=== cppforlife is now known as cppforlife_
=== seelaman` is now known as seelaman
=== 18VABY2RP is now known as lazyPower
=== beuno_ is now known as beuno
[01:57] Hello, I have tried to create my first charm. The install hook is here: http://paste.ubuntu.com/9759291/ , it fails on line 44 saying that the site does not exist. If you wouldn't mind giving me some guidance on this hook, it would be appreciated
[01:59] jobot: I -think- you need to change this name: /etc/apache2/sites-available/suitecrm to /etc/apache2/sites-available/suitecrm.conf
[01:59] jobot: there was a change somewhere along the way that I -think- requires the .conf extension on those files now.
[02:00] Ok. Thank you. I will try that :)
[02:16] on utopic, cloud-utils is marked recommends for lxc-templates, which appears to result in failed container creation with the local provider
[02:17] potentially I just had my machine in a weird state, but it seems curious.. might try in a clean vm
=== kadams54 is now known as kadams54-away
=== axw_ is now known as axw
=== paulproteus_ is now known as paulproteus
=== kadams54 is now known as kadams54-away
=== urulama__ is now known as urulama
=== Spads_ is now known as Spads
[08:54] good morning
[08:55] I'm quite new to Juju and having problems
[08:55] can anyone help me? Am I in the right place?
[08:57] Muntaner: You are in the right place; ask a question and hopefully somebody will be able to answer it. :)
[08:58] ok!
I have two laptops connected to the same network, 192.168.0.194 and 192.168.0.197
[08:58] on the second one, I installed devstack to do some tests
[08:59] and I'm trying to deploy services from the first laptop
[08:59] with Juju, naturally :)
[08:59] I set all the fields with juju-quickstart
[08:59] and I get this error:
[08:59] ERROR juju.cmd supercommand.go:323 index file has no data for cloud {RegionOne http://192.168.0.197:5000/v2.0} not found
[09:00] is the devstack installation "incomplete" or am I doing something wrong on the first laptop?
[09:01] it seems like the file "index.json" is missing from the devstack computer... I can read errors like these:
[09:03] DEBUG juju.environs.simplestreams simplestreams.go:419 fetchData failed for "http://192.168.0.197:8080/v1/....../images/streams/v1/index.sjson": failed to GET object images/streams/v1/index.sjson from container con-366ffb69922d4b7892e6bef717239473
[09:06] and now I'm quite lost, don't know exactly what o do
[09:06] to do *
[09:07] Muntaner, can you give me a bit more background please
[09:07] ?
[09:07] whatever you need!
[09:08] Muntaner, how is your deployment structured - 2 machines, each with 2 network interfaces?
[09:08] two laptops, connected to the same network with internet access. They have the local IPs I wrote - 192.168.0.194 and 192.168.0.197
[09:09] I'm pretty sure they can see each other (from the first one, I'm able to log in to the devstack running on the second one via the web browser)
[09:09] ok, so are these IPs configured via DHCP or statically?
[09:10] Probably static - I can't manage the network configuration
[09:10] Muntaner, also, it will help if you can use paste.ubuntu.com to share some logs to see what errors you're getting
[09:11] Can you give me a summary of the commands/operations you used?
[09:12] here it is: http://paste.ubuntu.com/9760532/
[09:13] I used some basic commands... juju init, juju bootstrap, juju quickstart etc.
[09:13] so you're using juju-quickstart - let me ask some of the folks working on this
[09:13] rick_h_, hey, can you have a look at that log please ? ^^
[09:14] yes, yesterday I arrived at the same error by configuring environments.yaml manually
[09:15] how did you install juju-quickstart?
[09:15] 1217 sudo add-apt-repository ppa:juju/stable
[09:15] 1218 sudo apt-get update
[09:15] 1219 sudo apt-get install juju-quickstart
[09:15] if needed, I can copy-paste my environments.yaml as well
[09:16] dimitern: i'll ping frankban to look at that log, he should be joining soon.
[09:16] Yes please - you can redact keys/passwords/etc. from it first
[09:16] thanks urulama!
[09:18] here is my environments.yaml: http://paste.ubuntu.com/9760545/
[09:18] control-bucket and admin-secret have been autogenerated by clicking on the option in juju-quickstart
[09:19] Muntaner, hmm.. ok so I believe the issue is you'll need to run sync-tools first to generate metadata for your private openstack installation
[09:19] I'll ask a very silly question now:
[09:19] Muntaner, I'll give you more info in a sec
[09:19] does the laptop with devstack need to install anything about juju?
[09:19] because, right now, it has nothing installed - just devstack
[09:20] Muntaner, assuming you want to use the devstack laptop as "the cloud", no - you install the juju client (quickstart does that for you) and use it to bootstrap an environment on the other laptop
[09:21] exactly, that was the test I wanted to do
[09:21] just to get involved in the software and try some charms
[09:23] Muntaner, that's *awesome* - thanks for trying Juju out!
