Time
S
Nick
Message
01:49
jri joined #dataverse
06:44
icarito[m] joined #dataverse
07:45
jri joined #dataverse
10:05
icarito[m] joined #dataverse
11:53
donsizemore joined #dataverse
11:55
donsizemore
@pdurbin gonna make the default a port 80 ajp proxy with inverse redirectmatches for external services, with the option to enable an ssl redirect but leave cert generation up to the end user (for now). baby steps?
11:55
pdurbin
Just so I understand...
11:55
pdurbin
apache on port 80
11:56
pdurbin
proxypass dataverse to apache
11:56
pdurbin
dataverse also on 8080
11:56
pdurbin
apache on 443 with self signed cert
11:57
pdurbin
is that right? that's how I have phoenix set up too
11:58
donsizemore
@pdurbin well, your issue wants valid certs so i wasn't going to go self-signed
11:58
donsizemore
@pdurbin but i can if you like
11:59
donsizemore
@pdurbin letsencrypt wants an assertion of control over the domain
11:59
donsizemore
@pdurbin i was just going to pop everything onto 80 by default, with the option to configure 443
12:00
pdurbin
If you do it in a branch I'm happy to spin it up and take a look.
12:01
donsizemore
yis
12:01
pdurbin
Sorry, by self signed I meant whatever is spun up in ec2. It's a fake ou, etc. I forget what it's called.
12:01
donsizemore
it's all snake oil
12:01
pdurbin
maybe "someOrganization" or whatever
12:02
donsizemore
so invalid certs are cool? that was the sticking point
12:05
pdurbin
I don't like the browser warnings.
12:06
pdurbin
sorry if I'm not being clear
12:06
pdurbin
really I'm trying to avoid browser warnings
12:06
pdurbin
for invalid certs
12:06
pdurbin
for mixed content (ssl and non-ssl)
12:06
donsizemore
well, for functionality i'd like to start with stuff on 80, make them available
12:06
pdurbin
absolutely
12:06
donsizemore
but if they require certs, they're going to be self-signed
12:07
pdurbin
github pages flips you over to https these days. mixed content. that's really the issue
12:07
pdurbin
does that make sense?
12:07
donsizemore
absolutely. but if we do certs, they'll most often be self-signed
12:08
pdurbin
sure, but I can issue free certs for dataverse.org
12:08
pdurbin
if that helps
12:08
donsizemore
that will help dataverse.org users =)
12:08
pdurbin
:)
12:09
pdurbin
well, can we give dataverse.org dns entries to the ec2 instances
12:10
pdurbin
what if the hosts had names like https://d0a78461.test.dataverse.org ?
12:10
pdurbin
with a valid star cert
12:10
donsizemore
that will work well for dataverse ec2 users
12:11
pdurbin
good :)
12:11
pdurbin
but I don't know how to make it happen
12:11
pdurbin
I mean, I think I can pull off minting a star cert.
12:11
pdurbin
but I'd need help with the dns bit and getting the private key onto the ec2 instance
12:12
pdurbin
(safely, securely)
12:20
donsizemore
this is what i mean. let me put in the ssl plumbing, enable the external tools on 80 for easy testing, then we need an SSL fairy
12:23
pdurbin
heh, ok
12:23
pdurbin
thanks, it sounds like we're on the same page
12:24
pdurbin
maybe I would just have the private key on my laptop... only trusted people would have the private key and be able to use the test.dataverse.org star cert
12:25
pdurbin
but there would still be some unsolved dns work to do... unless we use some static IPs?
12:25
pdurbin
I don't know what that costs on aws.
12:26
pdurbin
again, I'm looking to replace https://dev1.dataverse.org anyway, get it off vmware (in the server room downstairs)
12:27
pdurbin
but I don't need it up all the time
12:27
pdurbin
I don't want the responsibility of keeping it patched.
12:27
pdurbin
I mean, I'll patch it for a week or whatever.
12:27
pdurbin
long enough for people to try out a new feature or bug fix
12:28
pdurbin
then spin it down until it's needed again
12:35
donsizemore
what i'm hearing is you want jenkins and a webhook
12:39
donsizemore
p.s. i can do the dataexplorer, wholetale and dataverse-previewer bits with only minor changes to the role. only dataverse-metrics needs to go in the http config. i'll take care of the first three
12:45
pdurbin
ah, so you plan to install dataexplorer locally #nevermore
13:29
jri left #dataverse
14:02
pdurbin
donsizemore: you're right about Jenkins. Question for you about this.
14:02
donsizemore
yes sir
14:03
pdurbin
Do you run Jenkins at UNC?
14:03
donsizemore
we do
14:03
donsizemore
it's pretty painless
14:04
pdurbin
How would you feel about hosting a public installation of Jenkins for http://dataversecommunity.global ?
14:05
donsizemore
ooh. i must ask jon but personally would be happy to
14:05
pdurbin
cool, thanks and please keep me posted
14:06
donsizemore
we've got a github webhook for https://github.com/OdumInstitute/dataverse/tree/trsa-api which, with a shell script and some ssh keys deploys akio's builds to https://impacttest.irss.unc.edu/
14:12
pdurbin
very cool, this is exactly what I want, but I'd want the Jenkins installation to be public facing
14:12
pdurbin
I like being able to link to https://build.hmdc.harvard.edu:8443/job/phoenix.dataverse.org-apitest-develop/ so anyone can see if tests are passing.
14:15
donsizemore
oh, if it's just your official build that would be super-easy. it could even push to one of your VMs (or we could run one here)
14:16
pdurbin
I'm fine with you building the official build. :)
14:38
donsizemore
jon likes the idea as well. we already have a jenkins instance unless you want GDCC to have its own
14:39
donsizemore
do you want a VM for phoenix.dataverse.org (or other hostname)?
