
2020-05-05-heroes-meeting.txt

IRC meeting log - cboltz, 2020-05-05 22:15

2020-05-05 heroes meeting

[19:56:27] <bmwiedemann> good evening
[19:57:45] <mcaj_away> HI
[19:59:47] <tuanpembual> Hi
[19:59:53] <tuanpembual> good morning
[20:01:14] <King_InuYasha> good afternoon
[20:01:35] <cboltz> hi everybody, and welcome to the heroes meeting!
[20:01:48] <King_InuYasha> kl_eisbaer: fwiw, if this keeps happening, I *will* make a JeOS image
[20:01:55] <cboltz> two questions in parallel:
[20:02:01] <King_InuYasha> I know how to since I maintain kiwi in fedora ;)
[20:02:03] <cboltz> - who is here for the meeting, and
[20:02:13] <cboltz> - does someone from the community have questions?
[20:02:17] <lcp> me
[20:02:19] <tuanpembual> Me
[20:02:24] <adrianS> Me
[20:02:27] <King_InuYasha> I'm here! :)
[20:03:08] <Redtigra> hello everybody.
[20:03:13] <King_InuYasha> hello?
[20:04:44] <lcp> is that a community question? :P
[20:05:04] <mcaj_away> HI
[20:05:17] <robin_listas> hi
[20:05:32] <cboltz> lcp: it seems to become a tradition that we don't have community questions - but I'd love to be proven wrong ;-)
[20:05:52] <King_InuYasha> actually yes
[20:05:54] <darix> I can ask community questions if you want
[20:05:56] <lcp> you did have community questions when I was the community
[20:05:59] <darix> I am not a hero :P
[20:06:18] <gp_> Hi!
[20:06:21] <King_InuYasha> who are you, Redtigra? I'm unfamiliar with your nick
[20:06:30] <King_InuYasha> though I can guess who gp_ is :D
[20:06:44] <kl_eisbaer> gp -> great person? :-)
[20:06:49] <King_InuYasha> indeed
[20:06:50] <Redtigra> I am a (relatively) new team lead of Engineering Infra SUSE
[20:06:53] <King_InuYasha> all these new people though :)
[20:07:22] <Redtigra> jdsn's and mcaj's boss, if they don't mind. very young hero embryo :)
[20:07:30] <Redtigra> glad to meet you all
[20:07:53] <cboltz> glad to have you all here ;-)
[20:07:57] <King_InuYasha> hello, nice to meet you :)
[20:08:02] <bmwiedemann> and my boss :-)
[20:08:10] <King_InuYasha> it's always nice to meet SUSE folks :D
[20:08:38] <Redtigra> yes, bmwiedemann's too :)
[20:09:03] <mcaj_away> It would be better to meet F2F at the openSUSE conference, but that's not going to happen this year...
[20:09:11] <lcp> cboltz: let's get through the topics, because I feel we have a big one at the end
[20:09:19] <cboltz> right
[20:09:37] <cboltz> let's do a *quick* round of status reports - and then focus on the account system
[20:09:47] <cboltz> so - does someone have a status report?
[20:09:50] <gp_> cboltz: I've also got one (though not exactly a community question). :-) Happy to have that at the end.
[20:10:19] <tuanpembual> I have a report.
[20:10:35] <cboltz> go ahead ;-)
[20:10:55] <tuanpembual> In the last weeks we already migrated the new progress. I hope we get fewer complaints and bugs.
[20:11:21] <tuanpembual> if you have found any error, please update this ticket: https://progress.opensuse.org/issues/65456
[20:11:32] <tuanpembual> some of the last issues have been solved.
[20:11:40] <tuanpembual> that's it from me.
[20:12:00] <tuanpembual> If there is anything I can help with, something with containers, I will be glad to help
[20:12:10] <tuanpembual> :D
[20:12:38] <tuanpembual> next.
[20:12:59] <King_InuYasha> tuanpembual: thanks for the new progress, it looks great :)
[20:13:03] <lcp> for the new freeipa, and the rest of the stuff, it was deployed and followed by the very popular announcement on the mailing list
[20:13:22] <lcp> and matrix + riot are set up for when we have saml and/or oidc to connect to it
[20:13:32] <tuanpembual> thanks King_InuYasha
[20:13:37] <King_InuYasha> 🔥
[20:14:08] <lcp> that's it for me :P
[20:14:32] <King_InuYasha> I've been working with lcp on some bug squashing with ipsilon (id.i.o.o / f-s.i.o.o)
[20:14:51] <King_InuYasha> things are in (mostly) good shape, and once we go into production, I'll cut the 3.0.0 release officially based on that
[20:15:36] <King_InuYasha> I'm in touch with rhbz devs, and they're going to be releasing rhbz source in the coming days
[20:15:50] <King_InuYasha> from there, we can look to adapt for susebz to shift to saml2 auth
[20:16:40] <King_InuYasha> fedora-aaa and lcp and I are in touch now and actively collaborating on features and configuration details
[20:16:46] <lcp> quite a surprising announcement, I didn't expect that this week
[20:17:03] <King_InuYasha> I was pretty pleased too :)
[20:18:06] <King_InuYasha> working on some stuff in pagure for the upcoming code.i.o.o and dist.i.o.o instances, we'll see how that goes
[20:18:43] <King_InuYasha> oh, and working with lcp on freeipa porting to opensuse... good progress has been made, perhaps we'll have it in a year :)
[20:18:48] <King_InuYasha> that's it for me :)
[20:19:12] <cboltz> I moved www.o.o from Provo to Nuremberg ~2 weeks ago, and besides /searchPage/ (which I wasn't aware of, and hot-fixed) everything went smooth :-)  (no serious 404s in the error_log)
[20:19:40] <cboltz> Note that www.o.o/openid/ is still proxied to the server in Provo - that's something we'll need to change
[20:20:03] <King_InuYasha> cboltz: lcp and I are working on a replacement for that, it's... ugly :(
[20:20:16] <bmwiedemann> cboltz: I am working on openid setup for our new bugzilla-ldap
[20:20:37] <cboltz> King_InuYasha: sounds interesting[tm]...