[09:23] Muntaner, I'm checking a few places first, but I think I can help you with your issue
[09:23] Thanks, I already tried it on my laptop only - deploying Wordpress + MySQL has been a piece of cake :)
[09:25] sweet!
[09:30] Muntaner, ok, so let's try the easiest thing first
[09:30] Muntaner, add the following to your environments.yaml, e.g.
just after the line "username:", with the same indentation
[09:32] Muntaner, agent-metadata-url: https://streams.canonical.com/juju/tools
[09:33] Muntaner, sorry - for 1.20.x use "tools-metadata-url" instead
[09:33] or agent-metadata-url
[09:33] ok, I try now and give feedback
[09:33] ..instead *of
[09:34] Muntaner, then, run $ juju bootstrap --debug 2>&1 > juju-bootstrap.log and paste that please
[09:36] seems like nothing changed - juju-bootstrap.log is empty
[09:37] I can copy-paste whatever is needed
[09:38] Muntaner, did you see output on the console?
[09:38] yes, looks like they are the same errors
[09:39] http://paste.ubuntu.com/9760633/
[09:39] new environments -> http://paste.ubuntu.com/9760637/
[09:40] Muntaner, hmm.. that's weird.. I'll have a look at the code to see what's happening
[09:43] Muntaner, before anything - please try running $ juju-quickstart --upload-tools --debug and paste the log
[09:45] yes, just a sec
[09:53] btw I've reported a bug for your issue against quickstart, so we can think how to improve the experience in cases like yours - https://bugs.launchpad.net/juju-quickstart/+bug/1411574
[09:53] Bug #1411574: quickstart should detect private clouds somehow and generate metadata url in the environments.yaml
[09:55] Muntaner, you might later try following the docs here - https://juju.ubuntu.com/docs/howto-privatecloud.html#deploying-private-clouds
[09:56] I'm back now, sorry
[09:59] result of juju-quickstart --upload-tools --debug: http://paste.ubuntu.com/9760712/
[10:05] Muntaner, thanks, it's weird how nothing has changed though.. try $ juju metadata validate-images and then also $ juju metadata validate-tools ?
[10:07] so
[10:08] juju metadata validate-images: http://paste.ubuntu.com/9760764/
[10:09] and juju metadata validate-tools: http://paste.ubuntu.com/9760771/
=== rvba` is now known as rvba
[10:19] shall I try something else, guys?
[10:23] Muntaner, thanks, will get back to you shortly
[10:24] ok!
[10:40] Muntaner, let's try adding "images-metadata-url: http://cloud-images.ubuntu.com/releases/" to environments.yaml and re-run $ juju metadata validate-images
[10:42] at the moment devstack isn't running - I'll try this in minutes
[10:42] sorry
[10:43] ok, no worries
[10:44] did we just discover a hidden bug or may this be my bad configuration of the "net"?
[11:04] Muntaner, well, for one - it's definitely a bug with quickstart, as the user experience can be improved
[11:05] Muntaner, but the reason it fails is insufficient configuration, so it's not a juju bug - at least not yet
[11:09] aw ok. Now, I'm installing Ubuntu Server on the devstack laptop
[11:10] Muntaner, what happened with devstack btw? why do you need to do this now?
[11:13] dimitern, the laptop owner decided to do so, needs Ubuntu Server for other stuff. Btw, the previous devstack installation is "safe" on another partition with Linux Mint (the OS with which I was experimenting and encountered the problems)
[11:14] Muntaner, ok, thanks for the info; I'll need to finish some other stuff now, but please let me know if you still have issues later.
[11:17] jamespage, did you see my request for a review of https://code.launchpad.net/~gnuoy/charms/trusty/ceph-radosgw/next-support-ha/+merge/243263 if you have time?
[12:33] dimitern, I did what you suggested
[12:33] I get the same error
[12:34] Muntaner, what did you do last?
[12:34] I'm pasting it for you
[12:35] http://paste.ubuntu.com/9761344/
[12:35] the environments.yaml is: http://paste.ubuntu.com/9761347/
[12:37] Muntaner, I think I have a solution - try these steps: 1) keep tools-metadata-url set as before; 2) run $ juju metadata generate-images -d $HOME/.juju/metadata (paste any errors); 3) run $ juju metadata validate-images -d $HOME/.juju/metadata (should be fine, but again paste any errors); 4) run $ juju bootstrap --debug --metadata-source $HOME/.juju/metadata and paste the output
[12:37] Muntaner, but first, remove "images-metadata-url" from environments.yaml
[12:39] dimitern, error: unrecognized command: metadata generate-images
[12:40] Muntaner, sorry - generate-image
[12:40] ok!
[12:41] dimitern, ERROR image id must be specified
[12:41] I'll be back in an hour
[12:41] boss calling, see you later
[12:42] ok
[12:42] and thanks :)
[13:01] Muntaner, np - re that error, yes sorry - specifying image id (-i <..>) for generate-image is required. You need to know your devstack available images. Here's an article providing pretty much all you need I think - http://blog.felipe-alfaro.com/2014/04/29/bootstraping-juju-on-top-of-an-openstack-private-cloud/
=== Darkwing_ is now known as Darkwing
=== jrwren_ is now known as jrwren
[13:49] dimitern, thanks, I'm following that post
[13:52] great!
