21:00:18 <serpent> #startmeeting 21:00:18 <MeetBot> Meeting started Wed Feb 26 21:00:18 2020 UTC. The chair is serpent. Information about MeetBot at http://wiki.debian.org/MeetBot. 21:00:18 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 21:00:24 <zigo> hi o/ 21:00:53 <waldi> hi 21:01:02 <serpent> Welcome in New Yaar :-) Our last meeting was in December 2019, so it's 2 months 21:01:10 <marcello^> hi there ! 21:02:00 <serpent> Looking at our mailing list - Emmanuel is working on Vagrant 21:02:13 <serpent> Bastian started working on AWS user management 21:02:37 <serpent> We still don't have official AWS account - process is still stuck at SPI 21:02:56 <noahm> we have the account, but can't yet publish AMIs to the marketplace. 21:03:15 <noahm> The account is in use and all the buster AMIs are there and usable by any AWS customer 21:03:21 <serpent> Yes - we're still missing marketplace and gov aggreemeng 21:03:59 <serpent> #action I'll ping SPI again, either this week or beginning next week about that 21:04:01 <noahm> We're *so* close to being able to publish to the marketplace. SPI has given signoff, but apparently they want to actually be the ones to click the Accept button for the agreement, for some unknown reason. 21:04:44 <waldi> well. in the meantime they are not longer sure who are "they" 21:05:15 <noahm> afaik it's just tpot. 21:06:10 <serpent> Regardless - it's long time. I even got question about Buster images in my company, so I assume this is a bit confusing for ordinary people 21:06:11 <noahm> Anyway, we have had quite a few contacts about this, and it would be *really* nice to finally resolve it. 21:06:46 <serpent> And as we're so close, it would be nice to finish it 21:07:22 <noahm> It's a good thing I don't have admin access to the AWS account, I might just go click the button and then beg forgiveness from SPI. ;) 21:07:38 <serpent> :-) 21:08:16 <serpent> I also don't have admin access there ;-/ Not sure if it's worrying or safer this way 21:08:35 <serpent> Should we move to next topic? E.g. Image Finder? 21:08:43 <noahm> before we move on... 21:08:52 <noahm> is there anything we actually *can* do to move the process along? 21:09:09 <serpent> Not except for sending more emails 21:09:19 * noahm sets up a cron job... 21:09:29 <serpent> Who has acccess to our root account? 21:10:12 <noahm> waldi and ? 21:10:42 <waldi> currently me and zobel, as this are the ones i encrypted the files to. we never talked about it 21:11:21 <serpent> It's not really urgent, but IMO people from SPI and delegates should also have access 21:11:31 <serpent> Or at least ability to get access 21:11:52 * Mrfai nods 21:12:20 <serpent> I know that zobel is in SPI, but he was quite absent for last 3 months (which is worrying as he was supposed to drive marketplace agreement) 21:14:15 <serpent> #topic Delegates 21:14:30 <serpent> As we're on this topic... 21:14:51 <serpent> #action I'll send email to Sam reminding him about appointing more delegates. 21:15:13 <noahm> these are the delegates we agreed on at the MIT cloud sprint? 21:15:40 <serpent> Yes - me, MrFai and rvandegrift 21:15:46 <noahm> ok 21:16:05 <Mrfai> ok. next topic please 21:16:08 <serpent> Sam was busy recently, so response for my first email was to sent it later 21:16:15 <serpent> #topic Image Finder 21:16:38 <Mrfai> status? 21:16:43 <serpent> The most urgent IMO is putting information about images built on Salsa to database 21:16:51 <serpent> I don't think it's done 21:16:52 <zigo> Right. 21:17:10 <noahm> I don't even think we've settled on an approach to doing so. 21:17:28 <serpent> Not really - the only thing from sprint is that it should be done 21:17:35 <zigo> We need that, then 1/ make it so that it can work with MySQL 21:17:35 <zigo> 2/ Get the db sync stuff out of manage.py and provide a standalone /usr/bin tool. 21:17:43 <noahm> Is it going to be push based? Pull based? How are we going to handle auth? 21:18:54 <noahm> Is anybody actually planning on dedicating time to this in the next month? 21:19:14 <zigo> There's also still the problem that we need to figure out which image is really new (ie: with one package updated), so we don't pull silly daily images which would make the list of image just huge ! 