Monday, 2016-02-01

« Sunday, 2016-01-31 Index Tuesday, 2016-02-02 »
*** chlong has quit IRC00:01
*** mp1 has left #openstack-barbican00:05
*** DuncanT has quit IRC00:15
*** DuncanT has joined #openstack-barbican00:16
*** su_zhang has joined #openstack-barbican00:17
*** chlong has joined #openstack-barbican00:17
*** woodster_ has quit IRC00:36
*** kebray has joined #openstack-barbican00:49
*** cheneydc has joined #openstack-barbican02:21
*** kebray has quit IRC02:22
*** Nirupama has joined #openstack-barbican02:32
*** su_zhang has quit IRC02:55
*** yuanying has quit IRC03:22
*** yuanying has joined #openstack-barbican03:22
*** yuanying has quit IRC04:06
*** kebray has joined #openstack-barbican04:08
*** kebray has quit IRC04:30
*** kebray has joined #openstack-barbican04:30
*** zz_dimtruck is now known as dimtruck04:51
*** sidx64 has joined #openstack-barbican04:53
*** Kevin_Zheng has quit IRC05:02
*** chlong has quit IRC05:05
*** chlong has joined #openstack-barbican05:17
*** chlong has quit IRC05:25
*** Nirupama has quit IRC05:30
*** chlong has joined #openstack-barbican05:38
*** DuncanT_ has joined #openstack-barbican05:42
*** sidx64_Cern has joined #openstack-barbican05:45
*** _junghans_ has joined #openstack-barbican05:46
*** sidx64_Cern has quit IRC05:46
*** sidx64_Cern has joined #openstack-barbican05:46
*** sidx64 has quit IRC05:47
*** dimtruck_ has joined #openstack-barbican05:48
*** DuncanT has quit IRC05:49
*** dimtruck has quit IRC05:49
*** jamielennox has quit IRC05:49
*** _jungh4ns has quit IRC05:49
*** eglute has quit IRC05:49
*** dimtruck_ is now known as dimtruck05:49
*** DuncanT_ is now known as DuncanT05:51
*** eglute has joined #openstack-barbican05:55
*** sidx64_Cern is now known as sidx6406:03
*** jamielennox|away has joined #openstack-barbican06:07
*** jamielennox|away is now known as jamielennox06:07
*** _junghans_ is now known as _jungh4ns06:07
*** su_zhang has joined #openstack-barbican06:09
*** dongc has joined #openstack-barbican06:19
*** kebray has quit IRC06:20
*** cheneydc has quit IRC06:21
*** dongc is now known as cheneydc06:21
*** dave-mccowan has quit IRC06:21
*** chlong has quit IRC06:41
*** Nirupama has joined #openstack-barbican06:42
*** chlong has joined #openstack-barbican06:46
*** dongc has joined #openstack-barbican06:48
*** cheneydc has quit IRC06:48
*** dongc is now known as cheneydc06:48
*** Nirupama has quit IRC07:01
*** jaosorior has joined #openstack-barbican07:26
*** scheuran has joined #openstack-barbican07:26
*** jaosorior has quit IRC07:26
*** jaosorior has joined #openstack-barbican07:27
*** jaosorior has quit IRC07:41
*** chlong has quit IRC07:46
*** dimtruck is now known as zz_dimtruck08:03
*** su_zhang has quit IRC08:23
*** Nirupama has joined #openstack-barbican08:31
*** zz_dimtruck is now known as dimtruck08:47
*** dimtruck is now known as zz_dimtruck08:56
*** openstackgerrit has quit IRC10:02
*** openstackgerrit_ has joined #openstack-barbican10:02
*** openstackgerrit_ has quit IRC10:03
*** cheneydc has quit IRC10:05
*** sidx64_Cern has joined #openstack-barbican10:26
*** sidx64 has quit IRC10:29
*** sidx64_Cern is now known as sidx6410:45
*** zz_dimtruck is now known as dimtruck10:47
*** dimtruck is now known as zz_dimtruck11:01
*** su_zhang has joined #openstack-barbican11:03
*** su_zhang has quit IRC11:08
*** jaosorior has joined #openstack-barbican11:36
*** openstackgerrit has joined #openstack-barbican11:53
*** openstackgerrit has quit IRC11:54
*** openstackgerrit_ has joined #openstack-barbican11:54
*** openstackgerrit_ is now known as openstackgerrit11:55
*** openstackgerrit has quit IRC11:59
*** openstackgerrit has joined #openstack-barbican12:07
*** prazumovsky has joined #openstack-barbican12:08
prazumovskyHello! I reported new bug, take a look, please: https://bugs.launchpad.net/barbican/+bug/154033912:18
