/srv/irclogs.ubuntu.com/2012/11/16/#juju-dev.txt

davecheneyping06:46
davecheneyTheMue: feel like doing some testing ?07:29
TheMuedavecheney: Morning.07:29
TheMuedavecheney: For sure.07:29
davecheneyTheMue: sudo add-apt-repository ppa:gophers/go07:31
dimiternmorning :)07:31
davecheneysudo apt-get install juju-core07:31
davecheneyhello!07:31
TheMuedimitern: Good morning.07:32
TheMuedavecheney: Does it conflict with my environment? Last time of done a test like that it harmed my .ssl07:33
davecheneywhat is a .ssl ?07:33
davecheneythemue what is a .ssl ?07:36
TheMuedavecheney: I meant the directory ~/.ssl (or has it been ~/.ssh). A test for roger removed all rights. ;)07:37
davecheneyno, it will not affect .ssh07:37
TheMuedavecheney: No, that has been the test for Roger. My question has been: How does those installations effect my environment? If it could lead to a conflict I would work with a copy of my VM.07:38
davecheneyinstall a package from a ppa will not harm your machine07:39
davecheneyit has not harmed mine07:39
davecheneyif you are concerned, please do not participate07:39
TheMuedavecheney: No, only wanted to get sure. Not that the ppa go conflicts with the manually installed go.07:41
davecheneyTheMue: yes, thta is correct, do not install the golang-{tip,stable,weekly} package from that ppa07:42
TheMuedavecheney: So what exactly shall I install now?07:44
davecheneysudo add-apt-repository ppa:gophers/go07:44
davecheneysudo apt-get install juju-core07:44
TheMuedavecheney: OK, one moment.07:44
davecheneyadd an sudo apt-get update in the middle07:45
TheMuedavecheney: Good, will do, the ppa is through.07:45
rogpeppedavecheney, TheMue: morning!07:46
davecheneymorning rog07:46
TheMuerogpeppe: Morning.07:46
davecheneyfun and games07:46
davecheneywho is still running precise ?07:46
rogpeppedavecheney: if you had a moment to have a look at some of my outstanding reviews, that would be marvellous...07:47
rogpeppedavecheney: i am07:47
TheMuedavecheney: I do.07:47
davecheneyfancy test 1.9.2 before I send out the release notification07:47
rogpeppedavecheney: i'll try the apt-get install07:47
rogpeppedavecheney: should i uninstall first?07:47
davecheneyrogpeppe: nope07:47
davecheneyhttps://docs.google.com/a/canonical.com/document/d/1siI1MeZmUP_NenX2Glhex1RODLChoU3ImzNfnVsg1Y807:48
TheMuedavecheney: So, install is through, installed juju-core_1.9.2-1~721~precise1_amd64.deb ok.07:48
rogpeppedavecheney: that comes up as an untitled document for me07:48
rogpeppedavecheney: with nothing in07:49
TheMuedavecheney: Regarding the document like for rogpeppe here.07:49
davecheneyrogpeppe: https://docs.google.com/a/canonical.com/document/d/1siI1MeZmUP_NenX2Glhex1RODLChoU3ImzNfnVsg1Y8/edit07:49
rogpeppedavecheney: do i need to apt-get update? (i already have already done apt-get install juju-core in the past)07:49
davecheneydpkg -l juju-core07:49
davecheneyif it says 1.9.2-107:49
davecheneyyou're good07:49
davecheneywhich juju07:50
davecheneyif that says /usr/bin/juju07:50
davecheneyyou're good07:50
rogpeppedavecheney: i tell a lie. it was just known to apt-cache, that's all.07:50
TheMuedavecheney: /usr/bin/juju and 1.9.2-1~721~precise1 here07:51
rogpeppedavecheney: as expected: http://paste.ubuntu.com/1362048/07:51
davecheneyTheMue: then follow the instructions in the document with respect to your environments.yaml and try to bootstrap07:52
rogpeppedavecheney: i guess i should uninstall pyjuju07:52
davecheneyrogpeppe: i'm surprised both could be installed at once07:52
rogpeppedavecheney: they couldn't07:53
rogpeppedavecheney: it failed doing the first install (and i have not done apt-get install juju-core in the past!)07:53
rogpeppedavecheney: after doing apt-get remove juju, it installed just fine07:55
davecheneytwo secs, changing machines07:56
davecheneyhow's it going ?08:03
rogpeppedavecheney: how's what going?08:04
davecheneyanyone tried 1.9.2 ?08:05
TheMuedavecheney: Hmm, I'm funnily missing my .juju directory. Dunno why yet.08:05
davecheneyTheMue: when was the last time you deployed juju ?08:06
rogpeppedavecheney: i think we should default the public-bucket setting to something useful08:06
davecheneyrogpeppe: already fixing it08:06
TheMuedavecheney: Before I made some changes here on my system to work with lxc.08:06
TheMuedavecheney: But isn't juju bootsrap intended to create an initial one?08:07
davecheneyTheMue: not our version08:07
davecheneydid the python version make one if missing ?08:07
rogpeppedavecheney: nope08:07
TheMuedavecheney: Yes, because it complains.08:07
davecheneyTheMue: please raise that as a bug, i don't think anyone has that on their radar08:08
TheMuedavecheney: I'll create one by hand. My latest tests have been for William, before Copenhagen. Grmlblx!08:08
davecheneyhttps://codereview.appspot.com/685105708:08
TheMuedavecheney: Yep, will do.08:08
rogpeppedavecheney: jujud version reports 1.9.1 BTW. should it be 1.9.2 ?08:10
