Monday, 2016-01-11

« Sunday, 2016-01-10 Index Tuesday, 2016-01-12 »
openstackgerritStephen Balukoff proposed openstack/octavia: Add L7 database structures  https://review.openstack.org/26543000:04
openstackgerritStephen Balukoff proposed openstack/octavia: Update repos for L7 objects / methods  https://review.openstack.org/26552900:06
*** bana_k has joined #openstack-lbaas00:21
openstackgerritStephen Balukoff proposed openstack/octavia: Add L7 database structures  https://review.openstack.org/26543000:26
*** chlong has quit IRC00:32
openstackgerritStephen Balukoff proposed openstack/octavia: Update repos for L7 objects / methods  https://review.openstack.org/26552900:38
*** bana_k has quit IRC00:42
*** ducttape_ has quit IRC00:43
*** blogan_ has quit IRC00:47
*** chlong has joined #openstack-lbaas00:49
*** bochi-michael has joined #openstack-lbaas00:51
*** ducttape_ has joined #openstack-lbaas00:52
*** mixos has joined #openstack-lbaas00:53
*** ducttape_ has quit IRC00:54
*** _ducttape_ has joined #openstack-lbaas00:54
*** _ducttape_ has quit IRC01:05
*** chlong has quit IRC01:09
*** mixos has quit IRC01:13
*** mixos has joined #openstack-lbaas01:15
*** chlong has joined #openstack-lbaas01:23
openstackgerrittianqing proposed openstack/neutron-lbaas: Remove invalid fields of healthmonitor when its type is TCP/PING  https://review.openstack.org/26314101:37
*** mixos has quit IRC01:39
*** paco20151113 has joined #openstack-lbaas01:41
*** bana_k has joined #openstack-lbaas01:50
*** mixos has joined #openstack-lbaas01:57
openstackgerritPaco Peng proposed openstack/octavia: Move docstrings to the first line of the function definition  https://review.openstack.org/26514101:57
*** Tiancheng has joined #openstack-lbaas02:03
*** ducttape_ has joined #openstack-lbaas02:06
*** ducttape_ has quit IRC02:10
*** prabampm has joined #openstack-lbaas02:11
*** johnsom has quit IRC02:16
*** bana_k has quit IRC02:20
*** armax has joined #openstack-lbaas02:32
*** johnsom has joined #openstack-lbaas03:29
*** links has joined #openstack-lbaas03:48
*** ducttape_ has joined #openstack-lbaas03:49
*** ducttape_ has quit IRC03:53
*** prabampm1 has joined #openstack-lbaas04:02
*** prabampm has quit IRC04:03
*** prabampm1 has quit IRC04:06
*** bana_k has joined #openstack-lbaas04:31
*** davidlenwell_ is now known as davidlenwell04:35
*** prabampm has joined #openstack-lbaas04:43
*** ducttape_ has joined #openstack-lbaas04:50
*** ducttape_ has quit IRC04:56
*** armax has quit IRC04:58
openstackgerritPhillip Toohill proposed openstack/octavia: Remove OpenSSL from cert_parser  https://review.openstack.org/26546705:00
*** mixos has quit IRC05:02
*** yamamoto has joined #openstack-lbaas05:04
*** yamamoto has quit IRC05:04
*** yamamoto has joined #openstack-lbaas05:05
*** yamamoto has quit IRC05:05
*** blogan_ has joined #openstack-lbaas05:05
*** allan_h has joined #openstack-lbaas05:17
*** yamamoto has joined #openstack-lbaas05:18
*** allan_h has quit IRC05:19
*** yamamoto has quit IRC05:22
*** yamamoto has joined #openstack-lbaas05:22
openstackgerritPhillip Toohill proposed openstack/octavia: Remove OpenSSL from cert_parser  https://review.openstack.org/26546705:23
*** yamamoto has quit IRC05:25
openstackgerritPhillip Toohill proposed openstack/octavia: Remove OpenSSL from cert_parser  https://review.openstack.org/26546705:35
openstackgerritStephen Balukoff proposed openstack/octavia: WIP: Add L7 api  https://review.openstack.org/26569005:59
openstackgerritBrandon Logan proposed openstack/octavia: Implementing EventStreamer  https://review.openstack.org/21873506:15
*** yamamoto has joined #openstack-lbaas06:22
*** bochi-michael has quit IRC06:30
*** bochi-michael has joined #openstack-lbaas06:34
openstackgerritStephen Balukoff proposed openstack/octavia: WIP: Add L7 api  https://review.openstack.org/26569006:53
*** blogan_ has quit IRC07:00
*** paco20151113 has quit IRC07:22
*** yamamoto has quit IRC07:37
*** chlong has quit IRC07:39
openstackgerritStephen Balukoff proposed openstack/octavia: WIP: Add L7 api  https://review.openstack.org/26569008:15
*** openstackgerrit has quit IRC08:32
*** openstackgerrit has joined #openstack-lbaas08:33
*** yamamoto has joined #openstack-lbaas08:37
openstackgerritStephen Balukoff proposed openstack/octavia: WIP: Tests for L7 API  https://review.openstack.org/26571808:41
*** yamamoto has quit IRC08:44
*** bana_k has quit IRC08:44
*** numans has joined #openstack-lbaas09:09
*** bochi-michael has quit IRC09:11
openstackgerritElena Ezhova proposed openstack/neutron-lbaas: Add scenario test for load balancer's session persistence  https://review.openstack.org/20794509:23
