Thursday, 2011-03-03

« Wednesday, 2011-03-02 Index Friday, 2011-03-04 »
*** reldan has joined #openstack00:00
*** pvo has quit IRC00:00
devcamcarjk0, kpepple: review is up: https://code.launchpad.net/~ken-pepple/nova/dynamicinstancetypes/+merge/5025700:00
devcamcarback in a few00:01
*** littleidea has quit IRC00:01
jk0cool00:01
jk0kpepple: we might get this yet tonight :)00:01
*** rds__ has quit IRC00:01
kpepplejk0: maybe00:02
kpepplejk0: how do you want to handle the style issues ?00:02
jk0I wasn't aware of any written guidelines on stuff like that, but I suppose it wouldn't hurt to fix them up since it was requested in the review00:03
jk0(I personally prefer it the way it is)00:03
*** joearnold has quit IRC00:05
kpepplejk0: okay, i'm updating nova-manage00:05
*** mray has quit IRC00:06
*** vvuksan has quit IRC00:12
kpepplejk0: i'm almost through all of them ... just running tests now.00:17
*** johnpur has quit IRC00:21
*** grapex has left #openstack00:28
devcamcarjk0: style nits were just to keep codebase consistent00:29
jk0I hear ya00:30
kpeppledevcamcar: on your last review note (954), don't i need the context as for the decorator ?00:34
devcamcarkpepple: shouldn't, its just a positional arg00:35
*** mustfg has quit IRC00:39
*** adiantum has quit IRC00:42
*** dubsquared has quit IRC00:42
*** adiantum has joined #openstack00:47
kpeppledevcamcar: on the "Why are all of these removed? There are a lot more." in regards to the docs -- i spoke with anne about this yesterday and she said it can be either way (they are generated docs) ... i'll put them back in00:48
devcamcarkpepple: if its stuff that is autogenerated it probably doesn't belong there.  i guess do whatever anne thinks is best there :)00:51
devcamcarkpepple: though if we're going to remove stuff like that its better to do it in its own branch00:51
kpeppledevcamcar: do you have a more preferred way of raising DB errors generated through the API ? or is just logging the DB error fine ...01:01
*** pvo has joined #openstack01:01
jk0kpepple: what lines are you referring to? the DBException (or whatever it's called)?01:02
kpepplejk0: the "exception.NotFound" from instance_types.py01:02
devcamcarkpepple: not sure, let me see if i can find an example01:03
openstackhudsonProject nova build #593: SUCCESS in 1 min 48 sec: http://hudson.openstack.org/job/nova/593/01:03
openstackhudsonTarmac: Fixes Bug #715424: nova-manage : create network crashes when subnet range provided is not enough , if the network range cannot fit the parameters passed, a ValueError is raised01:03
uvirtbotLaunchpad bug 715424 in nova "nova-manage : create network crashes when subnet range provided is not enough" [Low,Fix committed] https://launchpad.net/bugs/71542401:03
jk0ah01:03
jk0hm01:03
jk0I think we could get by logging the DB error (if that's where the real error lies)01:04
jk0unless devcamcar is referring to something else01:04
devcamcarjk0: yea01:04
*** pvo has quit IRC01:05
kpeppledevcamcar , jk0 : ok, setting up a nova.instance_types log and i'll LOG.exception them01:05
jk0ah yeah, .exception is the way to go01:05
jk0especially if we don't know where the exception is going to come from01:06
*** clauden_ has quit IRC01:06
jk0(just found what devcamcar was referring to)01:06
devcamcarword01:08
openstackhudsonProject nova build #594: SUCCESS in 1 min 44 sec: http://hudson.openstack.org/job/nova/594/01:08
openstackhudsonTarmac: Very simple change checking for < 0 values in "limit" and "offset" GET parameters. If either are negative, raise a HTTPBadRequest exception. Relevant tests included.01:08
*** adiantum has quit IRC01:12
*** reldan has quit IRC01:14
*** MotoMilind has quit IRC01:14
nelsonwoot01:16
kpepplejk0 , devcamcar : just pushed revno 696 which i believe addresses all the code review concerns01:17
jk0excellent01:17
*** adiantum has joined #openstack01:17
devcamcarnice01:18
*** sandywalsh has quit IRC01:18
*** perestrelka has quit IRC01:19
*** perestrelka has joined #openstack01:19
*** burris has quit IRC01:19
*** gregp76_ has joined #openstack01:24
*** littleidea has joined #openstack01:25
jk0kpepple / devcamcar shall we get this merged? :)01:26
*** cascone has joined #openstack01:28
devcamcar34+            instance_types.create(name, memory, vcpus, local_gb,01:29
devcamcar35+                                  flavorid, swap, rxtx_quota, rxtx_cap01:29
devcamcaryou can put that on multi lines if you want01:29
devcamcarits just for the defs01:29
devcamcarso01:29
devcamcar.create(name,01:30
devcamcar        memory,01:30
devcamcaretc01:30
devcamcaris fine01:30
jk0oh, *now* you like my method!01:30
jk0:P jjk01:30
devcamcarhah01:33
devcamcarkpepple: 817+        except:01:33
devcamcarpep8 probably going to complain about that01:33
kpeppledevcamcar: surprisingly it didn't (i have the pep8 bzr-commit hook)01:34
devcamcarcool01:34
kpeppledevcamcar: but noted ... let me change that01:34
devcamcarkpepple: gave it the lgtm01:36
devcamcarnice work!01:36
jk0\o/01:36
jk0thanks devcamcar01:37
kpeppledevcamcar: thx for all the help on this01:37
kpepplejk0: let me push this one last change in01:38
jk0werd01:38
devcamcari'm off, later gang01:38
jk0night night01:38
*** perestrelka has quit IRC01:39
*** pyros_xx has quit IRC01:39
*** dweimer has quit IRC01:39
*** maplebed has quit IRC01:39
*** dysinger has quit IRC01:39
*** eday has quit IRC01:39
*** cw has quit IRC01:39
jk0kpepple: I'll approve it when you push that thru01:39
*** dweimer has joined #openstack01:39
*** adiantum has quit IRC01:41
kpepplejk0: just pushed 697 which should be it01:41
* jk0 waits for the diff update01:41
*** perestrelka has joined #openstack01:43
*** pyros_xx has joined #openstack01:43
*** maplebed has joined #openstack01:43
*** dysinger has joined #openstack01:43
*** eday has joined #openstack01:43
*** cw has joined #openstack01:43
*** niven.freenode.net sets mode: +v eday01:43
*** pyros_xx has quit IRC01:43
jk0kpepple: approved. should merge whenever LP gets around to it :)01:44
kpepplejk0: very cool. thank for all the help on this.01:44
* kpepple wanders off in search of frosty beverages01:45
jk0no, thank YOU (you saved me a lot of work) :)01:45
jk0yeah, it is beer time now01:45
jk0l8r man01:45
*** perestrelka has quit IRC01:45
*** maplebed has quit IRC01:45
*** dysinger has quit IRC01:45
*** eday has quit IRC01:45
*** cw has quit IRC01:45
*** dovetaildan has joined #openstack01:45
kpepplejk0: later01:48
jk0kpepple: wait01:48
jk0kpepple: tests failed on hudson01:49
kpepplejk0: you got a link ... tests run fine on my machine01:49
jk0kpepple: oopsies -- rename your migration file to 00801:49
jk0I added 007 this evening :o01:49
jk0sorry, should have caught that01:49
* kpepple thinks migration files are going to be the death of him01:49
jk0haha01:49
jk0didn't we start out on like 003?01:49
kpepplejk0: yes. let me merge trunk and mv the file over.01:50
*** littleidea has quit IRC01:50
*** perestrelka has joined #openstack01:51
*** maplebed has joined #openstack01:51
*** dysinger has joined #openstack01:51
*** eday has joined #openstack01:51
*** cw has joined #openstack01:51
*** niven.freenode.net sets mode: +v eday01:51
*** adiantum has joined #openstack01:52
jk0well, at least it's an easy fix :)01:53
kpepplejk0: yeah, just running the tests01:53
kpepplejk0: okay, merged trunk, bzr mv migration file and re-pushed at revno 69901:54
*** gregp76_ has quit IRC01:54
jk0werd, one sec01:54
jk0waiting on LP of course01:55
jk0*caugh* wish we used github *caugh*01:55
* jk0 sweeps dead horse back under matt for now01:56
*** dendrobates is now known as dendro-afk01:56
jk0kpepple: approving. standby01:58
*** burris has joined #openstack02:02
jk0kpepple: merged. go on about your business ;)02:07
*** Ryan_Lane has joined #openstack02:07
openstackhudsonProject nova build #595: SUCCESS in 1 min 47 sec: http://hudson.openstack.org/job/nova/595/02:07
openstackhudsonTarmac: merges dynamic instance types blueprint (http://wiki.openstack.org/ConfigureInstanceTypesDynamically) and bundles blueprint (https://blueprints.launchpad.net/nova/+spec/flavors)02:08
kpepplejk0: excellent. thx.02:08
jk0you betcha~02:09
*** Ryan_Lane has quit IRC02:13
*** adjohn has quit IRC02:20
*** adiantum has quit IRC02:24
*** adiantum has joined #openstack02:25
*** adiantum has quit IRC02:31
*** adiantum has joined #openstack02:31
*** sandywalsh has joined #openstack02:34
*** mray has joined #openstack02:34
*** adiantum has quit IRC02:38
*** adiantum has joined #openstack02:50
*** MarkAtwood has joined #openstack02:50
*** MarkusT has quit IRC03:05
*** adiantum has quit IRC03:09
*** syah has quit IRC03:11
*** syah has joined #openstack03:13
*** adiantum has joined #openstack03:16
*** MarkusT has joined #openstack03:19
*** mdomsch has joined #openstack03:19
*** pvo has joined #openstack03:20
*** lamar has joined #openstack03:22
*** dendro-afk is now known as dendrobates03:23
*** mray has quit IRC03:31
*** mahadev has quit IRC03:35
*** RJD22 is now known as RJD22|away03:37
*** RJD22|away is now known as RJD2203:48
*** rchavik has joined #openstack03:48
*** mahadev has joined #openstack03:52
*** adiantum has quit IRC03:53
*** RJD22 is now known as RJD22|away03:53
*** mahadev has quit IRC03:56
*** adiantum has joined #openstack03:56
*** thielmann_ has joined #openstack03:59
*** MarkAtwood has quit IRC03:59
*** kainam has quit IRC04:00
*** arcane has joined #openstack04:00
*** MarkusT has quit IRC04:02
*** mahadev has joined #openstack04:03
*** RJD22|away is now known as RJD2204:05
*** dendrobates is now known as dendro-afk04:06
*** adiantum has quit IRC04:09
*** kazu has quit IRC04:16
*** adiantum has joined #openstack04:16
*** dirakx has joined #openstack04:18
*** adiantum has quit IRC04:23
*** adjohn has joined #openstack04:26
*** adiantum has joined #openstack04:29
*** pvo has quit IRC04:43
*** dendro-afk is now known as dendrobates04:45
*** lstoll has quit IRC04:53
*** lstoll has joined #openstack04:54
*** lamar has quit IRC04:57
*** lamar has joined #openstack05:01
*** littleidea has joined #openstack05:05
*** h1nchtastic has quit IRC05:10
*** h1nch has joined #openstack05:10
*** annegentle has quit IRC05:10
*** annegentle has joined #openstack05:11
*** fysa has quit IRC05:11
*** lamar has quit IRC05:24
*** adiantum has quit IRC05:25
*** dendrobates is now known as dendro-afk05:30
*** adiantum has joined #openstack05:30
*** localhost3 has quit IRC05:34
*** f4m8_ is now known as f4m805:45
*** littleidea has quit IRC05:49
*** fysa has joined #openstack05:54
*** adiantum has quit IRC05:57
*** MarkAtwood has joined #openstack05:58
*** adiantum has joined #openstack06:02
*** zenmatt has quit IRC06:17
*** littleidea has joined #openstack06:27
*** littleidea_ has joined #openstack06:46
*** littleidea has quit IRC06:46
*** littleidea_ is now known as littleidea06:46
*** MarkAtwood has quit IRC06:49
*** miclorb has quit IRC06:50
*** adiantum has quit IRC06:55
*** MarkAtwood has joined #openstack06:56
*** guigui has joined #openstack06:57
*** hazmat has joined #openstack06:58
*** adiantum has joined #openstack07:00
*** Manikandan has joined #openstack07:01
Manikandanhi all, in openstack compute i have to install both compute and client separately07:03
