15:00:21 #startmeeting manila 15:00:23 Meeting started Thu Mar 23 15:00:21 2017 UTC and is due to finish in 60 minutes. The chair is bswartz. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:24 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:26 The meeting name has been set to 'manila' 15:00:27 o/ 15:00:30 Hi 15:00:34 hi 15:00:35 hello all 15:00:36 hello 15:00:40 hello 15:00:48 ganso: hello 15:01:03 hi hi o/ 15:01:05 hi 15:01:09 hi 15:01:10 ganso: tommy respects only you )) 15:01:15 hi 15:01:19 no announcements today 15:01:21 vponomaryov: ... 15:01:23 vponomaryov: lol 15:01:33 ganso: hi 15:01:36 hi 15:01:36 #agenda https://wiki.openstack.org/wiki/Manila/Meetings 15:01:42 ganso: hi 15:02:12 vponomaryov, tbarron, tommylikehu_ : hello :) 15:02:21 #topic SSL certificate verification 15:02:49 this issue popped up late last week and I thought it would be good to bring it up here 15:02:55 for API? drivers? 15:03:12 this is a py27 change 15:03:59 hey all! 15:04:00 between py 2.7.8 and 2.7.9, the SSL library switched from not verifying SSL certs by default to verifying by default 15:04:20 in either case the behavior is configurable but the default changed and most people use the default 15:04:47 hi 15:04:58 Apparently it's relatively common for people to actually use HTTPS an not verify certificates, even though it's bad security practice 15:05:33 my understanding was older python couldnt be made to do it instead you had to install extra libs (hence the urllib3 insecure platform warning) 15:05:46 NetApp first noticed this issue back during ocata when our driver started having issues communicating with some backends using HTTPS 15:06:05 clarkb: I wasn't aware of that -- that explains some things 15:06:48 in any case the initial response was to turn create an option to turn off SSL cert verification in our driver, but I pushed back against that solution 15:06:56 I should clarify older python stdlib couldnt do it 15:07:37 My stance is that SSL certification verification is there for a reason, and it's better to show users how to use it correctly than to give them a switch to turn it off 15:08:24 users who _really_ don't want to do the work of setting up SSL right still have the option to use HTTP or downgrade to python 2.7.8 15:09:26 Seems reasonable. 15:09:35 anyways the issue popped up again because EMC encountered the same issue and pushed a bugfix to disable SSL cert verification in their driver, but did it using a global driver option 15:09:54 I have reverted that bugfix https://review.openstack.org/#/c/447065/ 15:10:11 and the remaining issue is how to solve EMC's problem 15:10:16 it is good to be able to turn it off in test labs 15:10:27 markstur: I disagree 15:10:42 it's good to setup SSL properly in your test labs 15:11:04 or test with HTTP 15:11:12 bswartz: I thought you are okay for a driver only fix? 15:11:38 anyways the current proposal is to introduce an EMC-only driver option to disable SSL cert verification, and I'm okay with that 15:11:39 its trivial to properly trust a self signed cert fwiw 15:11:58 s/it is good/it is sometimes necessary (and evil...)/ 15:12:06 but I don't want anyone getting the idea that's is a recommended practice 15:12:37 xyang2: I have some concern with driver only fix unless the option is marked 'testing...' or whatever 15:12:47 xyang2: from a distro and support POV, #1 15:13:12 xyang2: and #2, from manila seeking managed-vulnerability-status from OpenStack security 15:13:14 tbarron: from my understanding, that was targetting production clouds 15:13:42 ganso: ? so why would a production cloud want to run w/o cert for https? 15:13:56 xyang2: I would hope that the EMC driver option default to true (verify certificates unless the admin specifically disables it) 15:14:04 tbarron: default to true, is ok? 15:14:15 tbarron: I don't know, EMC should have the answer to that 15:14:29 xyang2: maybe log a warning when it's turned off, explaining the risks 15:14:40 bswartz: ok 15:14:58 xyang2: yeah, something loud that support people will see 15:15:15 the truth is that most admins are dumb and will take the path of least resistance to make things work 15:15:39 which is why I applaud the python community for making it harder to use SSL without certificate validation 15:16:39 as developers we have responsibility to make things secure by default and make it clear when options are changed to compromise security 15:16:58 bswartz++ 15:17:04 lol 15:17:21 Truth. 15:17:29 * bswartz gets off his soap box 15:17:53 #topic Specs 15:18:04 #link https://review.openstack.org/#/q/status:open+project:openstack/manila-specs 15:18:54 specs deadline is in 3 weeks 15:19:11 please be reviewing specs 15:19:25 are there any spec-review-related issues we should discuss here today? 