jasonbrooks / centos / centos.org

Forked from centos/centos.org 5 years ago
Clone

Blame minutes/2014/september/centos-devel.2014-09-15-13.01.log.html

545090
545090
<html>
545090
<head>
545090
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
545090
<title>#centos-devel log</title>
545090
<style type="text/css">
545090
/* For the .log.html */
545090
pre { /*line-height: 125%;*/
545090
      white-space: pre-wrap; }
545090
body { background: #f0f0f0; }
545090
545090
body .tm  { color: #007020 }                      /* time */
545090
body .nk  { color: #062873; font-weight: bold }   /* nick, regular */
545090
body .nka { color: #007020; font-weight: bold }  /* action nick */
545090
body .ac  { color: #00A000 }                      /* action line */
545090
body .hi  { color: #4070a0 }                 /* hilights */
545090
/* Things to make particular MeetBot commands stick out */
545090
body .topic     { color: #007020; font-weight: bold }
545090
body .topicline { color: #000080; font-weight: bold }
545090
body .cmd       { color: #007020; font-weight: bold }
545090
body .cmdline  { font-weight: bold }
545090
545090
</style>
545090
</head>
545090
545090
<body>
545090
13:01:06 <bstinson> #startmeeting
545090
13:01:06 <centbot> Meeting started Mon Sep 15 13:01:06 2014 UTC.  The chair is bstinson. Information about MeetBot at http://wiki.debian.org/MeetBot.
545090
13:01:06 <centbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
545090
13:01:27 <bstinson> #meetingname CBS-Infra-2014-09-15
545090
13:01:27 <centbot> The meeting name has been set to 'cbs-infra-2014-09-15'
545090
13:01:52 <bstinson> #chair alphacc Arrfab kbsingh bstinson MerlinTHP_
545090
13:01:52 <centbot> Current chairs: Arrfab MerlinTHP_ alphacc bstinson kbsingh
545090
13:02:45 <bstinson> #topic Is this a good time to meet?
545090
13:02:54 <MerlinTHP_> Well, it works for me :)
545090
13:03:51 <alphacc> Me too if we keep it under 30 min
545090
13:04:01 <bstinson> Good, I think we should make this a regular thing (weekly, or every-other-week) for a while until we run out of things to talk about
545090
13:04:09 * MerlinTHP_ nods.
545090
13:04:11 <bstinson> short meetings are good
545090
13:04:17 <alphacc> I think weekly is good for now.
545090
13:04:39 <MerlinTHP_> Agreed, i imagine we can find things to talk about
545090
13:04:57 <wolfy> works for me too. although I am just a lurker
545090
13:05:18 <bstinson> #agreed Weekly meetings on Monday at 13:00 UTC
545090
13:06:36 * lalatenduM is here too
545090
13:06:54 <bstinson> #topic SIG/Developer authentication
545090
13:07:39 <alphacc> so far cbs has his own CA, I don't know the status of git.c.o auth
545090
13:07:53 * MerlinTHP_ assumes it's ssh key auth
545090
13:07:59 <MerlinTHP_> Can anyone confirm?
545090
13:08:08 * kbsingh is here
545090
13:08:14 * gwd is here
545090
13:08:17 <bstinson> we also need to worry about the lookaside cache
545090
13:08:42 <MerlinTHP_> I'd be tempted to start from a default position of "what does fedora infra do?"
545090
13:09:01 <MerlinTHP_> If only that they've solved a lot of this stuff, and have existing tooling
545090
13:09:10 <bstinson> I think FAS is on the radar
545090
13:09:24 <kbsingh> i am not sure if FAS is indeed on the store for CentOS though - is it ?
545090
13:09:38 <MerlinTHP_> I've heard it mentioned, but nothing conclusive.
545090
13:09:49 <kbsingh> there certainly hasent been any movement on that front - FAS was brought up a few times, but only in line with other potential solutions as well
545090
13:09:49 <gwd> What's FAS?
545090
13:09:57 <Arrfab> alphacc: atm git.c.o uses his internal auth DB
545090
13:09:58 <kbsingh> gwd: the Fedora Accounting System
545090
13:09:59 <MerlinTHP_> Fedora Account System
545090
13:10:24 <MerlinTHP_> I'm not sure we really want to build something from scratch.
