yifengyou / centos / centos.org

Forked from centos/centos.org 3 years ago
Clone

Blame static/minutes/2014/september/centos-devel.2014-09-22-13.02.log.txt

c3b3e1
13:02:39 <bstinson> #startmeeting cbs/infra
c3b3e1
13:02:39 <centbot> Meeting started Mon Sep 22 13:02:39 2014 UTC.  The chair is bstinson. Information about MeetBot at http://wiki.debian.org/MeetBot.
c3b3e1
13:02:39 <centbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
c3b3e1
13:02:42 <kbsingh> ok, check if you can get to the trello board - both you and alphacc are added there.
c3b3e1
13:02:50 <kbsingh> https://trello.com/b/CKGGvcKU/cbs-centos-org is the url to the board
c3b3e1
13:03:03 <bstinson> #topic Greetings / Who's Here?
c3b3e1
13:03:03 <alphacc> kbsingh: works for me
c3b3e1
13:03:07 <bstinson> looks like i'm in
c3b3e1
13:03:09 <MerlinTHP> Hello!
c3b3e1
13:03:09 * quaid is here
c3b3e1
13:03:14 <kbsingh> I'm here as well
c3b3e1
13:03:21 * Arrfab echoes "me too"
c3b3e1
13:03:44 <bstinson> #chair kbsingh quaid alphacc MerlinTHP Arrfab Evolution
c3b3e1
13:03:44 <centbot> Current chairs: Arrfab Evolution MerlinTHP alphacc bstinson kbsingh quaid
c3b3e1
13:03:54 * wolfy lurks
c3b3e1
13:04:21 <bstinson> #topic Agenda
c3b3e1
13:04:24 <bstinson> #info FAS/IPA Testing - Short Status Update
c3b3e1
13:04:28 <bstinson> #info Centpkg Progress - Short Status Update
c3b3e1
13:04:32 <bstinson> #info Blocker List
c3b3e1
13:04:35 <bstinson> #info Brainstorming SIG Branch and Build Target Names
c3b3e1
13:04:41 <bstinson> #info Open Floor
c3b3e1
13:05:00 <mikem> good morning
c3b3e1
13:05:09 <jitseklomp> Hi
c3b3e1
13:05:19 <bstinson> hi folks!
c3b3e1
13:05:28 <bstinson> #topic FAS/IPA Testing
c3b3e1
13:05:47 <MerlinTHP> FAS folks first ;)
c3b3e1
13:06:20 <bstinson> It sounds like Arrfab has started on some VMs for this project
c3b3e1
13:06:27 * MerlinTHP nods
c3b3e1
13:06:27 <quaid> #info Infra team provisioned three VMs last week to use for FAS & IPA testing
c3b3e1
13:06:39 <MerlinTHP> I've got access to the VM for IPA testing
c3b3e1
13:06:43 <Arrfab> bstinson: yes and quaid got account/sudo on those VMs
c3b3e1
13:07:02 <quaid> Arrfab: is one of them the one MerlinTHP has
c3b3e1
13:07:02 <quaid> ?
c3b3e1
13:07:18 <kbsingh> no, MerlinTHP's setup is in rackspace
c3b3e1
13:07:18 <Arrfab> quaid: no, a different one, running c7 for his IPA test
c3b3e1
13:07:35 <quaid> great
c3b3e1
13:08:08 <bstinson> great! is there anything the testing teams need going forward?
c3b3e1
13:08:17 <quaid> we need then a bit of requirements of what to test for
c3b3e1
13:09:04 <kbsingh> quaid: does the centos-devel thread give you all you need for scope ?
c3b3e1
13:09:10 <MerlinTHP> Evolution listed a few requirements on the mailing list for what we need the account system to do (self-service account creation, self-management for SIGs, etc).  IPA is missing a bunch of that stuff.
c3b3e1
13:09:21 <quaid> and just to interact with anyone who can help with tie-in to Koji
c3b3e1
13:09:34 <MerlinTHP> However, I've started writing a PoC web front end for IPA to do self-service.
c3b3e1
13:09:51 <quaid> kbsingh: I think so, can easily work up a wiki page on that
c3b3e1
13:09:58 <MerlinTHP> ( thus far users can sign up their own accounts )
c3b3e1
13:10:06 <quaid> #info can use the mailing list discussion to get requirements
c3b3e1
13:10:39 <quaid> #action quaid can write-up the requirements in to a wiki page to reference
c3b3e1
13:10:54 <alphacc> quaid: contact me if you need info on koji during your tests.
