Friday, 2018-07-27

« Thursday, 2018-07-26 Index Saturday, 2018-07-28 »
*** kei_yama has quit IRC00:01
*** kei_yama has joined #openstack-swift00:03
mattoliveraumorning00:06
*** linkmark has quit IRC00:07
*** itlinux has joined #openstack-swift00:15
openstackgerritMerged openstack/swift master: Remove contentdir hack  https://review.openstack.org/58589400:17
*** gyee has quit IRC00:23
*** itlinux has quit IRC00:25
openstackgerritMerged openstack/swift master: make probe tests voting in the gate  https://review.openstack.org/58590000:42
openstackgerritMerged openstack/swift master: Remove some unnecessary SkipTests  https://review.openstack.org/58591000:49
*** kei_yama has quit IRC01:23
*** kei_yama has joined #openstack-swift01:26
openstackgerritNguyen Hai proposed openstack/swift master: add lower-constraints job  https://review.openstack.org/55625501:59
openstackgerritNguyen Hai proposed openstack/swift master: add lower-constraints job  https://review.openstack.org/55625501:59
*** psachin`` has joined #openstack-swift02:23
*** psachin`` has quit IRC02:33
*** links has joined #openstack-swift03:52
*** itlinux has joined #openstack-swift04:22
*** pcaruana has joined #openstack-swift04:28
*** pcaruana has quit IRC04:30
*** kei_yama has quit IRC04:44
*** kei_yama has joined #openstack-swift04:56
*** itlinux has quit IRC05:05
*** cshastri has joined #openstack-swift05:14
*** silor has joined #openstack-swift05:33
*** zigo_ has joined #openstack-swift05:53
*** zigo has quit IRC05:53
*** bharath12345 has joined #openstack-swift06:07
*** bharath12345 has quit IRC06:07
*** pavelk has quit IRC06:42
*** tesseract has joined #openstack-swift06:52
*** rcernin has quit IRC07:00
openstackgerritTim Burke proposed openstack/swift master: Add support for multiple root encryption secrets  https://review.openstack.org/57787407:05
openstackgerritTim Burke proposed openstack/swift master: WIP: multi-key KMIP keymaster  https://review.openstack.org/58645507:05
*** ccamacho has joined #openstack-swift07:20
*** gkadam has joined #openstack-swift07:49
*** mikecmpbll has joined #openstack-swift07:58
*** geaaru has joined #openstack-swift08:01
*** lifeless has quit IRC08:54
*** d0ugal has joined #openstack-swift09:09
*** lifeless has joined #openstack-swift09:11
*** andymccr- has joined #openstack-swift09:47
*** andymccr_ has quit IRC09:50
*** andymccr has quit IRC10:04
*** andymccr- is now known as andymccr10:05
*** cshastri has quit IRC11:02
*** kei_yama has quit IRC11:15
*** cshastri has joined #openstack-swift11:17
*** d0ugal has quit IRC11:41
*** linkmark has joined #openstack-swift12:03
*** bharath12345 has joined #openstack-swift12:05
*** armaan has joined #openstack-swift12:22
*** armaan has quit IRC12:41
*** armaan has joined #openstack-swift12:45
*** armaan has quit IRC12:49
*** armaan has joined #openstack-swift12:50
*** armaan has quit IRC12:54
*** bharath12345 has quit IRC13:28
*** jistr is now known as jistr|mtg13:32
*** ianychoi has joined #openstack-swift13:56
*** ianychoi_ has quit IRC14:00
openstackgerritTim Burke proposed openstack/swift master: Stop holding on to sys.exc_info tuples quite so much  https://review.openstack.org/57047714:01
*** links has quit IRC14:10
*** jlvacation is now known as jlvillal14:18
*** links has joined #openstack-swift14:29
*** jistr|mtg is now known as jistr14:39
*** links has quit IRC15:02
openstackgerritTim Burke proposed openstack/swift master: Stop logging overlapping tracebacks  https://review.openstack.org/54680815:04
openstackgerritTim Burke proposed openstack/swift master: Have yield_suffixes just take a partition_path  https://review.openstack.org/57822115:13
*** cshastri has quit IRC15:15
*** andymccr has quit IRC15:34
*** andymccr has joined #openstack-swift15:35
*** gkadam has quit IRC15:38
-openstackstatus- NOTICE: A zuul config error slipped through and caused a pile of job failures with retry_limit - a fix is being applied and should be back up in a few minutes15:40