545090
13:10:33 <alphacc> Arrfab: but gitblit does support ssl cert ?
545090
13:10:45 <kbsingh> git.centos.org can more or less do anything, includiung ldap, krb, shared certs, shared ca, pub certs, internal pipe backend for auth or even static files
545090
13:10:51 <kbsingh> alphacc: yes
545090
13:10:57 <MerlinTHP_> What does g.c.o do now?
545090
13:11:13 <kbsingh> MerlinTHP_: flat file, internal auth
545090
13:11:24 <MerlinTHP_> I suppose we're at the point of not having a huge userbase to reeducate
545090
13:12:24 <kbsingh> are we talking purely in the context of git.centos.org + cbs.centos.org ? I guess having FAS like system would help if were to come up system wide for all of .centos.org - and we can move wiki + bugs + forums + other things to it as well
545090
13:12:41 <MerlinTHP_> I'd suggest that ideally the latter
545090
13:13:15 <MerlinTHP_> In addition to FAS, I'd be tempted to throw IPA into the ring as an option too.
545090
13:13:48 <MerlinTHP_> I spend a fair amount of time in $dayjob getting stuff to auth against our IPA instace.
545090
13:14:04 <Arrfab> MerlinTHP_: such discussion started too, but the scope is wider than just cbs+git which is supposed to be the "to be discussed points" today
545090
13:14:06 <alphacc> kbsingh: yes. In term of interaction between cbs/git we just need people to be able to create branches at the git level
545090
13:14:26 <MerlinTHP_> Arrfab: agreed.
545090
13:14:38 <MerlinTHP_> Seems silly to build something just for cbs & git, though
545090
13:15:34 <kbsingh> how would branches in git.c.o work - at the moment, the distro brach is locked - noone can commit to those. and I've been working to have branch name be the sig name for someone
545090
13:15:37 <alphacc> MerlinTHP_: I think it's better to test the workflow for building and defer auth for later.
545090
13:15:54 <kbsingh> eg. VirtSig people will need to work with their own branch - but wont be able to create and push to other ones, unless they had acl's for other sig's as well
545090
13:16:21 <MerlinTHP_> alphacc: I'm just a bit worried about getting people too familiar with something that we might well change later
545090
13:16:21 <Arrfab> MerlinTHP_: agreed too, but it would be good to know what are the blockers now on the git/cbs status. and if common auth is the real issue, then another meeting around centralized auth can be foreseen :-)
545090
13:17:19 <alphacc> MerlinTHP_: the koji part won't change, and educate user to access git with pass or ssh key doesn't seems an issue for our audience
545090
13:17:27 <MerlinTHP_> alphacc: fair enough
545090
13:17:40 <gwd> kbsingh: So I think we need to be able to have dev branches from which we can issue a pull request.
545090
13:17:50 <alphacc> MerlinTHP_: I would agree if it was for everybody.
545090
13:18:29 <MerlinTHP_> alphacc: I'm a bit worried that you don't scale, though ;)
545090
13:18:37 <MerlinTHP_> alphacc: you're doing all the account creation by hand atm?
545090
13:19:04 <alphacc> MerlinTHP_: correct. this is part of this week documentation effort.
545090
13:19:05 <Arrfab> MerlinTHP_: yes, but afaik less than 10 people have access through approved SIGs
545090
13:19:17 <kbsingh> in terms of forward-looking-planning, my estimate on user accounts to end of the year 2014 is 50
545090
13:19:27 <MerlinTHP_> OK
545090
13:19:27 <kbsingh> and in the next 18 momths, is to grow that to 150
545090
13:19:44 <bstinson> which is not so bad
545090
13:20:10 <kbsingh> most SIG's are only going to have a few people commiting into git.centos.org right ? I'm counting on the biggest ones having 10
545090
13:20:18 <Evolution> I still think long-term it should be automated, rather than blocking on a specific person
545090
13:20:27 <Evolution> or group of people.