*** yamamoto has joined #openstack-lbaas09:36
*** yamamoto has quit IRC09:38
*** yamamoto has joined #openstack-lbaas09:39
*** bana_k has joined #openstack-lbaas09:40
*** bana_k has quit IRC09:47
*** yamamoto has quit IRC09:57
*** yamamoto has joined #openstack-lbaas09:57
*** yamamoto has quit IRC10:10
*** yamamoto has joined #openstack-lbaas10:11
*** Tiancheng has quit IRC10:32
*** yamamoto has quit IRC11:00
*** yamamoto has joined #openstack-lbaas11:00
*** yamamoto has quit IRC11:03
*** yamamoto has joined #openstack-lbaas11:03
*** yamamoto has quit IRC11:26
*** bana_k has joined #openstack-lbaas11:28
*** bana_k has quit IRC11:33
*** eezhova has joined #openstack-lbaas11:37
*** chlong has joined #openstack-lbaas11:57
*** rtheis has joined #openstack-lbaas12:09
*** rtheis_ has joined #openstack-lbaas12:20
*** rtheis has quit IRC12:22
*** yamamoto has joined #openstack-lbaas12:26
*** HenryG has quit IRC12:27
*** HenryG has joined #openstack-lbaas12:27
*** yamamoto has quit IRC12:30
*** alejandrito has joined #openstack-lbaas12:45
*** alejandrito has quit IRC12:46
*** alejandrito has joined #openstack-lbaas12:46
*** ljxiash has joined #openstack-lbaas12:58
*** nmagnezi has joined #openstack-lbaas12:59
*** yamamoto has joined #openstack-lbaas13:02
*** prabampm has quit IRC13:05
*** doug-fish has joined #openstack-lbaas13:09
*** links has quit IRC13:13
*** ducttape_ has joined #openstack-lbaas13:13
*** bana_k has joined #openstack-lbaas13:16
*** bana_k has quit IRC13:21
*** prabampm has joined #openstack-lbaas13:26
*** ducttape_ has quit IRC13:35
*** yamamoto has quit IRC13:42
*** bana_k has joined #openstack-lbaas14:00
*** yamamoto has joined #openstack-lbaas14:02
*** bana_k has quit IRC14:05
*** ducttape_ has joined #openstack-lbaas14:19
*** ducttape_ has quit IRC14:24
*** Tiancheng has joined #openstack-lbaas14:25
*** xiaohhui has quit IRC14:30
*** xiaohhui has joined #openstack-lbaas14:31
*** numans has quit IRC14:39
*** ducttape_ has joined #openstack-lbaas14:43
*** neelashah has joined #openstack-lbaas14:49
*** Tiancheng has quit IRC14:55
*** Tiancheng has joined #openstack-lbaas14:55
*** prabampm has quit IRC14:59
*** nmagnezi has quit IRC15:09
*** neelashah has quit IRC15:12
*** neelashah has joined #openstack-lbaas15:12
*** neelashah1 has joined #openstack-lbaas15:15
*** mixos has joined #openstack-lbaas15:16
*** neelashah has quit IRC15:17
*** neelashah has joined #openstack-lbaas15:19
*** neelashah1 has quit IRC15:20
*** mixos has quit IRC15:25
*** mixos has joined #openstack-lbaas15:27
*** neelashah1 has joined #openstack-lbaas15:42
*** neelashah has quit IRC15:43
*** neelashah has joined #openstack-lbaas15:45
*** neelashah1 has quit IRC15:46
*** neelashah has quit IRC15:49
*** neelashah has joined #openstack-lbaas15:50
*** neelashah1 has joined #openstack-lbaas15:53
*** neelashah has quit IRC15:54
*** neelashah has joined #openstack-lbaas15:57
*** sbalukoff has quit IRC15:57
*** neelashah1 has quit IRC15:58
*** neelashah1 has joined #openstack-lbaas16:03
*** neelashah has quit IRC16:04
*** neelashah has joined #openstack-lbaas16:07
*** neelashah1 has quit IRC16:08
blogangood morning16:08
*** Tiancheng has quit IRC16:12
xgermangood morning16:26
xgermanjohnsom is already on his way to San Antonio… how’s the weather? Do I need to bring a (rain) coat?16:27
blogan30% chance of rain wednesday and thursday16:27
blogancolder than normal 50s-60s16:28
*** mixos has quit IRC16:30
xgermanso basically - Seattle?16:30
*** ljxiash has quit IRC16:31
*** jwarendt has joined #openstack-lbaas16:31
*** bdrich has joined #openstack-lbaas16:33
bloganjust maybe!16:34
bloganwe changed the weather for yall16:34
*** mixos has joined #openstack-lbaas16:46
*** yamamoto has quit IRC16:53
*** armax has joined #openstack-lbaas16:55
*** mixos has quit IRC17:01
openstackgerritPhillip Toohill proposed openstack/neutron-lbaas: Pass service admin auth from the Octavia driver  https://review.openstack.org/26438217:02
*** mixos has joined #openstack-lbaas17:03
*** eranra has joined #openstack-lbaas17:05
*** mixos has quit IRC17:11
*** mixos has joined #openstack-lbaas17:12
*** yamamoto has joined #openstack-lbaas17:13
*** yamamoto has quit IRC17:13
*** bana_k has joined #openstack-lbaas17:28
*** bharathm has joined #openstack-lbaas17:28
*** ajmiller_ has joined #openstack-lbaas17:33
*** bana_k has quit IRC17:35
*** minwang2 has joined #openstack-lbaas17:36
*** ajmiller__ has joined #openstack-lbaas17:36
*** ajmiller has quit IRC17:36
*** bana_k has joined #openstack-lbaas17:37
*** ajmiller_ has quit IRC17:38
*** doug-fish has quit IRC17:41
*** doug-fish has joined #openstack-lbaas17:42
*** neelashah1 has joined #openstack-lbaas17:44
