infrastructure
LOGS
19:00:01 <nirik> #startmeeting Infrastructure (2011-10-13)
19:00:01 <zodbot> Meeting started Thu Oct 13 19:00:01 2011 UTC.  The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:01 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:01 <nirik> #meetingname infrastructure
19:00:01 <zodbot> The meeting name has been set to 'infrastructure'
19:00:01 <nirik> #topic Robot Roll Call
19:00:01 <nirik> #chair smooge skvidal codeblock ricky nirik abadger1999 lmacken
19:00:01 <zodbot> Current chairs: abadger1999 codeblock lmacken nirik ricky skvidal smooge
19:00:05 * skvidal is here
19:00:12 <pingou> .fas pingou
19:00:13 <zodbot> pingou: pingou 'Pierre-YvesChibon' <pingou@pingoured.fr>
19:00:17 * jsmith lurks
19:00:35 * CodeBlock 
19:00:41 <mzhun> here
19:00:46 <Smilers_> here
19:01:14 * athmane is around
19:01:43 <nirik> ok, lets go ahead and start in...
19:01:52 <nirik> #topic New folks introductions and Apprentice tasks
19:01:59 <smooge> here
19:02:08 <nirik> any new folks want to say hi? or any apprentice tickets anyone would like to bring up?
19:02:22 <Smilers_> hi
19:02:38 <nirik> hello Smilers_
19:02:47 <jsmith> nirik: There was that ticket you created for me this past week, about some slight modifications to the login screen (for password recovery)
19:03:06 <nirik> jsmith: yeah, someone already committed a fix. ;) It's not live yet tho
19:03:13 <jsmith> Oh, that was fast :-)
19:03:47 <nirik> yeah. ;)
19:04:02 <nirik> Smilers_: what sorts of things are you interested in working on? or whats your background?
19:04:39 * dgilmore is here
19:04:40 <Smilers_> My background is working with t student run computing facility (geeksoc.org)
19:04:59 <nirik> cool.
19:05:12 <Smilers_> anything from deploying LDAP to general maintenance
19:05:47 <nirik> nice. Well, welcome. ;)
19:05:54 <Smilers_> thanks :)
19:06:29 <nirik> do hang out in #fedora-admin and/or #fedora-noc and chime in and ask questions, etc.
19:06:34 <nirik> #topic Password/Ssh-key/Cert reset fallout
19:06:45 <nirik> So, our password/key change announcement went out.
19:06:59 <nirik> There was some pushback, but overall I think it's gone ok.
19:07:12 <dgilmore> any change will get some pushback
19:07:19 <skvidal> 'some pushback'
19:07:30 <CodeBlock> ^
19:07:32 <nirik> #info Please do change your pass and upload a new ssh key before 2011-11-30.
19:07:43 * abadger1999 here
19:07:51 <nirik> so, I figure we wait a bit and start nagging people more...
19:08:01 <pingou> I was wondering reading abadger1999's mail if there is/should be a more strict policy for sysadmin
19:08:16 <pingou> but that's more a separate question than the current one
19:08:23 <nirik> yeah...
19:08:48 <nirik> I'd like to move forward with finishing yubikeys setup... and look more at one time stuff like google authenticator...
19:09:21 <CodeBlock> Is there an easy way to get stats of who has changed them and who still needs to? (just numbers is fine)
19:09:22 <dgilmore> my key is currently 4092 bits, i plan to make the new one bigger
19:09:33 <CodeBlock> dgilmore: 16384!
19:09:44 <dgilmore> CodeBlock: not likely that big
19:09:55 <nirik> knock yourself out. ;)
19:10:22 <nirik> CodeBlock: skvidal has a script to check
19:10:42 <skvidal> that we discovered is not including users that are not cla_done
19:10:53 <skvidal> b/c fas's interface doesn't return those <womp> <womp>
19:11:03 * LoKoMurdoK here
19:11:10 * LoKoMurdoK late
19:11:11 * CodeBlock will poke you after meeting for that then, I think it would be neat to watch
19:11:12 <LoKoMurdoK> :(
19:11:14 <nirik> welcome LoKoMurdoK
19:11:38 <nirik> ok, if nothing else on the password reset flames, will move on...
19:11:59 <nirik> #topic Upcoming Tasks/Items
19:12:25 <nirik> ? - make a new bastion02/nuke bastion04 ( smooge ?)
19:12:35 <nirik> ? - move app02/04
19:13:02 <nirik> with those done we can retire our xen boxes that went out of warranty.
