Wednesday, 2015-10-07

*** jhfeng has quit IRC [00:01]
*** woodster_ has quit IRC [00:09]
*** su_zhang has quit IRC [00:26]
*** mixos has joined #openstack-barbican [00:35]
*** su_zhang has joined #openstack-barbican [00:47]
*** spotz_zzz is now known as spotz [00:51]
*** jaosorior has quit IRC [00:53]
*** jaosorior has joined #openstack-barbican [00:54]
*** gyee has quit IRC [00:58]
*** jhfeng has joined #openstack-barbican [01:04]
*** jhfeng has quit IRC [01:06]
*** su_zhang has quit IRC [01:07]
*** stevemar_ has quit IRC [01:11]
*** ccneill_ has joined #openstack-barbican [01:23]
*** ccneill has quit IRC [01:25]
*** ccneill_ has quit IRC [01:27]
*** spotz is now known as spotz_zzz [01:35]
*** stevemar_ has joined #openstack-barbican [02:00]
*** vivek-ebay has quit IRC [02:05]
*** woodster_ has joined #openstack-barbican [02:14]
*** vivek-ebay has joined #openstack-barbican [03:16]
*** dave-mccowan has quit IRC [03:16]
*** zz_dimtruck is now known as dimtruck [03:40]
*** su_zhang has joined #openstack-barbican [04:17]
*** woodster_ has quit IRC [04:19]
*** vivek-ebay has quit IRC [04:19]
*** jaosorior has quit IRC [04:34]
*** jaosorior has joined #openstack-barbican [04:34]
*** Nirupama has joined #openstack-barbican [04:40]
*** everjeje has joined #openstack-barbican [04:44]
*** mixos has quit IRC [05:22]
*** dimtruck is now known as zz_dimtruck [05:24]
*** jamielennox is now known as jamielennox|away [05:30]
*** stevemar_ has quit IRC [05:31]
*** su_zhang has quit IRC [05:46]
*** edtubill has joined #openstack-barbican [06:08]
*** jamielennox|away is now known as jamielennox [06:21]
*** shohel has joined #openstack-barbican [06:25]
*** edtubill has quit IRC [06:42]
*** jaosorior has quit IRC [08:57]
*** jaosorior has joined #openstack-barbican [08:58]
*** everjeje has quit IRC [09:16]
*** darrenmoffat has quit IRC [09:21]
*** darrenmoffat has joined #openstack-barbican [09:22]
*** jaosorior has quit IRC [09:55]
*** jaosorior has joined #openstack-barbican [09:55]
*** mmdurrant has quit IRC [10:09]
*** jaosorior has quit IRC [10:33]
*** jaosorior has joined #openstack-barbican [10:34]
*** dave-mccowan has joined #openstack-barbican [10:54]
<jaosorior> dave-mccowan: Hey man, good morning [11:00]
<dave-mccowan> good morning ozz [11:00]
<jaosorior> how's it going? [11:00]
<dave-mccowan> it's going well....  the quiet between releases; good chance to catch up on stuff i've been putting off. [11:01]
<jaosorior> haha yeah [11:01]
<jaosorior> anything of yours that I've missed reviewing? [11:02]
<jaosorior> dave-mccowan: Waiting for a long deployment to finish, so I've got plenty of time for reviewing :P [11:04]
<dave-mccowan> nope.  but, maybe one CR we could think about.  https://review.openstack.org/#/c/171023/    In this CR, the request was that "validation stuff" should stop leaking out of the validator.  since then, this problem has gotten worse.  as we add new features with per-project aspects, we're adding validation checks for ownership in the controllers.  (cas.py got some checks for that this cycle)  do you have any fresh ideas there, or should we [11:06]
<dave-mccowan> give up? [11:06]
<jaosorior> dave-mccowan: good that you mention it. Let me finish up a CR and I'll take a better look into that. [11:07]
*** jamielennox is now known as jamielennox|away [11:19]
<jaosorior> dave-mccowan: No fresh ideas really. We should start doing some refactoring to fix things... I, however, want the validation classes to be more precise in what they do [11:27]
<jaosorior> so perhaps we should separate between schema validation, and other types of validation [11:27]
<dave-mccowan> jaosorior centralizing ownership validation sounds like a good idea.  it would be a good reminder for developers to make sure those checks are implemented for new features too. [11:37]
<jaosorior> dave-mccowan: exactly [11:38]
<dave-mccowan> jaosorior i'm not sure there is anything useful in the current patch.  i think i'll abandon it and open a wishlist bug.  thoughts? [11:40]
<jaosorior> +1 to that [11:41]
