Monday, 2016-03-28

« Sunday, 2016-03-27 Index Tuesday, 2016-03-29 »
*** zenoway has quit IRC00:02
*** achanda has quit IRC00:03
*** zenoway has joined #openstack-containers00:32
*** eghobo has joined #openstack-containers00:34
*** zenoway has quit IRC00:37
*** zz_dimtruck is now known as dimtruck00:43
*** jwcroppe has joined #openstack-containers00:44
*** jwcroppe has quit IRC00:44
*** jwcroppe has joined #openstack-containers00:44
*** jwcroppe has quit IRC00:44
*** jwcroppe has joined #openstack-containers00:45
*** jwcroppe has quit IRC00:45
*** eghobo has quit IRC00:55
*** achanda has joined #openstack-containers01:01
*** jwcroppe has joined #openstack-containers01:06
*** jwcroppe has quit IRC01:06
*** jwcroppe has joined #openstack-containers01:06
*** jwcroppe has quit IRC01:06
*** tbh has joined #openstack-containers01:15
*** yamamoto has joined #openstack-containers01:16
*** yamamoto has quit IRC01:28
*** achanda has quit IRC01:39
*** wangqun has joined #openstack-containers01:40
*** eghobo has joined #openstack-containers01:42
*** chuck_ has joined #openstack-containers01:50
*** chuck_ has quit IRC01:50
*** eghobo has quit IRC01:53
*** jwcroppe has joined #openstack-containers01:56
openstackgerritMerged openstack/python-magnumclient: Add marker/limit/sort-key/sort-dir features for container-list  https://review.openstack.org/29443902:09
*** sdake has joined #openstack-containers02:11
*** eghobo has joined #openstack-containers02:13
*** eghobo has quit IRC02:16
*** sdake has quit IRC02:18
*** achanda has joined #openstack-containers02:26
*** yamamoto has joined #openstack-containers02:29
*** houming has joined #openstack-containers02:45
*** dimtruck is now known as zz_dimtruck03:00
*** eghobo has joined #openstack-containers03:00
*** zenoway has joined #openstack-containers03:12
*** zenoway has quit IRC03:17
openstackgerritAaron Ding proposed openstack/magnum: Fix config error  https://review.openstack.org/29808703:18
*** zz_dimtruck is now known as dimtruck03:25
*** houming has quit IRC03:27
*** dimtruck is now known as zz_dimtruck03:28
*** houming has joined #openstack-containers03:28
*** zz_dimtruck is now known as dimtruck03:28
openstackgerritEli Qiao proposed openstack/magnum: Cleanup duplicated auth_url in k8scluster/master template  https://review.openstack.org/29809203:35
*** dimtruck is now known as zz_dimtruck03:38
*** achanda has quit IRC03:44
*** ramishra has quit IRC03:47
*** ramishra has joined #openstack-containers03:51
*** yuanying has quit IRC03:53
*** zz_dimtruck is now known as dimtruck03:59
*** eghobo has quit IRC04:02
*** eghobo has joined #openstack-containers04:12
openstackgerritMerged openstack/python-magnumclient: Add marker/limit/sort-key/sort-dir features for bay-list  https://review.openstack.org/29443104:28
openstackgerritMerged openstack/python-magnumclient: Add missing user message  https://review.openstack.org/29567404:31
*** pgreg has joined #openstack-containers04:48
*** yuanying has joined #openstack-containers04:56
pgregHi I like to help with adding some functionality/code-coverage tests, can anyone suggest where to start ?05:00
*** chandankumar has joined #openstack-containers05:06
*** zenoway has joined #openstack-containers05:11
*** zenoway has quit IRC05:15
*** janki91 has joined #openstack-containers05:20
*** dimtruck is now known as zz_dimtruck05:26
*** achanda has joined #openstack-containers05:31
*** ishant has joined #openstack-containers05:37
openstackgerritNguyen Hung Phuong proposed openstack/magnum: Fix typos in Magnum files  https://review.openstack.org/29810505:39
*** yuanying has quit IRC05:40
*** yuanying has joined #openstack-containers05:48
*** harshs has quit IRC05:51
*** vimal has joined #openstack-containers06:05
*** chandankumar has quit IRC06:09
*** harlowja_at_home has quit IRC06:12
*** zz_dimtruck is now known as dimtruck06:18
eliqiaopgreg: there is something I want to do to adding new functionality code coverage06:20
eliqiaopgreg: the things are currently, we have bay created on gate (k8s/mesos/swarm), we can add some more test cases to check if the scripts we created in cloud-init are all there and the content are correct.06:21
pgregeliqiao, sure! I would like to help06:21
eliqiaojust my sugestion, if you wish you can bring it to weekly meeting to discuss about if worthy landing them.06:22
eliqiaoif you decide to do, you can start from https://github.com/openstack/magnum/blob/master/magnum/tests/functional/python_client_base.py , add some utils functional in to base class so for all 3 coes can share them.06:23
*** harlowja_at_home has joined #openstack-containers06:23
pgregeliqiao, let me give it a try.06:25
