openstackgerrit | Alexandra Settle proposed openstack/governance master: Finalise the transition of the docs team to a SIG https://review.opendev.org/657142 | 09:39 |
---|---|---|
asettle | o/ | 09:41 |
openstackgerrit | Alexandra Settle proposed openstack/governance master: Finalise the transition of the docs team to a SIG https://review.opendev.org/657142 | 09:50 |
openstackgerrit | Alexandra Settle proposed openstack/governance master: Finalise the transition of the docs team to a SIG https://review.opendev.org/657142 | 09:51 |
openstackgerrit | Alexandra Settle proposed openstack/governance master: Finalise the transition of the docs team to a SIG https://review.opendev.org/657142 | 09:52 |
evrardjp | thanks ttx on following up on the Shanghai organization of the meet the leaders :) | 11:25 |
njohnston | o/ | 11:40 |
njohnston | tc-members, is my ZNC broken or is this the time for the Technical Committee Meeting? | 14:13 |
mnaser | njohnston: i believe the meeting was moved off to the 10th | 14:13 |
mnaser | due to timezone and availabilities | 14:13 |
jungleboyj | mnaser: ++ | 14:13 |
njohnston | Ah, understood. Thanks! | 14:13 |
evrardjp | it was indeed. It was sent through email | 14:24 |
gmann | o/ | 14:52 |
ricolin | o/ | 15:00 |
zaneb | o/ | 15:00 |
jungleboyj | o/ | 15:00 |
njohnston | o/ | 15:01 |
fungi | just a reminder if some folks didn't see scrollback from wednesday office hour, the opendev infrastructure sysadmins are looking for input on and assistance with this spec for updating our static content hosting platform: http://eavesdrop.openstack.org/irclogs/%23openstack-tc/%23openstack-tc.2019-10-02.log.html#t2019-10-02T01:02:11 | 15:02 |
fungi | clarkb is indisposed today, but i'm happy to answer questions | 15:03 |
evrardjp | thanks for the reminder fungi | 15:04 |
evrardjp | I know an ansible project that would benefit from having a generic haproxy role worked all together :) | 15:05 |
fungi | i think the haproxy bits in there are more of an implementation detail | 15:06 |
fungi | it's specifically a suggestion for being able to host an http redirector | 15:06 |
evrardjp | indeed. it was a side note. | 15:06 |
fungi | which we currently already do with apache vhosts, so may just wind up continuing to do that part the same way instead | 15:06 |
evrardjp | I am not too familiar with our AFS process, but for static hosting, would it make sense to use swift more? | 15:08 |
evrardjp | just curious | 15:08 |
evrardjp | I am also very curious about why the governance website weighs 200 mbs on afs | 15:10 |
ricolin | fungi, Do we know when will forum schedule released by now? | 15:10 |
evrardjp | darn you opened a pandora box :) | 15:10 |
ricolin | evrardjp, would like to see what's been proposed. maybe some good one for U/V cycle goal?:) | 15:11 |
evrardjp | oh you mean the official acceptance of each of the sessions we proposed for the forum? | 15:12 |
ricolin | yes | 15:13 |
evrardjp | I haven't received any feedback yet. It's on the agenda for next meeting, but any update is welcomed indeed :) | 15:13 |
evrardjp | I would also encourage people to update the agenda, as I will send it to the ML today | 15:13 |
fungi | ricolin: i'm not sure, but jamesmcarthur may have some idea | 15:17 |
fungi | evrardjp: if the governance site were already in afs, you could browse all the files for it as a network filesystem on a local mountpoint, but i can probably get you a summary in a moment | 15:19 |
jamesmcarthur | hi - I'll be publishing the schedule for review later today | 15:19 |
evrardjp | thanks jamesmcarthur | 15:19 |
jamesmcarthur | I'll put out a mock schedule in a spreadsheet sooner rather than later and then also add it to the web/app schedule while we're waiting for approval | 15:19 |
ricolin | thanks jamesmcarthur for the hard works! | 15:20 |
fungi | evrardjp: as for afs over swift, it's hard to set up replication between different swift deployments in different service providers, whereas afs can be distributed and replicated between any providers where we set up a backend for that afs cell. also we can set up frontends in as many providers as we like for increased cross-provider redundancy | 15:20 |
evrardjp | thanks for the info. Sad to hear it though, but pragmatic wins the day here | 15:21 |
