Talk:SAC Meeting 2018-03-02
Transcript
19:59:14 robe2: Everybody ready to meet
19:59:36 TemptorSent: Hello
20:01:52 robe2: Hi TemptorSent
20:03:08 robe2: Well doesn't look like Martin was able to make it but he did provide his list of accomplishments
20:03:51 robe2: First on agenda FOSS4G2018 I think I was supposed to be doing something but still have a cold
20:05:11 TemptorSent: Okay, I honestly can't make heads or tails as to what that agenda item means :)
20:05:22 robe2: Next topic www.osgeo.org website I plan to move this weekend
20:05:55 robe2: probably like early morningish on Saturday
20:06:06 robe2: TemportSent you mean the FOSS4G2018 one?
20:06:24 TemptorSent: Yes, the one on the meeting wiki
20:08:15 robe2: TemptorSent I updated it a bit
20:08:35 robe2: the main objective is to move it over to webextra and have it under letsencrypt ssl
20:09:02 TemptorSent: Ahh, much clearer.
20:09:04 robe2: I'm not even quite sure the state of webextra or if it should be moved to new VM we will eventually build
20:09:59 robe2: next topic is the new hardware
20:10:36 robe2: I'd ask wildintellect but he isn't here. Does anyone know if we are any nearer to having the new hardware. I get the feeling it still has not been purchased
20:10:56 robe2: then again I've been drugged up on robitussin so I may have missed some events
20:11:03 TemptorSent: I haven't seen any further quotes/PO, nor have I heard anything.
20:11:29 robe2: okay so I'll put a note to follow up on mailing list for that
20:12:19 TemptorSent: I think we had the configuration solid, and the only thing not nailed down is how much bulk storage we need.
20:13:48 robe2: TemptorSent since you are more informed you want to shoot off a SAC list mail detailing status and pushing to nail that so we can get some new hardware
20:13:52 TemptorSent: OSGeoLive requests a fair chunk of storage for maintaining their versioned artifacts, and I imagine that the geodata group will need a decent chunk even just for the small stuff, so IMHO, the more the better.
20:14:07 robe2: I'm hesitant to bring anything else new on without that small comfort :)
20:14:43 robe2: Yah me too but we should also consider what we have that can be reused as well
20:15:07 TemptorSent: The difference is only a few hundred dollars one way or the other from the original quote.
20:15:42 robe2: TemportSent we should just buy it then -- propose that so we can be done with it
20:16:04 robe2: strk are you awake :)
20:16:18 robe2: any movement on drop box replacement?
20:17:43 TemptorSent: From my reply to the mailing list a while back, the pricing for larger drives: (+$212 for 4x10he or +$540 for 4x12he)
20:18:37 robe2: ping strk
20:18:45 robe2: strk is apparently asleep again
20:19:25 TemptorSent: That gives us practical double-redundant storage of 12-16TB and 16-20TB respectively, depending how we use it.
20:19:54 robe2: TemptorSent that sounds good to me. Want to shoot off email or you want me too?
20:20:42 TemptorSent: If you'd like to put out the call to finalize discussion, that would probably be best.
20:21:40 TemptorSent: I think I pretty well flogged the dead horse in the thread on the mailing list already :)
20:23:03 robe2: okay will do
20:25:06 robe2: TemptorSent sent my crying baby email :)
20:25:18 TemptorSent: *lol*
20:26:30 TemptorSent: Those HDD prices are relative to the first entry on https://drive.google.com/file/d/1X-z66jXXBUZuPqh6EP0d43g2NUCL7xcL/view
20:26:31 sigabrt: Title: Silicon_Mechanics_Quote_344069.pdf - Google Drive (at drive.google.com)
20:30:47 robe2: Well Alex can clarify if needed
20:30:55 robe2: next topic TracSVN
20:31:14 robe2: performance seem to be good. Do we still have svn permission issue?
20:31:16 TemptorSent: As for reuse, it's difficult to recommend using older hardware for anything other than backup or supporting non-critical service at this point.
20:31:35 TemptorSent: I'm not familiar with what's going on as far as perms...
