13:02:39 <bstinson> #startmeeting cbs/infra

13:02:39 <centbot> Meeting started Mon Sep 22 13:02:39 2014 UTC.  The chair is bstinson. Information about MeetBot at http://wiki.debian.org/MeetBot.

13:02:39 <centbot> Useful Commands: #action #agreed #help #info #idea #link #topic.

13:02:42 <kbsingh> ok, check if you can get to the trello board - both you and alphacc are added there.

13:02:50 <kbsingh> https://trello.com/b/CKGGvcKU/cbs-centos-org is the url to the board

13:03:03 <bstinson> #topic Greetings / Who's Here?

13:03:03 <alphacc> kbsingh: works for me

13:03:07 <bstinson> looks like i'm in

13:03:09 <MerlinTHP> Hello!

13:03:09 * quaid is here

13:03:14 <kbsingh> I'm here as well

13:03:21 * Arrfab echoes "me too"

13:03:44 <bstinson> #chair kbsingh quaid alphacc MerlinTHP Arrfab Evolution

13:03:44 <centbot> Current chairs: Arrfab Evolution MerlinTHP alphacc bstinson kbsingh quaid

13:03:54 * wolfy lurks

13:04:21 <bstinson> #topic Agenda

13:04:24 <bstinson> #info FAS/IPA Testing - Short Status Update

13:04:28 <bstinson> #info Centpkg Progress - Short Status Update

13:04:32 <bstinson> #info Blocker List

13:04:35 <bstinson> #info Brainstorming SIG Branch and Build Target Names

13:04:41 <bstinson> #info Open Floor

13:05:00 <mikem> good morning

13:05:09 <jitseklomp> Hi

13:05:19 <bstinson> hi folks!

13:05:28 <bstinson> #topic FAS/IPA Testing

13:05:47 <MerlinTHP> FAS folks first ;)

13:06:20 <bstinson> It sounds like Arrfab has started on some VMs for this project

13:06:27 * MerlinTHP nods

13:06:27 <quaid> #info Infra team provisioned three VMs last week to use for FAS & IPA testing

13:06:39 <MerlinTHP> I've got access to the VM for IPA testing

13:06:43 <Arrfab> bstinson: yes and quaid got account/sudo on those VMs

13:07:02 <quaid> Arrfab: is one of them the one MerlinTHP has

13:07:02 <quaid> ?

13:07:18 <kbsingh> no, MerlinTHP's setup is in rackspace

13:07:18 <Arrfab> quaid: no, a different one, running c7 for his IPA test

13:07:35 <quaid> great

13:08:08 <bstinson> great! is there anything the testing teams need going forward?

13:08:17 <quaid> we need then a bit of requirements of what to test for

13:09:04 <kbsingh> quaid: does the centos-devel thread give you all you need for scope ?

13:09:10 <MerlinTHP> Evolution listed a few requirements on the mailing list for what we need the account system to do (self-service account creation, self-management for SIGs, etc).  IPA is missing a bunch of that stuff.

13:09:21 <quaid> and just to interact with anyone who can help with tie-in to Koji

13:09:34 <MerlinTHP> However, I've started writing a PoC web front end for IPA to do self-service.

13:09:51 <quaid> kbsingh: I think so, can easily work up a wiki page on that

13:09:58 <MerlinTHP> ( thus far users can sign up their own accounts )

13:10:06 <quaid> #info can use the mailing list discussion to get requirements

13:10:39 <quaid> #action quaid can write-up the requirements in to a wiki page to reference

13:10:54 <alphacc> quaid: contact me if you need info on koji during your tests.

13:11:35 <quaid> MerlinTHP: that's great! do you have the contacts you need with FreeIPA folks for that front end work?

13:11:41 <Evolution> I'm assuming both ipa or fas would require a rekey of koji to test the ssl bits.

13:11:53 <alphacc> Evolution: correct

13:11:54 <quaid> alphacc: thanks

13:11:55 <Evolution> would a second koji instance simply for ssl testing be in order?

13:11:58 <MerlinTHP> Evolution: IPA would, certainly.

13:12:13 <MerlinTHP> quaid: yeah, I already hang out in #freeipa ;)

13:12:17 <Evolution> (once we get to that stage)

13:12:42 <MerlinTHP> I'm planning to have the test IPA instance up with the front-end to poke at a bit later this week

13:12:44 <quaid> Evolution: might be easier than messing with the running instance

13:13:17 <quaid> similarly, I plan to have the basic FAS in place, and will rely upon smooge to help me get it further for actual testing

13:13:31 <quaid> #idea should we have a second koji for ease of SSL testing, etc.?

