Blob Blame History Raw
13:01:06 <bstinson> #startmeeting
13:01:06 <centbot> Meeting started Mon Sep 15 13:01:06 2014 UTC.  The chair is bstinson. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:01:06 <centbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
13:01:27 <bstinson> #meetingname CBS-Infra-2014-09-15
13:01:27 <centbot> The meeting name has been set to 'cbs-infra-2014-09-15'
13:01:52 <bstinson> #chair alphacc Arrfab kbsingh bstinson MerlinTHP_
13:01:52 <centbot> Current chairs: Arrfab MerlinTHP_ alphacc bstinson kbsingh
13:02:45 <bstinson> #topic Is this a good time to meet?
13:02:54 <MerlinTHP_> Well, it works for me :)
13:03:51 <alphacc> Me too if we keep it under 30 min
13:04:01 <bstinson> Good, I think we should make this a regular thing (weekly, or every-other-week) for a while until we run out of things to talk about
13:04:09 * MerlinTHP_ nods.
13:04:11 <bstinson> short meetings are good
13:04:17 <alphacc> I think weekly is good for now.
13:04:39 <MerlinTHP_> Agreed, i imagine we can find things to talk about
13:04:57 <wolfy> works for me too. although I am just a lurker
13:05:18 <bstinson> #agreed Weekly meetings on Monday at 13:00 UTC
13:06:36 * lalatenduM is here too
13:06:54 <bstinson> #topic SIG/Developer authentication
13:07:39 <alphacc> so far cbs has his own CA, I don't know the status of git.c.o auth
13:07:53 * MerlinTHP_ assumes it's ssh key auth
13:07:59 <MerlinTHP_> Can anyone confirm?
13:08:08 * kbsingh is here
13:08:14 * gwd is here
13:08:17 <bstinson> we also need to worry about the lookaside cache
13:08:42 <MerlinTHP_> I'd be tempted to start from a default position of "what does fedora infra do?"
13:09:01 <MerlinTHP_> If only that they've solved a lot of this stuff, and have existing tooling
13:09:10 <bstinson> I think FAS is on the radar
13:09:24 <kbsingh> i am not sure if FAS is indeed on the store for CentOS though - is it ?
13:09:38 <MerlinTHP_> I've heard it mentioned, but nothing conclusive.
13:09:49 <kbsingh> there certainly hasent been any movement on that front - FAS was brought up a few times, but only in line with other potential solutions as well
13:09:49 <gwd> What's FAS?
13:09:57 <Arrfab> alphacc: atm git.c.o uses his internal auth DB
13:09:58 <kbsingh> gwd: the Fedora Accounting System
13:09:59 <MerlinTHP_> Fedora Account System
13:10:24 <MerlinTHP_> I'm not sure we really want to build something from scratch.
13:10:33 <alphacc> Arrfab: but gitblit does support ssl cert ?
13:10:45 <kbsingh> git.centos.org can more or less do anything, includiung ldap, krb, shared certs, shared ca, pub certs, internal pipe backend for auth or even static files
13:10:51 <kbsingh> alphacc: yes
13:10:57 <MerlinTHP_> What does g.c.o do now?
13:11:13 <kbsingh> MerlinTHP_: flat file, internal auth
13:11:24 <MerlinTHP_> I suppose we're at the point of not having a huge userbase to reeducate
13:12:24 <kbsingh> are we talking purely in the context of git.centos.org + cbs.centos.org ? I guess having FAS like system would help if were to come up system wide for all of .centos.org - and we can move wiki + bugs + forums + other things to it as well
13:12:41 <MerlinTHP_> I'd suggest that ideally the latter
13:13:15 <MerlinTHP_> In addition to FAS, I'd be tempted to throw IPA into the ring as an option too.
13:13:48 <MerlinTHP_> I spend a fair amount of time in $dayjob getting stuff to auth against our IPA instace.
13:14:04 <Arrfab> MerlinTHP_: such discussion started too, but the scope is wider than just cbs+git which is supposed to be the "to be discussed points" today
13:14:06 <alphacc> kbsingh: yes. In term of interaction between cbs/git we just need people to be able to create branches at the git level
13:14:26 <MerlinTHP_> Arrfab: agreed.
