Monday, 2018-08-13

« Sunday, 2018-08-12 Index Tuesday, 2018-08-14 »
*** AJaeger has quit IRC06:23
*** AJaeger has joined #openstack-infra-incident06:35
*** rosmaita has joined #openstack-infra-incident11:34
*** SteelyDan is now known as dansmith13:25
clarkbmordred: corvus ianw fungi Just sent followup email re Cody's rax questions to you all. Can you take a look at that reasonably soonish? Seems like this issue has dragged on for ~6 weeks and if we can fix it quickly now that we've been escalated to that will hopefully make people appy15:34
fungithanks, looking15:35
fungicody ended up back at rackspace? neat!15:59
clarkbya mordred fwiw I pulled cody off the recipient list so we can game plan a bit befor eresponding :)16:00
mordredoh. hah16:03
mordredclarkb: well - then ignore my hello to cody :)16:03
clarkbhttps://review.openstack.org/591446 is a related change16:09
corvusi guess we lost that when we switched to dib?16:10
clarkbI think when we switched off of puppet for dib16:10
corvuser yeah, that16:11
corvuscause, i mean, disabling password auth in the system as a whole was *literally* change #1  :)16:11
corvushttps://review.openstack.org/#/c/1/16:11
clarkbnice16:11
fungithat's a fun bit of history16:13
clarkbI'll reach out to cloudnull now and see if I can cc him on response to cody, then suggest that we clean up those servers and move on16:15
clarkbfungi: as for your checks, control plane is different because puppet applies sshd config16:15
fungiyep16:15
fungii wrote that before i saw the comment in here about puppetless dib16:16
clarkbfungi: my hunch is that ianw was reproducing some test result on these nodes and they ran some service which ended up being compromised16:16
fungientirely possible as well16:16
clarkbrather than ssh itself being at fault16:16
fungiplenty of potential backdoors after all16:16
fungiserves as a reminder to us all that we should delete temporary test servers when we're done with them16:16
clarkb++16:17
clarkbas for account contacts maybe we can put infra-root on there as well as PTL and jbryce? that should give us a decent spread?16:17
*** pabelanger has joined #openstack-infra-incident16:18
fungiyeah, but as i noted, none of them will get notified of problems unless someone in rackspace explicitly reaches out. trouble tickets they create will only end up mailing the internal sponsor, who may not be paying attention to them or may forget we need an explicit heads-up16:19
clarkbgot it16:19
fungiit's not like we regularly log into all our cloud accounts and check for new tickets16:19
clarkbI've reached out to cloudnull will respond to Cody as soon as I have a response from Keven (as for CC or not)16:20
fungiyeah, i'm mildly worried they'll notice soon that mvw isn't working there16:22
fungithen again, it took them years to realize jbryce, mordred, pvo, et al were no longer there but were listed as internal sponsors on comped accounts ;)16:22
clarkbkevin says always feel free to CC him when doing rax thing s:)16:28
clarkbalright email sent, I'll wait for ianw to show up in a few hours before deleting thins just to double check (instance is off and suspended anyway)16:38
*** rosmaita has quit IRC17:43
*** srwilkers_ has joined #openstack-infra-incident19:17
*** mgagne_ has joined #openstack-infra-incident19:24
*** srwilkers has quit IRC19:25
*** mgagne has quit IRC19:25
*** srwilkers_ is now known as srwilkers19:25
ianwclarkb: hey, sorry, catching up here20:49
ianwthis is the first i've heard of it, let me look at my notes20:49
ianwyeah, around then i was working on https://review.openstack.org/#/c/562004/20:51
clarkbianw: want ot follow up on that thread to let kevin and cody know we can delete the instance? (I'm happy for us to do it but unsure if rax wants to do more investigating)20:56
ianwclarkb: yes, just tapping away now, sorry about this20:59
clarkbno problem21:01
« Sunday, 2018-08-12 Index Tuesday, 2018-08-14 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!