> k, next item
08:17 < smooge> ah ok.
08:17 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- 3rd party machine auth.
08:18 < mmcgrath> this is on the infrastructure list right now
08:18 < mmcgrath> nirik: ping (see topic)
08:18 < nirik> you rang?
08:18 < mmcgrath> What do y'all think? I want to be able to provide this but I need to do it in a way that won't get me fired.
08:18  * nirik doesn't want to cause any security problems... but it would be nice to have.
08:19 < nirik> I need ssh pub keys & logins I guess... no password auth.
08:19 < mmcgrath> nirik: and its a service we'd like to be able to provide.
08:19 < G> this is where something like two factor authentication would be nice
08:19 < mmcgrath> does anyone think this is a service we should not provide?
08:20 < G> oh I really do think it's something we should provide
08:20 < mmcgrath> G: indeed, I'd like to do that but right now I'm -ENOTIME unless someone else wants to pick up the job.
08:20  * ianweller is reading the list archive
08:21 < nirik> G: which 2 factors? ssh key + openid or something?
08:21  * dgilmore thinks we should provide it.
08:21 < ianweller> is the subject 'FAS and public Key auth'?
08:21 < G> if you were to do something like what the banks use (two factor auth) you have something *you* know and something you *don't* know
08:21 < dgilmore> but im biased as im one of those wanting it
08:21 < mmcgrath> Yeah, i don't think anyone is against providing it, the question now is how to do it properly.
08:21 < mmcgrath> G: yeah, and we have a couple of options there.
08:21 < G> shouldn't be too hard to implement inside fedora, you could have a pam_fas plugin or something to manage the something you don't know token
08:22 < G> login to fas, bam there is the one use token that you can use to login to the core machines w/ your public key
08:23 < nirik> well, I thought 2 factor is more: something you know + something you have... (cell/secureid fob, etc), but ok.
08:23 < wfp> To make it worth doing, doesn't 2 factor auth need something like a hardware crypto card?
08:23 < G> wfp: not really
08:23 < mmcgrath> wfp: that makes it much more secure, but there are levels of security between single factor and two factor w/ hardware key.
08:24 < nirik> if we have * and cell phone numbers we could use that... "call from fedora account system, do you auth this, press 1"
08:24 < G> nirik: that sounds costly :)
08:24 < ivazquez> There's PhoneFactor, but I don't think they work outside NA.
08:24 < ianweller> nirik: G: myopenid.com does that.
08:24 < G> get a SMS gateway to sponsor text messages
08:24 < ianweller> G: costly to the end user
08:24 < G> ianweller: ohhh okay
08:24  * dgilmore just wants to easily give fedora community access to a sparc box for doing mock builds
08:25  * dgilmore really doesnt care how its achieved
08:25  * nirik just wants to give fedora community access to ppc and x86_64 boxes for mockbuilds and debugging.
08:25 < dgilmore> mmcgrath: ill bring you a sparc box to put into phx :)
08:25 < G> I agree, we should provide it for those exact reasons (didn't I mention this in my F10 wishlist? :P)
08:26 < mmcgrath> Lets think on this for another week or so and talk about it at the next meeting as well.
08:26 < nirik> I can also think of more fun stuff down the road... on demand test virtuals, access to archive of rawhide daily installs, etc.
08:28 < G> exactly, Debian offer Developer (equiv to our cvsextras) access to donated boxes for testing w/ chroots, bugfixing etc
08:28 < mmcgrath> alrighty then, beyond that I've got nothing else.
08:28 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Open Floor
08:28 < mmcgrath> Who's got something they want to discuss?
08:28 < lmacken> SELinux!
08:28 < mmcgrath> lmacken: have at it.
08:28 < lmacken> I sat down with Dan Walsh today, and we tackled the SELinux issues around bastion, app1, and proxy1.
08:28 < lmacken> .ticket 230
08:28 < zodbot> lmacken: #230 (SELinux Deployment) - Fedora Infrastructure - Trac - https://fedorahosted.org/projects/fedora-infrastructure/ticket/230
08:28 < lmacken> see the ticket for more details :)
08:28 < lmacken> progress is being made
08:29 < mmcgrath> if only we can get Dan to sit down with everyone who wants to use selinux :)
08:29 < lmacken> seriously
08:29 < mmcgrath> lmacken: how bad of shape are we in?
08:29 < lmacken> mmcgrath: well, we've got a lot of custom apps, running in a lot of custom locations.
08:29 < lmacken> which is easily fixable from an selinux standpoint
08:29 < lmacken> but puppet..
08:29 < lmacken> that's where we need the changes
08:30 < mmcgrath> lmacken: how does selinux work with the satellite deployment tools?
08:30 < lmacken> Brett Lentz (wakko666) has been doing a great job of pushing the selinux patch and unit test to puppet upstream
08:30 < lmacken> mmcgrath: No clue whatsoever
08:31 < mmcgrath> <nod>
08:31 < lmacken> dwalsh is pretty determined to get our infrastructure working 100% with SELinux by F10
08:31 < dgilmore> lmacken: builders will need a lot of work
08:31 < ivazquez> What a coup that would be for SELinux.
08:31 < mmcgrath> lmacken: now with selinux and puppet are you talking about deploying selinux policies via puppet? Or actually what puppet does when deploying configs is causing selinux issues?
08:31 < lmacken> dgilmore: yes, but a lot of that is being done right now by Eric Paris, with the mock/livecd-creator stuff, right ?
