*** AlexeyAbashkin has joined #openstack-keystone | 00:10 | |
*** itlinux has joined #openstack-keystone | 00:10 | |
*** catintheroof has joined #openstack-keystone | 00:11 | |
*** eckesicle has joined #openstack-keystone | 00:13 | |
*** AlexeyAbashkin has quit IRC | 00:14 | |
*** rcernin has joined #openstack-keystone | 00:21 | |
*** catintheroof has quit IRC | 00:32 | |
*** catintheroof has joined #openstack-keystone | 00:38 | |
*** gyee has quit IRC | 00:40 | |
*** catintheroof has quit IRC | 00:42 | |
*** catintheroof has joined #openstack-keystone | 00:44 | |
*** AlexeyAbashkin has joined #openstack-keystone | 00:46 | |
*** AlexeyAbashkin has quit IRC | 00:51 | |
*** catintheroof has quit IRC | 00:55 | |
*** catintheroof has joined #openstack-keystone | 00:56 | |
*** zzzeek has quit IRC | 00:58 | |
*** zzzeek has joined #openstack-keystone | 01:00 | |
*** thorst has joined #openstack-keystone | 01:16 | |
*** thorst has quit IRC | 01:17 | |
*** catintheroof has quit IRC | 01:20 | |
*** namnh has joined #openstack-keystone | 01:21 | |
*** catintheroof has joined #openstack-keystone | 01:21 | |
*** catintheroof has quit IRC | 01:24 | |
*** gmann_afk is now known as gmann | 01:25 | |
*** dave-mccowan has quit IRC | 01:26 | |
*** dave-mccowan has joined #openstack-keystone | 01:28 | |
*** wes_dillingham has quit IRC | 01:34 | |
*** rcernin has quit IRC | 01:43 | |
*** rcernin has joined #openstack-keystone | 01:44 | |
*** wes_dillingham has joined #openstack-keystone | 01:48 | |
openstackgerrit | Shan Guo proposed openstack/keystone master: Remove simple cert support https://review.openstack.org/515309 | 01:50 |
*** catintheroof has joined #openstack-keystone | 01:55 | |
*** catintheroof has quit IRC | 02:00 | |
*** thorst has joined #openstack-keystone | 02:18 | |
*** thorst has quit IRC | 02:23 | |
*** annp has joined #openstack-keystone | 02:23 | |
*** catintheroof has joined #openstack-keystone | 02:28 | |
*** catintheroof has quit IRC | 02:33 | |
*** AlexeyAbashkin has joined #openstack-keystone | 02:47 | |
*** spzala has quit IRC | 02:50 | |
*** AlexeyAbashkin has quit IRC | 02:52 | |
*** spzala has joined #openstack-keystone | 03:02 | |
*** spzala has quit IRC | 03:06 | |
*** AlexeyAbashkin has joined #openstack-keystone | 03:08 | |
*** gvrangan has joined #openstack-keystone | 03:08 | |
*** AlexeyAbashkin has quit IRC | 03:12 | |
*** dave-mccowan has quit IRC | 03:14 | |
*** prashkre__ has joined #openstack-keystone | 03:14 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements https://review.openstack.org/470137 | 03:15 |
*** nicolasbock has quit IRC | 03:30 | |
*** aselius has quit IRC | 03:30 | |
*** markvoelker has quit IRC | 03:43 | |
openstackgerrit | Shan Guo proposed openstack/keystone master: Remove simple cert support https://review.openstack.org/515309 | 03:55 |
*** catintheroof has joined #openstack-keystone | 04:01 | |
*** spzala has joined #openstack-keystone | 04:03 | |
*** catintheroof has quit IRC | 04:05 | |
*** spzala has quit IRC | 04:07 | |
*** thorst has joined #openstack-keystone | 04:19 | |
*** annp has quit IRC | 04:20 | |
*** thorst has quit IRC | 04:24 | |
*** rmcallis has quit IRC | 04:27 | |
*** annp has joined #openstack-keystone | 04:28 | |
*** lamt has quit IRC | 04:51 | |
*** cburgess has quit IRC | 04:51 | |
*** suramya_ has joined #openstack-keystone | 04:51 | |
*** gvrangan has quit IRC | 04:52 | |
*** gvrangan has joined #openstack-keystone | 04:52 | |
*** rmcallis has joined #openstack-keystone | 04:53 | |
*** Suramya has joined #openstack-keystone | 04:53 | |
*** rmcallis has quit IRC | 