Monday, 2016-06-27

« Sunday, 2016-06-26 Index Tuesday, 2016-06-28 »
*** rickyrem has quit IRC00:03
*** rickyrem has joined #openstack-swift00:07
*** ouchkernel has quit IRC00:12
*** vinsh has quit IRC00:16
*** vinsh has joined #openstack-swift00:17
*** ouchkernel has joined #openstack-swift00:19
*** furlongm has joined #openstack-swift00:48
*** vinsh has quit IRC00:53
kota_morning01:15
mattoliveraukota_: morning01:17
kota_mattoliverau: o/01:18
zaitcevI ended running hummingbird under strace to figure out what's wrong.01:47
zaitcevI succeeded, but man, that userland is _weird_. All the openat's for no reason...01:47
*** amit213 has joined #openstack-swift02:39
*** Jeffrey4l_ has quit IRC03:23
*** Jeffrey4l_ has joined #openstack-swift03:36
*** SkyRocknRoll has joined #openstack-swift03:40
*** sk_ has joined #openstack-swift03:53
sk_is there any way to display applied config like swift show config...03:54
*** klrmn has quit IRC03:55
*** Jeffrey4l_ has quit IRC04:00
*** kei_yama has quit IRC04:06
*** Jeffrey4l_ has joined #openstack-swift04:09
jrichlitimburke acoles: see latest comments on https://trello.com/c/6kiiS8KZ/47-consider-deriving-the-nonce-for-user-metadata04:14
*** links has joined #openstack-swift04:15
jrichliI am gonna be driving Monday morning and Tuesday afternoon, so my responsiveness will be spotty the next couple days :-)04:15
*** Jeffrey4l_ has quit IRC04:21
*** psachin has joined #openstack-swift04:39
*** Jeffrey4l_ has joined #openstack-swift04:39
*** amit213 has quit IRC04:46
*** zaitcev has quit IRC04:57
*** ChubYann has quit IRC05:13
*** rickyrem1 has joined #openstack-swift05:15
*** rickyrem has quit IRC05:18
*** kei_yama has joined #openstack-swift05:36
*** mariusv has quit IRC05:36
*** ouchkernel has quit IRC05:44
*** mariusv has joined #openstack-swift05:50
*** rickyrem1 has quit IRC05:50
*** ouchkernel has joined #openstack-swift05:51
*** mariusv has quit IRC05:51
rfeusiwho05:57
rfeusican help me in an architectic question?05:58
*** rcernin has joined #openstack-swift06:27
*** janonymous has joined #openstack-swift06:32
*** pcaruana has joined #openstack-swift06:41
*** geaaru has joined #openstack-swift06:42
mahatic_acoles_: thanks for the doc. I think timburke already has a patch for your proposal. (I'm pulling in those changes to take a look)06:43
*** sk_ has quit IRC06:53
*** d0ugal has joined #openstack-swift06:58
*** d0ugal has quit IRC06:59
*** tesseract- has joined #openstack-swift06:59
*** d0ugal has joined #openstack-swift07:00
*** jamielennox is now known as jamielennox|away07:01
*** sheel has joined #openstack-swift07:12
*** admin6 has joined #openstack-swift07:13
*** rledisez has joined #openstack-swift07:16
*** dmk0202 has joined #openstack-swift07:31
*** _JZ_ has joined #openstack-swift07:51
*** permalac has joined #openstack-swift07:56
openstackgerritCheng Li proposed openstack/python-swiftclient: Add python version constraint python>=2.7  https://review.openstack.org/33433308:11
*** haypo has joined #openstack-swift08:14
*** joeljwright has joined #openstack-swift08:20
*** ChanServ sets mode: +v joeljwright08:20
*** janonymous has quit IRC08:34
*** acoles_ is now known as acoles09:11
*** asettle has joined #openstack-swift09:12
*** SkyRocknRoll has quit IRC09:13
*** sheel has quit IRC09:15
*** SkyRocknRoll has joined #openstack-swift09:15
*** jamielennox|away is now known as jamielennox09:26
*** janonymous has joined #openstack-swift09:39
*** asettle has quit IRC10:10
*** asettle has joined #openstack-swift10:11
*** NaveeNeo has joined #openstack-swift10:22
NaveeNeohello!10:22
NaveeNeoI want to work on Swift related project10:23
NaveeNeowhat is the mechanism involved in writing data into the cloud using swift and nova10:24
NaveeNeoshould i first learn things about swift or nova?10:24
psachinNaveeNeo, You can start with SAIO10:24
psachinhttp://docs.openstack.org/developer/swift/development_saio.html10:25
NaveeNeotq psachin! :)10:25
NaveeNeoin order to know the data flow involved in openstack should i need to read source code??10:26
