Tuesday, 2019-02-12

00:03 *** jmlowe has quit IRC
00:26 <eandersson> strigazi, flwang will have limited time this week for reviewing, but feel free to hit me up for anything with higher priority
00:37 *** chhagarw has joined #openstack-containers
00:51 *** chhagarw has quit IRC
00:59 *** mnasiadka has joined #openstack-containers
00:59 *** cosss_ has joined #openstack-containers
01:02 *** sdake has joined #openstack-containers
01:37 *** _fragatina has quit IRC
01:37 *** sdake has quit IRC
01:41 *** sdake has joined #openstack-containers
01:43 *** sdake has quit IRC
01:51 *** sdake has joined #openstack-containers
01:51 *** sdake has quit IRC
02:29 *** hongbin has joined #openstack-containers
02:47 *** sapd1 has joined #openstack-containers
03:11 *** FracKen has quit IRC
03:13 *** FracKen has joined #openstack-containers
03:19 *** ricolin has joined #openstack-containers
03:26 *** ykarel has joined #openstack-containers
03:26 <jakeyip> anyone had an opportunity to look into CVE-2019-5736 yet?
03:28 <flwang> i tried to test how to upgrade docker, but i failed
03:29 <flwang> that said, i'm aware of this but i haven't figured out a way to fix it
03:29 <flwang> not sure if there will be a new fedora image with latest docker version
03:40 <jakeyip> thanks flwang!
03:40 *** sdake has joined #openstack-containers
03:43 *** jmlowe has joined #openstack-containers
03:43 <jakeyip> looks like RH packages have dropped https://bugzilla.redhat.com/show_bug.cgi?id=1664908 there's a link on that page to fedora-all https://bugzilla.redhat.com/show_bug.cgi?id=1674489
03:43 <openstack> bugzilla.redhat.com bug 1664908 in vulnerability "CVE-2019-5736 runc: Execution of malicious containers allows for container escape and access to host filesystem" [High,New] - Assigned to security-response-team
03:43 <openstack> bugzilla.redhat.com bug 1674489 in runc "CVE-2019-5736 container-tools:2017.0/runc: Execution of malicious containers allows for container escape and access to host filesystem [fedora-all]" [High,New] - Assigned to jchaloup
03:58 *** dave-mccowan has quit IRC
03:59 *** sapd1 has quit IRC
03:59 *** sapd1 has joined #openstack-containers
03:59 *** sdake has quit IRC
04:00 *** flwang1 has quit IRC
04:02 *** udesale has joined #openstack-containers
04:06 *** ramishra has joined #openstack-containers
04:30 *** janki has joined #openstack-containers
04:47 *** ykarel has quit IRC
04:50 *** jmlowe has quit IRC
05:05 *** ykarel has joined #openstack-containers
05:30 *** hongbin has quit IRC
05:31 *** ArchiFleKs has quit IRC
05:37 *** ArchiFleKs has joined #openstack-containers
05:37 *** udesale has quit IRC
07:09 *** udesale has joined #openstack-containers
07:33 *** ykarel is now known as ykarel|lunch
07:37 *** ramishra_ has joined #openstack-containers
07:38 *** ramishra has quit IRC
07:41 *** ykarel|lunch has quit IRC
07:43 *** ykarel has joined #openstack-containers
07:56 *** ramishra_ is now known as ramishra
08:35 *** jaewook_oh has joined #openstack-containers
08:58 *** ricolin has quit IRC
09:06 *** ricolin has joined #openstack-containers
09:12 *** ricolin has quit IRC
09:20 *** ykarel has quit IRC
09:22 *** ramishra has quit IRC
09:24 *** ricolin has joined #openstack-containers
09:27 *** ykarel has joined #openstack-containers
09:29 *** ramishra has joined #openstack-containers
10:12 *** belmoreira has joined #openstack-containers
10:37 *** flwang1 has joined #openstack-containers
10:37 <flwang1> strigazi: around?
10:38 <openstackgerrit> Ricardo Rocha proposed openstack/magnum master: Add hidden flag to cluster template  https://review.openstack.org/634948
10:39 <flwang1> mordred: could you please issue 'shipit' again for https://github.com/ansible/ansible/pull/44686 ? thanks
10:39 <flwang1> mordred: seems it needs another approval
10:39 <flwang1> strigazi: any thought for CVE-2019-5736 ?
