Tuesday, 2012-04-17

[02:04] <creiht> zykes-: yes, lunr :)
[04:52] <hugokuo> morning
[04:56] <hugokuo> What's the difference between "execute run_tests.sh" with nosetests under /keystone/keystone " ?
[04:58] <openstackgerrit> Verification of a change to openstack/glance failed: fix bug lp:980892,update glance doc. https://review.openstack.org/6572
[05:05] <openstackgerrit> Verification of a change to openstack/glance failed: fix bug lp:980892,update glance doc. https://review.openstack.org/6572
[06:02] <openstackgerrit> Verification of a change to openstack/glance failed: fix bug lp:980892,update glance doc. https://review.openstack.org/6572
[15:16] <maploin> can I send a patch to Gerrit to a different branch than master? i.e. stable/essex?
[15:17] <maploin> oh, got it. Nevermind.
[15:18] <Kiall> maploin, if the patch has not been accepted + merged to master beforehand, it won't be accepted
[15:18] <Kiall> all commits to stable/* must be cherry-picks from master (with a few exceptions..)
[15:31] <maploin> Kiall: yeah, I needed to do it this way because it wouldn't apply cleanly to master. But I submitted an equivalent fix to master.
[15:33] <Kiall> maploin, I *think* the policy is still cherry-pick once it's approved to master+fixup..
[15:33] <Kiall> one of the reasons being, the change-id should be the same - so a fix can be identified as included in both master+stable/bla etc
[15:35] <maploin> Kiall: hm... but the same fix can't be applied to both master and stable since the two branches have diverged. Are you saying that commits must be made to first sync the two branches and then apply the same patch? (that doesn't make sense)
[15:36] <Kiall> maploin, not quite.. The fix must be approved for master first, once that happens, the fix can be backported to stable/* (cherry pick+make whatever changes are necessary to backport)
[15:37] <Kiall> But.. There are always exceptions ;) Sometimes that just doesn't work!
[15:57] <rohit404> #osds-seacliff-d
[16:06] <rohit404> test
[17:10] <Kiall> vishy, ping
[17:10] <vishy> Kiall: sup?
[17:10] <Kiall> re https://bugs.launchpad.net/nova/+bug/966529
[17:10] <uvirtbot> Launchpad bug 966529 in nova "floating ip does not move with live migration with multi_host" [Medium,Triaged]
[17:11] <Kiall> you note that the DHCP is moved during a migration? Did that make it in?
[17:11] <Kiall> I didn't notice that working during my tests
[17:12] <Kiall> Also .. I've just implemented the ability for all nova-network instances to share a single fixed ip, so the instances gateway etc doesn't need to change..
[17:12] <vishy> Kiall: yes it made it in
[17:12] <Kiall> (eg no need to lose connectivity when the instance migrates, before DHCP is re-run)
[17:13] <vishy> Kiall: interesting, we have a client that does that, you need ebtables rules to block?
[17:13] <Kiall> Yea, exactly
[17:13] <Kiall> Turned out to be a pretty small patch once I corrected my typos ;)
[17:14] <vishy> Kiall: you can give out the gateway of the switch as well
[17:14] <vishy> Kiall: the fix for changing the host is basically a one liner
[17:14] <vishy> (host ip)
[17:14] <vishy> but the ebtables rules they are managing separately
[17:15] <WormMan> yay! puppet!
[17:15] <WormMan> (we're up to 20 VLANs now...)
[17:15] <Kiall> one liner? Did I miss something built in to have all nova-networks use the same IP?
[17:16] <Kiall> I basically ended up with this.. https://gist.github.com/2407592
[17:19] <WormMan> Kiall: not sure what version you're on, but there have been some naming of hosts for assigned IPs fixed in Essex, but I'm not sure if that helps you with migration, other than adding another step to update host in the floating table when you migrate
[17:20] <WormMan> (it fixes the glitch when a shared nova-network gets restarted so it sees the floating ips it's supposed to manage still)
[17:21] <WormMan> (and maybe the fixed table, I don't remember the exact diffs)
[17:21] <Kiall> WormMan, not sure I understand?
