Friday, 2014-01-24

kfox1111: Oh.... heh. https://review.openstack.org/#/c/64874/ looks like it might let me work around that... [00:00]
radix: SpamapS: so on retry-failed-update, what do you think about all the feedback that shardy and zane gave you? [00:00]
radix: er, not shardy, the other steve :) [00:01]
radix: huh, guess the gate got reset [00:03]
kfox1111: shardy: Have you ever tried to use neutron lbaas with your Make LoadBalancer nested stack template configurable changeset? [00:06]
randallburt: kfox1111: shardy is probably fast asleep atm [00:07]
kfox1111: ah. ok. Thanks. [00:07]
SpamapS: radix: I'm actually testing out the updatereplace suggestion now. I just wanted to get an incremental change up that worked with create failed only. [00:08]
radix: okie doke [00:08]
SpamapS: radix: but the approach I've taken will end up being resurrected by update failure recovery anyway.. because on update failed, we don't want to force replacement, we want to force _the same update action as before_ [00:09]
openstackgerrit: A change was merged to openstack/heat: Always specify preserve_ephemeral on server rebuild https://review.openstack.org/68294 [01:10]
openstackgerrit: A change was merged to openstack/heat: add the validation of MaxSize ,MinSize and DesiredCapacity https://review.openstack.org/67618 [01:11]
openstackgerrit: Jenkins proposed a change to openstack/heat: Updated from global requirements https://review.openstack.org/68240 [01:26]
openstackgerrit: huangtianhua proposed a change to openstack/heat: "version" section should be required in template https://review.openstack.org/65895 [02:30]
openstackgerrit: huangtianhua proposed a change to openstack/heat: Fixes template not using the JSON or YAML format https://review.openstack.org/67396 [02:30]
openstackgerrit: Zane Bitter proposed a change to openstack/heat: Fix AWS::StackId pseudo-parameter during stack update https://review.openstack.org/66741 [02:35]
openstackgerrit: A change was merged to openstack/heat: Adding Range constraint for SIZE property https://review.openstack.org/67114 [02:38]
openstackgerrit: Randall Burt proposed a change to openstack/python-heatclient: Add more defalt CA paths https://review.openstack.org/68836 [02:39]
openstackgerrit: A change was merged to openstack/python-heatclient: Move environment and template file functions to own module https://review.openstack.org/66226 [04:12]
openstackgerrit: A change was merged to openstack/python-heatclient: Test coverage of empty environment https://review.openstack.org/66227 [04:12]
openstackgerrit: A change was merged to openstack/python-heatclient: Improve and unit-test template contents fetching https://review.openstack.org/66228 [04:12]
skraynev: Morning! ) [04:44]
openstackgerrit: Sergey Kraynev proposed a change to openstack/heat: Remove default option for fixed_ips https://review.openstack.org/68648 [04:59]
openstackgerrit: Jenkins proposed a change to openstack/heat: Imported Translations from Transifex https://review.openstack.org/64504 [06:05]
openstackgerrit: Sergey Kraynev proposed a change to openstack/heat: Showing member list for nested resources https://review.openstack.org/65970 [06:54]
openstackgerrit: A change was merged to openstack/heat: Implement adopt-stack https://review.openstack.org/62730 [06:58]
openstackgerrit: A change was merged to openstack/heat: Implement adopt-stack for nested stacks https://review.openstack.org/64720 [06:59]
openstackgerrit: A change was merged to openstack/heat: Enable better sub-classing of common Schema class https://review.openstack.org/65688 [07:00]
openstackgerrit: Lee Li proposed a change to openstack/python-heatclient: Using common methods from oslo cliutils https://review.openstack.org/67120 [08:00]
openstackgerrit: huangtianhua proposed a change to openstack/heat: Fix errors on OS::Neutron::Port resource https://review.openstack.org/68870 [08:11]
therve: 'morning [08:15]
therve: skraynev, Don't do recheck no bug please [08:16]
skraynev: therve: hello, ok. If I get error again, I will create bug. [08:18]
therve: Most of the time it exists [08:19]
therve: It looks like bug #1223469 reappeared [08:25]
tspatzier: hi therve [08:28]
therve: tspatzier, Hello [08:28]
tspatzier: I have a question on a review: https://review.openstack.org/67171 [08:28]
tspatzier: There is a gerrit code review message that says I should do a merge locally and submit a new patch. But after it a jenkins message that says everything is ok. [08:29]
tspatzier: do I have to do anything? [08:29]
therve: tspatzier, Hum, that's strange. [08:31]
tspatzier: I did a rebase locally without any conflicts. [08:32]
tspatzier: Should I just wait and see what happens? [08:32]
therve: Let's see if I can reapprove [08:34]
openstackgerrit: Serg Melikyan proposed a change to openstack/heat: Fixed OS::Neutron::Pool creation https://review.openstack.org/67792 [08:38]
pshchelo: morning all :) [08:43]
skraynev: therve: need your attention. [08:45]
therve: skraynev, Hi [08:46]
skraynev: therve: hi) I want to ask about tenant_id option [08:46]
therve: tspatzier, Looks to be in the queue [08:46]
therve: skraynev, Yes [08:46]
skraynev: therve: I know, that for neutron resources it was unused (according not correct working f.e. https://review.openstack.org/#/c/60607/) [08:47]
skraynev: therve: and now we don't add this parameter in resource's schema [08:49]
therve: Yes because it's not a good idea [08:50]
skraynev: therve: but as huangtianhua said here https://review.openstack.org/#/c/68870/, we have this option in Net resource [08:50]
therve: Yeah that was a mistake [08:50]
skraynev: therve: and I have a little doubt about should we remove it or not? [08:50]
therve: Removing stuff is hard [08:51]
skraynev: therve: why is it hard? has it some requirements? [08:52]
therve: skraynev, Because we care about backward compatibility [08:52]
skraynev: therve: OMG. again this hell phrase 'backward compatibility' ))) [08:53]
skraynev: therve: anyway, thanks. you helped me to find an answer. [08:54]
