|
|
545090 |
13:02:39 <bstinson> #startmeeting cbs/infra
|
|
|
545090 |
13:02:39 <centbot> Meeting started Mon Sep 22 13:02:39 2014 UTC. The chair is bstinson. Information about MeetBot at http://wiki.debian.org/MeetBot.
|
|
|
545090 |
13:02:39 <centbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
|
|
|
545090 |
13:02:42 <kbsingh> ok, check if you can get to the trello board - both you and alphacc are added there.
|
|
|
545090 |
13:02:50 <kbsingh> https://trello.com/b/CKGGvcKU/cbs-centos-org is the url to the board
|
|
|
545090 |
13:03:03 <bstinson> #topic Greetings / Who's Here?
|
|
|
545090 |
13:03:03 <alphacc> kbsingh: works for me
|
|
|
545090 |
13:03:07 <bstinson> looks like i'm in
|
|
|
545090 |
13:03:09 <MerlinTHP> Hello!
|
|
|
545090 |
13:03:09 * quaid is here
|
|
|
545090 |
13:03:14 <kbsingh> I'm here as well
|
|
|
545090 |
13:03:21 * Arrfab echoes "me too"
|
|
|
545090 |
13:03:44 <bstinson> #chair kbsingh quaid alphacc MerlinTHP Arrfab Evolution
|
|
|
545090 |
13:03:44 <centbot> Current chairs: Arrfab Evolution MerlinTHP alphacc bstinson kbsingh quaid
|
|
|
545090 |
13:03:54 * wolfy lurks
|
|
|
545090 |
13:04:21 <bstinson> #topic Agenda
|
|
|
545090 |
13:04:24 <bstinson> #info FAS/IPA Testing - Short Status Update
|
|
|
545090 |
13:04:28 <bstinson> #info Centpkg Progress - Short Status Update
|
|
|
545090 |
13:04:32 <bstinson> #info Blocker List
|
|
|
545090 |
13:04:35 <bstinson> #info Brainstorming SIG Branch and Build Target Names
|
|
|
545090 |
13:04:41 <bstinson> #info Open Floor
|
|
|
545090 |
13:05:00 <mikem> good morning
|
|
|
545090 |
13:05:09 <jitseklomp> Hi
|
|
|
545090 |
13:05:19 <bstinson> hi folks!
|
|
|
545090 |
13:05:28 <bstinson> #topic FAS/IPA Testing
|
|
|
545090 |
13:05:47 <MerlinTHP> FAS folks first ;)
|
|
|
545090 |
13:06:20 <bstinson> It sounds like Arrfab has started on some VMs for this project
|
|
|
545090 |
13:06:27 * MerlinTHP nods
|
|
|
545090 |
13:06:27 <quaid> #info Infra team provisioned three VMs last week to use for FAS & IPA testing
|
|
|
545090 |
13:06:39 <MerlinTHP> I've got access to the VM for IPA testing
|
|
|
545090 |
13:06:43 <Arrfab> bstinson: yes and quaid got account/sudo on those VMs
|
|
|
545090 |
13:07:02 <quaid> Arrfab: is one of them the one MerlinTHP has
|
|
|
545090 |
13:07:02 <quaid> ?
|
|
|
545090 |
13:07:18 <kbsingh> no, MerlinTHP's setup is in rackspace
|
|
|
545090 |
13:07:18 <Arrfab> quaid: no, a different one, running c7 for his IPA test
|
|
|
545090 |
13:07:35 <quaid> great
|
|
|
545090 |
13:08:08 <bstinson> great! is there anything the testing teams need going forward?
|
|
|
545090 |
13:08:17 <quaid> we need then a bit of requirements of what to test for
|
|
|
545090 |
13:09:04 <kbsingh> quaid: does the centos-devel thread give you all you need for scope ?
|
|
|
545090 |
13:09:10 <MerlinTHP> Evolution listed a few requirements on the mailing list for what we need the account system to do (self-service account creation, self-management for SIGs, etc). IPA is missing a bunch of that stuff.
|
|
|
545090 |
13:09:21 <quaid> and just to interact with anyone who can help with tie-in to Koji
|
|
|
545090 |
13:09:34 <MerlinTHP> However, I've started writing a PoC web front end for IPA to do self-service.
