Wednesday, 2014-11-12

*** ryanpetrello has joined #openstack-barbican [00:08]
*** ryanpetrello has quit IRC [00:23]
*** akoneru has joined #openstack-barbican [00:30]
*** bdpayne_ has joined #openstack-barbican [00:31]
*** bdpayne has quit IRC [00:33]
*** nkinder has joined #openstack-barbican [00:47]
*** ryanpetrello has joined #openstack-barbican [00:56]
*** bdpayne_ has quit IRC [00:56]
*** morganfainberg has joined #openstack-barbican [01:04]
morganfainberg: ooh i wasn't lurking in this channel already [01:04]
dstufft: lurker [01:06]
dstufft: :D [01:06]
morganfainberg: ^_^ [01:06]
morganfainberg: http://goo.gl/forms/4W7xVM9x49 if anyone is interested in the Keystone mid-cycle [01:18]
*** gyee has quit IRC [01:27]
*** ryanpetrello has quit IRC [01:39]
rm_you: hmm, if that's at RS again I might stop by just out of principle [01:53]
morganfainberg: rm_you, likely it'll be in Sunnyvale or Mountain View. but it's still up in the air. [02:16]
morganfainberg: rm_you, we'll see what the survey results say [02:17]
*** dave-mccowan_ has joined #openstack-barbican [02:18]
*** dave-mccowan has quit IRC [02:19]
*** dave-mccowan_ is now known as dave-mccowan [02:19]
*** ayoung has joined #openstack-barbican [02:29]
*** openstackgerrit has quit IRC [02:34]
*** rsyed is now known as rsyed_away [02:40]
*** SheenaG1 has joined #openstack-barbican [03:16]
*** akoneru has quit IRC [03:59]
*** dave-mccowan has quit IRC [04:26]
*** akoneru has joined #openstack-barbican [05:11]
*** liam_ has joined #openstack-barbican [07:22]
*** liam_ is now known as Guest46061 [07:23]
*** Guest46061 has quit IRC [07:28]
*** rm_you| has joined #openstack-barbican [07:35]
*** rm_you has quit IRC [07:38]
*** akoneru has quit IRC [11:14]
*** rm_you| has quit IRC [11:17]
*** rm_you| has joined #openstack-barbican [11:17]
*** dave-mccowan has joined #openstack-barbican [11:58]
*** dave-mccowan has quit IRC [12:02]
*** dave-mccowan has joined #openstack-barbican [12:03]
*** rm_you| has quit IRC [12:08]
*** rm_you| has joined #openstack-barbican [12:08]
*** jaosorior has joined #openstack-barbican [12:15]
*** ryanpetrello has joined #openstack-barbican [12:38]
*** rellerreller has joined #openstack-barbican [13:01]
*** akoneru has joined #openstack-barbican [13:41]
*** dave-mccowan has quit IRC [13:47]
*** rsyed_away is now known as rsyed [13:48]
*** rellerreller has quit IRC [13:53]
*** joesavak has joined #openstack-barbican [14:07]
*** nkinder has quit IRC [14:18]
*** openstackgerrit has joined #openstack-barbican [14:40]
*** SheenaG1 has quit IRC [14:43]
*** ametts has joined #openstack-barbican [14:50]
*** paul_glass has joined #openstack-barbican [15:01]
*** tdink has joined #openstack-barbican [15:01]
*** SheenaG1 has joined #openstack-barbican [15:03]
*** SheenaG11 has joined #openstack-barbican [15:07]
*** SheenaG1 has quit IRC [15:07]
*** nkinder has joined #openstack-barbican [15:10]
chellygel: rm_work, rm_you| [15:14]
openstackgerrit: Tim Kelsey proposed openstack/barbican: Fix communication of secret_type info  https://review.openstack.org/133695 [15:17]
*** ryanpetrello has quit IRC [15:19]
*** zz_dimtruck is now known as dimtruck [15:23]
*** ryanpetrello has joined #openstack-barbican [15:25]
openstackgerrit: Tim Kelsey proposed openstack/barbican: Fix communication of secret_type info  https://review.openstack.org/133695 [15:31]
*** ayoung is now known as ayoung-afk [15:53]
*** JeffF has joined #openstack-barbican [15:56]
*** paul_glass has quit IRC [15:59]
openstackgerrit: Tim Kelsey proposed openstack/barbican: Fix communication of secret_type info  https://review.openstack.org/133695 [16:02]
*** david-lyle has joined #openstack-barbican [16:04]
*** kebray has joined #openstack-barbican [16:09]
chellygel: redrobot, YT? [16:12]
