Thursday, 2015-10-08

« Wednesday, 2015-10-07 Index Friday, 2015-10-09 »
*** openstackgerrit has quit IRC00:01
*** openstackgerrit has joined #openstack-keystone00:02
openstackgerritOpenStack Proposal Bot proposed openstack/keystoneauth: Updated from global requirements  https://review.openstack.org/23046400:05
*** sdake_ has joined #openstack-keystone00:11
*** sdake has quit IRC00:11
*** hrou has joined #openstack-keystone00:12
*** phalmos has joined #openstack-keystone00:12
*** _hrou_ has quit IRC00:15
*** henrynash has quit IRC00:21
*** annasort has quit IRC00:22
*** annasort has joined #openstack-keystone00:22
*** freerunner has quit IRC00:23
*** shadower has joined #openstack-keystone00:23
*** aix has quit IRC00:23
*** d0ugal has quit IRC00:24
*** btully has quit IRC00:25
*** aix has joined #openstack-keystone00:28
*** freerunner has joined #openstack-keystone00:28
*** Kennan_Vacation has joined #openstack-keystone00:29
*** d0ugal has joined #openstack-keystone00:30
*** d0ugal is now known as Guest7455400:30
*** phalmos has quit IRC00:31
*** jbell8 has joined #openstack-keystone00:32
*** _cjones_ has quit IRC00:33
*** stevemar_ has joined #openstack-keystone00:34
*** ChanServ sets mode: +o stevemar_00:34
*** jbell8 has quit IRC00:37
*** richm has joined #openstack-keystone00:40
*** woodster_ has joined #openstack-keystone00:40
*** harlowja has quit IRC00:44
*** richm has quit IRC00:45
*** gsilvis has quit IRC00:56
*** gsilvis has joined #openstack-keystone00:56
*** harlowja has joined #openstack-keystone00:59
*** dims has quit IRC01:00
*** richm has joined #openstack-keystone01:01
*** su_zhang has quit IRC01:01
openstackgerritMerged openstack/keystone: Reclassify get_project_by_name() controller method  https://review.openstack.org/23120701:06
*** gordc has joined #openstack-keystone01:16
*** gildub has quit IRC01:17
*** richm has quit IRC01:34
*** agireud has quit IRC01:38
*** btully has joined #openstack-keystone01:40
*** wwwjfy has quit IRC01:44
*** btully has quit IRC01:45
*** lhcheng has joined #openstack-keystone01:45
*** ChanServ sets mode: +v lhcheng01:45
*** roxanagh_ has quit IRC01:46
*** gildub has joined #openstack-keystone01:52
*** stevemar_ has quit IRC01:54
*** stevemar_ has joined #openstack-keystone01:55
*** ChanServ sets mode: +o stevemar_01:55
*** agireud has joined #openstack-keystone01:56
*** doug-fish has joined #openstack-keystone02:01
*** topol has joined #openstack-keystone02:03
*** ChanServ sets mode: +v topol02:03
*** doug-fish has quit IRC02:06
*** topol has quit IRC02:07
*** Kennan_Vacation is now known as Kennan02:08
*** sdake_ is now known as sdake02:15
*** geoffarnoldX is now known as geoffarnold02:18
*** markvoelker has joined #openstack-keystone02:20
*** markvoelker_ has joined #openstack-keystone02:23
*** markvoelker has quit IRC02:25
stevemar_jamielennox: holy smacks, that memcache stuff is brutal02:25
jamielennoxstevemar_: yea02:26
jamielennoxthere's not that many lines in that patch, but just figuring out where everything went took me a while to write02:26
*** sdake has quit IRC02:30
*** ngupta has joined #openstack-keystone02:39
*** wwwjfy has joined #openstack-keystone02:44
*** markvoelker has joined #openstack-keystone02:44
*** markvoelker_ has quit IRC02:47
*** haneef__ has joined #openstack-keystone02:51
*** mylu has joined #openstack-keystone02:53
*** haneef_ has quit IRC02:53
*** gordc has quit IRC02:59
*** sdake has joined #openstack-keystone03:02
lhchengjamielennox: question on KSM, if the memcache_server is not configured, it will cache the validated user_token in the in-process memory right?03:06
*** darrenc is now known as darrenc_afk03:08
*** tristanC has quit IRC03:10
*** tristanC has joined #openstack-keystone03:12
*** zzzeek has joined #openstack-keystone03:14
*** geoffarnold is now known as geoffarnoldX03:20
*** markvoelker has quit IRC03:25
*** su_zhang has joined #openstack-keystone03:27
morganjamielennox: the memcache code hurts my brain03:30
morganstevemar_: i just told people to bug topol about things.03:32
morganHehehehe *snicker*03:32
stevemar_morgan: uh oh03:33
*** darrenc_afk is now known as darrenc03:34
*** markvoelker has joined #openstack-keystone03:38
*** btully has joined #openstack-keystone03:42
*** markvoelker has quit IRC03:44
*** lhcheng has quit IRC03:46
*** markvoelker has joined #openstack-keystone03:47
*** markvoelker_ has joined #openstack-keystone03:49
*** markvoelker_ has quit IRC03:52
*** markvoelker has quit IRC03:52
*** roxanagh_ has joined #openstack-keystone03:54
*** fawadkhaliq has joined #openstack-keystone03:55
openstackgerritTony Wang proposed openstack/keystone: improve code and comments test_catalog  https://review.openstack.org/23231804:01
*** EinstCrazy has joined #openstack-keystone04:04
*** lhcheng has joined #openstack-keystone04:05
*** ChanServ sets mode: +v lhcheng04:05
*** david8hu has quit IRC04:07
*** david8hu has joined #openstack-keystone04:07
*** EinstCrazy has quit IRC04:09
*** dims has joined #openstack-keystone04:10
*** lhcheng has quit IRC04:10
*** roxanagh_ has quit IRC04:13
*** vivekd has joined #openstack-keystone04:14
*** mylu has quit IRC04:18
*** mylu has joined #openstack-keystone04:19
*** markvoelker has joined #openstack-keystone04:22
*** mylu has quit IRC04:23
*** mylu has joined #openstack-keystone04:24
*** mylu has quit IRC04:26
*** mylu has joined #openstack-keystone04:26
*** markvoelker has quit IRC04:27
*** hrou has quit IRC04:30
*** davechen has joined #openstack-keystone04:30
*** roxanagh_ has joined #openstack-keystone04:31
*** markvoelker has joined #openstack-keystone04:37
*** jaosorior has joined #openstack-keystone04:40
openstackgerritlei zhang proposed openstack/keystone: :qUpdate sample catalog templates  https://review.openstack.org/21871104:40
*** mylu has quit IRC04:40
*** markvoelker has quit IRC04:43
*** markvoelker has joined #openstack-keystone04:44
*** morgan has quit IRC04:47
*** morgan has joined #openstack-keystone04:50
*** ChanServ sets mode: +v morgan04:50
*** markvoelker has quit IRC04:53
*** Nirupama has joined #openstack-keystone05:02
*** GB21 has joined #openstack-keystone05:02
*** markvoelker has joined #openstack-keystone05:03
*** geoffarnoldX has quit IRC05:07
*** markvoelker has quit IRC05:08
openstackgerritDave Chen proposed openstack/keystone: Update sample catalog templates  https://review.openstack.org/21871105:08
*** mflobo has joined #openstack-keystone05:08
openstackgerritMerged openstack/keystone: Document httpd for accept on /identity, /identity_admin  https://review.openstack.org/19576605:09
*** ngupta has quit IRC05:12
*** EinstCrazy has joined #openstack-keystone05:14
*** markvoelker has joined #openstack-keystone05:18
*** EinstCrazy has quit IRC05:20
*** markvoelker has quit IRC05:22
*** lhcheng has joined #openstack-keystone05:30
*** ChanServ sets mode: +v lhcheng05:30
*** markvoelker has joined #openstack-keystone05:32
*** EinstCrazy has joined #openstack-keystone05:34
*** GB21 has quit IRC05:35
*** markvoelker has quit IRC05:37
*** roxanagh_ has quit IRC05:43
openstackgerritHidekazu Nakamura proposed openstack/keystone: Update development environment set up doc  https://review.openstack.org/22302005:46
*** zzzeek has quit IRC05:47
*** markvoelker has joined #openstack-keystone05:47
*** GB21 has joined #openstack-keystone05:50
*** lhcheng has quit IRC05:51
*** lhcheng has joined #openstack-keystone05:52
*** ChanServ sets mode: +v lhcheng05:52
*** markvoelker has quit IRC05:52
*** jaosorior has quit IRC05:54
*** jaosorior has joined #openstack-keystone05:54
openstackgerritTony Wang proposed openstack/keystone: improve code and comments in test_catalog  https://review.openstack.org/23231805:58
*** markvoelker has joined #openstack-keystone06:02
openstackgerritMerged openstack/keystone: functional tests for keystone on subpaths  https://review.openstack.org/19618606:05
*** su_zhang has quit IRC06:07
*** vivekd has quit IRC06:07
*** mflobo has left #openstack-keystone06:07
*** markvoelker has quit IRC06:08
*** flwang has quit IRC06:13
*** jaosorior has quit IRC06:13
*** lhcheng has quit IRC06:14
*** jaosorior has joined #openstack-keystone06:14
*** su_zhang has joined #openstack-keystone06:14
*** jaosorior has quit IRC06:16
*** jaosorior has joined #openstack-keystone06:17
*** vivekd has joined #openstack-keystone06:20
*** GB21 has quit IRC06:21
*** doug-fish has joined #openstack-keystone06:25
*** doug-fish has quit IRC06:29
*** btully has quit IRC06:30
*** itlinux has joined #openstack-keystone06:37
*** jbell8 has joined #openstack-keystone06:39
*** jvarlamova has joined #openstack-keystone06:39
*** pnavarro has joined #openstack-keystone06:39
*** roxanagh_ has joined #openstack-keystone06:44
*** markvoelker has joined #openstack-keystone06:46
*** gildub has quit IRC06:50
*** roxanagh_ has quit IRC06:50
*** markvoelker has quit IRC06:50
*** browne has quit IRC06:58
*** markvoelker has joined #openstack-keystone06:59
*** markvoelker has quit IRC07:04
*** rudolfvriend has joined #openstack-keystone07:04
*** su_zhang has quit IRC07:05
*** btully has joined #openstack-keystone07:06
*** jbell8 has quit IRC07:09
*** jbell8 has joined #openstack-keystone07:10
*** btully has quit IRC07:11
*** markvoelker has joined #openstack-keystone07:14
*** stevemar_ has quit IRC07:14
*** stevemar_ has joined #openstack-keystone07:14
*** ChanServ sets mode: +o stevemar_07:14
*** stevemar_ has quit IRC07:18
*** aix has quit IRC07:18
*** markvoelker has quit IRC07:18
*** fawadkhaliq has quit IRC07:20
*** Guest74554 is now known as d0ugal07:23
*** d0ugal has quit IRC07:23
*** d0ugal has joined #openstack-keystone07:23
*** ParsectiX has joined #openstack-keystone07:27
openstackgerritJamie Lennox proposed openstack/keystonemiddleware: Remove auth headers in AuthProtocol  https://review.openstack.org/22975107:27
*** markvoelker has joined #openstack-keystone07:28
*** markvoelker has quit IRC07:33
*** fhubik has joined #openstack-keystone07:33
*** kiran-r has joined #openstack-keystone07:35
*** woodster_ has quit IRC07:39
*** exploreshaifali has joined #openstack-keystone07:40
*** henrynash has joined #openstack-keystone07:40
*** ChanServ sets mode: +v henrynash07:40
*** markvoelker has joined #openstack-keystone07:43
*** fawadkhaliq has joined #openstack-keystone07:44
*** jaosorior has quit IRC07:45
*** roxanagh_ has joined #openstack-keystone07:47
*** aix has joined #openstack-keystone07:47
*** openstackstatus has quit IRC07:47
*** markvoelker has quit IRC07:48
*** openstackstatus has joined #openstack-keystone07:48
*** ChanServ sets mode: +v openstackstatus07:48
*** jaosorior has joined #openstack-keystone07:49
*** vivekd has quit IRC07:51
*** roxanagh_ has quit IRC07:52
*** markvoelker has joined #openstack-keystone07:58
*** markvoelker has quit IRC08:02
*** davechen has quit IRC08:13
*** henrynash has quit IRC08:24
*** markvoelker has joined #openstack-keystone08:26
*** jbell8 has quit IRC08:28
*** markvoelker has quit IRC08:31
*** akanksha_ has quit IRC08:38
*** markvoelker has joined #openstack-keystone08:40
*** jistr has joined #openstack-keystone08:40
*** markvoelker has quit IRC08:46
*** roxanagh_ has joined #openstack-keystone08:49
*** exploreshaifali has quit IRC08:49
*** roxanagh_ has quit IRC08:53
*** markvoelker has joined #openstack-keystone08:55
openstackgerritDave Chen proposed openstack/keystonemiddleware: update middlewarearchitecture.rst  https://review.openstack.org/21916208:57
