Tuesday, 2012-02-21

« Monday, 2012-02-20 Index Wednesday, 2012-02-22 »
*** GheRivero_ has quit IRC00:01
*** byeager has joined #openstack-dev00:07
rmkMaybe this is a bit open ended of a question but are there any obvious incompatibilities between the Essex dash and Diablo API?  I haven't dug into this much but deleting instances doesn't work via essex dash to diablo api, just wonder how deep that goes.00:08
*** dtroyer has quit IRC00:11
tomoe_hello. does anyone know the status of floating ip and melange integration?00:15
*** dolphm has joined #openstack-dev00:23
*** dtroyer has joined #openstack-dev00:30
*** eglynn__ has quit IRC00:36
openstackgerritVerification of a change to openstack/horizon failed: Improve usability of syspanel instance list.  https://review.openstack.org/428100:49
*** crobinso has quit IRC01:09
*** dolphm has quit IRC01:09
*** markvoelker has quit IRC01:10
*** bengrue has quit IRC01:10
*** dolphm has joined #openstack-dev01:17
*** dolphm has quit IRC01:45
*** andrewsmedina has quit IRC01:50
*** andrewsmedina has joined #openstack-dev01:58
*** anotherjesse has joined #openstack-dev02:08
*** Guest29011 has joined #openstack-dev02:08
*** rods has quit IRC02:08
Guest29011?02:09
*** negronjl has quit IRC02:13
*** Guest29011 has quit IRC02:14
*** jog0 has left #openstack-dev02:19
*** dtroyer has quit IRC02:24
*** jog0_ has joined #openstack-dev02:25
*** jog0_ has left #openstack-dev02:25
*** mjfork has quit IRC02:40
*** zul has quit IRC02:48
*** zul has joined #openstack-dev02:50
*** dtroyer has joined #openstack-dev02:55
*** novas0x2a|laptop has quit IRC03:02
*** novas0x2a|laptop has joined #openstack-dev03:02
*** jog0 has joined #openstack-dev03:03
*** jog0 has quit IRC03:03
*** andrewbogott_ is now known as andrewbogott__af03:11
*** pixelbeat has quit IRC03:13
*** jdg has quit IRC03:15
*** jdg has joined #openstack-dev03:16
*** dubsquared has quit IRC03:17
*** dubsquared has joined #openstack-dev03:18
*** heckj has quit IRC03:24
*** danwent has quit IRC03:38
*** mjfork has joined #openstack-dev03:47
*** stuntmachine has quit IRC04:13
*** hattwick has quit IRC04:20
*** dubsquared has quit IRC04:25
*** jdg has quit IRC04:29
*** mjfork has quit IRC04:38
*** hattwick has joined #openstack-dev04:40
*** jdg has joined #openstack-dev04:51
*** ootz0rz has joined #openstack-dev04:52
*** jdg has quit IRC04:56
*** jdg has joined #openstack-dev04:57
*** dubsquared has joined #openstack-dev05:01
*** dubsquared has quit IRC05:01
*** danwent has joined #openstack-dev05:02
*** dubsquared has joined #openstack-dev05:03
*** negronjl has joined #openstack-dev05:05
*** anotherjesse has quit IRC05:18
*** anotherjesse has joined #openstack-dev05:20
*** mnewby has quit IRC05:24
*** jdg has quit IRC05:24
*** mnewby has joined #openstack-dev05:28
*** ncode has joined #openstack-dev05:28
*** ncode has joined #openstack-dev05:28
*** mnewby has quit IRC05:30
*** ootz0rz has quit IRC05:30
*** anotherjesse has quit IRC05:55
*** quantum2112 has joined #openstack-dev05:57
*** anotherjesse has joined #openstack-dev06:00
*** sannes has joined #openstack-dev06:06
quantum2112hi06:06
*** deshantm has quit IRC06:07
quantum2112to create quantum network, what api is used? nova or quantum06:07
quantum2112quantum api seems to augment network creation, when do you use the quantum api to create network that can be used by nova?06:11
*** journeeman has joined #openstack-dev06:11
*** ootz0rz has joined #openstack-dev06:20
*** danwent has quit IRC06:24
*** bepernoot has joined #openstack-dev06:37
*** ncode has quit IRC06:42
*** journeeman has quit IRC06:42
*** viveksnv has joined #openstack-dev06:45
*** sannes has quit IRC06:46
*** journeeman has joined #openstack-dev06:49
*** anotherjesse has quit IRC06:50
*** bepernoot has quit IRC06:51
*** littleidea has quit IRC06:52
*** zaitcev has quit IRC06:53
*** littleidea has joined #openstack-dev06:53
*** eglynn__ has joined #openstack-dev07:02
*** eglynn__ has quit IRC07:07
*** littleidea has quit IRC07:11
*** adjohn has quit IRC07:12
*** viveksnv has quit IRC07:14
*** sleepsonthefloo has quit IRC07:17
justinsbIf I can crash the compute server, should I file the bug as a security vulnerability?07:31
*** dubsquared has quit IRC07:33
*** rmk has quit IRC07:48
*** rmk has joined #openstack-dev07:49
*** eglynn__ has joined #openstack-dev07:52
*** quantum2112 has quit IRC07:53
sorenjustinsb: Very likely, yes.08:16
*** rbasak has quit IRC08:20
justinsbsoren: Thanks ... I decided better to be safe than sorry, so I filed it as a vulnerability08:21
*** tomoe_ has quit IRC08:34
*** apevec has joined #openstack-dev08:35
*** zigo has joined #openstack-dev08:35
*** rbasak has joined #openstack-dev08:38
*** zigo has quit IRC08:38
*** zigo has joined #openstack-dev08:39
*** zigo has quit IRC08:46
*** zigo has joined #openstack-dev08:46
*** shevek_ has joined #openstack-dev08:58
*** hashar has joined #openstack-dev08:59
*** reidrac has joined #openstack-dev09:00
*** zigo has quit IRC09:00
*** zigo has joined #openstack-dev09:03
*** derekh has joined #openstack-dev09:03
*** darraghb has joined #openstack-dev09:05
*** zigo-_- has joined #openstack-dev09:12
*** zigo has quit IRC09:13
*** pixelbeat has joined #openstack-dev09:14
*** berendt has joined #openstack-dev09:15
*** mancdaz has joined #openstack-dev09:16
berendtcan somebody from the keystone or jenkins team have a look at the bug report #937265, the tarballs on jenkins are not usable at the moment09:16
*** ncode has joined #openstack-dev09:19
*** ncode has joined #openstack-dev09:19
*** shang has joined #openstack-dev09:19
*** ncode has quit IRC09:20
*** Mkenneth has joined #openstack-dev09:22
*** shang has quit IRC09:27
*** Mkenneth has quit IRC09:27
*** derekh has quit IRC09:30
*** shang has joined #openstack-dev09:32
*** derekh has joined #openstack-dev09:34
*** Mkenneth has joined #openstack-dev09:40
*** reed has quit IRC09:44
*** reed has joined #openstack-dev09:44
*** reed has quit IRC09:48
*** Vek has quit IRC09:50
*** jeremy_ has joined #openstack-dev10:07
*** HugoKuo_ has quit IRC10:22
*** Remco_ has joined #openstack-dev10:32
*** Ryan_Lane has quit IRC10:33
*** justinsb has quit IRC10:35
*** justinsb has joined #openstack-dev10:36
*** Ryan_Lane has joined #openstack-dev10:36
*** Remco_ has quit IRC10:42
*** Remco_ has joined #openstack-dev10:49
*** shang has quit IRC10:59
*** zykes_ has joined #openstack-dev11:07
zykes_anyone from netstack here ?11:07
*** tryggvil has quit IRC11:08
*** tryggvil has joined #openstack-dev11:08
*** tryggvil has quit IRC11:11
*** tryggvil has joined #openstack-dev11:11
*** shang has joined #openstack-dev11:13
*** hashar has quit IRC11:29
*** markmc has joined #openstack-dev11:31
*** mjfork has joined #openstack-dev11:39
*** Vek has joined #openstack-dev11:45
*** hub_cap has joined #openstack-dev11:50
*** hub_cap has quit IRC11:51
*** shang has quit IRC11:52
*** sandywalsh has joined #openstack-dev11:55
*** hashar has joined #openstack-dev11:56
*** rods has joined #openstack-dev12:00
*** shang has joined #openstack-dev12:05
*** hashar has left #openstack-dev12:06
*** Remco__ has joined #openstack-dev12:07
*** Remco_ has quit IRC12:08
*** sandywalsh has quit IRC12:09
*** Remco__ has quit IRC12:12
*** Remco_ has joined #openstack-dev12:13
*** dneary has joined #openstack-dev12:15
*** sandywalsh has joined #openstack-dev12:21
*** jeroenhn has joined #openstack-dev12:29
*** maploin has joined #openstack-dev12:32
*** maploin has quit IRC12:32
*** maploin has joined #openstack-dev12:32
*** journeeman has left #openstack-dev12:42
*** andrewbogott__af has quit IRC12:51
*** andrewbogott__af has joined #openstack-dev12:51
*** bsza has joined #openstack-dev12:57
*** dprince has joined #openstack-dev13:07
*** markvoelker has joined #openstack-dev13:09
*** rickfoosusa has joined #openstack-dev13:20
*** jeroenhn has quit IRC13:21
*** rickfoosusa has quit IRC13:22
*** Remco_ has quit IRC13:25
*** berendt has quit IRC13:35
zulmorning13:42
*** jeroenhn has joined #openstack-dev13:42
*** lts has joined #openstack-dev13:51
*** stuntmachine has joined #openstack-dev13:56
*** mattray has joined #openstack-dev13:57
*** berendt has joined #openstack-dev14:02
*** jeroenhn has quit IRC14:04
*** doude has joined #openstack-dev14:06
doudeHi all, someone can explain me how works the 'Simple Match' authorization policy in Keystone ?14:07
doudeor point out a documentation14:08
*** kbringard has joined #openstack-dev14:12
*** jeroenhn has joined #openstack-dev14:17
*** shang has quit IRC14:22
*** ayoung has joined #openstack-dev14:23
*** zykes_ has quit IRC14:34
*** stuntmachine has quit IRC14:35
*** shang has joined #openstack-dev14:36
*** stuntmachine has joined #openstack-dev14:43
*** sandywalsh has quit IRC14:43
*** littleidea has joined #openstack-dev14:44
*** deshantm has joined #openstack-dev14:45
annegentlecan an admin add Pete Johnson to openstack-cla? https://launchpad.net/~openstack-cla/+members#proposed14:46
annegentlealso I need David Mortman added to openstack-cla14:47
*** ewindisch has joined #openstack-dev14:52
ewindischhi14:52
*** blamar_ has quit IRC14:56
annegentlemtaylor jaypipes soren vishy ttx jeblair ^^ need some housekeeping on the openstack-cla list14:57
annegentlepretty please :)14:57
*** ncode has joined #openstack-dev14:58
*** ncode has joined #openstack-dev14:58
ttxannegentle: looking14:58
*** RobertLaptop has joined #openstack-dev14:58
annegentlettx: thanks14:59
annegentlePete Johnson and David Mortman are my two confirmed14:59
*** blamar has joined #openstack-dev15:00
ttxannegentle: done15:01
annegentlettx: appreciate it15:01
*** dneary has quit IRC15:02
*** kbringard has quit IRC15:04
*** kbringard has joined #openstack-dev15:05
*** joesavak has joined #openstack-dev15:12
*** dubsquared has joined #openstack-dev15:12
*** yamahata___ has joined #openstack-dev15:18
*** Remco_ has joined #openstack-dev15:20
*** dtroyer has quit IRC15:29
*** dolphm has joined #openstack-dev15:32
YorikSarHello! Can anyone review this change: https://review.openstack.org/141615:38
