Fudcon day 1 started with having to get up at 7:30am to get ready for the 9am starting time. Thats 5:30am my time, so that’s an excuse for me being groggy this morning.
Had no problem getting to the venue and getting my badge and t-shirt. Then, after some logistics we started in on the first session of the day:
Fixing Staging in Fedora Infrastructure.
Some background: Currently we have a some ‘staging’ machines that are supposed to be copies of production instances that we can use to test and integrate new things with. We have a seperate git branch in puppet that handles the staging instances, which seems neat, but turns out to be an annoyance in several ways.
There was a lot of information and debate on what production, dev, staging, integration, or the meant. How we could setup puppet. If we could on demand make a staging instance or a subset of those. How process should work. How we could go from here.
We came up with a plan of attack and some things to consider:
- Drop the ‘staging’ git branch. Everything is in the same git repo. ie, all machines are production.
- Try and make our apps more able to be ‘containers’. Ie, reduce dependence on other parts of Infrastructure so things can be tested in containers easier.
- Look at ways to build containers or integration staging machines on the fly as needed.
After a quick lunch (man the wind was nasty to/from lunch), it was time for a 2 factor auth session.
We’ve been talking about finishing off yubikey as a true two factor authentication method in fedora infrastructure. We had a lot of good input here and hashed out a plan here too:
- Fork linotp’s pam module to a new project. This would be just the pam module, and we would enhance it to require a valid ssl cert from the server it’s talking to before sending it anything, prompting for pin and pass and other enhancements.
- First target is going to be sudo for all sysadmin-main users.
- Create a CGI that the pam module can talk to and send auth info to and return ok, bad, broken
- CGI will likely run on fas servers so it can talk to fas and yubikey
- Some quick and dirty way to query pin
- FAS changes to store and set/reset pin
- ADD google auth or OATH to the CGI
- Increase parts thats are covered/where 2 factor is required
All in all some great sessions today. I think we have some lovely plans in fedora infrastructure, ready to dig in and get working in the coming days and weeks.