Wednesday, 2014-09-10

*** vkmc has joined #openstack-trove [00:02]
*** mattgriffin has joined #openstack-trove [00:04]
*** todd_dsm has quit IRC [00:05]
*** tkatarki has quit IRC [00:05]
*** IanGovett has quit IRC [00:06]
*** tkatarki has joined #openstack-trove [00:07]
*** eghobo has quit IRC [00:07]
*** mattgriffin has quit IRC [00:10]
*** ViswaV has quit IRC [00:18]
*** Longgeek has quit IRC [00:26]
*** Riddhi has quit IRC [00:31]
openstackgerrit: Auston McReynolds proposed a change to openstack/trove-integration: Make Rsync For Guest Optional https://review.openstack.org/119488 [00:36]
*** russellb has quit IRC [00:46]
*** pdmars has quit IRC [00:47]
*** tkatarki has quit IRC [00:47]
*** pdmars has joined #openstack-trove [00:47]
*** russellb has joined #openstack-trove [00:49]
*** IanGovett has joined #openstack-trove [00:55]
*** tkatarki has joined #openstack-trove [00:58]
*** Riddhi has joined #openstack-trove [01:05]
*** IanGovett has quit IRC [01:10]
*** todd_dsm has joined #openstack-trove [01:24]
*** newb has joined #openstack-trove [01:54]
*** nosnos has joined #openstack-trove [01:54]
*** amcrn has quit IRC [01:55]
*** todd_dsm has quit IRC [01:58]
*** georgelorch has quit IRC [02:02]
*** rhodgin has joined #openstack-trove [02:03]
*** georgelorch has joined #openstack-trove [02:03]
*** fifieldt_ is now known as fifieldt [02:03]
*** ViswaV has joined #openstack-trove [02:05]
*** haomaiw__ has quit IRC [02:14]
*** haomaiwang has joined #openstack-trove [02:15]
*** ViswaV has quit IRC [02:21]
*** tkatarki has quit IRC [02:21]
*** harlowja is now known as harlowja_away [02:25]
*** haomaiwang has quit IRC [02:30]
*** haomaiw__ has joined #openstack-trove [02:30]
*** haomaiwa_ has joined #openstack-trove [02:35]
*** haomaiwa_ has quit IRC [02:35]
*** haomaiw__ has quit IRC [02:36]
*** haomaiwang has joined #openstack-trove [02:36]
*** haomai___ has joined #openstack-trove [02:42]
*** haomaiwang has quit IRC [02:45]
*** vkmc has quit IRC [02:49]
*** juantwo_ has joined #openstack-trove [02:54]
*** juantwo has quit IRC [02:57]
*** newb has quit IRC [02:58]
*** ramishra has joined #openstack-trove [03:07]
*** jasonb365 has joined #openstack-trove [03:11]
*** achampio1 has joined #openstack-trove [03:32]
*** haomai___ has quit IRC [03:35]
*** haomaiwang has joined #openstack-trove [03:35]
*** achampion has quit IRC [03:35]
*** haomaiw__ has joined #openstack-trove [03:47]
*** haomaiwang has quit IRC [03:50]
*** achampion has joined #openstack-trove [04:10]
*** achampio1 has quit IRC [04:13]
*** ramishra has quit IRC [04:19]
*** ramishra_ has joined #openstack-trove [04:21]
*** rushiagr_away is now known as rushiagr [04:40]
*** ajayaa has joined #openstack-trove [04:51]
*** jasonb365 has quit IRC [05:04]
*** sgotliv has joined #openstack-trove [05:09]
*** juantwo_ has quit IRC [05:17]
*** vigneshvar has joined #openstack-trove [05:17]
vigneshvar: https://review.openstack.org/#/c/117985/ [05:35]
*** k4n0 has joined #openstack-trove [05:45]
*** ramishra_ has quit IRC [05:49]
*** achampion has quit IRC [05:53]
*** ramishra has joined #openstack-trove [05:54]
*** ajayaa has quit IRC [06:30]
*** flaper87|afk is now known as flaper87 [06:34]
*** ajayaa has joined #openstack-trove [06:39]
*** ramishra has quit IRC [06:42]
openstackgerrit: Nikhil Manchanda proposed a change to openstack/trove-integration: Fix dsvm-gate-tests command to run int-tests https://review.openstack.org/120322 [06:48]
*** rushiagr is now known as rushiagr_away [06:48]
*** rushiagr_away is now known as rushiagr [06:49]
*** k4n0 has quit IRC [07:07]
*** k4n0 has joined #openstack-trove [07:21]
openstackgerrit: Nikhil Manchanda proposed a change to openstack/trove-integration: Fix dsvm-gate-tests command to run int-tests https://review.openstack.org/120322 [07:36]
