From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2010-November/000815.html | 160 ++++++++++++++++++++++++ 1 file changed, 160 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2010-November/000815.html (limited to 'zarb-ml/mageia-sysadm/2010-November/000815.html') diff --git a/zarb-ml/mageia-sysadm/2010-November/000815.html b/zarb-ml/mageia-sysadm/2010-November/000815.html new file mode 100644 index 000000000..ab3d67170 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000815.html @@ -0,0 +1,160 @@ + + + + [Mageia-sysadm] progress of the night + + + + + + + + + +

[Mageia-sysadm] progress of the night

+ Michael Scherer + misc at zarb.org +
+ Tue Nov 23 05:14:57 CET 2010 +

+
+ +
Hi,
+
+so, following the meeting of yesterday, here is a new summary :
+- svn ldap access is ready to roll, the module pam::access_commiters
+should work fine. 
+
+I have finally found the issue after a long journey in the code of
+openssh and pam_ldap. just for the record, if someone one day see that a
+pam module do not work because openssh give " #010#012#015#177INCORRECT
+" as password to your pam module, this is because there is a error
+before ( in my case, the shell was not installed and this caused openssh
+to overwrite the password to protect from timing attack, see
+pam_auth.c ).
+
+example :
+node svn-server {
+  include pam::commiters_access 
+}
+
+this should give access to people from the mga-commiters group, by
+forcing the restricted shell on the server that include the class.
+
+- I have also rewrote the restricted shell module.
+
+Following the previous example, you cannot connect to the server.
+Someone also need to autorise the access, by adding :
+
+node svn-server {
+  include pam::commiters_access 
+  include restrictshell::allow_svn 
+}
+
+We can for now use git, svn, repsys ( pkgsubmit ), scp, sftp and rsync.
+The 3 last one are not tested, and default configuration requires
+tweaking for filtering the path. There is also support for cvs, but I do
+not think we will use it.
+
+So basically, we could deploy pam::commiters_access , add the proper
+class for svn access, and let people use the svn. We just need to
+migrate the local account to ldap, and setup the ssh keys by ourself.
+
+The next steps are :
+1) add support for ssh keys handling to catdap
+2) deploy a cronjob to checkout keys from ldap to the fs
+this part is half done, but if people have suggestions, do not hesitate
+( I am not much in favor of using patchs on openssh like openssh-lpk
+since they are not upstream )
+
+I would also like that we start to use the class subversion::repository,
+as there is lots of goodies included ( and I need to add more ).
+
+
+Regarding the mailling lists  deployment, I have started to work on
+spamassassin integration, using amavis ( as this is the safest way i
+know ). Unfortunately, my knowledge is either out of date ( ie, no more
+rules_du_jour ) or already setup ( ie all plugins that I usually used
+are loaded by default ). So the only customization I have added is rules
+compiling from perl to C. I guess I will also look at enabling pyzor,
+and maybe others tweak on postgrey as suggested by Luca. 
+
+I didn't tested anything, so if someone deploy it while I sleep, please
+test before :). But as i think the default setup should just work fine,
+it should not cause real trouble. ( on the other hand, we may need to do
+more test on postfix ).
+
+next steps will then be :
+1) to test and validate the setup 
+2) to create 1 mailling list for testing and to see how and what we can
+tweak it ( ie, a guinea pig ml ) 
+3) to migrate one by one the current mailling list :
+  - subscribers
+  - web archives, if possible by preserving url ( I guess we can do some
+magic on zarb side for this )
+  - gmane 
+Mailman can give use archives with mbox, there is ( iirc ) static html
+page for web archives, and we have some basic tools to fetch the
+configuration.
+
+There is currently 12 mailling lists.
+
+( blino also did some work, but I will let him talk of this, like :
+- explaining the cooldron idea
+- the vhost "repository" ( and that he need to add it to dns /o\ )
+
+-- 
+Michael Scherer
+
+
+ + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+
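Review bot: The commit message is only the subject line "Add zarb MLs html archives", with no body saying where zarb-ml/mageia-sysadm/2010-November/000815.html was exported from or whether it is an unmodified copy of the list archive. This is generated HTML added as a new file (160 insertions against /dev/null), and the subject says "archives" while this view is limited to one path, so a short body naming the source archive and how the export was produced would let a later reader check the committed files against the original. The sender appears in the obfuscated form "misc at zarb.org"; it is worth confirming the rest of the import keeps that form rather than raw addresses.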