Wednesday, 2015-01-14

*** raildo has quit IRC		00:00
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Deprecate attributes from BaseIdentityPlugin https://review.openstack.org/147026	00:03
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements https://review.openstack.org/147028	00:04
*** chlong has joined #openstack-keystone		00:05
*** gyee has joined #openstack-keystone		00:07
*** erkules has quit IRC		00:09
*** tellesnobrega has quit IRC		00:09
*** dstanek has quit IRC		00:09
*** dstanek has joined #openstack-keystone		00:09
*** ChanServ sets mode: +v gyee		00:09
*** ChanServ sets mode: +v dstanek		00:10
*** jraim has joined #openstack-keystone		00:10
*** erkules has joined #openstack-keystone		00:10
*** tellesnobrega has joined #openstack-keystone		00:11
openstackgerrit	Merged openstack/keystone: Fixes several typos on configuration doc https://review.openstack.org/146258	00:13
openstackgerrit	OpenStack Proposal Bot proposed openstack/python-keystoneclient-federation: Updated from global requirements https://review.openstack.org/144785	00:15
*** LinstatSDR has joined #openstack-keystone		00:16
*** stevemar has joined #openstack-keystone		00:17
*** ChanServ sets mode: +v stevemar		00:17
*** ctracey has joined #openstack-keystone		00:23
openstackgerrit	Merged openstack/keystone: Fixes spacing in sentences on configuration doc https://review.openstack.org/146259	00:24
*** atiwari has joined #openstack-keystone		00:24
openstackgerrit	Merged openstack/keystone: Limit lines length on configuration doc https://review.openstack.org/146260	00:24
openstackgerrit	Merged openstack/keystone: Update Inherited Role Assignment Extension section https://review.openstack.org/146261	00:24
*** stevemar has quit IRC		00:27
*** david-lyle has joined #openstack-keystone		00:28
*** Tahmina has quit IRC		00:29
*** serverascode has joined #openstack-keystone		00:37
*** EmilienM is now known as EmilienM\|afk		00:39
*** LinstatSDR has quit IRC		00:40
*** gyee has quit IRC		00:46
*** zhiyan has joined #openstack-keystone		00:48
*** EmilienM\|afk has quit IRC		00:52
*** jraim has quit IRC		00:54
*** dougwig has quit IRC		00:54
*** EmilienM has joined #openstack-keystone		00:56
*** david-lyle has quit IRC		00:58
*** dougwig has joined #openstack-keystone		00:58
*** david-lyle has joined #openstack-keystone		00:58
*** jraim has joined #openstack-keystone		01:00
*** gyee has joined #openstack-keystone		01:03
*** ChanServ sets mode: +v gyee		01:03
*** david-lyle has quit IRC		01:05
*** EmilienM has quit IRC		01:07
*** gyee has quit IRC		01:08
*** EmilienM has joined #openstack-keystone		01:08
*** gyee has joined #openstack-keystone		01:08
*** ChanServ sets mode: +v gyee		01:08
*** samueldmq_ has joined #openstack-keystone		01:08
*** david-lyle has joined #openstack-keystone		01:09
*** atiwari has quit IRC		01:12
*** jraim has quit IRC		01:13
*** lhcheng has quit IRC		01:16
*** jraim has joined #openstack-keystone		01:19
*** rwsu has quit IRC		01:21
*** nkinder has joined #openstack-keystone		01:22
*** david-lyle has quit IRC		01:24
*** afazekas has quit IRC		01:25
*** david-lyle has joined #openstack-keystone		01:29
*** zzzeek has quit IRC		01:31
*** lsmola has quit IRC		01:31
openstackgerrit	wanghong proposed openstack/keystone: correct the help text of os_inherit https://review.openstack.org/146801	01:31
*** lsmola has joined #openstack-keystone		01:32
*** _cjones_ has quit IRC		01:33
*** _cjones_ has joined #openstack-keystone		01:33
*** david-lyle has quit IRC		01:35
*** dtroyer has quit IRC		01:37
*** _cjones_ has quit IRC		01:40
*** abhirc has joined #openstack-keystone		01:42
openstackgerrit	Merged openstack/keystone: Always return the service name in the catalog https://review.openstack.org/135808	01:44
openstackgerrit	Merged openstack/python-keystoneclient-federation: Updated from global requirements https://review.openstack.org/144785	01:49
*** david-lyle has joined #openstack-keystone		01:52
*** EmilienM has quit IRC		01:52
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Deprecate attributes from BaseIdentityPlugin https://review.openstack.org/147026	01:53
*** dtroyer has joined #openstack-keystone		01:55
*** EmilienM has joined #openstack-keystone		01:56
*** Guest85585 is now known as mfisch		01:59
*** david-lyle has quit IRC		01:59
*** mfisch has quit IRC		01:59
*** mfisch has joined #openstack-keystone		01:59
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor extract class for signing directory https://review.openstack.org/122281	01:59
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Refactor auth_token revocation list members to new class https://review.openstack.org/102403	01:59
*** chrisshattuck has joined #openstack-keystone		01:59
*** ayoung has joined #openstack-keystone		02:01
*** ChanServ sets mode: +v ayoung		02:01
*** dims__ has quit IRC		02:02
*** dims__ has joined #openstack-keystone		02:03
*** zhiyan has quit IRC		02:05
*** zhiyan has joined #openstack-keystone		02:06
*** richm has quit IRC		02:07
openstackgerrit	Dave Chen proposed openstack/keystone: Remove local conf information from paste-ini https://review.openstack.org/134125	02:07
*** dims__ has quit IRC		02:07
*** dtroyer has quit IRC		02:08
*** gyee has quit IRC		02:08
*** tellesnobrega has quit IRC		02:09
*** dtroyer has joined #openstack-keystone		02:09
*** samueldmq has quit IRC		02:09
*** vishy has quit IRC		02:11
*** cyeoh has quit IRC		02:14
*** afaranha has quit IRC		02:14
*** vishy has joined #openstack-keystone		02:14
*** cyeoh has joined #openstack-keystone		02:16
openstackgerrit	Brant Knudson proposed openstack/keystone: Move eventlet server options to a config section https://review.openstack.org/130962	02:19
*** tellesnobrega has joined #openstack-keystone		02:20
*** samueldmq has joined #openstack-keystone		02:20
*** afaranha has joined #openstack-keystone		02:20
*** LinstatSDR has joined #openstack-keystone		02:21
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Correct failures for check E122 https://review.openstack.org/146355	02:22
*** EmilienM has quit IRC		02:22
*** dtroyer has quit IRC		02:23
*** EmilienM has joined #openstack-keystone		02:23
*** samueldmq_ has quit IRC		02:24
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Enforce check F821 and H304 https://review.openstack.org/146356	02:24
*** dtroyer has joined #openstack-keystone		02:25
*** chrisshattuck has quit IRC		02:29
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Deprecate various methods and attributes https://review.openstack.org/147026	02:38
*** david-lyle has joined #openstack-keystone		02:40
*** erkules_ has joined #openstack-keystone		02:41
*** erkules has quit IRC		02:43
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Add generic auth plugin documentation https://review.openstack.org/141680	02:44
*** stevemar has joined #openstack-keystone		02:46
*** ChanServ sets mode: +v stevemar		02:46
*** harlowja is now known as harlowja_away		02:46
*** mflobo_ has joined #openstack-keystone		02:46
*** cyeoh has quit IRC		02:47
*** lbragstad has quit IRC		02:47
*** mgagne has quit IRC		02:47
*** mflobo has quit IRC		02:48
*** mhu has quit IRC		02:48
*** rm_work has quit IRC		02:48
*** cyeoh has joined #openstack-keystone		02:48
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Add auth plugin params to doc https://review.openstack.org/141681	02:48
*** ctracey has quit IRC		02:52
*** rm_work has joined #openstack-keystone		02:53
*** mflobo has joined #openstack-keystone		02:53
openstackgerrit	Jamie Lennox proposed openstack/python-keystoneclient: Deprecate various methods and attributes https://review.openstack.org/147026	02:54
*** zhiyan has quit IRC		02:55
*** lbragstad has joined #openstack-keystone		02:55
wanghong	stevemar, ping, we do not need to modify etc/keystone.conf.sample now?	02:55
*** mflobo_ has quit IRC		02:56
stevemar	wanghong, which patch are you referring to?	02:56
openstackgerrit	wanghong proposed openstack/keystone: remove the Conf.signing.token_format option support https://review.openstack.org/144250	02:56
wanghong	stevemar, https://review.openstack.org/#/c/146801/	02:56
wanghong	this one	02:56
*** zhiyan has joined #openstack-keystone		02:57
stevemar	wanghong, hmm running `tox -e sample_config` should change etc/keystone.conf.sample (with the correct spacing)	02:58
stevemar	let me see what happens when i run it	02:58
*** ctracey has joined #openstack-keystone		02:58
*** mflobo_ has joined #openstack-keystone		02:58
*** mflobo has quit IRC		03:01
*** mhu has joined #openstack-keystone		03:02
*** mgagne has joined #openstack-keystone		03:04
*** mgagne is now known as Guest33025		03:05
*** abhirc has quit IRC		03:06
*** mhu has quit IRC		03:07
*** chrisshattuck has joined #openstack-keystone		03:07
openstackgerrit	Dave Chen proposed openstack/keystone: Skip endpoints which is not available https://review.openstack.org/144860	03:08
openstackgerrit	Steve Martinelli proposed openstack/keystone: correct the help text of os_inherit https://review.openstack.org/146801	03:08
*** lbragstad has quit IRC		03:08
wanghong	stevemar, you mean I should use tox command to change it?	03:08
stevemar	wanghong, i uploaded a new version, i ran the "tox -e sample_config" command when I pulled down the patch set	03:09
stevemar	wanghong, yep, i just ran it and uploaded it, there is a slight diff between what you proposed and what is auto-generated: https://review.openstack.org/#/c/146801/2..4/etc/keystone.conf.sample	03:09
stevemar	It's not a big issue, but in case someone adds a new config option and runs the tox command, then they will see a change that is not related to theirs	03:10
wanghong	stevemar, yep, I see	03:10
stevemar	wanghong, thanks for all your work with OSC lately btw!	03:10
*** lbragstad has joined #openstack-keystone		03:10
stevemar	i really appreciate it!	03:10
