[openstack-dev] [openstack-ansible] Stepping down from OpenStack-Ansible core

2018-03-26 Thread Major Hayden
Hey there,

As promised, I am stepping down from being an OpenStack-Ansible core reviewer 
since I am unable to meet the obligations of the role with my new job. :(

Thanks to everyone who has mentored me along the way and put up with my gate 
job breakages. I have learned an incredible amount about OpenStack, Ansible, 
complex software deployments, and open source communities. I appreciate 
everyone's support as I worked through the creation of the ansible-hardening 
role as well as adding CentOS support for OpenStack-Ansible.

--
Major Hayden

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


[openstack-dev] Going but not gone

2018-03-09 Thread Major Hayden
Hello there,

I'm leaving my current role for a new opportunity and, unfortunately, this 
means I won't be as involved in OpenStack as much in the near future. I've 
spoken with our fearless OpenStack-Ansible PTL and I let JP know that I will 
resign from the core reviewers group immediately if I feel that I cannot meet 
the obligations of the role.

With that said, the OpenStack community has been truly amazing. My first humble 
contribution[0] was a fix for broken glance tests back in 2011. I've done a 
little more since then and I'm proud to be a tiny part of what OpenStack has 
become today.

I'd like to thank everyone who has reviewed one of my patches, fixed one of the 
bugs I created with my patches, and fixed the gate jobs that I broke with my 
patches. Thanks to everyone who has attended one of my talks at the Summits and 
thanks to everyone who has put up with my oddball suggestions at Design 
Summits, Forums, and PTGs. I have learned an *incredible* amount about 
OpenStack, Python, Linux, open source, communities, and how to be a better 
human.

Thanks to the leaders of the OpenStack Foundation as well for their continued 
support. They have been excellent listeners and they took lots of time to 
consider my suggestions for improvements.

I love you all and working in this community has been one of the best 
experiences in my professional career. :)

[0] https://review.openstack.org/#/c/2652/

--
Major Hayden


[openstack-dev] [openstack-ansible] Limiting pip wheel builds for OpenStack clients

2018-01-24 Thread Major Hayden
Hey there,

I was spelunking into the slow wheel build problems we've been seeing in CentOS 
and I found that our wheel build process was spending 4-6 minutes building 
cassandra-driver. The wheel build process usually takes 8-12 minutes, so half 
the time is being spent there.

More digging revealed that cassandra-driver is a dependency of 
python-monascaclient, which is a dependency of heat. The requirements.txt for 
heat drags in all of the clients:

  https://github.com/openstack/heat/blob/master/requirements.txt

We're already doing selective wheel builds and building only the wheels and 
venvs we need for the OpenStack services which are selected for deployment. 
Would it make sense to reduce the OpenStack client list for heat during the 
wheel/venv build? For example, if we're not deploying monasca, should we 
build/venv the python-monascaclient package (and its dependencies)?

I've opened a bug:

  https://bugs.launchpad.net/openstack-ansible/+bug/1745215

--
Major Hayden



Re: [openstack-dev] [kolla] [tripleo] [openstack-ansible] [deployment] Collaboration at PTG

2017-08-17 Thread Major Hayden
On 08/17/2017 09:30 AM, Emilien Macchi wrote:
> If you're working on Kolla / OpenStack-Ansible - please let us know if
> you have specific constraints on the schedule, so we can maybe block a
> timeslot in the agenda from now.
> We'll have a "Packaging" room which is reserved for all topics related
> to OpenStack deployments, so we can use this one.

I don't have any constraints (that I'm aware of), but I'd be interested in 
participating!  Performance in the gate jobs has been one of my tasks lately 
and I'd like to see if we can collaborate there to make improvements without 
ruining infra's day. ;)

As long as you can put up with a few Dad jokes, I'll be there.

--
Major Hayden



Re: [openstack-dev] [openstack-ansible][security] To firewalld, or not to firewalld

2017-08-02 Thread Major Hayden
On 08/02/2017 03:57 AM, Mark Goddard wrote:
> The solution we built used a conf.d/ mechanism layered on top of iptables. An 
> advantage of this approach is that operators or co-resident software stacks 
> could add their own rules to the firewall. AFAIK, this is not generally 
> possible when using iptables-save/restore as it relies on a single 
> configuration file which must be 'owned' by something - in this case 
> presumably OSA.
> 
> I'm not suggesting that you reimplement the solution I've described, but it 
> does outline one benefit of firewalld - OSA would not need to entirely own 
> the firewall configuration.

Thanks for the feedback!  I'm leaning away from firewalld now and looking at 
something a little simpler with iptables.

During a recent IRC meeting someone brought up ferm[0]. They have several 
examples, but the workstation[1] one makes some sense. It would be fairly easy 
to template the ferm DSL files.

[0] http://ferm.foo-projects.org/
[1] http://ferm.foo-projects.org/download/examples/webserver.ferm

--
Major Hayden



Re: [openstack-dev] [OpenStack-Ansible] Not running for Queens PTL

2017-07-31 Thread Major Hayden
On 07/31/2017 04:48 AM, Andy McCrae wrote:
> Following on from last week's meeting - I've had 2 cycles as PTL for OSA, 
> which has been a really great experience - we've achieved a lot and built on 
> the strong base we had, which I'm really proud of. I strongly believe that 
> inviting a fresh perspective and new ideas as PTL is a winning strategy - 
> it's served us well so far, and in line with previous PTLs I won't be 
> standing for a 3rd cycle.
> 
> Looking forward to assisting the next PTL, and helping to continue to mature 
> and improve the project!

We're so thankful that you've put up with us for these past two cycles! :)

You've been a beacon for quality within the project and you've carefully 
fostered a ton of new development within OpenStack-Ansible.  Thanks for your 
efforts!

--
Major Hayden


[openstack-dev] [openstack-ansible][security] To firewalld, or not to firewalld

2017-07-26 Thread Major Hayden
Hey there,

I'm working through some drafts of a spec[0] (rendered[1]) that aims to deploy 
software firewalls within an OpenStack-Ansible deployment. The goal is to 
increase security by restricting lateral movement.

One of the questions that was raised was the method for managing firewall 
rules. The spec lays out a plan for firewalld since it is available in the 
supported operating systems (Ubuntu 16.04, CentOS 7, OpenSUSE 42.x) and it 
allows us to control IPv4/IPv6 rules in the same place.

However, Logan makes a good point about using a jinja template to write 
firewall rules to a file and load that via normal iptables service mechanisms. 
I definitely see merit to that approach, too.

I'd really like feedback from developers/operators of OpenStack-Ansible to 
determine the best method to proceed. Here's what I've come up with so far:

firewalld advantages
--------------------
1) Available in all distributions we support
2) Provides simple commands to interface with firewall rules
3) Manages IPv4/IPv6 iptables rules at the same time

firewalld disadvantages
-----------------------
1) Different distributions have different base rule sets
2) Medium/High complexity rules require --direct, which is like using iptables 
anyway
3) It's another daemon to manage/monitor
4) We wouldn't be able to use firewalld's "zones" very heavily
5) Saving/restoring iptables rules is battle-tested already


[0] https://review.openstack.org/#/c/479415/
[1] http://docs-draft.openstack.org/15/479415/5/check/gate-openstack-ansible-specs-docs-ubuntu-xenial/6a50e01//doc/build/html/specs/pike/software-firewall.html

--
Major Hayden
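
The file-based alternative weighed in this message, sketched as an added example (not code from the spec or from OpenStack-Ansible): one service list is rendered into separate iptables-restore and ip6tables-restore inputs, so IPv4 and IPv6 rules still come from a single place. It uses plain Python string building in place of a Jinja template; the service names, ports and networks are constructed sample values and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample policy: which source networks may reach which service port.
SERVICES = [
    {"name": "galera", "proto": "tcp", "port": 3306,
     "sources": ["172.29.236.0/22", "fd00:236::/64"]},
    {"name": "rabbitmq", "proto": "tcp", "port": 5671,
     "sources": ["172.29.236.0/22"]},
]

SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def validate(service):
    """Reject values that could smuggle extra options or lines into the file."""
    # fullmatch, not match: "$" alone would accept a trailing newline.
    if not SAFE_NAME.fullmatch(service["name"]):
        raise ValueError("unsafe service name: %r" % service["name"])
    if service["proto"] not in ("tcp", "udp"):
        raise ValueError("unsupported protocol: %r" % service["proto"])
    port = service["port"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("bad port: %r" % (port,))
    # Strict parsing raises on typos such as host bits set in a network.
    return [ipaddress.ip_network(src) for src in service["sources"]]


def render_ruleset(services, family):
    """Return iptables-restore (family=4) or ip6tables-restore (family=6) input."""
    icmp = "icmp" if family == 4 else "ipv6-icmp"
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",      # default deny for inbound traffic
        ":FORWARD ACCEPT [0:0]",  # only INPUT is restricted in this sketch
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        # IPv6 neighbor discovery depends on ICMPv6, so it is never dropped.
        "-A INPUT -p %s -j ACCEPT" % icmp,
    ]
    for svc in services:
        for net in validate(svc):
            if net.version != family:
                continue  # a source only appears in the file for its family
            lines.append(
                "-A INPUT -s %s -p %s -m %s --dport %d "
                "-m comment --comment %s -j ACCEPT"
                % (net, svc["proto"], svc["proto"], svc["port"], svc["name"]))
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def render_all(services):
    """Render both address families from the same service list."""
    return {4: render_ruleset(services, 4), 6: render_ruleset(services, 6)}


if __name__ == "__main__":
    for family, text in render_all(SERVICES).items():
        print("# IPv%d ruleset" % family)
        print(text)
```

Each rendered text is what would be written to the distribution's saved-rules file and loaded with iptables-restore or ip6tables-restore.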


Re: [openstack-dev] [openstack-ansible] restrictive umask / file permissions in target hosts

2017-07-26 Thread Major Hayden
On 07/26/2017 07:48 AM, Markus Zoeller wrote:
> To close the loop, I've added a bug report to track this effort:
> https://bugs.launchpad.net/openstack-ansible/+bug/1706595
> 
> TBH, I'm not sure when/if I can work on that. I also don't know how the
> effort prioritization works within the openstack-ansible project.

This is a good start! :)

--
Major Hayden



Re: [openstack-dev] [openstack-ansible] restrictive umask / file permissions in target hosts

2017-07-25 Thread Major Hayden
On 07/25/2017 08:36 AM, Markus Zoeller wrote:
> A short grep in 'openstack-ansible' shows that the file permissions are
> often not set. I used these commands:
> 
> $ grep -n -R "template:" --include \*.yml -A 5
> $ grep -n -R "copy:" --include \*.yml -A 5
> 
> IIUC, we're using 'ansible-lint' for style checks. Does it make sense to
> add a new rule which warns/enforces to set the mode (or group/user)?

I'd definitely be in support of that. We should be as explicit as possible when 
we deploy files and templates.

--
Major Hayden



Re: [openstack-dev] [OpenStack-Ansible] Proposing Markos Chandras for osa-core

2017-07-18 Thread Major Hayden
On 07/18/2017 04:23 AM, Andy McCrae wrote:
> Following on from last week's meeting I'd like to propose Markos (hwoarang) 
> for OSA core.
> 
> Markos has done a lot of good reviews and commits over an extended period of 
> time, and has shown interest in the project as a whole. (Not to mention the 
> addition of SUSE support)
> 
> We already have quite a few +1's from the meeting itself, but opening up to 
> everybody who wasn't available at the meeting!

+1 here!  Anyone that offers to help with the ansible-hardening role is solid 
in my book. ;)

Markos has been doing great work and he's automated quite a few things that we 
used to push around manually. SUSE support has been building out *really* 
quickly, too.

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] restrictive umask / file permissions in target hosts

2017-07-17 Thread Major Hayden
On 07/04/2017 03:54 AM, Markus Zoeller wrote:
> How do you deal with hosts which have a restrictive umask of 077
> *before* openstack-ansible starts the setup? Do you start with the
> default umask of 022 and opt-in later to that security hardening[1]?

We don't test for that in the OpenStack-Ansible gates since those settings from 
openstack-ansible-security/ansible-hardening are disabled by default. It's 
possible to start with 022 and switch to 077 later, but that could cause 
additional problems.

> What's the development policy of openstack-ansible regarding setting
> file or directory permissions in tasks?
> 
> * is a umask value of 022 assumed for tasks to work?

Yes.

> * should tasks always explicitly set the file/dir mode?

They certainly should, and if they don't, we should adjust those tasks. I'd 
rather be as explicit as possible to reduce the chances of problems down the 
road if distribution defaults change.

--
Major Hayden
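
One way to automate the check discussed in this thread, as an added example (not part of the original messages and not an ansible-lint rule): a task-aware version of the `grep ... -A 5` search from the 2017-07-25 message that reports `template:` and `copy:` tasks with no explicit mode, the policy stated in the reply above. It also flags a bare YAML number such as `mode: 440`, which YAML reads as decimal rather than octal. The sample tasks are constructed and all function names are hypothetical.

```python
import re

# Modules named in the thread's grep commands; the optional prefix covers
# the fully qualified spelling of the same modules.
MODULE_RE = re.compile(
    r"^(?P<lead>\s*(?:-\s+)?)(?:ansible\.builtin\.)?"
    r"(?P<mod>template|copy):\s*(?P<rest>.*)$")
NAME_RE = re.compile(r"^\s*(?:-\s+)?name:\s*(.+?)\s*$")
# Matches "mode: X" and inline "mode=X", but not "directory_mode".
MODE_RE = re.compile(r"\bmode\s*(?P<sep>[:=])\s*(?P<val>[^\s,}]+)")

# Constructed sample tasks file.
SAMPLE = """\
---
- name: Drop nova.conf
  template:
    src: nova.conf.j2
    dest: /etc/nova/nova.conf
    owner: nova
    group: nova
    mode: "0640"
  notify: Restart nova

- name: Drop policy file
  copy:
    src: policy.json
    dest: /etc/nova/policy.json
    owner: root

- name: Drop sudoers entry
  copy:
    src: nova_sudoers
    dest: /etc/sudoers.d/nova_sudoers
    mode: 440

- name: Drop wrapper script
  template: src=wrapper.sh.j2 dest=/usr/local/bin/wrapper mode=0755
"""


def indent(line):
    return len(line) - len(line.lstrip(" "))


def key_column(line):
    """Column of the first key character, counting a leading '- ' as indent."""
    return len(re.match(r"\s*(?:-\s+)?", line).group(0))


def task_name(lines, idx, col):
    """Look upwards for a sibling 'name:' key, stopping at the task's first line."""
    for j in range(idx, -1, -1):
        if key_column(lines[j]) != col:
            continue
        m = NAME_RE.match(lines[j])
        if m:
            return m.group(1).strip("\"'")
        if lines[j].lstrip().startswith("- "):
            break
    return "(unnamed)"


def find_unset_modes(text):
    """Return (line, module, task name, problem) for each risky task."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = MODULE_RE.match(line)
        if not m:
            continue
        col = len(m.group("lead"))
        # Arguments are the inline text plus every deeper-indented line.
        args = [m.group("rest")]
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if indent(nxt) <= col:
                break
            args.append(nxt)
        mode = MODE_RE.search("\n".join(args))
        if mode is None:
            problem = "mode not set"
        elif (mode.group("sep") == ":" and mode.group("val").isdigit()
              and not mode.group("val").startswith("0")):
            # A bare YAML integer without a leading zero is read as decimal.
            problem = "unquoted mode without leading zero"
        else:
            continue
        findings.append(
            (i + 1, m.group("mod"), task_name(lines, i, col), problem))
    return findings


if __name__ == "__main__":
    for lineno, module, name, problem in find_unset_modes(SAMPLE):
        print("line %d: %s task '%s': %s" % (lineno, module, name, problem))
```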



Re: [openstack-dev] [openstack-ansible][security] Rename openstack-ansible-security role?

2017-05-31 Thread Major Hayden
On 05/23/2017 12:23 PM, Major Hayden wrote:
> I'll see if we can move forward with 'ansible-hardening' and keep everyone 
> updated! :)

The repo is up and ready to go:

  https://github.com/openstack/ansible-hardening

There are some patches proposed to get the 'openstack-ansible-security' 
references changed to 'ansible-hardening'.

--
Major Hayden


Re: [openstack-dev] [openstack-ansible][security] Rename openstack-ansible-security role?

2017-05-23 Thread Major Hayden
On 05/17/2017 12:25 PM, Major Hayden wrote:
> So my questions are:
> 
>   1) Should the openstack-ansible-security role be
>  renamed to alleviate confusion?
> 
>   2) If it should be renamed, what's your suggestion?

Thanks for all of the feedback!  Everyone seems to agree that a rename would be 
helpful to reduce confusion.

Here are the suggested names (in no particular order):

  - ansible-host-security
  - ansible-security
  - ansible-hardening
  - linux-ansible-security
  - ansible-host-hardening
  - ansible-server-security

I'm a sucker for short names, and 'ansible-hardening' is pretty brief. It also 
explains what the role does: Ansible that does hardening.  Also, a quick check 
of Google and GitHub doesn't come up with any matches.

I'll see if we can move forward with 'ansible-hardening' and keep everyone 
updated! :)

--
Major Hayden


Re: [openstack-dev] [glance][openstack-ansible] Moving on

2017-05-19 Thread Major Hayden
On 05/18/2017 10:55 PM, Steve Lewis wrote:
> It is clear to me now that I won't be able to work on OpenStack as a part of 
> my next day job, wherever that ends up being. As such, I’ll no longer be able 
> to invest the time and energy required to maintain my involvement in the 
> community. It's time to resign my role as a core reviewer, effective 
> immediately.
> 
> Thanks for all the fish.

You will definitely be missed, Steve!  Thanks for everything you've done so far 
and for helping so many of us level up along the way. :)

--
Major Hayden



[openstack-dev] [openstack-ansible] Need a new owner for the Thursday meeting

2017-03-28 Thread Major Hayden
Hey folks,

My responsibilities at work are changing slightly and I need to find a new 
owner for Thursday's OpenStack-Ansible weekly meeting[0]. I'll still be working 
with OpenStack-Ansible on a regular basis, but my calendar is a disaster on 
most Thursdays. ;)

If you're new to running meetings and you want some tips on how to run a good 
meeting, please let me know.  I'll be happy to do some brief training!

Thanks!

[0] https://wiki.openstack.org/wiki/Meetings/openstack-ansible

--
Major Hayden


[openstack-dev] [openstack-ansible] Monitoring script framework PoC

2017-03-01 Thread Major Hayden
Hey there,

One of the items discussed at the PTG[0] was the creation of some monitoring 
scripts in a framework that could monitor various OpenStack services, support 
services (RabbitMQ/Galera/etc), and some system basics. There's a spec 
proposed[1] that discusses the work in detail.

I've created a PoC repository[2] to demonstrate what the framework might look 
like.  It uses the 'click' Python module to automatically bring in new plugins 
and implement them into the framework.  This has some nice benefits:

  1) Minimal code to write to add a new check
  2) Minimal tests to write to add a new check
  3) All of the output formatting is handled/tested in the framework
  4) Argument/option handling is done in the framework

Kevin already dropped by and made a PR to improve some of the dynamic importing 
that makes the code easier to read.  I'd really love to get some feedback on it 
and see if it's useful for others.

[0] https://etherpad.openstack.org/p/osa-ptg-pike-monitoring
[1] https://review.openstack.org/#/c/436498/
[2] https://github.com/major/monitorstack

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] So long, farewell, auf wiedersehen

2017-02-22 Thread Major Hayden
On 02/22/2017 11:48 AM, Truman, Travis wrote:
> I’ve very much enjoyed being part of the OpenStack community over the past 14 
> months. My time in the OpenStack-Ansible community has been one of the most 
> rewarding experiences of my career. However, my career is changing directions 
> and I’ll no longer be able to invest the time and energy required to maintain 
> my involvement in the community.

Thanks for all you've done for the project and for all you've done for the 
OpenStack-Ansible community members, too.  We wish you the best in your future 
endeavors! :)

--
Major Hayden



Re: [openstack-dev] [ansible]Octavia ansible script

2017-02-07 Thread Major Hayden
On 02/07/2017 12:00 AM, Santhosh Fernandes wrote:
> Can we know the status of octavia ansible script ?
> 
> Link :- https://blueprints.launchpad.net/~german-eichberger 
> <https://blueprints.launchpad.net/%7Egerman-eichberger>
> 
> Is there any version available for beta testing. Can you provide us link? or 
> time line of availability.

Hello Santhosh,

Although I drafted the spec[0], German Eichberger has taken over the work on 
the WIP patchset[1].  He would be the best person to discuss timelines and 
remaining work to be done.

[0] http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/lbaasv2.html
[1] https://review.openstack.org/#/c/417210/

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] Propose Marc Gariepy as core reviewer

2017-02-03 Thread Major Hayden
+1

Anyone who gets into the SELinux trenches with me that many times is
worth having as a core. ;)

--
Major Hayden


On Fri, Feb 3, 2017 at 7:33 AM, Jesse Pretorius
<jesse.pretor...@rackspace.co.uk> wrote:
> I’d like to propose Marc Gariepy [1] as a core reviewer for
> OpenStack-Ansible. His tireless effort to get CentOS as a supported platform
> in the last two cycles is getting very close to completion, and I feel that
> it’s important that he’s able to safeguard this work and help grow the
> maintenance community for it.



Re: [openstack-dev] [requirements][ffe] Jinja2 2.9.5 upper constraint

2017-01-30 Thread Major Hayden
On 01/30/2017 02:38 PM, Doug Hellmann wrote:
> If we only update the constraint list, it would not be safe to
> release something that relied on the features in the newer version,
> because our minimum version in the global requirements list will
> then be wrong.

I've gone ahead and abandoned the patch for now. It's not critical at the 
moment and 2.8.1 should be acceptable for Ocata.

Thanks, though!

--
Major Hayden


[openstack-dev] [requirements][ffe] Jinja2 2.9.5 upper constraint

2017-01-30 Thread Major Hayden
Hello there,

I just submitted a patch[0] to bump Jinja2's upper constraint to 2.9.5.

We previously set the upper constraint to 2.8.1[1] when a change appeared that 
broke Ansible. The bug caused the `groupby` filter to return a namedtuple and 
it was fixed later in 2.9.5, which was released[2] two days ago.  Other than 
that bug, the 2.9.0-2.9.4 releases worked fine.

Version 2.9.5 also contains two new tests[3] which are very helpful for the 
openstack-ansible-security role.

Would it be possible to get the upper constraint for Jinja2 changed for Ocata?  
Thanks!

[0] https://review.openstack.org/#/c/426857/
[1] https://review.openstack.org/#/c/418494/
[2] https://github.com/pallets/jinja/releases/tag/2.9.5
[3] https://github.com/pallets/jinja/pull/624

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] Proposing Amy Marrich for core

2017-01-27 Thread Major Hayden
On 01/27/2017 08:29 AM, Alexandra Settle wrote:
> I would like to propose Amy Marrich for the core team for OpenStack-Ansible.

+3.14

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] Ocata deployed on CentOS 7!

2017-01-19 Thread Major Hayden
On 01/19/2017 10:19 AM, Ian Cordasco wrote:
>> I believe this is more about supporting folks who want to run on
>> Centos/RHEL, rather than a step to removing Ubuntu support.
> That's also correct. OpenStack-Ansible is attempting to support
> multiple distros at the same time. =)

Correct!  The Ocata release of OpenStack-Ansible will certainly support Ubuntu 
16.04 as the primary OS, but there is a subset of us who are trying to get it 
working well on CentOS 7 as well. ;)

--
Major Hayden



Re: [openstack-dev] [openstack-ansible] Ocata deployed on CentOS 7!

2017-01-19 Thread Major Hayden
On 01/19/2017 10:04 AM, Adam Heczko wrote:
> BTW are you implying that Ubuntu LTS is unstable or not stable enough to run 
> OpenStack?
> I think that it would be valuable if you could share more details in this 
> regard, point to Ubuntu specific bugs etc.

Hey Adam,

One of the bigger issues (as Ian noted) is a performance regression[0] that 
seems to impact Ansible[1] heavily. That one is being worked now.

I have a scratch sheet of some things that are broken in 16.04.1 that I still 
need to open bugs for:

  * Xenial installer fails if server is UEFI capable, but
    the installer is run in legacy mode

  * 14.04 to 16.04 upgrades on UEFI capable servers fail if
    14.04 was installed in legacy/BIOS mode

  * systemd-networkd 229 has a bug where bridges can't have a
    VLAN interface attached

  * Kernel panics on Dell PowerEdge R710 when the server is fairly
    loaded with LXC containers

I'm still working on reducing some of these bugs down into something tangible 
but I hope to do that soon.

[0] https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1638695
[1] https://bugs.launchpad.net/openstack-ansible/+bug/1637494
 
--
Major Hayden



[openstack-dev] [openstack-ansible] Ocata deployed on CentOS 7!

2017-01-19 Thread Major Hayden
Hey folks,

Our multi-os work has paid off and I was able to wrap up a CentOS 7 deployment 
of OpenStack-Ansible's master branch yesterday. My environment only has four 
physical servers, so I deployed the basics:

  - keystone
  - nova
  - glance
  - neutron
  - heat
  - horizon
  - galera/rabbitmq/memcached/rsyslog

I did run into a few bugs and I'm working through those.  SELinux is currently 
in permissive mode[1], which isn't ideal.

There's more to come, but this is looking great so far.  The stability of 
CentOS 7 over Ubuntu 16.04 is certainly welcomed. ;)

[1] I'VE BEEN TROLLED THOROUGHLY ABOUT THIS ALREADY. SERIOUSLY. I'M WORKING ON 
IT! SHEESH!

--
Major Hayden



Re: [openstack-dev] [openstack-ansible] Can someone run tomorrow's (2016-01-12) meeting for me?

2017-01-11 Thread Major Hayden
On 01/11/2017 10:08 AM, Alexandra Settle wrote:
> I can run the meeting tomorrow ☺

Thanks so much, Alex! :)

--
Major Hayden



[openstack-dev] [openstack-ansible] Can someone run tomorrow's (2016-01-12) meeting for me?

2017-01-11 Thread Major Hayden
Hey folks,

A conflict came up and I won't be available to run tomorrow's weekly meeting in 
IRC. Would someone else be able to take over this meeting for me?

--
Major Hayden



Re: [openstack-dev] STIG Tools

2017-01-09 Thread Major Hayden
On 01/09/2017 11:07 AM, Ian Cordasco wrote:
>> I am new to the STIG hardening process and wanted to see if there was a
>> standard way to diff between releases (RHEL STIG 7 draft 0.2 and 0.3 for
>> example) or between RHEL 5 and 6 or something. Obviously the reason for
>> this is too quickly check / implement the diff instead of going through the
>> whole STIG again.
> Hi Joel,
> 
> I'm not sure you meant to send this to the OpenStack mailing list, but
> in case you did, I don't know of a good way of doing that. That said,
> there is at least one project that attempts to automate it for you
> (openstack-ansible-security). I've CC'd one of the cores to grab their
> attention in case they can help you.

Hello Joel,

(Thanks for making the connection, Ian!)

The openstack-ansible-security role has support for the RHEL 7 STIG (version 
0.2) and I'll be doing my best to keep that updated going forward. The repo has 
a parser in it that generates documentation metadata from the giant STIG XML 
file. That should allow us to closely track any changes coming from the STIG. 
The security role would be updated when that occurs and proper release notes 
will be provided.

Here are some helpful links:

  https://github.com/openstack/openstack-ansible-security
  http://docs.openstack.org/developer/openstack-ansible-security/

If you'd like to talk on IRC, hop into #openstack-ansible and find me (mhayden).

--
Major Hayden
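
One way to diff two STIG releases, as asked in the question quoted above. This is an added example, not code from openstack-ansible-security or from anyone in this thread. It assumes the STIG is published as XCCDF XML in which each Rule carries its STIG ID in a <version> child; the two embedded benchmarks and their EXAMPLE-07-* IDs are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample data (not real STIG content): two revisions of a tiny
# XCCDF-style benchmark. IDs, titles and fix text are invented for the example.
NS = 'xmlns="http://checklists.nist.gov/xccdf/1.1"'
OLD_XML = f"""<Benchmark {NS} id="EXAMPLE_STIG">
 <Group id="V-0001"><Rule id="SV-0001r1_rule" severity="medium">
  <version>EXAMPLE-07-000010</version>
  <title>The SSH daemon must not permit root logins.</title>
  <check><check-content>Check PermitRootLogin in sshd_config.</check-content></check>
  <fixtext>Set PermitRootLogin to no.</fixtext>
 </Rule></Group>
 <Group id="V-0002"><Rule id="SV-0002r1_rule" severity="low">
  <version>EXAMPLE-07-000020</version>
  <title>The audit service must be running.</title>
  <fixtext>Enable and start auditd.</fixtext>
 </Rule></Group>
 <Group id="V-0003"><Rule id="SV-0003r1_rule" severity="medium">
  <version>EXAMPLE-07-000030</version>
  <title>The telnet server must not be installed.</title>
  <fixtext>Remove the telnet-server package.</fixtext>
 </Rule></Group>
</Benchmark>"""
NEW_XML = f"""<Benchmark {NS} id="EXAMPLE_STIG">
 <Group id="V-0001"><Rule id="SV-0001r2_rule" severity="high">
  <version>EXAMPLE-07-000010</version>
  <title>The SSH daemon must not permit root logins.</title>
  <check><check-content>Check PermitRootLogin
     in sshd_config.</check-content></check>
  <fixtext>Set PermitRootLogin to no and restart sshd.</fixtext>
 </Rule></Group>
 <Group id="V-0002"><Rule id="SV-0002r1_rule" severity="low">
  <version>EXAMPLE-07-000020</version>
  <title>The audit service must be running.</title>
  <fixtext>Enable and start auditd.</fixtext>
 </Rule></Group>
 <Group id="V-0004"><Rule id="SV-0004r1_rule" severity="medium">
  <version>EXAMPLE-07-000040</version>
  <title>The firewall service must be active.</title>
  <fixtext>Enable and start firewalld.</fixtext>
 </Rule></Group>
</Benchmark>"""

# Fields compared between releases; the Rule id is left out on purpose because
# its revision suffix (r1, r2, ...) changes whenever anything else does.
FIELDS = ("severity", "title", "check", "fixtext")


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    """Collapse whitespace so re-wrapped text does not register as a change."""
    return " ".join("".join(elem.itertext()).split())


def parse_rules(xml_text):
    """Return {stig_id: record} for every Rule element in an XCCDF document."""
    # xml.etree is not hardened against malicious XML; only feed it benchmark
    # files obtained from the publisher.
    rules = {}
    for rule in ET.fromstring(xml_text).iter():
        if _local(rule.tag) != "Rule":
            continue
        record = {"rule_id": rule.get("id", ""), "severity": rule.get("severity", "")}
        for child in rule:
            name = _local(child.tag)
            if name in ("version", "title", "check", "fixtext"):
                record[name] = _text(child)
        rules[record.get("version") or record["rule_id"]] = record
    return rules


def diff_rules(old, new):
    """Compare two parse_rules() results keyed by STIG ID."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for stig_id in sorted(set(old) & set(new)):
        fields = [f for f in FIELDS if old[stig_id].get(f, "") != new[stig_id].get(f, "")]
        if fields:
            changed[stig_id] = fields
    return {"added": added, "removed": removed, "changed": changed}


def format_report(diff):
    """Render the diff as one line per control that needs attention."""
    lines = [f"added:   {s}" for s in diff["added"]]
    lines += [f"removed: {s}" for s in diff["removed"]]
    lines += [f"changed: {s} ({', '.join(f)})" for s, f in diff["changed"].items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_rules(parse_rules(OLD_XML), parse_rules(NEW_XML))))
```

Only the controls listed in the report need a fresh review; a wholesale renumbering between STIG generations would instead show up as every ID removed and every ID added.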



[openstack-dev] [openstack-ansible][security] Need reviewers/testers for new STIG content

2016-12-08 Thread Major Hayden
Hey there,

All of the patches for the 236 STIG controls in the RHEL 7 beta STIG are merged 
or under review in the openstack-ansible-security[0] role!

Here's what you need to know:

  * The original RHEL6 STIG content is still in place.
  * The new RHEL7 STIG content is going into tasks/rhel7stig/
  * The RHEL7 STIG tasks only support Ubuntu 16.04 (Xenial),
    CentOS 7, and Red Hat Enterprise Linux 7.
  * The RHEL6 STIG content will likely be removed in P/Q

Now to my request: I'm in need of reviewers and testers. ;)

TESTERS
-------

If you're interested in testing, spin up a new VM or find a test server.  Clone 
the repository and run the tests:

  git clone https://github.com/openstack/openstack-ansible-security
  cd openstack-ansible-security
  tox -e func_rhel7

The server should still be totally functional after running the tests.  If the 
playbook stops for any reason, displays an error, or has confusing output, 
please file a bug[1].  Also, if something isn't working right on your system 
after the playbook finishes, file a bug for that as well.

REVIEWERS
---------

If you're interested in reviewing, please take a look at the queue of 
patches[2].  I've tried my best to break up the patches into the smallest 
pieces possible so that they're easier to review.

THANKS!
-------

Thanks to everyone who has helped make this role a success with patches, 
reviews, testing, and general encouragement. ;)

--
Major Hayden

[0] https://github.com/openstack/openstack-ansible-security
[1] https://launchpad.net/openstack-ansible/+filebug
[2] https://review.openstack.org/#/q/project:openstack/openstack-ansible-security+status:open


Re: [openstack-dev] [osa] [docs] OpenStack-Ansible deploy guide live!

2016-11-30 Thread Major Hayden
On 11/30/2016 09:03 AM, Alexandra Settle wrote:
> I am really pleased to announce that the OpenStack-Ansible Deployment Guide 
> is now available on the docs.o.o website! You can view it in all its glory 
> here: http://docs.openstack.org/project-deploy-guide/newton/
> 
> This now paves the way for many other deployment projects to publish their 
> deployment guides on the docs.o.o website, under “Deployment Guides” 
> <http://docs.openstack.org/> and gain more visibility.
> 
> Any questions about this effort, feel free to contact me directly :)

Awesome!  Great work by everyone involved. ;)

--
Major Hayden



Re: [openstack-dev] [openstack-ansible] Debugging slow Xenial gate

2016-11-10 Thread Major Hayden
On 11/02/2016 08:51 AM, Major Hayden wrote:
> At this point, I'm still trying to test some additional theories. Does anyone 
> have any other ideas?

Here's an update for today.  There are a few bugs open now:

  OpenStack-Ansible bug: https://bugs.launchpad.net/openstack-ansible/+bug/1637494
  Ubuntu python2.7 bug: https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1638695

The suggestion from the python2.7 bug is to compile python 2.7.12 with gcc-4.8 
on 16.04 to see if the performance issue is related to GCC.  I haven't had a 
chance to test that out yet, but if someone else has a moment to try it, I'd be 
much obliged. ;)

There is also a private bug opened with Canonical that has been escalated as 
part of my company's support contract with Canonical.  I'll provide relevant 
updates from that bug when I get them.

--
Major Hayden





Re: [openstack-dev] [openstack-ansible] Debugging slow Xenial gate

2016-11-02 Thread Major Hayden
On 10/28/2016 04:02 AM, Major Hayden wrote:
> On the topic of threads, the sysbench output from both Trusty and Xenial are 
> nearly identical with the exception of threads.  Trusty is usually about 
> 15-20% faster on that benchmark than Xenial.

I spoke with a few other people and it seems like the culprit could be a CPU 
scheduler difference and/or a glibc change.  After messing around with perf for 
a long time, I found that context switches and CPU migrations were slightly 
higher on Xenial than Trusty, but by a negligible amount (< 10% at worst).

I tossed up a horribly written hack[0] to change some CPU scheduler settings 
back to the Trusty settings.  My initial tests were great!  Also, the first 
test in OpenStack CI was really good --  62 minutes for trusty and 65 minutes 
for xenial.  However, that seems to be a fluke since the second test had a 30 
minute gap between the test durations. :(

Those scheduler changes for busy_factor, min_interval, and max_interval appear 
to have been made in the upstream Linux kernel, and they're present on various 
distributions like Ubuntu, CentOS, and Fedora.

At this point, I'm still trying to test some additional theories. Does anyone 
have any other ideas?

[0] https://review.openstack.org/392316

--
Major Hayden





[openstack-dev] [openstack-ansible][octavia] Spec: Deploy Octavia with OpenStack-Ansible

2016-11-02 Thread Major Hayden
Hey folks,

I drafted a spec yesterday for deploying Octavia with OpenStack-Ansible.  The 
spec review[0] is pending and you can go straight to the rendered version[1] if 
you want to take a look.

We proposed this before in the Liberty release, but we ended up implementing 
only LBaaSv2 with the agent-based load balancers.  Octavia has come a long way 
and is definitely ready for use in Newton/Ocata.

Most of the spec is fairly straightforward, but there are still two open 
questions that may need to be answered in the implementation steps:

1) Do we generate the amphora (LB) image on the fly
   with DIB with each deployment? Or, do we pre-build
   it and download it during the deployment?

It might be easier to use DIB in the development stages and then figure out a 
cached image solution as the role becomes a little more mature.

2) Do we want to implement SSL offloading (Barbican
   is required) now or tackle that later?

I'd lean towards deploying Octavia without SSL offloading first, and then add 
in the Barbican support afterwards.  My gut says it's better to get the basic 
functionality working well first before we begin adding on extras.

Your feedback is definitely welcomed! :)

[0] https://review.openstack.org/392205
[1] http://docs-draft.openstack.org/05/392205/2/check/gate-openstack-ansible-specs-docs-ubuntu-xenial/8f1eec1//doc/build/html/specs/ocata/octavia.html

--
Major Hayden





[openstack-dev] [openstack-ansible] Team photo from Barcelona

2016-10-28 Thread Major Hayden
Hey there,

Monty was kind enough to take a photo of some of the OpenStack-Ansible team 
members at the OpenStack Summit in Barcelona.  Here's a link to the photo:

  http://i.imgur.com/5wOOAhe.jpg

--
Major Hayden





Re: [openstack-dev] [openstack-ansible] Debugging slow Xenial gate

2016-10-28 Thread Major Hayden
On 10/28/2016 10:17 AM, Major Hayden wrote:
>> Also, when running the tests on both systems, track cpu usage and number
>> of threads to see if one has more restrictions than the other.
> Almost no difference here.

On the topic of threads, the sysbench output from both Trusty and Xenial are 
nearly identical with the exception of threads.  Trusty is usually about 15-20% 
faster on that benchmark than Xenial.

That leads me to rule out a few things:

  1) It's probably not python that is slow since it affects sysbench, too
  2) The kernel version doesn't seem to make a difference
  3) The way python was compiled doesn't matter (I tried pyenv)
  4) Kernel tunables (via sysctl) look very similar, especially with regard to
     threads

I also ran the full suite of tests from nova and got these results:

  Trusty: 375 seconds
  Xenial: 531 seconds
 
--
Major Hayden





Re: [openstack-dev] [openstack-ansible] Debugging slow Xenial gate

2016-10-28 Thread Major Hayden
On 10/28/2016 01:44 AM, Mike Carden wrote:
> I bounced this off my 'distro differences' go-to guy, Chris Smart. Here are 
> his thoughts:
> 
> "Run the 14.04 kernel on 16.04 system and re-run the tests to see if it's
> kernel related.
> 
> If 16.04 userland with 14.04 kernel is as fast as Ubuntu 14.04, then
> compare the kernel .config files to see if there were major changes,
> like switching out schedulers.

14.04 with 16.04's kernel is actually just a small amount (~ 3-5%) faster than 
14.04 with its standard kernel.

> Also, when running the tests on both systems, track cpu usage and number
> of threads to see if one has more restrictions than the other.

Almost no difference here.

> Check swappiness and also "vmstat 1" to see if you're getting more pages
> swapped in and out in 16.04.

No difference here, either.

> I'm assuming that the two virtual machines are identical (CPU type, memory,
> threads, virtio, etc)."

They are!  We've seen this occur in the OpenStack CI jobs (with KVM), and I've 
also tested this with Xen and bare metal.

--
Major Hayden





[openstack-dev] [openstack-ansible] Debugging slow Xenial gate

2016-10-27 Thread Major Hayden
Hey there,

We've talked about the slow Xenial gate during the OpenStack Summit this week 
and I decided to do a little digging.  I built two quick test instances: one 
with Trusty and the other with Xenial.

Trusty comes with python 2.7.6 and Xenial has 2.7.12.  Here are the initial 
comparisons:

  https://gist.github.com/major/20d7d11442685355c30d0abf0c07be98

The worst test shows that 2.7.12 on Xenial is 1.88 slower than 2.7.6 on Trusty. 
Wow.

I compiled 2.7.12 from source on Xenial to see if it's a packaging issue, but 
that didn't change anything much.  I then compiled 2.7.12 on 14.04 and found it 
to be slightly slower than 2.7.6 on 14.04, but faster than 2.7.12 on 16.04.  
That's confusing, so here's a ranking from fastest to slowest performance:

1) 2.7.6 on Ubuntu 14.04 (fastest)
2) 2.7.12 compiled from source on Ubuntu 14.04 (a little slower than #1)
3) 2.7.12 compiled from source on Ubuntu 16.04 (slightly faster than #4)
4) 2.7.12 on Ubuntu 16.04 (significantly slower than #1)

It's evident that 2.7.12 is a little bit slower, but something in Ubuntu 16.04 
makes it much worse.  I checked sysctl settings and the only big difference was 
the max threads per process (16.04 was about half of 14.04).  I set them both 
to the same value but the performance testing didn't change.

Does anyone else have any ideas of what might be causing this?

--
Major Hayden





[openstack-dev] [openstack-ansible] What's Happening in OpenStack-Ansible (WHOA) - September 2016

2016-09-30 Thread Major Hayden
Hey there,

The September edition of the What's Happening in OpenStack-Ansible (WHOA) 
report is here!

  https://major.io/2016/09/30/whats-happening-in-openstack-ansible-whoa-september-2016/

The report includes the latest developments in Liberty, Mitaka, and Newton 
along with some news about OpenStack-Ansible training from Hastexo!

Previous reports are always available via the 'whoa' tag:

  https://major.io/tag/whoa/

Please send over any feedback you have.  I wish everyone safe travels to 
Barcelona in a few weeks! :)

--
Major Hayden





Re: [openstack-dev] [security] [salt] Removal of Security and OpenStackSalt project teams from the Big Tent

2016-09-21 Thread Major Hayden
On 09/21/2016 05:17 AM, Rob C wrote:
> Apart from missing elections, I think we do a huge amount for the community 
> and removing us from OpenStack would in no way be beneficial to either the 
> Security Project or OpenStack as a whole.

I definitely agree with Rob here and I support keeping the Security team in the 
big tent.

Although I'm not an active contributor there (but I want to be), I've joined 
some of their meetings and they've provided guidance on some of the work I've 
done with OpenStack-Ansible's (OSA) security hardening role.  The OSSNs they 
produce are helpful and the information contained within them is used when we 
improve OSA.  The Security Guide is also extremely useful for deployers who 
need advice on configuring OpenStack in a secure way.

--
Major Hayden





[openstack-dev] [openstack-ansible] What's Happening in OpenStack-Ansible (WHOA) - August 2016

2016-08-24 Thread Major Hayden
Hey there,

The August edition of the What's Happening in OpenStack-Ansible (WHOA) report 
is here!

  https://major.io/2016/08/23/whats-happening-in-openstack-ansible-whoa-august-2016/

Yesterday's report covers the OpenStack-Ansible mid-cycle meeting, the latest 
releases, and links to detailed changes in each release.  Previous reports are 
always available here:

  https://major.io/tag/whoa/

Did you see something in the report you want to know more about?  Is there 
something missing that should have been included?  I love feedback -- send me 
some! :)

--
Major Hayden


Re: [openstack-dev] [openstack-ansible][security] Adding RHEL 7 STIG to openstack-ansible-security

2016-08-18 Thread Major Hayden
On 08/18/2016 11:26 AM, Hooper, Mark (Nokia - US) wrote:
> This makes perfect sense and will fit well into the work my team is already 
> doing on RHEL7 STIG hardening and will allow us to easily upstream our work.

Thanks for the input, Mark! :)

--
Major Hayden


Re: [openstack-dev] [openstack-ansible][security] Adding RHEL 7 STIG to openstack-ansible-security

2016-08-12 Thread Major Hayden
On 08/04/2016 12:45 PM, Major Hayden wrote:
> The existing openstack-ansible-security role uses security configurations 
> from the Security Technical Implementation Guide (STIG) and the new Red Hat 
> Enterprise Linux 7 STIG is due out soon.  The role is currently based on the 
> RHEL 6 STIG, and although this works quite well for Ubuntu 14.04, the RHEL 7 
> STIG has plenty of improvements that work better with Ubuntu 16.04, CentOS 7 
> and RHEL 7.

I've gone ahead and proposed a spec for these changes here:

  https://review.openstack.org/#/c/354389/

--
Major Hayden


[openstack-dev] [openstack-ansible][security] Adding RHEL 7 STIG to openstack-ansible-security

2016-08-04 Thread Major Hayden
Hey there,

The existing openstack-ansible-security role uses security configurations from 
the Security Technical Implementation Guide (STIG) and the new Red Hat 
Enterprise Linux 7 STIG is due out soon.  The role is currently based on the 
RHEL 6 STIG, and although this works quite well for Ubuntu 14.04, the RHEL 7 
STIG has plenty of improvements that work better with Ubuntu 16.04, CentOS 7 
and RHEL 7.

I'd like to make the following changes around which STIG is applied to each OS:

  * RHEL 6 STIG
    - Ubuntu 14.04
  * RHEL 7 STIG
    - Ubuntu 16.04
    - CentOS 7
    - RHEL 7

Challenges
----------

There are a few challenges to rebasing the role on the RHEL 7 STIG:

  * All of the configurations have been renumbered in the new STIG
  * Many of the new configurations have no overlap with the RHEL 6 STIG
  * Users of the role on CentOS 7 / Ubuntu 16.04 will have different
    configurations applied than they did previously
  * The Newton deadline is rapidly approaching

I have a couple of ideas on how to implement this:

Idea #1: Update what exists today
---------------------------------
This would keep the same role structure as it stands right now and it would 
intermingle RHEL 6/7 STIGs in the same tasks.  Some tasks are identical between 
both STIGs, but some are different.  It's nice because it's less of an overall 
change, but it could get messy with lots of 'when' statements all over the 
place.

Idea #2: Put a fork in the road
-------------------------------
This would involve restructuring the role so that there's a big fork in 
main.yml. The structure might look something like this:

  /main.yml
  /rhel6/main.yml
  /rhel6/auth.yml
  /rhel6/audit.yml
  /rhel6/...
  /rhel7/main.yml
  /rhel7/auth.yml
  /rhel7/audit.yml

Note that the 'rhel6' directory would contain RHEL 6 STIG content for Ubuntu 
14.04 while the 'rhel7' directory would contain RHEL 7 content for Ubuntu 
16.04, CentOS 7 and RHEL 7.  The root 'main.yml' would have an include line 
that would check the OS and include the correct main.yml from the 'rhel6' or 
'rhel7' directory.

This would involve more changes, and possibly a little bit of repeated tasks 
between the two STIGs.  However, it should be cleaner and easier to maintain.  
When support for Ubuntu 14.04 needs to be removed, the 'rhel6' directory could 
be dropped entirely.

Requested feedback
------------------
I'd really like to hear feedback from users, especially those who use this role 
on a regular basis.  Here are my questions:

1) Which plan makes the most sense?
2) Is there another idea that makes more sense than these two?

Thanks in advance for your help!  I plan to put a spec together once I get some 
feedback.

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] Project Mascot

2016-07-21 Thread Major Hayden
On 07/17/2016 10:48 PM, Carter, Kevin wrote:
> A little out of band from the meeting but maybe an "Osa Eucharitid" [
> http://www.petsfoto.com/insect-world/#foobox-1/0/Insect-Life1.jpg ]?
> 
> However the Cape Buffalo would be good too.

Join in the discussion in the Etherpad:

  https://etherpad.openstack.org/p/osa-mascot

--
Major Hayden



Re: [openstack-dev] [openstack-ansible] Nominating Jean-Philippe Evrard for core in openstack-ansible and all openstack-ansible-* roles

2016-07-18 Thread Major Hayden
On 07/12/2016 01:33 PM, Truman, Travis wrote:
> Jean-Philippe has been providing great code reviews and patches for some 
> time. His recent commitment to running bug triage every week shows his 
> willingness to step up and take responsibilities within the community. He’s 
> also found an opportunity to innovate by introducing an improved bug triage 
> process. He can often be found in #openstack-ansible as *evrardjp* providing 
> support to deployers in a welcoming and friendly manner.

Count me as a +1 for JP. He's doing excellent work.

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] OpenStack-Ansible and Open vSwitch

2016-07-06 Thread Major Hayden
On 07/06/2016 06:52 AM, Truman, Travis wrote:
> Please find the post here:
> http://trumant.github.io/openstack-ansible-openvswitch.html
> 
> I hope others find this useful and that it may serve as a good reference
> point when the community begins building scenario-based documentation.

Thanks for writing this, Travis!  It's really easy to follow along and I plan 
to give this a run-through in the lab in the next week or two. :)

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] Change of default database collation

2016-06-24 Thread Major Hayden
On 06/24/2016 12:07 AM, Jimmy McCrory wrote:
> The question then comes to how to best handle upgrades from Mitaka to Newton.
> Any input for the current proposal[3] from anyone that may have experience 
> with any project's database migration scripts, or MySQL-based databases in 
> general, would be appreciated.

Your proposal looks fine, and from what I read, it seems like the difference 
between utf8_unicode and utf8_general is mainly around sorting Unicode 
characters.  Then again, I'm no collation/unicode expert, so I'll gladly defer 
to anyone with more experience there. ;)

Do we know if a change from utf8_unicode_ci to utf8_general_ci will change data 
in the database?  If it doesn't, I'd imagine that a wholesale conversion to 
utf8_general_ci (as you've proposed in 333733) would be just fine.  There are 
some small performance concerns documented[1], but they don't look huge.

[1] http://stackoverflow.com/questions/766809/whats-the-difference-between-utf8-general-ci-and-utf8-unicode-ci

--
Major Hayden


[openstack-dev] [openstack-ansible] What's Happening in OpenStack-Ansible - June 2016

2016-06-16 Thread Major Hayden
Hello there,

One of the feedback items that came out of the OpenStack Summit in Austin was 
around the constant stream of changes throughout OpenStack-Ansible and how to 
best keep up with them. That could be said about OpenStack in general as well, 
but I decided to take some action and make these changes easier to understand 
and digest.

Hugh Blemings started his "Last Week on openstack-dev" last year and I found 
myself reading it each week to keep up with some of the bigger developments. I 
borrowed Hugh's strategy and format to create the "What's Happening in 
OpenStack-Ansible" (also called the "WHOA") report.

I will publish this report monthly (somewhere in the middle of the month) on my 
blog. If you find anything that belongs in the report, feel free to let me know!

Without further ado, the first edition for June 2016 is here:

  https://major.io/2016/06/15/whats-happening-openstack-ansible-whoa-june-2016/

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] Deeper diffs in OSA releases

2016-06-14 Thread Major Hayden
On 06/14/2016 08:08 AM, Jesse Pretorius wrote:
> That's neat Major! It'd be great to extend it to also do the diffs for the 
> included roles, both OpenStack and non-OpenStack to get full coverage.

That shouldn't be too difficult to implement.  I'd need to refactor the 
comparison code so that it works for both.

> I think the ops repo is the right one - we just need to get the scaffolding 
> in place. I'll put a review up shortly. 

Thanks, Jesse! :)

--
Major Hayden



[openstack-dev] [openstack-ansible] Deeper diffs in OSA releases

2016-06-14 Thread Major Hayden
Hey folks,

Every OpenStack-Ansible release consists of SHA bumps for roles as well as 
OpenStack services (like keystone, nova, and glance).  However, tracking the 
diffs of the changes in those OpenStack services can be challenging.  It's 
difficult to tell if that nova fix you've been waiting for has made it into a 
particular OSA release.

I have written a script to make this a little easier (hopefully).[1]  The 
script takes two parameters:

$ ./osadiffer.py [older OSA SHA] [newer OSA SHA]

It digs into the YAML files for the repo build and retrieves the list of 
commits that were applied to the OpenStack services that OSA builds for the 
repo server.  All of those commits are rolled into a report[2].

The script seems to work fairly well so far, even with big diffs.  However, I'm 
not sure where the script actually belongs.  I proposed it for 
openstack-ansible-ops, but we don't have the right scaffolding there yet for 
testing.  Would it make more sense to have it in openstack-ansible's 'scripts' 
directory?

Thanks for your input! :)

[1] https://review.openstack.org/328469
[2] http://paste.openstack.org/raw/510670/

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] Mid-cycle date selection (need input!)

2016-06-13 Thread Major Hayden
On 06/09/2016 01:51 PM, Major Hayden wrote:
> Once we get that sorted out, we can fire up an etherpad for everyone to sign 
> up for a spot.

As promised, here's a link to the etherpad:

  https://etherpad.openstack.org/p/osa-midcycle-newton

Please add a +1 beside the dates you prefer and add your name to the bottom of 
the etherpad if you plan to attend.

I need this information by the end of the week to get the meeting room booked 
and arrange for a hotel discount! :)

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] Mid-cycle date selection (need input!)

2016-06-10 Thread Major Hayden
On 06/10/2016 03:16 AM, Jesse Pretorius wrote:
> Thanks Major. I have no conflicts for any of the dates. By option 2 I'm 
> guessing you mean either 22-24 August (Mon-Wed) or 24-26 (Wed-Fri) rather 
> than the entire week?

Correct.  For the August 22-26 dates, we could choose anything within that 
range.  I'm not sure if hugging a weekend or sitting in the middle of the week 
is best for us.  I'd imagine that folks outside the US might appreciate a 
weekend to recover from time zone changes before or after.

--
Major Hayden



[openstack-dev] [openstack-ansible] Mid-cycle date selection (need input!)

2016-06-09 Thread Major Hayden

Hey folks,

I've been able to secure a few dates at Rackspace's headquarters in San 
Antonio, Texas:

  1) August 10-12
  2) August 22-26
  3) August 29 - September 2

During the meeting earlier today, #3 was determined to cause a lot of conflicts 
for people.  #1 seems to be the most preferred.  I have emails out to ask about 
deals on local hotels and I'm waiting to hear back on those.

The room should seat about 20-25 people and we would have at least one 
projector.

Please reply with your thoughts and a date preference!  Once we get that sorted 
out, we can fire up an etherpad for everyone to sign up for a spot.

- --
Major Hayden


Re: [openstack-dev] [openstack-ansible] LBaaSv2 / Octavia support

2016-05-16 Thread Major Hayden
On 05/15/2016 04:53 AM, Xav Paice wrote:
> Great stuff! - that's covered everything I've been looking at so far, except 
> that we're not wanting to run neutron-server (and therefore the octavia api) 
> on the same boxes as the Neutron L3 agent (where I understand we need to run 
> the worker).  This isn't the place for usage questions, I was wondering how 
> you deal with that separation or if it's not yet been worked into the branch?
> 
> I will assume that SSL certs haven't been dealt to yet?  I expect to be 
> throwing Barbican into the mix shortly to deal with that, maybe Anchor too.

I haven't done the work on that separation quite yet.  That could potentially 
be done using our existing affinity settings in OpenStack-Ansible, provided 
that Octavia is treated as a separate service.  My branch doesn't account for 
that.

There's some work underway to get barbican rolling with OpenStack-Ansible and 
that should make the certificate management part a bit easier.

> I'll run up a test env asap, seems that using your branch with some minor 
> updates might be just what we need.  Any updates will of course be shared :)

Great!

> Ugh - I really need to live in a country with a decent timezone.  I'm in 
> UTC+12 - will lurk around a bit and see who's online at the same time as I 
> am, and the whole project looks to be pretty friendly for newcomers.  I work 
> funny hours but 4am isn't when I'm at my best.

Either way, we usually have folks in the channel around the clock, so feel free 
to jump in and ask questions.

--
Major Hayden



Re: [openstack-dev] [openstack-ansible] LBaaSv2 / Octavia support

2016-05-13 Thread Major Hayden

On 05/12/2016 11:42 PM, Xav Paice wrote:
> Thanks for explaining that - I thought I was going mad.  You're right about 
> implementation challenges!

It's definitely a new way of doing things.  I'm trying to get used to this new 
service VM model (like Astara and Octavia use), but it's been difficult.

For what it's worth, I have a (somewhat dated) branch with Octavia support in 
Github[1].

> TBH, I'm writing something that would work at least in our environment and 
> trying to keep it as small and simple as possible so we can maintain it - 
> currently one of our dev team is adding a feature or two to make Octavia 
> match our business requirements, and I'm working on the deployment.  
> Openstack-ansible is quite a new approach for our deployment (we've done most 
> things via puppet till now) - what I was really after is some examples to 
> scab from, but if I manage to beat you to it, it might wind up the other way 
> round.  The Puppet deployment has been really good till recently but like 
> many, we're now unable to do 'big bang' upgrades and the lack of 
> orchestration in Puppet is a real limitation.
> 
> I'm happy to be involved with the implementation, but until we're using 
> openstack-ansible for our deployments my ability to test/run things would be 
> quite limited.
> 
> Maybe this is the push I need to knuckle down and migrate.

We would definitely be happy to help with any questions you have while you're 
using OpenStack-Ansible.  It's always nice to have feedback from new users, 
especially those who are used to other deployment frameworks.  The 
OpenStack-Ansible contributors have done a lot to "smooth off" the rough edges 
of OpenStack deployments, but we find new things that surprise us from time to 
time. :)

Feel free to join #openstack-ansible on Freenode or hang out with us during our 
IRC meetings on Thursday[2].

[1] https://github.com/major/openstack-ansible/tree/octavia
[2] https://wiki.openstack.org/wiki/Meetings/openstack-ansible

- --
Major Hayden


Re: [openstack-dev] [openstack-ansible] LBaaSv2 / Octavia support

2016-05-11 Thread Major Hayden

On 05/10/2016 11:58 PM, Xav Paice wrote:
> Sorry to dig up an ancient thread.
> 
> I see the spec has been implemented, and in the os_neutron repo I see configs 
> for the Haproxy driver for LOADBALANCERV2 - but not Octavia.  Am I missing 
> something here?

Hello Xav,

No need to apologize -- I should have sent an update sooner. :)

After a thorough review, we decided to go forth with LBaaSv2 via the agent 
since we needed something to quickly replace the now deprecated LBaaSv1 API.  
Octavia is still on the roadmap, but there are some implementation challenges 
that need more attention.

I'm working to get more involved in some of the Octavia meetings and 
discussions so I can share the use cases of various OpenStack-Ansible 
operators.  Did you have some interest in helping with the implementation or 
are you eager to consume it once it's available?

- --
Major Hayden


Re: [openstack-dev] [openstack-ansible] Nominate Major Hayden for core in openstack-ansible-security

2016-05-06 Thread Major Hayden

On 05/03/2016 01:47 PM, Truman, Travis wrote:
> Major has made an incredible number of contributions of code and reviews to 
> the OpenStack-Ansible community. Given his role as the primary author of the 
> openstack-ansible-security project, I can think of no better addition to the 
> core reviewer team.

Thanks for all the kind words in the thread! :)

- --
Major Hayden


Re: [openstack-dev] [all][stackalytics] Gaming the Stackalytics stats

2016-04-08 Thread Major Hayden
On 04/08/2016 03:31 PM, Jeremy Stanley wrote:
> Thanks for taking this up--some people just need
> encouragement/suggestions for better ways to make an impact. On the
> other hand, if you find that many of them have addresses at the same
> company domain... well I guess we can find people higher up the
> ladder in those companies and talk to them about how to channel
> their employee quotas/incentives in more productive directions for
> the community as well.

Hey folks,

I have sent five emails so far and I received two responses already.  Both of 
the people who replied said they are new to OpenStack and how to do reviews.  
They welcomed more input on how to find the right code reviews and how to 
complete the review.  They weren't aware that these particular contributions 
were seen as unhelpful or gaming the system.

Would it make sense to encourage cores/PTLs on these projects to reach out to 
these users and share gerrit dashboard[1] links?  A PTL shared some of these 
with me and it certainly helped me focus better on the right reviews.

[1] https://github.com/openstack/gerrit-dash-creator

--
Major Hayden



Re: [openstack-dev] [all][stackalytics] Gaming the Stackalytics stats

2016-04-08 Thread Major Hayden
On 04/08/2016 02:25 PM, Anita Kuno wrote:
> Nothing is stopping you from doing so. You can see the names and can
> find the emails of those engaged in this by following the gerrit link
> Dims posted in his first post.
> 
> Perhaps as you say, the personal touch may help them to learn how to
> contribute in a way that has value.

I'll take a sample of the folks listed there and contact them.  Hopefully I can 
provide some general results here soon.

--
Major Hayden



Re: [openstack-dev] [all][stackalytics] Gaming the Stackalytics stats

2016-04-08 Thread Major Hayden
On 04/08/2016 02:04 PM, Doug Wiegley wrote:
> Are they using the numbers for some internal company purpose maybe?  If so, 
> how does it matter to any of us?
> 
> Chasing this tail just takes time away from useful things, IMO.

Although I understand the reasoning behind the effort underway in the review 
above to skip Stackalytics stats for proposal bot reviews, it doesn't really 
add a ton of value.  As Doug noted, one cannot simply become a core reviewer by 
gaming stackalytics.

Those personal interactions on mailing lists, reviews with lots of patchsets, 
IRC meetings, and in-person events (like mid-cycles/summits) make the big 
difference.  Can we reach out to some of these people making questionable +1's 
and find out if we can help them become a more productive community member?  If 
there are companies out there who are setting "quotas" for review counts, we 
could possibly reach out to them as well.  Perhaps I'm being too optimistic. :)

But, as Dolph said earlier, leaving this issue alone certainly makes it easier 
to single out the folks who are doing something unproductive. ;)

--
Major Hayden



[openstack-dev] [openstack-ansible][security] Update: Host security hardening

2016-04-04 Thread Major Hayden
Howdy folks,

I wanted to take a few moments to update everyone on the host security 
hardening work in the openstack-ansible-security[1] role for OpenStack-Ansible.

Current status
--------------

The role has run in every Mitaka gate job for OpenStack-Ansible since January 
2016 and seems to be stable.  Other than issues with overzealous auditd rules 
and an improved check for unlocked system accounts, the role has worked well.  
The auditd issues are fixed and the unlocked system account fix is pending a 
Mitaka backport now. 

Release status
--------------

Newton:
  * Available, but not enabled by default
  * Patch submitted[2] to make it enabled on all deployments by default

Mitaka:
  * Available, but not enabled by default
  * Plan to backport Newton's "enabled by default" change to Mitaka soon

Liberty:
  * Not available, but can be added easily (docs exist for this)
  * Need input on whether this should be backported
  * If backported, I suggest we leave it disabled by default (much like we did
    for LBaaS v2)

Request for feedback
--------------------

Would there be opposition to backporting openstack-ansible-security into 
OpenStack-Ansible's Liberty release with it being disabled by default?

The only impact from this change to an existing deployment would be an 
additional role downloaded via ansible-galaxy within the bootstrap-ansible.sh 
script.  Deployers would need to change 'apply_security_hardening' to 'true' in 
order to activate the role.

Thanks!

[1] http://docs.openstack.org/developer/openstack-ansible-security/
[2] https://review.openstack.org/#/c/301152/

--
Major Hayden



Re: [openstack-dev] [openstack-ansible][security] Security hardening backport to Liberty desirable?

2016-03-07 Thread Major Hayden
On 03/05/2016 06:40 AM, Jesse Pretorius wrote:
> Liberty is a stable branch and the Mitaka release is just around the corner. 
> I think it's a bit late in the game to add it. Consider, also, that deployers 
> can easily consume the role with their own playbook to execute it if they 
> would like to.
> 
> *If* a backport is supported by the consuming community and core team, I 
> would only support an opt-in model to allow deployers to make use of the 
> role, but only if they choose to.

That seems reasonable.  Would it be appropriate to add some documentation in 
the Liberty release that explains how to enable the role with that release?

--
Major Hayden



[openstack-dev] [openstack-ansible][security] Security hardening backport to Liberty desirable?

2016-03-04 Thread Major Hayden
Hey folks,

I have proposed a review[1] which adds the openstack-ansible-security[2] role 
to OpenStack-Ansible's Liberty release.  I would really appreciate some 
feedback from deployers on whether this change is desirable in Liberty.

The role applies cleanly to Liberty on Ubuntu 14.04 and the role already has 
some fairly basic gating.

The two main questions are:

  1) Does it make sense to backport the openstack-ansible-security
     role/playbook to Liberty?
  2) Should it be applied by default on AIO/gate builds as it is
     in Mitaka (master)?

Thanks!

[1] https://review.openstack.org/#/c/273257/
[2] http://docs.openstack.org/developer/openstack-ansible-security/

--
Major Hayden





Re: [openstack-dev] [openstack-ansible] network question and documentation

2016-02-19 Thread Major Hayden
On 02/17/2016 09:00 AM, Fabrice Grelaud wrote:
> So, i would like to know if i'm going in the right direction.
> We want to use both, existing vlan from our existing physical architecture 
> inside openstack (vlan provider) and "private tenant network" with IP 
> floating offer (from a flat network).
> 
> My question is about switch configuration:
> 
> On Bond0:
> the switch port connected to bond0 need to be configured as trunks with:
> - the host management network (vlan untagged but can be tagged ?)
> - container(mngt) network (vlan-container)
> - storage network (vlan-storage)
> 
> On Bond1:
> the switch port connected to bond1 need to be configured as trunks with:
> - vxlan network (vlan-vxlan)
> - vlan X (existing vlan in our existing network infra)
> - vlan Y (existing vlan in our existing network infra)
> 
> Is that right ?

You have a good plan here, Fabrice.  Although I don't have bonding configured 
in my own production environment, I'm doing much the same as you are with 
individual network interfaces.

> And do i have to define a new network (a new vlan, flat network) that offer 
> floating IP for private tenant (not using existing vlan X or Y)? Is that new 
> vlan have to be connected to bond1 and/or bond0 ?
> Is that host management network could play this role ?

You *could* use the host management network as your floating IP pool network, 
but you'd need to create a flat network in OpenStack for that (unless your host 
management network is tagged).  I prefer to use a specific VLAN for those 
public-facing, floating IP addresses.  You'll need routers between your 
internal networks and that floating IP VLAN to make the floating IP addresses 
work (if I remember correctly).

> ps: otherwise, about the documentation, for great understanding and perhaps 
> consistency
> In Github (https://github.com/openstack/openstack-ansible), in the file 
> openstack_interface.cfg.example, you point out that for br-vxlan and 
> br-storage, "only compute node have an IP on this bridge. When used by infra 
> nodes, IPs exist in the containers and inet should be set to manual".
> 
> I think it will be good (but i may be wrong ;-) ) that in chapter 3 of the 
> "install guide: configuring the network on target host", you propose the 
> /etc/network/interfaces for both controller node (br-vxlan, br-storage: 
> manual without IP) and compute node (br-vxlan, br-storage: static with IP).

That makes sense.  Would you be able to open a bug for us?  I'll be glad to 
help you write some documentation if you're interested in learning that process.

Our bug tracker is here in LaunchPad:

  https://bugs.launchpad.net/openstack-ansible

--
Major Hayden



Re: [openstack-dev] [openstack-ansible] : Steps to upgrade the current setup from Kilo to Liberty

2016-02-18 Thread Major Hayden
On 02/18/2016 04:02 AM, Sharma Swati6 wrote:
> I have followed the following steps-
> ./Scripts/teardown.sh
> Git checkout 12.0.6 (liberty)
> ran setup-hosts.yml*(FACING ISSUES HERE)*

Hello Sharma,

Could you give us the exact command you ran and the error output that you 
received?  That should help us figure out if it's a problem in Ansible or 
within your OS configuration.

--
Major Hayden



Re: [openstack-dev] [openstack-ansible]Review of Bug "1535536"

2016-02-17 Thread Major Hayden
On 02/17/2016 04:33 AM, Sirisha Guduru wrote:
> I recently committed code as a fix for the bug 
> "https://bugs.launchpad.net/openstack-ansible/+bug/1535536".
> Jenkins gave a ‘-1’ during the review. Going through the logs I found that 
> the errors are not in the code I committed but from other containers and the 
> original code in openstack-ansible.
> Due to that, there is no actual review of the code committed.
> 
> Kindly let me know, how to get it fixed? Or if anyone can review the code, 
> that would be great.

Hello Sirisha,

It looks like Andy has given you some feedback there in the review that should 
help.  If not, feel free to make additional comments in that review and we will 
have a look. ;)

--
Major Hayden



[openstack-dev] [lbaas][octavia] Security/networking questions

2016-02-08 Thread Major Hayden

Hey there,

I've been doing some work to research how best to implement LBaaSv2 and Octavia 
within the OpenStack-Ansible project.  During that research, I've come up with 
a few questions.

1) Is it possible for octavia to operate without providing it with admin 
credentials?

2) If a user has amphora LB's deployed and a serious vulnerability is released 
for OpenSSL/haproxy, what should the user do to patch those load balancers?

3) Is a load balancer management network required?  Putting a LB onto an admin 
tenant network as well as a customer tenant network is challenging and bridging 
those networks could allow an attacker to gain access to other things on that 
admin tenant network.

Thanks in advance for your time.

- --
Major Hayden


Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-02-08 Thread Major Hayden

On 02/08/2016 06:40 AM, Jesse Pretorius wrote:
> Darren's reply is interesting and perhaps worth consideration. As far as I 
> recall the security role adopted the STIG primarily because it was the only 
> openly available set of standards that didn't require licensing. If there are 
> other options to explore and ways to consume them, then perhaps that should 
> be an initiative for the Newton cycle?

That's right.  After direct conversations with CIS, we found that the licensing 
and restricted use of the security benchmarks wouldn't allow us to use them in 
OpenStack projects.  That could change in the future, but that's what exists at 
the moment.  The STIG was chosen since it's widely adopted and it is in the 
public domain.

It could be interesting to take an XCCDF/OVAL dump and try to implement it in 
an automated way with Ansible.  Creating the XCCDF XML isn't easy (nor fun), 
but that could be an option, too.

Darren's point about using vendor-provided hardening standards for Red Hat, 
Fedora, and Solaris is a good one.  This could be very useful if the multi-os 
support for OpenStack-Ansible comes together.  It's a shame that Ubuntu doesn't 
have a comprehensive XCCDF profile available as the other distributions do. :/

- --
Major Hayden


Re: [openstack-dev] [OpenStack-Ansible] Mid Cycle Sprint

2016-02-04 Thread Major Hayden
On 02/04/2016 12:41 PM, Jesse Pretorius wrote:
> As discussed in the community meeting today [1] we will be able to include 
> remote participants in the Mid Cycle via Video Conference. In order to 
> facilitate this I need to ensure that we have an attendance list for me to 
> send the Video Conference invitations to, so please get a Remote 
> Participation ticket in Eventbrite [2] if you intend to join us through this 
> facility.

Thanks for getting the remote participation put together for the event! :)

--
Major Hayden



Re: [openstack-dev] [openstack-ansible] LBaaSv2 / Octavia support

2016-01-28 Thread Major Hayden

On 01/26/2016 01:48 PM, Kevin Carter wrote:
> I personally think it'd be great to see this feature in OSA and I look 
> forward to reviewing the spec.

The first draft of the spec is in Gerrit:

  https://review.openstack.org/#/c/273749/

I appreciate any and all feedback! :)

- --
Major Hayden


[openstack-dev] [openstack-ansible][security] Security hardening is now integrated!

2016-01-27 Thread Major Hayden
Hey folks,

After four months and 80+ gerrit reviews, the security hardening configurations 
provided by the openstack-ansible-security role are now integrated with 
OpenStack-Ansible!  The Jenkins gate jobs for OpenStack-Ansible are already 
applying these configurations by default.

Documentation is available[1] for deployers who want to use this role with 
their OpenStack-Ansible deployments.  Deployers also have the option to choose 
which hardening configurations[2] they want to apply.  The full list of 
configurations (including exceptions and workarounds) is available in the 
openstack-ansible-security documentation[3].

Thanks to everyone who helped to make this possible. :)

[1] http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-initial.html#security-hardening
[2] http://docs.openstack.org/developer/openstack-ansible-security/configuration.html
[3] http://docs.openstack.org/developer/openstack-ansible-security/controls.html

--
Major Hayden



[openstack-dev] [openstack-ansible] LBaaSv2 / Octavia support

2016-01-26 Thread Major Hayden

Hey there,

After poking around a bit at LBaaS in OpenStack-Ansible, I discovered that 
LBaaS v2[1] was available in Liberty and Mitaka.  At first, I thought it 
involved switching agents from neutron-lbaas-agent to neutron-lbaasv2-agent, 
but things are a little bit more involved.

LBaaS v1 works by configuring HAProxy within agent containers.  However, LBaaS 
v2 creates virtual machines to hold load balancers and attaches those virtual 
machines to the appropriate subnet.  It offers some active/passive failover 
capabilities, but a single load balancer is the default.  One of the biggest 
benefits of v2 is that you can put multiple listeners on the same load 
balancer.  For example, you could host a website on ports 80 and 443 on the 
same VIP and floating IP address.

The provisioning would look like this for v2:

  * Create a load balancer
  * Create a listener
  * Create a pool
  * Create members in the pool

Many thanks to Brandon Logan (blogan) for sitting down with me this morning to 
go over it.  It looks like we'd need to do the following to get LBaaS v2 into 
OpenStack-Ansible:

  1) Build a new container to hold an Octavia venv

  2) Run four new daemons in that container:

     * octavia-api
     * octavia-worker
     * octavia-housekeeping
     * octavia-health-manager

  3) Ensure that neutron-lbaas-agent isn't running at the same time as the
     octavia stack

  4) Create a new RabbitMQ queue for octavia along with credentials

  5) Create a new MariaDB database for octavia along with credentials

At this moment, LBaaS v2 panels are planned for Horizon in Mitaka, but they're 
not available as of right now.  It seems like a spec would be necessary for 
this effort.

Are there users/deployers who would like to have this feature available?

[1] http://docs.openstack.org/developer/devstack/guides/devstack-with-lbaas-v2.html

- --
Major Hayden
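
The v2 provisioning order listed in the message above (load balancer, listener, pool, members), including the case of two listeners on ports 80 and 443 sharing one VIP, as an added example that is not part of the original post or the project's code. It uses the `neutron lbaas-*` commands of the neutron-lbaas v2 CLI; the load balancer name, subnet name and member addresses are constructed placeholders, and the script defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: LBaaS v2 provisioning order (load balancer -> listener ->
# pool -> members) with the neutron CLI. The names, the subnet and the member
# addresses are constructed placeholders, not values from the thread.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The API rejects changes while the load balancer is in a PENDING_* state, so
# every step waits for ACTIVE before the next one. Skipped in dry-run mode.
wait_active() {
    [ "$DRY_RUN" = "1" ] && return 0
    tries=0
    while [ "$tries" -lt 60 ]; do
        status="$(neutron lbaas-loadbalancer-show "$1" -f value -c provisioning_status)"
        case "$status" in
            ACTIVE) return 0 ;;
            ERROR)  return 1 ;;
        esac
        tries=$((tries + 1))
        sleep 5
    done
    return 1   # gave up after about five minutes
}

# usage: provision_lb <lb-name> <subnet> <member-address>...
provision_lb() {
    lb="$1"; subnet="$2"; shift 2

    # 1) One load balancer; its VIP is allocated from the given subnet.
    run neutron lbaas-loadbalancer-create --name "$lb" "$subnet"
    wait_active "$lb" || return 1

    # Two listeners on the same load balancer (and therefore the same VIP).
    for spec in HTTP:80 HTTPS:443; do
        proto="${spec%%:*}"; port="${spec##*:}"

        # 2) Listener
        run neutron lbaas-listener-create --loadbalancer "$lb" \
            --protocol "$proto" --protocol-port "$port" --name "$lb-$port"
        wait_active "$lb" || return 1

        # 3) Pool attached to that listener
        run neutron lbaas-pool-create --lb-algorithm ROUND_ROBIN \
            --listener "$lb-$port" --protocol "$proto" --name "$lb-pool-$port"
        wait_active "$lb" || return 1

        # 4) Members of the pool
        for addr in "$@"; do
            run neutron lbaas-member-create --subnet "$subnet" \
                --address "$addr" --protocol-port "$port" "$lb-pool-$port"
            wait_active "$lb" || return 1
        done
    done
}

# Dry run with constructed values: prints the nine commands in order.
provision_lb web-lb private-subnet 10.0.0.11 10.0.0.12
```

Set `DRY_RUN=0` to execute the commands against a cloud where the LBaaS v2 extension is enabled.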


Re: [openstack-dev] [openstack-ansible] LBaaSv2 / Octavia support

2016-01-26 Thread Major Hayden

On 01/26/2016 01:48 PM, Kevin Carter wrote:
> Seems like a sensible change however I'd love to see it written up as a spec. 
> Also do we know if there are any scenario tests in tempest for octavia or 
> would we need to develop them/something? 
> 
> As for adding Octavia as a new service within OpenStack Ansible this makes 
> sense. Another approach may be to add octavia to the existing neutron-agent 
> container which would make coordinating some of the services easier while 
> ensuring the service deployment is simpler but that has isolation and 
> segmentation drawbacks so I have no strong opinions on what's best.
> 
> I personally think it'd be great to see this feature in OSA and I look 
> forward to reviewing the spec.

Thanks, Kevin.  I'm wondering if it should be in the neutron-server instead of 
the agent container.  It doesn't need any special connections to isolated 
networks since it talks to neutron/nova to get that done.

- --
Major Hayden
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-


Re: [openstack-dev] [openstack-ansible] LBaaSv2 / Octavia support

2016-01-26 Thread Major Hayden
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01/26/2016 02:01 PM, Fox, Kevin M wrote:
> I believe lbaas v1 and v2 are different than every other openstack api
> version in that while you can run v1 and v2 at the same time, they are
> completely different systems that just share a name. A lb created in v1
> doesn't show up in v2 or vice versa. But being able to enable both at once
> gives users a migration path. If you don't do this, all their lb's will just
> disappear when going to octavia. :/

I tend to agree, but I'm hearing that it's not possible to run both versions 
concurrently.  Brandon might be able to share a little more about the reasons 
why.

- --
Major Hayden
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-


[openstack-dev] [openstack-ansible][security] Improving SSL/TLS in OpenStack-Ansible

2016-01-15 Thread Major Hayden
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hey folks,

I've attended some of the OpenStack Security Mid-Cycle meeting this week and 
Robert Clark was kind enough to give me a deep dive on the Anchor project[1].  
We had a good discussion around my original email thread[2] on improving 
SSL/TLS certificates within OpenStack-Ansible (OSA) and we went over my 
proposed spec[3] on the topic.

Jean-Philippe Evrard helped me assemble an etherpad[4] this morning where we 
brainstormed some problem statements, user stories, and potential solutions for 
improving the certificate experience in OSA.  It seems like an ephemeral PKI 
solution, like Anchor, might provide a better certificate experience for users 
while also making the revocation and issuance process easier.

I'd really like to get some feedback from the OpenStack community on our 
current brainstorming efforts.  We've enumerated a few use cases and user 
stories already, but we've probably missed some other important ones.  Feel 
free to stop by #openstack-ansible or join us in the etherpad.

Thanks!

[1] https://wiki.openstack.org/wiki/Security/Projects/Anchor
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-October/077877.html
[3] https://review.openstack.org/#/c/243332/
[4] https://etherpad.openstack.org/p/openstack-ansible-tls-improvement

- --
Major Hayden
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-


Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-01-14 Thread Major Hayden
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01/13/2016 02:59 PM, Clark, Robert Graham wrote:
> I’m pretty new to openstack-ansible-security but based on my use cases, which
> are as much about using this for verification as they are for building secure
> boxes, my preference would be 3) Use an Ansible callback plugin to catch these
> and print them at the end of the playbook run

I'm leaning in that direction as well, but I'm not sure if there's a way to 
wedge this type of functionality into a role.  It can be done easily with a 
playbook, but I'm not sure if we can add this to a role by itself.

- --
Major Hayden
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-


[openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-01-13 Thread Major Hayden
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hey there,

After presenting openstack-ansible-security at the Security Project Mid-Cycle 
meeting yesterday, the question came up around how to handle situations where 
automation might cause problems.

For example, the STIG requires[1] that all system accounts other than root are 
locked.  This could be dangerous on a running production system as Ubuntu has 
non-root accounts that are not locked.  At the moment, the playbook does a hard 
stop (using the fail module) when this check fails[2].  Although that can be 
skipped with --skip-tag, it can be a little annoying if you have automation 
that depends on the playbook running without stopping.

Is there a good alternative for this?  I've found a few options:

  1) Leave it as-is and do a hard stop on these tasks
  2) Print a warning to the console but let the playbook continue
  3) Use an Ansible callback plugin to catch these and print them at the end of 
the playbook run

Thanks in advance for any advice!

[1] 
https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38496
[2] 
https://github.com/openstack/openstack-ansible-security/blob/master/tasks/auth.yml#L60-L87

- --
Major Hayden
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-
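
The three handling options listed in the message above, applied to the V-38496 style check, as an added example that is not part of the original post or of the openstack-ansible-security role. The account data is constructed, and the function names, the UID cutoff of 999 and the "stop/warn/defer" mode names are assumptions.

```shell
#!/bin/sh
# Added example; the passwd/shadow content below is constructed sample data.

# Write constructed account files into directory $1.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
syslog:x:101:104::/home/syslog:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:16800:0:99999:7:::
daemon:*:16800:0:99999:7:::
backup:$6$constructed$hash:16800:0:99999:7:::
syslog:!:16800:0:99999:7:::
alice:$6$constructed$hash:16800:0:99999:7:::
EOF
}

# List non-root system accounts whose shadow password field is not locked.
# Assumptions: a system account has UID <= uid_max (default 999), and a
# locked password field starts with "!" or "*".
unlocked_system_accounts() {
    passwd_file=$1
    shadow_file=$2
    uid_max=${3:-999}
    awk -F: -v max="$uid_max" '
        FILENAME == ARGV[1] {
            if ($1 != "root" && $3 + 0 <= max + 0) sys[$1] = 1
            next
        }
        ($1 in sys) && $2 !~ /^[!*]/ { print $1 }
    ' "$passwd_file" "$shadow_file"
}

# Handle one finding under a chosen mode:
#   stop  - report and return non-zero, halting the run (option 1)
#   warn  - report immediately and continue (option 2)
#   defer - record it for a summary at the end of the run (option 3)
handle_finding() {
    mode=$1
    check_id=$2
    finding=$3
    [ -n "$finding" ] || return 0          # nothing found: check passes
    case $mode in
        stop)  echo "FAILED $check_id: $finding" >&2; return 1 ;;
        warn)  echo "WARNING $check_id: $finding" >&2 ;;
        defer) printf '%s: %s\n' "$check_id" "$finding" >> "$DEFERRED_LOG" ;;
        *)     echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Number of findings recorded in defer mode.
deferred_count() {
    if [ -f "$DEFERRED_LOG" ]; then
        wc -l < "$DEFERRED_LOG" | tr -d ' '
    else
        echo 0
    fi
}

demo() {
    tmp=$(mktemp -d)
    DEFERRED_LOG=$tmp/deferred.log
    write_sample_files "$tmp"
    found=$(unlocked_system_accounts "$tmp/passwd" "$tmp/shadow" \
        | tr '\n' ' ' | sed 's/ $//')
    handle_finding stop V-38496 "$found" || echo "stop mode: run halts here"
    handle_finding warn V-38496 "$found"
    handle_finding defer V-38496 "$found"
    echo "deferred findings at end of run: $(deferred_count)"
    cat "$DEFERRED_LOG"
    rm -rf "$tmp"
}
demo
```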



[openstack-dev] [openstack-ansible] Tracking jenkins jobs

2016-01-08 Thread Major Hayden
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hey folks,

I've been chasing down some annoying gate failures in kilo and I put together a 
script to populate a spreadsheet[1] with information about our gate jobs.  
Within a few seconds of a gate job completing, you'll see a new line pop on the 
spreadsheet.

I'm only collecting data from the gate-openstack-ansible-dsvm-commit at the 
moment, but other jobs could be added if needed.

Let me know if this is useful or if it should be expanded to include something 
else.  Of course, if it's totally useless, let me know about that too. ;)

[1] 
https://docs.google.com/spreadsheets/d/1YZC6ng-AIHqbHHHeGPC2mar_JPYunvFm4BzqfAEOYLI/edit#gid=0

- --
Major Hayden
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-


Re: [openstack-dev] [oslo][osdk] PrettyTable needs a home in OpenStack

2016-01-08 Thread Major Hayden
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 01/08/2016 07:06 AM, Flavio Percoco wrote:
> I'm saying all the above because we now need to find a home for it in
> OpenStack.
> 
> I've identified 2 possible places:
> 
> 1) Oslo, as we maintain cross-project libraries and some of them are
> not in the oslo namespace
> 
> 2) OpenStack Client team as they maintain cliff already and it'd
> perhaps make more sense to have this library there.

#2 makes the most sense to me.  Thanks for taking action to keep PrettyTable 
alive! :)

- --
Major Hayden
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-


Re: [openstack-dev] [openstack-ansible] Mid Cycle Sprint

2015-12-09 Thread Major Hayden
On Wed, 2015-12-09 at 12:45 +, Jesse Pretorius wrote:
> At the Mitaka design summit in Tokyo we had some corridor discussions
> about doing a mid-cycle meetup for the purpose of continuing some
> design discussions and doing some specific sprint work.
> 
> ***
> I'd like indications of who would like to attend and what
> locations/dates/topics/sprints would be of interest to you.
> ***

I'm glad to see this brought up on the list.  As a fairly new
contributor, I'd really like some more face time with folks who work on
openstack-ansible.

As far as topics go, I'm very interested in:

  * Documentation cleanup (writing docs for personas, friendlier
install guide, troubleshooting docs)

  * Multi-OS support (specifically Fedora + CentOS, possibly Debian)

I'm located in San Antonio, TX (USA), so I'd prefer to have it
somewhere around here.  I certainly wouldn't pass up a trip to London
either (if it's in the cards). ;)

-- 
Major Hayden





Re: [openstack-dev] [openstack-ansible] Install Openstack-Ansible

2015-12-04 Thread Major Hayden
On Fri, 2015-12-04 at 10:01 +0530, Sharma Swati6 wrote:
> To add a new container, we have followed the steps as mentioned in
> the extra_container.yml.example. Please find the sample designate.yml
> file attached and created as per the steps.

That's a good start.  However, you'll need to sign up[1] to be an
OpenStack developer (agreeing to some contracts and things) so you can
commit this into the upstream repositories.

Once you do that, you'll want to assemble a spec for the changes you
want to make.  A spec defines what you hope to accomplish and gives
everyone on the project a chance to review the steps you're planning to
take.  You can look at a spec I wrote[2] for ideas and then use the
openstack-ansible-specs template[3] to begin working on your spec.

A spec isn't busywork -- it shows the intention of what you're trying
to do and allows other people on the project to point out areas of
concern and improvement.

> To add the new roles in openstack-ansible repository, shall I create
> the directory looking at what is there for keystone or other
> components and make the configuration changes only, or can I clone it
> from somewhere also?

There is a push lately to use independent role repositories, but I'm
not sure if that's a hard requirement at the moment.  Jesse Pretorius
or Kevin Carter may be better people to talk about that in this thread.

Details on independent role repositories are in a spec[4] as well.

> Thereafter, as suggested by you, I have to test this new container
> with the existing ones.
> 
> I believe there is no such link available with such steps and 'how
> to' part for openstack-ansible. Please let me know if you/anyone else
> have already done this part to add a new component container
> similarly.

We can help you with this in IRC once you've completed the other steps
I've listed above.  Join us on Freenode in #openstack-ansible and we
will be happy to help you along the way!

[1] http://docs.openstack.org/infra/manual/developers.html
[2] 
http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/security-hardening.html
[3] 
https://github.com/openstack/openstack-ansible-specs/blob/master/specs/template.rst
[4] 
http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/independent-role-repositories.html

-- 
Major Hayden





Re: [openstack-dev] [openstack-ansible] Install Openstack-Ansible

2015-12-01 Thread Major Hayden
On Tue, 2015-12-01 at 20:35 +0530, Sharma Swati6 wrote:
> However, I just want to know if I have to implement this in
> openstack-ansible, or for that matter, I want to add any new
> component to it, are there any steps or guidelines to be followed.
> For example, first I create containers and mention/add it to config
> files. etc. 
> I went through
> http://docs.openstack.org/developer/openstack-ansible/developer-docs/extending.html
> but this is not much self-explanatory.
> 
> If the steps provided by you are helpful I can begin with this and
> contribute soon.

Hello Sharma,

I haven't implemented a new service in openstack-ansible quite yet, but
I'll give you some tips.

First, you'll need to use the extra_container.yml.example[1] to make a
new container.

Next, you'll want to create a role that will configure the operating
system and the required services within the container. You can review
the roles within the openstack-ansible repository to see what is
typically configured in each one.  The keystone role[2] might be a good
place to start.

From there, you'll need to test the container build-out and
configuration to make sure the service works well with the other
services (like authentication with keystone).

[1] 
https://github.com/openstack/openstack-ansible/tree/master/etc/openstack_deploy/env.d
[2] 
https://github.com/openstack/openstack-ansible/tree/master/playbooks/roles/os_keystone

-- 
Major Hayden





Re: [openstack-dev] Install Openstack-Ansible

2015-12-01 Thread Major Hayden
On Tue, 2015-12-01 at 13:41 +0530, Sharma Swati6 wrote:
> The ansible playbooks are running as of now and as per my
> understanding, it is only installing the basic (main) openstack
> components.
> 
> How to install other Openstack components like Designate, Ironic,
> etc. Please let me know the steps/links for installing any other
> customized components through ansible-playbooks, it will be of great
> help.

Hello Sharma,

Thanks for the question about openstack-ansible!  Designate and Ironic
aren't currently included in the standard openstack-ansible roles, but
we're always looking for help in getting things like this done.

There's already a spec open[1] for an Ironic role within
openstack-ansible and I've heard talk about Designate from time to time.  If
you're interested in doing this work, you can create a spec using the
template[2] from the openstack-ansible-specs repository.

If you have more questions, feel free to reply on this thread or hop
into #openstack-ansible on Freenode.

[1] 
http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/role-ironic.html
[2] 
https://github.com/openstack/openstack-ansible-specs/blob/master/specs/template.rst

-- 
Major Hayden





Re: [openstack-dev] [OpenStack-Ansible] Building a dev env with AIO

2015-11-27 Thread Major Hayden
On Fri, 2015-11-27 at 09:21 -0800, Anthony Chow wrote:
> I have an Ubuntu desktop with 8GB of RAM and am using vagrant to start
> a 14.04 VM so I can play around before setting the environment on the
> desktop.
> 
> Over the last few days I have followed the Step-by-Step guide and
> failed 3 times.  The last 2 times I failed in setting up the galera
> cluster.

Hello Anthony,

My guess would be that your VM doesn't have enough RAM allocated to it
for the AIO build.  It's recommended[1] to have 16GB of RAM available
to the system if possible.  We do testing with 8GB VM's with a highly
specialized configuration that limits resource usage but there's not
enough RAM left over for building VM's.

[1] http://docs.openstack.org/developer/openstack-ansible/developer-docs/quickstart-aio.html

--
Major Hayden




Re: [openstack-dev] [openstack-ansible] Random ssh errors in gate check jobs

2015-11-24 Thread Major Hayden
On 11/23/2015 06:32 AM, Jesse Pretorius wrote:
> Thanks for digging into this Major. It is a royal pain and will likely be 
> resolved with the release of Ansible 2, but for now we're stuck with having 
> to work around the issue with what we have.
> 
> I wonder, is there a difference in results or performance between using 
> paramiko or turning ssh pipelining off?

I tried running some jobs with pipelining on and off, but the errors still 
appeared.  It seems like the ssh client itself is part of the problem.  I 
haven't looked to see if Ubuntu has updated sshd recently in 14.04.

--
Major Hayden



[openstack-dev] [openstack-ansible] Random ssh errors in gate check jobs

2015-11-22 Thread Major Hayden
Hey folks,

Some of my recent reviews have been frequent fliers in the land of CI gate jobs 
and I've spent a fair amount of time diagnosing random ssh failures to 
containers in AIO builds.  The error I get most often is this:

SSH Error: data could not be sent to the remote host. Make sure this host 
can be reached over ssh

After digging in Ansible code for a bit, I found the error within the ssh 
connection plugin[1].  It looks like an issue where the ssh connection is 
actually open but data cannot be sent to the subprocess.

I messed around heavily with multiplexing, keys, GSSAPI, and more, but the 
errors randomly appear.  I've proposed a review[2] for a switch to paramiko 
transport mode for gate jobs only and it has run four times without ssh errors 
(although two builds had timeouts due to the repo build taking too long).

The fifth build is running now and it seems to be moving along fairly quickly.

[1] 
https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/connection/ssh.py#L245-L260
[2] https://review.openstack.org/#/c/248361/

--
Major Hayden



Re: [openstack-dev] [openstack-ansible] Fedora/CentOS/other Support

2015-11-19 Thread Major Hayden
On 11/18/2015 04:19 AM, Jesse Pretorius wrote:
> The current community has done some research into appropriate patterns to use 
> and has a general idea of how to do it - but in order to actually execute 
> there need to be enough people who commit to actually maintaining the work 
> once it's done. We don't want to carry the extra code if we don't also pick 
> up extra contributors to maintain the code.

Should there be a concept of primary and secondary operating systems supported 
by openstack-ansible?  I'm thinking something similar to the tiers of 
hypervisors in OpenStack where some are tested heavily with gating while others 
have a lighter amount of testing.

We might be able to have something along the lines of:

  * Primary OS: Used in gate checks, heavily tested
  * Secondary OS: Not used in gate checks, lightly tested
  * Tertiary OS: Support in WIP state, not tested

--
Major Hayden



Re: [openstack-dev] [openstack-ansible][security] Next steps: openstack-ansible-security

2015-11-16 Thread Major Hayden
On 11/16/2015 07:47 AM, Jesse Pretorius wrote:
> Based on the spec's proposed change section [1] I would say that items 4 & 5 
> are the next steps. Those steps, however, are kind-of waiting for the gate 
> split work. Perhaps the best way to get this done that doesn't have the 
> dependency is to implement an additional option for gate-check-commit option 
> to turn on using the security role, but leave it off by default. The current 
> job will then continue to run and we can add an additional gate check to run 
> it with the security bits on as a comparison.

That sounds good.  I'll hopefully get time to take a crack at that along with 
the check mode enhancements this week.

--
Major Hayden



Re: [openstack-dev] [openstack-ansible][security] Next steps: openstack-ansible-security

2015-11-09 Thread Major Hayden
On 11/06/2015 05:38 PM, Jesse Pretorius wrote:
> While I applaud the idea, changing the current commit integration test is 
> probably not the best approach. We're in the middle of splitting the roles 
> out into their own repositories and also extending the gate checks into 
> multiple use-cases.

That will certainly help with many things and I'm looking forward to it. ;)

> I think that the best option for now will be to add the implementation of the 
> security role as an additional use-case. Depending on the results there we 
> can figure out whether the role should be a default in all use cases.

What would you propose as the final steps to get the blueprint marked as 
completed?  Should documentation be added into openstack-ansible about 
integrating openstack-ansible-security or should a script be provided for 
quicker integration?

--
Major Hayden



Re: [openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

2015-11-06 Thread Major Hayden
On 10/29/2015 08:42 AM, Clark, Robert Graham wrote:
> It sounds like what you probably need is a lightweight CA, without 
> revocation, that gives you some basic constraints by which you can restrict 
> certificate issuance to just your ansible tasks and that could potentially be 
> thrown away when it’s no longer required. Particularly something light enough 
> that it could live on any deployment/installer node.
> 
> This sounds like it _might_ be a good fit for Anchor[1], though possibly not 
> if I’ve misunderstood your use-case.
> 
> [1] https://wiki.openstack.org/wiki/Security#Anchor_-_Ephemeral_PKI

Thanks, Robert.  After talking a bit in the last OpenStack Security IRC meeting 
and doing a deep dive into Anchor, I'm not sure I'm looking for a CA that 
issues ephemeral certificates.

For example, issuing ephemeral certificates for RabbitMQ or MySQL would involve 
frequent restarts of each service to apply new certificates on a regular basis 
(if I'm understanding Anchor correctly).  I could see how this wouldn't be a 
big issue on a web/API front-end, like horizon, but it would definitely cause 
some disruptions for services that are slower to start, like RabbitMQ and MySQL.

I found a CA role[1] for Ansible on Galaxy, but it appears to be GPLv3 code. :/

Another suggestion was to use Letsencrypt, but it's in a limited access period 
at the moment.  It also supplies ephemeral certs, as Anchor does.

The dogtag service looks interesting, but it has quite a few dependencies that 
may be a bit heavy resource-wise within the average openstack-ansible 
environment.

I'm still on the hunt for a good solution but I appreciate the input so far!

[1] https://github.com/debops/ansible-pki

--
Major Hayden



[openstack-dev] [openstack-ansible] Converting the AIO bootstrap script to Ansible

2015-11-06 Thread Major Hayden
Hey folks,

After 51 patch sets, I feel that the AIO bootstrap conversion to Ansible is 
worth reviewing[1].  There was a bunch of logic within the bootstrap-aio.sh 
script that took a bunch of tries to get right.  Also, I ended up with some ssh 
timing issues in the dsvm tests that caused some serious head-scratching.

I've tried to copy the exact functionality from bootstrap-aio.sh without making 
many improvements.  There were some areas where Ansible made things much 
simpler, which was nice.  This should also make it easier to support more than 
one operating system (the multi-platform-host blueprint) and I've stubbed out 
some initial support for RPM-based distributions within a variables file in the 
playbook.

Feel free to critique it and I'll get to work on making the changes.  The 
spec[2] should answer most of the questions about the effort.

Thanks! :)

[1] https://review.openstack.org/#/c/239525/
[2] 
http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/convert-aio-bootstrap-to-ansible.html

--
Major Hayden



[openstack-dev] [openstack-ansible][security] Next steps: openstack-ansible-security

2015-11-06 Thread Major Hayden
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello there,

At this moment, openstack-ansible-security[1] is feature complete and all of 
the Ansible tasks and documentation for the STIGs are merged.  Exciting!

I've done lots of work to ensure that the role uses sane defaults so that it 
can be applied to the majority of OpenStack deployments without disrupting 
services.  It only supports Ubuntu 14.04 for now, but that's 
openstack-ansible's supported platform as well.

I'd like to start by adding it to the gate-check-commit.sh script so that the 
security configurations are applied prior to running tempest.  This should 
hopefully catch any defaults that could be disruptive in an openstack-ansible 
environment.  If that works, I'd like to add it to the run-playbooks.sh script 
so that it runs for all deployments (toggled via a configuration option, of 
course).

Does that seem like a decent plan?  Let me know if that makes sense and I'll 
get to work.

[1] http://docs.openstack.org/developer/openstack-ansible-security/

- --
Major Hayden
-BEGIN PGP SIGNATURE-
Version: GnuPG v2
-END PGP SIGNATURE-


Re: [openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

2015-10-29 Thread Major Hayden
On 10/29/2015 04:33 AM, McPeak, Travis wrote:
> The only potential security drawback is that we are introducing a new
> asset to protect.  If we create the tools that enable a deployer to
> easily create and administer a lightweight CA, that should add
> significant value to OpenStack, especially for smaller organizations
> that don't have experience running a CA.

This is certainly true.  However, I'd like to solve for the use of self-signed 
SSL certificates in openstack-ansible first.

At the moment, each self-signed certificate for various services is generated 
within each role.  The goal would be to make a CA at the beginning and then 
allow roles to utilize another role/task to issue certificates from that CA.  
The CA would most likely be located on the deployment host.

Deployers who are very security conscious can provide keys, certificates, and 
CA certificates in the deployment configuration and those will be used instead 
of generating self-signed certificates.

--
Major Hayden



[openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

2015-10-26 Thread Major Hayden
Hello there,

I've been researching some additional ways to secure openstack-ansible 
deployments and I backed myself into a corner with secure log transport.  The 
rsyslog client requires a trusted CA certificate to be able to send encrypted 
logs to rsyslog servers.  That's not a problem if users bring their own 
certificates, but it does become a problem if we use the self-signed 
certificates that we're creating within the various roles.

I'm wondering if we could create a role that creates a CA on the deployment 
host and then uses that CA to issue certificates for various services *if* a 
user doesn't specify that they want to bring their own certificates.  We could 
build the CA very early in the installation process and then use it to sign 
certificates for each individual service.  That would allow us to have some 
additional trust in environments where deployers don't choose to bring their 
own certificates.

Does this approach make sense?

--
Major Hayden
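
The deployment-host CA proposed in this message and in the 2015-10-29 follow-up above, sketched with the openssl CLI as an added example that is not part of the original posts or of openstack-ansible. It builds the CA once, issues a service certificate unless the deployer supplies one, and shows that a per-role self-signed certificate fails verification against the CA where the issued one passes; the host names, paths, lifetimes and function names are assumptions.

```shell
#!/bin/sh
# Added example; every name, path and lifetime here is constructed.
set -eu

# Minimal OpenSSL config so the result does not depend on the system default.
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the CA key and certificate once; keep an existing CA untouched.
make_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir"
    chmod 700 "$ca_dir"
    if [ -f "$ca_dir/ca.key" ]; then return 0; fi
    write_cnf "$ca_dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$ca_dir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Example Deployment CA" \
        -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.crt" 2>/dev/null
    chmod 600 "$ca_dir/ca.key"
}

# Issue a leaf certificate for one service, signed by the CA.
issue_cert() {
    ca_dir=$1
    name=$2
    out_dir=$3
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$ca_dir/openssl.cnf" -subj "/CN=$name" \
        -keyout "$out_dir/$name.key" -out "$out_dir/$name.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth,clientAuth' \
        "subjectAltName = DNS:$name" > "$out_dir/$name.ext"
    openssl x509 -req -in "$out_dir/$name.csr" -sha256 -days 90 \
        -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
        -extfile "$out_dir/$name.ext" -out "$out_dir/$name.crt" 2>/dev/null
    chmod 600 "$out_dir/$name.key"
}

# Use the deployer's certificate when one is supplied, otherwise issue one.
# Prints the path of the certificate the service should load.
cert_for_service() {
    ca_dir=$1
    name=$2
    out_dir=$3
    user_cert=${4:-}
    if [ -n "$user_cert" ]; then
        echo "$user_cert"
    else
        issue_cert "$ca_dir" "$name" "$out_dir"
        echo "$out_dir/$name.crt"
    fi
}

# The per-role behaviour described in the thread: a standalone self-signed cert.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
        -config "$1/openssl.cnf" -subj "/CN=$2" \
        -keyout "$3/$2.key" -out "$3/$2.crt" 2>/dev/null
}

# What a TLS client given only the CA certificate would decide.
trusted_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    make_ca "$work/ca"
    mkdir -p "$work/certs"
    crt=$(cert_for_service "$work/ca" rsyslog.example.test "$work/certs")
    trusted_by_ca "$work/ca/ca.crt" "$crt" && echo "CA-issued: trusted"
    make_self_signed "$work/ca" legacy.example.test "$work/certs"
    trusted_by_ca "$work/ca/ca.crt" "$work/certs/legacy.example.test.crt" \
        || echo "self-signed: rejected by a client that trusts only the CA"
    rm -rf "$work"
}
demo
```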



[openstack-dev] [openstack-ansible][security] All STIGs proposed -- time for reviews!

2015-10-13 Thread Major Hayden
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hello there,

Thanks again to everyone who is helping to make openstack-ansible-security 
better!  Various members of the openstack-ansible team, the security team, and 
other OpenStack contributors have been providing help with reviews and reaching 
out to me via email and IRC.

As of today, all of the Ansible tasks and documentation for 
openstack-ansible-security have been proposed[1].  I'm working to fix up a few 
problems with AIDE and organize the documentation a bit better.

If anyone would like to join in the review process, many of these reviews are 
fairly simple as they contain an Ansible task or two, and small bits of 
documentation.  Here's what I'm really looking for in the reviews:

1) Does the Ansible task(s) and/or exception documentation cover the STIG's 
requirements?
2) Is the commit good quality? (Proper Ansible YAML and quality documentation)
3) Is there a better implementation than the one that is proposed?
4) Should certain changes be opt-in or opt-out that aren't currently configured 
that way?

Thanks again for all of the help.  Feel free to reach out to me anytime with 
any questions. :)

[1] 
https://review.openstack.org/#/q/status:open+project:openstack/openstack-ansible-security,n,z

--
Major Hayden


[openstack-dev] [openstack-ansible] Reviews needed: openstack-ansible-security

2015-10-08 Thread Major Hayden
Hey folks,

Now that the openstack-ansible-security role has been added to OpenStack, we're 
in need of some reviews[1]!

Many of these reviews are fairly easy to do as they involve a task or two plus 
a small amount of documentation.  Some reviews involve only documentation.  You 
can refer to each STIG requirement quickly using the STIG Viewer[2].  It's a 
great way for new folks to get started with reviews. ;)

Feel free to ask me any questions about any of the patches.  I'm in 
#openstack-ansible on Freenode as 'mhayden'.

[1] 
https://review.openstack.org/#/q/status:open+project:openstack/openstack-ansible-security,n,z
[2] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/

--
Major Hayden


[openstack-dev] [openstack-ansible] Security spec status update

2015-10-02 Thread Major Hayden
Hello there,

A couple of people were asking me about the status of the security spec[1] for 
openstack-ansible.  Here are a few quick updates as of today:

  * We've moved away from considering CIS temporarily due to licensing and 
terms of use issues
  * We're currently adapting the RHEL 6 STIG[2] for Ubuntu 14.04
  * There are lots of tasks coming together in a temporary repository[3]
  * Documentation is up on ReadTheDocs[4] (temporarily)

At this point, we have 181 controls left to evaluate (out of 264[5]).  Feel 
free to hop into #openstack-ansible and ask any questions you have about the 
work.

[1] 
http://specs.openstack.org/openstack/openstack-ansible-specs/specs/mitaka/security-hardening.html
[2] http://iase.disa.mil/stigs/Pages/index.aspx
[3] https://github.com/rackerlabs/openstack-ansible-security
[4] http://openstack-ansible-security.readthedocs.org/en/latest/
[5] https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] To NTP, or not to NTP, that is the question

2015-09-21 Thread Major Hayden
On 09/21/2015 07:14 PM, Sergii Golovatiuk wrote:
> Is there any chance to configure chrony instead of ntpd? It acts more predictably 
> on virtual environments.

That's my plan, if I can find an upstream Ansible galaxy role to use. ;)

--
Major Hayden


[openstack-dev] [openstack-ansible] To NTP, or not to NTP, that is the question

2015-09-18 Thread Major Hayden
Hey there,

I started working on a bug[1] last night about adding a managed NTP configuration 
to openstack-ansible hosts.  My patch[2] gets chrony up and running with 
configurable NTP servers, but I'm still struggling to meet the "Proposal" 
section of the bug where the author has asked for non-infra physical nodes to 
get their time from the infra nodes.  I can't figure out how to make it work 
for AIO builds when one physical host is part of all of the groups. ;)

I'd argue that time synchronization is critical for a few areas:

  1) Security/auditing when comparing logs
  2) Troubleshooting when comparing logs
  3) I've been told swift is time-sensitive
  4) MySQL/Galera don't like time drift

However, there's a strong argument that this should be done by deployers, and 
not via openstack-ansible.  I'm still *very* new to the project and I'd like to 
hear some feedback from other folks.

[1] https://bugs.launchpad.net/openstack-ansible/+bug/1413018
[2] https://review.openstack.org/#/c/225006/

--
Major Hayden


Re: [openstack-dev] [openstack-ansible] PTL Non-Candidacy

2015-09-15 Thread Major Hayden
On 09/14/2015 04:02 PM, Kevin Carter wrote:
> TL;DR - I'm sending this out to announce that I won't be running for PTL of 
> the OpenStack-Ansible project in the upcoming cycle. Although I won't be 
> running for PTL, with community support, I intend to remain an active 
> contributor, just with more time spent cross-project and in other 
> upstream communities.

I've only been working on the project for a short while, but I really 
appreciate your hard work and consideration!

--
Major Hayden