21:19:47 <noahm> I don't think we should look at the daily builds at all. 21:20:09 <noahm> The release builds are generated by a different salsa project, so they should be very easy to distinguish. 21:20:34 <Mrfai> Let's focus on the release builds for now 21:20:37 <marcello^> how often does a release build take place ? 21:20:44 <noahm> every point release 21:20:50 <serpent> Agreed. Let's start with something smaller and easier to manage 21:20:58 <noahm> plus usually for things like kernel security updates 21:21:12 <noahm> (things that require a reboot to take effect) 21:21:22 <marcello^> I see 21:21:59 <Mrfai> Will anybody work on importing data? 21:22:13 <noahm> I will plan on spending some time on this in the next month. 21:22:20 <Mrfai> great 21:22:24 <noahm> I'll post on the mailing list if I get anywhere. 21:22:28 <serpent> You mean existing data, taken from e.g. marketplace? 21:22:34 <Mrfai> I we have all info in the json files on cloud.d.org a simple pull can be used. No auth needed. 21:22:43 <noahm> serpent: no, salsa is the source of truth 21:22:51 <serpent> OK 21:23:01 <noahm> Mrfai: right, if we want to pull from there, we can, and that'll be fine. 21:23:14 <zigo> I'm still not satisfied on the way the tool is deployed, and this should be reworked, the way I wrote above. 21:23:23 <serpent> #info We only take image info from Salsa, no other soource is considered official 21:24:06 <noahm> zigo: I will look at that as well 21:24:12 <serpent> zigo: agreed, but IMO it does not make sense to make perfect setup for service publishing old data 21:24:33 <serpent> Unless we can work on this independently 21:24:34 <zigo> We're not talking about a "perfect setup" here, but something that will just not work. 21:24:34 <Mrfai> btw, is the cloud finder currently online? 21:24:56 <zigo> It runs in a docker, and if it fails, I simply have no idea how to bring it back online. 21:25:16 <zigo> I want the image finder to be properly packaged and easy to deploy, maybe with some ansible / puppet. 21:25:17 <serpent> Then I agree this is problem 21:25:23 <zigo> Otherwise, I don't think it's sustainable. 21:25:24 <noahm> Mrfai: I don't think so. 21:25:28 <zigo> Please don't take it lightly. 21:26:10 <noahm> zigo: I'm not sure I agree. A docker container likely has far fewer moving parts than something managed by ansible or puppet. 21:26:34 <zigo> noahm: Not really, it's pulling from pypi right now ... 21:26:38 <Mrfai> http://image-finder.debian.net/ currently only shows an apache under construction page 21:26:40 <zigo> It's not reproducible. 21:26:45 <noahm> zigo: yeah, that's not good 21:26:59 <zigo> Oh ... 21:27:03 <zigo> Well, it used to work ! :) 21:27:05 <waldi> pypi is reproducible 21:27:45 <noahm> It depends on when it's pulling from pypi, really; if it's during the container image build, then it's probably ok. 21:27:52 <noahm> If it's during startup... then that would be bad. 21:27:53 <zigo> waldi: I saw really a lot of hacks based on pypi, I'm sure we can do so many things with it, but that's IMO off topic. 21:28:14 <noahm> zigo: agreed, let's move on. 21:28:25 <zigo> For the image-finder being broken right now, well ... I didn't know and just discover it now ! :) 21:28:26 <zigo> :( 21:28:41 <zigo> Anyway, since it has old data in it only, it wasn't very valuable. 21:28:43 <noahm> it's got stale data anyway, right? So it's just a demo more than anything else. 21:29:04 <zigo> Does anyone know if Arturo has some time available, btw? 21:29:18 <zigo> noahm: Correct ! 21:29:24 <serpent> But without at least something running, we cannot work on importing new images to it 21:29:25 <zigo> And we need to figure out how to make it fetch data. 21:29:30 <zigo> Right now, I have no idea how ... 21:29:48 <noahm> Given that we haven't heard or seen anything from him, I'm guessing he has no time. Which is why I am volunteering to work on this. 21:29:52 <serpent> Accoring to Arthur there is some API to use. 21:30:03 <serpent> Or we could just insert data into database 21:30:17 <zigo> serpent: Yeah, but same, we have no idea how, documentation is missing there too. 21:31:05 <zigo> So anyway, that's the state of things for the image-finder... 