*** rlandy is now known as rlandy|PTO | 00:12 | |
*** ysandeep|out is now known as ysandeep | 03:51 | |
*** bhagyashris is now known as bhagyashris|ruck | 05:46 | |
*** ysandeep is now known as ysandeep|afk | 06:01 | |
*** ysandeep|afk is now known as ysandeep | 06:48 | |
*** jpena|off is now known as jpena | 07:35 | |
*** tkajinam is now known as tkajinam|away | 08:33 | |
*** sean-k-mooney1 is now known as sean-k-mooney | 09:10 | |
dpawlik | clarkb: but wait, "input of this form gets treated this way" - that's what I'm doing in logsender - https://review.opendev.org/c/openstack/ci-log-processing/+/838655/2/logscraper/logsender.py#247 | 09:33 |
dpawlik | IIRC you can not send json as a value for some field, but I can be wrong | 09:35 |
dpawlik | so how will I be able to help logstash service? | 09:35 |
dpawlik | clarkb: I can try to use json.dumps for parsing the json content and send it to the opensearch | 09:38 |
dpawlik | clarkb: seems that json is working - https://paste.openstack.org/show/bkbpdW9JB3EGIhim1Awb/ . Old one looks like https://paste.openstack.org/show/bLW7SQbEDXlC6LY0cGvE/ | 10:00 |
*** rlandy|PTO is now known as rlandy | 10:33 | |
*** dviroel_ is now known as dviroel | 11:07 | |
*** dviroel is now known as dviroel|rover | 11:07 | |
*** ysandeep is now known as ysandeep|afk | 12:25 | |
opendevreview | Cedric Jeanneret proposed openstack/project-config master: Use goto, chain policy and drop REJECT https://review.opendev.org/c/openstack/project-config/+/839212 | 13:29 |
Tengu | fungi++ thanks for the correction! | 13:32 |
Tengu | fungi: I've abandoned the global change in favor of the openstack/project-config one. | 13:32 |
fungi | thanks. i've also left you a question on the new change | 13:36 |
*** ysandeep|afk is now known as ysandeep | 13:41 | |
Tengu | answered | 13:42 |
Tengu | unfortunately, the policy is either drop or accept. | 13:42 |
Tengu | nothing fancy. but as said in the answer: we we can't ensure the ordering, we can't really do it differently :/. that REJECT is breaking a needed change in tripleo to prevent accidental lockout. | 13:43 |
Tengu | *if we can't ensure ordering | 13:43 |
Tengu | (sorry, pain killers are a bit hard on me) | 13:43 |
fungi | thanks, losing explicit and clear rejection messages will make it harder to diagnose problems with fallthrough on test nodes since a dropped packet is often (especially for datagrams) indistinguishable from a hung listener, but i guess it's an acceptable trade-off | 13:50 |
Tengu | I can't think of any other way to not rely on policy for now :/. I'll work on the tripleo_firewall thing to actually inject rules in a specific ordering. | 13:51 |
Tengu | but that's not for "now", and we need the other patch I mentioned in order to prevent unwanted lockout under certain conditions. | 13:52 |
Tengu | and the proposed patch is the best one I could come up with the current state of the ansible things we're using.... Once I get it in, it will be safer for me to dev, and I'll work on the actual feature I want: "copying" the puppet-firewall behavior and actually properly manage rules. | 13:53 |
Tengu | getting the dedicated chain will also make it far, far easier. | 13:53 |
Tengu | fungi: added a note about the "what's next". If it can help you changing your mind and vote on the change :) | 13:57 |
fungi | Tengu: i just need to do some deeper digging and figure out why a separate reject chain wouldn't work | 13:57 |
Tengu | fungi: due to ordering. though....... wait a minute | 13:57 |
Tengu | AHA | 13:58 |
Tengu | fungi: I may be able to abandon my patch. | 13:58 |
Tengu | I forgot the default "action" in ansible.builtin.iptables is "append". not "insert" | 13:58 |
