Wednesday, 2015-10-07

*** jhfeng has quit IRC		00:01
*** woodster_ has quit IRC		00:09
*** su_zhang has quit IRC		00:26
*** mixos has joined #openstack-barbican		00:35
*** su_zhang has joined #openstack-barbican		00:47
*** spotz_zzz is now known as spotz		00:51
*** jaosorior has quit IRC		00:53
*** jaosorior has joined #openstack-barbican		00:54
*** gyee has quit IRC		00:58
*** jhfeng has joined #openstack-barbican		01:04
*** jhfeng has quit IRC		01:06
*** su_zhang has quit IRC		01:07
*** stevemar_ has quit IRC		01:11
*** ccneill_ has joined #openstack-barbican		01:23
*** ccneill has quit IRC		01:25
*** ccneill_ has quit IRC		01:27
*** spotz is now known as spotz_zzz		01:35
*** stevemar_ has joined #openstack-barbican		02:00
*** vivek-ebay has quit IRC		02:05
*** woodster_ has joined #openstack-barbican		02:14
*** vivek-ebay has joined #openstack-barbican		03:16
*** dave-mccowan has quit IRC		03:16
*** zz_dimtruck is now known as dimtruck		03:40
*** su_zhang has joined #openstack-barbican		04:17
*** woodster_ has quit IRC		04:19
*** vivek-ebay has quit IRC		04:19
*** jaosorior has quit IRC		04:34
*** jaosorior has joined #openstack-barbican		04:34
*** Nirupama has joined #openstack-barbican		04:40
*** everjeje has joined #openstack-barbican		04:44
*** mixos has quit IRC		05:22
*** dimtruck is now known as zz_dimtruck		05:24
*** jamielennox is now known as jamielennox\|away		05:30
*** stevemar_ has quit IRC		05:31
*** su_zhang has quit IRC		05:46
*** edtubill has joined #openstack-barbican		06:08
*** jamielennox\|away is now known as jamielennox		06:21
*** shohel has joined #openstack-barbican		06:25
*** edtubill has quit IRC		06:42
*** jaosorior has quit IRC		08:57
*** jaosorior has joined #openstack-barbican		08:58
*** everjeje has quit IRC		09:16
*** darrenmoffat has quit IRC		09:21
*** darrenmoffat has joined #openstack-barbican		09:22
*** jaosorior has quit IRC		09:55
*** jaosorior has joined #openstack-barbican		09:55
*** mmdurrant has quit IRC		10:09
*** jaosorior has quit IRC		10:33
*** jaosorior has joined #openstack-barbican		10:34
*** dave-mccowan has joined #openstack-barbican		10:54
jaosorior	dave-mccowan: Hey man, good morning	11:00
dave-mccowan	good morning ozz	11:00
jaosorior	how's it going?	11:00
dave-mccowan	it's going well.... the quiet between releases; good chance to catch up on stuff i've been putting off.	11:01
jaosorior	haha yeah	11:01
jaosorior	anything of yours that I've missed reviewing?	11:02
jaosorior	dave-mccowan: Waiting for a long deployment to finish, so I've got plenty of time for reviewing :P	11:04
dave-mccowan	nope. but, maybe one CR we could think about. https://review.openstack.org/#/c/171023/ In this CR, the request was that "validation stuff" should stop leaking out of the validator. since then, this problem has gotten worse. as we add new features with per-project aspects, we're adding validation checks for ownership in the controllers. (cas.py got some checks for that this cycle) do you have any fresh ideas there, or should we	11:06
dave-mccowan	give up?	11:06
jaosorior	dave-mccowan: good that you mention it. Let me finish up a CR and I'll take a better look into that.	11:07
*** jamielennox is now known as jamielennox\|away		11:19
jaosorior	dave-mccowan: No fresh ideas really. We should start doing some refactoring to fix things... I, however, want the validation classes to be more precise in what they do	11:27
jaosorior	so perhaps we should separate between schema validation, and other types of validation	11:27
dave-mccowan	jaosorior centralizing ownership validation sounds like a good idea. it would be a good reminder for developers to make sure those checks are implemented for new features too.	11:37
jaosorior	dave-mccowan: exactly	11:38
dave-mccowan	jaosorior i'm not sure there is anything useful in the current patch. i think i'll abandon it and open a wishlist bug. thoughts?	11:40
jaosorior	+1 to that	11:41