13:14:10 <kbsingh> there is a git.dev.centos.org that is already online - for testing scope on that side

13:15:01 <bstinson> fantastic! it sounds like we're making progress

13:15:10 <quaid> #ingo git.dev.centos.org can be used for testing git connection

13:15:18 <quaid> #info git.dev.centos.org can be used for testing git connection

13:15:21 <MerlinTHP> :)

13:15:45 <quaid> that's all I've got right now, I think

13:16:04 <kbsingh> dev.git.centos.org :)

13:16:32 <MerlinTHP> In the course of doing research for the lookaside upload script, I've come to the conclusion that it'd help if the CA had an OCSP responder, and the host running the upload script was running apache 2.4 (so c7)

13:17:06 <MerlinTHP> apache supports CRLs for certificate revocation, but you need to restart it every time you change the CRL file

13:17:20 <kbsingh> we can run either c7 or c6 on the lookaside machine..

13:17:53 <MerlinTHP> Whereas apache 2.4's OCSP support means it always goes ask the CA, so certificate revocations are instantly live.

13:18:14 <MerlinTHP> Just a thought.

13:18:18 <quaid> .undo

13:18:27 <quaid> #info dev.git.centos.org can be used for testing git connection

13:18:31 <quaid> #undo

13:18:31 <centbot> Removing item from minutes: INFO by quaid at 13:18:27 : dev.git.centos.org can be used for testing git connection

13:18:32 <quaid> #undo

13:18:32 <centbot> Removing item from minutes: INFO by quaid at 13:15:18 : git.dev.centos.org can be used for testing git connection

13:18:38 <quaid> #info dev.git.centos.org can be used for testing git connection

13:19:11 <bstinson> ok, anything else before I move along?

13:19:16 <MerlinTHP> Nothing from me

13:19:29 <bstinson> thanks for researching the lookaside MerlinTHP

13:19:39 <MerlinTHP> np

13:19:50 <MerlinTHP> tbh, I spent more time on the IPA stuff...

13:20:00 <bstinson> #topic Centpkg Progress

13:20:38 <bstinson> ok this will be very short, I have Centpkg reading in user certs and i've been able to kick off koji builds

13:20:45 <MerlinTHP> \o/

13:20:52 <MerlinTHP> Oh, one thought

13:21:06 <MerlinTHP> Currently, git branch to koji target is hard-coded

13:21:16 <quaid> #info centpkg is reading in user certs and is able to kick off koji builds

13:21:16 <MerlinTHP> I've thought for a while that it probably should be a config file

13:21:17 <bstinson> i need to see if we can make it easer for centpkg to co-exist with fedpkg and its cousins

13:21:38 <MerlinTHP> Does that sound like a sensible idea?

13:21:40 <kbsingh> bstinson: can it pull from and do some level of mangling of git.centos.org hosted repos

13:21:47 <MerlinTHP> I can work with you on it, bstinson

13:21:53 <quaid> #idea put git branch to koji target in a config file instead of being hard-coded

13:22:05 <kbsingh> MerlinTHP: we likely need a wider convo on git branch naming, i believe its in the schedule for later in the meeting

13:22:25 <bstinson> kbsingh: yes it can pull (and push when we work out cert auth)

13:22:33 <MerlinTHP> This is a bit orthagonal to that, imo

13:22:40 <Evolution> so long as we can tie koji naming into that as well.. (bananas?)

13:23:23 <bstinson> MerlinTHP: let's get together soon to talk about what you're thinking

13:23:32 <MerlinTHP> Sure thing

13:23:32 <kbsingh> what people can commit to - is tied into the targets they can consume in koji, but they should be able to ready from anywhere and build to the places they have acls to

13:23:56 <kbsingh> tagging might have a role to play in here as well

13:24:10 <alphacc> for semantic build=tag. policy work on tagging operation.

13:25:08 <kbsingh> ok

13:25:15 <bstinson> #action bstinson will clean up his commits and send centpkg patches to the mailing list

13:25:31 <kbsingh> are we going to put this into a rpm ?

13:25:37 <alphacc> I investigated the policy side and the easiest way now is to have a flat file and generate a policy. sig:user1,user2 and sig-admins:user1,user2

13:25:58 <bstinson> kbsingh: i have a copr out there right now

13:26:13 <kbsingh> we should have a more official process for this

13:26:17 <kbsingh> maybe into centos-extras

13:26:32 <kbsingh> but ok, lets do that as a second iteration

13:26:54 <quaid> bstinson: what's the copr URL? (for the record)

13:27:13 <bstinson> http://copr.fedoraproject.org/coprs/bstinson/Centpkg/

13:27:33 <quaid> #idea have centpkg eventually live in e.g. CentOS Extras

13:27:56 <MerlinTHP> That sounds sensible.

