Friday, 2017-09-08

« Thursday, 2017-09-07 Index Saturday, 2017-09-09 »
*** chrisshattuck has joined #openstack-keystone00:08
masunkarHello, I am trying to setup small openstack deployment, got an issue with keystone install, I am trying on ubuntu 17.04 + octa release, when i am trying to list images it is throwing error 500 on terminal, in logs EmptyCatalog: The service catalog is empty.00:08
*** chrisshattuck has quit IRC00:09
masunkarany pointer what might be wrong00:09
*** edmondsw has joined #openstack-keystone00:09
masunkarI can list catalog using openstack catalog list with out issues00:11
*** aahh has joined #openstack-keystone00:13
aahh@lbragstad : is it possible to get the project_id or name inside the identity/backend00:13
aahhwithout making use of the resource api00:13
*** aselius has quit IRC00:18
*** otleimat has quit IRC00:23
*** edmondsw has quit IRC00:24
*** thorst has joined #openstack-keystone00:27
*** edmondsw has joined #openstack-keystone00:31
*** agrebennikov has quit IRC00:38
*** efried has quit IRC00:47
*** efried has joined #openstack-keystone00:57
kmallocaahh: you need to use resource_api00:59
kmallocaahh: you cant guarantee (in many cases) the backend fore resource_api is the same as identity_api. recently we changed some things to allow for FKs between identity and resource01:01
kmallocaahh: but in *general* it is best practice to request from resource_api if you need data for the project01:01
kmallockeep in mind keystone will cache the result in the session thread local - so if you request resource_api.get_project(XXXX) multiple times, it will only hit the backend once.01:02
*** aahh has quit IRC01:03
*** panbalag has joined #openstack-keystone01:05
*** harlowja has quit IRC01:11
*** thorst has quit IRC01:16
*** itlinux has joined #openstack-keystone01:20
*** edmondsw has quit IRC01:21
*** edmondsw has joined #openstack-keystone01:22
*** Shunli has joined #openstack-keystone01:22
*** ricolin has joined #openstack-keystone01:24
*** zhurong has joined #openstack-keystone01:25
*** thorst has joined #openstack-keystone01:28
*** thorst has quit IRC01:46
masunkarcan somebody help with https://bugs.launchpad.net/keystone/+bug/171577001:50
openstackLaunchpad bug 1715770 in OpenStack Identity (keystone) "openstack image list throwing 500 error " [Undecided,New]01:50
*** thorst has joined #openstack-keystone02:07
*** thorst has quit IRC02:07
*** zhurong has quit IRC02:11
*** zhurong has joined #openstack-keystone02:14
*** panbalag has left #openstack-keystone02:15
*** jamesbenson has joined #openstack-keystone02:31
*** jamesbenson has quit IRC02:36
*** masunkar has quit IRC02:45
*** masunkar has joined #openstack-keystone02:45
*** catintheroof has joined #openstack-keystone02:48
*** catinthe_ has joined #openstack-keystone02:50
*** catintheroof has quit IRC02:51
lbragstadefried: any red flags here? https://bugs.launchpad.net/keystone/+bug/171577002:59
openstackLaunchpad bug 1715770 in OpenStack Identity (keystone) "openstack image list throwing 500 error " [Undecided,New]02:59
*** nicolasbock has quit IRC03:11
*** markvoelker has quit IRC03:12
*** edmondsw has quit IRC03:28
*** zxy has quit IRC03:38
*** zhouyaguo has joined #openstack-keystone03:45
*** catinthe_ has quit IRC03:56
*** chrisshattuck has joined #openstack-keystone03:59
*** thorst has joined #openstack-keystone04:08
*** thorst has quit IRC04:13
*** links has joined #openstack-keystone04:19
*** zsli_ has joined #openstack-keystone04:24
*** Shunli has quit IRC04:27
*** zhurong has quit IRC04:29
*** edmondsw has joined #openstack-keystone04:46
*** edmondsw has quit IRC04:52
*** zhurong has joined #openstack-keystone05:02
*** thorst has joined #openstack-keystone05:09
*** chrisshattuck has quit IRC05:12
*** markvoelker has joined #openstack-keystone05:13
*** thorst has quit IRC05:14
*** markvoelker has quit IRC05:47
*** aojea has joined #openstack-keystone05:48
*** dims has quit IRC05:54
*** jamesbenson has joined #openstack-keystone06:08
*** thorst has joined #openstack-keystone06:10
*** jamesbenson has quit IRC06:12
*** thorst has quit IRC06:15
*** harlowja has joined #openstack-keystone06:19
*** cfriesen has quit IRC06:20
*** zsli__ has joined #openstack-keystone06:25
*** zsli_ has quit IRC06:28
*** rcernin has joined #openstack-keystone06:32
*** edmondsw has joined #openstack-keystone06:35
*** harlowja has quit IRC06:40
*** edmondsw has quit IRC06:40
*** markvoelker has joined #openstack-keystone06:44
*** itlinux has quit IRC06:51
*** dims has joined #openstack-keystone06:51
openstackgerritzhengliuyang proposed openstack/keystone master: Two different API achieve listing role assignments  https://review.openstack.org/50197506:57