|
|
|
545090 |
13:09:51 <quaid> kbsingh: I think so, can easily work up a wiki page on that
|
|
|
545090 |
13:09:58 <MerlinTHP> ( thus far users can sign up their own accounts )
|
|
|
545090 |
13:10:06 <quaid> #info can use the mailing list discussion to get requirements
|
|
|
545090 |
13:10:39 <quaid> #action quaid can write-up the requirements in to a wiki page to reference
|
|
|
545090 |
13:10:54 <alphacc> quaid: contact me if you need info on koji during your tests.
|
|
|
545090 |
13:11:35 <quaid> MerlinTHP: that's great! do you have the contacts you need with FreeIPA folks for that front end work?
|
|
|
545090 |
13:11:41 <Evolution> I'm assuming both ipa or fas would require a rekey of koji to test the ssl bits.
|
|
|
545090 |
13:11:53 <alphacc> Evolution: correct
|
|
|
545090 |
13:11:54 <quaid> alphacc: thanks
|
|
|
545090 |
13:11:55 <Evolution> would a second koji instance simply for ssl testing be in order?
|
|
|
545090 |
13:11:58 <MerlinTHP> Evolution: IPA would, certainly.
|
|
|
545090 |
13:12:13 <MerlinTHP> quaid: yeah, I already hang out in #freeipa ;)
|
|
|
545090 |
13:12:17 <Evolution> (once we get to that stage)
|
|
|
545090 |
13:12:42 <MerlinTHP> I'm planning to have the test IPA instance up with the front-end to poke at a bit later this week
|
|
|
545090 |
13:12:44 <quaid> Evolution: might be easier than messing with the running instance
|
|
|
545090 |
13:13:17 <quaid> similarly, I plan to have the basic FAS in place, and will rely upon smooge to help me get it further for actual testing
|
|
|
545090 |
13:13:31 <quaid> #idea should we have a second koji for ease of SSL testing, etc.?
|
|
|
545090 |
13:14:10 <kbsingh> there is a git.dev.centos.org that is already online - for testing scope on that side
|
|
|
545090 |
13:15:01 <bstinson> fantastic! it sounds like we're making progress
|
|
|
545090 |
13:15:10 <quaid> #ingo git.dev.centos.org can be used for testing git connection
|
|
|
545090 |
13:15:18 <quaid> #info git.dev.centos.org can be used for testing git connection
|
|
|
545090 |
13:15:21 <MerlinTHP> :)
|
|
|
545090 |
13:15:45 <quaid> that's all I've got right now, I think
|
|
|
545090 |
13:16:04 <kbsingh> dev.git.centos.org :)
|
|
|
545090 |
13:16:32 <MerlinTHP> In the course of doing research for the lookaside upload script, I've come to the conclusion that it'd help if the CA had an OCSP responder, and the host running the upload script was running apache 2.4 (so c7)
|
|
|
545090 |
13:17:06 <MerlinTHP> apache supports CRLs for certificate revocation, but you need to restart it every time you change the CRL file
|
|
|
545090 |
13:17:20 <kbsingh> we can run either c7 or c6 on the lookaside machine..
|
|
|
545090 |
13:17:53 <MerlinTHP> Whereas apache 2.4's OCSP support means it always goes ask the CA, so certificate revocations are instantly live.
|
|
|
545090 |
13:18:14 <MerlinTHP> Just a thought.
|
|
|
545090 |
13:18:18 <quaid> .undo
|
|
|
545090 |
13:18:27 <quaid> #info dev.git.centos.org can be used for testing git connection
|
|
|
545090 |
13:18:31 <quaid> #undo
|
|
|
545090 |
13:18:31 <centbot> Removing item from minutes: INFO by quaid at 13:18:27 : dev.git.centos.org can be used for testing git connection
|
|
|
545090 |
13:18:32 <quaid> #undo
|
|
|
545090 |
13:18:32 <centbot> Removing item from minutes: INFO by quaid at 13:15:18 : git.dev.centos.org can be used for testing git connection
|
|
|
545090 |
13:18:38 <quaid> #info dev.git.centos.org can be used for testing git connection
|
|
|
545090 |
13:19:11 <bstinson> ok, anything else before I move along?
