Friday, 2016-06-24

[00:00] *** adu has quit IRC
[00:05] *** adu has joined #openstack-swift
[00:12] *** rcernin has quit IRC
[00:12] <clayg> oh *yeah* "ValueError: encryption_root_secret option in proxy-server.conf must be a base64 encoding of at least 32 raw bytes" <- what section?
[00:14] <notmyname> com'on gerrit. tell me the differences between this patch set and the last, but not the stuff that was added in the dependent patch
[00:15] <clayg> notmyname: timur says that if gerrit doesn't have the right diff it's the patch author's fault
[00:15] <notmyname> yeah, he told me that too. but I don't think he's right in this case
[00:16] <clayg> i blame #brexit
[00:16] <notmyname> I want to know the differences in patch sets N-1 and N in encryption-M, but not the new things that were added in the latest patch set in encryption-{M-1}
[00:17] <notmyname> that's probably already a git command. `git diff --do-what-i-mean`
[00:17] <clarkb> seems like we have had this conversation before :) it's actually not super trivial to do right but you can interdiff <$(git show patchset1) <$(patchset2) to approximate something that works
[00:17] <clarkb> er git show patchset2
[00:18] <notmyname> before? like when EC landed? ;-)
[00:18] <notmyname> oh, yeah, that does sound familiar
[00:18] <clarkb> basically "pretty close" is easy. "Correct" for some version of "Correct" is harder
[00:19] <notmyname> close counts in horseshoes, hand grenades, and git diffs?
[00:20] *** vinsh has quit IRC
[00:20] *** vinsh has joined #openstack-swift
[00:22] *** lyrrad has quit IRC
[00:25] <clayg> notmyname: vsaio has a thing like -> command "git clone -b #{node['swift_repo_branch']} #{node['swift_repo']}"
[00:25] <clayg> I had been doing export SWIFT_REPO_BRANCH=feature/crypto
[00:25] <clayg> is there a thing you can put after the -b when cloning that will give you patch 328209?
[00:25] <patchbot> clayg: https://review.openstack.org/#/c/328209/ - swift (feature/crypto-review) - Add encryption overview doc
[00:25] <clayg> notmyname: or at a minimum - is it like feature/crypto-review or something now?
[00:26] <clarkb> clayg: && git review -d 328209 or fetch and checkout FETCH_HEAD
[00:26] <notmyname> I'd been using `git review -d <num>`
[00:26] <notmyname> isn't there a syntax that can give you a patch set there?
[00:26] <clarkb> yes change,ps
[00:27] <clarkb> if you drop the ,ps you get the latest ps
[00:27] <clayg> clarkb: notmyname: yeah so... not a branch?  oh...
[00:35] *** welldannit has quit IRC
[00:38] *** daemontool has quit IRC
[00:45] *** Suyash has quit IRC
[00:53] <kota_> good morning.
[00:57] *** StraubTW has joined #openstack-swift
[01:00] <clayg> oh good point -> Note These container sync configuration steps will be necessary for container sync probe tests to pass if encryption middleware is included in the proxy pipeline of a test cluster.
[01:01] *** diogogmt has quit IRC
[01:03] <clayg> timburke: why not content-type again?
[01:05] <clayg> timburke: are we *sure* we encrypt customer user metadata names?  just the values yeah?
[01:09] <clayg> what is this?  In [8]: urllib.unquote('%7B%22body_key%22%3A+%7B%22iv%22%3A+%22NUnKj%2BU938ynzc%2F01Y0eFg%3D%3D%22%2C+%22key%22%3A+%224cImIJrB3OljN%2BjbNUppU5bnYapkxNqjzwKetSLr%2FbA%3D%22%7D%2C+%22cipher%22%3A+%22AES_CTR_256%22%2C+%22iv%22%3A+%22yECbKJ5zS2v6Ck91QSS%2BQQ%3D%3D%22%2C+%22key_id%22%3A+%7B%22path%22%3A+%22L0FVVEhfdGVzdC90ZXN0L3Rlc3Q%3D%22%2C+%22v%22%3A+%221%22%7D%7D')
[01:09] <clayg> Out[8]: '{"body_key":+{"iv":+"NUnKj+U938ynzc/01Y0eFg==",+"key":+"4cImIJrB3OljN+jbNUppU5bnYapkxNqjzwKetSLr/bA="},+"cipher":+"AES_CTR_256",+"iv":+"yECbKJ5zS2v6Ck91QSS+QQ==",+"key_id":+{"path":+"L0FVVEhfdGVzdC90ZXN0L3Rlc3Q=",+"v":+"1"}}'
[01:09] <clayg> i don't think those +'s are supposed to be there in that json output
[01:09] <clayg> er.. json *looking* output
[01:12] <clayg> unquote_*plus* !?
