Wednesday, 2015-04-15

*** stanzi has joined #openstack-barbican00:03
redrobotalee_afk can you review as well?00:03
dave-mccowanredrobot, signing off for a couple hours.  i'll be back to rebase and finish up.  i'm in california this week, so i have several hours left in the day still. :-)00:16
*** dave-mccowan has quit IRC00:16
*** stanzi has quit IRC00:16
*** stanzi has joined #openstack-barbican00:17
openstackgerritMerged openstack/barbican: Fix expectations of order certificate test cases
openstackgerritMichael McCune proposed openstack/barbican: [WIP] Adding MySQL fixes to migrations
openstackgerritMerged openstack/barbican: Fix generating a CSR with an encrypted private key
*** stanzi has quit IRC00:21
*** SheenaG has quit IRC00:27
*** dimtruck is now known as zz_dimtruck01:00
*** SheenaG has joined #openstack-barbican01:27
*** woodster_ has quit IRC01:40
*** SheenaG has quit IRC01:59
*** gyee has quit IRC02:02
*** SheenaG has joined #openstack-barbican02:09
*** kebray has joined #openstack-barbican02:13
*** kebray has quit IRC02:14
*** kebray has joined #openstack-barbican02:17
*** woodster_ has joined #openstack-barbican02:19
*** SheenaG has quit IRC02:29
*** tkelsey has joined #openstack-barbican02:36
*** tkelsey has quit IRC02:42
*** kebray has quit IRC02:48
*** kebray has joined #openstack-barbican02:48
*** SheenaG has joined #openstack-barbican02:54
*** alee_afk has quit IRC04:07
*** SheenaG has quit IRC04:07
*** alee has quit IRC04:08
*** alee has joined #openstack-barbican04:08
*** alee_afk has joined #openstack-barbican04:09
*** crc32 has joined #openstack-barbican04:28
*** SheenaG has joined #openstack-barbican04:34
*** dave-mccowan has joined #openstack-barbican04:39
*** alee has quit IRC04:43
*** SheenaG has quit IRC04:44
openstackgerritDave McCowan proposed openstack/barbican: Fix functional test test_rsa_order_certificate_from_csr
*** kebray has quit IRC05:34
*** crc32 has quit IRC06:15
*** tkelsey has joined #openstack-barbican06:39
*** tkelsey has quit IRC06:44
*** woodster_ has quit IRC06:50
*** chlong has quit IRC07:35
*** jaosorior has joined #openstack-barbican07:49
openstackgerritDave McCowan proposed openstack/barbican: Fix base64 decoding of payloads in one-step POST
*** dave-mccowan has quit IRC08:09
*** tkelsey has joined #openstack-barbican08:13
*** jamielennox is now known as jamielennox|away09:52
*** rellerreller has joined #openstack-barbican12:48
*** woodster_ has joined #openstack-barbican12:50
*** elmiko has quit IRC13:01
*** elmiko has joined #openstack-barbican13:01
*** gitorres has quit IRC13:19
*** david-lyle has quit IRC13:24
*** joesavak has joined #openstack-barbican13:28
*** gitorres has joined #openstack-barbican13:30
*** xaeth_afk is now known as xaeth13:59
*** paul_glass has joined #openstack-barbican14:02
*** alee_afk is now known as alee14:02
*** SheenaG has joined #openstack-barbican14:18
*** rellerreller has quit IRC14:19
*** rellerreller has joined #openstack-barbican14:23
*** zz_dimtruck is now known as dimtruck14:33
hockeynutjaosorior good morning/afternoon - see my update to
*** SheenaG has quit IRC14:40
redrobottop 'o the mornin' barbicaneers14:51
*** joesavak has quit IRC14:53
redrobotrellerreller or kfarr around?14:56
rellerrellerredrobot give me a few minutes14:56
rellerrellerredrobot I'm available now15:02
redrobotrellerreller heya!  just looking over your comments on the KMIP plugin changes15:02
redrobotrellerreller I tried looking for pykmip docs but didn't find any, so I just went with my best guess >_<15:03
redrobotrellerreller sounds like we need to keep the PEM -> DER and DER -> PEM code in the util class15:03
redrobotrellerreller and handle the conversion inside the KMIP plugin?15:03
rellerrellerredrobot Yes, we will need that code for KMIP plugin15:04
redrobotrellerreller k, I'll make those changes.   Hopefully Dave is done poking at our shared CR15:04
rellerrellerThe KMIP plugin uses DER encoding, so we will need them.15:05
redrobotrellerreller cool.  any good resources for me to spin up on pykmip?15:06
