Tuesday, 2021-01-12

01:15 *** hamalq has quit IRC
07:37 *** hashar has joined #opendev-meeting
08:33 *** sboyron has joined #opendev-meeting
17:46 *** sboyron has quit IRC
17:48 *** sboyron has joined #opendev-meeting
17:58 *** hamalq has joined #opendev-meeting
18:58 *** ianw_pto is now known as ianw
19:00 <clarkb> Alright is anyone else going to be around for the meeting? I realized I failed to send an agenda this morning and was busy with other meetings so one didn't go out
19:00 <ianw> o/
19:00 <clarkb> I'll start a meeting to go over some things that are worth mentioning but then probably just open it up from there
19:01 <clarkb> #startmeeting Infra
19:01 <openstack> Meeting started Tue Jan 12 19:01:07 2021 UTC and is due to finish in 60 minutes.  The chair is clarkb. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:01 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:01 *** openstack changes topic to " (Meeting topic: Infra)"
19:01 <openstack> The meeting name has been set to 'infra'
19:01 <clarkb> #topic Announcements
19:01 *** openstack changes topic to "Announcements (Meeting topic: Infra)"
19:01 <clarkb> The foundation's board of director elections are happening this week. If you are a foundation member you should have received an email with your voting instructions in it
19:02 <clarkb> Please take a few minutes to go and vote if you are able to
19:02 <clarkb> #topic Actions from last meeting
19:02 *** openstack changes topic to "Actions from last meeting (Meeting topic: Infra)"
19:02 <clarkb> #link http://eavesdrop.openstack.org/meetings/infra/2021/infra.2021-01-05-19.01.txt minutes from last meeting
19:02 <clarkb> corvus had an action to implement Gerrit WIP support in Zuul. I believe the change was written and I reviewed it. corvus if you are around has that merged yet?
19:03 <fungi> if not, i'd appreciate a link so i can review
19:03 <clarkb> ya trying to find that now
19:03 <clarkb> #link https://review.opendev.org/c/zuul/zuul/+/769436 looks like it merged according to gerritbot which is where I found the link
19:03 <fungi> awesome
19:03 <fungi> so we need a restart to pick that up
19:03 <clarkb> that means the next step for us in supporting WIP is to restart the zuul scheduler and then test again
19:03 <clarkb> yup
19:04 <fungi> at least the scheduler, presumably
19:04 <fungi> ahh, you said those things
19:04 * fungi is a bit scattered today
19:04 <clarkb> me too
19:04 <clarkb> #topic Priority Efforts
19:04 *** openstack changes topic to "Priority Efforts (Meeting topic: Infra)"
19:04 <clarkb> #topic OpenDev
19:04 *** openstack changes topic to "OpenDev (Meeting topic: Infra)"
19:05 <clarkb> First up it was pointed out that we were overdue for service coordinator nominations (and an election if necessary)
19:05 <clarkb> #link http://lists.opendev.org/pipermail/service-discuss/2021-January/000161.html
19:05 <clarkb> I sent email describing what I think is a reasonable plan for addressing this miss
19:05 <clarkb> if you think that plan is flawed in some way please respond to the mailing list and help us set up a new less flawed plan :)
19:06 <clarkb> any other election feedback is also appreciated there.
19:06 <clarkb> If you are interested in taking on the service coordinator role I'm happy to talk about it if you need more info before committing. Otherwise please send email to the service-discuss list nominating yourself
19:07 <clarkb> as mentioned in the email I linked I've done it for a number of cycles now and think that new perspectives would be a good thing to have.
19:07 <clarkb> I'm not saying I won't run again if necessary, but do strongly feel that having a bit more rotation would be a good thing
19:07 <fungi> prepare for zbr to volunteer
19:08 <fungi> zbr: you know you want to!
19:08 <clarkb> the email I sent also sets up a week for elections if they become necessary. And to avoid this problem of missing them in the future I set out dates for the next set of nominations and elections
19:09 <clarkb> I'll add them into my calendar reminders later if no one ends up objecting to that proposed plan
19:09 <clarkb> The opendev project update for the foundation's annual report is basically finalized now
19:09 <clarkb> #link https://etherpad.opendev.org/p/opendev-2020-annual-report
19:09 <clarkb> I think those are due tomorrow so if there are important edits get them in now (or let me know and I can make them)
19:10 <clarkb> The last opendev topic I wanted to bring up was the gitea 1.13.1 upgrade.
