| *** hamalq has quit IRC | 00:01 | |
|---|---|---|
| openstackgerrit | melissaml proposed openstack/oslo.versionedobjects master: Remove translation sections from setup.cfg https://review.opendev.org/728354 | 00:41 |
| *** rcernin has quit IRC | 01:27 | |
| *** rcernin has joined #openstack-oslo | 01:30 | |
| *** rcernin has quit IRC | 02:37 | |
| *** rcernin has joined #openstack-oslo | 03:37 | |
| openstackgerrit | melissaml proposed openstack/oslo.utils master: Fix pygments style https://review.opendev.org/733435 | 06:09 |
| openstackgerrit | melissaml proposed openstack/oslo.reports master: Fix pygments style https://review.opendev.org/733436 | 06:14 |
| openstackgerrit | melissaml proposed openstack/oslo.cache master: Fix pygments style https://review.opendev.org/733440 | 06:26 |
| openstackgerrit | melissaml proposed openstack/oslo.context master: Fix pygments style https://review.opendev.org/733441 | 06:34 |
| *** redrobot has quit IRC | 06:39 | |
| openstackgerrit | melissaml proposed openstack/oslo.privsep master: Fix pygments style https://review.opendev.org/733445 | 06:46 |
| openstackgerrit | melissaml proposed openstack/oslo.serialization master: Fix pygments style https://review.opendev.org/733447 | 06:50 |
| *** jaosorior has quit IRC | 07:00 | |
| openstackgerrit | melissaml proposed openstack/oslo.service master: Fix pygments style https://review.opendev.org/733452 | 07:01 |
| *** jaosorior has joined #openstack-oslo | 07:06 | |
| openstackgerrit | melissaml proposed openstack/oslo.tools master: Fix pygments style https://review.opendev.org/733455 | 07:15 |
| *** rcernin has quit IRC | 07:15 | |
| openstackgerrit | melissaml proposed openstack/oslo.db master: Fix pygments style https://review.opendev.org/733456 | 07:17 |
| *** rcernin has joined #openstack-oslo | 07:20 | |
| *** rcernin has quit IRC | 07:21 | |
| *** rcernin has joined #openstack-oslo | 07:21 | |
| openstackgerrit | melissaml proposed openstack/oslo.middleware master: Fix pygments style https://review.opendev.org/733458 | 07:25 |
| openstackgerrit | melissaml proposed openstack/oslo.messaging master: Fix pygments style https://review.opendev.org/733460 | 07:29 |
| *** ralonsoh has joined #openstack-oslo | 07:32 | |
| openstackgerrit | melissaml proposed openstack/oslo.policy master: Fix pygments style https://review.opendev.org/733463 | 07:32 |
| openstackgerrit | melissaml proposed openstack/oslo.reports master: Fix pygments style https://review.opendev.org/733468 | 07:41 |
| *** rcernin has quit IRC | 07:41 | |
| *** tosky has joined #openstack-oslo | 07:46 | |
| *** rpittau|afk is now known as rpittau | 07:50 | |
| openstackgerrit | melissaml proposed openstack/oslo.concurrency master: Fix pygments style https://review.opendev.org/733473 | 07:55 |
| openstackgerrit | melissaml proposed openstack/oslo.config master: Fix pygments style https://review.opendev.org/733474 | 08:02 |
| *** dtantsur|afk is now known as dtantsur | 08:13 | |
| openstackgerrit | Ildiko Vancsa proposed openstack/openstackdocstheme master: DNM - Cross-job to test changes with starlingxdocs theme https://review.opendev.org/733483 | 08:45 |
| *** tkajinam has quit IRC | 08:48 | |
| openstackgerrit | Ildiko Vancsa proposed openstack/openstackdocstheme master: DNM - Cross-job to test changes with starlingxdocs theme https://review.opendev.org/733483 | 09:08 |
| openstackgerrit | Ildiko Vancsa proposed openstack/openstackdocstheme master: DNM - Cross-job to test changes with starlingxdocs theme https://review.opendev.org/733483 | 09:31 |