*** Nacx has joined #openstack07:04
*** adiantum has quit IRC07:08
*** brd_from_italy has quit IRC07:08
*** mgoldmann has joined #openstack07:09
*** hazmat has quit IRC07:10
*** adiantum has joined #openstack07:13
*** fysa_ has joined #openstack07:16
*** fysa has quit IRC07:18
*** fysa_ is now known as fysa07:18
*** naehring has joined #openstack07:22
*** slyphon has quit IRC07:25
*** reldan has joined #openstack07:28
*** masumotok has joined #openstack07:29
*** kashyap has joined #openstack07:30
*** mahadev has quit IRC07:33
*** fysa has quit IRC07:34
*** gasbakid has joined #openstack07:36
*** adiantum has quit IRC07:39
*** adiantum has joined #openstack07:40
*** fysa has joined #openstack07:41
*** rcc has joined #openstack07:43
*** allsystemsarego has joined #openstack07:44
*** gregp76_ has joined #openstack07:46
*** mdomsch has quit IRC07:51
*** reldan has quit IRC07:53
*** gregp76_ has quit IRC07:58
*** MarkAtwood has quit IRC08:09
*** noguchi has joined #openstack08:10
*** mahadev has joined #openstack08:11
*** littleidea has quit IRC08:21
*** 16WAAKRE3 has joined #openstack08:29
*** ewindisch has joined #openstack08:29
*** hazmat has joined #openstack08:30
*** 16WAAKRE3 has quit IRC08:30
*** ewindisch has quit IRC08:30
*** ewindisch has joined #openstack08:30
*** ewindisch has quit IRC08:32
*** mgoldmann has quit IRC08:34
*** miclorb has joined #openstack08:35
*** mgoldmann has joined #openstack08:36
*** DigitalFlux has joined #openstack08:37
*** ramkrsna has joined #openstack08:43
*** ramkrsna has joined #openstack08:43
*** Oneiropolo has joined #openstack08:45
Oneiropoloi have a question for about node fail over08:47
Oneiropolois there somebody can help?08:47
*** mahadev has quit IRC08:47
*** daveiw has joined #openstack08:48
kpeppleOneiropolo: what do you mean by node fail over ?08:48
Oneiropolowhen a server is broke down08:49
kpeppleOneiropolo: yeeesss :)08:49
Oneiropoloswift is using consistent hashing ring08:49
kpeppleOneiropolo: ahhh ... you are talking about swift ... i thought you were talking about nova (we have a new live migration feature coming)08:50
kpeppleOneiropolo: probably can't help you on the swift one ...08:50
Oneiropolooh, that sounds cool08:50
Oneiropolonova gonna have new feature .08:50
Oneiropoloanyway, my question is08:50
Oneiropolowhen a object node is fail.08:50
Oneiropolothere are some replications for that node data.08:51
Oneiropoloat that time, those replications serve the request directly?08:51
Oneiropoloor just give copy of the objects to eligible server?08:52
OneiropoloI know that swift is using consistent hashing ring.08:52
Oneiropolothat means that when a node on the ring is fail,08:52
Oneiropoloit doesn't affect other node as much08:52
*** slyphon has joined #openstack08:53
Oneiropoloso in the theory of consistent hashing08:53
Oneiropolothat means the objects which was fail node had should copied to node that right location of the ring.08:54
Oneiropoloi wanna know how swift handle this situation.08:55
*** mikemc_home has joined #openstack08:58
kpeppleOneiropolo: AFAIK, the ring should contain a mapping of object to the 3 partition / physical locations and it will handle the failure by pointing client to another (hopefully alive) location. is this what you are asking ?08:58
Oneiropoloyes08:59
Oneiropoloso, you mean when a node is fail, different node gonna serve that request?08:59
kpeppleOneiropolo: yes, the ring should point the to a different node09:01
Oneiropolodepend on consistent hashing algorithm09:01
kpeppleOneiropolo: yes09:02
Oneiropolothe object should go to right node.09:02
OneiropoloI don't know whether the replicas located in right place (depend on consistent hashing - on the ring)  or just copied to right place09:04
kpeppleOneiropolo: i am not sure on that09:04
Oneiropolookay.09:04
Oneiropolowhat is your guess?09:05
Oneiropolomaybe i need to check out sources but i don't have enough time now .09:05
kpeppleOneiropolo: from reading this (http://swift.openstack.org/overview_architecture.html), it appears that it is configurable09:06
*** Oneiropolo_ has joined #openstack09:07
Oneiropolo_i'm back09:07
*** MarcMorata has joined #openstack09:07
*** adjohn has quit IRC09:08
*** magglass1 has quit IRC09:09
*** j05h has quit IRC09:10
*** j05h has joined #openstack09:10
*** magglass1 has joined #openstack09:11
*** slyphon has quit IRC09:13
*** arun has quit IRC09:15
*** arun has joined #openstack09:15
*** arun has joined #openstack09:15
*** adiantum has quit IRC09:24
*** arun_ has quit IRC09:29
*** adiantum has joined #openstack09:31
*** irahgel has joined #openstack09:36
Oneiropolo_i wanna ask about swift ~09:37
wedjatjust ask09:40
Oneiropolo_thank you wedjat09:52
Oneiropolo_when a server node is fail09:52
Oneiropolo_like object09:52
Oneiropolo_how swift handle this situation ?09:52
Oneiropolo_i thought that09:53
Oneiropolo_it use the consistent hashing09:53
Oneiropolo_so, when a node is fail09:53
Oneiropolo_objects that the node served should move from replication server to service node09:54
*** gasbakid has quit IRC10:01
*** uksysadmin has joined #openstack10:04
Oneiropolo_on swift,10:06
Oneiropolo_devices can added to the ring during service running?10:06
*** daveiw has quit IRC10:16
*** Manikandan has quit IRC10:22
uksysadminjust updated to the latest nova from ppa:  2011.2~bzr757 and now getting ProgrammingError "You have an error in your SQL syntax ... (near ) \n LIMIT 0, 1' at line 3)  it looks like some quotes are missing around %s... anybody else get this?10:23
*** adiantum has quit IRC10:26
*** reldan has joined #openstack10:26
*** miclorb has quit IRC10:34
uvirtbotNew bug: #728342 in nova "ProgrammingError "You have an error in your SQL syntax ... (near ) \n LIMIT 0, 1' at line 3)" [Undecided,New] https://launchpad.net/bugs/72834210:36
*** adiantum has joined #openstack10:38
*** irahgel has quit IRC10:50
*** noguchi has left #openstack10:51
ttxuksysadmin: i'll try to reproduce that10:55
uksysadminttx: cheers10:58
ttxI reproduce it.11:02
*** cascone has quit IRC11:02
*** dragondm has joined #openstack11:04
*** skiold has joined #openstack11:07
ttxuksysadmin: confirmed, that's a critical regression, probably introduced at bzr75711:07
* ttx looks11:07
ttxI lack the sqlalchemy foo to understand why it fails... the definitions seem correct11:12
ttxI reproduce on sqlite, fwiw11:12
ttxkpepple, jk0: ^^11:12
*** h0cin has joined #openstack11:12
*** adiantum has quit IRC11:12
*** adiantum has joined #openstack11:19
*** irahgel has joined #openstack11:21
ttxhrm, looks like this would be wrong:11:23
ttxtype_data = instance_types.get_instance_type([inst['instance_type']])11:23
ttxshould be:11:23
ttxtype_data = instance_types.get_instance_type(inst['instance_type'])11:23
ttxbut then I hit another issue.11:23
*** Oneiropolo_ has quit IRC11:26
*** Oneiropolo has quit IRC11:26
ttxmore after lunch.11:28
BK_manguys, what version of boto do you have in Ubuntu?11:33
*** j05h has quit IRC11:33
*** rds__ has joined #openstack11:34
*** skiold has quit IRC11:36
uksysadminttx: noted, ta.11:38
sorenpython-boto | 1.9b-1ubuntu3 |         lucid | source, all11:38
sorenpython-boto | 1.9b-1ubuntu3 |      maverick | source, all11:38
sorenpython-boto | 1.9b-1ubuntu4 |         natty | source, all11:38
sorenBK_man: ^11:38
BK_mansoren: thanks. That's not a case for me. I really need to figure out which version of euca2ools I need to install to use it with Nova11:39
soren euca2ools | 1.2-0ubuntu10 |         lucid | source, all11:39
soren euca2ools | 1.2-0ubuntu10.1 | lucid-updates | source, all11:39
soren euca2ools | 1.2-0ubuntu11 |      maverick | source, all11:39
soren euca2ools | 1.2-0ubuntu11.1 | maverick-updates | source, all11:39
soren euca2ools | 1.3.1-0ubuntu6 |         natty | source, all11:39
sorenThose are known to work.11:39
BK_mansoren: 1.3.1 fails with euca-get-ajax-console claiming that there is no EC2 attribute 'get-ajax-console', 1.2 if failing due non-existent class ConnectionFailed in  euca2ools/__init__.py11:40
sorenAh.11:40
BK_mansoren: could you please simply run euca-get-ajax-proxy and tell me your output and version of euca2ools?11:41
BK_manproblematic string in euca-get-ajax-console is: from euca2ools import Euca2ool, InstanceValidationError, Util, ConnectionFailed11:41
*** guigui has quit IRC11:42
*** allsystemsarego has quit IRC11:43
*** adiantum has quit IRC11:46
uksysadminttx: nova/virt/libvirt_conn.py already has that change you noted : type_data = instance_types.get_instance_type([inst['instance_type']])11:46
sorenBK_man: tools/euca-get-ajax-console from  current nova trunk gives me: http://paste.ubuntu.com/574935/11:48
BK_mansoren: this is using which version of euca2ools?11:52
soren1.3.1-0ubuntu611:53
BK_mansoren: ok. could you please try to specify instance id?11:54
*** j05h has joined #openstack11:55
BK_mansoren: this is what i got:11:55
BK_manEC2Connection instance has no attribute 'get_ajax_console'11:55
sorenI do too.11:55
sorenAh.11:58
*** sateesh has joined #openstack11:59
sateeshCan some one point me to nova build for 2011.1.111:59
BK_mansateesh: it wan't released yet. You probably want to download a snapshot here: http://nova.openstack.org/tarballs/?C=M;O=D12:00
sateeshBK_man: thanks, do you when is it scheduled for release?12:03
BK_mansateesh: it should be released today. ask ttx for details12:03
sateeshBK_man: thanks12:04
uvirtbotNew bug: #728392 in nova "tools/euca-get-ajax-console fails with euca2ools 1.2 or 1.3.1" [Undecided,New] https://launchpad.net/bugs/72839212:06
sateeshAnybody tried spawning multiple instances parallelly?12:07
uksysadminsateesh, with -n parameter?12:10
*** perestrelka has quit IRC12:11
sateeshuksysadmin: no, running euca-run-instance <instance_id> commands simultaneously.12:11
*** perestrelka has joined #openstack12:11
uksysadminwhy would you do that?12:11
*** allsystemsarego has joined #openstack12:13
*** allsystemsarego has joined #openstack12:13
uvirtbotNew bug: #728398 in nova "tools/euca-get-ajax-console traps early without meaningful error message" [Undecided,New] https://launchpad.net/bugs/72839812:16
*** ctennis_ has quit IRC12:17
*** romain_lenglet_ has joined #openstack12:20
*** Nacx has quit IRC12:27
*** mikemc_home has quit IRC12:28
ttxuksysadmin: the extra pair of braces loses sqlalchemy.12:33
*** ctennis_ has joined #openstack12:34
*** sateesh has quit IRC12:34
uksysadminah - I see12:35
uksysadminI've just changed this and now get another error12:35
uksysadminwhich looks like a log file permissions error so gonna see why that's the case.  at least I don't get the SQL error now.12:37
ttxuksysadmin: "chardev: opening backend "file" failed" ?12:37
uksysadminyeah that's the one12:37
ttxuksysadmin: what was the last version you successfully used ?12:39