|
|
|
545090 |
13:19:16 <MerlinTHP> Nothing from me
|
|
|
545090 |
13:19:29 <bstinson> thanks for researching the lookaside MerlinTHP
|
|
|
545090 |
13:19:39 <MerlinTHP> np
|
|
|
545090 |
13:19:50 <MerlinTHP> tbh, I spent more time on the IPA stuff...
|
|
|
545090 |
13:20:00 <bstinson> #topic Centpkg Progress
|
|
|
545090 |
13:20:38 <bstinson> ok this will be very short, I have Centpkg reading in user certs and i've been able to kick off koji builds
|
|
|
545090 |
13:20:45 <MerlinTHP> \o/
|
|
|
545090 |
13:20:52 <MerlinTHP> Oh, one thought
|
|
|
545090 |
13:21:06 <MerlinTHP> Currently, git branch to koji target is hard-coded
|
|
|
545090 |
13:21:16 <quaid> #info centpkg is reading in user certs and is able to kick off koji builds
|
|
|
545090 |
13:21:16 <MerlinTHP> I've thought for a while that it probably should be a config file
|
|
|
545090 |
13:21:17 <bstinson> i need to see if we can make it easer for centpkg to co-exist with fedpkg and its cousins
|
|
|
545090 |
13:21:38 <MerlinTHP> Does that sound like a sensible idea?
|
|
|
545090 |
13:21:40 <kbsingh> bstinson: can it pull from and do some level of mangling of git.centos.org hosted repos
|
|
|
545090 |
13:21:47 <MerlinTHP> I can work with you on it, bstinson
|
|
|
545090 |
13:21:53 <quaid> #idea put git branch to koji target in a config file instead of being hard-coded
|
|
|
545090 |
13:22:05 <kbsingh> MerlinTHP: we likely need a wider convo on git branch naming, i believe its in the schedule for later in the meeting
|
|
|
545090 |
13:22:25 <bstinson> kbsingh: yes it can pull (and push when we work out cert auth)
|
|
|
545090 |
13:22:33 <MerlinTHP> This is a bit orthagonal to that, imo
|
|
|
545090 |
13:22:40 <Evolution> so long as we can tie koji naming into that as well.. (bananas?)
|
|
|
545090 |
13:23:23 <bstinson> MerlinTHP: let's get together soon to talk about what you're thinking
|
|
|
545090 |
13:23:32 <MerlinTHP> Sure thing
|
|
|
545090 |
13:23:32 <kbsingh> what people can commit to - is tied into the targets they can consume in koji, but they should be able to ready from anywhere and build to the places they have acls to
|
|
|
545090 |
13:23:56 <kbsingh> tagging might have a role to play in here as well
|
|
|
545090 |
13:24:10 <alphacc> for semantic build=tag. policy work on tagging operation.
|
|
|
545090 |
13:25:08 <kbsingh> ok
|
|
|
545090 |
13:25:15 <bstinson> #action bstinson will clean up his commits and send centpkg patches to the mailing list
|
|
|
545090 |
13:25:31 <kbsingh> are we going to put this into a rpm ?
|
|
|
545090 |
13:25:37 <alphacc> I investigated the policy side and the easiest way now is to have a flat file and generate a policy. sig:user1,user2 and sig-admins:user1,user2
|
|
|
545090 |
13:25:58 <bstinson> kbsingh: i have a copr out there right now
|
|
|
545090 |
13:26:13 <kbsingh> we should have a more official process for this
|
|
|
545090 |
13:26:17 <kbsingh> maybe into centos-extras
|
|
|
545090 |
13:26:32 <kbsingh> but ok, lets do that as a second iteration
|
|
|
545090 |
13:26:54 <quaid> bstinson: what's the copr URL? (for the record)
|
|
|
545090 |
13:27:13 <bstinson> http://copr.fedoraproject.org/coprs/bstinson/Centpkg/
|
|
|
545090 |
13:27:33 <quaid> #idea have centpkg eventually live in e.g. CentOS Extras
|
|
|
545090 |
13:27:56 <MerlinTHP> That sounds sensible.
