2020-04-07 #opensuse-admin - heroes meeting
[19:58:59] * Eighth_Doctor waves
[20:00:31] good evening all
[20:00:34] hi everybody, and welcome to the heroes meeting!
[20:00:46] hi all,
[20:01:14] so far, we only have the "usual" topics on https://progress.opensuse.org/issues/64168 - but we can add things if needed
[20:02:15] does someone from the community have a question?
[20:04:25] i guess the community is busy elsewhere ?
[20:04:55] or people are too shy to ask us ;-) (hint: we don't bite!)
[20:05:07] eh, well, at least I'm working on ipsilon and noggin atm
[20:05:13] I just want to say that Lars asked me to build 2 new gitlab runners... and I didn't have time yet :-( (/me in shame)
[20:05:18] (their packaging, that is)
[20:05:25] anyway - let's continue with status reports
[20:05:29] but... I fixed the keepalived upstream formula on the Saltstack repo :-)
[20:06:52] I have a small update.
[20:07:02] from new progress.
[20:07:35] new progress?
[20:07:37] still working to fix patch for create ticket as private with send email to redmine@o.o
[20:07:47] Eighth_Doctor: progress-test.o.o
[20:07:49] https://progress-test.opensuse.org
[20:08:24] that's all
[20:09:36] that's pretty cool, I have had a look at redmine theming and it will require quite a bit of css so I didn't touch it yet
[20:09:49] it looks fancy :D
[20:11:57] okay let me continue - last week I enabled TLS for outound on anna and else.
[20:12:21] thanks
[20:12:25] I'll learn to type, honestly. one of these days
[20:13:07] TLS for outbound should have no big impact on anything, I doubt if anyone has noticed anything
[20:13:45] I've also been doing some more mirror cleanup, but only minor stuff.
[20:14:11] I've seen some admin-auto mails from pontifex (for example a missing database column) - any idea what's wrong?
[20:14:35] cboltz: I've not seen those, will have to check
[20:14:55] maybe someone is working on the mirroring setup ?
otherwise it has not changed
[20:15:43] Darix/Lars team made changes on mirrorbrain last week
[20:16:30] that might explain it ;-)
[20:16:52] let's forward those mails to lars :-)
[20:17:34] anyway, from me, that's it - no progress on forums, still need someone who understands how to integrate it with our authentication setup
[20:18:48] pjessen: I hope to help you with that, but that will entirely depend on how much we actually know ;)
[20:19:17] lcp: together maybe we'll make it to 0 ? 0+0 ? :-)
[20:19:48] I admit, I have no idea how it works.
[20:20:01] I think we might be adding negatives ;)
[20:20:18] lcp: LOL
[20:21:04] joking aside, it's saml, so we can set it up with the previous auth that mf had in their infra, since it's not dependent on the local server setup mostly
[20:21:31] however that depends on what address the current site has so testing might suck
[20:22:02] that is sort of what I was hoping for, yeah. I just see some missing bits in the apache config, I suspect.
[20:22:07] in any case, until we have some local saml setup, either with our own login system or SUSE login system, we kinda have to use that
[20:22:43] I'm hoping to get a basic noggin package ready in the coming days
[20:23:28] sounds good, but - IMHO that should be a separate step and not block the forum move ;-)
[20:23:34] I didn't set up the freeipa2, because we had the salt issue, and now that salt in the repo was updated, we have more salt issues there
[20:23:44] I'd start with whatever we have already available ;-)
[20:23:58] and I also split myself in half and did a bunch of work on porting freeipa to openSUSE out of frustration obviously
[20:24:36] cboltz: agree
[20:25:41] in worst (?) case, it might even be an idea to write a small plugin that works with our auth proxy
[20:26:21] it's just a guess, but I wouldn't be surprised if that's easier than reverse-engineering the needed saml config
[20:26:43] my main problem remains - I simply don't know how it works today.
[20:27:07] same for me
[20:27:12] Good evening. What is the topic? The new bugzilla auth backend coming in May?
[20:27:30] for testing I would probably request we had it pointing entirely at forums.o.o instead of forums-nbg.o.o, so we can test auth at least locally
[20:27:43] and I also would request some access so I can take a look
[20:27:45] bmwiedemann: no, we are talking about forum move, especially authentication
[20:28:00] but what you mention also sounds interesting - can you tell us some details?
[20:28:30] yes. I didn't mean to disturb your topic, though.
[20:28:36] lcp: I don't think we can update the DNS until we're ready to move.
[20:29:11] lcp: with "request some access", do you mean sudo on the forum-nbg server?
