infrastructure
LOGS
19:00:24 <smooge> #startmeeting infrastructure
19:00:24 <zodbot> Meeting started Thu Mar 17 19:00:24 2011 UTC.  The chair is smooge. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:24 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:30 <smooge> #meetingname infrastructure
19:00:30 <zodbot> The meeting name has been set to 'infrastructure'
19:00:40 <smooge> #chair skvidal CodeBlock
19:00:40 <zodbot> Current chairs: CodeBlock skvidal smooge
19:00:52 <CodeBlock> :)
19:01:04 * thomasj lurks
19:01:12 <smooge> #topic roll call
19:01:17 * CodeBlock is here :)
19:01:19 * waltJ is around ...
19:01:20 <smooge> here
19:01:27 <hvivani> hvivani is here
19:01:29 <marchant> here
19:02:43 <CodeBlock> Let's get started
19:02:49 <CodeBlock> #topic RFR Documentation
19:02:53 <CodeBlock> abadger1999: aroudn?
19:02:56 <CodeBlock> *around
19:03:59 <CodeBlock> Alright then...well Basically it looks like abadger1999 has started a page with what a RFR owner's responsibilities are.
19:04:02 <CodeBlock> #link https://fedoraproject.org/wiki/Infrastructure/RFR_Responsibilities%28draft%29
19:04:03 * sijis is around
19:04:26 <CodeBlock> There's a relevant ticket,
19:04:29 <CodeBlock> .ticket 2674
19:04:30 <zodbot> CodeBlock: #2674 (Expectations for RFR Owners) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2674
19:04:50 <CodeBlock> I guess since he's not around, post comments/questions there.
19:05:23 <abadger1999> Yeah
19:05:30 * abadger1999 about to lose internet
19:05:42 <CodeBlock> abadger1999: ok - hi and bye :)
19:05:43 <abadger1999> mailing list may be better.
19:05:53 <abadger1999> :-)
19:06:10 <CodeBlock> Alright -- so yeah, send comments/questions about that to the mailing list then :)
19:06:19 * CodeBlock pulls up the meeting tickets list
19:07:14 <CodeBlock> #info app07 sucks, and apparently just died.
19:07:15 <CodeBlock> anyway
19:07:33 <CodeBlock> #topic Meeting tickets
19:07:45 <CodeBlock> .ticket 2501
19:07:46 <zodbot> CodeBlock: #2501 (What will it take to upgrade fedorahosted to RHEL6, new trac, new git?) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2501
19:08:31 <CodeBlock> I've been working on some ideas for hosted, and those are still in the prototype/mockup stage, and... not many people here have heard about them yet... which is fine -- but as part of those, yes I would like to get hosted to RHEL6
19:09:53 <StylusEater> CodeBlock: has hosted01 or 03 been set up with RHEL6 yet?
19:10:05 <CodeBlock> I'd like to maybe get a hosted03 built (smooge: can we do this on serverbeach05 where hosted2 is), and start playing around with making sure things work
19:10:16 <CodeBlock> StylusEater: nothing has yet
19:10:19 <CodeBlock> (as far as hoted)
19:10:21 <CodeBlock> *hosted
19:11:04 <smooge> I don't know if the serverbeach boxes have the umph to do another one on it.
19:11:10 * ricky_webchat is here.
19:11:18 <smooge> hi ricky_webchat
19:11:27 <CodeBlock> Along with that, (maybe after we get hosted1 as EL6) I'd also like to test our fallback to hosted2
19:11:51 <CodeBlock> smooge: hmm
19:12:43 <CodeBlock> smooge: we can talk about that later I guess, but yeah..let's maybe start finding a place for hosted03/EL6 testing
19:13:03 <smooge> well on hosted5 there is a partition for hosted02-el6
19:13:17 <CodeBlock> O.o
19:13:31 <CodeBlock> I have no clue what that is
19:14:39 <CodeBlock> Does anyone have anything else regarding getting hosted to EL6 (it will be a slow process, but I think it will be quite beneficial to have new trac)
19:15:14 <CodeBlock> Okay
19:15:26 <CodeBlock> I'll come back to meeting tickets, but
19:15:33 <CodeBlock> #topic Rebuilding puppet01
19:15:41 <smooge> whee
19:15:56 <CodeBlock> yesterday ricky_webchat and smooge talked about when/if we should rebuild puppet01
19:16:03 <CodeBlock> and smooge mentioned a few weeks after F15 is out
19:16:04 <smooge> I think the plan for this would be a 2 day task
19:16:13 <CodeBlock> and..yeah I'll let smooge take over :)
19:16:45 <smooge> basically puppet01 would be inventoried for what we would want to move over
19:16:49 <ricky_webchat> Most of the difficulty will be in notifying people to save their home directories
19:16:58 <ricky_webchat> Or alternatively, we could move it for people
19:17:01 <smooge> then puppet01 would be dropped and a new puppet system would be built on a different system.
