| *** tosky has quit IRC | 00:07 | |
| *** redrobot has quit IRC | 01:07 | |
| *** jmlowe has quit IRC | 04:42 | |
| *** pcaruana has joined #openstack-barbican | 05:43 | |
| *** Luzi has joined #openstack-barbican | 06:00 | |
| *** openstackstatus has joined #openstack-barbican | 06:08 | |
| *** ChanServ sets mode: +v openstackstatus | 06:08 | |
| *** pcaruana has quit IRC | 06:56 | |
| *** dpawlik has joined #openstack-barbican | 07:03 | |
| *** dpawlik has quit IRC | 07:43 | |
| *** dpawlik has joined #openstack-barbican | 07:44 | |
| *** ivve has joined #openstack-barbican | 08:17 | |
| *** tosky has joined #openstack-barbican | 08:26 | |
| *** pcaruana has joined #openstack-barbican | 08:36 | |
| openstackgerrit | Lingxian Kong proposed openstack/barbican master: Improve devstack script for vault plugin https://review.opendev.org/682520 | 08:58 |
|---|---|---|
| *** lxkong has joined #openstack-barbican | 08:59 | |
| *** Luzi has quit IRC | 09:04 | |
| *** Luzi has joined #openstack-barbican | 09:19 | |
| *** Luzi has quit IRC | 09:21 | |
| *** njohnston_ has joined #openstack-barbican | 09:53 | |
| *** njohnston has quit IRC | 09:54 | |
| *** dpawlik has quit IRC | 10:45 | |
| *** dpawlik has joined #openstack-barbican | 11:21 | |
| *** dpawlik has quit IRC | 11:26 | |
| *** awalende has joined #openstack-barbican | 11:28 | |
| *** dpawlik has joined #openstack-barbican | 11:30 | |
| *** raildo has joined #openstack-barbican | 11:57 | |
| *** dpawlik has quit IRC | 12:28 | |
| *** dpawlik has joined #openstack-barbican | 12:31 | |
| *** dave-mccowan has joined #openstack-barbican | 12:34 | |
| *** redrobot has joined #openstack-barbican | 13:03 | |
| redrobot | #startmeeting barbican | 13:03 |
| openstack | Meeting started Tue Nov 19 13:03:11 2019 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. | 13:03 |
| openstack | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 13:03 |
| *** openstack changes topic to " (Meeting topic: barbican)" | 13:03 | |
| openstack | The meeting name has been set to 'barbican' | 13:03 |
| redrobot | #topic Roll Call | 13:03 |
| *** openstack changes topic to "Roll Call (Meeting topic: barbican)" | 13:03 | |
| redrobot | Courtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work xek | 13:04 |
| raildo | o/ | 13:05 |
| redrobot | Looks like it's just you and me raildo | 13:06 |
| raildo | redrobot, hum... so... let's have a dinner? talk about the new pokemon game? | 13:07 |
| redrobot | hahaha | 13:07 |
| redrobot | raildo, did you get Sword or Shield? | 13:07 |
| raildo | redrobot, jk, I don't have any topic to the meeting and I already read your summit recap, but I'm fine if you want to talk about any other topic :) | 13:07 |
| redrobot | I think we can just skip today. | 13:08 |
| redrobot | Maybe just a quick update on | 13:08 |
| redrobot | #topic Secret Consumers | 13:08 |
| *** openstack changes topic to "Secret Consumers (Meeting topic: barbican)" | 13:08 | |
| raildo | redrobot, I didn't bought the game, but I'm playing Death Stranding this last days and I'm about to ask for some PTO to finish playing it... what a game | 13:08 |
| redrobot | moguimar has a couple of patches under review still | 13:08 |
| raildo | redrobot, let's do it :) | 13:08 |
| raildo | I can review it as well, if you want to | 13:09 |
| redrobot | Also ade_lee and I talked to moguimar about getting a microversion in front of the Secret Consumer stuff | 13:09 |
| redrobot | that's it for the update | 13:09 |
| redrobot | #topic Games | 13:09 |
| *** openstack changes topic to "Games (Meeting topic: barbican)" | 13:09 | |
| redrobot | raildo, I heard Death Stranding got really bad reviews | 13:09 |
