2020-03-03T03:07:26 *** okurz_ is now known as okurz
2020-03-03T04:11:46 *** okurz_ is now known as okurz
2020-03-03T10:18:55 -heroes-bot- PROBLEM: PSQL locks on mirrordb1.infra.opensuse.org - POSTGRES_LOCKS CRITICAL: DB postgres total locks: 60 ; See https://monitor.opensuse.org/icinga/cgi-bin/extinfo.cgi?type=2&host=mirrordb1.infra.opensuse.org&service=PSQL%20locks
2020-03-03T11:38:55 -heroes-bot- RECOVERY: PSQL locks on mirrordb1.infra.opensuse.org - POSTGRES_LOCKS OK: DB postgres total=40 ; See https://monitor.opensuse.org/icinga/cgi-bin/extinfo.cgi?type=2&host=mirrordb1.infra.opensuse.org&service=PSQL%20locks
2020-03-03T12:18:55 -heroes-bot- PROBLEM: PSQL locks on mirrordb1.infra.opensuse.org - POSTGRES_LOCKS CRITICAL: DB postgres total locks: 52 ; See https://monitor.opensuse.org/icinga/cgi-bin/extinfo.cgi?type=2&host=mirrordb1.infra.opensuse.org&service=PSQL%20locks
2020-03-03T19:00:55 Hi everybody, and welcome to the heroes meeting!
2020-03-03T19:01:11 Today we "only" have the usual topics, see https://progress.opensuse.org/issues/63172
2020-03-03T19:01:54 let me start with the usual two questions in parallel:
2020-03-03T19:02:01 a) who is here for the meeting and
2020-03-03T19:02:09 b) does someone from the community have a question?
2020-03-03T19:02:30 LCP is here
2020-03-03T19:03:33 meinereiner
2020-03-03T19:05:10 so - let's start with the status reports ;-)
2020-03-03T19:05:48 news-o-o is live, and most of the bugs are fixed
2020-03-03T19:06:09 (if not in salt, in production) ;)
2020-03-03T19:06:37 the left of jekyll stuff is waiting for their turn
2020-03-03T19:06:53 yeah, sadly we have problems with the CI at the moment :-(
2020-03-03T19:07:06 nevertheless, thanks for your work on news.o.o!
2020-03-03T19:07:34 matrix salt profile is pretty much set up, it just needs the postgres mr to be merged and the firewall/dns stuff
2020-03-03T19:08:11 there are also two branches with mailman3 and ipsilon pretty much ready, just waiting for CI to work before sending MRs
2020-03-03T19:08:33 also sounds good :-)
2020-03-03T19:08:49 in worst case, I can test locally (one more test VM doesn't really matter) and then merge the salt changes manually
2020-03-03T19:08:56 but obviously I'd prefer a working CI
2020-03-03T19:09:06 yeah
2020-03-03T19:10:32 quick report from me: as I already wrote on the ML some days ago, I did a big cleanup in the openSUSE:infrastructure repo and deleted linked packages that were only built for 15.0 or SLE 15 (without SP) - which means we got rid of more than half of the packages there
2020-03-03T19:11:56 I've also seen lots of activity from Per to clean up our mirror infrastructure
2020-03-03T19:12:09 from upstream, I did start working on freeipa on openSUSE (continuing stuff after howardg and darix) and securitas/noggin/whatever they rename it to because trademarks apparently I am waiting for Conan Kudo to package, but it has an openSUSE theme now
2020-03-03T19:12:13 and you've probably seen the mails that he's working on the forums move
2020-03-03T19:12:30 yup
2020-03-03T19:13:11 I am also wondering if for testing, we should set up a new freeipa instance or use the existing one because I can't really decide myself 😛
2020-03-03T19:14:02 better set up a new one - the risk of breaking the admin login (starting with VPN login) on the whole infrastructure is too big IMHO
2020-03-03T19:14:58 sure, so how to even begin setting up a centos/fedora vm >:D
2020-03-03T19:15:34 open a ticket and ask for that VM ;-)
2020-03-03T19:16:03 alright, you got it
2020-03-03T19:16:45 Conan Kudo: any preference for a testing server? fedora or centos
2020-03-03T19:21:28 looks like Pharaoh_Atem didn't notice your question ;-)
2020-03-03T19:21:36 * Pharaoh_Atem waves
2020-03-03T19:21:38 lcp: Fedora
2020-03-03T19:21:45 I'm doing all my work right now from Fedora
2020-03-03T19:22:16 lcp: oh wait, for FreeIPA?
2020-03-03T19:22:17 alright
2020-03-03T19:22:20 we should totally do CentOS 8
2020-03-03T19:22:22 yes
2020-03-03T19:22:30 decide >:T
2020-03-03T19:23:02 well, are we planning to run ipsilon and securitas/noggin/whatever from there?