19:13:22 <nirik> 2011-10-25 - 2011-11-08: Final change freeze
19:13:51 <nirik> I'd like to look at dumping audit messages to our syslog for epylog processing.
19:14:17 <nirik> also, as a note, I will be out next thursday/friday. ;)
19:15:10 <nirik> on the rel-eng side it would be nice to get kojipkgs02 and releng04 fully operational
19:15:51 <nirik> anyone have other items they would like to work on/get done before final freeze.
19:16:06 <nirik> Oh, yeah, another one: reinstall ppc05-10 and hand them off to secondary arch folks.
19:16:24 * StylusEater is late ... sorry
19:16:25 <CodeBlock> value move ... in 1.25 hours ;)
19:17:31 <nirik> cool.
19:18:00 <nirik> #topic Meeting tagged tickets:
19:18:01 <nirik> https://fedorahosted.org/fedora-infrastructure/report/10
19:18:02 <abadger1999> nirik: I've got raffle working in staging.  Going to finally deploy out to prod
19:18:08 <nirik> abadger1999: excellent.
19:18:18 <nirik> no meeting tickets marked.
19:18:20 <abadger1999> nirik: Also need to deploy a fas hotfix that skvidal mentioned earlier.
19:18:32 <abadger1999> (wrt fas not returning a complete list of users)
19:18:54 <nirik> abadger1999: any idea how hard it will be to add a 'clear' button for ssh key? is that an easyfix thing? or more complex?
19:19:21 <abadger1999> nirik: Probably easy fix but I'm not entirely sure.
19:19:40 <nirik> ok
19:19:56 <abadger1999> it'll be template (to add a checkbox) and a bit of python code in a single controller method to do something when that checkbox is set.
19:20:07 <nirik> cool.
19:20:16 <nirik> if you think it's easy, feel free to mark that ticket easyfix.
19:20:22 <abadger1999> so someone who can mess a tiny bit with html and knows python should be able to do it.
19:20:44 <abadger1999> will do
19:20:54 <dgilmore> nirik: lmacken promised me bodhi updates before freeze
19:21:31 <nirik> dgilmore: ok. releng04 needs some fix to handle /usr/share/bodhi/comps/ more correctly, otherwise it might be close.
19:22:05 <dgilmore> nirik: yeah, we need updated bodhi i believe
19:22:46 <nirik> yeah
19:22:52 <nirik> #topic Open Floor
19:23:02 <nirik> ok, anyone have anything for open floor?
19:23:29 <pingou> note somewhere to think about a policy regarding ssh key for sysadmin ?
19:23:50 <nirik> pingou: you're welcome to open a discussion on the list... or we can talk some about it here. What policy would you suggest?
19:24:36 <pingou> nirik: well based on what I have seen/understood, some @rh need to change their ssh every x time
19:24:44 <pingou> (I have 6 weeks in mind, not sure though)
19:24:59 <smooge> no
19:25:03 <dgilmore> pingou: no
19:25:05 <smooge> not that I know of
19:25:19 <pingou> sysadmin are a sensible group, them more than anyone else should be aware of the sensibility of ssh keys
19:25:29 <dgilmore> id rather be forced to use otp's
19:25:30 <pingou> maybe it wasn't @rh then :)
19:25:37 <nirik> I don't think forcing a change every X time is a good idea.
19:25:56 <nirik> but I would like to move to yubikeys or googleauth or something like that...
19:26:02 <dgilmore> i use my yubikey pretty much everyday
19:26:12 * nirik lost his. need to get another.
19:26:18 <dgilmore> id rather have to use a yubikey to auth as sudo and for ssh
19:26:39 <pingou> nirik: I am not sure how frequent yubikey are outside us
19:26:49 <pingou> dgilmore: +1
19:26:50 <nirik> well, everyone in sysadmin-main (aside from me) has a yubikey
19:26:54 <pingou> but in the mean while ?
19:27:14 * dgilmore has 4 or 5 yubikeys
19:27:22 <nirik> all but one person has a iOS or android device that could run googleauth
19:27:45 <nirik> I dont know about all of sysadmin*
19:27:49 <pingou> sysadmin or sysadmin-main
19:27:50 <nirik> perhaps we should poll on the list.
19:27:57 <nirik> pingou: thats just sysadmin-main...
19:27:57 <dgilmore> nirik: personally id rather not use a service from google for auth
19:28:07 <pingou> +1 there too
19:28:08 <nirik> dgilmore: it doesn't use googles services.
