*** openstack has joined #openstack-kuryr | 14:36 | |
*** openstack has joined #openstack-kuryr | 15:44 | |
*** lezbar has joined #openstack-kuryr | 15:48 | |
*** salv-orlando has joined #openstack-kuryr | 15:49 | |
*** irenab has joined #openstack-kuryr | 16:12 | |
*** apuimedo has quit IRC | 16:20 | |
*** apuimedo_ has joined #openstack-kuryr | 16:45 | |
apuimedo_ | ajo: ping | 16:45 |
ajo | hi apuimedo_ :) | 16:46 |
apuimedo_ | I have something ugly to show you | 16:46 |
apuimedo_ | :-) | 16:46 |
apuimedo_ | related to running kuryr/neutron agents as regular users but still being able to perform the root operations | 16:47 |
apuimedo_ | ajo: http://paste.openstack.org/show/480398/ | 16:50 |
apuimedo_ | gcc -I/usr/include/python2.7 -lpython2.7 test_python.c -o test_python | 16:50 |
apuimedo_ | and then just | 16:50 |
apuimedo_ | `sudo setcap cap_net_admin=eip test_python` | 16:51 |
apuimedo_ | ;-) | 16:51 |
apuimedo_ | I tried it with something not neutron obviously | 16:51 |
apuimedo_ | http://paste.openstack.org/show/480400/ | 16:52 |
apuimedo_ | ajo: http://paste.openstack.org/show/480401/ | 16:53 |
apuimedo_ | mestery: what do you think of the above? | 16:53 |
apuimedo_ | salv-orlando: ^^ | 16:53 |
apuimedo_ | I'll admit it's a bit hacky to have a small C launcher | 16:54 |
apuimedo_ | but it is much simpler than to have an all privileges daemon server with interop | 16:54 |
ajo | apuimedo_ , it would be for the neutron-*-agent right? | 16:55 |
mestery | apuimedo_: The general direction is the privsep work that gus is doing | 16:55 |
mestery | So my advice is we utilize that :) | 16:55 |
ajo | mestery : that was the idea to avoid privsep at all | 16:55 |
ajo | mestery , since our case is simpler than other services | 16:55 |
apuimedo_ | yes | 16:55 |
ajo | we're comfortable with "network confined" | 16:56 |
mestery | ajo: OK, if that makes sense, then sure :) | 16:56 |
apuimedo_ | neutron agents | 16:56 |
mestery | OK | 16:56 |
mestery | cool | 16:56 |
ajo | mestery , apuimedo_ , but I'd understand we need to test it with the agents, remove sudo, and check that all works, right? | 16:56 |
apuimedo_ | ajo: yes | 16:56 |
apuimedo_ | so if you have time, give it a shot with some agent | 16:56 |
apuimedo_ | I'll try with kuryr | 16:56 |
ajo | apuimedo_ , I'm a bit swamped now, but I will try to find a slot | 16:57 |
ajo | during this week | 16:57 |
apuimedo_ | ajo: no problem. You have the sample now ;- | 16:57 |
apuimedo_ | ajo: no problem. You have the sample now ;-) | 16:57 |
ajo | :D | 16:57 |
apuimedo_ | The other alternative is to have systemd start the agents with root | 16:57 |
ajo | apuimedo_ , if we have a wrapper | 16:58 |
apuimedo_ | and then in python drop the privileges and change user | 16:58 |
apuimedo_ | but I think this is simpler | 16:58 |
ajo | setcap does set the capabilities on the binary/filesystem? | 16:58 |
* apuimedo_ doesn't like when root reaches python | 16:58 | |
ajo | or does start the binary ? | 16:58 |
ajo | (I'm new to this) ;) | 16:58 |
apuimedo_ | setcap sets attributes on the fs | 16:58 |
ajo | ah, cool | 16:58 |
apuimedo_ | there may be some fs that does not support it | 16:58 |
apuimedo_ | for example running on fat32 | 16:58 |
apuimedo_ | :P | 16:58 |
ajo | well | 16:59 |
ajo | I'd say, OS on fat32 is unsupported | 16:59 |
ajo | :) | 16:59 |
* ajo copies & pastes on a notepad | 16:59 | |
apuimedo_ | ;-) | 16:59 |
*** devvesa has quit IRC | 17:04 | |
*** salv-orl_ has joined #openstack-kuryr | 17:08 | |
salv-orl_ | apuimedo_: but by mentioning "systemd" you are making a quasi-religious assertion | 17:10 |
salv-orl_ | ;) | 17:10 |
apuimedo_ | that's why I made a solution that does not need it | 17:11 |
apuimedo_ | salv-orl_: even if I'm on team systemd | 17:11 |
