Thursday, 2017-07-06

*** hoonetorg has joined #openstack-keystone00:03
*** gagehugo has quit IRC00:20
*** gagehugo has joined #openstack-keystone00:23
*** zhurong has joined #openstack-keystone00:41
*** thorst has quit IRC00:43
*** ayoung has joined #openstack-keystone00:44
*** tobberyd_ has quit IRC00:50
*** tobberydberg has joined #openstack-keystone00:51
*** tobberydberg has quit IRC00:56
*** liujiong has joined #openstack-keystone01:24
*** ducttape_ has joined #openstack-keystone01:32
*** ducttape_ has quit IRC01:37
*** ducttape_ has joined #openstack-keystone01:42
*** ducttape_ has quit IRC01:46
*** ducttape_ has joined #openstack-keystone01:49
*** ducttape_ has quit IRC01:54
*** gyee has quit IRC01:58
*** edmondsw has joined #openstack-keystone02:38
*** edmondsw has quit IRC02:39
*** thorst has joined #openstack-keystone02:44
*** thorst has quit IRC02:49
*** Shunli has joined #openstack-keystone02:49
*** ducttape_ has joined #openstack-keystone02:49
*** dave-mccowan has quit IRC02:53
*** ducttape_ has quit IRC02:54
*** xuhaigang has quit IRC03:05
*** aojea has joined #openstack-keystone03:10
*** aojea has quit IRC03:15
*** xuhaigang has joined #openstack-keystone03:18
*** d0ugal has quit IRC03:19
*** d0ugal_ has joined #openstack-keystone03:19
*** markvoelker has quit IRC03:26
*** markvoelker has joined #openstack-keystone03:26
*** xuhaigang has quit IRC03:30
*** markvoelker has quit IRC03:30
*** edmondsw has joined #openstack-keystone03:41
*** xuhaigang has joined #openstack-keystone03:42
*** aselius has quit IRC03:43
*** edmondsw has quit IRC03:46
*** links has joined #openstack-keystone04:05
openstackgerritMerged openstack/python-keystoneclient master: Switch from oslosphinx to openstackdocstheme
*** Nakato has quit IRC04:09
*** Nakato has joined #openstack-keystone04:10
*** thorst has joined #openstack-keystone04:45
*** iurygregory has quit IRC04:47
*** iurygregory has joined #openstack-keystone04:48
*** thorst has quit IRC04:51
*** Shunli has quit IRC05:08
*** andymccr_ has joined #openstack-keystone05:11
*** lamt- has joined #openstack-keystone05:14
*** frickler_ has joined #openstack-keystone05:15
*** harlowja has quit IRC05:22
*** andymccr has quit IRC05:22
*** lamt has quit IRC05:22
*** frickler has quit IRC05:22
*** lamt- is now known as lamt05:22
*** lamt is now known as Guest4645705:22
*** Krenair has quit IRC05:24
*** markvoelker has joined #openstack-keystone05:27
*** edmondsw has joined #openstack-keystone05:29
*** Krenair has joined #openstack-keystone05:31
*** edmondsw has quit IRC05:33
*** aojea has joined #openstack-keystone05:36
*** dgonzalez has quit IRC05:44
*** dgonzalez has joined #openstack-keystone05:46
*** Shunli has joined #openstack-keystone05:46
openstackgerritMerged openstack/keystoneauth master: Optimize the link address
*** rcernin has joined #openstack-keystone05:59
*** markvoelker has quit IRC06:00
*** baffle has quit IRC06:03
*** baffle has joined #openstack-keystone06:03
*** rcernin has quit IRC06:04
*** Guest46457 has quit IRC06:08
*** lamt has joined #openstack-keystone06:08
*** tobberydberg has joined #openstack-keystone06:11
*** aselius has joined #openstack-keystone06:16
*** johnthetubaguy has quit IRC06:21
*** rha has quit IRC06:24
*** Shunli has quit IRC06:24
*** rha has joined #openstack-keystone06:26
*** johnthetubaguy has joined #openstack-keystone06:27
openstackgerritMerged openstack/python-keystoneclient master: Bring back intersphinx reference to keystoneauth
*** thorst has joined #openstack-keystone06:46
*** thorst has quit IRC06:52
*** tobberydberg has quit IRC06:54
*** tobberydberg has joined #openstack-keystone06:55
*** markvoelker has joined #openstack-keystone06:58
*** belmoreira has joined #openstack-keystone06:59
*** tobberydberg has quit IRC06:59
*** tesseract has joined #openstack-keystone07:04
*** tesseract-RH has joined #openstack-keystone07:04
*** tesseract has quit IRC07:04
*** tesseract-RH has quit IRC07:04
*** tesseract has joined #openstack-keystone07:05
*** vladiskuz has quit IRC07:17
*** tobberydberg has joined #openstack-keystone07:17
*** edmondsw has joined #openstack-keystone07:17
*** edmondsw has quit IRC07:21
*** tobberyd_ has joined #openstack-keystone07:28
*** markvoelker has quit IRC07:30
*** tobberydberg has quit IRC07:31
*** frickler_ is now known as frickler07:44
*** d0ugal_ has quit IRC07:46
*** d0ugal has joined #openstack-keystone07:46
*** d0ugal has quit IRC07:46
*** d0ugal has joined #openstack-keystone07:46
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:01