[01:12] <clayg> noice
[01:16] *** Jeffrey4l has joined #openstack-swift
[01:22] *** zul has quit IRC
[01:22] *** zul_ has joined #openstack-swift
[01:31] *** tqtran has quit IRC
[01:32] *** Suyash has joined #openstack-swift
[01:33] *** cebreidian has quit IRC
[01:51] <clayg> it's really not that bad
[01:54] *** baojg has joined #openstack-swift
[02:20] <jrichli> what's this?  clayg is doing crypto!  Yay!  I have so much scrollback to read!
[02:29] *** tqtran has joined #openstack-swift
[02:34] *** tqtran has quit IRC
[02:49] <jrichli> clayg: why not encrypt content-type?  We decided to de-scope that when there were challenges to implementing multi-range GETs and there were predicted challenges to fast-post changing content-type.
[02:50] <jrichli> crypto reviews : don't forget there are some questions for us to answer in the crypto-review questions column of https://trello.com/b/63l5zQhq/swift-encryption
[02:51] *** gyee has quit IRC
[02:52] <jrichli> s/reviews/reviewers/
[02:53] *** ChubYann has quit IRC
[02:57] <jrichli> acoles notmyname: we will need the gate changes that will allow for a crypto gate when it is no longer in the default proxy pipeline
[02:58] <jrichli> I started looking at that with the suggestions acoles had given me.  But I have questions.  It's on my list.
[03:18] *** StraubTW has quit IRC
[03:34] *** rcernin has joined #openstack-swift
[03:37] <openstackgerrit> jingtao liang proposed openstack/swift: Make string.letters PY3 compatible  https://review.openstack.org/333712
[03:38] <openstackgerrit> zhangguoqing proposed openstack/swift: Fix Python 3 issues  https://review.openstack.org/333713
[03:44] *** jkothari has joined #openstack-swift
[03:50] *** baojg has quit IRC
[03:52] *** baojg has joined #openstack-swift
[04:23] *** klrmn has quit IRC
[04:30] *** ppai has joined #openstack-swift
[04:31] *** tqtran has joined #openstack-swift
[04:34] *** dmorita has quit IRC
[04:35] *** tqtran has quit IRC
[04:36] *** dmorita has joined #openstack-swift
[04:36] *** psachin has joined #openstack-swift
[04:37] *** links has joined #openstack-swift
[04:40] *** dmorita has quit IRC
[04:43] *** SkyRocknRoll has joined #openstack-swift
[04:50] *** links has quit IRC
[04:50] *** links has joined #openstack-swift
[04:51] *** Suyash has quit IRC
[05:21] *** adu has quit IRC
[05:25] *** links has quit IRC
[05:35] *** rcernin has quit IRC
[05:39] *** links has joined #openstack-swift
[05:45] *** sheel has quit IRC
[05:48] *** zaitcev has quit IRC
[05:49] <mahatic_> timburke: this answer assures (with reference to wikipedia analysis) that aes 256 should be more than good - http://crypto.stackexchange.com/questions/870/how-does-one-scale-encryption-strength-upwards-from-256-bit
[05:51] <mahatic_> notmyname: acoles_: maybe US and UK should borrow some of these https://en.wikipedia.org/wiki/Indian_voting_machines ;)
[05:56] *** baojg has quit IRC
[06:02] *** geaaru has joined #openstack-swift
[06:05] *** links has quit IRC
[06:11] *** rcernin has joined #openstack-swift
[06:18] *** links has joined #openstack-swift
[06:18] *** baojg has joined #openstack-swift
[06:19] *** nadeem has joined #openstack-swift
[06:22] *** baojg_ has joined #openstack-swift
[06:23] *** baojg has quit IRC
[06:27] <timburke> mahatic_: my thought was less to do with having a 512-bit key because we want a 512-bit key, and more to do with using sha512 instead of sha256 because Reasons. i'd be hesitant to use sha512 and then throw out half the bits, which means incorporating them somehow
[06:27] <openstackgerrit> jingtao liang proposed openstack/swift: Make string.letters PY3 compatible  https://review.openstack.org/333712
[06:31] *** baojg_ has quit IRC
[06:31] <mahatic_> timburke: oic. sha512 also happens to be faster on 64-bit OS. Someone also has results - http://crypto.stackexchange.com/questions/26336/sha512-faster-than-sha256
[06:32] <timburke> huh. interesting
[06:32] *** tqtran has joined #openstack-swift
[06:32] <mahatic_> timburke: also, it doesn't look like cryptography package supports 3aes https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/
[06:33] <timburke> mahatic_: hi, by the way! i rarely get to talk to you on account of timezones!
