Attachment 'sysadmin.txt'

   1 * Now talking in #sysadmin
   2 * The topic for #sysadmin is: the topic was lost
   3 * The topic for #sysadmin was set by bkor at Thu Jun  4 21:05:35 2009
   4 <sri> howdy
   5 <Jc2k> hey
   6 <csenger> hi all
   7 <sri> meeting in 10 minutes?
   8 <pcutler> yessir
   9 <sri> vvvery good.
  10 * sri will sysadmin at work till then :D
  11 * sri is playing around with hadoop
  12 * behdad (~behdad@ip-209-167-232-100-yyz.redhat.com) has joined #sysadmin
  13 <Jc2k> sri: ooh shiny shiny
  14 <Jc2k> im making tea and updating the wiki so it looks like i have a plan for this meeting
  15 <Jc2k> ok 19.00 BST, 18.00 UTC. is everybody here?
  16 <Jc2k> alexos is missing..
  17 * mneptok is present ... at least physically
  18 <Jc2k> excellent
  19 <pcutler> here
  20 <sri> yep
  21 <Jc2k> SEJeff: ready?
  22 <Jc2k> leonko, csenger, are you guys here for the meeting :)?
  23 <csenger> csenger, yep, for the part about plone deployment
  24 <leonko> Jc2k, no, for watching)
  25 <csenger> Jc2k, sorry, tired ^^^
  26 <sri> pcutler: you doing minutes?
  27 <pcutler> i am
  28 <Jc2k> cool. well i guess i'll make a slow start...
  29 <SEJeff> Jc2k, In all honesty I can watch, but can not start
  30 <SEJeff> Our entire team stopped working on all projects to build a new cluster. They moved the deadline up 3 weeks
  31 <SEJeff> pcutler, I can rebuild the docbook package tonight sometime
  32 <Jc2k> SEJeff: no worries.
  33 <Jc2k> so for people watching or reading the minutes, the elders decided to form a new sysadmin team and that Codethink would provide me as an interim coordinator to put people in place and start formalising the team
  34 <Jc2k> the initial team is (in no particular order) pcutler, SEJeff, sri and penguim.
  35 <SEJeff> Jc2k, You're not going to "officially" be a member?
  36 <Jc2k> ah. good point. pcutler, SEJeff, sri, penguim and me. mneptok and owen are also members of the team time permitting.
  37 <mneptok> i'm happy to help when time permits. that hasn't been much over the past year, sadly. but i can do some accounts work here and there, and provide guidance if/when necessary.
  38 <Jc2k> this is the first of our monthly (hopefully) team meetings
  39 <Jc2k> is first friday of the month a good day for people?
  40 <pcutler> is for me, other than next month with guadec travel
  41 <sri> yeah, that should be fine.
  42 <giskard> maybe i didn't pay attention but why these people are in the team (apart you owen and mnepotek)? did you choose them or?
  43 <giskard> i mean sri pcutler SEJeff and penguim :)
  44 <mneptok> giskard: volunteers.
  45 <SEJeff> giskard, A call for volunteers was put on p.g.o
  46 <Jc2k> giskard: good question. people volunteered. we checked them out. they have vouchers (even better, vouchers in the foundation). they had experience and time.
  47 * mneptok has changed the topic to: home of the GNOME sysadmins. please use #opers for network issues. please just state the nature of the issue, and be patient ...
  48 <giskard> uh cool :) /me whines i wrote some mails to sysadmin@ without any answer i had to blog about that :)
  49 <Jc2k> when?
  50 <giskard> last time?19 march
  51 <sri> I am a sysadmin (storage engineer) I've been working on some kind of unix system since 1990.
  52 <mneptok> giskard: may we assume you are now volunteering?
  53 <Jc2k> giskard: i only recently got access to gnome-sysadmin mails, the requests i were aware of were on the gnome-infrastructure mailing list or to me personally and everyone got a mail
  54 <Jc2k> giskard: sorry you were missed out of the initial round :(
  55 <Jc2k> giskard: a few people filed RT tickets and had a similar fate - i've had RT access even less time
  56 <giskard> Jc2k: no problem i was only wondering how these people have been chosen
  57 <giskard> mneptok: i'm
  58 * muelli volunteers as well. While I certainly have experience administrating Linux machines, I don't have time the next month or so, especially due to GUADEC. But I'd happily take jobs afterwards, if there are any :)
  59 <giskard> mneptok: i will continue do account in my spare time... :)
  60 <mneptok> giskard: pull up a chair and join the meeting, then. :)
  61 <Jc2k> so what do people think about expanding the team right now? there are 7 of us if we count mneptok and owen.
  62 <SEJeff> At work we have 3 admins for thousands of machines. Gnome has how many? :)
  63 <pcutler> I don't think going from 7 to 10 is that big of a deal, all things considered
  64 <SEJeff> But we volunteer so sure
  65 * mneptok counts as .25
  66 <muelli> 7 sounds good. More people smells like more overhead.
