21:00:12 <timburke> #startmeeting swift 21:00:12 <opendevmeet> Meeting started Wed Mar 16 21:00:12 2022 UTC and is due to finish in 60 minutes. The chair is timburke. Information about MeetBot at http://wiki.debian.org/MeetBot. 21:00:12 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 21:00:12 <opendevmeet> The meeting name has been set to 'swift' 21:00:22 <timburke> who's here for the swift meeting? 21:00:39 <acoles> o/ 21:01:07 <mattoliver> o/ 21:02:11 <timburke> as usual, the agenda's at https://wiki.openstack.org/wiki/Meetings/Swift 21:02:38 <timburke> first up 21:02:41 <timburke> #topic ptg 21:03:05 <timburke> i signed up for meeting times, though i haven't put them on the etherpad yet. will do that shortly 21:04:11 <timburke> all 1300-1700 UTC (sorry mattoliver, you can definitely bail early ;-) 21:04:12 <mattoliver> kk 21:05:04 <mattoliver> Will just try and be a night owl that week 21:05:56 <acoles> I feel bad for Matt 21:06:08 <timburke> speaking of the etherpad, thanks for adding topics! we should have a good bit to talk about :-) 21:07:20 <timburke> if you haven't already, please register (i realized late last week that i still hadn't) 21:07:22 <timburke> #link https://openinfra-ptg.eventbrite.com/ 21:08:03 <timburke> that's all i've got for the ptg 21:08:12 <timburke> #topic 2.29.1 release 21:08:39 <timburke> i still want to get one more release out, and i think my deadline's this week 21:09:01 <timburke> it's smaller than the last couple releases, but i think that 21:09:06 <timburke> 's a good thing :-) 21:09:27 <timburke> if you have a chance, please look over the changelog 21:09:30 <timburke> #link https://review.opendev.org/c/openstack/swift/+/833718 21:09:44 <mattoliver> Not swift release related, but I did push up a patch yesterday to add formpost sig generation support to swiftclient. 21:09:56 <mattoliver> but I guess its too late to do another swiftclient release 21:10:18 <mattoliver> cause then we can wait a cycle and remove the formpost tool from swift (if we squeezed it in) 21:10:38 <timburke> yeah, unfortunately, the client deadline passed a bit ago 21:10:52 <mattoliver> oh well. next time then, I guess no rush 21:11:20 <timburke> the big reason i want one more server release is that top item: "This is the final stable branch that will support Python 2.7." 21:11:36 <timburke> want to make sure we're broadcasting that loud and clear :-) 21:11:58 <mattoliver> yeah +1, thats important. 21:12:05 <timburke> next up 21:12:16 <timburke> #topic drop py2 from swiftclient 21:12:36 <timburke> are there any objections to getting moving on that, like, *now*? 21:13:32 <timburke> there's a change i wanted to approve, but it touches requirements, and we've got a py2-only requirement that's keeping the requirements-check job from passing 21:13:37 <acoles> timburke: did you want to get the SHA1 deprecation in this release https://review.opendev.org/c/openstack/swift/+/525771 ? 21:14:10 <timburke> *shrug* either way. it's sat around *this* long... 21:14:22 <acoles> maybe the swiftclient side needs fixing first anyway 21:14:33 <acoles> so, yeah, defer 21:14:42 <timburke> good point 21:16:08 <timburke> since we've already got the stable/yoga branch cut for swiftclient, it seems like dropping py2 ought to be ok 21:18:00 <timburke> well, i'm not hearing any objections, anyway ;-) 21:18:11 <timburke> #topic safer WSGI server reloads 21:19:06 <timburke> i was playing with our SIGUSR1 handling, and generally, it's pretty great: server reloads, and clients never notice 21:19:48 <timburke> sometimes, though, it all goes terribly: server re-exec's, then immediately dies, and client traffic stops 21:20:52 <acoles> :( 21:20:58 <timburke> this can happen if, say, you accidentally write out a config that's invalid. or if you're trying to switch between py2 and py3, but not all your proxy middlewares