Friday, 2011-04-01

[02:17] <HugoKuo> excuse me, how to update python-eventlet on ubuntu maverick?
[02:18] <HugoKuo> I check the python-eventlet version in my host is 0.9.12
[02:21] <uvirtbot> New bug: #746909 in nova "Cannot ping or ssh instance when network manager is FlatManager" [Undecided,New] https://launchpad.net/bugs/746909
[02:56] <uvirtbot> New bug: #746922 in nova "DescribeAddresses returns all Floating IPs regardless of AllocateAddress" [Undecided,New] https://launchpad.net/bugs/746922
[03:07] <winston-d> HugoKuo: on RHEL, i use easy_install to install/update python packages.
[03:22] <HugoKuo> ok thanks~
[03:22] <HugoKuo> btw, which boto version should be installed in nova?
[03:23] <HugoKuo> bcz I failed to upload image to objectstore ...
[03:23] <HugoKuo> I remember that I face this problem before
[03:52] <HugoKuo> should I install python-boto 2.0?
[06:33] <zykes-> soren: do you know if there's a newer libvirt package in ubuntu?
[06:47] <ttx> zykes-: if you define "newer", I should be able to answer that
[06:51] <zykes-> ttx: 0.8.6+
[06:56] <ttx> zykes-: Natty has 0.8.8
[06:57] <zykes-> ttx: that's a bit "too" new
[06:58] <zykes-> don't want to have to upgrade from lts
[06:58] <ttx> zykes-: our openstack PPA has a backported 0.8.8 for LTS
[06:59] <ttx> https://launchpad.net/~nova-core/+archive/trunk?field.series_filter=lucid
[06:59] <zykes-> oh
[06:59] <zykes-> nice!
[07:01] <ttx> zykes-: our PPA basically has everything required to run nova on 10.04 LTS, including the necessary library upgrades
[07:01] <ttx> and we are striving to make sure Natty can run Nova without any PPA addition.
[07:08] <zykes-> ah
[07:08] <zykes-> natty is 11.04?
[07:09] <ttx> will be, yes.
[07:10] <zykes-> would it be hard to rebuild a package of virt-manager as well?
[07:11] <ttx> zykes-: maybe... depends on the number of deps to also upgrade.
[07:31] <soren> zykes-: Newer than what?
[07:33] <HugoKuo> https://answers.launchpad.net/nova-deployment-tool/+question/151261 :\ bzr930 any clue?
[07:35] <soren> I'm not sure anyone should be using that deployment tool.
[07:35] <soren> it doesn't seem to have been touched in months.
[07:36] <zykes-> soren: 0.8.8
[07:36] <zykes-> was ok : )
[07:36] <zykes-> soren: would it be possible to bp virt-manager?
[07:36] <soren> zykes-: Why?
[07:36] <zykes-> 0.8.6 has more options for newer libvirt than 0.8.4
[07:37] <soren> Nova's PPA is not a general purpose backport repository for virtualisation stuff.
[07:37] <zykes-> i know
[07:37] <soren> ok...
[07:37] <soren> You shouldn't be using virt-manager to deal with Nova's virtual machines.
[07:37] <zykes-> i'm not, it was more of a general question
[07:38] <soren> Err..
[07:38] <soren> Well, of course it's possible to backport virt-manager.
[07:38] <soren> You can backport anything.
[07:38] <soren> *anything*
[07:38] <zykes-> ;)
[07:48] <HugoKuo> alright :<
[07:48] <HugoKuo> forget about deployment tool :\
[08:46] <HugoKuo> Manually install nova and test to upload image again
[08:46] <HugoKuo> still failed
[08:59] <onlany> HugoKuo, what is ur error message?
[09:01] <HugoKuo> Traceback (most recent call last):
[09:01] <HugoKuo>   File "/usr/bin/euca-upload-bundle", line 39, in <module>
[09:01] <HugoKuo>     from boto.s3 import Connection
[09:01] <HugoKuo> ImportError: cannot import name Connection
[09:01] <HugoKuo> https://answers.launchpad.net/nova/+question/151261
[09:05] <onlany> HugoKuo: https://bugs.launchpad.net/nova/+bug/623888
[09:05] <uvirtbot> Launchpad bug 623888 in nova "euca-upload-bundle -b mybucket -m /tmp/vmlinuz-2.6.32-23-server.manifest.xml" [Undecided,Invalid]
[09:08] <HugoKuo> but in boto1.9b is already installed
[09:09] <HugoKuo> while I try to use Bexar would not have this problem.....it happens while I use trunk:bzr930
[09:09] <onlany> tried upload manually?
[09:09] <onlany> http://wiki.openstack.org/RunningNova/ManualImageRegistration
[09:32] <HugoKuo> okok
[09:32] <HugoKuo> I'm restore all my host now, make it clear
[09:40] <HugoKuo> whatever, I guess it'll failed even upload manually
[09:40] <HugoKuo> let me try it
[10:29] <naehring> Hi there! I've got a question regarding the flag "injected_network_template" in libvirt_conn.py. How do I define another destination file in the image? Is there an existing flag?
[10:50] <naehring> ls
[10:52] <zigo-_-> no such file or directory
[10:52] <zigo-_-> :)
[10:54] <zigo-_-> Is someone available to help me writing short man pages descriptions for swift binaries?
[10:55] <zigo-_-> Please, do not reply all at the same time, stop flooding ...
[11:45] <soren> naehring: I'd strongly advise to ignore it. Use dhcp to configure networking.
[11:48] <naehring> soren: this is not possible for the case. I would like to use dhcp, but in this evaluation the need the injection. I've enhanced it to support the destination os for me now. I know, that dhcp is really the better solution :(
[11:55] <alekibango> zigo-_-: i can help editing a bit. but i do not know that much about swift.
[11:56] <alekibango> but as i would love to learn more, this might be good intro :)
[12:00] <jaypipes> *yawn*
[12:07] <niksnut> anybody know if it's possible to access nova-api via IPv6? it only seems to listen for IPv4 TCP connections here
[12:17] <garet_> hello, i am discovering openstack and I am wondering if it is suitable to my needs
[12:17] <garet_> I have hypervisors with vsphere and citrix xenserver (and soon kvm boxes)
[12:19] <zigo-_-> garet_: What do you wanna know/do?
[12:19] <garet_> and I want to be able to easily deploy virtual machines to these machines based on what they do (means if I have an oracle db server, I want it on VMWare), if a user wants a production vm, put it on xenserver and if I want development machines, I want it on kvm
[12:19] <garet_> will openstack be able to help me administer that seamlessly?
[12:20] <zigo-_-> I don't think openstack does VMWare just yet.
[12:20] <zigo-_-> It won't really be helpful to have things automated for new customers.
[12:20] <garet_> zigo: i've read it's in cactus roadmap
[12:21] <zigo-_-> Maybe, I'm not familiar enough with it yet ... :)
[12:23] <soren> OpenStack has support for VMWare vSphere.
[12:23] <garet_> in fact I don't find anywhere a clear definition of what is a compute node
[12:23] <garet_> does that stand for an hypervisor?
[12:24] <soren> Compute nodes are the nodes that actually run virtual machines.
[12:25] <zigo-_-> soren: Hi there! Did you get my email?
[12:25] <alekibango> zigo-_-: btw... getting public version of your code: bzr branch lp:~thomas-goirand/nova/debian
[12:26] <zigo-_-> alekibango: Hello! :)
[12:26] <zigo-_-> I'm working on swift now.
[12:26] <zigo-_-> Doing stub man pages.
[12:26] <alekibango> do you have some repo with it?
[12:26] <zigo-_-> alekibango: Do you know enough to give me short descriptions of each binaries?
[12:26] <alekibango> i would try helping
[12:26] <zigo-_-> Cool!
[12:26] <alekibango> not yet... but i will try
[12:26] <zigo-_-> Not yet.
[12:27] <zigo-_-> Let me finish what I'm doing right now...
[12:27] <alekibango> k
[12:27] <garet_> and can one define "per usage" distribution of virtual machines to classes of compute nodes (i.e. vmware boxes, kvm boxes)?
[12:27] <zigo-_-> What's the bzr command to do a mv of a file? I tried and it complained ...
[12:27] <alekibango> i will need to go downtown for hour or 2... so when i will be back, i will msg you
[12:27] <zigo-_->  bzr mv swift/swift-init.8 python-swift/
[12:27] <zigo-_-> bzr: ERROR: Could not move to python-swift: debian/mans/python-swift is not versioned.
[12:28] <soren> zigo-_-: Um... When?
[12:28] <zigo-_-> What's that?
[12:28] <zigo-_-> How to fix?
[12:28] <alekibango> zigo-_-: add mans first?
[12:28] <soren> zigo-_-: No, the e-mail.
[12:28] <zigo-_-> soren: yesterday.
[12:28] <alekibango> not sure... i am not using bzr much :)
[12:28] <zigo-_-> soren: Basically, I was saying that my debian init scripts were ready!
[12:29] <soren> zigo-_-: I still don't see it.
[12:29] <soren> What was the subject?
[12:29] <zigo-_-> "My latest push"
[12:30] <soren> zigo-_-: Heh.. Gmail thinks it was spam.
[12:30] <zigo-_-> Google is 3v1l (tm), don't use their service.
[12:30] <zigo-_-> :)
[12:31] <deepy> With a subject like that, I'd say you deserved it :P
[12:31] <zigo-_-> I got stuck 30 seconds thinking about a subject...
[12:31] <zigo-_-> :)
[12:31] <sandywalsh> amazon open sourcing EC2 fully: http://tinyurl.com/3s6zlb5
[12:31] <alekibango> 3v1 ??
[12:31] <alekibango> ah... evil :)
[12:32] <alekibango> yes they are having fun being efil
[12:32] <deepy> Nice one sandywalsh
[12:32] <alekibango> sandywalsh: wow
[12:32] <rcc> wtf
[12:32] <alekibango> thats great news...
[12:32] <rcc> that's awesome
[12:32] <alekibango> :)
[12:33] <rcc> :D
[12:34] <deepy> nova.sh completely failed for me
[12:34] <deepy> http://paste.openstack.org/show/1050/ - that's my log
[12:45] <zigo-_-> That's an april fool.
[12:45] <zigo-_-> I won't ever believe any news I see today.
[12:45] <zigo-_-> Oh, I knew without watching the URL content! :)
[12:50] <alekibango> :)
[12:50] <zigo-_-> Did you see www.debian.org, www.gentoo.org and so on? :)
[12:51] <alekibango> wow
[12:52] <zigo-_-> Another 04-fool ...
[12:52] <alekibango> i do not like this one
[12:53] <zigo-_-> I don't either. Because it's quite truth that we are uselessly spreading efforts.
[12:53] <alekibango> its not debian who is spreading efforts imho :)
[12:53] <zigo-_-> :)
[12:55] <zigo-_-> alekibango: Can you explain shortly what's the principles of Swift?
[12:55] <zigo-_-> Why does it has so many services?
[12:56] <alekibango> it stores users, containers, blobs...
[12:56] <zigo-_-> Because it's one per functionality, and orders come from the message queue???
[12:57] <alekibango> zigo-_-: you should wait hour or 2 for americans.. they will help
[12:57] <uvirtbot> New bug: #746731 in nova "xenstore.py xapi plugin uses potentially insecure shell=True" [Medium,Confirmed] https://launchpad.net/bugs/746731
[12:58] <zigo-_-> Ok.
