Meeting Log - 2008-05-22

[Nigel Jones]

07:57 < dgilmore> mmcgrath: show time?
07:58 < mmcgrath> yep
07:58 -!- mmcgrath changed the topic of #fedora-meeting to: 
Infrastructure -- Who's Here?
07:58 < ivazquez> Pong.
07:58  * ianweller
07:59 < mmcgrath> so who's all here?
07:59  * dgilmore is here
07:59  * skvidal is
07:59 < G> me
07:59  * mmcgrath lets people roll in
07:59  * ricky
07:59  * nirik is off in the spectator seats.
08:00 < jcollie> hello
08:00  * f13
08:01 < mmcgrath> Allrighty, lets get started
08:01 -!- mmcgrath changed the topic of #fedora-meeting to: 
Infrastructure -- Open Tickets
08:01 < mmcgrath> .tiny 
https://fedorahosted.org/fedora-infrastructure/query?status=new&status=assigned&status=reopened&group=milestone&keywords=%7EMeeting&order=priority
08:01 < zodbot> mmcgrath: http://tinyurl.com/2hyyz6
08:01 < mmcgrath> .ticket 395
08:01 < zodbot> mmcgrath: #395 (Audio Streaming of Fedora Board 
Conference Calls) - Fedora Infrastructure - Trac - 
https://fedorahosted.org/projects/fedora-infrastructure/ticket/395
08:01 < mmcgrath> jcollie: any news ?
08:02 < jcollie> not really
08:02 < mmcgrath> k, next ticket
08:02 < mmcgrath> .ticket 398
08:02 < zodbot> mmcgrath: #398 (elfutils `monotone' (mtn) error) - 
Fedora Infrastructure - Trac - 
https://fedorahosted.org/projects/fedora-infrastructure/ticket/398
08:02 < mmcgrath> abadger1999: jcollie: anything there?
08:02 < jcollie> nope
08:02 < abadger1999> nope
08:02 < abadger1999> It's all roland for now.
08:02 < mmcgrath> k
08:02 < mmcgrath> .ticket 446
08:02 < zodbot> mmcgrath: #446 (Possibility to add external links on 
spins page) - Fedora Infrastructure - Trac - 
https://fedorahosted.org/projects/fedora-infrastructure/ticket/446
08:02 < mmcgrath> dgilmore: any news?
08:03  * dgilmore notes that he sucks
08:03 < mmcgrath> hah, no news then?
08:04 < mmcgrath> .ticket 547
08:04 < zodbot> mmcgrath: #547 (Koji DB Server as postgres 8.3) - Fedora 
Infrastructure - Trac - 
https://fedorahosted.org/projects/fedora-infrastructure/ticket/547
08:04 < mmcgrath> abadger1999: so we're going to package this but we 
didn't really get any farther then that.
08:04 < abadger1999> mmcgrath: Right.  It's packaged and in the fi-repo now.
08:04 < abadger1999> F-9 versions.
08:04 < dgilmore> abadger1999: is this weekend too soon to roll out
08:05 < dgilmore> abadger1999: just thinking we can piggy back on the fsck
08:05 < abadger1999> I thought we were going to wait for the dedicated 
koji db server?
08:05 < jcollie> fsck is going take almost 24hrs anyway
08:05 < dgilmore> we can do that also
08:05 < abadger1999> We could deploy now... just saying that was my 
original plan.
08:06 < mmcgrath> yeah, lets just wait for the new server.
08:06 < mmcgrath> That way we can call an outage, try to migrate.  if it 
fails, we can just turn db2 back on.  no harm no foul
08:06 < abadger1999> <nod>  Makes sense to me
08:06 < dgilmore> having done a conversion from 8.1 to 8.3  it was 
pretty smooth
08:06 < mmcgrath> we can do it this weekend but I won't be around much 
is all.
