2020-06-02 #opensuse-admin - heroes meeting

[19:59:29] <bmwiedemann1> hi here
[20:01:04] <cboltz> hi everybody, and welcome to the heroes meeting!
[20:01:16] <Eighth_Doctor> hey all
[20:01:30] <cboltz> the topics are listed on https://progress.opensuse.org/issues/66463 - but we can add topics if needed
[20:01:48] <cboltz> so - let's do two things in parallel:
[20:01:53] <cboltz> a) who's here?   and
[20:01:59] <bmwiedemann1> I
[20:02:00] <cboltz> b) does someone from the community have a question?
[20:02:33] <pjessen> good evening all
[20:02:49] * jdsn is here
[20:04:58] <cboltz> since nobody dared to ask a question, let's continue with status reports
[20:06:11] <cboltz> so - who has something to report?
[20:06:17] <pjessen> from me - not really much of my doing, but the opensuse forums having been running in NBG for a while now.
[20:06:52] <pjessen> there are a few issues to be ironed out, but overall we're goog
[20:06:56] <pjessen> good
[20:07:42] <pjessen> otherwise I'm slowly working off the queue of mirror issues I opened priot to corona
[20:08:14] <pjessen> I also promise to take a lessons in typing. Very soon.
[20:08:22] <pjessen> and english.
[20:08:38] <cboltz> ;-)
[20:09:09] <cboltz> funny one from me - I repaired rendering of counter.o.o - someone, probably I, did run the render job as root a year ago when firefighting it, and now it lacked permissions to overwrite these files ;-)
[20:10:49] <cboltz> does someone else have status reports?
[20:10:58] <pjessen> there are some open issues wrt forums still - database location and getting a news server running.
[20:11:11] <bmwiedemann1> I kicked download.o.o VM after it crashed on monday
[20:12:02] <pjessen> bmwiedemann1: i didn't notice. what happened?
[20:12:33] <bmwiedemann1> not sure. We didnt find logs, but it was down for ~25m
[20:12:50] <bmwiedemann1> maybe oom
[20:12:52] <pjessen> wow.  very unusual.
[20:12:55] <bmwiedemann1> or kernel crash
[20:15:17] <pjessen> hej olav
[20:15:40] <oreinert> hejsa
[20:15:56] <cboltz> I think we can continue with the next topic - status of www.o.o/openid migration
[20:16:17] <cboltz> (I didn't expect the "fun" we had with it when adding that topic - but I'll let bmwiedemann1 report ;-)
[20:17:41] <bmwiedemann1> So somehow the service provided by MF-IT stopped working yesterday
[20:17:57] <bmwiedemann1> underlying curl https://130.57.66.6 shows a timeout
[20:18:26] <bmwiedemann1> Lars said, there was some kernel crash or so, but somehow they did not manage to fix it yet
[20:19:01] <bmwiedemann1> so I keep working on the ipsilon deployment as stop-gap (not fully production-ready with sqlite)
[20:20:22] <bmwiedemann1> we tried to switch to it during this day but found that it produced different identity URLs
[20:20:28] <bmwiedemann1> and I am very close to fix that
[20:21:25] <cboltz> :-)
[20:23:50] <bmwiedemann1> I just need to find out if old URL was https://www.opensuse.org/openid/user/bmwiedemann or with trailing slash (because ipsilon code tries to force the latter)
[20:24:47] <cboltz> I'd guess the answer might be in the openqa database
[20:25:01] <bmwiedemann1> okurz might know ^
[20:26:45] <bmwiedemann1> I guess, we can get a temp-fix done tomorrow
[20:27:02] <cboltz> sounds good
[20:27:17] <cboltz> and I wouldn't be surprised if you are faster than MF-IT can reboot the server in Provo ;-)
[20:28:37] <bmwiedemann1> let's make it a race.
[20:29:44] <bmwiedemann1> there are other aspects about openid. E.g. we need to find out if we need a different domain from id.o.o to pass common criteria certification.
[20:31:11] * cboltz has no idea about certification paperwork
[20:31:18] <jdsn> background: SUSE is in the process of being certified under common criteria and we have to take special care about systems that deal with our login credentials
[20:31:20] <bmwiedemann1> do you think, it would be an issue for our users, if logins went through some secure-suse.tld domain?
[20:32:26] <pjessen> bmwiedemann1: isnt that much how it used to work with mf-it ?
[20:32:36] <bmwiedemann1> sort of, yes.
