16:00:41 <primeministerp> #startmeeting hyper-v
16:00:42 <openstack> Meeting started Tue Mar 11 16:00:41 2014 UTC and is due to finish in 60 minutes.  The chair is primeministerp. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:43 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:46 <openstack> The meeting name has been set to 'hyper_v'
16:00:51 <primeministerp> Hi all
16:00:56 <primeministerp> ociuhandu: morning ;)
16:00:59 <luis_fdez> hi
16:01:03 <primeministerp> luis_fdez: luis!
16:01:05 <ociuhandu> morning primeministerp :)
16:01:07 <ociuhandu> hi all
16:01:13 <primeministerp> luis_fdez: glad you could join us
16:01:27 <luis_fdez> It's been a long time since last meeting yeps
16:01:50 <primeministerp> ociuhandu: give alex a kick
16:02:24 <alexpilotti> hi there
16:02:30 <primeministerp> alexpilotti: howdy
16:02:39 <alexpilotti> sorry, was having a chat in -horizon about passwords
16:02:46 <primeministerp> no worries
16:02:53 <primeministerp> we all have a lot going on
16:03:05 <primeministerp> figured we could sync on current status
16:03:32 <alexpilotti> sure
16:03:38 <primeministerp> #topic status update
16:03:52 <alexpilotti> ok
16:03:56 <primeministerp> alexpilotti: I know there were new commits
16:04:00 <alexpilotti> so, everything looks bright
16:04:06 <primeministerp> alexpilotti: you want to give the quick run down?
16:04:24 <alexpilotti> RDP merged in nova, python-novaclient and horizon
16:04:30 <primeministerp> great
16:04:35 <primeministerp> that's a big one
16:04:43 <alexpilotti> hyper-v security groups merged in neutron
16:05:16 <primeministerp> also good news, we've got people wanting that
16:05:24 <alexpilotti> nova get-password feature merged in horizon (thanks arezmerita)
16:06:04 <alexpilotti> bug fixes are merged or in the process
16:06:22 <alexpilotti> so things are looking well
16:06:27 <primeministerp> awesome
16:06:59 <alexpilotti> questions on the status?
16:07:03 <primeministerp> we can almost start thinking about atlanta
16:07:09 <alexpilotti> luis_fdez? :-)
16:07:24 <luis_fdez> no questions alexpilotti, all the new features sound fantastic
16:07:44 <primeministerp> luis_fdez: i've got a thread going w/ Tim
16:07:55 <primeministerp> luis_fdez: re: cinder/smb3
16:08:03 <alexpilotti> cool, I know that you guys are interested in backporting to Havana, let me know if you need help
16:08:22 <luis_fdez> ok alexpilotti, I'll use your help for sure :D
16:08:25 <alexpilotti> primeministerp: should we briefly talk about what we plan to add for Juno?
16:08:30 <luis_fdez> primeministerp: smb3 is an option we want to explore yes
16:08:37 <primeministerp> yes we can start
16:08:51 <primeministerp> #topic juno ideas
16:08:53 <alexpilotti> cool
16:09:15 <primeministerp> so
16:09:28 <alexpilotti> the idea is to have others in the community chime in as well, if they'd like some features that we didn't think of, or we didn't want to prioritize yet
16:09:34 <alexpilotti> 1) smb3
16:09:36 <primeministerp> smb3/cinder work is on the table
16:09:43 <alexpilotti> development is basically done
16:09:55 <alexpilotti> it's a big set of patches
16:10:05 <alexpilotti> involving mostly nova and cinder
16:10:32 <alexpilotti> the important part, is that it'll involve libvirt support as well, not only hyper-v
16:10:43 <luis_fdez> smb3 support on kvm?
16:10:47 <alexpilotti> yep
16:10:50 <primeministerp> alexpilotti: yes we should not exclude linux functionality here
16:10:59 <primeministerp> luis_fdez: yes
16:11:01 <luis_fdez> that's a good point
16:11:10 <alexpilotti> luis_fdez: the idea is that this is going to be a cinder driver
16:11:18 <primeministerp> luis_fdez: both sides can consume it
16:11:28 <alexpilotti> and as such it'll need to be consumed by as many hypervisors as possible
16:11:55 <alexpilotti> think about a horizontal support, like what happens for ceph
16:12:35 <alexpilotti> luis_fdez: we can start beta testing it almost right away
16:12:54 <alexpilotti> it'll take at least one release cycle to get all the parts reviewed etc
16:13:15 <luis_fdez> alexpilotti: perfect, I imagine a lot of refactoring/review involved
16:13:21 <alexpilotti> yep
16:13:46 <primeministerp> alexpilotti: plus we'll want to include it in the regular CI runs by then as well
16:13:53 <primeministerp> alexpilotti: all things equal
16:13:58 <alexpilotti> if you guys want to run some tests, it'd be great. As we could provide the community with a third party point of view on the benefits
16:14:20 <alexpilotti> primeministerp: sure!
