| *** e0ne has quit IRC | 00:02 | |
| *** kevinbenton is now known as kevin | 00:05 | |
| *** kevin is now known as kevinbenton | 00:05 | |
| *** zns has quit IRC | 00:06 | |
| *** radez_g0n3 is now known as radez | 00:10 | |
| *** tango has quit IRC | 00:12 | |
| *** rcleere has quit IRC | 00:15 | |
| *** david_lyle_ has quit IRC | 00:23 | |
| *** matsuhashi has joined #heat | 00:23 | |
| *** saurabhs1 has quit IRC | 00:29 | |
| *** lnxnut has joined #heat | 00:32 | |
| *** saurabhs has joined #heat | 00:32 | |
| *** saurabhs has quit IRC | 00:35 | |
| *** shakayumi has joined #heat | 00:41 | |
| *** shakayumi has quit IRC | 00:41 | |
| *** shakayumi has joined #heat | 00:42 | |
| *** shakayumi has quit IRC | 00:42 | |
| *** pvaneckw has quit IRC | 00:44 | |
| *** nati_uen_ has joined #heat | 00:46 | |
| *** nati_uen_ has quit IRC | 00:47 | |
| *** nati_uen_ has joined #heat | 00:47 | |
| *** saurabhs has joined #heat | 00:49 | |
| *** nati_ueno has quit IRC | 00:49 | |
| *** ZZpablosan is now known as pablosan | 00:52 | |
| *** saurabhs has left #heat | 00:53 | |
| *** e0ne has joined #heat | 00:57 | |
| openstackgerrit | lvdongbing proposed a change to openstack/heat: Rename HARestarter to HARebuilder https://review.openstack.org/75803 | 00:58 |
|---|---|---|
| *** jcru has quit IRC | 01:00 | |
| *** e0ne has quit IRC | 01:02 | |
| *** harlowja_away is now known as harlowja | 01:05 | |
| *** therve has quit IRC | 01:15 | |
| *** therve has joined #heat | 01:15 | |
| *** gokrokve_ has quit IRC | 01:16 | |
| *** gokrokve has joined #heat | 01:16 | |
| *** gokrokve has quit IRC | 01:20 | |
| *** lnxnut has quit IRC | 01:27 | |
| *** lnxnut has joined #heat | 01:27 | |
| *** lnxnut has quit IRC | 01:31 | |
| *** nati_ueno has joined #heat | 01:35 | |
| *** nati_uen_ has quit IRC | 01:38 | |
| *** nati_ueno has quit IRC | 01:44 | |
| *** nati_ueno has joined #heat | 01:44 | |
| *** nosnos has joined #heat | 01:46 | |
| *** e0ne has joined #heat | 01:57 | |
| *** gokrokve has joined #heat | 02:01 | |
| *** e0ne has quit IRC | 02:02 | |
| *** fandi has joined #heat | 02:03 | |
| *** DaveJ__ has quit IRC | 02:07 | |
| *** erkules_ has joined #heat | 02:22 | |
| *** erkules has quit IRC | 02:25 | |
| *** radez is now known as radez_g0n3 | 02:25 | |
| *** nati_uen_ has joined #heat | 02:32 | |
| *** nati_ueno has quit IRC | 02:36 | |
| *** rpothier_ has quit IRC | 02:39 | |
| *** achampion has joined #heat | 02:40 | |
| *** rpothier has joined #heat | 02:40 | |
| *** radez_g0n3 is now known as radez | 02:41 | |
| *** erkules_ has quit IRC | 02:44 | |
| *** erkules_ has joined #heat | 02:47 | |
| *** cody-somerville has joined #heat | 02:47 | |
| *** radez is now known as radez_g0n3 | 02:55 | |
| *** e0ne has joined #heat | 02:57 | |
| *** derekh is now known as derekh_afk | 02:57 | |
| openstackgerrit | huangtianhua proposed a change to openstack/heat: Fix typo and remove unused code in nova_utils.py https://review.openstack.org/76740 | 02:59 |
| *** e0ne has quit IRC | 03:01 | |
| *** nati_uen_ has quit IRC | 03:02 | |
| *** LiangC has joined #heat | 03:05 | |
| *** WinnieTsang has joined #heat | 03:15 | |
| *** zhiyan_ is now known as zhiyan | 03:16 | |
| *** pablosan has quit IRC | 03:30 | |
| *** daneyon_ has joined #heat | 03:32 | |
| *** pablosan has joined #heat | 03:34 | |
| *** ramishra has joined #heat | 03:34 | |
| *** david-lyle has joined #heat | 03:36 | |
| *** coolsvap has quit IRC | 03:42 | |
| *** tspatzier has joined #heat | 03:50 | |
| *** e0ne has joined #heat | 03:57 | |
| *** e0ne has quit IRC | 04:01 | |
| *** Linz has joined #heat | 04:08 | |
| *** tspatzier has quit IRC | 04:18 | |
| *** pablosan is now known as ZZpablosan | 04:20 | |
| *** lnxnut has joined #heat | 04:29 | |
| *** saurabhs has joined #heat | 04:35 | |
| *** tspatzier has joined #heat | 04:43 | |
| *** asalkeld has quit IRC | 04:44 | |
| *** tspatzier has quit IRC | 04:50 | |
| *** e0ne has joined #heat | 04:57 | |
| *** matsuhashi has quit IRC | 05:00 | |
| *** lnxnut has quit IRC | 05:02 | |
| *** e0ne has quit IRC | 05:02 | |
| *** coolsvap has joined #heat | 05:04 | |
| sdake | annoying I just got a 1760$ gift card for amazon | 05:13 |
| sdake | and I spent 130$ there this morning | 05:13 |
| * sdake grumbles | 05:13 | |
| sdake | night all | 05:13 |
| *** Linz has quit IRC | 05:13 | |
| Slower | gnight sdake | 05:15 |
| *** coolsvap has quit IRC | 05:16 | |
| *** coolsvap has joined #heat | 05:17 | |
| *** sdake_ has joined #heat | 05:19 | |
| *** sdake_ has quit IRC | 05:19 | |
| *** sdake_ has joined #heat | 05:19 | |
| *** cmyster has joined #heat | 05:21 | |
| *** cmyster has quit IRC | 05:21 | |
| *** cmyster has joined #heat | 05:21 | |
| *** andersonvom has joined #heat | 05:32 | |
| *** maxskew_ has joined #heat | 05:42 | |
| *** maxskew has quit IRC | 05:45 | |
| *** nkhare has joined #heat | 05:54 | |
| *** killer_prince has quit IRC | 05:54 | |
| *** sballe has joined #heat | 05:55 | |
| *** e0ne has joined #heat | 05:57 | |
| openstackgerrit | Steve Baker proposed a change to openstack/heat: SignalResponder move signed URL deleting to its own method https://review.openstack.org/74205 | 05:58 |
| openstackgerrit | Steve Baker proposed a change to openstack/heat: Resource type implementations for structured software config https://review.openstack.org/74206 | 05:58 |
| openstackgerrit | Steve Baker proposed a change to openstack/heat: REST deployment metadata method https://review.openstack.org/74203 | 05:58 |
| openstackgerrit | Steve Baker proposed a change to openstack/heat: RPC method to fetch deployments metadata https://review.openstack.org/74202 | 05:58 |
| openstackgerrit | Steve Baker proposed a change to openstack/heat: OS::Nova::Server support for software config https://review.openstack.org/67625 | 05:58 |
| openstackgerrit | Steve Baker proposed a change to openstack/heat: Resource type implementation for software deployment https://review.openstack.org/67624 | 05:58 |
| openstackgerrit | Steve Baker proposed a change to openstack/heat: Nova server to ref cloud-config resources in user_data https://review.openstack.org/69238 | 05:58 |
| *** sballe has quit IRC | 05:59 | |
| *** e0ne has quit IRC | 06:01 | |
| openstackgerrit | Jenkins proposed a change to openstack/heat: Imported Translations from Transifex https://review.openstack.org/72566 | 06:09 |
| *** lazy_prince has joined #heat | 06:11 | |
| *** sdake_ has quit IRC | 06:13 | |
| SpamapS | stevebaker: o/ :) | 06:28 |
| stevebaker | \o | 06:28 |
| stevebaker | SpamapS: take a look at https://review.openstack.org/#/c/72533/3 | 06:28 |
| *** andersonvom has quit IRC | 06:29 | |
| SpamapS | stevebaker: poring over it right now | 06:30 |
| SpamapS | stevebaker: I like the clean separation we end up with between things we're setting at deploy time vs. things that are just set that way in the template. | 06:31 |
| stevebaker | SpamapS: the biggest hand-wavy bit is probably how the oac templates can be adapted to the new structure, especially splitting out the bm config/deployment. At least you can control the order of configs now so you can adopt a merge strategy on your image | 06:32 |
| SpamapS | stevebaker: we already have a merge strategy in oac for the sources... | 06:35 |
| SpamapS | stevebaker: so I think we can just extend that over this as well | 06:35 |
| stevebaker | nice | 06:35 |
| SpamapS | stevebaker: it might even be worth it to just designate a key as one that gets merged. | 06:36 |
| SpamapS | so "deployments" is expected to be a list and just always gets merged by sorting the keys | 06:36 |
| SpamapS | err | 06:37 |
| SpamapS | merged as the list | 06:37 |
| SpamapS | ... long day | 06:37 |
| cmyster | morning | 06:37 |
| stevebaker | SpamapS: here is the actual results from a metadata poll from a real (useless) template http://paste.openstack.org/show/70114/ | 06:37 |
| SpamapS | hm | 06:38 |
| SpamapS | so two levels of indirection, deployments and inputs | 06:38 |
| SpamapS | stevebaker: I really don't like that we have schema leaking in there | 06:38 |
| stevebaker | SpamapS: ignore the inputs, you can just use the config since the inputs have already been substituted into it by then | 06:38 |
| SpamapS | stevebaker: ah, and the config will just be part of the json with structuredconfig right? | 06:39 |
| SpamapS | I see escaped json in a string | 06:39 |
| SpamapS | which is... weird | 06:39 |
| stevebaker | hmm | 06:39 |
| SpamapS | I don't really see any situation where you'd want that. | 06:40 |
| SpamapS | stevebaker: anyway, unfortunately I have reached the cognitive wall for today | 06:41 |
| stevebaker | its because config is always a string, I'll have to think about that one | 06:43 |
| stevebaker | SpamapS: i too have reached making-sense threshold | 06:43 |
| SpamapS | stevebaker: with structureconfig, it makes a lot more sense to have config always be .. well.. structured. :) | 06:45 |
| SpamapS | anyway.. -> sleep | 06:45 |
| *** saju_m has joined #heat | 06:48 | |
| *** lindsayk has joined #heat | 06:49 | |
| openstackgerrit | ChenZheng proposed a change to openstack/heat: Sort requirement files in alphabetical order https://review.openstack.org/76775 | 06:50 |
| *** amritanshu_RnD has joined #heat | 06:52 | |
| *** amritanshu_RnD is now known as Guest75679 | 06:52 | |
| *** gokrokve has quit IRC | 06:53 | |
| *** chandan_kumar has joined #heat | 06:54 | |
| *** e0ne has joined #heat | 06:57 | |
| *** LiangC has quit IRC | 07:02 | |
| *** e0ne has quit IRC | 07:02 | |
| *** LiangC has joined #heat | 07:14 | |
| *** topol has quit IRC | 07:17 | |
| *** harlowja is now known as harlowja_away | 07:23 | |
| *** gokrokve has joined #heat | 07:23 | |
| *** gokrokve_ has joined #heat | 07:25 | |
| *** gokrokve has quit IRC | 07:28 | |
| *** daneyon_ has quit IRC | 07:29 | |
| *** gokrokve_ has quit IRC | 07:30 | |
| *** sirushti is now known as shortstop | 07:32 | |
| openstackgerrit | ChenZheng proposed a change to openstack/heat: Sort requirement files in alphabetical order https://review.openstack.org/76775 | 07:32 |