20:31:43 robe2: I didn't check I know I did have one trying to pull gdal (it prompted for password) - about a week ago
20:32:51 TemptorSent: Was the repo or db behind it down at the time perhaps? It appears that it prompts for password on any private OR non-existent repo.
20:33:16 robe2: Well as I recall I could still get into postgis svn
20:33:41 strk: sorry I was cooking
20:33:50 robe2: it was trying to anonymously pull (e.g from GDAL) where it was an issue
20:33:53 strk: (and eating)
20:34:10 robe2: strk you always seem busy at this time
20:34:17 robe2: maybe we should push meeting time up one hour
20:34:25 robe2: or 30 minutes :)
20:34:40 TemptorSent: Hiya strk.
20:34:47 robe2: strk we were just talking about svn
20:34:54 strk: I am, in particular today I've had an incident with pasta (was populated by little flies, so I had to throw it away after cooking for 30 minutes
20:35:03 robe2: if people are still having permission issues. Martin said he was investigating
20:35:19 strk: I've read that report
20:35:25 robe2: strk pasta and flies -- nice combination :)
20:35:28 strk: but could not handle to verify it
20:35:30 TemptorSent: Has EvenR mentioned any issues with the gdal repo? I suspect he'd be the first to see them.
20:35:45 strk: it's supposedly affecting anonymous users
20:35:48 TemptorSent: strk - sounds like it was a french dish :)
20:35:48 strk: hardly any developer would notice
20:35:50 robe2: fly sauce sounds yummy don't need to add any extra meat
20:36:11 strk: I'm using "flies" because I don't know the english word for what they were
20:36:13 robe2: strk yah that was my experience
20:36:17 strk: just very tiny dots, moving
20:36:25 strk: "bugs" ?
20:36:32 robe2: when I was trying to check out gdal code was only time I had the issue, so I just went for tar ball instead
20:36:37 TemptorSent: strk - he wouldn't have problems, but #gdal would get flooded.
20:36:54 strk: I don't know how many people would be using SVN in 2018
20:37:08 TemptorSent: weevils?
20:37:15 robe2: well I think most people probably pull gdal from gasp github unless they commit to gdal
20:37:19 robe2: so they wouldn't notice
20:37:21 strk: so nobody replicated ?
20:37:39 TemptorSent: Was it only a problem from svn itself, not from gitea?
20:37:39 robe2: strk?
20:37:46 robe2: no I think the replication is fine
20:37:52 strk: gitea is unrelated to svn
20:37:57 robe2: just couldn't pull from svn anonymously
20:38:07 strk: any repo or just gdal ?
20:38:24 robe2: TemporSent yah only thing they have in common is LDAP use, so that rules out LDAP I guess
20:38:42 robe2: but anyway you don't need to authenticate to anonymously pull
20:38:50 TemptorSent: strk - what's bridging the svn/git view then?
20:39:03 robe2: strk gdal was the only one besides geos and postgis I use
20:39:12 robe2: and gdal is the only one I'm not a committer on so would notice
20:39:45 robe2: let me try again hold on
20:40:50 robe2: seems fine now - well svn updating a gdal 2.2 branch
20:41:09 robe2: so perhaps martin did fix in his investigation
20:41:12 strk: I was looking at the configurations, don't see anything different between postgis and gdal
20:41:25 robe2: strk well it wouldn't be the configuration
20:41:26 strk: TemptorSent: which view ? You mean Trac ?
20:41:37 strk: robe2: permissions are also the same
20:41:46 robe2: it would be whether you are logging in or anonymous
20:41:56 TemptorSent: Huh, I thought it had a gitea connection too -- apparently not.
20:42:06 robe2: I do gdal always as a public user since I don't have commit access
20:42:08 strk: TemptorSent: Gitea only supports Git
20:42:53 strk: are we following an agenda or talking randomly ?
