Thursday, 2016-01-14

01:24 *** jasondotstar has quit IRC
01:29 *** jasondotstar has joined #openstack-infra-incident
02:52 *** crinkle_ has joined #openstack-infra-incident
02:52 *** crinkle has quit IRC
03:08 *** crinkle_ is now known as crinkle
09:17 *** ig0r_ has joined #openstack-infra-incident
09:41 *** ig0r_ has quit IRC
17:20 *** nibalizer has joined #openstack-infra-incident
17:20 <jeblair> anyone here?
17:20 <fungi> yeah, so we should take care of it, though the urgency is not insane
17:20 <jeblair> clarkb: what's the ubuntu package version?
17:20 <clarkb> let me pull it back up
17:21 <jeblair> fungi: i agree re puppetmaster -- though some important machines ssh to the backup server
17:21 <clarkb> http://www.ubuntu.com/usn/usn-2869-1/
17:21 <clarkb> I don't see anything on centos announce yet
17:21 <jeblair> 1:6.6p1-2ubuntu2.4 is the updated package for trusty
17:22 <jeblair> 1:6.6p1-2ubuntu2.3 is what's on puppetmaster
17:22 <clarkb> so we should be able to do an ansible !git* 'apt-get update && apt-get dist-upgrade'
17:22 <clarkb> but actually make that valid ansible
17:22 <fungi> patched on precise yet?
17:22 <jeblair> dist-upgrade is not showing an option to upgrade to ubuntu2.4 on puppetmaster
17:23 <clarkb> then modify ssh_config on the git servers until centos has packages
17:23 <jeblair> fungi: 1:5.9p1-5ubuntu1.8
17:23 <clarkb> fungi ya usn url has precise package too
17:23 <fungi> okay, cool
17:23 <clarkb> jeblair: that may mean we aren't using upstream ubuntu for security updates :/
17:23 <jeblair> Get:28 http://mirror.rackspace.com trusty-security/main Sources [103 kB]
17:23 <jeblair> clarkb: yep
17:23 <clarkb> rax has a habit of overwriting those with their own mirrors
17:23 <jeblair> :(
17:23 <clarkb> ya that
17:23 <nibalizer> hi
17:24 <jeblair> so, task 1: use ansible to find apt configs that have a mirror as the security repo
17:24 <jeblair> task2: figure out a way to fix that
17:24 <jeblair> task3: use ansible to upgrade all
17:24 <jeblair> oh
17:25 <jeblair> task0: apply the config file mitigation on puppetmaster :)
17:25 <fungi> ideally, upgrade your clients first, before you ssh to the servers to upgrade them
17:25 <clarkb> jeblair +1
17:25 <jeblair> fungi: yeah task -1 is that :)
17:25 <fungi> heh
17:25 <clarkb> jeblair I think the easy mode fix for sources is to have ansible just copy a file over for what it should be
17:26 <fungi> working on step -1 while trying to scarf down a quick lunch
17:26 <jeblair> clarkb: probably; i just wanted to get an idea of what our sources actually look like first -- we do still have a mix of oses
17:26 <clarkb> jeblair ya
17:26 <nibalizer> i just put the NoRoaming directive in my .ssh/config
17:27 <fungi> it's faster for me to upgrade my openssh-client package
17:27 <jeblair> my step [-1] complete! :)
17:27 <jeblair> i'll do [0]
17:28 <jeblair> [0] done
17:29 <fungi> https://lists.debian.org/debian-security-announce/2016/msg00015.html for the debian advisory
17:29 <fungi> if you're running sid or stretch, install 1:6.7p1-5+deb8u1 from jessie
17:30 <mordred> o/
17:31 <Clint> if you're not using an ssh-agent you might wanna replace your keys too
17:31 <fungi> yep, depending on how much trust you place in the servers to which you've been ssh'ing with a given key
17:33 <fungi> i pretty heavily compartmentalize my keys, but for my infra ssh key it's probably time to do another annual rotation anyway
17:34 <clarkb> I wonder if the ssh agent confirm is sufficient for protecting against this
17:35 <Clint> it means they can't get your private key
17:35 <jeblair> ansible zm* -a "sh -c 'grep security /etc/apt/sources.list | grep rackspace'"
17:35 <clarkb> oh good I won't switch my key then
17:36 <jeblair> i think something like that ^ should tell us which hosts have problems, yeah?
