IRC logs for #aegir, 2015-08-09 (GMT)

2015-08-08
2015-08-10
TimeNickMessage
[10:13:50]* Egyptian[Home] has quit (Remote host closed the connection)
[10:14:43]* cweagans has quit (Quit: Computer has gone to sleep.)
[10:42:30]* Egyptian[Home] has joined #aegir
[11:09:06]* fatguylaughing has quit (Quit: fatguylaughing)
[11:17:10]* Egyptian[Home] has quit (Ping timeout: 246 seconds)
[11:24:02]* ivanjaros has quit (Quit: https://drupal.org/user/135190)
[11:30:44]* Egyptian[Home] has joined #aegir
[12:47:16]* titanous has quit ()
[13:46:39]* cweagans has joined #aegir
[14:48:52]* cweagans has quit (Quit: Computer has gone to sleep.)
[15:51:09]* cweagans has joined #aegir
[16:01:06]<cweagans>.
[16:01:11]<cweagans>hefring: log pointer?
[16:01:11]<hefring>http://hefring.mig5.net/bot/log/aegir/2015-08-09#T582525
[16:21:58]<cweagans>ergonlogic: can't say I didn't try, I guess.
[16:32:19]<ergonlogic>cweagans: let's see
[16:32:50]* cweagans has left #aegir ("Gone.")
[16:32:52]* cweagans has joined #aegir
[16:33:38]<cweagans>I don't think he's going to change his position, and personally, I don't see how we could get ourselves back in the position of having a pile of code that does everything. I mean, maybe it'll work, but *why* would we do that? I just don't get it.
[16:34:14]<ergonlogic>fwiw, I'm not convinced that a Drupal site talking directly to the Kubernetes/Openshift (KOs?) REST API is secure
[16:34:22]<ergonlogic>sorry, commenting on the arch
[16:34:35]<cweagans>but whatever. idgaf. I just spun up Kubernetes in about a minute locally in a vagrant box, and now I'm working on openshift.
[16:35:21]<cweagans>Maybe not, but it's more secure than the entire world talking to KOs API. If the API server is locked down to nodes in the cluster, that's an improvement at least. I'm not sure how we'd go further than that, though.
[16:35:38]<cweagans>(all the nodes in the cluster can talk to the API through the kubectl command anyhow)
[16:35:58]<ergonlogic>so, I've met lots of old school sysadmins who would just refuse to have a web front-end speaking directly to provisioning systems
[16:36:31]<ergonlogic>well, I think a task queue is actually a good solution there
[16:37:12]<ergonlogic>if we encapsulate our calls to the KOs APIs in tasks, we can control thinga like what system use runs them, and such
[16:38:06]<ergonlogic>and not leave a huge attack surface open, if we authenticate directly to KOs via the webui
[16:38:41]<ergonlogic>it'S largely the reason we have a queue in Aegir now
[16:39:07]<ergonlogic>but I'm open to being convinced otherwise
[16:39:22]<ergonlogic>but I think it buys us a couple other things
[16:39:36]<ergonlogic>like async operations
[16:39:52]<ergonlogic>and websockets
[16:40:27]<ergonlogic>also scheduled tasks, if we go with celery
[16:41:10]<ergonlogic>I'd much rather write websockets in Python for some of this, rather than AJAX polling, for example
[16:41:28]<cweagans>I don't see any difference, actually. If I can log into the web frontend and queue a task, we'll keep track of that tasks status and success state through the queue (which will basically just report back to us when it's done). That's fine, but it's not very different from just telling the Openshift API "here's who I am. do this thing". They already have a queue that's running for this kind of thing, so why not just piggyback on what they've
[16:41:28]<cweagans> done?
[16:42:13]<cweagans>Websockets would make things more responsive, that's true. It could certainly be an optional component, though, as it's largely presentational, and the canonical data source is still the same (Kubernetes and Openshift)
[16:42:29]<ergonlogic>true
[16:42:59]<ergonlogic>I mostly worry about having the openshift credentials available to a web frontend
[16:44:57]<ergonlogic>the credentials for the queue would still have to be on the webui
[16:45:12]<cweagans>They'd have to be available somewhere, and the "docker way" is to just put them in the environment. In any case, if we can't trust the Drupal authentication/authorization mechanisms to do their job, we're kind of in trouble.