04:58 | |
*** rmcallis has joined #openstack-keystone | 04:59 | |
*** wes_dillingham has quit IRC | 05:00 | |
*** spzala has joined #openstack-keystone | 05:02 | |
*** cburgess has joined #openstack-keystone | 05:03 | |
*** lamt has joined #openstack-keystone | 05:04 | |
*** lamt is now known as Guest53850 | 05:04 | |
*** jaosorior has joined #openstack-keystone | 05:05 | |
*** spzala has quit IRC | 05:06 | |
*** masuberu has joined #openstack-keystone | 05:15 | |
*** masber has quit IRC | 05:18 | |
*** masber has joined #openstack-keystone | 05:20 | |
*** masuberu has quit IRC | 05:23 | |
*** markvoelker has joined #openstack-keystone | 05:43 | |
*** BenderRodriguez has quit IRC | 05:47 | |
*** spzala has joined #openstack-keystone | 06:03 | |
*** spzala has quit IRC | 06:07 | |
*** markvoelker has quit IRC | 06:18 | |
*** thorst has joined #openstack-keystone | 06:20 | |
*** spectr has joined #openstack-keystone | 06:22 | |
*** thorst has quit IRC | 06:25 | |
*** gvrangan has quit IRC | 06:26 | |
*** magicboiz has joined #openstack-keystone | 06:27 | |
*** magicboiz has quit IRC | 06:32 | |
*** aojea has joined #openstack-keystone | 06:32 | |
*** magicboiz has joined #openstack-keystone | 06:32 | |
*** gvrangan has joined #openstack-keystone | 06:32 | |
*** gvrangan has quit IRC | 06:44 | |
openstackgerrit | Shan Guo proposed openstack/keystone master: Remove simple cert support https://review.openstack.org/515309 | 06:53 |
*** magicboiz has quit IRC | 06:53 | |
*** magicboiz has joined #openstack-keystone | 06:55 | |
*** aojea has quit IRC | 06:58 | |
*** magicboiz has quit IRC | 07:00 | |
*** suramya_ has quit IRC | 07:01 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/keystonemiddleware master: Imported Translations from Zanata https://review.openstack.org/514529 | 07:02 |
*** aojea has joined #openstack-keystone | 07:03 | |
*** magicboiz has joined #openstack-keystone | 07:07 | |
*** aojea has quit IRC | 07:08 | |
*** markvoelker has joined #openstack-keystone | 07:14 | |
*** tesseract has joined #openstack-keystone | 07:22 | |
*** ioggstream has joined #openstack-keystone | 07:31 | |
*** thorst has joined #openstack-keystone | 07:33 | |
*** namnh has quit IRC | 07:34 | |
*** thorst has quit IRC | 07:38 | |
*** josecastroleon has joined #openstack-keystone | 07:41 | |
*** itlinux has quit IRC | 07:43 | |
*** markvoelker has quit IRC | 07:48 | |
*** prashkre__ has quit IRC | 07:53 | |
*** prashkre__ has joined #openstack-keystone | 07:53 | |
*** AlexeyAbashkin has joined #openstack-keystone | 07:56 | |
*** rcernin has quit IRC | 07:58 | |
*** magicboiz has quit IRC | 08:00 | |
*** magicboiz has joined #openstack-keystone | 08:03 | |
*** magicboiz has quit IRC | 08:08 | |
*** magicboiz has joined #openstack-keystone | 08:15 | |
*** rmcallis has quit IRC | 08:44 | |
*** markvoelker has joined #openstack-keystone | 08:45 | |
*** rmcallis has joined #openstack-keystone | 08:46 | |
*** namnh has joined #openstack-keystone | 08:51 | |
*** rmcallis has quit IRC | 08:53 | |
*** spzala has joined #openstack-keystone | 09:04 | |
*** spzala has quit IRC | 09:09 | |
*** markvoelker has quit IRC | 09:18 | |
*** thorst has joined #openstack-keystone | 09:34 | |
*** thorst has quit IRC | 09:39 | |
openstackgerrit | Rajat Sharma proposed openstack/keystone master: Install and configure in Installation Guide: Populate the Identity service database step fails https://review.openstack.org/515662 | 09:42 |