*** mmdurrant has joined #openstack-barbican [11:58]
*** Nirupama has quit IRC [12:01]
*** david-ly_ has joined #openstack-barbican [12:07]
*** david-lyle has quit IRC [12:09]
*** david-ly_ is now known as david-lyle [12:09]
*** su_zhang has joined #openstack-barbican [12:23]
*** su_zhang has quit IRC [12:56]
<dave-mccowan> alee ping [13:15]
*** su_zhang has joined #openstack-barbican [13:16]
*** david-lyle has quit IRC [13:16]
<dave-mccowan> alee i noticed the discussion under this CR talking about why Nova gets 404 when trying to get a key.  https://review.openstack.org/#/c/211114/1.  looks like the work-around (or fix) is to add /v1 to the URI in the service catalog. [13:16]
<alee> dave-mccowan, looking ,, [13:17]
<alee> dave-mccowan, interesting .. let me take a look at my logs again .. [13:20]
*** jaosorior has quit IRC [13:31]
*** jaosorior has joined #openstack-barbican [13:32]
*** david-lyle has joined #openstack-barbican [13:32]
<alee> dave-mccowan, that doesn't appear to have helped [13:50]
*** spotz_zzz is now known as spotz [13:51]
<dave-mccowan> alee can you tell if Nova is using the right URI?  the comments imply that it is building its own using only the secret id and catalog. [13:51]
<alee> dave-mccowan, I think you might be onto something --trying again .. [13:54]
*** jaosorior has quit IRC [13:55]
*** jaosorior has joined #openstack-barbican [13:55]
<alee> dave-mccowan, yes - you're right -- it looks like it's not getting the right url [13:56]
<alee> dave-mccowan, I see the request in the nova-compute.log .. [13:56]
<alee> let me try with that auth_token on the command line [13:56]
<alee> dave-mccowan, yes - it's definitely not using the right url [13:58]
<alee> ie. not adding the v1 -- good catch [13:58]
<alee> dave-mccowan, but I think the endpoint in the service catalog now has v1 in it .. [13:59]
<dave-mccowan> alee i think there are two entries in the service catalog.  the admin and the non-admin.  did you catch both? [14:00]
<alee> dave-mccowan, yup [14:00]
*** spotz is now known as spotz_zzz [14:01]
*** spotz_zzz is now known as spotz [14:01]
<alee> dave-mccowan, there are some parameters in nova.conf that might help -- not sure how to use them .. [14:05]
<alee> #endpoint_template=<None> [14:05]
*** jhfeng has joined #openstack-barbican [14:06]
<dave-mccowan> LOL https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L105 [14:09]
<dave-mccowan> alee i think we need a fix to nova to get this work. [14:10]
<alee> dave-mccowan, I'm not sure -- maybe the versioning should be handled within the barbican client [14:12]
<alee> dave-mccowan, redrobot - should adding the '/v1' be something that is handled by the client? [14:15]
<alee> barbican-client? [14:16]
<dave-mccowan> alee that goes back to the philosophical debate in the CR.  it's definitely easier for us to fix in barbican-client, than get Nova to change.  should be an easy hack to get the client to change an un-versioned request to /v1/.  that will work until /v2/. :-) [14:16]
<alee> dave-mccowan, I'm just surprised this is broken .. [14:16]
<alee> (and no one cottoned onto it) [14:17]
<alee> are there no functional tests that test this? [14:17]
*** xaeth_afk is now known as xaeth [14:18]
<dave-mccowan> alee i think cross-project gate tests are rare :-( [14:18]
<alee> I'd like to see if kfarr, rellerreller have this working [14:18]
<alee> dave-mccowan, trying the endpoint_template to see if I can work around it for now .. [14:19]
<dave-mccowan> is the key being ordered?  or pre-stored? [14:19]
<dave-mccowan> alee looking at the nova code with the link above, the template is parsed at 99 and /v1/ removed at 105. [14:20]
<dave-mccowan> alee ah... maybe put /v1/v1/ in the catalog. :-/ [14:20]
<alee> dave-mccowan, well I can put /v1/v1 in the template [14:21]
<alee> dave-mccowan, we should look at what cinder does [14:21]
<alee> dave-mccowan, because they do it correctly [14:21]
<alee> and the request goes through correctly there [14:21]
*** kfarr has joined #openstack-barbican [14:21]
<alee> kfarr, ! [14:22]
<kfarr> alee! Hi!   I got in late today and am still getting things set up [14:22]
<alee> kfarr, no worries.  dave-mccowan has pinpointed what the problem is .. [14:22]
<alee> kfarr, and now looking for a solution .. [14:23]