19:17:09 <ricky_webchat> But back when mmcgrath_ did it, I'm pretty sure it was way less than a one day task
19:17:14 <ricky_webchat> Not to be overly optimistic :-)
19:17:38 <smooge> well mmcgrath_ is a god among men.. I quadruple any estimates to match him
19:18:19 <smooge> we would then just restore some trees and see what breaks
19:18:24 <CodeBlock> While we're rebuilding puppet01, have we considered EL6, and upgrading puppet...and are our puppet configs known to work on latest puppetmaster (or whatever is in EL6)
19:18:41 <smooge> the puppetmaster in EL6 should be the same as EL5
19:18:44 <ricky_webchat> Puppet is generally good about being backwards compatible
19:19:05 <ricky_webchat> But yeah, tmz keeps the versions the same everywhere because the client isn't always necessarily backwards-compatible, just the server
19:20:54 <CodeBlock> Alright - anything else on that?
19:20:56 <smooge> the main issue will be various 'links' and changes people will have made over the last 3 years
19:21:14 <ricky_webchat> And things on puppet01 not being in puppet :-(
19:21:20 <smooge> yes.
19:21:44 <smooge> I don't have anything more on that
19:22:02 <ricky_webchat> Same here - I'd be happy to help with the rebuild if I'm around during that time
19:22:02 <CodeBlock> smooge: ok, how long after F15 did we say?
19:22:33 <smooge> two weeks as puppet being down will affect a lot of stuff
19:22:40 <ricky_webchat> I'll probably have time the Thursday after :-)
19:22:45 <smooge> so I want the usual 2+ weeks of updates dealt with
19:22:49 <ricky_webchat> OK.
19:23:25 <smooge> so currently first week of June but prbly later
19:23:36 <CodeBlock> #agreed puppet01 will be rebuilt approx. two weeks after F15 is released.
19:23:37 <smooge> hopefully a few of us will be at SELF and can meet up/etc
19:23:49 <CodeBlock> hmmm
19:23:58 <ricky_webchat> Nice, summer - I'll definitely be around then :-)
19:24:12 <CodeBlock> ricky_webchat: going to SELF?
19:24:27 * CodeBlock will talk to some people, but it would be neat to go
19:24:46 <ricky_webchat> Hm, most likely not
19:25:22 <CodeBlock> :( ok
19:26:03 <CodeBlock> .ticket 2574 brings me to....
19:26:04 <zodbot> CodeBlock: Error: '2574 brings me to....' is not a valid integer.
19:26:08 <CodeBlock> #topic sysadmin cleanup
19:26:17 * CodeBlock tosses smooge the ..whatever it's called. :)
19:26:32 <ricky_webchat> .ticket 2574
19:26:33 <zodbot> ricky_webchat: #2574 (Perform regular inactive account prunings and possibly a password reset policy.) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2574
19:26:53 <ricky_webchat> The conch?
19:26:58 <smooge> ok I am working on cleaning up accounts
19:26:59 <CodeBlock> sure. :P
19:26:59 <smooge> the conch
19:27:03 <smooge> and then the pigs head
19:27:15 <smooge> and then it all goes down hill
19:27:45 <smooge> ok I started cleaning up accounts today. I can only do so on half of the sysadmin groups because uhm I am not owner or administrator in them :)
19:28:44 <smooge> from our 120 sysadmins we will be down to probably 80.. which to me is a lot more than we actually see working on stuff, but it is a good first pass
19:29:03 <CodeBlock> agreed
19:29:09 <ricky_webchat> So we have 80 people that *have* recently sudoed?