| *** geguileo has quit IRC | 09:56 | |
| *** geguileo has joined #openstack-oslo | 09:58 | |
| *** rpittau is now known as rpittau|bbl | 10:02 | |
| *** hemna has quit IRC | 10:26 | |
| *** hemna has joined #openstack-oslo | 10:33 | |
| *** rpittau|bbl is now known as rpittau | 11:35 | |
| openstackgerrit | Ildiko Vancsa proposed openstack/openstackdocstheme master: DNM - Cross-job to test changes with starlingxdocs theme https://review.opendev.org/733483 | 11:36 |
| openstackgerrit | Ildiko Vancsa proposed openstack/openstackdocstheme master: DNM - Cross-job to test changes with starlingxdocs theme https://review.opendev.org/733483 | 11:42 |
| *** raildo has joined #openstack-oslo | 11:55 | |
| *** kgiusti has joined #openstack-oslo | 12:16 | |
| *** ianychoi_ has joined #openstack-oslo | 12:32 | |
| *** csatari_ has joined #openstack-oslo | 12:33 | |
| *** hemna_ has joined #openstack-oslo | 12:34 | |
| *** ralonsoh_ has joined #openstack-oslo | 12:34 | |
| *** dmellado_ has joined #openstack-oslo | 12:35 | |
| *** benj_- has joined #openstack-oslo | 12:36 | |
| *** zzzeek has quit IRC | 12:36 | |
| *** dmellado has quit IRC | 12:36 | |
| *** csatari has quit IRC | 12:36 | |
| *** hemna has quit IRC | 12:36 | |
| *** zigo has quit IRC | 12:36 | |
| *** csatari_ is now known as csatari | 12:36 | |
| *** benj_ has quit IRC | 12:36 | |
| *** tonyb has quit IRC | 12:36 | |
| *** ralonsoh has quit IRC | 12:36 | |
| *** elod has quit IRC | 12:36 | |
| *** ianychoi has quit IRC | 12:36 | |
| *** benj_- is now known as benj_ | 12:36 | |
| *** elod_ has joined #openstack-oslo | 12:37 | |
| *** dmellado_ is now known as dmellado | 12:37 | |
| *** zzzeek has joined #openstack-oslo | 12:38 | |
| *** zigo_ has joined #openstack-oslo | 12:46 | |
| *** tkajinam has joined #openstack-oslo | 13:02 | |
| *** Guest10631 has joined #openstack-oslo | 13:04 | |
| *** Guest10631 is now known as redrobot | 13:05 | |
| *** elod_ is now known as elod | 13:17 | |
| *** rpittau is now known as rpittau|brb | 13:24 | |
| *** ralonsoh_ is now known as ralonsoh | 14:00 | |
| ralonsoh | hi! I have a question about privsep. I'm trying to execute some methods using a privsep decorator | 14:00 |
| *** rpittau|brb is now known as rpittau | 14:01 | |
| ralonsoh | I'm decorating some "sysctl" commands, to define or to read some parameters | 14:01 |
| ralonsoh | but I found that, in my system, those commands succeed regardless of the linux cap I set | 14:01 |
| ralonsoh | for example, "sysctl -w net.ipv4.conf.all.send_redirects=1" is executed correctly with the "stack" user | 14:02 |
| ralonsoh | if I execute this in a shell, I have | 14:02 |
| ralonsoh | sysctl: permission denied on key 'net.ipv4.conf.all.send_redirects' | 14:02 |
| ralonsoh | can you guess what is wrong in my system? or why this is happening? | 14:03 |
| ralonsoh | btw, this is NOT happening in the CI | 14:03 |
| bnemec | ralonsoh: How are you configuring the priv_context? | 14:20 |
| ralonsoh | bnemec, very similar to the unique priv_context we have in Neutron | 14:21 |
| ralonsoh | this is the new one | 14:21 |
| ralonsoh | sysctl_cmd = priv_context.PrivContext( | 14:21 |
| ralonsoh | __name__, | 14:21 |
| ralonsoh | cfg_section='privsep', | 14:21 |
| ralonsoh | pypath=__name__ + '.sysctl_cmd', | 14:21 |
| ralonsoh | capabilities=[caps.CAP_SYS_ADMIN, # To be able to access to a namespace | 14:21 |
| ralonsoh | caps.CAP_NET_ADMIN] | 14:21 |
