Displaying #traffic-server/2015-11-12.log:

Thu Nov 12 00:02:03 2015  _klk_:Joined the channel
Thu Nov 12 00:07:05 2015  blattj:Joined the channel
Thu Nov 12 00:40:34 2015  dxu:Joined the channel
Thu Nov 12 00:51:52 2015  dxu:Joined the channel
Thu Nov 12 02:42:12 2015  gancho:Joined the channel
Thu Nov 12 03:00:01 2015  _klk_:Joined the channel
Thu Nov 12 03:01:52 2015  gancho:Joined the channel
Thu Nov 12 03:43:33 2015  gancho:Joined the channel
Thu Nov 12 04:16:41 2015  blattj:Joined the channel
Thu Nov 12 04:18:29 2015  blattj1:Joined the channel
Thu Nov 12 04:23:07 2015  gancho:Joined the channel
Thu Nov 12 04:34:02 2015  gancho:Joined the channel
Thu Nov 12 04:40:28 2015  gancho_:Joined the channel
Thu Nov 12 04:48:08 2015  gancho:Joined the channel
Thu Nov 12 04:54:47 2015  gancho:Joined the channel
Thu Nov 12 06:15:58 2015  briang:@jpeach, btw if you're going to change the result = ink_atomic_cas((__int128_t *)&m_log_buffer.data, old_h.data, tmp_h.data);
Thu Nov 12 06:15:59 2015  briang:lines
Thu Nov 12 06:16:04 2015  briang:please change them in LogObject.cc too
Thu Nov 12 06:16:12 2015  briang:I just saw that the loggers also do the same thing.
Thu Nov 12 07:16:29 2015  shinya:Joined the channel
Thu Nov 12 07:20:55 2015  rhand:Joined the channel
Thu Nov 12 09:10:07 2015  Lethalman:Joined the channel
Thu Nov 12 11:03:31 2015  reveller1:Joined the channel
Thu Nov 12 13:04:29 2015  JSeymour:Joined the channel
Thu Nov 12 13:10:16 2015  niq:Joined the channel
Thu Nov 12 13:35:36 2015  sommarnatt:Joined the channel
Thu Nov 12 14:14:19 2015  reveller:Joined the channel
Thu Nov 12 14:27:51 2015  shinrich1:Joined the channel
Thu Nov 12 14:38:43 2015  reveller:Left the channel
Thu Nov 12 14:49:19 2015  esproul:Joined the channel
Thu Nov 12 15:12:34 2015  sudheerv:briang: ping
Thu Nov 12 16:42:33 2015  jrushford:Joined the channel
Thu Nov 12 16:48:40 2015  reveller:Joined the channel
Thu Nov 12 16:50:05 2015  reveller:Will there be a webcast of the Summit so those who can't attend in person can watch/participate in the Summit?
Thu Nov 12 16:52:08 2015  amc:We hope so. The main room has a google hangout thing in it which we plan to use.
Thu Nov 12 16:52:30 2015  davet_:Joined the channel
Thu Nov 12 16:53:01 2015  sudheerv:google hangout seems to have a limit on max allowed participants
Thu Nov 12 16:53:09 2015  sudheerv:i think it was as low as 10 IIRC
Thu Nov 12 16:53:10 2015  Humbedooh:will we be able to see the Vest live?
Thu Nov 12 16:53:20 2015  Humbedooh:(the Vest clearly being amc)
Thu Nov 12 16:53:31 2015  jpeach:there is a youtube live thing for participants to view
Thu Nov 12 16:53:51 2015  jpeach:https://support.google.com/plus/answer/2553119?hl=en
Thu Nov 12 16:54:12 2015  amc:Humbedooh - yes, that's really the only reason people would want to see it live :-)
Thu Nov 12 16:54:23 2015  Humbedooh:yup
Thu Nov 12 17:15:48 2015  es:Joined the channel
Thu Nov 12 17:44:09 2015  blattj:Joined the channel
Thu Nov 12 17:59:34 2015  gancho:Joined the channel
Thu Nov 12 18:29:35 2015  es:Joined the channel
Thu Nov 12 19:40:19 2015  _klk_:Joined the channel
Thu Nov 12 19:45:17 2015  gancho_:Joined the channel
Thu Nov 12 20:16:02 2015  reveller:Left the channel
Thu Nov 12 21:18:10 2015  blattj:Joined the channel
Thu Nov 12 21:22:08 2015  PSUdaemon:jpeach, sudheerv: so it is shorts weather in sunnyvale?
