Thursday, 2023-11-16

01:22 <opendevreview> Merged openstack/kayobe stable/2023.1: Fix an issue when user forgot combine custom passwords https://review.opendev.org/c/openstack/kayobe/+/900461
05:42 <opendevreview> Michal Nasiadka proposed openstack/kolla-ansible master: ironic: Use baremetal_node_info https://review.opendev.org/c/openstack/kolla-ansible/+/901100
05:44 <opendevreview> Michal Nasiadka proposed openstack/kolla-ansible master: ironic: Use baremetal_node_info https://review.opendev.org/c/openstack/kolla-ansible/+/901100
07:00 <opendevreview> efineshi proposed openstack/kolla-ansible master: Fix upload image bigger than 1GB failed https://review.opendev.org/c/openstack/kolla-ansible/+/900660
07:01 <opendevreview> efineshi proposed openstack/kolla-ansible master: Fix upload image bigger than 1GB failed https://review.opendev.org/c/openstack/kolla-ansible/+/900660
07:08 <opendevreview> efineshi proposed openstack/kolla-ansible master: Fix upload image bigger than 1GB failed https://review.opendev.org/c/openstack/kolla-ansible/+/900660
08:35 <opendevreview> Petr Slavchenkov proposed openstack/kolla-ansible master: Fix proxysql get mariadb_backup_database_password https://review.opendev.org/c/openstack/kolla-ansible/+/900979
08:53 <opendevreview> Michal Nasiadka proposed openstack/kolla-ansible master: ironic: Use baremetal_node_info https://review.opendev.org/c/openstack/kolla-ansible/+/901100
09:02 <opendevreview> Michal Nasiadka proposed openstack/kolla-ansible master: ironic: Use baremetal_node_info https://review.opendev.org/c/openstack/kolla-ansible/+/901100
09:12 <SvenKieske> o/
09:13 <SvenKieske> mnasiadka: asking again if we should do a last effort to update rmq in yoga release? there is this one open: https://review.opendev.org/c/openstack/kolla/+/880799
09:13 <opendevreview> efineshi proposed openstack/kolla-ansible master: Fix upload image bigger than 1GB failed https://review.opendev.org/c/openstack/kolla-ansible/+/900660
09:17 <frickler> I don't think we can do this now, since we can no longer test upgrades from xena. IMO best we could do is a warning telling deployers to do the upgrade locally
09:19 <mnasiadka> yoga is going to be unmaintained soon
09:20 <mnasiadka> so I don't think the effort makes any sense
09:20 <mnasiadka> but we could do it for antelope (Zed for my company is just a jump through release)
09:24 <opendevreview> efineshi proposed openstack/kolla-ansible master: Fix upload image bigger than 1GB failed https://review.opendev.org/c/openstack/kolla-ansible/+/900660
09:38 <opendevreview> Mark Goddard proposed openstack/kolla-ansible stable/yoga: Fix OpenStack exporter scrape with internal TLS & FQDN https://review.opendev.org/c/openstack/kolla-ansible/+/901068
09:49 <opendevreview> Michal Nasiadka proposed openstack/kolla-ansible master: ironic: Use baremetal_node_info https://review.opendev.org/c/openstack/kolla-ansible/+/901100
09:51 <opendevreview> Merged openstack/kolla-ansible master: [doc] Fix the incorrect URL of 'Quick Start for development' https://review.opendev.org/c/openstack/kolla-ansible/+/898186
09:52 <opendevreview> Sven Kieske proposed openstack/kolla-ansible master: harden the glance-api cors settings https://review.opendev.org/c/openstack/kolla-ansible/+/901123
09:52 <opendevreview> Mark Goddard proposed openstack/kolla-ansible stable/2023.1: Add command to force reset the state of RabbitMQ https://review.opendev.org/c/openstack/kolla-ansible/+/901069
09:53 <opendevreview> Mark Goddard proposed openstack/kolla-ansible stable/zed: Add command to force reset the state of RabbitMQ https://review.opendev.org/c/openstack/kolla-ansible/+/901070
09:53 <opendevreview> Mark Goddard proposed openstack/kolla-ansible stable/yoga: Add command to force reset the state of RabbitMQ https://review.opendev.org/c/openstack/kolla-ansible/+/901071
09:53 <opendevreview> Mark Goddard proposed openstack/kolla-ansible stable/yoga: Add command to force reset the state of RabbitMQ https://review.opendev.org/c/openstack/kolla-ansible/+/901071
09:54 <opendevreview> Mark Goddard proposed openstack/kolla-ansible stable/yoga: Add command to force reset the state of RabbitMQ https://review.opendev.org/c/openstack/kolla-ansible/+/901071
09:56 <opendevreview> Will Szumski proposed openstack/kolla-ansible master: Adds the neutron_service_limit option https://review.opendev.org/c/openstack/kolla-ansible/+/877776
11:41 <jangutter> mnasiadka: I think that ubuntu podman build could possibly have been an outlier: https://zuul.opendev.org/t/openstack/builds?job_name=kolla-build-ubuntu-podman&project=openstack/kolla I don't see a pattern of badness...
