16:00:41 <primeministerp> #startmeeting hyper-v 16:00:42 <openstack> Meeting started Tue Mar 11 16:00:41 2014 UTC and is due to finish in 60 minutes. The chair is primeministerp. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:43 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:00:46 <openstack> The meeting name has been set to 'hyper_v' 16:00:51 <primeministerp> Hi all 16:00:56 <primeministerp> ociuhandu: morning ;) 16:00:59 <luis_fdez> hi 16:01:03 <primeministerp> luis_fdez: luis! 16:01:05 <ociuhandu> morning primeministerp :) 16:01:07 <ociuhandu> hi all 16:01:13 <primeministerp> luis_fdez: glad you could join us 16:01:27 <luis_fdez> It's been a long time since last meeting yeps 16:01:50 <primeministerp> ociuhandu: give alex a kick 16:02:24 <alexpilotti> hi there 16:02:30 <primeministerp> alexpilotti: howdy 16:02:39 <alexpilotti> sorry, was having a chat in -horizon about passwords 16:02:46 <primeministerp> no worries 16:02:53 <primeministerp> we all have a lot going on 16:03:05 <primeministerp> figured we could sync on current status 16:03:32 <alexpilotti> sure 16:03:38 <primeministerp> #topic status update 16:03:52 <alexpilotti> ok 16:03:56 <primeministerp> alexpilotti: I know there were new commits 16:04:00 <alexpilotti> so, everything looks bright 16:04:06 <primeministerp> alexpilotti: you want to give the quick run down? 16:04:24 <alexpilotti> RDP merged in nova, python-novaclient and horizon 16:04:30 <primeministerp> great 16:04:35 <primeministerp> that's a big one 16:04:43 <alexpilotti> hyper-v security groups merged in neutron 16:05:16 <primeministerp> also good news, we've got people wanting that 16:05:24 <alexpilotti> nova get-password feature merged in horizon (thanks arezmerita) 16:06:04 <alexpilotti> bug fixes are merged or in teh process 16:06:22 <alexpilotti> so things are looking well 16:06:27 <primeministerp> awesome 16:06:59 <alexpilotti> questions on the status? 16:07:03 <primeministerp> we can almost start thinking about atlanta 16:07:09 <alexpilotti> luis_fdez? :-) 16:07:24 <luis_fdez> no questions alexpilotti, all the new features sound fantastic 16:07:44 <primeministerp> luis_fdez: i've got a thread going w/ Tim 16:07:55 <primeministerp> luis_fdez: re: cinder/smb3 16:08:03 <alexpilotti> cool, I know that you guys are interested in backporting to Havana, let me know if you need help 16:08:22 <luis_fdez> ok alexpilotti, I'll use your help for sure :D 16:08:25 <alexpilotti> primeministerp: should we briefly talk about what we plan to add for Juno? 16:08:30 <luis_fdez> primeministerp: smb3 is an option we want to explore yes 16:08:37 <primeministerp> yes we can start 16:08:51 <primeministerp> #topic juno ideas 16:08:53 <alexpilotti> cool 16:09:15 <primeministerp> so 16:09:28 <alexpilotti> the idea is to have others in the community to chime in as well, if they'd like some features that we didn't think of, or we didn't want to prioritize yet 16:09:34 <alexpilotti> 1) smb3 16:09:36 <primeministerp> smb3/cinder work is on the table 16:09:43 <alexpilotti> development is basically done 16:09:55 <alexpilotti> it's a big set of patches 16:10:05 <alexpilotti> involving mostly nova and cinder 16:10:32 <alexpilotti> the important part, is that it'll involve libvirt support as well, not only hyper-v 16:10:43 <luis_fdez> smb3 suport on kvm? 16:10:47 <alexpilotti> yep 16:10:50 <primeministerp> alexpilotti: yes we should not exclude linux functionality here 16:10:59 <primeministerp> luis_fdez: yes 16:11:01 <luis_fdez> that's a good point 16:11:10 <alexpilotti> luis_fdez: the idea is that this is going to be a cinder driver 16:11:18 <primeministerp> luis_fdez: both sides can consume it 16:11:28 <alexpilotti> and as such it'll need to be consumed by as many hypervisors as possible 16:11:55 <alexpilotti> think about an horizontal support, like what happens for ceph 16:12:35 <alexpilotti> luis_fdez: we can start beta testing it almost right away 16:12:54 <alexpilotti> it'll take at least one release cycle to get all the parts reviewed etc 16:13:15 <luis_fdez> alexpilotti: perfect, I