13:14:38 <MerlinTHP_> Seems silly to build something just for cbs & git, though
13:15:34 <kbsingh> how would branches in git.c.o work - at the moment, the distro brach is locked - noone can commit to those. and I've been working to have branch name be the sig name for someone
13:15:37 <alphacc> MerlinTHP_: I think it's better to test the workflow for building and defer auth for later.
13:15:54 <kbsingh> eg. VirtSig people will need to work with their own branch - but wont be able to create and push to other ones, unless they had acl's for other sig's as well
13:16:21 <MerlinTHP_> alphacc: I'm just a bit worried about getting people too familiar with something that we might well change later
13:16:21 <Arrfab> MerlinTHP_: agreed too, but it would be good to know what are the blockers now on the git/cbs status. and if common auth is the real issue, then another meeting around centralized auth can be foreseen :-)
13:17:19 <alphacc> MerlinTHP_: the koji part won't change, and educate user to access git with pass or ssh key doesn't seems an issue for our audience
13:17:27 <MerlinTHP_> alphacc: fair enough
13:17:40 <gwd> kbsingh: So I think we need to be able to have dev branches from which we can issue a pull request.
13:17:50 <alphacc> MerlinTHP_: I would agree if it was for everybody.
13:18:29 <MerlinTHP_> alphacc: I'm a bit worried that you don't scale, though ;)
13:18:37 <MerlinTHP_> alphacc: you're doing all the account creation by hand atm?
13:19:04 <alphacc> MerlinTHP_: correct. this is part of this week documentation effort.
13:19:05 <Arrfab> MerlinTHP_: yes, but afaik less than 10 people have access through approved SIGs
13:19:17 <kbsingh> in terms of forward-looking-planning, my estimate on user accounts to end of the year 2014 is 50
13:19:27 <MerlinTHP_> OK
13:19:27 <kbsingh> and in the next 18 momths, is to grow that to 150
13:19:44 <bstinson> which is not so bad
13:20:10 <kbsingh> most SIG's are only going to have a few people commiting into git.centos.org right ? I'm counting on the biggest ones having 10
13:20:18 <Evolution> I still think long-term it should be automated, rather than blocking on a specific person
13:20:27 <Evolution> or group of people.
13:20:31 <MerlinTHP_> Mm
13:20:48 <MerlinTHP_> This is one of those "FAS has already solved this issue" things, tbh
13:21:04 <kbsingh> gwd: would'nt that be local though ? eg. if come of people want to do local branches ? or are you saying that people will need commit access to git.centos.org where from a 'privileged' account can merge into the production branch and issue a build req ?
13:21:06 <Evolution> yeah. fas or a bit of scripting around ipa.
13:21:11 <MerlinTHP_> Evolution: exactly
13:21:27 <alphacc> Evolution: yes agreed
13:21:36 <MerlinTHP_> TBH I personally like IPA a lot, but I'm trying not to be too biased ;)
13:22:01 <kbsingh> gwd: if we want the push coming to git.centos.org - we might need to workout some sort of a convention for personal branches.
13:22:18 <kbsingh> automate everything
13:22:49 <gwd> kbsingh: Well it doesn't need to be on git.c.o, if that's what you mean; it could be on gitorious/github/some other public repo.  But wherever it is, we want to be able to build from it.  At least, I assume the burden of testing to make sure it builds properly should be on the person sending the pull request, not on the person potentially doing the pulling. :-)
13:23:04 <kbsingh> specially, since automation is the only way to really make sure there is a 'user-exiting' cleanup process as well
13:23:15 <MerlinTHP_> Just bear in mind that koji needs config for each git server you want to pull from
13:23:26 <kbsingh> MerlinTHP_: it will only pull from git.centos.org
13:23:27 <MerlinTHP_> I'd recommend only having koji pull from g.c.o
13:23:33 <MerlinTHP_> Right.
13:23:39 <alphacc> yes
13:24:02 <MerlinTHP_> So anything you want to build has to end up in g.c.o, even if people are pushing to github or whatever
13:24:34 <Arrfab> MerlinTHP_: yes
13:24:43 <kbsingh> yeah, its a good problem domain to fix, its the classic who CI's and how does the CI queue work
13:24:46 <alphacc> MerlinTHP_: There is SRPM use case, but I really didn't find any good reason.
13:24:47 <gwd> MerlinTHP: Then that would imply either 1) sending pull requests from trees that haven't been tested on koji or 2) having development trees on git.c.o so that things could be tested on koji before sending a pull request
13:25:06 <kbsingh> i wonder if we can have people do scratch builds, and the results be a consideation for people doing the pulls
13:25:16 <alphacc> gwd: koji should not become a CI.
