Wednesday, 2015-03-18

« Tuesday, 2015-03-17 Index Thursday, 2015-03-19 »
*** crc32 has quit IRC00:01
*** kebray has joined #openstack-barbican00:02
*** crc32 has joined #openstack-barbican00:12
*** rm_you|wtf is now known as rm_you00:20
*** dave-mccowan has joined #openstack-barbican00:34
openstackgerritMerged openstack/python-barbicanclient: Fixes tests on invalid payload secret creation and adds new exception  https://review.openstack.org/16498000:36
*** kebray has quit IRC00:52
*** crc32 has quit IRC02:11
*** crc32 has joined #openstack-barbican02:20
*** xaeth_afk is now known as xaeth02:39
*** kebray has joined #openstack-barbican02:49
*** tkelsey has joined #openstack-barbican02:56
*** tkelsey has quit IRC03:01
*** xaeth is now known as xaeth_afk03:05
*** gyee has quit IRC03:15
*** xaeth_afk is now known as xaeth03:23
*** crc32 has quit IRC03:27
*** crc32 has joined #openstack-barbican03:29
*** alee has quit IRC04:11
*** alee has joined #openstack-barbican04:12
*** dave-mccowan has quit IRC04:14
openstackgerritAde Lee proposed openstack/barbican: Add code to populate CA tables and select plugin based on ca_id  https://review.openstack.org/15007004:23
*** kebray has quit IRC04:30
*** kebray has joined #openstack-barbican04:31
*** xaeth is now known as xaeth_afk04:41
*** tkelsey has joined #openstack-barbican04:57
*** tkelsey has quit IRC05:02
openstackgerritAdam Harwell proposed openstack/python-barbicanclient: Removing assertItemsEqual workaround, fixed upstream  https://review.openstack.org/16530306:05
*** gitorres has joined #openstack-barbican06:25
*** kebray has quit IRC06:51
openstackgerritJoshua Hesketh proposed openstack/barbican: Add pip-check-reqs tox environment  https://review.openstack.org/16457607:42
*** woodster_ has quit IRC08:00
*** tkelsey has joined #openstack-barbican08:25
*** crc32 has quit IRC10:01
*** crc32 has joined #openstack-barbican10:40
*** usimha has joined #openstack-barbican11:33
usimhaHello! I'm getting the following error when I try starting barbican. Could anyone please help me? This is the error : http://pastebin.com/5kcM4HdF11:35
*** darrenmoffat has quit IRC11:55
*** darrenmoffat has joined #openstack-barbican11:56
*** woodster_ has joined #openstack-barbican12:00
*** david-lyle_afk is now known as david-lyle12:00
nickrmc84Are you trying to upgrade from a previous version?12:36
*** nickrmc84 is now known as nickrmc8312:37
*** jaosorior has joined #openstack-barbican12:38
jaosoriorwoodster_: ping12:42
jaosorioror redrobot12:43
woodster_jaosorior: morning (well for us over here anyway)12:43
jaosoriorwoodster_: Hey man... I finally got clearance to work on this blueprint http://specs.openstack.org/openstack/barbican-specs/specs/kilo/data-remove-tenant-secret-assoc.html do you know if it's still possible?12:47
jaosoriorI was also told that I still don't have clearance to work on the ACL-related stuff... but I told them to drop that since it was taken by Arun already12:47
*** usimha has quit IRC12:53
woodster_jaosorior, yeah redrobot is working with the TC to determine what gets in for Kilo (so past Thursday or not) so ping him later this morning. That said, even if that didn't land for Kilo I'd think it would be great to have that CR go in first thing for Liberty.12:54
jaosoriorwoodster_: Alright, I'll talk to him12:55
jaosorioreither way... damn, I have no clue how it took so long :/12:55
jaosoriorwoodster_: anyway, how are things there?12:55
woodster_jaosorior CRs not merged for Kilo (a specific commit/SHA) will just merge into Liberty. I'd say do the work anyway while you have the blessing to do so. Do you think you'd have it done by RC1 (April 6th I think)?12:56
woodster_jaosorior, I'm still trying to catch up after being off for 11 days :)12:56
jaosoriorwoodster_: vacations?12:57
jaosoriorI think I can do it by April 612:57
woodster_jaosorior, yeah, they are making us take all vacation during the  year now, no carry over. Not a bad policy really13:00
woodster_jaosorior, even if you don't finish by April 6th I'd say still do it so we have it starting in Liberty13:01
jaosorioralright13:01
openstackgerritMichael McCune proposed openstack/barbican: Moving containers tests to separate module  https://review.openstack.org/16250413:15
elmikoif anyone is looking for an ice softball review, ^^  =)13:17
elmiko*nice13:17
*** crc32 has quit IRC13:38
aleejaosorior, woodster_ https://review.openstack.org/#/c/150070/ all ready for a re-review13:41
*** gitorres has left #openstack-barbican13:42
*** usimha has joined #openstack-barbican13:49
usimhanickrmc83: Yes, I am.13:49
