Tuesday, 2020-03-03

[00:12] <openstackgerrit> diwakar thyagaraj proposed airship/promenade master: [WIP] Fix apparmor for Promenade Containers https://review.opendev.org/710132
[00:19] <openstackgerrit> Kostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] Add functionality to set libvirt sec driver https://review.opendev.org/710889
[00:38] <openstackgerrit> Kostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] [WIP] Add functionality to set libvirt sec driver https://review.opendev.org/710889
[00:44] <openstackgerrit> Kostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] [WIP] Add functionality to set libvirt sec driver https://review.opendev.org/710889
[00:50] *** airshipbot has quit IRC
[00:58] *** airshipbot has joined #airshipit
[00:59] *** airshipbot has quit IRC
[01:01] *** airshipbot has joined #airshipit
[01:02] *** airshipbot has joined #airshipit
[01:04] *** dwalt has quit IRC
[01:04] *** airshipbot has quit IRC
[01:05] *** airshipbot has joined #airshipit
[01:09] <openstackgerrit> Kostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] [WIP] Add functionality to set libvirt sec driver https://review.opendev.org/710889
[01:15] *** airshipbot has quit IRC
[01:41] <openstackgerrit> Alexander Hughes proposed airship/airshipctl master: [WIP] Resolve kubectl gate errors https://review.opendev.org/710845
[01:41] <openstackgerrit> Alexander Hughes proposed airship/airshipctl master: [#58] Update types for golint https://review.opendev.org/710469
[01:55] *** siraj_ has quit IRC
[02:10] <openstackgerrit> Kostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] [WIP] Add functionality to set libvirt sec driver https://review.opendev.org/710889
[02:26] <openstackgerrit> Alexander Hughes proposed airship/airshipctl master: [WIP] Resolve kubectl gate errors https://review.opendev.org/710845
[02:31] <openstackgerrit> Kostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] [WIP] Add functionality to set libvirt sec driver https://review.opendev.org/710889
[03:58] <openstackgerrit> Stas Egorov proposed airship/airshipctl master: [WIP]: for test only https://review.opendev.org/709223
[04:09] <openstackgerrit> Prateek Dodda proposed airship/divingbell master: [WIP] Implement Security Context for Divingbell https://review.opendev.org/707885
[04:26] <openstackgerrit> Stas Egorov proposed airship/airshipctl master: Added job for testing roles https://review.opendev.org/709007
[05:03] *** rezroo has quit IRC
[05:10] <openstackgerrit> Kostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] [WIP] Add functionality to set libvirt sec driver https://review.opendev.org/710889
[05:35] *** evrardjp has quit IRC
[05:35] *** evrardjp has joined #airshipit
[05:35] *** GoldenBear has quit IRC
[05:37] *** GoldenBear has joined #airshipit
[05:59] <openstackgerrit> Prateek Dodda proposed airship/divingbell master: [WIP] Implement Security Context for Divingbell https://review.opendev.org/707885
[06:08] <openstackgerrit> Prateek Dodda proposed airship/divingbell master: [WIP] Implement Security Context for Divingbell https://review.opendev.org/707885
[06:18] *** toabctl has quit IRC
[06:22] *** toabctl has joined #airshipit
[06:49] <openstackgerrit> Prateek Dodda proposed airship/shipyard master: [WIP] Implement Security Context for Airflow_Worker https://review.opendev.org/692224
[07:02] <openstackgerrit> Prateek Dodda proposed airship/divingbell master: [WIP] Implement Security Context for Divingbell https://review.opendev.org/707885
[07:32] <openstackgerrit> Ahmad Mahmoudi proposed airship/shipyard master: (fix) Address image build issues, bionic https://review.opendev.org/709056
[07:46] *** arijit has quit IRC
[07:50] *** happyhemant has joined #airshipit
[08:13] *** rezroo has joined #airshipit
[08:15] *** Connoreika has joined #airshipit
[08:15] <openstackgerrit> Prateek Dodda proposed airship/divingbell master: [WIP] Implement Security Context for Divingbell https://review.opendev.org/707885
[08:15] <Connoreika> Colleagues, can someone suggest how I can put a trusted root CA in the pods of an airsloop installation? I have a MITM when I'm trying to download something from the internet, and git doesn't want to clone repos.
[08:22] <openstackgerrit> Prateek Dodda proposed airship/shipyard master: [WIP] Implement Security Context for Airflow_Worker https://review.opendev.org/692224
[08:25] *** roman_g has joined #airshipit
[08:35] *** roman_g has quit IRC
[08:49] *** Connoreika has quit IRC
[10:06] *** roman_g has joined #airshipit
[10:59] *** openstackstatus has quit IRC
[11:05] *** roman_g has quit IRC
[11:16] *** zogger has quit IRC
[11:16] *** zogger has joined #airshipit
[11:21] *** zogger has quit IRC
[11:26] *** rezroo has quit IRC
[11:26] *** rezroo has joined #airshipit
[11:35] *** Connoreika has joined #airshipit
[11:35] <Connoreika> Colleagues, can someone suggest how I can put a trusted root CA in the pods of an airsloop installation? I have a MITM when I'm trying to download something from the internet, and git doesn't want to clone repos.