YorikSarIt hangs there for some time already.15:39
*** Gordonz has joined #openstack-dev15:42
YorikSarThere is quite a mess with patchsets, #5 has some inline comments and #6 was approved by vishy15:42
*** zzed has joined #openstack-dev15:43
*** deshantm_ has joined #openstack-dev15:45
*** deshantm has quit IRC15:48
*** deshantm_ is now known as deshantm15:48
*** map_nw has joined #openstack-dev15:52
*** andrewbogott__af is now known as andrewbogott_15:55
*** andrewbogott_ has joined #openstack-dev15:55
*** andrewbogott_ is now known as andrewbogott15:56
*** reed has joined #openstack-dev15:57
*** ghe_rivero has joined #openstack-dev16:00
*** berendt has quit IRC16:02
*** davlap has joined #openstack-dev16:07
*** jperkin_ has left #openstack-dev16:08
*** shang has quit IRC16:09
*** dolphm has quit IRC16:11
*** kbringard has quit IRC16:11
*** shang has joined #openstack-dev16:12
*** Remco_ has quit IRC16:12
*** jeroenhn has quit IRC16:12
*** yamahata___ has quit IRC16:14
*** dolphm has joined #openstack-dev16:19
*** dolphm has quit IRC16:23
*** dolphm has joined #openstack-dev16:24
tr3buchetttx: just read http://fnords.wordpress.com/2012/02/21/open-dev-releases-quality/16:25
tr3buchet+1 :)16:25
*** jdg has joined #openstack-dev16:25
ttxtr3buchet: cool :)16:25
*** dneary has joined #openstack-dev16:28
*** dneary has quit IRC16:28
*** dneary has joined #openstack-dev16:28
*** danwent has joined #openstack-dev16:29
*** mdomsch has joined #openstack-dev16:30
*** ncode has quit IRC16:30
*** kbringard has joined #openstack-dev16:36
*** jaypipes has quit IRC16:39
*** apevec has quit IRC16:42
*** maplebed has joined #openstack-dev16:44
*** andrewsmedina has quit IRC16:46
*** dolphm has quit IRC16:49
*** andrewsmedina has joined #openstack-dev16:50
jdgHas anybody else seen devstack prompting for sudo passowrd lately?16:51
jdgI was having trouble creating instances and volumes, when watching screen I noticed I'm getting prompts16:52
*** dolphm_ has joined #openstack-dev16:55
bcwaldonjdg: yeah, I was seeing it in just the last screen window, and my ability to boot instances wasnt affected16:55
kbringardare any of the debian package maintainers here?16:56
jdgbcwadlon: Strange, it seems intermittent.  Guess I'll just keep an eye on it and see if i can find a pattern.16:57
jdgAt least it's not just me then  :)16:57
LinuxJedikbringard: try #openstack-packaging16:57
kbringardthanks LinuxJedi16:57
bcwaldonjdg: ok, I was using a vanilla 11.10 box with a user I created a added to sudo16:57
*** andrewbogott has quit IRC16:57
*** andrewbogott has joined #openstack-dev16:59
*** andrewbogott has joined #openstack-dev16:59
jdgbcwaldon: Pretty much the same setup here, for now maybe I'll just add my user to sudoers with no password required.  And later try to figure out why.16:59
*** cp16net has joined #openstack-dev16:59
*** Daviey has quit IRC17:02
*** n0ano has quit IRC17:05
ewindischrussellb: here?17:05
*** cp16net has quit IRC17:06
*** nati2 has joined #openstack-dev17:06
*** nikhil_ has quit IRC17:07
*** nikhil_ has joined #openstack-dev17:07
*** ghe_rivero is now known as ghe_ubuntu17:08
*** reidrac has quit IRC17:08
*** ghe_ubuntu is now known as ghe_rivero17:08
andrewbogottjdg: Yes, that's happening to me a lot, especially in nova-volume.  I have to tab through all my screens periodically and make sure nothing's blocked by a password prompt.17:09
*** zzed_ has joined #openstack-dev17:09
*** cp16net has joined #openstack-dev17:09
*** sleepsonthefloo has joined #openstack-dev17:09
andrewbogottI tried using nova-rootwrap but it didn't seem to help17:10
*** Daviey has joined #openstack-dev17:10
jdgandrewbogott:  Ok, exactly the same thing.  Once I finsih what I'm working on now I'll see if I can find a way to "fix" it.  Seems kinda strange.17:12
*** markmc has quit IRC17:12
*** zzed has quit IRC17:12
*** zzed_ is now known as zzed17:12
andrewbogottjdg:  I poked at it a while over the weekend and gave up and decided to live with it.  You'll make my day if you find a solution.17:13
jdgandrewbogott:  Temporarily I'm going to try adding my user to sudoers with NOPASSWD the next time I restart.  If I figure something more out I'll let you know.17:14
andrewbogottjdg:  Yeah, that's a valid approach.  I can't do that because my sudoers is automatically refreshed by puppet.17:14
jdgDOH!!!17:14
Ryan_Laneandrewbogott: can stick it into /etc/sudoers.d17:17
Ryan_Lanewhich devstack should be doing anyway :)17:17
andrewbogottHm...17:17
andrewbogottThat is an obvious, yet good, suggestion.17:18
Ryan_Lanedevstack really shouldn't edit the sudoers file on systems that support sudoers.d, unless sudoers.d is disabled17:18
*** corXi has quit IRC17:19
jdgRyan_Lane: Any thoughts on having a specific stack user added to sudoers.d with no password in stack.sh?17:19
Ryan_Lanesounds reasonable to me17:20
jdgAhh.. looks like it it already set there... hmm.17:20
jdgJust missing some commands perhaps17:21
andrewbogottIt says andrew ALL = (root) NOPASSWD: SETENV: NOVADEVCMDS17:21
andrewbogottthat means that NOVADEVCMDS is defined someplace, and that's the set of things I can do w/out a password?17:21
jdgandrewbogott: The NOVADEVCMDS should be defined in that file as well17:22
* andrewbogott nods17:22
jdgAnd Yes, that's the set of things you're allowed to do with NOPASSWD17:22
*** andrewsmedina has quit IRC17:23
jdgandrewbogott: So for iscsi volumes tgtadm needs added17:24
andrewbogottok, should be easy to fix this then.17:24
jdgI don't know what I am missing for Nova instances yet because I have no buffer in my screen :(17:24
andrewbogottYou know about ctrl-a [ ?17:25
jdgandrewbogott:  Oh WONDERFUL!!!!17:25
andrewbogottThen you can use arrow-keys.  And ctrl-a ] to exit the mode.17:25
andrewbogottI think it's meant for cut-n-paste but I only ever use it for scrolling.17:25
openstackgerritVerification of a change to openstack/nova failed: Scheduler notifications added.  https://review.openstack.org/419417:26
jdgAWESOME!!  Thank you!  I finally just started using screen instead of screwing around tyring to convert to upstart etc17:26
Ryan_LaneI use ctrl-a esc, then page-up/page-down (or ctrl-f, ctrl-b)17:26
jdgIt's actually much easier once you quit fighting it :)17:26
*** maploin has quit IRC17:27
Ryan_Laneesc again to leave the buffer17:27
jdgRyan_lane:  This is turning out to be a very productive morning for me.  :)17:27
*** Mkenneth has quit IRC17:27
andrewbogottPretty sure my keyboard doesn't have a page-up.  although there's probably some lucky keycombination for that.17:27
Ryan_LaneI didn't even know ctrl-[ worked :)17:27
Ryan_Laneyeah, ctrl-f, ctrl-b are page-up, page-down17:27
andrewbogottHm... is there a mnemonic for that or are those letters just picked at random?17:28
Ryan_Laneforward, and back17:28
andrewbogottv17:28
andrewbogottversus 'previous' and 'next' which do something else :/17:28
Ryan_Laneheh17:28
andrewbogottOf course, I use vi so I can't ever, ever complain about arbitrary key assignments.17:29
Ryan_Lane:D17:29
jdg:)17:29
*** reidrac has joined #openstack-dev17:29
jdgCome on p/n/w/q/s  vi makes perfect sense  :)17:29
*** reidrac has left #openstack-dev17:30
andrewbogottjdg:  Hm... looks to me like devstack rewrites that file on startup.  So we'll need to make a copy17:31
*** andrewsmedina has joined #openstack-dev17:32
*** blamar has quit IRC17:32
*** mnewby has joined #openstack-dev17:33
andrewbogottoh crap!  Ryan_Lane:  The problem was never that devstack was altering sudoers.  It's that if there's a parse error in one of the sudoers.d files then sudo errors out.17:33
Ryan_Lane:D17:33
jdgadrewboggott:  I was thinking of adding the "extras" in stack.sh and resubmitting back to git repo17:33
andrewbogottAnd, having just modified a sudoers.d file, I have learned this17:33
*** blamar has joined #openstack-dev17:33
Ryan_LaneI can see that :)17:33
andrewbogottjdg:  That's fair.  I'm working on a custom volume driver so I have to add extra stuff anyway.17:33
jdgLOL... we're doing the same thing it sounds like.  I have a list  :)17:34
andrewbogottum... what file system?17:34
andrewbogottRyan_Lane:  Can you use your omniscient might to change /etc/sudoers.d/stack_sh_nova_andrew so that I can edit it?17:35
jdgandrewbogott:  Just a basic volume driver of SolidFire devices.  Now I"m trying to figure out the remount bug/issue in Luanchpad17:35
* Ryan_Lane nods17:35
andrewbogottthanks.17:35
Ryan_Lanewhich instance?17:35
andrewbogottdriver-dev17:35
*** dtroyer has joined #openstack-dev17:35
openstackgerritVerification of a change to openstack/nova failed: Update api-paste.ini with new auth_token settings.  https://review.openstack.org/401617:36
Ryan_Lanejust remove it?17:36
andrewbogottchown andrew so I can fix it17:36
Ryan_Laneah17:36
Ryan_Lanedone17:36
andrewbogottAlthough maybe sudo won't tolerate a file that isn't owned by root... we'll see.17:36
Ryan_Laneit doesn't ;)17:37
andrewbogottIt warns but doesn't fail.17:38
*** ramyao has joined #openstack-dev17:38
*** sandywalsh has joined #openstack-dev17:40
*** n0ano has joined #openstack-dev17:40
*** berendt has joined #openstack-dev17:40
berendtcan somebody fix the build of the glance tarball on jenkins? it's broken since weeks17:40
*** ramyao has left #openstack-dev17:42
*** anotherjesse has joined #openstack-dev17:43
*** jog0 has joined #openstack-dev17:44
*** map_nw has quit IRC17:46
berendthow can i create a pdf of the documents provided in the repository compute-api?17:49
annegentleberendt: install maven, then run mvn clean generate-sources in the directory that contains the pom. See http://wiki.openstack.org/Documentation/HowTo17:50
berendtannegentle: thank you17:50
annegentleberendt: the PDF ends up in the target/webhelp directory since the pom file copies it out of the PDF dir into the webhelp dir17:50