Thu Nov 12 21:22:28 2015  jpeach:for you? definitely
Thu Nov 12 21:22:45 2015  blattj:Left the channel
Thu Nov 12 21:24:23 2015  blattj:Joined the channel
Thu Nov 12 21:29:49 2015  zwoop:always shorts weather
Thu Nov 12 21:35:35 2015  sudheerv:zwoop: PSUdaemon: been a little cold recently
Thu Nov 12 21:35:52 2015  sudheerv:but, like jpeach said, it's shorts weather for you certainly :)
Thu Nov 12 21:35:56 2015  sudheerv:after all, there's no snow
Thu Nov 12 21:36:17 2015  zwoop:snow is no excuse for wearing pants
Thu Nov 12 21:41:44 2015  sudheerv:zwoop: then, what is ;)?
Thu Nov 12 21:42:12 2015  zwoop:20 below cold
Thu Nov 12 21:47:31 2015  sudheerv:and cold=0? :)
Thu Nov 12 21:47:51 2015  jpeach:zwoop: put some pants on!
Thu Nov 12 21:47:56 2015  zwoop:jpeach Make me!!
Thu Nov 12 21:48:07 2015  sudheerv:yeah, i can't believe i've never seen zwoop wearing any pants :p
Thu Nov 12 21:48:12 2015  jpeach:goes to fetch his belt
Thu Nov 12 21:48:17 2015  zwoop:jpeach lol
Thu Nov 12 21:48:46 2015  sudheerv:zwoop: have you *ever* worn any pants, like ever :)
Thu Nov 12 21:48:54 2015  zwoop:oh yeah
Thu Nov 12 21:48:58 2015  zwoop:it gets cold skiing in shorts
Thu Nov 12 21:49:01 2015  sudheerv:when you were 5 yrs old
Thu Nov 12 21:49:01 2015  sudheerv:??
Thu Nov 12 21:49:05 2015  sudheerv:haha
Thu Nov 12 21:50:07 2015  zwoop:https://www.flickr.com/photos/zwoop/5298132253/in/dateposted-public/
Thu Nov 12 21:50:08 2015  zwoop:see, pants
Thu Nov 12 21:51:22 2015  sudheerv:nice! that picture shows two things I thought I'd never see :)
Thu Nov 12 21:51:29 2015  sudheerv:you wearing pants and not wearing a cap
Thu Nov 12 21:51:37 2015  sudheerv:although, you are still wearing a helmet :)
Thu Nov 12 21:51:45 2015  zwoop:no-pants: https://www.flickr.com/photos/mhedstrom/13895649898/in/dateposted/
Thu Nov 12 21:51:53 2015  sudheerv:haha
Thu Nov 12 21:52:11 2015  zwoop:https://www.flickr.com/photos/mhedstrom/12442702554/in/dateposted/
Thu Nov 12 21:52:13 2015  zwoop:pants :)
Thu Nov 12 21:52:14 2015  zwoop:see
Thu Nov 12 21:52:39 2015  sudheerv:nice! you are a skiing guy
Thu Nov 12 21:53:00 2015  sudheerv:https://www.flickr.com/photos/mhedstrom/10610724835/in/photostream/
Thu Nov 12 21:53:05 2015  sudheerv:seriously?
Thu Nov 12 21:53:34 2015  zwoop:indeed
Thu Nov 12 21:53:53 2015  zwoop:that's me teaching briang how to use git. It got, ehm, gory.
Thu Nov 12 22:13:03 2015  sudheerv:cool
Thu Nov 12 22:13:15 2015  sudheerv:zwoop: jpeach: question about ats root privileges
Thu Nov 12 22:13:31 2015  sudheerv:traffic_server is started by manager as root and then it drops its permissions to admin userid?
Thu Nov 12 22:13:45 2015  jpeach:yep
Thu Nov 12 22:13:45 2015  sudheerv:or it starts off as non-root and elevates as necessary?
Thu Nov 12 22:13:56 2015  sudheerv:umm..how does the cert reloading work?
Thu Nov 12 22:13:57 2015  zwoop:jpeach hmmm, you sure ?
Thu Nov 12 22:14:00 2015  jpeach:it has to start as root in order to elevate
Thu Nov 12 22:14:06 2015  zwoop:jpeach I thought manager gave up root before starting _server ?
