14:06:17 <sgallagh> #startmeeting OpenLMI Public IRC Meeting (2013-11-18) 14:06:17 <zodbot> Meeting started Mon Nov 18 14:06:17 2013 UTC. The chair is sgallagh. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:06:17 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 14:06:26 <sgallagh> #topic Roll Call 14:06:34 <sgallagh> .hellomynameis sgallagh 14:06:35 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com> 14:07:00 <tsmetana> .hellomynameis tsmetana 14:07:01 <zodbot> tsmetana: tsmetana 'Tomas Smetana' <tsmetana@redhat.com> 14:07:21 <sgallagh> #chair sgallagh tsmetana jsafrane 14:07:21 <zodbot> Current chairs: jsafrane sgallagh tsmetana 14:07:52 <rnovacek> .hellomynameis rnovacek 14:07:54 <zodbot> rnovacek: rnovacek 'Radek Novacek' <rnovacek@redhat.com> 14:08:05 <aledvink> .hellomynameis aledvink 14:08:07 <zodbot> aledvink: aledvink 'None' <aledvink@redhat.com> 14:09:03 <sgallagh> jsafrane: Are you around? 14:09:13 <jsafrane> sgallagh: yup 14:09:19 <sgallagh> ok 14:09:37 <sgallagh> #topic Pegasus per-user provider invocation 14:09:51 <sgallagh> jsafrane: You were telling me earlier about this? Mind repeating it for the meeting notes? 14:10:17 <jsafrane> Pegasus starts new provider for each logged-in user. One provider binary can run in parallel several times, each with different user. 14:10:28 <sgallagh> #info Pegasus starts new provider for each logged-in user. One provider binary can run in parallel several times, each with different user. 14:10:49 <sgallagh> These are separate processes, correct? 14:10:50 <jsafrane> This must be explicitly configured per-provider, we currently run everything as root (=only once) 14:10:58 <jsafrane> sgallagh: yes, separate processes 14:11:39 <sgallagh> So this is probably a little memory-heavy, but it does afford us the opportunity to use something like PolicyKit to track the audit as the user all the way through. 14:12:02 <sgallagh> The providers themselves are shared libraries that are dlopen()ed, right? 14:12:08 <jsafrane> yes 14:12:45 <jsafrane> forked from pegasus, through few exec()s to get the righ selinux context and dlopen() in the end 14:14:12 <sgallagh> Ok, so one good thing about that is that if I understand the shared library functionality of Linux correctly, there should only be one copy of that lib in memory. 14:15:07 <sgallagh> Of course, we don't really expect there to be more than one user operating on it at a time anyway 14:15:56 <tsmetana> don't we? i can imagine one user to list partitions while another one is creating a new one for example 14:16:11 <sgallagh> So, for the purposes of auditing, we probably want to go this route, since it will ensure that we know exactly what user is performing an action. 14:16:25 <aledvink> sgallagh: will there be exception to one person rule: r/o automated monitoring + r/w admin. 14:16:29 <sgallagh> tsmetana: Sorry, I should have phrased it as "in the common case, there will likely only be one user at a time" 14:16:52 <sgallagh> Or perhaps more importantly "We don't ever expect to be handling large numbers of users concurrently" 14:17:22 <tsmetana> sgallagh: yes... quite similar to the usual administration from a ssh session. 14:17:28 <sgallagh> Right 14:17:55 <sgallagh> #info OpenLMI does not expect to handle large numbers of users concurrently, but must be able to support more than one at a time. 14:18:05 <sgallagh> ^^ Satisfactory? 14:18:15 * tsmetana nods 14:19:34 <sgallagh> OK, so we should look into adjusting how we launch these providers (and authorize them with PolicyKit) in the next major development cycle of OpenLMI. 14:19:40 <sgallagh> Which is a good segue into... 14:19:53 <sgallagh> #topic Planning the next major development cycle of OpenLMI 14:20:27 <sgallagh> At this point, for a variety of reasons including business drivers, we have effectively frozen the first stable release of OpenLMI 14:21:13 <sgallagh> Collectively, I've been calling this "OpenLMI 1.0", even though the package versions of -providers, -storage, -networking, etc* have varied wildly. 14:21:45 <sgallagh> It might be prudent to formally declare a project level version to make it easier to talk about. 14:22:37 <tsmetana> let's name the -providers 0.4 and the dependant packages the OpenLMI 1.0 14:22:49 <sgallagh> Does anyone have a problem if we start talking about OpenLMI 1.0 as being "openlmi-providers 0.4.x, openlmi-storage 0.7.x, etc.)? 