Tuesday, 2014-10-28

« Monday, 2014-10-27 Index Wednesday, 2014-10-29 »
*** kebray has quit IRC00:16
*** mkam has quit IRC00:22
*** juantwo has joined #openstack-barbican00:28
*** ayoung-dadmode is now known as ayoung00:33
*** juantwo has quit IRC01:06
*** juantwo has joined #openstack-barbican01:06
*** lisaclark1 has joined #openstack-barbican01:15
*** SheenaG1 has joined #openstack-barbican01:43
*** SheenaG11 has quit IRC01:46
*** paul_glass has joined #openstack-barbican01:50
*** paul_glass has quit IRC01:55
*** bdpayne has joined #openstack-barbican02:22
*** bdpayne has quit IRC02:22
*** lisaclark1 has quit IRC02:31
*** akoneru has quit IRC03:21
*** ayoung has quit IRC04:04
*** gyee has joined #openstack-barbican04:11
*** rsyed_away is now known as rsyed04:43
*** rsyed is now known as rsyed_away04:58
*** juantwo has quit IRC05:02
*** rsyed_away is now known as rsyed05:05
*** rsyed is now known as rsyed_away05:05
*** gyee has quit IRC05:19
*** jaosorior has joined #openstack-barbican07:50
*** woodster_ has quit IRC08:00
*** jamielennox_ has joined #openstack-barbican09:28
*** jamielennox_ has quit IRC09:53
*** SheenaG1 has quit IRC11:06
*** SheenaG1 has joined #openstack-barbican11:07
*** juantwo has joined #openstack-barbican12:14
*** paul_glass has joined #openstack-barbican12:18
*** ryanpetrello has quit IRC12:34
*** ryanpetrello has joined #openstack-barbican12:34
*** alee has quit IRC12:52
*** ryanpetrello has quit IRC13:02
*** ryanpetrello has joined #openstack-barbican13:05
*** ryanpetrello has quit IRC13:06
*** ryanpetrello has joined #openstack-barbican13:11
*** SheenaG1 has quit IRC13:13
*** nkinder has quit IRC13:14
*** ryanpetrello_ has joined #openstack-barbican13:26
*** tdink has joined #openstack-barbican13:35
*** paul_glass has quit IRC13:41
*** lisaclark1 has joined #openstack-barbican13:45
*** lisaclark1 has quit IRC13:45
*** paul_glass has joined #openstack-barbican13:46
*** paul_glass has quit IRC13:47
*** paul_glass has joined #openstack-barbican13:47
*** rsyed_away is now known as rsyed13:51
*** lisaclark1 has joined #openstack-barbican13:57
*** ryanpetrello has quit IRC13:59
*** ryanpetrello_ is now known as ryanpetrello13:59
*** zz_dimtruck is now known as dimtruck14:02
openstackgerritJohn Wood proposed a change to openstack/barbican: Add certificate plugin page  https://review.openstack.org/13144014:02
*** woodster_ has joined #openstack-barbican14:03
*** lisaclark1 has quit IRC14:03
*** nkinder has joined #openstack-barbican14:05
*** alee has joined #openstack-barbican14:05
*** akoneru has joined #openstack-barbican14:10
*** lisaclark1 has joined #openstack-barbican14:16
*** mkam has joined #openstack-barbican14:17
*** kebray has joined #openstack-barbican14:21
*** kgriffs|afk is now known as kgriffs14:22
*** lisaclark1 has quit IRC14:24
*** tdink has quit IRC14:26
*** tdink has joined #openstack-barbican14:27
*** tdink_ has joined #openstack-barbican14:39
*** ayoung has joined #openstack-barbican14:42
*** tdink has quit IRC14:42
*** mkam has quit IRC14:43
*** mkam has joined #openstack-barbican14:43
*** kgriffs is now known as kgriffs|afk14:46
*** ayoung has quit IRC14:46
*** kgriffs|afk is now known as kgriffs14:48
*** kgriffs is now known as kgriffs|afk14:48
*** paul_glass has quit IRC14:59
*** ayoung has joined #openstack-barbican15:00
*** paul_glass has joined #openstack-barbican15:09
*** lisaclark1 has joined #openstack-barbican15:10
*** lisaclark1 has quit IRC15:16
*** lisaclark1 has joined #openstack-barbican15:17
*** SheenaG1 has joined #openstack-barbican15:18
*** SheenaG1 has quit IRC15:23
*** jorge_munoz has joined #openstack-barbican15:25
*** SheenaG1 has joined #openstack-barbican15:25
*** dimtruck is now known as zz_dimtruck15:30
*** zz_dimtruck is now known as dimtruck15:36
openstackgerritPaul Kehrer proposed a change to openstack/barbican: sync global requirements now that pecan 0.8 is out  https://review.openstack.org/12928115:45
