Tuesday, 2015-03-31

« Monday, 2015-03-30 Index Wednesday, 2015-04-01 »
*** dave-mccowan has joined #openstack-barbican00:00
*** everjeje has quit IRC00:16
openstackgerritMerged openstack/python-barbicanclient: Negative tests for orders  https://review.openstack.org/16815001:09
*** nkinder has joined #openstack-barbican01:30
*** kebray has quit IRC02:33
aleeredrobot, whoop whoop for https://review.openstack.org/#/c/166497/ ?02:42
redrobotalee haha, indeed02:42
*** crc32 has quit IRC02:44
openstackgerritChelsea Winfree proposed openstack/barbican: Introducing container types and examples to quickstart guide  https://review.openstack.org/16915103:17
openstackgerritJohn Wood proposed openstack/barbican: Restore worker tasks processing catching exceptions  https://review.openstack.org/16803903:38
openstackgerritJohn Wood proposed openstack/barbican: Add more info on setting up Dockerized Keystone  https://review.openstack.org/16911403:49
*** alee has quit IRC04:12
woodster_Curses Devstack!!!!:04:12
woodster_https://www.irccloud.com/pastebin/Q7GrB0gs04:12
*** alee has joined #openstack-barbican04:12
*** kebray has joined #openstack-barbican04:19
*** kebray has quit IRC04:19
*** kebray has joined #openstack-barbican04:20
rm_workwoodster_: i hope you're testing changes in your own devstack first so you can quickly catch issues :P04:40
woodster_Will it quickly check zuul issues which I'm guessing is what that is?04:41
woodster_...or hoping that is04:41
rm_workhmm04:43
rm_workyou think that one is a zuul issue?04:44
rm_workI think that error COULD be caused by a barbican issue. but, maybe it is just an SSH/pypi timeout bug or something04:44
woodster_well if a barbican issue then it slipped past the gate and then infected the rest of the CRs04:45
rm_workT_T04:45
rm_workah that was on your non-code change04:46
rm_worksucktastic04:46
woodster_sad panda for sure04:46
woodster_just in time for release week04:46
rm_workugh04:47
rm_work2015-03-31 04:21:13.173 |   HTTP error 404 while getting http://pypi.ORD.openstack.org/packages/source/X/XStatic-Angular-Irdragndrop/XStatic-Angular-Irdragndrop-1.0.2.1.tar.gz#md5=7f57941bb72f83fe01875152ddb24ce1 (from http://pypi.ORD.openstack.org/simple/xstatic-angular-irdragndrop/)04:47
rm_work2015-03-31 04:21:13.174 |   Could not install requirement XStatic-Angular-Irdragndrop>=1.0.2.1 (from horizon==2015.1.dev110) because of error 404 Client Error: Not Found04:47
rm_workso04:48
rm_workjust hitting that URL in a browser gives a 40404:48
rm_workdoes not seem great04:48
rm_workThe requested URL /packages/source/X/XStatic-Angular-Irdragndrop/XStatic-Angular-Irdragndrop-1.0.2.1.tar.gz was not found on this server.04:48
rm_worksomething got f'ed up in the openstack pypi mirror for that package04:49
woodster_did you get all of that from the devstack logs, or did you have to run it locally?04:52
rm_workdevstack logs04:54
rm_workinteresting that horizon uses Angular.js :P04:56
rm_worknice, infra is aware of the issue, and is working on fixing it05:47
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex  https://review.openstack.org/16918106:07
*** jamielennox is now known as jamielennox|away06:49
*** tkelsey has joined #openstack-barbican06:58
*** tkelsey has quit IRC07:05
*** jaosorior has joined #openstack-barbican07:28
*** woodster_ has quit IRC07:40
*** kebray has quit IRC08:13
-openstackstatus- NOTICE: CI Check/Gate pipelines currently stuck due to a bad dependency creeping in the system. No need to recheck your patches at the moment.08:52
*** ChanServ changes topic to "CI Check/Gate pipelines currently stuck due to a bad dependency creeping in the system. No need to recheck your patches at the moment."08:52
*** tkelsey has joined #openstack-barbican09:00
*** everjeje has joined #openstack-barbican09:10
*** jamielennox|away is now known as jamielennox09:41
*** jamielennox is now known as jamielennox|away09:47
*** darrenmoffat has joined #openstack-barbican10:12
*** ChanServ changes topic to "Kilo RC1 due April 9 https://launchpad.net/barbican/+milestone/kilo-rc1"11:48
-openstackstatus- NOTICE: Check/Gate unstuck, feel free to recheck your abusively-failed changes.11:48
