============================================
#fedora-meeting: Infrastructure (2011-09-15)
============================================

Meeting started by nirik at 19:00:00 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2011-09-15/infrastructure.2011-09-15-19.00.log.html .

Meeting summary
---------------
* Robot Roll Call  (nirik, 19:00:01)

* New folks introductions and apprentice tasks/feedback  (nirik, 19:02:36)

* Password/Ssh-key/Cert reset flag day discussion.  (nirik, 19:04:28)
  * ACTION: nirik will whip up a plan/schedule.  (nirik, 19:18:28)

* Bastion outages/openvpn discussion.  (nirik, 19:19:45)
  * bastion03 hopefully stable now.  (nirik, 19:23:30)
  * will look at setting heartbeat back up after the freeze.  (nirik, 19:23:42)

* Upcoming Tasks/Items  (nirik, 19:25:29)

* Open Floor  (nirik, 19:32:11)

Meeting ended at 19:34:39 UTC.

Action Items
------------
* nirik will whip up a plan/schedule.

Action Items, by person
-----------------------
* nirik
  * nirik will whip up a plan/schedule.
* **UNASSIGNED**
  * (none)

People Present (lines said)
---------------------------
* nirik (74)
* smooge (22)
* skvidal (16)
* zodbot (10)
* abadger1999 (7)
* ke4zvu3 (5)
* pingou (4)
* lmacken (2)
* CodeBlock (2)
* athmane (1)
* ricky (0)
* codeblock (0)