*** sgotliv has quit IRC [07:37]
*** achampion has joined #openstack-trove [07:59]
*** jdandrea has joined #openstack-trove [08:00]
*** julienvey has joined #openstack-trove [08:02]
*** achampion has quit IRC [08:07]
*** boblebauce has joined #openstack-trove [08:22]
*** julienvey has quit IRC [08:29]
*** julienvey has joined #openstack-trove [08:30]
*** achampion has joined #openstack-trove [08:32]
*** ramishra has joined #openstack-trove [08:43]
*** ramishra has quit IRC [08:47]
*** sgotliv has joined #openstack-trove [08:48]
*** ramishra has joined #openstack-trove [08:59]
*** ramishra has quit IRC [09:00]
*** ramishra has joined #openstack-trove [09:01]
*** ramishra has quit IRC [09:05]
*** rushiagr is now known as rushiagr_away [09:18]
*** rushiagr_away is now known as rushiagr [09:18]
*** vigneshvar has quit IRC [09:30]
*** vigneshvar has joined #openstack-trove [09:31]
*** nosnos has quit IRC [09:41]
*** nosnos has joined #openstack-trove [09:42]
*** nosnos has quit IRC [09:47]
*** ramishra has joined #openstack-trove [09:52]
*** Longgeek has joined #openstack-trove [09:59]
*** Bharat_Kobagana has joined #openstack-trove [10:02]
*** sgotliv has quit IRC [10:09]
*** Bharat_Kobagana is now known as bharat_kobagana [10:10]
*** ramishra has quit IRC [10:25]
*** ramishra has joined #openstack-trove [10:26]
*** sgotliv has joined #openstack-trove [10:26]
*** haomaiw__ has quit IRC [10:34]
*** 18VAAWTEG has joined #openstack-trove [10:34]
*** Riddhi has quit IRC [10:44]
*** ramishra has quit IRC [10:44]
*** IanGovett has joined #openstack-trove [10:47]
*** 18VAAWTEG has quit IRC [10:53]
*** haomaiwang has joined #openstack-trove [10:53]
*** miqui has quit IRC [11:00]
*** bharat_kobagana has quit IRC [11:03]
*** Longgeek_ has joined #openstack-trove [11:14]
*** Longgeek has quit IRC [11:18]
*** tomblank has quit IRC [11:20]
*** isviridov_away is now known as isviridov [11:42]
*** juantwo has joined #openstack-trove [11:52]
*** juantwo has quit IRC [11:53]
*** juantwo has joined #openstack-trove [11:53]
*** vkmc has joined #openstack-trove [12:00]
*** vkmc has joined #openstack-trove [12:00]
*** ramishra has joined #openstack-trove [12:15]
*** ramishra has quit IRC [12:19]
*** jcru has joined #openstack-trove [12:28]
*** miqui has joined #openstack-trove [12:29]
*** radez_g0n3 is now known as radez [12:43]
*** achampion has quit IRC [12:43]
*** boblebauce has quit IRC [12:49]
*** achampion has joined #openstack-trove [12:52]
*** georgelorch has quit IRC [13:00]
*** georgelorch has joined #openstack-trove [13:00]
denis_makogon: Hey, guys, i've started filing bugs for clustering, any help is welcome, see https://etherpad.openstack.org/p/trove-cluster-api-bugs [13:04]
*** IanGovett1 has joined #openstack-trove [13:08]
*** IanGovett has quit IRC [13:10]
*** IanGovett has joined #openstack-trove [13:15]
*** ramishra has joined #openstack-trove [13:16]
*** tomblank has joined #openstack-trove [13:16]
*** IanGovett1 has quit IRC [13:16]
*** tkatarki has joined #openstack-trove [13:16]
*** boblebauce has joined #openstack-trove [13:19]
*** ramishra has quit IRC [13:20]
*** IanGovett has quit IRC [13:26]
*** rhodgin has quit IRC [13:31]
*** julienvey has quit IRC [13:34]
*** Barker has joined #openstack-trove [13:39]
*** julienvey has joined #openstack-trove [13:52]
*** sgotliv has quit IRC [13:54]
*** johnma has quit IRC [13:55]
*** Longgeek_ has quit IRC [13:56]
*** sgotliv has joined #openstack-trove [14:10]
*** Longgeek has joined #openstack-trove [14:11]
*** tomblank has quit IRC [14:16]
*** mattgriffin has joined #openstack-trove [14:16]
*** rhodgin has joined #openstack-trove [14:17]
*** ajayaa has quit IRC [14:24]
*** tomblank has joined #openstack-trove [14:27]
*** rwsu has joined #openstack-trove [14:30]
*** Longgeek has quit IRC [14:34]
*** iartarisi has joined #openstack-trove [14:35]
*** Longgeek has joined #openstack-trove [14:42]
*** IanGovett has joined #openstack-trove [14:42]
*** rwsu has quit IRC [14:48]
*** Longgeek has quit IRC [14:49]
*** ramishra has joined #openstack-trove [14:50]
*** ramishra has quit IRC [14:54]
*** kevinconway has joined #openstack-trove [14:55]
*** jasonb365 has joined #openstack-trove [14:58]
*** jmontemayor has joined #openstack-trove [15:00]
*** jmontemayor has quit IRC [15:00]
*** jmontemayor has joined #openstack-trove [15:02]
*** jmontemayor has quit IRC [15:03]
*** grapex has joined #openstack-trove [15:04]
*** jmontemayor has joined #openstack-trove [15:06]
*** grapex_ has joined #openstack-trove [15:09]
*** grapex has quit IRC [15:12]
*** jmontemayor has quit IRC [15:15]
*** jmontemayor has joined #openstack-trove [15:18]
*** sgotliv has quit IRC [15:30]
*** k4n0 has quit IRC [15:34]
*** iartarisi has quit IRC [15:39]
*** sgotliv has joined #openstack-trove [15:43]
*** johnma has joined #openstack-trove [15:51]
amrith: denis_makogon, yt? [15:53]
