Wednesday, 2017-01-04

*** agrebennikov has quit IRC00:22
*** jose-phillips has quit IRC00:25
*** itisha has quit IRC00:52
*** pt_15 has quit IRC00:54
*** trananhkma has joined #openstack-glance01:12
*** smatzek has joined #openstack-glance01:49
*** openstackgerrit has joined #openstack-glance02:11
openstackgerrit: Davanum Srinivas (dims) proposed openstack/glance_store: [WIP] Trying to add insecure/cafile for swift authentication  https://review.openstack.org/416399 02:11
*** trananhkma has quit IRC02:12
*** smatzek has quit IRC02:22
*** trananhkma has joined #openstack-glance02:54
*** ducttape_ has quit IRC03:04
*** ducttape_ has joined #openstack-glance03:05
*** ducttape_ has quit IRC03:09
*** prateek has quit IRC03:36
*** prateek has joined #openstack-glance03:36
*** mvk has quit IRC03:38
*** prateek has quit IRC03:45
*** jamielennox is now known as jamielennox|away03:51
*** links has joined #openstack-glance03:56
*** jamielennox|away is now known as jamielennox03:59
*** ducttape_ has joined #openstack-glance04:02
*** pdeore has joined #openstack-glance04:21
*** ducttape_ has quit IRC04:25
*** ducttape_ has joined #openstack-glance04:26
*** ducttape_ has quit IRC04:26
*** ducttape_ has joined #openstack-glance04:26
*** bkopilov has quit IRC04:28
*** bkopilov has joined #openstack-glance04:40
*** nicolasbock has joined #openstack-glance04:42
*** adisky_ has joined #openstack-glance04:52
adisky_: hi can anybody help me on this bug https://bugs.launchpad.net/glance/+bug/1595335?? I just want to know this is a bug or a new feature?? 04:56
openstack: Launchpad bug 1595335 in Glance "Add image location fails when show_multiple_locations = false" [Undecided,Confirmed] 04:56
*** ratailor has joined #openstack-glance05:11
*** udesale has joined #openstack-glance05:42
*** prateek has joined #openstack-glance05:44
*** mvk has joined #openstack-glance05:50
*** mvk has quit IRC06:11
*** pdeore has quit IRC06:16
*** udesale has quit IRC06:18
*** udesale has joined #openstack-glance06:20
*** pdeore has joined #openstack-glance06:27
*** pcaruana has joined #openstack-glance06:51
*** bkopilov has quit IRC06:52
*** e0ne has joined #openstack-glance06:54
*** mosulica has joined #openstack-glance07:01
*** groen692 has joined #openstack-glance07:04
*** rcernin has joined #openstack-glance07:15
*** e0ne has quit IRC07:17
*** tesseract has joined #openstack-glance07:18
jokke_: adisky_: that's not a bug ;) 07:31
*** bkopilov has joined #openstack-glance07:33
adisky_: ok ..that's a functionality??? 07:50
*** haplo37 has quit IRC07:57
*** ezoszed has joined #openstack-glance07:59
*** haplo37 has joined #openstack-glance08:06
*** tshefi has joined #openstack-glance08:22
*** zzzeek has quit IRC09:00
*** zzzeek has joined #openstack-glance09:00
*** pdeore__ has joined #openstack-glance10:05
*** pdeore has quit IRC10:07
*** mvk has joined #openstack-glance10:19
*** pdeore__ has quit IRC10:21
*** pdeore has joined #openstack-glance10:21
*** e0ne has joined #openstack-glance10:22
*** pdeore has quit IRC10:38
*** pdeore has joined #openstack-glance10:39
*** udesale has quit IRC10:53
*** links has quit IRC10:57
*** pdeore has quit IRC11:03
*** links has joined #openstack-glance11:21
*** ducttape_ has quit IRC11:25
*** ducttape_ has joined #openstack-glance11:36
*** smatzek has joined #openstack-glance11:40
*** ducttape_ has quit IRC11:54
*** catintheroof has joined #openstack-glance12:14
*** cdelatte has joined #openstack-glance12:30
*** openstackgerrit has quit IRC12:33
*** gabor_antal has joined #openstack-glance12:36
*** gabor_antal_ has joined #openstack-glance12:36
*** gabor_antal_ has quit IRC12:38
*** udesale has joined #openstack-glance12:55
*** mosulica has quit IRC13:03
*** itisha has joined #openstack-glance13:21
*** ratailor has quit IRC13:31
*** ratailor has joined #openstack-glance13:32
*** prateek has quit IRC13:41
*** wxy| has joined #openstack-glance13:43
*** ratailor has quit IRC13:55
*** agrebennikov has joined #openstack-glance14:10
*** zul has quit IRC14:14
*** zul has joined #openstack-glance14:15
*** seanhandley has left #openstack-glance14:15
*** ducttape_ has joined #openstack-glance14:20
*** smatzek has quit IRC14:21
*** udesale has quit IRC14:44
agrebennikov: hi there everybody! Can somebody let me know if glance nowadays (more interested in mitaka) can terminate ssl on the api service? And also, is there a wsgi script I may use to run glance-api behind apache 14:53