<alee> kfarr, when nova goes to get the key , it constructs a url without the v1 in it [14:23]
<kfarr> alee oh ok, I know the fix for that, one sec [14:23]
<dave-mccowan> kfarr check out our discussion here. you reviewed the patch we were looking at a couple months ago.  http://eavesdrop.openstack.org/irclogs/%23openstack-barbican/%23openstack-barbican.2015-10-07.log.html [14:24]
* dave-mccowan places bet kfarr comes back with /v1/v1/ :-) [14:25]
<alee> dave-mccowan, I'm using an old client-- let me try updating .. [14:25]
<kfarr> in nova.conf, put an entry for endpoint_template [14:26]
<kfarr> http://localhost:9311/v1/%(project_id)s [14:26]
<kfarr> This issue is fixed in Castellan, bte [14:26]
<kfarr> btw [14:26]
<dave-mccowan> kfarr, alee.  interesting.  this code will strip off the {project_id} and leave /v1/, so it works.  https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L105 [14:28]
*** xaeth is now known as xaeth_afk [14:28]
<alee> dave-mccowan, kfarr -- just updated my barbican-client , and now it works I think .. [14:28]
<alee> so it seems the fix was in barbican client [14:29]
<kfarr> alee, what was the fix? [14:31]
<kfarr> I really think you only need to specify the endpoint_template in nova.conf [14:31]
<alee> kfarr, I think specifying the endpoint_template in nova.conf will work [14:31]
<alee> kfarr, on the other hand, it seems that updating my barbican-client to the latest or similar appears to work too. [14:32]
<alee> testing to confirm but it appears that the key was retrieved [14:32]
<alee> kfarr, dave-mccowan ie. using latest client means not having to specify endpoint_template [14:33]
<alee> of course, I now have /v1 in the catalog now .. let me remove that .. [14:33]
<alee> not that that should make a difference I think due to nova code dave-mccowan pointed out [14:34]
<dave-mccowan> alee, kfarr, i don't see any code in the client that allows for /v1/ and not /v1/.  are you sure you don't also have a change to endpoint template? [14:34]
<kfarr> Ok, so in that code snippet in nova, it strips the v1, but only for when it passes the uri to the barbican client [14:35]
<kfarr> the real issue is that when that code was written, barbican had the v1 in the service catalog [14:35]
<kfarr> then somewhere along the way, that changed because keystone is now recommending removing the v1 [14:35]
<kfarr> so the code doesn't work unless you override the endpoint to have a v1 [14:36]
<dave-mccowan> kfarr and you have to override with http://localhost:9311:/v1/foo, because line 105 strips off the end of the URI. [14:37]
<kfarr> Yes that line strips off the v1, but that URI with the v1 stripped off is only used to create the barbican client [14:39]
<kfarr> The problem is when it creates the secret_ref [14:39]
*** shohel has quit IRC [14:39]
<kfarr> because it manually builds the secret ref given a uuid [14:39]
<kfarr> https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L233 [14:39]
*** xaeth_afk is now known as xaeth [14:39]
<kfarr> it uses: self._base_url + "/secrets/" + key_id [14:40]
<kfarr> Back in the __init__ function, if you don't provide an endpoint template, it goes to the endpoint catalog [14:40]
<kfarr> and the barbican uri in the endpoint catalog doesn't have a v1 [14:41]
<kfarr> self._base_url = _SESSION.get_endpoint(...) [14:42]
<dave-mccowan> kfarr gotcha.  _base_url is not stripped of its last param.  which makes me wonder, why do you have %(project_id)s in your example? [14:42]
<kfarr> because it does string formatting: [14:42]
<kfarr> https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L99 [14:42]
<dave-mccowan> kfarr is project id part of the secret ref? [14:43]
<kfarr> dave-mccowan, good point [14:44]
<kfarr> dave-mccowan, then maybe you can just override it to this: http://localhost:9311/v1/ [14:45]
*** zz_dimtruck is now known as dimtruck [14:45]
<alee> dave-mccowan, kfarr - is there a better way to test http://docs.openstack.org/juno/config-reference/content/section_testing_encryption.html ? [14:45]
<alee> dave-mccowan, kfarr - the test will show the string being written to the unencrypted volume just fine. [14:46]
<alee> and that we can't find the string in the encrypted volume [14:46]
