Re: [openstack-dev] [trove][all][tc] A proposal to rearchitect Trove

Amrith, Some good thoughts in your email. I've replied to a few specific pieces below. Overall I think it's a good start to a plan. On Sun, Jun 18, 2017 at 5:35 AM, Amrith Kumar wrote: > Trove has evolved rapidly over the past several years, since integration > in

Re: [openstack-dev] [keystone] Colleen Murphy for core

Congrats Colleen! On Tue, May 2, 2017 at 12:39 PM, De Rose, Ronald wrote: > Congrat Colleen, well deserved! > > > > -Ron > > > > *From:* Lance Bragstad [mailto:lbrags...@gmail.com] > *Sent:* Tuesday, May 2, 2017 11:16 AM > *To:* OpenStack Development Mailing List (not

[openstack-dev] [puppet] stepping down from puppet-openstack core

I am stepping down as core in the puppet openstack project. This is the culmination of a long and slow refocus of my work efforts into other areas. Additionally I'm not sure what the future holds for me at this point, and although it's possible that I will be doing puppet again but it's not fair

Re: [openstack-dev] [kolla][keystone] better way to rotate and distribution keystone fernet keys in container env

I don't think it would cause an issue if every controller rotated all at once. The issues are more along the lines of rotating to key C when there are tokens out there that are encrypted with keys A and B. In other words over-rotation. As long as your keys are properly staged, do the rotation all

Re: [openstack-dev] [keystone]PKI token VS Fernet token

On Fri, Feb 24, 2017 at 9:09 PM, joehuang wrote: > Hello, Matt, > > Thank you for your reply, just as what you mentioned, for the slow changed > data, aync. replication should work. My concerns is that the impact of > replication delay, for example (though it's quite low

Re: [openstack-dev] [keystone]PKI token VS Fernet token

> > > At last, we still have one question: > For public cloud, it is very common that multi regions are deployed. And > the distance is usually very far between the regions. So the transport > delay is really a problem. Fernet token requires the data must be the same. > Because of the slow

Re: [Openstack-operators] Sharing fernet tokens

://www.mattfischer.com/blog/?p=648 https://www.youtube.com/watch?v=702SRZHdNW8 On Wed, Feb 8, 2017 at 8:14 AM, Matt Fischer <m...@mattfischer.com> wrote: > I think that you just replied to me directly. But you are asking about > sharing keys. > > Since keys do not need to be in

Re: [Openstack-operators] Sharing fernet tokens

which simplifies the problem for you. On Tue, Feb 7, 2017 at 9:25 PM, Matt Fischer <m...@mattfischer.com> wrote: > Do you mean sharing tokens or keys? > > On Feb 7, 2017 11:34 AM, "Ignazio Cassano" <ignaziocass...@gmail.com> > wrote: > >> Hi everybody,

Re: [Openstack-operators] Sharing fernet tokens

Do you mean sharing tokens or keys? On Feb 7, 2017 11:34 AM, "Ignazio Cassano" wrote: > Hi everybody, > Can anyone talk me about Sebring fernet tokens in an openstack with more > than one controller? > Regards > Ignazio > > > >

Re: [openstack-dev] [puppet] Thank you.

Cody, Thank you for your contributions over the years. On Fri, Jan 20, 2017 at 12:29 PM, Cody Herriges wrote: > I attempted to send this out last week but think I messed it up by sending > from my work email address which isn't the one I am signed up to the lists > with.

Re: [Openstack-operators] OsOps Reboot

Will there be enough of us at the PTG for an impromptu session there as well? On Mon, Jan 23, 2017 at 9:18 AM, Mike Dorman wrote: > +1! Thanks for driving this. > > > > > > *From: *Edgar Magana > *Date: *Friday, January 20, 2017 at 1:23 PM > *To:

Re: [openstack-dev] [Trove] Resource not found when creating db instances.

Trove works fine with neutron. I would look deeper into your logs. Do you have any errors about issues with Rabbit message timeouts? If so your guest may have issues talking to Rabbit. That seems to be a common issue. On Wed, Jan 18, 2017 at 8:59 PM, Amrith Kumar wrote:

Re: [Openstack-operators] What would you like in Pike?

Another +1 for mult-attach please. On Mon, Jan 16, 2017 at 6:09 AM, Amrith Kumar wrote: > I echo this sentiment; attaching a single Cinder volume or a group of > volumes in a consistency group to multiple instances would be something I’d > like to see in Pike. > > > >

Re: [Openstack-operators] RabbitMQ 3.6.x experience?