*** kebray has quit IRC [16:16]
*** alee has quit IRC [16:18]
*** dave-mccowan has joined #openstack-barbican [16:24]
*** dave-mccowan_ has joined #openstack-barbican [16:26]
redrobot: chellygel YT? [16:28]
*** dave-mccowan has quit IRC [16:29]
*** dave-mccowan_ is now known as dave-mccowan [16:29]
SheenaG11: redrobot: stand up! [16:29]
*** alee has joined #openstack-barbican [16:30]
chellygel: redrobot, just looking for the blueprint for CA discovery API -- didnt see a link to it and im on LP looking for it. [16:30]
SheenaG11: chellygel: that's my fault, I'll add those to the stories [16:30]
redrobot: SheenaG11 but I like sitting down. [16:31]
SheenaG11: STAND UP FOR WHAT [16:31]
SheenaG11: related: i had coffee this morning [16:31]
*** gyee has joined #openstack-barbican [16:45]
alee: redrobot, ping [16:55]
redrobot: alee pong [16:55]
alee: redrobot, I'm trying to figure out how to start barbican [16:56]
alee: that is -- I have a fresh vm in which I have installed the barbican libs etc. [16:56]
redrobot: alee barbican.sh not working? [16:56]
alee: via an rpm -- and am trying to figure out how barbican.sh works [16:57]
redrobot: ah...   was the rpm built from the SPEC in the repo? [16:57]
*** ayoung-afk is now known as ayoung [16:57]
alee: redrobot, no - from my own spec based on what is there. [16:57]
alee: redrobot, so just trying to understand barbican.sh [16:58]
redrobot: so, the spec file pre-dates barbican.sh [16:58]
alee: redrobot, start_barbican essentially calls .. [16:58]
*** tdink_ has joined #openstack-barbican [16:58]
redrobot: alee the RPM was configured to use Upstart to run the service.  https://github.com/openstack/barbican/blob/master/etc/init/barbican-api.conf [16:59]
redrobot: you should be able to just do: [16:59]
redrobot: service barbican-api start [16:59]
alee: uwsgi --master --die-on-term --emperor /etc/barbican/vassals --logto /var/log/barbican/barbican-api.log --stats localhost:9314 [16:59]
alee: so its basically doing that ^^ [17:00]
alee: in your example .. [17:00]
redrobot: alee yup.  Although the assumption that everyone will be using uwsgi may not be true for a general use RPM. [17:00]
alee: redrobot, or I tried doing .. [17:00]
alee: uwsgi --master --emperor /etc/barbican/vassals [17:01]
alee: now - when I do that -- I see uwsgi come up but no app is loaded [17:01]
*** tdink has quit IRC [17:01]
alee: redrobot, so what tells uwsgi what to load up? [17:02]
*** rm_you| has quit IRC [17:02]
redrobot: alee --emperor /etc/barbican/vassals tells uwsgi to run in emperor mode.  It looks at all files in the vassals directory and spins up a process for each file. [17:02]
*** rm_you| has joined #openstack-barbican [17:02]
*** joesavak has quit IRC [17:03]
alee: redrobot, ok so this is whats in my vassals directory [17:03]
*** joesavak has joined #openstack-barbican [17:04]
redrobot: alee https://github.com/openstack/barbican/tree/master/etc/barbican/vassals [17:04]
alee: [root@vm-056 SPECS]# ls /etc/barbican/vassals/ [17:04]
alee: barbican-admin.ini  barbican-api.ini [17:04]
redrobot: ? [17:04]
alee: checking if they are the same [17:04]
redrobot: alee looks right.  Each INI file then points to a paste file. [17:04]
redrobot: also, as a sanity check you can start up a repl and make sure you can "import barbican" [17:05]
alee: redrobot, start up a repl? [17:08]
redrobot: alee python interactive session [17:09]
redrobot: alee my debug path is: Make sure confs are ok, then make sure that barbican is properly installed in the python packages. [17:09]
redrobot: if "import barbican" doesn't throw any errors, it means that Python can find the modules. [17:10]
alee: ok - python can find the modules [17:11]
redrobot: "sudo start barbican-api" didn't work? [17:12]
alee: redrobot, not using upstart [17:13]
redrobot: hmmm...  anything helpful in the logs? [17:13]
