[Fedora-infrastructure-list] Log from today's meeting - 2006-07-20

Elliot Lee sopwith at redhat.com
Thu Jul 20 22:07:31 UTC 2006


Here it is. 

Thanks to everyone who made it out!
-- Elliot
Jul 20 16:00:52 <Sopwith>	It looks like there are a good bunch of us here, so let's get started.
Jul 20 16:00:56 <mspevack>	skvidal: yeah, i just got on the list yesterday :-P
Jul 20 16:01:03 <skvidal>	gregdek: I think the last one we had continued the words 'retarded half wit'
Jul 20 16:01:05 <mspevack>	skvidal: i decided that I needed more email :-)
Jul 20 16:01:25 <skvidal>	mspevack: you should always read ALL the recent archives before joining a list, of course ;)
Jul 20 16:01:38 *	mspevack hangs his head in shame
Jul 20 16:01:46 <skvidal>	:)
Jul 20 16:01:48 <mspevack>	the funny thing is I wrote that email last week
Jul 20 16:01:55 <mspevack>	and it didn't get through moderation until today, it looks like
Jul 20 16:02:02 <mspevack>	it's timestamped the 14th
Jul 20 16:02:04 <Sopwith>	Yea, because you weren't a member when you wrote it.
Jul 20 16:02:12 <Sopwith>	I just noticed it today when I was going through the queue.
Jul 20 16:02:27 <mspevack>	*nod*
Jul 20 16:02:33 <Sopwith>	OK, let's get cracking on this TODO list and see where we are.
Jul 20 16:02:36 <mmcgrath>	For the new people: http://fedoraproject.org/wiki/Infrastructure/Schedule <- That's the basic agenda for the meetings.
Jul 20 16:03:30 <Sopwith>	ongoing stuff - I know rordway is working through tons of tickets (thanks!), and I think xdamox was applying updates recently, so are we good there?
Jul 20 16:03:49 <xDamox>	yea
Jul 20 16:03:59 <Sopwith>	Cool
Jul 20 16:04:00 <rordway>	yep
Jul 20 16:04:03 <xDamox>	I apply all updates from RHN when I am notified
Jul 20 16:04:17 <Sopwith>	xdamox: Did you fix proxy2 to get kernel updates?
Jul 20 16:04:30 <xDamox>	Not yet, I'll do it now
Jul 20 16:04:34 <Sopwith>	ok
Jul 20 16:04:48 <xDamox>	my Inet has been soooo slow today :(
Jul 20 16:05:17 <Sopwith>	doh, that's no good. Type more slowly :)
Jul 20 16:05:31 <Sopwith>	OK, while he does that, the first task - dgilmore & skvidal on the minimal buildroots.
Jul 20 16:05:41 <skvidal>	Sopwith: we need to upgrade the boxes
Jul 20 16:05:50 <mmcgrath>	did you guys decide on FC5?
Jul 20 16:05:52 <skvidal>	the builders are all over the map as to what they have installed
Jul 20 16:06:05 <skvidal>	I think FC5 would be reasonably sensible but I'm open to rhel4 on them, as well.
Jul 20 16:06:09 <Sopwith>	skvidal: OK. Do you have everything you need to do that?
Jul 20 16:06:32 <skvidal>	Sopwith: I need time :) - it might be best if dgilmore does it
Jul 20 16:06:46 <Sopwith>	dgilmore: Do you have everything you need to do the upgrades?
Jul 20 16:06:57 <skvidal>	the only thing we have to keep in mind is restoration of the ssl keys for plague AFTER the upgrades are done
Jul 20 16:07:18 <Sopwith>	Should those keys be stored in fedora-config cvs?
Jul 20 16:07:27 <skvidal>	umm - how secure is that?
Jul 20 16:07:31 <skvidal>	they're ssl keys
Jul 20 16:07:40 <skvidal>	I'm a little worried about them being visible anywhere, of course
Jul 20 16:08:00 <Sopwith>	It's a private CVS repo on lockbox that relatively few people have access to.
Jul 20 16:08:12 <skvidal>	okay
Jul 20 16:08:41 <Sopwith>	I've had the cvs & admin ssl keys in there for a while, so this would be consistent.
Jul 20 16:08:51 <skvidal>	that sounds fine to me, then.
Jul 20 16:09:39 <skvidal>	dgilmore: ping me on whatever you need, if you're interested in handling this
Jul 20 16:10:16 <skvidal>	Sopwith: if you want to leave that one assigned to both of us that'd be fine
Jul 20 16:10:19 <warren>	back
Jul 20 16:10:20 <Sopwith>	OK, will do
Jul 20 16:10:34 <Sopwith>	pasqual?
Jul 20 16:10:38 <pasqual>	hello
Jul 20 16:10:44 *	iWolf wanders in from team meeting
Jul 20 16:10:51 <Sopwith>	pasqual: So I remember seeing an e-mail from you this past week - thank you!
Jul 20 16:11:04 <pasqual>	Sopwith: thanks
Jul 20 16:11:22 <Sopwith>	pasqual: Am I correct in thinking that the next step is to get that page posted as the admin.fedoraproject.org homepage?
Jul 20 16:11:26 <pasqual>	Sopwith: I have done the draft, now there are some questions
Jul 20 16:11:30 *	mmcgrath will be in and out for a bit, kitchen sink is leaking.
Jul 20 16:11:34 <Sopwith>	OK, questions
Jul 20 16:11:51 <pasqual>	Sopwith: yes, correct, that was one question
Jul 20 16:11:58 <Sopwith>	ahah ok
Jul 20 16:11:59 <pasqual>	ok
Jul 20 16:12:23 <pasqual>	I have seen that you use a cvs
Jul 20 16:12:34 <pasqual>	for keeping all the web content
Jul 20 16:12:43 <pasqual>	should this page go to the cvs?
Jul 20 16:12:55 <--	daMaestro has quit (Nick collision from services.)
Jul 20 16:13:09 -->	daMaestro (n=jon at fedora/damaestro) has joined #fedora-admin
Jul 20 16:13:15 <Sopwith>	There is more than one cvs repository. cvs.fedoraproject.org:/cvs/fedora module 'web' is the content for fedora.redhat.com, but that's not the right place.