admin6Hi there, could someone please help me understand the object-reconstructor logs, especially concerning time remaining values. I used to have  last week a full reconctruction done in about one hour with around 30 partitions per second treated, but the more data are injected into my erasure coded ring, the more time it takes, and the values are today : 70 hours for a full reconstruction with only 5 partitions per seconds for10:27
admin6about 5TB of stored data10:27
admin6Jun 27 06:33:08 STACO1 object-reconstructor: 818326/818326 (100.00%) partitions of 7/7 (100.00%) devices reconstructed in 159563.78s (5.13/sec, 0s remaining)10:27
admin6Jun 27 06:38:39 STACO1 object-reconstructor: 955/116211 (0.82%) partitions of 1/7 (14.29%) devices reconstructed in 300.03s (3.18/sec, 70h remaining)10:27
*** manous has joined #openstack-swift10:31
admin6Also what means the "partitions" values given ? Last week I had only 113992 partitions, and now I have 818326?  However, my ring only contains 26244 partitions.10:32
admin6262144 partitions, 12.000000 replicas, 1 regions, 4 zones, 28 devices, 0.82 balance, 31.02 dispersion10:33
admin6an extract of last week object-reconstructor log :10:34
admin6Jun 18 06:26:51 STACO1 object-reconstructor: 102414/113992 (89.84%) partitions of 7/7 (100.00%) devices reconstructed in 3600.01s (28.45/sec, 6m remaining)10:34
*** NaveeNeo has quit IRC10:39
*** NaveeNeo has joined #openstack-swift10:40
*** links has quit IRC10:43
*** silor has joined #openstack-swift10:44
NaveeNeo??10:45
*** daemontool has joined #openstack-swift10:50
*** natarej has quit IRC10:53
*** links has joined #openstack-swift10:55
*** NaveeNeo has quit IRC10:57
*** Jeffrey4l_ has quit IRC11:18
*** silor1 has joined #openstack-swift11:21
*** silor has quit IRC11:22
*** silor1 is now known as silor11:22
*** mariusv has joined #openstack-swift11:24
*** mariusv has quit IRC11:24
*** mariusv has joined #openstack-swift11:24
*** mariusv has quit IRC11:24
*** Jeffrey4l_ has joined #openstack-swift11:30
*** Jeffrey4l_ has quit IRC11:38
mahatic_acoles: hi, I was looking at derived iv on trello, I have a question - "for each v, use N+L as a nonce where L is greater than the maximum number of blocks allowed in a user metadata header value"11:44
mahatic_acoles: why can't we simply choose L? (without appending N) as a random nonce and increase the counter for each value?11:47
mahatic_I think because of iv needs to be 32 bytes and L may or may not adhere to that?11:49
acolesmahatic_: the idea as it was originally described to me was to guarantee that the iv used for each item of metadata was unique from any counter value used while encrypting any other item of metadata, and adding L provides that guarantee.11:49
acolesIf N is 32bytes then N+L can be11:50
acolesmahatic_: however, it could be that we simply let the encrypter counter increment from a single starting value N, since we will always encrypt all the headers sequentially, we are never trying to encrypt an individual header independent of the others11:51
acolesI think timburke  maybe raised that point too ^^11:51
acolesSo it gets simpler than I wrote on trello...11:52
acolessort all the headers, then encrypt their values in sorted order using a single encryptor context with randomly chose IV. Do the inverse when decrypting.11:53
* acoles afk back later11:53
mahatic_acoles: right. but I'm not sure if that doesn't conflict with a future case of independently updatable metdata11:53
*** raildo-a` is now known as raildo11:56
*** Jeffrey4l_ has joined #openstack-swift11:58
*** asettle has quit IRC11:59
*** asettle has joined #openstack-swift12:03
*** daemontool has quit IRC12:05
*** daemontool has joined #openstack-swift12:05
*** manous has quit IRC12:08
mahatic_for future case, what you suggested on trello ought to do12:11
openstackgerritChristian Schwede proposed openstack/swift: Add swiftbackmeup to associated projects  https://review.openstack.org/33444612:19
*** manous has joined #openstack-swift12:21
openstackgerritChristian Schwede proposed openstack/swift: Add swiftbackmeup to associated projects  https://review.openstack.org/33444612:38
*** kei_yama has quit IRC12:50
haypohello. as you may have noticed, i sent new patches for port swift to python 3: https://review.openstack.org/#/c/333297/ -- my new patches are simpler than my previous patch serie ;)12:57
patchbothaypo: patch 333297 - swift - Python 3: Fix basestring, long and StringIO12:57