21:31:13 <zigo> Let's move on? :) 21:31:23 <serpent> #info Arthur sent email with link to some documentation: https://cloud-team.pages.debian.net/image-finder/ 21:31:36 <zigo> noahm: If you're volunteering, I'd happily work with you on this. 21:32:15 <noahm> ok. I'll first just spend some time familiarizing myself with the existing implementation. 21:35:35 <serpent> Should we move to next topic? 21:35:40 <Mrfai> yes 21:35:42 <noahm> yes 21:35:49 <serpent> if so - which one? AWS user accounts (waldi) or Vagrant? 21:36:13 <marcello^> I can talk about Vagrant 21:36:19 <serpent> OK 21:36:25 <serpent> #topic Vagrant 21:37:05 <marcello^> so I have started to move some of the work from the vagrant-boxes repo on salsa to debian-cloud-images, to use FAI instead of packer 21:37:05 <serpent> So what's the status? Do you have plans or need help? 21:37:41 <marcello^> I think around a third of the work is done 21:37:47 <serpent> Cool! 21:37:53 <marcello^> I have this open merge request: https://salsa.debian.org/cloud-team/debian-cloud-images/-/merge_requests/186 21:38:43 <serpent> I can see you're disussing this with waldi 21:38:49 <marcello^> I would prefer if someone can review my work in the beginning and then I can commit directly, as I mostly will touch my own FAI classes 21:39:00 <marcello^> yes waldi is reviewing :) 21:39:06 <noahm> I'll take a look at that, as well. We should get it into the daily pipeline as well. 21:39:22 <marcello^> noahm: thank you. 21:39:28 <waldi> i opened issues for the tasks 21:39:36 <marcello^> What is the daily pipeline ? 21:40:01 <serpent> Salsa job to build daily images 21:40:06 <noahm> marcello^: https://salsa.debian.org/cloud-admin-team/debian-cloud-images-daily builds cloud images daily using GitLab CI 21:40:17 <serpent> We discussed it shortly regarding image finder 21:40:21 <marcello^> noahm: thanks. 21:40:21 <noahm> for buster, bullseye, and sid. 21:40:33 <waldi> #info issues for vagrant support https://salsa.debian.org/cloud-team/debian-cloud-images/issues/18 21:40:36 <serpent> Basically it's good way of testing our images 21:41:31 <marcello^> I am not 100% sure of the overlap of Vagrant and cloud images, but I will try :) 21:41:50 <marcello^> other question, what do I have to do to make the Vagrant boxes official ? 21:42:16 <marcello^> the stuff here: https://app.vagrantup.com/debian/ 21:42:17 <waldi> does someone have a running ubuntu system and can take a look if they still build ssh keys during boot? 21:42:21 <serpent> marcello^: initial idea was to try also with cd images, so don't worry about scope or overlap :-) 21:43:30 <marcello^> waldi: are you talking about Ubuntu Vagrant box specifically or general Ubuntu ? 21:43:44 <waldi> general ubuntu 21:44:17 <waldi> the hashicorp ubuntu vagrant boxes are darn weird, they include multiple kernel version 21:45:11 <marcello^> the hashicorp ubuntu boxes are to be forgotten I think, but Ubuntu has their own, you can download them amount their cloud images IIRC 21:45:37 <marcello^> s/amount/amongst/ 21:46:20 <waldi> #action waldi continue working with marcello^ on vagrant build 21:46:37 <marcello^> ok I don't have anything more on the topic, noah if you activate the daily build I'd be happy to see it 21:47:06 <noahm> once we get your MR merged, I'll look at that. 21:47:12 <Mrfai> marcello^: If there's anything FAI related, just ask me 21:48:10 <marcello^> Mrfai: I'll sure have some questions, I'll probably ask on Debian cloud ML if that's fine for you 21:48:38 <Mrfai> yes, or just write me personally 21:49:32 <serpent> Should we move to next topic? 21:49:44 <marcello^> marcello^: yes 21:49:50 <noahm> yep 21:50:07 <serpent> So - AWS user accounts (via Salsa) or DebConf? 21:50:17 <serpent> CFP was just announced 21:50:35 <serpent> Is it too early to discuss it yet? 21:50:56 <noahm> I think it's reasonably to agree that we should talk about something there. ;) 21:51:03 <noahm> *reasonable 21:51:46 <noahm> I hope to attend, and would be interested in presenting something, as well as having a BoF 21:51:50 <serpent> Yes. It looks like I won't come there (work related conflict) 21:52:10 <serpent> #topic DebConf 21:53:49 <rvandegrift> not 100% sure yet, but I probably have a conflict too 21:54:24 <Mrfai> I'll try to come 21:54:24 <zigo> I've attended all debconf since 2011, but wont come this year. 21:54:40 <serpent> I guess we'll need to return to this closer to registration period 21:55:28 <zigo> I'd be ok attending a BoF remotely, if that can be setup. 