*** zsli__ has quit IRC07:01
*** Shunli has joined #openstack-keystone07:07
*** thorst has joined #openstack-keystone07:11
*** thorst has quit IRC07:16
*** markvoelker has quit IRC07:18
*** tesseract has joined #openstack-keystone07:31
*** chlong has joined #openstack-keystone07:36
*** chlong has quit IRC07:45
*** thorst has joined #openstack-keystone08:12
*** markvoelker has joined #openstack-keystone08:15
*** thorst has quit IRC08:17
*** ioggstream has joined #openstack-keystone08:20
*** edmondsw has joined #openstack-keystone08:23
*** chlong has joined #openstack-keystone08:25
*** edmondsw has quit IRC08:27
openstackgerritThomas Duval proposed openstack/oslo.policy master: New version of the modification of the HTTPCheck.  https://review.openstack.org/50199208:28
*** chlong has quit IRC08:35
*** masunkar has quit IRC08:41
*** markvoelker has quit IRC08:49
*** chlong has joined #openstack-keystone08:51
*** chlong_ has joined #openstack-keystone08:54
*** chlong has quit IRC08:58
*** chlong_ has quit IRC09:04
*** thorst has joined #openstack-keystone09:13
openstackgerritThomas Duval proposed openstack/oslo.policy master: Modification to add additional information in the HTTPCheck request.  https://review.openstack.org/49846709:16
*** thorst has quit IRC09:17
*** chlong has joined #openstack-keystone09:21
*** chlong has quit IRC09:24
*** chlong has joined #openstack-keystone09:25
*** Shunli has quit IRC09:27
*** jamesbenson has joined #openstack-keystone09:44
*** jamesbenson has quit IRC09:48
*** chlong has quit IRC09:55
*** zhurong has quit IRC10:04
*** dklyle has joined #openstack-keystone10:09
*** edmondsw has joined #openstack-keystone10:11
*** david-lyle has quit IRC10:12
*** szaher has quit IRC10:12
*** thorst has joined #openstack-keystone10:14
*** szaher has joined #openstack-keystone10:15
*** edmondsw has quit IRC10:15
*** thorst has quit IRC10:18
*** nicolasbock has joined #openstack-keystone10:24
*** nicolasbock has quit IRC10:29
*** nicolasbock has joined #openstack-keystone10:42
*** markvoelker has joined #openstack-keystone10:46
-openstackstatus- NOTICE: Our CI systems experience a hickup, no new jobs are started. Please stay tuned and wait untils this resolved.10:47
*** rcernin has quit IRC11:09
*** thorst has joined #openstack-keystone11:14
*** thorst has quit IRC11:19
*** markvoelker has quit IRC11:20
*** efried is now known as fried_rice11:21
fried_ricelbragstad Looking...11:22
*** tesseract has quit IRC11:23
*** tesseract has joined #openstack-keystone11:27
*** zhouyaguo has quit IRC11:27
*** mvk has quit IRC11:31
fried_ricelbragstad Appears to be using ksa at 2.18.0 or earlier.  (Which I'm sure should be fine - just a data point.)11:34
*** rcernin has joined #openstack-keystone11:36
fried_riceOh, look, 2.18.0 is in the output.  I feel silly for doing my clever sleuthing.11:37
*** dklyle has quit IRC11:44
*** dklyle has joined #openstack-keystone11:44
fried_ricelbragstad Sorry, I don't see anything obvious.11:46
fried_riceWhat kind of auth is in play here?11:47
fried_riceWas thinking this could be that token expiration deal - but there should be a reauth triggered in BaseIdentityPlugin.get_access just before that call.11:47
fried_riceOh, duh, also, a short-lived osc process shouldn't be subject to that.11:49
