fedora-server
LOGS
17:00:27 <pboy> #startmeeting fedora-server
17:00:27 <zodbot> Meeting started Wed Jul 19 17:00:27 2023 UTC.
17:00:27 <zodbot> This meeting is logged and archived in a public location.
17:00:27 <zodbot> The chair is pboy. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
17:00:27 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
17:00:27 <zodbot> The meeting name has been set to 'fedora-server'
17:00:38 <eseyman> meeting time!
17:00:40 <pboy> #topic Welcome / roll call
17:00:52 <pboy> Welcome to our Server WG IRC meeting today!
17:00:54 <eseyman> .hello2 eseyman
17:00:55 <zodbot> eseyman: eseyman 'Emmanuel Seyman' <emmanuel@seyman.fr>
17:01:05 <jwhimpel> .hello
17:01:05 <zodbot> jwhimpel: (hello <an alias, 1 argument>) -- Alias for "hellomynameis $1".
17:01:13 <pboy> Hi eseyman, right on time today. :-)
17:01:32 <jwhimpel> .hello2
17:01:34 <zodbot> jwhimpel: jwhimpel 'John Himpel' <john@jlhimpel.net>
17:01:45 * nirik has another meeting at the same time as usual. ;( but here in the background...
17:02:28 <pboy> hi nirik, we may need you for top 3 (your technical opinium)
17:03:12 <pboy> OK, let's stat with the agenda
17:03:21 <pboy> #topic Agenda
17:03:30 <pboy> #info  Follow up actions
17:03:33 <nirik> I can try... ;)
17:03:39 <pboy> info  Fedora 39 change Proposal:  Enable Firmware Update Notification
17:03:48 <pboy> #info  LLMNR should be disabled in resolved in f39
17:03:58 <pboy> #info  Work Project: Using Ansible to install and configure Wildfly
17:04:10 <pboy> #info  F39/40 Work Project: Fedora Server in a virtualized runtime environment
17:04:19 <pboy> #info  Open floor
17:04:29 <pboy> Any topic to add?
17:04:37 <pboy> I think we have a lot
17:04:42 <eseyman> agreed
17:04:58 <pboy> #topic 1. Follow up actions
17:05:12 <pboy> #action pboy will write a info about changing the timeout value and nirik will review – still work in progress
17:05:21 <pboy> #info ACTION: eseyman will review the NFS documentation - done
17:05:41 <pboy> The NFS doc needs still some work. Eseyman will complete the text? hopefuly
17:06:00 <pboy> Nothing to announce
17:06:12 <pboy> Any addition?
17:06:49 <pboy> Obviously not
17:06:57 <pboy> #topic 2.  Fedora 39 change Proposal:  Enable Firmware Update Notification
17:07:02 <eseyman> I wanted to reply in private but sent the reply to the list
17:07:07 <eseyman> Sorry about that
17:07:36 <pboy> OK
17:07:51 <pboy> #link https://pagure.io/fedora-server/issue/115
17:08:01 <pboy> If possible, 10 mins max.
17:08:19 <pboy> We had an ad hoc discussion and we have a decision
17:08:46 <pboy> maybe  we will share additional ideas?
17:08:57 <pboy> I had the idea to add mail notification. But server as we distribute, there is no mail server installed.
17:09:21 <pboy> So it's nothing for this year. :-)
17:09:34 <eseyman> the issue is who to send mail to...
17:09:51 <pboy> Yes, indeed. that's tghe 2nd peroblem
17:10:11 <pboy> logwatch sends to root@localhost
17:10:26 <pboy> Hopefully, the disk is large enough
17:11:08 <eseyman> in /etc/aliases, there's a commented-out alias from root to marc
17:11:53 <pboy> Yeah, so that's an easy way to determine an addressee
17:12:14 <pboy> But you must edit the file after installation. ....
17:13:07 <pboy> There are some very light weigt mail sending progs. Maybe, we can install one of them with the reworked installation media.
17:13:29 <pboy> And then it may be useful.
17:13:52 <eseyman> and even sending to /var/spool/mail/$USER does not mean the mail will get read
17:14:19 <pboy> No, you need to send it to someones daily mail account.
17:14:37 <eseyman> honestly, I would just ask during installation "do you want email notifications? if so, to which address?"
17:14:39 <pboy> But then it might be helpful.
17:15:07 <pboy> eseyman I suppose RPM doesn't support that.
17:15:25 <pboy> So we would have to do it with Anaconda
17:15:41 <pboy> That's not trivial
17:16:19 <pboy> But a message of the day when you occasionally log in is better than nothing
17:16:21 <eseyman> yes
17:16:31 <pboy> OK, let's switch
17:16:43 <jwhimpel> pboy: Hopefully the rewrite of the installer that is currently progressing will make future changes easier.
17:17:04 <pboy> Yes, I hope so!