[06:33] <mahatic_> timburke: heh yes, indeed. hello! :)
[06:35] *** baojg has joined #openstack-swift
[06:37] *** tqtran has quit IRC
[06:37] <mahatic_> timburke: I've also become less of an insomniac these days, so not so much of hanging around in the midnight (my time)
[06:37] *** links has quit IRC
[06:37] <timburke> meanwhile my wife just left for a trip, so my insomnia's just ramping up :-)
[06:38] <mahatic_> haha. I thought with a toddler insomnia is always lurking around
[06:40] <timburke> nah, she sleeps well. occasionally might wake up in the middle of the night, but she'll mostly put herself back to sleep these days
[06:43] *** jmccarthy has quit IRC
[06:44] <mahatic_> great, that's a well sorted toddler!
[06:44] *** jmccarthy has joined #openstack-swift
[06:49] *** links has joined #openstack-swift
[06:54] *** baojg has quit IRC
[06:57] *** tesseract- has joined #openstack-swift
[07:07] *** baojg has joined #openstack-swift
[07:13] *** rledisez has joined #openstack-swift
[07:23] *** baojg has quit IRC
[07:26] *** hseipp has joined #openstack-swift
[07:33] *** ouchkernel has quit IRC
[07:38] *** ouchkernel has joined #openstack-swift
[07:53] <openstackgerrit> Victor Stinner proposed openstack/swift: Python 3: fix dict.values()[0]  https://review.openstack.org/333303
[07:59] *** rcernin has quit IRC
[07:59] *** nadeem has quit IRC
[08:10] <openstackgerrit> Davanum Srinivas (dims) proposed openstack/swift: [WIP] Testing latest u-c  https://review.openstack.org/318441
[08:12] <openstackgerrit> jingtao liang proposed openstack/swift: Make string.letters PY3 compatible  https://review.openstack.org/333712
[08:13] <rfeusi> I need help for a 2 DC swift cluster architecture with minimal node number. Can someone give me a hint?
[08:14] <openstackgerrit> YaoZheng proposed openstack/swift: make print python3 compatible  https://review.openstack.org/333801
[08:16] *** cbartz has joined #openstack-swift
[08:17] *** dmk0202 has joined #openstack-swift
[08:17] *** daemontool has joined #openstack-swift
[08:20] *** mingyu has joined #openstack-swift
[08:21] *** acoles_ is now known as acoles
[08:23] *** mmcardle has joined #openstack-swift
[08:35] *** baojg has joined #openstack-swift
[08:36] *** ppai has quit IRC
[08:46] *** d0ugal has quit IRC
[08:46] *** d0ugal has joined #openstack-swift
[08:46] *** d0ugal has quit IRC
[08:46] *** d0ugal has joined #openstack-swift
[08:49] *** ppai has joined #openstack-swift
[08:51] *** baojg has quit IRC
[08:52] *** SkyRocknRoll_ has joined #openstack-swift
[08:52] *** SkyRocknRoll_ has quit IRC
[08:59] *** jordanP has joined #openstack-swift
[09:02] *** mingyu has quit IRC
[09:03] *** mingyu has joined #openstack-swift
[09:32] *** ppai has quit IRC
[09:34] *** baojg has joined #openstack-swift
[09:45] *** ppai has joined #openstack-swift
[09:51] *** kei_yama has quit IRC
[09:53] *** kei_yama has joined #openstack-swift
[09:55] *** kei_yama has quit IRC
[09:57] <kota_> agh, slower reviews than I estimated.
[09:58] <kota_> acoles: sorry, I'm at the beginning of encryption-3 yet but it seems awesome because it saves also swift3 work :)
[09:58] <kota_> acoles: I'm going to dinner and will attend the teleconf since UTC 1:30 pm.
[09:59] <acoles> kota_: great
[09:59] <acoles> kota_: always good to hear that some work is useful for more than one thing
[10:00] <acoles> kota_: that teleconf will be late for you, sorry!
[10:01] <kota_> acoles: not so late actually, probably similar with your (and Christian's) weekly meeting time :)
[10:02] * kota_ is leaving to go dinner
[10:09] *** pcaruana has joined #openstack-swift
[10:20] *** baojg has quit IRC
[10:27] *** haypo has joined #openstack-swift
[10:32] *** baojg has joined #openstack-swift
[10:36] <openstackgerrit> YaoZheng proposed openstack/swift: make print python3 compatible  https://review.openstack.org/333801
[10:41] *** baojg has quit IRC
[11:34] *** tqtran has joined #openstack-swift
[11:35] *** cdelatte has joined #openstack-swift
[11:37] *** jordanP has quit IRC
[11:39] *** tqtran has quit IRC
[12:00] *** jkothari is now known as janonymous
[12:00] *** ppai has quit IRC
[12:04] *** rcernin has joined #openstack-swift
[12:14] *** ppai has joined #openstack-swift
[12:15] *** jordanP has joined #openstack-swift
[12:20] *** ppai has quit IRC
[12:36] *** psachin has quit IRC
[12:38] *** psachin has joined #openstack-swift
[12:44] *** zul_ is now known as zul
[12:50] *** janonymous has quit IRC
[12:51] *** vinsh has quit IRC
[12:51] *** vinsh has joined #openstack-swift
[12:56] *** silor has joined #openstack-swift
[13:00] *** links has quit IRC
[13:02] *** tsg has joined #openstack-swift
[13:07] <notmyname> good morning
[13:07] *** vinsh_ has joined #openstack-swift
[13:07] *** vinsh has quit IRC
[13:12] *** StraubTW has joined #openstack-swift
[13:14] <mahatic_> notmyname: good morning
[13:15] <timburke> morning
[13:17] <kota_> good morning notmyname, timburke
[13:24] *** silor1 has joined #openstack-swift
[13:24] *** SkyRocknRoll has quit IRC
[13:25] <pdardeau> good morning
[13:25] *** silor has quit IRC
[13:25] *** silor1 is now known as silor
[13:26] <kota_> pdardeau: \o/
[13:26] <pdardeau> hi kota!
