15:11:05 <knesenko> #startmeeting oVirt Infra
15:12:24 <knesenko> #topic Hosting
15:12:28 <knesenko> ok guys
15:12:36 <knesenko> #chair dcaro obasan eedri
Current chairs: dcaro eedri knesenko obasan
15:12:49 <knesenko> update on rackspcae
15:12:53 <knesenko> host is back
15:13:09 <knesenko> we need to try reinstall it once again ....
15:13:35 <knesenko> there are still issues with VPN, so if it will fail will need to open them a tciket once again
15:13:45 <knesenko> #action knesenko install rackspace03
15:15:01 <knesenko> #info there are still issues with VPN console
15:15:18 <knesenko> anything else on hosting ? eedri ?
15:15:36 <eedri> knesenko, we need to add new vm for images
15:15:46 <eedri> knesenko, that will be able to hold 100-200GB,
15:15:50 <knesenko> eedri: saw it ... on which setup ?
15:16:02 <knesenko> eedri: i don't think we have an infra for that right now
15:16:07 <eedri> knesenko, well..if we manage to bring up RAX this week, we can put it there
15:16:14 <eedri> knesenko, it has almost 1 TB free space
15:16:40 <dcaro> knesenko: we do a very ugly 'hack' to restore the network if the connectivity is lost
15:16:43 <eedri> knesenko, if not, itamar will create a new vm on amazon and we'll just need to request DNS for it
15:16:51 <knesenko> eedri: I don't remember how much space we have for glusterfs
15:17:02 <eedri> knesenko, iirc it's 1TB or more
15:17:11 <knesenko> eedri: rakckspace is not a stable setup
15:17:20 <eedri> knesenko, we need it for backup as well
15:17:21 <knesenko> eedri: so we need to think before we install it
15:17:30 <eedri> knesenko, ok, we can start with amazon vm then
15:17:35 <knesenko> eedri: ok
15:17:43 <knesenko> eedri: who will install it ?
15:17:56 <itamar> eedri: itamar already created a VM with 500GB (for now) and gave oved access to take a look at setting it up
15:18:15 <knesenko> itamar: DNS name ?
15:18:17 <eedri> itamar, thanks. can oved provide us with the ip so we can open a ticket for dns
15:18:18 <itamar> no dns yet...
15:18:24 <itamar> ping oved please...
15:18:43 <knesenko> #info itamar has created a VM on amazon to store images
15:18:45 <eedri> knesenko, please add action item on oved to provide info and one for adding dns entry for images.ovirt.org?
15:19:27 <knesenko> #action once we have a DNS name update the WIKI
15:20:00 <knesenko> #action talk to oved and ask him for an info about images.ovirt.org
15:20:12 <knesenko> #action open a ticket for a DNS request
15:20:18 <knesenko> ok what next ?
15:20:34 <eedri> there is open action item on upgrading all centos 6.4 to 6.5
15:20:45 <eedri> ewoud, said he'll take it, but i don't know if its done yet
15:20:56 <eedri> also jenkins slaves labels/names are not updated as well
15:21:21 <eedri> knesenko, can you verify? and update if needed?
15:21:34 <eedri> knesenko, currently blocking vdsm from pushing some patches to master
15:22:04 <knesenko> #action update all centos slaves from 6.4 to 6.5
15:22:25 <knesenko> #action eedri open a ticket and assign it to someone to upgrade centos slaves
15:22:47 <knesenko> #action knesenko update jenkins slaves labels
15:23:35 <knesenko> #chair orc_orc
Current chairs: dcaro eedri knesenko obasan orc_orc
15:23:45 <knesenko> ok ... anything else on hosting ?
15:24:09 <dcaro> I enabled ssl for gerrit.ovirt.org the other day
15:24:26 <dcaro> I'm not sure why it wasnt enabled
15:25:03 <knesenko> dcaro: this certificated is expired
15:25:14 <dcaro> knesenko: that might be it :)
15:25:25 <knesenko> dcaro: need to request a new one
15:25:59 <knesenko> dcaro: and it should be issued to gerrit.ovirt.org ... can you request it ?
15:26:35 <dcaro> knesenko: I think I even have a ticket on it
15:26:56 <knesenko> #action dcaro request a new certificate for gerrit.ovirt.org
15:28:37 <knesenko> #topic Foreman and Puppet
15:28:56 <knesenko> dcaro: why do we have sudo rule for jenkins ALL = (root)
15:29:07 <knesenko> whynot to set it as ALL=(ALL) ?
15:29:26 <knesenko> it wont block us when we want to run commands as postgres user for example
15:29:49 <knesenko> obasan: you sent a patch for this right ?
15:30:10 <obasan> knesenko, yes. but I still that it still doesn't work. this job is problematic
15:30:12 <dcaro> knesenko: no specific reason, I suppose that before when it was limited to a set of commands had sense, but now it does not
15:30:39 <knesenko> so I am +1 to change it to ALL=(ALL)
15:30:42 <knesenko> objections ?
15:31:24 <Rydekull> o_O
15:31:38 <knesenko> Rydekull: want to join us ?