*** mmdurrant has joined #openstack-barbican		11:58
*** Nirupama has quit IRC		12:01
*** david-ly_ has joined #openstack-barbican		12:07
*** david-lyle has quit IRC		12:09
*** david-ly_ is now known as david-lyle		12:09
*** su_zhang has joined #openstack-barbican		12:23
*** su_zhang has quit IRC		12:56
dave-mccowan	alee ping	13:15
*** su_zhang has joined #openstack-barbican		13:16
*** david-lyle has quit IRC		13:16
dave-mccowan	alee i noticed the discussion under this CR talking about why Nova get's 404 when trying to get a key. https://review.openstack.org/#/c/211114/1. looks like the work-around (or fix) is to add /v1 to the URI in the service catalog.	13:16
alee	dave-mccowan, lookiing ,,	13:17
alee	dave-mccowan, interesting .. let me take a look at my logs again ..	13:20
*** jaosorior has quit IRC		13:31
*** jaosorior has joined #openstack-barbican		13:32
*** david-lyle has joined #openstack-barbican		13:32
alee	dave-mccowan, that doesn't appear to have helped	13:50
*** spotz_zzz is now known as spotz		13:51
dave-mccowan	alee can you tell if Nova is using the right URI? the comments imply that it is building it's own using only the secret id and catalog.	13:51
alee	dave-mccowan, I think you might be onto something --trying again ..	13:54
*** jaosorior has quit IRC		13:55
*** jaosorior has joined #openstack-barbican		13:55
alee	dave-mccowan, yes - you're right -- it looks like its not getting the right url	13:56
alee	dave-mccowan, I see the request in the nova-compute.log ..	13:56
alee	let me try with that auth_token on the command line	13:56
alee	dave-mccowan, yes - its definitely not using the right url	13:58
alee	ie. not adding the v1 -- good catch	13:58
alee	dave-mccowan, but I think the endpoint in the service catalog now has v1 in i t..	13:59
dave-mccowan	alee i think there are two entries in the service catalog. the admin and the non-admin. did you catch both?	14:00
alee	dave-mccowan, yup	14:00
*** spotz is now known as spotz_zzz		14:01
*** spotz_zzz is now known as spotz		14:01
alee	dave-mccowan, there are some parameters in nova.conf that might help -- not sure how to use them ..	14:05
alee	#endpoint_template=<None>	14:05
*** jhfeng has joined #openstack-barbican		14:06
dave-mccowan	LOL https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L105	14:09
dave-mccowan	alee i think we need a fix to nova to get this work.	14:10
alee	dave-mccowan, I'm not sure -- maybe the versioning should be handled within the barbican client	14:12
alee	dave-mccowan, redrobot - should adding the '/v1' be something that is handled y the client?	14:15
alee	barbican-client?	14:16
dave-mccowan	alee that goes back to the philosophical debate in the CR. it's definitely easier for us to fix in barbican-client, then get Nova to change. should be an easy hack to get the client to change an un-versioned request to /v1/. that will work until /v2/. :-)	14:16
alee	dave-mccowan, I'm just surprised this is broken ..	14:16
alee	(and no one cotttoned onto it)	14:17
alee	are there no functional tests that test this?	14:17
*** xaeth_afk is now known as xaeth		14:18
dave-mccowan	alee i think cross-project gate tests are rare :-(	14:18
alee	I'd like to see if kfarr, rellerreller have this working	14:18
alee	dave-mccowan, trying the endpoint_template to see if I can work around it for now ..	14:19
dave-mccowan	is the key being ordered? or pre-stored?	14:19
dave-mccowan	alee looking at the nova code with the link above, the template is parsed at 99 and /v1/ removed at 105.	14:20
dave-mccowan	alee ah... maybe put /v1/v1/ in the catalog. :-/	14:20
alee	dave-mccowan, well I can put /v1/v1 in the template	14:21
alee	dave-mccowan, we should look at what cinder does	14:21
alee	dave-mccowan, because they do it correctly	14:21
alee	and the request goes through correctly there	14:21
*** kfarr has joined #openstack-barbican		14:21
alee	kfarr, !	14:22
kfarr	alee! Hi! I got in late today and am still getting things set up	14:22
alee	kfarr, no worries. dave-mccowan has pinpointed what the problem is ..	14:22
alee	kfarr, and now looking for a solution ..	14:23