[11:37] *** Connoreika has quit IRC
[12:17] *** rezroo has quit IRC
[12:29] <openstackgerrit> Dmitry Ukov proposed airship/airshipctl master: Fix go get for airshipctl module https://review.opendev.org/710400
[12:31] *** Connoreika has joined #airshipit
[12:42] *** Connoreika has quit IRC
[13:03] *** Connoreika has joined #airshipit
[13:08] <openstackgerrit> Nikolay Fedorov proposed airship/airshipctl master: [WIP] Add Bare Metal Operator resources https://review.opendev.org/706533
[13:14] *** Connoreika has quit IRC
[13:15] <openstackgerrit> Nikolay Fedorov proposed airship/airshipctl master: [WIP] Add Bare Metal Operator Ironic config files https://review.opendev.org/706736
[13:15] <openstackgerrit> Nikolay Fedorov proposed airship/airshipctl master: [WIP] Add Bare Metal Operator Ironic entrypoints https://review.opendev.org/706737
[13:21] <openstackgerrit> Nikolay Fedorov proposed airship/airshipctl master: [WIP] Add Bare Metal Operator Ironic entrypoints https://review.opendev.org/706737
[13:31] <openstackgerrit> Alexander Hughes proposed airship/airshipctl master: [#70] Resolve kubectl gate errors https://review.opendev.org/710845
[13:51] <openstackgerrit> diwakar thyagaraj proposed airship/porthole master: Fix helm Installation Script in Apparmor Scripts https://review.opendev.org/710178
[13:59] *** SRao has joined #airshipit
[14:06] *** rezroo has joined #airshipit
[14:06] *** aaronsheffield has joined #airshipit
[14:10] *** jamesgu has quit IRC
[14:10] *** airshipbot has joined #airshipit
[14:16] <openstackgerrit> Alexander Hughes proposed airship/drydock master: [WIP] Uplift pyyaml and requests https://review.opendev.org/711019
[14:18] *** airshipbot has quit IRC
[14:18] <openstackgerrit> Alexander Hughes proposed airship/drydock master: [WIP] Uplift pyyaml and requests https://review.opendev.org/711019
[14:19] *** jamesgu has joined #airshipit
[14:37] *** ab2434_ has joined #airshipit
[14:45] <mattmceuen> o/ everyone -- for our meeting in 15min here's the agenda: https://etherpad.openstack.org/p/airship-meeting-2020-03-03
[14:45] <mattmceuen> please add anything you'd like to discuss
[14:48] <openstackgerrit> Alexander Hughes proposed airship/drydock master: Uplift pyyaml and requests https://review.opendev.org/711019
[14:49] *** siraj_ has joined #airshipit
[14:50] *** airshipbot has joined #airshipit
[14:53] *** nishantkr has joined #airshipit
[14:53] *** michael-beaver has joined #airshipit
[14:55] *** dwalt has joined #airshipit
[14:55] *** Connoreika has joined #airshipit
[14:56] <Connoreika> Colleagues, can someone suggest how I can put a trusted root CA in the pods of an airsloop installation? I have a MITM when I'm trying to download something from the internet, and git doesn't want to clone repos.
[14:57] <mattmceuen> Hey Connoreika
[14:57] <Connoreika> Hi Matt!
[14:57] <mattmceuen> Let me add that as an item in our meeting so we can get everyone's eyes on it
[14:57] <mattmceuen> and make sure we get an answer for you
[14:58] <mattmceuen> It starts in 2 min :)
[14:58] <Connoreika> Would be great!
[14:58] <Connoreika> Tu
[14:59] <Connoreika> Matt, I saw that in future, you plan to do an iso image to deploy genesis node and whole cluster. Is it true?
[15:00] <mattmceuen> Yep - the plan is for the CLI to create a boot iso for the ephemeral node (replaces the role of genesis), and then boot it remotely via redfish (optional step), and then that ephemeral node sets up a k8s instance that drives provisioning of the rest of the nodes
[15:00] <mattmceuen> #startmeeting airship
[15:00] <openstack> Meeting started Tue Mar  3 15:00:54 2020 UTC and is due to finish in 60 minutes.  The chair is mattmceuen. Information about MeetBot at http://wiki.debian.org/MeetBot.
[15:00] <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[15:00] *** openstack changes topic to " (Meeting topic: airship)"
[15:00] <openstack> The meeting name has been set to 'airship'
[15:01] <mattmceuen> #topic Rollcall
[15:01] *** openstack changes topic to "Rollcall (Meeting topic: airship)"
[15:01] <Connoreika> o/
[15:01] <aaronsheffield> o/
[15:01] <howell> o/
[15:01] <mattmceuen> o/ everyone and good morning/evening!
[15:01] <seaneagan> o/
[15:01] <nishantkr> o/
[15:01] <michael-beaver> o/
[15:01] <mattmceuen> Here's our agenda: https://etherpad.openstack.org/p/airship-meeting-2020-03-03
[15:01] <dwalt> o/
[15:01] <alexanderhughes> o/
[15:01] <jamesgu> o/
[15:01] *** nasirkamal has joined #airshipit
[15:02] <airshipbot> <alex.bailey.1> o/
[15:02] <mattmceuen> Ok, let's get started:
[15:02] <mattmceuen> #topic KubeCon update
[15:02] *** openstack changes topic to "KubeCon update (Meeting topic: airship)"
[15:02] <mattmceuen> First, a follow-up to kubecon discussion last week
[15:03] *** roman_g has joined #airshipit
[15:03] <mattmceuen> Unfortunately, AT&T yesterday announced a hold on all international travel, so it joins Ericsson in that boat
[15:03] <jemangs> o/
[15:03] <mattmceuen> And others will probably follow suit
[15:03] <Connoreika> %(
[15:03] <roman_g> o/
[15:03] <mattmceuen> So we will be forgoing the in-person meeting at KubeCon, sadly
[15:03] <Connoreika> We don't follow.
[15:04] <mattmceuen> We were planning on having an Airship Meetup in KubeCon during the summit
[15:04] <mattmceuen> to hash through some design topics etc face to face
[15:04] <Connoreika> i saw that
[15:04] <mattmceuen> ok cool :)
[15:05] <mattmceuen> We do still plan to have a strong PTG session at the open infra / PTG conference in Vancouver
[15:05] *** pramchan63 has joined #airshipit
[15:05] <mattmceuen> In addition, we'd like to set up a "virtual meetup" for Airship around the same time as KubeCon, so we can have the same discussion we would have had, over telepresence
[15:05] *** uzumaki has joined #airshipit
[15:05] <mattmceuen> so please stay tuned for more info on that!