08:07 < mbonnet> the dump/restore will take a significant amount of time
08:07  * abadger1999 likes having an escape option
08:07 < dgilmore> mbonnet: which is why i suggested during the 24 hr 
window for the fsck
08:08 < dgilmore> but im with abadger1999
08:08 < abadger1999> <nod>  Do we know how long the backup currently 
takes on the koji db?
08:08 < dgilmore> we do 4 a day
08:08 < dgilmore> restore will take longer i think
08:08 < mmcgrath> abadger1999: the backups don't take long, the restores 
take a very long time though.  I'm not sure how long though.
08:08 < abadger1999> yeah.
08:09 < mmcgrath> its the indexes
08:09 < mmcgrath> abadger1999: to give you an idea, the backup is 4.1G, 
the database is 61G.
08:10 < abadger1999> <nod>
08:10 < mmcgrath> anywho.  I'll leave that up to you tosho when you want 
to do it.  It'd be nice to do a trial run first and import of all the 
production data to know what issues we'll run into.
08:11 < mmcgrath> anything else on that?  If not we'll move on.
08:11 < abadger1999> k.  For the real thing I say wait for the koji db 
server.
08:11 < abadger1999> Nope, no more.
08:11 < mmcgrath> k
08:11 < mmcgrath> next item
08:11 < G> yeah, kind of makes sense
08:11 -!- mmcgrath changed the topic of #fedora-meeting to: 
Infrastructure -- The Wiki Migration
08:11  * ricky must go now :-(
08:11 < mmcgrath> So the new wiki will be in place on Friday (most of it)
08:11 < mmcgrath> ricky:  later!
08:11 < ianweller> woo, my subject. :D
08:12 < ianweller> ricky: cya
08:12 < mmcgrath> we're officialy doing the switchover on Tuesday.
08:12  * dgilmore hopes he can continue to use moin syntax
08:12 < ianweller> i've had enough with moin syntax :/
08:12 < mmcgrath> the idea is we'll do the main mass import on friday, 
go through, fix up, test, etc.  Then just re-import the pages that have 
changed in moin.
08:12  * lmacken wants LaTeX syntax by default ;)
08:12 < mmcgrath> This will consume almost all of my time starting two 
days ago until Tuesday.
08:13 < ianweller> same here
08:13 < mmcgrath> ianweller and ricky have also been hard at work but if 
_any_ of you have free time we can use additional hands and eyes on this.
08:13 < mmcgrath> in testing, verifying, etc.
08:13 < mmcgrath> We're in good shape but there's a couple of hangups 
right now.
08:13 < mmcgrath> 1) auth
08:13 < mmcgrath> and 2) auth -> email mapping.
08:13 < mmcgrath> beyond that I don't think there's any blockers.
08:13 < jcollie> brb
08:14 < mmcgrath> A reminder, you won't be able to do regex watchlists 
anymore.  (thats a design choice and one of the reaons Moin was so slow 
on page saves)
08:14 < ianweller> tomorrow after the main mass import my first priority 
is to fix up the WikiEditing page
08:14 < mmcgrath> s/slow/expensive/
08:14 < mmcgrath> but you should (if we get the extension configured in 
time) be able to watch /wiki/Docs/* for example.
08:15 < mmcgrath> This is going to be painful for about the first month 
I suspect.  After that we'll all be glad we switched.
08:15 < mmcgrath> Does anyone have any questions or comments about the wiki?
08:15 < mmcgrath> Anyone want to volunteer some time?
08:15  * ianweller
08:15 < mmcgrath> oh!  G's also been mega helpful in this too.
08:15 < mmcgrath> as has smooge
08:15 < dgilmore> mmcgrath: what do we have as the backend/frontend setup?
08:15 < ianweller> mediawiki allows spaces in page names.
08:15 < mmcgrath> dgilmore: backend is going to be db1, frontend is 
going to be app[1-2]
08:16 < smooge> ?
08:16 < mmcgrath> well the append
08:16 < mmcgrath> smooge: talking about mediawiki :-P
08:16 < G> mmcgrath: I might be able to help on Tuesday, but it'll be a 
balancing act
08:16 < mmcgrath> to start we won't be deploying any caching abilities 
of mediawiki.  I want to make sure to get a baseline.
