Monday, 2016-04-11

« Sunday, 2016-04-10 Index Tuesday, 2016-04-12 »
*** jlwhite has quit IRC00:29
*** rderose has joined #osic00:40
*** rmevans has quit IRC02:17
*** rmevans has joined #osic02:24
*** asettle has quit IRC02:33
*** sgundur has left #osic03:04
*** rmevans has quit IRC03:17
*** nadeem has joined #osic03:20
*** onthecly has joined #osic04:04
*** onthecly has quit IRC04:08
*** karthikp has joined #osic04:17
*** rderose has quit IRC04:53
*** asettle has joined #osic05:28
*** karthikp has quit IRC06:02
*** nadeem has quit IRC07:02
*** xek has quit IRC07:24
*** asettle has quit IRC08:09
*** jlwhite has joined #osic10:26
*** ccneill has quit IRC10:56
*** sgundur has joined #osic12:16
*** b3rnard0_away is now known as b3rnard012:17
*** inc0 has joined #osic12:57
*** xek has joined #osic13:24
*** onthecly has joined #osic13:28
*** onthecly has joined #osic13:29
*** onthecly has quit IRC13:29
*** onthecly has joined #osic13:30
toangood morning osicers!13:39
clacomornings13:41
sarafrajgood morning13:44
lbragstado/13:45
dasmgood morning!13:46
*** rderose has joined #osic13:49
*** ametts has joined #osic13:55
electrocucarachamorning13:57
*** KrishR has joined #osic13:58
*** jthorne has joined #osic14:00
izaakkMorning!14:01
*** woodster_ has joined #osic14:03
anushGood morning from sunny Arizona14:05
dasmanush: good morning from cloudy San Antonio14:06
*** KLevenstein has joined #osic14:06
*** KLevenstein has quit IRC14:08
kencjohnstono/14:11
*** pushkaru has joined #osic14:11
pumaranikargood morning14:12
*** jlwhite has quit IRC14:12
*** anush_ has joined #osic14:13
*** Mudpuppy has joined #osic14:14
*** spotz_zzz is now known as spotz14:20
*** anush_ has quit IRC14:26
spotzmorning14:26
*** muralia_ has joined #osic14:28
*** muralia has quit IRC14:30
*** karthikp has joined #osic14:34
MudpuppyO/14:36
*** onthecly has quit IRC14:39
*** homerp_ has joined #osic14:40
*** sfinucan has joined #osic14:44
*** pumarani__ has joined #osic14:46
*** rahulunair has joined #osic14:46
*** pushkaru has quit IRC14:48
snetiMorning!!14:49
*** karthikp has quit IRC14:51
*** karthikp has joined #osic14:52
*** inc0 has quit IRC14:59
*** asingh has joined #osic15:08
*** inc0 has joined #osic15:16
*** homerp_ has quit IRC15:18
*** homerp_ has joined #osic15:21
*** navid_ has joined #osic15:30
*** asingh has quit IRC15:34
navid_hi15:35
navid_how can i reset the password on osic clster15:36
jthornenavid_: are you locked out or you want to change your password?15:37
*** ccneill has joined #osic15:37
navid_I havent activated the password at the time so the link is expired15:37
jthornenavid_: i can reset it. what's your email address?15:37
navid_navid.pustchi@intel.com15:39
navid_jthorne, thanks15:39
jthornenavid_: sending the new link to your email15:39
*** navid_ has quit IRC15:46
*** asingh has joined #osic15:47
pdardeauswift ptl will be at castle tomorrow and wed to help jumpstart osic swift within swift community15:58
pdardeauset up an etherpad for it: https://etherpad.openstack.org/p/SG5RJKiZr915:58
pdardeauanyone is welcome to drop by at any time15:59
pdardeaulocations TBD15:59
*** inc0_ has joined #osic16:08
*** inc0 has quit IRC16:11
*** nadeem has joined #osic16:12
*** ankur-gupta-f has quit IRC16:14
*** david-lyle_ is now known as david-lyle16:15
*** anush_ has joined #osic16:20
*** yarkot_ has joined #osic16:23
*** ankur-gupta-f has joined #osic16:24
*** karthikp has quit IRC16:29
*** karthikp has joined #osic16:29
*** homerp_ has quit IRC16:34
*** nadeem has quit IRC16:37
*** jthorne has quit IRC16:41
*** jthorne has joined #osic16:42
*** jthorne has quit IRC16:43
*** sfinucan has quit IRC16:43
*** jthorne has joined #osic16:44
*** homerp_ has joined #osic16:44
*** inc0_ has quit IRC16:44
*** ankur-gupta-f has left #osic16:48
*** rderose has quit IRC17:00
*** inc0 has joined #osic17:04
*** jlwhite has joined #osic17:06
*** jlwhite has quit IRC17:20
*** asingh has quit IRC17:22
*** asingh