2020-05-05 heroes meeting

[19:56:27] <bmwiedemann> good evening
[19:57:45] <mcaj_away> HI
[19:59:47] <tuanpembual> Hi
[19:59:53] <tuanpembual> good morning
[20:01:14] <King_InuYasha> good afternoon
[20:01:35] <cboltz> hi everybody, and welcome to the heroes meeting!
[20:01:48] <King_InuYasha> kl_eisbaer: fwiw, if this keeps happening, I *will* make a JeOS image
[20:01:55] <cboltz> two questions in parallel:
[20:02:01] <King_InuYasha> I know how to since I maintain kiwi in fedora ;)
[20:02:03] <cboltz> - who is here for the meeting   and
[20:02:13] <cboltz> - does someone from the community have questions?
[20:02:17] <lcp> me
[20:02:19] <tuanpembual> Me
[20:02:24] <adrianS> Me
[20:02:27] <King_InuYasha> I'm here! :)
[20:03:08] <Redtigra> hello everybody.
[20:03:13] <King_InuYasha> hello?
[20:04:44] <lcp> is that a community question? :P
[20:05:04] <mcaj_away> HI
[20:05:17] <robin_listas> hi
[20:05:32] <cboltz> lcp: it seems to become a tradition that we don't have community questions - but I'd love to be proven wrong ;-)
[20:05:52] <King_InuYasha> actually yes
[20:05:54] <darix> I can ask community questions if you want
[20:05:56] <lcp> you did have community questions when I was the community
[20:05:59] <darix> I am not a hero :P
[20:06:18] <gp_> Hi!
[20:06:21] <King_InuYasha> who are you, Redtigra? I'm unfamiliar with your nick
[20:06:30] <King_InuYasha> though I can guess who gp_ is :D
[20:06:44] <kl_eisbaer> gp -> great person? :-)
[20:06:49] <King_InuYasha> indeed
[20:06:50] <Redtigra> I am a (relatively) new team lead of Engineering Infra SUSE
[20:06:53] <King_InuYasha> all these new people though :)
[20:07:22] <Redtigra> jdsn's and mcaj's boss, if they don't mind. very young hero embrion :)
[20:07:30] <Redtigra> glad to meet you all
[20:07:53] <cboltz> glad to have you all here ;-)
[20:07:57] <King_InuYasha> hello, nice to meet you :)
[20:08:02] <bmwiedemann> and my boss :-)
[20:08:10] <King_InuYasha> it's always nice to meet SUSE folks :D
[20:08:38] <Redtigra> yes, bmwiedermann's too :)
[20:09:03] <mcaj_away> I would be better to meet F2F on openSUSE conference but that not going to happen this year...
[20:09:11] <lcp> cboltz: let's get through the topics, because I feel we have a big one at the end
[20:09:19] <cboltz> right
[20:09:37] <cboltz> let's do a *quick* round of status reports - and then focus on the account system
[20:09:47] <cboltz> so - does someone have a status report?
[20:09:50] <gp_> cboltz: I've also got one (though not exactly a community questions). :-) Happy to have that at the end.
[20:10:19] <tuanpembual> I had report.
[20:10:35] <cboltz> go ahead ;-)
[20:10:55] <tuanpembual> Last weeks, We already migrate new progress. I hope get less complaint and bug.
[20:11:21] <tuanpembual> if you have found any error, please update this ticket: https://progress.opensuse.org/issues/65456
[20:11:32] <tuanpembual> some last issue have been solved.
[20:11:40] <tuanpembual> that from me.
[20:12:00] <tuanpembual> If here any I can help, something with container. I will be glad to help
[20:12:10] <tuanpembual> :D
[20:12:38] <tuanpembual> next.
[20:12:59] <King_InuYasha> tuanpembual: thanks for new progress, it looks great :)
[20:13:03] <lcp> for the new freeipa, and the rest of the stuff, it was deployed and followed by the very popular announcement on the mailing list
[20:13:22] <lcp> and matrix + riot are setup for when we have saml and/or oidc to connect to it
[20:13:32] <tuanpembual> thanks King_InuYasha
[20:13:37] <King_InuYasha> 🔥
[20:14:08] <lcp> that's it for me :P
[20:14:32] <King_InuYasha> I've been working with lcp on some bug squashing with ipsilon (id.i.o.o / f-s.i.o.o)
[20:14:51] <King_InuYasha> things are in (mostly) good shape, and once we go into production, I'll cut the 3.0.0 release officially based on that
[20:15:36] <King_InuYasha> I'm in touch with rhbz devs, and they're going to be releasing rhbz source in the coming days
[20:15:50] <King_InuYasha> from there, we can look to adapt for susebz to shift to saml2 auth
[20:16:40] <King_InuYasha> fedora-aaa and lcp and I are in touch now and actively collaborating on features and configuration details
[20:16:46] <lcp> quite a surprising announcement, not expected that this week
[20:17:03] <King_InuYasha> I was pretty pleased too :)
[20:18:06] <King_InuYasha> working on some stuff in pagure for the upcoming code.i.o.o and dist.i.o.o instances, we'll see how that goes
[20:18:43] <King_InuYasha> oh, and working with lcp on freeipa porting to opensuse... good progress is made, perhaps we'll have it in a year :)
[20:18:48] <King_InuYasha> that's it for me :)
[20:19:12] <cboltz> I moved www.o.o from Provo to Nuremberg ~2 weeks ago, and besides /searchPage/ (which I wasn't aware of, and hot-fixed) everything went smooth :-)  (no serious 404s in the error_log)
[20:19:40] <cboltz> Note that www.o.o/openid/ is still proxied to the server in Provo - that's something we'll need to change
[20:20:03] <King_InuYasha> cboltz: lcp and I are working on a replacement for that, it's... ugly :(
[20:20:16] <bmwiedemann> cboltz: I am working on openid setup for our new bugzilla-ldap
[20:20:37] <cboltz> King_InuYasha: sounds interesting[tm]...
