
2020-06-02-heroes-meeting.txt

IRC meeting log - cboltz, 2020-06-03 11:19

 
2020-06-02 #opensuse-admin - heroes meeting

    
[19:59:29] <bmwiedemann1> hi here
[20:01:04] <cboltz> hi everybody, and welcome to the heroes meeting!
[20:01:16] <Eighth_Doctor> hey all
[20:01:30] <cboltz> the topics are listed on https://progress.opensuse.org/issues/66463 - but we can add topics if needed
[20:01:48] <cboltz> so - let's do two things in parallel:
[20:01:53] <cboltz> a) who's here?   and
[20:01:59] <bmwiedemann1> I
[20:02:00] <cboltz> b) does someone from the community have a question?
[20:02:33] <pjessen> good evening all
[20:02:49] * jdsn is here
[20:04:58] <cboltz> since nobody dared to ask a question, let's continue with status reports
[20:06:11] <cboltz> so - who has something to report?
[20:06:17] <pjessen> from me - not really much of my doing, but the opensuse forums having been running in NBG for a while now.
[20:06:52] <pjessen> there are a few issues to be ironed out, but overall we're goog
[20:06:56] <pjessen> good
[20:07:42] <pjessen> otherwise I'm slowly working off the queue of mirror issues I opened priot to corona
[20:08:14] <pjessen> I also promise to take a lessons in typing. Very soon.
[20:08:22] <pjessen> and english.
[20:08:38] <cboltz> ;-)
[20:09:09] <cboltz> funny one from me - I repaired rendering of counter.o.o - someone, probably I, did run the render job as root a year ago when firefighting it, and now it lacked permissions to overwrite these files ;-)
[20:10:49] <cboltz> does someone else have status reports?
[20:10:58] <pjessen> there are some open issues wrt forums still - database location and getting a news server running.
[20:11:11] <bmwiedemann1> I kicked download.o.o VM after it crashed on monday
[20:12:02] <pjessen> bmwiedemann1: i didn't notice. what happened?
[20:12:33] <bmwiedemann1> not sure. We didn't find logs, but it was down for ~25m
[20:12:50] <bmwiedemann1> maybe oom
[20:12:52] <pjessen> wow.  very unusual.
[20:12:55] <bmwiedemann1> or kernel crash
[20:15:17] <pjessen> hej olav
[20:15:40] <oreinert> hejsa
[20:15:56] <cboltz> I think we can continue with the next topic - status of www.o.o/openid migration
[20:16:17] <cboltz> (I didn't expect the "fun" we had with it when adding that topic - but I'll let bmwiedemann1 report ;-)
[20:17:41] <bmwiedemann1> So somehow the service provided by MF-IT stopped working yesterday
[20:17:57] <bmwiedemann1> underlying curl https://130.57.66.6 shows a timeout
[20:18:26] <bmwiedemann1> Lars said, there was some kernel crash or so, but somehow they did not manage to fix it yet
[20:19:01] <bmwiedemann1> so I keep working on the ipsilon deployment as stop-gap (not fully production-ready with sqlite)
[20:20:22] <bmwiedemann1> we tried to switch to it during this day but found that it produced different identity URLs
[20:20:28] <bmwiedemann1> and I am very close to fixing that
[20:21:25] <cboltz> :-)
[20:23:50] <bmwiedemann1> I just need to find out if old URL was https://www.opensuse.org/openid/user/bmwiedemann or with trailing slash (because ipsilon code tries to force the latter)
[20:24:47] <cboltz> I'd guess the answer might be in the openqa database
[20:25:01] <bmwiedemann1> okurz might know ^
[20:26:45] <bmwiedemann1> I guess, we can get a temp-fix done tomorrow
[20:27:02] <cboltz> sounds good
[20:27:17] <cboltz> and I wouldn't be surprised if you are faster than MF-IT can reboot the server in Provo ;-)
[20:28:37] <bmwiedemann1> let's make it a race.
[20:29:44] <bmwiedemann1> there are other aspects about openid. E.g. we need to find out if we need a different domain from id.o.o to pass common criteria certification.
[20:31:11] * cboltz has no idea about certification paperwork
[20:31:18] <jdsn> background: SUSE is in the process of being certified under common criteria and we have to take special care about systems that deal with our login credentials
[20:31:20] <bmwiedemann1> do you think, it would be an issue for our users, if logins went through some secure-suse.tld domain?
[20:32:26] <pjessen> bmwiedemann1: isn't that much how it used to work with mf-it ?
[20:32:36] <bmwiedemann1> sort of, yes.
[20:33:40] <Eighth_Doctor> bmwiedemann1: it probably would be
[20:34:07] <Eighth_Doctor> generally people seem to be unhappy about the bouncing back and forth between SUSE and openSUSE and the marketing email thing didn't help either
[20:34:46] <lcp> well, I would generally prefer if the accounts were clearly labeled as SUSE
[20:35:01] <Eighth_Doctor> jdsn: also, you have my sympathies for going through CC and STIGs
[20:35:55] <jdsn> thanks
[20:36:14] <Eighth_Doctor> used to work for gov subcontractor, so I have some idea of the pain involved
[20:36:23] <jdsn> the thing is, the login process must be in a protected environment on SUSE owned machines
[20:36:45] <jdsn> the client systems can be outside (opensuse dmz)
[20:37:08] <Eighth_Doctor> jdsn: that's not true if the data is partitioned
[20:37:18] <Eighth_Doctor> e.g. what is SUSE stuff and what is openSUSE stuff is clearly split