[12:58] <alekibango> lol i see my image in swift manual :)
[12:58] <alekibango> i thought it will be used for nova...
[12:58] <alekibango> zigo-_-: so maybe i know about swift more than i know... :)
[13:17] <alekibango> zigo-_-: why i do not like debian.org joke: it sounds like sort of collectivism for me... -- Try imagine people in EU, Russia and China uniting against common enemy - USA... Or people united in one state controlled church over whole earth....
[13:17] <alekibango> i rather sacrifice unity than truth and freedom.
[13:18] <pvo> this topic is too deep for an early friday morning. :)
[13:18] <alekibango> sorry pvo :)
[13:20] <alekibango> i heard this argument about unity abused horrible ways many times already
[13:23] <zigo-_-> pvo: Hi!
[13:26] <pvo> hey zigo-_-
[13:36] <annegentle> alekibango: really? Which swift manual, which image? I created one using the same clipart as yours. :)
[13:38] <alekibango> annegentle: maybe you are right, but they look sooo similar :)
[13:39] <alekibango> i am glad you liked those images
[13:40] <alekibango> annegentle: who could be best to ask for help with man pages of swift binaries?
[13:40] <zigo-_-> soren: Is it ok if I add stuffs so that swift-proxy package generates keys by itself in /etc/swift?
[13:40] <alekibango> you know. debian has really strong policies, all binaries should have manual pages
[13:41] <zigo-_-> I also believe that small descriptions won't hurt!
[13:41] <zigo-_-> I already did swift-init ...
[13:42] <zigo-_-> And also rewrote the init scripts of swift.
[13:42] <zigo-_-> What was before was a good intention, but it's not policy compliant.
[13:42] <zigo-_-> Init scripts really should be editable by the admin, and have start, stop, etc.
[13:43] <zigo-_-> They are conf files, so they will stay if the package is removed, and as a consequence should check if the binary that they call is present on the hdd.
[13:43] <zigo-_-> Maybe what I did could be simplified though...
[13:44] <zigo-_-> But lintian will whine...
[13:45] <annegentle> alekibango: ummm... someone was working on them but I'm not sure who, I'll ask around.
[13:45] <alekibango> thanks...
[13:46] <zigo-_-> cheers
[13:48] <alekibango> zigo-_-: i now go out, when i will be back (~2hours), i will help editing... prepare repository...
[13:48] <zigo-_-> Ok !
[13:48] <zigo-_-> I've just pushed ...
[13:48] <zigo-_-> bzr+ssh://bazaar.launchpad.net/~thomas-goirand/swift/debian/
[13:50] <alekibango> heh... its bzr branch lp:~thomas-goirand/swift/debian
[14:10] <zigo-_-> Yiaaaaaaaaaaa! swift is not lintian clean! :)
[14:18] <zigo-_-> s/not/now/
[14:23] <redbo> hrm.. I think you'll probably be sad to find how out of date that swift debian directory was before you forked.
[14:35] <BK_man> ping ping. Could anybody run tools/euca-get-ajax-console <instanceID> ?
[14:36] * BK_man merged euca2ools with Ubuntu package and still gets EC2Connection instance has no attribute 'get_ajax_console' error on euca2ools 1.3.1
[14:54] <redbo> mtaylor,soren: can someone sync the swift branches in openstack-ubuntu-packagers and/or whatever the buildd thing uses with what's in lp:swift/debian ?
[14:57] <uvirtbot> New bug: #747394 in nova "XenServer port needs to clear out vm-data/networking before issuing resetnetwork command" [Undecided,New] https://launchpad.net/bugs/747394
[14:58] <soren> redbo: Will do.
[14:59] <redbo> thanks
[15:00] <soren> BK_man: I just proposed a fix for that.
[15:00] <soren> BK_man: Well, "just" as in a couple of hours ago.
[15:01] <soren> redbo: Er...
[15:01] <BK_man> soren: what is bug#? or branch id?
[15:01] <soren> BK_man: lp:~soren/nova/support-newer-euca2ools
[15:02] <soren> BK_man: Forgot to file a bug :(
[15:03] <soren> redbo: I can't really merge them easily. They have no common ancestry.
[15:03] <soren> redbo: I wonder why you're still maintaining it?
[15:06] <redbo> soren: I don't know how it's supposed to work. We've just been making changes in there as we need them.
[15:06] <soren> redbo: But where are they used?
[15:06] <soren> redbo: Aren't you using the packages we build?
[15:07] <redbo> soren: Not for anything I know of. We don't really want to use the PPAs in production, and we use source install for dev?
[15:08] <gholt> Many of us have no idea how the packaging is supposed to work to be honest. Last we heard we were supposed to patch swift/debian
[15:08] <soren> How do you know that your changes to swift/debian work if you don't use them?
[15:08] * soren is rather confused
[15:08] <gholt> We don't really, other than a quick test
[15:08] <BK_man> soren: applied your patch - still don't working: http://paste.openstack.org/show/1054/
[15:09] <redbo> we do use those to build packages
[15:09] <soren> BK_man: Err, my bad.
[15:09] <redbo> soren: that's what we use to build our production packages currently
[15:11] <soren> Awesome. So Rackspace uses differently built packages on a different operating system.
[15:11] <redbo> that's why I was trying to get you to sync the other stuff up with ours :)
[15:11] <soren> *nod*
[15:12] <soren> You know that Jenkins stores the source packages so that you can build them yourself wherever you want, right?
[15:12] <soren> The ones that get uploaded to the PPA?
[15:13] <kbringard> I have a question about the glance update command
[15:13] <kbringard> if anyone has a moment to listen to me ramble
[15:13] <gholt> soren: Is there a reason we'd want to do that instead of just pulling down swift/debian and building?
[15:14] <redbo> soren: No, I don't really know anything about Jenkins. But like I said, we can't really use a PPA to deploy. I guess we could make a "what we have deployed" PPA.
[15:14] <soren> gholt: The result should be the same, except one is completely automatic, the other is manual (i.e. error prone).
[15:15] <soren> gholt: And, everyone would be testing the same stuff.
[15:15] <BK_man> soren: Jenkins should do basic testing from my point of view
[15:15] <soren> gholt: Well, that and swift/debian isn't what is used to build the ppa packages.
[15:15] <gholt> Didn't it used to be?
[15:15] <BK_man> soren
[15:15] <soren> gholt: This was months ago.
[15:16] <gholt> I can keep track, and I work on the project. :P
[15:16] <gholt> s/can/can't/
[15:16] <BK_man> soren: that's a thing what we currently going to implement for our RHEL build
[15:16] <gholt> Which is a lot of the reason why we don't rely on those packages.
[15:17] <gholt> I'm fine with others packaging the code, btw. We just need to help them maintain it.
[15:19] <soren> BK_man: I don't understand what you're saying.
[15:19] <BK_man> soren: nova trunk -> build packages (Ubuntu, RHEL, Debian, ...) -> test -> upload
[15:19] <soren> What is "test" here?
[15:20] <BK_man> soren: upload only occurs when tests are completed.
[15:20] <soren> BK_man: What tests?
[15:20] <BK_man> soren: we are working on that. Integration. Bring up env, start daemons, create project, upload image, run instance, etc
[15:21] <soren> Ok.
[15:21] <BK_man> soren: we'll be doing this for RHEL port.
[15:21] <BK_man> soren: could you please fix your euca-get-ajax-term branch?
[15:22] <soren> I did.
[15:22] <soren> 13 minutes ago.
[15:23] <BK_man> soren: got it. sorry for disturbing you
[15:23] <soren> np
[15:23] <BK_man> soren: is it working for you?
[15:23] <BK_man> UnknownError: An unknown error has occurred. Please try your request again.
[15:24] * BK_man going to debug this. No such file or directory :-(
[15:25] <soren> BK_man: Let me test it again.
[15:26] <BK_man> soren: something broken in my packaging (I actually trying to get this working on RHEL first time)
[15:26] <soren> BK_man: It works for me.
[15:36] <soren> redbo: Alright, they're reasonably up-to-date now.
[15:36] <soren> redbo: There are a few differences that I'm not sure how to reconcile.
[15:37] <soren> redbo: I'd like to decommission lp:swift/debian ASAP. I had no idea it was used anymore.
[15:37] <soren> redbo: We should all be testing the same stuff.
[15:37] <gholt> How are we supposed to make packaging work now? Like if I add or remove a new bin?
[15:38] <soren> Same thing, really, except instead of changing stuff in lp:swift/debian, you change it in the "real" packaging branch.
[15:38] <gholt> Which is......
[15:38] <soren> lp:~openstack-ubuntu-packagers/ubuntu/natty/swift/ubuntu/
[15:39] <soren> I do believe you have write access to that.
[15:39] <soren> Let me check.
[15:39] <RickB17> I'm attempting to use CloudFuse to mount a container in a Ubuntu 10.04.1 server. I am receiving an "Unable to Authenticate" error. Are there any utilities to use to verify my swift storage cloud is properly accepting request? It works fine on a windows box running CyberDuck.
[15:39] <RickB17> the above error is returned from the "cloudfuse" mount command
[15:39] <btorch> RickB17: can u authenticate on that ubuntu server using curl ?
[15:40] <soren> gholt: You didn't, but you do now.
[15:40] <gholt> soren: But natty isn't even released yet.
[15:40] <soren> gholt: So...
[15:40] <RickB17> i believe so. I receive a "HTTP/1.1 204 No Content" back
[15:40] <soren> gholt: That's exactly why we're developing against it?
[15:41] <redbo> We can probably build lucid packages from it.
[15:41] <gholt> I think you have a different goal than we do maybe.
[15:41] <btorch> RickB17: u getting the headers back ?  -i
[15:42] <soren> redbo: Err... Yes. Jenkins does that for you already!
[15:43] <soren> redbo: For every single commit to your trunk, Jenkins takes trunk, applies packaging for each of Lucid, Maverick and Natty, uploads source packages for each of them to a PPA, and builds binary packages.
[15:43] <redbo> I don't know anything about jenkins :) Maybe I'll learn, but right now building packages isn't that much of a headache.
[15:43] <RickB17> I see X-Storage-Token being returned along with a "X-Auth-Token:"
[15:43] <RickB17> sorry for my ignorance, i'm relatively new to swift.
[15:43] <ttx> redbo: it's *magic*
[15:43] <soren> redbo: It's not about whether it's a head ache. It's a chore. It can be automated. As such, it should.
[15:44] <gholt> soren: There's a swift-debian in jenkins that you'll probably want to kill too if you kill swift/debian
[15:44] <btorch> RickB17: no worries, cool .. let me test it on my saio
[15:44] <soren> gholt: I will.
[15:44] * soren makes a note
[15:45] <RickB17> btorch: i have three nodes, one auth, one proxy, one storage. the storage node has 3 zones (each a different drive)
[15:45] * soren cooks dinner
[15:45] * BK_man discovered problem s/netcat/nc/
[15:45] <redbo> I guess I could pull .debs from the continuous PPA, but sometimes we need things that there's no PPA for.
[15:45] <craniumslows> Open stack dudes are about to talk here at the pre txlf dealio
[15:46] <redbo> It's considerably easier just to cut our own packages, I think.
