#openstack-barbican log

13:00:55 <redrobot> #startmeeting barbican
13:00:55 <openstack> Meeting started Tue Jan 12 13:00:55 2021 UTC and is due to finish in 60 minutes.  The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:58 <openstack> The meeting name has been set to 'barbican'
13:01:17 <redrobot> #topic Roll Call
13:01:20 <redrobot> Courtesy ping for ade_lee dave-mccowan hrybacki jamespage Luzi lxkong mhen moguimar raildo rm_work xek nearyo
13:01:28 <Luzi> o/
13:01:38 <redrobot> As usual our agenda can be found here:
13:01:40 <redrobot> #link https://etherpad.opendev.org/p/barbican-weekly-meeting
13:01:41 <moguimar> o/
13:03:21 <rajivmucheli> redrobot i am currently testing barbican upgrade to victoria release, i see the below from the barbican-api pod when i execute barbican-api --version :
13:03:21 <rajivmucheli> root@barbican-api-59765f4fcb-z27rq:/# barbican-api --version
13:03:23 <rajivmucheli> from paste import httpserver
13:03:23 <rajivmucheli> 2021-01-12 13:03:08,716.716 243 INFO barbican.model.repositories [-] Setting up database engine and session factory
13:03:24 <rajivmucheli> 2021-01-12 13:03:08,745.745 243 INFO barbican.model.repositories [-] Not auto-creating barbican registry DB
13:03:24 <rajivmucheli> 2021-01-12 13:03:08,746.746 243 INFO barbican.api.app [-] Barbican app created and initialized
13:03:25 <rajivmucheli> 2021-01-12 13:03:08,760.760 243 WARNING datadog.dogstatsd [-] Error submitting packet: [Errno 111] Connection refused, dropping the packet and closing the socket: ConnectionRefusedError: [Errno 111] Connection refused
13:03:25 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 CRITICAL barbican [-] Unhandled error: OSError: [Errno 98] Address already in use
13:03:25 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican Traceback (most recent call last):
13:03:26 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican   File "/var/lib/openstack/bin/barbican-api", line 17, in <module>
13:03:26 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican     run()
13:03:27 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican   File "/var/lib/openstack/bin/barbican-api", line 14, in run
13:03:27 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican     httpserver.serve(application, host='0.0.0.0', port='9311')
13:03:28 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican   File "/var/lib/openstack/lib/python3.8/site-packages/paste/httpserver.py", line 1338, in serve
13:03:28 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican     server = WSGIThreadPoolServer(application, server_address, handler,
13:03:29 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican   File "/var/lib/openstack/lib/python3.8/site-packages/paste/httpserver.py", line 1157, in __init__
13:03:29 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican     WSGIServerBase.__init__(self, wsgi_application, server_address,
13:03:30 <rajivmucheli> 2021-01-12 13:03:08,768.768 243 ERROR barbican   File "/var/lib/openstack/lib/python3.8/site-packages/paste/httpserver.py", line 1136, in __init__
13:04:04 <redrobot> rajivmucheli hey, thanks for joining.  We just started the weekly meeting, so maybe we can talk about it after the meeting is over?
13:04:07 <rajivmucheli> this is my 1st IRC meeting, apologise if i missed to update any pre-req, i can do it now, if guided.
13:04:14 <rajivmucheli> sure
13:04:30 <redrobot> no worries
13:04:35 <redrobot> just a suggestion for next time
13:04:49 <redrobot> try not to paste logs here as it floods the channel with messages
13:04:54 <redrobot> try using http://paste.openstack.org/ instead
13:05:13 <redrobot> OK, let's get started with the meeting
13:05:23 <redrobot> #topic Aciton Items From Last Meeting
13:05:33 <redrobot> #link http://eavesdrop.openstack.org/meetings/barbican/2021/barbican.2021-01-05-13.02.html
13:05:44 <redrobot> Looks like we didn't have any Action Items last week
13:05:52 <redrobot> (ps. thanks moguimar for running the meeting last week)
13:06:09 <redrobot> Moving on ...
13:06:20 <redrobot> #topic Liaison Updates
13:06:21 <moguimar> maybe check on the AI from your last meeting
13:06:25 <redrobot> moguimar?  tosky?
13:06:37 <moguimar> Oslo is droping lower constraints
13:06:47 <moguimar> and taking cursive under its umbrella
13:06:56 <moguimar> open to barbican contributions
13:07:04 <redrobot> I had a topic for Cursive in the agenda, but we can talk about it now
13:07:22 <redrobot> #topic Cursive
13:07:49 <redrobot> #link https://opendev.org/x/cursive
13:08:04 <moguimar> do you want to add anything else to that statement?