16:14:40 <alexpilotti> any questions on the SMB3 part?
16:14:49 <primeministerp> not really
16:14:52 <primeministerp> from my end
16:14:53 <luis_fdez> nop :)
16:15:05 <alexpilotti> ok, next is windows passwordless authentication
16:15:38 <alexpilotti> we did a lot of work to get x509 passwordless certification working in cloudbase-init and pywinrm
16:15:55 <alexpilotti> it's the rough equivalent of ssh keypairs
16:16:08 <alexpilotti> but native in the Windows OS
16:16:51 <alexpilotti> we're going to propose a BP for certificates
16:16:51 <alexpilotti> in Nova
16:16:51 <alexpilotti> and Horizon
16:17:21 <alexpilotti> so the user can choose a certificate and it gets provided via metadata to the instance
16:17:21 <alexpilotti> like:
16:18:00 <alexpilotti> nova boot --x509 mycert1 vm1
16:18:26 <alexpilotti> and then you can just use powershell to access the VM
16:18:26 <alexpilotti> no password involved, finally
16:18:48 <alexpilotti> this is mandatory for proper automation, security, etc
16:18:56 <primeministerp> alexpilotti: that's great news
16:19:09 <alexpilotti> same use cases as the SSH pubkey auth in Linux
16:19:12 <luis_fdez> alexpilotti: yeps, it's a must have
16:19:49 <alexpilotti> it's already working, by passing the certificate in userdata or custom metadata: #link http://www.cloudbase.it/windows-without-passwords-in-openstack/
16:20:38 <alexpilotti> but we really need a consistent API model in Nova to handle the certificate generation and storage
16:20:53 <alexpilotti> ok
16:21:18 <primeministerp> isn't ayoung working on that
16:21:32 <ayoung> primeministerp, sort of
16:21:40 <ayoung> cermonger
16:21:43 <primeministerp> ayoung: ahh
16:21:47 <ayoung> certmonger
16:22:03 <alexpilotti> ayoung: hi there!
16:22:04 <ayoung> alexpilotti, ++ I was discussing something along those lines earlier
16:22:15 <primeministerp> ayoung: we need to have lunch soon
16:22:16 <alexpilotti> ayoung: cool
16:22:20 <ayoung> how do we autoregister a host with a domain controller.  I assume that is what you are discussing?
16:22:37 <alexpilotti> ayoung: no, passwordless authentication in Windows
16:22:38 <primeministerp> ayoung: that would be part of your config mgmt right now
16:22:45 <alexpilotti> ayoung: a la SSH pubkey
16:22:49 <primeministerp> ayoung: what alexpilotti says
16:23:15 <ayoung> so...let me subvert this discussion
16:23:21 <alexpilotti> ayoung: guest DC registration is a separate painpoint at the moment :-)
16:23:31 <ayoung> we were discussing the same thing, but within the context of FreeIPA
16:23:48 <ayoung> I assume that a new windows vm, should be able to enroll with a PDC, no?