[20:20:45] <jdsn> s/bugzilla-ldap/community-accounts/  :)
[20:21:10] * jdsn is just trying to get rid of the term "bugzilla account" :)
[20:21:15] <King_InuYasha> haha
[20:21:27] <cboltz> still better than "Novell account" ;-)
[20:21:38] <jdsn> well, yes, but we can do better :)
[20:21:41] <King_InuYasha> I still have my email saying welcome to your novell account :P
[20:21:50] <jdsn> lol
[20:21:50] * adrianS would name jdsn's "community-accounts" instead "developer accounts" since they are used for all development topics, inside and outside of suse ...
[20:22:02] <adrianS> and partners
[20:22:07] <lcp> did you mean Micro Focus/NetIQ/Novell/SUSE/openSUSE accounts? :P
[20:22:07] <King_InuYasha> >_>
[20:22:16] <King_InuYasha> >_<
[20:22:37] <adrianS> yep, still the same database, just migrated now
[20:22:41] <cboltz> adrianS: and probably also bugreporters and forum users, so not only developers ;-)
[20:22:51] <King_InuYasha> and wiki people too :)
[20:22:58] <jdsn> did we shift to that topic already?
[20:23:04] <adrianS> bugreporters for sure ... not sure if forum and wiki will use it?
[20:23:05] <lcp> well, and also future chat infra, and meet.o.o etc
[20:23:18] <adrianS> or using independ account database?
[20:23:21] <King_InuYasha> and code/dist too
[20:23:31] <cboltz> jdsn: depends - does someone have a status report _not_ related to accounts?
[20:23:41] <cboltz> if yes, please speak up *now* ;-)
[20:23:48] <robin_listas> adrianS:  Per said he was trying.
[20:24:27] <lcp> oh yeah, we have auth setup on forums
[20:24:34] <lcp> forgot about that :P
[20:24:49] <adrianS> robin_listas: you mean trying to use a login proxy?
[20:25:02] <King_InuYasha> lcp: that was the *first* thing we did :P
[20:25:05] <adrianS> for forums?
[20:25:17] <lcp> kinda important, since that allows us to move forums from provo at last
[20:25:25] <King_InuYasha> yup
[20:25:59] <kl_eisbaer> I would have some status reports - but I guess everyone wants to focus on IDM. So fine with me (less to type ;-)
[20:26:16] <King_InuYasha> kl_eisbaer: well, if you have stuff to tell us, please do so :D
[20:26:27] <kl_eisbaer> I will just send my reports to the mailing list, I guess that's easier.
[20:26:42] <cboltz> also an option, whatever you prefer ;-)
[20:26:56] <kl_eisbaer> King_InuYasha: well: the current Fedora installer seems not to like my static IP configuration :-/
[20:26:59] <robin_listas> adrianS: He said "we expect to hook the forums into the above too (Nuernberg  datacenter)
[20:27:12] <King_InuYasha> kl_eisbaer: :(
[20:27:15] <kl_eisbaer> cboltz: I prefer to go to bed early ;-) -> Email
[20:27:32] <cboltz> ok, then I'm looking forward for your mail(s) ;-)
[20:27:41] <kl_eisbaer> King_InuYasha: I will try again, but IMHO I did nothing different than the last time. I'll keep you updated once the machine is available
[20:27:55] <King_InuYasha> kl_eisbaer: if f32 isn't working, f31 is fine
[20:27:57] <King_InuYasha> we can upgrade after
[20:28:04] <adrianS> robin_listas: and he is still trying or give up? or needs some help?
[20:28:09] <kl_eisbaer> King_InuYasha: I'm down to 31 already :-/
[20:28:12] <King_InuYasha> oh dear
[20:28:27] <King_InuYasha> kl_eisbaer: it didn't work with f32 I take it?
[20:28:32] <kl_eisbaer> I guess I will trash the qemu config and start from scratch - something seems fishy
[20:28:37] <King_InuYasha> yeah, that's odd
[20:28:39] <robin_listas> Dunno. YOu will have to ask him. That was this morning when he said this.
[20:28:43] <King_InuYasha> if you need help, let me know later :)
[20:28:52] <King_InuYasha> I'll do my best to assist
[20:31:44] <jdsn> cboltz: ?  IDM ?
[20:31:46] <cboltz> given the silence for > a minute, let's officially switch the topic to the account system
[20:31:57] <cboltz> yes ;-)
[20:32:01] <jdsn> IDM/IDP: then maybe I can start and quickly share what we did the last days/weeks:
[20:32:05] <King_InuYasha> here we go
[20:32:08] <jdsn> https://jdsn.de/ucs-setup-simplified.png
[20:32:18] <jdsn> we were setting up the Univention servers and then making sure we can bring all our data home into the NUE data center
[20:32:25] <jdsn> so we had to make sure that all this is setup for the Bugzilla move on the coming weekend
[20:32:29] <jdsn> thats what kept us busy days 'and nights' ...
[20:32:41] <jdsn> for many services this will mean just a small config change
[20:32:57] <jdsn> but as the schedules are no longer that tight as they were until yesterday, we have now time to spread the switch of services using that authentication backend step by step
[20:33:57] <lcp> alright, I am actually very curious about your current system first and foremost
[20:33:59] <jdsn> the diagram is very simplified, it should just show that we remove any dependency from MF and Novell-Servers and other datacenters
[20:35:11] <cboltz> so basically (and even more simplified) s/Novell account/SUSE account/ ?
[20:35:30] <lcp> I assume your new system is email based and not username based, how does username mapping work to the existing services
[20:36:04] <jdsn> bugzilla is email-based, all other systems afaik are uid based
[20:36:08] <lcp> I assume based on the lack of username entry in the register and login fields on suse.com ;)
[20:36:23] <adrianS> it is the same data as until now, except for the password.
