frickler | mnasiadka: mgoddard: bbezak: do you want to do a final zed release before we proceed with unmaintaining it? https://review.opendev.org/c/openstack/releases/+/916501 | 05:29 |
opendevreview | Freerk-Ole Zakfeld proposed openstack/kolla-ansible master: Allow configuration of keepalived managed addresses and interfaces https://review.opendev.org/c/openstack/kolla-ansible/+/916587 | 05:38 |
opendevreview | Freerk-Ole Zakfeld proposed openstack/kolla-ansible master: Allow configuration of keepalived managed addresses and interfaces https://review.opendev.org/c/openstack/kolla-ansible/+/916587 | 05:39 |
opendevreview | Dr. Jens Harbott proposed openstack/kolla-ansible master: WIP: Add option to split glance-api containers https://review.opendev.org/c/openstack/kolla-ansible/+/916708 | 06:20 |
opendevreview | Sven Kieske proposed openstack/kolla-ansible master: Add ovn-exporter https://review.opendev.org/c/openstack/kolla-ansible/+/855498 | 07:51 |
opendevreview | Pierre Riteau proposed openstack/kolla master: Replace meeting time by link to the meetings page https://review.opendev.org/c/openstack/kolla/+/916685 | 07:56 |
SvenKieske | I think we may have - somewhere - a password that is too long in our testing infra, but I can't find it: | 08:07 |
SvenKieske | 2024-04-22 17:49:42.646 21 WARNING keystone.common.password_hashing [None req-7c34e05c-9dbb-435b-8f57-ea690973f8df - - - - - -] Truncating password to algorithm specific maximum length 72 characters. | 08:07 |
SvenKieske | in general we seem to have quite the number of warnings and errors in CI logs which could be fixed most of the time imho, I'll look into it, after cleaning up ovn-exporter (e.g. see this mess: https://zuul.opendev.org/t/openstack/build/4ed9e0a9b39c4780b0f00990c62f2380/log/primary/logs/kolla/all-WARNING.txt ) | 08:09 |
opendevreview | Alex Welsh proposed openstack/kolla-ansible master: Automate prometheus blackbox configuration https://review.opendev.org/c/openstack/kolla-ansible/+/912420 | 08:12 |
mnasiadka | SvenKieske: that's the effect of using dead project (passlib - https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues) ;-) | 09:04 |
SvenKieske | mnasiadka: I happen to know a thing or two about bcrypt: that's not a problem of the implementation - passlib in this case - but a well known restriction in the algorithm, that it only supports 72 characters (I really think it's characters, not bytes, but would have to look that up) | 09:06 |
mnasiadka | SvenKieske: whatever, I just love keystone being dependent on an unmaintained project | 09:07 |
SvenKieske | so the solution is not to use something different but limit your passwords to 72 characters. with the right bcrypt parameters this is no security issue | 09:07 |
mnasiadka | and IIRC passlib does not support newer bcrypt versions | 09:08 |
SvenKieske | mnasiadka: that's still not what the actual problem is here. that's really a different one. | 09:08 |
mnasiadka | well, you think that keystone should limit the length of password for people? | 09:09 |
mnasiadka | https://review.opendev.org/c/openstack/keystone/+/891024 - should we rather move to that? | 09:09 |
SvenKieske | yes, if the underlying alg doesn't support longer passwords, it's a security issue to silently truncate them. | 09:09 |
SvenKieske | but it's also an issue when our test env knowingly uses longer passwords even though we know bcrypt does not handle more than 72 bytes | 09:10 |
SvenKieske | that's just absurd. | 09:10 |
mnasiadka | well, it's not only our test env | 09:10 |
mnasiadka | kolla-genpwd generates such passwords | 09:10 |
mnasiadka | so that's EVERY deployment | 09:10 |
mnasiadka | stop thinking our CI is special - it's designed in a way we do things just as every normal deployment would do | 09:11 |
SvenKieske | well it shouldn't generate passwords longer than 72 bytes if we know the algorithm in our default auth backend doesn't support that? | 09:12 |
SvenKieske | isn't this obvious? | 09:12 |
mnasiadka | it is, but it's not a trivial change, and surely not a backwards compatible change | 09:13 |
mnasiadka | and since it's only a WARNING, there are more important things to tackle in a small development community | 09:14 |
SvenKieske | and every CI is special and differs from real world deployments in meaningful ways, in general, even if not in this specific case. | 09:14 |
mnasiadka | You always need to have the last word, right? | 09:15 |
SvenKieske | it's an actual security bug to generate passwords longer than the supported maximum length, your longer passwords will be silently truncated and you are one change away from being locked out from your account if you use such a scheme | 09:15 |
SvenKieske | no I don't :) | 09:15 |
