21:59:26 <hub_cap> #startmeeting reddwarf
21:59:27 <openstack> Meeting started Tue Jan 29 21:59:26 2013 UTC.  The chair is hub_cap. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:59:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
21:59:30 <openstack> The meeting name has been set to 'reddwarf'
21:59:36 <SlickNik> hello there
21:59:40 <datsun180b> hiya
21:59:40 <hub_cap> howdy SlickNik
21:59:40 <vipul> here
21:59:44 <hub_cap> and everyone else :)
21:59:54 <hub_cap> #link http://wiki.openstack.org/Meetings/RedDwarfMeeting
21:59:57 <juice> here
22:00:02 <juice> present
22:00:08 <hub_cap> lets give a minute for the tricklers
22:00:10 <dkehn> ding
22:00:12 <jcooley> afternoon
22:00:15 <SlickNik> sounds good.
22:00:41 <imsplitbit> bam
22:00:47 <hub_cap> lol hi imsplitbit
22:00:55 <imsplitbit> howdy
22:01:01 <imsplitbit> sorry I'm late
22:01:13 <hub_cap> ok lets rock this, we have enough
22:01:14 <datsun180b> he started a minute early
22:01:16 <grapex> Greets
22:01:17 <hub_cap> grapex says he will be late
22:01:20 <datsun180b> won't hold it against him though
22:01:21 <hub_cap> WOAH nice grapex!
22:01:31 <imsplitbit> grapex, you live!
22:01:48 <hub_cap> #topic action items
22:02:02 <hub_cap> vipul: link us your bp plz sir
22:02:06 <hub_cap> for quotas
22:02:17 <vipul> #link https://blueprints.launchpad.net/reddwarf/+spec/quotas
22:02:25 <SlickNik> cool, thanks...
22:02:40 <vipul> annashen, juice added a bunch to this one
22:02:49 <vipul> i think this needs a good review, and some discussion
22:02:55 <vipul> which i've put as part of the agenda later
22:02:57 <hub_cap> hokey. and we have a topic right?
22:03:05 <SlickNik> they've also got a bunch of info up on the openstack wiki...
22:03:34 <hub_cap> so the testr BP
22:03:40 <dkehn> link to the wiki again
22:04:00 <vipul> #link http://wiki.openstack.org/reddwarf-quotas
22:04:01 <SlickNik> #link http://wiki.openstack.org/reddwarf-quotas
22:04:01 <dkehn> gotit
22:04:02 <juice> grr yes the wiki is more complete let me link to that
22:04:09 <juice> thanks vipul and nik
22:04:10 <hub_cap> nice
22:04:26 <hub_cap> so lets defer too much convo to the actual topic in the meeting
22:04:30 <SlickNik> Yes, we have a topic for discussion on this,
22:04:31 <SlickNik> sounds good.
22:04:34 <hub_cap> and breeze thru these action items
22:04:46 <hub_cap> as for testr BP, i reviewed last wk. the only suggestion i have is that i dont think we need to put the files that are changing in the BPs
22:04:57 <vipul> testr Blueprint... I think we had some discussions here in the office, agreed to put everything testr related in /reddwarf/tests/unittest
22:04:57 <hub_cap> otherwise the content is good... cna someone link it?
22:05:05 <hub_cap> ok that makes sense
22:05:20 <vipul> #link https://blueprints.launchpad.net/reddwarf/+spec/testr-unit-tests
22:05:30 <SlickNik> thanks vipul
22:05:34 * CaptTofu is lurking
22:05:39 <hub_cap> HAI!
22:05:41 <vipul> i think the idea was to show where tests would live, right esp?
22:05:48 <hub_cap> ya ive seen a few of the BPs have full file listings
22:05:49 <SlickNik> welcome aboard, capt!
22:05:52 <esp> yeah I think so
22:05:53 <vipul> welcome CaptTofu
22:06:02 <CaptTofu> hi!
22:06:10 <vipul> but yea, generally probalby don't need to have every file being changed listed in the bp
22:06:14 <hub_cap> there was another recent one that had the 3 files (the guest conf grant chante one)
22:06:15 <CaptTofu> one needs a break from chef
22:06:37 <hub_cap> :)
22:06:38 <esp> we decided to kill off the 'functional' package and shove everything under unittest I think.
22:06:46 <hub_cap> ok that works for me esp
22:06:54 <esp> #link https://blueprints.launchpad.net/reddwarf/+spec/create-restricted-root-account
22:07:10 <esp> ^^ we are still working out the details of this one
22:07:23 <hub_cap> ya i love the content of that BP im just not sure we need the files at the top of it
22:07:25 <vipul> any opposition to having a seaprate dbaas.conf file?
