#fedora-meeting: Infrastructure (2011-09-15)
Meeting started by nirik at 19:00:00 UTC. The full logs are available at
* Robot Roll Call (nirik, 19:00:01)
* New folks introductions and apprentice tasks/feedback (nirik,
* Password/Ssh-key/Cert reset flag day discussion. (nirik, 19:04:28)
* ACTION: nirik will whip up a plan/schedule. (nirik, 19:18:28)
* Bastion outages/openvpn discussion. (nirik, 19:19:45)
* bastion03 hopefully stable now. (nirik, 19:23:30)
* will look at setting heartbeat back up after the freeze. (nirik,
* Upcoming Tasks/Items (nirik, 19:25:29)
* Open Floor (nirik, 19:32:11)
Meeting ended at 19:34:39 UTC.
Action Items
* nirik will whip up a plan/schedule.
Action Items, by person
* nirik will whip up a plan/schedule.
People Present (lines said)
* nirik (74)
* smooge (22)
* skvidal (16)
* zodbot (10)
* abadger1999 (7)
* ke4zvu3 (5)
* pingou (4)
* lmacken (2)
* CodeBlock (2)
* athmane (1)
* ricky (0)
* codeblock (0)
19:00:00 <nirik> #startmeeting Infrastructure (2011-09-15)
19:00:00 <zodbot> Meeting started Thu Sep 15 19:00:00 2011 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:00 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:01 <nirik> #meetingname infrastructure
19:00:01 <nirik> #topic Robot Roll Call
19:00:01 <nirik> #chair smooge skvidal codeblock ricky nirik abadger1999 lmacken
19:00:01 <zodbot> The meeting name has been set to 'infrastructure'
19:00:01 <zodbot> Current chairs: abadger1999 codeblock lmacken nirik ricky skvidal smooge
19:00:22 <smooge> here
19:00:32 * abadger1999 here
19:00:33 <smooge> mostly watching a console trying to boot
19:00:43 <smooge> please ping when you need my attention
19:00:49 * athmane is here
19:01:19 <smooge> ok got it to pause. really here
19:01:53 * lmacken
19:02:28 <nirik> ok, I guess let's go ahead and dive in...
19:02:36 <nirik> #topic New folks introductions and apprentice tasks/feedback
19:02:55 <nirik> any new folks want to introduce themselves?
19:02:57 * ke4zvu3 is here too but hasn't sent the introductory email yet to join and such
19:03:04 <nirik> or any apprentice tickets or tasks we want to discuss?
19:03:11 <nirik> welcome ke4zvu3.
19:03:25 * CodeBlock is here, sorry.
19:04:17 <nirik> ok, I guess let's go ahead and drive on.
19:04:28 <nirik> #topic Password/Ssh-key/Cert reset flag day discussion.
19:04:47 <nirik> So, there was some discussion of this on list and some more in the most recent board meeting.
19:04:59 <nirik> Anyone have any further input on it?
19:05:39 <nirik> I would like to have docs updated and perhaps a nice wiki page to point people to before we announce anything.
19:06:38 <nirik> and we do still need to determine timing.
19:07:05 <abadger1999> If we're changing the password reqs it would need a little FAS coding too.
19:07:15 <nirik> yeah, that too.
19:07:18 <smooge> how much?
19:07:53 <abadger1999> non-invasive (modify one method) but how much depends on how complex an algorithm.
19:08:03 <abadger1999> If it's "20 chars" it's easy :-)
19:08:06 <nirik> For timing, I am thinking perhaps a month after f16 might make sense... or 2 weeks. That way people who are busy with the release can push it out until it's done and have time to do changes then.
19:08:26 <nirik> .ticket 2804
19:08:28 <zodbot> nirik: #2804 (Decide on FAS password requirements.) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2804
19:08:31 <smooge> nirik, that sounds good.
19:08:38 <nirik> we had a more complex set in that ticket we talked about.
19:09:41 <nirik> which we could of course revisit.
19:09:50 <abadger1999> ah, but that was before the xkcd ;-)
19:09:57 <smooge> still digesting
19:10:00 <nirik> true.
19:10:01 <lmacken> heh
19:10:53 <nirik> I think perhaps the next step here is to gather all these things and post a plan...
19:10:54 <smooge> I would add one line to cover that.
19:11:11 * skvidal is here
19:11:11 <smooge> if it's over 20 characters only lower case and spaces are needed
19:11:14 <nirik> oh, there is also another issue if we want to make sure people don't reupload their old certs.
19:11:25 <nirik> welcome skvidal.
19:11:25 <skvidal> nirik: what's that?
19:11:53 <nirik> well, we need to code a check in fas to save the last key and verify the new one isn't it.
19:12:16 <skvidal> nirik: OR
19:12:25 <skvidal> we could just do it as a nightly cron job
19:12:32 <skvidal> grab a copy of the pubkeys now
19:12:44 <skvidal> and compare them with ones each night
19:12:55 <skvidal> if they are same as before 'nuke the key and send an email'
19:12:59 <nirik> well, there's also the case of 'upload crap key, then reupload old key', but not sure people would go to that length.
19:13:20 <skvidal> well that's why we grab their keys now
19:13:23 <skvidal> but yes
19:13:24 <skvidal> you're right
19:13:47 <nirik> also, if it's in fas it might be nice moving forward..
19:14:24 <skvidal> true
19:14:25 <smooge> nirik, oh I am sure one or 2 would
19:14:33 <nirik> so, let me do this (or anyone else): collect things we need to put in place and a suggested timeline and go from there?
