weekly_meeting
LOGS
14:01:17 <mvollmer> #startmeeting weekly meeting
14:01:17 <zodbot> Meeting started Mon Dec 19 14:01:17 2016 UTC.  The chair is mvollmer. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:17 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
14:01:17 <zodbot> The meeting name has been set to 'weekly_meeting'
14:01:26 <mvollmer> .hello mvo
14:01:26 <zodbot> mvollmer: mvo 'Marius Vollmer' <marius.vollmer@gmail.com>
14:01:47 <andreasn> .hello andreasn
14:01:48 <zodbot> andreasn: andreasn 'Andreas Nilsson' <anilsson@redhat.com>
14:01:58 <dperpeet> .hello dperpeet
14:01:59 <zodbot> dperpeet: dperpeet 'None' <dperpeet@redhat.com>
14:02:42 <mvollmer> #topic Agenda
14:02:51 <mvollmer> * NFS Server Configuration
14:04:34 <andreasn> is that all we have? we could talk a bit about the Firewall too
14:04:59 <mvollmer> sure
14:05:00 <dperpeet> * package name change cockpit-shell
14:05:24 <andreasn> * Firewall configuration
14:05:46 <mvollmer> let's start
14:06:01 <mvollmer> #topic package name change cockpit-shell
14:06:11 <mvollmer> dperpeet, this is probably shortish, right?
14:06:19 <dperpeet> right
14:06:28 <mvollmer> let's get it out of the way
14:06:30 <mvollmer> :)
14:06:37 <dperpeet> so, cockpit-shell is now cockpit-system
14:06:48 <dperpeet> https://github.com/cockpit-project/cockpit/pull/5600 has been merged
14:06:55 <mvollmer> okay
14:07:03 <dperpeet> the package still 'provides' cockpit-shell
14:07:07 <dperpeet> so things shouldn't break
14:07:15 <dperpeet> but cockpit-shell was misleading
14:07:41 <dperpeet> we still have the shell concept inside cockpit, of course
14:08:09 <dperpeet> but the package itself may contain a number of system-relevant parts
14:08:25 <dperpeet> e.g. on RHEL cockpit-system may also include selinux troubleshooting
14:08:31 <mvollmer> what was the motivation for the change?
14:08:53 <dperpeet> many people thought "cockpit-shell" was the terminal
14:08:55 <mvollmer> getting something that we can commit to for RHEL?
14:09:03 <mvollmer> right
14:09:10 <dperpeet> or looking at package lists, you think about a real shell
14:09:17 <dperpeet> maybe direct interaction on the cli with cockpit
14:09:27 <dperpeet> so now we have the bridge
14:09:28 <mvollmer> like gnome shell is the terminal? :-)
14:09:37 <dperpeet> cockpit-ws with its websocket communication
14:09:45 <dperpeet> mvollmer, right :)
14:10:00 <dperpeet> and cockpit-system has the core parts of cockpit that you connect to on a system
14:10:03 <dperpeet> via the bridge
14:10:17 <dperpeet> you configure the system with cockpit-system
14:10:37 <dperpeet> end of topic
14:10:51 <mvollmer> thanks!
14:10:57 <mvollmer> #topic NFS Server Configuration
14:11:06 <mvollmer> so I was looking at that
14:11:13 <mvollmer> don't know where to start, tbh
14:11:35 <mvollmer> but the fog is lifting
14:11:49 <mvollmer> for me, this is more about accounts and permissions than about NFS
14:12:12 <mvollmer> and using FreeIPA to manage permissions
14:12:13 <dperpeet> I don't completely agree
14:12:29 <dperpeet> you're right to an extent, but only about accounts and permissions as they relate to sharing
14:12:35 <dperpeet> otherwise you get so much more
14:13:04 <dperpeet> do you think we need to be careful with the scope regarding identities, permissions and the rest of cockpit?
14:13:36 <mvollmer> so people should create/manage accounts and groups in the FreeIPA UI, and only pick them from a list inside cockpit?
