/srv/irclogs.ubuntu.com/2011/07/27/#ubuntu-ensemble.txt

[00:13] <_mup_> ensemble/robust-hook-exit r290 committed by jim.baker@canonical.com
[00:13] <_mup_> Refactoring, doc strings, and better comments wrt review
[00:49] <_mup_> ensemble/debug-log-relation-settings-changes r274 committed by jim.baker@canonical.com
[00:49] <_mup_> Merged trunk
[07:30] <kim0> Morning all
[08:47] <jamespage> morning
[08:47] <jamespage> what do I need to do to get the jenkins and jenkins-slave formulas into principia? (see bug 793735)
[08:47] <_mup_> Bug #793735: import jenkins formula <new-formula> <Ensemble Formulas:In Progress> < https://launchpad.net/bugs/793735 >
[08:52] <jamespage> SpamapS: still around?
[08:59] <SpamapS> jamespage: insomnia seems to have caught me tonight. whats up?
[09:00] <jamespage> SpamapS: hey - I wanted to move forwards with the jenkins* formulas - wondered what needed to be done to get them accepted into principia?
[09:01] <SpamapS> Ok, I went ahead and approved you for ensemble-composers
[09:01] <SpamapS> bzr push lp:principia/jenkins will work.. but bzr push lp:principia/jenkins-slave will run into the dreaded "no package exists" ug..
[09:03] <jamespage> SpamapS: thanks - I fake something in a PPA to work around that :-)
[09:03] <jamespage> cheers
[09:03] <SpamapS> sweeeet
=== daker_ is now known as daker
[09:32] <jamespage> SpamapS: both branches now pushed...
[09:32] <SpamapS> jamespage: fantastic
[09:33] <jamespage> I'll prob do some further work on them when jenkins lands in Oneiric
[09:33] <SpamapS> I saw that you are just blocked on NEW! :)
[09:34] <jamespage> yep
[09:34] <jamespage> 6 packages pending and then its in
[09:51] <adam_g> SpamapS: any specific reason why default_storage_engine is set to innodb on install of mysql via the formula?
[09:52] <SpamapS> adam_g: because MyISAM is a piece of S*** that should die an unholy death. :)
[09:52] <SpamapS> Err, I'll rephrase in a positive light
[09:53] <SpamapS> Because every time an alter table converts to InnoDB from MyISAM, an angel gets his wings.
[09:53] <adam_g> hehe
[09:54] <adam_g> wondering if it might be better to install defaults via install hooks, and let users tweak via their formula configs
[09:57] <SpamapS> Yeah its probably a good idea to just make it the default
[09:57] <SpamapS> I did it at first when I was doing the master/slave stuff to make the snapshot simpler.
[09:58] <adam_g> ah
[10:00] <SpamapS> wtf are you doing awake?
[10:00] * SpamapS should be sleeping too.. :-P
[13:18] <niemeyer> Good morning all
[13:21] <wrtp> hiya
[13:21] <niemeyer> wrtp: Hey!
[13:24] <wrtp> niemeyer: i was looking at laptops to run ubuntu on. any good recommendations?
[13:24] <wrtp> (i saw the canonical recommended laptop list)
[13:25] <niemeyer> wrtp: I like the thinkpad series, and it's fairly common within Canonical
[13:25] <wrtp> i've still got an old thinkpad which i really liked
[13:25] <niemeyer> wrtp: Got the T410 at the moment
[13:25] <wrtp> (T21 possibly)
[13:25] <wrtp> do they still have three mouse buttons and a nipple?
[13:26] <niemeyer> wrtp: That's the second one.. my last one lasted 4+ years
[13:26] <wrtp> mine *should* be still working except the display went dodgy
[13:26] <niemeyer> wrtp: The model I use have both the nipple and the trackpad
[13:26] <niemeyer> wrtp: I tend to pop the nipple out
[13:26] <wrtp> which is a pity. i ran plan 9 on it for years.
[13:26] <niemeyer> (context is everything! ;-)
[13:27] <wrtp> i like the nipple much better than the trackpad. good for chording.
[13:27] <wrtp> :-)
[13:27] <wrtp> i liked the fact that the display was 1400x1200
[13:27] <wrtp> but i doubt i'd get one similar now
[13:28] <niemeyer> Yeah, they're pretty good laptops overall
[13:28] <wrtp> battery life?