*** smatzek has joined #openstack-glance14:56
*** links has quit IRC14:59
*** udesale has joined #openstack-glance15:00
*** mosulica has joined #openstack-glance15:06
*** wxy|_ has joined #openstack-glance15:11
*** wxy| has quit IRC15:13
*** haplo37 has quit IRC15:13
*** zzzeek has quit IRC15:13
*** zzzeek has joined #openstack-glance15:14
*** haplo37 has joined #openstack-glance15:14
*** udesale has quit IRC15:25
*** udesale has joined #openstack-glance15:25
*** ativelkov_ has quit IRC15:27
*** Guest66666 has quit IRC15:29
*** Guest66666 has joined #openstack-glance15:29
*** ativelkov has joined #openstack-glance15:32
*** udesale has quit IRC15:35
*** mvk has quit IRC15:48
sigmavirus: agrebennikov: I believe Glance itself has been able to terminate TLS since liberty. That said, Apache can do that for you as well. But I don't believe we have wsgi scripts in tree for that 15:57
*** dirk has joined #openstack-glance15:58
*** _ducttape_ has joined #openstack-glance15:59
agrebennikov: sigmavirus, this is what I was afraid of... keeping in mind the main trend over the projects - use apache/nginx for running apis 16:00
agrebennikov: sigmavirus, per ssl on python - I'm just struggling with it for a while (trying to set it up with glance) 16:01
sigmavirus: agrebennikov: I do believe pbr has a way of generating them for us but I don't believe anyone's added those magic lines to our setup.cfg yet (nor am I certain that those magic lines would work the way we want them to) 16:01
sigmavirus: agrebennikov: I know there are some config options in Glance around TLS certificates but I've never configured Glance to do TLS termination 16:01
*** ChanServ sets mode: -o sigmavirus16:02
agrebennikov: sigmavirus, correct. But the problem is - whenever I set up those 3 lines (cert, key, ca) - api just stops responding 16:02
agrebennikov: even though the docs are saying - it is all I need for making it work 16:02
sigmavirus: agrebennikov: nothing in logs? 16:02
agrebennikov: nope 16:02
agrebennikov: let me pull up the latest, sec 16:02
*** ducttape_ has quit IRC16:03
agrebennikov: since I gave up and switched to cinder :) 16:03
sigmavirus: agrebennikov: have you tried using openssl s_client to see if TLS is working? 16:03
agrebennikov: which works as wsgi 16:03
sigmavirus: agrebennikov: also need some basic details before I can be of very much help, e.g., python version, os, etc. 16:03
agrebennikov: ok, this is openstack-ansible mitaka installation 16:04
agrebennikov: I'll bring the details in a bit.... have to spend some time on the meeting now. Are you around in general? 16:04
*** rcernin has quit IRC16:09
agrebennikov: so it is ubuntu, python2.7, openstack mitaka upstream 16:10
agrebennikov: sigmavirus, so yeah, the request just hangs 16:11
sigmavirus: agrebennikov: that's not descriptive 16:12
sigmavirus: what request hangs? 16:12
agrebennikov: I understand that :) 16:12
agrebennikov: if I curl to the port of glance-api - request ends up with timeout 16:12
agrebennikov: since glance doesn't respond 16:13
agrebennikov: this happens if I curl with http 16:13
agrebennikov: if it is https - root@osa-cntl-glance-container-8dfe5d91:~# curl --insecure https://127.0.0.1:9292 16:13
agrebennikov: curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure 16:13
agrebennikov: let me go ahead and try to pdb and at least see which module it hangs in 16:15
sigmavirus: agrebennikov: so if you're using osa, are you not using a LB? Isn't that part of the reference architecture of that project? 16:15
sigmavirus: agrebennikov: more useful would be to see what openssl s_client tells you 16:16
sigmavirus: also what details do you have about the certificate you've put in place? What CN do you have in it? 16:16
agrebennikov: I have an LB. But the problem is that it is not enough for the security team over here to terminate ssl on the balancer and I have to reconfigure it to terminate ssl on each service 16:17