20:43:14 robe2: following an agenda until you disrupted our flow :)
20:43:28 strk: sorry, I'll be quiet
20:43:50 robe2: https://wiki.osgeo.org/wiki/SAC_Meeting_2018-03-02
20:43:51 sigabrt: Title: SAC Meeting 2018-03-02 - OSGeo (at wiki.osgeo.org)
20:43:56 robe2: we are up to ticket triage
20:44:11 robe2: I don't think we want to enforce https on downloads
20:44:27 strk: soon browsers will enforce https anyway
20:44:37 robe2: people can use http or https now which serves the need and I worry about banning older wget etc.
20:44:45 robe2: yah so we really don't need to
20:44:56 robe2: as long as we support https which now we do
20:45:11 strk: +1
20:45:33 TemptorSent: Agreed, http for downloads is perfectly fine, especially if checksums are provided via https when desired.
20:46:26 TemptorSent: https everywhere is breaking caching in most places, increasing overhead where there is no particular benefit.
20:46:53 MartinSpott: Moin
20:47:04 strk: TemptorSent: indeed
20:47:08 TemptorSent: Forcing it for login/authenticated use is fine, but for pulling bulk data, it's a waste of resources when the user doesn't want it.
20:47:12 robe2: Hey MartinSpott
20:47:17 robe2: glad you could join us
20:47:20 TemptorSent: Hello MartinSpott.
20:47:33 robe2: last we spoke was about the svn permission issue. But seems fine to me now
20:47:48 robe2: I had password prompt for svn gdal before and just tested and seems fine.
20:48:24 robe2: TemptorSent yap my feeling too
20:48:38 MartinSpott: I can offer approx. 15 minutes
20:48:53 MartinSpott: Regarding SVN, as far as I can tell there was one report of failure
20:49:06 MartinSpott: Maybe it's the right direction, but not far enough ?
20:49:08 strk: MartinSpott: we cannot reproduce (Regina could some time in the past, but cannot anymore)
20:50:18 robe2: MartinSpott I'll add my note to that ticket
20:50:39 robe2: I was having the same issue around the time the ticket came in, but it was there -- I should have added my antidote
20:50:46 robe2: antecdote
20:51:45 MartinSpott: Concerning Debian7 upgrades, I'd like to do Web and Wiki as an intermediate step and then take care of moving stuff off the Projects VM
20:51:50 MartinSpott: does this sound reasonable ?
20:52:50 MartinSpott: Concerning the main website, do you plan to move it to the old Web VM or a different place ?
20:53:38 robe2: MartingSpott the main website I'm moving to web18a
20:53:55 MartinSpott: Oh, isn't it already hosted there ?
20:53:59 robe2: were you ever able to log into web18a or you still have the issue from before?
20:54:05 TemptorSent: Sounds reasonable to me.
20:54:11 strk: MartinSpott: upgrading all machines which need to sounds reasonable (so to close that SSL ticket once for all)
20:54:15 robe2: no it's hosted on cloudvps.com
20:54:26 robe2: which we are paying I forget how much for a month
20:54:38 MartinSpott: ah, still on cloudvps
20:54:39 robe2: something like $50 a month I think
20:54:45 robe2: or $40 EUR
20:55:06 robe2: yah and it's running PHP5 and MYSQL5 yuck and Debian 8
20:55:33 MartinSpott: heh, I'm running my private EMail relay there, they're doing a good job, as far as I can tell
20:55:40 robe2: but anyway my plan is to disable editing on it, move it over - change the DNS
20:55:55 robe2: so anyone who has the old dns entry can still view the site, but won't be able to edit
20:56:05 TemptorSent: Sounds good.
20:56:13 MartinSpott: concerning web18a, I have to admit I didn't try again in the meantime
20:56:32 TemptorSent: What kind of provisioning do we currently have with cloudvps?
20:56:58 robe2: it's the same config as web18a (except it's debian 8 instead of debian 9)
20:57:16 robe2: and we don't use any of their backup services or anything
20:57:43 robe2: just had baccula installed on it, which MartinSpott is going to install on web18a once he can log in
20:57:48 MartinSpott: ssh -l tech_dev web18a.osgeo.osuosl.org still gives me a "Permission denied (publickey)"
20:57:53 robe2: strk yah and I probably spelled that wrong
20:58:16 MartinSpott: from both machines, private and work
20:58:29 robe2: MartinSpott and ssh -l martin
20:58:41 robe2: let me check the logs
20:58:53 strk: TemptorSent: do you mean "automated deploy" by "provisioning" ?
