2020-03-03 #opensuse-admin - heroes meeting

[20:00:55] <cboltz> Hi everybody, and welcome to the heroes meeting!
[20:01:11] <cboltz> Today we "only" have the usual topics, see https://progress.opensuse.org/issues/63172
[20:01:54] <cboltz> let me start with the usual two questions in parallel:
[20:02:01] <cboltz> a) who is here for the meeting and
[20:02:08] <cboltz> b) does someone from the community have a question?
[20:02:30] <lcp> LCP is here
[20:03:33] <mstroeder> meinereiner
[20:05:10] <cboltz> so - let's start with the status reports ;-)
[20:05:48] <lcp> news-o-o is live, and most of the bugs are fixed
[20:06:09] <lcp> (if not in salt, in production) ;)
[20:06:37] <lcp> the left of jekyll stuff is waiting for their turn
[20:06:53] <cboltz> yeah, sadly we have problems with the CI at the moment :-(
[20:07:05] <cboltz> nevertheless, thanks for your work on news.o.o!
[20:07:35] <lcp> matrix salt profile is pretty much set up, it just needs the postgres mr to be merged and the firewall/dns stuff
[20:08:11] <lcp> there are also two branches with mailman3 and ipsilon pretty much ready, just waiting for CI to work before sending MRs
[20:08:33] <cboltz> also sounds good :-)
[20:08:48] <cboltz> in worst case, I can test locally (one more test VM doesn't really matter) and then merge the salt changes manually
[20:08:56] <cboltz> but obviously I'd prefer a working CI
[20:09:06] <lcp> yeah
[20:10:32] <cboltz> quick report from me: as I already wrote on the ML some days ago, I did a big cleanup in the openSUSE:infrastructure repo and deleted linked packages that were only build for 15.0 or SLE 15 (without SP) - which means we got rid of more than half of the packages there
[20:11:55] <cboltz> I've also seen lots of activity from Per to cleanup our mirror infrastructure
[20:12:09] <lcp> from upstream, I did start working on freeipa on openSUSE (continuing stuff after howardg and darix) and securitas/noggin/whatever they rename it to because trademarks apparently I am waiting for Conan Kudo to package, but it has an openSUSE theme now
[20:12:13] <cboltz> and you've probably seen the mails that he's working on the forums move
[20:12:31] <lcp> yup
[20:13:11] <lcp> I am also wondering if for testing, we should setup a new freeipa instance or use the existing one because I can't really decide myself
[20:14:02] <cboltz> better setup a new one - the risk of breaking the admin login (starting with VPN login) on the whole infrastructure is too big IMHO
[20:14:58] <lcp> sure, so how to even begin setting up a centos/fedora vm >:D
[20:15:34] <cboltz> open a ticket and ask for that VM ;-)
[20:16:03] <lcp> alright, you got it
[20:16:45] <lcp> Conan Kudo: any preference for a testing server? fedora or centos
[20:21:28] <cboltz> looks like Pharaoh_Atem didn't notice your question ;-)
[20:21:36] * Pharaoh_Atem waves
[20:21:38] <Pharaoh_Atem> lcp: Fedora
[20:21:45] <Pharaoh_Atem> I'm doing all my work right now from Fedora
[20:22:16] <Pharaoh_Atem> lcp: oh wait, for FreeIPA?
[20:22:17] <lcp> alright
[20:22:21] <Pharaoh_Atem> we should totally do CentOS 8
[20:22:22] <lcp> yes
[20:22:30] <lcp> decide >:T
[20:23:02] <Pharaoh_Atem> well, are we planning to run ipsilon and securitas/noggin/whatever from there?
[20:23:05] <Pharaoh_Atem> if so, Fedora
[20:23:07] <Pharaoh_Atem> if not, CentOS
[20:23:27] <lcp> nope, we will run as much from openSUSE as possible
[20:23:39] <lcp> even if that means getting poetry in ipsilon repo
[20:23:52] <Pharaoh_Atem> errgh
[20:23:57] <Pharaoh_Atem> at least CentOS 8 has DNF now
[20:24:20] <lcp> also, maybe we can salt it too >:D
[20:24:22] * Pharaoh_Atem is amused at the thought of making more packages for EPEL for openSUSE
[20:25:36] <Pharaoh_Atem> lcp: we probably could use salt for it, leveraging the ansible stuff that already exists for ipa/idm
[20:26:02] <lcp> yup, yup
[20:28:12] <Pharaoh_Atem> cboltz: fwiw, I was doing some firefighting for $DAYJOB, that's why I didn't notice
[20:28:19] <Pharaoh_Atem> I was paged at the same time this started
[20:28:26] <cboltz> no problem ;-)
[20:28:32] <lcp> wew
[20:28:34] <lcp> https://progress.opensuse.org/issues/64156
[20:28:51] <lcp> I might change the title in the future because of the name changing nature >:D
[20:29:13] <Pharaoh_Atem> ugh, why can't I log in?