[20:33:40] <Eighth_Doctor> bmwiedemann1: it probably would be
[20:34:07] <Eighth_Doctor> generally people seem to be unhappy about the bouncing back and forth between SUSE and openSUSE and the marketing email thing didn't help either
[20:34:46] <lcp> well, I would generally prefer if the accounts were clearly labeled as SUSE
[20:35:01] <Eighth_Doctor> jdsn: also, you have my sympathies for going through CC and STIGs
[20:35:55] <jdsn> thanks
[20:36:14] <Eighth_Doctor> used to work for gov subcontractor, so I have some idea of the pain involved
[20:36:23] <jdsn> the thing is, the login process must be in a protected environment on SUSE owned machines
[20:36:45] <jdsn> the client systems can be outside (opensuse dmz)
[20:37:08] <Eighth_Doctor> jdsn: that's not true if the data is partitioned
[20:37:18] <Eighth_Doctor> e.g. what is SUSE stuff and what is openSUSE stuff is clearly split
[20:37:46] <jdsn> bugzilla for example is both
[20:37:48] <bmwiedemann1> but with Leap, things get merged together from SLE+openSUSE
[20:37:58] <jdsn> and we have more of these mixed systems
[20:38:02] <Eighth_Doctor> no they didn't
[20:38:18] <Eighth_Doctor> Leap is not mixed, because we take stuff from SLE without a feedback loop
[20:38:50] <Eighth_Doctor> for the jump thing, there's going to be some kind of cross-instance SR federating thing, so it's already remaining partitioned that way
[20:38:57] <bmwiedemann1> still not easy to separate. And I think, feedback is WIP
[20:39:29] <Eighth_Doctor> jdsn: bugzilla is something that LCP and I have been thinking about for a while
[20:39:59] <Eighth_Doctor> it is definitely a special case
[20:40:36] <jdsn> but its not alone special, we also have the special Jira and special Confluence
[20:40:47] <Eighth_Doctor> jira and confluence are not special
[20:40:52] <Eighth_Doctor> nobody but suse people can access or use them
[20:40:53] <jdsn> :) ok
[20:41:04] <lcp> neither of which openSUSE uses, and is planning to (hopefully)
[20:41:16] <jdsn> I meant special in way that the tool allows login for employees and non-employees
[20:41:33] <Eighth_Doctor> jdsn: currently non-employees cannot log into jira or confluence, afaik?
[20:41:41] <Eighth_Doctor> at least I can't neither with partner or community accounts
[20:41:59] <jdsn> but its a service we (SUSE) offer externally and have to provide a secure login anyway
[20:42:14] <jdsn> yes they can - with a special contract
[20:43:02] <Eighth_Doctor> oh boy
[20:43:46] <pjessen> any more status reports ?
[20:44:11] <lcp> I just really wanted ask about the status on access for freeipa.i.o.o
[20:45:19] <pjessen> lcp: no prob, we just get sidetracked too often
[20:45:21] <jdsn> lcp: in general I heard positive reactions about that, but we fist need to remove some "dependencies" before we can open it
[20:45:45] <jdsn> sorry, I can not go into more details
[20:46:04] <lcp> I hope it's not the case of boosters machine which hosted 20 things at once ;)
[20:46:32] <jdsn> nope
[20:47:02] <jdsn> but please don't start the yes-no game now :)
[20:47:26] <lcp> I will restrain myself from asking questions then
[20:47:53] <jdsn> thanks :)
[20:48:00] <Eighth_Doctor> :(
[20:48:10] <cboltz> just wondering - AFAIK freeipa.i.o.o hosts a) heroes accounts and b) DNS entries. I'm somewhat surprised that we need to go through paperwork for giving lcp access there
[20:48:14] <cboltz> or do I miss something?
[20:48:19] <jdsn> but ping me, if I don't get it done in 3 weeks
[20:48:33] <Eighth_Doctor> cboltz: that is pretty much all that's on that box
[20:48:59] <jdsn> cboltz: its not paperwork, and I can show you "after" I removed it :)
[20:49:19] <Eighth_Doctor> LCP and I are in a position to migrate that to the new EL8 based FreeIPA box (so not being stuck on F24 anymore! 🎉)
[20:49:39] <cboltz> jdsn: ok, I'm looking forward to that ;-)
[20:50:44] <lcp> cboltz: I'm sure our VPN wiki mentions that admin machines aren't "normal"
[20:50:59] <lcp> I don't expect legacy fedora 24 machine to be an exception
[20:51:35] <cboltz> well, let's start with   define "normal"   ;-))
[20:51:42] <cboltz> (just joking)
[20:53:49] <cboltz> are we done with status reports?
[20:54:19] <lcp> I started doing the error pages, but got a little too ambitious at javascript part
[20:54:43] <lcp> https://progress.opensuse.org/issues/67435
[20:55:55] <lcp> basically I started messing with cachet api to check for the current status of the service displaying 503
[20:56:06] <cboltz> ideally the error pages should be static, so that haproxy can deliver a single HTML file (possibly loading css, images etc. from static.o.o - but it should still look somewhat readable if static.o.o is down)
[20:56:40] <lcp> they are static, although built with jekyll because it's easier for me
[20:56:56] <lcp> but yeah, they will be static, with additional js, css, images etc
[20:57:21] <cboltz> ok, sounds good
[20:59:28] <cboltz> I just looked at some old tickets (which actually is our next topic)
[21:00:17] <cboltz> pjessen: https://progress.opensuse.org/issues/17676 looks like a forgotten mirror ticket. Can you have a look at it? (the remaining part is stage.o.o access)
[21:00:33] <pjessen> 17676 ?? wow.
[21:00:52] <cboltz> yes, it's our 3rd-oldest open ticket ;-)
[21:00:57] <pjessen> sure, assign it to me.
[21:02:26] <cboltz> done
[21:05:13] <pjessen> got it
[21:06:34] <pjessen> I see somebody changed the css for mirror.o.o ?
[21:14:46] <pjessen> okay, i guess I'll have to fix it tomorrow.
[21:18:57] <cboltz> given the silence, I think we can close the meeting
[21:19:02] <cboltz> thanks everybody for joining!
[21:19:27] <cboltz> (and if you have some time left, have a look at our tickets (both old and new) and maybe handle one of them ;-)
[21:19:47] <pjessen> okay, good night.
[21:19:57] <jdsn> N8
[21:21:42] <bmwiedemann1> gn
[21:40:26] <Eighth_Doctor> good evening all :)