/srv/irclogs.ubuntu.com/2013/11/06/#juju-dev.txt

* thumper looks00:00
thumpersinzui: no. sorry00:02
thumpersinzui: but I have felt that our upgrade story is too flakey00:03
thumperI have plans (in my head)00:03
thumperand half written down00:03
sinzuiyeah. Sometimes I need to wait forever for it to happen. I cannot predict if it is slow or will fail00:03
sinzuibut I think the 14 -> 16 upgrades are better than 12 -> 1400:04
thumper:)00:05
=== bjf is now known as bjf[afk]
=== gary_poster|away is now known as gary_poster
=== gary_poster is now known as gary_poster|away
axwthumper: I'm updating the API to support pushing secrets now. I was chatting with rogpeppe yesterday, and we discussed having a negotiation thing during login. Then fwereade and jam reminded us that you were keen on making bootstrap blocking, and secrets-pushing can go there03:52
axwso... I'm just going to add an API call to push secrets. sound ok?03:53
axwwe'll unconditionally call it when making an API connection for now, and later just during bootstrap03:53
thumpersure03:53
thumperand yes we want bootstrap synchronous03:53
thumperit would solve all manner of bootstrap issues03:53
thumpersure03:54
thumperwallyworld: FYI -  https://codereview.appspot.com/2232004304:04
wallyworldthumper: looing04:05
wallyworldlooking even04:05
* thumper goes to help with dinner, then swim04:05
thumperI'll be back later this evening04:05
=== thumper is now known as thumper-afk
wallyworld+1000 to synchronous bootstrap. a lot of us have been wanting that for ever04:06
wallyworldso long as there's feedback as it executes04:06
davecheneyWHOOOOOOOOOOOOT!04:15
axwooh04:16
axwyay for output :)04:16
sodreping ?06:13
sodrewhat is the standard way of including charmhelpers in a charm ?06:21
sodrei.e. should I branch charmhelpers and check it in together with the rest of my charm?06:22
bradmsodre: thats what I've done in my charms, but I don't know if its considered best practice06:23
sodrebradm: thanks.06:28
jamsodre: from everything I've seen you copy charmhelpers into your code06:35
sodrejam: alright :) That's how I'll do it then.06:36
jamaxw: I don't think we want to call it uncondionally during api.Open06:38
axwjam: why not?06:40
jamaxw: we only need to pass secrets 1 time, rather than the 100 times you ever call status/etc806:40
axwjam: sure, but detecting that requires feedback from the server - seems like a lot of work for something that's going to go away soon06:41
axwwe currently go to state each time we connect to see if we need to do it06:41
axwoops, race dector'd my machine06:48
axwdetector'd even06:48
jamrace decor'd sounds more interesting06:48
axwjam: if you replied, I missed it. last message I have is "we currently..."06:49
jamno, I didn't say anything06:49
axwok06:49
axwjam: I realise doing it every connection sucks, so if there's a non sucky way, I'm open to suggestions06:50
jamaxw: is it that hard to add an extra field to Login that says now that you've logged in, can you send the credentials06:50
jam?06:50
axwjam: the Login code knows nothing about environments or secrets. It's probably not hard, just felt a bit wrong. I don't know that area of the code well, though06:52
axwwell, it knows the state object of course06:52
jamaxw: so I think we need a state/api/client level interface that supports passing secrets in, no doubt about that.06:53
axwjam: ah, you're suggesting a result from Login that says the next call should be PushSecrets?06:55
jamaxw: looking at Login today, all it can return is an err06:55
jamand if we changed *that* behavior06:55
jamit would break things like the GUI06:55
axwyup06:55
jamI suppose that might be ok, since the GUI can't ever send secrets?06:55
axwone idea that came up was returning a special error06:55
axwright06:55
jamso you have to always connect via another means 1st time anyway06:55
jamI'd really like to run it by gary_poster|away or someone else on his team06:56
jamI think they're all mostly US time based06:56
axwok06:57
jamaxw: so the Client api for pushing up secrets is needed regardless, we'll likely use it in bootstrap, etc06:57
jamaxw: do you know about "directory.canonical.com" ?06:57
axwjam: yeah, I was thinking you were talking about the idea of adding secrets into the Login call itself, which I think is too much work06:57
axwjam: sure do06:57
jamso frankban is the only one in EU timezone. Huw is in AU, but he's more Web/UI focused.06:58
jamaxw: so I wouldn't put the secrets *into* Login, because I would avoid putting them on the wire as much as possible06:59
jamI was hoping Login had a nice way of telling you something after you login06:59
jamrather than only returning an err06:59
jamand that would give us a way to extend it with "please upload secrets" without telling clients to shove off06:59
jamerr => most clients will probably just disconnect right away06:59
axwjam: yeah. I think GUI requires it to be there already, but I can check with gary_poster|away07:00
jamaxw: I actually don't think it strictly does, though to install the GUI you would have had to pass the secrets07:00
jambecause, you have to "juju deploy" the gui07:00
jamso actually, I think we're ok there07:00
axwwell, sorry, that's what I meant07:00
axwimplicitly requires :)07:01
jamsorry I'm mostly catching up to something that you've probably thought more about07:01
jamso I think short term putting the err return in Login is ok07:01
axwthat's cool07:01