openstackgerrit: Pavlo Shchelokovskyy proposed a change to openstack/python-heatclient: Fix order of arguments in assertEqual https://review.openstack.org/64039 [09:26]
openstackgerrit: A change was merged to openstack/heat: Add a new "UpdateWaitConditionHandle" resource https://review.openstack.org/63245 [09:27]
openstackgerrit: Pavlo Shchelokovskyy proposed a change to openstack/python-heatclient: Add `update_type` as parameter to stack-update https://review.openstack.org/64274 [09:46]
openstackgerrit: A change was merged to openstack/heat: Fix order of arguments in assertEqual (patch 2/2) https://review.openstack.org/64415 [10:28]
openstackgerrit: A change was merged to openstack/heat: Ignore tox -e cover generated files https://review.openstack.org/67030 [10:28]
openstackgerrit: A change was merged to openstack/heat: Database model for software config/deployment https://review.openstack.org/58876 [10:28]
openstackgerrit: Pavlo Shchelokovskyy proposed a change to openstack/heat: Fix order of arguments in assertEqual (patch 1/2) https://review.openstack.org/61457 [11:01]
openstackgerrit: Angus Salkeld proposed a change to openstack/heat: Update olso gettextutils https://review.openstack.org/67758 [11:15]
openstackgerrit: Angus Salkeld proposed a change to openstack/heat: Update oslo db https://review.openstack.org/67759 [11:15]
openstackgerrit: Angus Salkeld proposed a change to openstack/heat: Update base oslo modules https://review.openstack.org/67757 [11:15]
openstackgerrit: A change was merged to openstack/heat: Remove dependencies on pep8, pyflakes and flake8 https://review.openstack.org/67129 [11:38]
openstackgerrit: A change was merged to openstack/heat: Make LB-updating in rolling update more reliable https://review.openstack.org/68311 [11:38]
openstackgerrit: Mitsuru Kanabuchi proposed a change to openstack/heat: Implements resource type NetworkGateway https://review.openstack.org/62287 [12:33]
DaveJ_: Hi guys [12:42]
DaveJ_: seeing an old issue where stack delete fails [12:42]
DaveJ_: is there any way to manually remove stacks? [12:42]
DaveJ_: looks like all the resources have been deleted [12:42]
shardy: DaveJ_: Have you tried just re-running stack-delete, and if so what is the error in the /var/log/heat/engine.log? [12:59]
DaveJ_: It's complaining about a resource that has already been deleted (a network port) [13:00]
DaveJ_: 2014-01-24 13:00:05.359 14101 TRACE heat.engine.resource PortNotFoundClient: Port 2cc2416c-9e04-4df8-9f17-03a1ab31dc1f could not be found [13:00]
shardy: DaveJ_: What version of Heat are you using? [13:04]
shardy: AFAICS that exception should be caught and ignored in both master and stable/havana [13:04]
shardy: https://github.com/openstack/heat/blob/stable/havana/heat/engine/resources/neutron/port.py#L110 [13:04]
DaveJ_: Yeah I'm using latest Havana from RDO [13:15]
DaveJ_: Just checked the source file and it has that exception block, but must not be getting hit. [13:15]
shardy: DaveJ_: Hmm, sounds odd, maybe a bug - would be nice to figure out why, are you able to debug a little further? [13:17]
shardy: maybe change the except neutron_exp.NeutronClientException to except Exception and log the type in the except block? [13:17]
DaveJ_: shardy: yep - just going to grab lunch then have another look [13:19]
shardy: DaveJ_: Ok, thanks! [13:19]
DaveJ_: shardy: looks like the exception is being caught here https://github.com/openstack/heat/blob/stable/havana/heat/engine/resources/network_interface.py#L83 [13:34]
DaveJ_: The status code is 0 [13:34]
shardy: DaveJ_: Is it a PortNotFoundClient exception getting raised? [13:36]
shardy: maybe we need an or like in the link I pasted [13:36]
DaveJ_: damn it - forgot to print that out. I'll re-create it, and figure out what instance it actually is. [13:37]
DaveJ_: yeah I think a specific check like the other block would work. I'll raise a bug and make that change. [13:37]
shardy: DaveJ_: Maybe the top level _handle_not_found_exception in the base NeutronResource needs updating, and the per-resource functions removing [13:39]
radix: good morning heaters [13:52]
therve: Hey radix [13:53]
radix: morning therve :) [13:58]
pshchelo: hi all, have a question about allowed_pattern. How should it be specified in the template? special quotes or smth? [14:21]
pshchelo: because http://paste.openstack.org/show/61822/ does not work it seems [14:21]
therve: pshchelo, I think you need quotes [14:24]
pshchelo: which kind? both " and ' do not work. or should I quote the parameter in the command line too? [14:26]
shardy: pshchelo: You have to specify a full match not just the fragment [14:32]
shardy: pshchelo: try '^server.*' [14:32]
pshchelo: shardy, thanks, that worked [14:36]
sdake: morning [15:13]
shardy: window 33 [16:11]
shardy: oops [16:11]
randallburt: no [16:11]
randallburt: window 42 [16:11]
randallburt: ;) [16:11]
shardy: :) [16:12]
openstackgerrit: Jun Jie Nan proposed a change to openstack/heat: Enabled source code coverage for contrib directory https://review.openstack.org/68953 [16:24]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Add Docker resources to docs https://review.openstack.org/68753 [16:29]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Rename rackspace.rst to contrib.rst https://review.openstack.org/68752 [16:29]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Add Rackspace resources summary to docs https://review.openstack.org/68793 [16:29]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Restructure Rackspace resources https://review.openstack.org/68747 [16:29]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Reorganize docker-plugin for consistency https://review.openstack.org/68748 [16:29]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Allow force registration of docker resource https://review.openstack.org/68749 [16:29]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Change Docker resource mapping name https://review.openstack.org/68750 [16:29]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Generate docs for contrib plugins https://review.openstack.org/68751 [16:29]
