> This is now done and I think everything is working.
>
Congrats!
___
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org
Fedora Code of Conduct:
On IRC, rcrit pointed out that the client (in my case, curl) is asking for the
HTTP service principal and not the one I have set for fasjson. So, I wonder if
there is a way to run different HTTP services on the same VM at all. Maybe
using virtualhosts and subdomains? But then I may need to add
Hey folks!
I'm trying to run IPA and another wsgi piece of code (FASJSON) on the same VM,
and I think I'm having trouble with the gssproxy config.
I have set fasjson to a separate gssproxy socket (gssproxy conf & app env var),
I have enabled logging in gssproxy, and it rejects authentication
So, something broke, I forgot that the bodhi user also publishes to the
org.fedoraproject.{env}.pungi.
I fixed that now but there were quite a few messages rejected during my
night. It may be necessary to restart the compose.
Aurélien
On Mon, 10 Jul 2023 at 17:43, Aurelien Bompard wrote
Done. The following users are not protected by ACLs (which means they can
send to any topics):
- notifs-web and notifs-backend, because we'll remove the old FMN soonish
- alt-src: I couldn't contact the owner (Siteshwar?). Related to CentOS
Stream. I tried to contact Brian Stinston.
- coreos:
> I watched the recording today. Thanks for starting all the way at the
> beginning with the easyfix page. It was interesting to see your dev
> environment with VS Code at the beginning and OpenShift GitHub
> automation at the end, plus the tiny-stage concept. I learned a few
> things!
>
Hey folks!
This Friday at 13:00 UTC I'll be streaming on Twitch[1] about the
development of Fedora infrastructure apps. I'll start on a clean env,
check out one of our apps, set up a dev env, fix a small bug, test it, and
create a PR.
[1] https://twitch.tv/ohwellien
I haven't decided which app
We might be able to make it work with
https://www.npmjs.com/package/es-module-shims, do you mind opening a ticket on
FMN's tracker please?
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to
> So… I understand why this default was chosen, but I think that it'd be better
> to change the default to something narrow-but-reasonable, especially for
> new users. If I'm new to Fedora, I probably wouldn't know about fmn and
> it'd be hard to discover. But if I get even a few notifications,
> But the program requires something that my browser
> doesn't have, so nothing is displayed.
If I understand correctly, your browser's JavaScript engine can't run the app?
There are some tools in the development chain we use that are translating the
TypeScript code we write to something that
> I used to set the old FMN to send me a "daily or n messages" digest...
> I've just realized that there is no such functionality in the new FMN!
> Is that something that can be reconsidered?
Indeed, I don't think that came up during the requirements gathering phase, but
it would be a cool
> Are only email notifications supported?
No, it can do IRC and Matrix as well.
> (On the new website, it says "Add destination", and in the drop down menu
> there's only my email address.)
The available destinations are retrieved from your user profile on Noggin
> s/tech debt/older software that needs work to reduce ongoing maintenance
> costs/
Indeed :-)
I'll call it OSTNWTROMC then, it's shorter. But even as an acronym, it's more
letters than "tech debt" ;-)
(just kidding, I get your point)
> I see only a blank page. So it has strict requirements for which
> Javascript runners can be used to run it, then?
Yes, the UI is written in JavaScript (TypeScript with Vue.js to be precise). We
should probably add a noscript tag to make that clearer.
> I'm still a bit confused what I need to do though: It looks like
> notifications-old is still running, as I continue to get IRC
> notifications from it ...
> - How long are the old and new services expected to continue running
> in parallel?
Yeah we'll keep running both until F39 to give time
> I'll try to free some cycles and take a look if it's possible to have an
> intermediate solution.
I have some ideas on how we could do that without touching the existing Badges
code.
Basically what I was thinking was:
- write the Fedora Messaging Schema for Badges (you'll need to do that at
Hey!
