15:11:05 <knesenko> #startmeeting oVirt Infra
15:11:05 <ovirtbot> Meeting started Mon Dec  9 15:11:05 2013 UTC.  The chair is knesenko. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:11:05 <ovirtbot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:11:26 * bkp here
15:11:34 <singler> fabiand: so I should wait for Jenkins build for patch set 5? Last Jenkins' comment is about patch set 3, but I cannot find iso in build link
15:12:24 <knesenko> #topic Hosting
15:12:28 <knesenko> ok guys
15:12:36 <knesenko> #chair dcaro obasan eedri
15:12:36 <ovirtbot> Current chairs: dcaro eedri knesenko obasan
15:12:49 <knesenko> update on rackspcae
15:12:53 <fabiand> singler, yeah you should wait for patchset 5 - when you follow that jenkins link, the iso link is somewhat hidden. select centos or fedora at the bottom of the linked page and then the samll plus at the top of the follow up page, near artifacts
15:12:53 <knesenko> host is back
15:13:09 <knesenko> we need to try reinstall it once again ....
15:13:35 <knesenko> there are still issues with VPN, so if it will fail will need to open them a tciket once again
15:13:45 <knesenko> #action knesenko install rackspace03
15:15:01 <knesenko> #info there are still issues with VPN console
15:15:18 <knesenko> anything else on hosting ? eedri ?
15:15:36 <eedri> knesenko, we need to add new vm for images
15:15:46 <eedri> knesenko, that will be able to hold 100-200GB,
15:15:50 <knesenko> eedri: saw it ... on which setup ?
15:16:02 <knesenko> eedri: i don't think we have an infra for that right now
15:16:07 <eedri> knesenko, well..if we manage to bring up RAX this week, we can put it there
15:16:14 <eedri> knesenko, it has almost 1 TB free space
15:16:40 <dcaro> knesenko: we do a very ugly 'hack' to restore the network if the connectivity is lost
15:16:43 <eedri> knesenko, if not, itamar will create a new vm on amazon and we'll just need to request DNS for it
15:16:51 <knesenko> eedri: I don't remember how much space we have for glusterfs
15:17:02 <eedri> knesenko, iirc it's 1TB or more
15:17:11 <knesenko> eedri: rakckspace is not a stable setup
15:17:20 <eedri> knesenko, we need it for backup as well
15:17:21 <knesenko> eedri: so we need to think before we install it
15:17:30 <eedri> knesenko, ok, we can start with amazon vm then
15:17:35 <knesenko> eedri: ok
15:17:43 <knesenko> eedri: who will install it ?
15:17:56 <itamar> eedri: itamar already created a VM with 500GB (for now) and gave oved access to take a look at setting it up
15:18:15 <knesenko> itamar: DNS name ?
15:18:17 <eedri> itamar, thanks. can oved provide us with the ip so we can open a ticket for dns
15:18:18 <itamar> no dns yet...
15:18:24 <itamar> ping oved please...
15:18:43 <knesenko> #info itamar has created a VM on amazon to store images
15:18:45 <eedri> knesenko, please add action item on oved to provide info and one for adding dns entry for images.ovirt.org?
15:19:27 <knesenko> #action once we have a DNS name update the WIKI
15:20:00 <knesenko> #action talk to oved and ask him for an info about images.ovirt.org
15:20:12 <knesenko> #action open a ticket for a DNS request
15:20:18 <knesenko> ok what next ?
15:20:34 <eedri> there is open action item on upgrading all centos 6.4 to 6.5
15:20:45 <eedri> ewoud, said he'll take it, but i don't know if its done yet
15:20:56 <eedri> also jenkins slaves labels/names are not updated as well
15:21:21 <eedri> knesenko, can you verify? and update if needed?
