Thursday, 2020-04-02

« Wednesday, 2020-04-01 Index Friday, 2020-04-03 »
*** udesale has joined #storyboard04:56
*** tosky has joined #storyboard08:02
*** udesale_ has joined #storyboard11:40
*** udesale has quit IRC11:43
*** ianychoi_ has joined #storyboard13:17
*** ianychoi has quit IRC13:20
*** ianychoi_ is now known as ianychoi13:23
*** jamesmcarthur has joined #storyboard15:55
*** jamesmcarthur has quit IRC16:11
*** jamesmcarthur has joined #storyboard16:12
*** jamesmcarthur has quit IRC16:16
*** jamesmcarthur has joined #storyboard16:18
*** jamesmcarthur has quit IRC16:21
*** udesale_ has quit IRC16:26
*** jamesmcarthur has joined #storyboard16:34
diablo_rojo_phonSotK: reminder we meet in about an hour ;)16:51
SotKdiablo_rojo_phon: thank you for the reminder :)17:21
*** jamesmcarthur has quit IRC17:28
*** jamesmcarthur has joined #storyboard17:29
*** ironfoot has quit IRC17:43
*** ironfoot has joined #storyboard17:43
*** jamesmcarthur has quit IRC17:54
*** jamesmcarthur has joined #storyboard17:55
diablo_rojo_phonSotK: fungi so are we meeting today?17:57
fungiwe can17:58
fungibelieve it or not i'm in the middle of trying to set swift write acls for our storyboard-dev attachments17:58
SotKooh nice17:59
diablo_rojo_phonWoohoo!17:59
fungii think i've just set the storyboard-dev-attachments container writeable by the openstackstoriesdev user18:01
*** jamesmcarthur has quit IRC18:24
*** jamesmcarthur has joined #storyboard18:25
*** jamesmcarthur has quit IRC18:26
*** jamesmcarthur has joined #storyboard18:26
*** diablo_rojo has quit IRC18:26
fungiokay, so it looks like the real attachments configuration documenting happens in the sample config, fair enough18:26
fungihttps://opendev.org/opendev/storyboard/src/branch/master/etc/storyboard.conf.sample#L201-L24818:26
*** diablo_rojo has joined #storyboard18:29
fungiseems i also need to set the X-Container-Meta-Temp-URL-Key to something18:32
SotKyeah we really are lacking some more detailed documentation for actually configuring StoryBoard18:35
fungii've been doing the acls and now the tempurl key metadata using swiftclient18:36
fungiseems to have gone smoothly so far18:36
fungii think it's all set now, i guess i need to restart the api server18:36
fungier, i suppose that's restarting apache since it's run from uwsgi?18:38
fungianyway, i've restarted apache now as well18:39
fungioh!18:39
fungii still need to add a clouds.yaml file18:39
fungioh, wait, i just need to comment out the cloud option instead18:41
fungisince i set all the other ones18:41
fungiso this is all set up with v1 legacy auth to start18:42
fungii'm more comfortable those are correct for the moment, since it's what i used with the instructions at https://support.rackspace.com/how-to/set-up-cloud-files-and-acls/18:43
fungionce that's working we can try switching to keystone auth and clouds.yaml18:44
mordredopenstacsksdk supports non-standard rackspace auth/18:44
mordred?18:44
mordredoh - ew - switftclient18:45
fungiyeah, i needed to either use swiftclient or direct curl to the api to set custom r/w acls for otherwise unprivileged accounts18:46
mordredhttps://opendev.org/openstack/openstacksdk/src/branch/master/openstack/object_store/v1/_proxy.py#L687-L71018:46
mordredthere's the code for setting temp url keys18:47
fungii did it via `swift -m ...`18:47
fungiseemed to work fine (also swiftclient docs have an explicit example of doing it there)18:47
fungii guess sdk can do swift acls as well? probably not plumbed through osc though?18:48
mordredyeah. just saying - if you can't do something with sdk - let me know. swiftclient and friends don't work with clouds.yaml so the mixed experience is pretty yuck18:48
mordredah - this is just for CLI?18:48
mordredok. I mean - plumbing that through would likely be more work :)18:49
fungiit was the manual steps of authorizing the custom user for read/write access18:49
mordrednod. I thought this was code running inside of storyboard and I was sad18:49
fungii think corvus said he did something similar to set things up for us to store job logs in rackspace's swift18:49
SotKnah we use sdk in storyboard itself18:49
mordred\o/18:50
fungibut yeah, as far as configuring sb itself i put the v1 auth parameters in the config for now but we can switch it to clouds.yaml18:50
fungithe documentation we have at the moment doesn't quite say what needs to be in clouds.yaml to support this, nor where the clouds.yaml file should be so that sb will find it18:51
mordredclouds.yaml should be in /etc/openstack/clouds.yaml or ~/.config/openstack/clouds.yaml18:52
mordredand the normal stuff we put in for other clouds.yaml should be fine - no need to use old v1 auth18:52
fungifor v1 auth, it seems to use the username and the api key, does using an api key work in clouds.yaml or does it need to be the login password?18:52
mordredapi key works if you install the rackspace plugin - but there's no need - I'd just use the login password18:53
SotKheh oops, an example clouds.yaml would've been a nice thing to include18:53
fungiahh, okay18:53
mordredthe rackspace api key thing is theatre - what they _want_ it to be is what application credentials now are - but they gave up many years ago and just stayed with theatre18:54
fungiyeah, i was mostly trying to make sure these credentials didn't have access to anything besides the one swift container we're using18:54
fungibut i think their account management for it is set up appropriately for that anyway18:54
* fungi double-checks18:55
mordredyeah. that's the thing - api-keys in rackspace aren't scoped to anything - and you can only have one per account18:55
mordredso they are effectively just "alternate password that you can't use to log in to the web dashboard"18:55