openstackgerrit: Jun Jie Nan proposed a change to openstack/heat: Added testr-args option support for tox coverage https://review.openstack.org/67036 [16:34]
edmund: Anyone know how we create/generate the REST API documentation (http://api.openstack.org/api-ref-orchestration.html)? The APIs related to GETs don't show what the XML or JSON looks like in the detail [16:44]
shardy: Hi edmund: It's created via the api-site repo: [16:46]
shardy: https://github.com/openstack/api-site [16:46]
therve: https://github.com/openstack/api-site/tree/master/api-ref/src/wadls/orchestration-api/src/v1/samples more exactly [16:48]
shardy: edmund: Here's an example of how you can add an example response to the doc: [16:48]
shardy: https://review.openstack.org/#/c/65484/2/api-ref/src/wadls/orchestration-api/src/v1/orchestration-api.wadl [16:48]
shardy: edmund: As you've noticed, not all of them have example responses yet [16:48]
openstackgerrit: Jun Jie Nan proposed a change to openstack/heat: Refactor software config db model to use LongText https://review.openstack.org/68967 [16:57]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Add Docker resources to docs https://review.openstack.org/68753 [17:01]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Rename rackspace.rst to contrib.rst https://review.openstack.org/68752 [17:01]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Add Rackspace resources summary to docs https://review.openstack.org/68793 [17:01]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Add force_resource_mapping option https://review.openstack.org/68746 [17:01]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Restructure Rackspace resources https://review.openstack.org/68747 [17:01]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Reorganize docker-plugin for consistency https://review.openstack.org/68748 [17:01]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Allow force registration of docker resource https://review.openstack.org/68749 [17:02]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Change Docker resource mapping name https://review.openstack.org/68750 [17:02]
openstackgerrit: Anderson Mesquita proposed a change to openstack/heat: Generate docs for contrib plugins https://review.openstack.org/68751 [17:02]
openstackgerrit: Pablo Andres Fuente proposed a change to openstack/heat: Global environment ignores files starting with dot https://review.openstack.org/68971 [17:18]
edmund: shardy, thanks! [17:26]
sjmc7: shardy, you have a sec? [17:33]
shardy: sjmc7: sure [17:33]
sjmc7: thanks. since the merge a few days ago to move some functions to the keystone v3 api [17:34]
sjmc7: it's introduced a problem running for me because keystone by default sets a domain id of 'default' [17:34]
sjmc7: which isn't recognized by our identity server - is that something you've seen? [17:34]
sjmc7: it's been in keystone since last june, but is only used for v3 calls so i haven't come across it til now [17:35]
shardy: sjmc7: Well all requests via the v3 API use the default domain unless you specify one [17:35]
sjmc7: right - and that default is hardcoded to be 'default' ? [17:35]
randallburt: shardy: any heartburn over me approving https://review.openstack.org/#/c/60991? [17:36]
shardy: sjmc7: I believe that is the, uh, default, unless you have overridden it with default_domain_id in keystone.conf [17:36]
shardy: randallburt: Nope, I think that's all good now [17:37]
sjmc7: ok, so this is something our identity guys have configured unusually, so we'll need to always provide one [17:37]
randallburt: shardy: cool, thanks! [17:37]
shardy: sjmc7: Possibly, I need more info really to fully understand your issue [17:38]
shardy: sjmc7: Are you running with latest master keystone? [17:38]
sjmc7: no - keystone's running on HP cloud [17:38]
shardy: sjmc7: So you're running heat in standalone mode against HP cloud's APIs? [17:39]
sjmc7: yeah [17:39]
shardy: Hrm, I didn't test that [17:39]
sjmc7: i wouldn't expect you to :) [17:39]
sjmc7: if i comment out the 'default' assignment in keystoneclient all is well again. i'm trying to figure out if there's an issue i can bug someone about or whether it's just getting to the point where the version mismatch is too much [17:40]
shardy: sjmc7: Well that is a use-case (standalone) which we want to support, but it may be difficult until the public cloud providers update to icehouse, because for this v3 stuff to work, really we're relying on icehouse keystone (mostly due to bugfixes) [17:40]
sjmc7: that was what i was afraid of. ok, understood [17:41]
shardy: sjmc7: If you pass domain=None does it work? [17:41]
sjmc7: yeah [17:41]
sjmc7: so that's the workaround [17:41]
shardy: So maybe that's a viable workaround - we could pass that into keystoneclient, but I'll have to test to ensure that works OK for the non-standalone case [17:42]
sjmc7: sure. that's not something i can pass as a header, is it? [17:42]
sjmc7: it seems unusual to default to 'default' instead of being left None [17:43]
*** SergeyLukjanov_a is now known as SergeyLukjanov_17:43
shardysjmc7: yeah, maybe that's a keystoneclient bug17:43
sjmc7ok. if it's not too specific to us maybe it can go into the heat config, otherwise i'll workaround it17:45
*** topol has joined #heat17:46
shardysjmc7: None works for me too, where do you see the 'default' assignment in keystoneclient?17:47
sjmc7in httpclient - one sec, will get the line number and commit17:47
sjmc7shardy - lines 184 and 202 in keystoneclient/httpclient.py, 2239c3b27c657dc0ffe2dbd0f95325e0ed7ae7c517:49
*** aignatov_ is now known as aignatov17:49
*** harlowja has joined #heat17:51
*** aignatov is now known as aignatov_17:51
*** tango has quit IRC17:52
*** derekh has quit IRC17:52
shardysjmc7: I think that is a bug, otherwise it will never work with any non-default default_domain_id17:56
shardywhich is probably what you're seeing17:56
shardysjmc7: I can look at sending a keystoneclient patch, unless you're planning to do so?17:56
openstackgerritRandall Burt proposed a change to openstack/heat: Refactor CLB to work with groups  https://review.openstack.org/6558617:57