rogpeppedavecheney: it's bootstrapped fine, for the record08:10
davecheneyrogpeppe: what tools did it download, from cloud-init-output08:10
rogpeppedavecheney: 1.9.208:11
rogpeppedavecheney: (from the status output)08:11
davecheneystrange, you sohld have a jujud on your system08:11
davecheneywhat are the md5 sums08:11
rogpeppe% md5sum /usr/bin/juju*08:11
rogpeppecec0c4334013c5141e6853335074df49  /usr/bin/juju08:11
rogpepped12c6225e72bd840f83d583f403f1842  /usr/bin/jujuc08:11
rogpeppe72aad860f374b312dd054b3a548489ed  /usr/bin/jujud08:11
rogpeppeaaahhh08:12
rogpeppemodification time on those files is november 1st08:12
rogpeppewhich might indicate that the apt-get install didn't.08:12
davecheneyshould be today08:12
davecheneydpkg -l juju-core08:12
rogpeppeno, ctime is this morning08:13
rogpeppeit's just apt-get setting mtime inappropriately08:13
rogpeppe(i wish things wouldn't do that - mtime is useful info)08:13
rogpeppedavecheney: ii  juju-core      1.9.1-0~708~pr Juju is devops distilled08:14
davecheneyy'all got the wrong version mate08:14
rogpeppedavecheney: i did apt-get update, and the version is still the same08:15
TheMueHmm, my problem seems to go deeper. Thankfully I've got a snapshot of an older vm. I'll look for my juju environment there.08:15
rogpeppedavecheney: (dpkg -l lists the same version, at any rate)08:15
rogpeppeTheMue: what errors do you get?08:16
rogpeppeTheMue: (this is useful stuff, to find out what problems people are likely to run into)08:16
TheMuerogpeppe: First my ~/.juju has been missing, now I get a "error: cannot query old bootstrap state: Access Denied".08:16
rogpeppeTheMue: sounds like your amazon keys are wrong08:17
davecheneyTheMue: that means you don't own your control bucket08:17
davecheneyeither your keys are wrong08:17
davecheneyor you down't own it08:17
rogpeppeTheMue: yeah, try renaming your control bucket08:17
rogpeppeTheMue: where did you get the name of the control bucket from?08:17
TheMueOne moment.08:17
rogpeppei wonder if we should derive the name of the control bucket from the AWS_ACCESS_KEY_ID and the environment name, and delete it from the environments.yaml config08:19
davecheneyTheMue: did you set control-bucket: juju-dist by mistake ?08:19
rogpeppei remember running into this issue08:19
rogpeppeTheMue: perhaps you could paste what you've currently got in your environments.yaml08:19
davecheneyrogpeppe: -1, that would mean someone else who had different amazon credentials could not drive a shared environment08:19
rogpeppedavecheney: they couldn't anyway - they couldn't access the bucket08:20
davecheneyrogpeppe: hmm08:20
davecheneythat is a point08:20
rogpeppedavecheney: anyway, i think the idea is to delete the control bucket and use instance tags, which amounts to much the same thing.08:20
davecheneyin that case +108:21
davecheneyraise an issue08:21
rogpeppedavecheney: so it'll go away of its own accord08:21
rogpeppedavecheney: oh.... except for upload-tools08:21
* davecheney waves fist at upload tools08:22
rogpeppedavecheney: for upload-tools (which only developers need), we could have another attribute08:23
rogpeppedavecheney: it's not really a control bucket in that case anyway08:23
davecheneyrogpeppe: yup, i don't think we need to advertise our developer hooks08:25
rogpeppedavecheney: i think we should document them like we document everything08:26
rogpeppedavecheney: but most people should not need 'em08:26
davecheneyso, anyone bootstrapped yet ?08:27
* davecheney afk for 20 mins, dinner is on the table08:32
rogpeppedavecheney: yeah sure, but you said i'd got the wrong version08:32
davecheneyapt-get update && apt-cache search juju-core08:34
rogpeppedavecheney: that doesn't tell me the juju-core version08:35
rogpeppedavecheney: dpkg -l says it's still 1.9.108:35
TheMuerogpeppe: It seem to be my values for control-bucket and admin-secret, found them in an old saved env. How can I obtain the get my ones? I alredy checked my amazon keys, they are correctly set in the environment (not yaml).08:39
rogpeppeTheMue: they can be anything08:39
rogpeppeTheMue: but the control-bucket must be unique08:39
rogpeppeTheMue: on s308:39
rogpeppeTheMue: just type some random alphanumeric characters for the control bucket name08:40
TheMuerogpeppe: OK, will take a uuid08:41
davecheneyrogpeppe: not sure what is wrong with your machine08:45
davecheneyhttp://ppa.launchpad.net/gophers/go/ubuntu/dists/precise/main/binary-amd64/Packages08:45
TheMuerogpeppe: Ah, this time it looks better. No error.08:45
davecheneythe ppa is up to date08:45
rogpeppeTheMue: what does this print for you? /usr/bin/jujud version08:46
TheMuerogpeppe: A fine "1.9.2-precise-amd64". :)08:46
TheMuedavecheney: So, after bootstrapping, what shall I test next for you?08:47
davecheneyTheMue: juju ssh -- 'uname -a'08:47
davecheneysorry juju ssh 0 -- 'uname -a'08:48
