Fedora Infrastructure IRC Meeting Log from 2007-06-28

Jeffrey C. Ollie jeff at ocjtech.us
Thu Jun 28 21:01:25 UTC 2007

[15:01] mmcgrath has set the subject to Fedora Infrastructure -- Who's here
[15:01] mmcgrath: ping all, who's here?
[15:01] * skvidal is here
[15:02] * xDamox is here
[15:02] * Bob-Laptop is not here but does not really count yet
[15:02] mmcgrath: paulobanon, dgilmore, mbonnet__, mbonnet, abadger1999, f13: ping
[15:02] * paulobanon is here
[15:03] notting has joined the group chat (n=notting at redhat/notting)
[15:03] * abadger1999 is here
[15:03] mmcgrath: all right
[15:04] mmcgrath has set the subject to Fedora Infrastructure -- Ticketing System
[15:04] mmcgrath: Lets talk about this and try to come to a conclusion today.
[15:04] * mmcgrath notes the schedule - http://fedoraproject.org/wiki/Infrastructure/Schedule
[15:04] mmcgrath: So here's my current concern.
[15:04] mmcgrath: I'm getting a lot of emails for requests for stuff that anyone in the team could do.
[15:05] mmcgrath: So as we discussed on the list the options are moving to a mailing list or trac.
[15:05] mmcgrath: What do you guys think?  (you don't have to be in the Infrastructure team to have a comment on this)
[15:05] paulobanon: trac for me
[15:06] skvidal: I can adapt to either - I think a list is easy - but if there's an rss feed for trac I'll accept that
[15:06] mmcgrath: skvidal: good question.
[15:06] mmcgrath: f13: does trac have an rss feed?
[15:07] * mmcgrath thinks f13 is away.
[15:07] skvidal: Indeed
[15:07] abadger1999: trac has an rss feed for timeline.  Not sure if tickets show up in timeline or not.
[15:07] paulobanon: http://trac.edgewall.org/wiki/TracRss
[15:07] mmcgrath: abadger1999: are you a trac fan or a mail list fan?
[15:08] paulobanon: yes it supports tickets
[15:08] abadger1999: We need to have both a ml and ticketing system.
[15:09] mmcgrath: k, so I'll work on getting a trac system setup and properly configured with Infrastructure for us to take a look at.  We can decide to keep it and announce it hopefully next week.
[15:09] paulobanon: sounds good
[15:10] mmcgrath: ok, moving on.
[15:10] mmcgrath has set the subject to Fedora Infrastructure -- Package Database
[15:10] mmcgrath: abadger1999: how are you and G doing?
[15:11] G: I've been a little bit on hold, I've got next week off, so I hope to dedicate a bit of time to it
[15:11] mmcgrath: G: cool.
[15:11] mmcgrath: G: where are you two currently running tests from?
[15:12] G: Toshio created a hosted instance though (http://hosted.fedoraproject.org/projects/packagedb)
[15:12] G: err. test3 I think
[15:12] mmcgrath: test3, k.
[15:12] mmcgrath: k, moving on.
[15:13] mmcgrath: Nothing new in configuration management.
[15:13] mmcgrath has set the subject to Fedora Infrastructure -- VCS choice
[15:13] mmcgrath: jcollie: ping
[15:13] jcollie: mmcgrath, wassup?
[15:13] jcollie: oops 
[15:14] mmcgrath: I'm going to have some publictest1 space for you soon for http://fedoraproject.org/wiki/Infrastructure/RFR/GitPackageVCS
[15:14] jcollie: on a phone call, but no progress since last week
[15:14] jcollie: mmcgrath, thanks!
[15:14] mmcgrath: jcollie: k, can you apply for the sysadmin-test group when you get a moment?
[15:14] jcollie: sure
[15:14] * mmcgrath will continue
[15:15] mmcgrath has set the subject to Fedora Infrastructure -- Firewall system rewrite
[15:15] mmcgrath: xDamox: how's all that going?
[15:15] mmcgrath: and the new custom rules?
[15:15] xDamox: mmcgrath, just got to get skvidal to check over this torrent policy
[15:15] skvidal: xDamox: I did check it over
[15:15] skvidal: is there a new one?
[15:15] xDamox: the one in my home dir?
[15:16] xDamox: on lockbox
[15:16] abadger1991 has joined the group chat (n=abadger1 at 068.187-78-65.ftth.swbr.surewest.net)
[15:16] riel has joined the group chat (n=riel at bree.surriel.com)
[15:16] skvidal: did you tell me about those before today?