10:45 *** sapd1 has quit IRC
10:49 *** udesale has quit IRC
11:15 *** lpetrut has joined #openstack-containers
11:56 *** _fragatina has joined #openstack-containers
11:59 *** _fragatina has quit IRC
12:00 *** _fragatina has joined #openstack-containers
12:15 *** ricolin_ has joined #openstack-containers
12:17 *** ricolin has quit IRC
12:38 *** lpetrut has quit IRC
12:39 *** lpetrut has joined #openstack-containers
12:44 *** janki has quit IRC
12:44 *** janki has joined #openstack-containers
12:44 *** sapd1 has joined #openstack-containers
12:48 *** ykarel is now known as ykarel|away
12:54 *** ykarel|away has quit IRC
12:55 *** mkuf_ has joined #openstack-containers
12:56 *** _fragatina has quit IRC
12:56 *** jaewook_oh has quit IRC
12:58 *** mkuf has quit IRC
13:10 *** udesale has joined #openstack-containers
13:31 *** sdake has joined #openstack-containers
13:37 *** mkuf_ has quit IRC
13:37 *** openstackgerrit has quit IRC
13:43 *** ykarel|away has joined #openstack-containers
13:51 *** ykarel|away is now known as ykarel
14:01 *** mkuf_ has joined #openstack-containers
14:03 *** sdake has quit IRC
14:08 *** zul has joined #openstack-containers
14:15 *** sapd1 has quit IRC
14:17 <brtknr> I've noticed something rather peculiar: when there are multiple interfaces on a host running kubelet, the pods that are deployed have service endpoints that get assigned an IP address on an arbitrary choice of interface, rather than a predictable interface. This leads to dialing failure. Anyone able to shed light on this?
14:20 *** sdake has joined #openstack-containers
14:21 *** sdake has quit IRC
14:34 *** ArchiFleKs has quit IRC
14:35 *** sdake has joined #openstack-containers
14:37 *** sdake has quit IRC
14:37 *** sdake_ has joined #openstack-containers
14:47 *** janki has quit IRC
14:49 *** hongbin has joined #openstack-containers
14:49 *** ArchiFleKs has joined #openstack-containers
14:49 *** mrodriguez has joined #openstack-containers
14:52 *** udesale has quit IRC
15:02 *** udesale has joined #openstack-containers
15:02 *** sapd1 has joined #openstack-containers
15:07 *** ianychoi has quit IRC
15:07 *** ianychoi has joined #openstack-containers
15:09 *** hongbin has quit IRC
15:12 *** hongbin has joined #openstack-containers
15:32 *** sapd1 has quit IRC
15:43 *** ykarel is now known as ykarel|away
16:03 *** lpetrut has quit IRC
16:37 *** udesale has quit IRC
16:43 *** jmlowe has joined #openstack-containers
16:49 *** ykarel|away has quit IRC
16:57 *** ramishra has quit IRC
16:59 *** hongbin has quit IRC
17:01 *** sdake_ has quit IRC
17:02 *** sdake has joined #openstack-containers
17:04 *** sapd1 has joined #openstack-containers
17:14 *** sapd1 has quit IRC
17:21 *** jmlowe has quit IRC
17:21 *** ricolin_ has quit IRC
17:24 <flwang1> brtknr: what's your service type? nodeport or lb?
17:34 *** jaewookoh has quit IRC
17:40 *** spsurya has quit IRC
17:43 *** flwang1 has quit IRC
17:44 *** sdake has quit IRC
17:46 *** sdake has joined #openstack-containers
18:44 *** sdake has quit IRC
18:51 *** sdake has joined #openstack-containers
18:55 *** _fragatina has joined #openstack-containers
19:04 *** adrianreza has quit IRC
19:04 *** flwang has quit IRC
19:04 *** yankcrime has quit IRC
19:04 *** belmoreira has quit IRC
19:04 *** zul has quit IRC
19:14 *** yankcrime has joined #openstack-containers
19:18 *** flwang has joined #openstack-containers
19:18 <flwang> strigazi: do we have meeting today?
19:42 *** sdake has quit IRC
19:59 *** zul has joined #openstack-containers
20:36 <strigazi> flwang: yes, we have a meeting
20:37 <strigazi> @all, flwang: It seems that in fedora atomic hosts we are not affected by CVE-2019-5736
20:37 <strigazi> since all runc binaries in atomic have the immutable bit
20:37 <strigazi> i.e. chattr +i
20:37 <strigazi> To be checked with the fedora community
20:41 <flwang> strigazi: is there a confirmation from fedora community?
