derekokeeffe | Hi all, back again :) I'm trying to get Barbican working with Thales Luna Network HSM, I have most of the config done and the client on the machine can connect to the HSM but Barbican can't. I am on to Thales support trying to figure it out but I think you said you had it done before noonedeadpunk?? When I run the command to create the hmac or mkek keys it returns the error: ERROR: No token was found in slot 0non-zero return code. Any ideas | 07:38 |
derekokeeffe | on where to look? | 07:38 |
noonedeadpunk | hey. I think pretty much same issue mgariepy had recently. I'm not sure if they were able to resolve it though, but worth asking | 07:50 |
noonedeadpunk | but neither of my suggestions has helped :( | 07:50 |
noonedeadpunk | I believe that things like config, plugin and symlinks are in place? | 07:51 |
jrosser | derekokeeffe: did you see the examples in the barbican role docs? | 07:54 |
jrosser | https://docs.openstack.org/openstack-ansible-os_barbican/latest/ | 07:55 |
noonedeadpunk | these didn't help Mark iirc | 07:57 |
noonedeadpunk | but yeah, good question to ask | 07:58 |
jrosser | noonedeadpunk: i know you had trouble with pki/git permissions, so did we, could you take a look at https://review.opendev.org/c/openstack/ansible-role-pki/+/890793 | 07:58 |
jrosser | we have a deploy host with a non root deploy user and ssh config which makes that user ssh as root | 07:58 |
jrosser | so it's slightly different again | 07:58 |
derekokeeffe | Hi noonedeadpunk & jrosser, thanks for the reply. Yeah, I have all the config done and I thought it was the Luna HSM, hence why I contacted them, as the error suggests it's something I have failed to do on that (so I thought anyway). The one thing different from the docs is that I don't have libdpod.plugin; instead I have libcloud.plugin. Could that be an issue? | 07:59 |
derekokeeffe | Other than that I must say the AIO is great (I should have taken your advice earlier) :) | 08:00 |
noonedeadpunk | derekokeeffe: at the end of the day - you can generate mkek and hmac manually through luna clients... | 08:00 |
noonedeadpunk | As barbican after all cares only about labels. | 08:00 |
noonedeadpunk | Though they should be in proper algorithm and format | 08:01 |
jrosser | i would expect some kind of debug enable on the shared library to | 08:01 |
jrosser | too | 08:01 |
noonedeadpunk | jrosser: yeah, I missed when it went from WIP | 08:01 |
derekokeeffe | Oh can I? Do you have any link to instructions on how to do that with the client? | 08:01 |
jrosser | i only have experience of this with yubihsm not thales but it was possible to set some env vars that made the yubi pkcs11 library drop a log file | 08:01 |
jrosser | maybe possible to do the same sort of thing with the thales one? | 08:02 |
derekokeeffe | Oh ok, something else to look at so. Right, I'll go digging again and if I find a solution I'll let you know. Thanks as always | 08:03 |
noonedeadpunk | I never had any reasonable output from thales lib | 08:03 |
derekokeeffe | Ah ok | 08:05 |
noonedeadpunk | derekokeeffe: and you provide proper slot id to the barbican-manage command? | 08:07 |
noonedeadpunk | So HMAC should be CKK_AES/CKK_SHA256_HMAC algo with length 32 | 08:08 |
noonedeadpunk | MKEK same length, CKK_AES only | 08:09 |
derekokeeffe | noonedeadpunk: I have, yep. If I provide a slot that doesn't exist I get an error saying it's invalid; that's the reason I initially thought it was misconfiguration on the HSM, as Barbican could actually see what slots were available. Thanks, I'll get on that now and see if I can get this over the line | 08:10 |
noonedeadpunk | Or wait for Marc to wake up:) | 08:10 |
derekokeeffe | Haha I'll do both :) | 08:11 |
noonedeadpunk | if it was them at all.... | 08:12 |
jrosser | idk if this is any use https://thalesdocs.com/gphsm/ptk/5.9/docs/Content/PTK-C_Program/PKCS_11_Logger/PKCS_11_logger.htm | 08:13 |