nickrmc83ushima: Is it a live system you're updating? See this page http://docs.openstack.org/developer/barbican/contribute/database_migrations.html13:53
openstackgerritKaitlin Farr proposed openstack/barbican: Add asymmetric key support to KMIP plugin  https://review.openstack.org/16398914:15
*** dave-mccowan has joined #openstack-barbican14:29
*** kebray has joined #openstack-barbican14:35
*** usimha has quit IRC14:38
*** usimha has joined #openstack-barbican14:38
*** rellerreller has joined #openstack-barbican14:42
*** zz_dimtruck is now known as dimtruck14:42
*** xaeth_afk is now known as xaeth15:00
*** kebray has quit IRC15:06
*** kfarr has joined #openstack-barbican15:13
jvrbanacelmiko, got a couple of really minor changes for you, but other than that it looks good!15:14
elmikojvrbanac: cool, thanks for taking a look =)15:15
*** dave-mccowan has quit IRC15:17
*** dave-mccowan has joined #openstack-barbican15:20
*** crc32 has joined #openstack-barbican15:26
*** crc32 has quit IRC15:30
*** administrait0r has joined #openstack-barbican15:36
*** usimha has quit IRC15:36
*** kebray has joined #openstack-barbican15:39
elmikoi'm seeing a test error in WhenTestingSimpleCMOrderValidator, but didn't touch that test. anyone else seeing this paste.openstack.org/show/193156/15:40
aleewoodster_, https://review.openstack.org/#/c/150070/ just needs a workflow :)15:43
openstackgerritMichael McCune proposed openstack/barbican: Moving containers tests to separate module  https://review.openstack.org/16250415:44
*** xaeth is now known as xaeth_afk15:46
*** SheenaG has joined #openstack-barbican15:48
jvrbanacelmiko, ping15:50
elmikojvrbanac: hey15:51
jvrbanacelmiko, thanks for the change. Is there a reason why on line 167 you're only asserting the last create_container ?15:53
* elmiko looks15:53
elmikojvrbanac: oops, oversite. i missed the indent15:54
elmikothanks15:54
openstackgerritMichael McCune proposed openstack/barbican: Moving containers tests to separate module  https://review.openstack.org/16250415:55
jvrbanacelmiko, np. I was looking at that and was like "am I missing something"15:55
elmikojvrbanac: no, i was missing something lol15:56
jvrbanacelmiko, thx15:58
elmikojvrbanac: np, thanks again for the reviews15:59
*** kebray has quit IRC16:06
*** kebray has joined #openstack-barbican16:07
openstackgerritMerged openstack/barbican: Remove unused etc/dev_tempest.conf file  https://review.openstack.org/16517216:12
openstackgerritChelsea Winfree proposed openstack/python-barbicanclient: Fixed deprecated type and encoding test and encoding bug  https://review.openstack.org/16521516:26
openstackgerritNathan Reller proposed openstack/barbican: Removed get_secret_type  https://review.openstack.org/16549716:35
openstackgerritChelsea Winfree proposed openstack/python-barbicanclient: Fix smoke test for client with bad data set  https://review.openstack.org/16522116:41
*** gyee has joined #openstack-barbican16:43
dave-mccowanelmiko i was the last one to touch _validate_pkcs10_data, but i'm not seeing that error in WhenTestingSimpleCMOrderValidator.  are you still seeing that?16:44
elmikodave-mccowan: i'll run it again.16:45
elmikodave-mccowan: rebuilding the tox env too16:45
elmikodave-mccowan: yea, same error16:47
dave-mccowanelmiko do you see the error on master? or just with your changes?16:49
elmikodave-mccowan: running against master now16:50
elmikodave-mccowan: yep, i see it on master too. i'll try a fresh checkout just to make completely sure16:50
openstackgerritKaitlin Farr proposed openstack/barbican: Add asymmetric key support to KMIP plugin  https://review.openstack.org/16398916:51
*** administrait0r has left #openstack-barbican16:51
dave-mccowanelmiko i'm also doing a fresh clone now16:52
elmikodave-mccowan: i see it on fresh clone as well16:53
*** kebray has quit IRC16:55
aleewoodster_, redrobot -- https://review.openstack.org/#/c/150070/ is just waiting for a workflow ..16:57
*** openstackgerrit has quit IRC16:59
*** openstackgerrit has joined #openstack-barbican16:59
*** darrenmoffat has quit IRC17:02
dave-mccowanelmiko.  it works for me.  :-(   alee: any ideas?  elmiko's _validate_pkcs10_data fails during csr.get_pubkey() or csr.verify(), but works for others.  different version of OpenSSL?17:04
elmikodave-mccowan: huh, weird.17:04
aleedave-mccowan, elmiko - its been working for me so far17:05
dave-mccowanalee, elmiko works in the gate too17:05
aleeelmiko, what platform are you running this on?17:05
elmikoalee: f2117:05
aleeelmiko, yeah I'm running on f21 too.17:06
elmikoweird...17:06
aleeelmiko, did you do a tox -r17:06
alee?17:06
elmikoyea17:06
elmikoand i tried a fresh clonse as well17:06