*** woodster_ has joined #openstack-barbican12:01
*** alee has quit IRC12:21
*** nkinder has quit IRC13:12
*** alee has joined #openstack-barbican13:35
dave-mccowanalee ping13:46
aleedave-mccowan, good morning13:46
dave-mccowanalee good morning :-)13:47
dave-mccowanalee did something change in the code with retrieving containers?  after rebasing and fixing code review comments, my validator can't get stored containers from the repo using the code that used to work.13:48
aleedave-mccowan, not sure -- I have been using your code but have not rebased in a couple of days.  Let me rebase and see whats there.13:49
dave-mccowanalee if i upload my current code to gerrit, can you take a look?13:51
aleedave-mccowan, yup13:51
dave-mccowanalee cool. thanks!13:52
openstackgerritDave McCowan proposed openstack/barbican: Implement validators and tests for stored key certificate orders  https://review.openstack.org/16729113:54
aleewoodster_, redrobot - any idea whats going on in the devstack gate?13:57
dave-mccowanalee ^^ validate_refs_in_order() doesn't find the stored container in the two functional tests that fail running with this patch.  maybe something changed with how project_id is used?13:57
aleeI've been waiting for woodster_  patch to land.13:57
dave-mccowanalee the openstackstatus bot sent the all clear and said to "recheck"13:58
*** nkinder has joined #openstack-barbican13:58
aleedave-mccowan, ok - let me set those ..13:58
*** ametts has joined #openstack-barbican13:59
*** paul_glass has joined #openstack-barbican14:03
*** zz_dimtruck is now known as dimtruck14:04
aleedave-mccowan, when you call validate_refs_in_order, you are passing in project.id -- which is the internal project id.14:10
aleedave-mccowan, but your search within that function is using the external_project_id14:11
aleedave-mccowan, hence the reason the search is not finding your containers14:12
dave-mccowanalee thanks.  which one should i be using in both places.  external?14:14
aleemost likely yes -- thats what the query needs14:15
dave-mccowanalee thanks!  that's what i needed.14:16
aleedave-mccowan, so looking at your changes ..14:20
aleedave-mccowan, I understand that this is a little tricky in that we're waiting for the acl changes to merge14:21
aleedave-mccowan, I was going to say that when the acl changes merge , we'd be able to confirm the existence of the container without reference to the project_id14:22
aleebut then I also realized that we'd likely need the project_id to determine access permissions14:23
aleedave-mccowan, so I think there needs to be only one validation function called.14:23
aleeright now your patch has two validation functions.14:24
dave-mccowanalee yea.  the first one validates the format of container ref (all it can do), the second one validates the container contents, once it is retrieved.  i could remove the first one, but it is most consistent with all the other orders.14:27
aleedave-mccowan, I'm responding on gerrit -- I think we need only one validation function14:27
aleedave-mccowan, remember that the validation of the container_ref should only take place for stored key requests14:28
*** xaeth_afk is now known as xaeth14:29
aleedave-mccowan, commented14:35
dave-mccowanalee ok.  i had in the back of my mind to future-proof the code, in case other order types needed containers someday.  but, it would be cleaner to fix that to make it specific to stored key certificate requests.  i'll make those changes.  thanks!14:38
aleedave-mccowan, yeah - I was thinking about that but its not clear you can do that simply because of the "custom" cert request type.  A custom cert request could use a "container_ref" parameter that looks nothing like what we need in the stored key case.14:40
woodster_rm_work, are you there?14:47
*** dave-mccowan has quit IRC14:54
aleewoodster_, ping14:58
woodster_alee, hey there14:59
aleewoodster_, hey -- I need to solve a problem with the cas defined , and need your help to figure out how to do it.14:59