On Tue, Jan 10, 2017 at 4:08 PM, Sam Morrison wrote: > > > On 10 Jan 2017, at 11:04 pm, Tomáš Vondra wrote: > > > > The version is 3.6.2, but the issue that I believe is relevant is still > not fixed: > >

Re: [Openstack-operators] RabbitMQ 3.6.x experience?

MIke, I did a bunch of research and experiments on this last fall. We are running Rabbit 3.5.6 on our main cluster and 3.6.5 on our Trove cluster which has significantly less load (and criticality). We were going to upgrade to 3.6.5 everywhere but in the end decided not to, mainly because there

Re: [Openstack-operators] [nova] Live migration performance tests on 100 compute nodes

On Wed, Dec 28, 2016 at 6:11 AM, Koniszewski, Pawel < pawel.koniszew...@intel.com> wrote: > Hello everyone, > > We made a research to see how live migration performance varies between > different configurations, especially we aimed to test tunneled vs > non-tunneled live migrations. To test live

Re: [openstack-dev] [keystone] Custom ProjectID upon creation

> > > > I'm surprised any AD administrator let Keystone write to it. I've always > hear the inverse that AD admins never would allow keystone to write to it, > therefore it was never used for Projects or Assignments. Users were > likewise read-only when AD was involved. > > I have seen normal LDAP

Re: [openstack-dev] [keystone] Pike PTL

Steve, Your tenure as PTL was excellent for the continued stability and performance of Keystone. You did a great job in taking feedback from operators also. Thanks for your work! On Nov 22, 2016 2:06 PM, "De Rose, Ronald" wrote: > Thank you Steve, we’ve been lucky to

[Openstack-operators] feedback on pymysql

As a part of our upgrades to Newton we are transitioning our services to use pymysql rather than the deprecated MySQL-Python [1]. I believe pymsql has been the default in devstack and the gate for sometime now and that MySQL-Python is essentially untested and not updated, hence our desire to

Re: [Openstack-operators] Properties missing in Nova Scheduler Filter

RZ2', 'config_options': {}} > > So there seems no request_spec present. There's an attribute "image" > within spec_obj that has an attribute properties of the type ImageMetaProps > that has all the vmware related properties that are defined the same way > then our properti

Re: [Openstack-operators] [puppet] openstack provider errors with openrc and keystone v3

There is a known issue where some providers fail when you have an openrc sourced. I remember it being glance that failed. Bug #1524599 On Nov 11, 2016 4:15 AM, "Justin Cattle" wrote: > There was two problems here! > > The puppet libs in use were coming from the wrong environment

Re: [Openstack-operators] Properties missing in Nova Scheduler Filter

Mario, If I remember right I had a similar issue with getting image_props when I was doing this to pull in custom properties. Through some trial and error and poking around with pdb I ended up with this: image_props = spec_obj.get('request_spec', {}).\ get('image',

Re: [openstack-dev] [Openstack-operators] [keystone][tripleo][ansible][puppet][all] changing default token format

How to add yourself to Planet OpenStack: https://wiki.openstack.org/wiki/AddingYourBlog As for SuperUser you could reach out to them if you think it's interesting for users/operators. Generally they'll want to publish it there first then you follow-up with your blog post a few days later. On

Re: [Openstack-operators] [openstack-dev] [keystone][tripleo][ansible][puppet][all] changing default token format

How to add yourself to Planet OpenStack: https://wiki.openstack.org/wiki/AddingYourBlog As for SuperUser you could reach out to them if you think it's interesting for users/operators. Generally they'll want to publish it there first then you follow-up with your blog post a few days later. On

Re: [Openstack-operators] Ceilometer/oslo.messaging connect to multiple RMQ endpoints

Unless this has drastically changed I thought the multiple entries was sort of like a "pick one" scenario rather than a "connect to all of them". You specify all the nodes in case one or more is down. I don't think it can be used to talk to multiple rabbit clusters. On Thu, Nov 3, 2016 at 5:28

Re: [Openstack-operators] [Nova][icehouse]Any way to rotating log by size

On Wed, Oct 19, 2016 at 10:22 AM, Sean M. Collins wrote: > Zhang, Peng wrote: > > [logger_root] > > level = DEBUG > > > So, you're setting the logging to level to DEBUG - if I understand > correctly. In a production environment that is going to fill up your > disks very

Re: [Openstack-operators] How do you even test for that?