fungi | evrardjp: but also you gain the ability to browse all that content locally as /afs/openstack.org/... | 15:22 |
fungi | (there is a built-in afs client in newer linux kernels called kafs, or you can just install the openafs kernel module) | 15:22 |
fungi | simple example for anonymous read-only access: https://docs.openstack.org/infra/system-config/afs.html#client-configuration | 15:23 |
evrardjp | fungi: oh really? | 15:23 |
evrardjp | TIL | 15:23 |
fungi | it's super handy. docs.openstack.org is there already at /afs/openstack.org/docs/ | 15:24 |
evrardjp | I should mount that once, and happy browse/send my stats toolings there | 15:25 |
fungi | so we're basically proposing moving our other sites to use the same file management and jobs as the openstack docs site | 15:25 |
evrardjp | I am not sure what's the impact for the TC (except a downtime during the migration) | 15:32 |
evrardjp | and for others | 15:32 |
fungi | well, we tried to expand on that question during wednesday office hour if you read that discussion | 15:32 |
evrardjp | Could you clarify the required input from the TC? | 15:32 |
evrardjp | ok let me re-read this I have missed it | 15:32 |
fungi | the summary, to quote my last comment there, is "we're hoping to 1. get input on the plan presented there, and 2. see if there are some folks willing to help with the publication job updates, but also 3. maybe think about ways we could compromise on simplifying all this current site sprawl" | 15:33 |
mnaser | i wonder if running a stateless service that fetches things from different object storages might make our life easy | 15:35 |
evrardjp | ok let me rephrase my question then. Does raising this during the office hours is for the 3 elements at the same time, or do you want us to focus on one of those points, like the 3rd? | 15:35 |
evrardjp | I am fine with raising the 3 elements here, too :) | 15:36 |
fungi | mnaser: if there's already a tool to be able to fetch or direct requests for specific files to different object stores, that could solve the provider redundancy use case. but also afs has existed for a very, very long time and seems to work really well for this so not sure why there's any need to reinvent that wheel | 15:38 |
fungi | evrardjp: in my opinion those three points were more or less in priority order. to rephrase 1. opendev seeks input from the projects it's hosting on major infrastructure changes, 2. opendev works best when it receives assistance from the projects it's hosting in making major infrastructure changes, and 3. opendev appreciates if projects it's hosting can evaluate the demands they represent on the | 15:41 |
fungi | infrastructure and sysadmin contributors and finds ways to reduce their workload | 15:41 |
mnaser | fungi: oh gotcha, i thought afs was a painpoint in all of this | 15:41 |
mnaser | fair enough :) | 15:41 |
evrardjp | fungi: got it | 15:41 |
fungi | mnaser: nope, afs is what we're moving toward. the pain point is a single webserver with a bunch of cinder volumes attached to it | 15:42 |
mnaser | lets move to a single web server with one cinder volume attached to it instead (kidding, kidding) | 15:42 |
fungi | heh. you joke, but that has been discussed in the past ;) | 15:42 |
evrardjp | :) | 15:42 |
mnaser | personally i trust the opendev team to know what's best, but we do have a bunch of websites, but i dont think the overhead of it seems too wild | 15:42 |
mnaser | i dont know if restructuring our content is a good thing right now, heck, i'm annoyed by how hard it is to find _recent_ documentation these days | 15:43 |
mnaser | 99% of search results are juno and mitaka | 15:43 |
evrardjp | mnaser: I think that's why fungi raised the multiple elements here. It's not only enough to trust them, we should help them :) | 15:43 |
evrardjp | mnaser: god yes | 15:43 |
mnaser | i can volunteer some time if necessary to help the openstack side of things in doing all of this if needed | 15:44 |
evrardjp | but that's SEO of our website and refactoring the search, not really refactoring the infra | 15:44 |