[15:16] skvidal: I looked at what we talked about before
[15:16] xDamox: nope
[15:16] skvidal: oh, okay
[15:16] xDamox: I was going to email you tonight
[15:17] MrBawb has joined the group chat (i=abob at guppy.drown.org)
[15:17] skvidal: yes, continue with that plan
[15:17] skvidal: thank you
[15:17] xDamox: if you're happy I can check them in to puppet and firewall will be done
[15:17] * dgilmore is here
[15:17] * abadger1991 back
[15:18] mmcgrath: xDamox: excellent.
[15:18] skvidal: cool-mo-dee
[15:18] mmcgrath: xDamox: anything else?
[15:18] xDamox: do you want any firewall rules applied to xen?
[15:19] JSchmitt has joined the group chat (n=s4504kr at p54B1127B.dip0.t-ipconnect.de)
[15:19] xDamox: XEN are the only hosts without firewall rules
[15:19] dgilmore: xDamox: yes  but we need to work out what
[15:19] xDamox: yea not a problem
[15:19] mmcgrath: ahhh yes.
[15:19] mmcgrath: So here's the problems to overcome.
[15:19] mmcgrath: We'd like to be able to block traffic from the xen guests at the xen host.
[15:19] dgilmore: xDamox: we have some guests we want almost no access to others inside the colo
[15:20] mmcgrath: Note, the xen guests will move around so its probably smart to have the same rules on all xen hosts.
[15:20] dgilmore: probably need to use ebtables on the xen bridge
[15:20] xDamox: Ok
[15:20] mmcgrath: and 2) the interface name might change when migrating around so rules based off of interface won't work.
[15:20] mmcgrath: ip rules off of IP are easy to circumvent
[15:20] mmcgrath: ip rules off of mac may be spoofable (but could be our best bet)
[15:21] mmcgrath: Any suggestions there?
[15:21] xDamox: I would go with MAC addresses
[15:21] dgilmore: mac address based rules on the bridges
[15:21] xDamox: that would be the best bet
[15:22] mmcgrath: dgilmore: ahh, very true.
[15:22] fchiulli has left ("CGI:IRC (Ping timeout)" (i=824c400f at gateway/web/cgi-irc/ircatwork.com/x-63cc1cf3a5d2721f))
[15:22] warren: The guests cannot change their MAC
[15:22] warren: ?
[15:22] mmcgrath: ok, so we can work on those when the time comes.
[15:22] mmcgrath: warren: the guest can probably change it but the host won't honor it.
[15:22] warren: ah
[15:22] mmcgrath: at least in theory, we'll have to test that.
[15:22] warren: sounds like a plan
[15:23] warren: You might not need to use ebtables though
[15:23] warren: I've used iptables MAC module before
[15:23] fchiulli has joined the group chat (i=824c400f at gateway/web/cgi-irc/ircatwork.com/x-1f7399ce8f2ba354)
[15:23] dgilmore: warren: on a bridge?
SmootherFrOgZ_id is now known as SmootherFrOgZ
[15:23] warren: dgilmore, oh, good question.
[15:23] warren: It is worth trying though
[15:24] warren: If it works, that's one less additional thing to track
[15:24] mmcgrath: <now> we should take this to the list.
[15:24] warren: agreed
[15:24] dgilmore: mmcgrath: quite possibly we could do rules for known macs we want to allow access then deny everything else
[15:25] abadger1999 has left (No route to host (n=abadger1 at 068.187-78-65.ftth.swbr.surewest.net))
[15:25] mmcgrath: dgilmore: thats true, its good to know we have options.  We'll just have to find the solution thats best for our environment.
[15:25] dgilmore: so if they change mac and its honored we still drop
[15:25] mmcgrath: <nod>
[15:25] mmcgrath: I skipped one item
[15:25] paulobanon: +1
[15:25] mmcgrath has set the subject to Fedora Infrastructure -- DB1 upgrade
[15:25] mmcgrath: mbonnet__: ping?
[15:25] mmcgrath: mbonnet: ?
[15:25] lennert: iptables can filter on --mac-source on input/forward, anything more fancy needs ebtables
abadger1991 is now known as abadger1999
[15:25] mmcgrath: Right now we're just waiting on the ok from mbonnet to make sure the new postfix version will support koji.
[15:26] mbonnet__: mmcgrath: sorry, in a meeting
[15:26] mmcgrath: mbonnet__: no worries, I'll just move to the next item.
[15:26] mmcgrath: but thats where db1 is at right now.