14:13:38 <dperpeet> or is it ok to make this work for just NFS now and worry about other stuff later
14:13:57 <dperpeet> I think in this iteration that should be the case
14:14:06 <dperpeet> we don't want to have a freeipa configuration in nfs
14:14:07 <andreasn> yes, that's how I imagine it. You get a list of users/groups within cockpit
14:14:24 <andreasn> and assign a folder to them
14:14:29 <mvollmer> can we push 'everything' to FreeIPA?
14:14:51 <dperpeet> everything as in?
14:15:02 <mvollmer> i.e., Cockpit makes the "share", registers a service in FreeIPA if necessary, and then has a link to the FreeIPA UI where people can manage that thing?
14:15:05 <dperpeet> I think in the NFS case we only consume identities and permissions
14:15:10 <mvollmer> does that even make sense?
14:15:22 <dperpeet> yes, except that there is no such UI right now :)
14:15:25 <dperpeet> I think
14:15:30 <mvollmer> should there be?
14:15:38 <dperpeet> long-term, definitely
14:15:41 <dperpeet> for NFS? no
14:15:45 <dperpeet> eventually they should be linked
14:16:30 <andreasn> so a link somewhere "Click here to manage users"?
14:16:47 <dperpeet> there is for example https://github.com/libre-server/proposals/blob/master/Domain%20Controller.md
14:16:54 <mvollmer> the big picture is "NFS Server role" for Fedora, this can include changes to FreeIPA, if you ask me
14:17:10 <dperpeet> definitely!
14:17:45 <dperpeet> let's say the work of changing permissions et cetera shouldn't reside with NFS server config when working with FreeIPA
14:18:00 <dperpeet> eventually there should be a page for FreeIPA
14:18:00 <andreasn> yeah, the service creation in FreeIPA felt very arbitrary to me, so if that could be automated somehow, that would be nice
14:18:02 <dperpeet> that can do just that
14:19:03 <mvollmer> ohh, ansible playbooks
14:19:22 <mvollmer> i should talk to sgallagh
14:19:33 <dperpeet> this is all work in progress
14:19:45 <mvollmer> is it time to write code for Cockpit already?
14:19:52 <mvollmer> or not yet?
14:19:58 <dperpeet> yes, but scope the FreeIPA stuff out
14:20:03 <andreasn> but it sounds like the Stories and Workflows are in good shape at least?
14:20:05 <dperpeet> otherwise we'll never get anywhere
14:20:16 <mvollmer> so, a UI for /etc/exports?
14:20:22 <dperpeet> i.e. consider FreeIPA configured
14:20:42 <sgallagh> mvollmer: can you book some time in an hour or so? I'm a little busy right this minute.
14:21:14 <mvollmer> sgallagh, unfortunately not.
14:21:26 <mvollmer> sgallagh, shall we come back to this after the holidays?
14:21:35 <sgallagh> mvollmer: OK, what's the specific question you need answered?
14:21:51 <dperpeet> scoping nfs server configuration vs freeipa
14:21:52 <mvollmer> if I start writing code for Cockpit, what's the APIs you have in mind that I would be using?
14:22:11 <mvollmer> exporting/importing ansible playbooks?
14:22:53 <sgallagh> mvollmer: That was what we were thinking, yes.
14:22:59 <mvollmer> okay
14:23:09 <mvollmer> can I start writing code, or should I wait?
14:23:17 <sgallagh> That's similar to how Microsoft Server Manager works.
14:23:31 <mvollmer> i can come down the stack and help with the playbooks themselves, maybe
14:23:43 <sgallagh> It walks you through all the settings, then allows you to export a PowerShell script at the end and either execute it or take it and modify it yourself.
14:24:00 <dperpeet> mvollmer, jds2001 will almost certainly help with those as well I think
14:24:05 <dperpeet> or at least find someone who will
14:24:07 <mvollmer> hmm, not very cockpity
14:24:35 <mvollmer> okay, I guess I read more and learn what the plans are
14:24:58 <dperpeet> mvollmer, and we need to learn what it takes to make that more cockpity :)
14:25:23 <mvollmer> i don't even know where the permissions would be recorded.... in /etc/exports?
