== Agenda ==

Items we will be discussing:

 * Review ACTION points from previous meeting.
 * Review progress made on the specification listed on the [[ServerTeam/Roadmap| Roadmap]].
 * Open Discussion.
 * Agree on next meeting date and time.

== Minutes ==
## Use title4 (ie ==== ) for each section of the minutes
## Only topics discussed during the meetings should be put in the minutes.
## Status reporting is done via another channel.

==== Add 'status' action to server init scripts ====

kirkland created [[InitScriptStatusActions| a wiki page]] to keep track of the different packages that should implement a status action in their init script. He also added a recipe explaining how to implement a status action in an init script.

ACTION: kirkland to update the init script wiki page with a list of packages that should be fixed.

==== Augeas ====

nxvl reported that the augeas package was published in the Ubuntu archive. It was also accepted in Debian. The next step is to write more lenses. nxvl set up a [[UbuntuCentralizedServiceAdministrator/Augeas| wiki page]] to keep track of the lens-writing effort. He also looked into the [[http://config-model.wiki.sourceforge.net/|Model:Config]] project. He plans to package it once Augeas is supported.

==== Encrypted ~/Private Directory in Each User's Home ====

kirkland reported that most of the MIRs had been written. He is also using an auth-client-config profile to set up the PAM configuration correctly. He updated the [[https://wiki.ubuntu.com/EncryptedPrivateDirectory#head-4a2aa7460fdca18bfe78bb1283becff406bbc13c|testing instructions]] and is looking for more testers.

==== Migrate new installs and upgrades of client and server packages to use SSL v3 or TLS ====

ivoks made a list of packages that need their configuration updated. He added it to the [[MigrateOffSSL2| wiki page]]. There was some discussion about dropping support for SSLv2 in the openssl package, rather than modifying each package. mathiaz suggested that it may be worth having a session about this proposal during the next UDS, or at least starting a conversation on the ubuntu-devel mailing list.

==== Integration of SASL and Postfix ====

ivoks looked briefly into it: since Postfix is jailed, giving it access to the SASL daemon socket is the main issue (which is the same problem as with Dovecot SASL).

ACTION: ivoks to discuss cyrus socket integration with lamont.

==== Review ServerGuide for Intrepid ====

sommer updated the samba section in the Ubuntu Server Guide. mathiaz looked into creating a bzr branch of the server guide after discussing the handling of translations with LaserJock. He is still working on figuring out a simple workflow for new contributors.

==== Agree on next meeting date and time ====

Next meeting will be on Tuesday, July 22nd at 15:00 UTC in #ubuntu-meeting.