[15:26] mmcgrath has set the subject to Fedora Infrastructure -- Server Upgrades
[15:26] abadger1999: s/postfix/postgres/
[15:26] warren: mmcgrath, what about postfix doesn't support koji?
[15:26] mmcgrath: abadger1999: err yes 
[15:26] warren: oh
[15:26] warren: =)
[15:26] * mmcgrath has post on the mind
[15:27] mmcgrath: So I'm working with the soc on some items with the server upgrade.
[15:27] dgilmore: mmcgrath: for what its worth my koji install has a FC-6 based postgres
[15:27] paulobanon: i think everyone got confused with that one
[15:27] mmcgrath: dgilmore: excellent.
[15:27] mmcgrath: The new disk tray for our builders came in and is now in use.
[15:27] dgilmore: running on sparc  but its FC-6
[15:27] mmcgrath: 2.0T  691G  1.3T  35% /mnt/ntap-fedora1/fedora
[15:27] dgilmore: f13: dont fill it
[15:27] warren: sparc?
[15:28] dgilmore: warren: yes sparc
[15:28] mmcgrath: I think there's some koji work to enable better garbage collection.  Keep in mind whats in our 691G of space right now.
[15:28] mmcgrath: Just Fedora 7.
[15:28] mmcgrath: well and some other stuff.
[15:29] dgilmore: mmcgrath: rawhide also
[15:29] mmcgrath: Also I'm working with the soc to get some warranty stuff figured out.  There's some server's I need to double check.
[15:29] mmcgrath: <nod> rawhide.
[15:29] mmcgrath: which right now is basically F7 
[15:29] mmcgrath has set the subject to Fedora Infrastructure -- Xen Conversions
[15:29] mmcgrath: I've converted a few more boxes to the iscsi share.  We're up to...
[15:30] mmcgrath: 12 hosts at present.
[15:30] mmcgrath: many of them test, a few of them are production.
[15:30] paulobanon: how many left _
[15:30] paulobanon: ?
[15:31] mmcgrath: paulobanon: depends, I don't have a final count right now but by the time we get the server upgrades the target number will change drastically.
[15:31] paulobanon: k k
[15:31] mmcgrath: thats all the priority 1 stuff
[15:31] mmcgrath: Nothing new on bacula
[15:31] mmcgrath: translators stuff is still going well
[15:31] mmcgrath: nothing new on accounts
[15:32] skvidal: did everyone look to make sure they had all their stuff off of fpserv?
[15:32] mmcgrath: f13 isn't around but I suspect nothing terribly new on hosted.
[15:32] skvidal: I emailed about it but didn't get any response
[15:32] mmcgrath has set the subject to Fedora Infrastructure -- FedoraPeople.org
[15:32] mmcgrath: skvidal: everything I have on there should be vanishable 
[15:33] skvidal: okie doke
[15:33] skvidal: I'll take that as definitive 
[15:33] mmcgrath: heh
[15:33] paulobanon: kill fpserv!
[15:33] mmcgrath has set the subject to Fedora Infrastructure -- Ibiblio Mirror
[15:33] skvidal: thank you
[15:33] mmcgrath: I've been lax on this, I just need to test that they have everything exported correctly.
[15:34] mmcgrath: then find some testers.
[15:34] mmcgrath: So thats all the stuff on the schedule.
[15:34] mmcgrath has set the subject to Fedora Infrastructure -- Open Floor
[15:34] mmcgrath: Anyone have anything they'd like to discuss?
[15:34] dgilmore: skvidal: i had nothing on fpserv
[15:34] skvidal: dgilmore: cool
[15:34] mmcgrath: notting: ping
[15:34] skvidal: dgilmore: I just wanted to be sure
[15:35] notting: mmcgrath: yes?
[15:36] paulobanon: what's with all the priority 3 stuff? is it something that we even want to have there and move it to a thinking about it section?!
[15:36] paulobanon: s/and/or
[15:36] mmcgrath: notting: do you have a moment to discuss the signing server?
[15:37] mmcgrath: paulobanon: I don't know what is with that stuff.
[15:37] mmcgrath: paulobanon: that reminds me though can you add the wiki cla stuff you're doing with quaid to the list in priority 2?
[15:37] paulobanon: yup
[15:37] notting: mmcgrath: sure
[15:38] mmcgrath: notting: just give us a quick overview of what you guys are doing, what you'll need and what problem it solves.
[15:39] notting: ok
[15:39] notting: first of all, lots of info at  http://fedoraproject.org/wiki/JesseKeating/SigningServerSpecDraft
[15:39] mmcgrath: ohhh, very nice.