*** toddnni has quit IRC08:09
*** toddnni has joined #openstack-keystone08:10
*** aselius has quit IRC08:23
*** markvoelker has joined #openstack-keystone08:27
*** zhurong has quit IRC08:32
*** zhurong has joined #openstack-keystone08:39
*** thorst has joined #openstack-keystone08:48
*** toddnni has left #openstack-keystone08:50
*** toddnni has joined #openstack-keystone08:53
*** thorst has quit IRC08:53
*** markvoelker has quit IRC09:02
openstackgerritzhengliuyang proposed openstack/keystone master: A simple fix about explicit unscoped string
*** andymccr_ is now known as andymccr09:11
*** toddnni has left #openstack-keystone09:14
*** toddnni has joined #openstack-keystone09:15
*** thorst has joined #openstack-keystone09:49
*** thorst has quit IRC09:54
*** markvoelker has joined #openstack-keystone09:59
*** toddnni has left #openstack-keystone10:03
*** toddnni has quit IRC10:04
*** toddnni has joined #openstack-keystone10:04
*** liujiong has quit IRC10:22
*** liujiong has joined #openstack-keystone10:23
*** markvoelker has quit IRC10:32
openstackgerritzhengliuyang proposed openstack/keystone master: Confusing log messages in project hierarchy checking
*** liujiong has quit IRC10:42
*** edmondsw has joined #openstack-keystone10:53
*** edmondsw has quit IRC10:58
*** markvoelker has joined #openstack-keystone11:02
*** liujiong has joined #openstack-keystone11:06
*** thorst has joined #openstack-keystone11:12
*** thorst has quit IRC11:13
breton /win 2311:14
*** thorst has joined #openstack-keystone11:18
*** thorst_ has joined #openstack-keystone11:19
*** thorst has quit IRC11:22
*** ducttape_ has joined #openstack-keystone11:41
*** sjain has joined #openstack-keystone11:43
*** thorst_ has quit IRC11:44
sjainasettle: Hi, have the docs been shifted again? This link, is giving internal server error11:44
*** ducttape_ has quit IRC11:46
*** raildo has joined #openstack-keystone11:58
*** jmlowe has joined #openstack-keystone12:08
*** sjain has quit IRC12:10
*** edmondsw has joined #openstack-keystone12:14
*** jmlowe has quit IRC12:16
*** chlong_ has joined #openstack-keystone12:37
samueldmqmorning keystone12:44
*** jmlowe has joined #openstack-keystone12:56
openstackgerritDmitry Stepanenko proposed openstack/keystone master: [WIP]: Fix keystone entities duplication error
openstackgerritRaildo Mascena proposed openstack/keystone master: Fixing flushing tokens workflow
*** jsavak has joined #openstack-keystone13:03
*** lucasxu has joined #openstack-keystone13:19
*** zhurong has quit IRC13:22
*** ducttape_ has joined #openstack-keystone13:23
*** catintheroof has joined #openstack-keystone13:25
*** ducttape_ has quit IRC13:27
*** thorst has joined #openstack-keystone13:29
*** catintheroof has quit IRC13:36
*** ducttape_ has joined #openstack-keystone13:37
*** catintheroof has joined #openstack-keystone13:37
*** bknudson has joined #openstack-keystone13:37
*** ducttape_ has quit IRC13:37
*** ducttape_ has joined #openstack-keystone13:38
*** sjain has joined #openstack-keystone13:45
samueldmqsjain: morning13:59
sjainHi samueldmq, good morning!13:59
samueldmqsjain: any luck with setting up the env?13:59
sjainnopes, I cloned a fresh repo, started everything from the beginning, no luck yet14:00
sjainnow I'm trying on another machine14:00
sjainlets c how it goes there14:00
sjainI had a look at the, that has the same commands we were running14:01
sjainideally it should set up everything :(14:02
samueldmqsjain: forget sample_data for now14:03
*** aselius has joined #openstack-keystone14:03
samueldmqtry with bootstrap14:03
*** spzala has joined #openstack-keystone14:03
samueldmqlbragstad sent an email to the ML about removing that sample_data14:03
sjainokay, I tried with bootstrap, it didn't work14:04
