*** dave-mccowan has joined #openstack-barbican | 00:09 | |
*** agrebennikov has joined #openstack-barbican | 00:09 | |
*** liujiong has joined #openstack-barbican | 01:26 | |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/castellan master: [WIP] Vault based key manager https://review.openstack.org/483080 | 02:20 |
*** noslzzp has quit IRC | 03:21 | |
*** dave-mccowan has quit IRC | 03:24 | |
*** cpuga has joined #openstack-barbican | 03:26 | |
*** cpuga has quit IRC | 03:30 | |
*** cpuga has joined #openstack-barbican | 03:44 | |
openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican-specs master: Specs rolling upgrade for Barbican https://review.openstack.org/472612 | 03:56 |
*** agrebennikov has quit IRC | 04:29 | |
openstackgerrit | Rajat Sharma proposed openstack/barbican master: switch to openstackdocs theme. https://review.openstack.org/479250 | 05:41 |
*** hieulq has quit IRC | 05:45 | |
*** hieulq has joined #openstack-barbican | 05:46 | |
*** pcaruana has joined #openstack-barbican | 06:52 | |
*** andreas_s has joined #openstack-barbican | 07:36 | |
*** cpuga has quit IRC | 08:18 | |
*** salmankhan has joined #openstack-barbican | 09:01 | |
*** salmankhan1 has joined #openstack-barbican | 09:04 | |
*** salmankhan has quit IRC | 09:05 | |
*** salmankhan1 is now known as salmankhan | 09:05 | |
*** salmankhan has quit IRC | 10:07 | |
*** salmankhan1 has joined #openstack-barbican | 10:07 | |
*** salmankhan1 is now known as salmankhan | 10:09 | |
*** liujiong has quit IRC | 10:22 | |
*** raildo has joined #openstack-barbican | 11:06 | |
*** dave-mccowan has joined #openstack-barbican | 12:01 | |
*** catintheroof has joined #openstack-barbican | 12:56 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/barbican master: Updated from global requirements https://review.openstack.org/477912 | 12:57 |
*** noslzzp has joined #openstack-barbican | 13:02 | |
*** deep-book-gk_ has joined #openstack-barbican | 13:04 | |
*** deep-book-gk_ has left #openstack-barbican | 13:04 | |
openstackgerrit | Jan Stodt proposed openstack/barbican master: WIP: PKCS11: Use correct attributes for key unwrapping https://review.openstack.org/483388 | 13:22 |
openstackgerrit | Jan Stodt proposed openstack/barbican master: WIP: Use correct AES_GCM header in pkcs11 https://review.openstack.org/483378 | 13:25 |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/castellan master: [WIP] Vault based key manager https://review.openstack.org/483080 | 13:50 |
openstackgerrit | Jan Stodt proposed openstack/barbican master: WIP: PKCS11: Add CKM_GENERIC_SECRET https://review.openstack.org/483400 | 13:54 |
openstackgerrit | Jan Stodt proposed openstack/barbican master: WIP: PKCS11 key generation: Add CKM_GENERIC_KEY for generate HMAC https://review.openstack.org/483401 | 13:54 |
openstackgerrit | Jan Stodt proposed openstack/barbican master: WIP: PoC: Implement CBC PAD as alternative to AES_GCM https://review.openstack.org/483404 | 14:03 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/barbican master: Updated from global requirements https://review.openstack.org/477912 | 14:11 |
*** cpuga has joined #openstack-barbican | 14:16 | |
*** cpuga has quit IRC | 14:18 | |
*** cpuga has joined #openstack-barbican | 14:18 | |
*** cpuga has quit IRC | 14:22 | |
*** cpuga has joined #openstack-barbican | 14:41 | |
*** cpuga has quit IRC | 14:44 | |
*** cpuga has joined #openstack-barbican | 14:44 | |
*** andreas_s has quit IRC | 14:55 | |
*** diazjf has joined #openstack-barbican | 14:59 | |
*** diazjf has quit IRC | 14:59 | |
*** pcaruana has quit IRC | 15:38 | |
openstackgerrit | Paul Bourke (pbourke) proposed openstack/castellan master: Fix retrieving barbican endpoint from service catalog https://review.openstack.org/483457 | 16:01 |
openstackgerrit | Paul Bourke (pbourke) proposed openstack/castellan master: Fix retrieving barbican endpoint from service catalog https://review.openstack.org/483457 | 16:05 |
*** agrebennikov has joined #openstack-barbican | 16:07 | |
*** jamielennox has quit IRC | 16:19 | |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/castellan master: [WIP] Vault based key manager https://review.openstack.org/483080 | 16:28 |
*** kfarr has joined #openstack-barbican | 16:30 | |
*** chlong has joined #openstack-barbican | 16:30 | |
dave-mccowan | hi kfarr | 16:31 |
kfarr | hey dave-mccowan ! | 16:31 |