[15:05] <Connoreika> That's cool!
[15:06] <mattmceuen> Yeah agree :)
[15:06] <Connoreika> Zoom?
[15:06] <mattmceuen> good question; zoom or webex or something similar
[15:06] <roman_g> Zoom, WebEx, whatever.
[15:06] <Connoreika> Cool
[15:07] *** ashferg has joined #airshipit
[15:07] <mattmceuen> Anything else on this one before moving on?
[15:07] <pramchan63> link #https://etherpad.openstack.org/p/airship-kubecon-amsterdam
[15:07] <mattmceuen> let's deprecate that link please
[15:07] <Connoreika> So we are not going on kubecon?
[15:07] *** zainub_wahid has joined #airshipit
[15:07] <pramchan63> OK
[15:07] <mattmceuen> since airship will not be at kubecon in amsterdam
[15:08] <mattmceuen> Connoreika:  AT&T and E/// will not be, but I can't speak for all corporations -- last I heard the conference is still going to happen
[15:08] <Connoreika> Vancouver is much more expensive than Amsterdam %)
[15:09] <mattmceuen> I was looking forward to seeing amsterdam too, never been there.  Oh well, can't complain given the global situation
[15:09] <Connoreika> Ok, sorry that interrupted, let's move on.
[15:09] <mattmceuen> Ok, next topic:
[15:09] <mattmceuen> no worries :)
[15:09] <mattmceuen> #topic Slack<-> IRC sync'ing
[15:09] *** openstack changes topic to "Slack<-> IRC sync'ing (Meeting topic: airship)"
[15:09] <mattmceuen> Another follow up from last week
[15:10] <Connoreika> Why do we need it to be synced?
[15:10] <mattmceuen> There are some folks who are interested in joining through slack instead of the IRC client, and slack is the norm in the CNCF world
[15:11] <mattmceuen> on the other hand, IRC has a lot of benefits too
[15:11] <mattmceuen> so I was going to look into ways to use both and mirror the conversation
[15:11] <mattmceuen> I put together a rough helm chart for one of them and am currently running it off my laptop
[15:11] <mattmceuen> o/ airshipbot
[15:12] <roman_g> We have had Slack previously, it didn't work out. Conversation sync could help, though.
[15:12] <mattmceuen> My scrum master has joined from slack world as well
[15:12] <airshipbot> <aw442m> I exist in both worlds
[15:12] <mattmceuen> Yeah, I think the reason it didn't work out was that it was run kind of ad-hoc; that's why I wanted to have dependable k8s orchestration of it
[15:12] <pramchan63> which workspace in slack with which github - the sync?
[15:12] <airshipbot> <aw442m> this is dwalt btw
[15:12] <howell> which slack channel is that?
[15:13] <mattmceuen> pramchan63:  it's the "airshipproject" workspace in slack
[15:13] <mattmceuen> I haven't made a push to invite everyone because I'm waiting to get it running somewhere besides my laptop :)
[15:13] <mattmceuen> as it is not open 24 hours a day
[15:14] <mattmceuen> Once we have a lab up and running (there are a couple in progress) then we can home the bot there permanently, otherwise I'll plan to get it running on my home machine as a stopgap
[15:15] <mattmceuen> Here's the chart, which links to the tool itself:  https://github.com/mattmceuen/slack-irc-chart
[15:15] <mattmceuen> That's all I had on this one.  Any questions?
[15:15] <roman_g> Nope. Thanks, Matt.
[15:15] <Connoreika> Don't like slack. I like discord and telegram %)
[15:16] *** KeithMnemonic has quit IRC
[15:16] <mattmceuen> That's fair
[15:16] <dwalt> Thanks for working on this Matt
[15:16] <Connoreika> :)
[15:16] <mattmceuen> If you'd like to integrate with those tools as well, that would be great Connoreika :)  the more bots the merrier
[15:17] <mattmceuen> #topic airshipctl non-descriptive variables
[15:17] *** openstack changes topic to "airshipctl non-descriptive variables (Meeting topic: airship)"
[15:17] <Connoreika> I'm too stupid to write such a bot :)
[15:17] <mattmceuen> (ie: https://opendev.org/airship/airshipctl/src/branch/master/pkg/config/cmds.go#L26) use of single letter, or two letter variables
[15:17] <mattmceuen> it may already exist, who knows!
[15:17] <mattmceuen> alexanderhughes:  I think this one is yours!