16:24:00 <ayoung> no "have to" but "should be able to"
16:24:06 <primeministerp> yes
16:24:06 <ayoung> and the pattern would be something like
16:24:11 <alexpilotti> ayoung: optionally
16:24:28 <ayoung> nova generates an OTP, passes it to the PDC as well as to the new vm via Vendoer data
16:24:32 <ayoung> vendoer
16:24:36 * ayoung gives up
16:24:41 <ayoung> venderrrrrrr
16:24:44 <ayoung> anyways
16:24:46 <alexpilotti> ayoung: the feature we are discussing is the equivalent of SSH pubkey auth
16:24:54 <primeministerp> ayoung: stop peddling the bike  ;)
16:24:55 <alexpilotti> ayoung: #link http://www.cloudbase.it/windows-without-passwords-in-openstack/
16:25:21 <alexpilotti> ayoung: said that, we are also VERY interested in your work
16:25:32 <ayoung> alexpilotti, so Windows also has this whole Kerberos infrastructure, as well as a CA etc
16:25:40 <alexpilotti> ayoung: as we are using crazy Heat templates at the moment to handle AD DC registration
16:26:02 <ayoung> and I think that a single mechanism supporting PDC registration for Windows and FreeIPA for Linux would be a powerful abstraction, and get you a good extension to that blueprint
16:26:06 <alexpilotti> ayoung: sure, but I wouldn't mix the two scenarios
16:26:20 <ayoung> yeah, but that means that a user registering a VM via Horizon or Nova can bypass
16:26:46 <ayoung> so...key injection is currently done in the LInux use case, so you need to handle the analogue in that blueprint
16:26:50 <ayoung> not arguing against that
16:27:06 <alexpilotti> ayoung: sure, that's just the very basic scenario
16:27:06 <ayoung> but I think you have it under control, and I like the fact that you are using X509s instead of raw keys
16:27:31 <ayoung> right now, however, horizon doesn't let me say "create a vm, and let me inject alexpilotti 's key into it"
16:27:37 <ayoung> I can only add my own key
16:27:39 <ayoung> and that sux
16:27:54 <alexpilotti> ayoung: sure
16:28:18 <ayoung> alexpilotti, for certificates to be done right, the secret key should never leave the remote machine
16:28:25 <ayoung> it should generate the CSR and post to a CA
16:28:28 <ayoung> and there is the rub
16:28:41 <alexpilotti> ayoung: it never does
16:28:51 <alexpilotti> ayoung: we inject only a self signed x509 (w/o key)
16:29:06 <alexpilotti> ayoung: in the same way in which you inject the pubkey in SSH case
16:29:12 <ayoung> ah, but for logging into a machine, you don't have a problem.  You only have a problem when the machine needs to call out...which is what HEAT is facing
16:29:43 <alexpilotti> ayoung: sure, that's why I'm saying that there are 2 completely different use cases :-)
16:29:47 <ayoung> certmonger can help, in that it allows you a mechanism for posting the CSR, but you still need an approval strategy
16:29:59 <ayoung> alexpilotti, but related....you want single sign on
16:30:12 <alexpilotti> ayoung: not every time
16:30:16 <ayoung> alexpilotti, I think the x509 case you have well covered
16:30:30 <ayoung> but I think quickly you are going to run into this issue
16:30:38 <ayoung> anyway, I'll leave you guys to discuss
16:30:43 <ayoung> look into certmonger
16:30:44 <alexpilotti> ayoung: a user can just say: I just want a VM, no complex Heat stuff, just let me log in w/o having to handle passwords
16:30:53 <ayoung> https://fedorahosted.org/certmonger/
16:31:11 <ayoung> alexpilotti, that is the easy side
16:31:21 <primeministerp> ayoung: #link https://fedorahosted.org/certmonger/ thx!
16:31:23 <ayoung> the hard side is getting the X509 signed.
16:31:36 <alexpilotti> ayoung: certmonger has the potential to solve all the other cases
16:31:50 <alexpilotti> ayoung: not for the basic auth case we are facing here
16:31:58 <alexpilotti> ayoung: self signed is way enough
16:32:07 <alexpilotti> ayoung: and one detail:
16:32:07 <ayoung> alexpilotti, it is part of the solution, but you still need to figure out the approval process.
16:32:09 <ayoung> alexpilotti, ugh
16:32:31 <ayoung> self-signed is... not something you want in production
16:32:32 <alexpilotti> ayoung: like the SSH case
16:32:43 <ayoung> yeah...same argument
16:32:52 * ayoung mutters about cowboys
16:32:59 <primeministerp> hehe
16:33:06 <alexpilotti> ayoung: you generate your own key, it never leaves your client, etc etc
16:33:11 <alexpilotti> lol
16:33:16 <ayoung> alexpilotti, right...and there is no revocation
16:33:20 <ayoung> and no expiration
16:33:28 <ayoung> at least self-signed will have expiration
16:33:57 <primeministerp> i want to second that
16:34:02 <alexpilotti> ayoung: yep, but again I wouldn't mix the various cases
16:34:02 <primeministerp> his lunch part
16:34:06 <primeministerp> ;)
16:34:31 <primeministerp> alexpilotti: let's finish this up, and you guys can continue the discussion
16:34:32 <alexpilotti> ayoung-lunch: you mean dinner, here? :-)
16:35:03 <alexpilotti> so, let's join the certmonger effort
16:35:13 <alexpilotti> and help on the AD bits
16:35:38 <primeministerp> alexpilotti: sounds like a plan, let's discuss more later and see what we can do
16:36:06 <primeministerp> I want to touch on the puppet modules for a moment
16:36:13 <alexpilotti> great
16:36:14 <primeministerp> luis_fdez: we're going to be starting cleanup work
16:36:25 <luis_fdez> primeministerp: ok great :)
16:36:26 <primeministerp> luis_fdez: in order to get things ready for puppetforge
16:36:33 <primeministerp> luis_fdez: so I'll be looking into your bits
16:36:44 <primeministerp> luis_fdez: sorry for the delay
16:36:44 <luis_fdez> Ok, I have to push local changes for the refactoring of:
16:36:49 <luis_fdez> nova_hyper_v...
