*** tidwellr has joined #openstack-barbican | 00:12 | |
*** tidwellr has quit IRC | 00:17 | |
*** asbishop has joined #openstack-barbican | 00:26 | |
*** asbishop has quit IRC | 02:30 | |
*** jaosorior has joined #openstack-barbican | 04:32 | |
*** sapcc-bot has quit IRC | 04:40 | |
*** sapcc-bot has joined #openstack-barbican | 04:40 | |
*** strigazi has quit IRC | 04:46 | |
*** strigazi has joined #openstack-barbican | 04:48 | |
*** strigazi has quit IRC | 04:55 | |
*** strigazi has joined #openstack-barbican | 04:57 | |
openstackgerrit | Zhangruochen proposed openstack/barbican master: Update docs to use barbican-manage instead of deprecated barbican-db-manage https://review.openstack.org/576355 | 05:19 |
*** Luzi has joined #openstack-barbican | 06:07 | |
*** serlex has joined #openstack-barbican | 06:48 | |
*** jmlowe has quit IRC | 07:07 | |
openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: Creating some useful functions for OVO https://review.openstack.org/576392 | 07:15 |
*** namnh has joined #openstack-barbican | 07:28 | |
*** pcaruana has joined #openstack-barbican | 07:50 | |
openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: Implement OVO for Barbican [3] https://review.openstack.org/499419 | 08:06 |
openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: Implement OVO for Barbican [4] https://review.openstack.org/528972 | 08:06 |
openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: Implement OVO for Barbican [5] https://review.openstack.org/500244 | 08:06 |
openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace ACL resource to use OVO https://review.openstack.org/563857 | 08:06 |
openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace Transport-key using OVO https://review.openstack.org/563858 | 08:06 |
openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace secretstore and secretmeta using OVO https://review.openstack.org/564025 | 08:06 |
openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace container resource using OVO https://review.openstack.org/564672 | 08:06 |
openstackgerrit | Nam Nguyen Hoai proposed openstack/barbican master: Unit-tests for OVO[1] https://review.openstack.org/576409 | 08:06 |
*** jaosorior has quit IRC | 08:49 | |
*** tidwellr has joined #openstack-barbican | 08:57 | |
*** tidwellr has quit IRC | 09:01 | |
*** pbourke has quit IRC | 09:10 | |
*** pbourke has joined #openstack-barbican | 09:12 | |
*** jaosorior has joined #openstack-barbican | 09:15 | |
*** salmankhan has joined #openstack-barbican | 09:32 | |
*** namnh has quit IRC | 10:14 | |
*** annp has quit IRC | 10:36 | |
*** salmankhan has quit IRC | 10:59 | |
*** salmankhan has joined #openstack-barbican | 10:59 | |
*** asbishop has joined #openstack-barbican | 11:02 | |
*** salmankhan has quit IRC | 11:06 | |
*** salmankhan has joined #openstack-barbican | 11:08 | |
*** namnh has joined #openstack-barbican | 11:58 | |
redrobot | #startmeeting barbican | 12:01 |
openstack | Meeting started Tue Jun 19 12:01:22 2018 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. | 12:01 |
openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 12:01 |
*** openstack changes topic to " (Meeting topic: barbican)" | 12:01 | |
openstack | The meeting name has been set to 'barbican' | 12:01 |
redrobot | #topic Roll Call | 12:01 |
*** openstack changes topic to "Roll Call (Meeting topic: barbican)" | 12:01 | |
redrobot | o/ | 12:01 |
Luzi | o/ | 12:01 |
redrobot | hi Luzi! | 12:02 |
Luzi | hi redrobot | 12:02 |
redrobot | Let's wait a couple of minutes to see if anyone shows up | 12:02 |
redrobot | I'm filling in for alee, as he is on vacation for a couple of weeks. | 12:02 |
Luzi | okay, I am relatively new in here :) | 12:03 |
redrobot | Here is the agenda link: | 12:04 |
redrobot | #link https://wiki.openstack.org/wiki/Meetings/Barbican | 12:04 |