alee: redrobot, let me paste my log [17:14]
*** paul_glass has joined #openstack-barbican [17:18]
*** tdink_ has quit IRC [17:24]
*** tdink has joined #openstack-barbican [17:25]
alee: redrobot, http://fpaste.org/150135/81324414/ [17:27]
alee: redrobot, so it reads the config files but then loads nothing up afaics [17:28]
redrobot: alee that's really strange...  I wonder if this is the problem? [17:33]
redrobot: !!! UNABLE to load uWSGI plugin: /usr/lib64/uwsgi/python_plugin.so: cannot open shared object file: No such file or directory !!! [17:33]
openstack: redrobot: Error: "!!" is not a valid command. [17:33]
redrobot: how did you install uwsgi? [17:33]
alee: redrobot, openstack does not like !! ! [17:33]
alee: redrobot, yum install uwsgi [17:33]
redrobot: is there a uwsgi-python perhaps? [17:34]
redrobot: not sure how uwsgi is packaged...  we ended up having to FPM our own uwsgi [17:34]
rsyed: alee the yum version of uwsgi is modular...you'd have to install the python plugin (not sure what the package name is) [17:34]
rsyed: uwsgi-plugin-python it appears [17:34]
alee: rsyed, thanks - trying that [17:36]
rsyed: you may need other plugins, depending on how barbican runs uwsgi (i'm not familiar with it).  for example if you wanted the http functionality, you'd need the http plugin [17:37]
alee: rsyed, yeah -- I'll try adding more modules [17:38]
alee: redrobot, rsyed - yeah adding the python module helped -- now at least its trying to load something (and failing) [17:41]
alee: but I have something to debug now [17:42]
*** paul_glass has quit IRC [17:42]
*** paul_glass has joined #openstack-barbican [17:44]
*** paul_glass has quit IRC [17:44]
*** paul_glass has joined #openstack-barbican [17:47]
*** paul_glass has quit IRC [17:49]
*** kebray has joined #openstack-barbican [18:02]
*** atiwari has joined #openstack-barbican [18:22]
*** bdpayne has joined #openstack-barbican [18:24]
*** alee has quit IRC [18:33]
*** alee has joined #openstack-barbican [18:33]
morganfainberg: can anyone tell me where barbican midcycle is tentatively being planned for? [18:40]
morganfainberg: is it San Antonio? (geekdom/rax)? [18:40]
chellygel: morganfainberg, last i heard was maybe San Francisco [18:41]
chellygel: no final decision yet though morganfainberg [18:41]
morganfainberg: chellygel, hm. ok. [18:41]
morganfainberg: if it's the bay that makes it easier for me to decide we're doing bay for Keystone as well. [18:41]
morganfainberg: even though (unfortunately) it means a few rackspace people can't come. [18:42]
chellygel: i think that was the hope [18:42]
chellygel: was to do them together [18:42]
morganfainberg: yeah, looks like if we're doing bay it'll be at RedHat for keystone [18:42]
morganfainberg: so mountain view [18:42]
chellygel: oh whoa [18:42]
redrobot: morganfainberg yeah, no concrete plans yet.  SFO was tossed around as an option since we have Rackspace event space available to us for free. [18:42]
morganfainberg: and the overwhelming preference is Jan 19-21 for us (mon, tues, wed) [18:43]
morganfainberg: i mean, i'm also happy to occupy Rackspace event space ;) [18:44]
morganfainberg: but RH has offered to directly supply space as well. [18:44]
morganfainberg: who should i speak with for info on event space [if we can actually share the space that is] [18:45]
morganfainberg: ? [18:45]
redrobot: morganfainberg I can poke some people here on our end.  I don't foresee any problems with sharing space. [18:45]
morganfainberg: redrobot, great i'll run with the assumption that Jan 19 - 21 is our preferred dates on keystone side [i have a commitment to be elsewhere in the bay later that week and most people seem to prefer the earlier weekdays anyway] [18:46]
morganfainberg: redrobot, and if it doesn't work for us to use the same space i do also have RH space offered. [18:47]
