Tuesday, 2018-06-19

*** tidwellr has joined #openstack-barbican00:12
*** tidwellr has quit IRC00:17
*** asbishop has joined #openstack-barbican00:26
*** asbishop has quit IRC02:30
*** jaosorior has joined #openstack-barbican04:32
*** sapcc-bot has quit IRC04:40
*** sapcc-bot has joined #openstack-barbican04:40
*** strigazi has quit IRC04:46
*** strigazi has joined #openstack-barbican04:48
*** strigazi has quit IRC04:55
*** strigazi has joined #openstack-barbican04:57
openstackgerritZhangruochen proposed openstack/barbican master: Update docs to use barbican-manage instead of deprecated barbican-db-manage  https://review.openstack.org/57635505:19
*** Luzi has joined #openstack-barbican06:07
*** serlex has joined #openstack-barbican06:48
*** jmlowe has quit IRC07:07
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: Creating some useful functions for OVO  https://review.openstack.org/57639207:15
*** namnh has joined #openstack-barbican07:28
*** pcaruana has joined #openstack-barbican07:50
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: Implement OVO for Barbican [3]  https://review.openstack.org/49941908:06
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: Implement OVO for Barbican [4]  https://review.openstack.org/52897208:06
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: Implement OVO for Barbican [5]  https://review.openstack.org/50024408:06
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace ACL resource to use OVO  https://review.openstack.org/56385708:06
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace Transport-key using OVO  https://review.openstack.org/56385808:06
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace secretstore and secretmeta using OVO  https://review.openstack.org/56402508:06
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: [WIP] Replace container resource using OVO  https://review.openstack.org/56467208:06
openstackgerritNam Nguyen Hoai proposed openstack/barbican master: Unit-tests for OVO[1]  https://review.openstack.org/57640908:06
*** jaosorior has quit IRC08:49
*** tidwellr has joined #openstack-barbican08:57
*** tidwellr has quit IRC09:01
*** pbourke has quit IRC09:10
*** pbourke has joined #openstack-barbican09:12
*** jaosorior has joined #openstack-barbican09:15
*** salmankhan has joined #openstack-barbican09:32
*** namnh has quit IRC10:14
*** annp has quit IRC10:36
*** salmankhan has quit IRC10:59
*** salmankhan has joined #openstack-barbican10:59
*** asbishop has joined #openstack-barbican11:02
*** salmankhan has quit IRC11:06
*** salmankhan has joined #openstack-barbican11:08
*** namnh has joined #openstack-barbican11:58
redrobot#startmeeting barbican12:01
openstackMeeting started Tue Jun 19 12:01:22 2018 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.12:01
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.12:01
*** openstack changes topic to " (Meeting topic: barbican)"12:01
openstackThe meeting name has been set to 'barbican'12:01
redrobot#topic Roll Call12:01
*** openstack changes topic to "Roll Call (Meeting topic: barbican)"12:01
redroboto/12:01
Luzio/12:01
redrobothi Luzi!12:02
Luzihi redrobot12:02
redrobotLet's wait a couple of minutes to see if anyone shows up12:02
redrobotI'm filling in for alee, as he is on vacation for a couple of weeks.12:02
Luziokay, I am relativly new in here :)12:03
redrobotHere is the agenda link:12:04
redrobot#link https://wiki.openstack.org/wiki/Meetings/Barbican12:04
redrobotaaaand it looks like it hasn't been updated in ages.12:04
redrobotso we're just going to wing it.12:04
redrobotOk, I don't think anyone else is coming...12:05
redrobot#topic New Meeting Time12:05
*** openstack changes topic to "New Meeting Time (Meeting topic: barbican)"12:05
LuziI like this new meeting time :D12:06
redrobotI do too!12:06
redrobot#link http://lists.openstack.org/pipermail/openstack-dev/2018-June/131509.html12:06
redrobotlink above is for the ML message.  Hopefully everyone saw it.  Just linking it here for folks who read the meeting minutes after the fact12:07
Luzimaybe it should be updated here: http://eavesdrop.openstack.org/#Barbican_Meeting12:07
Luzii also did read the ML12:08
redrobotHmm..12:09
redrobotAde did send an update for that12:09
redrobot#link https://review.openstack.org/#/c/576177/12:09
redrobotit looks like it's merged, but for some reason the website didn't update12:09
