Wednesday, 2014-05-21

[00:07] *** matsuhashi has joined #openstack-swift
[00:11] *** jergerber has quit IRC
[00:33] <openstackgerrit> John Dickinson proposed a change to openstack/swift: Change the default token logged length to 16 https://review.openstack.org/94506
[00:34] *** csd has quit IRC
[00:40] *** dmorita has joined #openstack-swift
[01:02] *** shri has quit IRC
[01:45] *** shakamunyi has quit IRC
[01:59] *** shakamunyi has joined #openstack-swift
[02:00] *** saschpe has quit IRC
[02:02] *** saschpe has joined #openstack-swift
[02:05] *** shakamunyi has quit IRC
[02:18] *** dvas has joined #openstack-swift
[02:22] *** dvas has quit IRC
[02:36] *** gyee has quit IRC
[02:46] <openstackgerrit> John Dickinson proposed a change to openstack/swift: Change the default token logged length to 16 https://review.openstack.org/94506
[02:55] *** baojg has joined #openstack-swift
[02:56] *** hipster has quit IRC
[02:58] *** kenhui has joined #openstack-swift
[03:01] *** blazesurfer has joined #openstack-swift
[03:01] *** baojg has quit IRC
[03:02] <blazesurfer> hi all
[03:02] *** baojg has joined #openstack-swift
[03:07] *** baojg_ has joined #openstack-swift
[03:09] *** baojg_ has quit IRC
[03:09] *** baojg has quit IRC
[03:10] *** baojg has joined #openstack-swift
[03:17] *** baojg_ has joined #openstack-swift
[03:18] *** dvas has joined #openstack-swift
[03:20] *** baojg has quit IRC
[03:21] *** kenhui has quit IRC
[03:23] *** dvas has quit IRC
[03:33] *** madhuri has joined #openstack-swift
[03:35] *** kenhui has joined #openstack-swift
[03:48] *** nosnos has joined #openstack-swift
[03:50] *** kenhui1 has joined #openstack-swift
[03:51] *** kenhui has quit IRC
[04:07] <blazesurfer> hey guys
[04:08] <blazesurfer> Keystone and ssl swift as well would any one have some time to discuss how it all works
[04:14] *** ppai has joined #openstack-swift
[04:19] *** dvas has joined #openstack-swift
[04:23] *** haomaiwang has joined #openstack-swift
[04:23] *** dvas has quit IRC
[04:52] *** psharma has joined #openstack-swift
[04:59] *** baojg has joined #openstack-swift
[05:00] *** baojg_ has quit IRC
[05:00] *** baojg has quit IRC
[05:02] *** igor_ has quit IRC
[05:04] *** kenhui has joined #openstack-swift
[05:05] *** blazesurfer has quit IRC
[05:06] *** igor has joined #openstack-swift
[05:07] *** kenhui2 has joined #openstack-swift
[05:07] *** kenhui has quit IRC
[05:07] *** kenhui has joined #openstack-swift
[05:08] *** kenhui1 has quit IRC
[05:10] *** ppai has quit IRC
[05:11] *** kenhui2 has quit IRC
[05:19] *** dvas has joined #openstack-swift
[05:24] *** dvas has quit IRC
[05:27] *** kenhui has quit IRC
[05:30] *** dvas has joined #openstack-swift
[05:31] *** dvas has quit IRC
[05:40] *** dvas has joined #openstack-swift
[06:39] *** elambert has joined #openstack-swift
[06:41] *** dvas has quit IRC
[06:41] *** zaitcev has quit IRC
[06:41] *** ppai has joined #openstack-swift
[06:52] *** Honghui has joined #openstack-swift
[06:54] *** nshaikh has joined #openstack-swift
[07:12] *** dvas has joined #openstack-swift
[07:15] *** dvas has quit IRC
[07:17] *** Ju has joined #openstack-swift
[07:29] *** sungju has quit IRC
[07:37] *** dvas has joined #openstack-swift
[07:39] <openstackgerrit> A change was merged to openstack/swift: Make the new xprofile tests optional. https://review.openstack.org/94404
[07:43] *** mlipchuk has joined #openstack-swift
[07:47] *** mlipchuk has quit IRC
[07:50] *** PVince81 has joined #openstack-swift
[08:04] *** mlipchuk has joined #openstack-swift
[08:18] *** nacim has joined #openstack-swift
[08:19] <chmouel> pconstantine_: cool glad you figured it out
[08:30] *** haomaiwang has quit IRC
[08:30] *** haomaiwang has joined #openstack-swift
[08:31] *** jamie_h has joined #openstack-swift
[08:33] *** haomaiw__ has joined #openstack-swift
[08:35] *** haomaiwang has quit IRC
[08:39] *** pberis has quit IRC
[08:42] *** pberis has joined #openstack-swift
[08:56] *** PVince81 has left #openstack-swift
[08:58] *** Honghui has quit IRC
[09:00] *** mmcardle has joined #openstack-swift
[09:12] *** mmcardle has quit IRC
[09:16] *** mmcardle has joined #openstack-swift
[09:17] *** sungju has joined #openstack-swift
[09:18] *** mkollaro has joined #openstack-swift
[09:20] *** acoles_away is now known as acoles
[09:21] *** mlipchuk has quit IRC
[09:22] *** mmcardle1 has joined #openstack-swift
[09:22] *** sungju has quit IRC
[09:23] *** mmcardle has quit IRC
[09:23] *** mandarine has left #openstack-swift
[09:40] *** mlipchuk has joined #openstack-swift
[09:49] *** sungju has joined #openstack-swift
[10:01] *** matsuhashi has quit IRC
[10:03] *** sungju has quit IRC
[10:06] *** sungju has joined #openstack-swift
[10:15] *** haomaiw__ has quit IRC
[10:16] *** haomaiwang has joined #openstack-swift
[10:23] *** haomaiw__ has joined #openstack-swift
[10:24] *** Honghui has joined #openstack-swift
[10:26] *** haomaiwang has quit IRC
[10:34] *** mmcardle1 has quit IRC