This does not cover all your issues but after seeing mysql bugs between I and J and also J to K we now export and restore production control plane data into a dev environment to test the upgrades. If we have issues we destroy this environment and run it again. For longer running instances that's

Re: [Openstack-operators] Custom VM FQDNs and DNS integration

The last time I tried this, which was probably 18 months ago to be fair, there is no way for the VM to get it's own tenant name. You could pass it in with cloud-init if you want but its not in the metadata that I recall. For Designate however I don't know why you'd want this. You want the format

Re: [Openstack-operators] Murano in Production

Other that #1 that's exactly the same design we used for Trove. Glad to see someone else using it too for validation. Thanks. On Sep 22, 2016 11:39 PM, "Serg Melikyan" wrote: > Hi Joe, > > I can share some details on how murano is configured as part of the > default

Re: [Openstack-operators] Auto start running Nova Instances after reboot

On Mon, Sep 19, 2016 at 7:29 AM, Tobias Urdin wrote: > Hello, > > On your compute nodes in nova.conf > > [DEFAULT] > > resume_guests_state_on_host_boot = True > > > All instances that had a running state when the reboot occured will be > started again. > > Best regards

Re: [Openstack-operators] Murano in Production

+1 This was our concern also with Trove. If a tenant DoSes Trove we probably don't all get fired. The rest of rabbit is just too important to risk sharing. On Sun, Sep 18, 2016 at 6:53 PM, Sam Morrison wrote: > We run completely separate clusters. I’m sure vhosts give you

Re: [openstack-dev] [puppet] Core nominations

+1 to all. Thanks for your work guys! On Thu, Sep 15, 2016 at 6:59 AM, Emilien Macchi wrote: > While our group keeps moving, it's time to propose again new people > part of core team. > > Dmitry Tantsur / puppet-ironic > Dmitry is the guardian of puppet-ironic. He's driving

Re: [openstack-dev] [puppet] Puppet OpenStack PTL non-candidacy

On Fri, Sep 9, 2016 at 10:05 AM, Emilien Macchi wrote: > Hi, > > I wrote a little blog post about the last cycle in PuppetOpenStack: > http://my1.fr/blog/puppet-openstack-achievements-during-newton-cycle/ > > I can't describe how much I liked to be PTL during the last 18

Re: [openstack-dev] [keystone][nova][neutron][all] Rolling upgrades: database triggers and oslo.versionedobjects

On Thu, Aug 25, 2016 at 1:13 PM, Steve Martinelli wrote: > The keystone team is pursuing a trigger-based approach to support rolling, > zero-downtime upgrades. The proposed operator experience is documented here: > >

Re: [Openstack-operators] Keystone upgrade issues

Jonathan, Are you using caching for tokens (not the middleware cache but keystone cache)? There's a bug in the caching so that when it tries to read the cache and unpack the token its missing some fields. It's been fixed and backported but may not be in your packages:

Re: [Openstack-operators] [oslo] RabbitMQ queue TTL issues moving to Liberty

Has anyone had any luck improving the statsdb issue by upgrading rabbit to 3.6.3 or newer? We're at 3.5.6 now and 3.6.2 has parallelized stats processing, then 3.6.3 has additional memory leak fixes for it. What we've been seeing is that we occasionally get slow & steady climbs of rabbit memory

Re: [Openstack-operators] Mid-Cycle Meetup, NYC, August 25th, call for additional working group sessions

ion. Would it be possible >> to advance it to the morning (pre-lunch) on Friday, or Thursday please. >> >> >> >> Thanks, >> >> >> >> -amrith >> >> >> >> *From:* Chris Morgan [mailto:mihali...@gmail.com] >> *Sent:* Tues

Re: [openstack-dev] [puppet] proposal: start gating on puppet4

+1 from me also. This will help everyone who is trying to transition to it. On Wed, Aug 10, 2016 at 1:46 AM, Javier Pena wrote: > > > - Original Message - > > Hi, > > > > Today Puppet OpenStack CI is running unit and functional test jobs > > against puppet 3 and

Re: [Openstack-operators] Mid-Cycle Meetup, NYC, August 25th, call for additional working group sessions

I didn't see any plus ones on my idea for the db cleanup session so if we need to drop it to fit something that works for me. On Aug 9, 2016 12:29 PM, "Chris Morgan" wrote: > WG6, day one? That's 40 minutes. Would run alongside Large Deployment. > Currently that has the