  67 <sri> SEJeff: system stuff is kind of easy, but handling git stuff not so much.  I have no clue about that.
  68 <owen> SEJeff: well, it is number of services not number of machines really...
  69 <SEJeff> sri, ha! Easy until you try HPC or financial stuff :)
  70 <sri> (one of the reasons why I joined.. dealing with a software shop will be good experience)
  71 <SEJeff> owen, Yes, the services need a lot of love
  72 <giskard> owen: :) 
  73 <sri> SEJeff: HPC?
  74 <SEJeff> high perf computing
  75 <SEJeff> where nanosecond increases actually matter
  76 <sri> SEJeff: oh right.. that's the name of our group internally. :D
  77 * hanthana_ has quit (Read error: 104 (Connection reset by peer))
  78 <SEJeff> ha
  79 <owen> Jc2k: I don't have any strong feelings about what the team size should be. My main feeling is that it should be trackable and not fuzzy around the edges - there shouldn't be 20 people with root access, only 3 of which actually do stuff
  80 <SEJeff> *nods*
  81 <sri> owen: agreed.. root should be very limited.
  82 <Jc2k> owen: agreed
  83 <sri> owen: and we should set up sudo to do the common jobs if we need root access.
  84 <sri> most of the time, root is not required, but we can restrict access as root to certain commands.
  85 <sri> your 3 sysadmins should also be geologically distributed for coverage.
  86 <SEJeff> Lets do intros to see where everyone is at
  87 <mneptok> sri: i hope you mean "geographically," otherwise, we all have to line in coal mines.
  88 <sri> yeah, sorry, I meant geographically haha :D
  89 <mneptok> *live
  90 <Jc2k> (so i'd be open to allowing giskard and muelli join the team because they have most of the powers already)
  91 * sri will volunteer to work from a volcano.
  92 <SEJeff> +1 for muelli 
  93 <SEJeff> He seems pretty intent on fixing the AccountTeam to be more responsive
  94 <Jc2k> i live in sheffield, england. this morning it was sunny and i got a bit of a tan, and now its raining
  95 <SEJeff> At least for foundation stuff
  96 <sri> nothing like a man with a mission
  97 <Jc2k> there are no coal mines, any more
  98 <SEJeff> cl0b
  99 <mneptok> i need to move along to Monty Program tasks soon (he signs the paycheck). but i would *strongly* encourage people not to work on tasks/services/platforms with which they are not 100% comfortable. this is why i have not done ANY LDAP work for GNOME.
 100 <SEJeff> gah! connserver shortcut for a sysrq b is CTRL ecl0b
 101 <giskard> uhm, i guess we have to list all the services hosted by gnome and then maybe point people on the are they want to help
 102 <mneptok> i'm sort of referring to Christian's e-mail from yesterday about putting RT comments on spam tickets.
 103 <mneptok> that's just a Bad Idea(tm), and is self-evident to anyone that is familiar with RT,
 104 <mneptok> if you need a RT tutorial, just ask.
 105 <Jc2k> well, thats partly my fault. ive still got to add them to the gnome-sysadmin mailing list so they get the joyous RT spam
 106 <mneptok> do NOT comment or reply to spam tickets. just mark them deleted. and the easiest way is via the "Bulk Update" view from RT
 107 <pcutler> was probably my fault, I had been deleting them, and then fat fingered 2 of them as resolved instead
 108 <Jc2k> anyway we went off at a tangent and at a tangent and at a tangent
 109 <sri> I need to run guys.. (I could only stay for 30 minutes)  Jc2k can explain my XP.
 110 <pcutler> later sri
 111 <giskard> ciao sri
 112 <Jc2k> rather than going over every service right now i was going to talk about some short term targets and ask who felt comfortable with them
 113 <Jc2k> sri: ciao
 114 <Jc2k> so responding to RT tickets is mostly going to be simple stuff that specific to GNOME infrastructure we all need to get used to and probably not worth talking about
 115 <Jc2k> id ask if anyone had problems but i think only pcutler and 1/2 of SEJeff are available... :)
 116 <SEJeff> I'm good
 117 <SEJeff> Just doing 3 things at once
 118 <Jc2k> ok :)
 119 <Jc2k> so some tasks
 120 * claude (~claude@222-198.104-92.cust.bluewin.ch) has joined #sysadmin
 121 <Jc2k> there were some simple requests fredp made on the gnome-infrastructure list
 122 <Jc2k> they are varied but bite sized
 123 <SEJeff> I can rebuild a newer copy of the docbook-xsl for window
 124 <SEJeff> Responding now
 125 <Jc2k> cool.
 126 <Jc2k> pcutler: do you want to look into what needs to happen for http://mail.gnome.org/archives/gnome-infrastructure/2009-May/msg00051.html ?
 127 <pcutler> sure
 128 <Jc2k> owen is probably your friend, but i think it means finding friends on RH sysadmin team
 129 <giskard> who are they ? 