sjainis it possible that the bootstrap and openstack command are working fine and the issue is communicating with the server14:05
lbragstadsamueldmq: cmurphy brought up a good point about sample_data14:05
samueldmqsjain: ok somehtign is really weird :(14:06
*** ducttape_ has quit IRC14:11
*** ducttape_ has joined #openstack-keystone14:11
samueldmqsjain: I am creating a brand new virtual env14:11
samueldmqand I will try from there14:12
samueldmqsjain: have you set up the fernet-keys repo?14:15
sjainno I haven't14:16
samueldmqthat's one of the things I think14:16
sjainyesterday we discussed here thatit won't be required14:16
samueldmqsjain: why?14:16
samueldmqkeystone is trying to use fernet, and you don't have a keys repo, it should fail14:17
lbragstadit should fail on start up14:17
sjainbecause we were hoping it would use default fernet keys14:17
samueldmqlbragstad: are tehre default fernet keys?14:18
*** links has quit IRC14:18
lbragstadno there aren't14:18
samueldmqif you don't set them up? I guess it will just fail14:18
samueldmqlbragstad: yes it should fail14:18
samueldmqsjain: create /etc/keystone/fernet-keys/14:18
lbragstadif there aren't any keys or a location for the keys on the system - keystone won't actually start14:18
sjainokay, I'll do that14:18
samueldmqsjain: and create three files inside that directory, named14:19
samueldmqand 314:19
lbragstadcmurphy: good afternoon14:19
lbragstador just use `keystone-manage fernet_setup`14:19
samueldmqlbragstad: hmm14:19
samueldmqsjain: yeah, just do keystone-manage fernet_setup14:19
sjainthat is giving me some error14:20
sjainjust a second14:20
*** sjain_ has joined #openstack-keystone14:21
samueldmqlbragstad: sjain: so, when running with uWSGI, it will create a keystone.db file in the current dir14:22
samueldmqif you want to try things again from 0. delete that thing14:22
samueldmqafter that, I did keystone-manage db_sync && keystone-manage bootstrap --bootstrap-password admin14:23
samueldmqand it worked just fine14:23
sjain_samueldmq: lbragstad this is the error I'm getting
samueldmqcmurphy: o/14:23
samueldmqsjain_: sudo14:23
lbragstadsjain_: you need to create the directory14:24
sjain_I created that14:24
samueldmqlbragstad: would it need sudo?14:24
samueldmqmaybe not, otherwise keystone process would need sudo too in order to be able to read14:24
sjain_yup with sudo it worked14:24
lbragstadmake sure you set access to the directory as the user running keystone14:24
samueldmqlbragstad: ++14:24
lbragstadwhatever process is running keystone will need to have read access to that directory14:25
samueldmqsjain_: and see my comment above, you will need to delete keystone.db file14:25
samueldmqso you'll have a fresh env when starting uwsgi again14:25
samueldmqlbragstad: sjain_: we need to add an instruction to run keystone-manage fernet_setup to
samueldmqin Configuring Keystone as an additional step after copying the sample config file to /etc/keystone/keystone.conf14:27
*** sjain has quit IRC14:27
samueldmqlbragstad:  "samueldmq: cmurphy brought up a good point about sample_data"14:29
samueldmqlbragstad: what was that? sorry my brain had skipped that message14:29
lbragstadsamueldmq: yeah - much of that section needs to be reworked14:30
cmurphysamueldmq: possibly this
samueldmqcmurphy: interesting14:30
samueldmqkeystone manage-boostrap as a command doesnt work14:30
samueldmqyou must provide --bootstrap-password14:30
samueldmqso that script is technically broken14:30
samueldmqunless, there is an env var ... wait :-)14:30
lbragstadsamueldmq: it uses envs14:31
samueldmqI am probably hungry14:31
lbragstadsamueldmq: go eat!14:31
samueldmqyeah, lunch time!14:31
cmurphythis script worked for me a year or so ago, it has probably bitrotted but i don't think keystone-manage bootstrap itself has changed very much14:31
lbragstadcmurphy: we had a couple fixes to make it more robust - but yeah, it shouldn't have changed much14:32
cmurphynowadays i just used devstack with keystone and some of the api services turned on14:32
*** tobberydberg has joined #openstack-keystone14:33
lbragstadanyone here interested in closing an oslo.cache bug?
