/srv/irclogs.ubuntu.com/2012/11/13/#juju-dev.txt

rogpeppedavecheney, fwereade_, dimitern: morning all07:18
dimiternrogpeppe: hiya :)07:18
TheMuemorning07:30
rogpeppeTheMue: yo!07:31
TheMuerogpeppe: hi07:32
TheMuerogpeppe: Today next round in your fight connecting MongoDB via SSL?07:33
rogpeppeTheMue: no, i got that working last week07:33
rogpeppeTheMue: (in a piece of example code, anyway)07:33
TheMuerogpeppe: Ah, ok, then I misinterpreted your answer to Dave.07:34
dimiternanybody has a handy link on how to write table-based tests for go?08:07
dimiternI can't seem to find it, and I'm sure there was one somewhere..08:07
TheMuedimitern: We're using them in some of our tests. I'll look for an example.08:20
TheMuedimitern: Hi btw.08:20
dimiternTheMue: hi :) 10x!08:20
TheMuedimitern: Take a look at state/state_test.go, line 235ff.08:26
TheMuedimitern: There's a var inferEndpointsTests defined as slice of unnamed structs.08:27
TheMuedimitern: The fields of those structs depend on your needed in- and outputs (to compare) or expected errors (have to be tested too).08:28
TheMuedimitern: It directly follows a number of struct values.08:29
dimiternTheMue: I see! 10x again, I'll use it as a reference08:29
TheMuedimitern: In TestInferEndpoints in line 378 you loop over the slice and perform actions and asserts depending on those table/slice values.08:30
TheMuedimitern: Cheers, it's a nice technique to cover a large number of different tests of the same kind.08:31
dimiternTheMue: interesting pattern - I see how expressive the table is - you can see every test at one place08:31
TheMuedimitern: Exactly. Doing it manually would need far more code and is not as readable.08:32
rogpeppefwereade_: i'm seeing a uniter test failure in trunk: http://paste.ubuntu.com/1355121/09:15
fwereade_rogpeppe, oh hell (takes a look)09:16
fwereade_rogpeppe, hm, I *think* I have a branch that addresses that somewhere -- anyway ty09:17
rogpeppefwereade_: np09:17
rogpeppefwereade_: it's failing consistently for me, BTW, but not always in the same test.09:18
TheMueAram: Moin09:52
Aramhello.09:52
rogpeppefwereade_: a fairly simple change: https://codereview.appspot.com/6849044/09:56
TheMueAram: We should talk about the container abstraction this morning. I don't think I've got the full picture, but as far as you (and fwereade_ ) talked about it I like the abstraction.10:00
fwereade_rogpeppe, LGTM10:04
rogpeppefwereade_: thanks10:04
rogpeppefwereade_: i've been meaning to get around to that for ages, and finally found a place where it made things easier10:05
fwereade_rogpeppe, yeah, it's much nicer10:05
fwereade_Aram, TheMue: re container abstraction, do you have anything resembling niemeyer-approval? that is my main concern10:06
TheMuefwereade_: Could you please rephrase it?10:07
fwereade_Aram, TheMue: I have a suspicion that it may be more expedient to proceed without introducing an abstraction niemeyer does not approve of, and then to propose a CL that demonstrably reduces complexity later10:08
Aramfwereade_: I believe it would significantly reduce complexity even now, especially for watchers.10:08
fwereade_Aram, TheMue: I like the idea but not enough to feel I have the resources for a protracted battle over it10:08
fwereade_Aram, if you think you can make a compelling case in code then that definitely changes the situation for the better :)10:09
TheMuefwereade_: Currently I want to know the advantages and disadvantages of a changed approach to see, if it's worth a change. Absolutely neutral.10:09
TheMuefwereade_: And Aram's ideas sound reasonable to me so far.10:10
TheMuefwereade_: We made a first little analysis, where code has to be changed.10:11
TheMueAh, split is over.10:17
rogpeppeanyone else want to have a look at this? i think it's simple enough that I'll submit after two LGTMs: https://codereview.appspot.com/6849044/10:20
TheMuerogpeppe: *click*10:22
TheMuerogpeppe: LGTM, with +1 for fwereade_s comment10:33
Aramdavecheney: you have another review10:33
davecheneyAram: ty10:34
rogpeppeTheMue: thanks.10:39
Aramreboot10:39
AramI hate the damn vmware.10:41
AramI wish virtualbox didn't suck.10:41
TheMueAram: What concrete problem do you have with vmware?10:44