* ttx wonders if that's a regression in libvirt 0.8.8-1ubuntu1~ppamaverick112:40
uksysadmin2011.2~bzr74912:40
*** konquertech has joined #openstack12:41
*** konquertech has quit IRC12:42
ttxuksysadmin: the other issue is a regression in libvirt in PPA12:46
ttxsoren: ^12:46
ttxI downgraded to 0.8.3-1ubuntu14 and it works with my patch12:47
ttxuksysadmin: try sudo apt-get install libvirt-bin=0.8.3-1ubuntu14 libvirt0=0.8.3-1ubuntu14 python-libvirt=0.8.3-1ubuntu1412:47
* ttx pushes branch to fix12:48
sorenttx: Sorry, what's the issue?12:50
ttxuksysadmin: any chance you could file your log where soren can see it ?12:51
ttxsoren: libvirt in maverick PPA fails to start instances12:51
ttx"chardev: opening backend "file" failed"12:51
ttxuksysadmin can probably post the full log12:51
*** westmaas1 has quit IRC12:52
uksysadminyeah I'll get a log now... pastebin it?12:54
ttxyep12:54
*** zul has joined #openstack12:55
*** guigui1 has joined #openstack12:56
*** f4m8 is now known as f4m8_12:56
uksysadminsoren, ttx: http://paste.openstack.org/show/792/12:58
uksysadminI'll downgrade as suggested12:58
sorenI'll be able to reproduce in a minute.12:59
ttxuksysadmin: that's what I got too, thanks for the paste12:59
uksysadminnp12:59
ttxsoren: you might need my fix to bug 728342 to reach that point.12:59
uvirtbotLaunchpad bug 728342 in nova "Regression prevents to start any instance through libvirt" [Critical,In progress] https://launchpad.net/bugs/72834212:59
sorenttx: Awesomesauce.13:00
*** ramkrsna has quit IRC13:01
ttxnova-core: regression fix proposed as https://code.launchpad.net/~ttx/nova/lp728342/+merge/52061 -- give it some love before it blocks someone else13:02
uksysadminyeah confirmed the downgrade now works (with the extra square brackets removed in libvirt_conn.py for type_data = instance_types.get_instance_type...13:03
* ttx gets back to his regular schedule: releasing 2011.1.113:03
BK_manttx: release it, please :)13:03
ttxBK_man: before you find another bug :)13:04
* uksysadmin will also refrain from an apt-get update. Every little helps an' all that ;-)13:04
*** BK_man has quit IRC13:07
*** BK_man has joined #openstack13:07
*** kashyap has quit IRC13:07
*** omidhdl has joined #openstack13:11
uksysadminwould be nice to try that new version of libvirt as every now and again I get: libvirtError: internal error Process exited while reading console log output: char device redirected to /dev/pts/313:12
uksysadminseems suspiciously similar to that newer version's error13:13
*** ctennis_ has quit IRC13:14
*** ctennis_ has joined #openstack13:14
*** ctennis has left #openstack13:18
ttxok, it's out.13:19
*** annegentle has quit IRC13:20
BK_manttx: thanks!13:21
* uksysadmin starts a polite applause expecting others to follow13:21
*** annegentle has joined #openstack13:21
* iRTermite applauses like the sheep he's been requested to be. ;)13:22
uksysadminthat was one extra I was expecting13:24
DigitalFluxWhat's up with sudo on the compute workers ?!13:27
DigitalFlux(nova.root): TRACE: Stderr: 'sudo: no tty present and no askpass program specified\n'13:27
ttxDigitalFlux: usually this points to a broken nova_sudoers file13:27
DigitalFluxuksysadmin: Hi man13:27
ttxDigitalFlux: what user are you running nova under ? nova ? root ?13:28
DigitalFluxttx: Could you please give me a sudoers file that works ..13:28
DigitalFluxit's root i guess13:28
DigitalFluxchecking ..13:28
*** kazu has joined #openstack13:28
sorenDigitalFlux: What does the preceding lines say?13:28
DigitalFluxoh first time to notice that13:28
uksysadminDigitalFlux, g'day.13:28
DigitalFluxsoren: it's the 'nova' user13:28
DigitalFluxsoren: it's a long dnsmasq command13:29
DigitalFluxsoren: ttx: how can i just go and run it as root ?13:29
DigitalFluxconfig available for that ?13:29
*** MarcMorata has quit IRC13:29
sorenttx: Darn it, this is a libvirt bug.13:29
DigitalFluxuksysadmin: good day man :)13:29
DigitalFluxsoren: :(, another libvirt bug ?13:30
ttxDigitalFlux: I think that's a bad idea, better fix your nova_sudoers setup13:30
*** ironcamel has quit IRC13:30
DigitalFluxttx: and where is that ? :)13:30
ttxDigitalFlux: /etc/sudoers.d/nova_sudoers13:30
DigitalFluxttx: checking ..13:30
ttxDigitalFlux: (in Ubuntu packaging)13:30
BK_manDigitalFlux: https://github.com/abrindeyev/openstack-nova-rhel6/blob/bexar/SOURCES/openstack-nova-sudoers13:31
*** ironcamel has joined #openstack13:31
DigitalFluxttx: BK_man: I think this is identical to mine13:31
sandywalsh"The diff has been truncated for viewing." ... wuh?! damn you launchpad.13:31
sandywalsh:p13:31
ttxsandywalsh: it's for your owngood :)13:32
DigitalFluxso i should just enter that dnsmasq command here i guess13:32
sorenDigitalFlux: No, same one.13:32
BK_manDigitalFlux: mine should be different - it's from RHEL6 and carefully checked line by libe13:32
BK_mans/libe/line/13:32
DigitalFluxit's already there :(13:32
ttxDigitalFlux: does your /etc/sudoers #include /etc/sudoers.d ?13:32
DigitalFluxttx: OH ! :(13:33
DigitalFluxttx: The default suderos file was replaced by puppet13:33
uksysadminas we seem to be picking on libvirt today - that error I posted earlier regarding reading console log output: char device redirected to /dev/pts/3 seems to be related out of resource (ram)... basically fails ungracefully.13:33
BK_manDigitalFlux: echo '#includedir /etc/sudoers.d' >> /etc/sudoers13:33
DigitalFluxttx: and the include statement is hashed already13:33
ttxDigitalFlux: bad puppet.13:33
DigitalFluxBK_man: I think i should uncomment it, no ?13:33
BK_manDigitalFlux: no13:34
DigitalFluxBK_man: then it's already there ..13:34
*** MarcMorata has joined #openstack13:34
BK_manDigitalFlux: try it - give user nova shell, su - nova and execute sudo -l13:34
soren?!?13:34
soren14:33:49.111: 18995: info : virSecurityDACSetOwnership:99 : Setting DAC user and group on '/var/lib/nova/instances/instance-00000004/console.log' to '18995:1'13:34
*** adiantum has joined #openstack13:37
*** iammartian has quit IRC13:38
DigitalFluxBK_man: yeah, i see that sudo -l lists that nova should do dnsmasq13:38
DigitalFluxhowever i still have the same issue13:39
DigitalFluxnot solved13:39
*** arefaey has joined #openstack13:39
BK_manDigitalFlux: which issue?13:39
DigitalFluxthe 'Stderr: 'sudo: no tty present and no askpass program specified\n'' thingy13:39
sandywalshwhat's the correct way to init a logger in a module now? I thought it had to be more specific than nova.log.basicConfig()?13:41
BK_manDigitalFlux: ah, ok13:41
BK_manDigitalFlux: so where is your include in /etc/sudoers?13:41
BK_manDigitalFlux: mine is at the end13:41
zuli would appreciate if someone reviews nova-lxc please :)13:41
BK_manDigitalFlux: so in default config there is requiretty in the top of /etc/sudoers file and following include at the end of that file disables it specifically for user nova13:42
DigitalFluxBK_man: i don't have this requiretty line13:45
DigitalFluxBK_man: where should it go and what is the line exactly ?13:45
BK_manDigitalFlux: $ sudo grep requiretty /etc/sudoers13:46
BK_manDefaults    requiretty13:46
BK_manDigitalFlux: $ sudo grep requiretty /etc/sudoers.d/openstack-nova13:46
BK_manDefaults:nova !requiretty13:46
DigitalFluxBK_man: ok just to confirm as i forgot the sudoers file format :), it's #include or include ?13:46
*** matclayton has joined #openstack13:47
BK_manDigitalFlux: sudo grep include /etc/sudoers13:47
BK_man#includedir /etc/sudoers.d13:47
*** mgoldmann has quit IRC13:50
*** Nacx has joined #openstack13:51
*** mgoldmann has joined #openstack13:51
*** irahgel has quit IRC13:53
*** ramkrsna has joined #openstack13:53
*** ramkrsna has joined #openstack13:53
*** skiold has joined #openstack14:04
*** Ephur has joined #openstack14:06
DigitalFluxI still can't figure it out14:10
DigitalFluxthe files sames sane to me14:10
DigitalFluxpastebinning them ..14:10
*** omidhdl has left #openstack14:10
DigitalFluxHere is the sudoers file -> http://pastebin.com/zNpYL00X cc: BK_man, soren, ttx14:11
*** stewart has quit IRC14:11
*** stewart has joined #openstack14:11
DigitalFluxAnd here is nova_sudoers -> http://pastebin.com/5YBNfB3D14:12
*** mray has joined #openstack14:13
ttxDigitalFlux: sounds alright to me -- maybe try to restart a few things to get the /etc/sudoers change taken into account14:13
DigitalFluxttx: doing the restart loop ..14:14
creihtdoh, Oneiropolo is gone already :/14:15
*** dprince has joined #openstack14:17
DigitalFluxttx: same error :(14:17
*** gasbakid has joined #openstack14:19
DigitalFluxttx: I even replaced the sudoers file with the default that installs with Ubuntu server14:20
*** vvuksan has joined #openstack14:20
*** gondoi has joined #openstack14:21
*** irahgel has joined #openstack14:21
DigitalFluxttx: can u guide me on how to run nova as root for the moment14:21
DigitalFluxttx: just for a testing installation14:21
ttxDigitalFlux: never tried, but I guess it's just a matter of changing the user starting nova.14:22
DigitalFluxttx: hmm, checking the init scripts14:22
DigitalFluxso the commands is nova-volume --flagfile=/etc/nova/nova.conf nova14:27
DigitalFluxthat 2nd argument is the username ?14:27
*** rchavik has quit IRC14:31
DigitalFluxOK guys i surrender :) soren: ttx: BK_man14:31
DigitalFluxNova-compute and volume is operating using the root user14:31
DigitalFluxand i still get those ssh-askpass errors14:31
*** zenmatt has joined #openstack14:35
sorenlibvirt bug found and fixed.14:36
sorenWill upload in a few minutes if my tests work out.14:36
DigitalFluxsoren: this bug is related to my problem ?14:36
sorenDigitalFlux: Your sudo problem? No.14:37
DigitalFluxsoren: ok14:37
sorenDigitalFlux: Are you sure they14:37
sorenre running as root?14:37
DigitalFluxsoren: here is the o/p of the process list14:38
DigitalFluxsoren: http://pastebin.com/FCEC73Hc14:38
sorenDigitalFlux: And can you paste a full traceback of the error, please?14:38
DigitalFluxsoren: ok ...14:38
*** ppetraki has joined #openstack14:39
DigitalFluxsoren: here it is -> http://pastebin.com/w2gViL3514:39
sorenDigitalFlux: Multi-node install?14:42
DigitalFluxsoren: yup14:42
DigitalFluxsoren: just 2 nodes14:42
sorenDigitalFlux: it's a nova-network problem.14:42
sorenWrong box.14:42
sorenit just passes the error back through rpc.14:42
DigitalFluxDigitalFlux: hmm14:43
*** guynaor has joined #openstack14:46
*** guynaor has left #openstack14:47
ttxsoren: cool14:50
DigitalFluxUnexpected error while running command. Command: sudo brctl addbr br10014:50
*** irahgel has quit IRC14:51
*** zul has quit IRC14:54
*** mdomsch has joined #openstack14:56
*** irahgel has joined #openstack14:56
DigitalFluxnova-network is indeed having problems with ssh-askpass14:58
DigitalFluxok i will make nova on the controller node too start as root14:59
openstackhudsonProject swift build #209: SUCCESS in 37 sec: http://hudson.openstack.org/job/swift/209/15:01
openstackhudsonTarmac: s3api: use boto to get canonical string for signature15:01
openstackhudsonReplace the homegrown function to get a canonical string for signature.15:01