sjmc7shardy - if you're able to, that would be great. if not, i can at least file a ticket, but i haven't spent a great deal of time looking at keystone17:59
openstackgerritRandall Burt proposed a change to openstack/heat: Rackspace Cloud Networks resource  https://review.openstack.org/6879017:59
*** yogesh has joined #heat18:00
shardysjmc7: https://bugs.launchpad.net/python-keystoneclient/+bug/127245118:07
sjmc7ah, great, thanks shardy. i'll keep an eye on the issue - if nobody comes up with a good reason for the code i'll try and find time to submit a patch18:08
shardysjmc7: I'm looking at it now, will submit a patch later today hopefully18:09
sjmc7you move fast! awesome, thanks18:09
shardysjmc7: If you can subscribe to the bug and test my fix when it's posted that would be great18:10
sjmc7sure thing18:10
*** mkollaro has quit IRC18:11
*** SergeyLukjanov_ is now known as SergeyLukjanov18:12
*** harlowja has quit IRC18:14
*** kfox1111 has quit IRC18:14
*** kfox1111 has joined #heat18:16
*** harlowja has joined #heat18:16
openstackgerritJason Dunsmore proposed a change to openstack/heat: Add personality files property to Server resource  https://review.openstack.org/6868518:22
openstackgerritJason Dunsmore proposed a change to openstack/heat: Add privateIPv4 attribute to Server resource  https://review.openstack.org/6868618:22
openstackgerritJason Dunsmore proposed a change to openstack/heat: Native Nova Server compatibility for Cloud Server  https://review.openstack.org/5804318:22
*** spzala has joined #heat18:26
*** che-arne has quit IRC18:27
*** arbylee has joined #heat18:32
*** tango has joined #heat18:33
*** arbylee has quit IRC18:41
openstackgerritPablo Andres Fuente proposed a change to openstack/heat: Global environment ignores files starting with dot  https://review.openstack.org/6897118:43
openstackgerritJason Dunsmore proposed a change to openstack/heat: Make Server compatible with Nova Key Pair resource  https://review.openstack.org/6823018:43
shardysjmc7: can you provide a cut/paste of the engine backtrace you're seeing please?18:44
sjmc7sure. in the keystone bug?18:45
shardysjmc7: yeah attached to the bug would be ideal, thanks18:45
*** nati_ueno has joined #heat18:50
pafuentHi. What should I do when the patches on which my patch depends on are merged? Should I rebase my patch and remove the dependencies or leave the patch as is?18:51
shardypafuent: Yep, just do git checkout master; git pull; git checkout <topic branch>; git rebase -i origin18:52
shardythen when you next do git review the dependencies will be updated18:52
pafuentshardy: The <topic branch> is the same that had the dependencies on it?18:53
shardypafuent: yup18:54
pafuentshardy: Thanks18:54
*** e0ne has joined #heat18:56
sjmc7done, shardy19:02
sjmc7let me know if you need anything else19:02
*** gokrokve_ has joined #heat19:02
*** jprovazn_ has quit IRC19:02
shardysjmc7: Thanks, will do - I hit some problems testing the simple fix (s/'default'/None) so may have to dig a bit deeper19:02
sjmc7ok, shardy. hopefully someone'll know why those assignments were added; it seems strange19:03
*** tsmadds has quit IRC19:04
shardysjmc7: by the looks of it it's because some v3 API interfaces expect a domain or you get this:19:04
shardyhttp://paste.openstack.org/show/61843/19:05
sjmc7urgh19:05
*** gokrokve has quit IRC19:05
shardyI may need to speak to one of the keystone devs and/or spend some more time looking at the keystone API code to understand what's happening19:05
sjmc7ok, thanks. i can try and track down one of our keystone guys19:06
shardyI don't see how it can be reasonable to expect the clients to know what the default domain ID is, since it's a server-side setting19:06
sjmc7right. and i don't know if there's a way to provide it in lots of cases19:06
shardysjmc7: Ok, sounds good, I was going to spend a bit more time looking then probably speak to jamielennox about it, probably not till Monday now tho19:07
sjmc7ok, great19:07
shardyFor a moment there it looked like a nice simple fix ;)19:07
sjmc7:)  in my heart i knew it would be19:07
sjmc7tricky19:07
*** gokrokve has joined #heat19:08
openstackgerritAnderson Mesquita proposed a change to openstack/python-heatclient: Add support for build info API  https://review.openstack.org/6648319:09
*** arbylee has joined #heat19:10
*** arbylee has quit IRC19:11
*** arbylee has joined #heat19:12
*** gokrokve_ has quit IRC19:12
*** vijendar has joined #heat19:15
*** david-lyle has quit IRC19:15
*** dims has quit IRC19:21
*** morazi has joined #heat19:30
*** nati_ueno has quit IRC19:32
*** nati_ueno has joined #heat19:35
*** gokrokve has quit IRC19:39
*** tango has quit IRC19:40
*** akuznetsov has quit IRC19:47
*** cmyster has joined #heat19:49
*** harlowja is now known as harlowja_away19:53
*** tsmadds has joined #heat20:00
*** tsmadds has quit IRC20:05
*** rwsu has quit IRC20:14
*** rwsu has joined #heat20:20
*** nati_ueno has quit IRC20:28
*** rbrady has joined #heat20:31
rbradystevebaker: ping20:32
rbradySpamapS: ping20:32
*** radez is now known as radez_g0n320:44
*** tspatzier has joined #heat20:49
SpamapSrbrady: pong, wassup?20:49
*** _ruhe is now known as ruhe20:53
rbradySpamapS: I'm still wrestling heat with a heat template.  Do you know of a usage example of: https://github.com/openstack/tripleo-heat-templates/blob/master/nova-compute-group.yaml to deploy multiple compute nodes?20:54
*** tsmadds has joined #heat20:56
rbradySpamapS: I'm less interested in the compute nodes and more interested in multi-* nodes.  I've tried a couple of different approaches and I either get an error in heat validate-template or when i tried to simply copy resources and change the name I get a random key error from merge.py20:56
*** yogesh has quit IRC20:56
openstackgerritJason Dunsmore proposed a change to openstack/heat: Native Nova Server compatibility for Cloud Server  https://review.openstack.org/5804320:56
openstackgerritVijendar Komalla proposed a change to openstack/heat: Delete rackspace database resource  https://review.openstack.org/6814420:59
