Wednesday, 2016-08-31

00:04 <bknudson> one thing that's kind of interesting -- I changed memcache.py to create a file on import, and I only get 1 instance of the file even though I've got uwsgi configured for multiple processes
00:04 <bknudson> so looks like they're all sharing the one file descriptor
00:04 <bknudson> so I wonder if they couldn't also be sharing other file descriptors?
00:16 *** chlong has quit IRC
00:16 *** sdake has joined #openstack-keystone
00:21 *** sdake has quit IRC
00:25 *** ddieterly has joined #openstack-keystone
00:25 *** sdake has joined #openstack-keystone
00:30 *** itisha has quit IRC
00:33 *** tonytan4ever has quit IRC
00:37 *** ravelar has joined #openstack-keystone
00:39 *** spzala has joined #openstack-keystone
00:40 <dstanek> bknudson: that's odd. are you using uwsgi in multiprocess mode?
00:41 *** ravelar has quit IRC
00:41 *** wangqun has joined #openstack-keystone
00:42 <lbragstad> dstanek ah - damn!
00:42 <bknudson> dstanek: I changed my trace so it's associated with a single _Host
00:42 <lbragstad> dstanek I was wrong about https://review.openstack.org/#/c/355618/
00:42 <lbragstad> the last change I made
00:42 <lbragstad> apparently alter isn't allowed in expand
00:42 <lbragstad> cc dolphm ^
00:42 <bknudson> dstanek: http://paste.openstack.org/show/564942/ and it prints out the pid
00:42 <dstanek> bknudson: i need to provision a big VM now to try out those instructions
00:43 <bknudson> dstanek: so this shows opened in pid 6474, then there were a couple of readlines in 6474, but then it goes to pid 6499!!
00:43 *** spzala has quit IRC
00:44 <dstanek> lbragstad: lol, can we fix that test to allow destructive things in our migrations?
00:45 <dstanek> lbragstad: i can see why we wouldn't want to add a constraint in expand, but dropping one should be ok
00:45 <bknudson> uwsgi's got some options for keeping fds open: http://uwsgi-docs.readthedocs.io/en/latest/Options.html#safe-fd
00:47 <dstanek> bknudson: have you looked at setting close-on-exec?
00:47 <bknudson> dstanek: good q.
00:48 <bknudson> python-memcached does "s = socket.socket(self.family, socket.SOCK_STREAM)"
00:48 <bknudson> can I set CLOEXEC on that?
00:49 <dstanek> maybe. i would expect other problems with fds too
00:50 <dstanek> bknudson: iirc when we moved from flub to uwsgi we had to make our apps load lazily
00:50 <dstanek> and disable threading
00:50 <openstackgerrit> Merged openstack/keystone: Update developer docs for new rolling upgrade repos  https://review.openstack.org/359383
00:51 <bknudson> should be easy to set a breakpoint and see where the non-lazy memcache conn is coming from. maybe it's oslo.cache?
00:54 <bknudson> dstanek: http://paste.openstack.org/show/564956/
00:54 <dstanek> i wouldn't think you would see it in a breakpoint. it's just there because of the fork
00:54 *** asettle has joined #openstack-keystone
00:55 *** shaleh has quit IRC
00:57 <bknudson> dstanek: this is something that you just changed!
00:57 <bknudson> http://git.openstack.org/cgit/openstack/keystone/commit/keystone/common/cache/core.py?id=42eda48c78f1153081b4c193dc13c88561409fd3
00:57 <dstanek> ?
00:58 <bknudson> there's no apply_invalidation_patch anymore.
00:58 <dstanek> bknudson: nope, that's all gone
00:58 <dstanek> bknudson: did i fix on accident or make it worse?
00:58 <bknudson> for some reason that was getting a memcache client
00:58 <bknudson> good q. Need to get new keystone I guess
00:59 <bknudson> I'll first try setting CLOEXEC on the socket.
00:59 *** asettle has quit IRC
01:08 <bknudson> CLOEXEC didn't do it for whatever reason
01:11 <dolphm> lbragstad: is there any reason that ALTER should be in the expand instead of the contract?
01:12 *** esp has quit IRC
01:12 <dolphm> lbragstad: actually, why does the blob column need to be nullable at all?
01:13 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/362501
01:14 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/362510
01:16 <stevemar> rderose: o/
01:17 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/362510
01:17 <rderose> stevemar: :)
01:18 <rderose> stevemar: have a couple more ideas on this; now brute force approach :)
01:19 <rderose> stevemar: this one is ready https://review.openstack.org/#/c/358111/ :)
01:20 <bknudson> dstanek: when I start up keystone with your patch there are no memcache sockets opened.
01:20 <bknudson> unfortunately, keystone doesn't seem to work at all after I applied the patch
01:20 <dstanek> really?
01:20 <bknudson> well, after I upgraded everything
01:20 <dstanek> what happens?
01:20 <bknudson> didn't mean to upgrade everything, accidentally did a pip install -U
01:21 <bknudson> 2016-08-31 01:19:01.759 1391 ERROR keystone.common.wsgi DBError: (pymysql.err.InternalError) (1054, u"Unknown column 'password.self_service' in 'field list'") [SQL: u'SELECT password.id AS password_id, password.local_user_id AS password_local_user_id, password.pa
01:21 <dstanek> did you db_sync?
01:22 <bknudson> nope, just did that and now I'm testing again.
01:22 <bknudson> remember how during the meeting I was pooh-poohing your change and saying it didn't fix anything?
01:23 *** david-lyle_ has joined #openstack-keystone
01:23 <bknudson> Usually this fails in a couple of seconds.
01:24 <bknudson> it's possible that this is fixed by one of the other library changes I picked up. I'll have to try it again without all these changes.
01:24 <bknudson> also, can just wait until we pick up the new keystone with your change.
01:25 <bknudson> still scary that this could be broken at any time by a change that opens a memcache conn on init.
01:28 <stevemar> rderose: why can't we just set server_default to the created_at column?
01:29 <bknudson> browne: can you try with http://git.openstack.org/cgit/openstack/keystone/commit/keystone/common/cache/core.py?id=42eda48c78f1153081b4c193dc13c88561409fd3 to see if that fixes the memcache issues?
01:30 <rderose> stevemar: because it fails for older versions of mysql
01:30 <rderose> 5.5
01:30 <browne> bknudson: sure, it'll take me a while, but i'll give it a shot
01:30 <stevemar> rderose: that stinks
01:30 <rderose> stevemar: for mysql versions 5.5 and older, we would need to use timestamp
01:30 <rderose> stevemar: tell me about
01:30 <rderose> stevemar: not giving up yet, I've got a few more tricks up my sleeve ;)
01:31 <bknudson> browne: what it looks like was happening is that there were some connections opened in one process that another process inherited
01:31 <bknudson> and they wound up stomping on each other.
01:33 *** tonytan4ever has joined #openstack-keystone
01:33 *** EinstCrazy has joined #openstack-keystone
01:38 *** tonytan4ever has quit IRC
01:40 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Disallow new migrations in the legacy migration repository  https://review.openstack.org/363343
01:41 *** chlong has joined #openstack-keystone
01:42 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Disallow new migrations in the legacy migration repository  https://review.openstack.org/363343
01:46 *** ddieterly has quit IRC
01:50 <browne> bknudson: interesting
01:50 <notmorgan> bknudson: socket weirdness?
01:50 *** davechen has joined #openstack-keystone
01:51 <notmorgan> browne: or is this something not cache related?
01:51 <bknudson> notmorgan: yes, it looked like 2 processes wound up sharing the memcache socket.
01:51 <notmorgan> ah
01:51 <notmorgan> that should be impossible. we had(?) a mutex to prevent that.
01:51 <bknudson> notmorgan: http://paste.openstack.org/show/564942/
01:51 <notmorgan> or is this some wonkiness with thread local in memcache python lib
01:51 <notmorgan> we may want to just quickly roll a pymemcache backend and call it a day
01:51 <bknudson> I added the pid to the "readline data" line
01:52 <notmorgan> because then we aren't thread localling deep in the python-memcache lib
01:52 <notmorgan> stevemar: what did I promise to do earlier today? Oh right, rev event -> dict
01:52 <bknudson> I don't think it has anything to do with use of thread local
01:52 <notmorgan> bknudson: well it might make things weird(er)
01:54 * notmorgan has been dealing with cache issues all day
01:54 * notmorgan looks at shade
01:54 <bknudson> what's the issue?
01:54 <notmorgan> misuse of dogpile in the case of shade
01:54 <notmorgan> :P
01:55 <stevemar> notmorgan: oh right, that can go into rc
01:55 <notmorgan> negative caching (None/False values being cached in a way that was breaking nodepool)
01:55 *** spzala has joined #openstack-keystone
02:00 <stevemar> bknudson: since you already looked at it https://review.openstack.org/#/c/358872/ or i can get dstanek to look at it in the morning if you're heads down on something
02:01 <bknudson> stevemar: I'd rather see if the bug goes away given dstanek's change
02:01 <stevemar> bknudson: dstanek has something up?
02:01 <bknudson> stevemar: looks like http://git.openstack.org/cgit/openstack/keystone/commit/keystone/common/cache/core.py?id=42eda48c78f1153081b4c193dc13c88561409fd3 fixed it.
02:01 <dstanek> notmorgan: the mutex would prevent the forking behavior
02:02 <bknudson> by changing the code so that there aren't memcache clients created before forking
02:02 <stevemar> bknudson: i mentioned that it might and you called me crazy
02:02 <bknudson> stevemar: I know. I'm eating crow now.
02:02 <stevemar> bknudson: :)
02:03 *** EinstCra_ has joined #openstack-keystone
02:03 <stevemar> bknudson: nothing makes me happier than marking a bug as invalid
02:03 <bknudson> stevemar: the bug is valid. it's fixed.
02:04 <stevemar> ok ok, dupe, fix released; whatever takes it off my queue
02:04 <dstanek> if i accidentally fixed 2 extra bugs with that commit what do i win?
02:04 <bknudson> dstanek: you can tweet about it
02:05 <dstanek> and maybe that deserves a #success
02:05 <bknudson> definitely a #success.
02:05 <stevemar> dstanek: what's the first extra bug?
02:05 <stevemar> or other extra bug
02:05 <stevemar> bknudson: dstanek want to update https://bugs.launchpad.net/keystone/+bug/1609566 with details ?
02:05 <openstack> Launchpad bug 1609566 in OpenStack Identity (keystone) "500 error from revocation event deserialize" [Medium,In progress] - Assigned to Morgan Fainberg (mdrnstm)
02:06 <bknudson> stevemar: let's leave https://bugs.launchpad.net/keystone/+bug/1609566 open since we think that one might be something else.
02:06 *** EinstCrazy has quit IRC
02:06 <bknudson> I haven't been able to test this very well yet.
02:06 <stevemar> okay with me
02:06 <dstanek> stevemar: i'm building a test environment as we speak so that i can check for myself
02:06 <stevemar> cool
02:07 <stevemar> i was hoping it would close https://bugs.launchpad.net/keystone/+bug/1600393 and https://bugs.launchpad.net/keystone/+bug/1600394 :(
02:07 <openstack> Launchpad bug 1600393 in OpenStack Identity (keystone) "v2.0 catalog seen in v3 token" [High,Confirmed]
02:07 <openstack> Launchpad bug 1600394 in OpenStack Identity (keystone) "memcache raising "too many values to unpack"" [High,Confirmed]
02:07 <bknudson> those 2 should be closed by the change
02:07 <bknudson> well, I don't know about 1600393 now.