*** links has quit IRC | 09:42 | |
*** Suramya has quit IRC | 09:50 | |
*** zhangjl has quit IRC | 09:50 | |
*** zhangjl has joined #openstack-keystone | 09:51 | |
*** gmann is now known as gmann_afk | 10:02 | |
*** daidv has quit IRC | 10:12 | |
*** eckesicle has quit IRC | 10:12 | |
*** markvoelker has joined #openstack-keystone | 10:15 | |
*** namnh has quit IRC | 10:36 | |
*** markvoelker has quit IRC | 10:49 | |
*** rmcallis has joined #openstack-keystone | 10:49 | |
*** rmcallis has quit IRC | 10:54 | |
*** robcresswell has quit IRC | 11:03 | |
*** annp has quit IRC | 11:03 | |
*** spzala has joined #openstack-keystone | 11:06 | |
*** spzala has quit IRC | 11:12 | |
*** thorst has joined #openstack-keystone | 11:35 | |
*** zhangjl has quit IRC | 11:39 | |
*** thorst has quit IRC | 11:40 | |
*** sambetts|afk is now known as sambetts | 11:41 | |
*** nicolasbock has joined #openstack-keystone | 11:43 | |
*** belmoreira has joined #openstack-keystone | 11:45 | |
*** thorst has joined #openstack-keystone | 11:46 | |
*** markvoelker has joined #openstack-keystone | 11:46 | |
*** ioggstream has quit IRC | 11:48 | |
*** raildo has joined #openstack-keystone | 12:07 | |
*** spzala has joined #openstack-keystone | 12:08 | |
*** spzala has quit IRC | 12:13 | |
*** wes_dillingham has joined #openstack-keystone | 12:16 | |
*** magicboiz has quit IRC | 12:16 | |
*** ioggstream has joined #openstack-keystone | 12:18 | |
*** markvoelker has quit IRC | 12:20 | |
*** markvoelker has joined #openstack-keystone | 12:27 | |
*** rm_work has quit IRC | 12:29 | |
*** rm_work has joined #openstack-keystone | 12:30 | |
*** rm_work has quit IRC | 12:30 | |
*** rm_work has joined #openstack-keystone | 12:30 | |
*** spzala has joined #openstack-keystone | 12:50 | |
*** spzala has quit IRC | 13:04 | |
*** catintheroof has joined #openstack-keystone | 13:04 | |
*** panbalag has joined #openstack-keystone | 13:13 | |
*** efried is now known as fried_rice | 13:14 | |
*** panbalag has left #openstack-keystone | 13:18 | |
lbragstad | o/ | 13:28 |
*** dansmith is now known as superdan | 13:30 | |
*** sheel has joined #openstack-keystone | 13:32 | |
*** catintheroof has quit IRC | 13:34 | |
*** catintheroof has joined #openstack-keystone | 13:42 | |
*** spectr has quit IRC | 13:49 | |
*** dave-mccowan has joined #openstack-keystone | 13:53 | |
*** arxcruz is now known as arxcruz|pto | 13:56 | |
*** Dinesh_Bhor has quit IRC | 14:04 | |
*** d0ugal_ has joined #openstack-keystone | 14:04 | |
*** d0ugal has quit IRC | 14:05 | |
*** spectr has joined #openstack-keystone | 14:09 | |
*** McClymontS has joined #openstack-keystone | 14:16 | |
*** dave-mccowan has quit IRC | 14:20 | |
*** McClymontS has quit IRC | 14:26 | |
*** spectr has quit IRC | 14:39 | |
openstackgerrit | Vladyslav Drok proposed openstack/keystoneauth master: Make none auth usable in CLI https://review.openstack.org/515730 | 14:45 |
*** josecastroleon has quit IRC | 14:46 | |
openstackgerrit | Vladyslav Drok proposed openstack/keystoneauth master: Make none auth usable in CLI https://review.openstack.org/515730 | 15:03 |
*** belmoreira has quit IRC | 15:09 | |
*** dave-mccowan has joined #openstack-keystone | 15:11 | |
*** AlexeyAbashkin has quit IRC | 15:13 | |
*** jmlowe_ has joined #openstack-keystone | 15:14 | |
*** jmlowe has quit IRC | 15:16 | |
*** links has joined #openstack-keystone | 15:19 | |
*** dave-mccowan has quit IRC | 15:21 | |
prashkre__ | kmalloc: Hi! Could you please review https://review.openstack.org/#/c/514885/ | 15:23 |
*** itlinux has joined #openstack-keystone | 15:30 | |
*** itlinux has quit IRC | 15:30 | |
cmurphy | kmalloc: you had this note to remove the simple_cert router: https://review.openstack.org/#/c/515309/6/keystone/version/service.py doesn't that break the API contract? | 15:35 |