[20:36:26] <lcp> well, obs is username based at the moment
[20:36:30] <jdsn> we do not map, we use the same data
[20:37:07] <King_InuYasha> it looks like scc is moving to email based (which makes me happy)
[20:37:24] * King_InuYasha is still annoyed that his suse account is ngompa when it's for his partner-related work
[20:37:53] <adrianS> scc is using Okta, but this is out of scope for development work and IMHO also for opensuse cost wise ....
[20:38:02] <King_InuYasha> thank goodness
[20:38:11] <King_InuYasha> I don't want to deal with Okta more than I already have to
[20:39:44] <adrianS> btw, we will switch first internal services tomorrow to the new system of jdsn to see how it works in real life
[20:40:08] <King_InuYasha> wait, what?
[20:40:10] <King_InuYasha> why?
[20:40:21] <mcaj_away> fingers cross
[20:40:28] <King_InuYasha> also, what are "internal services"?
[20:40:39] <jdsn> SUSE-internal
[20:40:48] <jdsn> our internal Build-Service e.g.
[20:40:52] <King_InuYasha> ah okay
[20:40:53] <lcp> does that include switching over internal openQA? :D
[20:41:18] <jdsn> not tomorrow :)
[20:41:40] <lcp> I see, I see
[20:42:18] <King_InuYasha> jdsn: how much has the timeline been loosened?
[20:42:20] <lcp> alright, so I would like to know what the goals are for switching over openSUSE stuff
[20:42:48] <jdsn> the migration phase "can" happen until end of June
[20:42:54] <jdsn> but that is a very hard stop
[20:43:09] <jdsn> we want to move as much services as possible in the next 2 weeks
[20:43:16] <jdsn> we = SUSE internal
[20:43:20] <jdsn> sorry
[20:43:47] <Redtigra> I'll answer about timeline
[20:43:49] <jdsn> and I would recommend to also move the openSUSE services rather early because there is one good reason:
[20:43:53] <adrianS> And I would like to move build.opensuse.org also asap to avoid that we run into problems due to different new accounts ...
[20:44:10] <adrianS> (same login name, but different user)
[20:44:27] <Redtigra> it came out, that auth backend is required to be cut off till May 18th for Bugzilla only
[20:44:30] <jdsn> people who do not have a valid email address set in their account (and wont change it because they would loose access to their bugzilla entries) will have to migrate their account
[20:44:37] <cboltz> adrianS: sounds unlikely - account creation is currently broken :-/
[20:44:51] <Redtigra> that's Bugzilla cut over requirement, not the whole auth.
[20:44:55] <jdsn> this migration works with the old AccessManager still in place and with your old credentials - and this without a password reset mail
[20:44:57] <adrianS> cboltz: well, that is good from this POV :)
[20:45:11] <jdsn> after end June we can only offer password reset mails
[20:45:27] <King_InuYasha> Redtigra, jdsn: so lcp and I have been mostly operating under the assumption that everything needs to cut over in two weeks
[20:46:01] <Redtigra> as Daniel said, we'd like to complete migration as earlier as possible to a) avoid two accounts and b) to have some time in case things go wrong at some place/moment
[20:46:09] <cboltz> adrianS: that's the only positive thing about the broken account creation...
[20:46:19] <adrianS> cboltz: I agree
[20:46:20] <jdsn> King_InuYasha: so were we until yesterday :)
[20:46:28] <jdsn> think how well I slept last night
[20:46:29] <Redtigra> King_InuYasha, so did we :D
[20:46:32] <jdsn> :)
[20:47:01] <King_InuYasha> so, on our side (oS Heroes), lcp and I had been working on decoupling from Novell accounts since late 2018
[20:47:31] <King_InuYasha> in January, we started working with the Fedora AAA folks to enumerate our requirements and mesh them into their solution that they were developing to replace FAS
[20:47:39] <King_InuYasha> (FAS is Fedora Account System, their legacy platform)
[20:47:45] <lcp> and there were 2 reasons, foundation and infra independence
[20:48:01] <lcp> and we grew some more reasons along the way
[20:48:38] <jdsn> I see the point - and - I even support it
[20:48:41] <King_InuYasha> in February, we enumerated the list of applications we needed to handle for accounts, and in March started working on that effort
[20:49:00] <jdsn> on the other hand SUSE is providing services to their communities and employees and customers
[20:49:07] <King_InuYasha> the original plan was to split the accounts slowly and cut over by the openSUSE Conference this year
[20:49:17] <lcp> as you might know, heroes internally use freeipa for various parts of IPA management, and we wouldn't like to part ways with that, for now at least
[20:49:20] <jdsn> and these are certified, so SUSE must be in control of this idetity system
[20:49:43] <King_InuYasha> this requirement does not apply in the openSUSE case, based on the conversation I've had with gp_
[20:49:45] <jdsn> but we can offer to oS to make use of it as oS did until now
[20:50:38] <King_InuYasha> so I'm confused why this point was brought up
[20:51:02] <King_InuYasha> because outside of bugzilla (which needs special handling anyway), nobody in the community side sees or controls SUSE-internal stuff
[20:51:09] <King_InuYasha> only the other way around
[20:51:27] <adrianS> well, if you can control the identity, you can become everyone and see all content
[20:51:34] <lcp> hopefully
[20:51:40] <King_InuYasha> what makes SUSE more special than openSUSE?