[17:22] <Kiall> This suggests the fixed_ip should move just fine, and that floating needs a workaround for the moment.. https://bugs.launchpad.net/nova/+bug/966529
[17:22] <uvirtbot> Launchpad bug 966529 in nova "floating ip does not move with live migration with multi_host" [Medium,Triaged]
[17:23] <WormMan> Kiall: with the old multi-host stuff it doesn't track the hostname of nova-network that manages the IP, if nova-network gets restarted (reboot) it doesn't pick up those floating IPs again and you have to re-assign them
[17:23] <openstackgerrit> Verification of a change to openstack/horizon failed: html escape the console log in refresh https://review.openstack.org/6618
[17:24] <WormMan> probably not a problem for you... yet :)
[17:24] <Kiall> yet ;)
[17:24] <vishy> Kiall: why not http://paste.openstack.org/show/12920/
[17:24] <Kiall> Will be upgrading to essex once I get multi_host+migration going..
[17:25] <vishy> Kiall: multi_host + migration moving the dhcp doesn't work until essex
[17:25] <WormMan> mmm, break time
[17:25] <Kiall> Yea, I've got essex on a few servers to test against..
[17:26] <Kiall> vishy, your suggestion means the gateway IP needs to be "hard coded" when creating the network.. right?
[17:27] <Kiall> vs mine has one chosen for you when that network is first brought up..
[17:27] <Kiall> Not sure which I (personally) prefer ;)
[17:28] <Kiall> Defining it in advance probably does make sense, and would prevent "shared" entries in the DB
[17:35] <vishy> Kiall: advance is better
[17:35] <vishy> we already reserve the .1 ip
[17:35] <vishy> might as well use it
[17:36] <Kiall> true
[17:38] <Kiall> If this works, then it's just the floating IPs to get moved ;) Fingers crossed!
[17:59] <openstackgerrit> Verification of a change to openstack/horizon failed: html escape the console log in refresh https://review.openstack.org/6618
[18:37] <mathrock> ping?
[18:37] <mathrock> Any one interested in the PKI auth for keystone stuff
[18:38] <russellb> I know ayoung is
[18:39] <ayoung> yep
[18:39] <ayoung> where is it happening?
[18:39] <ayoung> mathrock, where?
[18:39] <mathrock> I'm in a hallway in the Hyatt
[18:39] <mathrock> you're remote, correct?
[18:39] <mathrock> How do you want to work this?
[18:39] <ayoung> mathrock, I'm in Westfrod, MA
[18:40] <ayoung> westford
[18:40] <mathrock> ok
[18:40] <ayoung> telepathy?
[18:40] <mathrock> so the etherpad is: http://etherpad.openstack.org/FolsomPKISupport
[18:40] <justinsb> PKI FTW
[18:41] <ayoung> so my opinion is that we should work towards reuse as opposed to inventing something new
[18:41] <mathrock> sure
[18:41] <ayoung> hence: mod_wsgi and apache, mod_nss for SSL and cert support and so on
[18:41] <ayoung> that sets REMOTE_USER and we can use that
[18:42] <mathrock> that would be the easiest route from my point of view
[18:42] <mathrock> since I have experience with that
[18:42] <ayoung> the real issue is the issuing of certificates
[18:42] <mathrock> I don't know how the keystone folks feel about fronting it with HTTPD
[18:42] <ayoung> The "reuse" path would be Dogtag...but that is Java. Which is I think the real blocker
[18:42] <ayoung> not fronting
[18:42] <ayoung> replacing
[18:43] <ayoung> with httpd, there is no need for eventlet
[18:43] <ayoung> plus, eventlet seems to be introducing issues....
[18:44] <ayoung> Since I am on a rampage, I also want to get away from using ports other than 443...call me a dreamer
[18:44] <ayoung> but I'm not the only one
[18:44] <cloudfly> there should be a security standard for this
[18:44] <cloudfly> TLS vs SSL vs whatever
[18:44] <ayoung> cloudfly +5
[18:45] <cloudfly> what algorithms are supported
[18:45] <cloudfly> what ports
[18:45] <mathrock> i agree with 443 and ssl/tls
[18:45] <cloudfly> etc etc
[18:45] <cloudfly> i mean every api should support the same minimum set
[18:45] <ayoung> the other issue with going off of 443 is that we have SELinux conflicts
[18:45] <ayoung> other services own those ports.
[18:45] <mathrock> ayoung: basically my need is client cert auth to keystone instead of username/password
[18:45] <cloudfly> 443 no joke
[18:46] <cloudfly> mathrock can't you just store the token?
