infrastructure
LOGS
19:00:01 <nirik> #startmeeting Infrastructure (2011-12-01)
19:00:01 <zodbot> Meeting started Thu Dec  1 19:00:01 2011 UTC.  The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:01 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:01 <nirik> #meetingname infrastructure
19:00:01 <nirik> #topic Robot Roll Call
19:00:01 <nirik> #chair smooge skvidal Codeblock ricky nirik abadger1999 lmacken dgilmore mdomsch
19:00:01 <zodbot> The meeting name has been set to 'infrastructure'
19:00:01 <zodbot> Current chairs: Codeblock abadger1999 dgilmore lmacken mdomsch nirik ricky skvidal smooge
19:00:18 * CodeBlock is here :D
19:00:30 * abadger1999 here
19:00:40 * wsterling here
19:00:56 * StylusEater is here
19:01:22 * skvidal is here
19:02:02 <nirik> ok, lets go ahead and dive in.
19:02:05 <nirik> #topic New folks introductions and apprentice tasks/feedback
19:02:23 <nirik> any new folks want to introduce themselves? or apprentices want to talk about specific tasks or tickets?
19:02:45 <nirik> note that I will be mailing out my monthy nag to apprentices later today. Please reply to it if you wish to remain in the fi-apprentice group
19:03:10 <smooge> nothing form me.
19:03:31 <nirik> ok, will move along then...
19:03:37 <jac1bat0> hi everyone
19:03:46 <nirik> morning jac1bat0
19:04:19 <nirik> jac1bat0: you sent an intro to the list... care to say hi and say a bit about your background and what you want to work on?
19:05:22 <jac1bat0> a linux newbie here, got some courses on linux and hooked into it ;) i'm really interested in sysadmin atm
19:05:42 <nirik> are you more interested in the sysadmin side of things? or programming on our various web applications?
19:06:08 <jac1bat0> sysadmin, definitely
19:06:39 <nirik> ok, cool. Do hang out in #fedora-admin / #fedora-noc and ask questions... we can see about getting you added to the apprentice group there to look and see what you might want to work on.
19:06:44 <nirik> welcome again.
19:06:56 * nirik moves along then.
19:06:57 <jac1bat0> nirik, thanks
19:07:00 <nirik> #topic Password / ssh key reset status and retrospective
19:07:14 <nirik> so, we have a bit left to do on our mass password/key expire.
19:07:29 * nokia3510 waves
19:07:42 <nirik> #action will be marking folks who haven't changed pass/ssh key inactive later today probibly.
19:07:43 * pingou here (late)
19:07:59 <nirik> we need to set a date to orphan/remove from acls those packagers who are inactive.
19:08:12 * nirik looks at schedule.
19:08:27 <smooge> I think January before fudcon
19:08:50 <nirik> yeah, how about 2012-01-10 or so...
19:08:52 <smooge> that way packages can be dropped/fixed before final release
19:09:01 <smooge> final feature freeze
19:09:01 <skvidal> when is alpha?
19:09:02 <smooge> sorry
19:09:14 <nirik> 2012-02-14 to 2012-02-28 - F17 Alpha Freeze
19:09:18 * CodeBlock will make note to take cover at fudcon... as to not be physically harmed after we do this. :)
19:09:32 <skvidal> ok
19:09:41 <nirik> well, doing it before fudcon also will give folks more chance to see and take ownership, etc.
19:09:52 <nirik> but I don't care too much
19:10:06 <nirik> any counterproposals to 2012-01-10 ?
19:10:31 <skvidal> no one is doing anything for the next 3 weeks. anyway
19:10:36 <skvidal> we could just set it on fire today
19:10:38 <skvidal> :)
19:10:44 <Southern_Gentlem> +1
19:10:45 * skvidal is not seriously proposing that
19:10:45 <nokia3510> +1 :)
19:11:03 <skvidal> but I do think doing some dry-runs of the orphaning
19:11:07 <smooge> and we can get pelted with rotten vegetables at the show
19:11:13 * nirik shrugs. I'm ok with giving people time to do our work for us with bounces. ;)
19:11:15 <skvidal> and refining our tooling to discover what will implode
19:11:27 <skvidal> but I think this
19:11:29 <nirik> yeah, absolutely.
19:11:29 <skvidal> if you're not a packager
19:11:33 <skvidal> and you're not in an admin group
19:11:36 <skvidal> you get deactivated
19:11:38 <skvidal> and no tears
19:11:40 <Southern_Gentlem> the sooner it is done faster workaround can happen and people do what they are requested
19:11:57 <nirik> #action tenatively remove inactive people from pkgdb on 2012-01-10. Can re-evaluate as we know more closer to the time.