agrebennikov: cn is a wildcard, works perfectly with keystone and cinder behind apache 16:17
*** dillaman has quit IRC16:23
agrebennikov: http://paste.openstack.org/show/593879/ 16:25
agrebennikov: basically this is the last pattern from pdb 16:25
*** jose-phillips has joined #openstack-glance16:28
*** dillaman has joined #openstack-glance16:28
*** ezoszed has quit IRC16:29
*** groen692 has quit IRC16:30
sigmavirus: agrebennikov: don't set "ca_certs" because that means that the client is supposed to provide a certificate to authenticate with 16:31
sigmavirus: In other words, only use cert_file and key_file 16:31
*** _ducttape_ has quit IRC16:33
*** ducttape_ has joined #openstack-glance16:33
sigmavirus: rosmaita_: ping 16:39
agrebennikov: sigmavirus, I have to use ca 16:40
agrebennikov: and it is used across all the services :/ 16:41
sigmavirus: agrebennikov: you need to use client certificate authentication? 16:44
sigmavirus: agrebennikov: if that's the case, you're not passing it appropriately from what I can tell from your curl command 16:44
*** mosulica has quit IRC16:45
*** edmondsw_ has joined #openstack-glance16:45
*** edmondsw_ has quit IRC16:45
sigmavirus: jokke_: ping 16:51
*** TravT has joined #openstack-glance17:04
*** wxy|_ has quit IRC17:14
agrebennikov: sigmavirus, this is completely offtopic from what I can tell. If there is any issue with the certs themselves I'd expect to get an error. While here I definitely have a code issue since it is hanging somewhere 17:15
sigmavirus: agrebennikov: when you start glance, do a list of your processes. Glance should be spawning subprocesses to listen which is why you think you're seeing a hang 17:16
sigmavirus: And glance just feeds the certs into the ssl module of Python 17:16
*** tshefi has quit IRC17:18
agrebennikov: sigmavirus, I'm using single process service to avoid it 17:18
*** smatzek has quit IRC17:19
sigmavirus: agrebennikov: also whether or not you're using client certificate verification is absolutely relevant 17:19
sigmavirus: If your client does not provide the certificate that the server expects, you'll never complete the TLS handshake 17:19
sigmavirus: agrebennikov: if you don't know what I'm talking about, then you shouldn't be using it because ca_certs is not doing what you think it's doing 17:20
*** mvk has joined #openstack-glance17:21
*** tesseract has quit IRC17:21
agrebennikov: sigmavirus, nevertheless this option doesn't make any difference 17:30
agrebennikov: wsgi server just hangs 17:30
*** e0ne has quit IRC17:31
*** nicolasbock has quit IRC17:34
agrebennikov: sigmavirus, but.... seems you were right about CA :) in fact the problem was in the connection between api to registry. when I removed registry_ca_file - it started to work 17:37
agrebennikov: sigmavirus, thanks! :) 17:37
sigmavirus: HTH 17:38
*** smatzek has joined #openstack-glance17:46
*** flwang1 has joined #openstack-glance17:47
*** aleph1 is now known as agarner17:59
*** dharinic is now known as dharinic|lunch18:16
smatzek: I'm looking for some clarity on the show_multiple_locations setting.  In Newton it is deprecated for removal and the release notes point at setting things in policy.json to control this behavior.  Using policy.json alone to control this behavior doesn't work in Newton and it appears to not work yet in Ocata.  Is removal of this property and migration to use only policy to control this still planned for Ocata? 18:33
stevelle: smatzek: I would not expect actual removal to happen in Ocata 18:36
flwang1: stevelle: i think smatzek is asking if we can fix it in Ocata :) 18:37
flwang1: if it doesn't work now 18:37
flwang1: smatzek: may i know more background? 18:37
flwang1: smatzek: are you looking for using this option? 18:37
flwang1: or i should reword it: are you trying to use multi locations? 18:38
stevelle: flwang1: you're probably right, I'm only answering the half I can speak to right now :) 18:38
smatzek: show_multiple_locations must be set to allow Nova snapshot of a Ceph backed instance to a Ceph backed Glance.  I need this functionality. 18:38
flwang1: stevelle: btw, congrats for glance core and happy new year :) 18:38
