Friday, 2018-08-10

*** phuongnh has joined #openstack-barbican01:04
*** pcaruana has joined #openstack-barbican06:43
*** ducnv has quit IRC06:56
*** velizarx has joined #openstack-barbican07:05
*** jaosorior has quit IRC07:15
*** velizarx has quit IRC07:43
*** velizarx has joined #openstack-barbican07:50
*** salmankhan has joined #openstack-barbican09:09
*** pbourke has quit IRC09:16
*** pbourke has joined #openstack-barbican09:18
*** jaosorior has joined #openstack-barbican09:48
*** phuongnh has quit IRC10:04
*** serlex has joined #openstack-barbican10:25
*** dave-mccowan has joined #openstack-barbican10:55
*** dave-mccowan has quit IRC11:00
*** dave-mccowan has joined #openstack-barbican11:02
*** jaosorior has quit IRC12:03
*** vikram_darsi_ has joined #openstack-barbican12:12
vikram_darsi_Hi Team12:13
vikram_darsi_Any pointers on how to resolve this issue12:13
vikram_darsi_"ERROR barbicanclient.client [req-b3f2042b-608c-442b-a30b-6bc84b1dc143 admin admin] 4xx Client error: Not Found: Not Found. Sorry but your secret is in another castle."12:14
*** abishop has joined #openstack-barbican12:35
*** raildo has joined #openstack-barbican12:39
redrobotMan, some of our PKCS#11 tests are really terrible.12:59
*** velizarx has quit IRC13:19
*** velizarx has joined #openstack-barbican13:21
*** ade_lee has joined #openstack-barbican13:23
ade_leeredrobot, dave-mccowan ping -- rc1 day13:31
redrobot😳😳😳13:31
ade_leeredrobot, dave-mccowan still waiting on second +2 for https://review.openstack.org/#/c/575800/13:33
redrobotis it release day for castellan also?13:33
redrobotI thought the libs were due a while back?13:33
ade_leeredrobot, thats past -- I'll need to get a feature freeze exception13:34
redrobotgotcha13:34
ade_lee(been trying to push this change for awhile now)13:34
redrobotade_lee, ack, looking now... give me a sec to refresh my mind on cryptography.io rsa13:51
ade_leeredrobot, dave-mccowan -- also need feedback on https://review.openstack.org/#/c/58810414:14
dave-mccowanare you going for a FFE for the client?14:28
dave-mccowan.. in addition to castellan14:29
redrobotade_lee, merged the Castellan change.  RE: Validation, I think that in general, it's better to re-wrap exceptions though.14:34
ade_leeredrobot, we can do that in stein when we add the vault gate14:34
*** serlex has quit IRC14:35
ade_leedave-mccowan, I think so14:35
ade_leedave-mccowan, redrobot whats the process for getting a FFE?14:35
redrobotI'll take a look at that barbicanclient change later today after I finish updating my patch.14:35
redrobotade_lee, eeeeh... it's been a while since I've had to do that.  I think email the ML?14:35
ade_leeredrobot, if you dont mind, please look at the client change first - in case I need to do some hoops to get a FFE14:36
redrobotade_lee, ack... I'll bump it up then.14:36
ade_leedave-mccowan, please look too.  the client change changes behavior - so I want to be sure to get input from multiple sources14:37
ade_leedave-mccowan, do you know if there is a process other than emailing ML for FFE?14:38
*** velizarx has quit IRC14:39
*** salmankhan has quit IRC14:43
*** salmankhan has joined #openstack-barbican14:49
ade_leedave-mccowan, redrobot so -- maybe we push for FFE for the castellan change , but wait for the barbican-client one?14:52
ade_leeas the barbican-client one is a bug fix, we can always backport to rocky later once requirements repo is opened up again14:53
ade_leerm_work, will that work for you guys?14:53
*** vikram_darsi_ has quit IRC15:19
ade_leedave-mccowan, redrobot ping16:35
ade_leedave-mccowan, redrobot let me know when ya'll are back -- gotta talk rc116:49
*** rmcall has quit IRC16:50
* ade_lee getting lunch16:55
*** salmankhan has quit IRC16:58
redrobotade_lee, what's up?17:11
redroboteh, just missed you...17:16
ade_leeredrobot, dave-mccowan so I put up the email for the FFE for castellan17:47
redrobotade_lee, need +1s?17:48
ade_leeredrobot, dave-mccowan not going to do the same for the barbican-client change17:48
ade_leeredrobot, well - actually, right now , we need to figure out why its not merging ..17:48
ade_leeis. passing gate17:48
ade_leeso need some help with that ..17:49
ade_leeredrobot, for barbican rc1, I think the only change I'm really looking to get in is your change for thales17:49
ade_leeredrobot, if we can get it merged early next week, then I'll wait till then to cut rc1.  otherwise, we'll have to plan to have rc217:50
ade_leeand cut rc1 today17:50
redrobotade_lee, ack, I just have to clean up some pep8 errors and I'll get the non-WIP patch up17:50
ade_leeredrobot, ok - I'll review as soon as you get it up17:51
