#freedesktop on 2022-10-11 — irc logs at oftc.irclog.whitequark.org

2022-08-14 19:45 ChanServ changed the topic of #freedesktop to: https://www.freedesktop.org infrastructure and online services || for questions about freedesktop.org projects, please see each project's contact || for discussions about specifications, please use https://gitlab.freedesktop.org/xdg or xdg@lists.freedesktop.org

00:45 ybogdano has joined #freedesktop

00:47 Leopold has quit []

00:54 pitsch[m] has joined #freedesktop

00:54 alanc has quit [Remote host closed the connection]

00:55 alanc has joined #freedesktop

00:56 ybogdano has quit [Ping timeout: 480 seconds]

01:03 rgallaispou has quit [Read error: Connection reset by peer]

01:06 rgallaispou has joined #freedesktop

01:13 pitsch[m] has quit [Ping timeout: 480 seconds]

01:37 pendingchaos has quit [Ping timeout: 480 seconds]

01:48 kem has quit [Ping timeout: 480 seconds]

01:50 pendingchaos has joined #freedesktop

01:54 vsyrjala_ has joined #freedesktop

01:56 vsyrjala has quit [Ping timeout: 480 seconds]

01:58 kem has joined #freedesktop

02:10 marcel203s[m] has joined #freedesktop

02:14 Sumera[m] has joined #freedesktop

02:15 gnfzdz[m] has joined #freedesktop

02:32 ngcortes has quit [Quit: Leaving]

02:37 kem has quit [Ping timeout: 480 seconds]

02:46 nirbheek_ has joined #freedesktop

02:47 kem has joined #freedesktop

02:48 ttancos[m] has joined #freedesktop

02:55 ximion has quit []

03:22 kem has quit [Ping timeout: 480 seconds]

03:32 kem has joined #freedesktop

05:53 thaller has joined #freedesktop

05:54 nazarewk[m] has joined #freedesktop

06:01 gkiagia has joined #freedesktop

06:14 heftig has joined #freedesktop

06:17 miracolix has quit []

06:17 vbenes has joined #freedesktop

06:19 danvet has joined #freedesktop

06:35 ewlsh[m] has joined #freedesktop

06:39 bstrie[m] has joined #freedesktop

07:05 MajorBiscuit has joined #freedesktop

07:11 vsyrjala_ is now known as vsyrjala

07:19 tinywrkb has joined #freedesktop

07:40 chrysn[m]1 has joined #freedesktop

07:50 muhlinux[m] has joined #freedesktop

08:02 aenderboy[m] has joined #freedesktop

08:03 ximion has joined #freedesktop

08:03 pkira has joined #freedesktop

08:26 mvlad has joined #freedesktop

08:39 miracolix has joined #freedesktop

08:44 fahien has joined #freedesktop

09:00 kem has quit [Ping timeout: 480 seconds]

09:09 kem has joined #freedesktop

09:15 chipxxx has joined #freedesktop

09:21 gagallo7[m] has joined #freedesktop

09:31 fahien has quit [Quit: fahien]

09:31 fahien has joined #freedesktop

09:44 therickestrick001[m] has joined #freedesktop

09:49 AbleBacon has quit [Read error: Connection reset by peer]

09:55 Leopold has joined #freedesktop

10:20 scorpion2185[m]1 has joined #freedesktop

10:29 Leopold has quit []

10:34 fahien has quit [Ping timeout: 480 seconds]

10:37 Leopold_ has joined #freedesktop

10:56 fahien has joined #freedesktop

11:17 <thaller> btw, it seems that all gitlab-ci jobs on https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/jobs are "pending" and don't get started.

11:18 <thaller> I guess, it will resolve itself? Is there a link to a dashboard, where we can see the capacity/state for the gitlab-ci workers?

11:21 ximion has quit []

11:33 fahien has quit [Quit: fahien]

11:38 pkira has quit [Ping timeout: 480 seconds]

11:46 MajorBiscuit has quit [Quit: WeeChat 3.5]

12:08 pkira has joined #freedesktop

12:12 <daniels> bentiss: oh, that's interesting - so the static token would be one with access to all minio, and we'd lean on istio do to the per-req validation?