02:08 <stevemar> bknudson: can you comment on 394?
02:08 <bknudson> I never saw that one myself.
02:09 <stevemar> never mind then
02:10 *** ddieterly has joined #openstack-keystone
02:12 <bknudson> Updated https://bugs.launchpad.net/keystone/+bug/1600394
02:12 <openstack> Launchpad bug 1600394 in OpenStack Identity (keystone) "memcache raising "too many values to unpack"" [High,Confirmed]
02:12 <stevemar> thanks bknudson <3
02:12 <bknudson> It's nice to finally have some idea what the problem was.
02:16 *** sdake has quit IRC
02:17 *** sdake has joined #openstack-keystone
02:19 *** Michaellaneous has quit IRC
02:22 <stevemar> bknudson: the caching was broken :)
02:22 *** tqtran has quit IRC
02:24 *** EinstCrazy has joined #openstack-keystone
02:26 *** spzala has quit IRC
02:27 *** EinstCra_ has quit IRC
02:31 *** david-lyle_ has quit IRC
02:31 *** gyee has quit IRC
02:33 *** ddieterly has quit IRC
02:33 <openstackgerrit> Dolph Mathews proposed openstack/keystone: Fix nits in db migration dev docs  https://review.openstack.org/363358
02:34 <notmorgan> bknudson: oh we had a client pre-fork being made
02:34 <notmorgan> sigh
02:34 *** tonytan4ever has joined #openstack-keystone
02:38 *** tonytan4ever has quit IRC
02:38 *** tonytan4ever has joined #openstack-keystone
02:50 <openstackgerrit> Steve Martinelli proposed openstack/keystone: Fix nits in db migration dev docs  https://review.openstack.org/363358
02:52 *** chrisshattuck has joined #openstack-keystone
02:57 *** chrisshattuck has quit IRC
03:04 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/362501
03:07 *** zouyapeng has quit IRC
03:13 *** browne has quit IRC
03:21 *** tqtran has joined #openstack-keystone
03:26 *** dikonoor has joined #openstack-keystone
03:27 *** ayoung has quit IRC
03:34 *** esp has joined #openstack-keystone
03:34 *** dikonoor has quit IRC
03:38 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/362501
03:39 *** woodster_ has quit IRC
03:41 *** adriant has quit IRC
03:45 <openstackgerrit> Ha Van Tu proposed openstack/keystone: Config logABug feature for Keystone api-ref  https://review.openstack.org/363374
03:46 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/362501
03:47 *** namnh has joined #openstack-keystone
03:49 *** esp has quit IRC
03:51 *** esp has joined #openstack-keystone
04:13 *** Gorian has quit IRC
04:16 *** crinkle_ has joined #openstack-keystone
04:17 *** crinkle has quit IRC
04:26 *** su_zhang has joined #openstack-keystone
04:26 *** spzala has joined #openstack-keystone
04:31 *** spzala has quit IRC
04:35 *** ccneill_ has joined #openstack-keystone
04:35 *** ccneill has quit IRC
04:36 *** links has joined #openstack-keystone
04:38 *** chlong has quit IRC
04:39 *** chlong has joined #openstack-keystone
04:45 *** esp has quit IRC
04:45 *** chlong has quit IRC
04:47 *** su_zhang has quit IRC
04:48 *** ravelar has joined #openstack-keystone
04:50 *** su_zhang_ has joined #openstack-keystone
04:52 *** su_zhang_ has quit IRC
04:53 *** su_zhang has joined #openstack-keystone
04:54 *** esp has joined #openstack-keystone
04:57 *** su_zhang has quit IRC
04:57 *** chlong has joined #openstack-keystone
04:57 *** asettle has joined #openstack-keystone
05:02 *** asettle has quit IRC
05:10 *** sdake has quit IRC
05:10 *** sdake_ has joined #openstack-keystone
05:11 *** ccneill_ is now known as ccneill
05:21 *** jaosorior has joined #openstack-keystone
05:25 *** roxanaghe has joined #openstack-keystone
05:26 *** sdake_ has quit IRC
05:27 *** dikonoor has joined #openstack-keystone
05:27 *** ravelar has quit IRC
05:32 *** roxanaghe has quit IRC
05:33 *** sdake has joined #openstack-keystone
05:40 *** richm has quit IRC
05:50 *** ccneill has quit IRC
05:58 *** markvoelker has joined #openstack-keystone
06:15 *** pcaruana has joined #openstack-keystone
06:17 <openstackgerrit> Ha Van Tu proposed openstack/keystone: Config logABug feature for Keystone api-ref  https://review.openstack.org/363374
06:21 *** rcernin has joined #openstack-keystone
06:22 *** sdake has quit IRC
06:24 *** sheel has joined #openstack-keystone
06:34 *** markvoelker has quit IRC
06:36 <openstackgerrit> Ukesh Kumar proposed openstack/keystone: check for user existence, for role add to user  https://review.openstack.org/362606
07:03 *** namnh has quit IRC
07:08 *** tesseract- has joined #openstack-keystone
07:13 *** jpena|off is now known as jpena
07:26 *** spzala has joined #openstack-keystone
07:30 *** markvoelker has joined #openstack-keystone
07:31 *** spzala has quit IRC
07:35 *** markvoelker has quit IRC
07:42 *** spzala has joined #openstack-keystone
07:47 *** spzala has quit IRC
07:58 *** spzala has joined #openstack-keystone
08:00 *** zzzeek has quit IRC
08:00 *** joerch has joined #openstack-keystone
08:01 *** markvoelker has joined #openstack-keystone
08:01 *** zzzeek has joined #openstack-keystone
08:03 *** spzala has quit IRC
08:06 *** chlong has quit IRC
08:07 *** markvoelker has quit IRC
08:07 *** zhangjl has joined #openstack-keystone
08:10 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/318435
08:29 *** markvoelker has joined #openstack-keystone
08:30 *** auggy has quit IRC
08:30 *** rkrum has quit IRC
08:31 *** auggy has joined #openstack-keystone
08:34 *** markvoelker has quit IRC
08:38 *** samueldmq has quit IRC
08:39 *** samueldmq has joined #openstack-keystone
08:39 *** ChanServ sets mode: +v samueldmq
08:58 *** asettle has joined #openstack-keystone
08:59 *** markvoelker has joined #openstack-keystone
09:00 *** andreykurilin_ has joined #openstack-keystone
09:04 *** markvoelker has quit IRC
09:06 *** namnh has joined #openstack-keystone
09:25 *** andreykurilin_ has quit IRC
09:26 *** andreykurilin has joined #openstack-keystone
09:26 *** andreykurilin has left #openstack-keystone
09:29 *** markvoelker has joined #openstack-keystone
09:33 *** markvoelker has quit IRC
09:36 *** andreykurilin__ has quit IRC
09:36 *** andreykurilin has joined #openstack-keystone
09:45 *** code-R has joined #openstack-keystone
09:48 *** code-R_ has joined #openstack-keystone
09:51 *** code-R has quit IRC
09:57 *** markvoelker has joined #openstack-keystone
10:02 *** markvoelker has quit IRC
10:10 <openstackgerrit> Davanum Srinivas (dims) proposed openstack/keystone: [WIP] Testing latest u-c  https://review.openstack.org/318435
10:12 *** richm has joined #openstack-keystone
10:19 *** wangqun has quit IRC
10:24 *** davechen has left #openstack-keystone
10:25 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/362510
10:26 *** markvoelker has joined #openstack-keystone
10:26 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/362510
10:30 *** markvoelker has quit IRC
10:34 *** chrichip has joined #openstack-keystone
10:35 *** EinstCrazy has quit IRC
10:36 *** zhangjl has quit IRC
10:48 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/362510
10:49 *** sdake has joined #openstack-keystone
10:50 *** chrichip has quit IRC
10:51 *** chrichip has joined #openstack-keystone
10:53 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/362510
10:53 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/362501
10:54 *** code-R_ has quit IRC
10:55 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/362501
10:55 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/362510
10:56 *** chrichip has quit IRC
10:56 *** markvoelker has joined #openstack-keystone
10:56 <openstackgerrit> Ron De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/362501
10:57 *** chrichip has joined #openstack-keystone
11:00 *** markvoelker has quit IRC
11:03 *** code-R has joined #openstack-keystone
11:10 *** chrichip has quit IRC
11:11 *** chrichip has joined #openstack-keystone
11:18 *** chrichip has quit IRC
11:19 *** chrichip has joined #openstack-keystone
11:23 *** namnh has quit IRC
11:25 *** markvoelker has joined #openstack-keystone
11:26 *** chrichip has quit IRC
11:27 *** chrichip has joined #openstack-keystone
11:29 *** markvoelker has quit IRC
11:40 *** amakarov_away is now known as amakarov
11:40 <amakarov> stevemar, today
11:41 <amakarov> stevemar, starting right now
11:44 *** chrichip has quit IRC
11:45 *** chrichip has joined #openstack-keystone
11:53 *** asettle has quit IRC
11:56 *** markvoelker has joined #openstack-keystone
11:57 *** ddieterly has joined #openstack-keystone
11:58 *** asettle has joined #openstack-keystone
11:59 *** asettle has joined #openstack-keystone
11:59 *** spzala has joined #openstack-keystone
12:00 *** chrichip has quit IRC
12:00 *** chrichip has joined #openstack-keystone
12:01 *** markvoelker has quit IRC
12:02 *** ddieterly has quit IRC
12:03 *** spzala has quit IRC
12:04 *** jaosorior has quit IRC
12:06 *** jaosorior has joined #openstack-keystone
12:09 *** rodrigods has quit IRC
12:09 *** rodrigods has joined #openstack-keystone
12:12 *** jpena is now known as jpena|lunch
12:12 *** ddieterly has joined #openstack-keystone
12:16 *** sheel has quit IRC
12:24 *** markvoelker has joined #openstack-keystone
12:28 *** pauloewerton has joined #openstack-keystone
12:29 *** markvoelker has quit IRC
12:29 *** ddieterly has quit IRC
12:31 *** Michaellaneous has joined #openstack-keystone
12:31 <Michaellaneous> I am kinda majorly fucked I think.
12:31 <Michaellaneous> Someone suggested to me to delete the default domain to solve some issue.
12:31 <Michaellaneous> Now...nothing works.
12:31 <Michaellaneous> How can I re-enable token auth?
12:32 <stevemar> o/
12:33 <stevemar> Michaellaneous: you can recreate the default domain by running keystone-manage bootstrap
12:33 <Michaellaneous> Either --bootstrap-password argument or OS_BOOTSTRAP_PASSWORD must be set.
12:33 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Pre-cache new tokens  https://review.openstack.org/309146
12:33 <Michaellaneous> I suppose I need a password.
12:33 <stevemar> Michaellaneous: yep
12:34 <stevemar> amakarov: thanks!
