*** cloudnau_ has quit IRC | 00:07 | |
*** dims has joined #kolla | 00:10 | |
*** achanda has joined #kolla | 00:11 | |
*** mimizone has joined #kolla | 00:27 | |
*** tzn has quit IRC | 00:47 | |
*** tzn has joined #kolla | 00:47 | |
*** mimizone has quit IRC | 00:59 | |
*** tzn has joined #kolla | 01:02 | |
*** tzn has quit IRC | 01:09 | |
*** tzn has joined #kolla | 01:10 | |
*** dims has quit IRC | 01:11 | |
*** tzn has quit IRC | 01:15 | |
*** severion has quit IRC | 01:18 | |
*** ssurana has quit IRC | 01:18 | |
*** unicell has quit IRC | 01:35 | |
*** bmace__ has quit IRC | 02:11 | |
*** bmace__ has joined #kolla | 02:11 | |
*** stvnoyes has quit IRC | 02:14 | |
*** stvnoyes has joined #kolla | 02:15 | |
*** dims has joined #kolla | 02:38 | |
*** rhallisey has quit IRC | 02:46 | |
*** unicell has joined #kolla | 03:01 | |
*** cloudnautique has joined #kolla | 03:31 | |
*** tzn has joined #kolla | 03:35 | |
*** dims has quit IRC | 03:50 | |
*** cemmason has joined #kolla | 03:51 | |
*** unicell1 has joined #kolla | 04:08 | |
*** unicell has quit IRC | 04:09 | |
*** achanda has quit IRC | 04:12 | |
*** achanda has joined #kolla | 04:17 | |
*** achanda has quit IRC | 04:42 | |
*** jasonsb has joined #kolla | 04:56 | |
*** achanda has joined #kolla | 05:43 | |
*** bharath has joined #kolla | 05:47 | |
bharath | anyone using ubuntu 14.04 and tried ge-image.sh | 05:48 |
bharath | I am facing the issue of virt-customize "command not found" | 05:48 |
*** achanda has quit IRC | 05:48 | |
bharath | can anyone help me with this issue? | 05:49 |
*** achanda has joined #kolla | 05:54 | |
*** bharath has quit IRC | 06:41 | |
*** sdake has quit IRC | 06:50 | |
*** sdake has joined #kolla | 06:54 | |
openstackgerrit | Steven Dake proposed openstack/kolla: Prepare base images for USER operation https://review.openstack.org/242732 | 07:02 |
*** achanda has quit IRC | 08:01 | |
openstackgerrit | Steven Dake proposed openstack/kolla: Drop root privileges for glance services https://review.openstack.org/242735 | 08:26 |
openstackgerrit | Steven Dake proposed openstack/kolla: Drop root privileges for glance services https://review.openstack.org/242735 | 08:29 |
openstackgerrit | Steven Dake proposed openstack/kolla: Prepare base images for USER operation https://review.openstack.org/242732 | 08:29 |
*** mfalatic has quit IRC | 08:36 | |
sdake | SamYaple when you're around have a question - openvswitchdb is returning a failure on startup | 08:50 |
*** tzn has quit IRC | 09:29 | |
openstackgerrit | Steven Dake proposed openstack/kolla: Drop root privileges for heat services https://review.openstack.org/242740 | 10:16 |
*** tzn has joined #kolla | 10:30 | |
*** jmccarthy has joined #kolla | 10:32 | |
*** jmccarthy has quit IRC | 10:32 | |
*** tzn has quit IRC | 10:35 | |
*** jmccarthy has joined #kolla | 10:49 | |
*** jmccarthy has quit IRC | 10:49 | |
*** athomas has quit IRC | 10:50 | |
*** sdake has quit IRC | 11:09 | |
*** pbourke has quit IRC | 11:15 | |
*** pbourke has joined #kolla | 11:16 | |
*** tzn has joined #kolla | 11:31 | |
*** tzn has quit IRC | 11:38 | |
*** jmccarthy has joined #kolla | 11:51 | |
*** dims has joined #kolla | 13:01 | |
*** tzn has joined #kolla | 13:34 | |
*** tzn has quit IRC | 13:39 | |
*** unicell has joined #kolla | 14:07 | |
*** unicell1 has quit IRC | 14:07 | |
*** tzn has joined #kolla | 14:35 | |
*** tzn has quit IRC | 14:40 | |
*** jmccarthy has quit IRC | 14:47 | |
*** jmccarthy has joined #kolla | 14:48 | |
*** jmccarthy has quit IRC | 14:49 | |
*** akwasnie has joined #kolla | 14:54 | |
SamYaple | kfox1111: i think we are 2 weeks away from a 1.1 tag | 15:07 |
SamYaple | kfox1111: sdake is build 1.0.1, which is different | 15:07 |
SamYaple | for 1.1 we are backporting some things that havent even been written yet | 15:08 |
*** tzn has joined #kolla | 15:36 | |
*** tzn has quit IRC | 15:41 | |
britthouser | I see your patches sdake. I'll cherry pick https://review.openstack.org/#/c/242732/2 and try to fix keystone on top of that. | 15:56 |