zanebrbrady: what is the validation error you're seeing?21:00
*** tsmadds has quit IRC21:00
rbradyzaneb: with one approach I'm seeing "ERROR: Every Resource object must contain a Type member."21:01
rbradyzaneb: with the other approach I'm seeing http://paste.openstack.org/show/61852/21:02
*** bvandenh has quit IRC21:04
zanebI don't grok tripleo, so only SpamapS can help you with the second ;)21:05
zanebthe first one is weird though, since the templates I'm looking at appear to be correct21:06
zanebrbrady: one thing to note is that https://raw.github.com/openstack/tripleo-heat-templates/master/nova-compute-instance.yaml is not in the HOT format21:06
zanebso if you have a tool that is merging in parts of a HOT template, that could be the problem21:07
*** harlowja_away is now known as harlowja21:07
* rbrady is off to go look at file formats21:08
*** yogesh has joined #heat21:08
openstackgerritAnderson Mesquita proposed a change to openstack/heat: Add Docker resources to docs  https://review.openstack.org/6875321:08
openstackgerritAnderson Mesquita proposed a change to openstack/heat: Add Rackspace resources summary to docs  https://review.openstack.org/6879321:08
zanebrbrady: heat_template_format_version -> HOT; HeatTemplateFormatVersion -> not HOT21:11
rbradyzaneb: thanks for clearing that up.  I was just looking at the docs and couldn't see much of a difference other than the date and casing21:12
SpamapSrbrady: hm21:12
SpamapSzaneb: we're still CFN-ish21:12
SpamapSzaneb: we'll convert to HOT when software config is ready21:13
zanebbtw, last I checked you can't use HOT templates as provider templates either21:13
zanebSpamapS: OK, maybe that is not the issue then21:13
SpamapSthe merge tool we have is _pure evil_21:13
SpamapS<-- author21:13
randallburtzaneb:  I thought shardy fixed that at one point, but I haven't tried it in an age tbh21:13
*** topol has quit IRC21:14
zanebok, that's possible too21:14
zanebSpamapS: what are you merging, out of curiosity?21:14
zanebwe may grow some more libraries to help with that at some point21:14
SpamapSzaneb: we have pieces of template that we need to re-use at the sub-server level21:15
andersonvomshardy, zaneb: you guys around?21:15
SpamapSzaneb: they're 100% metadata though, so hot-software-config will solve the merge problem entirely for us21:15
zanebSpamapS: OK, carry on then ;)21:16
SpamapSzaneb: some of the things we use it for could also be done via nested stacks... but my early luck was bad with those, so sometimes we just merge two templates into one without changing anything21:16
zanebandersonvom: let's say that I am :)21:17
andersonvomzaneb: =P I wanted to chat and see if we reached any consensus re the unscoped list stacks21:18
zanebit's pretty late in the UK, so I don't imagine we'll see shardy back before Monday21:18
SpamapSrbrady: can you share overcloud-with-many-cinder.yaml ?21:19
rbradySpamapS:  do you see anything obvious with this http://paste.openstack.org/show/61857/ creating this error in the merge: http://paste.openstack.org/show/61852/21:19
zanebI think there was consensus that we shouldn't allow any of this in the default policy.json21:19
zanebrandallburt: ^ correct?21:19
rbradySpamapS: yeah21:19
zanebandersonvom: but I don't think there's consensus about the rest of it yet21:19
randallburtzaneb:  yup21:19
rbradySpamapS: if I could get it to build. :)21:19
SpamapSrbrady: ok hm21:20
randallburtandersonvom:  sounded to me like we were ok for policy for v1 and something "better" using trusts in v2? zaneb not sure what you mean by "the rest of it"21:20
SpamapSrbrady: kind of looks like you need to add a BlockStorageImage parameter to overcloud-source.yaml21:20
SpamapSbut.. I have no idea why21:21
zanebrandallburt: I mean this particular implementation, with another global admin flag21:21
randallburtzaneb:  gotcha, though I'm not sure how we'd get around it unless/until the keystone stuff gets sorted.21:21
randallburtand last I looked the patches seemed stalled.21:21
zanebrandallburt: I left another comment you may not have seen yet21:22
randallburtzaneb:  k. lemme check21:22
*** gondoi has quit IRC21:22
zanebbut mainly waiting on feedback from shardy21:22
rbradySpamapS: no joy21:22
zanebhe is the expert in this stuff and has been digging into it very deeply21:22
randallburtzaneb:  oh, I see. You mean in the policy take the absence of a tenant as the "admin" flag?21:23
zanebmmm, not quite21:23
* shardy reads backscroll21:24
zanebI'm not sure how you figure out a request is for all tenants without having a different URL21:24
*** gondoi has joined #heat21:24
zanebbut my idea was just to put tenant=None in the context if it's for all tenants21:25
zanebinstead of really_admin or admin_me_harder or whatever it was21:25
randallburtzaneb:  I see. and whoops. we've said his name too many times.21:25
randallburtand IIRC, there is a tenantless call for all stacks as part of that patch (or another one). andersonvom?21:26
SpamapSrbrady: can you toss what you're trying to do into a gerrit review (make it WIP or draft or something) so I can look at it? Hard to speculate at this point.21:26
zanebrandallburt: oh, it is a separate url? I don't recall seeing that in that patch... may be in a related one21:26
rbradySpamapS: yes...thanks.  I'll get it up in a few min21:26
randallburtzaneb:  I was mis-remembering21:28
zanebok21:28
* zaneb is not losing it21:28
randallburtyeah, so this says, if you are the service admin and call /stacks, you get all of them, not just yours.21:28
shardyzaneb: The idea was to move to a v2 API where the stacks GET doesn't have any tenant in the path, then the results are either scoped to the token, or in the case of a service scoped token you return results for all tenants21:29
randallburtI'm getting all these management api patches confused21:29
shardybut I don't understand any use-case where it makes sense to allow one identity to do lifecycle operations on all stacks21:29
randallburtshardy:  and the proposal was to use the policy to limit that as I recall, but not sure where we landed there.21:30