[20:20:45] <jdsn> s/bugzilla-ldap/community-accounts/  :)
[20:21:10] * jdsn is just trying to get rid of the term "bugzilla account" :)
[20:21:15] <King_InuYasha> haha
[20:21:27] <cboltz> still better than "Novell account" ;-)
[20:21:38] <jdsn> well, yes, but we can do better :)
[20:21:41] <King_InuYasha> I still have my email saying welcome to your novell account :P
[20:21:50] <jdsn> lol
[20:21:50] * adrianS would name jdsn's "community-accounts" instead "developer accounts" since they are used for all development topics, inside and outside of suse ...
[20:22:02] <adrianS> and partners
[20:22:07] <lcp> did you mean Micro Focus/NetIQ/Novell/SUSE/openSUSE accounts? :P
[20:22:07] <King_InuYasha> >_>
[20:22:16] <King_InuYasha> >_<
[20:22:37] <adrianS> yep, still the same database, just migrated now
[20:22:41] <cboltz> adrianS: and probably also bugreporters and forum users, so not only developers ;-)
[20:22:51] <King_InuYasha> and wiki people too :)
[20:22:58] <jdsn> did we shift to that topic already?
[20:23:04] <adrianS> bugreporters for sure ... not sure if forum and wiki will use it?
[20:23:05] <lcp> well, and also future chat infra, and meet.o.o etc
[20:23:18] <adrianS> or use an independent account database?
[20:23:21] <King_InuYasha> and code/dist too
[20:23:31] <cboltz> jdsn: depends - does someone have a status report _not_ related to accounts?
[20:23:41] <cboltz> if yes, please speak up *now* ;-)
[20:23:48] <robin_listas> adrianS: Per said he was trying.
[20:24:27] <lcp> oh yeah, we have auth set up on forums
[20:24:34] <lcp> forgot about that :P
[20:24:49] <adrianS> robin_listas: you mean trying to use a login proxy?
[20:25:02] <King_InuYasha> lcp: that was the *first* thing we did :P
[20:25:05] <adrianS> for forums?
[20:25:17] <lcp> kinda important, since that allows us to move forums from provo at last
[20:25:25] <King_InuYasha> yup
[20:25:59] <kl_eisbaer> I would have some status reports - but I guess everyone wants to focus on IDM. So fine with me (less to type ;-)
[20:26:16] <King_InuYasha> kl_eisbaer: well, if you have stuff to tell us, please do so :D
[20:26:27] <kl_eisbaer> I will just send my reports to the mailing list, I guess that's easier.
[20:26:42] <cboltz> also an option, whatever you prefer ;-)
[20:26:56] <kl_eisbaer> King_InuYasha: well: the current Fedora installer seems not to like my static IP configuration :-/
[20:26:59] <robin_listas> adrianS: He said "we expect to hook the forums into the above too (Nuernberg datacenter)"
[20:27:12] <King_InuYasha> kl_eisbaer: :(
[20:27:15] <kl_eisbaer> cboltz: I prefer to go to bed early ;-) -> Email
[20:27:32] <cboltz> ok, then I'm looking forward to your mail(s) ;-)
[20:27:41] <kl_eisbaer> King_InuYasha: I will try again, but IMHO I did nothing different than the last time. I'll keep you updated once the machine is available
[20:27:55] <King_InuYasha> kl_eisbaer: if f32 isn't working, f31 is fine
[20:27:57] <King_InuYasha> we can upgrade after
[20:28:04] <adrianS> robin_listas: and is he still trying or did he give up? or does he need some help?
[20:28:09] <kl_eisbaer> King_InuYasha: I'm down to 31 already :-/
[20:28:12] <King_InuYasha> oh dear
[20:28:27] <King_InuYasha> kl_eisbaer: it didn't work with f32 I take it?
[20:28:32] <kl_eisbaer> I guess I will trash the qemu config and start from scratch - something seems fishy
[20:28:37] <King_InuYasha> yeah, that's odd
[20:28:39] <robin_listas> Dunno. You will have to ask him. That was this morning when he said this.
[20:28:43] <King_InuYasha> if you need help, let me know later :)
[20:28:52] <King_InuYasha> I'll do my best to assist
[20:31:44] <jdsn> cboltz: ?  IDM ?
[20:31:46] <cboltz> given the silence for > a minute, let's officially switch the topic to the account system
[20:31:57] <cboltz> yes ;-)
[20:32:01] <jdsn> IDM/IDP: then maybe I can start and quickly share what we did the last days/weeks:
[20:32:05] <King_InuYasha> here we go
[20:32:08] <jdsn> https://jdsn.de/ucs-setup-simplified.png
[20:32:18] <jdsn> we were setting up the Univention servers and then making sure we can bring all our data home into the NUE data center
[20:32:25] <jdsn> so we had to make sure that all this is set up for the Bugzilla move on the coming weekend
[20:32:29] <jdsn> that's what kept us busy days 'and nights' ...
[20:32:41] <jdsn> for many services this will mean just a small config change
[20:32:57] <jdsn> but as the schedules are no longer as tight as they were until yesterday, we have now time to spread the switch of services using that authentication backend step by step
[20:33:57] <lcp> alright, I am actually very curious about your current system first and foremost
[20:33:59] <jdsn> the diagram is very simplified, it should just show that we remove any dependency from MF and Novell-Servers and other datacenters
[20:35:11] <cboltz> so basically (and even more simplified) s/Novell account/SUSE account/ ?
[20:35:30] <lcp> I assume your new system is email based and not username based, how does username mapping work for the existing services?
[20:36:04] <jdsn> bugzilla is email-based, all other systems afaik are uid based
[20:36:08] <lcp> I assume based on the lack of username entry in the register and login fields on suse.com ;)
[20:36:23] <adrianS> it is the same data as until now, except for the password.
