Wednesday, 2018-02-07

gagehugo: lbragstad I have not [00:14]
lbragstad: gagehugo: so your battery hasn't imploded... [00:16]
gagehugo: not yet haha [00:18]
gagehugo: my issue may have already been fixed though if I had it [00:18]
lbragstad: when did you get yours? [00:20]
*** r-daneel has quit IRC [00:23]
*** brad[] has joined #openstack-keystone [00:25]
gagehugo: uh [00:26]
gagehugo: mar/april last year [00:26]
gagehugo: mine came up affected [00:27]
gagehugo: I think it's literally a loose screw may be in the laptop [00:27]
lbragstad: ahh [00:29]
*** jessegler has quit IRC [00:37]
*** zhurong has joined #openstack-keystone [00:42]
*** gmann_ has joined #openstack-keystone [01:03]
*** wxy has joined #openstack-keystone [01:08]
openstackgerrit: Merged openstack/keystoneauth master: Zuul: Remove project name https://review.openstack.org/541080 [01:08]
*** gongysh has joined #openstack-keystone [01:10]
*** gongysh has quit IRC [01:20]
wxy: lbragstad: hi [01:22]
lbragstad: wxy: o/ [01:22]
wxy: lbragstad: I don't see JWT topic in https://etherpad.openstack.org/p/keystone-rocky-ptg [01:23]
lbragstad: line 124 [01:23]
lbragstad: :) [01:23]
lbragstad: hackathon [01:23]
wxy: lbragstad: lol. I searched for "JWT".. [01:23]
lbragstad: there - you should be able to search for it now [01:24]
lbragstad: lol [01:24]
*** links has joined #openstack-keystone [01:28]
*** links has quit IRC [01:29]
lbragstad: wxy: added some more details about it [01:30]
*** daidv has joined #openstack-keystone [01:33]
*** gmann_ has quit IRC [01:46]
*** gmann_ has joined #openstack-keystone [01:46]
*** masber has quit IRC [01:59]
*** gyee has quit IRC [02:01]
*** gongysh has joined #openstack-keystone [02:10]
*** Dave has quit IRC [02:11]
*** Dave_ has joined #openstack-keystone [02:11]
*** links has joined #openstack-keystone [02:12]
*** itlinux has joined #openstack-keystone [02:14]
*** Supun has joined #openstack-keystone [02:45]
*** Supun has quit IRC [02:48]
*** Supun has joined #openstack-keystone [02:48]
*** ayoung has joined #openstack-keystone [02:52]
*** namnh has joined #openstack-keystone [03:18]
*** itlinux has quit IRC [03:25]
*** Supun has quit IRC [03:42]
openstackgerrit: Merged openstack/keystone master: Finish refactoring self.*_api out of tests https://review.openstack.org/541074 [03:46]
openstackgerrit: Merged openstack/keystone master: Validate identity providers during token validation https://review.openstack.org/531915 [03:46]
openstackgerrit: Merged openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/540583 [03:47]
openstackgerrit: Merged openstack/keystone master: Add cache invalidation when delete application credential https://review.openstack.org/540324 [04:00]
*** openstackgerrit has quit IRC [04:04]
*** itlinux has joined #openstack-keystone [04:08]
*** mvk has quit IRC [04:21]
*** harlowja has quit IRC [04:32]
*** nicolasbock has quit IRC [04:32]
*** namnh has quit IRC [04:42]
*** daidv has quit IRC [04:44]
*** Suramya has joined #openstack-keystone [04:51]
*** vish_18 has joined #openstack-keystone [04:52]
*** itlinux has quit IRC [05:06]
vish_18: cmurphy: thanks ! [05:09]
*** harlowja has joined #openstack-keystone [05:37]
*** zhurong has quit IRC [05:39]
*** Suramya_ has joined #openstack-keystone [05:40]
*** jaosorior has joined #openstack-keystone [05:50]
*** zhurong has joined #openstack-keystone [05:53]
*** openstackgerrit has joined #openstack-keystone [06:03]
openstackgerrit: Merged openstack/keystone master: Add scope_types to role policies https://review.openstack.org/526171 [06:03]
openstackgerrit: OpenStack Proposal Bot proposed openstack/oslo.policy master: Imported Translations from Zanata https://review.openstack.org/541553 [06:07]
*** annp has joined #openstack-keystone [06:13]
*** vish_18_ has joined #openstack-keystone [06:18]
vish_18_: cmurphy: the original bug can be reproduced when we uncomment max_active_keys = 3 in master [06:21]
vish_18_: cmurphy: and setting driver = blah for fernet provider [06:23]
openstackgerrit: OpenStack Proposal Bot proposed openstack/keystone master: Imported Translations from Zanata https://review.openstack.org/541567 [06:40]
