Tuesday, 2012-07-24

« Monday, 2012-07-23 Index Wednesday, 2012-07-25 »
*** ncode has joined #openstack-meeting00:02
*** ncode has quit IRC00:02
*** ncode has joined #openstack-meeting00:02
*** novas0x2a|laptop has quit IRC00:06
*** s0mik has quit IRC00:07
*** danwent has quit IRC00:09
*** gongys has quit IRC00:20
*** mnewby has quit IRC00:22
*** nati_uen_ has quit IRC00:26
*** nati_ueno has joined #openstack-meeting00:27
*** nati_ueno has quit IRC00:31
*** kindaopsdevy has quit IRC00:37
*** ryanpetr_ has joined #openstack-meeting00:55
*** nati_ueno has joined #openstack-meeting00:59
*** ryanpetrello has quit IRC00:59
*** ncode has quit IRC01:00
*** anderstj has joined #openstack-meeting01:01
*** anderstj has quit IRC01:03
*** jdurgin has quit IRC01:03
*** ryanpetr_ has quit IRC01:08
*** joearnold has quit IRC01:13
*** joearnold has joined #openstack-meeting01:35
*** ryanpetrello has joined #openstack-meeting01:39
*** ryanpetrello has quit IRC01:54
*** ryanpetrello has joined #openstack-meeting01:56
*** shang has joined #openstack-meeting01:59
*** nati_uen_ has joined #openstack-meeting02:06
*** ryanpetr_ has joined #openstack-meeting02:06
*** Gordonz_ has joined #openstack-meeting02:06
*** Mandell_ has joined #openstack-meeting02:06
*** Mandell has quit IRC02:06
*** ryanpetrello has quit IRC02:06
*** nati_ueno has quit IRC02:07
*** xtoddx has quit IRC02:07
*** devcamcar has quit IRC02:07
*** devcamca- has joined #openstack-meeting02:07
*** xtoddx has joined #openstack-meeting02:07
*** cdub has quit IRC02:08
*** cdub has joined #openstack-meeting02:08
*** Gordonz has quit IRC02:08
*** anniec has quit IRC02:12
*** rkukura has quit IRC02:16
*** salv-orlando has left #openstack-meeting02:17
*** mnewby has joined #openstack-meeting02:19
*** anderstj has joined #openstack-meeting02:34
*** zhuadl has quit IRC02:39
*** matwood has joined #openstack-meeting02:48
*** shang has quit IRC03:00
*** shang has joined #openstack-meeting03:00
*** jgriffith has quit IRC03:07
*** Dr_Who has joined #openstack-meeting03:08
*** Dr_Who has joined #openstack-meeting03:08
*** blamar has quit IRC03:17
*** danwent has joined #openstack-meeting03:17
*** dwcramer has quit IRC03:23
*** ryanpetr_ has quit IRC03:24
*** joearnold has joined #openstack-meeting03:24
*** blamar has joined #openstack-meeting03:27
*** anderstj has quit IRC03:30
*** joearnold has quit IRC03:33
*** matwood has quit IRC03:35
*** bencherian has quit IRC03:37
*** anderstj has joined #openstack-meeting03:38
*** zhuadl has joined #openstack-meeting03:44
*** jgriffith has joined #openstack-meeting03:56
*** bencherian has joined #openstack-meeting03:56
*** zhuadl has quit IRC03:56
*** anderstj has quit IRC03:56
*** anderstj has joined #openstack-meeting04:08
*** joearnold has joined #openstack-meeting04:11
*** matwood has joined #openstack-meeting04:20
*** nati_uen_ has quit IRC04:27
*** ozstacker has quit IRC04:36
*** ozstacker has joined #openstack-meeting04:37
*** fergal has quit IRC04:38
*** anniec has joined #openstack-meeting04:49
*** Mandell_ has quit IRC04:51
*** matwood_ has joined #openstack-meeting04:55
*** matwood has quit IRC04:55
*** matwood_ is now known as matwood04:55
*** zhuadl has joined #openstack-meeting04:58
*** Dr_Who has quit IRC05:00
*** anniec has quit IRC05:03
*** garyk has quit IRC05:13
*** anderstj has quit IRC05:14
*** blamar has quit IRC05:21
*** garyk has joined #openstack-meeting05:49
*** ttrifonov_zZzz is now known as ttrifonov05:52
*** littleidea has quit IRC06:02
*** joearnold has joined #openstack-meeting06:02
*** GheRivero has joined #openstack-meeting06:16
*** jgriffith has quit IRC06:26
*** ttrifonov is now known as ttrifonov_zZzz06:53
*** mnewby has quit IRC06:54
*** ttrifonov_zZzz is now known as ttrifonov06:55
*** matwood has quit IRC07:02
*** joearnold has quit IRC07:05
*** Mandell has joined #openstack-meeting07:05
*** markmcclain has quit IRC07:07
*** matwood has joined #openstack-meeting07:23
*** danwent has quit IRC07:28
*** fergal has joined #openstack-meeting07:43
*** danwent has joined #openstack-meeting07:48
*** danwent has quit IRC07:49
*** derekh has joined #openstack-meeting08:01
*** darraghb has joined #openstack-meeting08:05
*** bencherian has quit IRC08:08
*** matwood has quit IRC08:18
*** jakedahn is now known as jakedahn_zz08:32
*** swarley has joined #openstack-meeting08:39
*** Mandell has quit IRC08:46
*** oubiwann has quit IRC09:16
*** oubiwann has joined #openstack-meeting09:56
*** zhuadl has quit IRC10:34
*** swarley has quit IRC10:48
*** markmcclain has joined #openstack-meeting11:24
*** zhuadl has joined #openstack-meeting11:26
*** ayoung-afk is now known as ayoung12:09
*** anniec has joined #openstack-meeting12:14
*** dprince has joined #openstack-meeting12:29
*** dprince has joined #openstack-meeting12:30
*** dwcramer has joined #openstack-meeting12:36
*** littleidea has joined #openstack-meeting12:46
*** flaviamissi has joined #openstack-meeting12:46
*** littleidea has quit IRC12:49
*** littleidea has joined #openstack-meeting12:51
*** littleidea has left #openstack-meeting12:51
*** GheRivero has quit IRC12:52
*** dwcramer has quit IRC13:12
*** jaypipes has quit IRC13:12
*** markmcclain has quit IRC13:16
*** Dr_Who has joined #openstack-meeting13:38
*** jaypipes has joined #openstack-meeting13:42
*** hggdh has quit IRC13:50
*** zhuadl has quit IRC13:58
*** hggdh has joined #openstack-meeting13:59
*** GheRivero has joined #openstack-meeting14:11
*** dtroyer is now known as dtroyer_zzz14:24
*** mattray has joined #openstack-meeting14:28
*** anderstj has joined #openstack-meeting14:28
*** dwcramer has joined #openstack-meeting14:31
*** matwood has joined #openstack-meeting14:32
*** dendrobates is now known as dendro-afk14:33
*** ryanpetrello has joined #openstack-meeting14:36
*** Dr_Who has quit IRC14:36
*** mnewby has joined #openstack-meeting14:36
*** markmcclain has joined #openstack-meeting14:37
*** bencherian has joined #openstack-meeting14:37
*** markmcclain has left #openstack-meeting14:38
*** ayoung has quit IRC14:40
*** maoy has joined #openstack-meeting14:40
*** PotHix has joined #openstack-meeting14:48
*** blamar has joined #openstack-meeting14:55
*** blamar has quit IRC14:57
*** blamar has joined #openstack-meeting14:58
*** dwcramer has quit IRC15:03
*** reed has quit IRC15:05
*** dwcramer has joined #openstack-meeting15:06
*** rnirmal has joined #openstack-meeting15:12
*** dabo has quit IRC15:12
*** sleepson- has quit IRC15:12
*** dabo has joined #openstack-meeting15:13
*** sleepsonthefloor has joined #openstack-meeting15:13
*** cp16net is now known as cp16net|away15:18
*** anderstj has quit IRC15:19
*** heckj has joined #openstack-meeting15:22
*** zul has quit IRC15:28
*** clarkb has joined #openstack-meeting15:28
*** yapeng has joined #openstack-meeting15:28
*** dendro-afk is now known as dendrobates15:32
*** darraghb has quit IRC15:38
*** ryanpetrello has quit IRC15:40
*** zul has joined #openstack-meeting15:43
*** mnewby has quit IRC15:43
*** anniec has quit IRC15:44
*** jgriffith has joined #openstack-meeting15:47
*** gyee has joined #openstack-meeting15:51
*** gyee has quit IRC15:54
*** johnpur has joined #openstack-meeting15:55
*** dendrobates is now known as dendro-afk15:56
*** danwent has joined #openstack-meeting16:01
*** AlanClark has joined #openstack-meeting16:04
*** davidkranz has quit IRC16:04
*** davidkranz has joined #openstack-meeting16:05
*** joearnold has joined #openstack-meeting16:25
*** alrs has joined #openstack-meeting16:25
*** matiu_ has joined #openstack-meeting16:26
*** littleidea has joined #openstack-meeting16:28
*** dendro-afk is now known as dendrobates16:29
*** kindaopsdevy has joined #openstack-meeting16:33
*** bencherian has quit IRC16:33
*** jog0 has quit IRC16:35
*** jog0 has joined #openstack-meeting16:35
*** s0mik has joined #openstack-meeting16:38
*** reed has joined #openstack-meeting16:44
*** milner has quit IRC16:45
*** ryanpetrello has joined #openstack-meeting16:48
*** GheRivero has quit IRC16:54
*** jakedahn_zz is now known as jakedahn16:55
*** s0mik has quit IRC16:55
*** s0mik has joined #openstack-meeting16:57
*** danwent has quit IRC16:57
*** dwcramer has quit IRC17:00
*** jaypipes has quit IRC17:00
