13:01:42 <mvollmer> #startmeeting meeting
13:01:42 <zodbot> Meeting started Mon Apr 10 13:01:42 2017 UTC.  The chair is mvollmer. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:01:42 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
13:01:42 <zodbot> The meeting name has been set to 'meeting'
13:01:47 <mvollmer> .hello mvo
13:01:47 <zodbot> mvollmer: mvo 'Marius Vollmer' <marius.vollmer@gmail.com>
13:02:13 <garrett> .hello garrett
13:02:14 <zodbot> garrett: garrett 'Garrett LeSage' <garrett@lesage.us>
13:02:19 <stefw> .hello stefw
13:02:20 <zodbot> stefw: stefw 'Stef Walter' <stefw@redhat.com>
13:02:26 <pitti> .hello martinpitt
13:02:30 <zodbot> pitti: martinpitt 'Martin Pitt' <martin@piware.de>
13:02:32 <dperpeet_> .hello dperpeet
13:02:33 <zodbot> dperpeet_: dperpeet 'None' <dperpeet@redhat.com>
13:03:36 <mvollmer> #topic Agenda
13:03:40 <mvollmer> * Fedora 26
13:04:17 <stefw> * Authentication/Authorize protocol changes
13:05:21 <mvollmer> Alright!
13:05:32 <mvollmer> #topic Fedora 26
13:05:50 <mvollmer> I'll try to make progress to get our tests pass on Fedora 26
13:06:16 <mvollmer> pitti has done most of the work already for debian-testing I guess
13:06:38 <pitti> "most" is an exaggeration, just a few that were due to storaged >= 2.6.3
13:06:47 <pitti> happy to look at some others though, if you need a hand
13:06:57 <mvollmer> kubernetes doesn't work at all
13:07:11 <mvollmer> some access right issues and general config issues
13:07:40 <mvollmer> stefw, can you take a look at that?
13:07:43 <pitti> and multi-machine crashes with "fatal: Internal error in login process" which doesn't sound healthy either
13:08:23 <stefw> mvollmer, likely petervo would be the one to take a look at kubernetes on Fedora 26
13:08:25 <mvollmer> I had hard-coded some assumptions about NetworkManager 1.6 into cockpit, but I guess they aren't true.  I'll check those
13:08:29 <mvollmer> related to checkpoints
13:08:37 <mvollmer> stefw, okay!
13:08:38 <pitti> I had a similar error with the debian packaging, it was due to wrong perms of /usr/libexec/cockpit-session; could be selinux related (but just guessing)
13:09:03 <mvollmer> pitti, no, systemctl start kube-apiserver fails
13:09:04 <stefw> pitti, if you see a "fatal: Internal error in login process" and there's not additional reasons in the log
13:09:14 <stefw> then that's a bug in and of itself
13:09:29 <pitti> mvollmer: I meant multi-machine, not kubernetes
13:09:49 <pitti> I can look at the multi-machine bits if you want to, I've worked with that a fair bit
13:10:23 <mvollmer> pitti, yep, that would be great
13:10:46 <mvollmer> one reason to get f26 testing going is the ABRT stuff, which needs f26 for testing, afaiu
13:11:02 <pitti> I propose to make a todo list in the PR for coordination
13:11:14 <mvollmer> good idea
13:11:34 <stefw> so this blocks the ABRT pull request right?
13:11:36 <stefw> it should
13:11:43 <mvollmer> yes, it does
13:12:00 <stefw> in which case that should go into the todo list
13:12:14 <mvollmer> of the abrt pr?
13:12:16 <stefw> yup
13:12:47 <mvollmer> yep
13:12:58 <pitti> I added an initial three [ ], please add as you see fit
13:13:10 <pitti> but let's merge the storaged PR and re-run with that, to clear it up a bit
13:15:14 <mvollmer> yes
13:17:21 <mvollmer> okay, next topic?
13:17:43 <pitti> stefw:
13:18:54 <mvollmer> pitti, next topic?