14:25:55 <sgallagh> mvollmer: Permissions in NFS aren't recorded by NFS itself except for RO/RW of the whole share.
14:26:14 <sgallagh> The permissions are handled by filesystem permissions on the underlying filesystem, server-side
14:26:35 <mvollmer> right, so the playbook would include the appropriate chown/chmod calls for the exported directory?
14:26:48 <sgallagh> So if you wanted to create a share accessible only to a group of users, you'd have to do `chgrp -R thegroup thefolder`
14:26:59 <mvollmer> right
14:27:00 <sgallagh> Yes, it would have to.
14:27:11 * mvollmer starts to get it
14:27:18 <dperpeet> I think cockpit's value in this case lies with bringing the right stuff together - e.g. the right playbook and maybe some sanity checking of permissions
14:27:58 <sgallagh> The reason we want to use playbooks is so that everything is repeatable and automatable later.
14:28:11 <mvollmer> we could do the same for a shell server, where people log in and share files via the local fsys
14:28:25 <sgallagh> To help people scale up from managing a few machines with Cockpit to managing hundreds or thousands down the road as they grow
14:28:58 <sgallagh> (And yes, please involve jds2001 on this as much as possible)
14:29:20 <sgallagh> mvollmer: Regarding FreeIPA, we opted for this time to "assume FreeIPA is all set up"
14:29:26 <mvollmer> what role has FreeIPA in this?
14:29:44 <mvollmer> distributing information about available "shares"
14:29:47 <mvollmer> ?
14:29:52 <sgallagh> mvollmer: OK, so NFS is fairly nitpicky about how users work.
14:30:07 <mvollmer> right, synchronizing user ids?
14:30:10 <sgallagh> In most cases, all of the clients and the NFS server have to have the same idea of what the user IDs and group IDs are
14:30:40 * mvollmer ignores that sgallagh is busy
14:30:41 <sgallagh> And also, NFSv4 uses Kerberos to handle identity, authentication and encryption of NFS shares.
14:30:57 <sgallagh> (I put things aside for a few; appreciate it!)
14:31:13 <mvollmer> this is helping me a lot
14:32:05 <mvollmer> the tutorials talk about creating a service in FreeIPA for the nfs server
14:32:09 <sgallagh> mvollmer: Basically, without a working LDAP and Kerberos setup, the best you can do is manually keep IDs in sync and use unencrypted shares that simply trust that the client machine isn't lying about which user is accessing things.
14:32:22 <sgallagh> That's setting up the Kerberos configuration.
14:32:37 <mvollmer> for identity, authentication and encryption?
14:32:41 <sgallagh> yes
14:32:44 <mvollmer> right
14:32:51 <mvollmer> the playbook does that also?
14:33:43 <sgallagh> Yes, it will need to request the service account if it doesn't already exist and retrieve the keytab entry for that service
14:34:11 <sgallagh> (That latter part may be a little tricky to do idempotently; jds2001 and I will likely have to help with that part)
14:34:54 <mvollmer> so, a general "run this playbook with progress and cancelling and logging and blackjack" in Cockpit would be nice?
14:35:05 <sgallagh> "blackjack"?
14:35:14 <mvollmer> i can see how we use playbooks for more and more stuff
14:35:19 <mvollmer> futurama reference
14:35:21 <sgallagh> ok
14:35:38 <sgallagh> Yeah, there's probably value in making that execution a generic module.
14:35:42 <mvollmer> http://knowyourmeme.com/memes/im-going-to-build-my-own-theme-park-with-blackjack-and-hookers
14:35:57 <sgallagh> (So if you were looking for a place to start hacking, that is probably a good one)
14:36:05 <mvollmer> right
14:36:45 <mvollmer> okay, I think that should be enough
14:36:51 <mvollmer> sgallagh, thanks a million!
