Wednesday, 2019-03-06

<clarkb> mordred: ^ I think kjorg50's question might be answerable by you if those are pbrx built? [00:02]
<clarkb> kjorg50: while I don't know for sure my hunch is that the -base image is the base install image then the other three layer on top of that and set the CMD value to each of those commands [00:03]
* mordred has no idea - I do not believe anybody is using pbrx for image builds anymore [00:03]
<mordred> I'm guessing those are loci images? [00:03]
<kjorg50> clarkb mordred - thanks for the responses. I think you are right about the keystone-base image. I am referring to these kolla image definitions https://github.com/openstack/kolla/tree/master/docker/keystone [00:14]
<clarkb> kjorg50: you'll probably have better luck asking in the kolla channel [00:14]
<kjorg50> I asked there too :)  thanks [00:15]
<openstackgerrit> Merged openstack/keystone master: Drop py35 jobs  https://review.openstack.org/639909 [09:54]
<openstackgerrit> Merged openstack/python-keystoneclient master: Make tests pass in 2020  https://review.openstack.org/640024 [10:44]
<phasespace> Getting errors like this: "NoMatches: No 'keystone.auth.saml2' driver found, looking for 'keystone.auth.plugins.mapped.Mapped'" [13:41]
<phasespace> Anyone know what the issue is? [13:41]
<phasespace> Saw it mentioned in this channel previously: http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-09-22.log.html [13:41]
<phasespace> errr, kmalloc : you guys were discussing this issue. did you figure out what it was? [13:42]
<openstackgerrit> Colleen Murphy proposed openstack/keystone master: Add keystone's technical vision reflection  https://review.openstack.org/641374 [14:13]
<erus> o/ [14:34]
<lbragstad> o/ [14:42]
<knikolla> o/ [14:59]
<cmurphy> phasespace: we have a bug for that i think https://bugs.launchpad.net/keystone/+bug/1793845 but if you're just using the saml2 plugin all you need to do is add saml2 to [auth]/methods and not set saml2=anything [15:10]
<openstack> Launchpad bug 1793845 in OpenStack Identity (keystone) "Federation Protocol saml2 fails on Rocky" [Medium,Triaged] [15:10]
<phasespace> thanks, got it working [15:28]
<knikolla> lbragstad: never has doing code reviews on test cases been so easy thanks to "with self.test_client() as c" [17:22]
<kmalloc> knikolla: :) [17:25]
<kmalloc> glad to have been able to make that possible or at least semi-possible [17:25]
<knikolla> glory to kmalloc [17:25]
<kmalloc> flask has improved a few things for keystone [17:26]
<lbragstad> yeah - it saved a few key strokes for me [17:44]
* lbragstad actually just summarized all the policy work and is about to send that note to the ML [17:45]
<lbragstad> http://lists.openstack.org/pipermail/openstack-discuss/2019-March/003552.html [19:05]
<openstackgerrit> Merged openstack/keystonemiddleware master: Fix debug tox environment  https://review.openstack.org/640183 [19:05]
* lbragstad finds lunch-like objects [19:06]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add service developer documentation for scopes  https://review.openstack.org/638563 [19:33]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Allow domain users to access the limit API  https://review.openstack.org/621023 [20:28]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add tests for project users interacting with limits  https://review.openstack.org/621024 [20:28]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: Remove limit policies from policy.v3cloudsample.json  https://review.openstack.org/621025 [20:28]
<openstackgerrit> Gage Hugo proposed openstack/keystone master: WIP - Add flask hook for authentication timings  https://review.openstack.org/634826 [21:13]
<timothyb89> hi all, bit of a performance question... should token revocation lists be cached? [21:33]