alee	kfarr, when nova goes to get the key , it constructs a url without the v1 in it	14:23
kfarr	alee oh ok, I know the fix for that, one sec	14:23
dave-mccowan	kfarr check out our discussion here. you reviewed the patch we were looking at a couple months ago. http://eavesdrop.openstack.org/irclogs/%23openstack-barbican/%23openstack-barbican.2015-10-07.log.html	14:24
* dave-mccowan places bet kfarr comes back with /v1/v1/ :-)		14:25
alee	dave-mccowan, I'm using an old client-- let me try updating ..	14:25
kfarr	in nova.conf, put an entry for endpoint_template	14:26
kfarr	http://localhost:9311/v1/%(project_id)s	14:26
kfarr	This issue is fixed in Castellan, bte	14:26
kfarr	btw	14:26
dave-mccowan	kfarr, alee. interesting. this code will strip off the {project_id} and leave /v1/, so it works. https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L105	14:28
*** xaeth is now known as xaeth_afk		14:28
alee	dave-mccowan, kfarr -- juts updated my barbican-client , and now it works I think ..	14:28
alee	so it seems the fix was in barbican client	14:29
kfarr	alee, what was the fix?	14:31
kfarr	I really think you only need to specify the endpoint_template in nova.conf	14:31
alee	kfarr, I think specifying the endpoint_template in nova.conf will work	14:31
alee	kfarr, on the other hand, it seems that updating my barbican-client to the latest or similar appears to work too.	14:32
alee	testing to confirm but it appears that the key was retrieved	14:32
alee	kfarr, dave-mccowan ie. using latest client means not having to specify endpoint_template	14:33
alee	of course, I now have /v1 in the catalog now .. let me remove that ..	14:33
alee	not that that shoudl make a difference I think due to nova code dave-mccowan pointed out	14:34
dave-mccowan	alee, kfarr, i don't see any code in the client that allows for /v1/ and not /v1/. are you sure you don't also have a change to endpoint template?	14:34
kfarr	Ok, so in that code snippet in nova, it strips the v1, but only for when it passes the uri to the barbican client	14:35
kfarr	the real issue is that when that code was written, barbican had the v1 in the service catalog	14:35
kfarr	then somewhere along the way, that changed because keystone is now recommending removing the v1	14:35
kfarr	so the code doesn't work unless you override the endpoint to have a v1	14:36
dave-mccowan	kfarr and you have to override with http://localhost:9311:/v1/foo, because line 105 strips off the end of the URI.	14:37
kfarr	Yes that line strips off the v1, but that URI with the v1 stripped off is only used to create the barbican client	14:39
kfarr	The problem is when it creates the secret_ref	14:39
*** shohel has quit IRC		14:39
kfarr	because it manually builds the secret ref given a uuid	14:39
kfarr	https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L233	14:39
*** xaeth_afk is now known as xaeth		14:39
kfarr	it uses: self._base_url + "/secrets/" + key_id	14:40
kfarr	Back in the __init__ function, if you don't provide an endpoint template, it goes to the endpoint catalog	14:40
kfarr	and the barbican uri in the endpoint catalog doesn't have a v1	14:41
kfarr	self._base_url = _SESSION.get_endpoint(...)	14:42
dave-mccowan	kfarr gotcha. _base_url is not stripped of it last param. which make me wonder, why do you have %(project_id)s in your example?	14:42
kfarr	because it does string formatting:	14:42
kfarr	https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L99	14:42
dave-mccowan	kfarr is project id part of the secret ref?	14:43
kfarr	dave-mccowan, good point	14:44
kfarr	dave-mccown, then maybe you can just override it to this: http://localhost:9311/v1/	14:45
*** zz_dimtruck is now known as dimtruck		14:45
alee	dave-mccowan, kfarr - is there a better way to test http://docs.openstack.org/juno/config-reference/content/section_testing_encryption.html ?	14:45
alee	dave-mccowan, kfarr - the test will show the string being written to the unencrypted volume just fine.	14:46
alee	and that we cant find the string in the encrypted volume	14:46
