release-team@conference.openafs.org
Friday, September 6, 2019

GMT+0
[11:54:11] mbarbosa joins the room
[14:10:19] meffie joins the room
[14:48:46] wiesand joins the room
[14:58:28] <meffie> good afternoon
[15:01:11] <wiesand> hello
[15:01:23] <kaduk@jabber.openafs.org/barnowl> greetings
[15:01:44] yadayada joins the room
[15:01:51] <yadayada> Hello All
[15:02:08] <mvita> oh hey
[15:02:18] <wiesand> we're complete :)
[15:03:30] <wiesand> ok, on 1.8.4pre2: I just merged the Linux 5.3 changes and am about to merge 13789 & 90 unless there are complaints
[15:04:21] <wiesand> that would be the pre2 content discussed so far
[15:04:28] <wiesand> any late additions?
[15:04:54] <kaduk@jabber.openafs.org/barnowl> I don't think so, but give me a minute to remember the thing I was
supposed to mention at this meeting.
[15:05:21] <kaduk@jabber.openafs.org/barnowl> Er.  I think it was an RT ticket, but RT is down :(
[15:05:47] <wiesand> yes, seems awol
[15:06:25] <kaduk@jabber.openafs.org/barnowl> On the other hand, we did get a pre1 success report
[15:07:09] <kaduk@jabber.openafs.org/barnowl> Anyway, no late additions from me, sorry for the distraction
[15:07:10] <wiesand> if Jeffrey's comment on 9588 is correct, maybe we want something like 13838 in 1.8.4?
[15:08:17] <yadayada> I tried 1.8.4pre1 on ppc64le and ran our stress test .. all looks good
[15:08:17] <kaduk@jabber.openafs.org/barnowl> Perhaps, though I could see either 1.8.4 or 1.8.5 being okay
[15:09:26] <kaduk@jabber.openafs.org/barnowl> (The code in question has been in 1.8 since before 1.8 branched)
[15:09:33] <wiesand> right
[15:11:45] <wiesand> I think the change is zero risk, so I'd be willing to accept it for 1.8.4 even if it didn't make a prerelease, allowing time for sufficient discussion whether it's needed and how much the limit should actually be increased.
[15:12:15] <kaduk@jabber.openafs.org/barnowl> I concur
[15:12:56] <wiesand> yadayada: thanks for testing
[15:13:11] <wiesand> is there any other feedback on pre1 yet?
[15:13:45] <yadayada> I am going to try 1.8.4pre1 on s390x arch in coming week
[15:13:45] <meffie> not that i have heard
[15:13:59] <meffie> thank you yadayada
[15:14:47] <kaduk@jabber.openafs.org/barnowl> Stephan, my editorial hand is feeling heavy today (possibly a side
effect of spending last week reviewing IETF documents); do you mind
if I tweak the commit message a bit on 13838?
[15:15:07] <wiesand> not at all
[15:16:08] <wiesand> looks like we'll get Linux 5.3-rc8 this weekend - I
[15:17:19] <wiesand> 'd like to issue pre2 soon after (ideally monday) … thoughts?
[15:18:01] <meffie> sounds good.
[15:18:41] <kaduk@jabber.openafs.org/barnowl> (Commit message edit published; sorry to have stomped on your review,
Mike.)
[15:19:45] <wiesand> better.
[15:20:54] <wiesand> yadayada: thanks again
[15:21:34] <wiesand> ok, I merged Ben's 'remove automake version/package references' changes
[15:21:52] <kaduk@jabber.openafs.org/barnowl> Andrew's, really; I just did the backport
[15:22:13] <wiesand> thus, what's left to do before pre2 (barring Linux 5.3 surprises or pre1 bug reports) is a NEWS update
[15:22:27] <wiesand> ok, credit where it's due
[15:23:44] <wiesand> looks like we have a plan for pre2 then - and I'm afraid that's what I have on the stable series today
[15:24:22] <meffie> thank you
[15:24:34] <kaduk@jabber.openafs.org/barnowl> My topics for master are pretty sparse as well; this week left me
rather wiped out
[15:24:46] <yadayada> I was working on RHEL 8 and saw that pam_krb5 is not available on RHEL 8. Instead we need to use pam_sss.so. Have we tried using pam_sss.so for PAM authentication? I was trying pam_sss.so along with pam_afs_session.so, but facing issues.
[15:25:25] <mvita> oof, pam, my condolences
[15:26:12] <kaduk@jabber.openafs.org/barnowl> IIRC SSSD wants to use a gss_proxy for many kerberos operations (that
provides privilege separation for credentials management), but I don't
know the details.
[15:26:35] <kaduk@jabber.openafs.org/barnowl> To be clear, you have pam_sss.so working for "normal" kerberos things,
and it's just the AFS part that was having trouble?
[15:27:12] <kaduk@jabber.openafs.org/barnowl> I bet Mark will not be happy if I ponder out loud about adopting
pam_afs_session into the openafs tree, since my understanding is that
it's unmaintained at the moment
[15:27:32] <wiesand> "The following pam_krb5 options have no replacement due to only being useful for AFS: afs_cells, external, ignore_afs, null_afs, tokens, tokens_strategy."
[15:27:41] <wiesand> :-( :-( :-(
[15:28:17] <mvita> I have no objections to pam or afs integration with it - my comment just reflects my unpleasant experiences with getting it to work
[15:28:49] <mvita> years ago
[15:29:23] <yadayada> that's right, also config files are different like pam_sss.conf need to contain realm name etc. I was having issues with AFS authentication. I am not sure if anyone has tried it already? On pam_afs_session, it works perfect with pam_krb5
[15:30:25] <wiesand> I'm not there yet with EL8.