[15:47] <deepy> http://paste.openstack.org/show/1050/ - anyone know how I can repair that?
[15:48] <redbo> ttx: it's not magic enough :)
[15:48] <kbringard> deepy: did you run nova-manage db sync?
[15:50] <kbringard> it looks like your db isn't getting created or you don't have write access to it
[15:50] <gholt> redbo: Where does it even put these packages? I clicked a crapload but haven't found anything but some tarballs here and there.
[15:51] <redbo> gholt: iunno.
[15:53] <gholt> redbo: Lol. I wish things that weren't really broken would quit getting fixed.
[15:54] <gholt> I'm sure I'm missing the big picture though, just speaking for myself.
[15:59] <gholt> soren: I'm still trying to figure out what's what. There's an lp:ubuntu/swift that it looks like you just updated, but I don't have access to commit to. And there's :~openstack-ubuntu-packagers/ubuntu/natty/swift/ubuntu which I do have access to, but doesn't have the update you just did.
[16:03] <redbo> gholt: it's just a priority mismatch.
[16:06] <deepy> kbringard: yes, http://paste.openstack.org/show/1055/
[16:06] <deepy> stupid breadcrumbs, rolling in under the enter key and making me unable to type
[16:07] <craniumslows> How hard is it to dig into django? I gotten change that front end up
[16:11] <btorch> RickB17: sorry got pulled into a conversation ... installing it now and testing it soon
[16:14] <RickB17> btorch: Thanks, np. Take your time.
[16:15] <btorch> RickB17: it worked for me
[16:15] <btorch> RickB17: http://paste.openstack.org/show/1056/
[16:16] <RickB17> btorch: thanks, let me check my syntax.
[16:16] <btorch> RickB17: don't remember but what error you were getting ? what version of swift ?
[16:16] <RickB17> "Unable to Authenticate" is my error
[16:16] <btorch> RickB17: I'm using swift 1.2.0 and maverick
[16:17] <btorch> RickB17: you provided a good authurl ?
[16:18] <RickB17> btorch: Confirming that now.
[16:19] <RickB17> btorch: authurl=https://proxyaddress:8080/auth/v1.0  same results
[16:20] <RickB17> btorch: tried it with dns name at first, changed to IP address, same results.
[16:21] <RickB17> btorch: I followed http://swift.openstack.org/howto_installmultinode.html for setting it up.
[16:21] <btorch> RickB17: are you using devauth ?
[16:22] <RickB17> btorch: I'm not entirely sure. That may be the issue.
*** MarcMorata has quit IRC16:25
*** MarcMorata has joined #openstack16:26
*** byeager has joined #openstack16:26
kbringarddeepy: that's odd, I'm not really sure :-/16:27
kbringardare you running the latest code?16:28
RickB17btorch:  I believe I am using devauth since in my proxy-server.conf i have auth and now swauth in the pipeline.16:28
RickB17*now = not16:28
btorchRickB17: you said you have an auth box right ? you should be pointing your authurl to the auth box address and not the proxyaddress as you mentioned above16:29
btorchRickB17: can you paste your auth config files on paste.openstack.org for me16:29
RickB17btorch:  k, i'll retry that.  Thats what I originally had, but i changed it when i seen your example.16:29
RickB17btorch:  sure thing16:29
*** dprince has quit IRC16:30
deepykbringard: I used nova.sh16:30
deepySo I am hoping that I run a new version16:31
kbringardhmm, probably, I don't know much about the nova.sh script16:31
kbringardwhat OS?16:31
deepyDebian16:31
btorchRickB17: http://paste.openstack.org/show/1057/16:32
kbringardwhich repos are you using? I've never tried running openstack on plain debian, but I know they tend to be pretty far behind in their versions (with security patches slipstreamed in)16:33
deepyEntirely possible16:34
kbringardI don't know how much leeway you have, but personally I've found that Ubuntu is the easiest to get openstack up and running on16:35
deepyI don't like Ubuntu at all and I avoid it16:35
kbringardif you just want to test it out and have a ubuntu machine, that's probably the best way to go16:35
*** MarcMorata has quit IRC16:35
*** gondoi has quit IRC16:36
kbringardyea, we're a redhat shop here... but I bit the bullet and build a ubuntu machine because I was pulling all of my hair out16:36
*** jtran has joined #openstack16:36
deepyI don't like how the VMs are all 64bit16:36
deepythe pre-built ones16:36
kbringardyou can get 32-bit ones... but they're ubuntu :-p16:36
RickB17btorch:  I added to your paste16:36
deepyboth ones on the website were 64bit16:37
kbringardif your machine is just for breaking with openstack, I'd try enabling the experimental repos16:37
kbringardthat way you'll be getting the more cutting edge packages in debian16:37
jtranhow do i go about submitting a unit test ?  Do I submit a bug as wishlist?16:37
jarrodwhat format does openstack take xen snapshots in?16:37
*** kirshil has quit IRC16:37
deepyCould you point to one of those 32bit Ubuntu VMs?16:38
kbringardhttp://uec-images.ubuntu.com/maverick/current/maverick-server-uec-i386.tar.gz16:38
kbringardhttp://uec-images.ubuntu.com/16:39
kbringardif you go there, you can choose your release16:39
deepyThat looks more Ubuntu than Nova16:39
kbringardthen click current and scroll down16:39
RickB17dtorch: http://paste.openstack.org/show/1059/      auth-server.conf output16:39
kbringarddeepy: oh, perhaps I was confused, I thought you were looking for images to import into nova16:39
kbringardsorry16:39
deepyAh, no heh16:39
btorchRickB17: you need to replace "X-Storage-Url" with your storage url provided by the auth headers16:40
RickB17btorch: ok16:40
*** jfluhmann_ has quit IRC16:40
deepyI am looking for a image with Nova so I can begin testing and evaluating without feeling down by the installation16:41
RickB17btorch: done and updated16:41
btorchRickB17: paste number ?16:41
RickB17http://paste.openstack.org/show/1060/16:42
btorchcool16:42
jarroddeepy which hypervisor are you using16:42
deepyvirtualbox16:42
jarrodah ok16:42
deepyand I'm on 32bit!16:43
RickB17btorch:  that was done on my auth box directly, not the box with cloudfuse.16:43
*** mahadev has joined #openstack16:43
*** craniumslows has left #openstack16:44
kbringarddeepy: even if you hate ubuntu, if you install it in a VM, it's super easy to get the latest trunk running16:44
kbringardhttp://cloud.ubuntu.com/2010/12/bleeding-edge-openstack-nova-on-maverick-updated-x2/16:44
RickB17btorch:  when i run it from the box with cloudfuse, i get the same results16:44
jarrodif you like redhat over ubuntu -- that sounds like a deep seeded issue16:45
kbringardtakes like, < 5 minutes16:45
deepyTo be honest I don't even like Linux at all, I very much prefer BSD, but I loathe Ubuntu enough to refuse to install it16:46
*** irahgel has left #openstack16:46
btorchRickB17: same curl results from the cloudfuse box ?16:46
RickB17btorch: yes, want me to post them?16:47
RickB17btorch: http://paste.openstack.org/show/1061/16:48
btorchRickB17: I'm wondering y you are getting 204 and not 200 ...16:49
btorchRickB17: can u paste your proxy-server.conf as well16:49
RickB17btorch: http://paste.openstack.org/show/1062/16:50
*** fysa has quit IRC16:53
*** lionel_ has joined #openstack16:53
*** joearnold has joined #openstack16:56
*** fysa has joined #openstack16:59
*** JulioBell has quit IRC17:00
*** JulioBell has joined #openstack17:01
btorchRickB17: ok looks to me you are using devauth,  run your cloudfuse command and show me the pastes for the command/output and also the new lines that show up in your auth logs and proxy logs17:02
*** Ryan_Lane has joined #openstack17:04
RickB17btorch: http://paste.openstack.org/show/1063/17:05
btorchRickB17: dude you are using http17:07
RickB17btorch: one second yeah just noticed17:07
RickB17btorch: mistype i had https before let me repaste17:07
btorchcool17:07
RickB17btorch: same error, let me update the paste17:08
btorchRickB17: can u use IPs instead of hostnames too17:08
RickB17btorch: will do17:08
RickB17btorch: http://paste.openstack.org/show/1064/17:09
btorchI'm changing my setup to use ssl as well .. since the only difference I see is that17:09
btorchRickB17: ok now I get the same issue as you17:10
RickB17btorch: it doesn't appear to even put any entries in the logs anywhere17:11
RickB17btorch: I really appreciate you taking the time to work on this with me.17:12
btorchRickB17: let me bring my devauth back and try http and https with it17:13
*** bcwaldon has joined #openstack17:20
*** lionel_ has quit IRC17:26
*** lionel_ has joined #openstack17:27
*** RobertLaptop has quit IRC17:28
*** rlucio has joined #openstack17:30
*** omidhdl has joined #openstack17:30
btorchRickB17: having some problems myself with cloudfuse while using devauth ... not sure why right now17:32
RickB17btorch: okay.  but it should work if i disable ssh?17:32
RickB17btorch: if thats the case, i can get by with that for now since it's all internal17:33
btorchRickB17: right now I'm trying with everything proxy/auth on http since I assume if I have auth on https I will get that unable to authenticate17:33
RickB17btorch: do you have a blog or anything?17:34
btorchRickB17: give that a try... you should just need auth to be on http... my previous setup I had auth on http (swauth)17:34
btorchRickB17: about this ? :)17:34
RickB17btorch: about your experiences with swift or IT in general17:35
btorchRickB17: yeah zeroaccess.org but I'm not extremely active on it.. I try :(17:35
*** adiantum has quit IRC17:36
RickB17btorch:  I will add it to my feed :-D17:36
*** RobertLaptop has joined #openstack17:41
RickB17redbo: are you the author of cloudfuse? (https://github.com/redbo/cloudfuse)17:42
*** hazmat has quit IRC17:43
btorchRickB17: no redbo is ... he went out for lunch when he gets back I was gonna ask him about the https thing17:43
*** diegoparrilla has joined #openstack17:43
RickB17btorch: perfect.  Thanks.  I'll watch the chat here.17:44
btorchRickB17: does it work if you change auth to HTTP ?17:44
RickB17btorch: haven't tested yet.  Will try it now.17:44
edaysandywalsh: hey! read your oauth wiki page. when you talk about a child zone needing to ask the parent zone to authenticate, are you assuming an external auth service will be setup in the same zone structure as nova? if so, why? it seems auth shouldn't need to follow the same zone boundaries as nova17:45
*** joearnold has quit IRC17:45
btorchRickB17: once I move my swauth to http it works ... the storage-url uses https but that is because I use pound to proxy it over to http on the backend17:46
*** joearnold has joined #openstack17:46
sandywalsheday, right. I'm assuming a single over-arching auth service outside of the zones17:46
sandywalsheday, gets way to complicated to keep an auth per zone17:46
sandywalsh*too17:46
edaysandywalsh: but the diagrams show auth bouncing through every zone boundary17:47
sandywalsheday, that was thinking out loud stuff ... later on I suggest it's easier to keep it outside17:47
sandywalsheday, I should make that more explicit17:47
edaysandywalsh: ahh, ok. I saw that as a final example, but didn't seem to get much attention. my vote would be for that :)17:48
btorchRickB17: yeah it's definitely something with auth https17:48
sandywalsheday, definitely ... the other ones are too chatty17:49
*** JulioBell has quit IRC17:49
openstackjenkinsProject nova build #761: SUCCESS in 2 min 33 sec: http://jenkins.openstack.org/job/nova/761/17:49
openstackjenkinsTarmac: Added synchronize_session parameter to a query in fixed_ip_disassociate_all_by_timeout() and fix #735974.17:49
