Difference between revisions of "Talk:SAC Meeting 2018-05-10"
Revision as of 02:41, 29 April 2018
07:00:09 robe2: meeting starting now
07:00:36 MartinSpott: robe2: is anybody here except us two ? ;-)
07:00:43 robe2: Guess first topic is hardware. But Alex isn't here
07:01:15 robe2: I know he said he was going to send for purchase since no -1s, does anyone know if he's done that
07:02:20 robe2: MartinSpott TemptorSent is here I think
07:02:36 MartinSpott: The new quote is slightly different from the past ones, because it doesn't contain any SSD stuff - did I get this correctly ?
07:02:45 markusN: Morning!
07:02:47 MartinSpott: Moggeeeen !
07:02:53 robe2: Hi Markus
07:03:00 MartinSpott: repeating myself:
07:03:02 MartinSpott: The new quote is slightly different from the past ones, because it doesn't contain any SSD stuff - did I get this correctly ?
07:03:25 MartinSpott: That's fine with me, if nobody objects
07:04:31 robe2: MartinSpott I thought it still had SSD via the Optane component.
07:04:39 MartinSpott: Ah, now I see
07:04:46 MartinSpott: *** Additional ....
07:05:04 MartinSpott: fine, go for it
07:05:24 robe2: I'm a bit clueless about the whole Optane thing
07:05:45 MartinSpott: I suspect it's "cool" ;-)
07:05:49 robe2: but there seemed to be hardware whores arguing so I figured they'd come up with something good
07:06:07 MartinSpott: At least it doesn't hurt
07:06:45 robe2: Next topic funtoo. Too bad TemptorSent couldn't keep his eyes open :)
07:06:56 TemptorSent: Hello MartinSpott!
07:07:11 robe2: TemptorSent you're alive and awake :)
07:07:14 TemptorSent: Hello all.
07:07:17 markusN: hi TemptorSent
07:07:27 MartinSpott: Do we still need to retire one of the old machines before activating the new one ?
07:07:33 MartinSpott: Hi TemptorSent
07:07:35 robe2: MartinSpott no
07:07:49 robe2: OSUOSL said they have plenty of space last I recall
07:08:04 MartinSpott: Oh, how nice
07:08:25 robe2: so this will be an extra we can start moving stuff to at our own pace
07:08:45 TemptorSent: That's refreshing.
07:09:07 robe2: any more questions about Optane - TemptorSent I think knows a lot about it as he was one of the whores arguing
07:10:19 robe2: okay guess no more questions - next topic funtoo host
07:10:26 MartinSpott: go ahed
07:10:28 MartinSpott: ahead
07:10:39 robe2: MartinSpott you know what SSL ldap.osgeo.org is using?
07:11:03 MartinSpott: wait a second, I'm mixing names
07:11:04 robe2: I was trying to set up SSH via LDAP on funtoo, but ldapsearch is failing with key not trusted
07:11:18 MartinSpott: the former was COMODO I think, the current is ....
07:12:05 robe2: that's what I thought. As when I copied over the osgeo star bundle from osgeo6 and put it on other servers I had set up and set it in ldap.config it worked fine
07:12:17 robe2: I had done the same on funtoo and it didn't work.
07:12:27 TemptorSent: TLS trace: SSL_connect:SSLv3 read server hello A
07:12:27 TemptorSent: TLS certificate verification: depth: 2, err: 2, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
07:12:27 TemptorSent: TLS certificate verification: Error, unable to get issuer certificate
07:12:27 TemptorSent: TLS trace: SSL3 alert write:fatal:unknown CA
07:12:35 robe2: TemptorSent it occurred to me maybe it's not using the bundle I referenced
07:12:47 TemptorSent: TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).
07:13:11 robe2: TemptorSent is there a way to tell which bundle. Maybe it's cache
07:13:13 robe2: cached
07:13:31 TemptorSent: Hmm, I don't recall off hand.
07:13:36 robe2: I had originally used the ca-certificates one I saw in the folder and when that didn't work I downloaded the one I use
07:14:57 robe2: MartinSpott TemptorSent can you see this page - https://git.osgeo.org/gitea/osgeo/osgeo_funtoo/wiki/Configuring-SSH-LDAP-on-the-Host
07:15:01 MartinSpott: didn't the star package contain the entire bundle ?
07:15:14 robe2: MartinSpott yes it did
07:15:26 robe2: and it worked on all the debians I have set up
07:15:39 TemptorSent: Yeah, I'm only seeing two signatures in that bundle.
07:15:51 robe2: so I suspect this is a funtoo specific issue that it's using some other barebones bundle rather than the one I specified in ldap.config
07:16:23 robe2: This is the file I changed - /etc/openldap/ldap.conf
07:16:30 TemptorSent: It should be using the system pems I would think, which have a cert for AddTrust it appears
07:16:49 robe2: I know it's at least reading it for ldap.osgeo.org since to do the ldapsearch I don't need to specify the -H
07:17:08 TemptorSent: Ahh, /etc/ssl/openssl.cnf :)
07:17:50 robe2: ah okay I wonder if maybe that's always used and I had thought it was the ldap one used, but others had an already full bundle
07:18:09 robe2: TemptorSent did you just edit that or you want me to?
