Friday, 2018-08-17

<openstackgerrit> Matthew Oliver proposed openstack/swift master: Expand docs on root secret life cycle  https://review.openstack.org/592626 [00:52]
<openstackgerrit> Matthew Oliver proposed openstack/swift master: Add changing secret key for external KMS section  https://review.openstack.org/592773 [00:52]
*** ianychoi has joined #openstack-swift [01:47]
*** mahatic has quit IRC [01:51]
<kota_> good morning [02:33]
*** HW_Peter has quit IRC [02:36]
<mattoliverau> kota_: morning [03:02]
<zaitcev> did anyone notice that all pep8 tests in the gate fail with "[main] ERROR Unknown test found in profile: B109"? [03:04]
*** gkadam_ has joined #openstack-swift [03:24]
*** cbartz has joined #openstack-swift [04:15]
*** gkadam_ has quit IRC [04:30]
*** mahatic has joined #openstack-swift [05:07]
*** ChanServ sets mode: +v mahatic [05:07]
*** hseipp has joined #openstack-swift [06:12]
*** links has joined #openstack-swift [06:37]
*** pcaruana has joined #openstack-swift [06:54]
*** rcernin has quit IRC [06:55]
<mattoliverau> zaitcev: I did notice that, well now. I wonder if infra know (as in it's an OS-wide ci issue). [06:59]
*** mvkr has quit IRC [08:08]
*** ejat has joined #openstack-swift [08:12]
*** cbartz has quit IRC [08:25]
*** zaitcev_ has joined #openstack-swift [08:32]
*** ChanServ sets mode: +v zaitcev_ [08:32]
*** zaitcev has quit IRC [08:35]
*** hseipp has quit IRC [08:40]
*** mikecmpbll has joined #openstack-swift [08:45]
*** cbartz has joined #openstack-swift [08:47]
*** mvkr has joined #openstack-swift [08:55]
*** notmyname has quit IRC [11:42]
*** notmyname has joined #openstack-swift [11:43]
*** ChanServ sets mode: +v notmyname [11:43]
*** yousef_ has joined #openstack-swift [11:58]
*** yousef_ has quit IRC [12:02]
<openstackgerrit> Thiago da Silva proposed openstack/swift master: Attempt to fix pep8  https://review.openstack.org/593048 [13:17]
*** zaitcev_ is now known as zaitcev [13:19]
*** hoonetorg has quit IRC [14:02]
*** hoonetorg has joined #openstack-swift [14:03]
* zaitcev pokes tdasilva - so why not bandit.yaml? [14:03]
*** cbartz has quit IRC [14:06]
*** hoonetorg has quit IRC [14:09]
<tdasilva> zaitcev: good point, let me fix that [14:18]
<openstackgerrit> Thiago da Silva proposed openstack/swift master: Attempt to fix pep8  https://review.openstack.org/593048 [14:23]
*** hoonetorg has joined #openstack-swift [14:35]
<clayg> tdasilva: what's going on with this pep8 stuff!? [15:14]
<clayg> ERROR Unknown test found in profile: B109 - I mean what even *is* B109? [15:18]
<tdasilva> clayg: not sure specifically about b109, but looks like latest version of bandit removed it. This bandit release hit different projects with pep8 issues: http://lists.openstack.org/pipermail/openstack-dev/2018-August/133418.html [15:26]
<clayg> tdasilva: ok, so unpin bandit and pull the check?  Or something.... [15:33]
<clayg> oh, or we don't need to do anything to the bandit requirements or whatever... just pull out the check... [15:35]
<clayg> which had something to do with secrets... [15:35]
<clayg> sigh [15:35]
<tdasilva> clayg bandit is not currently pinned, so we always get the latest, which caused this issue [15:41]
<tdasilva> in that email thread Doug mentioned pinning stable branches, maybe that's a good diea [15:42]
<tdasilva> ideia [15:42]
<tdasilva> idea [15:42]
<zaitcev> It was hours, but still no check from Zuul. [15:49]
<tdasilva> zaitcev: according to http://zuul.openstack.org/ 11 more minutes [15:54]
*** silor has joined #openstack-swift [16:00]
*** mikecmpbll has quit IRC [16:05]
<tdasilva> i put a +A [16:34]
<tdasilva> brb [16:35]
<zaitcev> Yes, thanks. Saw it just now. [16:38]
*** links has quit IRC [16:43]
*** gyee has joined #openstack-swift [16:52]
<timburke> tdasilva: bah! i messed up my commit message when i was editing things. https://review.openstack.org/#/c/592230/ was supposed to be a new patchset for https://review.openstack.org/#/c/575860/. will fix [16:54]
<patchbot> patch 592230 - swift - s3api: Include '-' in multipart ETags - 1h 44m 25s spent in CI [16:54]
<patchbot> patch 575860 - swift - Include '-' in multipart ETags - 11h 52m 26s spent in CI [16:54]