[20:36:26] <lcp> well, obs is username based at the moment
[20:36:30] <jdsn> we do not map, we use the same data
[20:37:07] <King_InuYasha> it looks like scc is moving to email based (which makes me happy)
[20:37:24] * King_InuYasha is still annoyed that his suse account is ngompa when it's for his partner-related work
[20:37:53] <adrianS> scc is using Okta, but this is out of scope for development work and IMHO also for opensuse cost wise ....
[20:38:02] <King_InuYasha> thank goodness
[20:38:11] <King_InuYasha> I don't want to deal with Okta more than I already have to
[20:39:44] <adrianS> btw, we will switch the first internal services tomorrow to the new system of jdsn to see how it works in real life
[20:40:08] <King_InuYasha> wait, what?
[20:40:10] <King_InuYasha> why?
[20:40:21] <mcaj_away> fingers crossed
[20:40:28] <King_InuYasha> also, what are "internal services"?
[20:40:39] <jdsn> SUSE-internal
[20:40:48] <jdsn> our internal Build-Service e.g.
[20:40:52] <King_InuYasha> ah okay
[20:40:53] <lcp> does that include switching over internal openQA? :D
[20:41:18] <jdsn> not tomorrow :)
[20:41:40] <lcp> I see, I see
[20:42:18] <King_InuYasha> jdsn: how much has the timeline been loosened?
[20:42:20] <lcp> alright, so I would like to know what the goals are for switching over openSUSE stuff
[20:42:48] <jdsn> the migration phase "can" happen until end of June
[20:42:54] <jdsn> but that is a very hard stop
[20:43:09] <jdsn> we want to move as many services as possible in the next 2 weeks
[20:43:16] <jdsn> we = SUSE internal
[20:43:20] <jdsn> sorry
[20:43:47] <Redtigra> I'll answer about timeline
[20:43:49] <jdsn> and I would recommend to also move the openSUSE services rather early because there is one good reason:
[20:43:53] <adrianS> And I would like to move build.opensuse.org also asap to avoid that we run into problems due to different new accounts ...
[20:44:10] <adrianS> (same login name, but different user)
[20:44:27] <Redtigra> it turned out that the auth backend is required to be cut off by May 18th for Bugzilla only
[20:44:30] <jdsn> people who do not have a valid email address set in their account (and won't change it because they would lose access to their bugzilla entries) will have to migrate their account
[20:44:37] <cboltz> adrianS: sounds unlikely - account creation is currently broken :-/
[20:44:51] <Redtigra> that's the Bugzilla cut over requirement, not the whole auth.
[20:44:55] <jdsn> this migration works with the old AccessManager still in place and with your old credentials - and this without a password reset mail
[20:44:57] <adrianS> cboltz: well, that is good from this POV :)
[20:45:11] <jdsn> after the end of June we can only offer password reset mails
[20:45:27] <King_InuYasha> Redtigra, jdsn: so lcp and I have been mostly operating under the assumption that everything needs to cut over in two weeks
[20:46:01] <Redtigra> as Daniel said, we'd like to complete migration as early as possible to a) avoid two accounts and b) to have some time in case things go wrong at some place/moment
[20:46:09] <cboltz> adrianS: that's the only positive thing about the broken account creation...
[20:46:19] <adrianS> cboltz: I agree
[20:46:20] <jdsn> King_InuYasha: so were we until yesterday :)
[20:46:28] <jdsn> think how well I slept last night
[20:46:29] <Redtigra> King_InuYasha, so did we :D
[20:46:32] <jdsn> :)
[20:47:01] <King_InuYasha> so, on our side (oS Heroes), lcp and I had been working on decoupling from Novell accounts since late 2018
[20:47:31] <King_InuYasha> in January, we started working with the Fedora AAA folks to enumerate our requirements and mesh them into their solution that they were developing to replace FAS
[20:47:39] <King_InuYasha> (FAS is Fedora Account System, their legacy platform)
[20:47:45] <lcp> and there were 2 reasons, foundation and infra independence
[20:48:01] <lcp> and we grew some more reasons along the way
[20:48:38] <jdsn> I see the point - and - I even support it
[20:48:41] <King_InuYasha> in February, we enumerated the list of applications we needed to handle for accounts, and in March started working on that effort
[20:49:00] <jdsn> on the other hand SUSE is providing services to their communities and employees and customers
[20:49:07] <King_InuYasha> the original plan was to split the accounts slowly and cut over by the openSUSE Conference this year
[20:49:17] <lcp> as you might know, heroes internally use freeipa for various parts of IPA management, and we wouldn't like to part ways with that, for now at least
[20:49:20] <jdsn> and these are certified, so SUSE must be in control of this identity system
[20:49:43] <King_InuYasha> this requirement does not apply in the openSUSE case, based on the conversation I've had with gp_
[20:49:45] <jdsn> but we can offer to oS to make use of it as oS did until now
[20:50:38] <King_InuYasha> so I'm confused why this point was brought up
[20:51:02] <King_InuYasha> because outside of bugzilla (which needs special handling anyway), nobody in the community side sees or controls SUSE-internal stuff
[20:51:09] <King_InuYasha> only the other way around
[20:51:27] <adrianS> well, if you can control the identity, you can become everyone and see all content
[20:51:34] <lcp> hopefully
[20:51:40] <King_InuYasha> what makes SUSE more special than openSUSE?
[20:51:48] <jdsn> that's also not true for Jira/Confluence
[20:51:53] <King_InuYasha> which we cannot use
[20:52:02] <King_InuYasha> nobody in the community can use or access those systems
[20:52:02] <jdsn> a Common Criteria Certification
[20:52:04] <adrianS> the certification requires that only written down people can control the identity system who are employees
[20:52:15] <lcp> openSUSE uses neither Jira nor Confluence tho
[20:52:25] <darix> lcp: but the same account DB is used for both
[20:52:31] <lcp> we don't care about those
[20:52:32] <jdsn> community is bigger than oS :)
[20:52:37] <adrianS> King_InuYasha: you cannot become another identity if you are root on the IDM server?
