Tuesday, 2018-03-27

« Monday, 2018-03-26 Index Wednesday, 2018-03-28 »
*** panbalag has joined #openstack-keystone00:10
*** dave-mccowan has quit IRC00:10
*** odyssey4me has quit IRC00:11
*** odyssey4me has joined #openstack-keystone00:11
*** mvk has quit IRC00:16
*** panbalag has quit IRC00:18
*** rcernin has quit IRC00:19
*** rcernin has joined #openstack-keystone00:19
*** eEbx has quit IRC00:21
*** eEbx has joined #openstack-keystone00:21
*** Dinesh_Bhor has joined #openstack-keystone00:24
*** zhurong has joined #openstack-keystone00:27
*** mvk has joined #openstack-keystone00:29
*** NM has joined #openstack-keystone00:38
*** felipemonteiro has quit IRC00:39
*** NM has quit IRC00:43
*** harlowja has quit IRC00:53
*** voelzmo has joined #openstack-keystone01:09
*** annp has quit IRC01:10
*** annp has joined #openstack-keystone01:11
*** felipemonteiro has joined #openstack-keystone01:19
*** gyankum has joined #openstack-keystone01:27
*** voelzmo has quit IRC01:32
*** germs has joined #openstack-keystone01:52
*** germs has quit IRC01:52
*** germs has joined #openstack-keystone01:52
openstackgerritwanghui proposed openstack/keystone master: Move openstackdocstheme to extensions in api-ref  https://review.openstack.org/55670401:55
*** germs has quit IRC01:57
*** zhurong has quit IRC01:58
*** voelzmo has joined #openstack-keystone02:05
*** dave-mccowan has joined #openstack-keystone02:15
*** namnh has joined #openstack-keystone02:16
*** felipemonteiro has quit IRC02:20
*** dikonoo has joined #openstack-keystone02:21
*** dikonoor has quit IRC02:21
*** gyee has quit IRC02:26
*** daidv has joined #openstack-keystone02:34
*** voelzmo has quit IRC02:38
*** voelzmo has joined #openstack-keystone03:01
*** zhurong has joined #openstack-keystone03:23
*** voelzmo has quit IRC03:34
*** dave-mccowan has quit IRC03:49
*** voelzmo has joined #openstack-keystone03:51
*** germs has joined #openstack-keystone03:53
*** germs has quit IRC03:53
*** germs has joined #openstack-keystone03:53
*** germs has quit IRC03:58
openstackgerritwangxiyuan proposed openstack/oslo.limit master: Init repo  https://review.openstack.org/55674404:02
*** voelzmo has quit IRC04:16
*** annp has quit IRC04:26
*** markvoelker has quit IRC04:27
*** AlexeyAbashkin has joined #openstack-keystone04:33
*** AlexeyAbashkin has quit IRC04:37
*** zhurong has quit IRC04:39
*** Dinesh_Bhor has quit IRC05:01
*** Dinesh_Bhor has joined #openstack-keystone05:03
*** dikonoo has quit IRC05:11
*** dikonoo has joined #openstack-keystone05:12
*** Mujahid has joined #openstack-keystone05:20
*** Mujahid has quit IRC05:25
*** markvoelker has joined #openstack-keystone05:28
*** germs has joined #openstack-keystone05:54
*** germs has quit IRC05:54
*** germs has joined #openstack-keystone05:54
*** germs has quit IRC05:59
*** dangtrinhnt has joined #openstack-keystone06:11
*** annp has joined #openstack-keystone06:12
*** namnh_ has joined #openstack-keystone06:17
*** namnh has quit IRC06:20
*** namnh has joined #openstack-keystone06:21
*** namnh_ has quit IRC06:21
*** namnh_ has joined #openstack-keystone06:22
*** namnh has quit IRC06:26
*** aojea has joined #openstack-keystone06:31
*** martinus__ has joined #openstack-keystone06:40
*** aojea has quit IRC06:40
*** pcaruana has joined #openstack-keystone06:53
*** jaosorior has quit IRC07:02
*** tesseract has joined #openstack-keystone07:15
*** rcernin has quit IRC07:25
*** gongysh has joined #openstack-keystone07:43
*** dims_ has joined #openstack-keystone07:48
*** dims has quit IRC07:49
*** AlexeyAbashkin has joined #openstack-keystone07:51
*** zhurong has joined #openstack-keystone07:53
*** jaosorior has joined #openstack-keystone07:53
*** germs has joined #openstack-keystone07:54
*** germs has quit IRC07:54
*** germs has joined #openstack-keystone07:54
*** germs has quit IRC07:59
*** mvk has quit IRC08:27
*** gyankum has quit IRC08:41
*** gyan_ has joined #openstack-keystone08:41
*** gyan__ has joined #openstack-keystone08:44
*** gyan_ has quit IRC08:47
*** mvk has joined #openstack-keystone08:55
*** Dinesh_Bhor has quit IRC08:56
*** zhurong has quit IRC09:00
*** ilush has joined #openstack-keystone09:20
*** mvk has quit IRC09:36
*** mvk has joined #openstack-keystone09:37
*** germs has joined #openstack-keystone09:55
*** germs has quit IRC10:00
*** gyan_ has joined #openstack-keystone10:03
*** gyan__ has quit IRC10:05
*** gyan__ has joined #openstack-keystone10:05
*** gyan_ has quit IRC10:08
*** gongysh has quit IRC10:11
*** namnh_ has quit IRC10:18
*** gongysh has joined #openstack-keystone10:28
*** zhurong