*** LinstatSDR has quit IRC		03:11
wanghong	stevemar, thanks :)	03:12
openstackgerrit	David Stanek proposed openstack/keystone: test for tools https://review.openstack.org/147056	03:13
openstackgerrit	David Stanek proposed openstack/keystone: test for tools https://review.openstack.org/147056	03:16
*** jraim has quit IRC		03:18
*** junhongl has quit IRC		03:18
*** junhongl has joined #openstack-keystone		03:19
*** jraim has joined #openstack-keystone		03:19
*** abhirc has joined #openstack-keystone		03:24
*** david-lyle has quit IRC		03:25
openstackgerrit	David Stanek proposed openstack/keystone: another test https://review.openstack.org/147057	03:26
openstackgerrit	David Stanek proposed openstack/keystone: test for tools https://review.openstack.org/147056	03:29
*** ayoung has quit IRC		03:31
*** dtroyer has quit IRC		03:36
*** lbragstad has quit IRC		03:38
*** dtroyer has joined #openstack-keystone		03:39
*** EmilienM has quit IRC		03:40
*** comstud has quit IRC		03:40
*** comstud has joined #openstack-keystone		03:41
*** ayoung has joined #openstack-keystone		03:43
*** ChanServ sets mode: +v ayoung		03:43
*** EmilienM has joined #openstack-keystone		03:44
*** jraim has quit IRC		03:45
*** jraim has joined #openstack-keystone		03:47
*** lbragstad has joined #openstack-keystone		03:47
*** dtroyer has quit IRC		03:52
*** dtroyer has joined #openstack-keystone		03:58
*** lbragstad has quit IRC		04:00
*** avozza is now known as zz_avozza		04:01
*** EmilienM has quit IRC		04:01
*** lbragstad has joined #openstack-keystone		04:02
stevemar	dstanek, quit testing for tools	04:02
dstanek	stevemar: serry :-(	04:02
*** LinstatSDR has joined #openstack-keystone		04:03
stevemar	dstanek, something something, da browns	04:03
*** chrisshattuck has quit IRC		04:05
*** EmilienM has joined #openstack-keystone		04:08
*** rushiagr_away is now known as rushiagr		04:12
*** dtroyer has quit IRC		04:13
*** Guest33025 has quit IRC		04:32
*** flwang has quit IRC		04:34
*** mgagne has joined #openstack-keystone		04:34
*** EmilienM has quit IRC		04:35
*** mgagne is now known as Guest57605		04:35
openstackgerrit	Dave Chen proposed openstack/keystone: Skip endpoints which is not available https://review.openstack.org/144860	04:35
*** klaas_ has joined #openstack-keystone		04:37
openstackgerrit	henry-nash proposed openstack/keystone: Split roles into their own backend within assignments https://review.openstack.org/144239	04:37
*** hichtakk has quit IRC		04:38
*** EmilienM has joined #openstack-keystone		04:38
*** hichtakk has joined #openstack-keystone		04:39
*** hichtakk has quit IRC		04:39
*** hichtakk has joined #openstack-keystone		04:39
*** hichtakk has quit IRC		04:40
*** flwang has joined #openstack-keystone		04:41
*** hichtakk has joined #openstack-keystone		04:41
*** _cjones_ has joined #openstack-keystone		04:41
*** hichtakk has quit IRC		04:41
*** hichtakk has joined #openstack-keystone		04:42
*** hichtakk has quit IRC		04:42
*** hichtakk has joined #openstack-keystone		04:42
*** hichtakk has joined #openstack-keystone		04:43
openstackgerrit	henry-nash proposed openstack/keystone: Correct doc string for grant driver methods https://review.openstack.org/144403	04:45
*** _cjones_ has quit IRC		04:45
openstackgerrit	henry-nash proposed openstack/keystone: Make controllers call the new, split out, role manager https://review.openstack.org/144494	04:46
openstackgerrit	henry-nash proposed openstack/keystone: Make unit tests call the new, split out, role manager https://review.openstack.org/144548	04:47
openstackgerrit	henry-nash proposed openstack/keystone: Refactor assignment manager/driver methods https://review.openstack.org/144650	04:48
*** klaas_ has quit IRC		04:49
openstackgerrit	henry-nash proposed openstack/keystone: Correct comment about circular dependency https://review.openstack.org/144850	04:49
*** klaas_ has joined #openstack-keystone		04:51
*** dims__ has joined #openstack-keystone		04:52
openstackgerrit	Merged openstack/keystonemiddleware: support micro version if sent https://review.openstack.org/130916	04:55
*** dims__ has quit IRC		04:57
*** vishy has quit IRC		04:57
*** ajayaa has joined #openstack-keystone		05:00
openstackgerrit	henry-nash proposed openstack/keystone: Move projects and domains to their own backend https://review.openstack.org/144824	05:02
*** vishy has joined #openstack-keystone		05:03
openstackgerrit	henry-nash proposed openstack/keystone: Remove unused pointer to assignment in identity driver https://review.openstack.org/145022	05:03
*** chrisshattuck has joined #openstack-keystone		05:04
openstackgerrit	henry-nash proposed openstack/keystone: Make controllers and managers reference new resource manager https://review.openstack.org/133525	05:04
openstackgerrit	henry-nash proposed openstack/keystone: Make unit tests call the new resource manager https://review.openstack.org/130954	05:05
*** lhcheng has joined #openstack-keystone		05:10
*** EmilienM has quit IRC		05:12
*** EmilienM has joined #openstack-keystone		05:16
*** zigo has quit IRC		05:20
*** zigo has joined #openstack-keystone		05:21
*** hichtakk has quit IRC		05:23
*** hichtakk has joined #openstack-keystone		05:23
*** hichtakk has quit IRC		05:23
*** hichtakk has joined #openstack-keystone		05:24
*** hichtakk has quit IRC		05:24
*** hichtakk_ has joined #openstack-keystone		05:25
*** hichtak__ has joined #openstack-keystone		05:26
*** hichtakk_ has quit IRC		05:26
*** comstud has quit IRC		05:38
*** comstud has joined #openstack-keystone		05:40
*** hichtak__ has quit IRC		05:41
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: On creation default service name to empty string https://review.openstack.org/146962	05:41
*** lbragstad has quit IRC		05:52
*** chrisshattuck has quit IRC		05:52
*** abhirc has quit IRC		05:54
*** lbragstad has joined #openstack-keystone		05:55
*** abhirc has joined #openstack-keystone		05:55
*** MasterPiece has joined #openstack-keystone		05:56
*** abhirc has joined #openstack-keystone		05:59
openstackgerrit	Steve Martinelli proposed openstack/keystone: Scope federated token with 'token' identity method https://review.openstack.org/130593	06:03
*** erkules_ is now known as erkules		06:04
openstackgerrit	OpenStack Proposal Bot proposed openstack/keystone: Imported Translations from Transifex https://review.openstack.org/145135	06:07
openstackgerrit	Merged openstack/keystone-specs: Service Provider for K2K https://review.openstack.org/135604	06:09
*** LinstatSDR has quit IRC		06:16
*** MasterPiece has quit IRC		06:44
*** stevemar has quit IRC		06:47
*** abhirc_ has joined #openstack-keystone		06:49
*** abhirc has quit IRC		06:51
*** lhcheng has quit IRC		06:51
*** abhirc_ has quit IRC		06:52
*** lhcheng has joined #openstack-keystone		06:52
openstackgerrit	ZhiQiang Fan proposed openstack/python-keystoneclient: Enable hacking rule F821 https://review.openstack.org/134096	06:56
*** lhcheng has quit IRC		06:56
*** zhiyan has quit IRC		07:08
*** zhiyan has joined #openstack-keystone		07:11
*** serverascode has quit IRC		07:12
*** andreaf has joined #openstack-keystone		07:15
*** serverascode has joined #openstack-keystone		07:16
*** oomichi_ has quit IRC		07:37
*** chlong has quit IRC		07:47
*** lhcheng has joined #openstack-keystone		07:54
*** lhcheng has quit IRC		07:58
*** jistr has joined #openstack-keystone		08:00
*** jaosorior has joined #openstack-keystone		08:03
openstackgerrit	henry-nash proposed openstack/keystone: Split the assignments controller https://review.openstack.org/132634	08:04
*** lbragstad has quit IRC		08:24
*** hichtakk has joined #openstack-keystone		08:25
*** nkinder has quit IRC		08:25
*** zz_avozza is now known as avozza		08:30
*** cyeoh has quit IRC		08:30
*** Guest57605 has quit IRC		08:31
*** cyeoh has joined #openstack-keystone		08:31
*** mgagne has joined #openstack-keystone		08:33
*** mgagne is now known as Guest5538		08:33
*** lbragstad has joined #openstack-keystone		08:34
*** jaosorior has quit IRC		08:36
*** nkinder has joined #openstack-keystone		08:37
*** avozza is now known as zz_avozza		08:37
*** zz_avozza is now known as avozza		08:37
*** links has joined #openstack-keystone		08:38
*** jaosorior has joined #openstack-keystone		08:38
*** cyeoh has quit IRC		08:43
*** cyeoh has joined #openstack-keystone		08:46
*** avozza is now known as zz_avozza		08:47
*** MasterPiece has joined #openstack-keystone		08:49
*** josecastroleon has joined #openstack-keystone		08:54
*** josecastroleon has quit IRC		08:56
*** josecastroleon has joined #openstack-keystone		08:56
*** jaosorior has quit IRC		08:58
*** jaosorior has joined #openstack-keystone		08:59
*** josecastroleon_ has joined #openstack-keystone		09:01
*** zz_avozza is now known as avozza		09:01
*** josecastroleon has quit IRC		09:04
*** josecastroleon_ has quit IRC		09:05
*** serverascode has quit IRC		09:09
*** serverascode has joined #openstack-keystone		09:12
*** josecastroleon has joined #openstack-keystone		09:21
*** nellysmitt has joined #openstack-keystone		09:25
*** jamielennox is now known as jamielennox\|away		09:31
*** dims__ has joined #openstack-keystone		09:31
*** dims__ has quit IRC		09:36
*** josecastroleon has quit IRC		09:38
*** josecastroleon has joined #openstack-keystone		09:39
*** Guest5538 has quit IRC		09:51
*** andreaf has quit IRC		09:53
*** mgagne has joined #openstack-keystone		09:55
*** mgagne is now known as Guest80979		09:55
*** vishy has quit IRC		09:59
*** dtantsur has joined #openstack-keystone		10:02
*** Sanchit has joined #openstack-keystone		10:02
Sanchit	Hi, I am having a setup of objectStorage which can handle a load of about 10,000 requests.	10:03
Sanchit	I am using UUID type tokens	10:03
Sanchit	Will my keystone server be able to handle the same load?	10:03
Sanchit	jamielennox\|away: Could you please help me regarding this query posted above	10:04
