Plan for tomorrow's Fedora Infrastructure meeting (2013-10-09)
by Stephen John Smoogen
Kevin Fenzi is out tomorrow. I will be assisted at the meeting by Frankie
Onuonga.
The infrastructure team will be having its weekly meeting tomorrow,
2013-10-09 at 19:00 UTC in #fedora-meeting on the freenode network.
Suggested topics:
#topic New folks introductions and Apprentice tasks.
If any new folks want to give a quick one line bio or any apprentices
would like to ask general questions, they can do so in this part of the
meeting. Don't be shy!
#topic Applications status / discussion
Check in on status of our applications: pkgdb, fas, bodhi, koji,
community, voting, tagger, packager, dpsearch, etc.
If there's new releases, bugs we need to work around or things to note.
#topic Sysadmin status / discussion
Here we talk about sysadmin related happenings from the previous week,
or things that are upcoming.
#topic Upcoming Tasks/Items
https://apps.fedoraproject.org/calendar/list/infrastructure/
#topic Open Floor
Submit your agenda items, as tickets in the trac instance and send a
note replying to this thread.
More info here:
https://fedoraproject.org/wiki/Infrastructure/Meetings#Meetings
--
Stephen J Smoogen.
10 years, 7 months
How we handle attacks?
by Miroslav Suchý
I see in the log file of copr-fe-dev a lot of attempts to log in as the root/postgres/nagios/oracl/test users. Well, it is ~4000
attempts, so it depends on your definition of "a lot of". But it caught my attention.
Do we have some standard procedure for handling it? Add those IPs to a blacklist? Move the ssh port to a non-standard number? Or
should I just ignore them?
--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys
10 years, 7 months
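One way to size up such attempts before choosing a response, as an added example that is not part of the original message: it counts failed SSH logins per source address and per user name. The log lines are constructed in the usual OpenSSH "Failed password" syslog format, and the threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses, not from copr-fe-dev).
SAMPLE_LOG = """\
Oct  8 03:12:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Oct  8 03:12:03 host sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Oct  8 03:12:05 host sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51144 ssh2
Oct  8 03:15:40 host sshd[2190]: Failed password for postgres from 198.51.100.23 port 40222 ssh2
Oct  8 03:16:02 host sshd[2199]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
Oct  8 03:17:11 host sshd[2207]: Failed password for invalid user nagios from 203.0.113.7 port 51201 ssh2
Oct  8 03:18:00 host sshd[2210]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 203.0.113.7 port 51210 ssh2
"""

# The user name is attacker-controlled text. The greedy group plus the
# end-of-line anchor make the LAST " from <ip> port <n> ssh2" the source
# address, so a user name containing " from ..." cannot shift the blame.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def summarize(log_text, threshold=3):
    """Return (failures per IP, failures per user, IPs at or above threshold)."""
    by_ip, by_user = Counter(), Counter()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match is None:
            continue  # successful logins and unrelated lines
        by_ip[match["ip"]] += 1
        by_user[match["user"]] += 1
    offenders = sorted(ip for ip, count in by_ip.items() if count >= threshold)
    return by_ip, by_user, offenders


if __name__ == "__main__":
    ips, users, offenders = summarize(SAMPLE_LOG)
    print(ips.most_common(), users.most_common(5), offenders)
```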
Proxy header for SSL
by Aurelien Bompard
Hi *,
I'm having a small problem with the way we proxy connections to our
webapps. If I understand correctly, the proxy handles SSL connections
and forwards them as plain-text connections (which is normal).
The problem is, I can't find a header I could use to detect that the
connection was made using HTTPS, and as a result I can't find a way to
properly redirect plain-text connections to SSL on the login form (and
when the user is auth'ed).
This is a common problem and Django has a way to detect that the
connection was securely forwarded if some header is set:
https://docs.djangoproject.com/en/1.5/ref/settings/#secure-proxy-ssl-header
A common way is to set HTTP_X_FORWARDED_PROTO to 'https'.
Which proxy are we using? With NginX the config line to add is:
    proxy_set_header X-Forwarded-Protocol $scheme;
With Apache it would be:
    RequestHeader set X-Forwarded-Protocol "https"
in the virtualhost listening on port 443, and:
    RequestHeader set X-Forwarded-Protocol "http"
in the virtualhost listening on port 80.
What do you think of all that? How do we handle HTTPS detection at the
moment?
If it looks OK to you, should we wait for the freeze to be over before
making this change?
Thanks,
Aurélien
--
http://aurelien.bompard.org ~~~~~~ xmpp:aurelien@bompard.org
Concentre-toi sur ce que tu as plutôt que sur ce que tu n'as pas.
10 years, 7 months
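The HTTPS detection discussed above, sketched as WSGI middleware (an added example, not part of the original message and not Fedora's configuration). The `X-Forwarded-Protocol` header set by the config lines above reaches a WSGI application as `HTTP_X_FORWARDED_PROTOCOL`, so that is the key checked here, and it is honoured only when the request comes from the proxy; the proxy address, host name and protected path are assumptions.

```python
# Added example: proxy address, host name and paths are assumptions.
TRUSTED_PROXIES = {"10.0.0.1"}          # hypothetical address of the SSL proxy
CANONICAL_HOST = "apps.example.org"     # hypothetical public host name
# "X-Forwarded-Protocol: https" reaches a WSGI app under this environ key.
PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTOCOL", "https")


def is_secure(environ):
    """True if the client-facing connection used HTTPS."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Only the proxy may vouch for the scheme; any client can send the header.
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return False
    key, expected = PROXY_SSL_HEADER
    return environ.get(key) == expected


class ForceHTTPS:
    """WSGI middleware: redirect protected paths to HTTPS when not secure."""

    def __init__(self, app, protected=("/login",)):
        self.app = app
        self.protected = tuple(protected)

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path.startswith(self.protected) and not is_secure(environ):
            # Build the target from a fixed host, never from the Host header.
            location = "https://" + CANONICAL_HOST + path
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real web application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]
```

The proxy should set the header on every request, as both Apache virtualhost lines above do, so that a value supplied by the client is overwritten before it reaches the application.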
yum updates and ansible managed hosts
by Toshio Kuratomi
Currently, with puppet we have a cron job that has puppet client check in
and decide whether the host it's running on needs to have any of its
configuration changed. This is not the case with our ansible deployment.
Until someone writes the equivalent cron job and we deploy it we'll need to
remember the following:
* Changes to config need to manually be pushed out to hosts (most people
  know to do this anyhow)
* When we update a package on a host, we need to have ansible reconfigure
  the host. This takes care of the case where the rpm overwrites some of
  our configuration or hotfixes need to be applied (note that you should
  remove obsoleted hotfixes before running ansible ;-)
Ticket for writing the cron job:
* https://fedorahosted.org/fedora-infrastructure/ticket/4045
-Toshio
10 years, 7 months
Plan for tomorrow's Fedora Infrastructure meeting (2013-10-03)
by Kevin Fenzi
The infrastructure team will be having its weekly meeting tomorrow,
2013-10-03 at 19:00 UTC in #fedora-meeting on the freenode network.
Suggested topics:
#topic New folks introductions and Apprentice tasks.
If any new folks want to give a quick one line bio or any apprentices
would like to ask general questions, they can do so in this part of the
meeting. Don't be shy!
#topic Applications status / discussion
Check in on status of our applications: pkgdb, fas, bodhi, koji,
community, voting, tagger, packager, dpsearch, etc.
If there's new releases, bugs we need to work around or things to note.
#topic Sysadmin status / discussion
Here we talk about sysadmin related happenings from the previous week,
or things that are upcoming.
#topic Upcoming Tasks/Items
https://apps.fedoraproject.org/calendar/list/infrastructure/
#topic Open Floor
Submit your agenda items, as tickets in the trac instance and send a
note replying to this thread.
More info here:
https://fedoraproject.org/wiki/Infrastructure/Meetings#Meetings
Thanks
kevin
10 years, 7 months
reminder: I'll be out tomorrow and next week
by Kevin Fenzi
Just a reminder that I am heading out on vacation tomorrow and will be
out all next week. ;)
If you need me for something urgent, please catch me today.
If you need something while I am gone, please file a ticket or direct
your issue to someone else to take care of. ;)
kevin
10 years, 7 months
datanommer/datagrepper upgrade status
by Ian Weller
busgateway01.stg is running fedmsg 0.7.0 and datanommer 0.6.0.
datagrepper01.stg is running fedmsg 0.7.0 and datagrepper 0.2.1.
As far as I know, the rest of staging is still running an earlier
version of fedmsg, and we should attempt to upgrade the rest of staging
to make sure there aren't any issues with 0.7.0.
datagrepper 0.2.1 is running perfectly except for an SELinux denial,
which occurs when the WSGI process tries to publish a fedmsg message.
The AVC message is:
node=10.5.126.67 type=AVC msg=audit(1380646727.079:916): avc: denied { write } for pid=11948 comm="httpd" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3660 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
We checked into it on IRC a few days ago and there's not a boolean
available to handle this, so how do we handle SELinux policies in puppet
or ansible? (And do we want to submit this upstream?)
(I need to split out the web application and the job runner in puppet
still, but that should get done within the next couple of hours.)
--
Ian Weller <ian(a)ianweller.org>
10 years, 7 months
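The denial quoted above, turned into the source of a local policy module that a configuration-management tool could ship (an added example, not from the original message; the module name `datagrepper_local` is hypothetical). It parses the AVC record and emits the kind of type-enforcement rule `audit2allow` would propose.

```python
import re

# The AVC record quoted in the message above.
AVC = (
    'node=10.5.126.67 type=AVC msg=audit(1380646727.079:916): avc: denied '
    '{ write } for pid=11948 comm="httpd" path="anon_inode:[eventfd]" '
    'dev=anon_inodefs ino=3660 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Extract permissions, source type, target type and class from a denial."""
    match = AVC_RE.search(line)
    if match is None:
        raise ValueError("not an AVC denial record")
    # A context is user:role:type:level; the type is the third field.
    return {
        "perms": sorted(match["perms"].split()),
        "source": match["scontext"].split(":")[2],
        "target": match["tcontext"].split(":")[2],
        "tclass": match["tclass"],
    }


def te_module(name, denials):
    """Render a .te policy module that allows exactly the parsed denials."""
    types = sorted({d["source"] for d in denials} | {d["target"] for d in denials})
    classes = {}
    for d in denials:
        classes.setdefault(d["tclass"], set()).update(d["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {d['source']} {d['target']}:{d['tclass']} "
            f"{{ {' '.join(d['perms'])} }};" for d in denials]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(te_module("datagrepper_local", [parse_avc(AVC)]))
```

The resulting rule lets `httpd_t` write to every `anon_inodefs_t` file, not only this eventfd, so review it before compiling it with `checkmodule` and `semodule_package` and loading it with `semodule`.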