[18:46] <mathrock> initially I don't want keystone to worry about certificate issuance and management
[18:46] <ayoung> mathrock, so I think that the right solution for that is a different middleware
[18:46] <cloudfly> i have a similar requirement for something i am working on
[18:46] <justinsb> Maybe we punt on the cert issuance for now, and leave it up to the implementer
[18:46] <mathrock> cert issuance could be a separate service entirely
[18:46] <cloudfly> mathrock that would be nice
[18:47] <ayoung> justinsb, I think that is the first step...we need to lay out the whole road map, but provide an attainable path forward
[18:47] <cloudfly> also could open a path for two factor
[18:47] <cloudfly> signed certs and all
[18:47] <cloudfly> i feel like in general a lot of this should involve some sort of security governance
[18:47] <cloudfly> and that's not happening
[18:47] <cloudfly> and it's going to bite us in the ass if someone without policy experience isn't involved.
[18:48] <ayoung> So ... looking at the LDAP Identity provider, we would have to modify the authenticate call to drop the password check
[18:48] <mathrock> basically, my organization already has a formal certificate issuance and management process
[18:48] <mathrock> all users have x509 certs
[18:48] <cloudfly> i mean the api server has a token checking method
[18:48] <mathrock> and we use them all over the place to signed/encrypted email, authentication to web apps, etc
[18:48] <cloudfly> so i assume it would just be a similar method
[18:48] <ayoung> mathrock, so do you really even need keystone?
[18:48] <cloudfly> actually
[18:49] <mathrock> yes
[18:49] <cloudfly> why not make certificates a plugin to keystone?
[18:49] <ayoung> I would think that for X509 orgs, they would rather go X509 to Dashboard/Glance/Nova
[18:49] <cloudfly> like any other auth mech?
[18:49] <mathrock> not everyone who has a cert will need to use openstack
[18:49] <mathrock> and we don't need to reimplement authN/authZ
[18:49] <ayoung> mathrock, so that becomes authorization, not authentication
[18:49] <mathrock> it's just a different auth method
[18:49] <ayoung> which right now is done by querying Keystone
[18:49] <ayoung> but could be a direct LDAP call
[18:49] <ayoung> mathrock, let's distinguish authz and authn
[18:49] <mathrock> ayoung: we've already hacked in support to horizon for PKI auth
[18:49] <cloudfly> i think you should avoid direct ldap queries
[18:50] <ayoung> cloudfly, why?
[18:50] <cloudfly> portability
[18:50] <mathrock> the trick is that keystone only supports auth via user/pass or unscoped token->scoped token
[18:50] <ayoung> cloudfly, why do two network hops ?
[18:50] <ayoung> glance->keystone->ldap...
[18:50] <cloudfly> portability
[18:50] <ayoung> cloudfly, I'd argue that LDAP is more portable than Keystone....
[18:50] <ayoung> But anyway
[18:50] <cloudfly> right now it is =D
[18:51] <ayoung> I would say that Keystone and LDAP are two different middleware pieces and we should support both
[18:51] <justinsb> Is it enough just to add client cert verification to keystone, use that to replace password auth, as a first step?
[18:52] <ayoung> justinsb, yes.
[18:52] <ayoung> although we have to modify the ID providers too
[18:52] <ayoung> so that they can work either way
[18:52] <justinsb> ID providers?
[18:52] <ayoung> justinsb, I'll provide a link 1 sec
[18:52] <ayoung> https://github.com/openstack/keystone/tree/master/keystone/identity/backends
[18:53] <ayoung> https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py line 138
[18:53] <ayoung> actually, line 147 is the passwrod check
[18:53] <ayoung> password
[18:53] <ayoung> for LDAP it is a different file, but the logic is similar
[18:54] <ayoung> https://github.com/openstack/keystone/blob/master/keystone/identity/backends/ldap/core.py
[18:54] <justinsb> Ah - got it! Putting the password as the only authn method probably doesn't belong there!
[18:54] <ayoung> it actually does a simple_bind to test the password
[18:55] <ayoung> justinsb, well, by the time you get this far, you should already be authenticated
[18:55] <ayoung> if the Web server does Client auth...at least the REMOTE_USER should be set already, and then we should be looking at ROLES
[18:56] <justinsb> I think we're in agreement here. I think we need to abstract / replace the password verification
[18:56] <justinsb> LDAP bind is one technique; utils.check_password is another
[18:56] <ayoung> So split authenticate into two calls. authenticate as is does the password check. For X509 that gets skipped. Then second is to do the metadata lookup
[18:56] <justinsb> Right - agreed!