has joined #openstack-keystone10:31
*** gyan__ has quit IRC10:34
*** gyan__ has joined #openstack-keystone10:36
*** AlexeyAbashkin has quit IRC11:05
*** AlexeyAbashkin has joined #openstack-keystone11:07
*** marius1 has joined #openstack-keystone11:08
*** openstackgerrit has quit IRC11:33
*** gyan__ has quit IRC11:34
*** marius1 has quit IRC11:42
*** panbalag has joined #openstack-keystone11:50
*** ilush has quit IRC11:52
*** panbalag has quit IRC11:54
*** gongysh has quit IRC11:54
*** germs has joined #openstack-keystone11:56
*** germs has quit IRC11:56
*** germs has joined #openstack-keystone11:56
*** germs has quit IRC12:01
*** edmondsw has joined #openstack-keystone12:13
*** ilush has joined #openstack-keystone12:19
*** raildo has joined #openstack-keystone12:20
*** NM has joined #openstack-keystone12:27
*** zhurong has quit IRC12:27
*** markvoelker has quit IRC12:28
*** markvoelker has joined #openstack-keystone12:28
*** aojea has joined #openstack-keystone12:38
*** voelzmo has joined #openstack-keystone12:40
*** dave-mccowan has joined #openstack-keystone12:41
*** odyssey4me has quit IRC12:43
*** odyssey4me has joined #openstack-keystone12:43
*** voelzmo has quit IRC12:53
*** aojea has quit IRC12:54
*** tmcm has joined #openstack-keystone13:04
tmcmhello.13:04
tmcmi'm encountering some problems with a keystone database migration13:04
tmcm2018-03-27 08:57:12.882 22821 INFO migrate.versioning.api [-] 13 -> 14...13:04
tmcm2018-03-27 08:57:12.949 22821 CRITICAL keystone [-] Unhandled error: DBMigrationError: (pymysql.err.IntegrityError) (1452, u'Cannot add or update a child row: a foreign key constraint fails (`keystone`.`user`, CONSTRAINT `user_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `project` (`id`))') [SQL: u'UPDATE user SET domain_id=%(domain_id)s WHERE user.id = %(id_1)s'] [parameters: {u'id_1': u'74aad9087e11452babbe657276b4d006', 'domain_id':13:04
tmcmu'0b7ac3f80ecf4347a683c5ec8570bf6a'}]13:04
tmcmhas anyone seen something like this before?13:05
*** panbalag has joined #openstack-keystone13:17
*** jdennis has quit IRC13:19
*** jdennis has joined #openstack-keystone13:20
knikollalbragstad: is this the same as that other one? ^^13:21
*** jaosorior has quit IRC13:33
*** panbalag has quit IRC13:37
lbragstadknikolla: looksl ike it13:42
knikollalbragstad: makes me wonder if we can at all support online migrations13:43
knikollathat specific migration is going to lock the table for reads too13:43
knikollaor fail when a read is happening.13:43
lbragstador propose a backport that allows the migration to be successful13:44
knikollaoh wait. this is in mysql. the other was in postgresql?13:44
lbragstadthat might be a good thing to work on for office hours13:44
lbragstadyeah - one of the ones i looked at was using postgres13:45
*** panbalag has joined #openstack-keystone13:45
*** mchlumsky has joined #openstack-keystone13:48
tmcmlbragstad: should it be possible to upgrade the keystone db from mitaka to queens?13:49
lbragstadit should be...13:49
lbragstadall migrations should be in available in the queens source13:50
cmurphymy proposal to drop that foreign key is looking a whole lot better now i bet :P13:50
lbragstadyeah - it is13:50
lbragstadsomeone opened a bug for this last time we talked about it, right?13:51
lbragstadthis is the one? https://bugs.launchpad.net/keystone/+bug/175590613:51
openstackLaunchpad bug 1755906 in OpenStack Identity (keystone) "Occasional deadlock during db_sync --contract during Newton to Pike live upgrade" [High,Confirmed]13:52
tmcmi see the following:13:52
tmcm2018-03-27 09:51:23.348 24059 INFO migrate.versioning.api [-] 108 -> 109...13:52
tmcm2018-03-27 09:51:23.793 24059 INFO migrate.versioning.api [-] done13:52
tmcm2018-03-27 09:51:23.914 24059 INFO migrate.versioning.api [-] 0 -> 1...13:52
tmcm2018-03-27 09:51:23.945 24059 INFO migrate.versioning.api [-] done13:52
tmcmis that expected?13:52
tmcmi'm starting at 9613:52
lbragstadtmcm: what you're seeing there is all the old/legacy migrations being run13:53
tmcmok13:53
lbragstadfor context - all migration scripts were kept in a single directory prior to rolling upgrade support13:53
lbragstadhttps://github.com/openstack/keystone/tree/master/keystone/common/sql/migrate_repo/versions13:53
cmurphylbragstad: yeah that's the one13:54
lbragstadthen when we started working on the rolling upgrade requirements, we essentially froze that migration repository in favor of the expand, migrate, contract, repositories (which are located two directories up)13:54
lbragstadhttps://github.com/openstack/keystone/tree/master/keystone/common/sql13:55