kmalloc | Yeh probably. | 15:35 |
kmalloc | I think that note predated our TC agreement | 15:36 |
kmalloc | And such | 15:36 |
cmurphy | gotcha | 15:36 |
kmalloc | Let's nuke the note | 15:36 |
kmalloc | Leave the api | 15:36 |
kmalloc | If it works at all. | 15:37 |
kmalloc | If it doesn't, we may need to fix it too | 15:37 |
*** sheel has quit IRC | 15:41 | |
*** McClymontS has joined #openstack-keystone | 15:45 | |
openstackgerrit | Vladyslav Drok proposed openstack/keystoneauth master: Make none auth usable in CLI https://review.openstack.org/515730 | 15:46 |
*** McClymontS has quit IRC | 15:47 | |
*** jaosorior has quit IRC | 15:48 | |
*** BenderRodriguez has joined #openstack-keystone | 15:49 | |
*** BenderRodriguez has quit IRC | 15:49 | |
*** BenderRodriguez has joined #openstack-keystone | 15:49 | |
*** itlinux has joined #openstack-keystone | 15:57 | |
itlinux | hello all.. | 16:04 |
*** dave-mccowan has joined #openstack-keystone | 16:04 | |
itlinux | I have two env.. running Ocata.. both same LDAP servers.. both can pull the users fine but one of them cannot retrieve the group list.. the other can.. any suggestions on what to look for? | 16:04 |
*** fried_rice has quit IRC | 16:05 | |
itlinux | I get this in the logs There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. fill_context | 16:17 |
itlinux | any tips? | 16:17 |
itlinux | TY | 16:18 |
*** fried_rice has joined #openstack-keystone | 16:18 | |
*** robcresswell has joined #openstack-keystone | 16:19 | |
*** catintheroof has quit IRC | 16:23 | |
*** jmlowe_ has quit IRC | 16:23 | |
*** dave-mccowan has quit IRC | 16:26 | |
*** catintheroof has joined #openstack-keystone | 16:27 | |
*** ioggstream has quit IRC | 16:28 | |
*** catintheroof has quit IRC | 16:35 | |
*** catintheroof has joined #openstack-keystone | 16:36 | |
*** links has quit IRC | 16:38 | |
*** catintheroof has quit IRC | 16:39 | |
lbragstad | itlinux: that warning is actually being removed because it's not really an issue https://review.openstack.org/#/c/514810/ | 16:39 |
lbragstad | context ^ | 16:39 |
*** catintheroof has joined #openstack-keystone | 16:39 | |
*** sambetts is now known as sambetts|afk | 16:41 | |
*** dave-mccowan has joined #openstack-keystone | 16:50 | |
*** AlexeyAbashkin has joined #openstack-keystone | 16:53 | |
*** AlexeyAbashkin has quit IRC | 16:57 | |
*** dave-mccowan has quit IRC | 17:03 | |
*** dave-mccowan has joined #openstack-keystone | 17:03 | |
itlinux | so how do I make this work.. users shows up and groups do not | 17:07 |
itlinux | thanks | 17:07 |
*** rmcallis has joined #openstack-keystone | 17:07 | |
*** prashkre__ is now known as prashkre | 17:18 | |
prashkre | kmalloc: https://review.openstack.org/#/c/514885/ needs your review. could you please add it to your list. | 17:21 |
*** itlinux has quit IRC | 17:28 | |
*** rmascena has joined #openstack-keystone | 17:28 | |
*** dave-mccowan has quit IRC | 17:29 | |
*** jmlowe has joined #openstack-keystone | 17:30 | |
*** raildo has quit IRC | 17:31 | |
hogepodge | cmurphy: or anyone else, can you give me a high-level overview of project-lived credentials? | 17:37 |
hogepodge | I want to understand... | 17:37 |
lbragstad | hogepodge: sure | 17:42 |
* lbragstad will try but cmurphy will keep him honest | 17:43 | |
lbragstad | hogepodge: so - I find it easy to think about using the application example | 17:43 |
hogepodge | ok | 17:44 |
lbragstad | if you and i work on a team that uses openstack to host an application, and that application needs access to various openstack APIs | 17:44 |