has joined #osic17:23
*** anush_ has quit IRC17:29
*** homerp_ has left #osic17:36
*** karthikp has quit IRC17:47
*** karthikp has joined #osic17:48
*** yarkot_ has quit IRC17:48
*** sfinucan has joined #osic17:50
*** homerp_ has joined #osic17:51
*** jlwhite has joined #osic18:01
*** anush_ has joined #osic18:02
*** nadeem has joined #osic18:04
*** nadeem has quit IRC18:05
*** ankur-gu_ has joined #osic18:05
*** jlwhite has quit IRC18:05
*** jlwhite has joined #osic18:06
*** nadeem has joined #osic18:06
*** karthikp has quit IRC18:09
*** karthikp has joined #osic18:09
*** inc0 has quit IRC18:11
*** ccneill has quit IRC18:13
*** ccneill has joined #osic18:17
*** homerp_ has left #osic18:41
gmmahahi neutron experts, had a quick Q.. have you ever come across an issue where neutron fails with 'Authorization failed for token' when scheduling multiple VMs18:42
gmmahaand never recovers from that state..18:42
gmmahai started a 1000 VM schedule and after a certain limit neutron starts throwing 'Authorization failed for token' and just wont recover from this state18:43
*** anush_ has quit IRC18:44
hockeynuttoken expired perhaps?18:44
gmmahahockeynut: if the token expired, shouldnt it get a new one by authenticating?18:45
hockeynutone would think - unless you authenticate once then use that token for a time period longer than the token's lifespan18:46
ankur-gu_gmmaha: my guess is token authentication only happens upon initial request, so if it times out theres no call to re-authenticate18:46
hockeynutweve had that issue with some barbican tests - token lives for X and we try to use it at X+118:46
gmmahahockeynut: ankur-gu_: ohh wow.. ok18:51
gmmahadidnt know that it wont request for token when it expires18:51
ankur-gu_but im no expert. So don't take my word for it. Just an assumption18:52
*** karthikp has quit IRC18:57
*** karthikp has joined #osic18:58
*** yarkot_ has joined #osic19:00
*** jlwhite has quit IRC19:05
*** ankur-gu_ has quit IRC19:18
*** ccneill has quit IRC19:19
*** ccneill has joined #osic19:20
*** jlwhite has joined #osic19:21
gmmahadolphm: lbragstad: is the above claim true? shouldnt services get fresh tokens if the current one in use expires?19:35
gmmahahockeynut: thanks for the info.. i thought i was deploying it all wrong and was scrubbing my setup19:36
hockeynutnp - good luck!19:38
dolphmgmmaha: services should definitely get fresh tokens if the one they have expires19:45
dolphmgmmaha: i wonder if you need to increase the token lifespan in keystone.conf? it's possible it's set to a shorter duration than your long-running operation requires19:45
dolphmgmmaha: i believe the default is just an hour (which is aggressively low to discover these issues - you probably want something longer like 2-72 hours, depending on security concerns, etc)19:46
gmmahadolphm: thanks..19:46
dolphmgmmaha: keystone.conf [token] expiration19:46
gmmahai can increase the timeout of the key.. but have you ever heard of any service (neutron in this case) running into a situation liek this?19:47
gmmahadolphm: will increase it and see if i get something19:47
gmmahaif the token fails to auth and if say the token hasnt expired yet19:48
gmmahaand i ran the test twice.. both times the no. of successful VMs were very close. So wondering if there is a security failsafe where so many requests within a given period of time, we block that token from requesting anymore19:50
*** rmevans has joined #osic19:54
*** anush_ has joined #osic19:58
dolphmgmmaha: i suspect it's the client's token that is expiring, not neutron's19:59
dolphmgmmaha: if it was a quota issue, you should get a different status code / message20:00
dolphmgmmaha: or if it was a sudden change in authorization, it'd be a 403 (you're authenticated, but not allowed to do that)20:00
gmmahadolphm: aah ok..20:00
gmmahadolphm: the way i create the 1000 VMs was one command.. 'openstack server list --min 1000 --max 1000 ......'20:01
