2017-08-01 #opensuse-admin - Heroes meeting

[20:01:32] <tampakrap> meeting time!
[20:01:39] <tampakrap> who is around?
[20:01:49] <mmaher_home> me
[20:01:58] <mmaher_home> good evening everyone
[20:02:22] <cboltz> hi everybody!
[20:02:40] <Ada_Lovelace> Hi
[20:03:41] <tampakrap> cboltz: wanna chair?
[20:04:02] <cboltz> well, why not ;-)
[20:04:34] <cboltz> first topic - questions from the community
[20:04:41] <cboltz> does someone have a question?
[20:05:16] <mmaher_home> do we cover topics from last meeting that were not answered? at the end? or here
[20:05:23] <mmaher_home> sorry, if i ask. just unsure
[20:05:37] <Ada_Lovelace> That's default...
[20:05:41] <tampakrap> usually at the end, but I don't mind to cover them first
[20:06:00] <cboltz> yeah, that's probably better than forgetting them ;-)
[20:06:12] <mmaher_home> okay, good to know
[20:06:48] <cboltz> I don't see any question from the community, so - mmaher_home, what's the topic you have in mind?
[20:07:15] <mmaher_home> about the heinlein sponsering, what came out while taking this topic to the board
[20:07:32] <mmaher_home> because we didn't know last time how to proceed / handle it.
[20:07:33] <cboltz> right
[20:07:49] <Ada_Lovelace> We'll use the heinlein sponsoring. We accept it.
[20:08:16] <cboltz> this is an "old" board decision (old as in "decided before Sarah and I were elected")
[20:08:35] <cboltz> we discussed it again, and as Sarah already said, we'll accept it
[20:08:55] <mmaher_home> that sounds good. so after the membership topic this topic can proceed then?
[20:09:02] <Ada_Lovelace> Yes
[20:09:39] <mmaher_home> ok then i'm lookig forward to it. thanks
[20:09:47] <cboltz> I'll ask on the board ML about the next steps and keep you updated
[20:09:56] <Ada_Lovelace> Do you have another topic?
[20:10:48] <mmaher_home> cboltz: thank you very much
[20:11:02] <mmaher_home> no thats it
[20:11:19] <cboltz> ok, then let's continue with the status reports
[20:11:38] <cboltz> I'll start with the wiki
[20:12:02] <cboltz> I probably don't need to mention that all wikis are moved and updated ;-)
[20:12:46] <cboltz> I spent some evenings to replace the old <feed> tags with the new <rss> in all wikis (including languages where I can't even read the characters)
[20:12:46] <mmaher_home> and it looks now very modern
[20:13:24] <cboltz> en-test.opensuse.org got a new skin - still with some rough edges, but it already looks very good :-)
[20:13:47] <cboltz> fixing the login is on my TODO list for later tonight
[20:14:14] <cboltz> and Guo will probably need to do some CSS adjustments here and there
[20:14:24] <tampakrap> how was the overall feedback from the community so far after the move?
[20:14:41] <tampakrap> for example, does it feel faster?
[20:14:49] <Ada_Lovelace> I believe the font size is a little bit too big...
[20:14:57] <Ada_Lovelace> The rest is fine. :-)
[20:15:01] <cboltz> the only serious problem was with the cookie domain which caused some login problems
[20:15:16] <cboltz> besides that, I only heard positive feedback
[20:16:01] <cboltz> including that it feels faster - even when testing from Provo :-)
[20:16:43] <tampakrap> cool
[20:16:55] <cboltz> I mean - we tested it long enough, so what could have gone wrong? ;-)
[20:16:56] <tampakrap> there are a few dns stuff on my side todo, but not really urgent
[20:19:00] <cboltz> I've seen a few tickets about broken member mail - is this something you could handle? (ideally soon, since people might depend on the @opensuse.org address)
[20:20:10] <tampakrap> sure
[20:20:29] <tampakrap> just give me some time, there is a lot on my plate right now, esp regarding updating machines to new leap and sle versions
[20:20:30] <cboltz> ok, I'll search for those tickets and assign them to you after the meeting ;-)
[20:20:51] <cboltz> any other status reports?
[20:21:13] <cboltz> did everything survive the 42.3 release?
[20:21:46] <tampakrap> well, I need to update most of the infrastructure to 42.3 still
[20:22:00] <tampakrap> I will do a major part during the maintenance window this thursday
[20:22:15] <tampakrap> and I will do some not-so-critical machines outside of the maintenance window
[20:22:23] <tampakrap> so fingers crossed nothing will go wrong :)
[20:22:58] <Ada_Lovelace> Do you change all machines from SLES to Leap?