| raildo | redrobot, well, it's totally different for everything that I've played before, so I can understand those reviews | 13:10 |
| redrobot | raildo, heh, interesting. I'm a fan of Norman Reedus, so maybe I should check it out ... | 13:12 |
| redrobot | but then again I don't have a PS4 | 13:12 |
| redrobot | :-\ | 13:12 |
| raildo | redrobot, ack, do you guys have made a microversion for barbican before? I mean, it will not be a big deal for you guys, is that correct? | 13:12 |
| redrobot | raildo, we've never had a microversion before | 13:12 |
| redrobot | but I don't think it should be too hard | 13:12 |
| redrobot | just route to the path and then check the header? | 13:12 |
| redrobot | I'll have to look at what other projects are doing | 13:12 |
| redrobot | the PITA part is that we use Pecan | 13:13 |
| redrobot | because old-school OpenStack said so. :-| | 13:13 |
| raildo | redrobot, hum, kinda... I think that we made once for Keystone, and it was not that simple, but nothing on keystone is simple haha | 13:13 |
| redrobot | lol | 13:13 |
| raildo | redrobot, but it worth giving a research on this microversion stuff on Openstack, just to confirm that will not be a PITA | 13:14 |
| redrobot | raildo, yep, good point | 13:15 |
| raildo | redrobot, but let's talk about what is important, I'm already raising money for my PS5 :) | 13:15 |
| redrobot | #action redrobot and moguimar to look into microversion stuff | 13:15 |
| redrobot | raildo, π€£π€£π€£ | 13:16 |
| redrobot | I'm still trying to justify to the Mrs why a new Switch game keeps showing up every two weeks, lol | 13:16 |
| redrobot | Alrighty, thanks for coming raildo... see you online! | 13:17 |
| redrobot | #endmeeting | 13:17 |
| *** openstack changes topic to "OpenStack Barbican Train Cycle Development - Weekly Meeting Agenda: https://etherpad.openstack.org/p/barbican-weekly-meeting" | 13:17 | |
| openstack | Meeting ended Tue Nov 19 13:17:19 2019 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 13:17 |
| openstack | Minutes: http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-11-19-13.03.html | 13:17 |
| openstack | Minutes (text): http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-11-19-13.03.txt | 13:17 |
| openstack | Log: http://eavesdrop.openstack.org/meetings/barbican/2019/barbican.2019-11-19-13.03.log.html | 13:17 |
| raildo | redrobot, see ya, have a good one! | 13:17 |
| *** redrobot has quit IRC | 13:21 | |
| *** awalende has quit IRC | 13:26 | |
| efried_pto | o/ barbican, anyone still around? | 13:28 |
| *** efried_pto is now known as efried | 13:28 | |
| efried | raildo? | 13:29 |
| raildo | efried, hey | 13:29 |
| efried | Hi! I'm Eric, generally work in Nova, working on a feature that needs to talk to barbican (via standard key-manager API) which is really new to me, hoping to get a little... hand-holding :) | 13:30 |
| efried | I'm trying to get devstack to produce a barbican endpoint for me. I started by adding this to my local.conf: | 13:31 |
| efried | PROJECTS="openstack/barbican $PROJECTS" | 13:31 |
| efried | enable_plugin barbican https://opendev.org/openstack/barbican | 13:31 |
| raildo | efried, cool, do you have a spec link, or any patch to be reviewed? I can point for some folks to help you with that | 13:32 |
| raildo | ade_lee, dave-mccowan ^^ | 13:32 |
| efried | I would be happy to have some more eyes on the spec (https://review.opendev.org/#/c/686804/) but that's not really why I'm here. | 13:33 |
| raildo | efried, well, understanding the context always make easier to help you :) | 13:34 |
| efried | I think I understand the principle well enough from a design perspective - and even code (https://review.opendev.org/#/c/631363/32/nova/crypto.py) - to make it work in real life. | 13:34 |