| *** jprovazn has joined #heat | 07:32 | |
| *** yogesh has joined #heat | 07:40 | |
| *** nati_ueno has joined #heat | 07:46 | |
| openstackgerrit | Mitsuru Kanabuchi proposed a change to openstack/heat: Implement OS::Neutron::ExtraRoute as /contrib https://review.openstack.org/74899 | 07:52 |
| *** e0ne has joined #heat | 07:57 | |
| *** e0ne has quit IRC | 08:02 | |
| *** skraynev_afk is now known as skraynev | 08:06 | |
| skraynev | Morning | 08:06 |
| cmyster | morning | 08:07 |
| *** saju_m has quit IRC | 08:10 | |
| *** saju_m has joined #heat | 08:10 | |
| *** chandan_kumar has quit IRC | 08:16 | |
| *** aignatov_ is now known as aignatov | 08:17 | |
| *** ramishra has quit IRC | 08:23 | |
| *** yogesh has quit IRC | 08:23 | |
| *** ramishra has joined #heat | 08:23 | |
| *** saju_m has quit IRC | 08:25 | |
| *** gokrokve has joined #heat | 08:26 | |
| *** saju_m has joined #heat | 08:26 | |
| *** LiangC has quit IRC | 08:28 | |
| *** jistr has joined #heat | 08:30 | |
| *** gokrokve has quit IRC | 08:30 | |
| *** chandankumar_ has joined #heat | 08:32 | |
| *** giulivo has joined #heat | 08:39 | |
| *** lindsayk has quit IRC | 08:40 | |
| *** LiangC has joined #heat | 08:41 | |
| *** jrist has quit IRC | 08:41 | |
| *** saurabhs has quit IRC | 08:41 | |
| *** shardy_afk is now known as shardy | 08:46 | |
| shardy | morning all | 08:47 |
| *** e0ne has joined #heat | 08:47 | |
| openstackgerrit | Sergey Kraynev proposed a change to openstack/heat: Make OS::Nova::Server networks property updatable https://review.openstack.org/74299 | 08:48 |
| *** aignatov is now known as aignatov_ | 08:48 | |
| *** saju_m has quit IRC | 08:52 | |
| *** che-arne has quit IRC | 08:55 | |
| *** jrist has joined #heat | 08:55 | |
| *** aignatov_ is now known as aignatov | 08:55 | |
| *** aignatov is now known as aignatov_ | 08:56 | |
| *** aignatov_ is now known as aignatov | 08:57 | |
| cmyster | morning shardy | 08:58 |
| cmyster | shardy: I have a question about https://code.engineering.redhat.com/gerrit/#/c/19960/ if error 2013 was removed so connection retries can be used, why not remove the other two ? | 09:00 |
| cmyster | 3 even | 09:01 |
| cmyster | those are all standard server connection issues | 09:01 |
| *** ifarkas has joined #heat | 09:01 | |
| *** nati_ueno has quit IRC | 09:03 | |
| cmyster | https://review.openstack.org/#/c/73314/ even :) | 09:04 |
| shardy | cmyster: tbh the commit message and associated bug contain all the info I know | 09:05 |
| shardy | cmyster: it's adding an error code, just backporting an oslo commit | 09:06 |
| shardy | https://bugs.launchpad.net/heat/+bug/1275838 | 09:06 |
| cmyster | I see, I got it the other way around first time I read it | 09:07 |
| cmyster | but that was 7 am and before coffee :) | 09:08 |
| shardy | :) | 09:08 |
| cmyster | also, I retested ./stack on a clean machine again (F20 updated to latest) and there were many issues with it. | 09:08 |
| cmyster | I had to give it a few tries before it worked, and the problem was always with starting Neutron service for the first time | 09:09 |
| cmyster | went home pissed at it, did nothing, came today, and unstack stack fixed it | 09:09 |
| shardy | Such are the pitfalls of living life on the bleeding edge with devstack ;) | 09:10 |
| cmyster | bleeding edge-- | 09:10 |
| cmyster | its why I run slack | 09:10 |
| shardy | When I get devstack working I tend to leave it alone and just selectively update stuff | 09:11 |
| shardy | and I have another box running RDO for a stable test platform | 09:11 |
| cmyster | same | 09:11 |
| cmyster | I just copt tempest's config locally and then I only need to change the IP | 09:11 |
| shardy | packstack has some options to install and configure tempest for you IIRC | 09:12 |
| cmyster | was told that its broken ATM | 09:12 |
| cmyster | also packstack will be replaced soon... | 09:12 |
| cmyster | no idea if it will be fixed | 09:13 |
| *** asalkeld has joined #heat | 09:13 | |
| shardy | cmyster: it was broken a while back, but the bug I raised got closed, so I assumed it was now working: | 09:14 |
| shardy | https://bugzilla.redhat.com/show_bug.cgi?id=1016712 | 09:14 |
| openstackgerrit | Yongli He proposed a change to openstack-dev/heat-cfnclient: Exception message should not be localize https://review.openstack.org/76804 | 09:15 |
| cmyster | right, OK then, next time I need it | 09:15 |
| *** jdag_ has quit IRC | 09:15 | |
| *** nati_ueno has joined #heat | 09:16 | |
| *** jdag_ has joined #heat | 09:19 | |
| *** gokrokve has joined #heat | 09:26 | |
| *** ramishra has quit IRC | 09:29 | |
| *** gokrokve has quit IRC | 09:31 | |
| *** e0ne has quit IRC | 09:34 | |
| *** e0ne has joined #heat | 09:34 | |
| *** derekh_afk is now known as derekh | 09:34 | |
| *** jamieh has joined #heat | 09:35 | |
| *** lindsayk has joined #heat | 09:40 | |
| *** lindsayk has quit IRC | 09:45 | |
| *** ramishra has joined #heat | 09:45 | |
| *** che-arne has joined #heat | 10:02 | |
| openstackgerrit | ChenZheng proposed a change to openstack/python-heatclient: Sort requirement files in alphabetical order https://review.openstack.org/76812 | 10:04 |
| *** tomek_adamczewsk has joined #heat | 10:04 | |
| *** alexpilotti has joined #heat | 10:12 | |
| *** aignatov is now known as aignatov_ | 10:17 | |
| *** denis_makogon has quit IRC | 10:19 | |
| *** denis_makogon has joined #heat | 10:19 | |
| openstackgerrit | ChenZheng proposed a change to openstack/heat: Sort requirement files in alphabetical order https://review.openstack.org/76775 | 10:23 |
| *** gokrokve has joined #heat | 10:26 | |
| *** LiangC has quit IRC | 10:27 | |
| *** gokrokve_ has joined #heat | 10:28 | |
| *** gokrokve has quit IRC | 10:31 | |
| *** gokrokve_ has quit IRC | 10:32 | |
| *** mkollaro has joined #heat | 10:33 | |
| *** saju_m has joined #heat | 10:35 | |
| *** lindsayk has joined #heat | 10:41 | |
| *** faramir has joined #heat | 10:43 | |
| *** lindsayk has quit IRC | 10:45 | |
| *** jprovazn has quit IRC | 10:47 | |
| *** mkollaro has quit IRC | 10:52 | |
| *** mkollaro has joined #heat | 10:52 | |
| *** jufeng has joined #heat | 10:57 | |
| *** aignatov_ is now known as aignatov | 11:03 | |
| *** julienvey1 has quit IRC | 11:03 | |
| *** jufeng has quit IRC | 11:05 | |
| *** aignatov is now known as aignatov_ | 11:05 | |
| *** aignatov_ is now known as aignatov | 11:07 | |
| *** alexpilotti has quit IRC | 11:08 | |
| *** Tross has quit IRC | 11:12 | |
| openstackgerrit | Vyacheslav Vakhlyuev proposed a change to openstack/heat: Fix comparison with singletons in unit tests https://review.openstack.org/76209 | 11:12 |
| *** jprovazn has joined #heat | 11:14 | |
| *** nosnos has quit IRC | 11:14 | |
| *** jamieh has quit IRC | 11:16 | |
| *** jamieh has joined #heat | 11:19 | |
| *** jufeng has joined #heat | 11:19 | |
| *** fandi has quit IRC | 11:20 | |
| *** Tross has joined #heat | 11:20 | |
| *** gokrokve has joined #heat | 11:26 | |
| *** ramishra has quit IRC | 11:28 | |
| *** ramishra has joined #heat | 11:28 | |
| *** gokrokve has quit IRC | 11:31 | |
| *** lindsayk has joined #heat | 11:41 | |
| *** lindsayk has quit IRC | 11:45 | |
| *** alexpilotti has joined #heat | 11:46 | |
| *** jufeng has quit IRC | 11:57 | |
| *** blomquisg has quit IRC | 11:59 | |
| *** jufeng has joined #heat | 12:09 | |
| *** gokrokve has joined #heat | 12:26 | |
| *** gokrokve has quit IRC | 12:30 | |
| cmyster | dang, just hit that non zero exit code again | 12:34 |
| *** dims_ has quit IRC | 12:36 | |
| *** nkhare has quit IRC | 12:38 | |
| *** lindsayk has joined #heat | 12:42 | |
| *** lindsayk has quit IRC | 12:46 | |
| *** rbuilta has joined #heat | 12:49 | |
| *** saju_m has quit IRC | 12:53 | |
| *** rpothier has quit IRC | 12:54 | |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: migrate User/AccessKey resources to StackUser base class https://review.openstack.org/72763 | 13:09 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: StackUser add _delete_keypair function https://review.openstack.org/72762 | 13:09 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: engine: allow stack_user_project users to retrieve stack https://review.openstack.org/71300 | 13:09 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: Add test for StackUser._create_keypair https://review.openstack.org/72761 | 13:09 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: Add config options to specify stack domain admin https://review.openstack.org/76035 | 13:09 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: StackUser add suspend/resume support https://review.openstack.org/71930 | 13:09 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: migrate StackUser base class to stack domain users https://review.openstack.org/71210 | 13:09 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: heat_keystoneclient add delete_stack_domain_user_keypair https://review.openstack.org/71929 | 13:09 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: Modify stack_user_domain config option to take domain ID https://review.openstack.org/73978 | 13:09 |
| *** jufeng has quit IRC | 13:09 | |
| *** LiangC has joined #heat | 13:15 | |
| *** david-lyle has quit IRC | 13:16 | |
| *** achampion has quit IRC | 13:20 | |
| *** jdob has joined #heat | 13:25 | |
| *** gokrokve has joined #heat | 13:26 | |
| sdake | morning | 13:27 |
| shadower | afternoon | 13:28 |
| shardy | hi sdake | 13:29 |
| *** gokrokve has quit IRC | 13:30 | |
| pscheie_ | I' | 13:31 |
| pscheie_ | I've got some heat templates I inherited. In them, for some instances (resources), files are created on the instances. | 13:32 |
| pscheie_ | The files are constructed using the Fn::Join function. | 13:33 |
| *** blomquisg has joined #heat | 13:33 | |
| pscheie_ | But in some (most, actually) cases, the Fn::Base64 function is called on those files as well. | 13:34 |
| pscheie_ | What would be the point of the Base64 encoding? The files are just text files on the instances. | 13:34 |