*** derekh has quit IRC17:00
*** xtoddx has quit IRC17:00
*** maoy has quit IRC17:00
*** matiu has quit IRC17:00
*** kiffer84 has quit IRC17:00
*** jeblair has quit IRC17:00
*** anniec has joined #openstack-meeting17:00
*** anniec_ has joined #openstack-meeting17:01
*** bencherian has joined #openstack-meeting17:02
*** dwcramer has joined #openstack-meeting17:02
*** maoy has joined #openstack-meeting17:02
*** jaypipes has joined #openstack-meeting17:02
*** derekh has joined #openstack-meeting17:02
*** xtoddx has joined #openstack-meeting17:02
*** matiu has joined #openstack-meeting17:02
*** kiffer84 has joined #openstack-meeting17:02
*** jeblair has joined #openstack-meeting17:02
*** derekh has quit IRC17:03
*** joearnold has quit IRC17:04
*** anniec has quit IRC17:05
*** anniec_ is now known as anniec17:05
*** mnewby has joined #openstack-meeting17:07
*** Mandell has joined #openstack-meeting17:11
*** kindaopsdevy has quit IRC17:12
*** jdurgin has joined #openstack-meeting17:12
*** kindaopsdevy has joined #openstack-meeting17:12
*** milner has joined #openstack-meeting17:15
*** ayoung has joined #openstack-meeting17:18
*** joearnold has joined #openstack-meeting17:28
*** anderstj has joined #openstack-meeting17:30
*** liemmn has joined #openstack-meeting17:31
*** garyk has quit IRC17:31
*** rafaduran has joined #openstack-meeting17:33
*** ryanpetrello has quit IRC17:33
*** dendrobates is now known as dendro-afk17:34
*** nati_ueno has joined #openstack-meeting17:39
*** jakedahn is now known as jakedahn_zz17:55
*** mnewby_ has joined #openstack-meeting17:56
*** mnewby_ has quit IRC17:56
*** adjohn has joined #openstack-meeting17:56
*** adjohn has quit IRC17:57
*** mnewby has quit IRC17:57
heckjhere for the keystone meeting? o/17:59
rafadurano/18:00
ayoungo/18:00
ayoungheckj, liemmn, I'm going kill the elluminate sesson.18:00
ayoungwe can use IRC for now18:01
heckjgotcha18:01
heckj#startmeeting18:01
openstackMeeting started Tue Jul 24 18:01:35 2012 UTC.  The chair is heckj. Information about MeetBot at http://wiki.debian.org/MeetBot.18:01
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.18:01
heckjOla all!18:01
heckjThe big topic for today is the PKI code review work/descriptions/etc from ayoung18:02
heckjBefore we get there, is there any immediate issues folks have?18:02
heckj#topic anything immediate?18:02
*** openstack changes topic to "anything immediate?"18:02
heckjthere's a new security bug that was alerted in today - received it, but haven't tested/verified against it.18:03
liemmnok18:03
*** mnewby has joined #openstack-meeting18:03
ayoungheckj, should we talking about that in a public chat room?18:04
ayoungIf it is OK to do so, please post the link18:04
heckjI don't think it's too butal of an exploit - https://bugs.launchpad.net/keystone/+bug/102856318:04
heckjsince it's a security vuln, you need to be explicitly subscribed to see it. I've added ayoung, termie, and dolph to it18:05
*** lcheng has joined #openstack-meeting18:05
heckjcontent: "Identity authentication does not check if user is enabled"18:05
ayoungheckj, ah, ok.  yeah,  LDAP enabled is going to need a little massaging, as that field doesn't exist in the base schema.  The others are checked in the authenticate call...we should hit some of that in todays walk through18:06
heckjcool18:06
ayoungI can chime in on the ticket18:06
heckjhave at at your time18:06
heckjLet's get into the main topic then18:07
heckj#topic PKI code review18:07
*** openstack changes topic to "PKI code review"18:07
*** s34n has joined #openstack-meeting18:07
*** bbrown has joined #openstack-meeting18:07
ayoungOK,  lets start with authenticate then...18:08
ayounghttps://review.openstack.org/#/c/7754/9/keystone/service.py18:08
ayoungline 26918:08
heckj#link https://review.openstack.org/#/c/7754/9/keystone/service.py18:09
ayoungThis is the call for either creating a new token, or validating an existing one18:09
ayoungon line 290,  you see the start of the big "if" that splits these two use cases18:09
ayoungbascially, if you pass in the password credential,  any existing token is ignored.  This logic is maintained18:10
ayoungthat majority of the heavy lifting is done by self.identity_api.get_user_by_name18:10
*** dendro-afk is now known as dendrobates18:11
ayounghmm...18:11
*** anderstj has quit IRC18:12
ayoung no,  the heavy lifting isin the common lines that are hidden, 1 sec18:12
*** joearnold has quit IRC18:12
ayounganyone know how to expand those?18:12
ayoungthe real heavy lifting is done by18:12
ayoungauth_info = self.identity_api.authenticate(context=context,18:12
ayoung                                                           user_id=user_id,18:12
ayoung                                                           password=password,18:12
ayoung                                                           tenant_id=tenant_id)18:12
ayoungline 277 prior to the patch18:13
heckjyeah, not sure - was just mucking with the interface to see that18:13
ayounghttps://github.com/openstack/keystone/blob/master/keystone/service.py#L27718:13
*** jjm3 has quit IRC18:13
ayoungas a note,  this call needs to be refactored,18:13
ayoungidentity api builds up the data that will be sent back as the authenticate response18:13
heckjclick on "preferences", then change context to "whole file" and you'll see the whole thing side by side18:13
*** danwent has joined #openstack-meeting18:14
ayoungheckj, thanks.  You guys with me?18:14
heckjwith you18:15
ayoungso line 31518:15
ayoungthat is what A:  checks that uid and password is correct and builds up the data for the token18:15
ayoungthere is a little postprocessing,  but let skip ahead to18:15
ayoungafter the if statement18:16
ayoungline 42618:16
heckj426?18:16
ayoungheckj yes18:16
ayoungI am skipping the token path for now18:16
ayounger18:16
ayoungthe path where an existing token is passed in18:17
ayoungand instead followng the userid and password are passed in18:17
heckjgimme a sec, catching up18:17
ayoung we'll go back to the else block in a second18:17
heckjokay - good18:18
ayoungto sum up:  line 315 creates the data for the token , line 426 signs it18:18
*** milner has quit IRC18:18
heckjwhat's "cms" stand for?18:18
ayoungcrypto message syntax18:18
heckjgot it18:18
ayoungit is the format of the signed document18:18
ayoungit is what is used for SMIME among other things18:19
ayoungand it maps to the following command line call:18:19
ayoung openssl cms  -sign -in auth_token.json  -nosmimecap  -signer cert.pem -inkey key.pem -outform DER -nodetach -nocerts  -noattr -out auth_token.signed18:19
ayoungthat call, and the corresponding call to verify are in18:20
ayounghttps://review.openstack.org/#/c/7754/9/keystone/common/cms.py18:20
ayoungnote that they are done using popen.  THis is the best supported parallelisation mechanism in Eventlet (AFAICT)18:20
ayoungso a new process is forked off,  then execs openssl ...18:21
ayoungthe output is read back into the parent process18:21
heckjyep, with ya18:21
ayoungso cms.cms_sign_text(json.dumps(token_data),18:21
ayounggets signed. on line 5418:22
ayoungcms_to_token (called line 73) does a little postprocessing18:22
ayoungstrips off the header, footer, and replaces  / with -18:22
liemmnayoung, so line 375 (checking token's length) basically allows the old-fashioned token support if it's not a CMS token, correct?18:22
heckjslaps it all together into one big string18:23
liemmn(service.py), sorry18:23
ayoungchops line returns to18:23
ayoungheckj, yes18:23
ayoungliemmn, that is correct18:23
liemmnthx18:23
ayoungliemmn, as does the check to see if it is disabled18:23
ayoungline...18:23
ayoung42218:23
liemmngot it18:23
ayoungand for now default is to disable18:23
heckjayoung: nice, looks good18:24
*** jakedahn_zz is now known as jakedahn18:24
ayoungOK,  heckj so the big thing I would change, and will do so in the near future...18:24
ayounglets jump back to service.py18:24
ayoungand look in that else block18:24
ayoungline 34018:25
ayoungwe read the old token out of the Header18:25
ayoungsomewhere earlier...18:25
ayoungand here we validate18:26
ayoungfirst by checking to see if it is in the datastore....there are pros and cons to doing this,  but this is the least change approach18:26
