Friday, 2018-08-10

vikram_darsi_Hi Team12:13
vikram_darsi_Any pointers on how to resolve this issue12:13
vikram_darsi_"ERROR barbicanclient.client [req-b3f2042b-608c-442b-a30b-6bc84b1dc143 admin admin] 4xx Client error: Not Found: Not Found. Sorry but your secret is in another castle."12:14
redrobotMan, some of our PKCS#11 tests are really terrible.12:59
ade_leeredrobot, dave-mccowan ping -- rc1 day13:31
ade_leeredrobot, dave-mccowan still waiting on second +2 for
redrobotis it release day for castellan also?13:33
redrobotI thought the libs were due a while back?13:33
ade_leeredrobot, thats past -- I'll need to get a feature freeze exception13:34
ade_lee(been trying to push this change for awhile now)13:34
redrobotade_lee, ack, looking now... give me a sec to refresh my mind on rsa13:51
ade_leeredrobot, dave-mccowan -- also need feedback on
dave-mccowanare you going for a FFE for the client?14:28
dave-mccowan.. in addition to castellan14:29
redrobotade_lee, merged the Castellan change.  RE: Validation, I think that in general, it's better to re-wrap exceptions though.14:34
ade_leeredrobot, we can do that in stein when we add the vault gate14:34
ade_leedave-mccowan, I think so14:35
ade_leedave-mccowan, redrobot whats the process for getting a FFE?14:35
redrobotI'll take a look at that barbicanclient change later today after I finish updating my patch.14:35
redrobotade_lee, eeeeh... it's been a while since I've had to do that.  I think email the ML?14:35
ade_leeredrobot, if you dont mind, please look at the client change first - in case I need to do some hoops to get a FFE14:36
redrobotade_lee, ack... I'll bump it up then.14:36
ade_leedave-mccowan, please look too.  the client change changes behavior - so I want to be sure to get input from multiple sources14:37
ade_leedave-mccowan, do you know if there is a process other than emailing ML for FFE?14:38
ade_leedave-mccowan, redrobot so -- maybe we push for FFE for the castellan change , but wait for the barbican-client one?14:52
ade_leeas the barbican-client one is a bug fix, we can always backport to rocky later once requirements repo is opened up again14:53
ade_leerm_work, will that work for you guys?14:53
ade_leedave-mccowan, redrobot ping16:35
ade_leedave-mccowan, redrobot let me know when ya'll are back -- gotta talk rc116:49
redrobotade_lee, what's up?17:11
ade_leeredrobot, dave-mccowan so I put up the email for the FFE for castellan17:47
redrobotade_lee, need +1s?17:48
ade_leeredrobot, dave-mccowan not going to do the same for the barbican-client change17:48
ade_leeredrobot, well - actually, right now , we need to figure out why its not merging ..17:48
ade_leeis. passing gate17:48
ade_leeso need some help with that ..17:49
ade_leeredrobot, for barbican rc1, I think the only change I'm really looking to get in is your change for thales17:49
ade_leeredrobot, if we can get it merged early next week, then I'll wait till then to cut rc1.  otherwise, we'll have to plan to have rc217:50
ade_leeand cut rc1 today17:50
redrobotade_lee, ack, I just have to clean up some pep8 errors and I'll get the non-WIP patch up17:50
ade_leeredrobot, ok - I'll review as soon as you get it up17:51
ade_leeredrobot, in the meantime though, any idea whats going on for castellan patch?17:51
ade_leeredrobot, dave-mccowan --
redrobotade_lee, weird... maybe a race condition where two secret stores in parallel are both successfully creating a kek ?17:55
ade_leeredrobot, yeah - I dont know .. trying one more recheck ..17:57
ade_leedave-mccowan, so just to re-iterate above17:58
ade_leedave-mccowan, for rc1, I'm basically waiting for redrobot fix for thales17:58
ade_leedave-mccowan, once that is in - I will cut rc117:58
ade_lee(rather than cutting today and re-cut next week for rc2)17:59
ade_leedave-mccowan, also -- if you can help figure out whats fgoing on in castellan patch not merging that would be great ..17:59
ade_leegonna try one more recheck -- but I'm a little at a loss ..18:02
dave-mccowani remember having that problem with find_or_create() before, with other objects.18:03
ade_leedave-mccowan, oh?  what was the issue/fix?18:04
dave-mccowanade_lee maybe this fix
dave-mccowanlol... no wonder it looks familiar:
openstackLaunchpad bug 1726378 in Barbican "MultipleResultsFound error in _find_or_create_kek_objects()" [High,Triaged]18:08
dave-mccowanade_lee at least we know it's nothing new18:09
ade_leedave-mccowan, um yeah --18:10
ade_leeso how did we get around it?18:10
ade_leecoz its rearing its ugly head again?18:11
dave-mccowani think all the timing bugs come out during release week.  probably the timing changes when zuul is under higher load.  (or gremlins)18:12
ade_leedave-mccowan, so recheck till it works?18:14
dave-mccowanwith fingers crossed18:14
ade_leeugh .. I guess the fix is to put some sort of lock there ..18:20
dave-mccowanyea, i'd think the whole point of a create_or_get() function would be to make it atomic.18:21
openstackgerritDoug Hellmann proposed openstack/castellan master: add python 3.6 unit test job
openstackgerritDouglas Mendizábal proposed openstack/barbican master: Refactor PKCS#11 to allow configurable mechanisms
redrobotade_lee, dave-mccowan ^^19:17
ade_leeredrobot, ack -- looking19:26
ade_leeredrobot, ping19:28
ade_leeredrobot, so -- with the sensitive/not-sensitive change - you no longer needed that special directive for thales hsm?19:29
ade_leeredrobot, do you recall if changing this would break safenet?19:29
redrobotade_lee, that's correct, we shouldn't need to override the Thales sanity check19:37
redrobotade_lee, as far as I can tell it shouldn't break anything.19:37
redrobotthere's a few attributes on the keks that barbican could read now instead of just being able to extract the key, but I don't think it matters19:38
ade_leeredrobot, ok19:39
ade_leeredrobot, you tested all this presumably against thales?19:40
ade_leeredrobot, made one comment ..19:41
redrobotade_lee, yep, well, patch 119:41
redrobotade_lee, ah yes, good catch, let me fix that real quick19:41
ade_leeredrobot, well -- I pointed out something that might have ended up breaking up -- so maybe we should test patch 219:42
ade_lee(or 3) in this case ..19:42
ade_leedoes passing an extra non-defined param result in a runtime  exception?19:43
openstackgerritDouglas Mendizábal proposed openstack/barbican master: Refactor PKCS#11 to allow configurable mechanisms
redrobotade_lee, yeah19:43
ade_leeredrobot, I'll +2 once you confirm that it all works against thales ..19:44
ade_lee(including barbican-manage :))19:44
redrobotade_lee, for sure.  I have to run to the vet with my cat right now, but i'll be back before too long.19:46
ade_leeredrobot, ok- just update on patch and/or irc19:46
ade_leedave-mccowan, please review19:47
ade_leewe might even get this tagged today :/19:47
openstackgerritMerged openstack/castellan master: Add code to generate private keys
rm_workredrobot / dave-mccowan i guess that's fine, though we'd like to get it in ASAP and backport as far as possible :/21:30