[13:26] <notmyname> oh, hi pdardeau
[13:27] <pdardeau> hi notmyname. you're here early
[13:28] <notmyname> just couldn't stay away ;-)
[13:29] <pdardeau> notmyname: is it excitement from brexit or crypto (or both)?
[13:29] <notmyname> crypto :-)
[13:31] *** dmk0202 has quit IRC
[13:35] <torgomatic> hooray early stuff :|
[13:35] *** dmorita has joined #openstack-swift
[13:39] *** dmorita has quit IRC
[13:40] *** dmellado_ is now known as dmellado
[13:42] <cbartz> https://review.openstack.org/#/c/333331/ anyone quick feedback?
[13:42] <patchbot> cbartz: patch 333331 - swift - Preserve query params in tempurl
[13:56] *** jordanP has quit IRC
[13:58] *** tsg has quit IRC
[14:00] *** ametts has joined #openstack-swift
[14:06] *** diogogmt has joined #openstack-swift
[14:14] <acoles> i almost got to say good morning while it was still morning
[14:14] <notmyname> :-)
[14:15] <acoles> maybe the uk will shift timezones as a symbolic gesture of separation
[14:16] <tdasilva> acoles: is the call over? my internet connection dropped at home :(
[14:16] <acoles> tdasilva: it is
[14:16] <tdasilva> acoles: ok
[14:16] <acoles> tda sorry, git you get to hear any of it?
[14:16] <acoles> s/git/did/
[14:16] <pdardeau> acoles: splitters
[14:17] <acoles> heh
[14:17] <tdasilva> yeah, I was there for I think the first 30 min, then lost connection
[14:17] <pdardeau> :1
[14:17] <pdardeau> tabfail
[14:18] <acoles> tdasilva: we decided (tentatively) that using a MAC would at least be easier to document (since it's not violating any best practice)
[14:19] <jrichli> using the md5 itself as the iv was a separate idea, right?
[14:19] <jrichli> I sorta prefer that one.  I will have to think more about the MAC approach.
[14:19] <mahatic_> yeah without the hexdigest i believe
[14:20] <openstackgerrit> Alistair Coles proposed openstack/swift: Enable middleware to set metadata on object POST  https://review.openstack.org/328206
[14:20] <openstackgerrit> Alistair Coles proposed openstack/swift: Allow middleware to override metadata header checking  https://review.openstack.org/328207
[14:20] <openstackgerrit> Alistair Coles proposed openstack/swift: Enable object body and metadata encryption  https://review.openstack.org/328208
[14:20] <jrichli> I am on board with encrypting without the hexdigest.
[14:20] <openstackgerrit> Alistair Coles proposed openstack/swift: Add encryption overview doc  https://review.openstack.org/328209
[14:20] <mahatic_> although I'm not sure of the cons of using md5 alone for encryption
[14:21] <jrichli> but if we have just a MAC of the md5 as the backend-is-at, doesn't that get stored on disk?  and then you have a hash of a plaintext md5 on disk.
[14:21] <jrichli> am I wrong?
[14:21] <mahatic_> if there aren't any, that seems simpler and more comprehensible (in current context) and less changes maybe (?)
[14:22] <jrichli> cca said that it is a "message locked encryption" scheme, so I think that is an accepted thing to do.  as he said, the thing is, you have to have the message in order to unlock.  which we do
[14:22] <acoles> That is today's update to crypto-review - not a huge amount of change, mostly in patch 328208 where I made the changes to the iv offset calculation
[14:22] <patchbot> acoles: https://review.openstack.org/#/c/328208/ - swift (feature/crypto-review) - Enable object body and metadata encryption
[14:22] <torgomatic> so, what, HMAC(key + etag, etag) is what gets stored? seems sane to me
[14:23] <jrichli> i guess i am just thinking: we are encrypting the md5 hash because we are saying that a hash needs to be protected.