redrobot | aaaand it looks like it hasn't been updated in ages. | 12:04 |
redrobot | so we're just going to wing it. | 12:04 |
redrobot | Ok, I don't think anyone else is coming... | 12:05 |
redrobot | #topic New Meeting Time | 12:05 |
*** openstack changes topic to "New Meeting Time (Meeting topic: barbican)" | 12:05 | |
Luzi | I like this new meeting time :D | 12:06 |
redrobot | I do too! | 12:06 |
redrobot | #link http://lists.openstack.org/pipermail/openstack-dev/2018-June/131509.html | 12:06 |
redrobot | link above is for the ML message. Hopefully everyone saw it. Just linking it here for folks who read the meeting minutes after the fact | 12:07 |
Luzi | maybe it should be updated here: http://eavesdrop.openstack.org/#Barbican_Meeting | 12:07 |
Luzi | i also did read the ML | 12:08 |
redrobot | Hmm.. | 12:09 |
redrobot | Ade did send an update for that | 12:09 |
redrobot | #link https://review.openstack.org/#/c/576177/ | 12:09 |
redrobot | it looks like it's merged, but for some reason the website didn't update | 12:09 |
redrobot | I can follow up with the infra team to figure out why the website didn't update with that patch. | 12:09 |
redrobot | #action redrobot to follow up with infra team regarding the meeting time change on the eavesdrop website | 12:10 |
redrobot | ok, moving on | 12:10 |
redrobot | #topic Castellan as a base service | 12:10 |
*** openstack changes topic to "Castellan as a base service (Meeting topic: barbican)" | 12:10 | |
*** raildo has joined #openstack-barbican | 12:10 | |
redrobot | Looks like the TC has a good proposal for adding a Castellan-compatible key store as a base service | 12:11 |
redrobot | #link https://review.openstack.org/#/c/572656/ | 12:11 |
redrobot | I expect the current patch to be merged | 12:11 |
redrobot | although I don't remember off the top of my head how long the TC waits to merge these | 12:11 |
redrobot | Luzi, any questions about the Castellan base services patch? | 12:14 |
* redrobot waves at raildo | 12:14 | |
Luzi | no | 12:14 |
raildo | o/ | 12:14 |
Luzi | hi raildo | 12:14 |
*** tovin07 has joined #openstack-barbican | 12:14 | |
raildo | hey Luzi :) how you doing? | 12:14 |
redrobot | ok, moving on | 12:15 |
redrobot | #topic Code Reviews | 12:16 |
*** openstack changes topic to "Code Reviews (Meeting topic: barbican)" | 12:16 | |
redrobot | #link https://review.openstack.org/#/q/project:openstack/barbican+status:open | 12:16 |
*** tovin07 is now known as tovin23 | 12:16 | |
redrobot | looks like the next patch in the OVO series is ready for review | 12:16 |
redrobot | please take some time to look over it | 12:16 |
redrobot | #link https://review.openstack.org/#/q/project:openstack/python-barbicanclient+status:open | 12:17 |
redrobot | there's a few barbicanclient patches ready for review as well | 12:17 |
* redrobot needs to figure out how to get a dashboard with all projects in a single page on gerrit | 12:17 | |
redrobot | nothing new in castellan to review, so I won't link that | 12:17 |
redrobot | #topic Bug Triage | 12:18 |
*** openstack changes topic to "Bug Triage (Meeting topic: barbican)" | 12:18 | |
redrobot | just a reminder that every project except for Castellan is being tracked on Storyboard | 12:19 |
redrobot | #link https://storyboard.openstack.org/#!/project_group/81 | 12:19 |
redrobot | #link https://bugs.launchpad.net/castellan | 12:20 |
redrobot | I did add a new bug for Castellan | 12:20 |
redrobot | after talking to raildo and reading the proposed Castellan-keystore base service spec, I'm starting to think that we should probably do away with the credentials factory in Castellan | 12:21 |
redrobot | and instead update the Barbican backend to get its credentials directly from the conf like the Vault backend does now. | 12:21 |
redrobot | any thoughts on that? | 12:22 |
* redrobot hears crickets | 12:23 | |
