Participants
============
1. guilhem
2. Brett
3. cloph
Agenda
======
* Replace pootle box and hand it over to Brett for PiTR
- https://www.manitu.de/root-server/
- Currently have an XL from 3.5y ago; current XLs are identical but we could
upgrade to XXL for double RAM and disk
- Brett: PiTR could take quite a bit of space; the larger one might be good
- cloph: ack
* Upcoming upgrade/downtime
- Staggered hypervisor reboot needed (new kernel)
- cloph: we have weekly releases/tags now, but rebooting during the Fri/Sat
night would work
* Embargoed saltstack vulnerability (initial publication date Feb 4th, then
delayed until 25th) — salt-master turned off during the publication window
while we assess things and can upgrade smoothly
- https://saltproject.io/active-saltstack-cve-announced-2021-jan-21/
* Dual cert (ECDSA alongside RSA) for cheaper handshake
- update checker, piwik and crashreport in particular are hammered with
requests, the handshake causes unnecessary load with large RSA keys
- cloph: current LO master is using libcurl 7.71 and libssl 1.1.1, so quite
capable of using EC
- guilhem: need to refactor the certificate deployment setup, have some ideas
about this (we'd need to maintain two X.509 certificates with identical subject
and SANs, a recipe for disaster if we don't use a single list for both)
- twice as many certificates but we should remain below the rate limits from
Let's Encrypt <https://letsencrypt.org/docs/rate-limits/> (if we exceed the
limit and the renewal fails it should succeed next day or so)
* The Mac mini and KVM switch at Adfinis are broken; waiting for a reply and
will then proceed with new orders
- cloph: CI suffered until the m1 box was hooked up
- cloph: planning to replace one of the physical linux hosts with windows and
deploy a new linux guest at hetzner to relieve some load off CI
* cloph: gustl's OpenVPN server is still sometimes causing issues
(multiple-connection hiccups, blacklisting); it would be nice to use a more
modern implementation on a dedicated box
- guilhem: and force people to use stronger passwords and/or client cert
authentication so we can remove the blacklist, esp. with additional
tls-auth HMAC signatures before the handshake
* Still pending
- mailing list import
- firewall refactoring
+ deploy plain nftables rules by salt instead of shorewall rules.d
+ v4/v6 consolidation
+ shorewall backend (iptables/ip6tables) and xtables are deprecated in
netfilter
+ nftables has nicer syntax, atomic reloads, builtin ipsets (with
expiration etc)
- node monitoring on the guests
+ have the guests *push* to prometheus so we don't have to bother about
firewalls
+ use HTTP basic authentication on the prometheus side
* Next call: March 16 at 17:30 UTC
--
Guilhem.
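As an added illustration of the nftables points in the firewall-refactoring item (this is example config written for these notes, not TDF's ruleset): a minimal `inet` ruleset that covers v4 and v6 in one table, is loaded atomically with `nft -f`, and uses built-in dynamic sets with expiring entries in place of an external ipset. The interface name, ports, rate and timeout values are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not TDF's ruleset: interface, ports and rates are assumptions.

# `nft -f` applies this whole file as one transaction, so the flush and the
# new rules either all take effect together or not at all (atomic reload).
flush ruleset

# One `inet` table covers IPv4 and IPv6 (v4/v6 consolidation): no separate
# iptables/ip6tables rule sets to keep in sync.
table inet filter {
    # Built-in dynamic sets replace an external ipset; entries are added from
    # the packet path and expire on their own after the timeout.
    set ssh_ratelimit4 {
        type ipv4_addr
        flags dynamic,timeout
        timeout 10m
    }
    set ssh_ratelimit6 {
        type ipv6_addr
        flags dynamic,timeout
        timeout 10m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for PMTU discovery and neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Sources already in a set are dropped until their entry expires.
        tcp dport 22 ct state new ip saddr @ssh_ratelimit4 drop
        tcp dport 22 ct state new ip6 saddr @ssh_ratelimit6 drop
        # More than 5 new SSH connections per minute adds the source to the
        # set for 10 minutes; `ip saddr` only matches IPv4, `ip6 saddr` IPv6.
        tcp dport 22 ct state new add @ssh_ratelimit4 { ip saddr limit rate over 5/minute } drop
        tcp dport 22 ct state new add @ssh_ratelimit6 { ip6 saddr limit rate over 5/minute } drop
        tcp dport 22 ct state new accept

        tcp dport { 80, 443 } accept
    }
}
```

Note that `flush ruleset` also discards the current contents of the dynamic sets, so a reload clears any addresses currently being throttled.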
- [libreoffice-website] Minutes from the Tue Feb 16 infra call · Guilhem Moulin