stevelle: flwang1: thx and hny 18:39
flwang1: smatzek: oh, yes, if you're using ceph, you need it 18:39
smatzek: so my question is, to get this functionality in Newton, and currently in Ocata I must continue to set this deprecated setting, per https://github.com/openstack/glance/blob/master/glance/api/v2/images.py#L294 18:39
smatzek: and where I'm looking for clarity is if the code above will change in Ocata to make it so that conf setting goes away and it's 100% controlled by policy. 18:40
flwang1: smatzek: hmm... that code is only used for locations update 18:40
smatzek: which is used during the Nova snapshot flow 18:41
flwang1: i don't think the nova/ceph CoW functions will be impacted by that line 18:41
flwang1: oh, really? i didn't dig 18:41
flwang1: smatzek: you mean nova will call that line? 18:42
smatzek: when Nova ephemeral disk and Glance backing store are both Ceph backed Nova creates a queued image, does efficient snapshot direct in Ceph and updates the image location via PATCH API to point at the new RBD object. 18:42
smatzek: what's really driving this question is my proposed change to OpenStack-Ansible to set show_multiple_locations=True when Ceph is in use in this review  https://review.openstack.org/#/c/413174/1 18:43
flwang1: ah 18:43
flwang1: i see, you're talking about nova snapshot, sorry i missed it 18:43
smatzek: the question is, if that property isn't going to be necessary in Ocata for the Nova Snapshot flow to work, should we be setting it in OpenStack-Ansible master/Ocata.  So I'm wondering if the current Ocata behavior will change to be 100% controlled via policy. 18:44
flwang1: smatzek: we met each other btw,  at rochester lab in 2013 18:45
flwang1: smatzek: at that moment, you worked for VMcontrol team IIRC :D 18:46
smatzek: yep, I worked on VMControl at that time.  Now I'm working on OpenStack and Ceph cluster deployments using ansible. 18:46
flwang1: awesome 18:47
flwang1: i will look into this and will comment on your patch 18:47
flwang1: but it's not a promise we can fix it in Ocata 18:48
flwang1: i may need to talk with rosmaita_ 18:48
sigmavirus: flwang1: rosmaita_'s on a much deserved vacation :) 18:48
flwang1: sigmavirus: ha, good to know, thanks 18:49
sigmavirus: just so you didn't get worried about him having disappeared ;) 18:49
smatzek: flaper87 may also know since his tag is in other glance comments talking about removal of that property. 18:50
flwang1: smatzek: yep, i think so, i will try and get back asap 18:51
*** pcaruana has quit IRC18:52
smatzek: I'm not really worried about if it goes away in Ocata or not.  If it's staying for Ocata, fine by me, we just need to know how to set the property (or not) for Ocata. Another item of note, is that mfedosin put a similar change into DevStack here: https://review.openstack.org/#/c/279630/ 18:53
flwang1: ok, i see. no problem 19:03
*** e0ne has joined #openstack-glance19:13
*** dharinic|lunch is now known as dharinic19:18
*** e0ne has quit IRC19:27
*** e0ne has joined #openstack-glance19:29
*** mosulica has joined #openstack-glance19:29
*** flwang1 has quit IRC19:34
*** raginbajin has quit IRC19:36
*** lifeless has quit IRC19:36
*** slunkad has quit IRC19:36
*** cburgess has quit IRC19:36
*** d34dh0r53 has quit IRC19:36
*** dharinic has quit IRC19:36
*** eglute has quit IRC19:36
*** eglute has joined #openstack-glance19:36
*** d34dh0r53 has joined #openstack-glance19:36
*** slunkad has joined #openstack-glance19:36
*** cburgess has joined #openstack-glance19:36
*** lifeless has joined #openstack-glance19:36
*** raginbajin has joined #openstack-glance19:38
*** dharinic has joined #openstack-glance19:41
*** mosulica has quit IRC19:42
dharinic: sigmavirus: Would you like to have a look at this if free? It seems very close to merging. https://review.openstack.org/#/c/367528/ 19:56
sigmavirus: Thanks for the reminder dharinic 19:58
dharinic: Sure sigmavirus :) 19:58
sigmavirus: I had tested it and it looks to be working correctly 19:58
dharinic: Great. 19:58
dharinic: stevelle, hemanthm https://review.openstack.org/#/c/367528/ 20:00
hemanthm: dharinic: ack, added to review queue 20:01
