Talk:SAC Meeting 2018-04-29

Transcript
07:00:09	robe2:	meeting starting now
07:00:36	MartinSpott:	robe2: is anybody here except us two ? ;-)
07:00:43	robe2:	Guess first topic is hardware. But Alex isn't here
07:01:15	robe2:	I know he said he was going to send for purchase since no -1s, does anyone know if he's done that
07:02:20	robe2:	MartinSpott TemptorSent is here I think
07:02:36	MartinSpott:	The new quote is slightly different from the past ones, because it doesn't contain any SSD stuff - did I get this correctly ?
07:02:45	markusN:	Morning!
07:02:47	MartinSpott:	Moggeeeen !
07:02:53	robe2:	Hi Markus
07:03:00	MartinSpott:	repeating myself:
07:03:02	MartinSpott:	The new quote is slightly different from the past ones, because it doesn't contain any SSD stuff - did I get this correctly ?
07:03:25	MartinSpott:	That's fine with me, if nobody objects
07:04:31	robe2:	MartinSpott I thought it still had SSD via the Optane component.
07:04:39	MartinSpott:	Ah, now I see
07:04:46	MartinSpott:	*** Additional ....
07:05:04	MartinSpott:	fine, go for it
07:05:24	robe2:	I'm a bit clueless about the whole Optane thing
07:05:45	MartinSpott:	I suspect it's "cool" ;-)
07:05:49	robe2:	but there seemed to be hardware whores arguing so I figured they'd come up with something good
07:06:07	MartinSpott:	At least it doesn't hurt
07:06:45	robe2:	Next topic funtoo. Too bad TemptorSent couldn't keep his eyes open :)
07:06:56	TemptorSent:	Hello MartinSpott!
07:07:11	robe2:	TemptorSent you're alive and awake :)
07:07:14	TemptorSent:	Hello all.
07:07:17	markusN:	hi TemptorSent
07:07:27	MartinSpott:	Do we still need to retire one of the old machines before activating the new one ?
07:07:33	MartinSpott:	Hi TemptorSent
07:07:35	robe2:	MartinSpott no
07:07:49	robe2:	OSUOSL said they have plenty of space last I recall
07:08:04	MartinSpott:	Oh, how nice
07:08:25	robe2:	so this will be an extra we can start moving stuff to at our own pace
07:08:45	TemptorSent:	That's refreshing.
07:09:07	robe2:	any more questions about Optane - TemptorSent I think knows a lot about it as he was one of the whores arguing
07:10:19	robe2:	okay guess no more questions - next topic funtoo host
07:10:26	MartinSpott:	go ahed
07:10:28	MartinSpott:	ahead
07:10:39	robe2:	MartinSpott you know what SSL ldap.osgeo.org is using?
07:11:03	MartinSpott:	wait a second, I'm mixing names
07:11:04	robe2:	I was trying to setup SSH via LDAP on funtoo, but ldapsearch is failing with key not trusted
07:11:18	MartinSpott:	the former was COMODO I think, the current is ....
07:12:05	robe2:	that's what I thought. As when I copied over the osgeo star bundle from osgeo6 and put on other servers I had setup and set in ldap.config it worked fine
07:12:17	robe2:	I had done the same on funtoo and it didn't work.
07:12:27	TemptorSent:	TLS trace: SSL_connect:SSLv3 read server hello A
07:12:27	TemptorSent:	TLS certificate verification: depth: 2, err: 2, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
07:12:27	TemptorSent:	TLS certificate verification: Error, unable to get issuer certificate
07:12:27	TemptorSent:	TLS trace: SSL3 alert write:fatal:unknown CA
07:12:35	robe2:	TemptorSent it occurred to me maybe it's not using the bundle I referenced
07:12:47	TemptorSent:	TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).
07:13:11	robe2:	TemptorSent is there a way to tell which bundle. Maybe it's cache
07:13:13	robe2:	cached
07:13:31	TemptorSent:	Hmm, I don't recall off hand.
07:13:36	robe2:	I had originally used the ca-certificates one I saw in the folder and when that didn't work I downloaded the one I use
07:14:57	robe2:	MartinSpott TemptorSent can you see this page - https://git.osgeo.org/gitea/osgeo/osgeo_funtoo/wiki/Configuring-SSH-LDAP-on-the-Host
07:15:01	MartinSpott:	didn't the star package contain the entire bundle ?
07:15:14	robe2:	MartinSpott yes it did
07:15:26	robe2:	and it worked on all the debians I have setup
07:15:39	TemptorSent:	Yeah, I'm only seeing two signatures in that bundle.
07:15:51	robe2:	so I suspect this is a funtoo specific issue that it's using some other barebones bundle rather than the one I specified in ldap.config
07:16:23	robe2:	This is the file I changed - /etc/openldap/ldap.conf
07:16:30	TemptorSent:	It should be using the system pems I would think, which have a cert for AddTrust it appears
07:16:49	robe2:	I know it's at least reading it for ldap.osgeo.org since to do the ldapsearch I don't need to specify the -H
07:17:08	TemptorSent:	Ahh, /etc/ssl/openssl.cnf :)
07:17:50	robe2:	ah okay I wonder if maybe that's always used and I had thought it was the ldap one used, but others had an already full bundle
07:18:09	robe2:	TemptorSent did you just edit that or you want me to?