fungi | oh, so if you ask ansible to use insert you can add custom allow rules before the fall-through | 13:59 |
Tengu | yes | 13:59 |
Tengu | and since I have a nice RETURN at the end of my custom chain.... we should be safer. | 14:00 |
Tengu | though the POLICY for INPUT will be switched to DROP | 14:00 |
fungi | i need to go run some errands, but am happy to revisit my -1 if your other solution doesn't pan out | 14:00 |
Tengu | but it shouldn't ever match, since the openstack-INPUT has the REJECT | 14:00 |
Tengu | I need some more testing. | 14:01 |
Tengu | but... yeah, that should do it. | 14:01 |
fungi | i'd just rather not lose the additional diagnostic info (which makes it clear to the client that iptables rejected a packet) if we can help it | 14:01 |
Tengu | lemme -w my patch. | 14:01 |
fungi | thanks | 14:01 |
Tengu | np | 14:01 |
Tengu | sorry for being a bit slow - I'm still recovering. | 14:01 |
fungi | no worries, also it's monday, that's enough of an excuse on its own ;) | 14:02 |
Tengu | true :) | 14:02 |
clarkb | Tengu: fungi: couple of quick thoughts without having read all the scrollback (but I have viewed the change). First is that I'm pretty certain the existing ruleset allows you to insert your rules or chains where you want them so I don't understand why you need the modifications at all. That said I'm also not sure the ruleset was ever intended to be super sophisticated. It | 14:30 |
clarkb | ensures that test jobs that don't want to worry about the firewall still block dns reflection attacks and similar. We give you root in the jobs should a complicated setup be required. Your job can (and in this case should if the rule insertion isn't sufficient) provide its own ruleset. I don't think we should modify the defaults | 14:30 |
Tengu | clarkb: yeah - I forgot the ansible "iptables" module uses "append" by default. So I just updated my other patch to insert in the right place, it should be just fine. | 14:31 |
Tengu | we can probably abandon that other patch of mine against openstack/project-config | 14:32 |
Tengu | my brain's still a bit messy | 14:32 |
Tengu | :) but it's apparently improving. | 14:32 |
*** tkajinam|away is now known as tkajinam | 14:42 | |
*** dviroel|rover is now known as dviroel|rover|lunch | 15:30 | |
*** ysandeep is now known as ysandeep|out | 15:38 | |
*** dviroel|rover|lunch is now known as dviroel|rover | 16:17 | |
opendevreview | Clark Boylan proposed openstack/project-config master: Set noop jobs on ELK puppetry to prep for retirement https://review.opendev.org/c/openstack/project-config/+/839235 | 16:40 |
*** jpena is now known as jpena|off | 16:46 | |
pmatulis | anyone know why this isn't getting merged? https://review.opendev.org/c/openstack/charm-guide/+/838932 | 16:55 |
opendevreview | Clark Boylan proposed openstack/project-config master: Finalize ELK puppetry retirement https://review.opendev.org/c/openstack/project-config/+/839243 | 16:57 |
clarkb | pmatulis: its parent is an abandoned change. Abandoned changes cannot merge and git represents the commits in a DAG. Basically that means since the parent cannot merge the child cannot either. You need to rebase it or restore and land the parent | 16:59 |
pmatulis | interesting | 17:07 |
*** rlandy is now known as rlandy|mtg | 18:00 | |
opendevreview | Merged openstack/project-config master: Set noop jobs on ELK puppetry to prep for retirement https://review.opendev.org/c/openstack/project-config/+/839235 | 18:08 |
*** rlandy|mtg is now known as rlandy | 19:03 | |
*** dasm is now known as dasm|off | 22:06 | |
*** rlandy is now known as rlandy|bbl | 22:16 | |
*** dviroel|rover is now known as dviroel|rover|afk | 22:36 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!