<alee> how is that different from not having written to the encrypted volume at all? [14:47]
*** silos has joined #openstack-barbican [14:48]
<kfarr> alee, that's always how we demoed it [14:48]
<alee> kfarr, yup - not criticising the test -- it makes sense.  just wondering if we can do it in a way that proves we actually wrote the partition [14:49]
*** lvh has quit IRC [14:49]
<alee> kfarr, maybe I'll try mounting the disk .. [14:50]
<dave-mccowan> can you cat something before and after and show it growing?  also read and write, the value must have come back from somewhere. [14:50]
*** stevemar_ has joined #openstack-barbican [14:51]
<alee> yeah -- maybe read .. [14:51]
*** lvh has joined #openstack-barbican [14:51]
<kfarr> alee, just to clarify, were you able to get it working by modifying the endpoint_template or did you have to fiddle with other things too? [14:52]
<dave-mccowan> alee i assume if you can grep "/dev/stack-volumes/volume-*", you can also cat them. [14:52]
<alee> kfarr, give me just a sec -- I had added v1 to the catalog .. let me remove and confirm [14:54]
*** kebray has joined #openstack-barbican [14:57]
*** kebray has quit IRC [14:58]
*** edtubill has joined #openstack-barbican [14:58]
*** kebray has joined #openstack-barbican [14:59]
*** diazjf has joined #openstack-barbican [15:00]
*** diazjf has left #openstack-barbican [15:01]
*** mixos has joined #openstack-barbican [15:02]
<alee> kfarr, but to be clear -- I updated my python client and then things started to work [15:05]
<alee> no template change needed [15:05]
<kfarr> alee do you know what is different about the new python client? [15:05]
*** jaosorior has quit IRC [15:06]
<alee> kfarr, presumably it handles the versions?  have not looked yet .. [15:06]
*** jaosorior has joined #openstack-barbican [15:06]
<alee> kfarr, still confirming [15:06]
*** kebray has quit IRC [15:14]
*** everjeje has joined #openstack-barbican [15:17]
*** alee_ has joined #openstack-barbican [15:19]
<alee> kfarr, dave-mccowan ok  definitely works with new python-barbicanclient [15:24]
<kfarr> alee, great! [15:24]
<alee> kfarr, no special nova config required [15:24]
* dave-mccowan wonders how o.O [15:25]
<alee> kfarr, dave-mccowan -- I also added a step where I cat the disk and grep for the phrase I wrote  while on the vm [15:25]
<alee> works on the vm -- doesn't work outside [15:26]
<alee> as you'd expect [15:26]
<dave-mccowan> alee sweet.  are you going to push some doc or wiki? [15:26]
<jaosorior> alee: What works with the new python-barbicanclient? [15:26]
<jaosorior> anybody knows where redrobot is? [15:27]
<jaosorior> People have been asking for a release of python-barbicanclient [15:27]
<alee> dave-mccowan, better than that -- I'm working on a fork of some scripts to put it all together [15:27]
*** xaeth is now known as xaeth_afk [15:28]
<alee> dave-mccowan, the scripts will set up two vms - one with ipa (including dogtag) and one with barbican/ packstack [15:28]
<alee> and will set up and test volume encryption [15:28]
<alee> dave-mccowan, this is for the tokyo demo. [15:29]
<dave-mccowan> alee awesome.  where will you run the demo?  do you have a presentation? [15:29]
<alee> dave-mccowan, I'll also do silly things like register barbican as a service in ipa so we can get an ssl cert so we have https running on barbican [15:30]
*** kebray has joined #openstack-barbican [15:30]
<alee> dave-mccowan, red hat booth [15:30]
<alee> dave-mccowan, there will be a video .. [15:30]
<alee> dave-mccowan,  now that it's working I can start putting it together [15:31]
<alee> dave-mccowan, I'll send you the link to the repo once I update it [15:31]
<alee> jaosorior, I was using an old pythonclient and retrieving the key from nova was failing with 404 [15:32]
<dave-mccowan> alee thanks.  any clue on where in the code the /v1/ is added back?  i'm going to lose sleep. :-/ :-) [15:32]
<jaosorior> alee, ooh, I see [15:32]
<alee> jaosorior, the reason for that was that nova was constructing a url without the v1 [15:32]
<alee> jaosorior, I updated my client and now  it automagically works [15:33]
