Friday, 2016-09-09

[16:54] <simon-AS559> I spent most of today working on OSSN-0069 https://wiki.openstack.org/wiki/OSSN/OSSN-0069
[16:55] <jlk> I feel like this is a thing we discovered and changed a long time ago
[16:55] <simon-AS559> Tried on some instances (that were started under Kilo), and found that I could indeed talk to the hypervisor from the instance using IPv6 LL
[16:55] <simon-AS559> Yes, it is fixed in Liberty and above.
[16:55] <jlk> oh right, Dustin Lundquist. He's old Blue Box
[16:56] <jlk> you know, a date somewhere on an OSSN would be great
[16:56] <simon-AS559> We run Liberty now, but as I said, we still have instances that were started pre-Liberty where the issue can be exploited.
[16:57] <simon-AS559> True about the date! The announcement was sent yesterday (8 September) to some openstack mailing lists
[16:57] <simon-AS559> (not -operators though)
[16:58] <simon-AS559> The "Recommended Actions" section leaves something to be desired.
[16:59] <simon-AS559> I certainly cannot disable IPv6 globally on *all* interfaces in our installation.
[16:59] <simon-AS559> For example, all our RBD access is over IPv6.
[17:00] <simon-AS559> When you have the fixed code installed (for example because you have recent Liberty packages or better), new instances are safe...
[17:00] <simon-AS559> …and old instances can be made safe by live-migration
[17:00] <simon-AS559> …or you can manually disable IPv6 on the *RELEVANT* interfaces
[17:01] <jlk> so what we do is disable ipv6 by default, and then only enable ipv6 on the interfaces where we need ipv6
[17:01] <jlk> we turn ipv6 into a whitelist rather than a blacklist
[17:01] <jlk> The original bug was discovered and filed back in January.
[17:01] <simon-AS559> Yes
[17:02] <simon-AS559> As I said, I'm scared of turning off IPv6 by default.
[17:02] <simon-AS559> How/where do I need to turn it on again?
[17:02] <simon-AS559> This seems operationally risky.
[17:03] <simon-AS559> If people tell me that the disable_ipv6 is ignored whenever you specify IPv6 addresses (or "ipv6 dhcp") in /etc/network/interfaces, then OK.
[17:03] <simon-AS559> The code change is nice—make sure that IPv6 gets disabled on these funny bridge interfaces…
[17:04] <simon-AS559> There's even a Kilo backport, though it hasn't appeared in packages yet, at least not in Ubuntu Cloud Archive.
[17:05] <simon-AS559> Kilo backport: https://review.openstack.org/#/c/296659
[17:06] <jlk> Dustin can explain it better, but at least on Ubuntu there is a fairly easy way to define that a specific interface should have ipv6 on it
[17:18] <simon-AS559> jlk: Thanks. I really wish there would have been some guidance in the "Recommended Actions" section.
[17:19] <simon-AS559> As it is, it is completely useless for us: "IPv6 should remain disabled for each interface".
[17:19] <simon-AS559> It should remain disabled on the internal interfaces to tenant networks, but in our case it MUST NOT be disabled on the actual interfaces.
[17:20] <simon-AS559> Personally I tend towards the following approach:
[17:21] <simon-AS559> If you have Liberty or better, you are fine.
[17:21] <simon-AS559> If you have Kilo, install the backported patch!
[17:21] <simon-AS559> Then for instances that were created before the fix, either live-migrate each of them
[17:22] <simon-AS559> or run the following one-liner on each compute node (lightly tested, use at your own risk etc.)
[17:22] <simon-AS559> $ for x in `grep -l 0 /proc/sys/net/ipv6/conf/{qbr,qvo,qvb,tap}*/disable_ipv6`; do d=`dirname $x`; b=`basename $d`; echo 1 | sudo tee $x >/dev/null && echo "Disabled IPv6 on $b"; done
[17:22] <simon-AS559> (Review welcome)
[17:22] <simon-AS559> Probably you'd want to do something similar on the network node, but I'm not sure exactly (what).
[17:26] <simon-AS559> The goal should be that "ip -6 addr list" looks somewhat similar to "ip -4 addr list" (not the addresses, but the set of interfaces *with* addresses)
[17:26] <simon-AS559> (heading home now)
[17:30] <klindgren> yeah, the mitigation in that announcement is sorely lacking
