Tuesday, 2015-12-01

« Monday, 2015-11-30 Index Wednesday, 2015-12-02 »
*** jerrygb_ has joined #openstack-lbaas00:04
*** jerrygb has quit IRC00:05
*** crc32 has quit IRC00:05
*** bana_k has quit IRC00:09
*** manishg has joined #openstack-lbaas00:11
*** Kennan has joined #openstack-lbaas00:16
*** bana_k has joined #openstack-lbaas00:27
*** Kennan has quit IRC00:31
*** Kennan has joined #openstack-lbaas00:32
*** ducttape_ has quit IRC00:34
*** manishg has quit IRC00:40
xgermanrm_work since I can’t trust CI I have to install and execute all the tests manually — do you run our tempest tests against it?00:43
*** ajmiller has quit IRC00:43
xgermando=did?00:43
*** diogogmt has quit IRC00:45
*** manishg has joined #openstack-lbaas00:48
*** Kennan has left #openstack-lbaas00:52
*** openstackgerrit has quit IRC01:22
*** openstackgerrit has joined #openstack-lbaas01:22
*** ducttape_ has joined #openstack-lbaas01:33
*** ktrmzn has quit IRC01:34
*** yamamoto has joined #openstack-lbaas01:51
*** jerrygb_ has quit IRC01:51
*** jerrygb has joined #openstack-lbaas01:52
*** jerrygb has quit IRC01:55
*** prabampm has joined #openstack-lbaas01:58
*** diogogmt has joined #openstack-lbaas02:04
*** prabampm has quit IRC02:20
openstackgerritPaul Michali proposed openstack/neutron-lbaas: Pin pylint and astroid  https://review.openstack.org/25160902:24
*** madhu_ak has quit IRC02:28
*** prabampm has joined #openstack-lbaas02:34
*** prabampm has quit IRC02:47
*** prabampm has joined #openstack-lbaas02:49
*** blogan_ has joined #openstack-lbaas02:54
*** bana_k has quit IRC02:59
*** bana_k has joined #openstack-lbaas03:13
*** yuanying has quit IRC03:23
xgermandougwig so we are getting the boot from Armando?03:42
xgermansince his examples are L2 only...03:43
*** bana_k has quit IRC04:05
*** yuanying has joined #openstack-lbaas04:07
reedipHi All, I am trying to use HaproxyNSDriver for LBaaSV204:20
reedipFor the same I added the following in /etc/neutron/neutron_lbaas.conf04:21
reedipervice_provider=LOADBALANCERV2:Haproxy:neutron.services.loadbalancer.drivers.haproxy.synchronous_namespace_driver.HaproxyNSDriver:default04:21
reedipservice_provider=LOADBALANCERV2:Haproxy:neutron.services.loadbalancer.drivers.haproxy.synchronous_namespace_driver.HaproxyNSDriver:default04:21
reedipon restarting neutron using the neutron_lbaas.conf Configuration, I am getting the following error:04:22
reedipImportError: No module named drivers.haproxy.synchronous_namespace_driver . Although this driver actually exists under the HAProxy drivers directory.04:22
reedipwanted to know if there is something else I need to do, or is there something which I am doing, is wrong?04:23
*** prabampm has quit IRC04:30
*** blogan_ has quit IRC04:31
*** blogan_ has joined #openstack-lbaas04:31
blogan_reedip: any reason why you're wanting to use that driver?04:32
reedipblogan_ : experiment04:33
reedipblogan_ I actually wanted to use an HAProxy driver04:33
reedipblogan_: Using the following driver was not yeilding the results I wanted04:33
reedipLOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default04:33
blogan_reedip: reason i ask is we should probably just remove that driver, it was a stop gap in kilo, and i don't think anyone is using04:34
blogan_reedip: what results are you looking for?04:34
blogan_oh and you're service providers line is using neutron. and not neutron_lbaas.04:34
blogan_which is the problem04:34
reedipblogan_ : In order to verify the fix for a bug, I was looking to use the HAProxy driver, as the changes are mainly related to it04:34
reedipblogan_ : I updated neutron_lbaas04:35
reedipand there is no service_providers line in neutron04:35
reedipblogan_ : I guess you are correct, let me try it the other way ( using the service provider in neutron)04:35
blogan_no i mean04:35
blogan_service_provider=LOADBALANCERV2:Haproxy:neutron.services.loadbalancer.drivers.haproxy.synchronous_namespace_driver.HaproxyNSDriver:default04:36
blogan_should be04:36
blogan_service_provider=LOADBALANCERV2:Haproxy:neutron_lbaas.services.loadbalancer.drivers.haproxy.synchronous_namespace_driver.HaproxyNSDriver:default04:36
reedipOh, neutron_lbaas04:36
reedipGot it04:36
blogan_and be sure that you start neutron-server with --config-file /etc/neutron/neutron_lbaas.conf too (along with the neutron.conf)04:36
reedipBlogan : restarted using the following04:37
reedipIn /etc/neutron/neutron_lbaas :04:37
reedipservice_provider = LOADBALANCERV2:Haproxy:neutron_lbaas.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default04:37
reediprestarted with this :04:38
reedip/usr/local/bin/neutron-server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /etc/neutron/neutron_lbaas.conf04:38
reedipOn creating a LoadBalancer, it is currently showing the provider as Octavia04:38
reedipIs that correct?04:38
*** ianbrown has joined #openstack-lbaas04:41
rm_workxgerman: hmm i had not, I need to do that, I keep forgetting we still don't have scenario tests running in the gate04:42