lbragstad | today - we have a couple ways to make that happen | 17:44 |
kmalloc | prashkre: it is on my list, as soon as I have dealt with plumbing emergency | 17:44 |
lbragstad | 1.) you or I can put our username and passwords in an application configuration file and the application accesses OpenStack as our users | 17:45 |
hogepodge | that's what I do! :-) | 17:45 |
hogepodge | (hey ci/cd system, here's my personal login lol) | 17:46 |
lbragstad | 2.) we have a dedicated user created for the application to use (which might require opening a service ticket to the corporate ldap team to create some user - which kinda defeats the purpose ) | 17:46 |
* lbragstad is sorry | 17:46 | |
lbragstad | i apologize - but that makes you the perfect user for this conversation then! | 17:46 |
lbragstad | both options 1 and 2 are pretty bad | 17:47 |
lbragstad | and they likely violate company security policies | 17:47 |
lbragstad | instead - the whole concept of application credentials was to make it so you or I can generate an application specific password in keystone - then use that in the application configuration file | 17:47 |
hogepodge | I distract them from that violation by setting up rogue torrent servers for them to deal with. ;-) | 17:48 |
lbragstad | lol | 17:48 |
hogepodge | how is it different from case 2? | 17:48 |
lbragstad | so - application credentials are similar to case 2 initially | 17:49 |
lbragstad | but we eventually want to be able to associate specific operations to application credentials | 17:49 |
lbragstad | (give me an application specific credential that can only list instances) | 17:49 |
hogepodge | ok, cool | 17:50 |
lbragstad | which should hopefully help with damage control if the application is compromised | 17:50 |
hogepodge | when you say eventually... | 17:50 |
*** mwynne has joined #openstack-keystone | 17:50 | |
lbragstad | yeah... | 17:50 |
lbragstad | that's where things get fuzzy, because we have a mountain of policy/rbac issues to fix across openstack too, in order for that to be a reality | 17:51 |
lbragstad | (but, we do have a plan) | 17:51 |
hogepodge | so post queens? | 17:51 |
lbragstad | yes | 17:51 |
lbragstad | but - once you have an application credential | 17:51 |
lbragstad | how long should it live for | 17:51 |
lbragstad | ? | 17:51 |
mwynne | Hi guys. I have a quick question. I have 2 keystone apache processes using 100+% CPU while the stack is basically idle, killing my controller. Any idea how I can troubleshoot this issue? | 17:51 |
mwynne | 31476 keystone 20 0 647660 144180 12996 S 115.6 0.9 727:18.22 apache2 | 17:51 |
lbragstad | ^ that's essentially the question that makes project-lived or user-lived application creds make sense | 17:51 |
lbragstad | hogepodge: one of the biggest things we wanted to avoid with app creds, was when a team member leaves the application stops working | 17:52 |
lbragstad | if i put my username and password in the application configuration file, and i get fired, then our app doesn't work | 17:53 |
lbragstad | the same would be true if we associate app creds to the user life cycle | 17:53 |
lbragstad | which is why we thought it important to associate them to the project | 17:53 |
*** itlinux has joined #openstack-keystone | 17:53 | |
lbragstad | mwynne: can you share a little more on how you have keystone configured? | 17:54 |
lbragstad | hogepodge: but that also means that anytime someone leaves the team, the application credential should be rotated (because I could write down the application credential and still access API with it even after I get fired) | 17:55 |
