*** chandankumar is now known as chkumar|rover | 06:16 | |
noonedeadpunk | jrosser: systemd-analyze security is really interesting. Didn't know about it.... | 08:57 |
noonedeadpunk | I'm not sure though where and how we add it? | 08:58 |
noonedeadpunk | except like in post jobs.... | 08:58 |
jrosser | it's all in the unit files | 08:59 |
jrosser | so we can have "sensible defaults" in the systemd service role | 08:59 |
jrosser | and then where we want tighter things we can add more config as needed | 09:00 |
jrosser | there's already stuff there for some of it https://github.com/openstack/ansible-role-systemd_service/blob/master/templates/systemd-service.j2#L90-L98 | 09:01 |
jrosser | but i expect we could do more | 09:01 |
jrosser | maybe adding the output of systemd-analyze security to our log collection would be easy/useful | 09:02 |
noonedeadpunk | Well, checking one of my compute nodes I barely can find anything in good state | 09:03 |
noonedeadpunk | except systemd units themselves :) | 09:04 |
noonedeadpunk | I wonder what we can do better though https://pastebin.com/TkBhQhex | 09:46 |
noonedeadpunk | maybe smth like PrivateTmp, ProtectClock, ProtectKernelModules... | 09:55 |
opendevreview | Merged openstack/ansible-role-systemd_service master: Add ability to create templated services https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/816531 | 10:12 |
*** odyssey4me is now known as Guest761 | 10:15 | |
jrosser | i guess there are a bunch of those we can apply pretty globally, going down the list by score | 10:29 |
jrosser | others might need some work to get them right | 10:29 |
jrosser | noonedeadpunk: do you have thoughts about where we should do the sshd configuration for ssh certificates/principals? | 10:46 |
jrosser | i am currently adding it to openstack_hosts but wonder if keeping it all in the PKI role is better? | 10:46 |
noonedeadpunk | I bet this should be in our sshd role https://opendev.org/openstack/openstack-ansible/src/branch/master/ansible-role-requirements.yml#L236-L239 | 10:51 |
jrosser | yeah well it's kind of not our role | 10:51 |
jrosser | and actually i don't think we use that outside of AIO | 10:51 |
jrosser | this would be the first time we mess with sshd config for deployments, that's usually out of scope | 10:52 |
opendevreview | Merged openstack/openstack-ansible-os_glance stable/victoria: Replace NFS test with integrated one https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/823539 | 10:52 |
noonedeadpunk | yeah, indeed... | 10:52 |
noonedeadpunk | But I bet I saw ssh configuration being applied somewhere already... was it openstack_hosts? | 10:55 |
noonedeadpunk | or maybe hardening... | 10:55 |
opendevreview | Merged openstack/openstack-ansible-os_glance stable/victoria: Add boto3 module for s3 backend https://review.opendev.org/c/openstack/openstack-ansible-os_glance/+/822946 | 10:57 |
jrosser | maybe i just hack this up in openstack_hosts and then share what the patch looks like | 11:01 |
jrosser | i am kind of leaning toward putting it in PKI to make that self contained and re-usable | 11:02 |
noonedeadpunk | Well configuring sshd is probably not design of pki role tbh... | 11:03 |
noonedeadpunk | but yeah, depending on how it looks like ) | 11:03 |
jrosser | right - this could all be in its own role completely if we want | 11:04 |
jrosser | as actually its not x509 certs at all | 11:04 |
noonedeadpunk | Btw we do pretty much of ssh config here https://opendev.org/openstack/ansible-hardening/src/branch/master/tasks/rhel7stig/sshd.yml | 11:04 |
jrosser | luckily we are in modern times and have sshd_config.d/ | 11:05 |
jrosser | so that should not be too much of a problem | 11:05 |
noonedeadpunk | yeah, that's true :) | 11:08 |
*** sshnaidm|afk is now known as sshnaidm | 11:13 | |
*** dviroel|out is now known as dviroel | 11:28 | |
*** dviroel is now known as dviroel|lunch | 15:06 | |
*** frenzy_friday is now known as frenzyfriday|ruck | 15:58 | |
*** dviroel|lunch is now known as dviroel | 16:14 | |
opendevreview | Merged openstack/openstack-ansible-os_placement master: Move system_crontab_coordination role to collection https://review.opendev.org/c/openstack/openstack-ansible-os_placement/+/824592 | 16:33 |
jrosser | jamesdenton: i see a whole slew of those sshd deprecated options here https://paste.opendev.org/show/812161/ | 17:59 |
jamesdenton | hrm | 17:59 |
jamesdenton | i guess if we disable the hardening role then there's nothing else left to manage sshd_config? | 18:00 |
jrosser | not at the moment, we leave that to the deployer | 18:02 |
jrosser | although i am working on some sshd stuff right now | 18:02 |
jrosser | noonedeadpunk: it's kind of working https://paste.opendev.org/show/812163/ | 18:02 |
DK4 | hey is it possible to deploy a spine/leaf network setup with openstack ansible? | 18:57 |
jamesdenton | https://docs.openstack.org/openstack-ansible/latest/user/l3pods/example.html | 19:02 |
jamesdenton | it's been a very long time since i looked at that, though | 19:02 |
DK4 | Thank you, I'll check that out. i've been using kolla-ansible before and it's not possible to do that there | 19:04 |
mgariepy | DK4, it does work i did a deployment like that. | 19:06 |
mgariepy | with some other tweaks tho (i do have some services (haproxy and network hosts) linked to external stuff on a l2 over l3 to be able to migrate IPs from one node to the other). | 19:07 |
DK4 | mgariepy: thanks i'm trying to avoid bonding and have two nics per server e.g management leaf0 and management leaf1 per server | 19:07 |
DK4 | jup, the virtual ip is the one that gives me headaches | 19:08 |
mgariepy | i understand :) been there. | 19:09 |
mgariepy | my network equipment does support vxlan across datacenters and then exposes it as a vlan to the host, so i can migrate the VIP across my racks. | 19:10 |
DK4 | i was thinking to test ECMP balancing to the controllers but kolla gives you no way to configure it like that, I'll check on osa tomorrow | 19:10 |
mgariepy | but it depends on the network implementation you decide to go with. | 19:10 |
jrosser | DK4: osa does not do any of the host networking for you | 19:30 |
jrosser | so long as you set up the bridges it expects, in any way you like, then you are good | 19:30 |
jrosser | i have a reasonably large deployment with leaf/spine, but i have a separate pair of leafs for the control plane | 19:30 |
jrosser | that made all the stuff with the VIP easier to follow the usual deployment with the controllers in their own l2 domain | 19:31 |
jrosser | and then i use vxlan also on top of that for things that need to span all the leafs, like octavia mgmt network | 19:32 |
*** dviroel is now known as dviroel|afk | 21:18 | |
opendevreview | James Denton proposed openstack/openstack-ansible-ops master: Update MNAIO for Focal https://review.opendev.org/c/openstack/openstack-ansible-ops/+/824486 | 22:25 |