2020-03-03T19:23:05 if so, Fedora
2020-03-03T19:23:07 if not, CentOS
2020-03-03T19:23:27 nope, we will run as much from openSUSE as possible
2020-03-03T19:23:39 even if that means getting poetry in ipsilon repo
2020-03-03T19:23:52 errgh
2020-03-03T19:23:57 at least CentOS 8 has DNF now
2020-03-03T19:24:20 also, maybe we can salt it too >:D
2020-03-03T19:24:22 * Pharaoh_Atem is amused at the thought of making more packages for EPEL for openSUSE
2020-03-03T19:25:36 lcp: we probably could use salt for it, leveraging the ansible stuff that already exists for ipa/idm
2020-03-03T19:26:02 yup, yup
2020-03-03T19:28:12 cboltz: fwiw, I was doing some firefighting for $DAYJOB, that's why I didn't notice
2020-03-03T19:28:19 I was paged at the same time this started
2020-03-03T19:28:26 no problem ;-)
2020-03-03T19:28:32 wew
2020-03-03T19:28:34 https://progress.opensuse.org/issues/64156
2020-03-03T19:28:51 I might change the title in the future because of the name changing nature >:D
2020-03-03T19:29:12 ugh, why can't I log in?
2020-03-03T19:29:38 (this uses openSUSE Login, not FreeIPA login)
2020-03-03T19:31:08 lcp: nope, no dice
2020-03-03T19:31:58 oh, you aren't even a member of admin
2020-03-03T19:32:03 welp
2020-03-03T19:32:26 maybe you got vinzv'd by anti-spam bot
2020-03-03T19:33:05 I should be able to fix that ;-) - what's your username?
2020-03-03T19:33:56 found "Pharaoh_Atem", and it was indeed blocked
2020-03-03T19:34:56 you should be able to log in again
2020-03-03T19:35:20 hello, I'm reading the backlog
2020-03-03T19:35:27 hi tampakrap
2020-03-03T19:35:53 hello
2020-03-03T19:36:49 cboltz: yep, thanks!
2020-03-03T19:36:56 cboltz: what caused that, out of curiosity?
2020-03-03T19:37:15 I'm pretty sure I was able to log in in the past
2020-03-03T19:37:41 I can only guess - maybe someone accidentally disabled your account while blocking spammers
2020-03-03T19:37:50 hello, sorry to be late
2020-03-03T19:37:50 * Pharaoh_Atem shrugs
2020-03-03T19:38:03 *reading backlogs too
2020-03-03T19:38:12 oh yeah, I also forgot, I looked through our services, most of them support openid/openid connect/saml2 when we get to switch over
2020-03-03T19:38:23 except OBS, but that was reported
2020-03-03T19:38:24 Pharaoh_Atem: I'm quite sure it wasn't intentional ;-)
2020-03-03T19:38:29 lcp: yeeey! :D
2020-03-03T19:39:11 I didn't actually go through any admin service because they already work with the existing freeipa, so I assume they work
2020-03-03T19:40:01 and then vbulletin is a thing (I really hope we replace it soonish tho)
2020-03-03T19:40:15 so in theory, MF-IT has a SAML2 addon for it
2020-03-03T19:40:30 so that should be sufficient to get it working with Ipsilon
2020-03-03T19:40:51 ah, excellent
2020-03-03T19:41:03 at least, that's what was mentioned on the ML earlier today
2020-03-03T19:41:15 at this point, that's hearsay
2020-03-03T19:41:21 alright, sounds good
2020-03-03T19:41:52 worst case, we're going to implement some kind of apache mod_auth_mellon mod_auth_openidc thing
2020-03-03T19:42:02 err mod_auth_mellon / mod_auth_openidc
2020-03-03T19:42:34 because I'm somewhat certain it respects $REMOTE_USER (that's probably how the CAS thing works for the ICS system)
2020-03-03T19:42:56 upstream vB doesn't support *any* SSO, which is a problem :(
2020-03-03T19:43:00 for what needs to be done as transition though, we need to actually develop something to move over with the accounts, which will most likely have a workflow of login into old proxy, allow to change username/password and "register" into the new login system
2020-03-03T19:43:12 that means we need to have a list of existing usernames
2020-03-03T19:43:19 for reservation
2020-03-03T19:44:18 Pharaoh_Atem: it's weird tbh, you would expect such popular software would figure that out
2020-03-03T19:44:39 I also looked at how mozilla does login for their matrix instance, they use saml with auth0
2020-03-03T19:44:46 erk
2020-03-03T19:44:58 I guess we'll SAML to Ipsilon?
2020-03-03T19:45:32 yes, but we will need to modify the saml handler to accept usernames verbatim
2020-03-03T19:45:57 because the handler does quite a bit of mangling because of some saml implementations having email for id
2020-03-03T19:46:45 right
2020-03-03T19:46:55 I think Ipsilon sends both?
2020-03-03T19:47:10 correct, and it uses usernames as uid
2020-03-03T19:47:15 yeah
2020-03-03T19:47:17 so it's 2 in 1
2020-03-03T19:47:31 that's pretty much how that's supposed to work :)
2020-03-03T19:47:46 also, speaking of SAML, how do we want to reach out to RH about their bugzilla auth enhancements?