| efried | At the moment I'm just trying to do some local testing, so I need a real(ish) barbican service to be alive in my devstack. | 13:34 |
| *** redrobot has joined #openstack-barbican | 13:36 | |
| efried | The TL;DR on the design is this: | 13:36 |
| efried | I want libvirt to produce a particular kind of virtual device for the VM, and I want it to encrypt the contents of that virtual device on the host disk so it's "safer". I want to use a passphrase to do that, and that passphrase is to be maintained in the keymgr service. | 13:36 |
| redrobot | β | 13:36 |
| raildo | efried, have you checked this link: https://docs.openstack.org/barbican/latest/contributor/devstack.html? | 13:36 |
| efried | o/ redrobot! | 13:36 |
| raildo | redrobot, hey, efried is trying to get a barbican endpoint with devstack | 13:37 |
| redrobot | ack | 13:37 |
| raildo | redrobot, spec review https://review.opendev.org/#/c/686804/ | 13:37 |
| redrobot | yeah, that link should be the one ... but there's a good chance it may be a bit outdated | 13:37 |
| efried | raildo: aha, no :) I started by looking at a barbican CI job to find those local.conf plugin lines, and then when that wasn't working I looked at https://docs.openstack.org/barbican/latest/install/install-ubuntu.html -- which is clearly non-devstack-oriented. | 13:38 |
| efried | btw, with the aforementioned lines in my local.conf | 13:39 |
| efried | PROJECTS="openstack/barbican $PROJECTS" | 13:39 |
| efried | enable_plugin barbican https://opendev.org/openstack/barbican | 13:39 |
| efried | ...stacking "succeeded" but my barbican service seemed ill. Endpoints and confs look okay, but these services appeared: | 13:39 |
| efried | devstack@barbican-keystone-listener.service devstack@barbican-retry.service devstack@barbican-svc.service | 13:39 |
| efried | IIUC I should be seeing at least one more service, barbican-worker? | 13:39 |
| redrobot | efried, not necessarily ... barbican-worker is only needed when barbican-svc is configured to use rabbit | 13:41 |
| redrobot | efried, I think by default it does not use rabbit | 13:41 |
| efried | o, okay. | 13:41 |
| *** awalende has joined #openstack-barbican | 13:41 | |
| redrobot | svc should be listening on 9311 | 13:41 |
| efried | Well, horrible things seemed to be happening in the logs: | 13:42 |
| efried | Fri Nov 15 12:23:27 2019 - uWSGI worker 2 screams: UAAAAAAH my master disconnected: i will kill myself !!! | 13:42 |
| *** awalende has quit IRC | 13:42 | |
| *** awalende has joined #openstack-barbican | 13:42 | |
| tosky | argh, I missed the meeting | 13:44 |
| *** ade_lee has quit IRC | 13:44 | |
| redrobot | tosky, you can add yourself to the ping reminder if you want to be pinged next week: https://etherpad.openstack.org/p/barbican-weekly-meeting | 13:46 |
| redrobot | efried, ugh, yeah uwsgi does not seem happy | 13:46 |
| redrobot | efried, is there anything under /var/log/barbican/main.log ? | 13:46 |
| tosky | redrobot: I've just one review (right now) | 13:46 |
| redrobot | tosky, link? | 13:46 |
| efried | redrobot: I don't have a /var/log/barbican directory | 13:46 |
| tosky | redrobot: https://review.opendev.org/#/c/690123/ | 13:46 |
| redrobot | tosky, I'll take a look | 13:47 |
| tosky | redrobot: the idea is to backport it to all supported branches (so up to rocky, now that queens is in EM) | 13:47 |
| redrobot | efried, oh it's devstack huh ... | 13:47 |
| redrobot | efried, anything in the barbican-svc screen? | 13:47 |
| redrobot | efried, the uwsgi log is not helpful, but barbican-api should be logging why it's dying | 13:48 |