zanebrandallburt: and also if you are the service admin, you can read/manipulate everyone's stacks, not just yours?21:30
shardyit just seems too high risk to me, and there are existing keystone workflows which would allow it21:30
randallburtzaneb:  without policy enforcement, yes21:30
shardyrandallburt: Yeah I think we reached the point yesterday where we all went "hmm" and went away to think about it ;)21:30
randallburtk21:31
shardyrandallburt: Does your use case actually require lifecycle operations vs just listing stuff though?21:31
shardyThat's the thing making me really concerned21:31
randallburtshardy:  yes, but that's not really dependent on this per-se21:31
randallburtthe big thing is accessing all the stacks regardless of tenant, but the "hole" in this patch is the requirement imposed by that timestamp code in parser.21:32
shardyrandallburt: As you pointed out yesterday, there are existing, much much less risky ways to do that, e.g trusts or temporary project assignments21:32
*** achampion has quit IRC21:32
zanebSo if we add a policy rule like: "stacks:global_index": "forgetaboutit"... then we just have to determine whether a particular request is for the global index or is tenant-scoped, and then apply the correct policy21:33
shardyrandallburt: So, what I thought we agreed to was just a global list stacks, and I can understand the use-case, ie an efficient way to get the status of everything21:33
*** sgordon has quit IRC21:33
randallburtshardy:  yes, but again, i can't list stacks without having carte-blanche to the stack itself (iirc, andersonvom should probably correct me if I've misunderstood)21:33
zaneband leave it up to the operator to determine that policy21:33
*** ruhe is now known as _ruhe21:33
shardyrandallburt: but the patch as proposed now goes way beyond that, and tbh the idea of merging it is giving me nightmares re CVE's ;)21:34
zanebrandallburt: you can but enforcement at the database level is not sufficient to achieve that21:34
openstackgerritPablo Andres Fuente proposed a change to openstack/heat: Enforce event purge process to remove older events  https://review.openstack.org/6902121:34
randallburtzaneb:  not sure I understand. I thought the whole sticking point was https://github.com/openstack/heat/blob/master/heat/engine/parser.py#L60-L6321:36
randallburtand for that to work, even for global-stack-list, the user would have to have access to all stacks regardless of tenant21:37
zanebrandallburt: right, but the problem is that if we allow _that_ at the database level, we allow everything because the database level is the only place where permissions are checked21:37
randallburtandersonvom:  do I have the right of it?21:37
zanebrandallburt: so different APIs need to have different policies21:37
zaneblist = ok, create/delete/update/read = not ok21:37
randallburtzaneb:  so prevent tenantless stack creates/deletes/updates at the db level?21:38
andersonvomrandallburt: catching up here, one sec21:38
zanebbut you can't enforce that at the DB level; the DB doesn't know what API the user called21:38
*** tspatzier has quit IRC21:38
randallburtzaneb:  doesn't matter though. preventing that at the db level doesn't affect the use case21:38
randallburtif the admin user can't manipulate the stacks without having to impersonate/trust/whatever, that's fine by me.21:39
*** SergeyLukjanov is now known as SergeyLukjanov_21:39
zanebrandallburt: I'm not saying we need to check it at the DB level. I'm saying that our API policy controls are not sufficiently granular21:40
randallburtzaneb:  currently or "cannot be made to be"?21:40
zanebcurrently21:40
andersonvomshardy, zaneb, randallburt: yes, that is correct. you can't list the stacks without having access to that particular stack because of the timestamp21:40
zanebbecause the 'really_admin' flag applies equally to every api call21:41
randallburtok, so if the patch included a "locked down" policy file, then it would be acceptable (in the interim, of course)?21:41
shardyzaneb: So this is kinda where I was headed with request-scoping-policy, which was to make all DB calls scoped to a project, and improve our policy support so more granular rule definitions can be supported21:41
zanebit would be better, but not nearly as good as a policy file where you can enable it for just this one API, and not for every API21:42
shardybut this management stuff has kinda derailed the former so I've stopped working on the latter21:42
shardyzaneb: Well I think you could do that with the existing policy mechanism, just not in a very elegant way21:43
randallburtzaneb:  true but I don't think you can express it that way, can you?21:43
randallburtor what shardy said.21:43
zaneb<zaneb> So if we add a policy rule like: "stacks:global_index": "forgetaboutit"... then we just have to determine whether a particular request is for the global index or is tenant-scoped, and then apply the correct policy21:43
zanebquoting myself ^21:43
randallburtbasically three rules that say stack-create, stack-update, and stack-delete and service-admin = nope21:43
*** jdob has quit IRC21:43
zanebabove may be crazy; I don't know21:44
zanebwhat it requires is some way of knowing that you want the global list21:44
randallburtzaneb:  not crazy, but I think would require a separate uri for stacks:global_index, but not sure.21:44
zanebthat doesn't involve a magical hard-coded thing21:44
*** nkhare has joined #heat21:45
randallburtwhich IIRC, was one of the original approaches.21:45
*** aweiteka has quit IRC21:45
zanebyeah, hence my suggestion that this might be our v1 approach21:45
zanebI believe we get to decide in the code which policy we want to enforce though21:46
randallburtso we're back to GET v1/stacks in the api?21:46
zanebit's not determined automatically on the basis of the URL21:46
randallburtzaneb:  yes, I think so.21:46
shardyrandallburt: well the point is that for the v2 API, that will be the path for *all* GET stacks21:46
zanebwe just need the *user* to distinguish the requests somehow21:46
zanebby URL or other means21:47