[10:34] *** mmcardle has joined #openstack-swift
[10:38] *** mlipchuk has quit IRC
[10:41] *** hipster has joined #openstack-swift
[10:44] *** nacim has quit IRC
[10:44] *** Honghui has quit IRC
[10:45] *** mmcardle has quit IRC
[10:49] *** hipster has quit IRC
[10:53] *** mlipchuk has joined #openstack-swift
[10:58] *** nacim has joined #openstack-swift
[11:04] <openstackgerrit> Constantine Peresypkin proposed a change to openstack/swift: account to account copy implementation https://review.openstack.org/72157
[11:05] *** ppai has quit IRC
[11:07] *** dvas has quit IRC
[11:13] *** dvas has joined #openstack-swift
[11:13] <openstackgerrit> Christian Schwede proposed a change to openstack/python-swiftclient: Fix Python3 bugs https://review.openstack.org/94347
[11:16] *** nosnos has quit IRC
[11:18] *** ppai has joined #openstack-swift
[11:19] *** shague_ has quit IRC
[11:19] *** shague_ has joined #openstack-swift
[11:21] *** dmorita has quit IRC
[11:30] *** otoolee has joined #openstack-swift
[11:37] *** sungju has quit IRC
[11:44] *** Honghui has joined #openstack-swift
[11:48] *** psharma has quit IRC
[11:50] *** ppai has quit IRC
[11:59] *** bvandenh has joined #openstack-swift
[12:01] <acoles> dfg: short answer is 'yes' :) i just added comment to review - would still be good to avoid the possible exceptions when disallowed section paths aren't found. thx
[12:04] *** ppai has joined #openstack-swift
[12:08] <openstackgerrit> A change was merged to openstack/swift: Change the default token logged length to 16 https://review.openstack.org/94506
[12:11] *** tdasilva has joined #openstack-swift
[12:21] *** Honghui has quit IRC
[12:22] *** shague_ has left #openstack-swift
[13:10] *** ppai has quit IRC
[13:15] <acoles> cschwede_: hi
[13:20] <cschwede_> Hi Alistair!
[13:22] <acoles> cschwede_: hi. re the py 3 bugs patch - the header encoding part looks fine but i just noticed there is no unit test for the change to set content-type=''
[13:22] <acoles> cschwede_: are you happy if i push a ne wpatch set adding just that test?
[13:23] <acoles> new patch
[13:24] <cschwede_> acoles: new patch or just update the current patchset? I’m fine if you want to add anything on top of it
[13:25] <acoles> cschwede_: sorry, update. ok, will do.
[13:27] <cschwede_> acoles: of course i can also do this if you prefer
[13:28] <acoles> cschwede_: i have it ready to go
[13:28] <cschwede_> acoles: great, thanks a lot!
[13:32] <openstackgerrit> gholt proposed a change to openstack/swift: Container sync no longer sending swift_bytes value https://review.openstack.org/94465
[13:49] *** hipster has joined #openstack-swift
[13:51] *** dvas has quit IRC
[13:51] *** dvas_ has joined #openstack-swift
[13:54] <openstackgerrit> Alistair Coles proposed a change to openstack/python-swiftclient: Fix Python3 bugs https://review.openstack.org/94347
[13:55] <acoles> cschwede_: ^^ i hope i didn't break anything!
[14:00] *** zaitcev has joined #openstack-swift
[14:00] *** ChanServ sets mode: +v zaitcev
[14:09] <openstackgerrit> Alistair Coles proposed a change to openstack/python-swiftclient: Add keystone v3 auth support https://review.openstack.org/91788
[14:13] *** dvas_ has quit IRC
[14:15] <cschwede_> acoles: thanks, will have a look soon (currently in a meeting)
[14:20] *** ophuk has quit IRC
[14:29] *** dvas_ has joined #openstack-swift
[14:30] *** shakamunyi has joined #openstack-swift
[14:36] *** dvas__ has joined #openstack-swift
[14:36] *** dvas_ has quit IRC
[14:37] *** haomaiw__ has quit IRC
[14:37] *** haomaiwa_ has joined #openstack-swift
[14:39] *** haomaiw__ has joined #openstack-swift
[14:42] *** dvas__ has quit IRC
[14:42] *** haomaiwa_ has quit IRC
[14:43] *** dvas__ has joined #openstack-swift
[14:47] *** dvas__ has quit IRC
[15:01] *** kevinc_ has joined #openstack-swift
[15:05] *** nacim has quit IRC
[15:13] <notmyname> good morning world
[15:14] *** dvas__ has joined #openstack-swift
[15:15] *** lpabon has joined #openstack-swift
[15:16] <notmyname> ugh 16k keystone tokens. not a good way to start the day ;-)
[15:17] <notmyname> creiht: I love the "if you *only* have 10k req/sec" to swift :-)
[15:17] <notmyname> it's absolutely the right way to phrase it!
[15:18] <creiht> :)
[15:18] <creiht> notmyname: sorry to bring it up
[15:18] <notmyname> creiht: actually, I'm glad you did post that to the ML
[15:18] <creiht> but it becomes more concerning to me now that others have promised that we will be running keystone
[15:19] <notmyname> it's the same story as "hey you are trying to make a one-size-fits-all solution, and you're completely ignoring a major use case"
[15:19] <cschwede_> hmm, can’t remember which talk it was, but for many deployments the average object size is 30-50kb - maybe? so 1/3 of the traffic would be only authentication :-/
[15:20] <creiht> yeah even for us, average object size is pretty small
[15:21] <gholt> And our traffic is mostly reads, not writes. And probably half those reads are HEADs.
