Friday, March 19, 2021

New Fedora Account System Production Deployment - What this means for you


For the last 12+ months, the Community Platform Engineering team have
been developing a new service to replace the current FAS2 application
for the Fedora Account System.

The FAS2 application was written over 10 years ago with Python 2 and
the TurboGears1 framework. Due to its dependencies, it is tied to a RHEL6
deployment and could not be moved to a newer OS without rewriting.
Finally, FAS2 has a very small deployment base and we had to maintain
it all.

The new account system is based on the widely used IPA product. We
have created a community portal frontend for managing account details
(noggin). This means we only need to maintain the frontend and can
leave the high security parts to IPA. Additionally, noggin may be used
by many more community products.

Key Dates - Subject to Change*

Tuesday 23rd March: Data sync to IPA
Wednesday 24th & Thursday 25th March: System-Wide Outage for machine
config to Noggin
25th March: Final Run-Through of Production Rollout
26th March: Production Rollout Complete
29th March onwards: Support for post deployment issues

*We do not anticipate these dates changing; however, our team will meet
for a final review of work on Tuesday 23rd March and, once satisfied
that all rollback paths are in place and risks have been mitigated, we
intend to deploy to production on the dates listed above. Please
keep an eye on this mail for any potential last-minute updates.

What This Means for You


If you have an OTP token enrolled, it will be needed everywhere. This
will include logging in through ipsilon or getting a Kerberos
ticket (kinit), which was not previously the case.
Outages and interruptions to services during migration dates

System Administrators

All system administrators will need to enroll a new OTP token with noggin
The sudo command will ask for the first factor and second factor separately,
which is a slight change from the previous password+otp prompt

Packagers & Package Maintainers

Any packager that has OTP enabled will have to follow the new process in
the docs for kinit/pkinit

'Drive-By' Contributors

If you are a 'drive-by' or more casual contributor to the Fedora
project, you may have to reset your password. We anticipate the number
of people who will need to do this is low, depending on when you last
logged in.
Please re-sign into your Fedora account post migration date.

Post Deployment Support

If you experience issues with your workflow as a result of FAS
changing, please log an issue on the Fedora infra tracker.

FAS will be left in a read-only state to support any applications that
you might not be in a position to migrate immediately. However, we
don't recommend using it as the data it contains will quickly become
out of date.

Maintainer-test instances will be left in a "frozen" state which means
any user changes such as new users or new ssh keys will not be
reflected on these machines.

Further Information

Outage ticket link:
Community blog post:
Noggin Documentation:

Ant Carroll
Associate Manager, Software Engineering
Red Hat Waterford
Communications House
Cork Road, Waterford City
M: +353876213163 IM: ancarrol