20:00:00 <nitzmahone> #startmeeting Ansible Windows Working Group
20:00:00 <zodbot> Meeting started Tue Apr  5 20:00:00 2022 UTC.
20:00:00 <zodbot> This meeting is logged and archived in a public location.
20:00:00 <zodbot> The chair is nitzmahone. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
20:00:00 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
20:00:00 <zodbot> The meeting name has been set to 'ansible_windows_working_group'
20:00:08 <nitzmahone> bam
20:00:12 <briantist> heyy
20:00:12 <nitzmahone> #chair jborean93
20:00:12 <zodbot> Current chairs: jborean93 nitzmahone
20:00:19 <nitzmahone> hey hey
20:00:22 <jborean93> hey
20:00:32 <nitzmahone> #info agenda https://github.com/ansible/community/issues/644
20:00:36 <nitzmahone> nothing there so
20:00:39 <nitzmahone> #topic open floor
20:01:18 <jborean93> I've got nothing interesting to add, it's been a while since the last collection release so I'm probably going to do that this week or next
20:01:24 <nitzmahone> nice
20:01:34 <briantist> I got nothing much
20:02:02 <nitzmahone> Matt C and I were talking about some CI stuff- we might try to move some of the win_reboot stuff that's causing that test to fail to a unit test on the action
20:02:18 <jborean93> the incidental test?
20:02:32 <nitzmahone> We really don't need to rapid-fire it that way
20:02:39 <nitzmahone> Yeah
20:03:03 <nitzmahone> (though unless the real test has changed, I assume it'd suffer from the same problem)
20:03:08 <jborean93> I know the last time I briefly looked at it we wanted to try and enable reboot testing for the remote CI instances like RHEL, macOS, FreeBSD
20:03:45 <nitzmahone> That as well- he's got some stuff going that will properly separate the controller/remote groups so that can be done safely
20:03:54 <jborean93> nice
20:03:54 <nitzmahone> (on pure remote targets anyway)
20:05:20 <nitzmahone> The one that has problems (maybe it was only in 2.9, can't remember where all it lives now), rebooted the host again *immediately* after it came up, and sometimes the shutdown command fails
20:06:00 <nitzmahone> Not really much we could do there short of adding an arbitrary delay, but what the second reboot was testing could be equally well covered by a unit test, and much more cheaply :D
20:06:45 <nitzmahone> Anyway, nothing exciting from me...
20:06:59 * nitzmahone wonders if briantist's packet sniffing bore fruit last week
20:07:06 <briantist> yes, I figured out my DNS problem (&@#$%^ VPN client software)
20:07:10 <nitzmahone> hahaha
20:07:21 <nitzmahone> Been there
20:08:06 <nitzmahone> Well, if no new topics, we'll close at 10 after
20:08:15 <jborean93> I'm all good, got to get back to CI bashing
20:08:16 <briantist> it has a "feature", which prevents the client from using any DNS servers other than the ones they set, and the feature: only works on Windows, doesn't work with TCP DNS requests, and is on by default
20:08:27 <nitzmahone> ugh
20:08:41 <nitzmahone> So it was jacked under WSL then?
20:08:58 <briantist> so, everyone else I asked to try (on Macs) didn't see an issue, explains why my TCP requests worked, and explains why the networking team was not previously aware of it
20:09:14 <briantist> well, WSL uses the host's networking, it all had to go through the VPN
20:09:30 <briantist> Windows VMs on Macs were not affected, because the VPN software is on the Mac side
20:09:50 <nitzmahone> good times
20:09:52 <jborean93> heh, sounds like fun :)
20:09:56 <jborean93> at least you figured it out
20:09:58 <briantist> yup. glad that's over at least
20:10:30 <jborean93> I ended up giving up testing cert auth in GHA CI
20:10:37 <jborean93> What I thought the issue was, was not actually it
20:10:54 <briantist> oh?