545090
13:20:31 <MerlinTHP_> Mm
545090
13:20:48 <MerlinTHP_> This is one of those "FAS has already solved this issue" things, tbh
545090
13:21:04 <kbsingh> gwd: would'nt that be local though ? eg. if come of people want to do local branches ? or are you saying that people will need commit access to git.centos.org where from a 'privileged' account can merge into the production branch and issue a build req ?
545090
13:21:06 <Evolution> yeah. fas or a bit of scripting around ipa.
545090
13:21:11 <MerlinTHP_> Evolution: exactly
545090
13:21:27 <alphacc> Evolution: yes agreed
545090
13:21:36 <MerlinTHP_> TBH I personally like IPA a lot, but I'm trying not to be too biased ;)
545090
13:22:01 <kbsingh> gwd: if we want the push coming to git.centos.org - we might need to workout some sort of a convention for personal branches.
545090
13:22:18 <kbsingh> automate everything
545090
13:22:49 <gwd> kbsingh: Well it doesn't need to be on git.c.o, if that's what you mean; it could be on gitorious/github/some other public repo.  But wherever it is, we want to be able to build from it.  At least, I assume the burden of testing to make sure it builds properly should be on the person sending the pull request, not on the person potentially doing the pulling. :-)
545090
13:23:04 <kbsingh> specially, since automation is the only way to really make sure there is a 'user-exiting' cleanup process as well
545090
13:23:15 <MerlinTHP_> Just bear in mind that koji needs config for each git server you want to pull from
545090
13:23:26 <kbsingh> MerlinTHP_: it will only pull from git.centos.org
545090
13:23:27 <MerlinTHP_> I'd recommend only having koji pull from g.c.o
545090
13:23:33 <MerlinTHP_> Right.
545090
13:23:39 <alphacc> yes
545090
13:24:02 <MerlinTHP_> So anything you want to build has to end up in g.c.o, even if people are pushing to github or whatever
545090
13:24:34 <Arrfab> MerlinTHP_: yes
545090
13:24:43 <kbsingh> yeah, its a good problem domain to fix, its the classic who CI's and how does the CI queue work
545090
13:24:46 <alphacc> MerlinTHP_: There is SRPM use case, but I really didn't find any good reason.
545090
13:24:47 <gwd> MerlinTHP: Then that would imply either 1) sending pull requests from trees that haven't been tested on koji or 2) having development trees on git.c.o so that things could be tested on koji before sending a pull request
545090
13:25:06 <kbsingh> i wonder if we can have people do scratch builds, and the results be a consideation for people doing the pulls
545090
13:25:16 <alphacc> gwd: koji should not become a CI.
545090
13:25:28 <MerlinTHP_> Yeah, koji isn't great for CI
545090
13:25:37 <kbsingh> i dont think gwd is talking CI though
545090
13:25:51 <MerlinTHP_> Right.
545090
13:25:53 <kbsingh> were not testing the code, per se - its just to make sure the branch is buildable
545090
13:26:04 <kbsingh> maybe --scratch builds might be a middle ground there ?
545090
13:26:05 <alphacc> Yes just a warning, casue I have koji users :)
545090
13:26:21 <gwd> Just because it build via an SRPM doesn't mean it will build from a git tree. :-)
545090
13:26:44 <MerlinTHP_> There's not that much difference between koji building a package and mock on a user box, as long as mock is using the koji repos.
545090
13:26:54 <kbsingh> gwd: right, but koji only ever builds from a srpm - the git is just where the srpm is stored, were never building from git
545090
13:27:15 <kbsingh> when koji gets a build-this, it git checksout, make it into an srpm - then does the mock run to build rpms out of it
545090
13:27:17 <MerlinTHP_> Well, koji pulls the source from git and builds a srpm
545090
13:27:24 <alphacc> kbsingh: yes
545090
13:27:24 <MerlinTHP_> Yeah, tha
545090
13:27:25 <MerlinTHP_> t
545090
13:28:13 <bstinson> (bringing it back in a little bit) it sounds to me like we aren't quite ready to talk about long-term auth
545090
13:28:21 <kbsingh> nutshell: gwd's point is that people need to be able to propose changes, without running their own buildsystems. right ?
