opendevreview | Merged openstack/kayobe master: Fix passwords.yml generation when parent directory doesn't exist https://review.opendev.org/c/openstack/kayobe/+/854236 | 07:27 |
opendevreview | Merged openstack/kayobe master: Fix merge action plugins verbose output https://review.opendev.org/c/openstack/kayobe/+/879222 | 07:28 |
SvenKieske | mnasiadka: so I took a look at https://bugs.launchpad.net/kolla/+bug/1990432 again, and I fear that the used fix is incomplete. I wrote down my reasoning in the bug report but I really would appreciate a second opinion here. | 07:34 |
mnasiadka | SvenKieske: the exact (more or less) same fix is in Nova, you want to tell me their fix is incomplete as well? ;-) | 07:35 |
mnasiadka | SvenKieske: and I'm not an expert either, maybe we need to find one :) | 07:36 |
opendevreview | Michal Nasiadka proposed openstack/kayobe stable/zed: Fix passwords.yml generation when parent directory doesn't exist https://review.opendev.org/c/openstack/kayobe/+/880387 | 07:38 |
opendevreview | Michal Nasiadka proposed openstack/kayobe stable/yoga: Fix passwords.yml generation when parent directory doesn't exist https://review.opendev.org/c/openstack/kayobe/+/880388 | 07:39 |
opendevreview | Michal Nasiadka proposed openstack/kayobe stable/xena: Fix passwords.yml generation when parent directory doesn't exist https://review.opendev.org/c/openstack/kayobe/+/880389 | 07:39 |
SvenKieske | well, I'm pretty sure my reasoning is sound; it seems it was just missed that the bug is not only about relative paths like "/../" but about symlink attacks as well. Read the original python bug report, I don't know why it isn't linked to from either nist.gov or launchpad.net but some random exploit blogpost instead | 07:39 |
SvenKieske | I don't even know if there is a trust boundary crossed in kolla, but under the assumption that we can't trust the path component I'm 90% sure the fix is incomplete. | 07:40 |
SvenKieske | and I took that as a given assumption, as else there would be no reason to even attempt to fix the relative path issue. | 07:41 |
SvenKieske | ¯\_(ツ)_/¯ | 07:41 |
mnasiadka | so just propose a followup, including a unit test for a symlink case and let's get over it ;) | 07:41 |
frickler | I don't think we should care at all, commented on the bug | 07:42 |
SvenKieske | yeah, that last part is the hard part for me, the fix itself is trivial, rewriting abspath to realpath. maybe I can take some inspiration from the upstream symlink testcase.. never wrote kolla tests before | 07:42 |
SvenKieske | frickler: I replied. might be "ok" to not fix this, but at the very least it should be documented then to the end user that he is expected to only use tarballs from trusted resources. | 07:47 |
frickler | mnasiadka: what's your opinion on xena, seems new backports keep creeping up, my pov is we should cut the final release now regardless of that | 07:47 |
mnasiadka | frickler: yes, I think so | 07:47 |
SvenKieske | tbh I don't like that approach, users tend to not read warnings in docs, or gloss over them, and then burn their hands on the hot oven in the kitchen.. | 07:48 |
mnasiadka | I don't see any critical patches in stable/xena for all three deliverables | 07:48 |
frickler | SvenKieske: well IMO that should be pretty obvious, but feel free to propose a patch. if people use untrusted sources, they can get into trouble regardless of what protection we build in | 07:48 |
frickler | mnasiadka: o.k., so I'll build a release patch now. is kayobe fine, too? | 07:49 |
frickler | oh, you said three, o.k. | 07:49 |
SvenKieske | I'm gonna ask the security team for advice, because if it is seen as a problem (or not), it affects multiple openstack projects | 07:51 |
mnasiadka | SvenKieske: I think what frickler wants to say is that there are probably other bugs/features where your time would be better spent ;-) | 07:51 |