| ralonsoh | ) | 14:21 |
| ralonsoh | same as https://github.com/openstack/neutron/blob/master/neutron/privileged/__init__.py | 14:22 |
| bnemec | Are you expecting the sysctls to not work with those? CAP_SYS_ADMIN and CAP_NET_ADMIN are pretty permissive. | 14:24 |
| ralonsoh | bnemec, no no, I'm expecting sysctl to work with those ones | 14:25 |
| ralonsoh | bnemec, but I tried to delete them and add a trivial one, not related | 14:25 |
| ralonsoh | and the command is executed correctly | 14:25 |
| ralonsoh | for example, CAP_SYSLOG | 14:26 |
| bnemec | Ah. That sounds bad. :-( | 14:26 |
| ralonsoh | yeah... | 14:26 |
| ralonsoh | but I think this is something in my system | 14:26 |
| ralonsoh | because in my system all UTs passed | 14:26 |
| ralonsoh | but not in the CI | 14:26 |
| ralonsoh | (actually I'm executing sysctl commands in UTs by mistake) | 14:27 |
| ralonsoh | without the correct permissions | 14:27 |
| bnemec | Is this code available somewhere that I could try it? | 14:30 |
| ralonsoh | bnemec, yes, one sec | 14:34 |
| ralonsoh | bnemec, https://review.opendev.org/#/c/733250/ | 14:35 |
| ralonsoh | bnemec, if you use sysctl with a namespace (you have only CAP_NET_ADMIN), this should fail | 14:35 |
| openstackgerrit | Merged openstack/oslo.messaging stable/ussuri: Print warning message when connection running out https://review.opendev.org/731761 | 14:41 |
| openstackgerrit | Ben Nemec proposed openstack/oslo.privsep master: Add functional test for calling sysctl https://review.opendev.org/733633 | 14:44 |
| bnemec | ralonsoh: I can reproduce that behavior in a minimal functional test ^ | 14:44 |
| bnemec | I'm curious what that does in the gate. | 14:44 |
| bnemec | Oh wait, the functional tests don't run in the gate. :-/ | 14:45 |
| ralonsoh | bnemec, so is this method passing in your dev environment? | 14:45 |
| ralonsoh | hahaha | 14:45 |
| ralonsoh | bnemec, we can run this in Neutron CI | 14:45 |
| ralonsoh | I can push a patch to test this | 14:45 |
| bnemec | ralonsoh: Yeah, I'm seeing the same thing as you. I run it as a regular user in shell and it fails, but when I run it under privsep, even with minimal permissions, it works. | 14:46 |
| ralonsoh | uffff | 14:46 |
| bnemec | I wonder if it's because of subprocess. | 14:46 |
| bnemec | That would spawn a new process as root, but it won't drop capabilities because it isn't a privsep process. | 14:47 |
| ralonsoh | bnemec, btw, I'm wrapping processutils.execute | 14:47 |
| bnemec | Yeah, that calls subprocess under the covers. | 14:47 |
| ralonsoh | I thought that was calling popen | 14:48 |
| ralonsoh | you are right | 14:48 |
| ralonsoh | obj = subprocess.Popen(cmd, ... | 14:48 |
| *** Luzi has joined #openstack-oslo | 15:05 | |
| *** Luzi has quit IRC | 15:05 | |
| bnemec | Okay, it's not subprocess. I get the same thing if I write directly to /proc/sys/net/ipv4/conf/all/send_redirects in-process. | 15:08 |
| ralonsoh | right, and just writing a file | 15:12 |
| bnemec | I wonder if it's because that's just a file operation so all it checks is the file permissions. | 15:15 |
| ralonsoh | bnemec, but not under /proc/sys | 15:16 |
| openstackgerrit | Hervé Beraud proposed openstack/oslo.service master: [WIP] Fix SSL tests for wsgi module under python 3 https://review.opendev.org/730884 | 15:18 |
| bnemec | Hmm, interesting. If I create a file in /root, I can write to it even with no capabilities. But I can't create the file if it doesn't already exist. | 15:20 |
