Wednesday, 2015-11-11

*** pdesai has quit IRC (00:03)
*** ccneill has quit IRC (00:09)
*** jmckind has joined #openstack-barbican (00:22)
*** gyee has joined #openstack-barbican (00:56)
*** edtubill has joined #openstack-barbican (01:11)
*** mixos has joined #openstack-barbican (01:11)
*** edtubill has quit IRC (01:24)
*** edtubill has joined #openstack-barbican (01:26)
*** edtubill has quit IRC (01:42)
*** yuanying_ has joined #openstack-barbican (02:02)
*** kebray has quit IRC (02:05)
*** yuanying has quit IRC (02:05)
*** jmckind has quit IRC (02:10)
*** yuanying_ has quit IRC (02:11)
*** woodster_ has quit IRC (02:29)
*** alee has quit IRC (02:32)
*** alee has joined #openstack-barbican (02:33)
*** su_zhang has joined #openstack-barbican (02:42)
*** yuanying has joined #openstack-barbican (02:52)
*** jhfeng has joined #openstack-barbican (02:53)
*** edtubill has joined #openstack-barbican (02:54)
*** jamielennox is now known as jamielennox|away (03:00)
*** jhfeng has quit IRC (03:08)
*** jamielennox|away is now known as jamielennox (03:10)
*** su_zhang has quit IRC (03:15)
*** yuanying has quit IRC (03:23)
*** gyee has quit IRC (03:23)
*** dave-mcc_ has quit IRC (03:45)
openstackgerrit: OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements https://review.openstack.org/243917 (04:01)
*** yuanying has joined #openstack-barbican (04:07)
*** stevemar_ has joined #openstack-barbican (04:13)
openstackgerrit: Elvin Tubillara proposed openstack/barbican-specs: Create spec for cron job garbage collector for barbican database https://review.openstack.org/243806 (04:13)
*** stevemar_ has quit IRC (04:16)
openstackgerrit: Elvin Tubillara proposed openstack/barbican-specs: Create spec for cron job garbage collector for barbican database https://review.openstack.org/243806 (04:26)
*** xaeth_afk is now known as xaeth (04:44)
openstackgerrit: Elvin Tubillara proposed openstack/barbican-specs: Create spec for cron job garbage collector for barbican database https://review.openstack.org/243806 (04:47)
*** xaeth is now known as xaeth_afk (05:01)
*** edtubill has quit IRC (05:03)
*** jhfeng has joined #openstack-barbican (05:06)
*** jhfeng has quit IRC (05:10)
*** stevemar_ has joined #openstack-barbican (05:29)
*** su_zhang has joined #openstack-barbican (05:30)
*** stevemar_ has quit IRC (05:31)
*** su_zhang has quit IRC (05:47)
*** jamielennox is now known as jamielennox|away (06:29)
*** jaosorior has joined #openstack-barbican (06:34)
*** stevemar_ has joined #openstack-barbican (07:29)
*** stevemar_ has quit IRC (07:32)
*** nelsnels_ has joined #openstack-barbican (07:41)
*** jamielennox|away has quit IRC (07:41)
*** whydidyoustealmy has joined #openstack-barbican (07:43)
*** barra204 has quit IRC (07:43)
*** nelsnelson has quit IRC (07:44)
*** everjeje has joined #openstack-barbican (08:03)
*** jamielennox|away has joined #openstack-barbican (08:31)
*** jamielennox|away is now known as jamielennox (08:31)
*** stevemar_ has joined #openstack-barbican (08:35)
*** stevemar_ has quit IRC (08:38)
*** jaosorior has quit IRC (10:26)
*** jaosorior has joined #openstack-barbican (10:27)
*** jaosorior has quit IRC (10:30)
*** jaosorior has joined #openstack-barbican (10:30)
*** shohel has joined #openstack-barbican (10:32)
*** stevemar_ has joined #openstack-barbican (10:36)
*** stevemar_ has quit IRC (10:38)
*** mixos has quit IRC (10:55)
*** stevemar_ has joined #openstack-barbican (11:23)
*** stevemar_ has quit IRC (11:26)
*** stevemar_ has joined #openstack-barbican (12:00)
*** shohel has quit IRC (12:04)
*** shohel has joined #openstack-barbican (12:20)
*** peter-hamilton has joined #openstack-barbican (12:20)
*** shohel has quit IRC (12:25)
