=== cppforlife is now known as cppforlife_
=== seelaman` is now known as seelaman
=== 18VABY2RP is now known as lazyPower
=== beuno_ is now known as beuno
jobotHello, I have tried to create my first charm. The install hook is here: http://paste.ubuntu.com/9759291/ , it fails on line 44 saying that the site does not exist. If you wouldn't mind giving me some guidance on this hook, it would be appreciated01:57
sarnoldjobot: I -think- you need to change this name: /etc/apache2/sites-available/suitecrm to /etc/apache2/sites-available/suitecrm.conf01:59
sarnoldjobot: there was a change somewhere along the way that I -think- requires the .conf extension on those files now.01:59
jobotOk. Thank you. I will try that :)02:00
blron utopic, cloud-utils is marked recommends for lxc-templates, which appears to result in failed container creation with the local provider02:16
blrpotentially I just had my machine in a weird state, but it seems curious.. might try in a clean vm02:17
=== kadams54 is now known as kadams54-away
=== axw_ is now known as axw
=== paulproteus_ is now known as paulproteus
=== kadams54 is now known as kadams54-away
=== urulama__ is now known as urulama
=== Spads_ is now known as Spads
Muntanergood morning08:54
MuntanerI'm quite new to Juju and having problems08:55
Muntanercan anyone help me? Am I in the right place?08:55
Odd_BlokeMuntaner: You are in the right place; ask a question and hopefully somebody will be able to answer it. :)08:57
Muntanerok! I have two laptops connected to the same networks, and
Muntaneron the second one, I installed devstack to do some tests08:58
Muntanerand I'm trying to deploy services from the first laptop08:59
Muntanerwith Juju, naturally :)08:59
MuntanerI set all the fields with juju-quickstart08:59
Muntanerand I get this error:08:59
MuntanerERROR juju.cmd supercommand.go:323 index file has no data for cloud {RegionOne} not found08:59
Muntaneris the devstack installation "incomplete" or I am doing something wrong on the first laptop?09:00
Muntanerit seems like the file "index.json" is missing from the devstack computer... I can read errors like these:09:01
Muntaner DEBUG juju.environs.simplestreams simplestreams.go:419 fetchData failed for "": failed to GET object images/streams/v1/index.sjson from container con-366ffb69922d4b7892e6bef71723947309:03
Muntanerand now I'm quite lost, don't know exactly what o do09:06
Muntanerto do *09:06
dimiternMuntaner, can you give me a bit more background please09:07
Muntanerwhatever you need!09:07
dimiternMuntaner, how is your deployment structured - 2 machines, each with 2 network interfaces?09:08
Muntanertwo laptops, connected to the same network with internet access. They have the local IPs I wrote - and
MuntanerI'm pretty sure they can see each other (from the first one, I'm able to login in the devstack running on the second one via the web browser)09:09
dimiternok, so are these IPs configured via DHCP or statically?09:09
MuntanerProbably static - I can't manage the network configuration09:10
dimiternMuntaner, also, it will help if you can use paste.ubuntu.com to share some logs to see what errors you're getting09:10
dimiternCan you give me a summary of the commands/operations you used?09:11
Muntanerhere it is: http://paste.ubuntu.com/9760532/09:12
MuntanerI used some basic commands... juju init, juju bootstrap, juju quickstart etc.09:13
dimiternso you're using juju-quickstart - let me ask some of the folks working on this09:13
dimiternrick_h_, hey, can you have a look at that log please ? ^^09:13
Muntaneryes, yesterday I arrived at the same error by configuring manually environments.yaml09:14
dimiternhow did you install juju-quickstart?09:15
Muntaner 1217  sudo add-apt-repository ppa:juju/stable09:15
Muntaner 1218  sudo apt-get update09:15
Muntaner 1219  sudo apt-get install juju-quickstart09:15
Muntanerif needed, I can copypaste my environments.yaml as well09:15
urulamadimitern: i'll ping frankban to look at that log, he should be joining soon.09:16
dimiternYes please - you can redact keys/passwords/etc. from it first09:16
dimiternthanks urulama!09:16
Muntanerhere is my environments.yaml: http://paste.ubuntu.com/9760545/09:18
Muntanercontrol-bucket and admin-secret have been autogenerated by clicking on the option in juju-quickstart09:18
dimiternMuntaner, hmm.. ok so I believe the issue is you'll need to run sync-tools first to generate metadata for your private openstack installation09:19
MuntanerI'll ask a very silly question now:09:19
dimiternMuntaner, I'll give you more info in a sec09:19
Muntanerdoes the laptop with devstack need to install anything about juju?09:19
Muntanerbecause, right now, it has nothing installed - just devstack09:19
dimiternMuntaner, assuming you want to use the devstack laptop as "the cloud", no - you install the juju client (quickstart does that for you) and use it to bootstrap an environment on the other laptop09:20
Muntanerexactly, that was the test I wanted to do09:21
Muntanerjust to get involved into the software and try some charms09:21
dimiternMuntaner, that's *awesome* - thanks for trying Juju out!09:23
dimiternMuntaner, I'm checking a few places first, but I think I can help you with your issue09:23
MuntanerThanks, I already tried it in my laptop only - deploying Wordpress + MySQL has been a piece of cake :)09:23
dimiternMuntaner, ok, so let's try the easiest thing first09:30