*** edmondsw has joined #openstack-keystone11:59
*** thorst has joined #openstack-keystone12:02
*** edmondsw has quit IRC12:04
*** raildo has joined #openstack-keystone12:05
*** edmondsw has joined #openstack-keystone12:07
*** tesseract has quit IRC12:14
*** tesseract has joined #openstack-keystone12:14
*** markvoelker has joined #openstack-keystone12:16
*** ioggstream has quit IRC12:28
*** markvoelker has quit IRC12:34
*** markvoelker has joined #openstack-keystone12:34
lbragstadfried_rice: yeah - i'm not sure, it looks like keystone populates a service catalog though12:41
cmurphymaybe a silly question but is it really projecct_name in the problem glance config or is it a typo in the bug comment?12:46
lbragstadcmurphy: oh - that's a valid question12:49
lbragstadi'm not sure what keystoneauth does in that case12:49
*** burnz has quit IRC12:52
*** burnz has joined #openstack-keystone12:53
*** panbalag has joined #openstack-keystone12:57
fried_ricelbragstad cmurphy Well, oslo_config behaves as though that line is absent - so what happens if project_name is missing?13:04
lbragstadi would assume it to change scoping13:05
lbragstadwhich might make sense because unscoped tokens do not contain a service catalog13:05
fried_ricewhee, good eye cmurphy!13:07
*** Dinesh_Bhor has quit IRC13:16
*** catintheroof has joined #openstack-keystone13:26
*** links has quit IRC13:31
knikollao/ morning/afternoon/evening everyone13:38
lbragstadknikolla: o/13:39
knikollalbragstad: was wondering what are you using for your blog13:40
lbragstadknikolla: squarespace,13:41
*** catinthe_ has joined #openstack-keystone13:41
lbragstadknikolla: i deployed my own wordpress for a while13:41
knikollaah, it felt too polished for a wordpress install13:41
lbragstadbut migrated to squarespace last spring13:41
lbragstadi know mhayden and cloudnull run really nice wordpress deploys though13:41
lbragstadtakes some tinkering and some custom templating, but it can be done13:41
lbragstadi've noticed some outages with squarespace however13:42
lbragstad(they had one this week)13:42
lbragstadfor me it's not a real big deal, but I do admin for other folks that have businesses on squarespace, and that's were it becomes more of a problem13:42
lbragstadghost.io is really nice, too13:43
lbragstadi've only ever run the trial for ghost, but i really liked the simplicity13:43
*** catintheroof has quit IRC13:44
knikollathey sure look nice but way outside of my budget for a dev blog.13:44
knikollai've been using jekyll/gh pages so far13:44
lbragstadyeah - when i signed up for squarespace the prices were lower and i used a discount13:44
knikollathinking of going to medium13:44
lbragstadpelican also seems interesting13:45
lbragstadit's all python based13:45
-openstackstatus- NOTICE: nodepool issue related to bad images has been resolved, builds should be coming back online soon. Restarted gerrit due to reasons. Happy Friday.13:46
knikollacan't believe Sydney will be my 4th summit already.13:52
lbragstadkmalloc: responded to https://review.openstack.org/#/c/501885/113:53
*** jamesbenson has joined #openstack-keystone14:15
*** agrebennikov has joined #openstack-keystone14:18
*** catintheroof has joined #openstack-keystone14:22
*** dave-mccowan has joined #openstack-keystone14:23
*** catinthe_ has quit IRC14:25
*** ioggstream has joined #openstack-keystone14:26
*** chrisshattuck has joined #openstack-keystone14:27
*** gyee has joined #openstack-keystone14:31
*** gyee has quit IRC14:39
*** gyee has joined #openstack-keystone14:41
*** cfriesen has joined #openstack-keystone14:45
*** nicolasbock has quit IRC14:47
*** nicolasbock has joined #openstack-keystone14:47
kmalloclbragstad: cool14:56
lbragstadkmalloc: trying to convert to a blanket update statement14:58
lbragstadhitting a few snags14:59
*** dklyle has quit IRC15:02
lbragstadkmalloc: currently, type is a member of the primary key constraint of the assignment table, i assume assignment_type is going to follow that pattern15:02
lbragstadin order to create a primary key constraint, aren't we going to have to make a new assignment table and do a rename?15:03
*** david-lyle has joined #openstack-keystone15:03
lbragstadsimilar to what we did here - https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/073_insert_assignment_inherited_pk.py ?15:03