rellerrellerredrobot me :)15:07
rellerrellerredrobot Let me ask Peter if he put up any docs on pypi. If not then you will need to ask us.15:08
rellerrellerredrobot Documentation is a big item for us in the near future. We just have not gotten around to much of that yet.15:08
redrobotrellerreller hehe, alrighty.  KMIP is definitely something I want to learn more about.  How far along is the Server side of pykmip?15:09
aleeredrobot, I'll try it out once the next version is out there -- hopefully it will be a little more stable.  I expect there will be dogtag changes required too.15:09
*** kebray has joined #openstack-barbican15:10
rellerrellerredrobot The server side still has a ways to go. Right now most of the development is on the client side.15:10
*** kebray has quit IRC15:10
redrobotrellerreller I see.  I was thinking that once the server is in good working order we could add a Devstack gate to barbican to test the KMIP plugin(s) against it.15:11
*** kebray has joined #openstack-barbican15:11
rellerrellerredrobot Our strategy is to start with the client side, so we have an open source library to talk to a device. Then we will focus on server side more.15:11
rellerrellerredrobot I would like to add a gate soon. I know that there was talk of adding hardware to support this.15:11
rellerrellerredrobot tkelsey may know more15:12
redrobotrellerreller yep, I was planning on checking up on the status with tkelsey in Vancouver.15:13
*** darrenmoffat has quit IRC15:13
*** darrenmoffat has joined #openstack-barbican15:14
rellerrellerredrobot I would like to see that happen. I think that will help us out a lot15:17
*** igueths has joined #openstack-barbican15:28
iguethsjvrbanac: Ping.15:29
woodster_redrobot, alee, rellerreller, elmiko please review this small CR...that migration file needs to be pulled in before Kilo releases please15:33
redrobotwoodster_ I looked at it earlier, but I'm not sure what the answer to his question is.15:33
redrobotwoodster_: lisaclark said we may be able to ping our DBAs for an answer.15:33
woodster_redrobot, this CR is just add missing fields to the retry table...ha, sorry this is the link:
redrobotwoodster_ oh, I thought you were talking about elmiko 's migration CR15:35
elmikowoodster_, redrobot, yea not sure about that question15:35
elmikowoodster_, redrobot, the weird part is that if you examine the schema (for either mysql or postgresql) before the migration i had a question about, the constraint key listed in the migration doesn't exist15:43
elmikoand looking at the code in i couldn't see the uniquie constraint on the foreignkey for project_id15:44
woodster_elmiko, I'll have more time to take a look at things today...I'd like to understand things a bit more as well15:45
elmikowoodster_: cool, thanks15:46
*** joesavak has joined #openstack-barbican15:47
*** rellerreller has quit IRC15:49
openstackgerritSteve Heyman proposed openstack/python-barbicanclient: Initial setup for command line tests
*** SheenaG has joined #openstack-barbican15:59
*** peter-hamilton has joined #openstack-barbican16:00
*** kebray has quit IRC16:02
*** rm_you| is now known as rm_you16:03
rm_workgrats jraim :P16:14
*** dave-mccowan has joined #openstack-barbican16:20
*** kebray has joined #openstack-barbican16:22
dave-mccowanredrobot, good morning16:25
*** dave-mccowan has quit IRC16:25
*** dave-mccowan has joined #openstack-barbican16:25
redrobotgood morning dave-mccowan !  I'm fixing the functional tests in our shared CR16:27
redrobotdave-mccowan there's only one failing test, but it appears you checked in your local config file, so the gate failed for all tests since it was unable to reach the keystone service16:28
redrobotdave-mccowan I think I can finish the CR on my own.16:28
jraimrm_work: thanks :)16:30
jvrbanacigueths, whats up?16:32
