Tuesday, 2018-10-30

« Monday, 2018-10-29 Index Wednesday, 2018-10-31 »
*** gyee has quit IRC00:04
*** dnguyen has quit IRC00:21
*** Dinesh_Bhor has joined #openstack-keystone01:12
*** charz has joined #openstack-keystone01:26
*** Dinesh_Bhor has quit IRC02:01
*** Dinesh_Bhor has joined #openstack-keystone02:02
*** crislomabolivia has quit IRC02:05
*** erus has quit IRC02:36
openstackgerritwangxiyuan proposed openstack/oslo.limit master: Add limit check func  https://review.openstack.org/59652003:21
*** Dinesh_Bhor has quit IRC03:38
*** Dinesh_Bhor has joined #openstack-keystone03:41
*** erus has joined #openstack-keystone03:47
openstackgerritwangxiyuan proposed openstack/oslo.policy master: Avoid empty raise  https://review.openstack.org/61371203:48
*** dave-mccowan has quit IRC04:19
*** Dinesh_Bhor has quit IRC04:21
*** sapd1 has quit IRC04:38
*** Dinesh_Bhor has joined #openstack-keystone04:49
*** sapd1 has joined #openstack-keystone04:59
*** Dinesh_Bhor has quit IRC05:00
*** Dinesh_Bhor has joined #openstack-keystone05:15
*** jaosorior has quit IRC05:32
*** jaosorior has joined #openstack-keystone05:32
*** pcaruana has joined #openstack-keystone05:36
*** pcaruana has quit IRC05:47
*** shyamb has joined #openstack-keystone05:54
*** shyamb has quit IRC05:58
*** shyamb has joined #openstack-keystone05:58
*** shyamb has quit IRC06:07
*** wxy-xiyuan has quit IRC06:16
*** mnaser has quit IRC06:16
*** wxy-xiyuan has joined #openstack-keystone06:16
*** mnaser has joined #openstack-keystone06:17
*** masayukig[m]1 has quit IRC06:18
*** shyamb has joined #openstack-keystone06:28
*** hoonetorg has quit IRC06:29
*** shyamb has quit IRC06:32
*** shyamb has joined #openstack-keystone06:32
openstackgerritwangxiyuan proposed openstack/oslo.limit master: Add limit check func  https://review.openstack.org/59652006:37
*** hoonetorg has joined #openstack-keystone06:42
*** tonyb has quit IRC06:50
*** xek has joined #openstack-keystone07:01
*** lbudai has joined #openstack-keystone07:03
lbudaikmalloc: I've missed your answers yesterday regarding the token authorization failure. Thank you for them.07:05
lbudaiThe environment is openstack kilo07:05
*** shyamb has quit IRC07:10
lbudaikmalloc: I've tested the usernames/passwords used in the services config file, and i can use them in the "service" tenant. So that should be OK.07:10
vishakhacmurphy: Thanks for the reply. I have one node with devstack installed and the files keystone that are available in /etc/apache2/sites-available are keystone-wsgi-admin.conf and keystone-wsgi-public.conf. No file that you mentioned wsgi-keystone.conf.  And also when  created one keystone.conf, after enabling it, apache service failed.07:29
*** shyamb has joined #openstack-keystone07:45
*** shyamb has quit IRC07:49
*** pcaruana has joined #openstack-keystone07:57
*** pcaruana is now known as pcaruana|elisa|07:59
*** sapd1 has quit IRC08:10
cmurphyvishakha: just use the keystone-wsgi-public.conf one08:11
vishakhacmurphy: ok. I will update the public one. Thanks08:12
*** sapd1 has joined #openstack-keystone08:12
*** Dinesh_Bhor has quit IRC08:16
openstackgerritwangxiyuan proposed openstack/oslo.limit master: Add limit check func  https://review.openstack.org/59652008:23
*** Dinesh_Bhor has joined #openstack-keystone08:30
*** shyamb has joined #openstack-keystone08:48
openstackgerritinspurericzhang proposed openstack/keystone-tempest-plugin master: [Trivial Fix] update home-page url  https://review.openstack.org/61414708:49
openstackgerritMerged openstack/keystone master: Implement scope_type checking for credentials  https://review.openstack.org/59454708:58
*** shyamb has quit IRC09:36
*** Dinesh_Bhor has quit IRC09:55
*** Dinesh_Bhor has joined #openstack-keystone10:15
vishakhakmalloc: https://review.openstack.org/#/c/610479/ , For this  Document change is merged. Pl review10:20
