Talk:SAC Meeting 2018-03-02

Transcript
19:59:14	robe2:	Everybody ready to meet
19:59:36	TemptorSent:	Hello
20:01:52	robe2:	Hi TemptorSent
20:03:08	robe2:	Well doesn't look like Martin was able to make it but he did provide his list of accomplishments
20:03:51	robe2:	First on agenda FOSS4G2018 I think I was supposed to be doing something but still have a cold
20:05:11	TemptorSent:	Okay, I honestly can't make heads or tails as to what that agenda item means :)
20:05:22	robe2:	Next topic www.osgeo.org website I plan to move this weekend
20:05:55	robe2:	probably like early morningish on Saturday
20:06:06	robe2:	TemportSent you mean the FOSS4G2018 one?
20:06:24	TemptorSent:	Yes, the one on the meeting wiki
20:08:15	robe2:	TemptorSent I updated it a bit
20:08:35	robe2:	the main objective is to move it over to webextra and have it under letsencrypt ssl
20:09:02	TemptorSent:	Ahh, much clearer.
20:09:04	robe2:	I'm not even quite sure the state of webextra or if it should be moved to new VM we will eventually build
20:09:59	robe2:	next topic is the new hardware
20:10:36	robe2:	I'd ask wildintellect but he isn't here. Does anyone know if we are any nearer to having the new hardware. I get the feeling it still has not been purchased
20:10:56	robe2:	then again I've been drugged up on robitussin so I may have missed some events
20:11:03	TemptorSent:	I haven't seen any further quotes/PO, nor have I heard anything.
20:11:29	robe2:	okay so I'll put a note to follow up on mailing list for that
20:12:19	TemptorSent:	I think we had the configuration solid, and the only thing not nailed down is how much bulk storage we need.
20:13:48	robe2:	TemptorSent since you are more informed you want to shoot off a SAC list mail detailing status and pushing to nail that so we can get some new hardware
20:13:52	TemptorSent:	OSGeoLive requests a fair chunk of storage for maintaining their versioned artifacts, and I imagine that the geodata group will need a decent chunk even just for the small stuff, so IMHO, the more the better.
20:14:07	robe2:	I'm hesitant to bring anything else new on without that small comfort :)
20:14:43	robe2:	Yah me too but we should also consider what we have that can be reused as well
20:15:07	TemptorSent:	The difference is only a few hundred dollars one way or the other from the original quote.
20:15:42	robe2:	TemportSent we should just buy it then -- propose that so we can be done with it
20:16:04	robe2:	strk are you awake :)
20:16:18	robe2:	any movement on drop box replacement?
20:17:43	TemptorSent:	From my reply to the mailing list a while back, the pricing for larger drives: (+$212 for 4x10he or +$540 for 4x12he)
20:18:37	robe2:	ping strk
20:18:45	robe2:	strk is apparently asleep again
20:19:25	TemptorSent:	That gives us practical double-redundant storage of 12-16TB and 16-20TB respectively, depending how we use it.
20:19:54	robe2:	TemptorSent that sounds good to me. Want to shoot off email or you want me too?
20:20:42	TemptorSent:	If you'd like to put out the call to finalize discussion, that would probably be best.
20:21:40	TemptorSent:	I think I pretty well flogged the dead horse in the thread on the mailing list already :)
20:23:03	robe2:	okay will do
20:25:06	robe2:	TemptorSent sent my crying baby email :)
20:25:18	TemptorSent:	*lol*
20:26:30	TemptorSent:	Those HDD prices are relative to the first entry on https://drive.google.com/file/d/1X-z66jXXBUZuPqh6EP0d43g2NUCL7xcL/view
20:26:31	sigabrt:	Title: Silicon_Mechanics_Quote_344069.pdf - Google Drive (at drive.google.com)
20:30:47	robe2:	Well Alex can clarify if needed
20:30:55	robe2:	next topic TracSVN
20:31:14	robe2:	performance seem to be good. Do we still have svn permission issue?
20:31:16	TemptorSent:	As for reuse, it's difficult to recommend using older hardware for anything other than backup or supporting non-critical service at this point.
20:31:35	TemptorSent:	I'm not familiar with what's going on as far as perms...
