Wednesday, 2016-09-07

johnsom	Yeah, it works manually for me too	00:00
tmcpeak	pep8 runtests: commands[2] \| git stash	00:00
tmcpeak	WARNING:test command found but not installed in testenv	00:00
tmcpeak	cmd: /usr/bin/git	00:00
tmcpeak	env: /Users/travismcpeak/Documents/projects/openstack/octavia/.tox/pep8	00:00
tmcpeak	Maybe you forgot to specify a dependency? See also the whitelist_externals envconfig setting.	00:00
tmcpeak	I get that, but it otherwise works	00:00
johnsom	No, I added that	00:00
tmcpeak	johnsom: stash works for me, although I get a strange message about 'test' not being installed	00:01
tmcpeak	http://paste.openstack.org/show/567276/	00:01
tmcpeak	ahh, I see what it's saying	00:02
tmcpeak	it's saying the environment uses git but it's not listed as a dependency	00:02
johnsom	Yeah, I think it is skipping those lines without it in the	00:02
johnsom	whitelist_externals =	00:02
tmcpeak	johnsom: anyway, that works for me	00:03
tmcpeak	wrapping bandit-baseline in stash/unstash	00:03
tmcpeak	johnsom: git is actually not listed in any of those whitelists	00:05
tmcpeak	I think it needs to be added separately	00:05
tmcpeak	nevermind, I'm not reading correctly	00:05
johnsom	I added it to that one	00:05
tmcpeak	ahh ok	00:05
tmcpeak	having it work for me and not you is strange...	00:06
openstackgerrit	Vinay Potluri proposed openstack/syntribos: Added neutron templates https://review.openstack.org/366410	00:07
johnsom	Ok, let me play around with it. It is odd behavior	00:10
openstackgerrit	Rahul U Nair proposed openstack/syntribos: Adding templates for neutron https://review.openstack.org/366257	00:12
*** ccneill has quit IRC		00:35
*** browne has quit IRC		01:22
*** zhihui has joined #openstack-security		01:45
*** tmcpeak has quit IRC		02:08
*** austin987 has joined #openstack-security		02:11
*** salv-orlando has joined #openstack-security		02:30
*** salv-orl_ has quit IRC		02:33
*** dave-mccowan has quit IRC		02:33
*** tmcpeak has joined #openstack-security		03:00
openstackgerrit	chen.xing proposed openstack/security-doc: [sec-guide] Consistent the 'Nginx' term https://review.openstack.org/366457	03:16
*** sdake_ has joined #openstack-security		03:32
*** sdake has quit IRC		03:35
*** markvoelker has quit IRC		03:54
*** diazjf has joined #openstack-security		04:25
*** aleyvah40 has joined #openstack-security		04:37
*** aleyvah40 has left #openstack-security		04:41
*** diazjf has quit IRC		04:44
*** markvoelker has joined #openstack-security		04:55
*** markvoelker has quit IRC		04:59
*** tmcpeak has quit IRC		05:06
*** knangia has quit IRC		05:11
*** openstackgerrit has quit IRC		05:18
*** openstackgerrit has joined #openstack-security		05:18
*** austin987 has quit IRC		05:27
*** sdake_ is now known as sdake		05:46
*** sdake has quit IRC		06:18
*** austin987 has joined #openstack-security		06:20
*** pcaruana has joined #openstack-security		06:34
*** vinaypotluri has quit IRC		06:52
*** markvoelker has joined #openstack-security		06:56
*** markvoelker has quit IRC		07:01
*** tesseract- has joined #openstack-security		07:02
*** sdake has joined #openstack-security		07:03
*** Bbyles has joined #openstack-security		07:13
*** Bbyles has quit IRC		07:17
*** trisq has joined #openstack-security		07:23
*** woodster_ has quit IRC		07:39
*** austin987 has quit IRC		07:41
*** knangia has joined #openstack-security		07:44
*** liverpooler has joined #openstack-security		08:29
*** salv-orl_ has joined #openstack-security		08:29
*** salv-orlando has quit IRC		08:32
*** openstackgerrit has quit IRC		08:34
*** openstackgerrit has joined #openstack-security		08:34
*** markvoelker has joined #openstack-security		08:57
*** B_Smith has joined #openstack-security		09:00
*** markvoelker has quit IRC		09:01
openstackgerrit	Merged openstack/anchor: Add __ne__ built-in function https://review.openstack.org/365377	09:11