<timothyb89> I've been debugging some api slowness and based on some profiles, it seems to be hitting the database for the revocation list 2x every request, and as far as I can tell never touches the cache [21:35]
<timothyb89> for reference: https://drive.google.com/file/d/16U2KOJOa2q7Fu57l6zokmvF6IaVI2ro9/view?usp=sharing [21:35]
<lbragstad> timothyb89 interesting.. if you have ``keystone.conf [oslo_cache] caching=True`` then by default token revocation should be on [21:37]
<timothyb89> yup, that's set, and everything else seems to be hitting the cache as it ought to [21:37]
<timothyb89> also have a debug log with cache debugging enabled: http://paste.openstack.org/show/747377/ [21:38]
<timothyb89> don't see anything involving 'revoke' or 'token_events', but perhaps that won't show up so obviously [21:38]
<lbragstad> so - this is the token revocation list API logic [21:40]
<lbragstad> it looks like we only cache one method - https://git.openstack.org/cgit/openstack/keystone/tree/keystone/revoke/core.py#n53 [21:40]
<lbragstad> for listing all token revocation events [21:40]
<lbragstad> but the token provider API calls a different method for validating a token against a set of revocation events [21:42]
<lbragstad> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/provider.py#n133 [21:42]
<lbragstad> which isn't cached - https://git.openstack.org/cgit/openstack/keystone/tree/keystone/revoke/core.py#n125 [21:42]
<lbragstad> =/ [21:42]
<timothyb89> ah, that would do it [21:42]
<lbragstad> misleading, though [21:42]
<lbragstad> i can understand the confusion [21:42]
<lbragstad> several releases ago we had even worse performance with checking tokens against a list of revocation events because we were doing everything in python [21:43]
<lbragstad> we took another approach to take the important data from the token and build smarter SQL queries so we leveraged more the database for that check [21:43]
<timothyb89> possible followup question, maybe my profile data is misleading, but it looks like check_validation gets called twice per request? [21:46]
<lbragstad> what API are you calling? [21:46]
<timothyb89> just listing all projects repeatedly in a benchmark [21:46]
<timothyb89> apologies, check_revocation is called twice [21:47]
* lbragstad squints at the performance chart [21:48]
<lbragstad> ok - so middle of the page? left side and middle columns? [21:49]
<timothyb89> recommend opening the svg in a browser if you aren't already, it's interactive and much more readable that way [21:49]
<timothyb89> yup [21:49]
<lbragstad> oh - sweet [21:50]
<lbragstad> so 27% of the request is spent in check_revocation? [21:50]
<timothyb89> the first time, yes [21:50]
<timothyb89> with another call later costing an additional 22% [21:51]
<lbragstad> and 22.7% [21:51]
<lbragstad> got it [21:51]
<lbragstad> what tool did you use to generate this? [21:51]
<timothyb89> https://github.com/benfred/py-spy [21:51]
<lbragstad> i'll make a note to read this [21:53]
<timothyb89> good to hear - thanks! [21:54]
<lbragstad> hmm [21:54]
<lbragstad> validate_token is getting called twice, too [21:54]
<lbragstad> (which makes sense) [21:54]
<lbragstad> considering check_revocation is getting called twice and it's only used in that API [21:55]
<lbragstad> well - the first token validation is actually happening in middleware [21:56]
<lbragstad> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/flask/request_processing/middleware/auth_context.py#n243 [21:58]
<lbragstad> ^ that gets invoked from keystonemiddleware i believe [21:58]
<lbragstad> huh [22:01]
<timothyb89> hmm, that seems to match the data at least [22:01]
<lbragstad> so - it looks like... [22:01]
<lbragstad> keystone overrides a hook from keystonemiddleware [22:01]
<lbragstad> (so that keystonemiddleware doesn't attempt to put the token on the wire to a keystone service to validate like it would for another service) [22:02]
<lbragstad> that's this code [22:02]