13:28:11 <MerlinTHP> We'll have to decide where rpkg lives, though.

13:28:17 <kbsingh> same place

13:28:26 <MerlinTHP> rpkg is in EPEL, though

13:28:32 <kbsingh> thats ok, were not relying on epel for now

13:28:38 <MerlinTHP> ( that's just a note, not an objection )

13:28:43 * MerlinTHP nods

13:28:45 <MerlinTHP> Fair enough

13:29:02 <kbsingh> anything in epel that we need - for now , we pull into local builds - longer term this is going to need a whole lot of conversation and attention :)

13:29:09 <MerlinTHP> Mm

13:29:54 <MerlinTHP> OK, centpkg looks to be cracking on

13:29:59 <quaid> #info not currently relying upon EPEL directly, anything needed gets pulled in to local build, e.g. rpkg

13:30:20 <Evolution> our interactions with epel will need to be a separate mailing list discussion or meeting here.

13:30:31 <Evolution> that needs to happen semi-soon anyway to start getting expectations

13:30:41 <Evolution> but I don't want to hijack this meeting for that

13:31:00 <kbsingh> yeah

13:31:14 * MerlinTHP pushes Evolution back down into his box

13:31:42 <bstinson> ok, let's keep moving

13:31:44 <bstinson> #topic Blocker List

13:32:23 <alphacc> #info integrate upstream patch in koji to support git.c.o

13:32:50 <kbsingh> ok, so what is the blocker list.. maybe we should first define what it is that is being blocked

13:32:56 <alphacc> I have the RPMs ready.

13:33:18 <alphacc> I will rebuild them in koji, and push it to infrastrcuture6 tag.

13:33:32 <kbsingh> ok, so thats about 50% of the blocker problem fixed right ? if people can use centpkg to request builds from git.centos.org delivered into a target at cbs.centos.org

13:33:53 <kbsingh> bstinson: once alphacc does his piece of work would that be possible ?

13:35:36 <bstinson> should be

13:35:52 <alphacc> #action Build CentOS koji rpms and install them (server-side).

13:36:21 <bstinson> right now, i've just been kicking off builds using --srpm which creates an intermediate src rpm and uploads it for building

13:37:08 <bstinson> alphacc: does the patch need any extra voices on the mailing lists?

13:37:58 <alphacc> bstinson: I think we decided that we will have our own koji rpms, so no, just more testing.

13:38:30 <bstinson> ok great

13:39:10 <kbsingh> its been upstreamed as well right ? just not in a release

13:39:21 <kbsingh> if they reject the patch upstream then we've got something to think about

13:39:28 <quaid> #agreed Project will carry own koji RPMs to carry our own patches etc.

13:39:51 <alphacc> mikem proposed the patch, but I don't think it is in master yet.

13:40:39 <mikem> alphacc, which patch was that?

13:41:32 <alphacc> mikem: koji-rpm-source-layout

13:41:33 <mikem> "Support rpm source layout (SPECS and SOURCES dirs) when building srpms from source control."?  That's in upstream git

13:42:07 <alphacc> ok great I missed it.

13:42:56 <bstinson> ok, is anyone else have a component blocked on something?

13:42:59 <kbsingh> so thats a good sign that were ok to carry it

13:43:11 <bstinson> s/is/does/

13:43:14 <kbsingh> the second half of the issue is auth into git.centos.org

13:43:37 <kbsingh> i can import content in, and give people access based in login names, but its going to be https http_basic auth

13:43:44 <kbsingh> works now, works for a few people, wont scale

13:44:03 <kbsingh> and how much of a problem might we be creating for ipa folks to import this into their setup later ?

13:44:55 <Evolution> kbsingh: bringing existing users over, or doing http auth?

13:45:01 <alphacc> kbsingh: the forseen solution would be ssh-keys ?

13:45:51 <MerlinTHP> If we go the IPA route, it'll just be a matter of converting ACLs into group memberships (or another LDAP attribute, if we go a more customised route for IPA)

13:46:03 <kbsingh> Evolution: either/neither - i presume this will be just using CA keys, shared with koji longer term

13:46:30 * quaid doesn't know yet of any hassles moving to FAS from http auth

13:46:35 <kbsingh> alphacc: cant do sshkeys, the commits need to be over https to use the user<->branch mapping, since the commit needs to be 'intercepted' by code that can make that decision easily

13:47:16 <bstinson> kbsingh: is that live on dev.git.c.o?

13:47:27 <quaid> #info can't use sshkeys for auth for git, needs to go over https for code pathway

13:47:44 <kbsingh> we could likely write something that does some sanity testing and checks keyname and works out group name and then looks at branch name etc, but the problem with that is still that folks can push at once - multiple branches

13:48:06 <kbsingh> bstinson: it can be fairly easily.