== Log ==

{{{
[16:01] Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
[16:01] \o/
[16:01] _/\_
[16:01] ___ ?
[16:01] dendrobates: scoliosis?
[16:01] hello
[16:02] https://wiki.ubuntu.com/ServerTeam/Meeting
[16:02] \o/
[16:02] _/\_
[16:02] /o\
[16:02] nealmcb: thanks for the meeting agenda
[16:02] :)
[16:02] last meeting minutes: https://wiki.ubuntu.com/MeetingLogs/Server/20080708
[16:02] kirkland: updated the lsb section
[16:03] mathiaz: i certainly did, big progress there
[16:03] mathiaz: actually, broke it out to its own wiki page
[16:04] mathiaz: just waiting on one more change to the library function to make it upstream
[16:04] mathiaz: could i perhaps call for volunteers from the community to help with other init scripts?
[16:04] the new page to track all of this: https://wiki.ubuntu.com/InitScriptStatusActions
[16:04] mathiaz: the changes are pretty simple
[16:04] hello
[16:04] mathiaz: good patch practice
[16:04] mathiaz: while still being very useful functionality
[16:05] all: there's a recipe on the page mathiaz mentioned
[16:05] cool
[16:05] kirkland: do you have a list of other services that need to be updated ?
[16:05] mathiaz: I'll grab that by next week. owh created that list for hardy some time ago
[16:06] kirkland: I see only references to bugs that have already been fixed
[16:06] kirkland: i will, i'm a little busy this days so i have just a little time at nights for contributing, and init scripts take me just little time
[16:06] :D
[16:06] mathiaz: see the link to Onno Benshop's page
[16:06] but i thing a list of pendients will be really usefull
[16:06] https://wiki.ubuntu.com/OnnoBenschop/ubuntu-server/init.d-status
[16:07] on a quick look
[16:07] i don't understand that page
[16:07] i'll nail down a good list
[16:07] by the next meeting
[16:08] kirkland: awesome
[16:08] [ACTION] kirkland to update the init script wiki page with a list of packages that should be fixed.
[16:08] ACTION received: kirkland to update the init script wiki page with a list of packages that should be fixed.
[16:08] nxvl: any news on the augeas front ?
[16:08] and i'm going on holidays the week after the next one so i will have more time
[16:08] mathiaz: a lot
[16:09] ok
[16:09] augeas is already on the archives
[16:09] it has been acepted an included already
[16:09] also i got it accepted on debian
[16:09] thee is a session about augeas at OLS that I will go to
[16:09] and it reched the archives on sunday IIRC
[16:09] or yesterday maybe
[16:10] raphink has been working on some lenses
[16:10] nxvl: great - so the next step is to write more lenses
[16:10] any more feedback from ebox on augeas?
[16:10] and he's reviewing them with lutter (the upstream PL)
[16:10] mathiaz: yes it is
[16:10] debian too - great!
[16:10] nealmcb: there are still to few lenses
[16:10] nxvl: great !
[16:11] nealmcb: i think it will better to write more of them, and then ping the eBox team again
[16:11] also
[16:11] i have been mailed about Model:Config
[16:11] nxvl: could you add a point to the roadmap about augeas integration ?
[16:11] http://config-model.wiki.sourceforge.net/
[16:11] LINK received: http://config-model.wiki.sourceforge.net/
[16:11] https://sourceforge.net/project/screenshots.php?group_id=155650
[16:11] and they said it will support augeas soon
[16:12] so i'm waiting for it to start palying
[16:12] if they made it soon, i think we can have UCSA for intrepid+1
[16:12] at least the first version
[16:12] mathiaz: doing it right now
[16:12] nxvl: could config-model be integrated with augeas ?
[16:12] nxvl: it seems that both would fit well
[16:13] nxvl: the blue section could use augeas and its lenses
[16:13] nxvl: I'm refering to the picture at http://config-model.wiki.sourceforge.net/
[16:14] hm - nm - I've just noticed that augeas is being integrated in Config::Model
[16:14] great minds thinking alike :)
[16:15] nxvl: do you think about packaging config-model ?
[16:16] sorry, needed to minimize the window
[16:16] * nxvl read the questions
[16:17] mathiaz: yes, they said they are planning on supporting augeas
[16:17] for me that's really important since augeas will let us manage the config files AND let the sysadmins edit them by hand
[16:17] without breaking anything
=== gnomefre1k is now known as gnomefreak
[16:18] i'm in contact with config-model upstream, so i'm waiting for them to support augeas and keeping an eye on it
[16:18] and yes
[16:18] i have planned on packaging it BUT after having a good amount on lenses
[16:18] and after it supports augeas
[16:18] nxvl: waiting for support augeas may be a good thing
[16:19] nxvl: I wouldn't wait for a lot of lenses
[16:19] yes, that's true since we can start playing with just few lenses
[16:19] but
[16:19] nxvl: having config available would show case what can be done with augeas
[16:19] also i have an exchange of mails with them
[16:19] nxvl: and thus trigger more interest in writing lenses
[16:20] and lenses will not be the only think needed, it will also need a model on config-model, which keeps the logic behind the config files managment
[16:20] which seems pretty fair to me
[16:20] since just config files managment isn't enought
[16:20] nxvl: sure
