mattoliver | OK, new py2 compatible version seems quite simple.. no big deal. Just running tests again. Hopefully new patch set incoming. | 00:03 |
---|---|---|
opendevreview | Merged openstack/swift master: Comply with AWS signature calculation (s3v4) https://review.opendev.org/c/openstack/swift/+/833913 | 01:07 |
opendevreview | Matthew Oliver proposed openstack/swift master: tempurl: Deprecate sha1 signatures https://review.opendev.org/c/openstack/swift/+/525771 | 05:22 |
opendevreview | Matthew Oliver proposed openstack/swift master: formpost: deprecate sha1 signatures https://review.opendev.org/c/openstack/swift/+/833713 | 05:22 |
opendevreview | Matthew Oliver proposed openstack/python-swiftclient master: Add formpost subcommand to generate signature https://review.opendev.org/c/openstack/python-swiftclient/+/833954 | 06:25 |
opendevreview | Andre Aranha proposed openstack/swift master: Remove functools partial from digest https://review.opendev.org/c/openstack/swift/+/833983 | 10:28 |
opendevreview | Alistair Coles proposed openstack/swift master: sharder: fix and expand CleavingContext docstrings https://review.opendev.org/c/openstack/swift/+/833654 | 14:58 |
timburke | good morning | 15:38 |
opendevreview | Tim Burke proposed openstack/swift master: CHANGELOG for 2.29.1 https://review.opendev.org/c/openstack/swift/+/833718 | 19:46 |
opendevreview | Tim Burke proposed openstack/swift master: Stop partial()ing hashlib.new https://review.opendev.org/c/openstack/swift/+/834073 | 20:52 |
opendevreview | Tim Burke proposed openstack/swift master: Stop partial()ing hashlib.new https://review.opendev.org/c/openstack/swift/+/834073 | 20:53 |
timburke | almost meeting time! | 20:55 |
timburke | #startmeeting swift | 21:00 |
opendevmeet | Meeting started Wed Mar 16 21:00:12 2022 UTC and is due to finish in 60 minutes. The chair is timburke. Information about MeetBot at http://wiki.debian.org/MeetBot. | 21:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 21:00 |
opendevmeet | The meeting name has been set to 'swift' | 21:00 |
timburke | who's here for the swift meeting? | 21:00 |
acoles | o/ | 21:00 |
mattoliver | o/ | 21:01 |
timburke | as usual, the agenda's at https://wiki.openstack.org/wiki/Meetings/Swift | 21:02 |
timburke | first up | 21:02 |
timburke | #topic ptg | 21:02 |
timburke | i signed up for meeting times, though i haven't put them on the etherpad yet. will do that shortly | 21:03 |
timburke | all 1300-1700 UTC (sorry mattoliver, you can definitely bail early ;-) | 21:04 |
mattoliver | kk | 21:04 |
mattoliver | Will just try and be a night owl that week | 21:05 |
acoles | I feel bad for Matt | 21:05 |
timburke | speaking of the etherpad, thanks for adding topics! we should have a good bit to talk about :-) | 21:06 |
timburke | if you haven't already, please register (i realized late last week that i still hadn't) | 21:07 |
timburke | #link https://openinfra-ptg.eventbrite.com/ | 21:07 |
timburke | that's all i've got for the ptg | 21:08 |
timburke | #topic 2.29.1 release | 21:08 |
timburke | i still want to get one more release out, and i think my deadline's this week | 21:08 |
timburke | it's smaller than the last couple releases, but i think that | 21:09 |
timburke | 's a good thing :-) | 21:09 |
timburke | if you have a chance, please look over the changelog | 21:09 |
timburke | #link https://review.opendev.org/c/openstack/swift/+/833718 | 21:09 |
mattoliver | Not swift release related, but I did push up a patch yesterday to add formpost sig generation support to swiftclient. | 21:09 |
mattoliver | but I guess its too late to do another swiftclient release | 21:09 |
mattoliver | cause then we can wait a cycle and remove the formpost tool from swift (if we squeezed it in) | 21:10 |
timburke | yeah, unfortunately, the client deadline passed a bit ago | 21:10 |
mattoliver | oh well. next time then, I guess no rush | 21:10 |
timburke | the big reason i want one more server release is that top item: "This is the final stable branch that will support Python 2.7." | 21:11 |
timburke | want to make sure we're broadcasting that loud and clear :-) | 21:11 |
mattoliver | yeah +1, thats important. | 21:11 |
timburke | next up | 21:12 |
timburke | #topic drop py2 from swiftclient | 21:12 |
timburke | are there any objections to getting moving on that, like, *now*? | 21:12 |
timburke | there's a change i wanted to approve, but it touches requirements, and we've got a py2-only requirement that's keeping the requirements-check job from passing | 21:13 |
acoles | timburke: did you want to get the SHA1 deprecation in this release https://review.opendev.org/c/openstack/swift/+/525771 ? | 21:13 |
timburke | *shrug* either way. it's sat around *this* long... | 21:14 |
acoles | maybe the swiftclient side needs fixing first anyway | 21:14 |
acoles | so, yeah, defer | 21:14 |
timburke | good point | 21:14 |
timburke | since we've already got the stable/yoga branch cut for swiftclient, it seems like dropping py2 ought to be ok | 21:16 |
timburke | well, i'm not hearing any objections, anyway ;-) | 21:18 |
timburke | #topic safer WSGI server reloads | 21:18 |
timburke | i was playing with our SIGUSR1 handling, and generally, it's pretty great: server reloads, and clients never notice | 21:19 |
timburke | sometimes, though, it all goes terribly: server re-exec's, then immediately dies, and client traffic stops | 21:19 |
acoles | :( | 21:20 |
timburke | this can happen if, say, you accidentally write out a config that's invalid. or if you're trying to switch between py2 and py3, but not all your proxy middlewares are installed for py3 | 21:20 |
