Hi all, I know this was a hot topic on the list so I thought I'd share
today's blog post which covers no-cost RHEL for small production workloads
and no-cost RHEL for customer development teams. Keep in mind there are
other programs coming, these just got done first.
https://www.redhat.com/en/blog/new-year-new-red-hat-enterprise-linux-progra…
Bullet Points:
- Self-Support RHEL for no-cost in production use cases of up to 16
systems.
- No-cost RHEL for customer development teams (larger number of systems
for non-production cases).
- Available no later than February 1
- Single Sign-on via a Red Hat account, or Github, Twitter, Facebook or
other accounts (You'll soon not need to provide all kinds of personal
information like you used to).
--
Mike McGrath
Linux Engineering - Chicago
Red Hat
mmcgrath(a)redhat.com T: (312)-660-3547
# Introduction and background
As it was preannounced some time ago, the CentOS Board agreed to merge
the CentOS accounts (https://accounts.centos.org) with the Fedora FAS
(https://admin.fedoraproject.org/accounts/)
As both projects were running their own instance of FAS (running on
el6/CentOS 6, so coming to EOL, so that needed to be migrated to new
solution/platform), but that there are a lot of contributors common to
both projects, it made sense to "migrate and merge" both into one, and
so having only one account that can be used for both.
The AAA/Noggin team worked in the last months on the new authentication
system that will be used as foundation.
The core block will be (Free)IPA (https://www.freeipa.org , already
available in the distribution) and the community portal feature will be
provided by noggin (https://github.com/fedora-infra/noggin)
If you want to know more about noggin, consider watching the
presentation given at last Fedora Nest event
(https://www.youtube.com/watch?v=x1SevUmkE60)
# What does it mean for you, contributors and SIG members ?
Fedora already had an IPA infra, but "hidden" behind FAS, so accounts
were already created in IPA backend.
For CentOS, we were just using plain FAS, so users in our own backend
(fas db).
The "Merge" operation will go like this :
- Fedora will kick fas2ipa script
(https://github.com/fedora-infra/fas2ipa) synchronizing FAS attributes
back into IPA, including group memberships coming from FAS/Fedora
- Then the same process will be run but importing from ACO
(https://accounts.centos.org) into the same IPA backend.
That's where the "fun" begins:
* If the same nick/account exists at both side, the script is
considering FAS as authoritative (remember, the FAS user *already*
exists there, and is only modified for group[s] membership and attributes)
* What is used to consider same nick/account being the same person ?
the email (validated when registering account) will be used as primary
key. So that means that you should *now* verify/update your email
address in FAS and ACO so that they match
* in case of an email address mismatch, the ACO account isn't migrated
(group membership) but put in a queue to be verified
* in case of matching email address, existing account is added to
imported ACO groups
The "open" question is about what to do for same account but in fact
being different people (question is debated between Fedora and CentOS
through the AAA initiative)
# What has been already done ?
You can follow publicly the status through dedicated tracker (
https://github.com/orgs/fedora-infra/projects/6 ), but let me focus on
the CentOS Side (sending this to centos-devel so centos contributors)
In the last months, Fedora already deployed a staging (.stg.) IPA
instance, as well as a noggin community portal.
For CentOS, we deployed (to be able to test integration) the following
components in front of the Fedora IPA:
* https://accounts.stg.centos.org (using noggin, with a centos visual
theme applied)
* https://id.stg.centos.org (ipsilon, used for openid/openidc IdP)
We then reached out to some "key users" to validate that some
applications migrated to new authentication system were working fine.
We tested with :
* pagure (https://git.stg.centos.org)
* koji
* openshift/OCP
* some other apps using openid
In December 2020, there was a first run of the fas2ipa script, so
(consider this a snapshot) existing accounts in both FAS and ACO were
merged.
From that import, there were 123 accounts that were duplicate ones, but
as said, it can be that they are the same account but using different
email addresses.
# What do you have to do ?
You can try to login through https://accounts.stg.centos.org and see if
you can login.
Important remark: if you *didn't* have a FAS account, your account was
imported/created for the first time in IPA, so that means that you'll
have to use the "Forgot Password ?" feature on portal to reset your
account (mail will be sent to email address tied to your account)
# When will the real migration happen ?
We'll wait on AAA/noggin team to give us estimated date, and when
they'll migrate Fedora first.
Once that will be done, we'll migrate ACO to the new setup (probably
fas2ipa script run during a week-end, but to be announced)
# How will that impact my workflow for CentOS as SIG member ?
Worth knowing that all deployed services using ACO will have to be
reconfigured for AAA.
That currently means :
* https://git.centos.org (and also the MQTT bus for git push notifications)
* https://cbs.centos.org (and also non public signing service)
* other small services using OpenID/OpenIDC for authentication
(https://blog.centos.org, some jenkins instances used by QA team, etc)
As said, we have already staged all changes to support new auth in our
ansible roles.
When we'll have rolled out these changes, your existing TLS certificate
that you use to authenticate with for cbs.centos.org *will not* work
anymore (important)
That means that you'll have to retrieve a new TLS cert, signed by the
IPA CA cert.