[18:56] <ayoung> justinsb, I think you are close
[18:57] <ayoung> if we specify basic auth or the current API, then password goes through an Identity Provider specific method
[18:57] <ayoung> if we instead do client certs, it gets evaluated by a different middleware piece, perhaps the web server
[18:58] <justinsb> So client cert would just check with that middleware?
[18:59] <ayoung> BTW, if anyone wants to test out, I have HTTPD set up this way: http://adam.younglogic.com/2012/03/ssl-nss-easy/ http://adam.younglogic.com/2012/03/client-certs-nss/ http://adam.younglogic.com/2012/04/keystone-httpd/
[18:59] <ayoung> one change from that last one is that we should probably first do it as a different virtual host, one that listens on ports 5000 and the admin port
[19:00] <ayoung> justinsb, yeah, client cert would be an alternative middleware
[19:01] <ayoung> OK. so now that we have the solution lets talk about the problems
[19:01] <ayoung> 1. Once a user specifies an X509 cert, they are never prompted again for some interaction. This lends itself to XSRF attacks among other things
[19:01] <ayoung> thus, 2 factor is probably essential
[19:03] <ayoung> all the other drawbacks of Keystone are still there: it drives more network traffic than the rest of openstack combined, as every service needs to phone home to Keystone to confirm tokens
[19:04] <ayoung> the Tokens show up in the URL names, and thus will show up in logs etc.
[19:07] <ogelbukh> i thought keystone api 2.0 puts token in headers
[19:08] <justinsb> ayoung: On the XSRF front, the attack would be that I put it into an iframe & then grab the contents?
[19:11] <mathrock> ayoung: did you want to get rid of tokens entirely?
[19:11] <ayoung> mathrock, I thought that was apparent!
[19:11] <ayoung> I want to replace tokens with an X509 based system
[19:12] <ayoung> The X509 can have the roles embedded in them, so remote systems do not need to go back to Keystone to confirm
[19:12] <ayoung> It will cut network chatter down immensely
[19:13] <ayoung> the X509's can be issued by Keystone, or by something else
justinsbI think we should assume that many users will have existing PKI systems, and it would be hard to add roles into them19:14
justinsbAnd also then you'd have to reissue a cert to add a user to a role19:14
ayoungjustinsb, OK,  so the rule is "Authentication is centralized, authorization is local"19:14
ayoungcerts can be short lived19:15
mathrockayoung, the problem with roles baked in certs makes it difficult to remove/modify roles19:15
mathrockcerts are just for identity19:15
ayoungmathrock, that is why certs should be short lived19:15
mathrocknot authorization19:15
ayoungmathrock, "just because it has always been done that way doesn't mean it is right."19:15
ayoungin this case,  we can provide an additional cert19:15
ayoungshort lived19:15
ayoungthe user uses their corporate assigned cert (long term)19:16
ayoungto get a short lived cert19:16
ayoungshort lived cert is issued by a subordinate CA19:16
ayoungDashboard et alles only accept certs from the subordinate CA19:16
ayoungthen,  when the user hits it from their browser,  if the cert is invalid,  they are redirected to the auth page.19:17
*** dhellmann has quit IRC19:17
ayoungthey can enter in a second factor if required19:17
ayoungand they get issued another short lived cert19:17
*** littleidea has quit IRC19:17
justinsbBut step #1 could still be just "validate cert" for Keystone?19:17
ayoungso, yes,  if I remove a role today,  you will have to wait until the end of the day for the user to not have access to it...the alternative is OCSP or CRLs19:18
ayoungjustinsb, as I said, yes19:18
ayoungnecessary but not sufficient19:18
ayoungand,  might I add, pretty trivial19:18
justinsbCool!19:18