2020-03-03T19:47:59 do we have a contact at SUSE to loop in for that conversation?
2020-03-03T19:48:21 if there is anybody from SUSE infra here, sure
2020-03-03T19:48:30 but I think we will need to get board involved
2020-03-03T19:48:37 AFAIK someone @SUSE is working on moving bugzilla from Provo to Nuremberg
2020-03-03T19:48:43 I can probably find a mail address ;-)
2020-03-03T19:48:52 cboltz: that'd be very helpful :)
2020-03-03T19:48:55 that would be VERY useful
2020-03-03T19:49:02 we should also track this on progress
2020-03-03T19:49:06 yes
2020-03-03T19:49:17 I need to see if I can dig up a contact on the RH side for rhbz
2020-03-03T19:49:44 to my knowledge, the plan is that SUSE will manage bugzilla, and share it with openSUSE, so in theory we can just lean back ;-)
2020-03-03T19:50:05 and, if anybody is curious, I decided connect will be killed right after we figure out accounts, because we can do groups in there, and we will just need to get a private mailing list for the member admins to be able to receive emails and assign people to the group in account system
2020-03-03T19:50:18 so I don't actually know what to do with the issue on progress :P
2020-03-03T19:50:27 deprecate it for a new issue?
2020-03-03T19:51:14 I guess so, a big issue for accounts or something more split?
2020-03-03T19:51:51 probably a big issue for replacing accounts
2020-03-03T19:52:04 err implementing accounts
2020-03-03T19:53:08 lcp: speaking about connect - TSP "hides" in a subdirectory of it. Do you know enough about it to move it to a new (well, already existing and idling) VM?
2020-03-03T19:53:32 I actually do, but I want to finish moving it to bs4 with new theme
2020-03-03T19:53:42 I will also make a new theme for KDE because they are using it too
2020-03-03T19:53:56 it will take me a few more days
2020-03-03T19:53:58 nice
2020-03-03T19:54:15 do we need to worry about events.o.o?
2020-03-03T19:54:30 it uses omniauth
2020-03-03T19:54:30 https://reimbursements.kde.org/
2020-03-03T19:54:41 cool, then we're set :D
2020-03-03T19:54:43 and this uses devise
2020-03-03T19:54:50 we are 😛
2020-03-03T19:54:58 ugh, and now we're not :(
2020-03-03T19:55:06 lcp: ping me when you are ready, and I'll make sure to give you enough permissions on tsp.infra.o.o ;-)
2020-03-03T19:55:21 excellent, thank you
2020-03-03T19:55:53 Pharaoh_Atem: why? there is devise openid ;)
2020-03-03T19:56:26 does it work?!
2020-03-03T19:56:39 as a sidenote - TSP currently fetches some fields (for example the realname) from the connect database, we'll need to break/drop this connection
2020-03-03T19:56:56 it is an option in the settings
2020-03-03T19:57:02 config*
2020-03-03T19:57:31 cboltz: that might be fixable with the switchover to openid
2020-03-03T19:59:12 maybe it shares some more fields - but having to re-enter those fields won't kill the TSP users ;-)
2020-03-03T19:59:45 I know the properties are shared with SAML2 and OIDC, I just don't remember how much is exported with OpenID
2020-03-03T20:01:35 FYI: the current TSP setup uses our login proxy (which results in HTTP_X_USERNAME etc. headers)
2020-03-03T20:01:54 that's using openSUSE-maintained devise-ichain
2020-03-03T20:02:08 it's easy enough to replace
2020-03-03T20:02:46 it's also easy to set up if you want to stay with it for the new VM
2020-03-03T20:03:02 yup, that's true
2020-03-03T20:03:10 (and I have to admit that I'm more familiar with it than with the other auth "stuff" you discussed today)
2020-03-03T20:06:39 oh god, the child being urgent made all of the tasks urgent, thanks redmine
2020-03-03T20:07:16 well, if that means we get everything done and fixed this week... ;-)
2020-03-03T20:07:55 if I get a freeipa vm, I might get it all deployed this month
2020-03-03T20:08:31 although, I would rather love to be done with matrix and mailman first, because those are already started and pretty far along
2020-03-03T20:10:07 and if I'm given an additional year, we might migrate to openSUSE port of FreeIPA ;)
2020-03-03T20:14:16 oh yeah, worth noting https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591
2020-03-03T20:21:25 that reminds me, I need to make the same notice for Fedora Infra
2020-03-03T20:35:28 lcp: just noticed - maybe we should redirect more feed URLs for news.o.o
2020-03-03T20:35:30 https://fr.opensuse.org/index.php?title=Portal:Tumbleweed/News&diff=0&oldid=15694
2020-03-03T20:36:10 we should do */feed/ redirect probably
2020-03-03T20:36:33 feel free to do it directly in the nginx config (and of course also mirror it to salt)
2020-03-03T20:41:10 cboltz: done
2020-03-03T20:42:28 thanks!