*** ChanServ changes topic to "A zuul config error slipped through and caused a pile of job failures with retry_limit - a fix is being applied and should be back up in a few minutes"15:40
*** gyee has joined #openstack-swift15:52
*** gkadam has joined #openstack-swift15:53
*** gkadam has quit IRC15:54
*** gkadam has joined #openstack-swift15:55
*** openstackgerrit has quit IRC16:04
*** silor has quit IRC16:11
*** mikecmpbll has quit IRC16:11
*** links has joined #openstack-swift16:14
*** links has quit IRC16:17
*** links has joined #openstack-swift16:17
*** links has quit IRC16:23
*** tesseract has quit IRC16:32
*** bharath12345 has joined #openstack-swift17:03
*** bharath12345 has quit IRC17:13
*** mikecmpbll has joined #openstack-swift17:25
*** geaaru has quit IRC18:01
*** openstackgerrit has joined #openstack-swift19:30
openstackgerritMerged openstack/swift master: add lower-constraints job  https://review.openstack.org/55625519:30
*** silor has joined #openstack-swift19:32
notmynamehello, owlrd19:48
*** ccamacho1 has joined #openstack-swift20:00
*** ccamacho has quit IRC20:01
*** itlinux has joined #openstack-swift20:03
itlinuxhello swift guys, I am using Tripleo and the controllers are configured to use swift, I need to limit the usage on this since this is production and we do not want to have dev, eng, fill up the drives on the controllers, what's the best way to set quota (bytes for each project). Thanks20:17
notmynameitlinux: will the account quotas work for you?20:24
itlinuxaccount meaning x user? No I have AD it will be hard to do that..20:25
itlinuxI am not sure if there is only one account set but I assume that each tenant / AD has their own..20:25
itlinuxbased on each project20:25
notmynameno, "account" meaning swift account, not user20:28
notmynamethe "AUTH_foobar" part of the url20:28
itlinuxthat could work..20:29
itlinuxsince I believe there is only one account by default20:30
itlinuxnotmyname: what's the best way to check and verify that.. TY20:31
notmynameverify what?20:32
itlinuxthat I have only one account?20:32
notmynameare you running any utilization reports in your cluster?20:33
itlinuxno now.. this is all new deployment prodcution and some of this just pop up..20:36
itlinuxhttp://paste.openstack.org/show/726766/20:36
notmynameitlinux: what auth system are you using? keystone?20:41
itlinuxkeystone backend AD20:41
notmynameso keystone has mapped some AD users to swift right? in order to pass out storage urls when the user gets an auth token20:42
itlinuxI have not mapped any specific users for swift in AD20:48
notmynameno, I mean you've got some users that auth against keystone. and they get back a token and storage url. what's the global set of storage urls that can be returned?20:50
notmynamethat will tell you the answer to the question above. how many swift accounts are being used in the cluster?20:52
itlinuxok.. what command will that show the option..20:53
itlinuxif there is a command to do that..20:53
notmynameno idea. that's your keystone config.20:53
itlinux let me check one sec..20:54
notmynamedoesn't keystone figure out the swift storage url with a template? isn't it normally "AUTH_$(tenantid)" or soemthing like that?20:54
notmynameif that's the case, then do you have any idea how many tenant ids are being used?20:54
itlinuxyea but I have not done any of that since tripleo handles that part so I have not checked..20:55
itlinuxabout 2000 or so20:55
notmynameok, so unless there's been some config change to intentionally map every tenant in keystone to the same swift url, you're using a bunch of different swift accounts (ie one per keystone tenant id)20:57
*** gkadam has quit IRC20:58
itlinuxI guess that's correct20:58
itlinuxwhich means 2000 or so accounts..20:58
notmynameyou can set an individual quota on each of those accounts in swift21:00
itlinux ok how?21:00
itlinuxthat's going to be a lot of management to deal with also .. I was hoping to set the quota on a project21:01
notmynameI thought project was the same as tenant in keystone21:01
itlinuxwell a project = 1 with many tenants (users) and yes now the changed the names tenants = projects..21:02
itlinuxso I want to have tenant(project) many users and set a quota to that not x user per se..21:02
notmynamehow to set an account quote: as a reseller admin, you POST the "x-account-quota-bytes: <number of bytes>" header to the account you want to limit21:03
