Hi all,
As announced, we started today the CentOS infra switch to the new
authentication source (merged with Fedora).

So https://accounts.centos.org is now live and using the same auth backend
(IPA) as https://accounts.fedoraproject.org

This morning at 6:00am UTC, I kicked the ansible roles to reflect the new
TLS/CA for the https://cbs.centos.org koji systems and took it offline for
sanity tests.
- kojihub/web were converted
- tested authentication with new TLS cert
- tested remote authentication with personal TLS cert
- tested to submit koji tasks
- verified that all builders were back on the hub and enabled
- tested a tag-build/untag-build to test the signing process
- tested the new sync script to fetch users/groups from IPA (through
  https://fasjson.fedoraproject.org, IPA API endpoint using kerberos auth)

As all was working, https://cbs.centos.org was then back online around
6:30am UTC.

What you need to do: get your new TLS cert that will be used for
cert authentication (new TLS cert as new CA, coming from the IPA backend).
The SIGGuide (https://wiki.centos.org/SIGGuide) was updated to reflect
the new way to retrieve your cert (anchor link:
https://wiki.centos.org/SIGGuide#SIGGuide.2FSIGProcess.Community_Buildsystem)

PS: worth knowing that if you just had your account imported into the new IPA
backend, you *first* have to reset your own password (the password salt/hash
from ACO isn't compatible with the one from IPA, so just reset your
password on the portal https://accounts.centos.org).

PS2: as some users were skipped during the import process, it can be that
you're in a situation where you either don't exist, or your group
membership wasn't reflected (and so you currently don't have build
rights anymore in koji/cbs). If that's the case, just ask your SIG chair
to get in touch.

Now moving to other services to be converted.
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
Hello!
I just posted our first activity report for the Hyperscale SIG on the
CentOS blog:
https://blog.centos.org/2021/04/centos-hyperscale-sig-quarterly-report/
One thing I'll signal boost: we have released a systemd 247 backport in
the SIG repository. This backport includes experimental SELinux support
via an overlay module; if you use SELinux in your deployments and would
like to provide feedback, that would be much appreciated.
Cheers
Davide
Let me start this email by saying that it's *not* a joke (despite the April
1st date) :-)

As announced, we turned today https://accounts.centos.org into Read-Only
mode, so that we were sure that nothing would change (frozen state) wrt
users status and group membership, while all services continued to be
usable (including for example https://cbs.centos.org).

Mark O'Brien and myself then kicked the fas2ipa script, to ensure that
it would have enough time to parse the CentOS accounts and groups as
a first sanity check.
Number of users: 1097
Number of groups: 31

But we found a particular case for people who were registered in both
FAS and ACO, with a different nickname *but* the same email address, so the
script failed to import these users (81 accounts).

The action taken was to send a mail to the concerned users so that they can
decide which solution they want to adopt:
basically, either consolidating centos group membership on their FAS
account (and so using their FAS account for both projects) *or* updating
their email address so that the fas2ipa script would be able to import
them (but that would mean two different accounts in the same auth platform).
We'll take action on a case-by-case basis through email feedback for these users.

All in all it seems that it went ok for the sanity check tests and that
means that it's a green light for the real infra switch on Tuesday April 6th.

PS: quite some users were in SKIPPED state, as they never took action
for the "email address match for same nickname" situation, explained in
the previous email
(https://lists.centos.org/pipermail/centos-devel/2021-March/076690.html)
Kind Regards,
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab