Saturday, 2015-11-07

*** cloudnau_ has quit IRC00:07
*** dims has joined #kolla00:10
*** achanda has joined #kolla00:11
*** mimizone has joined #kolla00:27
*** tzn has quit IRC00:47
*** tzn has joined #kolla00:47
*** mimizone has quit IRC00:59
*** tzn has joined #kolla01:02
*** tzn has quit IRC01:09
*** tzn has joined #kolla01:10
*** dims has quit IRC01:11
*** tzn has quit IRC01:15
*** severion has quit IRC01:18
*** ssurana has quit IRC01:18
*** unicell has quit IRC01:35
*** bmace__ has quit IRC02:11
*** bmace__ has joined #kolla02:11
*** stvnoyes has quit IRC02:14
*** stvnoyes has joined #kolla02:15
*** dims has joined #kolla02:38
*** rhallisey has quit IRC02:46
*** unicell has joined #kolla03:01
*** cloudnautique has joined #kolla03:31
*** tzn has joined #kolla03:35
*** dims has quit IRC03:50
*** cemmason has joined #kolla03:51
*** unicell1 has joined #kolla04:08
*** unicell has quit IRC04:09
*** achanda has quit IRC04:12
*** achanda has joined #kolla04:17
*** achanda has quit IRC04:42
*** jasonsb has joined #kolla04:56
*** achanda has joined #kolla05:43
*** bharath has joined #kolla05:47
bharathanyone using ubuntu 14.04 and tried ge-image.sh05:48
bharathI am facing the issue of virt-customize "command not found"05:48
*** achanda has quit IRC05:48
bharathcan anyone help me with this issue?05:49
*** achanda has joined #kolla05:54
*** bharath has quit IRC06:41
*** sdake has quit IRC06:50
*** sdake has joined #kolla06:54
openstackgerritSteven Dake proposed openstack/kolla: Prepare base images for USER operation  https://review.openstack.org/24273207:02
*** achanda has quit IRC08:01
openstackgerritSteven Dake proposed openstack/kolla: Drop root privileges for glance services  https://review.openstack.org/24273508:26
openstackgerritSteven Dake proposed openstack/kolla: Drop root privileges for glance services  https://review.openstack.org/24273508:29
openstackgerritSteven Dake proposed openstack/kolla: Prepare base images for USER operation  https://review.openstack.org/24273208:29
*** mfalatic has quit IRC08:36
sdakeSamYaple when your around hae a quesiton - openvswitchdb is returning a failure on startup08:50
*** tzn has quit IRC09:29
openstackgerritSteven Dake proposed openstack/kolla: Drop root privileges for heat services  https://review.openstack.org/24274010:16
*** tzn has joined #kolla10:30
*** jmccarthy has joined #kolla10:32
*** jmccarthy has quit IRC10:32
*** tzn has quit IRC10:35
*** jmccarthy has joined #kolla10:49
*** jmccarthy has quit IRC10:49
*** athomas has quit IRC10:50
*** sdake has quit IRC11:09
*** pbourke has quit IRC11:15
*** pbourke has joined #kolla11:16
*** tzn has joined #kolla11:31
*** tzn has quit IRC11:38
*** jmccarthy has joined #kolla11:51
*** dims has joined #kolla13:01
*** tzn has joined #kolla13:34
*** tzn has quit IRC13:39
*** unicell has joined #kolla14:07
*** unicell1 has quit IRC14:07
*** tzn has joined #kolla14:35
*** tzn has quit IRC14:40
*** jmccarthy has quit IRC14:47
*** jmccarthy has joined #kolla14:48
*** jmccarthy has quit IRC14:49
*** akwasnie has joined #kolla14:54
SamYaplekfox1111: i think we are 2 weeks away from a 1.1 tag15:07
SamYaplekfox1111: sdake is build 1.0.1, which is different15:07
SamYaplefor 1.1 we are backporting some things that havent even been written yet15:08
*** tzn has joined #kolla15:36
*** tzn has quit IRC15:41
britthouserI see your patches sdake.  I'll cherry pick https://review.openstack.org/#/c/242732/2 and try to fix keystone on top of that.15:56
*** akwasnie has quit IRC15:56
*** akwasnie1 has joined #kolla15:56
openstackgerritSam Yaple proposed openstack/kolla: DO NOT MERGE: gate testing  https://review.openstack.org/24276315:58
SamYaplebritthouser: do not do that15:58
SamYaplebritthouser: that impelmentation is not going to work15:58
britthouserAre your concerns in teh implementation of base or glance?16:00
SamYapleyes!16:00
SamYaple:)16:00
britthouserok =)16:00
SamYapleone affects the other16:00
britthouserI thought just base, so I could do keystone on top, and then however base was fixed I'd still be ok.16:00
SamYaplewell britthouser the issue is in the whole idea of implementation16:01
SamYapleits taken straight from Yaodu and it works in yaodu..... but not Kolla16:01
SamYaplethe reason being Kolla provides what process to laucnh external to the container, yoadu did not16:02
britthouserOk16:03
SamYaplei have added some thoughts in the blueprint britthouser16:04
SamYaplefeel free to do the same16:04
SamYaplemy exact thoughts are we will probably do the privilege droping from the start.sh script16:04
SamYaplethat way very little needs to change, but we stil lget the priv dropping for the running process16:05
britthouser"compromised user" - this would be the user on the host, or user in the container?16:05
SamYaplein the container16:05
SamYapleif, say, the glance process gets hijacked then the could override things they shouldnt, like run_command16:06
britthouserI gotcha...so we need to keep most of the container startup as root, but still drop to user when teh main process starts.  Is that the basic idea?16:07
SamYaplethats my 5-minute-brainstorm on it16:07
SamYapleit should actually make the implementation much cleaner too16:07
SamYapleno need to special sudo all over the place16:07
britthouserso the trick will be keeping start.sh generic across containers, but still allowing a different user in each container to run the main process16:08
SamYapleshould be pretty easy actually16:09
SamYapleenv USER_TO_DROP_TO glance16:09
SamYapleso start.sh would just drop to that user, since the exec is the last step anyway16:09
*** akwasnie1 has quit IRC16:26
openstackgerritSam Yaple proposed openstack/kolla: Make the database json variable more readable  https://review.openstack.org/24202416:45
openstackgerritSam Yaple proposed openstack/kolla: Add missing group for keystone  https://review.openstack.org/24276716:45
openstackgerritSam Yaple proposed openstack/kolla: Incorrect parsed variable name  https://review.openstack.org/24276816:45
*** openstackgerrit has quit IRC16:46
*** openstackgerrit has joined #kolla16:46
*** dims_ has joined #kolla17:02
*** dims has quit IRC17:04
*** achanda has joined #kolla17:08
*** akwasnie has joined #kolla17:18
*** mbound has quit IRC17:18
*** achanda has quit IRC17:21
*** akwasnie has quit IRC17:27
*** akwasnie has joined #kolla17:28
*** tzn has joined #kolla17:37
*** tzn has quit IRC17:42
*** akwasnie is now known as macs17:51
*** macs is now known as Guest4610717:51
*** Guest46107 is now known as macsz17:54
*** macsz has quit IRC17:58
*** sdake has joined #kolla18:06
SamYaplesdake: ping18:15
sdakesup pain in the ass18:15
SamYapleyoud be nothing without me18:15
sdakeif you say so18:15
SamYapleso multinode testing is ubuntu only18:15
SamYaplethey dont have centos vms for multinode18:15
SamYapleadditionally due to a change clarkb asked me to make to the job names it just wont work18:16
SamYaplesdake: https://review.openstack.org/#/c/242772/18:16
SamYaplethat patch i just posted is required to make multinode work18:16
SamYapleor at least enable our experimental gate should i say18:16
sdakei'm goingg bak to bed18:16
SamYaplelol18:16
*** mbound has joined #kolla18:18
*** mbound has quit IRC18:23
*** tzn has joined #kolla18:33
*** tzn has joined #kolla18:34
*** tzn has quit IRC18:38
*** tzn has joined #kolla18:40
*** tzn has quit IRC18:58
*** akwasnie has joined #kolla19:08
sdakesamyaple this sort of works : http://paste.fedoraproject.org/287971/2323714419:08
sdakethe problem is sudo ends up as pid1 http://paste.fedoraproject.org/287972/6923306119:08
sdakethe only viable solution i see is  to rewrite the .sh in python19:09
sdakethen we have access to change uid system calls19:09
sdakeand should be able to exec replace19:10
SamYapleyou can exec from within python19:10
sdakeyes i know19:11
sdakeand can also change uid/euid19:11
sdakein shell yoou cannot change uid without external helper19:12
sdakeor so says stackoverflow nerds19:12
SamYapleright but im not running everything under the python interpreter19:12
SamYaplei think weve had this talk before19:13
SamYapleyou were against that too19:13
sdakei was against running python as pid1 permanently19:13
sdakebut an exec wfm19:13
sdakewe can't have the non-active process be pid119:13
sdakeit just breaks all singal handling19:14
sdakenot bepdid 1 i mean19:14
SamYapleim confused as to what you are prosing19:14
SamYapleproposing19:14
sdakethe idea of having sudo as pid is a nonstrter to me19:15
sdakepid 119:15
sdakesee above ps paste19:15
*** akwasnie has quit IRC19:15
*** dims_ has quit IRC19:16
SamYaplethe paste only has you setting an env variabel19:16
sdakehttp://paste.fedoraproject.org/287972/6923306119:16
sdakesee line 219:17
SamYapleoh right yea i know what you are saying19:17
SamYaplebut how does python fix that19:17
sdakepython can exec and sudo at same time19:17
SamYapleyou cant exec out of python19:18
SamYaplethe interprtur stays pid 119:18
SamYapleinterpreter19:18
sdakeother  then writing a c helper i'm out of ideas19:20
SamYaplewell for starters, I dont actually have a problem with sudo being pid 119:20
SamYaplebut what I do have a problem with is the run_command being owned by the user19:21
