Tuesday, 2017-01-31

*** EricGonczer_ has joined #openstack-dns		00:05
*** EricGonczer_ has quit IRC		00:27
*** haplo37 has quit IRC		00:32
*** haplo37 has joined #openstack-dns		00:33
*** EricGonczer_ has joined #openstack-dns		00:59
*** catintheroof has quit IRC		01:02
*** ducttape_ has joined #openstack-dns		01:22
*** mlavalle has quit IRC		01:35
*** catintheroof has joined #openstack-dns		01:37
*** catintheroof has quit IRC		01:37
*** catintheroof has joined #openstack-dns		01:37
*** ducttape_ has quit IRC		02:06
*** EricGonczer_ has quit IRC		02:10
*** ducttape_ has joined #openstack-dns		02:33
openstackgerrit	Tim Simmons proposed openstack/designate: Use exit code 1 for failed designate-manage pool commands https://review.openstack.org/426970	02:46
*** catintheroof has quit IRC		03:09
*** catintheroof has joined #openstack-dns		03:11
*** catintheroof has quit IRC		03:15
*** cliles has quit IRC		03:15
*** cliles has joined #openstack-dns		03:22
*** ducttape_ has quit IRC		03:23
*** EricGonczer_ has joined #openstack-dns		03:48
*** EricGonczer_ has quit IRC		03:55
*** ducttape_ has joined #openstack-dns		04:13
*** ducttape_ has quit IRC		04:33
*** cliles has quit IRC		04:46
*** ducttape_ has joined #openstack-dns		05:35
*** ducttape_ has quit IRC		05:41
*** richm has joined #openstack-dns		07:01
*** ducttape_ has joined #openstack-dns		07:06
*** ducttape_ has quit IRC		07:11
*** abalutoiu has quit IRC		07:47
*** abalutoiu has joined #openstack-dns		08:05
*** nkinder has joined #openstack-dns		08:18
*** richm has quit IRC		09:54
*** ducttape_ has joined #openstack-dns		10:07
*** ducttape_ has quit IRC		10:12
*** richm has joined #openstack-dns		10:38
*** nkinder has quit IRC		10:59
*** ducttape_ has joined #openstack-dns		11:38
*** ducttape_ has quit IRC		11:43
*** leitan has joined #openstack-dns		12:01
*** catintheroof has joined #openstack-dns		12:22
*** nkinder has joined #openstack-dns		12:30
*** EricGonczer_ has joined #openstack-dns		13:02
*** ducttape_ has joined #openstack-dns		13:06
*** EricGonczer_ has quit IRC		13:07
*** EricGonc_ has joined #openstack-dns		13:07
*** ducttape_ has quit IRC		13:28
*** nkinder has quit IRC		13:35
*** catinthe_ has joined #openstack-dns		13:36
*** catintheroof has quit IRC		13:40
*** brensen has joined #openstack-dns		13:43
brensen	anyone here played with the designate policy file? I'm trying to create a role which can only change a record, but so far it looks like the user still has rights to do more than just that	13:45
brensen	running mitaka still :(	13:45
brensen	I've tried to create this rule: "admin_or_owner_or_easyssl" : "rule:admin or rule:owner or rule:easyssl",	13:48
brensen	and apply to: "update_record" : "rule:admin_or_owner_or_easyssl",	13:48
*** EricGonc_ has quit IRC		13:48
*** EricGonczer_ has joined #openstack-dns		13:49
brensen	but the user with only the easyssl role in the project can still set ttl's on domains and create recordsets etc	13:49
*** EricGonczer_ has quit IRC		13:52
*** cleong has joined #openstack-dns		13:56
mugsie	brensen: we used to have a quite detailed policy file in HP Cloud	13:57
mugsie	can you link your file?	13:57
*** nkinder has joined #openstack-dns		13:58
brensen	https://thepasteb.in/p/GZhpcQwA3RR7qCX	14:00
brensen	we push this thing with puppet so the sorting is a bit weird :p	14:00
brensen	openstack role assignment list --user easyssl_user --project easyssl_project --names	14:04
brensen	+---------+--------------+-----------------+	14:04
brensen	\| Role \| User \| Project \|	14:04