| efried | oo, this looks promising: !!! UNABLE to load uWSGI plugin: ./python_plugin.so: cannot open shared object file: No such file or directory !!! | 13:48 |
| efried | redrobot: I don't have a barbican-api (as a systemctl service, anyway) | 13:49 |
| redrobot | aha! that would definitely be an issue | 13:49 |
| redrobot | sorry, barbican-svc | 13:49 |
| efried | okay, so what's ./python_plugin.so? The name and lack of path will make it hard to track down (/me gets Sherlock cap & pipe) | 13:50 |
| efried | I'm afraid this might be messier than it should be due to a few false starts, but here's the whole -svc journal: | 13:53 |
| efried | http://paste.openstack.org/show/786346/ | 13:53 |
| redrobot | efried, what OS are you using? | 13:53 |
| efried | ubuntu bionic | 13:53 |
| redrobot | efried, ImportError: No module named barbican.api.app ... that's strange | 13:54 |
| *** abishop has left #openstack-barbican | 13:54 | |
| redrobot | I wonder if this is a Python2 vs Python3 issue? | 13:54 |
| redrobot | seems uwsgi is attempting to run under Python 2 | 13:54 |
| efried | that's entirely possible. This machine has been devstack'd before | 13:54 |
| efried | I've clean'd and restacked with USE_PYTHON3=true, but I'm not sure it really took. | 13:55 |
| redrobot | Try pip3 list to see if barbican is there? | 13:55 |
| efried | barbican (9.0.1.dev17, /opt/stack/barbican) | 13:55 |
| efried | python-barbicanclient (4.9.1.dev7, /opt/stack/python-barbicanclient) | 13:55 |
| efried | (barbicanclient might be left over from when I was dorking with OSC) | 13:56 |
| redrobot | so, guessing that pip2 list doesn't have it (hence uwsgi not finding it) | 13:56 |
| redrobot | I'm not sure how to reconfigure uwsgi to use python3 though | 13:56 |
| efried | true story, pip2 only shows python-barbicanclient. | 13:56 |
| efried | redrobot: I don't mind doing a full restack here if that's simplest. | 13:56 |
| redrobot | efried, quick and dirty would be to pip2 install -e path/to/barbican | 13:57 |
| redrobot | and restart the service | 13:57 |
| redrobot | if that doesn't work, then yeah, re-stack | 13:57 |
| efried | and when I restack, should I... not try to USE_PYTHON3? | 13:58 |
| redrobot | efried, PYTHON3 thing should work ... not sure why it didn't for you. :( | 13:59 |
| redrobot | efried, https://opendev.org/openstack/barbican/src/branch/master/playbooks/legacy/barbican-devstack-functional-base/run.yaml#L50 | 13:59 |
| *** njohnston_ is now known as njohnston | 14:00 | |
| * moguimar is one hour late again | 14:01 | |
| efried | redrobot: okay, I've seen that var before, perhaps I can add that to my local.conf and things will be better... | 14:02 |
| * efried restacks | 14:03 | |
| * redrobot crosses fingers π€π€ | 14:04 | |
| efried | Poor suicidal uwsgi, she didn't deserve that. | 14:04 |
| *** ade_lee has joined #openstack-barbican | 14:18 | |
| *** ade_lee_ has joined #openstack-barbican | 14:22 | |
| *** awalende has quit IRC | 14:25 | |
| *** awalende has joined #openstack-barbican | 14:26 | |
| *** ade_lee has quit IRC | 14:26 | |
| *** jaosorior has joined #openstack-barbican | 14:49 | |
| *** dpawlik has quit IRC | 15:11 | |
| rm_work | efried: you can maybe also look at what Octavia does, we have barbican Gates and use it in devstack a lot | 15:24 |
| rm_work | But I don't think it's really anything more than what you listed | 15:24 |
| efried | rm_work: okay, thanks for the tip. FWIW I did a full clean and restack with both of the py3 vars set, and ended up in the same place (uwsgi hates life because that .so is missing because, I think, it's trying to run under py2 whereas barbican is installed as py3). | 15:25 |
| rm_work | I use https://GitHub.com/rm-you/devstack_deploy to deploy my own devstacks and it does barbican stuff | 15:25 |