*** darrenmoffat has joined #openstack-barbican17:06
hockeynutI would love to get some comments on https://review.openstack.org/#/c/141138/ pleez....17:08
elmikoalee, dave-mccowan, as long as gate works and it's just me seeing errors i'm not gonna worry too much. thanks for the help17:08
aleeelmiko, maybe your version of the openssl libs?17:09
aleewhats the error you are seeing?17:09
aleedave-mccowan, hows it going on the patch?17:10
elmikoalee: http://paste.openstack.org/show/193156/17:10
dave-mccowanelmiko "openssl version" for me gives: "OpenSSL 1.0.2 22 Jan 2015"17:10
elmikodave-mccowan: OpenSSL 1.0.1k-fips 8 Jan 201517:10
elmikomaybe that's the issue17:11
arunkantany idea..why I see this error locally and not in openstack build.. ./functionaltests/api/v1/models/order_models.py:16:1: H302  import only modules.'from functionaltests.api.v1.models.base_models import BaseModel' does not import a module17:11
elmikodave-mccowan: unfortunately, that's the latest openssl that yum is providing me17:12
dave-mccowanelmiko if you want to spend the time, maybe add some print statements in that test?17:12
elmikodave-mccowan: maybe this afternoon, weird thing is that test was working about a week ago17:12
dave-mccowanelmiko:  i added the code for that test within the last week.  before that it was just "pass".17:14
elmikoheh lol17:14
dave-mccowanelmiko: if you're running in fips mode some how that could be an issue.  i'm using md5 in unit test which is not fips-allowed.17:15
elmikodave-mccowan: how would i know if i'm in fips mode?17:15
aleeelmiko, I'm running OpenSSL 1.0.1e-fips 11 Feb 201317:17
elmikoalee: sounds like you need a yum update ;)17:18
aleeelmiko, or maybe not :)17:18
elmikoha!17:18
kfarrarunkant, to fix that, you'd need to do: from functionaltests.api.v1.models import base_models, then in your code, say base_models.BaseModel17:18
aleeelmiko, let me update and see if it breaks me ..17:18
elmikoalee: no, i can't handle that negative karma17:19
arunkantkfarr, thanks. This is upstream code and it works fine in upstream build but it fails only in local build. That's why wondering what is different from upstream, checked pep8, hacking version etc. in local env and its same as upstream version17:21
dave-mccowanelmiko when you get a chance to play, you could comment out the try/except in _validate_pkcs10_data so we can see the exception raised by OpenSSL17:21
elmikodave-mccowan: ack17:21
aleedave-mccowan, whats interesting is that the error is not being propagated up17:21
aleeit just says "reason"17:21
kfarroh, arunkant, it's one of the extra hacking rules17:21
aleeelmiko, actually I'm on f2017:22
arunkantkfarr, where its excluded or defined? don't see in tox.ini .17:22
aleeso that is the latest openssl there17:22
elmikoalee: ah, makes sense17:23
aleeelmiko, it might be worth changing the test to use sha-256 instead of md517:23
aleeand seeing if that makes a difference17:23
aleebut yeah seeing what openssl is complaining about will help17:24
elmikodave-mccowan: there are 2 try/excepts in there, should i remove both?17:27
kfarrarunkant, hmm maybe you have a version installed that isn't supported?17:28
dave-mccowanelmiko.  sure.  but from the line number, we know it's the second block failing.17:28
elmikoah, gotcha17:29
dave-mccowanalee: agreed on missing reason string.  i must have dorked up the exception handling.  i'll fix and submit a patch.17:29
elmikodave-mccowan: OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_item_verify', 'unknown message digest algorithm')]17:30
openstackgerritNathan Reller proposed openstack/barbican: Removed get_secret_type  https://review.openstack.org/16549717:31
dave-mccowanelmiko swapping sha-256 for md5 sounds like the next thing to try17:32
elmikodave-mccowan: ok, is that a code change or a local config thing?17:32
*** rellerreller has quit IRC17:33
dave-mccowanelmiko barbican/tests/certificate_utils.py:32  change "md5" to "sha256"17:33
elmikodave-mccowan: thanks!17:34
elmikodave-mccowan: same error17:35
openstackgerritMerged openstack/barbican: Add code to populate CA tables and select plugin based on ca_id  https://review.openstack.org/15007017:37
aleewoohoo!17:37
elmikonice, grats alee17:37
aleewoodster_, thanks woodster -- I feel like my team just beat the other guys by 9 wickets !17:38
*** rellerreller has joined #openstack-barbican17:42
elmikodave-mccowan: so, fyi. i ran the tests on my fedora-20 machine and they worked fine. fedora-21 may be the issue17:44
dave-mccowanelmiko if it is a fips problem, the other thing to change is certificate_utils.py:27.  change 1024 to 2048.   if you can print the return string from create_good_csr() and paste it to me, i'll take a look.17:44