openstackgerritOpenStack Proposal Bot proposed openstack/magnum-ui: Imported Translations from Zanata  https://review.openstack.org/29753006:26
pgregeliqiao, "3 coes" ?06:27
pgreg3 cases06:27
eliqiao3 COES06:27
eliqiaoCOEs06:27
eliqiaoswarm/mesos/k8s06:27
pgregeliqiao, i am still in the process of getting familiar with some of the terms06:28
eliqiaopgreg: cool, no hurry.06:28
pgregeliqiao, is there a bug open for the ^^06:29
eliqiaopgreg: I don't think so.06:29
eliqiaofeel free to open a bug if you would like to do that.06:30
pgregeliqiao, ok np06:30
pgregeliqiao, sure think06:30
pgregthing*06:30
pgregeliqiao, while running `magnum service-list` i get "ERROR: Policy doesn't allow magnum-service:get_all to be performed (HTTP 403) (Request-ID: req-f8bde49f-0f21-4709-adf0-82b1e222b28a)"06:31
pgregIs there something, i am missing ?06:32
*** Marga_ has quit IRC06:32
eliqiaopgreg: are you using admin user?06:33
eliqiaoplease check /etc/magnum/policy.json magnum-service:get_all06:33
eliqiaothat is an admin api --- "magnum-service:get_all": "rule:admin_api"06:34
*** chandankumar has joined #openstack-containers06:38
pgregeliqiao, I was using an incorrect password ... thanks for pointing it out06:40
eliqiaonp06:44
*** pcaruana has joined #openstack-containers06:49
openstackgerritEli Qiao proposed openstack/magnum: Add insecure_registry column to baymoddel  https://review.openstack.org/29812407:00
openstackgerritEli Qiao proposed openstack/magnum: Support using insecure registry for k8s COE  https://review.openstack.org/29812507:00
openstackgerritEli Qiao proposed openstack/magnum: Support using insecure registry for swarm COE  https://review.openstack.org/29812607:00
openstackgerritEli Qiao proposed openstack/magnum: Doc: Add docs on how to your private registry  https://review.openstack.org/29812707:00
openstackgerritAaron Ding proposed openstack/magnum: Fix config error  https://review.openstack.org/29808707:09
openstackgerritMerged openstack/magnum: Add flannel's host-gw backend option  https://review.openstack.org/24186607:30
openstackgerritEli Qiao proposed openstack/magnum: Support using insecure registry for k8s COE  https://review.openstack.org/29812507:32
openstackgerritEli Qiao proposed openstack/magnum: Add insecure_registry column to baymoddel  https://review.openstack.org/29812407:32
openstackgerritEli Qiao proposed openstack/magnum: Doc: Add docs on how to your private registry  https://review.openstack.org/29812707:32
openstackgerritEli Qiao proposed openstack/magnum: Support using insecure registry for swarm COE  https://review.openstack.org/29812607:32
*** zenoway has joined #openstack-containers07:36
eliqiaowangqun: hi07:52
eliqiaowangqun: for your reply on https://review.openstack.org/#/c/297908/1 . I don't get why you are saying the patch function only changes container_name (alough it is yes that we can find update_container_name from test case)07:54
pgregeliqiao, Is there a separate entry required for localrc.conf - while building devstack - i.e for getting the tempest pre-req's/repo into `/opt/stack/tempest` ... I am following this link (http://docs.openstack.org/developer/magnum/dev/dev-functional-test.html) but unable to find /opt/stack/tempest/etc/tempest.conf07:54
eliqiaoI have no comments on it, just would like some other reviewer giving some comments.07:55
eliqiaopgreg: sorry, I don't quite get you.07:57
wangqunhi eli, I find the unit test only have the update name unit test. I don't ensure if it can update others.07:57
eliqiaowhat's functional testing are you trying to do?07:57
eliqiaowangqun: but why not?07:58
eliqiaotest case is nothing.........07:58
wangqunhmm...07:58
eliqiaoI am okay, just want to be clarify..07:58
wangqunI asked hongbin this quesion. https://bugs.launchpad.net/magnum/+bug/156140107:59
openstackLaunchpad bug 1561401 in Magnum "The container "Patch" function doesn't be used. We should delete it" [Undecided,In progress] - Assigned to wangqun (bjwqun)07:59
wangqunI don't ensure if it is needed.08:00
wangqunWhat do you think?08:00
pgregeliqiao, I am trying to run some of the existing tests to get a hang of it, which needs preparing the config-file, however I am unable to find (file from the link ^^^)08:01
pgregso just wondering if that is the correct place to start08:01
wangqunAlthough the contain has the update function. I don't konw why we don't use it.08:01
eliqiaowangqun: sure, remove it if it is useless, if someone requires it, they can add.08:03
wangqunOk08:03
eliqiaopgreg: yes, you need to install tempest if you want to do functional.api test08:04
eliqiaobut you can play with functional-k8s/functional-swarm/functional-mesos without tempest installed.08:04
eliqiaoI don't think http://docs.openstack.org/developer/magnum/dev/dev-functional-test.html is well documented because it maxed tempest test and local functional test.08:05