20:31:43	robe2:	I didn't check I know I did have one trying to pull gdal (it prompted for password) - about a week ago
20:32:51	TemptorSent:	Was the repo or db behind it down at the time perhaps? It appears that it prompts for password on any private OR non-existent repo.
20:33:16	robe2:	Well as I recall I could still get into postgis svn
20:33:41	strk:	sorry I was cooking
20:33:50	robe2:	it was trying to anonymously pull (e.g from GDAL) where it was an issue
20:33:53	strk:	(and eating)
20:34:10	robe2:	strk you always seem busy at this time
20:34:17	robe2:	maybe we should push meeting time up one hour
20:34:25	robe2:	or 30 minutes :)
20:34:40	TemptorSent:	Hiya strk.
20:34:47	robe2:	strk we were just talking about svn
20:34:54	strk:	I am, in particular today I've had an incident with pasta (was populated by little flies, so I had to throw it away after cooking for 30 minutes
20:35:03	robe2:	if people are still having permission issues. Martin said he was investigating
20:35:19	strk:	I've read that report
20:35:25	robe2:	strk pasta and flies -- nice combination :)
20:35:28	strk:	but could not handle to verify it
20:35:30	TemptorSent:	Has EvenR mentioned any issues with the gdal repo? I suspect he'd be the first to see them.
20:35:45	strk:	it's supposedly affecting anonymous users
20:35:48	TemptorSent:	strk - sounds like it was a french dish :)
20:35:48	strk:	hardly any developer would notice
20:35:50	robe2:	fly sauce sounds yummy don't need to add any extra meat
20:36:11	strk:	I'm using "flies" because I don't know the english word for what they were
20:36:13	robe2:	strk yah that was my experience
20:36:17	strk:	just very tiny dots, moving
20:36:25	strk:	"bugs" ?
20:36:32	robe2:	when I was trying to check out gdal code was only time I had the issue, so I just went for tar ball instead
20:36:37	TemptorSent:	strk - he wouldn't have problems, but #gdal would get flooded.
20:36:54	strk:	I don't know how many people would be using SVN in 2018
20:37:08	TemptorSent:	weevils?
20:37:15	robe2:	well I think most people probably pull gdal from gasp github unless they commit to gdal
20:37:19	robe2:	so they wouldn't notice
20:37:21	strk:	so nobody replicated ?
20:37:39	TemptorSent:	Was it only a problem from svn itself, not from gitea?
20:37:39	robe2:	strk?
20:37:46	robe2:	no I think the replication is fine
20:37:52	strk:	gitea is unrelated to svn
20:37:57	robe2:	just couldn't pull from svn anonymously
20:38:07	strk:	any repo or just gdal ?
20:38:24	robe2:	TemporSent yah only thing they have in common is LDAP use, so that rules out LDAP I guess
20:38:42	robe2:	but anyway you don't need to authenticate to anonymously pull
20:38:50	TemptorSent:	strk - what's bridging the svn/git view then?
20:39:03	robe2:	strk gdal was the only one besides geos and postgis I use
20:39:12	robe2:	and gdal is the only one I'm not a committer on so would notice
20:39:45	robe2:	let me try again hold on
20:40:50	robe2:	seems fine now - well svn updating a gdal 2.2 branch
20:41:09	robe2:	so perhaps martin did fix in his investigation
20:41:12	strk:	I was looking at the configurations, don't see anything different between postgis and gdal
20:41:25	robe2:	strk well it wouldn't be the configuration
20:41:26	strk:	TemptorSent: which view ? You mean Trac ?
20:41:37	strk:	robe2: permissions are also the same
20:41:46	robe2:	it would be whether you are logging in or anonymous
20:41:56	TemptorSent:	Huh, I thought it had a gitea connection too -- apparently not.
20:42:06	robe2:	I do gdal always as a public user since I don't have commit access
20:42:08	strk:	TemptorSent: Gitea only supports Git
20:42:53	strk:	are we following an agenda or talking randomly ?