 130 <owen> Any changes to firewall rules should go to me
 131 <owen> And I'll file a ticket in RH IT
 132 <pcutler> darn, that was easy
 133 <Jc2k> lol
 134 <Jc2k> go pcutler 
 135 <pcutler> owen: do you want me to forward you the email?
 136 <owen> So, does the sysadmin team want port 9070 open to the world?
 137 <owen> (having Red Hat IT open it to the world and firewalling in iptables on the systeam is another option if the buildbot security isn't sufficient)
 138 <owen> pcutler: I might as well do it now, if there's sufficient information to make the request
 139 <Jc2k> have RH IT open it to the world and firewall it locally
 140 <owen> pcutler: Otherwise, send me a mail when you have things sorted out
 141 <Jc2k> pcutler: i guess speak to fredp about how many more changes are expected
 142 <pcutler> will do
 143 <Jc2k> owen: is there any other route if you were unavailable? pretty sure olav had a direct line
 144 <owen> Jc2k: In an emergency, if I'm not around, contact jrb, and failing that any other Red Hat desktop team member
 145 <Jc2k> ok, good to know
 146 <owen> Jc2k: mgalgoci used to be somewhat involved, but is pretty much out of the loop now, and requests that go to him are much more likely to get lost than things that get filed into the Red Hat IT ticket system
 147 <Jc2k> ah, also good to know :)
 148 <Jc2k> right. damned lies. i forgot to put this on agenda.
 149 <Jc2k> web app that can (wants to) poke git
 150 <owen> pcutler: OK, so you are going to check with fredp about a) number of more changes expected b) what level of security is provided by buildbot itself ?
 151 <pcutler> owen: yes
 152 <pcutler> and then I will email you
 153 <Jc2k> owen: how do you feel about DL being able to push translations straight into git?
 154 <owen> pcutler: (my take is that there's no point in having port filtering at the Red Hat level, if there's already some sort of auth in buildbot, or if the damage is minimal if evildoers get access to the port, but if we are really relying on it for the only security, then belt-and-suspenders is probably good)
 155 <Jc2k> i think i'd be OK with it with a hook to make sure it is only translations that get pushed
 156 <Jc2k> owen,pcutler: from what i remember its got username/password for each slave but its in the clear, no ssl or anything
 157 <owen> Jc2k: I'd agree. Without the hook, I'm not comfortable with it at all. With the hook, I'm sort of comfortable with it.
 158 <mneptok> is there a set number of IP address(es) that will be pushing into 9070?
 159 <claude> that would be great for a number of l10n coordinators
 160 <Jc2k> mneptok: the plan is to grow the number of build slaves but its gonna be happening somewhat erratically.
 161 <mneptok> Jc2k: limiting connections by IP address or range in iptables would be nice
 162 <Jc2k> mneptok: i agree
 163 <owen> Jc2k: if that's the case, sounds like filtering at our level is good enough for that, but anyways, we can let pcutler check with fredp for details
 164 <Jc2k> yep
 165 <pcutler> will do
 166 <owen> Jc2k: if you can find someone else to write the hook, I can review it. Don't want to take the task myself though.
 167 <Jc2k> owen: ok so sri wants to learn more about the git side of sysadmin - i'd like to have him have a stab at the git hook and then we'll review it
 168 <Jc2k> sound ok?
 169 <owen> Jc2k: sure
 170 <claude> the hook should be similar to the existing one with po files (msgfmt check)
 171 <owen> Jc2k: Should mostly be picking and combining pieces of checks already there
 172 <Jc2k> yes
 173 <Jc2k> ok. next thing. test plone instance for the new www.gnome.org
 174 <pcutler> http://live.gnome.org/GnomeWeb/Plone/Deployment
 175 <Jc2k> csenger: is here to talk about this
 176 <Jc2k> we've already decided to deploy it on socket so we dont disrupt anything important
 177 * diegoe (~diego@190.232.188.245) has joined #sysadmin
 178 <owen> (Also needs a little thought to auth. Presumably it would be committing from a no-passphrase ssh key on progress.gnome.org. Is there a point in IP limiting the authorized key? Doesn't really help much if damned-lies is compromised)
 179 <Jc2k> owen: (i think im happy with a no-passphrase ssh key, and no ip limiting)
 180 <pcutler> just in case csenger isn't here, he's on the CMS team, I'm on the Content team for the wgo revamp
 181 <pcutler> lucas put together our milestones here:  http://live.gnome.org/TwoPointTwentyseven
 182 <claude> owen: it doesn't hurt either
 183 <pcutler> darn, wrong link
 184 <csenger> I'm here
 185 <Jc2k> i guess if debian still has broken ssh keys it helps :]
 186 <owen> claude: well, it would require create-auth modifications, so it hurts in that way
 187 <pcutler> http://live.gnome.org/GnomeWeb/TwoPointTwentyseven
 188 <claude> owen: yes, i'd like to say that it doesn't hurt to check ip
 189 <SEJeff> owen, Can't we just ssh triggers?