Thu Nov 12 22:14:22 2015  sudheerv:does it have to start as root or is it enough if root owns the binary?
Thu Nov 12 22:14:28 2015  jpeach:no if it did that server would not be able to elevate back to root to reload
Thu Nov 12 22:14:35 2015  zwoop:jpeach does that mean that it sets its UID back to root again before starting server ?
Thu Nov 12 22:14:44 2015  zwoop:because, on a running system, _manager runs as a non-root user
Thu Nov 12 22:14:52 2015  jpeach:I would *like* that to be true, but apparently it would break Y!
Thu Nov 12 22:15:06 2015  zwoop:hmmm
Thu Nov 12 22:15:51 2015  zwoop:nobody 1876 0.0 0.2 173928 21764 ? Sl Oct12 17:05 /server/bin/traffic_manager
Thu Nov 12 22:15:51 2015  zwoop:nobody 1882 1.1 4.0 2810076 330580 ? Sl Oct12 511:12 /server/bin/traffic_server -M --httpport ip-in=[71.6.199.13]:80:fd=7,ip-in=[71.6.153.205]:80:fd=8,ip-in=[66.240.241.23]:80:fd=9,443:fd=10:ssl
Thu Nov 12 22:16:18 2015  zwoop:how does manager restore its root privilege? That seems crazy that Unix even allows that?
Thu Nov 12 22:16:35 2015  zwoop:or is this some posix capabilities crud ?
Thu Nov 12 22:16:43 2015  sudheerv:zwoop: may be, even manager does the same thing?
Thu Nov 12 22:16:50 2015  sudheerv:starts off as root, but, drops to nobody
Thu Nov 12 22:16:52 2015  sudheerv:?
Thu Nov 12 22:16:59 2015  jpeach:real, effective and saved credentials
Thu Nov 12 22:17:00 2015  sudheerv:but, starts server in between?
Thu Nov 12 22:17:23 2015  zwoop:ah, so it retains the root. Lame.
Thu Nov 12 22:17:42 2015  zwoop:sudheerv but it has to restart it if it crashes
Thu Nov 12 22:18:12 2015  sudheerv:yeah, does it always elevate to root just in time to start server?
Thu Nov 12 22:18:18 2015  sudheerv:similar to what server does in reloading certs
Thu Nov 12 22:18:20 2015  sudheerv:?
Thu Nov 12 22:18:53 2015  zwoop:I guess so
Thu Nov 12 22:19:48 2015  amc:It doesn't retain root if you are using POSIX capabilities.
Thu Nov 12 22:20:04 2015  amc:It retains the DAC privilege so that it can re-elevate that as needed.
Thu Nov 12 22:20:32 2015  _klk_:Joined the channel
Thu Nov 12 22:20:50 2015  sudheerv:-bash-4.1$ ps -eo euid,ruid,cmd | grep traffic
Thu Nov 12 22:20:50 2015  sudheerv: 0 0 /home/y/bin64/traffic_cop
Thu Nov 12 22:20:50 2015  sudheerv: 99 0 /home/y/bin/traffic_manager
Thu Nov 12 22:20:50 2015  sudheerv: 99 99 /home/y/bin/traffic_server -M --httpport 80:fd=8,443:fd=9:ssl,ip-in=[127.0.0.1]:80:fd=10
Thu Nov 12 22:20:51 2015  sudheerv:83035 83035 grep traffic
Thu Nov 12 22:20:51 2015  amc:You should be able to construct an ElevateAccess object to provide the capability in a scope.
Thu Nov 12 22:20:58 2015  sudheerv:zwoop: managers ruid seems to be root
Thu Nov 12 22:21:04 2015  sudheerv:it only demotes its euid
Thu Nov 12 22:21:17 2015  sudheerv:server being a child always inherits the same privileges?
Thu Nov 12 22:21:19 2015  sudheerv:0, 99
Thu Nov 12 22:21:19 2015  sudheerv:?
Thu Nov 12 22:21:37 2015  jpeach:sudheerv: my goal is to eventually drop privilege permanently in server
Thu Nov 12 22:21:54 2015  sudheerv:jpeach: so, server showing 99,99 for ruid and euid
Thu Nov 12 22:21:59 2015  sudheerv:how is it able to go back to 0 for reloading?
Thu Nov 12 22:22:14 2015  sudheerv:this whole thing is confusing as hell :)
Thu Nov 12 22:22:17 2015  amc:But it's showing 99,99 now, according to your paste.