*** openstackgerrit has quit IRC (12:31)
*** openstackgerrit has joined #openstack-barbican (12:32)
*** shohel has joined #openstack-barbican (12:52)
*** shohel has quit IRC (13:03)
*** shohel has joined #openstack-barbican (13:36)
*** shohel has quit IRC (13:41)
*** dave-mccowan has joined #openstack-barbican (13:41)
*** shohel has joined #openstack-barbican (13:41)
*** shohel has quit IRC (13:53)
*** darrenmoffat1 has joined #openstack-barbican (14:02)
*** darrenmoffat has quit IRC (14:08)
*** su_zhang has joined #openstack-barbican (14:13)
*** shohel has joined #openstack-barbican (14:29)
*** shohel1 has joined #openstack-barbican (14:32)
*** shohel has quit IRC (14:32)
*** shohel1 has quit IRC (14:36)
*** mixos has joined #openstack-barbican (14:39)
*** david-ly_ has joined #openstack-barbican (14:41)
*** su_zhang has quit IRC (14:42)
*** mixos has quit IRC (14:42)
*** david-lyle has quit IRC (14:42)
*** shohel has joined #openstack-barbican (14:43)
*** lisaclark1 has joined #openstack-barbican (15:00)
*** spotz_zzz is now known as spotz (15:05)
*** jhfeng has joined #openstack-barbican (15:10)
*** kfarr has joined #openstack-barbican (15:31)
*** edtubill has joined #openstack-barbican (15:44)
*** lisaclark1 has quit IRC (15:47)
*** lisaclark1 has joined #openstack-barbican (15:53)
alee: kfarr, ping (15:57)
kfarr: alee pong! (15:57)
alee: kfarr, hey - question about image signing in glance .. (15:57)
*** shohel has quit IRC (15:57)
kfarr: alee ask away! (15:57)
alee: kfarr, in https://review.openstack.org/#/c/183137/18/glance/common/signature_utils.py , I see the code added to glance to verify a signature (15:57)
alee: looks like we have an RSA-PSS signature on the a hash of the checksum (15:58)
*** diazjf has joined #openstack-barbican (15:58)
alee: kfarr, where is the code in nova to create the signature? (15:58)
kfarr: alee Ah ok, so, when the user uploads the image, he or she is supposed to upload the signature as well (15:59)
kfarr: the verification part in Nova is not merged yet (15:59)
alee: kfarr, ah - and is there code -say in the glance client - to compute the signature? (16:00)
alee: or documentation/instructions on how to compute it? (16:00)
kfarr: alee, my understanding is that the user creates the signature out of band of glance (16:00)
openstackgerrit: Elvin Tubillara proposed openstack/barbican: Remove unused scrub variables in barbican.conf https://review.openstack.org/244174 (16:00)
kfarr: alee, let me see, one sec (16:00)
*** shohel has joined #openstack-barbican (16:01)
alee: kfarr, there are a few out of band steps -- for one thing, the cert needs to be uploaded to castellan .. (16:01)
*** openstackgerrit has quit IRC (16:02)
kfarr: alee right (16:02)
alee: in order for verification in nova and glance to occur. (16:02)
*** lisaclark1 has quit IRC (16:02)
*** openstackgerrit has joined #openstack-barbican (16:02)
alee: seems like something that should be done in glance/openstack client (16:03)
*** bpoulos has joined #openstack-barbican (16:03)
alee: bpoulos, hi Briana -- I think you've been pinged by kfarr :) (16:04)
kfarr: alee bpoulos knows all (16:04)
kfarr: https://etherpad.openstack.org/p/liberty-glance-image-signing-instructions (16:04)
bpoulos: haha, yep, kfarr pinged me (16:05)
*** xaeth_afk is now known as xaeth (16:05)
bpoulos: we're working on a spec in nova -- but it hasn't been approved yet (16:05)
bpoulos: nova spec: https://review.openstack.org/#/c/188874/ (16:05)
bpoulos: the glance spec is official, and is available at http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html (16:06)
*** mixos has joined #openstack-barbican (16:07)
*** david-ly_ is now known as david-lyle (16:07)
alee: bpoulos, yeah I saw the glance spec .. so it seems like there is a nova spec to verify the signature (16:08)