fungi | well, one of the main painpoints, and where significant compromise could be considered, is the shared jurisdiction between the openstack infrastructure team and the osf web dev team over the openstack.org domain. but yes i understand that moving things to other domains or trying to combine existing subdomains into fewer subdomains is a challenge in more ways than one | 15:44 |
mnaser | i'm torn on that one | 15:44 |
mnaser | i like the fact we are under openstack.org (and i think corvus mentioned that the zone can be co-managed together with the infra team) | 15:45 |
mnaser | but what could be the alternative is having authoritative subdomains per 'opendev tenant' | 15:45 |
mnaser | i.e.: *.openstack.opendev.org and then we can just point CNAMEs to things | 15:46 |
fungi | opendev has a robust dns management implementation backed by revision control, code review and continuous integration/deployment. the management workflow for that works really well for the opendev sysadmins (and is how opendev.org and zuul-ci.org are hosted now) | 15:46 |
mnaser | i assume because of cloudflare openstack.org is a little harder to manage there. | 15:46 |
mnaser | which has good and bad (it'll be pretty helpful for shanghai for example) | 15:46 |
fungi | but asking the web devs and designers at osf to submit to code review workflows for things hasn't gotten much traction in the past | 15:46 |
fungi | so we end up with openstack.org locked up in rackspace's proprietary dns hosting platform behind a terrible webui and proprietary rest api | 15:47 |
mnaser | i think openstack.org might be on cloudflare now | 15:47 |
fungi | that's another risk, yes | 15:47 |
mnaser | nope its not | 15:47 |
fungi | well, it is and it isn't | 15:47 |
fungi | osf has authorized a *.opendev.org wildcard cert for cloudflare, so cf can in theory impersonate any of the services opendev is hosting in the openstack.org domain currently | 15:48 |
fungi | er, i mean *.openstack.org | 15:48 |
mnaser | i think cf could also theoretically impersonate a big part of the internet these days =P | 15:48 |
fungi | opendev.org ssl certs are managed via letsencrypt/acme automation | 15:48 |
mnaser | with osf.dev becoming more of a thing, we (openstack) can start managing openstack.org a bit more. so we can take the initiative of moving it over (and i think we make far more dns modifications than osf does) | 15:49 |
mnaser | and i can def pick that up, if i convince the right people that they wont have to do anything :) | 15:49 |
mnaser | that way openstack.org will live under opendev's dns | 15:49 |
fungi | yeah, it would be great if osf eventually agreed to hand management of the openstack.org dns over to opendev completely, but that's probably still a long way off because of their investment in a lot of web properties important to them on subdomains they want to change dns records for regularly | 15:50 |
mnaser | is each zone in opendev managed in an individual repo? | 15:50 |
fungi | yes | 15:50 |
fungi | well, to an extent. for example zuul-ci.org and zuulci.org are both in the same opendev/zone-zuul-ci.org repo | 15:51 |
mnaser | so technically we can have osf staff as cores there | 15:51 |
mnaser | i mean i guess fungi has a lot more context for this conversation than i ever will :) | 15:51 |
fungi | yes, i think the bigger challenge is they want to be able to make ~immediate dns changes and don't necessarily want to put that through code review | 15:52 |
evrardjp | I appreciate the ~ before immediate :p | 15:52 |
mnaser | right, i mean nothing stops them from +W their own changes | 15:53 |
mnaser | i think.. we can trust them :) | 15:53 |
fungi | well, nothing about dns is ever *truly* immediate ;) | 15:53 |
mnaser | but i can imagine a few reasons where it might make sense that they dont want this type of thing | 15:53 |
evrardjp | fungi: exactly :p | 15:53 |
mnaser | eg: creating shanghai-summit.openstack.org and not wanting folks to know about it | 15:53 |
mnaser | cause that wasnt announced yet or something | 15:54 |
fungi | evrardjp: i think it's that there are a number of stakeholders in osf who would like to be able to make dns changes directly without having to learn non-webgui tools to be able to do that end-to-end | 15:54 |
evrardjp | fungi: yes that's what I understood from the convo. Not sure if that message was for me :p | 15:54 |