aleewoodster_,  basically , there is a problem with updating the ca table.  because of the uniqueness constraint that is there - the update function I wrote is not working.15:00
aleewoodster_,  let me get the right test case ..15:00
aleewoodster_,  try this test in test_repositories_certificate_repositories.py15:02
aleetest_should_update  (at the end)15:03
aleewoodster_,  comment out the skip15:03
*** joesavak has joined #openstack-barbican15:03
*** dave-mccowan has joined #openstack-barbican15:06
rm_workwoodster_: i am now15:13
rm_workwhats up15:13
aleewoodster_, any thoughts?15:14
openstackgerritMerged openstack/barbican: Creating initial commit for containers quickstart guide  https://review.openstack.org/16907815:14
rm_workwoodster_: containers being wonky?15:15
*** jsavak has joined #openstack-barbican15:18
*** joesavak has quit IRC15:21
aleewoodster_, is the right way to do this by constructing an update() transaction and then calling session.execute() ?15:26
*** kebray has joined #openstack-barbican15:31
*** atiwari has joined #openstack-barbican15:35
woodster_sorry, planning meetings today....15:37
woodster_alee, is this a test already in the code base then?15:37
aleewoodster_, yeah -- its been skipped coz it was not working15:38
aleewoodster_, looking at sqlalchemy docs -- let me try a couple of things15:38
aleewoodster_, so the code in question is ..15:43
aleedef update_entity() in CertificateAuthorityRepo() in repositories.py15:45
openstackgerritMerged openstack/barbican: Write task retry info to database from server.py  https://review.openstack.org/16649715:45
aleeyay15:45
aleewoodster_, if you comment out the skip and run the test I mentioned you will see that it fails because of a constraint exceptionm15:47
aleewoodster_, looks like its trying to do an insert instead of an update15:48
aleewoodster_,  ok - I see code in there (for example in ContainerConsumerRepo to handle the IntegrityError case15:55
rm_workalee: I think that is done in ContainerConsumerRepo due to that feature being idempotent15:55
rm_worknot sure if that applies to other situations15:55
aleerm_work, I'm not sure I understand what is happening there ..15:57
aleerm_work, oh ok -- if it exists already, then ignore the update?15:57
rm_workalee: yeah, and consider it "done", not an error15:57
rm_workbecause all we care is that it exists "once"15:57
rm_workwhereas for other operations that aren't idempotent, that would be an actual failure15:58
aleeok - that doesn't apply in my casew15:58
rm_workand masking it the way I did for consumers could hide a real problem15:58
rm_workyesd15:58
rm_work*yeah15:58
*** nickrmc83 has quit IRC16:21
*** nickrmc83 has joined #openstack-barbican16:23
*** jkf has joined #openstack-barbican16:26
*** tkelsey has quit IRC17:06
*** xaeth is now known as xaeth_afk17:06
*** dimtruck is now known as zz_dimtruck17:09
*** tkelsey has joined #openstack-barbican17:12
openstackgerritMerged openstack/barbican: Introducing container types and examples to quickstart guide  https://review.openstack.org/16915117:13
*** xaeth_afk is now known as xaeth17:16
*** tkelsey has quit IRC17:17
*** tkelsey has joined #openstack-barbican17:36
rm_workchellygel: you there? or is everyone away in planning17:38
chellygelrm_work, i are here17:39
rm_workchellygel: in the CA Plugins17:39
rm_worklike, for example, the symantec one you were writing17:39
rm_workget_default_signing_cert17:40
rm_workyou have a TODO to retrieve that17:40
rm_workbut… are we really returning that?! is this necessary?17:40
*** tkelsey has quit IRC17:40
rm_workI don't really understand the use-case17:40
rm_workand the docstrings in the abstract class don't illuminate much17:40
chellygelhonestly, i havent touched that part of barbican in a while rm_work . i'd need to check that out in context.17:40
rm_workT_T k17:40
chellygeli dont remember anything about a default signing cert17:41
chellygelthat's my todo??17:41
rm_workyes17:41
rm_workdef get_default_signing_cert(self):17:41
rm_work        # TODO(chellygel) Add code to get the signing cert17:41