*** zul has joined #openstack15:03
sorenttx: libvirt fix accepted into natty proper, and the maverick and lucid ppa's.15:03
*** littleidea has joined #openstack15:04
ttxsoren: cool15:05
ttxtrying that now15:05
ttxhm, I'll let it build first15:06
*** hazmat has quit IRC15:08
*** mustfg has joined #openstack15:09
sorennatty will be a while before it's published. maverick and lucid not entirely as much.15:09
*** skiold has quit IRC15:10
*** reldan has quit IRC15:12
*** skiold has joined #openstack15:15
mustfgi can someone help me with ssh ´ing into instances created in VLAN mode ? how can i do that ?15:17
vishymustfg: what is the problem?15:19
*** dendro-afk is now known as dendrobates15:21
*** reldan has joined #openstack15:22
*** hazmat has joined #openstack15:23
ttxvishy: please have a look at https://code.launchpad.net/~ttx/nova/lp728342/+merge/52061 -- should be ready to go if you're OK with it15:24
*** mahadev has joined #openstack15:25
sorenttx: It already has two +1's.15:25
vishyttx: saw it, didn't mention anything because there are already two approves15:25
sorenttx: I've just approved it.15:25
ttxsoren: ack, thanks15:25
*** blueadept has joined #openstack15:26
vishysoren: so you found another bug in libvirt?15:27
*** MarkAtwood has joined #openstack15:27
*** msassak has joined #openstack15:27
sorenvishy: Found, fixed, uploaded, sent upstream.15:28
*** MarkAtwood has quit IRC15:28
soren..and accepted upstream, apparantly.15:28
*** MarkAtwood has joined #openstack15:28
sorenhttp://libvirt.org/git/?p=libvirt.git;a=commit;h=e5f3b90e975a21222985641abb4ebaef0e616714 if anyone should care.15:29
vishysoren: cool.  I still haven't gotten lxc to work properly yet.  But I haven't had time to give it a real try since the new libvirt showed up in the ppa15:29
ttxsoren: fix worksforme15:29
soren\o/15:30
*** mahadev has quit IRC15:31
*** littleidea has quit IRC15:31
*** jero has joined #openstack15:31
kpepplettx: just getting up ... and seeing the regression. what needs to be done ?15:31
ttxkpepple: should be fixed now15:31
ttxa few more minutes while hudson digests it15:32
kpepplettx: is that lp728342 ?15:32
ttxyes15:32
*** slyphon has joined #openstack15:32
*** westmaas has quit IRC15:32
sorenIt's in.15:32
*** grapex has joined #openstack15:33
ttxkpepple: nothing like getting your regressions fixed while you sleep :)15:33
*** mahadev has joined #openstack15:33
*** hvaldivia has joined #openstack15:34
kpepplettx: it is my preferred method ... but not the best way to wake up :(15:34
hvaldiviaHi everybody15:34
hvaldiviaI have a question...15:34
*** Vek has quit IRC15:35
ttxhvaldivia: that's good, because we sometimes have answers.15:35
hvaldiviahahaha. wait I'm thinking how to ask my question15:36
kpepplettx: just as a bit of postmortem ... i see why this wasn't caught in unittest (due to the fakes) but why didn't smoketests catch this ? i thought we launched instances there15:36
sorenkpepple: We do, but they're not run prior to merge.15:37
hvaldiviaIf I set --fixed_range=10.0.0.0/1215:37
hvaldiviait means that my vms will have ips in that range (10.0.0.0/12)15:37
sorenkpepple: Yet, at least.15:37
openstackhudsonProject nova build #596: SUCCESS in 1 min 46 sec: http://hudson.openstack.org/job/nova/596/15:37
openstackhudsonTarmac: Fix regression in the way libvirt_conn gets its instance_types15:37
hvaldivialater What does it mean: nova-manage network create 192.168.0.0/24 1 25515:38
hvaldiviaCan I use nova-manage network create 10.0.0.0/24 1 25515:38
hvaldiviaWhat is the differences?15:38
vishyhvaldivia: no15:38
kpepplesoren: where can we access the smoketest run results -- is that the same hudson/jenkins site ?15:38
vishy10.0.0.0/24 1 256 will work though15:39
sorenkpepple: Not yet.15:39
vishykpepple: smoketests aren't run automatically on trunk yet15:39
kpepplesoren , vishy: so as a followup ... how do i execute smoketests locally ?15:39
sorenkpepple: I used to run some smokte tests on trunk, but trunk needs to be fixed before they can start to run again.15:39
hvaldiviavishy: ok but hat does it mean: nova-manage network create 192.168.0.0/24 1 25515:39
hvaldivia?15:39
*** hazmat has quit IRC15:39
vishykpepple: you need to run the system and source an rc file15:40
*** mustfg has quit IRC15:40
hvaldiviawhy no use 10.0.0.0/24 1 256. Here the tutorial http://docs.openstack.org/openstack-compute/admin/content/ch03s03.html15:40
hvaldiviaI am a little confused15:40
vishykpepple: highly recommend these smoketests: lp:~anso/nova/smoketests_fixes15:40
vishywith those you can cd <checkout>/smoketests/15:41
vishyand do python run_tests.py15:41
kpepplevishy: do i run those on a driver systems against the running test system ?15:42
vishyhvaldivia: nework create should always use a subset of fixed_range if you want to avoid issues15:42
vishykpepple: well you can run it locally from the network host15:42
kpepplevishy: ok15:43
vishykpepple: if you want to run them remotely, you need to add a route to get in to the instances private ips and security group rules15:43
*** slyphon has quit IRC15:43
*** mahadev has quit IRC15:43
vishye.g. route add -net <private_range> gw <network host ip>15:44
hvaldiviavishy: ok I think, I understood.15:44
vishyeuca-authorize -P tcp -p 22 default15:44
*** mdomsch has quit IRC15:44
vishyeuca-authorize -P icmp -t -1:-1 default15:44
*** mustfg has joined #openstack15:46
*** mray has quit IRC15:50
*** mahadev has joined #openstack15:50
rds__Hi guys, I'm having some problem with nova-compute(after libvirt upgrade from ppa), here's the error http://pastebin.com/9jQzqvBx15:53
*** imsplitbit has joined #openstack15:53
rds__anyone who can help?15:53
rds__thanks15:53
vishyrds__: yes libvirt bug, soren just patched it15:56
*** mray has joined #openstack15:56
rds__vishy, ok, thanks :)15:57
*** mdomsch has joined #openstack15:57
sorenrds__: It's in the ppa already.15:59
*** naehring has quit IRC16:00
kpepplevishy: anything i need to source before i run your smoketests16:00
* soren wanders off for a while16:00
*** dendrobates is now known as dendro-afk16:02
vishykpepple: yes, a normal rc file16:03
*** maplebed has quit IRC16:04
*** reldan has quit IRC16:05
*** ccustine has joined #openstack16:06
rds__soren, I'm upgrading it now, thanks16:06
jk0ttx: got a bug link?16:07
jk0I'll look at it now16:07
ttxjk0: the fix is in -- was bug 72834216:08
jk0oh good16:08
jk0thanks16:08
uvirtbotttx: Error: Could not parse data returned by Launchpad: The read operation timed out16:08
ttxuvirtbot: no, not this one16:08
uvirtbotttx: Error: "no," is not a valid command.16:08
ttx:P16:08
kpepplevishy: i think i see my problem ... what is the user dependency -- admin user named admin ?16:10
*** mustfg has quit IRC16:10
kpepplevishy: ignore, i got it16:10
vishykpepple: cool.  Our integration testing for anso package builds uses those tests along with vagrant http://ansolabs.no-ip.org:9000/job/vagrant_smoketests/16:12
*** hazmat has joined #openstack16:12
*** Ryan_Lane has joined #openstack16:13
*** rnirmal has joined #openstack16:15
*** reldan has joined #openstack16:18
*** drico has quit IRC16:22
*** rds__ has quit IRC16:23
*** drico has joined #openstack16:23
vishywhat no python-argparse in the glance ppa?16:26
*** hazmat has quit IRC16:28
*** kashyap has joined #openstack16:29
*** kazu has quit IRC16:29
*** arefaey has quit IRC16:35
*** tripson_ has quit IRC16:37
*** guigui1 has quit IRC16:37
*** dendro-afk is now known as dendrobates16:38
*** nelson has left #openstack16:39
*** jdarcy has joined #openstack16:40
BK_mansleepsonthefloor: around?16:40
*** nelson has joined #openstack16:42
*** hvaldivia has quit IRC16:43
*** perestrelka has quit IRC16:46
*** burris has quit IRC16:48
*** reldan has quit IRC16:49
*** gasbakid has quit IRC16:49
*** hvaldivia has joined #openstack16:49
*** uksysadmin has quit IRC16:49
*** gasbakid has joined #openstack16:50
*** neckwarmer has left #openstack16:54
*** pothos_ has joined #openstack16:56
*** imsplitbit has quit IRC16:57
*** viirya has quit IRC16:57
*** johnpur has joined #openstack16:57
*** ChanServ sets mode: +v johnpur16:57
*** viirya has joined #openstack16:57
*** blueadept has quit IRC16:57
*** pothos has quit IRC16:57
*** pothos_ is now known as pothos16:58
*** pothos has quit IRC17:01
*** pothos has joined #openstack17:01
*** zenmatt has quit IRC17:01
*** jaypipes has joined #openstack17:01
*** zenmatt has joined #openstack17:02
*** gdusbabek has quit IRC17:02
*** pandemicsyn has quit IRC17:02
*** gdusbabek has joined #openstack17:02
*** pandemicsyn has joined #openstack17:03
*** thatsdone has joined #openstack17:03
*** odyi has quit IRC17:07
*** odyi has joined #openstack17:07
*** odyi has joined #openstack17:07
*** nelson has quit IRC17:08
*** nelson has joined #openstack17:08
*** thatsdone has quit IRC17:10
openstackhudsonProject nova build #597: SUCCESS in 1 min 45 sec: http://hudson.openstack.org/job/nova/597/17:13
openstackhudsonTarmac: This fix changes a tag contained in the DescribeKeyPairs response from <keypairsSet> to <keySet> so that Amazon EC2 access libraries which does more strict syntax checking can work with Nova.17:13
*** slyphon has joined #openstack17:14
*** skiold has quit IRC17:15
slyphondoes anyone provide commercial support contracts available for swift?17:16
slyphons/available//17:16
DigitalFluxHi17:16
*** spectorclan has joined #openstack17:17
DigitalFluxcannot run lease-init script \\/usr\\/lib\\/pymodules\\/python2.6\\/bin\\/nova-dhcpbridge: No such file or directory\\n'\n"]17:20
DigitalFluxI had to install dnsmasq manually, it was not included as a dependency of nova-network17:20
DigitalFluxis this normal ?17:20
*** westmaas has joined #openstack17:20
jarroddigitalflux i did the same thing17:21
DigitalFluxjarrod: and it throws the above error ?17:21
jarrodoh, i received no error17:22
DigitalFluxhmm17:23
jarrodbut it seems like its looking for that script in that path17:23
jarrodfigure out why its not there17:23
DigitalFluxnova-dhcpbridge is located at /usr/bin/nova-dhcpbridge17:23
DigitalFluxnot in /usr/lib/pymodules/python2.6/bin/nova-dhcpbridge17:23
*** littleidea has joined #openstack17:23
DigitalFluxWhy it's even looking at this dir !17:23
*** joearnold has joined #openstack17:26
*** gondoi_ has joined #openstack17:27
*** dsockwell has quit IRC17:28
*** gondoi has quit IRC17:28
*** dsockwell has joined #openstack17:28
BK_manDigitalFlux: --dhcpbridge=/usr/bin/nova-dhcpbridge17:29
BK_manDigitalFlux: put that line in /etc/nova/nova.conf17:29
DigitalFluxBK_man: ok thanks17:29
DigitalFluxBK_man: i just created a symlink actually17:30
BK_manDigitalFlux: see other possible flags: https://github.com/abrindeyev/openstack-nova-rhel6/blob/master/SOURCES/openstack-nova-cc-config.conf17:30
