============================================
#fedora-meeting: Infrastructure (2011-10-13)
============================================

Meeting started by nirik at 19:00:01 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2011-10-13/infrastructure.2011-10-13-19.00.log.html .

Meeting summary
---------------
* Robot Roll Call (nirik, 19:00:01)
* New folks introductions and Apprentice tasks (nirik, 19:01:52)
* Password/Ssh-key/Cert reset fallout (nirik, 19:06:34)
  * Please do change your pass and upload a new ssh key before 2011-11-30. (nirik, 19:07:32)
* Upcoming Tasks/Items (nirik, 19:11:59)
* Meeting tagged tickets: (nirik, 19:18:00)
  * LINK: https://fedorahosted.org/fedora-infrastructure/report/10 (nirik, 19:18:01)
* Open Floor (nirik, 19:22:52)
  * LINK: http://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainers -> these ? (pingou, 19:32:25)

Meeting ended at 19:43:07 UTC.

Action Items
------------

Action Items, by person
-----------------------
* **UNASSIGNED**
  * (none)

People Present (lines said)
---------------------------
* nirik (80)
* dgilmore (31)
* pingou (23)
* StylusEater (10)
* abadger1999 (8)
* skvidal (7)
* CodeBlock (6)
* zodbot (5)
* Smilers_ (5)
* smooge (3)
* LoKoMurdoK (3)
* jsmith (3)
* athmane (1)
* mzhun (1)
* lmacken (0)
* ricky (0)
* codeblock (0)