07:18:17	TemptorSent:	I have not edited.
07:18:26	robe2:	okay I'll edit
07:18:56	robe2:	MartinSpott can you check to see if you can get into the funtoo server -- it's tech_dev@funtoo.osgeo.org
07:19:04	robe2:	hopefully I didn't screw up adding your key
07:19:23	MartinSpott:	looks like I'm in
07:19:57	MartinSpott:	BTW, where can I read more about OSGeo using FunToo containers ?
07:20:08	MartinSpott:	There wasn't much I could find
07:21:16	TemptorSent:	We haven't gotten much written up as of yet other than meeting logs and some notes.
07:21:25	MartinSpott:	ok
07:21:41	robe2:	https://www.funtoo.org/LXD#PART_II_-_LXD_Installation
07:21:42	sigabrt:	Title: LXD - Funtoo (at www.funtoo.org)
07:21:45	MartinSpott:	To me the intention isn't clear, that's why I was asking
07:22:13	robe2:	oh we were going to put NextCloud, Weblate
07:22:29	robe2:	basically things we want to experiment with and once they are good we could move to osuosl
07:22:36	MartinSpott:	Is it "container as a paid service" ?
07:22:53	TemptorSent:	Funtoo is providing a fairly substantial amount of resources and infrastructure for us to build out and stage some of our services.
07:22:54	robe2:	though in future we may use it for production stuff, right now just experiments
07:23:26	robe2:	MartinSpott well technically they aren't charging us for use of hardware, but if we like we'd give them some sort of donation like we do for OSUOSL
07:23:31	TemptorSent:	MartinSpott - At the moment, it's being provided as an in-kind donation.
07:23:42	MartinSpott:	I see
07:23:45	strk:	hi
07:23:49	robe2:	So they gave us a host container and we are doing the lxd within lxd thing
07:23:50	TemptorSent:	hi strk :)
07:23:51	strk:	are you in a meeting ?
07:23:54	MartinSpott:	strk: Moin
07:23:59	strk:	hi MartinSpott
07:24:00	TemptorSent:	Good timing!
07:24:01	robe2:	hi strk we were just discussing funtoo with MartinSpott
07:24:06	markusN:	hi strk
07:24:09	strk:	hey
07:24:13	MartinSpott:	"lxd within lxd", really ?
07:24:14	robe2:	and I was still fiddling with setting up ldap ssh
07:24:18	strk:	ouch, I wanted to take a quick look, now I seem to be stuck :P
07:24:44	robe2:	strk you can get in tech_dev@funtoo.osgeo.org
07:24:47	TemptorSent:	MartinSpott Yep, nested containers.
07:25:11	robe2:	I don't have the ldap ssh configured yet. I ran into a stumbling block which TemptorSent might have figured out so going to try
07:25:34	robe2:	strk you can get to here - https://git.osgeo.org/gitea/osgeo/osgeo_funtoo/wiki/Configuring-SSH-LDAP-on-the-Host
07:25:43	TemptorSent:	Yeah, I don't recall how openssl wants to handle bundles by default.
07:26:26	robe2:	TemporSent so in theory if I build local containers -- e.g. if I get this hardware thing - https://antsle.com/
07:26:28	sigabrt:	Title: antsle: The Private Cloud Server, Designed for Developers. (at antsle.com)
07:26:50	TemptorSent:	Yeah, I was looking at that -- pretty slick case!
07:26:56	robe2:	I can copy over the containers etc. It looks like a cute device and cheap end is only $1000 so was going to get it for my dev experiments
07:27:13	robe2:	yah its so cute and Leo was sold on no noise :)
07:27:14	TemptorSent:	I almost bought one of those -D boards a while back, but it was too much money at the time.
07:27:40	TemptorSent:	They've gotten more reasonable it seems, but memory went the other way.
07:28:49	TemptorSent:	No noise would be nice.
07:29:10	MartinSpott:	robe2: which sort of LDAP authentication did you try to establish ?
07:29:44	robe2:	well I just did an ldapsearch
07:29:59	MartinSpott:	ah, and it failed ?
07:30:10	robe2:	I don't think I have all the pieces in place yet cause I was trying to map the packages to gentoo / funtoo and they namespace theirs
07:30:25	TemptorSent:	robe2 -- um, check that ldap config again perhaps?
07:30:48	robe2:	so for example I had installed sudo emerge sys-auth/nss-pam-ldapd
07:31:07	robe2:	I assume that combines both the nss-ldapd and pam-ldapd that we normally install
07:31:22	MartinSpott:	nss != pam
07:31:25	robe2:	MartinSpott yah with the ssl key can't be authenticated
07:31:57		* markusN just FYI: on and off here, mainly for nextcloud item
07:32:08	robe2:	MartinSpott I know that but looks like they combined the packages in funtoo -- you saw link I posted above?
07:32:22	MartinSpott:	robe2: no, password protected ....
07:32:33	robe2:	?