dimiternMuntaner, add the following to your environments.yaml, e.g. just after the line "username:", with the same indentation09:30
dimiternMuntaner, agent-metadata-url: https://streams.canonical.com/juju/tools09:32
dimiternMuntaner, sorry - for 1.20.x use "tools-metadata-url" instead09:33
dimiternor agent-metadata-url09:33
Muntanerok, I try now and give feedback09:33
dimitern..instead *of09:33
dimiternMuntaner, then, run $ juju bootstrap --debug 2>&1 > juju-bootstrap.log and paste that please09:34
Muntanerseems like nothing changed - juju-bootstrap.log is empty09:36
MuntanerI can copypaste whatever is needed09:37
dimiternMuntaner, did you see output on the console?09:38
Muntaneryes, looks like they are the same errors09:38
Muntanernew environments -> http://paste.ubuntu.com/9760637/09:39
dimiternMuntaner, hmm.. that's weird.. I'll have a look at the code to see what's happening09:40
dimiternMuntaner, before anything - please try running $ juju-quickstart --upload-tools --debug and paste the log09:43
Muntaneryes, just a sec09:45
dimiternbtw I've reported a bug for your issue against quickstart, so we can think how to improve the experience in cases like yours - https://bugs.launchpad.net/juju-quickstart/+bug/141157409:53
mupBug #1411574: quickstart should detect private clouds somehow and generate metadata url in the environments.yaml <juju-quickstart:Confirmed> <https://launchpad.net/bugs/1411574>09:53
dimiternMuntaner, you might later try following the docs here - https://juju.ubuntu.com/docs/howto-privatecloud.html#deploying-private-clouds09:55
MuntanerI'm back now, sorry09:56
Muntanerresult of juju-quickstart --upload-tools --debug: http://paste.ubuntu.com/9760712/09:59
dimiternMuntaner, thanks, it's weird how nothing has changed though.. try $ juju metadata validate-images and then also $ juju metadata validate-tools ?10:05
Muntanerjuju metadata validate-images: http://paste.ubuntu.com/9760764/10:08
Muntanerand juju metadata validate-tools: http://paste.ubuntu.com/9760771/10:09
=== rvba` is now known as rvba
Muntanershall I try something else, guys?10:19
dimiternMuntaner, thanks, will get back to you shortly10:23
dimiternMuntaner, let's try adding "images-metadata-url: http://cloud-images.ubuntu.com/releases/" to environments.yaml and re-run $ juju metadata validate-images10:40
Muntanerat the moment devstack isn't running - I'll try this in minutes10:42
dimiternok, no worries10:43
Muntanerdid we just discover a hidden bug or this may be my bad configuration of the "net" ?10:44
dimiternMuntaner, well, for one - it's definitely a bug with quickstart, as the user experience can be improved11:04
dimiternMuntaner, but the reason it fails is insufficient configuration, so it's not a juju bug - at least not yet11:05
Muntaneraw ok. Now, I'm installing Ubuntu Server on the devstack laptop11:09
dimiternMuntaner, what happened with devstack btw? why do you need to do this now?11:10
Muntanerdimitern, laptop owner decided to do so, needs Ubuntu server for other stuff. Btw, the previous devstack installation is "safe" on another partition with Linux Mint (the OS with which I was experimenting and encountered the problems)11:13
dimiternMuntaner, ok, thanks for the info; I'll need to finish some other stuff now, but please let me know if you still have issues later.11:14
gnuoy`jamespage, did you see my request for a review of https://code.launchpad.net/~gnuoy/charms/trusty/ceph-radosgw/next-support-ha/+merge/243263 if you have time?ay ?11:17
Muntanerdimitern, I did what you suggested12:33
MuntanerI get the same error12:33
dimiternMuntaner, what did you do last?12:34
MuntanerI'm pasting it for you12:34
Muntanerthe environments.yaml is: http://paste.ubuntu.com/9761347/12:35
dimiternMuntaner, I think I have a solution - try these steps: 1) keep tools-metadata-url set as before; 2) run $ juju metadata generate-images -d $HOME/.juju/metadata (paste any errors); 3) run $ juju metadata validate-images -d $HOME/.juju/metadata (should be fine, but again paste any errors); 4) run $ juju bootstrap --debug --metadata-source $HOME/.juju/metadata and paste the output12:37
dimiternMuntaner, but first, remove "images-metadata-url" from environments.yaml12:37
Muntanerdimitern, error: unrecognized command: metadata generate-images12:39
dimiternMuntaner, sorry - generate-image12:40
Muntanerdimitern, ERROR image id must be specified12:41
MuntanerI'll be back in an hour12:41
Muntanerboss calling, see you later12:41
Muntanerand thanks :)12:42
dimiternMuntaner, np - re that error, yes sorry - specifying image id (-i <..>) for generate-image is required. You need to know your devstack available images. Here's an article providing pretty much all you need I think - http://blog.felipe-alfaro.com/2014/04/29/bootstraping-juju-on-top-of-an-openstack-private-cloud/13:01
=== Darkwing_ is now known as Darkwing
=== jrwren_ is now known as jrwren
Muntanerdimitern, thanks, I'm following that post13:49
dimiternplease let me know if you're successful13:52
Muntanerdimitern, is it hard to write own charms?14:25
dimiternMuntaner, :) depends on what the charm does, but for simple things it's not hard at all14:26
dimiternMuntaner, here's the right place to ask just this - any one of the guys like jcastro, lazyPower, mbruzek, from the ecosystem team can help you with that14:29
* lazyPower reads scrollback14:29