*** Vek has joined #openstack17:31
*** DigitalFlux has quit IRC17:31
*** littleidea has quit IRC17:35
*** h1nchtastic has joined #openstack17:36
*** h1nch has quit IRC17:37
*** kashyap has quit IRC17:37
*** kashyap has joined #openstack17:37
*** blueadept has joined #openstack17:38
*** piken_ has joined #openstack17:38
*** joearnold has quit IRC17:39
*** Ryan_Lane is now known as Ryan_Lane|away17:40
*** sirp_ has quit IRC17:40
*** sirp_ has joined #openstack17:40
*** piken has quit IRC17:41
*** kainam has joined #openstack17:47
*** Nacx has quit IRC17:47
*** m_3 has quit IRC17:49
*** MarkAtwood has quit IRC17:49
*** arun has quit IRC17:49
*** arcane has quit IRC17:49
*** m_3 has joined #openstack17:50
*** MarkAtwood has joined #openstack17:51
*** arun has joined #openstack17:51
*** m_3 has quit IRC17:51
*** kashyap has quit IRC17:51
*** piken__ has joined #openstack17:51
uvirtbotNew bug: #728587 in nova "OS API /limits resource" [Undecided,In progress] https://launchpad.net/bugs/72858717:51
*** gregp76 has joined #openstack17:52
jaypipessirp_: I'm now done with jury duty, fyi17:52
edayjaypipes: guilty? :)17:52
*** m_3 has joined #openstack17:52
jaypipeseday: not guilty on all 5 counts.17:53
*** piken_ has quit IRC17:54
edayheh17:54
*** zul has quit IRC17:55
jaypipeseday: has anything been decided on Auth standardization in the past three days?17:56
jaypipeseday: I have re-read your email describing Swift and Nova entities and I'm still confused.17:57
jaypipeseday: for instance, in your first sentence after the "Nova" heading, you say "Nova currently has users and groups."17:57
*** MarkAtwood has quit IRC17:57
*** arun has quit IRC17:57
jaypipeseday: bu then you don't explain what a "group" is in the entire paragraph.17:57
jaypipeseday: in fact the term "group" isn't used at all after that first sentence. :(17:58
*** aliguori has joined #openstack17:59
*** m_3 has quit IRC18:01
jaypipescreiht: where can I read some developer-specific docs about auth model in Swift? I can't seem to figure it out. Some Swift URIs seem to use: http://user:key@authurl/container/objname and yet others seem to say that the URI structure is http://user:key@authurl/account/container/objname. Yet others have referred to the URI as http://user:account:key@authurl/container/objname. Which is it?18:01
*** aryan_ has joined #openstack18:02
jaypipescreiht: the above question is re: 2 bugs in Glance I'm trying to get fixed (bug #713126 and bug #717431)18:03
uvirtbotLaunchpad bug 713126 in glance "Swift backend does not support POST" [Critical,In progress] https://launchpad.net/bugs/71312618:03
uvirtbotLaunchpad bug 717431 in glance "Swift backend not taking into account new Swift account:user:key in URI" [High,Confirmed] https://launchpad.net/bugs/71743118:03
*** aryan__ has quit IRC18:03
*** pothos has quit IRC18:03
*** pothos_ has joined #openstack18:03
*** pothos_ is now known as pothos18:04
edayjaypipes: ahh, perhaps I meant 'project' there for Nova18:04
*** m_3 has joined #openstack18:04
edayjaypipes: for swift, the account is always in the URI18:05
jaypipeseday: I think you may have meant "role", but it's not clear18:05
*** mahadev has quit IRC18:05
edayjaypipes: and swift (the service, no auth) only operates in the context of accounts... users is just something optional in an auth layer for swauth18:05
edayjaypipes: the users in swauth allow for different acls for the same account18:06
edayjaypipes: (and this is done via the "groups"18:06
*** zul has joined #openstack18:07
*** grapex has quit IRC18:07
*** hvaldivia has quit IRC18:07
*** rcc has quit IRC18:07
*** londo_ has quit IRC18:07
edayjaypipes: http://swift.openstack.org/overview_auth.html explains it pretty well18:07
*** hvaldivia1 has joined #openstack18:07
*** westmaas has quit IRC18:07
*** jdarcy has quit IRC18:07
*** matclayton has quit IRC18:07
*** westmaas has joined #openstack18:07
*** ppetraki has quit IRC18:07
*** grapex has joined #openstack18:07
edayjaypipes: reread email, "Nova currently has users and groups" should be "Nova currently has users and projects"18:07
*** matclayton has joined #openstack18:08
*** matclayton has left #openstack18:08
*** jdarcy has joined #openstack18:08
jaypipeseday: and for Swift, the account is NOT in the URI in the Swift docs. Could you point me to where you are getting that info?18:08
*** ppetraki has joined #openstack18:08
edayjaypipes: the account is set by the token auth server in the service URL18:08
edayjaypipes: for example, you speak to auth.openstack.org and get back a X-Storage-URL base of swift.openstack.org/v1/account_id18:09
*** j05h has quit IRC18:11
*** flashn has quit IRC18:13
*** flashn has joined #openstack18:13
*** MarcMorata has quit IRC18:13
*** soren has quit IRC18:14
*** Seoman has joined #openstack18:16
edayjaypipes: all operations then happen on top of that18:16
edayjaypipes: and http://docs.openstack.org/openstack-object-storage/developer/content/ch03s01.html#d5e307 does have it in there...18:16
jaypipeseday: You say "Nova currently has users and projects". Sure, but then you go ahead and talk about the concept of "roles" as well, and don't explain what they are.18:16
jaypipeseday: and please show me where the docs are for that in Swift. I can't find them.18:16
*** kbringard has joined #openstack18:16
uvirtbotNew bug: #728597 in nova "OSAPI passes instance_id as unicode" [Low,In progress] https://launchpad.net/bugs/72859718:16
*** soren_ has joined #openstack18:16
jaypipeseday: part of my frustration with Swift is the client tools. In Glance, we're using swift.common.client.Connection() and it's related methods like get_object(), put_container(), etc. NOWHERE is there a mention of account anywhere in swift.common.client.Connection()...18:16
jaypipess/it's/its18:16
*** joearnold has joined #openstack18:16
johnpureday|jaypipes: have you looked at: http: //plansthis.com/auth?18:16
*** arun has joined #openstack18:17
*** arun has joined #openstack18:17
*** MarkAtwood has joined #openstack18:17
*** troytoman-away is now known as troytoman18:18
jaypipeseday: sorry if I find all that documentation obtuse... it just doesn't explain how to *use* the Swift client to access multiple users and accounts... there's just no examples at all of using swift.common.client.Connection.18:18
*** j05h has joined #openstack18:18
jaypipeseday: have you used swift.common.client to actually programmatically connect to a Swift server?18:19
johnpursheesh, how did that space get in there? http://plansthis.com/auth18:19
edayjohnpur: yeah, I read it this morning18:22
*** BK_man has quit IRC18:22
*** comstud has quit IRC18:22
*** cdbs has quit IRC18:22
*** dsockwell has quit IRC18:22
*** devcamcar has quit IRC18:22
*** soosfarm_ has quit IRC18:22
edayjaypipes: I've not tried using swift.common.client, I'm just approaching it from HTTP directly18:22
*** devcamcar has joined #openstack18:23
*** cdbs has joined #openstack18:23
*** cdbs has joined #openstack18:23
*** viirya has quit IRC18:23
*** zykes- has quit IRC18:23
*** widodh has quit IRC18:23
*** mfoemmel has quit IRC18:23
*** Daviey has quit IRC18:23
jaypipescreiht: is swift.common.client even complete code? Should we not be using it?18:23
*** mfoemmel has joined #openstack18:23
*** viirya has joined #openstack18:23
*** ianweller has quit IRC18:23
*** zykes- has joined #openstack18:23
*** widodh has joined #openstack18:24
*** soosfarm has joined #openstack18:24
*** dsockwell has joined #openstack18:24
*** jesse__ has joined #openstack18:24
*** jesse__ is now known as anotherjesse18:24
*** mahadev has joined #openstack18:25
*** jdarcy_ has joined #openstack18:25
*** thielmann__ has joined #openstack18:26
edayjaypipes: it looks complete, the version/account is just passed as part of the url18:27
*** ianweller has joined #openstack18:27
*** ianweller is now known as Guest363318:27
*** magglass2 has joined #openstack18:28
*** etet has quit IRC18:28
edayjaypipes: for example: client.get_container('http://swift.com/v1/my_account', token, 'my_container')18:28
*** MotoMilind has joined #openstack18:28
*** jdarcy_ has quit IRC18:28
*** allsystemsarego_ has joined #openstack18:28
*** irahgel1 has joined #openstack18:28
*** irahgel has quit IRC18:28
*** rackerhacker has quit IRC18:28
*** elasticdog has quit IRC18:28
*** jdarcy has quit IRC18:28
*** thielmann_ has quit IRC18:28
*** magglass1 has quit IRC18:28
*** ppetraki has quit IRC18:28
*** allsystemsarego has quit IRC18:28
*** gasbakid has quit IRC18:28
*** retr0h has joined #openstack18:29
*** retr0h has joined #openstack18:29
MotoMilindJust wanted to confirm that Dashboard doesn't (yet) provide user management functionality, just role management.  Thanks.18:29
*** Guest3633 is now known as ianweller18:30
*** ianweller has joined #openstack18:30
anotherjesseMotoMilind: dashboard supports user/project management in the django admin app18:30
anotherjesseMotoMilind: go to /admin18:30
anotherjessejaypipes / eday this document / branch is a day of work of seeing what ideas from discussions fit nova / openstack18:30
*** ppetraki has joined #openstack18:30
jaypipesanotherjesse: hope to see it on the ML soon.18:31
*** jdarcy has joined #openstack18:31
*** gasbakid has joined #openstack18:31
*** elasticdog has joined #openstack18:31
jaypipeseday: hmm, ok.18:32
*** rackerhacker has joined #openstack18:32
*** devcamca- has joined #openstack18:32
*** cdbs has quit IRC18:32
*** tr3buchet has quit IRC18:32
*** lool has quit IRC18:32
*** devcamcar has quit IRC18:32
*** arun has quit IRC18:32
*** notmyname has quit IRC18:32
*** yosh has quit IRC18:32
*** lool has joined #openstack18:32
*** arun has joined #openstack18:33
*** arun has joined #openstack18:33
*** notmyname has joined #openstack18:33
*** ChanServ sets mode: +v notmyname18:33
*** mfoemmel has quit IRC18:33
*** taihen has quit IRC18:33
*** taihen has joined #openstack18:33
*** cdbs has joined #openstack18:33
*** Daviey has joined #openstack18:33
edayjaypipes: there are no openstack docs really that I can find on how it assume a token server passes back the base service URLs. That's in the rackspace version of the docs (rackspace.com/cloud api docs)18:33
jaypipeseday: so, is the plan to have all OS services use the Swift-style auth system?18:34
*** tr3buchet has joined #openstack18:34
*** mfoemmel has joined #openstack18:34
*** yosh has joined #openstack18:34
tr3buchetinteresting18:34
edayjaypipes: there is no plan right now18:34
jaypipesanotherjesse: have you guys investigated using repoze.what instead of re-inventing a lot of those wheels?18:34
edayjaypipes: we still can't have a discussion since different folks are discussing it privately18:35
jaypipeseday: uhm, there seem to be a whole lot of plans going on behind the scenes off of the mailing lists...18:35
edayjaypipes: I was trying to drive discussioon on the ML the past couple days so we could have a plan, but unless folks are willing to participate, it's pointless, so I stopped18:36
jaypipeseday: yep. I'm catching up on emails since was in jury stuff ...18:36
*** spectorclan has quit IRC18:36
*** jfluhmann has quit IRC18:39
*** jfluhmann has joined #openstack18:40
MotoMilindWhoa, tight.  I can go to /admin for user management, nifty.  Thanks!18:40