ayoungif it is not in the backend, we can assume "disabled" or "invalid token"18:27
ayoungnote that this is in Keystone18:27
ayounga remote service does not go through this code path18:27
ayoungup to line 374 is fairly close to the old logic18:27
ayoungand then we hit 375 which liemmn pointed out before...18:28
ayoungUUID tokens are shorter18:28
*** kindaopsdevy has quit IRC18:28
ayoungthere is also some interspersed logic here for expiry, which we maintain18:29
ayoungthe common lines,  like the block at 39418:30
*** matiu_ has quit IRC18:30
ayoungis for building up the response to the verify call18:30
*** matiu_ has joined #openstack-meeting18:30
*** matiu_ has joined #openstack-meeting18:30
ayoungand should be refactored into the identity api18:30
ayoungthus, this code should be much simpler ideally18:30
liemmn+1 for shorter methods :)18:31
ayoungline 385 on is all really common code18:31
ayoungOK..jump ahead to 43018:31
*** mnewby_ has joined #openstack-meeting18:31
ayoungregardless of password or token, if we issue a new token, once we sign it, we need to persist it18:31
ayoungthe big change is that the ID is no longer a uuid18:32
ayoung431: token_ref = self.token_api.create_token(18:32
ayoungso this code is per-backend.  Lets look at the SQL one18:32
ayounghttps://review.openstack.org/#/c/7754/9/keystone/token/backends/sql.py18:33
ayoungline 3118:33
ayoungwe have dropped the id column18:33
ayoungbecause it is confusing18:33
ayoungwell, not dropped18:33
*** mnewby has quit IRC18:33
*** mnewby_ is now known as mnewby18:33
ayoungbut it is no longer the primary key18:33
ayoungthe id *is* the signed document18:34
ayoungway too long to be indexable by MySQL etc18:34
ayoungbuy SQL Alchemy insists on a primary key18:34
ayoungso that is18:34
ayoungid_hash18:34
ayoungcamn anyone guess what that is?18:34
*** mnewby has quit IRC18:34
ayounghint on line 6518:34
liemmnnice18:35
heckjquick md5 of the signed token, eh?18:35
ayoungyep18:35
ayoungrkukura gets props for the idea18:35
ayoungIt is short enough and unique enough for our purposes18:35
s34nunique enough?18:35
s34nwhat is the collission rate?18:36
ayoungs34n, s34n on md5?  QUite small18:36
ayoungand for these18:36
heckjs34n: unique for a primary key in SQLAlchemy - it has the standard md5 hashing characteristics18:36
ayoungbecause the docs are so similar,  even smaller18:36
ayoungMD5 is sensitive to small changes in the document.  2 dos that are similar are more likely to have different MD5s than wildly differen docs.18:37
s34nsomething is tickling my brain on that. Something I recently read on md5 collisions. Let me research. I'm probably wrong.18:37
ayoungthatis, of course, a laymans understanding, and would proabably make most people that know stats annoyed18:38
ayoungs34n, we should also be flushing the tokens after they are expired somehow.  We are not doing that now,  but once we do,  collisions should be statistically sufficiently ignorable18:39
ayoungs34n, note that UUIDs have the same problem18:39
ayoungOK,  before we move on to the auth_)token middlewar18:40
ayounge18:40
ayoungI'd like to talk a bit about SQL migration18:40
heckjkk18:40
ayoungnote that I had to change https://review.openstack.org/#/c/7754/9/keystone/common/sql/migrate_repo/versions/001_add_initial_tables.py18:40
ayoungthat is because if you automate the table creation for tokens,  they will be defined according to the new schema,  with the id_hash column18:41
ayoungand 001 needs to define them the way that they are today,  with id as the pkey18:41
ayounghence line 38 defining the table explicitly18:41
ayoungand dropping the import of the token into the migrate code18:41
ayoungon line 2618:42
ayoungthen,  because we are altering a table,  it is really hard to do it right in sqlalchemy...maybe impossible18:42
ayoungso upgrade and downgrade is done using goo-ole-SQL18:42
heckjgot it18:42
ayoungI have different files fdor mysdql and sqlite.  I've been told that Postgres follows the sqlite18:43
ayounglets assume you are doign an on-the-fly upgrade18:43
ayoungthe old uuid token goes into the id and the id_hash columns...no harm there18:43
ayoungand the old authenticate code kicks in (same thing that liemmn noted above)18:43
ayoungonly new tokens are signed and hashed for realz18:43
ayoungon downgrade, we just dump all data18:44
heckjayoung: sounds good18:44
ayoungheckj, thanks18:44
ayoungthat is why for mysql we can get away with an altertable command.  it changes the column name, anddrops the pkey, but maintains the data18:44
ayoungfor sqlite etc we do it more explicitly18:45
ayoungOK,  brief aside on config before auth_token18:45
ayounghttps://review.openstack.org/#/c/7754/9/keystone/config.py18:45
ayoungline 128 is all we need18:46
*** devananda has joined #openstack-meeting18:46
ayoungas the majoprity of the values we use we accepted in an earlier patch18:46
ayoungopnce PKI is beat on somewhat, I'll submite a patch that flips line 129 to False18:46
ayoungOK, any questions so far?18:47
heckjayoung: lookin' good so far!18:47
liemmnlooks good...  Is the default token validity 3650 days?18:47
ayounghttps://review.openstack.org/#/c/7754/9/keystone/middleware/auth_token.py18:47
ayoungliemmn, um...let me see18:47
*** dtroyer_zzz is now known as dtroyer18:47
* ayoung just closed that tab18:47
liemmn13718:47
heckjliemmn: yep18:48
liemmnThat's a long time :)18:48
ayoungyeah...that should be 118:48
ayoungthat might be for the cert...let me check18:48
ayoungthat is not for token time out18:48
ayoungthat mechanism has not changed18:48
liemmnoh, ok... makes sense18:49
*** mdomsch has joined #openstack-meeting18:49
ayoungOK auth_token middleware, line 39218:49
ayoungagain, we gate on length18:49
ayoungverify UUID token is the old path...on line validation18:50
ayoungbasically the red lines from line 350 to 39218:50
ayoungmoved to line 57118:51
liemmnstill wondering if there is value in caching these bigger cms tokens, since we are not incurring network cost anymore18:51
ayoungliemmn, yes there is18:51
ayoungif it is cached you don't have to do the fork/exec of openssl18:51
heckjayoung: so as long as your local cache is good, you only take the decrypt hit once18:52
ayoungheckj, that is right18:52
liemmnok18:52
ayoungline 613 is where we verify signed tokens18:52
*** adjohn has joined #openstack-meeting18:52
ayoungagain, using the code in keystone/common/cms.py18:52
ayoungbascially adds back in the header,  - to / and line breaks18:53
ayoungthen run through the openssl code18:53
ayoungfor now,  I am just assuming one ca and one signing cert18:53
ayoungthey are fetched on demand18:54
liemmnayoung, you have a typo error on line 628 and 631...  "this" -> "self"18:54
ayoungsee the exception blocks in line 62718:54
heckjayoung: so a deployment expectation is that you'd likely drop in a ca and cert on every machine running the auth_token middleware, restricted directory, and they use it direclty as needed18:54
ayoungheckj, yes18:54
ayoungheckj, however18:55
ayoungyou might want to keep the fetch18:55
ayoungespecially for the signing cert18:55
ayoungas that might expire. or you might have to deal with a security breach18:55
ayoungbreech18:55
ayoungbreak in18:55
heckjheh18:55
heckjyeah, got it18:55
*** jakedahn is now known as jakedahn_zz18:55
ayoungheckj, in the future, I want auth_token to allow a list of keystone servers.  We prime the pump with one18:56
ayoungand the rest are fetched from the service catalog18:56
ayoungthen, in the signed token, it indicates "I was signed by foo"18:56
heckjayoung: reasonable for the larger installations18:56
ayoungand we fetch the cert for foo18:56
ayoungheckj, it will also allow for federation, etc18:57
ayoungwe can specify that a given signing cert can only sign for a specific domain....18:57
notmynameheckj: just to get in under the wire, the keystone middleware was merged into swift. should be released next week in the next swift release18:57
heckjnotmyname: thxusir18:57
ayoungOK... the rest of the patch is commentary:  tests and so forth18:58
termie;win 118:58
ayoungthere is one thing I've found that makes me self-nack, but I did't want to speak up until after this walk through18:58