reedipblogan_ : Any suggestions ?04:45
blogan_no thats not correct04:45
blogan_i mean it showing octavia as the provider is not correct04:45
blogan_unless you have another service_provider line there with octavia04:45
blogan_but it shoudl complain about there being 2 defaults if that were the case04:46
blogan_rm_work, xgerman: i was actually going to start getting hte scenario tests working tonight04:46
blogan_or at least starting that work effort04:46
blogan_and then hopefully we can get those voting04:46
xgermanAwesome. Looking forward to that04:48
dougwigxgerman: boot or not, we're ready-ish for either. but i think he's trying to make things saner, and i wouldn't expect any immediate change.04:48
dougwigxgerman: nor will a change like that happen without input.04:48
dougwigwell, i'd hope not. :)04:49
reedipblogan_ : http://paste.openstack.org/show/480457/ shows the current  information for the configuration I am using04:49
xgermanMe too :-)04:49
*** ducttape_ has quit IRC04:49
reedipblogan_ : Octavia is disabled , HAProxy enabled but still its showing the provider as octavia. Loading any other driver( a10, radware) reports error like HAProxy did ( ImportError: No module named .....)04:50
blogan_reedip: hmm interesting, i dont see why this would happen04:51
reedipblogan_ : Any suggestions of resolving it?04:54
blogan_reedip: not off the top of my head, other than looking at logs and seeing what driver it says its loading (obviously octavia), but if possible even debugging through that to see why its loading octavia04:55
blogan_but i was going to do that too as soon as my stack was successful04:55
blogan_but of course...problems with stacking04:55
reedipblogan_ : Ok , let me try to work on it a bit more.04:57
reedipIf there is any problem , I will get back here04:57
*** ducttape_ has joined #openstack-lbaas04:58
blogan_reedip: sounds good, thanks04:58
reedipthnx :)04:59
dougwigreminder to rsvp on the meetup etherpad.05:00
openstackgerritOpenStack Proposal Bot proposed openstack/neutron-lbaas: Updated from global requirements  https://review.openstack.org/25096005:03
*** manishg has quit IRC05:07
rm_workblogan_: cool, godspeed05:11
*** prabampm has joined #openstack-lbaas05:12
*** prabampm has quit IRC05:19
*** prabampm has joined #openstack-lbaas05:21
*** amotoki has joined #openstack-lbaas05:26
*** numans has joined #openstack-lbaas05:27
*** ianbrown has quit IRC05:32
*** jerrygb has joined #openstack-lbaas05:35
*** ducttape_ has quit IRC05:52
*** jerrygb has quit IRC05:52
openstackgerritOpenStack Proposal Bot proposed openstack/neutron-lbaas: Updated from global requirements  https://review.openstack.org/25096006:07
openstackgerritOpenStack Proposal Bot proposed openstack/octavia: Updated from global requirements  https://review.openstack.org/25056606:08
*** bana_k has joined #openstack-lbaas06:23
*** prabampm1 has joined #openstack-lbaas06:26
*** prabampm has quit IRC06:26
*** sc68cal has quit IRC06:40
*** sc68cal has joined #openstack-lbaas06:44
*** ducttape_ has joined #openstack-lbaas06:53
*** amit213 has quit IRC06:55
*** amit213 has joined #openstack-lbaas06:55
*** ducttape_ has quit IRC06:59
*** ducttape_ has joined #openstack-lbaas07:03
blogan_reedip: btw finaly got devstack fixed for me and used the same service_provider line you used and it works for me07:16
reedipblogan_ : and I am still having the same issue :)07:19
blogan_reedip: gotta be something simple07:20
reedipblogan_ : Still working on it....  but will be getting back to you07:20
blogan_but easy to overlook07:20
*** ducttape_ has quit IRC07:20
reedipblogan_ : Thats what I am wondering... everything which should work is there07:20
blogan_reedip: sure there isn't a service_provider line in neutron.conf?07:20
reedipsomething external is messing with the setup07:20
reedipblogan_ : Yes, I made sure of that. Also verified that if there is a service_provider in neutron.conf, then getting an error07:21
blogan_damn, i hate these kind of errors, feels like such a waste figuring them out07:22
blogan_unavoidable though, they always happen07:22
reedipblogan_ : I hope I get to learn something useful at the end of the day, though07:23
reedipI will work on it today07:23
blogan_lol i hope so too07:23
reedip:)07:23
blogan_of course the only thing i usually learn is that i'm an idiot07:23
reedipsame here, but when someone else faces it, the idiocity helps out ...practical experience , you see :)07:24
blogan_you're an optimist at heart eh? we need more of that!07:25
*** kobis has joined #openstack-lbaas07:27
reedip :) lets see07:27
blogan_if you have a chance, set a breakpoint (i'm using pdb at the moment) here: https://github.com/openstack/neutron-lbaas/blob/master/neutron_lbaas/services/loadbalancer/plugin.py#L39307:30
blogan_and then see what this returns: pconf.ProviderConfiguration('neutron_lbaas').providers07:30
*** prabampm1 has quit IRC07:31
reedipI have added logs there and checking q-svc.log07:32