justinsbI think fixing the Keystone traffic issue might be separate ?19:18
*** kindaopsdevy has quit IRC19:19
*** kindaopsdevy_ has joined #openstack-dev19:19
ayoungjustinsb, builds on top of...19:19
justinsbBut maybe that issue isn't specific to certs?19:20
justinsbe.g. We could use a system like Zookeeper as a cache, which notifies subscribers on changes19:20
*** lloydde has quit IRC19:20
ayoungjustinsb, but the only good solution is to use certs.  Otherwise, we have to query a central auth server.  OK. we could use Kerberos.19:20
ayoungnope,  tokens are too short lived,  everything is a cache miss19:20
ayoungtoo many changes...too many notifications19:21
ayoungso zookeeper is really a poor replacement for a CRL mechanism....19:21
*** kindaopsdevy_ has quit IRC19:21
mathrockOK, since it seems like we've agreed to minimally support client cert auth, let's work towards that.19:22
mathrockBasically re-implement the 2-way ssl thing19:22
ayoungOK,  so X509 to Keystone is useless if the rest of the system is insecure19:22
ayoungso yes,  first step is an X50919:22
*** adjohn has quit IRC19:22
ayoungbut let's not stop there, or this is a finger drill19:22
*** Ryan_Lane has quit IRC19:22
*** berendt1 has joined #openstack-dev19:23
*** dneary has quit IRC19:23
*** lts has quit IRC19:24
*** Mandell has quit IRC19:25
*** berendt1 has quit IRC19:25
*** torgomatic_ has joined #openstack-dev19:25
*** dtroyer is now known as dtroyer_zzz19:25
*** dachary has joined #openstack-dev19:26
mathrocki agree that we'll need to go beyond just cert auth19:26
*** blamar has quit IRC19:26
mathrockbut at least we can start working that first step19:26
mathrockok, we're off19:26
mathrockthanks for the discussion19:26
justinsbCool!  Sounds like a plan!19:26
mathrocka bit tricky over irc, but I think we got some consensus19:27
*** alpha_ori has quit IRC19:27
zaitcevGoddamit Justin where is your Etherpad19:27
zaitcevEven Caitlin created one (although its content was largely unrelated to the discussion)19:27
*** torgomatic has quit IRC19:27
*** maplebed has quit IRC19:27
zaitcevgtg lunch19:27
*** zaitcev has quit IRC19:28
*** eglynn_ has quit IRC19:30
*** mathrock has quit IRC19:31
*** z has joined #openstack-dev19:32
zIs it normal to have anything other than OpenStack LLC as a Copyright entry in a file?19:33
zhttps://github.com/openstack/nova/commit/1b207d44340f88d560b469d0a30f99839a63dc61#nova/api/openstack/compute/contrib/security_groups.py19:33
zI would have thought that Justin being in there is redundant given the CLA which he must have signed to contribute?19:33
*** mestery has joined #openstack-dev19:40
*** mestery has quit IRC19:41
Kiallz, personally, I don't like it.. But it seems it's okay19:41
KiallGive it 5 years, and the copyright headers are going to be a joke ;)19:41
*** mestery has joined #openstack-dev19:41
zI suspect more like 12 months... :)19:42
*** ncode has joined #openstack-dev19:44
*** ncode has joined #openstack-dev19:44
*** hashar has quit IRC19:49
*** dtroyer_zzz is now known as dtroyer19:56
*** Mandell has joined #openstack-dev20:00
*** adjohn has joined #openstack-dev20:00
*** bepernoot has quit IRC20:00
openstackgerritVerification of a change to openstack/horizon failed: Add distribute to test-requires.  https://review.openstack.org/662620:00
*** novas0x2a|laptop has joined #openstack-dev20:01
*** j05h has joined #openstack-dev20:07
*** maplebed has joined #openstack-dev20:11
*** Mandell has quit IRC20:13
*** maplebed has quit IRC20:16
*** maplebed has joined #openstack-dev20:22
*** maplebed has quit IRC20:24
*** j05h has quit IRC20:26
*** Mandell has joined #openstack-dev20:27
*** mathrock has joined #openstack-dev20:28
justinsbzaitcev: Ooops, sorry.  Was there a particular session you were looking for?20:28