*** sdake has quit IRC		09:47
*** markvoelker has joined #openstack-security		09:57
*** markvoelker has quit IRC		10:02
*** knangia has quit IRC		10:21
*** trisq has quit IRC		10:44
*** dikonoor has joined #openstack-security		10:55
*** dikonoor has quit IRC		11:05
*** dikonoor has joined #openstack-security		11:15
*** dave-mccowan has joined #openstack-security		11:41
*** dave-mccowan has quit IRC		11:46
*** salv-orl_ has quit IRC		11:52
*** salv-orlando has joined #openstack-security		11:52
*** markvoelker has joined #openstack-security		11:58
*** markvoelker has quit IRC		12:03
openstackgerrit	Luke Hinds proposed openstack/security-doc: Updated OSSN-0069 https://review.openstack.org/356712	12:05
*** dasm has joined #openstack-security		12:07
dasm	lhinds: o/	12:07
dasm	lhinds: i'd like to ask about: https://review.openstack.org/#/c/356712/18	12:07
dasm	lhinds: could you elaborate a little bit more, what's the purpose of note?	12:07
lhinds	hio dasm	12:08
dasm	lhinds: if i understand it correctly, kilo and liberty no longer have problems with ipv6	12:08
dasm	lhinds: so there is no danger in re-enabling it.	12:08
lhinds	IPv6 was being enabled in the default namespace, meaning it could bypass security group rules.	12:08
lhinds	now its disabled as you say	12:08
lhinds	so the note is to make operators aware that re-enabling this, means a tenant can get direct access to the Host	12:09
dasm	lhinds: ok, stupid me. i just read what's inside bugfix.	12:09
dasm	it's not about "we permanently solved an issue"	12:09
lhinds	so if they change ipv6 using systctl and flag it as enabled again, they are allowing tenants to again break isolation (and undo the work of the patch)	12:10
dasm	but just "we disabled ipv6 so bug is bypassed"	12:10
dasm	lhinds: yeah. now i get it.	12:10
lhinds	dasm: yep, you got it!	12:10
lhinds	no worries, it took me a while to get my head round it too	12:10
dasm	lhinds: \o/	12:10
lhinds	:)	12:10
dasm	lhinds: thanks for explaining this to me.	12:11
lhinds	thanks for the review btw! its good to have eyes on to make sure we don't put out the wrong info	12:11
lhinds	as these notes are consumed by a lot (we hope at least)	12:11
dasm	lhinds: i like this last part "we hope" :)	12:11
dasm	lhinds: yeah, vinay was pretty convincing to look into this note.	12:12
lhinds	I am hoping to get to see what I can learn more from the summit , on ops making use of these notes	12:12
lhinds	ah yeah, vinay did some good work on the note	12:13
*** liverpooler has quit IRC		12:28
*** edmondsw has joined #openstack-security		12:31
*** markvoelker has joined #openstack-security		12:32
*** trisq has joined #openstack-security		12:34
*** woodster_ has joined #openstack-security		12:42
*** jkf has joined #openstack-security		12:57
*** singlethink has joined #openstack-security		13:38
*** mvaldes has joined #openstack-security		13:47
*** tmcpeak has joined #openstack-security		13:48
*** rcernin has joined #openstack-security		13:57
*** jmckind has joined #openstack-security		14:03
*** ayoung has quit IRC		14:03
*** liverpooler has joined #openstack-security		14:04
*** zul_ has joined #openstack-security		14:05
*** knangia has joined #openstack-security		14:17
*** zul_ has quit IRC		14:20
*** salv-orlando has quit IRC		14:20
*** lhinds has quit IRC		14:20
*** webhat has quit IRC		14:20
*** salv-orlando has joined #openstack-security		14:30
*** woodburn has quit IRC		14:34
*** dikonoor has quit IRC		14:35
*** salv-orlando has quit IRC		14:40
*** zul_ has joined #openstack-security		14:42
*** lhinds has joined #openstack-security		14:42
*** webhat has joined #openstack-security		14:42
*** woodburn has joined #openstack-security		14:43
*** ayoung has joined #openstack-security		14:48
*** vinaypotluri has joined #openstack-security		14:52
openstackgerrit	Vinay Potluri proposed openstack/security-doc: Updated OSSN-0069 https://review.openstack.org/356712	15:12
openstackgerrit	Rahul U Nair proposed openstack/syntribos: Refactoring debug_logger https://review.openstack.org/365368	15:14
*** sdake has joined #openstack-security		15:24
openstackgerrit	Luke Hinds proposed openstack/security-doc: Updated OSSN-0069 https://review.openstack.org/356712	15:29
dasm	lhinds: vinaypotluri hey guys. jenkins failed for ^ because of too long lines.	15:33
lhinds	I think thats the ubuntu check? note the gate-security-doc-tox-doc-publish-checkbuild?	15:34
lhinds	I see those lines just on the edge from what I recall	15:34
dasm	lhinds: checkniceness	15:34