openstackLaunchpad bug 1540339 in Barbican "Barbican secret get request returns deleted objects" [Undecided,New]12:18
jaosoriorprazumovsky: Sure, will check it out12:21
jaosoriorthanks!12:21
*** jaosorior has quit IRC12:21
*** jaosorior has joined #openstack-barbican12:21
*** sidx64_Cern has joined #openstack-barbican12:40
*** sidx64 has quit IRC12:43
*** zz_dimtruck is now known as dimtruck12:52
*** sidx64_Cern has quit IRC12:57
*** jaosorior has quit IRC13:00
*** dimtruck is now known as zz_dimtruck13:01
*** xek__ is now known as xek13:12
*** dave-mccowan has joined #openstack-barbican13:22
*** su_zhang has joined #openstack-barbican13:51
*** cheneydc has joined #openstack-barbican13:53
*** cheneydc has quit IRC13:54
*** zz_dimtruck is now known as dimtruck14:12
*** nelsnelson has joined #openstack-barbican14:17
*** nelsnels_ has quit IRC14:17
*** edtubill has joined #openstack-barbican14:19
*** nelsnelson has quit IRC14:20
*** nelsnelson has joined #openstack-barbican14:21
*** kfarr has joined #openstack-barbican14:26
*** Nirupama has quit IRC14:28
*** prazumovsky has quit IRC14:42
*** dimtruck is now known as zz_dimtruck14:50
*** jmckind has joined #openstack-barbican14:59
*** kfarr has quit IRC15:03
*** spotz_zzz is now known as spotz15:04
*** sidx64 has joined #openstack-barbican15:12
*** woodster_ has joined #openstack-barbican15:16
*** kebray has joined #openstack-barbican15:22
*** jorge_munoz has joined #openstack-barbican15:29
*** silos has joined #openstack-barbican15:49
*** rellerreller has joined #openstack-barbican15:57
*** mp1 has joined #openstack-barbican15:59
*** dave-mccowan has quit IRC16:03
*** jhfeng has joined #openstack-barbican16:03
*** dave-mccowan has joined #openstack-barbican16:18
*** anteaya has quit IRC16:18
*** diazjf has joined #openstack-barbican16:25
*** sidx64 has quit IRC16:29
*** diazjf has quit IRC16:30
*** kebray has quit IRC16:31
*** diazjf has joined #openstack-barbican16:34
*** kebray has joined #openstack-barbican16:34
*** kebray has quit IRC16:38
*** pwp has joined #openstack-barbican16:45
*** ccneill has joined #openstack-barbican16:49
openstackgerritskseeker proposed openstack/barbican: LOG.warn is deprecated in python3  https://review.openstack.org/27478516:49
*** mp1 has quit IRC16:49
*** silos has quit IRC16:50
*** mp1 has joined #openstack-barbican16:51
*** pdesai has joined #openstack-barbican16:59
*** diazjf has quit IRC17:02
*** diazjf has joined #openstack-barbican17:03
*** silos has joined #openstack-barbican17:04
*** zz_dimtruck is now known as dimtruck17:07
*** pwp has quit IRC17:09
*** pwp has joined #openstack-barbican17:09
*** su_zhang has quit IRC17:16
*** gyee has joined #openstack-barbican17:17
*** scheuran has quit IRC17:17
*** diazjf has quit IRC17:28
*** diazjf has joined #openstack-barbican17:32
*** diazjf has quit IRC17:37
*** mp1 has quit IRC17:45
*** diazjf has joined #openstack-barbican17:51
*** kebray has joined #openstack-barbican17:51
*** kfarr has joined #openstack-barbican17:55
openstackgerritArun Kant proposed openstack/barbican-specs: Adding spec for supporting multiple secret store backends  https://review.openstack.org/26397217:57