reedipblogan_ something weird which I found while restarting neutron is that when I restarted neutron with HAproxy, the output on the screen showed HAProxy07:33
reedipI mean the logs on the screen showed HAProxy07:33
blogan_yeah that is weird07:33
reedipHowever, VPN service providers are no working07:34
reedipnot*07:34
reedipand probably thats the reason why it is not launching with HAProxy07:34
reedipThat's what the stderr log is saying on screen07:35
blogan_try running without vpn and only lbaas07:36
blogan_but at this point i'm just throwing shit on a wall seeing what sticks07:37
reedipYes, I am doing that itself ( not thworing shit, disabling vpn)07:37
reedip:D07:37
blogan_lol07:37
*** eezhova has quit IRC07:51
*** eezhova has joined #openstack-lbaas07:53
*** bana_k has quit IRC07:53
*** blogan_ has quit IRC08:04
*** reedip has quit IRC08:05
*** prabampm has joined #openstack-lbaas08:08
*** prabampm has quit IRC08:13
*** prabampm has joined #openstack-lbaas08:13
*** prabampm1 has joined #openstack-lbaas08:16
*** prabampm has quit IRC08:17
*** ducttape_ has joined #openstack-lbaas08:21
*** reedip has joined #openstack-lbaas08:22
*** nmagnezi has joined #openstack-lbaas08:22
*** ducttape_ has quit IRC08:25
*** rcernin has joined #openstack-lbaas08:37
*** jschwarz has joined #openstack-lbaas08:49
*** jerrygb has joined #openstack-lbaas08:52
*** ducttape_ has joined #openstack-lbaas09:21
*** ducttape_ has quit IRC09:26
*** yuanying has quit IRC09:30
*** nmagnezi has quit IRC09:59
*** itsuugo has quit IRC10:03
*** itsuugo has joined #openstack-lbaas10:05
*** nmagnezi has joined #openstack-lbaas10:07
*** ducttape_ has joined #openstack-lbaas10:22
*** kiran-r has joined #openstack-lbaas10:22
*** ducttape_ has quit IRC10:28
*** jerrygb has quit IRC10:31
*** mdavidson has joined #openstack-lbaas10:48
*** jerrygb has joined #openstack-lbaas11:16
*** jerrygb has quit IRC11:19
*** yamamoto has quit IRC11:20
*** elarson has quit IRC11:26
*** elarson has joined #openstack-lbaas11:26
*** chlong has quit IRC11:35
*** chlong has joined #openstack-lbaas11:35
*** thehoffau has joined #openstack-lbaas11:58
*** thehoffau has quit IRC12:00
*** ducttape_ has joined #openstack-lbaas12:01
*** rtheis has joined #openstack-lbaas12:02
*** yamamoto has joined #openstack-lbaas12:04
*** ducttape_ has quit IRC12:06
*** jerrygb has joined #openstack-lbaas12:20
*** kiranr has joined #openstack-lbaas12:20
*** kiran-r has quit IRC12:21
*** jerrygb has quit IRC12:27
openstackgerritJacky_lei_zhang proposed openstack/neutron-lbaas: LB_NFV KiloV1 :the default session limit is 2000 rather than unlimit  https://review.openstack.org/25184712:41
*** jschwarz has quit IRC12:45
*** jschwarz has joined #openstack-lbaas12:58
*** jerrygb has joined #openstack-lbaas13:01
openstackgerritgaryk proposed openstack/neutron-lbaas: Fix pep8 issues  https://review.openstack.org/25185513:02
*** ducttape_ has joined #openstack-lbaas13:10
openstackgerritgaryk proposed openstack/neutron-lbaas: Fix pep8 issues  https://review.openstack.org/25185513:12
*** kiranr has quit IRC13:19
*** jschwarz has quit IRC13:20
*** jschwarz has joined #openstack-lbaas13:28
openstackgerritgaryk proposed openstack/neutron-lbaas: Fix pep8 issues  https://review.openstack.org/25185513:29
*** ducttape_ has quit IRC13:33
*** yamamoto has quit IRC13:40
openstackgerritgaryk proposed openstack/neutron-lbaas: Fix pep8 issues  https://review.openstack.org/25185513:40
openstackgerritgaryk proposed openstack/neutron-lbaas: Fix pep8 issues  https://review.openstack.org/25185513:48
*** yamamoto has joined #openstack-lbaas13:50
*** yamamoto has quit IRC13:57
*** yamamoto has joined #openstack-lbaas13:57
openstackgerritJacky_lei_zhang proposed openstack/neutron-lbaas: LB_NFV KiloV1 :the default session limit is 2000 rather than unlimit  https://review.openstack.org/25184714:03
*** neelashah has joined #openstack-lbaas14:20
*** ajmiller has joined #openstack-lbaas14:20
*** ajmiller has quit IRC14:23
*** amotoki_ has joined #openstack-lbaas14:24
*** Piet has quit IRC14:36
*** amotoki has quit IRC14:38
dougwigis our gate fixed?14:43
*** ducttape_ has joined #openstack-lbaas14:50
*** amotoki_ is now known as amotoki15:01
*** yamamoto_ has joined #openstack-lbaas15:04
*** manishg has joined #openstack-lbaas15:05
*** yamamoto has quit IRC15:05
*** prabampm1 has quit IRC15:11
xgermanI did not fix it… so unless pc_m did I guess we are still toast15:18
*** ajmiller has joined #openstack-lbaas15:23
*** TrevorV has joined #openstack-lbaas15:27
openstackgerritgaryk proposed openstack/neutron-lbaas: Unblock the gate. Did the following:  https://review.openstack.org/25192315:30
pc_mxgerman: hi15:33
xgermanhi15:33
pc_mI think I have a fix for VPN on master. Trying same fix for LB, using a commit I tried before that didn't work.15:33
pc_mTesting locally.15:34
xgermanwondering if FWaaS is also affected. I am afraid it is15:34
pc_mVPN change is pushed and will see if it works.15:34
xgermanok15:34
pc_mFWaaS is ok. they actually do NOT run pylint as part of pep8, so are not affected (but are not testing!)15:35
