Wednesday, 2024-12-11

« Tuesday, 2024-12-10 Index Thursday, 2024-12-12 »
opendevreviewMerged openstack/swift master: xprofile: Stop using eval()  https://review.opendev.org/c/openstack/swift/+/93749305:42
opendevreviewMerged openstack/swift master: docs: Call out that xprofile is not intended for production  https://review.opendev.org/c/openstack/swift/+/93749405:42
opendevreviewTim Burke proposed openstack/swift stable/2024.2: xprofile: Stop using eval()  https://review.opendev.org/c/openstack/swift/+/93750706:20
opendevreviewTim Burke proposed openstack/swift stable/2024.1: xprofile: Stop using eval()  https://review.opendev.org/c/openstack/swift/+/93750806:20
opendevreviewTim Burke proposed openstack/swift stable/2023.2: xprofile: Stop using eval()  https://review.opendev.org/c/openstack/swift/+/93750906:20
opendevreviewTim Burke proposed openstack/swift master: Refactor FormPost to use WSGIContext  https://review.opendev.org/c/openstack/swift/+/93620806:37
opendevreviewMerged openstack/swift stable/2024.2: xprofile: Stop using eval()  https://review.opendev.org/c/openstack/swift/+/93750708:54
opendevreviewMerged openstack/swift master: Refactor FormPost to use WSGIContext  https://review.opendev.org/c/openstack/swift/+/93620808:56
opendevreviewMerged openstack/swift stable/2024.1: xprofile: Stop using eval()  https://review.opendev.org/c/openstack/swift/+/93750809:34
opendevreviewMerged openstack/swift stable/2023.2: xprofile: Stop using eval()  https://review.opendev.org/c/openstack/swift/+/93750909:44
opendevreviewAlistair Coles proposed openstack/swift feature/mpu: mpu-auditor: add statsd metrics  https://review.opendev.org/c/openstack/swift/+/93737810:47
opendevreviewAlistair Coles proposed openstack/swift feature/mpu: mpu: make ContainerBroker discover potential orphans  https://review.opendev.org/c/openstack/swift/+/93727910:47
opendevreviewChinemerem Chigbo proposed openstack/swift master: Aggregate per-disk recon stats  https://review.opendev.org/c/openstack/swift/+/93726717:05
opendevreviewTim Burke proposed openstack/swift stable/2024.2: docs: Call out that xprofile is not intended for production  https://review.opendev.org/c/openstack/swift/+/93755317:09
opendevreviewTim Burke proposed openstack/swift stable/2024.1: docs: Call out that xprofile is not intended for production  https://review.opendev.org/c/openstack/swift/+/93755417:13
opendevreviewTim Burke proposed openstack/swift stable/2023.2: docs: Call out that xprofile is not intended for production  https://review.opendev.org/c/openstack/swift/+/93755517:14
opendevreviewChinemerem Chigbo proposed openstack/swift master: Aggregate per-disk recon stats  https://review.opendev.org/c/openstack/swift/+/93726717:17
opendevreviewMerged openstack/swift feature/mpu: mpu-auditor: add statsd metrics  https://review.opendev.org/c/openstack/swift/+/93737817:20
opendevreviewChinemerem Chigbo proposed openstack/swift master: Aggregate per-disk recon stats  https://review.opendev.org/c/openstack/swift/+/93726718:31
opendevreviewChinemerem Chigbo proposed openstack/swift master: Aggregate per-disk recon stats  https://review.opendev.org/c/openstack/swift/+/93726718:42
opendevreviewChinemerem Chigbo proposed openstack/swift master: Aggregate per-disk recon stats  https://review.opendev.org/c/openstack/swift/+/93726718:57
opendevreviewChinemerem Chigbo proposed openstack/swift master: Aggregate per-disk recon stats  https://review.opendev.org/c/openstack/swift/+/93726718:59
opendevreviewChinemerem Chigbo proposed openstack/swift master: Add alternative config to manager  https://review.opendev.org/c/openstack/swift/+/93756119:13
-opendevstatus- NOTICE: Gerrit will undergo a short restart to pick up some bugfixes for the 3.10 release that we upgraded to.19:26
mattolivermorning21:01
timburkeoh, right!21:02
timburke#startmeeting swift21:02