*** harlowja has quit IRC [06:52]
*** AlexeyAbashkin has joined #openstack-keystone [07:22]
*** martinus__ has joined #openstack-keystone [07:42]
*** AlexeyAbashkin has quit IRC [07:42]
*** rcernin has quit IRC [07:48]
*** akrzos has quit IRC [07:50]
*** AlexeyAbashkin has joined #openstack-keystone [07:54]
*** akrzos has joined #openstack-keystone [08:02]
*** annp has quit IRC [08:14]
*** annp has joined #openstack-keystone [08:14]
*** threestrands has quit IRC [08:22]
*** tesseract has joined #openstack-keystone [08:24]
*** zhurong has quit IRC [08:25]
*** zhurong has joined #openstack-keystone [08:26]
*** pcaruana has joined #openstack-keystone [08:38]
*** StefanPaetowJisc has joined #openstack-keystone [08:48]
*** StefanPaetowJisc has quit IRC [08:59]
openstackgerrit: Merged openstack/keystone master: Remove all v2.0 APIs except the ec2tokens API https://review.openstack.org/540141 [09:01]
openstackgerrit: Merged openstack/keystone master: Remove v2.0 extension documentation https://review.openstack.org/540525 [09:01]
*** StefanPaetowJisc has joined #openstack-keystone [09:20]
*** StefanPaetowJisc has quit IRC [09:25]
openstackgerrit: Vishakha Agarwal proposed openstack/keystone master: Delete tokens from DB is not required in case of Fernet. https://review.openstack.org/537322 [09:29]
*** Adri2000 has joined #openstack-keystone [09:56]
Adri2000: hello [09:56]
Adri2000: is there a reason keystone doesn't default to using oslo_cache.memcache_pool? [09:57]
*** pcaruana has quit IRC [09:57]
*** namnh has joined #openstack-keystone [09:57]
openstackgerrit: baiwenteng proposed openstack/python-keystoneclient master: pelling error Keytone https://review.openstack.org/541644 [09:58]
*** Exhar has quit IRC [10:05]
*** sambetts|afk is now known as sambetts [10:10]
*** Exhar has joined #openstack-keystone [10:11]
*** pcaruana has joined #openstack-keystone [10:13]
*** Exhar has quit IRC [10:15]
Adri2000: related question: is it a known issue that the default dogpile.cache.memcached backend leaks open connections? (I've found this old bug report https://bugs.launchpad.net/keystone/+bug/1360446) [10:18]
openstack: Launchpad bug 1360446 in keystonemiddleware "client connection leak to memcached under eventlet due to threadlocal" [Medium,Fix released] - Assigned to Morgan Fainberg (mdrnstm) [10:18]
*** annp has quit IRC [10:22]
*** gongysh has quit IRC [10:33]
*** zhurong has quit IRC [10:35]
openstackgerrit: Merged openstack/keystone master: Update sample configuration file for Queens https://review.openstack.org/541447 [10:37]
*** Dave_ is now known as Dave [10:41]
*** StefanPaetowJisc has joined #openstack-keystone [10:54]
*** pcaruana has quit IRC [11:09]
*** dmellado has quit IRC [11:21]
*** dmellado has joined #openstack-keystone [11:27]
*** namnh has quit IRC [11:28]
*** mvk has joined #openstack-keystone [11:36]
*** nicolasbock has joined #openstack-keystone [11:41]
*** dmellado has quit IRC [11:48]
*** StefanPaetowJisc has quit IRC [11:55]
*** dmellado has joined #openstack-keystone [11:59]
*** edmondsw has joined #openstack-keystone [12:02]
*** raildo has joined #openstack-keystone [12:11]
*** pcaruana has joined #openstack-keystone [12:13]
*** dave-mcc_ has joined #openstack-keystone [12:15]
*** AlexeyAbashkin has quit IRC [12:25]
*** AlexeyAbashkin has joined #openstack-keystone [12:40]
openstackgerrit: Merged openstack/keystone master: Remove the deprecated "giturl" option https://review.openstack.org/533466 [12:51]
*** jmlowe has quit IRC [13:07]
*** gongysh has joined #openstack-keystone [13:15]
openstackgerrit: Suramya proposed openstack/keystone master: Reorganize api-ref: v3-ext trust.inc https://review.openstack.org/531772 [13:25]
openstackgerrit: Suramya proposed openstack/keystone master: Reorganize api-ref: v3-ext trust.inc https://review.openstack.org/531772 [13:32]