jambecause we don't have much juju client stuff that connects via the api in older versions07:02
jamjust add-unit and get07:02
jamand you are very unlikely to call either of those07:02
jamuntil you've run some other command07:02
jamwhich is why we could get away with it :)07:02
axwhehe07:02
jamaxw: it *was* why I picked those. That and they were pretty straightforward.07:02
jamaxw: if you don't mind investigating a bitd07:02
jambit07:02
jamcan you see if we can add a return parameter to Login that isn't an err?07:03
jamand see if old clients complain about it07:03
axwjam: sure, will do07:03
jamaxw: because if we can do that compatibly, I can see a use case for doing other things at Login time07:03
jamgiving hints about compatibility, etc07:03
axwI'll get the new API call working first, then go onto the Login stuff and look at that first07:03
jamso adding a struct to the return will be generally beneficial07:03
jambut if we need to go the err route, I think that's ok07:04
axwsounds good07:04
jamaxw: I would even go as far as propose the API call so that we can land it07:04
jamso you don't have to have that pending in a branch07:04
jamunless you think it might need tweaking based on your other results07:04
axwwe'll see, tho I expect the only thing that'll change is where it's called07:05
jam(one thought, bootstrap doesn't ever connect as a Client today, so it might just push the secrets direct into the DB, though the fact that we want bootstrap to hang around until the API is up, maybe it is sane to have it do the Client login as well...)07:05
jamaxw: in which case, it would just be the first thing that logged in07:05
jamaxw: I don't really like it being an err as a general quality thing07:06
axwyeah that did occur to me - we could just leave that bit alone once it's implemented for the general case07:06
jambut I could live with it07:06
axwyup, fair enough07:06
axwit's not an error, after all07:06
jamaxw: so looking at state/api/Login today, it just passes "nil" for the response struct07:07
axwjam: yeah, but does adding one after the fact break the clients? that's what you're asking me to investigate, right?07:08
jamaxw: right. I'm poking around right now :). If resp == nil ; resp = &struct{}{} and then we still call conn.codec.ReadBody(resp, isRequest)07:09
jamso it looks like07:09
jamcurrent clients will still consume a body response, and just throw it away07:09
jamwhich is fine07:09
axwcool07:09
jamaxw: but we should probably test that in practice :)07:09
axwand clients ignore extraneous fields, right?07:10
jamaxw: generally, yes07:10
jamJSON.Unmarshal loves throwing away unrecognized things07:10
axwheh07:10
jamaxw: AFAICT there's no way to pass it a Strict flag07:10
* jam => away for lunch and groceries07:13
axwlater07:14
jamaxw: to summarize before I go. It looks like putting it as an extra parameter is going to be just as much work and just as compatible with the existing clients, rather than changing the Err, so I'd rather do that.07:15
jambut, as always, testing with 1.16 against a running patched 1.17 is probably worthwhile07:15
axwjam: agreed, I will go with that.07:15
axw(and test)07:15
dimiternmorning all07:48
=== thumper-afk is now known as thumper
thumperfwereade, jam: do you guys have time for a catch up hangout?07:54
fwereadethumper, sure07:58
thumperfwereade, jam: https://plus.google.com/hangouts/_/76cpjgbfmbsvbg46v349h6l5ug?hl=en08:01
wallyworlddimitern: hi there. how close are you to finishing the get-environment migration to the api?08:32
dimiternwallyworld, get-env is done, finishing set-env now and proposing both08:35
wallyworlddimitern: great :-) cause i need the ability to get environ config via api and i figure your work will include that08:35
dimiternwallyworld, yeah08:36
dimiternwallyworld, basically, you can use client.api.state.EnvironConfig to get it, where client is the "c" receiver of the method08:37
wallyworldok, thanks08:38
wallyworldi need EnvironConfig() exposed in state/api/client08:39
axwwallyworld: is that for add-machine?08:39
wallyworldyeah08:39
wallyworldthe manual provisioning08:39
axwah08:39
* wallyworld -> dinner, bbiab08:41
jamfwereade: I take it you and tim already finished up?08:54
jamwallyworld, dimitern: I think we need to think reasonably carefully about exposing all of EnvironConfig via the Client API. Because it ends up having environ credentials which we don't want to expose to something like the GUI (I think).09:05
wallyworldjam: i need it to create an environs.Environ instance. we could audit the usage of that to see what's really needed. it will be messy09:06
jamwallyworld: what do you need for Environ given you are doing manual provisioning?09:06
jam(I have the feeling it is accidentally using something it shouldn't)09:07
jamjust so it can do something like get AuthorizedKeys09:07
wallyworldjam:  it's used in the manual provisioning code in a few places09:07
jamwhich we ran into for the Provisioner09:07
wallyworldsetting up auth is one such usage i think09:07
wallyworldfinding tools is another09:07
wallyworldi can't recall the third offhand09:07
jamwallyworld: given what you've been saying about avoiding provider storage at all, is that something we are trying to get away from?09:08
jamanyway, I can see it being necessary today, though I'd like us to understand what we really need, because we've run into several cases where we really didn't want it09:08
