Tuesday, 2019-01-15

[00:00] ade_lee: redrobot, and of course, zuul appears to be down now ..
[01:20] *** whoami-rajat has joined #openstack-barbican
[04:11] *** dave-mccowan has quit IRC
[05:57] openstackgerrit: Merged openstack/barbican master: Workaround for failing gates  https://review.openstack.org/628667
[06:16] openstackgerrit: Douglas Mendizábal proposed openstack/barbican master: Fix Safenet HSM regression in PKCS#11  https://review.openstack.org/629294
[06:16] openstackgerrit: Douglas Mendizábal proposed openstack/barbican master: Add barbican-status upgrade check command framework  https://review.openstack.org/611574
[06:17] openstackgerrit: Douglas Mendizábal proposed openstack/barbican master: Remove tripleo newton and ocata jobs  https://review.openstack.org/619812
[06:17] openstackgerrit: Douglas Mendizábal proposed openstack/barbican master: PY3: Ensure normalize_before_encryption encodes b64payload  https://review.openstack.org/613324
[06:17] openstackgerrit: Douglas Mendizábal proposed openstack/barbican master: functionaltests: Add response headers to logging info  https://review.openstack.org/621262
[07:57] *** velizarx has joined #openstack-barbican
[08:48] *** graeb has joined #openstack-barbican
[09:00] *** graeb has quit IRC
[09:00] *** xek has joined #openstack-barbican
[09:00] *** graeb has joined #openstack-barbican
[09:06] *** graeb has quit IRC
[09:06] *** graeb has joined #openstack-barbican
[09:30] *** pcaruana has joined #openstack-barbican
[10:09] *** jaosorior has joined #openstack-barbican
[10:33] *** salmankhan has joined #openstack-barbican
[10:42] *** salmankhan has quit IRC
[10:42] *** salmankhan has joined #openstack-barbican
[10:46] *** salmankhan has quit IRC
[10:53] *** salmankhan has joined #openstack-barbican
[11:22] *** openstackgerrit has quit IRC
[11:32] *** marios has joined #openstack-barbican
[11:33] marios: o/ folks review request please if you have time https://review.openstack.org/#/c/628244/ replace the multinode  scenario job with the new standalone. More info at http://lists.openstack.org/pipermail/openstack-discuss/2019-January/001377.html thanks!
[11:53] *** ign0tus has joined #openstack-barbican
[11:59] jaosorior: marios: done
[12:02] marios: thanks jaosorior
[12:34] *** raildo has joined #openstack-barbican
[12:41] *** Luzi has joined #openstack-barbican
[12:53] *** gyee has joined #openstack-barbican
[13:01] redrobot: #startmeeting barbican
[13:01] openstack: Meeting started Tue Jan 15 13:01:41 2019 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
[13:01] openstack: Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
[13:01] *** openstack changes topic to " (Meeting topic: barbican)"
[13:01] openstack: The meeting name has been set to 'barbican'
[13:02] moguimar: back from lunch just in time =D
[13:03] redrobot: #topic Roll Call
[13:03] *** openstack changes topic to "Roll Call (Meeting topic: barbican)"
[13:03] redrobot: Courtesy ping for ade_lee hrybacki jamespage Luzi lxkong moguimar raildo rm_work xek
[13:03] redrobot: moguimar, nice
[13:04] redrobot: Sweet, let's get started
[13:04] redrobot: #topic Review action items from last week
[13:04] *** openstack changes topic to "Review action items from last week (Meeting topic: barbican)"
[13:05] graeb: I successfully tested patch for SafeNet HSM (see https://review.openstack.org/#/c/629294/). Thank you very much for the work!
[13:05] redrobot: graeb, awesome!  Glad we were able to unbreak you guys
[13:05] graeb: Nevertheless I would like to stress one more time, that I am thinking, that generation of PKEKs with attribute CKA_SENSITIVE set to false may decrease security. As redrobot in the last meeting already mentioned, PKEKs get wrapped immediately after generation. But if my code analysis is correct, PKEKs stay in HSM memory after generation with attribute CKA_SENSITIVE set to false and will be used that way until they get cleared out of the HSM's
[13:05] graeb: memory and need to be unwrapped again. Therefore setting the default for the new configuration parameter always_set_cka_sensitive to true was a good decision. Thanks again!