* TheMue still wonders at which point his ~/.juju has gone.08:48
davecheneyshuld be the precise kernel08:48
davecheneydefault-series is sitll busted08:48
rogpeppedavecheney: i've no idea what's wrong with my machine either. i've steered clear of all dpkg internals before now.08:48
davecheneysudo apt-get remove juju-core08:48
davecheneyapt-get update08:48
davecheneytry readding the ppa08:48
rogpeppeTheMue: you need plan 9's dump filesystem :-)08:48
davecheneycheck in /etc/apd/source.apt.d/08:48
TheMuerogpeppe: Gna, he again. :D08:49
TheMuerogpeppe: On OS X I've got my tome machine.08:49
rogpeppedavecheney: do you mean /etc/apt/sources.list.d ?08:49
rogpeppedavecheney: in there i see a file gophers-go-precise.list, containing this:08:50
rogpeppedeb http://ppa.launchpad.net/gophers/go/ubuntu precise main08:50
rogpeppedeb-src http://ppa.launchpad.net/gophers/go/ubuntu precise main08:50
TheMuedavecheney:  It returns "Linux domU-12-31-39-0E-C5-E1 3.2.0-32-virtual #51-Ubuntu SMP Wed Sep 26 21:53:42 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux"08:50
rogpeppewhich looks plausible to me08:50
rogpeppedeb http://ppa.launchpad.net/gophers/go/ubuntu precise main08:51
rogpeppedeb-src http://ppa.launchpad.net/gophers/go/ubuntu precise main08:51
davecheney3.2.0, that is precise08:51
davecheneyTheMue: try destroying that environemnt08:51
davecheneyadding "default-series: quantal" and bootstrapping again08:51
davecheneymy suspicion is that you will get precise again08:52
TheMuedavecheney: ok08:52
rogpeppedavecheney: i used curl to fetch the ppa.launchpad.net/gophers/.../Packages url and it gives me juju core with version 1.9.2 as expected08:53
davecheneyyeah, i should have suggested that08:53
rogpeppedavecheney: it doesn't mean i've actually got 1.9.2 installed now08:53
davecheneyyou can find the link here https://code.launchpad.net/~dave-cheney/+recipe/juju-core08:53
rogpeppedavecheney: i wonder if it's a caching issue08:54
davecheneyapt-get update | grep ppa08:55
davecheneyannoyingly it only syas the host08:55
davecheneynot the sub repo08:55
davecheneyif you see Ign08:55
davecheneythen it could be a cachcing issue08:55
davecheneyyou can remove the cache08:55
davecheneybut that would be getting a bit too serious08:55
davecheneyas long as you have the deb installed, that'll do08:55
rogpeppedavecheney: http://paste.ubuntu.com/1362136/08:55
rogpeppedavecheney: hmm, should it mention gophers there?08:56
davecheneyrogpeppe: mine doesn't :(08:56
davecheneywhich is shitful08:56
rogpeppedavecheney: well, when i just did add-apt-repository, it seemed to do something, so maybe  that was the problem08:57
TheMuedavecheney: Hmm, this time ssh after bootstrap needs a bit longer.08:58
rogpeppedavecheney: but apt-get update still leave me on 1.9.108:58
Aramhave to catch a plane guys08:58
Aramsee you later08:58
TheMuedavecheney: Ah, now: "Linux ip-10-244-154-239 3.2.0-32-virtual #51-Ubuntu SMP Wed Sep 26 21:53:42 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux" You're right.08:59
* rogpeppe has no idea what the relationship between apt and dpkg is09:00
davecheneyrogpeppe: dpkg is debian package == deb09:06
davecheneywhich handles package09:06
davecheneyapt is the bit that gets packages onto and off your system09:06
davecheneyTheMue: as i thought, that is still precise09:06
rogpeppedavecheney: i'm not sure i understand the distinction there09:06
rogpeppedavecheney: apt is just a glorified url fetcher?09:07
TheMuedavecheney: So not what you wanted.09:07
rogpeppedavecheney: except it must wrap dpkg to do the work, i guess09:07
davecheneyTheMue: nope, really annoyting #107406409:08
davecheneyrogpeppe: yes, apt calls dpkg09:08
davecheneyrogpeppe: in true python style, apt will cook you dinner if you treat it right09:08
davecheneyrogpeppe: dpkg is to tar, what apt is to wget09:08
davecheneyrogpeppe: and if you find using apt too cumbersome09:09
rogpeppedavecheney: ok, i see09:09
davecheneyther eis always aptitude, or synaptic09:09
rogpeppedavecheney: the only problem i have with apt is that it prints too much crap09:09
davecheneyrogpeppe: lets do some reviews09:12
davecheneyhttps://codereview.appspot.com/6851057/09:12
rogpeppedavecheney: i'll swap ya: https://codereview.appspot.com/6843059/09:13
davecheneydone!09:13
rogpeppedavecheney: (by no means a fair swap though!)09:13
davecheney... 800 lines09:14
rogpeppedavecheney: most of that is tests09:18
rogpeppedavecheney: the core code is actually not too big (and would be a lot smaller if it wasn't for the infernal complexity of x509)09:19
rogpeppedavecheney: thinking about it, i'm not sure that config is the right place to default the public bucket09:21
rogpeppedavecheney: oops09:22
rogpeppedavecheney: scratch that!09:22
rogpeppedavecheney: i thought i was looking at environs/config09:22
rogpeppedavecheney: LGTM09:22
niemeyerHello all!11:00
rogpeppeniemeyer: yo!11:00
