2020-08-07T02:48:58  *** okurz_ is now known as okurz
2020-08-07T06:40:01  <pjessen> goodmorning
2020-08-07T06:41:00  <pjessen> we seem to have a problem with freeipa - no vpn, no progress, no bugzilla etc
2020-08-07T06:41:26  <pjessen> see stasiek ticket 69673
2020-08-07T07:10:54  <lcp> pjessen: hm, bugzilla and progress should work, the account system managing those shouldn't be related
2020-08-07T07:11:08  <lcp> but yeah, freeipa is very dead atm
2020-08-07T07:12:08  <pjessen> lcp: i cant login to porogress
2020-08-07T07:12:22  <pjessen> lcp: didnt' try logging in to bugzilla
2020-08-07T07:13:06  <lcp> I just tried and progress login works
2020-08-07T07:13:32  <pjessen> lcp: wait - I thought progress.o.o and the vpn passwd were the same?
2020-08-07T07:14:02  <pjessen> okay, I guess they're not, I can also login to progress now.
2020-08-07T07:14:29  <lcp> yeah, there are very few services using freeipa login
2020-08-07T07:14:51  <pjessen> lcp: got it
2020-08-07T07:15:00  <lcp> that means we are locked out of very few things as it's down, but this might be problematic when freeipa backs the auth system as a whole
2020-08-07T07:15:18  <lcp> eh, it's a shame I got locked out of vpn :/
2020-08-07T07:15:34  <pjessen> yup. you gotta be more careful when you're fiddling with it in the middle of the night :-)
2020-08-07T07:16:23  <lcp> well, better the middle of the night than the middle of the weekend
2020-08-07T07:17:21  <lcp> but I took all of the precautions I could, I couldn't do much about the vpn thing exactly
2020-08-07T07:18:15  <pjessen> lcp: yeah, shit happens.  lesson learned.
2020-08-07T07:19:51  <lcp> I'm not sure what the lesson is tbh, be faster before vpn inevitably just logs you out because the service you were working on was required for vpn to stay connected?
2020-08-07T07:20:04  <lcp> sounds about right
2020-08-07T07:32:33  <pjessen> lcp: i wud say it's about being careful and knowing the risks. better doing it on a monday morning and have someone in nuernberg ready
2020-08-07T07:34:14  <lethliel> +
2020-08-07T07:34:40  <lethliel> oops. wrong window.
2020-08-07T08:01:39  <pjessen> heh, eisbaerli ?
2020-08-07T08:57:25  <lethliel> I am on freeipa now and start debugging
2020-08-07T09:06:21  <lethliel> lcp why do we need a new f26 machine to restore the backup?
2020-08-07T09:08:52  <lethliel> Or would it just possible to downgrade freeipa again?
2020-08-07T09:29:09  <lethliel> lcp when did you start the migration exactly?
2020-08-07T09:35:57  <lethliel> We are restoring and old netapp snapshot right now
2020-08-07T09:52:58  <lethliel> freeipa back again
2020-08-07T09:53:26  <lethliel> vpn working
2020-08-07T10:13:18  <pjessen> lethliel: cool!
2020-08-07T10:40:15  <lethliel> kl_eisbaer was involved too ;-)
2020-08-07T12:17:42  <lethliel> lcp: I attached the old lun to freeipa and mounted it to /mnt/freeipa_broken
2020-08-07T12:48:11  <deneb_alpha> lcp, I'm a bit lost with nicknames for the new project on progress. could you please help me? I'm missing someone from the list we discussed yesterday but I can't find all the nicknames :(
2020-08-07T13:10:01  <pjessen> deneb_alpha: who are you missing?
2020-08-07T13:10:13  <pjessen> I counted 10 participants
2020-08-07T13:14:10  <deneb_alpha> pjessen, ngompa for example
2020-08-07T13:16:44  <deneb_alpha> pjessen, we are 8 users in the new project
2020-08-07T13:17:48  <deneb_alpha> pjessen, btw we are all managers. feel free to  add missing admins if you can spot something
2020-08-07T13:18:29  <deneb_alpha> King_InuYasha, I can't find your nickname for progress :(
2020-08-07T13:18:35  <King_InuYasha> Pharaoh_Atem
2020-08-07T13:18:43  <deneb_alpha> ok...
2020-08-07T13:18:45  <deneb_alpha> thanks
2020-08-07T13:22:06  <pjessen> ah, the guy from indonesia I think - esti ?
2020-08-07T13:22:28  <pjessen> et
2020-08-07T13:22:28  <deneb_alpha> pjessen, I added him. I was mistyping his nickname
2020-08-07T13:22:43  <deneb_alpha> should be fine now. we are 10 in the group.
2020-08-07T13:22:56  <pjessen> deneb_alpha:  yep, I see him now. yup, 10.
2020-08-07T13:23:06  <deneb_alpha> I also migrated the tasks to the new project.
2020-08-07T13:23:25  <pjessen> yep, i see that too. cool
2020-08-07T13:24:02  <deneb_alpha> pjessen, I was looking also at the queue in admin project. not sure if could make sense to migrate to the new project also the notification of forum spam. what's your take?
2020-08-07T13:27:03  <pjessen> deneb_alpha: good question. 1st thought - no.  There are too many, and they keep coming.