22:07:27 <esp> but yeah it involves adding a new config for the grant
22:07:45 <hub_cap> id prefer a separate guest conf file personally
22:07:56 <hub_cap> so we know where the split is if we create a different guest :)
22:08:09 <esp> k, I will fix the content of the BP
22:08:11 <hub_cap> but we got a bit OT on that one :)
22:08:30 <hub_cap> we are on housing multiple images action item
22:08:34 <cp16net> #agrees with hub_cap on separate guest conf
22:08:41 <hub_cap> i think weve beat that one to the ground right?
22:08:53 <SlickNik> lol, yea…I think so...
22:08:54 <hub_cap> :)
22:08:57 <vipul> esp: seems like we need a separate one then
22:09:21 <esp> vipul: yeah I'm good with that
22:09:33 <hub_cap> ya /me wants separate config.. it makes more sense
22:09:34 <vipul> just to be clear, there's gonna be a guestagent.conf.. and another conf for things like grants
22:09:45 <hub_cap> ok now im confused
22:09:46 <vipul> thigns that are hard-cdoed in dbaas.py could live there
22:09:48 <vipul> lol
22:09:49 <hub_cap> lets table this
22:09:49 <vipul> though so
22:09:52 <esp> also note that we are note going to put the actual GRANT stmt in the config but we'll build it in code as per steveleon
22:09:54 <vipul> come back to it
22:09:59 <hub_cap> and put it on the agenda so we can get thru action items
22:10:12 <esp> k
22:10:14 <hub_cap> vipul: can u amend the agenda?
22:10:24 <hub_cap> Slicknik working on making integration tests run post devstack install + local.sh run for CI <-- you are up SlickNik
22:10:32 <vipul> yep
22:10:38 <hub_cap> should we table this to the CI section?
22:10:42 <SlickNik> Okay, so I'm fixing up the two problematic tests...
22:11:01 <hub_cap> there are 2 action items SlickNik owns, go head and chat em up
22:11:16 <SlickNik> issues were being caused by apparmor and upstart trying to continuously start up mysql.
22:11:17 <hub_cap> problematic tests? speed wise? or mucking up content?
22:11:19 <hub_cap> AHH
22:11:31 <hub_cap> im pretty sure upstart _is_ the devil
22:11:43 <SlickNik> because of this the log files were never actually getting _fixed_
22:12:08 <hub_cap> ya, grapex told me about that one recently
22:12:14 <vipul> it's the restart tests - problem only seems to be evident on cloud servers.. since it's much slower
22:12:21 <SlickNik> anyhow, after these fixes are in all the blackbox tests should run clean.
22:12:45 <hub_cap> coolness
22:12:52 <SlickNik> Also, we had to take some smaller fixes to make the build/tests run under devstack-vm-gate.
22:12:56 <hub_cap> thats great news. then its hook into gerrit time :)
22:13:10 <grapex> Did it seem like there was anything we could change to make the tests catch that bug every time?
22:13:14 <hub_cap> cool SlickNik i figured there would be a bit of work there...
22:13:16 <cp16net> thats awesome news!
22:13:25 <grapex> Instead of just on the slower environment?
22:13:27 <SlickNik> and there's a couple more I need to code up that have to do with us always using for the host ip..
22:13:36 <SlickNik> vm-gate uses
22:13:37 <vipul> grapex: I think an explicit 'stop' call may work
22:13:45 <dkehn> and timeout issues with test_instance_created
22:14:03 <hub_cap> SlickNik: Ahhhh i was wondering why u mentioned removing that hardcode... thx for the info
22:14:22 <SlickNik> Should be able to get to that by tomorrow, so ever inching closer.
22:14:27 <hub_cap> so that takes care of 4, 5, and 6
22:14:30 <hub_cap> SlickNik: AWESOME
22:14:47 <vipul> hub_cap: http://eavesdrop.openstack.org/meetings/reddwarf/2013/reddwarf.2013-01-22-22.01.html
22:14:52 <hub_cap> vipul: #7 is you, once u and grapex figured out the apparmore thing u were good to og right?
22:14:53 <vipul> are you on the right one?
22:15:07 <hub_cap> WEAK vipul no im not
22:15:10 <hub_cap> stale link
22:15:20 <vipul> lol
22:15:29 <vipul> was cornfused
22:15:30 <SlickNik> heh, I was wondering too..
22:15:38 <hub_cap> so that takes care of 2, 3 and 4 :)
22:15:49 <juice> just one other note - on images, test and performance…I am digging into the over performance issues with the disk image builder images
22:16:15 <vipul> #info juice looking into why diskimage builder images are slower
22:16:18 <hub_cap> if its over performing lets not look at it too hard /rimshot
22:16:27 <juice> I wish
22:16:42 <cp16net> lol
22:16:46 <juice> hub_cap: its a dog
22:16:57 * hub_cap sheds a tear
22:17:04 <hub_cap> so i spoke w/ heckj wrt the api
22:17:04 <SlickNik> I think it's an overperforming underperformer :P
22:17:08 <hub_cap> :)
22:17:10 <vipul> heh
22:17:14 <heckj> ??