19:29:15 <smooge> no
19:29:40 <smooge> by just using sudo I was going to remove people who do stuff in mirror manager and such
19:29:44 <ricky_webchat> Ah - just curious, how did the pruning list shrink that much then?
19:30:18 <ricky_webchat> (Side note, MM we can split into a different group)
19:30:22 <smooge> and since there is no "did_admin" in fas I can't tell if people who are in various groups didn't do stuff
19:30:41 <smooge> so here are the steps of what I did.
19:30:42 <ricky_webchat> Yeah...  although puppet commits + sudo tell a decent story, I think
19:31:09 <smooge> 1) func-command to who /var/log/wtmp | egrep '2010-12|2011' to get people who had logged into systems
19:31:11 <ricky_webchat> Otherwise, whatever they did most likely could have been done without access anyway (with some exceptions like mm and important people who rarely login)
19:31:29 <smooge> [since we don't have ldap to do so :)]
19:32:03 <smooge> 2) get a list of all sysadmins and find out their last_seen
19:32:15 <smooge> 3) get a list of all sudo from systems that log to log01
19:32:36 <smooge> I miss the publictest boxes but decided that if a person logs into the box that was good enough data.
19:33:28 <ricky_webchat> Oh yeah, publictest - hopefully the majority of 120 are sysadmin-test.
19:33:38 <smooge> sorry there were 164 people in various admin accounts
19:34:21 <averi> ricky_webchat, I guess other groups apart -test is around ~40 people
19:34:50 <averi> don't know how that number will change with the cleanup though
19:34:59 <smooge> and 66 people are being removed. so uhm 98 people still in sysadmin groups
19:35:11 <hvivani> smooge, the risk that maybe someone could make an automated login from a script or something is considered ?
19:35:13 <ricky_webchat> Cool - thanks for working on this!
19:35:22 <averi> hvivani, what for?
19:35:27 <ricky_webchat> Hopefully we can assume that people won't be evil
19:35:29 <hvivani> I know, I am thinking bad
19:35:34 <averi> hvivani, I see no point in doing that :)
19:35:58 <smooge> 41 people have logged in and used sudo on non-pt boxes
19:36:10 <CodeBlock> what ricky_webchat said. We do that quite a bit around here. :)
19:37:05 <StylusEater> would it be sufficient to have a post login script update a table to keep tabs on "active people?"
19:37:06 <smooge> in any case. after I get elevated privs in some groups I will finish cleanup
19:37:48 <ricky_webchat> How about the question of required password resets/disabling inactive accounts for all of FAS?
19:37:50 <hvivani> averi, yeah you are right
19:38:01 <StylusEater> login ... calls resetTimer.py (an example) ... updates record in DB ... user is still considered active
19:38:18 <ricky_webchat> Any thoughts on what password complexity requirements should be, and how often we should require password changes, if at all?
19:38:26 <ricky_webchat> (And account expiry)
19:39:43 <smooge> password changes just get people cranky.
19:40:08 <smooge> and have a large number of people do things like "ThisIsMyPassword1", "ThisIsMyPassword2"
19:40:11 <smooge> etc etc
19:40:14 <ricky_webchat> Currently, I think the only complexity requirement is length >=8
19:40:36 <smooge> now on the other hand, I think for people who want to be in sysadmin, we can look at further requirements.
19:40:51 <ricky_webchat> Personally, I'm absolutely horrible about password changes - I wouldn't mind having a forced one to keep me on my toes :-)
19:41:31 <ricky_webchat> But even just for statistics purposes, I think it's worth not having a bunch of dead accounts lying around, and periodic password changes is one way to go about that
19:41:42 <smooge> and password changes rarely catch the issue that most people run into... using the same passwords in multiple places.
