communication #60578

closed

2020-01-07 19:00 UTC: openSUSE Heroes meeting January 2020

Added by cboltz over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Category:
Event
Target version:
-
Start date:
2019-12-03
Due date:
% Done:

0%

Estimated time:

Description

Where: irc://irc.freenode.net/#openSUSE-admin IRC channel
When: 2020-01-07 19:00 UTC / 20:00 CET
Who: The openSUSE Heroes team and everybody else!

Topics
see/use checklist


Files

2020-01-07-heroes-meeting.txt (35.5 KB) - IRC meeting log - cboltz, 2020-01-07 23:18

Checklist

  • Questions and answers from the community
  • status reports about everything
  • review old tickets
  • Internal SSL CA for servers
  • What to do with old FreeIPA accounts (pw expired)
  • IPv6 renumbering
  • Mirror tickets
  • GDPR -> Saltify account removal
Actions #1

Updated by cboltz over 4 years ago

  • Private changed from Yes to No
Actions #2

Updated by lrupp over 4 years ago

  • Checklist item changed from [ ] Questions and answers from the community, [ ] status reports about everything, [ ] review old tickets to [ ] Questions and answers from the community, [ ] status reports about everything, [ ] review old tickets, [ ] What to do with old FreeIPA accounts (pw expired), [ ] IPv6 renumbering

What to do with old FreeIPA accounts?

At the moment, we already have some accounts in FreeIPA that have not been used for a long, long time. The password is expired and I see a high potential that the owners of those accounts silently left the openSUSE heroes. While it should not be a big deal to leave the accounts as they are (once the owners log in, they are asked to renew their password - and that's it), I see a high potential to sum up some dead accounts in an "only infrastructure" related database. For me, this includes the potential for security risks (as - for example - nobody really knows if a hacker might crack and misuse such an account) and also makes it harder to keep an overview of active members.

So I'd like to ask if we could agree on disabling a user whose password has been expired for more than 6 months?

This would leave the user account (reserved) in the database, but the user will be unable to log in.
This also allows filtering the inactive accounts and seeing only the active users.

Actions #3

Updated by lrupp over 4 years ago

IPv6 renumbering

This is more or less just a "for your information" message - details still have to be sorted out.

I got a confirmation from SUSE-IT that SUSE got a new IPv6 range assigned: 2001:67c:2178::/48
openSUSE machines should also use IPs from this IPv6-range.

Most of the openSUSE machines are still using an old range from 2010: 2620:113:80c0::/50
This network will no longer belong to SUSE in the near future - and therefore the openSUSE machines should be migrated over to the new range.

Actions #4

Updated by cboltz over 4 years ago

lrupp wrote:

So I'd like to ask if we could agree on disabling a user whose password has been expired for more than 6 months?

There are two possible reasons for expired passwords:
a) someone really isn't active anymore
b) someone hasn't logged in to FreeIPA for a long time. Note that you can still use an expired password to log in to the VPN and when using sudo. Only when logging in to FreeIPA, you'll be annoyed to change the password - but (besides changing your password) the only reasons to log in to FreeIPA are to set up a new heroes account or do DNS changes, which are restricted to a few people. Oh, and FreeIPA does not even send out a mail when your password expires.

This also means that we'll at least have to send out mails to the people without expired passwords before disabling their accounts to avoid that we disable too many accounts.

IPv6 renumbering

Great, we didn't have fun with changing IP addresses for two years ;-)
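One way to build the list discussed above (enabled accounts whose password expired more than 6 months ago), as an added example that is not part of the ticket or the Heroes' tooling. It assumes an LDIF export carrying FreeIPA's `krbPasswordExpiration` and `nsAccountLock` attributes; the entries, the 183-day threshold and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entries (not real accounts), LDIF-style export.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=org
uid: alice
krbPasswordExpiration: 20190301120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=org
uid: bob
krbPasswordExpiration: 20191101120000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=org
uid: carol
krbPasswordExpiration: 20180615080000Z
nsAccountLock: TRUE
"""

GRACE = timedelta(days=183)  # assumption: "more than 6 months" read as 183 days

def parse_entries(ldif):
    """Split simple (unwrapped, non-base64) LDIF text into attribute dicts."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key] = value
        entries.append(attrs)
    return entries

def stale_accounts(entries, now):
    """Return (uid, days_expired) for enabled users expired longer than GRACE."""
    stale = []
    for e in entries:
        if e.get("nsAccountLock", "FALSE").upper() == "TRUE":
            continue  # already disabled, nothing left to do
        raw = e.get("krbPasswordExpiration")
        if raw is None:
            continue  # no expiry recorded: leave for manual review
        expiry = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if now - expiry > GRACE:
            stale.append((e["uid"], (now - expiry).days))
    return sorted(stale, key=lambda item: -item[1])

MEETING = datetime(2020, 1, 7, 19, 0, tzinfo=timezone.utc)  # date of this meeting
print(stale_accounts(parse_entries(SAMPLE_LDIF), MEETING))
```

Because an expired password still works for VPN and sudo, the result is a list of people to contact first, not a list of accounts that are safe to disable.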

Actions #5

Updated by lrupp over 4 years ago

Mirror tickets

There are currently a lot of open tickets around download.opensuse.org mirrors. We should clarify who is currently working on those tickets and try to solve them...

Actions #6

Updated by lrupp over 4 years ago

  • Checklist item changed from [ ] Questions and answers from the community, [ ] status reports about everything, [ ] review old tickets, [ ] What to do with old FreeIPA accounts (pw expired), [ ] IPv6 renumbering to [ ] Questions and answers from the community, [ ] status reports about everything, [ ] review old tickets, [ ] What to do with old FreeIPA accounts (pw expired), [ ] IPv6 renumbering, [ ] Mirror tickets
Actions #7

Updated by lrupp over 4 years ago

  • Checklist item changed from [ ] Questions and answers from the community, [ ] status reports about everything, [ ] review old tickets, [ ] What to do with old FreeIPA accounts (pw expired), [ ] IPv6 renumbering, [ ] Mirror tickets to [ ] Questions and answers from the community, [ ] status reports about everything, [ ] review old tickets, [ ] What to do with old FreeIPA accounts (pw expired), [ ] IPv6 renumbering, [ ] Mirror tickets, [ ] GDPR -> Saltify account removal

GDPR -> Saltify account removal

As we get more requests for complete deletion of accounts, I think it is time to think about a way to automate as much as possible even in this direction.

I'm thinking of something like:

  • User sends ticket for deletion
  • MF-IT (or whoever) disables the user and does other "magic" stuff
  • the request ends up again on the openSUSE heroes plate
  • any Hero could do something like: salt '*' cmd.run '/root/bin/remove_user $login' which would do whatever is needed on the systems to remove the user
    • disabling/deleting the user on FreeIPA
    • remove the user from the community.o.o database
    • removing the user from any other database / application
    • remove any local files (like cron jobs, home directories, files) and processes
    • remove the user's SSH keys from Gitlab
    • disable/remove the user in Gitlab
    • check planet.o.o feeds for this user - and create issues or PRs to remove him
  • send back a status report about the stuff done on the machines
  • enhance the output with additional information which other parties might need to get informed

IMHO this should give us - as Heroes - also a good overview, where users might have their data stored and which systems are in place and using data.

Actions #8

Updated by lrupp over 4 years ago

  • Checklist item changed from [ ] Questions and answers from the community, [ ] status reports about everything, [ ] review old tickets, [ ] What to do with old FreeIPA accounts (pw expired), [ ] IPv6 renumbering, [ ] Mirror tickets, [ ] GDPR -> Saltify account removal to [ ] Questions and answers from the community, [ ] status reports about everything, [ ] review old tickets, [ ] Internal SSL CA for servers, [ ] What to do with old FreeIPA accounts (pw expired), [ ] IPv6 renumbering, [ ] Mirror tickets, [ ] GDPR -> Saltify account removal

Internal SSL CA for servers

I know at least three services that use SSL certificates for secure communication:

  • NRPE (currently using own script)
  • MySQL/MariaDB (self signed)
  • PostgreSQL (self signed?)

While FreeIPA allows generating certificates for "known hosts", so far we tried to avoid FreeIPA for anything other than user management. But internal SSL certificates are needed - and the certificates for the Galera Cluster hosts are already outdated and need a renewal. So how to proceed here: shouldn't we have an internal "certbot" that can be used to generate SSL certificates for services?

Actions #9

Updated by cboltz over 4 years ago

Actions #10

Updated by lrupp about 4 years ago

  • Checklist item changed from to [x] Questions and answers from the community
Actions #11

Updated by lrupp about 4 years ago

  • Checklist item changed from to [x] status reports about everything
Actions #12

Updated by lrupp about 4 years ago

  • Checklist item changed from to [x] What to do with old FreeIPA accounts (pw expired)
Actions #13

Updated by lrupp about 4 years ago

  • Checklist item changed from to [x] IPv6 renumbering
Actions #14

Updated by lrupp about 4 years ago

  • Checklist item changed from to [x] Mirror tickets
Actions #15

Updated by lrupp about 4 years ago

  • Checklist item changed from to [x] GDPR -> Saltify account removal
Actions #16

Updated by lrupp about 4 years ago

  • Checklist item changed from to [x] Internal SSL CA for servers
Actions #17

Updated by lrupp about 4 years ago

  • Checklist item changed from to [x] review old tickets