imagine a lot of refactoring/review involved 16:13:21 <alexpilotti> yep 16:13:46 <primeministerp> alexpilotti: plus we'll want to include it in the regular CI runs by then as well 16:13:53 <primeministerp> alexpilotti: all thing equal 16:13:58 <alexpilotti> if you guys want to run some tests, it'd be great. As we could provide the community with a third party point of view on the benefits 16:13:59 <primeministerp> er things 16:14:20 <alexpilotti> primeministerp: sure! 16:14:40 <alexpilotti> any questions on the SMB3 part? 16:14:49 <primeministerp> not really 16:14:52 <primeministerp> from my end 16:14:53 <luis_fdez> nop :) 16:15:05 <alexpilotti> ok, next is windows passwordless authentication 16:15:38 <alexpilotti> we did a lot of work to get x509 passwordless certification working in cloudbase-init and pywinrm 16:15:55 <alexpilotti> it's the rough equivalent of ssh keypairs 16:16:08 <alexpilotti> but native in the WIndows OS 16:16:51 <alexpilotti> we're going to propose a BP for certificates 16:16:51 <alexpilotti> in Nova 16:16:51 <alexpilotti> and Horizon 16:17:21 <alexpilotti> so teh use can choose a certificate and it gets provided via metadata to the instance 16:17:21 <alexpilotti> *the user 16:17:21 <alexpilotti> like: 16:18:00 <alexpilotti> nova boot --x509 myvert1 vm1 16:18:00 <alexpilotti> *mycert1 16:18:26 <alexpilotti> and the you can just use powershell to access the VM 16:18:26 <alexpilotti> no password involved, finally 16:18:48 <alexpilotti> this is mandatory for proper automation, security, etc 16:18:56 <primeministerp> alexpilotti: that's great news 16:19:09 <alexpilotti> same use cases as the SSH pubkey auth in Linux 16:19:12 <luis_fdez> alexpilotti: yeps, it's a must have 16:19:49 <alexpilotti> it's already working, by passwing the certificate in userdata or cutome metadata: #link http://www.cloudbase.it/windows-without-passwords-in-openstack/ 16:20:38 <alexpilotti> but we really need a consistent API model in Nova to handle teh certificate generation and storage 16:20:53 <alexpilotti> ok 16:21:18 <primeministerp> isn't ayoung working on that 16:21:32 <ayoung> primeministerp, sort of 16:21:40 <ayoung> cermonger 16:21:43 <primeministerp> ayoung: ahh 16:21:47 <ayoung> certmonger 16:22:03 <alexpilotti> ayoung: hi there! 16:22:04 <ayoung> alexpilotti, ++ I was discussing something along those lines earlier 16:22:15 <primeministerp> ayoung: we need to have lunch soon 16:22:16 <alexpilotti> ayoung: cool 16:22:20 <ayoung> how do we autoregister a host with a domain controller. I assume that is what you are discussing? 16:22:37 <alexpilotti> ayoung: no, passwordless authentication in WIndows 16:22:38 <primeministerp> ayoung: that would be part of your config mgmt right now 16:22:45 <alexpilotti> ayoung: a la SSH pubkey 16:22:49 <primeministerp> ayoung: what alexpilotti says 16:23:15 <ayoung> so...let me subvert this discussion\ 16:23:21 <alexpilotti> ayoung: guest DC registration is a separate painpoint at the moment :-) 16:23:31 <ayoung> we were discussing the same thing, but within the context of FreeIPA 16:23:48 <ayoung> I assume that a new windows vm, should be able to enroll with a PDC, no? 16:24:00 <ayoung> no "have to" but "should be able to" 16:24:06 <primeministerp> yes 16:24:06 <ayoung> and the pattern would be something like 16:24:11 <alexpilotti> ayoung: optionally 16:24:28 <ayoung> nova generates an OTP, passes it to the PDC as well as to the new vm via Vendoer data 16:24:32 <ayoung> vendoer 16:24:36 * ayoung gives up 16:24:41 <ayoung> venderrrrrrr 16:24:44 <ayoung> anyways 16:24:46 <alexpilotti> ayoung: the feature we are discussing is the equivalent of SSH pubkey auth 16:24:54 <primeministerp> ayoung: stop peddling the bike ;) 16:24:55 <alexpilotti> ayoung: #link http://www.cloudbase.it/windows-without-passwords-in-openstack/ 16:25:21 <alexpilotti> ayoung: said that, we are also VERY interested in your work 16:25:32 <ayoung> alexpilotti, so Windows also has this whole Kerberos infrastructure, as well as a CA etc 16:25:40 <alexpilotti> ayoung: as we are using crazy Heat