Hey guys, so we talked about this... well, a long time ago and decided to
do it but it never got implemented. So I'm going to implement it now and
it's likely going to cause some people pain for now.
I'm going to set the default bash TMOUT value to 32400 (9 hours). If you
need to overwrite this, you can do it in your bashrc though it's
recommended that you not do that.
I'm going to add this to the security policy as this is a security
measure. I'll do it tomorrow morning so get ready.
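An added example, not part of the original message or of Fedora's tooling: a shell check that reads a bashrc-style file and reports whether it overrides TMOUT beyond the 32400-second default mentioned above. The function names and sample files are constructed for illustration, and only literal assignments are parsed.

```shell
#!/bin/bash
POLICY_TMOUT=32400   # the 9-hour default announced above

# Print the last TMOUT value a bashrc-style file sets: a number, "unknown"
# for a computed value, or "default" if the file never touches TMOUT.
# "unset TMOUT" and an empty assignment disable the timeout, reported as 0.
effective_tmout() {
    awk '
        { sub(/#.*/, "") }                      # crude comment strip
        /(^|[ \t;])unset[ \t]+TMOUT([ \t;]|$)/ { v = 0; seen = 1 }
        match($0, /(^|[ \t;])TMOUT=[^ \t;]*/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/.*TMOUT=/, "", s); gsub(/"/, "", s)
            v = (s ~ /^[0-9]+$/) ? s + 0 : (s == "" ? 0 : "unknown")
            seen = 1
        }
        END { print (seen ? v : "default") }
    ' "$1"
}

# Exit status: 0 = no override, or a timeout within policy;
#              1 = timeout disabled or longer than policy; 2 = cannot tell.
check_tmout() {
    local v
    v=$(effective_tmout "$1")
    case "$v" in
        default) return 0 ;;
        unknown) return 2 ;;
    esac
    [ "$v" -gt 0 ] && [ "$v" -le "$POLICY_TMOUT" ]
}

# Constructed sample files (not taken from any real account).
samples=$(mktemp -d)
printf 'export TMOUT=3600  # one hour\n' > "$samples/short"
printf 'TMOUT=86400\n'                   > "$samples/long"
printf 'TMOUT=600\nunset TMOUT\n'        > "$samples/disabled"
printf 'TMOUT=$((60*60))\n'              > "$samples/computed"
printf 'alias ll="ls -l"\n'              > "$samples/untouched"

for f in short long disabled computed untouched; do
    check_tmout "$samples/$f"; rc=$?
    printf '%-10s TMOUT=%-8s status=%s\n' "$f" "$(effective_tmout "$samples/$f")" "$rc"
done
```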
So I've added some suggested changes and would like to do this on the list
instead of on IRC. So here's what I propose:
1) I'd like everyone in a sysadmin* group to be compliant with this policy
as part of orientation for new members.
2) I'd like everyone who is already in a sysadmin* group to become
compliant with this standard by March 31st 2009. PLENTY of time to make
whatever changes you need to make.
3) We'll continue to refine this policy but never with the assumption that
everyone is immediately compliant. Notice will be given.
I'm working on finding permanent hosting for that, but for now
fedorapeople will work.
What do people think of having an Infrastructure-related FAD (Fedora
Activity Day)? Something more along the lines of a hackfest rather
than a barcamp style thing. Rel-Eng folks would be welcome too since
I'm sure buildsystem stuff will get discussed.
Having it in Chicago or the vicinity would be cool since Mike McGrath
and Dennis Gilmore are nearby (and I'm not that far off either). Or
if you really wanted to get crazy we could have it in Des Moines and
I'd be willing to take care of most of the legwork. I might even be
able to get some conference space at $DAYJOB for relatively little
cost (one bonus of this would be better-than-most-hotel wireless and
Timewise I'm thinking a Saturday in February...
Anyway, as long as it's no further from Des Moines than Chicago I'd
make a serious attempt to attend... (It's really sucked that I haven't
been able to get to a FUDCon).
"You know, I used to think it was awful that life was so unfair. Then
I thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe."
-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"
This isn't really required but it's my intention to implement these
policies (or what we come to after some discussion). This is targeted
_ONLY_ at this team and those with shell access to our servers. It's not
my intention to roll it out to the larger community, though it's certainly
a good idea for people to read through it.
Give these a read and think on them some. There's quite a bit there. I
understand that much of what is listed there is impossible to enforce, and
I certainly don't think we'll be at the point where I'm removing people
from groups who aren't following the policies but I'm hoping it won't come
to that. For now though I'm thinking the honor system.
I'm new to the environment but have exp with postfix @ $DAYJOB, so I
figure this might be something I can contribute to without sounding
too dumb, but if I do please take it easy. :)
>Currently all mail which goes through bastion (for example all
>@fedoraproject.org mail) then relays through mx.util.phx.redhat.com.
I'm not sure what bastion is but my question is why is the relay going
through mx.util.phx.redhat.com currently? I'm guessing bastion is the
host the @fedoraproject.org email is delivered on. (?) I can't find
mx.util.phx.redhat.com in public dns; is there an ACL on the zone or is
this an /etc/host entry? Is the relay to mx.util.phx.redhat.com done
via a relayhost entry in main.cf? Also, where does mail go after
mx.util.phx.redhat.com? I'm guessing there's another hop before the
internet because of the dns failure.
>Which are all redhat.com boxes. So our mail goes from there, to bastion
>to expand out the aliases we have (ultimately) then back to
>mx.util.phx.redhat.com to be relayed out to the rest of the world.
Back to mx.util.phx.redhat.com? Does it come from there or from the MX hosts?
>For various reasons mail bound from bastion to @redhat.com addresses
>probably needs to go through mx.util.phx.redhat.com, however, mail not
>bound for @redhat.com shouldn't have to.
Just curious as to the "various reasons" you mention here.
>I'm proposing using a postfix transport map which explicitly says:
I believe you could also remove the last line and if a relayhost is
used in main.cf comment it out. It should do the same thing since
postfix uses dns mx or A record for next hop delivery.
>So my question for all you nice people is:
>Can anyone see any problem with doing this? I've tested it out on a
>different mail server I take care of and it works fine.
I would wonder if this is needed at all? Why can't the redhat.com
domain go to the mx too? Just curious. As long as redhat.com isn't one
of bastion's postfix mydestination I would expect everything to still
work and be a much easier config to change or troubleshoot later. /me
likes things as simple as possible :-)
PS. Was there a meeting yesterday? I was planning on joining but had a
conf call scheduled and didn't see notes from the list.
In puppet when we add a new file, we use these lines in the .pp files:
source => 'puppet:///config/web/applications/FreeMedia-error.html',
whereas the actual location of the file (FreeMedia-error.html) is
[susmit@puppet1 puppet]$ find -name FreeMedia-error.html
So the source in the .pp file should be
Why this discrepancy? Just curious...
I've been trying to deploy rpmgrok (a Turbogears 1 app) behind
mod_wsgi, and finally figured out why mod_wsgi stopped working when I
added a WSGIProcessGroup directive (which avoids having to start a new
process per http request).
I know bpeck has had similar issues with his "beaker" code.
It was working on publictest14.fp.org, but not on my local workstation
(both RHEL-5 running mod_wsgi from EPEL).
Attempts to browse led to no response coming from httpd, and no log.
It turned out, I had mod_python installed on the box.
Upon disabling "LoadModule python_module modules/mod_python.so"
from /etc/httpd/conf.d/python.conf it worked.
Known issue? http://code.google.com/p/modwsgi/wiki/InstallationIssues
describes another mod_wsgi/mod_python incompatibility, but the symptoms
seem different.
Hope this helps
Debugging attempts led me to find "stuck" httpd threads waiting
forever for the global interpreter lock, presumably acquired by
mod_python elsewhere in the process:
#0 0x005bf402 in __kernel_vsyscall ()
#1 0x0018331e in sem_wait@GLIBC_2.0 ()
#2 0x01d97f3b in PyThread_acquire_lock ()
#3 0x01d74d57 in PyEval_RestoreThread ()
#4 0x01d9104f in PyGILState_Ensure () from /usr/lib/libpython2.4.so.1.0
#5 0x00c65785 in wsgi_start_process (p=0x918a550, daemon=0x92b91a8) at
#6 0x00c661b3 in wsgi_hook_init (pconf=0x918a550, ptemp=0x91b8608,
plog=0x91bc618, s=0x918c3f0) at mod_wsgi.c:8919
#7 0x00c27783 in ap_run_post_config (pconf=0x918a550, plog=0x91b8608,
#8 0x00c1311d in main (argc=152602056, argv=0x9281448)
grep mod_ /proc/$PID/maps
showed mod_python to be loaded.
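A reusable form of the maps check described in the message above, as an added example that is not part of the original post: it lists the Apache modules mapped into a process and flags the case where mod_python and mod_wsgi share one process. The function names and the sample maps content are constructed; on a live system, pass /proc/$PID/maps of an httpd process.

```shell
#!/bin/bash
# List the distinct Apache modules (mod_*.so) mapped into a process, given
# the path to its maps file. Field 6 of a maps line is the backing file;
# anonymous mappings have no field 6 and are skipped.
mapped_modules() {
    awk '{ n = split($6, p, "/"); if (n > 0 && p[n] ~ /^mod_.*\.so$/) print p[n] }' "$1" |
        sort -u
}

# Exit status 0 when both mod_python and mod_wsgi are mapped into the
# process, the combination the message above found on the affected box.
both_python_modules_loaded() {
    local mods
    mods=$(mapped_modules "$1")
    printf '%s\n' "$mods" | grep -qx 'mod_python\.so' &&
        printf '%s\n' "$mods" | grep -qx 'mod_wsgi\.so'
}

# Constructed sample maps content (addresses and inodes are made up).
both=$(mktemp); wsgi_only=$(mktemp)
cat > "$both" <<'EOF'
00110000-00125000 r-xp 00000000 fd:00 100001 /usr/lib/httpd/modules/mod_rewrite.so
00c11000-00c2a000 r-xp 00000000 fd:00 100002 /usr/lib/httpd/modules/mod_wsgi.so
00c2a000-00c2c000 rw-p 00018000 fd:00 100002 /usr/lib/httpd/modules/mod_wsgi.so
00d40000-00d63000 r-xp 00000000 fd:00 100003 /usr/lib/httpd/modules/mod_python.so
01d00000-01e10000 r-xp 00000000 fd:00 100004 /usr/lib/libpython2.4.so.1.0
09180000-092c0000 rw-p 09180000 00:00 0
EOF
grep -v mod_python "$both" > "$wsgi_only"

for f in "$both" "$wsgi_only"; do
    if both_python_modules_loaded "$f"; then
        echo "conflict: mod_python and mod_wsgi mapped in one process"
    else
        echo "ok: $(mapped_modules "$f" | tr '\n' ' ')"
    fi
done
```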
I'd like to get involved in the Fedora Infrastructure project, helping with
RHEL/Xen administration, network security, backups...
I have been running Linux for close to ten years, going from then-Mandrake
to Slackware, then Gentoo, CentOS and Fedora.
I know Bash, Python, C, and some Perl/PHP; and also LVM, squid, apache,
postfix, iptables/netfilter, bind, samba, and assorted apps like mailman
My day life gravitates between RHEL5/Xen and Cisco PIX and Catalyst
administration. I live in UTC+1/UTC+2.
My Freenode IRC nickname and FAS account are both fcami.