IRC log for #puppet-openstack, 2015-05-12

All times shown according to UTC.

Time Nick Message
00:19 richm gildub: ping - was wondering if you had a chance to catch up with the discussion between crinkle and me about authentication
00:22 openstackgerrit Adam Vinsh proposed stackforge/puppet-swift: Add support for dedicated replication network.  https://review.openstack.org/177037
00:24 gildub richm, yes I did
00:24 ibravo joined #puppet-openstack
00:25 xingchao joined #puppet-openstack
00:26 gildub richm, just published comment to comments
00:27 richm but one of the points of this exercise is to prevent putting passwords, tokens, other secrets in a command line?
00:27 richm i.e. passing them in ENV?
00:28 britthou_ joined #puppet-openstack
00:28 richm as for putting the app config file last - I think the actual code will be fairly ugly to work around the fact that openrc will override it, but I'll give you guys the benefit of the doubt
00:31 richm if you pass values on the command line, will openstack use those values, and _only_ those values?  That is, if you have some seemingly unrelated setting in ENV e.g. OS_USER_DOMAIN_NAME, will openstack use it from ENV because it is there?
00:40 gildub richm, but how to do that without breaking the current puppet api, for instance, keystone_user has password parameter
00:40 richm My proposed code would have worked just fine
00:41 richm I'm not sure what you mean by "breaking the current puppet api"?
00:42 saneax joined #puppet-openstack
00:42 gildub richm, if you don't want to pass values on the command line ^
00:42 richm gildub: easy - you just clear ENV, set only the values you want in ENV, and call openstack
00:43 gildub richm, but you still do things like: puppet resource keystone_user foo password=blah ....
00:43 richm so?
00:43 gildub richm that's a command line
00:44 richm it's not a /usr/bin/openstack command line
00:44 gildub richm, what's the difference, if we establish a security rule it must apply, no exceptions
00:45 gildub richm, otherwise it's not a security rule anymore
00:45 gildub richm, it's a breach
00:45 richm so there is no way to call puppet resource keystone_user foo password=blah and do the same thing without putting the password on the command line?
00:45 richm And you're telling me that some security is not better than none?
00:45 richm ok
00:46 richm fine
00:47 gildub richm, how do you pass the parameters to the provider if not through the type?
00:47 gildub richm, I'm not saying such a thing!
00:47 richm I don't know - I know nothing about  puppet resource
00:49 gildub richm, then maybe the providers are not the way to go
00:49 gildub richm, maybe manifests could rely on functions instead
00:50 gildub richm, this way parameters could be passed more from 'secured' manifests or better hiera with gpg backend
00:50 richm I don't understand - when puppet passes values from manifests through the type interface to the provider, that's all in puppet memory address space
00:51 richm ?
00:54 gildub richm, yes, so?
00:54 ducttape_ joined #puppet-openstack
00:54 richm So I don't understand what you mean by "maybe the providers are not the way to go - maybe manifests could rely on functions instead"
00:55 gildub richm, because if we use providers then we have to pass parameters, that's the nature of types/providers
00:55 richm If I'm just being paranoid/overly cautious/preoccupied with "security theater" rather than security - then I withdraw all of my objections to putting passwords/tokens/whatever on the command line - do it however you see fit
00:56 xavpaice joined #puppet-openstack
00:57 gildub richm, now, no matter how hard we move things around, when puppet is going to issue a request such as "openstack service command object properties" this is going to be *spawned* to the system and the whole line would be visible
00:58 richm ok
00:58 gildub richm, well you came up first with the issue of *seeing* CLI details, and that's a very valid point.
00:59 gildub richm, but the more we progress the less I see how we can avoid it, no matter how we pass credentials around
00:59 gildub richm, test1
00:59 richm The original implementation in icehouse explicitly passed passwords/tokens using ENV and put the other parameters on the command line
00:59 richm Then the openstack implementation in juno got rid of that
01:00 gildub A simple manifest: exec {"foo": command => '/tmp/foo blah'}
01:00 gildub rich, ps catches that
01:00 gildub richm, ^
01:00 richm yes
01:02 gildub now, I hope (going to verify it) commands :openstack => 'openstack', doesn't
01:02 gildub richm, did you check that?
01:02 richm what about exec {"foo": command => "/tmp/foo", environment => "PASSWORD=secret"}
01:03 richm gildub: are you saying that the commands module wraps the openstack command in such a way that its command line parameters are hidden?