19:42:26 <sijis> disabling inactive sounds like a bigger problem than changing passwords
19:42:36 <ricky_webchat> I wonder if people would listen if we make a giant note about password reuse
19:42:37 <sijis> *inactive accounts
19:42:38 <smooge> personally I think it would be better if we could just have a 60 day expiration, but that would require us to move away from passwd_db and some sort of centralized system which I don't think will happen
19:42:50 <smooge> ricky, no they won't.
19:43:03 <ricky_webchat> I'm trying to steer this to about FAS accounts in general, and not just sysadmins
19:43:11 <ricky_webchat> Even though sysadmins is the biggest one here
19:43:25 <smooge> I have dealt with this over 20 years and it really only takes "oh look someone got MY password and used it everywhere" to get a person to do anything
19:43:26 <ricky_webchat> We can do fun stuff like run crackers on our password db and notify people
19:43:41 <smooge> uhm no.
19:43:52 <CodeBlock> ha
19:43:55 * ricky_webchat was thinking a page people are forced to click through before password changes
19:44:06 <ricky_webchat> The cracker thing was just for people with accounts on our machines
19:44:12 <smooge> let me be clear on this. as much fun as I have doing that (and I really do).. it is outside of our terms and agreements.
19:44:20 * ricky_webchat hears that some sysadmins actually do this, which I think is reasonable
19:44:21 <sijis> if it has a 'next' button. folks will just click thru it
19:44:34 <marchant> is there no requirement to use an ssh key along with a password?
19:44:49 <CodeBlock> marchant: on some systems.
19:44:57 <CodeBlock> marchant: that doesn't address other FAS uses though.
19:44:58 <ricky_webchat> marchant: It's another one of those things where we strongly recommend it, but we have no way of enforcing it
19:45:04 <ricky_webchat> (I assume you mean passphrases on SSH keys)
19:45:45 * CodeBlock assumed you meant ssh key instead of/along with fas
19:45:58 <marchant> I meant some sort of two factor
19:46:05 <marchant> password and a...
19:46:27 <marchant> so losing a password is less-bad
19:46:49 * CodeBlock would like to get yubikey working on some more systems, speaking of.
19:47:03 <ricky_webchat> smooge: Note that with the cracker thing, it wouldn't actually store the results - just notify people that they must change it because it's weak.  (although to be clear, I'm not really suggesting or supporting that we do this - just trying to say that we can do stronger things for sysadmins as opposed to other FAS accounts)
19:47:53 <ricky_webchat> marchant: The way it works now, you can already log into FAS with a password and add an SSH key, so to make it really two factor would require big changes to how authentication to FAS (the web app) works
19:48:04 <smooge> ricky, I understand. we can look at doing this for people wanting to join/work in sysadmin. But even checking without storing causes all kinds of issues. I ran into this at my last job
19:48:29 <marchant> ricky_webchat: ok, thank you
19:48:45 <ricky_webchat> Yeah - personally I don't think the whole cracking thing is important or useful when we can just implement better requirements in FAS
19:49:30 <CodeBlock> Alright, 10 minutes left
19:49:34 <CodeBlock> #topic future meeting place
19:49:34 <hvivani> could be yubikey mandatory ? at least for sysadmins ?
19:49:40 <CodeBlock> Can we PLEASE move back to -admin? :S
19:50:07 <CodeBlock> Not sure why we started coming back here, but -admin worked well for us
19:50:09 <smooge> no. the problem with -admin is that people come in and expect it to be where they can talk about stuff not meeting related
19:50:35 <smooge> the last 3 meetings we had 2 side conversations per meeting that broke my flow of thought on running things
19:50:53 <smooge> sorry that should have been s/no/I would prefer not/
19:51:01 <CodeBlock> smooge: Then something like #fedora-fi-meeting ... or someplace that we don't conflict with other meetings if we're not directly on time.
19:51:05 <smooge> I am running on a lack of sleep
19:51:12 <smooge> I understand on that.
19:51:12 <CodeBlock> Although our UTC is moved back now, so we should be fine for now, but what about in 6 months
19:51:14 <marchant> does the meeting need to move because this channel is too busy?
19:51:40 <smooge> the problem most cited for being in a new channel is that no one is in it.
