Meeting Log - 2008-05-22
dev at nigelj.com
Thu May 22 20:52:06 UTC 2008
07:57 < dgilmore> mmcgrath: show time?
07:58 < mmcgrath> yep
07:58 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrastructure -- Who's Here?
07:58 < ivazquez> Pong.
07:58 * ianweller
07:59 < mmcgrath> so who's all here?
07:59 * dgilmore is here
07:59 * skvidal is
07:59 < G> me
07:59 * mmcgrath lets people roll in
07:59 * ricky
07:59 * nirik is off in the spectator seats.
08:00 < jcollie> hello
08:00 * f13
08:01 < mmcgrath> Allrighty, lets get started
08:01 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrastructure -- Open Tickets
08:01 < mmcgrath> .tiny
08:01 < zodbot> mmcgrath: http://tinyurl.com/2hyyz6
08:01 < mmcgrath> .ticket 395
08:01 < zodbot> mmcgrath: #395 (Audio Streaming of Fedora Board
Conference Calls) - Fedora Infrastructure - Trac -
08:01 < mmcgrath> jcollie: any news ?
08:02 < jcollie> not really
08:02 < mmcgrath> k, next ticket
08:02 < mmcgrath> .ticket 398
08:02 < zodbot> mmcgrath: #398 (elfutils `monotone' (mtn) error) -
Fedora Infrastructure - Trac -
08:02 < mmcgrath> abadger1999: jcollie: anything there?
08:02 < jcollie> nope
08:02 < abadger1999> nope
08:02 < abadger1999> It's all roland for now.
08:02 < mmcgrath> k
08:02 < mmcgrath> .ticket 446
08:02 < zodbot> mmcgrath: #446 (Possibility to add external links on
spins page) - Fedora Infrastructure - Trac -
08:02 < mmcgrath> dgilmore: any news?
08:03 * dgilmore notes that he sucks
08:03 < mmcgrath> hah, no news then?
08:04 < mmcgrath> .ticket 547
08:04 < zodbot> mmcgrath: #547 (Koji DB Server as postgres 8.3) - Fedora
Infrastructure - Trac -
08:04 < mmcgrath> abadger1999: so we're going to package this but we
didn't really get any farther then that.
08:04 < abadger1999> mmcgrath: Right. It's packaged and in the fi-repo now.
08:04 < abadger1999> F-9 versions.
08:04 < dgilmore> abadger1999: is this weekend too soon to roll out
08:05 < dgilmore> abadger1999: just thinking we can piggy back on the fsck
08:05 < abadger1999> I thought we were going to wait for the dedicated
koji db server?
08:05 < jcollie> fsck is going take almost 24hrs anyway
08:05 < dgilmore> we can do that also
08:05 < abadger1999> We could deploy now... just saying that was my
08:06 < mmcgrath> yeah, lets just wait for the new server.
08:06 < mmcgrath> That way we can call an outage, try to migrate. if it
fails, we can just turn db2 back on. no harm no foul
08:06 < abadger1999> <nod> Makes sense to me
08:06 < dgilmore> having done a conversion from 8.1 to 8.3 it was
08:06 < mmcgrath> we can do it this weekend but I won't be around much
08:07 < mbonnet> the dump/restore will take a significant amount of time
08:07 * abadger1999 likes having an escape option
08:07 < dgilmore> mbonnet: which is why i suggested during the 24 hr
window for the fsck
08:08 < dgilmore> but im with abadger1999
08:08 < abadger1999> <nod> Do we know how long the backup currently
takes on the koji db?
08:08 < dgilmore> we do 4 a day
08:08 < dgilmore> restore will take longer i think
08:08 < mmcgrath> abadger1999: the backups don't take long, the restores
take a very long time though. I'm not sure how long though.
08:08 < abadger1999> yeah.
08:09 < mmcgrath> its the indexes
08:09 < mmcgrath> abadger1999: to give you an idea, the backup is 4.1G,
the database is 61G.
08:10 < abadger1999> <nod>
08:10 < mmcgrath> anywho. I'll leave that up to you tosho when you want
to do it. It'd be nice to do a trial run first and import of all the
production data to know what issues we'll run into.
08:11 < mmcgrath> anything else on that? If not we'll move on.
08:11 < abadger1999> k. For the real thing I say wait for the koji db
08:11 < abadger1999> Nope, no more.
08:11 < mmcgrath> k
08:11 < mmcgrath> next item
08:11 < G> yeah, kind of makes sense
08:11 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrastructure -- The Wiki Migration
08:11 * ricky must go now :-(
08:11 < mmcgrath> So the new wiki will be in place on Friday (most of it)
08:11 < mmcgrath> ricky: later!
