Participants
============

 1. guilhem
 2. Brett
 3. cloph

Agenda
======

* Replace pootle box and hand it over to Brett for PiTR
  - https://www.manitu.de/root-server/
  - Currently have an XL from 3.5y ago; current XLs are identical but we
    could upgrade to XXL for double RAM and disk
  - Brett: PiTR could take quite a bit of space, the larger one might be good
  - cloph: ack

* Upcoming upgrade/downtime
  - Staggered hypervisor reboot needed (new kernel)
  - cloph: we have weekly releases/tags now, but rebooting during the
    fri/sat night would work

* Embargoed saltstack vulnerability (initial publication date Feb 4th, then
  delayed until 25th) — salt-master turned off during the publication
  window while we assess things and can upgrade smoothly
  - https://saltproject.io/active-saltstack-cve-announced-2021-jan-21/

* Dual cert (ECDSA alongside RSA) for cheaper handshake
  - update checker, piwik and crashreport in particular are hammered with
    requests, the handshake causes unnecessary load with large RSA keys
  - cloph: current LO master is using libcurl 7.71 and libssl 1.1.1, so
    quite capable of using EC
  - guilhem: need to refactor the certificate deployment setup, have some
    ideas about this (we'd need to maintain two X.509 with identical subject
    and SANs, recipe for disaster if we don't use a single list for both)
  - twice as many certificates but we should remain below the rate limits
    from Let's Encrypt <https://letsencrypt.org/docs/rate-limits/> (if we
    exceed the limit and the renewal fails it should succeed next day or so)

* The Mac mini and KVM switch at Adfinis are broken, waiting for reply and
  will proceed with new orders
  - cloph: CI suffered until the m1 box was hooked up
  - cloph: planning to replace one of the physical linux hosts with windows
    and deploy a new linux guest at hetzner to relieve some load off CI

* cloph: gustl's OpenVPN server is still causing issues (multiple connections
  hiccups, blacklisting) sometimes, would be nice to use a more modern
  implementation on a dedicated box
  - guilhem: and force people to use stronger password and/or client cert
    authentication so we can remove the blacklist, esp. with additional
    tls-auth HMAC signatures before the handshake

* Still pending
  - mailing list import
  - firewall refactoring
    + deploy plain nftables rules by salt instead of shorewall rules.d
    + v4/v6 consolidation
    + shorewall backend (iptables/ip6tables) and xtables are deprecated in
      netfilter
    + nftables has nicer syntax, atomic reloads, builtin ipsets (with
      expiration etc)
  - node monitoring on the guests
    + have the guests *push* to prometheus so we don't have to bother about
      firewalls
    + use HTTP basic authentication on the prometheus side

* Next call: March 16 at 17:30 UTC
-- 
Guilhem.

List archive: https://listarchives.libreoffice.org/global/website/
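The dual-certificate item above (one SAN list feeding both the RSA and the ECDSA certificate, then a check that the two agree on subject and SANs before either is deployed), as an added example in Go; it is not code from the minutes or from TDF's infrastructure, and the host names are constructed samples:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// selfSign issues a self-signed cert whose subject and SANs come only from sans.
func selfSign(sans []string, pub, priv interface{}) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour), // Let's Encrypt lifetime
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SameIdentity is the deployment check: same subject and same SAN set, any order.
func SameIdentity(a, b *x509.Certificate) bool {
	as, bs := append([]string(nil), a.DNSNames...), append([]string(nil), b.DNSNames...)
	sort.Strings(as)
	sort.Strings(bs)
	return a.Subject.String() == b.Subject.String() && fmt.Sprint(as) == fmt.Sprint(bs)
}

func main() {
	sans := []string{"updates.example.org", "piwik.example.org", "crashreport.example.org"} // constructed; the ONE list both certs use
	rk, _ := rsa.GenerateKey(rand.Reader, 2048)
	ek, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	r, err := selfSign(sans, &rk.PublicKey, rk)
	e, err2 := selfSign(sans, &ek.PublicKey, ek)
	if err != nil || err2 != nil {
		panic("issuance failed")
	}
	fmt.Println(r.PublicKeyAlgorithm, e.PublicKeyAlgorithm, "same identity:", SameIdentity(r, e))
}
```

Real certificates would come from Let's Encrypt rather than self-signing; the SameIdentity check applies unchanged to the issued PEMs once parsed.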