AramIt just rewrote my routing table on my host10:45
TheMueIiirks10:45
Aramand the GUI is so, so, sloow.10:46
Aramand the updater never works.10:47
TheMueAram: Here I thankfully have no problems. Yesterday I had an update. But I don't know how far the Win and the OS X versions differ.10:49
Aramthe windows interface was rewritten in C#.10:50
Arameverything went down since then.10:50
TheMueAram: Doesn't Parallels also exist for Win?10:56
Aramno.10:56
TheMueAram: Could you please open the LXC document? So here we both can collect the pros and cons of the container abstraction and also add a first effort estimation.11:03
AramTheMue: after I'm done with breakfast, in the meantime please share the link11:05
TheMueAram: OK, here it is https://docs.google.com/a/canonical.com/document/d/1Chla4FgaMTlwXFdAzFv-ToN0iNsWKFECNGOCerC8PH0/edit11:05
niemeyerHello all11:37
TheMueniemeyer: Hiya11:37
niemeyerWhy did we switch the meeting time by 2h today?11:37
niemeyerWell, 1h..11:37
TheMueniemeyer: Oh, did we?11:38
TheMueniemeyer: I have it here as the same time as always. But DST is over, so maybe there's the reason for a movement.11:39
TheMues/as the/at the/11:39
niemeyerTheMue: Yep, but hemispheres shift DST in a different direction, so what is "same time" there is 2h off here11:39
niemeyerIt's great for me, but it's probably not nice for davecheney11:39
TheMueniemeyer: Iirks, yep, it's 10:40 there now.11:40
TheMueniemeyer: But also 6:40 right now for Mark. We have a wide span right now.11:41
niemeyerYep11:41
jamniemeyer: is there a reason that "go test -gocheck.v ./..." and "go test ./... -gocheck.v" do different things?11:43
jam(the former runs the current package's tests in verbose mode, and the latter runs all the tests in all subdirectories but without verbose mode)11:44
niemeyerjam: Probably a bug in go test11:46
niemeyerjam: Without looking, I'd guess that they're making a decision based on number of flags seen, without considering foreign flags11:46
Aramso, when is the meeting?11:59
Aramnow?11:59
jamnowish11:59
mrammSo, meeting is now11:59
jam1011:59
mrammfor those who have not been to a meeting before -- can you send me your G+ info11:59
davecheneyinvite anyone ?11:59
jam911:59
jam811:59
mrammso I can add you to the invite11:59
jamtoo fast... :)11:59
jammramm: john.meinel@canonical.com is fine12:00
dimiterndimiter.naydenov@canonical.com12:00
jammramm: I imagine martin.packman@canonical.com as well12:00
mgzright.12:00
mrammhttps://plus.google.com/hangouts/_/50b626916b5f85ebad8bc80dde5052b14aa7a6d7?authuser=0&hl=en-GB12:01
jamdimitern: ^^12:02
mrammeverybody should be invited now12:02
jammgz: ^^12:02
mgz...hangout is very unhappy12:06
mgzI think I need to not join last, too much junk being done that I can't disable12:07
mgz...and now the room is full, probably with a ghost of me12:08
mgzshould have just used machine downstairs12:09
jammgz: I'm guessing you can join downstairs still. I tried to paste the URL to w7z12:10
mgzta, will do that12:10
TheMueSee http://bazaar.launchpad.net/~themue/+junk/golxc/files for the LXC code.12:12
niemeyer        curl, err := charm.InferURL(c.CharmName, conf.DefaultSeries())12:32
niemeyerjam: Good news re.  Ian12:41
dimiternyeah :)12:41
jamniemeyer: thanks, it should be good having him around.12:41
niemeyerjam: Will be nice to have more people close to davecheney  too12:41
jamdimitern, mgz: I was trying to mention it to you on mumble, but mgz never joined :)12:41
dimiternjam: I see, so it's confirmed12:42
jamdimitern: yeah12:42
fwereade_gents, since I appear not to be currently blocking anyone, I'm off to pick up laura from school12:45
Aramfwereade_: cheers.12:45
jamfwereade_: have a good evening.12:46
TheMuefwereade_: Enjoy, mine are coming on their own (or are out of school already). ;)12:49
TheMueAram: I added some first points about the container abstraction to the doc, but you surely have more.12:50
AramTheMue: would you be so kind to share the link with me again?12:50
AramI lost it12:50
TheMueAram: Sure, np, here: https://docs.google.com/a/canonical.com/document/d/1Chla4FgaMTlwXFdAzFv-ToN0iNsWKFECNGOCerC8PH0/edit12:51
Aramthanks12:51
=== fss is now known as offline