14:42
pdurbin
Great! I'm thinking it might be nice if the instance were not too entangled with other stuff at UNC, if that makes sense. That way, if UNC wants some other org in the consortium to take a turn hosting it, it would be more straightforward. What do you think?
14:42
donsizemore
fine by me. we'll just set up the jenkins build on this side and push the warfile where you want?
14:43
pdurbin
Sounds perfect. Would you be able to support creating jobs from the command line? From my laptop? :)
14:44
donsizemore
whatever jenkins and/or ssh can do. could start by having it watch develop?
14:45
pdurbin
Starting with develop sounds perfect.
14:45
donsizemore
i'll need to get you our public key, tell me where to push the warfile
14:46
pdurbin
I think I'd like you to push the war file to the same place as the ec2 spin up scripts. I can go make a second account that doesn't have your name on it. :)
14:47
pdurbin
Can we have the config for Jenkins be open source? In case someone else wants to run it some day? Or if they want to run a similar build service for their fork? I'm thinking you could create a repo under https://github.com/GlobalDataverseCommunityConsortium
14:49
donsizemore
we can absolutely document it. i was going to send you what we're doing for TRSA-Dataverse and let you all correct/augment
14:49
pdurbin
perfect, thanks!
14:49
pdurbin
we can look at Pete's config too. one sec
14:50
pdurbin
jenkins declarative pipeline goodness: https://github.com/sbgrid/data-capture-module/tree/0.6/jenkins
14:51
donsizemore
sent
14:54
pdurbin
got it, thanks!
15:15
donsizemore
@pdurbin if develop could send a push webhook to https://jenkins.irss.unc.edu/github-webhook/ we'll be building
15:42
pdurbin
donsizemore: wait, is that the new consortium-only Jenkins already or is that your existing UNC Jenkins?
17:05
donsizemore joined #dataverse
17:05
donsizemore
@pdurbin it's currently Odum's jenkins (your automatic build would be the 3rd project, the other two are akio's)
17:06
donsizemore
@pdurbin but if you want one for the gdcc i can stand one up
17:11
pdurbin
donsizemore: if it's not too much trouble to stand up one for gdcc, I would really appreciate it!
17:42
donsizemore
@pdurbin mostly done; certs requested
17:51
pdurbin
donsizemore: fantastic!
18:10
donsizemore
https://gdcc-jenkins.odum.unc.edu
18:15
pdurbin
donsizemore: nice! Can we make it public?
18:15
pdurbin
public like https://build.hmdc.harvard.edu:8443/ I mean where you can see jobs
18:15
donsizemore
it should be. i'm setting up the IQSS/develop job now
18:16
pdurbin
ok, maybe once the first job is public I'll be able to see it without logging in
18:18
donsizemore
@pdurbin can IQSS add a push webhook to https://github-jenkins.odum.unc.edu/github-webhook/
18:18
pdurbin
I feel bad for asking now since you already got a valid cert but I was thinking maybe you'd go for jenkins.dataversecommunity.global or something. Do you want me to set up DNS and a cert for a hostname under dataverse.org?
18:19
donsizemore
i can change the name. i can't generate non-unc certs for free though. i'll ask kasha if she has a dataversecommunity.global wildcard
18:20
pdurbin
I can generate dataverse.org certs for free. Just sayin'.
18:22
donsizemore
we don't control dataversecommunity.global apparently so if you want a dataverse.org name that's fine
18:24
pdurbin
jenkins.dataverse.org?
18:24
donsizemore
that's fine
18:28
pdurbin
Does http://jenkins.dataverse.org go to your new gdcc instance?
18:30
donsizemore
by DNS, yes
18:31
pdurbin
cool, want to email me a csr?
18:34
donsizemore
done
18:35
pdurbin
Thanks. Do you add -sha256 when calling openssl req?
18:38
donsizemore
no, but i can if you want
18:39
pdurbin
It's more for me. Not sure if it's required. Never mind.
18:41
pdurbin
but.. what do I want... "InCommon SSL (SHA-2)"? Does that sound right?
18:45
donsizemore
i gave it rsa:2048 but can regenerate however you want
18:48
pdurbin
"applied"
18:48
* pdurbin
waits
18:54
pdurbin
donsizemore: please check your email
18:55
donsizemore
@pdurbin Office365 (ugh) has decided that they're bad. BAD attachments!
18:55
donsizemore
(could you resend them in a .zip?)
18:55
pdurbin
lord. yes
18:55
pdurbin
no, tarball
18:57
pdurbin
with some mac stuff in it... ._ files sorry
18:57
donsizemore
@pdurbin i have to send our ID mgmt guys zip files or O365 scrubs the XML
18:57
donsizemore
don't forget the bank account numbers while you're at it
18:57
pdurbin
tarball sent
19:07
pdurbin
or does it need to be a zip?
19:15
donsizemore
i got the certs fine, but the md5s don't match
19:15
pdurbin
bah
19:16
pdurbin
what md5s?
19:17
donsizemore
i can send you the output in e-mail. i generated the CSR with the same CLI flags I always use for incommon, i just swapped out the UNC stuff for Harvard
19:23
pdurbin
ok, https://dev2.dataverse.org has a valid cert now. I'll send you how I made the csr
19:27
pdurbin
sent
19:31
pdurbin
donsizemore: I'm using dev2_dataverse_org_cert.cer
19:31
pdurbin
with the _cert
20:12
xarthisius joined #dataverse
20:28
pdurbin
anyway, we'll have to pick up this cert fun next week, I'm out
20:28
pdurbin
have a good weekend, everyone!
20:28
pdurbin left #dataverse
21:33
donsizemore joined #dataverse
22:02
andrewSC joined #dataverse