Freeze Break Request - Fixing Blocker Proposal in Blockerbugs App
by Tim Flink
A bug was filed the other day claiming that it was impossible to
propose bugs as FE or blockers in the blockerbugs app. I have a fix
ready that's already deployed to stg and I'd like to move it into prod.
After some triage today, it turns out that there were selinux denials
on httpd writing to a cookiefile which is required by python-bugzilla
and used as part of doing the actual proposal.
The fix is in three places:
- the package was modified to create a directory for the cookiefile
that has appropriate permissions and selinux context so that the
proposal works.
- the code was modified to have a better default cookie location when
the app is in production mode
code changes for these two changes are at:
https://git.fedorahosted.org/cgit/blockerbugs.git/commit/?id=be2a20b9c686...
These changes have been built as blockerbugs-0.3.0.3.1-1.el6 and are
in the infrastructure-testing repo
- the config file in puppet needs to be modified so that it is no
longer overriding the default cookie location
diff --git a/modules/blockerbugs/templates/blockerbugs-settings.py.erb
b/modules/blockerbugs/t index 8c33d6f..5b58b7a 100644
--- a/modules/blockerbugs/templates/blockerbugs-settings.py.erb
+++ b/modules/blockerbugs/templates/blockerbugs-settings.py.erb
@@ -3,7 +3,6 @@ SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://<%=
blockerbugs_app %>:<%= bl FAS_ADMIN_GROUP = "qa-admin"
FAS_USER = "<%= blockerbugs_fas_user %>@fedoraproject.org"
FAS_PASSWORD = "<%= blockerbugs_fas_password %>"
-BUGZILLA_COOKIE = "" # this should be blank for production
<% if environment == "staging" %>
FAS_HTTPS_REQUIRED = False
FAS_CHECK_CERT = False
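Review bot: removing the BUGZILLA_COOKIE override makes the app fall back to the new in-code default, which only works once blockerbugs-0.3.0.3.1-1.el6 (the build that creates the cookiefile directory with the right permissions and selinux context) is installed on prod; state that ordering in the request, or land the package update first, so a puppet run does not drop the override while the old package, with its old default location, is still installed. The hunk header (-3,7 +3,6) matches a single removed line, so the patch itself is consistent.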
Thanks,
Tim
10 years, 8 months
Freeze break request: /etc/init.d/httpd is not executable
by Aurelien Bompard
Hi there,
This is a trivial fix, on mailman01 the /etc/init.d/httpd script was
copied (hotfix) without setting the executable bit:
$ ls -l /etc/init.d/httpd
-rw-r--r-- 1 root root 3449 5 sept. 16:38 /etc/init.d/httpd
As a result Ansible can't start Apache.
This is my proposed one-liner fix:
--- a/tasks/apache.yml
+++ b/tasks/apache.yml
@@ -21,6 +21,7 @@
# install hash randomization hotfix
- name: hotfix - copy over new httpd init script
copy: src=$files/hotfix/httpd/httpd.init dest=/etc/init.d/httpd
+ owner=root group=root mode=0755
notify:
- restart apache
tags:
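Review bot: the added `owner=root group=root mode=0755` line is a continuation of the `copy:` key=value scalar on the line above, so it only parses if it is indented deeper than the `copy:` key; the diff as pasted has lost its indentation, so double-check the file before merging. The hunk header (-21,6 +21,7) is consistent with one added line, and since the mode is now part of the task, the next run applies it on every host carrying the hotfix, not only mailman01.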
Is it OK? Did anything depend on the previous behavior?
Aurélien
--
http://aurelien.bompard.org ~~~~~~ xmpp:aurelien@bompard.org
"Life is what happens to you while you're busy making other plans."
-- John Lennon
10 years, 8 months
2 factor authentication
by Pierre-Yves Chibon
Dear all,
We are in the process of implementing 2 factor authentication in our web
application.
We already have some code written [1], reviewed and which seems to be fine from a
code point of view, however there seems to be still some discussion as to the
approach we should take from a logic/design perspective.
I will try here to summarize the different approaches possible, with pros and cons.
/!\ summary might be a little long :)
1) Ask for password+2fa token
Login page:
___________________________________________________
| |
| Login: [____________________] |
| |
| Password + 2 fa: [____________________] |
| |
|___________________________________________________|
Mechanism:
Application sends login and password + 2 fa to the server, which allows or denies
the login.
+ This is the current approach we have on the systems
+ A single request sent to the server
+ Simple
+ Attackers have no way to know if someone activated 2 fa or not
- Confusing for users that do not have or do not know about 2 factor
authentication
- No possibility to know what is wrong (Missing 2fa, wrong password or clock
skew too large?)
2) Ask for password and 2fa
Login page:
___________________________________________________
| |
| Login: [____________________] |
| |
| Password: [____________________] |
| |
| 2 factor: [____________________] |
| |
|___________________________________________________|
Mechanism:
Application sends login and password and 2 fa to the server, which allows or denies
the login.
+ Still similar to the current approach we have (can be made to mimic 1))
+ Still only 1 request sent to the server
- Still confusing for users that do not know / do not have 2 fa
- Still no possibility to know if you set up 2 fa and forgot about it or
mistyped your password or the 2 fa system is broken (clock skew too big)
3) Ask for password, validate, then ask for 2 fa if set up
Login page:
___________________________________________________
| |
| Login: [____________________] |
| |
| Password: [____________________] |
| |
|___________________________________________________|
Then:
___________________________________________________
| |
| This account has 2fa activated: |
| |
| 2 factor: [____________________] |
| |
|___________________________________________________|
Mechanism:
Application sends login and password to the server, which validates them, then
asks for a 2 factor if set.
- At minimum 1 request sent to the server, more if 2 fa enabled
+ More user friendly as only the person with 2 fa enabled will have the 2 fa
token requested
+ You are able to know if you mistyped your password (which is also a -, see
below).
+ Attackers can brute force password, after that they might (or not) be blocked
by the requirement of 2fa.
4) Ask for password, check if user has 2 fa, ask for token, then validate.
Login page: see 3.1
Mechanism:
Application sends login and password to the server that checks if the user has
enabled 2 fa, if not authenticate user w/ login and password. If 2 fa enabled,
request 2 fa token and authenticate user w/ login, password and 2 fa token.
- At minimum 1 request sent to the server, more if 2 fa enabled
+ More user friendly as only the person with 2 fa enabled will have the 2 fa
token requested
+ You are able to know if you mistyped your password (which is also a -, see
below).
- Attackers are able to know if you have 2 fa set up or not, and thus can
target users that do not have it enabled.
5) Application knows if user has 2 fa enabled or not.
Login page:
___________________________________________________
| |
| Login: [____________________] |
|___________________________________________________|
Then:
___________________________________________________
| |
| |
| Password: [____________________] |
| |
| This account has 2fa activated: |
| |
| 2 factor: [____________________] |
| |
|___________________________________________________|
Mechanism:
The application has its own login/password to connect to FAS and retrieve the
information whether the user has 2 fa enabled or not.
+ User friendly
- Attacker directly knows if user has 2 fa enabled or not
- 2 requests sent to the server (always)
- Application has login/password to FAS
- You are not able to know why your login failed (unless we make the server say
so)
I think this summarizes the different approaches available.
There is a separate issue that we will need to decide upon as well at some
point, regarding the order in which we check a user is authenticated (wrt
session_id), but this is a separate issue for the moment.
So which way do we decide to go?
Cheers,
Pierre
10 years, 8 months
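The trade-off between approaches 1 and 4 in Pierre's summary, as an added example that is not part of the original thread: a minimal RFC 6238 TOTP verifier with a single-field login that returns one yes/no answer (approach 1) next to a stepwise login whose distinct replies disclose password validity and 2fa enrolment (approach 4). The user store, passwords and the RFC 6238 test-vector secret are constructed for the demo and assume nothing about FAS.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo user store: login -> (password, TOTP secret, or None when 2fa is off).
# The secret is the RFC 6238 test-vector seed, not a real credential.
USERS = {
    "alice": ("correct horse", b"12345678901234567890"),  # 2fa enabled
    "bob": ("hunter2", None),                             # no 2fa
}

def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time 'now'."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def _eq(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())

def login_combined(login: str, password_plus_token: str, now: Optional[int] = None) -> bool:
    """Approach 1: one field, one request, one yes/no answer. A wrong password,
    a missing token and a wrong token all get the same reply, so the response
    does not reveal whether the account has 2fa enabled."""
    now = int(time.time()) if now is None else now
    password, secret = USERS.get(login, ("", None))
    if secret is None:
        return bool(password) and _eq(password, password_plus_token)
    # Accept the previous and next 30 s step too, to tolerate small clock skew.
    return any(_eq(password + totp(secret, now + d * 30), password_plus_token)
               for d in (-1, 0, 1))

def login_stepwise(login: str, password: str, token: Optional[str] = None,
                   now: Optional[int] = None) -> str:
    """Approach 4: password first, token only for enrolled users. Friendlier,
    but the distinct replies disclose password validity and 2fa enrolment."""
    now = int(time.time()) if now is None else now
    stored, secret = USERS.get(login, ("", None))
    if not stored or not _eq(stored, password):
        return "bad_password"        # confirms or denies the password on its own
    if secret is None:
        return "ok"                  # login complete: caller learns 2fa is off
    if token is None:
        return "need_token"          # this reply alone tells the caller 2fa is on
    if any(_eq(totp(secret, now + d * 30), token) for d in (-1, 0, 1)):
        return "ok"
    return "bad_token"
```

The `now` parameter exists so the RFC test vectors can be checked with a fixed clock; in a real handler it is simply the current time.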
key.fpo index.html 2 patches
by Kévin Raymond
Hi,
With nirik we saw that the SKS url was incorrect; the first patch corrects
that.
The second patch corrects the css, as it does not respect the Fedora
colors[1]. There is a duplicate patch as I don't know which is best
(light or strong blue..)
0001-make-css-use-right-Fedora-colors-inverted is probably best..
[1] https://fedoraproject.org/wiki/Logo/UsageGuidelines#Colors
Cheers,
--
Kévin Raymond
(Shaiton)
10 years, 8 months
Plan for tomorrow's Fedora Infrastructure meeting (2013-09-05)
by Kevin Fenzi
The infrastructure team will be having its weekly meeting tomorrow,
2013-09-05 at 19:00 UTC in #fedora-meeting on the freenode network.
Suggested topics:
#topic New folks introductions and Apprentice tasks.
If any new folks want to give a quick one line bio or any apprentices
would like to ask general questions, they can do so in this part of the
meeting. Don't be shy!
#topic Applications status / discussion
Check in on status of our applications: pkgdb, fas, bodhi, koji,
community, voting, tagger, packager, dpsearch, etc.
If there are new releases, bugs we need to work around or things to note.
#topic Sysadmin status / discussion
Here we talk about sysadmin related happenings from the previous week,
or things that are upcoming.
#topic Upcoming Tasks/Items
https://apps.fedoraproject.org/calendar/list/infrastructure/
#topic Open Floor
Submit your agenda items, as tickets in the trac instance and send a
note replying to this thread.
More info here:
https://fedoraproject.org/wiki/Infrastructure/Meetings#Meetings
Thanks
kevin
10 years, 8 months
Meeting Agenda Item: Re-Introduction Ausmarton Fernandes
by Ausmarton Fernandes
Hi,
This is Ausmarton Fernandes, I was a member of fi-apprentice for about 8
months until July when I left the group since I felt I was not able to find
enough time to be useful here. Anyway, this is my re-introduction.
I work as a developer/technical lead at PTC India. Although development is
my day job, I like devops and sysadmin stuff, and that's the area that
interests me here in fedora infrastructure.
Last time I was here, I heard about ansible, and I found it very
interesting, and over the last couple of months I have got to know a lot
about it. I do a bit of python programming as well. So, I'm looking forward
to contributing in these areas.
My IRC nickname is: ausmarton
Country: India
Regards,
Ausmarton Fernandes
10 years, 8 months
freeze break request: adjust builder yum repos
by Kevin Fenzi
While working on the rsyslog issue earlier I ran into an issue with yum
on the builders. It's not able to hit the mirrorlist default url and
then can't hit the mirror it gets.
This fix is to correct that. It sets the repos to point to infrastructure
directly instead of mirrorlists and installs those repos on fedora machines.
kevin
--
diff --git a/tasks/yumrepos.yml b/tasks/yumrepos.yml
index e8ad472..2cd791f 100644
--- a/tasks/yumrepos.yml
+++ b/tasks/yumrepos.yml
@@ -1,6 +1,6 @@
---
-- name: put repos on system
+- name: put rhel repos on system
action: copy src=$files/common/$item dest=/etc/yum.repos.d/$item
with_items:
- epel6.repo
@@ -10,6 +10,17 @@
- config
- packages
+- name: put fedora repos on system
+ action: copy src=$files/common/$item dest=/etc/yum.repos.d/$item
+ with_items:
+ - fedora.repo
+ - fedora-updates.repo
+ - fedora-updates-testing.repo
+ only_if: '$is_fedora'
+ tags:
+ - config
+ - packages
+
- name: add infrastructure repo
action: copy src=$files/common/$item dest=/etc/yum.repos.d/$item
with_items:
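Review bot: the new task is gated with `only_if: '$is_fedora'`, but the renamed `put rhel repos on system` task above it has no matching guard, so Fedora builders will still receive epel6.repo; add the inverse condition there, or confirm that `$is_fedora` is defined for every host in this play (it is not set anywhere in this patch). Also, in the fedora.repo file this task installs (shown below), the `[fedora]` section has `gpgcheck=0` while every other section has `gpgcheck=1`, and the baseurl is plain http to infrastructure.fedoraproject.org; since this change moves the builders off metalinks onto that URL, set `gpgcheck=1` there too so base packages are still signature-verified.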
[kevin@lockbox01 ansible (master)]$ cat files/common/fedora-updates-testing.repo files/common/fedora-updates.repo files/common/fedora.repo
[updates-testing]
name=Fedora $releasever - $basearch - Test Updates
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/...
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-testing-debuginfo]
name=Fedora $releasever - $basearch - Test Updates Debug
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/...
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-debug-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-testing-source]
name=Fedora $releasever - Test Updates Source
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/...
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-testing-source-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates]
name=Fedora $releasever - $basearch - Updates
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/...
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-debuginfo]
name=Fedora $releasever - $basearch - Updates - Debug
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/...
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-debug-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[updates-source]
name=Fedora $releasever - Updates Source
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/updates/...
#metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-source-f$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[fedora]
name=Fedora $releasever - $basearch
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases...
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases...
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
[fedora-source]
name=Fedora $releasever - Source
failovermethod=priority
baseurl=http://infrastructure.fedoraproject.org/pub/fedora/linux/releases...
#metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-source-$releasever&arch=$basearch
enabled=0
metadata_expire=7d
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
10 years, 8 months
Freeze break request (retroactive)
by Patrick マルタインアンドレアス Uiterwijk
Hi,
Per request of tflink, I have added next-line and filename entries for
virt15-18.qa for his beaker setup, only to remember we are in freeze
afterwards.
Could I get retroactive +1's?
Thanks,
Patrick
10 years, 8 months
freeze break (simple): update fedora-magazine alias
by Kevin Fenzi
Pretty simple change... for ticket
https://fedorahosted.org/fedora-infrastructure/ticket/3979
+1s?
kevin
--
diff --git a/configs/system/smtp/aliases.template.erb
b/configs/system/smtp/aliases.template.erb index 9ada660..ec44cec 100644
--- a/configs/system/smtp/aliases.template.erb
+++ b/configs/system/smtp/aliases.template.erb
@@ -173,7 +173,7 @@ census: npmccallum,kevin,toshio,ianweller,tflink
# User for openshift fedora-status instance
fedora-status: kevin,codeblock,puiterwijk
# User for openshift fedora magazine wordpress instance.
-fedora-mag-admin: kevin,duffy
+fedora-mag-admin: kevin,duffy,chrisroberts,mitzie
endoflife: triage(a)lists.fedoraproject.org
# Amazon cloud account, ticket #1903
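Review bot: the neighbouring `# Amazon cloud account, ticket #1903` line shows this file's convention of recording the ticket in the comment; add ticket 3979 to the `# User for openshift fedora magazine wordpress instance.` comment so the two added recipients stay traceable. The hunk header (-173,7 +173,7) is consistent with a one-line replacement.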
10 years, 8 months