*** utlemming has quit IRC17:52
*** utlemming has joined #openstack-dev17:52
*** zzed has quit IRC17:52
*** jdurgin has joined #openstack-dev17:52
berendturgs.. have to install a lof of stuff for maven :( (Install     225 Packages)17:52
*** ghe_rivero has quit IRC17:53
*** zzed has joined #openstack-dev17:54
*** cp16net_ has joined #openstack-dev17:55
*** cp16net has quit IRC17:56
*** cp16net_ is now known as cp16net17:56
*** derekh has quit IRC17:57
*** shang has quit IRC17:57
*** doude has quit IRC17:58
*** hub_cap has joined #openstack-dev17:58
*** rods has quit IRC17:59
*** shevek_ has quit IRC18:00
*** stuntmachine has quit IRC18:01
*** stuntmac_ has joined #openstack-dev18:01
*** heckj has joined #openstack-dev18:03
*** mattstep has quit IRC18:03
*** mattstep has joined #openstack-dev18:04
*** gyee has joined #openstack-dev18:05
openstackgerritVerification of a change to openstack/nova failed: Extract get_network in quantum manager  https://review.openstack.org/409318:06
*** pixelbeat has quit IRC18:07
mortmanthanks annegentle :-)18:15
*** joesavak has quit IRC18:17
*** jakedahn has joined #openstack-dev18:20
*** lts has quit IRC18:23
zykesanotherjesse, here ?18:29
zykesor danwent ?18:29
*** adjohn has joined #openstack-dev18:29
anotherjesseI am (currently focusing on the keystone in #openstack-meeting)18:29
zykesah ok18:29
danwentzykes:  what's up?  sounds like I am the second choice :)18:30
*** zigo-_- has quit IRC18:30
zykesdanwent, done anything with the DNS stuff ?18:30
danwentzykes: nope, wasn't planning on doing any DNS stuff.  Though I imagine you saw the wikimedia patch that went into nova a while back (automatically adding DNS entries for allocated IPs)18:31
zykesi meant more for DNSaaS18:31
kbringardis the preferred Ubuntu for running diablo-stable 11.10?18:32
danwentzykes:  yeah, no plans on that front.18:32
kbringardfor a "production" environment18:32
zykesdanwent, why not ? :p18:32
danwentzykes: no time.18:32
zykesah18:32
zykeshire me ;Ã¥p18:33
danwentzykes: perhaps I gave you the wrong impression, but I was actually never planning on working on DNSaaS18:33
*** gyee has quit IRC18:33
danwentzykes: now if you want to work on other quantum stuff, perhaps :)18:33
ewindischrussellb: here?18:34
zykeshmmm, ttx here ?18:34
russellbewindisch: hey, yep18:34
russellbewindisch: so i guess the exception thing was the unit test problem?18:34
ewindischrussellb: yes, I fixed it in the latest patch18:35
*** gyee has joined #openstack-dev18:35
russellbewindisch: cool.18:36
ewindischI have another patch that fixes all the i18n issues (in debugging).  Otherwise, I'm still searching for feedback. The patch needs to come through today, if it is to make essex.18:36
russellbcool, well at this point I don't really have any objections, since it's sell contained.  I'm not in nova-core though, so I can't approve.18:37
russellbwhy is the new service needed btw?  the reply service?18:37
*** Ryan_Lane has quit IRC18:37
russellbdid you need it to implement the timeout, or something else?18:37
ewindischbecause we don't have a return path to the caller.18:38
ewindischwhen you do rpc.cast(), I don't know who you are or how to find you.18:38
russellbrpc.call() you mean?18:39
ewindischwell, rpc.call() is a pair of casts here.18:39
ewindischso the replies are cast() to the reply service and it publishes to an IPC queue. A call() blocks, subscribed to the IPC queue, until the reply message arrives.18:40
russellbok.18:43
*** bengrue has joined #openstack-dev18:48
*** Remco_ has joined #openstack-dev18:50
russellbewindisch: so this IPC queue ... "ipc:///tmp/zmq_reply_queue" ... is that creating a unix socket in tmp?18:51
*** lts has joined #openstack-dev18:51
*** adjohn has quit IRC18:51
ewindischyes. It isn't ideal, but I couldn't figure out another way of handling return casts without more data passed into call()18:52
russellbwell i was just thinking of suggesting /var/run/openstack-nova/ or something instead of /tmp18:52
russellbusing /tmp is kind of evil from a security perspective :)18:53
ewindischreasonable.18:53
russellbok I think I'm done with comments for real now, heh18:56
*** Mandell has quit IRC18:57
russellbewindisch: i guess ping the ML in response to your FFE thread asking for reviews to see if you can get it in?18:58
*** jog0_ has joined #openstack-dev18:58
ewindischrussellb: I already emailed vish, and everyone on the review is already there. I'm making that ipc change now, and I'll upload that with the i18n fixes.18:59
russellbcool, sounds good19:01
russellbthere's also the project meeting today where you could bring it up19:01
*** jog0 has quit IRC19:01
*** jog0_ is now known as jog019:01
heckjmarkmc: ping?19:02
*** heckj has quit IRC19:02
*** heckj has joined #openstack-dev19:02
*** viraptor has quit IRC19:02
*** shang has joined #openstack-dev19:03
*** Mandell has joined #openstack-dev19:03
zulanotherjesse: ping https://review.openstack.org/#change,435119:04
*** Drakiz has joined #openstack-dev19:05
heckjzul: lookin'19:06
heckjzul: approved19:07
zulheckj: thanks19:07
*** darraghb has quit IRC19:07
heckjdprince: ping19:08
*** RobertLaptop has left #openstack-dev19:11
anotherjesseheckj: termie and I communicated, and he will summarize our stance on default tenants19:11
termieheckj: hola, here's our thoughts19:12
dprinceheckj: hello19:12
heckjdprince: just commented on a couple of your change requests - tweaking setup.py19:12
heckjtermie: shoot!19:12
dprinceheckj: SUre. I already approved zul's MANIFEST.in patch...19:13
dprinceheckj: So my patch in combination with his makes this work.19:13
termieheckj: so, the existing api has been traditionally difficult to understand in that it allows two different types of responses from the same endpoint, at current nearly all calls in all systems require a tenant (and the couple that don't won't be hurt by it being present), so we think it'd be best to standardize on that call always returning a tenant or an error19:13
heckjAh - got it, missed that.19:13
heckjdprince: ^19:13
dprinceheckj: ack19:14
heckjtermie: 100% agreement there19:14
*** pixelbeat has joined #openstack-dev19:14
termieheckj: in the cases where a default tenant might be difficult the implementation can decide what it would like to do to pick one or whather to throw an error19:14
termieheckj: always accepting that a tenant can also be passed in to make the choice explicit19:15
heckjtermie: seems reasonable19:15
heckjtermie: how does that play into tokens, and do we want to support the strange condition where a user is defined without a tenant?19:16
termieheckj: tokens always have a tenant, no more unscoped tokens, and a user without a tenant can't do anything so we'd return an authentication error19:16
heckjtermie: I'd prefer to assert something that setting that up isn't valid - that a user must always be created in a baseline sense assocaited at least to a single tenant19:16
heckjtermie: sounds like we're on the same page19:16
termieheckj: we felt that you should still be allowed to create a user without a tenant, (for example if importing a user base) but then they have to be associated with one before they can log in19:17
termies/log in/authenticate/19:17
heckjthat seems reasonable - and a good use case.19:17
* heckj notes to add that in..19:17
termieheckj, anotherjesse: some other things that popped to mind from a ux standpoint, 1) we could return a list of valid tenants with the error message if no tenant was defined19:18
*** pixelbeat has quit IRC19:18
termieheckj, anotherjesse: 2) we could make a configurable default default tenant19:18
termiethe second would only be useful for simple systems, but might add too much confusion19:19
heckjtermie: at a minimum, I'd like to see a log message (log.ERROR) with a notice that the user attemped to auth and was denied because didn't have an assocaited tenant19:19
anotherjesseayoung: is the ldap work you are doing support specification of default tenant?19:19
termiethe first doesn't really have a precendent in the system yet19:19
*** spinningcog has joined #openstack-dev19:19
ayounganotherjesse, I'm not quite sure how to model it19:19
heckjtermie: I like (2)- but I can see a few use cases where you wanted want that automatically19:20
heckjgod I suck at typing reasonable sentences, lemme try that again ^19:20
termieheckj: s/wanted/wouldn't/g19:20
termie?19:20
spinningcogAnyone know what happened to the sampledata that used to be bundled with keystone?19:20
heckjtermie: I like the option 2, but know that some implementations wouldn't want that. i.e. to your point of being configurable, is good.19:21
heckjspinningcog: it's moved into devstack entirely19:21
anotherjesseheckj / termie - going with option 2 would mean a change to the API, client libraries, horizon, ...19:21
termiespinningcog: there is a bug open asking that it be provided in keystone again though19:21
termieanotherjesse: that's number 119:22
heckjanotherjesse: yeah, probably not somehting we should do before folsom, but I'd like to consider for the v.next API discussion19:22
heckjspinningcog: https://github.com/openstack-dev/devstack/blob/master/files/keystone_data.sh at the moment.19:22
termieanotherjesse: agreed, i don't mean to make that data for the computer, but rather to display in the error text19:22
spinningcogit makes sense to me that it should be included with keystone since the documentation for exercising the service/admin API's expects it to be available.19:22
ewindischrussellb: yeah… time is tight. vish wanted it before today's meeting.19:23
spinningcogthanks for letting me know where it is :)19:23
termiespinningcog: https://bugs.launchpad.net/keystone/+bug/93433119:23
uvirtbot`Launchpad bug 934331 in keystone "create a sample-data script for quick development use" [Medium,Confirmed]19:23
ewindischjust uploaded a new patch.  Maybe vish will review soon. ;-)19:23
termieanotherjesse: as in, just a ux thing, not an api design thing19:24
