arrfab / centos /

Forked from centos/ 4 years ago
Blob Blame History Raw
13:02:39 <bstinson> #startmeeting cbs/infra
13:02:39 <centbot> Meeting started Mon Sep 22 13:02:39 2014 UTC.  The chair is bstinson. Information about MeetBot at
13:02:39 <centbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
13:02:42 <kbsingh> ok, check if you can get to the trello board - both you and alphacc are added there.
13:02:50 <kbsingh> is the url to the board
13:03:03 <bstinson> #topic Greetings / Who's Here?
13:03:03 <alphacc> kbsingh: works for me
13:03:07 <bstinson> looks like i'm in
13:03:09 <MerlinTHP> Hello!
13:03:09 * quaid is here
13:03:14 <kbsingh> I'm here as well
13:03:21 * Arrfab echoes "me too"
13:03:44 <bstinson> #chair kbsingh quaid alphacc MerlinTHP Arrfab Evolution
13:03:44 <centbot> Current chairs: Arrfab Evolution MerlinTHP alphacc bstinson kbsingh quaid
13:03:54 * wolfy lurks
13:04:21 <bstinson> #topic Agenda
13:04:24 <bstinson> #info FAS/IPA Testing - Short Status Update
13:04:28 <bstinson> #info Centpkg Progress - Short Status Update
13:04:32 <bstinson> #info Blocker List
13:04:35 <bstinson> #info Brainstorming SIG Branch and Build Target Names
13:04:41 <bstinson> #info Open Floor
13:05:00 <mikem> good morning
13:05:09 <jitseklomp> Hi
13:05:19 <bstinson> hi folks!
13:05:28 <bstinson> #topic FAS/IPA Testing
13:05:47 <MerlinTHP> FAS folks first ;)
13:06:20 <bstinson> It sounds like Arrfab has started on some VMs for this project
13:06:27 * MerlinTHP nods
13:06:27 <quaid> #info Infra team provisioned three VMs last week to use for FAS & IPA testing
13:06:39 <MerlinTHP> I've got access to the VM for IPA testing
13:06:43 <Arrfab> bstinson: yes and quaid got account/sudo on those VMs
13:07:02 <quaid> Arrfab: is one of them the one MerlinTHP has
13:07:02 <quaid> ?
13:07:18 <kbsingh> no, MerlinTHP's setup is in rackspace
13:07:18 <Arrfab> quaid: no, a different one, running c7 for his IPA test
13:07:35 <quaid> great
13:08:08 <bstinson> great! is there anything the testing teams need going forward?
13:08:17 <quaid> we need then a bit of requirements of what to test for
13:09:04 <kbsingh> quaid: does the centos-devel thread give you all you need for scope ?
13:09:10 <MerlinTHP> Evolution listed a few requirements on the mailing list for what we need the account system to do (self-service account creation, self-management for SIGs, etc).  IPA is missing a bunch of that stuff.
13:09:21 <quaid> and just to interact with anyone who can help with tie-in to Koji
13:09:34 <MerlinTHP> However, I've started writing a PoC web front end for IPA to do self-service.
13:09:51 <quaid> kbsingh: I think so, can easily work up a wiki page on that
13:09:58 <MerlinTHP> ( thus far users can sign up their own accounts )
13:10:06 <quaid> #info can use the mailing list discussion to get requirements
13:10:39 <quaid> #action quaid can write-up the requirements in to a wiki page to reference
13:10:54 <alphacc> quaid: contact me if you need info on koji during your tests.
13:11:35 <quaid> MerlinTHP: that's great! do you have the contacts you need with FreeIPA folks for that front end work?
13:11:41 <Evolution> I'm assuming both ipa or fas would require a rekey of koji to test the ssl bits.
13:11:53 <alphacc> Evolution: correct
13:11:54 <quaid> alphacc: thanks
13:11:55 <Evolution> would a second koji instance simply for ssl testing be in order?
13:11:58 <MerlinTHP> Evolution: IPA would, certainly.
13:12:13 <MerlinTHP> quaid: yeah, I already hang out in #freeipa ;)
13:12:17 <Evolution> (once we get to that stage)
13:12:42 <MerlinTHP> I'm planning to have the test IPA instance up with the front-end to poke at a bit later this week
13:12:44 <quaid> Evolution: might be easier than messing with the running instance
13:13:17 <quaid> similarly, I plan to have the basic FAS in place, and will rely upon smooge to help me get it further for actual testing
13:13:31 <quaid> #idea should we have a second koji for ease of SSL testing, etc.?
