| *** tinwood has quit IRC | 02:10 | |
| *** tinwood has joined #openstack-barbican | 02:13 | |
| *** rm_work has quit IRC | 04:58 | |
| *** rm_work has joined #openstack-barbican | 04:58 | |
| *** tosky has joined #openstack-barbican | 06:24 | |
| *** jaosorior has joined #openstack-barbican | 08:00 | |
| *** tkajinam has quit IRC | 08:08 | |
| *** tkajinam has joined #openstack-barbican | 08:12 | |
| *** icey has quit IRC | 10:30 | |
| *** icey has joined #openstack-barbican | 10:36 | |
| *** raildo has joined #openstack-barbican | 13:24 | |
| *** JohnnyRainbow has joined #openstack-barbican | 14:06 | |
| JohnnyRainbow | Hi Guys, what is a proper name for dogtag_plugin...I don't get it why I got such error code when I'm trying to configure my barbican together with dogtag, but it seems failing, because of same naming in configuration...and tutorials are not consistent with naming, sometimes it is dogtag_plugin, sometimes dogtag_crypto, however I believe dogtag_plugin should be valid, as it is part of my | 14:11 |
|---|---|---|
| JohnnyRainbow | config...can you check what could be a reason of such fault? | 14:11 |
| JohnnyRainbow | Error: https://paste.ofcode.org/38sny7mHdCMLQztTRbsS6ja | 14:11 |
| JohnnyRainbow | Config: https://paste.ofcode.org/isXTpEMYaR2H4TcNbFUBZf | 14:11 |
| openstackgerrit | Merged openstack/castellan stable/train: Use 'barbican_endpoint_type'config option to get endpoint from catalog https://review.opendev.org/759448 | 14:19 |
| *** jaosorior has quit IRC | 14:25 | |
| redrobot | JohnnyRainbow, all plugin namespaces/names are defined in setup.cfg: https://opendev.org/openstack/barbican/src/branch/master/setup.cfg#L58 | 14:44 |
| redrobot | JohnnyRainbow, and the configuration options for dogtag are defined here: https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/dogtag_config_opts.py#L25 | 14:45 |
| redrobot | JohnnyRainbow, I see where it can be confusing because enabled_secretstore_plugins = dogtag_crypto, but the config section is [dogtag_plugin] | 14:46 |
| JohnnyRainbow | thanks for hints, so if I understood from source code: secretstore plugin should be set to dogtag_crypto not to dogtag_plugin as section is named. BTW what should be a location of setup.cfg in my host to be sure that it is valid as well for my version of barbican(stein)? | 15:04 |
| redrobot | JohnnyRainbow, good question ... I'm not sure. I think it kind of depends on what method of installation you used. If you installed an RPM, for example, you might be able to do list the rpm files to figure it out. | 15:06 |
| redrobot | JohnnyRainbow, setup.cfg doesn't change very often though. Looks like the stein branch was the same: https://opendev.org/openstack/barbican/src/branch/stable/stein/setup.cfg#L55 | 15:07 |
| JohnnyRainbow | unfortunaately I have ubuntu :) I was trying to find it by "find..." however it didn't help :) | 15:07 |
| * redrobot is a fedora/red hat kinda guy | 15:08 | |
| JohnnyRainbow | anyway, thanks for hints, I'm trying to modify it currently and see what are the results :) | 15:08 |
| redrobot | JohnnyRainbow, Does Ubuntu provide DogTag? ... I think we use fedora/centos on the gate because Ubuntu didn't package it at the time. | 15:09 |
| JohnnyRainbow | I have dogtag server installed as a docker container but barbican VMs are based on ubuntu | 15:09 |
| JohnnyRainbow | and container is based on centos 8 | 15:10 |
| redrobot | gotcha ... well, just a heads up on a possible issue you might run into: The DogTag server package includes a python client library, which is what the barbican plugin uses to communicate with the DogTag Server | 15:13 |
| redrobot | if you have the server in a container, then the python lib might not be available in the same python site-libs that barbican is using | 15:13 |
| JohnnyRainbow | do you mean connectivity issue or just "code" dependency? | 15:16 |
| redrobot | just a code dependency | 15:16 |
| JohnnyRainbow | hmm...that sounds a bit worse for me, as connectivity is "easy" to be solved | 15:19 |
| redrobot | yeah, you can check by running > python3 -c 'import pki' < in the VM where you are running barbican | 15:20 |
| redrobot | (assuming you're not using virtualenvs) | 15:21 |
| JohnnyRainbow | yeah, I have error "No module named 'pki'" | 15:21 |
| JohnnyRainbow | couldn't be that installed as a part of some package for ubuntu? | 15:22 |
| redrobot | possibly? ... ade_lee do you know if that dogtag python module is packaged for Ubuntu? | 15:22 |
| redrobot | ade_lee, or even updated regularly on PyPI? | 15:22 |
| JohnnyRainbow | so...should I try to install it via pip or pip3? | 15:25 |
| redrobot | You can try https://pypi.org/project/dogtag-pki | 15:35 |
| redrobot | but I am not 100% sure they keep it up-to-date | 15:35 |
| JohnnyRainbow | when I installed pki via pip3 I have this: http://paste.openstack.org/show/800001/ | 15:44 |