15:20:32 zhongjun_: you have the most open specs for pike 15:20:35 https://review.openstack.org/#/c/447021/ is a good spec but needs an implementor 15:20:51 ^^ if anyone is interested 15:20:58 bswartz: yes, please review my specs 15:22:03 ^^ should largely be a port from cinder 15:22:07 also I should point out that while pike is a longer release, we have fewer people actively working on the team now :-( so we need to be mindful of core reviewer bandwidth 15:22:43 we will most likely need to make some priority calls about what we focus on in Pike 15:23:11 and some perfectly good specs and/or ideas might not get approved just so we can focus on the high priority stuff 15:23:48 more eyes on this would be appreciated https://review.openstack.org/#/c/445441/ 15:24:09 tbarron: why would Arne Wiebalck propose a spec he doesn't plan to work on? 15:24:22 with a high interest with regards to the perf section 15:25:01 How to define which spec is perfectly good specs? :D 15:25:02 bswartz: arnewiebalck is running a very big cloud full time, I think it's great to have operators proposing work for us 15:25:07 bswartz: b/c I’d like that feature to operate Manila in our cloud 15:25:19 instead of us just coming up a priori with ideas of what operators need 15:25:34 arnewiebalck: hi! 15:25:47 bswartz: o/ 15:26:09 bswartz: besides, I wouldn’t call myself a developer :) 15:26:19 okay I would just assume that operators would work with a developer to produce a spec that the developer would go on to implement 15:26:39 it's great to get input from operators 15:27:05 but a spec with no implementor does create problems for us 15:27:06 bswartz: I thought defining more precisely what I’d need would helkp finding a dev 15:27:19 I guess it's good to raise awareness that we need a volunteer here 15:27:57 and hopefully it's obvious to everyone that working on something that a deployer asks for is way more likely to be useful that working on stuff we dream up ourselves 15:28:00 :-) 15:28:32 actually, I can take it 15:28:39 if the implementation is not very complex (I need to read the spec), we may be able to get an intern from Outreachy to work on that 15:28:51 or Valeriy :) 15:28:51 Outreachy? 15:29:01 yeah it's an internship project we have in OpenStack 15:29:04 ah 15:29:06 s/project/program/g 15:29:34 and btw vkmc's spec https://review.openstack.org/#/c/445441/ for telemetry is actual operator/customer demanded also 15:29:45 we have a bunch of shovel-ready work for interns who want to contribute 15:29:56 If it is just a port from Cinder it shouldn't be that bad. 15:30:10 jungleboyj: +1 15:30:32 i referenced the Cinder commit in the spec 15:30:37 vponomaryov: if you're interested please take a look 15:30:47 I'm curious to know how much work this is 15:30:48 bswartz: ok 15:30:48 oh nice... yeah, in that case it could be ok 15:31:30 vkmc: If you have someone Outreachy for it I can be available to help understand the Cinder side as they bring it over. 15:31:51 well vponomaryov will probably have it done tomorrow :) 15:31:51 jungleboyj, that would be awesome! 15:31:58 yeah :) 15:32:03 tbarron, ^ 15:32:29 but jungleboyj there's more gold where that came from 15:32:38 :-) Is he the Gorka of Manila tbarron ? 15:33:37 okay I think that covers specs 15:34:04 please review them, please don't feel bad about pushing for reviews if you're an author 15:34:08 #topic open discussion 15:34:13 any other things for today? 15:34:39 wait 15:35:07 hope someone would like to take a look 15:35:08 https://review.openstack.org/#/c/448384/ 15:35:22 I am proposing this in cinder, but we also have this in manila 15:36:45 tommylikehu_: is there a spec for that, or just the change? 15:37:03 it's a idea 15:37:22 tommylikehu_: Is this THE change? 15:37:32 jungleboyj: yes 15:37:41 Ah, yes it is. :-) 15:37:57 I hope I can get more response 15:37:59 just that. 15:38:14 So, I looked at that more this morning and my confusion was I didn't even know that change had gone in place. 15:38:18 okay and I see that jprovazn already saw it so hopefully the idea can be integrated into the manila user messages work if it makes sense 15:38:24 tommylikehu_: thank you for working for consistency across the two projects where it matters, despite jgriffith saying he doesn't give a @#$#@ about what manila does :) 15:38:38 tbarron: ++ 15:38:40 tbarron: lol 15:38:49 tbarron: you checked the history 15:39:14 tommylikehu_: I will go comment in the review. See what others think. Thank you for the updates and bearing with me on that. 15:39:14 tommylikehu_, bswartz: yes, I like the idea in the patch and if manila user messages spec will be accepted I hope we can use the same too 15:39:25 k 15:39:39 thanks. jprovazn, jungleboyj, tbarron:) 15:40:04 We can do this after meeting 15:40:15 alright if there's nothing else we're done 15:40:21 thanks everyone 15:40:32 #endmeeting