[15:18] <alexanderhughes> just a gentle suggestion, we have more and more developers joining the project daily.  as they try to get up to speed making code easy to read I think is valuable.  when we are initializing variables as things like "o" or "fo" it makes code more difficult to read, resulting in more frequent tracebacks to where the variable was initialized and what it is supposed to mean
[15:19] <howell> so this is something that's pretty typical in go code
[15:19] <howell> the rule in general is that the longer a variable is in use, the longer its name should be
[15:19] <howell> but,
[15:19] <mattmceuen> I mean the language is called "go" ;-)
[15:19] <howell> I agree that it could get confusing
[15:19] <mattmceuen> that's only one g better than o
[15:20] <mattmceuen> that's - an interesting convention - I'd never heard it before, and kinda like the philosophy
[15:20] <howell> I have no issue with disregarding the above rule. It's a bit weird anyway
[15:21] <mattmceuen> yeah, "options" wouldn't be that many more keystrokes
[15:21] <howell> mattmceuen: it makes sense at first
[15:21] <alexanderhughes> there's no line limit length in go, so extra characters to make things clear would be helpful - especially for things we're passing in like func RunGetAuthInfo(o *AuthInfoOptions, out io.Writer, airconfig *Config) error {
[15:21] <alexanderhughes> o here, to me should be something like authOptions
[15:21] <alexanderhughes> throw away variables like when looping for i:=0, but things that are important to the function would be nice to be more legible
[15:22] <mattmceuen> I think that's a very fair public service announcement, and a good thing to keep in mind as developers
[15:22] <howell> ^This makes a lot of sense to me
[15:22] <howell> specifically for function parameters
[15:22] <howell> that will appear in documentation
[15:22] <mattmceuen> ++
[15:22] <Connoreika> + with Alexander
[15:23] <alexanderhughes> in any case that's my rant, I want to make things as easy as they can get for code reviewers, and for onboarding new developers.  you may see a patchset from me here soon acting on that rant if the community is okay with more verbose variables
[15:23] <mattmceuen> lol
[15:23] <mattmceuen> no objections here, as long as we don't go to the other extreme
[15:23] <howell> I think we can be a bit lax with variables declared within a function, but certainly any variable that is exposed should be more descriptive
[15:24] * mattmceuen shudders and remembers iphone programming APIs
[15:24] <alexanderhughes> yeah I'm not implementing authInfoOptionsForFunctionXonLineNumberTwentySevenUsedOnlyOneTime
[15:24] <howell> lol or java. Get yourself a JavaBeanFactoryFactory
[15:24] <alexanderhughes> but I think just a few more chars on most of these vars would be helpful
[15:24] <roman_g> alexanderhughes: would you submit a patch to coding conventions in docs repo? Then we can add devs who do Go development work to +2/+1 it and collect feedback.
[15:24] <alexanderhughes> roman_g:
[15:25] <alexanderhughes> yeah I can take this action
[15:25] <mattmceuen> only thing I'd caution is, I'd suggest we call it a guideline instead of a rule
[15:25] <roman_g> alexanderhughes: that would be very good. Thank you.
[15:25] <mattmceuen> as I'm sure there are exceptions
[15:25] <mattmceuen> yeah, thanks for bringing up alexanderhughes, good discussion
[15:25] <mattmceuen> next topic:
[15:26] <mattmceuen> #topic gate enhancement idea (alexanderhughes)
[15:26] *** openstack changes topic to "gate enhancement idea (alexanderhughes) (Meeting topic: airship)"
[15:26] <mattmceuen> "make update-golden" to ensure tests are updated with test modifying changeset before code merges
[15:26] <mattmceuen> https://review.opendev.org/#/c/710085/ for example does not modify config cmd "set-context" but when running make update-golden for new test addition unused test was removed
[15:26] <roman_g> mattmceuen: Yes, coding guidelines, of course. Native exceptions are i,j,k,n,x,y,z in cycles, for an example.
[15:26] <mattmceuen> roman_g: yep exactly
[15:27] <alexanderhughes> so this was me as well.  in our python projects such as Pegleg we implemented YAPF as a gate.  basically ensuring that the code being submitted matched the formatting we expected with YAPF.  I think a gate that did something similar ensuring that the test cases present in patch match what make update-golden would do (which updates the golden test data for each test)
[15:28] *** jtwill98 has joined #airshipit
[15:28] <alexanderhughes> so that we don't have missing, or inaccurate tests for a future patchset.  our tests are only valuable if they are up to date and accurate
[15:28] <howell> I'm not sure I understand
[15:28] <mattmceuen> alexanderhughes:  we should be wary of things that use codebase to generate the expected output of the current codebase -- do we avoid a "the code does what the code does" scenario?
[15:28] <howell> golden files are just the "expected" output from unit tests
[15:29] <dwalt> Shouldn't the unit tests fail if the golden files are not updated?
[15:29] <dwalt> In this case, it just appeared that we had an extra one
[15:29] <alexanderhughes> so from the example patch here, https://review.opendev.org/#/c/710085/ there was no change to config command "set-context" but I did update a new unit test.  when I ran make update-golden it modified set-context
[15:29] <mattmceuen> Agree, I think golden output changes need to be intentional, to guard against output changes that are accidental (bugs)
[15:29] <alexanderhughes> this should have happened in a previous patchset
[15:29] <howell> the above PS is unique in that it is the first time that we have /removed/ a golden file
[15:29] <pramchan63> Does removal of kubectl impact CI in Zuul? for testing
[15:30] <howell> we should implement something to make sure there are no unused files
[15:30] <alexanderhughes> I don't want to automatically update our codebase using zuul, I want to ensure that the tools we have to update are being run locally by devs and match expected results before merging
[15:31] <dwalt> I think that's what howell is suggesting. Adding that check to the unit tests command
[15:31] <alexanderhughes> that's fair, as the unit tests command is present in the gates
[15:33] <alexanderhughes> any other opinions on this?
[15:33] <Connoreika> nope
[15:33] <howell> any idea on how to implement?
[15:34] <howell> that's a detail, we can take that offline
[15:34] <pramchan63> May be bring it to design call?
[15:34] <alexanderhughes> at a high level sounds like we run make unit-tests to ensure current code matches test cases, then make update-golden to see if anything gets deleted after the tests have passed.  if there is a deletion fail the make command and advise user to run make update-golden
[15:35] <jtwill98> Unit test can be used to expose abandoned files in a report, but the team should take action to remove them with a PR.
[15:35] <howell> alexanderhughes: that sounds like it should work
[15:35] <mattmceuen> alexanderhughes:  agree with that
[15:36] <dwalt> that's a good idea
[15:36] <dwalt> but then we need to add gate logic, right?
[15:36] *** zainub_wahid has quit IRC
[15:36] <dwalt> Since someone could unknowingly push without the updated golden files
[15:36] <mattmceuen> pramchan63:  sure, feel free to add to the design call agenda
[15:36] <alexanderhughes> yes, the gate would have to run the logic above
[15:36] <howell> dwalt: we could probably cram it all into the `unit-tests` target
[15:36] <mattmceuen> but I think we can hash through it here (hopefully)
[15:37] <dwalt> gotcha. So if some golden files get deleted, it just fails the test command?