elmikodave-mccowan: k17:44
elmikodave-mccowan: should i leave the sha256 in place?17:45
dave-mccowanelmiko yes17:45
elmikok17:45
aleedave-mccowan, seems like the problem is in the specification of the message digest algorithm -- is sha256 a valid identifier?17:45
aleeelmiko, good to know about f21/f2017:46
elmiko;)17:46
aleeelmiko, means openssl libs changes likely the problem17:46
dave-mccowanelmiko, alee: https://bugzilla.redhat.com/show_bug.cgi?id=115726017:46
openstackbugzilla.redhat.com bug 1157260 in openssl "openvpn/openssl certificate verify failed" [Unspecified,Closed: wontfix] - Assigned to tmraz17:46
aleedave-mccowan, if so, we need something that works for both17:46
elmikodave-mccowan: ah, so perhaps this is a known issue17:47
chellygelredrobot, https://review.openstack.org/16553417:47
dave-mccowanelmiko, alee.  known working-as-designed in f21.  i'll research and fix by using secure algorithms in the unit tests.17:48
aleedave-mccowan, elmiko what it means is that we should not be using md5 in the unit tetss17:48
elmikodave-mccowan: ok, so changing 1024->2048 fails as well. the output from create_good_csr() looks like a normal certificate17:49
elmikowell, cert request17:49
aleedave-mccowan, I was actually going to flag that in the review before but forgot17:49
aleeelmiko, I think we need the right representation of sha25617:49
elmikoalee: ok, cool17:49
aleesha256? sha-256??17:49
elmikoi used sha25617:50
reaperhulksha256 should map properly for the EVP interfaces inside openssl17:50
reaperhulkwhat's the problem here :)17:50
dave-mccowanreaperhulk i used md5 to sign a csr in a unit test script.  fedora21 fails to verify, since it knows better.17:51
elmikoreaperhulk: i've run into an issue running the tox unit tests on my fedora21 machine17:51
reaperhulkAh, yeah, not surprising17:51
dave-mccowanreaperhulk barbican/tests/certificate_utils.py:25  what parameters do you recommend for create_good_csr() in unit test?17:52
reaperhulkis this in an open CR or landed on master?17:52
dave-mccowanreaperhulk landed.17:53
reaperhulkah there we go, found it17:53
reaperhulkThat should be sha25617:55
reaperhulksha1 would also be fine (CSR signatures aren't hugely relevant except to prevent tampering from submitter to the CA) but sha256 is more modern obviously17:55
aleereaperhulk, the problem is that does not appear to be working for elmiko17:58
elmikoyea17:58
elmikoalee: also, "sha-256" was no good17:58
elmikothat made it worse lol17:59
aleewell at least it was different :)17:59
openstackgerritArun Kant proposed openstack/barbican: Adding per secret ACL support with db layer changes (Part 1)  https://review.openstack.org/16433418:00
openstackgerritArun Kant proposed openstack/barbican: Adding Secret ACL controller layer changes (Part 2)  https://review.openstack.org/16433518:00
reaperhulkelmiko: send me a CSR generated that triggers that ASN1_item_verify failure18:00
*** crc32 has joined #openstack-barbican18:00
openstackgerritArun Kant proposed openstack/barbican: Adding Container ACL controller layer changes (Part 3)  https://review.openstack.org/16520518:01
openstackgerritArun Kant proposed openstack/barbican: Adding policy layer changes for ACL support (Part 4)  https://review.openstack.org/16520718:01
reaperhulkThat error should only happen when it doesn't know the NID for the given digest OID18:02
elmikoMIIBWjCBxAIBADAbMRkwFwYDVQQDDBBob3N0LmV4YW1wbGUubmV0MIGfMA0GCSqG18:02
elmikoSIb3DQEBAQUAA4GNADCBiQKBgQCo2ypQZkNa8yJybbgJY/2K8DEWrdvshgW+oJGu18:02
elmikoqF66fHtxy0EAqAS5kttHy3vC7uGPMFtwP3R1sP8xFPyaadD5mfOhWXbKDu6yE5Jt18:02
elmikoy1/j5ncjbvk1CMgPaonxDsBRkntpvpuV/7XfPzqsET4lDFXV3j3ga+UIQyP4cJnG18:02
*** kebray has joined #openstack-barbican18:02
elmikonoVlwQIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEAmgEIYneZxXPmeIIWppNaS2v718:02
elmikoBIbeS5Gh+TLiQ2nppky3+4Odi4JMJJqWKPZoNwaEAa/016EVG23M4jAAZSsjdnFW18:02
elmiko6uHaPStC5/R9PVFxFCXjhUxmWngrFJq+rIwDfvKA+i4Czr5nw5HXUgpNp02dT7OR18:02
elmikof/WVlYGnifTKWE7jgcU=18:02
elmiko-----END CERTIFICATE REQUEST-----18:03
elmikooops, meant to priv msg18:03
arunkantwoodster_, alee,  jaosorior ..can use your review comments on above per secret related 4 patches18:03
elmikosry18:03
reaperhulkelmiko: mind dropping that in a gist or pastebin?18:03
elmikoreaperhulk: yes, sorry18:03
elmikoreaperhulk: https://gist.github.com/elmiko/927b12f8adf7d750a0fc18:04
reaperhulkhuh, looks like a totally normal CSR18:05
reaperhulkwhat happens if you do this on the CLI in fedora 2118:05