17:36 <jeblair> (zm* was just me testing on a subset)
17:36 <fungi> if i'm reading correctly, it's the ssh client's process memory which is at risk of leaking, so the agent is maintaining the key itself in another process anyway with its own separate allocation
17:36 <clarkb> jeblair that looks right
17:36 <jeblair> so i'll go do that with 'all' and report back here shortly
17:36 <clarkb> jeblair exclude git* though as they are centos
17:36 <fungi> pbx too?
17:37 <clarkb> pbx is trusty now
17:37 <fungi> oh, right!
17:37 <clarkb> was part of removing centos6
17:37 <fungi> how quickly i forget
17:37 <jeblair> https://etherpad.openstack.org/p/pYJ6fttQIU
17:38 <nibalizer> https://review.openstack.org/267730 would configure the client not to use roaming, if we want that
17:38 <jeblair> clarkb: no need to exclude since they don't match anyway
17:39 <jeblair> ("SUCCESS" here means "found a rackspace security mirror")
17:39 <jeblair> (so "SUCCESS" is "bad" :)
17:39 <nibalizer> jeblair: what are the uuid hosts?
17:39 <mordred> nibalizer: hosts where more than one machine has the same name
17:39 <jeblair> nibalizer: good question!  i think we have to look that up in nova -- they are hosts with duplicate hostnames
17:39 <mordred> you can also look them up in the inventory cache
17:40 <jroll> jeblair: if our mirrors are out of date let me know and I'll bug people
17:40 <jeblair> jroll: your mirrors are out of date :)
17:40 <jroll> :|
17:40 <jeblair> jroll: but the real issue is that we shouldn't be using your mirrors for security updates
17:41 <jeblair> jroll: that's actually an ubuntu-recommended way of doing things
17:41 <jeblair> jroll: i believe rax has fixed that now
17:41 <jroll> jeblair: ah
17:41 <jroll> right.
17:41 <jeblair> jroll: and standard configs are split, with main a mirror and security not, but we have some old hosts
17:41 <jroll> ok, I'll refrain from yelling then
17:41 <fungi> in the past i thought i'd fixed our sources.list files to not use the rackspace mirrors for security updates?
17:42 <fungi> or is this something nova-agent is helpfully replacing for us?
17:42 <jeblair> fungi: the list seems rather small for nova agent to be doing that
17:42 <fungi> i'll start on a system-config patch for that
17:43 <fungi> now that we're on a new enough apt platform we can just drop it into a /etc/apt/sources.list.d/something file
17:43 <jeblair> fungi: hrm
17:43 <fungi> oh, precise may still be too old for that. i'll have to check
17:44 <jeblair> fungi: i feel like this is an error we should correct -- like it would be better to remove them from sources.list
17:45 <clarkb> is it something we need to puppet or just one shot fix?
17:45 <fungi> we could rewrite our sources.list files entirely, sure
17:45 <clarkb> I guess until we control the images puppet is nice
17:45 <mordred> yeah
17:45 <fungi> we could one-shot fix it and write the puppet change to keep it that way for new systems
17:45 <jeblair> we have 6 distinct sources.list files across all hosts
17:45 <jeblair> according to sha1sum
17:46 <nibalizer> apt::repo is pretty goo
17:46 <nibalizer> good*
17:46 <jeblair> my hypothesis is that this is not an ongoing problem
17:46 <mordred> btw - /var/cache/ansible-inventory/ansible-inventory.cache is where the ansible inventory cache goes, in case people need to look things up in the data
17:47 <jeblair> i believe the latest rax images don't do this, and i don't think we have confirmed that nova-agent overwrites this
17:47 <jeblair> so i suspect that if we correct it once, we won't have to do it again...