[15:37] <howell> that's what I would think
[15:37] <alexanderhughes> we could move this into a new make command: test-and-update or similar.  runs make unit-tests, runs make update-golden, searches for deletions, if present alert.  update gate to use the new make target
[15:37] <dwalt> Ok. That may be confusing to someone running locally, but it's better than having extra files.
[15:38] <dwalt> Oh I like the new target idea alexanderhughes
[15:38] <dwalt> That one gets run in the gate; dev can run make tests locally
[15:38] <alexanderhughes> yes, gives granularity locally but achieves same end goal at the gate
[15:39] *** rpocase has joined #airshipit
[15:39] <dwalt> awesome. Good idea
[15:39] <alexanderhughes> +/- votes on implementation?  would like to get an issue created to summarize our thoughts and track the work
[15:40] <dwalt> +1
[15:40] <mattmceuen> +1
[15:40] <Connoreika> +
[15:40] <alexanderhughes> great thanks all, I'll get an issue created shortly
[15:40] <pramchan63> +1
[15:41] <mattmceuen> awesome - ty alex
[15:41] <alexanderhughes> if there's more discussion needed on this we can followup @ flight plan call tomorrow
[15:41] <pramchan63> so I don't need this to be brought to design call?
[15:41] <pramchan63> Ok
[15:41] <mattmceuen> I think we reached consensus here, probably no need to bring it up there
[15:41] <mattmceuen> Ok, moving on:
[15:41] <mattmceuen> #topic baremetal renaming changes merging tomorrow (04-March)  (alexanderhughes)
[15:41] *** openstack changes topic to "baremetal renaming changes merging tomorrow (04-March) (alexanderhughes) (Meeting topic: airship)"
[15:42] <mattmceuen> per Jaakko Kuuskoski during 03-March Airship design call
[15:42] <mattmceuen> https://github.com/metal3-io/cluster-api-provider-baremetal/pull/268
[15:42] <mattmceuen> https://github.com/metal3-io/metal3-dev-env/pull/239
[15:42] <mattmceuen> https://github.com/metal3-io/metal3-io.github.io/pull/153
[15:42] <alexanderhughes> just a quick announcement, Jaakko mentioned these are merging tomorrow during design call.  just want to make sure anyone who wasn't present on that call has an opportunity to see it here
[15:42] <mattmceuen> good idea.
[15:43] <mattmceuen> The gist is that all the references to a generic "bare metal provider" are being renamed more specifically to "metal3 provider"-related naming
[15:43] <mattmceuen> that will allow for the existence of multiple bare metal providers
[15:44] <pramchan63> namespace change in capi  from CAPBM to CAPM3  - noted
[15:44] <howell> I think it's more clear too. this is a good change
[15:44] <Connoreika> +
[15:45] <mattmceuen> Alright, moving on unless there's anything else on this topic?
[15:45] <mattmceuen> #topic: how i can put trusted root ca in pods of airsloop installation? (Connoreika)
[15:45] *** openstack changes topic to ": how i can put trusted root ca in pods of airsloop installation? (Connoreika) (Meeting topic: airship)"
[15:45] <Connoreika> Yep
[15:45] <mattmceuen> Connoreika's asked this a couple times in the chat, let's get him on the right direction:
[15:45] <mattmceuen> I have MITM when i trying to download something from internet, and git doesn't want to clone repos.
[15:46] <pramchan63> on metal3.io side it's still on hold?
[15:46] *** timClicks has joined #airshipit
[15:46] <mattmceuen> This one is an airship 1 topic
[15:46] <mattmceuen> Does anyone have a good reference at their fingertips for adding custom CAs to a deployment?
[15:46] <dwalt> can you elaborate on what the man-in-the-middle is? A proxy server?
[15:47] <pramchan63> you mean airsloop of airship 1.x
[15:47] <Connoreika> No, it's security team, they listen all the traffic in company.
[15:48] <uzumaki> dwalt, yeah, the proxy server, sort of
[15:48] <dwalt> Do you still have a direct connection to the internet?
[15:48] <Connoreika> Yes, direct connection. But they change certs on fly.
[15:49] <dwalt> Uzumaki: if it's a proxy server, do you know its address? And does it require a certificate?
[15:49] <uzumaki> well, the thing with MITM is, it's principally hidden from the client and server
[15:49] <Connoreika> No, it's not proxy.
[15:49] <uzumaki> It's like Server <... SSLA...> MITM <...SSLB...> Client
[15:50] <mattmceuen> Have you seen this example doc, Connoreika?:  https://github.com/airshipit/treasuremap/blob/master/site/seaworthy/secrets/certificates/certificates.yaml
[15:50] <Connoreika> Yes. exactly.
[15:50] <mattmceuen> That one defines the certs, CAs for the seaworthy site
[15:51] <mattmceuen> That might not apply for the "armada reaching out" case though
[15:51] <Connoreika> But I'm not sure what to put in that example and where?
[15:51] <pramchan63> what does MITM mean ? #link https://airship-treasuremap.readthedocs.io/en/latest/airsloop.html
[15:51] <mattmceuen> yeah, I retract that one
[15:51] <uzumaki> pramchan63, Man-In-The-Middle, a way to snoop on SSL traffic
[15:51] <Connoreika> And first problem is with armada :(
[15:52] <pramchan63> thanks so question of avoiding attacks through proxy is causing issues
[15:52] <Connoreika> No.
[15:53] <Connoreika> I have a root ca cert.
[15:53] *** arijit has joined #airshipit
[15:53] <Connoreika> Usually, i put it into the host system, and cert, that security team become signed.