13:19:38 <pitti> yes, that's why I pinged stefw, the "* Authentication/Authorize protocol changes" is next
13:19:42 <mvollmer> #topic Authentication/Authorize protocol changes
13:20:02 <stefw> In cockpit 138 there was a large cleanup related change
13:20:18 <stefw> we dropped somewhere between 5000-6000 lines of authentication related C code
13:20:39 <stefw> and in the process we changed the behavior of how cockpit expects to authenticate users
13:20:53 <stefw> this has not been a completely stable API yet, but i'd like to give a heads up on the change anyway
13:21:16 <stefw> In the cockpit protocol, there's an "init" message
13:21:17 <stefw> https://github.com/cockpit-project/cockpit/blob/master/doc/protocol.md
13:22:07 <stefw> usually that was the first message sent/received over the protocol, on each "hop" where the protocol is used, whether cockpit-ws <-> cockpit-bridge, or cockpit-ws <-> web shell
13:22:22 <stefw> or web shell <-> web component task (iframe)
13:22:32 <stefw> in 136 we started to allow sending "authorize" messages before the "init" message
13:22:48 <stefw> these really should be called "authenticate" messages, since they are used for much more than "authorize" stuff
13:23:00 <stefw> but due to compatibility reasons the "authorize" name has stuck.
13:23:36 <stefw> Up until 138 we used a complex SEQ_PACKET additional file descriptor to pass around authentication information to things like cockpit-session or cockpit-ssh
13:23:54 <stefw> from 138 forward, we use the "authorize" messages on the standard protocol for all sorts of authentication and authorization tasks
13:24:08 <stefw> this brings us back to a single protocol for communicating between the various parts of cockpit
13:24:16 <stefw> and makes the entire thing much easier to reason about
13:24:21 <stefw> hence the many thousands of lines of reduced code
13:24:46 <stefw> so still outstanding is updating this documentation: https://github.com/cockpit-project/cockpit/blob/master/doc/authentication.md
13:24:55 <stefw> and if everything looks good, we can mark the resulting protocol changes as stable
13:26:11 <mvollmer> nice!
13:26:17 <dperpeet_> great :)
13:27:08 <mvollmer> stefw, do you need help?
13:27:15 <stefw> i do need help with the documentation
13:27:23 <mvollmer> alright
13:27:29 <stefw> but i guess i'll see if pvolpe and i can combine forces to finish that off
13:27:49 <stefw> one last thing that's of note:
13:28:01 <stefw> cockpit-ws now makes no decisions about whether something is logged in or not
13:28:30 <stefw> once it gets an "init" message from either cockpit-bridge it figures the user is logged in
13:28:58 <stefw> that cockpit-bridge is launched via either cockpit-session or cockpit-ssh ... and it's up to those intermediate processes to properly authenticate the user before starting cockpit-bridge
13:29:10 <stefw> there is also very little concept of "which user has logged into cockpit"
13:29:50 <stefw> since it can be multiple users on different bridges ... or in the case of some pluggable authentication programs (a cockpit-session replacement in certain situations) ... no user with a real "name"
13:30:14 <pitti> there's also another followup here: while this cleaned up a lot of C code, it has aggravated the protection of the password -- it's now being copied around (and not cleaned up) much more often
13:30:56 <stefw> pitti, indeed, the decoding of the base64 basic user:password auth happens in more places
13:31:06 <stefw> and that's the source of that needing cleanup in more places
13:32:05 <stefw> the protocol is pretty much sound now ... but if there are places where needless copying is going on, or memory is not being cleared, those should be fixed as a follow up.
13:32:28 <stefw> eot here ... next is documentation and announcement to cockpit-devel
13:33:15 <mvollmer> alright
13:33:30 <mvollmer> #topic Other business
13:35:11 <mvollmer> Okay, looks like we are done.
13:35:14 <mvollmer> Thanks!
13:35:18 <mvollmer> #endmeeting