 190 <owen> SEJeff: Not sure I understand. The request here is to be able to have a web interface for editing translations
 191 <owen> SEJeff: so damned-lies would no longer just be statistics, but would need to actively push changes into modules
 192 <Jc2k> so we dont really have any plone experts on board right now. i'd like to throw pcutler to csenger
 193 <SEJeff> no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="git commit -a -m 'auto-checkin for translations'" ssh-dss AAAA...
 194 <SEJeff> You can limit certain keys to run certain commands. So when that key logs in, sshd will ignore what the user tries to do and only run what is in authorized_keys
 195 <Jc2k> SEJeff: thats already the case
 196 <owen> SEJeff: Yes. Sure.That's how git.gnome.org is locked down.
 197 <pcutler> I'm open to that, but I'm also probably the least experienced sysadmin person, and will probably need some help
 198 <Jc2k> SEJeff: the worry is that damn lies could inject bad code into our git modules if damned lies is hacked
 199 <Jc2k> or make autogen.sh do bad things etc etc
 200 <SEJeff> Right, so we quasi-mitigate that with a git hook
 201 <SEJeff> At least that is the thought, right?
 202 <Jc2k> yes
 203 <SEJeff> Seems bad, surely there is a better way
 204 <Jc2k> its an increasing effort for diminishing levels of protection. we could have damned lies e-mail gpg signed patches and git a-m them, but thats not really any better.
 205 <SEJeff> What will d-l be committing, translations?
 206 <Jc2k> yep
 207 <Jc2k> i think people with ordinary git access pose more threat than damned-lies with the translations-only pre- hook.
 208 <claude> Jc2k: +1
 209 <SEJeff> Could we setup something clever with git-tag and signed commits?
 210 <SEJeff> But in the end, you're right Jc2k 
 211 <Jc2k> i think the hook is the most stable and clean option we have right now.
 212 <SEJeff> Right
 213 <claude> i thought we reached an agreement here, but if someone has better ideas, i'm always open, feel free to discuss on ML
 214 * owen has quit (Leaving)
 215 <Jc2k> the more dancing and hand waving we do, the more attack vectors we introduce. so. sri can implement a hook and i'll review it and then owen has final say
 216 * owen (~otaylor@lan-nat-pool-bos.redhat.com) has joined #sysadmin
 217 * root gives channel operator status to owen
 218 <Jc2k> so, consensus and back to csenger, pcutler and plone.
 219 <Jc2k> so as pcutler said, he's the least experienced but as this is on socket and a test instance i think its a great chance for him to own something
 220 <SEJeff> Zope is a beast unto itself
 221 <Jc2k> with help in here from all of us.
 222 <pcutler> sounds good, we have some of it documented, and listening to csenger and jens they have some experience with this as well
 223 <csenger> Jc2k, pcutler, deploying a plone installation is quite simple as it's automated (zc.buildout).
 224 <Jc2k> my old company knows a thing or 2 about plone if we get stuck, too
 225 <csenger> Even Zope is pulled in and compiled
 226 <SEJeff> csenger, Is it possible to have it pull down exact versions of zope and deps? To keep from the problems like with gem madness
 227 <csenger> The only (odd) dependency is python 2.4.4+
 228 <Jc2k> csenger: i think that upset the security guy at my old firm because he likes things packaged and wants nagios alerts for security updates
 229 <owen> pcutler/csenger: Make sure you think about backup, that was an issue with Zope 10 years ago when we used it for news.gnome.org
 230 <pcutler> will do
 231 <SEJeff> owen, I've got a tool from zenoss for that
 232 <csenger> SEJeff, dependencies are pinned with versions and separated from the system's python environment
 233 <owen> Backup (for the Red Hat machines) is done by rsync'ing to a machine that is then tape backed up, so basically there needs to be some file(s) somewhere in a consistent state that can be rsync'ed, and we can exclude other files from the rsync as necessary
 234 <SEJeff> csenger, perfect
 235 <csenger> owen, we can work out a backup mechanism depending on gnome's backup system
 236 <giskard> Jc2k: afaik you spoke about adding features to what is atm in production, but what about other stuff?
 237 <owen> (socket is different, don't know the backup details there, if the socket location isn't temporary, someone will have to track down a canonical sysadmin about the details)
 238 <csenger> Are you comfortable with an installation that isn't managed by the distributions package management?
 239 <Jc2k> giskard: i dont understand your question
 240 <SEJeff> csenger, I would prefer not but it doesn't look like thats possible with zope
 241 <giskard> Jc2k: plone git zope git hooks, but what about bugzilla mysql ldap mailman (-> searchable public archives...(
 242 <giskard> )
 243 <csenger> SEJeff, there are no usable distribution managed packages. I know some guys that build rpm's, but use buildout directly myself
 244 <SEJeff> zope upstream does not play well with others. It isn't an option for zope really
 245 <SEJeff> So we'll deal with getting the right deps and whatnot for it
 246 <Jc2k> giskard: im concentrating on short term goals or we'll be here forever. existing services arent going anywhere and we've got more time but e.g. people want the plone test instance running in 2 weeks
 247 <Jc2k> giskard: new things are also a good way to get our feet wet without crippling something like bugzilla
 248 * yippi has quit (Leaving)
 249 <csenger> The dependencies are handled. The interesting areas are running updates across machines and monitoring security updates.