*** AlexeyAbashkin has quit IRC [13:34]
*** AlexeyAbashkin has joined #openstack-keystone [13:35]
*** AlexeyAbashkin has quit IRC [13:40]
*** Supun has joined #openstack-keystone [13:41]
*** jmlowe has joined #openstack-keystone [13:46]
*** AlexeyAbashkin has joined #openstack-keystone [13:55]
*** markvoelker has joined #openstack-keystone [13:57]
*** r-daneel has joined #openstack-keystone [14:04]
*** links has quit IRC [14:09]
*** r-daneel has quit IRC [14:12]
*** daidv_ has joined #openstack-keystone [14:13]
*** r-daneel has joined #openstack-keystone [14:31]
openstackgerrit: Colleen Murphy proposed openstack/keystone master: Drop domain id foreign key from user table https://review.openstack.org/539347 [14:33]
lbragstad: our in progress column is *so* close to being empty [14:56]
lbragstad: https://trello.com/b/5F0h9Hoe/keystone-queens-roadmap [14:56]
*** spilla has joined #openstack-keystone [14:57]
cmurphy: \o/ [14:58]
knikolla: o/ [14:59]
lbragstad: we have a few patches with 2 +2s [15:03]
lbragstad: so long as there isn't anything outstanding, we could probably start pushing those through [15:03]
lbragstad: https://review.openstack.org/#/c/540529/ [15:03]
lbragstad: https://review.openstack.org/#/c/540499/ [15:04]
lbragstad: https://review.openstack.org/#/c/539342/ [15:04]
knikolla: lbragstad: nothing like deletion patches to start the day [15:08]
cmurphy: :D [15:08]
lbragstad: mmm fresh cup of coffee, a negative overall diff... what gets better than that? [15:09]
lbragstad: http://lists.openstack.org/pipermail/openstack-dev/2018-February/127039.html is a good idea [15:10]
lbragstad: we used to do that more often when we did midcycle meet ups [15:11]
knikolla: lbragstad: i see references to 35357 in the doc patches, did we reach a consensus on what to do with the second port now that we don't need it? [15:11]
lbragstad: knikolla: yeah - good question.. i have scroll back for you [15:11]
lbragstad: i talked to a couple of the ubuntu maintainers (since cmurphy might be able to help with the suse side and hrybacki might be able to help with the redhat side) [15:12]
lbragstad: knikolla: http://paste.openstack.org/show/664112/ [15:12]
lbragstad: corey is going to work on a patch and reach out when he does [15:13]
lbragstad: once he does that, we should be able to update the second NOTE in our installation guide here - https://docs.openstack.org/keystone/latest/install/keystone-install-ubuntu.html#install-and-configure-components [15:13]
*** Supun has quit IRC [15:14]
lbragstad: and we can simplify our installation guide [15:14]
*** david-lyle has quit IRC [15:15]
knikolla: sweet, but that means i have to -1 the docs patch. [15:15]
lbragstad: which one? [15:15]
knikolla: https://review.openstack.org/#/c/540499 [15:15]
knikolla: do a search&replace for 35357 and make it 5000 [15:16]
knikolla: or that can be a follow up patch. [15:17]
lbragstad: the default apache configuration installed from keystone packages will still listen on port 35357 and 5000 [15:17]
lbragstad: so v3 will be available for both [15:17]
lbragstad: s/for/on/ [15:17]
knikolla: but aren't we going to remove 35357? at least that's what i got out of the convo u linked to [15:18]
lbragstad: most likely, it depends on what they decide to use (they could use ports 80, 443, 5000, etc...) [15:19]
knikolla: i kind of like the /identity path instead of a port. [15:19]
knikolla: and use apache just for proxying. [15:19]
lbragstad: yeah [15:20]
lbragstad: that's an option too [15:20]
lbragstad: the ubuntu packages actually set things up like that [15:20]
lbragstad: https://git.launchpad.net/~ubuntu-server-dev/ubuntu/+source/keystone/tree/debian/keystone.conf#n56 [15:21]
knikolla: lbragstad: our red hat install does the same. [15:21]
lbragstad: cool [15:22]
*** gongysh has quit IRC [15:23]
knikolla: lbragstad: approved all three doc changes. [15:23]
knikolla: we can worry about ports and paths later. [15:24]
lbragstad: knikolla: thanks - i think we should definitely work through that stuff in rocky, probably talk about it at the PTG [15:24]
*** AlexeyAbashkin has quit IRC [15:24]
*** AlexeyAbashkin has joined #openstack-keystone [15:24]
knikolla: sounds good. [15:25]
knikolla: lbragstad: when does master open for rocky? [15:31]
lbragstad: as soon as we get a release candidate cut [15:32]
lbragstad: and we have a stable/queens branch created for keystone [15:32]
lbragstad: then we're technically ready for rocky development [15:32]