19:10 <clarkb> #link https://review.opendev.org/c/opendev/system-config/+/769226
19:10 <mordred> lgtm
19:11 <clarkb> I think this is ready for serious consideration. There is a held gitea test node (somewhere I need to find it again via nodepool) running 1.13.1 to help confirm we're happy with it
19:11 <clarkb> my biggest concern is that gitea 1.13 added some big new features like kanban boards to projects so want to make sure we're presenting a gitea that is consistent with our current setup
19:12 <mordred> patch itself looks good - assuming the test node is solid
19:12 <clarkb> ya I looked it over (and I think fungi did too?) and it seemed fine
19:12 <fungi> i did, think i already +2'd
19:12 <clarkb> if it does look good I should have plenty of time to watch it land and monitor it thursday
19:13 <fungi> trying to get through some project-config backlog today, i noticed this one has a potential for global disruption but would like to merge and watch it closely after the meeting:
19:13 <fungi> #link https://review.opendev.org/760495 Use internal mirror for RAX IAD/DFW
19:13 <fungi> that switches the interface for mirror connections in two regions to use the second nic where bandwidth may be less constrained
19:13 <clarkb> ++
19:13 <fungi> (we're already doing it that way in one)
19:14 <mordred> ++
19:14 <mordred> might be worth simplifying that to "if nodepool.cloud == 'rax'" at this point
19:14 <fungi> true
19:15 <fungi> ianw: ^ wdyt?
19:15 <mordred> not that I expect us to grow new rax regions or anything
19:15 <fungi> i'm happy to tweak it before approving if folks prefer
19:15 <ianw> yeah, i don't mind; we have used this before for switching in other clouds so it might be useful to keep the cloud/region append just as an example of what to do
19:16 <fungi> i'm good with it as-is too
19:16 <clarkb> why don't we land it as is then just to avoid unnecessary churn
19:17 <fungi> wfm, will do
19:17 <clarkb> #topic General Topics
19:17 *** openstack changes topic to "General Topics (Meeting topic: Infra)"
19:17 <clarkb> #topic Bup and Borg Backups
19:17 *** openstack changes topic to "Bup and Borg Backups (Meeting topic: Infra)"
19:18 <clarkb> ianw: this was on my list to check up on after the holidays. Are we completely off of bup at this point for new backups?
19:18 <clarkb> and if so should I drop this item from our meeting agendas?
19:18 <ianw> yep, since https://review.opendev.org/c/opendev/system-config/+/766300
19:18 <ianw> i still have to finish the cleanup with https://review.opendev.org/c/opendev/system-config/+/766630/
19:19 <ianw> i will work on that
19:19 <clarkb> thanks
19:19 <clarkb> and thank you for working on that
19:19 <clarkb> we should be able to start looking at focal nodes now I think
19:19 <clarkb> (since this was a big hold up for that iirc)
19:20 <ianw> maybe keep it for one more week as i cleanup the old servers
19:20 <clarkb> can do
19:20 <fungi> i can't remember, was borg manually added to the wiki server? if not, i'll try to prioritize that
19:20 <clarkb> fungi: I'm not sure
19:20 <clarkb> probably not?
19:20 <ianw> fungi: not sure either.  i don't remember doing it.  i can look into that
19:21 <fungi> it was being backed up with bup
19:21 <fungi> (still is afaik)
19:21 <clarkb> it likely still is ya
19:21 <clarkb> since the bup bits are still there iirc
19:21 <clarkb> (we have to keep them around for backup retention anyway)
19:22 <ianw> maybe give me an action item to confirm wiki being backed up so we don't forget
19:22 <clarkb> #action ianw confirm wiki is still backed up after bup to borg migration
19:23 <clarkb> #topic openstackid.org scale down
19:23 *** openstack changes topic to "openstackid.org scale down (Meeting topic: Infra)"
19:24 <clarkb> fungi and I conferred with smarcet to confirm that the desired running state for openstackid.org is to scale it down after we scaled it up for the summit
19:24 <clarkb> fungi returned openstackid.org to its ansible + puppet managed state and I have shut down the two new servers in vexxhost and removed their A and AAAA dns records
19:24 <clarkb> in a day or two when we're happy that we've cleaned things up without disruption I will delete them
19:25 <clarkb> we also discovered that smarcet uses docker for openstackid development so it sounds like we can collaborate to convert that over to an ansible + docker-compose + docker deployment
19:25 <clarkb> however, that is more of a "yes we can do that" idea at this point
19:26 <clarkb> mostly an fyi on that since that service had some changes and now we've undone them. And now everyone else is caught up
19:26 <clarkb> #topic Open Discussion
19:26 *** openstack changes topic to "Open Discussion (Meeting topic: Infra)"
19:26 <clarkb> That was what I had written down in notes really quickly after my previous meetings ended. We've got plenty of time to talk about other topics if we need to
19:27 <clarkb> oh!
