#openstack-meeting log

21:03:36 <ttx> #startmeeting crossproject
21:03:36 <morganfainberg> jeblair, welcome to ping-as-as-service fun facts?
21:03:37 <openstack> Meeting started Tue Feb  3 21:03:36 2015 UTC and is due to finish in 60 minutes.  The chair is ttx. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:03:39 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:03:41 <openstack> The meeting name has been set to 'crossproject'
21:03:42 <mestery> lol
21:03:47 <ttx> Our agenda for today:
21:03:51 <ttx> #link http://wiki.openstack.org/Meetings/CrossProjectMeeting
21:04:04 <ttx> #topic Horizon reviews for project (e.x. Sahara, Trove) panels (SergeyLukjanov)
21:04:09 <nikhil_k> o/
21:04:11 <ttx> SergeyLukjanov: awake ?
21:04:18 <SergeyLukjanov> ttx, yup
21:04:21 <ttx> SergeyLukjanov: you really shouldn't be, but you are
21:04:38 <ttx> So... Some changes in specific panels in Horizon seem to linger a bit
21:04:44 <ttx> I think this is due to a priority mismatch, with Horizon core focusing on the.. well.. core
21:04:53 <ttx> And because it's difficult for them to review the change functionally
21:04:56 <SergeyLukjanov> so, the question is very simple - how to manage change requests from different projects that have own panels to horizon
21:05:03 <ttx> Not sure how to best solve that mismatch...
21:05:18 <ttx> it won't get any better as we add more projects that may want Horizon panels
21:05:21 <SergeyLukjanov> yeah, unfortunately no good proposals on improving it
21:05:35 <jungleboyj> o/
21:05:36 <david-lyle> There are a couple of reasons for the lag generally
21:05:50 <SergeyLukjanov> but it's going to be an issues when new functionality couldn't be supported on the dashboard side
21:06:03 <david-lyle> first, they aren't targeted to any milestone, so we aren't watching for them
21:06:34 <david-lyle> two, the reason above, harder to verify the nuanced changes of other projects without subject matter experts
21:06:45 <david-lyle> and as a bonus item
21:06:55 <david-lyle> we've grown, a lot
21:07:11 <david-lyle> as the community continues to grow
21:07:13 <asalkeld> sounds a bit like tempest reviews
21:07:18 <SergeyLukjanov> the first ones seems to be able to be solved, but the second one sounds like a much bigger problem to solve
21:07:21 <SergeyLukjanov> yeah
21:07:28 <ttx> there is the option of having each project be responsible of their panel, but quality would be lower (and it's generally not the same people writing core code and Horizon panel code)
21:08:01 <dhellmann> ttx: would that be outside of the main horizon tree?
21:08:11 <ttx> dhellmann: a bit like tuskar-ui
21:08:24 <dhellmann> ok
21:08:24 <asalkeld> can you get the same functionality out of tree?
21:08:38 <dhellmann> it seems like that's a reasonable approach, but I don't know if the technical details work out
21:08:39 <SergeyLukjanov> sahara-dashboard was merged into the horizon during the prev. cycle :)
21:08:46 <david-lyle> horizon has a fairly mature plugin mechanism
21:09:18 <david-lyle> so it would be feasible to have UI plugins for services sit in a separate repo and installed onto Horizon nodes
21:09:25 <asalkeld> also there is benefit from having ui experts reviewing your code
21:09:26 <ttx> dhellmann: I think horizon-folk would still have to advise on how to best do one
21:09:38 <david-lyle> issues are UX consistency, translation, quality
21:09:44 <SergeyLukjanov> even if we'll have the project specific stuff out of the tree - will be horizon folks able to review changes to help keep some code quality?
21:09:50 <thingee> ttx: not sure how much has changed with horizon since it has been a while, but if each project's panel is a django app, can't these just live in tree of the projects? Like we plan to do with tempest?
21:09:51 <ttx> but maybe they could directly write some (say for Nova and other core-compute stuff), and support the work of others
21:09:55 <thingee> ttx: maybe I'm crazy
21:09:56 <SergeyLukjanov> david-lyle, ++
21:10:37 <ttx> david-lyle: we have a number of horizontal projects which are moving towards a "handle directly less projects, but provide tools and advice for all" model
21:10:50 <annegentle> to me it's a similar problem to the docs reviews-- and we manage to keep an eye on quite a few repos so far
21:11:00 <annegentle> so yes, what ttx said
21:11:16 <ttx> david-lyle: you would decide who you handle directly
21:11:16 <david-lyle> I worry UX is a different beast
21:11:22 <jeblair> at least having a "foo-dashboard" repo facilitates overlap between foo and horizon teams
21:11:29 <ttx> david-lyle: and provide advice for all the others rather than write them all
21:11:52 <cburgess> I would also point out that there arer panel in horizon today that have to touch multiple projects. The launch instance flow for instances can touch nova, neutron, and cinder. So I'm not sure how you would classify what is in core and what is in a project specific panel.