*** tobberyd_ has quit IRC14:36
openstackgerritLance Bragstad proposed openstack/keystone master: Move caching docs into admin-guide
*** tobberydberg has quit IRC14:40
openstackgerritLance Bragstad proposed openstack/keystone master: Move caching docs into admin-guide
*** ducttape_ has quit IRC14:46
openstackgerritLance Bragstad proposed openstack/keystone master: Move caching docs into admin-guide
*** sjain_ has quit IRC14:52
*** sjain has joined #openstack-keystone14:53
lbragstadgagehugo: would you like to follow up on this one ?14:53
sjainlbragstad: what are the arguments that should be passed to keystone-manage fernet-setup?14:56
lbragstadsjain: the keystone-user and keystone-group arguments is the user and group expected to read from the key repository location14:57
lbragstadbut they are optional14:57
*** liujiong has quit IRC14:57
sjainI tried the command without those arguments, it is giving me an error, saying they are required14:58
lbragstadfor some reason I thought they were optional14:58
*** catintheroof has quit IRC14:58
lbragstadsjain: how are you running keystone?14:58
sjainwhat should be the values of those?14:58
lbragstadwith uwsgi?14:58
*** spzala has quit IRC15:01
*** catintheroof has joined #openstack-keystone15:02
sjainlbragstad: what should be the user and group values?15:02
lbragstadsjain: i'm recreating locally15:02
gagehugolbragstad sure15:02
gagehugolbragstad done15:05
openstackgerritGage Hugo proposed openstack/keystone master: Update security compliance documentation
*** ducttape_ has joined #openstack-keystone15:08
*** jsavak has quit IRC15:09
*** jsavak has joined #openstack-keystone15:09
*** ducttape_ has quit IRC15:10
*** ducttape_ has joined #openstack-keystone15:10
*** belmoreira has quit IRC15:11
*** jsavak has quit IRC15:14
*** jsavak has joined #openstack-keystone15:15
lbragstadsjain: try setting it as the user your logged in as15:17
sjainokay and group?15:18
lbragstadsjain: for now - try setting it the same as your user15:18
sjainit gives permission denied, even with sudo :|15:19
lbragstadsjain: try setting the permissions of /etc/keystone/fernet-keys to your user and group manually15:20
*** aojea has quit IRC15:21
*** aojea has joined #openstack-keystone15:21
lbragstadgagehugo: looks good - just last minor suggestion from me.15:23
openstackgerritGage Hugo proposed openstack/keystone master: Update security compliance documentation
gagehugolbragstad done! thanks15:26
lbragstadgagehugo: thank you!15:26
sjainlbragstad: I have changed the permissions but I'm still getting this
sjainshould I create the files too?15:30
lbragstadsjain: no - the tool should do that for you15:31
lbragstadsjain: ls -la /etc/keystone/15:31
lbragstadsjain: ls -la /etc/keystone/fernet-keys15:31
sjainls -lsa shows me full permission to the directory15:31
sjain4 drwxrwxrwx 2 riddle riddle 4096 Jul  6 19:52 fernet-keys15:31
lbragstadis riddle your user?15:32
lbragstadand you're running keystone-manage fernet_setup as riddle?15:32
sjainI'm logged in as riddle15:33
lbragstadwhat does ls -la /etc/keystone/fernet-keys show you?15:33
lbragstadsjain: see if you can match these permissions with your user
sjainbut I'm giving additional permissions to the ones you shared, that should not be the issue15:37
lbragstadsjain: it shouldn't but it's getting hung up somewhere - and i'm not sure where15:38
openstackgerritRaildo Mascena proposed openstack/keystone master: Fixing flushing tokens workflow
*** gyee has joined #openstack-keystone15:51
sjainlbragstad: there was some other way to do this fernet_setup?15:52
lbragstadsjain: you can manually create the keys - but that would be doing the same steps as what keystone-manage is doing15:53
sjaini can try that if we are not able to resolve this permission issue15:53
sjainany documentation for that?15:53
lbragstadsjain: no - not really15:54
morganit's interesting that you have a directory as 77715:54
*** tesseract has quit IRC15:54
lbragstadsjain: the thing is that if keystone-manage can't access that directory keystone won't be able to either i don't think15:54
morganlbragstad: ++15:54
morgansjain: you (as riddle) can't cd /etc/keystone/ or /etc/keystone/fernet-keys15:55
lbragstadwe actually have two doctor checks to ensure the permissions are right
morganlbragstad: also, is the '-' correct?15:55
sjainmorgan: yeah but even after that it is saying permission denied15:55
morganthat seems... weird.15:55
morgansjain: that sounds like something wonky on the filesystem15:55
morgansjain: you should be able to perform operations on those direrctories.15:56
sjainand I can cd into those directories15:56