openstackgerrit: Merged openstack/keystone master: Fix list users by name https://review.openstack.org/529914 [15:41]
openstackgerrit: Merged openstack/keystone master: Reorganize api-ref: v3-ext trust.inc https://review.openstack.org/531772 [15:41]
*** idlemind has quit IRC [15:46]
*** idlemind has joined #openstack-keystone [15:47]
openstackgerrit: Suramya proposed openstack/keystone master: Reorganize api-ref: v3-ext federation identity-provider https://review.openstack.org/533414 [15:56]
openstackgerrit: Merged openstack/keystone master: Remove v2 and v2-admin API documentation https://review.openstack.org/540529 [16:00]
*** pcaruana has quit IRC [16:03]
*** Supun has joined #openstack-keystone [16:09]
*** david-lyle has joined #openstack-keystone [16:18]
*** gyee has joined #openstack-keystone [16:45]
*** Supun has quit IRC [16:45]
*** markvoelker_ has joined #openstack-keystone [16:47]
*** itlinux has joined #openstack-keystone [16:49]
*** markvoelker has quit IRC [16:49]
openstackgerrit: Colleen Murphy proposed openstack/keystone master: Drop domain id foreign key from user table https://review.openstack.org/539347 [16:54]
openstackgerrit: Merged openstack/keystone master: Remove v2.0 from documentation guides https://review.openstack.org/540499 [16:56]
openstackgerrit: Merged openstack/keystone master: Update curl request documentation to remove v2.0 https://review.openstack.org/539342 [16:56]
*** harlowja has joined #openstack-keystone [17:11]
*** markvoelker_ has quit IRC [17:14]
*** markvoelker has joined #openstack-keystone [17:14]
*** harlowja has quit IRC [17:17]
*** AlexeyAbashkin has quit IRC [17:26]
*** tesseract has quit IRC [17:27]
openstackgerrit: Gage Hugo proposed openstack/keystone master: Reorganize api-ref: v3 os-pki https://review.openstack.org/530459 [17:44]
gagehugo: bah [17:45]
openstackgerrit: Gage Hugo proposed openstack/keystone master: Reorganize api-ref: v3 os-pki https://review.openstack.org/530459 [17:46]
gagehugo: cmurphy: fixed the merge conflict [17:47]
cmurphy: huh i didn't notice it was merge conflicting [17:48]
*** Supun has joined #openstack-keystone [17:59]
*** cfriesen has left #openstack-keystone [18:02]
*** harlowja has joined #openstack-keystone [18:11]
*** Supun has quit IRC [18:11]
lbragstad: gagehugo: nice - thanks [18:15]
*** harlowja has quit IRC [18:18]
*** raildo has quit IRC [18:19]
lbragstad: does anyone want to do a project interview during the PTG? http://lists.openstack.org/pipermail/openstack-dev/2018-February/127085.html [18:19]
lbragstad: cc wxy unified limits would be a good topic [18:19]
lbragstad: knikolla: cmurphy fyi - https://git.launchpad.net/~ubuntu-server-dev/ubuntu/+source/keystone/commit/?id=915d787af42096b0fad715e49759cd357e47787e [18:20]
lbragstad: from coreycb [18:20]
knikolla: lbragstad: yay! [18:20]
lbragstad: that will get rolled out with rc1 [18:21]
lbragstad: so - i guess the next question is, do we need an rc2 if that becomes the new documentation? [18:21]
lbragstad: s/documentation/apache configuration/ [18:21]
lbragstad: do we need new documentation for that configuration? [18:21]
*** raildo has joined #openstack-keystone [18:22]
*** r-daneel_ has joined #openstack-keystone [18:28]
knikolla: lbragstad: a search and replace for 35357 -> 5000 at a minimum [18:28]
lbragstad: ack [18:28]
lbragstad: we should be able to get that done today [18:28]
lbragstad: and merged before tomorrow [18:28]
knikolla: ack, i'll review [18:28]
*** Supun has joined #openstack-keystone [18:28]
*** r-daneel has quit IRC [18:29]
*** r-daneel_ is now known as r-daneel [18:29]
knikolla: we should also have redhat and suse (cmurphy) remove 35357, so that there's consistency [18:29]
knikolla: in their packages [18:29]
cmurphy: yeah i can work on that this week [18:29]
knikolla: cool :) [18:30]
*** Supun has quit IRC [18:38]
*** Supun has joined #openstack-keystone [18:38]
*** sambetts is now known as sambetts|afk [18:41]
*** Supun has quit IRC [18:57]
*** Supun has joined #openstack-keystone [19:00]
mordred: cmurphy, lbragstad: I just found a super-edge-casey bug in keystoneauth version discovery ... requesting version='latest' on a service that does not have any version discovery document but also has an unversioned endpoint in the catalog results in a traceback [19:04]