[20:52:51] <King_InuYasha> adrianS: not easily, no
[20:53:08] <darix> King_InuYasha: that is a few ldapmodify :P
[20:53:10] <King_InuYasha> it's possible, of course, but the architecture does not make that simple to do
[20:53:30] <King_InuYasha> adrianS: why should oS applications trust SUSE IdM in the same manner?
[20:53:39] <jdsn> something like "we don't care about those" makes it harder to consolidate
[20:53:49] <adrianS> King_InuYasha: that is a valid question
[20:53:54] <King_InuYasha> right
[20:53:55] <jdsn> from a user (or customer) perspective it would mean yet another login
[20:54:06] <lcp> but we would have to split that stuff either way, due to foundation stuff
[20:54:09] <adrianS> however, if we decide for a split, it means we also need to split bugzilla and some OBS content
[20:54:24] <adrianS> basically we would work more separate and less together
[20:54:39] <King_InuYasha> jdsn: my experience in Fedora ecosystem has shown that it works quite well with FAS and RH/Customer and RH/Employee being separate
[20:54:54] <adrianS> IMHO the opposite should be the goal .... as we see with the "open SUSE bugs" discussion
[20:55:36] <King_InuYasha> then the question becomes, should we unite under SUSE? or under openSUSE?
[20:55:51] <jdsn> that's also my take, and also the goal of the closing the leap gap project
[20:55:54] <King_InuYasha> my feeling is that we should unite under openSUSE, and federate SUSE into openSUSE
[20:55:56] <adrianS> we would need separate instance and write some additional code to be able to connect accounts
[20:56:04] <adrianS> all doable, but not cheap
[20:56:11] <King_InuYasha> adrianS: lcp and I have already been thinking about it and working on it
[20:56:28] <King_InuYasha> we knew going in that we'd have to solve this, and we assumed that this is something we need to do
[20:57:12] <adrianS> you mean connecting accounts, not building up new bugzilla and OBS servers, right?
[20:57:14] <King_InuYasha> yes
[20:57:31] <King_InuYasha> I maintain enough OBS servers :)
[20:58:22] <King_InuYasha> the openSUSE accounts system that lcp and I have been working on basically non-stop for two months is very extensible
[20:58:40] <King_InuYasha> and our goal is that SUSE Linux 16 platform will let us switch fully over to openSUSE Leap 16 for the infra
[20:58:53] <King_InuYasha> we will aggressively switch things over to openSUSE Leap as it becomes technically feasible
[20:59:35] <King_InuYasha> we are using Fedora servers for now to speed up deployment, and it helps with working with our friends in Fedora on this
[21:00:53] <King_InuYasha> adrianS, jdsn: this work is also how I've made the biggest push to get Red Hat to release the sources for Red Hat Bugzilla
[21:01:01] <darix> I vote for fewer accounts not more.
[21:01:16] <King_InuYasha> which includes their multi-auth module for Bugzilla
[21:01:20] <jdsn> I think we can have such a discussion at a given time, the topic now should be to plan for the switch of the openSUSE services to Univention - because the timer is ticking
[21:01:21] <King_InuYasha> using SAML 2
[21:01:41] <lcp> me too, that's why heroes accounts would be merged with this system so we would have in total the same number of accounts
[21:01:55] <lcp> not more
[21:01:56] <jdsn> nothing prevents us from separating after the Univention system is live
[21:02:44] <jdsn> and with less dependencies now it should be even easier technically
[21:02:47] <darix> lcp: for everyone who works for suse it means more accounts not less.
[21:02:52] <darix> you should really see both sides
[21:02:58] <lcp> yes, I do think we should do it after, however I can already hear adrianS complaining about this :P
[21:03:11] <King_InuYasha> we can target sso.opensuse.org to the univention server
[21:03:11] <jdsn> me too :)
[21:03:22] <jdsn> I even see pros and cons for both sides
[21:03:26] <King_InuYasha> that way applications don't have to be aware once we switch the backends
[21:03:30] <jdsn> so even I am split :)
[21:03:52] <King_InuYasha> as someone who is both a suse partner/customer and opensuse contributor, I *really* prefer those two being split
[21:04:18] <lcp> well then, maybe get OBS to support more protocols, so we can have multiple openid connect providers there
[21:04:20] <jdsn> again: I see this as topic for later
[21:04:21] <King_InuYasha> but I recognize others care otherwise
[21:04:21] <darix> King_InuYasha: and I would even prefer to have just 1 account for all suse stuff
[21:04:25] <darix> *really*
[21:04:34] <lcp> omniauth would support this
[21:04:34] <jdsn> the new schedule gives us more time, but let's not waste it now
[21:04:49] <King_InuYasha> jdsn: how far along are you on the data import for openSUSE data?
[21:04:59] <adrianS> lcp: again, it is not about the protocols in first place, that is really a detail. It is about the trust of the content
[21:05:05] <jdsn> King_InuYasha: it's done :)
[21:05:16] <King_InuYasha> if you can bridge the ldap endpoint into heroes servers, we can make sso.os.o talk to it and provide saml2, oidc, and openid
[21:05:24] <adrianS> and given that one can become root on many systems via OBS I am indeed really conservative, I admit
[21:05:39] <adrianS> but it is not my decision at the end of the day
[21:05:47] <jdsn> Univention already offers saml
[21:05:51] <adrianS> but I want to make sure that all sides understand what they are doing ...