chellygelwhat file / line?17:41
rm_workbarbican/plugin/symantec.py17:42
rm_workline 6517:42
chellygelah rm_work that was alee that added that line17:42
chellygeland assigned it to me :P17:42
rm_worklol17:43
rm_workalee: ^^17:43
chellygelcause that doesn't make sense in the symantec context17:43
rm_workright?17:43
rm_workI think17:43
chellygelwe dont have access to a signing cert.17:43
rm_workcorrect17:43
rm_workand also, why would we ever return our signing cert...17:43
rm_worklike...17:43
rm_workoh actually nm i get why17:43
rm_workspecifically for self-signed, we need to know what cert to trust17:44
rm_work(I am taking over the Snakeoil CA plugin CR)17:44
chellygelah very cool17:44
aleerm_work, chellygel - whats up?17:51
rm_workalee: I think I figured it out17:52
aleerm_work, chellygel - you need to import the signing cert in order to trust the chain17:52
rm_workyes17:52
aleechellygel, you absolutely should have access to the symantec signing cert -- although for you maybe thats published somewhere or already installed in a browser.17:53
rm_workright, that17:54
rm_workit's published, not easily accessable to the plugin17:54
aleerm_work, well if its published -- its definitely accessible to the plugin17:55
rm_workvia what though?17:55
aleewget?17:55
rm_workrequests -> open some URL?17:55
rm_workthat seems <_<17:56
aleeyup17:56
rm_workprobably don't want to do that there thouhg17:56
rm_worki guess at least cache it? for some period of time?17:56
aleeor if it does not change often - put it in the config17:56
rm_workthat's a little awkward17:56
rm_worki guess so <_<17:56
*** zz_dimtruck is now known as dimtruck17:57
aleerm_work, the plugin can specify the expiration time of the ca_info17:57
aleefor the symantec plugin, that could be essentially forever ..17:57
rm_workheh, guess so17:58
rm_workstill seems awkward17:58
aleewhy?17:58
rm_workwas going to say "because why are we the middle-man for getting symantec's public cert", but i guess that's exactly what we are17:58
rm_workT_T17:58
aleerm_work, right17:59
rm_workmiddleman 4 life17:59
*** xaeth is now known as xaeth_afk18:03
rm_workalright, updated18:04
rm_workwould like to get this in, don't know if it qualifies18:04
*** jamielennox|away is now known as jamielennox18:04
openstackgerritAdam Harwell proposed openstack/barbican: Create snakeoil certificate plugin  https://review.openstack.org/14057518:06
openstackgerritMerged openstack/barbican: Initial connect up retry task submit and re-enqueue  https://review.openstack.org/16711018:06
*** xaeth_afk is now known as xaeth18:10
openstackgerritArun Kant proposed openstack/barbican: Adding ACL db model changes (Part 1)  https://review.openstack.org/16433418:47
openstackgerritArun Kant proposed openstack/barbican: Adding ACL db repository changes (Part 2)  https://review.openstack.org/16771218:48
openstackgerritArun Kant proposed openstack/barbican: Adding Secret ACL controller layer changes (Part 3)  https://review.openstack.org/16433518:48
openstackgerritArun Kant proposed openstack/barbican: Adding Container ACL controller layer changes (Part 4)  https://review.openstack.org/16520518:48
openstackgerritArun Kant proposed openstack/barbican: Adding policy layer changes for ACL support (Part 5)  https://review.openstack.org/16520718:48
*** jaosorior has quit IRC18:52
rm_workah was about to post comments on #2 ;p18:53
*** ametts has quit IRC18:59
arunkantrm_work, just resolved the merged conflict and need to apply in all 5 parts. So changes should be same as earlier patch. You can add them in earlier patch. I will reply and address in next patch if needed.19:00
rm_workyeah it's fine, was only a couple, ported them to the newest patchset and posted19:00
*** everjeje has quit IRC19:06
arunkantrm_work, can you check my reply comment regarding expiration on #2?19:10
rm_workah weird19:14
rm_worki could have sworn there was, from when I was writing the client code for it19:14
rm_workbut now i can't find any trace19:14
rm_workmust be going slightly nutty19:14
arunkantI see its applicable for secrets.19:14
rm_workyeah19:16