14:23:21 <tsmetana> i don't. 14:23:30 <aledvink> should add action to update the project page 14:23:54 <sgallagh> ok, so the one action item there would be for us to tweak the spec file for -providers so that the 'openlmi' metapackage identifies as 1.0.0 14:24:37 <sgallagh> tsmetana: Does that seem reasonable? The metapackage will then have strict Requires: identifying those versions that make it up. 14:24:38 <jsafrane> sgallagh: how often do we expect to bump the version? 14:24:56 <sgallagh> So if you have that package installed, it makes sure they all upgrade together (nothing gets ahead) 14:25:03 <sgallagh> jsafrane: Rarely, I'd say. 14:25:09 <tsmetana> sgallagh: yes. sounds good. 14:25:36 <jsafrane> I don't want to end up with OpenLMI 42.0.0 anytime soon 14:25:37 <sgallagh> jsafrane: The stable branches will be mainly bug and security fixes, not new functionality. 14:25:56 <sgallagh> jsafrane: Far from it; I'd be thinking of 1.0.1 and 1.0.2 there, 14:26:16 <tsmetana> jsafrane: the openlmi-1.0.0 metapackage would only pull the correct (bugfix) versions of the other packages (like openlmi >= 0.4.0 and <= 0.5.0) 14:26:26 <sgallagh> Maybe going to 1.1.0 if we add decide to include a few new features. 14:26:38 <jsafrane> sgallagh: so we'll keep the API compatibility principle? Use 2.0.0 only when API changes? 14:26:49 <sgallagh> tsmetana: Actually, I'd fix the versions to be ==, so we can guarantee which ones are tested together 14:27:13 <sgallagh> jsafrane: Tricky question :) 14:27:27 <tsmetana> sgallagh: hm... ok. 14:27:29 <sgallagh> I was thinking of marketing versions 14:27:48 <sgallagh> i.e. it becomes 2.0.0 when we have added something of extreme interest 14:28:12 <sgallagh> Whereas 1.1.0 is "we added a new provider and didn't change the others in an incompatible way" 14:28:20 <tsmetana> and 1.1.0 when we add something boring... and keep the api, right? 14:28:33 <tsmetana> ok. 14:28:53 <sgallagh> jsafrane: So if we ever made an incompatible change, that MUST bump the X release 14:29:09 <sgallagh> but we can choose to bump it just for our own reasons too. 14:29:14 <sgallagh> Does that seem reasonable? 14:29:59 <jsafrane> sgallagh: fine for me 14:30:03 <sgallagh> This isn't an API version number, just a label so that when we talk about OpenLMI 1.0, we know exactly which functionality was in it. 14:30:04 <tsmetana> yes 14:30:44 <sgallagh> #agreed We will declare OpenLMI 1.0.0 with the current releases of the assorted components 14:31:08 <sgallagh> #agreed Bumping the Z component will happen if we make bugfix releases of the components. 14:31:27 <sgallagh> #agreed Bumping the Y component will be for minor functionality additions with no compatibility breakage 14:31:51 <sgallagh> #agreed Bumping the X component will be for major functionality additions or any compatibility breakage. 14:32:21 <sgallagh> Ok, so with that in mind, shall we discuss plans for OpenLMI 1.1 and 2.0? 14:32:52 <sgallagh> I think if we're going to change the security/audit policy as discussed above, that's probably worthy of the 2.0 name, yes? 14:33:35 <jsafrane> sgallagh: is it that important change? imo it's just minor evolutionary change 14:34:17 <tsmetana> jsafrane: i wonder... do we plan to add some authorization/roles along with that? like using more namespaces for unprivileged users, etc. 14:34:18 <sgallagh> jsafrane: I was concerned it might be an incompatible change. If it's not, then sure 14:34:32 <sgallagh> tsmetana: I'd suggest that we probably don't want to do that in the first pass. 14:34:55 <sgallagh> And actually, we shouldn't need that if we're going the PolicyKit route, because that engine will handle the authorization for us. 14:35:04 <tsmetana> sgallagh: all right. then it's almost invisible from the (openlmi) user's perspective. in fact totally invisible if done right. 14:35:06 <sgallagh> We won't be able to *hide* functionality, but we'll be able to prevent its use 14:35:22 <sgallagh> tsmetana: Sounds great to me 14:36:09 <sgallagh> In the first pass, I suspect we'll just deliver with the standard fallback PolicyKit policy of "if you're in the %wheel group... have fun" 14:36:15 <tsmetana> sgallagh: this allows it to get introduced in some of the 1.y releases. 14:36:16 <sgallagh> And deny everyone else 14:37:42 <tsmetana> what exactly needs to be done for this feature? 14:37:46 <sgallagh> #agreed Converting to per-user provider backends will be an OpenLMI 1.1 feature 14:38:22 <sgallagh> tsmetana: In many cases, nothing. Since basically all of the D-BUS services we're talking to are already using PolicyKit authorization 14:38:31 <sgallagh> We're just going in as root, so it's auto-authorized. 