19:12:09 <skvidal> nirik: here's what I suspect will happen
19:12:17 <skvidal> we'll catch a bunch of these people in the next week or two
19:12:20 <nirik> any other thoughts from this long painful road?
19:12:31 <skvidal> and he deactivation/orphaning won't be as dramatic in january
19:12:34 <skvidal> s/he/the/
19:12:40 <nirik> yeah.
19:13:15 <nirik> I hope it's at least 3 more years before we go through this again, BTW.
19:13:28 <nirik> it's a massive time and energy sink... but it needed to be done and I am glad we did it.
19:14:04 <skvidal> I thin kthe next authN/Z energy sink will be 2fa
19:14:10 <skvidal> but that's just my guess
19:14:15 <nirik> yeah, agreed.
19:14:27 <nirik> ok, will move on unless something further on this...
19:14:43 <nirik> #topic serverbeach / collab / hosted status
19:14:45 <abadger1999> Seems we do this once per fedora infra-lead :-)
19:14:56 <nirik> abadger1999: cool. Then I have done mine. ;)
19:15:02 <skvidal> abadger1999: oh so you're sayting nirik is going to run for his life now?
19:15:10 <nirik> so, some updates on serverbeach hosts.
19:15:15 <abadger1999> We should make it happen just before the lead leaves, though instead of at the beginning ;-)
19:15:21 <skvidal> heh
19:15:42 <nirik> We got old/bad hardware (boo), which they have now replaced with newer better hopefully hardware (yea!)
19:15:54 <nirik> we still need to install and setup things on the new boxes.
19:16:28 * CodeBlock can start on that today if we have a list of what needs to start happening where
19:16:34 <nirik> I'd like to try and get things moving/rescheduled on hosted and collab moves... but we will see how things shake out on the new hardware.
19:16:43 <skvidal> CodeBlock: install + setup raid1 on the disks,
19:16:49 <nirik> On the plus side the rhel6 trac migration was looking not too bad at all.
19:16:56 <skvidal> CodeBlock: I did them 2 weeks ago before we found out they were old
19:17:25 <CodeBlock> skvidal: Is there a thing in infra-docs about it, by chance?
19:17:39 <nirik> so, I think we could probibly mass move hosted to a rhel6 instance without much doom... then look further down the road at migrating those things out to further hosts or whatever.
19:17:42 <skvidal> CodeBlock: it's a normalish virthost setup
19:17:54 <skvidal> CodeBlock: kickstart using vnc - go from there
19:18:03 <skvidal> CodeBlock: we can talk more about it post-meeting
19:18:07 <CodeBlock> skvidal: sure :)
19:18:09 <nirik> and collab migration should be still hopefully pretty easy.
19:18:34 <nirik> So, perhaps we can get some of it done before the holidays... perhaps not until early jan... should be able to figure out more in the next week.
19:19:25 <nirik> any other thoughts on hosted/collab moves or serverbeach hosts?
19:19:37 <nirik> #info new machines will be installed in the next few days.
19:19:49 <nirik> #info will look at rescheduling collab and hosted moves after that.
19:20:28 <nirik> #topic ibiblio machines status
19:20:40 <nirik> So, we should have a new ibiblio03 showing up sometime...
19:20:53 <nirik> smooge: any eta on that one?
19:21:04 <nirik> we still need to migrate stuff off ibiblio01.
19:21:20 <nirik> and we need to setup a download-ibiblio01 instance to replace serverbeach01.
19:21:37 <skvidal> on ibiblio02 or 03?
19:21:39 * LoKoMurdoK here
19:21:55 * LoKoMurdoK late :S sorry
19:21:59 <nirik> skvidal: either way I guess. We do need to still migrate stuff off 01...
19:22:04 <skvidal> smooge: and lemme know about ibiblio03 showing up so I can plan my day of fun and frivolity there
19:22:12 <nirik> once we have 01 all clear we can re-install it rhel6... and have another machine
19:22:38 <nirik> if we could get 01 clear before we get 03 installed, we could re-install it at the same time.
19:22:40 <smooge> skvidal, it has been ordered. I haven't gotten an email saying its been invoiced yet so will let you know whne that happens
19:22:43 <nirik> but I don't know how practical that is.
19:23:03 <skvidal> smooge: kewl
19:23:20 <smooge> ok what does having a download-ibiblio or download-sb get us
19:23:27 <smooge> beyond torrents
19:23:47 <nirik> smooge: well, it's a remote mirror we control... so we can point people there if phx2 has issues or is down.