19:51:43 <ricky_webchat_> Sorry, I got dropped :-(
19:51:46 <CodeBlock> marchant: Basically we keep running over time (I've been trying to move things along to prevent that, but...) and conflicting with the next meeting in this channel
19:51:48 <averi> marchant, here we have ~1 hour limit :)
19:51:50 <ricky_webchat_> What did I miss?
19:52:11 <smooge> we moved to where to have the meeting and we have 8 minutes
19:52:14 <CodeBlock> smooge: yeah, we'd have to announce it on the mailing list, wiki, etc
19:52:37 <ricky_webchat_> I think it's fine to just cut off at an hour - unless somebody here just loooves 2 hour meetings :-)
19:52:41 <smooge> I am going to punt on this one and say it's something that nirik can work out in April
19:53:06 * marchant thinks a new channel is a great idea fwiw
19:53:06 <ricky_webchat_> I think the list of tasks from a 2 hour meeting is too long to easily keep track of anymore anyway
19:53:47 <smooge> ricky, the main problem is most of us aren't getting a lot of time together other than this meeting. You and CodeBlock have classes, dgilmore is 12 hours off of us (currently), skvidal has development focus issues, abadger has other issues.
19:53:48 <CodeBlock> ricky_webchat_: not loves, but more we keep running into things that take longer to discuss and it's annoying to have to cut them off because of being scared of running out of time
19:54:10 <smooge> we end up only getting thursdays to talk and work out all the crap going on so we end up overtime
19:54:25 * goozbach pings in
19:54:31 <ricky_webchat_> Do we lose out on productivity because we didn't get to the next topic?
19:54:44 <goozbach> maybe we could have a "shelve it" type action
19:54:52 <goozbach> which moves that topic to -infra
19:55:00 <goozbach> and we go on with the next topic
19:55:34 <smooge> ricky, sometimes.. the cleanup topic started in December but we didn't get meeting time on it til Fudcon
19:55:46 <ricky_webchat_> I think meetings are a good time to list out tasks for a week and get agreement on certain decisions related to those tasks - as long as we can get a week's worth of tasks, I'm happy
19:56:11 <smooge> and part of it is I am not a good meeting runner. but I look forward to having someone who is :)
19:56:23 <smooge> anyway.. 4 minutes and I think I am typed out for a bit
19:56:40 <ricky_webchat_> Did we come to any agreement on the password complexity thing while I was dropping?
19:56:54 <ricky_webchat_> http://www.nongnu.org/python-crack/doc/index.html is the library I was talking about, by the way.
19:56:57 <CodeBlock> smooge: I've been trying to do better when I run them :P .. I _am_ getting better at moving things along. It's just a bit annoying sometimes, when I think we can do better
19:57:06 <CodeBlock> by moving elsewhere
19:57:39 <CodeBlock> If time for the meeting (not wanting to go two hours) we could prioritize, discuss important things first, then move on to longer/more in-depth discussion after.. or come back to things
19:57:47 <smooge> CodeBlock, you have done a good job
19:58:18 <StylusEater> why not limit the meeting to two topics?
19:58:25 * waltJ first time with CodeBlock as meeting runner. Yes, great job.
19:58:34 <CodeBlock> waltJ: thank you :P
19:58:37 <StylusEater> then if we start having a surplus of time ... add one more and see how things go until we hit our "limit"?
19:58:43 <ricky_webchat_> I'm happy with moving in-depth discussion to the ML
19:58:55 <CodeBlock> ricky_webchat_: fair point
19:58:58 <ricky_webchat_> I can send one about the password reqs once I get connection to home back :-)
19:59:28 <CodeBlock> heh...alright - meeting stays here I guess then.
19:59:37 <CodeBlock> #topic very quick open floor
19:59:37 <ricky_webchat_> I think we're underusing the mailing list if our meetings are blowing up this much due to discussion (although I don't blame us - IRC is so convenient and real time)
19:59:42 <CodeBlock> anyone have anything urgent before we close?
19:59:59 <StylusEater> meeting note links are updated
19:59:59 <CodeBlock> 10
20:00:06 <CodeBlock> 5
20:00:09 <CodeBlock> #endmeeting