21:11:59 <david-lyle> ttx, honestly most are written externally now and merged into tree
21:12:14 <ttx> david-lyle: so the problem is more.. maintenance ?
21:12:22 <david-lyle> yes
21:12:23 <jeblair> cburgess: yes, i think those are good candidates for a basic layer supported in horizon tree
21:12:25 <thingee> cburgess: good point
21:12:36 <david-lyle> many projects are providing the maintenance as well
21:12:55 <david-lyle> core review load hasn't scaled to support the diversity
21:13:05 <SergeyLukjanov> ttx, maintening and improving
21:13:06 <cburgess> So to pick on cinder.. I could see a "volume" panel as being project specific, but the launch instance flow stuff is core. So there is defiantly overlap.
21:13:28 <david-lyle> additionally, when we get rather mature code merges, the UX can be inconsistent and harder to maintain
21:13:37 <thingee> cburgess: what about creating a volume from an image :)
21:13:46 <cburgess> Right that too.
21:13:51 <cburgess> It gets complicated.. quickly.
21:14:02 <david-lyle> but by that point it can be too far in the process
21:14:12 <thingee> or backup a volume to an object store
21:14:20 <ttx> david-lyle: it's a complex issue. I don't think we'll find the solution today, but I think that's the larger challenge for Horizon today
21:14:26 <ttx> largest*
21:14:30 <thingee> scratch the backup example
21:14:35 <david-lyle> I agree
21:14:53 <david-lyle> the big-tent scares me in that regard
21:14:56 <ttx> find its role and place in the larger tent
21:15:28 <david-lyle> either we look like we have 17 UI teams that throw something together, or we figure a better way to scale
21:15:36 <ttx> david-lyle: like I said, other horizontal projects have decided to move more in a tools+mentoring mode, but I see how that may not be applicabel to Horizon
21:15:56 <david-lyle> I think the latter is the correct approach, but details are pesky
21:16:39 <ttx> I think it's a discussion you should have with your team and see how to reorganize to support the future
21:16:51 <david-lyle> already have started
21:16:55 <ttx> not sure there is much more we can do today
21:17:02 <ttx> SergeyLukjanov: ?
21:17:12 <SergeyLukjanov> yeah
21:17:24 <david-lyle> it's a good point and not lost on me, been grappling with it for a while
21:17:29 <ttx> anything else on that topic ?
21:17:38 <SergeyLukjanov> david-lyle, could we followup with blueprints and issues?
21:17:46 <david-lyle> sure
21:17:52 <SergeyLukjanov> david-lyle, I mean to ensure that they aren't missed on the milestones?
21:17:57 <ttx> yes, the targeting coordination sounds solvable short-term
21:17:59 <david-lyle> that would be ideal
21:18:26 <ttx> ok, moving on
21:18:27 <ttx> #topic openstack-specs discussion
21:18:28 <SergeyLukjanov> david-lyle, okay, I'll take a look on how it could be done and contact you
21:18:33 <SergeyLukjanov> ttx, david-lyle thx
21:18:36 <ttx> * Add TRACE definition to log guidelines (https://review.openstack.org/#/c/145245/)
21:18:37 <david-lyle> thanks SergeyLukjanov
21:18:41 <ttx> Sergfethx for staying up
21:18:55 <ttx> SergeyLukjanov: ^
21:19:04 <ttx> sdague: around?
21:19:07 <sdague> ttx: yes
21:19:31 <sdague> so this is the first add after the major log guidelines, which is basically to take back the TRACE keyword
21:19:41 <sdague> which we've been randomly jamming into stack traces
21:19:50 <ttx> No opposition so far, so I raise it today to see if we can move on to TC rubberstamping next week
21:19:56 <sdague> and use it for trace level logging (i.e. < DEBUG)
21:20:02 <ttx> or if this needs a few more cycles
21:20:12 <dansmith> sdague: +10^9
21:20:24 <ttx> my impression is that this doesn't have enough PTLs +1 yet
21:20:42 <fungi> i was personally surprised the first time i saw a project logging stack traces/tracebacks as "trace" log level
21:21:02 <sdague> fungi: well, it kind of isn't. It's just jammed into the oslo log format string
21:21:10 <sdague> slightly back doored
21:21:14 <fungi> yeah
21:21:24 <fungi> but yeah, not what that's for
21:21:42 <ttx> sdague: if you do another revision for any reason, i would add trace definition in the bullet list
21:21:51 <sdague> anyway, please express opinions. This will clearly take longer amount of time because we'll need an oslo change
21:21:55 <ttx> but not worth losing the curent votes over
21:22:09 <dhellmann> sdague: did you have a chance to look at the implementation comment I left?