*** markvoelker has quit IRC08:59
*** aix has quit IRC08:59
*** henrynash has joined #openstack-keystone09:02
*** ChanServ sets mode: +v henrynash09:02
*** markvoelker has joined #openstack-keystone09:03
*** marzif has joined #openstack-keystone09:07
*** markvoelker has quit IRC09:08
*** markvoelker has joined #openstack-keystone09:10
*** aix has joined #openstack-keystone09:11
*** fawadkhaliq has quit IRC09:13
*** markvoelker has quit IRC09:15
*** e0ne has joined #openstack-keystone09:23
*** henrynash has quit IRC09:27
*** vivekd has joined #openstack-keystone09:30
*** phalmos has joined #openstack-keystone09:33
*** phalmos has quit IRC09:35
*** phalmos has joined #openstack-keystone09:36
*** amakarov_away is now known as amakarov09:38
*** markvoelker has joined #openstack-keystone09:40
*** markvoelker has quit IRC09:45
*** roxanagh_ has joined #openstack-keystone09:50
*** roxanagh_ has quit IRC09:54
*** markvoelker has joined #openstack-keystone09:55
*** markvoelker has quit IRC09:59
*** markvoelker has joined #openstack-keystone10:04
*** GB21 has joined #openstack-keystone10:09
*** markvoelker has quit IRC10:09
*** marzif has quit IRC10:10
*** fawadkhaliq has joined #openstack-keystone10:13
*** fawadkhaliq has quit IRC10:18
*** markvoelker has joined #openstack-keystone10:19
*** markvoelker has quit IRC10:24
*** EinstCrazy has quit IRC10:30
*** markvoelker has joined #openstack-keystone10:33
*** markvoelker has quit IRC10:38
*** sdake has quit IRC10:41
*** henrynash has joined #openstack-keystone10:43
*** ChanServ sets mode: +v henrynash10:43
*** flwang has joined #openstack-keystone10:44
*** fawadkhaliq has joined #openstack-keystone10:45
*** markvoelker has joined #openstack-keystone10:47
*** kiranr has joined #openstack-keystone10:49
*** kiran-r has quit IRC10:51
*** henrynash has quit IRC10:51
*** roxanagh_ has joined #openstack-keystone10:51
*** phalmos has quit IRC10:52
*** markvoelker has quit IRC10:55
*** roxanagh_ has quit IRC10:56
*** wwwjfy has quit IRC10:58
*** markvoelker has joined #openstack-keystone11:02
*** pnavarro is now known as pnavarro|lunch11:05
*** markvoelker has quit IRC11:12
*** markvoelker has joined #openstack-keystone11:17
*** markvoelker has quit IRC11:24
*** markvoelker has joined #openstack-keystone11:32
*** topol_ has joined #openstack-keystone11:35
*** ChanServ sets mode: +v topol_11:35
*** markvoelker has quit IRC11:36
*** marzif has joined #openstack-keystone11:37
*** thiagop has joined #openstack-keystone11:39
*** markvoelker has joined #openstack-keystone11:47
*** markvoelker has quit IRC11:51
*** roxanagh_ has joined #openstack-keystone11:52
*** markvoelker has joined #openstack-keystone11:57
*** GB21 has quit IRC11:57
*** roxanagh_ has quit IRC11:59
*** markvoelker has quit IRC12:01
*** markvoelker has joined #openstack-keystone12:03
*** markvoelker has quit IRC12:08
*** markvoelker has joined #openstack-keystone12:12
*** markvoelker has quit IRC12:16
*** gordc has joined #openstack-keystone12:22
*** stevemar_ has joined #openstack-keystone12:31
*** ChanServ sets mode: +o stevemar_12:31
*** thiagop is now known as thiagop-away12:32
*** hrou has joined #openstack-keystone12:32
*** Nirupama has quit IRC12:33
*** thiagop-away is now known as thiagop-afk12:34
*** itlinux has quit IRC12:34
*** stevemar_ has quit IRC12:34
*** GB21 has joined #openstack-keystone12:36
*** itlinux has joined #openstack-keystone12:37
*** edmondsw has joined #openstack-keystone12:38
*** pnavarro|lunch is now known as pnavarro12:38
*** su_zhang has joined #openstack-keystone12:38
*** doug-fish has joined #openstack-keystone12:39
*** _afazekas has joined #openstack-keystone12:39
*** _afazekas has quit IRC12:40
*** markvoelker has joined #openstack-keystone12:41
*** doug-fish has quit IRC12:41
*** doug-fish has joined #openstack-keystone12:41
*** markvoelker has quit IRC12:45
*** markvoelker has joined #openstack-keystone12:46
*** markvoelker has quit IRC12:49
*** markvoelker has joined #openstack-keystone12:49
*** markvoelker has quit IRC12:50
*** markvoelker has joined #openstack-keystone12:50
*** roxanagh_ has joined #openstack-keystone12:56
*** boris-42 has quit IRC12:58
*** nicodemos has joined #openstack-keystone12:58
*** roxanagh_ has quit IRC13:01
*** zz_john5223 is now known as john522313:02
*** wwwjfy has joined #openstack-keystone13:05
*** doug-fis_ has joined #openstack-keystone13:08
*** afazekas_ has joined #openstack-keystone13:09
*** markvoelker_ has joined #openstack-keystone13:11
*** doug-fish has quit IRC13:11
*** su_zhang has quit IRC13:11
*** markvoelker has quit IRC13:12
*** topol_ has quit IRC13:20
*** topol has joined #openstack-keystone13:20
*** ChanServ sets mode: +v topol13:20
*** marzif has quit IRC13:20
*** marzif has joined #openstack-keystone13:22
*** btully has joined #openstack-keystone13:22
*** markvoelker_ has quit IRC13:23
*** kiranr has quit IRC13:23
*** topol has quit IRC13:25
openstackgerritDolph Mathews proposed openstack/keystone: Correct typo in copyright  https://review.openstack.org/23252813:25
*** vivekd_ has joined #openstack-keystone13:30
*** zzzeek has joined #openstack-keystone13:30
*** vivekd has quit IRC13:31
*** vivekd_ is now known as vivekd13:31
mordredjamielennox, morgan: btw - the reason to not call it type and to call it service_type is that type is an actual thing in python13:32
*** kun_huang has joined #openstack-keystone13:36
kun_huangwhere does the 'argument' come from at https://github.com/openstack/keystone/blob/master/keystone/common/kvs/backends/memcached.py#L8613:36
*** markvoelker has joined #openstack-keystone13:38
*** marzif has quit IRC13:41
*** marzif has joined #openstack-keystone13:41
*** afazekas_ has quit IRC13:42
*** boris-42 has joined #openstack-keystone13:43
*** markvoelker has quit IRC13:43
*** markvoelker has joined #openstack-keystone13:45
*** markvoelker has quit IRC13:50
*** sigmavirus24_awa is now known as sigmavirus2413:50
*** markvoelker has joined #openstack-keystone13:53
dolphmbknudson: any idea where the stable maintenance schedule is, specifically for security supported projects? the schedule seems to have disappeared13:54
bknudsondolphm: I think I remember dhellmann making some changes ...13:54
dolphmbknudson: the best i can find is this half-baked declaration https://security.openstack.org/vmt-process.html#supported-versions13:54
bknudsonas in, moving it to git repo13:54
bknudsondolphm: https://wiki.openstack.org/wiki/Releases ?13:55
bknudsonoh, that has a link to the new doc13:55
bknudsonhttp://docs.openstack.org/releases/13:55
bknudsonis that what you're looking for?13:55
bretonwhat do you think about switching from using ldap's search_ext_s instead of search_s13:56
breton?13:56
bknudsonbreton: search_s just winds up calling search_ext_s13:56
bknudsonthey're the same thing13:56
*** ngupta has joined #openstack-keystone13:56
dolphmbknudson: that's closer - i was looking for EOL dates13:56
dolphmand transition dates from supported to security-supported13:57
bretonbknudson: indeed13:57
*** markvoelker has quit IRC13:58
openstackgerritTom Cocozzello proposed openstack/keystone: Fixed missed translatable string inside exception  https://review.openstack.org/23254413:58
bknudsondolphm: I think I've seen the doc that has the plans... probably have a link somewhere13:58
*** roxanagh_ has joined #openstack-keystone13:58
bknudsonit would be nice to have the info on http://docs.openstack.org/releases/13:58
*** fawadkhaliq has quit IRC13:58
bknudsondolphm: this one? https://wiki.openstack.org/wiki/StableBranch#Support_phases13:59
*** marzif has quit IRC14:00
dolphmbknudson: oh yeah, that's closer... there's a page that uses those dates, plus the 14 month total support cycle, to publish precise EOL dates14:00
dolphmor there used to be14:00
*** marzif has joined #openstack-keystone14:01
bknudsondolphm: from the summit discussions there's no promise of 14 months. Eventually we just give up on it because nobody's keeping it running.14:01
bknudsonmaybe it will be easier to support the old releases with better dependency management tooling.14:02
*** marzif has quit IRC14:02
dolphmbknudson: ah, that sounds familiar. i didn't realize that would result in deleting the schedule altogether though14:02
*** _afazekas has joined #openstack-keystone14:03
dolphmit also used to be helpful to see how long past EOL various releases were...14:03
*** _afazekas has quit IRC14:03
bknudsonhow about add it to http://docs.openstack.org/releases/ ?14:03
bknudsonshould be able to find the eol date from the tags in git repos14:04
*** roxanagh_ has quit IRC14:04
*** markvoelker has joined #openstack-keystone14:06
*** markvoelker_ has joined #openstack-keystone14:08
bknudsondolphm: this page has dates, so this must be the one you were thinking of: https://wiki.openstack.org/wiki/Releases14:10
dolphmbknudson: but no dates in the future14:11
bknudsony, because it's not maintained anymore14:11
*** markvoelker has quit IRC14:11
dolphmso, new thing does not sufficiently replace old thing :(14:12
*** alejandrito has joined #openstack-keystone14:12
*** thiagop-afk is now known as thiagop14:20
*** csoukup has joined #openstack-keystone14:20
*** timcline has joined #openstack-keystone14:21
*** topol has joined #openstack-keystone14:27
*** ChanServ sets mode: +v topol14:27
*** stevemar_ has joined #openstack-keystone14:28
*** ChanServ sets mode: +o stevemar_14:28
*** sdake has joined #openstack-keystone14:29
*** david_cu has joined #openstack-keystone14:35
*** markvoelker_ has quit IRC14:35
*** e0ne has quit IRC14:37
*** jaosorior has quit IRC14:38
*** jaosorior has joined #openstack-keystone14:38
*** tonytan4ever has joined #openstack-keystone14:40
*** hrou has quit IRC14:42
*** hrou has joined #openstack-keystone14:42
openstackgerritHenrique Truta proposed openstack/keystone: Remove domain table references  https://review.openstack.org/16593614:42
*** lkjahsdkfj has joined #openstack-keystone14:44
*** lkjahsdkfj has quit IRC14:44
*** lkjahsdkfj has joined #openstack-keystone14:44
lbragstaddolphm: do you want a perf environment for - https://review.openstack.org/#/c/215212/10 ?14:45
*** uiyice has quit IRC14:45
*** lkjahsdkfj is now known as uiyice14:46
*** hrou has quit IRC14:47
*** kun_huang has left #openstack-keystone14:48
dolphmlbragstad: environment?14:48
dolphmlbragstad: i have a devstack install on baremetal we could use, just have to dig out the benchmark tools we used last time and run them14:48
lbragstaddolphm: i was reading your comment on that review about not having performance tested that patch yet, did you have any idea in mind for how you wanted to do that?14:48
lbragstadah, devstack, nevermind14:49
*** slberger has joined #openstack-keystone14:50
*** timcline has quit IRC14:51
dolphmlbragstad: re run these? https://gist.github.com/dolph/cb9de036e91eabdefebe14:51
*** timcline has joined #openstack-keystone14:51
*** timcline has quit IRC14:51
*** timcline has joined #openstack-keystone14:52
lbragstaddolphm: yeah, that's what I was thinking14:52
lbragstaddolphm: would we need to make that specific to get_catalog?14:53
*** pnavarro is now known as pnavarro|afk14:53
dolphmlbragstad: no, it's auth performance where we want to see an improvement, right?14:54
dolphmlbragstad: err, auths & validations14:54
*** mtreinish has quit IRC14:54
*** mtreinish has joined #openstack-keystone14:54
lbragstaddolphm: yeah, and that should cover get_catalog since get_catalog is used in both of those, makes sense14:54
*** markvoelker has joined #openstack-keystone14:55
*** e0ne has joined #openstack-keystone14:57
*** nate_gone has quit IRC14:58
*** fawadkhaliq has joined #openstack-keystone14:59
*** browne has joined #openstack-keystone15:01
*** fawadkhaliq has quit IRC15:04
*** marzif has joined #openstack-keystone15:06
dolphmlbragstad: running a benchmark now15:07
lbragstaddolphm: a base line without the patch?15:07
dstanekayoung: busy?15:10
dolphmlbragstad: already done. baseline: http://cdn.pasteraw.com/ckcktfzmzed96b2x8rvn2g2nybutpak15:10
dolphmlbragstad: nevermind, i just remembered this is my minimal devstack install. the service catalog is pretty sparse15:11
ayoungdstanek, always, but always time for you.15:12
lbragstaddolphm: ah, i think the bootstrap.py script is a parse catalog too15:12
dstanekayoung: :-)15:12
dstanekayoung: you reminded me the other day that i need to finish up my DNS catalog POC15:13
dstanekayoung: have you don't anything like that in the past?15:13
ayoungdstanek, its been disccused from time to time, but I am not sure how to do the project filtering side of it15:14