17:47 <jeblair> i'm fine with also using puppet to protect us from this happening again
17:47 <nibalizer> mordred: thanks
17:48 <mordred> jeblair: yes to all of your statements
17:48 <jeblair> i just want to make sure we understand that we don't _need_ to do that right now because i don't think we're under constant sources.list changing attack :)
17:48 <jeblair> i could be wrong -- just i don't think we've proved that yet :)
17:48 <jeblair> (we should definitely pay close attention)
17:48 <nibalizer> one of the uuid hosts is release.slave.openstack.org
17:49 <nibalizer> the other is openstackid-dev.openstack.org
17:49 <fungi> so we really just need one cleanup for trusty servers and a separate one for precise
17:50 <jeblair> fungi: probably; i'm figuring out what the 6 different sources.list files are now
17:50 <mordred> nibalizer: so there are two release.slave.openstack.org's and two openstackid-dev.openstack.org's ?
17:51 <clarkb> two openstackids makes sense since I think fungi was trying to trusty them at one point
17:51 <clarkb> for the release slave I don't know why that is, but it's probably safe to delete the one that isn't connected to jenkins
17:51 <nibalizer> no I don't think so
17:51 <fungi> openstackid-dev? yeah, i have been booting and deleting a replacement for that
17:51 <nibalizer> oh wait yes
17:52 <fungi> release.slave got replaced semi-recently and the old one (whatever has addresses not matching dns) can be ignored or deleted
17:52 *** AJaeger has joined #openstack-infra-incident
17:52 <jeblair> fungi, nibalizer: is this evidence that new rackspace images may have bad mirror configs?
17:53 <jeblair> maybe they relapsed
17:53 <fungi> jeblair: do you have a summary of the variances?
17:54 <jeblair> fungi: working on that
17:54 <jeblair> fungi: going into https://etherpad.openstack.org/p/pYJ6fttQIU as we speak
17:54 <nibalizer> again I think 267730 sets up the correct client-configuration to be safe until we get the apt-repos sorted
17:54 <fungi> awesome, thanks
17:54 <jeblair> nibalizer: you want to go ahead and merge that now?
17:55 <jeblair> nibalizer: i think i found a syntax error in it, see comment
17:55 <nibalizer> looking
17:56 <nibalizer> jeblair: good catch
17:56 <AJaeger> team, this is about the ssh client incident, correct? Anything that you need my help with? I doubt it - but will listen in...
17:57 <mordred> AJaeger: yes - that is the current incident - you're always welcome
17:57 <fungi> AJaeger: reviewing puppet bits maybe? but basically under control, and not crazily urgent, just performing due diligence
17:58 * AJaeger is not an expert but will have a look - reading backscroll now
17:58 <nibalizer> jeblair: AJaeger https://review.openstack.org/#/c/267730 updated
17:59 <jeblair> nibalizer: +2
18:00 <nibalizer> kk approving
18:02 <fungi> so our precise servers are getting security updates from ubuntu directly it looks like
18:02 <fungi> deb http://security.ubuntu.com/ubuntu precise-security main restricted
18:03 <jeblair> fungi: except ones with sha1sum of 12670adc87fd7296e430d450f7712058876348ea
18:03 <jeblair> fungi: i just completed the precise section of the etherpad
18:03 <fungi> okay, so we have a mix i guess
18:03 <jeblair> fungi: 4 hosts with that
18:04 <jeblair> fungi: listed in etherpad
18:05 <fungi> those 4 were likely the last precise builds we did
18:05 <fungi> at least they seem more recent than the other precise servers we still have
18:06 <fungi> so this suggests a change in rax or we stopped puppeting in a correct sources.list at some point
18:06 <jeblair> i think ci-backup-rs-ord and zuul-dev are old
18:06 <jeblair> fungi: we puppet sources.list?
18:08 <nibalizer> afaict we only apt::source once, to add the puppetlabs repo
18:09 <fungi> jeblair: i don't find evidence that we were puppeting security.ubuntu.com in a sources.list for anything besides jenkins slaves, and that seems to have ceased when we stopped using natty
18:09 <jeblair> fungi: okay, analysis of 4 trusty sources.list complete
18:10 <fungi> another possibility is that we manually fixed it at some point
18:10 <jeblair> one of them is from ovh.
18:10 <mordred> jeblair: oh yeah. we have other clouds
18:13 <jeblair> mordred: pypi.bhs1.o.o is not showing up in the list
18:13 <jeblair> mordred: clouds.yaml need updating or something?