07:33:28	robe2:	so I still need - sudo emerge sys-auth/pam-ldap
07:33:42	TemptorSent:	Nextcloud is up in a subcontainer :)
07:33:43	MartinSpott:	The gitea page you posted above is password protected - which annoys me, I just didn't complain
07:33:48	robe2:	that one didn't have an ldapd at the end and I thought you had mentioned the one without ldapd is old
07:34:16	robe2:	MartinSpott oh are you able to get in? all osgeo folks should be able to.
07:34:33	MartinSpott:	yup, pam/nss_ldap runs as root which is why GnuTLS complains
07:35:00	robe2:	I can unprotect the repo nothing secret in there anyway. Want me to do that
07:35:00	MartinSpott:	pam/nss_ldap*d* uses a user-space daemon
07:35:43	MartinSpott:	robe2: It's up to you
07:35:59	robe2:	MartinSpott what do you recommend?
07:36:32	MartinSpott:	I just think that having a second Wiki and making common stuff password-protected is, well, not very elegant
07:36:33	robe2:	I'm still a bit clueless about what each role plays
07:37:06	robe2:	Well it's specific to funtoo at moment so not quite so common :)
07:37:29	MartinSpott:	a *third* Wiki, BTW
07:37:44	robe2:	you mean cause we have trac too :)
07:37:59	robe2:	Yah strk was arguing with me about that too :)
07:38:29	robe2:	gitea wiki is a lot easier to edit than wiki.osgeo.org (e.g. I can do shift tab and move a whole stream of text)
07:38:40	MartinSpott:	osgeo ~ # nc -nv ldap.osgeo.org ldaps
07:38:40	MartinSpott:	Can't parse ldap.osgeo.org as an IP address
07:39:01	robe2:	and .. I liked the idea of having the page that described setup of server be with the configs we will eventually store
07:39:21	TemptorSent:	osgeo /etc/openldap # ping ldap.osgeo.org
07:39:21	TemptorSent:	PING ldap.osgeo.org (140.211.15.58) 56(84) bytes of data.
07:39:21	TemptorSent:	64 bytes from secure.osgeo.osuosl.org (140.211.15.58): icmp_seq=1 ttl=52 time=49.6 ms
07:39:57	TemptorSent:	robe2 I can't disagree with that last, but we should probably consider standardizing that across all our config repos then.
07:40:00	MartinSpott:	TemptorSent: yes, but apparently there's still something wrong with the resolver
07:40:36	TemptorSent:	Noted. We can poke at that out of band.
07:40:55	MartinSpott:	Agreed
07:41:09	MartinSpott:	Note that this might be the root cause
07:41:11	TemptorSent:	robe2, shall we move on to Nextcloud?
07:41:16	robe2:	yes
07:41:19	TemptorSent:	MartinSpott Agreed.
07:41:24	robe2:	markusN you around
07:41:56	MartinSpott:	Markus ! Markus ! Markus !
07:42:00	MartinSpott:	;-)
07:42:07	robe2:	I think markusN wanted to be involved in the talk hate to start without him being awake
07:42:16	MartinSpott:	markusN: Oh, please get back to us
07:42:31	MartinSpott:	Next time we're having a beer I promise not to be late again ;-)
07:42:57	robe2:	even beer is not waking him hope.
07:43:03	TemptorSent:	Okay, let's give him a few to notice his ears are burning.
07:43:04	robe2:	markusN is hopelessly out of it.
07:43:22	MartinSpott:	robe2: Coffee might be more appropriate at this time of day
07:43:26	robe2:	Let's skip nextcloud and go on to next topic and when he wakes up we can go back to it
07:43:55	robe2:	next topic is the whole managing word press thing
07:43:55	MartinSpott:	robe2: I suspect it's already past midnight in your place, right ?
07:44:04	robe2:	jive[m] any chance you are awake?
07:44:15	robe2:	it's 3:44 AM
07:44:24	MartinSpott:	ouch
07:44:32	MartinSpott:	sorry about that
07:44:39	robe2:	but I'm wide awake my sleep schedule is not normal
07:45:11	robe2:	it's not even a regular sleep
07:45:16	TemptorSent:	I'm on a second wind here :)
07:45:45	robe2:	anyway getting back to gitea wordpress thing for foss4g2018 we are managing their main site now
07:46:39	robe2:	I had setup a production and staging on web18a and just configure cron to pull every 5 minutes / prod /staging in gitea https://git.osgeo.org/gitea/osgeo/FOSS4G2018_WordPress
07:46:53	robe2:	I think that is working okay for them. Was going to do the same for www.osgeo.org
07:47:21	robe2:	strk and TemptorSent I presume you think we should have a production and staging branch
07:47:37	robe2:	and strk of course expects me to learn to do webhooks right
07:48:12	robe2:	MartinSpott have any thoughts on that or have no opinion
07:48:19	MartinSpott:	I
07:48:46	MartinSpott:	I'm still trying to figure out how the setup actually looks like
07:48:55	TemptorSent:	Yes, I think it is wise to have an active 'live' branch, a 'staging' branch, and a 'testing' branch for messing around with.
07:48:59	MartinSpott:	but I think I'm not much involved at all
07:49:27	strk:	sorry I was distracted
07:49:32	robe2:	right now its a very dumb setup
07:49:42	MartinSpott:	The main website runs on a VM and it's hosting FOSS4G as well, correct ?