brensen	+---------+--------------+-----------------+	14:04
brensen	\| easyssl \| easyssl_user \| easyssl_project \|	14:04
brensen	+---------+--------------+-----------------+	14:04
mugsie	ah, the user is in the project?	14:06
brensen	see above	14:07
mugsie	so they are getting allowed as they are an "owner"	14:07
mugsie	"zone_primary_or_admin" : "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"	14:07
mugsie	"admin_or_owner" : "rule:admin or rule:owner",	14:07
mugsie	"owner" : "tenant:%(tenant_id)s",	14:08
brensen	I was trying to figure out this owner role	14:08
brensen	so anyone with any role in the project is considered an owner?	14:08
mugsie	it checks the tenant_id of the user, and sees if it matched the tenant id of the zone	14:08
mugsie	by default, yeah	14:08
brensen	hmmm	14:08
mugsie	so, you should create a second role	14:08
mugsie	dns_writer or something	14:08
mugsie	and create a admin_or_writer rule	14:09
mugsie	and then replace the references to admin_or_owner with admin_or_writer	14:10
brensen	I think I get it, thanks... I was really confused about the "owner" thing because it was pointing to tenant_id	14:10
mugsie	yeah	14:10
mugsie	the policy engine is weird	14:11
brensen	thanks for your help!	14:11
mugsie	no problem	14:11
mugsie	timsim: https://review.openstack.org/#/c/408262/ frees up the newton gate	14:26
*** ducttape_ has joined #openstack-dns		14:27
*** mlavalle has joined #openstack-dns		14:29
*** ducttape_ has quit IRC		14:31
openstackgerrit	Graham Hayes proposed openstack/designate: RRTYPE list in API https://review.openstack.org/337744	14:54
*** tdink has joined #openstack-dns		15:00
carthaca_	Hi, designate worker target setup stopped working and I don't have a clue why - in dev everything is fine http://paste.openstack.org/show/597038/, but I simply see no error or configuration differences in our prod. Maybe anyone here can point me where to look please? We are on newton	15:00
*** EricGonczer_ has joined #openstack-dns		15:03
*** richm has quit IRC		15:04
mugsie	carthaca_: is the config in kolla the same as the hand edited one?	15:07
carthaca_	the worker section is the same	15:08
mugsie	is the pool setup the same?	15:10
mugsie	that is what is failing I think	15:10
*** nkinder has quit IRC		15:13
carthaca_	order naming etc are mixed up, but in general it should be the same	15:14
carthaca_	I will check in detail once more :slightly_smiling_face:	15:14
timsim	Yeah check the backend type names, and maybe peek at your pools table.	15:17
timsim	Need some more logging in there.	15:17
mugsie	++	15:18
carthaca_	yeah, I'm already directly comparing on db level - but after a while one is getting blind	15:19
timsim	Trust me, it's still better than how the configuration used to be :x	15:19
mugsie	yeah	15:19
mugsie	oh, the bad old days	15:19
mugsie	I blame Kiall :D	15:20
timsim	Yeah, he's not here to defend himself, all Kiall's fault.	15:20
openstackgerrit	Merged openstack/designate-specs: Update documentation url https://review.openstack.org/408393	15:20
mugsie	writing nested, related ini files like http://replygif.net/i/1136.gif	15:21
*** richm has joined #openstack-dns		15:21
*** nkinder has joined #openstack-dns		15:21
*** richm has quit IRC		15:39
*** richm has joined #openstack-dns		15:41
*** catinthe_ has quit IRC		15:45
timsim	mugsie: can you get Kiall to +A this: https://review.openstack.org/#/c/426970/	15:48
brensen	I still can't get it to work.... :( I'm trying to simplify it a bit now by only allowing designate calls for 3 roles but it still allows my easyssl user to update a zone	15:48
