*** jwcroppe has joined #openstack-trove | 00:33 | |
*** jwcroppe has quit IRC | 00:43 | |
*** jwcroppe has joined #openstack-trove | 00:43 | |
*** zhurong has joined #openstack-trove | 00:43 | |
*** gouthamr has quit IRC | 01:42 | |
*** zhaochao has joined #openstack-trove | 01:54 | |
*** zhurong has quit IRC | 02:07 | |
*** chlong has quit IRC | 02:42 | |
*** itlinux_ has joined #openstack-trove | 02:43 | |
*** itlinux_ has quit IRC | 02:51 | |
*** gouthamr has joined #openstack-trove | 02:52 | |
*** georgelorch has joined #openstack-trove | 03:10 | |
*** Keverw has joined #openstack-trove | 03:21 | |
*** itlinux_ has joined #openstack-trove | 03:47 | |
*** itlinux_ has quit IRC | 03:49 | |
*** chhavi has joined #openstack-trove | 03:50 | |
*** zhurong has joined #openstack-trove | 03:51 | |
*** flwang has quit IRC | 03:52 | |
*** flwang has joined #openstack-trove | 03:53 | |
*** itlinux_ has joined #openstack-trove | 03:54 | |
*** gcb has quit IRC | 03:58 | |
*** itlinux_ has quit IRC | 03:59 | |
*** itlinux has joined #openstack-trove | 04:06 | |
*** zhurong has quit IRC | 04:27 | |
*** links has joined #openstack-trove | 04:32 | |
*** zhurong has joined #openstack-trove | 04:33 | |
*** itlinux has quit IRC | 04:54 | |
*** gouthamr has quit IRC | 05:23 | |
*** gcb has joined #openstack-trove | 05:30 | |
*** jwcroppe_ has joined #openstack-trove | 05:31 | |
*** jwcroppe has quit IRC | 05:32 | |
*** gcb has quit IRC | 05:46 | |
*** gcb has joined #openstack-trove | 05:46 | |
*** rcernin has joined #openstack-trove | 06:05 | |
*** pcaruana has joined #openstack-trove | 06:06 | |
*** tesseract has joined #openstack-trove | 06:41 | |
openstackgerrit | jian.song proposed openstack/trove master: Redis 'repl-backlog-size' conf parameter using wrong MIN value https://review.openstack.org/473709 | 07:03 |
*** damien_r has joined #openstack-trove | 07:13 | |
*** zhurong has quit IRC | 07:55 | |
*** zhurong has joined #openstack-trove | 09:06 | |
*** damien_r has quit IRC | 09:55 | |
*** zhurong has quit IRC | 10:20 | |
*** smatzek has joined #openstack-trove | 10:30 | |
*** smatzek has quit IRC | 10:42 | |
*** zhurong has joined #openstack-trove | 10:43 | |
*** magicboiz has joined #openstack-trove | 11:01 | |
*** smatzek has joined #openstack-trove | 11:38 | |
*** chlong has joined #openstack-trove | 11:56 | |
*** damien_r has joined #openstack-trove | 12:03 | |
*** openstackgerrit has quit IRC | 12:18 | |
*** zhurong has quit IRC | 12:19 | |
*** jwcroppe_ has quit IRC | 13:23 | |
*** links has quit IRC | 13:33 | |
*** georgelorch has quit IRC | 13:35 | |
*** gouthamr has joined #openstack-trove | 13:36 | |
*** jwcroppe has joined #openstack-trove | 13:37 | |
*** Keverw has quit IRC | 13:41 | |
*** itlinux_ has joined #openstack-trove | 14:22 | |
*** georgelorch has joined #openstack-trove | 14:36 | |
*** zhaochao has quit IRC | 14:37 | |
*** itlinux_ has quit IRC | 14:41 | |
*** danpawlik is now known as _danpawlik | 15:02 | |
*** trevormc has joined #openstack-trove | 15:10 | |
*** tesseract has quit IRC | 15:10 | |
damien_r | amrith: Hello. I checked your video, and it's not yet exactly what I'm looking for. In fact I have more of an issue with nova. When a customer spawns a trove database, it will create a VM in the user tenant. The problem is that the customer can do a nova rescue on it and inject anything into the VM this way (via nova VNC access). Do you have anything to prevent this? | 15:42 |
*** pmackinn has joined #openstack-trove | 15:44 | |
smatzek | so you're worried about a user with permissions to launch a Trove instance also having permissions to rescue the VM and break into the OS, vs being locked into the DB-only interface? Wouldn't you handle that concern by making a group in Nova's policy.json for that user and then disallowing them from calling the rescue API? | 15:56 |
damien_r | smatzek: it's exactly what we are thinking about (policy.json), we were just wondering if you have official documentation? And which type of property we can use. User ID is the customer's user ID, tenant is of course the same | 16:08 |
damien_r | Glance image ID, maybe, but it's not that clean | 16:10 |
*** damien_r has quit IRC | 16:13 | |
*** openstackgerrit has joined #openstack-trove | 16:22 | |
openstackgerrit | Trevor McCasland proposed openstack/trove master: Clean up H904 and add it to tox https://review.openstack.org/471923 | 16:22 |
smatzek | damien_r, The last time I worked a lot in Nova's policy.json was about 1.5 years ago so this may be a bit stale, but I think the idea would be you'd make a role for your trove users in Nova's policy.json. You then use the rule to allow/disallow the trove users actions. | 16:24 |
smatzek | you make the users that can just do Trove stuff be in the trove role vs the admin role. | 16:25 |