edaysandywalsh: yeah, and would require excessive auth layers (one per zone)17:49
btorchRickB17: http://paste.openstack.org/show/1065/17:49
*** metoikos has quit IRC17:50
sandywalsheday, yup, the authz stuff at the end is where it gets really interesting ... touches on instance naming and could be used for caching as well17:50
edaysandywalsh: as for authz on projects, don't think of instances belonging to a user and project, rather think of them only belonging to a single 'owner', which may be a user, project, or something else (this is a change coming in diablo most likely with splitting out auth service)17:50
RickB17btorch: this may be a stupid question, but what areas of the config do i have to change to disable ssl?17:50
RickB17btorch: at first glance i see it on the proxy server conf17:51
edaysandywalsh: so then authz tuples can just be (owner,verb), and no need to flatten projects/instances17:51
sandywalsheday, hmm, don't see how that would work. You need to know the subject for the permissions17:51
btorchRickB17: just for the auth-server in the auth-server.conf disable the cert_file and key_file and just restart the service17:52
*** adiantum has joined #openstack17:52
sandywalsheday, "(Alice) (can_halt) (ami-1234)"17:52
sandywalsheday, but she can't halt ami-66617:52
btorchRickB17: you can leave the proxy-server with https .. I don't have a problem with the storage url being https at lease17:53
btorchs/lease/least/17:53
edaysandywalsh: sure, but thats resolved at a zone. Alice would be authed with the tuples (alice,can_halt), (bob,can_halt), and (shared_project,can_halt)17:53
edaysandywalsh: and then a zone can apply those, using the instance.owner == tuple[0]17:54
RickB17btorch: i guess it just doesn't like me.... The server could not comply with the request since it is either malformed or otherwise incorrect.<br /><br />17:54
RickB17btorch: 400 bad request17:54
sandywalsheday, rather than try to synchronize project information between public/private zones, just flatten down to "instances" as the most-common-denominator17:54
btorchRickB17: is that from restarting it ?17:55
sandywalsheday, let the deployment worry about its project hierarchy17:55
RickB17btorch: no from rerunning cloudfuse17:55
btorchRickB17: what about curl ?17:55
sandywalsheday, issue is when ZoneA adds Fred to the project ... when does ZoneB learn of that?17:56
sandywalsheday, (need to write that down)17:56
edaysandywalsh: what would you flatten? if we just have (owners,action) tuples that can apply to any resource? (instance, network, volume, etc.)17:56
*** littleidea has joined #openstack17:56
RickB17btorch: cannot connect to host.  Let me check some stuff out..17:57
btorchRickB17: also is there a reason you are using devauth instead of swauth ?17:57
edaysandywalsh: well, fred would get ('project',can_do_something) tuple added in the auth step, so next time fred logs in he can start doing stuff for project17:57
RickB17btorch: no reason other than thats how it was in the setup guide17:57
redbobtorch,RickB17: what's the deal?17:57
btorchRickB17: for the 1.2 or 1.3 docs ?17:57
sandywalsheday, right ... fred would need to log in again. That may be fine first round17:57
edaysandywalsh: nova won't manage whos in what project, the auth service just provides the (owner,perms) pairs17:57
sandywalsheday, right, agreed17:58
RickB17btorch: i used http://docs.openstack.org/openstack-object-storage/admin/os-objectstorage-admin-book.pdf17:58
*** littleidea has quit IRC17:58
sandywalsheday, still think the subject is required though ... still not clear why you think we can leave it out. Can you elaborate?17:58
redboit's probably being a pain about self-signed certs17:59
edaysandywalsh: can you elaborate on the question more first? not quite sure I get it ;)17:59
RickB17btorch: if swauth is the recommended method i would like to use that.  Do have a link offhand that i could reference?18:00
sandywalsh eday you say the tuples can just be (subject, verb) ... but I don't see how you can leave out ,object). We can't allow blanket can_foo and we can't assume that object owner is sufficient18:01
sandywalsheday, ami-1234.owner = Alice, but Bob could have permission to manage the instance.18:01
sandywalsheday, irc suck for this :)18:02
sandywalsh*sucks18:02
gholtRickB17: If you're using code from trunk, using http://swift.openstack.org/ docs is best.18:02
edaysandywalsh: sure, so when bob issues a 'halt' request, bobs auth step returns (Alice,can_halt) as one of the tuples18:02
* btorch should probably add that to my nook :)18:02
gholtRickB17: If you're using the latest stable release (1.2 for Swift), the guide pdf should be fine.18:03
RickB17gholt: thanks, i will read the auth section there.18:03
sandywalsheday, how can Zone B auth do that when it doesn't know about the shared group that Bob and Alice are in. Only Zone A knows that.18:04
*** burris has joined #openstack18:04
edaysandywalsh: well, forget about 'zones' for a sec, they would both contact the same auth service, no?18:05
sandywalsheday, no, not in a federated case. Private/public deployments. MyCo -> ServiceProvider18:05
*** littleidea has joined #openstack18:07
*** littleidea has quit IRC18:07
edaysandywalsh: we may be getting ahead of ourselves then with authz here... hmm. first we need to be clear where auth tokens can be verified and where authz tuples are stored18:07
vishyin your wiki page18:08
redbobtorch: I pushed a change where it doesn't check the CA when authenticating.  I'll probably make it an option later.18:08
edaysandywalsh: assuming these are the same, wherever the child zone verifies the token, it would be the same place that manages the relationships (in the form of tuples) and returns those18:09
sandywalsheday, quite possibly. I think we can agree that there is an external service to the zones. I'm just thinking ahead I guess.18:09
vishysandywalsh: authn should return all of the subjects, so the subjects for Bob are: Bob, SharedAliceBobGroup, sysadmin18:09
openstackjenkinsProject nova build #762: SUCCESS in 2 min 28 sec: http://jenkins.openstack.org/job/nova/762/18:09
openstackjenkinsTarmac: Add checking if the floating_ip is allocated or not before appending to result array in DescribeAddresses.18:09
btorchredbo: cool I'll pull it down and recompile it in a sec18:09
sandywalshvishy, Hmm, that's a possibility as well. I prefer the flattening though. Smaller set size (I think :)18:10
sandywalsheday, correct.18:10
edaysandywalsh: can you explain the flattening? what exactly are you flatting from->to?18:11
sandywalsheday, the main takeaway is that all this policy enforcement needs to come out of nova18:11
vishysandywalsh: that is the point of authz in the prototype branch18:11
sandywalsheday, Zone A (private cloud) has a bunch of groups. Zone B (Service Provider) doesn't know about these groups. It only knows about Instance ID and the broader project/account they belong to (for billing)18:12
sandywalsheday, so Zone A needs to flatten all these groups down to just their Instance IDs so Zone B can deal with it18:12
*** dmshelton has quit IRC18:13
vishyI don't think ZoneB needs anything but ids18:13
sandywalshvishy, yes, but I don't think that will work in the federated case ... since objects are not shared between deployments18:13
sandywalshvishy, agreed18:13
vishysandywalsh: but zoneA doesn't need to know about ZoneBs ids18:14
edaysandywalsh: why would instance ids need to be passed between zones?18:14
sandywalshvishy, yes it would ... otherwise how would it select an instance to work with? Zone B fabricates the instance ID and returns it to Zone A after the boot() call18:15
vishyif zoneA makes a request to zoneB, zoneB is responsible for authZ.  ZoneB requests subjects from ZoneA (included in validation of token) and verifies authz internally.18:15
*** MarcMorata has joined #openstack18:15
vishythat way zoneA doesn't need to track anything about the object in zone A aside from that it is in zoneb18:15
vishys/about the object in zone A/about the object in zone B18:16
sandywalshvishy, yes, but Zone B doesn't know the context of the permissions that Zone A supplied. It only knows <this user> and [ list of instance ids]18:16
vishyo18:16
vishyno18:16
edayvishy: agreed, except zone b should not request subject from zone a, it would just do that form the auth service, no?18:16
vishyit knows groups when it auths the token against zone As Authn18:16
sandywalsheday, when I say zone B I mean the Auth service running at the service provider, not nova itself.18:17
vishyeday correct Zone As auth service18:17
zigo-_-soren: Where may I find the modified version of KVM that I need to package?18:17
RickB17btorch,redbo: I download the latest source, but still receive a simple "Unable to authenticate." with SSL enabled.  When i disable SSL on the auth server i receive this output: http://paste.openstack.org/show/1066/18:17
sandywalshvishy, the Groups of Zone a have no meaning in Zone B18:17
btorchhmm having problems pulling from github18:17
edaysandywalsh: if they shared a common auth service, they would, no?18:18
sandywalshvishy, zone_a> nova_manage create project Foo ... Zone B never sees that18:18
btorchRickB17: curl ?18:18
sandywalsheday, ah ... I don't think we can assume that can we?18:18
sandywalshMy private nova cloud has to use the Service Provider auth service?18:19
edaysandywalsh: if we're talking about the same user, we need to, no?18:19
RickB17btorch: http://paste.openstack.org/show/1067/18:19
redbowhaaaat... how could that happen?18:19
sandywalsheday, I don't think so , OAuth doesn't require that.18:19
RickB17btorch: could it be something with that 204 no content?18:19
zigo-_-Hey, can anyone do dpkg -l euca2ools on a working Openstack server, and tell me the version number?18:19
* zigo-_- needs to know if the Debian version is ok ...18:19
vishysandywalsh: if the instance was launched in zoneB by a user coming from zoneA18:20
vishythen the owner is coming from zoneA18:20
sandywalshyes18:20
btorchRickB17: no ... devauth returns 204  and swauth returns 200s .. that's fine18:20
RickB17btorch: ok18:20
vishyso as long as zoneA returns a group that is that owner, zoneB should be good18:21
RickB17btorch: http://paste.openstack.org/show/1068/18:21
RickB17btorch: added second output18:21
sandywalshvishy, but that group doesn't exist in zone B. All Zone B knows is "Alice" and her authenticated token.18:22
zigo-_-Please, I need a bit of support to do my Debian packaging ...18:22
zigo-_-What's the euca2ools version required?18:22
vishyZoneB knows the owner specified on instance launch18:22
*** hazmat has joined #openstack18:22
vishyI do agree though that anything more complicated than "owner" is going to be problematic18:23
sandywalshvishy, yes, but Bob may have permission control that instance as well ... not the the person that created it.18:23
vishysandywalsh: i think that is going to have to be handled with overrides.18:23
sandywalsh*to control18:23
sandywalshvishy, can you explain an override?18:24
vishyso alice has to make an override call to zone b and say: allow zonea.Bob, or allow zonea.AliceAndBob18:24
vishysandywalsh: but zoneB doesn't need to have a concept of the actual structure in zoneA, it just knows that X opaque ZoneA identifier is good.18:24
sandywalshvishy, I'm not sure. I think I have a scheme where zone A can handle groups by flattening the groups on the Zone A side.18:25