alee: bpoulos, does that cover signature generation too? (16:08)
alee: bpoulos, ie. case 2 -- An image is created in Nova, and Nova signs the image at the request of the End User ... (16:08)
*** woodster_ has joined #openstack-barbican (16:10)
alee: bpoulos, there are an awful lot of steps needed out of band to create the image signature etc,  Has anyone considered putting a lot of this into glance-client or openstack-client? (16:12)
*** shohel has quit IRC (16:12)
*** rhagarty__ has joined #openstack-barbican (16:13)
*** dabukalam_ has joined #openstack-barbican (16:15)
*** kebray has joined #openstack-barbican (16:16)
*** rhagarty_ has quit IRC (16:17)
*** edtubill has quit IRC (16:17)
*** dabukalam has quit IRC (16:17)
*** silos has joined #openstack-barbican (16:19)
bpoulos: alee: the nova spec doesn't cover signature generation yet, there will be a future spec to create signatures for snapshots (16:20)
bpoulos: but it requires that nova use glance v2, which isn't the case yet (16:20)
bpoulos: and yes, we want to make it easier to generate signatures in the future (16:20)
bpoulos: but we are focused on getting the initial functionality in for now (16:20)
*** mixos has quit IRC (16:24)
alee: bpoulos, cool thanks - I was just trying to see how it all works (16:28)
*** gyee has joined #openstack-barbican (16:28)
bpoulos: alee: happy to help (16:29)
*** lisaclark1 has joined #openstack-barbican (16:29)
*** mixos has joined #openstack-barbican (16:30)
*** ccneill has joined #openstack-barbican (16:33)
*** zz_dimtruck has quit IRC (16:38)
*** mixos has quit IRC (16:38)
*** mixos has joined #openstack-barbican (16:40)
openstackgerrit: Fernando Diaz proposed openstack/python-barbicanclient: Allow Barbican Secrets to be Updated via File https://review.openstack.org/242635 (16:40)
*** zz_dimtruck has joined #openstack-barbican (16:40)
*** zz_dimtruck is now known as dimtruck (16:41)
*** xaeth is now known as xaeth_afk (16:47)
*** cbits has joined #openstack-barbican (16:48)
cbits: Afternoon.  I am trying to get barbican to interface with a kmip server.  Not really sure how to configure this.  is there a doc I can RTFM? (16:50)
redrobot: hi cbits (16:51)
cbits: Hi redrobot.  I am a bit of a noob but would love to get this working. (16:51)
redrobot: cbits Barbican documentation can be found here: http://docs.openstack.org/developer/barbican/ but unfortunately we don't have much written up on configuration (16:51)
redrobot: cbits it's fairly straight-forward to configure the different backends though (16:52)
redrobot: cbits give me a sec, I'll get you some relevant links (16:52)
*** mixos has quit IRC (16:52)
redrobot: cbits  to use the KMIP plugin, you'll need to reconfigure the Secret Store Plugin section in barbican.conf https://github.com/openstack/barbican/blob/master/etc/barbican/barbican.conf#L255-L258 (16:53)
cbits: I have that set to enabled_secretstore_plugins = kmip_plugin (16:54)
cbits: and in the kmip_plugin section I have (getting...) (16:54)
cbits: [kmip_plugin] (16:55)
cbits: username = 'user' (16:55)
cbits: password = 'password' (16:55)
cbits: host = 10.1.1.2 (16:55)
cbits: port = 9002 (16:55)
cbits: keyfile = '/etc/barbican/certs/kms_user.key' (16:55)
cbits: certfile = '/etc/barbican/certs/kms_user.crt' (16:55)
cbits: ca_certs = '/etc/barbican/certs/my.crt' (16:55)
redrobot: cbits  hmm...  that looks about right to me...  maybe kfarr has some more info? (16:56)
redrobot: cbits kfarr is one of the devs working on the KMIP side of barbican (16:56)
redrobot: cbits what failures are you seeing? (16:56)