redrobotI can follow up with the infra team to figure out why the website didn't update with that patch.12:09
redrobot#action redrobot to follow up with infra team regarding the meeting time change on the eavesdrop website12:10
redrobotok, moving on12:10
redrobot#topic Castellan as a base service12:10
*** openstack changes topic to "Castellan as a base service (Meeting topic: barbican)"12:10
*** raildo has joined #openstack-barbican12:10
redrobotLooks like the TC has a good proposal for adding a Castellan-compatible key store as a base service12:11
redrobot#link https://review.openstack.org/#/c/572656/12:11
redrobotI expect the current patch to be merged12:11
redrobotalthough I don't remember of the top of my head how long the TC waits to merge these12:11
redrobotLuzi, any questions about the Castellan base services patch?12:14
* redrobot waves at raildo 12:14
Luzino12:14
raildoo/12:14
Luzihi raildo12:14
*** tovin07 has joined #openstack-barbican12:14
raildohey Luzi :) how you doing?12:14
redrobotok, moving on12:15
redrobot#topic Code Reviews12:16
*** openstack changes topic to "Code Reviews (Meeting topic: barbican)"12:16
redrobot#link https://review.openstack.org/#/q/project:openstack/barbican+status:open12:16
*** tovin07 is now known as tovin2312:16
redrobotlooks like the next patch in the OVO series is ready for review12:16
redrobotplease take some time to look over it12:16
redrobot#link https://review.openstack.org/#/q/project:openstack/python-barbicanclient+status:open12:17
redrobotthere's a few barbicanclient patches ready for review as well12:17
* redrobot needs to figure out how to get a dashboard with all projects in a single page on gerrit12:17
redrobotnothing new in castellan to review, so I won't link that12:17
redrobot#topic Bug Triage12:18
*** openstack changes topic to "Bug Triage (Meeting topic: barbican)"12:18
redrobotjust a reminder that every project except for Castellan is being tracked on Storyboard12:19
redrobot#link https://storyboard.openstack.org/#!/project_group/8112:19
redrobot#link https://bugs.launchpad.net/castellan12:20
redrobotI did add a new bug for Castellan12:20
redrobotafter talking to raildo and reading the proposed Castellan-keystore base service spec, I'm starting to think that we should probably do away with the credentials factory in Castellan12:21
redrobotand instead update the Barbican backend to get its credentials directly from the conf like the Vault backend does now.12:21
redrobotany thoughts on that?12:22
* redrobot hears crickets12:23
*** jmlowe has joined #openstack-barbican12:23
raildowell, imo the credentials factory make sense if it useful for the backends12:23
raildoif we currently have 2 backend options, barbican/vault, and it's only useful for barbican, well, that would be a sign that we need to fix/improve that12:24
redrobotthe problem I see with it is that people are likely to continue to pass end-user oslo-contexts into the backends.  With the Barbican backend that has the side effect of making the user the owner of the secret, which is explicitly a bad thing if you read the Castellan-base-service proposal.12:24
redrobot>>> Note that in the context of the base services set Castellan is intended only to provide an interface for services to interact with a key store, and it should not be treated as a means to proxy API calls from users to that key store.12:26
*** chandankumar has left #openstack-barbican12:26
redrobotWe don't have to make a decision right now, but it's something to think about...12:26
raildoI don't have a final position at this point yet :P12:26
redrobothaha12:26
redrobotgood12:26
redrobotok, moving on12:27
redrobot#topic Open Discussion12:27
*** openstack changes topic to "Open Discussion (Meeting topic: barbican)"12:27
redrobotanything else y'all want to talk about?12:27
Luziaes xts 51212:27
raildonothing from my side12:27
redrobotLuzi, what about it?12:27
*** jmlowe has quit IRC12:27
Luzias far as i have read the code - barbican can only generate AES keys with a size of 256, right?12:28
Luziso when using aes xts the key is split, and a key with a size of 256 would only be effectiva as 12812:28
redrobotHmm... I can't remember off the top of my head.  What happens when you set the bit length in an order to 512?12:29
Luzibarbican cannot generate it12:30
Luziit just doesn't work12:30