lbragstadtmcm: so - on a fresh install for example, db_sync will run all the "legacy" migrations, then it will run all the "expand" scripts, then "migrate", and finish with "contract"13:55
tmcmgood, your explanation matches my understanding13:56
tmcmhowever, i'm crashing in migrate13:56
tmcm2018-03-27 09:55:16.209 24143 INFO migrate.versioning.api [-] 13 -> 14...13:57
tmcm2018-03-27 09:55:16.368 24143 CRITICAL keystone [-] Unhandled error: DBMigrationError: (pymysql.err.IntegrityError) (1452, u'Cannot add or update a child row: a foreign key constraint fails (`keystone`.`user`, CONSTRAINT `user_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `project` (`id`))') [SQL: u'UPDATE user SET domain_id=%(domain_id)s WHERE user.id = %(id_1)s'] [parameters: {u'id_1': u'74aad9087e11452babbe657276b4d006', 'domain_id':13:57
tmcmu'0b7ac3f80ecf4347a683c5ec8570bf6a'}]13:57
*** germs has joined #openstack-keystone13:57
tmcmlooking at that module now13:57
lbragstadtmcm: would you be able to put a full trace in http://paste.openstack.org/ ?13:57
lbragstadsans sensitive information, if any...13:58
tmcmi'm looking in the repo now.  what is the difference between migrate_repo and data_migration_repo13:59
*** jamielennox has quit IRC14:01
*** germs has quit IRC14:02
*** jamielennox has joined #openstack-keystone14:02
*** r-daneel has joined #openstack-keystone14:02
lbragstadtmcm: migrate_repo is the "legacy" repository14:02
tmcmgot it14:02
lbragstadtmcm: https://docs.openstack.org/keystone/latest/contributor/database-migrations.html does a better job explaining the purpose and use of each14:02
tmcmthank you14:03
*** jaosorior has joined #openstack-keystone14:03
tmcmhttp://paste.openstack.org/show/715408/14:04
tmcmthat is from just "keystone-manage db_sync"14:05
lbragstadhmm - that looks slightly different that what was reported in https://bugs.launchpad.net/keystone/+bug/175590614:07
openstackLaunchpad bug 1755906 in OpenStack Identity (keystone) "Occasional deadlock during db_sync --contract during Newton to Pike live upgrade" [High,Confirmed]14:07
lbragstadhttps://github.com/openstack/keystone/blob/9c2e977b7e1764b20a9d2f5b0df44869445f50c5/keystone/common/sql/data_migration_repo/versions/014_migrate_add_domain_id_to_user_table.py14:08
lbragstadthis was actually something that was written in ocata, i think14:09
tmcmyeah, i'm looking at that now14:09
lbragstaddoes domain 0b7ac3f80ecf4347a683c5ec8570bf6a not exist?14:10
tmcmactually, it looks pretty similar to me given that #1755906 references postgres and i've got mariadb14:11
tmcmumm14:11
tmcmhold on14:11
lbragstadthe trace from 1755906 is showing it failing during contract due to deadlock14:11
tmcmoh14:12
tmcmhrm14:12
tmcmugh, damn14:16
lbragstadit looks like it's tripping on https://github.com/openstack/keystone/blob/9c2e977b7e1764b20a9d2f5b0df44869445f50c5/keystone/common/sql/data_migration_repo/versions/014_migrate_add_domain_id_to_user_table.py#L43-L4514:16
tmcmthat domain does not exist14:16
tmcmi wonder htf that happened14:16
*** ykarel has joined #openstack-keystone14:17
ykarelHi can someone look my comment on https://review.openstack.org/#/c/543060/5 and confirm14:17
lbragstadtmcm: is that a federated user?14:17
lbragstadlooks like it might be by reading the migration14:18
lbragstadykarel: oh - yes... that will get cleaned up14:18
lbragstador it can14:18
lbragstadwe have a couple configuration options to clean up, too14:18
ykarellbragstad, is it tracked somewhere, bug or bp?14:19
lbragstadykarel: a bug would work14:19
lbragstador we could just remove it and associate it with the removed-as-of-rocky blueprint14:19
lbragstadthe second option is more appropriate, imo14:19
ykarellbragstad, Ok14:20
ykarelplease track it somewhere so it isn't missed14:20
lbragstadykarel: if it makes you feel better, feel free to open a bug14:21
*** panbalag has left #openstack-keystone14:23
ykarellbragstad, Ok will open may be tomorrow14:24
tmcm|  8 | 74aad9087e11452babbe657276b4d006 | 0b7ac3f80ecf4347a683c5ec8570bf6a | heat_domain_admin |14:25
tmcmi should probably just nuke that.  heat is not even truly activated in my mitaka production cloud14:27
lbragstadykarel: done - https://bugs.launchpad.net/keystone/+bug/175928914:28
openstackLaunchpad bug 1759289 in OpenStack Identity (keystone) "keystone-manage token_flush fails unexpectedly" [Undecided,New]14:28
ykarellbragstad, ack14:28
*** ykarel is now known as ykarel|away14:29
lbragstadtmcm: interesting, that user must have existed prior to the domain unique constraint14:29
tmcmi believe so14:29