=== offline is now known as fss
TheMuelunchtime13:02
rogpeppefwereade_, TheMue: i didn't quite get it right last time... https://codereview.appspot.com/685104313:06
* rogpeppe goes for lunch13:19
niemeyerrogpeppe: Enjoy13:25
AramTheMue: tell me when you're back.13:32
fssniemeyer: hi :-)13:43
fssniemeyer: could you take a look at that CL?13:44
fssniemeyer: https://codereview.appspot.com/6823060/13:44
niemeyerfss: Neat, I'll have a look this afternoon, thanks!13:45
fssniemeyer: great, thank you! :)13:47
TheMueAram: I'm back13:49
=== TheMue_ is now known as TheMue
fwereade_rogpeppe, LGTM14:38
rogpeppefwereade_: thanks14:39
rogpeppefwereade_: here's the followup: https://codereview.appspot.com/685304314:42
rogpeppefwereade_: not quite so trivial, i'm afraid. i'm *hoping* it's not too crackful.14:42
* fwereade_ looks14:43
TheMuerogpeppe: From my side also an LGTM to the first one, now looking at the second one.14:46
rogpeppeTheMue: ta v much14:47
TheMuerogpeppe: yw14:47
fwereade_rogpeppe, I'm conflicted on the second one... the extra suite is nice; the SetUpSuite/SetUpTest stuff is a bit off, maybe, but ok given that there's no neater fixture concept; but all the new SetUp/TearDown methods on other suites make me a bit sad14:53
fwereade_rogpeppe, I guess that's just a consequence of the decisions we've made, and it's not like they're hard to understand14:54
rogpeppefwereade_: yeah, i agree, they're annoying. it's a consequence of the inflexibility of our test harness unfortunately.14:54
fwereade_rogpeppe, if there's anything that qualifies as crack it's SetUpTest calls in SetUpSuite methods, but that's fruit from the same tree14:55
rogpeppefwereade_: yeah, that's my most dubious bit14:56
rogpeppefwereade_: but i'm like, why *shouldn't* we have a test context for a whole suite?14:56
rogpeppefwereade_: we could lose the SetUp/TearDown methods in environs, as they're a consequence of me adding LoggingSuite too.14:57
fwereade_rogpeppe, I'm +1 on LoggingSuite everywhere :)14:57
rogpeppefwereade_: me too. it's a pity it's not easy to make automatic14:58
fwereade_rogpeppe, is the cost of putting those SetUpTest calls in the SetUpTest methods prohibitive?14:58
rogpeppefwereade_: it can't be done, because that particular suite opens an environment in SetUpSuite and uses it for the entire suite run.14:58
rogpeppefwereade_: so we *need* the faked-up root inside SetUpSuite.14:59
fwereade_rogpeppe, can't you write the same file in each SetUpTest?14:59
rogpeppefwereade_: if the faked-up root isn't there for SetUpSuite, we can't open the environment14:59
fwereade_rogpeppe, I don't *think* a... gahh ok14:59
fwereade_rogpeppe, right, makes sense15:00
rogpeppefwereade_: part of the whole point of this is so i can add some code to environs/config that adds two default files to read without adding those attributes *everywhere* a config is made.15:00
fwereade_rogpeppe, what's your immediate response to the idea of having two FakeRootSuites, one of which does its thing at the test level, and one at the suite level?15:01
fwereade_rogpeppe, feels like the code to do so will be quite small, and will eliminate that Test/Suite issue15:01
fwereade_rogpeppe, which is IIRC in 2 places... right?15:02
rogpeppefwereade_: seems like make-work, but if you can think of decent names for 'em, that is a reasonable thing15:02
rogpeppefwereade_: yeah. but i really don't see why i shouldn't be able to use a Suite as i like. we've got a very inheritance-based view of this whole test suite thing.15:02
fwereade_rogpeppe, the only reason for it is that I worry that those Suite+Test bits will slide right by the eyes, even with the comment, and that in a year someone will spend 2 hours debugging ;p15:02
fwereade_rogpeppe, sure -- IMO the right answer is nestable Fixtures15:03
rogpeppefwereade_: call/defer :-)15:03
fwereade_rogpeppe, ha, indeed15:03
rogpeppefwereade_: no need for a "fixture" concept at all :-)15:04
rogpeppefwereade_: anyway....15:04
rogpeppefwereade_: have you got a reasonable name for the FakeRootSuite that sets up for the suite only rather than the tests?15:04
AramI don't like fixtures.15:04
rogpeppeSuiteFakeRootSuite? :-)15:04
rogpeppeAram: me neither.15:05