07:49:55	strk:	MartinSpott: I'd love to hear a summary of what's going on with your osgeo work
07:50:02	robe2:	for FOSS4G2018 it's just a cron git pull for staging / production branches that runs every 5 minutes on the server
07:50:05	strk:	but probably an email would be best
07:50:28	strk:	like, any advancement in dismissing those VMs we were supposed to drop looong ago ?
07:50:31	robe2:	for www.osgeo.org it's not really under git at all, I have to sync it (so that shouldn't be too bad) since it's the same files
07:50:57	robe2:	it's only the themes and some basic configs I have under git cause all the plugins change too frequently and are updated whenever a security update
07:51:19	robe2:	strk what vms the cloudvps.com?
07:51:37	robe2:	I sent them a note saying stop billing us we want to end service (granted I should have done that a month ago)
07:51:44	strk:	robe2: osgeo3 or was it osgeo4
07:51:55	strk:	or both ?
07:52:02	robe2:	oh you are talking about those
07:52:16	strk:	yeah, those things that end up being open issues for decades...
07:52:23	strk:	like Wiki/LDAP
07:52:23	robe2:	MartinSpott know what's going on with those. I presume we still have them and some things offloaded
07:52:38	strk:	it's fun to open new things but maintenance should also involve closing others :)
07:52:45	robe2:	that was going to be next topic
07:53:10	MartinSpott:	Unfortunately my OSGeo work got lower priority for a couple of weeks due to internal project work at the company. Hopefully that'll change after May 9th
07:53:12	strk:	great (I thought the meeting was basically over :)
07:53:26	markusN:	now back
07:53:29	robe2:	strk no we are only half way thru items
07:53:45	robe2:	markusN we saved nextcloud for you so now we can switch back to nextcloud
07:54:06	robe2:	TemptorSent anything to report on Nextcloud front?
07:54:32	markusN:	cool. thanks much :-)
07:54:56		* markusN had a quick family gathering in the kitchen, to not de-socialize completely at home :p
07:55:08	TemptorSent:	No problem markusN.
07:55:09	robe2:	:)
07:55:42	MartinSpott:	one half of our family is still asleep
07:55:51	markusN:	same here
07:55:55	robe2:	last we left off we were having issues with ldap
07:56:11	robe2:	though I think maybe the issues are related to the other ldap issue MartinSpott mentioned
07:56:15		* strk is alone today
07:56:17	strk:	just dog
07:56:43	TemptorSent:	Okay, so what we have currently for Nextcloud is essentially a minimally configured host with nextcloud and all of its deps happily installed sitting in a lxd subcontainer.
07:56:45	robe2:	just dog a small dog or big one
07:56:45	strk:	I don't remember if ldap was self-signed
07:56:51	strk:	small dog
07:57:00	robe2:	strk I don't think it was self-signed
07:57:13	strk:	so Nextcloud is giving file space to all OSGeo users ?
07:57:22	strk:	or does it support any "groups" ?
07:57:26	TemptorSent:	It's intended for board use.
07:57:28	robe2:	MartinSpott thinks it uses comodo. so issue on funtoo is the cert bundle it's using is missing a lot of authorities
07:57:37	strk:	is there a board LDAP group ?
07:57:51	strk:	or are groups managed locally for nextcloud ?
07:57:57	strk:	(like gitea implements its own groups)
07:58:41	robe2:	I forget if I saw board or not
07:58:42	robe2:	https://osgeo.host.funtoo.org/nextcloud/
07:58:43	TemptorSent:	I believe the certs on the host are current and based on debians, so that shouldn't be the issue there.
07:58:56	strk:	still not nextcloud.osgeo.org ?
07:59:00	robe2:	when I logged in with admin account I was able to get the query of all the groups and users from ldap
07:59:22	strk:	untrusted SSL cert, with both URLs
07:59:29	markusN:	(just FYI/OT: the German gov switches with 300k users to nextcloud, see eg https://www.heise.de/ix/meldung/Bundescloud-Open-Source-mit-Nextcloud-statt-Dropbox-oder-Google-Drive-4026111.html )
07:59:31	sigabrt:	Title: Bundescloud: Open-Source mit Nextcloud statt Dropbox oder Google Drive | iX (at www.heise.de)
07:59:35	TemptorSent:	I haven't setup the rewrite for that, but feel free.
07:59:38	strk:	300k, wow!
07:59:38	markusN:	I hope it will be eventually nextcloud.osgeo.org
07:59:51	markusN:	300k _gov_ users :-)
07:59:52	robe2:	strk that just points at nginx. We haven't gotten the internal routing on the container working yet
08:00:18	strk:	nor letsencrypt, looks like
08:00:23	robe2:	but yes nextcloud.osgeo.org is a CName for osgeo.host.funtoo.org
08:00:25	TemptorSent:	Actually, it's passing through fine :)
08:00:37	robe2:	so once we have the internal thingy working we'll be all set
08:00:44	strk:	I didn't force Firefox to load it
08:00:53	markusN:	what is the issue with letsencrypt (just curious)
08:00:58		* strk is stubborn, no self-signed certs >:(
08:01:08	robe2:	TemptorSent so can you change it so https://nextcloud.osgeo.org is exposed to the nextcloud
08:01:14	TemptorSent:	We just need to generate a request for it and dump it on the webserver to get the key.
