[Yahoo-eng-team] [Bug 1717707] Re: nova-compute failed to communicate with nova-conductor on start
** No longer affects: openstack-requirements

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1717707

Title:
  nova-compute failed to communicate with nova-conductor on start

Status in OpenStack Compute (nova):
  New

Bug description:
  Related to bug #1696094.

  A 'Timed out waiting for nova-conductor. Is it running? Or did this service start before nova-conductor? Reattempting establishment of nova-conductor connection...' error occurs in nova-compute.log when, on the compute node:

  1. no usable nameserver in /etc/resolv.conf
  2. only ipv4 or only ipv6 address of 'controller' (as rabbitmq server) is mapped in /etc/hosts
  3. use 'controller' as rabbitmq server in nova.conf

  The eventlet greendns has always been enabled by monkey_patch since 0.20.0, and this will introduce some compatibility problems, e.g.

  1. We create a connection to rabbitmq server using 'controller:5672'
  2. patched socket.getaddrinfo('controller', 5672, 0) is called by amqp (0 for both ipv4 and ipv6)
  3. greendns will use '127.0.0.1' as dns nameserver if there is no usable nameserver in /etc/resolv.conf
  4. greendns will perform name resolving for 'controller', ipv6 dns lookup will be performed if there is no ipv6 mapping for 'controller' in /etc/hosts, so is ipv4.

  One of the dns lookups leads to a timeout and causes the problem mentioned above.

  The original socket.getaddrinfo is ok with this situation; I think it's better not to use the eventlet greendns patch for now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1717707/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
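Added example (not part of the bug report, and not nova or eventlet code): a pre-flight check for the conditions listed in bug 1717707, run over the text of /etc/resolv.conf and /etc/hosts. The function names and sample file contents are constructed for illustration. "Usable nameserver" is taken here to mean a syntactically valid nameserver line, which is an assumption; reachability is not tested.

```python
import ipaddress


def _ip_version(text):
    """Return 4 or 6 for a valid IP literal (zone id ignored), else None."""
    try:
        return ipaddress.ip_address(text.split("%", 1)[0]).version
    except ValueError:
        return None


def configured_nameservers(resolv_conf_text):
    """Nameserver addresses in resolv.conf text that parse as IP literals."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.strip().split()
        if len(fields) >= 2 and fields[0] == "nameserver" and _ip_version(fields[1]):
            servers.append(fields[1])
    return servers


def hosts_families(hosts_text, name):
    """Address families (4 and/or 6) that the hosts text maps to name."""
    families = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            version = _ip_version(fields[0])
            if version:
                families.add(version)
    return families


def greendns_timeout_risk(resolv_conf_text, hosts_text, name):
    """Check the report's conditions for a getaddrinfo(name, port, 0) call."""
    servers = configured_nameservers(resolv_conf_text)
    families = hosts_families(hosts_text, name)
    return {
        "nameservers": servers,
        "hosts_families": sorted(families),
        # Families absent from the hosts file are the ones sent to DNS.
        "dns_lookup_for": sorted({4, 6} - families),
        # The report's case: no nameserver and exactly one family mapped.
        "at_risk": not servers and len(families) == 1,
    }


# Constructed sample files matching the compute node described in the report.
SAMPLE_RESOLV_CONF = "# no nameserver entries\nsearch example.test\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.10 controller  # rabbitmq\n"

if __name__ == "__main__":
    print(greendns_timeout_risk(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS, "controller"))
```
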
[Yahoo-eng-team] [Bug 1717847] [NEW] Policy does not work for trusts
Public bug reported:

see: http://lists.openstack.org/pipermail/openstack-dev/2017-September/122115.html

In short, the trusts APIs handle their policy in code rather than from the policy file. This is rather confusing seeing as we have policies for trusts in the policy json file which do nothing:
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json#L137-L142

We should set better default policies, and change the code to respect the policy files rather than handle the policy checking based on hardcoded values.

This change needs to be handled carefully (and made very obvious in release notes), because anyone using an older policy file once the change to respect the policy file is part of a release, will mean any authed user can list trusts because of the existing (and incorrect) default policy rules.

** Affects: keystone
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1717847

Title:
  Policy does not work for trusts

Status in OpenStack Identity (keystone):
  New
[Yahoo-eng-team] [Bug 1716746] Re: functional job broken by new os-testr
** Also affects: tacker
   Importance: Undecided
   Status: New

** Changed in: tacker
   Importance: Undecided => Critical

** Changed in: tacker
   Assignee: (unassigned) => yong sheng gong (gongysh)

** Changed in: tacker
   Milestone: None => queens-1

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1716746

Title:
  functional job broken by new os-testr

Status in networking-bgpvpn:
  Fix Released
Status in BaGPipe:
  Fix Released
Status in networking-sfc:
  Fix Released
Status in neutron:
  Fix Released
Status in tacker:
  In Progress

Bug description:
  functional job fails with:

  2017-09-12 16:09:20.705975 | 2017-09-12 16:09:20.705 | + /opt/stack/new/neutron/neutron/tests/contrib/post_test_hook.sh:main:L67: testr_exit_code=0
  2017-09-12 16:09:20.707372 | 2017-09-12 16:09:20.706 | + /opt/stack/new/neutron/neutron/tests/contrib/post_test_hook.sh:main:L68: set -e
  2017-09-12 16:09:20.718005 | 2017-09-12 16:09:20.717 | + /opt/stack/new/neutron/neutron/tests/contrib/post_test_hook.sh:main:L71: generate_testr_results
  2017-09-12 16:09:20.719619 | 2017-09-12 16:09:20.719 | + /opt/stack/new/neutron/neutron/tests/contrib/post_test_hook.sh:generate_testr_results:L12: sudo -H -u stack chmod o+rw .
  2017-09-12 16:09:20.720974 | 2017-09-12 16:09:20.720 | + /opt/stack/new/neutron/neutron/tests/contrib/post_test_hook.sh:generate_testr_results:L13: sudo -H -u stack chmod o+rw -R .testrepository
  2017-09-12 16:09:20.722284 | 2017-09-12 16:09:20.721 | chmod: cannot access '.testrepository': No such file or directory

  This is because new os-testr switched to stestr that has a different name for the directory (.stestr).
[Yahoo-eng-team] [Bug 1266962] Re: Remove set_time_override in timeutils
** Also affects: sahara
   Importance: Undecided
   Status: New

** Changed in: sahara
   Status: New => In Progress

** Changed in: sahara
   Assignee: (unassigned) => zhangyangyang (zhangyangyang)

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1266962

Title:
  Remove set_time_override in timeutils

Status in Ceilometer:
  Fix Released
Status in Cinder:
  Fix Released
Status in gantt:
  New
Status in Glance:
  Fix Released
Status in OpenStack Heat:
  In Progress
Status in Ironic:
  Fix Released
Status in OpenStack Identity (keystone):
  Fix Released
Status in keystonemiddleware:
  In Progress
Status in Manila:
  Fix Released
Status in neutron:
  In Progress
Status in OpenStack Compute (nova):
  Fix Released
Status in oslo.messaging:
  Fix Released
Status in oslo.utils:
  New
Status in python-keystoneclient:
  Fix Released
Status in python-novaclient:
  Fix Released
Status in rack:
  In Progress
Status in Sahara:
  In Progress
Status in tuskar:
  Fix Released
Status in zaqar:
  Fix Released

Bug description:
  set_time_override was written as a helper function to mock utcnow in unittests.

  However we now use mock or fixture to mock our objects so set_time_override has become obsolete.

  We should first remove all usage of set_time_override from downstream projects before deleting it from oslo.

  List of attributes and functions to be removed from timeutils:
  * override_time
  * set_time_override()
  * clear_time_override()
  * advance_time_delta()
  * advance_time_seconds()
[Yahoo-eng-team] [Bug 1266962] Re: Remove set_time_override in timeutils
** Also affects: rack
   Importance: Undecided
   Status: New

** Changed in: rack
   Status: New => In Progress

** Changed in: rack
   Assignee: (unassigned) => zhangyangyang (zhangyangyang)

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1266962

Title:
  Remove set_time_override in timeutils

Status in Ceilometer:
  Fix Released
Status in Cinder:
  Fix Released
Status in gantt:
  New
Status in Glance:
  Fix Released
Status in OpenStack Heat:
  In Progress
Status in Ironic:
  Fix Released
Status in OpenStack Identity (keystone):
  Fix Released
Status in keystonemiddleware:
  In Progress
Status in Manila:
  Fix Released
Status in neutron:
  In Progress
Status in OpenStack Compute (nova):
  Fix Released
Status in oslo.messaging:
  Fix Released
Status in oslo.utils:
  New
Status in python-keystoneclient:
  Fix Released
Status in python-novaclient:
  Fix Released
Status in rack:
  In Progress
Status in tuskar:
  Fix Released
Status in zaqar:
  Fix Released

Bug description:
  set_time_override was written as a helper function to mock utcnow in unittests.

  However we now use mock or fixture to mock our objects so set_time_override has become obsolete.

  We should first remove all usage of set_time_override from downstream projects before deleting it from oslo.

  List of attributes and functions to be removed from timeutils:
  * override_time
  * set_time_override()
  * clear_time_override()
  * advance_time_delta()
  * advance_time_seconds()
[Yahoo-eng-team] [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
** Changed in: ossn
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1668503

Title:
  sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  Won't Fix
Status in OpenStack Identity (keystone) newton series:
  Won't Fix
Status in OpenStack Identity (keystone) ocata series:
  Won't Fix
Status in OpenStack Identity (keystone) pike series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Keystone uses sha512_crypt for password hashing. This is insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing).

  The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512 instead of sha512_crypt.

  This bug is marked as public security as bug #1543048 has already highlighted this issue.