openstackgerritColleen Murphy proposed openstack/keystone master: Delete "Preparing your environment" section  https://review.openstack.org/61417210:33
openstackgerritwangqiang-bj proposed openstack/keystoneauth master: fix wrong spelling of "unnecessary"  https://review.openstack.org/61417810:40
*** lbudai has quit IRC10:45
*** shyamb has joined #openstack-keystone11:03
*** dave-mccowan has joined #openstack-keystone11:11
*** Dinesh_Bhor has quit IRC11:19
*** mvkr has quit IRC11:30
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Make upgrades more robust with policy overrides  https://review.openstack.org/61419511:48
*** erus has quit IRC11:59
lbragstadkmalloc ^ oslo.policy changes we were discussing late last week11:59
*** mvkr has joined #openstack-keystone12:02
*** raildo has joined #openstack-keystone12:16
openstackgerritCorey Bryant proposed openstack/keystone master: PY3: switch to using unicode text values  https://review.openstack.org/61119012:19
lbragstadcmurphy do you have thoughts on https://review.openstack.org/#/c/605169/7 ?12:29
cmurphylbragstad: i'm wondering what happens for upgrades, would a federated user end up with two entries in the table?12:38
cmurphyone from logging in before the change and one if they try to log in again afterward12:39
lbragstadthat's kinda what i was asking in the review, but more along the lines of the id format...12:40
lbragstadbut yeah, that's a good question12:40
cmurphyoh no I think it's fine, the unique_id comes from http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/mapped.py#n32812:46
cmurphyso it will be either the id of the local user or the name from REMOTE_USER12:47
cmurphyi agree with your nits about the release note though12:48
*** lbudai has joined #openstack-keystone12:58
*** shyamb has quit IRC13:01
openstackgerritLance Bragstad proposed openstack/keystone master: Pass context objects to policy enforcement  https://review.openstack.org/60553913:03
openstackgerritLance Bragstad proposed openstack/keystone master: Remove obsolete credential policies  https://review.openstack.org/59718713:25
*** dklyle has quit IRC13:37
*** dklyle has joined #openstack-keystone13:37
lbragstadvishakha https://review.openstack.org/#/c/589378/14/keystone/trust/backends/sql.py@192 we'll need to get a follow-up proposed for that13:52
*** dklyle has quit IRC14:02
*** david-lyle has joined #openstack-keystone14:02
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Add ability to pass in target data for the oslopolicy-checker  https://review.openstack.org/61331314:15
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: Pass in policy name as part of the oslopolicy-check check call  https://review.openstack.org/61422314:15
openstackgerritJuan Antonio Osorio Robles proposed openstack/oslo.policy master: WIP: Create OPA check  https://review.openstack.org/61422414:15
*** itlinux has quit IRC14:20
*** wxy| has joined #openstack-keystone14:23
openstackgerritwangxiyuan proposed openstack/keystone master: Deprecate eventlet related configuration  https://review.openstack.org/56876414:28
*** pcaruana|elisa| has quit IRC14:33
*** jmlowe has quit IRC14:41
*** raildo has quit IRC14:43
*** pcaruana|elisa| has joined #openstack-keystone14:45
*** raildo has joined #openstack-keystone14:50
*** jmlowe has joined #openstack-keystone15:02
*** dave-mccowan has quit IRC15:03
* lbragstad takes an early lunch to get a run in 15:03
*** itlinux has joined #openstack-keystone15:11
*** gyee has joined #openstack-keystone15:29
*** pcaruana|elisa| has quit IRC15:35
*** pcaruana|elisa| has joined #openstack-keystone15:50
kmallocvishakha: thanks15:54
kmalloclbragstad: ack15:54
kmalloclbragstad: hm.15:56
kmalloclbragstad: i think we need to do that both ways15:56
kmallocif old is overridden, use that check_str15:56
kmallocif new is overidden, use that check_str15:56
lbragstadi think i added test cases for both15:56