 250 <giskard> Jc2k: ok i see your point. i was wondering who will start getting knowledge about what the old sysadmin team did in the past years. 
 251 <SEJeff> owen, Jc2k You'd mentioned something about ldap sucking or breaking often. That needs to be fixed.
 252 <Jc2k> SEJeff: getting to that, and something i ear marked for you :]
 253 <SEJeff> csenger, Can we cheat a little bit in the same way you'd "secure" an iis webserver by fronting it with apache + mod_proxy?
 254 <pcutler> i need to take a call for work, be back in 5, semi-here
 255 <Jc2k> giskard: i want to try and have each sysadmin member with a project (a bit like a sprint) for each month. and they are where we'll slowly learn the systems inside and out
 256 <Jc2k> giskard: so pcutler doing plone stuff, sri doing the damned lies/git stuff, jeff playing with ldap
 257 <csenger> SEJeff, The setting for wgo will be something like httpd -> reverse caching proxy -> load balancer -> zope server
 258 <SEJeff> csenger, great
 259 <SEJeff> Jc2k, Sounds great. Maybe sri can teach me some git when he's a guru like owen
 260 <Jc2k> and you can teach us some ldap.. :]
 261 <SEJeff> No problem
 262 <Jc2k> SEJeff: so the low hanging fruit is the create-auth-script which has edge cases that remove access, and then we also need to get to the bottom of what breaks ldap. but we can talk about that outside of the meeting.
 263 <csenger> we need some statistical data to say something about the size of the installation. The public stats list the hits to many gnome services. We need to have numbers for the parts that will be covered by plone (mostly w.g.o stuff)
 264 <csenger> where can we get a log for only w.g.o?
 265 <Jc2k> we'll arrange for that for you. im not sure there is anything public.
 266 <owen> there is http://www.gnome.org/stats/
 267 <Jc2k> ha, well there you go
 268 <pcutler> oh yeah, stormy had a request too for a new stats package
 269 <owen> pretty crappy compared to say google analytics, but gives you some idea
 270 <Jc2k> http://mail.gnome.org/archives/gnome-infrastructure/2009-May/msg00044.html
 271 <Jc2k> piwik
 272 <pcutler> her request was for what is basically a OSS version of google analytics
 273 <pcutler> yeah, that's it
 274 <SEJeff> Jc2k, piwik is good but has had some scary security holes.
 275 <Jc2k> SEJeff: thats why i havent committed to it just yet...
 276 <csenger> owen, that combines many (all) public gnome sites including downloads, home directories etc. We need a subset of that
 277 <owen> csenger: well, it is broken out there as well
 278 <owen> So you can certainly get some idea of how many requests to the www.gnome.org frontpage etc.
 279 <owen> csenger: The sysadmin team can definitely get you raw log data as well, if you have some way you want to access it
 280 <owen> (or if you are in gnomeweb, you can get it yourself)
 281 <Jc2k> ok. so pcutler and csenger can talk offline about this and feedback about what the plan is. i'll be available for questionable input
 282 <pcutler> I'll probably have a bunch of questions  :)
 283 <Jc2k> if piwik has security holes i guess we should tell stormy that its not an option right now
 284 <Jc2k> unless its improved
 285 <pcutler> which will bring up the question of google analytics
 286 <pcutler> which I think is more of a debate about using FOSS or not
 287 <SEJeff> Yeah but what will we do then, have a "gnome gmail"?
 288 <pcutler> we want better analytics around friends of gnome specifically
 289 <SEJeff> Lets be pragmatic, not philosophical here
 290 <SEJeff> We need stats and it fills a void.
 291 <pcutler> we want to understand hits and conversion, and drive some traffic to it
 292 <giskard> Jc2k: count me for old stuff then new :) 
 293 <csenger> there was a request to host the current development test instance on wgo. How can we start with this?
 294 <pcutler> csenger: that's what I've been assigned
 295 <csenger> atm it is hosted on my server
 296 <csenger> pcutler, ah
 297 <pcutler> we're going to put the test instance on socket.gnome.org
 298 <pcutler> so you and I will be working together to get that done per lucas' timetable
 299 <csenger> pcutler, ok
 300 <Jc2k> giskard: do you want to work with penguim on getting to the bottom of the live.gnome.org/bugzilla slowness?
 301 <giskard> Jc2k:  i had some irc-onversation with bkor about bugzilla slowness
 302 <Jc2k> all i know on the matter is that at some points that box is waaaay low on memory
 303 <giskard> i can try to run some test metrics blablabla
 304 <Jc2k> pcutler, SEJeff: on piwik. the guy who suggested it was willing to host it. if we really arent ready to host it ourselves because of security issues in its past, i think him hosting it would be an option.