mnasiadka | So raise a bug, follow up with a fix, and we can review that | 09:15 |
mnasiadka | And stop this meaningless discussion | 09:16 |
SvenKieske | I certainly didn't start it :) | 09:16 |
mnasiadka | You did | 09:16 |
SvenKieske | you argued that the root cause is some deprecated lib which is just plain wrong, whatever. | 09:16 |
mnasiadka | I didn't argue that's the root cause, I just pointed out other problems with keystone's passlib implementation. | 09:17 |
mnasiadka | Try to read carefully and not put your own thinking into other people's keyboards. | 09:17 |
SvenKieske | yeah, so totally unrelated to my question, but thanks for pointing me at kolla-genpwd, maybe I can fix that | 09:17 |
SvenKieske | but first I need to find out the shenanigans with the ovn socket in ovn-exporter | 09:18 |
mnasiadka | ovn-exporter is doing a lot of assumptions for socket locations (and didn't support overriding them in the past) | 09:19 |
SvenKieske | well the location is fine (It's the same we have in all other containers, but I'll double check) and we do mount /run/openvswitch/ shared everywhere | 09:20 |
SvenKieske | problem is my laptop went mad and doesn't boot and my current test env is a raspberry pi..let's see if ovn-exporter starts up there :D | 09:21 |
SvenKieske | and sorry for reading maybe too much into your writing. thanks for the hint at kolla-genpwd, I'll try to keep it in the back of my mind. was merely posting here because I currently can't look into it and password truncations always irk me. | 09:23 |
mnasiadka | SvenKieske: personally I have a hate relationship with keystone ERROR messages - https://84e062ca697ca0249f67-9c10699607fb9a51400f0bde75ab980e.ssl.cf5.rackcdn.com/855498/35/check/kolla-ansible-debian-ovn/4ed9e0a/primary/logs/kolla/all-ERROR.txt | 09:28 |
SvenKieske | yeah I was looking at that | 09:29 |
SvenKieske | I hope that empty hashring is only a symptom of a not in sync neutron cluster(?) and not the root cause there | 09:30 |
SvenKieske | that being said it's possible the exporter starts too early and ovn is not ready to answer queries via the port | 09:30 |
mnasiadka | skip the neutron one - the keystone ones make me sad ;) | 09:35 |
mnasiadka | every time ansible module checks if user exists - keystone gives you a traceback | 09:35 |
mnasiadka | (if the user does not exist) | 09:35 |
SvenKieske | yeah | 09:37 |
SvenKieske | mhm, maybe I found something.. | 09:38 |
SvenKieske | e.g. we specify run_default_volumes_docker but afaik never use that (it's empty, so okay, but weird) | 09:39 |
SvenKieske | ah we actually do as "run_default_volumes_' + kolla_container_engine" | 09:41 |
opendevreview | Alex Welsh proposed openstack/kolla-ansible master: Automate prometheus blackbox configuration https://review.opendev.org/c/openstack/kolla-ansible/+/912420 | 10:40 |
mhiner | Hello, I have the following situation in a migration patch: | 12:10 |
mhiner | nova_conductor tries to contact the openvswitch_db container 30 secs before it gets deployed | 12:10 |
mhiner | this creates an error message in the nova logs and nova_conductor is deemed unhealthy and fails my CI tests | 12:11 |
mhiner | any tips on how to remedy this, please? | 12:11 |
opendevreview | Matúš Jenča proposed openstack/kolla-ansible master: Add backend TLS between MariaDB and ProxySQL https://review.opendev.org/c/openstack/kolla-ansible/+/909912 | 12:42 |
opendevreview | Matúš Jenča proposed openstack/kolla-ansible master: Implement TLS for Redis https://review.opendev.org/c/openstack/kolla-ansible/+/909188 | 15:05 |
opendevreview | Matúš Jenča proposed openstack/kolla-ansible master: Add backend TLS between MariaDB and ProxySQL https://review.opendev.org/c/openstack/kolla-ansible/+/909912 | 15:09 |
opendevreview | Uwe Jäger proposed openstack/kolla-ansible master: Allow overriding of Skyline logos https://review.opendev.org/c/openstack/kolla-ansible/+/909481 | 16:02 |
opendevreview | Merged openstack/kolla-ansible master: Update configuration to enable more services in Skyline Console https://review.opendev.org/c/openstack/kolla-ansible/+/909482 | 18:41 |
opendevreview | Sven Kieske proposed openstack/kolla-ansible master: Add ovn-exporter https://review.opendev.org/c/openstack/kolla-ansible/+/855498 | 18:49 |
*** parallax is now known as Guest2080 | 20:41 |
g3ek | I am trying to install Kolla-Ansible Master into my dev cluster and I am getting an error on cinder-volume `tooz.coordination.ToozConnectionError: invalid username-password pair` and nova-compute `2024-04-23 21:11:30.299 7 ERROR oslo_service.service libvirt.libvirtError: authentication failed: authentication failed` - does anyone have a similar issue? | 21:12 |
g3ek | IDENTIFY | 23:48 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!