13:08:30 <redrobot> A little background for folks:  Cursive is a digital signing library
13:09:07 <redrobot> it's used by a few projects and the original maintainers have moved on to other things
13:09:25 <redrobot> There was an ML discussion to get new maintainers since it's still used by OpenStack
13:09:39 <redrobot> Let me fish that ML link
13:10:03 <tosky> (sorry , nothing from me, and I haven't even updated the cursive patch)
13:10:08 <redrobot> #link http://lists.openstack.org/pipermail/openstack-discuss/2020-December/019430.html
13:10:19 <redrobot> TL;DR Oslo owns Cursive now
13:10:46 <redrobot> but our team will also have core reviewer votes as we are somewhat SMEs for crypto stuff
13:10:56 <tosky> and guess why :)
13:11:07 <redrobot> tosky ?
13:12:19 <redrobot> why is that? 🤔
13:13:21 <tosky> guess why you are considered SMEs for crypto stuff :D
13:13:44 <redrobot> 🤔🤔🤔
13:14:50 <tosky> maybe the fact that barbican is "crypto stuff" :)
13:15:02 <redrobot> lol
13:15:06 <tosky> ok, ok, it was a cheap attempt of joking
13:15:33 <redrobot> I lol'ed for real though 😝
13:16:02 <redrobot> moguimar can we get an updated dashboard link that pulls in Cursive reviews?
13:16:11 <moguimar> will do
13:16:17 <redrobot> Thanks!
13:16:39 <redrobot> #action moguimar to use his gerrit-foo to make us a new dashboard link that includes Cursive reviews
13:16:54 <redrobot> OK, moving on
13:17:00 <redrobot> #topic Kanban Review
13:17:17 <redrobot> #link https://tree.taiga.io/project/dmend-openstack-barbican/kanban
13:17:33 <redrobot> No updates from me here
13:17:57 <redrobot> Just got back into the office yesterday after a few weeks off, so I'm just starting to get back into the swing of things
13:20:10 <redrobot> #topic Cycle checkin
13:20:14 <redrobot> #link https://releases.openstack.org/wallaby/schedule.html
13:20:28 <redrobot> Wallaby-2 milestone is coming up next week
13:20:51 <redrobot> I will try to get the Microversions patch and Secret Consumers patches up before then
13:21:00 <redrobot> 🤞🤞
13:21:43 <redrobot> Also, it does not look like we have any specs for review this cycle:
13:21:45 <redrobot> #link https://review.opendev.org/q/project:openstack/barbican-specs+status:open
13:22:04 <redrobot> So if you're thinking of a spec for Wallaby now is the time to get it up for review.
13:23:43 <redrobot> Any questions/comments about Wallaby-2?
13:25:46 <redrobot> OK, moving on
13:25:49 <redrobot> #topic Bug Review
13:25:53 <redrobot> #link https://storyboard.openstack.org/#!/project_group/barbican
13:26:07 <redrobot> Looks like no new bugs in the Barbican Storyboards
13:26:30 <redrobot> #link https://bugs.launchpad.net/castellan/+bugs?orderby=-id&start=0
13:26:35 <redrobot> and also no new bugs in Castellan
13:26:49 <redrobot> #topic Wayward Reviews
13:27:00 <redrobot> #link https://tinyurl.com/y3ydwmkl
13:28:42 <moguimar> https://review.opendev.org/c/openstack/barbican/+/768512
13:30:50 <redrobot> moguimar I think I will -1 that one
13:31:20 <redrobot> the MKEK and HMAC labels don't have defaults in the config
13:31:22 <redrobot> #link https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L50-L51
13:31:53 <redrobot> and the rest of the instructions in that doc all use the convention of $HSM_NAME_mkek_0 and $HSM_NAME_hmac_0
13:31:54 <moguimar> I see
13:32:00 <moguimar> I just think the new name is more generic
13:32:15 <redrobot> I think the new name looks ugly :-P
13:32:41 <moguimar> yeah, but when you see something like that, you know you can name it whatever
13:32:47 <moguimar> not a fixed value
13:32:49 <redrobot> at least make both barbican_hmac_0 or my_hmac and my_mkek
13:32:58 <moguimar> sure
13:33:06 <moguimar> my_... works
13:33:24 <moguimar> make that suggestion then
13:34:03 <redrobot> will do
13:34:32 <moguimar> https://review.opendev.org/c/openstack/barbican/+/767275
13:34:49 <moguimar> it took me a while on this one to actually look at the classifiers
13:34:54 <moguimar> in pypi
13:35:19 <redrobot> LGTM
13:35:50 <redrobot> https://review.opendev.org/c/openstack/barbican/+/768000
13:35:58 <moguimar> and translations
13:36:00 <moguimar> https://review.opendev.org/c/openstack/barbican/+/768000
13:36:02 <moguimar> yeah, same
13:36:34 <moguimar> needs approval
13:36:36 <moguimar> https://review.opendev.org/c/openstack/barbican/+/769090
13:37:26 <moguimar> ah, I see you have already reviewed those
13:37:44 <moguimar> https://review.opendev.org/c/openstack/castellan/+/767726
13:37:50 <moguimar> wanna ship this one?