redrobotlame.  seems like something Bbarbican should do12:30
redrobotespecially since aes keys of arbitrary lengths are easy to generate12:30
Luziexactly, when xts is choosen barbican should be able to generate 512 keys12:30
redrobotLuzi, do you want to file a bug report and work on that?12:31
LuziI would like to try to contribute in that case12:31
Luziyes12:31
redrobotawesome!12:31
redrobot#action Luzi to add a story to Storyboard for adding AES 512 keys to barbican12:31
Luzibut i am quite new, and it would be nice, to know how exactly storyboard works12:31
*** tovin23 has quit IRC12:32
redrobotyou should be able to sign in with your Ubuntu One account12:32
*** jmlowe has joined #openstack-barbican12:33
redrobotafter that navigate to the Barbican project and add a new story12:33
Luziredrobot: what times are you here in IRC? so, when i have have questions i would come back here12:33
Luziokay, thank you12:33
redrobot#link https://storyboard.openstack.org/#!/project/98012:33
redrobotLuzi, ☝12:34
redrobotLuzi, I'm typically on ~7am-5pm CST12:34
Luzithank you12:34
redrobotI also have a bouncer set up, so I'm always listening12:35
redrobotany other topics for Open Discussion?12:36
Luzinot from my side12:37
redrobotok, let's call it a day, then.12:38
redrobotwe all get 20 minutes back 😄12:39
redrobot#endmeeting12:39
*** openstack changes topic to "Discussion about development of OpenStack Barbican and its client libraries. - Logs: http://eavesdrop.openstack.org/irclogs/%23openstack-barbican/"12:39
openstackMeeting ended Tue Jun 19 12:39:26 2018 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)12:39
openstackMinutes:        http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-19-12.01.html12:39
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-19-12.01.txt12:39
openstackLog:            http://eavesdrop.openstack.org/meetings/barbican/2018/barbican.2018-06-19-12.01.log.html12:39
zigoHi there!13:10
zigoredrobot: redrobot: Luzi: What's the status of Barbican regarding Py3 ?13:10
zigoI get tempest.scenario.test_encrypted_cinder_volumes.TestEncryptedCinderVolumes.test_encrypted_cinder_volumes_luks to fail in the puppet-openstack CI for Debian.13:10
redrobotzigo, I'm pretty sure we're running a py35 gate for barbican13:11
redrobotzigo, should be working afaik13:11
zigoredrobot: Including functional tests ?13:11
redrobotzigo, great question... not sure about the functional tests13:11
zigoredrobot: Supporting py3 means that it also works in uwsgi / mod_wsgi mode.13:12
zigoOtherwise, no SSL ...13:12
zigoLet me get the logs of the failure.13:12
zigoredrobot: http://logs.openstack.org/16/576416/1/check/puppet-openstack-integration-4-scenario002-tempest-debian-stable/adaf8d4/job-output.txt.gz#_2018-06-19_12_50_21_41294313:13
zigoDoes it tells you anything?13:13
zigoIn cinder-api.log, I'm seeing this: http://paste.openstack.org/show/723824/13:15
zigoIt's similar results for the test_encrypted_cinder_volume_cryptsetup() test.13:15
*** namnh_ has joined #openstack-barbican13:16
*** namnh has quit IRC13:20
zigoredrobot: When I type "openstack secret store --name mysecret --payload j4=]d21" then I get as return:13:44
zigo'title'13:44
zigoSomething is obviously wrong here ... :/13:44
redrobotyikes13:44
* zigo switches to uwsgi to have more verbose logs.13:46
zigoredrobot: With uwsgi, I get:13:48
zigo# openstack secret store --name mysecret --payload j4=]d2113:48
zigoUnexpected exception for https://127.0.0.1:9311/v1/secrets/: ("Connection broken: ConnectionResetError(104, 'Connection reset by peer')", ConnectionResetError(104, 'Connection reset by peer'))13:48
zigoredrobot: Any idea what this could be?13:48
* zigo checks what barbican ships for uwsgi config13:48
redrobotsorry zigo.  I've just recently started working on Barbican again, so I don't have many answers off the top of my head13:48
zigoredrobot: Do you know if, in the gate, barbican-api uses uwsgi + SSL ?13:50
zigoredrobot: I'm sorry if I am annoying, but after uploading all of the OpenStack queens packages to Debian Sid, and fixing all of the issues in puppet-openstack to support Debian, this looks like one of my last problem, so I really want to fix it ! :)13:53
redrobotzigo, haha, no worries.  Looks like our uwsgi config is HTTP not HTTPS https://github.com/openstack/barbican/blob/master/etc/barbican/vassals/barbican-api.ini#L313:54