alee	how is that different from not having written to the encryoted volume at all?	14:47
*** silos has joined #openstack-barbican		14:48
kfarr	alee, that's always how we demoed it	14:48
alee	kfarr, yup - not criticising the test -- it makes sense. just wondering if we can do it in a way that proves we actually wrote the partition	14:49
*** lvh has quit IRC		14:49
alee	kfarr, maybe I'll try mounting the disk ..	14:50
dave-mccowan	can you cat something before and after and show it growing? also read and write, the value must have come back from somewhere.	14:50
*** stevemar_ has joined #openstack-barbican		14:51
alee	yeah -- maybe read ..	14:51
*** lvh has joined #openstack-barbican		14:51
kfarr	alee, just to clarify, were you able to get it working by modifying the endpoint_template or did you have to fiddle with other things too?	14:52
dave-mccowan	alee i assume if you can grep "/dev/stack-volumes/volume-*", you can also cat them.	14:52
alee	kfarr, give me just a sec -- I had added v1 to the catalog .. let me remove and connnnnnnnfirm	14:54
*** kebray has joined #openstack-barbican		14:57
*** kebray has quit IRC		14:58
*** edtubill has joined #openstack-barbican		14:58
*** kebray has joined #openstack-barbican		14:59
*** diazjf has joined #openstack-barbican		15:00
*** diazjf has left #openstack-barbican		15:01
*** mixos has joined #openstack-barbican		15:02
alee	kfarr, but to be clear -- I updated my python client and then things started to work	15:05
alee	no template change needed	15:05
kfarr	alee do you know what is different about the new python client?	15:05
*** jaosorior has quit IRC		15:06
alee	kfarr, presumably it handles the versions? have not looked yet ..	15:06
*** jaosorior has joined #openstack-barbican		15:06
alee	kfarr, still confirming	15:06
*** kebray has quit IRC		15:14
*** everjeje has joined #openstack-barbican		15:17
*** alee_ has joined #openstack-barbican		15:19
alee	kfarr, dave-mccowan ok definitely works with new python-barbicanclient	15:24
kfarr	alee, great!	15:24
alee	kfarr, no special nova config required	15:24
* dave-mccowan wonders how o.O		15:25
alee	kfarr, dave-mccowan -- I also added a step where I cat the disk and grep for the phrase I wrote while on the vm	15:25
alee	works on the vm -- doesn't work outside	15:26
alee	as you'd expect	15:26
dave-mccowan	alee sweet. are you going to push some doc or wiki?	15:26
jaosorior	alee: What works with the new python-barbicanclient?	15:26
jaosorior	anybody knows where redrobot is?	15:27
jaosorior	People have been asking for a release of python-barbicanclient	15:27
alee	dave-mccowan, better than that -- I'm working on a fork of some scripts to put it all together	15:27
*** xaeth is now known as xaeth_afk		15:28
alee	dave-mccowan, the scripts will set up two vms - one with ipa (including dogtag) and one with barbican/ packstack	15:28
alee	and will set up and test volume encryption	15:28
alee	dave-mccowan, this is for the tokyo demo.	15:29
dave-mccowan	alee awesome. where will you run the demo? do you have a presentation?	15:29
alee	dave-mccowan, I'll also do silly things like register barbican as a service in ipa so we can get an ssl cert so we have https running on barbican	15:30
*** kebray has joined #openstack-barbican		15:30
alee	dave-mccowan, red hat booth	15:30
alee	dave-mccowan, there will be a video ..	15:30
alee	dave-mccowan, now that its working I can start putting it together	15:31
alee	dave-mccowan, I'll sned you the link to the repo once I update it	15:31
alee	jaosorior, I was using an old pythonclient and retrieving the key rom nova was failing with 404	15:32
dave-mccowan	alee thanks. any clue on where in the code the /v1/ is added back? i'm going to lose sleep. :-/ :-)	15:32
jaosorior	alee, ooh, I see	15:32
alee	jaosorior, the reason for that was that nova was constructing a url without the v1	15:32
alee	jaosorior, I updated my client and now it automagically works	15:33
jaosorior	alee: yeah, we did some changes to how the endpoints are handled	15:33
