DevOps Meeting 2021-02-25

• DevOps Meeting 2021-02-25
  • Arch-boxes mirroring on mirrors
    • Who
  • SPI follow-up
    • Who
  • Archweb SSO
  • Gluebuddy
    • Actionable
  • Confidential issue
    • Actionable
    • Who
  • Move network manager check to a new VPS?
    • Actionable
    • Who
  • nginx monitoring
  • signstar
    • Who

Arch-boxes mirroring on mirrors

!296 (merged)

Who

• svenstaro

SPI follow-up

We received some kind of document from them but that's about it.

Who

• anthraxx

Archweb SSO

Work is underway to get archweb on Keycloak.

https://github.com/archlinux/archweb/issues/284 https://github.com/archlinux/archweb/tree/oidc

The mapping of Roles/Groups to Django groups/repository permissions for new users seems to work fine on logon, but we need to also handle the case where a user is updated

• We seem to need a periodic role/group syncing from keycloak to django (also for offboarding developers for example)
  • Inspiration: https://gitlab.archlinux.org/archlinux/mail-credential-syncer
• The django oidc library creates a random uuid for the username, as many functionality's in archweb depend on the username we'll use the keycloak preferred_username but this would imply the username is unique.
• For matching users from Keycloak, we currently use the email address, do we guarrantee that a username/email is unique?
• Logging out of keycloak from archweb is a bit tedious and needs to be implemented still.

Make sure that users cannot change their email/username as those values should come from Keycloak?

Gluebuddy

• Mapping of keycloak usernames to GitLab usernames unique?
  • Users can currently change their GitLab username: https://gitlab.archlinux.org/-/profile/account
    • Can be disabled: https://docs.gitlab.com/ee/administration/user_settings.html#disallow-users-changing-usernames
  • GitLab uses sub for uid: https://docs.gitlab.com/ee/administration/auth/oidc.html
• What happens with external auth providers in terms of unique usernames?
• https://www.keycloak.org/docs/latest/server_admin/#_identity_broker_first_login
• Staff keycloak hierarchy and who should be put into the GitLab group

Actionable

• Disable GitLab username changing: https://docs.gitlab.com/ee/administration/user_settings.html#disallow-users-changing-usernames
• Document that username must NEVER be changed

Confidential issue

https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/284

Actionable

• Report upstream

Who

• wCPO

Move network manager check to a new VPS?

!311 (merged) #239 (closed)

Should we additionally consider moving it to a separate machine?

Actionable

• Use the redirect.al.org machine

Who

• Jelle & wCPO

nginx monitoring

I will add nginx-mod-vts to our monitoring, it is sadly a third party module, but it does allows us to monitor status codes, upstream, bytes send, request timings.

https://github.com/vozlt/nginx-module-vts

signstar

Follow up with diabonas

Who

• anthraxx