haypocome to me if you need more information ;)12:58
*** klamath has joined #openstack-swift13:01
*** klamath has quit IRC13:01
*** klamath has joined #openstack-swift13:02
*** wanghua has joined #openstack-swift13:05
tdasilvagood morning13:16
*** psachin has quit IRC13:19
*** psachin has joined #openstack-swift13:21
*** SkyRocknRoll has quit IRC13:22
*** ManojK has joined #openstack-swift13:24
*** diogogmt has quit IRC13:29
*** vinsh has joined #openstack-swift13:33
*** baojg has joined #openstack-swift13:36
*** tongli has joined #openstack-swift13:47
*** _JZ_ has quit IRC13:48
tdasilvahaypo: thanks for the patches, just as a heads up, master branch is currently in a soft-freeze in order to get encryption middleware merged: http://lists.openstack.org/pipermail/openstack-dev/2016-June/097102.html13:50
*** ManojK has quit IRC13:54
*** ManojK has joined #openstack-swift13:55
*** ametts has joined #openstack-swift14:00
haypotdasilva: ok14:05
*** siva_krish has joined #openstack-swift14:07
*** siva_krish has quit IRC14:09
*** diogogmt has joined #openstack-swift14:12
*** cdelatte has joined #openstack-swift14:13
*** tmoreira has quit IRC14:27
*** tmoreira has joined #openstack-swift14:33
*** cdelatte has quit IRC14:34
*** psachin has quit IRC14:35
*** manous has quit IRC14:36
*** siva_krish has joined #openstack-swift14:40
*** amit213 has joined #openstack-swift14:43
*** tmoreira has quit IRC14:47
*** arch-nemesis has joined #openstack-swift14:48
*** manous has joined #openstack-swift14:48
acolestimburke: thanks for the hmac patch!14:55
*** Suyash has joined #openstack-swift14:55
*** tmoreira has joined #openstack-swift14:56
*** psachin has joined #openstack-swift14:58
*** psachin has quit IRC15:01
*** psachin has joined #openstack-swift15:01
*** jistr is now known as jistr|mtg15:01
*** mvk_ has quit IRC15:02
*** baojg has quit IRC15:04
*** pgbridge has joined #openstack-swift15:09
*** ManojK has quit IRC15:11
*** jistr|mtg is now known as jistr15:16
*** ManojK has joined #openstack-swift15:18
*** klrmn has joined #openstack-swift15:21
*** psachin has quit IRC15:29
*** dmk0202 has quit IRC15:30
*** cdelatte has joined #openstack-swift15:34
*** pcaruana has quit IRC15:38
*** tesseract- has quit IRC15:40
*** jmccarthy has quit IRC15:43
*** jmccarthy has joined #openstack-swift15:44
*** daemontool has quit IRC15:44
*** cdelatte has quit IRC15:45
*** cdelatte has joined #openstack-swift15:51
notmynamegood morning15:51
*** cdelatte has quit IRC15:52
*** links has quit IRC15:52
*** dmorita has joined #openstack-swift15:54
*** dmorita has quit IRC15:58
notmynameI have a new "intro to swift" slide, I think15:58
notmynameSwift is for Highly Resilient HyperScale HyperConvergence Web-Scale/Enterprise/Carrier-Grade Big Data Cloud (both Edge/IoT & Core/Data Center) Automation15:58
notmynameI mean, who wouldn't want that?15:58
*** dmorita has joined #openstack-swift15:59
acolesnotmyname: good morning15:59
notmynamehi!16:00
acolestimburke: I' using your dashboard to hopefully stop me forgetting to publish comments!16:00
notmynameare there new patch sets to downloan?16:00
notmynameor even to download?16:00
notmynameseemingly this monday am my fingers arent' ready for typing16:00
acolesnotmyname: real soon now, local testing just completing16:00
notmynamegreat!16:00
acolesnotmyname: we need to discuss what action (if any) to take re constraints checks. see my reply to comments on patch 32820716:01
patchbotacoles: https://review.openstack.org/#/c/328207/ - swift (feature/crypto-review) - Allow middleware to override metadata header checking16:01
*** haypo has left #openstack-swift16:02
notmynamehmmmmm16:03
openstackgerritAlistair Coles proposed openstack/swift: Enable middleware to set metadata on object POST  https://review.openstack.org/32820616:03
openstackgerritAlistair Coles proposed openstack/swift: Allow middleware to override metadata header checking  https://review.openstack.org/32820716:03
openstackgerritAlistair Coles proposed openstack/swift: Enable object body and metadata encryption  https://review.openstack.org/32820816:03
openstackgerritAlistair Coles proposed openstack/swift: Add encryption overview doc  https://review.openstack.org/32820916:03