22:17:21 <hub_cap> hi lurker
22:17:26 * heckj waves
22:17:36 <heckj> I thought I'd been summoned
22:17:44 <hub_cap> nope just talked _about_
22:17:59 <hub_cap> we exchanged emailses about the spec and what some good lessons learned are, ill foward them to u vipul
22:18:15 <vipul> soudns good
22:18:23 <hub_cap> #action hub_cap to forward joe hecks (so i dont mention his irc name heckj) email to vipul
22:18:29 <heckj> heh
22:18:33 <hub_cap> see how i did that there :P
22:18:51 <hub_cap> so our internal team does _not_ like the 1.0 2.0 spec change
22:18:56 <hub_cap> so we might just roll w/ a 1.1 spec
22:19:00 <heckj> vipul, hub-cap: I don't think anything was terribly private in there, do with it as you please
22:19:10 <hub_cap> <3 heckj
22:19:22 <hub_cap> and we are currently reviewing the internal 1.0 spec as per our doc writer, it should be up soon
22:19:33 <vipul> hub_cap... what's the issue with 1.1 vs 2.0?
22:19:37 <heckj> mostly my with-a-bourbon reflections on what went ok and what fucked up doing spec writing and pimping
22:19:48 <hub_cap> mmmm bourbon
22:20:05 <hub_cap> well since we havent changd the api significantly from the 1.0 api, why not roll w/ 1.1 since its just mroe features
22:20:18 <hub_cap> was their question.. and it makes sense
22:20:28 <vipul> right, agreed, not a compatilibity change
22:20:29 <hub_cap> no reason to go 2.0 until we break the 1x contract
22:20:31 <hub_cap> yup
22:20:41 <SlickNik> gotcha
22:21:01 <vipul> hub_cap: you have a 1.1 API flushed out?
22:21:14 <hub_cap> vipul: nope we have a full day meeting planned next wk
22:21:24 <hub_cap> so any features u have already fleshed out, send our way
22:21:29 <hub_cap> or btter yet, blueprint :)
22:21:33 <vipul> hub_cap: please forward our way
22:21:40 <vipul> hub_cap: we have a snapshots blueprint just filed
22:21:51 <vipul> I need to come up with an API around it
22:21:52 <hub_cap> DEF. itll be up on the database-api (but ill send u a working copy first)
22:21:55 <vipul> that's not quite int he BP yet
22:21:58 <hub_cap> cool
22:22:13 <hub_cap> ya id like ot not reinvent the wheel for that since uve done it already
22:22:21 <hub_cap> and we have done work for the my.cnf edits api as well
22:22:32 <hub_cap> so we can turn it into a nice little doc and go bakc and forth a bit on it
22:22:43 <hub_cap> #link http://wiki.openstack.org/Reddwarf
22:22:47 <hub_cap> ^ ^ needs love
22:22:47 <vipul> cool... hopefuly next couple of weeks we can get a few of thos big items flushed out
22:22:55 <hub_cap> vipul: i think next week ill have something for u
22:23:13 <hub_cap> i do like that yall put the quotas BP up on that, and i like even more the under construction sign is still there :)
22:23:24 <hub_cap> (sorry ive moved on to the next action item)
22:23:46 <vipul> #action everyone add more content to wiki
22:23:53 <hub_cap> #agreed
22:24:10 <hub_cap> juice: percona bits to integration, hows that comin?
22:24:11 <juice> I can document the disk image builder stuff there
22:24:17 <hub_cap> nice plz do juice
22:24:27 <juice> hub_cap: that was handed off to two folks here
22:24:40 <juice> I think they are just working on getting the flags/switches in there
22:24:52 <vipul> SlickNik or I can document how to get RD intalled with devstack
22:24:55 <hub_cap> great. who is the new handler?
22:24:56 <juice> Though I don't know if they have yet gotten guest agent to set status to ACTIVE
22:24:59 <SlickNik> #action SlickNik to document info about the new devstack - redstack build to the wiki
22:25:07 <vipul> thanks
22:25:22 <SlickNik> no worries, I'll run it by you vipul...
22:25:24 <vipul> kaganos, kmansel
22:25:29 <hub_cap> ok perfect
22:25:31 <kaganos> hey
22:25:40 <vipul> updates on Percona image?
22:25:42 <kaganos> sorry, we're head down into something here ...
22:25:46 <kaganos> what was the question?
22:25:49 <hub_cap> #action kaganos and kmansel own percona bits for integration
22:25:58 <hub_cap> kaganos: just wondering update on status, no worries
22:26:03 <kaganos> k
22:26:11 <hub_cap> do what u gotta do we can talk in #reddwarf later
22:26:14 <kaganos> status="working on it...