kmallocah15:56
kmallocalso, it's failing pyXX :)15:56
* lbragstad thinks he did, at least15:56
kmalloclet me 2x check15:56
kmalloci only read the commit15:56
*** aojea_ has joined #openstack-keystone15:57
kmalloclbragstad: let me drink more coffee15:58
kmallocbut at first glance this looks to only handle the case of the overidden old policy15:58
kmalloci'll confirm in a bit, but the order i'm aiming for is: New Str (if operator supplied), old str (if opperator applied), (new_default OR old_default)15:59
kmallocin order.15:59
kmalloccomma in that list indicates a STOP (do not process more rules)15:59
openstackgerritLance Bragstad proposed openstack/oslo.policy master: Make upgrades more robust with policy overrides  https://review.openstack.org/61419516:00
*** pcaruana|elisa| has quit IRC16:00
lbragstadfixed the failing tests, it was based on the patch that requires a new version of oslo.context16:00
kmallocah16:01
* kmalloc is here and mostly awake for meeting.16:01
lbragstadhttps://review.openstack.org/#/c/614195/2/oslo_policy/tests/test_policy.py@124016:02
*** dave-mccowan has joined #openstack-keystone16:23
*** dnguyen has joined #openstack-keystone16:30
openstackgerritGage Hugo proposed openstack/keystone master: Move to password validation schema  https://review.openstack.org/61429416:32
*** shyamb has joined #openstack-keystone16:38
*** ayoung has joined #openstack-keystone16:40
*** shyamb has quit IRC16:44
*** jrist has quit IRC16:51
*** aojea_ has quit IRC16:53
*** jrist has joined #openstack-keystone16:54
*** mvkr has quit IRC16:55
*** itlinux has quit IRC16:57
cmurphykmalloc: i was thinking of having somebody work on part of this https://bugs.launchpad.net/keystonemiddleware/+bug/1736985 specifically looking for where devstack is still using auth_host/auth_port/auth_protocol junk and fixing those, what do you think?17:01
openstackLaunchpad bug 1736985 in keystonemiddleware "many things that were deprecated long ago were never removed" [Low,In progress] - Assigned to Morgan Fainberg (mdrnstm)17:01
cmurphykmalloc: meaning can you hold off on fixing those bits for now if you were planning on it ;)17:03
*** wxy| has quit IRC17:04
ildikovlbragstad: sorry, I didn't get a response from James and I also missed the meeting thanks to the switch to winter time here already... :/17:05
*** itlinux has joined #openstack-keystone17:07
lbragstadildikov no worries, we'll try again next week17:13
ildikovlbragstad: we can do the edge call next week as usual17:14
kmalloccmurphy: yeah i just was hitting the bigger issue ones17:14
ildikovlbragstad: and bring it up on the Keystone meeting if we feel it reached that stage that it makes sense to discuss with the broader Keystone team?17:15
kmalloccmurphy: the pkiz/rev list ones were a bit more involved, the rest of those were planned to remain open17:15
kmalloccmurphy: also because i need to rework some of the workflow of ksm to drop the webob stuff from keystone when we build authcontext17:16
kmalloci tagged the pkiz/rev list work to that bug as the bug was "open ended" on the cleanup bits17:17
*** aojea_ has joined #openstack-keystone17:19
*** erus has joined #openstack-keystone17:22
*** aojea_ has quit IRC17:31
*** aojea_ has joined #openstack-keystone17:32
lbragstadildikov sounds good17:35
knikollacmurphy: i'm forwarding you an email from another outreachy applicant. When do you have time in the following days to sync up?17:39
*** aojea_ has quit IRC17:39
knikollaToday I'17:40
*** aojea_ has joined #openstack-keystone17:40
knikollaI'm swamped as well, but starting tomorrow I should have time.17:40
*** aojea_ has quit IRC17:44
*** ayoung has quit IRC17:46
*** lbudai has quit IRC17:48
openstackgerritGage Hugo proposed openstack/keystone master: Remove check for disabled v3  https://review.openstack.org/61340217:51