[13:52] please let me know if you're successful
[14:25] dimitern, is it hard to write your own charms?
[14:26] Muntaner, :) depends on what the charm does, but for simple things it's not hard at all
[14:29] Muntaner, here's the right place to ask just this - any one of the guys like jcastro, lazyPower, mbruzek, from the ecosystem team can help you with that
[14:29] o/
[14:29] * lazyPower reads scrollback
[14:29] hi!
[14:29] :)
[14:31] Muntaner: that's subjective :) but if you were to ask me 1:1 i'd say - "Charm development isn't hard - but writing *good* charms requires a fair amount of thought and testing"
[14:31] it's fine!
was just curious about that ;)
[14:31] btw, dimitern
[14:31] I'm reading that post, I skipped the whole part concerning OpenStack Glance
[14:31] that's one of the things I love about charm development, it's like any other software project. it's an iterative process and you can prototype quickly in bash before you commit to a config management framework
[14:32] regardless of that being something like chef/puppet or using our own charm helpers libraries to greenfield develop in python.
[14:39] Muntaner, yeah - that happens to be the most important part :)
[14:39] Muntaner: two days ago, i implemented a simple charm pretty quickly. You can look at it, it is pretty small in LOCs :) https://code.launchpad.net/~nicopace/+junk/simplewebservercharm
[14:43] in your opinion, what is the best language to implement charms? is Java fine?
[14:44] Muntaner you could
[14:44] Muntaner: but as a Java developer I have tried that and it is not easy.
[14:44] Muntaner: python
[14:44] Muntaner: Technically you could write a charm in anything that runs on Ubuntu
[14:45] Muntaner: the charm-helpers library makes python for charms the best.
[14:45] Muntaner: but setting up the Java environment was a hassle for me, just to write the charm hooks in Java
[14:46] you'd have to write part of the install hook in some other language to install the JRE.
[14:46] but Muntaner it can be done
[14:46] Muntaner: the fact is we support close to anything/everything - so long as you can encapsulate the logic in a format that resembles the events we model with the hooks. So as a java developer you can certainly write hooks in java but your pre-install will require you to install a JRE, and any third party deps you require - another option would be to write them in scala which is similar to java, but not quite right?
[14:47] scala:java::ocaml:C++
[14:48] ok, I understand. Thanks for this lot of info
[14:49] Muntaner: As a fellow Java Developer, I would be willing to help you with any questions you might have.
Please feel free to IM me on IRC
[14:49] mbruzek, thanks a lot :)
[14:49] no problem at all
[15:11] mbruzek, lazyPower, marcoceppi_, tvansteenburgh1: if any of you guys have a minute to do a review, I've got a critical security fix on the waitlist (queue not updating), mind taking a look? https://code.launchpad.net/~jose/charms/precise/owncloud/fix-poodle/+merge/246208 https://code.launchpad.net/~jose/charms/trusty/owncloud/fix-poodle/+merge/246205
[15:24] sorry to be off topic, but looking for macfarlan or a. rosales...a good channel to find either of them?
[15:24] jshieh: arosales is CO based and should be around within the hour here.
[15:24] jose: in standup will sync with you afterwards
[15:24] okay
[15:25] sounds good, thanks lazyPower!
=== Guest8667 is now known as balloons
=== roadmr is now known as roadmr_afk
[16:15] dimitern, got some news
[16:17] Muntaner, is it good? :)
[16:21] dimitern, no, lol, I got new errors
[16:22] dimitern, if you want I can copy-paste them for you
[16:25] Muntaner, yes please
[16:27] dimitern, http://paste.ubuntu.com/9762355/
[16:27] careful, it's quite long
=== roadmr_afk is now known as roadmr
=== kadams54 is now known as kadams54-away
[16:41] jshieh: hello
[16:41] sorry my network was down earlier this morning
=== kadams54-away is now known as kadams54
[16:56] dimitern, I'm going crazy, lol
[16:57] Muntaner, *much* better!
[16:57] Muntaner, you've almost managed to bootstrap :)
[16:57] dimitern, wow! :D
[16:57] dimitern, yep, what remains now?
[16:58] Muntaner, but the image metadata seems incomplete - try validate-images and also make sure that image id b2731f9e-6971-4c91-bea3-39aa0e23e15b is in it
=== kadams54 is now known as kadams54-away
=== kadams54-away is now known as kadams54
[17:00] Muntaner, but first - change tools-metadata-url back and drop --upload-tools from bootstrap
[17:00] *back to what it used to be (I see it empty)
[17:01] I have to go unfortunately
=== urulama is now known as urulama__
=== kadams54 is now known as kadams54-away
=== mbarnett` is now known as mbarnett
[18:22] Hi guys.. is there any way that a charm is run using python2?