[16:45:24]<cweagans>idk. I could go either way, but I'm generally leaning toward lower complexity these days.
[16:45:28]<cweagans>your call.
[16:45:37]<ergonlogic>I'm all for less complexity
[16:45:49]<ergonlogic>but we can't sacrifice security either
[16:45:54]<ergonlogic>I'm not married tot he idea
[16:46:08]<ergonlogic>it's more of a serious concern
[16:46:34]<ergonlogic>and the implementation is definitely up for debate
[16:47:24]<ergonlogic>fwiw, I'm not talking about trying to take over orchestration from openshift
[16:47:29]<cweagans>right
[16:47:51]<cweagans>I think we could go with a lower complexity for now (mainly for the sake of getting things working), and make it more or less swappable, so that later, we can come in and add the separation of the web ui and the queue runner. Personally, I have no qualms about the web UI being able to just call the Openshift API, but I guess it's possible that others would.
[16:48:33]<cweagans>If that separation is needed for security's sake (even if it's false security ;) ), being able to disable the direct api calls and delegate to a queue is not a horrible requirement.
[16:48:38]<cweagans>like I said - I can go either way :)
[16:49:35]<ergonlogic>well, it'd also potentially mean moving logic out of Drupal
[16:50:58]<cweagans>That's true. We could probably make it a standalone Kubernetes/Openshift API library that can be used at either the Drupal or queue runner level.
[16:51:42]<ergonlogic>how much do you see Aegir abstracting openshift conpects, if at all?
[16:51:52]<ergonlogic>concepts
[16:52:35]<ergonlogic>I don't know that we want to expose the entire openshift API via a gui
[16:52:38]<cweagans>Honestly, not that much. In fact, I think abstracting things too far is actively harmful to our users. There's already a ton of docs written for Kubernetes and Openshift, and if we start using different terms for the same concepts (or groups of concepts), things will get really confusing really quickly.
[16:52:43]<cweagans>Yeah, definitely.
[16:53:09]<cweagans>But I think it's reasonable to, for instance, tell it to spin up a site or increase the number of app containers.
[16:53:31]<ergonlogic>right
[16:53:50]<ergonlogic>if we support multiple backends, we'll need to normalize terminology
[16:54:01]<cweagans>or assign routes based on the hostname or take backups. Things like that. But I don't think we'd want to allow putting other servers in the cluster from the Aegir UI. That seems like a job for Rán.
[16:54:37]<ergonlogic>but I think we should prioritize exposing those higher-level concepts, over the guts
[16:54:46]<cweagans>True, and that's one of the things that's turning me off from that particular idea. It gets to the point where we have to support the lowest common denominator from all the PaaSes out there, and possibly invent our own terminology to support it.
[16:54:50]<cweagans>That's fair.
[16:55:24]<ergonlogic>right
[16:55:49]<ergonlogic>that's why I suggested that Flynn would have to be more feature complete before we should really consider it
[16:56:06]<ergonlogic>as in, it'd have to have a feature-set comparable to openshift
[16:56:31]<ergonlogic>in which case, it probably has most of the same functions
[16:57:02]<cweagans>Hopefully. There may not be a mapping between some things, though. Kubernetes is on the more complex end of things, for sure - it has a lot of concepts that aren't present in any other PaaS
[16:57:04]<ergonlogic>but possibly different (maybe better) implementations
[16:57:17]<cweagans>Namespaces, RCs, and Pods, to be exact.
[16:57:23]<ergonlogic>yeah
[16:58:01]<ergonlogic>well, I'm fine with targeting openshift and kubernetes exclusively at this stage
[16:58:30]* cweagans too
[16:58:56]* cweagans probably won't go too far beyond that in the foreseeable future, either.
[16:58:56]<ergonlogic>but to the extent that it's practical, I'd like to try to keep backend swappability in mind
[16:59:04]<ergonlogic>no, true
[16:59:29]<ergonlogic>I doubt we're going to paint ourselves into a corner here
[16:59:32]* ivanjaros has joined #aegir
[16:59:32]<cweagans>We should definitely keep in mind, but I wouldn't be opposed to not writing any code to support it until we really need it.