heckjtermie: ++19:24
* anotherjesse backs away from default tenant discussion - looks like you guys can handle it ;)19:24
ayoungspinningcog, if you run the unit tests,  they populate a sqlite database with some sample data.  I've had some success using that, too19:24
heckjanotherjesse: HEY! Come back here19:24
heckj;-)19:24
*** zzed_ has joined #openstack-dev19:24
anotherjesseheckj: for sql/kvs I think having default tenant is the right thing19:25
*** zzed_ has quit IRC19:25
heckjtermie - I hesitate to open this can of worms, but how do you suggestion I describe the relationship of roles in the current API.19:25
ayounganotherjesse, if that is the case,  then LDAP, too19:25
anotherjesseif you work with ayoung about how to model it in LDAP (perhaps it is just the first tenant or an attribute of the user?)19:25
termieayoung: you're in the most difficult of the default tenant stuff, what do you think about.... and anotherjesse just finished what i was going to say19:26
heckjanotherjesse: I like the idea - it makes the UX experience much, much better19:26
anotherjessefor clarification - right now dashboard & CLI are implemented assuming tenant is required to be specified19:26
ayoungtermie, well, I am trying to use the default schemas.  My thinking is that we are most likely to be in the situation where the user list is not under out control19:26
ayoungso lets try to come up with a solution if we can't add default tenant to the user record19:27
termieheckj: i think sorta like this, tenants == resource, user == authentication credentials associated with various resources (tenants), roles == granular control of a resource (tenant) for given auth creds (user)19:27
anotherjessedashboard has a hack that lists all the tenants for the user and choses the first (with the idea eventually it could store your last used tenant at the dashboard layer and always default to that)19:27
ayoungremember,  this is for access to modify configuration for machines,  not to access the machines themselves.  I think explicit tenant specification is probably a good thing19:28
*** zzed has quit IRC19:28
heckjtermie: at the moment, roles are being returned as words - keep with that setup until the next API, or do we want to try and explicitly document through the actions/capabilities/etc setup that was discussed back at Diablo summit?19:28
ayoungIf we can modify the use record,  we have to figure out where to store the default tenant19:28
heckjtermie: I'm having trouble reconciling what we want to do, and when, with that past discussion and what's defined and available in V2 API19:29
termieheckj: roles are being returned the way things expect them at the moment, but the name of a role itself is no longer interesting once rbac hits19:29
ayoungheckj, actions etc probably don't belong in the IdM store19:29
termieheckj: the roles just map to rulesets19:29
ayoungah..is all of that being pushed into Keystone?19:29
termieheckj: and the rulesets are defined by the services19:29
*** cp16net has quit IRC19:29
ayoungrulesets and actions?19:29
termieayoung: i can point you at the policy stuff in nova19:30
ayoungtermie, thanks, please do19:30
heckjtermie - is this still relevant: http://etherpad.openstack.org/canhaz19:30
heckj?19:30
*** cp16net has joined #openstack-dev19:30
termieheckj: not vastly so since there is already a working implementation19:30
termiehttps://github.com/openstack/nova/blob/master/nova/policy.py19:30
heckjtermie: kk - I'll dump that as a reference19:30
termieand https://github.com/openstack/nova/blob/master/etc/nova/policy.json19:31
heckjtermie - what's your thinking for timing on "when RBAC hits"?19:31
*** zzed has joined #openstack-dev19:31
termieheckj: well, it's already there in nova, we just need to copy it over, i'd prefer to do it soon19:31
heckjtermie - can we pull it of prior to march 1st?19:31
termieheckj: i think we might be able to, it will require a meeting or two to make sure we don't miss some controls we need19:32
heckjtermie - Ok, how can I help coordinate that? I'd like to get it in - not feeling like I know what the critical pieces are19:32
*** pixelbeat has joined #openstack-dev19:33
termieit feels pretty clear in my mind, but the default rules for how we modify keystone data are probably a bit wider-sweeping than just guessing at19:33
termieheckj: so what is left to iron out, to me, is deciding who is allowed to modify, for example, which tenants a user is in (probably something like keystone:tenant_admin role can add the user), who can modify service info (because that is above tenant, possibly only keystone:admin could do that)19:34
*** hub_cap has quit IRC19:34
termieheckj: but i do think having an example set of code for it out is pretty critical19:35
termie'cause most people don't understand teh system on first glance19:35
termie(it's the old double-pointer problem)19:35
heckjtermie: ++, I sure didn't - and I'm not sure I entirely get it now until I walk through it a few more times19:35
termiei'm okay with taking on the initial bits, but it probably means updating aa decent amount of tests, because many of them have been naive to permissions19:36
heckjtermie: want to get a patch set for it and use that as a discussion piece with the code? We could either do a meeting based on that later this week or use next tuesday's keystone meeting for that discussion19:36
ayoungtermie, let me get this straight:  we need to be able to have keystones back end record 1:  resources in openstack,  like glance servers,  nova,  and the like.  2.  lists of actions on each one,  and 3.  assignments of roles that can perform those actions?19:36
termieheckj: yeah, i'm expecting to be swamped in reviews and email today19:36
heckjI figured you would be19:37
termieayoung: not exactly19:37
heckjtermie, ayoung: I figured we'd be driving that from a config file or such (i.e. policy.json) that we have for each service to start, build manipulating that into an API for the next rev of that API19:38
termieayoung: right now the services have their "actions" (we aren't using actions as a term as it is misleading since they are abstract rules that usually map to a specific action)19:38
ttxzykes: yes ?19:38
termieayoung: keystone will only be handling the assignment of roles in this first rev19:38
zykesttx, is there any activity in the nordics ?19:38
ayoungtermie, assignment of a user to a role in a tenant, right?19:39
termieayoung: and deciding who can modify keystone data, with a set of code similar to policy.json19:39
termieerm, policy.py19:39
termieayoung: yeah19:39
termieayoung: so for now, we're not doing anything to modify what rules exist in the api (that would be providing a policy service), so services are all managing their rules via config file19:40
dprinceheckj: thanks for sending my branch. One question though. Do keystone branches need 2 core approvals? Are we in a 'get-r-done' mode or something?19:41
ayoungtermie, so instead of adding in a new concept,  we can make an administrative role for each tenant,  and use that to manage tenant membership19:41
ttxzykes: define activity19:41
termieayoung: and the services define which roles they care about by including a match for that role in their rules19:41
zykesttx, is there someone that's chatting about it from here ?19:41
termieayoung: that's my current thinking (though i don't know which new concept you're refering to)19:41
heckjdprince: for most of the code, yes - two approvals, but I'm pushing to get some things out of the way quickly that seem relatively simple19:41
ayoungtermie, "actions"  and the like19:41
ttxzykes: I know of at least one developer in Denmark, if that counts as "activity in the nordics"19:42
termieayoung: there is no managing of rules19:42
termieayoung: only roles19:42
ayoungso that still begets the question of who can manage the managers19:42
*** ncode has joined #openstack-dev19:42
*** ncode has joined #openstack-dev19:42
zykesah, i meant more like companies19:42
termieayoung: we'll have a static config file like policy.json for keystone19:42
termieayoung: that defines which conditions need to be matched for somebody to be allowed to change something19:42
ttxsoren: you had the name of a company working on OpenStack in Sweden, IIRC ?19:42
ttxsoren: if yes and you remember the name, cc zykes19:42
termieayoung: an example would be something like "to change the membership of this tenant" you need "to have the tenant_admin role within that tenant"19:43
ayoungtermie, OK,  so the roles will be in the Identity backend,  buyt how they are processed will be read out of a confi file19:43
ayoungand changing rules would require a server restart19:43
termieayoung: only within keystone, they will be used differently by the services19:43
ayoungtermie, understood19:43
termieayoung: for the naivest implementation a server restart, sure, but that is not really an interesting problem19:44
*** Ryan_Lane has joined #openstack-dev19:44
*** pixelbeat has quit IRC19:44
termieayoung: you cna just reload the file often, if you wanted19:44
ayoungtermie, kill -HUP19:44
ayoungreread the config file19:44
termieayoung: i am saying it isn't worth talking about whether a server restart is required for this, since it obviously is not as soon as we write something to load it without restart19:44
ayoungright19:45
ayoungOK...so what does it mean if someone is a member of a tenant, but they are not assigned to any roles in that tenant?19:45
termieayoung: doesn't mean anything unless some service thinks it should19:45
*** rods has joined #openstack-dev19:45
termieayoung: i would expect a service like nova to allow stuff like "list instances"19:45
ayoungtermie, so by extension,  a default tenant  would mean even less19:46
termieayoung: unrleated19:46
termieayoung: default tenant != default tenant if you have no tenants, it means the default to choose from your available tenants if you don't specify one19:46
