Difference between revisions of "Talk:SAC Meeting 2018-05-10"

From OSGeo
Jump to navigation Jump to search
m (Robe moved page Talk:SAC Meeting 2018-04-29th to Talk:SAC Meeting 2018-05-10: this was created in error already have a 4-29 transcript page)
(Replaced content with "== Transcript ==")
Line 1: Line 1:
 
+
== Transcript ==
    07:00:09 robe2: meeting starting now
 
    07:00:36 MartinSpott: robe2: is anybody here except us two ? ;-)
 
    07:00:43 robe2: Guess first topic is hardware. But Alex isn't here
 
    07:01:15 robe2: I know he said he was going to send for purchase since no -1s, does any one know if he's done that
 
    07:02:20 robe2: MartinSpott TemptorSent is here I think
 
    07:02:36 MartinSpott: The new quote is slightly different from the past ones, because it doesn't contain any SSD stuff - did I get this correctly ?
 
    07:02:45 markusN: Morning!
 
    07:02:47 MartinSpott: Moggeeeen !
 
    07:02:53 robe2: Hi Markus
 
    07:03:00 MartinSpott: repeating myself:
 
    07:03:02 MartinSpott: The new quote is slightly different from the past ones, because it doesn't contain any SSD stuff - did I get this correctly ?
 
    07:03:25 MartinSpott: That's fine with me, if nobody objects
 
    07:04:31 robe2: MartinSpott I thought it still had SSD via the Optane component.
 
    07:04:39 MartinSpott: Ah, now I see
 
    07:04:46 MartinSpott: *** Addiotional ....
 
    07:05:04 MartinSpott: fine, go for it
 
    07:05:24 robe2: I'm a bit clueless about the whole Optane thing
 
    07:05:45 MartinSpott: I suspect it's "cool" ;-)
 
    07:05:49 robe2: but there seemed to be hardware whores arguing so I figured they'd come up with something good
 
    07:06:07 MartinSpott: At least it doesn't hurt
 
    07:06:45 robe2: Next topic funtoo. Too bad TemptorSent couldn't keep his eyes open :)
 
    07:06:56 TemptorSent: Hello MartinSpott!
 
    07:07:11 robe2: TemptorSent you're alive and awake :)
 
    07:07:14 TemptorSent: Hello all.
 
    07:07:17 markusN: hi TemptorSent
 
    07:07:27 MartinSpott: Do we still need to retire one of the old machines before activating the new one ?
 
    07:07:33 MartinSpott: Hi TemptorSent
 
    07:07:35 robe2: MartinSpott no
 
    07:07:49 robe2: OSUOSL said they have plenty of space last I recall
 
    07:08:04 MartinSpott: Oh, how nice
 
    07:08:25 robe2: so we this will be an extra we can start moving stuff too at our own pace
 
    07:08:45 TemptorSent: That's refreshing.
 
    07:09:07 robe2: any more questions about Optane - TemptorSent I think knows a lot about it as he was one of the whores arguing
 
    07:10:19 robe2: okay guess no more questions - next topic funtoo host
 
    07:10:26 MartinSpott: go ahed
 
    07:10:28 MartinSpott: ahead
 
    07:10:39 robe2: MartinSpott you know what SSL ldap.osgeo.org is using?
 
    07:11:03 MartinSpott: wait a second, I'm mixing names
 
    07:11:04 robe2: I was trying to setup SSH via LDAP on funtoo, but ldapsearch is failing with key not trusted
 
    07:11:18 MartinSpott: the former was COMODO I think, the current is ....
 
    07:12:05 robe2: that's what I thought. As when I copied over the osgeo star bundle from osgeo6 and put on other servers I had setup and set in ldap.config if worked fine
 
    07:12:17 robe2: I had done the same on funtoo and it didn't work.
 
    07:12:27 TemptorSent: TLS trace: SSL_connect:SSLv3 read server hello A
 
    07:12:27 TemptorSent: TLS certificate verification: depth: 2, err: 2, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 
    07:12:27 TemptorSent: TLS certificate verification: Error, unable to get issuer certificate
 
    07:12:27 TemptorSent: TLS trace: SSL3 alert write:fatal:unknown CA
 
    07:12:35 robe2: TemptorSent it occurred to me maybe it's not using the bundle I referenced
 
    07:12:47 TemptorSent: TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get issuer certificate).
 
    07:13:11 robe2: TemptorSent is there a way to tell which bundle. Maybe it's cache
 
    07:13:13 robe2: cached
 
    07:13:31 TemptorSent: Hmm, I don't recall off hand.
 
    07:13:36 robe2: I had originally use the ca-certificates one I saw in the folder and when that didn't work I downloaded the one I use
 
    07:14:57 robe2: MartinSpott TemptorSent can you see this page - https://git.osgeo.org/gitea/osgeo/osgeo_funtoo/wiki/Configuring-SSH-LDAP-on-the-Host
 
    07:15:01 MartinSpott: didn't the star package contain the entire bundle ?
 
    07:15:14 robe2: MartinSpott yes it did
 
    07:15:26 robe2: and it worked on all the debians I have setup
 
    07:15:39 TemptorSent: Yeah, I'm only seeing two signatures in that bundle.
 