21:22:10 <sdague> but I think it's the right long term direciton
21:22:24 <sdague> dhellmann: I have not yet, I will loop back around on it
21:22:46 <dhellmann> sdague: nothing critical, but we have to be careful about assuming that everything can use oslo.log because of the dependency cycles
21:22:53 <sdague> ok
21:22:59 <ttx> I read the current silence on this as consent, but we actually need +1 for consent :)
21:23:34 <Rockyg> It would be really good to get a couple of seasoned operators' opinions from the operators list on this one.  I can try to get some more attention...
21:23:51 <sdague> Rockyg: this should not impact ops
21:23:51 <ttx> Rockyg: that would be great
21:24:04 <sdague> the expected use of this is at a level way below what ops should set at
21:24:06 * dhellmann hopes operators are not running with that much output
21:24:17 <dansmith> yeah, not sure this is an operator thing
21:24:17 <cburgess> sdague: Well several of us find stack traces very useful. As long as we can still get them without having to always run sub-debug level.
21:24:26 <Rockyg> Most ops are running at debug
21:24:27 <dhellmann> cburgess: this isn't about stack traces, though
21:24:36 <cburgess> OK
21:24:38 <cburgess> Haven't read the spec.
21:24:40 <dansmith> cburgess: I think the point is, not using TRACE for stack traces at all
21:24:43 <cburgess> and yes... we run at debug level.
21:24:50 <cburgess> OK thats cool.
21:24:54 <dansmith> cburgess: we want TRACE back for actual tracing
21:25:01 <jeblair> yeah, stack traces should be at >= error
21:25:03 <Rockyg> ++
21:25:08 <morganfainberg> dansmith, ++
21:25:13 <cburgess> Yeah so I agree with that then. Move stack traces to debug and let operators choose debug if they want.
21:25:14 <ttx> Free TRACE!
21:25:20 <sdague> jeblair: agreed
21:25:24 <cburgess> or error
21:25:36 <sdague> cburgess: no, stack traces should be errors, I think that's in the first log spec
21:25:44 <sdague> because that should never be an ok thing
21:25:45 <cburgess> Thats fine with me.
21:25:51 <jeblair> cburgess: yes, certainly that if you are running at debug, you should see stack traces
21:26:00 <dhellmann> cburgess: http://git.openstack.org/cgit/openstack/openstack-specs/tree/specs/log-guidelines.rst
21:26:08 <cburgess> OK I'm on the same page.
21:26:13 <cburgess> I don't see how this is an operator issue then.
21:26:32 <sdague> cburgess: http://git.openstack.org/cgit/openstack/openstack-specs/tree/specs/log-guidelines.rst#n246 more specifically
21:26:35 <cburgess> stack traces still happen, debug is debug, and trace will be a new thing. Seems fine to me.
21:26:54 <ttx> More on this topic ?
21:27:01 <sdague> just ... go vote on it
21:27:08 <ttx> yeah
21:27:59 <ttx> #topic rootwrap overhead - should we stay on this plan (sdague)
21:28:03 <bknudson> just a warning that code that's not tested (e.g., if trace isn't enabled) often winds up broken
21:28:13 <ttx> For those who missed the previous episodes, rootwrap was built for privilege separation, not really for performance
21:28:22 <ttx> Some services make heavy use of rootwrapped system calls, so the low performance impacts them
21:28:40 <ttx> and apparently as a result, some operators patch it out (although that's the first time I hear of that, I could use some details)
21:28:45 <dhellmann> are those projects adopting the daemon mode work you did?
21:28:49 <ttx> This basically means they are running the rootwrap-using nodes as root, which IMHO is not a great idea
21:28:58 <ttx> dhellmann: no
21:29:01 <ttx> The problem was *already* addressed on oslo.rootwrap side in Juno, with a high-performance daemon mode which is actually even faster than shelling out to sudo.
21:29:10 <ttx> But that change was not picked up by Neutron or Nova yet
21:29:25 <ttx> Neutron has a Kilo spec for it
21:29:26 <cburgess> I'll fall on the grenade here.
21:29:31 <ttx> sdague: but you had other suggestions ?