ayoungtermie, not really.  if it means something,  then a default tenant means something19:46
ayoungtermie, understood.  Sounds like it really is a UI concept19:47
termieayoung: it is not a global default tenant, it just means which one gets picked of your existing tenants if you don't specify it on the authenticate call19:47
ayoungor a default to be used for "list roles" if you don't specify "for which tenant"19:47
termieayoung: no19:47
termieayoung: only authenticate call, after that your token includes a tenant19:48
heckjayoung: "list roles" without specifying a tenant should result in an erro19:48
heckjayoung: but as termie mentions, as soon as you auth, you have a tenant against which you can apply that command as a default19:48
ayoungheckj, better example would be List users19:48
heckjayoung: same, yeah19:49
ayoungtermie comment there is : NOTE(termie): I'd prefer if this listed only the users for a given19:49
ayoung                      tenant.19:49
termieayoung: no calls are made without a tenant, your token has a tenant once you authenticate19:49
ayoungtermie, yes,  I get it19:49
anotherjessetermie: since you guys are chatting for a long time - I'm thinking of posting a bug about https://github.com/openstack/keystone/blob/master/tests/test_keystoneclient.py#L47 (setting roles should be done by role api not via metadata)19:49
termieayoung: whether calls do something specific based on your tenant is an api design issue (and an ugly leftover from legacy api design where it exists currently)19:49
termieanotherjesse: yes pls, let's get rid of the old stuff19:50
ayoungtermie, so your preference would be to always specify Tenant for API calls?19:50
anotherjessetermie: I hit that when I was exploring a zookeeper backend for keystone19:50
termieayoung: not exactly, depending on what you are talking about19:50
ayoungtermie, so not "always"  bu "if the tenant id is relavant to the call"19:51
ayoungbut19:51
termieayoung: your tenant _will_ always be specified by your token, when you list users for a tenant i think you should include the tenant you want to list users for19:51
termieayoung: rather than have the call be contextually scoped to who you are acting as19:51
ayoungright...that is what I was trying to say...for calls where the result set is scoped to the tenant19:51
zykesofftopic question, is anyone hiring developers ? :)19:51
heckjanotherjesse: ++19:51
termieayoung: then we're tentatively in agreement, i'm still not sure we're talking about the same thing since you've talked abotu what appears to be 3 different hings in close successsion19:52
ayoungsorry19:53
heckjayoung: I think you're on the right page19:53
anotherjessetermie / heckj - https://bugs.launchpad.net/keystone/+bug/93810319:53
uvirtbot`Launchpad bug 938103 in keystone "don't set roles via metadata in backend api " [Undecided,New]19:53
ayoungtermie, they are related, though19:53
termieayoung: (or in agreeement about what i am saying at least, not necessarily on the stuff being discussed)19:53
ttxzykes: I think most companies around here are.19:53
ttxzykes: http://www.openstack.org/jobs/19:53
zykesoverseas as well ? : )19:53
termieayoung: i'll list that under subjected relatedness ;)19:53
termies/subjected/subjective/19:53
termieayoung: one thing is related to who is allowed to do things, another is related to how you determine who you are, another is related to how you determine who you are talking about when making api calls19:54
ayoungtermie,  still thinking about whether default tenant should be specified in authentication.  If we change the APIs such that they are never modified by the callers tenant ID,  then  I don't think it is19:55
termieayoung: that is only for api calls within keystone, the other services still need to know which tenant you are19:55
ayoungtermie, tenant ID is this implicit context in calls.  It becomes necessary when 1.  calls need to be scoped to tenants and 2.  authenticate calls don't allow you to specify tenant19:55
sorenttx: Err... No, that doesn't ring a bell at all.19:56
ayoungfor example,  basic auth,  or kerberso for that matter19:56
ewindischdoes gerrit automatically install anything in pip-requires?19:56
*** mdomsch has quit IRC19:56
termieayoung: again, that is not something that matters to other services, they are agnostic to keystone internal structure and require a specific tenant19:57
termieayoung: inside keystone it is still useful to have a token be scoped to a tenant so that we can determine if that user has permissions on that tenant without an additional look up19:57
ayoungtermie, so would default tenant be solely for Keystone use?19:57
termieayoung: the goal of having the tenant be specified in calls like list_users would be to make it easier for an admin user to list the users for another tenant19:58
termieayoung: the default tenant is how we specify which of your tenants you are associated with if you do not provide a tenant, that is it, only19:58
ayoungI should have types: sole for use with keystone19:58
termieayoung: all other systems respond exactly the same way19:58
termieayoung: they just get a token with a tenant attached19:58
termieayoung: same as they always have19:58
termies/always have/always eventually have/19:59
heckjheh19:59
*** hub_cap has joined #openstack-dev19:59
termiei gotta go eat pretty soon19:59
ayoungtermie, the reason I am making such a fuss is that I think the dominant use case will not support changing the user object20:00
heckjtermie: I'm good20:00
ayoungone possibility is that we keep a shadow object in the local identity store,20:00
termieayoung: i don't understand that statement, could you elaborate?20:00
ayoungtermie, corporate LDAP20:01
termiethe previous one, not the shadow object, which is relatively understandable20:01
ayoungOpenstack is run in a lab20:01
ayoungif you log in using keystione,  you authenticate against corp LDAP,20:01
ayoungbut we keep a user object in the local LDAP, too20:01
termielocal ldap?20:01
ayoungit "shadows" the corp ldap20:01
ayoungtermie, yes20:02
ayounglocal LDAP is for storing tenatns and roles20:02
ayoungas well as assignments20:02
ayoungand Keystone is allowed to modify it20:02
termiewhy would we store that in ldap, rather than say, sql20:02
ayoungtermie, because LDAP will allow the passthrough to corporate to work seamlessly20:02
ayoungfairly common approach20:02
termieayoung: so where is the "local" one living?20:03
ayoungtermie, remember, the virtual machines running in the ldap also need an Identity tore20:03
ayoungstore20:03
ayoungtermie, in the Lab20:03
ayounglocal LDAP is probably running on the same server as keystone20:03
termieso you are referring to a case where the virtual machines are also using ldap as a login20:04
ayoungtermie, yeop20:04
ayoungyep20:04
ayoungbut even ignoring hts,  say we use SQL as the local20:04
ayoungyou still have the same general solution20:04
ayoungauthenticate to corporate LDAP,  but keep a user record in the local SQL DB20:04
ttxewindisch: try asking jeblair or mtaylor20:05
termieayoung: alright, with you there, where does not being able to modify the user fit in?20:05
ewindischttx: for now, I've just decided to toss the module out of pip-requires...20:06
ayoungtermie, I was assuming we would not have to keep a local user object20:06
*** jog0 has quit IRC20:06
ayoungthat we would only fetch the user object from the corp LDAP20:06
*** jog0 has joined #openstack-dev20:06
ayoungI'd still prefer that20:06
ayoungas,  right now,  the only thing we'd need to stick in the local user is the default tenant20:06
termieayoung: will corp not support tenants?20:06
ewindischvishy: if you can spare a moment to review the zeromq branch, I'd be grateful.20:07
termieayoung: i.e., will they always be stored locally20:07
ayoungtermie, if Corp is AD,  changing the schema is prohibitive20:07
termieayoung: is that a yes or a no20:07
ayoungtermie, it is  a no20:08
ayoungwith some caveats20:08
termieayoung: sorry, let me rephrase, do we have to support storing tenants locally20:08
ayoungtermie, yes20:08
ayoungOK,  let me try to be clearer20:08
termieayoung: what is the benefit of not caching a local copy of the user with additional data? we still auth against corp, but stack some more metadata locally20:09
termieayoung: if, in the common case, we aren't going to be able to get tenants out of the corp auth and still need to keep copies around20:09
ayoungtermie, we will always need to go to corp ldap to authenticate, as we will not be allowed to cache a copy of the password hash.20:10
ayoungso the question is "do we really need to cache locally"20:10
ayoungunderstand.20:10
ayoungthe tenants are in a different subtree in LDAP,  and roles assignements are under them20:10
termieayoung: if we are already managing tenants locally then managing additional metadata does not seem weird20:10
ayoungso right now,  we don't really need the user subtree20:10
ayoungtermie, users are not under tentnats20:11
ayoungall that the tenants have is a collection of roels20:11
ayoungroles20:11
ayoungroles have a list of users assigned to those roles20:11
ayoungbut that list is just a primary key20:11
ayoungso, with corp LDAP,  we don't need any user object locally20:11
termieayoung: but you do if you want to add additional data, like, default tenant20:12
ayoungright20:12
termieayoung: so... we do need it20:12
ayoungunless I can figure out another way,  yes20:12
termieayoung: unless there is some other way to go about it20:12
termieit doesn't seem like a problem to me though if we're already managing other stuff in there20:12
termiewe still auth against corp and then pull up our associated user20:13
ayoungtermie, what happens if we auth to corporate, and we don't have a local record?20:13
ayoungwe still don't have a default tenant20:13
termieayoung: yup, but we also don't even have tenants until people assign them20:13
ayoungyes20:13