[14:24] <jrichli> but we are claiming now that the HMAC in the clear does not reveal info about the message
[14:24] <acoles> torgomatic: yes, something like that. store it under x-object-sysmeta-blah, set x-backend-etag-is-at to blah, and then use a random iv to encrypt the value we already store in x-object-sysmeta-crypto-etag
[14:25] <torgomatic> acoles: 👍
[14:25] <acoles> torgomatic: where the value of 'blah' is to be determined by committee ;)
[14:25] <torgomatic> sounds good to me before coffee, at least ;)
[14:26] <acoles> jrichli: I'll write it in etherpad, then the rest of you can find the flaws
[14:27] <mahatic_> :)
[14:28] <jrichli> acoles: ok, thx
[14:29] <mahatic_> acoles: thanks!
[14:31] <acoles> jrichli: I'm assuming a cryptographically strong hash for the HMAC. maybe there is another function that would suffice, idk.
[14:32] *** joeljwright has joined #openstack-swift
[14:32] *** ChanServ sets mode: +v joeljwright
[14:33] *** psachin has quit IRC
[14:33] <jrichli> acoles: but it still reveals when two things are equal, right?
[14:40] *** admin6 has quit IRC
[14:42] *** siva_krish has joined #openstack-swift
[14:52] <acoles> jrichli: Yes that is unavoidable
[14:53] <acoles> jrichli: two things on the same path that is. on different path, no - the HMACs would be different due to using object_key
[14:55] <jrichli> acoles: ah, right.  i guess you'd have the same issue with md5 as iv.
[14:56] *** diogogmt has quit IRC
[14:58] *** diogogmt has joined #openstack-swift
[14:59] *** arch-nemesis has joined #openstack-swift
[15:00] *** diogogmt has quit IRC
[15:02] <acoles> jrichli: yeah, to solve that one you need some varying parameter for same object content, which of course cannot then be deterministic.
[15:03] <acoles> jrichli: mahatic_ tdasilva timburke torgomatic notmyname : my notes appended to https://etherpad.openstack.org/p/swift_md5_encryption. I am gone now til Monday, assuming no opposition I'll then code up that approach.
[15:03] <tdasilva> acoles: have a good weekend!
[15:04] <acoles> Note the list of review "discussion topics" here https://trello.com/b/63l5zQhq/swift-encryption
[15:05] <acoles> kota_: ^^ notes on etherpad
[15:06] *** acoles is now known as acoles_
[15:06] <kota_> Thx! acoles! Have a good weekend!
[15:06] *** cbartz has left #openstack-swift
[15:07] *** arch-nemesis has quit IRC
[15:12] *** tesseract- has quit IRC
[15:14] *** klrmn has joined #openstack-swift
[15:18] *** jmccarthy has quit IRC
[15:19] *** baojg has joined #openstack-swift
[15:19] *** jmccarthy has joined #openstack-swift
[15:20] *** arch-nemesis has joined #openstack-swift
[15:21] *** diogogmt has joined #openstack-swift
[15:25] *** d0ugal has quit IRC
[15:34] *** StraubTW has quit IRC
[15:35] *** chsc has joined #openstack-swift
[15:35] *** mingyu has quit IRC
[15:36] *** tqtran has joined #openstack-swift
[15:38] *** pcaruana has quit IRC
[15:39] *** rcernin has quit IRC
[15:40] *** tqtran has quit IRC
[15:41] *** jmccarthy has quit IRC
[15:42] *** jmccarthy has joined #openstack-swift
[15:47] *** zul has quit IRC
[15:48] *** thumpba has joined #openstack-swift
[15:52] *** daemontool_ has joined #openstack-swift
[15:54] *** daemontool has quit IRC
[15:54] *** Suyash has joined #openstack-swift
[15:55] <notmyname> ok, now back online at a reasonable hour of the morning ;-)
[15:57] <tdasilva> lol
[15:58] <jrichli> thanks again everyone for attending the meeting - despite some challenging times of the day
[15:59] *** nadeem has joined #openstack-swift
[16:09] *** lyrrad has joined #openstack-swift
[16:12] *** ouchkernel has quit IRC
[16:17] *** ouchkernel has joined #openstack-swift
[16:21] *** klrmn has quit IRC
[16:23] *** zul has joined #openstack-swift
[16:25] *** rledisez has quit IRC
[16:26] *** baojg has quit IRC
[16:34] *** dmorita has joined #openstack-swift
[16:34] *** dmk0202 has joined #openstack-swift
[16:35] *** mingyu has joined #openstack-swift
[16:37] <timburke> good morning
[16:38] *** mingyu_ has joined #openstack-swift
[16:39] *** mingyu has quit IRC
[16:40] *** joeljwright has quit IRC
[16:52] *** pgbridge has joined #openstack-swift
[16:53] *** SkyRocknRoll has joined #openstack-swift
[17:08] *** superflyy has joined #openstack-swift
[17:09] *** hseipp has quit IRC
[17:10] *** ouchkernel has quit IRC
[17:13] <timburke> jrichli: acoles_: i like the suggestion in https://trello.com/c/6kiiS8KZ/47-consider-deriving-the-nonce-for-user-metadata - that's basically exactly what i was thinking
[17:14] <timburke> sorting shouldn't be too bad; there won't be very many values. (fwiw, we do similar things in swift3 as part of the request-signing process)
[17:14] <timburke> i'm not sure i understand the length-limit concern, though; won't CTR handle all of the incrementing for us?