[15:40] notting: the idea is that instead of just handing out gpg keys and passphrases, we use a signing server to sign packages
[15:40] * warren yay!
[15:40] notting: this server will have lists of what people (FAS accounts) are allowed to sign with what keys
[15:40] notting: there is some code that RH has
[15:40] notting: however, to use a) FAS b) koji it's going to take a lot of hacking. might just need redone
[15:41] notting: what we need: a locked down box with very limited access
[15:41] notting: as the box will need to have private keys on it
[15:41] warren: So outside of the normal FI authentication
[15:42] warren: sysadmin-main shouldn't be able to login as root
[15:42] rdieter has joined the group chat (n=rdieter at ip68-110-20-4.om.om.cox.net)
[15:42] paulobanon: notting: its the RFR/FedoraCertificateSystem right ?!
[15:42] mmcgrath: warren: Doesn't have to be.  We don't have to include sysadmin-main
[15:42] notting: probably not
jwb is now known as jwb_gone
[15:42] mmcgrath: warren: oh, nm, I think we're talking about the same thing 
[15:42] dgilmore: warren: no one should log in as root on any box unless its to fix something broken
[15:42] warren: dgilmore, true
couf is now known as couf_afk
[15:43] warren: mmcgrath, I mean... regular sysadmins or people who could mess with the account system shouldn't be able to grant access to the signing server.
[15:43] mmcgrath: notting: we can work on that part.  I've also considered looking into something like two factor authentication for the signers.
[15:43] notting: yeah, it's sort of up in the air how much auth we want from the signers w.r.t FAS (ssh key + fas user/pw? more?)
[15:43] mmcgrath: notting: will the private keys been encrypted?
[15:44] paulobanon: SELinux it hard
[15:44] notting: mmcgrath: as much as any gpg private keys are
[15:44] mmcgrath: k, so we'll just have to discuss and find what solution works best for us.
[15:44] notting: the box does *not* need to be public facing, but it will need to be accessible from the colo so people can request sigs
[15:44] mmcgrath: notting: do you guys have a time frame on any of this yet?
[15:44] notting: wait, strike that
[15:44] warren: signing server shouldn't be connected or depend on FAS at all
[15:45] JSchmitt_ has joined the group chat (n=s4504kr at p54B11AD8.dip0.t-ipconnect.de)
[15:45] notting: if we want people to sign who don't have some sort of bastion access, i suppose it does need to be public
[15:45] mmcgrath: notting: going through bastion won't be an issue.
[15:45] fab has left (Read error: 104 (Connection reset by peer) (n=bellet at bellet.info))
[15:45] fab_ has left (Read error: 104 (Connection reset by peer) (n=bellet at bellet.info))
[15:45] notting: mmcgrath: considering we don't have server code yet, no.
[15:45] tibbs has left ("Konversation terminated!" (i=tibbs at fedora/tibbs))
[15:45] warren: notting, we could abstract access through koji or something.
[15:45] warren: notting, koji keeps track of what wants signing
[15:46] notting: warren: koji has click-through cert auth. makes it *TRIVIAL* to impersonate someone with merely physical access to their box
[15:46] warren: notting, oh, I meant requesting signs, not actual signing.
[15:46] mmcgrath: notting: we'll keep it on our radar for now.  let us know when it becomes more... imminent
[15:46] warren: notting, isn't it safe to assume that someone trusted to do actual signing should have bastion access?
[15:47] mmcgrath: notting: we could look at physical key requirements as well.  How many signers do you suspect we'll have?
[15:47] notting: warren: in that they're trusted enough to have bastion access, yes, however, it's entirely possible that they wouldn't have needed it for anything else
[15:48] notting: mmcgrath: dunno. more than 2, less than 10.
[15:48] mmcgrath: <nod>
[15:48] mmcgrath: notting: thanks, we'll keep our eyes out for it.
[15:48] mmcgrath: In the meantime does anyone have anything else they'd like to discuss?
[15:48] mmcgrath: paulobanon: you had something?
[15:48] mmcgrath: oh the priority 3 stuff
[15:48] warren: ssh with pubkey -> somehost, where they don't see a shell, it asks for a passphrase that is private for each signer.
[15:49] paulobanon: can't we take a quick tour on that and on the not implemented RFRs
[15:49] paulobanon: and see what can or not be done
[15:49] mmcgrath: sure, so a lot of those things are just sort of on hold.
[15:49] mmcgrath: the priority 3 stuff.
[15:49] paulobanon: cause for someone not on the list for long, it looks like we do nothing
[15:49] paulobanon: since that never changes
[15:49] mmcgrath: I can confirm that postfix, finoc, mailman and speeding up the wiki are on hold or blocking on other people.