--
19:00:00 <nirik> #startmeeting Infrastructure (2011-09-15)
19:00:00 <zodbot> Meeting started Thu Sep 15 19:00:00 2011 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:00 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:01 <nirik> #meetingname infrastructure
19:00:01 <nirik> #topic Robot Roll Call
19:00:01 <nirik> #chair smooge skvidal codeblock ricky nirik abadger1999 lmacken
19:00:01 <zodbot> The meeting name has been set to 'infrastructure'
19:00:01 <zodbot> Current chairs: abadger1999 codeblock lmacken nirik ricky skvidal smooge
19:00:22 <smooge> here
19:00:32 * abadger1999 here
19:00:33 <smooge> mostly watching a console trying to boot
19:00:43 <smooge> please ping when you need my attention
19:00:49 * athmane is here
19:01:19 <smooge> ok got it to pause. really here
19:01:53 * lmacken
19:02:28 <nirik> ok, I guess let's go ahead and dive in...
19:02:36 <nirik> #topic New folks introductions and apprentice tasks/feedback
19:02:55 <nirik> any new folks want to introduce themselves?
19:02:57 * ke4zvu3 is here too but hasn't sent the introductory email yet to join and such
19:03:04 <nirik> or any apprentice tickets or tasks we want to discuss?
19:03:11 <nirik> welcome ke4zvu3. :)
19:03:25 * CodeBlock is here, sorry.
19:04:17 <nirik> ok, I guess let's go ahead and drive on.
19:04:28 <nirik> #topic Password/Ssh-key/Cert reset flag day discussion.
19:04:47 <nirik> So, there was some discussion of this on list and some more in the most recent board meeting.
19:04:59 <nirik> Anyone have any further input on it?
19:05:39 <nirik> I would like to have docs updated and perhaps a nice wiki page to point people to before we announce anything.
19:06:38 <nirik> and we do still need to determine timing.
19:07:05 <abadger1999> If we're changing the password reqs it would need a little FAS coding too.
19:07:15 <nirik> yeah, that too.
19:07:18 <smooge> how much?
19:07:53 <abadger1999> non-invasive (modify one method) but how much depends on how complex an algorithm.
19:08:03 <abadger1999> If it's "20 chars" it's easy :-)
19:08:06 <nirik> For timing, I am thinking perhaps a month after f16 might make sense... or 2 weeks. That way people who are busy with the release can push it out until it's done and have time to do changes then.
19:08:26 <nirik> .ticket 2804
19:08:28 <zodbot> nirik: #2804 (Decide on FAS password requirements.) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2804
19:08:31 <smooge> nirik, that sounds good.
19:08:38 <nirik> we had a more complex set in that ticket we talked about.
19:09:41 <nirik> which we could of course revisit.
19:09:50 <abadger1999> ah, but that was before the xkcd ;-)
19:09:57 <smooge> still digesting
19:10:00 <nirik> true. ;)
19:10:01 <lmacken> heh
19:10:53 <nirik> I think perhaps the next step here is to gather all these things and post a plan...
19:10:54 <smooge> I would add one line to cover that.
19:11:11 * skvidal is here
19:11:11 <smooge> if it's over 20 characters only lower case and spaces is needed :)
19:11:14 <nirik> oh, there is also another issue if we want to make sure people don't reupload their old certs. ;)
19:11:25 <nirik> welcome skvidal.
19:11:25 <skvidal> nirik: what's that?
19:11:53 <nirik> well, we need to code a check in fas to save the last key and verify the new one isn't it.
19:12:16 <skvidal> nirik: OR
19:12:25 <skvidal> we could just do it as a nightly cron job
19:12:32 <skvidal> grab a copy of the pubkeys now
19:12:44 <skvidal> and compare them with ones each night
19:12:55 <skvidal> if they are same as before 'nuke the key and send an email'
19:12:59 <nirik> well, there's also the case of 'upload crap key, then reupload old key', but not sure people would go to that length. ;)
19:13:20 <skvidal> well that's why we grab their keys now
19:13:23 <skvidal> but yes
19:13:24 <skvidal> you're right
19:13:47 <nirik> also, if it's in fas it might be nice moving forward..
19:14:24 <skvidal> true
19:14:25 <smooge> nirik, oh I am sure one or 2 would :).
19:14:33 <nirik> so, let me do this (or anyone else): collect things we need to put in place and a suggested timeline and go from there?
19:15:14 <smooge> that sounds good
19:15:18 <skvidal> ok
19:15:25 <nirik> fas password changes, fas key reuse checking, docs to point people at about good security, way to notify everyone (mass email?), and deadline/what happens if you fail.
19:16:04 <nirik> we could also restrict the ssh key requirement to only some groups? or do we not want to do that?
19:17:11 <nirik> ie, anyone who could actually use them in fedora? but then that would leave someone who uploaded one, then gets sponsored and has an old key.
19:17:13 <abadger1999> as long as null is an okay state, I'd be more in favor of all.
