Summary/Minutes from today's Fedora Infrastructure Meeting (2011-09-22)

Kevin Fenzi kevin at scrye.com
Thu Sep 22 19:39:11 UTC 2011


============================================
#fedora-meeting: Infrastructure (2011-09-22)
============================================

Meeting started by nirik at 19:00:02 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2011-09-22/infrastructure.2011-09-22-19.00.log.html

Meeting summary
---------------
* Robot Roll Call  (nirik, 19:00:03)

* Freeze Items  (smooge, 19:01:22)

* New People  (smooge, 19:04:46)

* Password/Ssh-key/Cert reset flag day discussion  (nirik, 19:07:47)
  * feedback wanted on
    https://fedoraproject.org/wiki/Infrastructure_mass_password_update
    (nirik, 19:10:19)
  * CSI needs updating first.  (nirik, 19:10:26)
  * scheduling proposed was 1month after f16 release.  (nirik, 19:10:40)
  * LINK: https://bugzilla.redhat.com/show_bug.cgi?id=737735   (nirik,
    19:15:53)

* Bastion outages/openvpn discussion.  (nirik, 19:22:48)

* Upcoming Tasks/Items  (nirik, 19:26:07)

* Request for Resources progress report  (nirik, 19:30:33)
  * ask is pretty much all set to move to production  (nirik, 19:30:46)
  * paste is still working in dev to iron out issues.  (nirik, 19:31:37)

* Open Floor  (nirik, 19:32:32)
  * we are at 217 tickets currently. I'd like to get that under 200
    before the end of the year... but I guess we will see.  (nirik,
    19:33:08)

Meeting ended at 19:38:31 UTC.




Action Items
------------





Action Items, by person
-----------------------
* **UNASSIGNED**
  * (none)