fwereade_rogpeppe, heh, that question has indeed been exercising me15:05
fwereade_rogpeppe, basically, no I don't15:05
fwereade_rogpeppe, I think maybe I'd prefer a FakeRoot with unqualified SetUp and TearDown15:06
fwereade_rogpeppe, and, well, no tests, so it ain't a suite, but I'm not sure whether that'll be popular15:07
rogpeppefwereade_: none of the fixtures are suites in that respect15:07
fwereade_rogpeppe, indeed, I just seem to recall that argument falling on deaf ears in the past15:07
rogpeppefwereade_: i like the idea, but i'm not sure it'll get through15:08
rogpeppeniemeyer: any thoughts?15:09
niemeyerrogpeppe: None.. I don't know what the context/problem we're trying to solve is15:11
rogpeppeniemeyer: i'll try to explain15:11
rogpeppeniemeyer: in this CL (https://codereview.appspot.com/6853043) i've added FakeRootSuite (a slightly different name for the FakeHomeSuite we talked about)15:11
rogpeppeniemeyer: in at least one context, we need a fake home/root for the extent of a suite run, rather than to be set up every test.15:12
rogpeppeniemeyer: the question is: what's a good way to do that?15:12
rogpeppeniemeyer: in this CL, i'm calling both FakeRootSuite.SetUpSuite and FakeRootSuite.SetUpTest within the test suite's SetUpSuite method15:13
rogpeppeniemeyer: which has the desired effect, but is perhaps non-intuitive.15:13
rogpeppeniemeyer: another possibility is to lose the "Suite" suffix and simply have SetUp and TearDown methods (so it's clear they can be called in any context)15:14
TheMuerogpeppe: You've got a comment.15:15
rogpeppeTheMue: thanks15:15
niemeyerrogpeppe: Why do we need a suite in that case?15:20
niemeyerrogpeppe: How many tests are using this?15:20
niemeyerrogpeppe: Or rather, how many suites15:21
rogpeppeniemeyer: 1215:21
rogpeppeniemeyer: using FakeRootSuite15:21
niemeyerrogpeppe: Wow, why do they need it?15:22
rogpeppeniemeyer: in most places they're replacing ad-hoc $H15:22
rogpeppeOME setup code15:22
niemeyerrogpeppe: Which I assume it's just os.Setenv("HOME", foo) + os.Setenv("HOME", oldenv)?15:23
rogpeppeniemeyer: plus making the relevant directories15:23
niemeyerrogpeppe: That's c.MkDir()15:23
rogpepperogpeppe: os.Mkdir(filepath.Join(home, ".juju"), 0777) etc15:24
rogpeppeniemeyer: this just abstracts out the relevant piece from JujuConnSuite15:25
rogpeppeniemeyer: as we discussed15:25
niemeyerrogpeppe: I think I'd rather fix gocheck so that it preserves the environment across runs, and have a trivial SetupHome directory15:25
rogpeppeniemeyer: that would be better, of course. i didn't think gocheck changes were on the cards.15:26
rogpeppeniemeyer: fancy doing it?15:29
rogpeppeniemeyer: can we put this in in the meantime? then it's all abstracted out and easy to remove in one fell swoop.15:32
niemeyerrogpeppe: I'd prefer to solve the issue at once15:43
rogpeppeniemeyer: ok, sounds good.15:43
niemeyerrogpeppe: Even because that whole thing is taking more time to talk about than to do it15:43
niemeyerrogpeppe: How many lines does this function have? 3?15:43
rogpeppeniemeyer: about 26 all told15:44
rogpeppeniemeyer: not including function headers15:44
niemeyerrogpeppe: :-)15:45
niemeyerrogpeppe: Put it in a loop and let's count again!15:45
niemeyerrogpeppe: No, seriously.. this is trivial15:45
rogpeppeniemeyer: i agree that it would not have been much work to add yet another place that set up $HOME and created a skeleton juju directory, but it felt wrong, which was why i mentioned it to you recently15:45
rogpeppeniemeyer: and we agreed to do this15:45
rogpeppeniemeyer: and now i've done it you don't like it, which is a bit galling15:46
niemeyerrogpeppe: Also, why are we creating .ssh and .juju directories?15:46
niemeyerrogpeppe: I've seen one or two places that create it15:47
rogpeppeniemeyer: so that we can pick up authorized keys and (in a CL later in the pipeline) tls certs from the "home" dir15:47
niemeyerrogpeppe: .ssh, specifically15:47
rogpeppeniemeyer: so that we don't need to add attributes to every single place that creates a juju config15:47
niemeyerrogpeppe: I'm concerned that we continue to grow up stock harness15:48