20:59:45 TemptorSent: Resources provisioned -- disk, memory, cores, network
21:00:15 TemptorSent: And if it's a volume that can be exported wholesale :)
21:01:25 robe2: MartinSpott hmm can you try again, not seeing you in logs though I see my successful log in
21:01:52 robe2: or is 84.245.154.74 you
21:01:57 MartinSpott: Ok, will now try from 84.245.154.74 as user martin
21:02:11 MartinSpott: failure
21:03:12 robe2: Mar 2 21:00:48 web18a sshd[21276]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth] Mar 2 21:00:48 web18a sshd[21276]: Connection closed by 84.245.154.74 port 48472 [preauth]
21:03:21 MartinSpott: TemptorSent: According to my - little - experience with CloudVPS, you can't export a volume
21:03:23 TemptorSent: Is that host documented on the wiki anywhere?
21:03:41 TemptorSent: MartinSpott - Drat, that would be convenient :)
21:03:45 robe2: TemptorSent yes it is but anyway I wouldn't want to export volume
21:03:49 robe2: backup file is small
21:03:52 robe2: under 2 GB
21:04:41 MartinSpott: robe2: I wonder where it gets a dss key from
21:04:53 MartinSpott: Let me try again:
21:04:54 TemptorSent: Yeah, it just makes it easier to clone the exact deployment back and forth.
21:04:59 robe2: TemptorSent here is the CloudVPS - https://wiki.osgeo.org/wiki/SAC:betawebsite
21:05:00 MartinSpott: foehn: 22:04:16 ~> ssh -i .ssh/id_rsa.pub -l martin web18a.osgeo.osuosl.org
21:05:01 sigabrt: Title: SAC:betawebsite - OSGeo (at wiki.osgeo.org)
21:05:08 MartinSpott: Permission denied (publickey).
21:05:17 robe2: Yah I wouldn't want to cause it's running PHP 5 yuck
21:05:35 robe2: We should never have let the web site contractors set it up
21:05:54 robe2: it was using myisam, not utf8, old php old mysql
21:05:59 strk: TemptorSent: if it's not in Service_Status wiki page I suggest you file an enhancement ticket to have it added
21:06:00 TemptorSent: Ug, that's downright ancient at this point.
21:07:00 strk: robe2: SAC:betawebsite is the description of "web18a" hardware and usage etc ? We should try to be consistent with those pages
21:07:26 robe2: the web18a I have in gitea wiki - https://git.osgeo.org/gitea/osgeo/www_apache_configs/wiki/Web18a-setup
21:07:32 strk: like SAC:OSGeo6, we should have SAC:Web18a (or similar)
21:07:55 robe2: strk betawebsite is not web18a it's cloudvps
21:07:58 strk: gitea wiki is still not official, please use the mediawiki, with all others
21:08:00 TemptorSent: I'm sure it's there somewhere, but I can't find anything reliably on the wiki at all -- pages don't link to other pages and categories seem almost random.
21:08:23 strk: TemptorSent: yeah, wiki always needs more love
21:08:39 robe2: strk can I put a link to gitea wiki page on mediawiki :)
21:09:03 robe2: I like the gitea wiki better cause it's in git and the syntax is a lot easier to deal with
21:09:54 robe2: anyway getting back to Martin's problem he can't get into web18a
21:09:59 TemptorSent: robe2 - if so, we should probably look at migrating all related materials to the same place so we don't have even MORE of a mess on our hands.
21:10:16 robe2: strk I don't think I ever added your key to techdev, but you can get in fine with strk right -- can you log in
21:10:26 robe2: just want to compare messages I am seeing in auth
21:11:11 strk: robe2: I'm fine with just a link on mediawiki :)
21:11:44 robe2: TemporSent I was also concerned cause I was copying from my local scripts where I may have left passwords
21:12:03 robe2: and I figured since the gitea one is locked down, only SAC folks would see it anyway should I have made such a mistake
21:12:06 TemptorSent: Yeah, good point.
