IRC logs for #baserock for Monday, 2016-08-22

*** dabukalam has quit IRC05:39
*** dabukalam has joined #baserock05:39
*** paulwaters_ has joined #baserock07:14
*** jonathanmaw has joined #baserock07:46
*** CTtpollard has joined #baserock08:03
*** rdale has joined #baserock08:08
*** anahuelamo has joined #baserock08:13
pedroalvarezpaulsherwood: if you run `git fetch https://gerrit.baserock.org/baserock/baserock/definitions refs/changes/78/2278/3 && git checkout FETCH_HEAD` in a definitions checkout08:14
pedroalvarez(command taken from the dowload dropdown menun in the top right)08:14
paulsherwoodpedroalvarez: tvm08:15
pedroalvarez:)08:16
* paulsherwood has forgotten everything about gerrit since he has been working primarily with gitlab and github08:17
jjardonpaulsherwood: hi, did you have, by any chance, time to work on the tar problem with gitlab?08:29
jjardonWell, gitlab public runners08:30
*** locallycompact has joined #baserock09:13
paulsherwoodjjardon: sadly, no. i think i'm going to need help with that09:18
*** paulwaters_ has joined #baserock09:33
*** brlogger has joined #baserock11:17
*** rdale has quit IRC11:22
*** rdale has joined #baserock11:23
paulsherwoodrjek: not sure i understand what you mean by "I don't think it should implement SSL/TLS.  There are too many gotchas13:53
paulsherwoodand pitfalls here."13:53
rjekYou'll get it wrong.13:54
paulsherwoodi was only re-using an existing library implementation13:54
rjekJust let a web server handle it13:54
paulsherwoodso you'd vote -1 against enabling cherrypy https support?13:55
rjekI would.13:55
paulsherwood:/13:55
paulsherwoodgiven cherrypy supports it, and the patch i linked to 'seems to work', what could i be getting wrong?13:58
paulsherwood(note - i'm ok with the idea that it's better to leave this to a web server, but there may be folks who would rather not have to set one up)13:59
rjekHow are you configuring the cipher selection?  The DH parameters?13:59
rjekPeople who can't be arsed deserve no security13:59
paulsherwoodlol13:59
paulsherwoodrjek: i want to improve kbas in this area. figuring out how to configure a web server seems a long way off my track, tbh14:04
* rjek has stated his position, you are free to ignore his opinion14:04
paulsherwoodi'm not ignoring it. i'm seeking help14:05
rjekIncluding the configuration snippets for a range of popular httpds in your README seems popular14:05
paulsherwoodrjek: i don't have any experience with httpds14:07
rjekLearning is good for the mind! :)14:08
rjeknginx snippet:14:08
rjeklocation /kbas/ {14:08
rjek        auth_basic "Restricted";14:08
rjek        auth_basic_user_file /etc/nginx/.htpasswd;14:08
rjek        proxy_pass http://kbas-server.admin.colo.codethink.co.uk:8000/;14:08
rjek}14:08
paulsherwoodrjek: would you mind writing up actual instructions for how to setup a kbas with nginx?14:09
rjekI would :)14:10
paulsherwoodwhy?14:10
rjekEver increasing todo list14:10
paulsherwoodsadly i guess i'll have to ignore your opinion on this after all, then14:12
rjekhttp://docs.cherrypy.org/en/latest/deploy.html#reverse-proxying14:12
rjekSomebody's already documented how to do it14:13
paulsherwoodironically, i took the openssl parameters for the ssl implementation from that very page14:20
paulsherwoodhttp://docs.cherrypy.org/en/latest/deploy.html#ssl-support14:20
paulsherwoodi assume it's just as likely (more likely in fact) that i can get the nginx setup wrong, as the ssl.14:22
rjeka) there are no SSL/TLS protocol parameters on that page, b) the page suggests using a snakeoil certificate14:22
rjekSo basically wrong.14:23
paulsherwood:)14:23
paulsherwoodwhat do you mean by snakeoil certificate? (i'm trying to understand, here, i really am)14:25
rjekIt's not created by a recognised certificate authority so the end user has no mechnism to assign trust to it unless they have been told the certificate's fingerprint out-of-band.14:25
rjekWithout additional configuration, wget and curl will refuse to talk to it, and most web browsers will make it difficult14:26
paulsherwoodso it's the self-signed cert you're calling snakeoil?14:27
rjekIt is.14:27
paulsherwoodok. for the limited usecase where kbas server originator doesn't care whether users trust or not (use at your own risk... but i self-certify)14:28
paulsherwoodand the users are only running ybd, would self-cert be sufficient?14:28
rjekWill you implement all the needed certificate checking and server certificate storage logic in ybd?14:30
paulsherwoodi don't know what that involves, tbh. aiui i'm only trying to establish an encypted pipe so that ybd can access kbas with a password that isn't plaintext14:31
paulsherwoodwhy would ybd need to care about the certificate etc?14:31
rjekHow else would you know you're talking to the real kbas?14:32
paulsherwoodurl14:33
* rjek poisons paulsherwood's DNS cache14:33
paulsherwoodif that happens, i've got bigger problems than ybd-kbas14:33
rjekIf you trust your traffic to never be man-in-the-middled, then you don't need TLS14:33
jmacsWould it be any easier to use SSH to secure this and tunnel kbas traffic over a forwarded port?14:34
paulsherwoodi think pedroalvarez suggested something like that14:35
richard_mawdoesn't that have the same authentication problem, just with ssh keys instead of ssl certificates?14:35
rjekAlso means a dedicated UNIX user, any of which can add or remove which keys are acceptable14:35
jmacsProbably; it's a case of which you understand. I have a better understanding of SSH keys than HTTPS certificates, and maybe others do too.14:36
rjeka) use an acceptable certification authority, b) have a web server with known-good TLS cipher and DH param defaults, c) have the ability to have more than one password/token14:36
rjeka) can be avoided if the client can be told to trust the self-signed snakeoil certificate14:37