pc_marmax: ^^15:36
pc_mMy LB fix works locally.15:36
pc_mTesting py27 for grins, and will push up change as soon as that is done.15:36
xgermanyeah, I have seen a lot of test skipping in this world...15:37
pc_mxgerman: I'm not test skipping15:37
pc_mFound a really simple solution.15:37
xgermanno, I know. It’s just one of my general gripes with OpenStack that we have to skip tests to fir into the tiny window infra give sis in the gate...15:38
xgerman(it’s my favorite yak BTW)15:38
pc_mI hear ya15:39
openstackgerritDoug Wiegley proposed openstack/neutron-lbaas: Remove pylint from pep8  https://review.openstack.org/25192815:39
*** diogogmt has quit IRC15:39
pc_mdougwig: I have a good solution.15:39
pc_mWill push in a min. Please consider it, as it is better than removing pyllint.15:40
dougwigpc_m: is it in queue *right now* ?  if not, let's fix the gate, then fix the issue.  if it is, ignore mine.15:40
dougwigpc_m: nothing precludes re-adding pylint later.15:40
openstackgerritgaryk proposed openstack/neutron-lbaas: Unblock the gate  https://review.openstack.org/25192315:40
pc_mI'm going to push in a min. it will fix gate.15:40
pc_mLB sets pylint dependency in tox.ini. I added astroid and pinned them there.15:40
*** diogogmt has joined #openstack-lbaas15:41
dougwighonestly, pylint was about *this close* to being disabled before this anyway.  :)15:45
pc_mdougwig: I have my fix ready? Should I push? I see you've disabled pylint15:47
dougwigpc_m: push it, though it may fail the requirements job.15:47
openstackgerritPaul Michali proposed openstack/neutron-lbaas: Fix pylint/astroid breakage  https://review.openstack.org/25160915:47
pc_mdougwig: no it won't15:47
pc_mdougwig: I think :)15:47
pc_mdougwig: xgerman: ^^15:48
dougwigi'd still rather approve them both and deal with whichever merges afterwards.15:48
pc_mdougwig: sure15:49
pc_mVPN one passed pep8 on gate.15:50
pc_mNeed approvals... hint hint :)15:50
ajmillerpc_m on it15:50
pc_majmiller: thanks!15:51
ajmillerpc_m: could you give a quick summary of which patches you've submitted15:52
ajmillerJust the links15:52
*** TrevorV has quit IRC15:53
johnsomI can look at things too this morning15:53
pc_mMy LB commit just ran pep8 and passed.15:54
ajmillercool15:54
pc_mVPN: https://review.openstack.org/#/c/251556/15:54
pc_mLB: https://review.openstack.org/#/c/251609/15:54
dougwigajmiller, johnsom - an alternative - https://review.openstack.org/25192815:54
pc_mVPN kilo: https://review.openstack.org/#/c/251874/15:54
*** TrevorV has joined #openstack-lbaas15:54
*** diogogmt has quit IRC15:55
pc_mNeutron Kilo: https://review.openstack.org/#/c/251827/15:55
johnsomdougwig +215:55
pc_mWe need LB kilo pinning, similar to what VPN did.15:56
johnsomdougwig Won't the local pinning get blocked from merge due to global requirements?16:00
pc_mActually, I guess if we use 251609, we could cherry pick that for Kilo16:00
dougwigi was expecting some complications there.16:00
dougwigpc_m: looks like kilo's tox is too different.16:00
pc_m(or any of the other solutions, like removing pylint)16:00
pc_mdougwig: ah. no pylint that can be pinned in tox.ini?16:01
pc_mdougwig: For VPN, do you think I should cherry pick 251556 versus use the traditional pinning that 251874 is doing (and requires the infra change)?16:02
dougwigliberty - https://review.openstack.org/#/c/251935/16:02
dougwigkilo - https://review.openstack.org/#/c/251939/16:02
dougwigno pylint in juno.16:04
*** jschwarz_ has joined #openstack-lbaas16:04
dougwigpc_m: sec, in a meeting16:04
*** rcernin has quit IRC16:04
*** jschwarz has quit IRC16:06
*** nmagnezi has quit IRC16:15
*** numans has quit IRC16:15
rm_workarmax / dougwig: it looks like people didn't catch the spec for the TLS RFE?16:22
dougwigrm_work: i missed it. link?16:22
rm_workI commented in the RFE -- it was linked at the top but not in the summary, I added it there16:23
rm_worklooking16:23
rm_workhttps://review.openstack.org/#/c/237807/16:23
rm_workI was sad the discussion happened without anyone reading that :P16:24
dougwigrm_work: indeed. ok, let me shower, then let's talk.16:25
rm_workk16:25
rm_workthere was a bit of discussion around this at the summit too16:26
rm_workbut you may have been elsewhere16:26
rm_workit was mostly RAX/HP/BB involved in that16:26
dougwigindeed.16:26
*** fnaval has joined #openstack-lbaas16:26
*** yamamoto_ has quit IRC16:28
xgermanwell, I was hoping it died… but16:37
xgermanyeah, let me know where I can out my -1s16:37
*** diogogmt has joined #openstack-lbaas16:41
openstackgerritKyle Mestery proposed openstack/neutron-lbaas: Remove version from setup.cfg  https://review.openstack.org/25196216:46
*** woodster_ has joined #openstack-lbaas16:51
*** amotoki has quit IRC16:55
openstackgerritJames Arendt proposed openstack/neutron-lbaas: Add flavor option to loadbalancerv2 creation  https://review.openstack.org/22323216:58