[15:21] <creiht> right
[15:21] <cschwede_> gholt: ouch!
[15:22] <creiht> makes it also really bad for all the libs/sdks that do silly things like do a head before every single operation
[15:22] <notmyname> PKI is a nice idea, as long as it isn't the current keystone variant of "encrypt the entire service catalog for every request". singed requests are a pretty cool thing (see tempurl)
[15:22] <creiht> lol
[15:22] <notmyname> signed requests, too :-)
[15:22] <creiht> I like my requests slightly singed :)
[15:23] <redbo> don't worry, soon they'll just require kerberos auth for all clients
[15:23] <notmyname> redbo: that's not a completely horrible idea, actually ;-)
[15:23] <scotticus> hey its worked since the 70s right?
[15:23] <notmyname> shoot keystone in the head and say "just use kerberos" :-)
[15:24] <redbo> ahh!
[15:24] <scotticus> i'm going to rename my go keystone bindings KeithStone.
[15:24] <portante> three headed monster vs. hydra
[15:24] <notmyname> scotticus: heh
[15:25] <notmyname> redbo: note that I said it wasn't completely horrible. not that it was good :-)
[15:25] <scotticus> there are still horrible aspects?
[15:25] *** bvandenh has quit IRC
[15:26] <gholt> My guess is that Keystone just can't handle very many requests per second and that's what the bloated tokens are for. Seems the wrong way to scale Keystone though. Heh
[15:31] <notmyname> ok, before I respond and say something stupid on the ML, how can you compress PKI tokens and get any benefit? isn't crypto data non-compressible?
[15:31] <cschwede_> notmyname: i would be very concerned if it is compressible
[15:32] <creiht> notmyname: redbo just mentioned that it is likely because it is then base64 encoded or something like that to put in the header
[15:32] <creiht> I did a quick test of an example token from the docs
[15:32] <cschwede_> notmyname: i’m no keystone expert, but maybe pki tokens with a subset of services (ie only swift) might be possible=
[15:32] <cschwede_> s/=/?
[15:32] <creiht> but then wouldn't you have to encode that back again
[15:32] <creiht> so yeah not sure how that would actually help
[15:32] <notmyname> cschwede_: not really. see RAX and the fact that "just" swift services has today at least 6 entries in the catalog
[15:33] <creiht> more than that
[15:33] <creiht> because of cdn stuff
[15:33] <notmyname> ah yes
[15:34] <cschwede_> ok, would have been too easy
[15:36] <cschwede_> hmm, maybe i’m still too jetlagged. „we“ are in charge of the keystone middleware for swift, right?
[15:36] <notmyname> cschwede_: half of it
[15:37] <cschwede_> so - (probably i miss something here) - let me draft an idea
[15:38] <notmyname> cschwede_: the keystone part basically builds an identity data structure and puts it in the wsgi env. the swift part implements the authorize() and interprets the identity data structure in the context of the swift ACL info
[15:38] <redbo> I'm still holding a grudge because keystone gets to store things in memcache with pickles and for us it was some huge security problem.
[15:38] <notmyname> I like that pattern, actually. we use the same one for the swiftstack AD and LDAP integration
[15:38] <cschwede_> 1. user sends data to swift for auth 2. swift asks (via middleware) keystone 3. keystone responds with a mb-sized token 4. middleware hashes that token, uses the hash as key for memcache and stores token as memcache value 5. middleware returns hashed token to user 6. user uses only the short token
[15:38] *** krtaylor has quit IRC
[15:39] <cschwede_> of course client needs to be aware of that too. hmm. and caching introduces maybe problems due to expired tokens…
[15:39] <gholt> redbo: You should file a bug for that! Under an alias of course. ;)
[15:39] <notmyname> cschwede_: ya, you've just described tempauth
[15:39] <cschwede_> notmyname: ah, i’ve seen that before ;)
[15:39] <notmyname> cschwede_: the problem is that for swift the client would first auth against swift and not keystone
[15:40] <redbo> in fact, just forget keystone
[15:40] <notmyname> cschwede_: which works, of course. just that it's different than all the existing docs and client behavior
[15:40] <cschwede_> notmyname: yes, that’s the problem (the different behavior).
[15:42] <gholt> With compression, you compress before you encrypt. But anyway, stupid non-solution to the real problem.
[15:42] <creiht> gholt: yeah
[15:42] <notmyname> gholt: isn't that the basis of some recent attack? BEAST or CRIME or something
[15:42] <redbo> we haven't even mentioned that validating tokens requires shelling out to openssl.. how many times per second?
[15:43] <creiht> heh that's a different issue
[15:43] *** ophuk has joined #openstack-swift
[15:43] <notmyname> redbo: switch to libressl? /troll
[15:45] <gholt> notmyname: Probably (on the crypto compression attack), heh
[15:45] <notmyname> looks like my patch I threw over the wall last night was popular and is already merged (to by default limit the number of chars logged on the auth token)
[15:45] <notmyname> ...speaking of auth tokens ^^
[15:47] <notmyname> cschwede_: do you know if there can be any sort of shared secret with keystone? how possible would it be to move from bearer tokens to signed requests for keystone+swift?
[15:48] <notmyname> cause I feel we have the worst of both right now
[15:49] <openstackgerrit> David Goetz proposed a change to openstack/swift: Add ability to remove subsections from /info https://review.openstack.org/94458
[15:49] <cschwede_> notmyname: sorry, don’t know (yet). i think i need to dig deeper into keystone
[15:50] <cschwede_> notmyname: with signed requests you have something similar to s3 in mind?
[15:50] *** gyee has joined #openstack-swift
[15:50] *** igor has quit IRC
[15:51] <notmyname> cschwede_: yes. or tempurl. same concept
[15:51] *** igor__ has joined #openstack-swift
[15:51] <notmyname> redbo: https://twitter.com/johnleach/status/469142817781338112 <<-- let's solve the overhead problem by using SOAP!