18:13 <mordred> hrm. maybe? lemme look
18:14 <jeblair> the other pypis are all there
18:14 <mordred> jeblair: yes. patch coming
18:14 <fungi> okay, the issue has finally made it into a post on the oss-security ml
18:15 <fungi> though word seemed to get around earlier than planned
18:15 <clarkb> still nothing on https://lists.centos.org/pipermail/centos-announce/2016-January/thread.html
18:16 <mordred> jeblair: https://review.openstack.org/267758
18:16 <jeblair> mordred: thx
18:16 <clarkb> what is the difference between all clouds and ansible clouds?
18:17 <mordred> clarkb: all clouds includes nodepool regions
18:17 <mordred> clarkb: it's not actually used anywhere
18:17 <clarkb> ah
18:17 <jeblair> well, it's for operator convenience
18:17 <jeblair> so you can use it with 'openstack' cli
18:17 <mordred> clarkb: it's in tree in case we wanted to drop a clouds.yaml somewhere to be able to do crazy things
18:17 <mordred> yah. that
18:17 <clarkb> right, but we separate so ansible doesn't get confused talking to 1200 test nodes
18:17 <mordred> yup
18:17 <jeblair> once we nail it down, we can probably get rid of the .sh scripts in ci-launch
18:18 <jeblair> fungi: okay, so on trusty, we have only one variant...
18:18 <jeblair> in rax
18:19 <jeblair> fungi: if i'm reading this right, i think all our trusty hosts are getting security updates from the rax mirror :(
18:19 <jeblair> so i guess they relapsed to the old behavior
18:19 <fungi> that's unfortunate
18:20 <jeblair> i'm now more inclined to believe we should hard-fix this with puppet
18:20 <fungi> yeah, i'm inclined to blow away sources.list entirely and have puppet install a minimal useful one
18:20 <jeblair> should we attempt to maintain usage of cloud-local mirrors at all, or should we just drop in a standard ubuntu one everywhere?
18:21 <jeblair> i'm leaning toward standardized ubuntu
18:21 <fungi> using a common non-provider mirror will be easier to puppet
18:21 <jeblair> (and hope their geodns does something useful for them there)
18:21 <clarkb> the only potential problem with standard ubuntu one is the test slaves
18:21 <fungi> since we have to handle it separately for rax vs ovh vs... otherwise
18:21 <mordred> I vote for standard-ubuntu for long-lived servers
18:21 <clarkb> since they all apt-get update and potentially pull packages that aren't cached
18:22 <clarkb> the flip side is the mirrors break semi frequently
18:22 <fungi> we might want to do this only to our non-slave servers
18:22 <mordred> yah
18:22 <mordred> that's my vote
18:22 <mordred> and we can solve slave servers once we have the mythical mirroring infrastructure ourselves
18:22 <fungi> glean presumably gets separate code to manage sources lists on dynamic workers in the puppetless worker build future utopia
18:23 <nibalizer> ya in theory we'll have our own mirroring up soon™
18:23 <jeblair> that seems safe for now; i might want to explore the idea of changing it on the slaves too -- i wonder how bad it would really be, but i'm okay considering that a future scope expansion.
18:23 <fungi> or we do some trick with relative domain name search resolution
18:23 <jeblair> nibalizer: tbh we have a plan, but no one working on it.
18:23 <mordred> fungi: I'd say something similar to what we do with pypi mirrors and ready scripts
18:24 <jeblair> nibalizer: so i wouldn't necessarily say we'll have it soon
18:24 <fungi> mordred: oh, true, nodepool is a better candidate than glean
18:24 * mordred is good at batting features away from glean
18:25 <fungi> i don't know why i was thinking we needed that determined before nodepool connects to the worker
18:25 <fungi> we definitely don't
18:25 <jeblair> so who wants to write a puppet change to install distro-specific sources.list on non-nodepool workers?
18:25 <fungi> so, yeah, i say puppet for non-dynamic servers, nodepool for the dynamic ones
18:26 <fungi> i'll get working on that now. i've sufficiently degreased my lunchfingers
18:26 <jeblair> fungi: that will be an even easier split when we stop puppeting nodepool workers :)
18:26 <jeblair> fungi: ack, thanks
18:27 <clarkb> in the meantime, have rax mirrors updated enough to allow us to patch without the upstream ubuntu security repos?
