#openstack-meeting-alt log

15:00:21 <bswartz> #startmeeting manila
15:00:23 <openstack> Meeting started Thu Mar 23 15:00:21 2017 UTC and is due to finish in 60 minutes.  The chair is bswartz. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:24 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:26 <openstack> The meeting name has been set to 'manila'
15:00:27 <jungleboyj> o/
15:00:30 <cknight> Hi
15:00:34 <xyang2> hi
15:00:35 <bswartz> hello all
15:00:36 <vponomaryov> hello
15:00:40 <ganso> hello
15:00:48 <tommylikehu_> ganso: hello
15:01:03 <vkmc> hi hi o/
15:01:05 <jprovazn> hi
15:01:09 <tbarron> hi
15:01:10 <vponomaryov> ganso: tommy respects only you ))
15:01:15 <arnewiebalck> hi
15:01:19 <bswartz> no announcements today
15:01:21 <tommylikehu_> vponomaryov: ...
15:01:23 <ganso> vponomaryov: lol
15:01:33 <tbarron> ganso: hi
15:01:36 <zhongjun_> hi
15:01:36 <bswartz> #agenda https://wiki.openstack.org/wiki/Manila/Meetings
15:01:42 <vponomaryov> ganso: hi
15:02:12 <ganso> vponomaryov, tbarron, tommylikehu_ : hello :)
15:02:21 <bswartz> #topic SSL certificate verification
15:02:49 <bswartz> this issue popped up late last week and I thought it would be good to bring it up here
15:02:55 <vponomaryov> for API? drivers?
15:03:12 <bswartz> this is a py27 change
15:03:59 <dustins> hey all!
15:04:00 <bswartz> between py 2.7.8 and 2.7.9, the SSL library switched from not verifying SSL certs by default to verifying by default
15:04:20 <bswartz> in either case the behavior is configurable but the default changed and most people use the default
15:04:47 <markstur> hi
15:04:58 <bswartz> Apparently it's relatively common for people to actually use HTTPS an not verify certificates, even though it's bad security practice
15:05:33 <clarkb> my understanding was older python couldnt be made to do it instead you had to install extra libs (hence the urllib3 insecure platform warning)
15:05:46 <bswartz> NetApp first noticed this issue back during ocata when our driver started having issues communicating with some backends using HTTPS
15:06:05 <bswartz> clarkb: I wasn't aware of that -- that explains some things
15:06:48 <bswartz> in any case the initial response was to turn create an option to turn off SSL cert verification in our driver, but I pushed back against that solution
15:06:56 <clarkb> I should clarify older python stdlib couldnt do it
15:07:37 <bswartz> My stance is that SSL certification verification is there for a reason, and it's better to show users how to use it correctly than to give them a switch to turn it off
15:08:24 <bswartz> users who _really_ don't want to do the work of setting up SSL right still have the option to use HTTP or downgrade to python 2.7.8
15:09:26 <jungleboyj> Seems reasonable.
15:09:35 <bswartz> anyways the issue popped up again because EMC encountered the same issue and pushed a bugfix to disable SSL cert verification in their driver, but did it using a global driver option
15:09:54 <bswartz> I have reverted that bugfix https://review.openstack.org/#/c/447065/
15:10:11 <bswartz> and the remaining issue is how to solve EMC's problem
15:10:16 <markstur> it is good to be able to turn it off in test labs
15:10:27 <bswartz> markstur: I disagree
15:10:42 <bswartz> it's good to setup SSL properly in your test labs
15:11:04 <bswartz> or test with HTTP
15:11:12 <xyang2> bswartz: I thought you are okay for a driver only fix?