| shardy | pscheie_: Fn::Base64 doesn't do anything atm | 13:34 |
| shardy | so there's no point in using it at all | 13:35 |
| pscheie_ | shardy, oh, I like that answer! I was hoping to remove the Base64 calls. | 13:35 |
| *** che-arne has quit IRC | 13:36 | |
| shardy | https://bugs.launchpad.net/heat/+bug/1072955 | 13:36 |
| shardy | pscheie_: ^^ looks like we've decided not to fix it | 13:36 |
| shardy | nobody has complained since the bug was raised in 2012, so probably reasonable :) | 13:37 |
| sdake | hey shardy | 13:37 |
| pscheie_ | What would be a use case for base64? | 13:37 |
| shardy | pscheie_: passing a non-text file in userdata | 13:38 |
| sdake | AWS requires data to be base64 encoded to passs it to the userdata | 13:38 |
| sdake | Heat base64 encodes all data already when passed to the userdata | 13:38 |
| sdake | so essentially, the Base64 step is unnecessary, and will result in non-usable userdata ;=) | 13:38 |
| pscheie_ | So, in heat it's redundant? | 13:38 |
| sdake | right | 13:39 |
| sdake | and if it were actually implemented hte result would be a nonworking system | 13:39 |
| *** ramishra has quit IRC | 13:40 | |
| pscheie_ | Is it necessary if one wants to maintain compatibility with AWS? | 13:40 |
| sdake | yes | 13:40 |
| sdake | the base64 intrinsic in heat is a noop | 13:41 |
| pscheie_ | Ah, that's probably why the calls are in these templates I inherited. | 13:41 |
| *** ramishra has joined #heat | 13:42 | |
| *** lindsayk has joined #heat | 13:42 | |
| shadower | hey, this is probably a stupid question, but I'm at my wits' end. I'm looking at this: https://github.com/openstack/heat/blob/master/heat/engine/parser.py#L547 which in turn calls this: https://github.com/openstack/heat/blob/master/heat/engine/update.py#L35. The __init__ method excepts 3 positional arguments (excluding self), but the caller only gives two (i.e. previous_stack is not passed). How does this not raise TypeError every time? | 13:42 |
| pscheie_ | sdake, I see that the Update Failure Recovery blueprint has been assigned to (none). | 13:43 |
| pscheie_ | I suppose that means its implementation is now further out on the horizon (?) | 13:43 |
| sdake | it got dropped from i3 | 13:44 |
| shardy | shadower: the first argument is self | 13:44 |
| sdake | I suspect our next fearless ptl leader will address it in early Juno :) | 13:44 |
| shardy | i.e the caller self==existing_stack | 13:44 |
| sdake | shardy it has 4 arguments | 13:44 |
| sdake | previous_stack is the last argument | 13:44 |
| shadower | shardy: of course it is, I'm an idiot. Thanks | 13:45 |
| sdake | nm ;-) | 13:45 |
| shardy | sdake: yeah, we're passing 4 arguments | 13:45 |
| *** rpothier has joined #heat | 13:45 | |
| *** andersonvom has joined #heat | 13:47 | |
| *** lindsayk has quit IRC | 13:47 | |
| *** rbuilta has quit IRC | 13:48 | |
| *** rbuilta has joined #heat | 13:51 | |
| *** zns has joined #heat | 13:52 | |
| *** aignatov is now known as aignatov_ | 13:58 | |
| *** tomek_adamczewsk has quit IRC | 13:59 | |
| *** sballe has joined #heat | 14:02 | |
| *** aweiteka has joined #heat | 14:04 | |
| *** fandi has joined #heat | 14:05 | |
| *** che-arne has joined #heat | 14:05 | |
| *** aignatov_ is now known as aignatov | 14:06 | |
| *** che-arne has quit IRC | 14:07 | |
| openstackgerrit | Anderson Mesquita proposed a change to openstack/heat: Alter stack_count_all_by_tenant to stack_count_all https://review.openstack.org/70853 | 14:16 |
| openstackgerrit | Anderson Mesquita proposed a change to openstack/heat: Change Stack timestamps to save correct info https://review.openstack.org/74519 | 14:16 |
| openstackgerrit | Anderson Mesquita proposed a change to openstack/heat: Unscoped List Stacks https://review.openstack.org/63041 | 14:16 |
| openstackgerrit | Anderson Mesquita proposed a change to openstack/heat: Fix stack_get_all call on stack watcher https://review.openstack.org/75495 | 14:16 |
| openstackgerrit | Anderson Mesquita proposed a change to openstack/heat: Change Resource timestamps to save correct info https://review.openstack.org/76644 | 14:16 |
| openstackgerrit | Anderson Mesquita proposed a change to openstack/heat: Add project to unscoped stack list response https://review.openstack.org/72789 | 14:16 |
| *** ramishra has quit IRC | 14:23 | |
| *** arbylee has joined #heat | 14:26 | |
| *** gokrokve has joined #heat | 14:26 | |
| sgran | hi | 14:28 |
| sgran | just a question that's not clear from the docs: can you use a waitcondition and an autoscaling group? | 14:28 |
| sgran | I'd like to do rolling scaling group updates, and have the iteration wait for the first to be 'in service' before moving to the second. This seems like a good way to do it, but it's not clear what the behavior will be | 14:29 |
| sgran | I'm using the havana code base right now | 14:30 |
| shardy | sgran: I don't think you can, because there's no way to specify the waitcondition via the LaunchConfig | 14:30 |
| sgran | I was going to put it in the UserData in the LaunchConfig | 14:31 |
| shardy | sgran: however, there's RollingUpdate interfaces which provide a rolling update capability including a PauseTime | 14:31 |
| shardy | unfortunately that just missed Havana.. | 14:31 |
| *** gokrokve has quit IRC | 14:31 | |
| *** jamieh has quit IRC | 14:31 | |
| shardy | sgran: https://review.openstack.org/#/c/43571/ | 14:32 |
| shardy | Or rather all of https://review.openstack.org/#/q/status:merged+project:openstack/heat+branch:master+topic:bp/as-update-policy,n,z | 14:34 |
| * IgorYozhikov is now away: went away... | 14:34 | |
| *** IgorYozhikov is now known as IYozhikov_away | 14:34 | |
| shardy | sgran: there is work going on which should enable native autoscaling resources, so in future you should be able to define a nested stack containing an instance, software configuration, network, wait condition, whatever & scale that nested stack out | 14:35 |
| shardy | but that work has not yet landed (radix posed an initial patch) | 14:36 |
| shardy | posted even | 14:36 |
| radix | yeah, please try it :) | 14:36 |
| sgran | what does the 'count' parameter do if it's greater then one? | 14:36 |
| sgran | greater than one* | 14:36 |
| shardy | https://review.openstack.org/#/c/74229/ | 14:36 |
| *** dims has joined #heat | 14:37 | |
| *** jamieh has joined #heat | 14:37 | |
| *** fandi has quit IRC | 14:38 | |
| shardy | sgran: it means you need to recieve $count signals before the WaitCondition is declared complete | 14:39 |
| shardy | So you could for example launch an AutoScaling group then wait for $count instances to be up before continuing | 14:40 |
| sgran | so if you then modify the LaunchConfig to be a new image id, what would happen? | 14:41 |
| sgran | would it again wait on the condition for each one? Or would it cycle the whole lot and wait for all of them to check in before declaring completion ? | 14:42 |
| sgran | if it does the latter, this might not be what I'm looking for | 14:43 |
| shardy | sgran: Yeah it's the latter | 14:43 |
| sgran | oh well, never mind :) | 14:43 |
| shardy | sgran: Although ignoring waitconditions for a second, the RollingUpdates does do what you want I think | 14:43 |
| sgran | I'll take a look at the rolling update stuff in due course | 14:43 |
| sgran | almost - it sounds like it has a hardcoded timer | 14:44 |
| shardy | It will do batched replacement of the instances not destroy the whole lot | 14:44 |
| *** Guest75679 has quit IRC | 14:44 | |
| sgran | I'd rather let it proceed if it finishes sooner | 14:44 |
| *** jcru has joined #heat | 14:44 | |
| *** radez_g0n3 is now known as radez | 14:44 | |
| shardy | sgran: Yeah, we don't have a good solution for that, but we're working on it | 14:44 |
| sgran | so I could set a timer of an hour, but mostly expect an instance replacement to take a few minutes | 14:44 |
| *** e0ne_ has joined #heat | 14:46 | |
| *** jcru_ has joined #heat | 14:47 | |
| *** jcru has quit IRC | 14:47 | |
| *** jcru_ has quit IRC | 14:49 | |
| *** spzala has joined #heat | 14:49 | |
| *** e0ne has quit IRC | 14:49 | |
| *** jcru has joined #heat | 14:49 | |
| *** ramishra has joined #heat | 14:54 | |
| *** cmyster has quit IRC | 14:56 | |
| *** ramishra has quit IRC | 14:56 | |
| *** ramishra has joined #heat | 14:57 | |
| *** lindsayk has joined #heat | 14:57 | |
| *** che-arne has joined #heat | 15:01 | |
| *** sabeen has joined #heat | 15:01 | |
| *** faramir has quit IRC | 15:01 | |
| *** ramishra has quit IRC | 15:02 | |
| *** che-arne has quit IRC | 15:04 | |
| *** tomek_adamczewsk has joined #heat | 15:06 | |
| *** ramishra has joined #heat | 15:07 | |
| *** jmckind has joined #heat | 15:08 | |
| *** gokrokve has joined #heat | 15:11 | |
| *** ZZpablosan is now known as pablosan | 15:11 | |
| *** gokrokve_ has joined #heat | 15:12 | |
| *** maxskew has joined #heat | 15:12 | |
| *** che-arne has joined #heat | 15:13 | |
| *** lnxnut has joined #heat | 15:14 | |
| *** jcru_ has joined #heat | 15:14 | |
| *** nati_uen_ has joined #heat | 15:14 | |
| *** gokrokve has quit IRC | 15:15 | |
| *** tspatzier has joined #heat | 15:16 | |
| *** blamar_ has joined #heat | 15:16 | |
| *** arbylee1 has joined #heat | 15:16 | |
| *** SpamapS_ has joined #heat | 15:16 | |
| *** _jmp___ has joined #heat | 15:17 | |
| *** nkhare has joined #heat | 15:17 | |
| *** zns has quit IRC | 15:18 | |
| *** _jmp___ is now known as _jmp_ | 15:19 | |
| *** john-n-seattle has joined #heat | 15:20 | |
| *** jcru has quit IRC | 15:21 | |
| *** arbylee has quit IRC | 15:21 | |
| *** aweiteka has quit IRC | 15:21 | |
| *** rbuilta has quit IRC | 15:21 | |
| *** jprovazn has quit IRC | 15:21 | |
| *** mkollaro has quit IRC | 15:21 | |
| *** nati_ueno has quit IRC | 15:21 | |
| *** giulivo has quit IRC | 15:21 | |
| *** chandankumar_ has quit IRC | 15:21 | |
| *** maxskew_ has quit IRC | 15:21 | |
| *** _jmp__ has quit IRC | 15:21 | |
| *** swygue has quit IRC | 15:21 | |
| *** blamar has quit IRC | 15:21 | |
| *** SpamapS has quit IRC | 15:21 | |