edayvishy, sandywalsh: or zone B is just configured to grab authz info from the auth service in zone a18:25
sandywalshvishy, yes, agreed18:25
vishysandywalsh: as i said in the notes i added to your wiki page, I think that if we pass this through the services, authz doesn't need to be shared.18:25
sandywalsheday, thought about that too .. that's tricky, but possible I think.18:26
vishysandywalsh: if you are flattening groups as you suggest then we have to share authz which i'm trying to avoid18:26
sandywalsh<looking>18:26
edaysandywalsh: because if we get more specific, we have a public cloud (rackspace) and private company (myco) using rackspace for bursting. myco has its own auth/groups/whatever, and doesn't want to lose those when bursting. it configures a rackspace account with billing info/auth service (no configured users in rackspace, just an auth endpoint)18:28
edaysandywalsh: rackspace that can just bill the CC for that account for anything created under that auth service. which allows remote authz management, no?18:29
sandywalshcorrect18:29
edayvishy, sandywalsh: or am I way off base? :)18:29
sandywalsheday, from the service provider perspective I think that's the correct approach.18:29
sandywalshvishy, I need to think about this override thing a little more. At first blush it seems problematic, but that could just be my lack of understanding.18:30
vishysandywalsh: it is implemented in a basic form in the prototype branch if that helps18:30
sandywalshvishy, pushing down to the services I don't like though. It makes child zones complicated and puts the auth "processing" code all over the place (vs just enforcement can_do_this())18:31
vishysandywalsh: how do you handle things like swift then?  It puts authz colocated with the objects18:32
sandywalshvishy, yes, I've looked at the branch, but I'm thinking from a practicality perspective. Can Zone A effectively keep those overrides in order.18:32
*** lvaughn_ has quit IRC18:33
sandywalshvishy, it may be like eday says, if MyCo wants to use a Service Provider it needs to keep calling Zone B to keep the permissions up to date.18:33
sandywalshicky though18:33
*** lvaughn has joined #openstack18:33
edaysandywalsh: what makes that icky?18:34
*** MarcMorata has quit IRC18:34
sandywalsheday, smells like a poor mans replication scheme18:34
edaysandywalsh: replication? I guess I see it as if we're already federating authn, why not authz?18:35
edaypushing overrides between zones seems more like poor mans replication, and is bound to get out of sync18:36
vishyif granting permissions is done the same way in all deployments, i don't see how it is any more complicated18:36
*** lvaughn_ has joined #openstack18:36
sandywalsheday, that's what I'm talking about ... pushing overrides18:36
uvirtbotNew bug: #747618 in swift "Fix .admin get_user privileges." [Critical,In progress] https://launchpad.net/bugs/74761818:36
vishyif alice wants to grant permissions to bob, she makes an auth call locally, and it is passed to the other zone, either through the service or by federated authz18:36
vishyi don't see what random crazy updates are getting pushed18:37
edayvishy: yeah. i guess with override it sounded like it was something remote zones would store in some way18:37
*** sebastianstadil has quit IRC18:37
vishyeday: yes, but it is only stored in the remote zone18:38
*** lvaughn has quit IRC18:38
sandywalsheday, well, it would need to store it ... it would need to store the override (policy)18:38
sandywalshhmm18:38
vishyeday: zoneA doesn't store it because the object belongs to zoneB18:38
edayvishy: if it's not stored remotely (outside the canonical authz service), I think we're all saying the same thing :)18:38
sandywalshvishy, so if I have 3 service providers I need to issue that override to all three?18:39
vishysandywalsh: no, it is per object18:39
edayvishy: ohh, you're talking about storing it with the object?18:39
vishyif you are talking per owner overrides, then it might be a little more complicated18:39
vishybut i think the amount of data there is pretty small.  It could create syncing problems as zones are added and removed i suppose18:40
edayvishy: I was talking about the per-owner perms, not per-object18:40
vishyeday: ok I'm with you now18:41
sandywalshvishy, well, I don't mind doing per-object permissions, but I don't think it's needed. If Zone A knows the permissions, it can just supply it when Alice authenticates. Why bother replicating it?18:41
vishyso what is the solution you are suggesting?  ZoneB makes a call back to ZoneA for per-owner perms?18:41
sandywalshthat's what my wiki page talks about ... not having to update Zone B. Having Zone supply everything (possible since groups are flattened)18:42
vishyowner permissions do make more sense belonging to the Zone where the user is.  object permissions have to be in zone where the object is.18:43
sandywalshvishy, no call back ... permissions are supplied at auth time by Zone A18:43
sandywalshI don't think the service provider should need to know about those complexities18:43
sandywalshit just needs to know Tenant ID, Instance ID and User ID18:43
sandywalshZone A supplies the tuples of valid permissions (with Actions)18:44
edaysandywalsh: why does it need instance id? just the auth token, no?18:44
vishysandywalsh: then auth in zone a needs to keep track of all of the objects in zoneB18:44
edaysandywalsh: the auth service should not track instance (and network, volume, ...) ids18:44
sandywalshvishy, yes, it needs to know all "externally managed" resources18:45
vishyeday: +118:45
edaysandywalsh: that's really heavy-weight for an auth service. what about when there are 10M swift objects? (resources)18:45
vishyyes that model blows up for swift pretty quickly18:46
sandywalshhmm18:46
sandywalshvalid point18:46
sandywalshbut clean :)18:46
creihtwe've learned that most models blow up for swift pretty quickly :)18:46
edaysandywalsh: it seems just managing <accounts> (which are users, projects, groups, etc) and relationships between those accounts. it then returns a tuple of (account,perms)18:46
edaycreiht: damn you for building extremely scalable systems :)18:47
creihtlol18:47
sandywalsheday, so we're still managing resources in auth, just projects/groups instead of instance ids18:47
sandywalshlet's say an order of magnitude savings (nothing to sneeze at of course)18:48
vishyi look at object_ids as belonging to authz18:48
vishywhich is internal to the service18:48
vishyso that could be swift's current implementation or a pluggable policy engine like the prototype authz18:48
sandywalshvishy, you just +1'ed eday for saying it shouldn't belong to authz :)18:48
vishysandywalsh: no i think it shouldn't belong to authn or any federated auth service18:49
sandywalsh(the 'internal to the service' thing worries me)18:49
sandywalshah, I'm talking about it being in AuthZ ... not AuthN18:49
edaysandywalsh: possibly multiple orders... could be millions of resources with a couple users/groups18:49
vishysandywalsh: why? actions are completely service-specific.18:49
sandywalshstill a large bunch of objects to manage18:49
*** bkkrw has joined #openstack18:50
sandywalshvishy, but they're just boolean checks (can_foo(user, object)) ... nothing more fancy.18:50
vishyif authz is mapping groups to actions and objects, the actions and objects are specific to the service18:50
edayvishy: but 'groups' are not service specific, ie, admin in swift == admin in nova perhaps18:50
vishyeday: correct18:50
vishyeday: which is why groups are returned by authn18:51
sandywalshalso, the service provider needs to know about every group from every customer.18:51
vishyand they are federated/etc.18:51
edayvishy: ok, but I see those as the input to authz, not authn18:51
vishysure, the input18:51
vishysomething calls authn, gets the groups and passes them to authz18:52
creihtIt also gets bad, if for every single object access, you have to make an authz request18:52
sandywalshcreiht, yes18:52
vishy(or handles it internally like swift does)18:52
sandywalshthat's a lot of data for every service to maintain isn't it?18:53
edayvishy: and by authz, you imagine a per-service authz service?18:53
vishyeday: i think most of the services will share one authz service, but it would not be shared across providers18:55
edayvishy: but now authz is split into two... group listing in the authN step, and authz just to get perms for those groups per service18:55
vishyso burrow, glance, nova might share the same authz, only because it makes setting policies a little easier, but i think they could just as easily use three separate ones.18:55
edayvishy: it would be nice to store those together and return once18:56
*** joearnold has quit IRC18:56
vishyeday: then you have to move objects back into authn though18:56
vishy(and actions)18:56
edayvishy: not objects, just perms on groups18:56
edayor, actions on groups18:56
vishyif you don't allow per-object permissions you could do it that way18:57
edayany per-object access overrides can still happen inside the service (nova.instance records, not an external service)18:57
sandywalshin my proposal, only Zone A keeps a reference to all objects it owns (even if externally managed). For the Service Provider AuthZ is pretty easy.18:57
vishyeday: I don't know if permissions can be shared18:58
vishyeday: between deployments18:58
edayvishy: why not?18:58
vishyZoneB may not want to allow users to create floating ips for example18:59
edayvishy: if my private cloud uses my orgs user/group structure, why can't that auth endpoint be used when bursting into the public cloud?18:59
vishythat means they have to validate against their own authn service anyway18:59
sandywalshthat's a decision for Zone A when it gives the Users Auth info18:59
sandywalshAlice, can_create_floating_ip, *18:59
*** drico has joined #openstack19:00
vishybut that isn't a decision for zone A19:00
vishyit is a policy decision for zone B19:00
sandywalshah, I see your point19:00
edayvishy: isn't that a deployment constraint, not a auth constraint?19:00
sandywalshwell, that's easy to layer on19:00
vishyzones have to be able to manage their own policies19:00
vishythe main purpose of authz is to allow for policies to be enforced19:00
sandywalshboth are required: Zone A may give Alice permission, but Zone B may deny it19:01
edayit's like a deployment that doesn't have volumes, any volume_perms would be ignored19:01
sandywalshyes19:01
*** dmshelton has joined #openstack19:01
vishysigh I'm starting to be convinced that we have to federate authz as well19:01
vishy:(19:01
sandywalshwe don't have to, but the problem is more manageable if we do.19:02
edayI don't see that as a bad thing19:02
sorengholt: What you see on lp:ubuntu/swift is months old.19:03
RickB17I'm receiving a code 400, message Bad HTTP/0.9 request from the curl command when requesting auth token from my auth-server.  http://paste.openstack.org/show/1070/19:03
sorengholt: The other URL (which is the correct one) wasn't updated. I hadn't pushed my changes yet.19:03
sandywalshI need to capture this thread ... is this room logged anywhere?19:03
RickB17btorch: this may be linked to why my cloudfuse isn't working i would imagine19:03
sorenzigo-_-: Is there a modified version of KVM that you need to package?19:03
edaysandywalsh: http://eavesdrop.openstack.org/irclogs/%23openstack.2011-04-01.log19:04