*** juantwo has quit IRC [15:56]
*** juantwo has joined #openstack-trove [15:57]
*** kevinconway has quit IRC [15:58]
*** Barker has quit IRC [15:59]
*** grapex has joined #openstack-trove [15:59]
*** grapex_ has quit IRC [16:01]
*** kevinconway has joined #openstack-trove [16:03]
*** Barker has joined #openstack-trove [16:04]
*** rwsu has joined #openstack-trove [16:12]
*** boblebauce has quit IRC [16:17]
*** todd_dsm has joined #openstack-trove [16:24]
*** julienve_ has joined #openstack-trove [16:30]
*** ViswaV has joined #openstack-trove [16:34]
*** juantwo has quit IRC [16:34]
*** julienvey has quit IRC [16:34]
*** todd_dsm has quit IRC [16:35]
*** todd_dsm has joined #openstack-trove [16:36]
*** ViswaV_ has joined #openstack-trove [16:37]
denis_makogon: amrith, yes [16:38]
denis_makogon: amrith, i'm going to leave soon, hope it's not something urgent [16:39]
amrith: denis_makogon, I'm not sure I understand the rationale for your comment in https://review.openstack.org/#/c/117174/ [16:39]
amrith: it was your comment ;) [16:39]
*** sgotliv has quit IRC [16:39]
*** jasonb365 has quit IRC [16:40]
*** ViswaV has quit IRC [16:40]
*** kevinconway has quit IRC [16:40]
*** Barker has quit IRC [16:42]
*** juantwo has joined #openstack-trove [16:43]
*** Barker has joined #openstack-trove [16:43]
denis_makogon: amrith, yes, i see, it's not quite good to catch too broad an exception in general, we might avoid such things because of coding standards (see the same question here http://stackoverflow.com/questions/14797375/should-we-always-specify-an-exception-type-in-python) [16:44]
amrith: yes, I've read that (after seeing your comment) [16:44]
amrith: but if I were to handle stuff differently based on the exception, your comment makes sense [16:45]
amrith: and that answer doesn't say "don't ever ever ever use 'except:'" [16:45]
amrith: it is a warning, not an error. [16:45]
amrith: No matter what the exception is, I will do the exact same thing. [16:45]
amrith: so what's the objection? [16:45]
*** todd_dsm has quit IRC [16:45]
amrith: But, reading your comment and Dan's (esp, yt?) made me realize that the code is bad for another reason [16:47]
amrith: I'm just rethrowing whatever exception I got [16:47]
amrith: and there's no telling whether the caller will be able to catch that [16:47]
amrith: so maybe I shouldn't just raise, I should raise RunTimeError() or some such thing [16:47]
amrith: which there is a better chance that the caller is catching. [16:47]
amrith: which brings up the fact that this routine has no doc string telling what it may raise ;) [16:47]
*** Barker has quit IRC [16:48]
denis_makogon: amrith, sounds good (about RunTime exception) [16:48]
denis_makogon: amrith, in general code style looks not so good, and if we're able to avoid even warnings - worth trying it [16:49]
amrith: but I don't get a warning for this code [16:49]
amrith: not from pep [16:49]
amrith: not from my IDE [16:49]
amrith: not from emacs (which is all that really matters) [16:49]
amrith: Yes, if I change it to 'except:' my IDE gives me a warning [16:50]
denis_makogon: actually, don't know why, my PyCharm raised warning [16:50]
amrith: and the warning is? [16:50]
amrith: actually [16:51]
denis_makogon: "too broad exception" [16:51]
amrith: was it a warning or an info lightbulb [16:51]
denis_makogon: actual warning [16:51]
amrith: I use pycharm as well, no warning. [16:51]
*** jmontemayor has quit IRC [16:52]
*** ViswaV_ has quit IRC [16:52]
denis_makogon: no matter, i'd suggest to dig into exceptions that might be raised by methods that were used and write exception handling according to them [16:53]