[13:28] <niemeyer> wrtp: I'm pretty sure they still exist
[13:28] <niemeyer> wrtp: Long.. still get 5h+ nowadays
[13:28] <niemeyer> wrtp: Got an SSD as well
[13:28] <wrtp> not bad. and what about the X series? are they much smaller?
[13:29] <wrtp> SSD only? or SSD + hard drive?
[13:31] <niemeyer> wrtp: SSD only
[13:31] <niemeyer> wrtp: They are generally smaller, IIRC
[13:31] <wrtp> i bet that makes things fast.
[13:31] <niemeyer> wrtp: Like 13" or less
[13:31] <niemeyer> wrtp: It does.. boot times are unbelievable nowadays
[13:31] <wrtp> ok. i think T series it is
[14:00] <jcastro> wrtp: the T410's and 420's seems to be popular at Canonical
[14:04] <wrtp> jcastro: thanks. BTW what's the difference between T410 and T420? the lenovo web site does not seem to want to talk about the T410
[14:07] <jcastro> wrtp: the 420 replaces the 410
[14:07] <wrtp> oh, that's easy then :-)
[14:10] <wrtp> i can't believe that displays have got *smaller* since i last bought a thinkpad in 2003!
[14:14] <kim0> SpamapS: hmm we're being compared to cloudformations .. http://cloud.ubuntu.com/2011/06/so-what-is-ensemble-anyway/#comment-1635
[14:15] <kim0> I think cloudformations only launches a collection of machines and that's it .. it doesn't really manage them afterwards ?!
[14:26] <jcastro> wrtp: they make "s" series with higher res screens, they are hard to find and more expensive, search for 410s and 420s.
[14:26] <jcastro> kim0: wow, some of the comments in that article, heh
[14:39] <niemeyer> wrtp: Yeah, I'm not a big fan of the widescreen laptops either..
[14:40] <niemeyer> wrtp: But I guess everyone else has won. ;-)
[14:40] <hallyn> niemeyer: :(
[14:41] <wrtp> jcastro: s series are still only 900 vertical pixels. my old one was 1050...
[14:42] <wrtp> niemeyer: yeah. boo hiss. i like my vertical space. still i'll survive!
[14:44] <jcastro> yeah but it's like they all stopped making 4:3
[14:46] <hazmat> wrtp, the x220 is doing pretty nice by me, although i think there are some sandy bridge graphics updates that need oneiric, i'm using classic no effects.. the x220 can take two ssd drives (msata, and regular), although the regular has to be a 7mm device. speed and battery life are both very nice
[14:46] <hazmat> the ips screen rocks as well
[14:47] <hazmat> they also sell an optional battery slice for the x220, which can extend battery life to the 20+ hr mark in addition to a 9-cell
[14:48] <hazmat> the 's' identifier on a series identifies switchable/discrete graphics afaik.. they do sell high quality ips screens on some models without the 's'
[14:48] <jcastro> hazmat: yeah I have an X220 and it's pretty awesome
[15:14] <hazmat> niemeyer, ping
[15:14] <niemeyer> hazmat: Yo
[15:15] <hazmat> i took a step back and looked at what's needed to finish up security. there's a question, i'd like to get your feedback on.. do you have time for a voice chat?
[15:23] <niemeyer> hazmat: Not right now, I'm about to leave for lunch
[15:23] <niemeyer> hazmat: and some friends just arrived to have lunch with us (which is why it took a moment, sorry)
[15:23] <niemeyer> hazmat: But will be happy to talk after lunch
[15:24] <hazmat> niemeyer, nevermind, there really is only way to look at the problem.. i think i've got it worked out, thanks and enjoy
[15:24] <hazmat> i'll paste my internal dialogue later ;-)
[15:24] <niemeyer> hazmat: Cool.. I've started looking at your new security branch already, btw
[15:25] <niemeyer> hazmat: It worked this time
[15:25] <hazmat> niemeyer, re the question.. https://pastebin.canonical.com/50336/
[15:25] <hazmat> niemeyer, i'm going to add to the add_machine_state, add_unit_state to create otp principals and store the token directly on the relevant states
[15:27] <niemeyer> hazmat: Cool, I'll put some thinking on that after lunch.. now I really need to step out!
[15:27] <niemeyer> biab
[15:36] <_mup_> ensemble/expose-provider-ec2 r301 committed by jim.baker@canonical.com
[15:36] <_mup_> Assign the provider machine its machine id in the provisioning agent to simplify provider APIs
[15:36] <SpamapS> negronjl: ping?