*** jschwarz__ has joined #openstack-lbaas17:06
*** jschwarz_ has quit IRC17:10
*** kobis has quit IRC17:18
*** doug-fish has joined #openstack-lbaas17:25
bloganxgerman: btw the scenario jobs are running actual real drivers now, so if you see a review get pushed up and the scenario jobs fail -1 it for that since its non voting at this point17:29
blogani dont want to make it voting until it has a good track record though, so reviewers just need to be mindful of that job now17:29
xgermanawesome17:31
xgermanI really hated it that I needed to install every patch and test on my devstack or get ridiculed by johnsom17:31
dougwigrm_work: ping?17:31
dougwigreading that spec, isn't this a failure of the global lbaas creds to barbican? it's become a trusted source since it has global access, and that seems the security fail, not passwords that we'd then have to store in a db (double security fail.)17:32
xgermanyeah, we can add a way to compare tenants-ids, e.g. if we create an LB on behalf of Bob we check that the TLS cert belongs to Bob, etc.17:33
xgermanor better yet barbican client can17:33
*** manishg has quit IRC17:36
*** manishg has joined #openstack-lbaas17:37
*** bana_k has joined #openstack-lbaas17:47
dougwigxgerman: i'd rather see lbaas not have global creds to barbican.17:59
xgermanwe don’t. The user just sets up a trust with us… but if Bob sets up a trust and Alice we can see both their certs and hence the security implication. However, Charles who doesn’t trust us — we can’t access his stuff18:00
xgermanand that trust is for TLS only. So if Bob has other secrets they are off limits for us18:01
xgermanI think having god access is what all the services do with each other… hence service account. Not sure if we can recycle the user’s auth token somehow18:02
*** jschwarz__ is now known as jschwarz18:05
*** madhu_ak has joined #openstack-lbaas18:07
dougwigxgerman: hmm, i was under the impression that trust was tied to the user. i do not like that it grants that users stuff to all of lbaas. our code has not been security vetted enough for that kind of exposure.18:08
xgermanyeah, trust is tied to the LBaaS user BUT everybody using TLS needs to trust us. That’s how we get cross fire. Simple solution is to check if the tenant-id of the person creating LB matches the tenant-id of the one owning the TLS secret18:09
xgermanalso there is probably no good way around since a) we want to support fail overs without any user intervention b) we ideally don’t want to store secrets in our DB18:11
xgermanI ran rm_work’s proposal by my security people and they said that checking tenant_ids was ok (preliminary)18:12
dougwigwell, you can limit it by doing things like storing the widget used for the third party encrypted with the user's password as the key, so it's only usable when they're making a change, e.g.  ahh, but the failover case. hmm.18:13
*** neelashah has quit IRC18:13
openstackgerritMerged openstack/neutron-lbaas: Remove pylint from pep8  https://review.openstack.org/25192818:14
*** nmagnezi has joined #openstack-lbaas18:15
xgermanI belive checking tenant -id is sufficient for most sue cases. I am not opposed to optionally store the passpohrase (so I can switch that of) but if we go down that route I like to see that code be outside LBaaS so it can be shared with VPN and other services requiring TLS certificates18:17
dougwigshouldn't the passphrase be stored by barbican? or stored there, and certs retrieved get the passphrase auto-stripped on the fly? storing passwords in a non-security database seems like a bad solution.18:20
xgermanyep18:21
xgermanI would not do it but RAX has some useless where it makes sense when I understood rm_work correctly18:22
xgermanand if Barbican stores both it doesn’t matter to us and for us (or somebody else) enforcing that the tenat_ids match is good. That kills the sue case case that Bob store a cert for Alice to use. But I think it’s rare that somebody won’t use the same tenant and an acceptable limitation18:23
*** fnaval has quit IRC18:24
xgermanso to sum it up my vote is:18:24
xgerman1) Start enfocring that the tenant creating LB also owns TLS cert18:25
xgerman2) Ideally do that outside LBaas so it can be reused in other projects18:25
dougwigmy fundamental beef is that none of these proposals address the underlying security hole. which is either in how we're using barbican, or a fundamental flaw in their API itself.  add "if tenant_id == foo:" in interpreted code still leaves a mountain of exploit available.18:27
*** neelashah has joined #openstack-lbaas18:28
xgermanyeah, that is sadly the best we can do18:29
xgermanand believe me I am not a fan of them shooting everything which  might help us down18:29
*** rcernin has joined #openstack-lbaas18:38
*** jschwarz has quit IRC18:39
*** neelashah1 has joined #openstack-lbaas18:43
*** neelashah has quit IRC18:45
*** neelashah has joined #openstack-lbaas19:05
*** neelashah1 has quit IRC19:06
xgermandougwig who can approve stuff on octavia stable/liberty?19:12