Re: [Openstack-operators] External access to OpenStack services

I'd say that operators running Glance, which is probably almost everyone, just put a public glance endpoint in the catalog. Maybe there's some special cases beyond that but that's the base design. On Jul 30, 2016 6:22 PM, "Serguei Bezverkhi (sbezverk)" wrote: > Hi Joseph, >

Re: [openstack-dev] [puppet] Propose Sofer Athlan-Guyot (chem) part of Puppet OpenStack core

+1 from me! On Jul 28, 2016 9:20 AM, "Emilien Macchi" wrote: > You might not know who Sofer is but he's actually "chem" on IRC. > He's the guy who will find the root cause of insane bugs, in OpenStack > in general but also in Puppet OpenStack modules. > Sofer has been

Re: [Openstack-operators] Ops MidCycle Registration

I’ve paid that too. > > > > -amrith > > > > *From:* Matt Fischer [mailto:m...@mattfischer.com] > *Sent:* Thursday, July 14, 2016 6:26 PM > *To:* Erin Disney <e...@openstack.org> > *Cc:* openstack-operators@lists.openstack.org > *Subject:* Re: [Openstack-operators] O

Re: [Openstack-operators] Ops MidCycle Registration

Thanks Erin. I did this just now and it charged me $22.09. Not a big deal, but what's the extra? Taxes? On Jul 14, 2016 3:43 PM, "Erin Disney" wrote: > All- > > Thank you for your patience as we finalized details for the Ops MidCycle > in New York this August. If you plan to

Re: [Openstack-operators] Next Ops Midcycle NYC August 25-26

That's my comment I spoke to Mark V about it this morning and he's working on it already, so you may want to coordinate with him. On Thu, Jul 7, 2016 at 11:20 AM, Amrith Kumar wrote: > I see a comment in https://etherpad.openstack.org/p/NYC-ops-meetup about > “OpenStack East

Re: [openstack-dev] [Openstack-operators] [puppet] [desginate] An update on the state of puppet-designate (and designate in RDO)

We're using Designate but still on Juno. We're running puppet from around then, summer of 2015. We'll likely try to upgrade to Mitaka at some point but Juno Designate "just works" so it's been low priority. Look forward to your efforts here. On Tue, Jul 5, 2016 at 7:47 PM, David Moreau Simard

Re: [Openstack-operators] [puppet] [desginate] An update on the state of puppet-designate (and designate in RDO)

We're using Designate but still on Juno. We're running puppet from around then, summer of 2015. We'll likely try to upgrade to Mitaka at some point but Juno Designate "just works" so it's been low priority. Look forward to your efforts here. On Tue, Jul 5, 2016 at 7:47 PM, David Moreau Simard

Re: [openstack-dev] [Openstack-operators] [nova] Rabbit-mq 3.4 crashing (anyone else seen this?)

For the record we're on 3.5.6-1. On Jul 5, 2016 11:27 AM, "Mike Lowe" wrote: > I was having just this problem last week. We updated to 3.6.2 from 3.5.4 > on ubuntu and stated seeing crashes due to excessive memory usage. I did > this on each node of my rabbit cluster and haven’t

Re: [openstack-dev] [Openstack-operators] [nova] Rabbit-mq 3.4 crashing (anyone else seen this?)

Yes! This happens often but I'd not call it a crash, just the mgmt db gets behind then eats all the memory. We've started monitoring it and have runbooks on how to bounce just the mgmt db. Here are my notes on that: restart rabbitmq mgmt server - this seems to clear the memory usage. rabbitmqctl

Re: [Openstack-operators] [nova] Rabbit-mq 3.4 crashing (anyone else seen this?)

