21:00:18 <serpent> #startmeeting
21:00:18 <MeetBot> Meeting started Wed Feb 26 21:00:18 2020 UTC.  The chair is serpent. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:00:18 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
21:00:24 <zigo> hi o/
21:00:53 <waldi> hi
21:01:02 <serpent> Welcome in New Yaar :-) Our last meeting was in December 2019, so it's 2 months
21:01:10 <marcello^> hi there !
21:02:00 <serpent> Looking at our mailing list - Emmanuel is working on Vagrant
21:02:13 <serpent> Bastian started working on AWS user management
21:02:37 <serpent> We still don't have official AWS account - process is still stuck at SPI
21:02:56 <noahm> we have the account, but can't yet publish AMIs to the marketplace.
21:03:15 <noahm> The account is in use and all the buster AMIs are there and usable by any AWS customer
21:03:21 <serpent> Yes - we're still missing marketplace and gov aggreemeng
21:03:59 <serpent> #action I'll ping SPI again, either this week or beginning next week about that
21:04:01 <noahm> We're *so* close to being able to publish to the marketplace. SPI has given signoff, but apparently they want to actually be the ones to click the Accept button for the agreement, for some unknown reason.
21:04:44 <waldi> well. in the meantime they are not longer sure who are "they"
21:05:15 <noahm> afaik it's just tpot.
21:06:10 <serpent> Regardless - it's long time. I even got question about Buster images in my company, so I assume this is a bit confusing for ordinary people
21:06:11 <noahm> Anyway, we have had quite a few contacts about this, and it would be *really* nice to finally resolve it.
21:06:46 <serpent> And as we're so close, it would be nice to finish it
21:07:22 <noahm> It's a good thing I don't have admin access to the AWS account, I might just go click the button and then beg forgiveness from SPI. ;)
21:07:38 <serpent> :-)
21:08:16 <serpent> I also don't have admin access there ;-/ Not sure if it's worrying or safer this way
21:08:35 <serpent> Should we move to next topic? E.g. Image Finder?
21:08:43 <noahm> before we move on...
21:08:52 <noahm> is there anything we actually *can* do to move the process along?
21:09:09 <serpent> Not except for sending more emails
21:09:19 * noahm sets up a cron job...
21:09:29 <serpent> Who has acccess to our root account?
21:10:12 <noahm> waldi and ?
21:10:42 <waldi> currently me and zobel, as this are the ones i encrypted the files to. we never talked about it
21:11:21 <serpent> It's not really urgent, but IMO people from SPI and delegates should also have access
21:11:31 <serpent> Or at least ability to get access
21:11:52 * Mrfai nods
21:12:20 <serpent> I know that zobel is in SPI, but he was quite absent for last 3 months (which is worrying as he was supposed to drive marketplace agreement)
21:14:15 <serpent> #topic Delegates
21:14:30 <serpent> As we're on this topic...
21:14:51 <serpent> #action I'll send email to Sam reminding him about appointing more delegates.
21:15:13 <noahm> these are the delegates we agreed on at the MIT cloud sprint?
21:15:40 <serpent> Yes - me, MrFai and rvandegrift
21:15:46 <noahm> ok
21:16:05 <Mrfai> ok. next topic please
21:16:08 <serpent> Sam was busy recently, so response for my first email was to sent it later
21:16:15 <serpent> #topic Image Finder
21:16:38 <Mrfai> status?
21:16:43 <serpent> The most urgent IMO is putting information about images built on Salsa to database
21:16:51 <serpent> I don't think it's done
21:16:52 <zigo> Right.
21:17:10 <noahm> I don't even think we've settled on an approach to doing so.
21:17:28 <serpent> Not really - the only thing from sprint is that it should be done
21:17:35 <zigo> We need that, then 1/ make it so that it can work with MySQL
21:17:35 <zigo> 2/ Get the db sync stuff out of manage.py and provide a standalone /usr/bin tool.
21:17:43 <noahm> Is it going to be push based? Pull based? How are we going to handle auth?
21:18:54 <noahm> Is anybody actually planning on dedicating time to this in the next month?
21:19:14 <zigo> There's also still the problem that we need to figure out which image is really new (ie: with one package updated), so we don't pull silly daily images which would make the list of image just huge !
21:19:47 <noahm> I don't think we should look at the daily builds at all.
21:20:09 <noahm> The release builds are generated by a different salsa project, so they should be very easy to distinguish.