*** dave-mccowan has quit IRC16:32
*** dave-mccowan has joined #openstack-barbican16:33
iguethsjvrbanac: Not much, just wanted to make you aware of the fact that the seemingly random changes in were as a result of my running autopep8 against the file, not anything I did manually (assuming you weren't already that is). So what I'm going to try next is reverting those other lines to what they were previously and only focus on the new stuff I put in, although I'm not sure if16:36
iguethsthis is going to cause an overall Pep8 failure in the gate as a result.16:36
redrobotigueths I don't think it will cause a pep8 failure.  My guess is that the autopep8 tool has a lower threshold for splitting a line than is needed16:42
redrobotigueths so it auto split those lines, even though they pass pep8 without the modification.16:42
iguethsredrobot: I suppose this is possible.16:44
*** jaosorior has quit IRC16:52
*** rellerreller has joined #openstack-barbican16:53
peter-hamiltonrellerreller: i'm here16:54
rellerrellerredrobot peter-hamilton is our lead for pykmip16:55
rellerrellerredrobot feel free to ask him any questions you might have about the library16:55
rellerrellerDoes anyone have the link to the Liberty design session proposal etherpad? I went to, but I received a page loading error.16:57
elmikorellerreller: works for me16:58
rellerrellerelmiko Thanks. That is strange. I tried a different browser and it worked.16:59
rellerrellerThanks for giving me some insight :)17:00
*** ccneill has joined #openstack-barbican17:00
ccneillhi guys, anyone else having issues with oslo_policy this morning?17:01
ccneill11:55:21    •ccneill ∞ from Barbican: 2015-04-15 11:51:08.698 49835 WARNING oslo_config.cfg [-] Option "policy_default_rule" from group "DEFAULT" is deprecated. Use option "policy_default_rule"  │17:01
ccneill                     ∞ from group "oslo_policy".                                                                                                                                                   │17:01
ccneill11:55:21    •ccneill ∞ 2015-04-15 11:51:08.698 49835 WARNING oslo_config.cfg [-] Option "policy_file" from group "DEFAULT" is deprecated. Use option "policy_file" from group "oslo_policy".       │17:01
ccneill11:55:53    •ccneill ∞ from nosetests: ImportError: No module named oslo_policy, in barbican/barbican/api/                                                                              │17:01
ccneill11:56:51    •ccneill ∞ tried setting this in etc/barbican/barbican-api.conf: [oslo_policy]                                                                                                         │17:01
ccneill11:56:51    •ccneill ∞ policy_default_rule = default                                                                                                                                               │17:01
ccneill11:56:51    •ccneill ∞ policy_file=/etc/barbican/policy.json                                                                                                                                       │17:01
ccneill11:56:55    •ccneill ∞ no luck                                                                                                                                                                     │17:01
ccneill11:59:34    •ccneill ∞ fresh install, fresh db, up-to-date with master... I'm at a loss :/17:01
ccneillsorry for the spam17:02
hockeynutI got the same result as ccneill - we made a change recently with oslo.policy IIRC17:03
ccneilllooks like it's in the requirements.txt17:03
ccneilloslo.policy>=0.3.1,<0.4.0  # Apache-2.017:03
hockeynutmy oslo.policy is 0.3.217:03
hockeynuttrying with clean .tox env17:06
hockeynutworks now17:18
hockeynuttox -r or I just zapped .tox/functional/17:19
rellerrellerIs anyone having trouble with getting devstack running? My machine is acting funny. Not sure if I can blame devstack or not.17:22
*** kebray has quit IRC17:29
ccneillhockeynut: woot, looks like that worked17:31
rellerrellerI made someone else pull the latest from devstack, and their machine also exhibited the same behavior.17:32