morganwhat flavour of OS are you running? debian, ubuntu, rhel, fedora, other?15:56
lbragstadsjain: can you run `keystone-manage doctor` ?15:56
* morgan is curious if there is something like SELinux getting in the way15:56
sjainelementary, its linux based15:56
morganthis sounds like SELinux sec15:57
sjainlbragstad: something not good,
morgancan you do 'ls -z /etc/keystone' ?15:57
sjainit can't find that15:57
sjainmorgan: -z ?15:58
morganlbragstad: older than doctor15:58
morgansjain: shows SELinux contexts15:58
morganand elementary uses it15:58
sjainthere is no option15:58
morganiirc /etc/ is locked out of writes by normal users (security reasons)15:58
morgan-Z ... derp. sorry15:59
sjainyeah...permission denied15:59
sjainls: cannot open directory '/etc/keystone': Permission denied15:59
morgan sestatus15:59
morganmight be a good other command to show status of SELinux15:59
morganthis really does feel like something like SELinux getting in the way15:59
sjainit is not installed, I'll do that16:00
morganbecause file perms look sane16:00
morganah no need to install it16:00
*** david-lyle has joined #openstack-keystone16:00
morganuhm let me check something else16:00
morgantrying to think what else can be done16:01
morganwell you could make the config directory under riddle's home dir16:01
sjainthe keystone directory is already under home directory16:01
morganhonestly, i am just not familiar with elementary16:02
morganin applications like this16:02
sjainis there any way I can change those file permissions16:02
morganit could be any number of things being built into a desktop-linux system.16:02
morganwhich is what elementary looks to be16:02
sjainhmm right16:02
morganyou can use chmod to change permissions16:03
morganbut it likely will have similar issues16:03
sjainI have already tried chmod and chown16:03
morganif you can't cd / ls / touch a file in /etc/keystone it wont really change16:03
sjainbut I'm able to cd in that directory16:03
morganis this a desktop/laptop you're trying to setup for development?16:03
morganor a server... or?16:04
morgani recommend not installing keystone directly. i would use a virtual machine16:04
morganin that case16:04
morganit means you can use ubuntu or other known-working/known-quirk type environment16:04
morganit also means you don't need all the added library support in your laptop16:04
sjainohkay, then I'll use ubuntu for it16:04
morganit might be a lot easier :)16:05
morgani have an ubuntu laptop and tend to use ubuntu VMs for development16:05
sjainhmm but I was using virtualenv, so I thought it would be fine16:05
morganright. it helps16:05
morganit doesn't mean you wont need to install c-libs and other tools16:05
morganit isolates python16:06
sjainhmm right16:06
morgani prefer to use isolated environments so i don't accidently assume something is installed because i have it for desktop purposes16:06
morganalso, i don't need to run apache/nginx/etc on the laptop/main machine that way if i want to test the whole stack16:06
morgan(if you look at running a devstack for example, i would never run on a machine i cared about :P)16:07
morganso many things are installed to make stuff work16:07
morganlbragstad: i need to smack a bug down, just realized16:07
morgansomeone proposed an oslo_* import to ksa16:07
sjainokay I'll try to use a VM then16:08
sjainlets see how it goes there16:08
sjainthanks morgan, lbragstad!16:08
lbragstadsjain: anytime - hopefully it works a little better16:08
sjainyeah :)16:08
sjainlbragstad: what happened to this,
lbragstadsjain: i'd try rebasing that on master16:17
morgansjain: CI issue, rebase should help16:17
morganrebase/cleanup based upon any conflicts16:17
lbragstadthere is a lot of stuff happening in the docs16:17
morgannothing too crazy there :)16:17
sjainoh okay16:17
lbragstadstepping away to get a run in - biab16:23
*** rderose has joined #openstack-keystone16:25
*** sjain has quit IRC16:26
*** jsavak has quit IRC16:32
*** jsavak has joined #openstack-keystone16:33
*** jsavak has quit IRC16:37
*** jsavak has joined #openstack-keystone16:39
openstackgerritKelly Hall proposed openstack/keystone master: Trims whitespace from request headers
openstackgerritOmar Tleimat proposed openstack/keystone master: WIP: Add project tags
*** harlowja has joined #openstack-keystone17:13
*** zzzeek has quit IRC17:14
*** raildo has quit IRC17:19
*** raildo has joined #openstack-keystone17:22
*** jmlowe has quit IRC17:23
*** raildo has quit IRC17:26
*** dansmith has joined #openstack-keystone17:26
dansmithmorgan: hey, I have a question about ya'll's database migrationy stuff.. someone pointed me at you, are you the best person to ask?17:27