vinaypotluri	let me let me quickly correct it	15:35
openstackgerrit	Vinay Potluri proposed openstack/security-doc: Updated OSSN-0069 https://review.openstack.org/356712	15:36
*** salv-orlando has joined #openstack-security		15:41
openstackgerrit	chen.xing proposed openstack/security-doc: [sec-guide] Consistent the 'Nginx' term https://review.openstack.org/366457	15:46
*** mdong has joined #openstack-security		15:47
*** salv-orlando has quit IRC		15:48
openstackgerrit	Vinay Potluri proposed openstack/security-doc: Updated OSSN-0069 https://review.openstack.org/356712	15:51
*** ccneill has joined #openstack-security		15:55
*** salv-orlando has joined #openstack-security		15:57
*** pcaruana has quit IRC		16:01
*** sicarie has joined #openstack-security		16:02
openstackgerrit	chen.xing proposed openstack/security-doc: Add a glossary link to 'Nginx's https://review.openstack.org/366849	16:02
openstackgerrit	chen.xing proposed openstack/security-doc: Add a glossary link to 'Nginx's https://review.openstack.org/366849	16:08
*** tesseract- has quit IRC		16:09
openstackgerrit	Merged openstack/syntribos: Refactoring debug_logger https://review.openstack.org/365368	16:13
ccneill	all the template CRs have at least +1's, so if we can get a few +2's this morning we'll be ready to get hacking :)	16:25
openstackgerrit	Merged openstack/syntribos: Unit tests for the identity client https://review.openstack.org/365365	16:35
*** ayoung has quit IRC		16:35
*** ayoung has joined #openstack-security		16:36
ccneill	here comes the merge train..	16:39
*** sigmavirus is now known as irvirus		16:40
*** irvirus is now known as sigmavirus		16:40
mdong	ccneill, unrahul: can one of you send me the configs you’re using to test Neutron?	16:40
ccneill	mdong: shouldn't really be any different except the endpoint port, right?	16:41
openstackgerrit	Merged openstack/syntribos: Neutron LBaaS and FWaaS templates https://review.openstack.org/366357	16:41
mdong	I’m getting a “failed to authenticate"	16:41
ccneill	interesting..	16:42
ccneill	from keystone or neutron?	16:42
mdong	from the identity extension	16:42
openstackgerrit	Merged openstack/syntribos: Adding templates for neutron https://review.openstack.org/366257	16:42
openstackgerrit	Khanak Nangia proposed openstack/syntribos: Adding neutron templates for Syntribos https://review.openstack.org/366861	16:42
openstackgerrit	Vinay Potluri proposed openstack/security-doc: Updated OSSN-0069 https://review.openstack.org/356712	16:44
*** mvaldes has quit IRC		16:48
openstackgerrit	Khanak Nangia proposed openstack/syntribos: Adding neutron templates for Syntribos https://review.openstack.org/366861	16:50
unrahul	hey mdong did u get the config??	16:55
mdong	yeah, got it now, thanks	16:57
*** mdong_ has joined #openstack-security		17:00
*** mdong has quit IRC		17:04
*** mdong_ is now known as mdong		17:04
openstackgerrit	Khanak Nangia proposed openstack/syntribos: Adding neutron templates for Syntribos https://review.openstack.org/366861	17:07
openstackgerrit	Merged openstack/syntribos: Added neutron templates https://review.openstack.org/366410	17:09
openstackgerrit	Khanak Nangia proposed openstack/syntribos: Adding neutron templates for Syntribos https://review.openstack.org/366861	17:10
*** mvaldes has joined #openstack-security		17:14
*** sicarie has quit IRC		17:15
*** sicarie has joined #openstack-security		17:16
openstackgerrit	Khanak Nangia proposed openstack/syntribos: Adding neutron templates for Syntribos https://review.openstack.org/366861	17:19
*** jmckind_ has joined #openstack-security		17:24
*** ayoung has quit IRC		17:27
*** jmckind has quit IRC		17:27
openstackgerrit	Khanak Nangia proposed openstack/syntribos: Adding neutron templates for Syntribos https://review.openstack.org/366861	17:28
ccneill	is anyone else getting seemingly random 401s/404s vs 201s?	17:34
*** trisq has quit IRC		17:34
*** ndillon has joined #openstack-security		17:35
*** sicarie has quit IRC		17:35
*** ccneill_ has joined #openstack-security		17:48
*** ccneill has quit IRC		17:49
*** ccneill_ is now known as ccneill		17:50
*** jkf has left #openstack-security		17:53
unrahul	Eh some I guess when I ran the trial run, thought it might be because it was trying to access some random resource	18:01