22:26:16 <kaganos> "
22:26:17 <hub_cap> :)
22:26:24 <hub_cap> ha i got my smiley in your quotes
22:26:41 <hub_cap> so grapex and steveleon, how did the test reviews go?
22:27:19 <vipul> I know the final review got merged...
22:27:24 <vipul> guest agent 100%
22:27:44 <grapex> There's one open from Deniz Demir I haven't looked at yet. Sorry, I've been ill.
22:27:45 <hub_cap> nice!!
22:27:45 <steveleon> yup
22:27:53 <steveleon> had some help from grapex....
22:27:56 <hub_cap> grapex: caught the black lung
22:28:00 <SlickNik> grapex is here!
22:28:07 <SlickNik> hope you're feeling better...
22:28:09 <hub_cap> and consequently is also a merman
22:28:10 <annashen> what's black lung
22:28:11 <grapex> Thanks
22:28:20 <juice> grapex: flu or cold?
22:28:20 <vipul> too many cigarettes
22:28:23 <grapex> hub_cap: water is the essence of liquid
22:28:24 <CaptTofu> cigarattitis
22:28:28 <steveleon> vipul, you were saying that there was some intermittent failures with some tests
22:28:46 <hub_cap> grapex: :)
22:28:50 <vipul> steveleon: yes, saw that last night on the 'coverage' patch... sqllite tests fail from time to time
22:29:10 <vipul> since they are run parallel
22:29:23 <steveleon> ugh... i wonder if it is the fake id we are passing
22:29:36 <hub_cap> did yall do the randomizing thing to it?
22:29:40 <grapex> vipul: lifeless mentioned that if we ran those tests with sqlite in memory only, we'd get rid of those parallel problems
22:30:02 <hub_cap> isint that what the nova/cinder/etal tests do?
22:30:06 <vipul> we probably should just do that... no point in having a separate file, since i think we teardown/recreate db
22:30:09 <vipul> on each test
22:30:37 <grapex> vipul: Yeah, we never actually make use of persiting the sqlite db.
22:30:43 <grapex> I'll make a blueprint to change that.
22:30:55 <vipul> #action grapex to file BP on in-memory sqlite
22:31:04 <steveleon> wouldnt a bug be sufficient?
22:31:20 <juice> I think it's just a param for connecting to sqllite
22:31:20 <vipul> steveleon, bug works too, shoudl be small
22:31:25 <grapex> steveleon: Is it breaking anything yet?
22:31:27 <juice> db:men or something like that
22:31:36 <SlickNik> rackers just want to flaunt the fact that they can create new bps :P
22:31:43 <steveleon> i havent seen
22:31:52 <steveleon> but it has been passing most of the time
22:31:53 <grapex> I say bp because we'll need to update redstack too. :(
22:32:16 <steveleon> i havent seen it fail running it locally
22:32:31 <SlickNik> Ah, I see grapex…
22:32:31 <steveleon> ok bp sounds good
22:32:42 <vipul> last action item...
22:32:45 <hub_cap> ok so the last action item is qutoas
22:32:46 <steveleon> i think it might just be a name change
22:33:05 <steveleon> so instead of specifying the filename, you specify ":memory:"... or something like that
22:33:22 <vipul> hub_cap you mentioned there was no consensus?
22:33:29 <datsun180b> that sounds about right
22:33:35 <hub_cap> wellllll..... vipul
22:33:38 <datsun180b> wrt :memory: and sqlite
22:33:58 <hub_cap> the consensus is that everyone has their own till someone ponys up and works on the kyestone one
22:34:15 <hub_cap> so that seems to me that we could do that as well
22:34:36 <hub_cap> we will be using repose so i dont think we will be contributing cycles to it, but we welcome reviews to makeing it a better system...
22:34:46 <hub_cap> i know currently we only have max volumes and max geebees
22:35:06 <vipul> i'd like to get a solution in there, that doesn't involve fixing up CI to support Java
22:35:14 <vipul> so that's why i lean towards an embedded solution
22:35:26 <hub_cap> sure, we might just keep the java bits internal
22:35:27 <vipul> a stop-gap until its added to keystone, or some place better
22:35:33 <hub_cap> apt-get install apache-tomcat ;)
22:36:06 <hub_cap> cool.. well that maeks the quotas conversation easy
22:36:14 <hub_cap> lets go on to CI tho as per th emeeting
22:36:15 <vipul> might be that simple.. but it'll be a much bigger deal in openstack-ci me thinks
22:36:29 <hub_cap> yup
22:36:35 <juice> hub_cap: why do you like the repose solution?