notmynameok, so it sounds like swift's per-account quotas won't work for you21:03
itlinuxno I do not manage those users..21:04
itlinuxsome other teams do manage the AD..I just add them to the projects (tenants) they will work on21:05
notmynamethere are many definitions of "account" in your system. we're not talking about the same one21:05
notmynameI am only talking about a swift account. the place you store stuff. which is completely independent of any AD system or auth system or anything like that.21:06
itlinuxok let me clear for account I mean the user which is part of the (project/tenant) space..21:07
notmynameswift accounts are used when the auth system says a given token is ok to use with a particular http method against a particular swift account21:07
itlinuxsounds good thanks for that21:07
itlinuxok21:07
notmynameAFAIK, keystone has the idea of "tenants", which have been renamed into "projects"21:08
notmynameI don't know how keystone works with an AD backend21:09
itlinuxthat's correct.. the merge happen.. for the AD backend.. that's a tricky one I guess..21:10
itlinuxdo you want to check out the swift.conf file??21:10
notmynameso I'm not sure what you have set up. I don't understand your use of the word "project". is that something internal to your company? something related to AD? somethng related to keystone?21:10
itlinuxmaybe to get an idea ..21:10
notmynameno, the swift.conf file wouldn't help. all the mapping of these concepts happens outside of swift (ie in keystone)21:11
itlinuxno no.. projects = tenants now... same thing.. I just use them to idenfity a space where (user-a, user-b etc.. do their deployments)21:12
notmynameto be fair, I *still* don't have a great mental model of the logical things in keystone and how they fit together, so I'm working against my own ignorance here21:12
itlinuxwell thanks for helping out to cover the issue on how it could be solved..21:13
*** silor has quit IRC21:13
itlinuxmuch appreciated21:13
notmynamebut I don't think we solved it yet! :-)21:13
itlinuxI know..21:13
itlinuxworking toward it..21:13
notmynameit sounds like you've got a bunch of different people (to avoid the word "users") who are using swift. some of them work on the same thing and share a quota. you'd like to ensure that together they don't exceed the quota, but you're not sure if they are sharing the same storage url in swift or not21:15
notmynameI tried to avoid "user", "account", and "project" there :-)21:15
itlinuxyes that's right21:16
notmynameso *if* they are all using the same storage url, then you can set an quota on the swift account. the swift account is the shared storage url.21:17
notmynamethe keystone administrator should be able to answer if they share a swift storage url or not21:17
notmynamehowever, if they don't share a storage url, then you will have to find a quota solution somewhere else21:17
itlinuxlet me dig on that and see..21:18
notmynameI'd recommend something that ties the auth system to a utilization system. so you get the utilization for all the storage urls, group them and sum the values, then allow or deny subsequent requests via the auth system based on their current utilization against the quota21:18
itlinuxnotmyname: I got this from the glance-api.conf swift_store_config_file=/etc/glance/glance-swift.conf which is a file calling the user=service:glance21:25
itlinuxand it has a password and the default domain for example.. on for that account..21:25
openstackgerritThiago da Silva proposed openstack/swift master: Update saio sample config files  https://review.openstack.org/58670321:29
notmynametdasilva: yes!21:31
tdasilvaquick question regarding upgrade of swift cluster, do we document anywhere if there's an expectation that backend services should be upgraded before proxy?21:34
itlinuxnotmyname looking at the account-server.conf it looks like it calls a user (swift)21:34
itlinuxI guess I could do a quota on that user21:35
tdasilvaitlinux: that's just the linux user running the service21:35
itlinuxahh ok tdasilva: I am using OOO21:36
tdasilvanot to be confused with a user of the cluster21:36
itlinuxso trying to do quota on that..21:36