*** eranra has quit IRC17:45
*** neelashah has quit IRC17:45
*** doug-fish has quit IRC17:47
*** neelashah has joined #openstack-lbaas17:47
*** neelashah1 has quit IRC17:48
*** ajmiller__ is now known as ajmiller17:49
*** neelashah1 has joined #openstack-lbaas17:51
*** neelashah has quit IRC17:52
*** numans has joined #openstack-lbaas17:55
*** neelashah1 has quit IRC17:56
*** neelashah has joined #openstack-lbaas17:56
*** numans has quit IRC18:06
*** kevo has joined #openstack-lbaas18:06
*** yamamoto has joined #openstack-lbaas18:13
*** madhu_ak has joined #openstack-lbaas18:16
openstackgerritPhillip Toohill proposed openstack/neutron-lbaas: Update admin auth data for devstack  https://review.openstack.org/26596818:17
ptoohillneutron.conf needs those same values, ajmiller johnsom blogan ^18:17
*** _cjones_ has joined #openstack-lbaas18:18
*** yamamoto has quit IRC18:21
*** Aish has joined #openstack-lbaas18:27
xgermanblogan I thought I saw a pack tenant_id -> project_id in neutron labs - Heat thinks they can keep tenant_id: https://review.openstack.org/#/c/239755/20/heat/tests/openstack/neutron/inline_templates.py18:27
rm_workxgerman: I think that's internally in our DB but externally on the API we take project_id?18:30
rm_workor at least, both?18:30
rm_worklet me look18:30
xgermanyeah, I don’t really understand why heat thinks they should do tenenat_id18:30
rm_worki think he is just saying he thinks it still expects tenant_id18:31
xgermanmmh, if we do both they should use the new one - my 2 ct18:31
rm_workhmmm18:31
rm_workhttps://github.com/openstack/neutron-lbaas/blob/master/neutron_lbaas/extensions/loadbalancerv2.py#L15918:31
rm_worklooks like still project_id there too18:32
rm_workbut I remember there being a patch to change this18:32
rm_worksame as you :/18:32
rm_workblogan: blogan T_T18:32
xgermanyep18:32
*** bana_k has quit IRC18:32
*** bharathm has quit IRC18:33
*** bharathm has joined #openstack-lbaas18:40
*** neelashah has quit IRC18:44
*** barra204 has joined #openstack-lbaas18:55
*** shakamunyi has quit IRC18:56
*** diogogmt has joined #openstack-lbaas19:01
*** doug-fish has joined #openstack-lbaas19:03
*** doug-fish has quit IRC19:07
*** doug-fish has joined #openstack-lbaas19:07
*** shakamunyi has joined #openstack-lbaas19:12
*** barra204 has quit IRC19:12
*** neelashah has joined #openstack-lbaas19:15
openstackgerritPhillip Toohill proposed openstack/neutron-lbaas: Pass service admin auth from the Octavia driver  https://review.openstack.org/26438219:19
bloganxgerman: tenant_id for neutron-lbaas was never changed to project-id, just octavia19:22
xgerman:-=(19:22
bloganxgerman: the reason being, neutron itself hasn't done that change either and a lot of the tenant_id figuring out resides in neutron19:22
xgermanok, so, they are right19:23
dougwigWe should take and emit both. Don't care what we store it as.  And a helper accessor for internal method lookups.  iMO19:23
bloganunless heat is doing octavia stuff19:23
blogandougwig: we can start adding project_id into the bodies19:24
dougwigAnd silently accept with doc ing it.  There's no good reason to break anyone with that kind of thing imo.19:27
dougwigWithout doc ing19:27
blogani agree, just wait until neutron v3 to totally remove it19:27
doug-fishhey all, I'm talking with jpomeroy about the lbaas-dashboard and certificates ... and trying to make sure we understand how the SSL certificates page should be driven by the APIs19:28
doug-fishare we correct in assuming that the only container types that should be listed are certificate containers?19:28
doug-fishso we should exclude rsa and generic containers?19:28
xgermanrm_work - would know more. But I have only seen certificate containers so far19:29
rm_workfor LBaaS that is all we use19:29
ptoohillFor our impl we only utilize cert containers19:29
ptoohillyea19:30
doug-fishcool19:30
markvanrm_work: and those cert containers are equally applicable to other backends besides octavia, like haproxy?19:30
rm_workyes19:31
markvanrm_work: thx19:31
*** neelashah has quit IRC19:31
rm_workthe code to handle them is in neutron-lbaas19:31
rm_workso any driver can just ask "give me the cert and key for this LB" and it gets it19:31
*** neelashah has joined #openstack-lbaas19:31
rm_workthe octavia driver just ... doesn't ask, and passes the reference directly19:31
markvanok, that makes sense.   For octavia, it also has a cert_manager= local option, that would not be supported then?19:32
rm_workaugh19:32
rm_workcert_manager=local is ...19:33
rm_worka bit of a relic19:33
rm_workI don't know that it would ever really work19:33
markvanok19:33