19:27 <clarkb> https://bugs.chromium.org/p/gerrit/issues/detail?id=13930 is worth pointing out
19:27 <clarkb> I think I managed to figure out why fedora 33 users are still having trouble with new gerrit and rsa
19:27 <clarkb> long story short is upstream openssh has only deprecated ssh-rsa for hostkey signature exchanges. Fedora has disabled it for hostkey stuff and for public key auth
19:28 <clarkb> Gerrit does rsa-sha2-* just fine for hostkey stuff but it does not work for pubkey auth because that requires supporting the server-sig-algs kex extension in the server and gerrit's server doesn't seem to support that
19:28 <corvus> oh sorry i got sucked into an issue
19:29 <clarkb> fedora 33 users can work around this by enabling ssh-rsa or switching to an ed25519 or ecdsa key for auth
19:29 <ianw> i feel like i'm using fedora 33 and it is working
19:29 <ianw> ohhh, i'm using an ed25519 key
19:29 <clarkb> ya this is specific to using rsa keys to auth
19:29 <fungi> ianw: see, you anticipated this
19:30 <clarkb> if fedora users have questions we can point them to that bug. I'm hoping upstream will say "oh thats an easy fix" and it will magically happen but I think it may be more involved
19:30 *** hashar has quit IRC
19:30 <ianw> heh, yep, istr having to merge some changes to our puppet to handle ed keys years ago :)
19:30 <clarkb> in particular I think the proper way to fix this is to update mina upstream since other mina sshds will want the same fix
19:31 <clarkb> eventually ssh clients should switch their fallback rsa pubkey auth type to rsa-sha2-something. But until that happens I expect this will be a problem for people
19:31 <clarkb> related: if anyone knows fedora devs ^ it might be worth suggesting they make that switch
19:31 <clarkb> since they are disabling the alternative
19:31 <fungi> well, and also fedora could improve the situation by not still looking for sha-1 with ssh-rsa and instead trying sha-2 first
19:32 <fungi> er, what you also just typed
19:32 <clarkb> ya it feels like fedora's disabling of ssh-rsa missed an important step
19:32 <clarkb> which was to not fallback to ssh-rsa when doing rsa pubkey auth talking to a server that doesn't do server-sig-algs
19:33 <clarkb> https://tools.ietf.org/html/rfc8332#section-3.3 notes that this is the expected end state once rsa-sha2 is sufficiently ubiquitous (and it seems fedora is saying that it is)
19:34 <ianw> is it https://bugzilla.redhat.com/show_bug.cgi?id=1881301 ?
19:34 <openstack> bugzilla.redhat.com bug 1881301 in openssh "openssh-clients do not accept PubkeyAcceptedKeyTypes rsa-sha2-512/256" [Unspecified,Closed: errata] - Assigned to jjelen
19:35 <clarkb> ianw: ya I think that is the bug on the fedora side
19:36 <ianw> i'd like to get the zuul summary plugin going
19:36 <ianw> the review stack is @ https://review.opendev.org/q/topic:%22gerrit-admin-user%22
19:37 <clarkb> ianw: and that plugin is hosted upstream now too right?
19:37 <ianw> yes, that's right
19:37 <clarkb> excellent I'll add that very high on the review todo list once I've got time to do that (probably tomorrow?)
19:38 <ianw> ok, yeah the stuff underneath is to cleanup review-dev, then initialize and populate gerrit during testing, then add selenium testing and take screenshots, and then finally add the plugin
19:39 <ianw> with a little bazelisk stuff for good measure :)
19:41 <clarkb> alright anything else?
19:41 <zbr> i am back
19:41 <zbr> (reading backlog)
19:42 <fungi> zbr: just me encouraging folks to make our service coordinator election an election this time
19:42 <clarkb> I'll give zbr a couple of minutes to catch up but then if that is it we can call it a meeting
19:42 <fungi> (was the nick highlight i mean)
19:45 <zbr> sure. ok to call the meeting off.