Bugzilla, Pagure, Bodhi and Discussion are all apps that have their own
notification systems, as you've noticed. The notifications that FMN handles are
for apps that don't, such as Koji for example. But the old FMN being unreliable
has discouraged app owners from using it. That may change
OK, the switch is complete, the new notifications app is at
https://notifications.fedoraproject.org, and if necessary you'll see a link to
the old app there.
Please open issues at https://github.com/fedora-infra/fmn/issues if you find
any. Thanks!
Aurélien
> So ... what happens when the switch to the "new" Notifications app
> happens? Are the same "defaults" that are configured for the IRC
> delivery mechanism in the "old" Notifications app applied to all
> users, or does everybody start with a "blank slate", i.e. will I need
> to manually create
> - email me when I get a new badge
Yes, Badges has still not been ported over to Fedora Messaging. It's actually
the last remaining piece I think, with FMN done. Until then, FMN can't
understand the messages that Badges emits, so you can't subscribe to
notifications yet. Sorry about that!
> Thank you, the new FMN is much cleaner and easier to use than the
> previous version.
Thanks!
> One thing it's not clear to me: are the rules processed sequentially
> (first to match stop processing) or in parallel? I'd like to create two
> rules, one for my packages and one for packages of a
Hi folks!
The "FMN replacement" team has finished writing the new version of our
notification system, and we are ready to deploy!
We plan on:
- deploying the new version on https://notifications.fedoraproject.org
this week,
- keep the old one around but move it to
Hi folks!
The FMN replacement team has finished writing the new version of our
notification system, and we are ready to deploy! We plan on deploying
the new version on https://notifications.fedoraproject.org this week,
we'll keep the old one around but move it to
> I was going to say that one thing you need to 'add' is announcing this plan
> of changes to devel and users mailing lists and the equivalent discourse at
> least 3 times.
Very true, thanks for the suggestion, I would not have communicated
enough. Sadly, people don't like surprises.
> I guess
Oh yeah one more thing:
> - How do you see the transition to the new system? We were thinking:
> - move the current FMN to a different URL, such as
> notifications-old.fp.o. It will still be processing messages and
> sending notifications
> - run the new system in notifications.fp.o (in place
Hey folks!
I have a few questions about the final deployment of the FMN replacement:
- There's been a request to handle a user being disabled in IPA, which
should trigger their rules being disabled (FMN#826). We can do that
but we have questions about re-enablement: should the rules be
> We should drop that from dns. [...]
> Anyhow, the ssh access SOP should be updated with all this info.
I looked for the SOP and found this:
https://docs.fedoraproject.org/en-US/infra/sysadmin_guide/sshaccess/
It still mentions bastion-iad01. Am I on the wrong docs? It looks like
the right
Hey folks!
To help me search through the FMN logs during development I've written
a small script that parses and stores the logs in a SQLite database on
log01 (that I remove afterwards :-).
While doing that I noticed that MDAPI produces quite a bit of logs.
Here is the number of log lines
> I'd like to setup log forwarding on our production cluster to log all
> application level logs to log01.
+1 to that, it would be very useful to the folks developing apps as
well, as we all know that no bug ever shows up when we deploy
something to production.
Thanks!
Aurélien
> I'm missing any kind of release guide and I'm missing how to run tests
> in contribution guide (I only found how to setup dev env with vagrant
> and setup quick test instance in README).
Thanks Michal, I've added that to my TODO list.
A.
Hey folks!
I would like to ask you about Ipsilon and its documentation. I have
made the last significant commits to it over the past few years
(mostly during the AAA project development), and I might be one of the
few people who *kinda* know how it works. At least some parts.
That's not a very
> Well, we can actually do persistent storage in the ocp4 cluster. ;)
Oh, that's interesting! Are we using it already in one of our
ansible-deployed apps?
> I'm not sure how slow/fast it might be, but it is there...
I think it's fine, Redis will use memory first and snapshot to disk
e,
but we haven't stored a lot of data in there yet.
On Mon, 28 Nov 2022 at 01:17, Kevin Fenzi wrote:
>
> On Thu, Nov 24, 2022 at 10:56:57AM +0100, Aurelien Bompard wrote:
> > Hey folks!