08:01:17	strk:	right, it's so easy with apache - my guess: issue is these kids want to use something "cooler" :P
08:01:18	robe2:	then we can get a letsencrypt cert for it
08:01:36	markusN:	that's easy indeed with apache
08:01:38	TemptorSent:	robe2 it's just a nginx rewrite rule in the outer container I believe
08:01:47	strk:	seriously, did you want to try the centralized approach TemptorSent ?
08:01:55	strk:	MartinSpott: TemptorSent was thinking about putting all certs on the same machine
08:02:01	strk:	markusN: ^
08:02:07	strk:	(wrong nick completion)
08:02:18	TemptorSent:	All cert requests anyway.
08:02:27	strk:	ah, right
08:02:31	strk:	feels better
08:02:41	strk:	so certs are still local, just the "letsencrypt" setup would be centralized
08:02:47	strk:	right, was that the idea ?
08:02:49	TemptorSent:	Yup.
08:02:55	MartinSpott:	strk: do you mean putting all certs on the main host container and terminating SSL there ?
08:02:59	robe2:	this seems like a surprisingly good time to meet :)
08:03:37	robe2:	though I guess we should alternate cause this is a time I think jive[m] and wildintellect can't make
08:03:48	TemptorSent:	No MartinSpott - just having letsencrypt updater running on a single host and having the various servers pass through the WKT url.
08:03:55	strk:	we've to balance maintainability, I mean... for SAC members (current and future) it should be easy to deal with / troubleshoot etc.
08:04:01	strk:	so if you do anything complex it should be carefully documented on the wiki
08:04:32	strk:	robe2: indeed, I was really only here by chance :)
08:04:49	MartinSpott:	TemptorSent: I have to admit I don't know how this is supposed to work - simply because I don't know much about letsencrypt mechanics
08:05:16		* markusN has only certbot experience
08:05:36		* robe2 only has certbot experience
08:05:41	TemptorSent:	Yeah, we'd just let certbot run in standalone mode on a single host (secure?)
08:05:59	robe2:	but it would need to impersonate all the subdomains
08:06:04	robe2:	right
08:06:18	TemptorSent:	Then the individual servers expose the WKT as a passthrough to that.
08:06:23	robe2:	so not clear how that bit would work if we aren't getting a wildcard cert
08:06:42	TemptorSent:	Because each server would have the correct WKT for its request.
08:06:47	robe2:	wildintellect seemed against a wildcard cert not clear what his argument was about it too easy to compromise
08:06:58	robe2:	WKT?
08:07:01	TemptorSent:	Wildcard certs are a bad idea.
08:07:02	markusN:	did anyone already try letsencrypt's wildcard support?
08:07:17	markusN:	oh
08:07:19	MartinSpott:	I simply need to understand the meaning of this WKT in this context
08:07:33	robe2:	sorry all I think of is well-known text which I presume is not what that acronym stands for in this context
08:07:40	TemptorSent:	Well Known Text -- essentially. The URL that letsencrypt checks to see if you indeed control your host.
08:07:59	MartinSpott:	ah
08:08:25	robe2:	but doesn't the url have to reside on the domain asking?
08:08:28	MartinSpott:	But you still need to provide a certificate on every instance which is terminating SSL
08:08:32	MartinSpott:	correct ?
08:08:38	TemptorSent:	Right.
08:08:42	robe2:	so don't see how that would work unless everything proxies thru secure
08:08:44	TemptorSent:	Just a single certbot instance.
08:08:45	strk:	so each server would have to setup an alias/redirect for the /.well-known/acme-challenge/ url
08:08:55	strk:	to be served by the centralized letsencrypt service
08:08:55	robe2:	ah
08:08:56	TemptorSent:	Yup.
08:08:57	strk:	right ?
08:09:11	robe2:	okay that makes sense now okay understood
08:09:18	MartinSpott:	TemptorSent: "Yup" to proxying ?
08:09:41	TemptorSent:	Alias/proxy that single URL
08:09:49	robe2:	so that folder would be alias to secure
08:09:56	robe2:	and can't be a regular redirect
08:10:09	TemptorSent:	Actually, it MAY work with redirects.
08:10:41	TemptorSent:	But proxy is easy enough for that, and reliable.
08:11:17	MartinSpott:	TemptorSent: I still don't understand how each individual service would get their SSL certificate, may I ask you to draw a little chart to be discussed next meeting ?
08:11:42	MartinSpott:	Containing the paths for 'regular' traffic and the letsencrypt stuff ?
08:11:43	robe2:	a chart would be good and to put on the wiki
08:11:56	robe2:	though it's clear in my mind now how it works
08:12:07	TemptorSent:	Sure... Actually, I think I can sorta put it on one line of ascii:
08:12:30	robe2:	one line in ascii looks good
08:12:51	strk:	scp ?
08:13:07	strk:	to install the cert from letsencrypt.osgeo.org to .osgeo.org server...
08:13:40	robe2:	secure -> certbot renew -> certbot writes to .well-known folder -> certbot confirms new file is there accessible via http:/whatever.osgeo.org/well-known/...
