Participants
============
1. guilhem
2. cloph
3. Emiliano
Agenda
======
* Creating start-up services for mac build slaves
+ guilhem: missing some context
+ cloph: at the moment building LibO on mac requires a graphical login
+ cloph: on windows there is something to automatically start a graphical
login, but unsure how to do for macs
+ currently macs are managed manually, need to connect manually and start a
graphical login on reboot etc
+ minor convenience?
* TGClean: Delete-Bot for old Telegram messages (esp. the LibreOffice-channel,
but also others)
+ tg groups/bots aren't managed by the infra team at large, it's done by a
so-called botfather / single group admin (cloph atm)
+ EV: do we agree that we need to clean up the history?
- cloph: depends on the channel, but just preventing newly joined users from
accessing the history would already solve most concerns
* Old TLS profiles
+ Currently all boxes running Buster use Mozilla's "intermediate" TLS
profiles (no TLS <1.2, no CBC/RC4, etc), in practice all browsers ≥12
years old should work,
https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
+ Most likely not an issue for services accessed from a normal
browser (website, wiki, ask, etc), at least no one complained so far
+ Might be problematic for systems accessed from LibO: update check (0.02%
excluded, 7k out of 50M) and crashreport (0.03% excluded, 95 out of 300k)
- cloph: that's just noise, so few that it's not relevant enough for QA
anyway; we can afford to reject these handshakes
- [rdm#3187] more problematic if that's Xisco's system (he said he'll
upgrade)
- possible workaround:
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
* Allow attachments on public mailing lists
+ on a per-mailing-list basis
+ cloph: not worth discussing here, we can do a test and disable
pymime on some lists to give it a try and see if people complain
+ AI guilhem, do it on all lists with ≤150 subscribers for now
* Hypervisor upgrade
+ charly upgraded to Buster 3 weeks ago
+ backported libvirtd 6.0 (to access better guest info, FS usage,
kernel version, OS, etc.)
+ AI guilhem need to make fancy grafana dashboards and alert rules
(FS filling up, old kernel running, etc.)
+ AI guilhem upgrade other hypervisors starting with dauntless (to
be announced on the website+dev list)
+ crashtest is now a metal host, no longer living on charly
+ charly is now idle, we can rebalance guests to free up
excelsior
* Streamline firewall on the Debian ≥10 baseline? (nftables, firewalld)
+ baseline uses shorewall right now
+ v4/v6 aren't unified by default, need to symlink but care should be taken
when filtering by subnets
+ iptables scripts are harder to read and write atomically
+ kernel nf subsystem uses nftables modules now, xtables is legacy
+ guilhem: suggests just shipping plain nftables, easier to read/write and
apply atomically
. config has a macro language and ipsets are supported natively
. native v4/v6 consolidation
+ EV: how complicated are the shorewall rules anyway
. we don't have many rules on top of the defaults, just opening the
relevant ports and enabling forwarding for intranet
- allowing SSH is just:
SSH(ACCEPT) all $FW
+ AI guilhem write a salt state as a PoC and deploy it on some guests
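As an added illustration (not the salt state discussed above, nor any existing TDF config), a minimal nftables ruleset covering the points raised: defines as a macro language, native sets, one inet table for v4 and v6, the equivalent of the shorewall rule `SSH(ACCEPT) all $FW`, and forwarding restricted to intranet subnets. All addresses are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not the production ruleset. Subnets are constructed
# placeholders (RFC 1918 / documentation prefixes), not the real intranet.

# `flush ruleset` at the top makes `nft -f` replace the whole ruleset in
# one transaction: either every rule below is loaded or none is.
flush ruleset

# defines act as macros, like $FW / zone names in shorewall
define ssh_port = 22

table inet filter {
    # Named sets replace ipsets. v4 and v6 need separate sets because the
    # address family is part of the set type (the subnet caveat from the
    # discussion: an inet table does not merge the two address families).
    set intranet_v4 {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 192.168.0.0/16 }
    }
    set intranet_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery
        meta l4proto { icmp, icmpv6 } accept
        # equivalent of the shorewall rule `SSH(ACCEPT) all $FW`
        tcp dport $ssh_port accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # forwarding only for the intranet; each family uses its own selector
        ip saddr @intranet_v4 accept
        ip6 saddr @intranet_v6 accept
    }
}
```

`nft -c -f <file>` parses and validates the ruleset without loading it, which is the check a salt state should run before `nft -f <file>` applies it.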
* Pending AI:
+ guilhem Move infra testbed ( https://infratools.documentfoundation.org )
to Gerrit and make the salt repo world-readable
+ before going public: Use `git filter-branch` to remove certs and privkeys
that were once uploaded there
. won't be fast-forward so disruption for local clones, but just a one-off
thing
* Next call: Mon May 18 16:30:00 UTC 2020
--
Guilhem.