*** kebray has joined #openstack-barbican17:46
*** SheenaG has quit IRC17:47
*** kebray has quit IRC17:49
*** openstackstatus has quit IRC17:58
*** openstackstatus has joined #openstack-barbican17:59
*** ChanServ sets mode: +v openstackstatus17:59
*** kebray has joined #openstack-barbican18:01
-openstackstatus- NOTICE: Gerrit has stopped emitting events so Zuul is not alerted to changes. We will restart Gerrit shortly to correct the problem.18:01
*** ChanServ changes topic to "Gerrit has stopped emitting events so Zuul is not alerted to changes. We will restart Gerrit shortly to correct the problem."18:01
rellerrellerredrobot woodster_ Are we supposed to vote on the design talks today? I noticed that I am the only one to vote. I mean that's cool because I will get to hear what I want, but maybe others are interested in stuff.18:06
woodster_rellerreller: ha! Yeah we should be promoting that in the channel today18:11
*** ccneill has quit IRC18:12
*** tkelsey has quit IRC18:15
*** ChanServ changes topic to "Kilo RC1 due April 9"18:24
-openstackstatus- NOTICE: Gerrit has been restarted. New patches, approvals, and rechecks between 17:30 and 18:20 UTC may have been missed by Zuul and will need rechecks or new approvals added.18:24
hockeynutits tax day and my wife is a CPA so this afternoon is her big firm party to celebrate survival - I'm disappearing around 3 to join in18:30
*** SheenaG has joined #openstack-barbican18:34
aleeredrobot, dave-mccowan -- how are we doing on the patch -- is there a new version ready?19:07
redrobotalee not yet, I have the devstack gate passing, but I'm still working on some KMIP changes19:08
redrobotalee once I get KMIP working I'll upload a new patch.  And i'll make dogtag changes in a follow up CR19:08
aleeredrobot, once you put it up, I can run it against dogtag and tell you what changes to make19:09
redrobotalee sounds good19:09
aleeor put up a fllow-up cr myself.19:09
redrobotalee I'm thinking maybe another 45 min or so.19:09
aleeredrobot, ok19:09
chellygelredrobot could i get a link to the cli documentation you mentioned earlier? i am here:
redrobotchellygel that's the correct docs19:16
chellygelso creating a new section for cli in this?19:16
redrobotchellygel add a new "CLI Authentication" sub-section to the existing authentication section for the clientrc docs.19:17
chellygelcool beans will doo, thanks redrobot :D19:17
redrobotchellygel np :)19:17
openstackgerritJohn Vrbanac proposed openstack/python-barbicanclient: Raising errors from the client instead of ksclient
*** david-lyle has joined #openstack-barbican19:30
*** crc32 has joined #openstack-barbican19:38
*** ccneill has joined #openstack-barbican19:41
*** igueths has quit IRC19:43
*** igueths has joined #openstack-barbican19:46
*** crc32 has quit IRC20:05
*** crc32 has joined #openstack-barbican20:09
*** xaeth is now known as xaeth_afk20:09
*** ccneill_ has joined #openstack-barbican20:10
redrobotrellerreller I think this CR is getting too big.  I'm going to make the KMIP changes in a follow-up CR.20:11
openstackgerritChelsea Winfree proposed openstack/python-barbicanclient: Fix the clientrc file to match defaults and add docs
*** ccneill has quit IRC20:11
*** dave-mccowan has quit IRC20:12
rellerrellerredrobot So what will the scope be? Will it be for just store_crypto or include dogtag as well?20:13
redrobotrellerreller just store_crypto20:13
*** dave-mccowan has joined #openstack-barbican20:13
openstackgerritDouglas Mendizábal proposed openstack/barbican: Fix base64 decoding of payloads in one-step POST
rellerrellerredrobot So you will have two follow-up CRs for dogtag and kmip? And they will both be included in the release this week?20:14
redrobotrellerreller yeah... we shouldn't release until this is all fixed/tested for KMIP and DogTag20:14
redrobotrellerreller there's no point in releasing an RC1 if we know it's broken20:14
rellerrellerredrobot That is good to hear.20:15
redrobotrellerreller I'd rather have a late RC1 than have to turn around and release an RC2 right away.20:15
rellerrellerredrobot I am ok with that.20:15
rellerrellerredrobot Is the OpenStack powers that be ok with a possibly late RC1?20:15