22:36:36 <vipul> yep, have an item to dicuss futher later anyway
22:36:38 <hub_cap> #topic testing-ci
22:36:56 <hub_cap> so i tihnk we got updated w/ whats going on w/ CI right? lets summarize
22:37:28 <hub_cap> #info SlickNik working on getting CI tests working w/ devstack vm gate, fixing small issues, support to come soon
22:37:29 <SlickNik> yes..
22:37:32 <hub_cap> is that good?
22:37:47 <hub_cap> anything more to add SlickNik?
22:38:13 <SlickNik> #info dkehn also working on devstack-vm-gate
22:38:18 <SlickNik> nope that's it.
22:38:35 <vipul> should have it pushed up to openstack CI this week (hopefully)
22:38:36 <SlickNik> The black box tests should be good to go soon.
22:38:43 <grapex> SlickNik: Nice!
22:38:54 <dkehn> thats if no more issues
22:39:04 <vipul> yup
22:39:10 <SlickNik> Just some more closing up on the devstack-vm-gate issues that keep cropping up. :)
22:39:25 <hub_cap> thatll be so cool
22:39:38 <hub_cap> ok do we have any unit test stuffs to talk about?
22:39:46 <hub_cap> if so ill mod the title otehrwise ill skip it
22:39:56 <vipul> nope
22:40:21 <hub_cap> hokey
22:40:27 <hub_cap> #topic quota consensus
22:40:41 <hub_cap> so i feel like we have consensus, let me sumarize
22:41:00 <hub_cap> #info quota support that mirrors cinder/nova will be added to reddwarf for the short to medium term
22:41:15 <hub_cap> #info eventually we will use what the other openstack projects use but that has yet to materialize
22:41:20 <juice> but rackspace is using repose
22:41:25 <hub_cap> #info rax to use repose internally
22:41:35 <vipul> hub_cap.. quick question about repose.. won't you need to add repose APIs ?
22:41:36 <juice> can I ask why you guys like that solution
22:42:02 <hub_cap> juice:  rax wrote repose, and uses it :)
22:42:19 <juice> hub_cap: that's a good answer
22:42:20 <hub_cap> vipul: ya if we _have_ to add apis we can
22:42:34 <vipul> hub_cap: ok..
22:42:41 <juice> as a matter of design/architecture what do you like about it
22:42:44 <vipul> hub_cap: rate limits, we ok with similar approach to nova?
22:42:46 <hub_cap> rate limits will be another one too...
22:43:02 <hub_cap> vipul: ya i think so vipul, we should call them limits, not quotas
22:43:06 <hub_cap> to support rate and absolute
22:43:19 <vipul> yup.. limits.py, possibly a request filter
22:43:29 <hub_cap> juice: we are evaluating it now, so lets give u that answer next wk
22:43:33 <hub_cap> :D
22:43:35 <juice> okie
22:43:38 <hub_cap> djohnstone: is your man for that
22:43:54 <djohnstone> back looking at that tomorrow
22:43:57 <vipul> hub_cap: there may be two use cases, one a filter (rate limits) and quotas really are checked upon time of creation)
22:43:59 <hub_cap> he just started on it but he can give a summary next meeting
22:44:05 <vipul> so may make sense to have them different
22:44:13 <hub_cap> vipul: likely there will be 2 different things
22:44:19 <hub_cap> i just meant we need to support limits of all types
22:44:25 <hub_cap> not that the code shoudl be the same :D
22:44:28 <vipul> ya
22:44:29 <vipul> ok
22:44:47 <hub_cap> i mean, if yall get limits done and they are AWESOME then we might use them :P
22:44:56 <vipul> #action djohnstone to give us an update on Repose?
22:45:06 <hub_cap> lol question mark at the end of that hah
22:45:08 <djohnstone> thanks vipul
22:45:12 <cp16net> lol
22:45:19 <vipul> makes it optional :D
22:45:27 <hub_cap> hahah nice
22:45:50 <hub_cap> ok we feel good about limits?
22:45:56 <vipul> ok we good, juice?
22:46:04 <SlickNik> Sounds like a plan to me.
22:46:07 <juice> yup
22:46:24 <hub_cap> coolness
22:46:33 <hub_cap> #topic User Management
22:46:49 <vipul> this is regarding the BP linked earlier...
22:47:06 <vipul> we wnat to be able to control grants given to root user on 'enableRoot'
22:47:08 <SlickNik> esp was briefly mentioning it earlier as well...
22:47:09 <hub_cap> ah okey. shall we discuss the multi config file together?
22:47:25 <hub_cap> vipul: i dont blame u for that. i think we talked about that too a while ago
22:47:44 <vipul> yes... any opposition to having those grants live in a separate config (different from guestagent.conf)
22:47:57 <vipul> since dbaas.py -- has a ton of grants/sql statement hard coded
22:48:01 <steveleon> so is it established that there will be a new conf file used only for root-privileges purposes?
