Tuesday, 2021-01-12

[00:15] *** tosky has quit IRC
[02:04] *** dwilde has quit IRC
[02:07] *** dwilde has joined #openstack-barbican
[02:07] *** dwilde has quit IRC
[02:08] *** dwilde has joined #openstack-barbican
[02:44] *** dwilde has quit IRC
[03:32] *** d34dh0r53 has quit IRC
[03:33] *** d34dh0r53 has joined #openstack-barbican
[03:35] *** d34dh0r53 has quit IRC
[03:35] *** d34dh0r53 has joined #openstack-barbican
[04:19] *** d34dh0r53 has quit IRC
[04:20] *** d34dh0r53 has joined #openstack-barbican
[04:22] *** d34dh0r53 has quit IRC
[04:22] *** d34dh0r53 has joined #openstack-barbican
[04:59] *** d34dh0r53 has quit IRC
[04:59] *** d34dh0r53 has joined #openstack-barbican
[05:01] *** d34dh0r53 has quit IRC
[05:01] *** d34dh0r53 has joined #openstack-barbican
[05:03] *** d34dh0r53 has quit IRC
[05:03] *** d34dh0r53 has joined #openstack-barbican
[05:03] *** d34dh0r53 has quit IRC
[05:04] *** d34dh0r53 has joined #openstack-barbican
[07:27] *** nikparasyr has joined #openstack-barbican
[07:30] *** dave-mccowan has quit IRC
[08:22] *** tosky has joined #openstack-barbican
[08:53] *** xek has joined #openstack-barbican
[11:47] *** Luzi has joined #openstack-barbican
[11:53] *** jaosorior has quit IRC
[12:14] *** raildo has joined #openstack-barbican
[12:45] *** rajivmucheli has joined #openstack-barbican
[12:58] <rajivmucheli> Hi
[12:59] <redrobot> Hi rajivmucheli!
[13:00] <redrobot> #startmeeting barbican
[13:00] <openstack> Meeting started Tue Jan 12 13:00:55 2021 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
[13:00] <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[13:00] *** openstack changes topic to " (Meeting topic: barbican)"
[13:00] <openstack> The meeting name has been set to 'barbican'
[13:01] <redrobot> #topic Roll Call
[13:01] *** openstack changes topic to "Roll Call (Meeting topic: barbican)"
[13:01] <redrobot> Courtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work xek nearyo
[13:01] <Luzi> o/
[13:01] <redrobot> As usual our agenda can be found here:
[13:01] <redrobot> #link https://etherpad.opendev.org/p/barbican-weekly-meeting
[13:01] <moguimar> o/
[13:03] <rajivmucheli> redrobot i am currently testing barbican upgrade to victoria release, i see the below from the barbican-api pod when i execute barbican-api --version :
[13:03] <rajivmucheli> root@barbican-api-59765f4fcb-z27rq:/# barbican-api --version
[13:03] <rajivmucheli>   from paste import httpserver
[13:03] <rajivmucheli> 2021-01-12 13:03:08,716.716 243 INFO barbican.model.repositories [-] Setting up database engine and session factory
[13:03] <rajivmucheli> 2021-01-12 13:03:08,745.745 243 INFO barbican.model.repositories [-] Not auto-creating barbican registry DB
[13:03] <rajivmucheli> 2021-01-12 13:03:08,746.746 243 INFO barbican.api.app [-] Barbican app created and initialized
[13:03] <rajivmucheli> 2021-01-12 13:03:08,760.760 243 WARNING datadog.dogstatsd [-] Error submitting packet: [Errno 111] Connection refused, dropping the packet and closing the socket: ConnectionRefusedError: [Errno 111] Connection refused
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 CRITICAL barbican [-] Unhandled error: OSError: [Errno 98] Address already in use
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican Traceback (most recent call last):
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican   File "/var/lib/openstack/bin/barbican-api", line 17, in <module>
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican     run()
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican   File "/var/lib/openstack/bin/barbican-api", line 14, in run
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican     httpserver.serve(application, host='0.0.0.0', port='9311')
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican   File "/var/lib/openstack/lib/python3.8/site-packages/paste/httpserver.py", line 1338, in serve
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican     server = WSGIThreadPoolServer(application, server_address, handler,
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican   File "/var/lib/openstack/lib/python3.8/site-packages/paste/httpserver.py", line 1157, in __init__
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican     WSGIServerBase.__init__(self, wsgi_application, server_address,
[13:03] <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican   File "/var/lib/openstack/lib/python3.8/site-packages/paste/httpserver.py", line 1136, in __init__
[13:04] <redrobot> rajivmucheli hey, thanks for joining.  We just started the weekly meeting, so maybe we can talk about it after the meeting is over?