07:18:17 TemptorSent: I have not edited.
07:18:26 robe2: okay I'll edit
07:18:56 robe2: MartinSpott can you check to see if you can get into the funtoo server -- it's tech_dev@funtoo.osgeo.org
07:19:04 robe2: hopefully I didn't screw up adding your key
07:19:23 MartinSpott: looks like I'm in
07:19:57 MartinSpott: BTW, where can I read more about OSGeo using FunToo containers ?
07:20:08 MartinSpott: There wasn't much I could find
07:21:16 TemptorSent: We haven't gotten much written up as of yet other than meeting logs and some notes.
07:21:25 MartinSpott: ok
07:21:41 robe2: https://www.funtoo.org/LXD#PART_II_-_LXD_Installation
07:21:42 sigabrt: Title: LXD - Funtoo (at www.funtoo.org)
07:21:45 MartinSpott: To me the intention isn't clear, that's why I was asking
07:22:13 robe2: oh we were going to put NextCloud, Weblate
07:22:29 robe2: basically things we want to experiment with and once they are good we could move to osuosl
07:22:36 MartinSpott: Is it "container as a paid service" ?
07:22:53 TemptorSent: Funtoo is providing a fairly substantial amount of resources and infrastructure for us to build out and stage some of our services.
07:22:54 robe2: though in future we may use it for production stuff, right now just experiments
07:23:26 robe2: MartinSpott well technically they aren't charging us for use of hardware, but if we like we'd give them some sort of donation like we do for OSUOSL
07:23:31 TemptorSent: MartinSpott - At the moment, it's being provided as an in-kind donation.
07:23:42 MartinSpott: I see
07:23:45 strk: hi
07:23:49 robe2: So they gave us a host container and we are doing the lxd within lxd thing
07:23:50 TemptorSent: hi strk :)
07:23:51 strk: are you in a meeting ?
07:23:54 MartinSpott: strk: Moin
07:23:59 strk: hi MartinSpott
07:24:00 TemptorSent: Good timing!
07:24:01 robe2: hi strk we were just discussing funtoo with MartinSpott
07:24:06 markusN: hi strk
07:24:09 strk: hey
07:24:13 MartinSpott: "lxd within lxd", really ?
07:24:14 robe2: and I was still fiddling with setting up ldap ssh
07:24:18 strk: ouch, I wanted to take a quick look, now I seem to be stuck :P
07:24:44 robe2: strk you can get in tech_dev@funtoo.osgeo.org
07:24:47 TemptorSent: MartinSpott Yep, nested containers.
07:25:11 robe2: I don't have the ldap ssh configured yet. I ran into a stumbling block which TemptorSent might have figured out so going to try
07:25:34 robe2: strk you can get to here - https://git.osgeo.org/gitea/osgeo/osgeo_funtoo/wiki/Configuring-SSH-LDAP-on-the-Host
07:25:43 TemptorSent: Yeah, I don't recall how openssl wants to handle bundles by default.
07:26:26 robe2: TemptorSent so in theory if I build local containers -- e.g. if I get this hardware thing - https://antsle.com/
07:26:28 sigabrt: Title: antsle: The Private Cloud Server, Designed for Developers. (at antsle.com)
07:26:50 TemptorSent: Yeah, I was looking at that -- pretty slick case!
07:26:56 robe2: I can copy over the containers etc. It looks like a cute device and cheap end is only $1000 so was going to get it for my dev experiments
07:27:13 robe2: yah its so cute and Leo was sold on no noise :)
07:27:14 TemptorSent: I almost bought one of those -D boards a while back, but it was too much money at the time.
07:27:40 TemptorSent: They've gotten more reasonable it seems, but memory went the other way.
07:28:49 TemptorSent: No noise would be nice.
07:29:10 MartinSpott: robe2: which sort of LDAP authentication did you try to establish ?
07:29:44 robe2: well I just did an ldapsearch
07:29:59 MartinSpott: ah, and it failed ?
07:30:10 robe2: I don't think I have all the pieces in place yet cause I was trying to map the packages to gentoo / funtoo and they namespace theirs
07:30:25 TemptorSent: robe2 -- um, check that ldap config again perhaps?
07:30:48 robe2: so for example I had installed sudo emerge sys-auth/nss-pam-ldapd
07:31:07 robe2: I assume that combines both the nss-ldapd and pam-ldapd that we normally install
07:31:22 MartinSpott: nss != pam
07:31:25 robe2: MartinSpott yah with the ssl key can't be authenticated
07:31:57 * markusN just FYI: on and off here, mainly for nextcloud item
07:32:08 robe2: MartinSpott I know that but looks like they combined the packages in funtoo -- you saw link I posted above?
07:32:22 MartinSpott: robe2: no, password protected ....
07:32:33 robe2: ?