<jaosorior> alee: yeah, we did some changes to how the endpoints are handled [15:33]
<alee> jaosorior, so sometime someone fixed the client to make them handle the endpoint and add back the v1 [15:33]
<alee> jaosorior, maybe even you :) [15:33]
<jaosorior> it was me actually haha [15:33]
<jaosorior> IIRC, it's been a while [15:34]
<jaosorior> which makes me think [15:34]
<jaosorior> damn, you must have had a pretty old client [15:34]
<alee> jaosorior, well - the client  has only been updated in fedora recently [15:34]
<jaosorior> alee, I see [15:35]
<jaosorior> but yeah, we need to poke redrobot about a new python-barbicanclient release [15:35]
<dave-mccowan> jaosorior do you have a link to the CR?  i want to add it as a comment to another CR, for people who run across this issue. [15:35]
<alee> jaosorior, and even then it was later than that -- I think I had version 3.2.X [15:35]
*** kebray has quit IRC [15:35]
<alee> jaosorior, and no I have version 3.3.x [15:35]
<alee> jaosorior, so 3.2.X to 3.3.0 [15:36]
<alee> jaosorior, that doesn't sound that long ago .. [15:37]
<jaosorior> alee: Then it might have been another issue than what I'm thinking [15:37]
<jaosorior> what I had done is enable the getting of the endpoint through the keystone catalog, which we weren't doing before [15:38]
<alee> jaosorior, right -- but the keystone catalog entry used to include a v1 in it -- it no longer does [15:39]
<alee> jaosorior, so code must have been added between 3.2 and 3.3 to add it back [15:39]
*** kebray has joined #openstack-barbican [15:39]
<alee> (or handle it properly) [15:40]
<jaosorior> dave-mccowan: https://review.openstack.org/#/c/195453/ [15:40]
*** david-lyle has quit IRC [15:41]
*** kebray has quit IRC [15:42]
*** david-lyle has joined #openstack-barbican [15:42]
*** vivek-ebay has joined #openstack-barbican [15:43]
*** arunkant has quit IRC [15:48]
*** david-ly_ has joined #openstack-barbican [15:55]
*** david-lyle has quit IRC [15:55]
*** david-ly_ has quit IRC [15:56]
*** david-lyle has joined #openstack-barbican [15:56]
<openstackgerrit> Douglas Mendizábal proposed openstack/barbican: Add RBAC docs for Cloud Administrator Guide  https://review.openstack.org/231222 [15:57]
*** lisaclark1 has joined #openstack-barbican [16:01]
*** lisaclark1 has quit IRC [16:02]
*** arunkant has joined #openstack-barbican [16:03]
*** lisaclark1 has joined #openstack-barbican [16:04]
*** xaeth_afk is now known as xaeth [16:07]
*** kebray has joined #openstack-barbican [16:08]
<lisaclark1> morning barbicaneers [16:11]
<lisaclark1> does anyone know if there is a summary of all blueprints / bug fixes in the Liberty release?  or must I review the launchpads of our 3 milestone releases and the 2 RCs to get this summary view? [16:12]
*** su_zhang has quit IRC [16:14]
<redrobot> mornin' lisaclark1 [16:18]
<redrobot> lisaclark1 I don't think there's such a page yet.  Once RC2 becomes Liberty 1.0.0 then the release page will have all that info. [16:19]
<redrobot> lisaclark1 just like https://launchpad.net/barbican/kilo/2015.1.0 for Kilo [16:20]
<jaosorior> redrobot: Any python-barbicanclient release coming soon? :D [16:21]
<redrobot> jaosorior haven't taken a look recently, but we're definitely due for one [16:21]
<redrobot> jaosorior how much can we still change the openstack cli plugin after release? [16:22]
*** spotz is now known as spotz_zzz [16:23]
<lisaclark1> thanks redrobot.  that's the page for Liberty that I want ;-) [16:29]
<arunkant> dave-mccowan: ping [16:38]
<dave-mccowan> arunkant pong [16:38]
<arunkant> dave-mccowan: Just now saw your comment on https://review.openstack.org/#/c/211114/ [16:38]
<arunkant> you mentioned it's fixed by another review. But the issue is on nova side and not on barbicanclient [16:39]
<dave-mccowan> alee,kfarr, jaosorior, and i have been talking about it this morning.  alee got his deployment working by upgrading to a client with jaosorior's fix. [16:40]
<arunkant> dave-mccowan: Was he testing nova ephemeral or cinder volume encryption..cinder volume encryption works in devstack because default encryption_api_url has /v1 in it [16:42]