c3b3e1
13:11:35 <quaid> MerlinTHP: that's great! do you have the contacts you need with FreeIPA folks for that front end work?
c3b3e1
13:11:41 <Evolution> I'm assuming both ipa or fas would require a rekey of koji to test the ssl bits.
c3b3e1
13:11:53 <alphacc> Evolution: correct
c3b3e1
13:11:54 <quaid> alphacc: thanks
c3b3e1
13:11:55 <Evolution> would a second koji instance simply for ssl testing be in order?
c3b3e1
13:11:58 <MerlinTHP> Evolution: IPA would, certainly.
c3b3e1
13:12:13 <MerlinTHP> quaid: yeah, I already hang out in #freeipa ;)
c3b3e1
13:12:17 <Evolution> (once we get to that stage)
c3b3e1
13:12:42 <MerlinTHP> I'm planning to have the test IPA instance up with the front-end to poke at a bit later this week
c3b3e1
13:12:44 <quaid> Evolution: might be easier than messing with the running instance
c3b3e1
13:13:17 <quaid> similarly, I plan to have the basic FAS in place, and will rely upon smooge to help me get it further for actual testing
c3b3e1
13:13:31 <quaid> #idea should we have a second koji for ease of SSL testing, etc.?
c3b3e1
13:14:10 <kbsingh> there is a git.dev.centos.org that is already online - for testing scope on that side
c3b3e1
13:15:01 <bstinson> fantastic! it sounds like we're making progress
c3b3e1
13:15:10 <quaid> #ingo git.dev.centos.org can be used for testing git connection
c3b3e1
13:15:18 <quaid> #info git.dev.centos.org can be used for testing git connection
c3b3e1
13:15:21 <MerlinTHP> :)
c3b3e1
13:15:45 <quaid> that's all I've got right now, I think
c3b3e1
13:16:04 <kbsingh> dev.git.centos.org :)
c3b3e1
13:16:32 <MerlinTHP> In the course of doing research for the lookaside upload script, I've come to the conclusion that it'd help if the CA had an OCSP responder, and the host running the upload script was running apache 2.4 (so c7)
c3b3e1
13:17:06 <MerlinTHP> apache supports CRLs for certificate revocation, but you need to restart it every time you change the CRL file
c3b3e1
13:17:20 <kbsingh> we can run either c7 or c6 on the lookaside machine..
c3b3e1
13:17:53 <MerlinTHP> Whereas apache 2.4's OCSP support means it always goes ask the CA, so certificate revocations are instantly live.
c3b3e1
13:18:14 <MerlinTHP> Just a thought.
c3b3e1
13:18:18 <quaid> .undo
c3b3e1
13:18:27 <quaid> #info dev.git.centos.org can be used for testing git connection
c3b3e1
13:18:31 <quaid> #undo
c3b3e1
13:18:31 <centbot> Removing item from minutes: INFO by quaid at 13:18:27 : dev.git.centos.org can be used for testing git connection
c3b3e1
13:18:32 <quaid> #undo
c3b3e1
13:18:32 <centbot> Removing item from minutes: INFO by quaid at 13:15:18 : git.dev.centos.org can be used for testing git connection
c3b3e1
13:18:38 <quaid> #info dev.git.centos.org can be used for testing git connection
c3b3e1
13:19:11 <bstinson> ok, anything else before I move along?
c3b3e1
13:19:16 <MerlinTHP> Nothing from me
c3b3e1
13:19:29 <bstinson> thanks for researching the lookaside MerlinTHP
c3b3e1
13:19:39 <MerlinTHP> np
c3b3e1
13:19:50 <MerlinTHP> tbh, I spent more time on the IPA stuff...
c3b3e1
13:20:00 <bstinson> #topic Centpkg Progress
c3b3e1
13:20:38 <bstinson> ok this will be very short, I have Centpkg reading in user certs and i've been able to kick off koji builds
c3b3e1
13:20:45 <MerlinTHP> \o/
c3b3e1
13:20:52 <MerlinTHP> Oh, one thought
c3b3e1
13:21:06 <MerlinTHP> Currently, git branch to koji target is hard-coded
c3b3e1
13:21:16 <quaid> #info centpkg is reading in user certs and is able to kick off koji builds
c3b3e1
13:21:16 <MerlinTHP> I've thought for a while that it probably should be a config file
c3b3e1
13:21:17 <bstinson> i need to see if we can make it easer for centpkg to co-exist with fedpkg and its cousins
c3b3e1
13:21:38 <MerlinTHP> Does that sound like a sensible idea?