07:33:28 robe2: so I still need - sudo emerge sys-auth/pam-ldap
07:33:42 TemptorSent: Nextcloud is up in a subcontainer :)
07:33:43 MartinSpott: The gitea page you posted above is password protected - which annoys me, I just didn't complain
07:33:48 robe2: that one didn't have an ldapd at the end and I thought you had mentioned the one without ldapd is old
07:34:16 robe2: MartinSpott oh are you able to get in? all osgeo folks should be able to.
07:34:33 MartinSpott: yup, pam/nss_ldap runs as root which is why GnuTLS complains
07:35:00 robe2: I can unprotect the repo nothing secret in there anyway. Want me to do that
07:35:00 MartinSpott: pam/nss_ldap*d* uses a user-space daemon
07:35:43 MartinSpott: robe2: It's up to you
07:35:59 robe2: MartinSpott what do you recommend?
07:36:32 MartinSpott: I just think that having a second Wiki and making common stuff password-protected is, well, not very elegant
07:36:33 robe2: I'm still a bit clueless about what each role plays
07:37:06 robe2: Well it's specific to funtoo at moment so not quite so common :)
07:37:29 MartinSpott: a *third* Wiki, BTW
07:37:44 robe2: you mean cause we have trac too :)
07:37:59 robe2: Yah strk was arguing with me about that too :)
07:38:29 robe2: gitea wiki is a lot easier to edit than wiki.osgeo.org (e.g. I can do shift tab and move a whole stream of text)
07:38:40 MartinSpott: osgeo ~ # nc -nv ldap.osgeo.org ldaps
07:38:40 MartinSpott: Can't parse ldap.osgeo.org as an IP address
07:39:01 robe2: and .. I liked the idea of having the page that described setup of server be with the configs we will eventually store
07:39:21 TemptorSent: osgeo /etc/openldap # ping ldap.osgeo.org
07:39:21 TemptorSent: PING ldap.osgeo.org (140.211.15.58) 56(84) bytes of data.
07:39:21 TemptorSent: 64 bytes from secure.osgeo.osuosl.org (140.211.15.58): icmp_seq=1 ttl=52 time=49.6 ms
07:39:57 TemptorSent: robe2 I can't disagree with that last, but we should probably consider standardizing that across all our config repos then.
07:40:00 MartinSpott: TemptorSent: yes, but apparently there's still something wrong with the resolver
07:40:36 TemptorSent: Noted. We can poke at that out of band.
07:40:55 MartinSpott: Agreed
07:41:09 MartinSpott: Note that this might be the root cause
07:41:11 TemptorSent: robe2, shall we move on to Nextcloud?
07:41:16 robe2: yes
07:41:19 TemptorSent: MartinSpott Agreed.
07:41:24 robe2: markusN you around
07:41:56 MartinSpott: Markus ! Markus ! Markus !
07:42:00 MartinSpott: ;-)
07:42:07 robe2: I think markusN wanted to be involved in the talk hate to start without him being awake
07:42:16 MartinSpott: markusN: Oh, please get back to us
07:42:31 MartinSpott: Next time we're having a beer I promise not to be late again ;-)
07:42:57 robe2: even beer is not waking him hope.
07:43:03 TemptorSent: Okay, let's give him a few to notice his ears are burning.
07:43:04 robe2: markusN is hopelessly out of it.
07:43:22 MartinSpott: robe2: Coffee might be more appropriate at this time of day
07:43:26 robe2: Let's skip nextcloud and go on to next topic and when he wakes up we can go back to it
07:43:55 robe2: next topic is the whole managing word press thing
07:43:55 MartinSpott: robe2: I suspect it's already past midnight in your place, right ?
07:44:04 robe2: jive[m] any chance you are awake?
07:44:15 robe2: it's 3:44 AM
07:44:24 MartinSpott: ouch
07:44:32 MartinSpott: sorry about that
07:44:39 robe2: but I'm wide awake my sleep schedule is not normal
07:45:11 robe2: it's not even a regular sleep
07:45:16 TemptorSent: I'm on a second wind here :)
07:45:45 robe2: anyway getting back to gitea wordpress thing for foss4g2018 we are managing their main site now
07:46:39 robe2: I had set up a production and staging on web18a and just configured cron to pull every 5 minutes / prod /staging in gitea https://git.osgeo.org/gitea/osgeo/FOSS4G2018_WordPress
07:46:53 robe2: I think that is working okay for them. Was going to do the same for www.osgeo.org
07:47:21 robe2: strk and TemptorSent I presume you think we should have a production and staging branch
07:47:37 robe2: and strk of course expects me to learn to do webhooks right
07:48:12 robe2: MartinSpott have any thoughts on that or have no opinion
07:48:19 MartinSpott: I
07:48:46 MartinSpott: I'm still trying to figure out how the setup actually looks like
07:48:55 TemptorSent: Yes, I think it is wise to have an active 'live' branch, a 'staging' branch, and a 'testing' branch for messing around with.
07:48:59 MartinSpott: but I think I'm not much involved at all
07:49:27 strk: sorry I was distracted
07:49:32 robe2: right now its a very dumb setup
07:49:42 MartinSpott: The main website runs on a VM and it's hosting FOSS4G as well, correct ?