pgregeliqiao, ok - but any pointers which would help me start off08:05
eliqiaopgreg: just ignore tempest if you don't install it. you can try "tox -e functional-k8s -- --concurrency=1" first08:06
eliqiaothat will creat a bay and do some basic testing (I think only 3 or 4 cases)08:07
pgregok let me try08:07
eliqiaodon't forget to update functional_creds.conf08:12
*** nihilifer has quit IRC08:16
*** nihilifer has joined #openstack-containers08:17
pgregeliqiao, http://pastebin.com/fa33eNdX, got some failures, not sure if there are related to missing dependencies ("No module named nose_plugin")08:17
eliqiaopgreg: sorry, I can not access pastebin.com08:18
eliqiaocan you paste it in http://paste.openstack.org/08:18
pgregeliqiao, sure no worries08:20
pgreghttp://paste.openstack.org/show/492011/08:20
eliqiaopgreg: have you do this:08:25
eliqiaoUPPER_CONSTRAINTS=/opt/stack/requirements/upper-constraints.txt08:25
eliqiaosudo pip install -c $UPPER_CONSTRAINTS -U -r test-requirements.txt08:25
*** yuanying has quit IRC08:31
*** yuanying has joined #openstack-containers08:31
*** yuanying has quit IRC08:32
pgregeliqiao, most of the deps are up-to-date, imo ... except for argparse and some warning which says "Ignoring dnspython3: markers u"python_version=='3.4'" don't match your environment"08:33
pgreghowever the same issue persists while running the tests08:33
pgregI have updated the contents of the above paste, plz have a look08:34
*** eghobo has quit IRC08:34
*** GheRiver1 has joined #openstack-containers08:35
pgreg... to get a better picture as I may be missing on the finer nuances08:35
*** yuanying has joined #openstack-containers08:39
pgregeliqiao, As I could not find any reference to the error ... ("ERROR: Policy doesn't allow magnum-service:get_all to be performed (HTTP 403) (Request-ID: req-f8bde49f-0f21-4709-adf0-82b1e222b28a)") I can file bug for this08:49
pgregif you think it would be good idea to add include this error in the trouble shooting guide or doc ...08:49
*** tbh has quit IRC08:51
*** noggin143 has joined #openstack-containers08:51
*** vlaza has joined #openstack-containers08:52
*** mikelk has joined #openstack-containers08:53
*** mikelk has quit IRC08:55
*** GheRivero has quit IRC08:57
*** GheRivero has joined #openstack-containers09:00
*** GheRiver1 has quit IRC09:03
*** achanda has quit IRC09:04
*** tbh has joined #openstack-containers09:05
*** vilobhmm11 has quit IRC09:09
*** noggin143 has left #openstack-containers09:10
*** achanda has joined #openstack-containers09:11
*** yuanying has quit IRC09:16
*** shu-mutou has joined #openstack-containers09:18
*** noggin143 has joined #openstack-containers09:24
*** agireud has quit IRC09:27
*** achanda has quit IRC09:28
*** agireud has joined #openstack-containers09:28
*** pcaruana has quit IRC09:42
*** pcaruana has joined #openstack-containers09:55
*** noggin143 has quit IRC09:56
*** noggin143 has joined #openstack-containers10:06
*** vimal has quit IRC10:09
eliqiaopgreg: can you try to install tempest and tempest-lib?10:11
openstackgerritwangqun proposed openstack/python-magnumclient: Fix the container-list with --limit 'a negative number'  https://review.openstack.org/29818610:14
eliqiaowangqun: hi I don't hit this issue on https://bugs.launchpad.net/magnum/+bug/156279010:17
openstackLaunchpad bug 1562790 in Magnum ""magnum container-list --limit -1 --bay swarmbay" with the "--limit -1" can get the contianers" [Undecided,New] - Assigned to wangqun (bjwqun)10:17
*** vimal has joined #openstack-containers10:18
wangqunHi Eli, You run the command "magnum container-list --limit -2 --bay swarmbay" and I can get them.10:20
wangqunBut the "limit" is a negtive number10:21
wangqunDo you not hit it?10:22
*** sidx64 has joined #openstack-containers10:27
*** achanda has joined #openstack-containers10:28
sidx64Guys, can someone tell me what the [trust] section in Magnum.conf needs to have? I keep getting10:32
sidx64"TrusteeCreateFailed_Remote: Failed to create trustee in domain None" every time I try to create a mesos bay.10:32
*** achanda has quit IRC10:33
*** mbound has joined #openstack-containers10:35
*** achanda has joined #openstack-containers10:36
eliqiaowangqun: I commented on the bug10:39
eliqiaopython-magnum don't support --limit at all10:40
*** shu-mutou is now known as shu-mutou-AFK10:40
wangqunhttps://review.openstack.org/#/c/294439/10:41
eliqiaosidx64: You can try to use tox -egenconfig to get config file example10:41
wangqunHi Eli. These has been fixed10:41
eliqiaowangqun: okay, let me update code10:42
sidx64eliqiao, I have the section in magnum, but I am unsure how to create a domain for this.10:47