openstackgerritGage Hugo proposed openstack/keystone master: Refactor flask domain config resources  https://review.openstack.org/61318218:10
cmurphyknikolla: weird, that person already reached out to me but about the other project, I hadn't responded to them yet18:20
cmurphyknikolla: I have time tomorrow18:21
kmalloci'll need to duck out for a few hours today18:24
kmallocdoggo needs to go to the vet (he's hurting =/ and is sad)18:24
kmalloccmurphy, lbragstad: how useful is json home *really*?18:25
kmallocknikolla: ^18:25
kmalloci get the feeling it's not really useful at all18:25
lbragstadi like it because it advertises API status18:26
kmallocfor the individual API endpoints18:26
kmallocthat is a fair assertion to the benefit18:26
lbragstadand we don't really have a replacement at the moment short of micro-versions =/18:26
kmalloci was less worried about the replacement bits18:26
kmalloci was more concerned with the "how useful is it"18:27
kmallocbecause it feels mostly useless, barring the api status (stable, experimental, deprecated)18:27
lbragstadimo - that's the important part... but i also don't consume it18:28
kmalloci don't think anyone really consumes it18:28
cmurphyi think having a way to advertise api status is really useful since we don't have microversions18:28
kmalloccmurphy: ++ i agree18:28
cmurphybut we've never socialized or documented this so i don't think anyone uses it18:28
kmallocand even with microversions...18:28
kmalloci'm mulling in my head the move to split auth to /auth18:29
*** itlinux has quit IRC18:29
kmallocand what that really means18:29
kmallocstill wanting to divorce crud api version from auth18:29
kmallocand what that means for auth discoverability (it could mean auth could be a separate service in it's own right)18:30
* lbragstad thinks he knows where this is going 18:31
kmallocespecially for the well-defined auth endpoints for web-sso18:31
lbragstad;)18:31
kmallocmostly for the web-sso enhancements in the short term.18:31
kmalloci don't want to encode all the well-defined points in /v3/auth if that makes sense18:32
kmalloclbragstad: you know my long term goals, but i'm looking at the 1-2 cycle bits right now18:32
*** cabledude has joined #openstack-keystone18:38
cabledudegood day experts...  I'm struggling with a Mitaka to Ocata upgrade.  nova_api will not start and keystone.log states this is due to MFA.  How would I disable MFA for nova user?18:41
cabledudefound this "user["options"]["multi_factor_auth_enabled"] = False" in the documentation but am unsure how to implement.  curl?18:42
cabledudealso seeing "Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL." when running openstack commands18:44
cabledudethey do complete successfully though18:44
lbragstadcabledude yeah - we don't really have good documentation around user options unfortunately18:47
lbragstadbut you could use curl to set user options directly18:47
lbragstadfor example https://docs.openstack.org/keystone/latest/admin/identity-security-compliance.html#setting-an-account-lockout-threshold18:48
lbragstaddoing a PATCH /v3/users/{user_id} with a payload like http://paste.openstack.org/show/733663/ would set that specific user option18:49
*** cabledude has quit IRC18:51
kmalloclbragstad: i'm trying to figure out how cabledude got that all enabled?18:52
lbragstadsame here- that should default to false?18:53
*** cabledude has joined #openstack-keystone18:53
cabledudeWould anyone be able to help me understand how to define user MFA rules?18:54
cabledudeday 4 of head banging on this.  any advice would be greatly appreciated!18:56
kmalloclbragstad: yeah18:56
kmalloccabledude: so. lets start with what have you done and what are you trying to accomplish18:57
kmalloccabledude: i wrote a huge chunk of that code, so let me see what i can do to help you18:57
kmallocit's thankfully not crazy complex18:57
kmalloc;)18:57
kmallocjust undocumented18:57