*** agrebennikov has quit IRC15:04
*** agrebennikov has joined #openstack-keystone15:04
*** masunkar has joined #openstack-keystone15:05
*** masunkar_ has joined #openstack-keystone15:06
*** ricolin has quit IRC15:07
*** masunkar has quit IRC15:10
lbragstadactually - i might have an idea15:12
*** links has joined #openstack-keystone15:20
*** itlinux has joined #openstack-keystone15:21
*** links has quit IRC15:26
gagehugoo/15:38
gagehugolbragstad https://review.openstack.org/#/c/494018/ merged15:39
*** rmascena has joined #openstack-keystone15:39
lbragstadnice!15:39
*** raildo has quit IRC15:41
openstackgerritGage Hugo proposed openstack/keystone master: Add project tags api-ref documentation and reno  https://review.openstack.org/47239615:44
masunkar_lbragstad https://bugs.launchpad.net/keystone/+bug/1715770 is updated with few more details16:07
openstackLaunchpad bug 1715770 in OpenStack Identity (keystone) "openstack image list throwing 500 error " [Undecided,New]16:07
*** tesseract has quit IRC16:08
*** ioggstream has quit IRC16:10
*** masunkar_ has quit IRC16:12
*** otleimat has joined #openstack-keystone16:16
*** masunkar has joined #openstack-keystone16:18
*** mvk has joined #openstack-keystone16:19
kmallocknikolla: i wont be in sydney summit.16:31
kmallocmissing two summits in a row.16:31
kmallocit's a weird feeling16:31
kmallocwait... 3 sumits in a row.16:31
*** szaher has quit IRC16:31
kmalloci skipped barcelona, boston, and now sydney16:31
knikollakmalloc: :(16:33
*** szaher has joined #openstack-keystone16:37
*** rcernin has quit IRC16:40
lbragstaddatabase migrations make my head spin16:49
*** harlowja has joined #openstack-keystone17:00
*** aahh has joined #openstack-keystone17:07
*** jmlowe has quit IRC17:09
*** jmlowe has joined #openstack-keystone17:10
*** szaher has quit IRC17:15
kmallocyup17:17
kmalloclbragstad: update assignment set assignment_type = type;17:26
kmalloclbragstad: should copy the value from assignment.type to assignment.assignment_typel17:26
kmalloclbragstad: should copy the value from assignment.type to assignment.assignment_type *17:26
lbragstadhmm - i thought i tried that.. let me push what i have here17:27
lbragstadi changed a bunch of stuff17:27
kmallocyou'll need to run it as connection.execute(<sql>)17:28
kmallocinstead of connection.update17:29
kmallocor whathaveout17:29
lbragstadright17:38
lbragstadfinally got the migration passing - but i think this is going to run into edge cases with sql versus sqlite17:38
lbragstadrefactoring the backend to understand the new type17:38
*** aselius has joined #openstack-keystone17:43
*** panbalag has quit IRC17:56
lbragstadgrabbing lunch quick18:00
*** mjax has joined #openstack-keystone18:08
mjaxlbragstad: The token issued from openstack token issue, and the token generated for the user in keystone after password authentication are different right?18:22
openstackgerritGage Hugo proposed openstack/keystone master: Implement project tags logic into manager  https://review.openstack.org/49972718:34
openstackgerritGage Hugo proposed openstack/keystone master: Implement backend logic for project tags  https://review.openstack.org/49972618:34
openstackgerritGage Hugo proposed openstack/keystone master: Add JSON schema validation for project tags  https://review.openstack.org/48448318:34
openstackgerritGage Hugo proposed openstack/keystone master: Add database migration for project tags  https://review.openstack.org/48445618:34
openstackgerritGage Hugo proposed openstack/keystone master: Add policy for project tags  https://review.openstack.org/48675718:34
openstackgerritGage Hugo proposed openstack/keystone master: Refactor removal of duplicate projects/domains  https://review.openstack.org/49157418:34
openstackgerritGage Hugo proposed openstack/keystone master: Implement project tags API controller and router  https://review.openstack.org/49972818:34
*** rmascena is now known as raildo18:34
lbragstadmjax: nope - those tokens are generated using the same process18:46
mjaxlbragstad: hmm, I have a bit of confusion. My default configs on devstack have auth_method = password, but every time I make a command (eg openstack image list) it will reprompt me for a password. Does that mean I just need to change the authentication method to token in order to be able to make multiple requests after providing my password once18:51