[15:41] <robbiew> m_3: ping
[15:41] <_mup_> ensemble/expose-provision-machines r292 committed by jim.baker@canonical.com
[15:41] <_mup_> Merged trunk
[15:42] <_mup_> ensemble/expose-provision-machines-reexpose r301 committed by jim.baker@canonical.com
[15:42] <_mup_> Merged upstream branch expose-provision-machines
[15:47] <negronjl> SpamapS: pong
[15:53] <SpamapS> negronjl: wondering about your gem issue.
[15:54] <negronjl> SpamapS: testing a workaround now.  I'll let you know
[15:56] <negronjl> SpamapS: successfully worked around the issue by packaging bundler into a .deb ( so no gem install anymore ).
[15:57] <negronjl> SpamapS: however the issue with ensemble still persists.  we just found a fix around the issue.
[15:58] <_mup_> ensemble/expose-provider-ec2 r302 committed by jim.baker@canonical.com
[15:58] <_mup_> Remove direct passing of machine_id for EC2 provider implementation and fix incorrect usage of Instance instead of ProviderMachine
[15:59] <SpamapS> negronjl: heh.. it really is a bug in gem... it shouldn't expect a login environment.
[16:02] <robbiew> SpamapS: hey...do you have the link to that google doc we had in dublin, listing all the projects we wanted to work with, e.g. HotandHairy ;)
[16:02] <SpamapS> robbiew: I think jcastro and m_3 have it
[16:02] <robbiew> jcastro: ^^...can you share that with me?
[16:10] <jcastro> on it
[16:16] <wrtp> hazmat: thanks, that's useful
[16:16] <jcastro> robbiew: doc title is "Ensemble & Principia"
[16:16] <jcastro> I don't own the doc so it won't let me reshare it with you
[16:16] <robbiew> jcastro: thnx
[16:16] <jcastro> I can jet you a copy via mail though if you just want to read it
[16:17] <jcastro> also, all the hot and hairy ones I filed, and have a "hot" tag in lp
[16:17] <robbiew> jcastro: who owns the doc, sabdfl?
[16:18] <m_3> robbiew: hey
[16:19] <jcastro> robbiew: jono
[16:20] <jcastro> robbiew: he likely owns all the other messaging ones too, I'll send him a note to add you as an owner to all of them
[16:20] <robbiew> jcastro: ffs
[16:20] <robbiew> jcastro: send me the link
[16:20] <robbiew> I should be able to view it...not showing up in a search though
[16:22] <robbiew> m_3: nevermind...jcastro responded ;)
[16:22] <m_3> cool... yeah, I'm not the owner either
=== koolhead11 is now known as kooolhead11|afk
[17:11] <jamespage> jcastro: ep-lite rocks BTW
[17:12] <jamespage> sooo much lighter than etherpad - it even runs in a t1.micro
[17:16] <m_3> jamespage: are you using that standalone or as part of some other "conference" stack?
[17:17] <jamespage> m_3: so we setup etherpad for UDS - but it was hard and the package is pretty ugly
[17:17] <jamespage> I just tried out ep-lite - http://ec2-46-137-10-1.eu-west-1.compute.amazonaws.com:9001/p/pad-with-daviey
[17:17] <jamespage> really small footprint compared to etherpad
[17:17] <jamespage> really small
[17:17] <m_3> ep-lite should just require node and npm
[17:18] <jamespage> m_3: yep - that was pretty much it
[17:18] <m_3> awesome
[17:18] <jamespage> npm pulled the rest of the deps
[17:18] <jamespage> it can backend to sqlite or mysql
[17:19] <m_3> did you do a formula?  that's on my list for node apps
[17:20] <SpamapS> jamespage: what services does it use for data storage?
[17:20] <SpamapS> oh
[17:20] <SpamapS> should read the whole conversation before joining
[17:20] <jamespage> m_3: not yet
[17:21] <jamespage> m_3: would you mind if I had a go at one?
[17:21] <m_3> jamespage: sure man... go ahead
[17:21] <jamespage> m_3: ta
[17:22] <m_3> jamespage: I've got some node/npm boilerplate you're welcome to
[17:22] <jamespage> m_3: point me at it :-)
[17:22] <m_3> lemme get it into lp (in github at the moment)
[17:28] <jcastro> jamespage: oooh, very nice.