*** jmlowe has joined #openstack-barbican | 12:23 | |
raildo | well, imo the credentials factory makes sense if it is useful for the backends | 12:23 |
raildo | if we currently have 2 backend options, barbican/vault, and it's only useful for barbican, well, that would be a sign that we need to fix/improve that | 12:24 |
redrobot | the problem I see with it is that people are likely to continue to pass end-user oslo-contexts into the backends. With the Barbican backend that has the side effect of making the user the owner of the secret, which is explicitly a bad thing if you read the Castellan-base-service proposal. | 12:24 |
redrobot | >>> Note that in the context of the base services set Castellan is intended only to provide an interface for services to interact with a key store, and it should not be treated as a means to proxy API calls from users to that key store. | 12:26 |
*** chandankumar has left #openstack-barbican | 12:26 | |
redrobot | We don't have to make a decision right now, but it's something to think about... | 12:26 |
raildo | I don't have a final position at this point yet :P | 12:26 |
redrobot | haha | 12:26 |
redrobot | good | 12:26 |
redrobot | ok, moving on | 12:27 |
redrobot | #topic Open Discussion | 12:27 |
*** openstack changes topic to "Open Discussion (Meeting topic: barbican)" | 12:27 | |
redrobot | anything else y'all want to talk about? | 12:27 |
Luzi | aes xts 512 | 12:27 |
raildo | nothing from my side | 12:27 |
redrobot | Luzi, what about it? | 12:27 |
*** jmlowe has quit IRC | 12:27 | |
Luzi | as far as i have read the code - barbican can only generate AES keys with a size of 256, right? | 12:28 |
Luzi | so when using aes xts the key is split, and a key with a size of 256 would only be effective as 128 | 12:28 |
redrobot | Hmm... I can't remember off the top of my head. What happens when you set the bit length in an order to 512? | 12:29 |
Luzi | barbican cannot generate it | 12:30 |
Luzi | it just doesn't work | 12:30 |
redrobot | lame. seems like something Barbican should do | 12:30 |
redrobot | especially since aes keys of arbitrary lengths are easy to generate | 12:30 |
Luzi | exactly, when xts is chosen barbican should be able to generate 512 keys | 12:30 |
redrobot | Luzi, do you want to file a bug report and work on that? | 12:31 |
Luzi | I would like to try to contribute in that case | 12:31 |
Luzi | yes | 12:31 |
redrobot | awesome! | 12:31 |
redrobot | #action Luzi to add a story to Storyboard for adding AES 512 keys to barbican | 12:31 |
Luzi | but i am quite new, and it would be nice, to know how exactly storyboard works | 12:31 |
*** tovin23 has quit IRC | 12:32 | |
redrobot | you should be able to sign in with your Ubuntu One account | 12:32 |
*** jmlowe has joined #openstack-barbican | 12:33 | |
redrobot | after that navigate to the Barbican project and add a new story | 12:33 |
Luzi | redrobot: what times are you here in IRC? so, when i have questions i would come back here | 12:33 |
Luzi | okay, thank you | 12:33 |
redrobot | #link https://storyboard.openstack.org/#!/project/980 | 12:33 |
redrobot | Luzi, ☝ | 12:34 |
redrobot | Luzi, I'm typically on ~7am-5pm CST | 12:34 |
Luzi | thank you | 12:34 |
redrobot | I also have a bouncer set up, so I'm always listening | 12:35 |
redrobot | any other topics for Open Discussion? | 12:36 |
Luzi | not from my side | 12:37 |
redrobot | ok, let's call it a day, then. | 12:38 |
redrobot | we all get 20 minutes back 😄 | 12:39 |
redrobot | #endmeeting | 12:39 |
*** openstack changes topic to "Discussion about development of OpenStack Barbican and its client libraries. - Logs: http://eavesdrop.openstack.org/irclogs/%23openstack-barbican/" | 12:39 | |
openstack | Meeting ended Tue Jun 19 12:39:26 2018 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 12:39 |
openstack | Minutes: http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-19-12.01.html | 12:39 |
openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-19-12.01.txt | 12:39 |
openstack | Log: http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-19-12.01.log.html | 12:39 |
zigo | Hi there! | 13:10 |
zigo | redrobot: redrobot: Luzi: What's the status of Barbican regarding Py3 ? | 13:10 |
zigo | I get tempest.scenario.test_encrypted_cinder_volumes.TestEncryptedCinderVolumes.test_encrypted_cinder_volumes_luks to fail in the puppet-openstack CI for Debian. | 13:10 |
redrobot | zigo, I'm pretty sure we're running a py35 gate for barbican | 13:11 |
redrobot | zigo, should be working afaik | 13:11 |
zigo | redrobot: Including functional tests ? | 13:11 |
redrobot | zigo, great question... not sure about the functional tests | 13:11 |
zigo | redrobot: Supporting py3 means that it also works in uwsgi / mod_wsgi mode. | 13:12 |
zigo | Otherwise, no SSL ... | 13:12 |
zigo | Let me get the logs of the failure. | 13:12 |
zigo | redrobot: http://logs.openstack.org/16/576416/1/check/puppet-openstack-integration-4-scenario002-tempest-debian-stable/adaf8d4/job-output.txt.gz#_2018-06-19_12_50_21_412943 | 13:13 |
zigo | Does it tell you anything? | 13:13 |
zigo | In cinder-api.log, I'm seeing this: http://paste.openstack.org/show/723824/ | 13:15 |
zigo | It's similar results for the test_encrypted_cinder_volume_cryptsetup() test. | 13:15 |
*** namnh_ has joined #openstack-barbican | 13:16 | |
*** namnh has quit IRC | 13:20 | |
zigo | redrobot: When I type "openstack secret store --name mysecret --payload j4=]d21" then I get as return: | 13:44 |
zigo | 'title' | 13:44 |
zigo | Something is obviously wrong here ... :/ | 13:44 |
redrobot | yikes | 13:44 |
* zigo switches to uwsgi to have more verbose logs. | 13:46 | |
zigo | redrobot: With uwsgi, I get: | 13:48 |
zigo | # openstack secret store --name mysecret --payload j4=]d21 | 13:48 |
zigo | Unexpected exception for https://127.0.0.1:9311/v1/secrets/: ("Connection broken: ConnectionResetError(104, 'Connection reset by peer')", ConnectionResetError(104, 'Connection reset by peer')) | 13:48 |
zigo | redrobot: Any idea what this could be? | 13:48 |
* zigo checks what barbican ships for uwsgi config | 13:48 | |
redrobot | sorry zigo. I've just recently started working on Barbican again, so I don't have many answers off the top of my head | 13:48 |
zigo | redrobot: Do you know if, in the gate, barbican-api uses uwsgi + SSL ? | 13:50 |
zigo | redrobot: I'm sorry if I am annoying, but after uploading all of the OpenStack queens packages to Debian Sid, and fixing all of the issues in puppet-openstack to support Debian, this looks like one of my last problems, so I really want to fix it ! :) | 13:53 |
redrobot | zigo, haha, no worries. Looks like our uwsgi config is HTTP not HTTPS https://github.com/openstack/barbican/blob/master/etc/barbican/vassals/barbican-api.ini#L3 | 13:54 |
zigo | redrobot: Yeah, which is why I was asking. | 13:54 |
zigo | IMO, to be in real conditions, it should be switched to SSL. | 13:54 |
zigo | That's a common problem I've seen in many places in OpenStack. | 13:55 |
*** salmankhan has quit IRC | 13:57 | |
*** salmankhan has joined #openstack-barbican | 14:00 | |
redrobot | zigo, agreed. | 14:06 |
zigo | redrobot: In the logs, I'm getting some "2018-06-19 14:17:23.716 11759 WARNING keystonemiddleware.auth_token [-] Authorization failed for token: keystonemiddleware.auth_token._exceptions.InvalidToken: Token authorization failed" so it should be the root cause, probably. | 14:18 |
zigo | Though I wonder how puppet-openstack could have made a mistake here ... | 14:18 |
zigo | I'm not so sure where to look at. | 14:18 |
*** Luzi has quit IRC | 14:33 | |
*** antosh has joined #openstack-barbican | 14:38 | |
zigo | redrobot: It looks like what was wrong is what's in /etc/barbican/barbican-api-paste.ini | 14:44 |