21:29:41 <sdague> ttx: 2 things
21:29:46 <thingee> ttx: or cinder https://review.openstack.org/#/c/149677/
21:29:52 <cburgess> So we did extensive performance testing of nova-network nova-compute in the G cycle with sudo and rootwrap.
21:29:54 <mestery> ttx: For Neutron, we plan to get rootwrap daemon mode in by Kilo-3.
21:29:56 <cburgess> Its wasn't even close.
21:30:08 <cburgess> So we patched back in the ability to select sudo.
21:30:09 <ttx> cburgess: not the daemon mode, I suspect
21:30:17 <cburgess> Nope not daemon mode. Wasn't an option yet.
21:30:35 <cburgess> So I will freely admit that our current practice is based on old performance data.
21:30:42 <ttx> cburgess: no question the "normal" mode sucks. It was designed for a couple calls in nova
21:30:56 <ttx> Neutron calls it a few hundreds times when creating a network
21:31:09 <cburgess> The daemon mode sound interesting and is something I would like to play with. But until nova and neutron support it (the two heaviest users of rootwrap) I don't know that it should be the only option.
21:31:23 <ttx> See perf impact at https://review.openstack.org/#/c/81798/
21:31:28 <sdague> yeh, nova is going to land a patch to make sudo selectable
21:31:30 <jogo> nova is holding off supporting daemon mode until it lands in neutron
21:31:47 <sdague> the other issue is the rootwrap policies are full of some pretty big holes
21:31:55 * dhellmann hopes mestery doesn't say neutron is waiting for nova
21:32:02 <dansmith> sdague: it's landed
21:32:06 <cburgess> Right so the patch to allow sudo again was added (by me) because a recent setuptools change undid the hack in PBR to make rootwrap perfomant. This resulted in gate failures due to timeouts.
21:32:12 <mestery> lol
21:32:14 <mestery> No, we plan to land that in kilo-3
21:32:27 <mestery> The work slipped from kilo-2, but I have high confidence it will land in kilo-3
21:32:31 <ttx> you realize "running with sudo" is the same as running as root security-wise ?
21:32:33 <dhellmann> mestery: early enough that nova is likely to be able to land it, too?
21:32:34 <sdague> nova-compute's policies actually make 0 sense because there are at least half a dozen own the box holes in it
21:32:47 <ttx> since you grant the user the ability to run anythign under sudo
21:33:04 <mestery> dhellmann: I'm not sure about that. The services split caused the author a slight headache I think, but we have a plan now on it.
21:33:05 <dhellmann> sdague: is that an issue with rootwrap, or with the policy definitions?
21:33:10 <cburgess> ttx: Yup I'm aware.
21:33:17 <ttx> with policy definitions
21:33:24 <dhellmann> sdague: like, do you see it as fundamental?
21:33:34 <sdague> dhellmann: it's an issue with the assumption that some of these services can be priv separated
21:33:37 <ttx> almost everything uses CommandFilter which sucks
21:33:43 * Rockyg I thought ttx was going to say running with sudo was like running with scissors
21:33:45 <cburgess> But as sdague pointed out you  can do that anyways with the current policies. Its a risk we take on and have to be sure we are aware of audit.
21:34:31 <ttx> cburgess: not for all the nodes though. I agree that the network and compute nodes have policies that basically let you do anything, because nobody takes the time to fix them
21:34:39 <dhellmann> sdague: because they need to do so many things as root?
21:34:42 <ttx> but an api or a metadata node are pretty secure
21:34:43 <sdague> dhellmann: yes
21:34:43 <cburgess> ttx: Agreed and we only patch it back in for nova.
21:35:10 <cburgess> ttx: We don't use neutron yet, but I suspect we would for that as well, though I will need to benchmark neutron and the new daemon mode in kilo.
21:35:10 <ttx> I wish that instead of patching it out people would spend more time fixing the policies or adopting the daemon mode
21:35:24 <dhellmann> ok, well, yeah, if there are real cases of that we should figure out if we can just run a root-level service with a small application-specific api of some sort
21:35:39 <dansmith> cburgess: IIRC, you can't use it with nova yet unless you make nova's rootwrap support support daemon mode
21:35:47 <cburgess> dansmith: Right
21:35:57 <dhellmann> sdague: but when I suggested neutron do that instead of building this general purpose thing into rootwrap they said that would be too hard
21:36:08 <dhellmann> the surface area may be different for nova's needs
21:36:11 <dansmith> fixing the policy definitions and supporting daemon mode are one thing,
21:36:14 <cburgess> So seems like we should get nova using daemon mode then do a 3 way performance analysis. If daemon mode is as good as it looks remove the sudo option again.
