[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: Hello, I'm Tollef.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I'm part of the DSA team
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,With me today, we have zobel
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,who's also a DSA member
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and we're here to talk a little bit about what DSA does
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and obviously, if you have questions or anything, we'd be happy to try to
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,answer those
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: Try to keep that as some sort of round-table
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because we want a discussion, this is not going to be a talk
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so whenever you have questions, just ask
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: The DSA currently consists of 7 people.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Most of us are in Europe,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but we also have Luca who is in Canada
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,apart from that, paravoid is on "holiday" and ??
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and various other people.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: The duties we have as Debian System Administrators
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,is basically to build and maintain the infrastructure you are all using
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,for running our distribution
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's the general sysadmin stuff;
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we are doing installing security updates,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,keeping machines up to date,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,keeping the hardware running,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,creating accounts for you,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,running DNS and mail.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: One thing we actually don't do is...
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we provide the base, we provide the OS, support for that
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we don't run the services
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so lists.debian.org, we're not the people you want to talk to
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,if there is some problem with spam handling
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Then, you want to talk to this guy
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,who is also a part of the listmaster team
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Similar, bugs.debian.org, the web pages
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We make sure that apache is running
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but if you find typos on the web page,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,if there is a typo don't blame us.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: I don't know how many machines we run in the meantime
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I think it's around 150/160 machines in total, including the VMs.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: No, if you count VMs, it's more like 250
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: OK
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We run those machines currently at about 30 locations worldwide
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Also part of our duty is to deal with hosters and the local admins
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,If they have firewalls running in front of our machines
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we try to convince them to disable the firewall parts for our machines
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so we get to manage that stuff ourselves.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: This is often ??
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we have some locations where the machines are ?? connected for instance
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and this breaks secure NTP
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There are various places where we have to make accommodations
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because it's hard to get the hardware to be another place
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,maybe it's dev boards for an architecture which is being bootstrapped
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,in some cases we kind of have to endure a little bit of pain for that
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but most hosters and most local admins are really nice people
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,really easy to deal with and very very accommodating
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I mean, we don't pay for any of this.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's all sponsored and given to us, free of charge.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We're quite lucky.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: It differs from location to location
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we currently have locations where we have a full rack
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which we can populate with hardware,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,there are other locations where we just have 1 or 2 machines
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,just sitting and doing the jobs for us.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Keep in mind all of us, 7 persons, are not paid to do sysadmin jobs
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We are all doing that on our volunteer time
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So if you speak up on IRC,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,sometimes you will not get a reaction within 5 minutes
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but I think that's mostly clear to all of you.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: Because we have so many machines,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we like automation
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We run puppet everywhere
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It was chosen some time ago
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and it generally does the right thing
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and generally works okay.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This often makes for some interesting problems when bootstrapping
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because apparently ruby is really awesome to bootstrap.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Right, Steve? [laughs]
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Especially on arm.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We also like git
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we have the entire puppet repository in git
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,our domains are in git
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Our wiki is in git
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: Everything.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: Yeah, basically everything can be put into git
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You probably don't want to do it to a database
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but anything else, put it into git
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: We have some sort of account management tool
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which we are currently rewriting called userd-LDAP or ud-ldap
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Luca has done quite a lot of work on the rewrite
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I think it's already handling the generating stuff
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,just rolled out to the debian.org machines
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,all the other parts of ud-ldap are still using the old codebase
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which is ugly to read,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it reads like perl bash, written in python.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,If you have spare time and knowledge in python,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,help us to finish the rewrite jump
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: The new ud is a django project
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So it's fairly nice and well written
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,What ud-ldap actually does is...
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it has a local ldap server which runs on the machine called ??