21:20:34 <Mrfai> Let's focus on the release builds for now
21:20:37 <marcello^> how often does a release build take place ?
21:20:44 <noahm> every point release
21:20:50 <serpent> Agreed. Let's start with something smaller and easier to manage
21:20:58 <noahm> plus usually for things like kernel security updates
21:21:12 <noahm> (things that require a reboot to take effect)
21:21:22 <marcello^> I see
21:21:59 <Mrfai> Will anybody work on importing data?
21:22:13 <noahm> I will plan on spending some time on this in the next month.
21:22:20 <Mrfai> great
21:22:24 <noahm> I'll post on the mailing list if I get anywhere.
21:22:28 <serpent> You mean existing data, taken from e.g. marketplace?
21:22:34 <Mrfai> I we have all info in the json files on cloud.d.org a simple pull can be used. No auth needed.
21:22:43 <noahm> serpent: no, salsa is the source of truth
21:22:51 <serpent> OK
21:23:01 <noahm> Mrfai: right, if we want to pull from there, we can, and that'll be fine.
21:23:14 <zigo> I'm still not satisfied on the way the tool is deployed, and this should be reworked, the way I wrote above.
21:23:23 <serpent> #info We only take image info from Salsa, no other soource is considered official
21:24:06 <noahm> zigo: I will look at that as well
21:24:12 <serpent> zigo: agreed, but IMO it does not make sense to make perfect setup for service publishing old data
21:24:33 <serpent> Unless we can work on this independently
21:24:34 <zigo> We're not talking about a "perfect setup" here, but something that will just not work.
21:24:34 <Mrfai> btw, is the cloud finder currently online?
21:24:56 <zigo> It runs in a docker, and if it fails, I simply have no idea how to bring it back online.
21:25:16 <zigo> I want the image finder to be properly packaged and easy to deploy, maybe with some ansible / puppet.
21:25:17 <serpent> Then I agree this is problem
21:25:23 <zigo> Otherwise, I don't think it's sustainable.
21:25:24 <noahm> Mrfai: I don't think so.
21:25:28 <zigo> Please don't take it lightly.
21:26:10 <noahm> zigo: I'm not sure I agree. A docker container likely has far fewer moving parts than something managed by ansible or puppet.
21:26:34 <zigo> noahm: Not really, it's pulling from pypi right now ...
21:26:38 <Mrfai> http://image-finder.debian.net/ currently only shows an apache under construction page
21:26:40 <zigo> It's not reproducible.
21:26:45 <noahm> zigo: yeah, that's not good
21:26:59 <zigo> Oh ...
21:27:03 <zigo> Well, it used to work ! :)
21:27:05 <waldi> pypi is reproducible
21:27:45 <noahm> It depends on when it's pulling from pypi, really; if it's during the container image build, then it's probably ok.
21:27:52 <noahm> If it's during startup... then that would be bad.
21:27:53 <zigo> waldi: I saw really a lot of hacks based on pypi, I'm sure we can do so many things with it, but that's IMO off topic.
21:28:14 <noahm> zigo: agreed, let's move on.
21:28:25 <zigo> For the image-finder being broken right now, well ... I didn't know and just discover it now ! :)
21:28:26 <zigo> :(
21:28:41 <zigo> Anyway, since it has old data in it only, it wasn't very valuable.
21:28:43 <noahm> it's got stale data anyway, right? So it's just a demo more than anything else.
21:29:04 <zigo> Does anyone know if Arturo has some time available, btw?
21:29:18 <zigo> noahm: Correct !
21:29:24 <serpent> But without at least something running, we cannot work on importing new images to it
21:29:25 <zigo> And we need to figure out how to make it fetch data.
21:29:30 <zigo> Right now, I have no idea how ...
21:29:48 <noahm> Given that we haven't heard or seen anything from him, I'm guessing he has no time. Which is why I am volunteering to work on this.
21:29:52 <serpent> Accoring to Arthur there is some API to use.
21:30:03 <serpent> Or we could just insert data into database
21:30:17 <zigo> serpent: Yeah, but same, we have no idea how, documentation is missing there too.
21:31:05 <zigo> So anyway, that's the state of things for the image-finder...
21:31:13 <zigo> Let's move on? :)
21:31:23 <serpent> #info Arthur sent email with link to some documentation: https://cloud-team.pages.debian.net/image-finder/
21:31:36 <zigo> noahm: If you're volunteering, I'd happily work with you on this.
21:32:15 <noahm> ok. I'll first just spend some time familiarizing myself with the existing implementation.
