14:04:10 <bstinson> #startmeeting CBS/Infra
14:04:10 <centbot> Meeting started Mon Dec 15 14:04:10 2014 UTC. The chair is bstinson. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:10 <centbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:04:23 <bstinson> #chair alphacc Arrfab kbsingh MerlinTHP
14:04:23 <centbot> Current chairs: Arrfab MerlinTHP alphacc bstinson kbsingh
14:04:31 <bstinson> #info Topic: Status Updates
14:04:36 <bstinson> #info Subtopic: Centralized Authentication
14:04:41 <bstinson> #info Subtopic: Koji/Repos
14:04:47 <bstinson> #info Subtopic: Centpkg
14:04:54 <bstinson> #info Topic: Building a package to provide the koji client config & cbs binary?
14:04:59 <bstinson> #info Topic: Open Floor
14:05:16 <imcleod> Sorry I'm late.
14:05:22 <imcleod> .hellomynameis imcleod
14:05:24 <Evolution> tsk tsk
14:05:38 <alphacc> hi imcleod
14:05:48 <imcleod> Hello alphacc
14:05:53 <bstinson> #topic Status Updates
14:06:16 <bstinson> how's central auth coming along?
14:06:37 <Evolution> MerlinTHP: you want to take this one or shall I?
14:06:50 <MerlinTHP> Well, you've been talking to some people
14:07:10 <MerlinTHP> I've not got a lot to say on MyPA, but it sounds like it might not be relevant?
14:07:38 <Evolution> so, with MerlinTHP letting $DAYJOB dictate what he does with his time... I've been trying to work directly with the IPA kids to see what we might work out
14:07:55 <MerlinTHP> $DAYJOB and Microsoft, to be fair.
14:08:04 <MerlinTHP> Damn you, Halo.
14:08:30 <Evolution> the IPA folks recommended we look at https://code.google.com/p/pwm/ for creating ldap users in IPA. they seem to feel that's an appropriate way forward.
14:08:39 <MerlinTHP> ( to be clear, I do still intend to work on MyPA, the timescales are looking unsuitable for CentOS )
14:08:51 <Evolution> I was planning to work with Arrfab this week to get some vm's up to test.
14:09:10 <alphacc> Evolution: I dug a bit and it looks good for a first iteration.
14:09:11 <Evolution> the cert portion of central auth is still tricky, as pwm only handles auth, not cert generation
14:10:01 <MerlinTHP> I've got a patch for IPA 3.3 that does the IPA side of cert stuff
14:10:17 <Evolution> I'm leaning toward the 7.1 ipa as that has 2fa auth support by default
14:10:25 <MerlinTHP> The IPA guys who looked at it didn't vomit too much
14:10:27 <Evolution> so, yubikey etc for those interested.
14:10:31 * MerlinTHP nods.
14:10:34 <MerlinTHP> Sounds like a plan
14:10:51 <bstinson> yubikey++
14:10:51 * lalatenduM is late to the meeting
14:11:44 <MerlinTHP> Evolution: oh, btw, the IPA guys tested the 2fa auth stuff with OTP codes. They've even got android and iOS OTP apps.
14:11:54 <Arrfab> Evolution: well, the x509 part is the crucial one so if that pwm thing only let those people register username, we still have to generate certs
14:11:56 <MerlinTHP> Look for "FreeOTP" in $app_store
14:12:00 <Evolution> correct. FreeOTP
14:12:04 <Evolution> yeah. it's a rh app. :-P
14:12:07 <MerlinTHP> It is.
14:12:15 * MerlinTHP has been near the code.
14:12:43 <Evolution> Arrfab: right. I'm hoping we can get MerlinTHP away from halo long enough to work on the cert bits.
14:13:50 <Evolution> that's pretty much where things stand currently.
14:13:52 <bstinson> #info Evolution is working on demoing pwm as a self-service solution for creating users in IPA
14:14:03 <Arrfab> Evolution: also verified in the default IPA web gui, and $user can't retrieve his x509 cert either, same as for FAS
14:14:23 <bstinson> #info MerlinTHP has patches upstream to IPA to start working on the X509 bits
14:14:37 <MerlinTHP> Arrfab: IPA upstream has no support for user certs
14:14:46 <MerlinTHP> Only host and service certs.
14:15:06 <Arrfab> also, letting people create their accounts is one thing, but manually creating the certs and authorizing it on all various places is something else, so what's the real benefit of auto-registration ?
14:15:22 <MerlinTHP> FAS does that.