08:11 < ianweller> woo, my subject. :D
08:12 < ianweller> ricky: cya
08:12 < mmcgrath> we're officialy doing the switchover on Tuesday.
08:12 * dgilmore hopes he can continue to use moin syntax
08:12 < ianweller> i've had enough with moin syntax :/
08:12 < mmcgrath> the idea is we'll do the main mass import on friday,
go through, fix up, test, etc. Then just re-import the pages that have
changed in moin.
08:12 * lmacken wants LaTeX syntax by default ;)
08:12 < mmcgrath> This will consume almost all of my time starting two
days ago until Tuesday.
08:13 < ianweller> same here
08:13 < mmcgrath> ianweller and ricky have also been hard at work but if
_any_ of you have free time we can use additional hands and eyes on this.
08:13 < mmcgrath> in testing, verifying, etc.
08:13 < mmcgrath> We're in good shape but there's a couple of hangups
08:13 < mmcgrath> 1) auth
08:13 < mmcgrath> and 2) auth -> email mapping.
08:13 < mmcgrath> beyond that I don't think there's any blockers.
08:13 < jcollie> brb
08:14 < mmcgrath> A reminder, you won't be able to do regex watchlists
anymore. (thats a design choice and one of the reaons Moin was so slow
on page saves)
08:14 < ianweller> tomorrow after the main mass import my first priority
is to fix up the WikiEditing page
08:14 < mmcgrath> s/slow/expensive/
08:14 < mmcgrath> but you should (if we get the extension configured in
time) be able to watch /wiki/Docs/* for example.
08:15 < mmcgrath> This is going to be painful for about the first month
I suspect. After that we'll all be glad we switched.
08:15 < mmcgrath> Does anyone have any questions or comments about the wiki?
08:15 < mmcgrath> Anyone want to volunteer some time?
08:15 * ianweller
08:15 < mmcgrath> oh! G's also been mega helpful in this too.
08:15 < mmcgrath> as has smooge
08:15 < dgilmore> mmcgrath: what do we have as the backend/frontend setup?
08:15 < ianweller> mediawiki allows spaces in page names.
08:15 < mmcgrath> dgilmore: backend is going to be db1, frontend is
going to be app[1-2]
08:16 < smooge> ?
08:16 < mmcgrath> well the append
08:16 < mmcgrath> smooge: talking about mediawiki :-P
08:16 < G> mmcgrath: I might be able to help on Tuesday, but it'll be a
08:16 < mmcgrath> to start we won't be deploying any caching abilities
of mediawiki. I want to make sure to get a baseline.
08:16 < mmcgrath> G: thanks.
08:17 < mmcgrath> Anyone have anything else to discuss there?
08:17 < mmcgrath> k, next item
08:17 < smooge> ah ok.
08:17 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrastructure -- 3rd party machine auth.
08:18 < mmcgrath> this is on the infrastructure list right now
08:18 < mmcgrath> nirik: ping (see topic)
08:18 < nirik> you rang?
08:18 < mmcgrath> What do y'all think? I want to be able to provide
this but I need to do it in a way that won't get me fired.
08:18 * nirik doesn't want to cause any security problems... but it
would be nice to have.
08:19 < nirik> I need ssh pub keys & logins I guess... no password auth.
08:19 < mmcgrath> nirik: and its a service we'd like to be able to provide.
08:19 < G> this is where something like two facter authentication would
08:19 < mmcgrath> does anyone think this is a service we should not provide?
08:20 < G> oh I really do think it's something we should provide
08:20 < mmcgrath> G: indeed, I'd like to do that but right now I'm
-ENOTIME unless someone else wants to pick up the job.
08:20 * ianweller is reading the list archive
08:21 < nirik> G: which 2 factors? ssh key + openid or something?
08:21 * dgilmore thinks we should provide it.
08:21 < ianweller> is the subject 'FAS and public Key auth'?
08:21 < G> if you were to do something like what the banks use (two
facter auth) you have something *you* know and something you *don't* know
08:21 < dgilmore> but im biased as im one of those wanting it
08:21 < mmcgrath> Yeah, i don't think anyone is against providing it,
the question now is how to do it properly.
08:21 < mmcgrath> G: yeah, and we have a couple of options there.
08:21 < G> shouldn't be too hard to implement inside fedora, you could
have a pam_fas plugin or something to manage the something you don't
08:22 < G> login to fas, bam there is the one use token that you can use
to login to the core machines w/ your public key
08:23 < nirik> well, I thought 2 factor is more: something you know +
something you have... (cell/secureid fob, etc), but ok.