lazyPowerMuntaner: thats subjective :) but if you were to ask me 1:1 i'd say - "Charm development isn't hard - but writing *good* charms requires a fair amount of thought and testing"14:31
Muntanerit's fine! was just curious about that ;)14:31
Muntanerbtw, dimitern14:31
MuntanerI'm reading that post, I jumped the whole part inherent to OpenStack Glance14:31
lazyPowerthats one of the things I love about charm development, its like any other software project. its an iterative process and you can prototype quickly in bash before you commit to a config management framework14:31
lazyPowerregardless of that being something like chef/puppet or using our own charm helpers libraries to greenfield develop in python.14:32
dimiternMuntaner, yeah - that happens to be the most important part :)14:39
nicopaceMuntaner: two days ago, i implemented a simple charm pretty quickly. You can look at it, it is pretty small in LOCs :) https://code.launchpad.net/~nicopace/+junk/simplewebservercharm14:39
Muntanerin your opinion, what is the best language to implement charms? is Java fine?14:43
mbruzekMuntaner you could14:44
mbruzekMuntaner: but as a Java developer I have tried that and it is not easy.14:44
jrwrenMuntaner: python14:44
mbruzekMuntaner: Technically you could write a charm in anything that runs on Ubuntu14:44
jrwrenMuntaner: the charm-helpers library makes python for charms the best.14:45
mbruzekMuntaner: but setting up the Java environment was a hassle for me, just to write the charm hooks in Java14:45
jrwrenyou'd have to write part of the install hook in some other language to install the JRE.14:46
mbruzekbut Muntaner it can be done14:46
lazyPowerMuntaner: the fact is we support close to anything/everything - so long as you can encapsulate the logic in a format that resembles the events we model with the hooks. So as a java developer you can certainly write hooks in java but your pre-install will require you to install a JRE, and any third party deps you require - another option would be to write them in scala which is similar to java, but not quite right?14:46
Muntanerok, I understand. Thanks for this lot of info14:48
mbruzekMuntaner: As a fellow Java Developer, I would be willing to help you with any questions you might have.  Please feel free to IM me on IRC14:49
Muntanermbruzek, thanks a lot :)14:49
mbruzekno problem at all14:49
josembruzek, lazyPower, marcoceppi_, tvansteenburgh1: if any of you guys have a minute to do a review, I've got a critical security fix on the waitlist (queue not updating), mind taking a look? https://code.launchpad.net/~jose/charms/precise/owncloud/fix-poodle/+merge/246208 https://code.launchpad.net/~jose/charms/trusty/owncloud/fix-poodle/+merge/24620515:11
jshiehsorry to be off topic, but looking for macfarlan or a. rosales...a good channel to find either of them?15:24
lazyPowerjshieh: arosales is CO based and should be around within the hour here.15:24
lazyPowerjose: in standup will sync with you afterwards15:24
josesounds good, thanks lazyPower!15:25
=== Guest8667 is now known as balloons
=== roadmr is now known as roadmr_afk
Muntanerdimitern, got some news16:15
dimiternMuntaner, is it good? :)16:17
Muntanerdimitern, no, lol, I got new errors16:21
Muntanerdimitern, if you want I can copypaste them for you16:22
dimiternMuntaner, yes please16:25
Muntanerdimitern, http://paste.ubuntu.com/9762355/16:27
Muntanercare, it's quite long16:27
=== roadmr_afk is now known as roadmr
=== kadams54 is now known as kadams54-away
arosalesjshieh: hello16:41
arosalessorry my network was done earlier this morning16:41
=== kadams54-away is now known as kadams54
Muntanerdimitern, I'm going crazy, lol16:56
dimiternMuntaner, *much* better!16:57
dimiternMuntaner, you've managed to bootstrap almost :)16:57
Muntanerdimitern, wow! :D16:57
Muntanerdimitern, yep, what remains now?16:57
dimiternMuntaner, but the image metadata seems incomplete - try validate-images and also make sure that image id b2731f9e-6971-4c91-bea3-39aa0e23e15b is in it16:58
=== kadams54 is now known as kadams54-away
=== kadams54-away is now known as kadams54
dimiternMuntaner, but first - change tools-metadata-url back and drop --upload-tools from bootstrap17:00
dimitern*back to what it used to be (I see it empty)17:00
dimiternI have to go unfortunately17:01
=== urulama is now known as urulama__
=== kadams54 is now known as kadams54-away
=== mbarnett` is now known as mbarnett
nicopaceHi guys.. is there any way that a charm is run using python2?18:22
asanjarmwak_: hi there, cory_fu said you had some issues with hadoop charm?18:23
cory_fuasanjar: mwak_ had to leave for the weekend.  :/18:24
cory_fuWe'll have to reconvene on Monday18:25
asanjarcory_fu: do you have his email?18:25
cory_fuNo.  :/18:25
asanjarokay then, we wait till Monday18:25
jrwrennicopace: What do you mean? charm hooks are run as binaries or #! directive. #!/usr/bin/python is python218:26
nicopaceyes... when i specify python3 as the hook.py interpreter, it says 'bad interpreter'18:27
nicopacei ssh-ed into the unit, and it seems python3 is not installed!18:27
nicopacejrwren: ^18:28
avoinenicopace: try with #!/usr/bin/env python218:30
lazyPowernicopace: is this a precise host? i tend to use env to route those properly18:30
avoineor just #!/usr/bin/env python actually18:31
lazyPoweralso just saw your email to the list about apache2 tests - i haven't dug in, but thanks for taking a look at that :)18:31
