21:01:28 <timburke> #startmeeting swift
21:01:28 <opendevmeet> Meeting started Wed Jan 18 21:01:28 2023 UTC and is due to finish in 60 minutes. The chair is timburke. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:01:28 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:01:28 <opendevmeet> The meeting name has been set to 'swift'
21:01:36 <timburke> who's here for the swift meeting?
21:02:03 <mattoliver> o/
21:02:49 <zaitcev> o7
21:02:58 <kota> o/
21:03:05 <indianwhocodes> o/
21:03:08 <timburke> as usual, the agenda's at
21:03:10 <timburke> #link https://wiki.openstack.org/wiki/Meetings/Swift
21:03:27 <timburke> first up
21:03:57 <timburke> #topic CVE-2022-47950
21:04:28 <timburke> there's a critical CVE for swift that was made public this week
21:05:53 <timburke> security researchers at OVH discovered a way for authenticated clients to read arbitrary files from proxy-servers
21:06:08 <timburke> #link https://bugs.launchpad.net/swift/+bug/1998625
21:07:35 <timburke> this included things like tempauth credentials, keymaster root secrets, swift.conf swift_hash_path_prefix/suffix values, and auth_token service user credentials
21:08:22 <timburke> the good news is, this only affects clusters with S3 access enabled
21:09:35 <timburke> the bad news is, it's not limited to s3api; swift3 is also affected (for clusters that aren't on rocky yet)
21:10:04 <timburke> the fix is already merged to master
21:10:12 <timburke> #link https://review.opendev.org/c/openstack/swift/+/870823
21:10:45 <mattoliver> do we still have a swift3 repo? I haven't looked at that for years
21:10:58 <timburke> and backports are up for wallaby through zed -- though i'm realizing that the functional test may need a small update
21:11:37 <timburke> https://opendev.org/x/swift3/ is still a thing, though inactive
21:12:28 <mattoliver> kk
21:12:43 <timburke> maybe also worth noting: the github mirroring went away a while ago: https://github.com/openstack-archive/swift3/
21:13:42 <timburke> i don't think any patch is expected for swift3 -- i just want to be clear about the scope of affected clusters
21:14:15 <mattoliver> ok, and the readme does say it's frozen and all new patches go to the s3api middleware, so maybe it's ok.
21:14:22 <mattoliver> but a good reason for anyone to finally upgrade from queens or before
21:15:19 <mattoliver> zaitcev: did you guys have anyone still on pre-rocky? or is that something to ask cschwede?
21:15:26 <timburke> for sure! thankfully, even if operators can't upgrade directly to a more-recent swift, the code change is literally one line
21:15:29 <timburke> https://review.opendev.org/c/openstack/swift/+/870823/1/swift/common/middleware/s3api/etree.py
21:16:54 <zaitcev> mattoliver: Yes. We still have customers on Queens.
21:17:09 <timburke> unfortunately, the best mitigation i see for anyone that can't do *any* sort of code change is to disable S3 access
21:17:36 <mattoliver> the backport is going to what, as low as wallaby you said, so it's probably more of a concern for anything before there.
21:17:50 <mattoliver> Like you say tho it's a 1 liner
21:18:29 <mattoliver> if redhat still package swift3 for queens maybe they can just add a patch to it.
21:18:41 <timburke> if i can get stable gates happy again, i'm happy to do more backports -- more on that later, tho
21:18:54 <mattoliver> kk
21:20:40 <timburke> any other questions or comments on the CVE?
i want to give everyone a chance to digest it a bit
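
For context on the one-line fix linked above: the hardening pattern is to stop lxml from resolving external entities when parsing client-supplied XML. A minimal sketch of that pattern, using plain lxml rather than swift's actual wrapper in s3api/etree.py (the helper name below is illustrative, not the exact patch in 870823):

    # Illustrative only -- not the exact upstream patch.
    # The idea: when parsing client-supplied XML, tell lxml not to resolve
    # external entities, so a crafted DOCTYPE such as
    #   <!ENTITY x SYSTEM "file:///etc/swift/swift.conf">
    # can no longer pull local files into the parsed document.
    from lxml import etree

    parser = etree.XMLParser(resolve_entities=False, no_network=True)

    def parse_untrusted_xml(xml_bytes):
        """Parse client-supplied XML without expanding external entities."""
        return etree.fromstring(xml_bytes, parser)
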
21:23:17 <timburke> all right, we'll move on -- if anyone needs more info about it, feel free to reach out to me, either in channel or privately
21:23:34 <timburke> and i'd like to give special thanks to OVH for discovering the issue, mattoliver acoles and clayg for reviewing the patch, and fungi for getting the patches into gerrit!
21:23:52 <timburke> #topic vPTG
21:24:08 <fungi> my pleasure!
21:24:22 <timburke> just a reminder that there's a vPTG scheduled for the end of march
21:24:55 <timburke> mattoliver and i still need to get the doodle poll and etherpad up
21:25:19 <timburke> but everyone should go ahead and register if they haven't already!
21:25:21 <timburke> #link https://www.eventbrite.com/e/project-teams-gathering-march-2023-tickets-483971570997
21:25:43 <mattoliver> oh yeah, I'll get on that etherpad, so we can start gathering ideas
21:25:54 <timburke> thanks mattoliver
21:26:10 <timburke> #topic gate health
21:26:22 <timburke> another week, another gate breakage
21:26:34 <mattoliver> sigh
21:27:02 <timburke> dnspython 2.3.0 was recently released, which caused eventlet's monkey-patching of it to break
21:27:32 <mattoliver> oh great :(
21:27:35 <timburke> this would happen as soon as you went to import eventlet
21:27:42 <timburke> #link https://github.com/eventlet/eventlet/issues/781
21:28:14 <timburke> good news is that a fix has merged to eventlet, and temoto tagged a new 0.33.3 release that includes it
21:28:27 <mattoliver> So we need to pin the package until there is an upstream fix?
21:28:34 <mattoliver> oh wow, I like a quick turnaround!
21:29:08 <timburke> ...yes and no. so, we *should* have been safe from this because of the general openstack upper-constraints policy
21:29:38 <timburke> https://github.com/openstack/requirements/blob/master/upper-constraints.txt still lists dnspython===2.2.1
21:30:00 <timburke> and in fact, *most* of our jobs were still fine
21:30:31 <timburke> buuuut... our docs build previously only specified the extra doc-building requirements
21:30:31 <mattoliver> hey, it looks like you fixed it in upstream eventlet timburke, nice work!
21:30:48 <timburke> :D
21:31:25 <timburke> i also went ahead and fixed our docs job to properly use constraints
21:31:27 <timburke> #link https://review.opendev.org/c/openstack/swift/+/870853
21:31:39 <fungi> if it makes anyone feel any better (it probably doesn't), you're not alone. mistral spotted the exact same problem today, so i was able to point amorin at timburke's fix. worked like a charm there as well
21:32:14 <timburke> 👍 as long as the pain saves someone else some trouble, right?
21:33:16 <mattoliver> nice
21:33:18 <timburke> really, i don't think i would've minded *nearly* as much if we weren't also trying to get the CVE fix merged
21:34:52 <timburke> the doc-building fix also got backported -- wallaby through zed all have it now
21:34:52 <mattoliver> lol, true
21:35:32 <timburke> victoria started running into other issues, though
21:35:34 <timburke> #link https://review.opendev.org/c/openstack/swift/+/870784
21:36:53 <timburke> this is unfortunate and annoying -- not two weeks ago that gate was working and we merged the fix for the cpython '//' bug
21:36:56 <timburke> #link https://review.opendev.org/c/openstack/swift/+/868143
21:38:48 <timburke> i'll work on trying to get it functional again, but wanted to float a couple ideas
21:39:25 <timburke> 1. declare more stable branches end-of-life
21:40:02 <mattoliver> failures seem to be caused by the smmap package version mismatch, maybe needs a specific pin?
21:40:10 <timburke> 2. remove (or mark non-voting) some/many jobs from stable branches
21:41:36 <mattoliver> yeah true, is there an openstack policy on how many stable branches to maintain?
21:41:45 <timburke> mattoliver, yeah -- i think it's probably related to py2 support. thinking longer term, though, i'm willing to bet we'll see similar issues cropping up for py36 (which is no longer maintained by upstream cpython)
21:42:56 <mattoliver> yeah, definitely looks py2, as obviously the new version of smmap looks only py3+
21:42:59 <mattoliver> so yeah, we're just going to get more and more of these
21:43:30 <timburke> there's https://docs.openstack.org/project-team-guide/stable-branches.html -- "OpenStack development typically has 3 branches active at any point of time, master (the current development release), stable (the most recent release) and oldstable (previous release)."
21:43:45 <mattoliver> we either need to lock all pre-py3 branches down, pinning everything. Or maybe mark them as non-voting knowing that py2 support has basically gone
21:44:12 <timburke> with the introduction of "extended maintenance" i'm not sure that quote is entirely true
21:44:24 <mattoliver> Well based on n-2, we could remove a bunch of stable
21:44:54 <mattoliver> although I know redhat do support for longer. So do they need more stable branches upstream?
21:45:59 <mattoliver> or do we just need to support n-2 + some point-in-time LTS, but the latter can be non-voting for a bunch of tests?
21:47:38 <timburke> my impression is that we have a lot of discretion about both how many stable branches to support and what level of testing and support "extended maintenance" should mean
21:48:19 <mattoliver> extended maintenance does say reduced CI commitment which makes me think, non-voting or even removed gate checks
21:49:19 <timburke> fwiw, i've left so many stable branches open so far for exactly the sort of situation in which we find ourselves: a pretty big security issue for which it'd be nice to offer downstream packagers an official release for old versions
21:49:45 <mattoliver> yeah
21:49:50 <mattoliver> which is good
21:50:34 <timburke> but if it turns into me fighting with CI off and on for a month or two to be able to land *anything*, i'm not sure it's worth it
21:51:55 <mattoliver> So n-2 of them should be supported (CI etc), the rest we should be able to reduce CI commitment. maybe reduce it to pep8 and unit tests?
21:52:16 <mattoliver> I guess functional and probe too, but we seem to be having package issues breaking those
21:53:08 <mattoliver> OR, do we just force in this security bug to the old old stables and then EOL everything below wallaby and be done with it for now?
21:53:20 <mattoliver> *security patch
21:53:36 <timburke> not on victoria, at least. could keep in-process func tests but drop dsvm, for example
21:53:53 <mattoliver> true
21:54:37 <timburke> idk -- i'll poke at it for another day or two, see what i can come up with. seems like a good topic for the PTG tho :-)
21:54:43 <timburke> #topic open discussion
21:54:51 <timburke> anything else we should bring up this week?
21:55:07 <mattoliver> Well I can't speak for anyone, but for now, I think reduce CI to make them work and get the current security fix in, then we can discuss ditching them at the PTG
21:55:38 <mattoliver> or at least having our own definition of reduced CI commitment that doesn't take all your time
21:55:47 <mattoliver> also sorry about it always falling to you timburke
21:56:43 <timburke> eh, no worries -- there are worse things. just feels like i'm spinning my wheels sometimes, tho
21:58:13 <mattoliver> OK open discussion, I'm playing with a sharding statemachine change to just freakin update the state_timestamp every time a state changes (why we don't already is historic), but I feel it'll make life easier. So having a play with how much churn it causes
21:58:15 <mattoliver> a lot it seems in tests.
21:58:23 <mattoliver> haven't pushed it up yet, and it's currently only an experiment, but if it works I think it'll make the early cleave and active stuff much more trivial to deal with.
21:59:18 <timburke> nice! looking forward to it
21:59:21 <mattoliver> trying to tread carefully because the state_timestamp is used to cycle round the statemachine, and statemachine changes can be fickle, so hoping I haven't missed something past Al or I knew that current me doesn't.
21:59:47 <timburke> i do wonder why it isn't like that already...
22:00:29 <mattoliver> yeah, I agree, and it's because state_timestamp was added later to allow us to go back to active in roots, ie restart the statemachine
22:00:59 <timburke> all right, we're at time so i'll call it
22:01:07 <mattoliver> kk
22:01:12 <timburke> thank you all for coming, and thank you for working on swift!
22:01:15 <timburke> #endmeeting
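
A minimal sketch of the state_timestamp idea mattoliver describes above -- stamping every state transition rather than only some -- assuming a toy state holder rather than swift's actual ContainerBroker/sharder code (all names below are illustrative):

    # Illustrative sketch of "bump state_timestamp on every state change";
    # not swift's real sharding implementation.
    import time

    class ShardState:
        def __init__(self, state):
            self.state = state
            self.state_timestamp = time.time()

        def transition(self, new_state):
            # Record when the transition happened, even if we are cycling
            # back to a state we have been in before (e.g. returning a root
            # to ACTIVE), so consumers can order transitions by time rather
            # than infer them from the state value alone.
            self.state = new_state
            self.state_timestamp = time.time()
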