15:21:34 <eedri> knesenko, currently blocking vdsm from pushing some patches to master
15:22:04 <knesenko> #action update all centos slaves from 6.4 to 6.5
15:22:25 <knesenko> #action eedri open a ticket and assign it to someone to upgrade centos slaves
15:22:47 <knesenko> #action knesenko update jenkins slaves labels
15:23:10 * orc_orc appears later
15:23:35 <knesenko> #chair orc_orc
15:23:35 <ovirtbot> Current chairs: dcaro eedri knesenko obasan orc_orc
15:23:45 <knesenko> ok ... anything else on hosting ?
15:24:09 <dcaro> I enabled ssl for gerrit.ovirt.org the other day
15:24:26 <dcaro> I'm not sure why it wasnt enabled
15:25:03 <knesenko> dcaro: this certificated is expired
15:25:14 <dcaro> knesenko: that might be it :)
15:25:25 <knesenko> dcaro: need to request a new one
15:25:59 <knesenko> dcaro: and it should be issued to gerrit.ovirt.org ... can you request it ?
15:26:35 <dcaro> knesenko: I think I even have a ticket on it
15:26:56 <knesenko> #action dcaro request a new certificate for gerrit.ovirt.org
15:27:15 <martingo> Hi, is there a procedure to import an existing VG into ovirt-engine 3.3, i'm moving my hypervisors from ovirt-engine 3.1
15:27:44 <martingo> the VG is created in ovirt-enginge 3.1 and is located an a san lun
15:27:50 <eedri> martingo, we're currently in an infra ovirt meeting, can you hold you question another 30 min please?
15:28:01 <martingo> shure
15:28:37 <knesenko> #topic Foreman and Puppet
15:28:56 <knesenko> dcaro: why do we have sudo rule for jenkins ALL = (root)
15:29:07 <knesenko> whynot to set it as ALL=(ALL) ?
15:29:26 <knesenko> it wont block us when we want to run commands as postgres user for example
15:29:49 <knesenko> obasan: you sent a patch for this right ?
15:30:10 <obasan> knesenko, yes. but I still that it still doesn't work. this job is problematic
15:30:12 <dcaro> knesenko: no specific reason, I suppose that before when it was limited to a set of commands had sense, but now it does not
15:30:39 <knesenko> so I am +1 to change it to ALL=(ALL)
15:30:42 <knesenko> objections ?
15:31:24 <Rydekull> o_O
15:31:38 <knesenko> Rydekull: want to join us ?
15:31:41 <Rydekull> Well, quite a few ones without knowing the context why it is needed :-)
15:31:47 <Rydekull> knesenko: Well, I just arrived
15:32:35 <knesenko> Rydekull: np
15:32:41 <knesenko> #chair Rydekull
15:32:41 <ovirtbot> Current chairs: Rydekull dcaro eedri knesenko obasan orc_orc
15:33:14 <lid> Hi fabiand
15:33:28 <knesenko> #action obasan send a patch to enable sudo for jenkins as ALL=(ALL)
15:34:03 <Rydekull> So, I dont know the context for that rule. But any security implementation should work in the principle of least privilege
15:34:17 <Rydekull> and ALL=(ALL) is quite the opposite of that :-)
15:34:38 <knesenko> now its ALL = (root)
15:35:00 <knesenko> and when trying to run as jenkins - sudo -u postgres cmd
15:35:02 <knesenko> it fails
15:35:17 <Rydekull> Well, that's better then ALL=(ALL) even though it kinda works along the lines of security through obscurity
15:36:15 <Rydekull> If you want jenkins to be able to run a command as user @ host, i'd define just that, host=(user)
15:36:18 <knesenko> why its better ?
15:36:44 <knesenko> Rydekull: you mean a specific rule ?
15:36:50 <Rydekull> Cause it limits it to the root user (but since the root user has access, it gives access to everything)
15:37:18 <Rydekull> Like Im telling you, I dont know the context. Im just arguing that ALL=(ALL) is bad practice security wise :-)
15:37:21 <knesenko> Rydekull: right .... so ALL = (root)
15:37:42 <dcaro> Rydekull: the context is executting jobs on the slave jenkins machines
15:37:55 <fabiand> lid, hey
15:38:16 <lid> Is it a good time to chat about stateless node?