21:35:35 <serpent> Should we move to next topic?
21:35:40 <Mrfai> yes
21:35:42 <noahm> yes
21:35:49 <serpent> if so - which one? AWS user accounts (waldi) or Vagrant?
21:36:13 <marcello^> I can talk about Vagrant
21:36:19 <serpent> OK
21:36:25 <serpent> #topic Vagrant
21:37:05 <marcello^> so I have started to move some of the work from the vagrant-boxes repo on salsa to debian-cloud-images, to use FAI instead of packer
21:37:05 <serpent> So what's the status? Do you have plans or need help?
21:37:41 <marcello^> I think around a third of the work is done
21:37:47 <serpent> Cool!
21:37:53 <marcello^> I have this open merge request: https://salsa.debian.org/cloud-team/debian-cloud-images/-/merge_requests/186
21:38:43 <serpent> I can see you're disussing this with waldi
21:38:49 <marcello^> I would prefer if someone can review my work in the beginning and then I can commit directly, as I mostly will touch my own FAI classes
21:39:00 <marcello^> yes waldi is reviewing :)
21:39:06 <noahm> I'll take a look at that, as well. We should get it into the daily pipeline as well.
21:39:22 <marcello^> noahm: thank you.
21:39:28 <waldi> i opened issues for the tasks
21:39:36 <marcello^> What is the daily pipeline ?
21:40:01 <serpent> Salsa job to build daily images
21:40:06 <noahm> marcello^: https://salsa.debian.org/cloud-admin-team/debian-cloud-images-daily builds cloud images daily using GitLab CI
21:40:17 <serpent> We discussed it shortly regarding image finder
21:40:21 <marcello^> noahm: thanks.
21:40:21 <noahm> for buster, bullseye, and sid.
21:40:33 <waldi> #info issues for vagrant support https://salsa.debian.org/cloud-team/debian-cloud-images/issues/18
21:40:36 <serpent> Basically it's good way of testing our images
21:41:31 <marcello^> I am not 100% sure of the overlap of Vagrant and cloud images, but I will try :)
21:41:50 <marcello^> other question, what do I have to do to make the Vagrant boxes official ?
21:42:16 <marcello^> the stuff here: https://app.vagrantup.com/debian/
21:42:17 <waldi> does someone have a running ubuntu system and can take a look if they still build ssh keys during boot?
21:42:21 <serpent> marcello^: initial idea was to try also with cd images, so don't worry about scope or overlap :-)
21:43:30 <marcello^> waldi: are you talking about Ubuntu Vagrant box specifically or general Ubuntu ?
21:43:44 <waldi> general ubuntu
21:44:17 <waldi> the hashicorp ubuntu vagrant boxes are darn weird, they include multiple kernel version
21:45:11 <marcello^> the hashicorp ubuntu boxes are to be forgotten I think, but Ubuntu has their own, you can download them amount their cloud images IIRC
21:45:37 <marcello^> s/amount/amongst/
21:46:20 <waldi> #action waldi continue working with marcello^ on vagrant build
21:46:37 <marcello^> ok I don't have anything more on the topic, noah if you activate the daily build I'd be happy to see it
21:47:06 <noahm> once we get your MR merged, I'll look at that.
21:47:12 <Mrfai> marcello^: If there's anything FAI related, just ask me
21:48:10 <marcello^> Mrfai: I'll sure have some questions, I'll probably ask on Debian cloud ML if that's fine for you
21:48:38 <Mrfai> yes, or just write me personally
21:49:32 <serpent> Should we move to next topic?
21:49:44 <marcello^> marcello^: yes
21:49:50 <noahm> yep
21:50:07 <serpent> So - AWS user accounts (via Salsa) or DebConf?
21:50:17 <serpent> CFP was just announced
21:50:35 <serpent> Is it too early to discuss it yet?
21:50:56 <noahm> I think it's reasonably to agree that we should talk about something there. ;)
21:51:03 <noahm> *reasonable
21:51:46 <noahm> I hope to attend, and would be interested in presenting something, as well as having a BoF
21:51:50 <serpent> Yes. It looks like I won't come there (work related conflict)
21:52:10 <serpent> #topic DebConf
21:53:49 <rvandegrift> not 100% sure yet, but I probably have a conflict too
21:54:24 <Mrfai> I'll try to come
21:54:24 <zigo> I've attended all debconf since 2011, but wont come this year.