18:28 <fungi> should be able to check by grepping the Packages.gz
18:28 <clarkb> git01 has 6.6.1p1 installed fwiw
18:40 <clarkb> nothing on https://rhn.redhat.com/errata/rhel-server-7-errata.html either
18:40 <clarkb> so we may be running with just the updated config on centos for a bit
19:07 <fungi> first stab is https://review.openstack.org/267778
19:09 <fungi> feel free to recommend adjustments to the list files there, but the uncommented lines appear to correspond to what we were getting from rackspace mirrors previously
19:11 <jeblair> fungi: +2d with a suggestion if you feel like an update
19:12 <fungi> glad to update
19:12 <jeblair> mordred: i'm assuming the extra lines were to keep them as close as possible to the standard ones?
19:13 <jeblair> mordred: though, fungi did add extra comments, so they already aren't exactly the same :)
19:13 <mordred> jeblair: yah to both statements
19:13 <fungi> yeah, and also deleted some trailing lines and in the trusty case switched from gb to us hostnames
19:13 <fungi> so another edit can't hurt
19:13 <fungi> i debated just removing all the comment lines
19:13 <jeblair> fungi: i wouldn't object to that, i'm always surprised how much shorter and readable they are that way :)
19:14 <fungi> yeah, i don't bother with comment lines for all that crap on my personal servers
19:14 <fungi> though also my debian sources.list files are way shorter
19:15 <fungi> also, any reason to leave the deb-src lines there? do we actually ever do anything with source packages on these servers?
19:15 <jeblair> i hope not
19:15 <fungi> yeah, removing those too
19:15 <fungi> i know i don't anyway
19:16 <fungi> if i do, it'll be on my workstation and then end up on a repository somewhere
19:16 <jeblair> i've worked with folks who like to ensure that gcc is _not_ installed on production servers because it's just helping the haxors.
19:16 <jeblair> that might be feasible for us once we finish detangling nodepool from puppet
19:17 <jeblair> though pip may throw a wrench in that
19:18 <fungi> yeah, pip installing non-pure-python stuff will get painful
19:18 <fungi> unless wheels everywhere
19:18 <clarkb> and even then if you don't keep up with making wheels pip will want to build from source
19:19 <clarkb> pip will always take newest version it can and wheels only win if newest version has a wheel
19:19 <fungi> okay, minor consistency tweak in that last patchset
19:19 <fungi> ready for any other comments
19:20 <clarkb> I really hate new gerrit's inter patchset diffing
19:20 <jeblair> fungi: ha!  you de-normalized the trailing /
19:20 <jeblair> fungi: gertty shows deletions only for precise, but deletions and changes for trusty due to removal of some trailing slashes
19:20 <fungi> alternatively i can add missing trailing / to them all if anyone cares
19:21 * jeblair pretends not to care
19:21 <clarkb> note us.archive may be not a great option for ovh
19:21 <clarkb> but we have few permanent hosts in ovh so not a huge deal
19:21 <jeblair> clarkb: yeah, i don't think it's going to be a huge uptick in our international traffic from ovh
19:21 <fungi> clarkb: well, that brings us to additional parameterization, which i'm not opposed to but
19:22 <jeblair> it's one host
19:22 <jeblair> okay 2
19:22 <fungi> let's consider that maybe a future opportunity for improvement if we care
19:22 <fungi> easy enough to expand this to templates later
19:22 <clarkb> +2'd, not approving in case someone else wants to review
19:23 <jeblair> approved
19:23 <clarkb> us.archive seems to be on the east coast at least :)
21:29 <clarkb> still no centos package that I see
22:41 <clarkb> nibalizer: jeblair fungi mordred the puppet change to add the ssh config line fails on slave builds
22:41 <clarkb> I think that means puppet is broken everywhere
22:41 <fungi> clarkb: yeah, see scrollback in -infra. it is
22:42 <fungi> i pinged nibalizer with the puppet error i saw from it
22:42 <clarkb> in that case I can't actually test that nodepool image builds are working
22:42 <fungi> i was just getting around to checking whether our sources.list change landed
22:43 <jeblair> clarkb: how does it fail?