*** vivek-ebay has quit IRC [16:42]
<arunkant> dave-mccowan: whereas nova ephemeral tries to use keystoneclient to leverage version discovery which does not work [16:44]
<dave-mccowan> alee ^^     arunkant from code inspection, i agreed with you.  i did not expect it to work.  but, it did for alee. [16:45]
<arunkant> dave-mccowan: we tested nova ephemeral part last week and it works when specify /v1 in devstack local conf or in barbican endpoint in service catalog.. [16:47]
<arunkant> alee: Were you testing nova ephemeral storage or cinder volume encryption ? [16:48]
<alee> arunkant, testing cinder volume encryption -- and using packstack [16:48]
<alee> arunkant, where is the encryption_api_url  set? [16:49]
<arunkant> alee, okay..yes..that works because https://github.com/openstack/cinder/blob/master/cinder/keymgr/key_mgr.py#L29 [16:49]
<arunkant> alee, so default URL has /v1 in it and it works in devstack without any change. [16:50]
<alee> arunkant, ok  yes -- have not had any issues with cinder [16:50]
<alee> arunkant, I had issues with nova until I upgraded my client [16:50]
*** xaeth is now known as xaeth_afk [16:51]
<arunkant> alee, so it works as that URL is used as-is when creating secret_ref in cinder side..https://github.com/openstack/cinder/blob/master/cinder/keymgr/barbican.py#L46 and https://github.com/openstack/cinder/blob/master/cinder/keymgr/barbican.py#L217 [16:52]
*** lisaclark1 has quit IRC [16:52]
<alee> arunkant, why are we creating the url at all?  don't we return a reference to the secret in the order? [16:54]
<arunkant> alee, but in nova ephemeral storage case..it does not as there is no default defined and they try to identify url using keystoneclient version discovery..https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L102 [16:54]
<arunkant> alee, I think..service client stores only secret uuid .. [16:54]
<alee> arunkant, perhaps that should be changed -- this code will not work when we have barbican federation [16:55]
<arunkant> alee, so they need to construct secret_ref URL when they need to read the secret.. [16:55]
<arunkant> alee, yes it needs to be changed to provide "version" as additional parameter for version discovery [16:56]
<alee> arunkant,  so to be clear .. [16:57]
<arunkant> So may be add additional input in https://github.com/openstack/nova/blob/master/nova/keymgr/barbican.py#L93 [16:57]
*** kebray has quit IRC [16:57]
<alee> arunkant, when  i was cinder volume encryption with old barbican client, I was able to order and store the key in cinder, but was not able to retrieve the key from nova to attach it to a vm [16:58]
<alee> arunkant, because nova was not adding the v1 [16:58]
<alee> arunkant, I would think it  goes through the code you mention above. [16:59]
*** silos has left #openstack-barbican [16:59]
<alee> arunkant, with the new python-barbicanclient, it just works [16:59]
<alee> arunkant, do you have a link so I can test nova ephemeral? [17:00]
<arunkant> For cinder volume encryption.. For us, we tested like 4 weeks or may be earlier..it was working in devstack with default config [17:00]
<arunkant> alee, it's quite similar to cinder volume..but only thing is in devstack..you will need to set encryption_api_url , with /v1, in addition to setting keymt api_class [17:03]
<arunkant> s/keymt/ keymgr [17:03]
<openstackgerrit> Christopher Solis proposed openstack/barbican: Update Devstack documentation  https://review.openstack.org/230276 [17:03]
*** lisaclark1 has joined #openstack-barbican [17:03]
<alee> arunkant, and then test in exactly the same way? [17:04]
<arunkant> alee, this was the devstack conf ..http://paste.openstack.org/show/475637/ [17:06]
*** su_zhang has joined #openstack-barbican [17:11]
<arunkant> alee, I agree keymgr code on nova ephemeral storage should be modified to leverage version discovery and may be on cinder side, version discovery support needs to be added. [17:11]
<alee> arunkant, I'll try it out [17:12]
*** vivek-ebay has joined #openstack-barbican [17:13]
*** spotz_zzz is now known as spotz [17:15]
<kfarr> arunkant alee in castellan, version discovery was implemented.  Hopefully in the next cycle we will be working on replacing the nova and cinder key managers with castellan [17:24]