morgandansmith: i can try and help17:27
morgandansmith: i might know a thing or two about our migrations :P17:28
dansmithmorgan: I see multiple migrate repos, which I assume are arranged to allow an expand/contract sort of workflow17:28
dansmithand a bunch that are no-ops17:28
dansmithare the expand/migrate/contract repos supposed to walk in lockstep such that one numbered migration may not have any work to do for one of those phases?17:29
morganeach migration number has to be mirrored (expand / migrate / contract) regardless of if we have anything to do17:29
morganyou may run contract at a later point.17:29
openstackgerritJaewoo Park proposed openstack/keystone master: WIP: Add project tags
dansmithack, okay, and how does that overlap or not with the migrate_repo, which seems to be historical?17:30
morganwe did a hard break from "migrate_repo"17:30
morganit is strictly historical17:30
dansmithokay gotcha, when did that happen?17:30
morganwell, iirc we use it to populate schema before we do the expand/contract stuffs17:30
morganbut we never touch/change it at this point17:30
morganuhm... mitaka?17:30
morgani think17:30
morgani'd need to look at db_sync17:31
morganit might be smarter, but we've kept the migrate_repo for historical reasons17:31
dansmithso does db sync currently do a expand && migrate && contract for the simple case or something?17:31
morgani think you need to do "db_sync expand"17:31
morganif you want it to run only expand operations17:31
morganif you just "db_sync" it moves all of them to the latest.... but let me 2x check?17:32
morganyou might need to do each step17:32
dansmithI figured just doing db_sync would expand and contract for you, and you'd do something else if you want to only do one phase17:33
morgani think it does17:33
dansmithokay, makes sense17:33
morganand if you explicitly do --expand17:33
*** zzzeek has joined #openstack-keystone17:33
morganand then --contract you can break apart the actions17:33
dansmithso, here's the million dollar question17:33
morganshould i be scared? ;)17:34
dansmithlet's say I moved from newton to ocata, did my expand, then moved from ocata to pike, did another expand, then moved to queens, did another expand and then a contract,17:34
dansmiththeoretically that should work, but in practice do you think it will?17:34
morganit should.17:34
*** ducttape_ has quit IRC17:34
morganas long as you also --migrate in there17:34
dansmithright, expand/migrate, expand/migrate, expand/migrate/contract I guess17:35
morgani have no reason to belive (besides the horrible choice of using triggers) that it wouldn't work17:35
dansmithyeah, I'm concerned about the triggers17:35
morgani think it was a very bad choice, i lost the argument17:35
morgani would advocate to not use triggers if at all possible17:35
dansmithbut alas, here we are, so..17:35
morganso, besides issuees with triggers17:35
dansmithI saw a CONF.use_triggers or something.. is it really optional?17:36
morgani see no reason why it wouldn't work17:36
morganit basically is only optional if you're not doing online/rolling upgrades17:36
morganif you do offline upgrades, and make sure code is deployed in lockstep with the schema changes, triggers are not needed at all17:36
dansmithwell, if everything stays offline until the final phase, and if I'm doing my --migrate, does that mean I could avoid the triggers?17:36
morganthe triggers should be dropped in contract phases17:37
morganif you don't do any writes, the triggers have zero impact17:37
morganbesides needing "SUPER" access to create them17:37
dansmithonly writes for sure?17:37
morganthat is my understanding17:37
*** zzzeek has quit IRC17:37
dansmithno read-compatibility triggers?17:37
morgangod no17:37
dansmithokay, so, let me restate this again then:17:38
dansmithif I have CONF.use_triggers=False, then I should be able to expand/migrate/contract, expand/migrate/contract, expand/migrate/contract with everything offline and only start after all of that and be good, yes?17:38
morganread triggers would... trigger me :P sorry i couldn't resist17:38
dansmithbecause I need no triggers, and the migrate/contract will move things along that the triggers would otherwise handle?17:39
openstackgerritMerged openstack/keystone master: Migrated docs from devdocs to user docs
dansmithdid I esplode your brain?17:40
morgansorry have phone call17:40
dansmithk, np17:41
*** zzzeek has joined #openstack-keystone17:41
*** raildo has joined #openstack-keystone17:44
*** jsavak has quit IRC17:45
*** jsavak has joined #openstack-keystone17:45
openstackgerritMerged openstack/keystone master: Added a note for API curl examples