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which is db.debian.org
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and on there it generates static files which are synced out to all machines.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So even though we're using LDAP for account information,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we don't have a single point of failure.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So if that machine goes down,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it means you can't update your password or your SSH keys
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but you can still login, at various places.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: It also works around network issues between machines
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,If SSH between ?? and the porting machine or whatever,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,you can login to machines.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We monitor our machines using Munin and nowadays Icinga.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We had some performance issues with Munin,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,with the wheezy version, I think it was
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and I think there were other stuff,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Munin works quite well for us
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,In general if there are web pages,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,like Icinga or Munin asking for a password
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,then this is just dsa-guest and either no password or just a random password.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This is just to protect our services against script kiddies
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,or whoever wants to see what his script is doing
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,in effect to the Debian services, not seeing the results directly
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but everyone who knows how the Debian system works you get access to there.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: It's also so that we don't accidentally end up with spiders walking around
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because Munin web interface is generating the graphs on the fly
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and it's using rrdtool and that can consume great amounts of CPU power
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and web spiders are really good at wasting CPU power, for us
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so we want to keep them off those pages.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: To track our issues we currently have with hardware failures,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,with accounts we need to create and so on,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we use request tracker on rt.debian.org
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which some other teams use as well
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You can even mail it, or use the web interface.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Debian developers, I think only, for viewing the web interface?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: For most people it's read-only
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You can interface with request through mail of course.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,If you need to send something there, send it to rt@rt.debian.org
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and make sure to include debian rt in the subject
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,else we'll just throw it away because then it's spam
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's a really efficient spam filter
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Slightly annoying for when you submit the first ticket.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: The last talk we gave about the DSA team
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,was, I think, 2 years ago.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We tried to summarise what we've done in the last 2 years
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,When was that meeting in Oslo, 3 years ago?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: 3 years ago, yes.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: 3 years ago we decided that we want,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,at least the infrastructure hardware
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,not the porting hardware
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,on machines that are under warranty
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so we can open a ticket at HP, IBM or whatever
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and ask them to send replacement parts when hardware breaks.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We use server-grade hardware,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,currently most of the machines are HP machines:
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,80 DL360 DL580
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: They work quite well,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I think we're mostly done with that transition.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It turns out having actual servers,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,rather than something someone put under a desk and forgot about
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,actually makes for less pain and more uptime
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: We try to consolidate the amount of data centres
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we are having core services running in.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So currently we have like 3 to 5 data centres,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we have quite a lot of services running in.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that's: manda; bytemark; grnet, still a little bit;
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,also OSUOSL, UBC.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: UBC-ECE
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Yes. We also have some other places with fewer machines,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but since it's often painful to have a single machine
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,in a location, we try to avoid that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's kind of a tradeoff,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,you want to have enough locations that you have resilience
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but you don't want to have so many that you basically have 2 machines everywhere,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and each time there is a problem
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,you have to deal with somebody you haven't spoken to in 2 years
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because that was when the last problem occurred.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: For the core services we are currently using ganeti for virtualization
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which is some sort of KVM-based virtualization framework.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: It's a cluster manager which came out of Google,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and which works really well.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Its target is clusters from 1 to 50 machines,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,free software of course.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: It works very well for us.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The target where I try to work on in the last few months is
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the single sign on framework web applications.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Thankfully together with Enrico, who helped quite a lot with that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Rewritten the ugly perl code I wrote to a python django framework
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We hope to be able to provide single sign on,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,also for non debian.org web services.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Which with the current software we use for debian.org,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,didn't work out for security reasons.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So let's see where we stand in 2 years with SSO for web stuff.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: We had a problem earlier this year,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that the backup server we had would die and then die and then die,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,with various problems: It claimed to have hard drive errors,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but it looked more like controller errors and so on.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Obviously, running without backups isn't a terribly good idea.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We bootstrapped another backup server but
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it was running at the bytemark data centre
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and because we have many other services hosted there,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that's not a very good situation
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,just because if something happens at that data centre
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and it burns down, suddenly we've lost both the backups
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and the services being backed up.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So a month ago, we got a new machine
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it's hosted at DGI?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: DGI, in Dusseldorf.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: and it's happily chugging along making backups.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We're currently using Bacula for backups,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and it's working okay,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we're having some interesting problems with scheduling of backups
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so we're probably going to need to do something to fix things there.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: Luca is doing the ud-ldap rewrite,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,as already mentioned earlier, we need helping hands there.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I think Paul and Peter are working on the snapshot infrastructure,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,giving especially the QA integration for snapshot.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: We had a donation from Leaseweb, earlier this year.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Similar to the backups, it turns out servers when they grow big enough
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,you get lots of disk dying...
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Linux isn't terribly good at handling this when you get enough of your disks dying.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We had one machine that died,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,with controller failure again!