nicopaceoh... if it is precise it uses python2 by default?18:31
nicopacelazyPower: :D18:31
lazyPowernicopace: python2 is default across precise/trusty18:32
lazyPowerbut trusty has python3 interpreter in the base image i do believe, if not it's a simple apt-get install away18:33
nicopaceavoine, lazyPower: that actually works, but as i'm using charmhelpers i need python318:33
lazyPowercharmhelpers is python2 compliant18:33
lazyPoweras is amulet18:33
nicopacethat's strange... i think it is failing because it requires six18:34
lazyPowercan you hand me a stacktrace of what you're looking at? we've had some issues with test dependencies in the past18:34
lazyPoweri think tvansteenburgh1 was the one that put a lot of those fixes in place during our last bug-run.18:34
lazyPowerhe's kind of a big deal when it comes to fixing python dependency chains :)18:35
=== kadams54 is now known as kadams54-away
=== kadams54-away is now known as kadams54
nicopacelazyPower: http://paste.ubuntu.com/9763023/18:40
nicopacethe problem is that charmhelpers is requiring six, and it is not installed18:41
lazyPoweryep, missing python dependency on the host. Which provider is this?18:41
lazyPowerinteresting, thats a cloud image.18:41
lazyPowerif you add python-six to the install routine of the charm does it work as expected?18:42
lazyPoweras in (apt-get install python-six)18:42
nicopacei can't, as i'm using hooks.py18:42
nicopacewell... i can, but i have to add a middleman18:42
lazyPowernicopace: typically when there are pre-deps the install hook becomes a shell script that then calls hooks.py18:50
captineeve all.  can someone point me to where i can figure out what is causing the below (first time trying juju and trying to get it to use br0 for local containers to get network ip's..18:53
captineERROR juju.provisioner provisioner_task.go:418 cannot start instance for machine "2": container failed to start18:53
captinesame error for machine 118:53
lazyPowercaptine: that can be for a variety of reasons and its not really clear unfortunately18:55
lazyPowercaptine: i'm assuming this is with regard to bridging for reaching into the containers from outside your host right?18:56
captinelazyPower, am guessing18:56
captinesince the last time we were chatting, i havent looked at things until now18:56
lazyPowercaptine: when we last left off, we had just gotten the bridge adapter created and you were working through a bootstrap18:58
lazyPowerwe need to look @ your template container configs and ensure the networking was applied to those - i'm betting it wasnt and we have a few options18:58
captinetemplate container configs?18:59
lazyPoweryou'll need to inspect the 'config' file in /var/lib/lxc/juju-$series-lxc-template18:59
lazyPoweri bet its pointing at lxcbr018:59
lazyPowerthese template containers get cloned to create the local provider machines18:59
captinelet me check it19:00
lazyPowerthe line we are concerned with is: lxc.network.link = lxcbr019:00
lazyPoweryou'll need to change that to br0 and give it another go19:00
captinechanged them both19:01
captineso now do i destroy the 2 machines19:01
captineand bootstrap again?19:01
captineok.  crossing fingers19:04
nicopacelazyPower: sorry, i had to go out for some minutes19:05
nicopacei understand19:05
nicopacei'll try that19:05
lazyPowernicopace: no worries19:05
captinelazyPower, assuming this works, is there a way to stop the lxc containers starting automatically?  may want to only start manually>?19:05
lazyPowercaptine: there is but i'm not aware off the top of my head19:05
captinenp.  will google19:06
lazyPoweri'm fairly certain we are generating jobs in /etc/lxc/autostart or something similar to that19:06
lazyPowerit *should* be as simple as removing those, but i cannot be certain as I have not done so before. Typically when i have containers I want to control i dont create them with juju19:06
lazyPoweri build them with lxc-create19:06
stubnicopace: if you look at charmhelpers/__init__.py you should see some bootstrap code that installs python-six packages. If it is empty, you can fix it by getting that file synced in.19:07
captinelazyPower, does it work the same way with lxc-create?19:08
captinewould i need to do something to get br0 to be used?19:08
lazyPowercaptine: its 100% manual. you get zero magic from juju19:08
captinelazyPower, not sure it is working.  agent state has been "pending" for 10 minutes19:19
lazyPowercaptine: it should be up within 30 seconds depending on disk io19:19
lazyPowerso, if its still pending we have hit another issue19:20
captinemaybe i didnt destroy everything correctly.19:20
lazyPowerwhat I suggest is actually removing those templates19:20
lazyPowerdestroy-environment, remove the templates19:20
captinefrom /var/lib/lxc/juju19:20
lazyPowersudo lxc-destroy --name19:20
lazyPowerremove any containers that are related to juju, destroy the local environment with -y --force, and then start from step 1, it'll re-download the templates and generate them according to the config19:21
captinelxc-destroy -- is that to remove the templates19:22
captineor do i just rm -rf the templates?19:22
captinefrom /var/lib....19:22
lazyPoweri would use lxc-destroy19:22
lazyPowerwe're basically resetting your local provider environment to square 119:23
lazyPowerby removing the templates and containers, we're eliminating any traces of old config19:23