| *** john-n-s- has quit IRC | 15:21 | |
| *** blamar_ is now known as blamar | 15:21 | |
| *** ramishra has quit IRC | 15:21 | |
| *** achampion has joined #heat | 15:22 | |
| *** aignatov is now known as aignatov_ | 15:22 | |
| *** ramishra has joined #heat | 15:22 | |
| *** funzo has quit IRC | 15:22 | |
| *** funzo_ has joined #heat | 15:22 | |
| *** aignatov_ is now known as aignatov | 15:24 | |
| *** vijendar has joined #heat | 15:28 | |
| *** jprovazn has joined #heat | 15:28 | |
| *** david-lyle has joined #heat | 15:29 | |
| *** zns has joined #heat | 15:29 | |
| *** chandankumar_ has joined #heat | 15:30 | |
| *** swygue has joined #heat | 15:30 | |
| *** giulivo has joined #heat | 15:30 | |
| *** aweiteka has joined #heat | 15:30 | |
| *** mkollaro has joined #heat | 15:32 | |
| *** mkollaro has quit IRC | 15:32 | |
| *** mkollaro has joined #heat | 15:32 | |
| *** rbuilta has joined #heat | 15:32 | |
| *** tspatzier has quit IRC | 15:32 | |
| *** funzo_ is now known as funzo | 15:33 | |
| *** topol has joined #heat | 15:35 | |
| *** fandi has joined #heat | 15:38 | |
| *** alexheneveld has joined #heat | 15:38 | |
| *** Tross has quit IRC | 15:39 | |
| *** lazy_prince is now known as killer_prince | 15:41 | |
| *** dims has quit IRC | 15:41 | |
| *** ramishra has quit IRC | 15:41 | |
| *** ramishra has joined #heat | 15:42 | |
| *** LiangC has quit IRC | 15:42 | |
| *** dims has joined #heat | 15:42 | |
| *** rcleere has joined #heat | 15:47 | |
| *** nati_uen_ has quit IRC | 15:49 | |
| *** ramishra has quit IRC | 16:00 | |
| *** jmckind has quit IRC | 16:01 | |
| *** tims1 has joined #heat | 16:04 | |
| *** nkhare has quit IRC | 16:06 | |
| *** tims has quit IRC | 16:07 | |
| openstackgerrit | Jason Dunsmore proposed a change to openstack/heat: Handle API limit exception in nova_utils.refresh_server https://review.openstack.org/71660 | 16:08 |
| *** zhiyan has quit IRC | 16:09 | |
| *** coolsvap has quit IRC | 16:10 | |
| *** zhiyan has joined #heat | 16:11 | |
| *** aignatov is now known as aignatov_ | 16:11 | |
| *** Linz has joined #heat | 16:13 | |
| sergmelikyan | Guys, why Router Interface may be deleted before floating IP? I am getting this error during stack deletion: | 16:15 |
| sergmelikyan | [8:11:28 PM] Alexander Tivelkov: NeutronClientException: 409-{u'NeutronError': {u'message': u'Router interface for subnet 24a73454-7264-4c03-9464-22050794f679 on router 416488de-d38a-4d43-b475-8ecdf57202c5 cannot be deleted, as it is required by one or more floating IPs.', u'type': u'RouterInterfaceInUseByFloatingIP', u'detail': u''}} | 16:15 |
| *** zhiyan has quit IRC | 16:20 | |
| *** jmckind has joined #heat | 16:20 | |
| larsks | sergmelikyan: Did you assign any floating ips outside of heat? | 16:25 |
| larsks | (That is, did you ever run "nova add-floating-ip" or the neutron equivalent)? | 16:25 |
| *** julienvey has joined #heat | 16:30 | |
| *** tims1 has quit IRC | 16:33 | |
| shardy | check-tempest-dsvm-neutron-heat-slow SUCCESS in 22m 01s | 16:34 |
| shardy | \o/ | 16:35 |
| *** tomek_adamczewsk has quit IRC | 16:40 | |
| *** aweiteka has quit IRC | 16:41 | |
| *** mkollaro has quit IRC | 16:42 | |
| *** aignatov_ is now known as aignatov | 16:43 | |
| *** lindsayk has quit IRC | 16:44 | |
| *** radez is now known as radez_g0n3 | 16:44 | |
| *** lindsayk has joined #heat | 16:44 | |
| *** radez_g0n3 is now known as radez | 16:47 | |
| *** daneyon has joined #heat | 16:48 | |
| *** zns has quit IRC | 16:50 | |
| *** zns has joined #heat | 16:50 | |
| *** tomek_adamczewsk has joined #heat | 16:52 | |
| *** jistr has quit IRC | 17:00 | |
| *** killer_prince is now known as lazy_prince | 17:01 | |
| *** pablosan has quit IRC | 17:01 | |
| *** pablosan has joined #heat | 17:02 | |
| *** jmckind has quit IRC | 17:04 | |
| *** e0ne_ has quit IRC | 17:06 | |
| *** Linz_ has joined #heat | 17:07 | |
| *** alexheneveld has quit IRC | 17:07 | |
| *** mkollaro has joined #heat | 17:08 | |
| *** Linz has quit IRC | 17:10 | |
| daneyon | shardy: I made the changes that you requested to this patch: https://review.openstack.org/#/c/74450/ When you have a moment, do you mind reviewing? | 17:12 |
| shardy | daneyon: lgtm, but I think you actually want stevebaker as he -1'd it ;) | 17:14 |
| shardy | Looks like his comment was addressed so I'll go ahead and approve | 17:15 |
| daneyon | :-) | 17:15 |
| openstackgerrit | A change was merged to openstack/heat-templates: Adds Support for OpenShift Origin v3.0 on Fedora 19 https://review.openstack.org/74450 | 17:20 |
| openstackgerrit | A change was merged to openstack/heat-templates: Added HOT Template for 2 Servers Without Floating IPs https://review.openstack.org/65552 | 17:21 |
| *** sdake_ has joined #heat | 17:24 | |
| *** aweiteka has joined #heat | 17:26 | |
| *** fandi has quit IRC | 17:28 | |
| *** fandi has joined #heat | 17:29 | |
| *** aignatov is now known as aignatov_ | 17:35 | |
| *** gokrokve_ has quit IRC | 17:37 | |
| *** radez is now known as radez_g0n3 | 17:37 | |
| *** gokrokve has joined #heat | 17:37 | |
| daneyon | shardy: Thanks again for your help. | 17:39 |
| *** radez_g0n3 is now known as radez | 17:40 | |
| shardy | daneyon: np | 17:40 |
| *** julienvey has left #heat | 17:41 | |
| *** gokrokve has quit IRC | 17:41 | |
| *** zns has quit IRC | 17:43 | |
| *** dtalton has joined #heat | 17:45 | |
| *** dtalton has left #heat | 17:46 | |
| *** derekh has quit IRC | 17:46 | |
| *** WinnieTsang has quit IRC | 17:47 | |
| *** SpamapS_ is now known as SpamapS | 17:48 | |
| *** SpamapS has quit IRC | 17:48 | |
| *** SpamapS has joined #heat | 17:48 | |
| SpamapS | g'morning | 17:51 |
| *** jmckind has joined #heat | 17:52 | |
| *** pvaneck has joined #heat | 17:54 | |
| *** aignatov_ is now known as aignatov | 17:57 | |
| shadower | hey | 17:59 |
| *** cadenzajon has joined #heat | 18:00 | |
| *** tomek_adamczewsk has quit IRC | 18:03 | |
| *** harlowja_away is now known as harlowja | 18:12 | |
| *** lindsayk has quit IRC | 18:13 | |
| *** alexheneveld has joined #heat | 18:15 | |
| *** tango has joined #heat | 18:21 | |
| *** shakayumi has joined #heat | 18:22 | |
| *** alexheneveld has quit IRC | 18:25 | |
| *** lindsayk has joined #heat | 18:25 | |
| *** WinnieTsang has joined #heat | 18:27 | |
| *** lindsayk1 has joined #heat | 18:28 | |
| *** bvandenh_ has quit IRC | 18:29 | |
| *** lindsayk has quit IRC | 18:29 | |
| *** shakayumi has quit IRC | 18:29 | |
| *** gokrokve has joined #heat | 18:30 | |
| *** gokrokve has quit IRC | 18:30 | |
| *** gokrokve_ has joined #heat | 18:30 | |
| *** shakayumi has joined #heat | 18:30 | |
| *** shakayumi has quit IRC | 18:30 | |
| *** saurabhs has joined #heat | 18:30 | |
| *** lindsayk1 has quit IRC | 18:31 | |
| *** cadenzajon_ has joined #heat | 18:33 | |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: Make user_creds_id a parser.Stack attribute https://review.openstack.org/76928 | 18:33 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: fix DB API user_creds_get for non-existent ID https://review.openstack.org/76929 | 18:33 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: Add user_creds_delete to the DB API https://review.openstack.org/76930 | 18:33 |
| openstackgerrit | Steven Hardy proposed a change to openstack/heat: Delete user_creds on stack delete https://review.openstack.org/76931 | 18:33 |
| sdake_ | SpamapS any word on the retry idea | 18:33 |
| sdake_ | SpamapS the blueprint shadower pointed out | 18:34 |
| *** chandan_kumar has joined #heat | 18:35 | |
| *** cadenzajon has quit IRC | 18:35 | |
| SpamapS | sdake_: I'm still working through morning emails, and handing off a tripleo issue. :-P | 18:35 |
| sdake_ | if you could take a quick look so shadower can head to bed that would rock :) | 18:35 |
| shadower | sdake_: I'm waiting for stevebaker anyways | 18:35 |
| shadower | no worries | 18:35 |
| sdake_ | shadower ok cool | 18:36 |
| *** e0ne has joined #heat | 18:36 | |
| shadower | like I won't be here *all* night but I can be aronud another 2-3 hrs | 18:36 |
| sdake_ | stevebaker is not on a mon-fri schedule - hopefully he is in today :) | 18:37 |
| *** saju_m has joined #heat | 18:37 | |
| shadower | oh | 18:38 |
| sdake_ | aweiteka any luck with the instance group feature | 18:39 |
| sdake_ | I think jpeeler could use your work in the origin template or you two could collaborate | 18:40 |
| aweiteka | sdake, i haven't had a chance to attempt | 18:40 |
| SpamapS | shadower: ah you're up here :) | 18:40 |
| sdake_ | aweiteka cool just curious | 18:40 |
| aweiteka | sdake, yeah, i'm happy to collab on this stuff. | 18:40 |
| SpamapS | sdake_: ok so caught up now .. | 18:40 |
| SpamapS | shadower: the "escape hatch" is exactly what I'm pursuing now. | 18:41 |
| *** saju_m has quit IRC | 18:41 | |
| aweiteka | jpeeler, ping me if you're stuck or anything. no sense in making this too painful :) funzo helped me a bunch | 18:41 |
| jpeeler | aweiteka: what work is sdake referring to? | 18:42 |
| SpamapS | Basically instead of using state in the db to keep track of completed updates, I'm just going to tell stack-update to short-circuit to the resource that failed. | 18:42 |
| SpamapS | zaneb: ^ | 18:42 |
| zaneb | why does launchpad insist on sending me emails from myself? | 18:42 |
| tango | SpamapS: Hi Clint, I am available to help on the retry update if you need a hand with looking at code or coding something. | 18:43 |
| SpamapS | zaneb: launchpad is inherently narcissistic. | 18:43 |
| aweiteka | jpeeler, here's my contrib to openshift heat https://github.com/openstack/heat-templates/tree/master/openshift-enterprise/heat/neutron/highly-available | 18:43 |
| SpamapS | tango: thank you! | 18:43 |
| tango | just let me know what I can work on | 18:43 |
| jpeeler | ah the HA stuff, ok cool | 18:43 |
| *** yogesh has joined #heat | 18:44 | |
| zaneb | SpamapS: by 'short-circuit' you mean 'kill and replace'? | 18:44 |