|
|
|
545090 |
13:28:11 <MerlinTHP> We'll have to decide where rpkg lives, though.
|
|
|
545090 |
13:28:17 <kbsingh> same place
|
|
|
545090 |
13:28:26 <MerlinTHP> rpkg is in EPEL, though
|
|
|
545090 |
13:28:32 <kbsingh> thats ok, were not relying on epel for now
|
|
|
545090 |
13:28:38 <MerlinTHP> ( that's just a note, not an objection )
|
|
|
545090 |
13:28:43 * MerlinTHP nods
|
|
|
545090 |
13:28:45 <MerlinTHP> Fair enough
|
|
|
545090 |
13:29:02 <kbsingh> anything in epel that we need - for now , we pull into local builds - longer term this is going to need a whole lot of conversation and attention :)
|
|
|
545090 |
13:29:09 <MerlinTHP> Mm
|
|
|
545090 |
13:29:54 <MerlinTHP> OK, centpkg looks to be cracking on
|
|
|
545090 |
13:29:59 <quaid> #info not currently relying upon EPEL directly, anything needed gets pulled in to local build, e.g. rpkg
|
|
|
545090 |
13:30:20 <Evolution> our interactions with epel will need to be a separate mailing list discussion or meeting here.
|
|
|
545090 |
13:30:31 <Evolution> that needs to happen semi-soon anyway to start getting expectations
|
|
|
545090 |
13:30:41 <Evolution> but I don't want to hijack this meeting for that
|
|
|
545090 |
13:31:00 <kbsingh> yeah
|
|
|
545090 |
13:31:14 * MerlinTHP pushes Evolution back down into his box
|
|
|
545090 |
13:31:42 <bstinson> ok, let's keep moving
|
|
|
545090 |
13:31:44 <bstinson> #topic Blocker List
|
|
|
545090 |
13:32:23 <alphacc> #info integrate upstream patch in koji to support git.c.o
|
|
|
545090 |
13:32:50 <kbsingh> ok, so what is the blocker list.. maybe we should first define what it is that is being blocked
|
|
|
545090 |
13:32:56 <alphacc> I have the RPMs ready.
|
|
|
545090 |
13:33:18 <alphacc> I will rebuild them in koji, and push it to infrastrcuture6 tag.
|
|
|
545090 |
13:33:32 <kbsingh> ok, so thats about 50% of the blocker problem fixed right ? if people can use centpkg to request builds from git.centos.org delivered into a target at cbs.centos.org
|
|
|
545090 |
13:33:53 <kbsingh> bstinson: once alphacc does his piece of work would that be possible ?
|
|
|
545090 |
13:35:36 <bstinson> should be
|
|
|
545090 |
13:35:52 <alphacc> #action Build CentOS koji rpms and install them (server-side).
|
|
|
545090 |
13:36:21 <bstinson> right now, i've just been kicking off builds using --srpm which creates an intermediate src rpm and uploads it for building
|
|
|
545090 |
13:37:08 <bstinson> alphacc: does the patch need any extra voices on the mailing lists?
|
|
|
545090 |
13:37:58 <alphacc> bstinson: I think we decided that we will have our own koji rpms, so no, just more testing.
|
|
|
545090 |
13:38:30 <bstinson> ok great
|
|
|
545090 |
13:39:10 <kbsingh> its been upstreamed as well right ? just not in a release
|
|
|
545090 |
13:39:21 <kbsingh> if they reject the patch upstream then we've got something to think about
|
|
|
545090 |
13:39:28 <quaid> #agreed Project will carry own koji RPMs to carry our own patches etc.
|
|
|
545090 |
13:39:51 <alphacc> mikem proposed the patch, but I don't think it is in master yet.
|
|
|
545090 |
13:40:39 <mikem> alphacc, which patch was that?
|
|
|
545090 |
13:41:32 <alphacc> mikem: koji-rpm-source-layout
|
|
|
545090 |
13:41:33 <mikem> "Support rpm source layout (SPECS and SOURCES dirs) when building srpms from source control."? That's in upstream git
|
|
|
545090 |
13:42:07 <alphacc> ok great I missed it.