wallyworldpossibly. i'm initially looking to just do a straight port09:09
wallyworldagreed about seeing what we really need09:09
wallyworldwill get messy, so looking to do it in stages09:09
jamwallyworld: right, the main problem with just the straight port is that we can expose secrets that we don't want to commit to supporting09:09
wallyworldwell, we use State now to get a full env in the current code09:10
wallyworldso the cmd has secrets today doesn't it?09:10
jamwallyworld: yes, but it has straight DB access today. The issue is that this isn't the only point that uses Client09:10
jamGUI uses it directly, for example09:10
rogpeppe1mornin' all09:11
jamand we are trying to support juju -the-commandline that doesn't have raw access to EC2 creds09:11
wallyworldjam: ok, and you are saying as soon as we add that to the api the gui could misuse it09:11
jamso that you can share your env in a limited fashion09:11
jamwallyworld: I'm not saying the GUI would, because i trust Gary et al, but it is *an* api that is leaking security in a place where we weren't before09:11
rogpeppe1jam: what about the case where a GUI client actually needs to change cloud credentials?09:11
jamEnvironConfig specifically09:12
wallyworldjam: yes, that's what i meant09:12
jamis something we've been really careful about sharing09:12
rogpeppe1jam: or in fact, and client09:12
jamwhen it came to the agents09:12
rogpeppe1s/and/any/09:12
jamwallyworld: I think the specific security hole is some *other* code running in the same machine where the GUI (etc) are running and getting access to secrets.09:12
jamcertainly that was the Uniter issue09:12
* wallyworld nods09:12
jamwe didn't want any charm to be able to get access to EnvironConfig09:12
wallyworldjam: ok, so we may need to avoid the EnvironConfig via the api and stick to current method and refactor09:13
wallyworldjam: but get-environment uses it afaik09:13
jamrogpeppe1: that may be a use case that we need to support. *My* point is that we need to actually discuss it and decide from a security perspective rather than just saying "oh just expose this, no problem"09:13
dimiternjam, wallyworld, we already have a way to mask out secret attributes in environ config - take a look at the provisioner api's EnvironConfig09:13
rogpeppe1jam, wallyworld: i think that for the time being at any rate (pending user roles/permissions) we should not take away the ability for a client to see and change the environ configuration09:13
rogpeppe1jam: if we don't, we're breaking backwards compatibility09:14
jamwallyworld: from what I've understood from fwereade, get-environment and set-environment do far too much.09:14
wallyworldi can believe that09:14
jamand that is partially because we've sort of just shoved everything in EnvironConfig09:14
rogpeppe1jam: i guess it's possible we want to do that, but we should at least audit current users to check how much they rely on get-environment09:14
wallyworldlet's discuss after standup with dimitern et al09:14
fwereadejam, wallyworld: well, set-environment is terribly flaky by nature, but I think that's separate09:15
jamwallyworld: like you can trigger an upgrade via set-environment09:15
fwereadejam, wallyworld: yeah, that's something I would like to be very careful to avoid09:15
fwereadejam, wallyworld: we may or may not have code that tries to prevent that09:15
jamrogpeppe1, wallyworld: I would *guess* the #1 use case for it is to handle setting constraints, because we don't expose another way to set whole-environment values09:15
rogpeppe1i totally agree that there are somethings in the environ config that really should not be09:15
jamand you set whole-env values at bootstarp time09:16
fwereadejam, wallyworld: but the state method does basically depend on people calling it "right"09:16
wallyworldyeah09:16
fwereadejam, there are no constraints in environ config actually09:16
rogpeppe1jam: you can set constraints with it?09:16
jamfwereade: isn't that set in "juju set-environment" ?09:16
fwereadejam, nope, set-constraints09:16
jamit may not be EnvironConfig but part of that command?09:16
jamah, k09:16
rogpeppe1jam: if your environment credentials have been compromised and you need to change them, set-environment would seem like the right thing to use09:17
dimiternfwereade, wallyworld, jam, rogpeppe1: https://codereview.appspot.com/22210044/ set/get-environment09:18
rogpeppe1jam: and for debugging, i've certainly relied on get-environment before, for sanity checking (otherwise there's no way of actually finding out what environ config the agents are really using)09:18
rogpeppe1jam: but we should certainly consider (at least) erasing secrets from the return of get-environment09:19
wallyworlddimitern: tests?09:22
fwereaderogpeppe1, jam: I *think* that's dependent on user roles/permissions, isn't it?09:22
rogpeppe1fwereade: yeah, that's my thought09:22
rogpeppe1fwereade: and currently we treat the client as admin, so they get everything09:23
jamfwereade: so I don't have a particular stake in the matter, I just wanted to make sure it got discussed09:23
jamfwereade: it would seem a strong end-run around sharing a .jenv that didn't have env creds09:23
jamif the first thing you could do09:23
jamis run "juju get-env"09:23
jamand have access to them09:23
rogpeppe1fwereade: given they can deploy to machine 0 and read the database, there's not really any security hole that we're avoiding by making the environ config available09:24
