Skip to main content

Fudcon day 1

Fudcon day 1 started with having to get up at 7:30am to get ready for the 9am starting time. Thats 5:30am my time, so that's an excuse for me being groggy this morning. ;) Had no problem getting to the venue and getting my badge and t-shirt. Then, after some logistics we started in on the first session of the day: Fixing Staging in Fedora Infrastructure. Some background: Currently we have a some 'staging' machines that are supposed to be copies of production instances that we can use to test and integrate new things with. We have a seperate git branch in puppet that handles the staging instances, which seems neat, but turns out to be an annoyance in several ways. There was a lot of information and debate on what production, dev, staging, integration, or the meant. How we could setup puppet. If we could on demand make a staging instance or a subset of those. How process should work. How we could go from here. We came up with a plan of attack and some things to consider:

  • Drop the 'staging' git branch. Everything is in the same git repo. ie, all machines are production.
  • Try and make our apps more able to be 'containers'. Ie, reduce dependence on other parts of Infrastructure so things can be tested in containers easier.
  • Look at ways to build containers or integration staging machines on the fly as needed.
After a quick lunch (man the wind was nasty to/from lunch), it was time for a 2 factor auth session. We've been talking about finishing off yubikey as a true two factor authentication method in fedora infrastructure. We had a lot of good input here and hashed out a plan here too: Short term:
  • Fork linotp's pam module to a new project. This would be just the pam module, and we would enhance it to require a valid ssl cert from the server it's talking to before sending it anything, prompting for pin and pass and other enhancements.
  • First target is going to be sudo for all sysadmin-main users.
  • Create a CGI that the pam module can talk to and send auth info to and return ok, bad, broken
  • CGI will likely run on fas servers so it can talk to fas and yubikey
  • Some quick and dirty way to query pin
Longer term:
  • FAS changes to store and set/reset pin
  • ADD google auth or OATH to the CGI
  • Increase parts thats are covered/where 2 factor is required
All in all some great sessions today. I think we have some lovely plans in fedora infrastructure, ready to dig in and get working in the coming days and weeks.