> >
> > The new version of FMN will run in OpenShift and will use Redis as a
Hey folks!
The new version of FMN will run in OpenShift and will use Redis as a
cache backend (we chose it over memcached because it can do native
"is-this-string-in-this-set" operations).
I can deploy redis inside my openshift project easily enough, but I
was wondering if it would be
> > 1. Sync the prod DB to staging.
>
> I think it might work, but not sure we have anyplace off hand with
> enough disk space. We might. I can look more if this is the way we want
> to go.
Well if we don't have the disk space on staging then let's do something else.
> > 2. Having a second
Hey folks!
There's been a report of queries long enough to cause a timeout in
datagrepper:
https://github.com/fedora-infra/datagrepper/issues/467
I don't think those queries should take so much time, and I'd like to debug
this performance issue, possibly try a couple new indexes on the tables,
> Hey, folks. Just a note on the FMN replacement plan - as part of that
> involves making sure important things have fedora-messaging message
> schemas, I thought I'd link to a thing I wrote a while back which may
> be handy:
>
> https://pagure.io/fedora-qa/python-ci_messages
Thanks Adam, I'll
Hey folks!
I have begun setting topic authorizations on our message bus: apps will no
longer be able to send messages to any topics, only to those they are
explicitly allowed to. I'll need your help to make sure I'm not forgetting
topics that your app wants to send to.
In RabbitMQ these
> However, fas is still there, so when we take down the cluster, badges
> will break. Ideally we would fix that before we take down the old
> cluster, but I don't want to leave it running there too long.
>
I'll check if there's an easyfix for badges' reliance on FAS. It may not be
that much work.
> I've moved a bunch more projects the last few days.
>
I've realized with datagrepper that we need to move apps that share a
virtualhost at the same time. Otherwise the SSLProxyCACertificateFile value
in the HTTP proxy will conflict and things will fail.
Luckily datagrepper only conflicted with
REMOVE: fas-changes.yml
> ( I think this was just needed for a short time for the account system
> migration, please correct me if it's got some better use)
>
Correct, it can be dropped.
> REMOVE: ipsilon.yml
> ( we moved this to vm's because we couldn't run pam_sssd in openshift.
> Has
Hey folks!
A few months ago I started a library to share some boilerplate code in our
applications when it comes to SQLAlchemy.
Remember the thread about Flask and SQLAlchemy
> The bigger problem is that those applications are *not* able to easily
> be deployed outside of Fedora infrastructure. One consequence of
> OpenShift based deployments is that it's become almost too easy to
> assume nobody else would ever want to run that code.
Because of this, it becomes hard
>
> I'm going to deploy the recent changes to production soonish (probably
> tomorrow early morning UTC).
>
And it's done. There were a couple hiccups because of course I did not
record everything I did on staging to make it work, but it's now working
fine. Enjoy the new OTP field! :-)
Aurélien
> As a package maintainer... I LOATHE pinning. ;(
>
Let me rephrase that and please tell me if I'm correctly representing your
thoughts.
You loathe somebody else deciding which dependencies you must use.
That's fair, it's a distro packager's hell.
However in this case I think it's pretty
Hey folks!
I have recently been given the powers to make Ipsilon releases, so I'm
going to deploy the recent changes to production soonish (probably tomorrow
early morning UTC). We've been working with a snapshot so it's not as big
an update as you'd think when looking at the date of the last
> Something like:
>>
>> Applications in Fedora Infrastructure may be deployed via non rpm
>> methods (as long as they obey licensing guidelines (
>> https://fedoraproject.org/wiki/Infrastructure_Licensing )). For those
>> applications, creating and maintaining an rpm is optional.
>>
>>
> How
Hey folks!
After spending some time evaluating our options, CPE's Advance Reconnaissance
Team came up with this proposal for the next version of FMN:
https://fedora-arc.readthedocs.io/en/latest/fmn/april2022/index.html
Please check it out if you're interested, it has an analysis of the
> On Fri, 2022-04-22 at 11:35 +0200, Miro Hrončok wrote:
>
> Replying to a reply because I can't find the original mail, sorry.