denis_makogon: it's just IMHO, you can ignore it and move forward, as i said "i strongly recommend", i didn't say "Hey, that's bad, fix it" [16:54]
denis_makogon: just friendly suggestion =) [16:55]
*** ViswaV has joined #openstack-trove [16:55]
*** jmontemayor has joined #openstack-trove [16:55]
denis_makogon: amrith, once you're here, you might take a look at https://etherpad.openstack.org/p/trove-cluster-api-bugs [16:55]
amrith: I understand, what I'm trying to understand is why you think that's the case. why is it important. After all, you took the time to make the suggestion so it must matter to you. [16:57]
*** kevinconway has joined #openstack-trove [16:57]
*** kevinconway has quit IRC [16:58]
*** harlowja_away is now known as harlowja [16:58]
denis_makogon: just want to see nice stylish code [16:58]
*** kevinconway has joined #openstack-trove [16:58]
denis_makogon: if we know what's going to be raised, why can't we expect it [16:58]
denis_makogon: that's all [16:59]
*** Barker has joined #openstack-trove [17:01]
*** Barker has quit IRC [17:02]
amrith: denis_makogon, one second, let me send you screen shot from my PyCharm [17:03]
*** Barker has joined #openstack-trove [17:03]
amrith: how do I send you a picture? [17:04]
amrith: screen shot of PyCharm [17:04]
denis_makogon: amrith, let's do it later, i'm leaving now [17:04]
amrith: ok [17:05]
*** amcrn has joined #openstack-trove [17:05]
denis_makogon: amrith, just wanted to say what i want to say, in general, code looks good, i don't have objections about it, just wanted to recommend to rework exception handling =) [17:06]
*** vigneshvar has quit IRC [17:08]
*** denis_makogon has quit IRC [17:10]
*** rushiagr is now known as rushiagr_away [17:13]
*** juantwo_ has joined #openstack-trove [17:20]
*** juantwo has quit IRC [17:23]
*** julienve_ has quit IRC [17:35]
*** julienvey has joined #openstack-trove [17:35]
*** rushiagr_away is now known as rushiagr [17:36]
*** julienvey has quit IRC [17:40]
*** eghobo has joined #openstack-trove [17:45]
*** saurabhs has joined #openstack-trove [17:50]
*** rushiagr is now known as rushiagr_away [17:51]
*** vigneshvar has joined #openstack-trove [17:55]
*** jasonb365 has joined #openstack-trove [17:55]
*** jmontemayor has quit IRC [17:58]
*** Barker has quit IRC [17:59]
*** Barker has joined #openstack-trove [18:02]
SlickNik: Reminder: Weekly trove meeting is happening now in #openstack-meeting-alt [18:02]
*** jmontemayor has joined #openstack-trove [18:03]
*** ramashri has joined #openstack-trove [18:05]
*** ranjitha has joined #openstack-trove [18:05]
*** cweid_ has joined #openstack-trove [18:12]
*** ranjitha has quit IRC [18:12]
*** ranjitha has joined #openstack-trove [18:14]
*** cweid has quit IRC [18:15]
*** robertmyers has joined #openstack-trove [18:21]
*** todd_dsm has joined #openstack-trove [18:30]
*** rushiagr_away is now known as rushiagr [18:33]
*** todd_dsm has quit IRC [18:34]
*** todd_dsm has joined #openstack-trove [18:35]
*** julienvey has joined #openstack-trove [18:36]
*** Barker has quit IRC [18:40]
*** julienvey has quit IRC [18:40]
*** ranjitha has quit IRC [18:42]
*** sgotliv has joined #openstack-trove [18:44]
*** ViswaV has quit IRC [18:44]
*** todd_dsm has quit IRC [18:51]
openstackgerrit: amrith proposed a change to openstack/trove: Partially address concerns in Couchbase restore strategy https://review.openstack.org/117174 [18:53]
*** Barker has joined #openstack-trove [18:55]
*** georgelorch has quit IRC [18:57]
*** georgelorch has joined #openstack-trove [18:57]
*** IanGovett has quit IRC [18:58]
*** IanGovett has joined #openstack-trove [18:58]
*** eghobo has quit IRC [18:59]
*** radez is now known as radez_g0n3 [18:59]
*** ranjitha has joined #openstack-trove [19:00]
*** Barker has quit IRC [19:00]
*** cweid_ has quit IRC [19:01]
*** Barker has joined #openstack-trove [19:02]
*** rushiagr is now known as rushiagr_away [19:02]
*** Barker has quit IRC [19:02]
*** grapex_ has joined #openstack-trove [19:03]
*** Barker has joined #openstack-trove [19:03]
*** ranjitha has quit IRC [19:03]
*** grapex has quit IRC [19:06]
*** cweid has joined #openstack-trove [19:07]
kevinconway: amrith: SlickNik: grapex_: i updated the BP from monday to include examples of the scenarios we outlined: https://wiki.openstack.org/wiki/Trove/TroveSSL [19:11]