| efried | redrobot, raildo: FYI ^ | 15:25 |
| rm_work | I haven't updated it in a while but the core idea is that it's very simple | 15:25 |
| rm_work | Hmm weird | 15:26 |
| rm_work | Yeah I don't think I've done devstack with python3 yet unless that's the default | 15:26 |
| efried | yeah, we think I'm having simply a py2/3 conflict. | 15:26 |
| efried | heh, it's about to be | 15:26 |
| rm_work | My devstack strategy is to do the absolute most minimal amount of local config possible to make it spin up | 15:26 |
| rm_work | Because that seems to work best π | 15:27 |
| efried | That's a sound philosophy. | 15:27 |
| efried | Unfortunately, I've already done a bunch of finagling to try to get my devstack up with some... "experimental" pieces | 15:27 |
| efried | in particular, a locally-compiled libvirt & qemu | 15:27 |
| rm_work | But hmm, I don't know if our barbican gate is py3 or not, if it isn't it will be very shortly tho | 15:27 |
| efried | whether you like it or not https://review.opendev.org/#/c/649097 :P | 15:28 |
| rm_work | So I think it should work | 15:28 |
| rm_work | Heh | 15:28 |
| efried | well, *something* ain't working | 15:28 |
| rm_work | I should try a test patch in our gates that requires that | 15:28 |
| efried | latest run included: | 15:28 |
| efried | USE_PYTHON3=True | 15:28 |
| efried | DEVSTACK_GATE_USE_PYTHON3=True | 15:28 |
| efried | RECLONE=True | 15:28 |
| efried | PROJECTS="openstack/barbican $PROJECTS" | 15:28 |
| efried | enable_plugin barbican https://opendev.org/openstack/barbican | 15:29 |
| efried | and bailed with | 15:30 |
| efried | Nov 19 09:18:41 canuc devstack@barbican-svc.service[4423]: open("./python_plugin.so"): No such file or directory [core/utils.c line 3721] | 15:30 |
| efried | Nov 19 09:18:41 canuc devstack@barbican-svc.service[4423]: !!! UNABLE to load uWSGI plugin: ./python_plugin.so: cannot open shared object file: No such file or directory !!! | 15:30 |
| efried | and | 15:30 |
| efried | Nov 19 09:18:41 canuc devstack@barbican-svc.service[4423]: unable to load app 0 (mountpoint='') (callable not found or import error) | 15:30 |
| efried | Nov 19 09:18:41 canuc devstack@barbican-svc.service[4423]: No module named barbican.api.app | 15:30 |
| rm_work | let me look again at our config | 15:32 |
| rm_work | yeah nothing special :/ | 15:36 |
| rm_work | devstack gate job literally just adds barbican as a required project, nothing else it seems... and should be py3 | 15:37 |
| johnsom | That is a missing bindep. It is the python3-dev package I think | 15:37 |
| *** ivve has quit IRC | 15:37 | |
| johnsom | I am not 100% sure what installs it for the gates | 15:38 |
| rm_work | we pull in `python3-sphinxcontrib-svg2pdfconverter-common`, i wonder if that does it via recursive deps | 15:39 |
| rm_work | hmm but that's rpm platform, not dpkg, so ubuntu doesn't use it | 15:39 |
| johnsom | That is new for the pdf docs, I doubt it | 15:40 |
| johnsom | I thought it was in the devstack bindep.txt, but I canβt look at the moment | 15:41 |
| johnsom | Zuul ansible also still installs some stuff, it might be in there | 15:42 |
| rm_work | i don't even see a bindep in devstack | 15:43 |
| rm_work | hmm, tempest requires it | 15:45 |
| rm_work | https://github.com/openstack/tempest/blob/master/bindep.txt#L10 | 15:46 |
| rm_work | so possibly as a side-effect of the only gates that we use barbican being tempest gates | 15:46 |
| rm_work | ah also oslo.utils | 15:46 |
| rm_work | and openstack-zuul-jobs ?? | 15:47 |
| rm_work | and python-novaclient <_< | 15:47 |
| rm_work | so like | 15:47 |
| rm_work | a ton of stuff should be requiring it -- it might be some other issue, my guess is that it'd be installed | 15:47 |