opendevmeetMeeting started Wed Dec 11 21:02:04 2024 UTC and is due to finish in 60 minutes.  The chair is timburke. Information about MeetBot at http://wiki.debian.org/MeetBot.21:02
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.21:02
opendevmeetThe meeting name has been set to 'swift'21:02
timburkewho's here for the swift meeting?21:02
acoleso/21:02
timburkei had some trouble updating the agenda (wiki would let me log in, but then immediately forget who i was the next time i loaded a page) but i've got some notes for myself :-)21:04
timburkefirst up21:04
mattolivero/21:04
timburke#topic https://bugs.launchpad.net/swift/+bug/209112421:04
patch-botBug #2091124 - Use of eval() on untrusted data (In Progress)21:04
timburkethis was a fun bug i found last week -- as far as i can tell, the xprofile middleware has allowed remote code execution ever since it was introduced in swift 2.0.021:04
timburkefortunately, the fix was simple21:04
timburke#link https://review.opendev.org/c/openstack/swift/+/93749321:05
patch-botpatch 937493 - swift - xprofile: Stop using eval() (MERGED) - 1 patch set21:05
timburkeand backports have been proposed (and merged) for all stable branches21:05
timburkeadditionally, i proposed doc changes to make it clear that xprofile is for testing only, and not intended for production21:05
timburke#link https://review.opendev.org/c/openstack/swift/+/93749421:05
patch-botpatch 937494 - swift - docs: Call out that xprofile is not intended for p... (MERGED) - 1 patch set21:05
timburkeand another change to flip our bandit config from "run these tests" to "skip these tests"21:05
timburke#link https://review.opendev.org/c/openstack/swift/+/93749521:05
patch-botpatch 937495 - swift - CI: Configure bandit better - 1 patch set21:05
timburkei don't know that there's a lot to discuss; mostly i just wanted to raise awareness in case anyone missed the bug21:06
timburkethanks for all the reviews mattoliver!21:06
timburkei should also try to get a release together, but knowing my history, it seems unlikely i'll get to it before we hit the holiday lull21:07
mattolivernps, good find!21:07
mattolivertim21:07
acolesin https://review.opendev.org/c/openstack/swift/+/937495 is the diskfile assert change related to the bandit change?21:08
patch-botpatch 937495 - swift - CI: Configure bandit better - 1 patch set21:08
timburkeoh, yes! bandit will flag asserts, since they can become passes if running with python -O21:09
timburkei suppose an alternative would be to break that part out as a separate follow-on21:09
acolesOIC and I guess before we only opted in to tests and presumably the test for assert wasn't an opt in before, but now we opt out we're getting dinged21:10
timburkeyup :-(21:10
timburkespeaking of things i discovered in this week...21:11
timburke#topic eventlet and underscores in headers21:11
acolesI might prefer it to be a follow-up? IDK21:11
timburkecan do21:11
timburkerecent versions of eventlet ignore headers with underscores in their names when building the request environment21:11
timburke#link https://github.com/eventlet/eventlet/commit/ed743d7521:11
timburkethis caused breakage with some tempest tests that were sending headers like x-container-meta-foo_bar: baz21:11
timburketempest should be fixed with p 937416, but heads-up: other clients may be affected21:11
patch-bothttps://review.opendev.org/c/openstack/tempest/+/937416 - tempest - Stop sending underscores in header names to Swift - 3 patch sets21:11
timburkenow i've got a few questions:21:12
timburke(1) should we have a similar sort of a change in python-swiftclient, to .replace('_', '-') on user-provided headers/meta?21:12
timburke(2) should we write up a bug eventlet about the change impacting behaviors that have nothing to do with message framing?21:12
timburkeand (3) should we have a fix server-side to do a similar translation?21:12
timburkesince we've still got access to environ['headers_raw'] which has *all* the headers21:12