14:16:17 <MerlinTHP> Also, account set up and password resets are boring ;)
14:16:26 <Arrfab> ok, so let me play "devil's advocate" for one minute : why do we absolutely need user self-registration ?
14:16:56 <Evolution> Arrfab: not having it sets a fairly high bar to contribution.
14:17:08 <Evolution> Arrfab: patch submission from community -> SIG for one.
14:17:27 <Arrfab> Evolution: I mean you still have to generate the certs/distribute/authorize
14:17:58 <Evolution> not really. we just need to establish sane baseline permissions.
14:19:05 <Evolution> brand new user could (for example) do scratch rpm builds in koji, and submit pull requests in git. nothing more.
14:19:24 <Arrfab> Evolution: well, MerlinTHP just said that IPA doesn't provide x509 user certs by default, so something has to be manually done , and same for auth .. so user-registration just let random people create accounts , but an admin has still to verify all that and grant perms
14:19:35 <mikem> I guess the question is, how far can we scale without registration?
14:19:38 <MerlinTHP> It can't, but I've got a patch so that it can
14:19:59 <MerlinTHP> It's not upstream'd, because the IPA guys want to go the sub-CA route
14:20:57 <bstinson> how high is that on their priority list?
14:21:20 <MerlinTHP> They've got someone looking into it, but it requires changes to dogtag and IPA
14:22:13 <MerlinTHP> IPA as-is has a single CA (managed by dogtag), and all host and service certs are issued from that CA.
14:22:27 <MerlinTHP> Their idea is allowing IPA to create sub-CAs for different purposes.
14:22:46 <MerlinTHP> So you'd have e.g. the openvpn sub-CA, that issues certs for connecting to openvpn
14:23:10 <MerlinTHP> Not trivial to implement, so don't hold your breath, sadly :(
14:23:18 * Jeff_S here
14:23:29 <Arrfab> MerlinTHP: gotcha so your MyPA frontend was to allow user to self-register *but* also to generate x509 user certs and retrieve those
14:23:36 <MerlinTHP> yep
14:23:36 <Jeff_S> btw these meetings are crazy early for me :(
14:23:43 <Arrfab> which is something not covered at all by pwm so that one is a no-go
14:24:07 <Arrfab> Evolution: ^
14:24:33 <kbsingh> Jeff_S: CentOS meetings, helping folks around the dark side of the world wake up to a productive week
14:24:41 <Jeff_S> kbsingh: heh
14:24:56 <Jeff_S> kbsingh: wait, which one of us is the dark side? ;)
14:25:01 <MerlinTHP> Hey, mid-afternoon for me ;)
14:26:16 <Evolution> Arrfab: doesn't rule it out completely. just means we find a different way to accomplish it.
14:26:16 <kbsingh> me too, half 2 here
14:26:36 <Evolution> if we start getting into rube goldberg levels of engineering, then it's time to re-evaluate
14:27:18 <Arrfab> Evolution: well, if pwm only allow users to self-register, and that we still needs something like MyPA, why duplicating the tools ?
14:27:28 <kbsingh> Evolution: pretty much
14:28:01 <MerlinTHP> kbsingh: it's ok, there's still the midlands between us ;)
14:28:30 <Evolution> Arrfab: because it could be possible to put into centpkg tooling, similar to fedora cert bits.
14:29:34 <kbsingh> one key thing also is : velocity. we really need something to come up in the short term, as in, very very short term that allows stuff behind it to move
14:29:42 <bstinson> it never hurts to stand up a pwm instance to see if it fits
14:29:51 <kbsingh> we can then iterate periodically and get better
14:29:52 <Evolution> so long as it's simple and documented (sorry for the D word) for the user...
14:31:23 <bstinson> good segue into the lookaside stuff. MerlinTHP, kbsingh: think we can get the script working with our manually created users for now?
14:31:45 <bstinson> and what help do you need on that?
14:31:48 <Evolution> MerlinTHP pushed a commit this weekend I think.
14:32:03 <MerlinTHP> I did
14:32:17 <MerlinTHP> The script should be suitable for our requirements for now
14:32:26 <MerlinTHP> It has the ACL stuff based on the gitblit config
14:33:03 <MerlinTHP> https://git.centos.org/tree/sig-core!cbs-tools.git/9ed232b8cdd8b565477889dcb23eefffb5bbf5d8/lookaside
14:33:06 <bstinson> woot!
14:33:18 <MerlinTHP> See, sometimes I deliver on promises!