>
> I want to be easily able to *NOT* be notified of things I just did. In
> fact this should probably be the default. Right now my FMN
> notifications are floods of
> Unfortunately no, it won't. I am a member of a group that has too many
> artifacts to be notified about all of them by default. This needs to be
> opt-in.
Noted, thanks.
> Not really. However, not sure if the "watch" is counted in this category
> or in the previous.
Right, it wasn't clear. When I wrote "my artifacts" I meant the artifacts I'm
the owner of.
> What belongs into this category? Not really sure.
App maintainers may define in their message and
> Groups. I want to be notified of what happens on group's artifacts, events
> referring to the group's name.
Good point! So let's say when an artifact is owned by a group you're a member
of, you'll be considered an owner, and notified as such. Would that work for
you?
There's currently no
> Please make it Matrix native. That way FMN can send richer and more
> useful notifications.
Yeah that's maybe the only additional feature we're considering adding :-)
> I also want notifications about CI/CD things happening in PRs in Dist-Git.
If a Fedora Message is sent, as long as the
Hey folks!
We're having a look at FMN these days, and we're trying to design its
replacement in our Fedora Messaging enabled world.
The current FMN has the following shortcomings:
- too slow at runtime
- slow at startup time (a couple of hours to startup…)
- complex UI
We think that this all
Hey Fabio!
> However, testing the fallback to OpenID, it does
> not work for me with bodhi.stg.fedoraproject.org
> Trying to access this login URL, I'm getting HTTP 500 / Internal
> Server Error responses from
> https://bodhi.stg.fedoraproject.org/dologin.html?openid=https%3A%2F%2Fid
> which
> * What is the expiration period? Or, can we set the expiration date ourselves?
What expiration do you mean? The buildroot override setting that
save_override() gives access to is really unrelated to authentication and you
probably don't need it if you didn't need it before.
If you mean when
> I wonder if kerberos going to be supported or not?
Not at this time.
Aurélien
Hey everyone!
Bodhi 6.0 will be published in a few days, and deployed to production a
couple weeks after the Fedora release. It has backwards-incompatible
changes, here's what you need to know.
== Authentication ==
Bodhi gained support for OpenID Connect (OIDC) authentication, like most of
Hey Frantisek!
Excellent questions!
> * Our users can use Packit via CLI and use their identity for Bodhi
> connections. With this, it's not nice, but doable to open a web-browser. (Not
> sure how this works in the containerised use-cases.)
The Bodhi CLI will display a URL that you'll have to
Hey Ondrej!
On Wed, Mar 16, 2022 at 12:50 AM Ondrej Nosek wrote:
> I don't have expertise in Irish holidays (I know there is one on this
> Thursday), so I don't know how much time I have.
This was my attempt at a joke: I was suggesting the worst possible moment,
when everybody is on holiday.
> well, the cron job that does daily bodhi updates pushes (when we are not
> in freeze) calls 'bodhi-push --username releng'.
>
Would this be affected? I am not sure how it authenticates currently. :(
>
Nope that's not the same bodhi client, the bodhi client I'm asking about is
just "bodhi". This
Hey folks!
We are preparing for the deployment of the next major release of Bodhi
(planned for a Friday evening on an Irish bank holiday during freeze in the
Thanksgiving extended weekend), and the authentication has changed, which
means automated calls of the bodhi client ("bodhi" command line)
> But yeah, making it impossible to use the bodhi cli without opening a web
> browser for authentication would be bad for my use cases / my projects -
> particularly fedora-update-feedback. If I need to open a web browser for
> authentication, I can just use it to submit bodhi feedback as well,
Hey folks!
A long email to give you some context, please bear with me :-)
A while back, Bodhi's integration tests stopped working on the "pip"
release (basically the latest python packages from PyPI). Since the
integration tests were flaky at that time, they were disabled on the
"pip" release.
> Do you think it's a good idea to do this on Friday?