21:12:10 TemptorSent: I can't even see it :)
21:12:30 strk: I can login to web18a
21:13:09 robe2: TemptorSent now you can :)
21:13:10 MartinSpott: strk: Can you look into the "martin" account as root ?
21:13:31 TemptorSent: Ahh, much better -- thanks robe2.
21:13:38 robe2: MartinSpott when strk logs in I see him authenticating with ssh2 like me
21:14:04 strk: I cannot become root (don't have a password to "sudo")
21:14:13 robe2: but yours gives that ssh-dss thingy
21:14:21 strk: uhm, I'm silly
21:14:22 robe2: strk password is your password
21:14:29 MartinSpott: ok, that would have made it easier to debut during daytime hours
21:14:37 strk: (it's my LDAP)
21:14:44 robe2: yap
21:14:55 MartinSpott: debug
21:14:59 robe2: I didn't add you to the main techdev account which doesn't use ldap
21:15:00 strk: MartinSpott: you have 2 keys authorized
21:15:07 robe2: but all other accounts use LDAP
21:15:17 strk: ok, now you do MartinSpott
21:15:26 strk: authorized_key was in your home, rather than under .ssh
21:15:34 MartinSpott: ouch
21:15:41 robe2: oh no don't tell me I screwed that
21:15:44 robe2: :(
21:16:05 TemptorSent: Details, details -- why don't computers just do what we mean, not what we tell them?
21:16:09 strk: I dunno who screwed that, it was around Feb 21 20:42
21:16:09 MartinSpott: I'm in
21:16:32 robe2: TemptorSent that's my next project RegOS does what you mean not what you tell it to
21:16:35 MartinSpott: both keys working
21:16:40 TemptorSent: *cheers*
21:16:59 robe2: MartinSpott so sorry for my ineptness
21:17:07 robe2: so I must have screwed up the techdev one somehow
21:17:18 strk: I added my key to root's authorized keys too
21:17:30 strk: just in case LDAP breaks
21:17:32 TemptorSent: So rm -rf will just cause the computer to burst into flames without wiping the drive robe2? :)
21:17:39 robe2: strk you can't log in with root
21:17:48 robe2: you need to add it to tech_dev
21:17:53 robe2: root login is not allowed
21:18:08 strk: ah, ok
21:18:34 MartinSpott: robe2: intentionally disabled ?
21:18:41 robe2: yes
21:18:41 strk: what's the point ?
21:18:43 TemptorSent: The only time direct root login should be allowed is directly from the hardware console.
21:18:46 robe2: by osuosl staff
21:18:49 strk: do we all share "tech_dev" password then ?
21:18:55 robe2: but Alex and I thought that was probably for best anyway
21:19:03 TemptorSent: No, just add all keys to tech_dev
21:19:16 strk: ok but what for ?
21:19:17 robe2: strk well technically we only need tech_dev if ldap is down
21:19:20 TemptorSent: remote root login should NEVER be enabled, EVER.
21:19:20 robe2: so yes we do
21:19:43 robe2: and it's in the file called password which we were going to delete but is in secure/access if you need it
21:19:50 MartinSpott: TemptorSent: I know, and the more often you repeat it, the less I care about it
21:20:20 strk: ok, found tech_dev password
21:20:24 MartinSpott: If I need a teacher, I'll ask for one
21:20:32 TemptorSent: MartinSpott - I know you do MartinSpott, I was telling strk.
21:21:22 strk: so shall we drop root's authorized_keys ?
21:21:42 robe2: who's in it?
21:21:58 TemptorSent: You can still use them from localhost if you like as opposed to sudo
21:21:59 robe2: I guess you can
21:22:12 robe2: oh okay so we should keep them
21:22:22 robe2: osuosl staff keys might be in there
21:22:38 MartinSpott: they are - and for a good reason
21:22:56 TemptorSent: If you ever watch the logs for a while, you'll see hundreds of attempts to port 22 as root per day.
21:23:20 robe2: yah among others
21:23:45 robe2: anyway been 1.5 hrs
21:23:53 TemptorSent: Those should be getting blocked before they ever get a chance to try anything, which makes brute-force attacks mostly worthless.