07:49:55 strk: MartinSpott: I'd love to hear a summary of what's going on with your osgeo work
07:50:02 robe2: for FOSS4G2018 it's just a cron git pull for staging / production branches that runs every 5 minutes on the server
07:50:05 strk: but probably an email would be best
07:50:28 strk: like, any advancement in dismissing those VMs we were supposed to drop looong ago ?
07:50:31 robe2: for www.osgeo.org it's not really under git at all, I have to sync it (so that shouldn't be too bad) since it's the same files
07:50:57 robe2: it's only the themes and some basic configs I have under git cause all the plugins change too frequently and are updated whenever a security update
07:51:19 robe2: strk what vms the cloudvps.com?
07:51:37 robe2: I sent them a note saying stop billing us we want to end service (granted I should have done that a month ago)
07:51:44 strk: robe2: osgeo3 or was it osgeo4
07:51:55 strk: or both ?
07:52:02 robe2: oh you are talking about those
07:52:16 strk: yeah, those things that end up being open issues for decades...
07:52:23 strk: like Wiki/LDAP
07:52:23 robe2: MartinSpott know what's going on with those. I presume we still have them and some things offloaded
07:52:38 strk: it's fun to open new things but maintenance should also involve closing others :)
07:52:45 robe2: that was going to be next topic
07:53:10 MartinSpott: Unfortunately my OSGeo work got lower priority for a couple of weeks due to internal project work at the company. Hopefully that'll change after May 9th
07:53:12 strk: great (I thought the meeting was basically over :)
07:53:26 markusN: now back
07:53:29 robe2: strk no we are only half way thru items
07:53:45 robe2: markusN we saved nextcloud for you so now we can switch back to nextcloud
07:54:06 robe2: TemptorSent anything to report on Nextcloud front?
07:54:32 markusN: cool. thanks much :-)
07:54:56 * markusN had a quick family gathering in the kitchen, to not de-socialize completely at home :p
07:55:08 TemptorSent: No problem markusN.
07:55:09 robe2: :)
07:55:42 MartinSpott: one half of our family is still asleep
07:55:51 markusN: same here
07:55:55 robe2: last we left off we were having issues with ldap
07:56:11 robe2: though I think maybe the issues are related to the other ldap issue MartinSpott mentioned
07:56:15 * strk is alone today
07:56:17 strk: just dog
07:56:43 TemptorSent: Okay, so what we have currently for Nextcloud is essentially a minimally configured host with nextcloud and all of its deps happily installed sitting in a lxd subcontainer.
07:56:45 robe2: just dog a small dog or big one
07:56:45 strk: I don't remember if ldap was self-signed
07:56:51 strk: small dog
07:57:00 robe2: strk I don't think it was self-signed
07:57:13 strk: so Nextcloud is giving file space to all OSGeo users ?
07:57:22 strk: or does it support any "groups" ?
07:57:26 TemptorSent: It's intended for board use.
07:57:28 robe2: MartinSpott thinks it uses comodo. so issue on funtoo is the cert bundle it's using is missing a lot of authorities
07:57:37 strk: is there a board LDAP group ?
07:57:51 strk: or are groups managed locally for nextcloud ?
07:57:57 strk: (like gitea implements its own groups)
07:58:41 robe2: I forget if I saw board or not
07:58:42 robe2: https://osgeo.host.funtoo.org/nextcloud/
07:58:43 TemptorSent: I believe the certs on the host are current and based on debian's, so that shouldn't be the issue there.
07:58:56 strk: still not nextcloud.osgeo.org ?
07:59:00 robe2: when I logged in with admin account I was able to get the query of all the groups and users from ldap
07:59:22 strk: untrusted SSL cert, with both URLs
07:59:29 markusN: (just FYI/OT: the German gov switches with 300k users to nextcloud, see eg https://www.heise.de/ix/meldung/Bundescloud-Open-Source-mit-Nextcloud-statt-Dropbox-oder-Google-Drive-4026111.html )
07:59:31 sigabrt: Title: Bundescloud: Open-Source mit Nextcloud statt Dropbox oder Google Drive | iX (at www.heise.de)
07:59:35 TemptorSent: I haven't set up the rewrite for that, but feel free.
07:59:38 strk: 300k, wow!
07:59:38 markusN: I hope it will be eventually nextcloud.osgeo.org
07:59:51 markusN: 300k _gov_ users :-)
07:59:52 robe2: strk that just points at nginx. We haven't gotten the internal routing on the container working yet
08:00:18 strk: nor letsencrypt, looks like
08:00:23 robe2: but yes nextcloud.osgeo.org is a CName for osgeo.host.funtoo.org
08:00:25 TemptorSent: Actually, it's passing through fine :)
08:00:37 robe2: so once we have the internal thingy working we'll be all set
08:00:44 strk: I didn't force Firefox to load it
08:00:53 markusN: what is the issue with letsencrypt (just curious)
08:00:58 * strk is stubborn, no self-signed certs >:(
08:01:08 robe2: TemptorSent so can you change it so https://nextcloud.osgeo.org is exposed to the nextcloud
08:01:14 TemptorSent: We just need to generate a request for it and dump it on the webserver to get the key.