evrardjp | Thanks for sharing this topic again | 15:55 |
fungi | learning git can be a stumbling block, and also a frustration for, say, an executive who wants to make an emergency dns change and can't afford to spend 15-30 minutes (or more) to set up a dev environment and refamiliarize themselves with the tools | 15:55 |
fungi | evrardjp: er, yeah i think i meant to respond to mnaser | 15:56 |
evrardjp | fungi: are you in fungi timezone again? :) | 15:56 |
fungi | i'm always in my timezone | 15:56 |
evrardjp | if you spend more than 5 seconds to respond yes, it definitely reached its intent | 15:57 |
evrardjp | hahaha | 15:57 |
jungleboyj | When is an executive making changes? | 15:57 |
fungi | jungleboyj: in a very small nonprofit organization with lots of stakeholders who all have the keys to everything | 15:57 |
jungleboyj | fungi: Ah, fair enough. | 15:57 |
jamesmcarthur | yeah, it happens more often than you'd think | 15:58 |
fungi | that can present its own change tracking challenges of course | 15:58 |
jamesmcarthur | If our servers go down or we have to switch something out on the fly for whatever reason. | 15:58 |
jamesmcarthur | at the end of the day, there are a handful of us, but we sometimes need critical changes made in 5 minutes | 15:59 |
evrardjp | I love swift/s3 for static hosting. | 15:59 |
evrardjp | I won't bring that again, promise | 15:59 |
evrardjp | ahem | 15:59 |
fungi | evrardjp: i think the www.openstack.org site is actually using swift for a lot of that content | 16:00 |
fungi | but yeah, to recap, basically managing sites in openstack.org is an additional level of burden for the opendev sysadmins because they're unable to use their preferred tooling/automation for dns and ssl cert management, so reducing (if not eliminating) the number of such sites helps their efficiency tremendously | 16:00 |
njohnston | Sounds convincing to me | 16:01 |
mnaser | does openstack.org use letsencrypt? | 16:01 |
jamesmcarthur | we do | 16:01 |
fungi | in some places, yeah. also cloudflare in some i think? | 16:01 |
mnaser | is there a way for opendev.org to use the same letsencrypt keys so it can automagically do ssl things | 16:02 |
mnaser | esp that wildcards with dns verification is possible | 16:02 |
mnaser | so once infra has the right keys they can generate certs to *.openstack.org | 16:03 |
fungi | the automation opendev uses for letsencrypt is designed to be able to create certificates before the server which would host the site even exists, so does it through dns validation | 16:04 |
fungi | this would basically require that automation to grow integration into rackspace's proprietary dns management rest api, and we're pretty set on sticking to apis for open-source software instead | 16:04 |
jamesmcarthur | we already have automation set up for letsencrypt on openstack.org | 16:04 |
mnaser | right but you dont need to do automation for specific domains | 16:05 |
mnaser | my idea is adding support for *.openstack.org via dns | 16:05 |
mnaser | and then you can just use that to generate as much certs as you want | 16:05 |
fungi | yes, we basically don't want our cert management automation dependent on proprietary dns hosting | 16:06 |
fungi | so for now plan to stick to automating cert generation/distribution for domains hosted in opendev | 16:07 |
mnaser | ok but you dont have to add support for proprietary dns hosting | 16:08 |
mnaser | we literally ask the osf to add one record and then we can generate as much wildcard certs as we want/need | 16:08 |
fungi | in principle that still relies on the domain which is being hosted in a proprietary platform | 16:08 |
fungi | the (fuzzy) division of responsibility we've established is that work being done under the opendev name should work toward independence from proprietary software and services | 16:09 |
mnaser | ok but cant we just reach a middle-man compromise ? | 16:09 |
mnaser | id rather see security.openstack.org instead of security.openstack.opendev.org or whatever alternative we have | 16:09 |
fungi | the middle-man compromise at this point is that work which touches proprietary systems is being done by the openstack infrastructure team, not the opendev sysadmins (even though many of them are the same people) | 16:09 |