redrobot: morganfainberg noted.  I'll poke some people here and get back to you as soon as I have some answers. [18:47]
*** tdink_ has joined #openstack-barbican [18:55]
*** jsavak has joined #openstack-barbican [18:58]
*** tdink has quit IRC [18:59]
*** tdink_ has quit IRC [18:59]
*** joesavak has quit IRC [19:02]
*** tdink has joined #openstack-barbican [19:04]
*** paul_glass has joined #openstack-barbican [19:07]
*** kebray has quit IRC [19:08]
*** kebray has joined #openstack-barbican [19:12]
rm_work: chellygel: you back? :P [19:24]
chellygel: aye rm_work [19:24]
rm_work: cool :) [19:24]
chellygel: que paso [19:25]
rm_work: chellygel: do you know if the serial number for cert signing matters at all if we're just doing a bunch of self signed certs for internal use? [19:25]
rm_work: someone said you were the Cert expert :P [19:25]
chellygel: ha [19:25]
chellygel: im working on being that person [19:25]
chellygel: im not sure about that though [19:25]
chellygel: im not even sure about a serial number rm_work [19:26]
SheenaG11: rm_work: I don't know what that is either, is that just a unique identifier per cert? [19:26]
rm_work: yes [19:26]
rm_work: I believe it is used for revocations maybe? [19:26]
rm_work: though I don't know for sure [19:26]
dstufft: you want some randomness in the serial number [19:27]
SheenaG11: Symantec uses the cert to process the revoke [19:27]
rm_work: the best description i could find was essentially "bookkeeping purposes" [19:27]
SheenaG11: But there is a uuid associated with the RAX order I think [19:27]
SheenaG11: We should probably still have a serial number since domain isn't unique across certs [19:27]
dstufft: well a cert has to have a serial number afaik [19:27]
dstufft: https://github.com/saltstack/salt/issues/16744 [19:27]
rm_work: dstufft: but like, if i just set all of them to "0" will they not work or something? [19:28]
dstufft: ^^ some info on that ticket [19:28]
dstufft: that i'm too lazy to copy/paste [19:28]
rm_work: ok interesting [19:28]
dstufft: Note: Most of that was copy/pasted from reaperhulk telling me things [19:28]
rm_work: yeah I'm down for their randomization thing [19:28]
rm_work: binascii.hexlify(os.urandom(20)) seems good to me :) [19:29]
dstufft: https://github.com/python/psf-salt/blob/master/salt/_extensions/pillar/ca.py#L69-L70 [19:29]
dstufft: int(binascii.hexlify(os.urandom(20)), 16) technically [19:29]
rm_work: kk [19:29]
rm_work: copy/pasting that whole method [19:30]
rm_work: hmm the licenses are compatible, right? :P [19:30]
rm_work: dstufft: thanks [19:32]
chellygel: rm_work, see not a cert master [19:33]
chellygel: lol [19:33]
rm_work: :P [19:33]
rm_work: that question was particularly specific and unusual tho :) [19:33]
*** tdink_ has joined #openstack-barbican [19:33]
dstufft: the license on psf-salt is Apache 2 [19:34]
*** tdink has quit IRC [19:34]
dstufft: and I wrote it [19:34]
dstufft: so if it wasn't I could just relicense it [19:34]
rm_work: heh [19:34]
rm_work: I don't think it matters much for a single line that's not particularly special :) [19:34]
dstufft: yea [19:35]
dstufft: I'd argue that particular line isn't a creative work and that copyright doesn't really apply [19:35]
*** tdink_ has quit IRC [19:37]
*** tdink has joined #openstack-barbican [19:45]
*** darrenmoffat has quit IRC [19:48]
*** darrenmoffat has joined #openstack-barbican [19:49]
*** bdpayne has quit IRC [19:54]
*** tdink has quit IRC [19:56]
*** jsavak has quit IRC [20:01]
*** joesavak has joined #openstack-barbican [20:03]
*** jaosorior has quit IRC [20:03]
*** paul_glass has quit IRC [20:05]
*** liam_ has joined #openstack-barbican [20:05]
*** liam_ is now known as Guest39243 [20:05]
*** Guest39243 has quit IRC [20:06]
*** tdink has joined #openstack-barbican [20:12]
*** tdink_ has joined #openstack-barbican [20:13]
*** tdink has quit IRC [20:16]
*** tdink_ has quit IRC [20:18]
*** bdpayne has joined #openstack-barbican [20:42]
redrobot: rm_work serial number matters to the issuer, since they need to reference it for revocation, etc. [20:46]