22:48:14 <vipul> possibly this would be a config file that is gearted towards configuring dbaas.py
22:48:14 <hub_cap> so _why_ do we need yet another conf file?
22:48:32 <hub_cap> why cant we just put anotehr option in the conf file
22:48:47 <hub_cap> i thought, when i read that last night, that we were putting it all in the standard reddwarf.conf and got confused
22:48:49 <datsun180b> dbaas.py is going to get even more grants and statements shortly :3
22:48:51 <vipul> we _could_... although the thinking is that we're configuring a subset of the geust agent
22:48:52 <hub_cap> not the guest.conf
22:49:12 <vipul> no, not guest.conf that's diff
22:49:27 <hub_cap> vipul: but there is no notion of having > 1 config file anywehre in openstack... it just seems like its going against the current so to speak
22:49:33 <hub_cap> ok so these are run by the guest, right?
22:49:34 <hub_cap> the grants
22:49:40 <datsun180b> they are
22:49:43 <steveleon> correct
22:49:50 <hub_cap> why would the grants not be in the conf file that is given to the guest
22:49:51 <vipul> right... where do we move hard-coded sql statements
22:50:00 <steveleon> i was under the impression that you didnt want the option in the guestagent.conf
22:50:08 <hub_cap> steveleon: i was confused last night when i said that
22:50:15 <hub_cap> i saw reddwarf.conf i thought in that blueprint
22:50:16 <datsun180b> i vote pull them not into a static config file but as a module to be imported by dbaas.py
22:50:24 <esp> initially we were putting the full GRANT stmt in the config file which was pretty gross
22:50:39 <grapex> Is the idea that the image could be build with a conf file that lives in it with the grants, and the dynamic conf file would just point to it?
22:50:45 <steveleon> my opinion is to put them in the guestagent.conf
22:50:45 <esp> datsun180b: that's the approach sorta
22:51:17 <esp> so the ?.conf file will have a property:  root_grant= create delete update alter ….
22:51:18 <vipul> datsun180b.. there are certain things may need to enumerated.. like a list of privs that guest agnet could construct a grant statement from
22:51:22 <hub_cap> they are config values.... everyone will have different config values for their setups
22:51:24 <steveleon> put a list of all the privileges that root will have in a config file.. preferably guestagent.conf
22:51:33 <esp> and we will use the properties to build the GRANT stmt in code.
22:51:40 <hub_cap> steveleon: it _only_ seems right to put them there steveleon... im sorry for confusion
22:51:41 <steveleon> and dbaas.py will read from it and generate a grant sql query
22:51:53 <hub_cap> i feel like the email i sent out last night has caused all this
22:52:06 <esp> nah, we've been going back and forth on this
22:52:09 <hub_cap> general rule of thumb. if its a config that only the guest will use, put it in the guest.conf
22:52:19 <esp> it's already changed like 5
22:52:20 <esp> x
22:52:26 <hub_cap> if it sgonna differ from install to install put it in _a_ conf (not code)
22:52:29 <vipul> so... i see two tracks.. put them in a module imported by dbaas.py... another to add to reddwarf-guestagent.conf
22:52:46 <hub_cap> so given that both of those are true, it seems it should be ina config right?
22:52:52 <datsun180b> we have our own homegrown Query class to facilitate guest agent queries, we can build a Grant to go with it
22:53:01 <esp> yep, I see no big deal putting it into reddwarf-guestagent.conf
22:53:09 <hub_cap> esp: #agreed
22:53:11 <grapex> I like the config idea too.
22:53:15 <vipul> right, let's go with reddwaf-guestagent.conf
22:53:32 <esp> datsun180b: let's chat after, seems like that direction I'm going
22:53:36 <vipul> #info static grants to be configurable through reddwarf-guestagent.conf
22:53:44 <hub_cap> #agreed
22:53:46 <steveleon> another thing that surge from this discussion is the ability to have a disable-root feature
22:53:49 <SlickNik> I prefer having it in a conf, rather than a module since it really is configuration.
22:53:52 <cp16net> #agreed
22:54:08 <vipul> ok.. next item around this
22:54:13 <vipul> adding a new API to disable root user
22:54:15 <steveleon> this will make it easier for support to see if and how long the user have used root privileges
22:54:20 <vipul> #link https://blueprints.launchpad.net/reddwarf/+spec/revoke-root-user-api
22:54:24 <vipul> steveleon just filed
22:54:46 <vipul> any reason to not add this API?