lbragstadand no client support i don't think18:58
lbragstad:(18:58
kmallocyeah18:58
cabledudethx!  i have updated keystone via ubuntu upgrade docs.  i can run openstack commands successfully18:58
kmallocwe'll add that to SDK here18:58
kmalloclbragstad: ^18:58
lbragstadoh18:59
kmalloclbragstad: i wont even bother trying to add it to ksc.18:59
lbragstadnice18:59
kmalloclbragstad: i want to make ksc officially "bit rot" by the end of stien18:59
cabledudethe nova_api service will not start and complains about not having a service_token18:59
lbragstadat least we have an alternative to using cURL18:59
kmalloclbragstad: that is the plan18:59
kmallochmmm.18:59
kmallocthis is sounding like that bug where the dbsync somehow mis-matched the schema18:59
kmallocand the mfa table doesn't exist18:59
kmallocwell user_options19:00
cabledudekeystone.log say MFA rules not satisfied.19:00
kmalloccabledude: you didn't try and enable MFA rules for the nova user right?19:00
cabledudelet me check19:00
kmallocjust a plain upgrade19:00
kmalloccabledude: if you tried to enable rules i'd need to see what your user_options look like for the nova user19:00
cabledudei didn not "try" to enable rules for any user.  Just showed up after the upgrade.19:01
kmallocbut the long/short is that the MFA rules are a series of logical ORs in lists, so if you want to force a user to use PASSWORD and TOTP you can say [['password', 'totp']]19:01
cabledudemitaka to ocata19:01
kmallocok can you check the keystone log for exceptions?19:01
kmallocand 2, can you confirm the values in the nova user's 'user_options' field when you do a get_user19:02
kmalloci can tell you where to look in the DB if you can't do a user get on nova19:02
cabledudei have no MFA table :(19:02
kmallocthere isn't an MFA table19:02
kmallocit's going to be user_options table19:03
lbragstaduser options are a generic tool that we use for some aspects of MFA19:03
cabledudeah19:03
lbragstadamong other things19:03
kmallocthere are PCI-DSS specific mechanisms added into it, so you can exempt users from being locked out19:03
cabledudemy user options table is empty19:03
kmallocok19:03
kmallocthat is a good start, it should mean that the MFA rules are not being processed19:04
cabledudeok19:04
kmalloccan you login (not in keystonemiddleware) directly to keystone with the nova user's credentials?19:04
kmallocand if not, what is the keystone log saying when you try19:05
kmallocand/or what error are you getting back (401)19:05
kmalloc?19:05
*** aojea_ has joined #openstack-keystone19:06
cabledudeif i source  nova credentials and do a "nova list" for example I get Unable to establish connection to http://controller:8774/v2.119:06
cabledudebecause the nova_api service is not listening19:06
*** jmlowe has quit IRC19:07
cabledudekeystone.log shows "MFA Rules not processed for user `95b6745259944d1bb0f540874700f899`. Rule list: `[]` (Enabled: `True`). check_auth_methods_against_rules /usr/lib/python2.7/dist-packages/keystone/auth/core.py:388"19:07
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware master: Remove PKI/PKIZ support  https://review.openstack.org/61367519:07
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware master: Fix revocation list/PKI[z] removal nits.  https://review.openstack.org/61396619:08
kmalloccabledude: that is 100% ok19:08
kmalloccabledude: that has no impact, there are no MFA rules so there is nothing being processed19:08
kmallocsee the Rule List: []19:09
kmallocthat tells me we're doing the right thing19:09
kmalloc:)19:09
kmallocFWIW, debug logs are not always super useful in production19:09
kmallocyeah so you are going to want to use the nova users information from your nova.conf (authtoken section) and try and login to keystone with it19:10
cabledudeok so might you have any ideas why nova_api complains with " ERROR nova ImportError: cannot import name service_token"19:10