rm_work: ok [20:46]
rm_work: I'm not building any provisions for revocation into this [20:47]
rm_work: so, I suppose I don't care :P [20:47]
redrobot: rm_work in the TLS class I was talking about, we were using just a serial that started at A0000001 and incremented by one. [20:47]
*** dave-mccowan has quit IRC [20:48]
rm_work: heh [20:48]
rm_work: yeah [20:48]
rm_work: well, I implemented dstufft's thing, and as long as the certs it generates are valid, i couldn't care any less [20:48]
*** tdink has joined #openstack-barbican [20:49]
*** tdink has quit IRC [20:54]
*** gyee has quit IRC [20:58]
*** bubbva has quit IRC [21:04]
*** bubbva has joined #openstack-barbican [21:04]
openstackgerrit: Merged openstack/barbican: Fix communication of secret_type info  https://review.openstack.org/133695 [21:06]
*** gyee has joined #openstack-barbican [21:14]
*** rtom has joined #openstack-barbican [21:17]
*** rsyed is now known as rsyed_away [21:19]
*** atiwari has quit IRC [21:21]
redrobot: chellygel you coming into the Castle tomorrow? [21:31]
*** rsyed_away is now known as rsyed [21:37]
*** dimtruck is now known as zz_dimtruck [21:38]
*** dave-mccowan has joined #openstack-barbican [21:40]
chellygel: redrobot, no, will be in austin [21:40]
chellygel: bringing the puppy home tomorrow [21:41]
redrobot: chellygel bah... they're asking people at Castle to wear Scorpions jerseys [21:41]
chellygel: aww lameeee!! [21:41]
chellygel: why for?? [21:41]
redrobot: no idea... message was a bit cryptic [21:41]
redrobot: "If you’re a big UTSA Roadrunners or Scorpions Fan.. You might just want to wear your team jersey/shirt/  tomorrow. [21:41]
redrobot: I’m just saying.  :)" [21:41]
chellygel: weirdo emails [21:42]
redrobot: for reals [21:42]
redrobot: if I see Billy Forbes I'm going to pass out. [21:42]
redrobot: :-P [21:42]
chellygel: i gotta keep my jersey clean for saturday dood [21:42]
redrobot: crap, that's right... guess I'll just have to buy another jersey. [21:43]
chellygel: pfhahaa [21:44]
redrobot: Actually, I have a team shirt I can wear tomorrow. [21:45]
*** kebray has quit IRC [21:49]
*** zz_dimtruck is now known as dimtruck [22:00]
*** SheenaG11 has quit IRC [22:04]
*** tdink has joined #openstack-barbican [22:11]
*** JeffF has quit IRC [22:13]
*** joesavak has quit IRC [22:16]
*** SheenaG1 has joined #openstack-barbican [22:24]
*** akoneru has quit IRC [22:36]
*** akoneru has joined #openstack-barbican [22:36]
*** tdink has quit IRC [22:36]
*** tdink has joined #openstack-barbican [22:37]
*** dimtruck is now known as zz_dimtruck [22:42]
*** tdink has quit IRC [22:44]
*** SheenaG1 has quit IRC [22:57]
*** david-lyle is now known as david-lyle_afk [23:12]
*** tdink has joined #openstack-barbican [23:13]
*** nkinder has quit IRC [23:18]
*** dave-mccowan has quit IRC [23:27]
*** kebray has joined #openstack-barbican [23:30]
*** rtom has quit IRC [23:32]
*** ametts has quit IRC [23:33]
*** ryanpetrello has quit IRC [23:39]
*** nkinder has joined #openstack-barbican [23:43]
reaperhulk: rm_work: randomizing your serial in that way is perfect. [23:53]
reaperhulk: To handle the comical paranoia you can also do stuff like https://github.com/r509/r509/blob/master/lib/r509/certificate_authority/signer.rb#L143 [23:57]
reaperhulk: although you could still collide if you issue ~2**48 certificates in a microsecond :D [23:58]
reaperhulk: (or get unbelievably unlucky) [23:59]
*** nkinder has quit IRC [23:59]
*** tdink has quit IRC [23:59]