12:34 *** openstackgerrit has quit IRC
12:34 *** openstackgerrit has joined #openstack-keystone
12:34 <amakarov> stevemar, let's wait for jenkins ))
12:34 <Michaellaneous> ERROR keystone DomainNotFound: Could not find domain: default
12:34 <Michaellaneous> :(
12:35 <stevemar> Michaellaneous: let me get some breakfast in me and i can help you out
12:35 <Michaellaneous> Thank you.
12:36 *** su_zhang has joined #openstack-keystone
12:38 <Michaellaneous> Also one thing I don't understand, I have a full system backup of when it was working.
12:39 <Michaellaneous> Trying to copy it over with a rescue system.
12:39 <Michaellaneous> And...it still doesn't work.
12:42 <stevemar> Michaellaneous: you're trying to create a fresh openstack install?
12:42 <Michaellaneous> No.
12:42 <Michaellaneous> It was working perfectly fine.
12:43 <Michaellaneous> Then I deleted the default domain because LDAP wasn't working and someone suggested it.
12:43 <stevemar> Michaellaneous: i saw a few messages yesterday from you about adding ldap
12:43 <Michaellaneous> Yeah.
12:43 <Michaellaneous> Well I removed that again.
12:43 <Michaellaneous> From the keystone conf
12:44 <stevemar> alright, what was the output of the bootstrap command? anything *before* the error?
12:45 <Michaellaneous> 2016-08-31 14:34:24.095 12879 WARNING keystone.assignment.core [req-b51cb88f-6b5f-49b3-b808-f9fdafa262b8 - - - - -] Deprecated: Use of the identity driver config to automatically configure the same assignment driver has been deprecated, in the "O" release, the assignment driver will need to be expicitly configured if different than the default (SQL).
12:45 <Michaellaneous> 2016-08-31 14:34:24.247 12879 INFO keystone.cmd.cli [req-b51cb88f-6b5f-49b3-b808-f9fdafa262b8 - - - - -] Domain default already exists, skipping creation.
12:45 <Michaellaneous> 2016-08-31 14:34:24.253 12879 CRITICAL keystone [req-b51cb88f-6b5f-49b3-b808-f9fdafa262b8 - - - - -] DomainNotFound: Could not find domain: default
12:48 *** woodster_ has joined #openstack-keystone
12:50 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Pre-cache new tokens  https://review.openstack.org/309146
12:51 *** jefrite has quit IRC
12:52 <Michaellaneous> I have never done bootstrap before.
12:52 <Michaellaneous> I followed this guide.
12:52 <Michaellaneous> http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-install.html
12:52 <Michaellaneous> And I mean it worked.
12:53 <stevemar> Michaellaneous: ahhh "Domain default already exists, skipping creation."
12:53 <Michaellaneous> Yeah and the next error is Domain not found.
12:53 <stevemar> Michaellaneous: interesting
12:54 *** markvoelker has joined #openstack-keystone
12:54 <stevemar> Michaellaneous: using mysql as your database?
12:54 <Michaellaneous> MariaDB
12:54 <Michaellaneous> Yeah, mysql
12:55 <stevemar> can you display whatever is in one of the tables?
12:56 *** jefrite has joined #openstack-keystone
12:56 <stevemar> Michaellaneous: kinda like... http://paste.openstack.org/show/565167/
12:57 <Michaellaneous> Yep hold on.
12:57 <stevemar> cool
12:57 <Michaellaneous> Yep it's there.
12:57 <Michaellaneous> https://i.imgur.com/oNRNPmK.png
12:58 <stevemar> okay, it's just got a funky ID instead of the usual "default"
12:58 <stevemar> i think the rdo guide does that now
12:58 <stevemar> meh, no difference
12:58 <stevemar> so, what's your openrc file look like ?
12:58 <stevemar> as long as that default domain is there, things are do-able
12:58 *** markvoelker has quit IRC
12:59 <Michaellaneous> http://pastebin.com/aKzSgtKM
13:03 *** EinstCrazy has joined #openstack-keystone
13:04 <stevemar> Michaellaneous: and what's the output of something like ... `openstack user list --debug`
13:04 *** markvoelker has joined #openstack-keystone
13:04 *** spzala has joined #openstack-keystone
13:05 <Michaellaneous> http://pastebin.com/3VrnP60p
13:05 <Michaellaneous> Wait.
13:05 <Michaellaneous> Using auth-plugin token endpoint?
13:05 <Michaellaneous> That...doesn't seem right.
13:05 *** ddieterly has joined #openstack-keystone
13:05 *** joerch has quit IRC
13:06 <Michaellaneous> Oh wait whoops..
13:06 <Michaellaneous> Sorry hold on.
13:06 <Michaellaneous> http://pastebin.com/PtYbCEh2
13:06 <Michaellaneous> Now I sourced admin-openrc
13:06 <stevemar> ah okay
13:09 *** ddieterly has quit IRC
13:10 <stevemar> Michaellaneous: still failing to auth, that's not good
13:10 *** markvoelker has quit IRC
13:11 *** raildo has joined #openstack-keystone
13:14 <Michaellaneous> Hm...
13:16 *** sdake_ has joined #openstack-keystone
13:18 *** jpena|lunch is now known as jpena
13:18 *** su_zhang has quit IRC
13:19 *** sdake has quit IRC
13:21 <breton> Michaellaneous: > 'user_domain_name': 'default', 'project_domain_name': 'default'
13:21 <Michaellaneous> Yes?
13:21 <breton> Michaellaneous: it should probably be Default and Default (note the case)
13:21 <Michaellaneous> Nope, didn't do it.
13:21 <Michaellaneous> It worked before with that.
13:22 <Michaellaneous> If I delete the keystone DB, do all of the identity stuff again.
13:22 <Michaellaneous> How much of my other services do I have to redo?
13:22 *** sdake_ is now known as sdake
13:22 <Michaellaneous> All of it I presume.
13:24 <breton> i highly doubt that "default" as name will work and ever worked before
13:24 <stevemar> Michaellaneous: eh, you can backup your db and try it
13:24 <Michaellaneous> How do I back it up?
13:24 <stevemar> if it messes up, restore the old one, you'll be in no worse state
13:24 <bknudson> the dbs typically do case-insensitive comparisons
13:25 <stevemar> http://www.liquidweb.com/kb/how-to-back-up-mysql-databases-from-the-command-line/
13:27 <Michaellaneous> Actually...where is the keystone db saved.
13:27 <Michaellaneous> When I use apache2 for auth.
13:29 <dstanek> Michaellaneous: what's the current error?
13:29 <Michaellaneous> http://pastebin.com/PtYbCEh2
13:30 <stevemar> amakarov: what about the invalidations, shouldn't those be conditional as well?
13:31 *** su_zhang has joined #openstack-keystone
13:31 <dstanek> Michaellaneous: do you have the server side log? the client side won't ever say why you got rejected
13:33 <Michaellaneous> 2016-08-31 15:33:02.201 12554 WARNING keystone.auth.controllers [req-b1d1eb85-cdc8-4a33-921a-c67c5b02cb76 - - - - -] Domain is disabled: 36d024eae7ea4865b87d1e29bd73cef5
13:33 <Michaellaneous> 2016-08-31 15:33:02.202 12554 WARNING keystone.common.wsgi [req-b1d1eb85-cdc8-4a33-921a-c67c5b02cb76 - - - - -] Authorization failed. The request you have made requires authentication. from 127.0.0.1
13:33 <dstanek> Michaellaneous: can you enable it?
13:33 <Michaellaneous> no
13:34 <dstanek> why not?
13:34 <openstackgerrit> Merged openstack/keystone: Fix nits in db migration dev docs  https://review.openstack.org/363358
13:34 <Michaellaneous> It can't find the command openstack domain
13:35 <amakarov> stevemar, looks like last rebase wasn't good :) What for region invalidation - it just should be there or we end up with false positive token validations
13:36 <dstanek> Michaellaneous: since you are in such a bad place i would say back up your DB and do the update by hand
13:37 <Michaellaneous> You mean redo keystone.
13:37 <dstanek> no, backup your DB and enable the domain
13:37 <rderose> henrynash: regarding 362510, just curious, what do you think it would do? I mean, the column would no longer allow nulls, so it would have to apply the default value
13:37 <dstanek> Michaellaneous: what release are you using?
13:37 <Michaellaneous> mitaka
13:38 <Michaellaneous> How do I enable the domain by hand?
13:38 <rderose> henrynash: working on a test to prove this out, but I can't imagine it not working
13:38 <openstackgerrit> Alexander Makarov proposed openstack/keystone: Pre-cache new tokens  https://review.openstack.org/309146
13:38 <dstanek> Michaellaneous: you'll have to update the database record
13:38 <dstanek> Michaellaneous: do you have any account that works?
13:39 <Michaellaneous> I don't have any openstack accounts that work, no.
13:39 *** su_zhang has quit IRC
13:39 <stevemar> dstanek: probably not
13:39 *** ddieterly has joined #openstack-keystone
13:39 *** su_zhang has joined #openstack-keystone
13:40 <dstanek> Michaellaneous: yeah, before you trash everything and spend all that time i'd try to manually fix it
13:40 *** chrichip has quit IRC
13:40 <Michaellaneous> Yeah.
13:40 *** EinstCrazy has quit IRC
13:41 <Michaellaneous> Hm...
13:41 <Michaellaneous> I think I am getting closer.
13:41 <Michaellaneous> When I tried to backup it says "No table "access_token".
13:41 *** chrichip has joined #openstack-keystone
13:41 <Michaellaneous> When I try to populate it I get the same error.
13:42 <dstanek> what are you doing to backup?
13:42 <Michaellaneous> sqldump
13:42 <Michaellaneous> mysqldump: Got error: 1146: "Table 'keystone.access_token' doesn't exist" when using LOCK TABLES
13:42 <dstanek> are you missing tables?
13:44 *** su_zhang has quit IRC
13:45 <Michaellaneous> Maybe?
13:46 <Michaellaneous> what if I create the table and then populate the DB again
13:46 *** chrichip has quit IRC
13:46 <Michaellaneous> I don't understand why my full system backup did not work...
13:46 <lbragstad> dolphm blob needs to be nullable so that triggers will prevent writes with the proper error on newton nodes during the migration?
13:46 <lbragstad> s/?//
13:47 *** chrichip has joined #openstack-keystone
13:47 <dolphm> lbragstad: so, if the old column is non-nullable, what error do you get on writes in newton?
13:48 <dstanek> Michaellaneous: can you paste a list of tables you have using 'show tables'?
13:50 <Michaellaneous> Hold on I am trying to figure mysql out.