*** dhellmann has joined #openstack-dev20:30
*** uvirtbot has quit IRC20:31
*** maplebed has joined #openstack-dev20:31
*** termie has quit IRC20:34
*** jdg has joined #openstack-dev20:35
*** eglynn_ has joined #openstack-dev20:36
*** termie has joined #openstack-dev20:37
*** alpha_ori has joined #openstack-dev20:38
*** maplebed has quit IRC20:38
*** GheRivero_ has quit IRC20:40
*** dtroyer is now known as dtroyer_zzz20:40
*** dhellmann has quit IRC20:43
*** dtroyer_zzz is now known as dtroyer20:45
*** dachary1 has joined #openstack-dev20:45
*** dachary has quit IRC20:45
*** lloydde has joined #openstack-dev20:47
*** eglynn_ has quit IRC20:50
*** adalbas has quit IRC20:50
*** cdub has joined #openstack-dev20:50
*** eglynn_ has joined #openstack-dev20:52
*** andrewsmedina has left #openstack-dev20:53
*** adjohn has quit IRC20:53
*** dhellmann has joined #openstack-dev20:54
*** blamar has joined #openstack-dev20:55
*** Mandell has quit IRC20:55
*** zaitcev has joined #openstack-dev20:55
*** blamar has quit IRC20:55
*** blamar has joined #openstack-dev20:56
*** alpha_ori has quit IRC20:56
*** dhellmann has quit IRC20:56
*** alpha_ori has joined #openstack-dev20:57
*** littleidea has joined #openstack-dev20:57
*** jdg has quit IRC20:58
*** alaski has quit IRC20:58
*** dhellmann has joined #openstack-dev21:00
*** mathrock has quit IRC21:00
* zaitcev pokes justinsb 21:00
*** mathrock has joined #openstack-dev21:01
*** dachary1 has quit IRC21:01
*** Ryan_Lane has joined #openstack-dev21:01
*** kindaopsdevy_ has joined #openstack-dev21:02
*** adalbas has joined #openstack-dev21:02
*** dtroyer is now known as dtroyer_zzz21:02
*** mnewby has joined #openstack-dev21:03
*** Mandell has joined #openstack-dev21:03
*** adjohn has joined #openstack-dev21:03
*** dtroyer_zzz is now known as dtroyer21:03
*** novas0x2a|laptop has quit IRC21:03
*** koolhead17 has joined #openstack-dev21:05
*** mdomsch has quit IRC21:06
*** jdg has joined #openstack-dev21:06
*** rkukura has joined #openstack-dev21:07
*** berendt has quit IRC21:08
*** mnewby has quit IRC21:08
*** markmcclain has joined #openstack-dev21:08
*** dhellmann has quit IRC21:10
*** dhellmann has joined #openstack-dev21:13
*** littleidea has quit IRC21:13
*** dhellmann has quit IRC21:14
*** adjohn has quit IRC21:14
*** novas0x2a|laptop has joined #openstack-dev21:15
*** littleidea has joined #openstack-dev21:15
*** dachary has joined #openstack-dev21:17
*** maplebed has joined #openstack-dev21:17
*** maplebed has joined #openstack-dev21:18
*** kbringard has joined #openstack-dev21:20
*** kbringard has quit IRC21:22
*** troytoman-away is now known as troytoman21:26
*** mathrock has quit IRC21:27
*** Ryan_Lane has quit IRC21:28
*** Gordonz__ has quit IRC21:30
*** Ryan_Lane has joined #openstack-dev21:32
*** dhellmann has joined #openstack-dev21:32
*** crobinso has quit IRC21:32
*** kindaopsdevy_ has quit IRC21:34
*** markmcclain has quit IRC21:35
*** rkukura has quit IRC21:36
*** cdub has quit IRC21:37
*** adjohn has joined #openstack-dev21:41
*** adjohn has quit IRC21:43
*** novas0x2a|lapto1 has joined #openstack-dev21:46
*** dhellmann has quit IRC21:46
*** novas0x2a|laptop has quit IRC21:47
*** dachary has quit IRC21:48
mikalIs there existing code somewhere in nova to handle simple test config files?21:49
mikalFor example, I want to stash a couple of values in a text file for later access21:49
mikalBut it would be nice to reuse someone's implementation if there is one21:49