13:14:10 <kbsingh> there is a that is already online - for testing scope on that side
13:15:01 <bstinson> fantastic! it sounds like we're making progress
13:15:10 <quaid> #ingo can be used for testing git connection
13:15:18 <quaid> #info can be used for testing git connection
13:15:21 <MerlinTHP> :)
13:15:45 <quaid> that's all I've got right now, I think
13:16:04 <kbsingh> :)
13:16:32 <MerlinTHP> In the course of doing research for the lookaside upload script, I've come to the conclusion that it'd help if the CA had an OCSP responder, and the host running the upload script was running apache 2.4 (so c7)
13:17:06 <MerlinTHP> apache supports CRLs for certificate revocation, but you need to restart it every time you change the CRL file
13:17:20 <kbsingh> we can run either c7 or c6 on the lookaside machine..
13:17:53 <MerlinTHP> Whereas apache 2.4's OCSP support means it always goes ask the CA, so certificate revocations are instantly live.
13:18:14 <MerlinTHP> Just a thought.
13:18:18 <quaid> .undo
13:18:27 <quaid> #info can be used for testing git connection
13:18:31 <quaid> #undo
13:18:31 <centbot> Removing item from minutes: INFO by quaid at 13:18:27 : can be used for testing git connection
13:18:32 <quaid> #undo
13:18:32 <centbot> Removing item from minutes: INFO by quaid at 13:15:18 : can be used for testing git connection
13:18:38 <quaid> #info can be used for testing git connection
13:19:11 <bstinson> ok, anything else before I move along?
13:19:16 <MerlinTHP> Nothing from me
13:19:29 <bstinson> thanks for researching the lookaside MerlinTHP
13:19:39 <MerlinTHP> np
13:19:50 <MerlinTHP> tbh, I spent more time on the IPA stuff...
13:20:00 <bstinson> #topic Centpkg Progress
13:20:38 <bstinson> ok this will be very short, I have Centpkg reading in user certs and i've been able to kick off koji builds
13:20:45 <MerlinTHP> \o/
13:20:52 <MerlinTHP> Oh, one thought
13:21:06 <MerlinTHP> Currently, git branch to koji target is hard-coded
13:21:16 <quaid> #info centpkg is reading in user certs and is able to kick off koji builds
13:21:16 <MerlinTHP> I've thought for a while that it probably should be a config file
13:21:17 <bstinson> i need to see if we can make it easer for centpkg to co-exist with fedpkg and its cousins
13:21:38 <MerlinTHP> Does that sound like a sensible idea?
13:21:40 <kbsingh> bstinson: can it pull from and do some level of mangling of hosted repos
13:21:47 <MerlinTHP> I can work with you on it, bstinson
13:21:53 <quaid> #idea put git branch to koji target in a config file instead of being hard-coded
13:22:05 <kbsingh> MerlinTHP: we likely need a wider convo on git branch naming, i believe its in the schedule for later in the meeting
13:22:25 <bstinson> kbsingh: yes it can pull (and push when we work out cert auth)
13:22:33 <MerlinTHP> This is a bit orthagonal to that, imo
13:22:40 <Evolution> so long as we can tie koji naming into that as well.. (bananas?)
13:23:23 <bstinson> MerlinTHP: let's get together soon to talk about what you're thinking
13:23:32 <MerlinTHP> Sure thing
13:23:32 <kbsingh> what people can commit to - is tied into the targets they can consume in koji, but they should be able to ready from anywhere and build to the places they have acls to
13:23:56 <kbsingh> tagging might have a role to play in here as well
13:24:10 <alphacc> for semantic build=tag. policy work on tagging operation.
13:25:08 <kbsingh> ok
13:25:15 <bstinson> #action bstinson will clean up his commits and send centpkg patches to the mailing list
13:25:31 <kbsingh> are we going to put this into a rpm ?
13:25:37 <alphacc> I investigated the policy side and the easiest way now is to have a flat file and generate a policy. sig:user1,user2 and sig-admins:user1,user2
13:25:58 <bstinson> kbsingh: i have a copr out there right now
13:26:13 <kbsingh> we should have a more official process for this
13:26:17 <kbsingh> maybe into centos-extras
13:26:32 <kbsingh> but ok, lets do that as a second iteration
13:26:54 <quaid> bstinson: what's the copr URL? (for the record)
13:27:13 <bstinson>
13:27:33 <quaid> #idea have centpkg eventually live in e.g. CentOS Extras
13:27:56 <MerlinTHP> That sounds sensible.