14:37:05 <sgallagh> mvollmer: Absolutely! Let me know what else I can help with.
14:37:44 <mvollmer> my f25 X session is crashing twice a day, so if you could...
14:37:46 <mvollmer> :-)
14:37:58 <sgallagh> mvollmer: Switch to Wayland? It's working wonders for me :-D
14:38:13 <mvollmer> yeah, any day now, got my xkb osrted more or less
14:38:17 <mvollmer> *sorted
14:38:18 <dperpeet> I think that's end of topic...
14:38:30 <mvollmer> andreasn, do you want to get a word in?
14:38:54 <andreasn> with regards to NFS? No, I think I have it fairly sorted out mentally
14:39:10 <mvollmer> okay
14:39:14 <andreasn> I couldn't get the CLI tools to work on my system, but that's OK
14:39:25 <mvollmer> one question: why do we put it into tools and not in Storage?
14:39:51 <andreasn> not sure yet, but in my thinking, this would be fairly separate
14:40:08 <andreasn> so in the longer run, you install a Role, and then it creates a new page
14:40:18 <mvollmer> yeah
14:40:24 <andreasn> but it doesn't add to an existing page
14:40:24 <mvollmer> true
14:40:49 <sgallagh> andreasn: What CLI tools didn't work?
14:41:26 <andreasn> sgallagh: ipa-client-automount Didn't work on Friday, tried again today for a while without success
14:41:45 <andreasn> it just gives me one of those fun python errors
14:41:50 <sgallagh> Oh right. I'm not really sure what's going on there. It worked for me on two separate F25 VMs
14:41:56 <andreasn> that's my favorite thing about python actually
14:42:00 <sgallagh> Could you take that to the #freeipa guys?
14:42:07 <andreasn> I asked there already, no reply
14:42:22 <sgallagh> andreasn: ping ab directly; he'll sort you out, I'm sure
14:42:30 <andreasn> could try it on another machine, but I figured I got the workflow figured out anyway
14:42:34 <andreasn> I'll try that
14:43:24 <andreasn> eot I think
14:43:47 <mvollmer> #topic Firewall configuration
14:44:56 <andreasn> so bhakti is making progress here
14:45:08 <andreasn> https://github.com/cockpit-project/cockpit/wiki/Feature:-Firewall
14:45:28 <andreasn> I think the stories and workflows are fairly finished
14:45:33 <andreasn> so she'll focus on the wireframes next
14:45:46 <andreasn> so get your concerns in quickly before it's too late! :)
14:46:25 <dperpeet> :)
14:46:51 <dperpeet> there's also some work by bhakti on her blog https://bhaktibhikne14.wordpress.com/
14:46:53 <andreasn> I guess bhakti isn't here still, since it's about 20.00 in the night for her
14:47:14 <bhakti> I am here, just lurking :)
14:47:36 <bhakti> I have added the post link to the notes (for the firewall comparison)
14:48:21 <mvollmer> bhakti, hi! :-)
14:48:30 <bhakti> hello mvollmer! o/
14:48:35 <mvollmer> nice work, looking forward to use it!
14:48:55 <bhakti> Thank You! :)
14:49:39 <mvollmer> bhakti, this will be using firewalld, right?
14:49:43 <bhakti> yep
14:49:55 <mvollmer> right
14:50:34 <mvollmer> eot?
14:51:18 <andreasn> I think so
14:52:10 <mvollmer> #topic Any other business
14:53:34 <mvollmer> nothing?
14:53:44 <andreasn> not from me
14:54:09 <mvollmer> there is a guy here who is using cockpit on 32bit arm, raspberry pi
14:54:25 <mvollmer> some trouble with docker, he filed issues
14:54:32 <mvollmer> otherwise seems to just work
14:54:36 <mvollmer> which is nice
14:54:39 <mvollmer> he is a fan
14:55:46 <mvollmer> he is a fin, also :-)
14:55:51 <mvollmer> enough silliness
14:56:00 <mvollmer> #endmeeting