hogepodge | great, this is all good information | 17:56 |
mwynne | lbragstad: Sorry, what do you need to know specifically? Want my keystone.conf? | 17:56 |
lbragstad | hogepodge: that's essentially the gist of project-lived versus user-lived application credentials | 17:58 |
lbragstad | (fwiw - mordred is picking that up this release) | 17:58 |
lbragstad | mwynne: sure - that might be a start, omitting sensitive information if you have any | 17:59 |
mwynne | lbragstad: http://paste.openstack.org/show/624843/ | 18:01 |
hogepodge | thanks, we're just trying to come up with something succinct and correct to say in our project roadmap presentation | 18:01 |
hogepodge | this helps a lot | 18:01 |
lbragstad | hogepodge: awesome | 18:01 |
mwynne | lbragstad: I get a pretty constant stream of these: 2017-10-27 18:02:29.034 31476 INFO keystone.common.wsgi [req-bacff250-4223-43b4-8594-e77a63be7ab0 d9f834e0d74a4ab7a55318d412b0f2ea 4f779ae189834a9a9e193b1b9d7546a6 - default default] GET http://10.10.10.5:35357/v3/auth/tokens | 18:02 |
lbragstad | mwynne: you have eventlet configuration options defined but you're running in apache, right? | 18:03 |
mwynne | lbragstad: Correct. I was wondering why those were there.... | 18:03 |
lbragstad | mwynne: yeah - that's a log telling you someone is validating a token (or a service) | 18:03 |
mwynne | lbragstad: should I remove those settings from eventlet? | 18:04 |
lbragstad | mwynne: you could - but i was more or less just curious | 18:04 |
lbragstad | i think those should be specific to keystone's eventlet support in tree | 18:04 |
lbragstad | otherwise apache should be handling that for you | 18:04 |
mwynne | Will those have any effect if I'm using apache? | 18:05 |
lbragstad | they shouldn't | 18:05 |
mwynne | ok | 18:05 |
*** harlowja has quit IRC | 18:05 | |
mwynne | lbragstad: This stack has 90 tenants, 90 networks, and 180 vms | 18:05 |
*** harlowja has joined #openstack-keystone | 18:05 | |
mwynne | So, quite a bit of stuff. | 18:06 |
mwynne | but I wouldn't have thought apache would be totally pinned while everything's idle | 18:06 |
lbragstad | mwynne: have you tried configuring caching in keystone? | 18:06 |
mwynne | lbragstad: no. what's required for that? | 18:06 |
lbragstad | https://docs.openstack.org/keystone/latest/admin/identity-caching-layer.html | 18:07 |
lbragstad | there are a couple options in keystone.conf that will let you turn it on | 18:07 |
lbragstad | and optionally point to a memcached deployment | 18:07 |
lbragstad | we've seen that have significant performance improvements | 18:08 |
mwynne | if I modify these I just need to restart the apache service? | 18:09 |
lbragstad | if you want to point to a memcached service, you'll have to make sure that's running | 18:10 |
lbragstad | otherwise - keystone will cache in process | 18:10 |
lbragstad | so - worst possible case is that you won't notice a difference until each thread has cached a specific response | 18:10 |
mwynne | Yeah, the memcached service is running. | 18:10 |
lbragstad | oh - then yeah... kicking keystone after making those changes should be all you need | 18:11 |
mwynne | lbragstad: there's no keystone service, right? Just apache? | 18:11 |
lbragstad | keystone is the service but it can run in a web service like apache, so restarting apache will restart keystone | 18:12 |
mwynne | lbragstad: Right, thanks. | 18:13 |
mwynne | lbragstad: It might look better... | 18:14 |
*** wes_dillingham has quit IRC | 18:14 | |
mwynne | You just might be a life saver :) | 18:14 |