kmallocaaaaah19:10
kmallocthat is a very different issue.19:10
cabledudeoh!19:10
kmallocthat makes me think something isn't installed19:10
kmallocthat is telling you that the module service_token isn't importable19:10
cabledudestill a keystone config issue?  or nova?19:11
kmallocif you look in the Nova log, you should see a more in depth exception19:11
kmallocno this isn't likely to be a keystone issue19:11
kmallocor it is a keystonemiddleware one19:11
kmallocbut not a keystone server one19:11
kmallocthis is something wrong trying to start nova-api at the python level19:11
kmalloclike, a package isn't installed19:12
kmallochow was your nova installed? distribution? (ubuntu/rdo/etc)? with git? docker?19:12
kmallocsomething else?19:12
cabledudeubuntu19:12
cabledudeinitially mitaka then followed the keystone upgrade doc to ocata19:13
kmallochmm19:13
cabledudefound here https://docs.openstack.org/releasenotes/keystone/ocata.html19:13
kmallocyou might have an out of date version of dependencies19:13
cabledudesweet...19:13
cabledude2018-10-30 13:09:46.027 30194 CRITICAL nova [-] ImportError: cannot import name service_token 2018-10-30 13:09:46.027 30194 ERROR nova Traceback (most recent call last): 2018-10-30 13:09:46.027 30194 ERROR nova   File "/usr/bin/nova-api", line 10, in <module> 2018-10-30 13:09:46.027 30194 ERROR nova     sys.exit(main()) 2018-10-30 13:09:46.027 30194 ERROR nova   File "/usr/lib/python2.7/dist-packages/nova/cmd/api.py", li19:14
kmallocsec19:14
cabledudefrom nova-api.log19:14
lbragstadcabledude can you throw that into a paste? http://paste.openstack.org/ ?19:15
cabledudethere's more to it if you need the rest19:15
cabledudesure hang on19:15
kmallocyeah you don't have keystoneauth1 or an out dated version of keystoneauth installed19:16
kmalloclbragstad: ^ that is from keystoneauth1.loading import service_token19:16
kmallocmy guess is it is about when folks moved from ksc to ksa19:16
cabledudePaste #73366419:17
kmallocyeah so you'll need the correct version of keystoneauth installed on the system/venv/whatever that nova is running19:18
kmallocyou're missing that dependency or an out dated version of keystoneauth119:19
kmallocit might also be missing other dependencies19:19
cabledudeI have python-keystoneauth1                  2.18.0-0ubuntu2~cloud0 and python3-keystoneauth1                 2.18.0-0ubuntu2~cloud019:19
cabledudeany idea what versions I would need?19:20
kmalloclooking19:20
kmallocat least 2.1619:21
kmallocso 2.18 should do it19:21
kmallocbut not sure why you can't load for nova19:21
cabledudedo I need tokenless_auth configured?19:22
kmallocno19:22
kmallocthe issue is that the nova API python code isn't able to find keystoneauth1.service_token module19:23
cabledudedo I need both python and python3 keystoneauth1 modules?19:23
kmallocare you running nova under python3 (i didn't think that was going to work)19:23
kmallocalso, i have *no* idea how ubuntu has packaged this19:24
cabledudeHa!19:24
kmalloci am not involved in the packaging of oepnstack (for any distro)19:24
kmallocthis looks like py2.719:24
kmallocfrom the traceback19:24
kmallocso i wouldn't worry about python319:25
kmallocon the same node you have nova installed19:25
kmallocdo "python"19:25
kmallocand then type "from keystoneauth1 import service_token"19:25
kmallocsee if it loads19:25
kmallocif not, check to make sure the correct version of keystoneauth1 is in-fact installed where nova is looking for it19:25
cabledude>>> from keystoneauth1 import service_token Traceback (most recent call last):   File "<stdin>", line 1, in <module> ImportError: cannot import name service_token >>>19:26
kmallochrm. ok19:26
lbragstadcomputer says "no"19:26
*** aojea_ has quit IRC19:26
cabledudeagain... :(19:26
kmallocyou might want to do import keystoneauth119:26
kmallocand then keystoneauth1.__version__19:27