08:01:17 strk: right, it's so easy with apache - my guess: issue is these kids want to use something "cooler" :P
08:01:18 robe2: then we can get a letsencrypt cert for it
08:01:36 markusN: that's easy indeed with apache
08:01:38 TemptorSent: robe2 it's just a nginx rewrite rule in the outer container I believe
08:01:47 strk: seriously, did you want to try the centralized approach TemptorSent ?
08:01:55 strk: MartinSpott: TemptorSent was thinking about putting all certs on the same machine
08:02:01 strk: markusN: ^
08:02:07 strk: (wrong nick completion)
08:02:18 TemptorSent: All cert requests anyway.
08:02:27 strk: ah, right
08:02:31 strk: feels better
08:02:41 strk: so certs are still local, just the "letsencrypt" setup would be centralized
08:02:47 strk: right, was that the idea ?
08:02:49 TemptorSent: Yup.
08:02:55 MartinSpott: strk: do you mean putting all certs on the main host container and terminating SSL there ?
08:02:59 robe2: this seems like a surprisingly good time to meet :)
08:03:37 robe2: though I guess we should alternate cause this is a time I think jive[m] and wildintellect can't make
08:03:48 TemptorSent: No MartinSpott - just having letsencrypt updater running on a single host and having the various servers pass through the WKT url.
08:03:55 strk: we've to balance maintainability, I mean... for SAC members (current and future) it should be easy to deal with / troubleshoot etc.
08:04:01 strk: so if you do anything complex it should be carefully documented on the wiki
08:04:32 strk: robe2: indeed, I was really only here by chance :)
08:04:49 MartinSpott: TemptorSent: I have to admit I don't know how this is supposed to work - simply because I don't know much about letsencrypt mechanics
08:05:16 * markusN has only certbot experience
08:05:36 * robe2 only has certbot experience
08:05:41 TemptorSent: Yeah, we'd just let certbot run in standalone mode on a single host (secure?)
08:05:59 robe2: but it would need to impersonate all the subdomains
08:06:04 robe2: right
08:06:18 TemptorSent: Then the individual servers expose the WKT as a passthrough to that.
08:06:23 robe2: so not clear how that bit would work if we aren't getting a wildcard cert
08:06:42 TemptorSent: Because each server would have the correct WKT for its request.
08:06:47 robe2: wildintellect seemed against a wildcard cert not clear what his argument was about it too easy to compromise
08:06:58 robe2: WKT?
08:07:01 TemptorSent: Wildcard certs are a bad idea.
08:07:02 markusN: did anyone already try letsencrypt's wildcard support?
08:07:17 markusN: oh
08:07:19 MartinSpott: I simply need to understand the meaning of this WKT in this context
08:07:33 robe2: sorry all I think of is well-known text which I presume is not what that acronym stands for in this context
08:07:40 TemptorSent: Well Known Text -- essentially. The URL that letsencrypt checks to see if you indeed control your host.
08:07:59 MartinSpott: ah
08:08:25 robe2: but doesn't the url have to reside on the domain asking?
08:08:28 MartinSpott: But you still need to provide a certificate on every instance which is terminating SSL
08:08:32 MartinSpott: correct ?
08:08:38 TemptorSent: Right.
08:08:42 robe2: so don't see how that would work unless everything proxies thru secure
08:08:44 TemptorSent: Just a single certbot instance.
08:08:45 strk: so each server would have to set up an alias/redirect for the /.well-known/acme-challenge/ url
08:08:55 strk: to be served by the centralized letsencrypt service
08:08:55 robe2: ah
08:08:56 TemptorSent: Yup.
08:08:57 strk: right ?
08:09:11 robe2: okay that makes sense now okay understood
08:09:18 MartinSpott: TemptorSent: "Yup" to proxying ?
08:09:41 TemptorSent: Alias/proxy that single URL
08:09:49 robe2: so that folder would be alias to secure
08:09:56 robe2: and can't be a regular redirect
08:10:09 TemptorSent: Actually, it MAY work with redirects.
08:10:41 TemptorSent: But proxy is easy enough for that, and reliable.
08:11:17 MartinSpott: TemptorSent: I still don't understand how each individual service would get their SSL certificate, may I ask you to draw a little chart to be discussed next meeting ?
08:11:42 MartinSpott: Containing the paths for 'regular' traffic and the letsencrypt stuff ?
08:11:43 robe2: a chart would be good and to put on the wiki
08:11:56 robe2: though it's clear in my mind now how it works
08:12:07 TemptorSent: Sure... Actually, I think I can sorta put it on one line of ascii:
08:12:30 robe2: one line in ascii looks good
08:12:51 strk: scp ?
08:13:07 strk: to install the cert from letsencrypt.osgeo.org to <service>.osgeo.org server...