lbragstad | mwynne: did it work? | 18:15 |
mwynne | I think so | 18:15 |
lbragstad | \o/ | 18:15 |
mwynne | CPU usage seems much better, for now, at least. | 18:15 |
mwynne | Thank you so much! | 18:15 |
lbragstad | yeah - anytime | 18:15 |
lbragstad | hopefully you'll notice quicker response times in overall APIs \ | 18:15 |
mwynne | lbragstad: An unexpected error prevented the server from fulfilling your request. (HTTP 500) | 18:16 |
mwynne | :( | 18:16 |
lbragstad | uh oh | 18:16 |
lbragstad | keystone logs? | 18:16 |
* lbragstad wonders if python-memcached is installed | 18:17 | |
mwynne | ERROR keystone.common.wsgi OperationalError: (pymysql.err.OperationalError) (1040, u'Too many connections') | 18:17 |
lbragstad | mwynne: oh - depending on how many instances of keystone you're running, you could be running out of mysql connections | 18:18 |
lbragstad | 1.) reduce the amount of keystone servers | 18:19 |
lbragstad | 2.) increase mysql connection limits | 18:19 |
lbragstad | those would be my two guesses | 18:19 |
mwynne | my.conf: max_connections = 151 | 18:19 |
mwynne | increase that and restart the service? | 18:19 |
mwynne | Can I see what the current number of connections is? | 18:19 |
mwynne | To ensure that's the limit being hit? | 18:20 |
lbragstad | mwynne: you might be able to do something like this - https://stackoverflow.com/questions/7432241/mysql-show-status-active-or-total-connections | 18:22 |
mwynne | lbragstad: Just found that :) | 18:22 |
lbragstad | :) | 18:23 |
mwynne | Thanks again for all your help! | 18:23 |
lbragstad | yep - are you hitting that limit? | 18:23 |
mwynne | Yup | 18:24 |
lbragstad | nice | 18:24 |
mwynne | increased and restarted | 18:24 |
mwynne | looks better | 18:24 |
mwynne | and faster :D | 18:24 |
lbragstad | no more 500s? | 18:24 |
mwynne | Nope | 18:25 |
lbragstad | sweet | 18:25 |
mwynne | APIs seem faster | 18:25 |
lbragstad | good deal | 18:25 |
mwynne | Learn something new every day. It's weird that the installation instructions tell you to install memcached but don't tell you to configure any services to actually use it :S | 18:25 |
lbragstad | caching usually have a pretty good effect on API performance, especially when enabled for most subsystems | 18:25 |
lbragstad | s/have/has/ | 18:26 |
lbragstad | did you just follow the basic installation guide or did you use a deployment tool? | 18:26 |
mwynne | lbragstad: Can I enable that elsewhere? | 18:26 |
mwynne | I've done both. This deployment was done with puppet though. | 18:26 |
lbragstad | ok | 18:26 |
lbragstad | mwynne: you can enable "global" caching in keystone, but then you can also opt into turning on caching for various subsystems (e.g. caching for tokens, users, catalogs, etc..) | 18:27 |
lbragstad | which is detailed here - https://docs.openstack.org/keystone/latest/admin/identity-caching-layer.html | 18:27 |
*** clenimar has quit IRC | 18:28 | |
mwynne | if I just enabled it in [cache] then it's enabled globally? | 18:28 |
lbragstad | yeah | 18:28 |
lbragstad | that option comes from oslo.cache | 18:28 |
mwynne | Ok. Is that generally bad? | 18:28 |
lbragstad | which is the library we use to cache stuff | 18:28 |
lbragstad | no, it's not bad | 18:28 |
mwynne | memcached is configured for 64MB of memory. will it need more? | 18:29 |
mwynne | Any idea? | 18:29 |
lbragstad | it just defaults to off, but all keystone sub-systems default to caching if the global toggle is enabled | 18:29 |
lbragstad | mwynne: that i'm not sure - that might depend on how long you intend to cache data | 18:29 |
mwynne | Ah, good point. | 18:29 |