Well, I did not say Friday *evening*, so, this is fine :-D
Yeah Monday is better, I realized it after sending the email :-)
> I am back now so we can do this whenever suits you
Cool! What about this Friday morning? Too short notice? It should take
an hour or two, less if we're lucky.
WDYT?
Hey folks!
I am happy to report that the datanommer data migration is finally
complete! \o/
Now we can move on to migrating the apps themselves. I had initially
written this plan:
https://github.com/fedora-infra/datanommer/wiki/Migration-plan
We'll need to set a downtime window, I'd say of a
Hey folks!
I published version 3.0.0 of Fedora Messaging this morning. It is a major
release, and the backwards-incompatible changes are:
- Queues created by the CLI are now non-durable, auto-deleted and
exclusive, as server-named queues are.
- It is no longer necessary to declare a queue in the
> Sorry for taking so long to reply. I'm afraid I don't check this mailing
> list as often as I should. :)
>
Totally fine, thanks for the reply!
> When I thought about that use case, I supposed it would be OK to
> instantiate the app and start the app context from within the script, as it
> would
>
> - we end up with many slightly different integrations, written by
>> different people or even the same person at different points in time.
>> Ironically, our attempt at avoiding tech debt has caused us more tech
>> debt.
>>
>
> One approach could be to build your data-models as a dedicated
Thanks for your input!
> 1. We're using a clustered database (CockroachDB, for those who care)
> that uses optimistic concurrency, so automatic transaction retries are
> a must, and we need control over how those retries are done.
>
Interesting, we don't use that, but then again we've recently
Hey folks!
I'd like to open a can of worms: SQLAlchemy integration in Flask. It's a
long read but I hope you'll like it. I try not to be on the ranty side.
First, some context: we have been plagued by tech debt for a very long
time, maybe more than other development projects because web tech has
Hey!
> I'm trying to write an application that is cloud native, that needs to
> be able to interact with the FAS for Fedora Account System User ID,
>
If you want to auth your users against FAS, the best way to go is OIDC
(OpenID Connect)
> also for Fedora Badges. I am writing this using
Hey folks!
I just released and deployed Noggin 1.4.0. Here are the release notes:
== Features ==
* Improve the display of group communication channels (IRC or Matrix)
(#309).
* Add the email address in the user’s profile (#568).
* Display the SSH public keys on the user’s profile (#676).
*
Hey everyone!
I just released and deployed FASJSON 1.3.0, it only contains a new feature
and a bugfix.
* Add some more user fields: github_username, gitlab_username, website, and
pronouns (#213).
* Respect the user's privacy setting on the search endpoint (#257).
This last item fixes an
> So, how about this: Just disable notifications there in #fedora-apps for
> now.
>
> If someone wants them (or a subset back), they can propose re-adding it
> there or in another channel?
>
Works for me! Thanks!
> > At the moment I get notified of my own
> > actions which is extra annoying.
>
> Yeah. But if you silent the notification channel, do those notices do
> any good?
>
I could decide to look at it when I'm waiting for something to finish, or
re-enable temporarily the notifications if I'm waiting
Yeah I see what you mean. I don't think IRC notifications are useless, but
if they are in a different channel I can set this channel to be silent even
on messages with my nickname. At the moment I get notified of my own
actions which is extra annoying.
The use case you described still generates
> > - either "dev", "devel", or "develop"
>
> Had a quick look, and there are over 50 already at "develop" as the
> main branch. -- most of the others are 'main' or 'master' -- so it
> looks like 'develop' is a bit of a standard already.
>
Alright. I think I've set up most of the projects that
Hey folks!
We currently have messages posted on the #fedora-apps and
#fedora-infrastructure IRC channels when there's a ticket change or a
pull-request change. I don't know about the infrastructure channel, but it
makes it difficult to have a development conversation in #fedora-apps, the
Hey folks!
> I think most of the repos just went with GitHub default, which recently
> changed from master to main.