21:56:14 <serpent> We'll try to do it - a bit like we did during first and second sprint (IRC, maybe something more) 21:56:29 <noahm> tangentially related: I don't suppose anybody is attending SCALE next week, are they? 21:56:42 <serpent> #idea Ability for remove BoF attendance 21:56:56 <waldi> removeā¦ 21:57:12 <serpent> Sorry: s/remove/remote/ 21:57:41 <serpent> It's not Freudian slip :-) 21:58:06 <serpent> It's almost 1h - should we discuss something more, or finish? 21:58:55 <zigo> Yeah. 21:58:57 <zigo> cloud-utils 21:59:10 <serpent> #topic cloud-utils 21:59:14 <zigo> noahm: Looks like we have another good candidate for a buster update, no? 21:59:19 <noahm> yes, we do 21:59:29 <zigo> Will you take care of it? 21:59:36 <noahm> though afaik even upstream hasn't added IMDSv2 support there yet. 21:59:42 <noahm> Yes, I plan on working on it. 21:59:48 <zigo> I'm also worried that we're getting no reply from the release team for cloud-init. Worried, but kind of not surprised ... :( 22:00:15 <noahm> yeah, I will prepare a 19.4 upload for stable and test that, then bug the release team again. 22:00:36 <noahm> IMDSv2 support will likely impact other cloud SDKs (e.g. for Ruby, Go, Python, etc) 22:00:47 <waldi> zigo: well, you ignored what they said for bug reports: include the diff 22:00:51 <zigo> I've opened already maybe half a dozen bug for openstack related updates too, so it'd be nice if someone else than me was bugging them indeed. 22:00:58 <zigo> Oh... 22:01:03 <zigo> waldi: I just didn't see it. 22:02:06 <noahm> many of the packages that need updates for IMDSv2 are not owned by the cloud-team. Somebody (probably me) should engage with the maintainers and look at backporting that support to the stable versions. 22:02:08 <zigo> waldi: There's no such request in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947351 22:02:27 <zigo> noahm: What packages are we talking about? 22:03:29 <noahm> python-boto, golang-github-aws-aws-sdk-go-dev, awscli, ruby-aws-sdk 22:03:35 <noahm> etc 22:03:43 <zigo> Oh, so quite a bunch ... :/ 22:04:07 <noahm> it's specifically an AWS feature, so people who don't care about AWS won't be impacted (i.e. OpenStack) 22:04:27 <noahm> But AWS customers who want to enable that feature will find that a lot of things break in stable today. 22:05:12 <noahm> If you don't turn on IMDSv2, then everything still works fine, but some people will likely want it. 22:05:28 <waldi> noahm: how long until it get mandatory? 22:05:37 <noahm> I don't know that it will ever be mandatory. 22:06:09 <noahm> I'll send mail to debian-cloud with more details. 22:07:11 <serpent> noahm thanks, we can discuss it more fully there 22:07:15 <noahm> Bug #952563 contains some background and links. 22:09:10 <waldi> serpent: something more? you brought up aws users, do you want to know something about it? 22:09:42 <serpent> If you have something new (more than what you wrote in email) we could discuss it 22:09:53 <serpent> Otherwise - let's slowly finish it 22:10:43 <waldi> noahm: i don't think there are news on those further aws accounts? 22:10:56 <noahm> davdunc: are you here? ^^^ 22:11:03 <davdunc> I am . 22:11:07 <noahm> I nagged davdunc about them last week. And again just now. ;) 22:11:30 <davdunc> :D there has been a modification in the way the accounts work. 22:11:48 <davdunc> it has slowed me down because i have some cleanup to do with the business team. 22:12:07 <davdunc> moved from linked to aws organizations. 22:12:21 <davdunc> I will keep you posted. 22:13:06 <serpent> Thanks. Should we test it a bit? 22:13:22 <waldi> test what? 22:13:45 <serpent> https://awsauth.debian.net/ 22:13:56 <serpent> I haven't yet tried to login using this link 22:14:03 <waldi> you can try. but you won't get far 22:14:41 <serpent> ok, then send info to ML when it makes sense to try to login 22:15:27 <waldi> so noone sees problems with that approach? 