[16:59:33]<cweagans>yeah
[16:59:47]<ergonlogic>right, that's fine
[17:02:19]<ergonlogic>fwiw, I know Antoine has an opinion on the webui-backend-credentials issue.
[17:02:34]<ergonlogic>I trust his security sensibility
[17:02:59]<ergonlogic>and much deeper sysadmin experience than mine
[17:04:11]<ergonlogic>anyway, goodnight
[17:04:25]<cweagans>Alrighty. We can discuss more later. Have a good night!
[17:04:34]<ergonlogic>and thanks again for such a detailed argument in the gh issue
[17:05:05]<cweagans>one other thing here that might be of interest: http://kubernetes.io/v1.0/docs/admin/authorization.html
[17:05:06]<cweagans>and no problem
[17:05:11]<cweagans>it's the least I can do :)
[17:05:56]<ergonlogic>no, the least you can do is nothing :p
[17:06:12]<ergonlogic>I appreciate the effort
[17:40:32]* attiks has joined #aegir
[17:46:57]* attiks has quit (Quit: WeeChat 0.4.2)
[17:47:19]* attiks has joined #aegir
[17:49:32]* cweagans has quit (Quit: Gone.)
[17:51:28]* attiks has quit (Client Quit)
[18:51:42]* ivanjaros has quit (Quit: https://drupal.org/user/135190)
[19:10:01]* ivanjaros has joined #aegir
[19:41:13]* e-anima has joined #aegir
[20:11:34]* thunderWilly has joined #aegir
[20:12:24]* e-anima has quit (Ping timeout: 264 seconds)
[00:01:13]* titanous has joined #aegir
[00:10:53]* mstenta has joined #aegir
[01:03:05]* shaneonabike has joined #aegir
[01:04:30]* shaneonabike has left #aegir ()
[02:20:17]* ivanjaros has quit (Quit: https://drupal.org/user/135190)
[02:35:02]* gboudrias has quit (Remote host closed the connection)
[02:37:45]* Egyptian[Home] has quit (Remote host closed the connection)
[03:39:29]* ivanjaros has joined #aegir
[03:50:33]<formatC_vt_>is anyone know why we do drush_bootstrap(DRUSH_BOOTSTRAP_DRUPAL_ROOT) when we deleting platform?
[03:54:22]<formatC_vt_>i can't delete broken platform because this function returns DRUSH_NO_SITE
[04:12:20]* gboudrias has joined #aegir
[04:12:32]* cweagans has joined #aegir
[04:14:45]<cweagans>Hey ergonlogic - I was up super late working with Openshift. it's pretty amazing. The UI is still not that great, and is mostly ready only for important things (though you can create new projects from a Github repo). In any case, I dug into the API a bit, and they have a really full featured role/permission based access control system. You can restrict a user so much that they can only see the names of the projects that they have access to
[04:14:45]<cweagans> (and nothing else), or you can give them the world and let them start changing kubernetes settings. It's pretty robust too. I tried to break it every why I know how, but it's more or less modeled after selinux.
[04:14:51]<cweagans>it's very, very well done.
[04:15:16]<cweagans>The UI is also horribly unusable and not really useful in general, so I think there's a great place for us to fit in
[04:15:33]<cweagans>Finally, they have some ansible scripts that will do an automated install of Openshift (including the kubernetes components)
[04:30:36]* cweagans has quit (Quit: Computer has gone to sleep.)
[05:06:50]* shaneonabike has joined #aegir
[05:08:14]* shaneonabike has left #aegir ()
[05:52:33]* mstenta has quit (Read error: Connection reset by peer)
[05:53:57]* mstenta has joined #aegir
[06:20:28]* cweagans has joined #aegir
[06:23:57]<cweagans>hefring: log pointer?
[06:23:57]<hefring>http://hefring.mig5.net/bot/log/aegir/2015-08-09#T582643
[06:59:28]* Egyptian[Home] has joined #aegir
[07:14:12]* mstenta has quit (Quit: Leaving.)
[07:14:22]* mstenta has joined #aegir
[07:30:33]* ivanjaros has quit (Quit: https://drupal.org/user/135190)
[08:08:12]* cweagans has quit (Quit: Computer has gone to sleep.)
[09:26:27]* cweagans has joined #aegir
[09:41:40]* thunderWilly has quit (Read error: Connection reset by peer)