rm_workit was supposed to go along with a change to allow EITHER a ref OR actual certs to be passed in19:33
rm_workbut that part was never added to the API19:33
rm_workso there is no way to actually use it currently19:33
rm_workit can probably be removed :/19:33
rm_workconsidering adding a Swift driver19:34
doug-fishI feel like Indiana Jones19:34
rm_workheh19:34
*** minwang2 has quit IRC19:34
rm_workxgerman: are you flying currently? not flying yet? already arrived?19:35
rm_workxgerman: what is your state, RE: Flying19:35
doug-fishhas anyone had a chance to look at the lbaas-dashboard patches? We've got quite a few awaiting review19:35
rm_workhopefully we will this week19:35
*** ducttape_ has quit IRC19:36
*** minwang2 has joined #openstack-lbaas20:00
*** bharathm has quit IRC20:04
xgermanrm_work will start flying around 4 ish — was at lunch20:05
bloganrm_work: are you sitting? standing? talking? what is your state RE: physical body20:05
xgerman(4 ish pacific)20:05
xgermanblogan lol20:05
rm_workblogan: sitting20:14
rm_workxgerman: ok, so you get in late20:14
rm_workwon't try to meet you for BBQ dinner then :P20:14
xgermanwell, I will be hungry at 9 pm when I get in :-)20:14
xgermanjohnsom gets in way earlier20:15
bloganxgerman, rm_work: https://review.openstack.org/#/c/265322/20:19
rm_workblogan: what does like 118 return? doesn't 119 *run* the result of 118? my bash might be rusty, but .....20:22
rm_workhttps://review.openstack.org/#/c/265322/2/devstack/plugin.sh20:22
*** ducttape_ has joined #openstack-lbaas20:24
rm_workyeah you're forking the run of the result of 118, IIRC, which seems weird20:25
bloganyeah, but easiest way to assign it a variable, only problme with it is you won't see the output but i don't think thats a big deal20:30
bloganand my bash sucks so there could be a better way to do that but thats just the way i've seen it done20:30
rm_workalright20:33
rm_workwell, as long as that's the intention20:33
rm_workI was just confused because20:34
rm_work$(neutron port-create --name octavia-health-manager-listen-port --binding:host_id=$(h20:34
rm_workostname) lb-mgmt-net | awk '/ id | mac_address / {print $4}')20:34
rm_workat its heart is the return from "neutron port-create"20:34
rm_workwhich ... why would that return something that is valid bash code20:35
bloganyeah and grepping through taht to find the values20:35
openstackgerritPhillip Toohill proposed openstack/neutron-lbaas: Update admin auth data for devstack  https://review.openstack.org/26596820:35
blogans/grepping/awking20:35
rm_workwhat *value* would it return that would be valid bash20:35
openstackgerritPhillip Toohill proposed openstack/neutron-lbaas: Pass service admin auth from the Octavia driver  https://review.openstack.org/26438220:35
bloganits returning strings after the awk20:35
rm_work....20:36
rm_workwhat is an example of what it returns20:36
*** bharathm has joined #openstack-lbaas20:36
rm_work"rm -rf /" ? :P20:36
bloganuuid\nmac20:36
rm_workthat command is making a port, why would it return CODE?20:36
rm_workok so20:36
rm_workwhy would you EXECUTE a uuid?20:36
bloganwhen you create anything with neutron or nova it always returns text20:37
rm_work... ok20:37
rm_workit returns text20:37
rm_workthen you RUN the text20:37
rm_workthat it returned20:37
bloganno i'm assigning it a variable20:37
rm_workas bash20:37
rm_workuhh20:37
rm_workare we reading the same thing?20:37
rm_work118 you run the command and store the result in a variable20:37
bloganoh you're talking about 11920:37
rm_work119 you RUN the result that you just stored, and save THAT result in the same variable20:38
rm_workwhich if the result of 118 has id_and_mac="someUUID"20:38
rm_workthen you're going to have the result be an error20:38
rm_worklol20:38
rm_workyeah I don't exactly understand how this works20:38
bloganoh honestly i just pulled that off stackoverflow on how to basically split a string and then pull each token out20:38
bloganall i know is it works20:39
rm_work<_<20:39
rm_workit shouldn't20:39
bloganif you've got a better way to do that please do it20:39
bloganwell you could just copy those lines and run it yourself and see20:39
bloganbc it does20:39
rm_worki need to see what running "neutron port-create" returns20:39
rm_workdont' have a devstack box up right now20:39
blogana tabel of values like any neutron/nova20:40
ptoohillit returns a table thing doesnt it? like every call does20:40
bloganno different than neutron port-get20:40
ptoohillyea20:40
rm_workok but like, WHAT20:40
rm_workwhat is in the table20:40
bloganjust test it out!20:40
ptoohillso, i thought thats how you were supposed to pull it out20:40
rm_work[14:40:00]  <rm_work>dont' have a devstack box up right now20:40