| JohnnyRainbow | such dogtag-pki is full server or only client? :) Cause I'm not sure if my barbican VMs needs full combo :) | 15:44 |
| redrobot | JohnnyRainbow, it's just the python client lib. | 15:48 |
| ade_lee | redrobot, JohnnyRainbow I'd hve to check if the pip module is kept up to date - but yeah, its the python client lib | 15:49 |
| ade_lee | iirc dogtag is packaged in ubuntu -- at least the server is, so the client packages are too | 15:50 |
| ade_lee | JohnnyRainbow, for ubuntu questions, my suggestion is that you head over to #dogtag-pki and ask tjaalton -- he's the ubuntu packager for dogtag and ipa | 15:51 |
| JohnnyRainbow | ok, good hint | 15:52 |
| JohnnyRainbow | I've seen there is a dogtag-pki package, but it looks like a combo package which require around 1GB of space...I believe only client is needed from barbican side :) | 15:52 |
| ade_lee | yes - only client side is needed | 15:53 |
| JohnnyRainbow | but unfortunately there is no package like dogtag-pki-client :) | 15:53 |
| JohnnyRainbow | only combo package and dogtag-pki-console-theme and dogtag-pki-server-theme | 15:54 |
| JohnnyRainbow | anyway, let me ask guys from dogtag-pki channel | 15:54 |
| ade_lee | JohnnyRainbow, I'd ask tjaalton - he would know if there is a ubuntu client package | 15:54 |
| ade_lee | JohnnyRainbow, the pypi package might work for you though - it doesn't look like its been updated since last year, but I doubt the api has changed in a way that would affect our usage of it | 15:55 |
| redrobot | ade_lee, looking at that last paste from JohnnyRainbow with the pip installed dogtag-pki, it looks like it's not Python3 compatible. :( | 15:58 |
| ade_lee | redrobot, ah .. | 15:59 |
| JohnnyRainbow | http://paste.openstack.org/show/800002/ -> when I installed manually all relations via pip, I faced such issue...seems like some dependency issues | 16:07 |
| redrobot | JohnnyRainbow, line 1 in that paste shows that the pki module has a syntax error. My guess is that it's python2 code that does not work in python3 | 16:09 |
| JohnnyRainbow | hmm...isn't that fully python3? | 16:10 |
| redrobot | Given that the dogtag-pki package in PyPI is over a year old, I'd say no. You can try looking through the code in /usr/local/lib/python3.6/dist-packages/pki/main.py on your VM | 16:22 |
| ade_lee | redrobot, yeah except that dogtag folks seem to indicate that dogtag 10.7 was python 3 only | 16:23 |
| redrobot | hmm... | 16:24 |
| redrobot | I'm having a hard time getting dogtag-pki pip installed locally | 16:24 |
| redrobot | gcc is not happy about something | 16:24 |
| JohnnyRainbow | http://paste.openstack.org/show/800005/ -> that error seems more than strange as I have such configuration applied: http://paste.openstack.org/show/800004/ | 16:28 |
| JohnnyRainbow | so how it is not configured if it's configured? :) | 16:28 |
| redrobot | JohnnyRainbow, yeah, that's not a great error text ... that's usually a secondary failure though. | 16:30 |
| JohnnyRainbow | should I somehow configure it twice by any chance? | 16:31 |
| redrobot | No ... the plugin manager reports that error when it fails to load a backend | 16:31 |
| redrobot | a better error message would be > No secret store plugins have been loaded | 16:32 |
| JohnnyRainbow | sooo...the question is why and how to load it? | 16:33 |
| redrobot | JohnnyRainbow, seems the dogtag plugin was loading per your paste: http://paste.openstack.org/show/800001/ ... it's just that the pip installed dogtag-pki is broken in python3 | 16:34 |
| redrobot | JohnnyRainbow, note that line 1 is the root error, and line 17 is a secondary error of not "being configured" which is misleading | 16:35 |
| JohnnyRainbow | http://paste.openstack.org/show/800006/ - seems at the second barbican VM error is a bit different...like a format of kra.pem, right? | 16:41 |
| JohnnyRainbow | that would be strange, as it is newly created certificate on top of newest ipa :) | 16:41 |
| redrobot | > The certificate/key database is in an old, unsupported format. | 16:41 |
| redrobot | yeah, that's odd :-\ | 16:42 |
| JohnnyRainbow | hmm...but I have different error code at every single barbican VM...seems like installation via pip provided some confusion to nodes :) | 16:43 |
| JohnnyRainbow | http://paste.openstack.org/show/800008/ -> that is from another node | 16:43 |
| *** JohnnyRainbow has quit IRC | 17:51 | |
| openstackgerrit | Ade Lee proposed openstack/barbican master: DNM: testing FIPS gate job https://review.opendev.org/760665 | 20:54 |
| openstackgerrit | Ade Lee proposed openstack/barbican master: DNM: testing FIPS gate job https://review.opendev.org/760665 | 21:15 |
| openstackgerrit | Ade Lee proposed openstack/barbican master: DNM: testing FIPS gate job https://review.opendev.org/760665 | 21:38 |
| *** jmlowe has quit IRC | 21:49 | |
| *** tosky has quit IRC | 23:43 | |
Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!