Jul 20 16:13:27 <pasqual>	I think that I need some kind of privilege to have write access to it
Jul 20 16:13:38 <pasqual>	ok
Jul 20 16:13:41 <Sopwith>	Maybe we need to set up an entirely new cvs repo for the content on admin.fedoraproject.org - currently there isn't much of one...
Jul 20 16:13:52 <pasqual>	but that's the fedoraproject main page
Jul 20 16:14:05 <pasqual>	must this go to the same place?
Jul 20 16:14:44 <Sopwith>	Right - we don't want this page of yours to go up in the same place, so I think it would work better to have a separate CVS repository just for admin.fedoraproject.org and other small/secondary Fedora web sites
Jul 20 16:14:49 <pasqual>	that's an option
Jul 20 16:14:55 <mmcgrath>	we *could* just use the wiki and have admin.fedoraproject.org/ proxypass to it.
Jul 20 16:15:23 <Sopwith>	Hmm, I dunno.
Jul 20 16:15:43 *	Sopwith wishes for the plone deployment to be finished.
Jul 20 16:15:58 <mmcgrath>	I think thats still quite a ways out.
Jul 20 16:16:33 <daMaestro>	i'd like to get in the mix of getting plone deployed
Jul 20 16:16:33 <skvidal>	Sopwith: so do I
Jul 20 16:16:43 <skvidal>	daMaestro: talk to the website folks
Jul 20 16:16:48 <Sopwith>	damaestro: nman64 is the guy to talk to
Jul 20 16:16:55 <mmcgrath>	#fedora-websites
Jul 20 16:17:06 <daMaestro>	thanks.. i will
Jul 20 16:17:09 <daMaestro>	so what is the deal with ldap?
Jul 20 16:17:11 <Sopwith>	So for now, we could use the wiki and proxypass it, or we could just set up a 'other-web' module in /cvs/fedora and start pushing that out as the main content for admin.fedoraproject.org, webtest.fedoraproject.org, and others.
Jul 20 16:17:52 <pasqual>	that second option can do the job
Jul 20 16:17:52 <pasqual>	well .....
Jul 20 16:17:52 <pasqual>	I like the second
Jul 20 16:17:52 <pasqual>	what do you think?
Jul 20 16:17:55 <Sopwith>	pasqual: You're going to be doing the actual work, so, how do you want it to be done? :)
Jul 20 16:18:08 <Sopwith>	OK...
Jul 20 16:18:52 <Sopwith>	pasqual: I'll work on it later and e-mail you with info.
Jul 20 16:18:58 <daMaestro>	s/deal with/status of/
Jul 20 16:19:24 <Sopwith>	damaestro: Good question to talk about, but first there are a few other items.
Jul 20 16:19:28 <mmcgrath>	daMaestro: we'll get there, we're not that far on the schedule
Jul 20 16:19:35 <pasqual>	I need editgroup privilege to put the web in the wiki, I think?
Jul 20 16:19:35 <pasqual>	Sopwith: the wiki is ok for me
Jul 20 16:19:35 <xDamox>	Sopwith, kernels updated on proxy2
Jul 20 16:19:35 <pasqual>	Sopwith: the last question was where is nagios
Jul 20 16:19:35 <xDamox>	Has db1 been reinstalled?
Jul 20 16:19:38 <daMaestro>	ok.. sorry.. i will keep quite until then.
Jul 20 16:19:40 <Sopwith>	xdamox: Cool
Jul 20 16:19:43 <daMaestro>	quiet*
Jul 20 16:19:48 <pasqual>	Sopwith: I have not found information for them in the wiki
Jul 20 16:19:50 <mmcgrath>	pasqual: https://admin.fedoraproject.org/nagios/
Jul 20 16:20:04 <pasqual>	thanks mmcgrath
Jul 20 16:20:15 <Sopwith>	damaestro: Schedule page is at http://fedoraproject.org/wiki/Infrastructure/Schedule if you want to follow along
Jul 20 16:20:22 <daMaestro>	thank you
Jul 20 16:20:23 <iWolf>	xDamox: kernel update, rebooted too?
Jul 20 16:20:40 <xDamox>	I ain't rebooted it, I'll do it now tho
Jul 20 16:20:46 <iWolf>	xDamox: db1 is on hold till we get the second DB server.
Jul 20 16:21:05 <xDamox>	ok, just updated it anyways
Jul 20 16:21:09 <iWolf>	xDamox: Then we will sort of swing server it and end up with replication/clustered dbs by the end.
Jul 20 16:21:35 <xDamox>	:) cool
Jul 20 16:21:37 <Sopwith>	iwolf: mdomsch said he got all the specs from mmcgrath and is just waiting on final budget approval. mspevack is going to be receiving the machine and will find someone to get it set up and shipped to PHX
Jul 20 16:21:48 <mspevack>	woohoo
Jul 20 16:21:55 <iWolf>	Sopwith:  Sounds great!  :)
Jul 20 16:21:56 <Sopwith>	I don't know when Stacy is going to PHX next, and when the Dell box will arrive, so we could be waiting a while yet.
Jul 20 16:22:10 *	xDamox Rebooting proxy2
Jul 20 16:22:15 <dgilmore>	Sopwith: sorry got called out of office.  I will need whatever access is needed to do the reinstalls
Jul 20 16:22:51 <Sopwith>	Fortunately, with bastion upgraded, I think the only upgrades left are the build systems (dgilmore), and db1.
Jul 20 16:23:27 <dgilmore>	Sopwith: im happy to do the builders upgrades
Jul 20 16:23:38 <Sopwith>	dgilmore: OK, cool.
Jul 20 16:24:11 <Sopwith>	dgilmore: I'll assume skvidal is ok with adding you to the sysadmin-build group - that should give you all the access you need except for the passwords for the power switches and consoles.
Jul 20 16:24:29 <skvidal>	Sopwith: yes, I'm cool w/that
Jul 20 16:25:00 <Sopwith>	dgilmore: The powerpc machines are kind of funky to work with, we'll have to talk later about the details.