ptoohillor 'the way'20:40
rm_work118 yes20:40
rm_work119 wtf20:40
rm_workthere is nothing wrong with what 118 does20:40
rm_workthat looks perfectly correct20:40
ptoohillthat should be the value that was parsed from the table with awk20:41
rm_workyes.20:41
rm_workthen you run that value20:41
rm_workas bash code20:41
rm_workon line 11920:41
rm_workexec(the_returned_uuid)20:42
ptoohillhe got a return of values20:42
ptoohilloh, then hes doing it again20:42
ptoohillyea, why is 119 needed20:42
ptoohillwhich is what i think adam is getting at20:42
rm_work119 SHOULD totally break this20:42
rm_workwhat does 118 return20:42
ptoohillwell its just reassignment right?20:43
rm_work"echo ec2602e8-b8a3-11e5-8adb-28cfe9205489" ?20:43
rm_workno20:43
ptoohillif anything he doesnt need that line at all20:43
ptoohillwhat would that do then?20:43
rm_work("ls")20:43
rm_worktry that in BASH20:43
rm_worklol20:43
rm_work("123456")20:43
rm_workit's an exec20:43
rm_workfork & execute20:43
ptoohilltrue20:44
ptoohillyea, im not sure what thats there for then20:44
rm_workit should not just be extraneous, it should be actively breaking this20:44
ptoohillmagic blogan bashing20:44
rm_workI guess I will have to spin up devstack to see what neutron's port create function returns20:45
rm_workmaybe it returns a table of "echo" commands20:45
rm_work>_>20:45
ptoohillit shouldnt :P20:45
ptoohillmaybes its the new thing though20:46
rm_workI would like to see where blogan copied this from20:46
ptoohillhe decided to run and hide20:47
ptoohill:P20:47
rm_worklol20:47
ptoohillthink hes on his 1-120:47
rm_workah20:47
rm_workdo you have devstack up that you could run a port-create and gist the output?20:47
ptoohillnot up, just failed20:47
rm_workk20:48
rm_worklet me try to bring one up really quick I guess <_<20:48
ptoohilltrying again20:48
ptoohillit didnt like my py3 env20:48
rm_workreally quick -> 25min20:48
ptoohill:(20:48
ptoohillyea ><20:48
ptoohillmines running again20:48
ptoohillit should stack this time20:48
rm_workwell I started one20:50
ptoohillwell I started one20:50
ptoohilltoo20:50
rm_work:P will see20:50
ptoohill:P20:51
*** amotoki has joined #openstack-lbaas20:52
ptoohillsob20:53
dougwigptoohill: ping.20:53
ptoohilldougwig: pong20:53
dougwigptoohill: regarding your cert review, are there really no higher level routines that do all that parsing gunk for us?20:54
ptoohillThat was a rework to remove OopenSSL20:54
*** doug-fish has quit IRC20:54
ptoohillWhat are you think about? Those are the api I was asked to use, I supposed we could look more into it, or maybe im unsure which part youre talking about.20:55
*** doug-fish has joined #openstack-lbaas20:55
ptoohillmaybe i just coded something silly?20:55
dougwigand that's good, but why are we taking apart chains and such inside an lbaas module?  there aren't routines to just stash and verify those without a bunch of tweaking?20:56
dougwigand aside from that, why'd the cert in the test change? if it's compatible, shouldn't the old test cert be valid?20:56
ptoohillOh, hmm. Good question. Honestly, im not incredibly familiar and had to do some learning to rework it20:56
ptoohilli would need to ask/verify with carlos/adam for more info20:56
ptoohillthat cert was invalid from the get go20:56
ptoohill:/20:57
dougwighahaha.20:57
dougwigok, at some point my wi-fi challenged review will come back. let me know, and i'll flip it around.20:58
*** doug-fish has quit IRC20:59
ptoohillIll see if i can get hold of carlos, maybe this is something we can clear up tomorrow or something. I think he went this route because we needed some data within the certs like SAN/hostnames for some reason20:59
*** doug-fish has joined #openstack-lbaas21:00
dougwigfor SNI maybe?21:05
ptoohillOh yea21:07
ptoohillthats right, we needed the hostnames for SNI21:07
ptoohillThough, i dont have an answer if theres something else that can do this21:07
ptoohilli know crypto is becoming the 'standard' and this is the way carlos intially did it. I'm asking him now for more info21:08
dougwigi'm surprised that we didn't just ask for the hostname along with the cert for SNI.  be easier than trying to infer it.21:11
dougwigbut i'm way way late on that feedback.21:12
*** bdrich has quit IRC21:12
ptoohillWe would need a list of hosnames and the cert they match to when we just get a container. unless barbican gives some of that data i think this was required. though, thats just me and my 'knowledge'21:13
*** madhu_ak has quit IRC21:16
*** madhu_ak has joined #openstack-lbaas21:19
dougwigweird flight.  odd combo of dead calm and drink spilling turbulence.  :)21:20