notmynameon the one hand I totally get how "but middleware could do something bad" is not a very strong argument. it's about as good as "but the admin with root access can erase the computer" or "the storage system could delete my data". I mean, you've got to trust the code that's running and the people running it. so if there's some middleware that does Bad Things, then don't install it16:04
notmynamelike I said, it's just something that seems like one of those places where some bug will creep in because of some unknown interaction between different modules. that's what made me nervous about it16:05
*** tqtran has joined #openstack-swift16:05
acolesnotmyname: on the other hand... if it could happen, it will16:05
notmynamebut I totally understand why it's needed and how it fits into the larger whole16:06
notmynameyeah16:06
acolesespecially in a HyperScale HyperConvergence Web-Scale system ;)16:06
notmynameyou should check out the rest of that statement ;-) https://twitter.com/notmyname/status/74745699524287283316:07
notmynamewhat is patch 318441 and why does it keep getting rechecked?16:07
patchbotnotmyname: https://review.openstack.org/#/c/318441/ - swift - [WIP] Testing latest u-c16:07
notmynamewith now 37 patch sets16:07
*** lyrrad has joined #openstack-swift16:08
notmynametdasilva: just land it ;-) https://review.openstack.org/#/c/334446/16:08
patchbotnotmyname: patch 334446 - swift - Add swiftbackmeup to associated projects16:08
notmynametdasilva: cschwede: you're not in SF for the red hat summit, are you?16:10
cschwedenotmyname: Hi! unfortunately not, i would have told you :)16:10
notmyname:-)16:11
notmynameturns out that portante is :-)16:11
acolesnotmyname: I can't remember why we did not consider simply moving the user metadata to the other namespace that allowed longer values. maybe it didn't occur to us.16:12
acolesah, perhaps because that ^^ doesn't work out with container/account metadata, where you could end up with a mix.16:14
*** pauloewerton has joined #openstack-swift16:17
*** Suyash has quit IRC16:19
tdasilvanotmyname: I'm not either, but yeah, portante and luis will be there16:19
*** rledisez has quit IRC16:23
*** klrmn has quit IRC16:25
*** dmorita has quit IRC16:27
*** dmorita has joined #openstack-swift16:28
notmynameacoles: do the new patch sets include timburke's patch for the iv/hmac?16:33
timburkenotmyname: yes, with modifications (at least, that's my understanding)16:34
notmynameah, good16:34
notmynamejust pulling it all down now16:34
*** vinsh has quit IRC16:37
*** vinsh has joined #openstack-swift16:38
acolestimburke: notmyname : yes, hmac for conditional gets is included. single iv for user metadata is not, yet - I like that approach but jrichli has concerns so I have left it for a future version (or not).16:43
acolestimburke:  the mods are cosmetic, the algorithm is as etherpad and as you implemented.16:43
*** asettle has quit IRC16:44
acolesnotmyname: http://www.xe.com/currencycharts/?from=GBP&to=USD&view=1W :(16:44
notmynameouch16:45
acolesuhuh16:45
timburkeacoles: yeah, i wasn't expecting the single-user-meta-crypto-meta unless i'm willing to code it. i'd be hesitant to do it as future work, though, as we'd still need to have code to handle existing objects with per-user-meta-crypto-meta16:46
timburkewe'll see what today/tonight brings16:46
*** amit213 has quit IRC16:46
*** _JZ_ has joined #openstack-swift16:46
*** manous has quit IRC16:46
notmynametimburke: still have you're google shortlink for the crypto dash?16:50
acolestimburke: jrichli : i'll watch for opinions on  https://trello.com/c/6kiiS8KZ/47-consider-deriving-the-nonce-for-user-metadata overnight16:50
acolesmahatic_: ^^16:50
*** gyee has joined #openstack-swift16:51
timburkenotmyname: https://goo.gl/f9gMj416:52
notmynametimburke: ah, found it https://goo.gl/f9gMj416:53
notmyname:-)16:53
notmynamethanks16:53
notmynameadded it to http://not.mn/swift/swift_community_dashboard.html16:55
claygacoles: timburke: is the derived iv thing fixed for etags?16:55
acolesclayg: yes16:56
acolesfixed == no more derived iv's, use an hmac16:56
claygacoles: nice, i'll get back to work then16:56
acolesclayg: k, thanks16:56
claygman, was anyone online when pasachin NaveeNeo and admin6 were asking questsions?16:58
acolestimburke: btw, I'm not sure we need to track the IV offset for each metadata header16:58