rogpeppeniemeyer: i've been wondering about the best place to pass the root CA certificate around.11:03
rogpeppeniemeyer: my current thinking is that it can be a new field in state.Info11:04
rogpeppeniemeyer: does that seem reasonable to you?11:04
niemeyerrogpeppe: Yeah, seems right11:05
rogpeppeniemeyer: cool11:05
rogpeppeniemeyer: the only slight wrinkle is that Environ.StateInfo can't currently return it (and even if it did, you wouldn't want to trust it)11:05
rogpeppeniemeyer: but i think that's just something we document11:06
niemeyerrogpeppe: Hmm.. yeah11:07
niemeyerrogpeppe: We can fix it easily, I guess, if we find a better way11:07
niemeyerrogpeppe: But feels like a good way in principle11:07
rogpeppeniemeyer: great11:07
rogpeppeniemeyer: i derailed yesterday and added a new RootCertPEM argument to StartInstance, then realised this morning that it's unnecessary. but Bootstrap still needs another argument (unless we want to deduce the root cert from the state server cert, which i'm reluctant to do)11:09
niemeyerrogpeppe: Bootstrap the function or Bootstrap the method?11:10
rogpeppeniemeyer: Bootstrap the method11:10
niemeyerrogpeppe: Why do we need the root cert there?11:10
rogpeppeniemeyer: because the newly bootstrapped instance needs to know the root CA cert11:11
rogpeppeniemeyer: so that it can pass it to new instances11:11
niemeyerrogpeppe: Hmm.. why?11:11
rogpeppeniemeyer: so that the new instances can verify they're talking to the right server11:11
niemeyerrogpeppe: Shouldn't they use the server cert for that?11:12
rogpeppeniemeyer: TLS authentication works by verifying against root CAs, no?11:12
niemeyerrogpeppe: How can the client tell if a signature for which I'm providing a cert is a root cert or not?11:13
rogpeppeniemeyer: it can tell that the cert provided by the server is signed by the same root cert it was given at bootstrap time11:14
rogpeppeniemeyer: which is all we need... i think11:14
niemeyerrogpeppe: That works too, for sure.. it'd be easy to make the server cert itself work as well11:15
niemeyerrogpeppe: Maybe we don't want that, though..11:15
rogpeppeniemeyer: how would that work? i went off that route ages ago at your prompting11:15
niemeyerrogpeppe: I don't think there's any off route done so far11:16
rogpeppeniemeyer: we can verify the server cert name, which could be useful11:16
niemeyerrogpeppe: What you've implemented is not my wishes.. it's barebones TLS11:16
rogpeppeniemeyer: i'm talking about my original thoughts about certificate distribution, which verified against the certificates directly, not against a root CA.11:16
niemeyerrogpeppe: That's what I'm talking about too.. I'm not suggesting changing anything that is in place right now11:17
rogpeppeniemeyer: i'm not quite sure what you mean by "make the server cert itself work as well"11:17
niemeyerrogpeppe: Okay, nevermind11:17
rogpeppeniemeyer: by passing around the root CA cert, we make it possible to upgrade server certs in the future11:18
niemeyerrogpeppe: So you want to send the root cert to every client11:18
rogpeppeniemeyer: yeah11:18
niemeyerrogpeppe: That starts to feel more like an environment setting11:18
rogpeppeniemeyer: the client needs to know it before it connects to the state, so it's not that useful as part of the environment settings11:19
rogpeppeniemeyer: but i can certainly see it as an environment setting in the future11:19
rogpeppeniemeyer: so that we can update the root certificate11:19
niemeyerrogpeppe: Indeed11:20
niemeyerrogpeppe: So, should we do that now instead of waiting and fixing?11:24
rogpeppeniemeyer: i don't think there's any particular need - it will really be adding rather than fixing, i think11:24
rogpeppeniemeyer: i think we'll still need the mechanisms i'm putting in place11:25
niemeyerrogpeppe: Cool11:25
rogpeppeniemeyer: it would be great to get some feedback on https://codereview.appspot.com/6843059/ if you have some time today, BTW12:34
niemeyerrogpeppe: Will run through the whole queue today still12:35
rogpeppeniemeyer: yeah, but i know this'll be near the bottom 'cos it's big :-(12:35
niemeyerrogpeppe: You'll have some feedback before the end of your day still12:36
rogpeppeniemeyer: cool, that would be lovely12:36
rogpeppeniemeyer: it's a pity it turned out so big - conceptually it's only about 6 operations12:37
niemeyerrogpeppe: I know.. it's just dense12:37
rogpeppeniemeyer: yes. there are a lot of little decisions went into some parts of it.12:38
TheMuelunchtime, bbl12:54
niemeyerTheMue: Enjoy13:00
TheMueAnd back again.13:16
TheMueniemeyer: Thx.13:16
niemeyerTheMue: Wow :)13:16
niemeyerTheMue: That's fast13:17
TheMueniemeyer: Yeah, want to step out earlier today. ;)13:17
TheMueNow I have to think about a good unit testing for lxc.13:20
rogpeppeniemeyer: ping13:39
niemeyerrogpeppe: hi13:39
rogpeppeniemeyer: just wanted to check something for reasonableness13:39
niemeyerrogpeppe: Sure thing13:39