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We tried to revive it, it wasn't really successful.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So we ended up getting this donation from Leaseweb
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and we then have a small cluster of machines in their data centre
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: snapshot is currently about 23 terabytes
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: something like that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: 30 terabytes in size
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Which is currently the biggest 'archive' we maintain.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We tried to roll out SSL everywhere in the past
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: It's been something we wanted to do for a while,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,to enable HTTPS and so on everywhere,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,even on public and open resources.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It felt, with the - it wasn't really triggered by
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but it was in the same way as the Snowden things.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It was like we should probably actually move forward with this,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because it turns out there are entirely too many people
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,who are TCP dumping too much.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[single applaud]
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We're pushing for more SSL everywhere.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There was a little bit of controversy around this when we did it to people.debian.org
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because it turns out that ??? had some problems with verifying the certificate and so on.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's not a completely uncontroversial and smooth move but
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,sometimes you need to make a little bit of sacrifice
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,to actually get the security we want.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Related to that also, we pushed some bits towards using CDNs,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which also are interesting in the context of SSL,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because you have to give your cert to somebody else,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,there is a tradeoff there.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You kind of have to trust your provider there.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: What we are also doing due to the fact that
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we got a huge donation from Bytemark,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I think one and a half years ago?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It was a full blade centre and 6 MSA shelves
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: 3 chassis plus 3 ??
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: Currently we still have some spare CPU cycles left at Bytemark.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Currently setting up Openstack at the Bytemark datacentre for one or two
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,blades
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,In the end, the idea is that Debian Developers can start VMs there, themselves
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Similar to the VMs we are using for our infrastructure
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So we can more easily migrate debian.net services to debian.org services
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,giving you some sort of common infrastructure we use on debian
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So you can help us to migrate services, or we can help you to migrate
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,from your hardware to the Debian infrastructure
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: Part of the reason that is:
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it turns out running various half-official services
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,on people's home machines and co-lo machines
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,isn't a terribly good idea.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Often they'll run for years and then somebody will get bored
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,or they'll quit debian or they'll go broke,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the machine will burn down... something will happen,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the services disappear and people get upset.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So we try to talk any services that are half-official
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and we would rather move them onto debian.org hardware
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So if you have a service which is kind of a half-official thing
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and you want to make it more official,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and actually have somebody do the base OS maintenance for you
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so you don't have to worry about that,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,then please come and talk to us.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We're quite happy to provide you with reasonable VMs.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: How to contact us.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There are several mailing lists,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,there is a debian-admin@lists.debian.org list where we discussed that this
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,mailing list will more or less be open to every Debian Developer.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Debian devel people can subscribe to that mailing list as well.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There's dsa@debian.org email address,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which we changed due to the fact there was
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,a debian-admin@debian.org and there was quite a lot of confusion
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,about the debian-admin@lists and the debian-admin@debian.org email address.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So we decided to move to a new email alias which is dsa@debian.org
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You can hang around on IRC as mentioned earlier, in the #debian-admin channel
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Feel free to join there if you have any issues,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,just raise them and talk to us.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: Like any people in any teams in Debian,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we obviously have more things to do than we actually have time for.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So help is very much appreciated.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Getting help with sysadmin tasks is kind of an interesting challenge
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because you can't just give out root to all debian.org machines
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,to somebody who shows up and goes:
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,"I would like to rewrite your authentication infrastructure"
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,However, since we keep the puppet repository and so on, in git
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it's at least possible for people to get in and contribute.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Send us patches, show up, discuss things.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,If you think something can be improved,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that's quite likely and we would be happy to discuss how to do that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Documentation is always welcome, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,there is a bit of documentation for things like debile.debian.org and so on. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,But more is always welcome. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Also just hanging out on IRC, answering people's questions Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,is often surprisingly useful. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: We also really want to grow the team, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,from the seven person team we are currently Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We had, a few months ago, spoken to a Debian Developer who Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,- is he here in the room? Might be! - Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,who said he currently does not want to become a member of the DSA team due to Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the fact he has too many other things, other duties in Debian. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Just talk to us and help us, and at one point we'd probably get annoyed with Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,doing too many tasks for you, so we just give out the root access then. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: It's how it usually works in Debian, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,at some point you've contributed enough, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that it's more annoying to merge your patches Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and review them than to just give you access. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So that happens.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: I think that's all about the slides, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so just ask... Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: questions! Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[question1]: I guess this is more DSA Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the listmaster pieces, are they in puppet as well? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: No, the list stuff is not in puppet. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The exim config we are using on debian.org machines is in puppet Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,But lists uses postfix. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Alex Wirt is also sitting here in lecture room, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,he could easily answer your questions for lists.debian.org Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,More questions! Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,No more questions? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[laughter] Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[question2]: As one of the local admins for a bunch of buildds, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I know that every now and again we get asked for stuff opening up, more ports Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because we're one of those evil places with a firewall, even for the DMZ. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Do you actually have a central list of all of things that you want to be able Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,to get access to, you know?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,That kind of thing would be awesome, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that I could just point, say the ARM network sysadmins at Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,instead of every now and again having to say: Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,"Oh and we need this extra thing" Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and then backwards and forwards, because their immediate response is: Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,"Well, why?" Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,If we can give them a list and Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,just give them a notification that Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,there are a few new things we'd like, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it might go easier. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: I don't think we have a list as such. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,What we do have is our firewall config is ?? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So we have a list of things we want to be able to accept on various servers, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,even though we don't have a list as in "Go to this web page and here you have Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,these ports and their justification", we can generate that. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So yeah that's a good idea, we should do something like that. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[question3]: Can you explain more about your backup system? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I think you covered it very briefly.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: We have bacula, it's a centralised backup system using, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it's kind of mix of push and pull, in that you have a central director Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which tells the machines that are to be backed up, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that you are now going to be backing your things up Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,to this storage daemon over here. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Then it also tells the storage daemon, that please expect a connection from Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,this machine. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We run the director, which is this central component, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that runs in adm in Bytemark. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,The actual storage is at DGI Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and obviously the various machines being backed up are everywhere. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,One of the painful things about bacula is that it thinks, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,even though we are backing up to hard drives, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it still thinks we are actually backing up to tape drives Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and that makes for, the nicest thing about hard drives is that generally you Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,don't really have seek time in the same way you have seek time on tapes. 
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So you don't care about rewinding tapes and switching to a different tape, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that's called "opening another file" and it doesn't take very long. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We also have the problem that bacula doesn't have the concept of- Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,if you look at a backup system like backuppc, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it never does full backups, it will only do incremental backups Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and then has a hardlink farm. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,bacula will do a full backup, then incrementals Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,then a full backup then incrementals. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,This makes less sense when you have hard drives Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,than when you have tapes. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Also the scheduler isn't very smart, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,if it can't back up a machine for some reason Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,then instead of rescheduling that back up Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it will, depending on how you configure it, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it will then just skip it.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Some of our hosts actually don't have that good connections, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so when you're trying to do a full backup, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which can take 24 hours, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,you really don't want that TCP stream to be disconnected Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because then you've lost that full backup. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,And also it ends up batching the full backups so they're very clustered Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,rather than being nicely spread out. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,One of the things we're looking at is writing a different scheduler for bacula Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,just to basically tell it: "please do a full backup of this host, now." Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,rather than relying on the built-in scheduler. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: (inaudible) Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[question3]: I'm the maintainer of a package called 'bup' Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's not a full-fledged backup system with a scheduler, et cetera Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but it does use for its backend, git packfiles rather than tapes Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,If you're interested in git, maybe some interesting technology to take a look at Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: Last time I looked at bup, it didn't actually support expiring backups Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Which makes for some pain.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[question3]: There are some workarounds, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but it's one of the limitations currently Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: For us, that would mean we would run into- Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I'm sure ?? or ?? would be very happy but I'm not sure that Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,our treasurer would be as happy. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We need the ability to expire backups, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,just because we don't have infinite sized hard drives Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and backups are actually quite big. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: One of the other issues with bacula is that currently all of the full Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,backups run at the same time Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so we run into some sort of ?? limitations Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which it's not an issue but it's annoying that Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,all machines are doing the full backups at the same time. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Any other questions? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[question4]: You touched on it earlier, Single Sign On Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,What services are next for that? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: Don't run away from the mic! Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Enrico]: I'll answer that as far as I know Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,many people may have different plans.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Single Sign On is currently using DACS, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which I would suggest against, in general... Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[laughter] Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Having looked deeply into it, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it probably seemed like a good idea at the time Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but the internet moved in a different direction. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,But DACS is still useful because it's an apache thing Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so one can just put a directory of static files under DACS Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and that can be done quite reasonably simply. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,At DebConf I want to discuss with the currently available DSAs Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,about finishing the DACS setup, putting the basic stuff in puppet Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and making a guide for deploying new stuff. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Any Debian Developer that deploys services can set up DACS Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,reasonably easily, but the way that I see we should go in the future Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,is OAuth 2, which is what we are using for the conference thing. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Because that is a bit more like a standard that may work now Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and which hopefully supports log out! 
