Tuesday, 2016-07-05

[00:08] *** dgonzalez has quit IRC
[00:15] *** dgonzalez has joined #openstack-barbican
[00:34] *** dimtruck is now known as zz_dimtruck
[00:59] *** alee has quit IRC
[01:09] *** jamielennox is now known as jamielennox|away
[01:33] *** mixos has joined #openstack-barbican
[01:43] *** jamielennox|away is now known as jamielennox
[01:53] *** jamielennox is now known as jamielennox|away
[02:14] *** zz_dimtruck is now known as dimtruck
[02:36] *** dimtruck is now known as zz_dimtruck
[02:43] *** jamielennox|away is now known as jamielennox
[02:46] *** mixos has quit IRC
[03:34] *** Kevin_Zheng has joined #openstack-barbican
[06:04] *** jsheeren has joined #openstack-barbican
[06:46] *** pcaruana has joined #openstack-barbican
[06:47] *** andreas_s has joined #openstack-barbican
[07:17] *** rhagarty__ has quit IRC
[07:18] *** rhagarty__ has joined #openstack-barbican
[07:52] *** chlong has quit IRC
[08:04] *** chlong has joined #openstack-barbican
[08:22] *** jsheeren has quit IRC
[08:22] *** jsheeren has joined #openstack-barbican
[08:33] *** alee has joined #openstack-barbican
[08:40] *** alee has quit IRC
[08:45] *** alee has joined #openstack-barbican
[09:04] *** alee has quit IRC
[10:58] *** jsheeren has quit IRC
[11:05] *** jsheeren has joined #openstack-barbican
[11:50] *** alee has joined #openstack-barbican
[11:55] *** alee has quit IRC
[12:12] *** chlong has quit IRC
[12:14] *** alee has joined #openstack-barbican
[12:19] *** openstackgerrit has quit IRC
[12:19] *** openstackgerrit has joined #openstack-barbican
[12:36] *** alee_ has joined #openstack-barbican
[12:39] *** alee has quit IRC
[12:41] <jsheeren> anyone here got experience with octavia and https terminated tls listeners?
[12:43] *** chlong has joined #openstack-barbican
[13:02] *** jmckind has joined #openstack-barbican
[14:05] *** woodster_ has joined #openstack-barbican
[14:14] *** permalac has quit IRC
[14:21] <alee_> redrobot, ping
[14:22] *** spotz_zzz is now known as spotz
[14:29] *** randallburt has joined #openstack-barbican
[14:31] *** randallburt1 has joined #openstack-barbican
[14:33] *** randallburt has quit IRC
[14:33] *** sigmavirus_away is now known as sigmavirus
[14:33] *** sigmavirus is now known as bops
[14:34] *** bops is now known as sigmavirus
[14:50] *** jsheeren has quit IRC
[15:03] <redrobot> alee_ pong
[15:04] <alee_> redrobot, hey -- did you ever set up those deployment docs?
[15:04] <alee_> redrobot, so that folks know how to deploy barbican ..
[15:04] <redrobot> alee_ nope.  that stuff is all in flux right now... nobody could give me a straight answer on how to get them up there
[15:05] <redrobot> alee_  I suppose we could start documenting in our own docs and then move them when the doc team has their stuff figured out
[15:05] <alee_> yeah - that's probably best
[15:06] *** diazjf has joined #openstack-barbican
[15:07] <alee_> redrobot, I'll probably have a little time to work on this next week
[15:07] <redrobot> alee_ cool, I'll get a CR up with a skeleton in our own repo
[15:07] <alee_> redrobot ok
[15:08] <alee_> diazjf, ping
[15:09] <diazjf> redrobot, hey I'll be sending an email on the mailing list later this week for the midcycle. I'll keep everyone on this channel up to date!
[15:09] <diazjf> alee_ pong
[15:09] <alee_> diazjf, I was going to ask about the midcycle actually
[15:09] <alee_> as well as the barbican workshop ..
[15:10] <alee_> diazjf, have you already submitted the barbican workshop ?
[15:10] <redrobot> diazjf cool
[15:10] <alee_> redrobot, diazjf do we have confirmed dates / plans for the midcycle?