08:14:09	robe2:	well rather not certbot confirming but letsencrypt authority
08:14:10	TemptorSent:	A,B,C are webhosts, S is secure L is LetsEncrypt: L requests A/.well-known/acme-challenge which replies with S/.well-known/acme-challenge
08:14:57	robe2:	so instead of WKT should be WKA :)
08:15:17	TemptorSent:	Yeah, the URL itself is the WKT :)
08:15:44	robe2:	and the strk scp thing, secure scps the cert to the respective webserver
08:16:08	TemptorSent:	After a successful request, the certbot fires off scp.
08:16:17	MartinSpott:	robe2: Exactly this is the mising link
08:16:26	MartinSpott:	missing
08:16:37	TemptorSent:	Oh, sorry -- thought the ssl side was the confusion :)
08:17:00	MartinSpott:	no, the entire picture wasn't clear ;-)
08:17:20	TemptorSent:	Gotcha --
08:17:28	robe2:	yah the acme challenge response protocol is fairly new
08:17:47	robe2:	when I get it using other ssl providers it's always a manual thing
08:17:56	TemptorSent:	SSL requests handled in-band, scp to copy the key to the host triggered by the callback runs out of band.
08:17:56	robe2:	but certbot has it all nicely automated for you
08:18:51	TemptorSent:	It's pretty slick actually, much nicer than the old PITA way of authing.
08:19:08	robe2:	TemportorSent so all that said can we go ahead and get a letsencrypt for nextcloud.osgeo.org and repoint that for nextcloud use
08:19:46	TemptorSent:	robe2 Sure -- do you have the LE account info so we don't have to set up yet another?
08:19:54	robe2:	yah the way other providers implement it is clumsy and manual
08:20:05	robe2:	LE account?
08:20:11	robe2:	I never use one
08:20:11	TemptorSent:	LetsEncrypt
08:20:19	robe2:	well I always have to type in my email address
08:20:31	TemptorSent:	Hmm, the OSGeo stuff isn't all under one?
08:20:56	robe2:	didn't know under one was a thing aside from wildcard
08:21:20		* robe2 fears she's been doing it all wrong
08:21:24	TemptorSent:	They're not too clear on it actually.
08:21:39	TemptorSent:	I just try to avoid setting things up repeatedly :)
08:21:44	TemptorSent:	Doesn't much matter I guess.
08:21:59	robe2:	yah I mean certbot seems to keep track of all
08:22:16	robe2:	so certbot renew as I recall will renew all that need renewing on the same server
08:22:29	robe2:	though I have on my calendar to confirm it's working when it comes due
08:23:16	TemptorSent:	robe2 in that case, emerge app-crypt/certbot-nginx :)
08:25:11	TemptorSent:	Hmm, is the ldap cert for ldap.osgeo.org or secure.osgeo.org?
08:25:41	TemptorSent:	er secure.osgeo.osuosl.org rather
08:27:50	robe2:	I think they are the same
08:28:05	TemptorSent:	Reverse-lookup may be biting us.
08:28:17	TemptorSent:	I'll have to look at that when I'm a bit more alive :)
08:28:46	MartinSpott:	Little question: did you plan to discuss yet another topic today ?
08:28:49	TemptorSent:	LDAP and SSL while heading into seriously too tired realm is dangerous for all involved :)
08:29:09	TemptorSent:	Wiki thoughts I think?
08:30:14	TemptorSent:	I believe we had a tentative plan there from our last discussion and need to make a testing clone of the running system to work on.
08:31:47	robe2:	MartinSpott yes we were going to discuss the LDAP / Wiki
08:31:55	robe2:	I guess the question is where will we put this clone
08:32:17	robe2:	Do we just wait till the new hardware comes in and maybe the clone eventually becomes the real new thing
08:32:35	robe2:	cause I imagine ldap is old and the wiki is definitely old
08:32:45		* strk broomed the house
08:32:48	TemptorSent:	No, we'll need to wipe the clone out and refresh it right before we actually do the switch for real.
08:32:50	MartinSpott:	Considering #165, I think it always boils down to: Who's having the skills to modify the Wiki login page ?
08:33:33	TemptorSent:	I can probably hack the wiki stuff if needed, but I'd prefer not to be the lynchpin on that.
08:33:44	robe2:	is that a php or python thing page
08:33:46	MartinSpott:	hehe
08:33:49	MartinSpott:	PHP
08:34:07	TemptorSent:	Yeah, I'm painfully familiar with PHP, just rusty and a bit out of date.
08:34:43	MartinSpott:	From my perspective it makes little difference whether it's being updated in-place or setup new: The resource to modify the Wiki is the bottleneck
08:34:44	robe2:	so the idea is whenever anyone logs into the wiki rewrite the login to legacy_osgeoname or something
08:34:44	strk:	re LE Auth... I'm afraid I used my own one
08:34:51	TemptorSent:	I used to write significant php libraries and applications, but I'd rather not go back there :)
08:34:51	robe2:	I forgot the workflow of it
08:34:55	strk:	at least, I'm often getting expiration reminders for postgis.net
08:35:01	robe2:	I can look at page I think my php skills are decent
08:35:23	strk:	for letsencrypt can you please register letsencrypt.osgeo.org and use that point for redirects ?