14:33:59 <bstinson> #info MerlinTHP has a version of the lookaside upload script ready and pushed
14:34:22 <bstinson> next step is to deploy for testing?
14:34:45 <MerlinTHP> Mm
14:34:54 <MerlinTHP> kbsingh was talking about standing up a new server
14:35:32 <MerlinTHP> bstinson: can you take a look at the README? There's a "Calling the script" section, and I want to make sure it's properly lined up with centpkg
14:36:24 <bstinson> #action bstinson will read through the Lookaside README
14:36:48 <MerlinTHP> ta, dearie
14:36:55 <bstinson> MerlinTHP: we're going to have to customize the upload method anyways so we can do whatever we need to
14:37:05 <MerlinTHP> It's not massively different
14:38:28 <bstinson> speaking of centpkg... https://git.centos.org/summary/centpkg.git
14:38:47 <bstinson> v0.4.3 and all the necessary deps are tagged into bananas7-testing
14:39:52 <bstinson> i did a little readme tweaking..but i need to get a step-by-step workflow up on a wiki page
14:40:49 <bstinson> any other status updates?
14:42:19 <bstinson> #topic Building a package to provide the koji client config & cbs binary
14:42:32 <bstinson> alphacc: you still around?
14:42:39 <alphacc> bstinson: yes
14:43:04 <alphacc> bstinson: I didn't have update on that + signing, we need to sync with kbsingh this week.
14:43:28 <bstinson> so i took your koji srpm to use in my repoclosure
14:43:29 <alphacc> bstinson: the koji packages are ready, I saw you rebuild them for el7
14:44:02 <bstinson> since it had the upstream configs i thought it best to leave them be and do that in a separate package http://cbs.centos.org/koji/buildinfo?buildID=247
14:44:15 <alphacc> bstinson: it just misses the koji conf change and should have all needed patch for docker cc imcleod
14:45:15 <bstinson> so centos-packager installs the config with a profile called 'cbs', and symlinks /usr/bin/cbs -> /usr/bin/koji
14:47:33 <alphacc> bstinson: ok let's evaluate and decide on the way to go this week.
14:47:33 <Arrfab> talking about koji and access : alphacc : will you generated a user/cert/config that can be used on the master internal mirror to trigger the repo gen remotely ? (if you're still interested)
14:47:45 <Arrfab> s/generated/generate/
14:48:10 <bstinson> alphacc: once centpkg is out in the repos, could that help with pulling lookaside sources on the builders?
14:49:02 <alphacc> bstinson: sorry I didn't get your question. What do you mean
14:50:52 <alphacc> Arrfab: yes let me know the hostname for the cert
14:51:08 <bstinson> alphacc: pulling sources from the lookaside was one of the things holding up building from git.c.o right?
14:51:25 <alphacc> bstinson: ahhh that was fixed ages ago.
14:51:48 <alphacc> bstinson: both srpm and git build should work.
14:51:59 <Arrfab> bstinson: it will run on mirror.rdu2.centos.org (internal mirror known by koji, btw)
14:52:13 <Arrfab> hmm, alphacc ^
14:53:02 <bstinson> :) heh, guess i'm working from old notes
14:53:12 <bstinson> ok only a few minutes left
14:53:16 <bstinson> #topic Open Floor
14:53:22 <alphacc> Arrfab: ?
14:53:59 <Arrfab> alphacc: you asked for the hostname for the cert (repo-gen script)
14:54:35 <alphacc> I have a working tag for building i686/x86_64 with buildlogs.c.o
14:54:38 <alphacc> Arrfab: ok :)
14:54:48 <alphacc> (for c7)
14:55:19 <alphacc> I'll drop an email to -devel to discuss what we want for biarch pkgs.
14:55:58 <alphacc> #action document and discuss biarch for centos7.
14:56:39 <Arrfab> #action Arrfab to implement a trigger for koji to rebuild repo metadata in koji when it changes on the internal mirror used by koji
14:57:56 <bstinson> anything else for open floor? is this day/time still good for everyone?
14:58:03 <alphacc> nothing else on my side.
14:58:30 <MerlinTHP> nothing from me
14:58:45 <Arrfab> I don't think that there was progress on the auth side, but if that's fine for everybody, I'm fine with that too :-)
15:00:08 <bstinson> Arrfab: :)
15:00:10 <bstinson> ok, closing
15:00:13 <bstinson> thanks everyone!
15:00:25 <bstinson> #endmeeting