gagehugomjax I think openstackclient gets a new token for each command18:54
gagehugoso it'll need your password each time18:54
mjaxgagehugo: i see, are there any config settings that I can modify so that it gets a token once, and then keeps using it until it expires?18:56
gagehugomjax I'm not sure to be honest, I don't use it that often18:56
gagehugoI just export my password as an env variable, but that might not be the most secure18:57
mjaxgagehugo: alright. Main reason is because I've written a custom identity driver that makes API calls to our company server for authentication. Wanted to minimize the potential load that could have18:57
*** Zara has joined #openstack-keystone18:58
gagehugoah18:59
openstackgerritLance Bragstad proposed openstack/keystone master: WIP: Make assignment type not an Enum  https://review.openstack.org/50188519:02
lbragstadkmalloc: ^ that's going to fail 3 tests because of FKs19:02
lbragstadkmalloc: but i already things it's too complicated19:03
kmalloc?19:03
kmallocsay that last line again?19:03
lbragstadthink*19:03
kmallocah19:03
lbragstadmy fingers started the weekend early19:04
kmallocuhm.19:04
kmallocwhy are you trying to do this via the ORM?19:04
kmallocit's going to really be super complex19:04
kmallocand painful19:04
lbragstadyeah - we did that here https://github.com/openstack/keystone/blob/master/keystone/common/sql/migrate_repo/versions/073_insert_assignment_inherited_pk.py19:05
kmalloci wouldn't do that19:05
lbragstadit is painful and probably wrong19:05
kmalloci would just use update19:05
kmallocdirectly19:05
kmallocerm19:05
kmallocexecute19:05
lbragstadso - don't create a new table19:05
lbragstad?19:05
kmallocright19:05
kmallocadd the column19:06
kmalloc(nullable)19:06
kmalloc.execute('update assignment set assignment_type = type')19:06
kmallocupdate new column to non-null19:06
kmallocit should be done specifically in SQL, not in ORM19:08
kmalloc(the update)19:08
kmallocthe contract phase is where assignment_type is made non-null afaict19:08
kmallocunless data migrate is assumed to be run when everything has been upgraded19:09
kmallocagain. the whole rolling upgrade bit makes next to no sense to me.19:09
kmallocit's very inconsistent from what i gather19:09
aahhhi , is there any way to fetch the project name on the identity backend19:09
kmallocis migrate after everything is upgraded to new code?19:09
kmallocis it run before code upgrade?19:10
lbragstadnope19:10
kmallocaahh: use resource_api19:10
lbragstadexpand is run with all but one node on N19:10
kmallocok19:10
lbragstadmigrate is run with all but one node on N19:10
kmallocso the data update has to be in contract19:10
lbragstadthen you start upgrading everything from N to N + 119:10
kmallocagain19:10
lbragstadthe non-null bit does19:11
kmalloci think the rolling upgrade process is broken19:11
kmallocno, you have to do the update *when* everything is on N+119:11
lbragstadif you do a rolling upgrade and don't issue a real-only lock19:11
kmallocyou can't have N anywhere, or it might write a non-updated entry into the table19:11
lbragstadon the assignment tabel19:11
kmallocif you have a non-N+1 node *ever* once the migrate is issued, read lock or not19:12
kmalloci think the rolling upgrade process is busted .19:12
lbragstadwell - if you used an N node to do something to the assignment table you'd get an error19:12
lbragstadsaying it's read only or whatever19:13
lbragstadbut the data wouldn't be modified19:13
kmallocthen you have to drop the N node before unlocking19:13
lbragstadright19:13
kmallocand the read lock would affect all nodes19:13
lbragstadthat's the trick19:13
kmalloci....19:13
kmalloc*shrug*19:13
kmalloci think the process is poorly designed19:13
lbragstadi'm not saying it's right... i'm just saying it's an alternative19:13
kmallocthe weay i would do it: 1) expand schema19:14
kmalloc2) update to new code (code smart enough to look in both places/write to both places)19:14
kmalloc3) data migrate19:14