*** Daisy has joined #openstack-meeting18:58
ayoungI will buy a beer at the meetup if anyone can guess what it is18:58
ayoungI will provide one hint:  it is not in any of the files in this patch18:59
ayoungany guesses?18:59
ayounggoing once....18:59
ayounggoing twice....18:59
heckjlack of docs18:59
ayoungnope18:59
heckj:-)19:00
DaisyHi19:00
ayoungheckj, I would be willing to checking withou tdocs19:00
ayoungas the default behavior hasn;'t changed19:00
ayoungno the missig feature is ec2 and s3 tokens in contrib19:00
heckjayoung: yeah, I'm fine with it - but we'll want to describe how to use the new features very quickly19:00
ayoungI think those will work as is by default19:00
ayoungbut not with PKI tokens19:00
ayoungthey only generate UUID tokens...which actually might be fine19:01
DaisyIs this CI weekly meeting?19:01
ayoungbut they should be using common code for token generation19:01
ayoungDaisy, not yet19:01
ayoungstill keystone19:01
ayoungI'm waxing poetic19:01
ayoungheckj, anyway...now that you know, I'll let you decide whether to nack on that...I think it is ok to do in a separate patch19:01
liemmnvery cool, ayoung... thanks for the walkthru!19:02
ayoungMy pleasure19:02
ayoungnow go forth and review!19:02
liemmn:)19:02
*** dprince has quit IRC19:02
liemmnof course19:02
* mtaylor taps foot patiently...19:02
heckj#endmeeting19:03
*** openstack changes topic to "OpenStack meeting channel. See http://wiki.openstack.org/Meetings for schedule and http://eavesdrop.openstack.org/meetings/openstack-meeting/ for meeting logs"19:03
openstackMeeting ended Tue Jul 24 19:03:14 2012 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)19:03
heckjsorry, sorry...19:03
openstackMinutes:        http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-07-24-18.01.html19:03
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-07-24-18.01.txt19:03
openstackLog:            http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-07-24-18.01.log.html19:03
ayoungheckj, one last thing...I am pretty sold on Domains.  I think we should chop off the groups concept, and anything not essential, and merge it into identity19:03
* jeblair steps on mtaylor's foot19:03
ayoungnot in contrib19:03
heckjayoung: awesome work, thanks for the walkthrough19:03
ayoungbut since gyee is not here...we should plan on discussing that in depth next week19:03
mtaylor#startmeeting19:04
openstackMeeting started Tue Jul 24 19:04:18 2012 UTC.  The chair is mtaylor. Information about MeetBot at http://wiki.debian.org/MeetBot.19:04
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.19:04
mtaylorbwahahaha. I haz taken over!19:04
Daisy:)19:04
DaisyHello !19:04
*** aclark_ has joined #openstack-meeting19:04
mtaylorhi there.19:04
clarkbhello19:04
mtayloranybody else want to talk about, you know, things?19:04
*** AlanClark has quit IRC19:04
Daisyany agenda ?19:05
annegentlestuff and things!19:05
mtaylorwe normally start through just with some updates from folks on anything they've done, then open up the floor for things19:05
Daisyok19:05
mtaylorso... clarkb - what's been up in your world?19:05
clarkbI get to go first whee!19:06
clarkbI am trying to think about what happened week before last because OSCON19:06
clarkbgerritlib is now its own project with tests and stuff as well as all the packaging foo19:07
*** aclark_ has quit IRC19:07
jeblairclarkb: is that ready for a release no that gerritbot can consume it?19:07
jeblairs/no that/so that/19:07
clarkbjeblair: I think so, unless we want to PBR it first19:07
mtaylornope. pbr is killing me at the moment19:07
clarkbbut functionally PBR isnt necessary19:07
jeblairokay, i'll see about cutting a release then.19:08
clarkbsounds good.19:08
mtaylorclarkb: if it has the right jobs and stuff, you should be able to cut a release by tagging it19:08
jeblairmtaylor: i think i need to register it first...?19:08
*** milner has joined #openstack-meeting19:08
*** aclark_ has joined #openstack-meeting19:08
*** milner has quit IRC19:08
mtayloryup19:08
*** milner has joined #openstack-meeting19:09
clarkboh yes, that was the big thing I was forgetting. Zuul is now a little smarter. If a job not at the front of the queue has a failure all of the jobs behind it are cancelled to free resources19:09
mtaylorregister it and then go to the project page and add openstackci as a maintainer19:09
clarkb(they will be rerun again anyways so there is little sense in burning up CPU cycles running them multiple times)19:09
jeblairmtaylor: (i'll do that)19:09
mtaylorclarkb: awesome! I think that will be quite handy19:10
clarkbso far it appears to have been working. I haven't seen any really long job queues since that patch went in19:10
jeblairclarkb: indeed, it's already made a difference.19:10
*** kindaopsdevy has joined #openstack-meeting19:10
clarkbjeblair fixed a bug in Zuul to make this possible19:11
mtaylorjeblair: sounds like the baton is being passed there19:11
clarkbother than that I added asciidoc building dependencies to build slaves, just merged in the bits that should make selenium testing possible, and I can't think of anything else at them moment19:12
jeblairmtaylor: zuul has three contributors now!19:12
mtaylorjeblair: w00t!19:13
mtaylorjeblair: watch out- you're going to eclipse openstack itself19:14
jeblairmtaylor: don't get me started on eclipse.19:14
mtaylorjeblair: you wanna use netbeans instead?19:14
jeblairmtaylor: who has the floor? :)19:15
mtaylorjeblair: you do19:15
jeblairso, in addition to working with clarkb on some of the zuul stuff he already mentioned, i also make a few more changes to zuul:19:16
jeblairsuppression of duplicate events (so we don't test something twice if it's approved twice)19:16
jeblairand the option to delay testing of changes until at least the -merge job of the change ahead has passed19:17
*** heckj has quit IRC19:17
mtaylor++19:17
Daisyhi19:17
jeblairi'm currently working on getting zuul to change tests in a better order19:17
mtaylorthe change to gerrit for that seemed to be reasonably painless19:18
jeblairspecifically, to recognize dependencies between changes, and to merge-gate them in the correct order.19:18
jeblair(and not merge-gate them until they can actually be merged)19:18
DaisyI'm working on the document translation process. I come here to see if somebody can help me to integrate the translation process in CI.19:18
DaisyI got some chance to read CI documents. I still have some questions.19:18
DaisyThe Puppet Modules "Doc Server" is not existed. Is it still being used ?19:19
jeblairthe change to gerrit is to facilitate zuul understanding when a change is ready to be merged (does it have the needed approvals)19:19
jeblairDaisy: we'd love to talk about that! can you wait a few more minutes?19:19
mtaylorjeblair: yeah, that seemed like a generally good (and thankfully small patch)19:19
jeblairi'll start working on upstreaming it once we have a little experience with it.19:20
Daisyjblair: sure19:20
jeblairthere are three core projects that are still not participating in the devstack gate19:20
mtayloragree. you put that on review-dev just now, yeah?19:20
mtaylorjeblair: swift and what else?19:20
jeblairmtaylor: hasn't merged yet, but i'll do it after the meeting19:20
jeblairswift, cinder, and quantum19:21
jeblairquantum has been outstanding since mid-april; supposedly if this change merges, the exercises should pass: https://review.openstack.org/#/c/8642/19:21
mtaylorah yes19:21
jeblaircinder is being actively worked on by jaypipes and jgriffith19:22
jeblairit passes exercises now, but has a problem with a tempest smoke test19:22
jeblairand the last time i ran the swift check, it passed19:22
mtaylorfancy!19:22
jeblairnotmyname: you around?19:22
notmynameyup19:22
jeblairwhat do you think about turning on devstack-gate for swift?19:22
notmynameanything changed since we last talked about it?19:23
notmynamefailure modes, etc19:23
*** kindaopsdevy has quit IRC19:24
*** kindaopsdevy has joined #openstack-meeting19:24
notmynameis it currently running in a non-gating fashion now?19:24
jeblairnope.  devstack has been fixed so that it doesn't try to use swift3 when swift is enabled, so the gate-test passes now (or did last time i ran it)19:24
notmynamegood19:24