rogpeppeniemeyer: i'm concerned by the number of places we have to change if we change anything about the config.15:48
rogpeppeniemeyer: a second or two at an absolute maximum, over all the tests, is not going to affect things badly.15:49
niemeyer% grep '"\.ssh"' * -r 2>/dev/null | grep _test | wc -l15:49
niemeyer215:49
rogpeppeniemeyer: try grepping for "authorized-keys"15:50
niemeyerrogpeppe: Yep?15:51
rogpeppeniemeyer: almost every one of those is there because we can't use the usual config default of reading the .ssh directory.15:52
rogpeppeniemeyer: i'm just about to add two more equivalent attributes15:53
rogpeppeniemeyer: and i'd quite like not to add the new attributes (which can likewise be sourced by reading from $HOME) to every place that currently mentions "authorized-keys"15:54
niemeyerrogpeppe: Okay, so you want to replace that one-line entry in the dummy configuration by a member suite and multiple function calls that set up a fake environment?15:54
niemeyerrogpeppe: Doesn't seem like an improvement at all to me?15:54
rogpeppeniemeyer: if fixtures weren't so heavy weight, it would be just two function calls, but yeah, you're probably right, it's not worth it. i'll abandon.15:56
niemeyerrogpeppe: A lighter function of it might be interesting, but I'm concerned that I've seen more meta-development happening around TLS than actual progress15:57
rogpeppeniemeyer: yeah. :-|15:57
rogpeppeniemeyer: how about this? it's the specific case that caused me to want to generalise to FakeRootSuite. https://codereview.appspot.com/6843046/16:25
niemeyerrogpeppe: Do we need to switch all the tests?16:27
niemeyerrogpeppe: What's the specific tests being implemented?16:27
rogpeppeniemeyer: sorry, what do you mean by "switch all the tests"?16:28
rogpeppeniemeyer: are you asking whether it's necessary to set up the directory for all the tests?16:28
niemeyerrogpeppe: Yes, I'm asking about the feature we're adding.. this is adding logic to a test suite that wasn't there before16:29
niemeyerrogpeppe: So supposedly there are quite a few tests there which do not need additional harness16:30
rogpeppeniemeyer: yes, that's true. should i split the suite?16:30
niemeyerrogpeppe: Can we do nothing?16:30
rogpeppeniemeyer: we can do nothing if we're prepared to have an x509 certificate sitting in the middle of every textual config in that file.16:30
rogpeppeniemeyer: personally, i think that would clutter the code quite badly16:31
niemeyerrogpeppe: You're creating an .ssh directory, not a .x509 one.. I'm having to guess what you have in mind at this point16:31
rogpeppeniemeyer: the .ssh directory is just a convenience. it means we don't need to specifically mention authorized-keys in the configurations. i can remove it if you like.16:32
niemeyerrogpeppe: Can we talk about the problem we're solving?16:33
rogpeppeniemeyer: ok16:33
niemeyerrogpeppe: You continue to ask my opinion without context16:33
rogpeppeniemeyer: i'm trying to add some values to the environs.Config16:33
niemeyerrogpeppe: Why?16:33
niemeyerrogpeppe: nothing in the conversation we had in UDS requires changes to Config, IIRC16:34
rogpeppeniemeyer: so that we can specify the tls root certificate in environments.yaml16:34
niemeyerrogpeppe: That's not what we discussed?16:34
rogpeppeniemeyer: it seems to me that it was, but ok... we need to get a root certificate from somewhere. where do we get it from?16:34
niemeyerrogpeppe: Nope16:35
niemeyerrogpeppe: We never talked about any changes in environments.yaml16:35
rogpeppeniemeyer: ok, so... we16:35
niemeyerrogpeppe: and we certainly won't be asking people to configure root certificates in their environments.yaml.. that would be a freaking terrible user experience16:35
rogpeppeniemeyer: ok, so... how do we know what the root certificate is?16:36
niemeyerrogpeppe: Oh no16:36
niemeyerrogpeppe: Please tell me you still remember the conversation we had at UDS.. :-(16:36
rogpeppeniemeyer: i thought i did16:36
* niemeyer saddens16:36
rogpeppeniemeyer: so, *somehow*, juju.Conn needs to know what the root certificate is, so it can sign the certificate that goes out to the bootstrap node16:37
niemeyerrogpeppe: Yep, it generates it16:38