kmalloc4) contract (where possible... one cycle out because code is writing to multiple places)19:14
kmallocanyway.19:14
lbragstadso does that mean we need to support new Enum types for global role assignments this release?19:15
lbragstadif we don't remove type in the migration?19:15
kmallochm.19:15
lbragstadand write to both places?19:15
kmallocexcept old code cant handle the new types19:15
kmallocso, i guess that doesn't work either19:16
kmallocyou'll break previous keystones if it gets an enum type it doesn't understand (or any assignment it doesn't get)19:17
lbragstadright19:17
kmallocyou're going to have to make it a new table then ... i guess.19:17
lbragstador...19:17
kmallocnot just a new column.19:17
kmallocbecause we can't have rows that are null for .type19:18
kmallocit will break old keystones.19:18
lbragstadyeah19:19
kmallocok so we have to do: new assignment table19:19
aahhwould this be the right way to do it19:19
kmallocsolution19:19
aahhhttp://paste.openstack.org/show/620751/19:19
kmalloclbragstad: make global roles a new assignment table19:19
kmallocassignment_global19:19
kmallocand *only* use that for global roles19:19
kmallocso old code never sees it19:20
kmallocnew code looks at both places.19:20
lbragstadnew code only looking in the new global_assignment table for global roles, right?19:20
kmallocyes19:20
lbragstadit essentially just aggregates everything together19:20
lbragstadyeah - that would work19:20
lbragstadso we just keep assignment.type as an Enum?19:21
lbragstad(i was under the impression the idea behind getting rid of Enum was to avoid migrations when we wanted to support new types)19:21
kmallocso we make a contract that does the enum type changeover19:21
kmallocexplicitly.19:21
kmallocand we make the code still do the "enforcement" of types where needed19:22
kmallocit doesn't matter if enum exists or not to Queens code19:22
kmallocso we can explicitly deal with changing the type in a contract19:22
lbragstadbut let's say we get down the road and want to add another assignment type for some reason19:22
lbragstadare we going to have to add another table or Enum type?19:23
kmallocright, so we require the contract to happen19:23
lbragstad(require a migration)19:23
kmallocthe contract fixes the table.19:23
kmallocand does an alter to make it non-enum19:23
kmallocsec19:24
kmallochttps://www.irccloud.com/pastebin/5Dn7SMAj/19:26
kmalloclbragstad: ^19:26
lbragstadhuh19:27
lbragstadok19:27
lbragstadthat makes sense19:27
lbragstaddoes alter table create a new table and perform a copy?19:28
lbragstadbehind the scenes?19:28
kmallochm...19:28
kmallocpossibly19:28
kmalloci am not sure19:28
kmalloci would put that in a contract phase19:28
kmallocftr19:29
kmallocit is assumed a contract will be run before (if N+1 = Y), you do the Y -> Y+1 upgrade19:29
kmallocright?19:29
lbragstadthe contract is only run after *all* nodes are on N + 119:30
lbragstadwe don't support running contact with a mixed pool19:30
kmallocright19:30
kmallocbut before you run Y->Y+119:30
kmallocanother upgrade19:30
kmalloccontract will be run19:30
kmalloc?19:30
lbragstadyes - if i understand the question19:30
kmallocso, to move from N+1 to N+2, you have to run contract at N+119:30
lbragstad30 expand, 30 migrate, 30 contract, 31 expand, 31 migrate, 31 contract, ....19:31
lbragstadactually - that's not right19:31
kmalloccontract will be run before N+1 -> N+2 happens19:32
kmallocright?19:32
kmallocthat is all i care about19:32
lbragstadyeah19:32
kmallocthen19:32
lbragstadN is a release or a migration number?19:32
kmallocin a contract alter19:32
kmallocrelease19:32
lbragstadok19:32
lbragstadyes - all migrations must be run for a release before upgrading to another release19:32
kmallocgood19:32
kmallocthen we can just migrate the enum alter in contract phase19:33
lbragstad(unless the skip-level upgrade session next week changes that)19:33
kmalloci'd push so very hard against that19:33
kmallocwe're struggling to get plain upgrade to upgrade working19:33
lbragstadi'm not quite sure what skip-level mean19:33
lbragstadmeans*19:33
kmallocN->N+219:33
kmallocno N+1 state19:33