[21:05:53] <jdsn> and openid connect
[21:06:04] <King_InuYasha> jdsn: but not plain openid
[21:06:13] <lcp> I get it, I get
[21:06:14] <King_InuYasha> and I think connecting to our endpoint will result in fewer app changes
[21:06:19] <jdsn> correct, that's what Bernhard is working on ;)
[21:06:24] <adrianS> but given the certifications, it *will* mean we need to build up new OBS and bugzilla instances
[21:06:36] <jdsn> King_InuYasha: ok, also good point
[21:06:38] <adrianS> at least as long as SUSE says that these certifications are important
[21:06:50] <King_InuYasha> jdsn: and if you want, you can deploy ipsilon internally for suse openid
[21:07:01] <King_InuYasha> it's free software: https://pagure.io/ipsilon
[21:07:05] <lcp> adrianS: I wonder where in OBS there is anything hidden tbh
[21:07:06] <darix> no we don't
[21:07:19] <adrianS> lcp: for security updates under embargo
[21:07:34] <lcp> oh, really?
[21:07:35] <adrianS> and we would need to rethink some syncing stuff IMHO
[21:07:51] <adrianS> yes, all can be done, but it has consequences
[21:07:56] <King_InuYasha> jdsn: I'm also packaging it for openSUSE, though some small work needs to be done to fix the configs and such
[21:07:59] <gp_> I can guarantee that kind of assurances/certifications will remain relevant for a long time.
[21:08:00] <adrianS> and means work :)
[21:08:12] <lcp> hm, that does make sense, I was always thinking this is done in IBS instead
[21:08:26] <King_InuYasha> I assumed this work was done in IBS as well
[21:08:37] <darix> King_InuYasha: not if the target is opensuse
[21:08:43] <King_InuYasha> at work, I tended to use the cross-system copypac to push out publicly
[21:08:44] <adrianS> lcp: well, would be an option to do it only in IBS and not include community maintainers anymore
[21:08:55] <adrianS> but IMHO not wanted
[21:09:12] <King_InuYasha> adrianS: if you're involving community maintainers already, what's the net-change on the situation?
[21:09:16] <lcp> well, Leap stuff is synced from SLE, so how does that collaboration work
[21:09:27] <adrianS> King_InuYasha: it is only on topic and it is documented
[21:09:39] <adrianS> it is not that multiple people can see *everything*
[21:09:39] <darix> lcp: not all of it.
[21:09:58] <adrianS> same for bugzilla
[21:10:05] <lcp> that's true, but this seems like the goal of jump :P
[21:10:11] <adrianS> those are not my rules, just like common criteria is designed ...
[21:10:23] <adrianS> but we need to ensure to follow the rules ... with blood
[21:10:49] <adrianS> consequences of a violation are not really nice ...
[21:11:07] <King_InuYasha> I know :(
[21:11:16] <King_InuYasha> I've had to follow those rules before
[21:11:31] <darix> personally I thought all your freeipa+ipsilon work was just for heroes stuff not for all of opensuse TBH
[21:11:31] <King_InuYasha> I know what they are and how to deal with many of them
[21:12:11] <darix> I mean, did you ask what the suse plans are before starting with the work?
[21:12:13] <lcp> darix: some of it, yeah
[21:12:22] <King_InuYasha> darix: we *did*
[21:12:25] <darix> aha
[21:12:26] <King_InuYasha> for almost a year
[21:12:38] <King_InuYasha> nobody ever responded to any inquiry by us
[21:12:45] <darix> who did you ask? :)
[21:13:00] <lcp> jdsn: :D
[21:13:27] <King_InuYasha> we have tried *very* hard to consider everything when we started this work _last year_ after oSC
[21:13:53] <darix> just curious you never spoke to me about it after osc :)
[21:14:10] <jdsn> lcp: that was not "for years" ;) I've been in the team since last October :)
[21:14:15] <lcp> I should have asked during oSC >:D
[21:14:25] * adrianS wished he knew that so many people would join FreeIPA work, that would have maybe changed the decision last year, since we evaluated it as well ...
[21:14:27] <lcp> I forgot tho, and had to run to do a talk anyway
[21:14:40] <King_InuYasha> adrianS: freeipa suse platform was merged in
[21:14:40] <jdsn> and yes, I meanwhile found your mail - it was directed to me alone :(
[21:14:41] <lcp> jdsn: no, we asked you recently, yeah
[21:15:03] <King_InuYasha> adrianS: thanks principally to lcp (with me helping a bit) we now have scaffolding in freeipa
[21:15:13] <adrianS> King_InuYasha: it is not SLE maintained since we don't have enough maintainer power internally
[21:15:19] <lcp> I worked on getting it ready
[21:15:20] <King_InuYasha> yeah, yeah
[21:15:26] <lcp> and it is getting backported to the next freeipa 4.8 release and obviously 4.9
[21:15:27] <gp_> As a general recommendation: Don't run into timeouts, find alternate comms (means of comms or contacts).
[21:15:31] <adrianS> so we just had the chance to employ new people for it or to buy in support
[21:15:41] <darix> freeipa actually was rejected in the internal evaluation
[21:15:46] <darix> adrianS: ^
[21:15:54] <darix> for technical reasons
[21:16:00] <adrianS> well, not technically rejected, it was a support topic in first place
[21:16:14] <darix> so we actually looked at it
[21:16:19] <lcp> gp_: actually, we didn't really know who to contact either
[21:16:32] <darix> lcp: in doubt the board
[21:16:40] <King_InuYasha> we definitely talked to the board
[21:16:42] <King_InuYasha> they knew
[21:16:43] <lcp> we really only got jdsn after kl_eisbaer pointed at them
[21:16:56] * adrianS did also speak with the old board about IDM system last year just for the record ;)
[21:18:02] <lcp> clearly I should have asked rb about it too >:D
[21:18:04] <adrianS> but frankly, in the current situation, I would like to stay away from the past analyses and like to find what we do now to rescue the situation in first place
[21:18:32] <gp_> lcp: I've been handling a load of (MF) IT related escalations the last seven months, cboltz felt some pity for me. That one did not come up as one.
[21:18:33] <adrianS> afterwards one can do a better critique with some distance ....