reaperhulkopenssl req -in <that csr> -verify18:05
elmikoi'll give it a try, would i need to make that csr a single string? (no linebreaks)18:06
reaperhulkno, save it to a file and pass the file name to the -in parameter.18:06
openstackgerritKaitlin Farr proposed openstack/barbican: Add asymmetric key support to KMIP plugin  https://review.openstack.org/16398918:06
elmikoreaperhulk: ack, thanks18:06
elmikoreaperhulk: i get "verify OK" and the csr18:08
reaperhulkthe plot thickens...18:09
reaperhulkelmiko: which test fails for you?18:11
elmikoreaperhulk: http://paste.openstack.org/show/193156/18:13
elmikook, got a successful run18:13
* reaperhulk blinks18:14
elmikoreaperhulk, alee, dave-mccowan, using this patch http://paste.openstack.org/show/193219/18:14
reaperhulkand if you change it back to 1024 it fails still?18:14
elmikobasically, dave-mccowan suggestions18:14
elmikoi'll try again, but i think so18:15
reaperhulkSomebody needs to remind Fedora's OpenSSL packagers that making changes like this does not improve security materially but does cause massive confusion. Convince upstream to do it so all OpenSSL works that way and you're fine...18:15
reaperhulkThis is going to cause me no end of trouble in pyca/cryptography, ugh18:15
*** rellerreller has quit IRC18:16
elmikoreaperhulk: it does work with 102418:16
elmikoi think had the try/except removed before when i tried with 102418:16
reaperhulkAh18:16
elmikoso, just changing to sha256 seems to work18:16
reaperhulkwell it should still change to 2048 if we're going to talk about best practice (although that will significantly slow down the unit test)18:16
reaperhulkbut I'm fine either way18:16
reaperhulkglad it's working18:16
elmikosorry for the extended boon-doggle18:17
aleeelmiko, good catch though18:17
elmikoi only saw it because of the rebase18:17
dave-mccowanthanks all.  i can take it from here and fix.18:17
elmikothanks again for all the help/hand-holding, i gotta grab some lunch. bbl18:18
*** jkf has joined #openstack-barbican18:18
aleejvrbanac, redrobot so - how do I run the functional tests?18:26
*** igueths has joined #openstack-barbican18:27
redrobotalee which project?18:27
aleeredrobot, barbican server?18:27
iguethsHi all.18:27
redrobotalee ... I think you need a working Keystone, then configure your Barbican in test to use it18:27
redrobotalee after that tox -e functional18:28
jvrbanacalee, yep18:28
*** kebray has quit IRC18:29
aleeredrobot, jvrbanac seems simple enough  - do you guys have any scripts you run to set up a vm?18:29
redrobotalee my dev box is a mac, so I use a Vagrant box to run linux and run Postgres + Keystone in docker containers https://github.com/rackerlabs/dockerstack18:30
reaperhulkredrobot why not boot2docker for that?18:31
redrobotreaperhulk dunno...  I've been doing it longer than boot2docker has been around.18:31
reaperhulkthat's a pretty good reason ;)18:32
*** rellerreller has joined #openstack-barbican18:37
aleeredrobot, so how do I use this -- download the repo and run something like "vagrant up" or something like that?18:37
redrobotalee you use a Fedora box for dev right?  I would just run the containers there18:39
aleeyeah18:39
openstackgerritJohn Vrbanac proposed openstack/barbican: Fixing errors and warnings on the sphinx docs  https://review.openstack.org/16555618:48
redrobotalee give me a sec, I'll send you the commands to run18:48
*** kebray has joined #openstack-barbican18:50
*** jaosorior has quit IRC18:52
*** xaeth_afk is now known as xaeth18:53
redrobotalee https://gist.github.com/dmend/e6c5b3f0bc6913d766f618:55
redrobotalee then you just change the barbican paste config to use the keystone authentication block18:55
aleeredrobot, cool - thanks18:57
aleeredrobot, fyi - I'm working on a bunch of functional tests for the cert api18:57
aleeredrobot, once those run correctly, I think we can say that the cert api is "finished"18:58
redrobotalee awesome!18:58
aleeredrobot, which is not going to happen in the next day or two.18:58
redrobotyeah, I figured a few things are going to slip past Kilo-318:58
redrobot:(18:59
aleeredrobot, but "identify ca" is done - with the exception of a bug that I need woodster_ to help resolve18:59
redrobotalee nice!18:59
redrobotI think I'll call the cert API done as well, and we'll just iterate on any bugs found during the RC cycle18:59
alee:)19:00
aleedone-ish ?19:00
openstackgerritKaitlin Farr proposed openstack/barbican: Add asymmetric key support to KMIP plugin  https://review.openstack.org/16398919:00
redrobotalee it's done, but not done done19:00