lbragstadright - i'm not sure how they plan to implement that though19:33
kmallocnot sure if it's downtime19:33
kmallocright now, skip-level with downtime is easy19:34
lbragstadit could mean downtime and stopping at N + 1 to run the migrations (which technically would work for us)19:34
kmallocyep. and since no collapses are happening19:34
kmalloc*shrug* it's pretty trivial to do that19:34
kmallocand isn't anything crazy19:34
lbragstadok - so19:35
lbragstadcan we document this here - https://etherpad.openstack.org/p/keystone-non-enum-migration ?19:35
kmallocyeah give me a few19:36
kmallocneed to do a reboot here and toss in some more ram (new ram sticks arrived)19:36
lbragstadack19:37
kmalloclbragstad: 128GB of ram ;)19:37
lbragstadkmalloc: you can send any of that my way if you want19:37
kmallochehe19:37
*** raildo has quit IRC19:59
*** aahh has quit IRC20:10
*** lucasxu has joined #openstack-keystone20:14
*** otleimat has quit IRC20:18
lbragstadkmalloc: not sure if i've completely documented your approaches https://etherpad.openstack.org/p/keystone-non-enum-migration20:26
lbragstadbut i have 4.5 so far20:26
kmalloci'll look in a sec20:26
kmalloclbragstad: added to the global_assignment one20:28
kmallocit hits both marks20:28
kmalloclbragstad: expanded more actually20:32
kmallocthere ya go20:32
kmallocApproach #2 is the way I would do it20:32
kmallocfwiw20:32
lbragstadreading20:38
lbragstadkmalloc: approach #2?20:39
lbragstador approach #3?20:39
kmallocsorry #320:40
kmallocthe one I added to20:40
lbragstadso - the switch to enum only happens when Queens code is running20:40
kmallocthe switch from enum is queens-only code20:41
kmallocin the schema20:41
kmallocwhich is why it's done in contract20:41
kmalloctechnically it could happen in migrate, but i'm playing it super safe here20:41
kmallocthe impact should be zero to convert ENUM -> varchar20:42
kmallocexcept, unrecognized values could end up in the column, which would make the non-queens keystone freak the f*** out20:42
lbragstadso - for the duration of the queens release, global roles would be persisted in assignment_global and everything else would be in assignment like it is today20:43
kmallocyeah20:43
kmallocand that is just for allowing no-freakouts for pike keystone20:43
kmallocthat said, we could drop the enum in migrate (minor locking outage)20:43
kmallocand as long as no one created roles that keystone doesn't understand we could put the values for global roles in the .type column20:44
kmallocwe probably want to make queens code resilient to unknown role types20:44
kmallocas well20:44
*** lucasxu has quit IRC20:44
kmalloclbragstad: i added to option #520:46
kmallocto clarify what could be done w/o a separate table and just an alter20:47
lbragstadwhen would you issue the alter?20:51
lbragstadin the contract?20:51
kmallocin migrate?20:51
kmalloci am not sure when the best time to do that would be20:51
lbragstadwouldn't that require pike to understand VARCHAR types?20:51
kmallocoh. yeah still contract.20:51
kmallocugh, SQLAlchemy might balk at getting a string back when an enum is expected20:51
kmallocwe might not be able to do #520:52
lbragstadyeah - it does20:52
kmallocwe'd have to ask zzzeek20:52
lbragstadknikolla: ran into that yesterday20:52
kmallocok so #5 is off the table20:52
kmallocwe might be able to make a magic column type that can handle either ENUM or VARCHAR20:52
kmalloc... but that might be a lot of work20:52
lbragstadkmalloc: that's probably above my sql skill level20:53
lbragstadbut if someone has a way to do it i'm all ears20:53
kmalloci could try20:55
kmallocit's a lot of work.20:55
kmalloclet me poke at something real quick20:55
lbragstadkmalloc: no need to spin cycles on it if you don't have the bandwidth20:55
lbragstadkmalloc: let's say we do number #320:59
kmallocokie20:59
lbragstadwe could just have the queens code use two different sql models pointing to two separate tables20:59
lbragstadlike you said20:59
*** otleimat has joined #openstack-keystone20:59
lbragstadif the queens code is asked to store a global role assignment, it does so in the assignment_global table21:00