20:43:14	robe2:	following an agenda until you disrupted our flow :)
20:43:28	strk:	sorry, I'll be quiet
20:43:50	robe2:	https://wiki.osgeo.org/wiki/SAC_Meeting_2018-03-02
20:43:51	sigabrt:	Title: SAC Meeting 2018-03-02 - OSGeo (at wiki.osgeo.org)
20:43:56	robe2:	we are up to ticket triage
20:44:11	robe2:	I don't think we want to enforce https on downloads
20:44:27	strk:	soon browsers will enforce https anyway
20:44:37	robe2:	people can use http or https now which serves the need and I worry about banning older wget etc.
20:44:45	robe2:	yah so we really don't need to
20:44:56	robe2:	as long as we support https which now we do
20:45:11	strk:	+1
20:45:33	TemptorSent:	Agreed, http for downloads is perfectly fine, especially if checksums are provided via https when desired.
20:46:26	TemptorSent:	https everywhere is breaking caching in most places, increasing overhead where there is no particular benefit.
20:46:53	MartinSpott:	Moin
20:47:04	strk:	TemptorSent: indeed
20:47:08	TemptorSent:	Forcing it for login/authenticated use is fine, but for pulling bulk data, it's a waste of resources when the user doesn't want it.
20:47:12	robe2:	Hey MartinSpott
20:47:17	robe2:	glad you could join us
20:47:20	TemptorSent:	Hello MartinSpott.
20:47:33	robe2:	last we spoke was about the svn permission issue. But seems fine to me now
20:47:48	robe2:	I had password prompt for svn gdal before and just tested and seems fine.
20:48:24	robe2:	TemptorSent yap my feeling too
20:48:38	MartinSpott:	I can offer approx. 15 minutes
20:48:53	MartinSpott:	Regarding SVN, as far as I can tell there was one report of failure
20:49:06	MartinSpott:	Maybe it's the right direction, but not far enough ?
20:49:08	strk:	MartinSpott: we cannot reproduce (Regina could some time in the past, but cannot anymore)
20:50:18	robe2:	MartinSpott I'll add my note to that ticket
20:50:39	robe2:	I was having the same issue around the time the ticket came in, but it was there -- I should have added my antidote
20:50:46	robe2:	antecdote
20:51:45	MartinSpott:	Concerning Debian7 upgrades, I'd like to do Web and Wiki as an intermediate step and then take care of moving stuff off the Projects VM
20:51:50	MartinSpott:	does this sound reasonable ?
20:52:50	MartinSpott:	Concerning the main website, do you plan to move it to the old Web VM or a different place ?
20:53:38	robe2:	MartingSpott the main website I'm moving to web18a
20:53:55	MartinSpott:	Oh, isn't it already hosted there ?
20:53:59	robe2:	were you ever able to log into web18a or you still have the issue from before?
20:54:05	TemptorSent:	Sounds reasonable to me.
20:54:11	strk:	MartinSpott: upgrading all machines which need to sounds reasonable (so to close that SSL ticket once for all)
20:54:15	robe2:	no it's hosted on cloudvps.com
20:54:26	robe2:	which we are paying I forget how much for a month
20:54:38	MartinSpott:	ah, still on cloudvps
20:54:39	robe2:	something like $50 a month I think
20:54:45	robe2:	or $40 EUR
20:55:06	robe2:	yah and it's running PHP5 and MYSQL5 yuck and Debian 8
20:55:33	MartinSpott:	heh, I'm running my private EMail relay there, they're doing a good job, as far as I can tell
20:55:40	robe2:	but anyway my plan is to disable editing on it, move it over - change the DNS
20:55:55	robe2:	so anyone who has the old dns entry can still view the site, but won't be able to edit
20:56:05	TemptorSent:	Sounds good.
20:56:13	MartinSpott:	concerning web18a, I have to admit I didn't try again in the meantime
20:56:32	TemptorSent:	What kind of provisioning do we currently have with cloudvps?
20:56:58	robe2:	it's the same config as web18a (except it's debian 8 instead of debian 9)
20:57:16	robe2:	and we don't use any of their backup services or anything
20:57:43	robe2:	just had baccula installed on it, which MartinSpott is going to install on web18a once he can log in
20:57:48	MartinSpott:	ssh -l tech_dev web18a.osgeo.osuosl.org still gives me a "Permission denied (publickey)"
20:57:53	robe2:	strk yah and I probably spelled that wrong
20:58:16	MartinSpott:	from both machines, private and work
20:58:29	robe2:	MartinSpott and ssh -l martin
20:58:41	robe2:	let me check the logs
20:58:53	strk:	TemptorSent: do you mean "automated deploy" by "provisioning" ?