redrobotrellerreller yeah... it's already late :)20:16
rellerrellerredrobot OK, c'est la vie.20:16
dave-mccowanredrobot, other than review and test, is there anything left for this CR?20:16
redrobotdave-mccowan nope, I want to be done with this CR, and add changes in separate CRs20:17
redrobotdave-mccowan I'm going to fix the KMIP secret_store now.20:17
redrobotdave-mccowan I noticed you skipped a test in the rsa smoke tests20:17
redrobotdave-mccowan would you mind looking into fixing it in a separate CR?20:18
dave-mccowanredrobot, sounds good.  i'll do that.20:18
*** tkelsey has joined #openstack-barbican20:20
rellerrellerredrobot Let me know when you have something for KMIP. I can run some tests here to verify things.20:20
*** tkelsey has quit IRC20:24
openstackgerritChelsea Winfree proposed openstack/python-barbicanclient: Adding payload flag to get secret
*** gyee has joined #openstack-barbican20:44
*** gyee has quit IRC20:44
*** rellerreller has quit IRC21:00
*** gyee has joined #openstack-barbican21:00
woodster_redrobot, should folks still be trying to vote on design sessions by EOD today?21:02
redrobotwoodster_ meh... I'd rather people spend the time reviewing stuff for RC121:02
woodster_redrobot, cool just checking21:03
*** ccneill_ has quit IRC21:06
*** joesavak has quit IRC21:11
*** ccneill_ has joined #openstack-barbican21:12
aleeredrobot, ping21:22
redrobotalee pong21:22
aleeredrobot, hey - where were your instructions on setting up  the docker containers for the functional tests?21:23
aleeredrobot, I recall I used them to set up a keystone container and postgres container21:23
redrobotalee maybe?21:23
aleeyeah - thats it .. thanks21:24
*** dave-mcc_ has joined #openstack-barbican21:28
*** dave-mccowan has quit IRC21:30
*** kebray has quit IRC21:32
*** kebray has joined #openstack-barbican21:37
aleeredrobot, hey - when I try to run the functional tests with tox -e functional, I get "ImportError: No module named oslo_policy"  -- any idea?21:39
aleeredrobot, trying tox -r -e fnctional ..21:40
*** paul_glass has quit IRC21:43
*** ccneill_ is now known as ccneill21:45
*** jamielennox|away is now known as jamielennox21:46
dave-mcc_alee, i've been getting that too.  my workaround has been nosetests functionaltests, but i'd love to fix it right.  my tox -e cover is also broken with the oslo_policy error21:48
aleedave-mcc_, worked for me to do tox -r -e functional21:48
aleeredrobot, ping21:57
redrobotalee pong21:57
aleeredrobot, need some help with my config ..21:57
aleeso I have my old containers up and it looks like keystone is running21:58
redrobotalee can you curl localhost:5000?21:58
aleeie. I can go to localhost:5000 and get a respionse21:58
aleeredrobot, but all my functional tests are failing with 40121:58
redrobotalee the command adds these users:
redrobotyou should be able to use teh admin_user credentials to run the functional tests21:59
redrobotand also the barbican service credentials in the API to validate tokesn21:59
*** ccneill has quit IRC22:00
aleeredrobot, so yeah -- I think these users should be there - as I just started the containers I had before22:00
aleeredrobot, how can I validate the usrs are there?22:00
aleeincidentally I have the following in barbican-functional.conf22:01
*** xaeth_afk is now known as xaeth22:02
redrobottry running the keystone_data script again.  If the users are there it'll give you errors about duplicate names and such22:02
aleeredrobot, is the OS_SERVICE_ENDPOINT http://localhost:5000/v2.0  ?22:06
redrobotalee yep22:07
redrobotalee nope, sorry22:07
redrobotalee it's http://localhost:35357/v2.022:07
aleeok - no errors - so those must not have been there22:09
*** xaeth is now known as xaeth_afk22:12
aleeredrobot, ok - now a different error ..22:13
aleeFile "/home/alee/barbican/barbican/functionaltests/common/", line 141, in get_base_url22:13
alee    base_url = endpoint['key-manager'][0].get('url')22:13
aleeKeyError: 'key-manager22:13
aleeredrobot, must be missing service catalog entries?22:14