*** tango has joined #heat21:47
randallburtyup and yup21:47
shardyso we still need a non path related way to distinguish global vs scoped21:47
zaneb /v1/<tenant_id>/stacks?global=yesplease would be fine also21:47
randallburtzaneb:  k. andersonvom what do you think?21:48
zanebmagic header would work21:48
shardyzaneb: but how would query parameters be enforceable in the policy?21:48
zanebnull tenant id would work21:48
shardymaybe it would be, I'm not sure21:48
zanebshardy: dunno, where is the policy enforced?21:48
randallburtshardy:  they'd map to some param in some function which could then enforce the policy.21:49
shardyzaneb: There's an oslo policy enforcer module21:49
shardyhttps://github.com/openstack/heat/blob/master/heat/openstack/common/policy.py21:49
shardywe're not making full use of that atm21:49
zanebbadly worded question21:49
zanebwhere do we tell the policy enforcer which policy to enforce?21:50
andersonvomzaneb: @policy.enforce decorator21:50
zanebhttps://github.com/openstack/heat/blob/master/heat/api/openstack/v1/util.py#L3221:50
shardyhttps://github.com/openstack/heat/blob/master/heat/common/policy.py21:50
zanebso if we have a separate index_global handler for the query version, then it happens for free21:51
zanebalternative might be ugly, but definitely do-able21:51
shardyyeah the decorator basically calls the policy.enforce with a scope and target, but currently we only use the scope argument21:51
zanebso if ?global is set, enforce stack_index_global policy, otherwise enforce stack_index policy21:52
zanebmake that stacks:global_index and stacks:index21:53
randallburtGET v1/tenant/stacks/all ? might be easier to map to a decorated handler21:53
zanebrandallburt: namespace conflict21:54
randallburtoh, yeah. forgot it's not terribly sophisticated when it comes to routing.21:54
andersonvomrandallburt, shardy, zaneb: I may have missed something in the convo, but how does all this get around the fact that for us to list stacks we need access to get_stack as well?21:55
randallburtit doesn't :(21:55
zanebit's not so much that the routing is unsophisticated, as that a user can create a stack called "all", and that is its URL21:55
randallburtstupid name-based lookups ;)21:56
zanebandersonvom: so, if the request is global we set tenant to some special value (maybe None?) in the context21:56
zanebandersonvom: and the db allows access to everything in that case21:56
*** tsmadds has joined #heat21:57
zanebso we're forcing the user to decide at the point of calling the API, "is this global or tenant-scoped?"21:57
randallburtwhich doesn't really alleviate the underlying issues in the current patch without adding the policy/api parts in it or in another patch21:57
zaneb(which, btw is something that should be decided explicitly anyway)21:57
shardyzaneb: well that's basically where we headed with this patch, only the special value is defined in the policy21:57
shardyusing None is not a good plan IMO21:57
zanebshardy: probably right on the None. special value would be better21:58
randallburtso this patch is good then ;)21:58
zanebI don't agree that what I'm talking about is the same as what's in the patch21:59
openstackgerritA change was merged to openstack/heat: Make endpoint_type configurable  https://review.openstack.org/5771721:59
openstackgerritA change was merged to openstack/heat: Fix error in RS Auto Scale properties schema  https://review.openstack.org/6791321:59
zanebas I was saying, we're forcing the user to decide at the point of calling the API, "is this global or tenant-scoped?"21:59
shardyrandallburt: No, because it's not limited to listing stacks21:59
shardy;)21:59
zaneband we're enforcing whether this is allowed at the point of the API call21:59
*** andrew_plunk has joined #heat22:00
randallburtso how do we get around that again? because you guys are saying "policy and api enforcement" but you still need to get any stack regardless of tenant for it to work.22:00
shardyrandallburt: well maybe we have to fix those timestamp attributes to make it work22:01
*** tsmadds has quit IRC22:01
zanebrandallburt: if context.tenant == GLOBAL_TENANT: return stack22:01
andersonvomshardy: if we change the timestamp, then the patch becomes list only again22:01
randallburtandersonvom:  and that's ok.22:01
randallburtzaneb:  that's essentially what it does now, though22:02
andersonvomshardy: plus, I would love to remove that code! seems very inefficient to me ;)22:02
shardyandersonvom: Yeah, it's just a question of how we do it, since the stack-list output includes the creation_time22:03
randallburtwell, if you're up for doing that, andersonvom I'd agree wholeheartedly. I think it's going to be pretty tricky, tbh.22:03
andersonvomzaneb: I agree with randallburt, that's pretty much the gist now. instead of context.tenant —> context.is_service_admin22:03
zanebright, but it does it based on a global flag that's only tied to the user via some magic hard-coded values instead of being to both a user and a particular request by a policy22:03
shardythere *must* be a way to do this cleanly without giving write access to everything tho22:03
andersonvomzaneb: oh, I see what you're saying22:04
andersonvomI think22:04
andersonvomshardy: can't we just use whatever came from the database? without trying to fetch it again?22:04
randallburtshardy:  why are we even doing that lookup there when those data elements get pulled on load anyway?22:05
randallburtmaybe not as tricky as I thought.22:05
shardyandersonvom: probably, and randallburt I don't know ;)22:05
pafuentSpamapS: Are you around?22:06
zanebandersonvom: all that Timestamp stuff is crazy btw. you can basically just remove it and nothing will change22:06
andersonvomzaneb: that was my feeling precisely22:06
zanebandersonvom: I say this as the author of it ;)22:06
andersonvomLOL22:06
shardyI'm going to have to go guys, getting late..22:07
randallburtandersonvom:  so lets give that a shot then. Remove or move that timestamp stuff to someplace sane and see if it breaks, then we can revisit this patch and see how it changes22:07
zanebshardy: o/22:07