21:36:29 <dansmith> but I think that precluding support for sudo in the tree is not a necessary policy
21:36:35 <dhellmann> dansmith: ++
21:37:04 <cburgess> dansmith: daemon mode and policy fixes are separate things.
21:37:06 <dhellmann> on the other hand, then we have to ask which mode we'd test with
21:37:17 <cburgess> Also this feel like a nova and maybe neutron issue and not something that has to impact all projects.
21:37:21 <dansmith> cburgess: the two are required to demonstrate any advantage to using rootwrap, was my point
21:37:35 <cburgess> dansmith: Agreed
21:37:46 <ttx> dansmith: it was done at a time when performance was not so much an issue, and we hoped people would just write better filter definitions
21:37:47 <dansmith> dhellmann: we can test with rootwrap if we want, that's fine.. I don't think there is much risk there for the more relaxed case breaking
21:37:55 <dansmith> ttx: yeah, I understand
21:38:09 <ttx> the sad truth is, people don't care taht much about privilege separation
21:38:28 <ttx> neutron (which can still use sudo) is most often run with it
21:38:43 <fungi> it's also worth considering the risk profile of letting these services do things locally as root. in situations where they're the only thing running on the machine, it may not actually be buying you much to prevent giving them control over all the other things that system isn't actually doing
21:38:44 <morganfainberg> ttx, people may not care but that is because there hasn't been a reason to care (yet, thankfully)
21:38:45 <dansmith> well, and there are people that don't want to solve the problem that way anyway
21:39:00 <dansmith> we spend (too much) time getting our SELinux policies super tight
21:39:02 <sdague> well it only helps if you *really* know you've got policy that doesn't let you get out
21:39:17 <ttx> dansmith, sdague: so the patch is not patching out, it's just allowing to use sudo back again ?
21:39:18 <dansmith> fungi: exactly
21:39:23 <morganfainberg> but with the isolation fungi just described (many people run that way) it is less important to have the isolation
21:39:26 <sdague> ttx: correct
21:39:33 <dansmith> ttx: yes
21:39:34 <ttx> sdague: i'm fine with that
21:39:35 <cburgess> ttx: Yes its an option, uses rootwrap by default.
21:39:44 <ttx> matches what Neutron has
21:39:48 <fungi> what rootwrap is mostly buying is safety from someone coercing a service into doing things it wasn't intended to do, but preventing root access is a poor proxy for that sort of protection
21:40:07 <morganfainberg> this is a nice middleground fix allow sudo where people want to use sudo
21:40:09 <dhellmann> sdague, ttx, dansmith : should we push that up into the oslo.rootwrap code itself, so applications only have to deal with one api?
21:40:13 <sdague> fungi: right, agreed. which is why I wanted to raise it as an issue
21:40:22 <ttx> rootwrap doesn't enforce being the only option...
21:40:30 <dansmith> dhellmann: that would be a library option to ... not do anything? :)
21:40:34 <morganfainberg> ttx but nova not supporting anything else does.
21:40:37 <ttx> so Nova can definitely support both options
21:40:43 <morganfainberg> ttx, exactly
21:40:47 <cburgess> My work here is done.
21:40:51 <ttx> it's nova-side code anyway
21:40:52 <dhellmann> dansmith: a library option to use a function that calls sudo instead of our wrapper, so nova doesn't have to care at all
21:41:00 <sdague> because it seems like we're doing a lot of work here, to provide options, but as no one is really auditing the policies effectively, it seems.... not effective
21:41:12 <dhellmann> sdague: ++
21:41:29 <dhellmann> dansmith: and also instead of nova and neutron both having their own version of that option, and wrapper code
21:41:30 <sdague> it's like belt and suspenders, but no pants
21:41:39 <dansmith> dhellmann: well, my point is, it seems weird to have the library have a short-circuit option, because if I want to use sudo I could just snip that import line from nova and be good, instead of having to install the library for no reason, right?
21:41:42 <ttx> It's also worth noting that in many cases, the root call is not even necessary
21:41:50 <ttx> it's just convenient
21:42:04 <jogo> sdague: I once brought this up with one of the 'security' groups in OpenStack and they just shrugged and didn't want to audit
21:42:05 <dhellmann> dansmith: it makes rootwrap become "run this as root somehow" instead of "use your wrapper to run this"
21:42:17 <dansmith> I'd really like to be able to say "use sudo" and not even have the library imported as native support in the tree
21:42:25 <fungi> things like selinux and apparmor (and even just careful application of extended attributes and cgroups-imposed namespacing) are probably closer to where the real safety net should be, but that's a lot more complicated and varying cross-platform
21:42:30 <dhellmann> dansmith: why make every application author implement that?