sandywalsheday, thx19:04
RickB17btorch: this error only shows up when the certs are disabled on the auth-server19:05
edayvishy: you could also set some overrides when configuring the auth service. for example, when zoneB is configured with (billing info, authA endpoint, ...), it could also have "never allow floating_ip perms"19:05
zigo-_-soren: I thought you said nova needs a specific version?19:06
zigo-_-Or was I dreaming?19:06
edayvishy: so it's not so much authz, but more of a configured filter when using the authz service19:06
vishyeday: i think if a zone is using an external auth service, it will probably always want to have some sort of proxy to validate/remove permissions it doesn't like19:07
devcamcarcreiht: you around?19:07
*** Zangetsue_ has joined #openstack19:07
vishyeday: I still don't see how the combined model handles per-object permissions well, and i really like the conceptual simplicity of authn and authz separate19:08
vishybut i do see your point about the splitting being a little odd19:08
edayvishy: per-object would just store group/action in the object record like swift19:08
*** Zangetsue has quit IRC19:09
*** Zangetsue_ is now known as Zangetsue19:09
edayvishy: and we could keep authn/authz separate too, I would just want to keep the group listing in authz, not return it as part of authn19:09
creihtdevcamcar: kinda19:09
creihtwhat's up?19:09
vishyeday: hmm, interesting, seems like groups have a lot to do with membership to me19:10
edayvishy: they do, but that's all authz, not authn19:10
devcamcarcreiht: just trying to track down some rsync issues i'm seeing19:10
creihtbtw, in swift right now we don't do per object permissions, just container level19:10
sandywalshah, interesting19:10
devcamcarcreiht: http://paste.openstack.org/show/1072/19:11
edayvishy: ie, openid from google isn't going to return a list of groups for authz19:11
devcamcarrsync is returning a lot of 5s19:11
vishyeday: so IDM plugs into authz then?19:11
sandywalshand is authz done against groups or done against users -> containers?19:11
devcamcarwhich according to docs is a "network protocol error" or something like that19:11
creihtdevcamcar: that can mean a lot of things :)19:11
devcamcarcreiht: yea, unfortunately19:11
vishyeday: I'm just trying to figure out where I plug in my AD19:11
*** gondoi has joined #openstack19:12
edayvishy: some systems are both authN and AuthZ, and I think AD would fit there19:12
sandywalsheday, I think the assumption is, if you want to do bursting you need to use an authn that can supply the permission tuples19:12
*** ironcamel has quit IRC19:12
sandywalsheday, under the hood it can be anything (AD, etc), but the permissions need to be layered on to talk to a Service Provider19:13
edaysandywalsh: actually it's authz returning that, but we've been talking about an authn/authz all in one19:13
redbodevcamcar: you could try running that manually, without --quiet19:13
creihtdevcamcar: most likely it had some sort of problem connecting to the remote machine (either network issue, or that node is really busy)19:14
sandywalsheday, yes, authz would return it. What's the value in combining them?19:14
creihtI think that error may also come up if rsyncd isn't enabled on the remote machine19:14
edaysandywalsh: it's a multi-step token->user OK (authn), user->(groups,actions) (authz). we can split those, but I think we shouldn't do token->user->groups as "authN", since it's mixing the two19:15
btorchRickB17: the latest cloudfuse pull that I got from github worked with https auth19:15
btorchredbo: thanks19:15
RickB17btorch: thanks i did download the .c file recompile and install it.  i posted above what i feel is the cause of my problem.19:15
uvirtbotNew bug: #747665 in glance "glance update won't update custom properties" [Undecided,New] https://launchpad.net/bugs/74766519:16
edayand I wonder if we need to keep those as separate endpoints and have the extra RTT even if it's the same service19:16
vishyeday: seems like optionally separate is valuable19:16
RickB17btorch: i'm just trying to figure out why it's doing it.  when i disable the certs i get a 400 error in my auth-server syslog when requesting a token from the cloudfuse machine using curl19:16
vishyeday: but for the service we ship we can put them together19:16
edayvishy: for AD, would you want to store (group,action) in ad, and if not, where?19:16
edayvishy: ok, and just use our own rest auth protocol? or somehow tack this onto another?19:17
sandywalsheday, we're back at (group, action) again, where'd the Object go? Is this being stored per-object?19:17
edaysandywalsh: no objects for per-owner perms19:17
vishyeday: doesn't owner become the object in that case?19:18
edaysandywalsh: per-object perms are stored inside the object record in the service (I think) like swift does19:18
btorchRickB17: on the proxy conf did u disable ssl for the filter:auth as well ?19:18
devcamcarcreiht: seems that rsync is running everywhere19:18
vishyso it is actually (group, action, group) ?19:18
sandywalsheday, I don't think that sufficient. You can't blanket permit Alice to halt instances.19:18
edayvishy: huh?19:19
sandywalshthat's19:19
RickB17btorch: no, should have i?19:19
sandywalshvishy, I think that makes more sense (group, action, group)19:19
vishy(alice -> can_halt -> alice's objects)19:19
*** clauden_ has joined #openstack19:19
vishy(alice -> can_halt -> bob's objects)19:19
sandywalshyes19:19
creihtdevcamcar: are the rsync errors isolated to one or a few machines or pretty evenly distributed?19:19
edayohh, I'm assuming it's <account> -> [(group,action),...]19:19
btorchRickB17: if your auth-server is no longer running with the certs/key (ssl) then yes.. it should be false19:19
edaythe first tuple is always the authN'd account19:20
devcamcarcreiht: distributed19:20
vishyah ok19:20
vishygood same page then19:20
edayyeah :)19:20
sorenzigo-_-: Of KVM? No.19:20
sorenzigo-_-: libvirt, though.19:20
RickB17btorch: since cloudfuse works with https i just re-enabled the certs19:20
sandywalsheday, sorry I'm missing that19:20
edayvishy: anyways, back to AD, where would you store (group,action) ?19:20
vishyeday: regarding rest auth protocol -> don't know that yet.19:20
btorchRickB17: ok then go back to how you used to have things and it should work now19:21
vishyeday: I'm considering the AD question19:21
edaysandywalsh: account->[(group,action),...] == (account,group,action),...19:21
sandywalsheday, group = object group?19:21
zigo-_-soren: Ok, that is done then! :)19:21
*** brd_from_italy has joined #openstack19:21
zigo-_-I got all up and running now.19:21
edayvishy: might be nice to just support existing out of the box, which means they may need to be separate depending on the type. something like LDAP could be all-in-one19:21
creihtdevcamcar: it is kinda hard to say without being on the machine19:22
zigo-_-The only main issue is nova-compute not having access to the libvirt socket file.19:22
vishyeday: the simplest policy engine is just a conf file19:22
creihtI would try running the command manually, and see if it presents any better info19:22
edaysandywalsh: I should say, group==owner of object19:22
zigo-_-I have to chown it once libvirt-bin starts ...19:22
*** hadrian has quit IRC19:22
RickB17btorch: still getting unable to authenticate.  no logs are showing up in my syslog on the auth-server when i run the command, but when i run curl it does.19:22
vishyeday: policies could go into ldap but i'm not sure if there is good support in ldap for it19:22
Ryan_Lanewhat kind of policies?19:23
zigo-_-soren: Where do I find the uec-publish-tarball command?19:23
edayRyan_Lane: user X can reboot19:23
zigo-_-Which package?19:23
Ryan_Laneahhh ok19:23
edayRyan_Lane: is that a good fit for ldap?19:23
Ryan_Laneand of course, now it's time to go to lunch :D19:23
Ryan_Laneheh19:23
Ryan_Laneback in like an hour19:23
vishyeday: the important thing is the policies have to be programmatically overridable as well19:23
sandywalsheday, then I don't get it. (account, owner of object, action) ... why not just (account, object, action) ?19:23
*** Ryan_Lane is now known as Ryan_Lane|food19:23
*** adiantum has quit IRC19:23
edaysandywalsh: because we don't want to store every object ID in the authZ service19:24
vishysandywalsh: auth already manages owners, so it means no extra data has to move in19:24
sandywalshok, gotch ... thanks19:24
sandywalshgotcha19:24
sandywalshvishy, re: AD, people are violently opposed to extending their AD schemas19:24
vishyeday, sandywalsh: although if we have federated auth then i suppose it is a little troublesome19:25
btorchRickB17: you have the latest cloudfuse trunk ?19:25
edayvishy: and those overrides would exist in the same authZ policy store?19:25
RickB17btorch: whats the easiest way to determine the version?19:25
vishyeday: does auth have to provide a way for other services to do owner overrides?19:25
RickB17btorch: i ran it from the repo19:25
edayvishy: or for per-object overrides, in the object record of the given service?19:25
vishys/services/zones19:25
sandywalshvishy, eday Zone A would remember who created the instance, so it could supply that list19:26
zigo-_-soren: Should I package "cloud-utils" as well? Why isn't it in the depends of one of the nova packages?19:26
*** jmaltin has joined #openstack19:26
devcamcarcreiht: yea, was hoping to get lucky and have it be something you'd seen before19:26
*** dendrobates is now known as dendro-afk19:26
creihtrsync can also tend to error a lot more when there is a lot of network activity19:26
btorchRickB17: ok let me go back to devauth :(19:27
edaysandywalsh: list of what, for what? im confused :)19:27
vishyso we have three "users" A.Alice A.Bob B.Frank19:27
RickB17btorch: i don't mind going to swauth since it's the recommended method.  WOuld that make it easier?19:27
RickB17btorch: appears like i will have to go that way anyhow.19:27
vishyalice wants to allow bob and frank to terminate her instances19:27
*** pharkmillups has quit IRC19:27
vishyso she says A -> (A.bob, allow-halt, alice)19:28
edayvishy: and A and B are different auth services?19:29
vishyright19:29
RickB17btorch: http://paste.openstack.org/show/1073/        swift version info19:29
devcamcarcreiht: yea i'm watching rsync logs and it does eventually seem to right itself19:29
edayoh jeez, this is going to be a mess :)19:29
btorchRickB17: I would use swauth19:29
vishyhow does she say that she wants to allow frank to terminate19:29
devcamcarcreiht: just feels a bit brittle right now19:29
vishy?19:29
edayvishy: don't allow it? :)19:29
RickB17btorch: can you point me to a quick read to change it over? is it just a couple config file changes?19:29
zigo-_-root@GPLHost:node3320>_ ~# uec-publish-tarball ubuntu1010-UEC-localuser-image.tar.gz dub-bucket x86_6419:29
zigo-_-Fri Apr  1 19:28:51 UTC 2011: ====== extracting image ======19:29
zigo-_-tar: maverick-server-uec-amd64-floppy: Wrote only 8704 of 10240 bytes19:29
vishyhehe19:29
zigo-_-tar: maverick-server-uec-amd64.img: Cannot write: No space left on device19:29
sandywalsheday, right, don't allow it19:29
creihtif it fails it will come back around and try again the next pass19:30
zigo-_-Is there a way to tell it not to use /tmp ???19:30
sandywalsheday, list of permissions19:30
edayvishy: or, if they share an authN system we can allow it19:30