sidx64I am trying to follow this: https://marc.ttias.be/openstack-dev/2016-02/msg02176.php10:48
sidx64but I cannot run openstack domain create command - It doesn't exist10:48
sidx64"openstack domain create magnum10:49
sidx64"10:49
sidx64eliqiao10:49
sidx64openstack: 'domain' is not an openstack command. See 'openstack --help'10:49
*** wangqun has quit IRC10:50
*** yamamoto has quit IRC10:59
*** janki91 has quit IRC11:02
openstackgerritMerged openstack/magnum: Remove the "Patch" function  https://review.openstack.org/29790811:03
pgregeliqiao, I think this is related to another issue filed https://bugs.launchpad.net/magnum/+bug/155303511:03
openstackLaunchpad bug 1553035 in Magnum "Missing tempest package in test-requirement" [Undecided,New] - Assigned to Eli Qiao (taget-9)11:03
pgregeliqiao, "sudo pip install tempest tempest-lib" was successful11:04
pgregstill the issue persists11:04
*** noggin143 has quit IRC11:05
eliqiaopgreg: can you try to load magnum in your python enviroment?11:08
eliqiaotempest (10.0.0)11:08
eliqiaotempest-lib (0.14.0)11:08
eliqiaothis is my version11:08
*** pcaruana has quit IRC11:09
pgreg$ pip freeze | grep tempest11:09
pgregtempest==10.0.011:09
pgregtempest-lib==1.0.011:09
eliqiaosidx64: sorry, I don't know the detail, maybe you can turn to wanghua(the author) or hongbin for help.11:09
sidx64Sure thing  :) thank you anyway11:10
*** achanda has quit IRC11:11
eliqiaopgreg: add tempest to test-requirements.txt, and rerun tox again11:12
eliqiaotox is running in a virtual enviroment(not in your host)11:12
eliqiaoif that's not work, delete .tox and rerun tox11:12
*** noggin143 has joined #openstack-containers11:14
openstackgerritEli Qiao proposed openstack/magnum: Support using insecure registry for k8s COE  https://review.openstack.org/29812511:16
openstackgerritEli Qiao proposed openstack/magnum: Add insecure_registry column to baymoddel  https://review.openstack.org/29812411:16
openstackgerritEli Qiao proposed openstack/magnum: Doc: Add docs on how to your private registry  https://review.openstack.org/29812711:16
openstackgerritEli Qiao proposed openstack/magnum: Support using insecure registry for swarm COE  https://review.openstack.org/29812611:16
*** noggin143 has quit IRC11:17
*** pcaruana has joined #openstack-containers11:23
pgregeliqiao, 'tox -e py27' goes through successfully, which installs all the deps, from test-req.txt, not the import error is not a issue any more ...11:23
pgregeliqiao, but still see a "RuntimeError: Not Authorized", so I tried "magnum service-list" which works fine, and re-checked ...11:24
pgregif I am using the admin credentials properly this time.11:24
*** chandankumar has quit IRC11:27
*** chandankumar has joined #openstack-containers11:28
pgregeliqiao, also 'tempest-lib==1.0.0' is not upgraded to 0.14.011:37
*** sid_cerner has joined #openstack-containers11:39
*** wangqun has joined #openstack-containers11:40
*** tbh has quit IRC11:49
*** wangqun has quit IRC11:52
*** noggin143 has joined #openstack-containers11:55
*** pauloewerton has joined #openstack-containers11:55
*** shu-mutou-AFK has quit IRC11:56
*** houming has quit IRC12:07
*** tbh has joined #openstack-containers12:08
*** noggin143 has quit IRC12:09
*** achanda has joined #openstack-containers12:12
*** mbound has quit IRC12:15
pgregeliqiao, was able to get the 4 tests working, looks like one of them still fails12:16
*** achanda has quit IRC12:17
*** noggin143 has joined #openstack-containers12:20
*** tbh has quit IRC12:27
*** yamamoto has joined #openstack-containers12:28
*** sergmelikyan has joined #openstack-containers12:30
*** julim has joined #openstack-containers12:36
*** mbound has joined #openstack-containers12:36
*** pcaruana has quit IRC12:39
*** yamamoto has quit IRC12:44
*** yamamoto has joined #openstack-containers12:47
*** yamamoto has quit IRC12:52
*** pcaruana has joined #openstack-containers12:52
*** jzb has quit IRC12:52
*** mbound has quit IRC12:53
*** yamamoto has joined #openstack-containers12:55
*** kushal has quit IRC12:56
*** rlrossit has joined #openstack-containers12:58
*** dimtruck is now known as zz_dimtruck13:01
*** gsagie has joined #openstack-containers13:04
*** sidx64 has quit IRC13:04
*** gsagie has left #openstack-containers13:05
*** yamamoto has quit IRC13:12
*** achanda has joined #openstack-containers13:15
*** julim has quit IRC13:17
*** yamamoto has joined #openstack-containers13:17
*** kushal has joined #openstack-containers13:19
*** achanda has quit IRC13:19
*** yamamoto has quit IRC13:21
*** julim has joined #openstack-containers13:23
*** zz_dimtruck is now known as dimtruck13:24
*** absubram has quit IRC13:24
*** banix has joined #openstack-containers13:26
*** ishant has quit