*** neelashah1 has joined #openstack-lbaas19:16
*** armax has quit IRC19:16
*** neelashah has quit IRC19:18
*** barclaac has joined #openstack-lbaas19:19
*** nmagnezi has quit IRC19:23
openstackgerritPaul Michali proposed openstack/neutron-lbaas: Remove dependency on neutron for topics  https://review.openstack.org/25202819:29
*** neelashah has joined #openstack-lbaas19:37
*** neelashah1 has quit IRC19:39
*** nmagnezi has joined #openstack-lbaas19:49
*** armax has joined #openstack-lbaas19:51
rm_workxgerman / dougwig: neither of those are the actual issue T_T and i believe this is a problem for your deployment too, but you might just not care as much as I do (not sure even people here care as much as I do)19:54
rm_workdougwig: I can talk through it on hangouts or something later today, I have a meeting presently19:55
xgermanok, I always like to learn how I am wrong19:55
xgerman;-)19:55
rm_workI thought I had been through the issues with xgerman and that you understood at the summit19:55
rm_workbut maybe not19:55
rm_workthe real concern is internal actors (support/etc)19:55
rm_workfor me19:56
rm_workthe other problem can be taken care of with tenant-id checks19:56
xgermanso it’s not that Alice can access Bob secret unless we do the tenant_id=foo19:56
rm_workwhich i updated the spec for19:56
rm_workyeah that isn't the issue19:56
xgermanoh, I missed that with the internal actors19:56
*** neelashah has quit IRC19:56
rm_workthe issue is that an internal actor who has a keystone admin account can get the ACTUAL token for a user19:56
rm_workso there's literally no way to distinguish who is asking for the info19:56
rm_workso if Barbican has everything necessary to decrypt the PK...19:57
rm_workhosed.19:57
xgermanwell, good that the CIA buys their cloud from Amazon I guess ;-)19:57
rm_workLBaaS can store half of the necessary data to decrypt, and since LBaaS wouldn't ever EXPOSE that data (even to the original user) then it is secure19:57
rm_workI would bet me next month's paychecks both of our orgs have hostile government actors *working* internally on support/etc teams19:57
rm_workjust saying19:57
rm_workI don't *think* that makes me paranoid, just a realist19:57
xgermanwell, but that a keystone admin can see everything is a general problem and should be resolved by barbican (e.g. access logs at the least)19:58
rm_workerr19:58
rm_workwell, access logs are great19:58
rm_workfor tracking down why someone lost millions of dollars19:58
rm_worka week later19:58
rm_work>_>19:58
xgermanyeah, but we don’t have a public cloud19:58
rm_workI would prefer to actually stop the problem19:58
rm_workloooool alright xgerman19:58
rm_workthat is a valid point for you i guess :P19:58
rm_worknot so much for the rest of us T_T19:58
xgermanyep, but I think if the person has keystone can;t they access the vm and steal the token right there?19:59
rm_workno19:59
rm_workwell19:59
rm_workyes?19:59
rm_worki made a note about how it requires some specific deployment stuff internally as well to be effective19:59
rm_workfor instance, there's an assumption that the controlplane is on machines inaccessible with keystone credentials19:59
rm_workIE baremetal or somesuch20:00
rm_workin our deployment only like 6 people would be able to access those machines, and it'd be with SSH key auth20:00
xgermanyeah, we at HP usually wave our hand and say appropriate structures exist to separate access...20:00
rm_workT_T20:00
rm_workwait did we just opt to REMOVE pylint checks? https://review.openstack.org/#/c/251928/20:03
rm_workinstead of something like what I was working on with https://review.openstack.org/#/c/251546/20:04
rm_worksurprising20:04
rm_workseems pretty nuclear T_T20:04
*** neelashah has joined #openstack-lbaas20:06
rm_workI mean it isn't my repo, so >_>20:06
rm_workbut if it were octavia I would have -2'd that I think unless someone had a REALLY strong argument20:06
dougwigrm_work: wait, so you're upset that root access is... root?20:13
dougwigrm_work: feel free to put it back, but in gate breakage world: 1) fix the break, 2) fix it right.20:14
*** madhu_ak has quit IRC20:14
johnsomrm_work I agreed with dougwig as it was going on day two, we were finding more layers to the problem (astroid), and other projects were reporting dead ends trying to straighten out the import ordering.20:21
johnsomSo, yeah, disable it, fix it offline and bring it back in seemed like the right answer.20:21
*** madhu_ak has joined #openstack-lbaas20:22
dougwigrm_work: do you have any custom code running for lbaas? because if rax is the only ones with an issue here, you could put the passphrase in a custom table and call it a day.20:29
*** neelashah has quit IRC20:32
*** nmagnezi has quit IRC20:41
*** neelashah has joined #openstack-lbaas20:44
*** crc32 has joined #openstack-lbaas20:46
openstackgerritAdam Harwell proposed openstack/neutron-lbaas: Gatefix: ignore most new pylint rules, fix some imports  https://review.openstack.org/25154620:49
rm_workjohnsom / dougwig yeah that seems fair20:52