openstackgerrit	OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/366898	18:23
openstackgerrit	Merged openstack/syntribos: Adding neutron templates for Syntribos https://review.openstack.org/366861	18:23
openstackgerrit	Merged openstack/security-doc: Updated OSSN-0069 https://review.openstack.org/356712	18:25
lhinds	yay!	18:27
lhinds	finally	18:27
*** zul has quit IRC		18:27
lhinds	ping tmcpeak	18:27
lhinds	or hyakuhei	18:28
lhinds	For the Neutron review, Brian Haley gave a soft -1 based on some nits, so its a given its ok with him (as the nits have been addressed)	18:29
vinaypotluri	Yay... Finally !!! :)	18:30
ccneill	nice!	18:31
*** ayoung has joined #openstack-security		18:39
unrahul	:D. finally vinaypotluri !	18:44
*** ndillon has quit IRC		18:49
knangia	:D vinaypotluri !!!	18:51
*** zul_ has quit IRC		18:55
*** diazjf has joined #openstack-security		18:55
*** sdake has quit IRC		19:02
*** salv-orlando has quit IRC		19:02
*** sdake has joined #openstack-security		19:10
*** zul has joined #openstack-security		19:12
*** salv-orlando has joined #openstack-security		19:13
*** rcernin has quit IRC		19:21
*** tmcpeak has quit IRC		19:24
*** ndillon has joined #openstack-security		19:26
*** zul_ has joined #openstack-security		19:31
mdong	ccneill: did the auth tests run when yall were testing Keystone?	19:53
*** mvaldes1 has joined #openstack-security		19:53
ccneill	I think I had to make some edits to get it to work.. should've saved them :\	19:54
mdong	yeah…this line should be changed	19:55
mdong	https://github.com/openstack/syntribos/blob/master/syntribos/tests/auth/auth.py#L85	19:55
*** mvaldes has quit IRC		19:56
*** diazjf has quit IRC		19:57
*** mvaldes1 has quit IRC		19:58
unrahul	hey ccneill mdong are any of the versions v2.0 uri returning anything other than 404?	20:01
unrahul	I am getting mostly 404 and once got a weird 503.	20:01
unrahul	when token was fuzzed	20:01
ccneill	mdong: yeah, that's right. it should be "if not _ and not _"	20:01
ccneill	unrahul: yeah, mostly 404.. :S	20:02
ccneill	wonder if we need to enable some extensions somehow?	20:02
unrahul	I am not sure.. though.. that why we are getting 404 :/	20:02
ccneill	also, weirdly, I get 401s for lots of requests, and them seemingly randomly 404s sometimes	20:03
unrahul	I think the neutron I have setup in the cloud is v1 .. :\|	20:03
*** diazjf has joined #openstack-security		20:03
unrahul	i got a few 502 and one elusive 503 , not able to get it now though	20:03
*** diazjf has quit IRC		20:04
*** openstackgerrit has quit IRC		20:04
*** openstackgerrit has joined #openstack-security		20:04
ccneill	{"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href": "http://...:9696/v2.0", "rel": "self"}]}]}	20:06
ccneill	looks like 2.0 is enabled	20:06
unrahul	its not showing up when I do a openstack catalog list.. may be it wont show up	20:09
*** mwturvey has joined #openstack-security		20:09
*** salv-orlando has quit IRC		20:10
*** tmcpeak has joined #openstack-security		20:12
*** diazjf has joined #openstack-security		20:17
ccneill	mdong: also, line 30 should be "setUp" not "setUpClass"	20:18
*** mdong has quit IRC		20:18
*** mdong has joined #openstack-security		20:18
*** salv-orlando has joined #openstack-security		20:18
ccneill	otherwise it doesn't end up sending those requests	20:18
*** mwturvey has quit IRC		20:19
ccneill	so.. I seem to get 401s with the admin account but more 200s with the regular user..	20:22
*** rizze has joined #openstack-security		20:22
rizze	hello	20:23
ccneill	unrahul: uhhh.. got a 500 on GET /v2.0 lol :X	20:25
*** rizze has quit IRC		20:26
unrahul	ehh.. that is weird :D	20:27
unrahul	whats going on ccneill . . any idea..?	20:27
*** ndillon has quit IRC		20:29
unrahul	at least networks are getting created..	20:29
*** salv-orl_ has joined #openstack-security		20:29
unrahul	there are a ton of networks created.. showing up when I use the command line..	20:30
*** sicarie has joined #openstack-security		20:30
ccneill	hm.. I haven't been doing all the tests, just some of them, and I was using the admin user which was failing most of the time, but strangely not all of the time..	20:32