aleeredrobot, ping15:47
redrobotalee pong15:48
aleeredrobot, akoneru and I have questions about your rpm scripts15:48
aleeand spec file15:48
redrobotah yes, I got his email and have not had a chance to reply >_<15:48
aleeredrobot, akoneru is working on creating rpms for fedora/rhos15:48
aleeredrobot, you have time to answer questions now?15:49
redrobotYeah, I should be able to.15:49
aleeredrobot, so I notice that you have broken up the deliverables into serveral rpms15:49
*** lisaclark1 has quit IRC15:50
redrobotyes, I think we split it up into 3 rpms15:50
aleebarbican-common, barbican-api, barbican-worker, barbican-keystone-listener15:50
aleewhats the rationale for what goes in each package?15:51
redrobotalee so, barbican-common includes pretty much all of the python code15:52
redrobotbarbican-api adds the bits needed for the api.  I think it's just the upstart scripts that manage the api.15:53
redrobotone assumption of the current spec file is that uwsgi will be used in front of the api15:53
redrobotthat may not be true for a general-purpose package15:53
redrobotbarbican-worker includes just the script to run the worker process15:53
*** lisaclark1 has joined #openstack-barbican15:53
redrobotboth -api and -worker depend on core15:54
redroboterr common15:54
redrobotbarbican-keystone-listener includes the bits that are needed to run the keystone queue consumer.15:54
redrobotI think that one should depend on barbican-common as well, but I can't remember off the top of my head.  I didn't write that part.15:55
aleeredrobot, are any of these rpms required to be installed on a client?15:55
redrobotno, these are all server side15:55
akoneruredrobot, yeah, it depends on barbican-common15:56
redrobotI don't believe we've done any work to package the client.15:56
*** lisaclark1 has quit IRC15:56
aleeredrobot, interesting .. so how do we keep client and server api code in sync?15:56
redrobotthat's a good question, and I don't have a good answer for that.  The assumption was that the client would be installed from PyPI via pip15:57
openstackgerritThomas Dinkjian proposed a change to openstack/barbican: Smoke tests for secrets in Barbican Functional Tests  https://review.openstack.org/13037215:57
redrobotso, the latest client should work with whatever the latest server release is.15:58
redrobotfor Juno (2014.2), the client is 3.0.0, which is not yet released.15:58
aleeredrobot, I'm just wondering because we do things a little differently in dogtag.  we have an rpm that contains the python/java classes that used by both client and server (includign api)15:59
redrobotI see.  I think in our case that wouldn't be necessary since we don't share any code between server and client16:00
aleeredrobot, well we have api interfaces defined in there .. I'll take  look and see if it makes sense to consider changing.16:01
aleeredrobot, in any case, if these are all server side, is there any reason to keep them all separate>16:01
alee?16:01
akoneruredrobot, hmm. i tried running the build_rpm.sh script, but i am unsuccessful as of now, any specific steps i need to follow to get it right? (a doc would be great)16:02
redrobotakoneru the SPEC files are quite old, I wouldn't be surprised if they're stale.  build_rpm.sh was supposed to be used by a Jenkins job that was continuously building the packages, but that Jenkins server is offline now.16:02
redrobotalee Originally I split them up for purely aesthetic reasons.  The idea was that we could "yum install barbican-api" on the api nodes and "yum install barbican-worker" on the worker nodes.16:03