[13:04] <rajivmucheli> this is my 1st IRC meeting, apologise if i missed to update any pre-req, i can do it now, if guided.
[13:04] <rajivmucheli> sure
[13:04] <redrobot> no worries
[13:04] <redrobot> just a suggestion for next time
[13:04] <redrobot> try not to paste logs here as it floods the channel with messages
[13:04] <redrobot> try using http://paste.openstack.org/ instead
[13:05] <redrobot> OK, let's get started with the meeting
[13:05] <redrobot> #topic Action Items From Last Meeting
[13:05] *** openstack changes topic to "Action Items From Last Meeting (Meeting topic: barbican)"
[13:05] <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2021/barbican.2021-01-05-13.02.html
[13:05] <redrobot> Looks like we didn't have any Action Items last week
[13:05] <redrobot> (ps. thanks moguimar for running the meeting last week)
[13:06] <redrobot> Moving on ...
[13:06] <redrobot> #topic Liaison Updates
[13:06] <moguimar> maybe check on the AI from your last meeting
[13:06] *** openstack changes topic to "Liaison Updates (Meeting topic: barbican)"
[13:06] <redrobot> moguimar?  tosky?
[13:06] <moguimar> Oslo is dropping lower constraints
[13:06] <moguimar> and taking cursive under its umbrella
[13:06] <moguimar> open to barbican contributions
[13:07] <redrobot> I had a topic for Cursive in the agenda, but we can talk about it now
[13:07] <redrobot> #topic Cursive
[13:07] *** openstack changes topic to "Cursive (Meeting topic: barbican)"
[13:07] <redrobot> #link https://opendev.org/x/cursive
[13:08] <moguimar> do you want to add anything else to that statement?
[13:08] <redrobot> A little background for folks:  Cursive is a digital signing library
[13:09] <redrobot> it's used by a few projects and the original maintainers have moved on to other things
[13:09] <redrobot> There was an ML discussion to get new maintainers since it's still used by OpenStack
[13:09] <redrobot> Let me fish that ML link
[13:10] <tosky> (sorry, nothing from me, and I haven't even updated the cursive patch)
[13:10] <redrobot> #link http://lists.openstack.org/pipermail/openstack-discuss/2020-December/019430.html
[13:10] <redrobot> TL;DR Oslo owns Cursive now
[13:10] <redrobot> but our team will also have core reviewer votes as we are somewhat SMEs for crypto stuff
[13:10] <tosky> and guess why :)
[13:11] <redrobot> tosky ?
[13:12] <redrobot> why is that? 🤔
[13:13] <tosky> guess why you are considered SMEs for crypto stuff :D
[13:13] <redrobot> 🤔🤔🤔
[13:14] <tosky> maybe the fact that barbican is "crypto stuff" :)
[13:15] <redrobot> lol
[13:15] <tosky> ok, ok, it was a cheap attempt of joking
[13:15] <redrobot> I lol'ed for real though 😝
[13:16] <redrobot> moguimar can we get an updated dashboard link that pulls in Cursive reviews?
[13:16] <moguimar> will do
[13:16] <redrobot> Thanks!
[13:16] <redrobot> #action moguimar to use his gerrit-foo to make us a new dashboard link that includes Cursive reviews
[13:16] <redrobot> OK, moving on
[13:17] <redrobot> #topic Kanban Review
[13:17] *** openstack changes topic to "Kanban Review (Meeting topic: barbican)"
[13:17] <redrobot> #link https://tree.taiga.io/project/dmend-openstack-barbican/kanban
[13:17] <redrobot> No updates from me here
[13:17] <redrobot> Just got back into the office yesterday after a few weeks off, so I'm just starting to get back into the swing of things
[13:20] <redrobot> #topic Cycle checkin
[13:20] *** openstack changes topic to "Cycle checkin (Meeting topic: barbican)"
[13:20] <redrobot> #link https://releases.openstack.org/wallaby/schedule.html
[13:20] <redrobot> Wallaby-2 milestone is coming up next week
[13:20] <redrobot> I will try to get the Microversions patch and Secret Consumers patches up before then
[13:21] <redrobot> 🤞🤞
[13:21] <redrobot> Also, it does not look like we have any specs for review this cycle:
[13:21] <redrobot> #link https://review.opendev.org/q/project:openstack/barbican-specs+status:open
[13:22] <redrobot> So if you're thinking of a spec for Wallaby now is the time to get it up for review.