20:41 <flwang> I have a team meeting in 20 mins, probably can't join the weekly meeting
20:42 <flwang> strigazi: i have approved your heat-container-agent patch, hope it can speed up your rolling upgrade work
20:42 <flwang> flwang: i'm doing more test work for auth healing. now i would like to see you guys start to contribute those AC code back
20:44 <flwang> strigazi: could you pls revisit https://review.openstack.org/#/c/572897/ ? if we still need it, i think better to get it in soon so that we can test it fully, thanks
20:47 *** dioguerra has quit IRC
20:48 <strigazi> AC?
20:49 <strigazi> flwang: tmr we will make a PR to kubernetes/autoscaler. this branch is fully functional: https://github.com/cernops/autoscaler/tree/magnum-autoscaler-release-1.0
20:51 <strigazi> I'll review with Ricardo https://review.openstack.org/#/c/572897/ and get back to you.
20:51 <strigazi> flwang: Can you also take a look at the tiller patch
20:55 *** jmlowe has joined #openstack-containers
20:55 <flwang> strigazi: i have reviewed your tiller patch
20:56 <flwang> AC = autoscaler
20:56 <strigazi> flwang: in the repo they mention it as CA, hence the confusion :)
20:56 <flwang> sorry, CA
20:56 <flwang> my typo
20:57 <strigazi> eandersson: around?
20:57 <flwang> now it's generally working in my test, need some fixes anyway
20:57 <flwang> i have replied my comments on the PR on cernops repo
20:58 <flwang> is your rolling upgrade patch on track?
20:58 <strigazi> flwang: looks like fedora's crazy immutable fs saved us from the CVE. I'll try to find a full explanation and send a mail to the ML
20:59 <strigazi> flwang: yeap, it is on track
20:59 <flwang> strigazi: cool, thanks
20:59 <strigazi> flwang: for the CA, I didn't get it, is it ok?
20:59 <flwang> it's generally OK, i need some final testing today
20:59 <flwang> but we can fix small bugs later, that's fine
20:59 <eandersson> o/
21:00 <flwang> i have to go offline for a meeting, sorry
21:00 <colin-> o/
21:00 <schaney> o/
21:00 <flwang> eandersson: i will give the CA another test today and leave comments on, thanks
21:00 <strigazi> eandersson: I'll start the meeting to have things logged
21:00 <strigazi> #startmeeting containers
21:00 <openstack> Meeting started Tue Feb 12 21:00:47 2019 UTC and is due to finish in 60 minutes.  The chair is strigazi. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:00 *** openstack changes topic to " (Meeting topic: containers)"
21:00 <openstack> The meeting name has been set to 'containers'
21:00 <strigazi> #topic Roll Call
21:01 *** openstack changes topic to "Roll Call (Meeting topic: containers)"
21:01 <eandersson> o/
21:01 <schaney> o/
21:01 <strigazi> o/
21:01 *** imdigitaljim has joined #openstack-containers
21:01 <jakeyip> o/
21:01 <colin-> \o
21:01 <imdigitaljim> o/
21:02 <strigazi> #topic stories/tasks
21:02 *** openstack changes topic to "stories/tasks (Meeting topic: containers)"
21:02 <strigazi> 1. Regarding CVE-2019-5736 in fedora atomic host, looks like we are covered
21:03 <colin-> nice
21:03 <strigazi> the fs of fedora atomic is immutable so an exploit can not overwrite the runc binary
21:03 <strigazi> also selinux protects users against an exploit of it.
21:04 <colin-> oh, i thought you meant you had patched for it
21:04 <colin-> i'm not as sure about those things
21:04 <strigazi> unfortunately we have it disabled on k8s. I'm testing if we can enable it
21:04 <strigazi> I'm checking with the fedora community
21:05 <strigazi> I'll let you know
21:06 <strigazi> 2. For the cluster autoscaler, we have a branch public which is fully functional and we'll push it to kubernetes/autoscaler. https://github.com/cernops/autoscaler/tree/magnum-autoscaler-release-1.0
21:06 *** flwang has quit IRC
21:06 <colin-> cool. there's some sample exploit code attached to this report if anyone needs to test https://www.openwall.com/lists/oss-security/2019/02/11/2
21:06 <colin-> (very generic)
21:06 *** imdigitaljim has quit IRC
21:06 <strigazi> colin-: I'll try to repro
21:07 <strigazi> 1 and 2 were a bit generic. next:
21:07 <strigazi> eandersson: and others can you have a quick look into these two so we can take them:
21:08 <strigazi> k8s_fedora: Deploy tiller https://review.openstack.org/#/c/612336/
21:08 <strigazi> [k8s_fedora] Add heat-agent to worker nodes https://review.openstack.org/#/c/561858/ oh, flwang approved it
21:09 <strigazi> That's it from me. Does anyone else want to bring something up?