kevinconway: with regards to ssl, that is [19:12]
amrith: kevinconway, will read it now. [19:12]
*** ramashri has quit IRC [19:14]
*** ViswaV has joined #openstack-trove [19:17]
openstackgerrit: Sergey Gotliv proposed a change to openstack/trove: [WIP] Updates RPC API to use oslo.messaging https://review.openstack.org/94484 [19:21]
*** tkatarki has quit IRC [19:27]
*** tkatarki has joined #openstack-trove [19:27]
*** Barker has quit IRC [19:33]
*** newb has joined #openstack-trove [19:34]
*** Barker has joined #openstack-trove [19:36]
*** julienvey has joined #openstack-trove [19:36]
*** Barker has quit IRC [19:40]
*** julienvey has quit IRC [19:41]
vgnbkr: kevinconway: re SSL: Could you give us an idea of how you see this being used? Is the intention that the cloud provider would provide a common cert across all dbs, all dbs for a given tenant would share a cert, or that the user will define a cert (similar to how keypairs are done)? [19:48]
kevinconway: vgnbkr: ideally that's at the whim of a provider [19:53]
kevinconway: i'm trying to set this up so providers have as much flex as needed to implement their own key/cert management [19:53]
kevinconway: without requiring that trove do all those things [19:53]
*** ViswaV has quit IRC [19:56]
*** ViswaV has joined #openstack-trove [20:02]
*** julienvey has joined #openstack-trove [20:02]
*** jmontemayor_ has joined #openstack-trove [20:04]
*** jmontema_ has joined #openstack-trove [20:05]
*** jmontemayor has quit IRC [20:06]
*** tkatarki has quit IRC [20:07]
*** julienvey has quit IRC [20:07]
*** tkatarki has joined #openstack-trove [20:08]
*** jmontemayor_ has quit IRC [20:09]
*** dkehn has quit IRC [20:10]
*** dkehn has joined #openstack-trove [20:12]
dougshelley66: kevinconway, a clarification - so out of the box will SSL work or will the "user" have to implement something [20:14]
*** ViswaV has quit IRC [20:17]
*** jmontema_ has quit IRC [20:31]
amrith: kevinconway, read the spec. I think it reflects what I'd proposed (3 options) on Monday although in my understanding, the ssl_payload for the NoOp use case was that the guest agent knew what to do and it would just do it. [20:32]
amrith: I'm assuming that the default config will be ssl_disabled [20:32]
amrith: some other questions [20:32]
amrith: how do we know whether a data store supports ssl? [20:32]
amrith: not whether it is enabled or not, but whether it is supported or not? [20:33]
amrith: how do we know what kind(s) of payloads a guest agent may understand [20:33]
amrith: kevinconway ^^ (thanks) [20:34]
*** amcrn has quit IRC [20:35]
kevinconway: amrith: my intention was for each datastore which supports ssl to implement both the provider and installer. this way it is one config option for the driver [20:39]
kevinconway: amrith: the guest would simply load the given driver and be able to consume the payload since the driver also produces the payload [20:39]
*** zacksh has quit IRC [20:40]
kevinconway: amrith: clarification: when you ask whether a datastore supports ssl, do you mean the datastore itself or the trove datastore (as in the API construct) [20:40]
*** freyes has quit IRC [20:41]
*** zacksh has joined #openstack-trove [20:41]
*** freyes has joined #openstack-trove [20:42]
amrith: trove datastore (aka, is it valid to execute the ssl_enable command) [20:42]
*** juantwo_ has quit IRC [20:42]
kevinconway: i see. for the initial impl i imagined this would be a feature that would either be enabled/disabled at instance create with an optional mgmt command to enable it [20:43]
kevinconway: i haven't spec'ed out a trove consumer api yet [20:43]
*** tomblank has quit IRC [20:43]
amrith: if it is at instance create time, then why the restart_required state? [20:44]
amrith: oh, ok [20:44]
amrith: optional command to enable later? [20:44]
*** IanGovett has quit IRC [20:44]
kevinconway: yes, setting up ssl on an existing instance would require restart for most datastores [20:44]
kevinconway: that's what the state is for [20:44]
