[openstack-dev] [keystone][devstack][rally][python-novaclient][magnum] switching to keystone v3 by default

Morgan Fainberg morgan.fainberg at gmail.com
Thu Dec 1 17:39:32 UTC 2016


On Dec 1, 2016 8:25 AM, "Andrey Kurilin" <akurilin at mirantis.com> wrote:
>
> As I replied on IRC, please do not mix two separate issues!
> Yes, we have several scenarios which do not support keystone v3 yet. It is an issue, but it is unrelated to the issue described in the first mail.
> We have a job which is configured with the proper IDENTITY_API_VERSION flag and should be launched against Keystone v2, but there is only keystone v3 and it is a real issue.
>
> On Thu, 1 Dec 2016 at 17:48, Lance Bragstad <lbragstad at gmail.com> wrote:
>>
>> FWIW - I'm seeing a common error in several of the rally failures [0] [1] [2] [3]. Dims also pointed out a few bugs in rally for keystone v3 support [4].
>>
>> I checked with the folks in #openstack-containers to see if they were experiencing any more fallout, but it looks like the magnum gate is under control [5]. We're currently in #openstack-keystone talking through options for the rally situation in case anyone feels like joining.
>>
>>
>> [0] http://logs.openstack.org/87/404887/4/check/gate-rally-dsvm-neutron-existing-users-rally/ff60a83/console.html#_2016-12-01_08_05_55_268772
>> [1] http://logs.openstack.org/43/405143/3/check/gate-rally-dsvm-neutron-existing-users-rally/3ee975b/console.html#_2016-12-01_08_39_02_618302
>> [2] http://logs.openstack.org/83/394583/26/check/gate-rally-dsvm-cli/af28c0f/console.html#_2016-12-01_14_09_19_584427
>> [3] http://logs.openstack.org/83/394583/26/check/gate-rally-dsvm-neutron-existing-users-rally/26cd009/console.html#_2016-12-01_14_15_17_147016
>> [4] https://bugs.launchpad.net/rally?field.searchtext=keystone+v3
>> [5] http://eavesdrop.openstack.org/irclogs/%23openstack-containers/%23openstack-containers.2016-12-01.log.html#t2016-12-01T14:57:00
>>
>> On Thu, Dec 1, 2016 at 6:39 AM, Spyros Trigazis <strigazi at gmail.com> wrote:
>>>
>>> I think for magnum we are OK.
>>>
>>> This job [1] finished using keystone v3 [2]
>>>
>>> Spyros
>>>
>>> [1] http://logs.openstack.org/93/400593/9/check/gate-functional-dsvm-magnum-api/93e8c14/
>>> [2] http://logs.openstack.org/93/400593/9/check/gate-functional-dsvm-magnum-api/93e8c14/logs/devstacklog.txt.gz#_2016-12-01_11_32_58_033
>>>
>>> On 1 December 2016 at 12:26, Davanum Srinivas <davanum at gmail.com> wrote:
>>>>
>>>> It has taken years to get here with a lot of work from many folks.
>>>>
>>>> -1 for Any revert!
>>>>
>>>> https://etherpad.openstack.org/p/v3-only-devstack
>>>> http://markmail.org/message/aqq7itdom36omnf6
>>>> https://review.openstack.org/#/q/status:merged+project:openstack-dev/devstack+branch:master+topic:bp/keystonev3
>>>>
>>>> Thanks,
>>>> Dims
>>>>
>>>> On Thu, Dec 1, 2016 at 5:38 AM, Andrey Kurilin <akurilin at mirantis.com> wrote:
>>>> > Hi folks!
>>>> >
>>>> > Today the devstack team decided to switch to keystone v3 by default [0].
>>>> > IMO, it is an important thing, but it was done silently, so other projects were
>>>> > unable to prepare for that change. Also, the proposed way to select the Keystone API
>>>> > version via devstack configuration doesn't work (the IDENTITY_API_VERSION
>>>> > variable doesn't work [1]).
>>>> >
>>>> > Switching to keystone v3 broke at least the Rally and Magnum (based on a comment on
>>>> > [0]) gates. Also, python-novaclient has two separate jobs for checking
>>>> > compatibility with keystone V2 and V3. One of these jobs became redundant.
>>>> >
>>>> > That is why I submitted a revert [2].
>>>> >
>>>> > PS: Please do not make such changes silently!
>>>> >
>>>> > [0] - https://review.openstack.org/#/c/386183
>>>> > [1] - https://github.com/openstack-infra/project-config/blob/master/jenkins/jobs/rally.yaml#L70-L74
>>>> > [2] - https://review.openstack.org/405264
>>>> >
>>>> > --
>>>> > Best regards,
>>>> > Andrey Kurilin.
>>>> >
>>>> > __________________________________________________________________________
>>>> > OpenStack Development Mailing List (not for usage questions)
>>>> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> Davanum Srinivas :: https://twitter.com/dims

This has been a long-running set of changes that has been in the works for
a long, long, long time. We have tried this before and have made a number
of changes needed for this. I agree there should have been at least one
more email announcement that this is occurring; I am a big -1 on revert. We
need to be at v3 only this cycle.

V2 is inherently insecure compared to v3. I apologize for the headache, but
I am going to ask politely that we/rally-team work on correcting the
scenario instead of reverting the change. This only improves OpenStack at
this point.

Thanks for understanding.
--Morgan