*** chlong has quit IRC | 16:32 | |
dave-mccowan | do you know what needs to be done before pike release of castellan? release date for non-client libraries is in one week. | 16:32 |
*** chlong has joined #openstack-barbican | 16:34 | |
dave-mccowan | kfarr (is castellan considered "non-client"?) | 16:34 |
kfarr | yes, it's non-client | 16:34 |
kfarr | dave-mccowan I am not sure | 16:40 |
kfarr | it would be nice to get this in: https://review.openstack.org/#/c/418019/6 | 16:40 |
kfarr | but it's only needed by the castellan-ui, which hasn't been published yet | 16:40 |
openstackgerrit | Paul Bourke (pbourke) proposed openstack/castellan master: Improve docs around configuring Castellan https://review.openstack.org/483461 | 16:42 |
dave-mccowan | kfarr let me know if anything needs a review. | 16:43 |
dave-mccowan | kfarr did you notice i added you as a presenter for Barbican Workshop Part 3? | 16:43 |
kfarr | dave-mccowan yes, thanks! | 16:44 |
kfarr | dave-mccowan we will be sending one person, but it hasn't been decided yet | 16:44 |
kfarr | it probably won't be me | 16:44 |
kfarr | but maybe whoever is going from our team could help with the presentation? | 16:44 |
dave-mccowan | sure, that'd be good. | 16:45 |
*** jaosorior has joined #openstack-barbican | 16:46 | |
kfarr | dave-mccowan did you see the vault plugin for castellan wip ?? | 16:49 |
kfarr | that's exciting | 16:49 |
kfarr | dims are you trying to get the vault plugin into this release? | 16:49 |
dave-mccowan | yes, very cool. RIP barbican maybe, but still very cool. | 16:50 |
dims | kfarr : nope, just experimenting | 16:50 |
kfarr | dims do you know if anyone is looking at adding a keystone authentication plugin to vault ? | 16:51 |
dims | dave-mccowan : why? ttx was talking about bringing up barbican as base service. so i was looking at castellan and choices available | 16:51 |
dims | kfarr : not that i know of | 16:51 |
kfarr | okk thanks | 16:52 |
dims | there's this one too in the queue (KMIP) https://review.openstack.org/#/c/298991/ | 16:52 |
dave-mccowan | dims deployment choices are good. a castellan+vault deployment wouldn't need barbican, but that's ok. hopefully castellan+barbican+vault will also be a choice (there's a WIP patch out for that too) | 16:54 |
dims | ah cool | 16:54 |
dave-mccowan | dims for castellan+kmip and castellan+vault to work, there needs to be keystone auth plugin for kmip and vault. | 16:57 |
dims | i see. still reading docs etc. will see what they have | 16:58 |
dave-mccowan | dims thanks for the patch! i know a lot of folks will be interested in getting this to work. | 17:00 |
dims | yw dave-mccowan | 17:03 |
*** raildo has quit IRC | 17:19 | |
kfarr | for a proof-of-concept, it's possible to have a single set of vault credentials stored in the config file, and to use only those credentials when interacting with the key manager. this isn't very secure, but it's a way to get around keystone auth tokens | 17:25 |
*** raildo has joined #openstack-barbican | 17:38 | |
openstackgerrit | Octave Orgeron proposed openstack/barbican master: Use oslo.db options for database sync and upgrade https://review.openstack.org/463865 | 17:44 |
*** salmankhan has quit IRC | 18:00 | |
*** jamielennox has joined #openstack-barbican | 18:37 | |
*** rmascena has joined #openstack-barbican | 18:38 | |
*** pcaruana has joined #openstack-barbican | 18:38 | |
*** raildo has quit IRC | 18:40 | |
*** rmascena has quit IRC | 18:44 | |
*** raildo has joined #openstack-barbican | 18:45 | |
*** jaosorior has quit IRC | 19:05 | |
*** alee_ has joined #openstack-barbican | 19:13 | |
*** kfarr has quit IRC | 19:17 | |
*** alee_ has quit IRC | 19:34 | |
*** alee_ has joined #openstack-barbican | 19:35 | |
*** diazjf has joined #openstack-barbican | 19:46 | |
*** pcaruana has quit IRC | 19:52 | |
*** randomhack has joined #openstack-barbican | 19:54 | |
randomhack | so, I'm running openstack-newton and have gotten cinder, keystone, and barbican to work. I can create luks volumes from glance images, but I cannot mount these images to any instances without getting either fixed_key not defined error or (if I set fixed_key = none in nova.conf) I get KeyError '3f23...-....-....-............' != 00000000-0000-0000-0000-00000000 | 19:58 |
*** alee_ has quit IRC | 20:00 | |
randomhack | http://pasted.co/4e8a312w (my nova.conf lines specific to barbican) | 20:00 |