17:17:08 <pboy> #topic 3. LLMNR should be disabled in resolved in f39
17:17:18 <pboy> #link https://pagure.io/fedora-server/issue/114
17:17:28 <pboy> Change proposal
17:17:39 <pboy> #link https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/DCX54HQNCPT56XDGVXXTHMDPGHJWKT7A/#DCX54HQNCPT56XDGVXXTHMDPGHJWKT7A
17:17:48 <pboy> Diskussion:
17:18:01 <pboy> #link https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/DCX54HQNCPT56XDGVXXTHMDPGHJWKT7A/#DCX54HQNCPT56XDGVXXTHMDPGHJWKT7A
17:18:32 <pboy> We are explicitely asked about it via ticket system. So we should deal with it.
17:18:46 <pboy> I think, it's useful. But I'm not familiar with the technical details.
17:19:06 <pboy> nirik here is your part
17:19:10 <pboy> :-)
17:19:55 <eseyman> no opinion
17:21:02 <pboy> Yeah, it sounds like a good idea. But that's just on the surface.
17:22:38 <eseyman> would be nice to get the systemd maintainers' opinion on the subject
17:23:25 <pboy> We use split DNS a lot. But that has nothing to with multicast as to my little knowledge
17:24:26 <pboy> And DNSSEC would be really fine.
17:24:54 <pboy> Well, nirik seems to be busy.
17:25:27 <eseyman> DNSSEC would be much appreciated...
17:26:03 <pboy> proposal, because we have no dedicated opinion and are not familiar enough, I'll work out an answer together with nirik, as soon as he can manage
17:26:41 <pboy> any objection?
17:27:25 <pboy> None, so
17:27:49 <eseyman> no
17:28:15 <pboy> #agreed. pboy and nirik will resolve the issue on behalf of Server WG.
17:28:28 <pboy> #agreed pboy and nirik will resolve the issue on behalf of Server WG.
17:28:55 <pboy> #topic 4. Work Project: Using Ansible to install and configure Wildfly
17:29:07 <pboy> #link https://pagure.io/fedora-server/issue/60
17:29:24 <pboy> It's the main topic today.
17:29:37 <pboy> Objective here. Deciding about the next steps
17:29:59 <pboy> Besides the certificate issue, we have to plan
17:30:22 <pboy> * What proxy to use (Apache httpd, Nginx, HAproxy, all of them
17:30:25 <eseyman> we still have certificate issues ???
17:30:32 <pboy> * Where to store the software: /opt/wildfly or anywhere else?
17:30:48 <pboy> * How organize storage
17:30:57 <pboy> * How to make the Ansible playbook
17:31:10 <pboy> I hope that all for now.
17:31:29 <jwhimpel> The current role that I am working on configures a standalone version of wildfly.  Should we have another role(s) to configure a cluster of servers?
17:31:32 <pboy> John, can you give the latest status of the certificate issue?
17:31:58 <pboy> I think, we should start with a standalone.
17:32:19 <eseyman> standalone alone is fine
17:32:46 <jwhimpel> I've had another round of health issues, so I have not made any progress.  I did find a link that seemed to address the certificate issue.  I promise to have tried that approach by our next meeting in August
17:33:23 <eseyman> as for the proxy in front, I'm mostly in favour of nginx
17:33:38 <pboy> Yeaj John, too.  :-)
17:33:43 <eseyman> but this should be controlled via a variable in the playbook
17:34:15 <jwhimpel> There's some good documentation on how to configure that on the web.
17:34:25 <pboy> Well, Fedora policy is, to prefer Apache
17:34:39 <pboy> But proxy is a bit weak with httpd
17:34:53 <jwhimpel> From an ansible standpoint, I think configuring a proxy should be a separate role.  One role for each type of proxy frontend.
17:35:03 <pboy> If I remember correctly, nginx supports the proxy proticoll
17:35:09 <pboy> as dies haproxy.
17:35:20 <pboy> Does someone know more details?
17:35:36 <pboy> Because the proxy protocol is quite important
17:35:50 <pboy> for traffic analyses, e.g.
17:36:09 <jwhimpel> Either would work.  Question: If we have a standalone instance of wildfly, why do we need a proxy?  I ask out of ignorance rather than out of objection.
17:37:06 <eseyman> either to serve static files better than wildfly or protect wildfly from attacks
17:37:14 <pboy> Without a proxy, wildfly uses port 80 exclusivly for the complete server. No other web service would be poissible
17:38:29 <pboy> And I'm not sure, tomcat is quite slow in distributing static pages and is of limited funtionality
17:38:34 <jwhimpel> wildfly uses port 8080 not 80
17:38:47 <pboy> Or is nowadays apache integrated in wildfly?
17:39:21 <pboy> Yes, indeed. But by default everybody uses port 80.
17:39:27 <jwhimpel> Wildfly has an integrated servlet processor and is also capable of serving static pages.
17:39:48 <pboy> OK, that's like tomcat
17:40:28 <pboy> Nevertheless, you want your service be accessible via port 80 / 443. Everybody uses it.
17:40:41 <pboy> And most not even kknow about 8080
17:40:45 <jwhimpel> Disclaimer: I haven't actually used the integrated servlet processor, but I recall seeing that in the documentation.