termieayoung: so there isn't an extra step, we're still referencing a user that exists in corp and probividing additional data (so far tenants and roles, and hopefully soon default tenant)20:14
termieayoung: the first tenant being assigned to can be its default, so we can handle it in that step20:15
ayoungit really isn't a question until they have 2 or more20:15
openstackgerritVerification of a change to openstack/nova failed: Extract get_network in quantum manager  https://review.openstack.org/409320:16
*** stuntmac_ has quit IRC20:16
*** stuntmachine has joined #openstack-dev20:16
termieayoung: well, you can either just pick the first tenant result every time as default20:16
termieayoung: or store the additional data20:16
ewindischrussellb: I know your'e not core, but if you can mark a 'lgtm' I'd appreciate it (if you're okay with doing so, of course)20:16
termieayoung: i need to go eat though20:16
ayoungtermie, problem is, with LDAP,  there is no ordering guarantees with queries20:16
ayounggo eat20:16
russellbewindisch: k20:17
russellbewindisch: did you try it after moving to /var/run/nova/ ?  I just wasn't sure if something was already creating that dir20:18
ewindischI did…. but I didn't run pep8, I had a spurious newline, so I've uploaded a new patch.20:18
*** dolphm_ has quit IRC20:19
russellbok.20:19
*** dolphm has joined #openstack-dev20:19
ewindischIt does a mkdir, chown, chmod on the directory… for good measure20:19
wwkeyboard2I see a failure with this build https://jenkins.openstack.org/job/gate-nova-unittests/1130/console but no indication what the failure was20:20
*** wwkeyboard2 is now known as wwkeyboard20:20
ewindisch(which actually lead me to find some places where we might have unsafe use of os.mkdir in the code… should file some bug reports...)20:20
*** zykes- has joined #openstack-dev20:21
*** zykes has quit IRC20:25
*** mattray has quit IRC20:26
*** davidkranz has joined #openstack-dev20:33
*** dprince has quit IRC20:34
russellbewindisch: last couple of tweaks noted in review, then I'll +1 it20:34
*** jaypipes has joined #openstack-dev20:35
*** jaypipes has quit IRC20:36
*** andrewsmedina has quit IRC20:36
*** shang has quit IRC20:36
*** jaypipes has joined #openstack-dev20:38
termieayoung: so, i'd say then store it, we can update it with calls to update user20:39
ewindischrussellb: updated.20:40
russellbewindisch: done20:42
russellbnice work20:42
ewindischthanks20:42
*** andrewsmedina has joined #openstack-dev20:42
*** joesavak has joined #openstack-dev20:45
YorikSarjohan_-_: here?20:46
*** ncode has quit IRC20:47
*** mikeyp has joined #openstack-dev20:49
ayoungtermie, the thing is,  I don't want to write a custom schema for Keystone.  There are standard schema's shipped with the LDAP servers and I am using them with the knowledge that they are in the format that all other applications expect.  If we were to do tenatns as posix groups,  for example,  then I would put the default tenant ID as the gid field in the posixUser object.20:49
ayoungI've tried to write the LDAP code so that the end user can use their existing schema if they so desire20:50
anotherjesseI have a silly launchpad question - is there a button I can click to see "open bugs" without "fix commited" being included?20:51
joesavakjesse: try an advanced search: https://bugs.launchpad.net/keystone/+bugs?advanced=120:52
anotherjessejoesavak: thx20:52
anotherjesseseems like it would be a link by default - give me the list of stuff that needs to be done20:53
joesavaki agree20:53
termieayoung: are we doing them as posix groups? are there other schemas we could add as different options?20:53
termieayoung: as in, if we can map it appropriately based on some standard schemas maybe we can just have a few different implementations based on those20:53
ayoungtermie, I am not doing them as posix groups20:54
ayoungI went with a simpler schema20:54
anotherjessedanwent or other quantum folks - can we get a review on https://review.openstack.org/#change,424220:54
ayoungthe tenants are "groupsOfNames"20:54
ayoungthe roles are "organizationalRoles"20:54
ayoungand membership in the role is in the attribute roleOccupant20:54
danwentanotherjesse: will do20:55
ayoungtermie, https://review.openstack.org/#patch,sidebyside,4362,1,keystone/identity/backends/ldap/role.py20:55
ayoungline 40-ish20:55
termieayoung: i am just asking whether there are any other schemas that we can have code for that would solve this problem for some significant portion of users20:56
Ryan_Laneunlikely20:56
ayoungRyan_Lane, I assume "unlikey" is in response to "other schemes"?20:57
termieRyan_Lane: welcome to the convo, we're trying to decide how to allow a user to make one of their tenants a default if they don't provide a tenant20:57
Ryan_LaneI think ayoung's schema choice is appropriate20:57
Ryan_Laneah20:57
Ryan_Lanehn20:57
Ryan_Lane*hm20:57
termieRyan_Lane: options so far seem to be: store additional local user data20:57
Ryan_Lanethat's a good question20:57
Ryan_Laneor add a default on their account, via some attribute20:58
termieyou guys wanna chat about it a little bit? i haven't even gotten to start reveiws or email yet20:58
ayoungRyan_Lane, so my assumption has been that for most uses people are not going to be able/want to modify the user record20:59
*** hashar has joined #openstack-dev20:59
openstackgerritVerification of a change to openstack/nova failed: xenapi: nova-volume support for multiple luns  https://review.openstack.org/426720:59
ayoungso if we want user specific data, we need to handle it some other way20:59
*** markmc has joined #openstack-dev20:59
*** hashar has quit IRC21:00
*** hashar has joined #openstack-dev21:00
*** zzed has quit IRC21:00
Ryan_Laneprobably true21:00
Ryan_Lanemodifying the user account for this one specific case is kind of annoying21:00
ayoungRyan_Lane, agreed21:00
Ryan_Laneis there any way around it, though?21:00
ayoungand,  if we state that they can modify it,  it messes up the case where they have an existing LDAP install,  and they want to use their existing user objects.  Modiofying the schema ex-post-facto PITA21:01
ayoungRyan_Lane, probably21:01
*** zzed has joined #openstack-dev21:02
ayoungsomethuing ugly like recording the default tenant for a user inside the Tenant tree somewhere21:02
Ryan_Lanelet's see what inetorguser has for this...21:02
ayoungRyan_Lane, so the question I have is,  if we need to store this one piece of data,  is it going to scope creep to "store configuration options for users"21:02
ayoungRyan_Lane, nothing pretty21:03
Ryan_Lane:(21:03
ayoung ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ em21:03
ayoung ployeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ ini21:03
ayoung tials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo21:03
ayoung $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre21:03
ayoung ferredLanguage $ userSMIMECertificate $ userPKCS12 ) )21:03
Ryan_Laneinetorgperson* that is21:03
ayoungRyan_Lane, posixAccount  has MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )21:04
ayoung        MAY ( userPassword $ loginShell $ gecos $ description ) )21:04
ayoungbut that is likely to be used for something else21:04
Ryan_Lanenot all ldap servers implement posixaccount, either21:05
Ryan_LaneAD has it, but most people don't enable it21:05
Ryan_Laneso, there's nothing inherently wrong in making a schema21:05
Ryan_Laneas long as everyone knows it will be written once and hopefully never changed21:06
Ryan_Laneunless it's changed in backwards compatible ways, and even then, very rarely21:06
ayoungRyan_Lane, yes,  but I am not sure that this usage calls for it,  and I'd prefer the simpler solution if it exists21:07
* Ryan_Lane nods21:07
*** cp16net has quit IRC21:07
*** hub_cap has quit IRC21:07
*** cp16net has joined #openstack-dev21:07
ayoungif, OTOH hand this is essential,  it really seems to me to be part of storing configuration information about the user, and we will have a wider array of values to store than just "default tenant"21:07
*** hub_cap has joined #openstack-dev21:07
*** hub_cap has quit IRC21:08
Ryan_Laneyeah. we need to know what all of them are ahead of time, if that's the route to go21:10
Ryan_Laneotherwise things become much more painful down the line21:10
ayoungSo,  as you can see, I am little wary here21:10
*** stuntmachine has quit IRC21:11
ayoungseems to me that user preferences like that are really a Horizon issue,  as that is far more likely to care about configuration options....21:11
ayoungOf course,  they are going to want to store them in Keystone....21:11
*** stuntmachine has joined #openstack-dev21:12
*** apevec has joined #openstack-dev21:14
ayoungRyan_Lane, I thin we can safely use the "Secretary" field of the inetorguser21:14
ayoungdoes anyone even have secretaries any more?21:14
Ryan_Laneheh21:15
Ryan_Laneis it only horizon that cares about this?21:15
*** stuntmachine has quit IRC21:17
*** zns has joined #openstack-dev21:18
*** stuntmachine has joined #openstack-dev21:24
*** bhall has joined #openstack-dev21:25
*** davidkranz has quit IRC21:28
*** mikeyp has quit IRC21:29
wwkeyboardlooks like gate-nova-unittests is hosed, who should I notify?21:32
jk0mtaylor or jblair21:33
wwkeyboardthanks, then I'll wait till after the meeting21:34
*** rackerjoe has joined #openstack-dev21:35
russellbewindisch: i didn't think that change should affect your driver, since it's just nova.rpc.amqp ..21:42
ewindischrussellb: it changes common. I'd need to check..21:42
russellbnah, common tests21:43
ewindischah21:43
russellbjust removing some tests21:43
*** heckj has quit IRC21:45
*** pixelbeat has joined #openstack-dev21:45
*** heckj has joined #openstack-dev21:45
*** eglynn__ has quit IRC21:45
YorikSarvishy: When can I bother you with Nexenta driver review?21:45
*** eglynn__ has joined #openstack-dev21:46
vishynever!21:46
vishy:)21:46
vishyit looks like there are still comments on your last patchset of the dependent review21:46