| SpamapS | zaneb: tell me if you think this will work. If I can push down hints to stack-update to tell it where in the graph to pick up the update.. we don't have to store state.. we can just continue from wherever the admin says to continue from. | 18:44 |
| zaneb | wait, no I misread that | 18:44 |
| SpamapS | zaneb: It puts the automation off, and is not a long term solution. | 18:45 |
| SpamapS | zaneb: but we can basically say what resources to consider "already done" and then the update will continue diffing from there. | 18:45 |
| zaneb | SpamapS: so, your issue will be that after an update we store the 'new' template in the database... so you won't know how to update the subsequent resources as it stands | 18:46 |
| zaneb | this may be fixable by keeping the old template in the db | 18:46 |
| SpamapS | that's after a successful update though, right? | 18:46 |
| SpamapS | If it fails we lose the new template we were working on. | 18:47 |
| SpamapS | which is "the problem" | 18:47 |
| zaneb | and I guess if you skip ahead to the failing ones, you won't have the problem of trying to re-update stuff that has been updated | 18:47 |
| zaneb | SpamapS: depends if rollback is enabled. if not then it goes to the new one | 18:47 |
| zaneb | even if the update failed | 18:48 |
| SpamapS | oh, ok that does make things more complicated | 18:48 |
| zaneb | https://github.com/openstack/heat/blob/master/heat/engine/parser.py#L590 | 18:48 |
| SpamapS | zaneb: well I'm poking at the state-storing-and-loading stuff now.. but .. it is Thursday.... :-P | 18:48 |
| SpamapS | some places it is already Friday :-P | 18:49 |
| *** shakayumi has joined #heat | 18:50 | |
| *** shakayumi has quit IRC | 18:50 | |
| tango | SpamapS: would it help to consider the case of rollback disabled first and get retry working, then consider the case of rollback enabled? | 18:50 |
| zaneb | we do have the backup stack in the db now... maybe we can do something clever with the template | 18:50 |
| *** shakayumi has joined #heat | 18:51 | |
| *** shakayumi has quit IRC | 18:51 | |
| *** Linz_ has quit IRC | 18:51 | |
| *** saju_m has joined #heat | 18:51 | |
| *** Linz has joined #heat | 18:51 | |
| *** shakayumi has joined #heat | 18:51 | |
| SpamapS | tango: we can't use rollback ever. | 18:52 |
| *** shakayumi has quit IRC | 18:52 | |
| SpamapS | tango: the orchestration of rolling back a database schema change is really complex. We have to roll forward, with old software and new software, to make it work. | 18:52 |
| *** shakayumi has joined #heat | 18:52 | |
| *** shakayumi has quit IRC | 18:53 | |
| *** shakayumi has joined #heat | 18:53 | |
| tango | SpamapS: got it. Then should we say that if the user wants to be able to retry failed update, make sure to disable rollback? | 18:55 |
| SpamapS | shadower: I'll have some conclusions from my efforts today by the time you are back online. | 18:55 |
| shadower | SpamapS: okay, cool. Let me know if I can help anything | 18:55 |
| shadower | *with anything | 18:55 |
| SpamapS | tango: rollback must be explicitly enabled, so I think we're o-k there. There's nothing to retry if rollback is enabled anyway, as things are put back in place (in theory.. unless rollback fails too.. doh) | 18:55 |
| SpamapS | shadower: much appreciated | 18:55 |
| *** dtalton has joined #heat | 18:56 | |
| shadower | SpamapS: not sure it's feasible for everyone to work on the same thing but if the work can be split out, I'm happy to help | 18:56 |
| SpamapS | shadower: that is what I'm hoping I can do | 18:59 |
| *** mkollaro has quit IRC | 18:59 | |
| shadower | cool | 18:59 |
| SpamapS | shadower: if you wanted to spike on my short-circuit idea.. by all means go for it. I'm going to push a little further on recovering automatically before switching to that. | 18:59 |
| openstackgerrit | Jeff Peeler proposed a change to openstack/heat: Document schema properties for Neutron router resources https://review.openstack.org/76665 | 18:59 |
| SpamapS | shadower: but I suspect you are about done for the next 12 hours or so :) | 19:00 |
| *** dtalton has quit IRC | 19:00 | |
| *** che-arne has quit IRC | 19:01 | |
| shardy | If anyone feels like passing on some review-love, I finally got the gate tests (including the non-voting slow job) working for the instance-users remaining patches: | 19:01 |
| openstackgerrit | Jason Dunsmore proposed a change to openstack/heat: Make the first line of every file consistent. https://review.openstack.org/76591 | 19:01 |
| shardy | https://review.openstack.org/#/q/status:open+project:openstack/heat+branch:master+topic:bug/1089261,n,z | 19:01 |
| openstackgerrit | Jeff Peeler proposed a change to openstack/heat: Document schema properties for Neutron subnet resource https://review.openstack.org/76655 | 19:01 |
| shardy | stevebaker: ^^ | 19:01 |
| shadower | SpamapS: yea I'm no longer thinking straigth | 19:03 |
| *** kebray has joined #heat | 19:13 | |
| sdake | SpamapS would the retry of the lifecycle operations mitigate your problems? | 19:13 |
| stevebaker | morning | 19:13 |
| sdake | morning stevebaker | 19:14 |
| shadower | morning | 19:14 |
| * stevebaker hasn't read any backscroll yet | 19:14 | |
| SpamapS | sdake: I'm not sure I understand what you mean. | 19:15 |
| SpamapS | sdake: any retrying automatically at an individual operational level is insufficient. "shit happens" | 19:16 |
| *** randallburt has joined #heat | 19:16 | |
| *** randallburt has quit IRC | 19:16 | |
| sdake | it solves the overload problem doesn't it? | 19:16 |
| *** randallburt has joined #heat | 19:16 | |
| SpamapS | maybe | 19:16 |
| *** tspatzier has joined #heat | 19:17 | |
| SpamapS | sdake: and what about the next neutron bug or novaclient bug which renders us dead? | 19:17 |
| sdake | is overload the only problem you see in practice? | 19:17 |
| SpamapS | sdake: no, I've also seen network issues cause a timeout. | 19:17 |
| sdake | well I get its not perfect, thats why I used the word mitigate :) | 19:17 |
| sdake | wouldn't a retry mitigate network issues? | 19:18 |
| SpamapS | sdake: one thing that has happened, for instance, is that we reboot a machine to update its software (with rebuild) and the machine takes longer than usual to come back up and ping its' wait condition. Oops.. stack dead. | 19:18 |
| SpamapS | We could just have days long timeouts. | 19:19 |
| *** randallburt1 has joined #heat | 19:19 | |
| SpamapS | sdake: mitigation is really not what I'm looking for. There is a massive hole that mitigation makes smaller.. but we can only shrink it to the size of one stack + one problem. | 19:19 |
| sdake | the problem you just raised - waitconditions not being responded to in a specific amount of time can be mitigated by changing the timeout value of the wait conditions | 19:19 |
| SpamapS | sdake: I don't think you're understanding me. We need a plan to recover from the problems we don't know about. | 19:20 |
| sdake | SpamapS I understand mitigation is not what you want, but its better then nothing :) | 19:20 |
| stevebaker | shardy: yay for passing heat-slow :) | 19:20 |
| SpamapS | Its really not better than nothing. | 19:20 |
| *** randallburt has quit IRC | 19:20 | |
| SpamapS | It just delays the impending doom. | 19:21 |
| sdake | so some large percentage of time it mitigates, and some small percentage of time it delays impending doom | 19:21 |
| SpamapS | like sending terminators back in time to save john conner. | 19:21 |
| sdake | i think this is better then all the time impending doom | 19:21 |
| *** alexheneveld has joined #heat | 19:21 | |
| SpamapS | sdake: I think it is a false sense of "better". | 19:22 |
| SpamapS | anyway, I think I need to drop off irc/email/etc. so I can make progress.. so.. many... distractions.. ;) | 19:22 |
| sdake | SpamapS enjoy | 19:23 |
| *** aignatov is now known as aignatov_ | 19:23 | |
| stevebaker | sdake: school has been back for a month now, so I'm back to working gentlemen's hours | 19:23 |
| sdake | stevebaker sounds good | 19:23 |
| sdake | school still in session on the other side of the planet :( | 19:23 |
| sdake | I already went through school once | 19:24 |
| sdake | I dont see a great need to do it two more times | 19:24 |
| *** chandan_kumar has quit IRC | 19:24 | |
| stevebaker | shardy: do you run tempest locally against domain users? | 19:24 |
| *** zhiyan_ has joined #heat | 19:25 | |
| *** jcru_ has quit IRC | 19:34 | |
| *** kebray has quit IRC | 19:35 | |
| *** saju_m has quit IRC | 19:35 | |
| *** mkollaro has joined #heat | 19:37 | |
| *** zns has joined #heat | 19:40 | |
| *** akuznetsov has quit IRC | 19:43 | |
| *** akuznetsov has joined #heat | 19:43 | |
| *** chandan_kumar has joined #heat | 19:50 | |
| *** WinnieTsang has quit IRC | 19:53 | |
| *** WinnieTsang has joined #heat | 19:55 | |
| openstackgerrit | Jeff Peeler proposed a change to openstack/heat: Add host_routes property to Neutron subnet resource https://review.openstack.org/76950 | 19:56 |
| *** radez is now known as radez_g0n3 | 19:57 | |
| *** nati_ueno has joined #heat | 19:59 | |
| *** radez_g0n3 is now known as radez | 20:01 | |
| *** fandi has quit IRC | 20:06 | |
| *** zns has quit IRC | 20:11 | |
| andersonvom | shardy: ping. =] | 20:11 |
| *** TonyBurn has quit IRC | 20:12 | |
| andersonvom | shardy, sdake: does randallburt1's comments address your concerns regarding https://review.openstack.org/#/c/72745/5/heat/engine/resources/server.py ? | 20:12 |
| *** tspatzier has quit IRC | 20:16 | |
| *** cmyster has joined #heat | 20:17 | |
| openstackgerrit | A change was merged to openstack/heat: Replace '+' with string interpolation operation https://review.openstack.org/75794 | 20:17 |
| cmyster | evening | 20:17 |
| *** zns has joined #heat | 20:18 | |
| *** therve_ has joined #heat | 20:20 | |
| *** alexheneveld has quit IRC | 20:21 | |
| *** kebray has joined #heat | 20:22 | |
| *** therve_ has quit IRC | 20:25 | |
| *** kebray has quit IRC | 20:32 | |
| *** kebray has joined #heat | 20:33 | |
| *** rbuilta has quit IRC | 20:37 | |
| *** randallburt1 has quit IRC | 20:39 | |
| *** daneyon has quit IRC | 20:43 | |
