Wednesday, 2022-03-16

mattoliverOK, new py2 compatible version seems quite simple.. no big deal. Just running tests again. Hopefully new patch set incoming. 00:03
opendevreviewMerged openstack/swift master: Comply with AWS signature calculation (s3v4)  https://review.opendev.org/c/openstack/swift/+/83391301:07
opendevreviewMatthew Oliver proposed openstack/swift master: tempurl: Deprecate sha1 signatures  https://review.opendev.org/c/openstack/swift/+/52577105:22
opendevreviewMatthew Oliver proposed openstack/swift master: formpost: deprecate sha1 signatures  https://review.opendev.org/c/openstack/swift/+/83371305:22
opendevreviewMatthew Oliver proposed openstack/python-swiftclient master: Add formpost subcommand to generate signature  https://review.opendev.org/c/openstack/python-swiftclient/+/83395406:25
opendevreviewAndre Aranha proposed openstack/swift master: Remove functools partial from digest  https://review.opendev.org/c/openstack/swift/+/83398310:28
opendevreviewAlistair Coles proposed openstack/swift master: sharder: fix and expand CleavingContext docstrings  https://review.opendev.org/c/openstack/swift/+/83365414:58
timburkegood morning15:38
opendevreviewTim Burke proposed openstack/swift master: CHANGELOG for 2.29.1  https://review.opendev.org/c/openstack/swift/+/83371819:46
opendevreviewTim Burke proposed openstack/swift master: Stop partial()ing hashlib.new  https://review.opendev.org/c/openstack/swift/+/83407320:52
opendevreviewTim Burke proposed openstack/swift master: Stop partial()ing hashlib.new  https://review.opendev.org/c/openstack/swift/+/83407320:53
timburkealmost meeting time!20:55
timburke#startmeeting swift21:00
opendevmeetMeeting started Wed Mar 16 21:00:12 2022 UTC and is due to finish in 60 minutes.  The chair is timburke. Information about MeetBot at http://wiki.debian.org/MeetBot.21:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.21:00
opendevmeetThe meeting name has been set to 'swift'21:00
timburkewho's here for the swift meeting?21:00
acoleso/21:00
mattolivero/21:01
timburkeas usual, the agenda's at https://wiki.openstack.org/wiki/Meetings/Swift21:02
timburkefirst up21:02
timburke#topic ptg21:02
timburkei signed up for meeting times, though i haven't put them on the etherpad yet. will do that shortly21:03
timburkeall 1300-1700 UTC (sorry mattoliver, you can definitely bail early ;-)21:04
mattoliverkk21:04
mattoliverWill just try and be a night owl that week21:05
acolesI feel bad for Matt21:05
timburkespeaking of the etherpad, thanks for adding topics! we should have a good bit to talk about :-)21:06
timburkeif you haven't already, please register (i realized late last week that i still hadn't)21:07
timburke#link https://openinfra-ptg.eventbrite.com/21:07
timburkethat's all i've got for the ptg21:08
timburke#topic 2.29.1 release21:08
timburkei still want to get one more release out, and i think my deadline's this week21:08
timburkeit's smaller than the last couple releases, but i think that21:09
timburke's a good thing :-)21:09
timburkeif you have a chance, please look over the changelog21:09
timburke#link https://review.opendev.org/c/openstack/swift/+/83371821:09
mattoliverNot swift release related, but I did push up a patch yesterday to add formpost sig generation support to swiftclient. 21:09
mattoliverbut I guess its too late to do another swiftclient release21:09
mattolivercause then we can wait a cycle and remove the formpost tool from swift (if we squeezed it in)21:10
timburkeyeah, unfortunately, the client deadline passed a bit ago21:10
mattoliveroh well. next time then, I guess no rush21:10
timburkethe big reason i want one more server release is that top item: "This is the final stable branch that will support Python 2.7."21:11
timburkewant to make sure we're broadcasting that loud and clear :-)21:11
mattoliveryeah +1, thats important. 21:11
timburkenext up21:12
timburke#topic drop py2 from swiftclient21:12
timburkeare there any objections to getting moving on that, like, *now*?21:12
timburkethere's a change i wanted to approve, but it touches requirements, and we've got a py2-only requirement that's keeping the requirements-check job from passing21:13
acolestimburke: did you want to get the SHA1 deprecation in this release https://review.opendev.org/c/openstack/swift/+/525771 ?21:13
timburke*shrug* either way. it's sat around *this* long...21:14
acolesmaybe the swiftclient side needs fixing first anyway21:14
acolesso, yeah, defer21:14
timburkegood point21:14
timburkesince we've already got the stable/yoga branch cut for swiftclient, it seems like dropping py2 ought to be ok21:16
timburkewell, i'm not hearing any objections, anyway ;-)21:18
timburke#topic safer WSGI server reloads21:18
timburkei was playing with our SIGUSR1 handling, and generally, it's pretty great: server reloads, and clients never notice21:19
timburkesometimes, though, it all goes terribly: server re-exec's, then immediately dies, and client traffic stops21:19
acoles:(21:20
timburkethis can happen if, say, you accidentally write out a config that's invalid. or if you're trying to switch between py2 and py3, but not all your proxy middlewares are installed for py321:20