ayoungI mean, with the current approach, we can make endpoints private.  If things are in DNS...they are not private, are they?15:14
dstanekin my current POC no, but  we could do magic with dnssec to make that happen15:15
*** aix has quit IRC15:16
dstanekayoung: generally speaking how useful is the filtering?15:16
ayoungdstanek, I think very15:17
ayoungif you have multiple nova, it is how people select the right one15:17
ayoungdstanek, oooh, dnssec...interesting..tell me more about that.15:17
openstackgerritMerged openstack/keystonemiddleware: Handle memcache pool arguments collectively  https://review.openstack.org/21234115:17
*** su_zhang has joined #openstack-keystone15:18
dstanekyou mean multiple nova in a region and a user needs to use a particular one?15:18
dolphmlbragstad: going to build a full devstack install and run it again, but meetings for now15:18
dstanekwe can force authentication to the dns server and provide custom catalogs (i think)15:18
dstanekso many rfcs with so many extensions and hacks15:18
dstanekhard to keep track of what is real and what people just really want to do15:19
lbragstaddolphm ok, need me to do anything?15:19
dolphmlbragstad: get the roles caching patch passing ;)15:19
lbragstaddolphm sounds good, i just bit the bullet and switched to textual15:20
dolphmlbragstad: enjoy!15:21
*** roxanagh_ has joined #openstack-keystone15:22
*** david-ly_ has joined #openstack-keystone15:22
*** david-lyle has quit IRC15:23
lbragstaddolphm you said you have a patch locally for https://review.openstack.org/#/c/215212/10/keystone/catalog/core.py15:23
*** timcline has quit IRC15:23
lbragstaddolphm if you have a diff, i can push that for review15:24
*** timcline has joined #openstack-keystone15:24
*** david-ly_ is now known as david-lyle15:24
*** alejandrito has quit IRC15:25
*** alejandrito has joined #openstack-keystone15:25
dolphmlbragstad: i don't keep patches locally15:26
*** jbell8 has joined #openstack-keystone15:26
dstanekayoung: i'm not quite sure how filtering and the service catalog standardization spec play together15:30
*** hrou has joined #openstack-keystone15:31
ayoungdstanek, ok, lets think how we want this to work.  Our goal is to get the vcatalog out of the token, right?15:31
*** roxanagh_ has quit IRC15:31
ayoungbut, when a user needs to do "openstack server create" they need to know where to find the appropriate compute server15:31
ayoungNow, if there were only one endpoint per service, I guess we would do something like15:32
ayoung"give me the compute server for domain mycompany.rackspace.com"15:32
*** phalmos has joined #openstack-keystone15:33
*** doug-fis_ is now known as doug-fish15:33
ayoungthat would be a URI record with the nova server in it, and we'd have to figure out the quere params:15:33
bknudsondolphm: https://wiki.openstack.org/wiki/StableBranchRelease has some more info about stable branches, too15:34
*** ParsectiX has quit IRC15:34
dolphmbknudson: hey, very bottom of that page has what i was looking for!15:35
dstanekayoung: so....15:35
dstanekayoung: dig +noque +nocmd +nostats _services._tcp.RegionOne.example-cloud.local PTR @104.239.230.3915:35
dstanekthat will get you a list of services for the RegionOne region15:36
dstanekdig +noque +nocmd +nostats _os-compute._tcp.RegionOne.example-cloud.local PTR @104.239.230.3915:36
dstanekthat will get you the endpoints for the compute region15:36
*** tonytan4ever has quit IRC15:37
dstanekayoung: and then for the details get the SRV and TXT records for the endpoint you want to hit15:37
ayoungdstanek, URI, I think, not SRV15:37
dstanekayoung: depends on the spec you are following - this is how i think dns-sd it done15:38
dstanekdns service discovery is the rfc that documents apple's bonjour protocol15:38
dolphmlbragstad: okay, new baseline, but still have a relatively small catalog ... didn't enable any optional services. http://cdn.pasteraw.com/7uw5n9flpze72dfyxyy4tzj5rnn36tz15:39
dstanekayoung: right now my goal is just to get something working and then worry about the exact rfc details later15:40
dstanekayoung: i just have a bit more client work and then i think it's "working"15:40
ayoungdstanek, regardless of spec, we dopn't want SRV records.  We want to be able to point multiple services at the same host, on the same port (443)15:41
dstanekayoung: and that won't work with this? the txt record would have the path to use15:42
ayoungdstanek, TXT works15:42
ayoungits just, I think, being superseded by URI15:42
ayoungThere is no way in a TXT record to say "this is a URI"  but I know they are often used that way15:43
*** hrou has quit IRC15:44
dstanekayoung: it's part of the rfc6763 protocol - the registered names also have a list of the key/value pairs for the txt record15:44
dstanekayoung: so i have this mostly working as-is and i think with a little focus i can have a workable demo by tomorrow15:44
ayoungdstanek, fantastic15:45
dolphmlbragstad: initial result: 2.7% performance improvement by adding caching to the catalog with 5 services in the catalog. running each variation several times now to get a more accurate number.15:45
lbragstaddolphm cool, and that was without the patch15:45
dolphmlbragstad: we need to thoroughly profile fernet validations15:46
ayoungdstanek, yeah, looks like URI are too new to depend on : https://tools.ietf.org/html/rfc7553  June 201515:46
dstanekdolphm: i want to make the catalog 100% faster :-)15:46
ayoungwe'll use them when we can15:46
*** dims has quit IRC15:46
lbragstaddolphm ok15:46
dolphmdstanek: by killing it or what?15:46
*** gyee has joined #openstack-keystone15:46
*** ChanServ sets mode: +v gyee15:46
bknudsondolphm: doesn't it depend on how many projects there are?15:46
dstanekdolphm: putting it in DNS15:46
*** timcline_ has joined #openstack-keystone15:46
bknudsonsince you get a different catalog for each project15:47
bknudsonor does it do the replacement afterwards?15:47
dolphmbknudson: uhh, what's "it"?15:47
dstanekayoung: i have the catalog browsable in Bonjour GUI Browser a few weeks ago, but i think i broke it when i started to use custome service types that are not IANA registered15:48
bknudsondolphm: the token catalog code... wherever it is that keystone puts the project id in the catalog15:48
ayoungdstanek, what record types do you need?15:48
bknudsonalso it can put the user ID in the catalog15:48
dstanekayoung: i also have not (and do not want!) implemented the part of the spec that will allow self registration15:49
dstanekayoung: _os_itentity._tcp isn't real. for a while i was using _http._tcp for everything, but it isn't granular enough15:49
*** itlinux has quit IRC15:49
ayoungdstanek, That looks like a SRV record to me15:50
dolphmbknudson: the method signature is get_catalog(self, user_id, tenant_id), which is the call i'm testing caching on. not sure if that answers your question?15:50
ayoungdstanek, for example _kpasswd._tcp  is SRV15:50
*** pnavarro|afk is now known as pnavarro15:50
*** timcline has quit IRC15:50
bknudsondolphm: y, don't you want to move that down to where it gets the catalog without replacements?15:51
bknudsonthen it won't depend on user_id and tenant_id15:51
dstanekayoung: yes, it's a SRV record, but it represents a service type15:51
*** _cjones_ has joined #openstack-keystone15:51
*** njohnston has joined #openstack-keystone15:51
lbragstadbknudson isn't that only a concern if you are filtering catalog content based on the project you're scoping to15:52
dstanekayoung: it may just be the crappy Mac client i was using because in theory it shouldn't need to know the service type15:52
dstanekayoung: http://www.dns-sd.org/servicetypes.html15:52
ayoungdstanek, those "are" PTR records:15:52
bknudsonlbragstad: no, every time you get a catalog it replaces $(tenant_id)s in the compute endpoint with whatever project your token is scoped to15:52
*** fawadkhaliq has joined #openstack-keystone15:52
ayounghttp://paste.fedoraproject.org/276485/43195671/15:52
dolphmbknudson: what call would that be?15:53
ayoungthat is just the name15:53
lbragstadbknudson ah, never mind, I was thinking of something else15:53
dstanekayoung: ah, right, right. they point to the service instances15:53
bknudsondolphm: trying to find it... probably buried in the catalog driver15:53
lbragstaddolphm bknudson  https://github.com/openstack/keystone/blob/master/keystone/catalog/backends/sql.py#L289-L29015:54
bknudsonlbragstad: that's it.15:54
lbragstaddolphm bknudson it looks like that happens in the drivers15:54
bknudsonwhat a crappy design!15:54
bknudsonmove it up to the manager15:54
bknudsonunless somehow the driver can do the replacement better.15:55
dolphmbknudson: yep15:55
lbragstadweird, the actual url formatting method is in the manager already15:57
lbragstadbut it's called from the driver....15:57
*** vivekd has quit IRC15:57
*** dims has joined #openstack-keystone15:57
lbragstadhttps://github.com/openstack/keystone/blob/master/keystone/catalog/core.py15:57
lbragstadactually - https://github.com/openstack/keystone/blob/master/keystone/catalog/core.py#L4515:57
dolphmlbragstad: are you talking about format_url?15:57
lbragstaddolphm yeah15:58
dolphmlbragstad: that's not in the manager, it's a function in the core module15:58
bknudsonalso, we sure need a get_catalog and get_v3_catalog in the driver!15:58
lbragstaddolphm yeah, you're right15:58
dolphmbknudson: duh15:58
bknudsonthat should be way up in the controller15:58
dolphmbknudson: *just* like we need v2 and v3 tokens to be stored differently in the db for uuid, etc15:59
*** dims_ has joined #openstack-keystone15:59
lbragstadso, we should refactor the driver to just give us everything, then format it according to the catalog version needed15:59
dolphmlbragstad: yep16:00
lbragstadthen when we do caching on the catalog, we can cache the whole thing, instead of catalog + tenant pairs16:00
dolphmright16:00
dolphmwell16:00
dolphmthat works for the base catalog driver16:00
dolphmthe obfuscated catalog driver will have to be per pair still16:00
lbragstadwhy is that?16:00
*** _cjones_ has quit IRC16:01
*** _cjones_ has joined #openstack-keystone16:02
dolphmlbragstad: because it hides catalog entries per tenant or per user or whatever16:02
bknudsony, the endpoint filtering16:02
*** dims has quit IRC16:02
bknudsonyou'll have to pass the tenant_id or user_id in or whatever it needs16:02
lbragstadah16:03
morganYou dont need to cache the filtered version16:03
bknudsonbut you don't have to do the replacement or v2-to-v3 conversion16:03
dolphmmorgan: i was just about to say that16:03
dolphmif it called the same single cached method16:03
lbragstadjust cache the *whole* thing16:03
bknudsonI think the filtering is done via sql?16:03
bknudsonbut of course the join could be reimplemented in python16:03
lbragstadthen the expensive part becomes the formatting operation16:03
morganbknudson: so refactor that part to use the full catalog ;)16:03
morganThere are two other ways to approach it but they arent "easy" because it requires alternative cache regions. A lot of code to make that happen in keystone16:04
dolphmmorgan: did you see the patch i posted? it adds a second cache region16:05
dolphmnot super hard, most of the APIs were already in place16:05
*** e0ne has quit IRC16:05
morganAh16:05
lbragstadit wasn't that much code either16:05
morganNo didnt see16:05
dolphmmorgan: https://review.openstack.org/#/c/215212/10/keystone/catalog/core.py,unified16:05
morganAh not too bad16:06
dolphmwhoa, do you not have to restart apache2 anymore to apply code changes to keystone in devstack?16:07
*** marzif has quit IRC16:08
*** marzif has joined #openstack-keystone16:08
lbragstaddolphm why exactly did you need to have a second region for catalog again?16:09
bknudsondolphm: apache will start new instances whenever it feels like it16:09
lbragstad#feature16:09
dstanekayoung: this feels like it's a lot of DNS calls (even though they should the light and cached)16:10
bknudsonthis was causing gate failures in grenade because stuff was being upgraded while keystone was service requests16:10