*** jsavak has quit IRC17:50
*** jsavak has joined #openstack-keystone17:52
*** zzzeek has quit IRC17:53
*** zzzeek has joined #openstack-keystone18:00
morgandansmith: ok back in 3m18:00
morgancall is over need to check on something18:00
*** jsavak has quit IRC18:01
*** ducttape_ has joined #openstack-keystone18:01
*** jsavak has joined #openstack-keystone18:02
*** ducttape_ has quit IRC18:02
*** ducttape_ has joined #openstack-keystone18:03
*** dave-mccowan has joined #openstack-keystone18:03
morgandansmith: ok back18:07
morganok so, yes expand/migrate/contract will move everything along18:07
morganyou don't need triggers except in the case of running old keystone (ocata) with new keystone (pike) against a common (pike) schema18:07
dansmithmorgan: okay, so next question is what gets tested in the gate? expand/migrate + triggers no contract?18:08
morganwe don't test triggers atm18:08
dansmithorly, okay18:08
morganbecause we don't have the test for old/new keystone18:08
morgani mean we test it18:08
morganlike unit tests18:08
*** zzzeek_ has joined #openstack-keystone18:08
morganbut not real functional active keystones (i think)18:08
*** zzzeek has quit IRC18:09
morganwe do test the expand/migrate/contract [unit tests]18:09
dansmithokay, well, I was really worried the answer was going to be "embrace the triggers" so I'm in a good spot I think18:09
dansmiththanks for your time18:09
morganmy answer would have been "please try not to use triggers unless you really need it"18:09
morgani think waht you just described will be 100% a-ok, and triggers can be ignored.18:10
* dansmith puts the "morgan said it would work" sticker on it18:15
*** jsavak has quit IRC18:24
*** jsavak has joined #openstack-keystone18:25
cmurphymorgan: i think we have rolling upgrade tests now (cc lbragstad)18:31
lbragstadcmurphy: we do - but it is experimental18:32
cmurphylbragstad: still, > unit tests :)18:33
lbragstadthat stuff just merged recently - let me find the commits18:33
morgancmurphy: yeah wasn't every patch18:35
morganbut in either case that wasn't super relevant for what dansmith was looking for in this case18:36
dansmithyeah I think the triggers are scary, but I thought I'd have to use them18:36
dansmithknowing I don't means I ignore until that changes :)18:36
lbragstaddansmith: you weren't interested in a rolling upgrade - correct?18:37
lbragstaddansmith: ok18:38
dansmithI mean, I'm not for this situation I'm asking about18:38
lbragstaddansmith: the case you were looking for was the following:18:40
lbragstad"‎<‎dansmith‎>‎ let's say I moved from newton to ocata, did my expand, then moved from ocata to pike, did another expand, then moved to queens, did another expand and then a contract,"18:41
lbragstadso - only interested in additive schema changes?18:41
dansmithlbragstad: well, that was me guessing at the best approach18:41
dansmithlbragstad: what I'm looking for is:18:41
dansmithlbragstad: the ability to shut things down, roll through a few releases of schema/data migrations and pop up on the other side on N+X where X>118:42
dansmithlbragstad: for dumb old school migrations, that's pretty mechanical, so I was making sure there was some way to push the migration bit before the contract bit18:42
lbragstadyou want to migrate through multiple release but service uptime isn't a concern18:43
lbragstadif i'm understanding correctly18:43
dansmithtrading service uptime for less frequent updates18:44
dansmithif that's your kink18:44
*** jsavak has quit IRC18:51
*** jsavak has joined #openstack-keystone18:51
*** jsavak has quit IRC18:52
*** jsavak has joined #openstack-keystone18:53
*** tobberydberg has joined #openstack-keystone18:56
*** tobberydberg has quit IRC19:01
*** jmlowe has joined #openstack-keystone19:03
lbragstaddansmith: fwiw - so long as expand/migrate/contract for a release is run in lock-step, you shouldn't have to deal with triggers, and they shouldn't exist outside of that series of events19:06
dansmithyeah that's what I gather19:06
dansmithwhich is what I'm shooting for here19:06
lbragstaddansmith: we have a patch to harden that case -
lbragstadcc morgan cmurphy it'd be great to get your opinion on that ^19:07
lbragstaddansmith: sorry it took me a bit to confirm - i needed to step through it. but yeah - that should be possible19:08
lbragstaddansmith: is that specific upgrade case something you're seeing a lot of (if i can ask)?19:09
dansmithlbragstad: well, there's a growing desire by a certain type of deployer to do that approach, yeah19:11
dansmithlbragstad: I'm highly resistant to us (as a community) saying that we support upgrades of more than one step at a time in any way19:12