YorikSarvishy: There is doubts on the exception handling in manager, but I believe that they are not too relevant here.21:47
YorikSarvishy: If you can push foward that change too (one more time), it'd be great21:48
adam_gis it currently possible to incrementally migrate a keystone sql backend? AFAICS, anything declared as part of a sql model in a backend driver will be created as part of migration v01.21:54
mikalOh, are we bothering vishy for code reviews? I should join the queue...21:55
anotherjesseadam_g: not sure - maybe dolphm or termie knows21:56
anotherjesseadam_g: assuming you are talking about the current branch21:56
adam_ganotherjesse: yes21:56
adam_gim looking at trying to add a sql backend for services, but the way in which migrations are handled seems strange21:57
*** nati2 has quit IRC21:58
Ryan_Laneayoung: if only horizon needs default tenants, then can't we let horizon stick in into its daabase?21:58
ayoungRyan_Lane, I don't think that is the case21:58
ayoungI think that default tenants are across the boards21:59
ayoungwhere as other config options will be Horizon specific21:59
Ryan_Laneah21:59
termieadam_g: that is the current case until we make a release22:00
*** stuntmachine has quit IRC22:00
termieadam_g: part of the release process will be to freeze those22:00
Ryan_Laneayoung: I can't think of a reasonable way to handle this, except for adding schema22:00
*** eglynn has joined #openstack-dev22:00
*** pixelbeat has quit IRC22:01
anotherjessezul: ubuntu might be interested in the patch to migrate users from nova's deprecated auth to keystone users22:01
adam_gtermie: gotcha, so if im adding a new table, just tack it onto the current models and not worry about a migration script?22:01
termieadam_g: assuming it is a table we want ;)22:01
ayoungRyan_Lane, create a groupOfNames called defaultForUsers under the tenants22:01
ayoungkeystone will have to make sure a user is in exactly one22:02
Ryan_Lanehow to ensure a user doesn't get added in more than one?22:02
termieadam_g: but yeah, you'll have to include it in that script if it is an extension22:02
ayoungRyan_Lane, brute force22:02
Ryan_Laneheh22:02
anotherjessezul: there are reviews out if you want to read them https://review.openstack.org/#change,4334 and https://review.openstack.org/#change,430422:02
*** joesavak has quit IRC22:03
ayoungseriously, though,  Keystone can assume responsiblity for setting this.  If someone does an end run around keystone,  the answer is non-determinisitc22:03
* Ryan_Lane nods22:03
*** eglynn__ has quit IRC22:03
Ryan_Lanewhat if none is set at all?22:03
ayoungRyan_Lane, I expect that to be quite common.22:04
ayoungProbably an error condition.22:04
*** gabrielhurley has joined #openstack-dev22:04
ayoungRyan_Lane, an authenticate call made without an explicit tenant for a user that has no default tenant set will return HTTP 40322:05
Ryan_Laneah ok22:05
Ryan_Lanethat sounds reasonable22:05
ayoungRyan_Lane, one possibility is22:05
ayoungwe use the member field of the Tenant to specify the users that have it as default22:06
ayoungand then we use a role for users to specify access22:06
*** deshantm has quit IRC22:06
Ryan_Lanecould we use a role as default?22:06
ayoungso if we need a default role,  we make organizationalRole cn=default.22:06
ayoungRyan_Lane, precisely22:06
Ryan_Lanesince roles sit under tenants, it could work to just add a defaulttenant role22:07
*** andrewsmedina has quit IRC22:07
ayoungI think it is the most elegant solution,  then membership is really just another role22:07
Ryan_Laneyeah22:08
ayoungRyan_Lane, when listing members of a tenant,  we would find all roles,  grap all of the attributes roleOccupant and then perform a unique-sort on the list22:08
*** cp16net has quit IRC22:09
Ryan_Lanehm. wait, you are saying tenant membership would be a role?22:10
Ryan_Laneor that default tenant membership would be a role?22:10
ayoungRyan_Lane, both22:11
ayoungRyan_Lane, one role would be for general membership22:11
Ryan_Laneso, the groupofnames tenant wouldn't have a list of members?22:11
ayoungRyan_Lane, seems a bit heavy handed, doesn't it?22:11
Ryan_Laneno22:11
ayoungAh...so one role for general membership22:12
Ryan_Laneit makes sense to have a tenant with a list of members, even if they have no roles22:12
ayoungOK...so we don't use the member attribute22:12
ayoungor we use it,  and then make a default Role22:12
Ryan_Lanewhy not?22:12
ayoungand membership is the roleOccupant values of that role22:12
Ryan_Lanelemme pastebin what I'm thinking22:13
*** troytoman-away is now known as troytoman22:13
YorikSarvishy: I wrote a little something on SnapshotIsBusy cnahge. I think, all other discussion should be held in some other change or thread. Can you approve it?22:15
*** zykes- has quit IRC22:15
Ryan_Laneayoung: http://pastebin.com/qJCBn07c22:15
vishyYorikSar: I will take a look soon22:15
vishyYorikSar: still catching up on email from my 4 day vacation :)22:15
Ryan_Laneayoung: there's advantages to keeping a list of members in the tenant22:16
openstackgerritVerification of a change to openstack/nova failed: Avoid copying file if dst is a directory.  https://review.openstack.org/436822:16
Ryan_Lanehere's one: http://pastebin.com/dMRT87gE22:16
Ryan_Laneayoung: ^^ now I can extend that tenant to also be a posix group, which can be used in instances that are connected to the same LDAP store22:17
ayoungRyan_Lane, OK,  that works for me22:17
ayoungI think that was what I was origianlly thinking22:17
Ryan_Lanewhich is amazingly useful for private clouds22:17
ayoungRyan_Lane, OK,  we are on the same sheet22:17
ayoungof music22:17
Ryan_Lanecool22:17
Ryan_Lanethat seems like a reasonable implementation22:18
jdgHas anybody tried attaching iSCSI volumes in a devstack setup lately?22:18
ayoungRyan_Lane, now,  for role,  I am using organizationalRole.  Any issue with that?22:18
Ryan_Lanenone that I can think of22:19
ayoungwe could, potentiall, use something differnet for default tenants22:19
ayoungIE another group of names22:19
Ryan_Lanetrue, but it makes searching harder22:19
*** ewindisch has quit IRC22:19
ayoungtermie, would you have any issue with us using a role to identify the default tenants for a user?22:20
YorikSarvishy: Looking forward to your comments. Unfortunately, time shift gives me not much time to interact here.22:20
anotherjessejdg: what is the issue you are seeing?22:20
*** zykes has joined #openstack-dev22:20
jdganotherjesse:  Not sure "exactly" yet, but the attach never happens, and I get an assert in nova-compute22:21
termieayoung: i haven't been apying attention to your convo but last i checked role was under tenant, so wouldn't you hvae to find the tenant first in order to find the role?22:21
*** nikhil__ has quit IRC22:21
termieayoung: i'm okay with a hack where you have a role that gets filtered out of the results though (like with an underscore or something)22:21
*** nikhil__ has joined #openstack-dev22:21
jdghttp://paste.openstack.org/show/4930/22:21
jdganotherjesse: there's still one issue in sudoers.d that I hadn't sorted yet as you see in the pastebin but that's no big deal.22:22
ayoungtermie, we pretty much have to do something like this to find all roles for a user now anyway22:22
Ryan_Lanetermie: you can do a recursive search22:23
jdgI'm not sure what's up with the iscsiadm --rescan command, and I can't get it to run outside either.22:23
Ryan_Lane(roleoccupant=<user>)22:23
ayoungRyan_Lane, so it would be something like22:23
termieayoung: well, one does not find all roles for a user, you find all teh roles within a tenant for a user22:23
anotherjessejdg: are you using a the solidfire driver?22:23
*** rackerjoe has quit IRC22:23
ayoung(&(roleoccupant=<user>)(cn=defaultRole))22:23
Ryan_Lane(&(roleoccupant=<user>)(cn=_default_tenant))22:23
Ryan_Laneindeed22:23
Ryan_Laneheh22:23
jdganotherjesse: yes22:23
*** zaitcev has joined #openstack-dev22:24
Ryan_Lanethen you can walk up the tree to find the tenant22:24
ayoungtermie, yes,  but we *can* query for all roles for a user22:24
ayoungRyan_Lane, no need22:24
ayoungthe tenenat will be in the DN22:24
* Ryan_Lane nods22:24
Ryan_Lanethat's what I meant22:24
jdganotherjesse: was trying to figure out if there was a way to use the generic iscsi driver, but I tested the driver with devstack when I submitted22:24
jdgSo I'm suspicious that maybe something changed in the manager code22:25
*** zykes has quit IRC22:25
*** zykes has joined #openstack-dev22:25
anotherjessejdg: perhaps - I just created an instance, a volume and attached them22:27
Ryan_Lanevishy: I'm starting to think I should just abandon these change, and defer this bug to folsom: https://review.openstack.org/#change,3524,patchset=122:27
Ryan_Lanethoughts?22:27
Ryan_Lanethe reason I think so, is because filtering support is missing for way more than just describeinstance22:27
jdganotherjesse: via iscsi or LVM?22:27
Ryan_Laneit's missing everywhere it is supported22:27
anotherjessejdg: iscsi22:27
jdganotherjesse:  Well there goes that theory  :)22:28
anotherjesseI'm double checking that22:28
*** mattray has joined #openstack-dev22:28
jdganotherjesse:  Local volumes work fine (w/ the exception of the sudo permissions)22:28
*** zykes- has joined #openstack-dev22:28
jdganotherjesse:  If you have iscsi your results will be great for me to hear, maybe something in the way I implemented the SF driver22:29
jdganotherjesse:  But I'm still hung up on the iscsiadm --rescan that I can't seem to make work on any system22:30
anotherjessejdg: d0h - it was on the same machine - creating another volume22:30
andrewbogottjdg:  By chance, does euca-describe-instances hang for you?22:30
jdgandrewbogott:  I can try it, typically I try to use just nova api if possible.22:31
andrewbogottIt hangs via Horizon as well.22:31
andrewbogottI switched to euca to reduce variables...22:31
anotherjessejdg: created another volume which is definitely on another machine22:31
jdgandrewbogott:  Nope, I'm good on horizon and via nova api22:31