13:50 <Michaellaneous> Sometimes doesn't want me to work
13:52 <Michaellaneous> dstanek, http://pastebin.com/hL0vHRDJ
*** esp has quit IRC13:54
dstanekMichaellaneous: odd. that looks correct13:54
*** ayoung has joined #openstack-keystone13:54
*** ChanServ sets mode: +v ayoung13:54
*** jamielennox|away is now known as jamielennox13:55
lbragstaddolphm you end up getting a 500 from sql saying it can't write to the credential table because blob is None (since the new code doesn't know about blob)13:59
lbragstaddolphm so - it's the same result just caused by a different error13:59
lbragstaddolphm this is the original error http://cdn.pasteraw.com/lv0hubtjes1an7km3h1nifsivcqb4xh14:00
lbragstadwhen blob is nullable14:00
*** links has quit IRC14:00
lbragstads/is/was not/14:01
dstaneklbragstad: does the alter not work after all or are you trying to find another way?14:01
*** jamielennox is now known as jamielennox|away14:01
lbragstaddstanek nope - the alter was right14:01
lbragstaddstanek I can alter the table to make blob nullable14:02
dstanekbknudson: i don't know what happened, but my env was cloning openstack all night and just finished14:02
*** chrichip has quit IRC14:02
lbragstaddstanek and the result is that triggers make the credential table read only14:02
*** jamielennox|away is now known as jamielennox14:02
lbragstaddstanek it just fails unit tests because of the banned sql operation14:02
bknudsondstanek: it does take a long time to setup & deploy14:03
*** chrichip has joined #openstack-keystone14:03
dstaneklbragstad: i added a comment on the review that shows how to stop that. did you see it?14:03
lbragstaddstanek yeah - modifying the patch and pushing for review14:04
*** sdake_ has joined #openstack-keystone14:06
*** sdake has quit IRC14:07
dstanekMichaellaneous: if that's not working you can either just run the 'update' since it's only a single row or maybe standup a new keystone node and see where you can get to14:08
Michaellaneousrun the update?14:08
*** tonytan4ever has quit IRC14:09
dolphmlbragstad: even with the trigger being BEFORE INSERT?14:09
lbragstaddolphm yep14:09
*** tonytan4ever has joined #openstack-keystone14:09
dolphmlbragstad: so, the column needs to be nullable but it will never contain a null value after a transaction?14:10
lbragstaddolphm once we make blob nullable the triggers are in place to make the credential table read only14:10
dstanekMichaellaneous: update that domain/project row in the database to enable it14:11
dolphmlbragstad: well, there's a tiny race there, but sure14:11
dolphmlbragstad: triggers are added later14:11
*** spzala has quit IRC14:12
dolphmlbragstad: your patch has a conflict btw14:12
lbragstaddolphm resolving it now14:12
*** spzala has joined #openstack-keystone14:12
openstackgerritLance Bragstad proposed openstack/keystone: Implement encryption of credentials at rest  https://review.openstack.org/35561814:13
Michaellaneousdstanek, ERROR 1146 (42S02): Table 'keystone.domain' doesn't exist14:15
*** spzala has quit IRC14:17
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449714:18
*** tonytan4ever has quit IRC14:18
*** esp has joined #openstack-keystone14:19
*** joerch has joined #openstack-keystone14:19
*** tonytan4ever has joined #openstack-keystone14:20
*** michauds has joined #openstack-keystone14:20
*** su_zhang has joined #openstack-keystone14:21
dstanekMichaellaneous: what's that from?14:23
Michaellaneoushold on a moment14:24
*** spedione|AWAY is now known as spedione14:24
dolphmdoes anyone use the file or path query operators in gerrit? i can't get something basic like this working: project:openstack/keystone file:"^keystone/*"14:26
lbragstaddolphm  try - file:"^keystone/common/sql/@"14:28
*** spzala has joined #openstack-keystone14:28
lbragstaddolphm  or in your case project:openstack/keystone file:"^keystone/@"14:28
dolphmlbragstad: thank you! that works - is that documented somewhere?!14:29
*** tonytan4ever has quit IRC14:30
dolphmrderose: if you use Partial-Bug on a patch, then the last patch in the series that finally fixes the bug should still be Closes-Bug14:31
*** tonytan4ever has joined #openstack-keystone14:31
rderosedolphm: okay14:31
dolphmrderose: otherwise the bug will be left hanging open14:32
lbragstaddolphm i clicked on a link somewhere a long time ago14:32
lbragstaddolphm but i think it was after a bunch of random googling14:32
rderosedolphm: thanks, done14:32
*** ksavich has joined #openstack-keystone14:33
Michaellaneousdstanek, it's when I wanna look at what is inside the domain table14:33
Michaellaneousbut everything is fucked14:33
Michaellaneousi cant even drop keystone14:33
dolphmrderose: is an arbitrary date for all databases really the best possible solution?14:34
rderosedolphm: the only possible solution :)14:35
rderosedolphm: unless we drop support for mysql 5.514:35
dolphmrderose: well, it's certainly not the *only* possible solution for ALL databases14:36
*** su_zhang has quit IRC14:36
rderose:)14:36
rderosedolphm: true14:36
rderosedolphm: I've tried a number of different options and this is the only one that works14:36
*** su_zhang has joined #openstack-keystone14:37
*** david-lyle_ has joined #openstack-keystone14:37
dolphmrderose: on 5.514:37
rderosedolphm: for 5.5, I would need to change the column type to timestamp14:37
rderosedolphm: however, this wouldn't work for postgres14:37
rderosedolphm: so would have to do something different there14:38
*** ddieterly is now known as ddieterly[away]14:38
dolphmrderose: what's wrong with timestamp in postgres?14:39
bknudsondoes openstack say what the min version of mysql is?14:39
bknudsonI assume you can't use 1.014:40
dolphmbknudson: packagers do14:40
*** ddieterly[away] is now known as ddieterly14:40
*** ravelar has joined #openstack-keystone14:40
dstanekMichaellaneous: sounds like you need to start over then. almost seems like your mysql installation is somehow messed up14:40
Michaellaneousyeh14:40
rderosedolphm: I don't know, zzzeek mentioned that in yesterday's chat, "for PostgreSQL, sqlite, others you need to stick with the DateTime + server_default=func.now()"14:40
*** su_zhang has quit IRC14:41
dolphmrderose: so, it's easy to check the engine and set a different server default14:41
*** su_zhang has joined #openstack-keystone14:41
rderosedolphm: right, but different column type14:41
rderose?14:41
dolphmrderose: besides datetime?14:42
rderosedolphm: right, mysql timestamp and postgres would be datetime14:42
dolphmrderose: i'm just suggesting you at least vary the default across engines, not the column type14:43
*** tonytan4ever has quit IRC14:43
dolphmrderose: so all of mysql receives the terrible default, but postgres is correct14:43
Michaellaneouswait14:43
MichaellaneousI deleted keystone14:43
Michaellaneousstarted over14:43
rderosedolphm: but I would have to vary the column type for it to work14:43
*** tonytan4ever has joined #openstack-keystone14:43
Michaellaneousit still gives me error that I am not authorized14:43
dolphmrderose: the next step would be identify the server's mysql version, and then only setting the terrible default in 5.514:43
rderosedolphm: or, given the complexity, hardcoding an arbitrary date :)14:44
rderosedolphm: as this doesn't have any side effects, since I'm updating the column values14:44
rderosedolphm: I understand the issue though, but given everything, this seems like an acceptable solution14:45
dstanekMichaellaneous: did you setup keystone already?14:47
rderosedolphm: because even if I identify the mysql version, I'm still forced to change the column type for that version, right?14:47
MichaellaneousI started from here: http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-install.html14:48
dolphmrderose: i guarantee we're going to get a bug report for password created in the past - when it's something other than epoch14:48
dstanekrderose: are you still struggling with a default date?14:48
dstanekMichaellaneous: what step did you get to?14:48
rderosedstanek: welcome to my wordl14:49
rderose*world14:49
*** tonytan_brb has joined #openstack-keystone14:49
dolphmrderose: when people run this migration 15 months from now, how will that arbitrary date choice by impacted by other PCI features?14:49
dstanekrderose: :-) it's weird because i have done it in the past. what is the problem? it just doesn't work?14:49
rderosedolphm: no way, it's being set in the model and a default is defined in the model14:49
MichaellaneousNext site openstack service create \14:49
Michaellaneous  --name keystone --description "OpenStack Identity" identity14:49
rderosedolphm: how about I guarantee we won't get a bug report14:50
rderose?14:50
rderosedolphm: I'm updating the created_at value14:50
rderosedolphm: see the update statement after making it not nullable14:50
*** tonytan4ever has quit IRC14:50
rderosedolphm: so when you run the migration, I overwrite the arbitrary default value14:51
dstanekMichaellaneous: are you using the ADMIN_TOKEN or did you create a real user?14:51
Michaellaneousadmin token14:51
dolphmrderose: then why choose an non-obvious arbitrary date if it's going to be discarded?14:52
dstanekdoes your OS_TOKEN environment value match what you have in the keystone.conf?14:52
rderosedolphm: so that I can make the column not nullable14:52
MichaellaneousYep.14:52
*** markvoelker has joined #openstack-keystone14:52
rderosedolphm: otherwise, I can't14:52
dolphmrderose: i'm asking about the specific date14:53
dolphmrderose: why choose something non-obviously arbitrary? why not epoch? why not the date the migration is actually run?14:53
rderosedolphm: oh14:53
bknudsonhttp://uwsgi-docs.readthedocs.io/en/latest/PythonDecorators.html#uwsgidecorators.postfork -- "uWSGI is a preforking (or “fork-abusing”) server"14:53
dolphmrderose: why not anything else other than a hardcoded value that will result in bug reports?14:53
bknudsonthat's a funny thing to say14:53
rderosedolphm: tried to do that, passing in a date, it didn't work14:53
dolphmrderose: you're just passing a string14:54
dolphmrderose: you can pass any string14:54
rderosedolphm: tell me about it14:54
rderose"'" + now + "'"14:54
rderosedidn't work14:54
rderosedolphm: tried server_default = now14:54
Michaellaneousdstanek, I got it. In a later config you disabled auth token14:55
bknudsonuwsgi - "If this behavior is undesirable for some reason, use the lazy-apps option."14:55
bknudsonI'll try this dstanek ^14:55
*** afred312 has joined #openstack-keystone14:55
bknudsonhttp://uwsgi-docs.readthedocs.io/en/latest/ThingsToKnow.html14:55
rderosedstanek: short story, server_default doesn't work with mysql 5.5 or older14:55
rderosedstanek: for default datetime values14:56
dstanekrderose: so are you going to manually alter columns?14:57
dstanekbknudson: yeah, that's what i was talking about yesterday14:57
dstanekbknudson: that fixes all fds.14:57
bknudsonoh, I didn't catch that.14:57
rderosedstanek: hardcoded in a date value as the server_default14:57
bknudsonoh, I thought that was a change you made in your code to make things lazy-load.14:58
bknudsonwhich is essentially what happened to fix the memcache issue14:58
bknudsonhttp://uwsgi-docs.readthedocs.io/en/latest/Options.html#lazy-apps14:58
bknudsonthere's also options "cheap" and "cheaper"14:59
bknudson(uwsgi has lots of options)14:59
*** david-lyle_ has quit IRC14:59
rderosezzzeek: what do you think of this option: https://review.openstack.org/#/c/362501/14/keystone/common/sql/migrate_repo/versions/105_add_password_date_columns.py15:02