rogpeppe1jam: i think that having less privileged users is something we are aiming for, but we're not there yet09:24
fwereaderogpeppe1, jam: true, but I long-term expect people to create relatively restricted users and share .jenvs authing those users as themselves, rather than having anyone actually share their jenv files directly09:25
jamrogpeppe1: so I think with your work about api.Open we could actually support it for many commands very soon09:25
dimiternwallyworld, there are tests already that pass without change09:25
jamfwereade: sure, but if we don't actually think about security at get-environment, then it is a pretty clear whole09:25
jamhol09:26
jamhole09:26
jamanyway, meh. as I said, I wanted us to be aware of it more than anything09:26
wallyworlddimitern: for the new apis? EnvironmentGet/Set?09:26
dimiternwallyworld, oh, right09:26
jamadd-machine sounds like something that should explicitly *not* have an Environ since we aren't provisioning from the environ09:26
dimiternwallyworld, will add, thanks09:26
wallyworlddimitern: we've been adding new tests for those new things we add09:26
wallyworldnp09:26
jambut I can see where it just used it so far, so we can keep doing so09:26
wallyworldjam: right, so we need to understand how env is used in manual provisioning, cause that's why add-machine needs it09:27
wallyworldadd-machine per se doesn't need it09:27
wallyworldbut add machine calls into the manual provisioning api09:28
jamwallyworld: right, LXC Provisioner was asking for it too, and the *only* thing it pulled out of it was authorized keys09:28
jamwhich thumper had to work to fix09:28
wallyworldmanual does that too09:28
wallyworldplus some other stuff09:28
jambecause the MaaS environ can't be created if you strip secrets out of it09:28
jamso we'll run into this again with not being able to manually provision with MaaS if we just did the same thing.09:28
wallyworldsounds so09:29
wallyworldi've just read the manual provisioning code today for the firt time09:29
axwwallyworld, jam: a couple of things spring to mind: state/api.Info (could be gotten another way), and finding tools09:31
jamwallyworld: sure. So I would encourage you to see if you can do add-machine without a full EnvironConfig because it shouldn't really be using it. If it isn't worth the time, then we can hack it in09:31
jamwallyworld: so we do already have a Tools api for agents, I wonder how hard it would be to expose that for an "I want a machine over here".09:32
davecheneyis it call the null provider09:32
davecheneythe manual provider09:32
axwjam, wallyworld: don't we need the full env config for the provisioned machine's machine config though...?09:32
davecheneyor the ssh provider09:32
davecheneyplease help09:32
jamdavecheney: I'm *pretty* sure we settled on Manual provisioner. However, this is still about manually registering a machine to an env that could have a regular provider.09:33
jamaxw: I'm pretty sure we don't09:33
davecheneyjam: what is SABDFL decided to call it ?09:33
davecheneyi understand there was a ruling09:33
jamaxw: Uniter and Provisioner today don't have access to all of EnvironConfig09:33
jamdavecheney: he liked the phrase "manual registration"09:34
davecheneywell, that isn't helpful09:34
jamand not having the word "Provider" in there09:34
jambecause nothing is *providing* machines09:34
davecheney+1 for semantic correctness09:34
jamdavecheney: so the last bit I remember was "not having provider: in the environ config and using the term manually register new machines"09:34
davecheney-1,000 for usefullness :)09:34
fwereadeaxw, we should in general never need any of the stuff in environ config09:36
fwereadeaxw, authorized-keys is the only generally useful bit of it that springs to mind09:36
axwfwereade, jam: yeah I was just revising, that's only used for manual bootstrap09:36
fwereadeaxw, and *that* is pretty dumb and broken regardless :(09:36
jamaxw: right. manual bootstrap is pretty different09:37
fwereadeaxw, because *surely* the *useful* concept is "authorized users"09:37
fwereadedimitern, commented09:37
dimiternfwereade, thanks09:42
dimiternfwereade, not sure I get your comment about Key/Keys - it's what the command is supposed to do, no?09:42
fwereadedimitern, yeah, but I'm not sure it's actually very useful at an API level09:43
fwereadedimitern, I would prefer to keep the api small and orthogonal as much as possible09:43
fwereadedimitern, baking into it "and this is a use case that's sometimes helpful for the CLI doesn't seem like much of a win, when the cli can filter just fine"09:43
fwereadedimitern, it's kinda like `juju get` which I have a horrible feeling returns the crazy nonsense that the command outputs09:44
fwereadedimitern, the api for `juju get`09:44
fwereadedimitern, which is no use to man nor beast, and even if it is it should be constructed for the specific context it's used in, out of clear sensible atoms, rather than forcing that interpretation on every api user09:45
fwereadedimitern, anyway I could be convinced that Keys was sensible09:46
fwereadedimitern, not so much Key09:47
dimiternfwereade, but there's no need for Keys09:48
dimiternfwereade, it's either one key or all of them09:48
dimiternfwereade, are you saying to have Keys and use only one or zero keys when calling the command and have the rest of the logic moved to the command itself (key == "" -> all keys, else just that key) ?09:49
