
Forums and Wikis and Blogs, Oh MY!

December 12th, 2011 by

It has been suggested that I write a post explaining some of the big changes that we have been making to the forums, wikis, and blogs over the last few weeks. Here is a quick list:

  • Forums, wikis, and blogs have been moved from iChain to Novell Access Manager
  • Wikis have been upgraded to MediaWiki 1.17
  • Blogs have been upgraded to the latest version of WordPress
  • Blog and wiki servers have been patched to the latest kernel, Apache, and PHP

Now for the details…

Novell Access Manager

Until a couple of weeks ago, the openSUSE blogs, wikis, and forums were running on a product called iChain. iChain is an appliance that acts as an accelerating (caching) proxy that can perform SSO, authorization, and identity injection for applications. While iChain does its job very well, it was discontinued a number of years ago, and it has become increasingly difficult to keep it in service. The major problems are that the hardware it runs on is aging and that it will not run on newer hardware. It also has trouble with the extensions and field formatting of newer certificates, and a lot of trouble with clients attempting to use newer TLS protocols. Those of you who tried logging in to openSUSE.org with an iOS 5 device more than two weeks ago have probably noticed this.

Novell Access Manager is the successor to iChain. While it is slightly more buggy, it has a lot of additional features, and is an actively developed and supported product. Recent builds have also been much more stable and issue-free. It works on a different principle than iChain in that it is based on a federation model. This makes SSO across domains and organizations much easier. For example, openSUSE.org is now single sign-on with www.novell.com and www.suse.com. We can also do SAML 2 federation with other sites, if that ever becomes necessary.

While we are working on moving the rest of the Novell related sites to Access Manager, we are running in what we call “migration mode”. In this setup, iChain continues to handle the authentication for itself and Novell Access Manager. This allows us to retain single sign-on between the two systems as we migrate. As some of you have noticed, a side effect of this is that the openSUSE sites now log in via a Novell-branded login page. When the rest of the sites have been moved off of iChain, we will be able to change back to an openSUSE branded login. This will probably take some time, but we will get there.

Since the openSUSE blogs, wikis, and forums were running on a single iChain server that is out of warranty and irreplaceable, they were among the first sites to be moved to Access Manager. While this provides some benefits, it has also led to a couple of problems that come with being the guinea pig.  The first is that we are having a few problems with the IPv6 tunnel that was set up for these sites, and the IDP domain (login.novell.com) does not have an IPv6 address yet.  I have reached out to the networking team to get this resolved, hopefully this week.  The second is that the default Access Manager timeout is very short compared to what the openSUSE contributors are used to.  I changed the timeout to 4 hours last night, so this should no longer be an issue.  I know the change has been frustrating for a few of you, but I hope that you can agree that it’s better to work out the kinks now, rather than waiting for the old system to break down.

Wiki Upgrade

While MediaWiki 1.17 comes with a lot of improvements, many of you have also noticed that it came with a lot of heartburn. The biggest problem was the UTF-8 corruption that happened on most of the wikis. This seems to have come from a combination of an outdated collation on the “older” wikis and the way that the update script handled the schema changes. This highlighted a problem that I was not aware of before, which is that there are some major collation differences between the “new” (i.e. English and German) wikis and the “older” wikis that were not recently rebuilt. After many hours, I found a way to fix the UTF-8 corruption, and I also worked with our DBA to get the collation of the other wikis to match the new wikis as best as we could. This should minimize the chance of future upgrade issues.

We also had a couple of smaller issues, mostly an Apache rewrite rule interfering with the new resource loader that came with 1.17. Those issues were also resolved last week. Despite these problems, the new MediaWiki software is working very well. I have noticed a major improvement in performance, mostly due to the new resource loader optimizing the JavaScript and stylesheet load times.

Blog Upgrade

The WordPress upgrades are usually much easier than the MediaWiki upgrades, and this was no exception.  Except for a minor glitch in the theme for logged in users, there are no known issues with the new software.

System Patches

As with the WordPress upgrades, this was a pretty uneventful change. This update fixes a lot of vulnerabilities, including the “Apache killer” DoS attack discovered over the summer.


18 Responses to “Forums and Wikis and Blogs, Oh MY!”

  1. Henk van Velden

    I can not understand all the technical fuzz above here. But I know I can NOT log in at the forums since the Novell login page is there (28 November IIRC). That is, the login works (that can be seen in the database), but there follows a redirect that should lead me to my original page, but all browsers on all systems in my LAN report a redirect loop.

    I notice that IPv6 is mentioned above. As I have a fully IPv6 capable environment, could you tell me if the IPv6 problems you mention are applicable to me?

  2. MatthewEhle

    Yes, that problem is applicable to you. Others who are on an IPv6 environment have reported the same issue.

    I believe the problem is the IPv6 address is being directed to the wrong place from our L4 switch. I am trying to reach our network engineers to resolve this.

    In the meantime, you should be able to get around this by either preferring IPv4 or disabling IPv6 entirely on your machine. Of course, exactly how you do this depends on your OS. Firefox also lets you disable IPv6 on the browser level, either globally or per domain. See http://kb.mozillazine.org/Network.dns.disableIPv6

  3. Henk van Velden

    Thanks, I, several forum mods and also Kim have been searching for this for a few weeks!

    We are all blaming the other ;) But in fact it is in the forums software (or related).

    I hope you can resolve this very soon. I do not take your suggestion to switch off IPv6 too seriously. I am not going back to the dark ages :(

    I hope you can cure that bug asap so I can join the Forums again and do my work as Global Mod.

  4. MatthewEhle

    Unfortunately, it’s not up to me, but the network engineers to fix this. However, I have indicated that it is important, and it sounds like they are working on it.

    I am a big proponent of IPv6 myself. My personal server runs it natively, and I have been watching for the moment my ISP offers native IPv6 in my area. I understand not wanting to go back to IPv4. However, in my last comment, I did mention that you can turn it off for only opensuse.org and only in Firefox. This will at least let you work for a few days while you wait on a solution.

  5. MatthewEhle

    Just as an update, we will soon be publishing AAAA (IPv6) records for the IDP. This will most likely fix the issue.

    I am also getting native IPv6 set up in my office, so I will be able to personally test openSUSE.org against a dual stack.

  6. Henk van Velden

    That is good to know. I watch the comments here, so I will no doubt read your (hopefully positive) report and then test myself (and report back here of course).

  7. Henk van Velden

    I just checked this morning (like every morning) and I can login again!

    Thanks to everybody who contributed to identifying and solving this.

  8. Bill

    Help, every time I try to load 12.1 it gets all the way to saving the bootloader and then it freezes my computer, so I have to start all over but with my 11.2 version. What am I doing wrong?

  9. Bill

    Help, I even tried to upgrade to 12.1 and it does that too.

  10. Henk van Velden

    Dear Bill,

    I am sorry you have a technical problem. But you should understand that this blog about the method to log in to openSUSE pages is not the place to ask for help for all sorts of problems. Please go to the openSUSE Forums at forums.opensuse.org, look a bit around there to get a feeling about how the forums work, sign up, choose the most fitting sub-forum for your problem and start a new thread there with a title that tells short and clear what your problem is about (thus not “Help”!). There are plenty of co-users there who are very willing to help you.

    Regards,

    Henk

  11. this is totally messed up. HOW can Novell have such inept ‘network’ people???
    There are at least 5 different places to login and None seem to be ‘connected’.
    news.opensuse, forums.opensuse, etc…
    This Sucks!

    Landis.

  12. MatthewEhle

    Sorry that you are unsatisfied. However, I don’t understand exactly what you’re unhappy about. There are many different openSUSE sites, but I don’t understand the part about 5 different places to log in. The two examples you gave (news and forums) are single sign-on with each other and bring you to the same sign in page.

    There are some openSUSE sites that don’t leverage this single sign-on solution, but that is hardly due to inability. I know several of the people who work on those sites, and they are anything but inept. They are just like most people in this world, in that they don’t have the time to do everything they would like. I’m sure they will integrate their sites when they have the time and when it makes sense for their situation.

  13. mirko

    Thanks for this infrastructure update!

    I already noticed that the MediaWiki and WordPress installations are not updated regularly. So I’m wondering…

    As most of the installed updates are security updates, do you have some insights if (and how often) hackers try to attack the openSUSE infrastructure?

    How do you protect the installations and the user data if you are running software that has been unmaintained for (at least) months?

    Is there any documentation available how openSUSE secures its infrastructure and its own distribution?

    Thanks in advance for your answers!

    • MatthewEhle

      Hi Mirko,

      Sorry for the late response, but here are a few insights that I can give:

      Other than spammers and script kiddies, most people like to leave us alone. We get notified when suspicious activity is going on, and it doesn’t happen all that often (knock on wood).

      The SSO system affords us a pretty decent amount of protection. It is the only thing that directly interacts with the user store, so no sensitive information is kept in the applications themselves. It also reverse proxies the application servers, so it can filter out some bad activity in that regard. In addition, the applications have the default login systems replaced or supplemented by the SSO integration, so upstream vulnerabilities in login or account management code don’t matter much to us. I can think of several “critical” WP vulnerabilities which did not apply to us for that reason alone.

      With all that said, we are working harder to keep current on the software. This is especially true of WP, since it is easy to upgrade and tends to have more security issues that do affect us (e.g. XSS vulnerabilities).
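The trust boundary this reply relies on, as an added illustration (not openSUSE's or Novell's code): an application behind an identity-injecting reverse proxy should accept the injected identity only on connections that arrive from the proxy itself, and discard any client-supplied copy. The header name `X-SSO-User`, the `sso.user` key and the proxy addresses are assumptions made for the example.

```python
import ipaddress

# Assumptions for this example: hypothetical header name and proxy addresses.
IDENTITY_HEADER = "HTTP_X_SSO_USER"  # WSGI form of "X-SSO-User"
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32"),
                   ipaddress.ip_network("2001:db8::10/128")]


def from_trusted_proxy(remote_addr):
    """True only if the TCP peer is one of the SSO proxy addresses."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


class InjectedIdentity:
    """WSGI middleware: expose the proxy-injected user, drop spoofed copies."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Always remove the raw header so later code cannot read a spoofed value.
        claimed = environ.pop(IDENTITY_HEADER, None)
        environ.pop("sso.user", None)
        if claimed and from_trusted_proxy(environ.get("REMOTE_ADDR", "")):
            environ["sso.user"] = claimed.strip()
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in application that reports who it believes the user is."""
    user = environ.get("sso.user", "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode()]


def whoami(remote_addr, headers):
    """Run one constructed request through the middleware; return the body."""
    environ = {"REQUEST_METHOD": "GET", "REMOTE_ADDR": remote_addr, **headers}
    body = InjectedIdentity(demo_app)(environ, lambda status, hdrs: None)
    return b"".join(body).decode()
```

The same rule is usually enforced a second time at the network layer, by letting only the proxy reach the application servers.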

  14. John Middlebrook

    I note that Henk van Velden can now log into the Forum. Unfortunately, I cannot. I get the message, “The page isn’t redirecting properly. Firefox has detected that the server is redirecting the request for this address in a way that will never complete”. I just hope that this will not continue for much longer.

  15. Henk van Velden

    Strange. As I reported, I had exactly the same error (and similar in other browsers). It is gone as I reported above and I have logged in every day since.

    As, in my case, it seemed to be related to an inconsistent IPv6 configuration at the Novell side (my site being full IPv6 capable), what about your IPv6 capability (and that of your ISP)?

  16. MatthewEhle

    Some people have trouble with IPv6 tunnels for some reason. Native IPv6 has worked very well for people since the change.

    I have received two complaints since the AAAA records were published, but they were both due to client configurations, and they are up and running now. I would check for AAAA records, DNS caching, hosts file entries, etc.
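One way to script the client-side checks listed in this comment, as an added example that is not part of the original thread: it compares which address families each host in the login redirect chain resolves to and reports hosts-file entries that pin those names. The sample DNS answers and hosts-file text are constructed to mirror the situation described in the post (sites dual-stack, IDP IPv4-only); the function names are hypothetical.

```python
import socket


def resolve_families(host):
    """Return which of "A"/"AAAA" the local resolver yields for host."""
    families = set()
    for family, label in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            if socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM):
                families.add(label)
        except socket.gaierror:
            pass
    return families


def hosts_file_overrides(hosts_text, names):
    """Map each watched name to the addresses pinned for it in hosts-file text."""
    pinned = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            if name.lower() in names:
                pinned.setdefault(name.lower(), []).append(fields[0])
    return pinned


def audit_login_chain(hosts, resolver=resolve_families, hosts_text=""):
    """Flag hosts in an SSO redirect chain that lack a family the others have."""
    seen = {h: resolver(h) for h in hosts}
    wanted = set().union(*seen.values())
    findings = [f"{h}: no {fam} result, but other hosts in the chain have one"
                for h in hosts for fam in sorted(wanted - seen[h])]
    watched = {h.lower() for h in hosts}
    for name, addrs in hosts_file_overrides(hosts_text, watched).items():
        findings.append(f"{name}: pinned in hosts file to {', '.join(addrs)}")
    return findings


# Constructed sample data, not real lookups.
SAMPLE_DNS = {"forums.opensuse.org": {"A", "AAAA"}, "login.novell.com": {"A"}}
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.44 login.novell.com  # stale entry\n"

if __name__ == "__main__":
    for finding in audit_login_chain(list(SAMPLE_DNS), SAMPLE_DNS.get, SAMPLE_HOSTS):
        print(finding)
```

Calling `audit_login_chain` without a `resolver` argument uses live lookups through the system resolver, so cached answers and hosts-file entries are reflected in the result.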

  17. cap10ibraim

    Hi,
    I still get the redirection loop when logging in to wiki or forums,
    I can login at the Novell home page.