Jul 20 16:25:12 <dgilmore>	Sopwith: ok
Jul 20 16:25:25 <Sopwith>	dgilmore: ping me after and I'll get you all the details :)
Jul 20 16:25:27 <skvidal>	dgilmore: you're 'ausil' right?
Jul 20 16:25:30 <dgilmore>	are the plague and mock configs  kept in cvs somewhere?
Jul 20 16:25:35 <dgilmore>	skvidal: uep  thats me
Jul 20 16:25:41 <dgilmore>	yep  even
Jul 20 16:25:47 <skvidal>	dgilmore: no they're not in cvs that I know of
Jul 20 16:25:48 <xDamox>	proxy2 is back up
Jul 20 16:25:58 <skvidal>	best making a tarball of /etc on those boxes before the reinstall
Jul 20 16:26:01 <Sopwith>	dgilmore: They should be in fedora-config (if they're not, they can be put there)
Jul 20 16:26:25 <mmcgrath>	They and a lot of configs have gotten out of sync as of late with whats in fedora-config
Jul 20 16:26:54 <dgilmore>	good time to make sure they're right
Jul 20 16:27:04 -->	abompard (n=gauret at vol75-3-82-66-216-165.fbx.proxad.net) has joined #fedora-admin
Jul 20 16:27:09 <skvidal>	mmcgrath: indeed
Jul 20 16:27:09 <Sopwith>	bleah :-\ It's a key recovery & tracking mechanism. dgilmore will probably find all the problems when he reinstalls :)
Jul 20 16:27:10 <dgilmore>	im assuming it would be good to put the old ssh keys back on builders  as well
Jul 20 16:27:23 <Sopwith>	dgilmore: not a biggie, but it can't hurt
Jul 20 16:27:26 <abompard>	I'm late, sorry
Jul 20 16:27:52 <skvidal>	dgilmore: you've been added to sysadmin-build
Jul 20 16:27:53 <Sopwith>	abompard: Heya, welcome
Jul 20 16:28:01 <Sopwith>	lmacken! tell us about firewalls please!
Jul 20 16:28:01 <dgilmore>	skvidal: :)  thanks
Jul 20 16:28:16 <lmacken>	k
Jul 20 16:28:20 <lmacken>	I wrote a Makefile and an RPM for pyroman.  Also, I rewrote a lot of the configuration and integrated it into our fedora-config module, which I've currently deployed to proxy.live.
Jul 20 16:28:28 <lmacken>	I also tossed up some info and deployment status on InfrastructurePrivate/Firewall.
Jul 20 16:28:33 <lmacken>	At the moment, only proxy4 is armed.  I'm going to be doing a bunch more testing/configuration in the next day or so, then deploy it to the rest of our proxy servers.
Jul 20 16:28:41 <lmacken>	Any preference as to which group of systems I start with after I'm done with proxy[1-4] ?
Jul 20 16:29:10 <Sopwith>	not from me...
Jul 20 16:29:22 <lmacken>	ok.. well, what isn't getting rebuilt any time soon ? :)
Jul 20 16:29:27 <Sopwith>	There are two app servers, so you have room to mess up on one of them if you want to try them next.
Jul 20 16:29:38 <mmcgrath>	the app servers would be a good next start.
Jul 20 16:29:40 <lmacken>	ok, cool.. i'll hit up app[1-2] next :)
Jul 20 16:30:10 <Sopwith>	Nice work.
Jul 20 16:30:26 <Sopwith>	Hey, your name is on the next item as well - TG packaging.
Jul 20 16:30:42 <lmacken>	on to TurboGears..
Jul 20 16:30:44 <lmacken>	ConfigObj, Paste, and SimpleJSON made it through the extras review process so far.  I'm still waiting on PasteScript and PasteDeploy.  Once completed, I'll need to bump sqlobject and formencode, and pull Turbo{Json,Cheetah,Kid} out of the TurboGears package.
Jul 20 16:30:48 <lmacken>	I'd say another week or so until we have 0.9a6 in devel.
Jul 20 16:31:09 <abompard>	lmacken: I'll review the rest
Jul 20 16:31:24 <lmacken>	abompard: thanks :)
Jul 20 16:31:33 <abompard>	that is, if nobody beats me to it :)
Jul 20 16:31:41 <lmacken>	i think someone might have, but i'm not sure
Jul 20 16:31:51 <lmacken>	i've been getting a constant stream of review emails.. hard to keep track of
Jul 20 16:32:08 <abompard>	yeah, that's only sign of FE's good health :)
Jul 20 16:32:25 <lmacken>	very true
Jul 20 16:32:42 <Sopwith>	Sounds good to me.
Jul 20 16:33:26 <Sopwith>	Next item is documentation
Jul 20 16:34:50 <skvidal>	::crickets::
Jul 20 16:35:02 <Sopwith>	I'm going to be taking a leave of absence starting in a week and a half and not being around very much.
Jul 20 16:35:05 <Sopwith>	 No is a very good time to start asking me to document things you all need to keep things running.
Jul 20 16:35:07 <Sopwith>	err now
Jul 20 16:35:22 <mmcgrath>	hah
Jul 20 16:35:32 <mmcgrath>	My biggest issue is still access from time to time.
Jul 20 16:35:56 <mmcgrath>	I need to get a network diagram together at the very least and stick it on the wiki
Jul 20 16:36:23 <Sopwith>	Does the systems list not have that info?
Jul 20 16:36:26 <iWolf>	I still fight that silly console on a semi regular basis. Since that works for mmcgrath these days, probably more an issue on my end.
Jul 20 16:36:37 <mmcgrath>	Actually it is pretty close.
Jul 20 16:38:05 <Sopwith>	OK, well, this week is "pick sopwith's brain week" if you feel so inclined.
Jul 20 16:38:09 <Sopwith>	Backups!
Jul 20 16:38:15 <Sopwith>	backuppc package?
Jul 20 16:38:30 <mmcgrath>	its up, dgilmore's testing it.  We've got a couple of changes to make.
Jul 20 16:39:19 <mmcgrath>	right now we're just thinking about adding backuppc's public key under root on the boxes with a host restriction of the backup machine.