 305 <SEJeff> Jc2k, Absolutely
 306 <SEJeff> Sounds good to me
 307 <SEJeff> Jc2k, depending on this quarter, I'll likely be donating a new server to the foundation. To make a new db server
 308 <Jc2k> but a more concrete answer on its security would make me happier. like does it have a constant stream of security problems? are there unpatched issues.
 309 <SEJeff> So bugzilla and wiki aren't so slow
 310 <SEJeff> Probably one of the newer DL 360s
 311 <SEJeff> or 65s with nehalems
 312 <Jc2k> SEJeff: cool.
 313 * sri is back.
 314 <Jc2k> hey sri.
 315 * sri scrolls back to see what he missed.
 316 <SEJeff> tons of fun and excitement
 317 <SEJeff> So priority is plone plone plone huh?
 318 * claude is congratulating sri
 319 <Jc2k> 2 week rush
 320 <pcutler> yes, lucas is quite the stern taskmaster
 321 <SEJeff> Well it is understandable for the new website
 322 <Jc2k> ok the only other short term priority is for us to bend over backwards to help muelli get the elections stuff going :]
 323 <SEJeff> But plone needs a lot of ram, right?
 324 <SEJeff> Jc2k, Yeah he doesn't seem to have access to approve foundation members in mango
 325 <SEJeff> Would he need to be on the AccountsTeam to do that? I think so
 326 <pcutler> Jc2k: the only other thing on my to-do list at some point is to get gnomejournal fixed on blogs.gnome.org
 327 <Jc2k> SEJeff: it will be on its own on socket pretty much, and heavily proxied - afaik not much dynamic content
 328 <SEJeff> Ok good
 329 <Jc2k> SEJeff: yeah i reckon he needs account team for that
 330 <Jc2k> so
 331 <Jc2k> has everyone got a task to think about (or badger me about) apart from day to day RT tasks?
 332 <SEJeff> muelli, Check your mango
 333 <giskard> Jc2k: so you are going to re-write who is doing what or?
 334 <csenger> SEJeff, yes, the memory requirements are high, but depend a lot on the specific scenario that is not clear yet
 335 <muelli> SEJeff: No password falls out of "mango" :-\
 336 <SEJeff> How does 1 reset a mango password?
 337 <Jc2k> giskard: yes
 338 <Jc2k> SEJeff: with great pain and misery. i'll document it after the meeting.
 339 <SEJeff> Jc2k, good
 340 <Jc2k> so in summary:
 341 <Jc2k> SEJeff, ldap. (talk to me about the create-auth scripts and to owen or bkor about the problem that makes ldap fall over). giskard/penguim, bugzilla/lgo. pcutler: wgo. sri: damned lies.
 342 <Jc2k> SEJeff: if you think piwik is insecure can you put together a few paragraphs that say as much for us to send to stormy. maybe suggest other options we could deploy?
 343 <owen> Jc2k: Maybe a topic for next months meeting is the sudo/password-propagation; people may have a better sense of the tradeoffs there once they've been working within the system for a bit
 344 <Jc2k> owen: good idea
 345 <SEJeff> owen, once we fix ldap, we'll upgrade to the latest sudo and do ldap-ized sudo
 346 <pcutler> I will save the log on lgo and publish meeting minutes there as well (minutes will be done by tomorrow)
 347 <Jc2k> 2 last points before i let you guys go
 348 <Jc2k> what access rights do we still need to sort out
 349 <sri> ah, I see.. damned lies/git hook eh?
 350 <SEJeff> muelli needs access to approve foundation membership applications
 351 <Jc2k> i have access to signal and torrent now so need to give owen access there
 352 <Jc2k> SEJeff: that should work, we just need to reset his password :)
 353 <sri> I'll have to read up on git.. I'm a total newbie, Jc2k knows that I'm a bzr fan :D
 354 <muelli> yep. It's not that important right now because all members eligible to vote are processed.
 355 <sri> and looks like there is something that was already done before for hooks.  
 356 <SEJeff> Jc2k, It is surprising that you can't do that through mango. We'll have to fix that.
 357 <sri> we have a coding style template or is it just GNU coding style?
 358 <Jc2k> sri: bwahaha. ive some experience. i'll talk to you after the meeting
 359 <owen> sri: hooks are in the gitadmin-bin module in git
 360 <Jc2k> SEJeff: its certainly planned (django-mango branch)
 361 <sri> Jc2k: oh, okay.
 362 <sri> owen: thanks.
 363 <Jc2k> SEJeff: the plan was to make password resets and such self service.
 364 <sri> Jc2k: eggselent.  I can't do much until tuesday, no problems with that?
 365 * sri has a final exam on tuesday.
 366 <Jc2k> so access. i have to pass on access to signal and torrent to everyone, and i think label.
 367 <owen> sri: run-git-or-special-command in the sysadmin-bin module might also be relevant, but I don't think so offhand. (It's the wrapper that controls what can be done via ssh)
 368 <Jc2k> sri: sure, thats fine for me
 369 <Jc2k> everyone has mango access afaik
 370 <sri> I need to test mango access.