lazyPowerand letting juju perform the setup according to the files we edited in our prior session19:23
captinenothing in /var/lib/lxc/19:24
captinebootstrapping now19:25
marcoceppi_lazyPower arosales jcastro: maas just got a little more interesting https://insights.ubuntu.com/2015/01/15/virtualbox-extensions-for-maas/19:29
captinelazyPower, still not working.  should i remove lxc and juju with apt-get purge?  then start again?19:33
lazyPowercaptine: its hard to say depending on why the containers are failing to start. can you try starting the container manually so we can debug?19:33
captinelazyPower, so the container is not up (  "1":19:34
captine    instance-id: pending19:34
captine    series: trusty19:34
captinehow do i manually start that (sorry for pasting multiple rows.  didnt think it would do that)19:34
lazyPowersudo lxc-start --name $container-name -d19:35
captineso would the name be "1"?19:35
lazyPowernegative, thats in the output from sudo lxc-ls --fancy19:35
captinewell.  guess what.  my machine must just be slow19:36
captinejust checked status again, and i see an ip address19:36
lazyPowernice :)19:36
lazyPowerremember on first boot19:36
lazyPowerit's going to download those templates19:36
lazyPowerso juju deploy cs:precise/wordpress -- the very first time its pulling down the 200mb cloud image and building that template container19:37
lazyPowerthen it clones it and kicks off the charm19:37
captinelazyPower, thanks a mil.  I am connecting and it is working well19:39
captinenow the learning starts :)19:39
lazyPowercaptine: glad we got you sorted :) make sure you tell your friends about us here in #juju19:40
arosalesmarcoceppi_: thanks for the link taking a look19:40
=== roadmr is now known as roadmr_afk
captinelazyPower, just a question.. maybe a dumb one.  i don't need to ssh to these lxc containers to run apt-get update and apt-get upgrade?  or do I?19:58
captinedo they update when i run it on the host?19:58
lazyPowerthey dont19:59
lazyPowerthink of them as isolated VM's. you'll need to apt-get update/upgrade19:59
captinecool. so i can install management software into them etc.  very cool.19:59
lazyPowerand its typically a good pattern to adopt in your charm to do that during the install hook - but certain members like jrwren have their own opinions about it.19:59
lazyPoweri reference you not out of finger pointing but knowing that you have good and valid reasons for avoiding that pattern jrwren <320:00
captinewell, it will be months/years away from writing charms.  am an accountant by trade, so don't get much time for my tech hobby :)20:00
captinelazyPower, what was ur blog address again for the setup of br0 etc... it didn't seem to save in my favourites20:03
lazyPowercaptine: blog.dasroot.net20:03
lazyPowercaptine: it would be a good idea to back up those config files we modified in the event you *ever* need to go back through and edit them on another system20:03
jrwrenI just like the speed of skipping the apt-get update upgrade step.20:04
lazyPowerupdates will prompt you that there is a collision and you may have to manually edit them again, but ubuntu is good about not clobbering user updates to config files.20:04
captinei best get a local apt-mirror setup to install from20:04
lazyPowerread up on setting up a squid deb proxy :)20:05
lazyPowerpath of least resistance20:05
jrwrenI like the speed because EC2 IOOPs are very slow and IOOPS on my slow spinning rust drives are also very slow. I'd likely not care on all SSD.20:06
captinelazyPower, whats the best way to backup the files?  just copy to fileserver?  or is there a good tool?20:06
lazyPowercaptine: i myself just keep a git repository of all my config stuff on my NAS20:08
captinei need to learn to use git more20:08
captinejust installed it on a vm at work to try to get our IT department to use it for application rule file (IBM Cognos files)... but am not very good with it20:09
captinegoing to crash. thanks again for all the help20:09
lazyPowercheers Caguax :)20:10
lazyPowerer.. yeah20:10
Caguaxcheers lazyPower20:10
=== wendar_ is now known as wendar
arosalesmarcoceppi_:  lazyPower: mbruzek: jose: niedbalski_: tvansteenburgh1: dpb1:  Got a good question from the openstack folks I wanted to get your opinion on20:38
* dpb1 listens20:39
* mbruzek waves20:39
arosalesPolicy states, "Should make use of AppArmor to increase security."20:41
arosalesBut we don't make any references to how this can be accomplished in the charm, and we unfortunately don't have any good examples.20:41
arosalesI am a +1 for security, but how do we enforce this or if a user says, "Great how do I do this" what is the answer?20:42
* arosales ends question20:42
sarnoldhey arosales :) there's a handful of policies in /etc/apparmor.d/ on most ubuntu systems that can serve as a too-quick introduction to apparmor20:43
arosalessarnold: hello :-)20:44
sarnoldarosales: jdstrand has a series of short-and-sweet blog posts about apparmor that are a decent enough introduction, too, https://penguindroppings.wordpress.com/2014/06/06/application-isolation-with-apparmor-part-iv/20:44
arosalesPerhaps the right answer here is to reach out to the ubuntu security team and formulate some examples in the docs20:44
sarnoldarosales: one thing that I'd love to see in juju charms is making use of the relation information to help create flexible policies20:45