*** adjohn has joined #openstack-dev21:50
*** blamar has quit IRC21:54
*** Ryan_Lane has quit IRC21:57
*** adjohn has quit IRC21:57
*** dachary has joined #openstack-dev21:58
*** dachary has quit IRC21:58
*** dachary has joined #openstack-dev21:58
*** dtroyer is now known as dtroyer_zzz22:00
*** ayoung has quit IRC22:01
*** dachary has joined #openstack-dev22:02
*** armaan1 has joined #openstack-dev22:03
*** troytoman is now known as troytoman-away22:03
*** dtroyer_zzz is now known as dtroyer22:03
*** dachary has quit IRC22:03
*** dachary has joined #openstack-dev22:03
*** dtroyer is now known as dtroyer_zzz22:04
*** maplebed has quit IRC22:04
*** eglynn_ has quit IRC22:04
*** armaan1 has left #openstack-dev22:04
*** eglynn_ has joined #openstack-dev22:11
*** adalbas has quit IRC22:12
*** troytoman-away is now known as troytoman22:14
*** dtroyer_zzz is now known as dtroyer22:15
*** bsza has joined #openstack-dev22:15
*** novas0x2a|lapto1 has quit IRC22:15
*** kindaopsdevy has joined #openstack-dev22:18
*** kindaopsdevy has left #openstack-dev22:18
*** adjohn has joined #openstack-dev22:21
*** issackelly has quit IRC22:21
*** Mandell has quit IRC22:24
*** dtroyer is now known as dtroyer_zzz22:25
*** LinuxJedi has joined #openstack-dev22:28
*** Ryan_Lane has joined #openstack-dev22:29
*** adjohn has quit IRC22:30
*** oneiroi is now known as Oneiroi^gone22:31
*** Mandell has joined #openstack-dev22:32
*** maplebed has joined #openstack-dev22:35
*** dtroyer_zzz is now known as dtroyer22:35
*** Mandell has quit IRC22:37
*** ctracey_ has joined #openstack-dev22:37
*** blamar has joined #openstack-dev22:38
*** adjohn has joined #openstack-dev22:39
*** dubsquared has joined #openstack-dev22:39
*** bsza has quit IRC22:40
*** dhellmann has joined #openstack-dev22:40
*** troytoman is now known as troytoman-away22:40
*** markmcclain has joined #openstack-dev22:41
*** bsza has joined #openstack-dev22:41
*** dhellmann has quit IRC22:45
*** dhellmann has joined #openstack-dev22:45
*** maplebed has quit IRC22:47
*** issackelly has joined #openstack-dev22:48
*** dubsquared has left #openstack-dev22:49
*** adjohn has quit IRC22:50
*** markmcclain has quit IRC22:50
*** issackelly has quit IRC22:51
*** LinuxJedi has quit IRC22:51
*** dhellmann has quit IRC22:52
*** Adri2000 has quit IRC22:52
*** dhellmann has joined #openstack-dev22:52
*** LinuxJedi has joined #openstack-dev22:54
*** dhellmann has quit IRC22:55
*** tryggvil_ has quit IRC22:58
*** Ryan_Lane has quit IRC22:58
*** mestery has quit IRC22:58
*** LinuxJedi has quit IRC22:58
*** lloydde has quit IRC22:59
*** eglynn_ has quit IRC23:00
*** dtroyer is now known as dtroyer_zzz23:00
*** issackelly has joined #openstack-dev23:00
*** jdg has quit IRC23:01
*** kindaopsdevy has joined #openstack-dev23:03
*** kindaopsdevy has left #openstack-dev23:04
*** dtroyer_zzz is now known as dtroyer23:04
*** zaitcev has quit IRC23:06
*** Ryan_Lane has joined #openstack-dev23:07
*** littleidea has quit IRC23:07
*** bsza has quit IRC23:12
*** ctracey_ has quit IRC23:13
*** issackelly has quit IRC23:14
*** LinuxJedi has joined #openstack-dev23:20
*** eglynn_ has joined #openstack-dev23:21
*** mathrock has joined #openstack-dev23:27
*** eglynn_ has quit IRC23:27
*** Adri2000 has joined #openstack-dev23:30
zykes-pixelbeat: can you get newer swift packages ?23:30
*** cp16net has quit IRC23:30
*** LinuxJedi has quit IRC23:30
*** cp16net has joined #openstack-dev23:31
*** eglynn_ has joined #openstack-dev23:31
*** markmcclain has joined #openstack-dev23:31
*** Mandell has joined #openstack-dev23:32
*** uvirtbot has joined #openstack-dev23:33
*** LinuxJedi has joined #openstack-dev23:34
*** LinuxJedi has quit IRC23:43
*** mathrock has quit IRC23:44
*** dachary has quit IRC23:46
*** LinuxJedi has joined #openstack-dev23:48
*** blamar has quit IRC23:53
*** blamar has joined #openstack-dev23:53
*** littleidea has joined #openstack-dev23:56
pixelbeatzykes-, what swift issue/version do you have/want exactly?23:57
*** cp16net has quit IRC23:58
*** cp16net has joined #openstack-dev23:59
pixelbeatzykes-, oh I assumed 1.4.8 was there rather than 1.4.623:59
*** dachary has joined #openstack-dev23:59