kmallocand see what version it thinks you have19:27
*** aojea_ has joined #openstack-keystone19:27
kmalloci am pretty certain that the version you have is 2.15 or earlier19:27
cabledude>>> keystoneauth1.__version__ '2.6.0' >>>19:28
kmallocyeah19:28
kmalloccheck to make sure you don't have keystoneauth1 installed via pip19:28
kmallocbut that is the issue19:28
kmalloc2.6 is WAY older than what you need19:28
kmalloc2.16 or later (And chances are 2.18 or later)19:28
*** nelsnelson has joined #openstack-keystone19:29
cabledude2.6 is older than 2.16?19:29
kmallocyes19:29
kmalloc2.6 is ~10 releases older19:30
kmallocthat isn't 2.1.619:30
kmallocit's 2.16.019:30
cabledudeah19:30
*** aojea_ has quit IRC19:30
cabledudeok hang tight a sec while I mess thing up more...19:31
kmallocsemver is <major release>.<minor release>.<patch level>19:31
*** aojea_ has joined #openstack-keystone19:31
kmallocmajor release is going to break lots of things between them19:31
kmallocminor releases tend to be additive and not majorly breaking/minor changes19:31
kmallocand patches are "OMG this was so broken, we fixed a bug"19:31
kmallocor "there was a typo"19:31
kmallocetc.19:31
kmallocpatch level is non-breaking by definition19:32
kmalloc(barring serious security flaws)19:32
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware master: Stop supporting revocation list  https://review.openstack.org/61365119:36
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware master: Remove PKI/PKIZ support  https://review.openstack.org/61367519:36
openstackgerritMorgan Fainberg proposed openstack/keystonemiddleware master: Fix revocation list/PKI[z] removal nits.  https://review.openstack.org/61396619:37
kmalloclbragstad, ayound, edmondsw: ^ fixed the concerns. some things are in the followup nits because I kept having weird rebases re-introduce typos19:39
kmallocayoung* ^19:39
lbragstadthanks19:40
cabledudekmalloc thank you!  2.6 was installed via pip.  uninstalled and version is now 2.18 and nova starts!19:45
kmalloccabledude: happy to help!19:45
kmalloccabledude: you can always use pip --freeze to check that in the future19:45
cabledudei never use pip.  but guess I must have at some point 2 years ago when I set up the stack19:46
*** jmlowe has joined #openstack-keystone19:48
kmalloci recommend immutable infrastructure19:49
kmallocfor cases like this19:49
kmallocobviously, db servers need to be upgraded (schema)19:49
kmallocbut typically i recommend re-deploying the control plane if you can, clean VM, container, something19:49
kmallocthat way you aren't carrying forward awkward things like 2-year-old pip installs19:49
*** ayoung has joined #openstack-keystone19:50
kmalloccabledude: glad we could help you solve the case of the weirdly out of date keystoneauth1 package19:50
*** aojea_ has quit IRC19:52
*** nelsnelson has quit IRC19:56
*** nelsnelson has joined #openstack-keystone19:58
*** pcaruana|elisa| has joined #openstack-keystone20:12
*** pcaruana|elisa| has quit IRC20:32
*** imacdonn has quit IRC20:33
*** imacdonn has joined #openstack-keystone20:34
*** mvkr has joined #openstack-keystone20:37
*** erus has quit IRC20:54
*** aojea_ has joined #openstack-keystone20:57
*** imus has quit IRC20:58
*** raildo has quit IRC21:13
*** nels has joined #openstack-keystone21:14
openstackgerritayoung proposed openstack/oslo.policy master: Unit test for CLI  https://review.openstack.org/61435621:14
*** nelsnelson has quit IRC21:15
openstackgerritMerged openstack/keystone master: Set Default and resource limit as defined schema  https://review.openstack.org/61047921:24
openstackgerritMerged openstack/keystone master: Delete "Preparing your environment" section  https://review.openstack.org/61417221:25
ayoungcmurphy, lbragstad knikolla https://review.openstack.org/#/c/607346/  Bump. Lets get that through21:32
lbragstadI'll take a look either tonight or tomorrow21:34