redrobotalee also, some assumptions can be made in those packages.  The api package will start the service, for example.16:04
*** gyee has joined #openstack-barbican16:04
aleeredrobot, can you explain to me a little about the worker nodes?16:04
aleeredrobot, or is there a arch doc I should look at?16:05
redrobotalee I think the diagram in this wiki is still relevant https://github.com/cloudkeep/barbican/wiki/Architecture16:06
aleeredrobot, I see - so the idea is that worker nodes could be on different machines.16:08
redrobotalee the dev configuration doesn't use a queue, so there's no need for worker processes.  A live deployment would have dedicated worker nodes that are constantly polling the queue.16:08
redrobotalee yep, that's the idea :)16:08
aleeredrobot, have you guys tested deploying like this?16:08
redrobotalee yes, we currently have one environment with 4x api nodes and 4x worker nodes.16:09
aleeredrobot, I just want to make sure the separation being done in the rpms is correct.16:09
alee(and it uses the rpms generated by this script)?16:09
redrobotalee we've not yet deployed the keystone consumers.16:09
redrobotalee nope, we decided to go with docker images for packaging.  RPMs were not moving fast enough for us in regards to dependencies.16:10
aleeok16:10
aleeredrobot, ok - I understand the separation you used now, thanks.16:11
aleeredrobot, the keystone listener is a separate process?16:11
akoneruredrobot, alee - that's all the questions i have. i will start looking into the dependencies and spec file now.16:12
redrobotalee yes, I haven't played with it much since it merged a couple of weeks ago, but as I understand it, it is a separate queue polling process as well.16:13
aleeredrobot, it would be deployed on the api node though?  or would it be deployed on its own box?16:13
redrobotalee I think that it would be deployed to either its own box, or alongside the workers, but preferably not alongside the api.16:14
redrobotalee the idea is that the api is publicly routable, but the worker nodes are not16:14
aleegotcha.16:15
aleeredrobot, is python-cryptography required for build/runtime?16:16
aleeredrobot, I see that its not in the spec file.16:17
redrobotalee so, python-cryptography (aka pyca/cryptography) is only required for the development (non-hsm) crypto plugin.  ...  I think.   So maybe it should be under the "suggested" part of the spec16:18
redrobotalee I don't think they have an official packager either.  We were having to fpm it when we were using rpms.16:19
redrobotalee it's also possible that we may be missing other dependencies.16:19
aleeredrobot, so the build succeeds without it?16:19
redrobotyeah, it should.  Let me refresh on the build script again16:20
* redrobot looks16:20
*** rellerreller has joined #openstack-barbican16:20
aleeredrobot, the only build requirement I see is python2-devel16:24
aleewe don't need anything else?16:24
redrobotalee I don't think so.  As I understand it "build requirements" is a list of RPMs that need to be installed on the machine where the RPM will be built.  I don't think the barbican python source has any build time dependencies other than python.16:26
aleeredrobot, we'll find out :)16:26
aleeredrobot, do we have any place where we store release tarballs?16:27
aleeredrobot, say for juno release ..16:27
redrobotalee not really.  Official OpenStack releases are stored in Launchpad.  But they only include the Cycle Milestones, RCs and the final release.16:27
redrobotalee ah yes, hang on16:27
redrobotalee this is Juno final https://launchpad.net/barbican/juno/2014.216:28
aleeredrobot, awesome - perfect thanks16:28
* redrobot spins up a centos box to test build_rpm.sh16:29