2020-08-07T13:27:34  <pjessen> also, they are not really gdpr requests, just internal tidy up
2020-08-07T13:28:57  <deneb_alpha> pjessen, yep. similar idea. I remember that for banning etc we should keep a kind of record but better to ask to Ciaran
2020-08-07T13:29:11  <deneb_alpha> it's what was confusing me
2020-08-07T14:07:08  <robin_listas> Just to mention that on the connect platform (which should be removed when we can do it) we are constantly banning people. No records, no messages. Just do it.
2020-08-07T14:08:39  <darix> ban all the people
2020-08-07T14:09:07  <pjessen> darix: :-)
2020-08-07T14:17:49  <darix> btw: just to throw in a crazy idea
2020-08-07T14:18:00  <darix> one could drop mailinglists in favor of mailinglist mode in discourse
2020-08-07T14:18:14  <darix> at least for the user focused mailinglists
2020-08-07T14:18:41  <darix> advantages: a) free archive. b) people can easily resume old threads from the archive
2020-08-07T14:19:00  <darix> and you have just one place for discussions
2020-08-07T14:19:13  <darix> people who want emails can set that up in discourse and reply via emails
2020-08-07T14:19:14  <darix> (:
2020-08-07T14:19:16  <darix> so
2020-08-07T14:19:28  <darix> now it is time to prepare lunch
2020-08-07T14:36:33  <lcp> lethliel: whoops, sorry, I was out the whole day, so I couldn't be of any help
2020-08-07T14:37:08  <darix> lcp: I dont think you could have done anything anyway without getting the volume attached :)
2020-08-07T14:37:26  <lcp> well, good to know tbh
2020-08-07T14:43:24  <lethliel> lcp The troubleshooting guide you provided did not help in this case as the first command failed already-
2020-08-07T14:43:43  <lethliel> So we decided to roll back to get VPN working again
2020-08-07T14:43:53  * darix stares lethliel 
2020-08-07T14:44:22  <lethliel> what?
2020-08-07T14:44:53  * lethliel stares back
2020-08-07T14:46:16  <lcp> I did have issues with CA overall, and I don't really understand why
2020-08-07T14:46:49  <lcp> migrating CA doesn't work, upgrading CA doesn't work
2020-08-07T14:47:13  <lcp> CA might need to stay on fedora 25 forever >:D
2020-08-07T14:47:26  <lcp> or 26, it's the same freeipa version
2020-08-07T14:47:44  <darix> we can also migrate the internal CA to cfssl or step-ca
2020-08-07T14:47:55  <darix> i can show you and the team those tools if you are interested
2020-08-07T14:48:32  <lcp> yeah, I'm not against looking around, but having that under a single umbrella makes it easier
2020-08-07T14:48:47  <lcp> but I would love to hear about it at some point when I'm not doing other stuff ;)
2020-08-07T14:48:48  <darix> step-ca would give you ACME protocol support
2020-08-07T14:49:04  <darix> which means you could automate the cert roll out :)
2020-08-07T14:49:17  <lethliel> But you could test on freeipa2?
2020-08-07T14:49:34  <darix> and there is home:darix:apps/step-ca
2020-08-07T14:49:43  <darix> and a container for it too :)
2020-08-07T14:49:54  <lcp> yeah, the issue is that freeipa migrates fine to freeipa2 just fine, as long as you don't migrate ca lethliel
2020-08-07T14:50:17  <lcp> too many fines >:D
2020-08-07T14:50:31  * darix fines lcp €5 for using weird words
2020-08-07T14:50:47  <lethliel> Ah ok. So the ca is the problem here. Sorry for the questions. I am totally not into freeipa and CAs
2020-08-07T14:57:57  <lcp> lethliel: I have to think what to do about it, I might just redo ca server from scratch and have all of the vms re-request the certs, which isn't that many vms for that matter
2020-08-07T14:58:23  <darix> lcp: are you actually using the freeipa way of distributing certs?
2020-08-07T14:58:31  <darix> or are they rolled out manually?
2020-08-07T14:59:37  <lcp> I don't manage any vm that requires a cert, so that would be a question to gitlab admins for example
2020-08-07T15:00:10  <darix> there it was manually
2020-08-07T15:00:12  <darix> if i recall correctly
2020-08-07T15:00:24  <lcp> we might not be using it yet, because nothing pki related is packaged in openSUSE, which I have been slowly doing for the sake of freeipa on openSUSE
2020-08-07T15:00:41  <darix> what do you mean with pki related?
2020-08-07T15:00:52  <lcp> tomcat related
2020-08-07T15:00:56  <darix> ah
2020-08-07T15:01:43  <darix> that's why I started looking into cfssl and later smallstep ... i did not want to have to maintain a whole java stack for my VM :)
2020-08-07T15:01:52  <darix> both are in golang^^
2020-08-07T15:02:00  <darix> s/VM/CA/
2020-08-07T15:09:34  <lcp> well, I would say if we do freeipa, it doesn't really make any sense to not maintain the whole java stack (and since there is a lot of interest in freeipa on openSUSE distros in general from outsiders)
2020-08-07T15:10:16  <lcp> I know Lubos said he was hopeful this can be a thing for Leap 16, so I'm working towards it