timburkeacoles: why?16:58
*** manous has joined #openstack-swift17:00
timburkefor the rest of the channel, i had an idea that (i think) would address jrichli's concern: similar to us tacking on ';swift_meta=...' for the container-update etag, we tack ';swift_crypto_offset=N' onto the end of the encrypted value17:00
acolestimburke: say we pick a random IV for all user metadata, then create an encryptor context. Then, sort all the headers and update the encrypter with their values in sorted order. The counter will tick up from the starting IV, we never re-use a counter value. And its all repeatable in the decryption path.17:01
*** joeljwright has quit IRC17:01
timburkeacoles: right; we certainly don't need it given the way that things currently work. but if the concern is a future implementation of individually-updatable object metadata, this would let us discard items that were overwritten17:01
acolestimburke: how would we know what offset to choose for a new piece of individually updateable metadata - we wouldn't know what offsets were already in use with existing metadata, and we'd no longer be able to rely on all existing metadata being replaced.17:04
*** joeljwright has joined #openstack-swift17:05
*** ChanServ sets mode: +v joeljwright17:05
*** ManojK has quit IRC17:05
acolestimburke: we could tack individual IVs onto the end of the metadata, or indeed a crypto_meta dict, but there is a reason we didn't already do that.17:05
*** joeljwright has quit IRC17:05
* acoles tries to remember why17:05
timburkeacoles: i was thinking each update would need to have its own encryption context and random iv. basically, each ts associated with metadata would be independent. not sure how it would be stored yet (since we don't want to overwrite the existing crypto meta), but if i knew that, i'd just code something up :-)17:07
*** ukaynar has joined #openstack-swift17:10
acolestimburke: OIC, so each item of metadata would be somehow marked with its ts (to map it back to the iv)?17:10
timburkei can't think of how else one would reconcile them17:11
acolestimburke: I'm wondering if we can ever make x-object-meta- individually updateable ... clients expect a POST to replace everything, can we change that semantic in the same namespace? IDK.17:14
timburkealthough i kind like the idea of just putting an iv on it instead, and making sure that each meta encryption starts at a fresh block17:14
timburkev2! v2! v2!17:14
timburke;-)17:15
acoleshmmm, which takes me back to why have we not done that i.e. appended the crypto-meta17:15
acoles^^ jrichli will have it noted somewhere :)17:16
timburkei suppose *all* of the crypto meta would make it considerably longer, while just an iv is fairly cheep...but i'm not sure how it's any worse than splitting it over two headers...17:16
*** klrmn has joined #openstack-swift17:17
*** vinsh_ has joined #openstack-swift17:18
acoleshehe, I already argued that we didn't need the cipher stored N times but got over-ruled on that17:18
*** cdelatte has joined #openstack-swift17:19
*** vinsh has quit IRC17:21
*** Suyash has joined #openstack-swift17:23
timburkeacoles: well, if we ever need to change the cipher...17:29
acolestimburke: I'll be retired ;)17:29
acolestimburke: we'll only use one cipher with each POST, so we only need one record of the cipher somewhere in the metadata (imho)17:30
acolesunless its individually updateable, of course, but then we're back to your idea.17:31
acolestimburke: So, the concern with tacking crypto meta to the header was, IIRC, that when decrypting we must know that the header was in fact encrypted, otherwise we might just have user plaintext meta that happened to contain "...;iv=...". But, we could have a single piece of transient sysmeta that tells us that metadata (at ts in future) *is* encrypted, then tack iv onto end of each value.17:32
acolesjrichli: what have I forgotten? why did we not do this ^^17:33
*** dmorita has quit IRC17:35
timburkeacoles: the "swift_" param protection only applies to content-type currently, right?17:37
acolestimburke: yes. there is no restriction on user meta content (other than length)17:39
timburkethere's our solution! unnecessary padding! :P17:40
acolestimburke: hehe, it was considered!17:40