20:59:45	TemptorSent:	Resources provisioned -- disk, memory, cores, network
21:00:15	TemptorSent:	And if it's a volume that can be exported wholesale :)
21:01:25	robe2:	MartinSpott hmm can you try again, not seeing you in logs though I see my successful log in
21:01:52	robe2:	or is 84.245.154.74 you
21:01:57	MartinSpott:	Ok, will now try from 84.245.154.74 as user martin
21:02:11	MartinSpott:	failure
21:03:12	robe2:	Mar 2 21:00:48 web18a sshd[21276]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] Mar 2 21:00:48 web18a sshd[21276]: Connection closed by 84.245.154.74 port 48472 [preauth]
21:03:21	MartinSpott:	TemptorSent: According to my - little - experience with CloudVPS, you can't export a volume
21:03:23	TemptorSent:	Is that host documented on the wiki anywhere?
21:03:41	TemptorSent:	MartinSpott - Drat, that would be convenient :)
21:03:45	robe2:	TemptorSent yes it is but anyway I wouldn't want to export volume
21:03:49	robe2:	backup file is small
21:03:52	robe2:	under 2 GB
21:04:41	MartinSpott:	robe2: I wonder where it gets a dss key from
21:04:53	MartinSpott:	Let me try again:
21:04:54	TemptorSent:	Yeah, it just makes it easier to clone the exact deployment back and forth.
21:04:59	robe2:	TemptorSent here is the CloudVPS - https://wiki.osgeo.org/wiki/SAC:betawebsite
21:05:00	MartinSpott:	foehn: 22:04:16 ~> ssh -i .ssh/id_rsa.pub -l martin web18a.osgeo.osuosl.org
21:05:01	sigabrt:	Title: SAC:betawebsite - OSGeo (at wiki.osgeo.org)
21:05:08	MartinSpott:	Permission denied (publickey).
21:05:17	robe2:	Yah I wouldn't want to cause it's running PHP 5 yuck
21:05:35	robe2:	We should never have let the web site contractors set it up
21:05:54	robe2:	it was using myisam, not utf8, old php old mysql
21:05:59	strk:	TemptorSent: if it's not in Service_Status wiki page I suggest you file an enhancement ticket to have it added
21:06:00	TemptorSent:	Ug, that's downright ancient at this point.
21:07:00	strk:	robe2: SAC:betawebsite is the description of "web18a" hardware and usage etc ? We should try to be consistent with those pages
21:07:26	robe2:	the web18a I have in gitea wiki - https://git.osgeo.org/gitea/osgeo/www_apache_configs/wiki/Web18a-setup
21:07:32	strk:	like SAC:OSGeo6, we should have SAC:Web18a (or similar)
21:07:55	robe2:	strk betawebsite is not web18a it's cloudvps
21:07:58	strk:	gitea wiki is still not official, please use the mediawiki, with all others
21:08:00	TemptorSent:	I'm sure it's there somewhere, but I can't find anything reliably on the wiki at all -- pages don't link to other pages and categories seem almost random.
21:08:23	strk:	TemptorSent: yeah, wiki always needs more love
21:08:39	robe2:	strk can I put a link to gitea wiki page on mediawiki :)
21:09:03	robe2:	I like the gitea wiki better cause it's in git and the syntax is a lot easier to deal with
21:09:54	robe2:	anyway getting back to Martin's problem he can't get into web18a
21:09:59	TemptorSent:	robe2 - if so, we should probably look at migrating all related materials to the same place so we don't have even MORE of a mess on our hands.
21:10:16	robe2:	strk I don't think I ever added your key to techdev, but you can get in fine with strk right -- can you log in
21:10:26	robe2:	just want to compare messages I am seeing in auth
21:11:11	strk:	robe2: I'm fine with just a link on mediawiki :)
21:11:44	robe2:	TemporSent I was also concerned cause I was copying from my local scripts where I may have left passwords
21:12:03	robe2:	and I figured since the gitea one is locked down, only SAC folks would see it anyway should I have made such a mistake
21:12:06	TemptorSent:	Yeah, good point.