22:54:48 <hub_cap> hmm... this is going to be a contention point :)
22:54:48 <datsun180b> esp: please do
22:55:04 <hub_cap> well... we dont add it cuz once u enable root your support model changes
22:55:11 <hub_cap> but thats a rackspace specific thing
22:55:22 <vipul> right, but you have a history of if it was ever enabled
22:55:35 <datsun180b> breaking the seal voids your warranty, in short
22:55:36 <vipul> so it's something that you could still use to determine that
22:55:40 <hub_cap> datsun180b: exactly
22:55:48 <hub_cap> vipul: there is, ther is a root history table
22:55:49 <grapex> I guess I don't see the point of disabling root once you have it, since by then the support model already changes.
22:56:05 <hub_cap> well the support model should not govern the code
22:56:13 <grapex> True
22:56:13 <hub_cap> and thats why i said "its a rax specific thing"
22:56:20 <vipul> grapex: there may be scenarios when the user needs it for a period of time to diagnose an issue.. but possible needs to turn it off when done
22:56:22 <hub_cap> so im kinda at odds w/ my brain here
22:56:22 <grapex> but I'm trying to figure out why someone would want that
22:56:36 <hub_cap> i see from a permissions standpoint
22:56:43 <hub_cap> dont want root being enabled remotely forever
22:56:50 <hub_cap> but want to get in, touch something, and get out
22:56:51 <hub_cap> right?
22:56:54 <grapex> vipul: I think then that may be a different concept. It seems like you're giving someone temporary root permissions, like say someone in support. Like it could be a mgmt api.
22:56:57 <esp> does the calling root create api to enable root multiple times have the same effect as resetting the root password?
22:57:02 <vipul> right, and another tangent.. problay wnat a role-based access to the 'enableRoot' API
22:57:04 <steveleon> hub_cap: correect
22:57:10 <grapex> esp: Yes
22:57:22 <vipul> hub_cap: exactly
22:57:37 <vipul> grapex: i don't see managemnt api something end user would have access to
22:57:50 <vipul> i see a 'dba' at some company that needs temporary elevated access
22:58:31 <hub_cap> ok i think that we need to talk internally about this
22:58:44 <vipul> hub_cap.. ok, we just filed this today.. please review, add comment to BP
22:58:45 <esp> yeah I'm not sold yet :)
22:58:48 <hub_cap> #action hub_cap to get back to vipul on root rmemove
22:58:53 <hub_cap> wow rmemove?!?!
22:58:58 <cp16net> yeah well we have history of when root was enabled
22:59:01 <hub_cap> #action hub_cap to learn how to type
22:59:28 <vipul> cp16net: right, that's what would be the determining thing for your suppor tmodel i'd imagine
22:59:36 <esp> cp16net: yeah the history thing is cool.  we were pondering how disable would fit in
22:59:51 <vipul> esp: temporary elevated privileges
22:59:55 <datsun180b> how can we determine which users can and can't use which api functions? would that eventually just grow into ACLs on api calls?
22:59:58 <cp16net> yeah we need to talk about this internally to figure that out
23:00:08 <vipul> datsun180b: we need to add additonal roles i think to API
23:00:35 <vipul> enableRoot shoudl only be accessible with a higher privileged user i thnk
23:00:38 <hub_cap> we need a policy like nova possibly...
23:00:40 <vipul> that's a different discussion
23:00:41 <datsun180b> user, superuser, and mgmt?
23:00:46 <vipul> yep
23:00:55 <cp16net> that could be handled with keystone right?
23:01:00 <hub_cap> but it can be whatever u want it to be... its configurable (nova policy)
23:01:02 <hub_cap> exactly cp16net
23:01:03 <esp> maybe would could enable root with a timeout…but perhaps that just complicates things...
23:01:19 <hub_cap> esp: naw, some people want root 200% of the tiem :)
23:01:29 <cp16net> thats x2
23:01:31 <datsun180b> just an authentication that doesn't allow renewals
23:01:34 <SlickNik> esp: I thought about that, but I don't like it...
23:01:38 <datsun180b> there's your timeout
23:01:39 <esp> yeah makes sense
23:02:14 <hub_cap> ok so we never changed topic to the dbaas.py/conf file, but we have consensus ya?
23:02:20 <hub_cap> ill topic change and jot it down
23:02:24 <vipul> oh yea, forgot that was a separate item
23:02:28 <vipul> we're good on that one now
23:02:29 <SlickNik> esp: I don't think that there would be a one size fits all timeout, so then we'd have to get into the business of configuring that, which could potentially get messy
23:02:34 <hub_cap> ok lets just #info it then
23:02:35 <datsun180b> throwing my hat in for that one
23:02:51 <esp> SlickNik: yep.  I hear ya.
23:02:52 <cp16net> SlickNik: yeah that would be messy quickly
23:02:52 <vipul> #info grants will go into reddwarf-guestagent.conf, not a separate file
23:02:57 <hub_cap> #info guest conf for configurable sql queries until we have a better solution
23:02:59 <hub_cap> doh u beat me to it
23:03:07 <hub_cap> #topic open discussion
23:03:16 <hub_cap> i dont have long, i have to run and clean my house (closing is thursday)
23:03:27 <cp16net> JOY
23:03:29 <hub_cap> thats my open discussion :)
23:03:34 <SlickNik> fun
23:03:38 <esp> hub_cap: congrats!