Jul 20 16:39:39 <Sopwith>	ok
Jul 20 16:39:44 <mmcgrath>	Once its up all backups will be automated and all restores can be done via the web-interface.
Jul 20 16:40:19 <Sopwith>	Sounds convenient & dangerous :)
Jul 20 16:40:25 <Sopwith>	So is the backuppc package done, or still under review?
Jul 20 16:40:35 <mmcgrath>	lil bit.  still under review but close.
Jul 20 16:41:22 <Sopwith>	OK, so packaging is well along, and you've already gotten into thinking about deployment, cool.
Jul 20 16:41:43 <mmcgrath>	as for the free servers, we've already gone over that.  I'll move it to done.
Jul 20 16:41:51 <mmcgrath>	actually I'll update the status
Jul 20 16:41:56 <Sopwith>	don't do it just yet
Jul 20 16:42:03 *	Sopwith is editing the page with all these changes mentioned.
Jul 20 16:42:18 <Sopwith>	Max will be getting the servers so he will be the person who has the next update for that item.
Jul 20 16:42:37 <mmcgrath>	haahaahha oops
Jul 20 16:42:38 -->	daMaestro|isBack (n=jon at fedora/damaestro) has joined #fedora-admin
Jul 20 16:42:42 <mmcgrath>	too late.  just overwrite mine.
Jul 20 16:42:48 <mspevack>	Sopwith: works4me
Jul 20 16:43:01 <Sopwith>	rordway: anything you want to say about metrics?
Jul 20 16:43:04 <Sopwith>	Metrics are cool? :)
Jul 20 16:43:26 <Sopwith>	It's OK if you want to just punt on that for now - I know you've gotten involved with the ticketing system a fair bit.
Jul 20 16:43:45 <Sopwith>	Let's just keep the status page updated so others know what needs doing and by who.
Jul 20 16:43:47 <rordway>	Sopwith: yeah, I think for now I'll pass
Jul 20 16:44:08 <rordway>	I might be able to do some data gathering scripts when I get time
Jul 20 16:44:21 <Sopwith>	OK
Jul 20 16:44:25 <Sopwith>	I noticed cacti was up though
Jul 20 16:44:31 <rordway>	is there a list of data sources we want to be grabbing?
Jul 20 16:44:36 <Sopwith>	That is a cool thing, even if I am a few weeks behind the curve! :)
Jul 20 16:44:39 <mmcgrath>	Yeah, thats just waiting on further net-snmp installs and proper firewall configs.
Jul 20 16:44:47 <Sopwith>	rordway: yea, there's a list in the fedora-metrics module
Jul 20 16:44:59 <Sopwith>	rordway: fedora-metrics/fedora-metrics.txt
Jul 20 16:45:15 <rordway>	k, will take a look
Jul 20 16:45:43 <rordway>	Sopwith: oh yeah, I can take a stab at some of those
Jul 20 16:45:49 <rordway>	might be a few weeks though
Jul 20 16:45:56 <Sopwith>	Cool, NP
Jul 20 16:46:30 <Sopwith>	jcmoore: Were you by chance looking for something to hack on while you wait for the new db server to show up? :)
Jul 20 16:47:11 <Sopwith>	Figured it wouldn't hurt to ask :)
Jul 20 16:47:37 <Sopwith>	skvidal: Is there anything we need to know about the overall status of your very cool mirrors.fedoraproject.org? How much more is there to be done?
Jul 20 16:47:47 <rordway>	Sopwith: who would I talk to about the various data sources listed? just send something out on f-i-l?
Jul 20 16:47:56 <skvidal>	I need to check the configs into config-cvs for the mirror they're on
Jul 20 16:48:01 <skvidal>	but afaict it's running and done
Jul 20 16:48:01 <xDamox>	dammit got to shoot, everyone I have just sent an email on the mailing list about the hardware tracker please take a look and reply
Jul 20 16:48:14 <skvidal>	I fixed a bunch of bugs for people last week and then it appears to be doing the right thing
Jul 20 16:48:15 <xDamox>	with suggestions if you have any
Jul 20 16:48:19 <Sopwith>	xdamox: Cool, thanks!
Jul 20 16:48:24 <jcmoore>	Sopwith: maybe, depends on what it entails :)
Jul 20 16:48:26 <Sopwith>	xdamox: See you later.
Jul 20 16:48:31 <xDamox>	c ya
Jul 20 16:48:40 <Sopwith>	rordway: I can tell you where to get the data for all of those.
Jul 20 16:49:07 <skvidal>	if there's anything else that needs doing - let me know
Jul 20 16:49:08 <rordway>	Sopwith: cool, you can e-mail me off-list after the meeting if you want
Jul 20 16:49:18 <skvidal>	I sent the configs to f13 for use in fedora-release
Jul 20 16:49:26 <skvidal>	so I think it is ready to roll.
Jul 20 16:49:35 <Sopwith>	rordway: OK, and I'll cc jcmoore so he knows what is going on at least :)
Jul 20 16:49:37 <skvidal>	unless someone wants to put the info on more than one server for redundancy
Jul 20 16:49:43 <rordway>	ok, cool
Jul 20 16:50:21 <Sopwith>	skvidal: Cool, it'll be neat to see it in use for the next test release.
Jul 20 16:50:23 <rordway>	do we need a mirror list of mirror lists? :-)
Jul 20 16:50:32 <Sopwith>	nah, one is enough
Jul 20 16:50:43 <dgilmore>	skvidal: i have a domainname  i can donate  if you want it  fedoramiiror.net
Jul 20 16:50:50 <skvidal>	actually I believe the code does the right thing
Jul 20 16:50:56 <Sopwith>	But if you want redundancy, we can have the PHX web servers serve the same stuff.
Jul 20 16:50:56 <dgilmore>	skvidal: thats fedoramirror.net
Jul 20 16:50:56 <skvidal>	so if the upstream mirrorlist goes away
Jul 20 16:51:12 <skvidal>	it won't overwrite the current files with nothing
Jul 20 16:51:18 <skvidal>	Sopwith: I thought they couldn't call out?