21:54:40 <serpent> I guess we'll need to return to this closer to registration period
21:55:28 <zigo> I'd be ok attending a BoF remotely, if that can be setup.
21:56:14 <serpent> We'll try to do it - a bit like we did during first and second sprint (IRC, maybe something more)
21:56:29 <noahm> tangentially related: I don't suppose anybody is attending SCALE next week, are they?
21:56:42 <serpent> #idea Ability for remove BoF attendance
21:56:56 <waldi> removeā€¦
21:57:12 <serpent> Sorry: s/remove/remote/
21:57:41 <serpent> It's not Freudian slip :-)
21:58:06 <serpent> It's almost 1h - should we discuss something more, or finish?
21:58:55 <zigo> Yeah.
21:58:57 <zigo> cloud-utils
21:59:10 <serpent> #topic cloud-utils
21:59:14 <zigo> noahm: Looks like we have another good candidate for a buster update, no?
21:59:19 <noahm> yes, we do
21:59:29 <zigo> Will you take care of it?
21:59:36 <noahm> though afaik even upstream hasn't added IMDSv2 support there yet.
21:59:42 <noahm> Yes, I plan on working on it.
21:59:48 <zigo> I'm also worried that we're getting no reply from the release team for cloud-init. Worried, but kind of not surprised ... :(
22:00:15 <noahm> yeah, I will prepare a 19.4 upload for stable and test that, then bug the release team again.
22:00:36 <noahm> IMDSv2 support will likely impact other cloud SDKs (e.g. for Ruby, Go, Python, etc)
22:00:47 <waldi> zigo: well, you ignored what they said for bug reports: include the diff
22:00:51 <zigo> I've opened already maybe half a dozen bug for openstack related updates too, so it'd be nice if someone else than me was bugging them indeed.
22:00:58 <zigo> Oh...
22:01:03 <zigo> waldi: I just didn't see it.
22:02:06 <noahm> many of the packages that need updates for IMDSv2 are not owned by the cloud-team.  Somebody (probably me) should engage with the maintainers and look at backporting that support to the stable versions.
22:02:08 <zigo> waldi: There's no such request in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947351
22:02:27 <zigo> noahm: What packages are we talking about?
22:03:29 <noahm> python-boto, golang-github-aws-aws-sdk-go-dev, awscli, ruby-aws-sdk
22:03:35 <noahm> etc
22:03:43 <zigo> Oh, so quite a bunch ... :/
22:04:07 <noahm> it's specifically an AWS feature, so people who don't care about AWS won't be impacted (i.e. OpenStack)
22:04:27 <noahm> But AWS customers who want to enable that feature will find that a lot of things break in stable today.
22:05:12 <noahm> If you don't turn on IMDSv2, then everything still works fine, but some people will likely want it.
22:05:28 <waldi> noahm: how long until it get mandatory?
22:05:37 <noahm> I don't know that it will ever be mandatory.
22:06:09 <noahm> I'll send mail to debian-cloud with more details.
22:07:11 <serpent> noahm thanks, we can discuss it more fully there
22:07:15 <noahm> Bug #952563 contains some background and links.
22:09:10 <waldi> serpent: something more? you brought up aws users, do you want to know something about it?
22:09:42 <serpent> If you have something new (more than what you wrote in email) we could discuss it
22:09:53 <serpent> Otherwise - let's slowly finish it
22:10:43 <waldi> noahm: i don't think there are news on those further aws accounts?
22:10:56 <noahm> davdunc: are you here? ^^^
22:11:03 <davdunc> I am .
22:11:07 <noahm> I nagged davdunc about them last week. And again just now. ;)
22:11:30 <davdunc> :D there has been a modification in the way the accounts work.
22:11:48 <davdunc> it has slowed me down because i have some cleanup to do with the business team.
22:12:07 <davdunc> moved from linked to aws organizations.
22:12:21 <davdunc> I will keep you posted.
22:13:06 <serpent> Thanks. Should we test it a bit?
22:13:22 <waldi> test what?
22:13:45 <serpent> https://awsauth.debian.net/
22:13:56 <serpent> I haven't yet tried to login using this link
22:14:03 <waldi> you can try. but you won't get far
22:14:41 <serpent> ok, then send info to ML when it makes sense to try to login
22:15:27 <waldi> so noone sees problems with that approach?
22:15:57 <noahm> it looks good to me.
22:16:14 <serpent> You mean that we use Salsa as identity provider? I'm OK with that, especially if also 2FA is used
22:16:21 <serpent> Can we check that?