[13:05] redrobot: first action item:
[13:06] redrobot: redrobot to update the Barbican Wiki page
[13:06] redrobot: I did not do that
[13:06] redrobot: so let's punt
[13:06] redrobot: #action redrobot to update the Barbican Wiki page
[13:06] redrobot: Next: redrobot to ask alee about submitting the Barbican workshop to the next Summit
[13:06] redrobot: I did remind ade_lee that we've got the Summit CFP deadline coming up, but didn't ask about the workshop specifically
[13:06] redrobot: so punt!
[13:07] redrobot: #action redrobot to ask alee about submitting the Barbican workshop to the next Summit
[13:07] redrobot: graeb, I'll add an item to the agenda to talk about that
[13:07] graeb: redrobot, thx
[13:09] redrobot: ok, moving on
[13:09] redrobot: thanks Luzi and graeb for using the agenda etherpad
[13:09] redrobot: #topic Successfully tested regression fix patch for SafeNet HSM
[13:09] *** openstack changes topic to "Successfully tested regression fix patch for SafeNet HSM (Meeting topic: barbican)"
[13:10] redrobot: #link https://review.openstack.org/#/c/629294/
[13:10] *** openstackgerrit has joined #openstack-barbican
[13:10] openstackgerrit: Merged openstack/barbican master: Replace tripleo-scenario002-multinode with scenario002-standalone  https://review.openstack.org/628244
[13:10] graeb: I was too fast, sorry. First point already mentioned. Second is, we found a new bug:  "ERROR: _get_master_key() takes exactly 3 arguments (2 given)" when executing `barbican-manage hsm rewrap_pkek`
[13:11] redrobot: RE: graeb's concern above
[13:11] redrobot: Some HSMs actually require that CKA_SENSITIVE=False when CKA_EXTRACTABLE=True
[13:12] redrobot: The spec is not very clear on the relationship between the two
[13:12] graeb: Jep. Nothing we can do
[13:12] redrobot: hence the disagreement between what the Safenet HSM does and what these other HSMs are doing.
[13:12] redrobot: ok, moving on
[13:12] redrobot: #topic Bug "ERROR: _get_master_key() takes exactly 3 arguments (2 given)" when executing `barbican-manage hsm rewrap_pkek` (Luzi, graeb)
[13:12] *** openstack changes topic to "Bug "ERROR: _get_master_key() takes exactly 3 arguments (2 given)" when executing `barbican-manage hsm rewrap_pkek` (Luzi, graeb) (Meeting topic: barbican)"
[13:13] graeb: I think nothing more to say here?
[13:13] graeb: It's clearly a bug. Tested also with two different HSMs.
[13:14] Luzi: Safenet and Utimaco Soft HSM are the ones we test with
[13:15] redrobot: Yeah, sounds like we forgot to update wrap_pkek when we changed things to use configurable mechanisms
[13:15] redrobot: should be a straightforward fix
[13:15] redrobot: graeb, Luzi did y'all add a Story yet?
[13:16] Luzi: will do it, after the meeting
[13:16] graeb: luzi, thx
[13:16] *** mhen has joined #openstack-barbican
[13:17] redrobot: Luzi, thanks, please post the link in the IRC channel after you open it.  I'll see about getting that fixed
[13:17] Luzi: redrobot, okay :)
[13:18] redrobot: #action Luzi to add a new story to the Barbican Storyboard for the _get_master_key() error
[13:19] redrobot: #topic Why do we SHA256 HMAC over a wrapped PKEK?