rogpeppeniemeyer: ok, so what about the next time, when we connect to the environment again?16:38
niemeyerrogpeppe: We read it from disk16:38
rogpeppeniemeyer: juju.Conn reads it from disk?16:38
niemeyerrogpeppe: Man.. we did talk about this before16:38
niemeyerrogpeppe: We talked even about what the parameters should be16:39
rogpeppeniemeyer: ok, i've obviously distorted over the last week16:40
rogpeppeniemeyer: please outline very briefly what you understood from our conversation16:40
rogpeppeniemeyer: hold on, are you saying that there should be no way of making a juju connection without having a home directory?16:41
niemeyerrogpeppe: We need to pass some information into it so that we can decide what to use16:41
niemeyerrogpeppe: IIRC we also agreed that if we provided nil, we'd automatically read the file16:42
rogpeppeniemeyer: scratch that16:42
* rogpeppe thinks16:44
rogpeppeniemeyer: so we don't want to allow people to have different root CAs for different environments?16:45
rogpeppeniemeyer: my thought was that if no certificate was specified in environments.yaml, one would be read from $HOME, same as authorized-keys today16:47
rogpeppeniemeyer: when we were talking about passing the information in, i was thinking that was about the saved temporary root certificate, not the permanent root cert.17:00
rogpeppeniemeyer: i'm sorry if i've derailed.17:01
TheMue*: So, I'm stepping out.17:16
rogpeppeniemeyer: can we perhaps G+ this, before i go further awry?17:16
TheMueAram: Thanks for the detailed information, we'll continue tomorrow.17:16
rogpeppeniemeyer: for the recording, this CL is what i understood by passing some information independently of the config: https://codereview.appspot.com/681911517:23
rogpeppes/recording/record/17:23
rogpeppeniemeyer: that certificate and key being independent of the root cert and key17:23
rogpeppeniemeyer: which is what i was planning to put into the config.17:24
* rogpeppe is going to have to leave in 25 minutes17:37
niemeyerrogpeppe: I think our previous model still holds17:50
niemeyerrogpeppe: There's no need to put anything in environments.yaml.. the user shouldn't have to do that17:51
rogpeppeniemeyer: ok. i thought perhaps the user may want to specify a root CA in environments.yaml. anyway, here's a possible sketch of how things might work without putting anything in environments.yaml (the functions and methods that would need to change) http://paste.ubuntu.com/1356036/17:58
rogpeppeniemeyer: does that make more sense to you?18:00
rogpeppeniemeyer: slightly modified: http://paste.ubuntu.com/1356050/18:05
niemeyerrogpeppe: Looking18:07
rogpeppeniemeyer: BTW i was not going to force the user to put anything extra in environments.yaml (hence the file-reading default in environs/config, like authorized-keys)18:07
niemeyerrogpeppe: So there's no reason to change Config..18:07
niemeyerrogpeppe: authorized-keys handles a file that is not juju-specific18:08
niemeyer/ generated and written to $HOME/.juju/<environ-name>-temp-cert.pem18:09
niemeyerrogpeppe: Why temp-cert?18:09
niemeyer/ The temporary root certificate is required only18:10
niemeyer/ for the first connection to a juju environment.18:10
rogpeppeniemeyer: that's for making the bootstrap instance safe against cloudinit-peekers, but... come to think of it, we'd agreed that wasn't a priority, right?18:10
niemeyerrogpeppe: I'm sure we've agreed to not do this dance at UDS18:10
rogpeppeniemeyer: yeah, ok, that's cool18:11
niemeyerrogpeppe: Was that a different Roger I was talking to? :)18:11
rogpeppeniemeyer: one that has been looking at the wrong set of notes, it seems :-)18:11
niemeyerrogpeppe: Yeah, lesson taken here.. I should certainly not have assumed that the conversation would be enough18:13
rogpeppeniemeyer: ok, updated version: http://paste.ubuntu.com/1356068/18:14
rogpeppeniemeyer: it still seems to me that the extra arguments are unnecessary if we can store the root cert in the config, but i'm happy to go this way.18:16
niemeyerrogpeppe: Stuffing things in the configuration to avoid parameters to a function is poor reasoning18:18
niemeyerrogpeppe: We should put that in the environment configuration if we're indeed using that as an environment setting18:19