12:15 <glehmann> is mesa CI working okay? the sanity job for my MR is now pending for 45min

12:16 <daniels> glehmann, thaller: looking now

12:16 <thaller> daniels, some NM jobs started in the meantime... Still slower than usual.

12:18 <daniels> yeah, I think all the gst runners are on holiday ... alatiera?

12:28 <__tim> htz2 is doing stuff, htz3 + htz4 seem idle

12:29 kusma has joined #freedesktop

12:30 <bentiss> daniels: something like that, yes. I am still trying to get my head around it and seeing if this is possible, but given that istio allows to filter per req the access of the destination pod, we can implement any rule we want

12:34 thaller is now known as Guest2816

12:34 thaller has joined #freedesktop

12:36 <bentiss> daniels: FWIW, I already managed to secure a webservice by using https://www.openpolicyagent.org/docs/latest/envoy-tutorial-istio/, but the official istio documentation says we can use something slightly different in the way we implement an authorization pattern (https://istio.io/latest/docs/concepts/security/#authorization-architecture)

12:37 <bentiss> so I am kind of looking endlessly at the docs since yesterday :/

12:41 Guest2816 has quit [Ping timeout: 480 seconds]

12:45 <daniels> bentiss: hrmmm, it's not immediately obvious to me how you'd map that into an s3 req structure

12:47 <bentiss> daniels: the whole thing is that istio (+envoy) allows to add a proxy in front of a dedicated service. You can then attach any rule in front of that webservice, which are JWT validation, OPA calls, or any lua script (or a bunch of others)

12:48 <daniels> oh yeah, I just mean how you'd go about writing the approval rules in the istio auth yaml

12:48 <bentiss> so the plan is to trick ceph into believing the request initially contained the AWS token, when it was actually added by the proxy (and removed on the response)

12:48 <daniels> right

12:48 <bentiss> daniels: we keep using OPA :)

12:49 <bentiss> it's just the way of calling OPA which is not exactly the most current one on the OPA website

12:49 <bentiss> right now, they tell us to have a custom EnvoyFilter, but actually we can use a CUSTOM Istio authorization rule

12:51 <bentiss> Ideally I'd like to have only one way of writing the envoy filters (2 with OPA), and not 3 as it is now: JWT validated in Istio, OPA being called by EnvoyFilter and OPA (though I might have to add an EnvoyFilter to call the lua script)

12:52 <bentiss> because given that this is new, I can very much say "this is secure" when there is an obvious opened door

13:08 dcbaker has joined #freedesktop

13:10 dakr has quit [Read error: Connection reset by peer]

13:11 dakr has joined #freedesktop

13:11 <__tim> both htz3 and htz4 seem to be doing things now

13:12 <__tim> in the runners list it says that those are 'locked to a particular project' by admins, could that be related?

13:30 <daniels> bentiss: yeah, all that makes sense, just can't see how to write the istio rules, but let's see :)

13:30 <daniels> __tim: hmm, it's not showing as that by me, and it is working on multiple projects

13:31 DavidHeidelberg[m] has joined #freedesktop

13:31 <__tim> ok, so all good then?

13:32 <daniels> I think so!

13:32 <__tim> cool

13:39 <zmike> I just tried marging https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/18961 and it looks like the pipeline failed to start?

13:40 chipxxx has quit [Read error: Connection reset by peer]

14:02 <daniels> zmike: you mean the pipeline that's nearly finished?

14:03 <daniels> if it comes up with a brown pause icon that says 'pending', that means it's waiting for an available runner

14:10 MajorBiscuit has joined #freedesktop

14:10 Leopold_ has quit []

14:14 Haaninjo has joined #freedesktop

14:17 <zmike> daniels: yes, it's not surprising that it's nearly finished when you checked, but I assigned it 2 hours ago and it timed out after an hour without having started the pipeline

14:17 <zmike> I'm not sure I've seen it time out like that when starting the merge pipeline unless something is more deeply wrong

14:17 <daniels> yeah, people have been DoSing CI lately

14:17 <daniels> but that's what the brown pause icon means - it's waiting for a runner to become available

14:17 <zmike> who's DoSing it

14:18 <zmike> I'll have a talk with them

14:18 <daniels> mostly NetworkManager, but some dbus, some virgl, some Mesa

14:28 kem has quit [Ping timeout: 480 seconds]

14:37 kem has joined #freedesktop

14:39 <glehmann> do other projects (not mesa) run CI on every push?