lbragstad | for example - https://github.com/openstack/keystone/blob/master/keystone/conf/token.py#L97-L104 | 18:30 |
lbragstad | you can adjust those knobs per sub-system | 18:30 |
lbragstad | so you can hold on to cached catalog information longer than cached token information | 18:30 |
lbragstad | (for example) | 18:30 |
mwynne | Ah, ok. Interesting stuff. | 18:31 |
lbragstad | that might be one way to avoid allocating more than 64MB of memory | 18:32 |
lbragstad | and take the performance hit of invalidating cache entries more often | 18:33 |
mwynne | Cool | 18:34 |
mwynne | I'll look into that more | 18:34 |
*** dave-mccowan has joined #openstack-keystone | 18:38 | |
*** clenimar has joined #openstack-keystone | 18:40 | |
*** dave-mccowan has quit IRC | 18:44 | |
*** ioggstream has joined #openstack-keystone | 18:44 | |
*** wes_dillingham has joined #openstack-keystone | 18:45 | |
itlinux | hi is there a way to add AD users to local groups? | 19:19 |
itlinux | I wonder if I can do this.. LDAP users to local groups.. by openstack role add --group xxxxxx --users ldap account.. | 19:21 |
itlinux | thanks! | 19:21 |
*** catintheroof has quit IRC | 19:29 | |
*** tesseract has quit IRC | 19:33 | |
*** ioggstream has quit IRC | 19:36 | |
*** dave-mccowan has joined #openstack-keystone | 19:37 | |
*** catintheroof has joined #openstack-keystone | 19:41 | |
*** LobsterRoll has joined #openstack-keystone | 19:41 | |
*** wes_dillingham has quit IRC | 19:43 | |
*** LobsterRoll is now known as wes_dillingham | 19:43 | |
*** catintheroof has quit IRC | 19:45 | |
*** dave-mccowan has quit IRC | 19:49 | |
*** rcernin has joined #openstack-keystone | 19:57 | |
*** itlinux has quit IRC | 20:01 | |
*** aselius has joined #openstack-keystone | 20:09 | |
*** wes_dillingham has quit IRC | 20:11 | |
*** jmlowe has quit IRC | 20:14 | |
*** prashkre has quit IRC | 20:18 | |
*** dave-mccowan has joined #openstack-keystone | 20:33 | |
*** dave-mccowan has quit IRC | 20:38 | |
*** thorst has quit IRC | 20:38 | |
*** McClymontS has joined #openstack-keystone | 20:39 | |
*** itlinux has joined #openstack-keystone | 20:41 | |
*** nkinder has quit IRC | 20:52 | |
cmurphy | lbragstad: hogepodge sorry I was out, sounds like the question got answered? | 21:01 |
cmurphy | itlinux: as far as I know you can't do that, because users and groups are both part of the identity driver and you can only have one backend for a driver | 21:03 |
hogepodge | cmurphy: yes, thanks! | 21:04 |
*** itlinux has quit IRC | 21:07 | |
*** itlinux has joined #openstack-keystone | 21:15 | |
*** McClymontS has quit IRC | 21:27 | |
*** rcernin has quit IRC | 21:28 | |
*** rmascena has quit IRC | 21:31 | |
*** wes_dillingham has joined #openstack-keystone | 21:33 | |
*** itlinux has quit IRC | 21:44 | |
*** wes_dillingham has quit IRC | 21:49 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements https://review.openstack.org/470137 | 22:02 |
openstackgerrit | OpenStack Proposal Bot proposed openstack/pycadf master: Updated from global requirements https://review.openstack.org/470137 | 22:03 |
*** dave-mccowan has joined #openstack-keystone | 22:15 | |
*** thorst has joined #openstack-keystone | 22:24 | |
*** dave-mccowan has quit IRC | 22:24 | |
*** thorst has quit IRC | 22:29 | |
*** itlinux has joined #openstack-keystone | 22:33 | |
*** itlinux has quit IRC | 22:46 | |
*** fried_rice is now known as efried | 23:22 | |
*** thorst has joined #openstack-keystone | 23:27 | |
*** thorst has quit IRC | 23:38 | |
*** thorst has joined #openstack-keystone | 23:49 | |
*** thorst has quit IRC | 23:49 |