rogpeppeniemeyer: the juju command now reads from the user's home directory (to get the root CA certificate)13:39
rogpeppeniemeyer: and i'm slightly reluctant to add fake home directory wrapping to every single test in cmd/juju13:40
rogpeppeniemeyer: and there is an easy workaround, but i'm not sure you'll like it, hence my asking13:40
rogpeppeniemeyer: i'm making juju.NewConn take a root certificate argument (same as juju.Bootstrap - if it's nil, it's read from $HOME/.juju)13:41
rogpeppeniemeyer: all the calls in cmd/juju call juju.NewConn(env, nil)13:41
niemeyerrogpeppe: Sounds reasonable13:42
rogpeppeniemeyer: the workaround is to make them call juju.NewConn(env, defaultRootCertPEM), where defaultRootCertPEM is a variable that's always nil except when testing13:42
niemeyerrogpeppe: Well, I can foresee cases where we'll want to define it in code too13:42
rogpeppeniemeyer: i'm not sure what you mean13:43
niemeyerrogpeppe: But it's not really important right now13:43
niemeyerrogpeppe: "always nil"13:43
rogpeppeniemeyer: another possibility is to add a flag that specifies the filename or the root certificate itself.13:44
niemeyerrogpeppe: "or the root" or "of the root"?13:44
rogpeppeniemeyer: both :-)13:44
niemeyerrogpeppe: So I don't understand what this means13:44
rogpeppeniemeyer: the filename of the root certificate, or the root certificate itself (as a literal string)13:45
niemeyerrogpeppe: You're suggesting we overload a single argument to mean both a filename and the data for the cert?13:45
rogpeppeniemeyer: no, i'm saying the flag might specify either - we'd need to decide13:46
rogpeppeniemeyer: or we might have two flags13:46
niemeyerrogpeppe: Why is that different from Bootstrap?13:46
niemeyerrogpeppe: The whole thing is starting to feel a bit hackish, to be honest..13:47
niemeyerrogpeppe: We have a mechanism to read the environment data from disk abstracted away13:47
niemeyerrogpeppe: and then we take that data, and go back to disk to look for more13:47
* niemeyer looks at some code13:47
rogpeppeniemeyer: we need to be able to save something to disk and then recover that, and that's what this is about13:48
rogpeppeniemeyer: the thing that i think is most hackish is the interface in the juju package, which really shouldn't know about $HOME stuff really, probably.13:49
niemeyerrogpeppe: This looks like the wrong place to be doing this13:49
niemeyerrogpeppe: Exactly13:49
rogpeppeniemeyer: i'd prefer to pass something into the juju calls that abstracts out the data saving and restoring13:49
niemeyerrogpeppe: I think we should put that in the environment configuration as you originally suggested, given that we've already said we're going to be distributing that to all machines anyway13:49
niemeyerrogpeppe: (which means it *is* an env setting, after all)13:50
rogpeppe:-|13:50
rogpeppeniemeyer: we still need some way of saving data and restoring it13:50
niemeyerrogpeppe: This means we could put the whole logic within the existing functions that deal with pulling the env out of disk from environs13:50
rogpeppeniemeyer: the environment config only gets us some of the way13:50
niemeyerrogpeppe: If the root cert isn't found there, we generate it in place around the logic that is already managing $HOME stuff13:51
niemeyerrogpeppe: So we avoid the two-worlds situation13:51
rogpeppeniemeyer: the place that's already managing $HOME stuff is environs/config13:52
rogpeppeniemeyer: and i'm not convinced that should be the place that generates a certificate and key13:52
niemeyerrogpeppe: Uh.. no?13:52
niemeyerrogpeppe: Look for any logic about $HOME there13:52
rogpeppeniemeyer: i'm thinking about authorized_keys13:53
niemeyerrogpeppe: Ah, okay13:53
niemeyerrogpeppe: But see ReadEnvirons13:53
rogpeppeniemeyer: yeah, that's a reasonable place (but not with that name)13:54
niemeyerInteresting.. I guess we're not yet generating the default environments.yaml in the Go port?13:54
rogpeppeniemeyer: no. this was talked about this morning actually.13:54
rogpeppeniemeyer: i didn't realise the python version did13:55
niemeyerrogpeppe: Oh, what was the context/conclusion?13:55
rogpeppeniemeyer: TheMue was trying to get a working juju live13:55
rogpeppeniemeyer: i think davecheney might've raised an issue actually13:56
rogpeppeniemeyer: personally, i think it would be better as a separate command13:56
TheMuerogpeppe: I have raised it after dave asked me to do so.13:56
rogpeppeniemeyer: juju generate-environment, or something13:57
rogpeppeTheMue: cool13:57
niemeyerrogpeppe: A separate command won't make the first-user experience any simplre13:57
niemeyersimpler13:57
rogpeppeniemeyer: no, but unexpected side-effects aren't great either13:57
niemeyerrogpeppe: They're not great if they're not great13:57
rogpeppeniemeyer: when does the python version generate a new environments.yaml? when it can't find one?13:58
niemeyerrogpeppe: What's the actual problem?13:58