08:35:40	robe2:	strk I put my email address in for all the ones I setup :)
08:35:41	TemptorSent:	We rewrite all names when we move the db.
08:35:49	strk:	not sure it should be secure VM rather than somewhere else (in case "secure" is not so much accessible)
08:35:49	MartinSpott:	If we had PHP developer resources, we could already have the issue ironed out years ago
08:35:55	MartinSpott:	the Wiki/LDAP I mean
08:36:15	strk:	can we pay a MediaWiki developer for the task ?
08:36:24	strk:	I tried asking the LDAP plugin author but he never replied..
08:36:30	TemptorSent:	Okay, let me dunk my php-skillz in some phosphoric and wirewheel the scale off.
08:36:35	robe2:	yah I don't think the difficulty would be on the PHP side
08:36:43	robe2:	would be more on the Wiki structure side
08:36:48	MartinSpott:	robe2: agreed
08:36:56	TemptorSent:	That should be pretty easy on the db side of things.
08:37:14	robe2:	I don't think I have access to the wiki database
08:37:16	TemptorSent:	A db dump, some mangling, and a reload with an update script.
08:37:21	MartinSpott:	I can do some PHP as well, but my changes never showed up on the place I expected them to do :-)
08:37:33	TemptorSent:	*lol* Yeah, php is bad for that.
08:37:35	robe2:	I think in last meeting I tried logging in and got greeted with German "hello you are not authorized"
08:37:57	MartinSpott:	TemptorSent: to me it's been the way MediaWiki works
08:37:58	robe2:	so I was going to look at the db structure but of course the German message says "No no"
08:37:58	TemptorSent:	We need a sandbox to experiment with it safely.
08:38:33	robe2:	MartinSpott did you install wiki?
08:38:38	MartinSpott:	robe2: yes
08:38:50	robe2:	okay so you're the German saying "no no"
08:38:52	TemptorSent:	I don't even want to think about touching live data until we can reliably run our migration in 30 mins or less.
08:39:14	MartinSpott:	robe2: I didn't do so by intention
08:39:27	robe2:	agreed so MartinSpott any chance you can give me access or a backup
08:39:52	TemptorSent:	Then, ideally we drop the old offline, create the new instance, migrate, and bring it back up in a half hour or less of total downtime, with an immediate revert possible.
08:40:04	robe2:	I think we'd want to upgrade wiki as well as test migration right
08:40:08	MartinSpott:	A MediaWiki dump or a DB dump ? MediaWiki is preferred, I guess
08:40:22	TemptorSent:	Both, really.
08:40:23	robe2:	Db dump for now
08:40:33	robe2:	but yah we'd need both eventually
08:40:35	strk:	what do you want to do with the dump ?
08:40:39	strk:	matching between LDAP and local ?
08:40:39	TemptorSent:	But the DB is where the real work will be.
08:40:56	TemptorSent:	Figuring out how to do the rewriting in one fell swoop.
08:41:00	robe2:	I just wanted to see how db is structured (since I am a db programmer more than a regular web programmer)
08:41:09	strk:	we won't find all matches
08:41:16	strk:	some (no idea how many) will match by email
08:41:21	strk:	but others will just not have a match
08:41:25	robe2:	strk well we weren't going to match right just rename
08:41:32	TemptorSent:	We're not even going to try to match them.
08:41:44	robe2:	I just want to make sure there is no crazy linkage (like lacking ref integrity)
08:41:44	strk:	what's the plan then ?
08:42:03	robe2:	word press was a mess total lack of respect for referential integrity
08:42:14	strk:	I'd love to see staging.wiki.osgeo.org with the LDAP plugin installed and configured, to see what it does for us
08:42:31	robe2:	yah that would be the first
08:42:32	TemptorSent:	Rename all wiki accounts with a prefix such as _OWU_ (_OldWikiUser_)
08:42:39	strk:	ah ok
08:42:46	strk:	and next step ?
08:42:55	strk:	as we do want merging between accounts
08:42:58	strk:	and use meaningful names in history of changes
08:43:01	strk:	ie: new names
08:43:02	robe2:	yah and in theory rename can happen in db but need to make sure there are no loose ends in other tables
08:43:04	TemptorSent:	then when users try to login, we force them straight to the osgeo login.
08:43:21	strk:	ok, let's say they have one, so they login
08:43:23	strk:	what happens next ?
08:43:40	TemptorSent:	Once they're logged in with their ldap account, they get asked if there are wiki accounts to merge, and if so, asks for username and password.
08:43:40	strk:	they need to claim their old identity too
08:43:50	strk:	is this done already by the plugin ?
08:43:50	robe2:	we show the ldap screen and force them to log in again :)
08:44:09	TemptorSent:	We prepend the prefix to the username they specify, verify it, and then run merge_users tool.
08:44:35	strk:	ok so this is NOT part of the plugin but of the envisioned development to be done ?
08:45:04	TemptorSent:	Just the trick to get the old account and merge_users (the plugin)
08:46:23	MartinSpott:	Folks, we need to distinguish between a) ideas on the logic and b) actual implementation
08:46:24	TemptorSent:	We can even get tricky and detect them trying to log in with an old name and tell them what to do.