08:16 < mmcgrath> G: thanks.
08:17 < mmcgrath> Anyone have anything else to discuss there?
08:17 < mmcgrath> k, next item
08:17 < smooge> ah ok.
08:17 -!- mmcgrath changed the topic of #fedora-meeting to: 
Infrastructure -- 3rd party machine auth.
08:18 < mmcgrath> this is on the infrastructure list right now
08:18 < mmcgrath> nirik: ping (see topic)
08:18 < nirik> you rang?
08:18 < mmcgrath> What do y'all think?  I want to be able to provide 
this but I need to do it in a way that won't get me fired.
08:18  * nirik doesn't want to cause any security problems... but it 
would be nice to have.
08:19 < nirik> I need ssh pub keys & logins I guess... no password auth.
08:19 < mmcgrath> nirik: and its a service we'd like to be able to provide.
08:19 < G> this is where something like two facter authentication would 
be nice
08:19 < mmcgrath> does anyone think this is a service we should not provide?
08:20 < G> oh I really do think it's something we should provide
08:20 < mmcgrath> G: indeed, I'd like to do that but right now I'm 
-ENOTIME unless someone else wants to pick up the job.
08:20  * ianweller is reading the list archive
08:21 < nirik> G: which 2 factors? ssh key + openid or something?
08:21  * dgilmore thinks we should provide it.  
08:21 < ianweller> is the subject 'FAS and public Key auth'?
08:21 < G> if you were to do something like what the banks use (two 
facter auth) you have something *you* know and something you *don't* know
08:21 < dgilmore> but im biased as im one of those wanting it
08:21 < mmcgrath> Yeah, i don't think anyone is against providing it, 
the question now is how to do it properly.
08:21 < mmcgrath> G: yeah, and we have a couple of options there.
08:21 < G> shouldn't be too hard to implement inside fedora, you could 
have a pam_fas plugin or something to manage the something you don't 
know token
08:22 < G> login to fas, bam there is the one use token that you can use 
to login to the core machines w/ your public key
08:23 < nirik> well, I thought 2 factor is more: something you know + 
something you have... (cell/secureid fob, etc), but ok.
08:23 < wfp> To make it worth doing, doesn't 2 factor auth need 
something like a hardware crypto card?
08:23 < G> wfp: not really
08:23 < mmcgrath> wfp: that makes it much more secure, but there are 
levels of security between singlefactor and two factor w/ hardware key.
08:24 < nirik> if we have * and cell phone numbers we could use that... 
"call from fedora account system, do you auth this, press 1"
08:24 < G> nirik: that sounds costly :)
08:24 < ivazquez> There's PhoneFactor, but I don't think they work 
outside NA.
08:24 < ianweller> nirik: G: myopenid.com does that.
08:24 < G> get a SMS gateway to sponsor text messages
08:24 < ianweller> G: costly to the end user
08:24 < G> ianweller: ohhh okay
08:24  * dgilmore just wants to easily give fedora community access to a 
sparc box for doing mock builds
08:25  * dgilmore really doesnt care how its achieved
08:25  * nirik just wants to give fedora community acces to ppc and 
x86_64 boxes for mockbuilds and debugging.
08:25 < dgilmore> mmcgrath: ill bring you a sparc box to put into phx :)
08:25 < G> I agree, we should provide it for those exact reasons (didn't 
I mention this in my F10 wishlist? :P)
08:26 < mmcgrath> Lets think on this for another week or so and talk 
about it at the next meeting as well.
08:26 < nirik> I can also think of more fun stuff down the road... on 
demand test virtuals, access to archive of rawhide daily installs, etc.
08:28 < G> exactly, Debian offer Developer (equiv to our cvsextras) 
access to donated boxes for testing w/ chroots, bugfixing etc
08:28 < mmcgrath> alrighty then, beyond that I've got nothing else.