[20:29:45] pjessen: not dns, but juggling forums.opensuse.org to the ip in the /etc/hosts should work
[20:29:51] cboltz: yes
[20:30:37] lcp: afaik, the setup does not work on forums-nbg yet, but you should certainly have access
[20:31:10] pjessen: unless we request it with provo to add forums-nbg to their saml setup for testing ;)
[20:32:11] also I don't really need fully working as long as I can mess with auth plugin and the dump we got from provo
[20:32:51] I probably only need to key, then I can set it up for you.
[20:32:58] I probably only need your key, then I can set it up for you.
[20:33:27] I believe it's in freeipa
[20:33:41] pjessen: fetch_freeipa_ldap_sshpubkey.sh hellcp
[20:33:56] okay
[20:34:12] oh yeah, there is a script for that
[20:34:44] normally it's used by sshd, but nobody will stop you from using it manually ;-)
[20:35:23] maybe I should status report then now
[20:36:12] I have made a bunch of progress on matrix setup, and in salt there is a huuuge PR that does a lot of things like set up integrations and riot and some other stuff
[20:36:23] at this point what's left are some pretty cosmetic things
[20:37:13] basically only waiting for gitlab runners, and for that issue with firewall and haproxy setup at this point
[20:37:29] lcp: you should have root access on forum.i.o.o now.
[20:37:37] thanks
[20:38:02] outside of that, you might have noticed we transitioned to news-o-o and planet-o-o this last month
[20:39:08] and discontinued lizards.o.o
[20:39:15] so no more wordpress?
[20:39:16] yes, that was a "boring" (as in: no serious problems) move ;-)
[20:39:45] right, no more wordpress :-)
[20:40:07] ah yeah, there are also formulas for postman3 and ipsilon and some other stuff waiting for gitlab-runners, but aren't PRs yet
[20:40:31] yay.
[20:40:34] * bmwiedemann loves getting rid of another php application.
[20:40:34] just the moment gitlab-runners happen there is a bunch of stuff to review ;)
[20:41:40] well, reviews can be done without the gitlab-runners ;-)
[20:42:11] (but especially for the bigger MRs having them checked by the CI would be nice)
[20:42:25] yup
[20:42:33] and those are big prs, adding services
[20:43:24] yes, but then - the CI might not be too useful for this because it doesn't check everything
[20:44:34] well, I feel like the only issues with those PRs might be CI complaining, because the rest looks fine, and there just might be small issues I didn't notice otherwise
[20:45:24] if you only worry about the CI, that's not enough reason to stop you ;-)
[20:45:51] I'll do a review later, and if everything looks good, I can merge it manually
[20:45:57] so that you can continue to work on the server
[20:46:05] alrighty
[20:46:42] in worst case, we'll have to do a little follow-up fix once the CI works again ;-) - but if highstate works, it's unlikely that the CI will complain
[20:47:33] at this point with matrix tho, I could use the firewall/haproxy more than merging the PR with the contents, since that is much more pressing for testing, because it's testing the base ;)
[20:48:45] cboltz: are we impacted because the CI is not working, so, my lack of time to finish the gitlab runners setup is the cause, right?
[20:49:40] * klein thinking to install at least one manually, so the work is not stopped because of this
[20:49:46] since you ask this way - I'm afraid the answer is yes
[20:50:48] also in case the PR to matrix gets merged, I will need the corresponding setup on pgsql server
[20:50:50] I can work around by doing manual merges, but having the CI back would be nice ;-)
[20:51:43] bmwiedemann: bugzilla - was that why I saw a 2nd email from bugzilla-devel_noreply@suse.de ?
[20:51:49] yes
[20:52:00] bmwiedemann: very cool!
[20:52:02] As you know, auth for bugzilla, forums, wiki, OBS etc is provided by MicroFocus right now, but there is a carve-out process ongoing since SUSE was sold by them. That means that MF will stop providing these services and the deadline is already 2020-05-18.
[20:52:09] So we are setting up our own bugzilla right now using a DB dump. And we are also setting up our own LDAP auth backend to serve the login-proxies in front of OBS.
[20:52:09] The same ldap should also serve for the other public openSUSE services that need auth.
[20:52:18] As you might know, the design of the login-proxies is so that the user-password is only ever seen by them and services hidden behind them just receive the authenticated user name in a HTTP header.
[20:52:18] There will also be some kind of migration necessary, because we will not receive user passwords as part of MF's DB dump. Easiest would probably be a password-reset email for every user.
[20:53:10] bmwiedemann: that is a huge problem then, since we will need a saml server from SUSE side for forums in that case
[20:53:39] forum software cannot be patched to accept http-header as auth?