--
19:00:01 <nirik> #startmeeting Infrastructure (2011-10-13)
19:00:01 <zodbot> Meeting started Thu Oct 13 19:00:01 2011 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:01 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:01 <nirik> #meetingname infrastructure
19:00:01 <zodbot> The meeting name has been set to 'infrastructure'
19:00:01 <nirik> #topic Robot Roll Call
19:00:01 <nirik> #chair smooge skvidal codeblock ricky nirik abadger1999 lmacken
19:00:01 <zodbot> Current chairs: abadger1999 codeblock lmacken nirik ricky skvidal smooge
19:00:05 * skvidal is here
19:00:12 <pingou> .fas pingou
19:00:13 <zodbot> pingou: pingou 'Pierre-YvesChibon' <pingou@xxxxxxxxxxxx>
19:00:17 * jsmith lurks
19:00:35 * CodeBlock
19:00:41 <mzhun> here
19:00:46 <Smilers_> here
19:01:14 * athmane is around
19:01:43 <nirik> ok, lets go ahead and start in...
19:01:52 <nirik> #topic New folks introductions and Apprentice tasks
19:01:59 <smooge> here
19:02:08 <nirik> any new folks want to say hi? or any apprentice tickets anyone would like to bring up?
19:02:22 <Smilers_> hi
19:02:38 <nirik> hello Smilers_
19:02:47 <jsmith> nirik: There was that ticket you created for me this past week, about some slight modifications to the login screen (for password recovery)
19:03:06 <nirik> jsmith: yeah, someone already committed a fix. ;) It's not live yet tho
19:03:13 <jsmith> Oh, that was fast :-)
19:03:47 <nirik> yeah. ;)
19:04:02 <nirik> Smilers_: what sorts of things are you interested in working on? or whats your background?
19:04:39 * dgilmore is here
19:04:40 <Smilers_> My background is working with t student run computing facility (geeksoc.org)
19:04:59 <nirik> cool.
19:05:12 <Smilers_> anything from deploying LDAP to general maintenance
19:05:47 <nirik> nice. Well, welcome. ;)
19:05:54 <Smilers_> thanks :)
19:06:29 <nirik> do hang out in #fedora-admin and/or #fedora-noc and chime in and ask questions, etc.
19:06:34 <nirik> #topic Password/Ssh-key/Cert reset fallout
19:06:45 <nirik> So, our password/key change announcement went out.
19:06:59 <nirik> There was some pushback, but overall I think it's gone ok.
19:07:12 <dgilmore> any change will get some pushback
19:07:19 <skvidal> 'some pushback'
19:07:30 <CodeBlock> ^
19:07:32 <nirik> #info Please do change your pass and upload a new ssh key before 2011-11-30.
19:07:43 * abadger1999 here
19:07:51 <nirik> so, I figure we wait a bit and start nagging people more...
19:08:01 <pingou> I was wondering reading abadger1999's mail if there is/should be a more strict policy for sysadmin
19:08:16 <pingou> but that's more a separate question than the current one
19:08:23 <nirik> yeah...
19:08:48 <nirik> I'd like to move forward with finishing yubikeys setup... and look more at one time stuff like google authenticator...
19:09:21 <CodeBlock> Is there an easy way to get stats of who has changed them and who still needs to? (just numbers is fine)
19:09:22 <dgilmore> my key is currently 4092 bits, i plan to make the new one bigger
19:09:33 <CodeBlock> dgilmore: 16384!
19:09:44 <dgilmore> CodeBlock: not likely that big
19:09:55 <nirik> knock yourself out. ;)
19:10:22 <nirik> CodeBlock: skvidal has a script to check
19:10:42 <skvidal> that we discovered is not including users that are not cla_done
19:10:53 <skvidal> b/c fas's interface doesn't return those <womp> <womp>
19:11:03 * LoKoMurdoK here
19:11:10 * LoKoMurdoK late
19:11:11 * CodeBlock will poke you after meeting for that then, I think it would be neat to watch
19:11:12 <LoKoMurdoK> :(
19:11:14 <nirik> welcome LoKoMurdoK
19:11:38 <nirik> ok, if nothing else on the password reset flames, will move on...
19:11:59 <nirik> #topic Upcoming Tasks/Items
19:12:25 <nirik> ? - make a new bastion02/nuke bastion04 ( smooge ?)
19:12:35 <nirik> ? - move app02/04
19:13:02 <nirik> with those done we can retire our xen boxes that went out of warranty.
19:13:22 <nirik> 2011-10-25 - 2011-11-08: Final change freeze
19:13:51 <nirik> I'd like to look at dumping audit messages to our syslog for epylog processing.
19:14:17 <nirik> also, as a note, I will be out next thursday/friday. ;)
19:15:10 <nirik> on the rel-eng side it would be nice to get kojipkgs02 and releng04 fully operational
19:15:51 <nirik> anyone have other items they would like to work on/get done before final freeze.
19:16:06 <nirik> Oh, yeah, another one: reinstall ppc05-10 and hand them off to secondary arch folks.
19:16:24 * StylusEater is late ... sorry
19:16:25 <CodeBlock> value move ... in 1.25 hours ;)
19:17:31 <nirik> cool.
19:18:00 <nirik> #topic Meeting tagged tickets:
19:18:01 <nirik> https://fedorahosted.org/fedora-infrastructure/report/10
19:18:02 <abadger1999> nirik: I've got raffle working in staging. Going to finally deploy out to prod
19:18:08 <nirik> abadger1999: excellent.
19:18:18 <nirik> no meeting tickets marked.
19:18:20 <abadger1999> nirik: Also need to deploy a fas hotfix that skvidal mentioned earlier.
19:18:32 <abadger1999> (wrt fas not returning a complete list of users)
19:18:54 <nirik> abadger1999: any idea how hard it will be to add a 'clear' button for ssh key? is that an easyfix thing? or more complex?
19:19:21 <abadger1999> nirik: Probably easy fix but I'm not entirely sure.
19:19:40 <nirik> ok
19:19:56 <abadger1999> it'll be template (to add a checkbox) and a bit of python code in a single controller method to do something when that checkbox is set.
19:20:07 <nirik> cool.
19:20:16 <nirik> if you think it's easy, feel free to mark that ticket easyfix.
19:20:22 <abadger1999> so someone who can mess a tiny bit with html and knows python should be able to do it.
19:20:44 <abadger1999> will do
19:20:54 <dgilmore> nirik: lmacken promised me bodhi updates before freeze
19:21:31 <nirik> dgilmore: ok. releng04 needs some fix to handle /usr/share/bodhi/comps/ more correctly, otherwise it might be close.
19:22:05 <dgilmore> nirik: yeah, we need updated bodhi i believe
19:22:46 <nirik> yeah
19:22:52 <nirik> #topic Open Floor
19:23:02 <nirik> ok, anyone have anything for open floor?