Jul 20 16:51:29 <mmcgrath>	I need to get ahold of stacy to find out how to get to www.redhat.com from inside the phx colo.
Jul 20 16:51:36 *	mmcgrath emails now...
Jul 20 16:52:00 <Sopwith>	skvidal: They can call out if we set up the on-host firewalls correctly.
Jul 20 16:52:08 <Sopwith>	skvidal: Talk to lmacken about that :)
Jul 20 16:52:56 <Sopwith>	OK, the only other item I think we have time for (or updates to give for) is the account system.
Jul 20 16:53:05 <Sopwith>	lyz, are ya here?
Jul 20 16:53:16 <mmcgrath>	Sopwith: the problem was with www.redhat.com and how it resolved.
Jul 20 16:53:16 <lyz>	yup
Jul 20 16:53:31 <mmcgrath>	I even disabled iptables and got the same issues.  I suppose I could setup a hosts file.
Jul 20 16:54:04 <Sopwith>	mmcgrath: Hmm, that makes sense. Do we need to be able to retrieve www.redhat.com content from the proxy systems?
Jul 20 16:54:26 <Sopwith>	lyz: So if you had to summarize the LDAP back-and-forth from the past week, what would you say?
Jul 20 16:54:38 <lyz>	that we are inconclusive
Jul 20 16:54:43 <Sopwith>	lol
Jul 20 16:55:16 <lyz>	everyone has a differing opinion
Jul 20 16:55:41 <rordway>	:-)
Jul 20 16:55:42 <mmcgrath>	actually it needs fedora.redhat.com
Jul 20 16:55:43 <iWolf>	Score Card...  http://fedoraproject.org/wiki/Infrastructure/AccountSystem2/LDAPvsSQL  :)
Jul 20 16:56:04 <rordway>	it sounds reasonable to me to go with an LDAP interface with a SQL back-end
Jul 20 16:56:06 <Sopwith>	lyz: Are you willing to start on the actual coding for the account system?
Jul 20 16:56:24 <lyz>	I'm willing to write some code, but need some direction
Jul 20 16:56:35 <mmcgrath>	both resolve to the same IP though.
Jul 20 16:56:56 <lyz>	I've been looking at the current SQL schema
Jul 20 16:57:25 <Sopwith>	Cool. Does it mostly make sense?
Jul 20 16:57:40 <lyz>	yeah, it's pretty simple.  There's not much in there
Jul 20 16:58:15 <Sopwith>	I know for v2, we'd at least need to add a table to map accounts to emails, and also rework the group membership stuff so that one group can be a member of another group.
Jul 20 16:58:45 <lyz>	I will work on getting that done
Jul 20 16:59:27 <Sopwith>	lyz: Ultimately, my advice is to make a decision on LDAP vs SQL (even if it's the wrong one) because you're the one that's actually doing something about it.
Jul 20 16:59:30 <abompard>	I'd like to help, will you work on a public repo ?
Jul 20 16:59:53 <Sopwith>	If you're wrong about the backend, you'll find out eventually and fix it.
Jul 20 17:00:16 <lyz>	ok, at this point I don't see a benefit to LDAP
Jul 20 17:00:39 <mmcgrath>	lyz: uhhhh,
Jul 20 17:00:40 <abompard>	we can start with SQL, so we don't need to write the LDAP schema right now
Jul 20 17:01:26 <mmcgrath>	Here's my hangup.  It seems like all the people that don't get LDAP have just never used it.
Jul 20 17:02:05 <abompard>	it's true that the whole problem of groups containing groups would be easily solved with LDAP
Jul 20 17:02:08 <mmcgrath>	We wouldn't have to write the LDAP schema, the default schema supports most of what we want to do.
Jul 20 17:02:58 <Sopwith>	mmcgrath: I want to argue with you for many moons about this, but ultimately, it has to be up to the people doing the work, otherwise we'll never get anything done.
Jul 20 17:03:15 <lyz>	mmcgrath, please email me your thoughts
Jul 20 17:03:15 <Sopwith>	And I trust that if he's wrong, he'll be willing to admit it.
Jul 20 17:03:19 <abompard>	OK, lyz if you don't know ldap well, how about letting me do a kind of "ldap plugin" ?
Jul 20 17:03:24 <Sopwith>	mmcgrath: Besides, you're WRONG :)
Jul 20 17:03:30 <lyz>	abompard, sure
Jul 20 17:03:32 <abompard>	I do know ldap decently
Jul 20 17:03:54 <Sopwith>	abompard: Cool
Jul 20 17:03:58 <mmcgrath>	I'd feel better about this if someone would tell me when, besides the current system, anyone here has ever used a custom sql instance with custom written software for their core user administration.
Jul 20 17:04:32 <Sopwith>	mmcgrath: I did the old one for the GNOME project, if that helps.
Jul 20 17:04:39 <mmcgrath>	Its not like this is just one system, this is the center of all of our user management.  All apps have to be able to interface with this.
Jul 20 17:04:54 <abompard>	our functions could be made to plug into different backends, that should not be too hard
Jul 20 17:05:43 <lyz>	what apps are going to authenticte with the account system?
Jul 20 17:05:51 <lyz>	authenticate
Jul 20 17:05:54 <mmcgrath>	lyz: as many as is humly possible.
Jul 20 17:05:55 <Sopwith>	lyz: Most of the ones on pasqual's list
Jul 20 17:06:01 <mmcgrath>	humanly
Jul 20 17:06:17 <lyz>	Sopwith, where's pasqual's list
Jul 20 17:06:20 <mmcgrath>	and future apps that don't exist yet.
Jul 20 17:06:33 <abadger1999>	mmcgrath: Do you know where I can find the equivalent of "The Practical SQL Handbook"?  I need something along those lines to understand what LDAP's power is...
Jul 20 17:06:34 <pasqual>	It's not yet on the web
Jul 20 17:06:38 <Sopwith>	lyz: He posted it in fedora-infrastructure-list last week.