[20:29:38] <lcp> (this uses openSUSE Login, not FreeIPA login)
[20:31:08] <Pharaoh_Atem> lcp: nope, no dice
[20:31:58] <lcp> oh, you aren't even a member of admin
[20:32:03] <Pharaoh_Atem> welp
[20:32:26] <lcp> maybe you got vinzv'd by anti-spam bot
[20:33:05] <cboltz> I should be able to fix that ;-) - what's your username?
[20:33:56] <cboltz> found "Pharaoh_Atem", and it was indeed blocked
[20:34:56] <cboltz> you should be able to login again
[20:35:20] <tampakrap> hello, I'm reading the backlog
[20:35:27] <cboltz> hi tampakrap
[20:35:53] <lcp> hello
[20:36:49] <Pharaoh_Atem> cboltz: yep, thanks!
[20:36:56] <Pharaoh_Atem> cboltz: what caused that, out of curiosity?
[20:37:15] <Pharaoh_Atem> I'm pretty sure I was able to login in the past
[20:37:41] <cboltz> I can only guess - maybe someone accidently disabled your account while blocking spammers
[20:37:50] <tuanpembual> hello, sorry be late
[20:37:50] * Pharaoh_Atem shrugs
[20:38:03] <tuanpembual> *reading backlogs too
[20:38:12] <lcp> oh yeah, I also forgot, I looked through our services, most of them support openid/openid connect/saml2 when we get to switch over
[20:38:23] <lcp> except OBS, but that was reported
[20:38:24] <cboltz> Pharaoh_Atem: I'm quite sure it wasn't intentional ;-)
[20:38:29] <Pharaoh_Atem> lcp: yeeey! :D
[20:39:11] <lcp> I didn't actually go through any admin service because they already work with the existing freeipa, so I assume they work
[20:40:01] <lcp> and then vbulletin is a thing (I really hope we replace it soonish tho)
[20:40:16] <Pharaoh_Atem> so in theory, MF-IT has a SAML2 addon for it
[20:40:30] <Pharaoh_Atem> so that should be sufficient to get it working with Ipsilon
[20:40:51] <lcp> ah, excellent
[20:41:03] <Pharaoh_Atem> at least, that's what was mentioned on the ML earlier today
[20:41:15] <Pharaoh_Atem> at this point, that's hearsay
[20:41:21] <lcp> alright, sounds good
[20:41:52] <Pharaoh_Atem> worst case, we're going to implement some kind of apache mod_auth_mellon mod_auth_openidc thing
[20:42:02] <Pharaoh_Atem> err mod_auth_mellon / mod_auth_openidc
[20:42:34] <Pharaoh_Atem> because I'm somewhat certain it respects $REMOTE_USER (that's probably how the CAS thing works for the ICS system)
[20:42:56] <Pharaoh_Atem> upstream vB doesn't support *any* SSO, which is a problem :(
[20:43:00] <lcp> for what needs to be done as transition though, we need to actually develop something to move over with the accounts, which will most likely have a workflow of login into old proxy, allow to change username/password and "register" into the new login system
[20:43:13] <lcp> that means we need to have a list of existing usernames
[20:43:19] <lcp> for reservation
[20:44:18] <lcp> Pharaoh_Atem: it's weird tbh, you would expect such popular software would figure that out
[20:44:39] <lcp> I also looked at how mozilla does login for their matrix instance, they use saml with auth0
[20:44:46] <Pharaoh_Atem> erk
[20:44:58] <Pharaoh_Atem> I guess we'll SAML to Ipsilon?
[20:45:33] <lcp> yes, but we will need to modify the saml handler to accept usernames verbatim
[20:45:57] <lcp> because the handler does quite a bit of mangling because of some saml implementations having email for id
[20:46:45] <Pharaoh_Atem> right
[20:46:55] <Pharaoh_Atem> I think Ipsilon sends both?
[20:47:10] <lcp> correct, and it uses usernames as uid
[20:47:15] <Pharaoh_Atem> yeah
[20:47:17] <lcp> so it's 2 in 1
[20:47:31] <Pharaoh_Atem> that's pretty much how that's supposed to work :)
[20:47:46] <Pharaoh_Atem> also, speaking of SAML, how do we want to reach out to RH about their bugzilla auth enhancements?