*** pcaruana has quit IRC19:12
dansmithbut the step-by-step approach should be a reasonable way to achieve the same result (i.e. hitting each release, even if not running)19:12
dansmithso I figure if you want to trade uptime for (lower) upgrade frequency, that's cool, and this is how you do it19:13
lbragstaddansmith: sure - i agree19:13
dansmithif you want high uptime, you keep on top of things19:13
lbragstaddansmith: i ask because i wonder if a dedicated section to the upgrade docs would have cleared that up sooner
dansmithso, knowing keystone did this trigger deal, I just wanted to confirm that triggers wouldn't complicate the process too much19:14
dansmithlbragstad: if I had read the docs at all before asking, then maybe so :)19:14
dansmithI think the "minimal downtime" section implies that db_sync does expand/migrate/contract in a way that would still work for this,19:15
dansmithbut I still would have come to ask for validation :)19:15
lbragstadok - good to know19:16
*** ducttape_ has quit IRC19:21
*** ducttape_ has joined #openstack-keystone19:22
*** ducttape_ has quit IRC19:24
*** ducttape_ has joined #openstack-keystone19:24
*** ducttape_ has quit IRC19:31
*** ducttape_ has joined #openstack-keystone19:41
*** lbragstad has quit IRC19:58
*** lbragstad has joined #openstack-keystone20:03
*** ChanServ sets mode: +o lbragstad20:03
openstackgerritSamriddhi proposed openstack/keystone master: Removed apache-httpd guide from docs
*** ducttape_ has quit IRC20:19
openstackgerritSamuel Pilla proposed openstack/python-keystoneclient master: WIP: Add project tags to keystoneclient
*** ducttape_ has joined #openstack-keystone20:27
*** raildo has quit IRC20:34
*** raildo has joined #openstack-keystone20:50
*** sghosh has joined #openstack-keystone20:54
*** raildo has quit IRC20:55
*** butt is now known as hemna20:57
*** lucasxu has quit IRC20:57
*** raildo has joined #openstack-keystone20:57
*** jmlowe has quit IRC21:01
*** jsavak has quit IRC21:06
*** jmlowe has joined #openstack-keystone21:09
*** raildo has quit IRC21:15
*** dgedia has joined #openstack-keystone21:23
dgediaHi, I am trying to install Senlin manually and running into this error when I try to execute  the "openstack cluster build info" command : CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Identity server rejected authorization necessary to fetch token data: ServiceError: Identity server rejected authorization necessary to fetch token data21:24
*** jmlowe has quit IRC21:25
*** ducttape_ has quit IRC21:28
*** thorst has quit IRC21:33
*** ducttape_ has joined #openstack-keystone21:33
*** bknudson has quit IRC21:33
openstackgerritGage Hugo proposed openstack/keystone master: Add project tags api-ref documentation and reno
*** jmlowe has joined #openstack-keystone21:42
gagehugolbragstad do we want to try to get moving again?21:54
*** catintheroof has quit IRC21:55
*** aojea has quit IRC22:00
lbragstadgagehugo: oh - yes22:05
lbragstadgagehugo:  that would be great22:05
*** dave-mccowan has quit IRC22:05
gagehugoI think it fell to the wayside right when the whole osic thing happened :(22:06
lbragstadyeah - that sounds about right22:07
*** ducttap__ has joined #openstack-keystone22:08
*** ductta___ has joined #openstack-keystone22:11
openstackgerritOctave Orgeron proposed openstack/keystone master: Enables MySQL Cluster support for Keystone
*** ducttape_ has quit IRC22:11
*** ducttap__ has quit IRC22:13
openstackgerritEric Fried proposed openstack/keystoneauth master: normalize_version_number([1]) => (1, 0) and docs
*** rderose has quit IRC22:21
gagehugolbragstad I can put it on the meeting agenda for next week22:22
lbragstadgagehugo: that'd be great22:22
*** edmondsw has quit IRC22:23
*** edmondsw has joined #openstack-keystone22:28
*** edmondsw has quit IRC22:32
*** edmondsw has joined #openstack-keystone22:56
*** edmondsw has quit IRC23:00
*** lbragstad has quit IRC23:03
*** thorst has joined #openstack-keystone23:04
*** thorst has quit IRC23:09
*** thorst has joined #openstack-keystone23:33
*** thorst has quit IRC23:34
*** lbragstad has joined #openstack-keystone23:36
*** ChanServ sets mode: +o lbragstad23:36
openstackgerritJaewoo Park proposed openstack/keystone master: WIP: Add project tags
-openstackstatus- NOTICE: has been cleaned up and rebooted, and should return to building rotation23:44
openstackgerritJaewoo Park proposed openstack/keystone master: WIP: Add project tags
openstackgerritKelly Hall proposed openstack/keystone master: Trims whitespace from request headers

Generated by 2.15.3 by Marius Gedminas - find it at!