*** jsavak has quit IRC19:16
rm_workno, it is just my memory messing with me, i think19:17
rm_workyou're fine19:17
arunkantokay...thanks for checking19:17
openstackgerritAde Lee proposed openstack/barbican: Fix error in setting and updating ca and preferred ca tables  https://review.openstack.org/16947119:35
aleeredrobot, woodster_ jvrbanac, hockeynut ^^ a nice small patch to review please19:37
*** tkelsey has joined #openstack-barbican19:37
*** tkelsey has quit IRC19:41
hockeynutalee looks good, just waiting for the functional tests to agree :-)19:48
aleecool19:48
aleewoodster_, aargh .. one of your commits totally changed test_certificate_resources.py .. and now I have to try and merge ..19:50
*** paul_glass has quit IRC19:57
*** paul_glass has joined #openstack-barbican20:02
woodster_alee, sorry about that....I had to add tests to get coverage up to 100% and might have done some refactorings :\20:08
woodster_alee, sorry couldn't help with your db issue20:08
aleewoodster_, I resolved it -- see https://review.openstack.org/#/c/169471/20:09
aleewoodster_, please review20:09
woodster_alee, I see that...looking now20:10
aleewoodster_, I have done a bunch of refactoring too -- ie. replacing all mocks with real repos.20:10
aleewoodster_, so now I have to figure out how to merge your changes in20:10
woodster_alee, inspired by jvrbanac were you? :)20:11
aleewoodster_, sorta -- I realized I needed to fix the code to do some actual repo retrievals and that was hard to model with mocks20:12
aleewoodster_, plus the mocks really do hide errors as I found out20:12
aleewoodster_, I think I may end up throwing away your changes, applying mine and then re-adding your changes20:13
woodster_alee, jvrbanac and reaperhulk have been preaching that for a while over here...true unit testing with mocks is painful and error prone it seems20:13
woodster_alee, well I won't be too bummed if you replace them as long as the coverage is there20:14
aleewoodster_, yeah -- I've been converting a bunch of tests and have uncovered quite a few errors20:14
woodster_alee, I think some of those test classes were repository/database related ones already though20:19
openstackgerritThomas Herve proposed openstack/python-barbicanclient: Fix order listing on the command line.  https://review.openstack.org/16948120:22
*** jkf has quit IRC20:35
*** david-lyle has quit IRC20:40
openstackgerritMerged openstack/barbican: Imported Translations from Transifex  https://review.openstack.org/16918120:56
*** nkinder has quit IRC20:57
*** nkinder has joined #openstack-barbican20:57
*** dimtruck is now known as zz_dimtruck20:57
*** zz_dimtruck is now known as dimtruck20:58
*** chadlung has joined #openstack-barbican21:05
*** chadlung has quit IRC21:08
*** chadlung has joined #openstack-barbican21:08
*** xaeth is now known as xaeth_afk21:10
*** atiwari has quit IRC21:22
*** atiwari has joined #openstack-barbican21:24
openstackgerritMerged openstack/barbican: Adding reference doc page for containers  https://review.openstack.org/16899221:29
*** atiwari has quit IRC21:30
*** atiwari has joined #openstack-barbican21:31
*** xaeth_afk is now known as xaeth21:34
openstackgerritChelsea Winfree proposed openstack/barbican: Adding GET and DELETE for containers quickstart guide  https://review.openstack.org/16951821:40
*** nkinder has quit IRC21:42
*** chadlung has quit IRC21:51
*** paul_glass has quit IRC21:56
*** xaeth is now known as xaeth_afk22:06
openstackgerritMerged openstack/barbican: Fix error in setting and updating ca and preferred ca tables  https://review.openstack.org/16947122:12
*** alee has quit IRC22:21
*** nkinder has joined #openstack-barbican22:38
*** dimtruck is now known as zz_dimtruck22:47
*** dave-mccowan has quit IRC23:04
*** atiwari1 has joined #openstack-barbican23:16
*** atiwari has quit IRC23:18
*** tkelsey has joined #openstack-barbican23:38
*** tkelsey has quit IRC23:42
*** dave-mccowan has joined #openstack-barbican23:50
*** kebray has quit IRC23:54
« Monday, 2015-03-30 Index Wednesday, 2015-04-01 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!