[libreoffice-website] Minutes from the Tue Jun 19 infra call

Participants
============

 1. guilhem
 2. Brett
 3. cloph

Agenda
======

 * FYI: No more hosts running Debian 7 (Wheezy), LTS of which ended on May 31th
 * [rdm#2463] Gerrit staging instance
   + Up and running on https://vm178.documentfoundation.org
   + AI cloph: Still need to test the maintenance scripts (account merging, etc.)
   + AI guilhem: Upgrade the prod instance during the next weeks (before RC1),
     ideally before the end of the month (failing that before the second week
     of July)?
   + Defer OS upgrade (Debian 8 → 9) to later
 * [rdm#1836] Bitergia dashboard <https://dashboard.documentfoundation.org>
   needs upgrade and refactoring (move out of docker containers)
   + https://github.com/grimoirelab/use_cases/tree/master/documentfoundation
   + Old vm (vm167) not using our current baseline, we can deploy on another
     VM and switch DNS records in due time
   + AI guilhem: Deploy new VM and hand over to Brett
 * [rdm#2141] Replace reCAPTCHA with self-hosted version?  At least on our own
   SSO portals?
   + The captcha solution we are using currently is quite weak
   + cloph: want (wishes for, but doesn't know anything) something as
     effective as reCAPTCHA, not aware of a solution that's as good
   + TODO: list and evaluate list of self-hosted solutions?
   + cloph: accessibility is another issue (shouldn't be visual only)
 * Saltstack 
   + Brett's 'papercut' branch
     /etc/cron.d is present here, but maybe a dependency on 'cron' is missing?
       $ dpkg -S /etc/cron.d
       sysstat, cron: /etc/cron.d
     Brett: removed that commit and added 'cron' to core's installed pkgs.
     Brett: There's still a MR open 
(https://infratools.documentfoundation.org/infra/salt/merge_requests/11) ^^
 * Monitoring
   + deployed new exporters for wmi and snmp (jenkins slaves, mikrotik)
     - cut down on what metrics are collected? → not necessary atm, when
       server runs out of space we can purge the uninteresting data
   + update wrt alert system? not yet, Brett wants to jump on that
   + update wrt status page? not yet, AI guilhem
 * whitebox monitoring from graylog; todo later
 * TDF wiki
   + Force WebSSO authentication (SAML 2.0)
     - Users with an active WebSSO session might need to log out
       <https://auth.documentfoundation.org/?logout=1> and in again to refresh
       ACLs
     - This is still the *transition phase*: having an LDAP account is
       necessary but (currently) not sufficient to authenticate on the wiki. 
       Best way to get access at the moment is to poke admins.
     - Only 260 LDAP accounts were granted auth right on the wiki at the time
       of the migration (now 271).  40 (now 36) of the 140 recent wiki editors
       (last 90 days) aren't known to LDAP yet, hence are barred from access
     - Of these 271 LDAP accounts, 83 have a wiki username that doesn't match
       the LDAP username.  Ultimately we want to unify them (ie rename them)
       but it's not done yet, to make it easier to revert to legacy auth if
       people complain too loudly.
   + Question: Case sensitivity seem to be a problem too, can Mediawiki be
     made case insensitive
   + Next steps (once the dust has settled):
     - poke the 83 account mismatches and rename them (is there a better
       solution?)
     - automatically grant auth access to any LDAP user, but ensure that only
       the wiki account owner can create an LDAP account with the wiki
       username
   + MediaWiki 1.31 LTS was released on June 13, we should upgrade ASAP
     (possibly via 1.30) since the 1.29.x series which we are currently using
     will be EOL by the end of June.
   + PHP 7.0 is required (for 1.31), so need first we need to upgrade the host
     from Debian 8 (Jessie) to Debian 9 (Stretch)
   + guilhem to upgrade to 1.30 first
 * SSO adoption stats:
   + 997 accounts in total, 289 since the last call, 262 since wiki auth
     change (mostly spam-looking…)
   + 30/193 (15%) TDF members not in LDAP
   + 36/140 (25%) recent wiki contributors not in LDAP
 * hypervisor reboots ETA?
   + AI guilhem: upgrade charly to Debian 9, then wait for things to settle
   + excelsior, dauntless, falco within the first 3 weeks of July
 * Next call: Tuesday July 17 2018 at 18:30 Berlin time (16:30 UTC)

-- 
Guilhem.

-- 
To unsubscribe e-mail to: website+unsubscribe@global.libreoffice.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/website/
Privacy Policy: https://www.documentfoundation.org/privacy