
libravatar-fans team mailing list archive

Re: IRC meeting (2019-01-13)
Hello,

We finished our bi-weekly IRC meeting.
See the full log attached.
The wiki contains a summary:
 https://wiki.libravatar.org/shutdown-coordination/?updated#index2h2

Topics of the meeting:
* changes during the last two weeks
* missing things for the migration to the new instance
* DNS zone
* root access to the new instance

Our next IRC meeting will happen on the 27th of January at 19:00 UTC in
#libravatar at freenode.

Cheers,
Lars

20:02 <sumpfralle> Welcome to our bi-weekly IRC meeting!
20:02 <sumpfralle> Who is around?
20:03  * fmarier is here
20:04 <nipos> Hello, I'm here too
20:05 --> clime (~clime@xxxxxxxxxxxxxxxxxxxxxxxxxxx) has joined the channel #libravatar
20:05 <clime> hey
20:06 <clime> is there a meeting?
20:06 <nipos> Yes
20:06 <@fmarier> clime: it just started, sumpfralle is asking who's around
20:06 <clime> oh, alright, thx
20:07 <clime> i am around :)
20:07 <clime> sry for being late
20:10 <clime> sumpfralle: are you here?
20:12 <clime> fmarier, nipos: ping
20:12 <@fmarier> Looks like he might have stepped out.
20:13 <clime> okay
20:13 <nipos> I'm still here but don't know anything interesting to say
20:13 <@fmarier> clime: are you able to give an update on how the new stack is progressing?
20:13 --> tleguern (50d7c915@gateway/web/freenode/ip.80.215.201.21) has joined the channel #libravatar
20:13 <tleguern> Hello
20:13 <clime> tleguern: hi!
20:13 <tleguern> Sorry for being late
20:13  * fmarier waves at tleguern 
20:13 <clime> tleguern: np!
20:13 <@fmarier> tleguern: we're just getting started
20:13 <sumpfralle> sorry - I was distracted
20:14 <sumpfralle> What happened during the last weeks?
20:14 <clime> ye, so fmarier asked me that also
20:14 <sumpfralle> I saw that the list of critical issues went down to one: https://git.linux-kernel.at/oliver/ivatar/issues?label_name%5B%5D=critical
20:14 <clime> ofalk finished the "release" blockers we had
20:15 <clime> ye
20:15 <clime> i also need to setup postfix at the server - that should be the last thing
20:15 <clime> last thing to do before deploy
20:16 <clime> the security check - i don't know what to do about it really
20:16 <@fmarier> so we should be able to test a live instance soon?
20:16 <clime> i think, app and the servers are secure
20:16 <clime> fmarier: well, it is for testing already
20:16 <clime> libravatar.fedorainfracloud.org
20:16 <nipos> Does security check mean something like try hacking and if it doesn't work, everything's fine?
20:17 <clime> nipos: i have no idea
20:18 <sumpfralle> I guess it is more a "take a thorough look". Which is probably the right thing, given our set of knowledge.
20:18 <clime> i am not a security expert but unless there is some undiscovered bug in some of our libs that we are using (like openid), then we should be ok
20:18 <@fmarier> Well, it's missing a TLS cert :)
20:18 <clime> yes, because it's not the domain under which it will run
20:19 <nipos> The instance at https://avatars.linux-kernel.at works with TLS. Is that the same VM?
20:19 <@fmarier> Maybe we should set it up as new.libravatar.org (temporarily)
20:19 <clime> no, that's a different vm
20:20 <@fmarier> That way, you could get a letsencrypt cert for it.
20:20 <clime> ok
20:21 <clime> that will be probably be just tls cert for the subdomain, no?
20:21 <nipos> The new navigation bar at the homepage looks really ugly :( I'll try to find some time for improving it this week
20:22 <@fmarier> Yeah I'm not sure how to delegate *.new.libravatar.org to that server
20:22 <@fmarier> The other thing we could do is transfer the domain over. That way you could make all of the changes you want.
20:23 <tleguern> A wildcard CNAME can do the trick
20:23 <clime> can we do it while keeping the old libravatar.org instance working meanwhile?