templates at the moment to handle AD DC registration 16:26:02 <ayoung> and I think that a single mechanism supporting PDC registration for Windows and FreeIPA for Linux would be a powerful abstraction, and get you a good extension to that blueprint 16:26:06 <alexpilotti> ayoung: sure, but I wouldn't mix the two scenarios 16:26:20 <ayoung> yeah, but that means that an user registering a VM via Horizon or Nova can bypass 16:26:46 <ayoung> so...key injection is currently done in the LInux use case, so you need to handle the analogue in that blueprint 16:26:50 <ayoung> not arguing against that 16:27:06 <alexpilotti> ayoung: sure, that's just the vry basic scenario 16:27:06 <ayoung> but I think you have it under control, and I like the fact that you are using X509s instead of raw keys 16:27:31 <ayoung> right now, however, horizon doesn't let me say "create a vm, and let me inject alexpilotti 's key into it" 16:27:37 <ayoung> I can only add my own key 16:27:39 <ayoung> and that sux 16:27:54 <alexpilotti> ayoung: sure 16:28:18 <ayoung> alexpilotti, for certificates to be done right, the secret key should never leave the remote machine 16:28:25 <ayoung> it should generate the CSR and post to a CA 16:28:28 <ayoung> and there is the rub 16:28:41 <alexpilotti> ayoung: it never does 16:28:51 <alexpilotti> ayoung: we inject only a self signed x509 (w/o key) 16:29:06 <alexpilotti> ayoung: in teh same way in which you inject the pubkey in SSH case 16:29:12 <ayoung> ah, but for logging into a machine, you don't have a problem. You only have a problem when the machine needs to call out...which is what HEAT is facing 16:29:43 <alexpilotti> ayoung: sure, that's why I'm saying that there are 2 completely different use cases :-) 16:29:47 <ayoung> certmonger can help, in that it allows you a mechanism for posting the CSR, but you still need an approval strategy 16:29:59 <ayoung> alexpilotti, but related....you want single sign on 16:30:12 <alexpilotti> ayoung: not everytime 16:30:16 <ayoung> alexpilotti, I thin the x509 case you ahve well covered 16:30:30 <ayoung> but I think quickly you are going to run into this issue 16:30:38 <ayoung> antyway, I'll leave you guys to discuss 16:30:43 <ayoung> look into certmonger 16:30:44 <alexpilotti> ayoung: a user can just say: I just want a VM, no complex Heat stuf, just let me log in w/o having to handle passwords 16:30:53 <ayoung> https://fedorahosted.org/certmonger/ 16:31:11 <ayoung> alexpilotti, that is the easy sider 16:31:21 <primeministerp> ayoung: #link https://fedorahosted.org/certmonger/ thx! 16:31:23 <ayoung> the hard side is getting the X509 signed. 16:31:36 <alexpilotti> ayoung: certmonger has the potential to solve all the other cases 16:31:50 <alexpilotti> ayoung: not for the basica auth case we are facing here 16:31:58 <alexpilotti> ayoung: self signed is way enough 16:32:07 <alexpilotti> ayoung: and one detail: 16:32:07 <ayoung> alexpilotti, it is part of the solution, but you still need to figure out the approval process. 16:32:09 <ayoung> alexpilotti, ugh 16:32:31 <ayoung> selfsigned is....not something you want in production 16:32:32 <alexpilotti> ayoung: like teh SSH case 16:32:43 <ayoung> yeah...same argument 16:32:52 * ayoung mutters about cowboys 16:32:59 <primeministerp> hehe 16:33:06 <alexpilotti> ayoung: you generate your own key, it never leaves your client, etc etc 16:33:11 <alexpilotti> lol 16:33:16 <ayoung> alexpilotti, right...and there is no revocation 16:33:20 <ayoung> and no expiration 16:33:28 <ayoung> at least selfsigned will have expiration 16:33:57 <primeministerp> i want to second that 16:34:02 <alexpilotti> ayoung: yep, but again I would'nt mix the various cases 16:34:02 <primeministerp> his lunch part 16:34:06 <primeministerp> ;) 16:34:31 <primeministerp> alexpilotti: let's finish this up, and you guys can continue the discussion 16:34:32 <alexpilotti> ayoung-lunch: you mean dinner, here? :-) 16:35:03 <alexpilotti> so, let's join the certmonger effort 16:35:13 <alexpilotti> and help on teh AD bits 16:35:38 <primeministerp> alexpilotti: sounds like a plan, let's discuss more later and see what we can do 16:36:06 <primeministerp> I want to touch on the puppet modules for a moment 16:36:13 <alexpilotti> great 16:36:14 <primeministerp> luis_fdez: we're going to be starting cleanup work 16:36:25 <luis_fdez> primeministerp: ok great :) 16:36:26 <primeministerp> luis_fdez: in order to get things ready for puppetforge 16:36:33 <primeministerp> luis_fdez: so I'll be looking into your bits 16:36:44 <primeministerp> luis_fdez: sorry for the delay 16:36:44 <luis_fdez> Ok, I have to push local changes for the refactoring of: 16:36:49 <luis_fdez> nova_hyper_v... 16:36:53 <primeministerp> luis_fdez: great 16:36:55 <luis_fdez> I also have some work done in 16:36:57 <luis_fdez> ceilometer_hyper_v 16:37:11 <primeministerp> luis_fdez: let's align over the next week or so 16:37:15 <luis_fdez> I'm trying to align with the main stackforge modules structure 16:37:17 <luis_fdez> ok 16:37:18 <luis_fdez> perfect 16:37:26 <primeministerp> luis_fdez: great 16:37:46 <primeministerp> luis_fdez: let's keep that going, i want to get to the point where we could potentially merge into existing modules if possible 16:37:55 <primeministerp> luis_fdez: knowing that will take some time 16:38:06 <luis_fdez> ok, perfect 16:38:19 <primeministerp> luis_fdez: It may be another week before I get to get my hands more into the code 16:38:31 <luis_fdez> no problem 16:38:33 <digambar> Hello Guys, I am also working on HyperV for openstack as a compute node, I'd like to contribute on this effort 16:38:34 <primeministerp> luis_fdez: still trying to get back into things after two weeks at the mothership 16:38:41 <luis_fdez> hehe 16:38:44 <primeministerp> digambar: hey there 16:38:48 <digambar> yes 16:38:52 <primeministerp> digambar: have you seen the existing bits 16:39:11 <primeministerp> digambar: https://github.com/openstack-hyper-v/puppet-openstack_hyper_v 16:39:14 <digambar> just joined here 16:39:16 <digambar> ok 16:39:18 <primeministerp> digambar: o great 16:39:19 <alexpilotti> digambar: cool, welcome onboard! 16:39:34 <digambar> Thank you guys :) 16:39:38 <primeministerp> digambar: what time zone are you in? 16:39:46 <digambar> IST 16:39:57 <primeministerp> digambar: we can have a call/skype and I can catch up 16:40:11 <digambar> absolutely 16:40:18 <digambar> we can 16:40:23 <primeministerp> can you email me ppouliot@microsoft.com 16:40:38 <primeministerp> digambar: ^^ and I'll work on scheduling something 16:40:51 <primeministerp> digambar: for later this week 16:40:53 <digambar> yep, I'll mail you on this 16:40:56 <digambar> yep 16:40:58 <primeministerp> digambar: perfect 16:41:03 <digambar> :) 16:41:26 <alexpilotti> digambar: the main channel for the project is #openstack-hyper-v 16:41:28 <primeministerp> luis_fdez: let's touch base later in the week too to see where we each stand 16:41:34 <luis_fdez> ok primeministerp 16:41:39 <primeministerp> luis_fdez: I need to catch up w/ vijay and tim and see what they want to take on 16:41:59 <primeministerp> luis_fdez: anything else to add? 16:42:00 <digambar> Sure, I'll be available from today on this node 16:42:09 <primeministerp> digambar: great 16:42:14 <luis_fdez> I'm also thinking about have some kind of 'meta python module' like other linux distribution have like 'openstack-nova-common' 16:42:41 <primeministerp> luis_fdez: we sort of started one 16:42:43 <digambar> yep 16:42:48 <primeministerp> luis_fdez: w/ our python module 16:42:58 <luis_fdez> it's the easiest aproach to align with stackforge modules but not sure if it's the best option. 16:43:11 <primeministerp> luis_fdez: we're prob going to have to do it 16:43:23 <primeministerp> luis_fdez: considering the different options for getting the python bits 16:43:27 <luis_fdez> yeps 16:43:41 <primeministerp> luis_fdez: esp w/ what we're doing w/ the autocompilation 16:44:28 <primeministerp> ok then, if there's nothing else 16:44:33 <primeministerp> i think we'll end it here 16:44:42 <luis_fdez> ok, have a nice day all of you :) 16:44:45 <primeministerp> #endmeeting