*** jcru has quit IRC [20:45]
amrith: kevinconway, one thing [20:46]
amrith: vgnbkr and I have been chatting about this on the sidelines [20:46]
amrith: one thing which we came away with was this [20:46]
amrith: we can't think of any good reason why one would send the keypair over the wire [20:46]
amrith: I had initially thought it would be a keypair expiry thing [20:47]
amrith: but after reading more about it overnight, vgnbkr's point of view is correct. [20:47]
amrith: sending the keypair over the wire seems to be unnecessary (in any case that we can conceive of at least) [20:47]
amrith: so, I'd like to know specifically the answer to vgnbkr's question about where he asks for a use-case/situation where the user would like to provide the keypair to the guest machine [20:48]
amrith: I get the idea of why one would give it the cert [20:48]
amrith: no argument there [20:48]
amrith: but I submit to you that in 100% of the cases that I can think of (i'm not a security expert, I don't play one on tv or IRC), there is no need to send the keypair over to the guest. [20:49]
*** tmcpeak has joined #openstack-trove [20:49]
amrith: vgnbkr, did I correctly represent the things we chatted about? [20:49]
kevinconway: clarification - who is the user that is providing the keypair? trove consumer or trove deployer? [20:49]
*** ViswaV has joined #openstack-trove [20:50]
kevinconway: in the scenarios you discussed, that is [20:50]
amrith: no one provides the keypair as far as I can tell [20:50]
amrith: the machine creates it [20:50]
amrith: the ssl_enable command has a payload that only needs one thing [20:51]
amrith: certificate [20:51]
tmcpeak: hey guys, trying to get up to speed [20:51]
amrith: (ca certificate) [20:51]
tmcpeak: amrith asked me to come by [20:51]
amrith: ah, tmcpeak ... hello [20:51]
tmcpeak: I'm from OSSG [20:51]
tmcpeak: hi all [20:51]
amrith: thx tmcpeak ... [20:51]
amrith: we're talking about ssl on trove instances [20:51]
kevinconway: well it depends. if you want to use signed keys the ssl keypair needs to be generated and signed using the ca-cert and ca-key [20:51]
SlickNik: amrith: You can't generate a random key — you'll need the same one that the CA has signed. [20:52]
tmcpeak: can we generate one and go about whatever procedure to get it signed? [20:53]
tmcpeak: what's the CA in this case? [20:53]
amrith: SlickNik, I'm not grokking something here. [20:53]
amrith: SlickNik, kevinconway ... let me send around what I understand to be the process and why I'm confused about this. [20:53]
amrith: sorry, fell off the network [20:55]
kevinconway: tmcpeak: using mysql as an example, the typical mysql ssl setup is to sign a key pair, install that in the db, and provide the public ca-cert to end users [20:55]
kevinconway: but generically for the feature it is simply the ca pair used to sign ssl keys [20:56]
tmcpeak: ok, how is it protected during transfer [20:57]
tmcpeak: ? [20:57]
vgnbkr: amrith: Yes, you have reflected what we discussed. [20:57]
vgnbkr: I think we need to clarify use cases. [20:57]
kevinconway: tmcpeak: so under the current BP the ca-key would never be transported [20:57]
*** tkatarki has quit IRC [20:58]
vgnbkr: From a cloud provider's point of view, they would want to inject the keys and certs into the instances so that all databases can be accessed by the same cert. [20:58]
tmcpeak: ok, yeah, definitely can't transfer the CA key [20:58]
*** jmontemayor has joined #openstack-trove [20:58]
tmcpeak: only the CA should ever have the CA private key [20:59]
vgnbkr: Enterprises may wish to do the same, or they might prefer to avoid the key mgmt overhead, have each instance generate its own keys/cert, then require the user to download the cert for that instance. [20:59]
kevinconway: i think most of the contention comes from the notion that a deployer might distribute ssl key pairs (private included) over the AMQ [20:59]
amrith: kevinconway, that's correct. that is my concern. [20:59]
amrith: almost in its entirety. [21:00]
tmcpeak: kevinconway: yeah, how is that AMQ connection secured? [21:00]