gmmahaand that command is done and it stops20:01
dolphmgmmaha: how long did that operation take before you saw a failure?20:01
gmmahadolphm: ohh a hour past and i got 484 Vms active20:02
gmmahaAfter that nothing20:02
gmmahaall theother just failed since20:02
*** inc0 has joined #osic20:05
dolphmgmmaha: token is expired :)20:06
dolphmgmmaha: again, the default token lifespans are aggressively low20:07
gmmahadolphm: is there a limit on no. of tokens keystone can issue in a given time period?20:07
dolphmgmmaha: 24 hours is a popular value for production deployments20:07
gmmahaI am curious how come the system never recovered from this state20:07
dolphmgmmaha: good question - that's one reason why the current default is low as well20:07
gmmahai let it sit for anthoer 3 hours while it was slowly erroring out on the remaining 516 VMs20:08
dolphmgmmaha: with UUID tokens, yes, you'll fill up the database. a low expiration means fewer active tokens20:08
dasmdolphm: 24h as default for production? seems very long. i thought it's pretty low value to prevent possible breakouts.20:08
dolphmgmmaha: if you switch to Fernet tokens, there's no limit, and you can increase the default lifespan much higher with no performance penalty20:08
dolphmdasm: breakouts as in compromised tokens?20:08
dasmdolphm: and... you will talk about fernet tokens at Summit (ad :P)20:09
dasmdolphm: yes.20:09
*** yarkot_ has quit IRC20:09
dolphmdasm: that's a security / user experience tradeoff that you have to weigh yourself as a deployer20:09
gmmahadolphm: so since the scheduling was done with 'A' token when it expired, noen ofthe subsequent requests bothered to change the token to a non-expired one?20:10
gmmahaInteresting!! :)20:10
dolphmdasm: but to your point, an hour is so low that no one will ever bother us upstream to lower the default any lower :P20:10
dolphmgmmaha: they can't -- your client generated the token20:10
gmmahadolphm: haha.. :D20:10
gmmahadolphm: aaaah20:10
gmmahaok.. that makes sense now20:10
dolphmgmmaha: and at some point, the services just noticed that your token was expired, so they started disregarding the subsequent requests20:11
dasmdolphm: :)20:11
dolphmgmmaha: that's a fun problem if you're interested in solving it :P20:11
gmmahadolphm: :)20:11
gmmahadolphm: not going to say no to that. :P20:12
gmmahadolphm: thanks much for taking the time to explain..20:14
gmmahamakes a lot of sense now20:14
*** inc0 has quit IRC20:16
dstanekdolphm: i don't think you know what fun means20:17
dasmdstanek: probably everything depends on point of view ;)20:18
*** rmevans has quit IRC20:19
dstanekdasm: true, so it's fun for dolphm to watch gmmaha solve it :=)20:29
* gmmaha has started the tests again with increased timeout20:29
gmmahadstanek: haha.. if only gmmaha knew how to20:30
dasmdstanek: xD20:30
*** rderose has joined #osic20:31
*** anush_ has quit IRC20:42
*** ccneill has quit IRC20:44
*** nadeem has quit IRC20:54
*** ccneill has joined #osic20:55
*** Mudpuppy has quit IRC20:58
*** anush_ has joined #osic21:02
*** homerp_ has joined #osic21:04
*** ankurgupta has joined #osic21:21
*** ChanServ sets mode: +o ankurgupta21:21
*** ankurgupta has left #osic21:21
*** homerp_ has left #osic21:32
*** sfinucan has quit IRC21:33
*** b3rnard0 is now known as b3rnard0_away21:54
*** anush_ has quit IRC21:59
*** anush_ has joined #osic22:00
*** raddaoui has joined #osic22:16
*** jlwhite_ has joined #osic22:28
*** jlwhite has quit IRC22:28
*** asettle has joined #osic22:36
*** KrishR has quit IRC22:41
*** spotz is now known as spotz_zzz22:42
*** anush_ has quit IRC22:46
*** jthorne has quit IRC22:48
*** ametts has quit IRC22:48
*** asingh has quit IRC23:02
*** asingh has joined #osic23:03
*** karthikp has quit IRC23:08
*** asingh has quit IRC23:11
*** jlwhite_ has quit IRC23:21
*** ccneill has quit IRC23:46
*** rahulunair has quit IRC23:52
« Sunday, 2016-04-10 Index Tuesday, 2016-04-12 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!