Yes! This happens often but I'd not call it a crash, just the mgmt db gets behind then eats all the memory. We've started monitoring it and have runbooks on how to bounce just the mgmt db. Here are my notes on that: restart rabbitmq mgmt server - this seems to clear the memory usage. rabbitmqctl

Re: [Openstack-operators] Bandwidth limitations

f the QOS policies in Openstack, > however I'd like them to be applied automatically. Using predefined flavors > as described by Matt Fischer above seems like a good approach, are there > any solutions for non-predefined flavors? > > > - Original message - > From:

Re: [Openstack-operators] Bandwidth limitations

We've been using this for some time now (since at least Kilo). We set them per flavor not per instance. https://wiki.openstack.org/wiki/InstanceResourceQuota Bandwidth limits Nova Extra Specs keys: - vif_inbound_average - vif_outbound_average - vif_inbound_peak - vif_outbound_peak

Re: [openstack-dev] [cinder] [keystone] cinder quota behavior differences after Keystone mitaka upgrade

On Tue, Jun 28, 2016 at 12:32 PM, Potter, Nathaniel < nathaniel.pot...@intel.com> wrote: > Hi all, > > > > I did some digging into this on the cinder side, and it gets a little > complicated. So, before the target and context are passed into the > _authorize_show method, they’re retrieved through

Re: [openstack-dev] [cinder] [keystone] cinder quota behavior differences after Keystone mitaka upgrade

he hierarchy, by looking at the parent and > seeing if it is a project acting as a domain. > > Henry > keystone core > > On 27 Jun 2016, at 17:13, Matt Fischer <m...@mattfischer.com> wrote: > > We upgraded our dev environment last week to Keystone stable/mitaka. Since > then

[openstack-dev] [cinder] [keystone] cinder quota behavior differences after Keystone mitaka upgrade

We upgraded our dev environment last week to Keystone stable/mitaka. Since then we're unable to show or set quotas on projects of which the admin is not a member. Looking at the cinder code, it seems that cinder is pulling a project list and attempting to determine a hierarchy. On Liberty

[Openstack-operators] OpenStack Trove Ocata Virtual Midcycle

cross-posting per Amrith Kumar to operators: (note I'd recommend a reply to the openstack-dev thread or directly to amr...@tesora.com) After we discussed and announced this mid-cycle, there has been some feedback that (a) it would be better to hold the mid-cycle earlier, and (b) NYC was not the

Re: [Openstack-operators] Keystone's DB_SYNC from Kilo to Liberty

IIRC there are some debug/verbose flags you can pass in. Get anything from them? On Jun 23, 2016 5:37 AM, "Alvise Dorigo" wrote: > Hi, > I've a Kilo installation which I want to migrate to Liberty. > I've installed the Liberty Keystone's RPMs and configured the minimun

Re: [Openstack-operators] [Openstack-Operators] Keystone cache strategies

On Tue, Jun 21, 2016 at 7:04 PM, Sam Morrison <sorri...@gmail.com> wrote: > > On 22 Jun 2016, at 10:58 AM, Matt Fischer <m...@mattfischer.com> wrote: > > Have you setup token caching at the service level? Meaning a Memcache > cluster that glance, Nova etc would talk to

Re: [Openstack-operators] [Openstack-Operators] Keystone cache strategies

Have you setup token caching at the service level? Meaning a Memcache cluster that glance, Nova etc would talk to directly? That will really cut down the traffic. On Jun 21, 2016 5:55 PM, "Sam Morrison" <sorri...@gmail.com> wrote: > > On 22 Jun 2016, at 9:42 AM, Matt Fischer

Re: [Openstack-operators] [Openstack-Operators] Keystone cache strategies

On Tue, Jun 21, 2016 at 4:21 PM, Sam Morrison <sorri...@gmail.com> wrote: > > On 22 Jun 2016, at 1:45 AM, Matt Fischer <m...@mattfischer.com> wrote: > > I don't have a solution for you, but I will concur that adding revocations > kills performance especially as that t

Re: [openstack-dev] [puppet] vision on new modules

On Wed, Jun 8, 2016 at 2:42 PM, Emilien Macchi wrote: > Hi folks, > > Over the last months we've been creating more and more modules [1] [2] > and I would like to take the opportunity to continue some discussion > we had during the last Summits about the quality of our

Re: [openstack-dev] [keystone][all] Incorporating performance feedback into the review process

On Fri, Jun 3, 2016 at 1:35 PM, Lance Bragstad wrote: > Hey all, > > I have been curious about impact of providing performance feedback as part > of the review process. From what I understand, keystone used to have a > performance job that would run against proposed patches

Re: [Openstack-operators] Uptime and SLA's

We do this a few different ways, some of which may meet your needs. For API calls we measure a simple, quick, and impactless call for each service (like heat stack-list) and we monitor East from West and vice versa. The goal here is nothing added to the DBs, so nothing like neutron net-create.