niemeyerrogpeppe: Sounds.. sensible? :)13:58
rogpeppeniemeyer: i dunno. if i call juju bootstrap accidentally on the wrong machine, i'm not sure i want it to lay a turd in my home directory13:59
rogpeppeniemeyer: particularly as it might contain some secret information.13:59
rogpeppeniemeyer: but i can see the ease-of-use argument too13:59
niemeyerrogpeppe: You mean an automatically generated environments.yaml will contain secret information? That'd be curious. :)14:00
rogpeppeniemeyer: i thought it might take some info from environment variables (e.g. AWS_SECRET_KEY) but i guess it doesn't need to14:00
niemeyerrogpeppe: Either way, let's get over it. It's a default sample file.. I think it's working fine so far.14:00
rogpeppeniemeyer: so which provider does it provide an entry for?14:01
rogpeppeniemeyer: or does it perhaps provide an entry for all known providers?14:01
niemeyerrogpeppe: We support a single provider.. the answer seems straightforward14:01
rogpeppeniemeyer: we will support many.14:01
niemeyerrogpeppe: Probably the local one in the future.. ec2 right now14:01
niemeyerPlus commented out samples14:01
rogpeppeniemeyer: i wonder if it might actually be good to generate a sample file with entries for all providers.14:02
rogpeppeniemeyer: then the user can choose the one they want14:02
niemeyer<niemeyer> Plus commented out samples14:02
niemeyerrogpeppe: The local provider is going to be ubiquitous14:02
niemeyerrogpeppe: We can keep it as the default14:02
rogpeppeniemeyer: yeah.14:02
niemeyerrogpeppe: Either way, we don't have to solve that now.. the current answer is obvious14:02
rogpeppeniemeyer: so... do we want a method on EnvironProvider that returns a sample environment config?14:03
rogpeppeniemeyer: so that we don't always produce a sample with the same control-bucket or admin-secret, for example14:03
rogpeppeniemeyer: (that's always a stumbling block)14:04
niemeyerrogpeppe: I suggest renaming ReadEnvirons to LoadEnvirons, and bundling it there14:04
niemeyerrogpeppe: only in the case where "" is used, specifically14:05
rogpeppeniemeyer: that sounds reasonable14:05
rogpeppeniemeyer: so would we store the root CA certificate in environments.yaml or in a file alongside it?14:06
niemeyerrogpeppe: Maybe we don't even have to rename, actually.. just document it properly14:06
niemeyerrogpeppe: I think the current mechanism we are putting in place works best14:06
niemeyerrogpeppe: <env name>.pem14:06
rogpeppeniemeyer: so if we fail to load the configuration because the <env-name>.pem file exists, we generate it?14:08
niemeyerrogpeppe: s/exists/doesn't exist/, sounds sane14:09
rogpeppeniemeyer: are you actually suggesting we go back to my original plan of having root-cert and root-private-key  as attributes in the config?14:09
niemeyer<niemeyer> rogpeppe: I think the current mechanism we are putting in place works best14:10
niemeyerrogpeppe: Although, maybe we do need it14:10
rogpeppe[13:50:03] <niemeyer> rogpeppe: (which means it *is* an env setting, after all)14:10
niemeyerrogpeppe: Yes, of course, we need the settings too14:10
niemeyerrogpeppe: Otherwise we can't send14:10
rogpeppeniemeyer: exactly14:10
niemeyerrogpeppe: root-pem, though, I assume14:11
rogpeppeniemeyer: pem is just the format; root-cert describes what it is14:11
rogpeppeniemeyer: root-cert-pem if you like, but i don't think the "pem" is necessary at that level14:12
niemeyerrogpeppe: So far I've seen a single file being used14:12
niemeyerrogpeppe: For both cert and key14:12
rogpeppeniemeyer: yes, but in the config it makes sense to have two attributes14:12
rogpeppeniemeyer: i started off with one14:12
rogpeppeniemeyer: but it made things awkward14:13
niemeyerrogpeppe: If we have two attributes, let's have two files too14:13
niemeyerrogpeppe: It actually seems to make sense to have two files14:13
rogpeppeniemeyer: agreed14:13
rogpeppeniemeyer: that's what i'd done previously14:13
niemeyerrogpeppe: Why did it change?14:13
rogpeppeniemeyer: when they weren't stored in the config, it made sense to keep them together as a blob14:14
niemeyerrogpeppe: I'm not sure about how that's related14:14
rogpeppeniemeyer: maybe it was just a consequence of me re-branching from an earlier version14:15
niemeyerrogpeppe: Okay, either way..14:15
niemeyerrogpeppe: What are we doing then?14:15
rogpeppeniemeyer: i'm not entirely happy about losing another week's worth of work, but there we go14:15
niemeyerrogpeppe: root-cert, root-private-key + root-cert-path, root-private-key-path?14:16
niemeyerrogpeppe: Why are you losing anything?14:16
niemeyerrogpeppe: None of that logic is in place yet?14:16
niemeyerrogpeppe: and I hope such a simple change doesn't take *a week*14:16
rogpeppeniemeyer: because all the stuff i've been doing this week relies on passing around root-cert explicitly14:16
niemeyerrogpeppe: I did all of the config refactoring in two days14:17