[17:28] <jcastro> jamespage: yeah the page made a bunch of performance claims, but I wasn't ready to believe it until someone tried it. Great to hear it's slimmed down though
[17:29] <jcastro> it'd be a heck of a nice formula to have handy for conferences, LUGs, etc.
[17:30] <jcastro> and would also be a nice demo one too, since you could just fire it up, give people the url, and then people could play with it right there
[17:32] <m_3> jamespage: lp:~mark-mims/+junk/nodeapp
[17:33] <jamespage> m_3: ta
[17:34] <niemeyer> Yo!
[17:36] <m_3> niemeyer: hey
[17:36] <niemeyer> m_3: Hey Mark
[17:39] <niemeyer> hazmat: SO, in the paste you provided earlier, it's not clear to me what you mean with "OTP serialization directly to the relevant nodes"
=== daker is now known as daker_
[17:52] <hazmat> niemeyer, basically the otp principal.. creates a permanent named principal with credentials stored to the otp node, along with acl using the otp credentials, the otp principal can be serialized to give a path:otp_user:otp_password info that can be utilized to retrieve the permanent credentials
[17:53] <hazmat> niemeyer, in particular i'm saying that machine_state and unit states would have that otp serialization directly as part of their contents
[17:53] <niemeyer> hazmat: That's the bit I don't get
[17:53] <hazmat> this allows say the provisioning agent to access it from the machine state and then launch the machine agent with it
[17:53] <niemeyer> hazmat: Wasn't the plan to have a location where these OTP details are managed?
[17:53] <niemeyer> hazmat: It sounds like you're saying that OTP will be spread around, but I'm not sure if that's the case.  Is it?
[17:54] <hazmat> niemeyer, right but the otp credentials themselves need to be passed between multiple processes, i thought it was just a one time transfer from the launching process to the launched process. but really its needed much earlier (at the cli time) so we can associate the proper acl to named principal on created nodes
[17:55] <niemeyer> hazmat: The OTP principle and the timing sounds fine.. I'm wondering about the organization of nodes
[17:55] <hazmat> niemeyer, the permanent principal that the otp stores is stored in only one place, the otp serialization (access to that permanent principal) is stored on the relevant domain object for an agent, so that the process launching the domain object can access it to pass along to the domain agent
[17:56] <niemeyer> hazmat: Hmm.. it sounded to me like having a location where these exchanges happen would be cleaner
[17:57] <niemeyer> hazmat: Otherwise we can't really tell at any given point in time which OTPs are unclaimed, for instance
[17:57] <niemeyer> hazmat: Without having to dig through node content
[17:57] <hazmat> niemeyer, the otp is gone after use, and the launching process should remove it from the state when launching the domain agent
[17:58] <niemeyer> hazmat: Yeah, the above comment take that into account
[17:58] <niemeyer> takes
[17:59] <hazmat> niemeyer, on phone with isp.. trying to resolve internet issues.. bbiam
[18:00] * hazmat is over his isp.. time for a new one..
[18:01] <hazmat> Nicke, the unclaimed otps are those that still exist, the otp serialization on the domain state, is removed prior to the launch of the domain agent
[18:02] <hazmat> there is a defined location for the exchange the otp node itself, but that has an acl protection to only allow access to someone with the otp credentials
[18:03] <niemeyer> hazmat: Ok, so maybe I misunderstood what you mean there
[18:03] <niemeyer> hazmat: This makes it sound like otherwise, for instance: " the otp serialization (access to that permanent principal) is stored on the relevant domain object for an agent"
[18:03] <hazmat> the otp credentials are stored transiently on the domain state, so we can allow for the indirection nesc to reference the named principal during domain node creation, and so the process that will create the corresponding domain state agent to access it to pass along
[18:04] <hazmat> i originally was going to forgo this and just have the otp created by the launching process, but its needed much earlier by the cli to associate the acls
[18:04] <hazmat> to domain objects created by the cli
[18:04] <niemeyer> hazmat: Sorry.. I don't understand stil
[18:04] <niemeyer> l
[18:04] <niemeyer> hazmat: What I mean is this..
[18:05] <niemeyer> There's a machine node
[18:05] <niemeyer> /machines/machine-0
[18:05] * hazmat nods
[18:05] <niemeyer> This node is protected by an ACL so that it can only be read by relevant parties
[18:05] <hazmat> and a corresponding /otp/otp-xyz node
[18:05] <niemeyer> Yes..
[18:06] <niemeyer> When that gets put in place, which protection is /machines/machine-0 taking, and what's inside /otp/otp-xyz?
