*** __ministry is now known as Guest62 | 07:51 | |
*** elodilles is now known as elodilles_pto | 08:37 | |
gibi | hi folks! Can I get a second core on the backport https://review.opendev.org/c/openstack/nova/+/934302 (and its parent)? | 08:57 |
*** ralonsoh_ is now known as ralonsoh | 10:04 | |
opendevreview | Merged openstack/nova stable/2024.2: Reproduce bug 2085975 in functional https://review.opendev.org/c/openstack/nova/+/934301 | 12:03 |
sean-k-mooney | gibi: that should merge shortly, I'll look at the next branch later but I'm sure it's fine | 12:45 |
gibi | sean-k-mooney: thanks! | 12:45 |
zigo | I'm now hit by the crypt.crypt removal in Python 3.13: | 12:53 |
zigo | https://buildd.debian.org/status/fetch.php?pkg=nova&arch=all&ver=2%3A30.0.0-2&stamp=1731930425&file=log | 12:53 |
zigo | tkajinam: Do you think your patch here https://review.opendev.org/c/openstack/oslo.utils/+/931899 could be used for it? | 12:54 |
zigo | BTW, I don't think we should keep using md5 as algo, like the comment above https://github.com/openstack/nova/blob/master/nova/virt/disk/api.py#L634 says. Any distro still using md5 shouldn't be considered at this time and age. | 12:56 |
zigo | gibi: bauzas: sean-k-mooney: Would it be accepted by the team if I was to propose a patch that does SHA-512 instead, and drop support for MD5 ? | 13:01 |
sean-k-mooney | zigo: I don't have context but there are some places where we can't do that for upgrade reasons | 13:02 |
zigo | sean-k-mooney: I believe nova/virt/disk/api.py is the bit that is doing password injections in VMs. | 13:03 |
zigo | (I didn't check much, but should be...) | 13:03 |
zigo | The comment says md5, because some distro may be outdated. | 13:03 |
gibi | zigo: yeah that codepath generates the content of the shadow file so we need to make sure whatever we change there still works with old but not super old linux distros | 13:04 |
zigo | This was in 2012 ... | 13:04 |
zigo | gibi: Fast forward 12 years later, md5 is a security hole... | 13:04 |
gibi | I'm aware | 13:04 |
zigo | I'm sure you are. | 13:04 |
zigo | So question still is: is it ok if we drop support for distros with such security hole? :) | 13:05 |
gibi | OK, if you ask this way then it sounds right to say no, we should not support distros that use md5 for the root password's hash | 13:05 |
gibi | I'm sold | 13:06 |
zigo | Thanks for confirming, I'll try to write a patch. | 13:06 |
opendevreview | Thomas Goirand proposed openstack/nova master: Python 3.13: crypt.crypt support is dropped https://review.opendev.org/c/openstack/nova/+/935512 | 13:16 |
sean-k-mooney | zigo: the password injection we may be removing | 13:17 |
zigo | sean-k-mooney: I'm ok with it being removed, but I'd prefer to have this patch merged, so I can safely backport it to Dalmatian, which will be the OpenStack release in the next Debian. | 13:18 |
zigo | Also, that'd be annoying for rescuing ... what would be the method? | 13:19 |
zigo | (especially for windows ...) | 13:19 |
opendevreview | Thomas Goirand proposed openstack/nova master: Python 3.13: crypt.crypt support is dropped https://review.opendev.org/c/openstack/nova/+/935512 | 14:30 |
tkajinam | zigo, I'm adding that utility for nova and ironic so let's use the oslo.utils implementation instead of pulling the same code to nova | 15:53 |
frickler | not sure if I've mentioned this here before, the reqs bump to latest jsonschema is failing due to nova and placement jobs breaking, maybe someone can take a look https://review.opendev.org/c/openstack/requirements/+/925059 | 20:00 |
sean-k-mooney | zigo: so file injection, on which password injection is based, has been deprecated for removal for a long time | 20:17 |
sean-k-mooney | zigo: we discussed this in the context of the crypt dependency and the fact that it is removed in py 3.13 | 20:17 |
sean-k-mooney | so while we may or may not be able to change from md5 to sha512 in this case | 20:17 |
sean-k-mooney | there is other technical debt with supporting password/file injection in general | 20:18 |
sean-k-mooney | for rescue you really should use cloud-init to set the password or use x509 or ssh keys | 20:19 |
sean-k-mooney | the only non-deprecated way to set the root password today | 20:20 |
sean-k-mooney | is to use the qemu guest agent to do that with an image that has that installed | 20:20 |
sean-k-mooney | which does not need that code path if I recall correctly but I have not looked at that in some time | 20:21 |
frickler | this also looks broken, might be due to latest sphinx, but I'm not sure why it would only affect nova and not most other projects https://zuul.opendev.org/t/openstack/builds?job_name=build-openstack-api-ref&project=openstack/nova | 20:46 |
opendevreview | melanie witt proposed openstack/nova master: tests: Functional reproducer for bug 2088831 https://review.opendev.org/c/openstack/nova/+/935565 | 21:24 |