545090
13:28:24 * MerlinTHP_ is getting that ;)
545090
13:28:28 <MerlinTHP_> +feeling
545090
13:29:30 <bstinson> what can we do in the short term to get people access to the lookaside caches? i know that's come up a couple of times
545090
13:29:45 <MerlinTHP_> Auth with the same SSL cert they use for koji?
545090
13:30:10 <alphacc> bstinson: I think we need at least docs on the process will be handled.
545090
13:30:27 <MerlinTHP_> The upload script for fedora's lookaside is public, and can be easily adapted to our cache
545090
13:31:07 <MerlinTHP_> I can hunt that out if there's interest
545090
13:31:07 <alphacc> MerlinTHP_: can it be part of centpkg ?
545090
13:31:11 <kbsingh> are we talking about https://git.centos.org/sources/ ?
545090
13:31:26 <bstinson> kbsingh: yes
545090
13:31:27 <MerlinTHP_> Yeah
545090
13:31:35 <kbsingh> the privileged path to that store is via ssh or rsync over ssh at the moment
545090
13:31:42 <Evolution> 868963
545090
13:31:43 <MerlinTHP_> Hmm
545090
13:31:58 <kbsingh> but its a flat filesystem, so a cgi script ( like what fedora use ) might be easy to adapt, and we can protect branches at the unix level
545090
13:32:09 <Evolution> 195082
545090
13:32:16 <kbsingh> ( ie. I can make sure the buildsystem and distro branches are owned by someone else )
545090
13:32:27 <kbsingh> Evolution: move your yubi key to a different usb port
545090
13:32:32 <MerlinTHP_> Heh
545090
13:32:36 <alphacc> ah ah
545090
13:32:39 <Evolution> bah, was dialing phone.
545090
13:32:47 <kbsingh> alternatively, folks - anyone needing to break into Evolution's 2FA accounts, you ahve about 180 seconds to use those two codes
545090
13:32:48 * Evolution moves laptop
545090
13:32:50 <MerlinTHP_> No, you weren't ;)
545090
13:32:55 <bstinson> heh
545090
13:33:18 <kbsingh> i need a better keyboard, way too many typos
545090
13:33:31 <bstinson> alphacc: to answer your question, it's already built into rpkg we just need to figure out how to say if a user has upload privs or not
545090
13:33:32 <kbsingh> so, what / how would centpkg integrate with the sources / lookaside push ?
545090
13:33:47 <MerlinTHP_> centpkg has upload support
545090
13:33:57 <MerlinTHP_> It needs tweaking for centos' cache layout
545090
13:34:11 <MerlinTHP_> It does an HTTPS request with the client cert for auth
545090
13:34:42 <MerlinTHP_> sorry, rpkg has that, centpkg can override that code
545090
13:35:02 <alphacc> ok
545090
13:35:14 <kbsingh> what do we need on the server to support that push ?
545090
13:35:31 <MerlinTHP_> A CGI script on an HTTPS server with some client auth config
545090
13:35:41 <MerlinTHP_> So cgi + httpd config
545090
13:35:47 <kbsingh> what sort of auth backend can that support ?
545090
13:36:05 <kbsingh> also, upload via https.... is going to need some multipart fluffery
545090
13:36:40 <MerlinTHP_> That bit is a solved problem, afaik.  rpkg already does it
545090
13:36:57 <MerlinTHP_> The server validates the client cert against our CA
545090
13:37:14 <MerlinTHP_> Needs a CRL to be able to revoke certs.
545090
13:38:14 <kbsingh> right, so this would then share the ca with koji ?
545090
13:38:19 <MerlinTHP_> Yeah
545090
13:38:39 <kbsingh> and we'd need to have git.centos.org also then use the same CA
545090
13:38:47 <MerlinTHP_> Mm
545090
13:38:55 <MerlinTHP_> IPA getting more attractive by the second...
545090
13:38:56 <MerlinTHP_> ;)
545090
13:39:31 <alphacc> if we keep the koji CA (and use it for soemthing else) we may want to move easy_rsa + git-crypt (for scaling issue)
545090
13:39:37 <alphacc> or FreeIPA ;)
545090
13:40:36 <gwd> I'm more of a stout man myself...