[18:09] <niemeyer> hazmat: Lacking some interactivity.. maybe we should video?
[18:12] <hazmat> niemeyer, i disconnected again..  could you repeat last line?
[18:12] <niemeyer> <niemeyer> When that gets put in place, which protection is /machines/machine-0 taking, and what's inside /otp/otp-xyz?
[18:12] <niemeyer> <niemeyer> hazmat: Lacking some interactivity.. maybe we should video?
[18:13] <hazmat> niemeyer, these are my last comments not sure what got missed https://pastebin.canonical.com/50354/
[18:13] <hazmat> niemeyer, sure
[18:14] <niemeyer> hazmat: Ok, I think we're on the same page
[18:14] <niemeyer> hazmat: The point I was missing was really about the "the otp serialization (access to that permanent principal) is stored on the relevant domain object for an agent" comment
[18:15] <niemeyer> hazmat: It felt like the domain object itself (e.g. /machines/machine-0) was protected by the OTP, and the real password was within it
[18:15] <hazmat> niemeyer, okay.. so that get's removed effectively when the domain agent is launched.
[18:15] <niemeyer> hazmat: But the description in the paste clearly states otherwise, so it's all good
[18:15] <hazmat> niemeyer, cool
[18:15] <niemeyer> hazmat: What gets removed when the domain agent is launched?
[18:16] <hazmat> niemeyer, the otp serialization (otp_node_path:otp_user:otp_pass) on the domain state
[18:16] <niemeyer> hazmat: Ok, we're still out of sync apparently.. you mean the domain object (/machines/machine-0) is protected by the OTP?
[18:17] <hazmat> niemeyer, no.. but the domain object has the otp serialization in it, after the launch of the domain agent, that data is stale
[18:17] <niemeyer> hazmat: Why does it need it?
[18:17] <hazmat> niemeyer, the domain agent doesn't need the otp serialization in the state, but the process that launches the domain agent does so it can pass it to the domain agent
[18:18] <niemeyer> hazmat: Ahh, I think I get it, ok
[18:18] <niemeyer> hazmat: Nice, makes sense
[18:19] <niemeyer> hazmat: That was the confusion.. it sounded like the OTP was *protecting* the domain node
[18:19] <hazmat> niemeyer, yeah.. after i thought it about there really weren't any options to work around it.. we need the named principals referenceable from the cli at state creation time, by the time the system is getting around to launching the domain agent, its too late for most of the acl grants
[18:20] <hazmat> niemeyer, ah.. yeah. the otp is serialized in the domain node, and only protects the named principal in the otp node
[18:21] <hazmat> niemeyer, so i took a step back yesterday to try and figure out how many more branches and work are needed to get both identity and security policies activated.. being realistic its probably about 1.5 weeks.
[18:22] <niemeyer> hazmat: That's fine
[18:23] <niemeyer> hazmat: Things are looking good.. and I won't do anything else today before killing that review queue :)
[18:23] <hazmat> niemeyer, cool
[19:27] <niemeyer> hazmat: First review on https://code.launchpad.net/~hazmat/ensemble/security-connection-redux/+merge/69369 delivered
[19:27] <niemeyer> hazmat: We'll probably need a voice conversation on some of the topics there
[19:57] <_mup_> ensemble/expose-provider-ec2 r301 committed by jim.baker@canonical.com
[19:57] <_mup_> Recover from bzr error
[19:59] <_mup_> ensemble/expose-provider-ec2 r302 committed by jim.baker@canonical.com
[19:59] <_mup_> Merged trunk and resolved conflicts.
[20:02] <jimbaker> So much for that attempt... argh, the only thing worse than a complicated conflict is bzr breaking down
[20:02] <jimbaker> (in addition to the conflict!)
[20:05] <niemeyer> jimbaker: How's it breaking down?
[20:05] <jimbaker> niemeyer, lost some of its metadata
[20:05] <niemeyer> Huh
[20:06] <jimbaker> i can recover the diff, but this is the context of merging upstream and resolving all the conflicts that was generated with the recent provider refactoring
[20:07] <niemeyer> hazmat: ping
[20:07] <niemeyer> hazmat: Not sure if your connection is flaky still, or if you're off
[20:09] <hazmat> niemeyer, back, its been flaky still, should have a new isp on monday though
[20:10] <niemeyer> hazmat: Cool.. not sure if you got this:
[20:10] <niemeyer> <niemeyer> hazmat: First review on https://code.launchpad.net/~hazmat/ensemble/security-connection-redux/+merge/69369 delivered
[20:10] <niemeyer> <niemeyer> hazmat: We'll probably need a voice conversation on some of the topics there
[20:11] <hazmat> niemeyer, nope i didn't thanks for the replay
[20:11] <niemeyer> hazmat: Oh my..