08:13:40 robe2: secure -> certbot renew -> certbot writes to .well-known folder -> certbot confirms new file is there accessible via http:/whatever.osgeo.org/well-known/...
08:14:09 robe2: well rather not certbot confirming but letsencrypt authority
08:14:10 TemptorSent: A,B,C are webhosts, S is secure L is LetsEncrypt: L requests A/.well-known/acme-challenge which replies with S/.well-known/acme-challenge
08:14:57 robe2: so instead of WKT should be WKA :)
08:15:17 TemptorSent: Yeah, the URL itself is the WKT :)
08:15:44 robe2: and the strk scp thing, secure scps the cert to the respective webserver
08:16:08 TemptorSent: After a successful request, the certbot fires off scp.
08:16:17 MartinSpott: robe2: Exactly this is the mising link
08:16:26 MartinSpott: missing
08:16:37 TemptorSent: Oh, sorry -- thought the ssl side was the confusion :)
08:17:00 MartinSpott: no, the entire picture wasn't clear ;-)
08:17:20 TemptorSent: Gotcha --
08:17:28 robe2: yah the acme challenge response protocol is fairly new
08:17:47 robe2: when I get it using other ssl providers it's always a manual thing
08:17:56 TemptorSent: SSL requests handled in-band, scp to copy the key to the host triggered by the callback runs out of band.
08:17:56 robe2: but certbot has it all nicely automated for you
08:18:51 TemptorSent: It's pretty slick actually, much nicer than the old PITA way of authing.
08:19:08 robe2: TemptorSent so all that said can we go ahead and get a letsencrypt for nextcloud.osgeo.org and repoint that for nextcloud use
08:19:46 TemptorSent: robe2 Sure -- do you have the LE account info so we don't have to set up yet another?
08:19:54 robe2: yah the way other providers implement it is clumsy and manual
08:20:05 robe2: LE account?
08:20:11 robe2: I never use one
08:20:11 TemptorSent: LetsEncrypt
08:20:19 robe2: well I always have to type in my email address
08:20:31 TemptorSent: Hmm, the OSGeo stuff isn't all under one?
08:20:56 robe2: didn't know under one was a thing aside from wildcard
08:21:20 * robe2 fears she's been doing it all wrong
08:21:24 TemptorSent: They're not too clear on it actually.
08:21:39 TemptorSent: I just try to avoid setting things up repeatedly :)
08:21:44 TemptorSent: Doesn't much matter I guess.
08:21:59 robe2: yah I mean certbot seems to keep track of all
08:22:16 robe2: so certbot renew as I recall will renew all that need renewing on the same server
08:22:29 robe2: though I have on my calendar to confirm it's working when it comes due
08:23:16 TemptorSent: robe2 in that case, emerge app-crypt/certbot-nginx :)
08:25:11 TemptorSent: Hmm, is the ldap cert for ldap.osgeo.org or secure.osgeo.org?
08:25:41 TemptorSent: er secure.osgeo.osuosl.org rather
08:27:50 robe2: I think they are the same
08:28:05 TemptorSent: Reverse-lookup may be biting us.
08:28:17 TemptorSent: I'll have to look at that when I'm a bit more alive :)
08:28:46 MartinSpott: Little question: did you plan to discuss yet another topic today ?
08:28:49 TemptorSent: LDAP and SSL while heading into seriously too tired realm is dangerous for all involved :)
08:29:09 TemptorSent: Wiki thoughts I think?
08:30:14 TemptorSent: I believe we had a tentative plan there from our last discussion and need to make a testing clone of the running system to work on.
08:31:47 robe2: MartinSpott yes we were going to discuss the LDAP / Wiki
08:31:55 robe2: I guess the question is where will we put this clone
08:32:17 robe2: Do we just wait till the new hardware comes in and maybe the clone eventually becomes the real new thing
08:32:35 robe2: cause I imagine ldap is old and the wiki is definitely old
08:32:45 * strk broomed the house
08:32:48 TemptorSent: No, we'll need to wipe the clone out and refresh it right before we actually do the switch for real.
08:32:50 MartinSpott: Considering #165, I think it always boils down to: Who's having the skills to modify the Wiki login page ?
08:33:33 TemptorSent: I can probably hack the wiki stuff if needed, but I'd prefer not to be the lynchpin on that.
08:33:44 robe2: is that a php or python thing page
08:33:46 MartinSpott: hehe
08:33:49 MartinSpott: PHP
08:34:07 TemptorSent: Yeah, I'm painfully familiar with PHP, just rusty and a bit out of date.
08:34:43 MartinSpott: From my perspective it makes little difference whether it's being updated in-place or set up new: The resource to modify the Wiki is the bottleneck
08:34:44 robe2: so the idea is whenever anyone logs into the wiki rewrite the login to legacy_osgeoname or something
08:34:44 strk: re LE Auth... I'm afraid I used my own one
08:34:51 TemptorSent: I used to write significant php libraries and applications, but I'd rather not go back there :)
08:34:51 robe2: I forgot the workflow of it
08:34:55 strk: at least, I'm often getting expiration reminders for postgis.net
08:35:01 robe2: I can look at page I think my php skills are decent
08:35:23 strk: for letsencrypt can you please register letsencrypt.osgeo.org and use that point for redirects ?