are installed for py3 21:21:20 <timburke> so i put together a couple changes 21:21:24 <timburke> #link https://review.opendev.org/c/openstack/swift/+/833124 21:22:27 <timburke> adds a --check-config option to all the WSGI servers -- they'll go through all the normal set-up stuff right up to the point of opening sockets 21:23:08 <mattoliver> oh nice 21:23:09 <timburke> with that, you can verify the config before sending the reload signal 21:23:44 <timburke> if you want to use it in a systemd unit, though, the ExecReload gets a little hairy 21:23:58 <timburke> #link https://review.opendev.org/c/openstack/swift/+/833174 21:24:24 <timburke> tries to make that a good bit better by introducing a new swift-reload command 21:24:48 <timburke> it'll handle the config check, sending the signal, and waiting for the reload to complete 21:25:34 <timburke> so by the time it terminates, the clients should only be able to connect to servers running the new config 21:26:10 <timburke> that second one still needs a boatload of tests, though 21:26:13 <mattoliver> what happens is the config is wrong, errors and leaves the old servers still running? 21:26:54 <timburke> yup -- swift-reload exits non-zero and doesn't send any signal 21:27:17 <mattoliver> assumed so, but just wanted to confirm :) 21:27:40 <mattoliver> this is really cool! 21:28:22 <timburke> next cool thing for me to hack on would be making more use of the systemd notify socket :-) 21:28:42 <timburke> that's all i've got 21:28:48 <timburke> #topic open discussion 21:28:55 <timburke> what else should we talk about this week? 21:29:41 <mattoliver> I dont have too much, I dumped it all into the PTG etherpad :P 21:30:08 <mattoliver> I made a follow up sha1 deprecation of formpost 21:30:35 <mattoliver> but to make it work I had to give formpost some extra love too. Can't deprecate sha1 when it only supported sha1 :P 21:30:57 <mattoliver> Which is what snowballed into creating a swiftclient subcommand for formpost 21:31:24 <mattoliver> #link https://review.opendev.org/c/openstack/swift/+/833713 21:31:30 <timburke> thanks for all that :-) i had this feeling like there might be some scope creep 21:31:55 <mattoliver> #link https://review.opendev.org/c/openstack/python-swiftclient/+/833954 21:33:26 <mattoliver> The first deprecates sha1, but for the moment still allows it (don't have to specify in config) but if you do you'll get deprecation warnings in log. So slightly different then tempurls. 21:36:01 <mattoliver> Anyway, just a heads up. 21:36:39 <timburke> how do we feel about the approach i took for tempurl? should i continue to allow sha1 by default but log a warning? i think i'd considered it, but backed off when i thought about how it would encourage ops to explicitly set the allowed_digests (to quiet the warning) which might cause pain later if we ever wanted to drop sha256, say 21:37:28 <mattoliver> I think for tempurl it's ok. we've supported other digests for ages, so they have to opt in. 21:37:47 <timburke> it seemed like "more secure by default" was fairly defensible stance to take -- but in the extreme, like we'd have for formpost, i'm not sure it holds up 21:38:17 <mattoliver> formpost they haven't had a chance yet, so wanted to make sure it's still all ok. although I did change the default to sha512, so lazy people will migrate by default ;) 21:38:51 <timburke> mattoliver, still a question of how long *clients* have supported sha256 tempruls, though :-/ 21:40:07 <timburke> well, as long as we're planning on both these things moving forward in the next cycle, i suppose we could wait to hash it out until the PTG :P 21:40:18 <mattoliver> true :) 21:41:48 <timburke> all right, i'm'a call it and let acoles get to bed :-) 21:41:58 <mattoliver> kk :) 21:41:59 <timburke> thank you for coming, and thank you for working on swift! 21:42:03 <timburke> #endmeeting