c3b3e1
13:21:40 <kbsingh> bstinson: can it pull from and do some level of mangling of git.centos.org hosted repos
c3b3e1
13:21:47 <MerlinTHP> I can work with you on it, bstinson
c3b3e1
13:21:53 <quaid> #idea put git branch to koji target in a config file instead of being hard-coded
c3b3e1
13:22:05 <kbsingh> MerlinTHP: we likely need a wider convo on git branch naming, i believe its in the schedule for later in the meeting
c3b3e1
13:22:25 <bstinson> kbsingh: yes it can pull (and push when we work out cert auth)
c3b3e1
13:22:33 <MerlinTHP> This is a bit orthagonal to that, imo
c3b3e1
13:22:40 <Evolution> so long as we can tie koji naming into that as well.. (bananas?)
c3b3e1
13:23:23 <bstinson> MerlinTHP: let's get together soon to talk about what you're thinking
c3b3e1
13:23:32 <MerlinTHP> Sure thing
c3b3e1
13:23:32 <kbsingh> what people can commit to - is tied into the targets they can consume in koji, but they should be able to ready from anywhere and build to the places they have acls to
c3b3e1
13:23:56 <kbsingh> tagging might have a role to play in here as well
c3b3e1
13:24:10 <alphacc> for semantic build=tag. policy work on tagging operation.
c3b3e1
13:25:08 <kbsingh> ok
c3b3e1
13:25:15 <bstinson> #action bstinson will clean up his commits and send centpkg patches to the mailing list
c3b3e1
13:25:31 <kbsingh> are we going to put this into a rpm ?
c3b3e1
13:25:37 <alphacc> I investigated the policy side and the easiest way now is to have a flat file and generate a policy. sig:user1,user2 and sig-admins:user1,user2
c3b3e1
13:25:58 <bstinson> kbsingh: i have a copr out there right now
c3b3e1
13:26:13 <kbsingh> we should have a more official process for this
c3b3e1
13:26:17 <kbsingh> maybe into centos-extras
c3b3e1
13:26:32 <kbsingh> but ok, lets do that as a second iteration
c3b3e1
13:26:54 <quaid> bstinson: what's the copr URL? (for the record)
c3b3e1
13:27:13 <bstinson> http://copr.fedoraproject.org/coprs/bstinson/Centpkg/
c3b3e1
13:27:33 <quaid> #idea have centpkg eventually live in e.g. CentOS Extras
c3b3e1
13:27:56 <MerlinTHP> That sounds sensible.
c3b3e1
13:28:11 <MerlinTHP> We'll have to decide where rpkg lives, though.
c3b3e1
13:28:17 <kbsingh> same place
c3b3e1
13:28:26 <MerlinTHP> rpkg is in EPEL, though
c3b3e1
13:28:32 <kbsingh> thats ok, were not relying on epel for now
c3b3e1
13:28:38 <MerlinTHP> ( that's just a note, not an objection )
c3b3e1
13:28:43 * MerlinTHP nods
c3b3e1
13:28:45 <MerlinTHP> Fair enough
c3b3e1
13:29:02 <kbsingh> anything in epel that we need - for now , we pull into local builds - longer term this is going to need a whole lot of conversation and attention :)
c3b3e1
13:29:09 <MerlinTHP> Mm
c3b3e1
13:29:54 <MerlinTHP> OK, centpkg looks to be cracking on
c3b3e1
13:29:59 <quaid> #info not currently relying upon EPEL directly, anything needed gets pulled in to local build, e.g. rpkg
c3b3e1
13:30:20 <Evolution> our interactions with epel will need to be a separate mailing list discussion or meeting here.
c3b3e1
13:30:31 <Evolution> that needs to happen semi-soon anyway to start getting expectations
c3b3e1
13:30:41 <Evolution> but I don't want to hijack this meeting for that
c3b3e1
13:31:00 <kbsingh> yeah
c3b3e1
13:31:14 * MerlinTHP pushes Evolution back down into his box
c3b3e1
13:31:42 <bstinson> ok, let's keep moving
c3b3e1
13:31:44 <bstinson> #topic Blocker List
c3b3e1
13:32:23 <alphacc> #info integrate upstream patch in koji to support git.c.o
c3b3e1
13:32:50 <kbsingh> ok, so what is the blocker list.. maybe we should first define what it is that is being blocked
c3b3e1
13:32:56 <alphacc> I have the RPMs ready.
c3b3e1
13:33:18 <alphacc> I will rebuild them in koji, and push it to infrastrcuture6 tag.