*** Adri2000 has quit IRC18:42
*** magglass2 has quit IRC18:48
*** rdw has quit IRC18:49
*** fysa has quit IRC18:50
*** magglass1 has joined #openstack18:50
*** magglass1 has joined #openstack18:50
*** rdw_ has joined #openstack18:50
*** nRy has joined #openstack18:52
*** Adri2000 has joined #openstack18:54
*** lool has quit IRC18:55
*** m_3 has quit IRC18:55
*** vvuksan has quit IRC18:56
*** paltman has quit IRC18:56
anotherjessejaypipes: the code is a proof of concept - using repoze.what (or another solution) is interesting18:57
*** lool has joined #openstack18:57
jaypipesanotherjesse: or, another question, why not use swift's auth design?18:58
*** grapex has quit IRC18:58
anotherjessejaypipes: what parts of it?18:58
anotherjesseswift has internal account18:59
anotherjessethe point of this proposal is that projects shouldn't have accounts18:59
edayanotherjesse: projects in the nova sense, or projects as in other services?19:00
nelsonquestion: should I be caching the auth token for $SOME_TIME, or should I be making a call to the auth server every time?19:00
edayanotherjesse: and if services don't use accounts, what do resources (server, swift object, ...) belong to?19:00
jaypipesanotherjesse: the design of Swift. in other words, having a middleware that inserts an X-Auth-Groups header in the environ and services down the pipe use that header's value...19:00
nelsonThe auth token times out after a period of time ... but if I ask the auth server for another one, it just gives me the same one.19:01
*** zul_ has joined #openstack19:01
jaypipesnelson: for Swift, I assume?19:01
*** zul has quit IRC19:02
anotherjessejaypipes: I think we do that19:02
anotherjessejaypipes: it is that we need to do more19:02
anotherjessejaypipes: if we are pulling out the concept of users/projects from nova19:02
anotherjessewe need to add the ability to implement rbac and other policy questions19:02
jaypipeseday: in your ML email on auth, you say this about Swift: "All operations are done in the context of a user and account. A user19:03
jaypipesmay not be a member of the account it's acting on since resources can specify ACLs, this is especially true for public resources (where user is undefined or anonymous)." Could you explain that?19:03
anotherjessethe IDM is in charge of roles (eg, groups and whatnot)19:03
edayanotherjesse: swauth already has that in there with "groups" and acl's stored per container19:03
jaypipesanotherjesse: and Swift does that by deferring to an external authz service that populates that X-Auth-Groups header...19:03
anotherjessejaypipes: that is not authz - that is authn19:04
edayjaypipes: I was wrong about swift with users, one of the swift guys followed up and explained that's just one auth middleware (groups). swift is only accounts19:04
jaypipesanotherjesse: no, that is what is *returned* by the authn middleware and *used* by the authz middleware.19:04
jaypipeseday: k19:05
nelsonjaypipes: yes, this is for swift.19:05
nelsonjaypipes: there is a user/key pair, and account/token pair.19:06
jaypipesnelson: IIRC, you should just pass the token in every request after receiving it from the authentication service... the middleware should be checking the expiration of the token and updating the expiration date of that token... I think. :)19:06
nelsonThe auth server takes in user/key and gives back account/token.19:07
jaypipesya19:07
nelsonAll the other services use account/token, although token is not needed if you've made a container public for reading or writing.19:07
nelsonjaypipes: no, tokens definitely time out, and then you need to use a user/key to get a new one.19:08
anotherjessejaypipes: do you know if there is a diagram kinda like http://twitpic.com/45qpvz/full19:08
anotherjessefor how swift works?19:09
*** Xenith has quit IRC19:09
*** Xenith has joined #openstack19:09
nelsonanotherjesse: I haven't seen one.19:10
jaypipesanotherjesse: no idea. :(19:10
nelsonbut if you ask the auth server for another token, it will give you the same one. So ... my question is along the lines of "How often do I need to ask the auth server for a token".19:10
notmynamenelson: the auth server should return a TTL for the token19:10
*** vvuksan has joined #openstack19:10
anotherjessejaypipes: http://paste.openstack.org/show/798/ is the text that built that (using an open source project called sdedit)19:11
notmynameyou should be able to cache it for that time, but be sure to re-auth if you get a 401 from swift (eg the token could have been revoked)19:11
jaypipesnelson: so in swift, you can't have a user in >1 account? :(19:11
anotherjessenelson: mike mayo says ~24 hours19:11
nelsonCuz surely it needs to give back auth tokens that change faster than their timeouts.19:11
anotherjessejaypipes: cloud servers have the same model19:11
jaypipesannegentle: what model?19:12
nelsonnotmyname: it sends back a date, but it's now.19:12
edayanotherjesse: that is how swift works, minus the 'user' return when compute checks the token (only groups/account is returned)19:12
anotherjesseeday: we need user for audit logging19:12
jaypipesanotherjesse: that is an implementation detail.19:12
notmynamenelson: in general, you should be able to cache it indefinitely as long as you also handle getting 401s19:12
anotherjesseeday: cool - as we said in the proposal we wanted to be as similar to existing patterns as possible19:13
edayanotherjesse: well, "user" should just be the auth'd account19:13
nelsonjaypipes: afaik, the mapping is from one user to one account19:13
anotherjesseeday: I disagree19:13
jaypipesnelson: well that's poop.19:13
anotherjesseeday: account != user19:13
jaypipesnotmyname: is that true? in swift a user can only be in one account?19:13
edayanotherjesse: services should only deal with accounts IMO, which can be users, projects, ...19:13
anotherjesseeday: disagree - we need to know the "Account" and "who is doing this" (eg the user)19:14
anotherjessethe who is for more for usability / logging19:14
nelsonnotmyname: Hmmm.... that might be the simplest solution. Keep it until the server barfs on it.19:14
edayanotherjesse: but what if user is just another account?19:14
anotherjesseeday: it can be!19:14
edayanotherjesse: I agree the need for detailed logging19:14
anotherjesseeday: or it can be different if you need to19:14
creihtnelson: re caching, probably a good idea :)19:14
anotherjesseeg, a simple linux PAM identity backend would just say: account = user19:14
*** Ryan_Lane|away is now known as Ryan_Lane19:14
notmynamejaypipes: swift only knows about accounts, containers, and objects. the auth system is what maps the token/creds to a auth account/user/group/etc19:15
*** rlucio has joined #openstack19:15
anotherjessea sophisticated AD/LDAP integration would use groups/projects as accounts & ldap users as user19:15
* nelson puts his headspace back into the code.19:15
edayanotherjesse: I just don't see the need for a abstract IDM to expose any other types than accounts and groups19:15
jaypipesnotmyname: sorry, it's that last part of that sentence that has been so confusing... token/creds map to an account? or MORE than one account? and what is a "group" in that sense?19:15
anotherjesseeday: the IDM is something we plugin to19:16
nelsoncreiht: but before I do that ... I have a sweet patch to client.py.  It lets you use put_object_chunked and send chunks as you get them.19:16
anotherjesseeday: not something we implement - eg - use someones ldap or pam or activedirectory ...19:16
nelsoncreiht: all will be published when I'm confident it's working.19:16
edayanotherjesse: i'm not saying the IDM won't deal with these, they of course need to with different backends, but the server (compute, swift, ...) should not be aware of those things19:16
notmynamejaypipes: it's all up to the auth implementation (which is probably talking in circles). swift will ask the auth server (via the middleware) if the given token is allowed for the swift account.19:17
*** paltman has joined #openstack19:17
jaypipesnotmyname: but does the swift account allow multiple users?19:17
nelsonjaypipes: of course.19:17
Ryan_Lanewhy would an account need multiple users?19:18
*** joearnol_ has joined #openstack19:18
*** irahgel1 has left #openstack19:18
edayanotherjesse: so, I think we do need another field being returned in the token check, saying which account ID is performing the action, I just wouldn't call that a user (since it's an account ID)19:18
nelsonjaypipes: in principle there is no reason why multiple users couldn't be handed back the same X-Storage-URL.19:18
Ryan_Lanelike in the case of a business account?19:18
*** troytoman is now known as troytoman-away19:18
anotherjesseRyan_Lane: an account is a project in rackspace parlance19:18
Ryan_Laneahhhh ok19:18
*** ramkrsna has quit IRC19:18
*** joearnold has quit IRC19:18
jaypipesnelson: sorry, above you just said that "The auth server takes in user/key and gives back account/token.". That implies the user and account are a one-to-one relationship, otherwise a user/key combo would return a *list* of accounts...19:19
creihtI think you guys are overcomplicating the auth server stuff :)19:19
*** photron has joined #openstack19:19
nelsonjaypipes: no, user maps to account;not vice-versa.19:19
jaypipescreiht: well it's not like the stuff is particularly well documented.19:19
anotherjessecreiht: all we are saying is what you do with sending user + account19:19
edayanotherjesse: so I'm confused what the difference between 'user' and 'account' is with what the token server returns during the service check19:19
jaypipesnelson: wha? see this is what's driving me crazy...19:19
edaycreiht: yes :)19:20
anotherjesseeday: I agre the names are confusing - we are using account / user in its rackspace cloud meaning19:20
nelsonjaypipes: you use a user/key to get an account/token.19:20
creihtstepping back a bit19:20
jaypipesnelson: if I give the auth server a user and a key, and a user can be mapped to >1 account, then how the heck would giving the auth server a user and a key not return the *list* of accounts that the user belongs to?19:20
creihtswift, internally, only has a notion of accounts, containers for an account, and objects for a container19:20
nelsonjaypipes: internally, swift consults the auth server to see if the token is valid for that account, but only the auth server cares about user/key.19:20
anotherjesseeday: in nova parlance: sending token to auth would return an opaque project & user identifier19:21
edayanotherjesse: rackspace doesn't have a concept of users though...19:21
anotherjesseeday: it does actually - it just isnt' documented well :)19:21
nelsonjaypipes: you asked if one account could have multiple users; the answer is yes.19:21
notmynamejaypipes: for RAX the globablization project will do just that: return endpoints for each swift cluster (with perhaps a default one)19:21
anotherjesseeday: the rackspace model is: an account has many users.  a user belongs to a single account19:21
nelsonjaypipes: you also asked if one user could have multiple accounts; the answer is no.19:21