08:46:47	MartinSpott:	Suggestions on a) have been around for years
08:46:48	TemptorSent:	Yeah, need to see the DB to determine how much work is actually required on that end.
08:46:59	TemptorSent:	The login itself is fairly easy.
08:47:21	MartinSpott:	Ok, I'll provide the required dumps within a few days
08:47:37	MartinSpott:	Then show us whether the logic actually works ;-)
08:47:40	TemptorSent:	So we set it up and everyone will be logging in fresh, using ldap only.
08:48:04	TemptorSent:	Yeah, it's all theoretical until the code starts flying.
08:48:12		* MartinSpott short break
08:48:34	robe2:	hmm we probably should be ending the meeting
08:48:39	robe2:	almost 2 hrs already
08:48:50	TemptorSent:	But at worst, we'd have a wiki with all existing content present, with prefixed names, and users logging in using ldap.
08:48:51	robe2:	anything else people want to discuss before we adjourn
08:49:28	TemptorSent:	The automerging feature is a nice thing to have, but doesn't prevent the migration if push comes to shove.
08:49:41	markusN:	I'd suggest to write this up on the SAC page, in order to develop pros and cons
08:49:56	TemptorSent:	It's already mostly laid out in the bug IIRC?
08:50:05	markusN:	which #?
08:50:11	TemptorSent:	robe2 Can you append the notes from this meeting?
08:50:18	TemptorSent:	#165 IIRC?
08:50:34	TemptorSent:	Don't have it in front of me, something near that :)
08:50:51	robe2:	yah will do after
08:51:09	robe2:	https://wiki.osgeo.org/wiki/SAC_Meeting_2018-04-29
08:51:10	sigabrt:	Title: SAC Meeting 2018-04-29 - OSGeo (at wiki.osgeo.org)
08:51:23	markusN:	https://trac.osgeo.org/osgeo/ticket/165
08:51:24	sigabrt:	Title: #165 (Wiki LDAP integration) – OSGeo (at trac.osgeo.org)
08:51:25	markusN:	bingo
08:51:27	robe2:	I haven't added anything yet -- feel free to update with the key points
08:52:15	TemptorSent:	Okay, just notes RE DB dumps and sandbox clone needs.
08:52:23	robe2:	I think the last set of topics we can't discuss because no movement or people involved not here
08:52:38	robe2:	yah knock yourself out
08:52:43	MartinSpott:	robe2: Next Meeting: Which one is correct ? Saturday or the link behind ?
08:53:12	robe2:	definitely not Saturday
08:53:20	MartinSpott:	ok, Thursday then
08:53:29	TemptorSent:	Oh, Website "Friends" page?
08:53:35	robe2:	I was going to move to Thursday so alternate between Thursday and Sunday
08:53:49	MartinSpott:	ack
08:53:53	markusN:	ok
08:54:00	TemptorSent:	Anything we need to do on that item immediately?
08:54:11	MartinSpott:	I'll provide dumps
08:54:40		* markusN needs to go
08:54:47	TemptorSent:	Thank you MartinSpott -- I'll get some eyeballs on them and take a look at the wiki code.
08:54:48		* markusN waves
08:54:55	MartinSpott:	If the extensions don't break - are available for current MediaWiki -, I might update the current instance in-place
08:54:56	TemptorSent:	Take care markusN!
08:55:15	MartinSpott:	I'll check carefully beforehand
08:55:24	robe2:	okay updated the next meet time
08:55:30	TemptorSent:	If that's sanely feasible, it would probably make the migration easier.
08:55:38	MartinSpott:	Yup
08:55:45	TemptorSent:	Thanks.
08:55:56	MartinSpott:	I'll always have a current backup available
08:56:08	markusN:	thanks to all!
08:56:16	MartinSpott:	cu Markus
08:56:18	robe2:	thanks markusN
08:56:37	markusN:	didn't contribute much
08:56:55	robe2:	well your interest is always appreciated
08:58:02	TemptorSent:	Looks like I've got some poking to do at the resolver and SSL setup to see if something is amiss, or just not the config I'm used to.
08:58:09	robe2:	TemptorSent I'm lost which line in openssl.cnf to edit
08:58:23	robe2:	all seem like the certs for the server (not certificate authority bundle)
08:58:27	MartinSpott:	robe2: Did you close the meeting ?
08:58:47	TemptorSent:	Not yet..
08:58:53	MartinSpott:	ok
08:58:58	TemptorSent:	Please do :)
08:59:05	robe2:	yah it's closing slowly
08:59:16	robe2:	I think I did actually but TemptorSent missed it :)
08:59:26	robe2:	meeting adjourned
08:59:32	TemptorSent:	:)
08:59:39	TemptorSent:	Okay, after-hours.
08:59:57	MartinSpott:	thanks for joining so late/early
09:00:07	robe2:	np
09:00:32	TemptorSent:	I'm honestly a bit too tired to debug openssl/openldap right now -- it will likely be painfully obvious in the morning with a cup of coffee :)
09:00:59	TemptorSent:	Spent the day turning over the garden beds, so I'm wiped.