*** dimtruck is now known as zz_dimtruck16:32
*** paul_glass has quit IRC16:32
*** tdink has joined #openstack-barbican16:35
*** tdink_ has quit IRC16:36
*** zz_dimtruck is now known as dimtruck16:37
*** jaosorior has quit IRC17:03
*** paul_glass has joined #openstack-barbican17:12
*** kebray has quit IRC17:26
*** kebray has joined #openstack-barbican17:26
*** rellerreller has quit IRC17:29
*** lisaclark1 has joined #openstack-barbican17:35
*** lisaclark1 has quit IRC17:44
*** lisaclark1 has joined #openstack-barbican17:44
*** lisaclark2 has joined #openstack-barbican17:49
*** lisaclark2 has quit IRC17:50
*** lisaclark2 has joined #openstack-barbican17:51
*** lisaclark1 has quit IRC17:52
*** dimtruck is now known as zz_dimtruck17:59
*** zz_dimtruck is now known as dimtruck18:01
*** lisaclark2 has quit IRC18:09
*** lisaclark1 has joined #openstack-barbican18:09
*** akoneru is now known as akoneru_lunch18:10
redrobotakoneru finally had a chance to look at the build_rpm.sh script again18:10
redrobotbut you're out to lunch... hehe.18:11
rm_workhmm, should pack up food soon?18:34
redrobotrm_work I think the plan is to leave it there for people to graze18:34
chellygeljust take it when you are ready to leave18:34
rm_workheh k i should actually plug in my crockpot then O_o18:35
*** kebray has quit IRC18:47
*** kebray has joined #openstack-barbican18:51
*** lisaclark1 has quit IRC18:59
*** lisaclark1 has joined #openstack-barbican19:03
*** paul_glass has quit IRC19:04
*** akoneru_lunch is now known as akoneru19:08
*** codekobe____ is now known as codekobe19:14
akoneruredrobot, ping19:14
aleeredrobot, ping19:18
aleeredrobot, spoke with jamielennox .  It looks like they will not need the extra design session, so we can use it for a barbican topic.19:19
*** lisaclark1 has quit IRC19:30
*** gyee has quit IRC19:31
redrobotalee awesome19:59
*** ayoung has quit IRC20:07
*** nkinder has quit IRC20:08
*** kebray has quit IRC20:15
redrobotalee how does this sound for the last design session: Barbican per-user entity-level authorization20:32
redrobotThe goal of this session is to find the correct OpenStack-wide way forward for providing entity-level authorization (authorization for individual secrets/containers/etc.)   There has been a lot of discussion around this topic since last summit without a resolution.  Keystone policy currently cannot address this use case, and there is some resistance to adding it to Barbican, since Authorization falls within Keystone's domain.20:32
*** lisaclark1 has joined #openstack-barbican20:43
*** kebray has joined #openstack-barbican20:44
*** lisaclark1 has quit IRC20:44
*** lisaclark1 has joined #openstack-barbican20:56
*** lisaclark1 has quit IRC20:56
*** lisaclark1 has joined #openstack-barbican20:56
*** juantwo has quit IRC21:00
*** lisaclark1 has quit IRC21:00
akoneruredrobot, ping.21:03
redrobotakoneru pong21:04
akoneruredrobot, you were looking for me during lunch?21:04
redrobotakoneru yeah, I was looking at the build_rpm.sh script.21:05
redrobotakoneru as far as I can tell it still works.  It does have some prerequistes and assumptions though21:05
akoneruredrobot, oh. ok. Any steps i need to follow? I created a dist directory and placed the tar file there.21:06
akoneruredrobot, i get errors from the rpmbuild command, seems like i need to set some environment variables to get the paths right?21:07
*** dimtruck is now known as zz_dimtruck21:07
akoneruredrobot, i mean rpmbuild on the spec file.21:08
redrobotakoneru yeah, you need to set up a file called ~/.rpmmacros21:08
akoneruredrobot, oh. ok.21:08
redrobotthere you can define what %_topdir should be21:08
redrobotalso, the build_rpm.sh script assumes you want to GPG sign the build.  For dev purposes, you can remove the "--sign" part from the rpmbuild command.21:09
redrobotmaking the tarball can be done with "python setup.py sdist"21:09