[15:53] <Connoreika> And trusted
[15:54] <Connoreika> Although it's self-signed.
[15:54] <uzumaki> yeah, just like server BMC https certs
[15:55] <Connoreika> But, when we setup airship, it's starting armada in pod, and in that pod, it's doing git clone.
[15:55] <Connoreika> That pod, doesn't know anything about my self-signed cert.
[15:55] <pramchan63> i see
[15:55] <Connoreika> So git clone - failed. Coz of fake cert.
[15:56] <mattmceuen> is there any chance you can use a non-self-signed CA, e.g. letsencrypt?
[15:56] <mattmceuen> I'm not sure this has been solved for within Airship unfortunately
[15:56] <Connoreika> It's not me. I'm in bank, and it's bank security team.
[15:56] <mattmceuen> yeah, makes sense
[15:56] <mattmceuen> hmm
[15:57] <Connoreika> They listen that way all the traffic from and to our bank.
[15:57] *** rezroo has quit IRC
[15:58] <mattmceuen> lol I guess SSL is working as designed.. now I understand the MITM reference
[15:58] <uzumaki> haha
[15:58] <uzumaki> is there a way to force local git client to accept self-signed certs?
[15:59] <mattmceuen> can the MITM  use a CA that has a chain of trust back to the root CAs maybe?  I know that's probably outside your control
[15:59] <dwalt> #link https://stackoverflow.com/questions/11621768/how-can-i-make-git-accept-a-self-signed-certificate
[15:59] <dwalt> it appears so
[15:59] <mattmceuen> We're out of time for the meeting, but let's please keep the conversation going here...
[15:59] <mattmceuen> Requests for review:
[15:59] <mattmceuen> https://review.opendev.org/#/c/711019/ - drydock, security alert for 2 CVEs relating to old packages
[15:59] <mattmceuen> https://review.opendev.org/#/c/710085/ - remove kubectl subcommand from airshipctl
[15:59] <mattmceuen> https://review.opendev.org/#/c/710469/ - refactor of airshipctl types to be golint compliant
[15:59] <uzumaki> it can actually, but the thing is, going back to root ca might cost you a license
[15:59] <Connoreika> What i do usually
[15:59] <mattmceuen> Review on those please :) ^^
[15:59] <uzumaki> and on the flip side, that will make the MITM even more sneaky
[16:00] <mattmceuen> #endmeeting
*** openstack changes topic to "https://opendev.org/airship || https://wiki.openstack.org/wiki/Airship || https://review.opendev.org/#/q/projects:airship+status:open+NOT+label:Verified%253D-1+NOT+label:Workflow%253D-1+NOT+message:DNM+NOT+message:WIP"16:00
openstackMeeting ended Tue Mar  3 16:00:02 2020 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:00
openstackMinutes:        http://eavesdrop.openstack.org/meetings/airship/2020/airship.2020-03-03-15.00.html16:00
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/airship/2020/airship.2020-03-03-15.00.txt16:00
openstackLog:            http://eavesdrop.openstack.org/meetings/airship/2020/airship.2020-03-03-15.00.log.html16:00
ConnoreikaUploaded file: https://uploads.kiwiirc.com/files/3cbe9ffb64f03d02c75342556640d448/pasted.txt16:00
ConnoreikaUploaded file: https://uploads.kiwiirc.com/files/b6745ece81baf7e27517e2ba972fc51a/image.png16:00
ConnoreikaUploaded file: https://uploads.kiwiirc.com/files/ea4243400bb4b6c312873ceb58acb9cd/image.png16:00
alexanderhughesthanks all16:00
dwaltI imagine that getting your cert in the pod would fix this16:00
ConnoreikaYes.16:00
mattmceuenyeah16:00
mattmceuenbuilding a custom image16:00
dwalt++16:00
mattmceuenand then passing that image in as a helm values override16:00
uzumakiyeah, or somehow 'convince' git everywhere to use self-signed certs (which now sounds like a bad idea)16:00
mattmceuenyou could just base an image off the existing image and add your CA in?16:01
mattmceuenlol uzumaki16:01
ConnoreikaThats bad way.16:01
uzumakivery bad indeed :-)16:01
ConnoreikaCoz i think, i need to do that with all the images.16:01
Connoreikahttps://medium.com/@paraspatidar/add-ssl-tls-certificate-or-pem-file-to-kubernetes-pod-s-trusted-root-ca-store-7bed5cd683d16:02
jtwill98Does the bank have a signing server where you can submit cert that they sign?16:02
Connoreikahttps://medium.com/@paraspatidar/add-self-signed-or-ca-root-certificate-in-kubernetes-pod-ca-root-certificate-store-cb7863cb3f8716:02
ConnoreikaI have a cert that submit fake cert as valid.16:03
ConnoreikaThat 2 links is how people usually do.16:04
ConnoreikaBut i thought that you have in airship some standart way to do this.16:04
mattmceuenunfortunately I don't think so :(16:05
mattmceuenBut hopefully the dockerfile approach will be pretty straightforward16:05
ConnoreikaCoz you are doing something with certs during instalation16:05
ConnoreikaThats how i do on regular host: https://uploads.kiwiirc.com/files/3cbe9ffb64f03d02c75342556640d448/pasted.txt16:07
*** nasirkamal has quit IRC16:07
*** uzumaki has quit IRC16:07
ConnoreikaWell any idea?16:08
mattmceuenBest idea I have is just use a small dockerfile, FROM the upstream armada image, that adds in your CA per that doc16:08
mattmceuen you'd need to host the image in a docker registry that's accessible from the cluster16:09
mattmceuenand then you can  change your versions.yaml file to use your image instead of the default upstream one16:09
jtwill98Did the k8 (Method 3— Kubernets Deployment Yaml / Helm changes) approach not work for you?16:10
ConnoreikaThats a bit overhead, docker registry, patching.16:11
Connoreikajtwill98 dont know. Will it?16:11
rpocaseIs there an equivalent set of FQDN names (from https://airship-treasuremap.readthedocs.io/en/latest/authoring_and_deployment.html#register-dns-names) to define for an architecture initially based on airsloop? I'm getting back around to building a small cluster and was hoping to start with something airsloop based for simplicity and add nodes as the initial authoring is proved out. Or perhaps thats a16:14