People Present (lines said)
---------------------------
* nirik (76)
* smooge (20)
* abadger1999 (8)
* zodbot (4)
* KKA (4)
* rfelsburg (3)
* lmacken (2)
* LoKoMurdoK (2)
* dgilmore (2)
* CodeBlock (1)
* ricky (0)
* skvidal (0)
* codeblock (0)
--
19:00:02 <nirik> #startmeeting Infrastructure (2011-09-22)
19:00:02 <zodbot> Meeting started Thu Sep 22 19:00:02 2011 UTC.  The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:02 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:03 <nirik> #meetingname infrastructure
19:00:03 <nirik> #topic Robot Roll Call
19:00:03 <nirik> #chair smooge skvidal codeblock ricky nirik abadger1999 lmacken
19:00:03 <zodbot> The meeting name has been set to 'infrastructure'
19:00:03 <zodbot> Current chairs: abadger1999 codeblock lmacken nirik ricky skvidal smooge
19:00:09 <smooge> Here
19:00:13 <smooge> Smoogen is here.
19:00:32 <abadger1999> buenos dias
19:00:35 <smooge> we are dealing with some system outages so this will probably be a short meeting
19:00:38 * LoKoMurdoK here
19:00:41 * nirik is here, but fighting fires.
19:01:00 * rfelsburg here
19:01:22 <smooge> #topic Freeze Items
19:01:33 <smooge> Beta freeze is still ongoing
19:01:50 <smooge> we should not be playing with things in core infrastructure without +1/-1
19:02:11 <nirik> also, note that freeze is now an extra week.
19:02:12 <smooge> beta has slipped a week so most beta tickets will wait until then
19:02:26 <nirik> ending 2011-10-04
19:02:51 <smooge> ok any questions or points? I think people should watch for any RC2 candidate and download/test
19:03:01 <nirik> testing is always good.
19:03:42 <dgilmore> hey
19:03:58 <smooge> dgilmore, any items from releng for infra to deal with?
19:04:12 <dgilmore> smooge: not right now
19:04:18 <smooge> cool
19:04:27 <smooge> any other beta issues or questions?
19:04:46 <smooge> #topic New People
19:04:56 <smooge> ok new people.. any new volunteers or such?
19:05:08 <KKA> good morning all
19:05:19 <LoKoMurdoK> hi KKA
19:05:20 <KKA> I am new member here
19:05:31 <nirik> welcome KKA
19:05:48 <KKA> working as a sysadmin for past 2 yrs
19:06:11 <KKA> nirik/LokoMurdok:hi
19:06:34 <nirik> KKA: well, welcome, do hang out in #fedora-admin and/or #fedora-noc and ask questions and get involved. ;)
19:06:40 <nirik> See https://fedoraproject.org/wiki/Infrastructure/GettingStarted if you haven't already.
19:07:30 <nirik> Any other questions or new folks?
19:07:47 <nirik> #topic Password/Ssh-key/Cert reset flag day discussion
19:08:00 <nirik> So, we had some discussion of this on the list and in the last irc Board meeting.
19:08:12 <nirik> I've written up: https://fedoraproject.org/wiki/Infrastructure_mass_password_update
19:08:22 <nirik> listing the requirements, etc for this.
19:08:42 <nirik> First thing we need to have in place is good docs. I'm looking at updating the CSI security doc...
19:08:51 <nirik> any changes or corrections to that are welcome.
19:09:23 <rfelsburg> Under 'Rationale' it actually says '<link to csi or wiki page on security best practices>' instead of the link.
19:09:41 <nirik> yeah, I started making a wiki page, but then decided the csi thing might be better...
19:09:53 <nirik> and didn't want to point to the current version until we update it.
19:09:53 <rfelsburg> Gotcha, just making sure it didn't fall through the cracks.
19:10:10 * CodeBlock here, late sorry
19:10:19 <nirik> #info feedback wanted on https://fedoraproject.org/wiki/Infrastructure_mass_password_update
19:10:26 <nirik> #info CSI needs updating first.
19:10:37 <lmacken> 5/wg 24
19:10:40 <nirik> #info scheduling proposed was 1month after f16 release.
19:10:40 <lmacken> oops :(
19:11:20 <nirik> Anything more on this topic? anyone have issues/concerns?
19:11:36 <nirik> oh, I did have one more thing...
19:12:22 <nirik> I took a quick survey of sysadmin-main folks. Pretty much everyone has yubikeys (except me, can't seem to locate mine) and all but 1 have some form of ios/android device.
19:13:11 <nirik> google authenticator is pretty nice, but openssh needs a patch to do two factor auth if we wanted to use it for ssh.
19:14:22 <nirik> I was thinking we might look at doing _either_ pass+yubikey or pass+googleauth (as the person chooses). then folks who want can use the one they like better.
19:14:46 <nirik> and we would need to add googleauth support to fas... which I don't know how hard that would be.
19:15:22 * abadger1999 has never looked at googleauth
19:15:27 <nirik> so, all stuff to look into.
19:15:53 <nirik> https://bugzilla.redhat.com/show_bug.cgi?id=737735
19:15:56 <nirik> it's under review.
19:16:00 <smooge> waits for the howls
19:16:13 <nirik> it's pretty slick actually.
19:16:28 * smooge wonders if we could build our own app to do that for us :)
19:16:40 <nirik> basically a pam module / command line enroll thing.
19:16:54 <nirik> smooge: review packages? ;)
19:17:25 <smooge> well I guess we could write an app for that too
19:17:34 <nirik> it spits out a nice QR code you can scan with your phone to add the auth
19:17:38 <nirik> or a numeric.
19:19:13 <abadger1999> how does the otp get verified/generated?
19:19:30 <abadger1999> is there a backend server like yubikeys?
19:19:59 <nirik> it's a pam module/command line tool. The command line generates it, and sticks it (by default) into '~/.google_authenticator'
19:20:09 <nirik> but there's an option to do a per machine location.
19:20:11 <nirik> nope.
19:21:24 <nirik> anyhow, just something to consider. That may be a better option for some of our users who don't wish to buy a yubikey.
19:22:06 <nirik> shall we move on? or anything else on password/key reset or two factor auth?
19:22:48 <nirik> #topic Bastion outages/openvpn discussion.
19:23:01 <nirik> So, we have been having problems with our new bastion03 for a while now...
19:23:12 <nirik> it's bug: https://bugzilla.redhat.com/show_bug.cgi?id=725332
19:23:28 <nirik> smooge rebuilt a new bastion01 for us that's 32bit and it's so far been just fine.
19:23:37 <nirik> So, hopefully we have at least a good workaround for it now.
19:25:05 <nirik> If it continues to look good we will look at replacing bastion02 with a new one, but it will have to happen after the freeze most likely.
19:25:30 <nirik> anything more on bastion woes? (I just like saying woe)
19:26:07 <nirik> #topic Upcoming Tasks/Items
19:26:22 <nirik> Anyone have upcoming tasks or items they are working on they would like to talk about?
19:27:10 <nirik> I have a proxy08 to setup to replace proxy01 (but bringing it up seems to have affected production, so I need to figure that out)
19:27:51 <smooge> retrace is setup
19:28:14 <smooge> it will be ready for test day on Tuesday
19:28:14 <nirik> smooge: good news. ;) just handing it off to them left?
19:28:20 <smooge> pretty much.
19:28:21 <nirik> cool.
19:28:54 <smooge> my day is waiting for IBM and see what new things they find wrong with the bladecenter
19:29:30 <nirik> as soon as freeze is over (or sooner in some cases) we need to get things moved off the xen boxes that are going out of warranty...
19:30:33 <nirik> #topic Request for Resources progress report
19:30:46 <nirik> #info ask is pretty much all set to move to production
19:30:59 <nirik> I will be working on setting up ask in the next week or so...
19:31:13 <nirik> if anyone finds any issues or concerns with the stg instance, please let us know.
19:31:20 <nirik> I think it's in pretty ok shape.
19:31:37 <nirik> #info paste is still working in dev to iron out issues.
19:31:46 <nirik> any other outstanding RFR's ?
19:32:32 <nirik> #topic Open Floor
19:32:40 <nirik> ok, anyone have any items for open floor?
19:33:08 <nirik> #info we are at 217 tickets currently. I'd like to get that under 200 before the end of the year... but I guess we will see.
19:33:37 <nirik> abadger1999: how's raffle coming along?
19:34:14 <abadger1999> nirik: I think I've got everything ready in puppet to push to staging -- was just waiting for a  time today when what I did wouldn't clash with any troubleshooting of other stuff.
19:34:39 <nirik> cool.
19:34:41 * abadger1999 cargo culted a little of the proxy stuff so it'll be a learning experience.
19:34:55 <nirik> yeah, I am still learning the proxy/caching setup...
19:35:15 <nirik> httpd -> varnish (sometimes) -> haproxy (sometimes) -> app (sometimes)
19:36:02 <abadger1999> yeah
19:36:04 <nirik> ok, I'll go ahead and close out in a minute if nothing else comes up.
19:36:23 <nirik> varnish also only seems to be able to work on url matching.
19:36:24 <abadger1999> and fas is setup differently in varnish than everything else
19:36:59 <nirik> yeah, it's set up as a single thing with 3 backends.
19:37:21 <nirik> and I think it doesn't use haproxy at all?
19:38:23 <nirik> anyhow, let's go back to #fedora-admin / #fedora-noc.
19:38:27 <nirik> thanks for coming everyone!
19:38:31 <nirik> #endmeeting