
communication #101851

2021-12-07 19:00 UTC: openSUSE Heroes meeting December 2021

Added by cboltz 7 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee: opensuse-admin
Category: Event
Target version: -
Start date: 2021-11-02
Due date:
% Done: 100%
Estimated time:

Description

Where: https://meet.opensuse.org/heroes
When: 2021-12-07 19:00 UTC / 20:00 CET
Who: The openSUSE Heroes team and everybody else!

Topics
see/use checklist


Checklist

  • Questions and answers from the community
  • status reports about everything
  • review old tickets
  • next meeting - Jan 4th or move to Jan 11th?
  • Contributor Agreement (see #99804)

History

#1 Updated by cboltz 7 months ago

  • Private changed from Yes to No

#2 Updated by lrupp 7 months ago

Status updates

Updates/Upgrades

Gitlab

Enabled the automatic de-activation of dormant users.

  • Dormant users are automatically de-activated after 90 days of inactivity.
  • Users can reactivate their account by signing in.

JeOS image (for Leap 15.3)

  • Update to 0.4.1:
    • add/change sysctl settings:
      • do not use the privacy extension, we disabled it anyway: net.ipv6.conf.default.use_tempaddr=0 -> disable_ipv6_autoconf.conf
      • make it easier to disable/enable route verification on all interfaces via net.ipv4.conf.all.rp_filter -> rp_filter.conf
      • Disable response to broadcasts. You don't want yourself becoming a Smurf amplifier: net.ipv4.icmp_echo_ignore_broadcasts=1 -> ignore_broadcasts.conf
  • added new nrpe check definitions:
    • check_external.cfg
    • check_private.cfg
    • check_apache_status.cfg
    • check_connections.cfg
    • check_cpu_stats.cfg
    • check_partition_var.cfg
    • check_ntp.cfg
    • check_logrotate_status.cfg
    • check_iostat_vdb.cfg
    • check_mysql.cfg
    • check_rsyslog.cfg
    • check_running_kernel.cfg
    • check_eth1.cfg
    They are covering some defaults of the new monitoring setup.
  • added udev rules to rename eth0 to private
  • adjust /root/bin/initial_setup.sh
    • follow the renaming
    • add interactive mode for people that need it
    • add the IP of the remote syslog server in /etc/hosts, as it might happen that the DNS resolution comes up too late for rsyslog
  • install additional packages:
    • bzip2 (needed by some scripts for tar.bz2 files)
    • xfsprogs (to create/handle xfs filesystems)
  • switch from EFI boot mode to legacy boot (saves some space on the root disk of the VM; EFI is not really needed there atm)
  • enforced to clean-up config.sh from deprecated values
    • moved /etc/hosts modification from config.sh to initial_setup.sh
  • use releasever variable instead of hardcoded Leap version in zypper repositories, which makes an upgrade easier
  • remove check_mk from xinetd: not needed/used any longer
  • be a bit more verbose in config.sh: makes debugging easier
  • install and activate umad and tuned for performance tuning
  • use systemctl to enable/disable services, as baseInsertService and baseRemoveService do not seem to work reliably at the moment
  • disable a couple of (for a VM) unneeded services:
    • IPv4 & IPv6 DHCP
    • Network nanny
    • Raid/mdadm checks
    • lvm2 services
    • battery check timer

Adjusted our virtual machine testing wiki page to follow the latest image changes.

SSL Configuration changes

As CVE-2002-2001 allows an attacker to DoS our SSL endpoints, I disabled Diffie-Hellman Ephemeral key exchange (DHE). As this was one of the weakest ciphers that our SSL servers supported, we potentially lost only very old clients (like Safari <= 8).

Have a look at https://www.ssllabs.com/ssltest/analyze.html?d=www.opensuse.org&latest for details. We are meanwhile rated A+ :-)

Fixed Security problem on paste.o.o

Michal Hrusecky thankfully fixed an XSS security issue in https://paste.opensuse.org/ today (2021-12-07). Lars asked if he wants to migrate the service into the openSUSE heroes infrastructure: he agreed, but wants to upgrade his application first before doing so.

External IP for code.opensuse.org

Worked a bit on the external IP part for https://code.opensuse.org/ :

  • dehydrated setup beautified (to be ready for Salt)
  • nginx SSL settings adjusted to be "A+ conform"
  • services (xinetd) bound to internal interfaces

Security scans

As we meanwhile have an internal OpenVAS security scanner, Lars runs scans inside the internal network from time to time. Additional people with access to the instance:

  • cboltz
  • pjessen

For the most important issues, Lars opened/opens issues here in progress.o.o and tries to assign these tickets to the admins of the affected servers directly (if possible, otherwise the group opensuse-admin is the default).

Most interesting at the moment might be #102599, as it's currently not clear if jQuery is still in use at all.
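The status report above describes two hardening changes that are easy to regress on a rebuilt VM: the sysctl drop-ins in the JeOS image (use_tempaddr, rp_filter, icmp_echo_ignore_broadcasts) and the removal of DHE from the TLS cipher list. The following audit script is an added example and not part of the openSUSE Heroes image or Salt tooling. It parses sysctl.conf(5)-style text and reports drift against the expected values, and it uses Python's `ssl` module to list which finite-field DHE suites a server context would still offer for a given OpenSSL cipher string. The sample drop-in text is constructed; rp_filter=1 (strict mode) is an assumption, since the report only names the key and not the value it sets.

```python
"""Audit a VM against the sysctl hardening and DHE removal from the status report.
Added example; not part of the openSUSE Heroes tooling."""
import ssl
from typing import Dict, List, Optional, Tuple

# Expected values. use_tempaddr=0 and icmp_echo_ignore_broadcasts=1 are taken
# from the report; rp_filter=1 (strict reverse-path filtering) is an assumption,
# because the report only names the key.
EXPECTED_SYSCTL: Dict[str, str] = {
    "net.ipv6.conf.default.use_tempaddr": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
}


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf(5) syntax: 'key = value' lines, '#' or ';' comments,
    blank lines. A leading '-' (ignore-errors marker) is dropped and '/' in
    keys is normalised to '.', so both spellings of a key compare equal."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lstrip("-").replace("/", ".")
        settings[key] = value.strip()
    return settings


def audit_sysctl(conf_text: str,
                 expected: Dict[str, str] = EXPECTED_SYSCTL
                 ) -> List[Tuple[str, str, Optional[str]]]:
    """Return (key, expected, actual) for every expected key that is missing
    (actual is None) or set to a different value."""
    actual = parse_sysctl_conf(conf_text)
    return [(k, v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v]


def dhe_ciphers_offered(cipher_string: str) -> List[str]:
    """Names of finite-field DHE suites a TLS server context would still offer
    with this OpenSSL cipher string. An empty list means DHE is disabled, which
    is the state the report describes for the SSL endpoints."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()
            if c.get("kx") == "DH" or c["name"].startswith("DHE-")]


# Constructed sample of what the drop-ins under /etc/sysctl.d/ might contain
# after the image update, with rp_filter deliberately left out to show drift.
SAMPLE_SYSCTL_D = """
# disable_ipv6_autoconf.conf
net.ipv6.conf.default.use_tempaddr = 0
; ignore_broadcasts.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1
-net.core.somaxconn = 1024
"""

if __name__ == "__main__":
    for key, want, got in audit_sysctl(SAMPLE_SYSCTL_D):
        print(f"sysctl drift: {key} expected {want!r}, found {got!r}")
    for spec in ("ALL:!aNULL:!eNULL", "ECDHE+AESGCM:ECDHE+CHACHA20:!DHE"):
        print(f"{spec!r} still offers DHE: {dhe_ciphers_offered(spec) or 'none'}")
```

On a real host, feed `audit_sysctl` the concatenated contents of /etc/sysctl.d/*.conf (or the output of `sysctl -a` for the running values) and pass the web server's configured cipher string to `dhe_ciphers_offered`; a non-empty DHE list is the signal that the change from the report did not make it into the deployed configuration.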

#3 Updated by cboltz 6 months ago

  • Checklist item next meeting - Jan 4th or move to Jan 11th? added

#4 Updated by cboltz 6 months ago

2021-12-07 heroes meeting

jitsi:

  • test package is building
  • test installation will probably be updated next week
  • meet.o.o can currently only have SUSE admins because it's used for SUSE-internal meetings
  • meet-test.o.o server can have community admins (use one of the *.infra.o.o VMs as jump host for ssh login)

status reports:

openSUSE Infrastructure Contributor Agreement:

  • we base on trust
  • should include the common openSUSE principles/guidelines
  • we cannot require an openSUSE hero to be an openSUSE member - as they just earn the credits to become a member by working as an openSUSE hero - but we can ask them to follow the member guidelines in general

next meeting:

  • will be moved by a week to Jan 11th

#5 Updated by lrupp 4 months ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