20:23 <@fmarier> tleguern: how do you create it?
20:24 <clime> tleguern: i don't know that trick
20:24 <sumpfralle> wildcard certificate: dns-01 challenge with letsencrypt
20:24 <@fmarier> clime: if you only change entries under new.libravatar.org, then all of the old stuff will keep working
20:24 <clime> okay
20:24 <tleguern> fmarier: do you manage the zone yourself or do you delegate it to your registrar?
20:25 <@fmarier> I use Gandi's DNS.
20:26 <sumpfralle> whom do we want to be in control of the zone? (technically and ownership)
20:27 <nipos> In my opinion clime or ofalk should do it as they created most of the software and also control the VM. They may have best use for it.
20:29 <@fmarier> ultimately, clime is the owner of the infra, right?
20:29 <clime> well, i have setup the vm
20:29 <clime> but i'll give access to you guys as well
20:30 <clime> but you need Fedora account for that
20:30 <clime> then i can make you root there
20:30 <sumpfralle> sounds good!
20:31 <nipos> I have a Fedora account and you can give me access if you want but I'm not sure what I should use it for.
20:31 <sumpfralle> regarding control of the DNS zone: let us assume, that clime and ofalk will control it?
20:31 <sumpfralle> I will document this in the wiki.
20:31 <clime> nipos: when something has gone wrong, you can look at the server and try to debug it
20:32 <tleguern> Where does one register for a fedora account ?
20:32 <nipos> Ok, makes sense
20:32 <clime> https://admin.fedoraproject.org/accounts/
20:32 <tleguern> Thanks
20:32 <nipos> My username is nipos there, too
20:33 <clime> oh, cool, i will add you immediately then
20:33 <sumpfralle> Any comments on the proposed shift of DNS access?
20:34 <@fmarier> clime: do you have a GPG key?
20:34 <nipos> I agree that clime and ofalk should get the access as I already said ;)
20:35 <tleguern> My username is tleguern
20:35 <clime> https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=6a56766
20:35 <clime> fmarier: yes, sure, i can send it to you by email
20:37 <sumpfralle> Is there anything else (besides the certificate) to be prepared before the migration?
20:37 <sumpfralle> Can/should we do some partial replacement? Putting both instances in read-only mode and changing the DNS entry for a day? (wild ideas)
20:37 <@fmarier> clime: actually, can you put it in the repo or on the server so that I can verify that it's yours?
20:38 <tleguern> I made some updates to the API documentation on the wiki. Can someone check it?
20:38 <@fmarier> clime: i.e. I'm going to be sure I'm talking to the clime that has access to the new server :)
20:38 <clime> fmarier: ye sure, on what server
20:38 <clime> tleguern: https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=0b222fd
20:39 <@fmarier> I guess we can use http://libravatar.fedorainfracloud.org
20:39 <clime> fmarier: okay
20:39 <@fmarier> Though I'll need to get an account to ssh into it
20:39 <clime> i can make it available through http
20:39 <clime> fmarier: but if you have fas account, i can give you ssh, no problem
20:39 <clime> the same for sumpfralle
20:40 <clime> sumpfralle: the only thing left is postfix setup on my side but that I can do tomorrow at latest
20:40 <@fmarier> clime: I do, I just need to reset my password
20:40 <clime> clime: otherwise i think we are pretty much ready
20:41 <clime> tleguern, nipos: you need to put your public gpg key into fas, then i need to redeploy the machines so that you actually get access
20:41 <clime> we can probably finish this after meeting or via email
20:42 <nipos> I don't use SSH that often. Where can I get my public key and can I use the same on different clients?
20:43 <clime> well, the easiest way is ssh-keygen
20:43 <clime> that will generate it for you
20:43 <nipos> Should I set a passphrase for it?
20:43 <clime> nope
20:43 <clime> just enter
20:44 <@fmarier> clime: ok, I've added an ssh key to my FAS account: fmarier
20:44 <clime> fmarier: ok cool
20:44 <nipos> Ok, I have a key now. Will send it to you.