noonedeadpunk | maybe they've re-created slot or smth like that... I really can't recall | 08:14 |
noonedeadpunk | I set it up once like 2-3 years ago and never touched the HSM part since then | 08:14 |
noonedeadpunk | (and actually nobody did) | 08:14 |
noonedeadpunk | it just works | 08:15 |
derekokeeffe | Thanks jrosser, Oh you have a currently working setup noonedeadpunk? | 08:19 |
noonedeadpunk | yup | 08:19 |
opendevreview | Merged openstack/openstack-ansible-os_nova master: Enable multiple console proxies where required in deployments https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/890521 | 09:49 |
noonedeadpunk | jrosser: I've left a comment to the patch | 09:58 |
opendevreview | Merged openstack/openstack-ansible-galera_server master: Remove galera-4 package during upgrades to force version up https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/890787 | 10:10 |
opendevreview | Dmitriy Rabotyagov proposed openstack/openstack-ansible-galera_server stable/2023.1: Remove galera-4 package during upgrades to force version up https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/892879 | 10:13 |
noonedeadpunk | though we can merge that if you think it's fine this way. I'll put +2 but won't set +W | 10:21 |
andrewbonney | noonedeadpunk: I'll take a look at that pki patch comment shortly | 10:22 |
opendevreview | Andrew Bonney proposed openstack/ansible-role-pki master: Add defaults for owner/group/mode on pki_install_host https://review.opendev.org/c/openstack/ansible-role-pki/+/890793 | 10:51 |
mgariepy | i do not have barbican ;) | 11:20 |
mgariepy | so it wasn't me hehe | 11:20 |
noonedeadpunk | sorry then :D | 11:28 |
noonedeadpunk | then I don't know who that was.... | 11:28 |
jamesdenton | i did those Entrust docs, fwiw | 13:21 |
jamesdenton | but it's been a while | 13:21 |
NeilHanlon | i've been meaning to look at barbican, but due to $requirements ended up just slapping together a solution with yubiHSMs | 13:23 |
jamesdenton | I was anticipating a customer demand that never manifested | 13:26 |
jamesdenton | for the HSM, anyway | 13:26 |
NeilHanlon | yeah my use case is for signing secure boot kernels which comes with its own mess of problems | 13:30 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Fix ansible_ssh_extra_args extra newline https://review.opendev.org/c/openstack/openstack-ansible/+/893191 | 13:57 |
noonedeadpunk | Eventually encrypted volumes are pretty much used and asked for, at least by our customers | 14:49 |
noonedeadpunk | this also unblocks tls termination for octavia | 14:50 |
jamesdenton | +1 | 15:05 |
noonedeadpunk | though admin side of things is a disaster.... | 15:06 |
jamesdenton | off topic, but have you had good luck with vpnaas? | 15:07 |
noonedeadpunk | well. relatively:) | 15:08 |
noonedeadpunk | runs in production for ages | 15:08 |
jamesdenton | cool. just now revisiting it | 15:09 |
noonedeadpunk | router failovers - can be problematic, but this can be solved from user side by setting vpn state down/up | 15:09 |
noonedeadpunk | we also had to apply some override to templates for cisco specifically | 15:09 |
jamesdenton | oh, nice. For Cisco peers, like ASA? | 15:10 |
noonedeadpunk | I'm not sure to be frank... But we had to enable make_before_break, disable mobike and slightly tuned re-keying intervals | 15:13 |
noonedeadpunk | But IIRC make_before_break was quite a big deal | 15:14 |
jamesdenton | will have to check that out | 15:14 |
jamesdenton | have a small POC right now, just creating the VPN between 2 neutron routers at 2 sites | 15:15 |
jamesdenton | but it's through an ASA on each side, for now. Passthrough | 15:15 |
jamesdenton | don't think i'm getting through ipsec phase 2, as the tunnel is down | 15:15 |
jamesdenton | is there any decent logging? | 15:15 |
noonedeadpunk | Um.. No. We've enabled one with custom template as well | 15:16 |