acolestimburke: but I do think we can tack ;iv= onto the end so long as we have some piece of meta that tells us we've encrypted stuff, and in your future updateable meta world, then you need one piece of such meta for each ts.17:42
timburkeacoles: yup. which asymptotically approaches the current two-headers-per-meta implementation...17:43
acolestimburke: updateable is hard!17:44
timburkemaybe *that's* the really compelling reason. it would look like this anyway, and it will look like this for account/container once we add support there, so let's just have one way17:45
acolesthose two headers are analogous to the (val, ts) tuple that goes into the container/account db17:45
acolestimburke: but why build in support for an unknown future implementation that will break existing meta anyway, or at least require a way to detect and differentiate old vs new?17:53
* acoles being devil's advocate ^17:54
acolestimburke: plus there's other gotcha's with container and accounts :/ like what happens when you update previously encrypted x-account-meta-foo with an unencrypted value, you have stale x-account-sysmeta-crypto-meta-foo lying around, and to do the right thing we'd need to start shipping the per item meta timestamps back to the middleware.17:56
timburkeyou would still need to have the encrypter in the pipeline, though, right? why wouldn't it clear x-account-sysmeta-crypto-meta-foo when it sees that it shouldn't encrypt x-account-meta-foo?17:58
acolesbut you may not have it in the pipeline, even if you are *supposed to* - the current object implementation will cope with that, as test_encrypter_decrypter.py should verify.18:00
acolesmaybe we can reason that its ok or acceptable, I was just mentioning it.18:01
acolestimburke: BTW in case you aren't aware, this is best I came up with for updateable object sysmeta, and "best" does not necessarily imply "good", https://review.openstack.org/#/c/109314/18:01
patchbotacoles: patch 109314 - swift-specs - Updateable Object Sysmeta (MERGED)18:01
*** ManojK has joined #openstack-swift18:01
acolesnotmyname: I just noticed that this ^^ does not appear on the archive list here http://specs.openstack.org/openstack/swift-specs/18:01
acolesnotmyname: maybe it was so old it was in the wrong dir for the indexing??18:02
acolestimburke: I have to leave. Sounds like we should leave things as they are?? pending further debate??18:03
timburkeacoles: i think i'm coming around on it, yeah18:03
*** manous has quit IRC18:04
acolesI did convince myself we could change strategy later without breaking what we are doing now. Obviously it means having legacy handling code around, but no unsolvable compatibiliy issue.18:04
timburkeyeah, i'm not too worried there. although i think i'd still argue in favor of not changing it later18:06
notmynameacoles: that's unfortunate?18:08
notmyname;-)18:08
timburkeacoles: now i'm wondering whether we ought to require the encrypter. i don't like allowing operators to have a bad config like that. maybe only automatically add it if decrypter is present?18:09
*** diogogmt has quit IRC18:09
*** diogogmt has joined #openstack-swift18:10
openstackgerritMerged openstack/swift: Add swiftbackmeup to associated projects  https://review.openstack.org/33444618:15
*** manous has joined #openstack-swift18:16
*** siva_krish has quit IRC18:16
acolestimburke: not sure how to enforce encrypter. will think more on that.18:21
acolestimburke: on meta, I'd still prefer to reduce the overhead of all the redundant crypto meta, if we can, so please keep pondering that. good night.18:23
timburkeacoles: i'd be tempted to always auto-insert, and pass disable_encryption=True when auto-inserting18:23
*** acoles is now known as acoles_18:24
timburkeacoles: will do. getting it properly sorted may require that i go implement individually-updatable metadata first, though :P18:24
*** rcernin has quit IRC18:34
*** mwheckmann has joined #openstack-swift18:36
notmynameyou could save some typing by renaming test_create_decryption_context_non_zero_offset() to test_magic() in test_crypto_utils.py18:44