[13:23] <redrobot> Any questions/comments about Wallaby-2?
[13:25] <redrobot> OK, moving on
[13:25] <redrobot> #topic Bug Review
[13:25] *** openstack changes topic to "Bug Review (Meeting topic: barbican)"
[13:25] <redrobot> #link https://storyboard.openstack.org/#!/project_group/barbican
[13:26] <redrobot> Looks like no new bugs in the Barbican Storyboards
[13:26] <redrobot> #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
[13:26] <redrobot> and also no new bugs in Castellan
[13:26] <redrobot> #topic Wayward Reviews
[13:26] *** openstack changes topic to "Wayward Reviews (Meeting topic: barbican)"
[13:27] <redrobot> #link https://tinyurl.com/y3ydwmkl
[13:28] <moguimar> https://review.opendev.org/c/openstack/barbican/+/768512
[13:30] <redrobot> moguimar I think I will -1 that one
[13:31] <redrobot> the MKEK and HMAC labels don't have defaults in the config
[13:31] <redrobot> #link https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L50-L51
[13:31] <redrobot> and the rest of the instructions in that doc all use the convention of $HSM_NAME_mkek_0 and $HSM_NAME_hmac_0
[13:31] <moguimar> I see
[13:32] <moguimar> I just think the new name is more generic
[13:32] <redrobot> I think the new name looks ugly :-P
[13:32] <moguimar> yeah, but when you see something like that, you know you can name it whatever
[13:32] <moguimar> not a fixed value
[13:32] <redrobot> at least make both barbican_hmac_0 or my_hmac and my_mkek
[13:32] <moguimar> sure
[13:33] <moguimar> my_... works
[13:33] <moguimar> make that suggestion then
[13:34] <redrobot> will do
[13:34] <moguimar> https://review.opendev.org/c/openstack/barbican/+/767275
[13:34] <moguimar> it took me a while on this one to actually look at the classifiers
[13:34] <moguimar> in pypi
[13:35] <redrobot> LGTM
[13:35] <redrobot> https://review.opendev.org/c/openstack/barbican/+/768000
[13:35] <moguimar> and translations
[13:36] <moguimar> https://review.opendev.org/c/openstack/barbican/+/768000
[13:36] <moguimar> yeah, same
[13:36] <moguimar> needs approval
[13:36] <moguimar> https://review.opendev.org/c/openstack/barbican/+/769090
[13:37] <moguimar> ah, I see you have already reviewed those
[13:37] <moguimar> https://review.opendev.org/c/openstack/castellan/+/767726
[13:37] <moguimar> wanna ship this one?
[13:38] <moguimar> we decided on single approval, but you can put your finger on it =P
[13:39] <redrobot> done
[13:40] <redrobot> Easy one https://review.opendev.org/c/openstack/barbican-specs/+/769264
[13:41] <moguimar> I was like "again? didn't I just +w this one?"
[13:41] <redrobot> hehe
[13:42] <moguimar> and it is finally snowing
[13:42] <redrobot> I think that's it for easy reviews
[13:42] <moguimar> yeah
[13:42] <redrobot> Yeah, it's really freakin' cold over here too
[13:42] <moguimar> open discussion? so rajivmucheli can have his questions?
[13:42] <redrobot> woke up to 32 F ( 0 C)
[13:43] <redrobot> #topic Open Discussion
[13:43] *** openstack changes topic to "Open Discussion (Meeting topic: barbican)"
[13:43] <rajivmucheli> if this is better http://paste.openstack.org/show/801555/ ?
[13:46] <redrobot> rajivmucheli yes, much better, thank you
[13:46] <redrobot> > [Errno 98] Address already in use
[13:47] <redrobot> my guess is there may be some other service running on that port?
[13:47] <rajivmucheli> yes, the ps -ef shares the o/p
[13:48] <rajivmucheli> ideally, barbican-api --version should ideally share an o/p, right ? i have the same setup to create openstack containers, i dont get this error for other services.
[13:48] <openstackgerrit> Merged openstack/barbican-specs master: remove unicode from code  https://review.opendev.org/c/openstack/barbican-specs/+/769264
[13:49] <redrobot> not sure what you mean by o/p ?
[13:49] <rajivmucheli> output **
[13:51] <redrobot> well, output should go to stdout, but I think that error means that the process can't bind to the 0.0.0.0:9311 address
[13:51] <redrobot> maybe there is another process using that port?
[13:52] <redrobot> are you running only this barbican container?