dimiternfwereade, I thought we want to make the client API as close as possible to the CLI, logic included, so the GUI can provide the same features?09:50
fwereadedimitern, at the moment there's no need for keys because we have a set-env that was hacked together without much thought and it only uses one09:51
jamdimitern: so I would guess the point is to think about what is actually useful in an API. Today the CLI is actually deficient in that area. If I want 3 settings, I have to do 3 round trips, when you can easily implement the API to support multiple in one pass.09:51
dimiternfwereade, set-env accepts multiple key=value args09:51
fwereadedimitern, then all the more reason to allow us to ask for multiple values in get, surely?09:52
fwereadejam, exactly09:52
dimiternfwereade, ok, I'll change EnvironmentGet to accept zero or more keys09:53
fwereadejam, dimitern: we're trying to write a sane api that happens to allow for the CLI functionality09:53
fwereadejam, dimitern: rather than just writing an API for the CLI09:53
dimiternfwereade, and the CLI get-env will use it like that, except there'll be the bit that if key == "" -> return the map, otherwise, return just the value of the given key09:53
fwereadedimitern, sgtm, I'm not *that* much against Keys ;)09:55
dimiternfwereade, ok, because frankly I can't see the alternative09:55
fwereadedimitern, just ask for the whole env config?09:56
dimiternfwereade, always?09:56
dimiternfwereade, it seems unnecessary trafficwise09:56
jamdimitern: as a general guide, if it is less than 64kB it isn't worth filtering09:56
fwereadedimitern, gut feeling says that's simplest and always adequate, but maybe all those extra bytes add up to an annoying degree09:56
jamas the bandwidth cost == latency of a round tirp09:56
jamif its big, then we can do somethnig09:57
dimiternok, I'll get rid of Key/Keys and return the whole lot always then09:57
fwereadedimitern, cheers09:57
jamthat's at least the numbers I've found in the past09:57
jam100ms at 1M/s = 10009:58
jam100kb I guess is 12kB09:58
jamthough I've got 16MB and I've seen 300ms ping09:58
=== rogpeppe1 is now known as rogpeppe
rogpeppejam: just saw your conversation with axw about client secret-pushing. this is what i suggested yesterday - it seems to me that this is more-or-less where you ended up, is that right? http://paste.ubuntu.com/6363731/10:04
=== BradCrittenden is now known as ba
=== ba is now known as bac
axwrogpeppe: except not putting it into Login10:05
axwI started down that path this morning, it got a bit messy10:05
axwLogin will (after my next CL) respond with a flag saying that secrets need to be pushed10:05
axwbut it won't require it there and then10:05
rogpeppeaxw: ah, ok10:06
rogpeppeaxw: where did the messiness come from?10:06
axwrogpeppe: possibly just my misunderstanding of the API stuff, but it seemed wrong to add knowledge of environments in there. Now that I think of it though, it's going to have to anyway...10:07
rogpeppeaxw: yeah, that's what i was thinking10:07
axwwell, either approach will not be much of a change from what I've got now anyway10:07
rogpeppeaxw: cool10:08
axwrogpeppe: the other thing I wondered was about validating config that soon10:08
jamaxw: I'm wondering if we want it in api.Open or if we could do it one layer higher10:08
jamNewAPIConn is what the current CLI code ends up using, and it has the ENviron there10:09
axwis it possible the config is wrong at that point? then how do we fix it without being able to login?10:09
jamaxw: my gut instinct at https://code.launchpad.net/~axwalk/juju-core/api-push-env-secrets/+merge/194083 was that it looks like the wrong level10:09
rogpeppeaxw: if the config is wrong, you shouldn't be able to push it into the environment10:09
axwjam: I originally had it higher, in fact. It seemed better to me to keep the Login-results-stuff inside api.Open10:10
rogpeppeaxw: you can fix it by pushing a correct config10:10
axwrogpeppe: true, unless the correctness changes over time :p10:10
jamaxw: but having state/api know anything about environs secrets is ... dissapointing10:10
axwrogpeppe: ah, so I was just planning to push the secrets, not the entire config10:10
rogpeppeaxw: well, having a bad config doesn't make the environment inaccessible10:10
axwjam: true, but the apiserver is going to have to anyway, right?10:11
axwrogpeppe: I'm saying if we require login to successfully Validate config before letting the API client through10:11
axw(back to our discussion yesterday)10:12
rogpeppejam: i think that the api will need to know about environ secrets even when bootstrap is synchronous10:12
rogpeppeaxw: is that problematic?10:12
jamrogpeppe: axw: so it feels very strange to push "people connecting to the API should have environ and secrets" when we *really* want to get the environ state from the api10:12
axwrogpeppe: only if it's feasible that the first time you connect, config is bad. I think it's probably not, like you said.10:12
jamand it is only because of the handoff that we need it for the *very first* login.10:13
rogpeppejam: only the first client connecting needs environ and secrets10:13
jamrogpeppe: needs, but everything else looking at the function will go "where do I get these bits"10:13
rogpeppejam: we allow nil to be passed10:13
jamrogpeppe: "allow nil to be passed" is not very good API design.10:13
rogpeppejam: and when bootstrap is synchronous, we can have a separate API call10:14