19:23:57 <nirik> or they have network issues reaching phx2.
19:24:24 * skvidal hmms
19:24:30 <nirik> also, currently serverbeach01 is used/needed for boot.fedoraproject.org
19:24:37 <skvidal> would it make any sense to cram torrent02 togewther with download-ibiblio?
19:24:42 <nirik> but that could possibly be adjusted.
19:24:43 <skvidal> or is that too much
19:25:07 <nirik> skvidal: you mean serve the torrents from the mirrored files? or just on the same host?
19:25:19 <skvidal> same host
19:25:33 <nirik> if they can fit, sure.
19:25:43 <nirik> I guess they might both get heavy i/o at times.
19:25:47 <skvidal> well, I was thinking that hardlinks to the files for the mirrors...
19:25:48 <skvidal> right
19:26:31 <smooge> oh warranty extension on ibiblio01 went through
19:26:33 <nirik> might be better to seperate them if we have enough space.
19:26:50 <smooge> I would say seperating the 3 big IOs would be a good idea
19:26:59 <smooge> backups, torrent, download
19:27:06 <nirik> yeah.
19:27:38 <smooge> oh silly question for the man with too little caffeine, why arent we making sb0X the new sb01 and have it be the backup?
19:28:02 <skvidal> please don't do the renumbering that way
19:28:07 <skvidal> for the love of all that is good and holy
19:28:07 <nirik> smooge: well, I think it's bad to have bare hosts serving things...
19:28:14 * aeperezt sorry been late, but here
19:28:18 <nirik> sb01 was 'special'
19:28:24 <nirik> welcome aeperezt
19:28:25 <skvidal> "special" == frelling broken
19:28:39 <skvidal> sb01 wouldn't support any guests w/o crashing
19:28:41 <skvidal> yay
19:28:49 <smooge> ok lets redefine the question a bit. Why not have a download-sb on one of the boxes?
19:29:01 <skvidal> disk space?
19:29:06 * skvidal doesn't know
19:29:07 <nirik> smooge: we could, we just thought we had extra capacity on ibiblio...
19:29:24 <nirik> yeah, disk is more limited at sb
19:29:44 <nirik> new boxes have 2 x 250 I think...
19:30:36 <nirik> sb01 is almost using 250 as is.
19:31:01 <smooge> ah got it
19:31:02 <smooge> ok
19:31:31 <nirik> anything else on ibiblio stuff?
19:32:08 <nirik> #topic Upcoming Tasks/Items
19:32:56 <nirik> #info 2011-12-01 Flag day for password reset/new ssh keys.
19:32:56 <nirik> #info 2011-12-01 nag fi-apprentice folks for december
19:32:57 <nirik> #info 2011-12-08 - Fedora 14 end of life.
19:32:57 <nirik> #info 2011-12-23 to 2012-01-02 - rh shutdown week.
19:32:57 <nirik> #info 2012-01-13 to 2012-01-15 - FUDCON blacksberg
19:32:57 <nirik> #info 2012-02-14 to 2012-02-28 - F17 Alpha Freeze
19:33:36 <nirik> I'll add in new dates for collab and hosted migrations when we can figure them out.
19:33:45 <smooge> I have sync'd most of F14 over to archive. I just need to do a last rsync after EOL and then I can talk with mdomsch about what needs to be done in MM
19:33:46 <nirik> any other upcoming items folks want to discuss/mention?
19:34:05 <nirik> smooge: cool. dgilmore or I could do the announcement... need to also turn it off in koji.
19:34:40 <abadger1999> We'll want to add the "orphan packages" into that list.
19:34:47 <nirik> oh yeah. ;)
19:35:04 <pingou> 2012-01-10?
19:35:05 <abadger1999> Probably also the deprecate orphaned packages -- but that may be something that releng coordinates.
19:35:05 <smooge> 2012-01-10
19:35:17 <nirik> yeah.
19:35:26 <nirik> abadger1999: yeah, there's a per cycle time to do that.
19:35:45 * abadger1999 just wants to know there's some time between those two events
19:36:21 <abadger1999> otherwise, "Tue: hey we've orphaned packages with inactive maintainers"  "Wed: Hey, we've retired all those packages you thought you might want to take"
19:36:26 <nirik> http://fedoraproject.org/wiki/Deprecate_orphaned_packages
19:36:34 <nirik> it's right before feature freeze.
19:36:53 <nirik> 2012-03-20
19:37:08 <nirik> so that gives folks a bit more than 2 months.