*** ChubYann has joined #openstack-swift18:51
*** rcernin has joined #openstack-swift19:03
*** amit213 has joined #openstack-swift19:04
*** arch-nemesis has quit IRC19:10
*** arch-nemesis has joined #openstack-swift19:11
*** adu has joined #openstack-swift19:12
*** ukaynar has quit IRC19:14
*** siva_krish has joined #openstack-swift19:22
tdasilvaacoles_: 3 goals in 18 minutes, my expectations were completely wrong19:29
*** Jeffrey4l__ has joined #openstack-swift19:32
*** silor has quit IRC19:32
*** Jeffrey4l_ has quit IRC19:34
jrichlitimburke acoles: yes, timburke said exactly what i was about to say - "it will look like this for account/container once we add support there, so let's just have one way"19:40
jrichliI am pretty sure that is why we did it that way, because we had container and account meta already implemented19:40
*** ManojK has quit IRC19:59
pdardeaukudos to the author(s) of overview_encryption.rst -- very well written :-)20:00
*** ManojK has joined #openstack-swift20:01
notmynamepdardeau: +120:02
*** tongli has quit IRC20:04
pdardeauin looking at encryption stuff (just beginning), one of the things that jumped out at me is encryption_root_secret. i was kinda hoping it would not require the secret to be explicitly set in conf file. instead maybe allow for a URI-ish setting of something like "file:/path/to/file/containing/encryption/root/secret"20:16
pdardeauhaving that indirection would be nice since it wouldn't require additional secrecy of the conf file (which could be helpful when the conf files need to be shared, put in version control, etc.)20:17
notmynamepdardeau: yeah, that's a common topic20:18
notmynamepdardeau: we've chosen to do it this way initially for a few reasons20:18
notmynamefirst, there's other sensitive stuff in the config files anyway. maybe this is "more sensitive", but maybe not. point is, you still should have config files relatively protected anyway20:19
notmyname...and the use case we're designing crypto for (initially) is summarized as the "you can RMA a drive" use case. not "prevent operators from reading your data"20:19
notmynamesecond, no matter where the key is stored or what level of indirection is used, it all comes down to get_crypto_key() and all the rest of the patch chain is really the hard part that has to be done anyway20:20
notmyname...so we figured let's restrict the scope and focus on the baseline, especially since the baseline in the patch now is actually useful to users today20:20
notmynameand finally, it comes down to the keymaster middleware. I'm positive that there will be other keymaster implementations that do something different (including storing the master key in some crypto vault thing)20:21
notmynameso...baby steps. it's hard enough already :-)20:21
pdardeaunotmyname: thx for explanation. makes sense, although i didn't think anyone RMA drives anymore (maybe they will after this!)20:23
notmynamepdardeau: yeah, now they might start. but probably more likely that the data could be at risk if a drive moves from a swift cluster to some other server in the data center without being wiped. now all they'd see is encrypted stuff20:25
openstackgerritMichael Barton proposed openstack/swift: go: time out flock differently  https://review.openstack.org/33464620:26
*** adu has quit IRC20:32
*** manous has quit IRC20:37
*** asettle has joined #openstack-swift20:42
openstackgerritMichael Barton proposed openstack/swift: go: get rid of BackendError  https://review.openstack.org/33465520:44
notmynamepdardeau: your question reminded me of something I wanted to add to that doc. thanks :-)20:48
*** manous has joined #openstack-swift20:50
*** catintheroof has joined #openstack-swift20:55
*** asettle has quit IRC20:58
*** manous has quit IRC20:58
*** mvk_ has joined #openstack-swift21:01
*** cdelatte has quit IRC21:03
*** cdelatte has joined #openstack-swift21:03
*** mkrcmari__ has joined #openstack-swift21:05
*** raildo is now known as raildo-afk21:07
*** mvk has joined #openstack-swift21:07
*** mvk_ has quit IRC21:09
*** mkrcmari__ has quit IRC21:10
timburkeall this stuff about metadata has me wondering whether we should be migrating from X-Static-Large-Object to X-Object-Sysmeta-Static-Large-Object, and why we haven't already. i think there's the possibility for bad behavior during failures21:20
notmynametimburke: bad behavior if we migrate or if we don't migrate?21:20
timburkeif we don't21:20