zzzeekrderose: that's fine15:03
rderosedolphm: ^15:03
rderose:)15:03
zzzeekrderose: well, problem, if an application later on tries to insert data15:03
zzzeekrderose: now you get a garbage date in there15:03
rderosezzzeek: the application layer sets this value and the model has a default defined15:04
zzzeekrderose: you have an UPDATE right there: stmt = password_table.update().values(created_at=now)   why not just do an UPDATE on this column as well then set NOT NULL afterwards?15:04
*** dmellado is now known as dmellado|mtg15:04
zzzeekrderose: then you dont even need the server_default15:05
zzzeekrderose: FYI, when you do the ALTER and set NOT NULL with the default, it is doing the UPDATE in any case15:05
zzzeekyou just dont see it15:05
*** jamielennox is now known as jamielennox|away15:05
zzzeekrderose: there shouldnt be a server_default here at all if the app is relied upon to set the date in all cases15:05
*** slberger has joined #openstack-keystone15:06
zzzeekrderose: otherwise, someday something will be broken and the symptom will be, "hardcoded august 29 date in all our DB rows"15:06
rderosezzzeek: right, but I can't set it as nullable due to rolling upgrades issue15:07
zzzeekrderose: 1. create column as "nullable=True"  2. UPDATE column with date   3. ALTER column set nullable=False15:07
zzzeekrderose: oh youre worried about a write in between the UPDATE and the ALTER?15:08
rderosezzzeek: during a rolling upgrade, is old code adds a record, I could have a null value, right?15:08
rderose* if old code...15:08
*** jaosorior has quit IRC15:08
zzzeekrderose: yes.  but also, once you set this server default hardcoded to august 29, then for the next N days, old code will be putting crap in there15:09
dstanekbknudson: yeah, we had to lazy load applications because we had database connections and other service connections being cloned and that caused all kinds of havoc15:09
zzzeekrderose: you must change the datatype to TIMESTAMP for MySQL 5.5 only15:09
rderosezzzeek: right, but then datetime for everything else15:10
bknudsondstanek: I will likely propose a doc change and devstack change to set lazy loading for keystone.15:10
rderosezzzeek: seems more complicated to do that15:10
zzzeekrderose: the datatype is actually called TIMESTAMP on Postgresql in any case15:10
dstanekbknudson: cool. add me as a review pls15:10
bknudsondstanek: I wonder if the openstack-ansible does uwsgi?15:11
*** ddieterly is now known as ddieterly[away]15:11
*** ddieterly[away] is now known as ddieterly15:11
rderosezzzeek: what about other versions of mysql, sqlite15:11
rderose?15:11
bknudsonor any of the myriad other deployers15:11
zzzeekrderose: if you guys dont mind applications shoving a garbage date in there until all the old applications have been turned off, that's fine, sounds like a recipe for very embarrassing bugs IMO15:11
*** ddieterly is now known as ddieterly[away]15:11
dolphmzzzeek: ++15:12
rderosezzzeek: that's what Dolph said, although, I am updating that date after creating the column, so overwriting the values15:12
zzzeekrderose: changing datatype here not a big deal.  just call it TIMESTAMP15:12
zzzeekrderose: derr this is a brand new column.  it will work fine15:12
dstanekbknudson: they are just starting to15:12
rderosezzzeek: what about other versions of mysql and sqlite?15:13
rderosewill timestamp work?15:13
zzzeekrderose: SQLite doesn't have "real" datatypes so it doesnt matter what you name it there, SQLAlchemy's TIMESTAMP datatype will write strings to it like the DateTime type does15:13
dstanekbknudson: https://review.openstack.org/#/c/357539/10/templates/keystone-uwsgi.ini.j215:14
zzzeekrderose: I'd keep the func.now() default.  MySQL 5.5 w/ TIMESTAMP will accept it.   the only caveat is that only one column on the table can have this default for mysql 5.515:14
bknudsondstanek: "lazy-apps = true" -- these guys know what they're doing!15:14
rderosezzzeek: okay, let me try that.  thanks :)15:14
*** tonytan4ever has joined #openstack-keystone15:15
dstanekbknudson: i think that's common in Python land since apps typically do too much at import15:16
bknudson"add-header = Connection: close" -- that's going to lower your efficiency considerably.15:17
dstanekbknudson: only if you expect pipelined requests15:18
*** tonytan_brb has quit IRC15:18
bknudsonuwsgi server doesn't handle http pipelining anyways.15:19
dstaneki wonder what the middleware behavior is15:19
bknudsonpipelining has only been part of the http spec for 17 years.15:20
*** chrisshattuck has joined #openstack-keystone15:20
*** ddieterly[away] is now known as ddieterly15:20
*** ksavich has quit IRC15:20
dstanekbknudson: yep, it's too new15:20
*** hockeynut has joined #openstack-keystone15:21
*** pcaruana has quit IRC15:22
*** rcernin has quit IRC15:22
*** su_zhang has quit IRC15:25
*** su_zhang has joined #openstack-keystone15:26
openstackgerritAlexander Makarov proposed openstack/keystone: Pre-cache new tokens  https://review.openstack.org/30914615:28
*** esp has quit IRC15:29
rderosezzzeek: so like this: https://review.openstack.org/#/c/362501/15/keystone/common/sql/migrate_repo/versions/105_add_password_date_columns.py15:29
*** ksavich_ has joined #openstack-keystone15:30
*** su_zhang has quit IRC15:30
bknudsonbrowne was seeing this using apache... not sure if there's a similar option for lazy application loading there.15:30
*** browne has joined #openstack-keystone15:31
dstaneknot sure. i've never used mod-wsgi for anything real before15:33
*** dmellado|mtg is now known as dmellado15:33
*** code-R has quit IRC15:35
rderosezzzeek: getting an error: (sqlite3.OperationalError) Cannot add a column with non-constant default [SQL: u'\nALTER TABLE password ADD created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL']15:35
rderosezzzeek: will try to code around sqlite15:36
*** tonytan_brb has joined #openstack-keystone15:36
zzzeekrderose: yep15:36
bknudsonbrowne can switch to uwsgi15:36
*** tesseract- has quit IRC15:36
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/36250115:36
*** dikonoor has quit IRC15:37
brownebknudson: so that fix won't help me if i'm using eventlet still?15:37
*** tonytan4ever has quit IRC15:38
bknudsonbrowne: the commit should fix the problem for now. I'm worried that something will come along later that will break it again.15:38
*** ccneill has joined #openstack-keystone15:39
brownebknudson:  ok cool.  i'll give it a shot here soon.  just need an environment again15:39
Michaellaneousdstanek, I got everything to work again15:40
MichaellaneousThank you.15:40
*** sdake_ is now known as sdake15:40
dstanekMichaellaneous: np. did you see when you went wrong the first time?15:40
Michaellaneousnot really15:43
Michaellaneousi mean it worked before15:43
Michaellaneousthen someone told me to delete the default domain and do it with bootstrap instead15:44
Michaellaneousthat is when everything went downhill15:44
Michaellaneousbecause stupid LDAP won't work15:44
MichaellaneousDoes anybody here have a working LDAP configuration for openstack?15:44
browneMichaellaneous: yes15:45
brownebut ldap settings are very specific for each server15:45
Michaellaneousyeah i realize that15:45
Michaellaneouscould you still give me your confs15:45
MichaellaneousI guess keystone15:45
*** code-R has joined #openstack-keystone15:46
browneare you using multi-domain backend?15:46
*** EinstCrazy has joined #openstack-keystone15:46
*** EinstCrazy has quit IRC15:48
dstanekMichaellaneous: once you already have a default domain there is no reason to recreate it. 'keystone-manage bootstrap' is the new way to do it, but for now the old way still works15:48
*** markvoelker has quit IRC15:48
brownewell, there are caveats with the default domain15:49
browneonly keystone-manage bootstrap will create it with an ID of "default"15:49
browneotherwise you need to edit keystone.conf and add the generated UUID for that domain and restart keystone15:49
dstanekMichaellaneous: Michaellaneous here's how devstack configures it: https://github.com/openstack-dev/devstack/blob/master/lib/keystone#L22415:50
lbragstaddolphm dstanek stevemar https://review.openstack.org/#/c/355618/ passed with switching blob to be nullable in the expand step15:50
dstanekMichaellaneous: here's some ldif stuff from their setup https://github.com/openstack-dev/devstack/tree/master/files/ldap15:50
*** michauds has quit IRC15:51
dstanekmy successful ldap deployments are limited to having devstack set it up for me15:51
*** rcernin has joined #openstack-keystone15:54
Michaellaneoushmmmm15:56
Michaellaneouswhat does the manager ldi do?15:56
*** diltram has joined #openstack-keystone15:56
diltramhey, is there any documentation on how to implement keystone sessions in new projects?15:57
*** sheel has joined #openstack-keystone15:57
diltramI'm working on Octavia and we're trying to add that in two ways, on frontend apis and also on backend because we're using Service VM and we need to communicate with nova/neutron/barbican15:57
diltramI used all class specified here - http://docs.openstack.org/developer/keystoneauth/migrating.html#authentication-plugins15:58
ayoungstevemar, so, we are not very nice to people.  The Keystone page gives no indication that you need to use the openstack CLI to do anything. http://docs.openstack.org/developer/keystone/15:58
diltramand when I'm creating new Neutron/Nova client using that session I'm getting that I need to specify url endpoint when I'm not using auth15:59
diltramplugin15:59
ayoungwe need a link that says " here is how you do things to keystone"  that points to http://docs.openstack.org/cli-reference/openstack.html15:59
henrynashdid ATC codes get sent out already for Barcelona?15:59
dstanekhenrynash: a while ago15:59
diltramhenrynash: yes15:59
dstaneki got mine maybe a month ago15:59
henrynashdstanek: that's what I thought...15:59
ayoungAAAAAH ! and not even internal anchors15:59
henrynashdstanek: i seem to have lost my email....ok, I'll go hunting16:00
henrynashdstanek: do you remember who the From address was?16:00
*** gyee has joined #openstack-keystone16:00
dstanekfungi i think16:02
henrynashdstanek: ok, got it, thx16:03
fungishould show up as From: Jeremy Stanley <jeremy@openstack.org> (that's my work e-mail, i pretty much only use it for sending summit discount codes and security advisories)16:03
*** edtubill has joined #openstack-keystone16:04
*** michauds has joined #openstack-keystone16:04
fungii'm not generally a fan of using mailboxes on servers i don't run ;)16:04
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/36250116:07
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable  https://review.openstack.org/36250116:08
*** links has joined #openstack-keystone16:11
dstanekfungi: that's pretty hardcore16:11
fungiyou should see my tinfoil hat collection16:12
*** asettle has quit IRC16:12
*** ianw has quit IRC16:13
*** pauloewerton has quit IRC16:13
*** asettle has joined #openstack-keystone16:13
*** chrichip has quit IRC16:16
*** asettle has quit IRC16:17
*** chrichip has joined #openstack-keystone16:17
stevemarayoung: :( i recall we had some osc commands there16:18
ayoungstevemar, is that generated from git keystone/docs?16:18
stevemarayoung: we have http://docs.openstack.org/developer/keystone/configuration.html#example-usage16:19
stevemarand http://docs.openstack.org/developer/keystone/configuringservices.html#setting-up-services16:19
ayoungstevemar, we need to bump that up to its own page, I think16:20