|
|
|
545090 |
13:42:56 <bstinson> ok, is anyone else have a component blocked on something?
|
|
|
545090 |
13:42:59 <kbsingh> so thats a good sign that were ok to carry it
|
|
|
545090 |
13:43:11 <bstinson> s/is/does/
|
|
|
545090 |
13:43:14 <kbsingh> the second half of the issue is auth into git.centos.org
|
|
|
545090 |
13:43:37 <kbsingh> i can import content in, and give people access based in login names, but its going to be https http_basic auth
|
|
|
545090 |
13:43:44 <kbsingh> works now, works for a few people, wont scale
|
|
|
545090 |
13:44:03 <kbsingh> and how much of a problem might we be creating for ipa folks to import this into their setup later ?
|
|
|
545090 |
13:44:55 <Evolution> kbsingh: bringing existing users over, or doing http auth?
|
|
|
545090 |
13:45:01 <alphacc> kbsingh: the forseen solution would be ssh-keys ?
|
|
|
545090 |
13:45:51 <MerlinTHP> If we go the IPA route, it'll just be a matter of converting ACLs into group memberships (or another LDAP attribute, if we go a more customised route for IPA)
|
|
|
545090 |
13:46:03 <kbsingh> Evolution: either/neither - i presume this will be just using CA keys, shared with koji longer term
|
|
|
545090 |
13:46:30 * quaid doesn't know yet of any hassles moving to FAS from http auth
|
|
|
545090 |
13:46:35 <kbsingh> alphacc: cant do sshkeys, the commits need to be over https to use the user<->branch mapping, since the commit needs to be 'intercepted' by code that can make that decision easily
|
|
|
545090 |
13:47:16 <bstinson> kbsingh: is that live on dev.git.c.o?
|
|
|
545090 |
13:47:27 <quaid> #info can't use sshkeys for auth for git, needs to go over https for code pathway
|
|
|
545090 |
13:47:44 <kbsingh> we could likely write something that does some sanity testing and checks keyname and works out group name and then looks at branch name etc, but the problem with that is still that folks can push at once - multiple branches
|
|
|
545090 |
13:48:06 <kbsingh> bstinson: it can be fairly easily.
|
|
|
545090 |
13:48:40 <kbsingh> bstinson: its live at git.centos.org
|
|
|
545090 |
13:48:45 <bstinson> i'd like to poke at it from the client side whenever it's ready
|
|
|
545090 |
13:48:59 <kbsingh> the user -> branch mapping ?
|
|
|
545090 |
13:49:28 <bstinson> the auth component
|
|
|
545090 |
13:50:20 <kbsingh> ok, i dont get what you want to poke at
|
|
|
545090 |
13:50:45 <kbsingh> the only way to commit to git.centos.org is over https, unless its the upstream buildservices, that can use a privileged path
|
|
|
545090 |
13:51:56 <bstinson> right, rpkg does all the committing over ssh so centpkg will need a few tweaks
|
|
|
545090 |
13:52:46 <kbsingh> ok
|
|
|
545090 |
13:53:01 <kbsingh> technically it should just be a case of using a different git remote url
|
|
|
545090 |
13:53:44 <kbsingh> iirc, there is a centpkg.git in git.centos.org's root git's
|
|
|
545090 |
13:53:47 <MerlinTHP> I suspect it'd work just by changing the git URL in the config file
|
|
|
545090 |
13:53:50 <kbsingh> isnt that how this works as well
|
|
|
545090 |
13:54:07 <kbsingh> https://git.centos.org/summary/centpkg.git
|
|
|
545090 |
13:54:56 <kbsingh> just going over this again to make sure i understand what piece of work you want me to deliver on
|
|
|
545090 |
13:56:10 <mattymo> hey Evolution
|
|
|
545090 |
13:56:37 <bstinson> when you say http_basic auth, are you meaning username/password?