dharinic: Awesome. Thanks hemanthm 20:02
*** TravT has quit IRC20:08
stevelle: smatzek: seems like we need to fix that policy / conf option code so that the conf becomes truly optional, and policy works by itself. 20:09
smatzek: stevelle, yes that's the way I read the code as well and I'm wondering if that is still planned to make Ocata or not.  Given the date and cut offs I'm guessing it won't make Ocata 20:10
smatzek: this release note says it will be removed in Ocata. https://github.com/openstack/glance/blob/stable/newton/releasenotes/notes/deprecate-show-multiple-location-9890a1e961def2f6.yaml 20:11
stevelle: smatzek: we don't have a patch submitted to make the above true that I have found. Further I am -1 on removing the conf option until the above is true for at least 1 full cycle, so I am against removing it in Ocata and would want to push that removal out to a later cycle TBD. 20:12
smatzek: thanks 20:13
stevelle: smatzek: if you want to help by contributing the needed glance patch, that could help. I am core in OSA as well and we can make sure the right thing happens there. 20:13
smatzek: thanks.  The OSA review link was noted above.  Based on this, I think we need to get that submitted to master / backported to Newton, but we can take that up over in the openstack-ansible channel or the review itself. 20:15
stevelle: smatzek: yeah, adding a comment on the review now. 20:17
*** TravT has joined #openstack-glance20:24
*** TravT has quit IRC20:27
*** TravT has joined #openstack-glance20:27
*** TravT_ has joined #openstack-glance20:31
*** TravT has quit IRC20:31
*** TravT has joined #openstack-glance20:39
*** TravT_ has quit IRC20:39
*** d0ugal has quit IRC20:39
*** d0ugal has joined #openstack-glance20:55
*** adisky_ has quit IRC21:09
*** flwang1 has joined #openstack-glance21:11
*** e0ne has quit IRC21:17
*** _ducttape_ has joined #openstack-glance21:23
*** ducttape_ has quit IRC21:26
*** _ducttape_ has quit IRC21:27
flwang1: smatzek: still around? 21:30
smatzek: yep 21:30
flwang1: smatzek: may i know how did you test the multi locations? 21:30
flwang1: did you just set show_multiple_locations=false and set get_image_location and delete_image_location with admin only in policy file? 21:31
smatzek: set up OpenStack with Ceph backed Nova and Ceph backed Glance without the show_multiple_locations property set in glance api conf.  Launch an instance from horizon.  Snapshot instance from horizon.  Fails with 403 from Glance inside Nova compute. 21:32
flwang1: smatzek: ok, i see, thanks 21:32
smatzek: policy.json has:      "context_is_admin":  "role:admin", 21:33
smatzek:     "default": "role:admin", 21:33
smatzek:  and     "delete_image_location": "", 21:33
smatzek:     "get_image_location": "", 21:33
smatzek:     "set_image_location": "", 21:33
smatzek: so admin has policy authority to the actions 21:33
flwang1: yep, i understand. basically we need to replace the check at https://github.com/openstack/glance/blob/master/glance/api/v2/images.py#L294 with a policy check 21:34
smatzek: though you could do this without Nova in the picture with Glance alone, create an image in the queued state and then use the PATCH api, http://developer.openstack.org/api-ref/image/v2/?expanded=update-an-image-detail, to add the location 21:36
flwang1: right, got it 21:37
flwang1: thanks for the clarification 21:37
*** ducttape_ has joined #openstack-glance22:06
*** smatzek has quit IRC22:13
*** openstack has joined #openstack-glance22:53
*** openstackgerrit has joined #openstack-glance23:01
openstackgerrit: Dharini Chandrasekar proposed openstack/glance: Stricter checks for registry API calls  https://review.openstack.org/416766 23:01
*** agrebennikov has quit IRC23:08
*** jamielennox is now known as jamielennox|away23:11
*** jamielennox|away is now known as jamielennox23:14
*** ducttape_ has quit IRC23:16
*** ducttape_ has joined #openstack-glance23:17
*** ducttape_ has quit IRC23:21
*** cdelatte has quit IRC23:23
*** ducttape_ has joined #openstack-glance23:24
*** ducttape_ has quit IRC23:35
*** ducttape_ has joined #openstack-glance23:35
*** ducttape_ has quit IRC23:40
*** ducttape_ has joined #openstack-glance23:40