lbragstadtmcm: you could try and create that domain14:31
lbragstador just create *a* domain, then update that user's domain to the freshly created one14:31
lbragstad(just incase anyone is using that account)14:31
lbragstadbut it doesn't sound like that is the case14:31
lbragstadkmalloc: do we need to deprecate keystone-manage commands when the backing functionality has been removed (e.g. keystone-manage token_flush)?14:32
tmcmi'm certain no one is using that account14:33
tmcmdeleting that user before the db_sync allows it to finish14:33
tmcmthanks!14:33
lbragstadtmcm: no problem14:33
*** wxy| has joined #openstack-keystone14:33
*** mchlumsky has quit IRC14:34
tmcmon to the next database migration problem :)  (glance, iirc)14:34
lbragstadlol14:39
*** spilla has joined #openstack-keystone14:39
*** mchlumsky has joined #openstack-keystone14:41
kmalloclbragstad: deprecate, yeah, just so we don't break anyone (make them do nothing but emit a warning)14:43
*** ykarel|away has quit IRC14:46
*** felipemonteiro has joined #openstack-keystone14:57
*** felipemonteiro_ has joined #openstack-keystone15:04
*** voelzmo has joined #openstack-keystone15:06
*** pcaruana has quit IRC15:10
*** dikonoo has quit IRC15:11
*** jaosorior has quit IRC15:12
*** germs has joined #openstack-keystone15:13
*** germs has quit IRC15:13
*** germs has joined #openstack-keystone15:13
*** ykarel|away has joined #openstack-keystone15:15
*** germs has quit IRC15:18
*** ilush has quit IRC15:20
*** openstackgerrit has joined #openstack-keystone15:26
openstackgerritLance Bragstad proposed openstack/keystone master: Log warning when using token_flush  https://review.openstack.org/55688915:26
*** gagehugo has quit IRC15:43
*** gagehugo has joined #openstack-keystone15:44
*** spilla has quit IRC15:48
*** spilla has joined #openstack-keystone15:48
*** spilla has quit IRC15:53
*** gyee has joined #openstack-keystone16:00
kmallocLbradstad: I would, so we don't break tooling, but we can gut it to just a warning "hey don't do this" in one fell swoop16:00
*** germs has joined #openstack-keystone16:01
*** germs has quit IRC16:01
*** germs has joined #openstack-keystone16:01
kmallocIrccloud on mobile browser got worse, no name completion now :(16:01
lbragstadkmalloc: i took a crack at it https://review.openstack.org/#/c/556889/16:02
kmallocCool.16:02
lbragstadreminder that the keystone weekly meeting is happening in #openstack-meeting-alt16:02
*** voelzmo has quit IRC16:08
*** germs_ has joined #openstack-keystone16:08
*** germs has quit IRC16:10
*** dave-mccowan has quit IRC16:10
*** mvk has quit IRC16:11
*** germs_ has quit IRC16:11
*** germs has joined #openstack-keystone16:12
*** germs has quit IRC16:12
*** germs has joined #openstack-keystone16:12
*** germs has quit IRC16:22
*** pcaruana has joined #openstack-keystone16:25
*** felipemonteiro has quit IRC16:28
*** germs has joined #openstack-keystone16:29
*** germs has quit IRC16:29
*** germs has joined #openstack-keystone16:29
*** germs has quit IRC16:32
openstackgerritMerged openstack/keystone master: Updated from global requirements  https://review.openstack.org/55640516:33
*** pcichy has joined #openstack-keystone16:37
*** germs has joined #openstack-keystone16:43
*** germs has quit IRC16:43
*** germs has joined #openstack-keystone16:43
*** felipemonteiro_ has quit IRC16:45
*** david-lyle has joined #openstack-keystone16:46
*** jgr is now known as jgrassler16:53
*** dikonoo has joined #openstack-keystone16:53
*** germs_ has joined #openstack-keystone16:55
*** germs has quit IRC16:56
*** dave-mccowan has joined #openstack-keystone16:56
*** NM has quit IRC16:56
hrybackiproposed OO topics: Grooming the list we just talked about and then doing spec reviews we didn't get to?17:00
*** NM has joined #openstack-keystone17:00
*** NM has quit IRC17:01
lbragstad#startmeeting keystone-office-hours17:01
openstackMeeting started Tue Mar 27 17:01:33 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.17:01
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.17:01
*** openstack changes topic to " (Meeting topic: keystone-office-hours)"17:01
*** ChanServ changes topic to "Queens release schedule: https://releases.openstack.org/queens/schedule.html | Meeting agenda: https://etherpad.openstack.org/p/keystone-weekly-meeting | Bugs that need triaging: http://bit.ly/2iJuN1h | Trello: https://trello.com/b/wmyzbFq5/keystone-rocky-roadmap"17:01
openstackThe meeting name has been set to 'keystone_office_hours'17:01
hrybackibridge is open btw: https://redhat.bluejeans.com/8559013623/17:01
