14:04:10 <bstinson> #startmeeting CBS/Infra
14:04:10 <centbot> Meeting started Mon Dec 15 14:04:10 2014 UTC.  The chair is bstinson. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:10 <centbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:04:23 <bstinson> #chair alphacc Arrfab kbsingh MerlinTHP
14:04:23 <centbot> Current chairs: Arrfab MerlinTHP alphacc bstinson kbsingh
14:04:31 <bstinson> #info Topic: Status Updates
14:04:36 <bstinson> #info Subtopic: Centralized Authentication
14:04:41 <bstinson> #info Subtopic: Koji/Repos
14:04:47 <bstinson> #info Subtopic: Centpkg
14:04:54 <bstinson> #info Topic: Building a package to provide the koji client config & cbs binary?
14:04:59 <bstinson> #info Topic: Open Floor
14:05:16 <imcleod> Sorry I'm late.
14:05:22 <imcleod> .hellomynameis imcleod
14:05:24 <Evolution> tsk tsk
14:05:38 <alphacc> hi imcleod
14:05:48 <imcleod> Hello alphacc
14:05:53 <bstinson> #topic Status Updates
14:06:16 <bstinson> how's central auth coming along?
14:06:37 <Evolution> MerlinTHP: you want to take this one or shall I?
14:06:50 <MerlinTHP> Well, you've been talking to some people
14:07:10 <MerlinTHP> I've not got a lot to say on MyPA, but it sounds like it might not be relevant?
14:07:38 <Evolution> so, with MerlinTHP letting $DAYJOB dictate what he does with his time... I've been trying to work directly with the IPA kids to see what we might work out
14:07:55 <MerlinTHP> $DAYJOB and Microsoft, to be fair.
14:08:04 <MerlinTHP> Damn you, Halo.
14:08:30 <Evolution> the IPA folks recommended we look at https://code.google.com/p/pwm/ for creating ldap users in IPA. they seem to feel that's an appropriate way forward.
14:08:39 <MerlinTHP> ( to be clear, I do still intend to work on MyPA, the timescales are looking unsuitable for CentOS )
14:08:51 <Evolution> I was planning to work with Arrfab this week to get some vm's up to test.
14:09:10 <alphacc> Evolution: I dug a bit and it looks good for a first iteration.
14:09:11 <Evolution> the cert portion of central auth is still tricky, as pwm only handles auth, not cert generation
14:10:01 <MerlinTHP> I've got a patch for IPA 3.3 that does the IPA side of cert stuff
14:10:17 <Evolution> I'm leaning toward the 7.1 ipa as that has 2fa auth support by default
14:10:25 <MerlinTHP> The IPA guys who looked at it didn't vomit too much
14:10:27 <Evolution> so, yubikey etc for those interested.
14:10:31 * MerlinTHP nods.
14:10:34 <MerlinTHP> Sounds like a plan
14:10:51 <bstinson> yubikey++
14:10:51 * lalatenduM is late to the meeting
14:11:44 <MerlinTHP> Evolution: oh, btw, the IPA guys tested the 2fa auth stuff with OTP codes.  They've even got android and iOS OTP apps.
14:11:54 <Arrfab> Evolution: well, the x509 part is the crucial one, so if that pwm thing only lets those people register a username, we still have to generate certs
14:11:56 <MerlinTHP> Look for "FreeOTP" in $app_store
14:12:00 <Evolution> correct. FreeOTP
14:12:04 <Evolution> yeah. it's a rh app. :-P
14:12:07 <MerlinTHP> It is.
14:12:15 * MerlinTHP has been near the code.
14:12:43 <Evolution> Arrfab: right. I'm hoping we can get MerlinTHP away from halo long enough to work on the cert bits.
14:13:50 <Evolution> that's pretty much where things stand currently.
14:13:52 <bstinson> #info Evolution is working on demoing pwm as a self-service solution for creating users in IPA
14:14:03 <Arrfab> Evolution: also verified in the default IPA web gui, and $user can't retrieve his x509 cert either, same as for FAS
14:14:23 <bstinson> #info MerlinTHP has patches upstream to IPA to start working on the X509 bits
14:14:37 <MerlinTHP> Arrfab: IPA upstream has no support for user certs
14:14:46 <MerlinTHP> Only host and service certs.
14:15:06 <Arrfab> also, letting people create their accounts is one thing, but manually creating the certs and authorizing them in all the various places is something else, so what's the real benefit of auto-registration?