20:44 <nipos> Oh wait, I should add it to the account, right? How do I do that?
20:45 <tleguern> clime: I am confused, you need a gpg or ssh key ?
20:45 <nipos> Never used Fedora FAS before so I may be asking stupid questions, sorry
20:45 <clime> nipos: well rsa key i guess
20:46 <clime> so ye the ssh key, i don't have gpg key
20:46 <@fmarier> clime: let me know once I can login to libravatar.fedorainfracloud.org and collect your GPG key
20:46 <nipos> That's the answer to tleguern, right? I asked how I can upload it to FAS
20:47 <@fmarier> I'll follow up with you regarding the domain transfer
20:47 <clime> nipos: copy content of .ssh/id_rsa.pub and paste into fas
20:48 <clime> nipos: ~/.ssh/id_rsa.pub
20:48 <sumpfralle> clime: thank you. I just created "sumpfralle".
20:48 <clime> sumpfralle: cool!
20:48 <sumpfralle> It is probably a good idea to do this now instead of waiting for the emergency :)
20:48 <clime> yes
20:48 <nipos> Thanks, I already know the file. I only need to find out how this FAS thingy works
20:48 <clime> i'll add you and fmarier also
20:49 <clime> nipos: there should be an option to either upload your ssh public key or paste it into some form field
20:49 <@fmarier> it's in the profile section
20:49 <nipos> First I need to find my password
20:49 <@fmarier> If you edit your profile, you can click a button to upload the public key.
20:50 <clime> and I think you will probably also need to agree with some CLA
20:50 <clime> Contributor Level Agreement
20:50 <clime> before the access is possible
20:50 <clime> ok, i am gonna add fmarier and sumpfralle
20:51 <nipos> Found the PW, now I'll try the other things
20:52 <sumpfralle> regarding the migration to the new implementation: do we have a plan how exactly we will do this? Should we discuss it in the next meeting?
20:53 <clime> sumpfralle, fmarier: https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=7fb14385227fae6db3b85cce480f239263e85447
20:53 <clime> \o/
20:53 <sumpfralle> yeah - thank you!
20:54 <clime> sumpfralle: well, i wouldn't wait for the next meeting probably
20:54 <clime> maybe we can discuss it on the list?
20:55 <clime> i guess minimal downtime is our goal
20:55 <sumpfralle> I would also like a non-final switch (i.e. we can notice one day later that things are not there, yet - and switch back).
20:55 <sumpfralle> ok - mailing list
20:55 <@fmarier> clime: so how do I log into the box?
20:55 <sumpfralle> clime: would you propose it there for discussion?
20:55 <@fmarier> ssh fmarier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx?
20:56 <clime> ye btw. i will verify your fas nicks against your emails
20:56 <nipos> My SSH key should be online now
20:56 <clime> but i can do it afterwards
20:56 <clime> nipos: cool!
20:56 <@fmarier> clime: it's not working
20:56 <clime> fmarier: just use root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
20:56 <clime> fmarier: i also need to redeploy the machines
20:57 <clime> i mean "reprovision"
20:57 <clime> = rerun the playbooks
20:58 <clime> ye, i ran the playbook for libravatar-stg, i'll let you know when it is finished
20:58 <tleguern> I asked a friend who was involved in security jobs to take a look at the current code. I am not sure if he will do anything though, but don't worry if you have weird results in your logs @clime.
20:59 <clime> tleguern: nice!
20:59 <clime> thank you
20:59 <tleguern> I also added my ssh key to my fedora account.
20:59 <sumpfralle> I think we are finished for now? Or do you have other topics?
20:59 <clime> tleguern: cool, thank you
21:00 <nipos> Anyone of the new root users should try if the access works before closing the meeting
21:00 <nipos> For me it doesn't work right now but it still needs some time, right?
21:00 <clime> yup
21:01 <clime> the playbook will run for some time
21:01 <clime> also not sure if your CLA is yet confirmed
21:02 <nipos> I think it is. I immediately got an email confirming it
21:02 <clime> sumpfralle: cool
21:03 <sumpfralle> clime: I guess you can see whether our ssh keys are added to /root/.ssh/authorized_keys on the host?