niemeyerrogpeppe: I'm hoping this is significantly simpler14:17
rogpeppeniemeyer: i'm not saying that it'll take a week14:17
niemeyerrogpeppe: You just said that14:17
rogpeppeniemeyer: but that most of what i've done this week i'll need to redo14:17
niemeyerrogpeppe: Woah?14:17
niemeyerrogpeppe: I really don't see how that's possible14:18
rogpeppeniemeyer: well, i hope not14:18
niemeyerrogpeppe: Sending the server pem to the machine is done the same way.. generating keys is done the same way..14:18
niemeyeretc14:18
rogpeppeniemeyer: anyway, i should be able to drag out my earlier branch which implements exactly root-cert, root-private-key + root-cert-path, root-private-key-path AFAIR14:18
niemeyerrogpeppe: Changing a parameter to a config.Foo() should be on the trivial side14:18
rogpeppeniemeyer: maybe you're right14:19
niemeyerrogpeppe: This should really not take long if one is actually focusing on doing it14:19
niemeyerrogpeppe: We can also continue to move the existing branches forward, since this is trivial to adapt in a follow up14:20
rogpeppeniemeyer: i've got quite a few branches for review, but now none of them are valid.14:20
niemeyerrogpeppe: Why?14:20
rogpeppeniemeyer: well, because they all use the mechanism that we've decided we're not going to use. but if you think it's ok to move forward from there, that seems better to me.14:21
niemeyerrogpeppe: I think pretty much everything I've seen so far looks like progress14:21
rogpeppeniemeyer: good14:21
niemeyerrogpeppe: We still need Bootstrap, etc14:21
niemeyerrogpeppe: Tweaking Bootstrap on a follow up to take the cert from the config should be on the trivial side14:22
rogpeppeniemeyer: change Bootstrap to take a config.Config argument rather than a PEM []byte, right?14:23
niemeyerrogpeppe: Bootstrap already takes an env, doesn't it?14:25
=== TheMue_ is now known as TheMue
rogpeppeniemeyer: ah, good point14:25
mgzguess I should actually add this channel to the list of ones I should sit in now...14:27
niemeyerrogpeppe: I'll step out for lunch.. back in a bit14:27
rogpeppeniemeyer: enjoy!14:27
TheMueniemeyer: Enjoy.14:30
* niemeyer respawns15:32
TheMueniemeyer: One question about Open vSwitch. Just seen it again in the slides Mark sent to us. Which role does is have together with LXC? I never used Open vSwitch before.15:39
niemeyerTheMue: It's responsible for the routing15:57
niemeyerTheMue: But don't worry about it for now15:57
TheMueniemeyer: OK, already thought so. Just wanted to have it confirmed.15:57
niemeyerTheMue: We may end up not even needing it in step one15:58
niemeyerTheMue: Since VPC can deal with multiple IPs15:59
niemeyerTheMue: Of course, we actually have to get VPC working in the first place :)15:59
TheMueniemeyer: Hehe, yep.16:01
=== mmcloud_ is now known as mmcloud
niemeyerHmm, we still haven't done the config-per-charm thingy16:37
niemeyerI'll put that on my list for next week16:37
niemeyerrogpeppe: What is MaxPathLen in Certificate?16:58
rogpeppeniemeyer: i believe it's the maximum number of delegations from root to leaf16:58
TheMueHmm, tests needing root rights aren't nice. But the first one passes.16:58
niemeyerrogpeppe: Have you checked?16:59
rogpeppeniemeyer: nope16:59
rogpeppeniemeyer: i'll check16:59
niemeyerrogpeppe: Seems worthy of understanding before dumping a number there16:59
rogpeppeniemeyer: good point. i was right... almost. 0 is a more appropriate value.17:03
niemeyerrogpeppe: :-)17:03
niemeyerrogpeppe: What does it mean?17:03
rogpeppeniemeyer: it's the number of intermediates in the chain17:03
niemeyerrogpeppe: Downstream or upstream?17:04
rogpeppeniemeyer: from root to leaf17:04
rogpeppeniemeyer: or vice versa17:04
niemeyerrogpeppe: Is this pointing out the number of certificates that are part of the chain that certifies the present certificate, or is it the number of certificates that may be certified by the certificate being created?17:06
rogpeppeniemeyer: it's the number of certificates in any chain derived from the certificate we're creating17:07
rogpeppeniemeyer: if MaxPathLen was 1, then the root certificate we're creating would be able to create certificates that could create certificates verifiable against our root certificate17:08
niemeyerrogpeppe: Why would we restrict this?17:08
rogpeppeniemeyer: it depends how important we deem the root certificate17:09
niemeyerrogpeppe: In which sense?17:09
rogpeppeniemeyer: if we don't mind a state server being able to create certificates for new environments, then we should allow delegation, yeah17:10
rogpeppeniemeyer: choosing no delegation was a totally arbitrary decision - i don't know enough about our security model to know if we want to allow that or not17:11
niemeyerrogpeppe: Okay, sounds good then.. it's cool to keep it at zero until we understand17:11
niemeyerrogpeppe: How about this "anyServer"?17:12
rogpeppeniemeyer: i'll leave the field in, with a comment17:12