[15:30:54] <wiesand> Note that pam_afs_session is orphaned, unfortunately.
[15:31:25] <mvita> it would be nice if openafs.org could pick it up
[15:31:27] <kaduk@jabber.openafs.org/barnowl> Indeed.  "But we could fix that"
[15:32:01] <wiesand> I wonder whether it's feasible to port pam_krb5 to EL8 and forego that sss stuff a couple more years…
[15:32:36] <kaduk@jabber.openafs.org/barnowl> I expect porting pam_krb5 would not be too hard, it's a question of
how many other things depend on SSSD
[15:33:10] <wiesand> up to and including EL7 it's expendable ;-)
[15:35:26] <yadayada> they claim that pam_sss.so has all functionality which is part of pam_krb5, but of course they have not included certain afs options. When we say porting does it mean we will have pam_krb5 in our source tree?
[15:35:46] <kaduk@jabber.openafs.org/barnowl> Not in our source tree
[15:36:22] <kaduk@jabber.openafs.org/barnowl> I was saying that wiesand could, for his machines, have a local build
of pam_krb5.so on RHEL8 and use that instead of pam_sss.so; openafs
wouldn't be involved directly
[15:37:27] <wiesand> I wasn't suggesting to adopt pam_krb5. Though it would be nice.
[15:37:48] <wiesand> Just like adopting pam_afs_session would.
[15:38:36] <kaduk@jabber.openafs.org/barnowl> perhaps we should bring up pam_afs_session on openafs-info
[15:40:37] <meffie> ok
[15:42:09] <yadayada> I will explore more on pam_sss.so in coming days. I was thinking that pam_sss.so should help us getting TGT and then we can use our pam_afs_session.so for getting tokens
[15:42:35] <kaduk@jabber.openafs.org/barnowl> I think so, yes.
[15:42:48] <kaduk@jabber.openafs.org/barnowl> There may be some differences in how we get access to the TGT, though.
[15:43:11] <meffie> it looks like pam_afs_session is not specific to openafs tho. perhaps it just needs a home and maintainer.
[15:43:16] <kaduk@jabber.openafs.org/barnowl> By the say, there are frequently some SSSD developers in #krbdev on
the freenode IRC network, though I think they are US-east based
[15:43:35] <kaduk@jabber.openafs.org/barnowl> *By the way
[15:44:09] <kaduk@jabber.openafs.org/barnowl> meffie: pam_afs_session is not inherently specific to openafs, no,
which is why it was originally a separate thing
[15:46:04] <wiesand> sigh, for a decade things were pretty smooth, and now it's back to the early 2000s ;-(
[15:46:34] <meffie> i don't remember the smooth part :)
[15:47:24] <meffie> (btw, i need to leave at 12:00 here)
[15:48:30] <wiesand> (and I'm getting tired)
[15:48:37] <wiesand> anything else to discuss today?
[15:48:41] <kaduk@jabber.openafs.org/barnowl> Taking Mike's point, as for master, I merged a couple tiny things and
the rest of Yadav's aklog fixes are ready to land (but apparently we
have to rebase to appease gerrit)
[15:49:32] <kaduk@jabber.openafs.org/barnowl> I see Cheyenne submitted some (more?) IPv6 prep stuff; that's good to
see, as well as some audit enhancements, but I haven't looked at them
yet
[15:49:43] <meffie> excellent. sorry i've not been able to review the aklog stuff, been out
[15:49:54] <kaduk@jabber.openafs.org/barnowl> it's okay
[15:50:02] <kaduk@jabber.openafs.org/barnowl> (both that you've been out and the stuff itself)
[15:50:37] <kaduk@jabber.openafs.org/barnowl> Anyone want to say things about master?
[15:51:07] <meffie> andrew has been making progress on rxgk patches as well.
[15:51:19] <yadayada> just one point, last Saturday I again faced issues pushing changes to gerrit and it was down for ~ 4 hrs
[15:51:36] <kaduk@jabber.openafs.org/barnowl> Hmm, interesting.
[15:51:52] <kaduk@jabber.openafs.org/barnowl> I believe it's set up for weekly restarts sunday morning (localtime
for it, in Boston)
[15:51:54] <yadayada> this happened last friday
[15:52:07] <kaduk@jabber.openafs.org/barnowl> But it would not be hard to make it twice-weekly
[15:53:26] <kaduk@jabber.openafs.org/barnowl> I can try to remember to look at the logs and see if anything sticks
out -- there have been some new warnings on startup with the newer
gerrit version that I never really looked into, as well.
[15:53:41] <yadayada> sure Thanks
[15:53:56] <kaduk@jabber.openafs.org/barnowl> thanks for the report, and sorry for the trouble getting things
uploaded
[15:54:53] <yadayada> nothing more from my side
[15:55:15] <wiesand> Let's adjourn then?
[15:55:23] <mvita> agreed
[15:55:31] <kaduk@jabber.openafs.org/barnowl> agreed; thanks everyone!
[15:55:36] <yadayada> Thanks
[15:55:42] <wiesand> Thanks everyone!
[15:55:57] wiesand leaves the room
[15:56:05] yadayada leaves the room
[15:56:06] <meffie> Thanks!
[15:56:47] meffie leaves the room
[18:17:44] mbarbosa leaves the room
[19:09:58] mbarbosa joins the room
[20:21:02] mbarbosa leaves the room
[21:25:00] mbarbosa joins the room
[21:32:14] mbarbosa leaves the room