redrobotalso, the scripts assumes that PWD is the barbican project root.21:09
*** tdink has quit IRC21:10
redrobotIf you get stuck, I can maybe write a step-by-step wiki or something to that effect.21:10
akoneruredrobot, hmm. ok. i will get back to you tomorrow - same time?21:11
*** tdink has joined #openstack-barbican21:11
redrobotakoneru yep, I'll be here all day tomorrow.  Also, this guide helped me a  lot when I was getting started with RPMs21:11
redrobothttps://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/ch-creating-rpms.html21:11
akoneruredrobot, i should get it running with the information you gave me21:11
akoneruredrobot, yeah, i bookmarked it already :). Thanks!21:12
*** nkinder has joined #openstack-barbican21:12
*** tdink has quit IRC21:13
*** tdink_ has joined #openstack-barbican21:13
aleeredrobot, sounds good to me although I want to get some ideas also on https://review.openstack.org/12735321:16
aleethat is --- per secret policy21:16
redrobotalee I was going to add that CR to the etherpad for the session.  Would definitely be good for attendees to read through that blueprint for context.21:17
aleeredrobot, it handles both the case you mentioned above and LBaaS which is currently using trusts21:17
aleeredrobot, with the idea that trusts are too heavy handed.21:18
alee(as they are currently formulated)21:18
* redrobot nods21:18
redrobotI hope we can get some keystone folks to join in on the fun21:18
aleeso yeah -- you might want to include that in the session description21:19
aleeredrobot, yeah - I think keystone folks are essential21:19
aleeredrobot, this will be a problem faced by many projects.21:19
woodster_redrobot: YES to that 4th session topic idea!21:22
*** zz_dimtruck is now known as dimtruck21:24
*** alee is now known as alee_on_way_home21:42
*** alee_on_way_home has quit IRC21:47
rm_workyeah, need some keystone folks to explain why it isn't just handled properly in keystone <_<21:49
rm_workwhich I get now that it was explained, but i'm still a little bit bitter about21:50
*** SheenaG1 has quit IRC21:53
*** akoneru has quit IRC21:57
*** dimtruck is now known as zz_dimtruck22:01
*** kebray has quit IRC22:09
*** kebray has joined #openstack-barbican22:10
*** ryanpetrello has quit IRC22:19
*** rsyed is now known as rsyed_away22:36
*** gyee has joined #openstack-barbican22:39
*** jorge_munoz has quit IRC22:42
*** ryanpetrello has joined #openstack-barbican22:44
*** tdink_ has quit IRC22:45
*** zz_dimtruck is now known as dimtruck22:49
*** ryanpetrello has quit IRC22:53
openstackgerritJohn Vrbanac proposed a change to openstack/barbican: Adding docs around running tests and devstack  https://review.openstack.org/13034522:56
openstackgerritJohn Vrbanac proposed a change to openstack/barbican: Adding docs around running tests and devstack  https://review.openstack.org/13034522:57
openstackgerritJohn Vrbanac proposed a change to openstack/barbican: Taking a first stab at putting together setup docs  https://review.openstack.org/12974223:02
openstackgerritDouglas Mendizábal proposed a change to openstack/python-barbicanclient: Update Order models  https://review.openstack.org/13159823:02
openstackgerritJohn Vrbanac proposed a change to openstack/barbican: Adding docs around running tests and devstack  https://review.openstack.org/13034523:02
openstackgerritJohn Vrbanac proposed a change to openstack/barbican: Adding simple getting involved doc  https://review.openstack.org/13038123:03
*** alee_on_way_home has joined #openstack-barbican23:04
*** kebray has quit IRC23:07
*** lisaclark1 has joined #openstack-barbican23:17
*** lisaclark1 has quit IRC23:22
*** mkam has quit IRC23:42
*** rsyed_away is now known as rsyed23:53
« Monday, 2014-10-27 Index Wednesday, 2014-10-29 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!