[17:14] <timburke> fwiw, i was thinking of something like https://gist.github.com/tipabu/82256be1136ca0446b73189eec5b5e26 -- i can try to turn that into a real patch later today
[17:15] *** dmk0202 has quit IRC
[17:16] *** ouchkernel has joined #openstack-swift
[17:16] *** klrmn has joined #openstack-swift
[17:16] <timburke> (minor edit there: first version was using X-Object-Sysmeta-Crypto-Meta-Meta instead of X-Object-Transient-Sysmeta-Crypto-Meta-Meta)
[17:16] *** catintheroof has joined #openstack-swift
[17:16] *** dmk0202 has joined #openstack-swift
[17:18] *** zaitcev has joined #openstack-swift
[17:18] *** ChanServ sets mode: +v zaitcev
[17:20] *** superflyy has quit IRC
[17:26] *** nadeem has quit IRC
[17:30] *** tqtran has joined #openstack-swift
[17:34] *** siva_krish has quit IRC
[17:34] *** daemontool_ has quit IRC
[17:35] *** dmk0202 has quit IRC
[17:39] *** dmk0202 has joined #openstack-swift
[17:46] *** thumpba_ has joined #openstack-swift
[17:48] *** thumpba has quit IRC
[18:02] *** zul has quit IRC
[18:03] *** openstackgerrit has quit IRC
[18:03] *** openstackgerrit has joined #openstack-swift
[18:08] *** manous has joined #openstack-swift
[18:09] *** mingyu_ has quit IRC
[18:11] *** SkyRocknRoll has quit IRC
[18:17] <clayg> ah, yeah the passing of the bytes in the SLO's and stuff - updating content-type hrmm...
[18:25] *** zul has joined #openstack-swift
[18:26] *** SkyRocknRoll has joined #openstack-swift
[18:35] <clayg> what's the qs or header to tell an object request to look at the manifest instead of the thing represented by the manifest?
[18:36] <clayg> ?multipart-manifest=get
[18:36] <clayg> http://docs.openstack.org/developer/swift/overview_large_objects.html
[18:36] <timburke> yeah, that
[18:40] *** openstackstatus has quit IRC
[18:43] *** openstack has joined #openstack-swift
[18:53] *** Lickitysplitted_ has joined #openstack-swift
[18:53] *** Lickitysplitted has quit IRC
[19:01] *** cdelatte has quit IRC
[19:08] *** hk_ has joined #openstack-swift
[19:10] *** hk_ has quit IRC
[19:11] *** hk_ has joined #openstack-swift
[19:11] <hk_> hi al
[19:13] *** siva_krish has joined #openstack-swift
[19:18] <hk_> hi all, I'm new on openstack-proxy. may you help me to fix swift proxy?
[19:18] <notmyname> hk_: depends on what your problem is
[19:19] <timburke> acoles_: jrichli: fyi, i've got a WIP patch to start using hmac for conditional-request etags at http://paste.openstack.org/show/522027/ - functests seem to still pass; still sorting out what's going on in some of the unittests
[19:20] <timburke> will drop attach a better patch to 328208 once i've got that sorted out
[19:20] <hk_> When i check service status, it shows failed to start swift-proxy service
[19:20] <notmyname> hk_: why does it say it failed to start? any messages printed out? anything in the logs?