[16:21] oh! ok
[16:21] i understand what you mean
[16:21] yes, it sounds awesome for me
[16:21] but still we need to wait until it support augeas
[16:21] which i hope will be soon
[16:22] nxvl: yes - I'd suggest to wait for augeas support and then package for ubuntu
[16:22] ep
[16:22] will do
[16:22] :D
[16:22] i wil keep track of it next week
[16:22] since this week i'm in final exams
[16:22] nxvl: great - thanks
[16:22] let's move on
[16:23] so next week with one think lees to care about i will give ucsa the time i was giving to the university
[16:23] [TOPIC] Encrypted ~/Private Directory in Each User's Home
[16:23] New Topic: Encrypted ~/Private Directory in Each User's Home
[16:23] kirkland: ^ ?
[16:23] mathiaz: in good shape
[16:23] mathiaz: MIRs nearly done
[16:23] mathiaz: ie, nearly approved
[16:23] kirkland: testing instructions are up-to-date ?
[16:23] kirkland: did you resolve the pam stack issue ?
[16:23] mathiaz: need to clean up some sprintf's in one of the the libraries, other than that, all approved
[16:24] mathiaz: we're using jdstrand's auth-client-config as a temporary work around for now
[16:24] mathiaz: slangasek has a comprehensive pam stack configurator in his head, he's trying to put together for intrepid
[16:24] mathiaz: wiki testing instructions are most definitely up to date
[16:24] mathiaz: i would very much appreciate any intrepid server users out there using/testing it!!!
[16:25] kirkland: ok - so thre is a workaround even if the pam integration doesn't make it for intrepid
[16:25] kirkland: is there a link for the testing?
[16:25] sommer: https://wiki.ubuntu.com/EncryptedPrivateDirectory#head-4a2aa7460fdca18bfe78bb1283becff406bbc13c
[16:25] kirkland: thx
[16:25] mathiaz: hmm, there's a one liner that the sysadmin has to run, specifically:
[16:25] kirkland: I plan to write a blog post on ubuntuserver asking for testing
[16:25] mathiaz: sudo auth-client-config -p ecryptfs_standard -t pam-auth,pam-session
[16:25] mathiaz: it's a one time deal
[16:26] mathiaz: i think we're running into debian policy problems, with one package needing to modify another package's config files
[16:26] kirkland: can't you call that from the posting ?
[16:26] kirkland: *postinst*
[16:26] mathiaz: i'm under the impression that Debian Policy says no
[16:27] mathiaz: libecryptfs0 package provides pam_ecryptfs.so
[16:27] kirkland: it is a command line, not a change to the conf
[16:27] kirkland: IIRC, since it's a command you could use it
[16:27] mathiaz: it needs to make two modifications, to /etc/pam.d/common-auth, and common-session to make the unwrap passphrase work correctly
[16:27] kirkland: you may wanna ask slangasek about it though
[16:27] only if you could revert the change from pre/post-rm, right?
[16:27] mathiaz: slangasek would not like it done that way
[16:27] kirkland: ok
[16:27] mathiaz: it will be our fall back for intrepid
[16:28] right - let's move on
[16:28] [TOPIC] Migrate new installs and upgrades of client and server packages to use SSL v3 or TLS
[16:28] New Topic: Migrate new installs and upgrades of client and server packages to use SSL v3 or TLS
[16:28] ivoks: you made the list
[16:28] yay
[16:29] so, basicaly, this can be done per package or in openssl
[16:29] ivoks: there are only a couple of packages
[16:29] ivoks: what would be required in openssl ?
[16:29] if we would drop sslv2 from openssl, we would solve all problems
[16:29] surely except for upgrades?
[16:29] openssl can be compiled without SSLv2
[16:29] and this is the problem
[16:30] we cant go with openssl compile changes cause of upgrade
[16:30] but we can do per package configuration change on fresh install
[16:31] mathiaz: right, only couple of them; if you think of any other that provides SSL, please add it to the list :)
[16:31] sslv3 would have to conflict with sslv2?
[16:31] no
[16:31] what if I have a client that only speaks v2?
[16:31] most of the services provide sslv2 and sslv3
[16:31] I would not like to be locked out at openssl level
[16:31] in most of the cases, clients asks for sslv2
[16:31] ivoks: right - dropping sslv2 from openssl should definitely be discussed on ubuntu-devel
[16:32] nijaba: then that client is very broken
[16:32] ivoks: I think the path you suggest is safer and more reasonable for intrepid
[16:32] sslv3 is here for a decade
[16:32] ivoks: right, but there are a lot of very broken thing in the enterprise
[16:32] ivoks: ie do it on a per-package basis
[16:32] I kind of like the idea of just dropping v2 from openssl. It does make me cringe a little about breaking people, but it's a sure way to make sure it's off. :P
[16:33] dropping sslv2 may be worth discussing at next uds
[16:33] mathiaz: and i would go only with service providing packages; ie, not with clients
[16:33] for the intrepid timeframe, we'd better focus the per-package approach
[16:34] right... in most cases, changes are trivial...
[16:34] ivoks: excellent - the list of package is there.
[16:34] some packages will require code changes; uw-imapd
[16:34] What about providing two openssl packages? One with and one without v2.
[16:34] it seems like per-package would be more accepted by Debian upstreams too