[13:19] *** openstack changes topic to "Why do we SHA256 HMAC over a wrapped PKEK? (Meeting topic: barbican)"
[13:19] graeb: We have problems with an HSM (emulator) from Utimaco. If a new PKEK gets generated, Barbican computes a HMAC of the wrapped PKEK (and its initialization vector) using CKM_SHA256_HMAC. Barbican throws a traceback with error CKR_MECHANISM_INVALID. We are already in touch with Utimaco. One of their system engineers suggested to replace CKM_SHA256_HMAC by CKM_AES_MAC, which works. The problem now is, that the HMAC, that will be generated is just 64 bits
[13:19] graeb: long instead of 256 bits. So I was just wondering, whether Barbican becomes less secure because of that and what the reason for computing a HMAC of wrapped PKEKs actually is?
[13:22] redrobot: So, we calculate an HMAC to guarantee integrity of the data
[13:23] redrobot: e.g. an hmac would fail if the ciphertext for the PKEK becomes corrupted
[13:23] graeb: Ok, but why secure it with a key?
[13:24] graeb: For integrity reasons makes sense to me. But don't know why encrypting the signature.
[13:24] redrobot: So, HMAC does use a key
[13:25] redrobot: and the signature is not sensitive material
[13:25] redrobot: so there's no need to encrypt that
[13:27] mhen: so, the difference between 256 and 64 bit HMAC is only how frequent collisions are?
[13:27] mhen: (sorry for barging in suddenly)
[13:28] redrobot: I'm not 100% on how AES HMAC works
[13:28] redrobot: no worries mhen
[13:28] redrobot: we always appreciate input from smart folks
[13:28] *** dave-mccowan has joined #openstack-barbican
[13:29] graeb: So it's just a compatibility issue with Utimaco HSMs. What to do about it?
[13:30] redrobot: graeb, yeah, we'll need to make that HMAC wrap a configurable mechanism as well
[13:31] graeb: Sounds good. :-D Shall I add a story?
[13:32] redrobot: graeb, yes, please
[13:32] redrobot: #action graeb to add story for making HMAC Key Wrap mechanism configurable
[13:32] graeb: redrobot, thanks I will do after the meeting.
[13:32] redrobot: #topic Failing Gates
[13:32] *** openstack changes topic to "Failing Gates (Meeting topic: barbican)"
[13:32] redrobot: I'm sure you noticed the gates were failing all last week.
[13:33] redrobot: We ended up merging a workaround yesterday
[13:33] redrobot: #link https://review.openstack.org/#/c/628667/
[13:33] redrobot: To undo the workaround we're going to need to rewrite the paging/quota tests so that there are no race conditions when run in parallel
[13:34] *** gyee has quit IRC
[13:34] redrobot: We'll also need to figure out why grenade is failing
[13:35] redrobot: Maybe I should add some stories for those
[13:36] redrobot: #action redrobot to add stories for permanent fixes to the gate workarounds
[13:36] redrobot: We should be back in business now, so I'll be rebasing patches to get the patch backlog down
[13:37] redrobot: any questions about the workaround?
[13:38] redrobot: Ok, that's all the topics I had for today
[13:38] redrobot: any last minute topics y'all want to talk about?
[13:40] redrobot: I'm gonna take that as a no
[13:40] redrobot: thanks for coming everyone!
[13:40] *** openstack changes topic to "OpenStack PTG Denver - https://etherpad.openstack.org/p/barbican-stein-ptg"
[13:40] openstack: Meeting ended Tue Jan 15 13:40:49 2019 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
[13:40] openstack: Minutes:        http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-01-15-13.01.html
[13:40] openstack: Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-01-15-13.01.txt
[13:40] openstack: Log:            http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-01-15-13.01.log.html
[13:46] *** ade_lee has quit IRC
[13:47] *** ignaziocassano1 has joined #openstack-barbican
[13:47] ignaziocassano1: Please, anyone could post a heat stack example with octavia and barbican for creating a TLS-terminated HTTPS load balancer?