[20:11] <jimbaker> i hate to do this, but i'm going to break the commit into two pieces this time (the merge AND the conflicts)
[20:11] <niemeyer> hazmat: I think I messed up something
[20:12] <niemeyer> hazmat: Feels like I already reviewed security-policy-rules
[20:12] <niemeyer> hazmat: Hmm.. the connection-redux branch probably had it embedded
[20:12] <hazmat> niemeyer, yeah.. there are a pre-requisites on all the merge proposals
[20:13] <niemeyer> hazmat: Ok.. I'll copy over the review..
[20:13] <niemeyer> hazmat: Feel free to address specific points on the respective branches.
[20:13] <niemeyer> hazmat: This way you can merge stuff faster
[20:14] <_mup_> ensemble/expose-provider-ec2 r301 committed by jim.baker@canonical.com
[20:14] <_mup_> Merged upstream expose-provision-machines-reexpose (conflicts later)
[20:16] <niemeyer> hazmat: Alright, I think I fixed the mess
[20:16] <hazmat> niemeyer, your point #8 on security-connection bears some thinking about
[20:16] <hazmat> that's definitely got some implications for the rest of the approach
[20:16] <niemeyer> hazmat: security-policy-rules is the one that requires conversations
[20:16] <hazmat> niemeyer, yup
[20:16] <niemeyer> hazmat: security-connection-redux is back in review with a +1
[20:16] <hazmat> niemeyer, cool
[20:17] <niemeyer> hazmat: Only minor points there
[20:18] <hazmat> niemeyer, re why #2 on connection, the reason for the mixin is to ease testing, ssh conn requires ability to ssh into local host non-interactively.
[20:18] <hazmat> to test based on usage
[20:24] <niemeyer> hazmat: It can be a base then, and live within the same package
[20:25] <niemeyer> hazmat: Multiple-inheritance, separate packages, mixins.. feels like a lot for overloading a method
[20:26] <hazmat> niemeyer, sounds good, i'll probably end up with a second mixin to have policies active b4 we have transport level security for intra-environment communications
[20:26] <hazmat> er. second connection class using the mixin
[20:28] <niemeyer> hazmat: You don't need to have a second class using the mixin.. Just use that same base
[20:28] <hazmat> niemeyer, ah.. base, right, yeah.. that makes more sense
[20:29] <niemeyer> hazmat: Yeah ZK => SZK => SSHSZK
[20:29] <hazmat> SZK name is a bit of misnomer.. since its not transport level.. if you have an idea on rename.. i'm all ears. i was thinking PolicyConnection.. but that sounds strange as well.
[20:45] <_mup_> ensemble/expose-provider-ec2 r302 committed by jim.baker@canonical.com
[20:45] <_mup_> Resolved text conflicts, but some merge problems remain
[20:46] <niemeyer> hazmat: That wasn't a naming suggestion :-)
[20:46] <niemeyer> hazmat: Just illustrating the inheritance
[20:47] <niemeyer> hazmat: Hmm
[20:47] <hazmat> niemeyer, understood, just making a naming request additional to that
[20:47] <niemeyer> hazmat: PolicyConnection?
[20:48] <hazmat> niemeyer, yeah.. i guess that makes as much sense.. it just felt strange
[20:48] <niemeyer> hazmat: RuledConnection :-)
[20:49] <hazmat> TheOneRing with s/connect/wear, doc string.. "And in the darkness bind them"  ;-)
[20:49] <hazmat> yeah.. policyconn sounds good
[20:59] <_mup_> ensemble/states-with-principals r298 committed by kapil.thangavelu@canonical.com
[20:59] <_mup_> a new method to OTPPrincipal, that creates a principal, adds it to token db, and returns the otp serialized data in one shot, also a general reuse test function to enable otp cleanup from tests that may encounter them.
[21:05] <_mup_> ensemble/expose-provider-ec2 r303 committed by jim.baker@canonical.com
[21:05] <_mup_> Added missing machine_id settings to mocks in test_launch
[21:07] <hazmat> niemeyer, the only place we really need topology data for things that might not be in the topology is the unit, since we need to retrieve the service
[21:08] <hazmat> niemeyer, we could remedy by just putting the service in the initial data for the unit node
[21:08] <hazmat> although that would change the rule interface to make them content based..