21:03 <clime> ye, the playbook finished running
21:03 <clime> i can see, some of your keys has been added
21:03 <clime> so you can try ssh root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
21:04 <clime> i have launched playbook for the "production" instance so you should be able to log in too in about five minutes
21:04 <nipos> It works
21:05 <sumpfralle> same for me
21:05 <sumpfralle> great
21:06 <tleguern> It works
21:06 <clime> cool
21:06 <clime> it should start working for libravatar instance too shortly
21:06 <@fmarier> clime: ok, i'm in. you can put your gpg key in there
21:06 <clime> fmarier: okay, i've found out i need to generate one first :))
21:07 <clime> so i'll probably do it after the meeting
21:07 <@fmarier> ok, no worries. Just email me once it's ready. We can then figure out how to transfer the domains.
21:07 <@fmarier> There's actually two: libravatar.org and libravatar.com
21:07 <clime> fmarier: alright, cool!
21:08 <clime> okay
21:08 <@fmarier> The second one isn't used but I grabbed both at the same time to prevent typosquatters from getting it.
21:08 <clime> :)
21:08 <clime> good idea
21:09 <clime> so we just need to figure out how to do the transfer painlessly with regards to the tls certs
21:09 <clime> so maybe post the idea to the list where we can further discuss it?
21:09 <nipos> Maybe we should redirect libravatar.com to libravatar.org?
21:09 <sumpfralle> list: sounds good to me
21:09 <@fmarier> this is how I've done it in the past: https://feeding.cloud.geek.nz/posts/server-migration-plan/
21:11 <clime> ok, so maybe we can adapt it
21:12 <@fmarier> I found it's really helpful to have a written plan before beginning the migration.
21:12 <@fmarier> It's so easy to forget things.
21:12 <tleguern> You are totally right :)
21:14 <sumpfralle> clime: who is able to add new root users to the host? (just what you did now)
21:14 <sumpfralle> I am documenting this in the wiki.
21:15 <clime> sumpfralle: atm only me
21:15 <sumpfralle> ok
21:15 <clime> you would need to become Fedora sysadmin for it
21:15 <sumpfralle> no problem
21:15 <clime> or sysadmin-libravatar
21:15 <sumpfralle> we just need to know it :)
21:15 <clime> sumpfralle: well sysadmins can push to ansible if i remember correctly
21:16 <clime> you need sysadmin-libravatar to be able to actually provision the machine with the updated playbook
21:17 <clime> maybe you can locate the sysadmin-libravatar in FAS
21:17 <clime> i need to have a look
21:17 <sumpfralle> clime: it would certainly be nice if you could document this model (or just mention links to the relevant documentation for the Fedora infrastructure) somewhere in the libravatar wiki.
21:17 <sumpfralle> "model": how to maintain the VM
21:18 <clime> yes, it's there: sysadmin-libravatar
21:18 <clime> sumpfralle: sure
21:18 <clime> will do it
21:18 <sumpfralle> great
21:19 <nipos> Found the group but can't join, it's invite only
21:21 <clime> nipos: ye well, you can also make a patch which i can deploy for you at the beginning
21:21 <sumpfralle> I think we are done for this meeting? (even though you shall not stop communicating ...)
21:23 <tleguern> I think too
21:23 <clime> nipos: patch to https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/libravatar
21:23 <clime> but if you want privs to run the playbooks, it can be probably done somehow
21:23 <clime> sumpfralle: ye, don't have anything else too
21:23 <nipos> No, it's not important for me.
21:24 <nipos> I thought the access to the libravatar group is also something everyone here gets. It's ok for me if only you have access
21:24 <sumpfralle> Good - so have a refreshing evening!
21:24 <tleguern> Good evening everyone
21:24 <clime> ok, good night
21:25 <nipos> Good night
21:26 <clime> nipos: i will have a look if i can add you, i am now not sure if being Fedora sysadmin is a prerequisite for it or not
21:27 <clime> nipos: will let you know
21:27 <nipos> Ok thanks
21:27 <clime> bb