notmynametdasilva: I did once in a blog post somewhere. not sure if that's in the admin guide in our docs or anything21:36
tdasilvazaitcev, notmyname: just wondering if it's worth doing all the dance in the PUT+POST to support any order of upgrade21:38
itlinuxyes notmyname: the user are configured with admin_tenant_name = %SERVICE_TENANT_NAME%21:38
tdasilvawhy can't we just say: you must upgrade backend services before upgrading proxy21:38
itlinuxand the admin is admin_user = %SERVICE_USER%21:38
notmynametdasilva: I'd be totally for putting the restriction on it21:39
zaitcevThe simple answer is that the dance is not all the, so looks like worth the effort.21:39
tdasilvazaitcev: not sure this https://etherpad.openstack.org/p/swift-put-post  is worth it21:40
notmynametdasilva: we've had upgrade guidance in the changelog for stuff like that before. I think it makes sense to do it again21:40
tdasilvazaitcev: anyway we spin it, it's just a hack to support people upgrading anyway they want21:41
zaitcevI think you still need the safety. The problem is, I don't remember what happens when new proxy is trying to put to old object. I think it just creates a broken object that auditor later quarantines.21:46
zaitcevBut at one point I had them stuck and auditor would not take them.21:46
zaitcevSeeing at what our customers to do their clusters I really don't want to trust them with upgrade instructions. They can perform simple actions like "upgrade storage first, proxy next". Well, barely. But then they can easily find an old node that was forgotten.21:48
zaitcevbrb21:49
tdasilvazaitcev: i see your point, i'm just weighing your words on keeping user safe from inability to follow instructions with the need to add hacks to our code21:51
notmynametdasilva: zaitcev: scratch everything I said. we need to either order upgrades21:52
notmynameeg an all-in-one deployment model (PACO on each node, in a multi-node cluster) is relatively common. we need to ensure that upgrading one server doesn't break thinks when that upgraded proxy talks to the older object server21:52
* tdasilva nods21:56
notmynametdasilva: at some point, I'd love to unify the sample configs in etc/ and the saio ones in doc/saio/ (and ones in examples/ and ones proposed under tools/)21:57
tdasilvanotmyname: yeah, that would be nice! ....talking about that...21:59
tdasilvakota_: please remind me again what do we need to do to enable s3 testing in all our functional tests in the gate?21:59
tdasilvaremove swift3 support from devstack?22:00
*** itlinux has quit IRC22:05
*** itlinux has joined #openstack-swift22:10
timburkeÏyeah, iirc22:12
*** mikecmpbll has quit IRC22:28
*** geaaru has joined #openstack-swift22:34
zaitcevtdasilva, notmyname: At some point PUT+POST had a simple back-off mechanism that allowed a proxy to switch dynamically between new and old and that was not only any-order, but also zero-configuration upgrade. In the current patch, the operator is required to flip a setting once all nodes are upgraded. So, all this buys you is safety.22:43
notmynamethat's good (a flip to "on" when all servers are upgraded)22:43
zaitcevclayg made me take that automation out22:43
zaitcevOkay, if you say so, I don't mind.22:43
notmynameand that removes the need to worry about upgrade order22:43
zaitcevIt made it easier to test22:44
notmynamegood for clayg :-)22:44
timburkefwiw, i'd kinda like to still have the graceful degradation -- have a some config on the *object* server to say which protocol versions to accept22:48
timburkestill get the testability improvements (only need the one SHA to test v1-only and v2-only) and you get the seamless upgrade22:49
timburkei feel like 'a flip to "on" when all servers are upgraded' is only useful if lurking old servers can't read data written with the new stuff (so, situations like the disable_encryption option)22:51
timburkebut that shouldn't be an issue here...22:51
*** itlinux has quit IRC23:37
*** itlinux has joined #openstack-swift23:50
*** itlinux has quit IRC23:50
*** itlinux has joined #openstack-swift23:51
*** itlinux has quit IRC23:51
« Thursday, 2018-07-26 Index Saturday, 2018-07-28 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!