23:03:41 <steveleon> are you living in the bay-area now?
23:03:42 <vipul> #action vipul to file BP on additional roles in reddwarf (user, superuser, admin)
23:04:10 <SlickNik> FYI, it's worth a mention that the tests are successfully running on RAX cloud :)
23:04:20 <vipul> woah nice
23:04:21 <hub_cap> WOOO
23:04:28 <grapex> Cool
23:04:35 <esp> vipul: is that to address the revoke api call? or something else?
23:04:36 <hub_cap> steveleon: i will be flying out soon to look for a place, im in an apartment here
23:04:41 <cp16net> awesome
23:04:43 <hub_cap> in austin
23:04:57 <vipul> esp: it will be related to that... as well as limiting who can call 'enableRoot
23:04:59 <hub_cap> vipul: i tink that we should not be specific on that
23:05:09 <hub_cap> if we do a policy like nova does, it wont matter what _roles_ u want
23:05:21 <hub_cap> if u can say a user of role X can execute things in module Y
23:05:28 <hub_cap> which is what the nova policy file does
23:05:38 <vipul> hub_cap: ok, will mention that in BP.. have a policy that dictates RBAC
23:05:57 <cp16net> #define RBAC?
23:06:08 <vipul> role based access control :D
23:06:08 <SlickNik> Role Based Access Control, I believe.
23:06:15 <cp16net> ok :)
23:06:29 <hub_cap> vipul: yar
23:06:44 <hub_cap> it _kinda_ does that currently
23:06:56 <vipul> right, but it's limited to user/admin only?
23:07:05 <hub_cap> its limited to whatever u want really
23:07:06 <SlickNik> Currently just admin/non-admin, right?
23:07:09 <hub_cap> as long as u configure it
23:07:19 <hub_cap> https://github.com/openstack/nova/blob/master/etc/nova/policy.json
23:07:27 <hub_cap> u can make yoru own groups
23:07:45 <vipul> #info https://github.com/openstack/nova/blob/master/etc/nova/policy.json
23:07:47 <vipul> just what i needed
23:07:55 <hub_cap> its just a Yes/No system really, so u can make the groups yourself based on the expressions
23:07:56 <cp16net> nice
23:08:19 <cp16net> what applies this policy though?
23:08:22 <vipul> where do you implement the rule
23:08:29 <vipul> admin_or_owner example
23:08:30 <hub_cap> "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
23:08:32 <hub_cap> "context_is_admin":  "role:admin",
23:08:42 <hub_cap> those are at the top
23:08:45 <vipul> oh duh
23:08:48 <hub_cap> so u can say what the roles are :)
23:08:56 <hub_cap> and then put them accordingly in teh stuf down below
23:09:05 <hub_cap> :D
23:09:16 <SlickNik> I see.
23:09:16 <vipul> and it's just a filter that get's added to wsgi?
23:09:33 <hub_cap> now that im not 101% sure about but that _seems_ like itd be the only place for it
23:09:38 <hub_cap> i havent looked into how it works
23:09:48 <vipul> ok, cool that's a good start thanks for the info
23:10:08 <hub_cap> np!!
23:10:20 <hub_cap> i think itll hold us over till keystone has decent rbac
23:10:40 <hub_cap> god i wish thsi was all in nova-common
23:10:45 <hub_cap> err, oslo-incubator
23:10:48 <cp16net> yeah that _could_ work temp
23:11:10 <hub_cap> ok im out of things to discuss
23:11:14 <hub_cap> anyone else?
23:11:15 <vipul> yea temp is fine
23:11:19 <vipul> nope.. i'm good
23:11:20 <hub_cap> vipul: sweet
23:11:24 <hub_cap> welcome back esp
23:11:25 <hub_cap> :P
23:11:31 <vipul> excess flood?
23:11:37 <cp16net> esp's water was rising...
23:11:42 <cp16net> :-P
23:11:46 <esp> sorry..
23:11:51 <vipul> heh
23:11:54 <hub_cap> his float bobber got too high and pulled the blug
23:11:56 <hub_cap> *plug
23:12:01 <hub_cap> #action hub_cap still cant type
23:12:08 <esp> man tough crowd today.
23:12:08 <hub_cap> wait thats mroe info
23:12:13 <hub_cap> LOL
23:12:16 <hub_cap> ok im gonna call this
23:12:16 <cp16net> keep trying and surely one day....
23:12:24 <hub_cap> cp16net: LAWL
23:12:26 <hub_cap> #endmeeting