| ralonsoh | I've tried with capsh with no luck | 15:21 |
| ralonsoh | I can't test it in my dev env | 15:22 |
| ralonsoh | just to check what caps I need for any operation | 15:22 |
| openstackgerrit | Ben Nemec proposed openstack/oslo-specs master: policy: Migrate Default Policy Format from JSON to YAML https://review.opendev.org/733650 | 15:49 |
| openstackgerrit | Hervé Beraud proposed openstack/oslo.service master: [WIP] Fix SSL tests for wsgi module under python 3 https://review.opendev.org/730884 | 15:52 |
| openstackgerrit | Hervé Beraud proposed openstack/oslo.service master: [WIP] Fix SSL tests for wsgi module under python 3 https://review.opendev.org/730884 | 15:53 |
| openstackgerrit | Ben Nemec proposed openstack/oslo-specs master: policy: Migrate Default Policy Format from JSON to YAML https://review.opendev.org/733650 | 16:00 |
| *** tkajinam has quit IRC | 16:05 | |
| *** ebbex has joined #openstack-oslo | 16:14 | |
| *** hamalq has joined #openstack-oslo | 16:18 | |
| *** hamalq has quit IRC | 16:18 | |
| *** hamalq has joined #openstack-oslo | 16:19 | |
| *** rpittau is now known as rpittau|afk | 16:31 | |
| *** dtantsur is now known as dtantsur|afk | 16:33 | |
| *** pmatulis has quit IRC | 16:49 | |
| *** pmatulis has joined #openstack-oslo | 16:49 | |
| *** moguimar has quit IRC | 17:47 | |
| *** ralonsoh has quit IRC | 18:07 | |
| *** raildo has quit IRC | 22:18 | |
| *** dougwig has quit IRC | 22:35 | |
| *** samueldmq has quit IRC | 22:35 | |
| *** dawzon has quit IRC | 22:35 | |
| *** csatari has quit IRC | 22:35 | |
| *** jungleboyj has quit IRC | 22:35 | |
| *** knikolla has quit IRC | 22:36 | |
| *** rpittau|afk has quit IRC | 22:36 | |
| *** mnaser has quit IRC | 22:36 | |
| *** larainema has quit IRC | 22:36 | |
| *** jberg-dev has quit IRC | 22:36 | |
| *** mnasiadka has quit IRC | 22:37 | |
| *** gagehugo has quit IRC | 22:37 | |
| *** andrewbogott has quit IRC | 22:37 | |
| *** Nizars has quit IRC | 22:37 | |
| *** TheJulia has quit IRC | 22:37 | |
| *** jberg-dev has joined #openstack-oslo | 22:37 | |
| *** gagehugo has joined #openstack-oslo | 22:37 | |
| *** jrosser has quit IRC | 22:37 | |
| *** johnsom has quit IRC | 22:37 | |
| *** gmann has quit IRC | 22:37 | |
| *** vdrok has quit IRC | 22:37 | |
| *** rm_work has quit IRC | 22:38 | |
| *** larainema has joined #openstack-oslo | 22:38 | |
| *** Nizars has joined #openstack-oslo | 22:38 | |
| *** gmann has joined #openstack-oslo | 22:38 | |
| *** dougwig has joined #openstack-oslo | 22:38 | |
| *** knikolla has joined #openstack-oslo | 22:39 | |
| *** andrewbogott has joined #openstack-oslo | 22:39 | |
| *** mnasiadka has joined #openstack-oslo | 22:39 | |
| *** csatari has joined #openstack-oslo | 22:39 | |
| *** dawzon has joined #openstack-oslo | 22:40 | |
| *** jrosser has joined #openstack-oslo | 22:41 | |
| *** mnaser has joined #openstack-oslo | 22:41 | |
| *** TheJulia has joined #openstack-oslo | 22:41 | |
| *** johnsom has joined #openstack-oslo | 22:43 | |
| *** rcernin has joined #openstack-oslo | 22:48 | |
| *** rm_work has joined #openstack-oslo | 22:51 | |
| *** jungleboyj has joined #openstack-oslo | 22:53 | |
| *** vdrok has joined #openstack-oslo | 22:54 | |
| *** tkajinam has joined #openstack-oslo | 22:56 | |
| *** samueldmq has joined #openstack-oslo | 23:02 | |
| *** rpittau|afk has joined #openstack-oslo | 23:04 | |
| *** hamalq has quit IRC | 23:22 | |
| *** tosky has quit IRC | 23:35 | |
| *** rcernin has quit IRC | 23:49 | |