[15:52] <cschwede_> notmyname: well, it all depends on the client, right? so if we use a different way on the client side we would be able to use what we want, aren’t we?
[15:52] <redbo> unfortunately when we do things that are different but we think better, we get in trouble
[15:52] <notmyname> cschwede_: ya. so "use signed requests" probably reduces down to "make everyone use signed requests". which sounds hard
[15:53] <redbo> I'm glad nobody is paying attention, they'd probably get mad about tempurl.
[15:54] <notmyname> http://adam.younglogic.com/2014/02/compressed-tokens/
[15:59] *** kevinc_ has quit IRC
[16:01] *** kevinc_ has joined #openstack-swift
[16:12] <creiht> notmyname: so I guess that brings us to the point of having to ask, at what point are tokens too big?
[16:13] <notmyname> creiht: 128 bytes should be enough for anyone, right?
[16:13] <creiht> I think 10% encrypted size is a bit optimistic, but that's another thing
[16:13] <notmyname> (actually serious)
[16:13] <creiht> heh
[16:13] <notmyname> ya, I'm writing a response now
[16:13] <creiht> I'm installing devstack to play with pki tokens a bit
[16:13] <notmyname> cool
[16:14] <creiht> will probably be a bit though
[16:14] <creiht> and it is lunch time :)
[16:15] <ophuk> so I moved my mount point from / to the normal default mount point and everything is working. Is there anywhere else other than account-server that you would need to set devices to tell it where to look for the mount point?
[16:19] <notmyname> ophuk: there's a "devices" config setting in all of the storage server configs (account, container, object)
[16:20] *** nshaikh has quit IRC
[16:21] <ophuk> notmyname: oh - must have missed it when I looked for it on the example configs.
[16:28] <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/python-swiftclient: Updated from global requirements https://review.openstack.org/89250
[16:29] <cschwede_> notmyname: I added two links to https://wiki.openstack.org/wiki/Swift/PriorityReviews#Looking_for_something_to_review.3F that might be useful - think it’s a nice addition to Gerrit. Feel free to edit if this is not the right place, misleading etc.
[16:29] <notmyname> cschwede_: thanks
[16:29] <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/swift: Updated from global requirements https://review.openstack.org/88736
[16:29] <notmyname> cschwede_: ah, cool. those are great
[16:32] <openstackgerrit> Christian Schwede proposed a change to openstack/python-swiftclient: fixed several pep8 issues https://review.openstack.org/93519
[16:34] <notmyname> I like how openstack global requirements requires a newer version of swiftclient than swift itself does
[16:37] <openstackgerrit> John Dickinson proposed a change to openstack/swift: taking the global reqs that we can https://review.openstack.org/94669
[16:37] <notmyname> can someone double check that for me? ^
[16:39] <openstackgerrit> Mark Seger proposed a change to openstack/swift: added Benchmarks/Load Generators section + link to getput https://review.openstack.org/94670
[16:40] *** mlipchuk has quit IRC
[16:47] *** miqui has quit IRC
[16:49] <openstackgerrit> John Dickinson proposed a change to openstack/swift: added Benchmarks/Load Generators section https://review.openstack.org/94670
[16:50] *** miqui has joined #openstack-swift
[16:53] <notmyname> reminder that the swift team meeting is in 2 hours in #openstack-meeting. we'll do a summit recap and look at the TODO things that came from it: https://wiki.openstack.org/wiki/Meetings/Swift
[17:02] *** haomaiw__ has quit IRC
[17:08] *** saschpe has quit IRC
[17:09] *** kenhui has joined #openstack-swift
[17:10] *** saschpe has joined #openstack-swift
[17:21] *** kenhui has quit IRC
[17:22] *** kenhui has joined #openstack-swift
[17:26] *** shri has joined #openstack-swift
[17:28] *** kenhui has quit IRC
[17:29] *** kenhui has joined #openstack-swift
[17:43] <openstackgerrit> A change was merged to openstack/swift: Add targeted config loading to swift-init https://review.openstack.org/92933
[17:44] *** kenhui has quit IRC
[17:48] *** kevinc_ has quit IRC
[18:00] <anticw> clayg / notmyname: the object-server middleware has timeout handling ... i assume this is needed because it's at the top/left of the pipeline?
[18:00] <anticw> other middleware stages simply won't get __call__ invoked in cases where there is no data?
[18:00] <notmyname> anticw: object server middleware?
[18:01] <anticw> https://github.com/openstack/swift/blob/master/swift/obj/server.py#L412
[18:01] <anticw> ie. in the PUT method there is handling for .read timeouts - is that required for any middleware stage which consumes data via .read - or only just the top/left most?
[18:02] <anticw> (and is it even required for swob at all? i can see it might be possible for the caller to deal with timeouts itself)
[18:02] <notmyname> anticw: that code is in the server, not the middleware. so it's on the bottom/right. still thinking about your other question
[18:02] <anticw> notmyname: it's the only-stage isn't it?
[18:02] <anticw> so top/left = bottom/right surely?
[18:03] <notmyname> storage nodes can (and often, at least with new cluster) have healthcheck and recon
[18:03] *** kenhui has joined #openstack-swift
[18:04] <anticw> notmyname: i'm wondering if that timeout code predates swob and is still needed though
[18:05] <notmyname> anticw: I don't remember if swob does it or not. but in general if you're pulling data off the wsgi.input, then you should handle timeouts in case the client disconnects. I think.