01:03 gildub richm, yes of course, that's why I think using ENV is the best we have
01:04 gildub richm, ^ is about ^^^
01:05 richm ok
01:05 gildub richm, I'm not sure, but that would help if puppet hides commands
01:05 gildub richm, if it does then that solves the token issue type of things
01:05 richm I don't think it is possible with exec* family of system calls
01:06 gildub richm, yeah, probably not
01:10 gildub richm, I think our approaches collided a bit, can we try to agree on something here?
01:11 gildub richm, I mean in the light of how we realize everyday the rabbit hole is deeper!
01:12 richm gildub: I guess let's just go with your current patch - there are a couple of minor issues here and there, but it is mostly ok
01:13 gildub richm, well actually I realized that doing class inheritance here is not good.
01:14 gildub richm, class inheritance is good for polymorphism, what we need is interfacing.
01:15 richm ok
01:15 gildub richm, openstacklib/provider/openstack.rb must be converted into a module, that module can be included by providers, using the extend stanza
01:16 gildub richm, this way each provider class will 'inherit' the methods, which will become class methods (extend vs include), providing the features
01:17 gildub richm, That's what I started in https://review.openstack.org/#/c/180407
01:17 richm ok
01:18 gildub but I think the whole openstack.rb to be a module.
01:19 richm ok - I'm not a ruby guy so I'm not familiar with all of the idioms
01:19 richm It doesn't matter to me, as long as it works
01:20 gildub richm, for me it's how maintainable the code is, it costs $1 to write a line of code, $100 to maintain it, although with puppet I think it's more $1000
01:20 gildub richm, well, of course, assuming it works in the first place
01:21 gildub richm, maybe that's why puppet enterprise exists ;)
01:23 gildub richm, ok, I need to clear a couple of things
01:25 gildub richm, First off, the workflow, in the mailing list, crinkle and I, agreed on 1.ENV; 2.RC; 3.Config file. Are you ok with that?
01:25 stevemar joined #puppet-openstack
01:27 gildub richm, well from your comments I think you're not but I think we all got confused:
01:27 gildub richm, when we say ENV first, we mean we inherit the ENV as context
01:28 gildub richm, then RC is used, which means that gets transformed in ENV, overriding existing ones if they exist
01:29 gildub richm, then config file as fail over is not enough cred provided
01:30 gildub richm, those config file credentials are transformed into ENV, so we're safe
01:31 gildub richm, that's how I see it and therefore there is no need to manipulate a credential hash
01:31 gildub richm, does it make sense?
01:32 gildub richm, one line is confusing, sorry => then config file is used as fail over if not enough creds
01:34 gildub richm, but I also understand that we don't solve use cases such as the openstack token issue to validate user's password
01:37 gildub richm, and the latter cannot be solved without altering the puppet-keystone api
01:41 britthouser joined #puppet-openstack
01:41 britthouser joined #puppet-openstack
01:45 richm gildub: 1.ENV; 2.RC; 3.Config file.  - That's fine with me
01:47 richm gildub: re: token issue - I'm not sure how to solve that
01:50 gildub richm, ok
01:55 gildub richm, ok we can keep token issue to submit request with parameters on command line for now, and solve it along with keystone_user provider/type later
01:59 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
02:00 openstackgerrit Emilien Macchi proposed stackforge/puppet-cinder: Bring Redhat support to acceptance tests  https://review.openstack.org/182047
02:01 openstackgerrit Emilien Macchi proposed stackforge/puppet-designate: Bring Redhat support to acceptance tests  https://review.openstack.org/182053
02:04 * gildub bbl
02:25 gildub joined #puppet-openstack
02:35 xavpaice joined #puppet-openstack
02:38 starmer joined #puppet-openstack
02:39 vinsh joined #puppet-openstack
02:46 ducttape_ joined #puppet-openstack
02:54 AshlarBill joined #puppet-openstack
02:55 Creeture joined #puppet-openstack
02:57 Creeture Any idea how to disable the reconfiguration of my yum repos (rdo and epel specifically) when using puppetlabs-openstack 4.0.0?
02:57 Creeture I have a local mirror and I don't want it to mess with my settings. Can't find a way other than editing the modules themselves to configure it.