[21:18:59] <gp_> Yeah, and it's not I am asking for more escalations. :)
[21:19:00] <jdsn> lcp: and sorry again, that question hit when I was too busy because we were under high pressure - I still have hundreds of unread mails ;)
[21:19:20] <King_InuYasha> at least concretely, what we can do is set up an sso.opensuse.org instance talking to UCS
[21:19:36] <King_InuYasha> and move all the apps on openSUSE side to sso.opensuse.org
[21:19:38] <lcp> yeah, I still have the virtue of being able to respond to my emails in under 10 seconds :P
[21:19:52] <darix> lcp: we can hire you. would make that problem go away ;)
[21:19:58] * King_InuYasha has almost 100 folders and filters so that he can respond quickly
[21:19:58] <jdsn> lucky you ;)
[21:20:04] <adrianS> jdsn: bmwiedemann: when do you think you can have sso.opensuse.org running with ucs?
[21:20:21] <jdsn> I also filter, I did not even count the unread in the folders ;)
[21:20:23] <lcp> I will count that as the second time I was asked to work for SUSE darix even if it was a joke :P
[21:20:41] * King_InuYasha is actually amazed lcp doesn't work for SUSE at this point
[21:20:55] <jdsn> tbh: we need to focus on the internal services next week
[21:20:56] <gp_> But let's take Redtigra up on her offer last week and/or use me (in case it is needed - no hurt feelings if not ;-).
[21:21:02] <bmwiedemann> sometime after bugzilla and OBS switch?
[21:21:11] <jdsn> but after that we can find out what's needed to make it happen
[21:21:24] <darix> bmwiedemann: moving the vhost to you is relatively easy
[21:21:33] <King_InuYasha> we wouldn't move the vhost
[21:21:39] <King_InuYasha> there'd be no point
[21:22:10] <jdsn> it would need access to our DMZ though
[21:22:22] <King_InuYasha> jdsn: yeah, that's the tricky bit
[21:22:30] <jdsn> or it could be routed externally
[21:22:39] <adrianS> King_InuYasha: what would run on sso.opensuse.org ?
[21:22:43] <King_InuYasha> ipsilon
[21:23:01] <King_InuYasha> ipsilon is not strictly tied to freeipa
[21:23:11] <adrianS> ic
[21:23:12] <King_InuYasha> it's _easiest_ with it, but it can work with generic ldap and krb5
[21:23:15] <darix> King_InuYasha: last year you told me that ipsilon requires freeipa
[21:23:36] <King_InuYasha> that's before puiterwijk told me how to do it without freeipa
[21:23:56] <lcp> and that would allow us to actually set up our own applications instead of having to ask you for it :P
[21:23:56] <King_InuYasha> it's much more annoying and manual, and some features go away, but it works
[21:24:28] <darix> King_InuYasha: JFYI: UCS comes with konnect ( https://github.com/Kopano-dev/konnect ) so it could do openid too
[21:24:33] <adrianS> problem would be (maybe) that this vhost would need to be under exclusive control of eng-infra team
[21:24:44] <King_InuYasha> konnect does not do openid
[21:24:45] <adrianS> because you could sniff passwords there, right?
[21:24:57] <King_InuYasha> adrianS: not with https
[21:25:03] <darix> King_InuYasha: you could in the app.
[21:25:04] <darix> :)
[21:25:17] <lcp> yes
[21:25:24] <darix> and UCS has saml
[21:25:36] <darix> yes it is openid connect. to be exact.
[21:25:38] <King_InuYasha> darix: you better not be suggesting we make all the contributors for all the third party apps made by _not us_ to port away from regular openid?
[21:25:46] <King_InuYasha> openid connect != openid
[21:25:54] <King_InuYasha> completely different protocol
[21:26:00] <darix> i am aware
[21:26:06] <jdsn> and UCS could have all that you contribute to it, they are developing it openly on github.com and PRs are very welcome
[21:26:13] <adrianS> that is understood, bmwiedemann is therefore working on openid (not connect)
[21:26:43] <King_InuYasha> jdsn: I am one of the maintainers for ipsilon itself upstream, why would I also do that?!
[21:27:11] <jdsn> why shouldn't you?
[21:27:16] <King_InuYasha> I don't have time :)
[21:27:21] <bmwiedemann> if ipsilon does openid, we might also be able to use that.
[21:27:35] <King_InuYasha> it definitely does, most fedora apps are openid
[21:27:46] <jdsn> it could save time to maintain a separate VM though if it was supported natively - right?
[21:28:00] <King_InuYasha> jdsn: are you asking me to package ipsilon for debian?
[21:28:09] <King_InuYasha> because if you are, I guess I can do that, as irritating as that would be
[21:28:15] <jdsn> no, that hint was not specifically for you ;)
[21:28:40] <jdsn> and Univention is open to work with us on running their product on SUSE as well
[21:28:54] <King_InuYasha> bmwiedemann: fedora uses primarily openid and openidc, with saml being used for bugzilla
[21:28:56] <gp_> That, by the way, would be really cool.
417
[21:29:00] <jdsn> then we could use your package directly ;)
418
[21:29:08] <darix> *nods*
419
[21:29:13] <gp_> Both openSUSE and SLE. :)
420
[21:29:49] <adrianS> bmwiedemann: maybe you could try to get ipsilon running with ucs ... and maybe King_InuYasha could give you some hints if you struggle? :)
421
[21:29:56] <King_InuYasha> sure
422
[21:30:00] <King_InuYasha> I like bmwiedemann :)
423
[21:30:23] <jdsn> King_InuYasha: I guess he has many fans
424
[21:30:25] <King_InuYasha> he makes git repos for opensuse packages
425
[21:30:29] <King_InuYasha> that makes me a fan of him
426
[21:30:43] <Redtigra> he does :)
427
[21:30:53] <darix> aha that's why you dont ask me about that anymore!