*** andreaf has joined #openstack-keystone		10:10
*** vishy has joined #openstack-keystone		10:11
*** josecastroleon_ has joined #openstack-keystone		10:12
*** josecastroleon has quit IRC		10:15
*** vishy has quit IRC		10:21
*** aix has joined #openstack-keystone		10:22
*** yasu_ has joined #openstack-keystone		10:29
*** jistr has quit IRC		10:31
*** yasu_ has quit IRC		10:31
*** vishy has joined #openstack-keystone		10:34
*** dims__ has joined #openstack-keystone		10:41
*** lhcheng has joined #openstack-keystone		10:43
*** lhcheng has quit IRC		10:47
*** jistr has joined #openstack-keystone		10:48
breton	morganfainberg: here?	10:51
*** josecastroleon_ has quit IRC		10:55
*** josecastroleon_ has joined #openstack-keystone		10:56
*** avozza is now known as zz_avozza		10:59
*** dims__ has quit IRC		11:00
*** dims__ has joined #openstack-keystone		11:00
*** dims__ has quit IRC		11:05
*** aix has quit IRC		11:14
*** zz_avozza is now known as avozza		11:25
*** aix has joined #openstack-keystone		11:28
openstackgerrit	Marek Denis proposed openstack/keystone: Identify groups by name/domain in mapping rules. https://review.openstack.org/139013	11:30
*** dims__ has joined #openstack-keystone		11:44
openstackgerrit	Marco Fargetta proposed openstack/keystone: Multiple IdP authentication URL https://review.openstack.org/142743	11:51
*** rushiagr is now known as rushiagr_away		11:53
*** chlong has joined #openstack-keystone		12:06
*** topol has joined #openstack-keystone		12:22
*** ChanServ sets mode: +v topol		12:22
amakarov_away	ayoung, hi! My precious trust redelegation seems to move :) Can you please look at https://review.openstack.org/#/c/126897/ ?	12:25
*** amakarov_away is now known as amakarov		12:25
*** rushiagr_away is now known as rushiagr		12:31
*** avozza is now known as zz_avozza		12:55
*** boris-42 has joined #openstack-keystone		12:56
*** chlong has quit IRC		13:02
*** ajayaa has quit IRC		13:03
*** zz_avozza is now known as avozza		13:04
*** avozza is now known as zz_avozza		13:20
*** radez_g0n3 is now known as radez		13:29
*** zz_avozza is now known as avozza		13:40
*** LinstatSDR has joined #openstack-keystone		13:50
*** jbonjean has quit IRC		13:52
*** jbonjean has joined #openstack-keystone		13:53
*** gordc has joined #openstack-keystone		13:54
*** ajayaa has joined #openstack-keystone		14:01
*** joesavak has joined #openstack-keystone		14:01
amakarov	bknudson, greetings! I have an ancient patch here https://review.openstack.org/#/c/118590/ It seems I had to roll back any changes there except config descriptions. You are the last to comment there, can you please tell me is it actual now, as we are about to create a separate r/w LDAP ?	14:02
*** saltsa has joined #openstack-keystone		14:10
*** mattfarina has joined #openstack-keystone		14:11
*** nkinder has quit IRC		14:20
*** lhcheng has joined #openstack-keystone		14:20
*** zzzeek has joined #openstack-keystone		14:21
*** diegows has joined #openstack-keystone		14:21
*** MasterPiece has quit IRC		14:22
*** blinky_ghost has joined #openstack-keystone		14:22
blinky_ghost	hi all, can anybody explain me what this error means: DEBUG keystoneclient.session [-] Request returned failure status: 404 request /usr/lib/python2.7/site-packages/keystoneclient/session.py:345 WARNING keystonemiddleware.auth_token [-] Authorization failed for token WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Could not find token: 86f10d2315df46d281967fb511918165", "code": 404, "title": "Not Found"	14:23
blinky_ghost	}}	14:23
blinky_ghost	this happens in nova-api	14:24
*** lhcheng has quit IRC		14:25
rodrigods	blinky_ghost, seems like you're using an already expired token	14:26
*** Ctina_ has joined #openstack-keystone		14:27
amakarov	blinky_ghost, rodrigods, or something happened to token backend	14:27
blinky_ghost	rodrigods: I have a galera mysql db with 3 nodes where tokens are replicated. This happens when I reboot my server that has API and MYSQL VIP. Don't understand why because the DB is the same on all the controllers.	14:28
rodrigods	blinky_ghost, using memcached?	14:29
blinky_ghost	rodrigods: no, i use mysql, can I show you my conf?	14:30
rodrigods	blinky_ghost, I'm afraid I'd help more in the code level, don't have much experience configuring such deployments :(	14:32
rodrigods	blinky_ghost, maybe morganfainberg and ayoung can help you once they appear here :)	14:32
ayoung	amakarov, -2. Will never happen! Just kidding. +2a. Decided to give you two heart attacks for the price of one.	14:32
blinky_ghost	rodrigods: ok thanks	14:32
ayoung	blinky_ghost, I just ate a power pellet. You better run	14:32
ayoung	blinky_ghost, "Could not find token: 86f10d2315df46d281967fb511918165"	14:33
ayoung	someone is using something that looks like a token, but brother it ain't a token	14:33
blinky_ghost	ayoung what do you mean? :)	14:34
ayoung	blinky_ghost, ok, so the token is a uuid. It means that it is talking to a keystone server that does not know about that uuid pointing to a token. Could be a replication error between nodes?	14:35
ayoung	in Galera?	14:35
ayoung	blinky_ghost, the order would be something like this:	14:35
blinky_ghost	ayoung, maybe, that happens when I change my Mysql Virtual IP	14:35
blinky_ghost	or my API VIP	14:36
blinky_ghost	although galera is replicated I'm pretty sure of that	14:36
ayoung	usergoes to keystone1 to create a token. user sends token to nova. Nova tries to validate token with key2. Key 2 talks to an unsynced Galera instance?	14:36
blinky_ghost	ayoung: it makes sense, but replication in DB is working fine. Do you have any sugestion	14:37
ayoung	blinky_ghost how easy is it to reproduce?	14:39
blinky_ghost	ayoung: pretty easy: I have 3 nodes with Keepalived, and the first controller runs as master node, it has the VIPS. If I reboot that node, when it comes on line, my nova-api and glance starts failling. If I reboot the services, openstack services on all the nodes, it will start to work again.	14:41
ayoung	blinky_ghost, and Galera is running on the controller nodes?	14:41
*** richm has joined #openstack-keystone		14:41
*** radez is now known as radez_g0n3		14:42
blinky_ghost	ayoung: yes. on all 3. But I don't use haproxy for Galera. I only use Keepalived.	14:42
ayoung	rebooting Keystone probably fakes you out, as now you are getting all new tokens. So I suspect it is the scenario I just mentioned, or something similar	14:42
ayoung	but, reproduce, and then fire direct sql queries at the different galera instances	14:43
ayoung	select * from token where id = ?	14:43
ayoung	? being the failing id	14:43
blinky_ghost	ayoung: OK, testing	14:43
ayoung	blinky_ghost, are the keystone servers saving tokens in the same Galera instance or in separate ones?	14:45
blinky_ghost	ayoung: the same	14:46
ayoung	blinky_ghost, but maybe there is a time sync problem....when the node dies, there are tokens created in galera on the live nodes that are not yet persisted to the rebooting node. When the rebooting node comes back up, Galera has to sync up all of the changes from the nodes that did not reboot	14:48
ayoung	I'm just guessing here, but it smells like a replication problem	14:48
blinky_ghost	ayoung: OK, I'm trying to replicate the issue	14:53
*** trey has quit IRC		14:54
blinky_ghost	ayoung: 2015-01-14 14:55:57.532 4925 WARNING keystonemiddleware.auth_token [-] Retrying on HTTP connection exception: Unable to establish connection to http://172.16.21.20:35357/v2.0/tokens	14:57
blinky_ghost	ayoung: 2015-01-14 14:55:58.650 4925 DEBUG keystoneclient.session [-] REQ: curl -i -X GET http://172.16.21.20:35357/v2.0/tokens/9cf5e1b412324ecab28ae1efb031406d -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: TOKEN_REDACTED" _http_log_request /usr/lib/python2.7/site-packages/keystoneclient/session.py:155	14:57
* amakarov slowly regaining consciousness after ayoung's joke		14:57
amakarov	impossible!	14:58
*** bdossant has joined #openstack-keystone		15:03
blinky_ghost	ayoung: the token table has the same number of rows (1011) in all galera nodes	15:08
*** samueldmq_ has joined #openstack-keystone		15:08
*** nkinder has joined #openstack-keystone		15:10
breton	dstanek: ping	15:13
dstanek	breton: pong	15:13
breton	oh, great	15:13
morganfainberg	breton: also I am somewhat awake now, but 0300 my time I was asleep	15:14
*** abhirc has joined #openstack-keystone		15:14
breton	dstanek: i've saw that you own a bp about tests on rdbmses -- https://blueprints.launchpad.net/keystone/+spec/tests-on-rdbmses	15:14
morganfainberg	blinky_ghost: silly question are you on the latest oslo.db? (What version of oslo.db and what version of keystone are you running?)	15:15
dstanek	breton: yes	15:15
breton	morganfainberg: I wanted to talk about your comment on bug #1406314, but dstanek seems to be doing something about it already	15:16
uvirtbot	Launchpad bug 1406314 in keystone "db migration tests falsely succeed" [Undecided,New] https://launchpad.net/bugs/1406314	15:16
blinky_ghost	morganfainberg: openstack-keystone-2014.2.1-1 python-oslo-db-1.0.2-2	15:16
*** avozza is now known as zz_avozza		15:16
breton	dstanek: I've ran into a number of issues while testing Alembic and filed bug 1406314	15:17
morganfainberg	Sure. I'd love to see SQLite dropped from migration tests in general :p	15:17
breton	dstanek: and in the comments there morganfainberg suggests to do something like in nova	15:17
breton	dstanek: I did some research and would like to help with that bp	15:17
morganfainberg	blinky_ghost: there is/was a bug relating to fail to disconnect / reconnect to a db with a version of oslo.db.	15:18
dstanek	breton: i agree that the migration tests should not run against sqlite	15:18
breton	(it's pretty sad btw that https://review.openstack.org/#/c/126030/ didn't get in)	15:18
dstanek	breton: it would be great if you could run them against a real db	15:18