03:12 starmer joined #puppet-openstack
03:14 panda|afk joined #puppet-openstack
03:19 arnaud_orange joined #puppet-openstack
03:19 peterstac joined #puppet-openstack
03:28 fedexo joined #puppet-openstack
03:30 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Beaker: install APT repo with openstack_extras  https://review.openstack.org/182029
03:36 openstackgerrit Benedikt Trefzer proposed stackforge/puppet-vswitch: make dkms on Debian/Ubuntu optional, add tests  https://review.openstack.org/151629
03:38 openstackgerrit Emilien Macchi proposed stackforge/puppet-keystone: Beaker: install APT repo with openstack_extras  https://review.openstack.org/182026
03:42 openstackgerrit Emilien Macchi proposed stackforge/puppet-keystone: Bring Redhat support to acceptance tests  https://review.openstack.org/181439
04:00 openstackgerrit Emilien Macchi proposed stackforge/puppet-keystone: Bring Redhat support to acceptance tests  https://review.openstack.org/181439
04:02 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
04:02 openstackgerrit Emilien Macchi proposed stackforge/puppet-designate: Bring Redhat support to acceptance tests  https://review.openstack.org/182053
04:04 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Beaker: install APT repo with openstack_extras  https://review.openstack.org/182029
04:05 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
04:06 openstackgerrit Emilien Macchi proposed stackforge/puppet-cinder: Beaker: install APT repo with openstack_extras  https://review.openstack.org/182046
04:07 openstackgerrit Emilien Macchi proposed stackforge/puppet-cinder: Bring Redhat support to acceptance tests  https://review.openstack.org/182047
04:08 openstackgerrit Emilien Macchi proposed stackforge/puppet-designate: Beaker: install APT repo with openstack_extras  https://review.openstack.org/182052
04:09 openstackgerrit Emilien Macchi proposed stackforge/puppet-designate: Bring Redhat support to acceptance tests  https://review.openstack.org/182053
04:09 openstackgerrit Emilien Macchi proposed stackforge/puppet-glance: Beaker: install APT repo with openstack_extras  https://review.openstack.org/182058
04:12 openstackgerrit Emilien Macchi proposed stackforge/puppet-glance: Bring Redhat support to acceptance tests  https://review.openstack.org/182149
04:15 gildub_ joined #puppet-openstack
04:54 stevemar joined #puppet-openstack
04:54 markvoelker joined #puppet-openstack
05:24 openstackgerrit Merged stackforge/puppet-nova: Fix RSpec3.x keywords  https://review.openstack.org/180137
05:57 tfz joined #puppet-openstack
06:08 arnaud_orange joined #puppet-openstack
06:18 markvoelker joined #puppet-openstack
06:30 openstackgerrit Gilles Dubreuil proposed stackforge/puppet-openstacklib: Predefined source of authentication information  https://review.openstack.org/180407
06:38 mmagr joined #puppet-openstack
07:14 panda|afk joined #puppet-openstack
07:18 dgurtner joined #puppet-openstack
07:33 jistr joined #puppet-openstack
07:48 ahcorporto joined #puppet-openstack
07:52 jpena joined #puppet-openstack
07:56 tfz joined #puppet-openstack
08:09 derekh joined #puppet-openstack
08:28 openstackgerrit Merged stackforge/puppet-tripleo: Add support for haproxy_service_manage  https://review.openstack.org/180484
08:56 stamak joined #puppet-openstack
09:13 tfz joined #puppet-openstack
09:23 gfidente joined #puppet-openstack
09:26 degorenko joined #puppet-openstack
09:48 ikkeT left #puppet-openstack
09:55 cdent joined #puppet-openstack
10:15 openstackgerrit Yanis Guenane proposed stackforge/puppet-tripleo: Provide helper class for pacemaker resource  https://review.openstack.org/182222
10:17 openstackgerrit Yanis Guenane proposed stackforge/puppet-tripleo: Provide helper class for pacemaker resource  https://review.openstack.org/182222
10:39 rcallawa joined #puppet-openstack
10:39 rcallawa_ joined #puppet-openstack
10:40 igajsin joined #puppet-openstack
10:40 igajsin left #puppet-openstack
10:42 openstackgerrit Giulio Fidente proposed stackforge/puppet-keystone: Decouple sync_db from enabled  https://review.openstack.org/180565
11:10 EmilienM good morning!