15:11:38 <bswartz> anyways the current proposal is to introduce an EMC-only driver option to disable SSL cert verification, and I'm okay with that
15:11:39 <clarkb> its trivial to properly trust a self signed cert fwiw
15:11:58 <markstur> s/it is good/it is sometimes necessary (and evil...)/
15:12:06 <bswartz> but I don't want anyone getting the idea that's is a recommended practice
15:12:37 <tbarron> xyang2: I have some concern with driver only fix unless the option is marked 'testing...' or whatever
15:12:47 <tbarron> xyang2: from a distro and support POV, #1
15:13:12 <tbarron> xyang2: and #2, from manila seeking managed-vulnerability-status from OpenStack security
15:13:14 <ganso> tbarron: from my understanding, that was targetting production clouds
15:13:42 <tbarron> ganso: ?  so why would a production cloud want to run w/o cert for https?
15:13:56 <bswartz> xyang2: I would hope that the EMC driver option default to true (verify certificates unless the admin specifically disables it)
15:14:04 <xyang2> tbarron: default to true, is ok?
15:14:15 <ganso> tbarron: I don't know, EMC should have the answer to that
15:14:29 <bswartz> xyang2: maybe log a warning when it's turned off, explaining the risks
15:14:40 <xyang2> bswartz: ok
15:14:58 <tbarron> xyang2: yeah, something loud that support people will see
15:15:15 <bswartz> the truth is that most admins are dumb and will take the path of least resistance to make things work
15:15:39 <bswartz> which is why I applaud the python community for making it harder to use SSL without certificate validation
15:16:39 <bswartz> as developers we have responsibility to make things secure by default and make it clear when options are changed to compromise security
15:16:58 <vkmc> bswartz++
15:17:04 <zhongjun_> lol
15:17:21 <jungleboyj> Truth.
15:17:29 * bswartz gets off his soap box
15:17:53 <bswartz> #topic Specs
15:18:04 <bswartz> #link https://review.openstack.org/#/q/status:open+project:openstack/manila-specs
15:18:54 <bswartz> specs deadline is in 3 weeks
15:19:11 <bswartz> please be reviewing specs
15:19:25 <bswartz> are there any spec-review-related issues we should discuss here today?
15:20:32 <bswartz> zhongjun_: you have the most open specs for pike
15:20:35 <tbarron> https://review.openstack.org/#/c/447021/ is a good spec but needs an implementor
15:20:51 <tbarron> ^^ if anyone is interested
15:20:58 <zhongjun_> bswartz: yes, please review my specs
15:22:03 <tbarron> ^^ should largely be a port from cinder
15:22:07 <bswartz> also I should point out that while pike is a longer release, we have fewer people actively working on the team now :-( so we need to be mindful of core reviewer bandwidth
15:22:43 <bswartz> we will most likely need to make some priority calls about what we focus on in Pike
15:23:11 <bswartz> and some perfectly good specs and/or ideas might not get approved just so we can focus on the high priority stuff
15:23:48 <vkmc> more eyes on this would be appreciated https://review.openstack.org/#/c/445441/
15:24:09 <bswartz> tbarron: why would Arne Wiebalck propose a spec he doesn't plan to work on?
15:24:22 <vkmc> with a high interest with regards to the perf section
15:25:01 <zhongjun_> How to define which spec is perfectly good specs? :D
15:25:02 <tbarron> bswartz: arnewiebalck is running a very big cloud full time, I think it's great to have operators proposing work for us
15:25:07 <arnewiebalck> bswartz: b/c I’d like that feature to operate Manila in our cloud
15:25:19 <tbarron> instead of us just coming up a priori with ideas of what operators need
15:25:34 <bswartz> arnewiebalck: hi!
15:25:47 <arnewiebalck> bswartz: o/
15:26:09 <arnewiebalck> bswartz: besides, I wouldn’t call myself a developer :)
15:26:19 <bswartz> okay I would just assume that operators would work with a developer to produce a spec that the developer would go on to implement
15:26:39 <bswartz> it's great to get input from operators
15:27:05 <bswartz> but a spec with no implementor does create problems for us
15:27:06 <arnewiebalck> bswartz: I thought defining more precisely what I’d need would helkp finding a dev
15:27:19 <bswartz> I guess it's good to raise awareness that we need a volunteer here
15:27:57 <bswartz> and hopefully it's obvious to everyone that working on something that a deployer asks for is way more likely to be useful that working on stuff we dream up ourselves
15:28:00 <bswartz> :-)
15:28:32 <vponomaryov> actually, I can take it
15:28:39 <vkmc> if the implementation is not very complex (I need to read the spec), we may be able to get an intern from Outreachy to work on that
15:28:51 <vkmc> or Valeriy :)
15:28:51 <bswartz> Outreachy?