[18:05] <anticw> notmyname: we're pulling data from wsgi.input ... which is why i was asking the other day for a .peek vs .read
[18:05] <notmyname> :-)
[18:05] <anticw> the solution seems to be dat = .read(...) then later on wsgi.input = StringIO(data)
[18:06] <anticw> i'd love to know there is a cleaner way though
[18:06] *** erlon has joined #openstack-swift
[18:06] <notmyname> redbo: is normally the person I ask for wsgi/swob stuff :-)
[18:08] *** acoles is now known as acoles_away
[18:08] <anticw> i'm going to suggest for now they leave the timeout handling there and then see if i can tickle a slow-write/timeout later today
[18:08] <notmyname> anticw: remind me of the peek use case? look at the data but leave it in the buffer?
[18:09] <anticw> NSA hooks
[18:09] <notmyname> of course
[18:09] <notmyname> /me kickbans anticw ;-)
[18:09] <anticw> actually, different checksums :)
[18:09] <creiht> lol
[18:10] <notmyname> creiht: you'd probably have a good perspective on this
[18:10] <creiht> heh
[18:10] <notmyname> anticw: can you compute it without the whole buffer (is it a streaming thing?)
[18:11] <anticw> well, you can do it with the whole bugger using body.req ... but then you consume a lot of ram and fall over for large PUTs
[18:11] <anticw> so it really has to be incremental
[18:11] <notmyname> right
[18:11] <anticw> there isn't anything amazing here going on, let me ask them to just push the code out for the world to see
[18:11] <notmyname> creiht: what do you think about a .peek()?
[18:12] <creiht> seems problematic
[18:12] <creiht> but somewhat related
[18:12] <anticw> .peek isn't wsgi spec
[18:12] <anticw> so i'm not sure it makes sense
[18:13] <creiht> well let me rethink that
[18:13] <notmyname> basically you need read() + tell() within the buffered chunk
[18:13] <notmyname> right?
[18:13] <creiht> it has been a while since I have messed with
[18:13] <creiht> notmyname: yeah I was kinda thinking it might be nice to have a generic "observer" middleware that others could subclass to do things that want to watch the body or whatever
[18:13] <notmyname> if you have to rebuild the wsgi.input do you have to create a new wsgi request?
[18:13] <creiht> because otherwise it is kind of a pain to get right
[18:14] <anticw> lemme quickly pastebin what i think they are doing ... i checked the code they have done and it's a bit hard to follow
[18:14] <creiht> and yeah I'm not sure off the top of my head how doable it is
[18:14] <notmyname> creiht: whoa. look at you going all "let's do some pluggable extensible framework" think ;-)
[18:14] <notmyname> *thing
[18:14] <notmyname> creiht: can it be middleware-middleware?
[18:15] <creiht> yeah not sure you can even make it work as I'm not sure if you can send the chunks through the middleware pipeline
[18:15] <notmyname> you need a tee middleware
[18:15] <creiht> it has been a while since I have played with it
[18:16] *** dvas__ has quit IRC
[18:17] <anticw> creiht: http://pastebin.com/XhrN1KcM
[18:17] <creiht> but that's why I was saying that it might need a separate hook
[18:17] <anticw> pseudo-pseudo code to explain what i think should be going on
[18:20] <creiht> anticw: the usual problem with that type of pattern is you end up putting all of the object in memory
[18:21] <anticw> creiht: originally that's what it did and blew up
[18:21] <anticw> i'm hoping in this case data is only a limited amount of data ... a few kB to mB
[18:22] <anticw> i just asked and am told this works - but it's not clear from their code if it is holding references to all of this
[18:22] <anticw> oh, and in related/other news --- if you get a MemoryError exception in swift pipelines ... you get no useful logs :)
[18:23] <creiht> heh
[18:24] <anticw> creiht: https://github.com/openstack/swift/blob/master/swift/obj/server.py#L418
[18:24] <creiht> yeah sorry I'm not much help here
[18:24] <creiht> I'm kinda in the middle of something myself
[18:25] <openstackgerrit> Pete Zaitcev proposed a change to openstack/swift: Pluggable Back-ends for account and container servers https://review.openstack.org/47713
[18:25] <anticw> creiht: np, much appreciated all the same ... notmyname too!
[18:25] <creiht> I would have to take some time to do some experimentation myself
[18:28] *** gvernik has joined #openstack-swift
[18:31] <notmyname> meeting in 30 minutes
[18:34] *** igor__ has quit IRC
[18:35] *** igor_ has joined #openstack-swift
[18:36] <creiht> notmyname: so a quick hack test on devstack with compression token goes from 5974 bytes to 1160 bytes
[18:36] <creiht> just fyi
[18:36] <notmyname> creiht: ah, good info. thanks
[18:36] <anticw> pki tokens?
[18:36] <notmyname> so 1:5 (ish)
[18:36] <creiht> yeah
[18:36] <anticw> rackspace and swiftstack don't use those...
[18:37] <anticw> and those people who do end up with a lot of complexity when it comes to revocation
[18:37] <creiht> heh yeah there are still a ton of other issues
[18:37] <anticw> i'm more or less convinced pki tokens are a solution in search of even more things to break
[18:37] <creiht> lol
[18:38] <notmyname> anticw: did you see the ML thread creiht started this morning? http://lists.openstack.org/pipermail/openstack-dev/2014-May/035463.html
[18:38] <anticw> once you start dealing with some of the revocation and other stuff various things require, you end up doing exactly the things pki token advocates claim you avoid
[18:38] <anticw> notmyname: i didn't, reading now
[18:38] <notmyname> anticw: and Rackspace, during a keynote at the openstack summit, promised to start using "real" keystone
[18:38] <anticw> but since this came up
[18:38] <anticw> let me put this gently
[18:39] <creiht> anticw: yeah thanks for the input
[18:39] <anticw> PKI TOKENS ARE RETARDED AND SHOULD DIE
[18:39] <notmyname> :-)
[18:39] <creiht> lol
[18:39] <anticw> notmyname: i talked to joearnold about this in passing
[18:39] <anticw> i want to talk to you more ... about a new mac-based auth scheme
[18:39] <anticw> similar to what aws does
[18:39] <anticw> ... are you free for lunch?