brensen	"tenant" : "tenant:%(tenant_id)s",	15:48
brensen	"member" : "role:_member_",	15:48
brensen	"designate" : "role:designate",	15:48
brensen	"cloud_admin" : "role:admin",	15:48
brensen	"admin": "rule:designate or rule:member or rule:cloud_admin",	15:48
brensen	"zone_primary_or_admin" : "('PRIMARY':%(zone_type)s and rule:admin) OR ('SECONDARY':%(zone_type)s and rule:cloud_admin)",	15:48
brensen	"default" : "rule:admin",	15:48
brensen	"target" : "tenant:%(target_tenant_id)s",	15:48
brensen	"update_zone" : "rule:admin",	15:48
brensen	"find_zones" : "rule:admin",	15:49
brensen	"get_zones" : "rule:admin",	15:49
brensen	head of the policy file	15:49
mugsie	timsim: he did already :D	15:49
mugsie	brensen: humm :/	15:50
brensen	does this look good?	15:50
mugsie	ok, I am standing up a new stack anyway right now	15:50
mugsie	yeah	15:50
mugsie	let do a bit of tweaking	15:50
brensen	ok, glad I'm not stupid	15:50
mugsie	:)	15:51
timsim	woah, read my mind from like 7000 miles awawy	15:51
brensen	full file: https://thepasteb.in/p/r0h0cy9p15XJXCZ	15:51
brensen	still on mitaka btw	15:52
brensen	not sure if that matters	15:52
mugsie	brensen: you restarted designate-api and designate-central right?	15:52
brensen	oh damn, does central also need a kick?	15:52
mugsie	it should be the same - we havent made changes to the policy engine in years	15:52
mugsie	yeah	15:52
brensen	doh!	15:52
brensen	let me try	15:52
brensen	kicking	15:53
brensen	openstack zone list	15:53
brensen	forbidden	15:53
brensen	yay!	15:53
brensen	well now I DO feel stupid :facepalm"	15:53
mugsie	heh - don't	15:54
brensen	I thought the api would take care of the policies	15:54
mugsie	no, api is a thin shim that just does light validation	15:54
mugsie	and passes it to central, where the business logic is	15:54
brensen	nice to at least end the day with success! ty all	15:55
mugsie	that is what I call a good day :)	15:55
*** richm has quit IRC		15:58
*** ducttape_ has joined #openstack-dns		16:03
*** richm has joined #openstack-dns		16:10
*** richm has quit IRC		16:10
openstackgerrit	Graham Hayes proposed openstack/designate: Allow for zones / pools with no attributes https://review.openstack.org/427272	16:12
*** richm has joined #openstack-dns		16:13
*** richm has quit IRC		16:14
*** tdink has quit IRC		16:14
*** tdink has joined #openstack-dns		16:14
*** ducttape_ has quit IRC		16:19
*** nkinder has quit IRC		16:19
*** ducttape_ has joined #openstack-dns		16:19
*** richm has joined #openstack-dns		16:20
*** tdink_ has joined #openstack-dns		16:24
*** tdink has quit IRC		16:24
*** nkinder has joined #openstack-dns		16:25
*** _ducttape_ has joined #openstack-dns		16:29
*** richm has left #openstack-dns		16:31
*** richm has joined #openstack-dns		16:31
*** ducttape_ has quit IRC		16:32
*** _ducttape_ has quit IRC		16:40
*** ducttape_ has joined #openstack-dns		16:41
openstackgerrit	Merged openstack/designate: Use exit code 1 for failed designate-manage pool commands https://review.openstack.org/426970	16:44
*** _ducttape_ has joined #openstack-dns		16:44
*** ratoder has joined #openstack-dns		16:45
*** ducttape_ has quit IRC		16:47
openstackgerrit	Graham Hayes proposed openstack/designate: Validate NS records on a pool during an update https://review.openstack.org/427317	17:23
mugsie	timsim: there is a few patches up there now for review	17:32
mugsie	working my way through things slowly	17:32
* timsim looks		17:32
timsim	!m mugsie	17:32
openstack	timsim: Error: "m" is not a valid command.	17:32