rogpeppejam: rather, a separate entry point in juju10:14
rogpeppejam: sometimes i think it's ok10:14
rogpeppejam: when the thing really is optional10:15
rogpeppejam: so we'd provide it as an argument only if we find a BootstrapConfig in the .jenv.10:15
rogpeppejam: hmm, actually there's perhaps another possibility10:16
rogpeppejam: we can actually know if we're the first to connect, because the .jenv file has no cached API address (well - that will be the case when we do actually cache API addresses...)10:17
rogpeppejam: what's your suggestion for the (juju) package API?10:18
jamrogpeppe: so we could just do a "Do you need secrets" call in NewAPIConn, and if it returns true, then call Client.SetSecrets()10:19
jamthough even there, NewAPIConn is used by agents10:19
jamI think10:19
axwjam: the agents use api.Open directly10:19
jamaxw: k, that would be pretty clear that the 99% case is not wanting to pass in the extra data, so we probably don't want to put it there.10:20
jamaxw: AFAICT the only thing we gain is 1 round trip which we are going to get rid of with doing it at bootstrap10:20
rogpeppejam: it looks to me as if NewAPIConn isn't used by anything except NewAPIClientFromName10:21
jamrogpeppe: it is a point where we already have the data we need, and it is called by NewAPIConnFromName which most (all?) CLI cmds will be using to connect.10:22
axwjam: sorry, confused. are you suggesting that I go back to doing the unconditional API call for the client?10:22
jamaxw: a thought, api.Open() could cache some status onto the api object itself, so that a follow up "api.DoIneedSecrets" doesn't have to do a round trip10:22
jambut we don't expose it directly in the return of api.Open10:22
jamaxw: well it was a "CheckIfWeNeedSecrets" unconditionally.10:23
jamthough the putting it in a result from Login and then caching that on the api.State object.10:25
rogpeppeif it's going to go away, i don't really mind an extra round trip for every API connection10:26
axwjam: what's the big difference between unconditionally calling "PushEnvironmentSecrets" instead of "CheckIfWeNeedSecrets" and t hen "PushEnvironmentSecrets"10:26
axwthe former does nothing if it's not needed10:26
jamrogpeppe: well today we get to remove about 5 round trips by caching the API address :)10:26
jambut after that it shows up more10:26
jamaxw: passing secrets over the wire when they aren't neededx10:27
rogpeppejam: we're talking about something which we're going to fix anyway, right?10:27
jamrogpeppe: right, I'm saying we add 1 round trip here, but then we take away 5 over there pretty soon, and eventually get back to this 110:27
rogpeppejam: so cluttering the API as little as possible seems like a reasonable approach10:27
dimiternrogpeppe, should DeepEquals work and return 2 for 2 identical map[string]interface{} values?10:29
axwsorry guys, gotta go help get my daughter ready for bed. I may be on a bit later10:29
rogpeppejam: we can probably use exactly the same logic that the mongo connection uses currently - no need to change the API at all10:29
rogpeppedimitern: yes10:29
dimiternrogpeppe, s/return 2/return true/10:29
dimiternrogpeppe, well it doesn't for some reason10:29
jamdimitern: are you sure about int types10:29
jamint 2 != int64 210:29
rogpeppedimitern: they're not identical then :-)10:29
jaminterface{} is really bad about this10:29
jamand the output in the log looks like10:29
jam{a: b} != {a: b} which is very WTF10:30
dimiternrogpeppe, I checked them key by key http://paste.ubuntu.com/6369724/10:30
rogpeppedimitern: ah, there's one other thing: it won't return true if some values are not comparable ISTR10:30
dimiternrogpeppe, perhaps like ca-cert?10:30
rogpeppedimitern: gospew is useful for diagnosing stuff like this10:30
jamdimitern: I would bet api-port is an 'int' on one side and something like 'int32' or 'int64' somewhere else10:30
jamor if this is data you got out of JSON, even float7410:31
rogpeppedimitern: i bet it's a JSON issue10:31
jamfloat6410:31
jamwhich writes out as int if it doesn't have a decimal10:31
rogpeppedimitern: remember that any numbers in json arrive as float64, as jam says10:31
dimiternboth ports look like ints10:31
jamI've hit that in the past10:31
jamprintf(float64(1)) == 110:31
jamnot 1.010:31
dimiterndamn!10:31
jamwhich is sort of a shame10:31
jamI've *definitely* been bit by that in the past10:31
dimiternso passing anything through the api which returns interface{} having possibly ints is doomed10:32
jamwell, "doomed" to get cast into a float10:32
jam:)10:32
jamunless you put it into a struct10:32
jamwe had that for "juju get" as well10:32
rogpeppejam: well printf("%v %v %v", int8(1), int16(1), int(1)) prints 1 1 110:32
jamrogpeppe: http://play.golang.org/p/Spp9lwRovO10:33
jamright, the issue is10:33
rogpeppedimitern: i've considered the possibility of doing UseNumber for all json stuff we send on the wire10:33
jamPrintf("%v", float64(1.0))10:33
jamalso returns just10:33
jam110:33
jamso you can't tell it is a float10:33
jamvs returning 1.010:33
dimiternrogpeppe, what's UseNumber10:34
rogpeppejam: yeah - i'm just pointing out there are *lots* of possible types there too. just fixing it for floats wouldn't fix it for those too10:34
rogpeppedimitern: http://golang.org/pkg/encoding/json/#Decoder.UseNumber10:34
rogpeppedimitern: BTW gospew reference: github.com/davecgh/go-spew/spew10:35