[18:40] <notmyname> anticw: this week? maybe friday.
[18:40] <anticw> the goal would be to avoid replay-attacks and concerns about tokens leaking
[18:40] <notmyname> right
[18:40] <notmyname> so bearer tokens are out
[18:40] <anticw> like in 20 minutes :) my date cancelled on me!
[18:41] <notmyname> anticw: heh. no, not today. swift team meeting (and I'm sitting at home with a broken collar bone instead of being in the office)
[18:41] <ctennis> was your date someone on the keystone team?
[18:41] <zaitcev> what happened man, this sounds crazy
[18:41] <anticw> that sucks ... i hope there is a good story to that?
[18:42] <anticw> ctennis: unlike most people around SF ... i do not luvs the keystone
[18:42] <notmyname> zaitcev: anticw: unfortunately no. biking home and my feet slipped off the pedals. cracked my helmet and broke a bone
[18:42] <zaitcev> aww
[18:42] *** acoles_away is now known as acoles
[18:42] <zaitcev> and my doc called me with MRI results and referred to surgeon, set after hackathon
[18:42] <anticw> notmyname: ok, that's a crappy story ... never tell it again ... make up some stuff about defending the nation from rogue terrorists
[18:43] <notmyname> heh. ya, my wife said something similar :-)
[18:43] <ctennis> some of us choose to believe there was a disagreement on the storage policy implementation and you lost
[18:43] <notmyname> lol
[18:43] <notmyname> peluse_...persuaded....me to choose his implementation :-)
[18:44] <notmyname> speaking of...time to go take more advil
[18:45] <zaitcev> yeah, ibuprofen has anti-swelling properties
[18:54] <openstackgerrit> A change was merged to openstack/swift: added Benchmarks/Load Generators section https://review.openstack.org/94670
[18:55] <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/swift: Updated from global requirements https://review.openstack.org/88736
[18:55] *** krtaylor has joined #openstack-swift
[18:57] *** shakamunyi has quit IRC
[18:58] <zaitcev> clayg: I implemented the spirit of your "missive", I think, but there's a side effect: I cannot split up the big patch as I hoped anymore, so I'll ask you to review the https://review.openstack.org/47713
[19:00] <zaitcev> clayg: before, there was inheritance, so I hoped to do Step 1: just create the class, Step 2: change methods for HEAD, Step 3: change methods for PUT, etc.
[19:00] <notmyname> meeting time in #openstack-meeting
[19:00] <zaitcev> umm, I need to run
[19:00] *** cds has quit IRC
[19:00] <zaitcev> I'll read the meeting log later
[19:00] <notmyname> zaitcev: kk
[19:04] *** kevinc_ has joined #openstack-swift
[19:07] *** kenhui has quit IRC
[19:07] *** kenhui has joined #openstack-swift
[19:15] *** ChanServ changes topic to ""Swift: It's not just another object storage" -- cschwede"
[19:17] *** kevinc_ has quit IRC
[19:20] *** kenhui has quit IRC
[19:22] *** kenhui has joined #openstack-swift
[19:28] *** schofield has joined #openstack-swift
[19:34] *** dvas___ has joined #openstack-swift
[19:47] *** gvernik has left #openstack-swift
[19:48] *** kenhui has quit IRC
[19:49] *** kevinc_ has joined #openstack-swift
[19:50] *** acoles is now known as acoles_away
[19:55] <dfg> clayg: you there?
[19:58] <notmyname> dfg: he's at gluecon today so is only in and out online
[20:00] <dfg> gluecon?
[20:00] <dfg> is that where horses go? is clay that old?
[20:00] <dfg> alright- anyway- i'll talk to him later
[20:03] <glange> they shoot horses, don't they?
[20:03] *** tdasilva has left #openstack-swift
[20:04] *** lpabon has quit IRC
[20:04] *** schofield has left #openstack-swift
[20:16] *** jeblair has joined #openstack-swift
[20:25] <openstackgerrit> David Goetz proposed a change to openstack/swift: xLO bug with auth tokens expiring during download. https://review.openstack.org/92165
[20:39] *** r-daneel has joined #openstack-swift
[20:52] *** pberis has quit IRC
[20:57] *** fifieldt has joined #openstack-swift
[20:59] *** kevinc_ has quit IRC
[21:10] *** pberis has joined #openstack-swift
[21:38] *** dvas___ has quit IRC
[21:38] *** dvas has joined #openstack-swift
[21:39] *** kevinc_ has joined #openstack-swift
[21:42] *** jamie_h has quit IRC
[21:44] *** kenhui has joined #openstack-swift
[21:45] *** dvas has quit IRC
[21:49] *** pberis has quit IRC
[21:55] *** hipster has quit IRC
[22:05] *** krtaylor has quit IRC
[22:07] *** cihhan has joined #openstack-swift
[22:14] <cihhan> Hi all! I have installed keystone and swift using: http://docs.openstack.org/havana/install-guide/install/apt/content/index.html -- However, I have two questions: How can I create multiple users? And how can I use SSL between the client and the proxy server (also between the proxy server and the storage nodes)?