| efried | rm_work: the problem doesn't seem to be that *barbican* isn't installing as py3 - pip3 shows it. | 15:49 |
| efried | The problem seems to be that some component of the -svc is running under or expecting py2. | 15:50 |
| efried | like ... uwsgi? | 15:50 |
| rm_work | yeah i mean it's possible it's missing a dep | 15:50 |
| *** pcaruana has quit IRC | 15:50 | |
| rm_work | and so uwsgi is failing to run stuff right | 15:51 |
| rm_work | not sure | 15:51 |
| *** pcaruana has joined #openstack-barbican | 15:51 | |
| efried | stack@canuc:~/devstack$ cat /usr/local/bin/barbican-wsgi-api | 15:51 |
| efried | #!/usr/bin/python3.6 | 15:51 |
| efried | ... | 15:51 |
| efried | that looks okay | 15:51 |
| efried | let me try something redrobot suggested earlier - pip2 installing barbican and restarting the service. That seems... wrong, but if it makes things work for me, I guess it's good enough for now. I'm not trying to make this happen in the gate (yet). | 15:53 |
| efried | I... think that worked | 15:55 |
| efried | openstack secret list <== no output (before it was giving a 5xx) | 15:55 |
| rm_work | woo | 15:56 |
| rm_work | weird tho :/ | 15:57 |
| rm_work | so, maybe for you this is fine for now and you just want to get it working so you can test your thing | 15:57 |
| redrobot | efried, seems the issue is that uwsgi is running on py2 | 15:57 |
| rm_work | but i hope this is not an upcoming gate issue | 15:57 |
| redrobot | rm_work++ | 15:57 |
| efried | yeah, it looks like it just might be. | 15:58 |
| efried | It should be easy to propose a sniffer patch that adds USE_PYTHON3=True to one of the barbican jobs, no? | 15:58 |
| efried | better yet, an empty patch that Depends-On: https://review.opendev.org/#/c/649097 ? | 15:58 |
| * efried ==> mtg | 15:59 | |
| *** awalende has quit IRC | 16:01 | |
| efried | Things seem to be working from OSC, I was able to create and retrieve a secret. Thanks for the help redrobot, rm_work, raildo! | 16:06 |
| efried | Do you want me to try to break the gate with py3? | 16:07 |
| raildo | awesome :) | 16:07 |
| redrobot | efried, yes, please do! :D | 16:07 |
| efried | k, I'm not 100% sure how best to do that, but I'll try. | 16:07 |
| efried | next thing I'm going to need to figure out is how to set up my nova.conf properly to talk to barbican via keymgr api... | 16:08 |
| redrobot | efried, are you using python-barbicanclient or openstacksdk? | 16:08 |
| *** awalende has joined #openstack-barbican | 16:08 | |
| efried | redrobot: Um, the 'openstack' command, whatever that's doing under the covers. | 16:10 |
| efried | oh | 16:10 |
| efried | sorry | 16:10 |
| efried | from nova | 16:10 |
| efried | from nova I'm using the key manager API. | 16:10 |
| redrobot | openstack cli == python-barbicanclient | 16:11 |
| redrobot | not sure what you mean by "key manager API" | 16:11 |
| redrobot | we have 3 clients -___- | 16:11 |
| efried | sorry, I'm multitasking, which I suck at. | 16:11 |
| efried | redrobot: castellan.key_manager | 16:12 |
| efried | .API() | 16:12 |
| *** awalende has quit IRC | 16:12 | |
| redrobot | efried, ah, that one | 16:12 |
| *** awalende has joined #openstack-barbican | 16:12 | |
| efried | https://review.opendev.org/#/c/631363/32/nova/crypto.py | 16:12 |
| *** awalende has quit IRC | 16:13 | |
| redrobot | efried, https://docs.openstack.org/castellan/train/user/index.html#authentication | 16:13 |
| *** awalende has joined #openstack-barbican | 16:14 | |
| *** awalende has quit IRC | 16:14 | |
| efried | redrobot: so in this case what's important is that nova be talking to barbican on behalf of the *user*. So it sounds like I want | 16:15 |