21:12:10	TemptorSent:	I can't even see it :)
21:12:30	strk:	I do can login to web18a
21:13:09	robe2:	TemptorSent now you can :)
21:13:10	MartinSpott:	strk: Can you look into the "martin" account as root ?
21:13:31	TemptorSent:	Ahh, much better -- thanks robe2.
21:13:38	robe2:	MartinSpott when strk logs in I see him authenticating with ssh2 like me
21:14:04	strk:	I cannot become root (don't have a password to "sudo")
21:14:13	robe2:	but yours gives that ssh-dss thingy
21:14:21	strk:	uhm, I'm silly
21:14:22	robe2:	strk password is your password
21:14:29	MartinSpott:	ok, that would have made it easier to debut during daytime hours
21:14:37	strk:	(it's my LDAP)
21:14:44	robe2:	yap
21:14:55	MartinSpott:	debug
21:14:59	robe2:	I didn't add you to the main techdev account which doesn't use ldap
21:15:00	strk:	MartinSpott: you have 2 keys authorized
21:15:07	robe2:	but all other accounts use LDAP
21:15:17	strk:	ok, now you do MartinSpott
21:15:26	strk:	authorized_key was in your home, rather than under .ssh
21:15:34	MartinSpott:	ouch
21:15:41	robe2:	oh no don't tell me I screwed that
21:15:44	robe2:	:(
21:16:05	TemptorSent:	Details, details -- why don't computers just do what we mean, not what we tell them?
21:16:09	strk:	I dunno who screwed that, it was around Feb 21 20:42
21:16:09	MartinSpott:	I'm in
21:16:32	robe2:	TemptorSent that's my next project RegOS does what you mean not what you tell it to
21:16:35	MartinSpott:	both keys working
21:16:40	TemptorSent:	*cheers*
21:16:59	robe2:	MartinSpott so sorry for my ineptness
21:17:07	robe2:	so I must have screwed up the techdev one somehow
21:17:18	strk:	I added my key to root's authorized keys too
21:17:30	strk:	just in case LDAP breaks
21:17:32	TemptorSent:	So rm -rf will just cause the computer to burst into flames without wiping the drive robe2? :)
21:17:39	robe2:	strk you can't log in with root
21:17:48	robe2:	you need to add it to tech_dev
21:17:53	robe2:	root login is not allowed
21:18:08	strk:	ah, ok
21:18:34	MartinSpott:	robe2: intentionally disabled ?
21:18:41	robe2:	yes
21:18:41	strk:	what's the point ?
21:18:43	TemptorSent:	The only time direct root login should be allowed is directly from the hardware console.
21:18:46	robe2:	by osuosl staff
21:18:49	strk:	do we all share "tech_dev" password then ?
21:18:55	robe2:	but Alex and I thought that was probably for best anyway
21:19:03	TemptorSent:	No, just add all keys to tech_dev
21:19:16	strk:	ok but what for ?
21:19:17	robe2:	strk well technically we only need tech_dev if ldap is down
21:19:20	TemptorSent:	remote root login should NEVER be enabled, EVER.
21:19:20	robe2:	so yes we do
21:19:43	robe2:	and it's in the file called password which we were going to delete but is in secure/access if you need it
21:19:50	MartinSpott:	TemptorSent: I know, and the more often you repeat it, the less I care about it
21:20:20	strk:	ok, found tech_dev password
21:20:24	MartinSpott:	If I need a teacher, I'll ask for one
21:20:32	TemptorSent:	MartinSpott - I know you do MartinSpott, I was telling strk.
21:21:22	strk:	so shall we drop root's authorized_keys ?
21:21:42	robe2:	who's in it?
21:21:58	TemptorSent:	You can still use them from localhost if you like as opposed to sudo
21:21:59	robe2:	I guess you can
21:22:12	robe2:	oh okay so we should keep them
21:22:22	robe2:	osuosl staff keys might be in there
21:22:38	MartinSpott:	they are - and for a good reason
21:22:56	TemptorSent:	If you ever watch the logs for a while, you'll see hundreds of attempts to port 22 as root per day.
21:23:20	robe2:	yah among others
21:23:45	robe2:	anyway been 1.5 hrs
21:23:53	TemptorSent:	Those should be getting blocked before they ever get a chance to try anything, which makes brute-force attacks mostly worthless.