545090
13:40:40 <kbsingh> gitblit can maknss calls as well if that makes life easier
545090
13:40:53 <kbsingh> can make nss
545090
13:41:22 <kbsingh> from the git.centos.org perspective, we can use pretty much anything and it will consume it .
545090
13:41:27 * MerlinTHP_ nods.
545090
13:41:49 <kbsingh> there are 2 things that we need to protect though - (1) there is always going to be a privileged path for rhel sources and buildsystem feedback - both of those can never fail
545090
13:42:09 <kbsingh> and (2) we need a way to gurantee branch names and commit access to branch names is locked down
545090
13:42:33 <bstinson> does gitblit currently give you that control?
545090
13:42:34 <kbsingh> so if the auth setup is going to happen at koji CA - that needs to provide a user:sig name mapping which can be used to map users:branch
545090
13:42:34 <MerlinTHP_> Can gitblit do that per-branch stuff?
545090
13:42:38 <kbsingh> bstinson: yes.
545090
13:42:52 <MerlinTHP_> Hrm
545090
13:43:20 <MerlinTHP_> We need more than just a CA for this
545090
13:43:30 <MerlinTHP_> CA + something with groups and things like that.
545090
13:43:33 <kbsingh> I worked with the author of gitblit ( james moger ) to work that in, and I've made some more tweaks at this end that make it work quite nicely
545090
13:43:49 <MerlinTHP_> That's cool.
545090
13:44:10 <kbsingh> for the git code itself, and the lookaside cache - the privleged path is via ssh
545090
13:44:28 <kbsingh> and gitblit does not mind that, it will happy refresh local git content cache if it finds the underlaying storage changee
545090
13:44:53 <MerlinTHP_> I'd have assumed that git+ssh was the default push method anyway
545090
13:45:06 <kbsingh> fwiw, gitolite can also consume and implement a user:branch mapping
545090
13:45:37 <kbsingh> push mode for git is over https
545090
13:45:41 <MerlinTHP_> Oh, ok
545090
13:45:54 <kbsingh> thinking there is that if we need entity verification, an EV cert will give you that
545090
13:46:31 <MerlinTHP_> Do we have a cert revocation system for the current koji CA?
545090
13:46:48 <MerlinTHP_> If I lose my laptop with koji cert now, what happens?
545090
13:47:09 <alphacc> MerlinTHP_: we can revoke access to koji
545090
13:47:23 <alphacc> MerlinTHP_: no crl right now but agreed it's needed.
545090
13:47:55 <MerlinTHP_> Is that turn off the user, or turn off the cert?
545090
13:48:05 <MerlinTHP_> ( so to speak )
545090
13:48:16 <alphacc> MerlinTHP_: user
545090
13:48:21 * MerlinTHP_ nods.
545090
13:49:02 <bstinson> ok, let's start wrapping up
545090
13:49:07 <alphacc> MerlinTHP_: user-rsa when Arrfab show me it existed. I don't want to reinvent the wheel.
545090
13:49:16 <MerlinTHP_> alphacc: *nod*
545090
13:49:23 <alphacc> MerlinTHP_: easy_rsa
545090
13:49:26 <MerlinTHP_> Being a CA is a PITA.
545090
13:49:45 <MerlinTHP_> OK, so, do we have any sort of consensus? :)
545090
13:49:54 <MerlinTHP_> Or anything to have a consensus about
545090
13:50:34 <MerlinTHP_> koji requires either SSL or KRB auth, and we're using SSL.  Trying to use that for everything we can sounds appropriate?
545090
13:50:44 <MerlinTHP_> Sounds like g.c.o can use it
545090
13:51:07 <bstinson> so (if i'm understanding correctly), we want gitblit to talk to the koji CA but we need to work out some name:sig mappings, and we want to look at having the lookaside cache use the fedora-style cgi script
545090
13:51:08 <MerlinTHP_> We need a way to store cert / user / group / sig info
545090
13:52:00 <kbsingh> yeah, if we can get some groups info in there that would rock
545090
13:52:16 <MerlinTHP_> OK
545090
13:52:16 <kbsingh> if not, we can always store user:group mappings in gitblit itself, and just have it querry the CA for auth
545090
13:52:31 <MerlinTHP_> I reckon we probably want that centrally too
545090
13:52:41 <kbsingh> and i presume the upload script can do something with the same CA as well ... if so - then we should trial it - or start trialing it at git.dev.centos.org
545090
13:52:53 <kbsingh> yeah, ideally all the info would be in one place
545090
13:53:01 <MerlinTHP_> It's the httpd config rather than the script itself, but yeah
545090
13:53:40 <kbsingh> ah i see
545090
13:53:50 <kbsingh> but will that be able to map user's to dir names ?