19:15:14 <smooge> that sounds good
19:15:18 <skvidal> ok
19:15:25 <nirik> fas password changes, fas key reuse checking, docs to point people at about good security, way to notify everyone (mass email?), and deadline/what happens if you fail.
19:16:04 <nirik> we could also restrict the ssh key requirement to only some groups? or do we not want to do that?
19:17:11 <nirik> ie, anyone who could actually use them in fedora? but then that would leave someone who uploaded one, then gets sponsored and has an old key.
19:17:13 <abadger1999> as long as null is an okay state, I'd be more in favor of all.
19:17:30 <abadger1999> yep, for the reason you just stated.
19:18:21 <nirik> ok. will whip up a plan...
19:18:28 <nirik> #action nirik will whip up a plan/schedule.
19:18:37 <nirik> anything else on this?
19:18:44 <skvidal> nope
19:18:57 * pingou late
19:19:27 <nirik> I'm sure we will see pushback on the ssh key thing... so I think it's important we have good docs and announcement that explains why we want to do this.
19:19:37 <nirik> hey pingou
19:19:45 <nirik> #topic Bastion outages/openvpn discussion.
19:19:59 <nirik> So, bastion03 has been hitting what looks like a nasty virtio bug. ;(
19:20:15 <nirik> I've changed it to use e1000 for its network, so hopefully it will be stable again.
19:20:49 <nirik> if it croaks again, we should switch back to bastion02 for now.
19:21:09 <nirik> due to this issue, it's gotten me thinking about how we could better do our vpn setup...
19:21:26 <nirik> but none of the options look too great to me.
19:21:46 <smooge> yeah
19:21:47 <nirik> The best currently is to resetup heartbeat after the freeze... so at least we have failover.
19:22:44 <nirik> so, if anyone has brilliant ideas for improving the setup, please do share them with the list/etc.
19:23:30 <nirik> #info bastion03 hopefully stable now.
19:23:42 <nirik> #info will look at setting heartbeat back up after the freeze.
19:23:55 <nirik> any other comments on this?
19:24:17 <smooge> looking at rhel5 for this if rhel6 is not stable
19:24:30 <pingou> ie bastion02
19:24:44 <nirik> yeah, we still have bastion02(rhel5) around.
19:24:55 <nirik> but I'd really like to get us migrated to 6.
19:25:29 <nirik> #topic Upcoming Tasks/Items
19:25:29 <smooge> well I mean el5 on kvm
19:25:42 <nirik> smooge: yeah, I suppose we could... as a last resort.
19:25:52 <smooge> sorry my brain is feeling like someone hit it with a brick twice
19:25:54 <nirik> ok, so we are in freeze currently.
19:26:10 <nirik> So, this is a good time to work on docs and such...
19:26:36 <nirik> askbot is moving along toward production.
19:26:47 <nirik> paste is doing so as well, but not yet in stg.
19:27:01 <nirik> any other upcoming items people are working on they want to talk about?
19:28:12 <ke4zvu3> can i ask a question about paste?
19:28:34 <nirik> Oh, another after the freeze thing: I want to move some vpn hosts around... move hosts that don't need much vpn access to a subnet that is more iptables locked.
19:28:38 <nirik> ke4zvu3: sure.
19:28:39 <ke4zvu3> is the intention to take over the fpaste.org domain from Unity or would the production FQDN be paste.fedoraproject.org ?
19:29:01 <smooge> we don't own fpaste.org
19:29:06 <nirik> ke4zvu3: I think the plan was to take over the domain, but it's still unknown if the domain owner wants to move it over.
19:29:10 <smooge> and the owner has not been very communicative I believe
19:29:15 <nirik> if not, then paste.fedoraproject.org.
19:29:17 <ke4zvu3> understood, thanks.
19:30:20 <nirik> Oh, we also do have all the beta tickets. I filed them yesterday.
19:30:34 <nirik> .ticket 2945
19:30:35 <zodbot> nirik: #2945 (Fedora 16 Beta - New website) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2945
19:30:37 <nirik> .ticket 2946
19:30:38 <zodbot> nirik: #2946 (Fedora 16 Beta - verify mirror space) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2946
19:30:41 <nirik> .ticket 2947
19:30:43 <zodbot> nirik: #2947 (Fedora 16 Beta - release day ticket) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2947
19:30:47 <nirik> .ticket 2948
19:30:48 <zodbot> nirik: #2948 (Fedora 16 Beta - verify release permissions with rel-eng) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2948
19:30:49 <nirik> .ticket 2949
19:30:52 <zodbot> nirik: #2949 (Fedora 16 Beta - Mirrormanager redirects for beta) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2949
19:31:27 <smooge> nirik, ok I will take my usuals
19:31:29 <smooge> thanks
19:31:32 <nirik> smooge: cool.
19:32:11 <nirik> #topic Open Floor
19:32:17 <nirik> Any items for open floor?
19:32:32 <smooge> ppc is a lovely architecture and I have no idea why it never took off
19:32:38 <skvidal> smooge: haha
19:32:41 <pingou> ^^
19:32:41 <ke4zvu3> ha
19:32:43 <skvidal> smooge: LIAR LIAR
19:32:55 <pingou> skvidal: "be nice"
19:33:01 <nirik> smooge: but it's ultra secure... not booting and all.
19:33:16 <skvidal> pingou:
19:33:24 <smooge> yes.. and all you need to do to make a box not boot is take out its working drive and PUT BACK the drive
19:33:57 <smooge> I haven't had this much fun since the great days of playing with HPUX-5
19:34:14 <nirik> joy.
19:34:28 <nirik> ok, I guess let's wrap up and go back to infrastructuring.
19:34:32 <nirik> thanks for coming everyone!
19:34:39 <nirik> #endmeeting