[15:50] mmcgrath: lmacken: ping?
[15:50] fab has joined the group chat (n=bellet at bellet.info)
[15:50] mmcgrath: rhlinux.redhat.com migration is the same thing as the elvis stuff.  thats going on.
[15:50] paulobanon: FedoraPasteBin - everyone uses pastebin, are we still interested in having our own?
[15:50] mmcgrath: the look and feel stuff ricky is working on (though not around)
[15:50] mmcgrath: yeah, I think it would be good to have our own.  Just have to install it I suppose.
[15:51] mmcgrath: and these are the RFR's - http://fedoraproject.org/wiki/Infrastructure/Schedule?action=fullsearch&context=180&value=Infrastructure%2FRFR&titlesearch=Titles
[15:51] paulobanon: no need for that big url
[15:51] paulobanon: just go for /RFR/
[15:51] paulobanon: you have all if you scroll down
[15:51] paulobanon: i added all of them there
[15:52] paulobanon: until 2 weeks ago i think
[15:52] mmcgrath: paulobanon: but some are missing.
[15:52] paulobanon: ill update it later then
[15:52] paulobanon: requesters should add the link there
[15:52] mmcgrath: so those are the rfr's.  Some are taken, some aren't.  Most are just waiting for worker bees.
[15:52] paulobanon: lazy guys
[15:53] mmcgrath: paulobanon: I actually skipped doing the list that way just because its so easy to do a search for "Infrastructure/RFR"
[15:53] paulobanon: where do u want the pastebin ? i can talk with lmacken to have it deployed
[15:53] mmcgrath: paulobanon: go ahead and contact luke.  see what he says.
[15:53] dgilmore: paulobanon: we were going to integrate it with fas
[15:53] paulobanon: will do
[15:53] warren: dgilmore, cool, limit spam.
[15:54] mmcgrath: dgilmore: we can let apache do that if we want, should be pretty easy.
[15:54] dgilmore: paulobanon: i think thats the main reason it stalled
[15:54] dgilmore: mmcgrath:   yeah i think skvidal has some turbogears app he wanted to use
[15:54] * mmcgrath seems to remember some of that.
[15:54] skvidal: dgilmore: a loooooooong time ago
[15:54] warren: dgilmore, I saw other pastebins without auth used by random people as a way to store links to warez
[15:54] dgilmore: mmcgrath: abadger1999's fedora-python stuff should help 
[15:55] dgilmore: warren: sure
[15:55] mmcgrath: yep, the fedora-python stuff is beautiful.  And very easy to use.
[15:55] paulobanon: can't we limit access the same way we limit access to the cgi's in the admin site?
[15:55] mmcgrath: Ok, we've got a couple of minutes left.  Anyone else have anything they'd like to discuss?
[15:55] dgilmore: skvidal: so now you're a RHer you can get er done
[15:55] skvidal: dgilmore: heh, I'll put it on my list
[15:56] * dgilmore has nothing 
[15:56] skvidal: just not ultra-highpriority, ok?
[15:56] dgilmore: skvidal: sure
[15:56] abadger1999: mmcgrath: People have been getting interested in FAS2 recently.  But the instance on the test servers is down and we need to have a list of FAS tasks they can jump in to work on.
[15:56] mmcgrath: abadger1999: I haven't had anyone contact me with help.  The fas link should be back up in a bit actually.
[15:57] abadger1999: Cool.
[15:57] paulobanon: should we create a Tasks list like the other SIGs have ?!
[15:57] paulobanon: instead of having everything in the schedule
[15:58] paulobanon: if we are gonna test trac, we could convert the current schedule in tasks, and get a proper schedule with milestones in Trac
[15:58] mmcgrath: paulobanon: We'll have to see more when we get into Trac.
[15:58] mmcgrath: The thing about schedules is that it's always been around and we've always used it, when OTRS came around we just ignored it.
[15:59] mmcgrath: I guess we'll just have to set it up and see if we can get our team to actually use it.
[15:59] paulobanon: true
[15:59] mmcgrath: Ok, we're about to run over time.
[15:59] mmcgrath: If no one has anything pressing I'll close the meeting in 30
[15:59] mmcgrath: 10
[15:59] fchiulli has left ( (i=824c400f at gateway/web/cgi-irc/ircatwork.com/x-1f7399ce8f2ba354))
[16:00] mmcgrath has set the subject to Meeting closed
[16:00] mmcgrath: thanks for coming guys.