08:35:40 robe2: strk I put my email address in for all the ones I set up :)
08:35:41 TemptorSent: We rewrite all names when we move the db.
08:35:49 strk: not sure it should be secure VM rather than somewhere else (in case "secure" is not so much accessible)
08:35:49 MartinSpott: If we had PHP developer resources, we could already have the issue ironed out years ago
08:35:55 MartinSpott: the Wiki/LDAP I mean
08:36:15 strk: can we pay a MediaWiki developer for the task ?
08:36:24 strk: I tried asking the LDAP plugin author but he never replied..
08:36:30 TemptorSent: Okay, let me dunk my php-skillz in some phosphoric and wirewheel the scale off.
08:36:35 robe2: yah I don't think the difficulty would be on the PHP side
08:36:43 robe2: would be more on the Wiki structure side
08:36:48 MartinSpott: robe2: agreed
08:36:56 TemptorSent: That should be pretty easy on the db side of things.
08:37:14 robe2: I don't think I have access to the wiki database
08:37:16 TemptorSent: A db dump, some mangling, and a reload with an update script.
08:37:21 MartinSpott: I can do some PHP as well, but my changes never showed up on the place I expected them to do :-)
08:37:33 TemptorSent: *lol* Yeah, php is bad for that.
08:37:35 robe2: I think in last meeting I tried logging in and got greeted with German "hello you are not authorized"
08:37:57 MartinSpott: TemptorSent: to me it's been the way MediaWiki works
08:37:58 robe2: so I was going to look at the db structure but of course the German message says "No no"
08:37:58 TemptorSent: We need a sandbox to experiment with it safely.
08:38:33 robe2: MartinSpott did you install wiki?
08:38:38 MartinSpott: robe2: yes
08:38:50 robe2: okay so you're the German saying "no no"
08:38:52 TemptorSent: I don't even want to think about touching live data until we can reliably run our migration in 30 mins or less.
08:39:14 MartinSpott: robe2: I didn't do so by intention
08:39:27 robe2: agreed so MartinSpott any chance you can give me access or a backup
08:39:52 TemptorSent: Then, ideally we drop the old offline, create the new instance, migrate, and bring it back up in a half hour or less of total downtime, with an immediate revert possible.
08:40:04 robe2: I think we'd want to upgrade wiki as well as test migration right
08:40:08 MartinSpott: A MediaWiki dump or a DB dump ? MediaWiki is preferred, I guess
08:40:22 TemptorSent: Both, really.
08:40:23 robe2: Db dump for now
08:40:33 robe2: but yah we'd need both eventually
08:40:35 strk: what do you want to do with the dump ?
08:40:39 strk: matching between LDAP and local ?
08:40:39 TemptorSent: But the DB is where the real work will be.
08:40:56 TemptorSent: Figuring out how to do the rewriting in one fell swoop.
08:41:00 robe2: I just wanted to see how db is structured (since I am a db programmer more than a regular web programmer)
08:41:09 strk: we won't find all matches
08:41:16 strk: some (no idea how many) will match by email
08:41:21 strk: but others will just not have a match
08:41:25 robe2: strk well we weren't going to match right just rename
08:41:32 TemptorSent: We're not even going to try to match them.
08:41:44 robe2: I just want to make sure there is no crazy linkage (like lacking ref integrity)
08:41:44 strk: what's the plan then ?
08:42:03 robe2: word press was a mess total lack of respect for referential integrity
08:42:14 strk: I'd love to see staging.wiki.osgeo.org with the LDAP plugin installed and configured, to see what it does for us
08:42:31 robe2: yah that would be the first
08:42:32 TemptorSent: Rename all wiki accounts with a prefix such as _OWU_ (_OldWikiUser_)
08:42:39 strk: ah ok
08:42:46 strk: and next step ?
08:42:55 strk: as we do want merging between accounts
08:42:58 strk: and use meaningful names in history of changes
08:43:01 strk: ie: new names
08:43:02 robe2: yah and in theory rename can happen in db but need to make sure there are no loose ends in other tables
08:43:04 TemptorSent: then when users try to login, we force them straight to the osgeo login.
08:43:21 strk: ok, let's say they have one, so they login
08:43:23 strk: what happens next ?
08:43:40 TemptorSent: Once they're logged in with their ldap account, they get asked if there are wiki accounts to merge, and if so, asks for username and password.
08:43:40 strk: they need to claim their old identity too
08:43:50 strk: is this done already by the plugin ?
08:43:50 robe2: we show the ldap screen and force them to log in again :)
08:44:09 TemptorSent: We prepend the prefix to the username they specify, verify it, and then run merge_users tool.
08:44:35 strk: ok so this is NOT part of the plugin but of the envisioned development to be done ?
08:45:04 TemptorSent: Just the trick to get the old account and merge_users (the plugin)
08:46:23 MartinSpott: Folks, we need to tell between a) ideas on the logic and b) actual implementation
08:46:24 TemptorSent: We can even get tricky and detect them trying to log in with an old name and tell them what to do.