22:16:59 <noahm> waldi: to be clear, the ultimate goal is to be able to open up cloud resources to DDs?
22:17:37 <rvandegrift> it sounded good to me
22:17:49 <noahm> serpent: I have one more short topic when we're done with AWS/salsa auth stuff
22:18:10 <waldi> no, the ultimate goal is to allow other teams, for example the qa people, to specify users with access to their resources without our intervention
22:18:32 <noahm> waldi: that's basically what I meant. :)
22:18:52 <serpent> noahm your topic?
22:19:11 <noahm> The AWS CloudFront archive mirror
22:19:21 <waldi> noahm: ah, i missread you
22:19:28 <serpent> #topic CloudFront mirror
22:19:49 <noahm> cdn-aws.deb.debian.org is the default apt source in EC2.
22:20:01 <noahm> It lives in JEB's account (the legacy AWS account)
22:20:26 <noahm> I have contacted him about rebuilding it in one of the newer accounts.
22:20:50 <noahm> He sounds generally supportive of the idea, since he has very little time to devote to it.
22:21:37 <noahm> There is also some possibility that AWS itself will be willing to offer Debian archive services, and I'll follow up on that internally.
22:21:37 <serpent> So I guess we need manpower to do it?
22:22:11 <noahm> well, at the very least, I am sure that I have more time to devote to this than JEB does.
22:22:17 <noahm> But I don't know how much is involved.
22:22:39 <waldi> noahm: i really would like to use a separate accounts for the different projects, one of them the mirror stuff. this however is someone in limbo
22:23:01 <noahm> waldi: agreed. this isn't something that could happen immediately anyway.
22:23:35 <serpent> waldi: you created many accounts during sprint. Was it for supporting different needs, like those mirrors?
22:23:42 <waldi> serpent: yes
22:24:12 <waldi> each part project can get it's own account, so we don't need to share and make sure the resources don't conflict
22:24:40 <serpent> So we need first to see what needs to be set up, and then decide how to set up
22:26:01 <serpent> noahm: anything for us to do, or will you send info to ML when more is known
22:26:35 <noahm> Nothing for us to do now.  I'll keep in touch with JEB and the rest of the team
22:26:43 <serpent> Thanks.
22:26:47 <noahm> and will send an update when there's something substantial to say
22:26:59 <noahm> Just wanted to make sure people knew about it.
22:27:08 <serpent> Really thanks
22:28:19 <serpent> Unless there is anything urgent, I propose finishing. It's late and I'm getting tired.
22:28:33 <serpent> And don't want to sleep on keyboard :-)
22:28:38 <marcello^> me too, let's finish
22:28:38 <Mrfai> yes, let's finish
22:28:42 <zigo> I think it's done.
22:28:44 <zigo> Just one more thing ...
22:28:56 <zigo> Next meeting will be after dailight saving change, no?
22:29:09 <zigo> dailight
22:29:12 <zigo> daylight
22:29:14 <zigo> grrr...
22:29:30 <serpent> March? If we do it in last week, probably. If earlier, before daylight saving time
22:29:36 <zigo> So, should we keep the same time, meaning one hour less for UTC ?
22:29:41 <serpent> #topic next meeting
22:30:03 <serpent> You mean - let's keep 22:00 CET/CEST?
22:30:09 <serpent> And update UTC as needed?
22:30:09 <zigo> Yeah !
22:30:17 <serpent> Any objections?
22:30:19 <zigo> If everyone agrees ...
22:30:28 <noahm> No objection here. I am OK with an hour in either direction.
22:30:29 <waldi> for me it's currently a bit late
22:30:50 <waldi> but after DST it should fit for now
22:30:58 <marcello^> for me too, I would prefer one hour earlier
22:31:15 <rvandegrift> either is okay with me
22:31:40 <Mrfai> i'm fine with all +1, -1 or stay at same time
22:32:05 <serpent> zigo - are you open to have meeting one hour earlier?
22:32:20 <zigo> It's hard for me to be there, because of kids ...
22:32:32 <zigo> We could do 30 mins earlier though ? :)
22:33:08 <serpent> OK - let's try 25th of March on 21:30 CET
22:33:16 <zigo> +1
22:33:19 <marcello^> +1
22:33:25 <serpent> #action I'll send email about that
22:33:54 <serpent> And sumary of this meeting - but most probaly at beginning of next week (i.e. 2-4th of March)
22:34:03 <serpent> #endmeeting