17:41:25 <pboy> jwhimpel we use it a lot in our project. It is our main and default servlet processor.
17:41:58 <jwhimpel> I'm used to having port 80 pages with links pointing to 8080.  But I understand your point and would not object to having a proxy in front.
17:42:00 <pboy> and we have always a proxy in front because we server several domains  all on 80
17:42:49 <pboy> jwhimpel that's the 'poor mans proxy'. :-)
17:43:19 <pboy> OK, we use a proxy and start with nginx.
17:43:56 <pboy> For the books: nginx can proxy protocol, and Apache can't. That makes nginx the better solution.
17:44:36 <pboy> And haproxy might be an alternative for high traffic sites. We do that later (if at all. :-) )
17:45:06 <pboy> I guess, no objection
17:45:38 <jwhimpel> Before our next meeting, I will also upgrade the role to install the latest version of wildfly (the current role is 2 versions behind).
17:45:57 <pboy> #agreed We'll use nginx as proxy solution, because it is able to handle the proxy protocol.
17:46:04 <jwhimpel> I do install the software into /opt/wildfly  is that okay with everyone?
17:46:23 <pboy> That's the next question.
17:46:42 <pboy> According to FHS, I think, it is the best solution .
17:47:09 <eseyman> probably
17:47:15 <pboy> But tomcat installs into usr/share and /var/lib for datá and /etc for configuration
17:47:35 <pboy> It uses sym link to spread the locations
17:47:44 <eseyman> again, please make this a variable in the role so that it can be easily changed if need be
17:47:48 <pboy> Do we have a Fedora policy about that?
17:48:45 <pboy> I see, nobody knows.?
17:48:59 <eseyman> not me
17:49:07 <jwhimpel> Me neither.
17:49:09 <pboy> Then I would peropose, we ask Jave SIG. I could do that.
17:49:58 <pboy> #action pboy asks Java SIG about best practise for a installation location.
17:50:37 <pboy> Nest issue: storage organisation.
17:51:10 <pboy> Our official solution is, to use LVM LVs to store data, separate from the system files.
17:51:41 <pboy> I think, we should do so in our Ansible playbook.
17:52:16 <pboy> We could either make a LV for /opt, or a thin provisioned for /opt/Ansible
17:52:44 <pboy> I mean /opt/wildfly
17:53:09 <jwhimpel> If we go that route, I would suggest /opt/Wildfly as a LV
17:53:39 <eseyman> oh yes
17:53:52 <pboy> Yes, would be the best. we would have the option to make snapshot just for that.
17:54:15 <pboy> OK, we ...
17:54:50 <jwhimpel> Question: Do we want to support multiple simultaneous versions of Wildfly on a single host?
17:54:55 <pboy> #agreed we will create a separate log. Volume for /opt/wildfly according the Fedora Server Edition storage concept.
17:55:17 <pboy> jwhimpel I think that would be great!
17:55:30 <pboy> Tomcat is able to do that.
17:56:14 <pboy> With Tomcat you use one binary and several data locations.
17:56:46 <pboy> If I remember correctly, the wildfly RPM could that, too
17:57:00 <pboy> years back, when we had one
17:57:40 <jwhimpel> Since Wildfly is updated every six months, it would not be unusual to need Wildfy 45 and 46 needed simultaneously.  That is what I was asking about.
17:57:59 <jwhimpel> Sorry, I need to run to Doctor appointment now.
17:58:23 <pboy> I'm not sure. Often there is a lot of change and you have a lot to adjust.
17:58:40 <pboy> OK. I think we have done a lot today!
17:58:45 <pboy> And our time is up.
17:59:15 <pboy> Let's discuss the multiversion / multi instances question next time.
17:59:25 <eseyman> yes
17:59:36 <pboy> Well, open floor
17:59:46 <pboy> #topic  5. Open Floor
18:00:21 <pboy> eseyman By he way, I translated my German pieces int he nfs doc.
18:00:35 <eseyman> pboy: will review again
18:00:44 <pboy> thanks.
18:00:53 <eseyman> do you want a review of the mail documentation ?
18:01:41 <pboy> yes, but is is not complete yet. But the postfix part and the dovecot part are complete - at least I hope so
18:01:54 <eseyman> will review
18:02:06 <pboy> You did some work with mail recently?
18:02:13 <pboy> Thanks-
18:02:23 <pboy> Anything else?
18:02:27 <eseyman> pboy: it's still ongoing
18:02:50 <pboy> OK, maybe we get some more insight from it.
18:03:09 <pboy> It's quite complidated with SPF, dmarc and dkim
18:03:21 <eseyman> but yeah, I have two smtp gateway serving 200k emails daily
18:03:44 <pboy> Oh that't a lot
18:04:06 <pboy> Ours at University is similiar
18:04:30 <eseyman> I call this moderately high volume
18:04:44 <pboy> Yeah
18:05:03 <pboy> OK, I think we close now.
18:05:17 <pboy> Thanks everyone for comming
18:05:25 <pboy> bye bye
18:05:35 <pboy> #endmeeting