11:50 <Vii> Hi. I have a question if this is normal because I don't think it is. The vnc service runs on libvirt nodes and issues an access port for each VM console, e.g. 5901, 5902, 5903. and you can access the vnc console from the vnc client without logging in. The service configuration should not include "Disable the 'No Authentication' security type."
11:51 <Vii> This looks like a serious security bug
12:18 <Vii> I think I know the answer :/ https://review.opendev.org/c/openstack/openstack-manuals/+/433321/2/doc/admin-guide/source/compute-configuring-migrations.rst
12:20 <jovial> Don't you normally have the vnc proxy in front of those vnc sockets? Which at least has some kind of token based authentication.
12:26 <Vii> I have vnc-proxy, but I was wondering if it is normal that I can connect to a libvirt machine without auth
12:30 <jovial> I think that is normal in a k-a deploy, but like you say, it doesn't seem ideal from security perspective
13:14 <opendevreview> Verification of a change to openstack/kayobe master failed: Remove Monasca and co remnants https://review.opendev.org/c/openstack/kayobe/+/901059
13:14 <opendevreview> Verification of a change to openstack/kayobe master failed: Drop not used grafana-conf from reqs https://review.opendev.org/c/openstack/kayobe/+/901060
13:33 <SvenKieske> regarding vnc: isn't this normally only reachable via the horizon/skyline gui, which is authenticated? are you telling me we are exposing unauthed vnc traffic on public/external networks? I don't think we do?
13:34 <SvenKieske> @Vii: see above
13:37 <Vii> @SvenKieske there is no access from the public/external network. I was simply surprised that you can open a VNC connection without auth from inside the network. I was wondering if this was normal. But it looks like it is
13:43 <SvenKieske> Vii: it seems that the default auth_schemes is "none": https://docs.openstack.org/nova/latest/configuration/config.html#vnc.auth_schemes
13:43 <SvenKieske> not 100% sure this is the correct config option to look at, in a past life I did design novnc authentication also based on novnc-proxy in a different but similar product..
13:52 <SvenKieske> Vii: at least this _was_ by design..looking into what happened to this spec: https://specs.openstack.org/openstack/nova-specs/specs/wallaby/approved/nova-support-webvnc-with-password-authentication.html
13:54 <SvenKieske> "The spec wasn't approved for Xena and has outstanding issues. Abandoning until this is reproposed and reworked in a future release" https://review.opendev.org/c/openstack/nova/+/622336/37#message-2a790d3cea7b38415b5efc670223b27d0efd569f
14:05 <SvenKieske> Vii: I just asked over at #openstack-nova
14:07 <Vii> SvenKieske: thanks, for me it looks like a security bug
14:15 <opendevreview> Sven Kieske proposed openstack/kolla-ansible master: harden the glance-api cors settings https://review.opendev.org/c/openstack/kolla-ansible/+/901123
14:20 <SvenKieske> Vii: well you need a token inside your URL, basic password auth doesn't buy you much, you really need to carefully describe an attacker scenario where an adversary crosses a trust boundary, just glancing at the problem I don't see that just yet.
14:22 <SvenKieske> you may though want to encrypt the network channel between the novnc proxy and the end user, that is possible (and even needed if you want to do password auth).