21:42:42 <dansmith> dhellmann: I suppose, just seems overkill, but meh
21:42:43 <morganfainberg> jogo, "containers or isolation of concerns mostly mitigates the issue" i mean - to be fair if someone compromised neutron they could still do all neutron could do w/ rootwrap.
21:42:44 <ttx> sdague: you mentioned capabilities too
21:42:52 <morganfainberg> which isn't a small amount of breaking things.
21:42:54 <sdague> fungi: bingo, that seems like where the effort should be spent to me, honestly
21:42:58 * dhellmann takes off his Killing Code Duplication hat
21:42:58 <dansmith> fungi: yep
21:43:10 <ttx> sdague: I think it's not completely crazy to grant he neutron user rights over networky stuff
21:43:27 <ttx> and shave a few thousands rootwrap calls
21:43:31 <sdague> ttx: I was told neutron was moving to a model like that at the nova midcycle, maybe mestery can speak up
21:43:36 <ttx> to me it's a complentary approach
21:43:40 <fungi> except that networky stuff can often be parlayed into full root access to the system anyway
21:43:40 <dansmith> dhellmann: code dedup is good, but less-friggin-libraries-required wins for me every time :)
21:43:43 <ttx> complementary*
21:43:54 <bknudson> there's at least a review in progress to get selinux in triploe - https://review.openstack.org/#/c/108168/
21:43:57 <bknudson> tripleo
21:44:01 <ttx> fungi: you stole my bullet :)
21:44:08 <mestery> sdague: To be honest, we're hoping to get rootwrap in and I'm hoping we can discuss these aspects at the summit with the broader community
21:44:09 <dhellmann> dansmith: meh. Work on more than one project for a while.
21:44:18 <mestery> As someone said, we shouldn't solve htis one way in neutron and another in nova
21:44:23 <fungi> definitely one of those classic security arguments where the perfect can be the enemy of the good, but not sure we've really got candidates for either perfect or good
21:44:42 <mestery> fungi: ++
21:45:13 <morganfainberg> fungi, +∞
21:45:39 <fungi> the main thing i see rootwrap doing is letting some deployers feel like they have control over what a service can or can't do, but it's the "false sense of" variety of security
21:46:08 <ttx> I  would pursue all options. Allow nova to run sudo directly for the less security-conscious. Enable rootwrap daemon mode for those who want a decent tradeoff. Add capabilities to shave a thousand rootwrap calls. Improve the rootwrap filter definitions so that they actually filter
21:46:18 <sdague> fungi: yeh, that's a big concern for me
21:46:20 <fungi> and i have doubts that many deployers/operators are fine-tuning the default supplied rootwrap rules to begin with
21:46:20 <sdague> I mean - https://github.com/openstack/nova/blob/master/etc/nova/rootwrap.d/compute.filters#L39
21:46:24 <cburgess> ttx: +1
21:47:11 <ttx> sdague: I've been removing that one at least once in the past
21:47:19 <ttx> it just keeps on reappearing
21:47:35 <cburgess> Dear god that line scares me
21:47:35 <bknudson> needs a hacking check
21:47:44 <sdague> well there is also dd, cp in there
21:47:45 <morganfainberg> cburgess, haha
21:47:50 <ttx> and chown
21:47:58 <cburgess> Yeah
21:48:04 <cburgess> Wow I just really started looking at that file.
21:48:05 <sdague> yeh, like I said, it's kind of pointless
21:48:07 <jeblair> there seems to be a reviewer education problem
21:48:10 <cburgess> I'm going to go back to my safe pretend world now.
21:48:28 <ttx> the nova-compute node is running as root basically
21:48:33 <sdague> ttx: right
21:48:37 <morganfainberg> ttx, shhhh
21:48:41 <morganfainberg> ttx, you'll scare someone
21:48:45 <dansmith> sdague: the qemu-nbd one is probably the worst in there
21:48:47 <ttx> rootwrap just gives you a framlework to fix that, it's not a work-free bullet
21:48:49 <morganfainberg> :P
21:48:55 <dansmith> sdague: export /dev/sda as an nbd device.. game over :)
21:49:08 <morganfainberg> cburgess, what has been seen cannot be unseen. though yelling lalalalala helps sometimes.