 371 <Jc2k> everyone has rt acces
 372 <Jc2k> s
 373 <sri> owen: okay, thanks.
 374 <sri> I'm going to probably spend a little time just documenting the setup, it'll help me get acquainted with the infrastructure.
 375 <Jc2k> i havent added anyone to the private gnome-sysadmin mailing list. owen described it briefly but i havent had time to think about it and press go.
 376 <muelli> I don't have access to rt tickets other than elections and foundation. But that might be no problem, as I won't have time the next month anyway.
 377 <SEJeff> Jc2k, if it is super high traffic can you not hit go just yet?
 378 <Jc2k> SEJeff: its about 20-40 emails a day?
 379 <Jc2k> im not even sure
 380 <SEJeff> Ah thats not horrible
 381 <Jc2k> muelli, giskard: if you want to join us i'll finish off your access.
 382 <giskard> Jc2k:  it would be cool.
 383 <giskard> Jc2k:  in fact now i'm totally lost about people/who are they working on. i mean who is willing to help accounts@ moderator@
 384 <sri> SEJeff: it is if you're already reading that much at work :D
 385 <giskard> because account is around 20mail week afaik, but moderator is a pain.
 386 <SEJeff> multiply that by about 2 or 5 first :)
 387 <sri> yeah, if there is a problem.
 388 <giskard> Jc2k:  RT accounts queue sent me 21 mail since the 2 of july; i have 165 mails for the moderator@ queue :) (some info about e-mail traffic)
 389 <Jc2k> i think everyone is happy to do accounts@ stuff, and have already started to some extent. im not familiar with moderator@ though.
 390 <Jc2k> but we dont want to get bogged down in stuff like that and not have time to fix the infrastructure
 391 <Jc2k> presumably we can recruit from anywhere for moderating duties?
 392 <Jc2k> its not a privileged thing, is it?
 393 <giskard> no, there is a shared password
 394 <giskard> for the list handled by moderators@
 395 <giskard> password == for the mailman interface
 396 <giskard> web*
 397 <giskard> fatalerror: know it for sure
 398 <Jc2k> ok im confused now, :)
 399 <Jc2k> you need access to moderators@? is that what your asking?
 400 <giskard> no i have my access i don't have the password here right now :)
 401 <Jc2k> ok your trying to recruit helpers?
 402 <Jc2k> :P
 403 <giskard> ahahah
 404 <giskard> true
 405 <SEJeff> s/helpers/minions to do his bidding/
 406 <Jc2k> id love to help, but i had free time id put it into the sysadmin team first, conduit second, and then i might have time
 407 <giskard> beer?
 408 * pcutler doesn't dare sign up for anything more
 409 <Jc2k> beer third, good point :P
 410 <pcutler> (he likes whiskey)
 411 <Jc2k> this is also true
 412 <Jc2k> :P
 413 <Jc2k> ok this meeting's been going on too long. giskard, are you joining the sysadmins? what is your area of expertise?
 414 <Jc2k> i think we've all got some stuff to be getting on with and can go through details offline.
 415 <sri> SEJeff: I have minions!
 416 <sri> although they won't help me in gnome sysadmin 
 417 <Jc2k> i wanted to talk about the big plan, but i think i'll move that to the mailing list
 418 <Jc2k> (there isnt one yet)
 419 <giskard> Jc2k:  yes i'm asking to join the team, i can't say i'm an expert of blablabla i'm interested in helping in what i define the old services, like bugzilla mysql jabber blablabla i work with them and i can share my knowledge
 420 <pcutler> hey sri - go into rt3 and take the ticket I just sent in, and test your mango access by giving me a gnome.org email alias  =)
 421 <Jc2k> giskard: excellent excellent
 422 <Jc2k> ok any other business?
 423 <Jc2k> ok meeting over, back to bed guys
 424 <Jc2k> see you ~= 1 month :P
 425 <pcutler> thanks Jc2k
 426 <pcutler> I'll have the minutes up tomorrow, and will drop an email to the list when they're published
 427 <Jc2k> pcutler: awesome
 428 <sri> yeah, please publish the action items and owners too. :)
 429 <sri> pcutler: I haven't seen the ticket yet.  (at any of my two addresses)
 430 <Jc2k> sri: you wont get an email i dont think, unless its a ticket you commented on already
 431 <Jc2k> sri: its this one, though https://www.gnome.org/rt3/Ticket/Display.html?id=8822
 432 <sri> Jc2k: oh, okay.  
 433 <sri> thanks.. I need to book mark that.
 434 <Jc2k> :]
 435 <Jc2k> when i add you all to the gnome-sysadmin list you'll get RT spam too
 436 <sri> Jc2k: so how do I set up the mail alias?
 437 <pcutler> sri, log in to mango
 438 <Jc2k> sri: in mango, find user and tick the 'has a cool @gnome.org alias'
 439 <sri> pcutler: doh.. right.. you said that earlier.