mattoliverOh geesh, big questions21:13
timburkei'm kinda torn -- it's definitely a breaking behavior for us (as the tempest failures demonstrate), but we've also never (to my knowledge) endorsed underscores in headers, and the translation has just been an artifact of WSGI/CGI21:14
acolesquick search suggests underscores in headers are allowed, so what motivated eventlet?21:15
timburkesomething something security, i think?21:15
timburkethere's a little more conversaion in21:16
timburke#link https://github.com/eventlet/eventlet/pull/95921:16
timburkemy initial reaction over in #openstack-oslo was "idk why CONTENT_LENGTH vs Content-Length should be such a worry when there are so many other fun ways to break header parsing: https://github.com/python/cpython/issues/81274" :P21:17
timburkei think we could probably scope any potential server fix to *just* look at a/c/o user meta21:19
timburke...but at the same time, i don't actually *want* to add this sort of a hack, and i think we can get away with it because *who sends underscores in headers!?*21:19
acolesI guess headers are mapped to '_' delimited keys in the env so there's an ambiguity ? 🤷21:20
timburkeyup21:20
acolesi.e. it's a wsgi thing21:20
timburkein the wsgi env there's no difference between content-length, Content-Length, and CONTENT_LENGTH on the wire21:21
timburke("who does this" -- well, aside from some s3 client that prompted me to write this mess: https://opendev.org/x/swift3/commit/f3a933aa )21:21
acolesyeah, so if you previously sent swift foo_bar we'd accept it same as foo-bar, which is an argument for us on server-side continuing t do the same with no more ambiguity than before21:22
opendevreviewMerged openstack/swift master: Add unit test for object-updater recon dump  https://review.opendev.org/c/openstack/swift/+/93725221:22
acolessomeone round here often extos us to be "tolerant in what we accept, strict in what we send"21:23
acolesextols*21:23
timburkebut there's a limit once we start worrying about CVE surface area21:23
acolesbut does a server-side fix mean us overriding something in eventlet wsgi?21:24
acolesyes, not so tolerant as to accept executable scripts21:24
timburkedepends on where/when we do it21:24
mattoliveri dunno, if the http spec says w _'s are a valid char in headers, we should be supporting them.. but I don't like horrible hacks.  21:26
mattoliverok, no idea where that extra 'w' came from :P 21:26
mattoliverI think this is something I need to think more about21:27
timburkefwiw, we have some experience in needing to do something like this: https://github.com/openstack/swift/blob/2.34.0/swift/common/http_protocol.py#L19221:28
timburkeyeah, we can think more about it -- a reasonable stance might be just "wait and see who all notices"21:29
timburke#topic constraining deps in the gate21:29
acolesimportant to note that whilst _ may be valid in an http header, it will not be distinguished from '-' in a wsgi app (IIUC)21:29
timburkeyup21:29
acoleswhich is different to "case insensitive"21:29
timburketo follow-on from eventlet breaking our CORS tests (which i mentioned last week)21:29
timburkep 936872 has now merged21:29
patch-bothttps://review.opendev.org/c/openstack/swift/+/936872 - swift - CI: drop pip --upgrade flag in tox.ini (MERGED) - 1 patch set21:29
timburkebut p 937045 sent me down a bit of a rabbit hole (more in a bit)21:30
patch-bothttps://review.opendev.org/c/openstack/swift/+/937045 - swift - CI: Use constraints for api-ref builds - 1 patch set21:30
timburkeand now in a separate chain, we've got p 937072 and p 937073 to bring our py3-constraints.txt more in line with the global upper-constraints.txt file21:30
patch-bothttps://review.opendev.org/c/openstack/swift/+/937072 - swift - Bring py3-constraints.txt more in line with global... - 2 patch sets21:30