rogpeppeniemeyer: ISTM that the configuration parameters currently hold everything necessary for connecting to an environment, and the root certificate is such a thing, hence i thought it a good fit.18:19
rogpeppeniemeyer: but tbh changing the configuration is a right pain, so i'm happy to go this way18:19
niemeyerrogpeppe: We have only one configuration that is not an actual configuration, admin-secret, and that's a bad idea.. it's been cargo-culted from py18:20
rogpeppeniemeyer: we can get rid of that when we talk directly to our own servers, i think18:20
niemeyerrogpeppe: It's not about being a pain or not, and it's not about avoiding parameters to a function or not.. the question is simple: is this an environment configuration setting? If it's not, let's not put in the config18:20
rogpeppeniemeyer: i see where you're coming from. i was thinking of environment as "a juju environment" rather than as a provider environment.18:22
rogpeppeniemeyer: anyway, does the above API look reasonable to you?18:25
niemeyerrogpeppe: Yeah, it doesn't say how started machines get their cert, but what's there looks good18:26
rogpeppeniemeyer: do started machines have a cert?18:26
rogpeppeniemeyer: rather, will they?18:26
niemeyerrogpeppe: Oh nos18:26
rogpeppeniemeyer: i thought we were using passwords for client identification18:27
niemeyerrogpeppe: Why do we need a root cert?18:27
rogpeppeniemeyer: so that clients know who they're talking to18:27
niemeyerrogpeppe: and how does that happen?18:27
rogpeppeniemeyer: via TLS.18:28
rogpeppeniemeyer: no client certificate necessary there.18:28
niemeyerrogpeppe: Yes, and how can TLS verify that the client is talking to the right server18:28
rogpeppeniemeyer: because it verifies that the server holds a private key and the certificate that certifies that key18:28
niemeyer<rogpeppe> niemeyer: do started machines have a cert?18:28
niemeyer<rogpeppe> niemeyer: because it verifies that the server holds a private key and the certificate that certifies that key18:28
rogpeppeniemeyer: ah, started state machines, yes.18:29
rogpeppeniemeyer: others don't need a cert.18:29
rogpeppeniemeyer: perhaps we should just make the private key and certificate available in the state.18:31
rogpeppeniemeyer: then a started machine that needs to become a state server can fetch it when necessary18:32
rogpeppeniemeyer: no need for any additions to the above API if we do that.18:33
rogpeppeniemeyer: gotta go. i hear a voice from below. tomorrow i will move forward as discussed.18:35
niemeyerrogpeppe: We've already discussed this at length before18:35
niemeyerrogpeppe: My opinion is still the same18:35
fssniemeyer: I have another CL for you, but I'm not sure if you will like this one...19:30
niemeyerfss?19:31
fssniemeyer: I'm going to start testing tsuru with go version of juju, but before I've adapted python version to work with vpc19:31
fssniemeyer: https://codereview.appspot.com/6850044/19:31
niemeyerfss: I won't like it or dislike it either :)19:31
niemeyerfss: I'm interested in the concept, though19:32
niemeyerfss: How was it done?19:32
fssniemeyer: actually, we don't mind if it does not get merged, but some deadlines pushed me to do so19:32
niemeyerfss: That's certainly fair19:32
niemeyerfss: It might even get merged19:33
niemeyerfss: But ideally we should have talked about that beforehand19:33
niemeyerfss: How was the change done?19:33
fssniemeyer: I see, sorry about that :-)19:33
fssniemeyer: we've added two new environment settings: vpc_id and subnet_id19:34
fssat this point, every machine in an environment is launched in the same subnet_id19:34
niemeyerfss: How do you handle private ip vs. public ip?19:34
fssniemeyer: that's a good question, I don't handle this yet :-(19:37
niemeyerfss: Okay19:37
niemeyerfss: Yeah, looks like a few things there19:37
fssniemeyer: well, I will work on this now. What approach would you suggest?19:37
niemeyerfss: Expose?19:37
niemeyerfss: What about juju expose?19:41
fssniemeyer: hmm, I didn't look at that too =/19:41
niemeyerfss: Okay, there are a few complicators for an actual implementation19:42
niemeyerfss: The subnet_id/vpc_id must also be internally managed19:43