15:31:41 <Rydekull> Well, quite a few ones without knowing the context why it is needed :-)
15:31:47 <Rydekull> knesenko: Well, I just arrived
15:32:35 <knesenko> Rydekull: np
15:32:41 <knesenko> #chair Rydekull
Current chairs: Rydekull dcaro eedri knesenko obasan orc_orc
15:33:28 <knesenko> #action obasan send a patch to enable sudo for jenkins as ALL=(ALL)
15:34:03 <Rydekull> So, I dont know the context for that rule. But any security implementation should work in the principle of least privilege
15:34:17 <Rydekull> and ALL=(ALL) is quite the opposite of that :-)
15:34:38 <knesenko> now its ALL = (root)
15:35:00 <knesenko> and when trying to run as jenkins - sudo -u postgres cmd
15:35:02 <knesenko> it fails
15:35:17 <Rydekull> Well, that's better then ALL=(ALL) even though it kinda works along the lines of security through obscurity
15:36:15 <Rydekull> If you want jenkins to be able to run a command as user @ host, i'd define just that, host=(user)
15:36:18 <knesenko> why its better ?
15:36:44 <knesenko> Rydekull: you mean a specific rule ?
15:36:50 <Rydekull> Cause it limits it to the root user (but since the root user has access, it gives access to everything)
15:37:18 <Rydekull> Like Im telling you, I dont know the context. Im just arguing that ALL=(ALL) is bad practice security wise :-)
15:37:21 <knesenko> Rydekull: right .... so ALL = (root)
15:37:42 <dcaro> Rydekull: the context is executting jobs on the slave jenkins machines
15:38:23 <singler> I believe you can add more users to run as in sudoers, so you could just add root,postgres,etc on as needed basis
15:38:48 <Rydekull> dcaro: as postgres? build hostgroup in sudo, add a rule for jenkins to that specific hostgroup and the user
15:38:51 <Rydekull> postgres in this case
15:38:59 <Rydekull> Seems dangerous to give jenkins root access
15:39:22 <dcaro> Rydekull: well, for other jobs we had to enable the root access, in that case is giving it also postres access
15:39:54 <Rydekull> I'd revise those other jobs as another action point.
15:40:02 <knesenko> Rydekull: so I assume we need to add a group of a specific commands
15:40:20 <Rydekull> But in this case I'd change "ALL" to a hostgroup and extend users from "root" to "root,postgres"
15:40:39 <Rydekull> knesenko: well, it seems like a smart move to do :-)
15:43:01 <knesenko> #info start thinking to create sudo command groups for all users
15:43:13 <knesenko> dcaro: something else here ?
15:43:21 <Rydekull> Revise sudo rules in general it seems like :-)
15:44:05 <dcaro> nothing else comes to mind
15:44:20 <knesenko> #topic Jenkins
15:44:25 <knesenko> ok what do we have here ?
15:44:29 <knesenko> obasan: ^^
15:45:27 <obasan> knesenko, we are trying to fix the dao tests
15:46:01 <obasan> knesenko, it worked on the wrong user. we changed it and it still doesn't work. and we updated the puppet manifest to grant the jenkins user with the correct sudo permissions
15:46:08 <knesenko> #info knesenko review upgrade_params job
15:46:12 <knesenko> obasan: ok thanks
15:46:17 <knesenko> instead of that ?
15:48:14 <knesenko> #Other Business
15:49:39 <dneary> knesenko, I see "install to rackspace3" as one of your actions... did you sort out the issues?
15:50:19 <knesenko> dneary: hello ... yes we are
15:50:43 <knesenko> dneary: but we still have issues that are not related to us...keyboard doesn't works via VPN
15:51:06 <knesenko> dneary: so when we lost a connectivity to the host, its impossible for us to open a console and debug
15:51:15 <knesenko> dneary: that's a blocker for us right now
15:52:09 <dneary> So still the idrac issue?
15:52:30 <knesenko> dneary: correct
15:52:42 <Rydekull> How is the keyboard issue presenting itself?
15:52:52 <Rydekull> tried using different versions of java/browers/.net etc?
15:53:25 <dcaro> Rydekull: the problem seems related to the machine installed os and console redirection from the iDRAC, tried different oses, javas, browsers...
15:54:12 <Rydekull> Hrm
15:54:40 <Rydekull> What os is the machine running?
15:54:45 <Rydekull> and what kind of model is the machine?
15:55:14 <knesenko> Rydekull: is idrac related to OS ?
15:55:22 <knesenko> idrac issues
15:56:11 <Rydekull> Shouldn't be affected by what OS you're running on the server.
15:57:13 <Rydekull> is it iDRAC7? (Im assuming so)
15:57:26 <dcaro> Rydekull: fedora 19, let me check the details
15:59:29 <Rydekull> ie 10 with activex ought to be working with iDRAC atleast
15:59:45 <Rydekull> well, or java, but java could be a matter of having the correct version of java
16:00:03 <dcaro> Rydekull: the hardware is Dell R720, running iDRAC7 version 1.42.42
16:00:14 <knesenko> ok we are out of time ... thanks guys
16:00:18 <knesenko> #endmeeting