13:25:28 <MerlinTHP_> Yeah, koji isn't great for CI
13:25:37 <kbsingh> i dont think gwd is talking CI though
13:25:51 <MerlinTHP_> Right.
13:25:53 <kbsingh> were not testing the code, per se - its just to make sure the branch is buildable
13:26:04 <kbsingh> maybe --scratch builds might be a middle ground there ?
13:26:05 <alphacc> Yes just a warning, casue I have koji users :)
13:26:21 <gwd> Just because it build via an SRPM doesn't mean it will build from a git tree. :-)
13:26:44 <MerlinTHP_> There's not that much difference between koji building a package and mock on a user box, as long as mock is using the koji repos.
13:26:54 <kbsingh> gwd: right, but koji only ever builds from a srpm - the git is just where the srpm is stored, were never building from git
13:27:15 <kbsingh> when koji gets a build-this, it git checksout, make it into an srpm - then does the mock run to build rpms out of it
13:27:17 <MerlinTHP_> Well, koji pulls the source from git and builds a srpm
13:27:24 <alphacc> kbsingh: yes
13:27:24 <MerlinTHP_> Yeah, tha
13:27:25 <MerlinTHP_> t
13:28:13 <bstinson> (bringing it back in a little bit) it sounds to me like we aren't quite ready to talk about long-term auth
13:28:21 <kbsingh> nutshell: gwd's point is that people need to be able to propose changes, without running their own buildsystems. right ?
13:28:24 * MerlinTHP_ is getting that ;)
13:28:28 <MerlinTHP_> +feeling
13:29:30 <bstinson> what can we do in the short term to get people access to the lookaside caches? i know that's come up a couple of times
13:29:45 <MerlinTHP_> Auth with the same SSL cert they use for koji?
13:30:10 <alphacc> bstinson: I think we need at least docs on the process will be handled.
13:30:27 <MerlinTHP_> The upload script for fedora's lookaside is public, and can be easily adapted to our cache
13:31:07 <MerlinTHP_> I can hunt that out if there's interest
13:31:07 <alphacc> MerlinTHP_: can it be part of centpkg ?
13:31:11 <kbsingh> are we talking about https://git.centos.org/sources/ ?
13:31:26 <bstinson> kbsingh: yes
13:31:27 <MerlinTHP_> Yeah
13:31:35 <kbsingh> the privileged path to that store is via ssh or rsync over ssh at the moment
13:31:42 <Evolution> 868963
13:31:43 <MerlinTHP_> Hmm
13:31:58 <kbsingh> but its a flat filesystem, so a cgi script ( like what fedora use ) might be easy to adapt, and we can protect branches at the unix level
13:32:09 <Evolution> 195082
13:32:16 <kbsingh> ( ie. I can make sure the buildsystem and distro branches are owned by someone else )
13:32:27 <kbsingh> Evolution: move your yubi key to a different usb port
13:32:32 <MerlinTHP_> Heh
13:32:36 <alphacc> ah ah
13:32:39 <Evolution> bah, was dialing phone.
13:32:47 <kbsingh> alternatively, folks - anyone needing to break into Evolution's 2FA accounts, you ahve about 180 seconds to use those two codes
13:32:48 * Evolution moves laptop
13:32:50 <MerlinTHP_> No, you weren't ;)
13:32:55 <bstinson> heh
13:33:18 <kbsingh> i need a better keyboard, way too many typos
13:33:31 <bstinson> alphacc: to answer your question, it's already built into rpkg we just need to figure out how to say if a user has upload privs or not
13:33:32 <kbsingh> so, what / how would centpkg integrate with the sources / lookaside push ?
13:33:47 <MerlinTHP_> centpkg has upload support
13:33:57 <MerlinTHP_> It needs tweaking for centos' cache layout
13:34:11 <MerlinTHP_> It does an HTTPS request with the client cert for auth
13:34:42 <MerlinTHP_> sorry, rpkg has that, centpkg can override that code
13:35:02 <alphacc> ok
13:35:14 <kbsingh> what do we need on the server to support that push ?
13:35:31 <MerlinTHP_> A CGI script on an HTTPS server with some client auth config
13:35:41 <MerlinTHP_> So cgi + httpd config
13:35:47 <kbsingh> what sort of auth backend can that support ?