ptoohilldougwig: It seems that crc32|znc  was convinced to use this level for it for whatever reason, he may jump in here and can explain better. But he went with this. Also, on the hostname topic, if we want to take in the hosts we would need to create another object of sorts that contains the barbican container and a mapping of names/cert since we read DNSName entries from intermediates.21:32
bloganrm_work: you may remove that -1 and do a +A at any time :)21:34
rm_workdougwig: so the old cert in the test was actually invalid, and the parsing in PyOpenSSL was incomplete and didn't notice it was invalid21:34
rm_workdougwig: the parsing is more accurate/complete in cryptography so it caught the error in the test cert21:34
rm_workblogan: yep :P21:34
ptoohillrm_work: carlos mentioned that he was using something else but was convinced to go this route21:34
rm_workso, AFAIK there is no good upstream cert parsing utility21:34
rm_workI was hoping cryptography would *add* some functions for this21:35
rm_workbut they don't exist at the moment21:35
rm_workoslo was another option but getting new code into oslo is pain21:35
ptoohillasyn1 he said he was using that, but im not famililar enough in either direction to have opinion21:35
*** crc32 has joined #openstack-lbaas21:36
ptoohillHere he is21:36
ptoohillThough I dont know if dougwig hit turbulence again and we lost him. :)21:36
rm_workasyn1?21:37
rm_workoh21:38
rm_workASN121:38
ptoohillcrc32:  The original question was why are we not using a higher level lib to do this parsing. You mentioned asyn1 as a higher level lib but was convinced to go another route. I was under the impression we needed this level to parse out hostnames, can asyn1 do that?21:38
ptoohillasn121:38
ptoohillyea, cp21:38
rm_workASN1 is still pretty low level21:38
rm_workalmost LOWEST level, in fact21:38
blogancan any1 do that?21:38
rm_workcryptography's parsing is higher level than using ASN1 to parse the cert :/21:38
dougwigtrying...  blogan, you can +A if it doesn't go through21:38
rm_workwell, *it* is using asn1 to parse the cert, because asn1 is a schema21:38
bloganrm_work: http://unix.stackexchange.com/questions/217877/single-parenthesis-in-bash-variable-assignment21:39
crc32what ever we usee needs to get hostnames from both the CN of the subject names as well as from the AlternateNames from an extension field.21:39
dougwigthat seems like a helper that should live in barbican or oslo.21:39
rm_workdougwig: oslo maybe21:39
crc32if anyone wants to use a another library thats fine. I guess we difffer on what a High level library is.21:39
rm_workdougwig: barbican is looking to drop certificate support longterm21:40
rm_workdougwig: and split into KMS (barbican, going forward) and a CMS (some new project)21:40
crc32at the time I wrote it even barbican cryptography wasn't parsing it out.21:40
dougwigcrc32: if you have to crack a chain of int ca's, it's not high-level to me.  :)21:40
dougwigbut we're academic now, because it's in the gate.21:40
blogani like academies21:40
xgermanrm_work barbican wants to split again...21:41
rm_workhttps://pypi.python.org/pypi/pem/21:41
rm_workbut it is currently failing build, so.... lol21:41
crc32thats fine dougwigg. is there a library then that does this? I can generate certs for testing.21:41
xgermanthose people!!21:41
rm_workxgerman: it'd be better for us if they did :/21:41
bloganbarbican = barbisplit21:41
rm_workthough I am thinking for generation I'd rather use Anchor anyway21:41
xgermanyep, barbican't21:42
xgermanAnchor +!21:42
rm_workyour anchor plugin for the cert manager interface is ready, right?21:42
xgermanyep, works21:42
rm_worki'd like to merge that and switch over to it in devstack if we can during the midcycle21:42
rm_workif we have time21:42
crc32asyn1 to me just feels like XML parsing. Except theres no illusion that a human can read the actual format.21:42
xgermanAnchor is not in devstack… but I don;t see why not21:42
xgermanI runs fine for me in a screen (though manually installed)21:42
rm_workxgerman: it's just a thing to install21:43
dougwigrm_work: if barbican splits, can we get a sane API that doesn't delete in-use resources?  :)21:43
rm_workheh21:43
rm_workmaybe21:43
rm_workcrc32: the pem library maybe21:43
rm_workcrc32: https://pypi.python.org/pypi/pem/21:43
rm_workimport pem21:43
rm_workpem.parse(pem_string)21:43
rm_workand it gives a list of certs21:43
rm_workor keys21:44
rm_workor whatever21:44
rm_workthough the failing build status in master concerns me slightly21:44
rm_workbut it looks to support py2/py321:44
rm_workand has zero deps21:44
rm_workOH lol hynek manages this21:44
rm_workwhelp21:45
rm_workyeah we should probably use this21:45
rm_worklet me poke at him21:45