[13:50] *** velizarx has quit IRC
[13:56] *** raildo has quit IRC
[13:59] *** velizarx has joined #openstack-barbican
[14:03] *** raildo has joined #openstack-barbican
[14:12] *** mmethot has joined #openstack-barbican
[14:16] *** ignaziocassano1 has quit IRC
[14:36] *** moguimar has quit IRC
[14:36] *** moguimar has joined #openstack-barbican
[14:44] Luzi: I wrote the first story: https://storyboard.openstack.org/#!/story/2004779
[15:26] openstackgerrit: Douglas Mendizábal proposed openstack/barbican master: Remove tripleo newton and ocata jobs  https://review.openstack.org/619812
[15:37] *** abishop is now known as abishop|afk
[15:44] *** Luzi has quit IRC
[15:45] *** salmankhan has quit IRC
[15:48] *** velizarx has quit IRC
[15:57] *** moguimar has quit IRC
[15:59] *** moguimar has joined #openstack-barbican
[15:59] *** moguimar is now known as moguimar_afk
[16:04] *** salmankhan has joined #openstack-barbican
[16:21] *** ign0tus has quit IRC
[16:27] *** graeb has quit IRC
[16:40] *** prometheanfire has joined #openstack-barbican
[16:41] prometheanfire: can we get a release of python-barbicanclient for rocky and queens so they can get the UUID fixes (master also needs a release for the second UUID fix)
[16:41] *** ade_lee has joined #openstack-barbican
[16:44] redrobot: hi prometheanfire.  I'm pretty sure ade_lee is working on it.
[16:45] prometheanfire: ok, didn't see anything in the releases queue for it
[16:46] ade_lee: redrobot, what am I working on?
[16:47] redrobot: ade_lee, python-barbicanclient for rocky and queens
[16:47] prometheanfire: voluntold :D
[16:48] ade_lee: prometheanfire, yeah - I'
[16:48] ade_lee: I'll definitely get that out this week.
[16:49] ade_lee: now that the gates are flowing again ..
[16:49] openstackgerrit: Merged openstack/barbican master: Add barbican-status upgrade check command framework  https://review.openstack.org/611574
[16:49] openstackgerrit: Merged openstack/barbican master: PY3: Ensure normalize_before_encryption encodes b64payload  https://review.openstack.org/613324
[16:50] *** salmankhan has quit IRC
[16:50] *** salmankhan has joined #openstack-barbican
[17:06] ade_lee: dave-mccowan, redrobot if we can get a review on https://review.openstack.org/582705 please.  It's been sitting for a while
[17:09] jaosorior: ade_lee: commented.
[17:09] ade_lee: jaosorior, hey!
[17:19] *** abishop|afk is now known as abishop
[17:53] openstackgerrit: Merged openstack/barbican master: Imported Translations from Zanata  https://review.openstack.org/630488
[18:01] *** pcaruana has quit IRC
[18:04] *** salmankhan1 has joined #openstack-barbican
[18:07] *** salmankhan has quit IRC
[18:08] *** salmankhan1 has quit IRC
[18:35] openstackgerrit: Merged openstack/barbican master: Remove -u root as mysql is executed with root user  https://review.openstack.org/593403
[18:35] openstackgerrit: Merged openstack/barbican master: Remove tripleo newton and ocata jobs  https://review.openstack.org/619812
[18:49] openstackgerrit: Merged openstack/barbican master: functionaltests: Add response headers to logging info  https://review.openstack.org/621262
[19:43] ade_lee: redrobot, yay --- stuff merging ..
[19:44] ade_lee: redrobot, we gotta backport the dogtag/paging fix to rocky
[19:44] redrobot: ade_lee, 🎉🎉🎉
[19:44] ade_lee: redrobot, doing that now ..
[20:00] *** whoami-rajat has quit IRC
[20:03] ade_lee: redrobot, dave-mccowan --> https://review.openstack.org/#/c/631062 and https://review.openstack.org/#/c/631063/ please
[20:03] ade_lee: to unblock gates on queens and rocky
[20:12] ade_lee: dave-mccowan, we need your magic on the above reviews ..
[20:12] ade_lee: to unblock queens/rocky
[20:13] dave-mccowan: I subscribed.  I'll watch for the gate jobs to complete.  If I don't +2 right away, please ping me again when zuul finishes.
[20:21] ade_lee: dave-mccowan, might as well +2/W  -- if the gate jobs fail, it won't go through anyways -- and if they do, well - then we won't have to ping you.
[20:22] ade_lee: up to you though
[20:25] ade_lee: redrobot, whatever happened to https://review.openstack.org/#/c/388267/ ?