[18:23] mwak_: hi there, cory_fu said you had some issues with hadoop charm?
[18:24] asanjar: mwak_ had to leave for the weekend. :/
[18:25] We'll have to reconvene on Monday
[18:25] cory_fu: do you have his email?
[18:25] No. :/
[18:25] okay then, we wait till Monday
[18:26] nicopace: What do you mean? charm hooks are run as binaries or #! directive. #!/usr/bin/python is python2
[18:27] yes... when i specify python3 as the hook.py interpreter, it says 'bad interpreter'
[18:27] i ssh-ed into the unit, and it seems python3 is not installed!
[18:28] jrwren: ^
[18:30] nicopace: try with #!/usr/bin/env python2
[18:30] nicopace: is this a precise host? i tend to use env to route those properly
[18:31] or just #!/usr/bin/env python actually
[18:31] also just saw your email to the list about apache2 tests - i haven't dug in, but thanks for taking a look at that :)
[18:31] oh... if it is precise it uses python2 by default?
[18:31] lazyPower: :D
[18:32] nicopace: python2 is default across precise/trusty
[18:33] but trusty has the python3 interpreter in the base image i do believe, if not it's a simple apt-get install away
[18:33] avoine, lazyPower: that actually works, but as i'm using charmhelpers i need python3
[18:33] charmhelpers is python2 compliant
[18:33] as is amulet
[18:34] that's strange...
i think it is failing because it requires six
[18:34] can you hand me a stacktrace of what you're looking at? we've had some issues with test dependencies in the past
[18:34] sure
[18:34] i think tvansteenburgh1 was the one that put a lot of those fixes in place during our last bug-run.
[18:35] he's kind of a big deal when it comes to fixing python dependency chains :)
=== kadams54 is now known as kadams54-away
=== kadams54-away is now known as kadams54
[18:40] lazyPower: http://paste.ubuntu.com/9763023/
[18:41] the problem is that charmhelpers is requiring six, and it is not installed
[18:41] yep, missing python dependency on the host. Which provider is this?
[18:41] lxc
[18:41] interesting, that's a cloud image.
[18:42] if you add python-six to the install routine of the charm does it work as expected?
[18:42] as in (apt-get install python-six)
[18:42] i can't, as i'm using hooks.py
[18:42] well... i can, but i have to add a middleman
[18:50] nicopace: typically when there are pre-deps the install hook becomes a shell script that then calls hooks.py
[18:53] eve all. can someone point me to where i can figure out what is causing the below (first time trying juju and trying to get it to use br0 for local containers to get network ip's..
[18:53] ERROR juju.provisioner provisioner_task.go:418 cannot start instance for machine "2": container failed to start
[18:53] same error for machine 1
[18:55] captine: that can be for a variety of reasons and it's not really clear unfortunately
[18:56] captine: i'm assuming this is with regard to bridging for reaching into the containers from outside your host right?
[18:56] lazyPower, am guessing
[18:56] since the last time we were chatting, i haven't looked at things until now
[18:58] captine: when we last left off, we had just gotten the bridge adapter created and you were working through a bootstrap
[18:58] yip
[18:58] we need to look @ your template container configs and ensure the networking was applied to those - i'm betting it wasn't and we have a few options
[18:59] template container configs?
[18:59] you'll need to inspect the 'config' file in /var/lib/lxc/juju-$series-lxc-template
[18:59] i bet it's pointing at lxcbr0
[18:59] these template containers get cloned to create the local provider machines
[18:59] ok
[19:00] let me check it
[19:00] the line we are concerned with is: lxc.network.link = lxcbr0
[19:00] you'll need to change that to br0 and give it another go
[19:01] changed them both
[19:01] so now do i destroy the 2 machines
[19:01] and bootstrap again?
[19:02] yep
[19:04] ok. crossing fingers
[19:05] lazyPower: sorry, i had to go out for some minutes
[19:05] i understand
[19:05] i'll try that
[19:05] thanks!
[19:05] nicopace: no worries
[19:05] lazyPower, assuming this works, is there a way to stop the lxc containers starting automatically? may want to only start manually?
[19:05] captine: there is but i'm not aware off the top of my head
[19:06] np. will google
[19:06] i'm fairly certain we are generating jobs in /etc/lxc/autostart or something similar to that
[19:06] it *should* be as simple as removing those, but i cannot be certain as I have not done so before. Typically when i have containers I want to control i don't create them with juju
[19:06] i build them with lxc-create
[19:07] nicopace: if you look at charmhelpers/__init__.py you should see some bootstrap code that installs python-six packages. If it is empty, you can fix it by getting that file synced in.
[19:08] lazyPower, does it work the same way with lxc-create?
[19:08] would i need to do something to get br0 to be used?