| *** zns has quit IRC | 20:48 | |
| SpamapS | zaneb: around? | 20:50 |
| zaneb | yo | 20:50 |
| SpamapS | zaneb: so I'm poking at this.. and it ocurrs to me that I need to store not just the snippet, but the _resolved_ snippet with all the runtime data... | 20:50 |
| zaneb | SpamapS: yes, because the parameters and whatnot change too :( | 20:51 |
| SpamapS | yeah | 20:51 |
| SpamapS | which also leads to zomg 3 way merge.. :-P | 20:51 |
| zaneb | that also occurred to me only after I wrote that blueprint | 20:51 |
| SpamapS | which makes me think.. hmm.. maybe a retry command is in order.. | 20:51 |
| SpamapS | tango: ^ | 20:51 |
| tango | SpamapS: Hi Clint | 20:52 |
| SpamapS | zaneb: so perhaps what is needed is to store the new "to be updated to" stack in a state that makes it invisible to the user. | 20:52 |
| SpamapS | tango: I believe you had suggested that we need a separate retry and update. :) | 20:53 |
| zaneb | backup stack? | 20:53 |
| SpamapS | Haven't looked closely at that. | 20:53 |
| SpamapS | but that seems backwards | 20:53 |
| zaneb | true | 20:54 |
| SpamapS | also.. zomg.. swallowing DB exceptions in resource code is making me twitch | 20:54 |
| zaneb | we do that? | 20:54 |
| SpamapS | zaneb: ok so if I store the new target stack in a similar way to the backup stack though, that may be what I need... | 20:54 |
| SpamapS | zaneb: yes a lot | 20:54 |
| tango | SpamapS: you mean the difference between changing the template and using the previous template? | 20:55 |
| zaneb | SpamapS: you mean how we just fail the resource rather than bailing out of the whole operation? | 20:55 |
| SpamapS | zaneb: https://git.openstack.org/cgit/openstack/heat/tree/heat/engine/resource.py#n736 | 20:56 |
| SpamapS | and.. many more | 20:56 |
| *** ifarkas has quit IRC | 20:56 | |
| SpamapS | zaneb: no, we log error and then put our hands on our ears and go "LALALALALALALA" | 20:56 |
| zaneb | ick | 20:56 |
| SpamapS | zaneb: https://git.openstack.org/cgit/openstack/heat/tree/heat/engine/resource.py#n757 worse | 20:56 |
| SpamapS | also it is blanket Exception | 20:56 |
| zaneb | I'm pretty sure that's only there because hald of the unit tests would fail without it | 20:56 |
| SpamapS | so we miss things like "oh thats not actually a resource object you're trying to call methods on" | 20:57 |
| SpamapS | anyway, focus... must focus.. | 20:57 |
| SpamapS | zaneb: I think in the grander scheme of things.. this all goes back to taskflow... | 20:58 |
| SpamapS | zaneb: if we start thinking in terms of active workflows.. and not so much "stacks" ... we can reason about this easier. | 20:58 |
| SpamapS | because what I'm doing is facilitating an active workflow by saving states and then providing resume capability.. :-P | 20:59 |
| SpamapS | ok.. back to the cone of silence | 20:59 |
| *** zns has joined #heat | 20:59 | |
| *** cmyster has quit IRC | 21:02 | |
| *** Tross has joined #heat | 21:05 | |
| *** e0ne has quit IRC | 21:05 | |
| *** zns has quit IRC | 21:12 | |
| sdake | andersonvom re 72745 - if you don't pass any password to the nova client, does a root password get set? | 21:12 |
| sdake | andersonvom what I was thinking was not actually passing the parameter would result in no password being set by nova | 21:13 |
| sdake | this is how I would expect it would behave | 21:13 |
| sdake | not create an empty password for root | 21:13 |
| andersonvom | sdake: apparently that can be setup differently, so it will depend on your specific setup | 21:15 |
| andersonvom | sdake: in my tests here, if you pass None or '' to nova (on create) it just generates a new password | 21:15 |
| sdake | what if you dont pass the argument at all? | 21:16 |
| shardy | sdake: it's defaulted to None in the client | 21:16 |
| shardy | andersonvom: ugh :( | 21:16 |
| sdake | so by adding this, we aren't actually changing anything | 21:16 |
| sdake | nova behaves as the user configures it | 21:16 |
| *** gokrokve has joined #heat | 21:17 | |
| andersonvom | sdake: precisely. just giving the user the opportunity to set their own passwords | 21:17 |
| shardy | andersonvom: seems like something you should be able to give the user a choice about to me :( | 21:17 |
| sdake | in the current master(without patch) nova would create a password | 21:17 |
| sdake | IMNSHO nova is broken | 21:17 |
| sdake | it needs to not do that if None is passed | 21:17 |
| sdake | so if you file a bug and link it in the review, I'll +2 the patch | 21:17 |
| andersonvom | shardy: choice about what? | 21:18 |
| sdake | (and also make the patch pass None if none is actually specified) | 21:18 |
| shardy | andersonvom: users should have the choice to not set a password, and rely on a keypair instead | 21:18 |
| sdake | with that course of action we can assume nova will either do one of two things - fix the bug - or not fix the bug - in either case Heat doesn't make the security situation worse | 21:18 |
| *** erkules_ is now known as erkules | 21:19 | |
| arbylee1 | fyi, nova code that generates the pass https://github.com/openstack/nova/blob/master/nova/compute/manager.py#L2601-L2602 | 21:19 |
| arbylee1 | (i believe) | 21:19 |
| *** gokrokve_ has quit IRC | 21:20 | |
| sdake | andersonvom as the code is, since None is not passed, if nova later fixed this problem (which I do indeed feel is a problem) we would end up loading empty passwords into the root user | 21:20 |
| sdake | might put a link to the bug in the commit log as well ;-) | 21:21 |
| andersonvom | shardy: we're not really changing behavior here. If no password is specified, it will be as if the option didn't even exist, so the user does have a choice, right? | 21:21 |
| andersonvom | sdake: agreed. I can change it to pass None if it's am empty string | 21:21 |
| shardy | andersonvom: my problem was that we're pulling the random passwords back from nova, storing them, and exposing them as resource attributes | 21:21 |
| shardy | but I also believe this is a nova bug, None should not create a root password at all | 21:22 |
| shardy | cloud-init disables root ssh logins, so that minimises the risk I guess, but it still seems wrong to me | 21:22 |
| sdake | I hadn't thought about the resource attirbutes | 21:23 |
| *** denis_makogon has quit IRC | 21:23 | |
| *** radez is now known as radez_g0n3 | 21:23 | |
| andersonvom | shardy: worst case scenario, I guess we could store and display the password only once to the user. nova does give you the password back, it's only fair that the user have access to it at some point | 21:23 |
| sdake | that creates an attack vector through heat | 21:23 |
| *** dmakogon_ has joined #heat | 21:23 | |
| *** radez_g0n3 is now known as radez | 21:24 | |
| jasond`` | wouldn't they just say to disable the "enable_instance_password" option? | 21:24 |
| *** Michalik has quit IRC | 21:24 | |
| shardy | andersonvom: I think we should only allow users to specify a password explicitly, then there's no attribute required, because it's a property | 21:24 |
| *** spzala has quit IRC | 21:24 | |
| sdake | shardy+1 | 21:24 |
| shardy | jasond``: Can you do that on a per-instance basis though? | 21:25 |
| shardy | from the review it sounds like a global nova thing, which seems like a bug | 21:25 |
| jasond`` | shardy: yeah, it's global | 21:25 |
| zaneb | shardy: +1 | 21:25 |
| shardy | if the server create took a create_random_rootpw arg, and the user had to choose it I'd have less of an issue with it | 21:25 |
| *** sabeen has quit IRC | 21:26 | |
| sdake | the property approach exposes no security threats that wouldn't already be there with nova, so I could live with that | 21:28 |
| sdake | we don't want to make openstack *less* secure by our actions | 21:28 |
| andersonvom | shardy: when you say property, do you mean parameter? i.e. there's no need for the user to retrieve the information from the attribute because they're the ones who set the pwd in the first place? | 21:28 |
| sdake | andersonvom bingo | 21:29 |
| sdake | but the property can be retrieved via get_prop | 21:29 |
| shardy | andersonvom: yes, I mean resource property, which defaults to None | 21:29 |
| sdake | then if you really wanted to display it to the user, you could abuse the outputs section :) | 21:29 |
| arbylee1 | sdake: I don't think that's true for admin_pass. the value is only returned after create | 21:29 |
| shardy | so if the user sets it explicitly (even if it's via the RandomString resource), they already know the value | 21:30 |
| shardy | arbylee1: that's what we're arguing is a nova bug | 21:30 |
| shardy | passing admin_pass=None should not set an admin password at all | 21:30 |
| sdake | if nova wants to autocreate a password, that is fine, but that should not be the default just because of some global config option! | 21:30 |
| sdake | thought exercise: | 21:31 |
| shardy | maybe there should also be a random_admin_pass=True arg to nova, but doing that for admin_pass=None is just wrong IMO | 21:31 |
| sdake | 10k vms deployed in a data center on nova | 21:31 |
| sdake | someone figures out magically how to predict the passwords created | 21:31 |
| arbylee1 | shardy: even if you explicitly set a password, admin_pass doesn't come back on the server object afaik. it's not just the autogenerated passwords | 21:31 |
| sdake | now what? | 21:31 |
| shardy | sdake: or we have a bad vulnerability in heat, then we really really don't want to be storing those 10k passwords | 21:32 |
| shardy | (or any credentials for anything IMO) | 21:32 |
| sdake | shardy points out a second thought experiment :) | 21:33 |
| sdake | now if the user were to abuse get_prop in an output section to display the property that would be their prerogative - and they would have to deal with the consequences :) | 21:33 |
| sdake | sorry get_param | 21:34 |
| *** shakayumi has quit IRC | 21:35 | |
| andersonvom | ok... so we can make it as a param and allow the user to set it. if they don't, just pass None to nova and file a bug with nova to fix that. would that work? | 21:36 |