*** xaeth_afk is now known as xaeth (16:57)
kfarr: ok cbits redrobot, I'm catching up on the conversation (16:57)
cbits: I was getting an error saying there was no kmip module. (16:57)
*** edtubill has joined #openstack-barbican (16:57)
kfarr: Oh, cbits, do you have pykmip installed? (16:57)
cbits: I installed python-pykmip and that went away (16:57)
*** kebray has quit IRC (16:57)
cbits: but I am doing a tcpdump to see if barbican is going to my kmip server I am not seeing any traffic.  And I am not getting any errors in the barbican logs.. :( (16:58)
*** kebray has joined #openstack-barbican (16:58)
kfarr: cbits, are you trying to create keys?  Are the keys created successfully even if you don't see the traffic? (16:59)
cbits: doing this (16:59)
cbits: barbican secret list (16:59)
cbits: let me try to create a key and see if there is traffic (16:59)
cbits: just a sec. (16:59)
kfarr: cbits, I don't think the list command talks to the backend servers (17:00)
*** mixos has joined #openstack-barbican (17:00)
cbits: it created the key.  saw no traffic to the kmip server (17:00)
cbits: It looks to me that it's being created and stored in the local store (17:00)
silos: cbits: Are there two barbican.conf files on your system? One in /etc/barbican and one in your home directory? (17:01)
cbits: let me look (17:01)
cbits: (running this in devstack) (17:01)
silos: cbits: ok. Where were you making the changes to the barbican.conf file? (17:01)
*** pdesai has joined #openstack-barbican (17:02)
cbits: yes in /etc/barbican/barbican.conf (17:02)
*** mixos has quit IRC (17:02)
*** lisaclark1 has quit IRC (17:02)
cbits: silos I did not see a second config file in the stack home dir (17:02)
*** mixos has joined #openstack-barbican (17:03)
silos: cbits: that's good. It should be reading from the file in /etc/barbican/ then (17:03)
kfarr: cbits do you have access to your kmip device?  Are you able to check on the kmip device side that there was a key created? (17:04)
cbits: yes we have readonly access to that device. (via its web interface) (17:04)
*** mixos has quit IRC (17:05)
cbits: is there a way I can start barbican server to output more data that might help me? (17:05)
*** mixos has joined #openstack-barbican (17:05)
kfarr: cbits, there are debug options in the barbican conf (17:07)
*** mixos has quit IRC (17:08)
kfarr: but just to clarify, you mean when you go to check the KMIP device, there are no keys created? (17:08)
edtubill: Hi, I was wondering if anyone knows where the key uuid is kept for volumes for block encryption? Is it kept in the volume metadata or is it kept in the volume type? (17:08)
cbits: correct no keys created (17:08)
kfarr: edtubill it's kept in the metadata (17:09)
cbits: the command says the key is created.  and we can list it.  but it's not in the kmip device (17:09)
kfarr: cbits okk (17:09)
edtubill: kfarr: volume metadata? ok thanks. (17:09)
kfarr: edtubill, yes volume metadata (17:09)
*** mixos has joined #openstack-barbican (17:10)
kfarr: cbits, I'm sure you've already done this a bunch of times, but can you please double check the barbican conf file? (17:10)
kfarr: also, if you want to turn on debugging, it looks like the option to uncomment is #debug = True (17:10)
kfarr: It's strange that you got the kmip module error because that means it went so far as Barbican knew it needed to talk to the KMIP backend, so I'm not sure why it seems to be getting confused now (17:12)
*** diazjf has quit IRC (17:13)
*** diazjf has joined #openstack-barbican (17:14)
*** diazjf has quit IRC (17:15)
*** _edmund has joined #openstack-barbican (17:15)
*** mixos has quit IRC (17:15)
cbits: kfarr be glad to check (17:16)
openstackgerrit: OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements https://review.openstack.org/243917 (17:17)
