Friday, 2020-11-13

*** tinwood has quit IRC02:10
*** tinwood has joined #openstack-barbican02:13
*** rm_work has quit IRC04:58
*** rm_work has joined #openstack-barbican04:58
*** tosky has joined #openstack-barbican06:24
*** jaosorior has joined #openstack-barbican08:00
*** tkajinam has quit IRC08:08
*** tkajinam has joined #openstack-barbican08:12
*** icey has quit IRC10:30
*** icey has joined #openstack-barbican10:36
*** raildo has joined #openstack-barbican13:24
*** JohnnyRainbow has joined #openstack-barbican14:06
JohnnyRainbowHi Guys, what is a proper name for dogtag_plugin...I don't get it why I got such error code when I'm trying to configure my barbican together with dogtag, but it seems failing, because of same naming in configuration...and tutorials are not consistent with naming, sometimes it is dogtag_plugin, sometimes dogtag_crypto, however I believe dogtag_plugin should be valid, as it is part of my14:11
JohnnyRainbowconfig...can you check what could be a reason of such fault?14:11
JohnnyRainbowError: https://paste.ofcode.org/38sny7mHdCMLQztTRbsS6ja14:11
JohnnyRainbowConfig: https://paste.ofcode.org/isXTpEMYaR2H4TcNbFUBZf14:11
openstackgerritMerged openstack/castellan stable/train: Use 'barbican_endpoint_type'config option to get endpoint from catalog  https://review.opendev.org/75944814:19
*** jaosorior has quit IRC14:25
redrobotJohnnyRainbow, all plugin namespaces/names are defined in setup.cfg: https://opendev.org/openstack/barbican/src/branch/master/setup.cfg#L5814:44
redrobotJohnnyRainbow, and the configuration options for dogtag are defined here: https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/dogtag_config_opts.py#L2514:45
redrobotJohnnyRainbow, I see where it can be confusing because enabled_secretstore_plugins = dogtag_crypto, but the config section is [dogtag_plugin]14:46
JohnnyRainbowthanks for hints, so if I understood from source code: secretstore plugin should be set to dogtag_crypto not to dogtag_plugin as section is named.  BTW what should be a location of setup.cfg in my host to be sure that it is valid as well for my version of barbican(stein)?15:04
redrobotJohnnyRainbow, good question ... I'm not sure.  I think it kind of depends on what method of installation you used.  If you installed an RPM, for example, you might be able to do list the rpm files to figure it out.15:06
redrobotJohnnyRainbow, setup.cfg doesn't change very often though.  Looks like the stein branch was the same: https://opendev.org/openstack/barbican/src/branch/stable/stein/setup.cfg#L5515:07
JohnnyRainbowunfortunaately I have ubuntu :) I was trying to find it by "find..." however it didn't help :)15:07
* redrobot is a fedora/red hat kinda guy15:08
JohnnyRainbowanyway, thanks for hints, I'm trying to modify it currently and see what are the results :)15:08
redrobotJohnnyRainbow, Does Ubuntu provide DogTag?  ...  I think we use fedora/centos on the gate because Ubuntu didn't package it at the time.15:09
JohnnyRainbowI have dogtag server installed as a docker container but barbican VMs are based on ubuntu15:09
JohnnyRainbowand container is based on centos 815:10
redrobotgotcha ... well, just a heads up on a possible issue you might run into:  The DogTag server package includes a python client library, which is what the barbican plugin uses to communicate with the DogTag Server15:13
redrobotif you have the server in a container, then the python lib might not be available in the same python site-libs that barbican is using15:13
JohnnyRainbowdo you mean connectivity issue or just "code" dependency?15:16
redrobotjust a code dependency15:16
JohnnyRainbowhmm...that sounds a bit worse for me, as connectivity is "easy" to be solved15:19
redrobotyeah, you can check by running > python3 -c 'import pki' < in the VM where you are running barbican15:20
redrobot(assuming you're not using virtualenvs)15:21
JohnnyRainbowyeah, I have error "No module named 'pki'"15:21
JohnnyRainbowcouldn't be that installed as a part of some package for ubuntu?15:22
redrobotpossibly? ... ade_lee do you know if that dogtag python module is packaged for Ubuntu?15:22
redrobotade_lee, or even updated regularly on PyPI?15:22
JohnnyRainbowso...should I try to install it via pip or pip3?15:25
redrobotYou can try https://pypi.org/project/dogtag-pki15:35
redrobotbut I am not 100% sure they keep it up-to-date15:35
JohnnyRainbowwhen I installed pki via pip3 I have this: http://paste.openstack.org/show/800001/15:44