[21:08] <_mup_> ensemble/expose-provider-ec2 r304 committed by jim.baker@canonical.com
[21:08] <_mup_> Fix mock tests around the merged ProviderMachine
[21:08] <hazmat> perhaps a slippery slope
[21:09] <niemeyer> hazmat: Not sure I get what you mean.. there are more cases of topology being used for things that might not be in the topology in that branch
[21:09] <hazmat> niemeyer, most/all of the other use is for relations
[21:11] <niemeyer> hazmat: Yeah.. but e..g.
[21:11] <niemeyer> hazmat: How can you assign permissions to /relations/relation-10 based on the users of this relation, given that the id was just created?
[21:11] <hazmat> niemeyer, yeah.. the relation top level node also needs some consideration
[21:12] <niemeyer> hazmat: The path doesn't even include the sequence number!
[21:12] <hazmat> niemeyer, it could also be addressed the same way, using content
[21:12] <hazmat> as part of the rule interface
[21:13] <niemeyer> hazmat: Using content in what sense?>
[21:14] <hazmat> yeah.. as i noted in the mp.. i regard that branch as the most incomplete of the bunch.. its definitely going to need more work.. i just wanted to get more discussion on the approach
[21:14] <hazmat> niemeyer, node data
[21:14] <hazmat> niemeyer, for a relation including the services and their roles.. for the unit node including its service
[21:15] <hazmat> the rule could then dispatch both on path and content, which as you correctly point out is needed for any sequence node acl to be contextually aware
[21:15] <niemeyer> hazmat: Do we have that data there today?
[21:16] <hazmat> niemeyer, not in the relation-id node.. we do have them in the role container node below
[21:16] <hazmat> most of the domain object nodes are empty nodes at create time
[21:17] <hazmat> machines, units, relations, etc.
[21:17] <niemeyer> hazmat: It feels awkward to be sending data to zookeeper to fix a deficiency in our API
[21:18] <hazmat> niemeyer, its effectively just identity storing identity information on the relevant domain nodes.
[21:18] <niemeyer> hazmat: It's storing data in zookeeper in a place that is not necessary, besides for fixing a deficiency in our API
[21:19] <niemeyer> hazmat: It's indeed a slippery slope..  I'd like to take a step back and ponder for a while about possible approaches that avoid that kind of cross-dependency entirely
[21:19] <hazmat> niemeyer, well.. we can choose not to store it ;-)
[21:19] <niemeyer> hazmat: LOL
[21:21] <_mup_> ensemble/expose-provider-ec2 r305 committed by jim.baker@canonical.com
[21:21] <_mup_> Fixed remaining mocks in ec2 provider tests
[21:21] <hazmat> one of the other nice things i like about the policy rule approach, its very easy to apply the acls to an entire tree, or diff a tree and see if there acls missing/etc, or do an upgrade on them en mass. its just a tree walk reusing the same rule interface
[21:22] <hazmat> niemeyer, in some sense the api we have right now is the strange, one we have domain objects with no identity information, because we store identity in a secondary index, but the object in isolation lacks any context.
[21:23] <hazmat> i'll think about alternate approaches and we can revisit, i should continue on with the identity work
[21:24] <niemeyer> hazmat: That's not entirely true
[21:24] <niemeyer> hazmat: The object owns its identity, and there is context about what is there in most contexts
[21:25] <niemeyer> hazmat: The "secondary index" is not an index, but a relationship description
[21:28] <niemeyer> hazmat: that's also interesting, because what is being looked for is not information about the domain object either, but about its relations
[21:29] <niemeyer> Well, for units that's not true
[21:43] <_mup_> ensemble/expose-provider-ec2 r306 committed by jim.baker@canonical.com
[21:43] <_mup_> Pass through machine data to DummyLaunchMachine.start_machine to fix common tests
[21:52] <niemeyer> hazmat: Btw, _very_ nice break up of branches
[21:52] <niemeyer> hazmat: Thanks a ton for that
[21:52] <niemeyer> It'd be crazy otherwise
[21:52] <hazmat> niemeyer, np... hoping to continue that with the rest of the work
[21:53] <niemeyer> hazmat: I'm getting to the end of the pile.. it feels like that issue we're both brainstorming on is the only critical..