    07:15:51 robe2: so I suspect this is a funtoo specific issue that it's using some other barebones bundle rather than the one I specified in ldap.config
 
    07:16:23 robe2: This is the file I changed - /etc/openldap/ldap.conf
 
    07:16:30 TemptorSent: It should be using the system pems I would think, which have a cert for AddTrust it appears
 
    07:16:49 robe2: I know it's at least reading it for ldap.osgeo.org since to do the ldapsearch I don't need to specify the -H
 
    07:17:08 TemptorSent: Ahh, /etc/ssl/openssl.cnf :)
 
    07:17:50 robe2: ah okay I wonder if maybe that's always used and I had thought it was the ldap one used, but others had an already full bundle
 
    07:18:09 robe2: TemptorSent did you just edit that or you want me too?
 
    07:18:17 TemptorSent: I have not edited.
 
    07:18:26 robe2: okay I'll edit
 
    07:18:56 robe2: MartinSpott can you check to see if you can get into the funtoo server -- it's tech_dev@funtoo.osgeo.org
 
    07:19:04 robe2: hopefully I didn't screw up adding your key
 
    07:19:23 MartinSpott: looks like I'm in
 
    07:19:57 MartinSpott: BTW, where can I read more about OSGeo using FunToo containers ?
 
    07:20:08 MartinSpott: There wasn't much I could find
 
    07:21:16 TemptorSent: We haven't gotten much written up as of yet other than meeting logs and some notes.
 
    07:21:25 MartinSpott: ok
 
    07:21:41 robe2: https://www.funtoo.org/LXD#PART_II_-_LXD_Installation
 
    07:21:42 sigabrt: Title: LXD - Funtoo (at www.funtoo.org)
 
    07:21:45 MartinSpott: To me the intention isn't clear, that why I was asking
 
    07:22:13 robe2: oh we were going to put NextCloud, Weblate
 
    07:22:29 robe2: basically things we want to experiment with and once they are good we could move to osuosl
 
    07:22:36 MartinSpott: Is it "container as a paid service" ?
 
    07:22:53 TemptorSent: Funtoo is providing a fairly substatinial amount of resources and infrastructure for us to build out and stage some of our services.
 
    07:22:54 robe2: though in future we may use it for production stuff,right now just experiments
 
    07:23:26 robe2: MartinSpott well technically they aren't changing us for use of hardware, but if we like we'd give them some sort of donation like we do for OSUOSL
 
    07:23:31 TemptorSent: MartinSpott - At the moment, it's being provided as an in-kind donation.
 
    07:23:42 MartinSpott: I see
 
    07:23:45 strk: hi
 
    07:23:49 robe2: So they gave us a host container and we are doing the lxd within lxd thing
 
    07:23:50 TemptorSent: hi strk :)
 
    07:23:51 strk: are you in a meeting ?
 
    07:23:54 MartinSpott: strk: Moin
 
    07:23:59 strk: hi MartinSpott
 
    07:24:00 TemptorSent: Good timing!
 
    07:24:01 robe2: hi strk we were just discussing funtoo with MartinSpott
 
    07:24:06 markusN: hi strk
 
    07:24:09 strk: hey
 
    07:24:13 MartinSpott: "lxd within lxd", really ?
 
    07:24:14 robe2: and I was still fiddling with setting up ldap ssh
 
    07:24:18 strk: ouch, I wanted to take a quick look, now I seem to be stuck :P
 
    07:24:44 robe2: strk you can get in tech_dev@funtoo.osgeo.org
 
    07:24:47 TemptorSent: MartinSpott Yep, nested containers.
 
    07:25:11 robe2: I don't have the ldap ssh configured yet. I ran into a stumbling block which TemptorSent might have figured out so going to try
 
    07:25:34 robe2: strk you can get to here - https://git.osgeo.org/gitea/osgeo/osgeo_funtoo/wiki/Configuring-SSH-LDAP-on-the-Host
 
    07:25:43 TemptorSent: Yeah, I don't recall how openssl wants to handle bundles by default.
 
    07:26:26 robe2: TemporSent so in theory if I build local containers -- e.g. if I get this hardware thing - https://antsle.com/
 
    07:26:28 sigabrt: Title: antsle: The Private Cloud Server, Designed for Developers. (at antsle.com)
 
    07:26:50 TemptorSent: Yeah, I was looking at that -- pretty slick case!
 
    07:26:56 robe2: I can copy over the containers etc. It looks like a cute device and cheap end is only $1000 so was going to get it for my dev experiments
 
    07:27:13 robe2: yah its so cute and Leo was sold on no noise :)
 
    07:27:14 TemptorSent: I almost bought one of those -D boards a while back, but it was too much money at the time.
 
    07:27:40 TemptorSent: They've gotten more reasonable it seems, but memory went the other way.
 
    07:28:49 TemptorSent: No noise would be nice.
 
    07:29:10 MartinSpott: robe2: which sort of LDAP authentiation did you try to establish ?
 
    07:29:44 robe2: well I just did an ldapsearch
 
    07:29:59 MartinSpott: ah, and it failed ?
 
    07:30:10 robe2: I don't think I have all the pieces in place yet cause I was trying to map the packages to gen too / fun too and they namespace theirs
 
    07:30:25 TemptorSent: robe2 -- um, check that ldap config again perhaps?
 
    07:30:48 robe2: so for example I had installed sudo emerge sys-auth/nss-pam-ldapd
 
    07:31:07 robe2: I assume that combines both the nss-ldapd and pad-ldapd that we normally install
 
    07:31:22 MartinSpott: nss != pam
 
    07:31:25 robe2: MartinSpott yah with the ssl key can't be authenticated
 
    07:31:57 * markusN just FYI: on an off here, mainly for nextcloud item
 
    07:32:08 robe2: MartinSpott I know that but looks like they combined the packaged in funtto -- you saw link I posted above?
 
    07:32:22 MartinSpott: robe2: no, password protected ....
 
    07:32:33 robe2: ?
 