bknudsonserving16:10
ayoungdstanek, what would be the optimized case? If all I want to do is nova boot, I really should only need to ask "where is my nova server"16:11
dstanekayoung: yeah, i don't know :-( right now it would be a handful of DNS calls16:11
ayoungdstanek, otoh, If I need to know Sahara or Trove or whatnot, I should be able to ask for just that16:12
dolphmlbragstad: so that i could invalidate the entire region at once without having to enumerate cache keys to invalidate16:12
dolphmlbragstad: and not invalidate the rest of keystone's cache along with16:12
lbragstaddolphm ah, ok16:12
* morgan will revisit making devstack use uwsgi soon.16:12
morganShould make gate better and easier to move other apis to apache16:13
dolphmmorgan: on that note, https://developer.rackspace.com/blog/keystone_horizon_nginx/16:14
morganYah.16:15
morganI was going to rework devstack to setup apache all at once then make uwsgi do the heavy lifting in the same procedural way we do today16:15
*** su_zhang has quit IRC16:15
morganSo keystone and horizon would be moved over16:16
morganWould also open the door for someone to easily use nginx ;)16:16
*** timcline_ has quit IRC16:17
*** timcline has joined #openstack-keystone16:18
*** arunkant_ has joined #openstack-keystone16:19
*** mylu has joined #openstack-keystone16:24
dolphmmorgan: so use apache + uwsgi in the gate?16:24
morganYah16:25
*** timcline_ has joined #openstack-keystone16:25
morganWill remove the "reatart apache" issue almost completely16:25
bknudsonbefore devstack update the keystone instructions with how to set it up.16:25
*** jsavak has joined #openstack-keystone16:25
morganAmong other things16:26
morganbknudson: the plan is a wip for devstack to show it works16:26
openstackgerritMerged openstack/keystone: Enable hardcoded_bind_all_interfaces Bandit test  https://review.openstack.org/22569016:26
morganThen deal with docs.16:26
bknudsonthat works for me.16:26
morganOr find someone who is better at doc writing :P16:27
*** geoffarnold has joined #openstack-keystone16:27
*** kiran-r has joined #openstack-keystone16:27
bknudsonhttps://uwsgi-docs.readthedocs.org/en/latest/Apache.html#mod-proxy-uwsgi ?16:27
morganYep16:27
morganOr just mod_proxy16:27
morganBoth work16:27
* morgan may have done a POC already16:28
*** mylu has quit IRC16:28
ayoungmorgan, we don't have any logic in the mapping backend like the SHA256 id_mapping code, do we?  We have any way to map a long UserID to a sha256 haed one?16:28
*** timcline has quit IRC16:28
morganayoung: huh?16:29
*** geoffarn_ has joined #openstack-keystone16:29
morganNot sure what youre asking16:29
dstanekayoung: i guess if the know the region domain then you could do 2 queries16:30
dstanekayoung: https://gist.github.com/dstanek/093f851fdea8ebfd893d16:30
*** geoffarnold has quit IRC16:32
ayoungmorgan, in the Federation mapping code, do we have a way of taking in a long userid like this: glance/openstack.ayoung.os1.test@AYOUNG.OS1.TEST  so a s a sha256 version16:33
morganUhm... Dunno off the top of my head16:33
morganSorry =/16:34
ayoungmorgan, we've been able to replace the service users with Kerberos services, but the names get too long16:34
ayoungI might be able to do something to split on the REALM though16:34
ayoungso it should only be  glance/openstack.ayoung.os1.test16:34
morganIt shouldnt be hard to do a sha256 hook in for the mapping table16:34
morganI thought we used that for federated users alreafy16:35
ayoungmorgan, trying to do this in the existing code base, though16:35
*** jsavak has quit IRC16:35
ayoungthat is what I thought, too16:35
morganDomain_id + user_id16:35
morganHashed to sha25616:35
*** jsavak has joined #openstack-keystone16:35
*** lhcheng has joined #openstack-keystone16:35
*** ChanServ sets mode: +v lhcheng16:35
morganPretty sure we do that for ephemeral users16:35
ayoungmorgan, but the logic seems to be in the domain_specific_backend code only, and only for ldap over SQL16:36
ayoungI thought so too...16:36
ayoungmaybe I missed it16:36
morganmarekd, stevemar_, ^16:36
*** jistr has quit IRC16:38
*** arunkant_ has quit IRC16:38
ayoungdstanek, publicURL._os-compute._tcp  could be publicURL._os-compute._https.  THe text should be "URI=https://FQDN/compute/v2.1  I think16:38
ayoungbut you are on to something here.16:38
*** janonymous_ has joined #openstack-keystone16:38
ayoungmorgan, yeah, so when we URLEncode the USer ID that is that long principal, we overflow the DB columnet by 1 character16:39
janonymous_Hi , Could somebody help me with : https://review.openstack.org/#/c/193866/ , i think i have to abandon this change :(16:39
ayoungjanonymous_, what abandon?16:41
*** jsavak has quit IRC16:41
janonymous_ayoung: This patch .16:41
morganjanonymous_: it's just a conversion of strings needed16:42
ayoungjanonymous_, typo.  I meant "why"16:42
morganPretty easy16:42
*** phalmos has quit IRC16:42
*** jasonsb has joined #openstack-keystone16:42
morganYou need to convert an output string to a something the method can work with. So uou might need tk just str() or similar16:42
dolphmjanonymous_: you want someone to abandon it for you? or you want help getting it to pass jenkins?16:43
janonymous_If someone could help me to pass it with gate it would be better. As morgan suggested i tried unicode , string also but it still failed , i donno why16:44
dstanekayoung: we could add that in there. i modeled the openstack services after the _http._tcp service16:44
ayoungdstanek, so their approach is to do it as two pieces:  FQDN in one query, suburl in a second?16:45
ayoungI guess that is fine. Slightly more terse, slightly harder to cut and paste16:45
janonymous_ayoung: Ohh, because of the reason i mentioned :(16:46
dstanekayoung: yes, i believe so; once i get it working i'll revisit the RFC and impl16:46
ayoungdstanek, so then the question is how to map from project to catalog, if it is not in the token16:47
dstanekayoung: what do you mean? a project specific catalog?16:48
*** agireud has quit IRC16:48
*** roxanaghe has quit IRC16:48
*** rudolfvriend has quit IRC16:48
*** fhubik has quit IRC16:49
*** drjones has joined #openstack-keystone16:49
*** ayoung is now known as ayoung-afk16:50
*** agireud has joined #openstack-keystone16:51
*** _cjones_ has quit IRC16:52
*** arunkant_ has joined #openstack-keystone16:54
*** jsavak has joined #openstack-keystone16:54
*** drjones has quit IRC16:54
*** _cjones_ has joined #openstack-keystone16:55
*** timcline_ has quit IRC16:56
*** timcline has joined #openstack-keystone16:56
*** drjones has joined #openstack-keystone16:58
*** jsavak has quit IRC16:58
*** jsavak has joined #openstack-keystone16:58
stevemar_morgan: catching up...16:58
*** su_zhang has joined #openstack-keystone17:00
*** _cjones_ has quit IRC17:01
dstanekjanonymous_: it's possible that we just can't do that patch; our version takes into account that the Message is a special object17:03
*** jaosorior has quit IRC17:04
*** jaosorior has joined #openstack-keystone17:04
dolphmlbragstad: profiled an entire benchmark run, this is with the catalog caching patch https://gist.github.com/dolph/3bf24039b83a147eeb5c17:05
dstanekjanonymous_: the Python 2.7 version of assertRaisesRegexp explicitly turns the message into a string using str() and that just won't work17:05
lbragstaddolphm nice, get_token_data seems to be right up there, that makes sense17:06
lbragstaddolphm and closely after that there is _populate_roles17:07
*** mylu has joined #openstack-keystone17:07
lbragstaddolphm btw, i think i narrowed down one of the issues with the role caching patch17:07
*** jaosorior has quit IRC17:08
janonymous_dstanek: Please suggest what should be done17:08
dstanekjanonymous_: probably abandon17:08
dstanekjanonymous_: we may be able to simplify our version, but i don't see how we can get rid of it17:09
janonymous_dstanek: I was thinking of that in the first place but i thought there might be some solution17:09
janonymous_dstanek: but anyway  i think that's fine for me17:09
*** jsavak has quit IRC17:09
dstanekjanonymous_: the problem is that we can't call the 2.7 version is an i18n exception17:10
*** jsavak has joined #openstack-keystone17:10
dolphmlbragstad: something is wrong with the catalog caching patch if it's calling the sql backend just as much as it's hitting the manager :-/17:10
*** thiagop is now known as thiagop-afk17:11
lbragstaddolphm is the profiler only using one user?17:11
dolphmlbragstad: it's the benchmark in that gist -- yes17:11
dolphmwell, two: admin & demo17:11
lbragstaddolphm hmmm17:11
lbragstaddolphm so, keystone should only be making two full trips to the database17:11
dolphmgoddammit devstack doesn't run with caching enabled rofl17:12
*** afazekas_ has joined #openstack-keystone17:12
morgandolphm: correct17:12
dstanekjanonymous_: just commented on the review17:12
* dolphm facepalm17:12
lbragstaddolphm oops17:12
morgandolphm: explicit choice17:12
dolphmnow my whole day makes sense17:12
lbragstaddolphm that fine though, now we have a profiled fernet run!17:13
*** amakarov is now known as amakarov_away17:13
dolphmlbragstad: now we're going to have a profiled fernet run with caching!17:13
dolphmlbragstad: i was expecting a double digit percent improvement from the catalog caching patch, maybe i'll see that now17:14
lbragstaddolphm ++17:14
*** dims has joined #openstack-keystone17:15
janonymous_dstanek: I'll abandon the patch then . But anyone willing to work on that please feel free to reopen the same :)17:15
dstanekjanonymous_: i think the best we can do it reduce that method to 2 or 3 lines17:17
*** dims has quit IRC17:18
*** drjones has quit IRC17:18
*** dims_ has quit IRC17:19
*** _cjones_ has joined #openstack-keystone17:19
*** roxanaghe has joined #openstack-keystone17:19
*** fawadkhaliq has quit IRC17:19
*** itlinux has joined #openstack-keystone17:20
lbragstaddolphm i might see a problem with caching roles17:20
lbragstaddolphm we cache on user_id + tenant_id right now17:21
*** janonymous__ has joined #openstack-keystone17:22
lbragstaddolphm but https://github.com/openstack/keystone/blob/0e1d261ecf1adcf6f12c2c390ca26300376b1a32/keystone/tests/unit/test_v3_auth.py#L2153 will fail if a user is added to a group,17:22
*** janonymous_ has quit IRC17:22
lbragstaddolphm we might need to invalidate the role cache when a user is added to a group17:22
*** timcline_ has joined #openstack-keystone17:24
*** tonytan4ever has joined #openstack-keystone17:24
*** mylu has quit IRC17:25
*** timcline has quit IRC17:25
*** mylu has joined #openstack-keystone17:26
openstackgerritHenrique Truta proposed openstack/keystone: Restricting domain_id update  https://review.openstack.org/20721817:27
dolphmmorgan: what's the pypi module that keystone's memcache_pool depends on?17:29
*** timcline_ has quit IRC17:29
*** timcline has joined #openstack-keystone17:30
dolphmmorgan: python-memcached?17:30
*** timcline_ has joined #openstack-keystone17:31
*** geoffarn_ is now known as geoffarnoldX17:31
*** exploreshaifali has joined #openstack-keystone17:31
*** hrou has joined #openstack-keystone17:31
morganYeah. Think so17:32
dstanekdolphm: yeah17:32
*** shadower has quit IRC17:32
*** timcline has quit IRC17:34
*** mylu has quit IRC17:35
*** marzif has quit IRC17:35
*** john5223 is now known as zz_john522317:36
*** janonymous__ has quit IRC17:39
*** geoffarnoldX is now known as geoffarn_17:40
*** e0ne has joined #openstack-keystone17:40
bretonyes, python-memcached17:41
*** ngupta has quit IRC17:43
*** tull has joined #openstack-keystone17:43
*** ngupta has joined #openstack-keystone17:45
*** itlinux has quit IRC17:46
*** itlinux has joined #openstack-keystone17:46
*** fawadkhaliq has joined #openstack-keystone17:48
*** itlinux has quit IRC17:51
*** devkulkarni has joined #openstack-keystone17:56
*** jsavak has quit IRC17:59
*** janonymous_ has joined #openstack-keystone17:59
devkulkarniHi keystone team, since yesterday solum's devstack gate is failing.. the logs indicate that job is getting authorization failure while setting up solum's user and roles.. here is the stack trace: http://logs.openstack.org/88/230588/5/check/gate-solum-devstack-dsvm/4fc57f8/logs/devstacklog.txt.gz#_2015-10-08_17_04_10_665 .. I need some guidance on how to fix this issue.18:00