14:15:22 <MerlinTHP> FAS does that.
14:16:17 <MerlinTHP> Also, account set up and password resets are boring ;)
14:16:26 <Arrfab> ok, so let me play "devil's advocate" for one minute : why do we absolutely need user self-registration ?
14:16:56 <Evolution> Arrfab: not having it sets a fairly high bar to contribution.
14:17:08 <Evolution> Arrfab: patch submission from community -> SIG for one.
14:17:27 <Arrfab> Evolution: I mean you still have to generate the certs/distribute/authorize
14:17:58 <Evolution> not really. we just need to establish sane baseline permissions.
14:19:05 <Evolution> brand new user could (for example) do scratch rpm builds in koji, and submit pull requests in git. nothing more.
14:19:24 <Arrfab> Evolution: well, MerlinTHP just said that IPA doesn't provide x509 user certs by default, so something has to be done manually, and same for auth .. so user-registration just lets random people create accounts, but an admin still has to verify all that and grant perms
14:19:35 <mikem> I guess the question is, how far can we scale without registration?
14:19:38 <MerlinTHP> It can't, but I've got a patch so that it can
14:19:59 <MerlinTHP> It's not upstream'd, because the IPA guys want to go the sub-CA route
14:20:57 <bstinson> how high is that on their priority list?
14:21:20 <MerlinTHP> They've got someone looking into it, but it requires changes to dogtag and IPA
14:22:13 <MerlinTHP> IPA as-is has a single CA (managed by dogtag), and all host and service certs are issued from that CA.
14:22:27 <MerlinTHP> Their idea is allowing IPA to create sub-CAs for different purposes.
14:22:46 <MerlinTHP> So you'd have e.g. the openvpn sub-CA, that issues certs for connecting to openvpn
14:23:10 <MerlinTHP> Not trivial to implement, so don't hold your breath, sadly :(
14:23:18 * Jeff_S here
14:23:29 <Arrfab> MerlinTHP: gotcha so your MyPA frontend was to allow user to self-register *but* also to generate x509 user certs and retrieve those
14:23:36 <MerlinTHP> yep
14:23:36 <Jeff_S> btw these meetings are crazy early for me :(
14:23:43 <Arrfab> which is something not covered at all by pwm so that one is a no-go
14:24:07 <Arrfab> Evolution: ^
14:24:33 <kbsingh> Jeff_S: CentOS meetings, helping folks around the dark side of the world wake up to a productive week
14:24:41 <Jeff_S> kbsingh: heh
14:24:56 <Jeff_S> kbsingh: wait, which one of us is the dark side? ;)
14:25:01 <MerlinTHP> Hey, mid-afternoon for me ;)
14:26:16 <Evolution> Arrfab: doesn't rule it out completely. just means we find a different way to accomplish it.
14:26:16 <kbsingh> me too, half 2 here
14:26:36 <Evolution> if we start getting into rube goldberg levels of engineering, then it's time to re-evaluate
14:27:18 <Arrfab> Evolution: well, if pwm only allows users to self-register, and we still need something like MyPA, why duplicate the tools?
14:27:28 <kbsingh> Evolution: pretty much
14:28:01 <MerlinTHP> kbsingh: it's ok, there's still the midlands between us ;)
14:28:30 <Evolution> Arrfab: because it could be possible to put into centpkg tooling, similar to fedora cert bits.
14:29:34 <kbsingh> one key thing also is : velocity. we really need something to come up in the short term, as in, very very short term that allows stuff behind it to move
14:29:42 <bstinson> it never hurts to stand up a pwm instance to see if it fits
14:29:51 <kbsingh> we can then iterate periodically and get better
14:29:52 <Evolution> so long as it's simple and documented (sorry for the D word) for the user...
14:31:23 <bstinson> good segue into the lookaside stuff. MerlinTHP, kbsingh: think we can get the script working with our manually created users for now?
14:31:45 <bstinson> and what help do you need on that?
14:31:48 <Evolution> MerlinTHP pushed a commit this weekend I think.
14:32:03 <MerlinTHP> I did
14:32:17 <MerlinTHP> The script should be suitable for our requirements for now
14:32:26 <MerlinTHP> It has the ACL stuff based on the gitblit config
14:33:03 <MerlinTHP> https://git.centos.org/tree/sig-core!cbs-tools.git/9ed232b8cdd8b565477889dcb23eefffb5bbf5d8/lookaside
14:33:06 <bstinson> woot!
14:33:18 <MerlinTHP> See, sometimes I deliver on promises!