| sdake | I think you would want to add it as a property to the resource | 21:36 |
| sdake | and use get_param in the hotness | 21:36 |
| sdake | but ya, that wfm | 21:36 |
| sdake | and put a link to the nova bug in the commit log pls :) | 21:37 |
| *** Michalik has joined #heat | 21:37 | |
| sdake | shardy that sound good? | 21:37 |
| *** shakayumi has joined #heat | 21:41 | |
| andersonvom | sdake: so, the only thing missing here (https://review.openstack.org/#/c/72745/5/heat/engine/resources/server.py) is to remove it as an attribute, right? since it's already a property | 21:41 |
| *** shakayumi has quit IRC | 21:41 | |
| sdake | I suspect default should be None rather then '' | 21:41 |
| andersonvom | true, that as well | 21:42 |
| sdake | but I'm not sure if that would work - need to test it | 21:42 |
| shardy | andersonvom, sdake: +1 sounds good | 21:43 |
| *** zns has joined #heat | 21:43 | |
| sdake | andersonvom and the removal of the db_api insertion of admin_pass as well | 21:43 |
| jasond`` | sdake: i was looking at the python-novaclient source. None or '' would work | 21:44 |
| andersonvom | sdake: also, it can't default to None, because it's a String property, so it won't pass the validation | 21:44 |
| shardy | andersonvom: You just don't specify a default | 21:44 |
| andersonvom | I knew something forced us to default it to empty string | 21:44 |
| shardy | and make the property optional | 21:45 |
| andersonvom | shardy: but that will make it required | 21:45 |
| shardy | it's not a mandatory property | 21:45 |
| *** chandan_kumar has quit IRC | 21:45 | |
| shardy | we pass None (which IIRC Properties gives us anyway) unless the user sets it to something | 21:45 |
| sdake_ | jasond'' for some reason I have a preference for None | 21:45 |
| *** kebray has quit IRC | 21:46 | |
| jasond`` | sdake_: yeah, None eliminates the question about whether or not Nova will create a server with an empty root password | 21:47 |
| *** randallburt has joined #heat | 21:47 | |
| andersonvom | shardy: humm... I'll take another look into it. I could swear trying to do without the default and required false but it didn't work. maybe I missed something | 21:47 |
| *** randallburt has quit IRC | 21:47 | |
| sdake_ | jasond'' well it doesn't eliminate the question, but from a heat perspective it does since we don't pass any optoins for it :) | 21:47 |
| *** randallburt has joined #heat | 21:47 | |
| jasond`` | well yeah :) | 21:47 |
| sdake_ | andersonvom a comment around the resource property might be handy so people don't muck with it with a link to the review | 21:48 |
| sdake_ | typically it wouldn't matter, but changing the code is dangerous and not obvious | 21:49 |
| stevebaker | shardy: Here is a tempest change which switches to using standard credentials. Works locally for me with your patch series https://review.openstack.org/#/c/76981/ | 21:50 |
| *** wchrisj has joined #heat | 21:50 | |
| *** lnxnut has quit IRC | 21:51 | |
| shardy | stevebaker: awesome! So what user will the tests get run as now? | 21:51 |
| sdake_ | shardy are parameters stored in the db? | 21:52 |
| stevebaker | devstack demo user, demo tenant | 21:52 |
| *** pablosan is now known as ZZpablosan | 21:52 | |
| andersonvom | sdake_: they are. in plain text, if I'm not mistaken | 21:53 |
| shardy | stevebaker: Ok cool, I'm planning to submit a patch flipping deferred_auth_method to trusts, but we'll need another devstack patch adding heat_stack_owner role to the demo user first | 21:53 |
| *** jprovazn has quit IRC | 21:53 | |
| *** lnxnut has joined #heat | 21:53 | |
| andersonvom | sdake_: (even if the param is marked as hidden) | 21:54 |
| *** lnxnut has quit IRC | 21:54 | |
| stevebaker | shardy: my only concern with these landing now is they might break the tripleo cloud several ways. You may need to work with lifeless and SpamapZ to make sure all the config changes are in place first | 21:54 |
| *** lnxnut has joined #heat | 21:54 | |
| shardy | stevebaker: Yeah, I was planning to mark the patch WIP and get the gate working, then solicit feedback from folks as to whether we're happy to make the switch | 21:54 |
| shardy | would be good to kill stuff like the horizon password field | 21:55 |
| *** kebray has joined #heat | 21:55 | |
| sdake_ | andersonvom that still exposes us to attacks on the heat db then, and I'm not quite sure what to do about it | 21:57 |
| sdake_ | maybe shardy has some ideas | 21:57 |
| andersonvom | sdake_: this is already happening, since we pass all our passwords as params currently | 21:57 |
| sdake_ | yup | 21:58 |
| andersonvom | =\ | 21:58 |
| *** lnxnut_ has joined #heat | 21:58 | |
| shardy | well if you use ssh keys, you have no need to have any credentials stored in the heat db | 21:58 |
| *** lnxnut has quit IRC | 21:58 | |
| randallburt | sdake_: , andersonvom sorry to be late to the party, but what I'm hearing is that we have two issues: the general one about admin_pass which *is* being encrypted, and a separate issue altogether around the fact that we don't encrypt parameters marked as "hidden" | 21:59 |
| *** rpothier has quit IRC | 21:59 | |
| randallburt | shardy: the *if* is the important part though. | 21:59 |
| sdake_ | shardy vm information password is still passed even in our sample templates - eg things like the db password | 21:59 |
| randallburt | IMO, we should still handle the "if you don't" part | 21:59 |
| shardy | randallburt: we could definitely look at encrypting more stuff in the DB | 22:00 |
| *** jmckind has quit IRC | 22:00 | |
| randallburt | shardy: totally agreed. seems we have the info already to know "when" to do it, at least in the parameter case. | 22:00 |
| shardy | randallburt: sure, it's just a question of making incremental steps in a more secure direction :) | 22:00 |
| shardy | randallburt: letting nova create random passwords for every instance and storing them all seems like an incremental step in the wrong direction tho ;) | 22:01 |
| sdake_ | randallburt I would put the credentials of the root account at higher priority then the credentials of the applications they export | 22:01 |
| sdake_ | the second they being the vms sorry for bad grammar :) | 22:02 |
| randallburt | shardy: I'd agree except there's no way to get them out of Nova and its swallowed and lost if you create your instances via Heat. | 22:02 |
| shardy | randallburt: sure, if the user had to explictly select a random_admin_pass option I'd have not problem with it at all | 22:02 |
| randallburt | sdake_: fair enough, but again, the patch around admin pass does encrypt the data | 22:02 |
| sdake_ | the only reason they are not swallowed by nova is because it doesn't have to permently record them in its db | 22:03 |
| shardy | I just think the current nova functionality is broken | 22:03 |
| *** Tross has quit IRC | 22:03 | |
| sdake_ | I suspect if nova had to record the passwords, it would swallow them :) | 22:03 |
| randallburt | shardy: true, but that's not under our control, is it? or are you saying add that to the resource and *skip* Nova's functionality unless its selected? | 22:03 |
| shardy | randallburt: I'm saying lets fix nova | 22:03 |
| shardy | or at least ask if they're willing to entertain the idea :) | 22:04 |
| sdake_ | the fact that nova behaves in a broken way is orthogonal to encrypting and storing root credentials in the heat db | 22:04 |
| sdake_ | nova doesn't store private credentials, only public credentials | 22:05 |
| sdake_ | eg id_rsa.pub | 22:05 |
| randallburt | shardy: not sure I agree Nova is "broken" in this respect, they have functionality that works in a certain way. As an orchestration service, I think it behoves us to support that functionality. That being said, this can be a stop-gap until Nova is fixed and we have Barbican to handle all the other sensitive data we're already keeping around in plain text. | 22:06 |
| shardy | randallburt: having any interface do stuff when you pass a None argument is broken IMO | 22:06 |
| sdake_ | shardy i agree | 22:07 |
| *** jdob has quit IRC | 22:07 | |
| shardy | especially when the API defaults that argument to None which implies no side-effects | 22:07 |
| shardy | (the novaclient python API) | 22:07 |
| randallburt | shardy: oh, I see. I thought you were referring to the password generation in general, not the conditions under which it does it. | 22:07 |
| randallburt | sorry, its what I get for missing the scollback ;) | 22:08 |
| shardy | randallburt: It's the interface and the default-ness I'm arguing against | 22:08 |
| shardy | if nova grows a random_admin_pass boolean option that's totally cool with me :) | 22:08 |
| randallburt | shardy: gotcha. So my question then is accept this now with some changes that ignore None and don't pass that arg on to Nova at all, and then work on geting Nova to do something "better"? | 22:09 |
| sdake_ | i think storing the root password in the db, even ecrypted is suboptimal as well | 22:10 |
| shardy | randallburt: lets just add the property, optional, which will default to None anyway, but not the attribute and db resource_data stuff | 22:10 |
| randallburt | sdake_: I don't disagree, but what's the option (that allows password retrieval if needed) other than to wait for barbican. | 22:10 |
| shardy | then we can see if nova will fix (or accept a patch) for their stuff | 22:10 |
| randallburt | shardy: I still lose the password if its generated which kinda blows away half the use case for the feature. | 22:11 |
| shardy | and argue about the attributes stuff later :) | 22:11 |
| randallburt | shardy: ok, so we add the attribute in server.py and then we can add the retrieval stuff in cloud_server.py since its our users that have asked for and need this functionality. | 22:12 |
| shardy | randallburt: well if the nova interface is likely to change, we don't want to merge something which will break folks later? | 22:12 |
| shardy | s/likely/I'd like to see it/ ;) | 22:12 |