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[laughs] Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which DACS does not do very well. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I have not studied OAuth 2, so I'm not interested, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it won't be me who does it. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,If any of you knows OAuth 2 and wants to sit down with me and explain it step Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,by step during DebConf, then please I would like to migrate NM and Debian Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Contributors to OAuth 2, if at all possible. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,But I do want to understand the protocol before I touch it. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So the direction as far as I'm concerned, will be OAuth 2. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We may get stuck with DACS, because it integrates with apache Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but I'm not comfortable with it and there are too many hacky things Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,to make things work as expected. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I wish, my personal dream would be to at some point move to OAuth 2 and then Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,replace DACS with just an OAuth 2 provider.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: Other limitations of our current DACS set up Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,is that it only works for the debian.org domain Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,otherwise we would need to give out credentials, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,there is some jurisdiction key and federation key, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so we would need to give out access to them to the debian.net services. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,That's one of the other limitations of our current DACS set up. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So probably OAuth 2 might be the way to go. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,But in the end it's up to you and Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the Debian Developers helping to extend the single sign on. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Enrico]: As new DACS services, ?? set up something that uses DACS Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: It's a new PTS implementation Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I think he just wants to if a person is logged in Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,then he can modify some news on the new PTS implementation and so on. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Enrico]: One good thing with DACS at the moment, is that login is optional Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and it totally supports serving a site as it is Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and if one is logged in, in single sign on then more stuff can happen. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: I think OAuth 2 is a better thing for the wiki to do. 
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Enrico]: Does Moin do OAuth 2? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Steve]: (inaudible) Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: I think I looked that up a few months ago and I think it supports OAuth 2. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Enrico]: DACS will give you a remote user variable, so in theory it's easy Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but if it does OAuth 2, then it's more future proof in my opinion. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Steve]: The fun thing with the wiki as well Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I was going to touch on this in my Wiki and Web BoF Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,(see advertising too!) Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We've also currently got, like thousands of existing user accounts. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Now obviously for people who've already got Alioth or a Debian LDAP account Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,then we will encourage people to merge and just move over to those Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but for the many thousands of others who haven't, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we're going to have to come up with something. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I don't know what that is. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: I don't have any response to that on the spot. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's tempting to say, they can just get themselves an Alioth account. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Some people might be upset at that answer.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I guess there's also the question of how many Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,of these accounts are actually active? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Rather than somebody registered back in 2005 Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and haven't used the account since. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Enrico]: I'd be happy to have a conversation about this during DebConf. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Because for Debian Contributors, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I require to have an Alioth account to get credited in site Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because I don't want to have a user database in Debian Contributors. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It may be too much of a strict requirement, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it may be that we just document that if you do Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,anything in Debian you get an Alioth account. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Let's talk about it, separately. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: In that case, I think we need to have a conversation with my other hat, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,which is that hat of various other people, which is the Alioth admin hat. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Steve L.]: As the person who inflicted Alioth logins on everybody for DebConf Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,this year, I have been getting feedback that, in particular the sign up Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,process for Alioth is a bit of an obstacle. 
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So there are a few things there, which I think we should talk about Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,streamlining. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,As the person who decided that we were, for this year, moving away from Penta Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and moving to Summit, no I did not want to have an authentication database. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I didn't want password hashes in Summit Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and so I said yes, we're going to have to figure out how to hook this up to Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Debian SSO and the consequence of that was, yes: Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we had the Debian SSO which was only available to Debian Developers Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Alioth was the other database that was out there Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and so I guess, my fault, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I apologise for anyone that was stressed about the rollout of that Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because I didn't entirely co-ordinate with all of the parties ahead of time Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but I think it's hanging together fairly well. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,But we should talk sometime this week about where we should go forward with Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that and if Alioth is the right authentication provider.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,But I think it's important we agree there be an authentication provider, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,for these kinds of services, whether that lives in Alioth or somewhere else. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Enrico]: With a flat namespace. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Steve L.]: With a flat username space, yes. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Which we kind of have, today Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Enrico]: (inaudible) Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Steve L.]: The way OAuth provides them is Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,you get the domain name with it Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So in fact all Debian Developers have two different- Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's a "flat namespace" and DDs all have two they can use. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[laughter] Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: More questions? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[question5]: You mentioned that all our hosting is sponsored by the hosts Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and we get some hardware donations at least. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I think we, we buy some, as well, don't we? 