zigoredrobot: Yeah, which is why I was asking.13:54
zigoIMO, to be in real conditions, it should be switched to SSL.13:54
zigoThat's a common problem I've seen in many places in OpenStack.13:55
*** salmankhan has quit IRC13:57
*** salmankhan has joined #openstack-barbican14:00
redrobotzigo, agreed.14:06
zigoredrobot: In the logs, I'm getting some "2018-06-19 14:17:23.716 11759 WARNING keystonemiddleware.auth_token [-] Authorization failed for token: keystonemiddleware.auth_token._exceptions.InvalidToken: Token authorization failed" so it should be the root cause, probably.14:18
zigoThough I wonder how puppet-openstack could have make a mistake here ...14:18
zigoI'm not so sure where to look at.14:18
*** Luzi has quit IRC14:33
*** antosh has joined #openstack-barbican14:38
zigoredrobot: It looks like what was wrong is what's in /etc/barbican/barbican-api-paste.ini14:44
zigoHow come there's passwords there?14:44
zigoShouldn't it be all in barbican.conf ?14:45
*** biggles has joined #openstack-barbican14:52
*** biggles has quit IRC14:53
*** tidwellr has joined #openstack-barbican14:53
*** tidwellr has quit IRC14:53
*** tidwellr has joined #openstack-barbican14:54
*** FrankZhang has joined #openstack-barbican14:56
namnh_jaosorior: Hello Juan, could you review my patch set (Implement OVO from 3 to 5) https://review.openstack.org/#/c/576392/15:01
redrobotzigo, hmmm... not seeing passwords in the ini in the repo.15:02
zigoredrobot: This is how my barbican-api-paste.ini looks like:15:03
zigohttp://paste.openstack.org/show/723835/15:03
zigoredrobot: Before, it had http instead of https, the wrong tenant name, password and auth_version.15:04
zigoAfter fixing it, it just worked.15:04
zigoredrobot: I wonder how come I had to write it there, instead of barbican.conf ...15:04
zigoShouldn't it be in [keystone_authtoken] instead?15:04
redrobotzigo, in the barbican.ini? Yeah, that should be the right place for it... it's been ages since I've looked at that stuff.  Probably all needs to be updated.15:06
zigoredrobot: barbican.conf you mean?15:12
redrobotzigo, yeah, that15:13
zigoI'm using /etc/barbican/barbican.conf, but YMMV with a different command line, I guess ... :P15:13
zigoOh, is it that I'm not giving barbican.conf as parameter in the command line?15:13
* zigo tries...15:13
*** serlex has quit IRC15:13
zigoIndeed ...15:13
*** tidwellr has quit IRC15:19
*** pcaruana has quit IRC15:29
* zigo just understood the keystone_authtoken mistake and is fixing it.15:30
*** tidwellr has joined #openstack-barbican15:32
*** namnh_ has quit IRC15:33
*** tidwellr has quit IRC15:33
*** tidwellr has joined #openstack-barbican15:33
*** pbourke has quit IRC15:35
*** tidwellr has quit IRC15:38
*** pbourke has joined #openstack-barbican15:38
*** tidwellr has joined #openstack-barbican15:57
*** noslzzp has joined #openstack-barbican16:02
*** tidwellr has quit IRC16:22
*** tidwellr has joined #openstack-barbican16:23
*** tidwellr has quit IRC16:37
*** pcaruana has joined #openstack-barbican17:05
*** salmankhan has quit IRC17:10
*** tidwellr has joined #openstack-barbican19:04
*** tidwellr has quit IRC19:10
*** salmankhan has joined #openstack-barbican19:53
*** hrybacki has joined #openstack-barbican19:53
openstackgerritHarry Rybacki proposed openstack/barbican master: Port RuleDefaults to DocumentedRuleDefaults  https://review.openstack.org/57521820:07
*** tidwellr has joined #openstack-barbican20:19
*** salmankhan has quit IRC20:22
*** tidwellr has quit IRC20:23
*** tidwellr has joined #openstack-barbican20:26
*** pcaruana has quit IRC20:29
*** tidwellr has quit IRC20:31
openstackgerritHarry Rybacki proposed openstack/barbican master: Port RuleDefaults to DocumentedRuleDefaults  https://review.openstack.org/57521820:43
*** FrankZhang has quit IRC21:00
*** raildo has quit IRC21:11
openstackgerritHarry Rybacki proposed openstack/barbican master: Port RuleDefaults to DocumentedRuleDefaults  https://review.openstack.org/57521821:32
*** antosh has quit IRC21:55
*** tidwellr has joined #openstack-barbican22:02
*** tidwellr has quit IRC22:06
*** tidwellr has joined #openstack-barbican22:20
*** tidwellr has quit IRC22:25
*** antosh has joined #openstack-barbican22:37
*** jmlowe_ has joined #openstack-barbican23:15
*** jmlowe has quit IRC23:15
*** antosh has quit IRC23:28

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!