apuimedo_ | Arch linux | 17:11 |
*** salv-orlando has quit IRC | 17:11 | |
salv-orl_ | apuimedo_: anyway, are you considering setcap a viable alternative to rootwrap and the privsep stuff that will come? | 17:13 |
*** apuimedo has joined #openstack-kuryr | 17:13 | |
*** apuimedo_ has quit IRC | 17:14 | |
apuimedo | salv-orl_: I'm wondering about that | 17:14 |
apuimedo | I have to see how much it conflicts with packaging and what's the distro position on that | 17:14 |
apuimedo | I've lived in a Python privsep world | 17:14 |
salv-orl_ | apuimedo: was it a good place to be in? | 17:15 |
apuimedo | oVirt's vdsm works like that (vdsm server and supervdsm, the priv one) | 17:15 |
apuimedo | debugging sucks | 17:15 |
apuimedo | it's not like the current state with eventlet debugging is paradise | 17:16 |
apuimedo | but then, it would be worse, because you have to attach debuggers on both servers sometimes | 17:16 |
salv-orl_ | does debugging suck because there are two different processes, one with standard privileges and one with full privileges? | 17:16 |
apuimedo | otherwise you get timeouts and silliness | 17:16 |
apuimedo | because of the multi process | 17:16 |
salv-orl_ | yup | 17:16 |
salv-orl_ | yup | 17:16 |
apuimedo | sometimes silliness in the serialization | 17:16 |
apuimedo | I didn't follow the OSt privsep much | 17:17 |
apuimedo | which serialization are we gonna use? | 17:17 |
salv-orl_ | Yeah, serialization is the only concern I have honestly | 17:17 |
apuimedo | salv-orl_: lack of serialization for exceptions always pissed me off | 17:17 |
apuimedo | you'd get a serialization exception | 17:17 |
*** gsagie_ has joined #openstack-kuryr | 17:17 | |
salv-orl_ | I think these issues will be addressed, but I have no idea how | 17:18 |
apuimedo | and you would be a while wondering if the exception was serialization, or it was an exception that crashed the serializer | 17:18 |
salv-orl_ | anyway, with setcap we probably might still have similar problems. How do you attach a debugger to the python routine that runs with setcap? | 17:19 |
salv-orl_ | Forgive me for the silly questions. | 17:19 |
salv-orl_ | My debugger is a print | 17:19 |
salv-orl_ | printf | 17:19 |
apuimedo | salv-orl_: the whole agent or the whole kuryr runs with the privileges | 17:19 |
apuimedo | so you just attach normally to the daemon | 17:19 |
apuimedo | putting ipdb.set_trace on the script | 17:20 |
apuimedo | or you can make the launcher have a -d flag | 17:20 |
apuimedo | to start with the debugger | 17:20 |
apuimedo | salv-orl_: unfortunately many times I had to even use gdb for python debugging | 17:20 |
apuimedo | nasty ctypes problems | 17:20 |
apuimedo | when using multiple threads | 17:21 |
apuimedo | it's fun though. The latest gdb python plugin is quite good | 17:22 |
openstackgerrit | Mohammad Banikazemi proposed openstack/kuryr: Adding support for Discovery calls https://review.openstack.org/245978 | 17:26 |
*** gsagie_ has quit IRC | 17:29 | |
*** salv-orl_ has quit IRC | 17:56 | |
*** salv-orlando has joined #openstack-kuryr | 17:57 | |
*** salv-orlando has quit IRC | 18:01 | |
*** itsuugo has quit IRC | 18:40 | |
*** itsuugo has joined #openstack-kuryr | 18:41 | |
*** salv-orlando has joined #openstack-kuryr | 18:57 | |
*** salv-orlando has quit IRC | 19:19 | |
*** salv-orlando has joined #openstack-kuryr | 19:20 | |
*** salv-orlando has quit IRC | 20:35 | |
*** salv-orlando has joined #openstack-kuryr | 20:35 | |
openstackgerrit | Mohammad Banikazemi proposed openstack/kuryr: Completing the basic configuration for Kuryr https://review.openstack.org/251532 | 20:38 |
openstackgerrit | Mohammad Banikazemi proposed openstack/kuryr: Completing the basic configuration for Kuryr https://review.openstack.org/251532 | 21:22 |