jeblairit's not running regularly with swift, only when this change is tested: https://review.openstack.org/#/c/8809/19:25
notmynameI'd like to either wait a week before gating, but I'm ok with adding it in a non-gating manner now. we've got a release next monday, and I'd hate to add stuff that slows down that process right before the release19:25
notmyname* either wait a week, or add it now in a non-gating manner19:26
jeblairthat works for me.  we can aim to add it after the release next week.19:26
notmynameactually, is it possible to add it as a non-gating test before gating on it?19:26
jeblairnotmyname: it's possible, but quite a bit of effort for not much reward.  (it would require a separate job and consume twice the test resources)19:28
jeblairtriggering rechecks of https://review.openstack.org/#/c/8809/ will let us spot check that everything's still working, and of course, that change itself won't merge unless everything is working.19:29
mtaylorany more on swift gating?19:32
mtaylorfrom my end, I'm happy to report that we've moved all of our main servers over to puppetmaster now19:32
mtayloryay19:32
jeblairmtaylor: the new layout looks lovely19:32
clarkbgrep helps when looking for things :)19:33
mtaylorthat's what happens when you run in to the puppet people at oscon19:33
mtaylorso thanks bodepd19:33
mtaylorI've also got the first pass at puppet-dashboard installed19:34
mtaylorbut it's having issues when it's run via apache19:34
mtaylorso it seems there might be ruby debugging in my future19:34
notmynamesorry, got called away for a customer issue. jeblair: mtaylor: let's enable it next week after the release19:34
jeblairnotmyname: sounds good19:35
mtaylor++19:35
mtaylorI think that's all I've got on my end19:35
mtaylor#topic documentation translations19:35
*** openstack changes topic to "documentation translations"19:35
mtaylorDaisy: howdy19:35
mtaylorannegentle: you around?19:35
Daisyhi19:36
*** adjohn has quit IRC19:36
*** bencherian has quit IRC19:36
annegentleye19:37
annegentleyes, even19:37
*** Daisy_ has joined #openstack-meeting19:37
Daisy_Hi, I'm back19:37
mtaylorDaisy_: awesome. we're all yours19:37
Daisy_:)19:37
Daisy_first of all, I have some questions after reading CI documents.19:37
Daisy_The Puppet Modules "Doc Server" is not existed. Is this still used ?19:38
Daisy_And, I cannot find openstack-manuals job definition in YAML scripts.19:39
mtayloropenstack-manuals I believe is still manually done in jenkins, yeah?19:39
jeblairi think so19:39
mtaylorand also, the Doc Server moduel is not used and is gone19:39
Daisy_oh.19:39
jeblairwe need to convert that to job filler -- we should be able to now that we have shell scripts19:39
mtaylorjeblair: ++19:40
Daisy_manually defined some jobs ?19:40
jeblairand maven support19:40
*** Daisy has quit IRC19:40
*** kindaopsdevy_ has joined #openstack-meeting19:40
mtaylorDaisy_: yeah - the old way we used to make jobs in jenkins was just through the web ui19:40
Daisy_ok. I see.19:41
mtaylorit's not scalable, so we've been replacing it - but we havne't fully converted everything yet19:41
Daisy_I see the job definitions through web UI.19:41
Daisy_ok. thanks.19:41
Daisy_Let me describe my requirements.19:41
Daisy_Can I have a job run regularly, like, once per 12 hours in Jenkins?19:42
Daisy_What language can be used to describe such job ? python script or YAML ?19:42
jeblairDaisy_: yes, you can run a job on a schedule19:43
jeblairDaisy_: (but we like to have jobs run in response to events as much as possible -- anything that happens in gerrit can generate an event that triggers a jenkins job)19:43
*** kindaopsdevy has quit IRC19:43
*** kindaopsdevy_ is now known as kindaopsdevy19:43
jeblairDaisy_: and if you want to hook a job up to an outside event source -- like a translation service -- if it has events or hooks, we can look at triggering jobs from that too.19:44
jeblairDaisy_: but otherwise, a schedule is easy to do.19:44
mtaylorDaisy_: ++19:44
mtayloryeah - is the job wanting to grab translatoins from somewhere and publish them?19:44
jeblairDaisy_: as for how to describe a job...19:45
Daisy_Now we are using Transifex to host the translation. The DocBooks are sliced into pieces. I found it was not convenient to see the whole translated documents under such situation. I'm looking for a way to show the latest translation result.19:45
Daisy_Even the translation is not completed, we can see a document with mixed languages, some parts are translated, some parts are still in Englisn.19:45
jeblairDaisy_: the jenkins job_filler yaml files are the way we'd like to define the jobs in jenkins -- if the jobs are more than one or two lines of shell script, you should write a script (python or shell, whatever you need), and then call that from the jenkins job you specify with yaml.19:46
mtaylorDaisy_: do you have a link to the transifex project?19:46
Daisy_I have.19:46
Daisy_https://www.transifex.net/projects/p/openstack-manuals-i18n/19:46
mtaylorcool. so, in general it seems like we need to figure out how to get data back out of transifex19:48
mtayloris transifex watching the trunk git repos?19:48
Daisy_And, what's more, after document transaltion, there will be documents in different languages. How to show these in website? I have no idea.19:48
mtaylornow that's a question for annegentle19:49
Daisy_Transifex uses its client to push the resources to transifex website and pull the translation back to local file disk.19:49
annegentleDaisy_: I believe the openstack-manuals github repo's www folder will have to have new index.html that enables display of the translated documents19:50
annegentlebetter yet, we'd have a CMS front end that could handle this, but for now it's hand-written HTML linking19:50
* annegentle wonders how publican handles?19:50
mtaylorwell lookie there19:51
mtaylorhttp://pypi.python.org/pypi/transifex-client/19:51
clarkbso we would probably want a python script that pulls translations from transifex and submits them to gerrit?19:52
Daisy_maybe. I remember the transifex client is also writen in python.19:53
*** ayoung has quit IRC19:53
Daisy_http://help.transifex.com/features/client/index.html#user-client19:53
jeblairyeah, there's a similar job that pulled translations from launchpad we can base it on19:53
mtaylorhow are the new things being update right now19:54
mtayloras in, who owns that?19:54
jeblairbasically, git checkout, pull translations, commit and git-review19:54
*** thingee has joined #openstack-meeting19:54
Daisy_what is git checkout ?19:54
mtaylorDaisy_: it looks like you are the owner of https://www.transifex.com/projects/p/openstack-manuals-i18n/19:54
Daisy_Yes, I created it.19:54
mtaylorDaisy_: how do you update the source strings to be translated when new changes are made in git19:55
*** mnewby has joined #openstack-meeting19:55
mtaylordo you personally run the tx command?19:55
Daisy_msg mtaylor Yes for now.19:56
mtaylorok. so, steps moving foward are going to be:19:56
mtaylora) getting a transifex account made for jenkins19:56
mtaylorb) getting that jenkins account added to the openstack-manuals-i18n project19:56
annegentlesorry all, have to run to a meeting, but I will read the logs19:56
mtaylorc) getting a jenkins job that pushes new base changes to transifex19:57
mtaylord) getting a jenkins job that pulls new translations from transifex and submits them to gerrit19:57
Daisy_correct !19:57
jeblairi'll take (a)19:58
mtayloractually - heckj and GabrielHurley run the openstack uhub19:58
mtaylorhub19:58
mtaylorso what we _really _ want is to get the openstackci user added to that hub19:58
clarkbwe should probably add this project to the hub if possible19:58
Daisy_ok. I will request again.19:58
mtaylorand the manuals project added to that hub19:58
mtaylorand we need to get the CI team added as admins of that hub19:58
Daisy_who can add that project to hub ?19:58
mtaylorI'll take on tracking down heckj and gabriel19:58
Daisy_thank you, mtaylor !19:59
mtaylorDaisy_: I think we'll be doing good if we can just get account permissions sorted this week19:59
jeblairDaisy_: can you join us in #openstack-infra ?19:59
*** markmc has joined #openstack-meeting19:59
Daisy_when is #openstack-infra?19:59
mtaylorlet's check back in next week and ensure that we've got that done and can start making jobs19:59