| efried | [key_manager] | 16:15 |
| efried | auth_type = 'token' | 16:15 |
| efried | and that's all. Does that sound right to you? | 16:15 |
| efried | and it defaults to barbican as the backend iiuc | 16:15 |
| redrobot | efried, if it's Castellan->Barbican then token won't work, b/c you'd need a keystone token, and that'll expire at some point (I think) | 16:16 |
| efried | ohh, so I actually need to recreate the API() every time I want to chat? | 16:16 |
| * redrobot grumbles something about efried asking hard questions ... | 16:17 | |
| efried | wait, then why would the keymgr methods take a `context` param. | 16:17 |
| efried | yeah, and the API() bootstrap doesn't | 16:18 |
| redrobot | efried, context is a bit of a misnomer. context should be "auth" | 16:18 |
| redrobot | and that could be password or token or whatever | 16:18 |
| efried | time to hack up a test program | 16:19 |
| *** awalende has joined #openstack-barbican | 16:19 | |
| rm_work | efried: for octavia we do "on-behalf-of" and kinda hijack the user's context from their request | 16:19 |
| redrobot | efried, if I recall correctly, https://opendev.org/openstack/castellan/src/branch/master/castellan/common/utils.py#L95 was supposed to abstract auth away from client code | 16:20 |
| redrobot | so you call that function | 16:20 |
| redrobot | to get a context | 16:20 |
| redrobot | which looks at your conf | 16:20 |
| rm_work | but nova wouldn't be able to do that with no existing request context | 16:20 |
| redrobot | and picks out the right thing | 16:20 |
| efried | I don't know what "on-behalf-of" is, but hijacking the user's context is exactly what needs to happen here. | 16:20 |
| efried | rm_work: Yes, I do have the user's request context. | 16:20 |
| rm_work | ah so yeah that's what we do | 16:20 |
| redrobot | for the record, hijacking context from user probably won't work with anything other than Castellan->Barbican | 16:21 |
| redrobot | e.g. you can't hijack context for Castellan->Vault | 16:21 |
| redrobot | or rather, it would be ignored | 16:21 |
| redrobot | for the Vault case | 16:21 |
| * redrobot realizes Castellan auth is still kind of a mess | 16:21 | |
| efried | that's an interesting data point, gtk. Cause my actual use case (customer) is using a home-grown secret service. | 16:22 |
| redrobot | efried, in that case, you'll probably need a custom Castellan backend for that secret service | 16:23 |
| redrobot | and when you write that you can decide what to do with context (if anything at all) | 16:24 |
| efried | Okay, pawing through the code, it looks like the barbican backend methods are set up to dtrt with `context` (without involving that credential_factory thing) | 16:29 |
| efried | ...but based on the class name being exactly 'RequestContext' :( | 16:29 |
| efried | which it happens to be in nova, but seemingly by luck | 16:29 |
| efried | this seems to gel with how the libvirt compute driver is using the keymgr for encrypted lvm, so <shrug> | 16:31 |
| *** jmlowe has joined #openstack-barbican | 16:33 | |
| *** jaosorior has quit IRC | 16:48 | |
| *** jaosorior has joined #openstack-barbican | 17:02 | |
| *** awalende has quit IRC | 17:09 | |
| *** awalende has joined #openstack-barbican | 17:17 | |
| *** awalende has quit IRC | 17:20 | |
| *** awalende_ has joined #openstack-barbican | 17:20 | |
| *** ivve has joined #openstack-barbican | 17:21 | |
| *** awalende_ has quit IRC | 17:24 | |
| openstackgerrit | Eric Fried proposed openstack/barbican master: DNM: Test the gate on py3 https://review.opendev.org/695052 | 17:57 |
| efried | redrobot, rm_work, raildo: ^ | 17:57 |
| rm_work | yeah was gonna do similar in octavia | 18:02 |