[13:53] <rajivmucheli> yes, only barbican-api container is running in the barbican pod
[13:53] <redrobot> Is this an exec command after you started the container?
[13:53] <rajivmucheli> yes, its an exec into the container.
[13:53] <redrobot> OH!
[13:53] <redrobot> yeah, that won't work
[13:53] <redrobot> when you start the container a barbican-api process binds to that port
[13:54] <redrobot> that command is trying to exec a new process, so it won't work
[13:54] <redrobot> what you can do instead is something like "curl http://0.0.0.0:9311" outside the container
[13:54] <redrobot> and if things are working you should get a response
[13:54] <rajivmucheli> okay, i wanted this confirmation! prior to upgrading to victoria release
[13:55] <rajivmucheli> thanks, so barbican is designed to work this way on port 9311 ?
[13:57] <rajivmucheli> is it possible to get a secret by its name ? i see its restricted to URI only https://docs.openstack.org/python-openstackclient/latest/cli/plugin-commands/barbican.html#secret-get.
[13:58] <redrobot> currently we do not support getting secret by name
[13:58] <redrobot> but you can use only the UUID, not the full URI
[13:58] <redrobot> And yes, barbican runs on port 9311 by default
[13:58] <redrobot> but you can configure that any way you want
[13:59] <redrobot> also bin/barbican-api is not necessarily a production-ready script
[13:59] <redrobot> I think Kolla uses uwsgi in front of barbican
[13:59] <redrobot> but you can also use apache+mod_wsgi
[14:00] <redrobot> Aaaand we're out of time for the meeting
[14:00] <redrobot> (but I'll stick around if you still have questions rajivmucheli)
[14:00] <redrobot> Thanks for joining everyone
[14:00] <redrobot> #endmeeting
[14:00] *** openstack changes topic to "OpenStack Barbican Development - Weekly Meeting Agenda: https://etherpad.openstack.org/p/barbican-weekly-meeting"
[14:00] <openstack> Meeting ended Tue Jan 12 14:00:35 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
[14:00] <openstack> Minutes:        http://eavesdrop.openstack.org/meetings/barbican/2021/barbican.2021-01-12-13.00.html
[14:00] <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2021/barbican.2021-01-12-13.00.txt
[14:00] <openstack> Log:            http://eavesdrop.openstack.org/meetings/barbican/2021/barbican.2021-01-12-13.00.log.html
[14:01] <rajivmucheli> oh ok, thanks for all your confirmation. What's the other way to validate barbican is on victoria release ?
[14:02] <rajivmucheli> do we need to upgrade the OpenSSL version prior upgrading to victoria release ? will this be fixed in Wallaby release :
[14:02] <rajivmucheli>   from paste import httpserver
[14:02] <redrobot> if you have the openstack cli you can just "openstack secret list"  if it doesn't give you any errors then things should be fine
[14:02] <redrobot> rajivmucheli are you using your own containers?  Kolla? or?
[14:02] <rajivmucheli> the cli works fine
[14:03] <rajivmucheli> we switched from kolla to loci https://github.com/sapcc/loci/tree/master
[14:06] <redrobot> Interesting, I was not familiar with LOCI
[14:06] <redrobot> I would have to dig into it to be sure
[14:06] <redrobot> but it looks like they are using https://opendev.org/openstack/barbican/src/branch/master/bin/barbican-api#L14
[14:07] <redrobot> but, like I mentioned, that script is not good enough for production
[14:07] <redrobot> httpserver is not a production-ready server
[14:07] <redrobot> you need to run barbican behind either nginx+gunicorn or apache+mod_wsgi or uwsgi, but definitely not that script
[14:08] <redrobot> and when you do that, then nginx or apache or uwsgi needs to have TLS enabled
[14:09] <rajivmucheli> okay, i will work on this! That's it from me, thanks for extending.