alee	jaosorior, so sometime someone fixed the client to make them handle the endpoint and add back the v1	15:33
alee	jaosorior, maybe even you :)	15:33
jaosorior	it was me actually haha	15:33
jaosorior	IIRC, it's been a while	15:34
jaosorior	which makes me think	15:34
jaosorior	damn, you must have had a pretty old client	15:34
alee	jaosorior, well - the client has only been updated in fedora recently	15:34
jaosorior	alee, I see	15:35
jaosorior	but yeah, we need to poke redrobot about a new python-barbicanclient release	15:35
dave-mccowan	jaosorior do you have a link to the CR? i want to add it as a comment to another CR, for people who run across this issue.	15:35
alee	jaosorior, and even then it was later than that -- I think I had version 3.2.X	15:35
*** kebray has quit IRC		15:35
alee	jaosorior, and no I have version 3.3.x	15:35
alee	jaosorior, so 3.2.X to 3.3.0	15:36
alee	jaosorior, that doesn't sound that long ago ..	15:37
jaosorior	alee: Then it might been another issue than what I'm thinking	15:37
jaosorior	what I had done is enable the getting of the endpoint through the keystone catalog, which we weren't doing before	15:38
alee	jaosorior, right -- but the keystone catalog entry used to include a v1 in it -- it no longer does	15:39
alee	jaosorior, so code must have been added between 3.2 and 3.3 to add it back	15:39
*** kebray has joined #openstack-barbican		15:39
alee	(or handle it properly)	15:40
jaosorior	dave-mccowan: https://review.openstack.org/#/c/195453/	15:40
*** david-lyle has quit IRC		15:41
*** kebray has quit IRC		15:42
*** david-lyle has joined #openstack-barbican		15:42
*** vivek-ebay has joined #openstack-barbican		15:43
*** arunkant has quit IRC		15:48
*** david-ly_ has joined #openstack-barbican		15:55
*** david-lyle has quit IRC		15:55
*** david-ly_ has quit IRC		15:56
*** david-lyle has joined #openstack-barbican		15:56
openstackgerrit	Douglas Mendizábal proposed openstack/barbican: Add RBAC docs for Cloud Administrator Guide https://review.openstack.org/231222	15:57
*** lisaclark1 has joined #openstack-barbican		16:01
*** lisaclark1 has quit IRC		16:02
*** arunkant has joined #openstack-barbican		16:03
*** lisaclark1 has joined #openstack-barbican		16:04
*** xaeth_afk is now known as xaeth		16:07
*** kebray has joined #openstack-barbican		16:08
lisaclark1	morning barbicaneers	16:11
lisaclark1	does anyone know if there is a summary of all blueprints / bug fixes in the Liberty release? or must I review the launchpads of our 3 milestone releases and the 2 RCs to get this summary view?	16:12
*** su_zhang has quit IRC		16:14
redrobot	mornin' lisaclark1	16:18
redrobot	lisaclark1 I don't think there's such a page yet. Once RC2 becomes Liberty 1.0.0 then the release page will have all that info.	16:19
redrobot	lisaclark1 just like https://launchpad.net/barbican/kilo/2015.1.0 for Kilo	16:20
jaosorior	redrobot: Any python-barbicanclient release coming soon? :D	16:21
redrobot	jaosorior haven't taken a look recently, but we're definitely due for one	16:21
redrobot	jaosorior how much can we still change the openstack cli plugin after release?	16:22
*** spotz is now known as spotz_zzz		16:23
lisaclark1	thanks redrobot. that's the page for Liberty that I want ;-)	16:29
arunkant	dave-mccowan: ping	16:38
dave-mccowan	arunkant pong	16:38
arunkant	dave-mccowan: Just now saw your comment on https://review.openstack.org/#/c/211114/	16:38
arunkant	you mentioned its fixed by another review. But the issue is on nova side and not on barbicanclient	16:39
dave-mccowan	alee,kfarr, jaosorior, and i have been talking about it this morning. alee got his deployment working by upgrading to a client with jaosorior's fix.	16:40
arunkant	dave-mccowan: Was he testing nova emphermal or cinder volume encryption..cinder volume encryption works in devstack because default encryption_api_url has /v1 in it	16:42
*** vivek-ebay has quit IRC		16:42
arunkant	dave-mccowan: whereas nova ephemeral tries to use keystoneclient to leverage version discovery which does not work	16:44