22:15:57 <noahm> it looks good to me. 22:16:14 <serpent> You mean that we use Salsa as identity provider? I'm OK with that, especially if also 2FA is used 22:16:21 <serpent> Can we check that? 22:16:59 <noahm> waldi: to be clear, the ultimate goal is to be able to open up cloud resources to DDs? 22:17:37 <rvandegrift> it sounded good to me 22:17:49 <noahm> serpent: I have one more short topic when we're done with AWS/salsa auth stuff 22:18:10 <waldi> no, the ultimate goal is to allow other teams, for example the qa people, to specify users with access to their resources without our intervention 22:18:32 <noahm> waldi: that's basically what I meant. :) 22:18:52 <serpent> noahm your topic? 22:19:11 <noahm> The AWS CloudFront archive mirror 22:19:21 <waldi> noahm: ah, i missread you 22:19:28 <serpent> #topic CloudFront mirror 22:19:49 <noahm> cdn-aws.deb.debian.org is the default apt source in EC2. 22:20:01 <noahm> It lives in JEB's account (the legacy AWS account) 22:20:26 <noahm> I have contacted him about rebuilding it in one of the newer accounts. 22:20:50 <noahm> He sounds generally supportive of the idea, since he has very little time to devote to it. 22:21:37 <noahm> There is also some possibility that AWS itself will be willing to offer Debian archive services, and I'll follow up on that internally. 22:21:37 <serpent> So I guess we need manpower to do it? 22:22:11 <noahm> well, at the very least, I am sure that I have more time to devote to this than JEB does. 22:22:17 <noahm> But I don't know how much is involved. 22:22:39 <waldi> noahm: i really would like to use a separate accounts for the different projects, one of them the mirror stuff. this however is someone in limbo 22:23:01 <noahm> waldi: agreed. this isn't something that could happen immediately anyway. 22:23:35 <serpent> waldi: you created many accounts during sprint. Was it for supporting different needs, like those mirrors? 22:23:42 <waldi> serpent: yes 22:24:12 <waldi> each part project can get it's own account, so we don't need to share and make sure the resources don't conflict 22:24:40 <serpent> So we need first to see what needs to be set up, and then decide how to set up 22:26:01 <serpent> noahm: anything for us to do, or will you send info to ML when more is known 22:26:35 <noahm> Nothing for us to do now. I'll keep in touch with JEB and the rest of the team 22:26:43 <serpent> Thanks. 22:26:47 <noahm> and will send an update when there's something substantial to say 22:26:59 <noahm> Just wanted to make sure people knew about it. 22:27:08 <serpent> Really thanks 22:28:19 <serpent> Unless there is anything urgent, I propose finishing. It's late and I'm getting tired. 22:28:33 <serpent> And don't want to sleep on keyboard :-) 22:28:38 <marcello^> me too, let's finish 22:28:38 <Mrfai> yes, let's finish 22:28:42 <zigo> I think it's done. 22:28:44 <zigo> Just one more thing ... 22:28:56 <zigo> Next meeting will be after dailight saving change, no? 22:29:09 <zigo> dailight 22:29:12 <zigo> daylight 22:29:14 <zigo> grrr... 22:29:30 <serpent> March? If we do it in last week, probably. If earlier, before daylight saving time 22:29:36 <zigo> So, should we keep the same time, meaning one hour less for UTC ? 22:29:41 <serpent> #topic next meeting 22:30:03 <serpent> You mean - let's keep 22:00 CET/CEST? 22:30:09 <serpent> And update UTC as needed? 22:30:09 <zigo> Yeah ! 22:30:17 <serpent> Any objections? 22:30:19 <zigo> If everyone agrees ... 22:30:28 <noahm> No objection here. I am OK with an hour in either direction. 22:30:29 <waldi> for me it's currently a bit late 22:30:50 <waldi> but after DST it should fit for now 22:30:58 <marcello^> for me too, I would prefer one hour earlier 22:31:15 <rvandegrift> either is okay with me 22:31:40 <Mrfai> i'm fine with all +1, -1 or stay at same time 22:32:05 <serpent> zigo - are you open to have meeting one hour earlier? 22:32:20 <zigo> It's hard for me to be there, because of kids ... 22:32:32 <zigo> We could do 30 mins earlier though ? :) 22:33:08 <serpent> OK - let's try 25th of March on 21:30 CET 22:33:16 <zigo> +1 22:33:19 <marcello^> +1 22:33:25 <serpent> #action I'll send email about that 22:33:54 <serpent> And sumary of this meeting - but most probaly at beginning of next week (i.e. 2-4th of March) 22:34:03 <serpent> #endmeeting