13:28:11 <MerlinTHP> We'll have to decide where rpkg lives, though.
13:28:17 <kbsingh> same place
13:28:26 <MerlinTHP> rpkg is in EPEL, though
13:28:32 <kbsingh> thats ok, were not relying on epel for now
13:28:38 <MerlinTHP> ( that's just a note, not an objection )
13:28:43 * MerlinTHP nods
13:28:45 <MerlinTHP> Fair enough
13:29:02 <kbsingh> anything in epel that we need - for now , we pull into local builds - longer term this is going to need a whole lot of conversation and attention :)
13:29:09 <MerlinTHP> Mm
13:29:54 <MerlinTHP> OK, centpkg looks to be cracking on
13:29:59 <quaid> #info not currently relying upon EPEL directly, anything needed gets pulled in to local build, e.g. rpkg
13:30:20 <Evolution> our interactions with epel will need to be a separate mailing list discussion or meeting here.
13:30:31 <Evolution> that needs to happen semi-soon anyway to start getting expectations
13:30:41 <Evolution> but I don't want to hijack this meeting for that
13:31:00 <kbsingh> yeah
13:31:14 * MerlinTHP pushes Evolution back down into his box
13:31:42 <bstinson> ok, let's keep moving
13:31:44 <bstinson> #topic Blocker List
13:32:23 <alphacc> #info integrate upstream patch in koji to support git.c.o
13:32:50 <kbsingh> ok, so what is the blocker list.. maybe we should first define what it is that is being blocked
13:32:56 <alphacc> I have the RPMs ready.
13:33:18 <alphacc> I will rebuild them in koji, and push it to infrastrcuture6 tag.
13:33:32 <kbsingh> ok, so thats about 50% of the blocker problem fixed right ? if people can use centpkg to request builds from delivered into a target at
13:33:53 <kbsingh> bstinson: once alphacc does his piece of work would that be possible ?
13:35:36 <bstinson> should be
13:35:52 <alphacc> #action Build CentOS koji rpms and install them (server-side).
13:36:21 <bstinson> right now, i've just been kicking off builds using --srpm which creates an intermediate src rpm and uploads it for building
13:37:08 <bstinson> alphacc: does the patch need any extra voices on the mailing lists?
13:37:58 <alphacc> bstinson: I think we decided that we will have our own koji rpms, so no, just more testing.
13:38:30 <bstinson> ok great
13:39:10 <kbsingh> its been upstreamed as well right ? just not in a release
13:39:21 <kbsingh> if they reject the patch upstream then we've got something to think about
13:39:28 <quaid> #agreed Project will carry own koji RPMs to carry our own patches etc.
13:39:51 <alphacc> mikem proposed the patch, but I don't think it is in master yet.
13:40:39 <mikem> alphacc, which patch was that?
13:41:32 <alphacc> mikem: koji-rpm-source-layout
13:41:33 <mikem> "Support rpm source layout (SPECS and SOURCES dirs) when building srpms from source control."?  That's in upstream git
13:42:07 <alphacc> ok great I missed it.
13:42:56 <bstinson> ok, is anyone else have a component blocked on something?
13:42:59 <kbsingh> so thats a good sign that were ok to carry it
13:43:11 <bstinson> s/is/does/
13:43:14 <kbsingh> the second half of the issue is auth into
13:43:37 <kbsingh> i can import content in, and give people access based in login names, but its going to be https http_basic auth
13:43:44 <kbsingh> works now, works for a few people, wont scale
13:44:03 <kbsingh> and how much of a problem might we be creating for ipa folks to import this into their setup later ?
13:44:55 <Evolution> kbsingh: bringing existing users over, or doing http auth?
13:45:01 <alphacc> kbsingh: the forseen solution would be ssh-keys ?
13:45:51 <MerlinTHP> If we go the IPA route, it'll just be a matter of converting ACLs into group memberships (or another LDAP attribute, if we go a more customised route for IPA)
13:46:03 <kbsingh> Evolution: either/neither - i presume this will be just using CA keys, shared with koji longer term
13:46:30 * quaid doesn't know yet of any hassles moving to FAS from http auth
13:46:35 <kbsingh> alphacc: cant do sshkeys, the commits need to be over https to use the user<->branch mapping, since the commit needs to be 'intercepted' by code that can make that decision easily
13:47:16 <bstinson> kbsingh: is that live on dev.git.c.o?
13:47:27 <quaid> #info can't use sshkeys for auth for git, needs to go over https for code pathway
13:47:44 <kbsingh> we could likely write something that does some sanity testing and checks keyname and works out group name and then looks at branch name etc, but the problem with that is still that folks can push at once - multiple branches
13:48:06 <kbsingh> bstinson: it can be fairly easily.