ptoohillany problems with that license?21:45
ptoohillprobably not, just curoius21:46
rm_workI'm asking him about it21:46
rm_workshouldn't be, it's MIT and is just a lib21:46
bloganneturon-lbaas jobs have been purring like a kitten lately, i haven't seen them have false negatives in a while21:46
ptoohillyea21:46
*** bdrich has joined #openstack-lbaas21:46
dougwigmit is a bsd derivative, as is apache. should be fine21:46
ptoohillyou just jinx yourself blogan21:46
rm_workblogan: why u do dis21:47
ptoohillwell, everyone21:47
rm_work^^^21:47
blogani know21:47
rm_workjinxed by blogan21:47
blogani just had to say it21:47
ptoohill><21:47
dougwigthere's a joke in there about blogan being a jinx or something.21:47
crc32import pem21:47
bloganthere's a jinx about dougwig being joke21:48
crc32ImportError: No module named OpenSSL.SSL21:48
bloganbeing a21:48
crc32yes thats cute21:48
rm_worklolwat21:48
ptoohillheh21:48
rm_workit says no deps21:48
rm_workthat is not no deps21:48
rm_workpoking the author now, he still hasn't responded21:48
dougwigimport blogan21:48
dougwigNotFound: check tow lot21:48
bloganbwahahahaha you so funny21:49
bloganthats like a 2 year old joke now21:49
dougwigi have good source material.21:49
blogan2014 called they want their joke back21:49
rm_worklol wow yeah this is part of the twisted plugin for it which we don't even need... lame21:49
xgermanI like the tow joke ;-)21:50
crc32ImportErrorno module name twisted.internet???21:50
crc32I think I got the wrong pem package21:50
blogantwisted imports the internet??21:50
blogani mean it defines the internet21:50
crc32pem==15.0.0 <-- is this our package?21:50
rm_workcrc32: no this is it21:50
rm_worki see why it's happening21:51
crc32no dependencies my ass21:51
rm_workI'm going to get him to fix it21:51
rm_workor submit a patch against it to fix it21:51
rm_workcrc32: try "pem==0.3.0"21:52
rm_work:P21:52
ptoohillSo my patches for 'remove OpenSSL' are still valid, this should be anotehr review to update to new lib?21:52
ptoohillor just drop these and wait?21:52
rm_workptoohill: yes21:52
rm_workptoohill: first one21:52
ptoohillkk21:52
dougwigthey're in the gate already, fine to let them go21:53
ptoohillgood deal21:53
crc32I guess thats the new development model. Tear out existing working functionality in favor of search for a library that does it "higher level". Then fix the library when you find its broken.21:53
*** ducttape_ has quit IRC21:54
rm_workyeah essentially21:54
rm_workbetter than littering the same code all over the place and trying to maintain it in a ton of places21:54
crc32to quote a soon to be ex lbaas-developer "It is what it is".21:54
rm_workheh21:55
ptoohillYea, i certainly see value in not having to maintain it ourself, but if its not stable I dont want to use it21:55
rm_workI'm finding out21:55
rm_workit's maintained by one of the main crypto/pyopenssl devs that I already know21:55
rm_workso21:55
crc32just find a working library. I'm not cool with the lets break our code and fix some one elses library instead mentality.21:55
crc32ah thats explains it.21:56
rm_workjust give me a bit to find out what's going on21:56
ptoohillcrc32: On that note, i see your point, but I also think if we can remove 'low level code that doesnt really need to be part of ours then why not? It makes us a cleaner, hopefully more stable product21:57
ptoohillAssuming the libs we use are stable, but...21:57
dougwigi think half the lbaas team is on this flight.21:57
ptoohillon that note, we had neutron crap on us even this weekend21:58
ptoohillso yea21:58
ptoohillnice21:58
xgermandougwig mine is at 4 pm so… still time to break somethinh but I need to start getting to the airport ;-)21:59
*** davidlenwell has quit IRC22:05
*** woodster_ has joined #openstack-lbaas22:06
ptoohillway to go blogan: http://logs.openstack.org/68/265968/2/check/gate-neutron-lbaasv2-dsvm-listener/47ab84d/console.html22:12
*** doug-fish has quit IRC22:12
ptoohillHe did it, hes a walking curse22:13
*** doug-fish has joined #openstack-lbaas22:13
crc32yea go for it.who's a walking curse?22:14
ptoohillblogan22:14
ptoohillHe just HAD to say SOMETHING22:14
ptoohillNow everything will go up in flames22:15
bloganson of a22:15
crc32yea now he's getting mad at me for no reason.22:15
ptoohilllol22:15
ptoohilllol22:15
crc32I forget what I said but he snapped and put his head phones on.22:15
ptoohillHe realized he cursed the rest of the week and is ashamed22:16
bloganreally wish you could use assertEquals in classmethods22:16
crc32I remember when I used to be the one on the team with a temper. Then I had a heart attack.22:16