*** xaeth is now known as xaeth_afk19:04
*** xaeth_afk is now known as xaeth19:11
kfarrHey everyone, if you have a chance, please review KMIP's asymmetric key support https://review.openstack.org/#/c/163989/ :)  I'll be reviewing other Barbican patches for a little while, too19:12
redrobotkfarr will do!19:14
*** tkelsey has quit IRC19:17
aleeredrobot, so if I understand the above scripts and commands then - I 'm setting up a container with the latest ubuntu on it with a postgres db and a keystone instance19:28
aleeredrobot, I then need to go onto the instance and set up barbican? or will those scripts do that too?19:28
aleeredrobot, ah nm -- I think I got it19:33
alee:q19:34
*** rm_you| has joined #openstack-barbican19:36
*** Sheena_ has quit IRC19:37
*** Sheena_ has joined #openstack-barbican19:38
*** tdink has quit IRC19:39
*** tdink_ has joined #openstack-barbican19:39
*** rm_you has quit IRC19:39
*** lbragstad has quit IRC19:39
*** lbragstad has joined #openstack-barbican19:40
redrobotredrobot sorry was afk.  yeah, one container runs postgres, the other runs keystone, and the stand alone script just adds barbican users to keystone19:40
redrobotalee ^^19:40
aleeredrobot, yup - very nice19:41
rellerrellerredrobot when is the freeze?19:41
redrobotrellerreller anything not merged by tonight will get booted to RC119:41
*** gyee has quit IRC19:41
rellerrellerThe asymmetric key support is almost done. kfarr is wrapping up the test code.19:41
rellerrellerWe can have a final version out in the next 1-2 hours.19:42
redrobotrellerreller I saw that... I owe her a review19:42
rellerrellerredrobot thanks!19:42
*** crc32 has quit IRC19:53
*** tdink_ has quit IRC19:57
*** tdink has joined #openstack-barbican19:58
*** kgriffs|afk has quit IRC19:58
*** kgriffs|afk has joined #openstack-barbican19:59
*** kgriffs|afk is now known as kgriffs19:59
aleeredrobot, ping20:03
aleeredrobot, so to get the functional tests running -- what needs to be changed in the config files20:04
aleeredrobot, I see for example that I need to change the port for the keystone server in barbican-functional.conf20:05
aleeto uri=http://localhost:35357/v320:05
aleeredrobot, but what else?20:05
aleeredrobot, at this point it looks like all my keystone requests are failing with 401s20:07
hockeynutalee 1) update etc/barbican/barbican-api-paste.ini (comment out unauth path, uncomment authenticated path) then change IP addr for keystone.  Depending on your keystone setup you will need to update id/pw too20:07
hockeynutalee also update etc/barbican/barbican-functional.conf to point to your keystone and barbican (which may be localhost) and check ids/passwords20:08
hockeynutalee after that, "bin/barbican.sh install" (which will install the updated etc/barbican/barbican-api-paste.ini to /etc20:08
hockeynutthen you can "tox -e functional" to run the functional tests20:08
rm_workhockeynut: that last step isn't necessary to run the functional tests with tox, is it?20:09
rm_workthe barbian.sh install20:09
rm_workyou can just "run it"20:09
rm_workbarbican.sh start ?20:09
hockeynutrm_work in general I do an install if I have grabbed new base code...but yes, you can do start20:09
rm_workk just checking20:09
hockeynutif things look odd then do install :-)20:09
rm_worksince IIRC you said it pulls from ./etc before /etc20:10
rm_workyeah k20:10
hockeynutI also zap my database before each start - but that's just me20:10
rm_worki often do too >_>20:10
hockeynutrm /var/lib/barbican/barbican.sqlite20:10
hockeynutone less thing to worry about - I have no personal SLA for data loss on my local server :-D20:10
rm_workBTW what is config.py20:11
rm_workit has a sqlalchemy URL pointing to sqlite:////tmp/barbican.db20:11
rm_workwhich seems odd, is that cruft?20:11
*** kebray has quit IRC20:11
hockeynutthat might be a good Q for woodster_20:11
hockeynutsqlalchemy is black magic to me20:11
rm_workI have to assume this file isn't actually used for anything20:12
hockeynutI wouldn't go that far20:12
rm_workwell, if it were... that file would exist at some point, which it doesn't seem to, but yeah maybe it's a mock thing or something20:13
hockeynutbut if true then it should be removed.  woodster_ is that file used?20:13
hockeynutredrobot might know as well.  or jvrbanac or reaperhulk or chellygel20:13
hockeynutbasically barbicaneer.* :-)20:13
rm_workheh20:13
rm_workalee: yeah the issue i had with 401s was mostly that it doesn't read from /etc/barbican config files if ./etc/barbican config files exist20:14
rm_workalee: which seems like a weird cascading to me, but yeah20:14