19:45 <clarkb> thanks everyone. Sorry I missed the agenda. I'll do my best to not dismiss the alert until actually done in the future :)
19:45 <clarkb> I think what happened was I habitually swiped it away when my phone made noise and had a thing pop up
19:45 <clarkb> #endmeeting
19:45 *** openstack changes topic to "Incident management and meetings for the OpenDev sysadmins; normal discussions are in #opendev"
19:45 <openstack> Meeting ended Tue Jan 12 19:45:52 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
19:45 <openstack> Minutes:        http://eavesdrop.openstack.org/meetings/infra/2021/infra.2021-01-12-19.01.html
19:45 <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/infra/2021/infra.2021-01-12-19.01.txt
19:45 <openstack> Log:            http://eavesdrop.openstack.org/meetings/infra/2021/infra.2021-01-12-19.01.log.html
19:46 <fungi> if my phone tried to tell me what to do, i'd probably chuck it out a window
19:47 <zbr> as a side note, the RSA issue made me switch my main key to ssh-ed25519
19:47 <zbr> also podman remoting support no longer works with RSA. that was the second reason.
19:48 <fungi> interesting
19:48 <zbr> fedora can be reconfigured to work with rsa, but podman has no bugfix yet.
19:48 <zbr> but few people are using the remoting support in it.
19:48 <clarkb> aiui there really isn't any reason to stop using rsa except that it is old and has some gotchas around it like sha1 that can be avoided (also wanting more key bits)
19:49 <zbr> clarkb: i did not have any plan to replace it, i was more or less forced to swap primary key and keep the rsa as fallback.
19:49 <fungi> people are also scared that shor's algorithm will make quantum computers able to factor large rsa keys
19:49 <clarkb> ya fedora has definitely made it hard to use rsa now
19:49 <zbr> mine was 4096, it was standing-off between others :D
19:50 <ianw> i feel like if i'm understanding 1881301 fedora 33 has a patch for this (https://bugzilla.redhat.com/show_bug.cgi?id=1881301#c29) *but* you have to have set "update-crypto-policy --set=LEGACY"?
19:50 <openstack> bugzilla.redhat.com bug 1881301 in openssh "openssh-clients do not accept PubkeyAcceptedKeyTypes rsa-sha2-512/256" [Unspecified,Closed: errata] - Assigned to jjelen
19:50 <zbr> extra bonus: the new ssh-ed25519 pubkey is 10x shorter.
19:51 <clarkb> ianw: right its reducing the security stance rather than changing the auth fallback to rsa-sha2-512 which would keep the same level of security they are trying to enforce
19:52 <fungi> the flip side of that coin is "new" cryptography tends to have more potential flaws lurking somewhere inside while older algorithms have been vetted for longer by many more people
19:52 <clarkb> ianw: if you look at that rfc link I posted it basically says "we will change this fallback default in clients once rsa-sha2 is ubiquitous enough" and my take on that is fedora is saying it is ubiquitous enough for them so they should change that fallback
19:52 <zbr> yep, re-enabling it is a considerable PITA combined with a security risk
19:53 <fungi> succinctly put, cryptography is often about "choosing between the devil you know and the devil you don't"
19:54 <fungi> i'
19:55 <fungi> i'm still reasonably comfortable relying on md5 in situations where the baseline is trusted. for comparing two untrusted inputs though it's now effectively useless
19:56 <zbr> clarkb: you said something recently regarding some kind of possible sprint or at least some kind of joined effort on taking care of some tasks. just ping me when you know them.
19:56 <fungi> but users don't want to have to think about the nuances of the problems they're addressing with cryptography, so newer primitives with fewer caveats (even if they may not be as well understood as their older counterparts) are generally winning out
19:57 <fungi> zbr: great point, let's discuss in #opendev in case people aren't watching in here between meetings
19:58 <zbr> clearly the rsa issue was not well documented/advertised, i do not see myself as an average linux user and it took me a lot of time to decide between the two other algorithms to use.
21:31 *** hashar has joined #opendev-meeting
23:15 *** hashar has quit IRC
23:45 *** sboyron has quit IRC
23:46 *** sboyron has joined #opendev-meeting
23:54 *** sboyron has quit IRC
23:56 *** sboyron has joined #opendev-meeting

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!