lbragstadthanks ayoung21:34
ayoungthanks21:34
openstackgerritayoung proposed openstack/keystone-specs master: Tokens with subsets of roles  https://review.openstack.org/18697921:43
openstackgerritayoung proposed openstack/keystone-specs master: Allow a remote service to Validate Federation Mapping  https://review.openstack.org/24558821:47
*** david-lyle has quit IRC22:08
*** aojea_ has quit IRC22:24
openstackgerritGage Hugo proposed openstack/keystone master: Remove compatability shim  https://review.openstack.org/61436122:27
*** dklyle has joined #openstack-keystone22:28
*** xek has quit IRC22:31
*** dnguyen has quit IRC23:01
*** dnguyen has joined #openstack-keystone23:02
*** prometheanfire has joined #openstack-keystone23:12
prometheanfirenew verions of future seem to break keystone https://review.openstack.org/61431423:13
kmallocoh that isn't fun23:22
mordredprometheanfire: TIL about future23:22
kmallocprometheanfire: looks like it'23:23
kmallocs realted to pysaml23:23
kmallocprometheanfire: this is not going to be a quick turnaround/fix23:24
kmallocbut it's odd that changing future broke that23:25
kmallocprometheanfire: lets just drop py27 support on keystone today :P23:25
kmalloceasy fix! :P23:26
mordred++23:27
mordreddropping py27 support in zuul was the most glorious day23:27
kmallochonestly, if i thought i could get away with dropping py27 today I would23:27
mordredwe're getting closer ...23:27
kmallocand then propose a patch that rips out everysingle use of six23:27
kmalloci know... "closer"23:28
kmalloctbh, keystone could probably get away with it today.23:28
kmallocsince it would be trivial to deploy it in a container23:28
kmallocfor the OSes that don't have 3x23:28
kmallocbut.....23:28
kmallochmmmm23:28
kmalloccmurphy: it might not be doable to test the 404 thing easily23:34
kmalloccmurphy: in unit tests that is23:34
kmallocmight need to be functional/tempest23:34
clarkbfwiw the TC does have a statement of distro support23:36
clarkband currently that requires python223:36
prometheanfirewooo23:41
prometheanfirekill py27, good for me :P23:41
prometheanfireclarkb: I think we know :P23:41
kmallocclarkb: my comment is mostly just snark23:52
kmallocclarkb: because i don't want to chase a fix in pysaml for a py27 issue23:52
clarkbfair enough. I mostly point it out because there is/was a ton of confusion over switching test base distros and how that affects python versions23:53
clarkbwe've had a policy n place for a long long time and I guess many are unaware of it?23:53
kmallocthe only concern i had was ambiguity (on the py35 front) based upon the resolutions and wording that was to the effect of "should not drop py35"23:54
kmallocpy27 i figured would die sometime in the next cycle or 323:54
kmallocdue to EOL timeframes23:54
*** dnguyen has quit IRC23:54
kmallocand distro support23:54
kmallochonestly, i would love to see openstack py37+ only23:55
kmallocfor lots and lots of reasons23:55
kmallocbut that is not realistic23:55
kmallochm. there should be no reason future change impacts this23:57
kmallocprometheanfire: ^ afaict23:57
kmalloci'm looking into it now, but.... it seems like this is something else going on23:57
clarkboh actually I may know this one23:58
clarkbit looks like the same problem twine had23:58
kmallocthat future is impacting the import of html?23:58
clarkbno, it was some other dep had dropped html?23:59
clarkbfungi: ^ if you are still around I think you helped fix this?23:59
kmallochmmmm23:59
kmallocyeah something lost html somewhere23:59
clarkbhtml was a dep of a thing and that thing dropped html then all the things broke23:59
kmalloc*grump*23:59
kmallocok you know what, i think i jsut want to add html to keystone's requirements then23:59
clarkbthat should do it23:59
« Monday, 2018-10-29 Index Wednesday, 2018-10-31 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!