

Participants
============
1. guilhem
2. cloph
3. Emiliano

Agenda
======

 * Creating start-up services for mac build slaves
   + guilhem: missing some context
   + cloph: at the moment building LibO on mac requires a graphical login
   + cloph: on windows there is something to automatically start a graphical
     login, but unsure how to do that for macs
   + currently macs are managed manually, need to connect manually and start a
     graphical login on reboot etc
   + minor convenience?
 * TGClean: Delete-Bot for old Telegram messages (esp. the LibreOffice-channel,
   but also others)
   + tg groups/bots aren't managed by the infra team at large, it's done by a
     so-called botfather / single group admin (cloph atm)
   + EV: do we agree that we need to clean up the history?
     cloph: depends on the channel, but just preventing newly joined users from
     accessing the history would already solve most concerns
 * Old TLS profiles
   + Currently all boxes running Buster use Mozilla's "intermediate" TLS
     profiles (no TLS <1.2, no CBC/RC4, etc), in practice all browsers ≥12
     years old should work,
     https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
   + Most likely not an issue for services accessed from a normal
     browser (website, wiki, ask, etc), at least no one complained so far
   + Might be problematic for systems accessed from LibO: update check (0.02%
     excluded, 7k out of 50M) and crashreport (0.03% excluded, 95 out of 300k)
     - cloph: that's just noise, so few that it's not relevant enough for QA
       anyway we can afford rejecting these handshakes
     - [rdm#3187] more problematic if that's Xisco's system (he said he'll upgrade)
     - possible workaround:
       https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
 * Allow attachments on public mailing lists
   + on a per-mailing-list basis
   + cloph: not worth discussing here, we can do a test and disable
     pymime on some lists to give it a try and see if people complain
   + AI guilhem, do it on all lists with ≤150 subscribers for now
 * Hypervisor upgrade
   + charly upgraded to Buster 3 weeks ago
   + backported libvirtd 6.0 (to access better guest info, FS usage,
     kernel version, OS, etc.)
   + AI guilhem need to make fancy grafana dashboards and alert rules
     (FS filling up, old kernel running, etc.)
   + AI guilhem upgrade other hypervisors starting with dauntless (to
     be announced on the website+dev list)
   + crashtest is now a metal host, no longer living on charly
   + charly is now rolling thumbs, we can rebalance guests to free up
     excelsior
 * Streamline firewall on the Debian ≥10 baseline? (nftables, firewalld)
   + baseline uses shorewall right now
   + v4/v6 aren't unified by default, need to symlink but care should be taken
     when filtering by subnets
   + iptables scripts are harder to read and write atomically
   + kernel nf subsystem uses nftables modules now, xtables is legacy
   + guilhem: suggests to just ship plain nftables, easier to read/write and
     apply atomically
    . config has a macro language and ipsets are supported natively
    . native v4/v6 consolidation
   + EV: how complicated are the shorewall rules anyway
    . we don't have many rules on top of the defaults, just opening the
      relevant ports and enabling forwarding for intranet
      - allowing SSH is just:
        SSH(ACCEPT)     all             $FW
   + guilhem to write a salt state as a PoC and deploy it on some guests as a
     PoC
 * Pending AI:
   + guilhem Move infra testbed ( https://infratools.documentfoundation.org )
     to Gerrit and make the salt repo world-readable
   + before going public: Use `git filter-branch` to remove certs and privkeys
     that were once uploaded there
     . won't be fast-forward so disruption for local clones, but just a one-off
       thing
 * Next call: Mon May 18 16:30:00 UTC 2020

-- 
Guilhem.
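
The history rewrite listed under "Pending AI", as an added example that is not part of the original minutes or of the infra team's repository: it builds a scratch repo (constructed file names and placeholder key content), removes one path from every commit with `git filter-branch`, and checks that no ref, backup ref or object still carries it. The changed head ID is the non-fast-forward effect the minutes mention.

```shell
#!/bin/sh
# Added example. Repo, file names and key content are constructed placeholders.
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's warning pause
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Scratch repo whose history once held a (fake) private key; prints its path.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    ( cd "$repo" && git init -q . && mkdir pki &&
      echo 'role: web' > top.sls &&
      echo 'CONSTRUCTED-PLACEHOLDER-NOT-A-KEY' > pki/server.key &&
      git add . && git commit -q -m 'add state and key' &&
      git rm -q pki/server.key && git commit -q -m 'drop key from tree' &&
      echo 'role: db' >> top.sls && git commit -q -am 'more state'
    ) >/dev/null 2>&1 || return 1
    echo "$repo"
}

# Count commits on any ref (refs/original/ included) that touched a path.
commits_touching() {    # $1 = repo, $2 = path
    git -C "$1" log --all --format=%H -- "$2" | wc -l | tr -d ' '
}

# Rewrite every ref so that $2 never existed, then drop the old objects.
scrub_path() {          # $1 = repo, $2 = path
    ( cd "$1" &&
      git filter-branch -f --prune-empty --index-filter \
          "git rm -r -q --cached --ignore-unmatch -- '$2'" -- --all &&
      # filter-branch keeps the pre-rewrite commits under refs/original/;
      # delete those refs, expire reflogs, then prune the unreachable blobs.
      git for-each-ref --format='%(refname)' refs/original/ |
          while read -r ref; do git update-ref -d "$ref"; done &&
      git reflog expire --expire=now --all &&
      git gc -q --prune=now
    ) >/dev/null 2>&1
}

# Demo run: 2 commits touch the key before the rewrite, 0 after.
demo=$(make_demo_repo) && {
    echo "before: $(commits_touching "$demo" pki/server.key)"
    scrub_path "$demo" pki/server.key
    echo "after:  $(commits_touching "$demo" pki/server.key)"
    rm -rf "$demo"
}
```

Clones made before the rewrite still hold the old commits and blobs until they are re-cloned or pruned the same way.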