c3b3e1
13:33:32 <kbsingh> ok, so thats about 50% of the blocker problem fixed right ? if people can use centpkg to request builds from git.centos.org delivered into a target at cbs.centos.org
c3b3e1
13:33:53 <kbsingh> bstinson: once alphacc does his piece of work would that be possible ?
c3b3e1
13:35:36 <bstinson> should be
c3b3e1
13:35:52 <alphacc> #action Build CentOS koji rpms and install them (server-side).
c3b3e1
13:36:21 <bstinson> right now, i've just been kicking off builds using --srpm which creates an intermediate src rpm and uploads it for building
c3b3e1
13:37:08 <bstinson> alphacc: does the patch need any extra voices on the mailing lists?
c3b3e1
13:37:58 <alphacc> bstinson: I think we decided that we will have our own koji rpms, so no, just more testing.
c3b3e1
13:38:30 <bstinson> ok great
c3b3e1
13:39:10 <kbsingh> its been upstreamed as well right ? just not in a release
c3b3e1
13:39:21 <kbsingh> if they reject the patch upstream then we've got something to think about
c3b3e1
13:39:28 <quaid> #agreed Project will carry own koji RPMs to carry our own patches etc.
c3b3e1
13:39:51 <alphacc> mikem proposed the patch, but I don't think it is in master yet.
c3b3e1
13:40:39 <mikem> alphacc, which patch was that?
c3b3e1
13:41:32 <alphacc> mikem: koji-rpm-source-layout
c3b3e1
13:41:33 <mikem> "Support rpm source layout (SPECS and SOURCES dirs) when building srpms from source control."?  That's in upstream git
c3b3e1
13:42:07 <alphacc> ok great I missed it.
c3b3e1
13:42:56 <bstinson> ok, is anyone else have a component blocked on something?
c3b3e1
13:42:59 <kbsingh> so thats a good sign that were ok to carry it
c3b3e1
13:43:11 <bstinson> s/is/does/
c3b3e1
13:43:14 <kbsingh> the second half of the issue is auth into git.centos.org
c3b3e1
13:43:37 <kbsingh> i can import content in, and give people access based in login names, but its going to be https http_basic auth
c3b3e1
13:43:44 <kbsingh> works now, works for a few people, wont scale
c3b3e1
13:44:03 <kbsingh> and how much of a problem might we be creating for ipa folks to import this into their setup later ?
c3b3e1
13:44:55 <Evolution> kbsingh: bringing existing users over, or doing http auth?
c3b3e1
13:45:01 <alphacc> kbsingh: the forseen solution would be ssh-keys ?
c3b3e1
13:45:51 <MerlinTHP> If we go the IPA route, it'll just be a matter of converting ACLs into group memberships (or another LDAP attribute, if we go a more customised route for IPA)
c3b3e1
13:46:03 <kbsingh> Evolution: either/neither - i presume this will be just using CA keys, shared with koji longer term
c3b3e1
13:46:30 * quaid doesn't know yet of any hassles moving to FAS from http auth
c3b3e1
13:46:35 <kbsingh> alphacc: cant do sshkeys, the commits need to be over https to use the user<->branch mapping, since the commit needs to be 'intercepted' by code that can make that decision easily
c3b3e1
13:47:16 <bstinson> kbsingh: is that live on dev.git.c.o?
c3b3e1
13:47:27 <quaid> #info can't use sshkeys for auth for git, needs to go over https for code pathway
c3b3e1
13:47:44 <kbsingh> we could likely write something that does some sanity testing and checks keyname and works out group name and then looks at branch name etc, but the problem with that is still that folks can push at once - multiple branches
c3b3e1
13:48:06 <kbsingh> bstinson: it can be fairly easily.
c3b3e1
13:48:40 <kbsingh> bstinson: its live at git.centos.org
c3b3e1
13:48:45 <bstinson> i'd like to poke at it from the client side whenever it's ready
c3b3e1
13:48:59 <kbsingh> the user -> branch mapping ?
c3b3e1
13:49:28 <bstinson> the auth component
c3b3e1
13:50:20 <kbsingh> ok, i dont get what you want to poke at
c3b3e1
13:50:45 <kbsingh> the only way to commit to git.centos.org is over https, unless its the upstream buildservices, that can use a privileged path
c3b3e1
13:51:56 <bstinson> right, rpkg does all the committing over ssh so centpkg will need a few tweaks
c3b3e1
13:52:46 <kbsingh> ok
c3b3e1
13:53:01 <kbsingh> technically it should just be a case of using a different git remote url
c3b3e1
13:53:44 <kbsingh> iirc, there is a centpkg.git in git.centos.org's root git's
c3b3e1
13:53:47 <MerlinTHP> I suspect it'd work just by changing the git URL in the config file
c3b3e1
13:53:50 <kbsingh> isnt that how this works as well
c3b3e1
13:54:07 <kbsingh> https://git.centos.org/summary/centpkg.git
c3b3e1
13:54:56 <kbsingh> just going over this again to make sure i understand what piece of work you want me to deliver on
c3b3e1
13:56:10 <mattymo> hey Evolution
c3b3e1
13:56:37 <bstinson> when you say http_basic auth, are you meaning username/password?