08:28 -!- mmcgrath changed the topic of #fedora-meeting to: 
Infrastructure -- Open Floor
08:28 < mmcgrath> Who's got something they want to discuss?
08:28 < lmacken> SELinux!
08:28 < mmcgrath> lmacken: have at it.
08:28 < lmacken> I sat down with Dan Walsh today, and we tackled the 
SELinux issues around bastion, app1, and proxy1.
08:28 < lmacken> .ticket 230
08:28 < zodbot> lmacken: #230 (SELinux Deployment) - Fedora 
Infrastructure - Trac - 
https://fedorahosted.org/projects/fedora-infrastructure/ticket/230
08:28 < lmacken> see the ticket for more details :)
08:28 < lmacken> progress is being made
08:29 < mmcgrath> if only we can get Dan to sit down with everyone who 
wants to use selinux :)
08:29 < lmacken> seriously
08:29 < mmcgrath> lmacken: how bad of shape are we in?
08:29 < lmacken> mmcgrath: well, we've got a lot of custom apps, running 
in a lot of custom locations.
08:29 < lmacken> which is easily fixable from an selinux standpoint
08:29 < lmacken> but puppet..
08:29 < lmacken> that's were we need the changes
08:30 < mmcgrath> lmacken: how does selinux work with the satellite 
deployment tools?
08:30 < lmacken> Brett Lentz (wakko666) has been doing a great job of 
pushing the selinux patch and unit test to puppet upstream
08:30 < lmacken> mmcgrath: No clue whatesover
08:31 < mmcgrath> <nod>
08:31 < lmacken> dwalsh is pretty determined to get our infrastructure 
working 100% with SELinux by F10
08:31 < dgilmore> lmacken: builders will need alot of work
08:31 < ivazquez> What a coup that would be for SELinux.
08:31 < mmcgrath> lmacken: now with selinux and puppet are you talking 
about deploying selinux policies via puppet?  Or actually what puppet 
does when deploying configs is causing selinux issues?
08:31 < lmacken> dgilmore: yes, but a lot of that is being done right 
now by Eric Paris, with the mock/livecd-creator stuff, right ?
08:31 < dgilmore> lmacken: not really
08:32 < dgilmore> lmacken: simmiliar but different
08:32 < lmacken> mmcgrath: deploy custom policies, booleans, and 
contexts with puppet.. and also making puppet smart when creating new files
08:33 < mmcgrath> solid.
08:33 < mmcgrath> well, baby steps I guess :)
08:33 < lmacken> indeed.  I'm meeting with dan again next week.  I'll 
keep that ticket up to date with our progress
08:33 < mmcgrath> solid.
08:34 < mmcgrath> lmacken: are you or dan going to hold some training 
sessions for the rest of our team?
08:34 < lmacken> mmcgrath: yeah, we'll make sure it's well documented 
and people know how to use it
08:34 < mmcgrath> solid.
08:35 < mmcgrath> anything else on selinux?
08:35 < lmacken> nada
08:35 < abadger1999> lmacken: You might want to look at app2 as well
08:35 < abadger1999> app1 is the one app server not running all of our 
TG apps.
08:35 < mmcgrath> solid
08:36 < mmcgrath> anyone have anything else they'd like to discuss?
08:36 < lmacken> abadger1999: yep, we'll get there :)  we just wanted to 
hit a few different types of machines today to get a good high-level 
idea of what we're dealing with
08:36 < G> The voting app is near readiness
08:36 < abadger1999> Yeah, you're doing really great work on that!
08:36 < G> Hopefully I'll have something ready for testing with the 
masses in a day or two
08:37 < mmcgrath> G: you've got everything you need to put togther a 
public test of it for everyone right?
08:37 < G> I've got an RPM ready, but I spotted something wack with the 
URLs etc but hopefully get that fixed today
08:38 < ivazquez> Although not quite FI-specific, do we have the new 
planet up somewhere?