    07:33:28 robe2: so I still need - sudo emerge sys-auth/pam-ldap
 
    07:33:42 TemptorSent: Nextcloud is up in a subcontainer :)
 
    07:33:43 MartinSpott: The gitea page you posted above is password protected - which annoys me, I just didn't complain
 
    07:33:48 robe2: that one didn't have an ldapd at the end and I thought you had mentioned the one without ldapd is old
 
    07:34:16 robe2: MartinSpott oh are you able to get in? all osgeo folks should be able to.
 
    07:34:33 MartinSpott: yup, pam/nss_ldap runs as root which is why GnuTLS complains
 
    07:35:00 robe2: I can unprotect the repo nothing secret in there anyway. Want me to do that
 
    07:35:00 MartinSpott: pam/nss_ldap*d* uses a user-space daemon
 
    07:35:43 MartinSpott: robe2: It's up to you
 
    07:35:59 robe2: MartinSpott what do you recommend?
 
    07:36:32 MartinSpott: I just think that having a second Wiki and making common stuff passwort-protected is, well, not very elegant
 
    07:36:33 robe2: I'm still a bit clueless about what each role plays
 
    07:37:06 robe2: Well it's specific to funtoo at moment so not quite so common :)
 
    07:37:29 MartinSpott: a *third* Wiki, BTW
 
    07:37:44 robe2: you mean cause we have trac too :)
 
    07:37:59 robe2: Yah strk was arguing with me about that too :)
 
    07:38:29 robe2: gitea wiki is a lot easier to edit than wiki.osgeo.org (e.g. I can do shift tab and move a whole stream of text)
 
    07:38:40 MartinSpott: osgeo ~ # nc -nv ldap.osgeo.org ldaps
 
    07:38:40 MartinSpott: Can't parse ldap.osgeo.org as an IP address
 
    07:39:01 robe2: and .. I liked the idea of having the page that described setup of server be with the configs we will eventually store
 
    07:39:21 TemptorSent: osgeo /etc/openldap # ping ldap.osgeo.org
 
    07:39:21 TemptorSent: PING ldap.osgeo.org (140.211.15.58) 56(84) bytes of data.
 
    07:39:21 TemptorSent: 64 bytes from secure.osgeo.osuosl.org (140.211.15.58): icmp_seq=1 ttl=52 time=49.6 ms
 
    07:39:57 TemptorSent: robe2 I can't disagee with that last, but we should probably consider standardizing that across all our config repos then.,
 
    07:40:00 MartinSpott: TemptorSent: yes, but apparently there's still something wrong with the resolver
 
    07:40:36 TemptorSent: Noted. We can poke at that out of band.
 
    07:40:55 MartinSpott: Agreed
 
    07:41:09 MartinSpott: Note that this might be the root cause
 
    07:41:11 TemptorSent: robe2, shall we move on to Nextcloud?
 
    07:41:16 robe2: yes
 
    07:41:19 TemptorSent: MartinSpott Agreed.
 
    07:41:24 robe2: markusN you around
 
    07:41:56 MartinSpott: Markus ! Markus ! Markus !
 
    07:42:00 MartinSpott: ;-)
 
    07:42:07 robe2: I thnk markusN wanted to be involved in the talk hate to start without him being awake
 
    07:42:16 MartinSpott: markusN: Oh, please get back to us
 
    07:42:31 MartinSpott: Next time we're having a beer I promisre not to be late again ;-)
 
    07:42:57 robe2: even beer is not waking him hope.
 
    07:43:03 TemptorSent: Okay, let's give him a few to notice his ears are burning.
 
    07:43:04 robe2: markusN is hopelessly out of it.
 
    07:43:22 MartinSpott: robe2: Coffee might be more appropriate at this time of day
 
    07:43:26 robe2: Let's skip nextcloud and go on to next topic and when he wakes up we can go back to it
 
    07:43:55 robe2: next topic is the whole managing word press thing
 
    07:43:55 MartinSpott: robe2: I suspect it's already past midgnight in your place, right ?
 
    07:44:04 robe2: jive[m] any chance you are awake?
 
    07:44:15 robe2: it's 3:44 AM
 
    07:44:24 MartinSpott: ouch
 
    07:44:32 MartinSpott: sorry about that
 
    07:44:39 robe2: but I'm wide awake my sleep schedule is not normal
 
    07:45:11 robe2: it's not even a regular sleep
 
    07:45:16 TemptorSent: I'm on a second wind here :)
 
    07:45:45 robe2: anyway getting back to gitea wordpress thing for foss4g2018 we are managing their main site now
 
    07:46:39 robe2: I had setup a production and staging on web18a and just configure cron to pull every 5 minutes / prod /staging in gitea https://git.osgeo.org/gitea/osgeo/FOSS4G2018_WordPress
 
    07:46:53 robe2: I think that is working okay for them. Was going to do the same for www.osgeo.org
 
    07:47:21 robe2: strk and TemptorSent I presume you think we should have a production and staging branch
 
    07:47:37 robe2: and strk of coures expects me to learn to do webhooks right
 
    07:48:12 robe2: MartinSpott have any thoughts on that or have no opinion
 
    07:48:19 MartinSpott: I
 
    07:48:46 MartinSpott: I'm still trying to figure out how the setup actually looks like
 
    07:48:55 TemptorSent: Yes, I think it is wise to have an active 'live' branch, a 'staging' branch, and a 'testing' branch for messign around with.
 
    07:48:59 MartinSpott: but I think I'm not much involved at all
 
    07:49:27 strk: sorry I was discracted
 
    07:49:32 robe2: right now its a very dum setup
 
    07:49:42 MartinSpott: The main website runs on a VM and it's hosting FOSS4G as well, correct ?
 