redrobotalee yeah, I think so.22:14
aleeredrobot, cool - functional tests running --  I will check out what dogtag changes need to be made22:24
*** igueths has quit IRC22:39
dave-mcc_redrobot, do you want to merge before or after the "big one"? it still needs another +222:40
redrobotdave-mcc_ I don't have a preference... the gate seems to be backed up for like 6+ hours :-\22:42
dave-mcc_redbot, i guess there is a way for me to rebase on the big-one before it merges, and get it in line behind?22:45
redrobotdave-mcc_ yeah, if you do a "git review -d 173396" to pull down our joint CR, then22:46
redrobotdave-mcc_ "git cherry-pick SHA_FOR_NEXT_CR_IN_LINE"22:46
redrobotthen git review22:47
redrobotit'll ask if you want to make a dependency when you submit it22:47
*** stanzi has joined #openstack-barbican22:48
*** stanzi has quit IRC22:53
*** stanzi has joined #openstack-barbican22:54
*** stanzi has quit IRC22:54
dave-mcc_redrobot, do you need convert_pem_to_der() functions for kmip?  i have some with unit tests that i can push if you want.22:54
*** stanzi has joined #openstack-barbican22:54
redrobotdave-mcc_ I just wrote a bunch too, >_<22:55
redrobotdave-mcc_ pem_to_der is easy22:55
redrobotdave-mcc_ der to pem is a apin22:55
dave-mcc_redrobot, yea, i found that out.  both pyopenssl and pycrypto seem to only know pkcs#122:56
dave-mcc_redrobot, i've got literals for public_der and private_der to put into for testing.  have you already done that too?22:58
redrobotdave-mcc_ not yet. let me push a WIP so you can see what I've got22:58
*** stanzi has quit IRC22:58
*** stanzi has joined #openstack-barbican22:59
openstackgerritDouglas Mendizábal proposed openstack/barbican: Fix KMIP Secret Store input/output
*** dimtruck is now known as zz_dimtruck22:59
dave-mcc_redrobot, here's what i did.    they work and only use crypto libraries.  the only problem is the to_pem for private key is PKCS#1, instead of PKCS#8.23:03
*** stanzi has quit IRC23:03
redrobotdave-mcc_ heh... well, we need to figure out how to return a PKCS#8 :-\23:04
dave-mcc_redrobot, apparently, depending on which version of pyOpenSSL you're using you can get one or the other :-/23:05
redrobotdave-mcc_ super lame...23:05
redrobotdave-mcc_ what are you using for the private one?  M2Crypto?23:06
dave-mcc_redrobot, just from Crypto.PublicKey import RSA23:07
dave-mcc_from OpenSSL import crypto23:07
dave-mcc_redrobot, i tried both for the private_key to PEM and got PKCS#1 for both of them23:08
dave-mcc_redrobot, "-----BEGIN RSA PRIVATE KEY-----" is the header for PKCS#123:11
*** chlong has joined #openstack-barbican23:11
*** alee has quit IRC23:11
dave-mcc_redrobot, so your code is representing PKCS#1 in the private key conversion23:12
*** alee has joined #openstack-barbican23:12
reaperhulkPEM_write_BIO_PrivateKey is what you want to call :D23:27
reaperhulkbut don't do that, that's C23:27
dave-mcc_redrobot, i compared the results of your conversion with what i get from the openssl command line for the keys in
elmikowoodster_: i ran into an error with the migration you have up for review23:29
dave-mcc_redrobot, the public key cases work in both directions.23:29
woodster_elmiko, ugh23:31
*** nickrmc84 has joined #openstack-barbican23:32
*** crc32 has quit IRC23:32
woodster_elmiko, yeah clearly alembic/sqlalchemy is not giving us good dialect selection :\23:33
elmikowoodster_: sadly no =(23:34
elmikowoodster_: i'm not sure what the offending line wants though, i tried with a bool but that didn't do it23:34
*** arunkant has quit IRC23:38
*** nickrmc83 has quit IRC23:39
*** arunkant has joined #openstack-barbican23:39
elmikowoodster_: ok, so question. does that Column need server_default or just default?23:45
elmikoi only ask because default='False' works for me23:45
*** stanzi has joined #openstack-barbican23:46
woodster_elmiko: I believe that won't work on records already in the table23:47
elmikowoodster_: well that's no fun23:49

Generated by 2.14.0 by Marius Gedminas - find it at!