rjek(But not just blindly trust any certificate)14:37
rjekThen you can use a trusted, out-of-band method of communicating that certificate14:38
richard_mawcould bake that signature into ybd, but that makes kbas a singleton14:38
paulsherwoodcan't we just add a conf value?14:38
rjekThat also means every kbas has the same private key, and thus anyone can impersonate anyone else's kbas, and in turn obtain the passwords/tokens14:38
paulsherwoodso what would ybd need to know, for a given self-signed cert?14:40
rjekI am still advocating that if you want security for a permanent kbas installation, you do it properly and spend the 20 minutes it takes to read the docs of your chosen web server and have it off-load it14:40
paulsherwoodand i am ok with that. i just want to understand what is possible/sensible without having to install a web server. there is at least one established kbas instance where no webserver is chosen14:42
paulsherwoodadding a webserver increases the attack surface, after all14:43
richard_mawthe alternative is expanding kbas' attack surface with something that isn't so widely peer reviewed and battle-tested isn't it?14:45
rjekAnd in a way that consumes a whole port/IP address14:47
paulsherwoodrichard_maw: i don't see how anything i'm suggesting expands anything - kbas already uses cherrypy, but only via http14:48
richard_mawadding https support is expanding the attack surface, as is adding a config option for certificate selection14:49
paulsherwoodso you would see that as worse than leaving the current plaintext implementation?14:53
rjekIt may give a false sense of security.14:53
rjekWe know the current system is unsecure against man-in-the-middle.  It would be a shame to imagine doing this made it more secure when infact it added nothing.14:54
paulsherwoodlol. i've used that argument myself, about automated tests :)14:54
richard_mawplus, if there's an SSL vulnerability that allows remote code execution, then that's worse than just being allowed to upload and download files it shouldn't14:54
rjekSo, let the extensively-tested peer-reviewed thing do the difficult bit14:54
richard_mawand if there is a mitigation to the SSL vulnerability, then there would be guides on how to reconfigure your web server to mitigate it, not so for applications that do their own SSL14:55
richard_mawbut no, I wasn't intending to say that adding SSL expanding the attack surface is worse than leaving it unsecure, just that it's a false equivalence to say that doing so via a web server is adding an attack surface where adding it to the application isn't14:56
paulsherwoodack14:57
richard_mawbut just because it's not the argument I was trying to make, doesn't mean it's not true14:58
* paulsherwood struggles to parse the triple negative15:07
* richard_maw wasn't arguing that not implementing SSL is better, but not implementing SSL might be better anyway15:08
paulsherwoodthat's still three negatives :) but i understand now, thanks15:09
* richard_maw could have sworn he cut it down to two non-overlapping ones15:11
locallycompacthaving no negatives often doesn't unconceal the same point as not having them15:11
paulsherwoodgaaaaaaaah :)15:11
*** mwilliams_ct has joined #baserock15:13
mwilliams_ctHi folks. Is it possible to spin up a Baserock VM on AWS? I'd like to deploy a trove In The Cloud15:15
richard_mawmwilliams_ct: not unless things have changed since I last tried15:16
rjekHas anyone tried getting Trove running on Debian/Ubuntu recently?15:16
mwilliams_ctrichard_maw: ack, I seemed to remember it wasnt possible. Any recollection of what the issue was?15:16
mwilliams_ctalso what rjek said15:16
locallycompactI thought AWS just offers their own supported images and that was it15:16
locallycompactI didn't see anything you could upload an iso15:16
richard_mawmwilliams_ct: the blockers were a lack of Xen drivers and that my attempt didn't include cloud-init15:16
richard_mawlocallycompact: it's possible to do your own images, but rigourously undocumented15:17
locallycompactI see15:17
richard_maw(though I did write up how to make the images at one point)15:17
mwilliams_ctrichard_maw: ok, that sounds delightfully painful. thanks for answering though!15:17
mwilliams_ctSo to echo what rjek asked, could I run Trove on Debian/Ubuntu?15:19
richard_mawmwilliams_ct: http://paste.baserock.org/ucubowitat is what I had written up15:20
richard_mawmwilliams_ct: I don't know about running it on Debian, but if you were to try it on Ubuntu it wouldn't work because they miscompiled one of the libraries gitano depends on15:21
mwilliams_ctrichard_maw: nice. does upstream Gitano know?15:21
richard_mawyes15:21
richard_mawwem15:21
richard_mawwe do15:21
mwilliams_ctack, so I can't even complain in #gitano :). OK, looks like I'm going to have to try it on debian15:22
richard_mawyou'll have to do local installs of all the bespoke components and I have no idea if the other components have sufficient versions packaged in debian15:22
mwilliams_ctrichard_maw: ok, thanks for the help. I think I'm just going to have to play around with it and see what happens at this point. At any rate, Trove In The Cloud seems a really useful thing to have15:25
richard_mawit already is if you're using an openstack rather than AWS15:25
mwilliams_cttrue, I am being bad and using The Cloud to mean AWS, which is specifically useful to me at this moment in time15:26
leemingI'm assuming no, but... anyone supporting sandboxlib currently? https://github.com/CodethinkLabs/sandboxlib16:11
leemingI have a feeling it breaks normal usage of python's loggers16:12
*** jonathanmaw has quit IRC16:53
*** locallycompact has quit IRC17:21
*** rdale has quit IRC19:04
*** rdale has joined #baserock21:55
*** rdale has quit IRC22:13

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!