sdakesudo being pid 1 will break all signal handling19:21
SamYaplehow so?19:22
sdakesudo doesn't pass ssignals to glance19:23
sdakein the aboe example19:23
SamYapleit does according to the man page19:24
SamYaple"Because the command is run as a child of the sudo process, sudo will relay signals it receives to the command."19:24
sdakekeep reading19:25
sdake Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will19:25
sdake     not be relayed to the command.  As a general rule, SIGTSTP should be used19:25
sdake     instead of SIGSTOP when you wish to suspend a command being run by sudo.19:25
SamYapleare you just talking about the container kills?19:26
sdakeyup19:26
SamYapleyou know we sigkill right now because the default timeout is always reached right?19:27
sdakenope19:27
SamYaplenot fighting for sudo or anything, but we dont shutdown from the initial sigterm19:27
SamYapleafter the timeout it sends a sigkill19:27
*** slagle has quit IRC19:27
sdakeya i am familar wiht the docker shutdown - deubgged it heavily during pid1 nonsense19:27
sdakehost=pid nonsense i mean19:28
SamYaplealright then you should know that it sends a sigterm19:29
SamYaplewhich works just fine19:29
SamYapleand a sigkill is for the sudo process itself19:29
*** slagle has joined #kolla19:29
SamYapleso it does pass sigterm...19:29
sdakei think the attack vector you propose (application overwriting run_command) is not really a big deal19:36
sdakeif thye have figured o ut how to do that, there are any numbr of ways they can corrupt the execution of the process19:37
SamYaplei think running sudo is not a big deal19:39
SamYapleand it removes that attack vector19:39
SamYapleif this patch wasnt 100% about security, I wouldn't push this19:39
SamYaplebut that is the only reason we are even doing it19:39
SamYaplelets do it right19:39
SamYaplesdake: btw this really shouldnt be the priority19:40
SamYaplewe need to hammer out the upgrades and get kolla 1.1 out19:41
SamYaplethere is still a ton of work to do around that19:41
sdakethat is coming19:43
sdakepatience young padawan19:43
SamYapleif you are really concerned about this you could just whitelies set_configs.py to run as sudo19:51
*** tzn has joined #kolla19:59
sdakeyup I thought about that20:01
sdakebecause set_configs.py is run as sudo, and blah.sh is run as glance, it would be ipossible or the glance network service to overwrite set_ocnfigs.py20:01
sdakeimpossible that is20:02
sdakeand perform any type of non-immutable hacking on teh content of the container20:02
*** tzn has quit IRC20:04
*** ssurana has joined #kolla20:06
SamYapleis there a problem with that approach?20:07
sdakewfm20:09
sdakei think its  the best one suggested so far20:09
sdakei guess really what we are after with drop root is to prevent glance from modifying the contents of the container20:10
SamYapleisnt that what all prilege dropping is about though?20:10
SamYaplelimit the scope of a compromised process?20:10
sdakewell herere we are onlhy limiting scope to modyfing the filesystem20:10
sdakebut ya privilege drop is about limiting scope20:10
sdakeutnil ia few years ago i ran my normal shell as root :)20:11
sdakerather then everything in suo20:11
sdakesudo20:11
*** unicell1 has joined #kolla20:14
openstackgerritHui Kang proposed openstack/kolla: Fix neutron bootstrap  https://review.openstack.org/24277720:14
*** unicell has quit IRC20:16
openstackgerritSteven Dake proposed openstack/kolla: Take two of root drop  https://review.openstack.org/24277820:21
SamYaplesdake: that take two patch, thats not what i was talking about20:24
SamYaplei was saying we could run set_configs as sudo20:24
sdakeye20:24
sdakei know20:24
SamYapleoh ok20:24
sdakethis ws the last appraoch i tried20:24
sdakei was just getting in the trackeer so peope could see the three approaches20:24
SamYapleare you just posting it up for reviews?20:24
SamYapleah ok20:24
SamYapleim going to -1 it for the reasons we have discussed20:24
sdakeya put link to irc if you could20:25
SamYaplesorry already commented20:29
*** sdake has quit IRC20:40
*** tzn has joined #kolla21:03
*** tzn has quit IRC21:08
*** ssurana has quit IRC21:14
*** v1k0d3n has joined #kolla21:32
*** Ti-mo has quit IRC21:33
*** Ti-mo has joined #kolla21:34
*** slagle has quit IRC21:35
*** dims has joined #kolla21:46
*** tzn has joined #kolla22:04
*** tzn has quit IRC22:09
*** jcrubio has joined #kolla22:54
*** jcrubio has left #kolla23:00
*** tzn has joined #kolla23:06
*** tzn has quit IRC23:11
*** sdake has joined #kolla23:44

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!