randallburtnight, shardy and thanks!22:07
shardygood discussion, speak again Monday, have a good weekend!22:07
shardyo/22:07
andersonvomshardy: g'night! thanks for chatting22:07
zanebrandallburt: that's a good thing to do, but doesn't make this patch a good solution22:07
randallburtbut it changes the need for it22:08
zanebbecause it still requires operators to match up to hard-coded stuff in the api22:08
*** shardy is now known as shardy_afk22:08
randallburtthat timestamp stuff is the sole reason for the "global access to everything" in stack-get22:08
zaneband it still makes it implicit whether a request will return everything or tenant-local stuff22:08
zanebbased on a hard-coded tenant name22:08
SpamapSpafuent: sort of. :) Did you see my messages on the bug tracker?22:09
randallburtright, I'm saying there's probably little or no need for the more controversial aspects of this patch if the timestamp goes away and then andersonvom's work becomes much easier to align with these suggestions22:09
randallburtso yeah, this patch will look very different after that change22:09
andersonvomrandallburt, zaneb: how about this: I'll try to change the timestamp stuff and include a way that makes the request for all stacks explicit as an added bonus22:09
randallburtif not replaced by a different one.22:09
zanebrandallburt: understood, but this doesn't seem like the policy.json or the API we want to go forward with22:10
andersonvomzaneb: but this is a workaround just for v1, right?22:10
randallburtandersonvom:  sounds good to me, and yes, once we start for serious on v2, most of this won't be needed.22:10
pafuentSpamapS: I just see your comment22:10
zanebin v2, how will you indicate that you want the global list of stacks, not just the tenant-local one?22:11
zanebit seems to me that needs to be explicit too22:11
randallburtit will happen based on your token and roles, IIRC.22:11
randallburtif you call /stacks in v2, you get a list of "all the things you can see"22:11
pafuentSpamapS: I saw the patch of Chmouel and seems to be struggling with the migration22:11
randallburtand can then filter that down if there's more than one tenant for the project you have rights to22:12
andersonvomrandallburt: I guess what zaneb is talking about is that if you have access to your stacks PLUS all stacks, that you should be able to differentiate the two requests, IIRC22:12
zanebrandallburt: what does a global-scope token look like?22:12
SpamapSpafuent: right, so if you can get it done, that would solve the ordering problem properly. :)22:12
pafuentSpamapS: Why not solve the purge issue first and then solve the other one22:12
zanebandersonvom: yes, exactly22:12
randallburtzaneb:  dunno tbh, its what I understood from shardy22:12
SpamapSpafuent: because then you have to revert the purge patch?22:12
randallburtand in v2 the tenant stuff is reversed.22:13
pafuentSpamapS: Nope, because it cold be merge sooner22:13
randallburtit's not /v2/tenant/stacks, it's /v2/stacks and /v2/stacks/tenant22:13
zanebit's still there, it's just a header instead of in the URL22:13
pafuents/cold/could22:13
*** blomquisg has quit IRC22:13
SpamapSpafuent: so I think it is a waste of time to review a patch which is entirely unnecessary after another patch, which is nearly done and ready, lands.22:13
randallburtright, but your tenant id may have roles that allow you to see/manage other tenants things in the domain/project/whatever22:14
randallburtso it's RBAC and not policy22:14
* SpamapS wonders if there is a word that means "community with too much terminology"22:15
pafuentSpamapS: That is true. I was asking this because the migration seems to be harder than my patch. I'll try to pick up the event-list bug.22:16
randallburtSpamapS:  keystone? :)22:16
SpamapSpafuent: the migration should not be hard. I think the answer is to just go back to having the integer ID as the primary key.22:16
SpamapSrandallburt: openstack?22:16
randallburteven better22:16
pafuentSpamapS_22:17
andersonvom:P22:17
pafuentSpamapS: Ok. I will check the migration on Monday (or the weekend if I have time)22:18
SpamapSpafuent: let me know if I can help. :)22:19
SpamapSpafuent: I was thinking of looking at it next week too.22:20
zanebrandallburt: in that case yes, it sounds like everything is just temporary until v2. Not sure how we'll enforce RBAC at the DB level though?22:22
randallburtzaneb:  another day's discussion probably ;)22:22
* zaneb suspects more than one day ;)22:23
randallburtindeed22:23
*** pafuent has left #heat22:34
*** nkhare has quit IRC22:34
openstackgerritJenkins proposed a change to openstack/heat: Updated from global requirements  https://review.openstack.org/6824022:35
*** cmyster has quit IRC22:39
openstackgerritJenkins proposed a change to openstack/python-heatclient: Updated from global requirements  https://review.openstack.org/6904122:40
*** giulivo has quit IRC22:41
*** IlyaE has joined #heat22:45
openstackgerritSteve McLellan proposed a change to openstack/heat: Disallow security_groups for Servers with neutron Ports assigned to them  https://review.openstack.org/6905222:45
openstackgerritJason Dunsmore proposed a change to openstack/heat: Add personality files property to Server resource  https://review.openstack.org/6868522:47
*** jasond` has quit IRC22:48
*** tsmadds has joined #heat22:57
*** tsmadds has quit IRC23:02
*** david-lyle has joined #heat23:02
*** pvaneck has quit IRC23:04
*** john-n-seattle2 has joined #heat23:04
*** jergerber has quit IRC23:07
*** vijendar has quit IRC23:08
*** vijendar has joined #heat23:09
*** che-arne has joined #heat23:09
*** topol has joined #heat23:11
*** topol has quit IRC23:12
*** topol has joined #heat23:13
*** arbylee has quit IRC23:17
*** alexpilotti has quit IRC23:18
*** yogesh has quit IRC23:19
*** morazi has quit IRC23:20
*** jamieh has quit IRC23:22
*** topol has quit IRC23:25
*** andersonvom has quit IRC23:29
*** vijendar has quit IRC23:30
*** vijendar has joined #heat23:30
*** vijendar has quit IRC23:31
*** faramir has joined #heat23:50
*** sjmc7 has quit IRC23:55
*** tsmadds has joined #heat23:58