IRC13:28
*** sidx64 has joined #openstack-containers13:35
*** noggin143 has quit IRC13:41
*** noggin143 has joined #openstack-containers13:46
*** vlaza has quit IRC13:46
*** yamamoto has joined #openstack-containers13:47
*** openstackgerrit has quit IRC13:48
*** hongbin has joined #openstack-containers13:48
*** openstackgerrit has joined #openstack-containers13:48
*** dimtruck is now known as zz_dimtruck13:50
*** sidx64 has quit IRC13:51
*** yamamoto has quit IRC13:52
*** mbound has joined #openstack-containers13:54
*** chandankumar has quit IRC13:57
*** sigmavirus24_awa is now known as sigmavirus2413:59
*** apuimedo has joined #openstack-containers13:59
*** mbound has quit IRC13:59
*** yamamoto has joined #openstack-containers14:12
*** muralia has joined #openstack-containers14:22
*** muralia_ has quit IRC14:25
*** adrian_otto has joined #openstack-containers14:26
*** zz_dimtruck is now known as dimtruck14:27
*** noggin143 has quit IRC14:29
*** pauloewerton has quit IRC14:34
*** rpothier has joined #openstack-containers14:35
*** chandankumar has joined #openstack-containers14:41
*** sdake has joined #openstack-containers14:42
*** csoukup has joined #openstack-containers14:43
*** sdake has quit IRC14:46
*** sdake has joined #openstack-containers14:47
*** jberkus has joined #openstack-containers14:50
*** pauloewerton has joined #openstack-containers14:56
*** fawadkhaliq has joined #openstack-containers14:58
*** JoseMello has joined #openstack-containers15:01
*** apuimedo has quit IRC15:07
*** Marga_ has joined #openstack-containers15:12
*** Marga_ has quit IRC15:13
dimshongbin : adrian_otto : is there a summary of significant changes for Magnum in Mitaka anywhere?15:13
*** Marga_ has joined #openstack-containers15:13
adrian_otto2.0.0 release notes15:13
hongbinNo from me15:14
*** yamamoto has quit IRC15:16
*** yamamoto has joined #openstack-containers15:17
*** achanda has joined #openstack-containers15:17
*** vimal has quit IRC15:19
-openstackstatus- NOTICE: Gerrit is restarting on review.openstack.org in an attempt to address an issue reading an object from the ec2-api repository15:20
*** yamamoto has quit IRC15:21
*** achanda has quit IRC15:22
*** absubram has joined #openstack-containers15:23
*** pgreg_ has joined #openstack-containers15:25
*** noggin143 has joined #openstack-containers15:25
*** bpokorny has joined #openstack-containers15:26
*** yamamoto has joined #openstack-containers15:28
*** pgreg has quit IRC15:28
*** fawadkhaliq has quit IRC15:28
*** Drago1 has joined #openstack-containers15:32
*** Drago1 has quit IRC15:32
*** Drago1 has joined #openstack-containers15:32
*** pgreg_ has quit IRC15:38
*** gangil has joined #openstack-containers15:38
*** gangil has quit IRC15:38
*** gangil has joined #openstack-containers15:38
*** pgreg has joined #openstack-containers15:38
dimsadrian_otto : can't seem to find things today, can you please point me in the right direction? (url?)15:39
dimsadrian_otto : i see a list of bug id's in here - https://github.com/openstack/magnum/releases under 2.0.015:42
*** EricGonczer_ has joined #openstack-containers15:46
*** malini has joined #openstack-containers15:47
*** gangil has quit IRC15:49
*** noggin143 has quit IRC15:53
*** noggin143 has joined #openstack-containers15:55
*** pgreg has quit IRC15:56
*** askb has joined #openstack-containers15:57
*** EricGonc_ has joined #openstack-containers15:58
*** gordc has joined #openstack-containers15:59
*** EricGonczer_ has quit IRC16:02
*** jberkus has quit IRC16:05
*** noggin143 has quit IRC16:06
*** noggin143 has joined #openstack-containers16:08
*** jberkus has joined #openstack-containers16:08
*** adrian_otto has quit IRC16:09
*** dimtruck is now known as zz_dimtruck16:13
*** Marga_ has quit IRC16:13
*** harshs has joined #openstack-containers16:16
*** zenoway has quit IRC16:19
*** adrian_otto has joined #openstack-containers16:24
*** fawadkhaliq has joined #openstack-containers16:25
*** madhuri has joined #openstack-containers16:28
*** yamamoto has joined #openstack-containers16:28
*** hieulq has joined #openstack-containers16:31
*** gangil has joined #openstack-containers16:33
*** gangil has quit IRC16:33
*** gangil has joined #openstack-containers16:33
*** harshs has quit IRC16:34
*** zz_dimtruck is now known as dimtruck16:35
*** harshs has joined #openstack-containers16:36
*** yamamoto has quit IRC16:36
*** noggin143 has quit IRC16:42
*** david-lyle_ has joined #openstack-containers16:44
*** david-lyle has quit IRC16:44
*** noggin143 has joined #openstack-containers16:44
*** noggin143 has quit IRC16:47
*** malini has quit IRC16:47
*** noggin143 has joined #openstack-containers16:47
*** david-lyle has joined #openstack-containers16:48
*** david-lyle_ has quit IRC16:49
*** malini has joined #openstack-containers16:51
*** noggin143 has quit IRC16:51
*** tbh has joined #openstack-containers16:53
*** noggin143 has joined #openstack-containers16:54
*** harshs has quit IRC17:02
*** Marga_ has joined #openstack-containers17:02
*** malini has quit IRC17:06
*** noggin143 has quit IRC17:08
adrian_ottocoreyob: you around?17:12