[22:27] *** anticw_ has joined #openstack-swift
[22:29] *** fbo_away has joined #openstack-swift
[22:29] *** ondergetekende has quit IRC
[22:31] *** Mikalv has quit IRC
[22:32] *** Mikalv has joined #openstack-swift
[22:33] *** portante has quit IRC
[22:33] *** ondergetekende has joined #openstack-swift
[22:33] *** notmyname_ has joined #openstack-swift
[22:33] *** ChanServ sets mode: +v notmyname_
[22:33] *** anticw has quit IRC
[22:33] *** gholt has quit IRC
[22:33] *** fbo has quit IRC
[22:33] *** notmyname has quit IRC
[22:33] *** fbo_away is now known as fbo
[22:34] *** notmyname_ is now known as notmyname
[22:34] *** igor__ has joined #openstack-swift
[22:35] *** acolesz has joined #openstack-swift
[22:35] *** acolesz is now known as acoles
[22:35] *** ChanServ sets mode: +v acoles
[22:35] *** portante has joined #openstack-swift
[22:35] *** ChanServ sets mode: +v portante
[22:38] *** acoles_away has quit IRC
[22:38] *** igor_ has quit IRC
[22:38] *** gholt has joined #openstack-swift
[22:38] *** ChanServ sets mode: +v gholt
[22:40] *** kenhui has quit IRC
[22:41] *** r-daneel has quit IRC
notmynamecihhan: still here? I can help with that22:41
notmynamezaitcev: isnt' WIP the -1 workflow now?22:42
zaitcevnotmyname: no idea, sorry. could be.22:42
cihhannotmyname, yep still around :) that would be really great22:44
*** pberis has joined #openstack-swift22:45
notmynamecihhan: both work, but why are you using havana docs to install and not icehouse docs?22:46
cihhannotmyname: i think i gave the wrong one, i used icehouse documentation.22:46
notmynamecihhan: ok, just checking that there aren't special circumstances22:47
cihhannotmyname: btw, i think both are the same22:47
notmynamecihhan: did you get everything installed ok? your 2 questions seemed to be post-install questions22:47
*** pberis has quit IRC22:48
cihhannotmyname: one one VM, i have installed keystone and swift proxy and on 2 other VMs, i have installed storage (im using VMs bcs i can snapshot if i make some big mistake)22:48
*** pconstantine_ has quit IRC22:49
*** omame has quit IRC22:49
cihhannotmyname, do i need anything more?22:50
cihhannotmyname, based on the documentation, that should be all; right?22:50
notmynamecihhan: when you say you have installed "storage" what do you mean?22:52
notmynameon the 2 other VMs22:52
cihhannotmyname, i mean this part: http://docs.openstack.org/icehouse/install-guide/install/apt/content/installing-and-configuring-storage-nodes.html22:53
notmynamecihhan: cool22:53
notmynamecihhan: have you done any api requests to it? is it working?22:54
cihhanfrom proxy i can do 'swift list/upload/download', is that what you mean?22:55
notmynamecihhan: ya. or even `curl -i http://swift.whatever/healthcheck`22:56
cihhani havent checked curl -- let me try it now22:56
cihhanfor curl, on proxy, i m trying this 'curl -i http://PROXY_IP/healthcheck'22:58
cihhanbut it s waiting22:58
notmynamecihhan: did you configure ssl?22:59
cihhannotmyname, nope not yet22:59
notmynamecihhan: what port is it listening on?23:02
cihhanbased on proxy-server.conf, it is 808023:03
notmynamecihhan: then that's your issue above. do `curl -i http://swift:8080/healthcheck`23:04
cihhannotmyname, i think there is something wrong with my configuration. when i do 'netstat -a | grep swift', i dont get anything23:05
cihhannotmyname, is that usual?23:07
notmynamecihhan: are your swift processes running?23:08
cihhannotmyname, yes seems to be23:08
cihhanat least i can see swift-proxy in ps and swift list myfiles give me the right output23:09
notmynamedid you try the /healthcheck request to the right port?23:09
notmynameoh, ok. then you're good23:09
cihhannotmyname, i wonder if i did everything correctly since curl didnt work23:10
*** pconstantine has joined #openstack-swift23:10
*** nosnos has joined #openstack-swift23:10
notmynamecihhan: can you pastebin what you are seeing?23:11
notmynamewhat's the IP and port of your proxy server?23:11
cihhannotmyname, i cant share the IP since it would cause me headache, but let me pastebin the proxy-server.conf -- would that be enough?23:11
notmynamecihhan: not right now23:12
notmynamecihhan: if the swift CLI tool is giving you good output, then it works. I want to make sure the curl stuff works too (since that's the "real" API)23:12
*** omame has joined #openstack-swift23:14
notmynamecihhan: did you set up the envvars for the CLI?23:14
notmynameif so, then `swift stat -v` should also work23:15
cihhannotmyname, when i try 'curl -i http://swift.PROXY_IP_ADDRESS:8080/healthcheck', i get 'curl: (6) Could not resolve host: swift.PROXY_IP_ADDRESS'23:15
cihhannotmyname, yeah swift stat works23:15
cihhanbut im trying it on the proxy23:16
notmynamecihhan: are you using a hostname or the IP address. 'cause eg "swift.192.168.100.100" doesn't make any sense23:16
cihhanim using IP23:16
notmynameok, so don't put a subdomain in front of the IP23:16
cihhanin that case, it s just waiting forever23:17
notmynamedo you have the IP in an envvar? I'd like to be able to give you commands you can copy and paste without having to translate23:17
cihhani can write it in /etc/hosts and export as IP_ADDRESS if u wish23:17
notmynameI think you'd only do one of those things. not both23:18
cihhannotmyname, hang on23:18
cihhanon proxy, when i try 'curl -i proxy:8080/healthcheck' it worked fine23:19
cihhanby mistake i tried it on a client VM i created23:19
cihhanthat s why it took forever23:19
notmynameok23:19
cihhanbut on proxy it works fine23:19
notmynamecihhan: ok. now I think we can get to your questions :-)23:19
notmynamecihhan: first is about SSL, right?23:19
cihhannotmyname, i think before that i have another question: how can i connect using a client?23:20
cihhanby client, i mean another machine23:20
notmynamecihhan: didn't you just do that? curl and the swift cli are clients23:20
notmynamethat sounds like a routing issue in your setup. if you can ping the server from another box, you should be able to connect23:21
cihhannotmyname, as i mentioned, curl worked fine if i do it on the proxy. when i do it on the client vm (which is a vm without anything) it waits and says connection timed out23:21
