Re: [openstack-dev] [osc][python-openstackclient] osc-included image signing

2018-06-29 Thread Josephine Seifert
> On 06/29/2018 05:38 AM, Josephine Seifert wrote:
>> Hello Dean,
>>
>> thanks for your code comments so far.
>>
>>> Looking at the changes you have to cursive, if that is all you need
>>> from it those bits could easily go somewhere in osc or osc-lib if you
>>> don't also need them elsewhere.
>> There lies the problem, because we also want to implement signature
>> generation in nova for the "server image create". Do you have a
>> suggestion, where we could implement this instead of cursive?
>
> I was just chatting with Dean about this in IRC. I'd like to suggest
> putting the image signing code into openstacksdk. Users of
> openstacksdk would almost certainly also want to be able to sign
> images they're going to upload. That would take care of having it in a
> library and also having that library be something OSC depends on.
>
> We aren't using SDK in nova yet - but it shouldn't be hard to get some
> POC patches up to include it ... and to simplify a few other things.
>
> I'd be more than happy to work with you on getting the code in.
>
> Monty

That sounds like a good idea. We will try to integrate the code from
cursive into openstacksdk and update the review, story and etherpad
accordingly.


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [osc][python-openstackclient] osc-included image signing

2018-06-29 Thread Monty Taylor

On 06/29/2018 05:38 AM, Josephine Seifert wrote:
> Hello Dean,
>
> thanks for your code comments so far.
>
>> Looking at the changes you have to cursive, if that is all you need
>> from it those bits could easily go somewhere in osc or osc-lib if you
>> don't also need them elsewhere.
> There lies the problem, because we also want to implement signature
> generation in nova for the "server image create". Do you have a
> suggestion, where we could implement this instead of cursive?

I was just chatting with Dean about this in IRC. I'd like to suggest
putting the image signing code into openstacksdk. Users of openstacksdk
would almost certainly also want to be able to sign images they're going
to upload. That would take care of having it in a library and also
having that library be something OSC depends on.

We aren't using SDK in nova yet - but it shouldn't be hard to get some
POC patches up to include it ... and to simplify a few other things.

I'd be more than happy to work with you on getting the code in.

Monty



Re: [openstack-dev] [osc][python-openstackclient] osc-included image signing

2018-06-29 Thread Josephine Seifert
Hello Dean,

thanks for your code comments so far.

> Looking at the changes you have to cursive, if that is all you need
> from it those bits could easily go somewhere in osc or osc-lib if you
> don't also need them elsewhere.
There lies the problem, because we also want to implement signature
generation in nova for the "server image create". Do you have a
suggestion, where we could implement this instead of cursive?

Regards,
Josephine



Re: [openstack-dev] [osc][python-openstackclient] osc-included image signing

2018-06-28 Thread Dean Troyer
On Thu, Jun 28, 2018 at 8:04 AM, Josephine Seifert wrote:
>> Go ahead and post WIP reviews and we can look at it further.  To merge
>> I'll want all of the usual tests, docs, release notes, etc but don't
>> wait if that is not all done up front.
> Here are the two WIP reviews:
>
> cursive: https://review.openstack.org/#/c/578767/
> osc: https://review.openstack.org/#/c/578769/

So one problem I have here is the dependencies of cursive, all of
which become OSC dependencies if cursive is added.  It includes
oslo.log which OSC does not use and doesn't want to use for $REASONS
that boil down to assumptions it makes for server-side use that are
not good for client-side use.

cursive includes castellan which also includes oslo.log and
oslo.context, which I must admit I don't know how it affects a CLI
because we've never tried to include it before.  python-barbicanclient
is also included by cursive, which would make that a new permanent
dependency.  This may be acceptable, it is partially up to the
barbican team if they want to be subject to OSC testing that they may
not have now.

Looking at the changes you have to cursive, if that is all you need
from it those bits could easily go somewhere in osc or osc-lib if you
don't also need them elsewhere.

dt

-- 

Dean Troyer
dtro...@gmail.com



[openstack-dev] [osc][python-openstackclient] osc-included image signing

2018-06-28 Thread Josephine Seifert
Sorry, I wrote partially in German in my last mail. Here is the English
version ;)

> Go ahead and post WIP reviews and we can look at it further.  To merge
> I'll want all of the usual tests, docs, release notes, etc but don't
> wait if that is not all done up front.
Here are the two WIP reviews:

cursive: https://review.openstack.org/#/c/578767/
osc: https://review.openstack.org/#/c/578769/

On our setup the following tests succeeded:

1.A) Generate Private and Public Key without password

openssl genrsa -out image_signing_key.pem 4096
openssl rsa -pubout -in image_signing_key.pem -out image_signing_pubkey.pem

1.B) Generate Private and Public Key with password

export PASSWORD="my-little-secret"
openssl genrsa -aes256 -passout pass:$PASSWORD \
    -out image_signing_key.pem 4096
openssl rsa -pubout -in image_signing_key.pem -passin pass:$PASSWORD \
    -out image_signing_pubkey.pem

2.) generate Public Key certificate 

openssl rsa -pubout -in image_signing_key.pem -out image_signing_pubkey.pem
openssl req -new -key image_signing_key.pem -out image_signing_cert_req.csr
openssl x509 -req -days 365 -in image_signing_cert_req.csr \
    -signkey image_signing_key.pem -out image_signing_cert.crt

3.) upload certificate to Barbican

openstack secret store --name image-signing-cert --algorithm RSA \
    --expiration 2020-01-01 --secret-type certificate \
    --payload-content-type "application/octet-stream" \
    --payload-content-encoding base64 \
    --payload "$(base64 image_signing_cert.crt)"

4.) sign & upload image to Glance

openstack image create \
    --sign key-path=image_signing_key.pem,cert-id=$CERT_UUID \
    --container-format bare --disk-format raw --file $IMAGE_FILE $IMAGE_NAME
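
A by-hand counterpart to steps 1 to 4, as an added example that is not part of the original mail or of the prototype's code: it signs a constructed image with RSA-PSS/SHA-256, checks the signature against the public key in the certificate, shows that a modified image no longer verifies, and prints the image properties that carry the signature. The 2048-bit demo key, the temp-dir file names and the UUID placeholder are assumptions; the `img_signature*` property names are those of Glance's image signature verification feature, not taken from this thread.

```shell
#!/bin/sh
# Added example. Key, certificate and image below are throwaway demo material.
# -2 = maximum salt length when signing, auto-detect when verifying.
PSS="-sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2"

make_demo_material() {          # $1 = work dir; 2048 bits only for speed
    openssl genrsa -out "$1/image_signing_key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -subj "/CN=image-signing-demo" \
        -key "$1/image_signing_key.pem" -out "$1/image_signing_cert.crt" &&
    head -c 65536 /dev/urandom > "$1/demo.img"   # constructed stand-in image
}

sign_image() {                  # $1 = private key, $2 = image file
    # RSA-PSS signature over the SHA-256 digest of the image, base64 on one line
    openssl dgst -sha256 -sign "$1" $PSS "$2" | openssl base64 -A
}

verify_image() {                # $1 = certificate, $2 = image, $3 = signature
    tmp=$(mktemp -d) || return 2
    if openssl x509 -in "$1" -pubkey -noout > "$tmp/pub.pem" &&
       printf '%s' "$3" | openssl base64 -d -A > "$tmp/sig.bin" &&
       openssl dgst -sha256 -verify "$tmp/pub.pem" $PSS \
           -signature "$tmp/sig.bin" "$2" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

glance_properties() {           # $1 = signature, $2 = Barbican secret UUID
    printf '%s\n' \
        "--property img_signature=$1" \
        "--property img_signature_hash_method=SHA-256" \
        "--property img_signature_key_type=RSA-PSS" \
        "--property img_signature_certificate_uuid=$2"
}

demo() {
    work=$(mktemp -d) || return 2
    make_demo_material "$work" || return 2
    sig=$(sign_image "$work/image_signing_key.pem" "$work/demo.img")
    verify_image "$work/image_signing_cert.crt" "$work/demo.img" "$sig" &&
        echo "signature verifies against the certificate"
    printf 'X' >> "$work/demo.img"        # image modified after signing
    verify_image "$work/image_signing_cert.crt" "$work/demo.img" "$sig" ||
        echo "modified image rejected"
    glance_properties "$sig" "CERT_UUID_PLACEHOLDER"
    rm -rf "$work"
}
demo
```

Running the check against the certificate rather than the bare public key catches a certificate that does not belong to the signing key before anything is uploaded.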




Re: [openstack-dev] [osc][python-openstackclient] osc-included image signing

2018-06-28 Thread Josephine Seifert
Hi,

> Go ahead and post WIP reviews and we can look at it further.  To merge
> I'll want all of the usual tests, docs, release notes, etc but don't
> wait if that is not all done up front.
Here are the two WIP reviews:

cursive: https://review.openstack.org/#/c/578767/
osc: https://review.openstack.org/#/c/578769/

On our system the following test worked:

1.A) Generate Private and Public Key without password

openssl genrsa -out image_signing_key.pem 4096
openssl rsa -pubout -in image_signing_key.pem -out image_signing_pubkey.pem

1.B) Generate Private and Public Key with password

export PASSWORD="my-little-secret"
openssl genrsa -aes256 -passout pass:$PASSWORD \
    -out image_signing_key.pem 4096
openssl rsa -pubout -in image_signing_key.pem -passin pass:$PASSWORD \
    -out image_signing_pubkey.pem

2.) generate Public Key certificate 

openssl rsa -pubout -in image_signing_key.pem -out image_signing_pubkey.pem
openssl req -new -key image_signing_key.pem -out image_signing_cert_req.csr
openssl x509 -req -days 365 -in image_signing_cert_req.csr \
    -signkey image_signing_key.pem -out image_signing_cert.crt

3.) upload certificate to Barbican

openstack secret store --name image-signing-cert --algorithm RSA \
    --expiration 2020-01-01 --secret-type certificate \
    --payload-content-type "application/octet-stream" \
    --payload-content-encoding base64 \
    --payload "$(base64 image_signing_cert.crt)"

4.) sign & upload image to Glance

openstack image create \
    --sign key-path=image_signing_key.pem,cert-id=$CERT_UUID \
    --container-format bare --disk-format raw --file $IMAGE_FILE $IMAGE_NAME




Re: [openstack-dev] [osc][python-openstackclient] osc-included image signing

2018-06-20 Thread Dean Troyer
[Apologies for the delay in responding...]

On Fri, Jun 1, 2018 at 8:13 AM, Josephine Seifert wrote:
> our team has implemented a prototype for an osc-included image signing. We
> would like to propose a spec or something like this, but haven't found where
> to start at. So here is a brief concept of what we want to contribute:
>
> https://etherpad.openstack.org/p/osc-included_image_signing
>
> Please advise us which steps to take next!

This looks like a great addition, thanks!

I am not familiar with cursive, it is not a current dependency of OSC.
Also, does this depend on barbican client at all?  That is not a
direct dependency of OSC.  If it does have a hard dependency on
barbican client, we would need to handle the errors if it is not
installed.

We do not have a formal spec process in OSC, that etherpad[0] and
story [1] look good.  Tasks 19810 and 19812 could likely be done in
the same review depending on how things are structured.

Go ahead and post WIP reviews and we can look at it further.  To merge
I'll want all of the usual tests, docs, release notes, etc but don't
wait if that is not all done up front.

dt


[0] https://etherpad.openstack.org/p/osc-included_image_signing
[1] https://storyboard.openstack.org/?#!/story/2002128

-- 

Dean Troyer
dtro...@gmail.com



[openstack-dev] [osc][python-openstackclient] osc-included image signing

2018-06-01 Thread Josephine Seifert
Hi,

our team has implemented a prototype for an osc-included image signing.
We would like to propose a spec or something like this, but haven't
found where to start at. So here is a brief concept of what we want to
contribute:

https://etherpad.openstack.org/p/osc-included_image_signing

Please advise us which steps to take next!

Regards,
Josephine