mnaser | so if someone from the openstack community was to volunteer their time to make this work, would this be accepted by opendev? | 16:10 |
corvus | the dns records from the hosts still won't be managed by our tooling either -- so if we move a fileserver, someone has to go click in the web interface. we can't just grep for all the records that point to it. | 16:10 |
jamesmcarthur | ftr - I believe there are legal reasons as well that the foundation controls that openstack.org domain | 16:10 |
mnaser | corvus: right, but we can workaround that with CNAMEs | 16:10 |
mnaser | security.openstack.org CNAME's to security.opendev.openstack.org | 16:10 |
jamesmcarthur | jbryce: is not able to jump on now, but he has offered to answer any questions along those lines via email (he's currently in Sweden at dinner) | 16:11 |
fungi | reducing the number of subdomains would be a good start as well. so while docs.opendev.org/openstack/security would be an ideal place for security.openstack.org, docs.openstack.org/security would still be an improvement to reduce the subdomain sprawl | 16:11 |
corvus | jamesmcarthur: i don't think we've ever proposed changing who 'controls' the domain, just what tools we use to work together to manage it | 16:11 |
jamesmcarthur | yep, just offering some additional clarification about why it's on rackspace | 16:11 |
corvus | we tried to design the system we're using for opendev as a model for how multiple groups of people can work together to manage zones | 16:12 |
jamesmcarthur | +1 to fungi's proposal on docs.opendev.org/openstack ... but keep in mind there are big SEO hits there | 16:13 |
corvus | we'd never suggest changing the domain ownership or contacts. just the delegated dns servers | 16:13 |
fungi | (and management interface of course) | 16:13 |
jamesmcarthur | corvus: thanks for the clarification. I'm jumping in a bit late to the discussion :) | 16:13 |
corvus | me too :) | 16:13 |
corvus | mnaser: i'd like to understand more about your LE delegation ida -- can you spell that out in a little more detail? | 16:14 |
corvus | ida/idea | 16:14 |
mnaser | corvus: right, so when you issue a cert, you are given a challenge and you have to create a dns record (dns01) or http page (http01) -- dns01 verification supports wildcard certs, so we can make a request for *.openstack.org (inside opendev.org), grab the challenge, give it to osf to add to the dns, and then grab ourselves an ssl cert for *.openstack.org that we can leverage across all other domains afterwards | 16:16 |
mnaser | so the only manual step is the dns record creation | 16:16 |
mnaser | another idea is | 16:17 |
mnaser | we can delegate _acme-challenge subdomain to opendev.org | 16:17 |
mnaser | so we get a one time delegation of _acme-challenge.openstack.org to the opendev nameservers, and control that zone with all of our automation that we need | 16:18 |
mnaser | the only hard thing is that if osf relies on letsencrypt too, we might have to see how we can coordinate that part.. but perhaps that might be an easier thing to solve | 16:18 |
fungi | ianw has a proposal to do basically that, but we're doing our best not to tie opendev automation to proprietary services and attempting to continue moving more things away from them where they do have any lingering ties | 16:18 |
mnaser | if delegating the subdomain is still considered being tied to a proprietary service | 16:20 |
mnaser | i feel like that a bit too much | 16:20 |
corvus | mnaser: can we individually delegate, say "_acme-challenge.docs.openstack.org IN CNAME acme.opendev.org" ? | 16:22 |
corvus | (er, add a trailing '.' there of course :) | 16:22 |
mnaser | corvus: yes! | 16:23 |
mnaser | https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation under "Separate and Limited Privileges" | 16:23 |
mnaser | "Let's Encrypt follows the chain of CNAME records and will resolve the challenge validation token from the last record in the chain." | 16:23 |
corvus | so, to construct a strawman proposal here: we could, for every foo.openstack.org host, add two cnames: one for the server and one for acme. that would limit the openstack.org dns interaction to the following cases: 1) creating or deleting a "virtual webserver"; 2) changing the name of the target cname (eg files.opendev.org) | 16:25 |