timburke | so i put together a couple changes | 21:21 |
timburke | #link https://review.opendev.org/c/openstack/swift/+/833124 | 21:21 |
timburke | adds a --check-config option to all the WSGI servers -- they'll go through all the normal set-up stuff right up to the point of opening sockets | 21:22 |
mattoliver | oh nice | 21:23 |
timburke | with that, you can verify the config before sending the reload signal | 21:23 |
timburke | if you want to use it in a systemd unit, though, the ExecReload gets a little hairy | 21:23 |
timburke | #link https://review.opendev.org/c/openstack/swift/+/833174 | 21:23 |
timburke | tries to make that a good bit better by introducing a new swift-reload command | 21:24 |
timburke | it'll handle the config check, sending the signal, and waiting for the reload to complete | 21:24 |
timburke | so by the time it terminates, the clients should only be able to connect to servers running the new config | 21:25 |
timburke | that second one still needs a boatload of tests, though | 21:26 |
mattoliver | what happens is the config is wrong, errors and leaves the old servers still running? | 21:26 |
timburke | yup -- swift-reload exits non-zero and doesn't send any signal | 21:26 |
mattoliver | assumed so, but just wanted to confirm :) | 21:27 |
mattoliver | this is really cool! | 21:27 |
timburke | next cool thing for me to hack on would be making more use of the systemd notify socket :-) | 21:28 |
timburke | that's all i've got | 21:28 |
timburke | #topic open discussion | 21:28 |
timburke | what else should we talk about this week? | 21:28 |
mattoliver | I dont have too much, I dumped it all into the PTG etherpad :P | 21:29 |
mattoliver | I made a follow up sha1 deprecation of formpost | 21:30 |
mattoliver | but to make it work I had to give formpost some extra love too. Can't deprecate sha1 when it only supported sha1 :P | 21:30 |
mattoliver | Which is what snowballed into creating a swiftclient subcommand for formpost | 21:30 |
mattoliver | #link https://review.opendev.org/c/openstack/swift/+/833713 | 21:31 |
timburke | thanks for all that :-) i had this feeling like there might be some scope creep | 21:31 |
mattoliver | #link https://review.opendev.org/c/openstack/python-swiftclient/+/833954 | 21:31 |
mattoliver | The first deprecates sha1, but for the moment still allows it (don't have to specify in config) but if you do you'll get deprecation warnings in log. So slightly different then tempurls. | 21:33 |
mattoliver | Anyway, just a heads up. | 21:36 |
timburke | how do we feel about the approach i took for tempurl? should i continue to allow sha1 by default but log a warning? i think i'd considered it, but backed off when i thought about how it would encourage ops to explicitly set the allowed_digests (to quiet the warning) which might cause pain later if we ever wanted to drop sha256, say | 21:36 |
mattoliver | I think for tempurl it's ok. we've supported other digests for ages, so they have to opt in. | 21:37 |
timburke | it seemed like "more secure by default" was fairly defensible stance to take -- but in the extreme, like we'd have for formpost, i'm not sure it holds up | 21:37 |
mattoliver | formpost they haven't had a chance yet, so wanted to make sure it's still all ok. although I did change the default to sha512, so lazy people will migrate by default ;) | 21:38 |
timburke | mattoliver, still a question of how long *clients* have supported sha256 tempruls, though :-/ | 21:38 |
timburke | well, as long as we're planning on both these things moving forward in the next cycle, i suppose we could wait to hash it out until the PTG :P | 21:40 |
mattoliver | true :) | 21:40 |
timburke | all right, i'm'a call it and let acoles get to bed :-) | 21:41 |
mattoliver | kk :) | 21:41 |
timburke | thank you for coming, and thank you for working on swift! | 21:41 |
timburke | #endmeeting | 21:42 |
opendevmeet | Meeting ended Wed Mar 16 21:42:03 2022 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 21:42 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/swift/2022/swift.2022-03-16-21.00.html | 21:42 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/swift/2022/swift.2022-03-16-21.00.txt | 21:42 |
opendevmeet | Log: https://meetings.opendev.org/meetings/swift/2022/swift.2022-03-16-21.00.log.html | 21:42 |
acoles | the tempurl deprecation process warrants some more thought | 21:42 |
acoles | at PTG if not before | 21:42 |
acoles | I mean, the deprecation of SHA1 | 21:42 |
acoles | g'night! | 21:43 |
mattoliver | In formpost I defaulted to SUPPORTED_DIGESTS in for allowed_digests rather then DEFAULT_ALLOWED_DIGESTS. So sha1 is still allowed but gets logged in deprecation warnings. And figured I could change this to DEFAULT_ALLOWED_DIGESTS when I wanted to pull the deprecation trigger. | 21:45 |
mattoliver | night Al! | 21:45 |
timburke | mattoliver, speaking of formpost -- what do you think about https://review.opendev.org/c/openstack/swift/+/701498 ? | 21:49 |
mattoliver | Oh nice! Sorry never saw that. Yeah that makes sense. Would make it more useful. I wonder when it comes to the swiftclient sub module, if we could add the swift endpoint host name to the form, rather then telling people they need to add it... although we avoid auth check, so only if the endpoint is on hand? | 21:55 |
opendevreview | Tim Burke proposed openstack/python-swiftclient master: Drop support for Python 2 https://review.opendev.org/c/openstack/python-swiftclient/+/829682 | 22:09 |
mattoliver | oh exciting. That's one project down :) | 22:23 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!