> In Anitya and the-new-hotness I have:
> - master
> - staging
> - production
> The staging and production corresponds to deployment in OpenShift. This is
> why I named them like
> * Do we want to get noggin to be able to verify nicks first?
>
> How will the verification works?
>
We don't know yet. I was thinking of having an IRC bot that would get an
HTTP request from Noggin to verify a user, and would send a link with a JWT
token as a private message that the user
Hey folks!
I have released and deployed Noggin 1.2.0 to production a few minutes ago.
Here are the release notes:
Features
- Display the version in the page footer (#592).
- Allow sponsors to resign from their position in the group (#599).
- Disallow login and register with mixed-case usernames
Hey folks!
I have released and deployed FASJSON 1.1.0 to production a few minutes ago.
It's a small release, as you can see. I've also rebased the Openshift image
on F34 (it was on F32).
*Features:*
- Field mask support: request more or less object attributes with a HTTP
header (#144
Hey folks!
I have released and deployed Noggin 1.1.0 to production a few minutes
ago. Here are the release notes:
Features
- Add a verification step when enrolling a new OTP token (#422).
- The GPG key ID fields now refuse key IDs shorter than 16 characters,
and allow up to 40 characters (the
Hi!
> - fedora messaging - https://github.com/fedora-infra/fedora-messaging
Hmm, I don't think we're using PDC in fedora messaging, but I might be wrong.
Where did you find it?
A.
> > Just one note: I'm not sure how the token generation works in noggin, but
> > usually you get a few seconds to use the old code when the new one is
> > generated, but I just got invalid code when the new one was generated during
> > typing the old one.
>
> I guess this is a question for IPA
> Once it's merged and deployed, the tokens will only be enabled once
> users have proven that their app works, so it should cut down on those
> "I'm locked out" requests.
OK, it's merged and deployed on staging. If you folks want to test it
out, it's at
https://accounts.stg.fedoraproject.org/
> So, we have at least a half-dozen of these pending now. ;(
I have implemented a verification step for OTP tokens, it's currently
under review:
https://github.com/fedora-infra/noggin/pull/584
Once it's merged and deployed, the tokens will only be enabled once
users have proven that their app
> So technically you can have something like:
> - create OTP token and mark it disabled
> - show OTP token configuration details to a user
> - ask user for this token validation: enter a password and a value
> - enable token
> - verify token
> - if verification fails, disable the token again
Some
> > * Could we require someone enter their password + token before accepting
> > the token? ie, they try and enroll, ipa adds it, they have to verify, if
> > they can't, it's removed?
>
> This is _very_ common in other implementations.
Yeah, but there is no API in IPA to do that (we did consider
An update again!
We've sent an email to folks that have an account in both Fedora & CentOS but
registered with different email addresses. If that's your case, please choose
one address for both accounts, it'll help us migrate.
We are now in the middle of the final sprint for production
Hey folks!
Some update since last time:
- we re-ran the import script with the suggested optimisation, it was faster
but still took about 52 hours, so we'll run an incremental updater until we go
to prod. There are still ways we can cut down on the number of imported
accounts (not importing
Hey folks!
The AAA team would like to test a re-import of the accounts in staging. We
have learnt of a way to speed up the import significantly (20 times) and
we'd like to test it.
For that we'll need to remove all existing accounts and start from scratch.
It means that if you're currently
> Alexander Bokovoy created the feature
> https://github.com/SSSD/sssd/issues/5482. Once
> implemented you will be able to Kerberos check authentication indicators like
> OTP from a
> PAM service.
Yeah, this seems like the way to go, thanks.
> You have a couple of options to speed up migration
Hey folks!
As you've probably heard before, we're upgrading our authentication system to
something that is based on FreeIPA.
Here's a quick status report on that initiative. We're currently in an
integration phase, figuring out the smaller details of configuration and
infrastructure setup
> But yeah, I think if the fas sync is going to take a bit, perhaps we
> should disable the new account creation for now.
I've added the feature to disable registration yesterday, once it's
reviewed and merged I'll push it to the staging instance and disable
the registration. Thanks for pointing