Re: [openstack-dev] [puppet] proposal about puppet versions testing coverage

On Wed, May 25, 2016 at 1:09 PM, Emilien Macchi wrote: > Greating folks, > > In a recent poll [1], we asked to our community to tell which version > of Puppet they were running. > The motivation is to make sure our Puppet OpenStack CI test the right > things, that are really

Re: [openstack-dev] [puppet] Proposing Ivan Berezovskiy for puppet-openstack-core

+1 from me! On Thu, May 19, 2016 at 8:17 AM, Emilien Macchi wrote: > Hi, > > I don't need to introduce Ivan Berezovskiy (iberezovskiy on IRC), he's > been doing tremendous work in Puppet OpenStack over the last months, > in a regular way. > > Some highlights about his

Re: [openstack-dev] [all] Deprecated options in sample configs?

> > > If config sample files are being used as a living document then that would > be a reason to leave the deprecated options in there. In my experience as a > cloud deployer I never once used them in that manner so it didn't occur to > me that people might, hence my question to the list. > >

Re: [openstack-dev] [all] Deprecated options in sample configs?

On Tue, May 17, 2016 at 12:47 PM, Andrew Laski <and...@lascii.com> wrote: > > > > On Tue, May 17, 2016, at 02:36 PM, Matt Fischer wrote: > > On Tue, May 17, 2016 at 12:25 PM, Andrew Laski <and...@lascii.com> wrote: > > I was in a discussion earlier abo

Re: [openstack-dev] [all] Deprecated options in sample configs?

On Tue, May 17, 2016 at 12:25 PM, Andrew Laski wrote: > I was in a discussion earlier about discouraging deployers from using > deprecated options and the question came up about why we put deprecated > options into the sample files generated in the various projects. So, why >

Re: [Openstack-operators] Meeting summary, minutes, definition of 'users'

that's "openstack-private@some.random.domain" and > > nothing we're in control of, but I guess I'll find out when it > > bounces back to my reply. > > Aah, as Matt Fischer pointed out in IRC just now, it seems to be > forwarded through an outlook.com subscriber account befor

Re: [Openstack-operators] Meeting summary, minutes, definition of 'users'

It's a google group. The only clue I had was this in the headers: X-Auto-Response-Suppress: All X-MS-Exchange-Inbox-Rules-Loop: tgree...@outlook.com X-MS-TNEF-Correlator: I reached out to that person and no response. On Tue, May 17, 2016 at 10:42 AM, Jeremy Stanley wrote:

Re: [Openstack-operators] [glance] glance-registry deprecation: Request for feedback

On May 11, 2016 10:03 PM, "Flavio Percoco" wrote: > > Greetings, > > The Glance team is evaluating the needs and usefulness of the Glance Registry > service and this email is a request for feedback from the overall community > before the team moves forward with anything. > >

Re: [openstack-dev] [Openstack-operators] [glance] glance-registry deprecation: Request for feedback

On May 11, 2016 10:03 PM, "Flavio Percoco" wrote: > > Greetings, > > The Glance team is evaluating the needs and usefulness of the Glance Registry > service and this email is a request for feedback from the overall community > before the team moves forward with anything. > >

Re: [openstack-dev] [puppet] Stepping down from puppet core

On Tue, May 10, 2016 at 9:11 AM, Clayton O'Neill wrote: > I’d like to step down as a core reviewer for the OpenStack Puppet > modules. For the last cycle I’ve had very little time to spend > reviewing patches, and I don’t expect that to change in the next > cycle. In

Re: [openstack-dev] [keystone] Token providers and Fernet as the default

On Mon, May 2, 2016 at 5:26 PM, Clint Byrum wrote: > Hello! I enjoyed very much listening in on the default token provider > work session last week in Austin, so thanks everyone for participating > in that. I did not speak up then, because I wasn't really sure of this > idea

Re: [openstack-dev] [Keystone] State of Fernet Token deployment

On Mon, Apr 18, 2016 at 12:52 PM, Morgan Fainberg wrote: > > > On Mon, Apr 18, 2016 at 7:29 AM, Brant Knudson wrote: > >> >> >> On Fri, Apr 15, 2016 at 9:04 PM, Adam Young wrote: >> >>> We all want Fernet to be a reality. We ain't

Re: [openstack-dev] [puppet] Stepping down from puppet-openstack-core

On Mon, Apr 18, 2016 at 9:37 AM, Sebastien Badia wrote: > Hello here, > > I would like to ask to be removed from the core reviewers team on the > Puppet for OpenStack project. > > I lack dedicated time to contribute on my spare time to the project. And I > don't work anymore on