<arunkant> kfarr : +1 [17:26]
<kfarr> Though there still is a possible problem if federated Barbican is implemented because Castellan also does the manual recreation of secret refs [17:29]
*** xaeth_afk is now known as xaeth [17:44]
<lisaclark1> hi barbicaneers: quick poll of the room.  anyone happen to have a summit registration ticket that they're not able to use? [17:44]
<kfarr> lisaclark1 I have a registration code that I will not be using!  I will only be there in spirit :( [17:47]
<lisaclark1> kfarr: sorry to hear you won't be there :-(.  did you register with your code already and have an eventbrite ticket? [17:48]
<kfarr> lisaclark1, no I do not have an eventbrite ticket [17:48]
<lisaclark1> thanks kfarr.  i have a code also, but at this date it gives you a discount off the ticket price, but not a $0 ticket.  i was hoping to find someone that did register their code but isn't using their ticket. [17:49]
<kfarr> lisaclark1, oh I see! [17:50]
*** kebray has joined #openstack-barbican [17:59]
*** xek has quit IRC [18:07]
*** xek has joined #openstack-barbican [18:08]
*** su_zhang has quit IRC [18:14]
*** xaeth is now known as xaeth_afk [18:22]
*** silos has joined #openstack-barbican [18:26]
<openstackgerrit> Christopher Solis proposed openstack/barbican: Update Devstack documentation  https://review.openstack.org/230276 [18:29]
*** xaeth_afk is now known as xaeth [18:29]
*** su_zhang has joined #openstack-barbican [18:34]
<arunkant> can a core look into this and possibly provide workflow..https://review.openstack.org/#/c/208344/ [18:43]
*** lisaclark1 has quit IRC [18:43]
*** jaosorior has quit IRC [18:47]
*** jaosorior has joined #openstack-barbican [18:47]
<jaosorior> redrobot ping [18:47]
<redrobot> jaosorior pong [18:47]
*** kebray has quit IRC [18:58]
*** kebray has joined #openstack-barbican [19:01]
*** su_zhang has quit IRC [19:02]
*** kebray has quit IRC [19:04]
*** diazjf has joined #openstack-barbican [19:12]
*** diazjf has left #openstack-barbican [19:14]
*** lisaclark1 has joined #openstack-barbican [19:19]
<arunkant> kfarr: ping . [19:20]
<kfarr> arunkant pong! [19:21]
<arunkant> kfarr: Hi..question about kmip plugin. Is it possible to specify multiple host in kmip server host ? [19:22]
<kfarr> arunkant, no, it only supports one host [19:22]
<kfarr> arunkant, I think that was how the talk of federated Barbican got started, because each Barbican can only have one backend, including KMIP [19:23]
<arunkant> kfarr: Oh..so how are deployments supposed to provide HA around KMIP servers ? [19:24]
<arunkant> kfarr: One backend is fine..but the question is more around having multiple KMIP servers containing same data..primarily for high availability [19:25]
*** nelsnels_ has joined #openstack-barbican [19:25]
*** nelsnelson has quit IRC [19:25]
*** ryanpetrello has quit IRC [19:27]
<kfarr> arunkant, oh ok.  I did not realize that any of the other backends had failover options?  The current design meets our needs so far, but you pose an interesting point [19:27]
*** ryanpetrello has joined #openstack-barbican [19:27]
<arunkant> kfarr, in some clients library, client can switch to different server if the one of them happens to be down/unreachable for some reason. Otherwise client application has to implement that logic. [19:30]
*** lisaclark1 has quit IRC [19:31]
*** su_zhang has joined #openstack-barbican [19:33]
*** jaosorior has quit IRC [19:36]
*** su_zhang has quit IRC [19:37]
<arunkant> alee, in barbican, does dogtag plugin supports multiple host for client connection ? [19:41]
<alee> arunkant, not sure I understand what you mean by that ? [19:42]
<alee> arunkant, can I connect from where to where ? and what is multiple? [19:43]
<openstackgerrit> Merged openstack/barbican: Updated from global requirements  https://review.openstack.org/231224 [19:43]
<arunkant> alee, the question is around having multiple dogtag servers for HA ..does plugin supports that ? [19:43]
<alee> arunkant, gotcha -- so right now -- dogtag plugin can only talk to a single dogtag ca .. but .. [19:44]
<alee> dogtag has the ability to clone cas. [19:45]