[20:51:48] <jdsn> that also not true for Jira/Confluence
[20:51:53] <King_InuYasha> which we cannot use
[20:52:02] <King_InuYasha> nobody in the community can use or access those systems
[20:52:02] <jdsn> a Common Criteria Certification
[20:52:04] <adrianS> the certification requires that only written down people can control the identity system who are employees
[20:52:15] <lcp> openSUSE uses neither Jira nor Confluence tho
[20:52:25] <darix> lcp: but the same account DB is used for both
[20:52:31] <lcp> we don't care about those
[20:52:32] <jdsn> community is bigger than oS :)
[20:52:37] <adrianS> King_InuYasha: you can not become another identity if you are root on the IDM server?
[20:52:51] <King_InuYasha> adrianS: not easily, no
[20:53:08] <darix> King_InuYasha: that is a few ldapmodify :P
[20:53:10] <King_InuYasha> it's possible, of course, but the architecture does not make that simple to do
[20:53:30] <King_InuYasha> adrianS: why should oS applications trust SUSE IdM in the same manner?
[20:53:39] <jdsn> something like "we don't care about those" makes it harder to consolidate
[20:53:49] <adrianS> King_InuYasha: that is a valid question
[20:53:54] <King_InuYasha> right
[20:53:55] <jdsn> from a user (or customer) perspective it would mean yet another login
[20:54:06] <lcp> but we would have to split that stuff either way, due to foundation stuff
[20:54:09] <adrianS> however, if we decide for a split, it means we also need to split bugzilla and some OBS content
[20:54:24] <adrianS> basically we would work more seperate and less together
[20:54:39] <King_InuYasha> jdsn: my experience in Fedora ecosystem has shown that it works quite well with FAS and RH/Customer and RH/Employee being separate
[20:54:54] <adrianS> IMHO the opposite should be the goal .... as we see with the "open SUSE bugs" discussion
[20:55:36] <King_InuYasha> then the question becomes, should we unite under SUSE? or under openSUSE?
[20:55:51] <jdsn> thats also my take, and also the goal of the closing the leap gap project
[20:55:54] <King_InuYasha> my feeling is that we should unite under openSUSE, and federate SUSE into openSUSE
[20:55:56] <adrianS> we would need seperate instance and write some additional code to be able to connect accounts
[20:56:04] <adrianS> all doable, but not cheap
[20:56:11] <King_InuYasha> adrianS: lcp and I have already been thinking about it and working on it
[20:56:28] <King_InuYasha> we knew going in that we'd have to solve this, and we assumed that this is something we need to do
[20:57:12] <adrianS> you mean connecting accounts, not building up new bugzilla and OBS servers, right?
[20:57:14] <King_InuYasha> yes
[20:57:31] <King_InuYasha> I maintain enough OBS servers :)
[20:58:22] <King_InuYasha> the openSUSE accounts system that lcp and I have been working on basically non-stop for two months is very extensible
[20:58:40] <King_InuYasha> and our goal is that SUSE Linux 16 platform will let use switch fully over to openSUSE Leap 16 for the infra
[20:58:53] <King_InuYasha> we will aggressively switch things over to openSUSE Leap as it becomes technically feasible
[20:59:35] <King_InuYasha> we are using Fedora servers for now to speed up deployment, and it helps with working with our friends in Fedora on this
[21:00:53] <King_InuYasha> adrianS, jdsn: this work is also how I've made the biggest push to get Red Hat to release the sources for Red Hat Bugzilla
[21:01:01] <darix> I vote for fewer accounts not more.
[21:01:16] <King_InuYasha> which includes their multi-auth module for Bugzilla
[21:01:20] <jdsn> I think we can have such a discussion at a given time, the topic now should be to plan for the switch of the openSUSE services to Univention - because the timer is ticking
[21:01:21] <King_InuYasha> using SAML 2
[21:01:41] <lcp> me too, that's why heroes accounts would be merged with this systems so we would have total of the same number of accounts
[21:01:55] <lcp> not more
[21:01:56] <jdsn> nothing prevents us from separating after the Univention system is live
[21:02:44] <jdsn> and with less dependecies now it should be even easier technically
[21:02:47] <darix> lcp: for everyone who works for suse it means more accounts not less.
[21:02:52] <darix> you should really see both sides
[21:02:58] <lcp> yes, I do think we should do it after, however I can already hear adrianS complaining about this :P
[21:03:11] <King_InuYasha> we can target sso.opensuse.org to the univention server
[21:03:11] <jdsn> me to :)
[21:03:22] <jdsn> I even see pros and cons for both sides
[21:03:26] <King_InuYasha> that way applications don't have to be aware once we switch the backends
[21:03:30] <jdsn> so even I am split :)
[21:03:52] <King_InuYasha> as someone who is both a suse partner/customer and opensuse contributor, I *really* prefer those two being split
[21:04:18] <lcp> well then, maybe get OBS to support more protocols, so we can have multiple openid connect providers there
[21:04:20] <jdsn> again: I see this as topic for later
[21:04:21] <King_InuYasha> but I recognize others care otherwise
[21:04:21] <darix> King_InuYasha: and I would even prefer to have just 1 account for all suse stuff
[21:04:25] <darix> *really*
[21:04:34] <lcp> omniauth would support this
[21:04:34] <jdsn> the new schedule gives us more time, but lets not waste it now
[21:04:49] <King_InuYasha> jdsn: how far along are you on the data import for openSUSE data?
[21:04:59] <adrianS> lcp: again, it is not about the protocols in first place, that is really a detail. It is about the trust of the content
[21:05:05] <jdsn> King_InuYasha: its done :)
[21:05:16] <King_InuYasha> if you can bridge the ldap endpoint into heroes servers, we can make sso.os.o talk to it and provide saml2, oidc, and openid
[21:05:24] <adrianS> and given that one can become root on many systems via OBS I am indeed really conservative, I admit
[21:05:39] <adrianS> but it is not my decision at the end of the day
[21:05:47] <jdsn> Univention already offers saml
[21:05:51] <adrianS>  but I want to make sure that all sides understand what they are doing ...