*** openstackgerrit has quit IRC20:14
*** openstackgerrit has joined #openstack-barbican20:15
hockeynutrellerreller about the ccneil security CR - I think both tagging *and* putting them into a new class (at the same level as SecretsTestCase) would make sense - yes?20:15
woodster_rm_work, not sure what that config.py is for actually...redrobot, do you know? I think we could remove that one]20:15
*** kfarr has quit IRC20:15
aleerm_work, so it reads from ./etc/barbican config files?20:15
rm_workalee: yes20:15
aleewhich is fine actually20:15
rm_workalee: it chooses ./etc before /etc T_T20:16
aleeI'm still getting 404s though20:16
alee40120:16
rm_workhmm20:16
hockeynutalee I always do the install after any change to etc/barbican/barbican* just to be sure they're in sync20:16
hockeynutalee what are you using for keystone?20:16
rellerrellerhockeynut I would be good with your suggestion20:16
rm_workyeah alee what is the keystone url20:16
woodster_rm_work...it shouldn't read ./etc/....  (where . is the cwd inside a barbican local repo).  I recall it will read ~/barbican-api.conf if you have one though.20:17
aleeidentity_uri = http://localhost:3535720:17
aleerm_work, thats whats in the paste.ini20:17
rm_workwoodster_: it definitely will chose /home/adam/barbican/etc/barbican/ configs before it reads from /etc/barbican/ configs20:17
woodster_rm_work, yeah I faintly recall that :)20:18
rm_workalee: for the functional tests you need it specified in the functional config with /v320:18
*** kfarr has joined #openstack-barbican20:18
*** kebray has joined #openstack-barbican20:18
hockeynutalee or at least they have to match (I use both v2 and v3)20:18
aleeuri=http://localhost:35357/v320:18
rm_worketc/barbican/barbican-functional.conf20:18
rm_workuri=http://localhost:5000/v320:19
rm_workis what I use20:19
hockeynutalee the 35357 port is specified in the etc/barbican/barbican-api-paste.ini.  5000 goes in the etc/barbican/barbican-functional.conf20:20
aleehockeynut, so there are two ports?20:20
hockeynutalee yes, one for barbican admin stuff, the other for the real work from the test20:21
hockeynutalee I use a docker image (thanks to jvrbanac) for my identity - so my barbican-api-paste.ini file has: identity_uri = http://192.168.59.104:3535720:21
jvrbanacalee, hockeynut that is only because you're using boot2docker right?20:22
aleehockeynut, I used redrobot scripts to set up my keystone instance --- so the commands look something like this ..20:22
hockeynutjvrbanac yes, that IP addr is from boot2docker20:22
aleehttps://gist.github.com/dmend/e6c5b3f0bc6913d766f620:23
hockeynutalee an easy test is to postman/curl to your identity with the id/pw you're using for the tests and be sure that works20:23
woodster_jvrbanac, hockeynut, what sequence do you use with boot2docker to set up a local Barbican network?20:24
jvrbanacwoodster_, I don't use boot2docker. I run Linux, so I don't need that20:24
hockeynutboot2docker destroy20:25
hockeynutboot2docker init20:25
hockeynutboot2docker start20:25
hockeynut$(boot2docker shellinit) then docker run similiar to what dmend gist said20:25
*** tkelsey has joined #openstack-barbican20:25
woodster_jvrbanac, ha! A real man's OS20:25
aleehockeynut, jvrbanac so -- the auth requests should be going to 5000?20:25
hockeynutc'mon woodster_  you know CP/M is the real mans OS20:26
hockeynutalee yes.  35357 is used by barbican server20:27
jvrbanacalee, yeah20:27
aleekeystoneclient.auth.identity.v3: DEBUG: Making authentication request to http://localhost:5000/v3/auth/tokens20:27
aleerequests.packages.urllib3.connectionpool: INFO: Starting new HTTP connection (1): localhost20:27
aleerequests.packages.urllib3.connectionpool: DEBUG: "POST /v3/auth/tokens HTTP/1.1" 401 11420:27
aleekeystoneclient.session: DEBUG: Request returned failure status: 40120:27
aleeso it looks like its going to the right place20:27
aleehmm .. so in the functional tests config it says ..20:28
aleeusername=admin20:28
aleeproject_name=admin20:28
aleepassword=secretadmin20:28
aleedomain_name=Default20:28
hockeynutdepending on how you have it setup that id/pw may be wrong.  I use jvrbanac stuff so password=password for me20:29
hockeynutalee your URL does look fine, so it must be the id/pw20:29
aleeyeah -- I think thats what redrobot script does ..20:29
*** tkelsey has quit IRC20:29
rm_workalee: yeah mine is password=password as well20:30
jvrbanacalee, hockeynut, woodster_, we should probably have a something in our docs that gives some instructions around this stuff20:30
rm_workat first i was like "why are they setting it to NOT the default devstack password" and then realized there is no default, i've just been using the same scripts for so long that I assume it's 'password'20:31