|
|
|
545090 |
13:56:42 <kbsingh> yeah
|
|
|
545090 |
13:56:48 <Evolution> mattymo: meeting presently. wait one (or pm)
|
|
|
545090 |
13:56:54 <mattymo> oh ok
|
|
|
545090 |
13:57:32 <mattymo> I'll write here just b/c anyone can comment. I see this bug here: https://github.com/karelzak/util-linux/issues/121
|
|
|
545090 |
13:57:32 <bstinson> ah, we may need to hash out some details on that, I was hoping to hand you a client cert and get the user account info that way
|
|
|
545090 |
13:57:45 <kbsingh> bstinson: my understanding is that this will go away and fas or ipa will provide the certauthority to auth with
|
|
|
545090 |
13:58:13 <MerlinTHP> Mm
|
|
|
545090 |
13:58:57 <kbsingh> so the user will actually only have the one set of certs they use for koji and git
|
|
|
545090 |
13:59:10 <MerlinTHP> Yeah
|
|
|
545090 |
13:59:24 <MerlinTHP> ( + the lookaside, depending if you count that as part of git )
|
|
|
545090 |
13:59:37 <kbsingh> and somewhere in there will be a mechanism that says what branches ( or what groups ) this person belongs to
|
|
|
545090 |
13:59:50 <kbsingh> MerlinTHP: right, lookaside too
|
|
|
545090 |
14:00:12 <MerlinTHP> That mechanism could e.g. be an LDAP query against IPA
|
|
|
545090 |
14:00:55 <alphacc> MerlinTHP: I could query same ldap for the koji policy
|
|
|
545090 |
14:01:05 <MerlinTHP> That'd be neat
|
|
|
545090 |
14:01:16 <MerlinTHP> But you can probably s/IPA/FAS/ too
|
|
|
545090 |
14:01:51 * MerlinTHP wonders if we need to make this meeting slot longer
|
|
|
545090 |
14:02:03 <gwd> Sorry to interrupt -- could someone with koji admin privileges make a virt6-testing tag? (I think that's what I want...)
|
|
|
545090 |
14:02:30 <bstinson> we are making good progress, at some point they'll get shorter :)
|
|
|
545090 |
14:02:34 <MerlinTHP> :)
|
|
|
545090 |
14:02:41 <alphacc> gwd: already there. pm.
|
|
|
545090 |
14:02:49 <MerlinTHP> I've got to go shortly
|
|
|
545090 |
14:02:55 <bstinson> since we're in the weeds, let's bring this back up offline and again next week
|
|
|
545090 |
14:03:08 <kbsingh> sounds good
|
|
|
545090 |
14:03:19 <kbsingh> i think the integration layers might be what needs the most effort
|
|
|
545090 |
14:03:26 <MerlinTHP> Agreed.
|
|
|
545090 |
14:03:27 <quaid> #info need to settle on temp auth method for git.centos.org over https
|
|
|
545090 |
14:03:40 <kbsingh> if we can offload auth for lookaside into httpd, we might do the same for git as well, but lets cross that bridge
|
|
|
545090 |
14:03:57 <alphacc> ok good for me too.
|
|
|
545090 |
14:04:19 <gwd> alphacc: Oops, sorry... missed the 2nd page on the web interface.
|
|
|
545090 |
14:05:01 <alphacc> gwd: it's a tag not a target, what are you yting to achieve ?
|
|
|
545090 |
14:05:16 <alphacc> s/yting/trying
|
|
|
545090 |
14:05:20 <bstinson> we can probably save SIG Branch and Build Target naming until next week also
|
|
|
545090 |
14:05:21 <kbsingh> cool, are we closing meeting ?
|
|
|
545090 |
14:05:41 <bstinson> closing in 1 minute
|
|
|
545090 |
14:05:44 <kbsingh> mattymo: still waiting for you guys to actually start doing some contributing and things into CentOS
|
|
|
545090 |
14:06:19 <bstinson> #info Next Meeting: Monday 29-Sept, 13:00 UTC
|
|
|
545090 |
14:06:35 <bstinson> thanks everyone!
|
|
|
545090 |
14:06:40 <MerlinTHP> Cheers!
|
|
|
545090 |
14:06:41 <gwd> alphacc: I'm trying to build ipxe into an actual repo, so that I can then try building xen (which depends on ipxe).
|
|
|
545090 |
14:06:50 <quaid> nice meeting, thx
|
|
|
545090 |
14:06:55 <bstinson> #endmeeting
|