[21:05:53] <jdsn> and openid connect
[21:06:04] <King_InuYasha> jdsn: but not plain openid
[21:06:13] <lcp> I get it, I get
[21:06:14] <King_InuYasha> and I think connecting to our endpoint will result in fewer app changes
[21:06:19] <jdsn> correct, thats what Bernhard is working on ;)
[21:06:24] <adrianS> but given the certifications, it *will* mean we need to build up new OBS and bugzilla instances
[21:06:36] <jdsn> King_InuYasha: ok, also good point
[21:06:38] <adrianS> at least as long as SUSE says that these certifications are important
[21:06:50] <King_InuYasha> jdsn: and if you want, you can deploy ipsilon internally for suse openid
[21:07:01] <King_InuYasha> it's free software: https://pagure.io/ipsilon
[21:07:05] <lcp> adrianS: I wonder where in OBS there is anything hidden tbh
[21:07:06] <darix> no we dont
[21:07:19] <adrianS> lcp: for security updates under embargo
[21:07:34] <lcp> oh, really?
[21:07:35] <adrianS> and we would need to rethink some syncing stuff IMHO
[21:07:51] <adrianS> yes, all can be done, but it has consequences
[21:07:56] <King_InuYasha> jdsn: I'm also packaging it for openSUSE, though some small work needs to be done to fix the configs and such
[21:07:59] <gp_> I can guarantee that kind of assurances/certifications will remain relevant for a long time.
[21:08:00] <adrianS> and means work :)
[21:08:12] <lcp> hm, that does make sense, I was always thinking this is done in IBS instead
[21:08:26] <King_InuYasha> I assumed this work was done in IBS as well
[21:08:37] <darix> King_InuYasha: not if the target is opensuse
[21:08:43] <King_InuYasha> at work, I tended to use the cross-system copypac to push out publicly
[21:08:44] <adrianS> lcp: well, would be an option to do it only in IBS and not include community maintainers anymore
[21:08:55] <adrianS> but IMHO not wanted
[21:09:12] <King_InuYasha> adrianS: if you're involving community maintainers already, what's the net-change on the situation?
[21:09:16] <lcp> well, Leap stuff is synced from SLE, so how does that collaboration work
[21:09:27] <adrianS> King_InuYasha: it is only on topic and it is documented
[21:09:39] <adrianS> it is not that multiple people can see *everything*
[21:09:39] <darix> lcp: not all of it.
[21:09:58] <adrianS> same for bugzilla
[21:10:05] <lcp> that's true, but this seems like the goal of jump :P
[21:10:11] <adrianS> that are not my rules, just like common criteria is designed ...
[21:10:23] <adrianS> but we need to ensure to follow the rules ... with blood
[21:10:49] <adrianS> consequences of a violation are not really nice ...
[21:11:07] <King_InuYasha> I know :(
[21:11:16] <King_InuYasha> I've had to follow those rules before
[21:11:31] <darix> personally I thought all your freeipa+ipsilon work was just for heroes stuff not for all of opensuse TBH
[21:11:31] <King_InuYasha> I know what they are and how to deal with many of them
[21:12:11] <darix> i mean did you ask what the suse plans are before starting what with the work?
[21:12:13] <lcp> darix: some of it, yeah
[21:12:22] <King_InuYasha> darix: we *did*
[21:12:25] <darix> aha
[21:12:26] <King_InuYasha> for almost a year
[21:12:38] <King_InuYasha> nobody ever responded to any inquiry by us
[21:12:45] <darix> who did you ask?:)
[21:13:00] <lcp> jdsn: :D
[21:13:27] <King_InuYasha> we have tried *very* hard to consider everything when we started this work _last year_ after oSC
[21:13:53] <darix> just curious you never spoke to me about it after osc :)
[21:14:10] <jdsn> lcp: that was not "for years" ;) I am in the team since last October :)
[21:14:15] <lcp> I should have asked during oSC >:D
[21:14:25] * adrianS whished he knew that so many people would join FreeIPA work that would have maybe changed the decision last year, since we evaluated it as well ...
[21:14:27] <lcp> I forgot tho, and had to run do a talk anyway
[21:14:40] <King_InuYasha> adrianS: freeipa suse platform was merged in
[21:14:40] <jdsn> and yes, I meanwhile found your mail - it was directed to me alone :(
[21:14:41] <lcp> jdsn: no, we asked you recently, yeah
[21:15:03] <King_InuYasha> adrianS: thanks principally to lcp (with me helping a bit) we now have scaffolding in freeipa
[21:15:13] <adrianS> King_InuYasha: it is not SLE maintained since we don't have enough maintainer power internal
[21:15:19] <lcp> I worked on getting it ready
[21:15:20] <King_InuYasha> yeah, yeah
[21:15:26] <lcp> and it is getting backported to the next freeipa 4.8 release and obviously 4.9
[21:15:27] <gp_> As a general recommendation: Don't run into timeouts, find alternate comms (means of comms or contacts).
[21:15:31] <adrianS> so we just had the chance to employ new people for it or to buy in support
[21:15:41] <darix> freeipa actually was rejected in the internal evaluation
[21:15:46] <darix> adrianS: ^
[21:15:54] <darix> for technical reasons
[21:16:00] <adrianS> well, not technical rejected, it was a support topic in first place
[21:16:14] <darix> so we actually looked at it
[21:16:19] <lcp> gp_: actually, we didn't really know who to contact either
[21:16:32] <darix> lcp: in doubt the board
[21:16:40] <King_InuYasha> we definitely talked to the board
[21:16:42] <King_InuYasha> they knew
[21:16:43] <lcp> we really only got jdsn after kl_eisbaer pointed at them
[21:16:56] * adrianS did spoke also with the old board about IDM system last year just for the record ;)
[21:18:02] <lcp> clearly I should have asked rb about it too >:D
[21:18:04] <adrianS> but frankly, in the current situation, I would like to stay away for the past anlyses and like to find what we do now to rescue the situation in first place
[21:18:32] <gp_> lcp: I've been handling a load of (MF) IT related escalations the last seven months, cboltz felt some pity for me. That one did not come up as one.