21:10 <schaney> mind if I add some comments and questions to the CA PR?
21:11 <strigazi> schaney: go for it
21:11 <strigazi> schaney: I was thinking we can open the PR to k/a first, but we can bring the discussion there when it is open
21:11 <schaney> that works as well
21:12 <strigazi> but it is public for that reason, so as you want :)
21:12 <strigazi> better comment now so you don't forget :)
21:12 <colin-> strigazi: did you ever try using the ipvs transport layer on your clusters?
21:13 <colin-> as opposed to iptables or similar
21:13 <strigazi> nope
21:13 <colin-> ok
21:13 <schaney> is this PR up to date? https://github.com/cernops/autoscaler/pull/3  not sure the differences between that and the release branch
21:14 <strigazi> the release branch is up to date
21:14 *** imdigitaljim has joined #openstack-containers
21:14 <strigazi> not sure where Thomas left the pr. lemme check
21:15 <strigazi> schaney: sorry I can not tell with certainty
21:17 <schaney> ok, I'll use the existing PR but make sure the code is consistent with the branch, unless that PR is known to be out of date?
21:17 <imdigitaljim> one random question with your autoscaler, have you tried on templates >= queens?
21:17 <imdigitaljim> since resources have had some changes since juno
21:18 <imdigitaljim> https://github.com/openstack/magnum/blob/master/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml#L1
21:18 <strigazi> schaney: maybe this helps https://github.com/cernops/autoscaler/compare/magnum-autoscaler-release-1.0...tghartland:openstack-provider
21:19 <imdigitaljim> well
21:19 <strigazi> imdigitaljim: no
21:19 <imdigitaljim> if you didn't have the PR with vendor folder
21:19 <imdigitaljim> it would be reviewable /shrug
21:19 <imdigitaljim> 1307 files is a lot to browse through
21:20 <schaney> looks like a lot of extra gophercloud stuff yeah
21:20 <strigazi> imdigitaljim: it is reviewable, you can ignore the vendor files
21:21 <strigazi> the gophercloud changes are very clear here: https://github.com/cernops/autoscaler/commits/magnum-autoscaler-release-1.0
21:22 <imdigitaljim> well we can't really comment on this PR effectively https://github.com/cernops/autoscaler/pull/3/files
21:22 <imdigitaljim> is all i mean
21:22 <imdigitaljim> in fact it hardly loads
21:22 <imdigitaljim> :P
21:25 <strigazi> I'll ping you tmr then, when the PR will be up
21:25 <strigazi> github nicks?
21:25 <strigazi> same as here?
21:25 <imdigitaljim> jim-bach
21:26 <imdigitaljim> or jabach@blizzard.com
21:26 <imdigitaljim> i can forward to others
21:26 <schaney> scott-chaney or schaney@blizzard.com
21:26 *** sdake has joined #openstack-containers
21:26 <strigazi> excellent
21:26 <schaney> thanks!
21:28 <strigazi> anything else for the meeting?
21:29 <colin-> itsc0lin on git
21:29 <colin-> nope
21:29 <strigazi> thanks colin-
21:29 <jakeyip> nope
21:30 <imdigitaljim> thanks spyros!
21:30 <strigazi> thanks everyone. see you next week o/
21:30 <imdigitaljim> \o
21:30 <strigazi> #endmeeting
21:30 *** openstack changes topic to "OpenStack Containers Team"
21:30 <openstack> Meeting ended Tue Feb 12 21:30:37 2019 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
21:30 <openstack> Minutes:        http://eavesdrop.openstack.org/meetings/containers/2019/containers.2019-02-12-21.00.html
21:30 <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/containers/2019/containers.2019-02-12-21.00.txt
21:30 <openstack> Log:            http://eavesdrop.openstack.org/meetings/containers/2019/containers.2019-02-12-21.00.log.html
21:40 *** ArchiFleKs has quit IRC
21:50 *** sdake has quit IRC
21:52 *** ArchiFleKs has joined #openstack-containers
22:04 *** flwang has joined #openstack-containers
23:43 *** sdake has joined #openstack-containers

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!