Regarding #6 -
My original thought on the auth proxy was to put Access Manager gateways in Nuremberg and
put those sites behind it. It wouldn't provide any additional features over what we
have today, but it would resolve the latency issue of keeping the auth proxy in Provo
without any code changes on the sites.
As I thought about it more, I now suggest we use the LDAP auth proxy for www.opensuse.org
and other sites moving to Nuremberg. The LDAP proxy already serves openSUSE sites in NBG
and should be able to support the additional sites with only minor code changes on the
As Lars pointed out, one issue is SSO with Bugzilla and other sites. I would like to see
if the LDAP auth proxy can be extended to support either SAML or OpenID Connect, with
Access Manager as the identity provider. This would enable SSO with both the new and
existing Nuremberg sites. LDAP can be maintained as a fallback option in this case.
From: Lars Vogdt [Lars.Vogdt(a)suse.de]
Sent: Saturday, April 08, 2017 10:03 AM
Cc: Matthew Ehle
Subject: Re: [heroes] Heroes meeting moved to 2017-04-09
On Sun, 02 Apr 2017 21:23:20 +0200
Christian Boltz <opensuse(a)cboltz.de> wrote:
The Heroes meeting will be on 2017-04-09 18:00 UTC (=
time). See https://progress.opensuse.org/issues/17528
I'm not sure if it will work out for me, as my wife has her
But I hope nobody needs to wait until the monthly meeting to start some
discussions or bring up some topics, right?
So here are mine:
1) News article about status.opensuse.org
To get some progress into the new "project" status.opensuse.org
wrote a small news article on progress.o.o :
* should I put that to news.opensuse.org
to get some more attention?
* is there anything missing in the article?
* is there anything missing on the status.o.o page?
Otherwise I would switch over from testing to production mode rather
sooner than later (release often, release early...).
2) Using news on progress vs. articles on news.opensuse.org
While writing #1, I was thinking about the difference between the two
"news systems". I would expect that we use the news on progress.o.o
(which is linked on planet.o.o and therefore not invisible to our
"customers") to inform ourselves about new admin stuff (like: "Hey,
our Salt repo got a new formula for handling mysql servers" or "the
new test system for service XX is online"), while we use news.o.o to
inform our users about really cool new stuff (our big outages?),
which go (affect) production.
Is my assumption correct?
3) Status report: openSUSE Cloud in Provo
Currently I'm waiting to get a routing setup done in Provo. After that,
we can start with the first openSUSE service managed by the openSUSE
heroes in Provo by providing a mirror server of download.o.o ! :-)
After that is in place, we should be able to host more services in
Provo - but this depends on the available bandwidth, network ranges,
storage space and legal constraints. Other than that: the hardware is
now in place and can be used, as the mirror server should prove.
The setup is a bit different than originally planned: we run a
virtualization cluster setup there now as we run in Nuremberg already.
So it might not be possible for the Heroes to get "bare metal access",
but instead get root access to virtual machines running there on top of
some hypervisor nodes. Currently it's open if we need to build a private
network there or connect the VMs via openVPN with the ones in
Nuremberg. I would leave this open until we run the first VMs there in
production and get an idea about the needs.
4) Status report: DNS of opensuse.org
The technical part is ready from our current point of view. We are
currently waiting for MF-IT to switch over to our hidden master.
The DNS will be managed by the freeIPA installation that Darix set up a
few weeks ago. So this system - even if not tested ultimately - is
now becoming an important core component of the openSUSE infrastructure!
5) Status report: Monitoring and status page
Thanks to the latest changes from cboltz, the status page should be
nearly ready to go into production mode. (see note #1)
is also set up and the authentication for
the Icinga installation is already using the user credentials from our
freeIPA host (where currently just darix, theo and myself have
accounts - how should we handle this?).
If I don't hear anything back, I would like to start migrating/adding
openSUSE machines to this monitoring instance by the upcoming weeks.
That might need some changes on currently running hosts (as the new
instance uses a new IP address and new certificates) and some
coordination with SUSE-IT (as I also like to move the machines out of
the internal monitoring to avoid duplicate checks) - so please do not
expect very quick updates here.
6) Status update for www.opensuse.org / auth-provider for openSUSE
I had a very short discussion with Matthew in the last days, where we
discussed the move of www.opensuse.org from Provo to Nuremberg. My
explanation below is an attempt at a summary, but might contain some wrong
parts (as I might have had a beer or two too much at the time...;-) - so
please take it with a grain of salt and do not hesitate to add your
fixes where I'm wrong.
The main concern about the move of www.opensuse.org at the moment is the
fact that the auth-proxy for all openSUSE related services is also
somehow behind that URL. So - if we move the DNS entry (point it to
another IP) - we need to adapt the configuration of the auth-proxy as
well, which - in the last try - turned out not to be that easy.
Matt now wants to investigate the problem - and his current idea
is to use that move not only to reconfigure the auth-proxy but to
switch over to a completely new auth-proxy software, that has some more
I'm not sure about the time frame for this new setup, but I would say
it should be worth the delay of the move.
Another option might be to switch to an LDAP proxy, which is in place
already in Nuremberg, for the openSUSE services. But this does not cover
at least Bugzilla or the Features page. So a single sign on is not
possible with this alternative solution. It would also require the adaptation
of all involved services.
With kind regards,