15:29:01 <vkmc> yeah it's an internship project we have in OpenStack
15:29:04 <bswartz> ah
15:29:06 <vkmc> s/project/program/g
15:29:34 <tbarron> and btw vkmc's spec https://review.openstack.org/#/c/445441/ for telemetry is actual operator/customer demanded also
15:29:45 <bswartz> we have a bunch of shovel-ready work for interns who want to contribute
15:29:56 <jungleboyj> If it is just a port from Cinder it shouldn't be that bad.
15:30:10 <tbarron> jungleboyj: +1
15:30:32 <arnewiebalck> i referenced the Cinder commit in the spec
15:30:37 <bswartz> vponomaryov: if you're interested please take a look
15:30:47 <bswartz> I'm curious to know how much work this is
15:30:48 <vponomaryov> bswartz: ok
15:30:48 <vkmc> oh nice... yeah, in that case it could be ok
15:31:30 <jungleboyj> vkmc:  If you have someone Outreachy for it I can be available to help understand the Cinder side as they bring it over.
15:31:51 <tbarron> well vponomaryov will probably have it done tomorrow :)
15:31:51 <vkmc> jungleboyj, that would be awesome!
15:31:58 <vkmc> yeah :)
15:32:03 <vkmc> tbarron, ^
15:32:29 <tbarron> but jungleboyj there's more gold where that came from
15:32:38 <jungleboyj> :-)  Is he the Gorka of Manila tbarron  ?
15:33:37 <bswartz> okay I think that covers specs
15:34:04 <bswartz> please review them, please don't feel bad about pushing for reviews if you're an author
15:34:08 <bswartz> #topic open discussion
15:34:13 <bswartz> any other things for today?
15:34:39 <tommylikehu_> wait
15:35:07 <tommylikehu_> hope someone would like to take a look
15:35:08 <tommylikehu_> https://review.openstack.org/#/c/448384/
15:35:22 <tommylikehu_> I am proposing this in cinder, but we also have this in manila
15:36:45 <bswartz> tommylikehu_:  is there a spec for that, or just the change?
15:37:03 <tommylikehu_> it's a idea
15:37:22 <jungleboyj> tommylikehu_:  Is this THE change?
15:37:32 <tommylikehu_> jungleboyj: yes
15:37:41 <jungleboyj> Ah, yes it is.  :-)
15:37:57 <tommylikehu_> I hope I can get more response
15:37:59 <tommylikehu_> just that.
15:38:14 <jungleboyj> So, I looked at that more this morning and my confusion was I didn't even know that change had gone in place.
15:38:18 <bswartz> okay and I see that jprovazn already saw it so hopefully the idea can be integrated into the manila user messages work if it makes sense
15:38:24 <tbarron> tommylikehu_: thank you for working for consistency across the two projects where it matters, despite jgriffith saying he doesn't give a @#$#@ about what manila does :)
15:38:38 <jungleboyj> tbarron: ++
15:38:40 <tommylikehu_> tbarron: lol
15:38:49 <tommylikehu_> tbarron: you checked the history
15:39:14 <jungleboyj> tommylikehu_:  I will go comment in the review.  See what others think.  Thank you for the updates and bearing with me on that.
15:39:14 <jprovazn> tommylikehu_, bswartz: yes, I like the idea in the patch and if manila user messages spec will be accepted I hope we can use the same too
15:39:25 <bswartz> k
15:39:39 <tommylikehu_> thanks. jprovazn, jungleboyj, tbarron:)
15:40:04 <tommylikehu_> We can do this after meeting
15:40:15 <bswartz> alright if there's nothing else we're done
15:40:21 <bswartz> thanks everyone
15:40:32 <bswartz> #endmeeting