19:37:49 * nirik will move on in a minute if nothing more on upcoming tasks.
19:38:03 <abadger1999> nirik: Schedule page says feature freeze is 2012-02-07
19:38:14 <nirik> huh?
19:38:17 * nirik re-looks
19:38:34 <nirik> oh, so it is.
19:38:42 <nirik> so about a month?
19:38:51 <abadger1999> yeah.
19:38:56 <abadger1999> Fine with me.
19:39:04 <nirik> should be enough time I hope. ;)
19:39:24 <nirik> ok, moving on then...
19:39:26 <nirik> #topic Meeting tagged tickets:
19:39:27 <nirik> https://fedorahosted.org/fedora-infrastructure/report/10
19:39:33 <nirik> we have a meeting tagged ticket. Hurray!
19:39:41 <nirik> .ticket 3043
19:39:43 <StylusEater> :-)
19:39:47 <zodbot> nirik: #3043 (Password Complexity) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/3043
19:40:34 <nirik> so, I guess I don't mind this change (2 or 3 char required)... but I'm just worried we will keep adding things and get the brute force set too low. ;)
19:40:53 <StylusEater> The ticket is a continuation of a conversation started in #fedora-admin and on the list.
19:41:26 <smooge> what is the minimum length
19:41:33 <nirik> see also:
19:41:39 <nirik> .ticket 3027
19:41:39 <abadger1999> I sent off an email about it -- we need someone better versed in math than I to really analyze the brute force differences.
19:41:41 <zodbot> nirik: #3027 (Check the FAS password against dictionary words) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/3027
19:41:59 <abadger1999> but 2 char requirement seems very low impact (both positive and negative).
19:42:03 <StylusEater> I'm wondering if we should employ a combination of more complex + other deterrents
19:42:19 <skvidal> StylusEater: you mean like hammers to the finger tips?
19:42:34 <pingou> picture of skvidal ? :)
19:42:56 <nirik> smooge: "A passphrase with symbols, upper and lowercase letters, and digits must be at least 9 characters"
19:43:01 <StylusEater> I try to login ... fails ... page loads but login box is disabled for x seconds ... I fail again ... login disabled for x+5 seconds ... etc.
19:43:11 <nirik> also, the cost increases to documentation...
19:43:12 <skvidal> pingou: you want to entice them to change their passwords w/a reward? :)
19:43:20 <nirik> we have to add this to the change template...
19:43:27 <nirik> but I'm ok with the 2 char thing.
19:43:29 <abadger1999> smooge: 3 char diversity requirement will only impact the "lowercase only" case (20 chars) and the letters and digits case (12 chars)
19:44:05 <abadger1999> as the more stringent requirements already encompass needing to have multiple chars.
19:44:06 <pingou> smooge: aA1 is consider as 3 chars
19:44:27 <nirik> "A passphrase with lowercase letters and digits must be at least 12 characters" to "A passphrase with lowercase letters and digits must be at least 12 characters with at least 2 different letters used"
19:44:33 <abadger1999> for instance, the 9 char case requires a minimm of 4 different chars (an uppercase, a lowercase, a digit, and a symbol)
19:45:45 <nirik> one thing I saw in some of the recently feedback about password changes was that some people liked how simple and easy to see our guidelines were. ;)
19:46:21 <nirik> so, perhaps we need to try and find some folks more versed in security to give us some feedback?
19:46:31 <pingou> +100
19:46:34 <smooge> Hmm I think our guidelines should be simple. I would say hand it over to mark cox's group and ask for input
19:46:46 <smooge> or bresser
19:47:10 <nirik> yeah, I was thinking bress.
19:47:19 <StylusEater> nirik: do we know of anyone?
19:47:20 <StylusEater> ahh ok
19:47:35 <nirik> see: http://www.bress.net/blog/archives/200-Expanding-Red-Hats-Product-Security-Efforts.html
19:47:42 <nirik> they might be able to look for us.
19:48:03 <nirik> I can ping him and see if thats possible.
19:48:13 <smooge> I am guessing we will get bonus points of "we asked this time and are implementing what the experts said. if you don't like it become an expert yourself."
19:48:20 <nirik> #action nirik to talk to bressers and see if they can give us some help there.
19:48:44 <nirik> so, shall we just wait on this until we hear back?
19:48:48 <smooge> sorry I am rather grumpy, irritable and hostile today
19:49:14 <smooge> I think it would be a good idea.
19:49:16 <pingou> nirik: we can
19:49:44 <smooge> if people have made 'aaaaaaaaaaaaaaaa' their password well they only have themselves to blame for being so passive aggressive.