edayanotherjesse: hmm, we juse send account ID to IDM and get backa  token.. the account:user thing is just a swauth thing, not a racskapce thing19:21
edayand I can't type19:22
anotherjesseit is also in ozone19:22
nelsoncreiht: could you read what I just wrote and verify that I'm not misleading jay?19:22
creihtanotherjesse: that actually isn't the rackspace model :)19:22
jaypipesfuck, I give up. I don't understand how an account can have multiple users, and a user can't have multiple accounts. that simply doesn't make sense.19:22
creihteveryhing is scrolling too fast19:22
nelsonEVERYBODY STOP SO THAT CREIHT CAN CATCH UP.19:22
edayjaypipes: we're talking about different things here.. some do, some don't :)19:22
nelson:)19:22
creihtnelson: you are basically correct19:22
creihtlol19:22
nelsoncreiht: tnx.19:22
jaypipescreiht: sorry, how can an account have multiple users and a user not have multiple accounts? that doesn't make sense.19:23
nelsonjaypipes: accounts and users are different things. It's just like you can have multiple coins in your pocket, but the could in your pocket all belong to you.19:23
notmynamejaypipes: swift has no concept of users. it only asks the auth service if a token can access the swift account. the auth service is free to map accounts to users in a many-to-many way19:23
creihtwith swauth, you a user is assigned to a specific account, but with ACLS, you can give a user on one account access to a user on another count19:23
nelsonjaypipes: what notmyname just said!19:23
creihtaccount19:23
creihterm access to a container on another account19:23
creihtso trying again to step back a bit19:24
jaypipesgod this stuff is so over complicated.19:24
creihtthe current rackspace auth, only has a notion of accounts (and no users)19:24
*** littleidea has joined #openstack19:25
nelsondevauth?19:25
notmynamenelson: no, the rackspace cloud auth19:26
nelsonoh, so devauth introduces the idea of users?19:26
creihtnelson: correct19:26
creihtwe use it internally for other legacy reasons19:26
creihtswift actually easily supports multiple auth systems at once19:26
*** mgoldmann has quit IRC19:26
nelsonsure, because it only cares about account/tokens.19:27
creihtthat is why we have the reseller prefeix19:27
nelsonbut how does it know which auth system to consult to verify the token is valid for the account?19:27
creihtprefix19:27
nelsonis there a mapping from reseller prefix to auth system?19:27
notmynameyes19:27
nelsonAHA! (light bulb moment)19:28
creihtnelson: more or less, but isn't totally obvious at first19:28
jaypipesnothing about any of it is "totally obvious".19:28
creihtWe have a slightly modified auth middleware at RS that delegates which auth system to use based on the prefix19:28
nelson:) I feel your pain, jay, but stick with it. You'll get there.19:28
creihtlol19:28
notmynameto me, the complicated part is that for ALCs (authorization), the auth system gives swift an opaque string that can be used to compare against the swift account and/or container for permissions purposes19:30
creihtso lets get back to basics19:30
notmynamesure sure. that's really an optimization for scalability rather than a key feature19:30
creihtthe whole purpose of auth is to determine if a given request can be made19:31
redbo_fun-da-mentals19:31
creihtheh19:31
jaypipescreiht: yes, we know that. thx.19:31
* creiht sighs19:31
anotherjessecreiht: auth = authorization or authentication?19:32
creihti usually mean both19:32
creihtbut mostly authorization19:33
anotherjessecreiht: in swift do they have to be implemented at the same layer (eg authorization might be controlled by one system, authentication by another)19:33
creihtsince authentication usually happens totally outside the end systems19:33
jaypipescreiht: an authn middleware should reply to a request that a user/key combination can enter a system and what groups, if any, the user belongs to. an authz middleware should return whether a user can complete a specific action. would you agree with this?19:33
*** littleidea has quit IRC19:33
notmynamethe auth middleware in swift only does authorization. the authentication step happens out-of-band of swift19:34
creihtanotherjesse: a little bit of both19:34
creihtin the current implementation, authorization is based off of the idea of groups19:35
creihtthe external auth system keeps track of the mapping of user<->groups19:35
creihtwhen swift validates a request with swauth, swauth returns the groups that the user belogs19:36
jaypipescreiht: isn't the "account" a "group"?19:36
*** mdomsch has quit IRC19:36
anotherjessecreiht: authentication happens outside of swift (as deployed in rackspace) and authorization is pluggable in swift - so while it has a rackspace specific authz process, it can be changed?19:36
creihtjaypipes: yes, the easiest groups are the account, and the account:user19:36
jaypipescreiht: wait! what is "the account:user"?19:37
creihta unique string that identifies the user19:37
anotherjessejaypipes: I think that is the string that authz parses?19:37
creihtsince user by itself wouldn't be unique19:37
anotherjessecreiht: how does the rest of swift know the account?19:37
anotherjessecreiht: does it parse the "account:user" string19:37
creihtthat way on another account, I could grant a container read acces to group "account:user" which would give that specific user access19:38
edaycreiht: but account:user is only swauth, not swift service?19:38
*** Vek has quit IRC19:38
jaypipessorry, I'm not understand what the "account:user" is and how a "unique string that identifies the user" is a "group"?19:38
vishyanotherjesse, creiht: we modeled the proposal after swauth in a lot of ways19:38
vishyso it would be easy to plugin19:39
*** widodh has quit IRC19:39
redbo_yeah, account:user is just part of authentication, not authorization.19:39
*** widodh has joined #openstack19:40
vishy(changed the groups syntax slightly from "$account", "$account:$user" to "account:$account" and "user:$user"19:40
creihteday: yes that is specific to swauth19:40
edaycreiht: you may want to drop 'user' for now, and just talks about what swift service does/needs, not swauth (since that's a specific auth middleware)19:41
*** redbo_ is now known as redbo19:41
* creiht backs up again19:41
creiht:)19:41
creihtso given a request, the auth middelware provides two functions (1 for authentication and 1 for authorization)19:42
vishysince there is so much discussion going on right now19:42
vishytermie and jesse and I have been working on a proposal for authn authz19:42
vishyand we have sample code19:42
notmynamesample code!? but arguing is so much more productive! ;-)19:43
vishy!19:43
vishywe're just polishing up the proposal, but I will provide a link in a sec19:43
vishysince everyone is debating about it at the moment :)19:43
anotherjessenotmyname: lolz19:44
jaypipesvishy: generally discussing something is done before proposing something, which is why we brought it up on the IRC channel.19:45
vishyjaypipes: we have discussed it a lot19:45
jaypipesvishy: where?19:45
vishyjaypipes: far too much imo.  Bexar design summit mailing list, discussions amongst groups.19:46
jaypipesvishy: anyway, we're not debating, we're trying to understand from creiht how the Swift auth system actually works.19:46
* creiht throws hands up and gets back to work19:46
creihtgholt wrote the auth stuff anyways :)19:46
edayhaha19:47
jaypipesvishy: all I remember discussing re: auth at the bexar design summit was jorge's short session on it, and there was little discussion in that session.19:47
edayvishy: as long as a service only deals with accounts and relationships/roles with other accounts (not users, projects, ...) I'm happy19:47
jaypipesvishy: re: mailing list and auth discussions, I see the thread eday started, but I see no responses from any Anso guys.19:48
btorchdos nova come with any nova.conf.sample somewhere ? the admin guide has some flags on ch03s03.html but that doesn't seem to be all possible flags19:48
edayvishy: and every resource (container, object, server, network, ...) should have one owner (an account) and has acls for other accounts to access it (the relationship/roles)19:49
btorchnova-compute --help (I guess all those flags right ?)19:49
edayvishy: I *think* thats what the etherpad with your proposal has, correct?19:49
*** joearnol_ has quit IRC19:50
*** clauden_ has joined #openstack19:54
nelsonwhat's the difference between x-auth-token and x-storage-token19:54
redbox-storage-token is eternally deprecated19:55
nelsoncurl is giving me back identical values for them.19:55
vishyhttp://plansthis.com/auth19:55
vishy(proposal)19:55
nelsonredbo: so it hands back the same thing under two names so that programs looking for x-storage-token will still work?19:56
*** jero has quit IRC19:56
redboyes19:56
nelsonHTTPNoContent(headers={'x-auth-token': token,    'x-storage-token': token, 'x-storage-url': url})19:57
nelsonum, yeah, I'd guess so!19:57
nelsonmaybe this has already been done, but maybe get_auth should only be returning one of them?19:58
*** Seoman has quit IRC19:59
*** h0cin has quit IRC20:05
*** anotherjesse has quit IRC20:06
*** jero has joined #openstack20:06
*** dfg has joined #openstack20:12
*** MarkAtwood has quit IRC20:12
*** blamar has joined #openstack20:15
*** jaypipes has quit IRC20:16
*** Ryan_Lane has quit IRC20:16
annegentlebtorch: I've found that sometimes not all the flags show up in the --help, but that's a good start. Here's another link too:20:17
edayvishy: in http://wiki.openstack.org/AuthnAuthz?action=AttachFile&do=view&target=auth.gif, can you define exactly what "user" and "account" are (and the types) on the return of "auth_middleware"20:17
annegentlebtorch: http://wiki.openstack.org/FlagsGrouping20:18
vishyeday: the same user and account passed in to the idm20:18
vishys/idm/authn20:19
vishy(when creating the token)20:19
edayvishy: ok20:19
vishythe account is important because it is how we define ownership20:20
edayvishy: so, IMO, user,pass (or perhaps it's an email, or access key, ...) should map to an account20:20
vishythe user is only important for logging in most cases20:20
edayso it should be user_account, but the raw thing the IDM took in20:20
vishyeday: I think that is a very non-userfriendly way to use it20:20
vishyI don't want to have to remember a different password for every account20:21
vishyand it doesn't allow special acls outside of the account20:21
edayvishy: why would you need to?20:21
btorchannegentle: cool thanks20:21
vishysay i want to give access to a given instance ot another project or another user20:21
edaythen you use the account representing that user20:21
vishyyou have problems with ownership in that case20:22
vishysay i give launch permission in my project to you20:22
edayvishy: it's a simple user:pass==another account in IDM. it's the same thing, just now a real account ID rather than a random blob that only the IDM should be aware of20:22