*** akwasnie has quit IRC | 15:56 | |
*** akwasnie1 has joined #kolla | 15:56 | |
openstackgerrit | Sam Yaple proposed openstack/kolla: DO NOT MERGE: gate testing https://review.openstack.org/242763 | 15:58 |
SamYaple | britthouser: do not do that | 15:58 |
SamYaple | britthouser: that implementation is not going to work | 15:58 |
britthouser | Are your concerns in the implementation of base or glance? | 16:00 |
SamYaple | yes! | 16:00 |
SamYaple | :) | 16:00 |
britthouser | ok =) | 16:00 |
SamYaple | one affects the other | 16:00 |
britthouser | I thought just base, so I could do keystone on top, and then however base was fixed I'd still be ok. | 16:00 |
SamYaple | well britthouser the issue is in the whole idea of implementation | 16:01 |
SamYaple | its taken straight from Yaodu and it works in yaodu..... but not Kolla | 16:01 |
SamYaple | the reason being Kolla provides what process to launch external to the container, Yaodu did not | 16:02 |
britthouser | Ok | 16:03 |
SamYaple | i have added some thoughts in the blueprint britthouser | 16:04 |
SamYaple | feel free to do the same | 16:04 |
SamYaple | my exact thoughts are we will probably do the privilege dropping from the start.sh script | 16:04 |
SamYaple | that way very little needs to change, but we still get the priv dropping for the running process | 16:05 |
britthouser | "compromised user" - this would be the user on the host, or user in the container? | 16:05 |
SamYaple | in the container | 16:05 |
SamYaple | if, say, the glance process gets hijacked then they could override things they shouldn't, like run_command | 16:06 |
britthouser | I gotcha...so we need to keep most of the container startup as root, but still drop to user when the main process starts. Is that the basic idea? | 16:07 |
SamYaple | thats my 5-minute-brainstorm on it | 16:07 |
SamYaple | it should actually make the implementation much cleaner too | 16:07 |
SamYaple | no need to special sudo all over the place | 16:07 |
britthouser | so the trick will be keeping start.sh generic across containers, but still allowing a different user in each container to run the main process | 16:08 |
SamYaple | should be pretty easy actually | 16:09 |
SamYaple | env USER_TO_DROP_TO glance | 16:09 |
SamYaple | so start.sh would just drop to that user, since the exec is the last step anyway | 16:09 |
*** akwasnie1 has quit IRC | 16:26 | |
openstackgerrit | Sam Yaple proposed openstack/kolla: Make the database json variable more readable https://review.openstack.org/242024 | 16:45 |
openstackgerrit | Sam Yaple proposed openstack/kolla: Add missing group for keystone https://review.openstack.org/242767 | 16:45 |
openstackgerrit | Sam Yaple proposed openstack/kolla: Incorrect parsed variable name https://review.openstack.org/242768 | 16:45 |
*** openstackgerrit has quit IRC | 16:46 | |
*** openstackgerrit has joined #kolla | 16:46 | |
*** dims_ has joined #kolla | 17:02 | |
*** dims has quit IRC | 17:04 | |
*** achanda has joined #kolla | 17:08 | |
*** akwasnie has joined #kolla | 17:18 | |
*** mbound has quit IRC | 17:18 | |
*** achanda has quit IRC | 17:21 | |
*** akwasnie has quit IRC | 17:27 | |
*** akwasnie has joined #kolla | 17:28 | |
*** tzn has joined #kolla | 17:37 | |
*** tzn has quit IRC | 17:42 | |
*** akwasnie is now known as macs | 17:51 | |
*** macs is now known as Guest46107 | 17:51 | |
*** Guest46107 is now known as macsz | 17:54 | |
*** macsz has quit IRC | 17:58 | |
*** sdake has joined #kolla | 18:06 | |
SamYaple | sdake: ping | 18:15 |
sdake | sup pain in the ass | 18:15 |
SamYaple | youd be nothing without me | 18:15 |
sdake | if you say so | 18:15 |
SamYaple | so multinode testing is ubuntu only | 18:15 |
SamYaple | they dont have centos vms for multinode | 18:15 |
SamYaple | additionally due to a change clarkb asked me to make to the job names it just wont work | 18:16 |