zigo | How come there's passwords there? | 14:44 |
zigo | Shouldn't it be all in barbican.conf ? | 14:45 |
*** biggles has joined #openstack-barbican | 14:52 | |
*** biggles has quit IRC | 14:53 | |
*** tidwellr has joined #openstack-barbican | 14:53 | |
*** tidwellr has quit IRC | 14:53 | |
*** tidwellr has joined #openstack-barbican | 14:54 | |
*** FrankZhang has joined #openstack-barbican | 14:56 | |
namnh_ | jaosorior: Hello Juan, could you review my patch set (Implement OVO from 3 to 5) https://review.openstack.org/#/c/576392/ | 15:01 |
redrobot | zigo, hmmm... not seeing passwords in the ini in the repo. | 15:02 |
zigo | redrobot: This is how my barbican-api-paste.ini looks like: | 15:03 |
zigo | http://paste.openstack.org/show/723835/ | 15:03 |
zigo | redrobot: Before, it had http instead of https, the wrong tenant name, password and auth_version. | 15:04 |
zigo | After fixing it, it just worked. | 15:04 |
zigo | redrobot: I wonder how come I had to write it there, instead of barbican.conf ... | 15:04 |
zigo | Shouldn't it be in [keystone_authtoken] instead? | 15:04 |
redrobot | zigo, in the barbican.ini? Yeah, that should be the right place for it... it's been ages since I've looked at that stuff. Probably all needs to be updated. | 15:06 |
zigo | redrobot: barbican.conf you mean? | 15:12 |
redrobot | zigo, yeah, that | 15:13 |
zigo | I'm using /etc/barbican/barbican.conf, but YMMV with a different command line, I guess ... :P | 15:13 |
zigo | Oh, is it that I'm not giving barbican.conf as parameter in the command line? | 15:13 |
* zigo tries... | 15:13 | |
*** serlex has quit IRC | 15:13 | |
zigo | Indeed ... | 15:13 |
*** tidwellr has quit IRC | 15:19 | |
*** pcaruana has quit IRC | 15:29 | |
* zigo just understood the keystone_authtoken mistake and is fixing it. | 15:30 | |
*** tidwellr has joined #openstack-barbican | 15:32 | |
*** namnh_ has quit IRC | 15:33 | |
*** tidwellr has quit IRC | 15:33 | |
*** tidwellr has joined #openstack-barbican | 15:33 | |
*** pbourke has quit IRC | 15:35 | |
*** tidwellr has quit IRC | 15:38 | |
*** pbourke has joined #openstack-barbican | 15:38 | |
*** tidwellr has joined #openstack-barbican | 15:57 | |
*** noslzzp has joined #openstack-barbican | 16:02 | |
*** tidwellr has quit IRC | 16:22 | |
*** tidwellr has joined #openstack-barbican | 16:23 | |
*** tidwellr has quit IRC | 16:37 | |
*** pcaruana has joined #openstack-barbican | 17:05 | |
*** salmankhan has quit IRC | 17:10 | |
*** tidwellr has joined #openstack-barbican | 19:04 | |
*** tidwellr has quit IRC | 19:10 | |
*** salmankhan has joined #openstack-barbican | 19:53 | |
*** hrybacki has joined #openstack-barbican | 19:53 | |
openstackgerrit | Harry Rybacki proposed openstack/barbican master: Port RuleDefaults to DocumentedRuleDefaults https://review.openstack.org/575218 | 20:07 |
*** tidwellr has joined #openstack-barbican | 20:19 | |
*** salmankhan has quit IRC | 20:22 | |
*** tidwellr has quit IRC | 20:23 | |
*** tidwellr has joined #openstack-barbican | 20:26 | |
*** pcaruana has quit IRC | 20:29 | |
*** tidwellr has quit IRC | 20:31 | |
openstackgerrit | Harry Rybacki proposed openstack/barbican master: Port RuleDefaults to DocumentedRuleDefaults https://review.openstack.org/575218 | 20:43 |
*** FrankZhang has quit IRC | 21:00 | |
*** raildo has quit IRC | 21:11 | |
openstackgerrit | Harry Rybacki proposed openstack/barbican master: Port RuleDefaults to DocumentedRuleDefaults https://review.openstack.org/575218 | 21:32 |
*** antosh has quit IRC | 21:55 | |
*** tidwellr has joined #openstack-barbican | 22:02 | |
*** tidwellr has quit IRC | 22:06 | |
*** tidwellr has joined #openstack-barbican | 22:20 | |
*** tidwellr has quit IRC | 22:25 | |
*** antosh has joined #openstack-barbican | 22:37 | |
*** jmlowe_ has joined #openstack-barbican | 23:15 | |
*** jmlowe has quit IRC | 23:15 | |
*** antosh has quit IRC | 23:28 |