* lbragstad grabs water quick17:02
lbragstadi'll be on in about 3 minutes17:02
* hrybacki visits a water closet17:02
*** NM has joined #openstack-keystone17:03
cmurphy:/ guys i love your faces but i can't have a multi-hour video conference every week, that starts to feel a lot like work17:03
gagehugowhen you have them everyday, why not have another one?17:05
gagehugo:(17:05
hrybackivideo calls are the only way I can stay on topic these days -_- my current role is wrecking me17:05
*** wxy| has quit IRC17:05
cmurphyi'm starting an etherpad for the help wanted list https://etherpad.openstack.org/p/keystone-help-wanted-list17:08
cmurphyif you need my input on the call just ping me17:08
hrybackiadding that to the OO etherpad cmurphy17:10
kmalloccmurphy: can i entice you with doggo cam again? (soon to be puppy cam too)17:10
kmalloc(2 more weeks and puppy arrives)17:11
cmurphykmalloc: hmmmmmmmm maybe17:11
kmalloccmurphy: ooh sec.17:11
cmurphypuppies aside a video call isn't easily reconsumeable even if it's recorded, so it's harder for say wxy to come back to it and figure out what happened17:12
*** felipemonteiro_ has joined #openstack-keystone17:14
lbragstadtrue17:17
kmallochttps://usercontent.irccloud-cdn.com/file/ss1edaf7/OMG%20PUPPY17:18
kmallocFor your puppy consumption needs.17:18
hrybackiThe video call was so that someone can drive a specific conversation e.g. look at this review with me. Like, someone outside of the core team for example could ask for more immediate input and get feedback if they are having troubles with just comments on reviews17:19
*** dave-mccowan has quit IRC17:19
cmurphythey can do that on irc17:19
cmurphyand we can jump on a call if irc isn't cutting it for a given discussion17:20
hrybackiI guess I was shooting for some consistency17:20
*** AlexeyAbashkin has quit IRC17:21
hrybackibut it is what the team wants :)17:21
gagehugoyeah I like the video call for focused conversation (ie reviews,specs)17:21
gagehugobut otherwise irc can probably cover most of what we need17:22
cmurphyplease go ahead with it, it's just evening here for me so i'm going to relax and stuff and am available if needed specifically17:22
*** spilla has joined #openstack-keystone17:29
lbragstadjgrassler: updated https://review.openstack.org/#/c/396331/20 to summarize the meeting17:31
*** dave-mccowan has joined #openstack-keystone17:34
jgrasslerlbragstad: Thanks!17:34
lbragstadjgrassler: no problem17:34
jgrasslerlbragstad: I'll update the spec tomorrow morning (gotta dash now)17:34
lbragstadjgrassler: yeah - no worries17:34
*** NM has quit IRC17:39
*** tesseract has quit IRC17:40
*** NM has joined #openstack-keystone17:43
lbragstadhrybacki: reviewed https://review.openstack.org/#/c/523973/17:45
hrybackilbragstad: ack, thank you! looking now17:45
lbragstadlooks good, just a few suggestions, but I think we can probably take this to some of the other projects and get feedback17:45
hrybackilbragstad: ack. Need folks to ask a few hard questions so we can flesh it out in a meaningful way rather than just speculating imo17:46
*** dikonoo has quit IRC17:49
*** pcaruana has quit IRC17:51
*** spilla has quit IRC17:59
kmalloclbragstad: the mysql and pgsql errors are different18:00
kmallocone is an issue, loosk like with the dataset18:00
kmallocthe other is a deadlock18:00
lbragstadhuh18:01
lbragstadfor mysql, are you specifically referencing the issue brought up this morning by tmcm?18:01
kmallocyep18:01
kmallocthat looks to be an issue with the FK constraint cannot be made, there is bad data18:01
kmalloclike project.id reference in a column that doesn't exist in the project table18:02
kmalloc(example)18:02
lbragstadkmalloc: yeah - we found out that the domain being referenced didn't actually exist18:02
kmallocyep18:02
kmallocthe hard part here is... we don't really test pgsql18:02
kmallocthis might be a pgsql issue18:02
lbragstadthere was some discussion about postgres support, but i don't know where that ended up18:03
kmallocwell, let me check the gate, but... i think we aren't testing pgsql meaningfully18:03
openstackgerritLance Bragstad proposed openstack/keystone master: Log warning when using token_flush  https://review.openstack.org/55688918:03
lbragstadi thought i remember various TC members being involved there18:03
lbragstadiirc - it was a long discussion and i never kept up with it18:04
gyeelbragstad: https://bugs.launchpad.net/keystone/+bug/175846018:04
openstackLaunchpad bug 1758460 in OpenStack Identity (keystone) "UUID (or any persistent) token providers unable to validate federation token" [Undecided,New]18:04