[19:08] captine: it's 100% manual. you get zero magic from juju
[19:09] ah
[19:19] lazyPower, not sure it is working. agent state has been "pending" for 10 minutes
[19:19] captine: it should be up within 30 seconds depending on disk io
[19:20] so, if it's still pending we have hit another issue
[19:20] maybe i didn't destroy everything correctly.
[19:20] what I suggest is actually removing those templates
[19:20] destroy-environment, remove the templates
[19:20] from /var/lib/lxc/juju
[19:20] sudo lxc-destroy --name
[19:21] remove any containers that are related to juju, destroy the local environment with -y --force, and then start from step 1, it'll re-download the templates and generate them according to the config
[19:22] lxc-destroy -- is that to remove the templates
[19:22] or do i just rm -rf the templates?
[19:22] from /var/lib....
[19:22] i would use lxc-destroy
[19:23] we're basically resetting your local provider environment to square 1
[19:23] by removing the templates and containers, we're eliminating any traces of old config
[19:23] and letting juju perform the setup according to the files we edited in our prior session
[19:24] ok
[19:24] done.
[19:24] nothing in /var/lib/lxc/
[19:25] bootstrapping now
[19:29] lazyPower arosales jcastro: maas just got a little more interesting https://insights.ubuntu.com/2015/01/15/virtualbox-extensions-for-maas/
[19:29] nice!
[19:33] lazyPower, still not working. should i remove lxc and juju with apt-get purge? then start again?
[19:33] captine: it's hard to say depending on why the containers are failing to start. can you try starting the container manually so we can debug?
[19:34] lazyPower, so the container is not up ( "1":
[19:34] instance-id: pending
[19:34] series: trusty
[19:34] how do i manually start that (sorry for pasting multiple rows. didn't think it would do that)
[19:35] sudo lxc-start --name $container-name -d
[19:35] so would the name be "1"?
[19:35] negative, that's in the output from sudo lxc-ls --fancy
[19:36] well. guess what. my machine must just be slow
[19:36] just checked status again, and i see an ip address
[19:36] woohooo
[19:36] nice :)
[19:36] remember on first boot
[19:36] it's going to download those templates
[19:37] so juju deploy cs:precise/wordpress -- the very first time it's pulling down the 200mb cloud image and building that template container
[19:37] then it clones it and kicks off the charm
[19:39] lazyPower, thanks a mil. I am connecting and it is working well
[19:39] now the learning starts :)
[19:40] awesome
[19:40] captine: glad we got you sorted :) make sure you tell your friends about us here in #juju
[19:40] marcoceppi_: thanks for the link, taking a look
=== roadmr is now known as roadmr_afk
[19:58] lazyPower, just a question.. maybe a dumb one. i don't need to ssh to these lxc containers to run apt-get update and apt-get upgrade? or do I?
[19:58] do they update when i run it on the hose?
[19:58] host?
[19:59] they don't
[19:59] ok
[19:59] cool.
[19:59] think of them as isolated VM's. you'll need to apt-get update/upgrade
[19:59] cool. so i can install management software into them etc. very cool.
[19:59] and it's typically a good pattern to adopt in your charm to do that during the install hook - but certain members like jrwren have their own opinions about it.
[20:00] i reference you not out of finger pointing but knowing that you have good and valid reasons for avoiding that pattern jrwren <3
[20:00] :)
[20:00] well, it will be months/years away from writing charms. am an accountant by trade, so don't get much time for my tech hobby :)
[20:03] lazyPower, what was your blog address again for the setup of br0 etc...
it didn't seem to save in my favourites
[20:03] captine: blog.dasroot.net
[20:03] captine: it would be a good idea to back up those config files we modified in the event you *ever* need to go back through and edit them on another system
[20:03] thanks
[20:04] I just like the speed of skipping the apt-get update upgrade step.
[20:04] updates will prompt you that there is a collision and you may have to manually edit them again, but ubuntu is good about not clobbering user updates to config files.
[20:04] i best get a local apt-mirror set up to install from
[20:05] read up on setting up a squid deb proxy :)
[20:05] path of least resistance
[20:06] I like the speed because EC2 IOOPs are very slow and IOOPS on my slow spinning rust drives are also very slow. I'd likely not care on all SSD.
[20:06] lazyPower, what's the best way to back up the files? just copy to fileserver? or is there a good tool?
[20:08] captine: i myself just keep a git repository of all my config stuff on my NAS
[20:08] i need to learn to use git more
[20:09] just installed it on a vm at work to try to get our IT department to use it for application rule files (IBM Cognos files)... but am not very good with it
[20:09] going to crash. thanks again for all the help
[20:09] cheers
[20:10] cheers Caguax :)
[20:10] er.. yeah
[20:10] cheers lazyPower
=== wendar_ is now known as wendar
[20:38] marcoceppi_: lazyPower: mbruzek: jose: niedbalski_: tvansteenburgh1: dpb1: Got a good question from the openstack folks I wanted to get your opinion on
[20:39] * dpb1 listens
[20:39] * mbruzek waves
[20:40] apparmor
[20:40] :-)
[20:41] Policy states, "Should make use of AppArmor to increase security."