*** rtheis_ has quit IRC22:17
*** doug-fish has quit IRC22:17
*** rtheis has joined #openstack-lbaas22:17
*** rtheis has quit IRC22:18
crc32finally pem loaded.22:19
crc32I needed service_identity twisted pyopenssl. Some how I got pyasn1.22:19
crc32hey rm_work which method disects an x509?22:20
rm_workpem.parse()22:22
rm_workjust pass the pem string to it and it gives you a list back of certs22:23
rm_workI tried it on your test certs from octavia and it worked great22:23
rm_workeven filtered the junk22:23
ptoohilldougwig: 1.0.1?22:27
ptoohill1.1.0?22:28
*** davidlenwell has joined #openstack-lbaas22:29
crc32it picked up the subject alt names?22:29
dougwigptoohill: 1.0.1 is fine. we've probably missed bumps of it in the past.22:29
ptoohill:)22:29
bloganptoohill: looks like that is failing bc that test is sending in odd tenant_ids and neutron-lbaas doesn't do validation on it, but octavia validates that its a uuid22:30
ptoohillthe one i pasted?22:30
bloganyeah22:31
bloganbut then i'd expect it to faill all the time22:31
ptoohilli was seeing provisioning status22:31
bloganso tahts the confusing piece22:31
bloganwhat do you mean?22:31
crc32ptoohill what are you getting for the SNI hosts on this cert http://pastebin.com/xe9GAP7i22:36
*** neelashah has quit IRC22:37
crc32I get back a Certificate inst but  the library is hiding the methods on this object. I don't see any methods that are usfull in getting the SNI attrs22:38
rm_workoh, yeah no22:38
rm_workpem is literally just for splitting, lol22:39
rm_workyou'd still need to load each up with cryptography to get the altnames out22:39
rm_workit just replaces the text parsing stuff22:39
crc32you mean like its just using the "--- BEGIn <BLAH> ----22:40
crc32 to detect the object type?22:40
rm_workyes22:40
rm_workwait do we even do that still?22:40
crc32I don't unless you consider parsing "--- <BLAH BLAH BLH>----" to be a low level operation that we are against.22:41
rm_workah yeah right, we do it with IMDs22:41
rm_worki mean... eh?22:41
rm_worki don't care a lot, was just trying to mollify dougwig22:41
rm_workfor parsing out subjectAltNames, cryptography *is* high level22:42
*** doug-fis_ has joined #openstack-lbaas22:42
dougwigcrc32: parsing protocol strings is low-level by definition. i'm not sure we are "against" it.22:42
ptoohillIf PEM lib is 'saving' one line of code I dont see another dep worth it22:42
rm_workthe only "low level" thing we do that we could really have a library do is parsing the intermediates string into individual certs22:42
crc32thats low level?22:42
dougwigwas just asking if there was something higher-level, not trying to require it. seems odd that a language like python has such poor utility routines for certs.22:43
rm_worknotice the quotes22:43
crc32ok as long as you find a way to get the SNI hosts and that method is RFC complient meaning subjectAltNames then go for it.22:43
dougwigcrc32: if parsing strings is high-level for you, we have very different definitions.22:43
rm_workstring parsing is, in general, not something I *ever* want to be responsible for22:43
crc32Reeating: ok as long as you find a way to get the SNI hosts and that method is RFC complient meaning subjectAltNames then go for it.22:43
dougwigeh, question answered, we can move on.  if we find a really good abstraction, we can revisit.22:44
blogansounds like we should do our library22:44
bloganown22:44
crc32dougwig I already knew we had differen't definitions between high and low level. For example back in the day C was still considered high level for me.22:44
bloganimport neutron_lbaas_octavia_cert_parsing_library22:44
rm_workblogan: that's what we do now :P22:45
bloganboom release it22:45
dougwigcrc32: well, we're in the context of a python wsgi app, not in the context of machine code.  it's all bout frame of reference.  :)22:45
*** doug-fis_ has quit IRC22:46
crc32dougwig: yea I can agree with tha.22:52
openstackgerritPhillip Toohill proposed openstack/neutron-lbaas: Pass service admin auth from the Octavia driver  https://review.openstack.org/26438222:54
*** mixos has quit IRC22:54
*** crc32 has quit IRC23:08
openstackgerritMerged openstack/neutron-lbaas: Replace deprecated library function os.popen() with subprocess  https://review.openstack.org/26559023:09
*** crc32 has joined #openstack-lbaas23:13
*** crc32 has quit IRC23:15
*** crc32 has joined #openstack-lbaas23:15
openstackgerritMerged openstack/neutron-lbaas: Remove OpenSSL from cert_parser  https://review.openstack.org/26545723:17
*** ducttape_ has joined #openstack-lbaas23:25
*** amotoki has quit IRC23:25
*** alejandrito has quit IRC23:40
Aishrm_work: hi23:56
« Sunday, 2016-01-10 Index Tuesday, 2016-01-12 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!