[15:10] <diazjf> alee_ so it's gonna be Aug 15 - 17 Barbican, Aug 17 - 19 Security. Austin, Texas
[15:10] <redrobot> alee_ waiting on diazjf to confirm
[15:11] <alee_> ibm or rackspace?
[15:11] <diazjf> alee_ ibm
[15:11] <alee_> cool
[15:11] <alee_> diazjf, and the barbican workshop?  have you submitted the talk proposal?
[15:12] <diazjf> alee_ not yet, we have until the 15. I wanna get redrobot in on it
[15:12] <redrobot> diazjf I'm in! ;)
[15:12] <alee_> diazjf, I thought it was the 13th ..
[15:13] <diazjf> alee_ your right!
[15:13] <diazjf> you're*
[15:13] <alee_> diazjf, yeah - so coming up soon ..
[15:14] <alee_> hyakuhei, same topic ..
[15:14] <alee_> hyakuhei, if we're going to do a "PKI in Openstack" talk, we need to submit soon.
[15:16] <diazjf> alee_, redrobot, how many people are allowed for a workshop?
[15:16] <diazjf> I think we should get all/most cores in on it
[15:16] <redrobot> diazjf alee_ in Paris we had 2 presenters and 3 people on the floor to help with questions
[15:16] <diazjf> redrobot, so register it as a panel?
[15:16] <redrobot> diazjf I _think_ there's a way to say it's a workshop?
[15:18] <diazjf> redrobot, cool I'll look into it
[15:21] <alee_> diazjf, redrobot looks like only panel and presentation
[15:21] <alee_> diazjf, redrobot but panel allows 4 speakers and 1 moderator
[15:21] <alee_> while preso has max 3 speakers
[15:22] <redrobot> alee_ diazjf yeah, but we need a room with tables so people can use their laptops
[15:22] <alee_> redrobot, understood - there just is no workshop category
[15:23] <alee_> on the call for preso page
[15:23] <diazjf> alee_ redrobot, I'll choose panel and from there I can choose hands-on workshop in the general topic
[15:23] <alee_> diazjf, cool
[15:25] <alee_> redrobot, diazjf note that it seems like speaker bios are mandatory and need to be in before the deadline most likely
[15:26] <diazjf> alee_ I'll set a deadline for myself to register the talk by tomorrow afternoon. I'll make sure to email everyone on the talk to fill out their bio
[15:27] <alee_> diazjf, cool thanks
[15:28] <alee_> diazjf, redrobot y'all wouldn't remember where the tempest test to test encrypted volumes is, would you?
[15:30] <diazjf> alee_ https://github.com/openstack/tempest/blob/dcc559792320d6cd087f658a3c49a88104493dc5/tempest/scenario/test_encrypted_cinder_volumes.py ?
[15:31] <alee_> diazjf, awesome thanks!
[15:33] *** openstackgerrit has quit IRC
[15:33] *** openstackgerrit has joined #openstack-barbican
[15:35] *** jmckind_ has joined #openstack-barbican
[15:38] *** jmckind has quit IRC
[15:43] *** zz_dimtruck is now known as dimtruck
[15:45] *** gyee has joined #openstack-barbican
[15:46] *** jmckind_ has quit IRC
[15:48] *** jmckind has joined #openstack-barbican
[16:07] *** andreas_s has quit IRC
[16:09] *** kebray has joined #openstack-barbican
[16:33] *** pcaruana has quit IRC
[16:48] *** alee has joined #openstack-barbican
[16:48] *** alee_ has quit IRC
[16:59] *** diazjf has quit IRC
[17:09] *** permalac has joined #openstack-barbican
[17:46] *** randallburt1 has quit IRC
[17:49] *** randallburt has joined #openstack-barbican
[18:13] -openstackstatus- NOTICE: Job instability resulting from a block storage connectivity error on mirror.iad.rax.openstack.org has been corrected; jobs running in rax-iad should be more reliable again.