SvenKieske | true, I'll just hand it off to security real quick. I have some sort of PTSD regarding underestimated security bugs which tend to own whole companies in the end.. | 07:53 |
SvenKieske | does anybody know Matthew Heler's nick here on IRC? I'm waiting for their reply to https://review.opendev.org/c/openstack/kolla-ansible/+/855498 | 08:03 |
frickler | SvenKieske: likely they are not on IRC, maybe not even around at all any longer. maybe you can set up a local deployment with that patch and that will help to resolve all open questions? let's discuss that internally | 08:17 |
SvenKieske | sure, will try that. but I'm also interested in upstream's opinion because both exporters have a certain overlap and happen to be programmed by the same person | 08:18 |
mmalchuk | please merge these wallaby chained patches: https://review.opendev.org/q/project:openstack%252Fkolla+branch:stable%252Fwallaby+status:open | 08:41 |
opendevreview | Maksim Malchuk proposed openstack/kayobe stable/zed: Fix merge action plugins verbose output https://review.opendev.org/c/openstack/kayobe/+/880462 | 08:44 |
opendevreview | Maksim Malchuk proposed openstack/kayobe stable/yoga: Fix merge action plugins verbose output https://review.opendev.org/c/openstack/kayobe/+/880463 | 08:44 |
opendevreview | Maksim Malchuk proposed openstack/kayobe stable/xena: Fix merge action plugins verbose output https://review.opendev.org/c/openstack/kayobe/+/880464 | 08:44 |
mmalchuk | mnasiadka please merge https://review.opendev.org/c/openstack/kolla-ansible/+/879221, the related patch has already merged in Kayobe | 08:47 |
opendevreview | Maksim Malchuk proposed openstack/kolla-ansible stable/zed: Fix merge action plugins verbose output https://review.opendev.org/c/openstack/kolla-ansible/+/880475 | 09:57 |
opendevreview | Maksim Malchuk proposed openstack/kolla-ansible stable/yoga: Fix merge action plugins verbose output https://review.opendev.org/c/openstack/kolla-ansible/+/880476 | 09:57 |
opendevreview | Maksim Malchuk proposed openstack/kolla-ansible stable/xena: Fix merge action plugins verbose output https://review.opendev.org/c/openstack/kolla-ansible/+/880477 | 09:57 |
opendevreview | Merged openstack/kolla-ansible master: Fix merge action plugins verbose output https://review.opendev.org/c/openstack/kolla-ansible/+/879221 | 10:36 |
opendevreview | Matt Crees proposed openstack/kolla-ansible master: Add precheck to fail if RabbitMQ HA needs configuring https://review.opendev.org/c/openstack/kolla-ansible/+/880274 | 11:54 |
opendevreview | Matt Crees proposed openstack/kolla-ansible master: Add precheck to fail if RabbitMQ HA needs configuring https://review.opendev.org/c/openstack/kolla-ansible/+/880274 | 12:12 |
opendevreview | Maksim Malchuk proposed openstack/kolla-ansible master: Fix maximum width of the DIB Multiline-YAML https://review.opendev.org/c/openstack/kolla-ansible/+/833633 | 13:36 |
sschmitt | Hello, I'm doing a deploy and trying to do some custom service configs. I have an ironic.conf in {{custom_node_config}}/config/ironic/ironic.conf and an ml2_conf.ini in {{custom_node_config}}/config/neutron/ml2_conf.ini. It seems like these aren't getting picked up. I have other config in here such as ceph config that is being picked up. Any ideas? | 14:32 |
sschmitt | Do I need to change the directory to something like "ironic-conductor" instead of just the generic "ironic"? | 14:32 |
sschmitt | (I should specify this isn't getting picked up when running a k-a reconfigure) | 14:33 |
sschmitt | Ok, actually looks like the ml2 conf took, but not the ironic | 14:48 |
*** EugenMayer41 is now known as EugenMayer4 | 19:17 |
*** EugenMayer48 is now known as EugenMayer4 | 19:32 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!