adrian_ottoI wanted to ask you about your objection to https://review.openstack.org/259930 (Add docs for docker registry)17:13
*** EricGonc_ has quit IRC17:14
*** sergmelikyan has quit IRC17:17
*** noggin143 has joined #openstack-containers17:19
*** noggin143 has quit IRC17:21
*** achanda has joined #openstack-containers17:22
*** david-lyle has quit IRC17:24
*** noggin143 has joined #openstack-containers17:25
*** david-lyle has joined #openstack-containers17:25
*** achanda has quit IRC17:27
*** noggin143 has quit IRC17:28
openstackgerritAdrian Otto proposed openstack/magnum: Add docs for docker registry  https://review.openstack.org/25993017:29
coreyobadrian_otto what objection? I don't see any comment from me on that change17:30
adrian_ottooh, that's weird.17:32
adrian_ottocoreyob: here it is: https://review.openstack.org/25470517:33
*** malini has joined #openstack-containers17:33
adrian_ottofrom 2016-01-0717:33
*** suro-patz has joined #openstack-containers17:34
coreyobah yeah that's the same security issue that I brought up at the midcycle. having that username and password on the box means anyone who has access to the cluster temporarily can grab those creds. then even after their own access is revoked, they retain access via that username/password17:36
coreyobplus if the user that takes those credentials didn't already have access to swift or whatever other services that username/password have access to, they've just escalated to having access17:37
coreyobbut at this point, this has already merged https://review.openstack.org/#/c/261285 so the username and password are already on the cluster so the security issue already exists. adding another place that they are stored on the cluster doesn't make it any worse really17:38
coreyobactually maybe that isn't true. that other change just created them, it didn't use them17:39
*** rods has joined #openstack-containers17:39
coreyobso maybe they aren't on the cluster yet17:39
adrian_ottoso can we make an actionable suggestion to make the feature possible without this risk, or a way to reduce the scope of the risk further?17:39
*** hieulq has quit IRC17:41
coreyobfor the registry specifically I don't think there is a way to use swift as a backend without having a username and password on the cluster. the only way to fix it that I've thought of would be to block users of the cluster from accessing it by disabling sshd and blocking host filesystem mounting through docker17:44
*** Marga_ has quit IRC17:44
*** Marga_ has joined #openstack-containers17:46
*** achanda has joined #openstack-containers17:46
*** abe_music has joined #openstack-containers17:46
adrian_ottothe blocking of host filesystem mounting would need to be done with an apparmor or selinux rule, right?17:46
*** abe_music has quit IRC17:47
*** sergmelikyan has joined #openstack-containers17:48
coreyobpresumably. possible a docker authorization plugin, kernel-level stuff like apparmor and selinux would be better17:48
adrian_ottoso Magnum could have a 'secure bay' mode that works in this way that must be enabled before the docker registry v2 (docker distribution) feature can be turned on.17:48
adrian_ottoso you could have some bays that work in that way, and other bays that allow bind mounting17:48
*** malini has quit IRC17:49
adrian_ottoI suppose that could be expressed as a baymodel flag17:49
coreyobyou could still allow mounting for everything except the path with the secrets presumably17:50
adrian_ottoor anything above it17:50
coreyobtrue17:51
adrian_ottoso that leaves very little to allow17:51
coreyobGETing the bay would have to hid the password too presumably since it is a bay attribute in that change17:51
adrian_ottobut we could move them somewhere else like /secrets17:51
adrian_ottoso you'd only need to prohibit /secrets and /17:51
coreyoband if the registry was going to be run as a container, that would pose a problem too17:52
coreyobbecause the password would be available in the container and users have access to the container17:52
*** malini has joined #openstack-containers17:53
adrian_ottoso really the issue is that we don't have a way to create a trust token that only works for swift, and only for a specific use of swift17:53
coreyobthe option that we discussed at midcycle was actually around the CA sign process17:54
adrian_ottono, thinking further it's worse17:54