| randallburt | shardy: that's something we face every day. we'd never change any resource ever. | 22:12 |
| randallburt | shardy: oh, gotcha. | 22:12 |
| sdake_ | randallburt I get that our views on the security implications don't fit the use case, but I'd need someone more versed in security to convince me | 22:12 |
| sdake_ | like folks from the openstack SRT for example | 22:13 |
| shardy | randallburt: well lets have a discussion with the nova folks, and revisit this heat discussion in a few days time | 22:13 |
| randallburt | shardy: I still disagree though. The interfaces could change and expand every six months. We should still support the features that will be available in Icehouse, even if we know it will change in Juno (for example) | 22:13 |
| sdake_ | shardy is there a global openstack srt list this could be taken to? | 22:14 |
| randallburt | shardy: even if we move the password store/retrieve to contrib? | 22:14 |
| shardy | randallburt: there are aspects of the neutron API we don't support because it's wrong too | 22:14 |
| shardy | randallburt: if you submit a separate patch for the contrib resource I imagine it will be looked at with considerably less scrutiny ;) | 22:15 |
| randallburt | shardy: I understand. Not our call, IMO, but those reasons are quite different in that this *is* a user-facing functionality, but I won't debate that to death :) | 22:15 |
| randallburt | shardy: I thought so. ;) | 22:16 |
| randallburt | andersonvom: sound good to you? | 22:16 |
| *** e0ne has joined #heat | 22:16 | |
| sdake_ | randallburt I'm open to having real security experts analyze the problem - I'm just not sure who in openstack to contact for that | 22:16 |
| shardy | randallburt: my concern, particularly for the core resources, is stability, so it makes no sense to merge a new iterface if it's behavior may change in six weeks time | 22:16 |
| andersonvom | randallburt: I'm on it! | 22:17 |
| shardy | sdake_: I think a post to openstack-dev may suffice, if this functionality is documented? | 22:17 |
| sdake_ | shardy I mean storing the root password in the heat db | 22:17 |
| sdake_ | not the fact that nova is broke n:) | 22:18 |
| randallburt | shardy: no worries, then. andersonvom can move the patch from server to contrib for now and we can start talking to Nova and whoever we figure out has some more expertise in these things. thanks andersonvom! | 22:18 |
| *** alexheneveld has joined #heat | 22:18 | |
| randallburt | whoo. just in time. I got to run the youngest to fencing. bbiab | 22:18 |
| shardy | sdake_: I would much prefer we did not do that, so yeah if that happens in the contrib patch maybe we should ask for some wider review | 22:19 |
| sdake_ | shardy I'm not on the srt for heat - maybe stevebaker knows who leads up that effort and can point some other reviewers on the submission | 22:19 |
| shardy | sdake_: with the move to trusts, we'll finally remove the need to store any credentials inside the heat DB, I'm really opposed to starting to do it again unless it's really unavoidable | 22:20 |
| stevebaker | what change are we talking here? | 22:20 |
| *** e0ne has quit IRC | 22:21 | |
| shardy | stevebaker: https://review.openstack.org/#/c/72745/5 | 22:21 |
| sdake_ | shardy we do store the parameters (which often contain credentials) in the db | 22:22 |
| sdake_ | not as an argument for why we should do so | 22:22 |
| sdake_ | but as pointing it out as another place that needs addressing | 22:22 |
| shardy | sdake_: sure, we can look at that as a seperate issue | 22:23 |
| sdake_ | agree | 22:23 |
| * shardy needs some sleep | 22:23 | |
| shardy | night all | 22:23 |
| sdake_ | later shardz | 22:23 |
| *** shardy is now known as shardy_afk | 22:23 | |
| *** lnxnut_ has quit IRC | 22:24 | |
| *** lnxnut has joined #heat | 22:29 | |
| *** randallburt has quit IRC | 22:29 | |
| openstackgerrit | Jason Dunsmore proposed a change to openstack/heat: Don't install cloud-init on Rackspace images https://review.openstack.org/76993 | 22:33 |
| openstackgerrit | Jason Dunsmore proposed a change to openstack/heat: Ensure that the NoCloud data source is loaded https://review.openstack.org/76994 | 22:33 |
| *** lnxnut has quit IRC | 22:33 | |
| *** spzala has joined #heat | 22:35 | |
| *** achampion has quit IRC | 22:37 | |
| *** radez is now known as radez_g0n3 | 22:40 | |
| *** vijendar has quit IRC | 22:41 | |
| *** lnxnut has joined #heat | 22:44 | |
| *** Tross has joined #heat | 22:44 | |
| *** kebray has quit IRC | 22:45 | |
| *** aweiteka has quit IRC | 22:45 | |
| *** jcru has joined #heat | 22:48 | |
| *** jcru has quit IRC | 22:48 | |
| *** lnxnut has quit IRC | 22:48 | |
| *** jcru has joined #heat | 22:48 | |
| *** zns has quit IRC | 22:49 | |
| *** ZZpablosan is now known as pablosan | 22:50 | |
| *** rpothier has joined #heat | 22:51 | |
| *** alexheneveld has quit IRC | 22:55 | |
| *** wchrisj has quit IRC | 22:57 | |
| *** kebray has joined #heat | 22:59 | |
| *** pvaneckw has joined #heat | 23:01 | |
| *** pvaneck has quit IRC | 23:01 | |
| *** blomquisg has quit IRC | 23:04 | |
| *** kebray has quit IRC | 23:06 | |
| *** pvaneck has joined #heat | 23:07 | |
| SpamapS | What if we just never failed stack-update ? | 23:07 |
| SpamapS | retry _forever_ | 23:07 |
| SpamapS | lifeless: ^^ isn't that basically what you were thinking? | 23:08 |
| *** pvaneckw has quit IRC | 23:08 | |
| SpamapS | zaneb: ^^ Thoughts on this crazy idea? | 23:08 |
| zaneb | what could possibly go wrong | 23:10 |
| lifeless | SpamapS: that would be ok, but the 500 thing is different iMNSHO | 23:10 |
| lifeless | SpamapS: we're not timing out today, we're stopping early because heat has unreasonable expectations about 5xx HTTP status codes | 23:10 |
| lifeless | SpamapS: simple rate limits like most public clouds have will emit 500s on over-rate users. | 23:11 |
| lifeless | SpamapS: iz bug :) | 23:11 |
| SpamapS | lifeless: so, backing up a bit | 23:11 |
| *** rcleere has quit IRC | 23:11 | |
| SpamapS | lifeless: even if we chase down every call to every external library and make them retry indefinitely... | 23:11 |
| zaneb | lifeless: that implies that we should retry in e.g. novaclient, no? | 23:11 |
| SpamapS | lifeless: we may have something happen that causes heat to fail and thus leaves a heat stack in a FAILED state.. | 23:12 |
| SpamapS | lifeless: which currently has only one remedy.. delete the entire stack. | 23:12 |
| *** WinnieTsang has quit IRC | 23:12 | |
| SpamapS | lifeless: I am searching for an answer to that problem, not the 500 problem specifically.. which is only one of many problems we are likely to encounter because of the FAILED state. | 23:13 |
| *** pvaneck has quit IRC | 23:14 | |
| *** pvaneck has joined #heat | 23:14 | |
| *** WinnieTsang has joined #heat | 23:16 | |
| lifeless | SpamapS: so I don't think we're connecting | 23:18 |
| lifeless | SpamapS: I mean - I agree that a failed update has to be recoverable | 23:19 |
| lifeless | SpamapS: but, *normal* situations should never lead to manual intervention. | 23:19 |
| SpamapS | Yeah, two separate things | 23:19 |
| SpamapS | I want to give us the actual ability _to manually intervene_ | 23:19 |
| SpamapS | since without that, we're talking about removing the entire datacenter of machines if we missed even one hiccup | 23:20 |
| lifeless | right | 23:20 |
| lifeless | so retry forever as a strategy | 23:20 |
| lifeless | where is the manual intervention there? | 23:20 |
| SpamapS | lifeless: the implementation is challenging | 23:21 |
| SpamapS | https://etherpad.openstack.org/p/update-failure-recovery | 23:21 |
| SpamapS | lifeless: retry forever is basically an alternative to this big state-resolving monster that you see there. | 23:22 |
| lifeless | looking | 23:23 |
| lifeless | maybe its time to move all this stuff into concoord distributed state machines | 23:23 |
| *** topol has quit IRC | 23:23 | |
| *** zns has joined #heat | 23:24 | |
| SpamapS | lifeless: yes. feature freeze is Monday. | 23:24 |
| lifeless | ah yes | 23:25 |
| SpamapS | lifeless: so I'm looking for a short term escape hatch so we can handle problems like this in the interim. | 23:25 |
| SpamapS | lifeless: one thought I had was to just allow administrators to forcibly short-circuit the update process. | 23:25 |
| lifeless | assert updated? | 23:30 |
| *** maxskew_ has joined #heat | 23:33 | |
| *** maxskew has quit IRC | 23:37 | |
| SpamapS | lifeless: the problem is that we do updates in parallel. So while we know what failed, we don't actually know what succeeded. | 23:37 |
| *** spzala_ has joined #heat | 23:37 | |
| *** sdake__ has joined #heat | 23:40 | |
| *** sgran_ has joined #heat | 23:40 | |
| *** pablosan_ has joined #heat | 23:43 | |
| *** SpamapS_ has joined #heat | 23:43 | |
| *** spzala has quit IRC | 23:45 | |
| *** sdake_ has quit IRC | 23:45 | |
| *** _jmp_ has quit IRC | 23:45 | |
| *** sgran has quit IRC | 23:45 | |
| *** pablosan has quit IRC | 23:45 | |
| *** SpamapS has quit IRC | 23:45 | |
| *** openstackgerrit has quit IRC | 23:45 | |
| *** yogesh has quit IRC | 23:45 | |
| *** arbylee has joined #heat | 23:45 | |
| *** mkollaro has quit IRC | 23:46 | |
| *** Linz has quit IRC | 23:46 | |
| *** pablosan_ has quit IRC | 23:46 | |
| *** pablosan_ has joined #heat | 23:46 | |
| *** _jmp_ has joined #heat | 23:47 | |
| *** _jmp_ is now known as Guest76806 | 23:47 | |
| *** arbylee1 has quit IRC | 23:48 | |
| *** arbylee has quit IRC | 23:49 | |
| *** SpamapS_ is now known as SpamapS | 23:53 | |
| *** SpamapS has quit IRC | 23:53 | |
| *** SpamapS has joined #heat | 23:53 | |
| lifeless | SpamapS: so what do you mean precisely by short-circuit the update process? | 23:54 |
| zaneb | lifeless: he means jump ahead past all the stuff that already succeeded, and carry on where we left off | 23:58 |
| SpamapS | in pondering this a bit more.. | 23:59 |
| SpamapS | I wonder if we can keep a journal | 23:59 |
| SpamapS | which would give us the exact ones to ignore | 23:59 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!