Friday, 2016-08-26

« Thursday, 2016-08-25 Index Saturday, 2016-08-27 »
*** lixiaoy1 has quit IRC00:27
*** gyee has quit IRC00:28
*** su_zhang has quit IRC00:30
*** zz_dimtruck is now known as dimtruck00:51
*** dave-mccowan has quit IRC01:06
*** dimtruck is now known as zz_dimtruck01:08
*** chlong has joined #openstack-barbican01:19
*** dave-mccowan has joined #openstack-barbican01:29
*** jamielennox is now known as jamielennox|away01:50
*** jamielennox|away is now known as jamielennox02:00
*** diazjf has joined #openstack-barbican02:07
*** su_zhang has joined #openstack-barbican02:34
*** rm_work has quit IRC02:48
*** rm_work has joined #openstack-barbican02:52
*** ntpttr has quit IRC02:53
*** jamielennox is now known as jamielennox|away02:56
*** diazjf has quit IRC02:58
*** ntpttr has joined #openstack-barbican03:00
openstackgerritCao Xuan Hoang proposed openstack/barbican: TrivialFix: Remove logging import unused  https://review.openstack.org/36085903:02
*** jamielennox|away is now known as jamielennox03:10
openstackgerritCao Xuan Hoang proposed openstack/barbican: TrivialFix: Remove cfg import unused  https://review.openstack.org/36086503:17
*** chlong has quit IRC03:37
*** su_zhang has quit IRC03:49
*** su_zhang has joined #openstack-barbican03:49
*** su_zhang has quit IRC03:54
*** dave-mccowan has quit IRC04:09
*** chlong has joined #openstack-barbican04:10
*** su_zhang has joined #openstack-barbican04:15
*** jaosorior has joined #openstack-barbican04:46
*** su_zhang has quit IRC04:58
*** su_zhang has joined #openstack-barbican04:59
*** su_zhang has quit IRC05:03
openstackgerritOpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/35231505:06
*** chlong has quit IRC05:21
*** andreas_s has joined #openstack-barbican07:00
openstackgerritgengchc2 proposed openstack/castellan: Correct castellan reraising of exception  https://review.openstack.org/36092707:13
*** jaosorior is now known as jaosorior_brb07:22
*** openstackgerrit has quit IRC08:18
*** openstackgerrit has joined #openstack-barbican08:18
*** jaosorior_brb is now known as jaosorior08:59
*** tkelsey has joined #openstack-barbican09:32
*** xek has joined #openstack-barbican09:47
*** xek has quit IRC09:47
*** xek has joined #openstack-barbican09:48
*** shohel has joined #openstack-barbican11:35
*** jaosorior has quit IRC11:53
*** jaosorior has joined #openstack-barbican11:54
*** woodster_ has joined #openstack-barbican12:34
*** nkinder has joined #openstack-barbican12:37
*** alee has quit IRC12:54
*** dave-mccowan has joined #openstack-barbican13:12
openstackgerritPankaj Khandar proposed openstack/barbican: Remove consumer check for project_id to match containers  https://review.openstack.org/25116813:25
*** shohel has quit IRC13:44
*** alee has joined #openstack-barbican13:55
*** zz_dimtruck is now known as dimtruck14:06
*** dimtruck is now known as zz_dimtruck14:16
*** su_zhang has joined #openstack-barbican14:18
*** michauds has joined #openstack-barbican14:18
*** randallburt has joined #openstack-barbican14:20
*** randallburt1 has joined #openstack-barbican14:22
*** randallburt has quit IRC14:24
*** zz_dimtruck is now known as dimtruck14:24
*** spotz_zzz is now known as spotz14:26
*** su_zhang has quit IRC14:28
*** su_zhang has joined #openstack-barbican14:29
*** chlong has joined #openstack-barbican14:32
*** su_zhang has quit IRC14:33
*** rhagarty has quit IRC14:45
*** andreas_s has quit IRC14:56
*** hockeynut has joined #openstack-barbican15:03
*** michauds has quit IRC15:27
*** pcaruana has quit IRC15:33
*** rm_mobile has joined #openstack-barbican15:45
*** michauds has joined #openstack-barbican15:58
*** jaosorior has quit IRC15:58
*** chlong has quit IRC16:07
*** edtubill has joined #openstack-barbican16:08
*** nkinder has quit IRC16:15
*** chlong has joined #openstack-barbican16:19
*** diazjf has joined #openstack-barbican16:20
diazjfredrobot ping16:22
redrobotdiazjf pong sucka!16:22
diazjfredrobot, wassup man! yo, have you ever seen an instance where Barbican eats up like 60% CPU outputs no logs, is still running, simple_crypto and regular queue.16:23
redrobotdiazjf negative, I haven't done much with simple_crypto16:24
redrobotdiazjf maybe arunkant has some insight?16:24
diazjfredrobot, ok I did swap out the pkcs-11 plugin for simple since I thought it may have been the HSM, but still had problems16:24
diazjfarunkant, redrobot, http://paste.openstack.org/show/564020/16:25
*** hockeynut has quit IRC16:28
arunkantdiazjf, how are you running uwsgi..is it using nginx for webserver ? Are there 11 instances of uwsgi worker processes?16:29
diazjfarunkant webserver, we should only have 8 which are child and 2 master.16:32