edayand have different authZ for various auth groups19:30
vishyeday, sandywalsh: so I can't allow users using another auth system to access my instances19:30
sandywalsheday, vishy but that won't be the case in the public/private19:30
edayfor example, authN may be openID, and public/private both provide authZ using openIDs19:30
sandywalshvishy, they can, but the AuthZ needs to layer on the permissions tuples19:30
sandywalsheday, does openID allow that?19:31
sandywalshI can supply permissions?19:31
*** aixenv has quit IRC19:31
sandywalsh(like SAML assertions?)19:31
edaysandywalsh: no, openID doesn't, your authZ service does19:31
RickB17btorch: i see info in http://swift.openstack.org/1.2/howto_installmultinode.html, i'll follow that for the swauth setup and then give it a try.19:31
sandywalshright19:31
edaysandywalsh: openID gives you a common authN ID that all authZ systems can use19:32
sandywalshgotcha19:32
edayvishy: so, I would say we punt and allow it if your underlying authN/authZ service is configured to do so19:32
vishyeday: so we can do it as long as the AuthN service is the same19:32
vishybut if there are two authz services19:32
btorchRickB17: give this a try http://paste.openstack.org/show/1074/19:32
btorchRickB17: that's for the proxy-server.conf19:33
vishywhich one do i tell to give permissions19:33
edayvishy: the one that owns things needs to give permissions19:33
vishyso i send the permission request to a19:33
edayvishy: otherwise security is fundamentally broken19:33
vishyA -> (B.Frank, allow-halt, alice)19:34
vishyand as long as A can validate that B.Frank is who he says he is he can terminate alices instances19:34
sandywalshB.Frank or A.Frank?19:34
edayyeah, but now it's a mess to get B.franks perms from one place... hmm19:34
*** littleidea has joined #openstack19:34
vishyso i think what we are saying is that a deployment always validates with its own authz system19:35
sandywalshsince Frank is authn'ed on Zone A, it's a token from there.19:35
sandywalshso it would be A.Frank?19:35
edaythis is where we would need a per-object lookup depending on the owner19:35
RickB17btorch: ok, i have applied that, then ran swift-init all restart19:35
edayvishy: we are?19:35
RickB17btorch: on the proxy-server19:35
btorchRickB17: after you make the proxy-server.conf to use swauth and restart the service you will need to create the swauth account as that doc shows19:35
btorchRickB17: yes.. you will no longer need the auth box19:35
vishyeday: if frank tries to terminate alice's instances in A, then A is going to check its own authz to see if frank can19:36
btorchRickB17: later if you want you can always run a proxy there just for auth if you like19:36
edayvishy, sandywalsh: if B.frank authN's to nova zone, and it tries to reboot A.alice's instance, it would need to use A's authz server19:36
sandywalshvishy, yes, B validates, but A supplies the perms19:36
sandywalsheday, yes, but the permissions are all supplied in the zone A namespace. Zone B only has to do set comparisons19:37
vishyin that case, we don't really need to federate authz, we just need to be able to specify that we are allowing actions from users from an external authn service19:37
*** aixenv has joined #openstack19:37
sandywalshvishy, yes, I think that's correct19:37
edaysandywalsh: set comparisons? huh?19:37
edaysandywalsh: B's auth only did the ID check19:38
sandywalsheday, authz (sorry)19:38
RickB17btorch: running the add-user command now.  is it okay to use the same username/pw as with Devauth?19:38
btorchRickB17: yes in fact you should do this19:38
edayvishy: we still need to federate, how else would you get A's perms?19:39
RickB17btorch: should it take a long time to complete?  it's been running for ... about a minute now?19:39
vishyso authz in this model is responsible for managing: users/groups/roles/organizations (membership in general) and action policies19:39
btorchswauth-add-user -a -s AUTH_66962e4e335341c8b6463ccf3da2c4c1 -A https://127.0.0.1:8080/auth/ system root testpass19:40
vishyeday: only a needs a's perms?19:40
btorchRickB17: that was for u19:40
btorchRickB17: forgot the -K19:40
vishyeday: why would B need A's permissions?  In a bursting scenario?19:40
btorchRickB17: -K supersecretkeythatichanged19:40
RickB17btorch: swauth-add-user -K swauthkey -a system root testpass        this is whats in the doc.19:41
edayvishy: yeah... what if authz A and authz B are priate clouds, and they're using instances in zoneC19:41
edayerr, private19:41
sandywalshvishy, eday I think zone B just treats the values in the perm groups as opaque objects (exception for the user id). But the actions and object groups are simple Set checks.19:41
RickB17btorch: when i ran your command it came back instantly with "403 Forbidden"19:41
btorchRickB17: yeah but swauth-add-user will default to http ... your proxy is on https19:41
vishyeday: So zone C needs to make sure that it ok for "Alice" to launch instances and potentially start spending cash by checking her permissions with A19:42
sandywalshvishy, yes, in the bursting case19:42
RickB17btorch: what is the -s value?19:42
edayperhaps we should stop using 'zoneX' and say novaX and authX.. I'm confused by what service we're actually talking about in a zone sometimes19:42
*** mahadev has quit IRC19:42
vishyeday: good idea19:42
sandywalsh+119:42
btorchRickB17: I might be forgetting something ... the -s is so that it will use the same account hash that devauth had created before19:42
vishyok another sticking point19:42
vishyhow does a service define with auth what the possible actions are?  Does it need to?19:43
sandywalshvishy, authz_B needs to make sure it's ok for Alice to spend cash, it does so with the perms that were sent when Alice authenticated19:43
edayvishy: service API discovery19:43
*** kakella has joined #openstack19:44
edayvishy: of course this can vary between deployments, so if you wrote an auth manager to use a given endpoint, it may not be inclusive of all zones it can burst to19:44
btorchRickB17: try this swauth-list -K supersecretkeythatichanged -A https://127.0.0.1:8080/auth/19:44
btorchRickB17: I'm assuming your super_admin_key  is still that from your last paste19:44
sandywalshvishy, eday can't it just send them all?19:45
RickB17btorch: yeah i changed it :-D i never posted the real one.  I've been replacing it.  I get 403 forbidden19:45
RickB17btorch: let me make sure i didn't make any typos19:45
edaysandywalsh: sure, but different versions may have different sets of "all", but that should be fine19:45
sandywalshvishy, eday and authzB will only use what's needed?19:45
edayreason to upgrade :)19:45
sandywalsh:)19:45
btorchRickB17: if that works hehe .. the list should give you back an empty {} I believe19:45
sandywalshvishy, eday I have to drop off ... but great discussion!19:45
edaysandywalsh: yeah, have a good weekend!19:46
sandywalshvishy, eday summit!19:46
RickB17btorch: i did make a typo, now i get a 500 server error19:46
sandywalsheday, vishy thanks ... you too19:46
RickB17btorch: list failed: 500 server error....internal server error.19:46
vishyagreed19:46
edayI think we can write a more detailed proposal to discuss now :)19:47
btorchRickB17: the proxy-server.conf I pasted for you I also made a typo .. should be "default_swift_cluster = local#https://10.118.56.31:8080/v1#https://127.0.0.1:8080/v1"19:47
btorchRickB17: you running this from within the proxy box right ?19:47
edayof course there is still the namespace issue and how to know what remote auth service to use19:47
RickB17btorch: yes from the proxy box19:47
RickB17btorch: ok fixed the http to https as well as verified the secretkey19:49
sandywalsheday, vishy http://paste.openstack.org/show/1075/19:50
sandywalshtrimmed down19:50
RickB17Traceback (most recent call last):19:50
RickB17  File "/usr/bin/swauth-list", line 70, in <module>19:50
RickB17    parsed.path += '/'19:50
RickB17AttributeError: can't set attribute19:50
btorchRickB17: also restart memcache just to be safe19:50
btorchRickB17: can u  paste the whole command with the output on paste.openstack.org19:51
RickB17btorch: http://paste.openstack.org/show/1076/19:51
btorchRickB17: also the new proxy-server.conf unless u are using the one I pasted19:52
btorchRickB17: add / at the end of auth19:52
kbringardI have a question about glance update19:53
RickB17btorch: http://paste.openstack.org/show/1077/19:53
kbringardwhen I try to update the properties for an image, it only seems to take the first one that I specify19:53
RickB17btorch: now i'm getting 403 access denied to resource19:53
kbringardand each subsequent run overwrites what was already there19:53
kbringardoh wait, actually... it's just the type= that gets blasted19:54
kbringardand you can't get it back in there19:55
kbringardthis is probably that bug justinb was talking about19:55
*** zenmatt has quit IRC19:56
*** omidhdl has quit IRC19:56
kbringardah, OK, I think I nailed down the failure case19:59
btorchRickB17: hmm and adding an account ? swauth-add-account20:00
RickB17btorch: yeah i'll send you the output20:00
RickB17btorch: http://paste.openstack.org/show/1078/20:01
RickB17btorch: lol nope20:01
RickB17btorch: add user....20:01
RickB17btorch: should it be add-user?20:02
btorchRickB17: I'm just trying to test things out ... you can add an account too20:02
sorenzigo-_-: Because it's not needed?20:03
RickB17btorch: jumping into a quick meeting be back in 5-1020:03
sorenzigo-_-: Nova functions perfectly fine without client tools.20:03
zigo-_-Oh ok, got you.20:03
zigo-_-So then, uec-publish-tarball connects to what?20:03
btorchRickB17: http://paste.openstack.org/show/1080/20:04
*** rlucio has quit IRC20:04
zigo-_-soren???20:05
zigo-_-Gone for 30 more minz idle? :)20:05
sorenzigo-_-: whuh?20:06
zigo-_-uec-publish-tarball connects to what?20:06
zigo-_-:)20:07
sorenzigo-_-: uec-publish-tarballs talks to nova-objectstore and nova-api.20:07
zigo-_-Ok, thanks.20:07
zigo-_-Or to glance, right?20:07
soren...why?20:07
sorenNo.20:07
zigo-_-Ah...20:07
zigo-_-Swift is a replacement for nova-objectstore, no?20:07
zigo-_-And I thought that Glance would be between the client and swift ...20:08
zigo-_-I'm not getting it right, am I?20:08
sorenNot exactly :)20:08
*** kashyap has quit IRC20:08
sorenSwift is a proper object store.20:08
zigo-_-Then what is Glance about?20:09
sorenGlance is an image registry.20:09
zigo-_-That uses Swift, no?20:09
sorenThe OpenStack image registry, so to speak.20:09
sorenBefore Glance came along, Nova exposed an interface identical to Amazon EC2.20:10
sorenYou'd upload an image to S3 (nova-objectstore), and ask EC2 (nova-api) to "register" this image.20:10
sorenThis is the interface uec-publish-tarball uses (since it was made for EC2 and Eucalyptus).20:10
sorenSwift can use several backends. One is Swift, I believe.20:11
sorenI have very little experience with Glance, I'm afraid.20:11
*** vernhart has quit IRC20:11
zigo-_-Thanks, that helps.20:11
kbringardsoren: so you can use the objectstore still with glance if you set up an s3 connector and tell it to connect to your objectstore api frontend, yea?20:12
zigo-_-soren: I still have an issue with the unix rights of libvirt over here...20:14
zigo-_-I had to Should-start: libvirt-bin, and then write a chown in nova-compute.20:15
zigo-_-That's not in my bzr, of course...20:15
zigo-_-Just a hack on my test server.20:15