[21:18:33] <adrianS> afterwards one can do a better critic with some distance ....
[21:18:59] <gp_> Yeah, and it's not I am asking for more escalations. :)
[21:19:00] <jdsn> lcp: and sorry again, that question hit when I was too busy because we were under high pressure - I still have hundreds of unread mails ;)
[21:19:20] <King_InuYasha> at least concretely, what we can do is set up an sso.opensuse.org instance talking to UCS
[21:19:36] <King_InuYasha> and move all the apps on openSUSE side to sso.opensuse.org
[21:19:38] <lcp> yeah, I still have the virtue of being able to respond to my emails in under 10 seconds :P
[21:19:52] <darix> lcp: we can hire you. would make that problem go away ;)
[21:19:58] * King_InuYasha has almost 100 folders and filters so that he can respond quickly
[21:19:58] <jdsn> lucky you ;)
[21:20:04] <adrianS> jdsn: bmwiedemann: when do you think you can have sso.opensuse.org running with ucs?
[21:20:21] <jdsn> I also filter, I did not even count the unread in the folders ;)
[21:20:23] <lcp> I will count that as the second time I was asked to work for SUSE darix even if it was a joke :P
[21:20:41] * King_InuYasha is actually amazed lcp doesn't work for SUSE at this point
[21:20:55] <jdsn> tbh: we need to focus on the internal services next week
[21:20:56] <gp_> But let's take Redtigra up on her offer last week and/or use me (in case it is needed - no hurt feelings if not ;-).
[21:21:02] <bmwiedemann> somewhen  after bugzilla and OBS switch?
[21:21:11] <jdsn> but after that we can find out whats needed to make it happen
[21:21:24] <darix> bmwiedemann: moving the vhost to you is relatively easy
[21:21:33] <King_InuYasha> we wouldn't move the vhost
[21:21:39] <King_InuYasha> there'd be no point
[21:22:10] <jdsn> it would need access to our DMZ though
[21:22:22] <King_InuYasha> jdsn: yeah, that's the tricky bit
[21:22:30] <jdsn> or it could be routed externally
[21:22:39] <adrianS> King_InuYasha: what would run on sso.opensuse.org ?
[21:22:43] <King_InuYasha> ipsilon
[21:23:01] <King_InuYasha> ipsilon is not strictly tied to freeipa
[21:23:11] <adrianS> ic
[21:23:12] <King_InuYasha> it's _easiest_ with it, but it can work with generic ldap and krb5
[21:23:15] <darix> King_InuYasha: last year you told me that ipsilon requires freeipa
[21:23:36] <King_InuYasha> that's before puiterwijk told me how to do it without freeipa
[21:23:56] <lcp> and that would allow us to actually set up our own applications instead of having to ask you for it :P
[21:23:56] <King_InuYasha> it's much more annoying and manual, and some features go away, but it works
[21:24:28] <darix> King_InuYasha: JFYI: UCS comes with konnect ( https://github.com/Kopano-dev/konnect ) so it could do openid too
[21:24:33] <adrianS> problem would be (maybe) that this vhost would need to be under exclusive control of eng-infra team
[21:24:44] <King_InuYasha> konnect does not do openid
[21:24:45] <adrianS> because you could sniff passwords there, right?
[21:24:57] <King_InuYasha> adrianS: not with https
[21:25:03] <darix> King_InuYasha: you could in the app.
[21:25:04] <darix> :)
[21:25:17] <lcp> yes
[21:25:24] <darix> and UCS has saml
[21:25:36] <darix> yes it is openid connect. to be exact.
[21:25:38] <King_InuYasha> darix: you better not be suggesting we make all the contributors for all the third party apps made by _not us_ to port away from regular openid?
[21:25:46] <King_InuYasha> openid connect != openid
[21:25:54] <King_InuYasha> completely different protocol
[21:26:00] <darix> i am aware
[21:26:06] <jdsn> and UCS could have all that you contribute to it, they are developing it openly on github.com and very welcome PRs
[21:26:13] <adrianS> that is understood, bmwiedemann is therefore working on openid (not connect)
[21:26:43] <King_InuYasha> jdsn: I am one of the maintainers for ipsilon itself upstream, why would I also do that?!
[21:27:11] <jdsn> why shouldn't you?
[21:27:16] <King_InuYasha> I don't have time :)
[21:27:21] <bmwiedemann> if ipsilon does openid, we might also be able to use that.
[21:27:35] <King_InuYasha> it definitely does, most fedora apps are openid
[21:27:46] <jdsn> it could save time to maintain a separate VM though if it was supported natively - right?
[21:28:00] <King_InuYasha> jdsn: are you asking me to package ipsilon for debian?
[21:28:09] <King_InuYasha> because if you are, I guess I can do that, as irritating as that would be
[21:28:15] <jdsn> no, that hint was not specifically for you ;)
[21:28:40] <jdsn> and Univention is open to work with us on running their product on SUSE as well
[21:28:54] <King_InuYasha> bmwiedemann: fedora uses primarily openid and openidc, with saml being used for bugzilla
[21:28:56] <gp_> That, by the way, would be really cool.