dave-mccowan	alee ^^ arunkant from code inspection, i agreed with you. i did not expect it to work. but, it did for alee.	16:45
arunkant	dave-mccowan: we tested nova emphermal part last week and it works when specify /v1 in devstack local conf or in barbican endpoint in service catalog..	16:47
arunkant	alee: Were you testing nova emphermal storage or cinder volume encryption ?	16:48
alee	arunkant, testing cinder volume encryption -- and using packstack	16:48
alee	arunkant, where is the encryption_api_url set?	16:49
arunkant	alee, okay..yes..that works because https://github.com/openstack/cinder/blob/master/cinder/keymgr/key_mgr.py#L29	16:49
arunkant	alee, so default URL has /v1 in it and it works in devstack without any change.	16:50
alee	arunkant, ok yes -- have not had any issues with cinder	16:50
alee	arunkant, I had issues with nova until I unpgraded my client	16:50
*** xaeth is now known as xaeth_afk		16:51
arunkant	alee, so it works as that URL is used as-is when creating secret_ref in cinder side..https://github.com/openstack/cinder/blob/master/cinder/keymgr/barbican.py#L46 and https://github.com/openstack/cinder/blob/master/cinder/keymgr/barbican.py#L217	16:52
*** lisaclark1 has quit IRC		16:52
alee	arunkant, why are we creating the url at all? don't we return a reference to the secret in the order?	16:54
arunkant	alee, but in nova emphermal storage case..it does not as there is no default defined and they try to identify url using keystoneclient version discovery..https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L102	16:54
arunkant	alee, I think..service client stores only secret uuid ..	16:54
alee	arunkant, perhaps that should be changed -- this code will not work when we have barbican federation	16:55
arunkant	alee, so they need to construct secret_ref URL when they need to read the secret..	16:55
arunkant	alee, yes it needs to be changed to provide "version" as additional parameter for version discovery	16:56
alee	arunkant, so to be clear ..	16:57
arunkant	So may be add additional input in https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L93	16:57
*** kebray has quit IRC		16:57
alee	arunkant, when i was cinder volume encryption with old barbican client, I was able to order and store the key in cinder, but was not able to retrive the key from nova to attach it to a vm	16:58
alee	arunkant, because nova was not adding the v1	16:58
alee	arunkant, I would think it goes through the code you mention above.	16:59
*** silos has left #openstack-barbican		16:59
alee	arunkant, with the new python-barbicanclient, it just works	16:59
alee	arunkant, do you have a link so I can test nova ephemeral?	17:00
arunkant	For cinder volume encryption.. For us, we tested like 4 weeks or may be earlier..it was working in devstack with default config	17:00
arunkant	alee, its quite similar to cinder volume..but only thing is in devstack..you will need to set encryption_api_url , with /v1, in addition to setting keymt api_class	17:03
arunkant	s/keymt/ keymgr	17:03
openstackgerrit	Christopher Solis proposed openstack/barbican: Update Devstack documentation https://review.openstack.org/230276	17:03
*** lisaclark1 has joined #openstack-barbican		17:03
alee	arunkant, and then test in exactly the same way?	17:04
arunkant	alee, this was the devstack conf ..http://paste.openstack.org/show/475637/	17:06
*** su_zhang has joined #openstack-barbican		17:11
arunkant	alee, I agree keymgr code on nova ephemeral storage should be modified to leverage version discovery and may be on cinder side, version discovery support needs to be added.	17:11
alee	arunkant, I'll try it out	17:12
*** vivek-ebay has joined #openstack-barbican		17:13
*** spotz_zzz is now known as spotz		17:15
kfarr	arunkant alee in castellan, version discovery was implemented. Hopefully in the next cycle we will be working on replacing the nova and cinder key managers with castellan	17:24
arunkant	kfarr : +1	17:26