noonedeadpunk | I think there's an example somewhere even, sec | 15:16 |
jamesdenton | alrighty, i can check that out. thanks for the hint | 15:17 |
noonedeadpunk | we have strongswan.conf like that https://paste.openstack.org/show/bbECsZitB2aEj1XEFnF6/ | 15:18 |
noonedeadpunk | there's an example here on how to distribute it https://docs.openstack.org/openstack-ansible-os_neutron/latest/configure-network-services.html#virtual-private-network-service-vpnaas-optional | 15:18 |
noonedeadpunk | but iirc you'd need to replace 1 with 2 or smth for more verbose output | 15:18 |
noonedeadpunk | jamesdenton: sorry | 15:19 |
noonedeadpunk | syslog didn't fly | 15:19 |
noonedeadpunk | we ended up with https://paste.openstack.org/show/bUAt6wbdLuvKAELIsDOA/ | 15:20 |
jamesdenton | oh, it didn't want to write to syslog? | 15:20 |
noonedeadpunk | filepath is relative to namespace | 15:20 |
jamesdenton | or didn't want to clutter | 15:20 |
jamesdenton | ok | 15:20 |
noonedeadpunk | well, it's in netns | 15:20 |
jamesdenton | right, ok | 15:20 |
noonedeadpunk | so it's hard with syslog there | 15:20 |
* noonedeadpunk goes to patch things internally | 15:21 |
jamesdenton | rebuilding some terraform now | 15:21 |
jamesdenton | thanks again | 15:21 |
noonedeadpunk | these logs will end up in /var/lib/neutron/ipsec/<router uuid>/var/run eventually | 15:23 |
jamesdenton | right, gotcha. thanks | 15:23 |
opendevreview | Merged openstack/openstack-ansible-galera_server stable/2023.1: Remove galera-4 package during upgrades to force version up https://review.opendev.org/c/openstack/openstack-ansible-galera_server/+/892879 | 16:26 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible-lxc_container_create master: Allow LXC container auto mounts to be customised https://review.opendev.org/c/openstack/openstack-ansible-lxc_container_create/+/893229 | 16:56 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: Add default name for user collections file https://review.opendev.org/c/openstack/openstack-ansible/+/893230 | 17:07 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240 | 18:25 |
jrosser | ^ i guarantee this is broken right now but is more-right-than-wrong for anyone interested in magnum cluster api | 18:26 |
jrosser | see https://vexxhost.github.io/magnum-cluster-api/admin/intro/ for context | 18:27 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240 | 18:28 |
opendevreview | Merged openstack/ansible-role-pki master: Add defaults for owner/group/mode on pki_install_host https://review.opendev.org/c/openstack/ansible-role-pki/+/890793 | 18:31 |
opendevreview | Jonathan Rosser proposed openstack/ansible-role-pki stable/2023.1: Add defaults for owner/group/mode on pki_install_host https://review.opendev.org/c/openstack/ansible-role-pki/+/893247 | 18:35 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240 | 18:49 |
Karni | Hi | 19:33 |
Karni | In our previous experiences, it couldn't touch even 1G. | 19:34 |
Karni | noonedeadpunk suggested that I enable the multiqueue feature on images/flavors, which allows networking tasks to use all vCPUs. | 19:35 |
Karni | This is my scenario: I have 3 VMs on 3 different physical servers. Each server has 10G NIC cards. VM1 = Ubuntu A = iperf client | VM2 = Cisco ASAv (just for monitoring; it's the gateway for the other two VMs) | VM3 = Ubuntu B = iperf server | 19:35 |
Karni | All traffic goes through the ASA (I want to use its bit rate graphs) | 19:36 |
Karni | I'm looking for the right tool to generate traffic | 19:38 |
Karni | As someone mentioned, "Note that iperf3 is single threaded, so if you are CPU bound, this will not yield higher throughput." | 19:38 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240 | 20:51 |
opendevreview | Jonathan Rosser proposed openstack/openstack-ansible master: WIP - test Vexxhost CAPI driver for magnum https://review.opendev.org/c/openstack/openstack-ansible/+/893240 | 22:00 |