[20:37:46] <jdsn> bugzilla for example is both
[20:37:48] <bmwiedemann1> but with Leap, things get merged together from SLE+openSUSE
[20:37:58] <jdsn> and we have more of these mixed systems
[20:38:02] <Eighth_Doctor> no they didn't
[20:38:18] <Eighth_Doctor> Leap is not mixed, because we take stuff from SLE without a feedback loop
[20:38:50] <Eighth_Doctor> for the jump thing, there's going to be some kind of cross-instance SR federating thing, so it's already remaining partitioned that way
[20:38:57] <bmwiedemann1> still not easy to separate. And I think, feedback is WIP
[20:39:29] <Eighth_Doctor> jdsn: bugzilla is something that LCP and I have been thinking about for a while
[20:39:59] <Eighth_Doctor> it is definitely a special case
[20:40:36] <jdsn> but it's not alone special, we also have the special Jira and special Confluence
[20:40:47] <Eighth_Doctor> jira and confluence are not special
[20:40:52] <Eighth_Doctor> nobody but suse people can access or use them
[20:40:53] <jdsn> :) ok
[20:41:04] <lcp> neither of which openSUSE uses, and is planning to (hopefully)
[20:41:16] <jdsn> I meant special in a way that the tool allows login for employees and non-employees
[20:41:33] <Eighth_Doctor> jdsn: currently non-employees cannot log into jira or confluence, afaik?
[20:41:41] <Eighth_Doctor> at least I can't neither with partner or community accounts
[20:41:59] <jdsn> but it's a service we (SUSE) offer externally and have to provide a secure login anyway
[20:42:14] <jdsn> yes they can - with a special contract
[20:43:02] <Eighth_Doctor> oh boy
[20:43:46] <pjessen> any more status reports ?
[20:44:11] <lcp> I just really wanted to ask about the status on access for freeipa.i.o.o
[20:45:19] <pjessen> lcp: no prob, we just get sidetracked too often
[20:45:21] <jdsn> lcp: in general I heard positive reactions about that, but we first need to remove some "dependencies" before we can open it
[20:45:45] <jdsn> sorry, I can not go into more details
[20:46:04] <lcp> I hope it's not the case of boosters machine which hosted 20 things at once ;)
[20:46:32] <jdsn> nope
[20:47:02] <jdsn> but please don't start the yes-no game now :)
[20:47:26] <lcp> I will restrain myself from asking questions then
[20:47:53] <jdsn> thanks :)
[20:48:00] <Eighth_Doctor> :(
[20:48:10] <cboltz> just wondering - AFAIK freeipa.i.o.o hosts a) heroes accounts and b) DNS entries. I'm somewhat surprised that we need to go through paperwork for giving lcp access there
[20:48:14] <cboltz> or do I miss something?
[20:48:19] <jdsn> but ping me, if I don't get it done in 3 weeks
[20:48:33] <Eighth_Doctor> cboltz: that is pretty much all that's on that box
[20:48:59] <jdsn> cboltz: it's not paperwork, and I can show you "after" I removed it :)
[20:49:19] <Eighth_Doctor> LCP and I are in a position to migrate that to the new EL8 based FreeIPA box (so not being stuck on F24 anymore! 🎉)
[20:49:39] <cboltz> jdsn: ok, I'm looking forward to that ;-)
[20:50:44] <lcp> cboltz: I'm sure our VPN wiki mentions that admin machines aren't "normal"
[20:50:59] <lcp> I don't expect legacy fedora 24 machine to be an exception
[20:51:35] <cboltz> well, let's start with   define "normal"   ;-))
[20:51:42] <cboltz> (just joking)
[20:53:49] <cboltz> are we done with status reports?
[20:54:19] <lcp> I started doing the error pages, but got a little too ambitious at javascript part
[20:54:43] <lcp> https://progress.opensuse.org/issues/67435
[20:55:55] <lcp> basically I started messing with cachet api to check for the current status of the service displaying 503
[20:56:06] <cboltz> ideally the error pages should be static, so that haproxy can deliver a single HTML file (possibly loading css, images etc. from static.o.o - but it should still look somewhat readable if static.o.o is down)
[20:56:40] <lcp> they are static, although built with jekyll because it's easier for me
[20:56:56] <lcp> but yeah, they will be static, with additional js, css, images etc
[20:57:21] <cboltz> ok, sounds good
[20:59:28] <cboltz> I just looked at some old tickets (which actually is our next topic)
[21:00:17] <cboltz> pjessen: https://progress.opensuse.org/issues/17676 looks like a forgotten mirror ticket. Can you have a look at it? (the remaining part is stage.o.o access)
[21:00:33] <pjessen> 17676 ?? wow.
[21:00:52] <cboltz> yes, it's our 3rd-oldest open ticket ;-)
[21:00:57] <pjessen> sure, assign it to me.
[21:02:26] <cboltz> done
[21:05:13] <pjessen> got it
[21:06:34] <pjessen> I see somebody changed the css for mirror.o.o ?
[21:14:46] <pjessen> okay, i guess I'll have to fix it tomorrow.
[21:18:57] <cboltz> given the silence, I think we can close the meeting
[21:19:02] <cboltz> thanks everybody for joining!
[21:19:27] <cboltz> (and if you have some time left, have a look at our tickets (both old and new) and maybe handle one of them ;-)
[21:19:47] <pjessen> okay, good night.
[21:19:57] <jdsn> N8
[21:21:42] <bmwiedemann1> gn
[21:40:26] <Eighth_Doctor> good evening all :)