JohnnyRainbowsuch dogtag-pki is full server or only client? :) Cause I'm not sure if my barbican VMs needs full combo :)15:44
redrobotJohnnyRainbow, it's just the python client lib.15:48
ade_leeredrobot, JohnnyRainbow I'd hve to check if the pip module is kept up to date - but yeah, its the python client lib15:49
ade_leeiirc dogtag is packaged in ubuntu -- at least the server is, so the client packages are too15:50
ade_leeJohnnyRainbow, for ubuntu questions, my suggestion is that you head over to #dogtag-pki and ask tjaalton -- he's the ubuntu packager for dogtag and ipa15:51
JohnnyRainbowok, good hint15:52
JohnnyRainbowI've seen there is a dogtag-pki package, but it looks like a combo package which require around 1GB of space...I believe only client is needed from barbican side :)15:52
ade_leeyes - only client side is needed15:53
JohnnyRainbowbut unfortunately there is no package like dogtag-pki-client :)15:53
JohnnyRainbowonly combo package and dogtag-pki-console-theme and dogtag-pki-server-theme15:54
JohnnyRainbowanyway, let me ask guys from dogtag-pki channel15:54
ade_leeJohnnyRainbow, I'd ask tjaalton - he would know if there is a ubuntu client package15:54
ade_leeJohnnyRainbow, the pypi package might work for you though - it doesn't look like its been updated since last year, but I doubt the api has changed in a way that would affect our usage of it15:55
redrobotade_lee, looking at that last paste from JohnnyRainbow with the pip installed dogtag-pki, it looks like it's not Python3 compatible. :(15:58
ade_leeredrobot, ah ..15:59
JohnnyRainbowhttp://paste.openstack.org/show/800002/ -> when I installed manually all relations via pip, I faced such issue...seems like some dependency issues16:07
redrobotJohnnyRainbow, line 1 in that paste shows that the pki module has a syntax error.  My guess is that it's python2 code that does not work in python316:09
JohnnyRainbowhmm...isn't that fully python3?16:10
redrobotGiven that the dogtag-pki package in PyPI is over a year old, I'd say no.  You can try looking through the code in /usr/local/lib/python3.6/dist-packages/pki/main.py on your VM16:22
ade_leeredrobot, yeah except that dogtag folks seem to indicate that dogtag 10.7 was python 3 only16:23
redrobothmm...16:24
redrobotI'm having a hard time getting dogtag-pki pip installed locally16:24
redrobotgcc is not happy about something16:24
JohnnyRainbowhttp://paste.openstack.org/show/800005/ -> that error seems more than strange as I have such configuration applied: http://paste.openstack.org/show/800004/16:28
JohnnyRainbowso how it is not configured if it's configured? :)16:28
redrobotJohnnyRainbow, yeah, that's not a great error text ... that's usually a secondary failure though.16:30
JohnnyRainbowshould I somehow configure it twice by any chance?16:31
redrobotNo ... the plugin manager reports that error when it fails to load a backend16:31
redrobota better error message would be > No secret store plugins have been loaded16:32
JohnnyRainbowsooo...the question is why and how to load it?16:33
redrobotJohnnyRainbow, seems the dogtag plugin was loading per your paste: http://paste.openstack.org/show/800001/ ... it's just that the pip installed dogtag-pki is broken in python316:34
redrobotJohnnyRainbow, note that line 1 is the root error, and line 17 is a secondary error of not "being configured" which is misleading16:35
JohnnyRainbowhttp://paste.openstack.org/show/800006/ - seems at the second barbican VM error is a bit different...like a format of kra.pem, right?16:41
JohnnyRainbowthat would be strange, as it is newly created certificate on top of newest ipa :)16:41
redrobot> The certificate/key database is in an old, unsupported format.16:41
redrobotyeah, that's odd :-\16:42
JohnnyRainbowhmm...but I have different error code at every single barbican VM...seems like installation via pip provided some confusion to nodes :)16:43
JohnnyRainbowhttp://paste.openstack.org/show/800008/ -> that is from another node16:43
*** JohnnyRainbow has quit IRC17:51
openstackgerritAde Lee proposed openstack/barbican master: DNM: testing FIPS gate job  https://review.opendev.org/76066520:54
openstackgerritAde Lee proposed openstack/barbican master: DNM: testing FIPS gate job  https://review.opendev.org/76066521:15
openstackgerritAde Lee proposed openstack/barbican master: DNM: testing FIPS gate job  https://review.opendev.org/76066521:38
*** jmlowe has quit IRC21:49
*** tosky has quit IRC23:43

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!