21:49:08 <sdague> yeh, there are so many game overs
21:49:26 <sdague> which is why I'm not sure this approach works
21:49:56 <ttx> sdague: buggy filters make it just as unsecure as the option of using sudo directly
21:50:13 <morganfainberg> ttx, might make it worse. because it provides the sense of security falsely
21:50:32 <ttx> morganfainberg: true
21:50:49 <ttx> but most people think "running under a non-root user" makes them safe too
21:51:24 <ttx> The main issue to me is.. even when we fix them (I think I did it twice over the years) people keep on re-breaking them
21:51:24 <mriedem> did i already miss any discussion on bug 967832 ?
21:51:27 <ttx> difficult to gate on it
21:51:29 <sdague> anyway, it seems like on the compute nodes we should just admit it's basically game over, not sugar coat it at this level. Do it at the selinux/apparmor level
21:51:32 <ttx> mriedem: no
21:51:50 <ttx> sdague: or fix the filters
21:51:59 <dansmith> honestly,
21:52:05 <dansmith> there are two valuable things on a comptue node
21:52:11 <dansmith> the images with other people's data, and the mq credentials
21:52:21 <dansmith> if you get the latter, you can do anything you want to the entire deployment
21:52:28 <dansmith> both of those things are readable by nova's user anyway
21:52:57 <morganfainberg> sdague, i have opiinion on selinux and apparmor, but putting the enforcement at that level seems waaaaay more sane [regardless of which] than rootwrap
21:52:57 <sdague> yep
21:53:03 <dansmith> if you're running your company's imap server alongside nova-compute, you're in for more trouble anyway
21:53:12 <lifeless> !
21:53:28 <fungi> from a vmt perspective, having a handle on this and publicizing that it "does not do the things you think" for securing a deployment would help reduce what could otherwise become needless vulnerability reports
21:53:28 <ttx> We have one more topic to cover
21:53:32 <morganfainberg> dansmith, the mq-creds should be guarded with signed messages..
21:53:36 <cburgess> So I shouldn't be running my our payroll processing and credit card processor on the same server and my openstack cloud?
21:53:37 <morganfainberg> dansmith, but thats another story
21:53:41 <dansmith> morganfainberg: should be but they're not
21:53:52 <morganfainberg> dansmith, lets plan to circle back on that at L summit?
21:53:56 <morganfainberg> dansmith, i want to see that gap closed.
21:54:00 <ttx> cburgess: you should run them in containers on the same machine
21:54:06 <cburgess> morganfainberg +1
21:54:07 <morganfainberg> dansmith, will bug you on that front a bit later on this cycle?
21:54:10 <dansmith> morganfainberg: it's been on the list for a long time, but.. yeah :)
21:54:12 <morganfainberg> cburgess, you too.
21:54:18 <cburgess> ttx: Yeah I was joking and we are moving to containerizing everything.
21:54:37 <sdague> because containers never have exploits... :)
21:54:41 <ttx> cburgess: because that is safe (joking too)
21:54:42 <morganfainberg> sdague, ever.
21:54:48 <morganfainberg> sdague, EVAR
21:54:55 <ttx> OK, let's cover the last topic quick
21:54:59 <ttx> #topic Bug 967832 (mriedem)
21:55:00 <cburgess> ttx: I'm terrible at sarcasm. morganfainberg can verify this
21:55:08 <ttx> and I'm French
21:55:11 <ttx> #link https://bugs.launchpad.net/nova/+bug/967832
21:55:14 <ttx> #link http://lists.openstack.org/pipermail/openstack-dev/2015-February/055801.html
21:55:15 <morganfainberg> ttx, he's worse at it :P
21:55:20 <ttx> mriedem: you have 5 min :)
21:55:20 <cburgess> LOL
21:55:30 <mriedem> so morganfainberg already commented on this in the ML,
21:55:38 <mriedem> basically this is a bug across projects since grizzly,
21:55:52 <mriedem> looks like there was an approved spec in juno in neutron that didn't land code and wasn't re-proposed for kilo,
21:56:11 <morganfainberg> i actually like the concept of putting this into middleware that can receive registered "do X on event Y"
21:56:16 <mriedem> wondering if everyone is in agreement about fixing this thing and then looking for best solutions since it's going to be probably similar impl in the various projects
21:56:22 <morganfainberg> i would be 100% behind that.
21:56:41 <cburgess> mriedem: From an operator perspective I can tell you that this bug sucks, badly.
21:56:51 <mriedem> so nova tells middleware to call nova delete on an instance when a project that instance is running under is gone?
21:56:53 <fungi> it might make tempest devs a lot happier too
21:56:56 <morganfainberg> mriedem, yep.