[20:23:31] <tampakrap> I try, it's not that straightforward
[20:23:47] <tampakrap> the heroes-managed machines that are running sle12 have to be changed to leap
[20:24:03] <tampakrap> the heroes-managed machines that are running sle11 have to be redeployed to a new VM
[20:24:34] <Ada_Lovelace> ok
[20:24:35] <tampakrap> the non-heroes-managed machines are a bigger discussion, as they involve more admins there and some suse services as well
[20:24:52] <tampakrap> that's a generalization, does it answer your question?
[20:24:57] <Ada_Lovelace> yes
[20:25:39] <tampakrap> good
[20:26:54] <cboltz> does everybody have VPN access in the meantime?
[20:27:19] <Ada_Lovelace> yes
[20:27:26] <tampakrap> most of the people yes, but I know that Per doesn't yet
[20:27:50] <cboltz> not too surprising, he just came back from vacation
[20:28:02] <tampakrap> exactly
[20:29:37] <cboltz> I just had a look at the open tickets - right now we have 150 open tickets
[20:29:38] <tampakrap> mmaher_home: you got your vpn working btw?
[20:30:49] <cboltz> most of them are not terribly urgent, but nevertheless I'd like to remind everybody to check the open tickets - assign them to the right people, and please get your own tickets done ;-)
[20:32:25] <mmaher_home> tampakrap: still something missing in the vpn conf, but i will figure it out
[20:32:59] <mmaher_home> mirror tickets should be fine atm. i try make them immitiatly so they dont stuck up anymore
[20:33:45] <Ada_Lovelace> Great
[20:34:23] <cboltz> for the VPN - my openvpn config is in the admin wiki on progress, no need to re-invent the wheel
[20:34:47] <mmaher_home> that is very nice :)
[20:35:37] <tampakrap> I will put my dnsmasq config as well so that you can have fully working dns inside the suse network
[20:36:30] <Ada_Lovelace> I believe you can config dnsmasq in the openvpn config, too.
[20:36:47] <cboltz> good idea, maybe I should also add my unbound config (overriding a NS entry is slightly ;-) more difficult than overriding other DNS entries)
[20:37:22] <cboltz> (just in case more people don't allow openvpn to change resolv.conf)
[20:38:07] <tampakrap> cool
[20:38:46] <cboltz> more status reports about done or planned work?
[20:38:53] <cboltz> anything else we need to discuss?
[20:40:05] <cboltz> tampakrap: IIRC the question if mysql.infra.o.o does daily backups was never answered. Did you check that in the meantime?
[20:45:10] * cboltz wonders if tampakrap is searching for backup cronjobs right now
[20:46:47] <tampakrap> sorry was afk for a min :)
[20:46:52] <tampakrap> no it doesn't BUT
[20:47:03] <tampakrap> this cluster runs on the suse-dmz vlan
[20:47:20] <tampakrap> so we will need to create a new mysql and a new postgresql cluster for the heroes-managed vlan
[20:47:40] <tampakrap> meanwhile I could add the daily mysql backups
[20:47:52] <tampakrap> file a ticket for me please so we don't forget
[20:47:57] <tampakrap> same for postgresql
[20:48:10] <tampakrap> but the backups are going to be on the suse-dmz vlan as well
[20:48:16] <tampakrap> makes sense?
[20:49:00] <cboltz> I hope that I/we won't need the backup, so it's fine if they are not directoy accessible for everybody at the moment
[20:49:10] <cboltz> the important thing is to _have_ backups ;-)
[20:49:29] <cboltz> I'll open tickets as requested
[20:49:34] <tampakrap> agreed
[20:49:59] <cboltz> speaking about backups - would it make sense to setup a backup VM?
[20:50:12] <cboltz> my usecase would be rsnapshot backups of the wiki file uploads
[20:50:17] <tampakrap> we do have one, also at the suse-dmz vlan :)
[20:50:24] <tampakrap> so yes we need a new one
[20:50:57] <tampakrap> we need backups via rsyncd/rsnapshot, we need rsyslog server, and we already have the storage backups that I need to verify at some point
[20:52:33] <cboltz> I'd vote for rsnapshot over SSH instead of having rsyncd running
[20:53:09] <tampakrap> there are pros and cons for each method, we can discuss it outside of this meeting
[20:53:32] <cboltz> BTW: you know you can run rsnapshot as root (so that it can read all files) and still only give it read-only permissions?
[20:53:37] <cboltz> ok
[20:53:45] <tampakrap> sure
[20:54:14] <tampakrap> but to run it over ssh means ssh-root login, which is something we want to get rid of
[20:54:21] <tampakrap> either way, let's not discuss it now, it's a big topic
[20:54:42] <cboltz> ok
[20:55:20] <cboltz> any news on encrypted pillar (besides "still on the TODO list")?