Daisy_I'd like to join.19:59
jeblairDaisy_: we can continue to talk about this in that channel19:59
*** s34n has left #openstack-meeting19:59
Daisy_so the next meeting is #openstack-infra?20:00
jeblairDaisy_: we're in that channel all the time20:00
*** cp16net|away is now known as cp16net20:00
Daisy_great to know that ! a day meeting in Tuesday !20:00
jeblairDaisy_: no, most of the infrastructure/ci people are in that channel all the time and available to talk about this sort of thing20:00
Daisy_ok, thanks.20:00
mtaylorcool. I think that's good for this week. thanks everybody!20:01
mtaylor#endmeeting20:01
*** openstack changes topic to "OpenStack meeting channel. See http://wiki.openstack.org/Meetings for schedule and http://eavesdrop.openstack.org/meetings/openstack-meeting/ for meeting logs"20:01
openstackMeeting ended Tue Jul 24 20:01:49 2012 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)20:01
openstackMinutes:        http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-07-24-19.04.html20:01
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-07-24-19.04.txt20:01
openstackLog:            http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-07-24-19.04.log.html20:01
*** Daisy_ has quit IRC20:05
*** joearnold has joined #openstack-meeting20:07
*** littleidea has quit IRC20:08
*** anderstj has joined #openstack-meeting20:13
*** littleidea has joined #openstack-meeting20:13
*** littleidea has quit IRC20:18
*** littleidea has joined #openstack-meeting20:18
*** nati_ueno has quit IRC20:26
*** rnirmal has quit IRC20:30
*** joearnold has quit IRC20:31
*** alrs has quit IRC20:35
*** Mandell_ has joined #openstack-meeting20:35
*** jakedahn_zz is now known as jakedahn20:38
*** Mandell has quit IRC20:39
*** gyee has joined #openstack-meeting20:40
*** adjohn has joined #openstack-meeting20:43
*** alrs has joined #openstack-meeting20:52
*** nati_ueno has joined #openstack-meeting20:52
*** nati_ueno has quit IRC20:53
*** bcwaldon has joined #openstack-meeting20:54
*** bencherian has joined #openstack-meeting20:54
*** anderstj has quit IRC20:57
*** salv-orlando has joined #openstack-meeting20:59
ttxo/21:00
ttxheckj, notmyname, bcwaldon, jgriffith, vishy, devcamcar, danwent: around ?21:00
jgriffitho/21:01
notmynamehere21:01
danwento/21:01
vishyo/21:01
ttxno heckj21:01
*** maoy has quit IRC21:02
ttxvishy: bcwaldon around you ?21:02
vishyno he is not21:02
bcwaldonyes21:02
bcwaldonttx: I have arrived21:03
ttxlet's start and reorder to let heckj some time to join21:03
ttx#startmeeting21:03
openstackMeeting started Tue Jul 24 21:03:12 2012 UTC.  The chair is ttx. Information about MeetBot at http://wiki.debian.org/MeetBot.21:03
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.21:03
ttxAgenda @ http://wiki.openstack.org/Meetings/ProjectMeeting21:03
ttx#info We are halfway through F3, so will look into progress, especially on essential stuff21:03
ttx#info Will also look into upcoming Swift 1.5.121:03
ttx#topic Actions from previous meeting21:03
*** openstack changes topic to "Actions from previous meeting"21:03
ttx* ttx to see how danwent could track bugs outside quantum without creating noise21:03
*** gabrielhurley has joined #openstack-meeting21:03
ttxSent an email explaining options21:04
danwentttx: yeah, sorry, i've been behind following up on that.21:04
ttxgabrielhurley: standing in for devcamca- ?21:04
gabrielhurleyttx: yessir21:04
gabrielhurleysorry I'm late21:04
ttxawesome. Nobody replacing heckj yet ?21:04
ttx#topic Swift status21:04
*** openstack changes topic to "Swift status"21:04
ttx#link https://launchpad.net/swift/+milestone/1.5.121:04
ttxnotmyname: hello!21:05
notmynamehowdy!21:05
ttxnotmyname: I targeted a few existing blueprints to 1.5.1 based on https://github.com/notmyname/swift/blob/1.5.1-changelog/CHANGELOG21:05
notmynamethanks21:05
notmynameso, about 1.5.121:05
ttxWas wondering if blueprints should be retroactively created for Illumos compatibility or logger UDP support ?21:05
ttxor are those minor features ?21:05
notmynameya, I was planning on creating those21:05
ttxok, cool21:05
notmynamewe want to call this swift 1.6.021:05
notmynamebased on the amount of changes and the significance of some of the changes21:06
ttxnotmyname: sounds ok to me, just need to rename the milestone21:06
ttxnotmyname: should I do so now ?21:06
notmynameyes, please21:06
ttx#info Renamed to https://launchpad.net/swift/+milestone/1.6.021:07
*** heckj has joined #openstack-meeting21:07
notmynamethanks21:07
ttxheckj: you're next ;)21:07
heckjo/ (sorry I'm late)21:07
notmynamewe will start the testing/QA process for the release tomorrow21:07
ttxnotmyname: you should probably bump the version to 1.6.0/False before21:07
notmynamettx: I should be able to get the final commit hash by friday pm or on the weekend so you can cut the release on monday am21:08
notmynameok, good call on the version bump21:08
notmynameI'll take care of that21:09
ttxnotmyname: sounds good. When you have the commitid you sent to QA, I'll cut milestone-proposed from it21:09
ttxso that others can do QA as well21:09
notmynameI should have that tomorrow21:09
ttx#action notmyname to retroactively create some blueprints to cover 1.6.0 main features21:09
ttxI see one 1.6.0-targeted bug: bug 102683021:09
ttxShould it be considered blocking 1.6.0 right now ?21:10
* jgriffith wonders if he's still in IRC?21:10
*** jgriffith has quit IRC21:10
creihtmaybe he put his keyboard on mute? ;)21:10
uvirtbotLaunchpad bug 1026830 in swift "replication will never reload the ring file if it is initially empty" [High,In progress] https://launchpad.net/bugs/102683021:10
creihtholy irc lag batman21:10
* creiht hides again21:10
notmynamethat's been committed21:11
ttxnotmyname: bug status didn't catch up yet. Will update21:11
notmynamesorry, dealing with customer issues at the same time...21:11
*** dwcramer has quit IRC21:11
ttxnotmyname: anything else ?21:11
*** jgriffith has joined #openstack-meeting21:12
notmynameah I see what happened21:12
notmynameThe linked patch was abandoned and a different one was merged instead21:12
notmynameI probably forgot the bug number in the updated patch commit message21:12
ttxok, can you set FixCommitted ? (and maybe link to the commit of the patch)21:12
notmynameno, I have nothing else. questions?21:12
ttx#topic Keystone status21:13
*** openstack changes topic to "Keystone status"21:13
ttxheckj: o/21:13
heckjo/21:13
ttx#link https://launchpad.net/keystone/+milestone/folsom-321:13
ttxheckj: Looks like slow progress overall...21:13
heckjyep - good on the PKI stuff, but others need to get seriously re-evaluated21:14
ttxEspecially the 3 "not started" blueprints sound a bit unlikely to make it now ?21:14
heckjThe AD based backend is still likely to get some traction, but the temp objects is suspect21:14
heckjLiemnn is moving on to other projects, and has had to defer our the policy documentation work beyond what he's already done21:15
heckjI'll be reviewing this this week and marking things out of the F3 milestone where there's no sign or hope of progress.21:15
ttxheckj: is it still worth keeping that target in ? https://blueprints.launchpad.net/keystone/+spec/document-deployment-suggestions-policy ?21:15
ttxSounds like doc that could be done post-F3, fwiw21:16
heckjI'm going to make a call for help on that - I feel from a deployment point of view, it's very important and needs to be done. It's somewhat doc related, so I'll try and sync with Anne to see what I can find there21:16
ttxheckj: still working on an alpha-level v3 API ?21:17
heckjttx: yep, just not much progress with OSCON last week21:17
ttxheckj: anything else ?21:17
heckjthat's it from me21:18
ttxQuestions about Keystone ?21:18
*** johnpostlethwait has joined #openstack-meeting21:18
ttx#topic Glance status21:19
*** openstack changes topic to "Glance status"21:19
ttxbcwaldon: o/21:19
ttx#link https://launchpad.net/glance/+milestone/folsom-321:19
bcwaldonttx: hey21:19
ttxGeneral progress looks good...21:19
ttxLet's look into the essential stuff in more detail:21:19
bcwaldonok21:19
ttx* https://blueprints.launchpad.net/glance/+spec/api-v2-store-access (Not started)21:19