fungiright, and i have this account set for no access to manage users, billing and payments, ticket access, product access18:56
SotKthe support for legacy auth is mostly to work around trouble with getting SAIO to play nice with openstacksdk without just disabling its auth (passing the credentials to openstack.connect works, but I failed to craft a clouds.yaml that could successfully do the same)18:56
mordredSotK: that's weird :)18:57
fungiso the account is set with no permissions for anything in the dashboard, and then i used swiftclient to set specific r/w acls for it to just the one container we're using it with18:57
mordred\o/18:58
fungii guess i can copy the clouds.yaml we put on our zuul executors bit just change the credentials18:58
fungisince in theory they have the right parameters for talking to rackspace in a similar way18:59
SotKmordred: I agree, its possible I just failed to find the right magic18:59
mordredfungi: yah19:01
*** jamesmcarthur has quit IRC19:15
*** jamesmcarthur has joined #storyboard19:16
*** jamesmcarthur has quit IRC19:16
*** jamesmcarthur has joined #storyboard19:16
fungimordred: interestingly, there's no /etc/openstack/clouds.yaml or ~zuul/.config/openstack/clouds.yaml on our zuul executors19:23
fungioh!19:24
fungiwe encode it in job configuration for the swift uploads19:24
fungidon't mind me19:24
mordred:)19:28
fungiand i guess it doesn't actually splat out a clouds.yaml anywhere, seems to plumb values straight into the sdk19:37
*** jamesmcarthur has quit IRC20:02
*** jamesmcarthur has joined #storyboard20:02
*** jamesmcarthur has quit IRC20:19
fungimordred: if you get time, can you see whether the /etc/openstack/clouds.yaml on storyboard-dev looks like it has sufficient data for interacting with rackspace swift?20:21
fungii'm curious how storyboard works out which region to use20:21
fungisince it just asks for a cloud name but no region20:21
fungidoes openstacksdk default to the first region in the clouds.yaml if none are specified for a call?20:22
fungior is swift effectively regionless?20:22
*** jamesmcarthur has joined #storyboard20:26
mordredfungi on it20:26
mordredfungi: python -c 'import openstack ; c = openstack.connect(cloud="openstackci-rax") ; print(c.service_catalog)'20:28
mordredfungi: as root verifies that it can log in and get a catalog20:28
mordredfungi: root@storyboard-dev01:~# python -c 'import openstack ; c = openstack.connect(cloud="openstackci-rax") ; print(c.list_containers())'20:29
mordredfungi: fails - but I think it is correct to fail?20:29
mordredfungi: openstacksdk defaults to the first region if there is only one region20:29
mordredfungi: openstacksdk defaults to the first region - or alternately you can just say "region_name" instead of giving a list of regions20:30
fungiyeah, it should be able to stat the storyboard-dev-attachments container with that account though20:32
fungiat least i was able to stat it with that account using swift v1 auth and the api key for that account20:33
mordredcool. let me try20:33
mordredfungi: no - it does not like that20:34
mordredare we sure it's the right project-id?20:34
mordredfungi: python -c 'import openstack ; openstack.enable_logging(http_debug=True) ; c = openstack.connect(cloud="openstackci-rax") ; print(c.get_container("storyboard-dev-attachments"))'20:35
mordredin case you want to try it yourself and see the http trace20:35
mordredyes - that's the right project id20:36
fungisame project id as we use elsewhere for openstackci-rax yeah20:36
mordredfungi: this is the same project as our other accounts witha second user?20:37
fungiyep20:37
mordrednod. then yeah20:38
mordredso - in general, it doesn't seem happy doing a head of that container20:38
mordredfor me20:38
fungii was able to `swift -A https://auth.api.rackspacecloud.com/v1.0 -U openstackstoriesdev -K REDACTED stat storyboard-dev-attachments` using the api key for it20:38
*** iurygregory has quit IRC20:38
*** iurygregory has joined #storyboard20:39
mordreddoes that command have the ability to do an http trace?20:39
fungimaybe, checking20:39
mordredfungi: and can you put the api key somewhere I could get at it?20:39
fungiyeah, --debug should do it20:40
fungithere's a working swiftclient install on bridge.o.o at ~fungi/swiftclient/bin/swift if you want to see it for yourself20:41
fungiadding --debug to the command above shows the full requests and responses20:42
mordredfungi: ORD not DFW20:43
mordredchanging the region in clouds.yaml fixes it20:44
mordred(and it's ORD that the api-key version is going to20:44
fungioh20:44
fungihuh20:44
fungistrangely there's now one in both dfw and ord20:46
mordredfungi: python -c 'import openstack ; c = openstack.connect(cloud="openstackci-rax") ; print(c.get_container("storyboard-dev-attachments"))' now works in case you want to verify20:47
fungithe one in dfw is the public one i created a while back, i wonder how the private ord one came about20:47
fungimaybe the commands i ran to set acls also created a container, and defaulted to ord somehow?20:48
fungianyway thanks! i have enough to experiment with now20:49
*** jamesmcarthur has quit IRC21:03
*** jamesmcarthur has joined #storyboard21:03
*** jamesmcarthur has quit IRC21:08
*** iurygregory has quit IRC21:12
*** jamesmcarthur has joined #storyboard21:26
*** jamesmcarthur has quit IRC21:26
*** jamesmcarthur has joined #storyboard21:26
fungiwell, anyway, i think it should be working at this point, i'll recheck the webclient series to get some fresh previews22:04
*** openstackstatus has quit IRC22:56
*** openstack has joined #storyboard22:58
*** ChanServ sets mode: +o openstack22:58
*** tosky has quit IRC23:00
« Wednesday, 2020-04-01 Index Friday, 2020-04-03 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!