*** jmckind has quit IRC18:01
*** jaosorior has joined #openstack-barbican18:05
*** silos has quit IRC18:06
*** rellerreller has quit IRC18:16
*** su_zhang has joined #openstack-barbican18:30
*** jaosorior has quit IRC18:41
*** fnaval has quit IRC18:44
*** mp1 has joined #openstack-barbican18:50
*** su_zhang has quit IRC19:01
*** su_zhang has joined #openstack-barbican19:01
*** ccneill has quit IRC19:07
*** silos has joined #openstack-barbican19:08
*** jmckind has joined #openstack-barbican19:09
*** su_zhang has quit IRC19:19
*** su_zhang has joined #openstack-barbican19:19
openstackgerritKaitlin Farr proposed openstack/castellan: Update MockKeyManager to use given algorithm  https://review.openstack.org/27486119:19
*** ccneill has joined #openstack-barbican19:20
*** kebray has quit IRC19:26
*** kebray has joined #openstack-barbican19:27
*** diazjf has quit IRC19:38
*** kfarr has quit IRC19:45
*** diazjf has joined #openstack-barbican19:52
*** pwp has quit IRC19:56
*** dave-mccowan has quit IRC19:57
*** maxabidi has joined #openstack-barbican20:00
*** kfarr has joined #openstack-barbican20:01
*** pwp has joined #openstack-barbican20:03
*** pwp has quit IRC20:04
*** rellerreller has joined #openstack-barbican20:04
*** kfarr has quit IRC20:05
*** pwp has joined #openstack-barbican20:06
*** pwp has quit IRC20:08
*** kfarr has joined #openstack-barbican20:10
*** pwp has joined #openstack-barbican20:14
*** dave-mccowan has joined #openstack-barbican20:16
*** kebray has quit IRC20:19
*** pwp has quit IRC20:21
*** pwp has joined #openstack-barbican20:21
*** su_zhang has quit IRC20:23
*** maxabidi has quit IRC20:34
aleediazjf, want to meet right now?20:34
diazjfalee, sure20:34
*** pwp has quit IRC20:34
aleediazjf, actually give me about 5 mins20:35
diazjfalee, no worries, ping me when you get a chance20:35
diazjfrellerreller, kfarr, I'm also gonna work on adding 'created' to castellan objects. Let me know what you think about the comment in https://review.openstack.org/#/c/238150/11/castellan/common/objects/opaque_data.py, also since I'll be using POSIX time, I'll do the conversion here: https://review.openstack.org/#/c/238150/11/castellan/key_manager/barbican_key_manager.py20:37
diazjfrellerreller, kfarr, and thanks for all the reviews, y'all have been extremely helpful20:38
rellerrellerdiazjf np20:38
kfarrdiazjf, thanks for all the great work!20:38
diazjfthanks :)20:39
woodster_jkf: jhfeng  I was curious if you guys are using a lightweight threading deployment for your HSM deploys, vs a multi process one? Seems you wouldn't need the thread locking in the HSM code if you were using the latter approach, so was curious20:41
*** kebray has joined #openstack-barbican20:44
*** silos has quit IRC20:44
jkfwoodster_: I added locking around the caches after talking with jhfeng and findout out he's using threading in his environment. Most people avoid threads in python, but considering how barbican with pkcs11 is really io constrained, it sorta makes sense, so I didn't want to force people into the single-threaded route by not having thread-safe code.20:45
jkfI'm tempted to try threading in my environment just to see what kind of difference it makes. The threading will also allow better cache utilization, as each process in the multi-process model has its own cache and can't share with the other processes. That also means more duplicated session keys on the HSMs.20:46
jhfengwoodster_: I was testing barbican using uWSGi, and enabled multi-threading. but in our prod env, i think threading mode wouldn't be used.20:48
woodster_jkf: I recall that some folks (reaperhulk jvrbanac) had noticed performance issues with thread locks in the past, so was curious if you had seen similar slow downs. I agree with the better caching argument, but I'm a bit concerned about mixing python threading and eventlet (used for the queuing/messaging stuff) together.20:49
woodster_jhfeng:  had you tried to use multi-processing instead?20:50