corvus | does that sound about right? | 16:25 |
mnaser | corvus: actually looking there too, the strategy in "Use a "Throwaway" Validation Domain" makes sense too | 16:26 |
corvus | mnaser: fwiw, we use the acme cname delegation already in opendev -- it was unclear to me whether that would work across the second-level domain boundaries: https://opendev.org/opendev/zone-opendev.org/src/branch/master/zones/opendev.org/zone.db | 16:26 |
mnaser | oh gotcha | 16:27 |
mnaser | yes, it seems like it would | 16:27 |
fungi | seems like it should | 16:27 |
mnaser | and yes, i think what you suggest would work, it might be a little more work on the osf but i think they'd be okay with that (and being able to have the ability to make quick changes) | 16:28 |
mnaser | i would even go for 'project' specific target cname's, just to give us more control long term (i.e. static.openstack.org points to files.openstack.opendev.org points to files.opendev.org) | 16:29 |
mnaser | but thats just details :) | 16:29 |
corvus | okay, i think we should consider that proposal. i would love for us to all work together on automating all the things, and still hold out hope that we can do that with dns at some point. it would let us create a more flexible infrastructure where we're able to easily and automatically let anyone from the openstack project create any openstack.org site (with proper collaboration and approval). but | 16:32 |
corvus | if we (as a big wide community that involves opendev, tc, osf) aren't ready to work together on that, then this system where we have specific arms-length interaction on certain websites does seem like it may be workable from my perspective, and i think it's worth consideration. | 16:32 |
jamesmcarthur | can you all write up a proposal for this and send it to Jonathan and cc me? | 16:34 |
mnaser | jamesmcarthur: you're thinking proposal for the moving all dns (or the strawman of leaving openstack.org at rax but with ability to let infra generate certs and all) | 16:34 |
jamesmcarthur | the strawman | 16:35 |
mnaser | i can help out with that if someone is interested :) | 16:35 |
corvus | i'd be happy to write up my happy-hippy proposal for dns love. i think the strawman would be pretty brief. it's "infra does even less with openstack.org dns than they already do". someone else can write that up. :) | 16:36 |
corvus | but maybe do that after the next infra team meeting | 16:36 |
*** e0ne has quit IRC | 16:36 | |
fungi | yeah, there's not much to say about that | 16:37 |
fungi | basically creating some additional acme validation cnames for names of sites served from services infra is already managing | 16:38 |
fungi | e.g. docs.openstack.org and the like | 16:38 |
fungi | docs.starlingx.io is another good non-openstack example i suppose | 16:39 |
*** david-lyle has quit IRC | 16:44 | |
*** david-lyle has joined #openstack-tc | 16:45 | |
*** david-lyle has quit IRC | 16:45 | |
*** dklyle has joined #openstack-tc | 16:46 | |
*** jbryce has joined #openstack-tc | 16:49 | |
mnaser | fungi, corvus, jamesmcarthur: https://etherpad.openstack.org/p/openstack-org-dns i just wrote this up | 16:51 |
jamesmcarthur | thanks! | 16:51 |
mnaser | happy to get feedback :) | 16:51 |
corvus | mnaser: that matches my understanding of the strawman, thx | 16:53 |
corvus | let's put that on the next infra meeting agenda | 16:54 |
* corvus edits wiki | 16:54 | |
corvus | https://wiki.openstack.org/wiki/Meetings/InfraTeamMeeting#Agenda_for_next_meeting updated | 16:55 |
fungi | i've added a couple of minor clarifications to the pad | 17:02 |
fungi | indicating why the scope of work for osf staff will be small and should also decrease over time | 17:03 |
* mnaser feels like the lack of authoritative domains for openstack content isn't the most ideal | 17:13 | |
mnaser | but we can discuss that when the time comes | 17:13 |
*** tosky has quit IRC | 17:14 | |
fungi | yeah, as i said, having something like docs.openstack.org/governance/tc and docs.openstack.org/security and docs.openstack.org/releases and so on, all on the same subdomain instead of scattered across lots of them would be nicer to users, in my opinion | 17:16 |