mordred: instead of falling back to using the endpoint in the catalog [19:04]
kmalloc: mordred: gross [19:05]
mordred: kmalloc: yah. like I said - it's SUPER edge case, and I'll be working with the service in question to get a version discovery document added [19:05]
kmalloc: k [19:05]
*** Exhar has joined #openstack-keystone [19:05]
kmalloc: we should prob. get a bug on it. [19:05]
mordred: yah [19:06]
cmurphy: nice [19:06]
*** Supun has quit IRC [19:09]
cmurphy: hey kmalloc i had a crazy idea, can you tell me if it's ridiculous https://review.openstack.org/#/c/539347/ [19:11]
cmurphy: ayoung is not a fan [19:11]
kmalloc: it's ridiculous, but not sure if good or bad until i look at it ;) [ok that doesn't help heheh] [19:11]
kmalloc: looking [19:11]
cmurphy: :P [19:11]
kmalloc: honestly, i prefer to drop the FK. [19:12]
cmurphy: that's what that does [19:12]
kmalloc: yeah [19:12]
kmalloc: it's a tough sell because it changes behavior(ish) in some cases. [19:12]
kmalloc: the FK was a bad call when it was added [19:13]
kmalloc: let me think about the ramifications, but i'd like to see it go if it doesn't impact things too much [19:13]
cmurphy: thanks kmalloc [19:13]
*** r-daneel_ has joined #openstack-keystone [19:13]
kmalloc: man, i'm cold today. not sure why [19:14]
*** r-daneel has quit IRC [19:14]
*** r-daneel_ is now known as r-daneel [19:14]
cmurphy: i'm rationalizing that since it doesn't break tempest then it's not really changing behavior that badly [19:14]
kmalloc: right. [19:14]
cmurphy: but the counter to that is maybe we don't have enough coverage [19:14]
kmalloc: we def. don't have enough coverage :P [19:15]
cmurphy: lol [19:15]
kmalloc: but that aside... [19:15]
*** jmlowe_ has joined #openstack-keystone [19:16]
*** jmlowe has quit IRC [19:17]
*** knasim-wrs has joined #openstack-keystone [19:17]
knasim-wrs: hi folks, I've migrated my deployment to Fernet and see a degradation in performance around VM Live Migration events [19:18]
knasim-wrs: I am tracking the services (Cinder, Neutron, Nova) to see if the AUTH calls they make out to Keystone in Pike, have increased dramatically. In the meantime I was thinking of enabling caching [19:19]
knasim-wrs: does Keystone offer an in-process cache? Something that does not require integration with Memcached or Redis [19:19]
kmalloc: you should enable caching in general, it improves performance for tokens/validation by a large amount [19:19]
openstackgerrit: Monty Taylor proposed openstack/keystoneauth master: WIP Handle unversioned endpoints with no discovery document https://review.openstack.org/541844 [19:19]
kmalloc: don't do in-process caching [19:19]
kmalloc: you will be sad, because something will cache on some requests but not others [19:20]
kmalloc: and you might get failures/successes because tokens expire/revoke and it is only reflected on some processes [19:20]
knasim-wrs: kmalloc: Thanks. So you're saying enable cache/enabled = True [19:20]
mordred: kmalloc, cmurphy, lbragstad: ^^ that fixes the immediate issue - but clearly needs tests and I left a TODO in there about another check that should be added [19:20]
knasim-wrs: but what about the caching backend? [19:20]
kmalloc: i would, but you should be running with memcache or redis, memcache is the one with the most drivetime [19:20]
kmalloc: keystone ALSO does per-request caching for the data from the DB, but that cache is only to minimize SQL round-trips [19:21]
knasim-wrs: won't be able to get Memcached in the product at this stage... shipping out next month [19:21]
kmalloc: each of the services that use keystonemiddleware should also use caching for the tokens [19:21]
kmalloc: that can be done in-memory, but again, memcache is a much much better choice [19:21]
knasim-wrs: k [19:21]
kmalloc: memcache scales keystone and auth/validation by a lot [19:22]
knasim-wrs: so memcache is better, and I can consider that for our next software release. But for now I am going to enable the internal caches [19:22]
kmalloc: be careful on that. do extensive testing and expect some wonky behavior [19:22]