rpocaseflawed plan and I should start with seaworthy with less nodes? I'll ultimately have 2 controllers/2 workers with each node having very different hardware16:14
jtwill98Just reading that seems like the best approach and entirely script-able.  Although if kuebctl is not available ... it won't be possible.16:15
mattmceuenrpocase:  I think airsloop is probably an easier place to start; you can always add in bits and pieces of seaworthy as you need them16:16
mattmceuenairsloop and seaworthy are just different example manifest sets -- you can adjust them to fit your needs16:16
mattmceuen(i.e. something "in between" the two of them)16:16
Connoreikajtwill98 ?16:16
*** pramchan63 has quit IRC16:17
*** ab2434_ has quit IRC16:17
ConnoreikaWell guys? What do I need to do?16:18
ConnoreikaDocker registry and custom images?16:19
dwaltI would personally try the custom images approach first, in order to make sure it works. Then, we can formulate a long-term solution.16:19
dwaltYou can push your custom images to dockerhub or quay.io16:20
ConnoreikaI also think to do something with proxy. Set up a local proxy, that have root certs, and try to download everything through it. What do you think?16:22
openstackgerritKostyantyn Kalynovskyi proposed airship/airshipctl master: [#11] Implement selector kustomize primitive  https://review.opendev.org/70925216:23
Connoreika?16:26
openstackgerritAlexander Hughes proposed airship/airshipctl master: [#81][WIP] makefile to check for unused test data  https://review.opendev.org/71105016:27
dwaltConnoreika: Sorry, I'm not familiar enough to know if that would work. If it's less effort, it may be worth a try.16:30
dwaltThough the base images approach seems easiest. For our deployments, we always build custom images using known, scanned base images. That's very standard and something you'll probably want to do if you run Airship in a production environment.16:30
ConnoreikaIs there any automation on building images?16:32
rpocasemattmceuen: Thanks! Sounds like start with airsloop, ignore fqdn for now, and merge in manifest sets as I have use cases for htenm16:32
rpocases/htenm/them16:32
dwaltYes, you can use the Makefile in each project. Just run `make images FROM=<your base image>`16:32
dwaltWhere your base image is a base Ubuntu image that has your certificate16:32
dwaltThen, you can push your custom image and change the chart values like mattmceuen suggested :)16:34
ConnoreikaOk. Thank you very much. Will try some cases.16:34
ConnoreikaFirst will try with proxy.16:35
ConnoreikaSeems easiest way.16:35
dwaltConnoreika: Sure thing. Let us know if anything comes up :)16:35
ConnoreikaAlso question, in future, when there will be image to upload and it will make all jobs, will it contain in itself all needed git/apt/docker/pyp stuff so other nodes won't need to go in internet and download anything?16:37
*** timClicks has quit IRC16:38
dwaltEverything gets downloaded during the build process https://opendev.org/airship/armada/src/branch/master/images/armada/Dockerfile.ubuntu_bionic16:39
dwaltWhen deploying the Helm chart + image into K8s, everything is already contained within the image.16:39
Connoreikadwalt, no, you didn't understand. In airship2.0, there will be deploy image.16:41
ConnoreikaWill it contain all that needed for other nodes, and those nodes will download everything from "genesis" node16:42
*** Connoreika has quit IRC16:46
AlexNoskovHi, could please someone review/merge the following PS: https://review.opendev.org/#/c/690392/ https://review.opendev.org/#/c/680495/ https://review.opendev.org/709638, two of them already have +217:03
openstackgerritKostyantyn Kalynovskyi proposed airship/airshipctl master: [#11] Implement selector kustomize primitive  https://review.opendev.org/70925217:07
openstackgerritPrateek Dodda proposed airship/shipyard master: [WIP] Implement Security Context for Airflow_Worker  https://review.opendev.org/69222417:12
*** SRao has quit IRC17:18
*** jojensen has joined #airshipit17:20
openstackgerritAlexander Hughes proposed airship/airshipctl master: [#81][WIP] makefile to check for unused test data  https://review.opendev.org/71105017:23
*** rpocase has quit IRC17:29
*** jojensen has quit IRC17:31
*** evrardjp has quit IRC17:35
*** evrardjp has joined #airshipit17:35
airshipbot<andrew.schiefelbein> Hail and well met17:37
roman_gHi.17:38
*** mfuller has joined #airshipit17:39
*** jojensen has joined #airshipit17:40
*** jojensen has quit IRC17:40
airshipbot<kk6740> hey hey!17:45
dwalto/17:46
*** nasir has joined #airshipit17:48
openstackgerritMerged airship/porthole master: Fix helm Installation Script in Apparmor Scripts  https://review.opendev.org/71017817:49
openstackgerritMerged airship/deckhand master: (fix) Address uwsgi and other gating issues  https://review.opendev.org/70895817:55
openstackgerritKostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] [WIP] Add functionality to set libvirt sec driver  https://review.opendev.org/71088918:01
openstackgerritKostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] [WIP] Add functionality to set libvirt sec driver  https://review.opendev.org/71088918:09
openstackgerritIan Pittwood proposed airship/airshipctl master: [WIP][#35] Refactor config package  https://review.opendev.org/71009718:09
openstackgerritsai battina proposed airship/airshipctl master: Add proxy to systemwide-executable roles  https://review.opendev.org/71107918:15