428
[21:31:00] <bmwiedemann> :-)
429
[21:31:00] <jdsn> thats why I sit next to him in the office ;)
430
[21:31:29] <lcp> well, as far as I'm aware the office doesn't exist anymore due to covid
431
[21:31:36] <King_InuYasha> :'(
432
[21:31:46] <darix> lcp: the office exists! we are just hiding elsewhere :P
433
[21:31:50] <jdsn> its still there: I can prove :)
434
[21:31:51] <King_InuYasha> the nuremburg office is quite nice too
435
[21:31:56] <jdsn> but its pretty empty
436
[21:31:59] <King_InuYasha> my visit there was pleasant
437
[21:33:07] <King_InuYasha> jdsn: I'd like for us to be able to go with our original timeline of splitting the accounts by August/September
438
[21:33:21] <King_InuYasha> that's a lot less panicky and we can be methodical about the integration work
439
[21:33:28] <darix> King_InuYasha: are you really really sure that everyone really wants that?
440
[21:33:51] <bmwiedemann> does it make sense to split before there is an openSUSE foundation?
441
[21:34:00] <lcp> well, do you want to maintain connect? >:P
442
[21:34:06] <jdsn> not sure if in that timeline all technical details can be sorted out, but well you can try :)
443
[21:34:09] <King_InuYasha> bmwiedemann: yes, because then we don't have legal chaos on top of the splitting part
444
[21:34:16] <darix> lcp: we can kill connect without freeipa
445
[21:34:32] <jdsn> and also, I'd like to see that really many many people want that split
446
[21:34:40] <jdsn> ... after they understood the implications
447
[21:34:43] <lcp> we can't if we don't have an alternative to connect
448
[21:34:43] <darix> we can even do that member group in UCS
449
[21:34:56] <lcp> and email aliases?
450
[21:35:05] <lcp> and viewable profiles?
451
[21:35:08] <King_InuYasha> so you're asking us to write a new app for managing the self-service portal then
452
[21:35:13] <darix> lcp: we dont really need our own social network
453
[21:35:14] <King_InuYasha> because that piece *does* require FreeIPA
454
[21:35:27] <gp_> Is it fair to say that for the next months the two top priorities are:
455
[21:35:27] <darix> no
456
[21:35:40] <gp_> 1. Survive (in various meanings of that)
457
[21:35:47] <gp_> 2. Get away from Micro Focus IT?
458
[21:35:58] <darix> the *only* thing the we should preserve from connect is membership handling
459
[21:36:07] <darix> we do not need our own social network
460
[21:36:08] * cboltz would even do that in reverse order
461
[21:36:18] <jdsn> :)
462
[21:36:40] <lcp> I am curious what to do with links to https://www.suse.com/selfreg/jsp/createOpenSuseAccount.jsp?login=Sign+up
463
[21:36:48] <lcp> since we have a few places that do link there
464
[21:36:53] <darix> lcp: UCS comes with self mgmt?
465
[21:37:09] <darix> so we point the links to that
466
[21:37:10] <jdsn> UCS will offer a self registration tool
467
[21:37:11] <kl_eisbaer> I'm sorry: here is someone waiting for his bedtime story since an hour... King_InuYasha: your machine is up and running: ssh root@fedora-freeipa.infra.opensuse.org should work for you and lcp. As usual: no Salt, no other stuff done (beside basic services setup and updates installed).
468
[21:37:19] <King_InuYasha> kl_eisbaer: thanks :)
469
[21:37:20] <lcp> it does, I know
470
[21:37:26] <adrianS> lcp: there will be a new self service portal behind idp-portal.suse.com IIRC
471
[21:37:34] <kl_eisbaer> bye
472
[21:37:41] <King_InuYasha> kl_eisbaer: your work is appreciated :D
473
[21:37:44] <adrianS> lcp: for creating, editing, password change/reset
474
[21:37:47] <lcp> where do we link NOW tho
475
[21:38:02] <King_InuYasha> adrianS: and memberships? groups? identity linkage?
476
[21:38:17] <King_InuYasha> are _those_ parts also self-service?
477
[21:38:24] <lcp> https://www.microfocus.com/selfreg/jsp/createOpenSuseAccount.jsp stopped working, since the form requires more than it has fields
478
[21:38:28] <lcp> where do we link
479
[21:38:41] <jdsn> idp-portal.suse.com
480
[21:38:48] <adrianS> lcp: It might become https://idp-portal.suse.com/univention/self-service
481
[21:38:51] <lcp> but that's down
482
[21:38:57] <adrianS> yep, not there yet
483
[21:39:13] <lcp> I assume people just don't create accounts rn?
484
[21:39:14] <jdsn> some firewall bits need to be sorted out still
485
[21:39:24] <jdsn> but it will be there before the weekend
486
[21:39:57] <jdsn> lcp: that would be actually good, because then our diff dump is empty ;)
487
[21:40:08] <lcp> that seems like a very rocky move compared to how we wanted to do this :/
488
[21:40:12] <adrianS> And for some time we will have https://idp-migrate.opensuse.org to be able to set the new password via the old one
489
[21:40:22] <adrianS> but that is temporary
490
[21:40:28] <lcp> well, you can't sign up to any openSUSE infra at the moment
491
[21:40:46] <adrianS> lcp: understood, only MF-IT can fix that :/
492
[21:40:48] <lcp> which sure is great, and sure doesn't generate us a lot of emails and questions in support chats
493
[21:41:07] <adrianS> it is not wanted, we are prepared for importing further accounts
494
[21:41:22] * adrianS heard the first time here about it
495
[21:41:59] <lcp> it is a ticket in opensuse-admin on progress
496
[21:42:15] <adrianS> but as jdsn said, if we have the portal running until end of the week, people can create at least new accounts for the services which switch over ....
497
[21:42:40] <lcp> so when do we switch over with login proxies then
498
[21:42:42] <adrianS> lcp: hm, someone (a suse employee) needs to make a MF-IT ticket out of it most likely...
