Participants
============
1. guilhem
2. Cloph
3. Brett

Agenda
======
* guilhem: anything pending for libocon videos sharing?
+ cloph: all good already
+ guilhem to save the pre-recorded videos and cancel the jibri box
* gerrit sshd
+ https://lists.freedesktop.org/archives/libreoffice/2021-October/087900.html
+ mina sshd <2.7.0 are affected
+ gerrit 3.4 upgrades to mina sshd 2.6 only, so affected as well
+ cloph: Hossein upgraded logerrit to use EC keys already, so the problem only
affects returning users — who are more likely to be technical or ask on #-dev
→ nothing concrete to do here
* bullseye: 11.1 was released some weeks ago
+ guilhem: upgraded the baseline, no major issues; heads up
- python2 was removed (affects mailman2 and planetplanet, possibly also some of
our custom scripts in dev-tools) → proper fix is to port scripts to python3,
not to keep unsupported python2 forever :-)
- bullseye has PHP7.4 not 8.0 (somewhat better now but might bite us later in
the recycle cycle)
- guilhem: upgraded the [matrix] (newer synapse is better for federation with
matrix.org) and jitsi boxes
- guilhem: dunno how pg_basebackup works with multiple PG versions (buster has 11,
bullseye 13)
. Brett: Should be fine since it is largely shell getting the wal files
- guilhem: plan to upgrade other non-mission critical systems during what's left
of 2021, then later proceed with hypervisors and mission critical guests
* Useless X3 intermediate supplied by let's encrypt:
+ client-side validation issue (they should be happy with the one path that's
valid) but older libssl chokes on this
+ affects tinderboxes, temporary fix is to remove X3 from the chain on the server,
or its issuer on the client (Brett, cloph: did that)
+ unclear why let's encrypt still adds X3 though as it can't be used in validation
paths anymore
→ nothing concrete to do for now
* pg backups:
+ Brett: removed barman from all boxes
+ Brett: haven't configured the copying logic — push vs. pull
- let's go with push then, it's more common
+ sftp -l postgres should land in a chroot so it doesn't access other host's DB
- internal-sftp subsystem, cf. for instance this sshd_config snippet
    Match User backup-*
        AllowUsers backup-*
        AllowGroups *
        DisableForwarding yes
        PermitTTY no
        PermitUserRC no
        # Note: The chroot and all its parent directories must be root:root with mode 0755.
        ChrootDirectory %h
        ForceCommand internal-sftp
+ can be integrated with other backup solutions if we want to move away from
rsnapshot
- cloph, guilhem: not specially attached to rsnapshot
- that's an intrusive change though, and can be done independently
* 90 min downtime on friday in CH
+ 11:30 CEST til 13:00 CEST (UTC+2)
+ tb84 (mac mini) might be down until next day (housing's PW-button is not working)
+ but of course can also change the power-plan to power-on in the afternoon
* Next call on Nov 16 at 17:30 UTC (DST change!)
--
Guilhem.
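
The chroot requirement noted in the sshd_config snippet above, as an added example that is not part of the original minutes or of the infra team's tooling: a pre-flight check that walks a ChrootDirectory and every parent up to / and reports the first component that is not root-owned or is writable by group or others (root:root with mode 0755 satisfies this). The function names are hypothetical and GNU coreutils stat(1) is assumed.

```shell
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory.
# Assumes GNU coreutils stat(1); function names are hypothetical.

# component_ok DIR [OWNER_UID]
# Succeeds if DIR is a directory owned by OWNER_UID (default 0 = root)
# and not writable by group or others.
component_ok() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    uid=$(stat -c '%u' -- "$dir") || return 1
    mode=$(stat -c '%a' -- "$dir") || return 1
    [ "$uid" = "$want_uid" ] || return 1
    # %a prints octal digits (e.g. 755, 1777); the leading 0 makes the
    # shell parse them as an octal constant.
    perm=$((0$mode))
    [ $((perm & 022)) -eq 0 ]
}

# chroot_path_ok PATH [OWNER_UID]
# Checks PATH and each parent directory up to /.
# Returns 0 if all components pass, 1 on the first bad one, 2 on bad input.
chroot_path_ok() {
    p=$1
    case $p in
        /*) ;;
        *) echo "not an absolute path: $p" >&2; return 2 ;;
    esac
    while :; do
        if ! component_ok "$p" "${2:-0}"; then
            echo "bad ownership or mode: $p" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname -- "$p")
    done
}

# Usage (constructed path): chroot_path_ok /srv/sftp/backup-example
```

Run it as root on the backup host before enabling the Match block, once per account home that %h would expand to.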
Context
- [libreoffice-website] Minutes from the Tue Oct 19 infra call · Guilhem Moulin