blinky_ghost	morganfainberg: stupid question :) how do I update it? I use rpm centos 7 from RDO repo	15:19
morganfainberg	breton: that is likely a separate initiative from the bug you are referencing. (Nova thing). I added it as a comment of what we should also be doing to make the tests better.	15:19
dstanek	breton: i have a few changes for that to discuss at the mid-cycle	15:19
breton	dstanek: I want not only to run them once, but completely rewrite the test suite to always run them	15:19
breton	dstanek: I'll miss the midcycle :(	15:20
morganfainberg	blinky_ghost: ask ayoung , I know zero about RDO. And not sure off the top of my head the versions of Oslo.db that were broken.	15:20
morganfainberg	blinky_ghost: let me see if I can dig up the bug.	15:21
blinky_ghost	thanks	15:21
breton	morganfainberg: and it has some caveats. For example, oslo_db's code used in nova doesn't support Alembic	15:21
breton	morganfainberg: so, we'll have to either implement Alembic support on our side or push it to oslo_db	15:22
dhellmann	breton: the oslo.db team is working on alembic support	15:23
breton	dhellmann: how soon will it happen in test_migrations?	15:23
morganfainberg	blinky_ghost: https://bugs.launchpad.net/oslo.db/+bug/1374497 that was the bug	15:23
uvirtbot	Launchpad bug 1374497 in oslo.db/juno "change in oslo.db "ping" handling is causing issues in projects that are not using transactions" [High,Fix released]	15:23
dhellmann	breton: I'd have to check with them, I don't know off the top of my head	15:24
breton	dhellmann: well, from what I know, not soon	15:24
breton	I hope I'm wrong though	15:24
blinky_ghost	morganfainberg: I've just switched to memcache to test and the issue persists. Does that fix applies to memcache also?	15:24
zzzeek	hidey ho	15:24
*** stevemar has joined #openstack-keystone		15:24
*** ChanServ sets mode: +v stevemar		15:24
*** viktors has joined #openstack-keystone		15:25
morganfainberg	blinky_ghost: yes, it affects keystone if you use sql for anything. If you have the Oslo.db with the bug.	15:25
morganfainberg	zzzeek: hiya!	15:25
openstackgerrit	Merged openstack/keystone: Trust redelegation https://review.openstack.org/126897	15:25
morganfainberg	amakarov: ^^	15:26
amakarov	morganfainberg, http://www.youtube.com/watch?v=aAyAgIJHgdU	15:27
* amakarov wandering the size of cake to ask Heat team for :)		15:28
ayoung	morganfainberg, thought for the day. What if we split tokens up into two pieces: delegation agreement and issuing data. The delegation agreement would be persisted, the issuing data would not be. A valid token would always have the issuing data embedded, but might not have the delegation agreement embedded.	15:28
morganfainberg	blinky_ghost: looks like you need 1.0.2 Oslo.db. Or Redhat needs to patch that version with the fix (might be the case, they do lots of patching for rpms)	15:28
ayoung	amakarov, the cake is a lie. You know that.	15:28
zzzeek	breton / dstanek : whether or not the migration tests run against sqlite I’d suggest that they also run against PG and MySQL as well. the opportunistic test suite system allows this, it’s what neutron uses in this case	15:28
blinky_ghost	morganfainberg: can I apply the patch from here? https://review.openstack.org/#/c/125079/	15:29
morganfainberg	zzzeek: I agree, I want to drop SQLite for migration tests. It is pointless.	15:29
breton	zzzeek: nova does that too	15:29
morganfainberg	blinky_ghost: you can try to. You can also install a non-rpm version of Oslo.db	15:29
amakarov	ayoung, I know, just hoping they won't put me on a potato instead %)	15:30
zzzeek	if keystone is using alembic, unless you’ve implemented the new “Batch” system i dont know how you are running it against SQLIte	15:30
blinky_ghost	morganfainberg: how do I do that? :)	15:30
*** jbonjean has quit IRC		15:30
*** jbonjean has joined #openstack-keystone		15:30
morganfainberg	blinky_ghost: you could use pip, but that might break your system. I don't use centos really at this point or know about RDO specifics. ayoung and nkinder are better resources	15:31
breton	zzzeek: it doesn't yet	15:31
nkinder	yeah, pip usually steps on rpms and can cause weirdness	15:31
morganfainberg	zzzeek: we want alembic. But we have not gotten there yet.	15:31
blinky_ghost	morganfainberg: OK, but I use 1.0.2 version already: python-oslo-db-1.0.2-2	15:32
nkinder	blinky_ghost: are you using RDO Juno?	15:32
zzzeek	morganfainberg: so there’s some kind of thing in oslo.db that allows sqlalcemy-migrate to run into alembic migrations along a stream. i’m not invovled w it but its one of the transitional devices	15:32
ayoung	morganfainberg, could it be an error with dogpile?	15:32
morganfainberg	blinky_ghost: ah sorry I am precoffee	15:32
zzzeek	morganfainberg: id favor either flattening old sqlalchemy-migrate revs or porting them	15:32
breton	zzzeek: and I'm using it	15:32
zzzeek	breton: OK	15:32
ayoung	morganfainberg, you are hearby banned from answering questions until after coffee	15:33
breton	zzzeek: migration_cli	15:33
dstanek	breton: you can't always run the migrations against mysql and pg - that would be in the functional tests	15:33
zzzeek	breton: yup	15:33
morganfainberg	ayoung: unlikely this is a complete connection failure. This looks like a bad deployment option or keep alive causing db connections to tip over on vip move	15:33
ayoung	morganfainberg, treat that as Standing Operating Procedure	15:33
ayoung	have you had coffee yet?	15:33
morganfainberg	ayoung: since it isn't oslo.db (1.0.2 should be fixed)	15:33
dstanek	breton: our unit tests are already way too big and that is going in the opposite direction of what i'm looking to do	15:34
breton	dstanek: nova does that. Why can't we?	15:34
morganfainberg	S/keep alive/keepalived	15:34
dstanek	breton: as a developer i should have to have both of those installed - in fact i wold argue that you shouldn't use either in a unit test	15:34
blinky_ghost	ayoung: I switched to memcache in keystone but the issue persists	15:35
ayoung	blinky_ghost, you using 1.0.2? Or do you need an updated RPM for that	15:35
morganfainberg	ayoung: dude I just woke up :p. Misreading 1.0.2 for 1.0.1 isn't too bad	15:35
blinky_ghost	ayoung: python-oslo-db-1.0.2-2.el7.centos.noarch	15:35
* ayoung wants morganfainberg to hurry up and move to NYC		15:35
*** andreaf has quit IRC		15:35
morganfainberg	ayoung: can't even start looking till post midcycle :p	15:36
morganfainberg	dstanek: ++++++	15:36
ayoung	morganfainberg, heh. I'd offer you a couch, but with my two kids around, you'd be even less functional	15:36
morganfainberg	Haha. All good. I have to be in the Bay Area for travel atm, hence the lack of looking.	15:37
breton	dstanek: we miss bugs without it. Latest example -- https://review.openstack.org/#/c/145795/	15:37
dstanek	breton: if they were functional tests you could run them if you wanted to, but you are not bound to it - we can easily have jenkins gate on them	15:38
morganfainberg	Moving may need to wait until post kilo release due to ${Reasons}	15:38
*** richm has quit IRC		15:38
ayoung	blinky_ghost, ok, you said you can reproduce this at will, right? And it happens after reboot. Did you do a query for the missing tokenid against the database? And was it there?	15:38
dstanek	Reasons = 'dog ate my homework'	15:38
ayoung	dstanek, that is what happens when you dip your homework in beef gravy. Works really well.	15:39
blinky_ghost	ayoung: I didn't manage to see again the missing token, trying to find out	15:39
ayoung	blinky_ghost, OK. let me know when you complete that check.	15:40
dstanek	breton: for instance, my dev VM is a devstack, but i also run our unit tests on my mac where i don't have either database installed	15:40
morganfainberg	ayoung: he is seeing it using memcached as well (though there are other issues with memcache). He was saying there was a connection issue. I think there is an issue with keepalived here and moving VIPs as well.	15:40
breton	dstanek: so, make them functional?	15:40
morganfainberg	ayoung: I think I read that.	15:40
morganfainberg	Right	15:40
morganfainberg	blinky_ghost: ^^ is that correct?	15:40
blinky_ghost	ayoung: however as I said, I switched to keystone using memcached just to test and the issue remains	15:40
dstanek	breton: yes, i think anything that hits a real database or starts a service should be functional	15:40
morganfainberg	dstanek: ++ exactly.	15:41
ayoung	morganfainberg, a token should be written to the token table once it is issued. He said he had the same numbers in all of the servers. If the tokenid is missing, it means it was dropped.	15:41
breton	we have functional tests in Keystone?	15:41
morganfainberg	ayoung: or relocation lag	15:41
ayoung	There is a pun in there somewhere with ACID and dropping, but this is a family joint.	15:41
morganfainberg	Replication*	15:41
*** richm has joined #openstack-keystone		15:41
ayoung	morganfainberg, BTW, I might want to add an "explicit not default project" flag on get user as well.	15:42
morganfainberg	ayoung: explain?	15:42
breton	dstanek: in nova they are unit tests	15:42
ayoung	morganfainberg, we really should be consistant in what we return from an API and it was messing up Puppet	15:42
breton	dstanek: I'll check now though, wait a sec	15:43
morganfainberg	breton: and I'm saying migration tests should not be unit tests, but functional	15:43
ayoung	morganfainberg, when you do get user, the format of what you get back varies depending on if default project is set or not	15:43
morganfainberg	ayoung: we should figure a way to drop default project (v4!!)	15:43
morganfainberg	Sorry, bad joke	15:43
dstanek	breton: working on that - https://review.openstack.org/#/c/139137/ - another topic for the mid-cylce next week	15:43
ayoung	morganfainberg, agreed, but in the meantime, we should give people a way under the current API to get deterministic results	15:44
morganfainberg	ayoung: default project is awful.	15:44