11:14 panda|afk joined #puppet-openstack
11:36 salmankh joined #puppet-openstack
11:51 social oh my uniting auth_uri identity_uri and auth_version across projects will be a pain :(
12:00 morazi joined #puppet-openstack
12:02 dprince joined #puppet-openstack
12:10 ducttape_ joined #puppet-openstack
12:20 dgurtner joined #puppet-openstack
12:20 dgurtner joined #puppet-openstack
12:21 jpena has anyone seen that applying a series of keystone_config sections in a puppet manifest ends up with a messed up keystone.conf file (multiple eventlet_server sections)?
12:40 social jpena|lunch: nope
12:49 ferest joined #puppet-openstack
12:51 alex_bh joined #puppet-openstack
12:52 rcallawa joined #puppet-openstack
12:54 rcallawa joined #puppet-openstack
12:56 rcallawa joined #puppet-openstack
13:03 jtomasek joined #puppet-openstack
13:05 jtomasek mfisch: hi, could you please re-review this one? https://review.openstack.org/#/c/178655
13:05 openstackgerrit Lukas Bezdicka proposed stackforge/puppet-ceilometer: Support identity_uri and auth_uri properly and add auth_version option  https://review.openstack.org/182281
13:06 richm joined #puppet-openstack
13:16 openstackgerrit Lukas Bezdicka proposed stackforge/puppet-cinder: Add auth_version option in nova::api  https://review.openstack.org/182285
13:29 prad joined #puppet-openstack
13:30 EmilienM dprince: you may want to look at these two patches ^
13:30 dprince EmilienM: ack
13:52 jpena|lunch joined #puppet-openstack
13:57 dfisher joined #puppet-openstack
14:00 rgowrishankar joined #puppet-openstack
14:05 starmer joined #puppet-openstack
14:15 vinsh joined #puppet-openstack
14:17 stevemar joined #puppet-openstack
14:19 delattec joined #puppet-openstack
14:25 mfisch jtomasek: looking
14:38 jtomasek mfisch: thanks!
14:43 social this one is nice: https://github.com/stackforge/puppet-neutron/blob/master/lib/puppet/provider/neutron.rb#L29
14:43 social so we require auth_host and auth_port even though user set auth_uri
14:44 jpena related to my earlier question: do we know if puppetlabs-inifile is expected to behave well when an ini file has duplicated sections?
14:44 ducttape_ joined #puppet-openstack
14:45 * EmilienM waves on crinkle and nibalizer
14:45 jpena for example, https://raw.githubusercontent.com/openstack/keystone/master/etc/keystone.conf.sample has a duplicated [cors] section, and I think this is causing trouble
14:48 mdorman joined #puppet-openstack
14:55 EmilienM jpena: can you raise a bug in keystone? I thought the configuration was generated by Oslo
14:56 EmilienM @all Puppet meeting is about to start in a few (#openstack-meeting-4, freenode)
14:56 EmilienM https://etherpad.openstack.org/p/puppet-openstack-weekly-meeting-20150512
14:57 jpena EmilienM: well, it's the RDO Liberty-generated package, that created keystone.conf from keystone.conf.sample. There is already https://review.openstack.org/#/c/182138/ with a fix, but I wanted to know if this is expected to break from the puppet side or not
14:57 EmilienM jpena: ack
14:59 rwsu joined #puppet-openstack
14:59 crinkle morning
15:09 richm joined #puppet-openstack
15:13 panda joined #puppet-openstack
15:14 ericpeterson joined #puppet-openstack
15:23 mdorman joined #puppet-openstack
15:25 derekh_ joined #puppet-openstack
15:38 ducttape_ joined #puppet-openstack
15:42 aimon joined #puppet-openstack
15:45 AshlarBill joined #puppet-openstack
15:52 mfisch EmilienM: removing puppet-group just merged lol
15:53 EmilienM mfisch: link?
15:53 mfisch https://review.openstack.org/#/c/182346
15:53 mfisch I put it in the etherpad, didn't expect a merge in 5 min
15:58 rwsu joined #puppet-openstack
16:04 britthouser joined #puppet-openstack
16:16 openstackgerrit Lukas Bezdicka proposed stackforge/puppet-neutron: Fix support for auth_uri setting in neutron provider  https://review.openstack.org/182374
16:17 xarses joined #puppet-openstack
16:23 igajsin joined #puppet-openstack
16:23 igajsin left #puppet-openstack
16:46 rgoerishankar joined #puppet-openstack
16:57 dfisher before I get into #openstack-glance and likely make a fool of myself … does anybody know WHY glance needs 4 conf files and 3 paste files to configure a glorified FTP service?