rogpeppedimitern: spew.Dump(someVal) is useful for seeing everything (recursively and with types) inside a value10:36
jamdimitern: see rev 1722 of juju-core where I mention that cmd.Get also suffers from auto-cast to float6410:36
dimiternok, thanks rogpeppe10:37
jamdimitern: note that the discussion from juju get is that clients just shouldn't count on it being an Int object10:40
jamso you could also go that way10:40
jamotherwise you need to run the type decoding on the client side10:40
jamafter getting the map10:40
jameven UseNumber10:40
jamjust gives you stuff that you can then chose what you cast it to10:40
rogpeppejam: i *think* i'm marginally in favour of using UseNumber throughout10:41
rogpeppejam: it means that we can transmit int64 losslessly too10:41
jamrogpeppe: UseNumber means we just have strings so you still don't have an actual int or float10:42
rogpeppejam: indeed, but at least it's explicitly something else10:42
jamrogpeppe: as I said before, you then *still* need to run the "interpret everything as an explicit type" code on the client10:42
rogpeppejam: and we can make the schema package work with json.Number10:43
jamso the decision 2 months ago was, don't worry about it.10:43
jamit doesn't change the cli10:43
jamas we are printing it out into JSON anyway10:43
jamor possibly YAML10:43
jamso the only thing that might care is someone calling the API directly, and they're already screwed10:43
rogpeppejam: how so?10:44
rogpeppejam: or do you mean calling the api package directly?10:44
jamrogpeppe: they just have a string on the wire that is a float, So all the code we have to try and cast thing into appropriate types, but on the wire its just a string10:44
rogpeppejam: it doesn't look like a string on the wire10:45
jamrogpeppe: anyway, quite a bit of effort for almost 0 gain10:45
rogpeppejam: it looks like a normal json number10:45
jamrogpeppe: it doesn't look like an int or a float on the wire. it looks like a sequence of bytes10:45
jamaka "string"10:45
rogpeppejam: it fits exactly the usual json syntax for a number10:45
jamrogpeppe: sure, but it *isn't* a float or an int10:45
rogpeppejam: no? i'm not sure i see the difference.10:45
rogpeppejam: json only has one number type10:46
jamthe fact that an object is an int or a float needs to be transmitted separately10:46
jamwhich means we have to re-implement the code to interpret what the value of this field should be10:46
jamand it was determined in the last discussion10:46
jamthat it wasn't actually worth doing that10:46
jamI don't quite see how that's changed10:46
jamUseNumber doesn't actually help until we have a way to cast it10:46
rogpeppejam: ah, i see what you mean10:46
jamso yes, *if* we implement client-side casting, then we can UseNumber at that point10:47
rogpeppejam: yeah, i think i agree that we can transmit all numbers as exactly the same type10:47
rogpeppejam: and we can define that to be float6410:47
jamrogpeppe: so in the config structure, it does define what the actual type of that number is10:48
jamand we have code to do the work, and it runs behind the API, but then all that info gets discarded on the wire, so we have to do it again on the client10:48
rogpeppejam: standup?10:48
jamyep, sorry10:48
dimiternfwereade, added tests https://codereview.appspot.com/22210044/10:54
fwereadedimitern, cheers10:54
* TheMue => lunch11:35
=== rvba` is now known as rvba
=== gary_poster|away is now known as gary_poster
rogpeppenatefinch: ping13:15
natefinchrogpeppe: hey13:15
rogpeppenatefinch: hangout?13:15
natefinchsure13:16
rogpeppenatefinch: https://plus.google.com/hangouts/_/calendar/am9obi5tZWluZWxAY2Fub25pY2FsLmNvbQ.mf0d8r5pfb44m16v9b2n5i29ig?authuser=113:16
dimiternfwereade, thanks for pointing out agent-version - it was totally possible to change it with EnvironmentSet - now it's not and I added a specific test about it14:15
dimiternfwereade, updated https://codereview.appspot.com/22210044/14:15
fwereadedimitern, sweet, tyvm14:16
rogpeppejam: do you fancy a quick chat about the charm streaming stuff? i was just about to write yet another reply, but thought perhaps a higher bandwidth connection might be useful14:33
mattywfwereade, thanks for looking at my mps - hope it's not wasting too much of your time, I'll take another look at them tomorrow14:41
fwereademattyw, dude, it's my job :)14:41
fwereademattyw, not a waste at all14:41
mattywfwereade, sweet! did you see my reply, what do you mean by dirty? the commit history??14:42
fwereademattyw, it just looked like the proposed branch hadn't had history merged in14:42
fwereademattyw, so I can't (easily) tell which are your changes and which just happened in the interim14:43
fwereademattyw, just merge trunk through the pipeline and propose again14:43
mattywfwereade, oh ok, I hadn't noticed that, I'll take another look14:43
mattywwho's a good person to talk to about the charm store?14:47
rogpeppemattyw: what do you want to talk about?14:48
sodresmoser: is example-sync still working ?15:34
TheMuestrange, shut eth0 on a ec2 machine, but status still reports it as running15:39
mgzTheMue: that's from the instance existing, not the state reporting though, no?15:40
TheMuemgz: no, status reporting15:41
TheMuemgz: from the perspective of ec2 it is still running, which is ok15:41
TheMuemgz: juju ssh fails as expected15:42
TheMuemgz: pinging the machine fails too, so I would expect that also machine 0 would fail to reach the machine :/15:44