How to do that? I'll see about porting this to a known repository, but
for now, there is a copr repo that you can use:
https://copr.fedorainfracloud.org/coprs/arrfab/fasjson-client/
IMPORTANT : do *not* use this pkg now, or do this from another
workstation/vm/account/whatever : the new 'centos-cert' util would
replace your currently working TLS cert (from ACO). (Well, as fasjson
for prod *isn't* deployed yet, that would not work at all, but it would
when deployed.)
If you have questions, feel free to ask in this thread, or join
#fedora-aaa on Freenode.
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
Notification:
So far, the ConfigManagement SIG rebuilt and shipped some Ansible
versions through different repos (per "branch") over the last
months/years, so we currently still have on mirror.centos.org (and so
external mirrors) the following repositories :
For CentOS 7:
- ansible 2.6
- ansible 2.7
- ansible 2.8
- ansible 2.9
For CentOS 8 (also working on 8-stream) :
- ansible 2.9
Per Ansible EOL policy (see
https://docs.ansible.com/ansible/devel/reference_appendices/release_and_mai…)
we'll continue to maintain 2.8 (security fixes if they appear) and 2.9
but we'll remove previous versions/repositories.
Worth knowing that they'd still be available through vault.centos.org
though, but not available directly through a centos-release-ansible*.rpm
(configuring yum/dnf repositories on systems)
So far I never had a chance/time to look at ansible 2.10, as there is a
split between ansible-base and ansible-core and then collections.
My goal would be to discuss with EPEL/Fedora maintainer (Kevin Fenzi)
about the best way to have it working and then we can start (re)building
through configmanagement tags on https://cbs.centos.org
Kind Regards,
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
TL;DR:
https://wiki.centos.org/Events/Dojo/FOSDEM2021 <-- Dojo Thursday and Friday
https://fosdem.org/2021/ <-- FOSDEM Saturday and Sunday
The full schedule of talks for the Dojo is available at the above URL,
and includes a roundtable discussion with (some of) the Board.
Registration is free, and all talks will be recorded for later viewing
on our YouTube channel. But of course if you want to participate in the
Q&A aspect of the event, you'll need to be there.
Hoping to see you Thursday,
--Rich
=====================================
*#centos-meeting2: Monthly Storage SIG*
=====================================
Meeting started by ndevos at 10:03:03 UTC. The full logs are available
at https://www.centos.org/minutes/2021/February/centos-meeting2.2021-02-02-10.…
*Meeting summary*
---------------
* *Roll Call* (ndevos, 10:03:12)
* *Agenda* (ndevos, 10:05:18)
* LINK: https://hackmd.io/Epc35JIESaeotoGzwu5R5w (ndevos, 10:05:25)
* *per sig ML and review on the Storage sig page* (fmount, 10:08:29)
* AGREED: use *[Storage-SIG]* in subjects to centos-devel, so that it is
easy to filter, and others automatically see our updates/discussions
too (ndevos, 10:13:56)
* *ceph dist-git usage* (fmount, 10:17:44)
* AGREED: fix calendar and wiki with meeting irc chan name (gfidente,
10:17:48)
* ACTION: fmount to request a cephadm distgit repo in git.centos.org
(fmount, 10:51:28)
* Open Floor (ndevos, 11:02:39)
Meeting ended at 11:03:39 UTC.
*Action Items*
- fmount to request a cephadm distgit repo in git.centos.org
- fmount to learn about the dist-git ceph process and reach kkeithley
for any additional info
--
Francesco Pantano
GPG KEY: F41BD75C
Hello All,
I found a regression in the CentOS Stream 8 kernels, and created a
bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1913806
After reading https://wiki.centos.org/Contribute/CentOSStream
I tried to download the kernel sources and look for the root cause of the bug,
but the dist-git and source-git repos do not contain the kernel sources,
even if I try to execute the %prep phase. For this reason I can't
even try to find the root cause of this bug by myself.
This bug is critical for me, because I am currently trying to use
systemd-nspawn for container virtualization in production.
If the future CentOS 8.4 contains this bug, it will be a disaster.
What else can I do (as a user or developer) to fix this bug?
P.S.
https://centos.org/distro-faq/
Q5: Does this mean that CentOS Stream is the RHEL BETA test platform now?
A: No. CentOS Stream will be getting fixes and features ahead of RHEL.
Generally speaking we expect CentOS Stream to have fewer bugs and more
runtime features as it moves forward in time but always giving direct
indication of what is going into a RHEL release
==================================
But currently I hit the bug, which is absent in CentOS 8.3
but present in CentOS Stream 8. Looks like CentOS Stream 8
is really the beta version for future RHEL minor release,
despite the CentOS FAQ. Sorry, but this is true.
--
Best regards,
Gena
Dear community,
I was enthusiastic about building a config management SIG a few years
back, but never really had the time to make it to the point where it
should be. Partly because the complexity of config management tooling
is huge, and partly because I did not estimate properly the amount of
time to learn the tooling around CBS.
Today, I resign from the SIG to refocus my work on other open source
projects.
The SIG, as a group, is inactive. Volunteers still actively use the
CBS build targets and produce artefacts, including ansible and ara. If
anyone wants to step up and take the lead of the SIG, they should
probably contact the board.
Regards,
Julien Pivotto