*** asettle has joined #openstack-swift21:24
*** asettle has quit IRC21:26
claygtimburke: historically i've not worried much about the system meta that manually plumbs it's business down - the ones that freak me out are the system meta that hi-jacks the user meta space?21:34
*** mvk_ has joined #openstack-swift21:35
*** geaaru has quit IRC21:35
*** permalac_ has joined #openstack-swift21:35
*** pauloewerton has quit IRC21:35
*** permalac has quit IRC21:36
*** mvk has quit IRC21:38
timburkeclayg: i think this (combined with your observations about unparseable SLOs) might lead to objects that are only *sometimes* available. if an SLO is overwritten but one of those copies has to go to a handoff, then the object is POSTed to after things recover but before replication, you'll have a split brain where one or more object servers have the X-Static-Large-Object header despite no longer storing a manifest21:39
*** mkrcmari__ has joined #openstack-swift21:41
openstackgerritClay Gerrard proposed openstack/swift: Fix swift-get-nodes arg parsing for missing ring  https://review.openstack.org/33423821:42
*** mkrcmari__ has quit IRC21:43
*** mvk has joined #openstack-swift21:44
*** mvk_ has quit IRC21:44
*** catintheroof has quit IRC21:55
*** ManojK has quit IRC22:00
*** ManojK has joined #openstack-swift22:01
*** zul_ has joined #openstack-swift22:09
*** zul has quit IRC22:12
*** peterlisak has quit IRC22:13
*** onovy has quit IRC22:14
*** kaleta has quit IRC22:14
*** jamielennox is now known as jamielennox|away22:21
mattoliveraumorning22:24
*** ametts has quit IRC22:28
*** ManojK has quit IRC22:30
*** siva_krish has quit IRC22:34
*** siva_krish has joined #openstack-swift22:35
*** siva_krish has quit IRC22:38
*** ametts has joined #openstack-swift22:41
*** ouchkernel has quit IRC22:43
*** ouchkernel has joined #openstack-swift22:48
*** ametts has quit IRC22:48
*** ManojK has joined #openstack-swift22:57
*** mvk_ has joined #openstack-swift22:58
*** mvk has quit IRC23:02
*** ouchkernel has quit IRC23:08
*** _JZ_ has quit IRC23:12
*** ouchkernel has joined #openstack-swift23:15
*** kei_yama has joined #openstack-swift23:23
claygtimburke: that sounds annoying terrible - like X-Static-Large-Object should already be a protected header that has the life-cycle of sysmeta (i.e. lives with and is persisted only in the .data)23:26
timburkeclayg: this call seems to indicate otherwise :-/ https://github.com/openstack/swift/blob/3944d82/swift/obj/server.py#L50023:29
timburkei still haven't writtena  probe test to check it or anything, though23:29
*** _JZ_ has joined #openstack-swift23:31
*** pgbridge has quit IRC23:35
*** mwheckmann has quit IRC23:37
claygtimburke: yup, one of good reasons for classifying metadata was so that all the complicated lifecycle stuff could get applied consistently - i'm sure x-static-large-object works fine with POST in the old post_as_copy world...23:39
*** onovy has joined #openstack-swift23:39
*** peterlisak has joined #openstack-swift23:39
*** kaleta has joined #openstack-swift23:40
claygi guess DLO's manifest header/metadata are updable with POST, but a SLO has a body and should probably be disallowed in .meta files :\23:40
*** lyrrad has quit IRC23:41
claygsomewhere around https://github.com/openstack/swift/blob/3944d82/swift/obj/diskfile.py#L2220 is were we pull out key system metadata to play over the .meta metadata :\23:41
*** lyrrad has joined #openstack-swift23:42
*** jamielennox|away is now known as jamielennox23:43
*** _JZ_ has quit IRC23:46
claygtimburke: yeah it's going to be pretty annoying to expose in a probe test - but it's almost definately a bug - we should have just continued to ignore x-static-large-object in metadata on post and make it so that metadata item on a data file could bleed through a .meta update23:48
claygtimburke: basically revert patch 182564 and make the change in diskfile23:49
patchbotclayg: https://review.openstack.org/#/c/182564/ - swift - Fix the missing SLO state on fast-post (MERGED)23:49
claygtimburke: I think it's mostly safe to ignore any x-static-large-object in a .meta if the key is not there in a data because that's nonsense too23:50
« Sunday, 2016-06-26 Index Tuesday, 2016-06-28 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!