kevinconway: it's the trove infra message bus. all trove to guest communication occurs over that AMQ [21:00]
tmcpeak: hmm [21:00]
kevinconway: i suppose there is nothing to prevent a deployer from unsecuring it [21:01]
amrith: kevinconway, tmcpeak have to step out for a bit. will read scrollback later. also will send what I tested when I get back to a PC. [21:01]
amrith: sorry, unexpected callout. [21:01]
SlickNik: it's a deployment option though, correct? I can choose in my deployment to do it over AMQP if I have a secure AMQP connection in my deployment (i.e. using TLS). If not, I can choose to bake the keys into the image, and use the same cert for all instances? [21:01]
tmcpeak: amrith: cool [21:01]
kevinconway: SlickNik: correct, pushing keys over the AMQ would be a possible option for deployers, likely not the trove default [21:01]
tmcpeak: so what is the solution actually implementing? are you just saying "public/private keys and the cert need to end up on the machine, make that happen somehow" or are you actually transferring them yourself? [21:02]
*** julienvey has joined #openstack-trove [21:03]
kevinconway: the solution is simply an interface that allows trove to pass _some_ identifier to the guest that represents a public key, private key, and ca cert [21:03]
kevinconway: we have discussed multiple options including those references being HREF's or being nothing at all [21:03]
tmcpeak: so it could be an encrypted blob as well [21:03]
kevinconway: possibly being the keys themselves [21:03]
tmcpeak: ? [21:03]
kevinconway: yes, there is nothing that would prevent that as an implementation [21:04]
tmcpeak: in that case, I think it's fine [21:04]
kevinconway: ultimately it would be at the deployer's discretion [21:04]
tmcpeak: ok, yeah, as long as you aren't implementing sending a private key yourself, it's fine [21:05]
vgnbkr: I don't know that just saying "encrypted blob" achieves anything. You would have to push the keys for the blob to be unencrypted. [21:05]
tmcpeak: it could be out of band though [21:05]
*** tkatarki has joined #openstack-trove [21:05]
kevinconway: you can put a shared key in the guest image, for example, which allows it to decrypt the payload [21:05]
tmcpeak: right [21:05]
vgnbkr: So if you have an "out of band" channel, why wouldn't you just send the SSL keys/cert over it? [21:05]
kevinconway: we already do this for backups [21:05]
SlickNik: vgnbkr: Because you might want to have a shared secret, but unique SSL keys/certs. [21:06]
vgnbkr: So shouldn't the keys/certs be managed similar to how nova deals with keypairs? [21:06]
SlickNik: nova keypairs don't ever need the private-key for anything though. It only ever deals with the public key. [21:07]
*** julienvey has quit IRC [21:07]
openstackgerrit: Peter Stachowski proposed a change to openstack/trove: Document Trove configuration options https://review.openstack.org/118759 [21:07]
vgnbkr: SlickNik: I meant an option in horizon to generate the keys/cert so that the enterprise user can manage them. [21:08]
vgnbkr: Trove would then pass them down to the instances. [21:08]
kevinconway: wouldn't that be a feature and use case of barbican once it supports those kinds of operations? [21:09]
tmcpeak: kevinconway: yeah, I think that's in barbican territory [21:10]
SlickNik: vgnbkr: That would work for self-signed certs, but if you want to have a CA signed cert, then you'd have to ship the key to the user so that they can pass it to the CA, and then also ship the cert back to the trove instance once the CA has signed it. [21:10]
SlickNik: yup, getting close to barbican territory. [21:11]
*** miqui has quit IRC [21:12]
tmcpeak: I would call out in some way in the BP how the bottom example is secured [21:13]
tmcpeak: where it just says: ssl_payload => {"public_key": "BEGIN RSA...", "private_key": "...", "ca_cert": "..."} guest behaviour => Use the keys given in the payload and setup ssl. [21:14]
tmcpeak: looks terrifying [21:14]
*** ramashri has joined #openstack-trove [21:14]
*** ranjitha has joined #openstack-trove [21:14]
tmcpeak: but if you're relying on a secure message channel you can mention that [21:14]