mgzTheMue: 'running' is an ec2 instance state, not a juju machine status15:44
mgzone thing `juju status` does is call DescribeInstances and report the instance state of all instances juju is managing15:45
TheMuemgz: yep, ok, wrong wording, agent-state is still started, not down15:45
TheMuemgz: the instance state is correct with running15:46
mgzTheMue: try for instance, euca-stop-instances on that, then see what it reports15:46
mgz"for instance"? too many instances.15:46
TheMuemgz: :)15:46
TheMuemgz: I tried to simulate a netsplit. stoping or terminating a machine is fine for the status reporting.15:47
jcsackett:q!15:50
jcsackettexit15:50
jcsackett...i hate when i get windows mixed up.15:51
mgz:D15:51
fwereadebbiab15:52
TheMueyeah, bootstrap node has no connection to the agents on that machine anymore. and status reports still that everything is fine.15:52
benji:w plan-to-use-jcsackett's-window-management-skills-against-him.txt15:53
benjioops15:53
mgzehehe15:54
jcsacketttruthfully it's less window management and more "what has focus" issues. :-P15:55
benjisloppy focus is the only way15:55
natefinchMan, I really want to be able to use juju to deploy juju's mongodb in HA :/16:04
mgznatefinch: you are not the first to have this thought16:04
natefinchmgz: chickens and their stupid eggs16:05
natefinchok, so what we do, is use the manual provider to bootstrap the bootstrap for a real provider...16:07
* natefinch checks out the mongodb charm to see if there's anything he can crib16:11
=== natefinch is now known as natefinch-afk
sinzuijamespage, I just released https://launchpad.net/juju-core/+milestone/1.16.3 to address the cgroup-lite bug that affects lxc16:26
* sinzui doesn't want to do any more 1.16 releases16:26
mgzsinzui: jamespage is at the openstack summit, so I think he's probably not online right now16:37
sinzui:)16:37
=== mind_ is now known as WEBBRANDON
=== WEBBRANDON is now known as webbrandon
bachi sinzui18:53
sinzuiHi bac18:53
bacsinzui: can you join us in #juju-gui?18:53
* rogpeppe is done for the day19:18
rogpeppeg'night all19:18
natefinch-afkmorning thumper20:19
thumpermorning20:19
natefinch-afkwhat color do *you* want the bike shed to be? :)20:19
=== natefinch-afk is now known as natefinch
thumperwhich shed are we talking about?20:20
thumperif it is the ensure-ha chat20:20
thumperI'm likely to dive in :)20:20
thumperbut firstly20:20
natefinchyeah ,ha20:20
thumper*STOP CROSS POSTING EVERYONE!!!!*20:20
natefinchwow, I missed that roger had posted to juju, not just juju-dev20:23
thumpersince I don't use gmail, I get everything showing twice20:24
natefinchwell, you have no one but yourself to blame for that one ;)20:25
=== BradCrittenden is now known as bac
bachi marcoceppi20:47
marcoceppio/ bac20:47
bachey marcoceppi, we need a change to charmtools proof to make the endpoint an option to the proof call.  i've got a branch that seems to work that i'd like to propose20:48
marcoceppibac: couldn't you guys just call proof with --offline and then call your endpoint seperately?20:49
bacmarcoceppi: long term that's probably a good solution20:52
bacmarcoceppi: please have a look at https://code.launchpad.net/~bac/charm-tools/proof-endpoint/+merge/194227 and see what you think.20:54
marcoceppi:\ I don't like it, but it's nothing to do with the code, it's just exactly the reason I put the offline flag within proof in the first place20:56
marcoceppiOnce this is in, it's pretty much there until a 2.020:57
bacmarcoceppi: we're not offline.  we just need to configure the address of the server.20:57
marcoceppiwell20:57
marcoceppibac: the idea behind offline was for charmworld. Since charmworld knows it's own api it won't need charm-tools to do it since it can invoke it itself20:57
bacmarcoceppi: i don't know the history but i don't understand how offline has anything to do with charmworld.  i thought it was to allow people to use your tool when offline.  the two seem orthogonal.20:59
marcoceppibac: offline was just the way the feature was named, as it turns off remote checking21:00
rick_h_marcoceppi: the thing with offline is we still need to run proof and then run our own checks21:02
rick_h_marcoceppi: so we need to double the calls, build a combined list of issues, etc21:02
rick_h_marcoceppi: the hope was that using proof in 'online always' mode would make sure we're all seeing the same messages/list of issues21:03
rick_h_marcoceppi: but we can break it apart.21:03
rick_h_marcoceppi: we'll work on that path.21:03
marcoceppiOTP, rick_h_ if the URL is different then it should be run outside of that21:03
rick_h_marcoceppi: rgr21:03
marcoceppirick_h_ bac: I don't mean to be disagreeable, however, I don't have time to cut this as a 1.1.3 before I start traveling given my current workload21:03
rick_h_marcoceppi: understand21:04
bacmarcoceppi: i've retracted my MP.  i understand your concerns.21:18
marcoceppibac: thanks, sorry again. I really want to accomodate you guys as much as possible - let me know if there's anything else I can help with o/21:19
* thumper -> gym22:49
=== bradm_ is now known as bradm
davecheneyall: which pocket is Juju going to ship in 14.04 ?23:40
davecheneymramm:  which pocket is Juju going to ship in 14.04 ?23:56
wallyworld_thumper: since you are ocr,  https://codereview.appspot.com/22580043 plus i wouldn't mind a quick hangout if you are free23:58

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!