gyeetell me with a straight face, how much do we care about UUID provider at this point, even in stable/pike :-)18:04
kmallocgyee: not18:05
kmallocgyee: it was deleted in Rocky18:05
gyeeheh18:05
gyeegotta ask18:05
kmallocif it is a major bug, we can fix as long as P isn't EOL18:05
kmallocand if the bug is in Q, we can address it18:05
gyeeP is near EOL18:05
lbragstadgyee: i already pulled that plug18:05
cmurphylbragstad: it got a resolution https://governance.openstack.org/tc/resolutions/20170613-postgresql-status.html but it was not really a real decision18:06
lbragstadand started rewriting all the interfaces in that part of keystone18:06
kmallocbut frankly, i wouldn't care about the P bug unless it's critical, and if the bug is in Q too18:06
kmallocsince technically we support uuid in both P and Q18:06
gyeethat bug's been there since P18:06
gyeeonly for UUID provider though18:06
kmallocas a stable core, i'd merge a fix for Q and backport to P18:06
kmallocbut i wouldn't write the code myself.18:07
kmallocif that helps you out18:07
gyeethat's enough info for me to convey back to the decision makers :-)18:08
gyeethanks guys18:08
kmallocgyee: and i say that as the only keystone-stable-core member :P18:08
kmallocgyee: my recommendation to the decision makers is "fernet"18:08
gyeekmalloc, agree18:09
kmallocgyee: if you are writing the fix, propose straight to Q but comment that it cannot be merged to master because uuid has been removed.18:09
gyeekmalloc, nah, I'll push for fernet, no point of touching UUID18:09
kmallocand once it's good (inc. a test) port to P18:09
kmalloci figured18:09
kmallocbut just in case you have to ;)18:10
kmallocand then ping me directly so we can push it through (if you end up needing it)18:10
cmurphygyee: with my internal hat on, our other product already does fernet so you could copy that implementation :)18:10
gyeecmurphy, most of the stuff are already there, just the rotation bit needs work18:11
kmalloclbragstad: i'm also going to reference the TC resolution regarding PGSQL there.18:12
kmalloclbragstad: it's going to take a bit more work to know what and why PG is having the issues.18:12
kmalloclbragstad: i'm guessing it is an issue with load on the DB and a table lock.18:12
kmalloclbragstad: possibly a delete operation18:12
*** voelzmo has joined #openstack-keystone18:18
lbragstadgyee: in case you're interested https://review.openstack.org/#/q/status:open+project:openstack/keystone+branch:master+topic:token-provider-refactor18:19
lbragstadi'm not sure if you are maintaining an out-of-tree token provider anywhere18:19
*** voelzmo_ has joined #openstack-keystone18:20
lbragstadkmalloc: you mean reference it in the bug?18:20
gyeelbragstad, no out-of-tree, I got pulled in to reverify the federation stuff recently18:20
lbragstadgyee: oh18:20
gyeebut I haven't touch that stuff in awhile18:20
kmalloclbragstad: yeah18:20
lbragstadkmalloc: ok18:20
*** felipemonteiro__ has joined #openstack-keystone18:21
kmalloclbragstad: just commented on the code18:21
kmalloclbragstad: i think we might need zzzeek to help us here.18:21
hrybackilbragstad: where was that community tag stuff doc'd again?18:22
hrybackilbragstad: disregard18:22
lbragstadhere? https://governance.openstack.org/tc/reference/tags/index.html18:22
lbragstadkmalloc: thanks for digging18:22
hrybackiaye18:22
*** voelzmo has quit IRC18:22
hrybackilbragstad: update pushed18:24
* hrybacki fetches lunch18:24
*** felipemonteiro_ has quit IRC18:25
lbragstadsweet18:26
kmalloclbragstad: i downgraded the bug to medium18:27
kmallocit's PGonly and it's contract18:28
lbragstadkmalloc: ack - so we're waiting on feedback then?18:28
kmalloczzzeek: if you could help out some, trying to chase down potential deadlocks in a contract phase https://bugs.launchpad.net/keystone/+bug/175590618:28
openstackLaunchpad bug 1755906 in OpenStack Identity (keystone) "Occasional deadlock during db_sync --contract during Newton to Pike live upgrade" [Medium,Confirmed]18:28
kmalloczzzeek: i just don't see it, and it's happening in PG but not MySQL AFAICT18:28
*** AlexeyAbashkin has joined #openstack-keystone18:35
zzzeekkmalloc: we're spuporting postgresql again?18:35
kmalloczzzeek: no, just a best effort, feel free to say "not my problem/can't help"18:36
zzzeekkmalloc: postgresql is very locky at the DDL level18:36
kmallocjust said I would ask -- mostly to be sure we aren't doing something dumb that could bite us in MySQL as well18:36
kmalloczzzeek: yeah PG is very locky for integrity reasons(tm)18:36
zzzeekkmalloc: so, what did you have in mind here?18:37