 440 <pcutler> click users, search for pcutler
 441 <giskard> check if the mail is the same listed in the foundation-member list ;)
 442 <sri> hmm.. trouble authenticating.. I'm using 'sri' but it might be 'sri@gnome.org' 
 443 <giskard> no, only sri
 444 <giskard> you have to wait until ldap is replicated afaik
 445 <sri> ok.
 446 <Jc2k> well, sri should have access. sri, what password are you using.. this is the weird mango password, not the password you gave me an md5 of
 447 <giskard> pcutler: in theory afaik we can't setup the "has a cool.." because the mail in mango is not the same
 448 <sri> yeah, I think that's where I'm stuck.  I don't know the password.
 449 <sri> it's not the one you /msg sometime back is it? (the one for RT)
 450 <giskard> you have to file a ticket
 451 <giskard> i will send you an auth token
 452 <giskard> and then i will change your mail address
 453 <Jc2k> for a mango password?
 454 <giskard> i like so much bureaucracy :)
 455 <giskard> (not so much kidding btw)
 456 <sri> I just checked, it was only the RT password you gave me on /msg.
 457 <pcutler> sri: were you able to get your Mango pw by http://live.gnome.org/MangoFAQ
 458 <pcutler> ssh -l $USERNAME svn.gnome.org mango
 459 <pcutler> (you can only do that once)
 460 <Jc2k> WARNING one time only WARNING </blink>
 461 <sri> let me read the faq before going forward.
 462 <sri> so looking through the faq, and doing a search on my mail, I don't think I ever got a "welcome mail" from mango.  I have gotten mail from mango stating that my ssh key was uploaded but that's about it.
 463 <sri> anyways, I'm going to try that mango command.
 464 <sri> /usr/bin/mango: 3: cannot create /var/local/mango/sri: Permission denied
 465 <Jc2k> hmm, you may need a new password rather than just a reset password. joy.
 466 <pcutler> see, I was a good test for you and Mango  :)
 467 <sri> heh
 468 <Jc2k> pcutler, sri: can you guys ssh into label?
 469 <pcutler> yes, and sudo works
 470 <sri> yep, sudo works for me as well.
 471 <Jc2k> oh, cool!
 472 <sri> btw, in terms of master plans have you looked at the SysadminToDoList?
 473 <sri> oh, never mind.. I see this is pretty current, I thought it was old.
 474 <pcutler> oh, speaking of blogs.gnome.org
 475 <pcutler> wordpress is phasing out wp-mu starting next week, and going to build it into normal wordpress
 476 <pcutler> i'm not sure what that means for us long term as we use wp-mu for security updates and what not
 477 <sri> well, I would guess that it would take about 6 months to stabilize.
 478 <sri> what is the jabber server for out of curiosity?
 479 <pcutler> yeah, with wordpress you need to wait for .1 release, they like their security updates
 480 <owen> sri: in theory, it's for users to have @gnome.org jabber accounts to chat with. In practice, for many reasons, never got significant 
 481 <Jc2k> sri: openfire? crossfire? something thats written in java and uses 4% of memory on label
 482 <owen> traction
 483 <Jc2k> dammit, misread
 484 <Jc2k> bedtime :)
 485 <sri> night.
 486 <Jc2k> pcutler: mango password resets are here http://www.mail-archive.com/gnome-infrastructure@gnome.org/msg00981.html
 487 <sri> owen: ah, I see.  I vaguely remember that idea.
 488 <owen> sri: it was jdub's project
 489 <pcutler> thanks
 490 <Jc2k> pcutler: run the command it gives on socket
 491 <Jc2k> and you can find the ldap password in...
 492 <sri> is it worth pursuing?
 493 <pcutler> holy crap, what a pita
 494 <Jc2k> /home/admin/secret/ldap. but that isnt on socket, you can see it on label tho.
 495 <Jc2k> pcutler: the command reset-passwd only works if they have had mango access before. for sri, i think new-passwd is needed.
 496 <Jc2k> 1 more cup of tea before bed if you want to try and sort sri out with some access
 497 <pcutler> i'm re-reading this, but I really need to get some work done over the next 90 minutes, so it might have to wait until later in the weekend
 498 <sri> yeah, I got a meeting in 20 minutes too.
 499 <sri> damn meetings.
 500 * diegoe has disconnected (Floaty, crowny things!)
 501 <Jc2k> pcutler: no worries. dont get distracted by links of that page. the ssh magic, the handle-ldap-modules and the stuff i said here should cover all your needs.
 502 <pcutler> $#(&$#'ing xchat-gnoem
 503 <pcutler> can someone send me a log of the meeting please?
 504 <giskard> i've irc logs since 21:03 (utc + 2)
 505 <pcutler> giskard: if you can just send me a raw log to pcutler@foresightlinux.org I'd appreciate it
 506 <sri> mango looks like it requires some love.. but it has some strict design parameters.
 507 <csenger> pcutler, can send it to you