545090
13:53:59 <bstinson> once all that's in place we can sculpt centpkg around our setup
545090
13:54:04 <kbsingh> eg. if someone is locked to branch 'virtsig' they can only upload into <packagename>/virtsig/
545090
13:54:17 <MerlinTHP_> kbsingh: ok, that bit would need script changes :)
545090
13:54:40 <MerlinTHP_> the httpd-level stuff is authn, the authz would need to be in the script, I think
545090
13:55:28 <bstinson> Is MerlinTHP_ volunteering to look at that for the next meeting?
545090
13:55:36 <MerlinTHP_> Sure
545090
13:56:30 <bstinson> ok, great!
545090
13:56:35 <MerlinTHP_> :)
545090
13:56:47 <MerlinTHP_> Running out of meeting
545090
13:56:48 <kbsingh> when are we meeting next ?
545090
13:56:54 <MerlinTHP_> Same time next week?
545090
13:57:09 <kbsingh> ok, weekly works, but longer term we should think about making it bi-weekly
545090
13:57:13 <MerlinTHP_> Sure
545090
13:57:18 <kbsingh> maybe do ~ 6 weekly ones ?
545090
13:57:21 <bstinson> #info Next meeting: Monday 22-Sept 2014 13:00 UTC
545090
13:57:36 <bstinson> kbsingh: that's reasonable
545090
13:57:40 * MerlinTHP_ nods.
545090
13:58:12 <bstinson> #info We will be doing 6 weekly meetings, then moving to a bi-weekly schedule
545090
13:58:14 <lalatenduM> works for /Me
545090
13:58:24 <MerlinTHP_> Is there a meetbot give-merlinthp-an-action command? ;)
545090
13:58:41 * MerlinTHP_ should read the manual
545090
13:59:20 <lalatenduM> does "#action" work
545090
13:59:21 <bstinson> #action MerlinTHP_ Research lookaside cache authentication and upload permissions
545090
13:59:35 <MerlinTHP_> Ah :)
545090
13:59:42 <bstinson> i think i said that right
545090
13:59:52 <MerlinTHP_> Works for me.
545090
13:59:54 <bstinson> anything else that needs to go in the minutes?
545090
14:00:07 <kbsingh> is someone going to look at storing user:groups in the koji auth layers
545090
14:00:18 <MerlinTHP_> I'll have a think about that too
545090
14:00:19 <kbsingh> there must be something like this already - since users are limited to some tag's and targets
545090
14:00:27 <kbsingh> cant those just be the groups and sig names as well
545090
14:01:32 <alphacc> kbsingh: user are limited to the tagging action not to some target. This policy stuff need investigation. I don't think there is a group directive.
545090
14:02:54 <MerlinTHP_> OK, so we done with the meeting? :)
545090
14:02:59 <bstinson> gwd: i think that was you who sent a message to -devel with other agenda items, sorry our discussion sort of trampled over yours
545090
14:03:00 <alphacc> #action alphacc investigate koji policy for cbs.
545090
14:03:08 <bstinson> hopefully there will be time for an open-flood next week
545090
14:03:53 <bstinson> #info send agenda items for next week to the centos-devel@centos.org
545090
14:04:01 <bstinson> 1 minute warning before I close the minutes
545090
14:04:16 <MerlinTHP_> I'm good.
545090
14:04:44 <kbsingh> same here
545090
14:05:02 <kbsingh> i think were going to need some of these sessions of just open chat before we start working on and only on agenda items.
545090
14:05:04 <alphacc> ok with me.
545090
14:05:28 <bstinson> sure thing
545090
14:05:31 <bstinson> #endmeeting
545090
</body></html>