morganfainberg	ayoung: ?nodefualtproject	15:44
ayoung	morganfainberg, it is based on an outdated assumption. OpenStack has evolved significantly	15:44
ayoung	morganfainberg, something like that	15:44
ayoung	morganfainberg, I suspect that richm will have dealt with the issue in Puppet shortly, so it won't really be a huge deal, but it might be a good feature to keep in mind	15:45
morganfainberg	Well, can't puppet just ignore default project values in get_user? Or is this a token issue?	15:45
ayoung	there is some generalizable rule in there	15:46
ayoung	I think that it probably can, and just was written to parse the data by someone that didn't realize it was an optional value	15:46
richm	I think I have fixed the issue - https://review.openstack.org/133601	15:46
morganfainberg	Someone could cram in extra data to he user and break puppet too	15:46
breton	dstanek: morganfainberg: they are unit everywhere -- in nova, in neutron. But they could be skipped if connection to rdbmses are missing	15:46
morganfainberg	It would be better to only look for what you need/want.	15:46
morganfainberg	breton: and that is wrong imo.	15:47
dstanek	morganfainberg: ++	15:47
morganfainberg	Because SQLite does not represent anything close to usable (especially in migrations) and why do we need to test migrations in unit tests?	15:47
viktors	morganfainberg: sorry, but why not? )	15:48
*** r-daneel has joined #openstack-keystone		15:48
ayoung	richm, you made "ignore tenant" an option. Does that make sense? When would you ever want the default tenant?	15:49
amakarov	lbragstad, hi! Are you here?	15:49
morganfainberg	It is fine if we only have unit tests but since we are moving to having other options that have real rdbms, why should we keep trying to claim we're testing migrations against a non-production (that doesn't really mirror a real rdbms) system	15:49
morganfainberg	Heck, I'd like to drop SQLite completely from keystone	15:49
dstanek	also it is unlikely that i'll break migrations by change non-migration code so i don't want the penalty of running all of those tests	15:49
richm	ayoung: I'm not sure, but with the patch I can deploy using sql r/w, ldap r/w, and ldap r/o identity backends	15:49
morganfainberg	But that is a different bit of work	15:50
dstanek	our unit tests should run in under 30 seconds and i consider it a bug that they take 3 minutes	15:51
viktors	dstanek: migration tests can be skipped locally, but they will run on gates	15:51
morganfainberg	richm: I recommend doing, instead of "ignore tenant", look for values you want.	15:51
viktors	morganfainberg: I like idea with SQLIte :)	15:51
morganfainberg	viktors: to drop it?	15:51
viktors	morganfainberg: yes	15:51
richm	"ignore tenant" is almost never used	15:51
breton	morganfainberg: in nova testing against postgresql and mysql is done in unit tests. The test engine checks if the connection to db is available and doesn't run the tests if not	15:51
breton	morganfainberg: but in gates the connection to dbs exist, so the tests will always run there	15:52
viktors	same in glance, heat, etc	15:52
dstanek	viktors: but by definition the are functional tests and not unit tests - we just didn't have functional tests in projects until recently	15:52
morganfainberg	breton: why does it have to be in unit tests? We are splitting testing into two categories: unit (does the basic code logic work) and functional (restful, including other services such as a rdbms)	15:52
morganfainberg	breton: so let us move the migration tests to the test suite that is appropriate for it - that has the other services available.	15:53
viktors	dstanek: hmmm... Maybe	15:53
morganfainberg	And then make SQLite die.	15:54
morganfainberg	>.>	15:54
viktors	:)	15:54
dstanek	i don't like the idea that they tests may not run in the gate because the connection is not there	15:54
morganfainberg	similar to making eventlet die.	15:54
*** jorge_munoz has joined #openstack-keystone		15:54
morganfainberg	dstanek: ++ if the test should run, it should fail if it didn't run	15:55
viktors	dstanek: we checked db connection on gates carefully already	15:55
morganfainberg	viktors: that's fine, but unit tests are still the wrong place for these tests. Unit tests should require zero external services.	15:56
viktors	morganfainberg: ok, agree with it	15:56
*** Guest80979 is now known as mgagne		15:57
*** mgagne has joined #openstack-keystone		15:57
morganfainberg	dstanek: there will need to be a way to skip migration tests in functional. As functional tests (long term) should be able to run against a live deployment. If you so want. But that is far future thinking.	15:57
lbragstad	amakarov: o/	15:57
*** henrynash has joined #openstack-keystone		15:58
*** ChanServ sets mode: +v henrynash		15:58
dstanek	the way it should work is a functional test sets the db, runs the tests and fails if they fail - all very explicit	15:58
breton	so, we wait for functional testing appear in keystone and then do stuff on migration tests?	15:58
viktors	dstanek: it can be added easily	15:58
morganfainberg	henrynash: I'm slowly making my way through your changeset(s)	15:58
dstanek	breton: you can start to get them to work on other DBs	15:59
blinky_ghost	morganfainberg, ayoung I'm not being able to see the token ID to replicate the issue again, so I changed to memcache. I see this: [root@controller03 ~(keystone_admin)]# nova --debug list	15:59
morganfainberg	henrynash: is it slow because there is a lot there still. I haven't forgotten you ;)	15:59
henrynash	morganfainberg: consider it a tour of all that assignments once had to offer :-)	15:59
blinky_ghost	REQ: curl -i 'http://172.16.21.20:5000/v2.0/tokens' -X POST -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "{SHA1}ef219838a90eb46612297d84ee1261bf1bdb63d2"}}}'	15:59
blinky_ghost	then I see this	15:59
blinky_ghost	INFO (connectionpool:187) Starting new HTTP connection (1): 172.16.21.20	15:59
blinky_ghost	DEBUG (shell:803) HTTPConnectionPool(host='172.16.21.20', port=5000): Max retries exceeded with url: /v2.0/tokens (Caused by <class 'httplib.BadStatusLine'>: '')	15:59
dstanek	breton: if you have a few read https://etherpad.openstack.org/p/keystone-functional-tests - i'd love to hear your thoughts	16:00
breton	dstanek: thanks, I will	16:00
morganfainberg	blinky_ghost: it looks like keystone is not live on that port yet or is hung / not responding. I wouldn't be surprised if you are having issues with the db and keepalived failing over / moving the vip	16:00
viktors	morganfainberg, dstanek: please, ping me, if you'll need a help with dropping SQLite :)	16:01
*** diegows has quit IRC		16:01
blinky_ghost	morganfainberg: But I don't understand keepalived is running on all the nodes	16:01
morganfainberg	blinky_ghost: since keystone is hit first due to the way the tokens are issued / handled.	16:01
richm	. . . and I can't find anywhere in the current juno puppet code where ignore_default_tenant is used	16:01
dstanek	viktors: will do - adding that to the mid-cycle etherpad so we can come up with actionable steps for you	16:01
richm	so perhaps it was something that was used in a much earlier release - I don't think it is needed anymore	16:02
marekd	dstanek: where is midcycle etherpad?	16:02
viktors	dstanek: is there any etherpad at the moment?	16:02
blinky_ghost	morganfainberg: can I show you my conf to see if something is wrong?	16:03
morganfainberg	blinky_ghost: I don't know your deployment and I can only guess. I don't know what else to say :(. I'm fairly certain it isn't keystone in general, as we would have a lot more yelling about it.	16:03
morganfainberg	blinky_ghost: I don't know if I can help based on config alone. What happens if you move the db off the nodes with keystone? And reboot keystone nodes? Second in that config, what happens if you reboot a db node?	16:04
morganfainberg	blinky_ghost: maybe try and standup an isolated keystone node on different hardware than dbs and reboot the db nodes - and debug from there.	16:05
dstanek	marekd: viktors: https://etherpad.openstack.org/p/kilo-keystone-midcycle	16:05
morganfainberg	How fast does it recover that way? How fast is the vip moved via keepalived ? Etc. there are a lot of variables when adding in HA. And a lot of ways of doing HA.	16:07
*** zz_avozza is now known as avozza		16:08
blinky_ghost	morganfainberg: what happens is: I reboot controller01, comes online and all the VIPS failback to it. As soon at that happens I start getting timeouts. Then I go to my other nodes, controller02 and 3, restart keystone and nova-api and it starts working everything back.	16:08
morganfainberg	blinky_ghost: why are the VIPs failing back to it? Because you have a hard-set master?	16:10
blinky_ghost	morganfainberg: I also notice that in controller02 when I restarted keystone, it took a LOT of time to restart	16:10
morganfainberg	Are you deploying keystone under eventlet or Apache?	16:10
blinky_ghost	morganfainberg: seems that something is stuck in the previous master (controller02)	16:10
blinky_ghost	eventually dies but it takes a lot of time restarting the services	16:11
blinky_ghost	morganfainberg: how do I check that? :)	16:11
morganfainberg	This looks like the oslo.db issue and/or an issue where MySQL connection is not valid anymore because you ripped the connection out from under it and gave it a new target daemon to talk to	16:11
morganfainberg	Also. Can you immediately talk to the db when the vip fails back.	16:12
blinky_ghost	morgainfainberg: yes, it's pretty fast to failback	16:12
morganfainberg	Galera can take time to become responsive once it rejoins a cluster (needs to sync data). A node is not always viable right away.	16:13
morganfainberg	blinky_ghost: I am honestly at my limit of what I can debug without being on the systems (and I can't help on that front).	16:13