    07:49:55 strk: MartinSpott: I'd love to hear a summary of what's going on with your osgeo work
 
    07:50:02 robe2: for FOSS4G2018 it's just a cron git pull for staging / production branches that runs every 5 minutes on the server
 
    07:50:05 strk: but probably an email would be best
 
    07:50:28 strk: like, any advancement in dismissing those VMs we were supposed to drop looong ago ?
 
    07:50:31 robe2: for www.osgeo.org it's not really under git at all, I have to synch it (so that shouldn't be too bad) since it's the same files
 
    07:50:57 robe2: it's only the themes and some basic configs I have under git cause all the plugins change to frequently and are updated whenever a security update
 
    07:51:19 robe2: strk what vms the cloudvps.com?
 
    07:51:37 robe2: I sent them a note saying stop billing us we want to end service (granted I should have done that a month ago)
 
    07:51:44 strk: robe2: osgeo3 or was it osgeo4
 
    07:51:55 strk: or both ?
 
    07:52:02 robe2: oh you are talking about those
 
    07:52:16 strk: yeah, those things that end up being open issues for decades...
 
    07:52:23 strk: like Wiki/LDAP
 
    07:52:23 robe2: MartinSpott know what's going on with those. I presume we still have them and some things offloaded
 
    07:52:38 strk: it's fun to open new things but maintainance should also involve closing others :)
 
    07:52:45 robe2: that was going to be next topic
 
    07:53:10 MartinSpott: Unfortunately my OSGeo work got lower priority for a couple of weeks due to internal project work at the company. Hopefully that'll change after May 9th
 
    07:53:12 strk: great (I thought the meeting was basically over :)
 
    07:53:26 markusN: now back
 
    07:53:29 robe2: strk no we are only half way thru items
 
    07:53:45 robe2: markusN we saved nextcloud for you so now we can switch back to nextcloud
 
    07:54:06 robe2: TemptorSent anything to report on Nextcloud front?
 
    07:54:32 markusN: cool. thanks much :-)
 
    07:54:56 * markusN had a quick family gathering in the kitchen, to not de-socialize completely at home :p
 
    07:55:08 TemptorSent: No problem markusN.
 
    07:55:09 robe2: :)
 
    07:55:42 MartinSpott: one half of our family is still asleep
 
    07:55:51 markusN: same here
 
    07:55:55 robe2: last we left off we were having issues with ldap
 
    07:56:11 robe2: though I think maybe the issues are related to the other ldap issue MartinSpott mentioned
 
    07:56:15 * strk is alone today
 
    07:56:17 strk: just dog
 
    07:56:43 TemptorSent: Okay, so what we have currently for Nextcloud is essentially a minimally configured host with nextcloud and all of its deps happily installed sitting in a lxd subcontainer.
 
    07:56:45 robe2: just dog a small dog or big one
 
    07:56:45 strk: I don't remember if ldap was self-signed
 
    07:56:51 strk: small dog
 
    07:57:00 robe2: strk I don't think it was self-signed
 
    07:57:13 strk: so Nextcloud is giving file space to all OSGeo users ?
 
    07:57:22 strk: or does it support any "groups" ?
 
    07:57:26 TemptorSent: It's intende for board use.
 
    07:57:28 robe2: MartinSpott thinks it uses comodo. so issue on funtoo is the cert bundle it's using is missing a lot of authorities
 
    07:57:37 strk: is there a board LDAP group ?
 
    07:57:51 strk: or are groups managed locally for nextcloud ?
 
    07:57:57 strk: (like gitea implmeents its own groups)
 
    07:58:41 robe2: I forget if I saw board or not
 
    07:58:42 robe2: https://osgeo.host.funtoo.org/nextcloud/
 
    07:58:43 TemptorSent: I believe the certs on the host are current and based on debians, so that shouldn't be the issue there.
 
    07:58:56 strk: still not nextcloud.osgeo.org ?
 
    07:59:00 robe2: when I logged in with admin account I was able to get the query of all the groups and users from ldap
 
    07:59:22 strk: untrusted SSL cert, with both URLs
 
    07:59:29 markusN: (just FYI/OT: the German gov switches with 300k users to nextcloud, see eg https://www.heise.de/ix/meldung/Bundescloud-Open-Source-mit-Nextcloud-statt-Dropbox-oder-Google-Drive-4026111.html )
 
    07:59:31 sigabrt: Title: Bundescloud: Open-Source mit Nextcloud statt Dropbox oder Google Drive | iX (at www.heise.de)
 
    07:59:35 TemptorSent: I haven't setup the rewrite for that, but feel free.
 
    07:59:38 strk: 300k, wow!
 
    07:59:38 markusN: I hope it will be eventually nextcloud.osgeo.org
 
    07:59:51 markusN: 300k _gov_ users :-)
 
    07:59:52 robe2: strk that just points at nginx. We haven't gotten the internal routing on the container working yet
 
    08:00:18 strk: nor letsencrypt, looks like
 
    08:00:23 robe2: but yes nextcloud.osgeo.org is a CName for osgeo.host.funtoo.org
 
    08:00:25 TemptorSent: Actually, it's passign through fine :)
 
    08:00:37 robe2: so once we have the internal thingy working we'll be all set
 
    08:00:44 strk: I didn't force Firefox to load it
 
    08:00:53 markusN: what is the issue with letsencrypt (just curious)
 
    08:00:58 * strk is subborn, no self-signed certs >:(
 
    08:01:08 robe2: TemptorSent so can you change it so https://nextcloud.osgeo.org is exposed to the nextcloud
 
    08:01:14 TemptorSent: We just need to generate a request for it and dump it on the webserve to get the key.
 