*** dimtruck is now known as zz_dimtruck16:34
*** david-lyle has joined #openstack-barbican16:36
diazjfarunkant behavior only happens in 1/3 nodes, same deploy16:37
*** tkelsey has quit IRC16:39
*** nkinder has joined #openstack-barbican16:46
arunkantdiazjf : sorry..got distracted..not sure why cpu is taking as there is nothing much cpu intensive logic in barbican. Are you using threads by any chance?16:47
arunkantdiazjf: nothing else ring bells ..you may want to isolate whether cpu is taking time in user code or kernel calls. I think there is way to check that.16:49
arunkantredrobot: ping ..16:55
diazjfarunkant, thanks man. I'll keep debugging17:00
*** chlong has quit IRC17:02
*** su_zhang has joined #openstack-barbican17:03
openstackgerritPankaj Khandar proposed openstack/barbican: Remove consumer check for project_id to match containers  https://review.openstack.org/25116817:03
*** nkinder has quit IRC17:04
*** diazjf has quit IRC17:06
*** diazjf has joined #openstack-barbican17:16
*** zz_dimtruck is now known as dimtruck17:37
*** rm_mobile has quit IRC17:46
*** rm_mobile has joined #openstack-barbican17:46
*** rm_mobile has quit IRC17:46
*** rm_mobile has joined #openstack-barbican17:46
*** diazjf has quit IRC18:03
*** rm_mobile has quit IRC18:13
*** ntpttr has quit IRC18:27
*** ntpttr has joined #openstack-barbican18:28
*** ntpttr has quit IRC18:28
*** ntpttr- has joined #openstack-barbican18:28
*** phschwartz has quit IRC18:31
*** tkelsey has joined #openstack-barbican18:36
*** su_zhang has quit IRC18:40
*** tkelsey has quit IRC18:41
*** phschwartz has joined #openstack-barbican18:58
*** su_zhang has joined #openstack-barbican19:11
*** su_zhang has quit IRC19:16
*** michauds has quit IRC19:18
*** michauds has joined #openstack-barbican19:18
*** alee has quit IRC19:19
*** michauds has quit IRC19:22
*** michauds has joined #openstack-barbican19:23
*** spotz is now known as spotz_zzz19:32
*** jraim has quit IRC20:02
*** su_zhang has joined #openstack-barbican20:03
*** su_zhang has quit IRC20:08
*** alee has joined #openstack-barbican20:08
*** su_zhang has joined #openstack-barbican20:17
*** randallburt1 has quit IRC20:22
*** su_zhang has quit IRC20:27
*** jraim has joined #openstack-barbican20:35
*** edtubill has quit IRC20:50
*** spotz_zzz is now known as spotz20:55
redrobotarunkant pong20:57
arunkantredrobot : Hi doug.. I have question about procedure for getting exception for multiple backend reviews ..looks like newton feature freeze is on Aug 2920:59
openstackgerritMerged openstack/barbican: Updated from global requirements  https://review.openstack.org/35231520:59
redrobotarunkant Yeah, I think we may need one20:59
redrobotarunkant I'll look into it20:59
arunkantredrobot: All of the reviews are ready. It may still will take some time to get it reviewed though.21:00
redrobotarunkant looks like the first patch is failing the gate: https://review.openstack.org/#/c/348092/21:01
redrobotarunkant the other patches won't be able to land until that one passes since they depend on it21:01
arunkantredrobot: thanks. I have also added same item in next weeks meeting agenda .21:02
arunkantredrobot: I think its a temporary failure as it was passing earlier. If i remember execution was killed ..will check logs again.21:03
redrobotarunkant try a manual recheck, if not it's not going to get re-tested21:03
arunkantredrobot: okay ..just did it.. it was some random failure..21:05
*** su_zhang has joined #openstack-barbican21:17
*** su_zhang has quit IRC21:22
*** su_zhang has joined #openstack-barbican21:27
woodster_Just noticed that the secret store crypto adapter doesn't extend the secret store class!: https://github.com/openstack/barbican/blob/master/barbican/plugin/store_crypto.py#L5021:40
woodster_redrobot: arunkant alee ^^^^21:40
woodster_duck (tape) typing saves the day21:41
arunkantwoodster_ : yes..its special type of secret store plugin..adapter..which has its own plugin  for crypto operations , different from store operation21:43
woodster_arunkant: it should extend the secret store base like this one though: https://github.com/openstack/barbican/blob/master/barbican/plugin/kmip_secret_store.py#L14221:44
arunkantwoodster_ : kmip plugin , similar to dogtage kra plugin, does not have any separate crypto operations. All of its SecretStore API operations are self-contained .21:47
woodster_arunkant: store_crypto is an adapter between the higher level secret store plugins (KMIP, Dogtag are examples), and the lower level 'crypto' plugins (HSM, insecure software plugin). This call is what loads and locates those types of plugins: https://github.com/openstack/barbican/blob/master/barbican/plugin/store_crypto.py#L7621:49