*** pothos_ has joined #openstack20:15
zigo-_-Got to find a proper solution.20:15
*** troytoman-away is now known as troytoman20:15
*** zenmatt has joined #openstack20:16
*** pothos has quit IRC20:17
*** pothos_ is now known as pothos20:17
zigo-_-soren: But otherwise, I think you can pull from me for both swift and nova. Swift is now lintian clean, with some stubs manpages, and more extended descriptions.20:18
RickB17btorch: back20:22
btorchRickB17: http://paste.openstack.org/show/1080/20:23
RickB17btorch: got it, running through it now.  Thanks.20:23
*** paltman has quit IRC20:23
RickB17btorch: http://paste.openstack.org/show/1082/20:24
RickB17btorch: 403 Forbidden returned20:24
*** BK_man has quit IRC20:25
*** BK_man has joined #openstack20:25
RickB17btorch: anyway of resetting all permissions?20:26
btorchRickB17: not sure what's going on with your 403s there !? gholt any ideas on that ? he is going from devauth to swauth20:26
btorchRickB17: this works  ? curl -i -GET https://127.0.0.1:8080/healthcheck20:27
BK_mandid anybody test ajaxterm stuff? Can't get it running, ajaxterm.py is returning Not Authorized: http://paste.openstack.org/show/1083/20:27
*** paltman has joined #openstack20:28
RickB17curl: (58) unable to use client certificate (no key found or wrong pass phrase?)20:28
btorchRickB17: use -k20:29
btorchcurl -i -k20:29
*** adiantum has joined #openstack20:29
RickB17curl -i -k -GET https://127.0.0.1:8080/healthcheck20:29
RickB17curl: (58) unable to use client certificate (no key found or wrong pass phrase?)20:29
btorchRickB17: you got the correct cert_file/key_file in place in the proxy-server.conf ?20:31
RickB17btorch: should be,  should i regenerate them? copy them from the auth or storage node?20:32
RickB17btorch: I have to head out.  I appreciate your time and help today.  I'm assuming you're a regular in this room, so I catch you back here?20:35
btorchRickB17: cool sorry we couldn't get this working20:35
btorchRickB17: yeah I'll be around20:35
*** sebastianstadil has joined #openstack20:36
*** hazmat has quit IRC20:36
*** sebastianstadil has quit IRC20:37
*** vernhart has joined #openstack20:45
*** Ryan_Lane|food is now known as Ryan_Lane20:46
*** brd_from_italy has quit IRC20:47
*** brd_from_italy has joined #openstack20:51
*** joearnold has joined #openstack20:51
*** shentonfreude has quit IRC20:51
nelsonin .../proxy/server.py, is "# this is a temporary hook for migrations to set PUT timestamps" to be taken seriously?20:54
*** zenmatt has quit IRC20:55
nelsonBecause as far as I can see from reading the source, that's the only way to set the Last-Modified: header.20:55
kbringardjaypipes: thanks for the note on that glance update thing20:55
kbringardjaypipes: it looks like the code was merged between when I made the notes and when I checked out the code, so I kept seeing purge_props=False set, and was really confused why it was blasting the stuff20:56
*** nelson has quit IRC20:56
kbringardhaha20:56
*** nelson has joined #openstack20:56
kbringardor rather, the apt repo I installed from didn't have this version... or something20:56
kbringardthat's what I get I suppose :-)20:56
*** BK_man has quit IRC20:58
*** brd_from_italy has quit IRC21:00
*** Ep5iloN_1 has joined #openstack21:01
*** adiantum has quit IRC21:02
*** sebastianstadil has joined #openstack21:02
*** _vinay has quit IRC21:03
*** imsplitbit has quit IRC21:03
*** Ep5iloN_ has quit IRC21:03
*** dendro-afk is now known as dendrobates21:06
jaypipeskbringard: so, everything ok now? :)21:06
*** h0cin has quit IRC21:06
kbringardalmost, I checked out the latest code and installed it, but then realized it installed to /usr/local/bin and the deb was /usr/bin21:07
*** ironcamel has joined #openstack21:09
*** ctennis has quit IRC21:10
*** MarcMorata has joined #openstack21:10
*** zenmatt has joined #openstack21:12
kbringardhrmm21:13
*** zigo-_- has quit IRC21:13
kbringardjaypipes: if I'm reading this correctly, it says it was merged to branch 100, right?21:14
jaypipeskbringard: one sec.21:14
*** adiantum has joined #openstack21:14
jaypipeskbringard: yes21:15
kbringardhmmmmmm21:15
kbringardii  glance                          2011.2~bzr100-0ubuntu0ppa1~maverick2                        OpenStack Image Registry and Delivery Service - Daemons21:15
kbringardii  python-glance                   2011.2~bzr100-0ubuntu0ppa1~maverick2                        OpenStack Image Registry and Delivery Service - Python library21:15
*** clauden_ has quit IRC21:15
kbringardbut it's still happening21:15
kbringardI also removed the dpkg and installed the latest source instead21:16
*** Zangetsue has quit IRC21:16
kbringardwith the same results21:16
kbringardso it may not actually be fixed21:16
*** Zangetsue has joined #openstack21:16
*** dspano has quit IRC21:20
*** johnpur has quit IRC21:22
*** shawndecuir has joined #openstack21:23
*** ctennis has joined #openstack21:25
*** ctennis has joined #openstack21:25
uvirtbotNew bug: #747799 in glance "Delete image of size 0 gives AttributeError " [Undecided,New] https://launchpad.net/bugs/74779921:27
*** bcwaldon has quit IRC21:29
*** RobertLaptop has quit IRC21:29
*** adiantum has quit IRC21:29
*** ppetraki has quit IRC21:32
jaypipeskbringard: hmm :( perhaps the ppa hasn't updated...21:33
kbringardwell, I looked in /usr/lib/pymodules/python2.6/glance/registry/db/api.py21:33
kbringardand I see the purge_props=False in there21:34
kbringardI dunno, my brain hurts and it's Friday21:35
kbringardI'll dig back into it on Monday when I'm not over this week :-D21:35
kbringardthanks for the help21:35
*** hazmat has joined #openstack21:35
*** adiantum has joined #openstack21:36
*** Zangetsue has quit IRC21:36
*** Zangetsue has joined #openstack21:36
*** enigma1 has quit IRC21:37
*** icarus901 has joined #openstack21:37
jaypipeskbringard: sounds good :)21:38
btorchwhere does nova get the dns nameserver,domain,search from ? I have tried changing the networks table with the proper info and also setting up the dhcp_domain,flat_network_dns flags21:39
btorchusing kvm21:40
kbringardbtorch: I think it gets it all from dnsmasq21:41
kbringardbut, because the --config-file= is blank21:41
kbringardit only takes what's explicitly passed on the command line21:41
btorchkbringard: aww good point21:41
kbringardI actually have a merge which allows you to specify a dnsmasq.conf file21:41
kbringardso you can control those things21:41
kbringardbut I got it in after the freeze, so we're waiting21:42
btorchkbringard: who calls dnsmasq ? nova-network ?21:42
kbringardyea21:42
kbringardhttps://bugs.launchpad.net/nova/+bug/74257821:42
uvirtbotLaunchpad bug 742578 in nova "Wishlist: Nova-network dnsmasq settings are static" [Wishlist,In progress]21:42
btorchkbringard: is that in just one py file ?21:43
kbringardyea, it's in21:43
kbringarduhm21:43
kbringardnova/network/linux_net.py21:43
kbringardyou can add the flags manually to that code21:44
kbringardor you can add my lines (it's like 4 of them) and use a dnsmasq.conf file21:44
kbringardas you like21:44
*** zaccone has joined #openstack21:44
zacconeHello everybody21:44
kbringardbtorch: look for this line: cmd = ['sudo', '-E', 'dnsmasq',21:45
kbringardall the flags it passes are after that21:45
zacconeDid anybody manage to run NFS client on standard system image taken from http://smoser.brickies.net/ubuntu/ttylinux-uec/ ?21:45
*** burris has quit IRC21:45
btorchkbringard: cool found it thanks21:45
zacconeWhen i try to mount anything via NFS I only get mount: mounting 10.0.2.15:/nfs/cloud1 on /tmp/test/ failed: No such device21:46
kbringardno worries 21:46
*** dendrobates is now known as dendro-afk21:46
*** allsystemsarego has quit IRC21:46
zacconemount: mounting 10.0.2.15:/nfs/cloud1 on /tmp/test/ failed: No such device21:46
kbringardI'm outa here, have a good weekend guys21:46
*** kbringard has quit IRC21:46
zacconewhile mounting it on the source machine works fine.21:46
*** Zangetsue_ has joined #openstack21:49
*** Zangetsue has quit IRC21:49
*** Zangetsue_ is now known as Zangetsue21:49
smoserzaccone, i dont know. i would guess that you would need some nfs modules in order to do that.21:52
*** burris has joined #openstack21:52
smoserthe kernel is a standard ubuntu kernel see the readme21:52
smoserso you can get modules for it21:52
zacconesmoser: this is more like problem in image and busybox, which is quite badly equipped.21:53
smoserwell, it could be, yes.21:53
smoserbut i dont think so21:53
smosermost likely that kernel has:21:54
smoser CONFIG_NFS_FS=m21:54
smoserand i dont think i would have put the nfs module inside the image21:54
smoserso without that you're not getting nfs21:54
smoseri would suspect that ttylinux's busybox *does* have support for nfs mounts21:54
smoserthat ttylinux-uec image is basically ttylinux + ubuntu kernel21:54
zacconesmoser: you mean that my ubuntu server kernel is misconfigured, i mean without nfs ?21:55
zacconesmoser: well i managed to do mount 10.0.2.15:/nfs/cloud1 /tmp/test on that 10.0.2.15 machine21:55
zacconejust to check whether it's server or client problem.21:55
zacconewell i don't feel like reconfiguring the kernel on the Ubuntu server :/22:00
*** adiantum has quit IRC22:00
*** rds__ has quit IRC22:03
*** bcwaldon has joined #openstack22:11
*** shawndecuir has left #openstack22:11
btorchkbringard thanks22:12
zacconehm, I've got another question.22:13
*** adiantum has joined #openstack22:13
zacconeWhenever I start the system22:13
zacconeI only have one openstack instance that's always in the scheduling state. I then have to use euca-run-instances to run another instance that is running fine. However every time it has other instance Id (i-000001,2,3,4 etc). and different IP address.22:14
zacconeHow can i automate that process and have the same instance being run?22:15
*** gondoi has quit IRC22:16
*** dmshelton has quit IRC22:20
*** rds__ has joined #openstack22:21
*** bkkrw has quit IRC22:30
*** lvaughn_ has quit IRC22:31
*** fysa has quit IRC22:31
*** bcwaldon has quit IRC22:33
*** kakella has left #openstack22:36
*** MarcMorata has quit IRC22:37
*** Zangetsue has quit IRC22:39
openstackjenkinsProject swift build #234: SUCCESS in 28 sec: http://jenkins.openstack.org/job/swift/234/22:47
openstackjenkinsTarmac: Now:22:47
openstackjenkins.super_admin may get any user info22:47
openstackjenkins.reseller_admin may not get .reseller_admin info22:47
openstackjenkins.admin may not get .reseller_admin or .admin info22:47
openstackjenkinsusers can't get any user info22:47
*** lvaughn_ has joined #openstack22:47
*** fysa has joined #openstack22:47
*** bcwaldon has joined #openstack22:50
*** troytoman is now known as troytoman-away22:51
*** Ryan_Lane has quit IRC22:51
*** bcwaldon has quit IRC22:52
*** zaccone has quit IRC22:53
*** dendro-afk is now known as dendrobates22:55
*** joearnold has quit IRC22:56
*** adiantum has quit IRC23:02
*** jmaltin has quit IRC23:03
*** nid0 has quit IRC23:03
*** hazmat has quit IRC23:04
*** maplebed has quit IRC23:07
*** Ryan_Lane has joined #openstack23:10
uvirtbotNew bug: #747855 in nova "euca-describe-images shows all glance images as Private" [Undecided,New] https://launchpad.net/bugs/74785523:11
*** adiantum has joined #openstack23:15
*** dragondm has quit IRC23:24
uvirtbotNew bug: #747867 in swift "Replicator double quarantine" [High,Confirmed] https://launchpad.net/bugs/74786723:36
*** troytoman-away is now known as troytoman23:41