kevinconway: yes, i think most everyone has agreed that a large disclaimer should accompany any tx of secure information over the bus [21:15]
tmcpeak: ok cool [21:15]
*** todd_dsm has joined #openstack-trove [21:20]
*** Toodles has joined #openstack-trove [21:21]
*** ViswaV has quit IRC [21:23]
Toodles: Kevinconway.. Does this mean that sending pk on the message bus is optional? [21:25]
*** juantwo has joined #openstack-trove [21:28]
kevinconway: Toodles: we discussed alternate implementation of the driver that would not require it, yes [21:28]
*** Toodles has quit IRC [21:29]
*** robertmyers has quit IRC [21:30]
*** ranjitha has quit IRC [21:31]
*** ramashri has quit IRC [21:32]
*** mattgriffin has quit IRC [21:38]
*** tomblank has joined #openstack-trove [21:38]
*** mattgriffin has joined #openstack-trove [21:41]
*** jasonb365 has quit IRC [21:42]
*** julienve_ has joined #openstack-trove [21:43]
*** ViswaV has joined #openstack-trove [21:43]
*** ramashri has joined #openstack-trove [21:43]
*** julienve_ has quit IRC [21:44]
*** newb_ has joined #openstack-trove [21:53]
*** amcrn has joined #openstack-trove [21:53]
*** newb has quit IRC [21:56]
*** jmontemayor has quit IRC [22:03]
*** ranjitha has joined #openstack-trove [22:04]
amrith: kevinconway, that was me. I couldn't get onto freenode with my (registered) nick from my phone. [22:08]
amrith: back for a short while at a PC. [22:08]
amrith: so, my concern (after speaking with vgnbkr) was this and I didn't do a good job conveying it earlier. [22:09]
amrith: is it necessary to provide the keys to the guest [22:10]
amrith: can the guest obtain it instead. [22:10]
amrith: SlickNik, I read your comment re: the keypair having to be provided to the guest, I understand that part. [22:10]
amrith: I'm thinking about my own experience with ssl'ing a site. [22:10]
amrith: where once the certs and keys are ready [22:10]
amrith: I have to get them over some secure channel (typically https) [22:11]
amrith: and that https is based on the sender having a cert installed that is trusted by some entity that we mutually trust. [22:11]
amrith: so, seeing the scrollback now, I see that there is a mechanism where the guest can GET the keypair and the cert [22:11]
amrith: so I think I'm good with it. [22:11]
*** tmcpeak has left #openstack-trove [22:11]
amrith: kevinconway, SlickNik, vgnbkr, tmcpeak ^^ please let me know if this makes sense. [22:12]
*** ranjitha has quit IRC [22:12]
*** tmcpeak has joined #openstack-trove [22:14]
*** todd_dsm has quit IRC [22:20]
*** flaper87 is now known as flaper87|afk [22:22]
stevelle: Having trouble getting a redstack up here. Trove won't let me create an instance larger than 5GB, but at that size the nova instance won't launch. I gave swift 80GB on this devstack but still being gated at 5GB. [22:24]
*** tmcpeak has left #openstack-trove [22:26]
stevelle: Any clues about where to go next? [22:26]
*** todd_dsm has joined #openstack-trove [22:26]
openstackgerrit: Sergey Gotliv proposed a change to openstack/trove: [WIP] Updates RPC API to use oslo.messaging https://review.openstack.org/94484 [22:29]
*** juantwo has quit IRC [22:49]
*** juantwo has joined #openstack-trove [22:51]
*** rhodgin has quit IRC [22:58]
*** mattgriffin has quit IRC [22:59]
*** todd_dsm has quit IRC [23:04]
*** todd_dsm has joined #openstack-trove [23:05]
*** kevinconway has quit IRC [23:05]
*** todd_dsm has quit IRC [23:06]
*** vigneshvar has quit IRC [23:09]
openstackgerrit: OpenStack Proposal Bot proposed a change to openstack/python-troveclient: Updated from global requirements https://review.openstack.org/120610 [23:09]
*** todd_dsm has joined #openstack-trove [23:14]
*** mattgriffin has joined #openstack-trove [23:14]
*** todd_dsm has quit IRC [23:20]
*** sgotliv has quit IRC [23:22]
*** IanGovett has joined #openstack-trove [23:38]
*** todd_dsm has joined #openstack-trove [23:40]
*** harlowja has quit IRC [23:48]
*** harlowja_ has joined #openstack-trove [23:48]
*** todd_dsm has quit IRC [23:58]
amcrn: stevelle: the default configure of cinder on devstack won't permit a volume size > 5GB [23:58]
amcrn: configuration* rather [23:59]