niemeyerfss: We shouldn't have to ask people to learn about the crazy interface/API Amazon puts in place to get things going19:43
fssniemeyer: my terminal was freak, sorry19:44
niemeyer<niemeyer> fss: We shouldn't have to ask people to learn about the crazy interface/API Amazon puts in place to get things going19:44
niemeyerfss: np19:44
niemeyerThat was about19:44
niemeyer<niemeyer> fss: The subnet_id/vpc_id must also be internally managed19:44
fssniemeyer: I see, but how would juju manage it? creating new vpc's and subnet's?19:45
niemeyerfss: Yeah, I haven't really detailed anything19:49
niemeyerfss: in my mind, that is19:49
niemeyerfss: But the principle is that the user shouldn't have to know all the ins and outs to make use of juju19:49
niemeyerfss: So that necessarily means managing vpc's, subnet's, and I suppose elastic IPs19:50
niemeyerfss: Which makes it somewhat involved19:50
fssniemeyer: but in the case that I'm creating a VPN connection between a VPC and my internal network, I have to know19:50
niemeyerfss: But we'll have to really put some thinking in place and actually do it19:50
niemeyerfss: Well, you can bootstrap the environment, and then do whatever, I think19:51
fssniemeyer: I see19:51
niemeyerfss: Am I missing important details there?19:51
fssniemeyer: in our scenario, we have a security/networking team. They created the VPC, VPN connection and the subnet, and gave to us the id of the subnet and the vpc, that's why I took this approach, where the juju user already knows the id of the vpc and the subnet19:53
niemeyerfss: Sounds like a reasonable scenario19:54
niemeyerfss: We should support it, but we should also have a default mechanism that doesn't require everybody to have a security/networking team :-)19:55
fssniemeyer: sure, makes sense19:56
fssniemeyer: I definitely should have talked to you before, or at least to someone that is not in the same environment that I am19:58
niemeyerfss: Doesn't feel like you wasted too much time, though19:58
niemeyerfss: There's just more to be considered and handled19:59
niemeyerfss: Have you been playing with the Go port already?20:00
niemeyerfss: What are the chances of getting you using the port sooner rather than later?20:00
niemeyerfss: So that we could jointly develop this there?20:01
fssniemeyer: not yet, but I want to do this in our next big weekend in brazil20:01
niemeyerfss: :)20:01
niemeyerfss: Any chance of getting some of you in a sprint in the south of Brazil soon?20:02
fssniemeyer: I want to start hacking it out on thursday, and I'll let you know20:02
fssniemeyer: I don't, next FISL? :-P20:03
fssI don't know*20:03
niemeyerfss: No, I mean a specific event to get this going20:03
fssniemeyer: hmm, I think there's a chance20:03
niemeyerfss: I want to add support in the Go version real soon20:04
niemeyerfss: We could try to organize a one week sprint here to get these concepts in place20:04
niemeyerfss: Then you could either use the Go version, or port the changes we make to Python, so we have compatibility20:05
fssniemeyer: I will talk to my sponsors :-)20:09
fssniemeyer: they'll probably ask if you can come here too20:09
niemeyerfss: Cool, it would be great to have the juju-involved developers here for a week20:09
fss:-)20:09
niemeyerfss: I can't this time around, specifically, but maybe in the future20:09
niemeyerfss: Something about babies20:10
fssniemeyer: hmm, I see20:10
niemeyerfss: I'd be game for an event in town, though20:10
niemeyerfss: and really, it's not too expensive to have that kind of event all things considered20:10
fssniemeyer: PythonBrasil is two weeks from now :-)20:11
niemeyerfss: I know.. I had to tell Tatiana the same story, unfortunately (in that sense)20:12
fssniemeyer: talking about PythonBrasil, I have to go, we need to add some new stuff to the website, and before that I'm going to get some traffic jam :-(20:16
niemeyerfss: Have fun there20:16
fssniemeyer: thanks20:23
davecheneybooh - amazon are blocking pings to ap-southeast-2 hosts23:39
davecheneyit is ~30 ms from me23:39
davecheneybut I can't confirm23:39
davecheneyin related news23:40
davecheneym1.small, i/o still really slow23:40
davecheneycloudinit takes ~10 mins23:40