14:23 <SvenKieske> the designspec was seemingly rejected on the basis that password based auth wasn't deemed secure enough/enough of a security benefit, but I don't have the details at hand.
14:23 <Vii> I'm more concerned about the situation that the local "admin" in the local network can open any libvirt vnc connections and connect to a specific libvirt node
14:24 <SvenKieske> well, you can configure nova, to always only connect to the novnc proxy and you need to get a bearer token to be able to do so, but you get one by default by e.g. issuing "openstack console.."
14:25 <SvenKieske> the thing is, the admin can always reconfigure nova/qemu to accept local unauthed vnc connections
14:25 <Vii> if you have any libvirt node available with running VMs, connect with vnc client to ip.node.address:5900 /5901 / 5902
14:26 <SvenKieske> I personally don't believe in all the "remote attestation" hype, if you can't trust your cloud admin, you have big problems. that doesn't mean we should strive to make stuff even secure against admins
14:27 <Vii> Sure, I understand and I understand what's going on. Thanks
14:27 <SvenKieske> ah I guess we need to enable "vencrypt" as an auth_scheme, as mentioned above
14:27 <SvenKieske> Vii: maybe open a bug against kolla-ansible?
14:28 <Vii> I'd have to create an account :) If I remember, I'll do it tomorrow
14:28 <SvenKieske> I _think_ we should adjust the default vnc.auth_schemes to have "vencrypt" at least that seems to lock this down to the proxy
14:28 <SvenKieske> okay, then I guess I'll just file a bug myself, to not forget this stuff
14:35 <SvenKieske> Vii: opened a bug: https://bugs.launchpad.net/kolla-ansible/+bug/2043709 feel free to subscribe there or update with your concrete findings :)
14:36 <SvenKieske> from my experience it always helps if a user can clearly state what is wrong and how they expect the system to behave..we devs are somewhat disconnected from this stuff :D
14:54 <opendevreview> Can Özyurt proposed openstack/kolla-ansible master: Remove auth.conf from config.json for fake nova-compute https://review.opendev.org/c/openstack/kolla-ansible/+/901168
17:25 *** Continuity__ is now known as Continuity
17:33 <frickler> mnasiadka: looking at examples for the deprecation, I found renos saying we'd drop sahara and vitrage this cycle, do we still want to do that?
17:45 <opendevreview> Dr. Jens Harbott proposed openstack/kolla-ansible master: Deprecate Masakari https://review.opendev.org/c/openstack/kolla-ansible/+/901193
17:50 <frickler> hmm, do we mark deprecations only in k-a and not in kolla? also doc/source/support_matrix.rst still mentions bullseye and not bookworm?
18:13 <opendevreview> Merged openstack/kayobe master: Remove Monasca and co remnants https://review.opendev.org/c/openstack/kayobe/+/901059
21:09 <opendevreview> Maksim Malchuk proposed openstack/kolla-ansible stable/2023.1: Fix issue with octavia security group rules creation https://review.opendev.org/c/openstack/kolla-ansible/+/901075
21:21 <opendevreview> Maksim Malchuk proposed openstack/kolla-ansible stable/yoga: Add ability to configure rabbitmq https://review.opendev.org/c/openstack/kolla-ansible/+/901209
21:22 <opendevreview> Maksim Malchuk proposed openstack/kolla-ansible stable/yoga: Add ability to configure rabbitmq https://review.opendev.org/c/openstack/kolla-ansible/+/901209
21:24 <opendevreview> Maksim Malchuk proposed openstack/kolla-ansible stable/yoga: Add ability to configure rabbitmq https://review.opendev.org/c/openstack/kolla-ansible/+/901209
21:26 <opendevreview> Maksim Malchuk proposed openstack/kolla-ansible stable/yoga: Configure coordination in default for masakari-api https://review.opendev.org/c/openstack/kolla-ansible/+/901076
21:28 <opendevreview> Maksim Malchuk proposed openstack/kolla-ansible stable/2023.1: Add support for multiple ceph files https://review.opendev.org/c/openstack/kolla-ansible/+/901077
21:29 <opendevreview> Magnus Lööf proposed openstack/kolla-ansible master: Enable TLS backend for designate https://review.opendev.org/c/openstack/kolla-ansible/+/866524

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!