19:17:30 <abadger1999> yep, for the reason you just stated.
19:18:21 <nirik> ok. will whip up a plan...
19:18:28 <nirik> #action nirik will whip up a plan/schedule.
19:18:37 <nirik> anything else on this?
19:18:44 <skvidal> nope
19:18:57 * pingou late
19:19:27 <nirik> I'm sure we will see pushback on the ssh key thing... so I think it's important we have good docs and announcement that explains why we want to do this. ;)
19:19:37 <nirik> hey pingou
19:19:45 <nirik> #topic Bastion outages/openvpn discussion.
19:19:59 <nirik> So, bastion03 has been hitting what looks like a nasty virtio bug. ;(
19:20:15 <nirik> I've changed it to use e1000 for its network, so hopefully it will be stable again.
19:20:49 <nirik> if it croaks again, we should switch back to bastion02 for now.
19:21:09 <nirik> due to this issue, it's gotten me thinking about how we could better do our vpn setup...
19:21:26 <nirik> but none of the options look too great to me.
19:21:46 <smooge> yeah
19:21:47 <nirik> The best currently is to resetup heartbeat after the freeze... so at least we have failover.
19:22:44 <nirik> so, if anyone has brilliant ideas for improving the setup, please do share them with the list/etc.
19:23:30 <nirik> #info bastion03 hopefully stable now.
19:23:42 <nirik> #info will look at setting heartbeat back up after the freeze.
19:23:55 <nirik> any other comments on this?
19:24:17 <smooge> looking at rhel5 for this if rhel6 is not stable
19:24:30 <pingou> ie bastion02
19:24:44 <nirik> yeah, we still have bastion02(rhel5) around.
19:24:55 <nirik> but I'd really like to get us migrated to 6. ;)
19:25:29 <nirik> #topic Upcoming Tasks/Items
19:25:29 <smooge> well I mean el5 on kvm
19:25:42 <nirik> smooge: yeah, I suppose we could... as a last resort. ;)
19:25:52 <smooge> sorry my brain is feeling like someone hit it with a brick twice
19:25:54 <nirik> ok, so we are in freeze currently.
19:26:10 <nirik> So, this is a good time to work on docs and such...
19:26:36 <nirik> askbot is moving along toward production.
19:26:47 <nirik> paste is doing so as well, but not yet in stg.
19:27:01 <nirik> any other upcoming items people are working on they want to talk about?
19:28:12 <ke4zvu3> can i ask a question about paste?
19:28:34 <nirik> Oh, another after the freeze thing: I want to move some vpn hosts around... move hosts that don't need much vpn access to a subnet that is more iptables locked.
19:28:38 <nirik> ke4zvu3: sure.
19:28:39 <ke4zvu3> is the intention to take over the fpaste.org domain from Unity or would the production FQDN be paste.fedoraproject.org ?
19:29:01 <smooge> we don't own fpaste.org
19:29:06 <nirik> ke4zvu3: I think the plan was to take over the domain, but it's still unknown if the domain owner wants to move it over.
19:29:10 <smooge> and the owner has not been very communicative I believe
19:29:15 <nirik> if not, then paste.fedoraproject.org. ;)
19:29:17 <ke4zvu3> understood, thanks.
19:30:20 <nirik> Oh, we also do have all the beta tickets. I filed them yesterday.
19:30:34 <nirik> .ticket 2945
19:30:35 <zodbot> nirik: #2945 (Fedora 16 Beta - New website) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2945
19:30:37 <nirik> .ticket 2946
19:30:38 <zodbot> nirik: #2946 (Fedora 16 Beta - verify mirror space) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2946
19:30:41 <nirik> .ticket 2947
19:30:43 <zodbot> nirik: #2947 (Fedora 16 Beta - release day ticket) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2947
19:30:47 <nirik> .ticket 2948
19:30:48 <zodbot> nirik: #2948 (Fedora 16 Beta - verify release permissions with rel-eng) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2948
19:30:49 <nirik> .ticket 2949
19:30:52 <zodbot> nirik: #2949 (Fedora 16 Beta - Mirrormanager redirects for beta) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2949
19:31:27 <smooge> nirik, ok I will take my usuals :)
19:31:29 <smooge> thanks
19:31:32 <nirik> smooge: cool. ;)
19:32:11 <nirik> #topic Open Floor
19:32:17 <nirik> Any items for open floor?
19:32:32 <smooge> ppc is a lovely architecture and I have no idea why it never took off
19:32:38 <skvidal> smooge: haha
19:32:41 <pingou> ^^
19:32:41 <ke4zvu3> ha
19:32:43 <skvidal> smooge: LIAR LIAR
19:32:55 <pingou> skvidal: "be nice" :)
19:33:01 <nirik> smooge: but it's ultra secure... not booting and all. ;)
19:33:16 <skvidal> pingou: :)
19:33:18 <CodeBlock> :)
19:33:24 <smooge> yes.. and all you need to do to make a box not boot is take out its working drive and PUT BACK the drive
19:33:57 <smooge> I haven't had this much fun since the great days of playing with HPUX-5
19:34:14 <nirik> joy.
19:34:28 <nirik> ok, I guess let's wrap up and go back to infrastructuring.
19:34:32 <nirik> thanks for coming everyone!
19:34:39 <nirik> #endmeeting