jkfwoodster_: uncontested locks are really fast. The performance numbers I generated were with locking around the caches, so performance isn't bad.20:50
jhfengwoodster_: yes20:51
*** silos has joined #openstack-barbican20:51
woodster_jkf:  good to know20:51
woodster_jhfeng:  do you recall if the performance was about the same between multi-thread and multi-process?20:52
jhfengwoodster_ i didn't notice big difference using process vs threading mode20:53
jkfwoodster_: One thing I can't tell you is how well the locking plays with eventlet, but I imagine you would have similar issues with it as with threading, depending on how it broke up the streams of execution.20:53
woodster_jkf: I figure it comes down to how well the magical eventlet monkey patching works with threading20:54
jkfHave I mentioned how much I hate eventlet? :)20:54
reaperhulkit's awful.20:54
reaperhulkI actually have been playing in PKCS11 land again recently20:54
woodster_jkf: ha, yeah that is why I'm so squeamish about it all20:54
reaperhulkhttps://github.com/reaperhulk/cryptography-pkcs11/blob/master/src/cryptography_pkcs11/session_pool.py#L49 here is a random experimental session pool :)20:54
*** mp11 has joined #openstack-barbican20:54
*** jhfeng_ has joined #openstack-barbican20:55
woodster_reaperhulk: sorry to hear that Paul :)20:55
reaperhulk(and yeah, cryptography-pkcs11 lets you use cryptography's APIs with PKCS11)20:55
*** diazjf1 has joined #openstack-barbican20:55
reaperhulkit's also not production ready by a long shot20:56
*** mp1 has quit IRC20:56
aleediazjf, now?20:56
*** diazjf has quit IRC20:57
rellerrellerarunkant comments on spec, https://etherpad.openstack.org/p/key-wrapping20:57
*** edtubill has quit IRC20:57
woodster_reaperhulk: are you recommending threading vs multi-process for p11 usage as well then? I presume the latter would require locking primitives in the c-layer managing the p11 interface20:57
jkfreaperhulk: Neat. I'll check it out and see how you're doing things.20:58
*** ngupta has quit IRC20:58
*** jhfeng has quit IRC20:58
diazjf1alee, ready20:59
aleediazjf1, can you set up a google hangout?20:59
diazjf1alee, gimme 2 mins20:59
*** pwp has joined #openstack-barbican20:59
*** ngupta has joined #openstack-barbican21:00
reaperhulkjkf: I dunno if the way I'm doing things is really great, I just decided to try a completely different method :) It still doesn't do anything like handle out of memory and there are edge cases where sessions don't get closed, etc21:00
reaperhulkwoodster_: Multi-process does solve some problems by forcing the PKCS11 lib to do the threading for you, but it's not practical for my use case (where cryptography's APIs need to appear identical)21:01
diazjf1https://hangouts.google.com/call/pydxcjxdcyz7mwa3zzfldd4beua21:01
diazjf1alee ^21:01
diazjf1alee: https://review.openstack.org/#/c/263462/ this is the patch I reviewed21:01
aleediazjf1, I'm in the hangout21:02
aleewell I was ..21:02
diazjf1hmm21:02
diazjf1try again21:03
aleehmm .. you are not allowed to join this video call.21:03
aleeYou're not allowed to join this video call.21:03
*** rellerreller has quit IRC21:04
aleejsut a sec .. brb21:04
diazjf1alee, I'll try setting it up again21:04
jkfwoodster_: The pkcs11 standard itself pushes threads vs processes and you can share resources easily between threads. Load a session key once and then use it from multiple threads for operations. The issue really that I see is how much does Python's threading support affect things.21:04
diazjf1alee https://hangouts.google.com/call/abj5dbxctef457sq4fwt5jlcwya21:04
jkfSince we're mainly io bound, it could be beneficial here. Needs more testing I think.21:05
woodster_jkf, reaperhulk  thanks I think we'll evaluate the multi-threaded approach first then21:06