14:39:12 <jsafrane> sgallagh: well, most services don't use dbus 14:39:45 <sgallagh> So for those services, we'll need to see which actions should be privileged and make sure they have a PolicyKit escalation attached. 14:40:11 <sgallagh> Where this is needed should become fairly obvious the moment we start invoking things as a user instead of as root 14:40:38 <sgallagh> Particularly if our test coverage is decent 14:41:29 <sgallagh> But it is certainly possible that I am oversimplifying the situation 14:43:05 <tsmetana> hm. we still use things like libuser, blivet, lm_sensors, hw detecting libraries (libpci, calling smartctl...), those need to be examined. 14:43:31 * sgallagh nods 14:43:44 <sgallagh> In a pinch, we can use pk_exec as well 14:44:12 <jsafrane> sgallagh: I'm pretty sure that blivet architecture doesn't support such operations 14:44:27 <jsafrane> sgallagh: it might get better with udisks 14:44:38 <sgallagh> Yeah, I know udisks *does* 14:44:59 <sgallagh> We don't necessarily have to switch everything over at once. 14:45:09 <sgallagh> We can improve things as the option becomes available 14:45:27 <sgallagh> And live with just the Pegasus and kernel audit logging for the gaps until we close them 14:46:13 <sgallagh> But like I said, if it came to it, we could always use pkexec(), which allows us to essentially wrap any other executable in a PolicyKit check 14:46:27 <sgallagh> So then we'd at least have logging at that layer 14:48:58 <sgallagh> Changing topics, besides this, what are some other high-level features we'd want to roll into 1.1? 14:49:26 <tsmetana> wsman support in the client? 14:49:28 <sgallagh> I think we may want to consider supporting a WS-MAN interface at that point 14:49:35 <sgallagh> tsmetana: You read my mind :) 14:50:12 <sgallagh> tsmetana: Support in just the client or also offering e.g. openwsman from the managed systems for other consoles to interact with? 14:50:54 <tsmetana> sgallagh: the latter should be fairly easy with the new pegasus. hopefully... 14:50:59 <tsmetana> jsafrane: right? ^^^ 14:51:11 <jsafrane> sgallagh: I checked last week that it's enough to enable wsman in Pegasus and it just works 14:51:43 <sgallagh> jsafrane: I thought I remembered hearing a while back that Pegasus' WS-MAN support was experimental and flaky. 14:52:05 <tsmetana> sgallagh: i run into problems with openwsman on top of pegasus. 14:52:08 <sgallagh> How does the built-in WS-MAN support compare with openwsman? 14:52:12 <sgallagh> hmm... 14:52:55 <jsafrane> sgallagh: it's hard to compare as we don't have any application which would test it thoroughly, just few simple scripts 14:52:56 <tsmetana> sgallagh: openwsman acts more like a proxy translating the wsman requests to cim-xml 14:53:11 <tsmetana> jsafrane: true. 14:53:45 <tsmetana> the wsman feature is quite new in pegasus i think. not sure how well it was tested by the others. 14:53:50 * sgallagh wishes kkampf was around today 14:55:19 <sgallagh> #info OpenLMI 1.1 should convert any providers for which there exists PolicyKit support to using per-user provider backends. 14:55:33 <sgallagh> #info OpenLMI 1.1 should add WS-MAN support for both client and managed systems 14:55:49 <sgallagh> We can dig into the details at a later date. 14:56:31 <sgallagh> We're about at the top of the hour. Let's plan to discuss OpenLMI 1.1 more at the next meeting. 14:56:37 <tsmetana> yes. we need to do some research on the protocol itself. the shell offers some features which might be complicted to mimick with wsman. 14:56:57 <sgallagh> #action sgallagh Add OpenLMI 1.1 planning to next week's agenda 14:57:25 <sgallagh> #topic Open Floor 14:57:34 <sgallagh> Three minutes left: anything for the open floor? 14:58:54 <tsmetana> nothing from me. 14:59:08 <jsafrane> nope 14:59:58 <aledvink> sgallagh: it's quite some time since I last asked pegasus upstream on the default settings for the wsman server part in pegasus. the answer was not clearly stating that it is problematic but in the meaning it's probably that ways since nobody checked the defaults for quite some time. 15:00:57 <sgallagh> aledvink: So we may be taking a lot of support efforts upon ourselves if we enable it? 15:01:05 <tsmetana> all: thank you. i have another meeting now... 15:01:26 <sgallagh> Thank you all. We'll resume this next week. 15:01:30 <sgallagh> #endmeeting