14:33:59 <bstinson> #info MerlinTHP has a version of the lookaside upload script ready and pushed
14:34:22 <bstinson> next step is to deploy for testing?
14:34:45 <MerlinTHP> Mm
14:34:54 <MerlinTHP> kbsingh was talking about standing up a new server
14:35:32 <MerlinTHP> bstinson: can you take a look at the README?  There's a "Calling the script" section, and I want to make sure it's properly lined up with centpkg
14:36:24 <bstinson> #action bstinson will read through the Lookaside README
14:36:48 <MerlinTHP> ta, dearie
14:36:55 <bstinson> MerlinTHP: we're going to have to customize the upload method anyways so we can do whatever we need to
14:37:05 <MerlinTHP> It's not massively different
14:38:28 <bstinson> speaking of centpkg... https://git.centos.org/summary/centpkg.git
14:38:47 <bstinson> v0.4.3 and all the necessary deps are tagged into bananas7-testing
14:39:52 <bstinson> i did a little readme tweaking..but i need to get a step-by-step workflow up on a wiki page
14:40:49 <bstinson> any other status updates?
14:42:19 <bstinson> #topic Building a package to provide the koji client config & cbs binary
14:42:32 <bstinson> alphacc: you still around?
14:42:39 <alphacc> bstinson: yes
14:43:04 <alphacc> bstinson: I didn't have an update on that + signing, we need to sync with kbsingh this week.
14:43:28 <bstinson> so i took your koji srpm to use in my repoclosure
14:43:29 <alphacc> bstinson: the koji packages are ready, I saw you rebuilt them for el7
14:44:02 <bstinson> since it had the upstream configs i thought it best to leave them be and do that in a separate package http://cbs.centos.org/koji/buildinfo?buildID=247
14:44:15 <alphacc> bstinson: it just misses the koji conf change and should have all needed patches for docker cc imcleod
14:45:15 <bstinson> so centos-packager installs the config with a profile called 'cbs', and symlinks /usr/bin/cbs -> /usr/bin/koji
14:47:33 <alphacc> bstinson: ok let's evaluate and decide on the way to go this week.
14:47:33 <Arrfab> talking about koji and access : alphacc : will you generated a user/cert/config that can be used on the master internal mirror to trigger the repo gen remotely ? (if you're still interested)
14:47:45 <Arrfab> s/generated/generate/
14:48:10 <bstinson> alphacc: once centpkg is out in the repos, could that help with pulling lookaside sources on the builders?
14:49:02 <alphacc> bstinson: sorry I didn't get your question. What do you mean
14:50:52 <alphacc> Arrfab: yes, let me know the hostname for the cert
14:51:08 <bstinson> alphacc: pulling sources from the lookaside was one of the things holding up building from git.c.o right?
14:51:25 <alphacc> bstinson: ahhh that was fixed ages ago.
14:51:48 <alphacc> bstinson: both srpm and git build should work.
14:51:59 <Arrfab> bstinson: it will run on mirror.rdu2.centos.org (internal mirror known by koji, btw)
14:52:13 <Arrfab> hmm, alphacc ^
14:53:02 <bstinson> :) heh, guess i'm working from old notes
14:53:12 <bstinson> ok only a few minutes left
14:53:16 <bstinson> #topic Open Floor
14:53:22 <alphacc> Arrfab: ?
14:53:59 <Arrfab> alphacc: you asked for the hostname for the cert (repo-gen script)
14:54:35 <alphacc> I have a working tag for building i686/x86_64 with buildlogs.c.o
14:54:38 <alphacc> Arrfab: ok :)
14:54:48 <alphacc> (for c7)
14:55:19 <alphacc> I'll drop an email to -devel to discuss what we want for biarch pkgs.
14:55:58 <alphacc> #action document and discuss biarch for centos7.
14:56:39 <Arrfab> #action Arrfab to implement a trigger for koji to rebuild repo metadata in koji when it changes on the internal mirror used by koji
14:57:56 <bstinson> anything else for open floor? is this day/time still good for everyone?
14:58:03 <alphacc> nothing else on my side.
14:58:30 <MerlinTHP> nothing from me
14:58:45 <Arrfab> I don't think that there was progress on the auth side, but if that's fine for everybody, I'm fine with that too :-)
15:00:08 <bstinson> Arrfab: :)
15:00:10 <bstinson> ok, closing
15:00:13 <bstinson> thanks everyone!
15:00:25 <bstinson> #endmeeting