rm_workdougwig: to some extent, yes, i am trying to protect against "root", if you define root as "half of your organization has root and shouldn't really"20:53
bloganrm_work: i think we determined ignoring thsoe rules isn't the real fix, its pinning astroid20:53
rm_workblogan: well, the new rules are valid, we just can't fix the issues where they exist because they aren't our code, they're vendor code20:53
bloganwhenever requirements gets it in20:53
rm_workblogan: i FIXED the issues where I actually could20:53
rm_workthe long term solution can't be "pin the version to an old version that doesn't have the new checks" >_>20:54
rm_workdo we expect to be on an old version forever? or do we intend to get the pylint people to REMOVE the checks they added?20:54
rm_workI mean... >_> i dunno what we are expecting here as a path forward20:54
bloganno but we don't want to always pull in the new pylint checks, so pinning pylint and astroid for a release is the better way to go, then moving to the next version and evaluating then is probably better20:54
rm_workmaybe? although in this case, calling out the places where there are issues with the pylint comments in-line seems to be a better call IMO20:55
blogangotta worry about older stable releases20:55
rm_workyeah for old/stable pin away20:55
rm_workfor master we should not do that20:55
blogani think we should, more work for nothing, just do it once per release20:55
bloganstart a new cycle, pin to a new version of pylint20:56
rm_workthe natural progression of that is "let's just pin all our reqs at day 1 of each cycle"20:56
rm_workbecause when you start pinning high level reqs you are going to run into deps issues20:56
rm_workas other things start REQUIRING them20:57
bloganexcept pylint changes cause gate breakages frequently enough to warrant it this way20:57
rm_workmaybe i'm overreacting, i just think it's a bad idea when we have a clear way forward that doesn't just block new code20:57
*** Piet_ has joined #openstack-lbaas21:04
dougwigpylint is the devil anyway. i was an early fan, but it's caused way more churn than bug finding, compared to hacking.21:06
rm_workhmm21:06
rm_worki mean i don't think the things it's complaining about are invalid21:06
rm_workwhich is why i was more a fan of calling out the places and hoping the authors will fix them21:06
bloganif we enabled all the rules i would say a lot of those are invalid21:06
rm_workjust because i don't feel comfortable futzing with vendor code21:06
rm_worksome are, and we ignore some21:06
rm_workbut i don't mind a lot of the new ones21:06
*** neelashah has quit IRC21:18
rm_workthis is so weird that it's failing in the checks though21:18
rm_workpassing locally and all the versions of everything i see are exactly the same21:18
*** harlowja has quit IRC21:27
*** harlowja has joined #openstack-lbaas21:28
*** crc32 has quit IRC21:28
*** rcernin has quit IRC21:31
*** jerrygb has quit IRC21:32
*** manishg has quit IRC21:40
*** crc32 has joined #openstack-lbaas21:42
*** neelashah has joined #openstack-lbaas21:52
*** rtheis has quit IRC21:56
openstackgerritDoug Wiegley proposed openstack/neutron-lbaas: Switch to internal _i18n pattern, as per oslo_i18n guidelines  https://review.openstack.org/25011822:02
dougwigrm_work: if it's in our repo, we own it, and we must futz with it. or being a decomp.22:06
dougwig /being/begin/22:06
dougwigIMO22:06
rm_workhmm k22:06
rm_workbut we have zero visibility into how their systems work22:06
rm_workso when we mess with code doing REST requests/responses to their hardware ... ??? how do we even do that22:06
rm_workI did change the one spot where it was an obviously non-impacting change22:07
*** TrevorV has quit IRC22:07
dougwigif they don't have adequate tests in place to cover that, it's on them. we have to maintain our codebase.22:07
rm_workalright, noted22:07
rm_workgood to hear from a vendor at least :P22:08
doug-fishanyone avail to give a +A to https://review.openstack.org/#/c/244318/ ?22:11
dougwigdoug-fish: looking22:14
xgermanhow do we test that?22:14
doug-fishxgerman: yeah that's a fair question! let me see if we have that documented22:14
*** dnovosel has quit IRC22:15
doug-fishso far, the only instructions I know of are in the commit message for https://review.openstack.org/#/c/241764/22:16
xgermanI also alerted our Horizon people who will look tomorrow22:16
doug-fishand frankly I think those are incomplete22:16
xgermanyeah, we got bitten by the eBay panel. I tried to run it, parachuted some HP Horizon people in, just to learn that you could not create a load balancer :-)22:17
doug-fishxgerman: fair warning: you can't create a load balancer with this UI yet either22:18
xgermanok22:18
doug-fishbut you can list them and see a few details22:18
xgermanwell, I guess I have my work cut out for the rest of the day...22:19
*** harlowja has quit IRC22:19
*** dnovosel has joined #openstack-lbaas22:19
dougwigany chance we can add a lbaas-dashboard to our devstack plugin?22:20
doug-fishdougwig: that would be cool - I don't know much about devstack plugins22:21