Jul 20 17:07:00 <lyz>	must've missed it, I'll look through it today
Jul 20 17:07:33 <iWolf>	What seems powerful about LDAP is so many systems can use it for auth.  Shell access, Plone, Moin Moin, etc, etc.  So with less work to get those pieces working there can be more time to work on our unique requirements.
Jul 20 17:07:47 <mmcgrath>	http://gort.metaparadigm.com/ldap/Practical-LDAP-and-Linux.pdf
Jul 20 17:08:02 <Sopwith>	lyz/abompard: I think you guys need to make the ultimate decision if you're going to do the work. But can we move ahead with other parts of the process (such as abstract schema design, user interface mockups, setting up a CVS module, etc.)?
Jul 20 17:08:41 <mmcgrath>	I mean we can write a system from scratch, code all of our apps to work with it, and admin and design it.  Or we can use what stuff already exists.
Jul 20 17:08:43 <abompard>	I'll check if the default LDAP schema (inetOrgPerson) can handle all our requirements in AccountSystem2
Jul 20 17:09:12 <abadger1999>	mmcgrath: Err.. The Practical SQL Handbook is a programming guide.
Jul 20 17:09:25 <lyz>	there's more to the system than just authentication,  is LDAP good for that too?
Jul 20 17:09:36 <mmcgrath>	got'cha.  that link is like a showcase.
Jul 20 17:10:04 <abompard>	lyz: for example ? LDAP can do group memberships if that's what you mean
Jul 20 17:10:29 *	warren wonders if we could leverage any help from Red Hat's Directory Server division, if we go the LDAP route.  Maybe they know something about LDAP. =)
Jul 20 17:11:14 <Sopwith>	I'm sure they'd be willing to help, yea.
Jul 20 17:11:17 <lyz>	abompard, I'm thinking like number of bugs closed and projects working on
Jul 20 17:11:31 <Sopwith>	lyz: That's stuff for the metrics system rather than the account system...
Jul 20 17:11:33 <warren>	They may see benefit in lending a hand to us, because greater exposure and use by the Fedora community benefits them too.
Jul 20 17:11:47 <dgilmore>	warren: you would hope they know something
Jul 20 17:11:52 <lyz>	Sopwith, I see
Jul 20 17:12:17 <abompard>	we'll still need to extend the default schema, for example to check if the CLA has been signed
Jul 20 17:12:23 <Sopwith>	the account system covers authorization, authentication, project membership, CLA, and a few other things (e,g, email aliases)
Jul 20 17:12:43 <lyz>	oh
Jul 20 17:12:48 <abompard>	in this list, only the CLA boolean is not covered by the default schema
Jul 20 17:12:50 <warren>	I've used openldap with samba for central authentication in the past.  It isn't too hard to extend schema for additional things you want to keep track of.
Jul 20 17:12:50 <Sopwith>	Let's figure out a TODO for next week so we don't spend forever talking about orange versus apple.
Jul 20 17:13:00 <lyz>	then LDAP isn't as bad as I first thought
Jul 20 17:13:03 <mmcgrath>	I think a great deal more research needs to be done on this before we even think about implementing it.
Jul 20 17:13:31 *	iWolf agrees with mmcgrath
Jul 20 17:14:01 <Sopwith>	So what does that mean on a practical level?
Jul 20 17:14:05 <abompard>	warren: much harder than adding a column to your database. you need an OID, a matching criteria, etc...
Jul 20 17:15:17 <mmcgrath>	here's one example of an ldap query: ldap://ldapserver/ou=Users,dc=fedoraproject,dc=org?uid?sub?(&(objectClass=user)(!(uid=baduser)))
Jul 20 17:15:29 <iWolf>	Sopwith: I think it might be wrapped up in your abstract comment.  Working up what exactly this system needs to do to make groups happy.  Then apply those thought out requirements to an LDAP scenario and a SQL scenario and maybe even the LDAP_SQL scenario.
Jul 20 17:15:33 <mmcgrath>	that will return a list of users in the users ou, it excludes baduser.
Jul 20 17:15:56 <warren>	poor baduser
Jul 20 17:16:04 <mmcgrath>	he's totally excluded.
Jul 20 17:16:06 <lyz>	he deserved it
Jul 20 17:16:09 <Sopwith>	hehe
Jul 20 17:16:16 <iWolf>	Sort of like abompard is thinking of now, what does the default LDAP schema do for us out of the box.  And how hard to tweak it to do what we need.
Jul 20 17:16:17 <abompard>	I'll setup a test LDAP server and try to implement a structure which would fulfill our requirements
Jul 20 17:16:20 <Sopwith>	iwolf: lyz has done a good job of collecting requirements so far.
Jul 20 17:16:21 <mmcgrath>	but he could be a group, and it could have been cn=SysadminMain,ou=Users,dc=fedoraproject,dc=org
Jul 20 17:16:42 <mmcgrath>	abompard: I had an fds system setup on lockbox that had all of our users migrated already.
Jul 20 17:16:53 <abompard>	mmcgrath: nice
Jul 20 17:16:59 <Sopwith>	abompard: That's a good todo item.
Jul 20 17:17:04 <abompard>	mmcgrath: can I have access to that ?
Jul 20 17:17:17 <mmcgrath>	yeah, I honestly don't know if it's still up and running.
Jul 20 17:17:30 <iWolf>	Sopwith: Agreed, now it is time to see which requires more work.  Fitting them to an LDAP schema or SQL.
Jul 20 17:18:06 <Sopwith>	lyz: I think it would be useful to have a CVS module set up for holding prototypes and stuff like that... What say you?
Jul 20 17:18:15 <abompard>	mmcgrath: maybe I'll be faster setting up openldap on my PC
Jul 20 17:18:17 <iWolf>	Sopwith: And how those pieces fit with various systems.  To me the fact that LDAP should work with several of our systems with minimal effort means there is more time to tweak what does need tweaking with LDAP.
Jul 20 17:18:25 <lyz>	Sopwith, good idea.  I need CVS access though
Jul 20 17:18:33 <mmcgrath>	abompard: bah, go straight with fds - Its actually pretty good.
Jul 20 17:18:45 <Sopwith>	lyz: Please make sure you go through the process of creating an account in admin.fedoraproject.org/accounts/, and also completing the CLA.