lbragstadand during an upgrade let's say someone goes to validate a global role assignment against a pike node21:00
lbragstadit would fail, because pike doesn't understand that21:01
lbragstadright?21:01
kmallocright21:01
lbragstadis that a problem?21:01
kmallocit wouldn't know what the role is21:01
kmallocit wouldn't even get the global role21:01
lbragstadto be able to have successful global role action for a pool of keystone nodes and have the next request not understand it?21:01
lbragstad(from a data model it would be fine, but from a mixed API upgrade perspective, it might seem inconsistent or confusing)21:02
kmallocthis is why i think the rolling upgrade is ludicrous21:03
kmallocthe API may respond differently between versions21:03
kmallocthis is crazypants imo21:03
* lbragstad sigh21:03
kmallocyou always have this issue running multiple versions of keystone21:03
lbragstadright21:04
kmallocit's not that the API contract has changed21:04
lbragstadwhat if we say screw it and make it a partial outage21:04
kmalloci'm fine with that21:04
lbragstadassignments are read-only if you want to do a rolling upgrade21:04
lbragstadthat's the best we can do21:04
kmallocthat is just an addendum to approach #321:04
kmallocthe rest still needs to be that way because ENUM vs VARCHAR21:05
lbragstadi'm going to walk through a read-only case21:05
*** rcernin has joined #openstack-keystone21:06
kmallocokie21:10
*** edmondsw has quit IRC21:21
*** thorst has quit IRC21:32
lbragstadkmalloc: modified approach #4 and added #4a21:39
lbragstadkmalloc: thoughts on #4a?21:43
*** mvk has quit IRC21:48
*** ioggstream has joined #openstack-keystone21:55
*** jamesbenson has quit IRC21:59
*** jamesbenson has joined #openstack-keystone22:04
*** mvk has joined #openstack-keystone22:04
*** catintheroof has quit IRC22:08
*** jamesbenson has quit IRC22:08
kmalloc4a looks ok22:19
*** rcernin has quit IRC22:19
kmallocit's still an outage22:19
kmallocand might be a hard down vs partial outage22:20
kmallocnew keystone can't read non-enum22:20
kmallocoh22:20
kmallocassignment vs assignments22:20
kmallocyeah22:20
kmallocthat is fine.22:20
lbragstadyeah22:21
lbragstadit's tricky :)22:21
kmallocstill a bit wonky22:21
kmallocbut not bad22:21
kmalloc*shrug*22:21
kmallocyou're still going to get "different responses" from the global role enabled keystone if a global role is created22:21
lbragstadwell- a global role won't be createable until after the migration22:22
lbragstadassignments have to be read only22:22
kmallocok22:23
kmallocthen22:23
kmallocnot terrible22:23
kmallocit just means queens is not really rolling upgradable22:23
kmallocit's partial outage22:23
lbragstadi can't seem to find a way to make it consistent and writable during a rolling upgrade22:23
lbragstadright22:23
*** aojea has quit IRC22:23
lbragstadif you have pike and queens running at the same time and way writeable backends... you're going to have to deal with possible inconsistent APIs for the duration of the migration22:24
lbragstadwant writeable*22:24
kmalloci really think the rolling update should be scratched.22:31
kmalloctbh22:31
kmalloci have no issue with minimal downtime goal, aka schema can be upgraded independently in most cases from the code22:32
kmallocbut we should stop trying to make a guarantee that you can actually run different versions of keystone22:32
*** thorst has joined #openstack-keystone22:32
kmallocif we ever update an api (especially around auth) with featuresets like global roles, it's not an API contract break really22:33
kmallocit just means the API is returning additional (and sane) content22:33
kmallocin accordance with the contract22:33
*** thorst has quit IRC22:37
*** dave-mccowan has quit IRC22:39
*** edmondsw has joined #openstack-keystone22:49
*** chrisshattuck has quit IRC22:51
*** ioggstream has quit IRC22:53
*** edmondsw has quit IRC22:54
*** thorst has joined #openstack-keystone23:14
*** thorst has quit IRC23:19
*** otleimat has quit IRC23:19
*** gyee has quit IRC23:32
« Thursday, 2017-09-07 Index Saturday, 2017-09-09 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!