mbruzekarosales: This policy predates me, but I have not seen a charm using apparmor.  I suspect *someone* knows how to do that20:45
arosalessarnold: do you feel this is handled inside the app, or are there extra measures the charm should be taking?20:45
sarnoldarosales: it depends; e.g., installing mysql from the archive will automatically get the packaged apparmor policies installed20:45
mbruzekgood point sarnold20:46
arosalesgood point, but others may not .  . .20:46
sarnoldarosales: but if you're creating a charm for software that doesn't already supply its own policy, you could bundle it alongside the charm, drop it into /etc/apparmor.d/, and .. *waves hands about making sure it's loaded before the service is started*20:46
sarnoldarosales: one complicating factor is that apparmor policies currently can't be nested; the local provider uses LXC, which uses apparmor to enforce some of its policies. so, local deployed charms wouldn't be able to use their own policy. (this is being addressed but probably won't be ready for many months.)20:47
sarnoldarosales: jdstrand and sbeattie also put together an apparmor "policy template" language, apparmor-easyprof, that _might_ be a suitable starting place for charm authors to smack out some quick template-based policies -- which might be useful for tuning them based on configurations20:49
arosalesinteresting re lxc, didn't think of that20:49
sarnoldI think the mysql init stuff may have mechanisms in place to cope, I haven't looked in ages.20:50
arosalessarnold: do you have a link to the "policy template" language?20:50
arosalessarnold: do you know of any issues with xen or kvm in app armour policies?20:51
sarnoldarosales: hrm, I'm having trouble finding links to apparmor-easyprof examples; it's used a bit with snap / click packaging but those tools aren't exactly easy to learn from20:51
lazyPowerarosales: i agree that we need to get documentation around this or link to the proper docs in our charming series docs20:52
sarnoldarosales: xen / kvm should work just fine; libvirtd does have apparmor policies confining portions of the systems (e.g. shared host/guest filesystems sometimes have trouble, and need extended policies) -- but the kvm-emulated machine or xen-emulated machine get their own apparmor policies no trouble20:52
jhobbsfyi i filed a bug on it here https://github.com/juju/docs/issues/22920:52
lazyPowerarosales: what may be a good starting point would be to get a charm school video about security enhancement with apparmor profiles on a simple charm - like pick the day1 charm and put in some nginx app armor policies20:52
lazyPowerhowever app armor itself is a beast of a topic and goes into a broad range of things as sarnold has pointed out20:53
=== kadams54 is now known as kadams54-away
lazyPowerand o/ sarnold :)20:53
arosalesjhobbs: thanks20:54
sarnoldhey lazyPower :)20:54
sarnoldI've got to head off for lunch, but I'll be back ~hour :)20:54
arosaleslazyPower: ya I think at a min we need some docs to point users on how to accomplish this20:54
arosalessarnold: if you come across those links please send them onto us :-)20:55
lazyPowerarosales:  i have a marching order over this next week to get some visualizations done for my slides / video over charm relationships - i can add an addendum to that for app armor as a follow up task.20:55
arosalessarnold: thanks for the input here, much appreciated20:55
sarnoldthe policies are easy enough; the hard part is tying them together to handle e.g. running under lxc, getting them loaded before programs start, etc..20:55
lazyPoweri've ran into some really good articles that we - being juju charmers, are not warehousing, but i can distill that info into a digestible doc for starting out with app armor and link to the app armor community documentation which goes into further depth how to write them20:56
arosaleslazyPower: if you have some time to start some docs on apparmor that would be helpful20:56
lazyPoweryeah, i'll try to squeeze it in :)20:56
lazyPowermaybe as a slack task20:56
arosaleslazyPower: sounds good20:56
josearosales: so as it's a should and not a must hasn't probably been looked at much. the policies are installed with packages on the archive, but I guess this is more directed to packages which are installed from an external source21:02
josearosales: agree with contacting the security team, if we can get examples it would make it easier for all authors to understand what is and how it works - without reference in our own docs it's tedious work to understand it21:02
lazyPowerarosales: and if we can get the security team to contribute those docs - would probably be better than me putting down the crumbs of info i have picked up from blog posts over the last 3 years.21:04
lazyPowersooooooo... theres *that* little tidbit of info21:04
arosalesjose: ya some folks read that should in policy and want to follow it but don't know how, and we don't give docs on how to do so unfortunately21:05
arosalesperhaps some "shoulds" in the policy should be best practice21:05
arosalespolicy is usually a little more black and white and not gray. These are valid points the openstack folks like jhobbs are pointing out21:06
lazyPoweri agree with that statement, a should sounds like it can or cannot21:06
lazyPowerpolicy should be true/false21:06
joseI believe this specific one would apply to charms that gather things from outside21:06