notmynamecihhan: right. so can you ping the proxy from the client vm?23:21
cihhanyeah i can ping but somehow i cant ssh... there is something wrong with the routing as u mentioned i think23:22
cihhanlet me meanwhile check it23:22
cihhannotmyname, corrected -- it was a small configuration issue -- now it s working fine23:23
notmynameok, great23:24
cihhannotmyname, thanks a lot :)23:24
cihhannotmyname, now we can check SSL and multiple users? :)23:24
notmynamecihhan: ya. SSL is "easy"23:24
cihhannotmyname, fingers crossed and listening to u :)23:24
notmynameswift doesn't do ssl, so use an external tool to do that. it could be a load balancer (like haproxy), or a dedicated tool like stud or stunnel23:25
notmynamecihhan: this is how every production swift cluster does it. terminate the ssl external to the swift process and then forward the connection to swift (either on the same box or not)23:25
cihhannotmyname, hmmmm i saw some documents talking about ssl but they were not or at least i couldnt make them work :)23:26
cihhanok that makes sense.23:26
notmynamecihhan: any other questions around that?23:26
cihhanyes23:27
cihhani want to have multiple users if possible23:27
cihhancan i do that?23:27
cihhanim thinking like dropbox -- every user has a username and passwd23:27
notmynameof course.23:28
notmynamewhat auth system are you using?23:28
cihhankeystone23:28
notmyname(note that unless you are using other openstack components, there is no requirement in swift to use keystone)23:29
notmynamecihhan: then it's simply a matter of adding the users to keystone, identifying with keystone, and using the creds passed back23:30
cihhani have tried that but couldnt do it23:30
notmynamecihhan: and for that I'd point you to the keystone docs, since I don't know how to do that off the top of my head23:30
cihhanmaybe it was some misconf23:30
cihhanwhat do u suggest other than keystone?23:30
cihhanif keystone is not suggested in my case23:31
cihhani have installed keystone just for authentication services23:31
notmynamecihhan: are you using other openstack components or just swift?23:31
notmynamecihhan: and how are you integrating it in to your existing infrastructure?23:31
cihhanim using just swift23:32
cihhani have vmware vsphere for hypervisor and im creating VMs to install swift on them -- i dont have multiple physical machines but i have a server available23:32
notmynamecihhan: do you have requirements to integrate into any other identity system or is this a standalone service?23:32
notmynamehmm..../me isn't a fan of running swift on virtual machines23:33
cihhanthis is mainly for testing purpose -- maybe later i can move to the physical machines23:33
notmynamecihhan: if it's just for testing, then the simplest thing would be to use the included tempauth system23:34
notmynameassuming you won't have much churn in the users nor have a lot of them (where "a lot" ~= 50)23:34
cihhanwell i dont think that i will have 50 clients -- but in case of large number, what should i do?23:35
notmynamecihhan: again, depends if you need to integrate in to existing systems or not (eg AD or LDAP). if not, use something like swauth. if so, use something like swiftstack23:36
notmyname(disclosure, I work for swiftstack)23:36
notmynamecihhan: but for today, if you are looking at some kicking-the-tires sort of testing, then use the included tempauth23:39
cihhannotmyname, the truth is im a student and swift will be used for the research purpose mainly and i dont have expertise in it.23:39
cihhanwell at least for now :)23:39
notmynamecihhan: cool. what sort of research?23:39
cihhansecurity :)23:40
*** jogo has joined #openstack-swift23:41
cihhananyway, so i ll try tempauth first23:41
notmynamecihhan: that's a broad subject. what specifically are you looking at? are you looking at swift or just using swift to store data?23:41
jogoI got a question about your memcache client23:42
cihhandata storage security and we will use swift for the storage23:42
jogoany plans on spinning that out into a library as it would be a nice thing for other projects to use23:42
notmynamejogo: "plans" is such a strong word :-)23:42
cihhannotmyname, im not sure how much im supposed to say as a student without my advisor's approval, so im sort of trying to keep it abstract here23:43
notmynamejogo: it works for us, and we haven't heard a clamoring for it in other places, so I don't think it's at the top of anyone's todo list23:43
*** kevinc_ has quit IRC23:44
* jogo clamors 23:44
jogonotmyname: I ask because I was thinking we should make devstack closer to production -- and for production we (I) recommend using a real memcache server instead of oslos junk23:45
notmynamecihhan: that's ok. you should be able to set up tempauth by looking at the sample proxy config file. it's very well commented23:45
cihhannotmyname, thanks a lot for the suggestions and your help :)23:45
jogoso I noticed we already install memcached in devstack for swift and then I saw your nice memcache client23:45
jogowhich sounds really useful23:45
notmynamejogo: in general, we're probably not too opposed to putting it in an external library. but you'll get some pushback if "external library" comes with hooks to other things. that is, we're not going to like replacing a simple py module with something that adds a lot of dependencies. or any, actually23:47
jogonotmyname: no objections from me on that23:47
jogonotmyname: I just want to use it in nova/oslo23:47
notmynamejogo: "use it" is better than "include it in"23:48
notmyname:-)23:48
jogonotmyname: amen to that23:48
notmynamejogo: so I guess I'm trying to say, "yes that might be something we'd like" :-)23:49
notmynameor at least not be too opposed to23:49
notmynamecihhan: glad to see you coming by with questions. don't be afraid to ask23:49
*** openstackgerrit has quit IRC23:49
*** openstackgerrit has joined #openstack-swift23:50
cihhannotmyname, thanks a lot :)23:50
notmynamecihhan: np. glad to help23:50
zaitcevI'm having a problem with Devstack, apparently... http://logs.openstack.org/13/47713/16/check/check-swift-dsvm-functional/9b6998f/console.html23:50
*** csd has joined #openstack-swift23:53