blinky_ghost	morganfainberg: I understand, so openstack services should start after mysql is synced	16:14
blinky_ghost	on that node	16:14
morganfainberg	I would say yes. Second I recommend not failing VIPs around because a node is back online. I'd leave the vip pointed at a currently live node.	16:15
*** markvoelker has joined #openstack-keystone		16:15
*** samueldmq_ has quit IRC		16:15
blinky_ghost	morganfainberg: If I reboot controller02 and 3 I don't have issues because the VIP doesn't move.	16:16
blinky_ghost	however If I have to restart the node where VIPS are I get problems	16:16
morganfainberg	So it is an issue with the vip moving at all	16:17
morganfainberg	This feels like the Oslo.db bug tbh	16:17
morganfainberg	But again, I am at my limit of what I can debug without being on the machines.	16:17
morganfainberg	There are a lot of variables here.	16:18
blinky_ghost	morganfainberg: I can give you access no problem :)	16:18
morganfainberg	blinky_ghost: unfortunately I need to go, I need to eat and then pick up someone at the airport so I can get to a meeting	16:18
blinky_ghost	morganfainberg: ok thank you for your help	16:19
morganfainberg	blinky_ghost: sorry, I can't take you up on that. I can't jump on every broken openstack cluster to debug issues like this.	16:19
blinky_ghost	ok thanks anyway :)	16:20
*** abhirc has quit IRC		16:21
morganfainberg	You might have some luck in turning on sqlalchemy debugging in keystone, see what it says about connections and requests.	16:21
blinky_ghost	ok I'll try that	16:21
*** abhirc has joined #openstack-keystone		16:22
ayoung	blinky_ghost, ask in #rdo	16:24
ayoung	this is more configuration stuff than straight keystone, and I'd be surprised if you were the only person seeing it	16:24
ayoung	I've little to no experience with the replication etc side of MySQL/Galera	16:25
*** uvirtbot has quit IRC		16:25
blinky_ghost	ayoung: ok, thanks	16:25
*** avozza is now known as zz_avozza		16:26
*** jbonjean has quit IRC		16:28
*** abhirc has quit IRC		16:28
*** jbonjean has joined #openstack-keystone		16:28
ayoung	morganfainberg, reposting this: What if we split tokens up into two pieces: delegation agreement and issuing data. The delegation agreement would be persisted, the issuing data would not be. A valid token would always have the issuing data embedded, but might not have the delegation agreement embedded. I think that is what AE tokens really requires	16:28
* ayoung realizes subject verb agreement off. "the AE tokens spec really requires"		16:29
morganfainberg	So. Delegation agreement is created when? And how often?	16:29
morganfainberg	And I have 1hr to eat, get ready, and get to the airport. So, I might disappear for a few here.	16:30
*** amakarov has quit IRC		16:30
*** tsufiev has quit IRC		16:30
*** amakarov has joined #openstack-keystone		16:31
morganfainberg	But I'll read back-scroll when I get back.	16:31
*** afaranha_ has joined #openstack-keystone		16:31
*** tsufiev has joined #openstack-keystone		16:33
breton	dstanek: I've read the etherpad. What effort is required to run migration tests? Do I understand correctly that a devstack instance will be set up to run them?	16:34
amakarov	ayoung, imho delegation agreement has much in common with assignment, so we can look there. How do we want to treat assignments using AE tokens?	16:35
ayoung	amakarov, yep	16:37
ayoung	amakarov, I want a unified mechanism for delegations	16:38
ayoung	so role assignment is a delegation agreement	16:38
ayoung	trust is a delegation agreement, etc	16:38
ayoung	you could do a token using the existing trust code.	16:38
ayoung	:P	16:38
amakarov	ayoung, do you have a spec for this unified mechanism? :)	16:39
*** markvoelker has quit IRC		16:40
stevemar	marekd, your group-name code has comment errors	16:41
*** amakarov has quit IRC		16:41
*** tsufiev has quit IRC		16:41
*** amakarov has joined #openstack-keystone		16:41
ayoung	amakarov, not yet.	16:43
ayoung	amakarov, I wrote this up from the other direction: starting with policy: https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/	16:44
*** tsufiev has joined #openstack-keystone		16:44
ayoung	amakarov, I want to be able to enforce the rule "you can only delegate (a subset of) what you yourself have"	16:45
*** bdossant has quit IRC		16:45
ayoung	amakarov, I'm just wondering if we could parallelize it a bit. THe AE token spec is already taking the form of spliting the dynamic info from the static wrt to the token, and only signing the dynamic. I'd like to make the static side of that more explicit	16:46
amakarov	ayoung, as I see, if we want recalculate everything then we need effective way to do it. And the less different ways shall we have the better	16:46
openstackgerrit	Bogun Dmitriy proposed openstack/keystone: FIX multiple SQL backend usage validation https://review.openstack.org/138113	16:46
ayoung	amakarov, Oh yes!	16:46
amakarov	ayoung, so this mechanism of yours is of a huge importance :)	16:46
ayoung	amakarov, it really needs hierarchical roles to make sense, though	16:47
ayoung	I guess, though, that we could just start by creating a superadmin with every role imaginiable...but ugh	16:47
ayoung	ideally we would say "if you are an admin, you can delegate just the member role, as admin implies member"	16:48
*** gyee has joined #openstack-keystone		16:48
*** ChanServ sets mode: +v gyee		16:48
amakarov	ayoung, this is not the first time I see this dilemma: either admin has all roles and constraints validation is strait-forward or he is a "special" one with no roles, but with a flag or some "I own everything" token.	16:51
ayoung	amakarov, so look at the reviews I link to in that blog post. We can do this step by step, I think	16:51
*** atiwari has joined #openstack-keystone		16:52
* amakarov goes surfing ayoung's blog		16:52
*** radez_g0n3 is now known as radez		16:54
*** Guest8210 is now known as redrobot		16:54
*** dims__ has quit IRC		17:00
*** dims__ has joined #openstack-keystone		17:01
*** dtantsur is now known as dtantsur\|afk		17:03
*** dtroyer has joined #openstack-keystone		17:04
*** joesavak has quit IRC		17:05
*** dims__ has quit IRC		17:05
*** viktors is now known as viktors\|afk		17:06
*** joesavak has joined #openstack-keystone		17:07
*** jsavak has joined #openstack-keystone		17:08
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add minimum release support notes for federation https://review.openstack.org/146758	17:10
*** joesavak has quit IRC		17:12
samueldmq	henrynash, ping - I have the role assignments refactoring working	17:13
samueldmq	henrynash, just cleaning the code	17:13
henrynash	samueldmq: very cool	17:14
samueldmq	henrynash, didn't submit yesterday because of some tests, you know how things work :p	17:14
henrynash	samueldmq: np	17:14
*** links has quit IRC		17:21
*** rwsu has joined #openstack-keystone		17:29
*** _cjones_ has joined #openstack-keystone		17:31
*** _cjones_ has quit IRC		17:32
*** EmilienM is now known as EmilienM\|afk		17:32
*** zz_avozza is now known as avozza		17:33
*** bknudson has quit IRC		17:33
*** _cjones_ has joined #openstack-keystone		17:36
*** diegows has joined #openstack-keystone		17:37
*** gordc has quit IRC		17:38
*** jistr has quit IRC		17:39
*** amakarov is now known as amakarov_away		17:43
*** jaosorior has quit IRC		17:43
*** avozza is now known as zz_avozza		17:43
openstackgerrit	ayoung proposed openstack/keystone: Unscoped to Scoped only https://review.openstack.org/142591	17:44
*** topol has quit IRC		17:45
dstanek	breton: the idea is that they will run in a devstack - either your existing one or a new one created by infra when run as a gate test	17:45
stevemar	did revocation events go into icehouse?	17:46
*** KanagarajM has joined #openstack-keystone		17:46
stevemar	or just juno?	17:46
stevemar	ayoung, ^	17:46
stevemar	henrynash, same question for endpoint policy	17:46
*** jsavak has quit IRC		17:53
*** KanagarajM has quit IRC		17:54
*** joesavak has joined #openstack-keystone		17:54
breton	dstanek: the problem with that is that I'll have to hold a whole devstack just to test my single migration test	17:57
breton	dstanek: now running migration test is as easy as ./run_tests my_migration_test	17:58
*** jaosorior has joined #openstack-keystone		17:59
*** abhirc has joined #openstack-keystone		18:07
*** chlong has joined #openstack-keystone		18:10
*** harlowja_away is now known as harlowja		18:10
*** zz_avozza is now known as avozza		18:14
*** gordc has joined #openstack-keystone		18:21
henrynash	stevemar: endpoint policy was Juno	18:25
*** EmilienM\|afk is now known as EmilienM		18:29
*** lhcheng has joined #openstack-keystone		18:32
openstackgerrit	Lin Hua Cheng proposed openstack/keystone: On creation default service name to empty string https://review.openstack.org/146962	18:36
*** bknudson has joined #openstack-keystone		18:36
*** ChanServ sets mode: +v bknudson		18:36
openstackgerrit	guang-yee proposed openstack/keystone-specs: X.509 SSL certificate authentication https://review.openstack.org/105913	18:36
*** pabelanger has joined #openstack-keystone		18:37
*** rushiagr is now known as rushiagr_away		18:37
dstanek	breton: you can probably get by without a full devstack as long as you have the right things available (like mysql)	18:37
pabelanger	greetings. Had a question about keystone.conf and public_endpoint. Should the value be http://server:5000 or http://server:5000/v2.0 or http://server:5000/v3? I believe it should only be http://server:5000 if I want to assign it a value	18:38
*** atiwari has quit IRC		18:40
*** atiwari has joined #openstack-keystone		18:42
morganfainberg	gyee, you're in the office tomorrow right?	18:44
morganfainberg	gyee, just making sure you're planning on being there :)	18:45
gyee	morganfainberg, yes, I'll be there	18:46
*** atiwari has quit IRC		18:46
gyee	pabelanger, should be http://server:5000	18:46
