Wednesday, 2016-08-10

-openstackstatus- NOTICE: zuul is being restarted to reload configuration. Jobs should be re-enqueued but if you're missing anything (and it's not on please issue a recheck in 30min. 05:23
jaosorior alee: ping 13:20
alee jaosorior, yo 13:20
jaosorior alee: Hey dude, I did the missing stuff from the barbican integration to tripleo 13:21
jaosorior we need an RPM for puppet-barbican 13:21
alee jaosorior, hey - I see you did some stuff :) 13:21
jaosorior once that's done we can get it working in CI 13:21
alee jaosorior, catching up on what you've done .. looks great :) 13:22
alee jaosorior, is the absence of the rpm the reason the centos 7 gate fails? 13:23
jaosorior alee: yes 13:25
alee jaosorior, nice work , dude! 13:25
jaosorior alee: It can't find the ::barbican puppet class because there is no RPM 13:25
jaosorior alee: we can test it locally without the RPM though. But yeah, just a heads up that it will be needed anyway 13:25
alee jaosorior, ok -- do you know where the spec files for the puppet modules live? 13:26
alee jaosorior, we should be able to whip one together pretty quick 13:26
jaosorior alee: No but I can figure that out 13:26
jaosorior can you log into the #tripleo channel? 13:27
alee jaosorior, yup -- joining 13:27
tinwood hello. I'd like to ask what HSMs the barbican project is developing against?  I tried to integrate SoftHSM2 (as an example) but ran into an OpenSSL < 1.0.2h issue on Ubuntu Xenial (16.04) which is missing an AES_WRAP_PAD function.  Thanks. 14:00
woodster_ redrobot: alee jaosorior ^^^^ Rackspace is using safenet HSMs. The default plugin is an insecure one. Redhat uses Dogtag. Are you guys aware of folks using softHSMs? 14:04
tinwood Thanks woodster_ 14:05
jaosorior woodster_: no idea dude. should be possible I guess if the softHSM supports PKCS11 14:05
jaosorior tinwood: I recommend Dogtag though :D 14:05
tinwood jaosorior, woodster_ SoftHSM2 isn't able to work yet (on Ubuntu anyway) as the OpenSSL library is 1.0.2g and that's missing the WRAP_PAD function that eventually asks for. 14:05
tinwood so safenet and dogtag atm/so far? 14:06
woodster_ tinwood: is there a workaround? It'd be good to have that available 14:07
jaosorior or ping canonical to update? 14:07
woodster_ tinwood: there is also KMIP support 14:08
tinwood woodster_, I filed a bug 1611393 for it.  (disclaimer - I work for Canonical in the Openstack charms team) 14:08
openstack bug 1611393 in OpenStack Barbican SoftHSM Charm "barbican + SoftHSM2 + openssl-1.0.2g missing EVP_aes_128_wrap_pad()" [Undecided,New]
woodster_ tinwood: ah cool 14:09
woodster_ tinwood: we've considered using softHSM in a gate job in the past 14:09
tinwood woodster_, jaosorior what we'd really like to do is to set it up in our lab with a real HSM as that's what actual customers would do; hence my query on what's being used in anger. 14:10
tinwood woodster_, I also ran into an interesting configuration problem that required "WSGIApplicationGroup %{GLOBAL}" in the barbican-api.conf file - it was to do with uwsgi and sub-interpreters + the C bindings to the library. 14:11
jaosorior alee ^^ Know anything about that? 14:12
woodster_ tinwood: redrobot would be able to give details on safenet, but the recent PKCS11 plugin changes have been in support of that 14:16
woodster_ tinwood: we also use gunicorn internally now fwiw 14:17
jaosorior we use apache 14:17
* woodster_ don't recall reason for switch 14:17
tinwood woodster_, jaosorior I think we pull the debian packages, test them.  They are Apache + WSGI (I think my uwsgi comment is in error). 14:19
tinwood woodster_, jaosorior anyway, thanks for the info on HSMs - we're definitely keen to get something set up, so we'll be testing with Barbican going forward. 14:20
jaosorior nice! :D 14:22
woodster_ That is nice, thanks! 14:24
diazjf tinwood, I tried getting SoftHSM to work a while ago with no success. I think I will continue to work on it during the midcycle. 17:03
diazjf tinwood, SoftHSMv2 would be great to integrate to a gate for testing, but shouldn't be used in Prod 17:04
diazjf alee, could you point me towards the triple-o barbican integration items, I'd like to take a look 17:04
*** diazjf1 has joined #openstack-barbican 17:13
*** diazjf1 has quit IRC 17:15
*** diazjf has quit IRC 17:16
*** diazjf has joined #openstack-barbican 18:22
*** catintheroof has quit IRC 18:34
alee diazjf,  and
diazjf alee, awesome thanks! 18:39
alee diazjf, np 18:39
*** diazjf has joined #openstack-barbican 19:39
*** diazjf has quit IRC 19:48
*** diazjf has joined #openstack-barbican 20:27
*** diazjf has quit IRC 20:37
*** diazjf has joined #openstack-barbican 20:39
*** michauds has joined #openstack-barbican 20:40
openstackgerrit Arun Kant proposed openstack/barbican: Checking barbican resource id in URI is a valid uuid