ade_leeredrobot, in the meantime though, any idea whats going on for castellan patch?17:51
ade_leeredrobot, dave-mccowan -- http://logs.openstack.org/00/575800/3/gate/castellan-functional-devstack/3168702/controller/logs/screen-barbican-svc.txt.gz#_Aug_10_16_23_10_11376817:54
dave-mccowan\o17:54
redrobotade_lee, weird... maybe a race condition where two secret stores in parallel are both successfully creating a kek ?17:55
ade_leeredrobot, yeah - I dont know .. trying one more recheck ..17:57
ade_leedave-mccowan, so just to re-iterate above17:58
ade_leedave-mccowan, for rc1, I'm basically waiting for redrobot fix for thales17:58
ade_leedave-mccowan, once that is in - I will cut rc117:58
ade_lee(rather than cutting today and re-cut next week for rc2)17:59
ade_leedave-mccowan, also -- if you can help figure out whats fgoing on in castellan patch not merging that would be great ..17:59
ade_leegonna try one more recheck -- but I'm a little at a loss ..18:02
dave-mccowani remember having that problem with find_or_create() before, with other objects.18:03
ade_leedave-mccowan, oh?  what was the issue/fix?18:04
dave-mccowanade_lee maybe this fix https://review.openstack.org/#/c/515339/18:07
dave-mccowanlol... no wonder it looks familiar: https://bugs.launchpad.net/barbican/+bug/172637818:08
openstackLaunchpad bug 1726378 in Barbican "MultipleResultsFound error in _find_or_create_kek_objects()" [High,Triaged]18:08
dave-mccowanade_lee at least we know it's nothing new18:09
ade_leedave-mccowan, um yeah --18:10
ade_leeso how did we get around it?18:10
*** raildo_ has joined #openstack-barbican18:10
ade_leecoz its rearing its ugly head again?18:11
dave-mccowani think all the timing bugs come out during release week.  probably the timing changes when zuul is under higher load.  (or gremlins)18:12
*** raildo has quit IRC18:14
ade_leedave-mccowan, so recheck till it works?18:14
dave-mccowanwith fingers crossed18:14
ade_leeugh .. I guess the fix is to put some sort of lock there ..18:20
dave-mccowanyea, i'd think the whole point of a create_or_get() function would be to make it atomic.18:21
openstackgerritDoug Hellmann proposed openstack/castellan master: add python 3.6 unit test job  https://review.openstack.org/58958718:34
openstackgerritDouglas Mendizábal proposed openstack/barbican master: Refactor PKCS#11 to allow configurable mechanisms  https://review.openstack.org/59004219:16
redrobotade_lee, dave-mccowan ^^19:17
*** pcaruana has quit IRC19:19
ade_leeredrobot, ack -- looking19:26
ade_leeredrobot, ping19:28
ade_leeredrobot, so -- with the sensitive/not-sensitive change - you no longer needed that special directive for thales hsm?19:29
ade_leeredrobot, do you recall if changing this would break safenet?19:29
redrobotade_lee, that's correct, we shouldn't need to override the Thales sanity check19:37
redrobotade_lee, as far as I can tell it shouldn't break anything.19:37
redrobotthere's a few attributes on the keks that barbican could read now instead of just being able to extract the key, but I don't think it matters19:38
ade_leeredrobot, ok19:39
ade_leeredrobot, you tested all this presumably against thales?19:40
ade_leeredrobot, made one comment ..19:41
redrobotade_lee, yep, well, patch 119:41
redrobotade_lee, ah yes, good catch, let me fix that real quick19:41
ade_leeredrobot, well -- I pointed out something that might have ended up breaking up -- so maybe we should test patch 219:42
ade_lee(or 3) in this case ..19:42
ade_leedoes passing an extra non-defined param result in a runtime  exception?19:43
openstackgerritDouglas Mendizábal proposed openstack/barbican master: Refactor PKCS#11 to allow configurable mechanisms  https://review.openstack.org/59004219:43
redrobotade_lee, yeah19:43
ade_leeredrobot, I'll +2 once you confirm that it all works against thales ..19:44
ade_lee(including barbican-manage :))19:44
redrobotade_lee, for sure.  I have to run to the vet with my cat right now, but i'll be back before too long.19:46
ade_leeredrobot, ok- just update on patch and/or irc19:46
ade_leedave-mccowan, please review19:47
ade_leewe might even get this tagged today :/19:47
*** ade_lee has quit IRC20:25
*** raildo_ has quit IRC20:41
*** abishop has quit IRC20:47
openstackgerritMerged openstack/castellan master: Add code to generate private keys  https://review.openstack.org/57580021:09
*** dave-mccowan has quit IRC21:24
*** dave-mccowan has joined #openstack-barbican21:28
rm_workredrobot / dave-mccowan i guess that's fine, though we'd like to get it in ASAP and backport as far as possible :/21:30
*** dave-mccowan has quit IRC22:19

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!