[20:27] redrobot: ade_lee, I was working on that right before I left the Rack.  Didn't get a chance to get it merged before I started the next gig.
[20:28] redrobot: ade_lee, I still think it would be a good idea... not sure how to make it backwards compatible though?
[20:29] redrobot: maybe deprecate the old names now? and wait a couple of cycles.  Add a warning like PIP did when they changed the column format? 🤔
[20:29] ade_lee: redrobot, ok - I just happened to see it's still around.
[20:30] ade_lee: redrobot, and wondered whether it needed to be abandoned ..
[20:31] ade_lee: but yeah, if we want it, we need to deprecate etc.
[20:32] redrobot: I changed it to WIP ... I still think it would make using the cli easier to use
[20:54] ade_lee: redrobot, ok
[21:02] openstackgerrit: Merged openstack/barbican master: Update Octavia co-gate for python3 first  https://review.openstack.org/625072
[21:03] ade_lee: redrobot, dave-mccowan any idea what's going on here -- https://review.openstack.org/#/c/622710/ ?
[21:09] redrobot: ade_lee, looking
[21:16] dave-mccowan: !!! UNABLE to load uWSGI plugin: ./python_plugin.so: cannot open shared object file: No such file ade_lee redrobot   in barbican-svc
[21:16] openstack: dave-mccowan: Error: "!!" is not a valid command.
[21:16] dave-mccowan: UNABLE to load uWSGI plugin: ./python_plugin.so: cannot open shared object file: No such file ade_lee redrobot   in barbican-svc
[21:17] redrobot: dave-mccowan, where are you seeing that?
[21:17] redrobot: I see this duplicate entry error http://logs.openstack.org/10/622710/1/check/castellan-functional-devstack/b221ee2/controller/logs/screen-barbican-svc.txt.gz#_Jan_15_17_48_42_546352
[21:18] *** whoami-rajat has joined #openstack-barbican
[21:18] dave-mccowan: maybe red herring?
[21:19] dave-mccowan: oh yea... we've seen the multiple rows thing before.
[21:19] ade_lee: dave-mccowan, maybe seems to say it can't load it - and goes ahead and does it ..
[21:19] ade_lee: we have?
[21:20] ade_lee: multiple threads trying to do db-init?
[21:20] ade_lee: db-sync ..
[21:23] *** salmankhan has joined #openstack-barbican
[21:24] *** xek has quit IRC
[21:26] openstack: Launchpad bug 1726378 in Barbican "MultipleResultsFound error in _find_or_create_kek_objects()" [High,Triaged]
[21:26] dave-mccowan: but, no fix
[21:28] ade_lee: dave-mccowan, that's right - I remember this now -- we end up just kicking it over and over till it worked ...
[21:30] ade_lee: dave-mccowan, not ideal - we should try to fix this ..
[21:43] ade_lee: dave-mccowan, redrobot seems to be rather a consistent problem in those tests to be some kind of timing thing ..
[21:43] ade_lee: at least in those tests ..
[21:44] ade_lee: dave-mccowan, incidentally , if you check zuul, the tests will pass - just waiting on the last non-voting gates
[21:44] ade_lee: for the two rocky/queens reviews
[21:48] ade_lee: ah I see -- the duplicate entry is on the project -- seems like we created two project entries through potentially a timing thing.
[21:49] ade_lee: that would affect all the secrets stored or generated for that project
[21:51] ade_lee: so the place we'd potentially need a lock is where we create the project entry
[21:58] *** raildo has quit IRC
[22:01] ade_lee: well - I suppose the same happens when you have a per-project resource like a PKEK
[22:21] *** mhen has quit IRC
[22:51] *** trident has joined #openstack-barbican
[23:16] ade_lee: dave-mccowan, gates up ..
[23:17] ade_lee: dave-mccowan, that is the gates CI jobs passed ..
[23:22] *** ade_lee has quit IRC
[23:47] *** whoami-rajat has quit IRC
[23:56] *** salmankhan has quit IRC
[23:59] *** ade_lee has joined #openstack-barbican