*** richm has quit IRC		17:42
*** _ducttape_ has quit IRC		17:42
elarson	I'm convinced the openstack bot will never implement !m ;)	17:44
*** nkinder has quit IRC		17:46
mugsie	:D	17:46
* timsim wonders if pull requests are accepted		17:46
timsim	https://github.com/openstack-infra/gerritbot	17:47
timsim	mugsie: did you see this failed again? https://review.openstack.org/#/c/408262/	17:48
mugsie	ah, crap, how did that job get into newtoen	17:50
*** catintheroof has joined #openstack-dns		17:55
mugsie	timsim: https://review.openstack.org/427334 fixes that	17:55
*** richm has joined #openstack-dns		17:56
timsim	mugsie: Should we turn worker on by default now?	18:06
timsim	https://github.com/openstack/designate/blob/master/designate/worker/__init__.py#L29-L30	18:06
mugsie	timsim: damn	18:06
mugsie	yes	18:06
timsim	But we can't kill pool-manager for another cycle after that right?	18:07
mugsie	nope	18:08
mugsie	oh	18:08
mugsie	did we ever introduce periodic-* to worker model?	18:09
timsim	https://github.com/openstack/designate/blob/master/designate/cmd/pool_manager.py#L54-L56 lol	18:09
timsim	Um, not sync. Recovery, yes.	18:09
timsim	It'd be pretty easy to put sync in though.	18:09
mugsie	we would need sync in for the deafault switch	18:10
timsim	hm. I guess we could do that next cycle, and kill pool-manager, already past feature freeze now aren't we	18:11
mugsie	little bit	18:12
timsim	meh. Would be nice to get it done.	18:13
mugsie	we can put it in, as its not a feature	18:13
mugsie	and ultimatly, its up to me	18:13
timsim	Yeah really it's just a thing to send notifies to every zone.	18:14
timsim	Shouldn't we just be setting all those to pending notify and then let that happen?	18:14
timsim	Because we don't want it to do what it did in pool manager.	18:14
mugsie	that could work	18:14
mugsie	and yeah, dropping that code would eb good	18:15
*** richm has quit IRC		18:18
*** ducttape_ has joined #openstack-dns		18:28
*** ducttape_ has quit IRC		18:33
*** ducttape_ has joined #openstack-dns		18:43
openstackgerrit	Merged openstack/designate: change from domain to zone at configfile https://review.openstack.org/418861	18:47
*** ducttape_ has quit IRC		18:49
*** ducttape_ has joined #openstack-dns		19:00
*** ducttape_ has quit IRC		19:00
openstackgerrit	Graham Hayes proposed openstack/python-designateclient: Show proper error on over quota commands https://review.openstack.org/427357	19:00
*** ducttape_ has joined #openstack-dns		19:01
*** _ducttape_ has joined #openstack-dns		19:02
*** ducttape_ has quit IRC		19:05
*** _ducttape_ has quit IRC		19:14
*** mlavalle has quit IRC		19:17
*** abalutoiu has quit IRC		19:29
*** pcaruana has quit IRC		19:31
*** tdink has joined #openstack-dns		19:34
*** tdink_ has quit IRC		19:36
*** f13o_ has joined #openstack-dns		19:42
*** f13o_ has quit IRC		19:43
*** ducttape_ has joined #openstack-dns		19:56
*** ducttape_ has quit IRC		20:01
*** abalutoiu has joined #openstack-dns		20:06
*** ducttape_ has joined #openstack-dns		20:21
timsim	mugsie: If we were going to mass set `delayed_notify` that'd be one query per zone in the system wouldn't it? Which is probably not a good idea to do on a timer every so often?	20:28
mugsie	in most systems - every 24 hours should be OK	20:28
mugsie	but	20:29
mugsie	yeah	20:29
mugsie	what does the current one do?	20:29
timsim	lol. Tries to get all the zones via one big query over RPC from pool_mgr -> central (which times out when that gets big), and then blasts through them one at a time.	20:31