19:50:13 <nirik> yeah, everyone knows 'zzzzzzzzzzzzzzzzzzz' is more secure. ;)
19:50:19 <LinuxCode> exactly
19:50:23 <nirik> #topic Open Floor
19:50:28 <LinuxCode> it makes no difference statistically
19:50:28 <nirik> any items for open floor?
19:50:31 <wsterling> .ticket 2997
19:50:34 <zodbot> wsterling: #2997 (Create a script to check whether GeoIP updates remove used country codes) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2997
19:50:39 <wsterling> I have a stalled ticket
19:50:43 <abadger1999> nirik: I'm okay with implementing 2 char diversity now.
19:50:45 <spot> I've got the same combination on my luggage!
19:50:46 <wsterling> I'm not sure how to move it forward
19:51:01 <pingou> spot: not 007 ?
19:51:18 <LinuxCode> spot, next FUDcon I do come to, and you are there, I will leave a surprise for you in there
19:51:20 <LinuxCode> lol
19:51:26 <spot> hahaha
19:51:30 <abadger1999> than that I'm more than happy if we can get expert advice :-)
19:51:53 <smooge> my luggage only allows me to use lowercase and numbers. I cant get any of the required symbols
19:52:04 <nirik> abadger1999: well, I suppose that would be ok, but how do we modify the docs? is there a way to make it not sound confusing?
19:52:17 * nirik doesn't have a lock on his luggage. ;)
19:52:25 <smooge> wsterling, ok for your ticket
19:52:30 <smooge> what have you got so far
19:52:42 <wsterling> I have the script I wrote and attached to the ticket
19:53:17 <wsterling> It was run manually and no bad country codes were found other than those that were added for testing the script
19:53:22 <abadger1999> nirik: Mmm.. that's true.  2 chars only affects the 20 characters... so I think I can think of something.
19:53:33 <nirik> wsterling: I'd say see if you can work with abadger1999 to get that setup ?
19:53:39 <wsterling> I think it now needs to be put into a cron or some other documentation to be run regularly
19:53:45 <nirik> wsterling: we need to I think add it as a cron... yeah.
19:54:01 <abadger1999> wsterling: I can help you -- we'll add a cron job in puppet to handle it.
19:54:37 <wsterling> abadge1999: If you are going to be on-line tonight I'll try to work with you to get that done then.
19:55:11 <abadger1999> wsterling: I have karate tonight... maybe someone else would be better if that's when you/they are available.
19:55:14 <skvidal> abadger1999: it needs to be modified to source in the fas.conf
19:55:49 <abadger1999> skvidal: ah.  Okay, let's see if I can prep that part of it now.
19:56:08 <abadger1999> wsterling: then you can work on the cron job with someone else tonight (or catch me tomorrow)
19:56:17 <wsterling> ok, osunds good
19:56:28 <skvidal> wsterling: and I'm sorry about dropping that ticket - last week went left for me
19:56:33 <skvidal> wsterling: and I forgot about it
19:56:47 <skvidal> (worthy of note I'm still not getting tcket updates on it)
19:56:47 <wsterling> skvidal: NP
19:57:17 <nirik> ok, any other open floor stuff?
19:57:29 <pingou> fedora-review-server ?
19:57:45 <pingou> just to get an idea if you guys think the idea is interesting/worthwhile
19:58:11 <pingou> as at the end you will be concerned if it goes through
19:58:19 <nirik> pingou: I added some feedback... but I think you might get more from devel list.
19:58:37 <nirik> if we do decide for move forward on it, it would be a RFR
19:58:53 <pingou> Request For R?
19:59:06 <abadger1999> Resources
19:59:11 <pingou> ah, thanks :)
20:00:03 <nirik> http://infrastructure.fedoraproject.org/infra/docs/requestforresources.txt and http://fedoraproject.org/wiki/Request_For_Resources
20:00:22 <nirik> ie, we want to make sure this is well maintained and deployed in a good manner. ;)
20:00:32 <pingou> agreed there :)
20:00:59 <nirik> pingou: so, I would say if you want try asking devel list what they think... be ready for emails. :)
20:01:29 <pingou> nirik: that's one reason why I wanted to have a feeling by asking infra first :)
20:02:08 <nirik> I think it's something we talked about in the past, but it's a lot of work to setup and code, so no one really pushed it.
20:03:50 * nirik will close out in a minute if nothing more.
20:04:34 <nirik> Thanks for coming everyone!
20:04:37 <nirik> #endmeeting