[21:29:00] <jdsn> then we could use your package directly ;)
[21:29:08] <darix> *nods*
[21:29:13] <gp_> Both openSUSE and SLE. :)
[21:29:49] <adrianS> bmwiedemann: maybe you could try to get ipsilon running with ucs ... and maybe King_InuYasha could give you some hints if you struggle? :)
[21:29:56] <King_InuYasha> sure
[21:30:00] <King_InuYasha> I like bmwiedemann :)
[21:30:23] <jdsn> King_InuYasha: I guess he has many fans
[21:30:25] <King_InuYasha> he makes git repos for opensuse packages
[21:30:29] <King_InuYasha> that makes me a fan of him
[21:30:43] <Redtigra> he does :)
[21:30:53] <darix> aha that's why you dont ask me about that anymore!
[21:31:00] <bmwiedemann> :-)
[21:31:00] <jdsn> thats why I sit next to him in the office ;)
[21:31:29] <lcp> well, as far as I'm aware the office doesn't exist anymore due to covid
[21:31:36] <King_InuYasha> :'(
[21:31:46] <darix> lcp: the office exists! we are just hiding elsewhere :P
[21:31:50] <jdsn> its still there: I can prove :)
[21:31:51] <King_InuYasha> the nuremburg office is quite nice too
[21:31:56] <jdsn> but its pretty empty
[21:31:59] <King_InuYasha> my visit there was pleasant
[21:33:07] <King_InuYasha> jdsn: I'd like for us to be able to go with our original timeline of splitting the accounts by August/September
[21:33:21] <King_InuYasha> that's a lot less panicky and we can be methodical about the integration work
[21:33:28] <darix> King_InuYasha: are you really really sure that everyone really wants that?
[21:33:51] <bmwiedemann> does it make sense to split before there is an openSUSE foundation?
[21:34:00] <lcp> well, do you want to maintain connect? >:P
[21:34:06] <jdsn> not sure if in that timeline all technical details can be sorted out, but well you can try :)
[21:34:09] <King_InuYasha> bmwiedemann: yes, because then we don't have legal chaos on top of the splitting part
[21:34:16] <darix> lcp: we can kill connect without freeipa
[21:34:32] <jdsn> and also, I'd like to see that really many many people want that split
[21:34:40] <jdsn> ... after they understood the implications
[21:34:43] <lcp> we can't if we don't have an alternative to connect
[21:34:43] <darix> we can even do that member group in UCS
[21:34:56] <lcp> and email aliases?
[21:35:05] <lcp> and viewable profiles?
[21:35:08] <King_InuYasha> so you're asking us to write a new app for managing the self-service portal then
[21:35:13] <darix> lcp: we dont really need our own social network
[21:35:14] <King_InuYasha> because that piece *does* require FreeIPA
[21:35:27] <gp_> Is it fair to say that for the next months the two top priorities are:
[21:35:27] <darix> no
[21:35:40] <gp_> 1. Survive (in various meanings of that)
[21:35:47] <gp_> 2. Get away from Micro Focus IT?
[21:35:58] <darix> the *only* thing the we should preserve from connect is membership handling
[21:36:07] <darix> we do not need our own social network
[21:36:08] * cboltz would even do that in reverse order
[21:36:18] <jdsn> :)
[21:36:40] <lcp> I am curious what to do with links to https://www.suse.com/selfreg/jsp/createOpenSuseAccount.jsp?login=Sign+up
[21:36:48] <lcp> since we have a few places that do link there
[21:36:53] <darix> lcp: UCS comes with self mgmt?
[21:37:09] <darix> so we point the links to that
[21:37:10] <jdsn> UCS will offer a self registration tool
[21:37:11] <kl_eisbaer> I'm sorry: here is someone waiting for his bedtime story since an hour... King_InuYasha: your machine is up and running: ssh root@fedora-freeipa.infra.opensuse.org should work for you and lcp. As usual: no Salt, no other stuff done (beside basic services setup and updates installed).
[21:37:19] <King_InuYasha> kl_eisbaer: thanks :)
[21:37:20] <lcp> it does, I know
[21:37:26] <adrianS> lcp: there will be a new self service portal behind idp-portal.suse.com IIRC
[21:37:34] <kl_eisbaer> bye
[21:37:41] <King_InuYasha> kl_eisbaer: your work is appreciated :D
[21:37:44] <adrianS> lcp: for creating, editing, password change/reset
[21:37:47] <lcp> where do we link NOW tho
[21:38:02] <King_InuYasha> adrianS: and memberships? groups? identity linkage?
[21:38:17] <King_InuYasha> are _those_ parts also self-service?
[21:38:24] <lcp> https://www.microfocus.com/selfreg/jsp/createOpenSuseAccount.jsp stopped working, since the form requires more than it has fields
[21:38:28] <lcp> where do we link
[21:38:41] <jdsn> idp-portal.suse.com
[21:38:48] <adrianS> lcp: It might become https://idp-portal.suse.com/univention/self-service
[21:38:51] <lcp> but that's down
[21:38:57] <adrianS> yep, not there yet
[21:39:13] <lcp> I assume people just don't create accounts rn?
[21:39:14] <jdsn> some firewall bits need to be sorted out still
[21:39:24] <jdsn> but it will be there before the weekend
[21:39:57] <jdsn> lcp: that would be actually good, because then our diff dump is empty ;)
[21:40:08] <lcp> that seems like a very rocky move compared to how we wanted to do this :/
[21:40:12] <adrianS> And for some time we will have https://idp-migrate.opensuse.org to be able to set the new password via the old one
[21:40:22] <adrianS> but that is temporary
[21:40:28] <lcp> well, you can't sign up to any openSUSE infra at the moment
[21:40:46] <adrianS> lcp: understood, only MF-IT can fix that :/
[21:40:48] <lcp> which sure is great, and sure doesn't generate us a lot of emails and questions in support chats
[21:41:07] <adrianS> it is not wanted, we are prepared for importing further accounts
[21:41:22] * adrianS heard the first time here about it
[21:41:59] <lcp> it is a ticket in opensuse-admin on progress
[21:42:15] <adrianS> but as jdsn said, if we have the portal running until end of the week, people can create at least new accounts for the services which switch over ....