Thu Nov 12 22:22:24 2015  sudheerv:yes, that's what i'm asking
Thu Nov 12 22:22:31 2015  sudheerv:how does cert reload work
Thu Nov 12 22:22:33 2015  amc:Right. It's using POSIX capabilities to do that.
Thu Nov 12 22:22:59 2015  amc:It retains in its real capability set the DAC (disregard access controls) privilege.
Thu Nov 12 22:23:07 2015  amc:It can retrieve that temporarily if needed.
Thu Nov 12 22:23:15 2015  amc:Hold on.
Thu Nov 12 22:24:14 2015  amc:Look here for an example - https://github.com/apache/trafficserver/blob/master/proxy/Main.cc#L1420
Thu Nov 12 22:24:40 2015  amc:This is part of the change set for log rotation. It tries to open the file and if that doesn't work, elevates and tries again.
Thu Nov 12 22:25:00 2015  amc:I had to do that for jpeach's sake, so that it would work without elevation if the file perms were OK.
Thu Nov 12 22:25:32 2015  amc:The construction of the ElevateAccess object recovers the privilege and its destruction drops them.
Thu Nov 12 22:26:47 2015  sudheerv:cool
Thu Nov 12 22:27:00 2015  sudheerv:so, all of this magic happens because of POSIX CAP?
Thu Nov 12 22:27:18 2015  amc:Yes.
Thu Nov 12 22:27:28 2015  sudheerv:cool, thanks
Thu Nov 12 22:27:28 2015  amc:if you don't have that, then the ruid of _server will be 0.
Thu Nov 12 22:28:09 2015  sudheerv:so, if someone doesn't link to POSIX CAP, they will run server as root?
Thu Nov 12 22:28:15 2015  sudheerv:that's a security risk, no?
Thu Nov 12 22:30:49 2015  amc:Yes, it's a risk. It does run as effective UID not root, so it's tolerable.
Thu Nov 12 22:31:03 2015  amc:That's why POSIX capabilities are used if available.
Thu Nov 12 22:31:04 2015  sudheerv:yeah, but, the threads seem to be started off with ruid=0
Thu Nov 12 22:31:21 2015  sudheerv:so, there's still some potential risk
Thu Nov 12 22:31:25 2015  amc:Yes, I think that's correct.
Thu Nov 12 22:31:46 2015  sudheerv:hmm..cool, interesting to know..
Thu Nov 12 22:31:52 2015  sudheerv:this stuff is just too confusing
Thu Nov 12 22:32:56 2015  amc:I think jpeach meant he would like to get to the state where traffic_server doesn't have to start as root.
Thu Nov 12 22:33:02 2015  jpeach:yes
Thu Nov 12 22:33:17 2015  jpeach:then traffic_manager is the privileged helper
Thu Nov 12 22:35:08 2015  _klk_:Joined the channel
Thu Nov 12 22:35:32 2015  sudheerv:that makes sense
Thu Nov 12 22:35:50 2015  sudheerv:alternately, we could say, no reload supported?
Thu Nov 12 22:36:05 2015  jpeach:that seems like it would suck
Thu Nov 12 22:36:08 2015  sudheerv:and permanently give up elevation during run time?
Thu Nov 12 22:36:15 2015  sudheerv:security vs functionality
Thu Nov 12 22:36:35 2015  sudheerv:fwiw, there are configs it seems to allow/disallow that
Thu Nov 12 22:36:46 2015  sudheerv:(assuming i'm reading the code correctly)
Thu Nov 12 22:36:58 2015  jpeach:I hate that you then have to figure out the interactions
Thu Nov 12 22:37:32 2015  sudheerv:proxy.config.ssl.cert.load_elevated
Thu Nov 12 22:37:47 2015  sudheerv:whoever doesn't want to take the risk, can turn that off no?
Thu Nov 12 22:38:07 2015  jpeach:there's other stuff
Thu Nov 12 22:38:13 2015  sudheerv:yeah, i see settings there too
Thu Nov 12 22:38:36 2015  sudheerv:proxy.config.plugin.load_elevated
Thu Nov 12 22:38:45 2015  sudheerv:only these two actually
Thu Nov 12 23:06:55 2015  niq:Joined the channel
Thu Nov 12 23:11:12 2015  blattj:Joined the channel
Thu Nov 12 23:34:09 2015  thumbs:Joined the channel
Thu Nov 12 23:55:55 2015  Top_Cat:Joined the channel