13:48:40 <kbsingh> bstinson: its live at
13:48:45 <bstinson> i'd like to poke at it from the client side whenever it's ready
13:48:59 <kbsingh> the user -> branch mapping ?
13:49:28 <bstinson> the auth component
13:50:20 <kbsingh> ok, i dont get what you want to poke at
13:50:45 <kbsingh> the only way to commit to is over https, unless its the upstream buildservices, that can use a privileged path
13:51:56 <bstinson> right, rpkg does all the committing over ssh so centpkg will need a few tweaks
13:52:46 <kbsingh> ok
13:53:01 <kbsingh> technically it should just be a case of using a different git remote url
13:53:44 <kbsingh> iirc, there is a centpkg.git in's root git's
13:53:47 <MerlinTHP> I suspect it'd work just by changing the git URL in the config file
13:53:50 <kbsingh> isnt that how this works as well
13:54:07 <kbsingh>
13:54:56 <kbsingh> just going over this again to make sure i understand what piece of work you want me to deliver on
13:56:10 <mattymo> hey Evolution
13:56:37 <bstinson> when you say http_basic auth, are you meaning username/password?
13:56:42 <kbsingh> yeah
13:56:48 <Evolution> mattymo: meeting presently. wait one (or pm)
13:56:54 <mattymo> oh ok
13:57:32 <mattymo> I'll write here just b/c anyone can comment. I see this bug here:
13:57:32 <bstinson> ah, we may need to hash out some details on that, I was hoping to hand you a client cert and get the user account info that way
13:57:45 <kbsingh> bstinson: my understanding is that this will go away and fas or ipa will provide the certauthority to auth with
13:58:13 <MerlinTHP> Mm
13:58:57 <kbsingh> so the user will actually only have the one set of certs they use for koji and git
13:59:10 <MerlinTHP> Yeah
13:59:24 <MerlinTHP> ( + the lookaside, depending if you count that as part of git )
13:59:37 <kbsingh> and somewhere in there will be a mechanism that says what branches ( or what groups ) this person belongs to
13:59:50 <kbsingh> MerlinTHP: right, lookaside too
14:00:12 <MerlinTHP> That mechanism could e.g. be an LDAP query against IPA
14:00:55 <alphacc> MerlinTHP: I could query same ldap for the koji policy
14:01:05 <MerlinTHP> That'd be neat
14:01:16 <MerlinTHP> But you can probably s/IPA/FAS/ too
14:01:51 * MerlinTHP wonders if we need to make this meeting slot longer
14:02:03 <gwd> Sorry to interrupt -- could someone with koji admin privileges make a virt6-testing tag?  (I think that's what I want...)
14:02:30 <bstinson> we are making good progress, at some point they'll get shorter :)
14:02:34 <MerlinTHP> :)
14:02:41 <alphacc> gwd: already there. pm.
14:02:49 <MerlinTHP> I've got to go shortly
14:02:55 <bstinson> since we're in the weeds, let's bring this back up offline and again next week
14:03:08 <kbsingh> sounds good
14:03:19 <kbsingh> i think the integration layers might be what needs the most effort
14:03:26 <MerlinTHP> Agreed.
14:03:27 <quaid> #info need to settle on temp auth method for over https
14:03:40 <kbsingh> if we can offload auth for lookaside into httpd, we might do the same for git as well, but lets cross that bridge
14:03:57 <alphacc> ok good for me too.
14:04:19 <gwd> alphacc: Oops, sorry... missed the 2nd page on the web interface.
14:05:01 <alphacc> gwd: it's a tag not a target, what are you yting to achieve ?
14:05:16 <alphacc> s/yting/trying
14:05:20 <bstinson> we can probably save SIG Branch and Build Target naming until next week also
14:05:21 <kbsingh> cool, are we closing meeting ?
14:05:41 <bstinson> closing in 1 minute
14:05:44 <kbsingh> mattymo: still waiting for you guys to actually start doing some contributing and things into CentOS
14:06:19 <bstinson> #info Next Meeting: Monday 29-Sept, 13:00 UTC
14:06:35 <bstinson> thanks everyone!
14:06:40 <MerlinTHP> Cheers!
14:06:41 <gwd> alphacc: I'm trying to build ipxe into an actual repo, so that I can then try building xen (which depends on ipxe).
14:06:50 <quaid> nice meeting, thx
14:06:55 <bstinson> #endmeeting