openstackgerritsai battina proposed airship/airshipctl master: Add proxy to systemwide-executable roles  https://review.opendev.org/71107918:16
*** SRao has joined #airshipit18:21
openstackgerritMerged airship/treasuremap master: Extend VM's configuration with NUMA/CPU/Memory/NIC changes  https://review.opendev.org/69039218:22
*** rezroo has joined #airshipit18:23
roman_gAlexNoskov: done.18:23
AlexNoskovThanks18:24
openstackgerritsai battina proposed airship/airshipctl master: Add proxy to systemwide-executable roles  https://review.opendev.org/71107918:38
airshipbot<lindsey.durway> This is my first slack message. Today I am a man!18:39
airshipbot<andrew.schiefelbein> Welcome!18:40
openstackgerritAlexander Hughes proposed airship/airshipctl master: [#81][WIP] makefile to check for unused test data  https://review.opendev.org/71105018:40
airshipbot<lindsey.durway> Thank you, mon frere.18:40
openstackgerritAlexander Hughes proposed airship/airshipctl master: [#81][WIP] makefile to check for unused test data  https://review.opendev.org/71105018:41
*** gagehugo has joined #airshipit18:43
*** michael-beaver has quit IRC19:13
openstackgerritPrateek Dodda proposed airship/shipyard master: [WIP] Implement Security Context for Airflow_Worker  https://review.opendev.org/69222419:21
*** SRao has quit IRC19:39
openstackgerritsai battina proposed airship/airshipctl master: Add proxy to systemwide-executable roles  https://review.opendev.org/71107919:46
openstackgerritKostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] [WIP] Add functionality to set libvirt sec driver  https://review.opendev.org/71088919:47
openstackgerritMatthew Fuller proposed airship/treasuremap master: Add support for modifying genesis kernel parameters for OVS-DPDK  https://review.opendev.org/70963820:14
openstackgerritdiwakar thyagaraj proposed airship/maas master: Enable Docker default AppArmor profile to maas  https://review.opendev.org/70513620:19
openstackgerritAhmad Mahmoudi proposed airship/shipyard master: WIP: (fix) Address image build issues, bionic  https://review.opendev.org/70905620:20
openstackgerritdiwakar thyagaraj proposed airship/maas master: [WIP] Enable Logs  Append for maas  https://review.opendev.org/70976320:30
openstackgerritAlexander Noskov proposed airship/treasuremap master: Add unsafe profile for disk VM's  https://review.opendev.org/71048020:53
*** aaronsheffield has quit IRC20:55
openstackgerriteric welch proposed airship/deckhand master: deleting extra comments  https://review.opendev.org/69393521:10
openstackgerritPrateek Dodda proposed airship/divingbell master: Implement Security Context for Divingbell  https://review.opendev.org/70788521:16
*** ashferg has quit IRC21:16
openstackgerritMerged airship/airshipctl master: [#58] Update types for golint  https://review.opendev.org/71046921:18
*** SRao has joined #airshipit21:20
*** happyhemant has quit IRC21:29
*** rezroo has quit IRC21:32
openstackgerritKostyantyn Kalynovskyi proposed airship/airshipctl master: [#75] Add functionality to set libvirt sec driver  https://review.opendev.org/71088921:36
*** SRao has quit IRC21:40
*** dpawlik has quit IRC22:00
openstackgerritJordan Kramer proposed airship/armada master: [WIP] Added Password Rotation Gate  https://review.opendev.org/70853822:07
openstackgerritAhmad Mahmoudi proposed airship/shipyard master: WIP: (fix) Address image build issues, bionic  https://review.opendev.org/70905622:08
*** segorov has joined #airshipit22:26
openstackgerritJordan Kramer proposed airship/armada master: [WIP] Added Password Rotation Gate  https://review.opendev.org/70853822:26
openstackgerritKostyantyn Kalynovskyi proposed airship/airshipctl master: [#11] Implement selector kustomize primitive  https://review.opendev.org/70925222:31
openstackgerritAhmad Mahmoudi proposed airship/shipyard master: WIP: (fix) Address image build issues, bionic  https://review.opendev.org/70905622:32
openstackgerritSirajudeen proposed airship/airshipctl master: [#21] - prompt for config init options  https://review.opendev.org/71018022:33
openstackgerritAhmad Mahmoudi proposed airship/shipyard master: (fix) Address image build issues, bionic  https://review.opendev.org/70905622:34
openstackgerritSirajudeen proposed airship/airshipctl master: [#21] - prompt for config init options  https://review.opendev.org/71018022:41
openstackgerritJagan Mohan Kavva proposed airship/maas master: Enable Docker default AppArmor profile to maas  https://review.opendev.org/70513622:42
openstackgerritJagan Mohan Kavva proposed airship/maas master: Enable Docker default AppArmor profile to maas  https://review.opendev.org/70513622:42
openstackgerritSirajudeen proposed airship/airshipctl master: [#21] - prompt for config init options  https://review.opendev.org/71018022:43
openstackgerritJordan Kramer proposed airship/armada master: [WIP] Added Password Rotation Gate  https://review.opendev.org/70853822:56
openstackgerritPrateek Dodda proposed airship/divingbell master: Implement Security Context for Divingbell  https://review.opendev.org/70788523:00
airshipbot<mattmceuen> Review on this would be appreciated:  https://review.opendev.org/#/c/708132/523:03
*** airshipbot has quit IRC23:33
openstackgerritKrishna Venkata proposed airship/airshipctl master: [lint]: Fix indentation  https://review.opendev.org/71112823:43
*** dwalt has quit IRC23:44
openstackgerritsai battina proposed airship/airshipctl master: Add proxy to systemwide-executable roles  https://review.opendev.org/71107923:56
*** segorov has quit IRC23:56
*** segorov has joined #airshipit23:56