16:36:53 <primeministerp> luis_fdez: great
16:36:55 <luis_fdez> I also have some work done in
16:36:57 <luis_fdez> ceilometer_hyper_v
16:37:11 <primeministerp> luis_fdez: let's align over the next week or so
16:37:15 <luis_fdez> I'm trying to align with the main stackforge modules structure
16:37:17 <luis_fdez> ok
16:37:18 <luis_fdez> perfect
16:37:26 <primeministerp> luis_fdez: great
16:37:46 <primeministerp> luis_fdez: let's keep that going, i want to get to the point where we could potentially merge into existing modules if possible
16:37:55 <primeministerp> luis_fdez: knowing that will take some time
16:38:06 <luis_fdez> ok, perfect
16:38:19 <primeministerp> luis_fdez: It may be another week before I get to get my hands more into the code
16:38:31 <luis_fdez> no problem
16:38:33 <digambar> Hello Guys, I am also working on HyperV for openstack as a compute node, I'd like to contribute on this effort
16:38:34 <primeministerp> luis_fdez: still trying to get back into things after two weeks at the mothership
16:38:41 <luis_fdez> hehe
16:38:44 <primeministerp> digambar: hey there
16:38:48 <digambar> yes
16:38:52 <primeministerp> digambar: have you seen the existing bits
16:39:11 <primeministerp> digambar: https://github.com/openstack-hyper-v/puppet-openstack_hyper_v
16:39:14 <digambar> just joined here
16:39:16 <digambar> ok
16:39:18 <primeministerp> digambar: o great
16:39:19 <alexpilotti> digambar: cool, welcome onboard!
16:39:34 <digambar> Thank you guys :)
16:39:38 <primeministerp> digambar: what time zone are you in?
16:39:46 <digambar> IST
16:39:57 <primeministerp> digambar: we can have a call/skype and I can catch up
16:40:11 <digambar> absolutely
16:40:18 <digambar> we can
16:40:23 <primeministerp> can you email me ppouliot@microsoft.com
16:40:38 <primeministerp> digambar: ^^ and I'll work on scheduling something
16:40:51 <primeministerp> digambar: for later this week
16:40:53 <digambar> yep, I'll mail you on this
16:40:56 <digambar> yep
16:40:58 <primeministerp> digambar: perfect
16:41:03 <digambar> :)
16:41:26 <alexpilotti> digambar: the main channel for the project is #openstack-hyper-v
16:41:28 <primeministerp> luis_fdez: let's touch base later in the week too to see where we each stand
16:41:34 <luis_fdez> ok primeministerp
16:41:39 <primeministerp> luis_fdez: I need to catch up w/ vijay and tim and see what they want to take on
16:41:59 <primeministerp> luis_fdez: anything else to add?
16:42:00 <digambar> Sure, I'll be available from today on this node
16:42:09 <primeministerp> digambar: great
16:42:14 <luis_fdez> I'm also thinking about having some kind of 'meta python module' like other Linux distributions have, like 'openstack-nova-common'
16:42:41 <primeministerp> luis_fdez: we sort of started one
16:42:43 <digambar> yep
16:42:48 <primeministerp> luis_fdez: w/ our python module
16:42:58 <luis_fdez> it's the easiest approach to align with stackforge modules but not sure if it's the best option.
16:43:11 <primeministerp> luis_fdez: we're prob going to have to do it
16:43:23 <primeministerp> luis_fdez: considering the different options for getting the python bits
16:43:27 <luis_fdez> yeps
16:43:41 <primeministerp> luis_fdez: esp w/ what we're doing w/ the autocompilation
16:44:28 <primeministerp> ok then, if there's nothing else
16:44:33 <primeministerp> i think we'll end it here
16:44:42 <luis_fdez> ok, have a nice day all of you :)
16:44:45 <primeministerp> #endmeeting