knasim-wrs: 1) enable caching in the keystonemiddleware in all the services [19:23]
kmalloc: in-process caching in openstack is, imo, a mistake [19:23]
kmalloc: we test in the gate with memcache fwiw. [19:23]
kmalloc: but if you're ok with the edge cases, then it can help for sure. [19:23]
kmalloc: (in-process that is) [19:23]
kmalloc: mordred: thanks [19:24]
kmalloc: mordred: yeah def. need tests. but that is a good starting place. [19:24]
mordred: kmalloc: I happened to have a convenient live-against-public-cloud reproduction case locally so I could verify that that fixes the behavior - figured just pushing it up would record the issue [19:25]
mordred: until we can get it fleshed out more better [19:25]
knasim-wrs: yeah I see that we have the in-process cache enabled in some of our services: [19:25]
knasim-wrs: https://thepasteb.in/p/NxhVxEGNAW8FN [19:26]
knasim-wrs: kmalloc: For the caching backends in keystone I have these options in Pike [19:27]
knasim-wrs: kmalloc: For the caching backends in keystone I have these options in Pike [19:28]
knasim-wrs: https://thepasteb.in/p/P1hvmok0pLkUl [19:28]
*** Supun has joined #openstack-keystone [19:28]
knasim-wrs: set to dogpile.cache.null [19:28]
lbragstad: i was tinkering with dogpile.cache.memcached recently [19:28]
lbragstad: debugging some openstack-ansible issues [19:28]
knasim-wrs: how was it Lance? [19:29]
knasim-wrs: just looking for a stable in-process cache that scales decently [19:29]
knasim-wrs: enough for us to get the product out... right now Live Migration times in Pike after transitioning to Fernet has gone up to 70 seconds [19:29]
knasim-wrs: that is too long [19:29]
knasim-wrs: we were in the 30-45 sec range in Newton [19:30]
lbragstad: the problem we were hitting was with multiple cache backends configured, which keystone should shard data across, making it an even better choice [19:30]
kmalloc: lbragstad: there was some bug around that... i think we fixed it? [19:30]
lbragstad: yep - well, partially [19:30]
lbragstad: i have a link [19:30]
lbragstad: this was the fix https://review.openstack.org/#/c/533314/ [19:31]
kmalloc: yah. that one [19:31]
lbragstad: https://bugs.launchpad.net/keystone/+bug/1743036 [19:31]
openstack: Launchpad bug 1743036 in oslo.cache "Multiple memcached back-end instances breaks caching" [Undecided,Confirmed] - Assigned to Morgan Fainberg (mdrnstm) [19:31]
kmalloc: ugh [19:31]
kmalloc: thought that was it. [19:31]
lbragstad: but - there is a work around for it [19:31]
kmalloc: i have a fix for it, but it's going to be a lot of code [19:32]
lbragstad: it more or less boils down to client issues, based on our last discussions [19:32]
kmalloc: so backend_argument can be used again [19:32]
kmalloc: it is not easy to fix unfortunately [19:32]
*** markvoelker has quit IRC [19:33]
*** markvoelker_ has joined #openstack-keystone [19:33]
*** jmlowe has joined #openstack-keystone [19:33]
*** jmlowe has quit IRC [19:33]
lbragstad: knasim-wrs: i think one place i might start [19:33]
lbragstad: would be to try and install memcached locally with the keystone servers [19:33]
lbragstad: and just let keystone use its own local memcached deployment [19:34]
*** jmlowe_ has quit IRC [19:34]
lbragstad: worst case performance would be a token hitting each server for validation before returning to one that has already validated it [19:34]
lbragstad: (since each memcached instance is going to store its own copy of the token) [19:35]
knasim-wrs: I floated that idea by our architect. We would need to add memcached as a managed service since our platform supports HA (that is services run active-standby) so you can switch over on node failures [19:35]
lbragstad: then you're not dealing with in-process caching per se [19:35]
knasim-wrs: and so that got turned down fast as it's too late in the release cycle [19:36]
lbragstad: :( [19:36]
knasim-wrs: which is why I thought the next best option is in-process caching [19:36]
lbragstad: i see what you mean [19:36]
kmalloc: also, i think newton era had some fernet performance issues... lbragstad correct me if i'm wrong [19:37]
knasim-wrs: now with Fernet tokens I am also getting tons of these error messages: [19:37]