*** atiwari has joined #openstack-keystone		18:47
*** atiwari has quit IRC		18:47
*** atiwari has joined #openstack-keystone		18:50
*** _cjones_ has quit IRC		18:57
*** _cjones_ has joined #openstack-keystone		19:01
*** bdossant has joined #openstack-keystone		19:06
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Hierarchical Multitenancy Improvements https://review.openstack.org/135309	19:06
*** _cjones_ has quit IRC		19:07
*** _cjones_ has joined #openstack-keystone		19:08
rodrigods	^quick review: follow up changes to HMT (like new ways to retrieve the hierarchy and recursive deletion from a sub-hierarchy)	19:08
*** ajayaa has quit IRC		19:09
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: Hierarchical Multitenancy Improvements https://review.openstack.org/135309	19:09
openstackgerrit	David Stanek proposed openstack/keystone: WIP: Force SQLite to properly deal with foreign keys https://review.openstack.org/126030	19:12
*** atiwari has quit IRC		19:12
ayoung	rodrigods, so a spec name like that is not super descriptive. What should it really be? What kind of improvements?	19:14
ayoung	and are you collecting different ideas under one spec?	19:14
rodrigods	ayoung, agree	19:14
rodrigods	ayoung, we agreed to have all small improvements points to be described in one spec	19:15
rodrigods	since we thought the reseller spec has enough content as it is a much more complex concept	19:15
ayoung	rodrigods, fair enough....I wonder, though if there is a more common thread in these imporments	19:15
rodrigods	what do you mean?	19:16
ayoung	well, delete of the subtree and granular control...	19:16
rodrigods	ayoung, split it in two or more specs, you mean?	19:17
ayoung	just trying to name it better.	19:17
rodrigods	ayoung, aarg naming :(	19:18
rodrigods	really open to suggestions :)	19:18
ayoung	rodrigods, heh...so I probably would recommend splitting in the abstract. These really are 3 unrelated features. But then, I think only the first (structure of the response) requires a spec	19:19
ayoung	recursive delete is almost a bug fix in my mind	19:19
ayoung	and the default policy changes are going to be hard on some people....	19:19
*** atiwari has joined #openstack-keystone		19:19
rodrigods	ayoung, makes sense	19:19
ayoung	I would almost say HMT should require an updated policy file, otherwise don't use it	19:19
ayoung	that really doesn't need to be in this spec, but a spec showing how we need to clean up policy would be super valuable	19:20
rodrigods	ayoung, which we already have, right?	19:20
rodrigods	:)	19:20
ayoung	rodrigods, I think we need tests showing that it is safe to do the "domain matches" logic that henrynash was worried about	19:20
*** atiwari has quit IRC		19:20
rodrigods	can the recursive deletion be a specless bp?	19:20
ayoung	yeah...how about paring this spec down to Change the format of a returned project hierarchy to better reflect the	19:21
ayoung	hierarchy	19:21
rodrigods	ayoung, ++	19:22
*** aix has quit IRC		19:22
ayoung	rodrigods, how we do specs is a growning, changing process. I struggle with this on the policy stuff. I almost think that the dynamic policy blob post I wrote should be the spec, with all of the sub-specs included in it. I would like it to be a single, coherent document.	19:23
*** atiwari has joined #openstack-keystone		19:23
ayoung	at what point does a feature need a spec? No clue	19:23
rodrigods	ayoung, yeah...	19:24
ayoung	I'd argue that, in the interest of trackability, we keep specs small and self contained	19:24
rodrigods	++	19:24
ayoung	think "user stories" in an agile methodology more so than a specification in a Big Design Up Front effort	19:24
ayoung	rodrigods, for example, when I review that spec, I need to think about 3 things in order to edit and, hopefully approve. As a reviewer, I can more easily approve each of those separately	19:25
rodrigods	ayoung, there is also the other side: approve fast atomic changes that are more useful in the near future	19:26
ayoung	++	19:26
rodrigods	totally agree that having "polemic" topics such as default policy may slow a lot the spec approval	19:27
ayoung	rodrigods, I would like to have, maybe, two spec templates: small features and large overviews	19:27
esp	hey folks anyone up to schooling me on using keystone v3 https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json	19:27
ayoung	esp, heh...topical	19:27
esp	ayoung: :)	19:28
ayoung	esp, so, that file needs something non-obvious:	19:28
ayoung	you have to define an admin domain	19:28
* esp listening		19:28
esp	ah, yeah gyee clued me into that	19:28
ayoung	esp, OK, so you edit the file and use it, and then you break horizon	19:28
esp	so I created a Cloud Admin	19:28
*** radez is now known as radez_g0n3		19:28
esp	lol	19:28
ayoung	esp, Horizon can't deal with domain scoped tokens	19:28
ayoung	it doens';t know how to fetch them	19:29
esp	well not yet but we are working on it	19:29
ayoung	esp, "we?"	19:29
pabelanger	gyee, thanks	19:29
esp	ayoung: https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow	19:29
ayoung	esp, ah...	19:29
ayoung	esp, thanks for the pointer	19:30
esp	np, I needed to share that sooner than later ;)	19:30
ayoung	esp, then could I get your eyeballs on a required review for that?	19:30
ayoung	esp, https://review.openstack.org/#/c/121281/	19:30
esp	so let’s say that horizon is close to getting domain-scoped-tokens support (it’s still needs some fixin’)	19:30
esp	yes sir	19:31
ayoung	esp, what is your gerrit id?	19:31
esp	daniel-a-nguyen	19:32
ayoung	esp, thanks. added you to it.	19:32
esp	thx	19:33
ayoung	esp, OK, so what else do you need help with on the cloudsample policy file?	19:33
esp	k, so I’m using the upstream policy.v3cloudsample.json	19:33
esp	and I made this change for cloud admin	19:33
esp	"cloud_admin": "rule:admin_required and domain_id:0613cd4e12bc4f5bbf01886c9432daf0",	19:34
esp	then I tried to list projects using the openstack cli	19:34
ayoung	esp want to see the unspeakable things I am proposing for it?	19:35
esp	hahah	19:35
esp	yes	19:35
*** atiwari has quit IRC		19:35
ayoung	esp, https://review.openstack.org/#/c/123509/	19:35
* esp looking		19:36
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: New query params to retrieve the project hierarchy https://review.openstack.org/135309	19:36
esp	ayoung: http://paste.openstack.org/show/158000/	19:36
rodrigods	ayoung, ^	19:36
*** bdossant has quit IRC		19:36
*** atiwari has joined #openstack-keystone		19:37
*** nkinder has quit IRC		19:38
openstackgerrit	Rodrigo Duarte proposed openstack/keystone-specs: New query params to retrieve the project hierarchy https://review.openstack.org/135309	19:38
*** atiwari has quit IRC		19:38
morganfainberg	ayoung, almost done reviewing the unscoped token review.	19:40
morganfainberg	ayoung, erm, no-rescope	19:40
*** chrisshattuck has joined #openstack-keystone		19:40
morganfainberg	ayoung, just making sure tests are covering eveyrthing	19:40
rodrigods	ayoung, https://blueprints.launchpad.net/keystone/+spec/recursive-deletion	19:41
esp	ayoung: so, a silly question. does the https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json work with the openstack client, should I be using curl instead?	19:42
*** atiwari has joined #openstack-keystone		19:42
ayoung	esp, hmmmm	19:42
ayoung	esp, I would guess "no"	19:42
ayoung	it does not work with OSC	19:42
esp	cool	19:42
esp	so let me try curl	19:43
ayoung	OSC doesn't know what kind of token to request either, just like Horizon doesn't	19:43
esp	gotcha, that helps	19:43
ayoung	esp, which is why I'm pushing "domain is-a-project"	19:43
ayoung	esp https://review.openstack.org/#/c/143763/	19:43
esp	yeah I see what you are sayin	19:43
*** atiwari has quit IRC		19:43
ayoung	unfortunatly only WIP as the tests need some serious reworking	19:43
esp	np, for newbies like me it’s a bit confusing what the relationship is between a domain and a project	19:44
ayoung	esp, yeah, so the goal is to allow people to always work with projects, just some projects will be special	19:45
*** atiwari has joined #openstack-keystone		19:47
esp	k, I’ll start following along more closely to this. thx!	19:47
ayoung	esp, raildo was going to take that one and run with it, but I think I know how to fix it....	19:49
*** atiwari has quit IRC		19:49
ayoung	esp but please look ath the auth plugins fix to Django Openstack auth	19:49
ayoung	that one has long reaching consequences, and ... well I should write up a blog post on where we are going there, too	19:50
ayoung	but the short is that it should make V3 support much more correct	19:50
*** atiwari has joined #openstack-keystone		19:51
esp	k, will start there	19:51
*** dims__ has joined #openstack-keystone		19:51
esp	ayoung: this patch is the one that will shove a domain scoped token into horizon https://review.openstack.org/#/c/141153/	19:52
*** atiwari has quit IRC		19:52
ayoung	esp let me see if I can fix Keystone instead, but I'll add that to my review list	19:52
esp	gotcha	19:53
*** atiwari has joined #openstack-keystone		19:53
ayoung	esp, added the other RHers from IdM on that review, as they are also part of the effort: jamielennox\|away and nkinder	19:53
esp	awesome, that should help us out. I’ll get back to ya on how things look with my curl testing.	19:54
*** dims__ has quit IRC		19:56
*** avozza is now known as zz_avozza		19:59
openstackgerrit	Dean Troyer proposed openstack/python-keystoneclient: Handle Keystone default admin_endpoint and public_endpoint settings https://review.openstack.org/147284	20:02
*** pabelanger has left #openstack-keystone		20:03
*** david-lyle has joined #openstack-keystone		20:10
*** dims__ has joined #openstack-keystone		20:11
*** _cjones_ has quit IRC		20:11
*** lhcheng is now known as lhcheng_afk		20:29
*** harlowja is now known as harlowja_away		20:30
*** _cjones_ has joined #openstack-keystone		20:30
*** topol has joined #openstack-keystone		20:35
*** ChanServ sets mode: +v topol		20:35
*** harlowja_away is now known as harlowja		20:38
openstackgerrit	Steve Martinelli proposed openstack/keystone: Classifying extensions and defining process https://review.openstack.org/146793	20:46