13:48:40 <kbsingh> bstinson: its live at git.centos.org

13:48:45 <bstinson> i'd like to poke at it from the client side whenever it's ready

13:48:59 <kbsingh> the user -> branch mapping ?

13:49:28 <bstinson> the auth component

13:50:20 <kbsingh> ok, i dont get what you want to poke at

13:50:45 <kbsingh> the only way to commit to git.centos.org is over https, unless its the upstream buildservices, that can use a privileged path

13:51:56 <bstinson> right, rpkg does all the committing over ssh so centpkg will need a few tweaks

13:52:46 <kbsingh> ok

13:53:01 <kbsingh> technically it should just be a case of using a different git remote url

13:53:44 <kbsingh> iirc, there is a centpkg.git in git.centos.org's root git's

13:53:47 <MerlinTHP> I suspect it'd work just by changing the git URL in the config file

13:53:50 <kbsingh> isnt that how this works as well

13:54:07 <kbsingh> https://git.centos.org/summary/centpkg.git

13:54:56 <kbsingh> just going over this again to make sure i understand what piece of work you want me to deliver on

13:56:10 <mattymo> hey Evolution

13:56:37 <bstinson> when you say http_basic auth, are you meaning username/password?

13:56:42 <kbsingh> yeah

13:56:48 <Evolution> mattymo: meeting presently. wait one (or pm)

13:56:54 <mattymo> oh ok

13:57:32 <mattymo> I'll write here just b/c anyone can comment. I see this bug here: https://github.com/karelzak/util-linux/issues/121

13:57:32 <bstinson> ah, we may need to hash out some details on that, I was hoping to hand you a client cert and get the user account info that way

13:57:45 <kbsingh> bstinson: my understanding is that this will go away and fas or ipa will provide the certauthority to auth with

13:58:13 <MerlinTHP> Mm

13:58:57 <kbsingh> so the user will actually only have the one set of certs they use for koji and git

13:59:10 <MerlinTHP> Yeah

13:59:24 <MerlinTHP> ( + the lookaside, depending if you count that as part of git )

13:59:37 <kbsingh> and somewhere in there will be a mechanism that says what branches ( or what groups ) this person belongs to

13:59:50 <kbsingh> MerlinTHP: right, lookaside too

14:00:12 <MerlinTHP> That mechanism could e.g. be an LDAP query against IPA

14:00:55 <alphacc> MerlinTHP: I could query same ldap for the koji policy

14:01:05 <MerlinTHP> That'd be neat

14:01:16 <MerlinTHP> But you can probably s/IPA/FAS/ too

14:01:51 * MerlinTHP wonders if we need to make this meeting slot longer

14:02:03 <gwd> Sorry to interrupt -- could someone with koji admin privileges make a virt6-testing tag?  (I think that's what I want...)

14:02:30 <bstinson> we are making good progress, at some point they'll get shorter :)

14:02:34 <MerlinTHP> :)

14:02:41 <alphacc> gwd: already there. pm.

14:02:49 <MerlinTHP> I've got to go shortly

14:02:55 <bstinson> since we're in the weeds, let's bring this back up offline and again next week

14:03:08 <kbsingh> sounds good

14:03:19 <kbsingh> i think the integration layers might be what needs the most effort

14:03:26 <MerlinTHP> Agreed.

14:03:27 <quaid> #info need to settle on temp auth method for git.centos.org over https

14:03:40 <kbsingh> if we can offload auth for lookaside into httpd, we might do the same for git as well, but lets cross that bridge

14:03:57 <alphacc> ok good for me too.

14:04:19 <gwd> alphacc: Oops, sorry... missed the 2nd page on the web interface.

14:05:01 <alphacc> gwd: it's a tag not a target, what are you yting to achieve ?

14:05:16 <alphacc> s/yting/trying

14:05:20 <bstinson> we can probably save SIG Branch and Build Target naming until next week also

14:05:21 <kbsingh> cool, are we closing meeting ?

14:05:41 <bstinson> closing in 1 minute

14:05:44 <kbsingh> mattymo: still waiting for you guys to actually start doing some contributing and things into CentOS

14:06:19 <bstinson> #info Next Meeting: Monday 29-Sept, 13:00 UTC

14:06:35 <bstinson> thanks everyone!

14:06:40 <MerlinTHP> Cheers!

14:06:41 <gwd> alphacc: I'm trying to build ipxe into an actual repo, so that I can then try building xen (which depends on ipxe).

14:06:50 <quaid> nice meeting, thx

14:06:55 <bstinson> #endmeeting