08:38 < G> mmcgrath: all I really need to create a dummy fas login, so I 
don't expose a real user login on pt10 and a new group in the main fas
08:38 < G> but yeah, I'll do a test deploy today on pt10 and see what 
happens
08:38 < mmcgrath> ivazquez: the new planet?  Like what skvidal has been 
up to?
08:38 < mmcgrath> G: solid
08:38 < skvidal> ivazquez: call be slartibartifast!
08:39 < ivazquez> Yes.
08:39 < ianweller> hey now. slartibartfast is my computer's host name.
08:39 < ianweller> that would get confusing for me :/
08:39 < ianweller> ;)
08:39 < skvidal> ivazquez: we still only have 78 people in the .planet files
08:39 < G> if anyone wants to, the new group is currently meant to be 
"elections" :P
08:39 < skvidal> and 230 in the existing planet
08:39 < dgilmore> skvidal: im sorry i suck and have not done it yet
08:39 < ivazquez> Well, it would still be nice if the 78 people could 
make sure that their feeds work :P
08:39 < G> skvidal: thats a third, the rest will fall in line when they 
suddenly disappear :)
08:40 < skvidal> ivazquez: agreed
08:40 < ivazquez> Plus it might get some others in gear when they see it 
happening.
08:40 < ianweller> skvidal: if you need help with pinging individual 
people, i'm up for it after the wiki switch ;)
08:40 < skvidal> ianm: nah
08:40 < skvidal> err ianweller nah
08:40 < iWolf> mmcgrath: re, the wiki, has any PHP hardening been done 
or considered?
08:40 < skvidal> ivazquez: agreed - but it's only been a week - so I 
didn't want piss off everyone :)
08:40 < G> abadger1999: btw, thanks
08:40 < ivazquez> A week is Forever in Fedora time.
08:41  * skvidal rolls his eyes
08:41 < ivazquez> Heh.
08:41 < ianweller> so it takes 26 forevers for each fedora release? ;)
08:41 < mmcgrath> iWolf: we have mod_security mildly deployed.  Beyond 
that though no.  Needs someone with time and experience to do it, I only 
have the latter at the moment.
08:41 < jcollie> ianweller: sometimes it seems like it
08:42 < abadger1999> G: For what? You've been doing all the work :-)
08:42 < iWolf> mmcgrath: understood.
08:42 < G> abadger1999: I was saying thanks for your comment :)
08:42 < ianweller> mediawiki is pretty secure (lots of testing), not so 
sure about the extensions though
08:42 < ianweller> the more extensions you have, the more potential 
holes you have.
08:43 < iWolf> mmcgrath: does one just need sysadmin-test to access the 
current wiki server php config?
08:43 < mmcgrath> iWolf: yes.
08:43 < mmcgrath> iWolf: We've got multiple deploys of it going, if you 
want your own you're encouraged to install one :)
08:43 < iWolf> mmcgrath: :)
08:43  * ianweller has one at /w-ian/
08:44 < ianweller> that's where he's writing his IRCLog extension for 
the moment.
08:44 < mmcgrath> we've got like 5 or 6 wiki's I think :)
08:44 < ianweller> something like that
08:45 < mmcgrath> Ok, well talks seem to have calmed down a bit.  If no 
one has anything else we'll close a little early this week.  I'll give it 30
08:46 < G> yeah, I have nothing more
08:46 < mmcgrath> 15
08:46 < mmcgrath> 5
08:46 -!- mmcgrath changed the topic of #fedora-meeting to: 
Infrasturcture -- Meeting End
08:46 < mmcgrath> Thanks for coming everyone!
08:46 < G> I'll sort out the log
08:47 -!- giallu [n=giallu at 81-174-9-190.dynamic.ngi.it] has joined 
#fedora-meeting
08:47 -!- mmcgrath changed the topic of #fedora-meeting to: Channel is 
used by various Fedora groups and committees for their regular meetings 
| Note that meetings often get logged | For questions about using Fedora 
please ask in #fedora | See 
http://fedoraproject.org/wiki/Communicate/FedoraMeetingChannel for 
meeting schedule