Re: [openstack-dev] [Keystone] State of Fernet Token deployment

Thanks Brant, I will missing that distinction. On Mon, Apr 18, 2016 at 9:43 AM, Brant Knudson <b...@acm.org> wrote: > > > On Mon, Apr 18, 2016 at 10:20 AM, Matt Fischer <m...@mattfischer.com> > wrote: > >> On Mon, Apr 18, 2016 at 8:29 AM, B

Re: [openstack-dev] [Keystone] State of Fernet Token deployment

On Fri, Apr 15, 2016 at 8:04 PM, Adam Young wrote: > We all want Fernet to be a reality. We ain't there yet (Except for mfish > who has no patience) but we are getting closer. The goal is to get Fernet > as the default token provider as soon as possible. The review to do

Re: [openstack-dev] [keystone]Liberty->Mitaka upgrade: is it possible without downtime?

On Thu, Apr 14, 2016 at 7:45 AM, Grasza, Grzegorz wrote: > > From: Gyorgy Szombathelyi > > > > Unknown column 'user.name' in 'field list' > > > > in some operation when the DB is already upgraded to Mitaka, but some > > keystone instances in a HA setup are still

Re: [openstack-dev] [keystone]Liberty->Mitaka upgrade: is it possible without downtime?

Unfortunately Keystone does not handle database upgrades like nova. and they do tend to be disruptive. I have not tried Liberty to mitaka myself, but have you tried to validate a token granted on a mitaka node against the liberty one? If you are lucky the other nodes will still be able to

Re: [openstack-dev] [keystone] Newton midycle planning

Would like to try and make it, no promises, so don't decide based on me, but, I'm with Adam: R-14 June 27-01 or R-11 July 18-22 work On Wed, Apr 13, 2016 at 8:19 PM, Adam Young wrote: > On 04/13/2016 10:07 PM, Morgan Fainberg wrote: > > It is that time again, the time to

Re: [openstack-dev] [keystone][performance][profiling] Profiling Mitaka Keystone: some results and asking for a help

On Mon, Apr 11, 2016 at 8:11 AM, Dina Belova wrote: > Hey, openstackers! > > Recently I was trying to profile Keystone (OpenStack Liberty vs Mitaka) > using this set of changes > > (that's

Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

Michael Xin | Manager, Security Engineering - US > Product Security |Rackspace Hosting > Office #: 501-7341 or 210-312-7341 > Mobile #: 210-284-8674 > 5000 Walzem Road, San Antonio, Tx 78218 > > -------

Re: [Openstack-operators] [nova] Removing seeded flavors

Another remove vote. The only people this may affect are people standing up test clouds or new to OpenStack. For those folks that use puppet, the puppet community will be adding a provider to setup flavors since it's a feature that's been missing. I'll add a vote for removal, given how varied

[openstack-dev] [puppet] puppet-trove remove templated guestagent.conf

Right now puppet-trove can configure guestagent.conf in two ways. First via config options in the guestagent class and second via a templated file that taskmanager.pp handles by default [1]. I'd like to drop this behavior, but it's not backwards compatible so would like to discuss. First the

Re: [Openstack-operators] [nova] RFEs: communication channel and process

On Mar 21, 2016 3:28 PM, "Tim Bell" wrote: > > On 21/03/16 17:24, "Markus Zoeller" wrote: > > >Hello dear ops, > > > >I'd like to make you aware of discussion [1] on the openstack-dev ML. > >I'm in the role of maintaining the bug list in Nova and was

Re: [Openstack-operators] [openstack-operators] Fernet key rotation

Fernet key rotation is easy. 1) You don't need a maintenance window 2) You can do one node at a time even with a long delay between 3) You don't need to restart anything We rotate approximately weekly. On Wed, Mar 16, 2016 at 3:44 PM, Ajay Kalambur (akalambu) < akala...@cisco.com> wrote: > Hi

Re: [openstack-dev] [all][zaqar][cloudkitty] Default ports list

On Thu, Mar 10, 2016 at 2:29 PM, Xav Paice wrote: > Remember that we're talking here about all the projects, not just > keystone. I can't see that we'll move everything to subpaths at any time > soon, and until that point we still need to at least make an informal >