14:40 <daniels> nope

14:40 <daniels> NM runs manually, but its testing is extremely heavyweight and ties our runners up for a long time

14:43 pkira has quit [Ping timeout: 480 seconds]

15:01 seb128 has joined #freedesktop

15:07 fahien has joined #freedesktop

15:09 fahien has quit []

15:51 ybogdano has joined #freedesktop

15:58 unrznbl[m] has joined #freedesktop

16:14 mitTengiz[m] has joined #freedesktop

16:18 Major_Biscuit has joined #freedesktop

16:20 MajorBiscuit has quit [Ping timeout: 480 seconds]

16:22 chipxxx has joined #freedesktop

16:29 <bentiss> daniels: alright, I think I'm done for today: I pushed the istiod deployment on gitlab-config, and the fdo-opa to attach on top of the new ceph rgw fdo-opa storage

16:30 <bentiss> daniels: so it adds a CUSTOM Istio authorization rule which is forwarded to OPA, and then there is the JWT token validation (haven't checked if it works and itf it is before or after OPA)

16:31 <bentiss> the policy will need to be updated because we don't have the full plain token in OPA, nor if this is the owner or not

16:32 <bentiss> right now I allow any request that claims to be AWS* token, meaning that the dashboard and the operator can talk to it

16:32 <bentiss> daniels: and if you want to play with it, there is also a foo namespace with an httpbin webservice where we can play with istio

16:38 Major_Biscuit has quit [Ping timeout: 480 seconds]

17:00 ___nick___ has joined #freedesktop

17:01 ngcortes has joined #freedesktop

17:05 ___nick___ has quit []

17:15 chomwitt has joined #freedesktop

17:26 halfline[m] has joined #freedesktop

17:26 ximion has joined #freedesktop

17:45 genpaku has quit [Remote host closed the connection]

17:48 genpaku has joined #freedesktop

17:59 ngcortes_ has joined #freedesktop

17:59 ngcortes_ has quit [Read error: Connection reset by peer]

18:03 ngcortes has quit [Ping timeout: 480 seconds]

18:30 thaller is now known as Guest2837

18:30 thaller has joined #freedesktop

18:34 Guest2837 has quit [Read error: Connection reset by peer]

18:35 thaller is now known as Guest2838

18:35 thaller has joined #freedesktop

18:37 Leopold has joined #freedesktop

18:38 thaller has quit [Read error: Connection reset by peer]

18:38 thaller has joined #freedesktop

18:41 Guest2838 has quit [Ping timeout: 480 seconds]

18:44 thaller is now known as Guest2839

18:44 Guest2839 has quit [Read error: Connection reset by peer]

18:44 thaller has joined #freedesktop

18:45 bendlas[m] has joined #freedesktop

18:53 chipxxx has quit [Read error: Connection reset by peer]

19:01 thaller has quit [Ping timeout: 480 seconds]

19:14 pv has joined #freedesktop

19:24 thaller has joined #freedesktop

19:31 AbleBacon has joined #freedesktop

19:32 thaller is now known as Guest2842

19:32 thaller has joined #freedesktop

19:38 Guest2842 has quit [Ping timeout: 480 seconds]

20:04 mvlad has quit [Remote host closed the connection]

20:04 ppascher has quit [Quit: Gateway shutdown]

20:05 cassidy[m] has joined #freedesktop

20:08 seb128 has quit [Quit: Ex-Chat]

20:11 Haaninjo has quit [Quit: Ex-Chat]

20:12 Guest2847 has joined #freedesktop

21:17 Leopold has quit [Ping timeout: 480 seconds]

21:18 Leopold has joined #freedesktop

21:29 hikiko_ has joined #freedesktop

21:32 hikiko has quit [Ping timeout: 480 seconds]

21:41 razze[m] has joined #freedesktop

21:46 danvet has quit [Ping timeout: 480 seconds]

21:49 ngcortes has joined #freedesktop

21:51 nielsdg has joined #freedesktop

22:40 chomwitt has quit [Ping timeout: 480 seconds]

22:41 Leopold has quit []

23:23 ppascher has joined #freedesktop

23:33 inpursuitofsilence[m] has joined #freedesktop