*** mikecmpbll has joined #openstack-swift [16:58]
<timburke> clayg: each individual piece of metadata gets its own iv -- but it should all get encrypted at once with the same derived key. that encryption/key information is what gets stuffed into X-Object-Transient-Sysmeta-Crypto-Meta [17:01]
<clayg> yup [17:02]
<clayg> i got a little confused with swift-object-info only showing metadata from the data file - but I got there eventually [17:02]
<clayg> timburke: you're too good about reading scrollback :P [17:02]
<timburke> the encryption is done directly with the derived key rather than using the derived key to encrypt a randomly generated key (like we do for the data) because the metadata will be fairly small -- so if we ever want to re-key, we're willing to just replace it all [17:02]
<clayg> but THANK YOU [17:02]
<timburke> and if you want to get us to the point where we can encrypt content-type, *great* -- i would love to see that patch [17:03]
<clayg> yes, design makes sense - no good reason for me to be confused - i was just ignorant [17:03]
<clayg> timburke: oh, i figured there was some good reason we don't do it? [17:04]
<timburke> i think there were concerns about whether we could do that and not horribly break things. but i don't remember all of the details now [17:04]
<clayg> so in the container listings - the only thing we encrypt is ... the etag? [17:04]
<timburke> we'd definitely need to start storing *that* with its own key_id though [17:05]
<timburke> yup [17:05]
<timburke> maybe there were concerns about making the content-type header too long? idk [17:08]
<openstackgerrit> Tim Burke proposed openstack/swift master: s3api: Include '-' in multipart ETags  https://review.openstack.org/575860 [17:31]
<openstackgerrit> Tim Burke proposed openstack/swift master: s3api: Include '-' in S3 ETags of normal SLOs  https://review.openstack.org/592231 [17:31]
*** nguyenhai_ has quit IRC [17:39]
*** nguyenhai_ has joined #openstack-swift [17:40]
<tdasilva> timburke: heh, i'm still a bit confused, so I'll let you update https://wiki.openstack.org/wiki/Swift/PriorityReviews [17:46]
<timburke> tdasilva: updated. and the patch that needed to be abandoned has been abandoned [17:52]
<timburke> just gotta wait another half-hour or so for the bandit patch to land... :-/ [17:53]
<openstackgerrit> Tim Burke proposed openstack/swift master: Add support for multiple root encryption secrets  https://review.openstack.org/577874 [17:58]
<openstackgerrit> Tim Burke proposed openstack/swift master: Multi-key KMIP keymaster  https://review.openstack.org/586455 [17:58]
<openstackgerrit> Tim Burke proposed openstack/swift master: Multi-key KMS keymaster  https://review.openstack.org/591555 [18:00]
<openstackgerrit> Tim Burke proposed openstack/swift master: Add debugging info to SignatureDoesNotMatch responses  https://review.openstack.org/575808 [18:04]
<openstackgerrit> Merged openstack/swift master: Attempt to fix pep8  https://review.openstack.org/593048 [18:25]
<openstackgerrit> Merged openstack/swift master: Fix locking in swift-recon-cron  https://review.openstack.org/592200 [18:30]
*** gyee has quit IRC [18:43]
*** silor has quit IRC [19:50]
<clayg> hrm....ValueError: keymaster_config_path is set, but there are other config options specified: key_id, key_id_2018, key_id_2019, active_root_secret_id [20:09]
<timburke> clayg: you set those in proxy-server.conf instead of the external file? [20:10]
<clayg> so I didn't really notice that i put key_id in my kmip config file... now that i'm doing multiple keys it seems to make more sense that my connection/client details would go one place but the keymaster config would stay near the middleware config... hmm... [20:10]
<clayg> ok, I think i see how this works... [21:13]
<openstackgerrit> Merged openstack/swift master: Add support for multiple root encryption secrets  https://review.openstack.org/577874 [21:16]
<clayg> oh, ok... right ValueError: KmipKeyMaster config cannot be read from conf dir %s. Use keymaster_config_path option in the proxy server config to specify a config file. [21:18]
<clayg> I see how this happened :D [21:18]
*** mikecmpbll has quit IRC [23:36]