Re: [openstack-dev] [all][zaqar][cloudkitty] Default ports list

This is not the first time. Monasca and Murano had a collision too[1]. When this happens the changes trickle down into automation tools also and complicates things. [1] https://bugs.launchpad.net/murano/+bug/1505785 On Wed, Mar 9, 2016 at 3:30 PM, Xav Paice wrote: > From an

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

On Wed, Mar 9, 2016 at 7:19 AM, Adam Young <ayo...@redhat.com> wrote: > On 03/09/2016 01:11 AM, Tim Bell wrote: > > > From: Matt Fischer < <m...@mattfischer.com>m...@mattfischer.com> > Reply-To: "OpenStack Development Mailing List (not for usage questions)&q

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

> > > I don't think your example is right: "PKI will validate that token > without going to any keystone server". How would it track revoked tokens? > I'm pretty sure that they still get validated, they are stored in the DB > even. > > I also disagree that there are different use cases. Just

Re: [openstack-dev] [keystone] [horizon] [qa] keystone versionless endpoints and v3

On Tue, Feb 23, 2016 at 8:49 PM, Jamie Lennox <jamielen...@gmail.com> wrote: > > > On 18 February 2016 at 10:50, Matt Fischer <m...@mattfischer.com> wrote: > >> I've been having some issues with keystone v3 and versionless endpoints >> and I'd like to

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

ith a keystone endpoint. I'm under the impression that > the different token formats have different use-cases, so am wondering if > there is a conceptual reason why multiple token formats are an either/or > scenario. > > > On 3/8/2016 8:06 AM, Matt Fischer wrote: > > T

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

This would be complicated to setup. How would the Openstack services validate the token? Which keystone node would they use? A better question is why would you want to do this? On Tue, Mar 8, 2016 at 8:45 AM, rezroo wrote: > Keystone supports both tokens and ec2

Re: [Openstack-operators] Liberty Identity install: keystone.service not being created in DB

I think you can ignore that no handlers message, it's not the issue. You should check /var/log/keystone/keystone-manage.Log to find the original issue. You can also run the dbsync with the verbose flag IIRC. On Mar 5, 2016 3:38 PM, "Christopher Hull" wrote: > > Hi all; > >

Re: [openstack-dev] [puppet] proposal to create puppet-neutron-core and add Sergey Kolekonov

+1 from me! gmail/openstack-dev is doing its thing where I see your email 4 hours before Emilien's original, so apologies for the reply ordering On Fri, Mar 4, 2016 at 8:49 AM, Cody Herriges wrote: > Emilien Macchi wrote: > > Hi, > > > > To scale-up our review process, we

Re: [Openstack-operators] Horizon bug fixed in Liberty, how should we ask a backport to Kilo ?

The backport is pretty easy. You click on Cherry pick and if there's no conflict it just works. Like so: https://review.openstack.org/#/c/287928/ It still needs to go through the review process so you will need to ping some horizon developers in IRC. Getting that packaged may take longer. On

Re: [openstack-dev] [puppet] how to run rspec tests? r10k issue

This worked great. Thanks for this and the upstream fix. On Fri, Feb 26, 2016 at 6:25 AM, Sofer Athlan-Guyot <sathl...@redhat.com> wrote: > Hi Matt, > > Matt Fischer <m...@mattfischer.com> writes: > > > I ended up symlinking the r10k binary I have insta

Re: [openstack-dev] [puppet] Austin Design Summit space needs

On Wed, Feb 24, 2016 at 8:30 AM, Emilien Macchi wrote: > Puppet OpenStack folks, > > As usual, Thierry Carrez sent an e-mail to PTLs about space needs for > the next OpenStack Summit in Austin. > > > We can have 3 kinds of slots: > > * Fishbowl slots (Wed-Thu) - we had 2 in

Re: [openstack-dev] [all] A proposal to separate the design summit

> > > * would it better to keep the ocata cycle at a more normal length, and > >then run the "contributor events" in Mar/Sept, as opposed to Feb/Aug? > >(again to avoid the August black hole) > > > > Late March is treacherous in the US, as spring break is generally around > the last week

Re: [openstack-dev] [all] A proposal to separate the design summit

On Mon, Feb 22, 2016 at 11:51 AM, Tim Bell wrote: > > > > > > On 22/02/16 17:27, "John Garbutt" wrote: > > >On 22 February 2016 at 15:31, Monty Taylor wrote: > >> On 02/22/2016 07:24 AM, Russell Bryant wrote: > >>> On Mon, Feb 22,

  1   2   3   >