<alee> so you basically end up with another ca that has the same signing certs and keys -- to all extents and purposes the same ca as the original [19:45]
<arunkant> alee, okay..so I am guessing cloning means creating passive server with same data.. [19:46]
<alee> with data replicated between them using the underlying db [19:46]
<alee> arunkant, they can be active active [19:46]
<alee> as they issue certs within different serial number ranges [19:46]
<alee> and the data is replicated [19:46]
*** everjeje has quit IRC [19:46]
*** dhellmann has quit IRC [19:47]
<alee> so if you had such a scenario - then you could put a load balancer in front of the cas [19:47]
*** dhellmann has joined #openstack-barbican [19:47]
<alee> and configure the plugin to talk to the vip on the load balancer [19:47]
<arunkant> alee, okay...what will be the process to make barbican use that cloned server in case primary went down for some reason ? [19:47]
<alee> well - if it's a load balancer and one server is down, the vip will automatically direct all traffic to the other server [19:48]
<alee> incidentally both cas and kras are cloned [19:49]
<arunkant> alee, okay...so haproxy (LB) kind of solution can handle dogtag session and request offloading to available server ? [19:50]
<alee> yes [19:50]
<openstackgerrit> Merged openstack/barbican: Add RBAC docs for Cloud Administrator Guide  https://review.openstack.org/231222 [19:51]
<alee> arunkant, this is how dogtag customers handle HA and load balancing for just dogtag deployments [19:51]
<arunkant> alee, okay. great. Thanks for clarifying it. [19:51]
<alee> arunkant, np -- let me know if you're trying to set it up :) [19:52]
<arunkant> alee, will reach out to you guys in near future..trying to understand how barbican plugin servers HA is handled. [19:53]
*** xaeth is now known as xaeth_afk [19:55]
*** lisaclark1 has joined #openstack-barbican [20:16]
*** kebray has joined #openstack-barbican [20:17]
*** kfarr has quit IRC [20:26]
*** xaeth_afk is now known as xaeth [20:27]
*** xaeth is now known as xaeth_afk [20:39]
*** xaeth_afk is now known as xaeth [20:46]
*** su_zhang has joined #openstack-barbican [20:52]
*** atiwari1 has quit IRC [20:53]
*** spotz is now known as spotz_zzz [21:03]
*** mixos has quit IRC [21:07]
*** silos has left #openstack-barbican [21:08]
*** lisaclark1 has quit IRC [21:27]
*** jamielennox|away is now known as jamielennox [21:32]
*** edtubill has quit IRC [21:36]
*** diazjf has joined #openstack-barbican [21:40]
*** diazjf has quit IRC [21:40]
*** spotz_zzz is now known as spotz [21:48]
*** kebray has quit IRC [21:48]
*** xaeth is now known as xaeth_afk [21:52]
*** spotz is now known as spotz_zzz [21:57]
*** su_zhang_ has joined #openstack-barbican [22:07]
*** lisaclark1 has joined #openstack-barbican [22:07]
*** lisaclark1 has quit IRC [22:08]
*** su_zhang has quit IRC [22:11]
*** lisaclark1 has joined #openstack-barbican [22:12]
*** kebray has joined #openstack-barbican [22:17]
<jhfeng> has anyone tried using softHSM with Barbican in devstack ? [22:24]
*** lisaclark1 has quit IRC [22:35]
*** stevemar_ has quit IRC [22:36]
*** stevemar_ has joined #openstack-barbican [22:37]
*** lisaclark1 has joined #openstack-barbican [22:38]
*** dimtruck is now known as zz_dimtruck [22:41]
*** stevemar_ has quit IRC [22:41]
*** su_zhang has joined #openstack-barbican [22:49]
*** su_zhang_ has quit IRC [22:52]
*** david-lyle has quit IRC [22:54]
*** david-lyle has joined #openstack-barbican [22:55]
*** lisaclark1 has quit IRC [22:57]
*** lisaclark1 has joined #openstack-barbican [22:57]
*** stevemar_ has joined #openstack-barbican [22:59]
*** lisaclark1 has quit IRC [23:01]
*** jhfeng has quit IRC [23:06]
*** david-lyle has quit IRC [23:10]
*** david-lyle has joined #openstack-barbican [23:10]
*** david-lyle has quit IRC [23:14]
*** yuanying has quit IRC [23:16]
*** david-lyle has joined #openstack-barbican [23:17]
*** david-ly_ has joined #openstack-barbican [23:19]
*** yuanying has joined #openstack-barbican [23:19]
*** david-lyle has quit IRC [23:21]
*** mixos has joined #openstack-barbican [23:29]
*** david-ly_ is now known as david-lyle [23:31]
*** kebray has quit IRC [23:42]
*** stevemar_ has quit IRC [23:47]