    08:01:17 strk: right, it's so easy with apache - my guess: issue is these kids want to use something "cooler" :P
 
    08:01:18 robe2: then we can get a letsencrypt cert for it
 
    08:01:36 markusN: that's easy indeed with apache
 
    08:01:38 TemptorSent: robe2 it's just a nginx rewrite rule in the outer container I believe
 
    08:01:47 strk: seriously, did you want to try the centralized approach TemptorSent ?
 
    08:01:55 strk: MartinSpott: TemptorSent was thinking about putting all certs on the same machine
 
    08:02:01 strk: markusN: ^
 
    08:02:07 strk: (wrong nick completion)
 
    08:02:18 TemptorSent: All cert requests anyway.
 
    08:02:27 strk: ah, right
 
    08:02:31 strk: feels better
 
    08:02:41 strk: so certs are still local, just the "letsencrypt" setup would be centralized
 
    08:02:47 strk: right, was that the idea ?
 
    08:02:49 TemptorSent: Yup.
 
    08:02:55 MartinSpott: strk: do you mean putting all certs on the main host container and terminating SSL there ?
 
    08:02:59 robe2: this seems like a surprisingly good time to meet :)
 
    08:03:37 robe2: though I guess we should alternate cause this is a time I think jive[m] and wildintellect can't make
 
    08:03:48 TemptorSent: No MartinSpott - just having letsencrypt updater running on a single host and having the various servers pass through the WKT url.
 
    08:03:55 strk: we've to balance maintainability, I mean... for SAC members (current and future) it should be easy to deal with / troubleshoot etc.
 
    08:04:01 strk: so if you do anything complex it should be carefully documented on the wiki
 
    08:04:32 strk: robe2: indeed, I was really only here by chance :)
 
    08:04:49 MartinSpott: TemptorSent: I havve to admit I don't know how this is supposed to work - simply because I don't know much about letsencrypt mechanics
 
    08:05:16 * markusN has only certbot experience
 
    08:05:36 * robe2 only has certbot experience
 
    08:05:41 TemptorSent: Yeah, we'd just let certbot run in standalone mode on a single host (secure?)
 
    08:05:59 robe2: but it would need to impersonate all the subdomains
 
    08:06:04 robe2: right
 
    08:06:18 TemptorSent: Then the individual servers expose the WKT as a passthroug to that.
 
    08:06:23 robe2: so not clear how that bit would work if we aren't getting a wildcard cert
 
    08:06:42 TemptorSent: Because each server would have the correct WKT for it's request.
 
    08:06:47 robe2: wildintellect seemed against a wildcard cert not clear what his argument was about it too easy to compromise
 
    08:06:58 robe2: WKT?
 
    08:07:01 TemptorSent: Wildcard certs are a bad idea.
 
    08:07:02 markusN: did anyone already try letsencrypt's wildcard support?
 
    08:07:17 markusN: oh
 
    08:07:19 MartinSpott: I simply need to understand the meaning of this WKT in this context
 
    08:07:33 robe2: sorry all I think of is well-known text whic I presume is not what that acronymy stands for in this context
 
    08:07:40 TemptorSent: Well Known Text -- essentially. The URL that letsencrypt checks to see if you indeed controll your host.
 
    08:07:59 MartinSpott: ah
 
    08:08:25 robe2: but doesn't the url have to reside on the domain asking?
 
    08:08:28 MartinSpott: But you still need to provide a certificate on every instance which is terminating SSL
 
    08:08:32 MartinSpott: correct ?
 
    08:08:38 TemptorSent: Right.
 
    08:08:42 robe2: so don't see how that would work unless everything proxies thru secure
 
    08:08:44 TemptorSent: Just a single cerbot instance.
 
    08:08:45 strk: so each server would have to setup an alias/redirect for the /.well-known/acme-challenge/ url
 
    08:08:55 strk: to be served by the centralized letsencrypt service
 
    08:08:55 robe2: ah
 
    08:08:56 TemptorSent: Yup.
 
    08:08:57 strk: right ?
 
    08:09:11 robe2: okay that makes sense now okay understood
 
    08:09:18 MartinSpott: TemptorSent: "Yup" to proxying ?
 
    08:09:41 TemptorSent: Alias/proxy that single URL
 
    08:09:49 robe2: so that folder would be alias to secure
 
    08:09:56 robe2: and can't be a regular redirect
 
    08:10:09 TemptorSent: Actually, it MAY work with redirects.
 
    08:10:41 TemptorSent: But proxy is easy enough for that, and reliable.
 
    08:11:17 MartinSpott: TemptorSent: I still don't understand how each individual service would get their SSL certificate, may I ask you to draw a little chart to be discussed next meeting ?
 
    08:11:42 MartinSpott: Containing the paths for 'regular' traffic and the letsencrypt stuff ?
 
    08:11:43 robe2: a chart would be good and to put on the wiki
 
    08:11:56 robe2: though it's clear in my mind now how it works
 
    08:12:07 TemptorSent: Sure... Actually, I think I can sorta put it on one line of ascii:
 
    08:12:30 robe2: one line in ascii looks good
 
    08:12:51 strk: scp ?
 
    08:13:07 strk: to install the cert from letsencrypt.osgeo.org to <service>.osgeo.org server...
 
    08:13:40 robe2: secure -> certbot renew -> certbot writes to .well-known folder -> certbot confirms new file is there accessible via http:/whatever.osgeo.org/well-known/...
 