*** lhcheng has quit IRC18:01
bknudsondevkulkarni: why still using keystone and not openstack CLI?18:01
devkulkarnibknudson: haven't gotten around to switching over the openstack cli yet..18:02
bknudsonit's probably failing to auth since devstack is setting identity api version to v3 and keystone CLI only supports v2.18:02
devkulkarnibknudson: I see18:02
bknudsonbut I think that happened a while ago, not yesterday18:02
*** lhcheng has joined #openstack-keystone18:03
*** ChanServ sets mode: +v lhcheng18:03
devkulkarnibknudson: you think switching over openstack cli might help? does it work with v3 by default?18:03
*** nicodemos_ has joined #openstack-keystone18:03
bknudsondevkulkarni: openstack CLI works with v3 and v2.18:04
*** nicodemos_ has quit IRC18:04
bknudsonthere's lots of examples in there as shown in the logs18:04
devkulkarnibknudson: I see.. here is a strange thing though.. I have a devstack setup in which I tried both ks and osc commands18:04
devkulkarnibknudson: yes.18:05
devkulkarnibknudson: for example, I tried ' keystone role-list ' and 'openstack role list' both required me to use admin creds18:05
*** zz_john5223 is now known as john522318:06
devkulkarniwithout admin, I was getting Authorizationfailure for both18:06
*** kiran-r has quit IRC18:06
devkulkarnisince the error that I am getting on the devstack gate is similar, I am wondering if something else would need to be changed as well18:06
bknudsondevkulkarni: by default you do need to be an admin to list roles.18:06
bknudsondevkulkarni: maybe need to check some keystone logs or get debug info on the keystone cli call18:08
*** su_zhang has quit IRC18:09
devkulkarnibknudson: yes.. but because without admin I am seeing Authorization failure for both keystone and osc, I am wondering if the gate failure is due to not using the osc client or something else18:09
*** dims has joined #openstack-keystone18:09
devkulkarnibknudson: I will try changing over to osc18:09
devkulkarniis there a good comprehensive documentation of all the commands and available options for osc keystone somewhere?18:10
*** su_zhang has joined #openstack-keystone18:16
openstackgerritDolph Mathews proposed openstack/keystone: Add caching to get_catalog  https://review.openstack.org/21521218:17
dolphmlbragstad: creation is faster by 16.7% and validation is faster by 7.5% with ^ https://gist.github.com/dolph/3bf24039b83a147eeb5c18:17
*** itlinux has joined #openstack-keystone18:17
lbragstaddolphm awesome!18:17
*** exploreshaifali has quit IRC18:19
dolphmlbragstad: looking at the remaining profile, your roles patch has the potential to shave another 10% off that18:19
lbragstaddolphm yeah, i think that's going to be tricky18:20
lbragstadcaching roles that is18:20
lbragstadworking on it now18:20
lbragstadi pulled down the patch that adds caching to roles and I'm looking at some of the issues with it18:21
dolphmlbragstad: i added revised the catalog caching patch based on something i missed that profiling revealed :)18:23
lbragstaddolphm i see you added caching to get_v3_catalog18:24
lbragstaddolphm is that what you mean?18:24
dolphmlbragstad: yep!18:26
dolphmlbragstad: i didn't realize that the driver's base implementation wasn't being used at all in sql's case (which makes sense, but anyway)18:26
*** phalmos has joined #openstack-keystone18:27
lbragstaddolphm interesting18:27
lbragstaddolphm trying to fix the role caching patch with http://cdn.pasteraw.com/pgjae8ibogjf1b4hubtxyosctr9db20 (or along the lines of)18:29
stevemar_devkulkarni: yep, all the commands are here; http://docs.openstack.org/developer/python-openstackclient/command-list.html18:29
*** zhenq has joined #openstack-keystone18:29
devkulkarnithanks stevemar_18:29
lbragstaddolphm but i think i'm still missing something18:29
lbragstaddolphm that's a bridge we'll have to figure out how to cross if we want that extra 10%18:30
dolphmlbragstad: what makes you say that you're missing something?18:31
lbragstaddolphm because https://github.com/openstack/keystone/blob/0e1d261ecf1adcf6f12c2c390ca26300376b1a32/keystone/tests/unit/test_v3_auth.py#L2153 still fails after i added that diff18:32
*** itlinux has quit IRC18:32
lbragstaddolphm i think it's because i'm trying to invalidate the cache in another region?18:33
lbragstaddolphm so from the idenitty manager, i'm trying to invalidate stuff in the assignment manager, which i'm not sure is possible...18:36
dolphmlbragstad: fwiw, here's the ranked list of things that get_token_data() spends it's time on http://cdn.pasteraw.com/mo8y8iixeuyegdrnmxbaqfvevojzoff18:38
dolphmfor some reason service providers is also slow, and there's no federation in this deployment.18:38
dolphmlbragstad: anyway, i'm looking at the roles patch...18:39
*** geoffarn_ is now known as geoffarnoldX18:41
lbragstaddolphm let me push a new version of that patch, it'll make it easier to review18:41
openstackgerritDolph Mathews proposed openstack/keystone: Add caching to get_catalog  https://review.openstack.org/21521218:41
dolphmlbragstad: fixed builds ^18:41
*** doug-fish has quit IRC18:43
*** e0ne has quit IRC18:44
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to role assignments  https://review.openstack.org/21571518:44
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to role assignments  https://review.openstack.org/21571518:45
lbragstaddolphm new patch up ^18:46
lbragstadwith my attempt to invalidate based on add_user_to_group18:46
dolphmlbragstad: looking18:47
*** agireud- has joined #openstack-keystone18:48
*** e0ne has joined #openstack-keystone18:49
*** agireud has quit IRC18:49
*** agireud- is now known as agireud18:49
dolphmlbragstad: so you probably need to take the same approach i did - i didn't want to explicitly enumerate user+tenant pairs to invalidate catalogs. you don't want to explicitly enumerate user project pairs to invalidate assignments either18:50
*** su_zhang has quit IRC18:50
ayoung-afkdevkulkarni, service tenant is probably in a different domain18:50
dolphmlbragstad: solution, create a new cache region and you can invalidate the entire thing at once18:50
*** ayoung-afk is now known as ayoung18:50
lbragstaddolphm ok, looking at your patch again18:52
*** itlinux has joined #openstack-keystone18:52
*** itlinux has quit IRC18:55
dolphmlbragstad: my patch is going to fail tests, dammit18:59
dolphmlbragstad: this is where i'm at with your patch, but i'm going to go back and fix mine http://cdn.pasteraw.com/nguo0grjpb4z4ukl1vjmr6mr5s767xv19:00
lbragstaddolphm pull down your diff now19:00
lbragstadpulling*19:01
lbragstaddolphm are the tests on your patch failing with AttributeError: 'CacheRegion' object has no attribute 'expiration_time' ?19:10
dolphmlbragstad: with the patch i started on top of yours, yes19:11
openstackgerritSam Leong proposed openstack/keystone: add initiator to v2 calls for additional auditing  https://review.openstack.org/23112319:11
lbragstaddolphm ok19:12
openstackgerritSam Leong proposed openstack/keystone: add initiator to v2 calls for additional auditing  https://review.openstack.org/23112319:12
*** telemonster has quit IRC19:12
openstackgerritBrant Knudson proposed openstack/keystone: Update test modules passing on py34  https://review.openstack.org/23163519:13
openstackgerritBrant Knudson proposed openstack/keystone: Fix fernet key writing for python 3  https://review.openstack.org/23171019:13
openstackgerritBrant Knudson proposed openstack/keystone: Fix fernet padding for python 3  https://review.openstack.org/23171119:13
openstackgerritBrant Knudson proposed openstack/keystone: Handle fernet payload timestamp differences  https://review.openstack.org/23271119:13
bknudsonit's going to be really hard to get python3 support without dogpile supporting it19:16
*** geoffarnoldX has quit IRC19:17
bknudsonI thought I was making progress on test_fernet_provider but that's not going to work now19:17
lbragstadbknudson why is that/19:18
dolphmbknudson: it's dependent on dogpile somehow?19:18
bknudsonbecause now it's calling a bunch of functions that do caching.19:18
dolphmbknudson: when caching is disabled?19:19
bknudsonkeystone.tests.unit.token.test_fernet_provider.TestValidate.test_validate_v3_token_federated_info calls create_domain19:19
bknudsonhmmm, maybe this was failing before and I didn't notice it due to the other issues19:19
openstackgerritDolph Mathews proposed openstack/keystone: Add caching to get_catalog  https://review.openstack.org/21521219:20
bknudsonI swear this wasn't failing a couple days ago.19:20
morganDogpile should work with py319:20
dolphmlbragstad: alright my patch is passing *all* the tests now, not just the ones i was running before :P19:20
bknudsonmaybe we're calling it wrong?19:20
bknudsonTypeError: Unicode-objects must be encoded before hashing19:20
morganPython-memcache is probably still not py3 compat19:20
dolphmlbragstad: might want to rebase on top of it so you're not looking at test failures that aren't your fault!19:20
bknudsonfrom /opt/stack/keystone/.tox/py34/lib/python3.4/site-packages/dogpile/cache/util.py19:21
morganKey generator needs a fix19:21
dolphmpython-memcached *19:21
lbragstaddolphm which patch did you completely fix up?19:21
morganWe can write our own keygenerator19:21
morganAnd bypass that19:21
dolphmlbragstad: catalog caching19:21
lbragstadhttps://review.openstack.org/#/c/215212/12 dolphm  ?19:21
lbragstadok19:21
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to role assignments  https://review.openstack.org/21571519:21
bknudsonok, let me take a stab19:22
bknudsonI think oslo.cache has some example code19:22
bknudsonactually, maybe oslo.cache will solve all our problems.19:23
bknudsonmaybe we should switch to that.19:23
*** tqtran_ has joined #openstack-keystone19:26
openstackgerritSonali proposed openstack/keystone: Do not rebuild revoke_tree on each validate-token  https://review.openstack.org/23271519:29
dolphm\o/ lbragstad ^^19:31
lbragstadoh, nice!19:32
stevemar_dolphm: lbragstad refering to the do not rebuild revoke tree?19:33
lbragstadstevemar_ yep19:33
stevemar_lbragstad: yup, we had someone looking at that internally19:34
stevemar_be nice to them, it's their first patch19:34
lbragstadstevemar_ I'm *always* nice19:34
lbragstad:)19:34
*** itlinux has joined #openstack-keystone19:34
stevemar_lbragstad: you, yeah, it's true19:35
lbragstadstevemar_ adding myself to that one, for sure19:35
*** timcline_ has quit IRC19:39
*** timcline has joined #openstack-keystone19:40
*** jsavak has joined #openstack-keystone19:40
lbragstaddolphm running tests against my patch now19:41
*** su_zhang has joined #openstack-keystone19:41
*** e0ne has quit IRC19:42
*** timcline_ has joined #openstack-keystone19:43
*** timcline has quit IRC19:43
*** jsavak has quit IRC19:45
*** jsavak has joined #openstack-keystone19:46
openstackgerritBrant Knudson proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587319:47
openstackgerritBrant Knudson proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587319:48
*** akanksha_ has joined #openstack-keystone19:52
*** mylu has joined #openstack-keystone19:54
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy: Custom fixture to avoid external call in HttpCheck  https://review.openstack.org/23272519:55
*** tqtran_ is now known as tqtran19:58
devkulkarnibknudson, ayoung: ping20:00
devkulkarnibknudson: so I changed solum's devstack setup code to use osc20:00
devkulkarniI am running into an issue for the service create command.20:01
devkulkarnion gate logs, I am seeing this error: http://paste.openstack.org/show/475786/20:01
devkulkarnibut on my local devstack, I am seeing this: http://paste.openstack.org/show/475787/20:01
devkulkarninotice that the flags for the two seem to be different20:02
devkulkarnion my local devstack, the version of openstack client installed is 1.7.120:02