499
[21:43:01] <lcp> since we will have to change links to registration pages
500
[21:43:07] <lcp> everywhere
501
[21:43:30] <adrianS> right
502
[21:43:59] <adrianS> and we can not do a redirect .... hm, maybe we should create a single instance already?
503
[21:44:00] <lcp> at least we know where, since we are somewhat prepared already >:D
504
[21:44:22] <adrianS> I mean we could adapt the links already and point to eg. idp.opensuse.org/register
505
[21:44:36] <adrianS> and redirect from the to microfocus for now
506
[21:44:49] <adrianS> but we can switch to the new side with one change there
507
[21:44:53] <adrianS> later
508
[21:45:19] <adrianS> so we could already prepare for it and do not need to wait...
509
[21:45:23] <lcp> alright, sounds good
510
[21:45:34] <cboltz> given that the MF registration page is broken, maybe better redirect to a "sorry" page...
511
[21:45:50] <adrianS> or that ...
512
[21:46:16] <cboltz> it's less disappointing than filling a form, and then getting an error message saying that you didn't fill non-existing fields
513
[21:46:52] <adrianS> hm, okay, who should build up that vhost?
514
[21:46:57] <cboltz> (but then, maybe someone is smart enough to live-edit the form in firefox, add those fields, and register? ;-)
515
[21:47:09] * adrianS is able to do redirections but unable to do a nice web page :)
516
[21:47:12] <darix> adrianS: it needs to be on the non hero side?
517
[21:47:21] <adrianS> darix: does not matter
518
[21:47:48] <darix> adrianS: well you can even do it on haproxy itself
519
[21:48:05] <adrianS> you can, I can not :)
520
[21:48:59] <darix> I will teach you!
521
[21:49:03] * adrianS won't be able to stay for much longer without being killed ....
522
[21:49:31] <adrianS> okay, so, for some conclusion
523
[21:49:31] <jdsn> the latter would not make you stay either ;)
524
[21:51:08] <adrianS> well, if no one else want's to do it, but everyone says it is a good idea to have it. I can do it on login proxies directly
525
[21:51:24] <adrianS> and drop a mail to admin mailing list, so that all services can be adapted
526
[21:51:32] <adrianS> is that a plan?
527
[21:51:57] <jdsn> +1
528
[21:52:13] <adrianS> who would use it? ;)
529
[21:52:56] <jdsn> adrianS: I guess, the both of us are alone here :)
530
[21:53:01] <adrianS> sorry, need to leave .... if you want me to do it, please drop me a mail.
531
[21:53:04] <bmwiedemann> still here
532
[21:53:25] <adrianS> good evening
533
[21:53:31] <jdsn> CU
534
[21:55:19] <jdsn> I'll be around for a few minutes before I have to leave
535
[21:55:24] <bmwiedemann> I need to get some sleep as well. Will try ipsilon soon.
536
[21:55:30] <jdsn> ok
537
[21:55:56] <jdsn> so back to moderator cboltz
538
[21:56:01] <Redtigra> thanks for the discussion and great to meet you all
539
[21:56:12] <Redtigra> leaving too
540
[21:56:40] <cboltz> I hope you all will also join the next meetings ;-)
541
[21:57:50] <cboltz> so - do we have more things to discuss?
542
[22:00:21] <gp_> Hardware requests from the heroes?
543
[22:00:38] <gp_> Not as in "let's discuss this here and now", but a reminder that since
544
[22:01:00] <gp_> the heroes meeting in November I haven't seen a list yet, and while times
545
[22:01:34] <gp_> right now are not easy (COVID-19 and such), I suggest you work on this and share.
546
[22:02:16] <cboltz> I know that Lars started to work on it (I've even seen a very rough draft), but he was probably side-tracked by other work
547
[22:03:09] <cboltz> I wouldn't be surprised if he's still busy with carveout stuff, so I'm not sure if reminding him _now_ makes sense
548
[22:06:31] <tuanpembual> thanks all, need back to sleep,
549
[22:06:36] <tuanpembual> good morning
550
[22:07:33] <cboltz> good night ;-)
551
[22:09:26] <lcp> I guess I could mention creating the list of the maintainer of various openSUSE applications that fall outside of heroes
552
[22:09:41] <lcp>  * I guess I could mention creating the list of the maintainers of various openSUSE applications that fall outside of heroes
553
[22:10:01] <lcp> since I had to contact some of them about some stuff as you might know
554
[22:10:47] <cboltz> right, good idea
555
[22:11:36] <gp_> cboltz: Yes, understood, but it's been half a year now, and at one point there may be a (SUSE) budget exercise coming up.
556
[22:12:26] <cboltz> lcp: since you now know the first people, just start that list in the admin wiki - and feel free to use questionmarks if you don't know the people for some services
557
[22:13:16] <cboltz> gp_: from what I remember, this might become a case of "be careful with your wishes" ;-)
558
[22:15:30] <cboltz> basically the idea was 3 big servers (1 TB RAM) + Netapp for storage (rotating rust for download.o.o, SSDs for everything else) - ideally at multiple locations, not only in NBG
559
[22:16:02] <cboltz> no idea what this means money-wise, my computers are typically a bit ;-) cheaper :-P
560
[22:17:21] <lcp> sure
561
[22:18:21] <lcp> I do wonder what's the unknown with the budget though
562
[22:19:08] <lcp> because this might become a bigger deal with foundation I assume
563
[22:20:13] <cboltz> I hope that's one of the reasons why gp_ asks for it *now* ;-)
564
[22:21:33] <cboltz> so that he can make Mexico^WSUSE pay for it
565
[22:25:15] <darix> lcp: JFYI: my recommendation in the past was ... membership is a project in progress. tickets for evaluation are in that
566
[22:25:29] <darix> and the email aliases could be just a text file in gitlab.i.o.o
567
[23:09:27] <lcp> darix: we considered it
568
[23:09:57] <lcp> it might be how we go about memberships too
569