[19:20] <hk_> yes
[19:21] <jrichli> timburke: nice.  i'll take look
[19:21] <hk_> same message i see on lots of question on ask.openstack.org
[19:21] <notmyname> hk_: feel free to use paste.openstack.org to share what you're seeing
[19:21] <hk_> but did not give anyone ans
[19:21] <hk_> wait
[19:23] <hk_> http://paste.openstack.org/show/522028/
[19:23] <hk_> it's my log, i have config it as official doc
[19:23] *** cdelatte has joined #openstack-swift
[19:23] <hk_> i have 2 swift node
[19:25] <hk_> hey notmyname
[19:25] <notmyname> hk_: I've not seen that error before. I don't know what "Unit openstack-swift-proxy.service entered failed state." means. normally I'd expect a message printed to stdout/stderr or in syslog
[19:26] <hk_> what i paste is i seen when i fire command "systemctl status openstack-swift-proxy"
[19:31] *** ametts has quit IRC
[19:31] *** Jeffrey4l_ has joined #openstack-swift
[19:32] <hk_> hi
[19:32] <hk_> hello notmyname
[19:33] *** SkyRocknRoll has quit IRC
[19:34] *** Jeffrey4l has quit IRC
[19:34] <hk_> i could attach more ref from internet which is same as my question, but still no one could able
[19:38] <zaitcev> notmyname: It's what happens when someone tries to start services with  systemctl start openstack-swift-proxy and the proxy tracebacks. The traceback is too long for systemd to capture.
[19:39] <zaitcev> hk_: set SElinux to permissive (at least temporarily) and start with  swift-init proxy-server start. That should allow you to see the traceback. Something is typoed in your proxy-server.conf or maybe some module is missing that's specified in the pipeline.
[19:44] <clayg> weee crypto is fun
[19:45] <notmyname> clayg: when I write stuff to a cluster with crypto, I can't read the on-disk data. so it's good, right? :-)
[19:46] <zaitcev> maybe you can if you have a supercomputer and right algorithms
[19:48] <hk_> ahahah supercomputer, it's too much far as quantum computer
[19:53] *** haypo has left #openstack-swift
[19:54] *** nadeem has joined #openstack-swift
[19:59] *** nadeem has quit IRC
[20:02] <clayg> how *did* all that insanity with quotes on etags happen?
[20:02] <clayg> notmyname: EC sorta works like that too?
[20:03] <notmyname> which particular insanity?
[20:03] <clayg> well, mainly swob._resp_etag_property
[20:03] <clayg> it's like what the how?
[20:04] *** hk__ has joined #openstack-swift
[20:04] <clayg> was it just something webob used to do?
[20:04] *** hk_ has quit IRC
[20:05] <notmyname> the lack of quotes might have started with webob. I don't remember.
[20:06] <timburke> clayg: from the spec, etags are supposed to have quotes. historically, we didn't. at one point we tried changing that, broke a bunch of clients, and went back to no-quotes
[20:06] <timburke> (at least, that's how i recall it being communicated to me)
[20:06] <notmyname> timburke: yeah, but I don't know the reason for "historically we didnt"
[20:07] <notmyname> maybe webob. maybe just because that's something that happened with twisted's web server in NAST (the thing that came before swift)
[20:07] *** ChubYann has joined #openstack-swift
[20:09] <notmyname> clayg: I feel like I missed the point of your question
[20:10] <timburke> i suppose we'd *really* run into trouble if we tried to support "weak validator" markings. i've occasionally considered doing it for DLOs with more than a single container listing's worth of segments, but always stop when i consider how many places might need to know how to handle it
[20:10] <hk__> @zaitcev, thanks. I did not enable [filter:authtoken] in /etc/swift/proxy-server.conf. now its working fine.
[20:11] *** hk__ has quit IRC
[20:13] *** ouchkernel has quit IRC
[20:13] *** dmorita has quit IRC
[20:13] *** dmorita has joined #openstack-swift
[20:14] *** cdelatte has quit IRC
[20:18] *** ouchkernel has joined #openstack-swift
[20:25] <clayg> wow, so X-Static-Large-Object: True is always stored unencrypted - so even if you try to read a SLO from an encrypted manifest w/o the encryption middleware - it gets picked up by the slo middleware
[20:25] *** silor has quit IRC
[20:25] *** manous has quit IRC
[20:26] <clayg> the interesting thing is that the slo middleware is kinda "cool" with garbage coming back in the manifest
[20:28] <clayg> try: segments = json.loads() except ValueError: segments = []
[20:28] <clayg> ^ you're welcome
[20:28] <timburke> clayg: i'm guessing the lack of encryption there is at least in part because we'd have swift_bytes in the content-type, which is a dead give-away
[20:29] <clayg> timburke: sure
[20:31] <clayg> still sorta surprised maybe that it hasn't been an issue for us before -> https://github.com/openstack/swift/blob/c0217a4845e2ea780dc4dcb61877e604bc488729/swift/common/middleware/slo.py#L657