*** itlinux_ has joined #openstack-trove | 16:26 | |
smatzek | I'm not aware of any documented list of Nova (or cinder, neutron, etc) policy.json API names such as 'os_compute_api:servers:create' that you would have to grant to the user for proper operation through Trove. It would be a process of working through the use cases that are important to you. | 16:27 |
smatzek | the above comment should be "grant to the role" not user. | 16:27 |
*** trevormc has quit IRC | 16:34 | |
*** rcernin has quit IRC | 16:41 | |
smatzek | amrith, you around? | 16:45 |
*** gmann has quit IRC | 16:57 | |
amrith | smatzek trove does not use policy.json | 17:07 |
amrith | and what makes you believe that trove users should not be able to launch nova vms? | 17:08 |
smatzek | amrith, obviously trove users should be able to launch VMs. I recall the other day you said trove doesn't use policy.json. If damien_r wants to restrict users that are using Trove to launch instances from being able to Nova-rescue them, then it could probably be done outside of Trove in Nova's policy.json. | 17:22 |
amrith | so, doing a nova rescue can't do much for the user ... | 17:23 |
smatzek | in order to do it you'd likely want to make a role in Nova's policy.json and make all your trove users be in that role, then use Nova's policy.json to allow/disallow Nova API calls while not disallowing ones that Trove needs. | 17:23 |
amrith | let them inject what they wish into the VM, not a problem | 17:23 |
*** chhavi has quit IRC | 17:25 | |
smatzek | what I wanted to ask you about is what type of prioritization I should put on trove review requests. I did some reviewing this morning. Some of the larger, more in-depth ones are a bit out of my league to review, but I can help do triage on the others as I did this morning. Would you prefer I prioritize reviews that have no CR check above those that have been reviewed by others? What about verified -1/+1, skip over ones that are failing verified | 17:26 |
smatzek | in the initial pass? | 17:26 |
*** itlinux_ has quit IRC | 17:56 | |
*** itlinux_ has joined #openstack-trove | 17:56 | |
openstackgerrit | Merged openstack/trove-dashboard master: Update launchpad link to trove-dashboard https://review.openstack.org/447465 | 18:00 |
*** itlinux_ has quit IRC | 18:23 | |
*** rcernin has joined #openstack-trove | 18:26 | |
*** itlinux_ has joined #openstack-trove | 18:31 | |
*** trevormc has joined #openstack-trove | 18:54 | |
*** pmackinn has quit IRC | 19:57 | |
*** itlinux_ has quit IRC | 20:20 | |
smatzek | trevormc, as you noted in https://review.openstack.org/#/c/454205 it may not be worth tracking down why the secret change is breaking instance launch. However, I also like to understand why that change would cause that breakage. | 20:25 |
smatzek | I've been looking through the logs of that failure along with successful verify logs and am using it as a learning exercise for the create-instance path. What I do know is that the Nova instance is up and running at the time of failure and it's likely some issue of comm between the trove conductor and the guest agent. | 20:26 |
trevormc | smatzek, hey I'm not sure what the issue is. I'm sure you're learning about the signs to early failures by looking into it though. I guess I could revert all the secret changes and see which config param is causing the issue and then look into it more. | 20:28 |
trevormc | It would be more of an experimental thing for me to do when I have more time. | 20:29 |
smatzek | The log statements are saying the instance creation from Trove's point of view never fails. So it should be possible to recreate in a sandbox/dev environment outside of the gate by putting the code in place and running a simple DB instance launch. I'm going to try that next, likely tomorrow. | 20:29 |
smatzek | At that point I could debug inside the DB instance VM, add more logging code, etc. | 20:30 |
smatzek | again, generally would be overkill for the bug fix debug, but as a learning exercise it's good. I just wanted to give you a heads up that I'm working on that debug. | 20:31 |
*** itlinux_ has joined #openstack-trove | 20:32 | |
*** smatzek has quit IRC | 20:48 | |
*** pmackinn has joined #openstack-trove | 20:53 | |
*** gouthamr has quit IRC | 21:03 | |
*** trevormc has quit IRC | 21:14 | |
*** gouthamr has joined #openstack-trove | 21:29 | |
*** rcernin has quit IRC | 21:54 | |
*** pmackinn_ has joined #openstack-trove | 22:02 | |
*** pmackinn has quit IRC | 22:05 | |
*** itlinux_ has quit IRC | 22:59 | |
*** pmackinn_ has quit IRC | 23:14 | |
*** jwcroppe has quit IRC | 23:20 | |
*** jwcroppe has joined #openstack-trove | 23:33 | |
*** jwcroppe has quit IRC | 23:38 | |
*** jwcroppe has joined #openstack-trove | 23:42 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!