15:38:23 <singler> I believe you can add more users to run as in sudoers, so you could just add root,postgres,etc on as needed basis
15:38:48 <Rydekull> dcaro: as postgres? build hostgroup in sudo, add a rule for jenkins to that specific hostgroup and the user
15:38:51 <Rydekull> postgres in this case
15:38:59 <Rydekull> Seems dangerous to give jenkins root access
15:39:22 <dcaro> Rydekull: well, for other jobs we had to enable the root access, in that case is giving it also postres access
15:39:54 <Rydekull> I'd revise those other jobs as another action point.
15:39:59 <fabiand> lid, sure - tho we could wait for the meeting to end ..
15:40:02 <knesenko> Rydekull: so I assume we need to add a group of a specific commands
15:40:20 <Rydekull> But in this case I'd change "ALL" to a hostgroup and extend users from "root" to "root,postgres"
15:40:39 <Rydekull> knesenko: well, it seems like a smart move to do :-)
15:43:01 <knesenko> #info start thinking to create sudo command groups for all users
15:43:13 <knesenko> dcaro: something else here ?
15:43:21 <Rydekull> Revise sudo rules in general it seems like :-)
15:44:05 <dcaro> nothing else comes to mind
15:44:15 <lid> fabiand: sure, I 'll wait for the meeting to end
15:44:20 <knesenko> #topic Jenkins
15:44:25 <knesenko> ok what do we have here ?
15:44:29 <knesenko> obasan: ^^
15:45:27 <obasan> knesenko, we are trying to fix the dao tests
15:46:01 <obasan> knesenko, it worked on the wrong user. we changed it and it still doesn't work. and we updated the puppet manifest to grant the jenkins user with the correct sudo permissions
15:46:08 <knesenko> #info knesenko review upgrade_params job
15:46:12 <knesenko> obasan: ok thanks
15:46:17 <knesenko> instead of that ?
15:48:14 <knesenko> #Other Business
15:48:48 <Rydekull> obasan: wakey wakey
15:48:51 <Rydekull> obasan: oh, sorry
15:49:12 <Rydekull> knesenko: I think you missed #info in previous command :-)
15:49:21 <obasan> Rydekull, partially awake :)
15:49:36 <Rydekull> obasan: heh, it was a command going wrong, meant to message a friend ;-)
15:49:39 <dneary> knesenko, I see "install to rackspace3" as one of your actions... did you sort out the issues?
15:50:19 <knesenko> dneary: hello ... yes we are
15:50:43 <knesenko> dneary: but we still have issues that are not related to us...keyboard doesn't works via VPN
15:51:06 <knesenko> dneary: so when we lost a connectivity to the host, its impossible for us to open a console and debug
15:51:15 <knesenko> dneary: that's a blocker for us right now
15:52:09 <dneary> So still the idrac issue?
15:52:30 <knesenko> dneary: correct
15:52:42 <Rydekull> How is the keyboard issue presenting itself?
15:52:52 <Rydekull> tried using different versions of java/browers/.net etc?
15:53:25 <dcaro> Rydekull: the problem seems related to the machine installed os and console redirection from the iDRAC, tried different oses, javas, browsers...
15:54:12 <Rydekull> Hrm
15:54:40 <Rydekull> What os is the machine running?
15:54:45 <Rydekull> and what kind of model is the machine?
15:55:14 <knesenko> Rydekull: is idrac related to OS ?
15:55:22 <knesenko> idrac issues
15:56:11 <Rydekull> Shouldn't be affected by what OS you're running on the server.
15:57:13 <Rydekull> is it iDRAC7? (Im assuming so)
15:57:26 <dcaro> Rydekull: fedora 19, let me check the details
15:59:29 <Rydekull> ie 10 with activex ought to be working with iDRAC atleast
15:59:45 <Rydekull> well, or java, but java could be a matter of having the correct version of java
16:00:03 <dcaro> Rydekull: the hardware is Dell R720, running iDRAC7 version 1.42.42
16:00:14 <knesenko> ok we are out of time ... thanks guys
16:00:18 <knesenko> #endmeeting