kmallocif you could look at the migration and give a "yeah no clear issues that would impact, this is an edge case"18:38
kmallocthat is good for me18:38
zzzeekkmalloc: are the deadlocks against the normal app server running SELECT statements?18:38
kmallocthe deadlock is happening in a contract phase (new FK constraint) while selects are happening18:38
openstackgerritGage Hugo proposed openstack/keystone master: Make tags filter match subset rather than exact  https://review.openstack.org/55310818:39
gagehugolbragstad added a releasenote18:39
*** AlexeyAbashkin has quit IRC18:39
kmallocthis is the no-downtime(limited downtime) upgrade thing18:39
kmalloczzzeek: this is the migrtation in question https://github.com/openstack/keystone/blob/master/keystone/common/sql/contract_repo/versions/014_contract_add_domain_id_to_user_table.py18:40
zzzeekkmalloc: this is adding a foreign key in the contract, huh18:41
kmallocbecause we can't add the forign key in expand... lets just say the no-downtime thing has been headaches18:42
kmallocand pivoting the whole table is also... very detrimental18:42
zzzeekkmalloc: i dont see a quick win on this thered' ahve to be some hey make sure the app server isn't running while the migration happens thing, e.g. more locks18:42
kmalloczzzeek: and for all i know the triggers is causing issues18:43
zzzeekkmalloc: online schema migrations for PG seems like a non-starter given the status of PG18:43
kmallocgood to know18:43
kmalloci'll respond with that and reference this convo18:43
zzzeekkmalloc: yo're doing the triggers w/ PG as well?18:43
kmallocsigh18:43
*** voelzmo_ has quit IRC18:43
kmallocagainst all my protests18:43
zzzeekkmalloc: oh I was arguing in *favor* of the triggers :)18:43
kmalloci greatly dislike them.18:43
kmallocthey're so very hard to debug.18:44
kmallocesp. when the app can do all the logic.18:44
zzzeekkmalloc: im not saying this bug cant be fixed but it would require thinking, looking, coding, and testing and i dont know we have resources for that for PG18:44
kmallocyeah thats fine18:44
kmalloci'll reference this as well confirming my statement, it's just not something we have resources for18:44
zzzeekyes18:44
kmallocbut we will happily accept external help18:44
kmallocand if they have a fix, we'll evaluate it18:45
kmallocand include it if we can.18:45
kmalloclbragstad: ^, marked the bug as incomplete18:49
lbragstadkmalloc: zzzeek thanks18:49
kmalloclbragstad: if they can supply help, we'll accept it18:49
lbragstadgagehugo: works for me locally18:49
kmalloclbragstad: otherwise, we should update our documentation, live-schema changes only supported/tested under MySQL, PGSQL is recommended that live-schema changes not be performed (downtime-only)18:50
kmalloclbragstad: acutally,w e sould update docs for that anyway18:50
lbragstadright18:50
lbragstadkmalloc: when should we remove keystone-manage token_flush?18:52
lbragstadSolar?18:52
kmalloclbragstad: sure.18:53
*** ykarel|away has quit IRC18:54
*** germs_ has quit IRC19:00
*** voelzmo has joined #openstack-keystone19:03
openstackgerritLance Bragstad proposed openstack/keystone master: Log warning when using token_flush  https://review.openstack.org/55688919:04
*** thomasduval has joined #openstack-keystone19:09
*** thomasduval has left #openstack-keystone19:10
hrybackilbragstad: cmurphy perhaps we could conduct an audit of our API vs scope levels19:14
*** NM has quit IRC19:15
*** pcichy has quit IRC19:15
hrybackifor example, I assumed user related actions would be domain-scoped as opposed to system-scoped. BUT if user/group actions are system-scoped that would resolve our earlier issue lbragstad19:16
*** NM has joined #openstack-keystone19:17
*** voelzmo has quit IRC19:19
*** voelzmo has joined #openstack-keystone19:19
*** voelzmo_ has joined #openstack-keystone19:19
openstackgerritLance Bragstad proposed openstack/keystone master: Removal of deprecated direct driver loading  https://review.openstack.org/35081519:20
*** voelzmo_ has quit IRC19:20
*** voelzmo has quit IRC19:20
lbragstadhrybacki: i think some of that would audit would have been taken care of when we implement scope_types19:23
hrybackilbragstad: ack. I'm just thinking doing part of it now would make sure we have a sane, consistent messgae in the spec19:24
hrybackie.g. are user operations domain or system level discussion19:24
lbragstadsure19:24
lbragstadwe could put a disclaimer for that specific case in the spec19:26