ayoungtoo buried16:20
ayoungstevemar, if you are looking for help about how to do things with a remote keystone server, it is kind of frustrating to only see things about how to manage your own.  Which do you think is the dominant use case?16:23
*** eandersson has quit IRC16:25
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/36251016:27
openstackgerritRon De Rose proposed openstack/keystone: Fixes migration where password created_at is nullable before 105 fix  https://review.openstack.org/36251016:27
*** roxanaghe has joined #openstack-keystone16:28
*** ddieterly is now known as ddieterly[away]16:28
Michaellaneousso if I included my openstack with ldap16:32
Michaellaneoushow...do I configure roles and users with it16:33
*** ddieterly[away] is now known as ddieterly16:34
*** esp has joined #openstack-keystone16:36
stevemarayoung: the whole "configuration" page needs to be more prominent16:38
ayoungstevemar, worth a docs discussion at the summit, with that as one topic16:38
*** aswadr_ has joined #openstack-keystone16:39
stevemarayoung: wrote it down to remind myself in a few weeks16:39
stevemaramakarov: still around?16:42
amakarovstevemar, o/16:42
stevemaramakarov: can you create a release note for the work, then i'm +2 :)16:42
*** ddieterly is now known as ddieterly[away]16:42
amakarovstevemar, ack, will do16:42
*** ianw has joined #openstack-keystone16:43
*** ddieterly[away] is now known as ddieterly16:49
*** daemontool has joined #openstack-keystone16:50
*** ddieterly is now known as ddieterly[away]16:52
*** roxanaghe has quit IRC16:52
*** rreimberg has joined #openstack-keystone16:53
*** roxanaghe has joined #openstack-keystone16:54
amakarovstevemar, are there release notes for newton? I don't see the folder in the source tree17:00
stevemaramakarov: they all get dumped together under releasenotes/notes17:01
stevemaramakarov: magic happens based on git merges, and the site knows how to display them http://docs.openstack.org/releasenotes/keystone/17:02
stevemaramakarov: you can look at https://github.com/openstack/keystone/blob/master/releasenotes/notes/mapping_populate-521d92445505b8a3.yaml as an example17:03
*** code-R_ has joined #openstack-keystone17:06
*** pauloewerton has joined #openstack-keystone17:06
*** spzala has quit IRC17:09
*** code-R has quit IRC17:09
amakarovstevemar, should I add prelude part?17:09
stevemaramakarov: sure, "Tokens can now be cached when issued"17:10
stevemaramakarov: "prelude" and "new feature"17:10
*** ksavich_ has quit IRC17:11
stevemarbreton: were you going to backport the caching fix?17:12
stevemarbreton: i'm eager to get mfisch to test it out17:12
*** ddieterly[away] is now known as ddieterly17:13
openstackgerritAlexander Makarov proposed openstack/keystone: Pre-cache new tokens  https://review.openstack.org/30914617:14
amakarovstevemar, ^17:15
bretonstevemar: in progress17:15
*** su_zhang has joined #openstack-keystone17:15
*** markvoelker has joined #openstack-keystone17:15
*** jpena is now known as jpena|off17:17
*** code-R_ has quit IRC17:21
*** itisha has joined #openstack-keystone17:22
*** ddieterly is now known as ddieterly[away]17:22
*** su_zhang has quit IRC17:23
*** su_zhang has joined #openstack-keystone17:23
*** su_zhang has quit IRC17:24
stevemaramakarov: thx!17:24
stevemarbreton: thx to you too :)17:24
*** joerch has quit IRC17:24
stevemardolphm: want to take a final look at https://review.openstack.org/#/c/309146/2117:24
*** su_zhang has joined #openstack-keystone17:25
*** ddieterly[away] is now known as ddieterly17:27
*** bradjones has quit IRC17:38
*** bradjones has joined #openstack-keystone17:38
*** tonytan_brb has quit IRC17:38
*** pcaruana has joined #openstack-keystone17:39
*** bradjones is now known as Guest3037417:39
*** ddieterly is now known as ddieterly[away]17:43
*** markvoelker has quit IRC17:43
dolphmstevemar: why does it need to default to off? keystone.conf is supposed to represent our production-friendly defaults, and disabling caching is not production friendly at all17:45
dolphmi don't even understand why it should be optional17:45
stevemardolphm: both dstanek and bknudson seem a bit skeptical about the invalidation it can do, i'm okay with flipping it to default=True in one release17:50
lbragstadi'm breaking for lunch quick but when I get back I'm going to finish up some documentation on the rotation process for credential keys17:51
dolphmstevemar: what is the benefit of keeping it as false in the mean time? what do we expect to gain?17:51
stevemardolphm: stability, it'll continue to work as expected17:52
dolphmstevemar: i expect it to work faster17:52
stevemarbknudson: dstanek want to chime in here? i may not be speaking for you both correctly enough17:54
rderosestevemar: anything you want me to do for: https://review.openstack.org/#/c/358111/17:56
rderosestevemar: or, are you still digging into this one?17:56
stevemarrderose: still digging18:00
stevemargot distracted18:00
rderosestevemar: okay, cool18:00
stevemarrderose: should be good though18:00
rderosestevemar: alright18:00
bretonstevemar: dstanek: why does the patch combine both key_mangler and invalidation strategy?18:00
bknudsonstevemar: dolphm I haven't been able to do any perf testing on it and without that I wouldn't want it enabled.18:01
bretonstevemar: dstanek: oh i got it, nevermind18:02
bretonstevemar: dstanek: so... do we expect dogpile.cache to be 0.6.2 in stable/mitaka?18:02
stevemarbreton: oh... right18:03
bretonstevemar: dstanek: i thought relying on a new release of a lib is no-no18:03
bknudsonwe can't rely on a new lib being available on stable18:03
breton*for backporting18:03
stevemarbreton: for mitaka we're capped at 0.5.718:03
stevemarhttps://github.com/openstack/requirements/blob/stable/mitaka/upper-constraints.txt18:03
stevemardng18:03
* breton sighs18:04
bretonmaybe we could take an old version of dstanek's patch, the one that doesn't use strategy18:04
*** spzala has joined #openstack-keystone18:05
*** chrisshattuck has quit IRC18:05
*** thumpba has joined #openstack-keystone18:05
stevemarbreton: well that stinks18:06
*** su_zhang has quit IRC18:07
*** xenogear has joined #openstack-keystone18:12
*** gagehugo_ has quit IRC18:13
*** nk2527 has quit IRC18:13
*** chrisshattuck has joined #openstack-keystone18:14
*** xenogear has quit IRC18:17
*** ccneill has quit IRC18:17
*** tonytan4ever has joined #openstack-keystone18:18
*** spedione is now known as chris_hultin18:22
bretondstanek: are any of your old patches, that monkeypatched Region, good enough?18:22
*** ddieterly[away] is now known as ddieterly18:24
dstanekbreton: maybe? i think it would be pretty easy to convert that to be a subclass of Region again without going back18:24
dstanekbreton: the monkey patching shouldn't be necessary since i changed everything in keystone to use the new create_region18:25
bretondstanek: i don't understand about create_region. How does it prevent us from monkeypatching?18:26
*** ccneill has joined #openstack-keystone18:26
dstanekbreton: it doesn't prevent it. i just think we can get by without it since we can return our own region18:27
dstanekbreton: but if it's easier to monkey patch, i'm fine with it.18:27
bretondstanek: oh, ok, i got it.18:28
*** jaugustine has joined #openstack-keystone18:32
Michaellaneousdo I have to enable LDAP before I do all that user/domain/roles shit?18:35
*** xenogear has joined #openstack-keystone18:40
*** ddieterly is now known as ddieterly[away]18:41
*** gagehugo has joined #openstack-keystone18:44
*** ddieterly[away] is now known as ddieterly18:45
*** ddieterly is now known as ddieterly[away]18:46
*** esp has quit IRC18:46
stevemarMichaellaneous: enabling ldap can be your last step18:46
Michaellaneousokay18:46
Michaellaneousthat makes little sense to me18:46
Michaellaneoushow am I gonna create users/roles then?18:46
stevemarMichaellaneous: you create users/roles and all that for your default domain, when that's all setup and working you can create another domain (foo), and associate it with an ldap connection18:48
Michaellaneousohhhhhh18:48
Michaellaneousand I use the admin of the default domain18:48
Michaellaneousto add users to the ldap domain18:48
*** thumpba has quit IRC18:49
*** thumpba has joined #openstack-keystone18:49
stevemarMichaellaneous: slightly... you use the admin of the default domain, think of him as the overall cloud admin, to create projects that the ldap users can use.18:49
Michaellaneousokay18:49
stevemarMichaellaneous: the ldap users should be able to just log in18:49
stevemarno need to "create" them, we strictly read from ldap18:49
Michaellaneousbut I still have to create roles for the ldap stuff.18:49
stevemarright18:49
Michaellaneousyeah and that is where I fall flat18:49
Michaellaneousnot sure how to associate an existing ldap user18:50
Michaellaneouswith...rights, and projects.18:50
stevemarMichaellaneous: i've got a blog post written up on this stuff, let me shoot it over to you18:50
Michaellaneousthat would be amazing18:50
stevemarMichaellaneous: https://developer.ibm.com/opentech/2015/08/14/configuring-keystone-with-ibms-bluepages-ldap/ -- except i don't setup the default bits18:50
stevemarMichaellaneous: maybe try whipping this all up with a devstack instance first? that would save you some of the pain you had earlier in trying to salvage stuff18:51
Michaellaneousoh it works all now again18:51
*** amakarov is now known as amakarov_away18:51
Michaellaneousi use a 6 server setup18:51
Michaellaneousand this has to be running for in a few days18:51
Michaellaneousso if I start again with DevStack and something goes wrong?18:51
Michaellaneouscan devstack even do multiple serverS?18:51
stevemarMichaellaneous: not easily, i think it's possible but i've never tried18:52
Michaellaneousyeah see18:52
MichaellaneousI have like 5 high powered servers18:52
stevemarif you've got the default stuff working then stick with that18:52
MichaellaneousLDAP is a project requirement18:52
Michaellaneousmy chef wants it18:52
Michaellaneousbecause this is used with students18:52
Michaellaneousand creating multiple accounts for each service we have running is a pain18:52
*** david-lyle_ has joined #openstack-keystone18:52
*** david-lyle_ has quit IRC18:52
stevemarMichaellaneous: most folks create the service accounts, like admin/nova/etc, in sql, its just a one time setup18:53
*** nk2527 has joined #openstack-keystone18:53
MichaellaneousYeah I have done that18:53
MichaellaneousI just want user accounts on ldap18:53
MichaellaneousThe service can stay like that.18:53
MichaellaneousSo step one is to create a new domain18:53
stevemarMichaellaneous: yep18:55
MichaellaneousDo I need a domain specific config for my default domain?18:55
stevemari updated the page again18:56
stevemarMichaellaneous: no, just for non-default ones18:56
*** sheel has quit IRC18:56
Michaellaneousdo you have phpldap?18:57
*** ddieterly[away] is now known as ddieterly18:59
Michaellaneousstevemar, just so I can compare the values with your ldap structure19:00
bretondstanek: why did you redefine get, set, get_multi etc in https://review.openstack.org/#/c/349704/10/keystone/common/cache/core.py ?19:00
*** esp has joined #openstack-keystone19:01
stevemarMichaellaneous: i do not19:04
Michaellaneousdamn19:04
stevemari used jxplorer19:04
Michaellaneouslemme try to figure this out and I'll come back to you in a minute19:05
MichaellaneousI don't have ibmPerson19:06
Michaellaneousobviously. what else could I use19:06
