[openstack-dev] [keystone][devstack][rally][python-novaclient][magnum] switching to keystone v3 by default

Andrey Kurilin akurilin at mirantis.com
Thu Dec 1 18:13:16 UTC 2016


On Thu, Dec 1, 2016 at 7:39 PM, Morgan Fainberg <morgan.fainberg at gmail.com> wrote:

> On Dec 1, 2016 8:25 AM, "Andrey Kurilin" <akurilin at mirantis.com> wrote:
> >
> > As I replied on IRC, please do not mix two separate issues!
> > Yes, we have several scenarios which do not support keystone v3 yet. It is an issue, but it is unrelated to the issue described in the first mail.
> > We have a job which is configured with the proper IDENTITY_API_VERSION flag and should be launched against Keystone v2, but there is only keystone v3, and it is a real issue.
> >
> > On Thu, 1 Dec 2016 at 17:48, Lance Bragstad <lbragstad at gmail.com> wrote:
> >>
> >> FWIW - I'm seeing a common error in several of the rally failures [0] [1] [2] [3]. Dims also pointed out a few bugs in rally for keystone v3 support [4].
> >>
> >> I checked with the folks in #openstack-containers to see if they were experiencing any more fallout, but it looks like the magnum gate is under control [5]. We're currently in #openstack-keystone talking through options for the rally situation in case anyone feels like joining.
> >>
> >>
> >> [0] http://logs.openstack.org/87/404887/4/check/gate-rally-dsvm-neutron-existing-users-rally/ff60a83/console.html#_2016-12-01_08_05_55_268772
> >> [1] http://logs.openstack.org/43/405143/3/check/gate-rally-dsvm-neutron-existing-users-rally/3ee975b/console.html#_2016-12-01_08_39_02_618302
> >> [2] http://logs.openstack.org/83/394583/26/check/gate-rally-dsvm-cli/af28c0f/console.html#_2016-12-01_14_09_19_584427
> >> [3] http://logs.openstack.org/83/394583/26/check/gate-rally-dsvm-neutron-existing-users-rally/26cd009/console.html#_2016-12-01_14_15_17_147016
> >> [4] https://bugs.launchpad.net/rally?field.searchtext=keystone+v3
> >> [5] http://eavesdrop.openstack.org/irclogs/%23openstack-containers/%23openstack-containers.2016-12-01.log.html#t2016-12-01T14:57:00
> >>
> >> On Thu, Dec 1, 2016 at 6:39 AM, Spyros Trigazis <strigazi at gmail.com> wrote:
> >>>
> >>> I think for magnum we are OK.
> >>>
> >>> This job [1] finished using keystone v3 [2]
> >>>
> >>> Spyros
> >>>
> >>> [1] http://logs.openstack.org/93/400593/9/check/gate-functional-dsvm-magnum-api/93e8c14/
> >>> [2] http://logs.openstack.org/93/400593/9/check/gate-functional-dsvm-magnum-api/93e8c14/logs/devstacklog.txt.gz#_2016-12-01_11_32_58_033
> >>>
> >>> On 1 December 2016 at 12:26, Davanum Srinivas <davanum at gmail.com> wrote:
> >>>>
> >>>> It has taken years to get here with a lot of work from many folks.
> >>>>
> >>>> -1 for Any revert!
> >>>>
> >>>> https://etherpad.openstack.org/p/v3-only-devstack
> >>>> http://markmail.org/message/aqq7itdom36omnf6
> >>>> https://review.openstack.org/#/q/status:merged+project:openstack-dev/devstack+branch:master+topic:bp/keystonev3
> >>>>
> >>>> Thanks,
> >>>> Dims
> >>>>
> >>>> On Thu, Dec 1, 2016 at 5:38 AM, Andrey Kurilin <akurilin at mirantis.com> wrote:
> >>>> > Hi folks!
> >>>> >
> >>>> > Today the devstack team decided to switch to keystone v3 by default [0].
> >>>> > IMO, it is an important thing, but it was done silently, so other projects were
> >>>> > unable to prepare for that change. Also, the proposed way to select the Keystone API
> >>>> > version via devstack configuration doesn't work (the IDENTITY_API_VERSION
> >>>> > variable doesn't work [1]).
> >>>> >
> >>>> > Switching to keystone v3 broke at least the Rally and Magnum (based on a comment on
> >>>> > [0]) gates. Also, python-novaclient has two separate jobs for checking
> >>>> > compatibility with keystone V2 and V3. One of these jobs became redundant.
> >>>> >
> >>>> > That is why I submitted a revert [2].
> >>>> >
> >>>> > PS: Please do not make such changes silently!
> >>>> >
> >>>> > [0] - https://review.openstack.org/#/c/386183
> >>>> > [1] - https://github.com/openstack-infra/project-config/blob/master/jenkins/jobs/rally.yaml#L70-L74
> >>>> > [2] - https://review.openstack.org/405264
> >>>> >
> >>>> > --
> >>>> > Best regards,
> >>>> > Andrey Kurilin.
> >>>> >
> >>>> > __________________________________________________________________________
> >>>> > OpenStack Development Mailing List (not for usage questions)
> >>>> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>> >
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Davanum Srinivas :: https://twitter.com/dims
>
> This has been a long running set of changes that has been in the works for
> a long, long, long time. We have tried this before and have made a number
> of changes needed for this. I agree there should have been at least one
> more email announcement that this is occurring, I am a big -1 on revert. We
> need to be at v3 only this cycle.
>
I agree that moving to keystone v3 is an important thing for the whole of OpenStack,
and as I said in IRC, I have a patch for porting all "keystone v2 only"
scenarios to support v3 as well, but it doesn't relate to the subject of my
mail.

> V2 is inherently insecure compared to v3. I apologize for the headache,
> but I am going to ask politely that we/rally-team work on correcting the
> scenario instead of reverting the change. This only improves OpenStack at
> this point.
>
> work on correcting the scenario
:( I do not know how many times I should repeat this, but I'll do it one more
time: the problem is not in our scenarios. We have a job for checking
keystone V2. This is only one job which has "keystone v2 only" scenarios,
and it started failing since the "IDENTITY_API_VERSION" variable of the job doesn't
do what it should do (set up keystone v2).

Thanks to Boris B. (aka breton) we have a possible fix -
https://review.openstack.org/#/c/405536

> Thanks for understanding.
> --Morgan


-- 
Best regards,
Andrey Kurilin.