ttxHow complex is that ? Still doable in time ? ETA for code proposal ?21:20
bcwaldonI've been in some offline conversations about it21:20
bcwaldonwe can get the basic functionality in easily21:20
bcwaldonand it absolutely will be for f321:20
bcwaldontrying to determine what the best approach is21:20
ttxok21:20
ttx* https://blueprints.launchpad.net/glance/+spec/api-v2-links21:20
bcwaldonmarkwash should be able to knock that out pretty easily21:21
bcwaldonhe's been pulled in a bunch of different directions and hasn't had time to get back to it21:21
ttxWould be good to knock everything we can as early as possible :)21:21
bcwaldonI can pick it up if he can't21:21
bcwaldonyes, I'm going to sync up with him after this21:21
ttx* https://blueprints.launchpad.net/glance/+spec/separate-client21:21
ttxThat's blocking on https://blueprints.launchpad.net/python-glanceclient/+spec/glance-client-parity , right ? How close is that ?21:21
bcwaldonI've got code for it, just waiting on the nova piece21:21
bcwaldonwhich I am also working on21:21
bcwaldoneverything is slowly falling into place21:22
ttxnova ?21:22
bcwaldonI'm at the *last* blocker21:22
bcwaldonyes, we need to rewrite the glance client code in nova to talk to new client21:22
bcwaldonwait!21:22
bcwaldonwrong bp21:22
bcwaldonwe need to port over the client ssl code from old glance client21:22
bcwaldonthats the last thing21:22
bcwaldonfor glance-client-parity21:22
ttxHmm.. so separate-client is blocked on... what ?21:23
bcwaldonwell, it's soft-blocked on nova integration21:23
bcwaldonintegrate-glance-client21:23
bcwaldon...I think thats the proper name21:24
ttxHmm, do you agree to set the status of this one to Blocked until the Nova part is solved ?21:24
bcwaldonif that makes you happier, sure!21:24
ttxWill make my life simpler. This is not the only blueprint I track :)21:25
ttxETA for integrate-glance-client ?21:25
bcwaldonI started it a couple of times and realized there was more python-glanceclient work to be done21:26
bcwaldonthat work just landed yesterday, so I am now shooting for the end of this week21:26
ttxIs glance-client-parity the last thing blocking python-glanceclient 1.0 release ?21:26
ttxYou talked several time about curtting a release for the client code21:26
ttxbut I haven't seen it yet ;)21:27
bcwaldonyes, that is the blocker21:27
ttxack21:27
bcwaldonbar21:27
ttx* https://blueprints.launchpad.net/glance/+spec/api-v2-image-caching21:27
ttxWill this be complete once https://review.openstack.org/#/c/9930/ is in ?21:27
bcwaldonin review right now21:27
bcwaldonyes21:27
ttxSounds good, hopefully most of those will be in better shape a week from now21:28
ttxa.k.a. "before the end of the month"21:28
ttxbcwaldon: Anything else ?21:28
bcwaldonttx:  I might go a different path with python-glanceclient versioning21:28
bcwaldonttx: different as in releasing all the work Ive been doing under a v0.221:29
bcwaldonrather than straight to v121:29
ttxbcwaldon: sounds a bit more careful indeed21:29
bcwaldonyes21:29
ttxpeople tend to find bugs21:29
bcwaldonand I'm kind of breaking my own rule by going from v0 to v121:29
bcwaldonthe project is in a weird spot, and I want to make the best next step21:29
ttxQuestions on Glance ?21:30
ttx#topic Quantum status21:30
*** openstack changes topic to "Quantum status"21:30
ttx#link https://launchpad.net/quantum/+milestone/folsom-321:31
ttxdanwent: yo21:31
danwenthey21:31
ttxGood progress on High/Essential stuff... let's see the Essential ones in more detail21:31
ttx* https://blueprints.launchpad.net/quantum/+spec/provider-networks21:31
danwentthe worst one is assigned to me :)21:31
ttxWill this be completed once https://review.openstack.org/#/c/9069/ hits ? Or is there more to it ?21:31
danwentthat patch is part 2 of 321:31
danwentpart 1 merged recently.21:31
danwentpart 3 is fairly small, so i'm not too worried.21:32
ttxdanwent: ok21:32
ttx* https://blueprints.launchpad.net/quantum/+spec/quantum-v2-public-networks21:32
ttxWill this be completed once https://review.openstack.org/#/c/9845/ hits ?21:32
danwentyes21:32
ttxand the last one :)21:32
ttx* https://blueprints.launchpad.net/quantum/+spec/quantum-l3-fwd-nat21:32
danwentthis is mostly just hung up on terminology discussions, which I think we cleared up meeting yesterday21:32
danwent(comment was about previous link)21:32
danwentyeah, that's the biggest item outstanding, and its on me.21:32
ttxAny progress on that ? ETA ?21:32
danwentprogress has been slower than I like in the past week.21:33
ttxwonder why21:33
danwentbut I have some volunteers to help as well, so I'll probably split it into two by next week.21:33
danwenta lot of the underlying stuff is there thanks to the dhcp work, so i'm not too concerned21:33
ttxdanwent: two parts: both essential ?21:33
danwentif its not good progress by next week though, definitely would be worried.21:33
danwentyes21:34
ttxok21:34
danwentbut worked on by two people21:34
ttxYou mentioned last week that there were a lot of blueprints, but you wanted to track them all because someone said they would do it...21:34
ttxBut there are a number of unassigned blueprints in there. So I'd think they should have an assignee or be removed from the F3 goals ?21:34
danwentyeah, i saw your script called those out.21:34
danwentcurrently, i have things assigned to F-3, as when people finish up their essential/high BPs, they often look for other ways to help21:35
danwentI could probably create a tag for that though, if you prefer21:35
ttxNo that's ok21:35
ttxJust thought that they would be busy enough with one of the other 28 blueprintds21:35
danwentwe actually have a very large number of people contributing these days.21:36
ttxdanwent: some other projects use the series goal = Folsom with no milestone for the "wishlist fof folsom if there is time left" thing21:36
danwentthat's a good idea.  i'll switch to that.21:37
ttxVery visible under https://blueprints.launchpad.net/quantum/folsom21:37
*** aclark_ has quit IRC21:37
ttxdanwent: Anything else ?21:37
danwentnot that I can think of.21:37
ttxQuestions on Quantum ?21:37
ttx#topic Cinder status21:38
*** openstack changes topic to "Cinder status"21:38
ttxjgriffith: howdy!21:38
jgriffithhey there21:38
ttx#link https://launchpad.net/cinder/+milestone/folsom-321:38
ttxLooking at targeted blueprints...21:38
ttx* https://blueprints.launchpad.net/cinder/+spec/cinder-notifications21:38
jgriffithThe first two have landed21:38
ttxThis one is marked "Deferred", does that mean it's been pushed back to Grizzly ?21:38
jgriffithThe only one that is outstanding is the migration21:38
*** nati_ueno has joined #openstack-meeting21:38
ttxremove-extra-dbapi-methods is completed ? I can set it to "Implemented" ?21:39
jgriffithYes,21:39
jgriffithI'll need to see if cp16net is going to pick back up the notifications21:39
jgriffithThat just leaves the migration21:39
ttxFor the notifications: please update when you know (set priority and status)21:40
jgriffithttx: Will do21:40
ttx* https://blueprints.launchpad.net/cinder/+spec/migrate-nova-volumes-to-cinder21:40
ttxThis one is a bit undefined... No priority, no assignee, series goal unset, unknown status... Could you explain what's expected from that one ?21:41
jgriffithThat's coming up with a plan to do a clean and tested migration21:41
jgriffithI don't have anything to add "yet"21:41
ttxjgriffith: Sounds like high priority to me... who is working on that ?21:42
jgriffithNot yet, but hopefully later this week21:42
jgriffithIt's going to be the highest priortiy21:42
ttxWho will be working on that ?21:42
jgriffithAlso need to come up with tests etc (ie live clusters)21:42
*** dendrobates is now known as dendro-afk21:42
jgriffithttx: Me for sure...21:42
ttxjgriffith: so OK if I mark it yours, Not started and High prio ?21:43
jgriffithttx: I suspect vishy will have some input :)21:43
*** heckj has quit IRC21:43
jgriffithttx: Yep21:43
ttxAre those 3 the only features missing in Folsom Cinder ?21:43
ttxhmm those 2 actually21:43
jgriffithNo... I still have a few things I'm trying to get finished21:43
jgriffithWell... striclty speaking yes21:43
jgriffithI still have to get everyting working on parity21:44
jgriffithGet devstack defaulting to cinder etc21:44
ttxok21:44