andrewbogotthm, ok.  Thanks for checking.22:32
*** lts has quit IRC22:32
*** zykes has quit IRC22:32
*** dneary has quit IRC22:32
jdganotherjesse:  and it attached no problem?22:32
anotherjessejdg: successful attachment22:33
anotherjessejdg: sorry I didn't find the bug - perhaps vishy or sleepsonthefloo can help22:33
jdganotherjesse:  DOHHHHH... well that leaves my driver as a "special" case22:33
*** Remco_ has quit IRC22:34
jdganotherjesse:  No, that's great... you at least narrowed it down to my driver (most likely)22:34
jdganotherjesse: Thanks for taking the time!22:34
jdganotherjesse:  Whatever it is, it has to be in my export implementation which is only a few lines of code22:34
jdg:)22:35
*** ewindisch has joined #openstack-dev22:42
*** pixelbeat has joined #openstack-dev22:43
gyeeanotherjesse, you have a list of which extension will be ported over to KSL and by when?22:44
*** berendt has quit IRC22:44
*** ewindisch has quit IRC22:45
*** heckj has quit IRC22:46
openstackgerritVerification of a change to openstack/nova failed: Clarify use of Use of deprecated md5 library  https://review.openstack.org/434222:49
anotherjessegyee: dolph is working on exposing the actual extension api22:50
gyeeI also see some gaps in the middleware as well22:50
anotherjessegyee: then there is the cert based token validation - https://bugs.launchpad.net/keystone/+bug/928047 (which is HIGH meaning for E4)22:50
uvirtbot`Launchpad bug 928047 in keystone "port cert validation from keystone master to redux" [High,Confirmed]22:50
anotherjessegyee: is there a bug for that already (the middleware gap?)22:50
gyeefor example, the memcache functionality in E3 is no longer there in KSL22:51
gyeeauth_token.py used to support caching22:51
anotherjessegyee: filing a bug - the auth_token that was pulled over was from diablo22:53
anotherjessemaking it HIGH22:53
anotherjessegyee: https://bugs.launchpad.net/keystone/+bug/93825322:55
uvirtbot`Launchpad bug 938253 in keystone "need to update auth_token to most recent version" [High,Confirmed]22:55
*** ewindisch has joined #openstack-dev22:55
*** hazmat has joined #openstack-dev22:58
*** ayoung has quit IRC22:59
*** ewindisch has quit IRC22:59
*** apevec has quit IRC23:00
*** jog0_ has joined #openstack-dev23:00
*** apevec has joined #openstack-dev23:02
anotherjessegyee: still around?23:02
*** Gordonz has quit IRC23:03
*** jog0 has quit IRC23:03
*** jog0_ is now known as jog023:03
*** spinningcog has quit IRC23:05
*** spinningcog has joined #openstack-dev23:05
*** deshantm has joined #openstack-dev23:05
*** markmc has quit IRC23:07
gyeeanotherjesse, thanks, sorry I was in a meeting23:09
*** davlap has quit IRC23:12
*** davlap has joined #openstack-dev23:13
*** dtroyer has quit IRC23:13
*** nati2 has joined #openstack-dev23:14
*** davlap has quit IRC23:14
*** markvoelker has quit IRC23:15
openstackgerritVerification of a change to openstack/nova failed: blueprint host-aggregates: xenapi implementation  https://review.openstack.org/376123:15
anotherjessegyee: looking for the PDF/spec info for the SSL cert23:15
anotherjessevalidation23:16
anotherjessehttps://github.com/openstack/keystone/tree/milestone-proposed/keystone/content is where the legacy code is23:16
gyeenot sure if there's a pdf on it23:18
anotherjesseis there a wadl or ?23:18
gyeelemme check23:18
*** cp16net has joined #openstack-dev23:18
anotherjesseactually prefer a text description (can be blueprint or ...)23:18
*** zzed has quit IRC23:20
gyeeanotherjesse, it was under doc/source/ssl.rst23:21
gyeethere was a BP as well23:22
anotherjessegyee - thanks - updating the cert bug23:22
*** dneary has joined #openstack-dev23:23
*** dneary has quit IRC23:23
*** dneary has joined #openstack-dev23:23
anotherjessegyee: if you want to add yourself to https://bugs.launchpad.net/keystone/+bug/928047 (click this affects you?)23:24
uvirtbot`Launchpad bug 928047 in keystone "port cert validation from keystone master to redux" [High,Confirmed]23:24
*** kbringard has quit IRC23:24
anotherjessegyee: so the remaining extensions are:23:24
anotherjesses3/ec2 - which already exist in the port23:24
anotherjesseos-ksadm which exists23:25
mikalDoes Mark McLoughlin hang out on irc? What's his nick?23:25
anotherjessemikal: markmc23:26
anotherjesseI thnk23:26
anotherjesseos-kscatalog - doesn't exist - and we propose delaying to folsom23:26
gyeeI am also interested in hp-idm-serviceid extension since it address a security vulnerability23:26
andrewbogottok... when I click on Project->Access and Security, I get a hang.  The last thing that nova-api says is 'Connected to AMQP server on localhost'23:27
andrewbogottcan anyone suggest what it might be waiting for?  I don't see anything interesting in any of my logs.23:27
andrewbogott(My next step will be to add debug lines to the horizon code :( )23:27
anotherjesseaccess & security lists secgroups, keypairs & floating ips23:28
anotherjessegyee: see private chat ping23:28
*** cp16net has quit IRC23:28
anotherjesseandrewbogott: what happens when you hit each of those list commands individually from nova cli?23:28
* andrewbogott digs in the code to see what gets listed23:29
openstackgerritVerification of a change to openstack/nova failed: Alter output format of volume types resources  https://review.openstack.org/436123:30
sleepsontheflooandrewbogott - what does n-net say?23:30
anotherjesseandrewbogott: nova floating-ip-list; nova secgroup-list; nova keypair-list23:30
andrewbogottIt is floating-ip-list that is hanging.23:31
andrewbogottLooks like a lock file issue... "Attempting to grab file lock "iptables" for method "apply"... from (pid=6137) inner /opt/stack/nova/nova/utils.py:832"23:31
andrewbogottsleepsonthefloo:  So maybe there's just a file I need to rm?23:32
andrewbogottactually, it looks like n-net has been stuck since startup23:32
sleepsontheflooandrewbogott - possibly.  I'd say that an old iptables lock and misconfigured sudo are two common issues of n-net hangs23:32
spinningcogI'm trying to issue 'keystone tenant-create --name=admin' like what is specified in the devstack keystone_data.sh script. However I get the error message:  You must provide a username via either --username or env[OS_USERNAME]23:33
anotherjessespinningcog: are you using devstack?23:33
andrewbogottsleepsonthefloo:  How do I purge an old iptables lock?23:33
spinningcoganotherjesse: no, I'm just trying to set up some user on a standalone keystone23:33
Vekso are jeblair / mtaylor looking into the unit tests hosage?23:34
spinningcoganotherjesse: Since the documentation is a bit sparese, I was using the keystone_data.sh script as a source for learning how to use it23:34
sleepsontheflooandrewbogott: I believe the old lock will be in /opt/stack/nova do you see anything there *.lock?23:34
spinningcoganotherjesse: I don't see how I can add any users into keystone since it relies on having an admin token to use the 'keystone' command, and I'm not sure how to load one23:35
anotherjessespinningcog: so the way devstack works is that it uses an admin token to then run those commands, https://github.com/cloudbuilders/devstack/blob/master/stack.sh#L132323:35
andrewbogottsleepsonthefloo:  Yep!  And it's 23 hours old, which seems suspicious.23:35
anotherjesseit sets some env variables that keystone cli uses then23:35
andrewbogottI will kill it and restart devstack...23:35
andrewbogott...or... maybe I don't need to restart anything23:36
andrewbogottanotherjesse, sleepsonthefloo:  Hey, now it's working!  Thank you!23:36
anotherjesseandrewbogott: it is a bug that horizon times out23:37
andrewbogottvs. reporting an error you mean?23:37
anotherjesseif something like: start devstack, kill nova-network, then horizon has a bad experience (no error/timeout)23:37
sleepsontheflooanotherjesse - there is also a bug that nova never times out rpc.calls23:37
andrewbogotttoday I was trying to create a keypair, so having the ip lookup fail (rather than hang) would've been /way/ better.  As it is I couldn't access the key gui due to an unrelated lockup.23:38
* anotherjesse isn't sure I like the way those GUIs are combines (access&security vs 3 different panels) - but I've not thought enough to argue either way23:40
*** tomoe_ has joined #openstack-dev23:40
andrewbogottHm... getting around that bug allowed me to create an instance which caused my entire node to crash.  Big Points!23:41
bcwaldonjeblair: can you look at why the unittest job failed for this review https://review.openstack.org/#change,436123:43
*** hashar has quit IRC23:43
*** jog0 has quit IRC23:43
*** jog0 has joined #openstack-dev23:43
*** rkukura has joined #openstack-dev23:44
jeblairbcwaldon: looking23:45
*** rods has quit IRC23:45
sleepsontheflooandrewbogott - the default rpc timeout is 3600 seconds.  I'll propose dropping that to something that you would have noticed.23:46
andrewbogottLike maybe 1 :)23:47
* andrewbogott has a short attention span23:47
*** mattray has quit IRC23:48
*** mikeyp has joined #openstack-dev23:48
openstackgerritVerification of a change to openstack/nova failed: Clarify use of Use of deprecated md5 library  https://review.openstack.org/434223:52
*** jdg has quit IRC23:54
*** jdg has joined #openstack-dev23:54
sleepsontheflooandrewbogott: https://review.openstack.org/#change,4376 I suggested 1023:55
jeblairbcwaldon: this commit broke it: https://github.com/openstack/nova/commit/13ebb49925c4081b01e1a11f3c3f02eac527d27823:56
andrewbogottThat's more realistic.23:56
*** stuntmachine has joined #openstack-dev23:57
bcwaldonyay23:57
jeblairbcwaldon: that patch removed "nose" from pip-requires23:57
jeblairand added it to test-requires23:57
jeblairbut the current nova-venv build job doesn't know anything about test-requires23:57
jeblairhrm, maybe it does...23:58
jeblairit's in nova's build_venv script23:59
« Monday, 2012-02-20 Index Wednesday, 2012-02-22 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!