08:23 < wfp> To make it worth doing, doesn't 2 factor auth need
something like a hardware crypto card?
08:23 < G> wfp: not really
08:23 < mmcgrath> wfp: that makes it much more secure, but there are
levels of security between singlefactor and two factor w/ hardware key.
08:24 < nirik> if we have * and cell phone numbers we could use that...
"call from fedora account system, do you auth this, press 1"
08:24 < G> nirik: that sounds costly :)
08:24 < ivazquez> There's PhoneFactor, but I don't think they work
08:24 < ianweller> nirik: G: myopenid.com does that.
08:24 < G> get a SMS gateway to sponsor text messages
08:24 < ianweller> G: costly to the end user
08:24 < G> ianweller: ohhh okay
08:24 * dgilmore just wants to easily give fedora community access to a
sparc box for doing mock builds
08:25 * dgilmore really doesnt care how its achieved
08:25 * nirik just wants to give fedora community acces to ppc and
x86_64 boxes for mockbuilds and debugging.
08:25 < dgilmore> mmcgrath: ill bring you a sparc box to put into phx :)
08:25 < G> I agree, we should provide it for those exact reasons (didn't
I mention this in my F10 wishlist? :P)
08:26 < mmcgrath> Lets think on this for another week or so and talk
about it at the next meeting as well.
08:26 < nirik> I can also think of more fun stuff down the road... on
demand test virtuals, access to archive of rawhide daily installs, etc.
08:28 < G> exactly, Debian offer Developer (equiv to our cvsextras)
access to donated boxes for testing w/ chroots, bugfixing etc
08:28 < mmcgrath> alrighty then, beyond that I've got nothing else.
08:28 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrastructure -- Open Floor
08:28 < mmcgrath> Who's got something they want to discuss?
08:28 < lmacken> SELinux!
08:28 < mmcgrath> lmacken: have at it.
08:28 < lmacken> I sat down with Dan Walsh today, and we tackled the
SELinux issues around bastion, app1, and proxy1.
08:28 < lmacken> .ticket 230
08:28 < zodbot> lmacken: #230 (SELinux Deployment) - Fedora
Infrastructure - Trac -
08:28 < lmacken> see the ticket for more details :)
08:28 < lmacken> progress is being made
08:29 < mmcgrath> if only we can get Dan to sit down with everyone who
wants to use selinux :)
08:29 < lmacken> seriously
08:29 < mmcgrath> lmacken: how bad of shape are we in?
08:29 < lmacken> mmcgrath: well, we've got a lot of custom apps, running
in a lot of custom locations.
08:29 < lmacken> which is easily fixable from an selinux standpoint
08:29 < lmacken> but puppet..
08:29 < lmacken> that's were we need the changes
08:30 < mmcgrath> lmacken: how does selinux work with the satellite
08:30 < lmacken> Brett Lentz (wakko666) has been doing a great job of
pushing the selinux patch and unit test to puppet upstream
08:30 < lmacken> mmcgrath: No clue whatesover
08:31 < mmcgrath> <nod>
08:31 < lmacken> dwalsh is pretty determined to get our infrastructure
working 100% with SELinux by F10
08:31 < dgilmore> lmacken: builders will need alot of work
08:31 < ivazquez> What a coup that would be for SELinux.
08:31 < mmcgrath> lmacken: now with selinux and puppet are you talking
about deploying selinux policies via puppet? Or actually what puppet
does when deploying configs is causing selinux issues?
08:31 < lmacken> dgilmore: yes, but a lot of that is being done right
now by Eric Paris, with the mock/livecd-creator stuff, right ?
08:31 < dgilmore> lmacken: not really
08:32 < dgilmore> lmacken: simmiliar but different
08:32 < lmacken> mmcgrath: deploy custom policies, booleans, and
contexts with puppet.. and also making puppet smart when creating new files
08:33 < mmcgrath> solid.
08:33 < mmcgrath> well, baby steps I guess :)
08:33 < lmacken> indeed. I'm meeting with dan again next week. I'll
keep that ticket up to date with our progress
08:33 < mmcgrath> solid.
08:34 < mmcgrath> lmacken: are you or dan going to hold some training
sessions for the rest of our team?
08:34 < lmacken> mmcgrath: yeah, we'll make sure it's well documented
and people know how to use it
08:34 < mmcgrath> solid.
08:35 < mmcgrath> anything else on selinux?