21:24:02	MartinSpott:	TemptorSent: Indeed, and, as a super clever guy you'll know that disabling root SSH logins won't change that
21:24:10	robe2:	I think only thing left to cover is LDAP ssh keys - which I presume we are no closer to accomplishing
21:24:37	TemptorSent:	I never use password logins to remote machines for exactly that reason.
21:24:57	strk:	it looks like MartinSpott is too busy with upgrades to look at LDAP ?
21:25:02	TemptorSent:	AFAIK, there is nothing preventing the use of ssh ldap keys other than adding the schema.
21:25:02	MartinSpott:	TemptorSent: I don't use password logins to remote machines either
21:25:06	robe2:	and GeoForALL -- jmckenna anything to say about that
21:25:21	MartinSpott:	We're not talking about password logins, we're talking about root logins
21:25:32	strk:	TemptorSent: are you familiar with LDAP ? Do you want to be our LDAP resident maintainer ?
21:26:05	TemptorSent:	I'm rusty with ldap, but 20ish years ago I maintained a multi-master auth service that worked pretty well :)
21:26:11	MartinSpott:	Oh, don't do that, next day he's going to disable another vital feature
21:26:31	robe2:	someone put a note about some bug in debian to be cautious of with the LDAP ssh thingy
21:26:49	MartinSpott:	That's history
21:27:06	MartinSpott:	overcome with replacing pam_ldap by pam_ldapd
21:27:10	TemptorSent:	Goodbye.
21:27:32	strk:	MartinSpott: what's this fight with TemporSent ?
21:27:44	MartinSpott:	pam_ldap was running as root and modern GnuTLS doesn't do sensitive stuff as root
21:27:54	robe2:	strk oh I wasn't imagining things I thought I was looking at a cat fight
21:27:57	robe2:	but wasn't sure
21:28:00	MartinSpott:	pam_ldapd is using nslcd as a helper daemon
21:28:08	jmckenna:	no update here from GeoForAll team (still no response from Jason)
21:28:38	robe2:	jmckenna want to send him another note just to be a little annoying to show we care :)
21:29:12	strk:	MartinSpott: what vital feature was disabled by TemporSent ?
21:29:51	jmckenna:	robe2: willdo ;)
21:29:55	MartinSpott:	If you completely disable root logins via SSH, we're locked out if LDAP authentication fails because the way it's set up it relies on LDAP for sudo
21:30:08	MartinSpott:	that's the point
21:30:24	strk:	did he have a role in that ?
21:30:32	MartinSpott:	And that won't change by notoriously repeating that root SSH is bad
21:31:09	robe2:	MartinSpott I'm lost though what is wrong with having a local account, not in ldap that is not root but has sudo
21:31:29	strk:	anyway I've understood the "tech_dev" account still works w/out LDAP
21:31:32	robe2:	Doesn't that serve the same purpose (so you can disable root ssh like what web18a has in place)
21:32:04	MartinSpott:	strk: and how does "tech_dev" authenticate sudo ?
21:32:12	strk:	local password
21:32:18	strk:	or so I understood (didn't verify)
21:32:18	robe2:	but anyway there is a point at which you are so secure you lock yourself out of your house.
21:32:39	robe2:	I'm always more worried about locking myself out than preventing others from getting in.
21:34:43	MartinSpott:	The most critical point in terms of IT security is that the SSH daemon is running as root user
21:34:57	MartinSpott:	and we're unlikely going to change that soon
21:36:50	robe2:	but SSH can still run under root without allowing remote SSH logins right
21:37:05	MartinSpott:	sure, it does
21:38:05		* MartinSpott -> family time
21:38:30	MartinSpott:	mmh, turned out to be a little more than 15 minutes
21:38:41	robe2:	yah it's been long enough here too got some bulk emails to send and applications to launch
21:39:06	robe2:	MartinSpott it's always more than 15 minutes. We are lucky if we can keep it below an hour
21:39:06	MartinSpott:	for the root login, I suggest thinking about passphrase protected Ed25519 keys
21:39:11	MartinSpott:	in the long term
21:40:09	robe2:	Anyway I call meeting over