17:02 asilenkov_ joined #puppet-openstack
17:02 chem joined #puppet-openstack
17:02 dprince joined #puppet-openstack
17:02 degorenko joined #puppet-openstack
17:03 ducttape_ joined #puppet-openstack
17:04 jesusaurus joined #puppet-openstack
17:06 jprs joined #puppet-openstack
17:07 openstackgerrit Ryan Bak proposed stackforge/puppet-monasca: Remove automatic setup of service dimension  https://review.openstack.org/182388
17:13 crinkle dfisher: i have no idea but i love the way you asked :D
17:13 dfisher :)
17:13 dfisher i hate glance *so much*
17:14 dfisher it's beyond dumb and unnecessary.
17:14 * dfisher sighs
17:15 dfisher also asked in openstack-dev.   /me leans into it.
17:18 dfisher also love how glance:  migrated to utf8 for mysql in a freakin' update to juno (and was the only component to do so), uses 7 conf files, doesn't mark options deprecated in the conf files, uses a different library to parse different bits (glance_store), etc.
17:20 dfisher i need a beer and it's only 11:15 MST.
17:33 openstackgerrit Merged stackforge/puppet-monasca: Remove automatic setup of service dimension  https://review.openstack.org/182388
17:59 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
18:04 openstackgerrit Ryan Bak proposed stackforge/puppet-monasca: Remove more automatic dimensions  https://review.openstack.org/182400
18:22 tfz joined #puppet-openstack
18:29 cdent joined #puppet-openstack
18:36 rgowrishankar joined #puppet-openstack
18:52 stamak joined #puppet-openstack
19:14 panda joined #puppet-openstack
19:16 openstackgerrit_ joined #puppet-openstack
19:24 nosleep77 joined #puppet-openstack
19:30 rcallawa_ joined #puppet-openstack
19:45 markvoelker joined #puppet-openstack
19:51 rcallawa joined #puppet-openstack
20:07 rcallawa joined #puppet-openstack
20:09 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
20:18 openstackgerrit Merged stackforge/puppet-monasca: Remove more automatic dimensions  https://review.openstack.org/182400
20:36 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
20:37 openstackgerrit joined #puppet-openstack
20:44 stamak joined #puppet-openstack
20:56 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
21:00 rcallawa joined #puppet-openstack
21:21 rcallawa joined #puppet-openstack
21:22 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
21:51 EmilienM crinkle, mgagne: this is a PoC: https://github.com/enovance/puppet-oslo
21:52 EmilienM what do you think?
22:01 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
22:01 cwolferh joined #puppet-openstack
22:18 logan2 joined #puppet-openstack
22:24 markvoelker joined #puppet-openstack
22:31 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
22:36 openstackgerrit Emilien Macchi proposed stackforge/puppet-nova: PoC: integrate puppet-oslo  https://review.openstack.org/182482
22:37 EmilienM crinkle, mgagne: a PoC in puppet-nova that actually uses puppet-oslo
22:37 EmilienM the only concern I have now is how do we deal when nova has a more recent oslo than cinder
22:37 mgagne this ^
22:38 mgagne or when you upgrade oslo to fix bugs and the version installed is more recent than the one we require
22:39 EmilienM mgagne: AFAIK, all OpenStack projects use a version of Oslo (in a specific range of version) that should work together
22:39 mgagne EmilienM: see openstack-operators ML for use cases
22:39 EmilienM mgagne: any thread in particular?
22:39 mgagne rabbit + heartbeat
22:42 EmilienM mgagne: oh dear
22:42 mgagne yea
22:43 EmilienM now I wonder if puppet-oslo is useful
22:43 mgagne it is if we have a way to support those use cases
22:49 richm How do you handle those use cases now?  Does every openstack puppet module have some sort of awkward logic to handle that?
22:51 EmilienM richm: right now, I'm not sure
22:59 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
23:04 derekh joined #puppet-openstack
23:08 openstackgerrit Emilien Macchi proposed stackforge/puppet-nova: do not merge  https://review.openstack.org/182492
23:28 openstackgerrit Gilles Dubreuil proposed stackforge/puppet-openstacklib: Predefined source of authentication information  https://review.openstack.org/180407
23:30 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035
23:34 gildub joined #puppet-openstack
23:55 openstackgerrit Emilien Macchi proposed stackforge/puppet-ceilometer: Bring Redhat support to acceptance tests  https://review.openstack.org/182035