Jul 20 17:18:46 <iWolf>	Sopwith: Whereas the pure SQL solution seems like more work overall to get the schema setup and plugged into all the different apps.
Jul 20 17:19:10 <lyz>	Sopwith, I think I did that already
Jul 20 17:19:18 <Sopwith>	lyz: OK, what's your username?
Jul 20 17:19:27 <iWolf>	Sopwith: Of course with all that said, I totally respect your comments that if you're not the one writing it then your vote may not count as much.  :)
Jul 20 17:19:30 <abompard>	mmcgrath: a perfect opportunity to give it a try :)
Jul 20 17:19:33 <lyz>	Sopwith, lyz
Jul 20 17:19:36 <Sopwith>	cool
Jul 20 17:20:31 <warren>	Is a hybrid solution a bad idea?  My university had everything in SQL, and exported to LDAP.  Various services used either depending on which was easier to integrate.
Jul 20 17:20:54 <mmcgrath>	I've thought about a hybrid.
Jul 20 17:21:13 <iWolf>	warren: I don't think a hybrid solution would be all bad either.
Jul 20 17:21:13 <lyz>	How would it sync?
Jul 20 17:21:19 <mmcgrath>	scripts
Jul 20 17:21:19 <abompard>	sounds nice, but I don't know how that can be done
Jul 20 17:21:19 <skvidal>	lyz: no sync
Jul 20 17:21:22 <Sopwith>	lyz: You should be able to do 'cvs -d :ext:lyz at cvs.fedoraproject.org:/cvs/fedora checkout accounts2' to get a blank module to work in.
Jul 20 17:21:23 <skvidal>	push-only
Jul 20 17:21:30 <skvidal>	from sql->ldap
Jul 20 17:21:35 <abompard>	skvidal: oh
Jul 20 17:21:37 <mmcgrath>	or ldap->sql
Jul 20 17:21:40 <skvidal>	mmcgrath: true
Jul 20 17:21:47 <skvidal>	one has to be the definitive set, though
Jul 20 17:21:50 <skvidal>	b/c merging is a bitch
Jul 20 17:22:16 <lyz>	Sopwith, will try it thanks
Jul 20 17:22:22 <Sopwith>	lyz: For next week, can you and abompard start to pull together a more definite schema that meets the requirements, and stick it in there?
Jul 20 17:22:36 <lyz>	can do
Jul 20 17:22:39 <Sopwith>	Coolness.
Jul 20 17:22:42 <abompard>	lyz: sure
Jul 20 17:23:12 <abompard>	ah, I forgot this detail : I'll be on holiday from tuesday on
Jul 20 17:23:15 <abompard>	...
Jul 20 17:23:18 <abompard>	:/
Jul 20 17:23:20 <Sopwith>	Oh, have fun then!
Jul 20 17:23:30 <lyz>	abompard, I don't know if I have your email.  Send something to lyz27 at yahoo.com please
Jul 20 17:23:42 <abompard>	lyz: abompard at fedoraproject.org
Jul 20 17:23:53 <lyz>	oh .......
Jul 20 17:24:08 <abompard>	yeah, you'll have that nice one too when you're in the account system
Jul 20 17:24:24 <lyz>	i have it, I just don't use it yet
Jul 20 17:24:30 <abompard>	okay
Jul 20 17:24:34 <Sopwith>	Sorry this has gone on so long guys. I think we've covered just about everything.
Jul 20 17:24:45 <abompard>	yeah, it's getting late
Jul 20 17:24:48 <Sopwith>	Anyone here who is looking for something to do or just wants to introduce themselves?
Jul 20 17:24:55 <Sopwith>	I know damaestro mentioned LDAP earlier
Jul 20 17:25:59 <lyz>	Does anyone know me yet?
Jul 20 17:26:10 <mmcgrath>	I know of you :-D
Jul 20 17:26:20 <Sopwith>	lyz: You've been here three times, so you're one of us.
Jul 20 17:26:22 <abompard>	who truly knows anyone ?
Jul 20 17:26:29 <Sopwith>	hehe
Jul 20 17:26:35 <Sopwith>	(meeting is over, FWIW)
Jul 20 17:26:37 <lyz>	Sopwith, sweet
Jul 20 17:26:54 <abadger1999>	I'm going to need some resources to deploy my prototype of bzr for package version control.
Jul 20 17:27:15 <dgilmore>	abadger1999: what kind of resources?
Jul 20 17:27:38 <iWolf>	headed out guys... later.
Jul 20 17:27:42 <Sopwith>	So now that I'm not trying to keep everyone on the same page, it's probably a good time to respond to all those LDAP comments...
Jul 20 17:27:43 <abadger1999>	ssh (with the scponly package installed) and http access.
Jul 20 17:27:45 <lyz>	later
Jul 20 17:27:54 <abadger1999>	A filesystem mounted with acl support.
Jul 20 17:28:14 <Sopwith>	iwolf: later
Jul 20 17:28:40 <Sopwith>	So my $0.02 on LDAP is that even though I probably wouldn't choose it personally, it can work fine as long as you stick with the standardized schema.
Jul 20 17:28:50 <abadger1999>	If I do a full import of just Extras devel head I need 1- 1.5GB of space.
Jul 20 17:29:13 <Sopwith>	But all these tools, and systems that authenticate against LDAP, are not going to be useful with the schema modifications that we need.
Jul 20 17:29:36 <Sopwith>	For example, the standard LDAP groups table is probably going to be useless
Jul 20 17:29:59 <Sopwith>	And retrieving a person's e-mail address will be hard for moinmoin when they have 5 e-mail addresses listed in a separate table.
Jul 20 17:30:13 <Sopwith>	All these apps that have LDAP support built in assume use of the standard schema
Jul 20 17:30:14 <dgilmore>	abadger1999: i might be able to help you out
Jul 20 17:30:27 <lyz>	Sopwith, so it would be hard to allow groups access to certain apps?
Jul 20 17:30:43 <lyz>	based on the group they are a member of
Jul 20 17:30:44 <abadger1999>	dgilmore: Great!