SamYaple | sdake: https://review.openstack.org/#/c/242772/ | 18:16 |
SamYaple | that patch i just posted is required to make multinode work | 18:16 |
SamYaple | or at least enable our experimental gate should i say | 18:16 |
sdake | i'm going back to bed | 18:16 |
SamYaple | lol | 18:16 |
*** mbound has joined #kolla | 18:18 | |
*** mbound has quit IRC | 18:23 | |
*** tzn has joined #kolla | 18:33 | |
*** tzn has joined #kolla | 18:34 | |
*** tzn has quit IRC | 18:38 | |
*** tzn has joined #kolla | 18:40 | |
*** tzn has quit IRC | 18:58 | |
*** akwasnie has joined #kolla | 19:08 | |
sdake | samyaple this sort of works : http://paste.fedoraproject.org/287971/23237144 | 19:08 |
sdake | the problem is sudo ends up as pid1 http://paste.fedoraproject.org/287972/69233061 | 19:08 |
sdake | the only viable solution i see is to rewrite the .sh in python | 19:09 |
sdake | then we have access to change uid system calls | 19:09 |
sdake | and should be able to exec replace | 19:10 |
SamYaple | you can exec from within python | 19:10 |
sdake | yes i know | 19:11 |
sdake | and can also change uid/euid | 19:11 |
sdake | in shell you cannot change uid without external helper | 19:12 |
sdake | or so says stackoverflow nerds | 19:12 |
SamYaple | right but im not running everything under the python interpreter | 19:12 |
SamYaple | i think weve had this talk before | 19:13 |
SamYaple | you were against that too | 19:13 |
sdake | i was against running python as pid1 permanently | 19:13 |
sdake | but an exec wfm | 19:13 |
sdake | we can't have the non-active process be pid1 | 19:13 |
sdake | it just breaks all signal handling | 19:14 |
sdake | not be pid 1 i mean | 19:14 |
SamYaple | im confused as to what you are prosing | 19:14 |
SamYaple | proposing | 19:14 |
sdake | the idea of having sudo as pid is a nonstarter to me | 19:15 |
sdake | pid 1 | 19:15 |
sdake | see above ps paste | 19:15 |
*** akwasnie has quit IRC | 19:15 | |
*** dims_ has quit IRC | 19:16 | |
SamYaple | the paste only has you setting an env variable | 19:16 |
sdake | http://paste.fedoraproject.org/287972/69233061 | 19:16 |
sdake | see line 2 | 19:17 |
SamYaple | oh right yea i know what you are saying | 19:17 |
SamYaple | but how does python fix that | 19:17 |
sdake | python can exec and sudo at same time | 19:17 |
SamYaple | you cant exec out of python | 19:18 |
SamYaple | the interprtur stays pid 1 | 19:18 |
SamYaple | interpreter | 19:18 |
sdake | other then writing a c helper i'm out of ideas | 19:20 |
SamYaple | well for starters, I dont actually have a problem with sudo being pid 1 | 19:20 |
SamYaple | but what I do have a problem with is the run_command being owned by the user | 19:21 |
sdake | sudo being pid 1 will break all signal handling | 19:21 |
SamYaple | how so? | 19:22 |
sdake | sudo doesn't pass signals to glance | 19:23 |
sdake | in the above example | 19:23 |
SamYaple | it does according to the man page | 19:24 |
SamYaple | "Because the command is run as a child of the sudo process, sudo will relay signals it receives to the command." | 19:24 |
sdake | keep reading | 19:25 |
sdake | Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will | 19:25 |
sdake | not be relayed to the command. As a general rule, SIGTSTP should be used | 19:25 |
sdake | instead of SIGSTOP when you wish to suspend a command being run by sudo. | 19:25 |
SamYaple | are you just talking about the container kills? | 19:26 |
sdake | yup | 19:26 |
SamYaple | you know we sigkill right now because the default timeout is always reached right? | 19:27 |
sdake | nope | 19:27 |
SamYaple | not fighting for sudo or anything, but we dont shutdown from the initial sigterm | 19:27 |
SamYaple | after the timeout it sends a sigkill | 19:27 |
*** slagle has quit IRC | 19:27 | |
sdake | ya i am familiar with the docker shutdown - debugged it heavily during pid1 nonsense | 19:27 |
sdake | host=pid nonsense i mean | 19:28 |