*** janonymous_ has quit IRC20:02
devkulkarniany ideas what is the right way of invoking service create command20:02
*** tonytan4ever has quit IRC20:03
*** mylu has quit IRC20:03
*** jsavak has quit IRC20:03
bknudsondevkulkarni: you've probably got your env vars set for identity version v2 while the gate has the env vars set to v3.20:03
devkulkarnibknudson: oh!20:03
*** mylu has joined #openstack-keystone20:03
*** jsavak has joined #openstack-keystone20:04
devkulkarnibknudson:  you are right20:04
devkulkarnibknudson: will change local to v3 and try20:04
bknudsonmost of the openstack commands normalize the arguments but looks like this one is different20:04
*** mylu has quit IRC20:05
devkulkarnibknudson: no longer getting syntax error on my local env..which is good for me to exercise the gate again20:06
*** mylu has joined #openstack-keystone20:06
devkulkarnibknudson: thanks for the tip20:06
*** itlinux has quit IRC20:06
*** mylu has quit IRC20:08
*** tonytan4ever has joined #openstack-keystone20:09
*** mylu has joined #openstack-keystone20:09
*** jsavak has quit IRC20:11
*** browne has quit IRC20:15
*** browne has joined #openstack-keystone20:15
*** sdake has quit IRC20:17
*** jsavak has joined #openstack-keystone20:20
*** mylu has quit IRC20:23
*** mylu has joined #openstack-keystone20:23
*** sdake has joined #openstack-keystone20:23
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to role assignments  https://review.openstack.org/21571520:24
*** pnavarro has quit IRC20:24
lbragstaddolphm the only test that is failing is keystone.tests.unit.test_v2_keystoneclient.ClientDrivenTestCase.test_role_create_member_role but other than that it passes ^20:24
*** jsavak has quit IRC20:24
lbragstaddolphm if you want to try and pull that down and see what you get for performance20:24
*** mylu has quit IRC20:25
dolphmlbragstad: what's up with that test?20:25
*** jsavak has joined #openstack-keystone20:25
*** mylu has joined #openstack-keystone20:25
lbragstaddolphm i'm not quite sure, i'm still digging into it, doesn't seem assignment specific http://cdn.pasteraw.com/g6ixrm4vfenqy42jqysfc5fjziwsoce20:26
lbragstaddolphm oh...20:28
dolphmlbragstad: role deleted and cache not invalidated?20:29
*** mylu has quit IRC20:30
lbragstaddolphm something like that, but maybe i'm missing an invalidate call in the assignment v2 path20:30
lbragstaddolphm looking in the assignment/router.py and i don't see an operation for v2 role delete20:31
dolphmlbragstad: you want to hand caching and cache invalidation at the manager layer, not the router/controller layer20:32
lbragstaddolphm right, i'm just trying to track down where i'm missing that from somewhere else in the pipeline20:33
dolphmlbragstad: hint: http://cdn.pasteraw.com/h4yubbxfp1iijv8eyhymjd2cwimckw020:33
lbragstadyep, i think that's it20:34
lbragstaddolphm rerunning and pushing a new version20:34
*** pnavarro has joined #openstack-keystone20:36
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to role assignments  https://review.openstack.org/21571520:39
lbragstaddolphm passed tests20:39
dolphmlbragstad: token creation is 13.6% faster on the first benchmark run20:43
*** edmondsw has quit IRC20:43
dolphmlbragstad: token validation is 1.3% faster on the first benchmark run20:44
*** mylu has joined #openstack-keystone20:44
*** mylu has quit IRC20:45
*** timcline_ has quit IRC20:46
*** devkulkarni1 has joined #openstack-keystone20:46
*** timcline has joined #openstack-keystone20:46
dolphmlbragstad: running two more benchmarks, but token creation is ~28% faster with both patches in place20:47
*** mylu has joined #openstack-keystone20:47
*** devkulkarni has quit IRC20:47
*** su_zhang has quit IRC20:48
dolphmlbragstad: we should look at compressing things in memcache next. spending cpu time on compression and decompression would be more time efficient than hitting the network.20:48
dolphmmorgan: ^20:48
dolphmmorgan: it'd be a part of dogpile, i assume? if it's not already doing compression20:49
lbragstaddolphm so with both patches it's about 28% faster?!20:50
dolphmlbragstad: fernet token creation, yes20:50
lbragstadmfisch ^20:50
morganUhm.20:50
lbragstaddolphm does your benchmark record response times?20:51
dolphmlbragstad: yes, scroll to the bottom https://gist.github.com/dolph/3bf24039b83a147eeb5c20:52
*** jsavak has quit IRC20:52
dolphmlbragstad: unpatched is pure stable/liberty. role caching is catalog caching + role caching20:53
lbragstaddolphm awesome20:53
*** jsavak has joined #openstack-keystone20:53
openstackgerritBrant Knudson proposed openstack/keystone: switch to oslo.cache  https://review.openstack.org/19587320:53
dolphmthat's 28.6% faster on token creation, to be more precise20:53
lbragstaddolphm it's nice that *with* caching the token creation and token validation times are more consistent with each other20:53
dolphmand 11.8% faster on token validation20:54
dolphmtotal20:54
lbragstad76 ms response times for create and 79 ms for validation20:54
*** jsavak has quit IRC20:54
*** jsavak has joined #openstack-keystone20:55
dolphmlbragstad: and this is a profile of keystone during the benchmark run with both patches applied https://gist.githubusercontent.com/dolph/3bf24039b83a147eeb5c/raw/f735cd38c3b4af3a51e5bb514ca0b665d0845805/role-caching-patch.profile20:55
lbragstaddolphm nice, that's a significant improvement from the last profile20:56
lbragstads/last/original/20:56
dolphmlbragstad: so now, this is where we're spending time in get_token_data() http://cdn.pasteraw.com/etbwfte0d04dik9s60ojufggjbhlksq20:57
lbragstadreally?20:58
dolphmreally.20:58
lbragstad_populate_service_providers?20:58
dolphmyep.20:58
lbragstado.O20:58
dolphmAND THERE ARE NONE!20:58
*** ig0r_ has joined #openstack-keystone20:58
*** raildo is now known as raildo-afk20:59
*** mylu has quit IRC21:00
lbragstaddolphm hmm, there isn't anything special about get_enabled_service_providers() that i can see21:01
*** mylu has joined #openstack-keystone21:01
*** ig0r_ has quit IRC21:03
bknudsonit might be the first thing to hit the database so needs to do a checkout21:04
bknudsonof the connection21:04
dolphmlbragstad: it spends all it's time hitting sql21:04
*** ig0r_ has joined #openstack-keystone21:05
dolphmlbragstad: iterating on get_enabled_service_providers(), as best i can tell from reading the profile21:05
*** mylu_ has joined #openstack-keystone21:05
*** mylu has quit IRC21:06
openstackgerritLance Bragstad proposed openstack/keystone: Add caching to role assignments  https://review.openstack.org/21571521:07
*** mylu_ has quit IRC21:08
*** mylu has joined #openstack-keystone21:09
*** jsavak has quit IRC21:09
*** GB21 has quit IRC21:10
*** ig0r_ has quit IRC21:10
*** pnavarro has quit IRC21:11
*** timcline_ has joined #openstack-keystone21:11
*** topol has quit IRC21:12
*** mylu has quit IRC21:13
*** timcline has quit IRC21:15
*** spandhe has joined #openstack-keystone21:15
*** su_zhang has joined #openstack-keystone21:18
*** ayoung has quit IRC21:21
*** csoukup has quit IRC21:25
*** fawadkhaliq has quit IRC21:27
*** nicodemos has quit IRC21:27
*** sdake has quit IRC21:28
SpamapSmorgan: did you know that pinterest also made their own python memcache client lib? https://github.com/pinterest/pymemcache21:30
dolphmlbragstad: alright, i'm out for the week - wedding this weekend. performance patches are all yours!21:31
lbragstaddolphm sounds good, thanks for the help!21:32
*** jsavak has joined #openstack-keystone21:35
morganSpamapS: yes21:35
*** tonytan4ever has quit IRC21:36
morganIt is way better than the main one everyone uses. But it doesnt do hashring (yet?) or multi server really well21:36
*** jsavak has quit IRC21:39
SpamapSmorgan: https://github.com/pinterest/pymemcache/blob/master/pymemcache/client/hash.py21:39
SpamapSoh thats just regular hash21:39
*** jsavak has joined #openstack-keystone21:39
SpamapSoh no21:40
SpamapSmorgan: it uses Rendevouz hashing21:40
SpamapSmorgan: https://en.wikipedia.org/wiki/Rendezvous_hashing21:40
SpamapSmorgan: so it's actually the better choice for eventlet-ers now ;)21:41
SpamapSmorgan: that was added June 2621:43
SpamapSwell, clanedstined's Rendevouz was, and then now it's private21:43
*** sigmavirus24 is now known as sigmavirus24_awa21:43
*** jbell8 has quit IRC21:46
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy: Custom fixture to avoid external call in HttpCheck  https://review.openstack.org/23272521:52
*** jimbaker has joined #openstack-keystone21:54
*** gordc has quit IRC21:55
dstanekso when using ksc's service_catalog what makes the decision to use v2 vs v3?21:58
jamielennoxdstanek: what do you mean?21:58
dstanekuggg...i think i found it21:58
*** mylu has joined #openstack-keystone21:58
jamielennoxthere's a v2 and v3 object, the factory() creats the right one21:58
dstanekjamielennox: i think ServiceCatalog.factory is what i was looking for21:58
dstanekjamielennox: i just hacked the client to use DNS for the catalog and not i'm trying to see how easy it would be use do it for real22:00
jamielennoxdstanek: so i've always considered that an option, and basically you don't do it there22:00
jamielennoxthe thing that calls the service catalog is get_endpoint() in an auth plugin, i think you want to override that and not use the catalog at all22:01
dstanekjamielennox: i don22:06
dstanek't see get_endpoint in the auth plugins22:06
*** thiagop-afk is now known as thiagop22:06
dstanekoh, wait. maybe in auth.base22:07
jamielennoxdstanek: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/base.py#L27222:07
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy: Custom fixture to avoid external call in HttpCheck  https://review.openstack.org/23272522:10
dstanekjamielennox: hmmm...i was thinking of just changing the factory to know about DNS as an alternative to v2 or v322:10
dimsstevemar_: bknudson: thanks for the reviews. the code looks much better now :) ^^22:11
jamielennoxfactory kind of involves you knowing the entire catalog and then searching it22:11
jamielennoxget_endpoint will only ask you for one thing at a time22:11
jamielennoxi guess it depends how you are using dns22:12
dstanekjamielennox: https://gist.github.com/dstanek/093f851fdea8ebfd893d22:12
dstanekjamielennox: goal was service discovery and a few weeks ago you could browse the service catalog in a Bonjour GUI, but i somehow broke that along the way22:13
*** mylu has quit IRC22:14
*** mylu has joined #openstack-keystone22:14
jamielennoxdstanek: SRV doesn't give you a port right?22:14
dstanekthe SRV does include the port22:14
jamielennoxdstanek: https://review.openstack.org/#/c/223429/22:14
jamielennoxi went with TXT22:14
dstanekjamielennox: how are you handling muliple services with multiple urls?22:16
dstanekjamielennox: i'm implementing the DNS-SD rfc (or at least trying to )22:16
jamielennoxdstanek: i'm not apparenlty - i'm not completely sure of how this should be done properly22:17
jamielennoxTXT seemed right because i could get a full "http://xxxx:yyy/zzzz" style response22:17
jamielennoxbut this is an auth endpoint and i didn't really envision there would be multiple entries22:18
dstanekjamielennox: in the rfc the srv record holds the domain and port and a txt record holds path and other metadata22:18
*** geoffarnold has joined #openstack-keystone22:18
jamielennoxyea, i need to read that spec properly22:18
dstanekme too :-)22:19
*** david_cu has quit IRC22:19
dstaneki just wanted to get something working - and now i'm told not to use bind9 so i have to see what the replacement is22:19
jamielennoxi saw that comment22:19
*** alejandrito has quit IRC22:20
jamielennoxi'm considering that a comment from admins, i don't care where they host the records22:20
jamielennoxanyway the reason to do get_endpoint is you will be passed params like service_type so that you know what records to look for rather than load them all in advance22:22
jamielennoxto properly implement the service catalog interface you are going to have to find all endpoints22:22