20:10:59 <nitzmahone> Oh noes, what will the teeming masses that rely on that do? ;)
20:11:05 <briantist> ha
20:11:20 <jborean93> on a brighter side, httpx allows you to use a password protected key
20:11:31 <nitzmahone> bout damn time
20:11:33 <jborean93> allows you to specify a password to decrypt it which is nice
20:11:47 <nitzmahone> I wrote a PR for requests to do that, but I think they didn't like something about it, so I never went back to it
20:12:11 <jborean93> it honestly is pretty simple, the work is done on the SSLContext through a single method
20:12:29 <nitzmahone> I remember it being harder than it should've been for requests, but I don't recall why- twas several years ago
20:12:59 <jborean93> yea most likely an improvement to the `ssl` module has made it a lot easier
20:13:09 <jborean93> 3.x brought a lot of nice things to that
20:13:34 <jborean93> https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain - looks like it was 3.3 that added the password option
20:13:50 <nitzmahone> Yeah, that would certainly make it a lot easier :D
20:14:17 <nitzmahone> I might've been `ctypes`ing out to something which was why they didn't like it
20:14:34 <jborean93> So I lied it wasn't really httpx that made it easier, rather they accept the `SSLContext` directly and pypsrp can call this
20:15:55 <nitzmahone> The "you have to use an unencrypted key" thing was the way I usually talked $enterprise_users out of cert auth (when I couldn't get them to understand how awful it is to maintain in the first place)
20:16:19 <briantist> lolll
20:16:27 <nitzmahone> (oh, and that you *also* still have to maintain the local user's password)
20:16:46 <briantist> 🤷‍♂️"yeah sorry, I dunno, nobody supports encrypted keys"
20:17:43 <jborean93> + only works for local users
20:17:44 <nitzmahone> IIRC most of the time that came up, it was Linux admins that didn't know much about Windows and really seized on the cert auth as an analogue for SSH key auth on Windows
20:18:01 <nitzmahone> "no, it's really not the same at all, and you don't want it"
20:18:05 <briantist> the "only local users" thing is the strongest nail in the coffin imo
20:18:09 <nitzmahone> definitely
20:18:22 <nitzmahone> But the way the mapping is maintained is also pretty awful
20:18:27 <briantist> right
20:18:58 <nitzmahone> If you could just splat a cert issuer/thumbprint/whatever in AD and it worked, holy crap, that'd be awesome
20:19:22 <briantist> seriously, that'd be a gamechanger
20:19:34 <nitzmahone> I never really understood why they didn't do that, because that's basically how smartcard/PIV auth works
20:20:03 <jborean93> isn't that what Kerberos + PKINIT is meant for
20:20:18 <jborean93> (one of the things)
20:20:19 <briantist> I get the feeling that cert auth was something they put in to appease some VERY BIG CLIENT that paid them to, and the way it works is because that's exactly how that company wanted to use it
20:20:37 <jborean93> IIRC it's part of the CIM standard
20:20:41 <jborean93> CIM/WSMan
20:21:08 <jborean93> Then again so is `Digest` and they just state it doesn't work so you are probably right :)
20:21:44 <nitzmahone> Heh, I always remember thinking `Digest` would solve a lot of auth problems back when I used to host authenticated apps in IIS, but never once did it actually :D
20:21:55 <briantist> `ReadersDigest` enter your subscription number and UPC code from the latest issue (two factor)
20:22:09 <nitzmahone> Ms. Chanandler Bong
20:22:15 <nitzmahone> (oh wait, that was TV Guide)
20:22:31 * jborean93 ffs CI, why don't you fail when I need you to
20:22:32 <briantist> same demographic
20:23:16 <nitzmahone> jborean93: runme.sh test and forgot `set -eux`? ;)
20:23:27 <jborean93> unfortunately it's a pytest failure
20:23:45 <jborean93> https://github.com/jborean93/pypsrp/blob/44511d4eee2a46f07410abcc5a2100a7939ff770/tests/tests_psrp/test_sync.py#L940-L959 is failing with https://github.com/jborean93/pypsrp/runs/5828263213?check_suite_focus=true
20:23:54 <jborean93> > psrp._exceptions.PipelineFailed: A parameter cannot be found that matches parameter name 'Name'.
20:24:12 <jborean93> For whatever reason it's only on the sync test, async hasn't failed yet
20:24:50 <nitzmahone> also good
20:24:51 <briantist> async can't fail if you never check the result [thinking guy meme]
20:24:51 <nitzmahone> times
20:25:34 <nitzmahone> Heh, ansible should add some checks on that like Python and C# have :D
20:25:42 <jborean93> I'm trying to run only that test right now with debug logs enabled but no luck. Might have to just run the whole test suite with debug logs which takes a lot longer
20:25:50 <nitzmahone> ("hey, you never `await`ed this thing")
20:27:43 <nitzmahone> welp, til next week- thanks all!
20:27:45 <nitzmahone> #endmeeting