08:31 < dgilmore> lmacken: not really
08:32 < dgilmore> lmacken: similar but different
08:32 < lmacken> mmcgrath: deploy custom policies, booleans, and contexts with puppet.. and also making puppet smart when creating new files
08:33 < mmcgrath> solid.
08:33 < mmcgrath> well, baby steps I guess :)
08:33 < lmacken> indeed. I'm meeting with dan again next week. I'll keep that ticket up to date with our progress
08:33 < mmcgrath> solid.
08:34 < mmcgrath> lmacken: are you or dan going to hold some training sessions for the rest of our team?
08:34 < lmacken> mmcgrath: yeah, we'll make sure it's well documented and people know how to use it
08:34 < mmcgrath> solid.
08:35 < mmcgrath> anything else on selinux?
08:35 < lmacken> nada
08:35 < abadger1999> lmacken: You might want to look at app2 as well
08:35 < abadger1999> app1 is the one app server not running all of our TG apps.
08:35 < mmcgrath> solid
08:36 < mmcgrath> anyone have anything else they'd like to discuss?
08:36 < lmacken> abadger1999: yep, we'll get there :) we just wanted to hit a few different types of machines today to get a good high-level idea of what we're dealing with
08:36 < G> The voting app is near readiness
08:36 < abadger1999> Yeah, you're doing really great work on that!
08:36 < G> Hopefully I'll have something ready for testing with the masses in a day or two
08:37 < mmcgrath> G: you've got everything you need to put together a public test of it for everyone right?
08:37 < G> I've got an RPM ready, but I spotted something wack with the URLs etc but hopefully get that fixed today
08:38 < ivazquez> Although not quite FI-specific, do we have the new planet up somewhere?
08:38 < G> mmcgrath: all I really need to create a dummy fas login, so I don't expose a real user login on pt10 and a new group in the main fas
08:38 < G> but yeah, I'll do a test deploy today on pt10 and see what happens
08:38 < mmcgrath> ivazquez: the new planet? Like what skvidal has been up to?
08:38 < mmcgrath> G: solid
08:38 < skvidal> ivazquez: call me slartibartifast!
08:39 < ivazquez> Yes.
08:39 < ianweller> hey now. slartibartfast is my computer's host name.
08:39 < ianweller> that would get confusing for me :/
08:39 < ianweller> ;)
08:39 < skvidal> ivazquez: we still only have 78 people in the .planet files
08:39 < G> if anyone wants to, the new group is currently meant to be "elections" :P
08:39 < skvidal> and 230 in the existing planet
08:39 < dgilmore> skvidal: im sorry i suck and have not done it yet
08:39 < ivazquez> Well, it would still be nice if the 78 people could make sure that their feeds work :P
08:39 < G> skvidal: that's a third, the rest will fall in line when they suddenly disappear :)
08:40 < skvidal> ivazquez: agreed
08:40 < ivazquez> Plus it might get some others in gear when they see it happening.
08:40 < ianweller> skvidal: if you need help with pinging individual people, i'm up for it after the wiki switch ;)
08:40 < skvidal> ianm: nah
08:40 < skvidal> err ianweller nah
08:40 < iWolf> mmcgrath: re, the wiki, has any PHP hardening been done or considered?
08:40 < skvidal> ivazquez: agreed - but it's only been a week - so I didn't want to piss off everyone :)
08:40 < G> abadger1999: btw, thanks
08:40 < ivazquez> A week is Forever in Fedora time.
08:41  * skvidal rolls his eyes
08:41 < ivazquez> Heh.
08:41 < ianweller> so it takes 26 forevers for each fedora release? ;)
08:41 < mmcgrath> iWolf: we have mod_security mildly deployed. Beyond that though no. Needs someone with time and experience to do it, I only have the latter at the moment.
08:41 < jcollie> ianweller: sometimes it seems like it
08:42 < abadger1999> G: For what? You've been doing all the work :-)
08:42 < iWolf> mmcgrath: understood.
08:42 < G> abadger1999: I was saying thanks for your comment :)
08:42 < ianweller> mediawiki is pretty secure (lots of testing), not so sure about the extensions though
08:42 < ianweller> the more extensions you have, the more potential holes you have.
08:43 < iWolf> mmcgrath: does one just need sysadmin-test to access the current wiki server php config?
08:43 < mmcgrath> iWolf: yes.
08:43 < mmcgrath> iWolf: We've got multiple deploys of it going, if you want your own you're encouraged to install one :)
08:43 < iWolf> mmcgrath: :)
08:43  * ianweller has one at /w-ian/
08:44 < ianweller> that's where he's writing his IRCLog extension for the moment.
08:44 < mmcgrath> we've got like 5 or 6 wiki's I think :)
08:44 < ianweller> something like that
08:45 < mmcgrath> Ok, well talks seem to have calmed down a bit. If no one has anything else we'll close a little early this week. I'll give it 30
08:46 < G> yeah, I have nothing more
08:46 < mmcgrath> 15
08:46 < mmcgrath> 5
08:46 -!- mmcgrath changed the topic of #fedora-meeting to: Infrastructure -- Meeting End
08:46 < mmcgrath> Thanks for coming everyone!
08:46 < G> I'll sort out the log
08:47 -!- giallu [n=giallu@xxxxxxxxxxxxxxxxxxxxxxxxxxx] has joined #fedora-meeting
08:47 -!- mmcgrath changed the topic of #fedora-meeting to: Channel is used by various Fedora groups and committees for their regular meetings | Note that meetings often get logged | For questions about using Fedora please ask in #fedora | See http://fedoraproject.org/wiki/Communicate/FedoraMeetingChannel for meeting schedule

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