kfarr	Though there still is a possible problem if federated Barbican is implemented because Castellan also does the manual recreation of secret refs	17:29
*** xaeth_afk is now known as xaeth		17:44
lisaclark1	hi barbicaneers: quick poll of the room. anyone happen to have a summit registration ticket that they're not able to use?	17:44
kfarr	lisaclark1 I have a registration code that I will not be using! I will only be there in spirit :(	17:47
lisaclark1	kfarr: sorry to hear you won't be there :-(. did you register with your code already and have an eventbrite ticket?	17:48
kfarr	lisaclark1, no I do not have an eventbrite ticket	17:48
lisaclark1	thanks kfarr. i have a code also, but at this date it gives you a discount off the ticket price, but not a $0 ticket. i was hoping to find someone that did register their code but isn't using their ticket.	17:49
kfarr	lisaclark1, oh I see!	17:50
*** kebray has joined #openstack-barbican		17:59
*** xek has quit IRC		18:07
*** xek has joined #openstack-barbican		18:08
*** su_zhang has quit IRC		18:14
*** xaeth is now known as xaeth_afk		18:22
*** silos has joined #openstack-barbican		18:26
openstackgerrit	Christopher Solis proposed openstack/barbican: Update Devstack documentation https://review.openstack.org/230276	18:29
*** xaeth_afk is now known as xaeth		18:29
*** su_zhang has joined #openstack-barbican		18:34
arunkant	can a core look into this and possibly provide workflow..https://review.openstack.org/#/c/208344/	18:43
*** lisaclark1 has quit IRC		18:43
*** jaosorior has quit IRC		18:47
*** jaosorior has joined #openstack-barbican		18:47
jaosorior	redrobot ping	18:47
redrobot	jaosorior pong	18:47
*** kebray has quit IRC		18:58
*** kebray has joined #openstack-barbican		19:01
*** su_zhang has quit IRC		19:02
*** kebray has quit IRC		19:04
*** diazjf has joined #openstack-barbican		19:12
*** diazjf has left #openstack-barbican		19:14
*** lisaclark1 has joined #openstack-barbican		19:19
arunkant	kfarr: ping .	19:20
kfarr	arunkant pong!	19:21
arunkant	kfarr: Hi..question about kmip plugin. Is it possible to specify multiple host in kmip server host ?	19:22
kfarr	arunkant, no, it only supports one host	19:22
kfarr	arunkant, I think that was how the talk of federated Barbican got started, because each Barbican can only have one backend, including KMIP	19:23
arunkant	kfarr: Oh..so how are deployments supposed to provide HA around KMIP servers ?	19:24
arunkant	kfarr: One backend is fine..but the question is more around having multiple KMIP servers containing same data..primarily for high availability	19:25
*** nelsnels_ has joined #openstack-barbican		19:25
*** nelsnelson has quit IRC		19:25
*** ryanpetrello has quit IRC		19:27
kfarr	arunkant, oh ok. I did not realize that any of the other backends had failover options? The current design meets our needs so far, but you pose an interesting point	19:27
*** ryanpetrello has joined #openstack-barbican		19:27
arunkant	kfarr, in some clients library, client can switch to different server if the one of them happens to be down/unreachable for some reason. Otherwise client application has to implement that logic.	19:30
*** lisaclark1 has quit IRC		19:31
*** su_zhang has joined #openstack-barbican		19:33
*** jaosorior has quit IRC		19:36
*** su_zhang has quit IRC		19:37
arunkant	alee, in barbican, does dogtag plugin supports multiple host for client connection ?	19:41
alee	arunkant, not sure I understand what you mean by that ?	19:42
alee	arunkant, can I connect from where to where ? and what is multiple?	19:43
openstackgerrit	Merged openstack/barbican: Updated from global requirements https://review.openstack.org/231224	19:43
arunkant	alee, the question is around having multiple dogtag servers for HA ..does plugin supports that ?	19:43
alee	arunkant, gotcha -- so right now -- dogtag plugin can only talk to a single dogtag ca .. but ..	19:44
alee	dogtag has the ability to clone cas.	19:45
alee	so you basically end up with another ca that has the same signing certs and keys -- to all extents and purposes the same ca as the original	19:45