timburkeso i put together a couple changes21:21
timburke#link https://review.opendev.org/c/openstack/swift/+/83312421:21
timburkeadds a --check-config option to all the WSGI servers -- they'll go through all the normal set-up stuff right up to the point of opening sockets21:22
mattoliveroh nice21:23
timburkewith that, you can verify the config before sending the reload signal21:23
timburkeif you want to use it in a systemd unit, though, the ExecReload gets a little hairy21:23
timburke#link https://review.opendev.org/c/openstack/swift/+/83317421:23
timburketries to make that a good bit better by introducing a new swift-reload command21:24
timburkeit'll handle the config check, sending the signal, and waiting for the reload to complete21:24
timburkeso by the time it terminates, the clients should only be able to connect to servers running the new config21:25
timburkethat second one still needs a boatload of tests, though21:26
mattoliverwhat happens is the config is wrong, errors and leaves the old servers still running?21:26
timburkeyup -- swift-reload exits non-zero and doesn't send any signal21:26
mattoliverassumed so, but just wanted to confirm :) 21:27
mattoliverthis is really cool! 21:27
timburkenext cool thing for me to hack on would be making more use of the systemd notify socket :-)21:28
timburkethat's all i've got21:28
timburke#topic open discussion21:28
timburkewhat else should we talk about this week?21:28
mattoliverI dont have too much, I dumped it all into the PTG etherpad :P 21:29
mattoliverI made a follow up sha1 deprecation of formpost21:30
mattoliverbut to make it work I had to give formpost some extra love too. Can't deprecate sha1 when it only supported sha1 :P21:30
mattoliverWhich is what snowballed into creating a swiftclient subcommand for formpost21:30
mattoliver#link https://review.opendev.org/c/openstack/swift/+/83371321:31
timburkethanks for all that :-) i had this feeling like there might be some scope creep21:31
mattoliver#link https://review.opendev.org/c/openstack/python-swiftclient/+/83395421:31
mattoliverThe first deprecates sha1, but for the moment still allows it (don't have to specify in config) but if you do you'll get deprecation warnings in log. So slightly different then tempurls.21:33
mattoliverAnyway, just a heads up. 21:36
timburkehow do we feel about the approach i took for tempurl? should i continue to allow sha1 by default but log a warning? i think i'd considered it, but backed off when i thought about how it would encourage ops to explicitly set the allowed_digests (to quiet the warning) which might cause pain later if we ever wanted to drop sha256, say21:36
mattoliverI think for tempurl it's ok. we've supported other digests for ages, so they have to opt in.21:37
timburkeit seemed like "more secure by default" was fairly defensible stance to take -- but in the extreme, like we'd have for formpost, i'm not sure it holds up21:37
mattoliverformpost they haven't had a chance yet, so wanted to make sure it's still all ok. although I did change the default to sha512, so lazy people will migrate by default ;)21:38
timburkemattoliver, still a question of how long *clients* have supported sha256 tempruls, though :-/21:38
timburkewell, as long as we're planning on both these things moving forward in the next cycle, i suppose we could wait to hash it out until the PTG :P21:40
mattolivertrue :) 21:40
timburkeall right, i'm'a call it and let acoles get to bed :-)21:41
mattoliverkk :)21:41
timburkethank you for coming, and thank you for working on swift!21:41
timburke#endmeeting21:42
opendevmeetMeeting ended Wed Mar 16 21:42:03 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)21:42
opendevmeetMinutes:        https://meetings.opendev.org/meetings/swift/2022/swift.2022-03-16-21.00.html21:42
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/swift/2022/swift.2022-03-16-21.00.txt21:42
opendevmeetLog:            https://meetings.opendev.org/meetings/swift/2022/swift.2022-03-16-21.00.log.html21:42
acolesthe tempurl deprecation process warrants some more thought21:42
acolesat PTG if not before21:42
acolesI mean, the  deprecation of SHA121:42
acolesg'night!21:43
mattoliverIn formpost I defaulted to SUPPORTED_DIGESTS in for allowed_digests rather then DEFAULT_ALLOWED_DIGESTS. So sha1 is still allowed but gets logged in deprecation warnings. And figured I could change this to DEFAULT_ALLOWED_DIGESTS when I wanted to pull the deprecation trigger.21:45
mattolivernight Al!21:45
timburkemattoliver, speaking of formpost -- what do you think about https://review.opendev.org/c/openstack/swift/+/701498 ?21:49
mattoliverOh nice! Sorry never saw that. Yeah that makes sense. Would make it more useful. I wonder when it comes to the swiftclient sub module, if we could add the swift endpoint host name to the form, rather then telling people they need to add it... although we avoid auth check, so only if the endpoint is on hand? 21:55
opendevreviewTim Burke proposed openstack/python-swiftclient master: Drop support for Python 2  https://review.opendev.org/c/openstack/python-swiftclient/+/82968222:09
mattoliveroh exciting. That's one project down :) 22:23

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!