19:23:29 <pingou> note somewhere to think about a policy regarding ssh key for sysadmin ?
19:23:50 <nirik> pingou: you're welcome to open a discussion on the list... or we can talk some about it here. What policy would you suggest?
19:24:36 <pingou> nirik: well based on what I have seen/understood, some @rh need to change their ssh every x time
19:24:44 <pingou> (I have 6 weeks in mind, not sure though)
19:24:59 <smooge> no
19:25:03 <dgilmore> pingou: no
19:25:05 <smooge> not that I know of
19:25:19 <pingou> sysadmin are a sensible group, them more than anyone else should be aware of the sensibility of ssh keys
19:25:29 <dgilmore> id rather be forced to use otp's
19:25:30 <pingou> maybe it wasn't @rh then :)
19:25:37 <nirik> I don't think forcing a change every X time is a good idea.
19:25:56 <nirik> but I would like to move to yubikeys or googleauth or something like that...
19:26:02 <dgilmore> i use my yubikey pretty much everyday
19:26:12 * nirik lost his. need to get another.
19:26:18 <dgilmore> id rather have to use a yubikey to auth as sudo and for ssh
19:26:39 <pingou> nirik: I am not sure how frequent yubikey are outside us
19:26:49 <pingou> dgilmore: +1
19:26:50 <nirik> well, everyone in sysadmin-main (aside from me) has a yubikey
19:26:54 <pingou> but in the mean while ?
19:27:14 * dgilmore has 4 or 5 yubikeys
19:27:22 <nirik> all but one person has a iOS or android device that could run googleauth
19:27:45 <nirik> I dont know about all of sysadmin*
19:27:49 <pingou> sysadmin or sysadmin-main
19:27:50 <nirik> perhaps we should poll on the list.
19:27:57 <nirik> pingou: thats just sysadmin-main...
19:27:57 <dgilmore> nirik: personally id rather not use a service from google for auth
19:28:07 <pingou> +1 there too
19:28:08 <nirik> dgilmore: it doesn't use googles services.
19:28:10 <dgilmore> but maybe its open and we can run it all ourselves
19:28:14 <nirik> its open source
19:28:18 <nirik> it's a pam module
19:28:22 <dgilmore> nirik: ok, i honestly had not heard of it until just now
19:28:35 <dgilmore> nirik: it has a server we could run?
19:28:35 <nirik> downside of it is that it requires you to store a secret on the machines
19:28:46 <nirik> no server, it looks locally for the secrets.
19:28:50 <StylusEater> I'm torn as to whether the suggestion that yubikeys should be mandatory would be a good idea or fly in the face of Fedora and what it stands for...
19:28:52 <dgilmore> ok
19:29:19 <dgilmore> StylusEater: what about yubikeys is contrary?
19:29:24 <pingou> StylusEater: there has not been such suggestions
19:29:30 <nirik> StylusEater: yeah. In the case of sysadmin-main everyone has one, so we could require that for them only...
19:29:41 <StylusEater> dgilmore: payment
19:29:56 <pingou> 25$
19:30:03 <dgilmore> StylusEater: fedora has some that can be provided
19:30:08 <StylusEater> nirik: that's what I was thinking.
19:30:12 <dgilmore> if cost is an issue
19:30:16 <nirik> but larger groups like sysadmin or packager it would not be feasible to supply them to everyone
19:30:33 <StylusEater> dgilmore: hrm, then maybe it would make sense to do that. As a congratulations for making it through the "ring of fire." :-)
19:30:44 <dgilmore> nirik: right
19:30:49 <StylusEater> nirik: +1
19:30:58 <nirik> I'm all for finishing deploying yubikey as an optional...
19:31:06 <dgilmore> nirik: we could feasibly do it for all people in groups that get sudo on boxes
19:31:09 <dgilmore> maybe
19:31:10 <StylusEater> nirik: with what dgilmore just mentioned I think it would be sensible to require for sysadmin-main.
19:31:14 <dgilmore> not sure of the exact numbers
19:31:29 <pingou> dgilmore: any box ?
19:31:33 <pingou> including staging ?
19:31:39 <nirik> yeah. Not sure either.
19:31:41 <dgilmore> maybe excepting public test boxes
19:31:53 <dgilmore> pingou: staging but not public test
19:32:15 <pingou> which one do you consider public?
19:32:25 <pingou> http://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainers -> these ?
19:32:33 <dgilmore> pingou: no
19:33:12 <dgilmore> pingou: the boxes labeled as public testing for developing and testing solutions to be used in fedora infra
19:33:22 <dgilmore> ie publictestxx.fedoraproject.org
19:34:05 <pingou> ok
19:34:09 <dgilmore> pingou: the boxes referenced in that page are provided by community members for use of packagers
19:34:12 <nirik> Ideally I would like to have yubikey setup for true 2 factor for those that want to use it, and add something like googleauth if we can get it setup in a way we like. Then we could require one or the other for specific groups perhaps.
19:34:19 <dgilmore> the only tie in they have is to get the packager ssh keys to allow access
19:35:15 <nirik> right.
19:35:40 <nirik> so, if anyone has cycles to look at finishing yubikey deployment or seeing how we could best integrate googleauth, please do.
19:36:38 <nirik> pingou: does that address your question at all?
19:36:54 <pingou> nirik: it raises discussion, which was my intention :)
19:37:00 <StylusEater> pingou: interesting topic, thanks.
19:37:18 <nirik> yeah. I think moving to a 2factor setup is a good goal...
19:37:22 <skvidal> +1
19:37:39 * pingou considering investing $25
19:38:07 <nirik> there's disadvantages to yubikey and googleauth, but advantages to both too... so I think ideally we will want to look at supporting either or.
19:38:30 <nirik> or something like either
19:38:37 <StylusEater> nirik: +1
19:39:02 <pingou> supporting either, enforcing one over another in some cases I guess :)
19:39:50 <nirik> yeah
19:40:09 <nirik> ok, anything further? or shall we call it a meeting?
19:40:59 * nirik will close out in a minute if nothing more
19:41:46 * skvidal reads backscroll
19:41:55 * nirik waits
19:42:08 * dgilmore has nothing
19:42:46 <StylusEater> nirik: I have a non-meeting question I'll ask in another channel.
19:42:51 <nirik> StylusEater: ok.
19:42:57 * skvidal has nothing additional
19:43:04 <nirik> thanks for coming everyone!
19:43:07 <nirik> #endmeeting