| Posted | Nick | Remark | |
|---|---|---|---|
| #openstack-nova - 2019-04-01 | |||
| 16:07:25 | bauzas | jaypipes: FWIW, I give you credits on helping some French folk who was working on a Stackforge project named "Climate" to know why Jenkins was telling him -1 sometimes | |
| 16:07:51 | bauzas | then, 5 months after, he was working on Nova | |
| 16:08:02 | bauzas | err, 4 | |
| 16:08:08 | openstackgerrit | Eric Fried proposed openstack/nova-specs master: Tools & docs for backlog & abandoned spec process https://review.openstack.org/648800 | |
| 16:10:45 | openstackgerrit | Merged openstack/nova master: tests: Stub out privsep modules https://review.openstack.org/648747 | |
| 16:18:49 | openstackgerrit | Eric Fried proposed openstack/nova-specs master: Abandon flavor-classes backlog spec https://review.openstack.org/649095 | |
| 16:26:29 | mnaser | hmm | |
| 16:30:51 | openstackgerrit | Eric Fried proposed openstack/nova-specs master: Abandon instance-tasks backlog spec https://review.openstack.org/649100 | |
| 16:34:09 | openstackgerrit | Eric Fried proposed openstack/nova-specs master: Abandon parallel-scheduler backlog spec https://review.openstack.org/649101 | |
| 16:36:13 | openstackgerrit | Eric Fried proposed openstack/nova-specs master: Abandon same-instances-scheduling backlog spec https://review.openstack.org/649102 | |
| 16:48:16 | openstackgerrit | Stephen Finucane proposed openstack/nova master: Raise Exception instead of Exception method call https://review.openstack.org/482200 | |
| 17:58:43 | mnaser | just to confirm | |
| 17:58:50 | mnaser | nova-consoleauth is no longer technically needed as of stein | |
| 17:59:03 | mnaser | assuming all the "cleanup" of remaining things was killed off in rocky? | |
| 18:12:08 | melwitt | mnaser: right, not technically needed. only if you needed already existing console auths to work during a rolling upgrade, or if you have long TTL and didn't want things invalidated immediately | |
| 18:12:23 | melwitt | what do you mean by "cleanup" of remaining things? | |
| 18:14:32 | mnaser | melwitt: yeah I meant that if you didn't want things to be smooth and consoles not be invalidated | |
| 18:14:46 | mnaser | now curiously I have this other issue where the calculated token hash doesn't seem to match the one in the db.. | |
| 18:16:10 | mnaser | I get token id `dc574410-2c5c-4762-ae0d-f1689372337f` .. the sha256 is b7cc4998dea5dd0a3b663fcbe8df7c487246b3d3e52ec3361530b091477e5b28 which matches the db entry | |
| 18:16:28 | mnaser | but when I do a print(token_hash) in the novncproxy codebase.. I get e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | |
| 18:17:29 | melwitt | hm, that's strange. I'm not aware of anything that could have changed there | |
| 18:17:43 | mnaser | ok, looks like the function is being called with token == '' | |
| 18:19:20 | melwitt | hm... empty string should mean that the GET url didn't have the token in it | |
| 18:19:55 | mnaser | yeah url im hitting has a token, im following it up the stack, im up to _get_connect_info_database() and that gets a token == none | |
| 18:20:00 | melwitt | that's where the token comes from (GET request param or cookie) in the novncproxy | |
| 18:23:04 | melwitt | mnaser: https://github.com/openstack/nova/blob/master/nova/console/websocketproxy.py#L195 | |
| 18:23:26 | mnaser | melwitt: that gets called when we call /websockify which doesn't seem to have a token | |
| 18:23:34 | mnaser | print('path', self.path) in here shows | |
| 18:23:41 | mnaser | ('path', '/websockify') | |
| 18:25:10 | mnaser | oh crap, I have a dr appointment in 5 minutes gotta run, ill dig into this after if you don't keep looking | |
| 18:25:19 | mnaser | but looks like unless its not sending cookies with a token.. we can't do anything | |
| 18:25:34 | melwitt | ok. I'll keep looking. I'm not familiar with the /websockify path so I need to find what that is | |
| 18:26:47 | melwitt | because usually the path should be like this http://ip:port/?token=xyz | |
| 18:33:36 | mnaser | melwitt: indeed and xyz is there but it looks like the token lookup seems to happen in the websockify part | |
| 18:34:49 | mnaser | Weird thing is that code has been there for 5 years so.. | |
| 18:35:13 | mnaser | Unless the behaviour to forward token from cookie was removed with more recent novnc versions | |
| 18:35:29 | melwitt | yeah, I know. I'm puzzled as to what's going on here | |
| 18:35:55 | mnaser | We pull master novnc in OSA so mahbe its recent behaviour change | |
| 18:36:27 | melwitt | I'll take a look in novnc | |
| 18:37:03 | mnaser | Okay | |
| 18:37:11 | melwitt | I thought the cookie thing was a backup, if the token is not in the GET request params, but forwarding via cookie does sound really familiar | |
| 18:37:16 | mnaser | melwitt: we use vnc_lite.html in OSA. https://github.com/novnc/noVNC/commit/51f9f0098d306bbc67cc8e02ae547921b6f6585c | |
| 18:38:14 | melwitt | I had dug into this stuff back when I worked on the db backend for console auths, back when we were thinking we could pass the instance uuid in the GET request too (turns out bc of novnc limitations, more than one request param would not work) | |
| 18:38:50 | melwitt | (it only forwards the first request param) | |