[21:42:40] <lcp> so when do we switch over with login proxies then
[21:42:42] <adrianS> lcp: hm, someone (a suse employee) needs to make a MF-IT ticket out of it most likely...
[21:43:01] <lcp> since we will have to change links to registration pages
[21:43:07] <lcp> everywhere
[21:43:30] <adrianS> right
[21:43:59] <adrianS> and we can not do a redirect .... hm, maybe we should create a single instance already?
[21:44:00] <lcp> at least we know where, since we are somewhat prepared already >:D
[21:44:22] <adrianS> I mean we could adapt the links already and point to eg. idp.opensuse.org/register
[21:44:36] <adrianS> and redirect from the to microfocus for now
[21:44:49] <adrianS> but we can switch to the new side with one change there
[21:44:53] <adrianS> later
[21:45:19] <adrianS> so we could already prepare for it and do not need to wait...
[21:45:23] <lcp> alright, sounds good
[21:45:34] <cboltz> given that the MF registration page is broken, maybe better redirect to a "sorry" page...
[21:45:50] <adrianS> or that ...
[21:46:16] <cboltz> it's less disappointing than filling a form, and then getting an error message saying that you didn't fill non-existing fields
[21:46:52] <adrianS> hm, okay, who should build up that vhost?
[21:46:57] <cboltz> (but then, maybe someone is smart enough to live-edit the form in firefox, add those fields, and register? ;-)
[21:47:09] * adrianS is able to do redirections but unable to do a nice web page :)
[21:47:12] <darix> adrianS: it needs to be on the non hero side?
[21:47:21] <adrianS> darix: does not matter
[21:47:48] <darix> adrianS: well you can even do it on haproxy itself
[21:48:05] <adrianS> you can, I can not :)
[21:48:59] <darix> I will teach you!
[21:49:03] * adrianS won't be able to stay for much longer without being killed ....
[21:49:31] <adrianS> okay, so, for some conclusion
[21:49:31] <jdsn> the latter would not make you stay either ;)
[21:51:08] <adrianS> well, if no one else want's to do it, but everyone says it is a good idea to have it. I can do it on login proxies directly
[21:51:24] <adrianS> and drop a mail to admin mailing list, so that all services can be adapted
[21:51:32] <adrianS> is that a plan?
[21:51:57] <jdsn> +1
[21:52:13] <adrianS> who would use it? ;)
[21:52:56] <jdsn> adrianS: I guess, the both of us are alone here :)
[21:53:01] <adrianS> sorry, need to leave .... if you want me to do it, please drop me a mail.
[21:53:04] <bmwiedemann> still here
[21:53:25] <adrianS> good evening
[21:53:31] <jdsn> CU
[21:55:19] <jdsn> I'll be around for a few minutes before I have to leave
[21:55:24] <bmwiedemann> I need to get some sleep as well. Will try ipsilon soon.
[21:55:30] <jdsn> ok
[21:55:56] <jdsn> so back to moderator cboltz
[21:56:01] <Redtigra> thanks for the discussion and great to meet you all
[21:56:12] <Redtigra> leaving too
[21:56:40] <cboltz> I hope you all will also join the next meetings ;-)
[21:57:50] <cboltz> so - do we have more things to discuss?
[22:00:21] <gp_> Hardware requests from the heroes?
[22:00:38] <gp_> Not as in "let's discuss this here and now", but a reminder that since
[22:01:00] <gp_> the heroes meeting in November I haven't seen a list yet, and while times
[22:01:34] <gp_> right now are not easy (COVID-19 and such), I suggest you work on this and share.
[22:02:16] <cboltz> I know that Lars started to work on it (I've even seen a very rough draft), but he was probably side-tracked by other work
[22:03:09] <cboltz> I wouldn't be surprised if he's still busy with carveout stuff, so I'm not sure if reminding him _now_ makes sense
[22:06:31] <tuanpembual> thanks all, need back to sleep,
[22:06:36] <tuanpembual> good morning
[22:07:33] <cboltz> good night ;-)
[22:09:26] <lcp> I guess I could mention creating the list of the maintainer of various openSUSE applications that fall outside of heroes
[22:09:41] <lcp>  * I guess I could mention creating the list of the maintainers of various openSUSE applications that fall outside of heroes
[22:10:01] <lcp> since I had to contact some of them about some stuff as you might know
[22:10:47] <cboltz> right, good idea
[22:11:36] <gp_> cboltz: Yes, understood, but it's been half a year now, and at one point there may be a (SUSE) budget exercise coming up.
[22:12:26] <cboltz> lcp: since you now know the first people, just start that list in the admin wiki - and feel free to use questionmarks if you don't know the people for some services
[22:13:16] <cboltz> gp_: from what I remember, this might become a case of "be careful with your wishes" ;-)
[22:15:30] <cboltz> basically the idea was 3 big servers (1 TB RAM) + Netapp for storage (rotating rust for download.o.o, SSDs for everything else) - ideally at multiple locations, not only in NBG
[22:16:02] <cboltz> no idea what this means money-wise, my computers are typically a bit ;-) cheaper :-P
[22:17:21] <lcp> sure
[22:18:21] <lcp> I do wonder what's the unknown with the budget though
[22:19:08] <lcp> because this might become a bigger deal with foundation I assume
[22:20:13] <cboltz> I hope that's one of the reasons why gp_ asks for it *now* ;-)
[22:21:33] <cboltz> so that he can make Mexico^WSUSE pay for it
[22:25:15] <darix> lcp: JFYI: my recommendation in the past was ... membership is a project in progress. tickets for evaluation are in that
[22:25:29] <darix> and the email aliases could be just a text file in gitlab.i.o.o
[23:09:27] <lcp> darix: we considered it
[23:09:57] <lcp> it might be how we go about memberships too