[16:34] Brazen: that seems too complicated
[16:34] ok
[16:35] i'll provide patches for all packages on the list by the end of the week
[16:35] ivoks: do you know which packages are easier to do ? like the one that don't require src code changes ?
[16:35] and then i'll examine what else we have in universe :/
[16:35] ivoks: great - thanks for this work
[16:35] mathiaz: all packages listed on wiki need 1-2 lines in config
[16:36] let's move on
[16:36] :)
[16:36] [TOPIC] Integration of Dovecot SASL and Postfix
[16:36] New Topic: Integration of Dovecot SASL and Postfix
[16:36] ivoks: have you looked into cyrus sasl integration ?
[16:36] i tought we decided to replace that with Cyrus SASL
[16:36] mathiaz: i have couple of cyrus sasl production enviroments
[16:36] and i think everybody who played with email servers know how to set it up
[16:37] ivoks: correct - I've renamed the task to :Integration of SASL and Postfix
[16:37] i need to run, read you all guys!
[16:37] * nxvl HUGS everyone
[16:37] only 'issue' is to package it right
[16:37] nxvl: bye; good work ;)
[16:37] since our postifx is jailed, we'll have to bind mount cyrus socket
[16:38] and that brings us back to the core of dovecot's sasl 'problem' :D
[16:38] with one exception; cyrus sasl is configured for sasl out of the box
[16:38] ivoks: right - could you discuss this issue with lamont ?
[16:38] so, we should just bind it's socket to postfix
[16:38] sure
[16:39] ivoks: great - thanks
[16:39] it was my pleasure ;)
[16:39] [ACTION] ivoks to discuss cyrus socket integration with lamont
[16:39] ACTION received: ivoks to discuss cyrus socket integration with lamont
[16:40] that's all there is on the Last meeting minutes
[16:40] let's move on to review progress made on the specification listed on the Roadmap.
[16:40] https://wiki.ubuntu.com/ServerTeam/Roadmap
[16:41] [TOPIC] Track pages on help.ubuntu.com that need to be updated
[16:41] New Topic: Track pages on help.ubuntu.com that need to be updated
[16:41] sommer: ?
[16:41] err, not much progress with the wiki
[16:42] the samba sections of the serverguide are updated though :)
[16:42] except for integrating with AD, but that's coming soon
[16:42] sommer: awesome - I discussed with LaserJock about bzr branch
[16:42] sommer: I haven't done more work on that front
[16:42] sommer: but we don't need to keep the .po files in the bzr branch
[16:43] mathiaz: that's cool, I briefly looked at it and didn't get too far either
[16:43] sommer: we'd just had to pull them from lp when releasing a new package
[16:43] sommer: I'd put that in the release process rather then working on the package itself
[16:43] mathiaz: gotcha, seems pretty straight forward
[16:44] sommer: the difference between an upstream write (just using the bzr branch to update the server guide content)
[16:44] sommer: and the package maintainer that is responsible for pulling all the things together (with the translateion)
[16:45] sommer: dropping the po files would make the bzr branch a few 100k
[16:45] sommer: making branching super-fast
[16:45] super fast is good
[16:46] mathiaz: do you have time to do the packaging or are were you looking for help with that... because I'm very willing to help
[16:46] sommer: I'll make more experiments about branches to see how we can organize the branches
[16:46] mathiaz: sounds good, I'll keep at updating the content
[16:46] sommer: I could figure out the packaging bits, but I'd aim at someelse to do the package maintainance
[16:47] sommer: I'll work on the whole workflow
[16:47] mathiaz: very cool, just let me know how I can help
[16:48] sommer: sure
[16:49] [TOPIC] Boot Support for Degraded RAID
[16:49] New Topic: Boot Support for Degraded RAID
[16:49] kirkland: ?
[16:49] mathiaz: working on it at the moment
[16:49] * nijaba hugs kirkland
[16:49] mathiaz: it looks relatively containable
[16:49] mathiaz: I'm hoping for patches this week
[16:49] mathiaz: hoping to have patches for review by this week, i mean
[16:50] mathiaz: there's been some misinformation in the bug/wiki
[16:50] mathiaz: I'm trying to wheedle through that
[16:50] kirkland: ok - great
[16:50] let's move on
[16:50] [TOPIC] #
[16:50] Open Discussion.
[16:50] New Topic: #
[16:50] [TOPIC] Open Discussion.
[16:50] New Topic: Open Discussion.
[16:50] anyone wants to add something ?
[16:51] I had a question about kerberos... are we recommending heimdal for intrepid?
[16:51] sommer: nope - MIT is in main
[16:51] sommer: that's the version that is supported
[16:51] sommer: heimdal is in universe
[16:52] mathiaz: cool, answers that quesiton, thanks
[16:52] that's all I had
[16:55] [TOPIC] Agree on next meeting date and time
[16:55] New Topic: Agree on next meeting date and time
[16:55] next week, same time, same place ?
[16:55] * nealmcb will be at oscon next week
[16:56] this time works for me :)
[16:57] * nijaba at oscon too
[16:57] all right - so same place, same time, next week
[16:57] who wants to compensate me for hours lost at work and fly me to Oregon?
[16:57] nijaba: see you there :)
[16:57] lukehasnoname: where do you live?
[16:58] TX
[16:58] ooh, drive up to Wichita, KS and we can carpool :D
[16:58] #endmeeting
}}}