13:36:05 <kbsingh> also, upload via https.... is going to need some multipart fluffery
13:36:40 <MerlinTHP_> That bit is a solved problem, afaik.  rpkg already does it
13:36:57 <MerlinTHP_> The server validates the client cert against our CA
13:37:14 <MerlinTHP_> Needs a CRL to be able to revoke certs.
13:38:14 <kbsingh> right, so this would then share the ca with koji ?
13:38:19 <MerlinTHP_> Yeah
13:38:39 <kbsingh> and we'd need to have git.centos.org also then use the same CA
13:38:47 <MerlinTHP_> Mm
13:38:55 <MerlinTHP_> IPA getting more attractive by the second...
13:38:56 <MerlinTHP_> ;)
13:39:31 <alphacc> if we keep the koji CA (and use it for soemthing else) we may want to move easy_rsa + git-crypt (for scaling issue)
13:39:37 <alphacc> or FreeIPA ;)
13:40:36 <gwd> I'm more of a stout man myself...
13:40:40 <kbsingh> gitblit can maknss calls as well if that makes life easier
13:40:53 <kbsingh> can make nss
13:41:22 <kbsingh> from the git.centos.org perspective, we can use pretty much anything and it will consume it .
13:41:27 * MerlinTHP_ nods.
13:41:49 <kbsingh> there are 2 things that we need to protect though - (1) there is always going to be a privileged path for rhel sources and buildsystem feedback - both of those can never fail
13:42:09 <kbsingh> and (2) we need a way to gurantee branch names and commit access to branch names is locked down
13:42:33 <bstinson> does gitblit currently give you that control?
13:42:34 <kbsingh> so if the auth setup is going to happen at koji CA - that needs to provide a user:sig name mapping which can be used to map users:branch
13:42:34 <MerlinTHP_> Can gitblit do that per-branch stuff?
13:42:38 <kbsingh> bstinson: yes.
13:42:52 <MerlinTHP_> Hrm
13:43:20 <MerlinTHP_> We need more than just a CA for this
13:43:30 <MerlinTHP_> CA + something with groups and things like that.
13:43:33 <kbsingh> I worked with the author of gitblit ( james moger ) to work that in, and I've made some more tweaks at this end that make it work quite nicely
13:43:49 <MerlinTHP_> That's cool.
13:44:10 <kbsingh> for the git code itself, and the lookaside cache - the privleged path is via ssh
13:44:28 <kbsingh> and gitblit does not mind that, it will happy refresh local git content cache if it finds the underlaying storage changee
13:44:53 <MerlinTHP_> I'd have assumed that git+ssh was the default push method anyway
13:45:06 <kbsingh> fwiw, gitolite can also consume and implement a user:branch mapping
13:45:37 <kbsingh> push mode for git is over https
13:45:41 <MerlinTHP_> Oh, ok
13:45:54 <kbsingh> thinking there is that if we need entity verification, an EV cert will give you that
13:46:31 <MerlinTHP_> Do we have a cert revocation system for the current koji CA?
13:46:48 <MerlinTHP_> If I lose my laptop with koji cert now, what happens?
13:47:09 <alphacc> MerlinTHP_: we can revoke access to koji
13:47:23 <alphacc> MerlinTHP_: no crl right now but agreed it's needed.
13:47:55 <MerlinTHP_> Is that turn off the user, or turn off the cert?
13:48:05 <MerlinTHP_> ( so to speak )
13:48:16 <alphacc> MerlinTHP_: user
13:48:21 * MerlinTHP_ nods.
13:49:02 <bstinson> ok, let's start wrapping up
13:49:07 <alphacc> MerlinTHP_: user-rsa when Arrfab show me it existed. I don't want to reinvent the wheel.
13:49:16 <MerlinTHP_> alphacc: *nod*
13:49:23 <alphacc> MerlinTHP_: easy_rsa
13:49:26 <MerlinTHP_> Being a CA is a PITA.
13:49:45 <MerlinTHP_> OK, so, do we have any sort of consensus? :)
13:49:54 <MerlinTHP_> Or anything to have a consensus about
13:50:34 <MerlinTHP_> koji requires either SSL or KRB auth, and we're using SSL.  Trying to use that for everything we can sounds appropriate?