*** mixos has joined #openstack-barbican (17:17)
openstackgerrit: OpenStack Proposal Bot proposed openstack/castellan: Updated from global requirements https://review.openstack.org/244225 (17:17)
kfarr: edtubill, if it helps anything, here's the part in cinder code where the encryption id gets set in the metadata: https://github.com/openstack/cinder/blob/ad5170a9e12ab7e14aa18c34a6e828055ef8dbe6/cinder/volume/flows/api/create_volume.py#L404-L432 (17:20)
cbits: kfarr this is my config.  I did a double check and I am not seeing anything wrong.  perhaps a second pair of eyes?  http://paste.openstack.org/show/478590/ (17:21)
cbits: I am going to turn on debug to see if I can get more info that way (17:22)
kfarr: Okk, cbits, your config file looked all good to me (17:22)
kfarr: Is your keyfile permissions set to 400? (17:23)
kfarr: *Are (17:23)
cbits: I can check.  ;) (17:23)
cbits: it was not (17:24)
kfarr: Ok, try it now!  That might have been the issue (17:24)
kfarr: brb (17:25)
edtubill: kfarr: thanks for the link (17:25)
cbits: kfarr not seeing any improvement.  and with debug=true I can see that it's pulling the keys when I do a `barbican secret list` from the db (17:32)
cbits: let me try to create a key and see what it does (17:32)
*** _edmund1 has joined #openstack-barbican (17:33)
*** diazjf has joined #openstack-barbican (17:36)
*** _edmund has quit IRC (17:37)
*** _edmund1 has quit IRC (17:38)
cbits: kfarr when I do a create I can see (in the debug output) that it's doing an INSERT INTO containers (17:38)
*** _edmund has joined #openstack-barbican (17:38)
kfarr: cbits hmm let me see if I can reproduce this (17:40)
cbits: cheers! (17:40)
kfarr: cbits, does that mean you got it to work? (17:40)
*** lisaclark1 has joined #openstack-barbican (17:41)
cbits: no still not working.  cheers = thanks much for all your help! (17:41)
kfarr: cbits *sigh* I was hoping.  btw are you using DevStack? (17:42)
cbits: yes (17:42)
cbits: I don't have Liberty in my env yet. so POC using Devstack so I can add barbican when we deploy Liberty (17:43)
*** lisaclark1 has quit IRC (17:48)
*** su_zhang has joined #openstack-barbican (17:53)
kfarr: cbits, sorry, having devstack problems (18:08)
cbits: I can get you my local.conf I used for devstack (18:08)
cbits: http://paste.openstack.org/show/478594/ (18:09)
cbits: and this is how I set up devstack on a blank 14.04 server http://paste.openstack.org/show/478596/ (18:12)
kfarr: Thanks!  I haven't used this VM in awhile and everything is out of date (18:12)
cbits: I can understand that. :) (18:13)
*** diazjf has quit IRC (18:13)
*** diazjf has joined #openstack-barbican (18:15)
*** jaosorior has quit IRC (18:17)
*** diazjf has quit IRC (18:27)
*** justtesting has joined #openstack-barbican (18:32)
*** justtesting has quit IRC (18:32)
*** bpoulos has quit IRC (18:48)
*** ccneill has quit IRC (19:00)
*** edtubill has quit IRC (19:06)
kfarr: cbits, sorry was pulled away for a bit.  Ok, so I finally found a working VM, but when I tried to update it to the latest devstack, it wasn't working, so I'm doing this all with code from a month or two ago (19:06)
kfarr: My steps were, 1. Launch DevStack (19:07)
kfarr: 2. Adjust barbican config file at /etc/barbican.conf (19:07)
kfarr: 3. Make sure key file permissions are set to 400 (19:07)
kfarr: 4. restart barbican (this makes sure it's reading the latest config file) (19:07)
kfarr: When I said "wasn't working" I meant I couldn't get DevStack would error out when it was stacking (19:10)
kfarr: *DevStack would error out (19:10)
*** cpower has joined #openstack-barbican (19:19)
cbits: kfarr cpower  will be taking over for me (19:20)