adrian_ottoI see the issue with multi-user bays now.17:54
adrian_ottoif you have multiple users that each have access to a bay, and they can get access to the trust token, then they can fool with each others registry contents. Ick.17:55
coreyobI'm recalling now that we talked about having the ca-sign be ephemeral so that we could easily rotate the CA to revoke access and we could restrict access to ca-sign to only users that had at least as much access as the trust so they couldn't escalate17:55
coreyobalthough we have to be able to rotate the trust too, so n/m17:57
adrian_ottohow would we know the scope of access of the identity requesting ca-sign?17:57
coreyobmaybe I forgot some part of that solution17:57
*** gordc has left #openstack-containers17:57
coreyobso yeah the other thing we talked about like you said, was single-user bays so that the trust expired as soon as the user's creds were revoked in identity17:58
adrian_ottoI keep coming back to the thought that a "secure" bay can only allow single-user access.17:58
*** noggin143 has joined #openstack-containers17:58
*** askb has quit IRC18:00
coreyoband by "secure" bay you mean one that maintains the security of keystone for the rest of the openstack cloud18:00
adrian_ottoyes18:01
*** sergmelikyan has quit IRC18:09
*** sergmelikyan has joined #openstack-containers18:12
*** david-lyle_ has joined #openstack-containers18:12
*** david-lyle has quit IRC18:14
*** rods has quit IRC18:15
*** pcaruana has quit IRC18:16
*** rods has joined #openstack-containers18:17
*** JoseMello has quit IRC18:19
*** rods has quit IRC18:21
*** rods has joined #openstack-containers18:23
*** EricGonczer_ has joined #openstack-containers18:26
*** pcaruana has joined #openstack-containers18:30
*** EricGonczer_ has quit IRC18:31
*** Tango has joined #openstack-containers18:32
*** EricGonczer_ has joined #openstack-containers18:32
*** kdas_ has joined #openstack-containers18:33
*** noggin143 has quit IRC18:33
*** sdake_ has joined #openstack-containers18:34
*** noggin143 has joined #openstack-containers18:34
*** sdake_ has quit IRC18:35
*** kushal has quit IRC18:35
*** hongbin has quit IRC18:36
*** hongbin has joined #openstack-containers18:36
*** sdake has quit IRC18:37
*** sergmelikyan has quit IRC18:37
*** sdake has joined #openstack-containers18:39
*** banix_ has joined #openstack-containers18:42
*** banix has quit IRC18:43
*** banix_ is now known as banix18:43
*** sdake has quit IRC18:44
*** sdake has joined #openstack-containers18:48
*** madhuri has quit IRC18:48
*** malini has quit IRC18:50
*** achanda has quit IRC18:51
*** achanda has joined #openstack-containers18:54
*** fawadkhaliq has quit IRC18:55
*** fawadkhaliq has joined #openstack-containers18:55
*** eghobo has joined #openstack-containers18:58
*** zenoway has joined #openstack-containers18:58
*** vilobhmm11 has joined #openstack-containers19:02
*** EricGonczer_ has quit IRC19:10
*** vlaza has joined #openstack-containers19:13
*** chandankumar has quit IRC19:19
*** noggin143 has quit IRC19:24
*** noggin143 has joined #openstack-containers19:26
*** eghobo has quit IRC19:33
*** sdake_ has joined #openstack-containers19:36
*** fawadkhaliq has quit IRC19:38
*** sdake has quit IRC19:38
*** fawadkhaliq has joined #openstack-containers19:38
*** zenoway has quit IRC19:40
*** zenoway has joined #openstack-containers19:42
*** eghobo has joined #openstack-containers19:42
*** Drago2 has joined #openstack-containers19:43
*** noggin143 has quit IRC19:43
*** Drago2 has quit IRC19:44
*** Drago2 has joined #openstack-containers19:44
*** Drago1 has quit IRC19:45
*** clenimar has quit IRC19:45
*** harshs has joined #openstack-containers19:46
*** omnipresent has joined #openstack-containers19:50
*** omnipresent has quit IRC19:53
*** zenoway has quit IRC19:53
*** zenoway has joined #openstack-containers19:54
*** vlaza has quit IRC19:58
*** EricGonczer_ has joined #openstack-containers19:59
*** sdake has joined #openstack-containers20:03
*** sdake_ has quit IRC20:06
*** omnipresent has joined #openstack-containers20:09
*** zenoway_ has joined #openstack-containers20:12
*** zenoway has quit IRC20:12
*** omnipresent has quit IRC20:14
*** vlaza has joined #openstack-containers20:16
*** zenoway has joined #openstack-containers20:18
*** zenoway_ has quit IRC20:20
*** tbh has quit IRC20:20
*** fawadkhaliq has quit IRC20:24
*** fawadkhaliq has joined #openstack-containers20:25
*** zenoway has quit IRC20:25
*** vlaza has quit IRC20:27
*** ybathia has joined #openstack-containers20:27
*** zenoway has joined #openstack-containers20:28
*** adrian_otto has quit IRC20:31
*** suro-patz has quit IRC20:40
*** sdake_ has joined #openstack-containers20:43
openstackgerritMerged openstack/magnum: Remove minion dependency on master  https://review.openstack.org/27540520:43