vishyif you login using your account, how does the system know that i should own the instance20:23
redbonelson: yeah, we should probably remove that.  It actually dates back to long before openstack.20:23
vishyownership simplifies authz in a number of ways20:23
vishyas well as data retrieval20:23
edayvishy: because I would POST to /version/your_account/servers, not /version/my_account/servers20:24
edayvishy: I'm all for ownership, and agree it simplifies things20:24
vishyeday: so you are passing account, you're just doing it in the url20:24
*** ctennis_ has quit IRC20:24
edayvishy: yes, but I'm passing a IDM account ID, not a random user string20:24
vishyi don't want to require a resty url interface to use the system, so account must be included in the IDM20:24
*** mfoemmel has quit IRC20:24
*** Ryan_Lane has joined #openstack20:25
edayvishy: I'm not saying "user" shouldn't be in there, I'm saying "user" should be another account20:25
*** mfoemmel has joined #openstack20:25
vishyeday: I gotta go get some food, perahps this would be easier over skype when i get back?20:25
edayvishy: and IDM does user:pass<->account_id translation, and services *only* deal with account IDs20:26
edayvishy: sure20:26
*** zul_ is now known as zul20:26
*** gasbakid has quit IRC20:33
*** adiantum has quit IRC20:42
*** greenisus has joined #openstack20:44
*** Adri2000 has quit IRC20:47
*** miclorb_ has joined #openstack20:55
vishyeday: bakc20:59
vishys/bakc/back20:59
*** allsystemsarego_ has quit IRC21:00
*** littleidea has joined #openstack21:00
creihtI have at least found a feature in the lp slowness in that if I click on a link then realize that I clicked on the wrong link, I usually have time to click on the correct link before the wrong page shows up :)21:00
edaycreiht: haha, I use that "feature" too :)21:03
edayvishy: I'm ready whenever21:03
*** zul has quit IRC21:04
*** jesse_ has joined #openstack21:04
*** Adri2000 has joined #openstack21:05
*** mahadev has quit IRC21:05
*** jesse_ is now known as anotherjesse21:08
*** littleidea has quit IRC21:10
*** blueadept has quit IRC21:11
*** dprince has quit IRC21:12
*** jero has quit IRC21:14
*** jero has joined #openstack21:15
openstackhudsonProject swift build #210: SUCCESS in 29 sec: http://hudson.openstack.org/job/swift/210/21:16
openstackhudson* Tarmac: Refactor proxy for concurrency and code reuse21:16
openstackhudson* Tarmac: Skip the swift3 middleware tests if boto is not installed (since it is an optional component)21:16
*** joearnold has joined #openstack21:17
*** mahadev has joined #openstack21:18
johnpurfolks, there is a new blog post talking about OpenStack governance updates here: http://www.openstack.org/blog/2011/03/openstack-governance-update/21:26
johnpurdetails on the OpenStack governance model are here: http://wiki.openstack.org/Governance/Model21:27
*** MarkAtwood has joined #openstack21:30
*** joearnold has quit IRC21:30
devcamca-soren, mtaylor, jaypipes: i could use an assist fixing hudson for openstack-dashboard21:31
*** Vek has joined #openstack21:34
devcamca-http://paste.openstack.org/show/799/21:34
*** ctennis has joined #openstack21:36
*** greenisus has quit IRC21:38
*** littleidea has joined #openstack21:38
devcamca-let me rephrase21:41
devcamca-is anyone on that has access to our hudson environments?21:41
devcamca-been trying to get this fixed for 4 days now21:41
*** littleidea has quit IRC21:42
btorchok, what is this --key supposed to be when trying to use  euca-run-instances  ? I have tried to use novacreds and novacreds.zip21:42
kpepplevishy: thank you for the auth.gif picture. question: does identity:Service in your diagram map to something like LDAP or is it a openstack service that mediates/proxies/relays to it ? or does it matter ...21:44
annegentlebtorch: it's from the euca-add-keypair command, not from the novacreds collection of creds21:45
btorchhehe did I miss that step or that is not mentioned on the installation/configuration ? I don't remember seeing it but I'll double check it21:46
annegentlebtorch: yeah I'm looking also, I think it's missing from the manual install instructs21:47
mtaylordevcamca-: yeah - I keep meaning to look at that...21:47
annegentlebtorch: well it's really a config step21:47
* mtaylor bitches: this is the reason I hate venv ...21:47
annegentlebtorch: yeah it's missing from http://docs.openstack.org/openstack-compute/admin/content/ch05s01.html, I'll add it21:48
annegentlebtorch: good catch, thanks for asking21:48
johnpuryay, Monty is here!21:48
mtaylordevcamca-: ok. sadly, given the time you've been waiting, that seems to be an easy fix - can you try again please?21:48
devcamca-mtaylor: its odd, i dont know what changed21:49
devcamca-yep trying now21:49
mtaylordevcamca-: it was the change from hudson to jenkins - there was a /tmp/distribute-*tar.gz in /tmp owned by the hudson user21:49
devcamca-ah hah21:49
devcamca-makes sense21:49
*** devcamca- is now known as devcamcar21:49
mtaylordevcamca-: of course, the fact that the build was leaving stuff around in tmp is a bit fail - but not really your fault21:49
mtaylorthere are a bazillion leftover tmpdirs in there ...21:50
devcamcarmtaylor: odd21:50
devcamcarmtaylor: why is that?21:50
mtaylordevcamcar: some of the openstack test suites create stuff in tempdirs and then don't cleanup after themselves21:50
btorchannegentle: cool thanks21:50
* mtaylor thought jaypipes was fixing that...21:50
devcamcarmtaylor: ah, so nothing to do with this repo21:51
anticwswift q, in testing bexar i see a lot of .db.pending databases accumulating over time21:53
anticwwhat process(es) would normally be responsible for dealing with that21:53
anticw(the pending all seem to have 0 filesize)21:54
*** anotherjesse has quit IRC21:59
*** bcwaldon has joined #openstack22:03
*** Ephur has quit IRC22:05
*** photron has quit IRC22:08
devcamcarmtaylor: its been about 15 mins since I clicked approve, and no word from hudson22:11
devcamcarmtaylor: hm, looks like it merged but no notification was sent out. maybe i'm just being impatient22:14
*** hazmat has joined #openstack22:14
mtaylordevcamcar: sometimes the emails take a bit22:15
devcamcarmtaylor: yea i think everything is happy again22:15
mtaylordevcamcar: yay!22:16
openstackhudsonProject swift build #211: SUCCESS in 29 sec: http://hudson.openstack.org/job/swift/211/22:16
openstackhudson* Tarmac: Add a "Getting Swift" section to the getting started doc22:16
openstackhudson* Tarmac: Ability to fasttrack auditing of zero byte files.22:16
devcamcarmtaylor: thanks!22:17
*** Hello92 has joined #openstack22:18
*** bcwaldon has quit IRC22:22
Hello92So, say I have 8 nodes that are each swift + compute + ceph nodes all in one (is that a good idea?), on a gigabit lan, and I want to start the 8th virtual machine on the "cloud", how long after I give the command can I expect the vm up and running? Is it a matter of several seconds? Minutes? Milliseconds?22:22
*** Vek has quit IRC22:26
*** adiantum has joined #openstack22:28
*** kbringard has quit IRC22:29
*** joearnold has joined #openstack22:29
*** aliguori has quit IRC22:30
*** joearnold has joined #openstack22:31
openstackhudsonProject swift build #212: SUCCESS in 29 sec: http://hudson.openstack.org/job/swift/212/22:31
openstackhudsonTarmac: update functional tests configuration22:31
*** m_3 has joined #openstack22:33
*** hstrange has joined #openstack22:36
*** hstrange has quit IRC22:37
*** greenisus has joined #openstack22:41
*** greenisus has quit IRC22:47
*** Ryan_Lane has quit IRC22:47
occI'm trying to set up a multi node compute cluster, where cloud controller would not run any VMs, and compute nodes would not run anything relating to the API or cloud controller. I couldn't find which services should be on which servers (documentation simply says "Install all the nova- packages and dependencies"). Is there a document explaining the roles of these services?22:48
btorchwhat's up with this virbr0 ? I'm using the flat manage and I think the iptables might be kind of messed up22:48
btorchI have created the br100 with eth2  as part of it ... br100 is configured with 10.0.0.10 within the 10.0.0.0/8 network22:49
annegentleocc: ok, this is an overview: http://docs.openstack.org/openstack-compute/admin/content/ch05.html and are you quoting from http://docs.openstack.org/openstack-compute/admin/content/ch05.html?22:52
occannegentle: yep, but it's not descriptive enough. Like- do I need 1 nova-network instance on the cloud controller, or do I need to install nova-network on every node? same for scheduler and volume22:53
occannegentle: sorry, I was quoting from http://docs.openstack.org/openstack-compute/admin/content/ch03s02.html#d5e23922:55
annegentleocc: yeah those just walk through a 2-node install22:56
uvirtbotNew bug: #728750 in openstack-dashboard "UserData kb page not found" [Undecided,New] https://launchpad.net/bugs/72875022:56
occhmm, is there anywhere I could get help from?22:57
*** adiantum has quit IRC23:00
*** dovetail1an has joined #openstack23:00
*** dovetail1an has joined #openstack23:01
*** dovetaildan has quit IRC23:02
annegentleocc: I think you're basically wanting the same config as dubsquared has done - see http://www.dubsquared.com/?p=43 and http://www.dubsquared.com/?p=100. You should just need nova-compute on the compute node.23:05
*** adiantum has joined #openstack23:08
annegentleocc: he's not on IRC right now, but you could ask him questions on the blog post23:09
hvaldivia1Hi everybody.23:10
hvaldivia1FlatDHCPManager uses dnsmaq for the ips, right?23:10
rluciocan anyone comment on whether or not any xen based hypervisor, say on ubuntu or rhel, is supported?  or is it just xenserver23:10
rlucio* for bexar23:11
hvaldivia1Would it be possible to set dnsmaq as a dchp-proxy or relay to get the IPs from a DHCP Server in other machine?23:11
*** ppetraki has quit IRC23:13
hvaldivia1Does anyone have an idea?23:15
*** hazmat has quit IRC23:15
vvuksanhvaldivia1: I doubt it23:16
vvuksanhvaldivia1: because nova-network will add MAC address and IP to dnsmasq static mapping23:16
*** maplebed has joined #openstack23:19
hvaldivia1nova-network uses nova.conf ( fixed_range, etc ) —> IP and MAC —> dnsmasq —> VM?23:20
hvaldivia1Is that right?23:20
occannegentle: thanks23:20
hvaldivia1Ok, it would be hard to modify nova-network to support dhcp-proxy23:21
*** maplebed has quit IRC23:22
*** maplebed has joined #openstack23:22
*** littleidea has joined #openstack23:26
*** mray has quit IRC23:28
*** freeflyi1g has joined #openstack23:32
*** hvaldivia1 has quit IRC23:33
*** adiantum has quit IRC23:35
*** jero has quit IRC23:35
*** freeflying has quit IRC23:35
*** londo_ has joined #openstack23:38
*** slyphon has quit IRC23:39
*** MarkAtwood has quit IRC23:39
*** adiantum has joined #openstack23:43
*** MotoMilind has quit IRC23:47
*** joearnold has quit IRC23:56
*** adiantum has quit IRC23:56
*** littleidea has quit IRC23:58
« Wednesday, 2011-03-02 Index Friday, 2011-03-04 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!