[20:31] <clayg> the silent passing of the error doing the thing that is obviously not going to be correct in order to not have to blow up and return an error
[20:31] <clayg> hell, there's not even any logging
[20:31] *** Suyash has quit IRC
[20:32] *** Suyash has joined #openstack-swift
[20:32] *** Suyash has quit IRC
[20:32] *** Suyash has joined #openstack-swift
[20:34] <notmyname> timburke: running node directly worked on my machine for those tests you asked about
[20:35] <timburke> notmyname: i figured out what happened. try running the tests twice -- something like `./.unittests common/middleware/test_encrypter_decrypter.py common/middleware/test_encrypter_decrypter.py`
[20:36] <timburke> (i'd used a * which brought in the pyc files, too)
[20:36] <notmyname> oh, weird
[20:37] <notmyname> I've never tried that before. I think I shall not try it again
[20:37] <timburke> haha
[20:37] <notmyname> however, it doesn't seem right
[20:38] <timburke> it's actually really really useful when you're trying to hit one of those occasionally-failing tests. i have nose run just that one test like 5000 times
[20:39] <openstackgerrit> Merged openstack/swift: Make string.letters PY3 compatible  https://review.openstack.org/333712
[20:39] *** manous has joined #openstack-swift
[20:41] *** siva_krish has quit IRC
[20:46] <timburke> jrichli: acoles_: i think http://paste.openstack.org/show/522038/ ought to do it. also added a link to it on the relevant patch
[20:46] *** dmk0202 has quit IRC
[20:46] *** manous has quit IRC
[20:51] <clayg> maybe I glad I hadn't really grokked iv_base yet
[21:00] *** siva_krish has joined #openstack-swift
[21:09] *** siva_krish has quit IRC
[21:13] <clayg> X-Object-Transient-Sysmeta-Crypto-Meta-Mtime <- winning
[21:27] *** dmorita has quit IRC
[21:28] *** dmorita has joined #openstack-swift
[21:30] *** dmorita has quit IRC
[21:35] *** geaaru has quit IRC
[21:43] *** dmorita has joined #openstack-swift
[22:12] *** vinsh_ has quit IRC
[22:17] *** dmorita has quit IRC
[22:17] <clayg> so we going to merge these always random iv goodness?
[22:17] *** dmorita has joined #openstack-swift
[22:17] <notmyname> clayg: I'm testing timburke's patch diff now
[22:18] <notmyname> but it's up to acoles_ to handle getting it into the patch chain
[22:18] <notmyname> as far as the idea goes, though, yeah. i'm totally for it. sounds a lot better than the current proposal
[22:18] *** catintheroof has quit IRC
[22:24] *** thumpba_ has quit IRC
[22:24] *** thumpba has joined #openstack-swift
[22:24] *** thumpba has quit IRC
[22:25] *** thumpba has joined #openstack-swift
[22:25] *** thumpba has quit IRC
[22:25] *** thumpba has joined #openstack-swift
[22:26] *** thumpba has quit IRC
[22:26] *** thumpba has joined #openstack-swift
[22:27] *** thumpba has quit IRC
[22:27] *** dmorita has quit IRC
[22:27] *** thumpba has joined #openstack-swift
[22:27] *** thumpba has quit IRC
[22:28] *** thumpba has joined #openstack-swift
[22:28] *** thumpba has quit IRC
[22:28] *** thumpba has joined #openstack-swift
[22:29] *** ManojK has joined #openstack-swift
[22:29] *** thumpba has quit IRC
[22:29] *** thumpba has joined #openstack-swift
[22:30] *** thumpba has quit IRC
[22:30] *** thumpba_ has joined #openstack-swift
[22:30] *** thumpba_ has quit IRC
[22:31] *** dmorita has joined #openstack-swift
[22:36] *** dmorita has quit IRC
[22:37] *** dmorita has joined #openstack-swift
[22:40] *** nadeem has joined #openstack-swift
[22:41] <clayg> have any cryptanalysis types weighed in on the idea of using the object key in a second context like an HMAC?
[22:42] *** arch-nemesis has quit IRC
[22:43] <clayg> the concatenation of the key with the provided etag makes me feel like we think it's not safe to use the object key as the secret in an hmac without an iv (so we're adding on the user provided if-match etag)
[22:43] <clayg> also using the body of hmac as part of the secret seems weird
[22:45] *** thumpba has joined #openstack-swift
[22:45] *** thumpba has quit IRC
[22:58] *** ManojK has quit IRC
[23:00] *** ouchkernel has quit IRC
[23:06] *** thumpba has joined #openstack-swift
[23:06] *** thumpba has quit IRC
[23:06] *** ouchkernel has joined #openstack-swift
[23:09] *** itlinux has quit IRC
[23:20] *** pgbridge has quit IRC
[23:20] *** nadeem has quit IRC
[23:21] *** nadeem has joined #openstack-swift
[23:23] *** chsc has quit IRC
[23:24] *** ManojK has joined #openstack-swift
[23:27] <clayg> timburke: does the key_id == path in the crypto_meta dict go away too?
[23:29] <clayg> yeah it seems unfair that the *container* etag gets to use a random iv
[23:57] *** dmorita has quit IRC
[23:58] *** ManojK has quit IRC
[23:59] *** thumpba has joined #openstack-swift
[23:59] *** thumpba has quit IRC