    08:14:09 robe2: well rather not certbot confirming but letsencrypt authority
 
    08:14:10 TemptorSent: A,B,C are webhosts, S is secure L is LetsEncrypt: L requests A/.well-known/acme-challenge which replies with S/.well-known/acme-challenge
 
    08:14:57 robe2: so instead of WKT should be WKA :)
 
    08:15:17 TemptorSent: Yeah, the URL itself is the WKT :)
 
    08:15:44 robe2: and the strk scp thing, secure scps the cert to the respective webserver
 
    08:16:08 TemptorSent: After a successful request, the certbot fires off scp.
 
    08:16:17 MartinSpott: robe2: Exactly this is the mising link
 
    08:16:26 MartinSpott: missing
 
    08:16:37 TemptorSent: Oh, sorry -- thought the ssl side was the confusion :)
 
    08:17:00 MartinSpott: no, the entire picture wasn't clear ;-)
 
    08:17:20 TemptorSent: Gotcha --
 
    08:17:28 robe2: yah the acme challenge response protocol is fairly new
 
    08:17:47 robe2: when I get it using other ssl providers it's always a manual thing
 
    08:17:56 TemptorSent: SSL requests handled in-band, scp to copy the key to the host trigged by the callback runs out of band.
 
    08:17:56 robe2: but certbot has it all nicely automated for you
 
    08:18:51 TemptorSent: It's pretty slick actually, much nicer than the old PITA way of authing.
 
    08:19:08 robe2: TemportorSent so all that said can we go ahead and get a letsencrypt for nextcloud.osgeo.org and repoint that for nextcloud use
 
    08:19:46 TemptorSent: robe2 Sure -- do you have the LE account info so we don't have to set up yet another?
 
    08:19:54 robe2: yah the way other providers implement it is clumsy and manual
 
    08:20:05 robe2: LE account?
 
    08:20:11 robe2: I never use one
 
    08:20:11 TemptorSent: LetsEncrypt
 
    08:20:19 robe2: well I always have to type in my email address
 
    08:20:31 TemptorSent: Hmm, the OSGeo stuff isn't all under one?
 
    08:20:56 robe2: didn't know under one was a thing aside from wildcard
 
    08:21:20 * robe2 fears she's been doing it all wrong
 
    08:21:24 TemptorSent: The're not too clear on it actually.
 
    08:21:39 TemptorSent: I just try to avoid setting things up repeatedly :)
 
    08:21:44 TemptorSent: Doesn't much matter I guess.
 
    08:21:59 robe2: yah I mean certbot seems to keep track of all
 
    08:22:16 robe2: so certbot renew as I recall will renew all that need renewing on the same server
 
    08:22:29 robe2: though I have on my calendar to confirm it's working when it comes due
 
    08:23:16 TemptorSent: robe2 in that case, emerge app-crypt/certbot-nginx :)
 
    08:25:11 TemptorSent: Hmm, is the ldap cert for ldap.osgeo.org or secure.osgeo.org?
 
    08:25:41 TemptorSent: er secure.osgeo.osuosl.org rather
 
    08:27:50 robe2: I think they are the same
 
    08:28:05 TemptorSent: Reverse-lookup may be biting us.
 
    08:28:17 TemptorSent: I'll have to look at that when I'm a bit more alive :)
 
    08:28:46 MartinSpott: Litte question: did you plan to discuss yet another topic today ?
 
    08:28:49 TemptorSent: LDAP and SSL while heading into seriously too tired realm is dangerous for all involved :)
 
    08:29:09 TemptorSent: Wiki thoughts I think?
 
    08:30:14 TemptorSent: I believe we had a tenative plan there from our last discussion and need to make a testing clone of the running system to work on.
 
    08:31:47 robe2: MartinSpott yes we were going to discuss the LDAP / Wiki
 
    08:31:55 robe2: I guess the question is where will we put this clone
 
    08:32:17 robe2: Do we just wait till the new hardware comes in and maybe the clone eventually becomes the real new thing
 
    08:32:35 robe2: cuase I imagine ldap is old and the wiki is definitely old
 
    08:32:45 * strk broomed the house
 
    08:32:48 TemptorSent: No, we'll need to wipe the clone out and refresh it right before we actually do the switch for real.
 
    08:32:50 MartinSpott: Considering #165, I think it always boils down to: Who's having the skills to modify the Wiki login page ?
 
    08:33:33 TemptorSent: I can probably hack the wiki stuff if needed, but I'd prefer not to be the lynchpin on that.
 
    08:33:44 robe2: is that a php or phython thing page
 
    08:33:46 MartinSpott: hehe
 
    08:33:49 MartinSpott: PHP
 
    08:34:07 TemptorSent: Yeah, I'm painfully familiar with PHP, just rusty and bit out of date.
 
    08:34:43 MartinSpott: From my perspective it makes little difference wether it's being update in-place or setup new: The resource to modify the Wiki is the bottleneck
 
    08:34:44 robe2: so the idea is whenever anyone logs into the wiki rewrite the login to legacy_osgeoname or something
 
    08:34:44 strk: re LE Auth... I'm afraid I used my own one
 
    08:34:51 TemptorSent: I used to write significant php librarires and applications, but I'd rather not go back there :)
 
    08:34:51 robe2: I forgot the workflow of it
 
    08:34:55 strk: at least, I'm often getting expiration reminders for postgis.net
 
    08:35:01 robe2: I can look at page I think my php skills are decent
 
    08:35:23 strk: for letslecnrypt can you please register letsencrypt.osgeo.org and use that point for redirects ?
 