<lbragstad> https://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/flask/request_processing/middleware/auth_context.py#n241 [22:02]
<lbragstad> which is overriding the keystonemiddleware auth_token implementation - https://git.openstack.org/cgit/openstack/keystone/tree/keystone/server/flask/request_processing/middleware/auth_context.py#n233 [22:03]
<lbragstad> so - that's the first validation [22:03]
<lbragstad> the second is when we get a little further in request processing, but still in middleware [22:03]
<lbragstad> and we're creating a context object (so we can do things like policy enforcement based on the authorization associated to the token) - and we validate the token in that, too [22:04]
<lbragstad> so - i'm not sure how feasible this might be [22:10]
<lbragstad> but iiuc - we could attempt to eliminate the time spent in that middle column if we try and reuse the first token validation somehow? [22:10]
<lbragstad> that might be tricky though [22:10]
<timothyb89> that would make sense, passing that data around sounds fun, though [22:17]
<openstackgerrit> Lance Bragstad proposed openstack/keystone master: WIP: Only validate tokens once per request  https://review.openstack.org/641499 [22:19]
<lbragstad> timothyb89 ^ does that help? [22:19]
<lbragstad> i'll be honest, i didn't test it [22:20]
<lbragstad> so i'm not sure if it'll work 100% [22:20]
<timothyb89> oh, cool! I'll try it out and see [22:20]
<lbragstad> i'm just curious if that speeds up requests by about ~20% [22:20]
<lbragstad> do you happen to have measurements in time in addition to percentages? [22:23]
<timothyb89> I have some stats on me now, but could rerun my benchmark [22:25]
<lbragstad> percentages are good [22:26]
<lbragstad> i was just curious what kind of times you were seeing [22:26]
<timothyb89> mean response time for list projects was 29ms, 22ms min, 100ms max, std dev of 11.8ms - over 100 requests [22:26]
<lbragstad> is the client local to the benchmark box? [22:26]
<timothyb89> in this case yes [22:26]
* lbragstad nods [22:26]
<timothyb89> some more comprehensive data: https://docs.google.com/spreadsheets/d/1AaIR4a1JNzngjyO3F0emw9T2ZsdcZprE_MXuM2MsTvM/edit?usp=sharing [22:29]
<lbragstad> hah - just a little bit [22:29]
<timothyb89> seemed to hit a latency floor of ~20ms no matter how many resources we threw at it :) [22:30]
<timothyb89> vs uuid tokens which could return in < 10ms [22:30]
<lbragstad> interesting [22:31]
<lbragstad> you're using pypy? [22:32]
<timothyb89> tried it, at least, but it wasn't really faster and was less consistent [22:32]
<lbragstad> huh [22:33]
<timothyb89> turned out we were IO bound due to mysql latency [22:33]
<lbragstad> last i tried running anything with pypy was about 4 years ago [22:33]
<lbragstad> so avg response time for requests when using uuid was ~20 ms? [22:34]
<timothyb89> well, plain token validation (no project list) was 7ms +/- 6ms [22:35]
<lbragstad> got it [22:35]
<timothyb89> token validation with fernet is 34ms +/- 16ms [22:36]
<timothyb89> so the best case was much better [22:36]
<lbragstad> i'm noticing only slightly better performance locally [22:51]
<lbragstad> without my patch GET /v3/projects took 0.06 seconds, with the patch i'm noticing about 0.054 or 0.047 in the best case [22:52]
<lbragstad> maybe that's in line with your numbers, though? [22:52]
<timothyb89> currently trying to deploy the patch myself, will hopefully be able to say for certain [22:54]
<timothyb89> lbragstad: alright, tentative result is response time down to 22ms +/- 11.5 ms, with a new record low response time of 15.5 ms [23:13]
<timothyb89> lbragstad: new profile result as well: https://drive.google.com/file/d/1fSQaB-sDGAdeV9bSLSne7chSiFugOtgb/view?usp=sharing [23:14]
<timothyb89> savings appears to be right about as expected, roughly 23% faster :) [23:18]
<timothyb89> (disclaimer, though, I applied the patch to our stable/rocky tree, so YMMV on master) [23:28]