19:28:10 <dgilmore> but maybe its open and we can run it all ourselves
19:28:14 <nirik> its open source
19:28:18 <nirik> it's a pam module
19:28:22 <dgilmore> nirik: ok, i honestly had not heard of it until just now
19:28:35 <dgilmore> nirik: it has a server we could run?
19:28:35 <nirik> downside of it is that it requires you to store a secret on the machines
19:28:46 <nirik> no server, it looks locally for the secrets.
19:28:50 <StylusEater> I'm torn as to whether the suggestion that yubikeys should be mandatory would be a good idea or fly in the face of Fedora and what it stands for...
19:28:52 <dgilmore> ok
19:29:19 <dgilmore> StylusEater: what about yubikeys is contrary?
19:29:24 <pingou> StylusEater: there has not been such suggestions
19:29:30 <nirik> StylusEater: yeah. In the case of sysadmin-main everyone has one, so we could require that for them only...
19:29:41 <StylusEater> dgilmore: payment
19:29:56 <pingou> 25$
19:30:03 <dgilmore> StylusEater: fedora has some that can be provided
19:30:08 <StylusEater> nirik: that's what I was thinking.
19:30:12 <dgilmore> if cost is an issue
19:30:16 <nirik> but larger groups like sysadmin or packager it would not be feasible to supply them to everyone
19:30:33 <StylusEater> dgilmore: hrm, then maybe it would make sense to do that. As a congratulations for making it through the "ring of fire." :-)
19:30:44 <dgilmore> nirik: right
19:30:49 <StylusEater> nirik: +1
19:30:58 <nirik> I'm all for finishing deploying yubikey as an optional...
19:31:06 <dgilmore> nirik: we could feasibly do it for all people in groups that get sudo on boxes
19:31:09 <dgilmore> maybe
19:31:10 <StylusEater> nirik: with what dgilmore just mentioned I think it would be sensible to require for sysadmin-main.
19:31:14 <dgilmore> not sure of the exact numbers
19:31:29 <pingou> dgilmore: any box ?
19:31:33 <pingou> including staging ?
19:31:39 <nirik> yeah. Not sure either.
19:31:41 <dgilmore> maybe excepting public test boxes
19:31:53 <dgilmore> pingou: staging but not public test
19:32:15 <pingou> which one do you consider public?
19:32:25 <pingou> http://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainers -> these ?
19:32:33 <dgilmore> pingou: no
19:33:12 <dgilmore> pingou: the boxes labeled as public testing for developing and testing solutions to be used in fedora infra
19:33:22 <dgilmore> ie publictestxx.fedoraproject.org
19:34:05 <pingou> ok
19:34:09 <dgilmore> pingou: the boxes referenced in that page are provided by community members for use of packagers
19:34:12 <nirik> Ideally I would like to have yubikey setup for true 2 factor for those that want to use it, and add something like googleauth if we can get it setup in a way we like. Then we could require one or the other for specific groups perhaps.
19:34:19 <dgilmore> the only tie in they have is to get the packager ssh keys to allow access
19:35:15 <nirik> right.
19:35:40 <nirik> so, if anyone has cycles to look at finishing yubikey deployment or seeing how we could best integrate googleauth, please do.
19:36:38 <nirik> pingou: does that address your question at all?
19:36:54 <pingou> nirik: it raises discussion, which was my intention :)
19:37:00 <StylusEater> pingou: interesting topic, thanks.
19:37:18 <nirik> yeah. I think moving to a 2factor setup is a good goal...
19:37:22 <skvidal> +1
19:37:39 * pingou considering investing $25
19:38:07 <nirik> there's disadvantages to yubikey and googleauth, but advantages to both too... so I think ideally we will want to look at supporting either or.
19:38:30 <nirik> or something like either
19:38:37 <StylusEater> nirik: +1
19:39:02 <pingou> supporting either, enforcing one over another in some cases I guess :)
19:39:50 <nirik> yeah
19:40:09 <nirik> ok, anything further? or shall we call it a meeting?
19:40:59 * nirik will close out in a minute if nothing more
19:41:46 * skvidal reads backscroll
19:41:55 * nirik waits
19:42:08 * dgilmore has nothing
19:42:46 <StylusEater> nirik: I have a non-meeting question I'll ask in another channel.
19:42:51 <nirik> StylusEater: ok.
19:42:57 * skvidal has nothing additional
19:43:04 <nirik> thanks for coming everyone!
19:43:07 <nirik> #endmeeting