13:50:44 <MerlinTHP_> Sounds like g.c.o can use it
13:51:07 <bstinson> so (if i'm understanding correctly), we want gitblit to talk to the koji CA but we need to work out some name:sig mappings, and we want to look at having the lookaside cache use the fedora-style cgi script
13:51:08 <MerlinTHP_> We need a way to store cert / user / group / sig info
13:52:00 <kbsingh> yeah, if we can get some groups info in there that would rock
13:52:16 <MerlinTHP_> OK
13:52:16 <kbsingh> if not, we can always store user:group mappings in gitblit itself, and just have it querry the CA for auth
13:52:31 <MerlinTHP_> I reckon we probably want that centrally too
13:52:41 <kbsingh> and i presume the upload script can do something with the same CA as well ... if so - then we should trial it - or start trialing it at git.dev.centos.org
13:52:53 <kbsingh> yeah, ideally all the info would be in one place
13:53:01 <MerlinTHP_> It's the httpd config rather than the script itself, but yeah
13:53:40 <kbsingh> ah i see
13:53:50 <kbsingh> but will that be able to map user's to dir names ?
13:53:59 <bstinson> once all that's in place we can sculpt centpkg around our setup
13:54:04 <kbsingh> eg. if someone is locked to branch 'virtsig' they can only upload into <packagename>/virtsig/
13:54:17 <MerlinTHP_> kbsingh: ok, that bit would need script changes :)
13:54:40 <MerlinTHP_> the httpd-level stuff is authn, the authz would need to be in the script, I think
13:55:28 <bstinson> Is MerlinTHP_ volunteering to look at that for the next meeting?
13:55:36 <MerlinTHP_> Sure
13:56:30 <bstinson> ok, great!
13:56:35 <MerlinTHP_> :)
13:56:47 <MerlinTHP_> Running out of meeting
13:56:48 <kbsingh> when are we meeting next ?
13:56:54 <MerlinTHP_> Same time next week?
13:57:09 <kbsingh> ok, weekly works, but longer term we should think about making it bi-weekly
13:57:13 <MerlinTHP_> Sure
13:57:18 <kbsingh> maybe do ~ 6 weekly ones ?
13:57:21 <bstinson> #info Next meeting: Monday 22-Sept 2014 13:00 UTC
13:57:36 <bstinson> kbsingh: that's reasonable
13:57:40 * MerlinTHP_ nods.
13:58:12 <bstinson> #info We will be doing 6 weekly meetings, then moving to a bi-weekly schedule
13:58:14 <lalatenduM> works for /Me
13:58:24 <MerlinTHP_> Is there a meetbot give-merlinthp-an-action command? ;)
13:58:41 * MerlinTHP_ should read the manual
13:59:20 <lalatenduM> does "#action" work
13:59:21 <bstinson> #action MerlinTHP_ Research lookaside cache authentication and upload permissions
13:59:35 <MerlinTHP_> Ah :)
13:59:42 <bstinson> i think i said that right
13:59:52 <MerlinTHP_> Works for me.
13:59:54 <bstinson> anything else that needs to go in the minutes?
14:00:07 <kbsingh> is someone going to look at storing user:groups in the koji auth layers
14:00:18 <MerlinTHP_> I'll have a think about that too
14:00:19 <kbsingh> there must be something like this already - since users are limited to some tag's and targets
14:00:27 <kbsingh> cant those just be the groups and sig names as well
14:01:32 <alphacc> kbsingh: user are limited to the tagging action not to some target. This policy stuff need investigation. I don't think there is a group directive.
14:02:54 <MerlinTHP_> OK, so we done with the meeting? :)
14:02:59 <bstinson> gwd: i think that was you who sent a message to -devel with other agenda items, sorry our discussion sort of trampled over yours
14:03:00 <alphacc> #action alphacc investigate koji policy for cbs.
14:03:08 <bstinson> hopefully there will be time for an open-flood next week
14:03:53 <bstinson> #info send agenda items for next week to the centos-devel@centos.org
14:04:01 <bstinson> 1 minute warning before I close the minutes
14:04:16 <MerlinTHP_> I'm good.
14:04:44 <kbsingh> same here
14:05:02 <kbsingh> i think were going to need some of these sessions of just open chat before we start working on and only on agenda items.
14:05:04 <alphacc> ok with me.
14:05:28 <bstinson> sure thing
14:05:31 <bstinson> #endmeeting