c3b3e1
13:56:42 <kbsingh> yeah
c3b3e1
13:56:48 <Evolution> mattymo: meeting presently. wait one (or pm)
c3b3e1
13:56:54 <mattymo> oh ok
c3b3e1
13:57:32 <mattymo> I'll write here just b/c anyone can comment. I see this bug here: https://github.com/karelzak/util-linux/issues/121
c3b3e1
13:57:32 <bstinson> ah, we may need to hash out some details on that, I was hoping to hand you a client cert and get the user account info that way
c3b3e1
13:57:45 <kbsingh> bstinson: my understanding is that this will go away and fas or ipa will provide the certauthority to auth with
c3b3e1
13:58:13 <MerlinTHP> Mm
c3b3e1
13:58:57 <kbsingh> so the user will actually only have the one set of certs they use for koji and git
c3b3e1
13:59:10 <MerlinTHP> Yeah
c3b3e1
13:59:24 <MerlinTHP> ( + the lookaside, depending if you count that as part of git )
c3b3e1
13:59:37 <kbsingh> and somewhere in there will be a mechanism that says what branches ( or what groups ) this person belongs to
c3b3e1
13:59:50 <kbsingh> MerlinTHP: right, lookaside too
c3b3e1
14:00:12 <MerlinTHP> That mechanism could e.g. be an LDAP query against IPA
c3b3e1
14:00:55 <alphacc> MerlinTHP: I could query same ldap for the koji policy
c3b3e1
14:01:05 <MerlinTHP> That'd be neat
c3b3e1
14:01:16 <MerlinTHP> But you can probably s/IPA/FAS/ too
c3b3e1
14:01:51 * MerlinTHP wonders if we need to make this meeting slot longer
c3b3e1
14:02:03 <gwd> Sorry to interrupt -- could someone with koji admin privileges make a virt6-testing tag?  (I think that's what I want...)
c3b3e1
14:02:30 <bstinson> we are making good progress, at some point they'll get shorter :)
c3b3e1
14:02:34 <MerlinTHP> :)
c3b3e1
14:02:41 <alphacc> gwd: already there. pm.
c3b3e1
14:02:49 <MerlinTHP> I've got to go shortly
c3b3e1
14:02:55 <bstinson> since we're in the weeds, let's bring this back up offline and again next week
c3b3e1
14:03:08 <kbsingh> sounds good
c3b3e1
14:03:19 <kbsingh> i think the integration layers might be what needs the most effort
c3b3e1
14:03:26 <MerlinTHP> Agreed.
c3b3e1
14:03:27 <quaid> #info need to settle on temp auth method for git.centos.org over https
c3b3e1
14:03:40 <kbsingh> if we can offload auth for lookaside into httpd, we might do the same for git as well, but lets cross that bridge
c3b3e1
14:03:57 <alphacc> ok good for me too.
c3b3e1
14:04:19 <gwd> alphacc: Oops, sorry... missed the 2nd page on the web interface.
c3b3e1
14:05:01 <alphacc> gwd: it's a tag not a target, what are you yting to achieve ?
c3b3e1
14:05:16 <alphacc> s/yting/trying
c3b3e1
14:05:20 <bstinson> we can probably save SIG Branch and Build Target naming until next week also
c3b3e1
14:05:21 <kbsingh> cool, are we closing meeting ?
c3b3e1
14:05:41 <bstinson> closing in 1 minute
c3b3e1
14:05:44 <kbsingh> mattymo: still waiting for you guys to actually start doing some contributing and things into CentOS
c3b3e1
14:06:19 <bstinson> #info Next Meeting: Monday 29-Sept, 13:00 UTC
c3b3e1
14:06:35 <bstinson> thanks everyone!
c3b3e1
14:06:40 <MerlinTHP> Cheers!
c3b3e1
14:06:41 <gwd> alphacc: I'm trying to build ipxe into an actual repo, so that I can then try building xen (which depends on ipxe).
c3b3e1
14:06:50 <quaid> nice meeting, thx
c3b3e1
14:06:55 <bstinson> #endmeeting