08:35 < lmacken> nada
08:35 < abadger1999> lmacken: You might want to look at app2 as well
08:35 < abadger1999> app1 is the one app server not running all of our
08:35 < mmcgrath> solid
08:36 < mmcgrath> anyone have anything else they'd like to discuss?
08:36 < lmacken> abadger1999: yep, we'll get there :) we just wanted to
hit a few different types of machines today to get a good high-level
idea of what we're dealing with
08:36 < G> The voting app is near readiness
08:36 < abadger1999> Yeah, you're doing really great work on that!
08:36 < G> Hopefully I'll have something ready for testing with the
masses in a day or two
08:37 < mmcgrath> G: you've got everything you need to put togther a
public test of it for everyone right?
08:37 < G> I've got an RPM ready, but I spotted something wack with the
URLs etc but hopefully get that fixed today
08:38 < ivazquez> Although not quite FI-specific, do we have the new
planet up somewhere?
08:38 < G> mmcgrath: all I really need to create a dummy fas login, so I
don't expose a real user login on pt10 and a new group in the main fas
08:38 < G> but yeah, I'll do a test deploy today on pt10 and see what
08:38 < mmcgrath> ivazquez: the new planet? Like what skvidal has been
08:38 < mmcgrath> G: solid
08:38 < skvidal> ivazquez: call be slartibartifast!
08:39 < ivazquez> Yes.
08:39 < ianweller> hey now. slartibartfast is my computer's host name.
08:39 < ianweller> that would get confusing for me :/
08:39 < ianweller> ;)
08:39 < skvidal> ivazquez: we still only have 78 people in the .planet files
08:39 < G> if anyone wants to, the new group is currently meant to be
08:39 < skvidal> and 230 in the existing planet
08:39 < dgilmore> skvidal: im sorry i suck and have not done it yet
08:39 < ivazquez> Well, it would still be nice if the 78 people could
make sure that their feeds work :P
08:39 < G> skvidal: thats a third, the rest will fall in line when they
suddenly disappear :)
08:40 < skvidal> ivazquez: agreed
08:40 < ivazquez> Plus it might get some others in gear when they see it
08:40 < ianweller> skvidal: if you need help with pinging individual
people, i'm up for it after the wiki switch ;)
08:40 < skvidal> ianm: nah
08:40 < skvidal> err ianweller nah
08:40 < iWolf> mmcgrath: re, the wiki, has any PHP hardening been done
08:40 < skvidal> ivazquez: agreed - but it's only been a week - so I
didn't want piss off everyone :)
08:40 < G> abadger1999: btw, thanks
08:40 < ivazquez> A week is Forever in Fedora time.
08:41 * skvidal rolls his eyes
08:41 < ivazquez> Heh.
08:41 < ianweller> so it takes 26 forevers for each fedora release? ;)
08:41 < mmcgrath> iWolf: we have mod_security mildly deployed. Beyond
that though no. Needs someone with time and experience to do it, I only
have the latter at the moment.
08:41 < jcollie> ianweller: sometimes it seems like it
08:42 < abadger1999> G: For what? You've been doing all the work :-)
08:42 < iWolf> mmcgrath: understood.
08:42 < G> abadger1999: I was saying thanks for your comment :)
08:42 < ianweller> mediawiki is pretty secure (lots of testing), not so
sure about the extensions though
08:42 < ianweller> the more extensions you have, the more potential
holes you have.
08:43 < iWolf> mmcgrath: does one just need sysadmin-test to access the
current wiki server php config?
08:43 < mmcgrath> iWolf: yes.
08:43 < mmcgrath> iWolf: We've got multiple deploys of it going, if you
want your own you're encouraged to install one :)
08:43 < iWolf> mmcgrath: :)
08:43 * ianweller has one at /w-ian/
08:44 < ianweller> that's where he's writing his IRCLog extension for
08:44 < mmcgrath> we've got like 5 or 6 wiki's I think :)
08:44 < ianweller> something like that
08:45 < mmcgrath> Ok, well talks seem to have calmed down a bit. If no
one has anything else we'll close a little early this week. I'll give it 30
08:46 < G> yeah, I have nothing more
08:46 < mmcgrath> 15
08:46 < mmcgrath> 5
08:46 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrasturcture -- Meeting End
08:46 < mmcgrath> Thanks for coming everyone!
08:46 < G> I'll sort out the log
08:47 -!- giallu [n=giallu at 81-174-9-190.dynamic.ngi.it] has joined
08:47 -!- mmcgrath changed the topic of #fedora-meeting to: Channel is
used by various Fedora groups and committees for their regular meetings
| Note that meetings often get logged | For questions about using Fedora
please ask in #fedora | See
More information about the Fedora-infrastructure-list