*** salv-orlando has quit IRC		20:33
unrahul	:/	20:34
*** sicarie has quit IRC		20:35
*** sicarie has joined #openstack-security		20:35
unrahul	exit	20:35
*** jmckind_ has quit IRC		20:39
unrahul	hey ccneill	20:54
ccneill	yo	20:54
unrahul	I think the because the neutron admin uri is a local one.. as ideally it should not be exposed	20:55
unrahul	that we are getting these 404	20:55
unrahul	for most..	20:55
unrahul	that any admin functionality is essentially blocked	20:55
*** mvaldes has joined #openstack-security		20:56
openstackgerrit	Merged openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/366898	20:56
ccneill	ah	20:57
unrahul	so.. what should we do..?	20:57
unrahul	run syntribos inside the cluster.. or only test the publically available features. if the assumption is correct that is	20:58
ccneill	let's just test what we can for now, and we can revisit the admin stuff if we have time	21:00
*** dougwig has joined #openstack-security		21:04
*** mdong has quit IRC		21:07
*** mdong has joined #openstack-security		21:08
*** edmondsw has quit IRC		21:19
*** mvaldes has quit IRC		21:28
dougwig	hiya, is anyone here familiar with the launchpad setup for cve bugs? octavia's secret bugs aren't linked to the neutron-coresec group properly.	21:32
*** mvaldes has joined #openstack-security		21:32
*** singlethink has quit IRC		21:59
*** singlethink has joined #openstack-security		22:01
*** mvaldes has quit IRC		22:02
*** jass93 has quit IRC		22:02
*** jass93 has joined #openstack-security		22:10
tmcpeak	gmurphy: ^	22:14
tmcpeak	dougwig: gmurphy can help you :)	22:15
gmurphy	dougwig: i think you'll need to contact one of the openstack admins to sort that out. - https://launchpad.net/~openstack-admins	22:19
gmurphy	Jeremy Stanley is probably your best bet (fungi on irc)	22:20
*** diazjf has quit IRC		22:20
gmurphy	he's in vmt and also that admin group.	22:20
*** singleth_ has joined #openstack-security		22:23
*** sdake has quit IRC		22:24
*** diazjf has joined #openstack-security		22:25
*** diazjf has quit IRC		22:25
*** mdong has quit IRC		22:26
*** singlethink has quit IRC		22:26
*** mdong has joined #openstack-security		22:27
*** singleth_ is now known as singlethink		22:32
*** singlethink has quit IRC		22:40
dougwig	tmcpeak, gmurphy: ty	22:43
tmcpeak	dougwig: sure man, let us know if we can help	22:55
*** mdong has quit IRC		22:56
*** mdong has joined #openstack-security		22:56
*** mdong has quit IRC		23:05
*** jass93 has quit IRC		23:09
*** salv-orl_ has quit IRC		23:16
*** salv-orlando has joined #openstack-security		23:17
*** salv-orlando has quit IRC		23:21
*** edmondsw has joined #openstack-security		23:46
*** edmondsw has quit IRC		23:49
unrahul	hey ccneill any luck?	23:51
ccneill	mmm maybe a few minor things	23:51
ccneill	got a bunch of length_diff failures on the BOF tests, but as far as I can tell nothing interesting is happening in the response..	23:52
ccneill	some potential second-order XSS maybe	23:52
ccneill	I don't know how hard it would be, but it would be cool to set up Horizon so we could test for XSS	23:53
unrahul	I shall try to set it up ccneill , shouldnt be that hard..	23:54
unrahul	I am trying to setup my devstack .. had shutdown the vm , so not working properly, may be will have a better chance with that..	23:54
*** jass93 has joined #openstack-security		23:54
ccneill	yeah, that would let us do admin testing, and it might be faster too	23:55
ccneill	I was thinking I might set up devstack on my laptop too	23:55
unrahul	yeah.. that should help I guess.. as the cluster.. it is a lil diff ryt..	23:55
ccneill	I'm just thinking the network latency of testing locally vs. cluster might help our tests run faster	23:57
ccneill	it's kinda outside our scope to try to solve for every possible configuration, or at least if we want to do that we should spend more time per project	23:57
unrahul	yeah.. and creating nws and not deleting them.. all of the team doing that again and again on the cluster can easliy mess with our config.. or fill up the pool	23:59
ccneill	yep	23:59
unrahul	but if its devstack, we can easily destroy it and start it back up	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!