[20:47:59] <Pharaoh_Atem> do we have a contact at SUSE to loop in for that conversation?
[20:48:22] <lcp> if there is anybody from SUSE infra here, sure
[20:48:30] <lcp> but I think we will need to get board involved
[20:48:36] <cboltz> AFAIK someone @SUSE is working on moving bugzilla from Provo to Nuremberg
[20:48:43] <cboltz> I can probably find a mail address ;-)
[20:48:53] <Pharaoh_Atem> cboltz: that'd be very helpful :)
[20:48:55] <lcp> that would be VERY useful
[20:49:02] <lcp> we should also track this on progress
[20:49:06] <Pharaoh_Atem> yes
[20:49:17] <Pharaoh_Atem> I need to see if I can dig up a contact on the RH side for rhbz
[20:49:44] <cboltz> to my knownledge, the plan is that SUSE will manage bugzilla, and share it with openSUSE, so in theory we can just lean back ;-)
[20:50:05] <lcp> and, if anybody is curious, I decided connect will be killed right after we figure out accounts, because we can do groups in there, and we will just need to get a private mailing list for the member admins to be able to receive emails and assign people to the group in account system
[20:50:18] <lcp> so I don't actually know what to do with the issue on progress :P
[20:50:27] <Pharaoh_Atem> deprecate it for a new issue?
[20:51:14] <lcp> I guess so, a big issue for accounts or something more split?
[20:51:51] <Pharaoh_Atem> probably a big issue for replacing accounts
[20:52:04] <Pharaoh_Atem> err implementing accounts
[20:53:07] <cboltz> lcp: speaking about connect - TSP "hides" in a subdirectory of it. Do you know enough about it to move it to a new (well, already existing and idling) VM?
[20:53:32] <lcp> I actually do, but I want to finish moving it to bs4 with new theme
[20:53:43] <lcp> I will also make a new theme for KDE because they are using it too
[20:53:56] <lcp> it will take me a few more days
[20:53:58] <Pharaoh_Atem> nice
[20:54:15] <Pharaoh_Atem> do we need to worry about events.o.o?
[20:54:30] <lcp> it uses omniauth
[20:54:30] <lcp> https://reimbursements.kde.org/
[20:54:41] <Pharaoh_Atem> cool, then we're set :D
[20:54:43] <lcp> and this uses devise
[20:54:50] <lcp> we are
[20:54:58] <Pharaoh_Atem> ugh, and now we're not :(
[20:55:06] <cboltz> lcp: ping me when you are ready, and I'll make sure to give you enough permissions on tsp.infra.o.o ;-)
[20:55:21] <lcp> excellent, thank you
[20:55:53] <lcp> Pharaoh_Atem: why? there is devise openid ;)
[20:56:26] <Pharaoh_Atem> does it work?!
[20:56:39] <cboltz> as a sidenote - TSP currently fetches some fields (for example the realname) from the connect database, we'll need to break/drop this connection
[20:56:57] <lcp> it is an option in the settings
[20:57:02] <lcp> config*
[20:57:31] <Pharaoh_Atem> cboltz: that might be fixable with the switchover to openid
[20:59:12] <cboltz> maybe it shares some more fields - but having to re-enter those fields won't kill the TSP users ;-)
[20:59:46] <Pharaoh_Atem> I know the properties are shared with SAML2 and OIDC, I just don't remember how much is exported with OpenID
[21:01:34] <cboltz> FYI: the current TSP setup uses our login proxy (which results in HTTP_X_USERNAME etc. headers)
[21:01:55] <lcp> that's using openSUSE-maintained devise-ichain
[21:02:08] <lcp> it's easy enough to replace
[21:02:46] <cboltz> it's also easy to setup if you want to stay with it for the new VM
[21:03:02] <lcp> yup, that's true
[21:03:10] <cboltz> (and I have to admit that I'm more familiar with it than with the other auth "stuff" you discussed today)
[21:06:40] <lcp> oh god, the child being urgent made all of the tasks urgent, thanks redmine
[21:07:15] <cboltz> well, if that means we get everything done and fixed this week... ;-)
[21:07:55] <lcp> if I get a freeipa vm, I might get it all deployed this month
[21:08:32] <lcp> although, I would rather love to be done with matrix and mailman first, because those are already started and pretty far along
[21:10:07] <lcp> and if I'm given additional year, we might migrate to openSUSE port of FreeIPA ;)
[21:14:16] <lcp> oh yeah, worth noting https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591
[21:21:25] <Pharaoh_Atem> that reminds me, I need to do make the same notice for Fedora Infra