patch-bothttps://review.opendev.org/c/openstack/swift/+/937073 - swift - Bring py3-constraints.txt more in line with global... - 2 patch sets21:30
acolestimburke: has been doing CI house keeping 🙏21:30
timburkethere were some up-revs (-72) and down-revs (-73) required, which was why i split up the changes21:31
timburkei also wrote up a tool for myself to help notice discrepancies; i figure i ought to just aim to run it periodically, since the requirements repo sees a good bit of churn21:32
timburkebut i still need to write a patch to add a (non-voting) job that runs without any constraints file at all21:32
timburke(though i'm not at all sure which version of python that ought to run under...)21:33
timburkespeaking of21:33
acoleshmmm, maybe the oldest??21:33
timburke#topic "supported" python versions21:34
timburkewhat do we (intend to) mean when we want to say "we support python version X.Y"?21:34
timburkeand what kind of testing matrix do we want/need to keep us honest?21:34
timburkea few different things prompt my question:21:34
acoleswe intend to mean that X!=2 :D21:34
timburkeacoles noticed recently that `tox -e pep8` no longer works on py38 (his default)21:34
timburkei noticed that currently, i can build docs without including https://github.com/openstack/swift/blob/2.34.0/tox.ini#L124 -- but i still need it (at least) to build docs on py221:35
timburke(and i have no sense for whether doc building works on any other pythons besides py310 [which is used in the gate] and py312 [which i use locally])21:35
timburke(this is that rabbit hole i fell down)21:36
timburkeand acoles also noticed that a sizeable portion of our s3api func tests are skipped in the gate because21:36
timburke(1) i made us skip boto tests if it can't be imported (on the assumption that it wasn't installed -- see p 918144),21:36
patch-bothttps://review.opendev.org/c/openstack/swift/+/918144 - swift - Skip boto 2.x tests if boto is not installed (MERGED) - 1 patch set21:36
timburke(2) boto does not work on py312 (raising an import error),21:36
timburkeand (3) all of our voting func test jobs now run on py31221:36
timburkeso: how much of our tox envs should still be expected to be able to run under a given python version?21:37
mattoliveri use py39 everywhere, for some reasons my system python is 312 21:37
mattoliversorry on my phone (dealing with kids) so typing is hard :P 21:37
acolesFYI i just kicked off tox -e docs on py38 and it fails because upper constraints isn't compatible with py3821:38
acolesI tend to just run the sphinx build command to build docs21:38
timburkethat seems about right :-/21:38
timburkedoes it help any to set TOX_CONSTRIANTS_FILE=py3-constraints.txt ?21:39
timburkei don't think the docs-only deps are anywhere in there, so it'd be "unconstrained" for those21:40
acolestimburke: no and nor does TOX_CONSTRAINTS_FILE=py3-constraints.txt 🤔21:42
timburkeboo!21:42
acolesoh but I still see 'docs: install_deps> pip install -U -r /vagrant/swift/doc/requirements.txt -r /vagrant/swift/requirements.txt -c https://releases.openstack.org/constraints/upper/master'21:43
timburkeoh! maybe try UPPER_CONSTRAINTS_FILE -- i merged something recently to standardize on the other21:44
timburkewell, are we content to say that tox -e docs,pep8 requires py39+ (which would match PTI)? but they're not necessarily expected to work on earlier pythons?21:46
acolesyeah that's working, which is odd because I was about to say don't we need to add it to ``passenv``21:47
timburkei think the trick is that tox uses it, but it's not available to pip/pytest/etc21:48
acolesor is passenv for vars passed to the venv, not tox21:48
timburkebingo21:48
timburkei feel like what i want is to say "we expect to be able to run a prod system on python X.Y and will be responsive to reports of breakage"21:49
timburkeand a direct follow-on from there is that we should expect unit, func, and probe tests to all pass on pyXY21:49