timsim	We can make that process better, but still not ideal by instructing the worker to send notifies to a whole shard, so it'd just blast the queue with notify events for every zone in the shard, but it'd just be one database query per shard. If you're sharding nicely, it wouldn't be so bad, but I'm sure most people won't.	20:34
mugsie	yeah	20:34
mugsie	well, depending on how many workers, it should shard itself OK	20:35
mugsie	but we would need to tell people to have multiple workers	20:35
*** mlavalle has joined #openstack-dns		20:37
timsim	I think that actually happens based on how you shard the producers.	20:37
mugsie	oh, thats right	20:37
mugsie	we don thave any repeat tasks on workers - they are dumb	20:37
timsim	yeah	20:37
timsim	It sucks we can't just do a `update zones set delayed_notify=1 where status!='DELETED';`	20:39
timsim	I guess that could tie things up if there were a lot of zones anyway maybe.	20:39
timsim	I guess I could have the worker do something gross like divide the number of zones by the sync interval/100 with a min step size of 500 zones and issue the notifies in bunches. I'm not a huge fan of a task that could sit there and run for 24 hours though	20:45
*** tdink has quit IRC		20:48
*** tdink has joined #openstack-dns		20:49
*** leitan has quit IRC		20:53
*** _ducttape_ has joined #openstack-dns		20:54
*** leitan has joined #openstack-dns		20:54
*** ducttape_ has quit IRC		20:57
*** leitan has quit IRC		21:00
*** kentb1 has joined #openstack-dns		21:04
*** tdink has quit IRC		21:30
*** tdink has joined #openstack-dns		21:30
*** catintheroof has quit IRC		21:38
*** catintheroof has joined #openstack-dns		21:38
*** catintheroof has quit IRC		21:39
*** cleong has quit IRC		21:44
*** _ducttape_ has quit IRC		21:46
*** ducttape_ has joined #openstack-dns		21:46
*** richm has joined #openstack-dns		21:55
*** tdink has quit IRC		22:02
*** catintheroof has joined #openstack-dns		22:05
*** catintheroof has quit IRC		22:05
*** catintheroof has joined #openstack-dns		22:06
*** catintheroof has quit IRC		22:11
*** ducttape_ has quit IRC		22:14
*** kentb1 has quit IRC		22:15
*** f13o has joined #openstack-dns		22:17
*** nkinder has joined #openstack-dns		22:23
*** richm has quit IRC		22:25
*** ducttape_ has joined #openstack-dns		22:31
*** f13o has quit IRC		22:33
*** tdink has joined #openstack-dns		22:34
*** tdink has quit IRC		22:36
*** tdink has joined #openstack-dns		22:36
openstackgerrit	Graham Hayes proposed openstack/designate-dashboard: Actually show attribute on zone info page https://review.openstack.org/427490	22:41
*** EricGonczer_ has quit IRC		22:53
openstackgerrit	Graham Hayes proposed openstack/python-designateclient: Add attribute support to create zone cli https://review.openstack.org/427497	23:01
*** _ducttape_ has joined #openstack-dns		23:03
openstackgerrit	Graham Hayes proposed openstack/python-designateclient: Show proper error on over quota commands https://review.openstack.org/427357	23:03
mugsie	timsim: Kiall ^^^ can I get a review ?	23:04
openstackgerrit	Graham Hayes proposed openstack/python-designateclient: Add attribute support to create zone cli https://review.openstack.org/427497	23:05
*** ducttape_ has quit IRC		23:06
*** _ducttape_ has quit IRC		23:29
*** ducttape_ has joined #openstack-dns		23:30
*** ducttape_ has quit IRC		23:35
openstackgerrit	Graham Hayes proposed openstack/designate: RRTYPE list in API https://review.openstack.org/337744	23:58

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!