arosalesjose: lazyPower: but regardless of where it lives we should reach out to the security team and get some good docs around app armor21:06
jose+1 on that21:07
arosalesjose: lazyPower: also how do you guys evaluate a charm "following the spirit of Ubuntu?"21:10
arosalesanother policy item that is kind of vague, but a good one21:11
josearosales: http://en.wikipedia.org/wiki/Ubuntu_%28philosophy%29 and CoC21:11
* arosales has read that :-)21:11
lazyPowerarosales: http://www.ubuntu.com/about/about-ubuntu/our-philosophy21:11
arosalesjust wants to know how you guys evaluate that against a charm21:11
lazyPowerbut to be honest21:11
arosalesjose: lazyPower: we allow for a charm to deploy proprietary bits so does that go against the philosophy?21:11
lazyPoweri am probably the most lenient about that line in policy21:12
lazyPoweras i haven't nacked anything for not being in the spirit of ubuntu21:12
arosaleswell my point is "spirit of ubuntu" could mean a lot of different things21:12
josearosales: I wouldn't say so. It is giving you the opportunity to deploy software easily, which is the purpose of a charm21:13
arosaleshow does one consistently review a charm against that policy statement21:13
lazyPowerarosales: well, if it follows the PCBSD spirit, it's clearly not in the ubuntu spirit21:13
* lazyPower rimshots21:13
arosalesdon't get me wrong I like following the spirit of ubuntu big +1 there21:14
mbruzekarosales: I read that as a reason to nack a charm if it is doing something illegal or wrong.21:14
josebut the policy is unclear21:14
lazyPowerarosales: so, what if the charm were to deploy say - a fully pre-loaded XXX photo distribution hub21:14
arosalesmy question is how do multiple different reviewers consistently grade a charm against this line in a similar manner?21:14
lazyPoweri think that's where the follows the "ubuntu philosophy" comes into play21:15
joseI would do the same as Matt over there21:15
arosalesshouldn't we say that then?21:15
josewe need to make it more clear, define it21:15
lazyPowerexplicit seems to work better than implicit, there's less room for interp.21:15
joseI believe we can change that to follows the CoC - not doing anything that could lead to illegal actions21:16
arosalesa good question for your charmers is should policy be explicitly true or false, or maybe21:16
arosaleslike read this for policy21:16
arosales"A charm should follow the ubuntu spirit"21:16
arosales"A Charm must not contain or deploy any illegal software"21:17
arosalesthe latter I can clearly check off21:17
jhobbsin what jurisdiction? :)21:17
arosalesthe former is open to my interpretation21:17
arosalesjhobbs: US where the charm store resides21:17
arosalesbut valid point21:18
mbruzekarosales: The problem with that is it may not contain any illegal software, but what if it contains software that allows someone to *DO* something illegal.21:18
lazyPowermbruzek: that's dangerous - that's like shooting the protocol of bit torrent because you *can* send illegal content over it21:18
mbruzekarosales: You could write rules like that all day and someone will find a way around the wording21:18
arosalesmbruzek: well now you just took it tooo far :-)21:18
arosalesdo we sell knives still ?21:19
mbruzekguns don't kill people, people kill people21:19
arosalesmbruzek: lazyPower: jose: perhaps something to discuss in your charmers meeting and send to the list21:20
arosalesmy suggestion would be for a policy review and to make a decision on clear true/false or explicitly leave items ambiguous for the charm author to decide.21:20
mbruzekarosales: My only problem with your "illegal" wording is that software may be "legal" but we still might not want it in the charm store.  And there could be different reasons for "illegal software", what if someone didn't have the legal authority to include the software in a charm.21:21
mbruzekarosales: If they are all yes or no questions, what do you need us for?21:21
arosalessomeone has to check those yes/no21:22
=== kadams54-away is now known as kadams54
* mbruzek welcomes our new robot ~charmer overlords21:22
lazyPowermbruzek: we are the charminators of policy - we stamp out immutable config21:22
jhobbsi have more questions on the policy21:22
jhobbs"Must also be valid for the charm and/or bundle format defined in Juju's documentation" - what does this mean?21:22
arosalesmbruzek: be interesting to hear what your use case is for "legal" software that we don't want in the charm store21:22
lazyPowerjhobbs: we should really encapsulate these issues in a mail and hit the list with them so the community has an opportunity  to pipe in with these21:22
jhobbsis that just "you can't upload arbitrary non charm stuff to the store"21:23
lazyPoweri added an addendum to our charmer meeting next week for our pre-discussion about it - but i imagine this will be a long running thread on the list for anyone that wants to participate in policy discussion21:23
jhobbslazyPower: i can do that - what list should i send them to?21:23
lazyPowerjhobbs: the general user mailing list - juju@lists.ubuntu.com21:23
jhobbslazyPower: ok21:23
lazyPowerthanks for bringing up these points though and capturing them :)21:24
lazyPowerappreciate it jhobbs, arosales21:24
mbruzekjhobbs: I believe that means it must be in a charm or bundle format so it works with Juju.21:24