[18:27] *** diazjf has joined #openstack-barbican
[18:31] *** diazjf has quit IRC
[18:34] *** diazjf has joined #openstack-barbican
[18:40] *** diazjf has quit IRC
[18:54] *** diazjf has joined #openstack-barbican
[18:57] *** diazjf has quit IRC
[19:00] *** diazjf has joined #openstack-barbican
[19:11] <openstackgerrit> Pankaj Khandar proposed openstack/barbican: Insecure default PROTOCOL_TLSv1 version in KMIP plugin  https://review.openstack.org/330688
[19:24] *** dimtruck is now known as zz_dimtruck
[19:31] *** gyee has quit IRC
[19:35] *** kebray has quit IRC
[19:43] *** zz_dimtruck is now known as dimtruck
[20:04] *** jsheeren has joined #openstack-barbican
[20:05] <jsheeren> hi everyone
[20:05] <jsheeren> so i'm still playing around with octavia, got it running, so i can create loadbalancers, which work fine as advertised
[20:05] <jsheeren> unfortunately i'm running into an issue with creating https tls listeners
[20:05] <jsheeren> it says it can't find the certificates (which are stored in barbican), but using the barbican client i can fetch them without issues
[20:05] <jsheeren> logs tell me octavia is pushing the wrong project id to fetch stuff from barbican (it's pushing the service project id instead of the user project id)
[20:05] <jsheeren> also, i configured everything to be https
[20:06] <jsheeren> yet i see in the logs that there are posts going to http
[20:06] <jsheeren> can anyone point me in the right direction where to look? config setting i overlooked?
[20:06] <rm_work> jsheeren: octavia uses its service account to get the secrets
[20:06] <rm_work> jsheeren: the users need to set up ACLs to allow the octavia user access
[20:06] <rm_work> you're missing part of the workflow
[20:07] <rm_work> I think there might be docs for that somewhere...
[20:07] <jsheeren> rm_work: aha, thanks!  so i set up acl for the user that created the certificate containers? (the same user that creates the loadbalancer)
[20:07] <rm_work> though... hmm
[20:07] <rm_work> jsheeren: yeah, there's an ACL call for the container (and the secrets) that allows another user to READ them
[20:07] <jsheeren> yeah i found that docs and octavia are not always easy :-)
[20:07] <rm_work> which you'll want to set, with the octavia service user as the target
[20:08] <jsheeren> ok, so i set the octavia service user in the acl with read permissions?
[20:08] <rm_work> yes
[20:08] *** diazjf has quit IRC
[20:08] <rm_work> but, if you run into issues, let us know
[20:08] <jsheeren> ok that makes sense, cause that's the project id that i see in the logs (the octavia service user)
[20:08] <rm_work> yep
[20:09] *** dimtruck is now known as zz_dimtruck
[20:09] <jsheeren> rm_work: alright, thank you!  i'll look into it right away
[20:11] <jsheeren> rm_work: the id that's pushed to barbican by octavia is the one of the service project/tenant
[20:11] <jsheeren> can i give a project/tenant (not the user) read rights?
[20:12] <rm_work> I believe so? redrobot ?
[20:12] <rm_work> hmm
[20:12] * redrobot pokes head in
[20:12] <rm_work> I thought octavia would NEED to use its service-user
[20:12] <rm_work> which would be a userID
[20:12] <rm_work> it
[20:13] <rm_work> * it's using a keystone token for the barbican read operation, which *must* be a user, right?
[20:13] <rm_work> can't generate a keystone token for a tenant without a user?
[20:13] <redrobot> rm_work keystone tokens use a triad of user+project+role
[20:13] <rm_work> yeah
[20:13] <rm_work> that's what i thought
[20:14] <rm_work> jsheeren: it may only be showing you the tenantID, but there *is* a userID
[20:14] *** zz_dimtruck is now known as dimtruck
[20:14] <jsheeren> rm_work: ok
[20:14] <redrobot> under normal circumstances barbican checks to make sure the project matches between the token being presented, and the project stored in barbican as the "owner" project
[20:14] <redrobot> if the project mismatches it checks the UserID to see if it is in ACL list
[20:14] <redrobot> if both fail then you get a 401
[20:14] <jsheeren> redrobot: alright thank you
[20:15] <jsheeren> rm_work: also, thanks
[20:15] <rm_work> np
[20:15] <rm_work> good luck, let me know how it works out, our testing on this aspect has been ... sparse
[20:15] <redrobot> jsheeren yep, sorry I missed you earlier.... let me know if anything else comes up
[20:15] <rm_work> so I am excited to see people using it :P
[20:16] <jsheeren> yeah no problem, i'm in a different time zone i guess :-)
[20:16] <jsheeren> i'm glad you guys are helping me out!