dstanekjamielennox: yeah, i'm already filtering base on some of them, but didn't get to them all yet22:23
dstanekjamielennox: i got some nova commands working and that's really what my goal was22:24
jamielennoxfair enough, i'd love to see if something like this is possible22:25
dstanekthe biggest problem is that i do lotso dns queries, but i think that's just the way it goes22:25
jamielennoxso you could cache this on the auth plugin22:26
jamielennoxi do that already for discovery22:27
morganSpamapS: yeah those additions were very newish22:29
dstanekdnspython has some caching capabilities too. i just haven't looked into it much22:29
SpamapSmorgan: indeed22:30
*** hrou has quit IRC22:33
*** _hrou_ has joined #openstack-keystone22:33
*** arunkant has quit IRC22:37
*** slberger has left #openstack-keystone22:38
*** devkulkarni has joined #openstack-keystone22:40
morgansolution: stop making keystone a configuration of the endpoints :P use consul or ZK and have endpoints self-register22:40
morgandolphm: ^ :P22:40
jamielennoxwell you wouldn't manage the dns entries via keystone22:41
jamielennoxthere's pacemaker, hostname dns and all sorts of other things you could use to keep the hosts static22:42
jamielennoxi don't think self-register is a win22:42
*** devkulkarni1 has quit IRC22:42
*** _hrou_ has quit IRC22:49
*** ngupta has quit IRC22:50
morganjamielennox: with consul it is. the host is configured to know it's endpoint when it registers with keystone, when it drops consul/ZK would drop it from the catalog22:50
morganyou need to know DNS/IP/Whatever for CMS anyway22:50
jamielennoxmorgan: i don't consider that a catalog job, the same pattern is already done via loadbalancer which the catalog is pointing to22:51
morganconsul also has a healthcheck that would auto-drop things out if needed. it is a bit of a redesign, but the whole "configure keystone via APIs to do something we have to manage elsewhere" but do it less well than the other systems seems flawed22:51
*** jsavak has quit IRC22:51
morganthe catalog shouldn't be something keystone has to care about except for translating to old clients22:52
morganis more my point22:52
morgankeystone-as-the-catalog is a suboptimal design and lacks in many ways.22:52
*** jsavak has joined #openstack-keystone22:52
morganthere are other ways to get the data to the clients without needing to do API config to point at a load balancer for example22:53
jamielennoxi don't know the consul formats or anything, i'd be ok with one url that keystone returns instead of a catalog, but i'm not sure why consul/zk is better than haproxy22:53
jamielennox(for this case)22:53
morganthe point of consul is that is knows what APIs are available and even has a DNS interface22:54
morganand is is distributed22:54
morganso if nova needs to know where glance is, it can reference consul22:54
jamielennoxso dns seems a terrible way to refer to something that is expected to auto-register and occasionally fall out22:55
morgannah.22:55
jamielennoxttls22:55
morganit's a fairly proven mechanism.22:55
morganstill better than what we do today22:56
morgani think keystone is doing way too much22:56
morganand it does a poor job at many of the things22:56
morganthe catalog is definitely a place where we've missed22:56
stevemar_morgan: yep22:57
stevemar_morgan: it should be much easier to get the catalog22:57
jamielennoxi would agree with that22:57
morganthere is a nice x-project session to talk about a DLM/Distributed-KVS system (ZK/consul) so once that decison has been codified for openstack we can look at the strengths of the system rather than NIHing it22:57
morganconsul is explicitly designed for service discovery22:58
morganZK is not as good at it, but is pretty close22:58
morganZK is a better DLM and has better python bindings22:58
*** jbell8 has joined #openstack-keystone22:59
*** henrynash has joined #openstack-keystone22:59
*** ChanServ sets mode: +v henrynash22:59
morganbut the long/short is we have a distributed system that changes over time. and we have mixed in a bad way admin and config tasks for the catalog (service discovery)22:59
jamielennoxthat's going to be an interesting discussion, but i don't think it's got such keystone implications22:59
morgani think it absolutely has keystone implications22:59
morganas once that is lined up we should make ZK or Consul the backend for the catalog23:00
*** timcline_ has quit IRC23:00
morganand stop configuring it in keystone...23:00
morganwhen a service comes up, it connects to the local agent for consul/ZK and says "I am nova-api" for example, and there is a healthcheck enabled. nova-api then appears in the catalog. if it's behind a LB, thats fine, you can jump into the LB config23:01
morganconfigure this all at the endpoint side23:01
jamielennoxbut you never want that anyway, you want the LB in the catalog23:01
jamielennoxand haproxy/whatever people are using does that23:01
morganso it tags in on the LB's service23:01
morganbut it still should NOT be an API call in keystone to setup23:02
jamielennoxsure, but puppet/ansible whatever you are spawning these things with can do that23:02
*** gordc has joined #openstack-keystone23:02
morganno.23:02
jamielennoxmorgan: absolutely agree it's not a keystone call23:02
jamielennoxthe LB address goes into catalog23:02
jamielennoxthen you talk to the LB when bringing up/down endpoints23:02
morganthe LB address shouldn't be a Keysotne call either23:02
jamielennoxto that - meh23:03
jamielennoxyou add an entry per service, and if you're dealing with load balancers you do it once23:03
morganexcept every time I want to add another entry / lb I still need to make a keystone call23:03
morganand every time I want to drop something out23:03
morganI need to make a keystone call23:03
morganwhat if I want 4 nova-apis?23:04
morganthen 1023:04
morgandifferent regions, etc23:04
morganpull in/out regions, etc23:04
morganthis is all silly to be keystone calls23:04
morganthe keystone catalog is poorly implemented and does a lot of "stand up new X" stuff badly23:04
jamielennoxand i would agree with that, but adding new regions or endpoints to a deployment should be a big decision23:05
*** gordc has quit IRC23:05
morganbut that shouldn't mean "we make this painful and done poorly in keystone to make it a big decision"23:05
jamielennoxthe overhead of having to deal with keystone there should be not an issue23:05
morganexcept it is archaic23:06
morganand really could be much much simpler23:06
morganthis should be trivial to standup a new set of endpoints or region23:06
jamielennoxmaybe if they come out with 1 DLM service, not abstraction, not new oslo library but one required service23:06
morganthat is the plan23:06
morgana single DLM that is a hard requirement for openstack23:06
jamielennoxotherwise i'd prefer to handle it ourselves than have a dozen backends23:06
morganno abstraction23:06
morganand write to the DLMs explicit bindings23:07
morganthat is what we are pushing for23:07
morganeither consul or zookeeper23:07
morgannot "either or" not "both" not "whatever you feel like"23:07
dimsmorgan: "pushing for" where? openstack-specs?23:07
morgandims: there was a ML thread on it23:07
morganand there is a summit session on it23:08
morganand from there x-project spec will come up23:08
dimsmorgan: cool just want to make sure i pay attention :)23:08
morganactually i think openstack-spec has one already23:08
jamielennoxok, i'll look again based on the outcome of that, but i still don't consider it a huge keystone win23:08
morganjamielennox: I think it's a medium win for keystone, but a major win for openstack23:08
jamielennoxyep23:08
morgandims: harlowja was working on the spec23:08
dimsright23:09
morganjamielennox: but medium wins for keystone are big wins for deployers and adoption of openstack23:09
morganjamielennox: keystone should never have "major wins", if we do at this point we probably screwed up somewhere23:09
jamielennoxv4!23:09
harlowjawhat i do23:09
morganharlowja: DLM discussion23:09
harlowjaoh23:09
harlowjaya23:09
jamielennoxah - you're not PTL anymore, that's not going to get to you as muc23:09
jamielennoxh23:09
*** su_zhang has quit IRC23:09
morganjamielennox: nope. I'm all for v4 once we split Crud from auth (now)23:10
harlowjai'm hoping it becomes less of a discsussion in general, and becomes more of an acceptance/realization23:10
harlowjai think the discussion sorta isn't useful much anymore (but meh, i'm very biased, haha)23:10
morganharlowja: i think we need to use the "lock the door and no you can't leave until you accept this"23:10
harlowja+123:10
morganmethod of "discussion"23:10
morgan:)23:10
morgancc mordred ^23:10
harlowjawaterboarding not included, lol23:10
*** jsavak has quit IRC23:11
jamielennoxsomeone should do some reading on what's legal in japan...23:12
harlowjaha23:12
harlowjathe thing that bugs me, is that etc.d, and coreos, (docker?) have all understood what this kind of thing can offer, and they move there projects forward, if openstack gets stuck in discussion around this stuff, i generally feel it will make itself irrelevant by doing that23:13
harlowjabuuuuut ya, let's all make sure ^ doesn't happen23:13
harlowjaand thats my speech for today, ha23:14
morganharlowja: mordred is on the same page as is flaper8723:15
* harlowja reads backlog and sees u guys already talked about some of this, hahaha23:16
morgani think we have a good amount of "seriously we should just do this"23:16
morgansanity to add to the room23:16
morganyah23:16
harlowjaif u guys have questions about kazoo (the zookeeper python client); bug me and all23:17
*** arunkant_ has quit IRC23:17
harlowjaidk what other consul, etc.d have for python clients (if anything at all)23:17
harlowjai can even make little demo scripts for u guys to try to see what a service catalog, thinks coming online/going offline, and others getting notified of this look like...23:18
harlowjanot really that hard to do ^23:18
harlowja*using kazoo23:18
morganharlowja: lets get the DLM solidified at the summit then...23:19
dstanekjamielennox: still hanging around?23:19
jamielennoxdstanek: yea23:19
morganharlowja: I then plan to build that all into keystonemiddleware23:19
harlowjacool23:19
morganharlowja: or at least get help to do so23:20
harlowjahopefully more than jelly solid to23:20
morganharlowja: i think people will appreciate the DLM stuff as it will make all the crappy locking go away (long term)23:20
morganharlowja: i prefer consul fwiw, but i think ZK is an easier sell23:20
morganand as long as we land on one of them, yay23:20
harlowjais there a decent python client for consul?23:20
jamielennoxmarekd: did we never provide a complete saml CLI plugin?23:20
morganharlowja: not as good as zk's but yes23:21
dstanekjamielennox: is there a different way to write this so that i don't have to generate the entire catalog to find a single url? http://git.openstack.org/cgit/openstack/python-keystoneclient/tree/keystoneclient/service_catalog.py#n25423:21
* harlowja doesn't really know (i'm a kazoo core reviewer, blah blah, so haven't looked around much, ha)23:21
morganharlowja: it is fully functional, just not as refined/clean23:21
morganharlowja: consul uses a local agent on every machine with a couple cluster masters, so the python client always talks to the local agent23:21
jamielennoxdstanek: this is why i think you're better off with get_endpoint because it asks for one item23:21
dstanekmorgan: speak of zk - i've mostly implemented dns-sd for the service catalog23:22
morgandstanek: nice23:22
morganharlowja: but like i said, i think ZK is going to be an easier sell23:22
harlowjajava!23:22
harlowjabut java!23:22
dstanekjamielennox: but anything that wants to use a catalog will have to use my dns abstraction anyway right?23:22
jamielennoxdstanek: what wants to use a catlog?23:22
morganharlowja: and i can work around any ZK specific limitations for "OMG WE HAVE THE BETTER TOOLS"23:22
jamielennoxdirectly?23:22
*** dims has quit IRC23:23
dstanekjamielennox: no idea, but it's a public api23:23