MichaellaneousinetOrgPerson?19:06
stevemarinetOrgPerson ?19:07
Michaellaneoushttps://i.imgur.com/Lb5t7JW.png19:07
stevemarlooks like it19:08
Michaellaneousdamn I don't have a uid tho19:08
Michaellaneousill just use the date created as ID19:10
dstanekbreton: you mean in my older reviews?19:11
*** links has quit IRC19:13
Michaellaneousstevemar, http://pastebin.com/8BGyJruK19:14
Michaellaneoushttps://i.imgur.com/FmSRH4J.png19:14
Michaellaneoushttps://i.imgur.com/37mR4VP.png19:14
dstanekbreton: i think all you need to do is make RegionInvalidationManager as subclass of CacheRegion and maybe rename to CacheRegion like i had in older reviews19:15
dstanekbreton: then rename the invalidate_method to invalidate19:15
dstanekbreton: and for bonus point rename the vars used to hold a reference to the region (currently name *invalidation_manager)19:16
*** ddieterly is now known as ddieterly[away]19:16
Michaellaneousstevemar, I followed your guide, and it seems...everything is working19:20
*** ddieterly[away] is now known as ddieterly19:20
MichaellaneousExcept I can't find the user19:20
*** daemontool has quit IRC19:23
*** gyee has quit IRC19:29
stevemarMichaellaneous: hmm, maybe one of the ldap query/scope options is bad19:30
Michaellaneousin the apache2 keystone log19:30
MichaellaneousI always get a warning that domain default could not be found19:30
Michaellaneousbut...I can still run commands19:30
*** aswadr_ has quit IRC19:31
Michaellaneousalso, looking at that log it still seems to try and get the user from keystone19:32
Michaellaneousas opposed to ldap19:32
*** sdake_ has joined #openstack-keystone19:32
*** sdake has quit IRC19:33
*** sdake has joined #openstack-keystone19:35
*** sdake_ has quit IRC19:36
stevemarMichaellaneous: sorry, was in a meeting - how are things now?19:42
stevemarlbragstad: will you merge dolphm's changes from https://review.openstack.org/#/c/360723/ into your base implementation?19:43
Michaellaneousgive me a second19:43
Michaellaneousah19:45
Michaellaneousahahhhhh19:45
Michaellaneousit works19:45
*** ddieterly has quit IRC19:45
Michaellaneousroot@wildcat:~# openstack user show testuser --domain ldapdomain19:46
Michaellaneous+-----------+------------------------------------------------------------------+19:46
Michaellaneous| Field     | Value                                                            |19:46
Michaellaneous+-----------+------------------------------------------------------------------+19:46
Michaellaneous| domain_id | c8a0996b5f4b4d299a1aa8698aff68cc                                 |19:46
Michaellaneous| id        | 06e5d6e104789f805f5161609f99a982e39b63c5b885e6c5366c7e96b595e0d9 |19:46
Michaellaneous| name      | testuser                                                         |19:46
Michaellaneous+-----------+------------------------------------------------------------------+19:46
Michaellaneousyeah boiii19:46
stevemarMichaellaneous: so you did that as your cloud admin correct?19:47
Michaellaneousyes19:47
stevemarMichaellaneous: nice19:47
Michaellaneousnormal admin openrc file19:47
stevemarnow you can try to authenticate as that user :)19:47
Michaellaneoushold on, gotta fix groups first19:47
stevemarMichaellaneous: a minimal set of options should be ... $ openstack token issue --os-username testuser --os-password MYPASS --os-user-domain-name ldapdomain --os-auth-url YOUR_URL --os-identity-api-version 319:48
stevemarthis is assuming you are using a newish openstackclient19:48
stevemar~2.6.019:48
Michaellaneouswell, I still have issues with groups19:48
stevemarwomp womp :(19:49
Michaellaneousnope19:49
Michaellaneousit was my stupidity19:49
Michaellaneousall fixed19:49
stevemardolphm: does the config option in precaching make it non +2 able?19:49
stevemarMichaellaneous: nice19:49
stevemardolphm: cause i'm either upsetting you or bknudson :)19:50
stevemarcan't please everyone :(19:50
bknudsonthey could also post performance results19:50
dolphmbknudson: steve did, i believe amakarov_away did, and i was hoping to see lbragstad's results myself19:51
bknudsonalso, my complaint isn't about the config option. I asked that the code be refactored so that it works correctly first.19:51
Michaellaneousstevemar, one thing is strange tho19:52
Michaellaneouswhen I say "what groups is this user in"19:52
Michaellaneousit correctly tells me "students"19:52
Michaellaneousbut when I do it the other way around19:52
Michaellaneousi dont get any answer19:52
MichaellaneousI think it has to do with memberattribute19:52
stevemar18:38:55 <bknudson> what if there was a config option to enable pre-caching of tokens?19:52
bknudsonif people are seeing better performance then I would be fine with this.19:52
bknudsonI'm fine with there being no config option19:53
stevemar*tosses up hands in frustration*19:53
bknudsonI'm not fine with the complexity of the implementation19:53
stevemarMichaellaneous: sounds like it, if it's working for most other things it's probably a setting you're missing19:53
stevemaror have set incorrectly19:53
bknudsonstevemar: I made that comment because I didn't think there was any proof that the performance was improved19:53
lbragstadi believe the performance bot tested it but we had to make changes since osa didn't enable caching19:54
stevemarbknudson: what is it about the implementation you do not like?19:54
stevemarscrap this, i'm going to approve it19:55
stevemardolph, make your already smart ansible even smarter19:55
stevemarat this point we're being douches to amakarov_away19:55
dstanekbreton: stevemar: looking at https://review.openstack.org/362785 - this check only happens if fernet is configured right?19:56
*** code-R has joined #openstack-keystone19:57
bknudsonit's having to set for both self._validate_v3_token, self._validate_token, and self.validate_non_persistent_token19:57
bknudsonthere should only be one path to get a token so that they can all share the cache19:57
bknudsonthere's also a self._validate_v2_token19:58
*** su_zhang has joined #openstack-keystone19:58
Michaellaneousso19:59
Michaellaneousthis is my group thingie20:00
Michaellaneoushttp://pastebin.com/0JgBZDBD20:00
Michaellaneousand as I said. I can find groups via users, but the other way around I get no output20:00
Michaellaneousthe fact that it works one way but not the other20:00
Michaellaneousbothers me20:00
Michaellaneousand directly looking for the group works too20:01
dstanekMichaellaneous: have you debugged the queries to see what they are doing?20:02
Michaellaneouswhere can I do that?20:02
Michaellaneousi haven't found the log for that20:02
stevemaryeah, the keystone server logs should have that info20:03
dstaneksetting the debug setting in the config like we talked about yesterday20:03
*** gyee has joined #openstack-keystone20:03
stevemarMichaellaneous: depends on where, but /var/logs/apache2/keystone.log ?20:03
*** tonytan4ever has quit IRC20:03
stevemaralso you'd need to be in debug mode20:03
stevemarMichaellaneous: but you'd be able to see the exact query it's trying to perform using ldapsearch20:03
dstanek[DEFAULT]/debug and [ldap]/debug_level i think20:03
stevemarMichaellaneous: with that, you can take that query and run it from a terminal, see where it's going wrong20:04
*** chrisshattuck has quit IRC20:04
openstackgerritChris Spencer proposed openstack/keystone: Add documentation on how to set a user's tenant.  https://review.openstack.org/36329220:04
dstanekbknudson: one path means there is no choice20:07
*** chrisshattuck has joined #openstack-keystone20:07
*** sigmavirus is now known as sigmavirus|awa20:07
bknudsondstanek: that is very zen20:08
Michaellaneousi cant make a lot of this debug output20:08
bknudsonif v2 doesn't work, I can use v3 or validate_non_persistent_token instead!20:08
Michaellaneoushttp://pastebin.com/JE53gFvd20:09
dstanekyou may just feel like it's a v2 kinda day20:09
*** esp has quit IRC20:09
*** code-R_ has joined #openstack-keystone20:09
stevemarMichaellaneous: whats the output of `openstack group list --user testuser --user-domain ldapdomain`20:10
*** chrissha_ has joined #openstack-keystone20:10
Michaellaneous+------------------------------------------------------------------+-----------+20:10
Michaellaneous| ID                                                               | Name      |20:10
Michaellaneous+------------------------------------------------------------------+-----------+20:10
Michaellaneous| b402b47b00f008e89e48cfb0f94aa91407c4baaafdd0c015335786f7bf253000 | testgroup |20:10
Michaellaneous+------------------------------------------------------------------+-----------+20:10
dstanekMichaellaneous: that looks to be client output again20:10
Michaellaneousbut I don't have a testgroup20:11
Michaellaneousin my default domain client setup20:11
bknudsondstanek: btw - changing to lazy-apps=true worked.20:11
bknudsonI'll propose changes to keystone docs and devstack20:12
*** code-R has quit IRC20:12
*** chrisshattuck has quit IRC20:12
stevemarMichaellaneous: the groups are coming from ldap, not from your keystone default domain20:13
Michaellaneousyes20:13
Michaellaneousbut thats good20:13
stevemarMichaellaneous: so... that's correct to me20:13
Michaellaneousisnt it?20:13
Michaellaneousi also tried login to dashboard20:13
Michaellaneousit says "Not part of any projects"20:13
Michaellaneouswhich is also good20:13
Michaellaneousi think20:13
dstanekbknudson: awesome. it also fixes bugs we didn't know we had20:13
stevemarMichaellaneous: did you grant a role on a project to either the ldap user or ldap group?20:13
bknudsondstanek: y, I wonder if opening sockets too early is a bug? (and if there would be any way to detect it for a test)20:14
Michaellaneousnot yet20:14
bknudsondstanek: I guess it would save a little bit of memory to be able to lazy-load=false20:15
bknudsoncould fork a process that imports keystone and loads application and checks for open files20:17
bknudsonbut then it would depend on the configuration and whatever libs do20:18
dstanekbknudson: back in the day i put a lot of work into flup to deal with these issues. basic architecture was a parent process that was easy to preload with code and data, then children that really did the work20:18
stevemarMichaellaneous: okay, so even though the ldap user can login, they won't be able to do much until they have access to work on a project20:18
dstanekthere were actually 2 levels of parents P0 -> P1 -> children20:18
openstackgerritChris Spencer proposed openstack/keystone: Add documentation on how to set a user's tenant.  https://review.openstack.org/36329220:19
stevemarMichaellaneous: you, as the cloud admin, can create them a project in the domain we created earlier, and grant individual users access or entire groups20:19
bknudsondstanek: that's a sensible setup20:19
dstanekyou could HUP P0 to create a new P1 process with new code and as the number of children grew on the new process it would reap the old ones20:19
dstanekallow for a hotswap of code with no downtime at all20:19
bknudsonI wonder if uwsgi's emperor mode allows that20:20
Michaellaneousstevemar, yeah just figuring out how :V20:20
bknudsonthere's probably 20 uwsgi options about it20:20
bknudson"set the Emperor tolerance about cursed vassals" ??20:21
bknudson"put the Emperor in Tyrant mode"20:21
bknudson"run the emperor in BroodLord mode"20:21
*** esp has joined #openstack-keystone20:21
dstanek++ for tyrant20:22
bknudsontyrants are better than broodlords?20:22
stevemarbknudson: no dictator mode option?20:22