| rm_work | i'll see what happens there first tho | 18:03 |
| redrobot | efried, not sure I see where you flipped the switch | 18:16 |
| efried | redrobot: The Depends-On | 18:16 |
| redrobot | efried, ooooh. got it. | 18:17 |
| *** dpawlik has joined #openstack-barbican | 18:30 | |
| efried | So clearly this bit was a red herring | 19:25 |
| efried | https://zuul.opendev.org/t/openstack/build/04b79b5e4df14901a0c989ff615ad8a7/log/logs/screen-barbican-svc.txt.gz#4-5 | 19:25 |
| efried | But this is running uwsgi under py3 as "expected" https://zuul.opendev.org/t/openstack/build/04b79b5e4df14901a0c989ff615ad8a7/log/logs/screen-barbican-svc.txt.gz#22 | 19:27 |
| efried | There's another voting job that's failing, but I can't get to the logs, and anything 'grenade' has been pretty crappy lately, so I wouldn't be surprised if it's spurious. | 19:27 |
| efried | Anyway, I think we can conclude that whatever snafu is happening in my devstack is likely a local config problem. Which is gtk. | 19:28 |
| efried | ah, there go the logs from the grenade one... | 19:28 |
| efried | the grenade fail is here https://zuul.opendev.org/t/openstack/build/ac433b3305ba454f845990f98a3bf481/log/logs/grenade.sh.txt.gz#38749 | 19:31 |
| efried | I want to say I've seen this one before (PyYAML conflict) but can't remember where or what the resolution was. | 19:31 |
| redrobot | hmm... | 19:31 |
| *** dpawlik has quit IRC | 19:41 | |
| *** dpawlik has joined #openstack-barbican | 19:48 | |
| openstackgerrit | Eric Fried proposed openstack/barbican master: Gate on py3 https://review.opendev.org/695052 | 19:55 |
| efried | redrobot: Got a consult from mriedem, this might fix ^ | 19:56 |
| efried | if so, it will be a thing you'll actually want to merge in some form. | 19:56 |
| redrobot | πππ | 19:56 |
| efried | cause that USE_PYTHON3=True patch ought to be merging in the next 24h. | 19:56 |
| *** gmann is now known as gmann_afk | 19:57 | |
| *** dpawlik has quit IRC | 20:22 | |
| *** tosky has quit IRC | 20:27 | |
| *** openstackgerrit has quit IRC | 20:35 | |
| *** dpawlik has joined #openstack-barbican | 20:45 | |
| *** dpawlik has quit IRC | 20:58 | |
| *** gmann_afk is now known as gmann | 21:03 | |
| *** awalende has joined #openstack-barbican | 21:15 | |
| *** dpawlik has joined #openstack-barbican | 21:18 | |
| *** dpawlik has quit IRC | 21:23 | |
| *** awalende has quit IRC | 21:30 | |
| *** ade_lee has joined #openstack-barbican | 21:44 | |
| *** raildo has quit IRC | 21:45 | |
| *** awalende has joined #openstack-barbican | 21:45 | |
| *** ade_lee_ has quit IRC | 21:46 | |
| *** ade_lee has quit IRC | 21:49 | |
| *** awalende has quit IRC | 22:01 | |
| *** awalende has joined #openstack-barbican | 22:14 | |
| *** ade_lee has joined #openstack-barbican | 22:15 | |
| *** ade_lee has quit IRC | 22:18 | |
| *** ade_lee has joined #openstack-barbican | 22:18 | |
| *** awalende has quit IRC | 22:19 | |
| *** ade_lee has quit IRC | 22:20 | |
| *** ade_lee has joined #openstack-barbican | 22:20 | |
| *** awalende has joined #openstack-barbican | 22:21 | |
| *** ade_lee has quit IRC | 22:21 | |
| *** ade_lee has joined #openstack-barbican | 22:21 | |
| *** awalende has quit IRC | 22:29 | |
| *** awalende has joined #openstack-barbican | 22:29 | |
| *** pcaruana has quit IRC | 22:33 | |
| *** awalende has quit IRC | 22:35 | |
| *** jaosorior has quit IRC | 22:45 | |
| *** jaosorior has joined #openstack-barbican | 22:49 | |
| *** jaosorior has quit IRC | 22:52 | |
| *** tosky has joined #openstack-barbican | 23:24 | |
| *** tosky has quit IRC | 23:26 | |
| *** efried has quit IRC | 23:30 | |
| *** ivve has quit IRC | 23:54 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!