fungi | and that would also reduce the number of ssl certs needed | 17:17 |
fungi | and simplify publication jobs even more | 17:17 |
fungi | the reason why we ended up with so many from the outset is that the osf controlled www.openstack.org so we couldn't easily publish to it with automation, the docs team was originally *very* concerned about any content not controlled by them getting published to docs.openstack.org (and also it was hosted on rackspace cloudfiles for a very long time), so there was no great place for different teams to | 17:18 |
fungi | publish content of their own | 17:18 |
*** jamesmcarthur has quit IRC | 17:18 | |
*** jamesmcarthur has joined #openstack-tc | 17:19 | |
mnaser | yeah but that'll cause a lot of seo related issues | 17:19 |
mnaser | and its not like our docs arent confusing on their own | 17:19 |
fungi | the www.o.o challenge still remains, but with the decentralization of docs management in more recent years we could at least put more there if we want | 17:20 |
fungi | another alternative would be hosting all the non-docs stuff somewhere like project.openstack.org (similar to how the apache project coexists with their foundation) | 17:20 |
*** openstackgerrit has quit IRC | 17:21 | |
mnaser | i think the only way i'd be okay with us doing that is if we put a serious effort into redirects | 17:22 |
mnaser | (like the type of effort we did with gitea for example) | 17:22 |
fungi | well, if we don't alter the structure within those trees, redirects are simple (and i would consider redirecting a necessary component of any consolidation like that regardless) | 17:23 |
fungi | it wouldn't need to be anywhere near as complex as the cgit->gitea redirects. that was essentially mapping a web application to another web application | 17:24 |
fungi | in contrast, content redirection for this wouldn't need more than a rule or two per site | 17:24 |
fungi | redirecting all the content of security.openstack.org to docs.openstack.org/security would only need a single rule | 17:26 |
mnaser | ++ | 17:33 |
*** ricolin has quit IRC | 17:35 | |
*** jamesmcarthur has quit IRC | 17:51 | |
*** jamesmcarthur has joined #openstack-tc | 17:51 | |
*** jamesmcarthur has quit IRC | 17:52 | |
*** e0ne has joined #openstack-tc | 17:59 | |
*** e0ne has quit IRC | 18:06 | |
*** spsurya has quit IRC | 18:07 | |
*** jamesmcarthur has joined #openstack-tc | 18:47 | |
zaneb | I agree that it shouldn't be as complicated as gitea, but we don't have a great track record of redirecting deep links in general | 18:53 |
*** lpetrut has joined #openstack-tc | 18:58 | |
*** lpetrut has quit IRC | 18:59 | |
*** lpetrut has joined #openstack-tc | 19:00 | |
fungi | agreed, but site moves/aggregation don't really change that. has more to do with becoming diligent about updating redirect hints every time we do a git mv | 19:03 |
fungi | and reviewing with that in mind | 19:04 |
zaneb | I'm talking about the fact we have done complete site moves and only put in shallow redirects in the past | 19:08 |
zaneb | you can check it out by visiting https://api.openstack.org/ right now :( | 19:10 |
*** lbragstad has quit IRC | 19:11 | |
fungi | i think that was an ancient redirect set up in cloudfiles, which has now been sold to liquidweb | 19:16 |
fungi | if memory serves, cloudfiles redirect sites didn't provide much flexibility in that regard | 19:16 |
fungi | we could easily set a more proper redirect for it on servers we control since docs.o.o/developer.o.o moved off cloudfiles ages ago | 19:17 |
fungi | if anyone sees value in trying to resurrect api.openstack.org urls it wouldn't be hard at all | 19:18 |
*** lpetrut has quit IRC | 19:41 | |
*** gmann is now known as gmann_afk | 19:52 | |
*** jamesmcarthur has quit IRC | 20:21 | |
*** lbragstad has joined #openstack-tc | 20:29 | |
*** tosky has joined #openstack-tc | 20:50 | |
*** camelCaser has quit IRC | 21:28 | |
*** camelCaser has joined #openstack-tc | 21:28 | |
*** markvoelker has quit IRC | 22:30 | |
*** jamesmcarthur has joined #openstack-tc | 23:23 | |
*** tosky has quit IRC | 23:23 | |
*** jamesmcarthur has quit IRC | 23:24 | |
*** mriedem has quit IRC | 23:26 |