[20:56:09] <tampakrap> no and don't wait for me on this
[20:56:18] <tampakrap> it is easy enough for you even to do it
[20:56:31] <tampakrap> I would like to focus on the ldap topic at the moment
[20:56:47] <cboltz> makes sense
[20:57:17] <cboltz> I can't promise if/when I'll have time for it, so if there are any volunteers... ;-)
[20:58:34] <cboltz> any other topic?
[20:58:48] <tampakrap> one last
[20:59:00] <tampakrap> dns, we need to start thinking of fully taking it over
[20:59:09] <tampakrap> is this something that the board could start discussing?
[21:00:06] <cboltz> I can bring it up on the board ML
[21:00:25] <cboltz> do you have a specific timeframe in mind, or simply "as soon as possible"?
[21:01:12] <tampakrap> the sooner the better
[21:01:23] <cboltz> ok
[21:01:30] <tampakrap> it will solve a lot of technical issues regarding the dns setup we currently have, plus the upcoming relay.o.o
[21:01:50] <cboltz> ok
[21:02:15] <cboltz> that reminds me of what could be the "very last" topic ;-)
[21:02:20] <tampakrap> it is not urgent/high priority though, as things work and we can proceed with stuff
[21:02:29] <tampakrap> so it's not a blocker, but it would be nice to proceed on
[21:02:41] <cboltz> ok
[21:02:47] <cboltz> www.o.o is still running in Provo
[21:03:08] <cboltz> moving the website is technically boring, but it also includes an openID provider
[21:03:33] <tampakrap> well, you are the expert on moving services from provo now :)
[21:03:49] <cboltz> yeah, but I'm not an expert on openID ;-)
[21:04:00] <tampakrap> why it needs openid?
[21:04:02] * tampakrap checks
[21:04:15] <cboltz> www.o.o doesn't _need_ openID
[21:04:34] <tampakrap> it seems a static page
[21:04:36] <tampakrap> ah sorry, continue
[21:04:44] <cboltz> it _provides_ openID which you can use to login at various places inside and outside openSUSE
[21:05:10] <tampakrap> ah
[21:05:20] <cboltz> https://www.opensuse.org/openid/
[21:05:26] <tampakrap> and the openid clients care about the openid's provider?
[21:05:38] <mmaher_home> the openid stuff is managed by mf it
[21:05:43] <tampakrap> I mean, do they care about the openid's provider's IP?
[21:06:00] <cboltz> the IP doesn't matter AFAIK
[21:06:36] <tampakrap> we could create a www2.o.o and move the webpage and the openid provider there
[21:06:47] <tampakrap> and then create a clone of a website that is an openid client
[21:06:53] <tampakrap> and see what breaks
[21:07:07] <tampakrap> it might need a few tricks on the haproxy, but it seems totally doable to me
[21:07:11] <mmaher_home> tampakrap arent the accounts the same we use in bugzilla?
[21:07:44] <tampakrap> yeah I see your point
[21:07:55] <cboltz> right, same account everywhere
[21:08:02] <tampakrap> we will need to contact MF-IT to open a hole to their API/db to get the accounts
[21:08:39] <tampakrap> I wonder if we could convince them to move openid to openid.o.o
[21:08:45] <tampakrap> then we can move a bunch of stuff easier
[21:09:51] <cboltz> if openID logins "survive" redirects (so that www.o.o/openid/user still works), I like the idea to have a separate VM for it
[21:10:36] <cboltz> for the accounts - can't we simply put an openID provider behind login2.o.o?
[21:10:38] <tampakrap> I don't even care even if it stays in provo, as long as the main website can be moved
[21:10:58] <tampakrap> I doubt it, the ichain is managed by mf-it
[21:11:04] <tampakrap> we don't have access to them
[21:11:29] <tampakrap> maybe we could by using our ldap mirror, but I can't answer it now
[21:11:35] <cboltz> yes, but login2.o.o knows all accounts, so - what's the problem?
[21:12:45] <tampakrap> I'd say send a mail to the mailing list to have darix and lars involved in the discussion
[21:12:58] <cboltz> ok
[21:13:15] <tampakrap> they know better than me if it is technically and policitally doable
[21:14:47] <cboltz> can someone beat the "very last" topic with another topic?
[21:15:49] <cboltz> doesn't look so
[21:15:58] <cboltz> thanks everybody for joining the meeting!
[21:16:15] <tampakrap> thank you too for chairing!
[21:16:26] <mmaher_home> thanks everyone
[21:16:30] <cboltz> enjoy the evening, and whenever you are bored, feel free to handle one of our 150 tickets ;-)
[21:16:54] <tampakrap> I would say let them become 200 as long as we have a hot summer
[21:17:04] <tampakrap> when it gets cold again we can go back to them :P
[21:17:30] <cboltz> I vote for melting that number down as long as it's hot *g*