hockeynutjvrbanac absolutely.  will also cover this in our google hangout on functionaltests20:31
aleeyeah -- that works a little better20:31
woodster_hockeynut that sounds good20:31
aleeat least now I'm getting tokens20:31
hockeynutalee doing the programmer dance...20:31
rm_workalee: you using my barbican devstack script by chance?20:31
aleealthough the functional tests are still failing20:31
*** kebray has quit IRC20:31
aleerm_work, nope -- where is that ?20:32
jvrbanachockeynut, we probably need to update this as well: http://docs.openstack.org/developer/barbican/setup/keystone.html20:32
hockeynutjvrbanac yes!20:32
rm_workalee: https://wiki.openstack.org/wiki/BarbicanDevStack20:32
rm_workalee: at the bottom, "The Easy Way"20:32
jvrbanacrm_work, http://docs.openstack.org/developer/barbican/setup/devstack.html20:33
jvrbanaclol20:33
rm_workjvrbanac: heh20:33
jvrbanacsoooo many docs!20:33
rm_workvagrant is good20:34
hockeynutjvrbanac + oo20:34
aleerm_work, cool - I may try "the easy way"20:34
rm_worki don't have it set up though, so a simple batch script is easier20:34
aleeI like the sound of that20:34
*** xaeth is now known as xaeth_afk20:34
aleelike the "easy button"20:34
rm_workalee: yeah, though I haven't modified that since the functional tests changed a little, so the file still needs to be updated with the different password I think20:35
*** kebray has joined #openstack-barbican20:35
rm_workmight do that now20:35
aleeok guys -- need to step out for a bit - thanks for the help -- will be trying this out later tonight20:35
*** alee is now known as alee_afk20:36
dave-mccowanhockeynut  Hangout on functional tests?  Sounds interesting.  When is that?20:38
rm_workah20:38
rm_workso yeah20:38
rm_workhockeynut: the default barbican devstack password IS set to "password"20:38
hockeynutdave-mccowan I'm actually on vacation this week - will schedule it for early next week20:38
rm_workper barbican/contrib/devstack/local.conf20:38
chellygelhttps://review.openstack.org/#/c/165221/ o/ could use a +1 workflow~20:38
hockeynutrm_work cool - that's what I thought/hoped :-)20:38
rm_workso the fact that the functional config defaults to something ELSE is weird20:38
rm_workand should probably be changed :P20:39
hockeynutOMG chellygel so demanding!20:39
rm_workscrew it, i'll submit that20:39
chellygelhahaha20:39
chellygelive got 4 hours and counting waiting for the juno vm to run devstack gate on the last thing20:39
chellygeltempest juno is da best vm o/ 4 hours and 13 min20:40
rm_workchances of making gate: low :P20:40
hockeynutchellygel werkflo done20:40
openstackgerritAdam Harwell proposed openstack/barbican: Make the default functional config use the right password  https://review.openstack.org/16559120:41
rm_workdid it before I forgot20:41
*** elmiko_ has joined #openstack-barbican20:42
*** elmiko has quit IRC20:45
*** elmiko_ is now known as elmiko20:46
rm_workalee_afk: updated my script to fix the issue until the CR fix lands, so should be all green for now :)20:58
openstackgerritJohn Wood proposed openstack/barbican: Allow business logic and plugins to retry tasks  https://review.openstack.org/16559420:59
woodster_redrobot, jvrbanac, hockeynut: can one of you take a look at this?: https://review.openstack.org/#/c/15756521:02
*** rellerreller has quit IRC21:07
*** jamielennox is now known as jamielennox|away21:31
hockeynutwoodster_ a few questions on ^21:33
openstackgerritKaitlin Farr proposed openstack/barbican: Add asymmetric key support to KMIP plugin  https://review.openstack.org/16398921:37
openstackgerritKaitlin Farr proposed openstack/barbican: Add asymmetric key support to KMIP plugin  https://review.openstack.org/16398921:40
*** dave-mccowan has quit IRC22:04
*** jamielennox|away is now known as jamielennox22:12
openstackgerritKaitlin Farr proposed openstack/barbican: Add asymmetric key support to KMIP plugin  https://review.openstack.org/16398922:21
*** igueths has quit IRC22:23
*** kfarr has quit IRC22:24
*** dimtruck is now known as zz_dimtruck22:30
*** gyee has joined #openstack-barbican22:48
openstackgerritMerged openstack/python-barbicanclient: Fixed deprecated type and encoding test and encoding bug  https://review.openstack.org/16521523:11
openstackgerritMerged openstack/python-barbicanclient: Fix smoke test for client with bad data set  https://review.openstack.org/16522123:11
*** kebray has quit IRC23:21
*** SheenaG has quit IRC23:49
*** SheenaG has joined #openstack-barbican23:51
*** dave-mccowan has joined #openstack-barbican23:56
« Tuesday, 2015-03-17 Index Thursday, 2015-03-19 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!