knasim-wrs: https://thepasteb.in/p/RghnlRzyJw5uz [19:37]
lbragstad: it wasn't so much fernet being the problem, but the entire token validation process changed as a result of token writing a token reference to disk [19:37]
kmalloc: knasim-wrs: that is using old tokens with fernet [19:37]
*** AlexeyAbashkin has joined #openstack-keystone [19:37]
kmalloc: those are uuids [19:38]
lbragstad: so - by way of switching to fernet, we uncovered a lot of performance improvements we could make [19:38]
kmalloc: you have things trying to validate uuid tokens. [19:38]
knasim-wrs: jeez [19:38]
lbragstad: the result was a bunch of fixes to our caching implementation to make it more scalable [19:38]
kmalloc: you can only use a single token backend. [19:38]
kmalloc: and old tokens when you switch backends will fail [19:38]
kmalloc: it's expected. [19:39]
lbragstad: right [19:39]
lbragstad: knasim-wrs: do you have to have a graceful turn over? [19:39]
lbragstad: between the switch from UUID -> Fernet? [19:39]
knasim-wrs: we create the fernet repo during bootstrap and then set the provider etc [19:39]
knasim-wrs: so I don't understand how services are sending over UUID tokens [19:40]
knasim-wrs: it also reports this: [19:40]
knasim-wrs: 2018-02-05 21:42:57.766 48706 WARNING keystonemiddleware.auth_token [-] A valid token was submitted as a service token, but it was not a valid service token. This is incorrect but backwards compatible behaviour. This will be removed in future releases. [19:40]
lbragstad: they could be holding on to a token prior to the switch [19:40]
lbragstad: clients should re-authenticate if they get a 404 [19:40]
lbragstad: which will return a new token [19:41]
lbragstad: in the new format [19:41]
knasim-wrs: yeah clients are fine. It is just blowing up performance to authenticate again via Password [19:41]
knasim-wrs: need to investigate further [19:41]
lbragstad: i did an experiment with a graceful switch [19:41]
lbragstad: and i wrote about the changes you'd need to make if you didn't want "token downtime" during the migration from uuid -> fernet [19:42]
lbragstad: https://www.lbragstad.com/blog/migrating-token-formats-without-downtime in case that helps [19:42]
knasim-wrs: beautiful [19:42]
knasim-wrs: i'll look into this to see if we missed anything [19:43]
lbragstad: but it appears something is trying to pass a uuid token after you make the switch to fernet [19:43]
knasim-wrs: as for in-process caching, is dogpile.cache.null ok? [19:43]
knasim-wrs: yeah [19:43]
kmalloc: null is no caching [19:43]
kmalloc: it's a do-nothing cache [19:43]
kmalloc: dogpile.cache.memory should be in-process [19:43]
lbragstad: unless you have half the cluster running uuid and the other half issuing fernet [19:43]
knasim-wrs: yeah that issue needs to be fixed first [19:44]
lbragstad: then token validation is going to be at the mercy of your load balancer algorithm [19:44]
knasim-wrs: yeah we'd have a lot of cache misses if the transition from UUID -> fernet is not graceful or the cache is not flushed on transition [19:45]
knasim-wrs: what is oslo_cache.dict? In process? [19:45]
kmalloc: yeah [19:46]
kmalloc: same thing i think [19:46]
kmalloc: it does some cleanup though [19:46]
kmalloc: oslo_cache.dict is better than dogpile.cache.memory [19:46]
lbragstad: https://github.com/openstack/oslo.cache/blob/master/oslo_cache/backends/dictionary.py [19:47]
mordred: kmalloc: blast [19:49]
kmalloc: mordred: ? [19:49]
kmalloc: didn't work [19:49]
kmalloc: ? [19:49]
mordred: kmalloc: I'd love to be able to use the stuff in oslo.cache in shade/sdk's caching layer [19:50]
kmalloc: ah [19:50]
kmalloc: yeah [19:50]
kmalloc: =/ [19:50]
mordred: kmalloc: but it pulls in oslo.config and friends [19:50]
kmalloc: yup [19:50]
kmalloc: it's why KSA doesn't use it [19:50]
mordred: I wonder if we could just split those dogpile plugins into their own thing [19:50]
*** pcaruana has joined #openstack-keystone [19:52]
kmalloc: well i mean... you could. [19:53]
kmalloc: you lose a bunch of the nice-config stuff that we did for the cache regions [19:54]
kmalloc: but those backends should mostly work with just dogpile.cache [19:54]