    08:35:40 robe2: strk I put my email address in for all the ones I setup :)
 
    08:35:41 TemptorSent: We rewrite all names when we move the db.
 
    08:35:49 strk: not sure itshould be secure VM rather than somewhere else (in case "secure" is not so much accessible)
 
    08:35:49 MartinSpott: If we had PHP developer ressources, we could already have the issue ironed you years ago
 
    08:35:55 MartinSpott: the Wiki/LDAP I mean
 
    08:36:15 strk: can we pay a MediaWiki developer for the task ?
 
    08:36:24 strk: I tried asking the LDAP plugin author but he never replied..
 
    08:36:30 TemptorSent: Okay, let me dunk my php-skillz in some phosphoric and wirewheel the scale off.
 
    08:36:35 robe2: yah I don't think the difficulty would be on the PHP side
 
    08:36:43 robe2: would be more on the Wiki structure side
 
    08:36:48 MartinSpott: robe2: agreed
 
    08:36:56 TemptorSent: That should be pretty easy on the db side of things.
 
    08:37:14 robe2: I don't think I have access to the wiki database
 
    08:37:16 TemptorSent: A db dump, some mangling, and a reload with an update script.
 
    08:37:21 MartinSpott: I can do some PHP as well, but my changes never showed up on the place I expected them to do :-)
 
    08:37:33 TemptorSent: *lol* Yeah, php is bad for that.
 
    08:37:35 robe2: I think in last meeting I tried logging in and got greeted with German "hello you are not authorized"
 
    08:37:57 MartinSpott: TemptorSent: to me it's been the way MediaWiki works
 
    08:37:58 robe2: so I was going to look at the db structure but of course the German message says "No no"
 
    08:37:58 TemptorSent: We need a sandbox to experiment with it safely.
 
    08:38:33 robe2: MartinSpott did you install wiki?
 
    08:38:38 MartinSpott: robe2: yes
 
    08:38:50 robe2: okay so you're the Geman saying "no no"
 
    08:38:52 TemptorSent: I don't even want to think about touching live data until we can reliably run our migration in 30 mins or less.
 
    08:39:14 MartinSpott: robe2: I didn't do so by intention
 
    08:39:27 robe2: agreed so MartinSpott any chance you can give me access or a backup
 
    08:39:52 TemptorSent: Then, ideally we drop the old offline, create the new instance, migrate, and bring it back up in a half hour or less of total downtime, with an immediate revert possible.
 
    08:40:04 robe2: I think we'd want to upgrade wiki as well as test migration right
 
    08:40:08 MartinSpott: A MediaWiki dump or a DB dump ? MediaWiki is preferred, I guess
 
    08:40:22 TemptorSent: Both, really.
 
    08:40:23 robe2: Db dump for now
 
    08:40:33 robe2: but yah we'd need both eventually
 
    08:40:35 strk: what do you want to do with the dump ?
 
    08:40:39 strk: matching between LDAP and local ?
 
    08:40:39 TemptorSent: But the DB is where the real work will be.
 
    08:40:56 TemptorSent: Figuring out how to do the rewriting in one fell swoop.
 
    08:41:00 robe2: I just wanted to see how db is structured (since I am a db programmer more than a regular web programmer)
 
    08:41:09 strk: we won't find all matches
 
    08:41:16 strk: some (no idea how many) will match by email
 
    08:41:21 strk: but others will just not have a match
 
    08:41:25 robe2: strk well we weren't going to match right just rename
 
    08:41:32 TemptorSent: We're not even going to try to match them.
 
    08:41:44 robe2: I just want to make sure their is no crazy linkage (like lacking ref integrity)
 
    08:41:44 strk: what's the plan then ?
 
    08:42:03 robe2: word press was a mess total lack of respect for referential integrity
 
    08:42:14 strk: I'd love to see staging.wiki.osgeo.org with the LDAP plugin installed and configured, to see what it does for us
 
    08:42:31 robe2: yah that would be the first
 
    08:42:32 TemptorSent: Rename all wiki accounts with a prefix such as _OWU_ (_OldWikiUser_)
 
    08:42:39 strk: ah ok
 
    08:42:46 strk: and next step ?
 
    08:42:55 strk: as we do want merging between accounts
 
    08:42:58 strk: and use meaningful names in history of changes
 
    08:43:01 strk: ie: new names
 
    08:43:02 robe2: yah and in theory rename can happen in db but need to make sure there are no loose ends in other tables
 
    08:43:04 TemptorSent: then when users try to login, we force them straight to the osgeo login.
 
    08:43:21 strk: ok, let's say they have one, so they login
 
    08:43:23 strk: what happens next ?
 
    08:43:40 TemptorSent: Once they're logged in with their ldap account, they get asked if there are wiki accounts to merge, and if so, asks for username and password.
 
    08:43:40 strk: they need to claim their old identity too
 
    08:43:50 strk: is this done already by the plugin ?
 
    08:43:50 robe2: we show the ldap screen and force them to log in again :)
 
    08:44:09 TemptorSent: We prepend the prefix to the username they specify, verify it, and then run merge_users tool.
 
    08:44:35 strk: ok so this is NOT part of the plugin but of the envisioned development to be done ?
 
    08:45:04 TemptorSent: Just the trick to get the old account and merge_users (the plugin)
 
    08:46:23 MartinSpott: Folks, we need to tell between a) ideas on the logic and b) actual implementation
 
    08:46:24 TemptorSent: We can even get tricky and detect them trying to log in with an old name and tell them what to do.
 