*** pwp has quit IRC21:07
*** pwp has joined #openstack-barbican21:07
jkfreaperhulk: How would you like feedback on that code?21:07
aleediazjf1, no dice -- let me try setting one up21:08
diazjf1ok cool21:08
*** fnaval has joined #openstack-barbican21:08
*** jmckind has quit IRC21:09
aleediazjf1, try again --- I think I got it21:09
diazjf1alee https://hangouts.google.com/hangouts/_/fiu.edu/puppet21:09
diazjf1I changed a setting try now21:10
reaperhulkjkf: you can drop comments on the commit if you want or else you can just open issues on the repo21:11
reaperhulkI'm happy to take PRs on that as well, with the caveat that everything in the project is subject to change (I think this is the third form of the session pool in the past 4 days since I started working on this)21:12
openstackgerritElvin Tubillara proposed openstack/barbican: Simple soft deletion cleanup script  https://review.openstack.org/26990321:16
*** edtubill has joined #openstack-barbican21:17
*** jmckind has joined #openstack-barbican21:18
*** pwp has quit IRC21:19
jhfeng_reaperhulk: Paul, could you please post the link again ? I was disconnected from channel21:20
*** pwp has joined #openstack-barbican21:21
reaperhulkjhfeng_ sure: https://github.com/reaperhulk/cryptography-pkcs11/blob/master/src/cryptography_pkcs11/session_pool.py is where the session pool lives and https://github.com/reaperhulk/cryptography-pkcs11/ is the project21:21
jhfeng_reaperhulk: thx21:22
reaperhulkNo problem. It probably won't be all that useful to barbican for now, but who knows21:23
openstackgerritElvin Tubillara proposed openstack/barbican: Simple soft deletion cleanup script  https://review.openstack.org/26990321:26
*** su_zhang has joined #openstack-barbican21:30
*** su_zhang has quit IRC21:34
*** pwp has quit IRC21:44
*** pwp has joined #openstack-barbican21:44
*** pwp has quit IRC21:50
*** pwp has joined #openstack-barbican21:57
*** su_zhang has joined #openstack-barbican22:04
*** su_zhang has quit IRC22:08
*** su_zhang has joined #openstack-barbican22:09
*** su_zhang has quit IRC22:10
*** su_zhang has joined #openstack-barbican22:10
*** chlong has joined #openstack-barbican22:10
*** silos has left #openstack-barbican22:33
jhfeng_jkf: ping22:38
jkfjhfeng_: What's up?22:38
*** diazjf1 has quit IRC22:38
*** edtubill has quit IRC22:38
*** edtubill has joined #openstack-barbican22:39
jhfeng_jkf: is there any reason why we use CKM_AES_CBC_PAD for key wrapping ?22:39
*** edtubill has quit IRC22:39
reaperhulkjhfeng_: historically it was because the HSMs rackspace (and symantec) used for this had severe firmware constraints on the allowable mechanisms in C_WrapKey22:40
reaperhulkthey didn't support AES keywrap or AES GCM, both of which would provide authentication and remove the need for the HMAC pass22:40
openstackgerritDouglas Mendizábal proposed openstack/barbican: Use config option for host reference in versions  https://review.openstack.org/27491522:41
jhfeng_reaperhulk: ok thanks. i see.22:43
*** pwp has quit IRC22:45
jkfjhfeng_: what he said. :)22:46
*** su_zhang has quit IRC22:50
*** su_zhang has joined #openstack-barbican22:50
*** jhfeng_ has quit IRC22:59
*** jmckind has quit IRC23:01
*** yuanying has joined #openstack-barbican23:02
*** david-lyle has quit IRC23:15
*** kfarr has quit IRC23:18
*** spotz is now known as spotz_zzz23:22
*** kebray has quit IRC23:34
*** jamielennox is now known as jamielennox|away23:36
*** dimtruck is now known as zz_dimtruck23:38
*** kragniz_ is now known as kragniz23:38
*** nkinder has quit IRC23:54
« Sunday, 2016-01-31 Index Tuesday, 2016-02-02 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!