22:43 <fungi> oh grr, the apply jobs are failing on mine
22:43 <clarkb> jeblair: Error: 6 lines match pattern 'Host *' in file '/etc/ssh/ssh_config'.  One or no line must match the pattern.
22:44 <clarkb> I am pulling up file_line docs now to see if we can just put it at the end of the file
22:44 <mordred> so ...
22:44 <jeblair> clarkb: ah
22:44 <mordred> we put out ssh_config files ... why don't we just edit the file template?
22:44 <jeblair> mordred: we do sshd_config -- do we also do ssh_config ?
22:45 <mordred> OH - you're right. we only do sshd_config
22:45 <mordred> I saw the line wrong in my brainhole
22:45 <jeblair> mordred: but regardless, maybe we could just switch to doing that if we aren't already
22:45 <clarkb> https://github.com/puppetlabs/puppetlabs-stdlib#parameters
22:45 <mordred> I mean - this current thing clearly doesn't work - and we grok how file templates work
22:46 <nibalizer> hi
22:46 <fungi> argh! we have a duplicate definition for /etc/apt/sources.list in (unsurprisingly) the apt module
22:46 <nibalizer> sorry was doing a thing
22:46 <clarkb> so we could make that work if ruby regex can match EOF
22:48 <clarkb> hrm I don't think we can set the /m flag
22:50 <clarkb> oh!
22:50 <clarkb> default behavior is to append if you don't set a match or after
22:50 <clarkb> should I write the change?
22:51 <fungi> nibalizer: should we be punching our custom sources.list files through into here instead? https://github.com/puppetlabs/puppetlabs-apt/blob/master/manifests/init.pp#L101
22:52 <nibalizer> https://review.openstack.org/267854 should work
22:52 <nibalizer> clarkb: ^
22:53 <clarkb> oh except if we have multiple matches each one needs to be fixed
22:54 *** ChanServ changes topic to "CVE-2016-0777 openssh-client https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt"
22:54 <nibalizer> clarkb: yea the error was
22:54 <nibalizer> Error: 8 lines match pattern 'Host *' in file '/etc/ssh/ssh_config'.  One or no line must match the pattern.
22:54 <clarkb> ya
22:54 <nibalizer> but putting the ^ in there makes it match only the uncommented one
22:55 <clarkb> gotcha
22:55 <nibalizer> tested on an ubuntu node and a centos node
22:55 <clarkb> I did read an ssh_config to check too
22:55 <clarkb> so +2
22:55 <nibalizer> okay i gotta run
22:55 <nibalizer> fungi: consult the crinkle is my best advice
22:55 <nibalizer> I can look later
22:56 <fungi> nibalizer: oh, right, you had a thing. sorry!
22:56 * fungi is forgetty
22:57 <crinkle> how can i help
23:01 <nibalizer> fungi: if we have custom apt sources and we want to puppet them we should probably use apt::source
23:02 <nibalizer> if we want to just have a file and dump it in /etc/apt/sources.list.d/ we should probably just use a file resource
23:02 <fungi> crinkle: trying to figure out the best path forward on https://review.openstack.org/267778 since we want a custom sources.list on our servers but that conflicts with the apt module's desire to manage that file in places
23:03 <clarkb> I think we want to control the actual sources.list
23:04 <nibalizer> clarkb: i approved the puppet fix
23:06 <fungi> yeah, we want to, at best, feed the sources_list_content into that file resource
23:08 <fungi> and i need to go cook dinner. i'll look at this again in a bit, but more recommendations welcome
23:18 <crinkle> why do we need to control the actual sources.list instead of adding to sources.list.d?
23:24 <crinkle> you could do this http://paste.openstack.org/show/483942/ but that is sort of gross hax
23:24 <clarkb> crinkle: because we aren't adding we are replacing, though maybe that just works
23:25 <fungi> crinkle: because our servers have sources.list content we don't want
23:26 <fungi> so we would like puppet to replace the sources.list content that comes on our servers
23:26 <fungi> reasons explained in the commit message for that change
23:27 <crinkle> you could set purge => { 'sources.list' => true } in the apt class and then add an apt::source resource or file resource
23:27 <crinkle> purge just replaces the whole file with a comment
23:29 <crinkle> i will comment
23:32 <fungi> crinkle: thanks! that will probably be good enough

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!