    08:46:47 MartinSpott: Suggestions on a) have been around for years
 
    08:46:48 TemptorSent: Yeah, need to see the DB to determine how much work is actually required on that end.
 
    08:46:59 TemptorSent: The login itself is fairly easy.
 
    08:47:21 MartinSpott: Ok, I'll provide the required dumps within a few days
 
    08:47:37 MartinSpott: Then show us wether the logic actually works ;-)
 
    08:47:40 TemptorSent: So we set it up and everyone will be logging in fresh, using ldap only.
 
    08:48:04 TemptorSent: Yeah, it's all theoreticall until the code start flying.
 
    08:48:12 * MartinSpott short break
 
    08:48:34 robe2: hmm we probably should be ending the meeting
 
    08:48:39 robe2: almost 2 hrs already
 
    08:48:50 TemptorSent: But at worst, we'd have a wiki with all existing content present, with prefixed names, and users logging in using ldap.
 
    08:48:51 robe2: anything else people want to discuss before we adjourn
 
    08:49:28 TemptorSent: The automerging feature is a nice thing to have, but doesn't prevent the migration if push comes to shove.
 
    08:49:41 markusN: I'd suggest to write this up on the SAC page, in order to develop pros and cons
 
    08:49:56 TemptorSent: It's already mostly layed out in the bug IIRC?
 
    08:50:05 markusN: which #?
 
    08:50:11 TemptorSent: robe2 Can you append the notes from this meeting?
 
    08:50:18 TemptorSent: #165 IIRC?
 
    08:50:34 TemptorSent: Don't have it in front of me, something near that :)
 
    08:50:51 robe2: yah will do after
 
    08:51:09 robe2: https://wiki.osgeo.org/wiki/SAC_Meeting_2018-04-29
 
    08:51:10 sigabrt: Title: SAC Meeting 2018-04-29 - OSGeo (at wiki.osgeo.org)
 
    08:51:23 markusN: https://trac.osgeo.org/osgeo/ticket/165
 
    08:51:24 sigabrt: Title: #165 (Wiki LDAP integration) – OSGeo (at trac.osgeo.org)
 
    08:51:25 markusN: bingo
 
    08:51:27 robe2: I haven't added anything yet -- feel free to update with the key points
 
    08:52:15 TemptorSent: Okay, just notes RE DB dumps and sandbox clone needs.
 
    08:52:23 robe2: I think he last set of topics we can't discuss because no movment or people involved not here
 
    08:52:38 robe2: yah knock yourself out
 
    08:52:43 MartinSpott: robe2: Next Meeting: Which one is correct ? Saturday or the link behind ?
 
    08:53:12 robe2: definitely not saturday
 
    08:53:20 MartinSpott: ok, Thursday then
 
    08:53:29 TemptorSent: Oh, Website "Friends" page?
 
    08:53:35 robe2: I was going to move to Thursday so alternate between Thursday and Sunday
 
    08:53:49 MartinSpott: ack
 
    08:53:53 markusN: ok
 
    08:54:00 TemptorSent: Anything we need to do on that item immediately?
 
    08:54:11 MartinSpott: I'll provide dumps
 
    08:54:40 * markusN needs to go
 
    08:54:47 TemptorSent: Thank you MartinSpott -- I'll get some eyeballs on them and take a look at the wiki code.
 
    08:54:48 * markusN waves
 
    08:54:55 MartinSpott: If the extensions don't break - are available for current MediaWiki - , I might update the current instance in-place
 
    08:54:56 TemptorSent: Take care markusN!
 
    08:55:15 MartinSpott: I'l check carefully beforehand
 
    08:55:24 robe2: okay updated the next meet time
 
    08:55:30 TemptorSent: If that's sanely feasible, it would probably make the migration easier.
 
    08:55:38 MartinSpott: Yup
 
    08:55:45 TemptorSent: Thanks.
 
    08:55:56 MartinSpott: I'll always have a current backup available
 
    08:56:08 markusN: thanks to all!
 
    08:56:16 MartinSpott: cu Markus
 
    08:56:18 robe2: thanks markusN
 
    08:56:37 markusN: didn't contribute much
 
    08:56:55 robe2: well your interest is always appreciated
 
    08:58:02 TemptorSent: Looks like I've got some poking to do at the resolver and SSL setup to see if something is amis, or just not the config I'm used to.
 
    08:58:09 robe2: TemptorSent I'm lost which line in openssl.cnf to edit
 
    08:58:23 robe2: all seem like the certs for the server (not certificate authority bundle)
 
    08:58:27 MartinSpott: robe2: Did you close the meeting ?
 
    08:58:47 TemptorSent: Not yet..
 
    08:58:53 MartinSpott: ok
 
    08:58:58 TemptorSent: Please do :)
 
    08:59:05 robe2: yah it's closing slowly
 
    08:59:16 robe2: I think I did actually but TemptorSent missed it :)
 
    08:59:26 robe2: meeting adjourned
 
    08:59:32 TemptorSent: :)
 
    08:59:39 TemptorSent: Okay, after-hours.
 
    08:59:57 MartinSpott: thanks for joining so late/early
 
    09:00:07 robe2: np
 
    09:00:32 TemptorSent: I'm honestly a bit too tired to debug openssl/openldap right now -- it' will likely be painfully obviouls in the morning with a cup of coffee :)
 
    09:00:59 TemptorSent: Spent the day turning over the garden beds, so I'm wiped.
 

Revision as of 03:44, 29 April 2018

Transcript

Retrieved from "http://wiki.osgeo.org/w/index.php?title=Talk:SAC_Meeting_2018-05-10&oldid=114675"