On Wed, 10 Aug 2011, Stephen Gallagher wrote:
> On Wed, 2011-08-10 at 09:15 -0600, Kevin Fenzi wrote:
> > > 3) Turn ReviewBoard into a turnkey OpenShift virtual instance and
> > > allow any Fedora Hosted project to spin one up. This instance would
> > > use standard enrollment (rather than FAS integration, which is
> > > impossible outside the Infra firewall). Each project could have its
> > > own complete instance to maintain on its own. Upsides: less work for
> > > Fedora Admins, support for email and better performance. Downsides: no
> > > centrally-managed user accounts and projects need to do more of the
> > > maintaining of the system themselves.
> > This is pretty interesting... I assume after following the steps they
> > would have a persistent instance they could use moving forward. It
> > doesn't need anything special to talk to their project on hosted?
> > Does it end up costing the end project anything?
> I've submitted a patch upstream to ReviewBoard to add easy configuration
> of Fedora Hosted source repositories:
> I have confirmation from Christian Hammond (the upstream project lead)
> that it will be included in the 1.5.6 and 1.6.0 releases (aka
> So there's very little that the projects need to do in order to connect
> to the hosted repo. As I said above, they lose the centrally-managed
> users available to FAS, so they'd need to manage their own groups
> themselves. On the other side, this does mean that they gain much finer
> control over permissions (since they can define their own
> project-specific groups rather than relying on FAS groups).
> > What happens if someone sets up an instance and then disappears?
> > Does the project have any way to deal with that? Or just make a new one?
> That's a good question for Mike McGrath. I suspect that it would be
> prudent to recommend that projects set up several administrators so that
> a disappearance of one doesn't result in the loss of all administrators.
> Also, it's possible to promote a user to admin status if you have
> database privileges as well by setting the admin flag on their user
> account, but of course that assumes you have access to a DB admin.
> A final option would be to modify the openshift instance to always
> install a recovery admin with a random password that was escrowed by the
> Fedora project, but I'm not sure whether that's realistic. Mike, can you
> speak to that?
We should have multiple ssh key support soon to allow multiple admins of a
single project. Having said that the apps are tied to an individual user
account. At the moment if someone wanted to move it they'd have to make a
snapshot and restore it elsewhere (if for some reason the app needed to
change owners or something)
To do the "fedora project recovery" bits, we'd have to setup the fedora
project as an intermediary (basically running everything as a fedora
user). The rest could all be scripted fairly easily. At the moment
though there's a limit of 5 apps per account so the best bet is to have
users setup their own for the time being.
infrastructure mailing list