08:46:47 MartinSpott: Suggestions on a) have been around for years
08:46:48 TemptorSent: Yeah, need to see the DB to determine how much work is actually required on that end.
08:46:59 TemptorSent: The login itself is fairly easy.
08:47:21 MartinSpott: Ok, I'll provide the required dumps within a few days
08:47:37 MartinSpott: Then show us whether the logic actually works ;-)
08:47:40 TemptorSent: So we set it up and everyone will be logging in fresh, using ldap only.
08:48:04 TemptorSent: Yeah, it's all theoretical until the code starts flying.
08:48:12 * MartinSpott short break
08:48:34 robe2: hmm we probably should be ending the meeting
08:48:39 robe2: almost 2 hrs already
08:48:50 TemptorSent: But at worst, we'd have a wiki with all existing content present, with prefixed names, and users logging in using ldap.
08:48:51 robe2: anything else people want to discuss before we adjourn
08:49:28 TemptorSent: The automerging feature is a nice thing to have, but doesn't prevent the migration if push comes to shove.
08:49:41 markusN: I'd suggest to write this up on the SAC page, in order to develop pros and cons
08:49:56 TemptorSent: It's already mostly laid out in the bug IIRC?
08:50:05 markusN: which #?
08:50:11 TemptorSent: robe2 Can you append the notes from this meeting?
08:50:18 TemptorSent: #165 IIRC?
08:50:34 TemptorSent: Don't have it in front of me, something near that :)
08:50:51 robe2: yah will do after
08:51:09 robe2: https://wiki.osgeo.org/wiki/SAC_Meeting_2018-04-29
08:51:10 sigabrt: Title: SAC Meeting 2018-04-29 - OSGeo (at wiki.osgeo.org)
08:51:23 markusN: https://trac.osgeo.org/osgeo/ticket/165
08:51:24 sigabrt: Title: #165 (Wiki LDAP integration) – OSGeo (at trac.osgeo.org)
08:51:25 markusN: bingo
08:51:27 robe2: I haven't added anything yet -- feel free to update with the key points
08:52:15 TemptorSent: Okay, just notes RE DB dumps and sandbox clone needs.
08:52:23 robe2: I think the last set of topics we can't discuss because no movement or people involved not here
08:52:38 robe2: yah knock yourself out
08:52:43 MartinSpott: robe2: Next Meeting: Which one is correct ? Saturday or the link behind ?
08:53:12 robe2: definitely not saturday
08:53:20 MartinSpott: ok, Thursday then
08:53:29 TemptorSent: Oh, Website "Friends" page?
08:53:35 robe2: I was going to move to Thursday so alternate between Thursday and Sunday
08:53:49 MartinSpott: ack
08:53:53 markusN: ok
08:54:00 TemptorSent: Anything we need to do on that item immediately?
08:54:11 MartinSpott: I'll provide dumps
08:54:40 * markusN needs to go
08:54:47 TemptorSent: Thank you MartinSpott -- I'll get some eyeballs on them and take a look at the wiki code.
08:54:48 * markusN waves
08:54:55 MartinSpott: If the extensions don't break - are available for current MediaWiki -, I might update the current instance in-place
08:54:56 TemptorSent: Take care markusN!
08:55:15 MartinSpott: I'll check carefully beforehand
08:55:24 robe2: okay updated the next meet time
08:55:30 TemptorSent: If that's sanely feasible, it would probably make the migration easier.
08:55:38 MartinSpott: Yup
08:55:45 TemptorSent: Thanks.
08:55:56 MartinSpott: I'll always have a current backup available
08:56:08 markusN: thanks to all!
08:56:16 MartinSpott: cu Markus
08:56:18 robe2: thanks markusN
08:56:37 markusN: didn't contribute much
08:56:55 robe2: well your interest is always appreciated
08:58:02 TemptorSent: Looks like I've got some poking to do at the resolver and SSL setup to see if something is amiss, or just not the config I'm used to.
08:58:09 robe2: TemptorSent I'm lost which line in openssl.cnf to edit
08:58:23 robe2: all seem like the certs for the server (not certificate authority bundle)
08:58:27 MartinSpott: robe2: Did you close the meeting ?
08:58:47 TemptorSent: Not yet..
08:58:53 MartinSpott: ok
08:58:58 TemptorSent: Please do :)
08:59:05 robe2: yah it's closing slowly
08:59:16 robe2: I think I did actually but TemptorSent missed it :)
08:59:26 robe2: meeting adjourned
08:59:32 TemptorSent: :)
08:59:39 TemptorSent: Okay, after-hours.
08:59:57 MartinSpott: thanks for joining so late/early
09:00:07 robe2: np
09:00:32 TemptorSent: I'm honestly a bit too tired to debug openssl/openldap right now -- it will likely be painfully obvious in the morning with a cup of coffee :)
09:00:59 TemptorSent: Spent the day turning over the garden beds, so I'm wiped.