openstackgerrit	Steve Martinelli proposed openstack/keystone: Classifying extensions and defining process https://review.openstack.org/146793	20:47
*** atiwari has quit IRC		20:56
*** david-lyle has quit IRC		21:01
*** Ctina__ has joined #openstack-keystone		21:06
*** Ctina_ has quit IRC		21:09
*** _cjones_ has quit IRC		21:10
*** Ctina__ has quit IRC		21:11
*** _cjones_ has joined #openstack-keystone		21:13
*** nkinder has joined #openstack-keystone		21:14
*** topol has quit IRC		21:26
*** atiwari has joined #openstack-keystone		21:27
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add links to extensions that point to api specs https://review.openstack.org/147311	21:32
openstackgerrit	Steve Martinelli proposed openstack/keystone: Add links to extensions that point to api specs https://review.openstack.org/147311	21:37
*** diegows has quit IRC		21:42
*** david-lyle has joined #openstack-keystone		21:42
*** zz_avozza is now known as avozza		21:43
*** chlong has quit IRC		21:47
*** stevemar has quit IRC		21:48
openstackgerrit	Tom Cameron proposed openstack/keystone: Add docstrings to remaining functions https://review.openstack.org/147313	21:49
*** david-lyle has quit IRC		21:49
openstackgerrit	Tom Cameron proposed openstack/keystone: Add docstrings to remaining functions https://review.openstack.org/147313	21:51
*** r-daneel has quit IRC		21:53
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignments Filters Performance https://review.openstack.org/137202	21:56
openstackgerrit	Samuel de Medeiros Queiroz proposed openstack/keystone: Improve List Role Assignment Tests https://review.openstack.org/137021	21:56
*** nellysmitt has quit IRC		21:59
*** radez_g0n3 is now known as radez		22:01
*** atiwari has quit IRC		22:03
*** atiwari has joined #openstack-keystone		22:03
*** Ctina__ has joined #openstack-keystone		22:05
*** joesavak has quit IRC		22:10
*** _cjones_ has quit IRC		22:11
atiwari	morganfainberg, do you have a min for quick question?	22:12
*** _cjones_ has joined #openstack-keystone		22:13
openstackgerrit	Tom Cameron proposed openstack/keystone: Add docstrings to remaining functions https://review.openstack.org/147313	22:14
*** mattfarina has quit IRC		22:18
ayoung	atiwari, I think he's in transit, might not actually be able to respond	22:18
atiwari	ayoung, thanks	22:18
atiwari	I am going to drop on dev mailing list	22:18
atiwari	ayoung, are you coming to mid-cycle meet next week?	22:19
*** dims__ has quit IRC		22:20
*** dims__ has joined #openstack-keystone		22:21
*** blinky_ghost has quit IRC		22:23
*** diegows has joined #openstack-keystone		22:24
*** dims__ has quit IRC		22:25
openstackgerrit	Brant Knudson proposed openstack/keystonemiddleware: Add python-memcached to test-requirements https://review.openstack.org/146332	22:29
*** EmilienM is now known as EmilienM\|afk		22:32
*** david-lyle has joined #openstack-keystone		22:33
*** mflobo_ has quit IRC		22:34
*** bknudson has quit IRC		22:37
*** josecastroleon_ has quit IRC		22:39
*** gordc has quit IRC		22:39
*** afaranha has quit IRC		22:39
*** radez is now known as radez_g0n3		22:44
*** dims__ has joined #openstack-keystone		22:45
dstanek	atiwari: hi	22:52
atiwari	dstanek, hi	22:52
dstanek	atiwari: trouble with your Mac i see	22:52
atiwari	thanks for looking	22:53
atiwari	dstanek, can you give more details	22:53
dstanek	atiwari: what version of openssl do you have? i have heard that it's not easy to get openssl working on Mac	22:53
atiwari	OpenSSL 1.0.1k 8 Jan 2015”	22:54
dstanek	atiwari: i'm creating a new venv to see if i can replicate	22:55
*** jamielennox\|away is now known as jamielennox		22:56
openstackgerrit	Merged openstack/python-keystoneclient: Updated from global requirements https://review.openstack.org/146166	23:00
dstanek	atiwari: looks like the venv was created properly and the tests are now running	23:01
dstanek	openssl tests are failing :-(	23:01
*** bknudson has joined #openstack-keystone		23:03
*** ChanServ sets mode: +v bknudson		23:03
openstackgerrit	Brant Knudson proposed openstack/python-keystoneclient: Switch from oslo.utils to oslo_utils https://review.openstack.org/145968	23:04
*** Ctina__ has quit IRC		23:04
dstanek	atiwari: you seem to be using cryptography and i think i am not	23:04
dstanek	atiwari: oh, nm - i was looking in a different VM - it's at least installed into py27	23:05
*** abhirc has quit IRC		23:06
atiwari	dstanek, so you did not get the error?	23:07
*** dims__ has quit IRC		23:07
*** abhirc has joined #openstack-keystone		23:08
*** _cjones_ has quit IRC		23:09
morganfainberg	atiwari: finishing up a meeting will be done in an hour or so.	23:10
atiwari	morganfainberg, np I am talking to dstanek	23:10
*** _cjones_ has joined #openstack-keystone		23:11
*** dims__ has joined #openstack-keystone		23:15
*** david-lyle has quit IRC		23:16
*** _cjones_ has quit IRC		23:18
dstanek	atiwari: no, i get this: CalledProcessError: Command 'openssl' returned non-zero exit status 0	23:22
dstanek	atiwari: i have a much older version though	23:22
atiwari	you can upgrade and try	23:22
dstanek	OpenSSL 0.9.8za 5 Jun 2014	23:22
atiwari	I think that is not recommended	23:23
*** _cjones_ has joined #openstack-keystone		23:25
gyee	atiwari, just install homebrew and your life will be easier on mac	23:27
atiwari	I used the homebrew	23:28
atiwari	and used the same to install openssl	23:28
atiwari	:(	23:28
gyee	still no love?	23:28
atiwari	no	23:28
atiwari	look at this http://lists.openstack.org/pipermail/openstack-dev/2014-August/044539.html	23:28
atiwari	close	23:28
*** carlosmarin has joined #openstack-keystone		23:30
gyee	can you run openssl cli?	23:30
*** abhirc has quit IRC		23:32
dstanek	atiwari: what does 'otool -L _Cryptography_cffi_70441dc9x8be47966.so' tell you it's linking against?	23:32
*** dims__ has quit IRC		23:32
dstanek	gyee: homebrew is OK - i would be nice if mac had real package managemet	23:33
*** _cjones_ has quit IRC		23:33
atiwari	am I suppose to give full path on the lib?	23:34
atiwari	otool -L _Cryptography_cffi_70441dc9x8be47966.so	23:34
atiwari	error: /Library/Developer/CommandLineTools/usr/bin/otool: can't open file: _Cryptography_cffi_70441dc9x8be47966.so (No such file or directory)	23:34
atiwari	(keystone279)ARVTIWAR-M-J00G:keystone arvtiwar$ otool -L _Cryptography_cffi_70441dc9x8be47966.so	23:34
dstanek	atiwari: yes	23:34
dstanek	it's in your traceback	23:34
atiwari	otool -L /Users/arvtiwar/cloudDev/openstack/keystone/.tox/py27/lib/python2.7/site-packages/cryptography/_Cryptography_cffi_70441dc9x8be47966.so	23:35
atiwari	/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)	23:35
atiwari	/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)	23:35
atiwari	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)	23:35
atiwari	is it not linking to the latest?	23:35
dstanek	atiwari: doesn't look like it - your paths were likely messed up with crytography was installed	23:37
atiwari	hmm	23:37
atiwari	but these two command give me the correct result	23:39
gyee	atiwari, I am running openssl 1.0.1e	23:39
gyee	try 'brew install openssl'	23:39
atiwari	which openssl	23:39
atiwari	/usr/bin/openssl	23:39
atiwari	(keystone279)ARVTIWAR-M-J00G:keystone arvtiwar$ openssl version	23:39
atiwari	OpenSSL 1.0.1k 8 Jan 2015	23:39
atiwari	which openssl	23:39
atiwari	/usr/bin/openssl	23:40
atiwari	(keystone279)ARVTIWAR-M-J00G:keystone arvtiwar$ openssl version	23:40
dstanek	gyee: i think he already did that	23:40
atiwari	OpenSSL 1.0.1k 8 Jan 2015	23:40
atiwari	which openssl	23:40
atiwari	/usr/bin/openssl	23:40
atiwari	(keystone279)ARVTIWAR-M-J00G:keystone arvtiwar$ openssl version	23:40
atiwari	OpenSSL 1.0.1k 8 Jan 2015	23:40
atiwari	which openssl	23:40
atiwari	/usr/bin/openssl	23:40
atiwari	(keystone279)ARVTIWAR-M-J00G:keystone arvtiwar$ openssl version	23:40
atiwari	OpenSSL 1.0.1k 8 Jan 2015	23:40
atiwari	let me try	23:40
*** _cjones_ has joined #openstack-keystone		23:40
gyee	interesting	23:40
dstanek	atiwari: you may need to relink 'brew link --force openssl'	23:40
dstanek	your /usr/bin/openssl is 1.x?	23:40
atiwari	let me try that	23:40
gyee	why it is still loading 0.9.8?	23:41
dstanek	http://chriskief.com/2014/03/25/installing-cryptography-via-pip-with-macports-or-homebrew/	23:41
atiwari	ghee you have to create soft link and delete the old one	23:42
atiwari	dstanek, no that does not solve the issue	23:42
dstanek	gyee: if mac is like linux it will do dynamic loading based off an env variable	23:43
atiwari	brew unlink openssl && brew link --force openssl	23:43
atiwari	Unlinking /usr/local/Cellar/openssl/1.0.1k... 0 symlinks removed	23:43
atiwari	Linking /usr/local/Cellar/openssl/1.0.1k... 1146 symlinks created	23:43
dstanek	atiwari: you will have to recompile cryptography me thinks	23:43
atiwari	so it will be just "pip install cryptography"	23:44
atiwari	right	23:44
atiwari	it is in keystone dependency	23:44
gyee	is your openssl linked with cms enabled?	23:44
dstanek	i would trash the venv and rebuild	23:44
gyee	nm `which openssl` \| grep -i cms	23:44
gyee	s/linked/compiled/	23:45
atiwari	let me try	23:49
gyee	also, like dstanek said, run 'otool -L `which openssl`' to see which dl it is loading	23:50
gyee	the fact that it is loading the 0.9.8 dls means your installation is likely fubar	23:50
dstanek	i think that morganfainberg was recently having an issue with macs and libs	23:52
*** chrisshattuck has quit IRC		23:57
*** avozza is now known as zz_avozza		23:58
*** jorge_munoz has quit IRC		23:59
dstanek	this is where my Mac-fu ends and my hatred begins.... 'man install_name_tool' and good luck!	23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!