SamYaple | alright then you should know that it sends a sigterm | 19:29 |
SamYaple | which works just fine | 19:29 |
SamYaple | and a sigkill is for the sudo process itself | 19:29 |
*** slagle has joined #kolla | 19:29 | |
SamYaple | so it does pass sigterm... | 19:29 |
sdake | i think the attack vector you propose (application overwriting run_command) is not really a big deal | 19:36 |
sdake | if they have figured out how to do that, there are any number of ways they can corrupt the execution of the process | 19:37 |
SamYaple | i think running sudo is not a big deal | 19:39 |
SamYaple | and it removes that attack vector | 19:39 |
SamYaple | if this patch wasnt 100% about security, I wouldn't push this | 19:39 |
SamYaple | but that is the only reason we are even doing it | 19:39 |
SamYaple | lets do it right | 19:39 |
SamYaple | sdake: btw this really shouldnt be the priority | 19:40 |
SamYaple | we need to hammer out the upgrades and get kolla 1.1 out | 19:41 |
SamYaple | there is still a ton of work to do around that | 19:41 |
sdake | that is coming | 19:43 |
sdake | patience young padawan | 19:43 |
SamYaple | if you are really concerned about this you could just whitelist set_configs.py to run as sudo | 19:51 |
*** tzn has joined #kolla | 19:59 | |
sdake | yup I thought about that | 20:01 |
sdake | because set_configs.py is run as sudo, and blah.sh is run as glance, it would be impossible for the glance network service to overwrite set_configs.py | 20:01 |
sdake | impossible that is | 20:02 |
sdake | and perform any type of non-immutable hacking on the content of the container | 20:02 |
*** tzn has quit IRC | 20:04 | |
*** ssurana has joined #kolla | 20:06 | |
SamYaple | is there a problem with that approach? | 20:07 |
sdake | wfm | 20:09 |
sdake | i think its the best one suggested so far | 20:09 |
sdake | i guess really what we are after with drop root is to prevent glance from modifying the contents of the container | 20:10 |
SamYaple | isn't that what all privilege dropping is about though? | 20:10 |
SamYaple | limit the scope of a compromised process? | 20:10 |
sdake | well here we are only limiting scope to modifying the filesystem | 20:10 |
sdake | but ya privilege drop is about limiting scope | 20:10 |
sdake | until a few years ago i ran my normal shell as root :) | 20:11 |
sdake | rather then everything in suo | 20:11 |
sdake | sudo | 20:11 |
*** unicell1 has joined #kolla | 20:14 | |
openstackgerrit | Hui Kang proposed openstack/kolla: Fix neutron bootstrap https://review.openstack.org/242777 | 20:14 |
*** unicell has quit IRC | 20:16 | |
openstackgerrit | Steven Dake proposed openstack/kolla: Take two of root drop https://review.openstack.org/242778 | 20:21 |
SamYaple | sdake: that take two patch, thats not what i was talking about | 20:24 |
SamYaple | i was saying we could run set_configs as sudo | 20:24 |
sdake | ye | 20:24 |
sdake | i know | 20:24 |
SamYaple | oh ok | 20:24 |
sdake | this was the last approach i tried | 20:24 |
sdake | i was just getting in the tracker so people could see the three approaches | 20:24 |
SamYaple | are you just posting it up for reviews? | 20:24 |
SamYaple | ah ok | 20:24 |
SamYaple | im going to -1 it for the reasons we have discussed | 20:24 |
sdake | ya put link to irc if you could | 20:25 |
SamYaple | sorry already commented | 20:29 |
*** sdake has quit IRC | 20:40 | |
*** tzn has joined #kolla | 21:03 | |
*** tzn has quit IRC | 21:08 | |
*** ssurana has quit IRC | 21:14 | |
*** v1k0d3n has joined #kolla | 21:32 | |
*** Ti-mo has quit IRC | 21:33 | |
*** Ti-mo has joined #kolla | 21:34 | |
*** slagle has quit IRC | 21:35 | |
*** dims has joined #kolla | 21:46 | |
*** tzn has joined #kolla | 22:04 | |
*** tzn has quit IRC | 22:09 | |
*** jcrubio has joined #kolla | 22:54 | |
*** jcrubio has left #kolla | 23:00 | |
*** tzn has joined #kolla | 23:06 | |
*** tzn has quit IRC | 23:11 | |
*** sdake has joined #kolla | 23:44 |