ttxjgriffith: Anything else ?21:44
jgriffithttx: Nah21:44
ttx#topic Nova status21:44
*** openstack changes topic to "Nova status"21:44
vishyhi!21:44
ttxvishy: hey21:44
ttx#link https://launchpad.net/nova/+milestone/folsom-321:44
ttxSlow progress overall. I'm a bit concerned with the two Essential ones, which look stalled since F2:21:45
ttx* https://blueprints.launchpad.net/nova/+spec/finish-uuid-conversion (mikal)21:45
vishyyes I just tried to ping mikal today21:45
ttxBeen "almost there" for a long time... What's left to do here ? Any chance that it would land before next week ?21:45
vishyhe hasn't updated the review for a week21:45
ttxWill chase him tomorrow morning21:45
ttx* https://blueprints.launchpad.net/nova/+spec/general-host-aggregates (jog0)21:46
vishyhe's is still working on the general host stuff21:46
vishyI think he's making good progress though21:46
vishyI want to defer trusted messaging and user configurable rbac21:46
vishyI don't think either of those will make it21:46
jog0ttx, vishy: I am working on step 2 right now and hope to start step 3 later this week21:46
ttxvishy: sounds like a good idea21:46
*** anderstj has joined #openstack-meeting21:46
ttxjog0: there are only 3 steps right ?21:47
ttxWould be good to have all code merged or proposed by next week21:47
ttx(i.e. bp in "Needs code review" status)21:47
vishythe no-db-nova-compute is questionable21:47
jog0ttx: there is a step 4 and 5 that involve extra testing and updated docs only.21:47
jog0ttx:  sounds good21:48
vishyrussel is making good progress but it is a big change. We'll see how it is next week21:48
vishyconfig drive is underway. Extract volumes i will mark complete as soon as jgriffith is done moving the gating tests over21:48
ttx* https://blueprints.launchpad.net/nova/+spec/volume-usage-metering -> Low ?21:49
vishyyun is making progress on the transactional task management. I don't know if the whole thing will make it in, but perhaps some more incremental improvements21:49
ttxor should that just move to Cinder ?21:49
vishyit looks like nova-volumes might still exist so I don't mind it being in there a slow21:49
*** dwcramer has joined #openstack-meeting21:50
ttx#action vishy to defer trusted messaging and user configurable rbac to Grizzly21:51
ttxFinally, would be great if we could have some triaging done on Nova bugs, so that we have a clearer, prioritized view on what needs to be fixed before Folsom release21:51
ttxIn particular we have 85+ New/Undecided bugs that need some feedback21:51
ttxSee https://launchpad.net/~nova-bugs to join the effort21:51
ttxvishy: Anything else ?21:52
ttxhyper-v-revival -> should probably be "started" given what I heard21:52
vishyttx: only a mention to nova-core that sdague still needs some more votes!21:52
vishythe other 3 will be added tomorrow21:53
vishyttx: yes21:53
ttxQuestions on Nova ?21:53
ttx#topic Horizon status21:53
*** openstack changes topic to "Horizon status"21:53
ttx#link https://launchpad.net/horizon/+milestone/folsom-321:53
ttxSlow progress overall... Still feeling on track ?21:54
ttxgabrielhurley: ^21:54
gabrielhurleyttx: hello!21:54
*** dendro-afk is now known as dendrobates21:54
gabrielhurleyttx: things are picking up steam, I think we're doin' alright.21:54
ttxhttps://blueprints.launchpad.net/horizon/+spec/ext-roles is marked Blocked... Could you elaborate on what it's blocking on ? Isn't clear from the blueprint whiteboard.21:54
gabrielhurleyttx: quantum being the biggest, I've seen code there and it's pretty close21:54
gabrielhurleythe ext-roles sounds like it has to be bumped based on joe and vish's comments in this meeting21:55
ttxwhich comments ?21:55
gabrielhurleyIt was blocked based on keystone, et. al. supporting RBAC (particularly rolling up RBAC to keystone)21:55
gabrielhurleyso Keystone not having that and/or the v3 API falling short, plus Vish saying user-configurable policy being bumped... I'm not hopeful for seeing this come together21:55
ttxok, could you clarify if this is dropped to Grizzly before next week ?21:56
gabrielhurleyttx: definitely can21:56
ttx#action gabrielhurley/devcamcar to clarify droppage of ext-roles due to lack of RBAC support21:57
ttxgabrielhurley: anything else you wanted to mention21:57
ttx?21:57
gabrielhurleyttx: not especially. beyond the roles/RBAC blueprint everything else is on track.21:57
ttxQuestions for Horizon ?21:57
ttx#topic Other Team reports21:58
*** openstack changes topic to "Other Team reports"21:58
ttxannegentle, jaypipes, mtaylor, *: ?21:58
*** ohnoimdead has joined #openstack-meeting21:58
markmcttx, you wanted to catch up on stable branch status21:58
* markmc haz status21:58
ttxmarkmc: shoot21:58
markmcok21:58
markmcit's been 4 weeks since 2012.1.121:58
ttxmarkmc matches *21:59
markmcmost activity in nova21:59
markmc20+ fixes21:59
markmc1 of the a serious security fix21:59
markmcalso ~5 fixes in keystone21:59
markmcnothing really in glance and horizon21:59
markmcfigure it'd be good to do a nova and keystone 2012.1.2 release soon21:59
*** lcheng has quit IRC22:00
ttxmarkmc: will look at the security pipe and let you know if we are in good shape22:00
markmcttx, ok22:00
markmcttx, what do you think of doing a release next week?22:00
ttx#action ttx to confirm green light to nova and keystone 2012.1.222:00
markmcoh, and any stable-maint members - please take a look at:22:00
ttxmarkmc: pending that last item, sure22:00
*** lzyeval has joined #openstack-meeting22:00
markmc     https://review.openstack.org/9534   Handle local & remote exceptions consistently.22:00
markmc     https://review.openstack.org/10155  Adding networking rules to vm's on compute service startup22:00
markmcttx, cool22:01
ttxAny other team lead with a status report ?22:01
ttx#topic Open discussion22:01
*** openstack changes topic to "Open discussion"22:01
*** ohnoimdead has quit IRC22:01
ttxAny last-minute comment ?22:01
ttxwell then...22:02
ttx#endmeeting22:02
*** openstack changes topic to "OpenStack meeting channel. See http://wiki.openstack.org/Meetings for schedule and http://eavesdrop.openstack.org/meetings/openstack-meeting/ for meeting logs"22:02
openstackMeeting ended Tue Jul 24 22:02:42 2012 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)22:02
openstackMinutes:        http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-07-24-21.03.html22:02
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-07-24-21.03.txt22:02
openstackLog:            http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-07-24-21.03.log.html22:02
ttxGetting harder to fit in one hour22:02
ttxBut I WON'T ADMIT DEFEAT22:03
*** markmc has quit IRC22:03
*** Mandell_ has quit IRC22:04
*** flaviamissi has quit IRC22:05
*** gabrielhurley has left #openstack-meeting22:05
*** Mandell has joined #openstack-meeting22:06
*** littleidea_ has joined #openstack-meeting22:14
*** matiu_ has quit IRC22:16
*** littleidea has quit IRC22:18
*** littleidea_ is now known as littleidea22:18
*** anniec has quit IRC22:23
*** lzyeval has quit IRC22:24
*** gyee has quit IRC22:32
*** rafaduran has quit IRC22:34
*** alrs has quit IRC22:36
*** anniec has joined #openstack-meeting22:36
*** Mandell has quit IRC22:43
*** Mandell has joined #openstack-meeting22:43
*** dwcramer has quit IRC22:47
*** bbrown has left #openstack-meeting22:47
*** mattray has quit IRC22:51
*** anderstj has quit IRC22:55
*** dendrobates is now known as dendro-afk22:56
*** dwcramer has joined #openstack-meeting23:01
*** anniec has quit IRC23:03
*** anniec_ has joined #openstack-meeting23:03
*** anniec has joined #openstack-meeting23:06
*** anniec_ has quit IRC23:07
*** dtroyer is now known as dtroyer_zzz23:11
*** thingee has quit IRC23:14
*** tr3buchet has quit IRC23:16
*** PotHix has quit IRC23:19
*** dtroyer_zzz is now known as dtroyer23:24
*** joearnold has joined #openstack-meeting23:43
*** ryanpetrello has joined #openstack-meeting23:44
*** joearnold has quit IRC23:49
*** joearnold has joined #openstack-meeting23:50
*** jakedahn is now known as jakedahn_zz23:51
*** joearnold has quit IRC23:52
*** salv-orlando has quit IRC23:55
*** joearnold has joined #openstack-meeting23:58
« Monday, 2012-07-23 Index Wednesday, 2012-07-25 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!