[20:25] <jsheeren> hmm: HTTPNotFound: Not Found. Sorry but your container is in another castle.
[20:25] <jsheeren> in the debug log of barbican i can see the sql statements
[20:26] <jsheeren> there it is using the service project id as the external id
[20:27] <jsheeren> i added the octavia user with the "acl submit" command, read and project access to the container;  should this be enough or am i missing something?
[20:29] <jsheeren> maybe related, but the last line in the log is: "POST /v1/containers/5680e375-eaa9-4657-8ba2-a605b67179a8/consumers/ HTTP/1.1" 404 359 "-" "keystoneauth1/2.4.0 python-requests/2.9.1 CPython/2.7.11+"
[20:29] <jsheeren> this post is coming into http, but i set up the service using https..
[20:35] *** dimtruck is now known as zz_dimtruck
[20:36] *** randallburt has quit IRC
[20:37] <jsheeren> on another note: my barbican-keystone-listener fails with the message: Could not load 'simple_certificate_event': cannot import name certificate_manager
[20:37] <jsheeren> is there an easy fix for that one?
[20:43] <redrobot> jsheeren to be honest, I haven't used the keystone-listener much
[20:44] <jsheeren> redrobot: what is it for actually?
[20:44] <redrobot> jsheeren listens for Keystone events like account deletion to clean up barbican data
[20:45] <jsheeren> ah nice
[20:47] *** zz_dimtruck is now known as dimtruck
[20:53] <jsheeren> hah, i think i found it; it's not the octavia user, but the neutron user that's making the request for the secret container
[20:53] <jsheeren> let me check ...
[20:53] <rm_work> AH yes
[20:53] <rm_work> that sounds right
[20:53] <rm_work> actually, i think it will be both <_<
[20:53] <rm_work> but, we configure them to share a user in production :/
[20:53] <rm_work> jsheeren: ^^
[20:54] <rm_work> the check is done for validation on the frontend (neutron-lbaas), then the cert is read AGAIN on the backend (octavia) to actually be used
[20:54] <rm_work> this will be simplified a lot once neutron-lbaas and octavia are merged
[20:55] *** gyee has joined #openstack-barbican
[20:56] *** jmckind_ has joined #openstack-barbican
[20:58] *** jmckind has quit IRC
[21:02] <jsheeren> rm_work: that's an idea to configure it to share a user. might look into that
[21:03] <jsheeren> anyway; i added the neutron user to the acl for the secret container AND the secrets; but i'm still getting the "HTTPNotFound: Not Found. Sorry but your container is in another castle." message
[21:05] <jsheeren> gah; i need to go, i'll dig deeper in the logs, if i find it, i'll let you know here sometime tomorrow
[21:05] <jsheeren> rm_work: thank you for helping
[21:05] <jsheeren> redrobot: also, thanks!!
[21:05] <rm_work> hmm ok
[21:05] <rm_work> i am interested, so keep me posted
[21:06] <jsheeren> will do! bye
[21:06] *** jsheeren has quit IRC
[21:06] *** kebray has joined #openstack-barbican
[21:07] *** kebray has quit IRC
[21:11] *** diazjf has joined #openstack-barbican
[21:26] *** DandyPandy has quit IRC
[21:32] *** DandyPandy has joined #openstack-barbican
[21:33] *** diazjf has quit IRC
[21:34] *** diazjf has joined #openstack-barbican
[21:42] *** sigmavirus is now known as sigmavirus_away
[21:43] *** diazjf has quit IRC
[22:21] *** spotz is now known as spotz_zzz
[22:24] *** jmckind_ has quit IRC
[23:35] *** permalac has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!