Hi All,
There is quite a bit going on with Community Build System developers and those of us working on other tools. I thought it might be helpful to get in the same (virtual) room on a regular basis to help us coordinate our efforts.
I propose that our first meeting be held at 13:00 UTC Monday September 15th, 2014 in #centos-devel on Freenode
My topics for this meeting:
- Is this a good recurring time for all?
- What's next for Centpkg
- Authentication?
- Certificate Delivery?
- Open Flood
If there is something specific you would like included on the "agenda" let me know.
Questions? Comments? Counter-proposals?
Brian
-- Brian Stinson bstinson@ksu.edu | IRC: bstinson | Bitbucket/Twitter: bstinsonmhk
On 09/11/2014 11:04 PM, Brian Stinson wrote:
Hi All,
There is quite a bit going on with Community Build System developers and those of us working on other tools. I thought it might be helpful to get in the same (virtual) room on a regular basis to help us coordinate our efforts.
I propose that our first meeting be held at 13:00 UTC Monday September 15th, 2014 in #centos-devel on Freenode
sounds good, I'm in. The time works well if we want to make this regular ( maybe start weekly and then gradually make it less frequent as change-rate decreases .... )
My topics for this meeting:
- Is this a good recurring time for all?
- What's next for Centpkg
- Authentication?
- Certificate Delivery?
- Open Flood
If there is something specific you would like included on the "agenda" let me know.
Questions? Comments? Counter-proposals?
thanks for taking this up!
On 11/09/2014 23:04, Brian Stinson wrote:
I propose that our first meeting be held at 13:00 UTC Monday September 15th, 2014 in #centos-devel on Freenode
The time is fine for me, and should be fine going forwards.
On Thu, Sep 11, 2014 at 11:04 PM, Brian Stinson bstinson@ksu.edu wrote:
Hi All,
There is quite a bit going on with Community Build System developers and those of us working on other tools. I thought it might be helpful to get in the same (virtual) room on a regular basis to help us coordinate our efforts.
I propose that our first meeting be held at 13:00 UTC Monday September 15th, 2014 in #centos-devel on Freenode
My topics for this meeting:
- Is this a good recurring time for all?
- What's next for Centpkg
- Authentication?
- Certificate Delivery?
- Open Flood
If there is something specific you would like included on the "agenda" let me know.
- Building from arbitrary git sources?
- ppa-like functionality for developers to host experimental / custom packages?
-George
Should we try and get a ToDo List together for the outstanding work ? That gives us a target to drive towards. Maybe even a trello board, so we can easily monitor who's doing what and who needs help where.
thanks
On Sep 16 17:23, Karanbir Singh wrote:
Should we try and get a ToDo List together for the outstanding work ? That gives us a target to drive towards. Maybe even a trello board, so we can easily monitor who's doing what and who needs help where.
thanks
-- Karanbir Singh +44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh GnuPG Key : http://www.karan.org/publickey.asc _______________________________________________ CentOS-devel mailing list CentOS-devel@centos.org http://lists.centos.org/mailman/listinfo/centos-devel
That sounds like a good idea. Is there already a Trello organization out there? I'm wondering if we should include the bugtracker as well.
Brian
-- Brian Stinson bstinson@ksu.edu | IRC: bstinson | Bitbucket/Twitter: bstinsonmhk
On 09/16/2014 05:32 PM, Brian Stinson wrote:
On Sep 16 17:23, Karanbir Singh wrote:
Should we try and get a ToDo List together for the outstanding work ? That gives us a target to drive towards. Maybe even a trello board, so we can easily monitor who's doing what and who needs help where.
That sounds like a good idea. Is there already a Trello organization out there? I'm wondering if we should include the bugtracker as well.
There is a CentOS org and a centos-dev org as well, we can use either. I can get the board set up, send me your trello logins at kbsingh centos.org
On 09/16/2014 09:32 AM, Brian Stinson wrote:
On Sep 16 17:23, Karanbir Singh wrote:
Should we try and get a ToDo List together for the outstanding work ? That gives us a target to drive towards. Maybe even a trello board, so we can easily monitor who's doing what and who needs help where.
thanks
That sounds like a good idea. Is there already a Trello organization out there? I'm wondering if we should include the bugtracker as well.
I missed the meeting this week but read the log. It seemed one of our major blockers is the auth system. I was thinking it might be useful if we set up an instance of FreeIPA and Fedora Account System (FAS) to do a side-by-side comparison?
I'm available to work on the FAS instance this week, if there is anyone with FAS experience who can help or give advice, please do. :) I'm asking Fabian if he can set up a few VMs for the auth tryout - something disposable where folks helping can get ssh + sudo to do the work. Just to be accurate, we may want to have a separate VM for the database as that's likely how we'd configure it in the end.
https://github.com/fedora-infra/fas/blob/develop/INSTALL
http://infrastructure.fedoraproject.org/el/6/x86_64/
http://infrastructure.fedoraproject.org/el/7/x86_64/
Fedora is currently running FAS2 on EL6, primarily due to TurboGears requirements. I was told we can run the Postgres instance on CentOS 7, but trying to do the FAS2 on CentOS 7 sounds like a bit of a rathole right now. Anyway, lots of *.centos.org runs on CentOS 6, so no worries there. (FAS3 is coming end-of-year aiui, and it will run on CentOS 7.)
Anyone interested in setting up FreeIPA for a comparison?
We do know of one blocker for FreeIPA, which is that it doesn't have user self-service features - you can't reset your own password, etc. That may not be a problem for us if we have <200 users on the Koji+git, but if we use IPA for more than that, we'll have a scaling problem. One option is to code the module(s) ourselves, which is nothing I'm able to do. :)
- Karsten
--
Karsten 'quaid' Wade .^\ CentOS Doer of Stuff
http://TheOpenSourceWay.org \ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
On Sep 16 12:22, Karsten Wade wrote:
On 09/16/2014 09:32 AM, Brian Stinson wrote:
On Sep 16 17:23, Karanbir Singh wrote:
Should we try and get a ToDo List together for the outstanding work ? That gives us a target to drive towards. Maybe even a trello board, so we can easily monitor who's doing what and who needs help where.
thanks
That sounds like a good idea. Is there already a Trello organization out there? I'm wondering if we should include the bugtracker as well.
I missed the meeting this week but read the log. It seemed one of our major blockers is the auth system. I was thinking it might be useful if we set up an instance of FreeIPA and Fedora Account System (FAS) to do a side-by-side comparison?
I'm available to work on the FAS instance this week, if there is anyone with FAS experience who can help or give advice, please do. :) I'm asking Fabian if he can set up a few VMs for the auth tryout - something disposable where folks helping can get ssh + sudo to do the work. Just to be accurate, we may want to have a separate VM for the database as that's likely how we'd configure it in the end.
https://github.com/fedora-infra/fas/blob/develop/INSTALL
http://infrastructure.fedoraproject.org/el/6/x86_64/
http://infrastructure.fedoraproject.org/el/7/x86_64/
Fedora is currently running FAS2 on EL6, primarily due to TurboGears requirements. I was told we can run the Postgres instance on CentOS 7, but trying to do the FAS2 on CentOS 7 sounds like a bit of a rathole right now. Anyway, lots of *.centos.org runs on CentOS 6, so no worries there. (FAS3 is coming end-of-year aiui, and it will run on CentOS 7.)
Anyone interested in setting up FreeIPA for a comparison?
We do know of one blocker for FreeIPA, which is that it doesn't have user self-service features - you can't reset your own password, etc. That may not be a problem for us if we have <200 users on the Koji+git, but if we use IPA for more than that, we'll have a scaling problem. One option is to code the module(s) ourselves, which is nothing I'm able to do. :)
- Karsten
Karsten 'quaid' Wade .^\ CentOS Doer of Stuff
http://TheOpenSourceWay.org \ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
I suppose that's my cue to actually post links to the minutes from our Monday meeting! Sorry for the oversight everyone.
Summary: http://www.centos.org/minutes/2014/september/centos-devel.2014-09-15-13.01.h...
Chatlog: http://www.centos.org/minutes/2014/september/centos-devel.2014-09-15-13.01.l...
Brian
-- Brian Stinson bstinson@ksu.edu | IRC: bstinson | Bitbucket/Twitter: bstinsonmhk
I missed the meeting this week but read the log. It seemed one of our major blockers is the auth system. I was thinking it might be useful if we set up an instance of FreeIPA and Fedora Account System (FAS) to do a side-by-side comparison?
BTW, I just learned in #centos-devel that auth is not actually a blocker for progress with Koji, which is good news. (Also means I should re-read the IRC log again :D )
We can work in parallel to test FreeIPA and FAS, and when a solution is delivered, switch Koji to use that.
- Karsten
--
Karsten 'quaid' Wade .^\ CentOS Doer of Stuff
http://TheOpenSourceWay.org \ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
On 16/09/14 22:11, Karsten Wade wrote:
I missed the meeting this week but read the log. It seemed one of our major blockers is the auth system. I was thinking it might be useful if we set up an instance of FreeIPA and Fedora Account System (FAS) to do a side-by-side comparison?
BTW, I just learned in #centos-devel that auth is not actually a blocker for progress with Koji, which is good news. (Also means I should re-read the IRC log again :D )
We can work in parallel to test FreeIPA and FAS, and when a solution is delivered, switch Koji to use that.
- Karsten
Yes, the main blocker on CBS isn't (at the moment) the central authentication. Koji supports both kerberos and x509 certificates. The IPA/FAS discussion is related but not directly required for the CBS effort. That's the reason why, due to the small amount of people requiring CBS access $now, it was decided with Thomas to start small, with our own internal CA to generate our keys/certs for koji and let people start using the CBS platform.
In parallel, the FAS/IPA/other solution discussion can be held/debated/selected. And we'll always have a solution to migrate CBS to the other x509 setup we'll have in production.
Cheers,
-- Fabian Arrotin gpg key: 56BEC54E | twitter: @arrfab
On 16/09/2014 21:24, Fabian Arrotin wrote:
Yes, the main blocker on CBS isn't (at the moment) the central authentication. Koji supports both kerberos and x509 certificates. The IPA/FAS discussion is related but not directly required for the CBS effort. That's the reason why, due to the small amount of people requiring CBS access $now, it was decided with Thomas to start small, with our own internal CA to generate our keys/certs for koji and let people start using the CBS platform. In parallel, the FAS/IPA/other solution discussion can be held/debated/selected. And we'll always have a solution to migrate CBS to the other x509 setup we'll have in production.
Speaking personally, I'm quite an IPA advocate, and have done a bunch of work customising it for $employer and tying various bits of software into it as an authn/authz source. However, I'm trying not to push it too hard (not least because I had a brief chat with Jim, and he said that there were some issues around using it that'd require potential functionality development in IPA itself, some of which may not be trivial). FAS works nicely for Fedora, and the potential for federating Fedora and CentOS FAS does sound quite appealing.
Is there somewhere we can start collating requirements for the auth system? The Trello board, or a wiki page maybe? We could use that to start making a requirements vs software features matrix to help guide our decisions.
( I also missed the #centos-devel conversation, and need to go back and read the logs )
On 09/17/2014 05:25 AM, Howard Johnson wrote:
On 16/09/2014 21:24, Fabian Arrotin wrote:
Yes, the main blocker on CBS isn't (at the moment) the central authentication. Koji supports both kerberos and x509 certificates. The IPA/FAS discussion is related but not directly required for the CBS effort. That's the reason why, due to the small amount of people requiring CBS access $now, it was decided with Thomas to start small, with our own internal CA to generate our keys/certs for koji and let people start using the CBS platform. In parallel, the FAS/IPA/other solution discussion can be held/debated/selected. And we'll always have a solution to migrate CBS to the other x509 setup we'll have in production.
Speaking personally, I'm quite an IPA advocate, and have done a bunch of work customising it for $employer and tying various bits of software into it as an authn/authz source. However, I'm trying not to push it too hard (not least because I had a brief chat with Jim, and he said that there were some issues around using it that'd require potential functionality development in IPA itself, some of which may not be trivial). FAS works nicely for Fedora, and the potential for federating Fedora and CentOS FAS does sound quite appealing.
If IPA can be made to work, then I'm all for it. I'd like something we can use that won't require a ton of custom patching in the future.
Is there somewhere we can start collating requirements for the auth system? The Trello board, or a wiki page maybe? We could use that to start making a requirements vs software features matrix to help guide our decisions.
We've not put anything together officially, but we do have a basic list.
Auth primarily needs to function for git, koji, http, and local auth (for the projects who require a vm). Further integration like the forums or bugs is a bonus, but not a deal breaker.
Users need to be able to maintain their own accounts, to include generating an ssl cert for koji, resetting password, uploading ssh keys, etc. If these steps require intervention from someone on the project, then it fails. SIG leaders should be able to manage their own groups, so we'd need tiered permissioning. Project folks add sig leaders, sig leaders can add sig members etc.
Currently the only two auth mechanisms that seem to cover both aspects of this are FAS and IPA. Each seems to have a few drawbacks.
KB/Fabian, shall we add a trello card with more formal requirements? Then we can do a head-to-head to see what works. I'm entirely fine with having a shoot-out between them. If Howard wants to take on setting up an IPA instance in a vm, I believe Karsten is working on a FAS test instance.
On 17 September 2014 04:25, Howard Johnson merlin@mwob.org.uk wrote:
On 16/09/2014 21:24, Fabian Arrotin wrote:
Yes, the main blocker on CBS isn't (at the moment) the central authentication. Koji supports both kerberos and x509 certificates. The IPA/FAS discussion is related but not directly required for the CBS effort. That's the reason why, due to the small amount of people requiring CBS access $now, it was decided with Thomas to start small, with our own internal CA to generate our keys/certs for koji and let people start using the CBS platform. In parallel, the FAS/IPA/other solution discussion can be held/debated/selected. And we'll always have a solution to migrate CBS to the other x509 setup we'll have in production.
Speaking personally, I'm quite an IPA advocate, and have done a bunch of work customising it for $employer and tying various bits of software into it as an authn/authz source. However, I'm trying not to push it too hard (not least because I had a brief chat with Jim, and he said that there were some issues around using it that'd require potential functionality development in IPA itself, some of which may not be trivial). FAS works nicely for Fedora, and the potential for federating Fedora and CentOS FAS does sound quite appealing.
Well I am not sure that FAS allows for federation yet :). I like to think of FAS as Kerberos done by people who hated Kerberos but generally adding in various features over time :).
I personally have no horse in this race. I can help with getting a FAS up and relay problems we run into for the FAS3 development group which is working this December. I can also learn how FreeIPA works and help out there if possible.
Is there somewhere we can start collating requirements for the auth system? The Trello board, or a wiki page maybe? We could use that to start making a requirements vs software features matrix to help guide our decisions.
( I also missed the #centos-devel conversation, and need to go back and read the logs )
-- HJ
On 09/17/2014 09:46 PM, Stephen John Smoogen wrote:
Well I am not sure that FAS allows for federation yet :). I like to think of FAS as Kerberos done by people who hated Kerberos but generally adding in various features over time :).
One of the key issues we need to solve, and I am not sure how we are going to do this is git-branch to user to sig mapping. Consider this:
- git.centos.org hosts git repos, one repo per package name ( eg. there is only one kernel.git repo ).
- master branch for each of those git repos is locked and will not allow content beyond the readme file.
- the distro branches are locked, in that only core sig people and the rhel release process can write to those branches. eg. c5/c6/c7 are not available to commit and push into by anyone other than the buildsystem for the distros.
- every sig gets commit access to the git repos they want ( and anyone can ask for any repo ); however, they can only push to git.centos.org into a branch name that matches that signame. assume virt-sig has 'virtsig' as their ID, then their kernel will and can live in the same git repo as the distro kernel, but in a branch called virtsig. Our git infra can ( and already does ) handle this level of user to group to gitbranch mapping.
- we need the auth mechanism used for koji, the lookaside cache upload and whatever interface is exposed to git.centos.org, to also work with this.
Note: 1) we might need to find a schema that allows a sig to push multiple branches. eg. if the virtsig is doing a kernel-mainline and a kernel-xen, they might need two branches to handle those in. I've tested that with a tag_* schema, where virtsig_<whatever> would be accepted from a member of the virtsig team; but this might be creating unneeded constraints on the sig folks, so am open to conversation around that.
2) the git.centos.org resource is completely multi-master federated and replicated. Recently some people in Canada complained about perf issues against it, and I can quite imagine us putting more of the replicas public ( this includes the entire api and git interface, not just the web interface ) - so the auth mechanism we end up with needs to support that as well ( I don't see it as being a problem, but it's worth mentioning ).
Regards
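The branch rules listed in the message above, written out as a push-authorization check of the kind a server-side `pre-receive` hook could run. This is an added example, not code from git.centos.org or from anyone in the thread; the `core` group id, the rule that SIG ids contain no underscore, the suffix character set and the function names are all assumptions.

```python
import re

# Assumed identifiers (not from the thread): "core" stands for core SIG members
# and the distro buildsystem; SIG ids are assumed to contain no underscore.
CORE_GROUP = "core"
DISTRO_BRANCHES = frozenset({"c5", "c6", "c7"})    # the examples named in the thread
RESERVED = DISTRO_BRANCHES | {"master", CORE_GROUP}
SUFFIX = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")  # assumed charset for <whatever>


def may_push(user_groups, ref):
    """Decide one ref update; returns (allowed, reason)."""
    if not ref.startswith("refs/heads/"):
        return False, "only branch updates are accepted"
    branch = ref[len("refs/heads/"):]

    if branch == "master":
        # Simplification: the thread allows only a readme on master,
        # so this sketch refuses every push to it.
        return False, "master is locked"

    if branch in DISTRO_BRANCHES:
        if CORE_GROUP in user_groups:
            return True, "distro branch, core writer"
        return False, "distro branches are writable by core only"

    # SIG branch: either exactly <signame> or <signame>_<whatever>.
    # Splitting on the first "_" keeps "virtsigx" from matching "virtsig".
    sig, sep, suffix = branch.partition("_")
    if sig in RESERVED:
        return False, "reserved name cannot be used as a SIG prefix"
    if sig not in user_groups:
        return False, "branch does not match any SIG the user belongs to"
    if sep and not SUFFIX.fullmatch(suffix):
        return False, "malformed suffix after the SIG name"
    return True, "SIG branch owned by " + sig


def rejected_updates(user_groups, hook_lines):
    """Apply may_push to pre-receive style input: '<old> <new> <ref>' per line."""
    rejected = []
    for line in hook_lines:
        parts = line.split()
        if len(parts) != 3:
            rejected.append((line, "malformed update line"))
            continue
        allowed, reason = may_push(user_groups, parts[2])
        if not allowed:
            rejected.append((parts[2], reason))
    return rejected


# Constructed sample: one push from a virtsig member touching four refs
# (object ids shortened for readability).
SAMPLE = [
    "0000 aaaa refs/heads/virtsig",
    "0000 bbbb refs/heads/virtsig_kernel-xen",
    "1111 cccc refs/heads/c7",
    "2222 dddd refs/heads/virtsigx",
]

if __name__ == "__main__":
    for ref, reason in rejected_updates({"virtsig"}, SAMPLE):
        print("deny", ref, "-", reason)
```

A hook built on this would refuse the whole push if `rejected_updates` returns anything, so one disallowed ref cannot ride along with allowed ones.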
On Wed, Sep 17, 2014 at 9:57 PM, Karanbir Singh mail-lists@karan.org wrote:
- every sig gets commit access to the git repos they want ( and anyone can ask for any repo ); however, they can only push to git.centos.org into a branch name that matches that signame. assume virt-sig has 'virtsig' as their ID, then their kernel will and can live in the same git repo as the distro kernel, but in a branch called virtsig. Our git infra can ( and already does ) handle this level of user to group to gitbranch mapping.
I assume you mean something like virtsig/c5, virtsig/c6, &c?
-George
On 09/17/2014 01:46 PM, Stephen John Smoogen wrote:
I personally have no horse in this race. I can help with getting a FAS up and relay problems we run into for the FAS3 development group which is working this December. I can also learn how FreeIPA works and help out there if possible.
If you want to work with me on the FAS instance, that would be great. We can coordinate directly, maybe get together to do sprints via IRC.
- Karsten
--
Karsten 'quaid' Wade .^\ CentOS Doer of Stuff
http://TheOpenSourceWay.org \ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
On 09/17/2014 03:46 PM, Stephen John Smoogen wrote:
Well I am not sure that FAS allows for federation yet :). I like to think of FAS as Kerberos done by people who hated Kerberos but generally adding in various features over time :).
Correct. Federation was discussed as being on the FAS3 roadmap. The largest win I see from FAS is a common toolset with fedora/epel which would (in theory) enable simpler contribution sharing.
With IPA, the largest win is that it's a part of the base distribution, and quite well documented. There are no real "extras" required to make it go.
I personally have no horse in this race. I can help with getting a FAS up and relay problems we run into for the FAS3 development group which is working this December. I can also learn how FreeIPA works and help out there if possible.
Agreed. I don't really care which one we go with, so long as it does what we need.
On 09/17/2014 03:25 AM, Howard Johnson wrote:
Is there somewhere we can start collating requirements for the auth system? The Trello board, or a wiki page maybe? We could use that to start making a requirements vs software features matrix to help guide our decisions.
I haven't used Trello much to know if this fits there yet, a wiki page is fine for me.
- Karsten
--
Karsten 'quaid' Wade .^\ CentOS Doer of Stuff
http://TheOpenSourceWay.org \ http://community.redhat.com
@quaid (identi.ca/twitter/IRC) \v' gpg: AD0E0C41
On 16 September 2014 13:22, Karsten Wade kwade@redhat.com wrote:
On 09/16/2014 09:32 AM, Brian Stinson wrote:
On Sep 16 17:23, Karanbir Singh wrote:
Should we try and get a ToDo List together for the outstanding work ? That gives us a target to drive towards. Maybe even a trello board, so we can easily monitor who's doing what and who needs help where.
thanks
That sounds like a good idea. Is there already a Trello organization out there? I'm wondering if we should include the bugtracker as well.
I missed the meeting this week but read the log. It seemed one of our major blockers is the auth system. I was thinking it might be useful if we set up an instance of FreeIPA and Fedora Account System (FAS) to do a side-by-side comparison?
I'm available to work on the FAS instance this week, if there is anyone with FAS experience who can help or give advice, please do. :) I'm asking Fabian if he can set up a few VMs for the auth tryout - something disposable where folks helping can get ssh + sudo to do the work. Just to be accurate, we may want to have a separate VM for the database as that's likely how we'd configure it in the end.
I can help with the FAS side of things. I can try to get to the meetings though they are at 0700 my time currently. I have put it on my calendar for next week.
https://github.com/fedora-infra/fas/blob/develop/INSTALL
http://infrastructure.fedoraproject.org/el/6/x86_64/
http://infrastructure.fedoraproject.org/el/7/x86_64/
Fedora is currently running FAS2 on EL6, primarily due to TurboGears requirements. I was told we can run the Postgres instance on CentOS 7, but trying to do the FAS2 on CentOS 7 sounds like a bit of a rathole right now. Anyway, lots of *.centos.org runs on CentOS 6, so no worries there. (FAS3 is coming end-of-year aiui, and it will run on CentOS 7.)
Anyone interested in setting up FreeIPA for a comparison?
We do know of one blocker for FreeIPA, which is that it doesn't have user self-service features - you can't reset your own password, etc. That may not be a problem for us if we have <200 users on the Koji+git, but if we use IPA for more than that, we'll have a scaling problem. One option is to code the module(s) ourselves, which is nothing I'm able to do. :)
Setting up either one of these is going to be 'easy' but may not actually tell what problems people are going to run into getting things integrated with koji stuff.