| 18:39:05 | mnaser | So it always probably used a cookie but that seems to have been pulled out from vnc_lite.html which is for some historic reason what’s being used in OSA | |
| 18:40:14 | melwitt | huh, interesting | |
| 18:40:30 | mnaser | The worrying thing is I can’t find any token references in novnc | |
| 18:40:32 | melwitt | / If a token variable is passed in, set the parameter in a cookie. | |
| 18:40:33 | melwitt | / This is used by nova-novncproxy. | |
| 18:40:49 | mnaser | Where do you see this melwitt ? | |
| 18:40:51 | melwitt | seeing that all in red being removed. "used by nova-novncproxy" :P | |
| 18:41:03 | melwitt | mnaser: in the commit you linked https://github.com/novnc/noVNC/commit/51f9f0098d306bbc67cc8e02ae547921b6f6585c#diff-1d6838e3812778e95699b90d530543a1L173 | |
| 18:41:20 | mnaser | ugh | |
| 18:41:42 | mnaser | What does devstack use | |
| 18:42:04 | mnaser | I wonder how it hasn’t been affected | |
| 18:42:15 | melwitt | must not be using lite? | |
| 18:43:07 | melwitt | bc this was removed from the vnc_lite.html file, unless I'm missing something | |
| 18:43:45 | mnaser | Of course | |
| 18:43:58 | mnaser | NOVNC_FROM_PACKAGE defined in jobs | |
| 18:44:43 | melwitt | http://logs.openstack.org/65/627765/12/check/tempest-full-py3/b00b2ab/controller/logs/devstacklog.txt.gz#_2019-04-01_08_01_25_051 | |
| 18:45:17 | mnaser | Yikes well i guess we can ask novnc to revert | |
| 18:49:53 | melwitt | mnaser: I don't understand, how do you use lite vs not? | |
| 18:50:23 | mnaser | melwitt: vnc_lite seems to be what vnc_auto was a while ago | |
| 18:50:36 | mnaser | Searching the code doesn’t give any results for token | |
| 18:50:40 | melwitt | mnaser: and which one you use depends on the url you use? | |
| 18:51:05 | melwitt | yeah, ok. looks like we have to ask for a revert of at least that part | |
| 18:51:22 | mnaser | melwitt: I assume we’re using the lite which handled the token stuff and did the cookie handoff | |
| 18:51:45 | melwitt | mnaser: yeah, I'm just saying, how do you choose whether to use lite or not | |
| 18:51:56 | mnaser | dunno :P | |
| 18:52:01 | melwitt | haha ok | |
| 18:52:13 | mnaser | It seems like there’s something called token plugin | |
| 18:52:24 | melwitt | at first I was thinking, can we use non-lite but then you pointed out only lite was handling token | |
| 18:52:30 | melwitt | so my thought was moo | |
| 18:52:49 | mnaser | Don’t quote me on this stuff I’m going over it on my phone heh | |
| 18:53:30 | melwitt | :) | |
| 18:54:43 | melwitt | I do wonder why we have to rely on the cookie forwarding. I wonder why it doesn't just show up as a GET request param by the time we get it | |
| 18:54:59 | melwitt | from the way our code is written, it looks like the expectation was that the cookie was a fall back | |
| 18:55:14 | melwitt | but in practice, we were always falling back | |
| 18:56:41 | melwitt | going to see if I can find out | |
| 19:15:57 | openstackgerrit | Eric Fried proposed openstack/nova master: Correct lower-constraints.txt and the related tox job https://review.openstack.org/622972 | |
| 19:16:34 | openstackgerrit | Eric Fried proposed openstack/nova master: Correct lower-constraints.txt and the related tox job https://review.openstack.org/622972 | |
| 19:17:38 | openstackgerrit | Eric Fried proposed openstack/nova master: Mock time.sleep() in unit tests https://review.openstack.org/648762 | |
| 19:25:36 | mnaser | melwitt: so I think the problem here is the /websockify HTTP request comes afterwards | |
| 19:26:01 | mnaser | so its GET /vnc_lite.html?token=foobar .. and then CONNECT /websockify | |
| 19:26:12 | mnaser | so you can't really reliably tie that GET request and the CONNECT request | |
| 19:26:28 | mnaser | UNLESS we sent a Set-Cookie: token when you visit vnc_lite.html | |
| 19:26:36 | mnaser | that would workaround it | |
| 19:27:18 | melwitt | mnaser: I see. well, from some googling it looks like something like this might work? GET /vnc_lite.html?path=/websockify?token=foobar | |
| 19:28:19 | openstackgerrit | Eric Fried proposed openstack/nova master: Add placement as required project to functional py36 and 37 https://review.openstack.org/649068 | |
| 19:28:29 | melwitt | second ? should probably be a & | |
| 19:28:45 | mnaser | I think it would be cleaner to set-cookie | |
| 19:28:59 | melwitt | or maybe not | |
| 19:30:02 | melwitt | mnaser: ok. I can see if I can figure out how to do that, unless you want to | |
| 19:32:32 | mnaser | melwitt: im looking around right now, just need to figure out where the HTTP requests are handled in nova-novncconsole | |
| 19:32:35 | mnaser | ill welcome all help :P | |
| 19:32:44 | mnaser | *novncproxy | |
| 19:34:15 | mnaser | think it relies on upstream this https://github.com/novnc/websockify/blob/master/websockify/websocketproxy.py#L267 | |
| 19:34:26 | mnaser | self.token_plugin = kwargs.pop('token_plugin', None) | |
| 19:34:28 | mnaser | oh I wonder what that is | |
| 19:35:39 | melwitt | mnaser: I looked at that and it doesn't seem like something that would help us. but I could be wrong https://github.com/novnc/websockify/wiki/Token-based-target-selection | |