jamielennoxdstanek: so with the session stuff i've tried to hide all that as much as possible23:24
dstanekjamielennox: if you don't think anyone should be using it i can just make a get_data() that returns 123:24
jamielennoxyou do session.get('/path', service_type='type', region_name='XXX', interface='public')23:24
dstanekmorgan: somehow i broke the bonjour support though23:24
morganuh.23:24
jamielennoxthat will call get_endpoint with that info23:25
jamielennoxanyone that is using the service catalog directly should be moved over at this point23:25
*** thiagop has quit IRC23:26
dstanekjamielennox: i don't know. it still feels like i have to create a ServiceCatalog subclass so i can handle the v2 vs v3 interfaces and such23:26
mordredmorgan, harlowja: I prefer consul because it's opinionated23:27
mordredZK is great technology23:27
morganmordred: ++23:27
mordredbut it's great techology that you use as a building block to build your opinion23:27
morgani'm happy as long as we (openstack) are opinionated23:27
jamielennoxdstanek: but assumedly you wouldn't have a catalog in the token to read23:27
mordredand I think that gets us in to trouble in openstack23:27
morganabout the tech we're using23:27
morganand how we are using it23:27
harlowjaif the features exist, and are pretty much the same across all (and the client isn't crap) i honestly just want one/any of them, lol23:28
mordredif we use zookeeper, we'll wind up with an oslo library that implements that various primitives that you need to have in the 'right' way23:28
dstanekjamielennox: that's a good point...23:28
mordredwhich we could TOTALLY do23:28
mordredand be successful23:28
harlowjakazoo23:28
harlowja?23:28
*** csoukup has joined #openstack-keystone23:28
mordredbut it seems like a longer path to me23:28
dstanekwhat are we using zk for?23:28
jamielennoxdstanek: i'm happy to say that if you want to use newer features you have to be using session23:28
harlowjahttp://kazoo.readthedocs.org/23:28
harlowja'A wide range of recipe implementations' ..23:28
jamielennoxstevemar_: do we not have a complete saml2 plugin?23:29
openstackgerritSam Leong proposed openstack/keystone: add initiator to v2 calls for additional auditing  https://review.openstack.org/23112323:29
harlowja'Pure-Python based implementation of the wire protocol, avoiding all the memory leaks, lacking features, and debugging madness of the C library' ...23:29
stevemar_jamielennox: we should23:29
mordredharlowja: I will read through the kazoo stuff, if you read through the consul stuff23:29
harlowjasureee :)23:29
jamielennoxstevemar_: i see an unscoped plugin that takes all the right params, i see a scoped plugin that takes a token23:29
jamielennoxstevemar_: but i can't see anything that lets me provide all the password and idp_id and a project_id together23:30
stevemar_jamielennox: oh you are asking for one that does both at once?23:30
jamielennoxand just have it scope it as it should23:30
stevemar_jamielennox: i think marekd had one in ksc23:30
dstanekmorgan: when you have a few checkout https://gist.github.com/dstanek/093f851fdea8ebfd893d and see if that makes sense to you. it's the DNS based catalog23:30
jamielennoxstevemar_: i thought we had one23:30
stevemar_https://github.com/openstack/python-keystoneclient/blob/master/setup.cfg#L4023:31
harlowjamordred and ask if u want to know anything about kazoo, cause ya, i'm sorta core in that library, ha23:31
stevemar_or does that just do the latter? i think it just does the latter23:31
morgandstanek: will look in a few doing some updates on things23:31
mordredharlowja: cool23:31
dstanekmorgan: no hurry. just trying to get the client working the right way instead of my hacks23:31
morgannod23:31
jamielennoxstevemar_: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L91423:32
jamielennoxstevemar_: so it just inherits from v3.Token, but replaces "token": with "saml":23:32
harlowjahttps://github.com/rgs1/zk_shell is also nice, shell like interface to zookeeper (which also uses kazoo)23:32
harlowjamordred on the consul docs, where is there any references to what the actual api is?, is it rest based? something binary?23:33
harlowjaif u know23:34
mordredhttps://www.consul.io/docs/agent/http.html23:34
harlowjaah, thx23:34
dstanekmorgan: harlowja: reading back on the convo - if the endpoints self register we should make that pluggable - so zk isn't the only option23:34
mordredharlowja: there's also a DNS-based API for reading info out23:34
mordredharlowja: https://www.consul.io/docs/agent/dns.html23:34
harlowjadstanek i've got mixed feelings on that23:34
mordreddstanek: absolutely disagree23:34
harlowjamordred cool, dns like thingy, interesting23:34
dstanekmordred: why is that?23:34
mordreddstanek: if we make a choice for zk or consul or whatever, we should, as openstack, make one choice - there is no benefit to pluggability here23:35
mordredother than making things harder23:35
jamielennoxstevemar_: that's kind of a blow, how is marekd actually using it like this?23:35
harlowjamordred any idea the best python client for consul? i might just set that up in ubuntu or something and mess around23:35
morgandstanek: what mordred said but aslo consider that we want things to work the same way across clouds.23:35
mordredharlowja: I do not23:35
dstanekmordred: maybe, but you could argue that we keep adding dependencies and making things harder anyway23:36
harlowjamore pain23:36
mordreddstanek: right. I want to remove them and to remove choice23:36
harlowjato the pain!23:36
morgandstanek: and the DLMs work differently in many cases23:36
morganso the abstraction is a lot of overhead and potentially very limiting23:36
mordredwhat morgan said23:36
morganwe should play to the strengths of the choice made.23:36
morganharlowja: the consul python lib is the best option23:36
harlowjacool23:36
harlowjathe other interesting thing that's in my mind here is the other things that are getting sucked into openstack that aren't using consul, but are prefering zookeeper, this is the other part of the question imho23:37
harlowja(but idk of which projects are using consul that much)23:37
*** mylu has quit IRC23:37
harlowjahttp://docs-draft.openstack.org/61/209661/29/check/gate-openstack-specs-docs/2ff62fa//doc/build/html/specs/chronicles-of-a-dlm.html#proposed-change (some listed here)23:37
*** mylu has joined #openstack-keystone23:38
harlowjakafka i think requires zookeeper? same with mesos23:38
harlowjajuju as well23:38
harlowja^ just something to think about23:38
dstanekmordred: morgan: then i think rfc 6763 should be consider too23:38
harlowjai might be able to point u at some people that will say from experience 'please don't use DNS' for this :-/23:39
harlowjaif u want to hear some stories, haha23:39
morgandstanek: consul provides that by default23:39
dstanekharlowja: really? seems like the natural thing23:39
stevemar_jamielennox: create 2 plugins?23:39
mordredharlowja: and docker and coreos use etcd23:40
morgandns is a fine tool for discovery - but I would argue that it should be used for discovering "consul"23:40
mordredharlowja: I would point those people at google23:40
morgannot for every service23:40
jamielennoxstevemar_: i know we solved this problem in the ksa-saml2 repo, but there's no way i can use this from CLI23:40
*** su_zhang has joined #openstack-keystone23:40
mordredharlowja: who use dns for this23:40
*** dims has joined #openstack-keystone23:40
morganserv records and the like are good for a known entry point23:40
mordredharlowja: at larger scale than anyone else23:40
harlowjathey might already have left to google, lol23:40
harlowjahaha23:40
mordredDNS is the most scalable system in the world23:40
mordredanybody who says don't use it23:40
mordreddoes not know how to ops23:40
morganbut i'd still use consul DNS even past the base level serv record23:41
morganfwiw23:41
harlowjakk, i've just heard painful stories, lol23:41
mordredsure23:41
morganprobably people who have caching resolvers doing bad things23:41
mordredthere are people who tell war stories about using DRBD too23:41
harlowja:)23:41
mordredbut it turns out it's rock solid23:41
morganlike caching NXDOMAIN and the like23:41
mordredyou just have to not to bad things23:42
dstanekharlowja: you could say the same about OpenStack :-( more painful stories than success stories23:42
harlowjalol23:42
morganmordred: I still hate DRBD backing nfs read-only filesystems23:42
mordredmorgan: sure. but that's because nfs is stupid23:42
mordredDRBD is an excellent active-passive failover block device23:42
mordredif you use it for anything else, you're in for pain23:42
mordredbut if you use it as a hot/cold standby block device in a 2 node config23:42
mordredit's unbeatable23:43
dstanekmordred: the problem i am having with DNS is that my implementation does a lot of requests to the server; sure it's cacheable, but i feel like i'm doing something wrong23:43
*** mylu has quit IRC23:43
morganmordred: 2 node with an arbitrator and proper STONITH23:43
mordredmorgan: don't need an abitrator23:43
morganmordred: but yeah23:43
mordredin 2 node drbd23:43
mordredyou just need a crossover cable23:43
morganmordred: i've had a lot of issues with split brain in heartbeat/drbd the arbitrator made a big difference23:43
*** henrynash has quit IRC23:44
mordrednot with a crossover cable you haven't23:44
mordredyou will have that pain if you use the switching fabric23:44
mordredbut you would not use the switching fabric if you want success23:44
morganyes, but that is because of endlessly faulty cables and bad DC folks. the arbitrator was something i could control :P23:44
mordredyou wold use 2 bonded direct cat6 cables between interfaces23:44
*** su_zhang has quit IRC23:44
morgani couldn't fire DC hands23:45
mordredwell, then there is your first problem23:45
mordredand it's certainly not DRBD's fault23:45
mordrednon-trusted people with access to power23:45
mordredwill kill you every time23:45
morganwell, it was somewhat of drbd being hard to debug with an occasionally faulty cable and then being unable to diagnose that23:45
morganbecause of bad dc "smart" hands23:45
morganbut that aside23:46
morgani still don't like drbd23:46
morganbut i also usually need more than 2 nodes in the systems I design. wrong use-cases23:46
morgandrbd with > 2 nodes makes me worry.23:46
*** zhenq has quit IRC23:47
mordredyes23:47
mordreddon't use it for that23:48
mordredit's very good at doing one simple task23:48
mordredand doing it in a rocksolid manner23:48
mordredif you try to do anything else23:48
mordredit will be very bad for you23:48
morgani will admit drbd has gotten way better23:49
morganit did have some rather nasty bugs a while ago23:49
morganbut if i discount it in every case, i'm no better than the guy who blocked using XFS (in favor of ext4 when ext4 was new) because of "data loss bugs in xfs"23:49
openstackgerritDavanum Srinivas (dims) proposed openstack/oslo.policy: Custom fixture to avoid external call in HttpCheck  https://review.openstack.org/23272523:50
*** su_zhang has joined #openstack-keystone23:51
*** harlowja has quit IRC23:52
*** harlowja has joined #openstack-keystone23:52
morgandstanek: you're going to also need a paired txt record to show the URL base unless there is a JSON home like document at root / with srv records23:55
morgandstanek: because endpoints may not be on /23:55
morganmiht be on say /compute23:55
morganor /identity23:55
morgandstanek: otherwise i don't think that setup is really wonky23:56
dstanekmorgan: there's already txt records due to the rfc23:56
morganah i see it now23:56
dstanekhmmmm...can i add a file to a gist or do i have to have a second one?23:56
morganyou can add files iirc23:57
*** EinstCrazy has joined #openstack-keystone23:57
dstanekoh, i can clone...maybe that'll work23:57
jamielennoxstevemar_, morgan: finally got passed the nasty cache review, next is https://review.openstack.org/#/c/212342/ and it's easy23:58
« Wednesday, 2015-10-07 Index Friday, 2015-10-09 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!