21:57:05 <jogo> mriedem: yeah, callbacks
21:57:06 <morganfainberg> mriedem or spool, it for a periodic
21:57:14 <mtreinish> fungi: yes it would, it makes the cleanup story much easier
21:57:20 <mriedem> but...does nova need the tenant to exist for the delete to happen, or does middlware process the callback before deleting the tenant?
21:57:24 <morganfainberg> mriedem up to nova to figure it all out the best way to not crater itself
21:57:24 <notmyname> mriedem: middleware in what project? nova or keystone?
21:57:34 <lifeless> I think you need a bit of both
21:57:34 <morganfainberg> notmyname, i'd put it as a package in keystonemiddleware
21:57:35 <mriedem> notmyname: keystone
21:57:37 <lifeless> you want events for latency
21:57:38 <morganfainberg> but not in auth_token
21:57:56 <morganfainberg> notmyname, s/package/module
21:57:59 <notmyname> thanks
21:58:04 <cburgess> I don't think you would need the tenant to exist.
21:58:09 <lifeless> and you want either a lossless history or a diff style check to deal with servers that were down etc
21:58:11 <mriedem> did anyone look at the WIPs from neutron in juno? https://review.openstack.org/#/q/status:abandoned+project:openstack/neutron+branch:master+topic:bp/tenant-delete,n,z
21:58:13 <cburgess> Each project would only cleanup its own local resources.
21:58:16 <mriedem> mestery: do you remember those? ^
21:58:20 <jogo> cburgess: agreed, making sure tenant exists makes this a lot more complex
21:58:24 <cburgess> The problem we have is cross project relationships. Like volumes attached to VMs.
21:58:37 <cburgess> But maybe we don't care.
21:58:49 <notmyname> middleware sounds risky since (1) it requires coordination for things that can't be coordinated (eg what happens if an instance fails to delete?) and (2) it will _really_ slow down the delete call to keystone
21:58:51 <cburgess> Maybe we just take destructive do it anyways actions because its all being nuked.
21:59:12 <morganfainberg> notmyname, it's a callback - i assume nova would spool it for a delete job that is periodic
21:59:16 <bknudson> are there any other examples where a server needs to keep track of state in another server?
21:59:16 <mriedem> does multi-tenancy muck this up at all
21:59:17 <morganfainberg> not a 'do it right now'
21:59:17 <mriedem> ?
21:59:24 <morganfainberg> mriedem, not really.
21:59:25 <mriedem> can i have volumes attached to my instance from another project?
21:59:33 <notmyname> an alternate solution would be a background keystone scrubber that looks at what's been deleted and sends the related commands to different services (projects)
21:59:35 <morganfainberg> mriedem, god i hope not
21:59:54 <dhellmann> notmyname: ++
21:59:55 <mriedem> notmyname: yeah, but how long does that keep casting?
21:59:56 <mtreinish> mriedem: I don't think so, that sounds like a recipe for disaster
21:59:57 <morganfainberg> notmyname, sure - i'd just say whatever would be a listener that takes a callback
22:00:14 <notmyname> morganfainberg: I'm still not clear on what you mean by "callback
22:00:22 <morganfainberg> notmyname, so we publish the framework you register a function to do something
22:00:25 <lifeless> notmyname: or the projects could do the checking
22:00:28 <notmyname> and I'm considering what happens when someone is deleted from keystone and has a PB of data in swift
22:00:34 <jogo> notmyname: you register a function for the keystone janitor to call upon tenant deletion
22:00:38 <lifeless> notmyname: making keystone not have to know whats dependent on it
22:00:57 <lifeless> notmyname: which would be better I think
22:00:57 <bknudson> keystone_middleware.on_project_delete(function_to_call)
22:00:58 <ttx> Out of time -- Looks like that discussion can continue on the thread? We can cover it at next week meeting if necessary ?
22:01:08 <morganfainberg> ttx ++
22:01:10 <mriedem> sure
22:01:11 <notmyname> lifeless: but keystone does know. that's the whole point of keystone. it knows everything
22:01:26 <ttx> Feel free to continue to argue on #openstack-dev though
22:01:27 <morganfainberg> notmyname, no keystone doesn't know what depends on it.
22:01:30 <morganfainberg> anyway
22:01:32 <ttx> we just ned to vacate channel
22:01:34 <jogo> notmyname: it doesn't know how much data a user has in swift.
22:01:39 <ttx> No time for open discussion
22:01:44 <ttx> I'll just paste the link to the 1:1 syncs we had today, focused on the kilo-2 tag
22:01:50 <ttx> #link http://eavesdrop.openstack.org/meetings/ptl_sync/2015/ptl_sync.2015-02-03-09.06.html
22:02:03 <ttx> #endmeeting