*** sdake has quit IRC20:43
*** banix has quit IRC20:49
*** sergmelikyan has joined #openstack-containers20:50
*** achanda has quit IRC20:52
*** eil397 has joined #openstack-containers20:55
*** eil397 has left #openstack-containers20:56
*** suro-patz has joined #openstack-containers20:57
*** harshs has quit IRC20:58
*** fawadkhaliq has quit IRC20:59
*** pauloewerton has quit IRC21:00
*** fawadkhaliq has joined #openstack-containers21:00
openstackgerritMerged openstack/magnum: Fix typos in Magnum files  https://review.openstack.org/29810521:04
*** achanda has joined #openstack-containers21:04
*** rods has quit IRC21:05
*** rods has joined #openstack-containers21:06
*** Marga_ has quit IRC21:06
*** Marga_ has joined #openstack-containers21:06
*** harshs has joined #openstack-containers21:10
TangoPing Yolanda21:14
*** EricGonczer_ has quit IRC21:14
*** EricGonczer_ has joined #openstack-containers21:15
*** julim has quit IRC21:18
eghobohongbin: if i would like to run kub test at gate with fedora 23, what should i change?21:19
hongbineghobo: I guess you can submit a patch that depends on the fedora 23 patch21:20
Tangoeghobo: Do you mean the public Fedora Atomic 23 image?21:21
eghoboyes, the same as i used for hw21:21
TangoCoreyb has a patch for this:  https://review.openstack.org/#/c/276232/21:22
TangoIt just need some refactoring, as noted in the comment21:22
TangoBasically removing several files which have been broken out into another patch which has merged21:23
eghobogot it, thx21:23
*** EricGonczer_ has quit IRC21:27
*** sdake_ is now known as sdake21:27
*** bpokorny has quit IRC21:27
*** bpokorny has joined #openstack-containers21:30
*** suro-patz has quit IRC21:33
*** ybathia has quit IRC21:33
*** rpothier has quit IRC21:35
*** achanda has quit IRC21:37
*** sergmelikyan has quit IRC21:40
*** Drago2 has quit IRC21:42
*** Drago1 has joined #openstack-containers21:43
*** ybathia has joined #openstack-containers21:50
*** adrian_otto has joined #openstack-containers21:51
*** adrian_otto has quit IRC21:54
*** dflorea has joined #openstack-containers21:55
*** suro-patz has joined #openstack-containers21:56
*** adrian_otto has joined #openstack-containers21:57
*** rlrossit has quit IRC22:01
*** achanda has joined #openstack-containers22:04
*** dimtruck is now known as zz_dimtruck22:15
*** Marga_ has quit IRC22:19
*** Marga_ has joined #openstack-containers22:19
*** zenoway has quit IRC22:28
*** zenoway has joined #openstack-containers22:31
*** harlowja has joined #openstack-containers22:32
*** harlowja has quit IRC22:32
*** harlowja has joined #openstack-containers22:33
*** mbound has joined #openstack-containers22:35
*** zenoway has quit IRC22:36
*** mbound has quit IRC22:39
*** banix has joined #openstack-containers22:40
*** fawadkhaliq has quit IRC22:48
*** csoukup has quit IRC22:49
*** fawadkhaliq has joined #openstack-containers22:49
*** harlowja has quit IRC22:54
*** harlowja has joined #openstack-containers22:54
*** david-lyle_ is now known as david-lyle22:57
*** Drago1 has quit IRC22:58
*** bpokorny_ has joined #openstack-containers23:02
*** bpokorny_ has quit IRC23:02
*** bpokorny_ has joined #openstack-containers23:03
*** ybathia has quit IRC23:04
*** bpokorny has quit IRC23:04
*** bpokorny_ has quit IRC23:11
*** yuanying has joined #openstack-containers23:11
*** ybathia has joined #openstack-containers23:13
*** absubram has quit IRC23:15
*** harshs has quit IRC23:20
*** harlowja has quit IRC23:25
*** harlowja has joined #openstack-containers23:25
*** vilobhmm11 has quit IRC23:26
*** jwcroppe_ has joined #openstack-containers23:27
openstackgerritMerged openstack/magnum: Fix config error  https://review.openstack.org/29808723:29
openstackgerritMerged openstack/magnum: Cleanup duplicated auth_url in k8scluster/master template  https://review.openstack.org/29809223:29
*** jwcroppe has quit IRC23:30
*** shakamunyi has joined #openstack-containers23:30
*** barra204 has quit IRC23:32
*** zenoway has joined #openstack-containers23:34
*** zenoway has quit IRC23:39
*** achanda has quit IRC23:41
*** zz_dimtruck is now known as dimtruck23:44
*** fawadkhaliq has quit IRC23:50
*** fawadkhaliq has joined #openstack-containers23:50
*** fawadkhaliq has quit IRC23:52
*** fawadkhaliq has joined #openstack-containers23:52
*** EricGonczer_ has joined #openstack-containers23:54
*** hongbin has quit IRC23:56
*** sigmavirus24 is now known as sigmavirus24_awa23:58
*** fawadkhaliq has quit IRC23:59
*** fawadkhaliq has joined #openstack-containers23:59
« Sunday, 2016-03-27 Index Tuesday, 2016-03-29 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!