acoles"unit, func, and probe tests to all pass on pyXY" yes, absolutely21:49
timburkebut i'm not clear on where that leaves doc builds, flake8, or even s3 cross-compat tests21:49
acolesI think it is unfortunate but perhaps acceptable for pep8 and docs to require >=3.9 and document the workaround for <3.921:50
timburke👍21:51
acolescross-compat tests I'd like to include under "func tests"21:51
acolesI mean, we could even have a different pep8-alt tox env just for me and other py3.7/3.8 freaks21:52
timburkei'm torn -- i don't know that i'd -1 a change that wanted to start using f-strings in cross compat tests, say -- the significant thing for declaring support is the python used on the server, not the test runner21:52
acolesbut I can live with the env var trick, especially now it is in my command history21:53
timburkeafter all, what version of python does AWS run? ;-P21:53
timburkeall right, we're running a little low on time21:54
timburke#topic open discussion21:54
timburkeanything else we ought to bring up this week?21:54
mattoliverhmm, I'm getting an openstackdocstheme.page_context error now that I try and build docs on py39.. but might be my env (its an old one).. I'll play with it in my own time :) 21:54
timburkethanks for the data point mattoliver!21:54
acoles"the significant thing for declaring support is the python used on the server, not the test runner" - agree, I misunderstood. But can we configure a zuul job that runs a py3.7 service and test runner is py3.12?21:54
acoleshttps://www.irccloud.com/pastebin/e8UeXpe8/21:55
acolesoops, not sure how I posted that as a snippet21:56
acolesthat's how my tox -e docs just finished, I remember now that even after persuading it to build a venv under py38 it bombed out at the end :(21:56
mattoliverUmm I have reworked the sharder rsync_then_merge patch. https://review.opendev.org/c/openstack/swift/+/901095  21:57
patch-botpatch 901095 - swift - db_replication: big containers that haven't sunk s... - 2 patch sets21:57
timburke"can we configure a zuul job that runs a py3.7 service and test runner is py3.12?" we can, though it isn't necessarily simple. we do something like that with the rolling upgrade jobs, which are multi-node21:57
mattoliverThere is another option I'm playing with where we only ever rsync in the sharder.. but I'm worried that'll make any small handoff always fall back to rsync_then_merge and that could be quite expensive (as rsync it to tmp, and them locally merges all the old shard into the new one (with on a row or 2) and then copies it to the location. 21:58
timburkeyeah! i need to take a look at that, mattoliver!21:58
acolesthanks timburke for figuring out all the tox/zuul stuff!21:58
mattoliveryeah +121:59
mattoliveranyway I think we're at time. Sorry was a bit distracted with kids this meeting. 21:59
timburkeno worries22:00
timburkethank you all for coming, and thank you for working on swift!22:00
timburke#endmeeting22:00
opendevmeetMeeting ended Wed Dec 11 22:00:21 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)22:00
opendevmeetMinutes:        https://meetings.opendev.org/meetings/swift/2024/swift.2024-12-11-21.02.html22:00
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/swift/2024/swift.2024-12-11-21.02.txt22:00
opendevmeetLog:            https://meetings.opendev.org/meetings/swift/2024/swift.2024-12-11-21.02.log.html22:00
timburkemattoliver, oh, fun! was it "exception: 'str' object has no attribute 'relative_to'"?22:31
timburkei'm seeing that in a py39 env, too -- i think they may have started relying on getting a pathlib.Path where py39 returns a str22:33
timburkeah -- https://review.opendev.org/c/openstack/openstackdocstheme/+/93438422:45
patch-botpatch 934384 - openstackdocstheme - fix support for py39 (MERGED) - 1 patch set22:45
« Tuesday, 2024-12-10 Index Thursday, 2024-12-12 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!