*** itlinux has joined #openstack-keystone19:26
*** ilush has joined #openstack-keystone19:29
*** harlowja has joined #openstack-keystone19:34
*** mvk has joined #openstack-keystone19:34
*** ilush has quit IRC19:35
*** NM has quit IRC19:40
*** germs has joined #openstack-keystone19:55
*** germs has quit IRC19:55
*** germs has joined #openstack-keystone19:55
*** NM has joined #openstack-keystone19:57
*** edmondsw has quit IRC19:58
*** edmondsw has joined #openstack-keystone19:59
*** edmondsw_ has joined #openstack-keystone20:01
*** germs has quit IRC20:02
*** germs has joined #openstack-keystone20:02
*** germs has quit IRC20:02
*** germs has joined #openstack-keystone20:02
*** edmondsw has quit IRC20:04
*** edmondsw_ has quit IRC20:04
*** edmondsw has joined #openstack-keystone20:04
*** edmondsw has quit IRC20:04
*** tmcm has quit IRC20:17
*** germs has quit IRC20:30
gagehugois Solar the official name?20:31
cmurphynot yet20:32
lbragstadoh - shoot, i should probably wip my review then20:34
*** aojea has joined #openstack-keystone20:34
gagehugoI liked stein20:37
*** ilush has joined #openstack-keystone20:53
*** edmondsw has joined #openstack-keystone20:59
*** edmondsw_ has joined #openstack-keystone21:00
*** dave-mccowan has quit IRC21:01
*** ilush has quit IRC21:02
*** edmondsw has quit IRC21:04
*** edmondsw_ has quit IRC21:05
*** raildo has quit IRC21:10
*** itlinux has quit IRC21:15
lbragstadknikolla: are you happy with response here https://review.openstack.org/#/c/556022/ ?21:18
*** itlinux has joined #openstack-keystone21:20
adriantlbragstad: want me to update the auth receipt spec and move that down?21:23
adriantor would you prefer doing it as another patch?21:23
lbragstadadriant: oh - we can do that in another patch set... we talked about that in today's meeting and i said i was going to propose a follow on21:24
lbragstadbut i haven't gotten to it yet21:24
adriantcool :)21:24
adriantsorry I wasn't able to attend21:24
cmurphyi think kmalloc was also hoping for a final look from ayoung21:25
*** r-daneel has quit IRC21:25
lbragstadadriant: no worries - it's not the best time for APAC21:26
adriantAs I start making progress on the implementation WIP I'll come by for office hours and ask silly questions!21:26
*** felipemonteiro__ has quit IRC21:28
openstackgerritLance Bragstad proposed openstack/keystone-specs master: Log queens specifications with previous releases  https://review.openstack.org/55706021:28
*** NM has quit IRC21:32
*** edmondsw has joined #openstack-keystone21:35
openstackgerritMerged openstack/keystone master: Make tags filter match subset rather than exact  https://review.openstack.org/55310821:35
*** edmondsw has quit IRC21:36
*** oikiki has joined #openstack-keystone21:42
*** martinus__ has quit IRC21:45
kmalloccmurphy: only because ayound was commenting on it21:45
kmalloccmurphy: but i'm fine with it +A now21:46
kmalloclbragstad, adriant: ^21:46
openstackgerritMerged openstack/keystone master: Fix integer -> method conversion for python3  https://review.openstack.org/55533921:46
*** felipemonteiro has joined #openstack-keystone21:47
knikollalbragstad: pushed it :)21:51
openstackgerritMerged openstack/keystone-specs master: Add spec for MFA auth receipts  https://review.openstack.org/55367021:52
adriantwoo!21:53
adriantnow I have to actually implement it. Which shouldn't be so bad21:54
*** anyone is now known as eschwartz21:58
*** itlinux has quit IRC22:05
*** mchlumsky has quit IRC22:12
*** lbragstad has quit IRC22:15
*** rcernin has joined #openstack-keystone22:16
*** aojea has quit IRC22:24
*** germs has joined #openstack-keystone22:31
*** germs has quit IRC22:31
*** germs has joined #openstack-keystone22:31
*** lbragstad has joined #openstack-keystone22:32
*** ChanServ sets mode: +o lbragstad22:32
*** lbragstad has quit IRC22:32
*** germs has quit IRC22:36
*** felipemonteiro has quit IRC22:38
*** tmcm has joined #openstack-keystone22:56
*** felipemonteiro has joined #openstack-keystone23:07
*** AlexeyAbashkin has joined #openstack-keystone23:12
*** AlexeyAbashkin has quit IRC23:17
*** felipemonteiro has quit IRC23:25
*** harlowja has quit IRC23:32
*** DevX has quit IRC23:33
*** germs has joined #openstack-keystone23:35
*** germs has quit IRC23:35
*** germs has joined #openstack-keystone23:35
*** germs has quit IRC23:36
*** germs has joined #openstack-keystone23:36
*** germs has quit IRC23:36
*** germs has joined #openstack-keystone23:36
*** germs has quit IRC23:58
*** germs has joined #openstack-keystone23:59
*** germs has quit IRC23:59
*** germs has joined #openstack-keystone23:59
« Monday, 2018-03-26 Index Wednesday, 2018-03-28 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!