kmalloc: maybe need to just vendor the backend into shade (the in-mem one) [19:54]
*** blake has joined #openstack-keystone [19:56]
mordred: kmalloc: yah - I'll poke around at options for that in this next cycle - I could also use some distributed locking support for the rate-limiting task manager [20:01]
kmalloc: right [20:01]
*** jmlowe has joined #openstack-keystone [20:02]
*** Supun has quit IRC [20:04]
*** pcaruana has quit IRC [20:07]
openstackgerrit: Colleen Murphy proposed openstack/keystone master: Drop domain id foreign key from user table https://review.openstack.org/539347 [20:08]
openstackgerrit: Lance Bragstad proposed openstack/keystone master: Replace port 35357 with 5000 for ubuntu guide https://review.openstack.org/541857 [20:09]
lbragstad: cmurphy: knikolla ^ [20:09]
knikolla: easy +2 [20:10]
openstackgerrit: Merged openstack/keystone master: Reorganize api-ref: v3 os-pki https://review.openstack.org/530459 [20:12]
cmurphy: when I install keystone from cloud-archive:queens on ubuntu i still get the old vhost file [20:19]
cmurphy: lbragstad: is that commit just in a staging repo or waiting to be synced somewhere? [20:20]
lbragstad: it apparently is going to be sync'd when RC1 goes out [20:20]
lbragstad: at least when i was talking to coreycb in #openstack-pkg earlier [20:21]
cmurphy: ah okay [20:21]
*** AlexeyAbashkin has quit IRC [20:33]
*** mvk_ has joined #openstack-keystone [20:34]
*** blake has quit IRC [20:36]
*** mvk has quit IRC [20:36]
*** blake has joined #openstack-keystone [20:36]
*** blake has quit IRC [20:48]
*** blake has joined #openstack-keystone [20:48]
*** dave-mcc_ has quit IRC [20:49]
*** dave-mccowan has joined #openstack-keystone [20:50]
*** blake__ has joined #openstack-keystone [20:50]
*** blake has quit IRC [20:53]
*** blake__ is now known as blake [20:55]
*** timothyb89 has quit IRC [21:09]
*** timothyb89 has joined #openstack-keystone [21:10]
openstackgerrit: Merged openstack/oslo.policy master: Imported Translations from Zanata https://review.openstack.org/541553 [21:16]
openstackgerrit: Lance Bragstad proposed openstack/keystone-specs master: Repropose JWT specification for Rocky https://review.openstack.org/541903 [21:17]
openstackgerrit: Merged openstack/keystone master: Replace port 35357 with 5000 for ubuntu guide https://review.openstack.org/541857 [21:23]
*** Suramya has quit IRC [21:23]
*** Suramya_ has quit IRC [21:23]
*** raildo has quit IRC [21:24]
lbragstad: cmurphy: you don't know if rderose has looked at https://review.openstack.org/#/c/539347/14 yet, do you? [21:31]
lbragstad: it doesn't look like he's commented on it [21:33]
lbragstad: i remember he was in a session with dstanek for like a day figuring out the whole multiple user references thing [21:34]
cmurphy: lbragstad: i haven't talked to him about it [21:35]
lbragstad: i might send an email to see if he'd be able to take a look at it [21:35]
lbragstad: since i don't see him on irc [21:35]
cmurphy: okay [21:35]
*** threestrands has joined #openstack-keystone [21:39]
*** panbalag has left #openstack-keystone [21:46]
*** spilla has quit IRC [22:07]
lbragstad: curious if anyone wants to give https://bugs.launchpad.net/keystone/+bug/1748027 a read [22:07]
openstack: Launchpad bug 1748027 in OpenStack Identity (keystone) "The v3 users API should account for different scopes" [Undecided,New] [22:07]
lbragstad: before i start creating a bunch of them for every FIXME we landed in policies for scope_types [22:07]
*** r-daneel has quit IRC [22:08]
cmurphy: lbragstad: lgtm [22:09]
lbragstad: sweet [22:09]
*** rcernin has joined #openstack-keystone [22:25]
lbragstad: stepping away for a bit, i'll be on tonight though [22:33]
*** knasim-wrs has quit IRC [22:34]
*** blake has quit IRC [22:45]
*** blake has joined #openstack-keystone [22:46]
*** itlinux has quit IRC [22:50]
*** blake has quit IRC [22:52]
*** martinus__ has quit IRC [22:53]
*** masber has joined #openstack-keystone [23:27]
*** edmondsw has quit IRC [23:37]
*** itlinux has joined #openstack-keystone [23:43]
*** dave-mccowan has quit IRC [23:45]
*** markvoelker_ has quit IRC [23:45]
*** dave-mccowan has joined #openstack-keystone [23:47]