rm_workshouldn't be difficult?22:21
doug-fishI think the manual setup instructions here would work https://github.com/openstack/neutron-lbaas-dashboard/blob/master/README.rst22:21
*** harlowja has joined #openstack-lbaas22:21
doug-fishbut that's not quite the way I do it22:21
rm_workif we pull in horizon and that project22:21
doug-fishso I'm going to try them now22:21
rm_workI would assume it'd just "work"22:22
doug-fishalmost22:22
*** diogogmt has quit IRC22:22
doug-fishpull in horizon, then the plugin, then do the readme (which again should work, but I want to try it)22:22
dougwigajmiller: you around? any chance you can work your devstack magic?22:22
*** barclaac has quit IRC22:22
rm_workyeah that's just part of the setup script22:22
ajmillerdougwig: Yeah, whats up?22:22
rm_workeasy enough22:23
xgermanthat would be real cool indeed22:23
dougwigajmiller: neutron-lbaas-dashboard repo could use a devstack plugin, i'm thinking?22:23
rm_workI would assume they should22:23
xgermanwell, can’t we just clone them with our plugin22:23
xgerman?22:23
rm_workyes22:23
rm_workbut long-term it'd be good to "enable_plugin lbaas-dashboard" or whatever22:23
xgermanwhen I read it right we just need to check out the repo and copy one file22:23
*** barclaac has joined #openstack-lbaas22:23
rm_workprojects really should take care of their own installation22:24
rm_workthat's the point of the devstack plugins22:24
xgermanwell, I think we install Octavia so we could as well install our horizon panel22:25
rm_worksure, but i would assume we install octavia via it's devstack plugin? or do we do it manually22:25
xgermanplugin22:25
rm_workyeah22:25
*** diogogmt has joined #openstack-lbaas22:25
ajmillerWell it looks like a devstack plugin would be pretty straight-forward...22:28
rm_workI would assume so yeah22:28
xgermanwell, if you have cycles that would really help us to have that done ;-)22:28
* rm_work sits here and says agreeable things and waits for someone else to implement it :P22:28
*** jerrygb has joined #openstack-lbaas22:32
* ajmiller has been pondering the balance of other commitments, but I can do it.22:35
*** jerrygb has quit IRC22:37
openstackgerritMichael Johnson proposed openstack/octavia: Amphora Flows and Drivers for Active Standby  https://review.openstack.org/20625222:41
xgermandougwig, blogan. doug-fish: https://bugs.launchpad.net/neutron/+bug/152178322:46
openstackLaunchpad bug 1521783 in neutron "RfE: Cascading delete for LBaaS Objects" [Undecided,New] - Assigned to Bharath (bharathm)22:46
doug-fishxgerman: nice!22:46
dougwigxgerman: confirmed and commented.22:52
xgermanthanks22:53
rm_workneat22:54
*** harlowja has quit IRC22:57
*** harlowja has joined #openstack-lbaas23:01
*** TrevorV|Home has joined #openstack-lbaas23:05
*** neelashah has quit IRC23:08
*** fnaval has joined #openstack-lbaas23:23
*** fnaval has quit IRC23:24
*** fnaval has joined #openstack-lbaas23:25
doug-fishI see in bug 1321783 dougwig has mentioned an API to make a lb tree in one API call -- is that API arriving any time soon?23:33
openstackbug 1321783 in gallery-app " QT_LOAD_TESTABILITY checking should be added to gallery-app to load qttestability driver" [Low,Fix released] https://launchpad.net/bugs/1321783 - Assigned to Arthur Mello (artmello)23:33
doug-fishuh23:33
doug-fishno23:33
doug-fishhow about bug 152178323:33
openstackbug 1521783 in neutron "RfE: Cascading delete for LBaaS Objects" [Undecided,Confirmed] https://launchpad.net/bugs/1521783 - Assigned to Bharath (bharathm)23:33
dougwigblogan was working on that.  blogan?23:34
blogandougwig: i dont believe so23:34
dougwigblogan: heh, are you hiding from the lb tree api now?23:34
blogandougwig: ha no but thats a create23:34
dougwigblogan: that's what he's asking about.23:35
blogandougwig: no thats delete23:35
doug-fishblogan: dougwig mentioned the create API in the delete bug23:35
xgermanI am talking delete :-)23:35
doug-fishI hadn't heard about this create API before23:35
dougwigblogan: he's asking about create, since i mentioned that delete should parallel.23:35
bloganohh, sorry i just read a few lines above this23:35
bloganthen yes i am giogn to work on it :)23:36
dougwigi might be easily amusable today, but (SFW): http://i.imgur.com/YAaM3PM.jpg23:36
blogansomeone was working on it but I believe it has been stale23:36
bloganso i volunteered to pick it up once i got a chance23:36
bloganthats a bit much23:37
xgermanwell, I have somebody for delete23:37
blogani mean thtat plane is a bit much23:38
openstackgerritMerged openstack/neutron-lbaas: Support for Name field in Members and HMs  https://review.openstack.org/24566423:39
*** madhu_ak_ has joined #openstack-lbaas23:39
*** TrevorV|Home has quit IRC23:40
*** madhu_ak has quit IRC23:43
*** TrevorV|Home has joined #openstack-lbaas23:43
*** jorgem is now known as jorgem[away]23:53
*** crc32 has quit IRC23:56
*** diogogmt has quit IRC23:57
« Monday, 2015-11-30 Index Wednesday, 2015-12-02 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!