[20:41] https://jujucharms.com/docs/authors-charm-policy
[20:41] But we don't make any references to how this can be accomplished in the charm, and we unfortunately don't have any good examples.
[20:42] I am a +1 for security, but how do we enforce this or if a user says, "Great how do I do this" what is the answer?
[20:42] * arosales ends question
[20:43] hey arosales :) there's a handful of policies in /etc/apparmor.d/ on most ubuntu systems that can serve as a too-quick introduction to apparmor
[20:44] sarnold: hello :-)
[20:44] arosales: jdstrand has a series of short-and-sweet blog posts about apparmor that are a decent enough introduction, too, https://penguindroppings.wordpress.com/2014/06/06/application-isolation-with-apparmor-part-iv/
[20:44] Perhaps the right answer here is to reach out to the ubuntu security team and formulate some examples in the docs
[20:45] arosales: one thing that I'd love to see in juju charms is making use of the relation information to help create flexible policies
[20:45] arosales: This policy predates me, but I have not seen a charm using apparmor. I suspect *someone* knows how to do that
[20:45] sarnold: do you feel this is handled inside the app, or are there extra measures the charm should be taking?
[20:45] arosales: it depends; e.g., installing mysql from the archive will automatically get the packaged apparmor policies installed
[20:46] good point sarnold
[20:46] good point, but others may not . . .
[20:46] arosales: but if you're creating a charm for software that doesn't already supply its own policy, you could bundle it alongside the charm, drop it into /etc/apparmor.d/, and .. *waves hands about making sure it's loaded before the service is started*
[20:47] arosales: one complicating factor is that apparmor policies currently can't be nested; the local provider uses LXC, which uses apparmor to enforce some of its policies. so, locally deployed charms wouldn't be able to use their own policy. (this is being addressed but probably won't be ready for many months.)
[20:49] arosales: jdstrand and sbeattie also put together an apparmor "policy template" language, apparmor-easyprof, that _might_ be a suitable starting place for charm authors to smack out some quick template-based policies -- which might be useful for tuning them based on configurations
[20:49] interesting re lxc, didn't think of that
[20:50] I think the mysql init stuff may have mechanisms in place to cope, I haven't looked in ages.
[20:50] sarnold: do you have a link to the "policy template" language?
[20:51] sarnold: do you know of any issues with xen or kvm in apparmor policies?
[20:51] arosales: hrm, I'm having trouble finding links to apparmor-easyprof examples; it's used a bit with snap / click packaging but those tools aren't exactly easy to learn from
[20:52] arosales: i agree that we need to get documentation around this or link to the proper docs in our charming series docs
[20:52] arosales: xen / kvm should work just fine; libvirtd does have apparmor policies confining portions of the systems (e.g.
shared host/guest filesystems sometimes have trouble, and need extended policies) -- but the kvm-emulated machine or xen-emulated machine get their own apparmor policies no trouble
[20:52] fyi i filed a bug on it here https://github.com/juju/docs/issues/229
[20:52] arosales: what may be a good starting point would be to get a charm school video about security enhancement with apparmor profiles on a simple charm - like pick the day1 charm and put in some nginx apparmor policies
[20:53] however apparmor itself is a beast of a topic and goes into a broad range of things as sarnold has pointed out
=== kadams54 is now known as kadams54-away
[20:53] and o/ sarnold :)
[20:54] jhobbs: thanks
[20:54] hey lazyPower :)
[20:54] I've got to head off for lunch, but I'll be back ~hour :)
[20:54] lazyPower: ya I think at a min we need some docs to point users on how to accomplish this
[20:55] sarnold: if you come across those links please send them on to us :-)
[20:55] arosales: i have a marching order over this next week to get some visualizations done for my slides / video over charm relationships - i can add an addendum to that for apparmor as a follow up task.
[20:55] sarnold: thanks for the input here, much appreciated
[20:55] the policies are easy enough; the hard part is tying them together to handle e.g. running under lxc, getting them loaded before programs start, etc..
[20:56] i've run into some really good articles that we - being juju charmers, are not warehousing, but i can distill that info into a digestible doc for starting out with apparmor and link to the apparmor community documentation which goes into further depth on how to write them
[20:56] lazyPower: if you have some time to start some docs on apparmor that would be helpful
[20:56] yeah, i'll try to squeeze it in :)
[20:56] maybe as a slack task
[20:56] lazyPower: sounds good
[21:02] arosales: so as it's a should and not a must it hasn't probably been looked at much.
the policies are installed with packages on the archive, but I guess this is more directed to packages which are installed from an external source
[21:02] arosales: agree with contacting the security team, if we can get examples it would make it easier for all authors to understand what it is and how it works - without reference in our own docs it's tedious work to understand it
[21:04] arosales: and if we can get the security team to contribute those docs - would probably be better than me putting down the crumbs of info i have picked up from blog posts over the last 3 years.