21:24:02 MartinSpott: TemptorSent: Indeed, and, as a super clever guy you'll know that disabling root SSH logins won't change that
21:24:10 robe2: I think only thing left to cover is LDAP ssh keys - which I presume we are no closer to accomplishing
21:24:37 TemptorSent: I never use password logins to remote machines for exactly that reason.
21:24:57 strk: it looks like MartinSpott is too busy with upgrades to look at LDAP ?
21:25:02 TemptorSent: AFAIK, there is nothing preventing the use of ssh ldap keys other than adding the schema.
21:25:02 MartinSpott: TemptorSent: I don't use password logins to remote machines either
21:25:06 robe2: and GeoForALL -- jmckenna anything to say about that
21:25:21 MartinSpott: We're not talking about password logins, we're talking about root logins
21:25:32 strk: TemptorSent: are you familiar with LDAP ? Do you want to be our LDAP resident maintainer ?
21:26:05 TemptorSent: I'm rusty with ldap, but 20ish years ago I maintained a multi-master auth service that worked pretty well :)
21:26:11 MartinSpott: Oh, don't do that, next day he's going to disable another vital feature
21:26:31 robe2: someone put a note about some bug in debian to be cautious of with the LDAP ssh thingy
21:26:49 MartinSpott: That's history
21:27:06 MartinSpott: overcome with replacing pam_ldap by pam_ldapd
21:27:10 TemptorSent: Goodbye.
21:27:32 strk: MartinSpott: what's this fight with TemporSent ?
21:27:44 MartinSpott: pam_ldap was running as root and modern GnuTLS doesn't do sensitive stuff as root
21:27:54 robe2: strk oh I wasn't imagining things I thought I was looking at a cat fight
21:27:57 robe2: but wasn't sure
21:28:00 MartinSpott: pam_ldapd is using nslcd as a helper daemon
21:28:08 jmckenna: no update here from GeoForAll team (still no response from Jason)
21:28:38 robe2: jmckenna want to send him another note just to be a little annoying to show we care :)
21:29:12 strk: MartinSpott: what vital feature was disabled by TemporSent ?
21:29:51 jmckenna: robe2: willdo ;)
21:29:55 MartinSpott: If you completely disable root logins via SSH, we're locked out if LDAP authentication fails because the way it's set up it relies on LDAP for sudo
21:30:08 MartinSpott: that's the point
21:30:24 strk: did he have a role in that ?
21:30:32 MartinSpott: And that won't change by notoriously repeating that root SSH is bad
21:31:09 robe2: MartinSpott I'm lost though what is wrong with having a local account, not in ldap that is not root but has sudo
21:31:29 strk: anyway I've understood the "tech_dev" account still works w/out LDAP
21:31:32 robe2: Doesn't that serve the same purpose (so you can disable root ssh like what web18a has in place)
21:32:04 MartinSpott: strk: and how does "tech_dev" authenticate sudo ?
21:32:12 strk: local password
21:32:18 strk: or so I understood (didn't verify)
21:32:18 robe2: but anyway there is a point at which you are so secure you lock yourself out of your house.
21:32:39 robe2: I'm always more worried about locking myself out than preventing others from getting in.
21:34:43 MartinSpott: The most critical point in terms of IT security is that the SSH daemon is running as root user
21:34:57 MartinSpott: and we're unlikely going to change that soon
21:36:50 robe2: but SSH can still run under root without allowing remote SSH logins right
21:37:05 MartinSpott: sure, it does
21:38:05 * MartinSpott -> family time
21:38:30 MartinSpott: mmh, turned out to be a little more than 15 minutes
21:38:41 robe2: yah it's been long enough here too got some bulk emails to send and applications to launch
21:39:06 robe2: MartinSpott it's always more than 15 minutes. We are lucky if we can keep it below an hour
21:39:06 MartinSpott: for the root login, I suggest thinking about passphrase protected Ed25519 keys
21:39:11 MartinSpott: in the long term
21:40:09 robe2: Anyway I call meeting over