[20:53:52] I heard, this kind of patch is usually just a few lines
[20:53:58] we don't know, we only have saml plugin
[20:54:26] well, it exists: https://wiki.univention.de/index.php/SAML_Identity_Provider
[20:54:34] bmwiedemann: I would expect so, but nobody has much experience with the forums software
[20:55:05] as long as it does not expose user passwords to the forum software, it should be fine.
[20:55:32] bmwiedemann: how can we test this?
[20:56:10] once it is up and running - still takes some more days.
[20:56:29] okay, no hurry
[20:57:00] bmwiedemann: i'll be in touch by email tomorrow.
[20:57:35] bmwiedemann: somewhat related - do you also have a replacement for https://www.opensuse.org/openid/ on your radar?
[20:57:55] (moving the website itself is easy, but so far /openid/ is a blocker)
[20:57:56] I guess, there could also be an app for it.
[20:58:42] can you please check and report back as soon as you know?
[20:59:19] is 'openid connect' good enough?
[20:59:52] not the same thing I'm afraid
[21:03:28] do we know, who consumes this openid endpoint?
[21:03:57] we cannot know, since that's auth for users, not for specific services
[21:03:59] I know, I installed an internal dyndns and it is using it for auth
[21:04:13] that means that they can auth with any service using that id
[21:04:32] any service that supports openid that is
[21:06:17] bmwiedemann: alright, let's maybe approach it from this angle, we were planning splitting auth away from SUSE anyway, and we could try to synchronize the efforts from ours and your side so we split away from MF and each other at the same time
[21:06:35] we do have software to do that selected, and it supports the things we more or less need
[21:07:27] however, we don't have a strategy for getting the list of all of the users we would need to transition, which we would need as you need ;)
[21:07:48] so would there be an openSUSE account separate from the bugzilla account then?
[21:08:22] bugzilla is something we are discussing with redhat at this moment, to get their system for auth with multiple account systems
[21:08:41] * Eighth_Doctor has a note to ping Jim about this again
[21:09:27] bugzilla would be unique in that it would be the one service where we would have both accounts be able to login
[21:09:51] everything else is pretty obvious if it's openSUSE or SUSE
[21:10:06] lcp: afaict, we have the user list in the database
[21:10:40] but for users it can still be confusing to have 2 different SSO systems then
[21:11:13] pjessen: yeah, I kinda wanted to ask service admins to export the list of people registered in every service, but it's hard to get to everybody everywhere ;)
[21:11:31] 2 SSO systems is an oxymoron ....
[21:11:53] bmwiedemann: well, I hope they will be branded sufficiently well, so people can tell which one they need to use
[21:12:37] lcp: i'm blinkered, I just want the forums migration out of the way.
[21:13:17] yes, I guess, they will have green chameleons :-P
[21:13:22] pjessen: yeeeeah, me too, we really need to set it up at MF right now
[21:14:24] lcp: if the auth system is going to go away in 6 weeks ?
[21:14:57] pjessen: so forums can work on this account system for 6 weeks
[21:15:01] that's a lot of time
[21:16:09] lcp: true - if we can get it working in less than a week. Might be better to aim for the new auth system. We will also have to send a reset-your-pwd to all forums users.
[21:16:15] if we rush through it, I and Conan Kudo can get the login system ready to test with forums-nbg next week/ in two weeks tho
[21:17:10] yeah...
[21:17:10] for testing is the keyword, because it certainly won't work a 100% ;)
[21:17:22] lcp: by all means have a go at it.
[21:18:45] pjessen: I will create an issue for exporting usernames from all of the software then
[21:19:41] then we will ask bmwiedemann or some contact if you prefer to give us the passwordless dump of those users' accounts
[21:19:43] lcp: okay, no prob
[21:21:17] lcp: with email addrs and real names, it will count as PII and there are pretty strict rules about those in Germany.
[21:21:29] just usernames would be easy, though.
[21:22:01] bmwiedemann: i can do usernames only.
[21:22:28] bmwiedemann: hm, but what will the dump you get from MF contain then?
[21:23:26] also, considering that openSUSE Project at this moment is not a split entity from SUSE, those things should be able to move around inside SUSE without much problem (but add that to the problems that board has to figure out for foundation)
[21:24:16] bmwiedemann: ah yeah, any idea who to contact about deployments of openQA/OBS/OSEM and other stuff hosted by SUSE so we can export usernames there too?
[21:24:33] lcp: the dump we get should contain everything except passwords. But that also means that we need to be extra careful in handling that data. E.g. we need a workers council agreement.
[21:26:18] bmwiedemann: eh, I will discuss that with board then too, I see that is going to be really problematic
[21:27:32] sometimes I wonder if using github accounts for auth wouldn't be easier (for openSUSE stuff)
[21:28:18] well, I am hoping to set up git forge right after we get openSUSE Account system, so no
[21:29:43] bmwiedemann: that would mean openSUSE uses Microsoft for authentication, and I'd expect some ;-) funny discussions if we do that *g,d&r*
[21:30:04] cboltz: yup.