Jul 20 17:31:03 <Sopwith>	lyz: Well, probably not much harder than with an SQL solution...
Jul 20 17:31:25 <mmcgrath>	Sopwith: we can add to the standard schema without changing whats there.
Jul 20 17:31:41 <mmcgrath>	And why would the standard LDAP groups not work?
Jul 20 17:31:55 <Sopwith>	mmcgrath: Because we need to support having groups be members of other groups
Jul 20 17:32:04 <Sopwith>	mmcgrath: How would you implement that in LDAP?
Jul 20 17:32:12 <mmcgrath>	FDS has full support for dynamic groups.
Jul 20 17:32:16 <abadger1999>	dgilmore: Do you want to email me? toshio fedoraproject.org
Jul 20 17:32:33 <mmcgrath>	you can say "if such and such user has a 3 in their telephone number and are located in Phoenix then they are a member of this group"
Jul 20 17:32:39 <tibbs>	How far is FDS (chuckle) from getting into extras?
Jul 20 17:32:44 <mmcgrath>	long way
Jul 20 17:32:48 <mmcgrath>	but they're working on it.
Jul 20 17:32:49 <Sopwith>	mmcgrath: OK, cool.
Jul 20 17:33:09 <mmcgrath>	A lot of places out there are using dynamic groups with custom attributes that you put on the user.  Which isn't very hard to do.
Jul 20 17:33:20 <Sopwith>	mmcgrath: OK, that will meet that need then.
Jul 20 17:33:37 <Sopwith>	mmcgrath: And handling multiple e-mail addresses?
Jul 20 17:33:52 <mmcgrath>	LDAP laughs in the face of multiple email addresses.  No problem.
Jul 20 17:33:56 <lyz>	mmcgrath, how would you say " If a member is this type of member then they are allowed access to authenticate to application X "
Jul 20 17:34:10 <mmcgrath>	Depends on the app.  In apache its very easy.
Jul 20 17:34:21 <lyz>	do most apps support that?
Jul 20 17:34:25 <mmcgrath>	its just different.
Jul 20 17:34:42 <mmcgrath>	More support LDAP than will support our proprietary SQL server.
Jul 20 17:34:54 <lyz>	k
Jul 20 17:34:54 *	mmcgrath wishes pastebin would actually work from time to time :-D
Jul 20 17:34:56 <Sopwith>	mmcgrath: How many apps will need modifying to handle those two features?
Jul 20 17:35:09 <Sopwith>	abompard: By the way, CLA support is more than just having a boolean field...
Jul 20 17:35:50 <lyz>	guys I gotta run.  Please include what more you talk about in the log
Jul 20 17:35:56 <Sopwith>	lyz: OK, will do
Jul 20 17:36:03 <lyz>	thanks bye
Jul 20 17:36:04 <Sopwith>	abompard: For all the group memberships, we need to track where people are at in the membership process, and when they joined a group, etc.
Jul 20 17:36:10 <--	lyz has quit ("Leaving")
Jul 20 17:39:25 <mmcgrath>	Sopwith: for most stuff like logging in to apache, having multiple email addresses doesn't really matter
Jul 20 17:40:03 <Sopwith>	mmcgrath: For using multiple e-mail addresses, moinmoin's "page changed" notifications are a good example.
Jul 20 17:40:21 <mmcgrath>	ahh, that will be in moinmoin then.
Jul 20 17:41:05 <mmcgrath>	here's an apache config example: http://mmcgrath.net/~mmcgrath/apacheexample.conf
Jul 20 17:41:17 <Sopwith>	Yea, but someone mentioned that moinmoin had LDAP support, so I'm wondering whether these mentions of support mean complete support for the schema, or just the ability to authenticate against LDAP?
Jul 20 17:41:44 <Sopwith>	It'd also be nice to do away with wiki groups and use LDAP groups instead, as another example.
Jul 20 17:41:49 <mmcgrath>	that I don't know, its usually up to the apps but it would be a simple ldap query to get the email addresses from a specific user.
Jul 20 17:42:12 <Sopwith>	Does LDAP have the idea of a 'default' address?
Jul 20 17:42:34 <pasqual>	I leave for tonight, see you next week
Jul 20 17:42:39 <--	pasqual (n=pasqual at 81-202-75-184.user.ono.com) has left #fedora-admin ("Leaving")
Jul 20 17:44:48 <mmcgrath>	Sopwith: I'm not sure about specifically with email.  We'll have to see.
Jul 20 17:44:52 <Sopwith>	OK
Jul 20 17:45:24 <mmcgrath>	Hey, before you go.  Is there anyone else that has full admin access to the accounting system?  Should I set myself up as an admin in all the groups?
Jul 20 17:45:47 <Sopwith>	Yes, and no...
Jul 20 17:46:01 <mmcgrath>	k and won't :-D
Jul 20 17:48:23 <daMaestro>	sorry i missed the discussion.. i am at work
Jul 20 17:48:42 <daMaestro>	mmcgrath, thanks for making points that I would have also been inclined to make
Jul 20 17:49:15 <daMaestro>	Sopwith, as far as I know.. all of what mmcgrath has mentioned about ldap is correct
Jul 20 17:49:24 <daMaestro>	and FDS is a really good server
Jul 20 17:49:49 <Sopwith>	damaestro: That's cool. Knowing about LDAP dynamic groups and a few other specific features does help a lot.
Jul 20 17:50:10 <mmcgrath>	bah we'll see what happens :-D
Jul 20 17:50:28 <Sopwith>	Is FDS at the point where we could use it? It does smack of "synergies within the Fedora project" to use it :)
Jul 20 17:51:22 <mmcgrath>	The admin interface still relies on Sun's JDK.
Jul 20 17:51:42 <mmcgrath>	But there are web interfaces that should work well for us.
Jul 20 17:51:47 <Sopwith>	Cool
Jul 20 17:52:06 <Sopwith>	If it helps at all, Jakub is planning on checking in a 25M patch to gcc that backports a bunch of Java stuff from head, and allows appletviewer to work. :)
Jul 20 17:52:25 <mmcgrath>	huzza.
Jul 20 17:52:38 <mmcgrath>	That'll be fun.