Infrastructure Projects

humaton · February 7, 2024, 12:10pm

Fedora Infrastructure Projects

Let’s collaborate to shape a robust and efficient infrastructure that aligns with the evolving needs of the Fedora Project.

ARA

Install and configure ARA in OpenShift with its hook in our ansible repo.

Keycloak

Deploy and configure Keycloak and IPA-tuura in staging OpenShift and configure them with our IPA servers.
Import OAuth2 configuration from Ipsilon
Configure the mapping of IPA attributes to OIDC attributes in IPA-tuura
Test with test-auth
Check how the mapping of AWS groups could be done in IPA-tuura
Follow the implementation of Kerberos auth in IPA-tuura

Badges

It’s unrealistic to hope that the rewrite will be ready before RHEL7 goes EOL. We’ll have to do with the current implementation for a while still.

Docs: current implementation.

Tarhir

Make it use OIDC, like Bodhi
Port to Fedora Messaging (should be simple, see tahrir/tahrir/notifications.py)
Refresh Pyramid (must work on EL9)

fedbadges

Port the consumer to Fedora Messaging

MirrorManager

@abompard is currently working on this

Rework the scripts
Deploy to Openshift
Sanitize the codebase
Maybe make it usable by other distributions??

Easyfixes

It’s currently a static page built in OpenShift by a cron job every hour.

Rewrite with a more dynamic tech, and proper libraries.

Poddlers

The problem with the current Toddlers:

a message that crashes a toddler prevents it from getting processed by all the toddlers that come after it
if one toddler consumes a lot, other toddler pods can be added but they multiply all the toddlers, not only the one that needs scaling
it conceptually re-implements a queue system, except it’s in a for loop:
- messages are stored in memory during processing
- topic matching is done in Python
Convert toddlers to Fedora Messaging consumers so that a crashing toddler does not block the others
Each consumer will be a pod in a single Openshift project
The pod can have as many replica as needed
Each consumer will have separate queues and only be subscribed to what they actually need.

The gitforge problem

Fedora project is currently using pagure as its base for git repositories as well as for distgit implementation. While pagure is getting some traction now, there are other healthy open-source implementations of a git forge.

humaton · February 7, 2024, 12:11pm

Added engineering

humaton · February 7, 2024, 12:28pm

@abompard Does it make sense to talk about ARA in a thread like this?

abompard · February 7, 2024, 12:32pm

Hmm it may become confusing over time when replies to different projects accumulate after one another. Maybe a link to a separate Discourse thread? Not sure.

abompard · February 7, 2024, 12:35pm

The code that is currently running in staging Openshift is here in GitHub.

And this is the result: https://easyfix.apps.ocp.stg.fedoraproject.org/

humaton · February 7, 2024, 1:09pm

Yeah, I had high hopes that nested discussions would be solved by early 21st century.

humaton · February 7, 2024, 1:16pm

We might think about a hackathon/meetup at devconfcz2024, this seems doable over the weekend with the possibility of engagement with a wider audience.

mattia · February 8, 2024, 5:45pm

I think it would be nice to also have on all infrastructure projects a “Login with Kerberos”, like COPR. That way a packager who is already logged in with Kerberos to use fedpkg doesn’t need to login again with OIDC in Bodhi to submit their updates.

BTW, any progress in hardware 2FA (like yubikey) support in noggin?

abompard · February 8, 2024, 5:51pm

In theory, it should already be the case, as Ipsilon is supposed to support Kerberos auth. So it would be redirecting from Bodhi → Ipsilon → Kerberos auth → Bodhi and it should be transparent.

That’s dependant on support in IPA and Ipsilon. Support in IPA is either coming or already there, support in Ipsilon is probably never going to happen, but it’s likely to land in Keycloak at some point. This would be one of the reasons to switch to it.

abompard · February 15, 2024, 11:26am

Alright, so I made a wiki page: Infrastructure/Projects - Fedora Project Wiki. As always with wiki pages, it just needs to be kept up-to-date… I’ll try to do that.

This thread can be used to discuss the page and the general idea of grouping and advertising infra projects. New project suggestions should be made in new threads, but I suppose this one can be used as well if unsure.

kevin · February 15, 2024, 6:28pm

Thanks!

I think it might be good to add ‘kerneltest to python3/fedora-messaging’
(which is currently on rhel7 and needs to be done before rhel7 eol)?

Topic		Replies	Views
Infra and RelEng Update - Week 22 2025 Community Blog	0	92	May 30, 2025
Infra and RelEng Update - Week 17 Community Blog	0	127	April 25, 2025
The future of artifact signing in Fedora Project Discussion infrastructure-team	2	122	April 18, 2025
Infra and RelEng Update - Week 16 2025 Community Blog	0	96	April 18, 2025
Improving contribution to Fedora Infrastructure Project Discussion infrastructure-team	7	596	April 14, 2022