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,My question isn't really about that, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it's about how much support do we get- Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,there's 1.5, well 2, tending to 1 hardware manufacturers on the sponsors there Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,-how much support do we get from them doing interesting stuff. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I'm thinking, you mentioned we get fairly regular controller failures on some of our hardware Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and all of the sponsors we've got have got nice but hard to set up multipath things. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It seems to me it would be interesting and for them Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,to set things up like that, on the Debian infrastructure. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Is that kind of thing possible, or? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: Yeah, so we do have that in some places Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Like the Bytemark set-up, the UBC-ECE set-up and so on Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There we have a SAN, we have a bunch of machines Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and either it's doing SATA or it's doing Fibre Channel Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: iSCSI Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: iSCSI, as well, yeah. 
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So we do have a bunch of that, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,the problem is if you want to do data storage Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,where you have available 25 terabytes Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and you want to do that on a SAN, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that's very not cheap, that's really quite expensive. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,That's a reason why those machines with special storage requirements, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,like backups and snapshot, basically, they're different. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,That's also why they need those two machines, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,they have like 5 controllers each, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,that's why they are different in that regard. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We do get a bunch of sponsorship from the hardware vendors, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,we usually buy HP gear, mostly because we've had good experience with it Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and it generally works Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: We had good connections at HP. 
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: We also had historically good connections, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,they've been good about giving us hardware in the past Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,they are happy to sponsor Debian and DebConf Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,both in actual terms of money given to us, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but also in terms of pretty nice prices. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I don't think we've actually approached them about saying, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,"could you please give us this enormously expensive piece of hardware?" Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It's often hard for them to give that away, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because it has to come out of somebody's budget Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and somehow they don't have large SANs just hidden under their desks. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: More questions? Criticism? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[question6]: Hi, I was just curious about your mail infrastructure. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,It doesn't look like you use DKIM or SPF, or DMARC records. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Do you have plans for any of that? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: There's been some experimentation with domain keys. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Luca has been playing with that. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,There's this interesting ?? Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,?? we generally don't provide outgoing SMTP for random people,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,because that's painful. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: We are not a mail provider. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: Yes, obviously you get a @debian.org account Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,You get incoming email, which we then forward onto somewhere Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,where you'll hopefully remember to update that when that account expires Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,rather than giving us bounces. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,That's a big change, which we forgot to mention Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,is that we are actually in the process of reworking the entire way we do mail Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We have drastically reduced the number of incoming mail servers, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so now most mail now goes to a set of two MXs. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: It will increase in the future. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,At MIT, we will open up one more mailserver. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: Well, we can. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Currently we have two and then if there is special mail routing needed, Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,it will be routed to the right internal host. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,But most hosts no longer listen for incoming mail from the internet. Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Which is a good thing.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Not only because it means we don't have to run spamassassin everywhere.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: Peter did this DANE, SMTP thing
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,weasel, Peter, wanted to do ?? DANE encryption ?? for outgoing mails.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So we're experimenting with a bunch of things.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,What I was going to say about domain keys,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,is that because we don't provide outgoing mail servers,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,you need to be able to provide the infrastructure
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,with what your key is going to be.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Luca has been working on some patches to ud-ldap to do this
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so it can show up in DNS and so on.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,So yes, things are happening.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,If you're interested in that, do grab us and we can talk more about it.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: I think we are done because the timer's almost over.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I have one small announcement to make.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Luca offered some RIPE NCC Atlas notes to give away
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and the persons who applied for those notes
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,and got into the list of getting those notes,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,please come to me, talk to me directly after the talk
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,so I can hand out those notes.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Because Luca is not here at DebConf14 this year.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Anibal]: Any plans to use Yubikeys?
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: I'm part of the maintainer team of yubikey tools in Debian
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I would very much like to use them for some things.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,We need to find out how they should best fit into the infrastructure
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,if we're going to do that.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,One thing that has been mentioned is,
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,for some cases we want to do actual two-factor.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,Currently there is no two-factor authentication anywhere.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: Help us set up that infrastructure
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: There are no concrete plans
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,but yes, we are very much aware of yubikeys
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I'm kind of looking for good places to put them in.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,I like them. I like both the company and the product.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,They are also quite happy to sponsor free software stuff.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: I think we are done.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: I think we're out of time
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[zobel]: Thank you for being here.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[Tollef]: If you have any more questions, grab us afterwards.
Dialogue: 0,9:59:59.99,9:59:59.99,Default,,0000,0000,0000,,[applause]