niemeyerrogpeppe: 'k17:12
rogpeppeniemeyer: ah yes, "anyServer" :-)17:12
rogpeppeniemeyer: ok, so the default when doing tls authentication is to verify the host name17:12
rogpeppeniemeyer: a certificate is issued for a particular host name17:12
rogpeppeniemeyer: but in our case, when we issue the cert, we don't know the host name17:13
niemeyerrogpeppe: Yeah17:13
niemeyerrogpeppe: In fact, I think in many cases we won't even *have* a hostname17:13
rogpeppeniemeyer: so we cheat, by issuing with a known CommonName (which is used for the host name), and setting the host name to that when verifying17:13
niemeyerrogpeppe: Where do we put that info?17:14
rogpeppeniemeyer: it's in the tls.Config struct17:15
niemeyerrogpeppe: Where?17:15
rogpeppeniemeyer: you can see it used in the checkTLSConnection function in the tests17:16
rogpeppeniemeyer: tls.Config.ServerName17:16
niemeyerrogpeppe: The documentation says this is used for virtual hosting17:17
rogpeppeniemeyer: yeah17:17
rogpeppeniemeyer: so we've got a "virtual host" which is any server we choose to name...17:17
TheMueSo, I'm off. Have a nice weekend.17:17
niemeyerrogpeppe: What happens if we don't put that in?17:17
rogpeppeTheMue: have a good one17:17
niemeyerTheMue: Thanks, you too!17:17
rogpeppeniemeyer: it takes the host name from the net.Conn AFAIR17:18
rogpeppeniemeyer: and then the authentication fails17:18
niemeyerrogpeppe: Hmm.. strange17:18
niemeyerrogpeppe: It has an explicit VerifyHostname17:18
TheMuerogpeppe: Will have, tomorrow with a Celtic Night, Malts, Guiness, Stew, Folk Music ...17:18
rogpeppeTheMue: have fun17:20
rogpeppe!17:20
rogpeppeTheMue: enjoy the irish tunes...17:20
TheMuerogpeppe: Yeah, will do so.17:20
rogpeppeniemeyer: i'll just have a look.17:20
niemeyerrogpeppe: I'm checking too17:21
niemeyerrogpeppe: If that works, I'd prefer to have it set to "*" in the generated certificate, which is closer to the actual convention used in certs, and not mangle it when connecting17:23
niemeyerrogpeppe: That would mean people can actually use real hostname checking by merely generating a real certificate, if they wish17:24
rogpeppeniemeyer: i tried using *17:24
rogpeppeniemeyer: it doesn't work17:24
niemeyerrogpeppe: What happens?17:24
rogpeppeniemeyer: unless you set ServerName to "*" of course17:24
rogpeppeniemeyer: one mo, i'll show you17:25
rogpeppeniemeyer: hmm, i was absolutely certain i'd tried it and it failed... but it works. http://play.golang.org/p/FijZRXselX17:29
rogpeppeniemeyer: that's much better. i couldn't believe it wasn't possible to do it.17:30
rogpeppe"*" it is17:30
niemeyerrogpeppe: Superb17:30
* rogpeppe thinks that's probably one of the larger programs around to have run in the go playground17:32
negronjlm_3: ping17:45
negronjlsorry ... wrong channel :)17:45
niemeyerrogpeppe: Phew, delivered!17:53
rogpeppeniemeyer: yay! well done.17:53
niemeyerrogpeppe: Looking good.. some comments, but nothing significant17:54
rogpeppeniemeyer: that's a relief :-)17:54
rogpeppeniemeyer: i've succeeded in merging the environs/config root-cert changes, BTW and all tests are now passing, which is a relief.17:56
rogpeppeniemeyer: the consequential changes were much bigger than i'd like though, i'm afraid. https://codereview.appspot.com/684606618:03
niemeyerrogpeppe: No worries18:06
niemeyerrogpeppe: I predict they'll all be easily agreeable changes18:06
rogpeppeniemeyer: yeah, there's nothing particularly controversial there.18:06
rogpeppeniemeyer: "*" isn't a universal wildcard unfortunately. we'll still have to set ServerName: http://play.golang.org/p/n4MTKb6fLM18:10
rogpeppeniemeyer: "*" doesn't match "something.com"18:10
rogpeppeniemeyer: this seems relevant: http://www.tbs-certificats.com/FAQ/en/320.html18:11
niemeyerrogpeppe: Hm18:14
rogpeppeniemeyer: we'll still use "*" as a common name though18:16
rogpeppeniemeyer: i was *sure* i'd encountered an issue with it :-)18:16
niemeyerrogpeppe: Okay, I guess we can go with "unknown" as a hostname for now and check later18:16
rogpeppeniemeyer: sounds reasonable.18:17
rogpeppeniemeyer: i'll leave CommonName = "*"18:17
niemeyerrogpeppe: We could set the ServerName based on whether we have a CommonName == "*" in the future, I guess18:18
rogpeppeniemeyer: we don't know the common name until the handshake is done, and then it's too late18:19
rogpeppeniemeyer: we could use InsecureSkipVerify and then do our own checking i suppose18:19
niemeyerrogpeppe: Perhaps, but that's too early I think.. CommonName == "*" + "unknown" sounds fine for now18:21
rogpeppeniemeyer: agreed18:21
rogpeppeniemeyer: time to stop for the day. thanks for the review; will address on monday. have a great weekend!18:22
niemeyerrogpeppe: Thanks a lot for the hard work, and have a pleasant weekend too!18:23
=== rog is now known as Guest2621

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!