[21:53] <niemeyer> hazmat: Let's think some more on that and tomorrow we can catch up for a decision
[21:53] <hazmat> niemeyer, yeah.. i'm going to think about it some more, we should reconnect about it tomorrow.
[21:53] <niemeyer> hazmat: +1 :)
[21:56] <hazmat> niemeyer, re identity its not true for units or relations nodes, they only have identity with the topology, and those are both the ones the topology gets consulted by the rules for.
[21:58] <niemeyer> hazmat: The _identity_ is the node name..
[21:58] <hazmat> niemeyer, unit-000000 ? relation-00000? without consulting the topology.. the unit doesn't know it services, nor the relation it services.
[21:59] <hazmat> its
[21:59] <niemeyer> hazmat: Exactly.. it doesn't know its relationships..
[22:00] <hazmat> niemeyer, its more than just relationships.. although arguable the relationships are lending identity here.. but for example the unit doesn't even know its name
[22:00] <niemeyer> hazmat: A bit like saying that the identity of /home/hazmat is in /etc/passwd..
[22:01] <niemeyer> hazmat: There's information in there about it, but it stands on its own
[22:01] <hazmat> niemeyer, but i know hazmat is the user name just from the path.. in the case of units.. the name itself is unknown
[22:01] <niemeyer> hazmat: hazmat is your id.. like unit-000000
[22:01] <niemeyer> hazmat: Your name is K.T.
[22:01] <niemeyer> hazmat: and is in /etc/passwd
[22:02] <niemeyer> hazmat: This is another thing I'm wondering about that.. it's not clear why we're using the service name rather than the id on the ACLs
[22:02] <hazmat> niemeyer, we probably should be using the id everywhere for acls
[22:03] <hazmat> niemeyer, i started doing that when i was working on machines more recently.. the machine_state.id == 0, 1, 2.. is not particularly useful in this context for identification
[22:03] <hazmat> er. internal_id everywhere
[22:04] <niemeyer> hazmat: Uh.. why not?  It's effectively the same thing?
[22:05] <hazmat> niemeyer, because the acl is a global namespace of principals, we should be able to identify a principal from its name, names like '0', '1', are rather ambiguous compared to 'machine-xyz'
[22:05] <niemeyer> hazmat: Gotcha
[22:06] <hazmat> niemeyer, and in the case of service names, we don't prevent service name reuse
[22:06] <niemeyer> hazmat: Either way, "0" in this context is akin to "wordpress/2" for a unit name.. it's really oriented for users
[22:06] <hazmat> yup
[22:06] <niemeyer> hazmat: When we're handling it internally, internal_id is good
[22:12] <hazmat> hmm.. hard to store the otpprincipal data on the domain state with a known principal name against a sequence node, the name is ..
[22:13] <hazmat> perhaps an additional topology index matching domain objects to principal names
[22:16] <niemeyer> Yeah.. trying to lock the drawer with the key inside
[22:17] <niemeyer> hazmat: Actually, not really.. what's the actual issue?
[22:17] <niemeyer> hazmat: The otp just needs to be created beforehand
[22:17] <niemeyer> hazmat: so that the name may be stored within the domain node, if I get what you mean
[22:20] <niemeyer> Okay.. I'm heading to a dinner with a friend that is in town.  Will be happy to talk about these details tomorrow morning.
[22:24] <hazmat> niemeyer, the otp creates a named principal, typically that should correspond to the identity of the domain object, but for sequence nodes, identity is rather ambiguous.
[22:24] <hazmat> i could just use random names based on type...
[22:25] <hazmat> and store in the topology, but then the lookup process for the identity token is complicated
[22:47] <hazmat> easier for sequence nodes to just be updated with acls post creation
[23:39] <jimbaker> negronjl_, i need to do some additional refactoring and docs on robust-hook-exit branch per the review. then i can merge it into trunk
[23:39] <negronjl_> jimbaker: thx I appreciate it
=== negronjl_ is now known as negronjl
[23:41] <jimbaker> negronjl_, np. occasionally these branches prompt some appraisal that there's too much previous tech debt, so that's why it's taking some additional time
[23:53] * SpamapS thinks the only tech debt that is troubling is all the hoops we jump through marked "Twisted"
[23:58] <jimbaker> SpamapS, i think the attention we are paying to move to deterministic tests is a good one, but it is hard to do for sure
[23:59] <jimbaker> it was so much easier to just write tests that would simply sleep 200 ms and sweep the problems under the rug