13:38:03 <moguimar> we decided on single approval, but you can put your finger on it =P
13:39:14 <redrobot> done
13:40:10 <redrobot> Easy one https://review.opendev.org/c/openstack/barbican-specs/+/769264
13:41:09 <moguimar> I was like "again? didn't I just +w this one?"
13:41:58 <redrobot> hehe
13:42:29 <moguimar> and it is finally snowing
13:42:32 <redrobot> I think that's it for easy reviews
13:42:38 <moguimar> yeah
13:42:48 <redrobot> Yeah, it's really freakin' cold over here too
13:42:53 <moguimar> open discussion? so rajivmucheli can have his questions?
13:42:59 <redrobot> woke up to 32 F ( 0 C)
13:43:05 <redrobot> #topic Open Discussion
13:43:38 <rajivmucheli> if this is better http://paste.openstack.org/show/801555/ ?
13:46:43 <redrobot> rajivmucheli yes, much better, thank you
13:46:49 <redrobot> > [Errno 98] Address already in use
13:47:05 <redrobot> my guess is there may be some other service running on that port?
13:47:09 <rajivmucheli> yes, the ps -ef shares the o/p
13:48:26 <rajivmucheli> ideally, barbican-api --version should ideally share an o/p, right ? i have the same setup to create openstack containers, i dont get this error for other services.
13:48:38 <openstackgerrit> Merged openstack/barbican-specs master: remove unicode from code  https://review.opendev.org/c/openstack/barbican-specs/+/769264
13:49:28 <redrobot> not sure what you mean by o/p ?
13:49:46 <rajivmucheli> output **
13:51:48 <redrobot> well, output should go to stdout, but I think that error means that the process can't bind to the 0.0.0.0:9311 address
13:51:57 <redrobot> maybe there is another process using that port?
13:52:10 <redrobot> are you running only this barbican container?
13:53:14 <rajivmucheli> yes, only barbican-api container is running in the barbican pod
13:53:14 <redrobot> Is this an exec command after you started the container?
13:53:29 <rajivmucheli> yes, its an exec into the container.
13:53:33 <redrobot> OH!
13:53:37 <redrobot> yeah, that won't work
13:53:49 <redrobot> when you start the container a barbican-api process binds to that port
13:54:02 <redrobot> that command is trying to exec a new process, so it won't work
13:54:26 <redrobot> what you can do instead is something like "curl http://0.0.0.0:9311" outside the container
13:54:33 <redrobot> and if things are working you should get a response
13:54:49 <rajivmucheli> okay, i wanted this confirmation! prior to upgrading to victoria release
13:55:08 <rajivmucheli> thanks, so barbican is designed to work this way on port 9311 ?
13:57:41 <rajivmucheli> is it possible to get a secret by its name ? i see its restricted to URI only https://docs.openstack.org/python-openstackclient/latest/cli/plugin-commands/barbican.html#secret-get.
13:58:22 <redrobot> currently we do not support getting secret by name
13:58:33 <redrobot> but you can use only the UUID, not the full URI
13:58:46 <redrobot> And yes, barbican runs on port 9311 by default
13:58:53 <redrobot> but you can configure that any way you want
13:59:04 <redrobot> also bin/barbican-api is not necessarily a production-ready script
13:59:16 <redrobot> I think Kolla uses uwsgi in front of barbican
13:59:36 <redrobot> but you can also use apache+mod_wsgi
14:00:18 <redrobot> Aaaand we're out of time for the meeting
14:00:27 <redrobot> (but I'll stick around if you still have questions rajivmucheli)
14:00:33 <redrobot> Thanks for joining everyone
14:00:35 <redrobot> #endmeeting