cbits: I need to step away.  Thanks again for all your help (19:20)
*** lisaclark1 has joined #openstack-barbican (19:22)
*** diazjf has joined #openstack-barbican (19:25)
*** edtubill has joined #openstack-barbican (19:30)
*** mixos has quit IRC (19:30)
silos: kfarr: You still having devstack problems? (19:32)
*** mixos has joined #openstack-barbican (19:36)
openstackgerrit: Elvin Tubillara proposed openstack/barbican-specs: Create spec for cron job garbage collector for barbican database https://review.openstack.org/243806 (19:42)
*** lisaclark1 has quit IRC (19:44)
*** lisaclark1 has joined #openstack-barbican (19:47)
*** mixos has quit IRC (19:52)
*** mixos has joined #openstack-barbican (19:53)
kfarr: silos, I was yeah, but I'm not sure if it was an old vm problem. Might just need to blow it away and start afresh (19:54)
openstackgerrit: Fernando Diaz proposed openstack/barbican: Add user_meta column to Secrets Database https://review.openstack.org/242645 (19:55)
*** su_zhang has quit IRC (19:55)
*** su_zhang has joined #openstack-barbican (19:56)
*** mixos has quit IRC (19:56)
*** spotz is now known as spotz_zzz (20:00)
*** spotz_zzz is now known as spotz (20:01)
*** lisaclark1 has quit IRC (20:02)
*** mixos has joined #openstack-barbican (20:05)
*** su_zhang has quit IRC (20:08)
silos: kfarr: okay. In case you decide to blow it away I have a patch pending that explains the devstack plugin method way to run devstack with barbican. https://review.openstack.org/#/c/230276/ (20:11)
*** kebray has quit IRC (20:11)
kfarr: silos oh yeah, thanks!  That's very useful, though the problems I was having was just DevStack in general, not Barbican-specific (20:12)
silos: kfarr: ah. okay. (20:13)
*** cpower has quit IRC (20:21)
*** lisaclark1 has joined #openstack-barbican (20:28)
openstackgerrit: Elvin Tubillara proposed openstack/barbican-specs: Create spec for cron job garbage collector for barbican database https://review.openstack.org/243806 (20:28)
*** mixos has quit IRC (20:33)
*** _edmund1 has joined #openstack-barbican (20:36)
*** _edmund has quit IRC (20:40)
*** lisaclark1 has quit IRC (20:43)
*** su_zhang has joined #openstack-barbican (20:53)
*** lisaclark1 has joined #openstack-barbican (20:57)
*** su_zhang has quit IRC (20:57)
*** su_zhang has joined #openstack-barbican (20:59)
*** cpower has joined #openstack-barbican (21:08)
*** cpower has quit IRC (21:10)
*** cpower has joined #openstack-barbican (21:11)
*** jhfeng has quit IRC (21:16)
*** jhfeng has joined #openstack-barbican (21:18)
*** lisaclark1 has quit IRC (21:28)
*** lisaclark1 has joined #openstack-barbican (21:37)
*** kebray has joined #openstack-barbican (21:43)
*** kebray has quit IRC (21:45)
*** peter-hamilton has quit IRC (21:57)
*** kebray has joined #openstack-barbican (22:02)
*** jhfeng has quit IRC (22:19)
*** jhfeng has joined #openstack-barbican (22:21)
*** jhfeng has quit IRC (22:22)
*** jhfeng has joined #openstack-barbican (22:22)
*** cpower has quit IRC (22:35)
*** silos has left #openstack-barbican (22:38)
*** kebray has quit IRC (22:39)
*** edtubill has quit IRC (22:46)
*** lisaclark1 has quit IRC (22:52)
*** lisaclark1 has joined #openstack-barbican (22:56)
*** everjeje has quit IRC (23:17)
*** diazjf has quit IRC (23:18)
*** lisaclark1 has quit IRC (23:18)
*** xaeth is now known as xaeth_afk (23:20)
*** ccneill has joined #openstack-barbican (23:26)
*** lisaclark1 has joined #openstack-barbican (23:29)
*** diazjf has joined #openstack-barbican (23:33)
*** _edmund1 has quit IRC (23:40)
*** spotz is now known as spotz_zzz (23:41)
*** su_zhang has quit IRC (23:41)
*** jhfeng has quit IRC (23:41)
*** diazjf has quit IRC (23:54)
*** ccneill has quit IRC (23:56)