[21:30:21] Google does. And Microsoft uses chromium code as base for their browser... not so strange?
[21:30:42] code is one thing, data another
[21:31:07] that principle still applies even here, amazing
[21:34:56] so far, I added a reminder to export usernames for the heroes when we have it (hopefully end of April)
[21:36:53] bmwiedemann: https://progress.opensuse.org/issues/65405
[21:36:54] I guess, when openSUSE has a working separate auth, we could also send out password-reset mails to users with a link to that new auth system.
[21:37:35] yup, that should be easy enough to do
[21:38:14] still will need some effort, because we want to handle email bounces gracefully. And I expect there will be a lot of those.
[21:38:43] as an additional point, since that was a request, we do want to allow for change of the username for users that want it, but we will handle that manually, since I don't expect that to be popular
[21:38:53] at this point we have 2 requests like that
[21:39:28] wow. Will that even work with all connected services? Or will it just be like a new account for those?
[21:39:30] so that's also why I'm asking for contact point for the OBS/openQA/OSEM deployments, since that's something that will have to be covered too
[21:39:47] bmwiedemann: it will have to be done per service unfortunately
[21:39:58] OBS => adrian , openQA=> coolo , OSEM don't know
[21:39:58] if we can move accounts there, then yes
[21:40:24] thanks! that's helpful
[21:40:35] I'm afraid changing usernames will open a can of worms because we'll need to change the username at lots of places (starting with > 20 wikis)
[21:41:01] I slightly ;-) doubt that we want to do this
[21:41:05] lcp: and as we discussed in the openid topic, there can be any number of consumers we don't know about
[21:41:10] cboltz: yeah, I do hope they don't just login into everything in our infra
[21:41:35] bmwiedemann: we will be able to gracefully redirect to our new openid solution easily
[21:41:36] I don't even want to _check_ 20 wikis if a specific user ever logged in there ;-)
[21:41:52] cboltz: I am afraid I will have to then ;)
[21:42:16] somebody will have to gather info on who logged into every single service in our infra
[21:42:30] automation could
[21:42:31] only username tho
[21:42:42] yes, of course
[21:42:58] I won't stop you, but that's not the point ;-) - allowing to change the username causes us lots of work without a big gain
[21:42:59] I will automate as far as I can
[21:43:15] then we will have to cross-reference who was where if they request username change
[21:43:38] cboltz: I call that being way too nice
[21:43:38] the "old way" (just register a new username, and stop using the old one) is probably good enough, and doesn't cause work
[21:44:20] and even if we allow changing the username, we should IMHO block the old name from being re-used
[21:44:32] of course
[21:45:07] I agree with cboltz there
[21:46:49] I know it will be a lot of work, but I think it's worth it as an option
[21:46:57] one time offer for the transition
[21:49:03] I will regret it later, but oh well
[21:49:19] :-D
[21:49:21] I'm sure you'll regret it ;-)
[21:49:24] alternatively we could offer it to the two poor souls that want it >:D
[21:49:52] because I know both of them quite well
[21:49:58] well, well enough
[21:50:54] still, I'd recommend that these poor souls first register a new account with the username they want
[21:51:21] that's easier than having to block the old username "manually"
[21:51:47] after that, we can chown ;-) their data on specific services
[21:51:49] eh, it is a lot of effort to move stuff around tho
[21:52:18] maybe they have a list of services where they are interested in keeping stuff.
[21:52:33] old forum posts might not be as interesting as OBS package maintainership
[21:52:44] yup
[21:53:12] I will ask then, I will handle this in https://progress.opensuse.org/issues/30970 and with Conan Kudo later ;)
[21:54:47] alright, I think that's enough of accounts talk for now, we have a lot of work for the next few weeks >:D
[21:54:54] :D
[21:55:34] so we meet again on 2020-05-05 ?
[21:55:41] I hate deadlines, but here we are ;)
[21:55:48] sounds like a plan
[21:56:07] hopefully with a working accounts system too
[21:56:28] unless there are more subjects we didn't discuss
[21:56:43] If there is something needed - I'm probably reading emails more often than IRC on many days.
[21:58:16] alright, got it
[21:58:26] ditto
[21:59:50] looks like that's it for today ;-)
[22:00:00] thanks everybody for joining, and for all the work you do!
[22:01:09] stay healthy everyone
[22:02:27] thanks, you too!
[22:05:07] have a good night
[22:05:38] thanks all
[22:05:49] good morning :)
[22:06:02] night!