[21:04] sooooooo... there's *that* little tidbit of info
[21:05] jose: ya some folks read that should in policy and want to follow it but don't know how, and we don't give docs on how to do so unfortunately
[21:05] perhaps some "shoulds" in the policy should be best practice
[21:06] policy is usually a little more black and white and not gray. These are valid points the openstack folks like jhobbs are pointing out
[21:06] i agree with that statement, a should sounds like it can or cannot
[21:06] policy should be true/false
[21:06] I believe this specific one would apply to charms that gather things from outside
[21:06] jose: lazyPower: but regardless of where it lives we should reach out to the security team and get some good docs around apparmor
[21:07] +1 on that
[21:10] jose: lazyPower: also how do you guys evaluate a charm "following the spirit of Ubuntu?"
[21:11] another policy item that is kind of vague, but a good one
[21:11] arosales: http://en.wikipedia.org/wiki/Ubuntu_%28philosophy%29 and CoC
[21:11] * arosales has read that :-)
[21:11] arosales: http://www.ubuntu.com/about/about-ubuntu/our-philosophy
[21:11] just wants to know how you guys evaluate that against a charm
[21:11] but to be honest
[21:11] jose: lazyPower: we allow for a charm to deploy proprietary bits so does that go against the philosophy?
[21:12] i am probably the most lienient about that line in policy [21:12] as i haven't nacked anything for not being in the spirit of ubuntu [21:12] well my point is "spirt of ubuntu" could mean a lot of different things [21:13] arosales: I wouldn't say so. It is giving you the opportunity to deploy software easily, which is the purpose of a charm [21:13] how does one consistantly review a charm against that policy statement [21:13] arosales: well, if it follows the PCBSD spirit, its clearly not in the ubuntu spirit [21:13] * lazyPower rimshots [21:14] don't get me wrong I like following the spirit of ubuntu big +1 there [21:14] arosales: I read that as a reason to nack a charm if it is doing something illegal or wrong. [21:14] but the policy is unclear [21:14] arosales: so, what if the charm were to deploy say - a fully pre-loaded XXX photo distribution hub [21:14] my question is how do multiple different reviewers consitantly grade a charm against this line in a similiar manner? [21:15] i think thats where the follows the "ubuntu philosophy' comes into play [21:15] I would do the same as Matt over there [21:15] shouldn't we say that then? [21:15] probably [21:15] we need to make it more clear, define it [21:15] explicit seems to work better than implicit, there's less room for interp. [21:16] I believe we can change that to follows the CoC - not doing anything that could lead to illegal actions [21:16] a good question for your charmers is should policy be explicitly true or false, or maybe [21:16] like read this for policy [21:16] "A charm should follow the ubuntu spirit" [21:16] or [21:17] A Charm must not contain or deploy any illegal software" [21:17] the latter I can clearly check off [21:17] in what jurisdiction? 
:) [21:17] the former is open to my interpretation [21:17] jhobbs: US where the charm store resides [21:18] cool [21:18] but valid point [21:18] arosales: The problem with that is it may not contain any illegal software, but what if it contains software that allows someone to *DO* something illegal. [21:18] mbruzek: thats dangerous - thats like shooting teh protocol of bit torrent because you *can* send illegal content over it [21:18] arosales: You could write rules like that all day and someone will find a way around the wording [21:18] mbruzek: well now you just took it tooo far :-) [21:19] do we sell knives still ? [21:19] guns don't kill people, people kill people [21:20] mbruzek: lazyPower: jose: pehaps something to discus in your charmers meeting and send to the list [21:20] my suggestion would be for a policy review and to make a decision on clear true/false or explictly leave items ambiguous for the charm author to decide. [21:21] arosales: My only problem with your "illegal" wording is that software may be "legal" but we might still might not want it in the charm store. And there could be different reasons for "illegal software", what if I someone didn't have the legal authority to include the software in a charm. [21:21] ? [21:21] arosales: If they are all yes or no questions, what do you need us for? [21:22] someone has to check those yes/no === kadams54-away is now known as kadams54 [21:22] * mbruzek welcomes our new robot ~charmer overlords [21:22] mbruzek: we are the charminators of policy - we stamp out immutable config [21:22] i have more questions on the policy [21:22] "Must also be valid for the charm and/or bundle format defined in Juju's documentation" - what does this mean? 