arunkant	alee, okay..so I am guessing cloning means creating passive server with same data..	19:46
alee	with data replicated between them using the underlyting db	19:46
alee	arunkant, they can be active active	19:46
alee	as they issue certs within different serial number ranges	19:46
alee	and the data is replicated	19:46
*** everjeje has quit IRC		19:46
*** dhellmann has quit IRC		19:47
alee	so if you had such a scenario - then you could put a load balancer in fron ofthe cas	19:47
*** dhellmann has joined #openstack-barbican		19:47
alee	and configure the plugin to talk to the vip on the load baklancer	19:47
arunkant	alee, okay...what will be the process to make barbican use that cloned server in case primary went down for some reason ?	19:47
alee	well - if its a load balancer and one server is down, the vip will automatically direct all traffic to the other server	19:48
alee	incidentally both cas and kras are cloned	19:49
arunkant	alee, okay...so haproxy (LB) kind of solution can handle dogtag session and request offloading to available server ?	19:50
alee	yes	19:50
openstackgerrit	Merged openstack/barbican: Add RBAC docs for Cloud Administrator Guide https://review.openstack.org/231222	19:51
alee	arunkant, this is how dogtag customers handle HA and load balancing for just dogtag deployments	19:51
arunkant	alee, okay. great. Thanks for clarifying it.	19:51
alee	arunkant, np -- let me know if you're trying to set it up :)	19:52
arunkant	alee, will reach out to you guys in near future..trying to understand how barbican plugin servers HA is handled.	19:53
*** xaeth is now known as xaeth_afk		19:55
*** lisaclark1 has joined #openstack-barbican		20:16
*** kebray has joined #openstack-barbican		20:17
*** kfarr has quit IRC		20:26
*** xaeth_afk is now known as xaeth		20:27
*** xaeth is now known as xaeth_afk		20:39
*** xaeth_afk is now known as xaeth		20:46
*** su_zhang has joined #openstack-barbican		20:52
*** atiwari1 has quit IRC		20:53
*** spotz is now known as spotz_zzz		21:03
*** mixos has quit IRC		21:07
*** silos has left #openstack-barbican		21:08
*** lisaclark1 has quit IRC		21:27
*** jamielennox\|away is now known as jamielennox		21:32
*** edtubill has quit IRC		21:36
*** diazjf has joined #openstack-barbican		21:40
*** diazjf has quit IRC		21:40
*** spotz_zzz is now known as spotz		21:48
*** kebray has quit IRC		21:48
*** xaeth is now known as xaeth_afk		21:52
*** spotz is now known as spotz_zzz		21:57
*** su_zhang_ has joined #openstack-barbican		22:07
*** lisaclark1 has joined #openstack-barbican		22:07
*** lisaclark1 has quit IRC		22:08
*** su_zhang has quit IRC		22:11
*** lisaclark1 has joined #openstack-barbican		22:12
*** kebray has joined #openstack-barbican		22:17
jhfeng	have anyone tried using softHSM with Barbican in devstack ?	22:24
*** lisaclark1 has quit IRC		22:35
*** stevemar_ has quit IRC		22:36
*** stevemar_ has joined #openstack-barbican		22:37
*** lisaclark1 has joined #openstack-barbican		22:38
*** dimtruck is now known as zz_dimtruck		22:41
*** stevemar_ has quit IRC		22:41
*** su_zhang has joined #openstack-barbican		22:49
*** su_zhang_ has quit IRC		22:52
*** david-lyle has quit IRC		22:54
*** david-lyle has joined #openstack-barbican		22:55
*** lisaclark1 has quit IRC		22:57
*** lisaclark1 has joined #openstack-barbican		22:57
*** stevemar_ has joined #openstack-barbican		22:59
*** lisaclark1 has quit IRC		23:01
*** jhfeng has quit IRC		23:06
*** david-lyle has quit IRC		23:10
*** david-lyle has joined #openstack-barbican		23:10
*** david-lyle has quit IRC		23:14
*** yuanying has quit IRC		23:16
*** david-lyle has joined #openstack-barbican		23:17
*** david-ly_ has joined #openstack-barbican		23:19
*** yuanying has joined #openstack-barbican		23:19
*** david-lyle has quit IRC		23:21
*** mixos has joined #openstack-barbican		23:29
*** david-ly_ is now known as david-lyle		23:31
*** kebray has quit IRC		23:42
*** stevemar_ has quit IRC		23:47

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!