*** alee_ has joined #openstack-barbican | 20:19 | |
*** diazjf has quit IRC | 20:31 | |
*** raildo has quit IRC | 20:46 | |
dave-mccowan | randomhack can you check your paste link? i get 404 | 20:49 |
*** chlong has quit IRC | 20:52 | |
dave-mccowan | randomhack https://docs.openstack.org/newton/config-reference/block-storage/volume-encryption.html | 20:55 |
randomhack | dave-mccowan: hey, it's pasted.co/4e8a312e | 20:56 |
randomhack | typo on last character | 20:56 |
*** raildo has joined #openstack-barbican | 21:00 | |
*** raildo has quit IRC | 21:02 | |
randomhack | dave-mccowan: nova error log from attaching volume: http://pasted.co/91119f6c | 21:05 |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/castellan master: [WIP] Vault based key manager https://review.openstack.org/483080 | 21:18 |
*** diazjf has joined #openstack-barbican | 21:20 | |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/castellan master: [WIP] Vault based key manager https://review.openstack.org/483080 | 21:30 |
dave-mccowan | randomhack backtrace shows nova is trying to use conf_key_mgr (configured key) instead of castellan/barbican (what you want) | 21:38 |
randomhack | If I define a fixed key, it is able to mount a volume, but it's just using the fixed_key and not barbican. :/ | 21:39 |
dave-mccowan | randomhack i don't think you need the [barbican] stanza in your nova.conf, and shouldn't need a fixed_line. the only line needed is api_class. | 21:47 |
dave-mccowan | randomhack can you try it like that? nova should be able to get everything else from the catalog | 21:48 |
*** diazjf has quit IRC | 21:48 | |
*** cpuga has quit IRC | 21:52 | |
randomhack | I'll give it a shot | 21:53 |
*** diazjf has joined #openstack-barbican | 22:01 | |
randomhack | dave-mccowan: http://pasted.co/0a5424de (error output) - Still getting fixed_key not defined | 22:01 |
dave-mccowan | randomhack :-( maybe a nova bug? i'll give it a try tonight. check back here tomorrow? | 22:03 |
*** alee_ has quit IRC | 22:04 | |
*** alee_ has joined #openstack-barbican | 22:05 | |
randomhack | dave-mccowan: well, I'm running a hosted control-plane, so it's probably something to do with the control plane and data plane separation that they're doing - here's the nova startup options that it's using http://pasted.co/1d41c598 | 22:07 |
randomhack | platform9.net | 22:08 |
*** diazjf has quit IRC | 22:09 | |
dave-mccowan | line 854 shows it's using conf_key_mgr, not castellan per nova.conf | 22:10 |
randomhack | by jove, you're right.. what the heck | 22:14 |
dave-mccowan | randomhack are you sure Newton? in ocata and before the section was called [keymgr] instead of [key_manager] | 22:26 |
dave-mccowan | randomhack nm. the log even says key_manager | 22:27 |
randomhack | dave-mccowan: they're looking into why my config override file isn't being read (pf9 support) | 22:36 |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/castellan master: [WIP] Vault based key manager https://review.openstack.org/483080 | 22:51 |
*** alee_ has quit IRC | 22:52 | |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/castellan master: [WIP] Vault based key manager https://review.openstack.org/483080 | 22:53 |
openstackgerrit | Davanum Srinivas (dims) proposed openstack/castellan master: [WIP] Vault based key manager https://review.openstack.org/483080 | 22:57 |
dims | kfarr : dave-mccowan : yep i have a token in the config file for now. | 23:01 |
dims | kfarr dave-mccowan : i think i now have test_vault_key_manager.py mirror exactly how test_barbican_key_manager.py is setup | 23:03 |
*** catintheroof has quit IRC | 23:03 | |
dims | kfarr : dave-mccowan : "tox -e functional-vault VaultKeyManagerOSLOContextTestCase" runs 33 tests | 23:03 |
*** randomhack has quit IRC | 23:04 | |
*** alee_ has joined #openstack-barbican | 23:06 | |
*** randomhack has joined #openstack-barbican | 23:20 | |
*** randomhack has quit IRC | 23:27 | |
dave-mccowan | dims cool. good stuff. this would be ok for a single-tenant private cloud, but without a keystone auth plugin, each user would have access to all secrets. that's why we never got around to finishing the kmip plugin. | 23:30 |
dims | ack dave-mccowan | 23:33 |
*** randomhack has joined #openstack-barbican | 23:34 | |
*** randomhack has quit IRC | 23:44 | |
*** randomhack has joined #openstack-barbican | 23:45 | |
*** randomhack has quit IRC | 23:50 |