[21:22] mbruzek: be interesting to hear what your use case is for "legal" software that we don't want in the charm store [21:22] jhobbs: we should really encapsulate these issues in a mail and hit the list with them so the community has an opportunity to pipe in with these [21:23] is that just "you can't upload arbitrary non charm stuff to the store" [21:23] i added an addendum to our charmer meeting next week for our pre-discussion about it - but i imagine this will be a long running thread on the list for anyone that wants to participate in policy dicussion [21:23] lazyPower: i can do that - what list should i send them to? [21:23] jhobbs: the general user mailing list - juju@lists.ubuntu.com [21:23] lazyPower: ok [21:24] thanks for bringing up these points though and capturing them :) [21:24] appreciate it jhobbs, arosales [21:24] jhobbs: I believe that means it must be in a charm or bundle format so it works with Juju. [21:24] jhobbs: to answer your question though, yes the charm or bundle needs to be in a valid form (directory) in order for it to be recognized by the charm store [21:24] jhobbs: appreciate the feedback [21:24] np, thanks for the detailed responses [21:25] arosales: I don't have a good example, but illegal software draws a strange / arbitrary line in the sand. Someone will work around, or cross the line at some point. [21:26] mbruzek: fair point [21:26] mbruzek: for that point we should be careful with the wording [21:27] arosales: Yeah like "ubuntu philosophy" and not being against it [21:27] i think the guidance should focus on good people who are trying to do the right thing. like you say, bad people will always try to work around. there should be some net rule for that like "we reserve the right to reject any charm store submission if we feel it is bad." [21:28] jhobbs: good point [21:30] ubuntu philosophy is things like the "don't be a jerk" rule for charms IMO. [21:30] jcastro: Can you give an example? 
[21:31] My charm deletes user data without asking [21:31] or ... says it does something but really does something else [21:31] same I understand [21:31] or sends your data to a third party without your knowledge, etc. etc. [21:31] basically, follow CoC when writing your charms [21:32] basically, it's a catchall "don't be a jerk" so that our policy on what is acceptable and not acceptable isn't a huge book [21:32] jcastro like to amazon? [21:32] well this is cloud software so like, everything talks to other services [21:33] i seem to remember having this conversation with marco before, and that was his reasoning for the vague terminology [21:33] jcastro: https://www.youtube.com/watch?v=DXnfa0H30L4 [21:33] but like, if I install a "bruzek" charm and it phones home to the author so he can spam me, that sucks [21:33] is there an easy way to check machine creation status? something similar to juju pprint? [21:34] mbruzek, his opinions are based on an incorrect assumption, the dash is an online search engine, it's supposed to do that, and it says it does that clearly and it's easy to turn off [21:34] seal talk with katco in #juju-dev she did some work on the juju status [21:35] mbruzek: thanks [21:35] jcastro: I know [21:35] I'm trying to build a rails deployment with juju, and when trying to start the server I keep getting "no pg_hba.conf entry for host". But looking at the postgres instance, there is an entry in pg_hba.conf that contains all the correct fields. I tried exposing the postgres instance, and no luck. When I run "psql" from a shell on the rails server with all the stuff from my config, I can get to the database. There is only 1 pg_hba.conf on the postgres instance. [21:35] but if a charm is named "aws-analytics" or something and does report data to AWS for the purpose of analytics, then yeah, I'd expect that [21:37] if the fields are correct then the rails instance would have had a working connection to the db already right? 
[21:38] jcastro: yeah, which is why I'm so baffled. The database.yml looks good to me. When I copy out all the fields and use them as arguments to psql, I get the connection [21:39] hmph === roadmr_afk is now known as roadmr === kadams54 is now known as kadams54-away [22:47] cory_fu, kwmonroe: wildfly charms promulgated [22:47] Thank you [22:47] You're the best === tvansteenburgh1 is now known as tvansteenburgh [22:51] Does anyone know how the tomcat charm is intended to be used? https://manage.jujucharms.com/charms/trusty/tomcat [22:51] Specifically, how does one give a site (war, etc) to it to serve? [22:57] cory_fu: it should, web, if it's opening port 80 [22:58] No, I mean that it doesn't support any clearly defined way to get a WAR into it (particularly from another charm) to get tomcat to serve it. [22:58] I was wondering if I'm missing something [22:58] mbruzek: I just noticed you're the maintainer. ^^ [22:59] cory_fu: Yes I am [22:59] Can you answer that question? [22:59] cory_fu: I wrote openmrs charm too [22:59] cory_fu: subordinate charm. Check my openmrs [23:00] mbruzek: over the implicit juju-info interface? [23:00] mbruzek: We're reviewing http://bazaar.launchpad.net/~miqe/charms/trusty/openbook/trunk/view/head:/README.md [23:01] kwmonroe: cory_fu: correct juju-info interface [23:01] cory_fu: kwmonroe: I am busy right now, but I can take a look later [23:01] So juju-info is the *recommended* way to do that? Me no likey [23:03] cory_fu: the interface was named "tomcat-war" but it is simply juju-info relation === kadams54-away is now known as kadams54 [23:13] mbruzek: it was mutable config issue [23:13] :) [23:13] asanjar: The root of all EVIL [23:14] mbruzek: lol [23:32] cory_fu: what is the best way to get the host address with charm helpers? It looks like there's some promising stuff in charmhelpers.core.host; do those come with deterministic ordering? 
=== mmcc` is now known as mmcc [23:47] cory_fu: if you're co-locating with a subordinate, and provide an implicit interface to exchange the data for the WAR to the parent service - i think thats a more acceptable pattern [23:47] but i'm also just starting to explore this territory and the pattern might turn out to be complete tripe