arunkantwoodster_ , yes . In KMIP and dogtag , there is no separate encryption plugin used/needed . So we don't have similar plugin invoked when storing or reading it back.21:52
woodster_arunkant: my only point is that the store_crypto.py#L50 class above is a secret store class, that should extend the base one. It also needs to override the get_plugin_name() method you are adding, and then delegate to the lower level crypto plugin to get its plugin name. This is the part that was tricky the last time we spoke, as there can currently only be21:56
woodster_one store crypto adapter class, and one crypto plugin. So with the current code you can have BOTH a PKCS11 AND a software-only plugin21:56
*** su_zhang has quit IRC22:02
arunkantwoodster_ : So far, I see through there is logic to create crypto context for adapter plugins as they have additional functionality which is not there in base secret store plugins..e.g.https://github.com/openstack/barbican/blob/master/barbican/plugin/resources.py#L27022:03
woodster_arunkant: that's correct...they need more support to work as they are lower level...they don't store secrets for themselves, they rely on barbican to do that22:04
*** su_zhang has joined #openstack-barbican22:05
woodster_arunkant: so if you want both a PKCS11 and a software plugin installed (for example) you probably need to change things. Somehow you need to tell the secret store crypto adapter to use a specific crypto plugin I'd think. Maybe you've already crossed that bridge though22:06
arunkantwoodster_ : I don't have strong preference either way.. I can see the argument to have adapter kind of approach instead of direct sub-classing SecretStoreBase because of their differences in functionality22:06
woodster_arunkant: well technically that IS a secret store implementation, so it really should in the current implementation extend that base class. That's independent of the multi-backend changes you want to put in22:07
arunkantwoodster_ , yes, in multiple backend changes, that's why when we store secret store data..we store both plugin information i.e. store plugin and crypto_plugin22:08
arunkantSo even if store plugin is same for PKCS and software only plugin, we can find out which crypto plugin to use based on mapping data available in secret_stores table22:09
arunkantwoodster_ , I am talking about project level preference ..not in secrets side metadata. That is same as earlier.22:10
woodster_arunkant: so your part 3 CR addresses that then? At the end of the day, if you can test that both the PCKS11 and the simple crytpo plugins work at the same time, that's cool22:11
woodster_arunkant: I mean part 3 appears to address that...not a question sorry22:12
arunkantwoodster_ : yes it does..there are unit tests around that https://review.openstack.org/#/c/357544/3/barbican/tests/plugin/util/test_multiple_backends.py ( line 366 onwards)22:13
woodster_arunkant: I still don't see how the plugin name could be coming from the crypto adapter plugin though. I'd think you need to add your method at line 362 here: https://review.openstack.org/#/c/354285/10/barbican/plugin/interface/secret_store.py   ...to the crypto adapter plugin here:22:19
woodster_https://github.com/openstack/barbican/blob/master/barbican/plugin/store_crypto.py#L5022:19
woodster_arunkant: said another way, how is line #58 here getting invoked?: https://review.openstack.org/#/c/354285/10/barbican/plugin/crypto/simple_crypto.py22:20
arunkantwoodster_ , name comes from this logic ..https://review.openstack.org/#/c/357544/3/barbican/plugin/util/multiple_backends.py (line 160-162) . If secret store does not plugin name (which is the case for adapter plugin)..it uses crypto plugin name22:22
woodster_arunkant: ah ok I htink I got it...that's some stout logic in that file22:23
woodster_arunkant: so you've gotten pkcs11 and simple crypto running at the same time in the same instance then? sounds cool22:24
*** michauds has quit IRC22:25
arunkantwoodster_ , yes, I have verified via running functional tests in local environment against db and kmip device ..will further check by adding pkcs11 in mix next week22:26
*** dimtruck is now known as zz_dimtruck22:27
woodster_arunkant: sounds cool thanks22:48
*** spotz is now known as spotz_zzz23:03
*** jraim has quit IRC23:09
*** su_zhang has quit IRC23:51
*** su_zhang has joined #openstack-barbican23:56
*** su_zhang has quit IRC23:56
*** su_zhang has joined #openstack-barbican23:56
« Thursday, 2016-08-25 Index Saturday, 2016-08-27 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!