========================
#centos-meeting: NFV SIG
========================
Meeting started by tfherbert at 15:01:51 UTC. The full logs are
available at
https://www.centos.org/minutes/2021/February/centos-meeting.2021-02-10-15.0…
.
Meeting summary
---------------
* LINK: https://hackmd.io/oRe_HVJiTteDI4H332ApMw (amoralej, 15:02:08)
* FDP 21.A status (tfherbert, 15:03:01)
* Meetings agenda: https://hackmd.io/oRe_HVJiTteDI4H332ApMw
(tfherbert, 15:03:43)
* ovs and ovn 2.13 have been rebuilt for CentOS 8 and are being tested
(amoralej, 15:04:01)
* dholler: ovn 2.11 is rebuilt and it is in testing. (tfherbert,
15:05:03)
* 2.11 includes selinux package (tfherbert, 15:05:31)
* selinux is in testing too (tfherbert, 15:05:57)
* fdp 2.13 to be pushed to release in a few days. (tfherbert,
15:07:01)
* FDP release 2.11 and 2.13 to be released near simultaneously in a
few days. (tfherbert, 15:09:57)
* FDP 21.A status (tfherbert, 15:10:51)
* 21.A completed. (tfherbert, 15:11:12)
* CentOS 8 Stream status (tfherbert, 15:11:25)
* tags are available for C8 Stream,
https://pagure.io/centos-infra/issue/220 (tfherbert, 15:12:21)
* C8 stream plan: 2.14 and 2.15 and updates to 2.11 and 2.13 will be
coordinated with FDP. The exact plan and release dates are TBD for
now. (tfherbert, 15:28:07)
* Automation and CI proposal. (tfherbert, 15:30:15)
* LINK: https://review.rdoproject.org/r/#/c/31871/ (amoralej,
15:33:17)
* Proposal for CI testing of NFV packages, currently FDP packages: OVS
and OVN (tfherbert, 15:38:23)
* Proposal is to use RDO CI currently used in Cloud Sig and OpenStack.
Please see https://review.rdoproject.org/r/#/c/31871/ for info on
RDO CI for more info. (tfherbert, 15:40:04)
* Meeting about CI proposal February 12 11:00 Eastern US time: Please
contact Alfredo Moralejo Alonso for more info, amoralej(a)redhat.com
(tfherbert, 15:44:42)
* Any other topics for NFV SIG? (tfherbert, 15:47:58)
* question about NFV: NFV is Network Function Virtualization.
(tfherbert, 15:50:16)
* FDP is "Fast Data Path" (tfherbert, 15:50:39)
* ovn is Open Virtual Network (amoralej, 15:51:26)
Meeting ended at 15:52:00 UTC.
Action Items
------------
Action Items, by person
-----------------------
* **UNASSIGNED**
* (none)
People Present (lines said)
---------------------------
* amoralej (93)
* tfherbert (55)
* dholler (12)
* smooge (3)
* centbot (2)
* ykarel (2)
* Arrfab (1)
--
*Thomas F Herbert*
CTO Office Networking Group
Networking Group
*Red Hat*
he/him/his
For those of you who missed it, here's a recap of last week's CentOS
Dojo at FOSDEM - https://blog.centos.org/2021/02/centos-dojo-fosdem-2021/
Given the adversarial and occasionally toxic discussions we've seen on
this list over the past 2 months, I was concerned that we'd have more of
the same at the Dojo, but it seems that seeing people's faces tempered
the discussion. People continued to ask the hard questions, but without
the hostility that we've seen recently.
As a result, I'm considering running several more of these over the
coming year, at least until we get back to doing some in-person events,
and probably even after that.
Last week's event was optimized for a European-centric time zone. The
next one will probably be more centered around North American time
zones, and will probably happen some time around May.
If you are interested in helping put the event together, or have ideas
about what content you'd like to see, or if you yourself want to present
something, please let us know.
Based on early feedback on the post-event survey, people want to hear
more about:
* CentOS Stream 9
* more non-Red Hat use cases
* koji (and similar ways of managing smaller scale automated rpm builds)
* creating your own module/stream in personal repo, freeipa, keycloak
* NextGen: RHEL Sources Home / GitLab / Stream9
And I would echo the "non-Red Hat" item here. While it makes sense that
our content has strong Red Hat participation, I'm always doubly-pleased
when we get presentations from outside of Red Hat.
1. Your info page here:
https://wiki.centos.org/FAQ/CentOSStream#Where_is_the_source_code.3F
links to an insecure download resource:
http://mirror.centos.org/centos/8-stream/
2. You are not running a secure server:
https://mirror.centos.org/centos/8-stream/ => connection times out
*. Hopefully you understand the implications of the above - if not, run a
build and take a look at the number of warnings related to unsigned code
that your systems ignore. Better still - fix your systems so they always
hard-fail on everything unsigned they encounter. It only takes one single
unsigned mistake in any of your packages to expose all users to compromise
when you're not using secure servers. Insecure servers in 2021 are
completely unnecessary.
3. Source code is still missing. The folder structure exists, but none of
the files are in there.
Some new examples
https://git.centos.org/rpms/sendmail/tree (no source)
https://git.centos.org/rpms/sendmail/archive/imports/c8s/sendmail-8.15.2-34…
(linked
from git - 404)
https://vault.centos.org/centos/8-stream/AppStream/Source/SPackages/ (empty)
https://composes.centos.org/CentOS-Stream-8-20210108.n.2/compose/BaseOS/sou…
(incomplete)
# yumdownloader --source sendmail
Last metadata expiration check: 2:09:27 ago on Mon 08 Feb 2021 09:45:31 PM
GMT.
No package sendmail-8.15.2-34.el8.src available.
Exiting due to strict setting.
Error: No package sendmail-8.15.2-34.el8.src available.
Might I suggest you ask someone in the build team to fix or write whatever
script is needed to make "yumdownloader" work? Obviously, since they're
building stuff, *they* know where the source code **really** is - so it
would only take 5 or 10 minutes to glue your existing tools (like
yumdownloader) into whatever new location someone seems to have dreamed up
for the actual source.
Spending the few minutes to fix what every administrator already knows
around source packaging/distro systems is a far better idea than making
them all learn entirely new things (which will probably change a few more
times before everyone's happy anyhow)
All the above carry security implications - we really need to know what
source was used to build our products, and we really need to be able to
download binaries from properly secure locations (preferably all with
working signatures, but that's a whole other problem, so TLS distro
endpoints are at least an interim mitigation).
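The two conditions raised in the message above (repositories fetched over plain HTTP, and signature checking that is not enforced) can be audited on the client side. This is an added example, not part of the original message: it parses a constructed sample `.repo` file and flags plaintext URLs and disabled or unset `gpgcheck`; the repository names, hosts and finding labels are made up for illustration.

```python
import configparser
import re

# Constructed sample of a yum/dnf .repo file (not taken from a real system).
SAMPLE_REPO = """\
[baseos]
name=Example BaseOS
baseurl=http://mirror.example.org/8-stream/BaseOS/x86_64/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[appstream-source]
name=Example AppStream sources
baseurl=https://vault.example.org/8-stream/AppStream/Source/
gpgcheck=0

[extras]
name=Example extras
mirrorlist=https://mirrors.example.org/?repo=extras
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""

URL_KEYS = ("baseurl", "mirrorlist", "metalink")
TRUTHY = {"1", "true", "yes", "on"}


def audit_repo_text(text):
    """Return a sorted list of (repo_id, finding) for one .repo file's text."""
    parser = configparser.ConfigParser(
        interpolation=None,   # URLs may contain '%'
        strict=False,         # tolerate repeated options
        delimiters=("=",),    # ':' inside URLs is not a key/value separator
    )
    parser.read_string(text)
    findings = []
    for repo_id in parser.sections():
        if repo_id == "main":
            continue
        repo = parser[repo_id]
        # A repo may list several URLs separated by whitespace or commas.
        for key in URL_KEYS:
            urls = re.split(r"[\s,]+", repo.get(key, "").strip())
            if any(u.lower().startswith(("http://", "ftp://")) for u in urls):
                findings.append((repo_id, "plaintext-url:" + key))
        # Report an unset value separately: it is inherited from [main].
        gpgcheck = repo.get("gpgcheck")
        if gpgcheck is None:
            findings.append((repo_id, "gpgcheck-unset"))
        elif gpgcheck.strip().lower() not in TRUTHY:
            findings.append((repo_id, "gpgcheck-off"))
    return sorted(findings)


if __name__ == "__main__":
    for repo_id, finding in audit_repo_text(SAMPLE_REPO):
        print(f"{repo_id}: {finding}")
```
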
Hi all,
As announced, there is an initiative going on for the Fedora/CentOS auth
backend merge (see
https://lists.centos.org/pipermail/centos-devel/2021-January/076334.html
as reminder)
Let me forward what was discussed at the Fedora side this morning (and
only impacting the "staging" setup, in case you'd be testing it in the
next hours) :
<forwarded message>
Hey folks!
The AAA team would like to test a re-import of the accounts in staging.
We have learnt of a way to speed up the import significantly (20 times)
and we'd like to test it.
For that we'll need to remove all existing accounts and start from
scratch. It means that if you're currently testing your application in
staging, your account will disappear for something between hours to a
couple days.
We're going to start the process in 4-5 hours. Please shout if you're in
the middle of something and you'd prefer us to wait for tomorrow.
Thanks!
Aurélien
</forwarded message>
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
Hi Everyone,
If you would like to see this report and toggle to the section you are
most interested in, I would suggest visiting this link
https://hackmd.io/8iV7PilARSG68Tqv8CzKOQ?view and use the header bar
on your left to skip to where you want to go!
## Initiative FYI Links
Initiatives repo here: https://pagure.io/cpe/initiatives-proposal
2021 Quarterly Planning timetable here:
https://docs.fedoraproject.org/en-US/cpe/time_tables/ so you know when
I need it in by to review it.
Details on initiative requesting/how to work with us on new projects
here: https://docs.fedoraproject.org/en-US/cpe/initiatives/
### Misc
#### Conferences!
* CentOS Dojo @ FOSDEM is on right now! Links to talks from Thursday
are on the CentOS youtube channel and Rich is playing a blinder
getting all the content uploaded in record time
https://www.youtube.com/TheCentOSProject
* NOTE: 'playing a blinder' means doing an excellent job for
anyone unfamiliar with the term :)
* Fedora has a booth as well @ FOSDEM this weekend! Make sure you stop
by and say hi to all those great Fedorans who will be manning it this
weekend https://chat.fosdem.org/#/room/#fedora-stand:fosdem.org
## Project Updates
*The below updates are pulled directly from our CPE team call we have
every week.*
## CentOS Updates
### CentOS
* CI team members are migrating Fedora-Infra and Fedora-apps namespace
which is one of the last few before we shut down legacy cluster
* There is also an investigation spike on Zabbix upgrade to current
LTS version which will then be rolled-out on the CentOS Infra once
complete
### CentOS Stream
* Python39 built and ready to compose
* Dist-git repos are regularly up to date
* Repos are populated in the CentOS Stream GitLab instance and will be
publicly viewable in the coming weeks
* Very detailed talks on CentOS Stream given by Brian Stinson & Brian
'Bex' Exelbierd are watchable now on the CentOS YouTube channel -
check them out!
### Fedora
* Infra team are assisting with the testing of ipa/noggin for
otp/other cases in stg
* They're also doing a cleanup of a bunch of broken links on koji volume
* Mass rebuild of rpms is done, modules are underway
* FTBFS for the mass rebuild are filed
### CPE ARC TEAM
(Community Platform Engineering Advanced Reconnaissance Team....Team)
We have a new sub team in our team, led by Pingou, who are running
advance investigations on some of the tech debt and bigger initiatives
that the CPE team have in our backlog and they have been tackling
Datanomer/Datagrepper tech debt first.
The team have been partitioning the ‘messages’ table of datagrepper's
DB, & hope to be able to test this setup next week
* prod like in openshift
https://datagrepper-monitor-dashboard.app.os.fedoraproject.org
* prod like with a default delta of 3 days
http://datagrepper.arc.fedorainfracloud.org/datagrepper/
* partitioned table + default delta of 3 days
http://datagrepper-test.arc.fedorainfracloud.org/datagrepper/
* using the timescale postgresql plugin [not implemented yet]
http://datagrepper-timescale.arc.fedorainfracloud.org
### Noggin/AAA
* We faced some issues with IPA limits and tuning, and 2FA & still
trying to figure out the best way to enforce 2FA with sudo.
* We are getting closer to migrating from stg to prod and once the
Fedora migration is complete, the CentOS accounts will be then
imported.
* NOTE: If you have an account in both CentOS & Fedora and have
different email addresses associated with each, please update your
preferred email address in your profile and look out for an email next
week on your options.
* The work tracker for this project can be found here
https://github.com/orgs/fedora-infra/projects/6
### Fedora Messaging Schemas
* Elections pr reviewed https://pagure.io/elections/pull-request/90
* Next is Greenwave & waiverdb
* The board the issues are tracked on is here
https://github.com/orgs/fedora-infra/projects/7
## Team Info
### Background:
The Community Platform Engineering group, or CPE for short, is the Red
Hat team combining IT and release engineering from Fedora and CentOS.
Our goal is to keep core servers and services running and maintained,
build releases, and other strategic tasks that need more dedicated
time than volunteers can give.
See our wiki page here for more
information: https://docs.fedoraproject.org/en-US/cpe/
As always, feedback is welcome, and we will continue to look at ways
to improve the delivery and readability of this weekly report.
Have a great weekend!
Aoife
Source: https://hackmd.io/8iV7PilARSG68Tqv8CzKOQ?view
--
Aoife Moloney
Product Owner
Community Platform Engineering Team
Red Hat EMEA
Communications House
Cork Road
Waterford
Hi,
I'm seeing the following error:
Executing: xmvn --batch-mode --offline -Dmaven.test.skip=true
-Dworkspace.root.dir=/builddir/build/BUILD/apache-sshd-2.6.0 package
org.fedoraproject.xmvn:xmvn-mojo:install
org.fedoraproject.xmvn:xmvn-mojo:javadoc
org.fedoraproject.xmvn:xmvn-mojo:builddep
['xmvn', '--batch-mode', '--offline', '-Dmaven.test.skip=true',
'-Dworkspace.root.dir=/builddir/build/BUILD/apache-sshd-2.6.0',
'package', 'org.fedoraproject.xmvn:xmvn-mojo:install',
'org.fedoraproject.xmvn:xmvn-mojo:javadoc',
'org.fedoraproject.xmvn:xmvn-mojo:builddep']
/usr/share/maven/bin/mvn: line 36: /etc/java/maven.conf: No such file
or directory
error: Bad exit status from /var/tmp/rpm-tmp.QeIPBF (%build)
Bad exit status from /var/tmp/rpm-tmp.QeIPBF (%build)
RPM build errors:
which is a known bug of maven 3.6 shipped in RHEL 8.3 (
https://bugzilla.redhat.com/show_bug.cgi?id=1897375)
There's a build in koji (
https://koji.mbox.centos.org/koji/taskinfo?taskID=207396) which should
have the fix for this issue.
Can we get that build in CBS build root?
If not, can we get maven:3.5 module enabled instead of maven:3.6?
thanks,
--
Sandro Bonazzola
MANAGER, SOFTWARE ENGINEERING, EMEA R&D RHV
Red Hat EMEA <https://www.redhat.com/>
sbonazzo(a)redhat.com
*Red Hat respects your work life balance. Therefore there is no need to
answer this email out of your office hours.*
Hi all, I know this was a hot topic on the list so I thought I'd share
today's blog post which covers no-cost RHEL for small production workloads
and no-cost RHEL for customer development teams. Keep in mind there are
other programs coming, these just got done first.
https://www.redhat.com/en/blog/new-year-new-red-hat-enterprise-linux-progra…
Bullet Points:
- Self-Support RHEL for no-cost in production use cases of up to 16
systems.
- No-cost RHEL for customer development teams (larger number of systems
for non-production cases).
- Available no later than February 1
- Single Sign-on via a Red Hat account, or Github, Twitter, Facebook or
other accounts (You'll soon not need to provide all kinds of personal
information like you used to).
--
Mike McGrath
Linux Engineering - Chicago
Red Hat
mmcgrath(a)redhat.com T: (312)-660-3547
# Introduction and background
As it was preannounced some time ago, the CentOS Board agreed to merge
the CentOS accounts (https://accounts.centos.org) with the Fedora FAS
(https://admin.fedoraproject.org/accounts/)
As both projects were running their own instance of FAS (running on
el6/CentOS 6, so coming to EOL, so that needed to be migrated to new
solution/platform), but that there are a lot of contributors common to
both projects, it made sense to "migrate and merge" both into one, and
so having only one account that can be used for both.
The AAA/Noggin team worked in the last months on the new authentication
system that will be used as foundation.
The core block will be (Free)IPA (https://www.freeipa.org , already
available in the distribution) and the community portal feature will be
provided by noggin (https://github.com/fedora-infra/noggin)
If you want to know more about noggin, consider watching the
presentation given at last Fedora Nest event
(https://www.youtube.com/watch?v=x1SevUmkE60)
# What does it mean for you, contributors and SIG members ?
Fedora already had an IPA infra, but "hidden" behind FAS, so accounts
were already created in IPA backend.
For CentOS, we were just using plain FAS, so users in our own backend
(fas db).
The "Merge" operation will go like this :
- Fedora will kick fas2ipa script
(https://github.com/fedora-infra/fas2ipa), synchronizing FAS attributes
back into IPA, including group memberships coming from FAS/Fedora
- Then the same process will be run but importing from ACO
(https://accounts.centos.org) into the same IPA backend.
That's where the "fun" begins:
* If the same nick/account exists on both sides, the script is
considering FAS as authoritative (remember, the FAS user *already*
exists there, and is only modified for group[s] membership and attributes)
* What is used to consider same nick/account being the same person ?
the email (validated when registering account) will be used as primary
key. So that means that you should *now* verify/update your email
address in FAS and ACO so that they match
* in case of an email address mismatch, the ACO account isn't migrated
(group membership) but put in a queue to be verified
* in case of matching email address, existing account is added to
imported ACO groups
The "open" question is about what to do for same account but in fact
being different people (question is debated between Fedora and CentOS
through the AAA initiative)
# What has been already done ?
You can follow publicly the status through dedicated tracker (
https://github.com/orgs/fedora-infra/projects/6 ), but let me focus on
the CentOS Side (sending this to centos-devel so centos contributors)
In the last months, Fedora already deployed a staging (.stg.) IPA
instance, as well as a noggin community portal.
For CentOS, we deployed (to be able to test integration) the following
components in front of the Fedora IPA:
* https://accounts.stg.centos.org (using noggin, with a centos visual
theme applied)
* https://id.stg.centos.org (ipsilon, used for openid/openidc IdP)
We then reached out to some "key users" to validate that some
applications migrated to new authentication system were working fine.
We tested with :
* pagure (https://git.stg.centos.org)
* koji
* openshift/OCP
* some other apps using openid
In December 2020, there was a first run of the fas2ipa script, so
(consider this a snapshot) existing accounts in both FAS and ACO were
merged.
From that import, there were 123 accounts that were duplicate ones, but
as said, it can be that they are the same account but using different
email addresses.
# What do you have to do ?
You can try to login through https://accounts.stg.centos.org and see if
you can login.
Important remark: if you *didn't* have a FAS account , your account was
imported/created for the first time in IPA, so that means that you'll
have to use the "Forgot Password ?" feature on portal to reset your
account (mail will be sent to email address tied to your account)
# When will the real migration happen ?
We'll wait on AAA/noggin team to give us estimated date, and when
they'll migrate Fedora first.
Once that will be done, we'll migrate ACO to the new setup (probably
fas2ipa script run during a week-end, but to be announced)
# How will that impact my workflow for CentOS as SIG member ?
Worth knowing that all deployed services using ACO will have to be
reconfigured for AAA.
That currently means :
* https://git.centos.org (and also the MQTT bus for git push notifications)
* https://cbs.centos.org (and also non public signing service)
* other small services using OpenID/OpenIDC for authentication
(https://blog.centos.org, some jenkins instances used by QA team, etc)
As said, we have already staged all changes to support new auth in our
ansible roles.
When we'll have rolled out these changes, your existing TLS certificate
that you use to authenticate with for cbs.centos.org *will not* work
anymore (important)
That means that you'll have to retrieve a new TLS cert, signed by the
IPA CA cert.
How to do that ? I'll see about porting this to a known repository, but
for now, there is a copr repo that you can use :
https://copr.fedorainfracloud.org/coprs/arrfab/fasjson-client/
IMPORTANT : do *not* use this pkg now, or do this from another
workstation/vm/account/whatever : the new 'centos-cert' util would
replace your currently working TLS cert (from ACO) . (Well, as fasjson
for prod *isn't* deployed yet, that would not work at all, but it would
when deployed)
If you have questions, feel free to ask in this thread, or join
#fedora-aaa on Freenode.
--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 17F3B7A1 | twitter: @arrfab
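
The merge rules listed in the message above, written out as an added example (not part of the original email and not the fas2ipa code): the nick selects the existing account, the email decides whether it is the same person, and a mismatch is queued so the account never picks up ACO groups automatically. The `Account` type, the function names and the case-insensitive email comparison are assumptions made for this sketch; all sample accounts are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    nick: str
    email: str
    groups: set = field(default_factory=set)


def normalise(email):
    # Assumption: addresses are compared ignoring case and surrounding spaces.
    return email.strip().lower()


def import_aco(ipa, aco_accounts):
    """Apply the stated rules to `ipa` (nick -> Account already imported from FAS).

    Returns (created, merged, queued) lists of nicks and updates `ipa` in place.
    """
    created, merged, queued = [], [], []
    for aco in aco_accounts:
        existing = ipa.get(aco.nick)
        if existing is None:
            # No FAS account with this nick: created in IPA for the first time.
            ipa[aco.nick] = Account(aco.nick, aco.email, set(aco.groups))
            created.append(aco.nick)
        elif normalise(existing.email) == normalise(aco.email):
            # Same nick, same email: FAS attributes stay, ACO groups are added.
            existing.groups |= aco.groups
            merged.append(aco.nick)
        else:
            # Same nick, different email: nothing is changed, a human verifies.
            queued.append(aco.nick)
    return created, merged, queued


def run_demo():
    """Run the rules over constructed FAS-side and ACO-side accounts."""
    ipa = {
        "alice": Account("alice", "alice@example.org", {"packager"}),
        "bob": Account("bob", "bob@example.org", set()),
    }
    aco = [
        Account("alice", "Alice@Example.org", {"sig-nfv"}),
        Account("bob", "robert@example.net", {"sig-cloud"}),
        Account("carol", "carol@example.org", {"sig-virt"}),
    ]
    return ipa, import_aco(ipa, aco)


if __name__ == "__main__":
    ipa, (created, merged, queued) = run_demo()
    print("created:", created, "merged:", merged, "queued:", queued)
```
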