[14:11] <redrobot> You're welcome! :)
[14:13] *** rajivmucheli has quit IRC
[14:31] *** Luzi has quit IRC
[14:41] *** jaosorior has joined #openstack-barbican
[15:00] *** dave-mccowan has joined #openstack-barbican
[15:14] <openstackgerrit> Merged openstack/barbican master: Update doc8 version  https://review.opendev.org/c/openstack/barbican/+/767275
[15:14] <openstackgerrit> Merged openstack/barbican master: Imported Translations from Zanata  https://review.opendev.org/c/openstack/barbican/+/768000
[15:15] <openstackgerrit> Merged openstack/barbican master: remove unicode from code  https://review.opendev.org/c/openstack/barbican/+/769090
[15:15] <openstackgerrit> Merged openstack/castellan master: Dropping lower constraints testing  https://review.opendev.org/c/openstack/castellan/+/767726
[15:51] *** d34dh0r53 has quit IRC
[15:53] *** d34dh0r53 has joined #openstack-barbican
[16:04] <openstackgerrit> Douglas Mendizábal proposed openstack/ansible-role-atos-hsm master: Ignore lint error 106  https://review.opendev.org/c/openstack/ansible-role-atos-hsm/+/770440
[16:07] <openstackgerrit> Alex Schultz proposed openstack/ansible-role-atos-hsm master: Fix linter  https://review.opendev.org/c/openstack/ansible-role-atos-hsm/+/770441
[16:16] <openstackgerrit> Alex Schultz proposed openstack/ansible-role-thales-hsm master: Fix linters  https://review.opendev.org/c/openstack/ansible-role-thales-hsm/+/770443
[16:16] <openstackgerrit> Alex Schultz proposed openstack/ansible-role-thales-hsm master: Update README to clarify Thales name  https://review.opendev.org/c/openstack/ansible-role-thales-hsm/+/770168
[16:19] *** d34dh0r53 has quit IRC
[16:19] *** d34dh0r53 has joined #openstack-barbican
[16:28] <openstackgerrit> Douglas Mendizábal proposed openstack/ansible-role-thales-hsm stable/victoria: Update .gitreview for stable/victoria  https://review.opendev.org/c/openstack/ansible-role-thales-hsm/+/767801
[16:31] <openstackgerrit> Douglas Mendizábal proposed openstack/ansible-role-atos-hsm stable/victoria: Update .gitreview for stable/victoria  https://review.opendev.org/c/openstack/ansible-role-atos-hsm/+/767768
[16:32] *** jaosorior has quit IRC
[16:45] *** jaosorior has joined #openstack-barbican
[16:50] <dave-mccowan> ade_lee redrobot: do you guys have any experience using barbican with multiple HSMs for HA/redundancy?
[16:51] *** jaosorior has quit IRC
[16:51] *** jaosorior has joined #openstack-barbican
[16:55] *** openstackgerrit has quit IRC
[16:57] *** jaosorior has quit IRC
[16:57] *** jaosorior has joined #openstack-barbican
[16:59] <redrobot> hi dave-mccowan!
[17:00] <redrobot> Yes, I've run Barbican with HA HSMs before, but the caveat is that HA is usually done by your HSM client (e.g. the pkcs11.so file provided by the vendor)
[17:01] <redrobot> Using Luna SA HSMs, for example, the lunacm tool provided by Thales is used to configure 2 or more HSMs into an HA group, and that results in a new HSM slot.  Barbican is then configured to talk to that HA slot.
[17:02] <redrobot> So from the Barbican point of view, it's just talking to a single slot.  The HA magic happens in the pkcs11 client provided by Thales
[17:03] <dave-mccowan> talking with ATOS, they say we need a multi-threaded process to do it, but barbican uses a single thread for the HSM backend.
[17:05] <redrobot> dave-mccowan we've implemented ATOS HA support in TripleO
[17:05] <redrobot> trying to remember how we did it
[17:05] <redrobot> Luna is freshes in my mind because we implemented it recently
[17:05] <redrobot> *freshest
[17:08] <redrobot> dave-mccowan https://opendev.org/openstack/ansible-role-atos-hsm/commit/5069751256fb218d56ce1f30552de678bd56b48a
[17:10] *** d34dh0r53 has quit IRC
[17:11] <redrobot> dave-mccowan We were using ATOS Trustway Proteccio HSMs.  IIRC the magic is in cloning/duplicating the SHAMIR/CIK cards, and booting 2 (or more) HSMs with the duplicate cards.
[17:11] <redrobot> then the proteccio.rc file just needs to have all HSMs listed and Mode=2 set
[17:20] <dave-mccowan> redrobot thanks for the help!  I'll check on those things.
[17:27] *** d34dh0r53 has joined #openstack-barbican
[18:13] *** nikparasyr has left #openstack-barbican
[18:13] *** d34dh0r53 has quit IRC
[18:31] *** d34dh0r53 has joined #openstack-barbican
[19:58] *** openstackgerrit has joined #openstack-barbican
[19:58] <openstackgerrit> Douglas Mendizábal proposed openstack/barbican master: [doc] Fix hmac/mkek generation commands  https://review.opendev.org/c/openstack/barbican/+/768512
[22:05] *** raildo has quit IRC