stevemarwhat about overlord?20:23
*** chrissha_ has quit IRC20:23
dstanek--as-Trump?20:23
bknudson"set the maximum time (in seconds) a mule can take"20:23
bknudson"Zerg mode"20:24
bknudsonuwsgi is pretty wacky20:25
Michaellaneousstevemar, works!20:25
Michaellaneouswell, i still cant view users in group20:25
Michaellaneousbut it works20:25
*** hockeynut has quit IRC20:26
*** chrisshattuck has joined #openstack-keystone20:27
*** jdennis has quit IRC20:37
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449720:37
*** jdennis has joined #openstack-keystone20:38
lbragstadin order for us to land the grenade change for encrypted credentials (https://review.openstack.org/#/c/362450/) , we need to have a merged release note20:41
lbragstadso I rebased the credential encryption doc patch on master so that it can merge before the implementation20:42
lbragstadsince the implementation needs to have the grenade change merged first20:42
lbragstaddoc patch is now here - https://review.openstack.org/#/c/354497/1520:42
openstackgerritBrant Knudson proposed openstack/keystone: Update sample uwsgi config for lazy-apps  https://review.openstack.org/36392920:44
lbragstadcc stevemar dolphm browne dstanek ^20:45
brownelgtm20:45
lbragstadbrowne https://review.openstack.org/#/c/354497/1520:46
brownelbragstad: thx, i'll rereview20:47
mfischstevemar: yo here now20:48
mfischsorry I missed you earlier20:48
stevemarmfisch: yo20:48
stevemari just DMed ya stuff20:48
mfischyep I see20:48
stevemarmfisch: lemme know if you have any q's20:49
mfischok so backport will be tough20:49
mfischstevemar: back on battery power ;)20:50
mfischstevemar: testing this one will not be easy since I need to upgrade all my policy files and driver to20:52
mfischtoo20:52
mfischwho was the other person affected? was it browne ?20:53
brownemfisch: the caching issues? if so, yes20:54
mfischyeah20:54
browneyeah, plan to try brant's fixes out once i get an environment up and running again20:54
mfischwhat are those?20:55
bknudsonI didn't fix anything. dstanek did it.20:55
bknudsonI was able to verify locally20:55
browneoh, right my bad. dstanek20:55
*** raildo has quit IRC20:56
lbragstaddolphm do you think we should just collapse the entire credential encryption doc into configuration.rst?20:56
mfischstan-bran same thing20:56
bknudsonmfisch: do you use uwsgi?20:57
*** slberger has quit IRC20:58
mfischno20:58
mfischnot anymore20:58
mfischoh wait sorry yes, I read that backwards20:58
bknudsonI'm getting an error in devstack : AttributeError: 'module' object has no attribute 'RegionInvalidationStrategy'20:59
bknudsonoddly, from /usr/local/bin/keystone-manage --config-file /etc/keystone/keystone.conf db_sync20:59
*** slberger has joined #openstack-keystone21:00
bknudsonoh, I need to update /opt/stack/requirements it keeps loading old libs21:00
bknudsonit's strange that devstack overwrites upper-constraints.txt21:01
*** tonytan4ever has joined #openstack-keystone21:04
*** ravelar has quit IRC21:06
*** ravelar has joined #openstack-keystone21:07
*** tonytan4ever has quit IRC21:09
*** ayoung has quit IRC21:10
*** ravelar has quit IRC21:11
*** code-R_ has quit IRC21:13
*** pauloewerton has quit IRC21:13
mfischbrowne: let me know your results wrt caching21:14
bknudsonmfisch: did you set lazy-apps=true in the uwsgi config?21:15
brownemfisch: will do21:15
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449721:16
dstanekbknudson: mfisch: browne: may the caching be with you21:17
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449721:18
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449721:18
mfischbknudson: looking21:19
mfischbknudson: I dont think so, at least I dont see it21:19
*** spzala has quit IRC21:21
lbragstaddolphm thanks for the doc review - fixed in ^21:21
*** spzala has joined #openstack-keystone21:22
bknudsonaccording to https://bugs.launchpad.net/keystone/+bug/1537617 , this is fixed already, but devstack is disabling catalog caching ... I'm going to propose changing devstack config since the bug is fixed.21:22
openstackLaunchpad bug 1537617 in OpenStack Identity (keystone) "caching of the catalog does not invalidate across processes" [High,Fix released] - Assigned to Morgan Fainberg (mdrnstm)21:22
bretondstanek: https://review.openstack.org/362785 -- right, only if fernet is configured.21:24
dstanekbreton: i check and it looks like the repository is configured by default21:24
bretondstanek: configured where?21:25
*** spzala has quit IRC21:26
dstanekin keystone.conf.fernet_tokens21:28
openstackgerritLance Bragstad proposed openstack/keystone: Document credential encryption  https://review.openstack.org/35449721:28
bretondstanek: the check that i remove verifies that the directory exists and is not empty21:29
bretondstanek: i don't like it, because i am moving fernet keys to backends21:29
dstanekbreton: i like that check early if we can do it21:30
bretondstanek: and in this case fernet_api is instantiated along with token_api21:30
dstaneki'm a believer in failing loud and early as opposed to failure *sometime* later21:31
bretondstanek: in apache it will fail on first request anyway. It will not prevent apache from starting.21:31
*** slberger1 has joined #openstack-keystone21:31
*** slberger has quit IRC21:31
bretondstanek: but i will be happy to hear an option how not to remove the check and have the keys in a backend21:32
bknudsondoing the check depends on which backend is chosen, so checking should be a function of the backend.21:34
*** thumpba has quit IRC21:41
bretonbknudson: yep. How do i create the keys via the backend then?21:44
bknudsonwhat do you mean?21:45
lbragstadeach backend would have to implement an interface21:45
lbragstadI would think?21:45
lbragstadthe file based backend would go about creating keys like it does on disk. other backends might require something different21:46
bknudsonI assume an sql backend would do an INSERT to put the key there21:47
bretoninitially there are no keys at all. I need to create them using a backend. To do it, i need to create an instance of fernet_api in load_backends(). load_backends() creates an instance of token_api.21:47
*** chris_hultin is now known as spedione|AWAY21:47
lbragstadbknudson yeah - and it would have to check the rows of the table in order to determine if the keys were valid for example21:47
bretonso, in order to create the keys, i need to call fernet_api.create_keys(). To get fernet_api, i need to call load_backends, which in turn creates token_api, which fails because there are no keys.21:50
bknudsonseems like the key store would be a sub-backend of fernet? (like id_generator is a sub-backend of identity)21:50
bretonbknudson: what about encryption keys?21:51
bretoni was actually hoping to have this discussion at the summit and for now trying to hit all the issues there are :p21:51
bknudsonencryption keys for what? the fernet keys?21:52
bretonbknudson: encryption keys for credentials encryption21:52
bretonbknudson: they are fernet keys too, right?21:53
lbragstadyes21:53
bknudsony, I haven't looked into that much... maybe it's a common backend and not related to the token provider.21:53
lbragstadsomewhat common, but it is a separate backend21:53
*** chrichip has quit IRC21:54
lbragstadwe don't make the credential api rely on the fernet token provider to encrypt credentials21:54
bknudsonbreton: please review the credential encryption stuff and make sure it's going to work for you!21:54
bretonbknudson: will do21:54
bknudsonlbragstad: don't both the credential api and token provider have a key store?21:54
lbragstadbknudson right now they are both stored on disk21:55
*** chrichip has joined #openstack-keystone21:55
bknudsonlbragstad: is it the same store?21:55
lbragstadno21:55
lbragstadit can't be21:55
lbragstadfernet tokens are encrypted with different keys than credentials21:55
bknudsondo you think you'd want to have tokens in sql and credentials on disk?21:56
lbragstadi would consider sharing the same key between the two providers a security vulnerability21:56
bknudsonor vice-versa21:56
lbragstadI would probably prefer them on disk21:56
bknudsontoo bad21:57
lbragstadsince the presence of a staged key doesn't require me to have them replicated using a backend21:57
bretoni don't know what i want yet, maaaaybe it will be etcd.21:57
lbragstadalso - my credentials key rotation policy might be less frequent than my token key rotation policy21:58
*** chrisshattuck has quit IRC22:04
bknudsonare tokens somehow more secure than credentials?22:05
rderosestevemar dolphm: this one is ready: https://review.openstack.org/#/c/362501/22:06
rderosestevemar dolphm: timestamp type worked like a charm :)22:06
lbragstadbknudson tokens are also cipher text22:06
lbragstadwhich is leaked to users22:06
lbragstadcredential are encrypted and the cipher text is only available to keystone - it should never escape22:07
lbragstadso i would imagine a more frequent rotation policy for tokens22:07
lbragstadbut - that's obviously subject to each deployment22:07
lbragstadand nothing should stop operators from rotating as much as they want22:08
*** spzala has joined #openstack-keystone22:10
*** esp has quit IRC22:10
*** adriant has joined #openstack-keystone22:11
*** esp has joined #openstack-keystone22:11
*** ccneill has left #openstack-keystone22:12
*** asettle has joined #openstack-keystone22:14
*** spzala has quit IRC22:15
*** spzala has joined #openstack-keystone22:15
*** asettle has quit IRC22:19
bknudsonmordred: are you saying we should switch keystone to twisted?22:24
*** slberger1 has left #openstack-keystone22:24
dstaneki'd rather die22:24
mordredbknudson: YES!22:24
*** su_zhang has quit IRC22:32
*** chrisshattuck has joined #openstack-keystone22:32
*** chrisshattuck has quit IRC22:46
bretonsounds good, +1 :p22:58
*** esp has quit IRC23:08
*** edtubill has quit IRC23:10
*** michauds has quit IRC23:11
*** jamielennox|away is now known as jamielennox23:14
*** mlovell has joined #openstack-keystone23:14
*** jamielennox is now known as jamielennox|away23:22
lbragstadstevemar what's out plan with credential encryption?23:23
lbragstadour*23:23
*** gyee has quit IRC23:24
*** hockeynut has joined #openstack-keystone23:26
*** jamielennox|away is now known as jamielennox23:28
*** esp has joined #openstack-keystone23:32
*** chrichip has quit IRC23:36
*** jamielennox is now known as jamielennox|away23:36
*** chrichip has joined #openstack-keystone23:37
openstackgerritAdrian Turjak proposed openstack/keystone-specs: Optional MFA via password + TOTP auth plugin  https://review.openstack.org/34511323:40
*** gyee has joined #openstack-keystone23:41
*** chrichip has quit IRC23:42
*** chrichip has joined #openstack-keystone23:43
adriantFor security purposes, how do people feel about replacing the default openrc.sh file in Horizon to one that uses token_auth (thus doesn't store the password locally at all)?23:46
adriantexample: http://paste.openstack.org/show/565460/23:46
bretonanybody uses openrc files from horizon?23:47
adriantWhile keeping a password in local memory isn't hugely unsafe, it really should be avoided, and token auth allows a good alternative.23:47
adriantfor CLI stuff, yeah23:47
adriantbreton: Is there an easier default than using the openrc files?23:48
adriantI'm asking here first because it's a security/auth question really.23:49
adriantbreton: http://docs.openstack.org/user-guide/common/cli-set-environment-variables-using-openstack-rc.html23:51