arosalesjhobbs: to answer your question though, yes the charm or bundle needs to be in a valid form (directory) in order for it to be recognized by the charm store21:24
arosalesjhobbs: appreciate the feedback21:24
jhobbsnp, thanks for the detailed responses21:24
mbruzekarosales: I don't have a good example, but illegal software draws a strange / arbitrary line in the sand.  Someone will work around, or cross the line at some point.21:25
arosalesmbruzek: fair point21:26
arosalesmbruzek: for that point we should be careful with the wording21:26
mbruzekarosales: Yeah like "ubuntu philosophy" and not being against it21:27
jhobbsi think the guidance should focus on good people who are trying to do the right thing. like you say, bad people will always try to work around. there should be some net rule for that like "we reserve the right to reject any charm store submission if we feel it is bad."21:27
mbruzekjhobbs: good point21:28
jcastroubuntu philosophy is things like the "don't be a jerk" rule for charms IMO.21:30
mbruzekjcastro: Can you give an example?21:30
jcastroMy charm deletes user data without asking21:31
jcastroor ... says it does something but really does something else21:31
josesame I understand21:31
jcastroor sends your data to a third party without your knowledge, etc. etc.21:31
josebasically, follow CoC when writing your charms21:31
jcastrobasically, it's a catchall "don't be a jerk" so that our policy on what is acceptable and not acceptable isn't a huge book21:32
mbruzekjcastro like to amazon?21:32
jcastrowell this is cloud software so like, everything talks to other services21:32
lazyPoweri seem to remember having this conversation with marco before, and that was his reasoning for the vague terminology21:33
mbruzekjcastro: https://www.youtube.com/watch?v=DXnfa0H30L421:33
jcastrobut like, if I install a "bruzek" charm and it phones home to the author so he can spam me, that sucks21:33
sealis there an easy way to check machine creation status? something similar to juju pprint?21:33
jcastrombruzek, his opinions are based on an incorrect assumption, the dash is an online search engine, it's supposed to do that, and it says it does that clearly and it's easy to turn off21:34
mbruzekseal talk with katco in #juju-dev she did some work on the juju status21:34
sealmbruzek: thanks21:35
mbruzekjcastro: I know21:35
dalek57I'm trying to build a rails deployment with juju, and when trying to start the server I keep getting "no pg_hba.conf entry for host". But looking at the postgres instance, there is an entry in pg_hba.conf that contains all the correct fields. I tried exposing the postgres instance, and no luck. When I run "psql" from a shell on the rails server with all the stuff from my config, I can get to the database. There is only 1 pg_hba.conf on the postgres instance.21:35
jcastrobut if a charm is named "aws-analytics" or something and does report data to AWS for the purpose of analytics, then yeah, I'd expect that21:35
jcastroif the fields are correct then the rails instance would have had a working connection to the db already right?21:37
dalek57jcastro: yeah, which is why I'm so baffled. The database.yml looks good to me. When I copy out all the fields and use them as arguments to psql, I get the connection21:38
=== roadmr_afk is now known as roadmr
=== kadams54 is now known as kadams54-away
tvansteenburgh1cory_fu, kwmonroe: wildfly charms promulgated22:47
cory_fuThank you22:47
cory_fuYou're the best22:47
=== tvansteenburgh1 is now known as tvansteenburgh
cory_fuDoes anyone know how the tomcat charm is intended to be used?  https://manage.jujucharms.com/charms/trusty/tomcat22:51
cory_fuSpecifically, how does one give a site (war, etc) to it to serve?22:51
josecory_fu: it should, web, if it's opening port 8022:57
cory_fuNo, I mean that it doesn't support any clearly defined way to get a WAR into it (particularly from another charm) to get tomcat to serve it.22:58
cory_fuI was wondering if I'm missing something22:58
cory_fumbruzek: I just noticed you're the maintainer.  ^^22:58
mbruzekcory_fu: Yes I am22:59
cory_fuCan you answer that question?22:59
mbruzekcory_fu: I wrote openmrs charm too22:59
mbruzekcory_fu: subordinate charm.  Check my openmrs22:59
kwmonroembruzek: over the implicit juju-info interface?23:00
cory_fumbruzek: We're reviewing http://bazaar.launchpad.net/~miqe/charms/trusty/openbook/trunk/view/head:/README.md23:00
mbruzekkwmonroe: cory_fu: correct juju-info interface23:01
mbruzekcory_fu: kwmonroe: I am busy right now, but I can take a look later23:01
cory_fuSo juju-info is the *recommended* way to do that?  Me no likey23:01
mbruzekcory_fu: the interface was named "tomcat-war"  but it is simply juju-info relation23:03
=== kadams54-away is now known as kadams54
asanjarmbruzek: it was mutable config issue23:13
mbruzekasanjar: The root of all EVIL23:13
asanjarmbruzek: lol23:14
dalek57cory_fu: what is the best way to get the host address with charm helpers? It looks like there's some promising stuff in charmhelpers.core.host; do those come with deterministic ordering?23:32
=== mmcc` is now known as mmcc
lazyPowercory_fu: if you're co-locating with a subordinate, and provide an implicit interface to exchange the data for the WAR to the parent service - i think thats a more acceptable pattern23:47
lazyPowerbut i'm also just starting to explore this territory and the pattern might turn out to be complete tripe23:47
