veeberswallyworld_: If i create an openstack, juju add-cloud and creds for it, how do I currently share access to others to it? Purely through adding a user and granting perms, or can I share some details so they can 'add-cloud' it them selves and then use credentials provided to them too?00:02
wallyworld_they can access it via your controller, so you need to give them add-model permission on the controller. they need to supply their own creds when they then add-model00:03
veeberswallyworld_: ack, thanks for clarifying00:03
wallyworld_add-model takes a --credential arg00:04
veebersaye, so you would have to provide that user with some creds too, it's not just a case of 'add user', 'grant add-model'00:04
wallyworld_veebers: no, they need to provide their own creds00:39
wallyworld_the --credential arg to add-model slurps up the creds from their local yaml file00:39
veeberswallyworld_: to be clear there is currently 0 caas support in jaas, right?01:30
wallyworld_not until they upgrade the controllers to 2.4 or 2.501:31
rick_h_wallyworld_: currently if you add a user with add-model they get house your creds on their models.01:32
rick_h_wallyworld_: or intake that back...do we autoupload the new users creds for that cloud on add-model?01:33
rick_h_I know I don't specify it when I do multi-user controllers with different nodels01:33
wallyworld_rick_h_: add-model takes a --credential arg - I think that's required for a user if their creds for that cloud aren't already in the controller01:33
wallyworld_so if i bootstrap, my creds for the cloud are uploaded01:34
rick_h_wallyworld_: it's not required. I never use it but do multi-user controllers all the time01:34
wallyworld_and if i add-model, that remains the case01:34
wallyworld_ok, i guess it defaults to the creds of the person who created the model;01:34
rick_h_wallyworld_: worth a quick bootstrap, add-user, grant check01:35
wallyworld_i think that's a bad decision IMO01:35
rick_h_wallyworld_: right but a second user running add-model doesn't have to use --credential either01:35
vinowallyworld: i have addressed ur review comments. We shd not be taking childID(). We use parentID that refersto MachineTagID which matches with Id in machine constraints.01:35
wallyworld_right, that's what i think is bad01:35
rick_h_Not judging, just biting how multi-year work now01:35
wallyworld_IMO a user shouyld need to specify their credential01:36
wallyworld_or be branted access to someone else's01:36
wallyworld_not just use them by magic01:36
vinowallyworld: whenever u get time. please take a look at PR.01:36
wallyworld_maybe there's a reason i'm miaaing01:36
vinoanastasiamac: i have PR for u to review forward port of exportBundle Client part.01:37
wallyworld_vino: i updated my comment to ask for Patent()01:37
rick_h_wallyworld_: because change in behavior would be something to watch out for. I'd suggest veebers do a quick 2 user test. I *think* the add-model call for the second user auto uploads a local credential for that user tbh01:37
wallyworld_PArent() even01:37
anastasiamacvino: sure, i'll look soon. thnx ;)01:37
wallyworld_rick_h_: yeah, worth checking. last time i tried, i could have sworn i neede dto use --credential01:37
vinoanastasiamac: it has a failure.01:37
* rick_h_ swears opposite lol01:38
wallyworld_as there was no cred for me in the controller01:38
vinoi am working on CI tests. I will correct PR which is already there for review by EOD.01:38
wallyworld_rick_h_: i could very well be wrong01:38
* rick_h_ avoids temptation to move to the computer to test01:38
wallyworld_rick_h_: veebers is on it :-)01:38
* vino going to have early lunch.01:38
veebersrick_h_: heh, leave it with me :-)01:39
anastasiamacrick_h_: i had bootstrapped my controller, disabled a credential in db and add-model with the same client credential... the command flipped validity on credential which proabbly means that add-model uploads default credential01:39
anastasiamacfrom the client...01:39
rick_h_veebers: <301:39
anastasiamac(or at least updates, rick_h_)01:39
wallyworld_rick_h_: i had an idea that seems plausible - the add-model grant should control access to clouds. right now it is assumed that a controller only has one cloud, but that's nmo longer the case with k8s, lxd clusters etc. so add-model should take a cloud arg01:40
wallyworld_that then controls visibility01:40
wallyworld_and that's what jaas would use to filter what gets offered01:40
rick_h_wallyworld_: seems on the right path01:41
wallyworld_yeah, we're working the idea into the doc, see how it pans out01:41
wallyworld_but it fits the model nicely01:41
rick_h_wallyworld_: yea basically forcing us to jump into multi-cloud controller stuff a bit faster because we have to. But that's the problem space.01:42
wallyworld_rick_h_: yeah, luckily most of the modelling woth clouds creds etc already had that in mind01:42
wallyworld_just tweaking the from end a bit01:42
rick_h_wallyworld_: yea01:42
rick_h_Because we modelled it for jaas so it's not too crazy01:43
wallyworld_rick_h_: veebers is aiming to have a doc out in the next day or so for review01:43
rick_h_wallyworld_: cool, I'll be good and patient :)01:44
rick_h_veebers: thank you! And don't hesitate to ask if there's any help we can be01:44
wallyworld_but i want it all *now*01:44
veebersrick_h_: I can't add-cloud to jaas for myself can I? Currently the clouds accessible with jaas is immutable?01:44
rick_h_veebers: correct.01:45
wallyworld_that may well be the case - i don't think KIMM exposes that01:45
veebersright, ok that meshes with my understanding good01:45
rick_h_No, there's been PoC to add openstack but it's not a feature flag for sure01:45
wallyworld_vino: strings.Split(unitMachine.Parent().String(), "-") can be replaced with Parent() I think01:46
thumperbabbageclunk: when did you want to chat?01:59
babbageclunkthumper: oh, now's good!01:59
veeberswallyworld_, rick_h_ what actions do I need creds for? I imagine deploying a charm (if it adds a model) right?02:04
wallyworld_you mean cloud creds?02:04
wallyworld_anything that calls the cloud apis02:05
wallyworld_deploying a charm doesn't add a model02:05
wallyworld_the model already exists02:05
veeberswallyworld_: sorry yes I mean cloud creds. Ok so a machine being added for a charm doesn't use cloud apis?02:06
veebersI'm getting straight in my head when creds are used, and how that relates to users etc.02:06
wallyworld_veebers: adding a machine does use creds to ask the cloud to spin up that vm02:07
veeberswallyworld_: ok, so I can add a user with just admin on a model, and that user can deploy a charm without providing creds in any way02:08
veebersIs there a way to see what creds where used for the deploy? I presume thats something like what anastasiamac mentioned just before02:09
wallyworld_veebers: that's what me and rick want you yo test - we're not sure if the creds of the model owner are used or if it is mandatory for a user who ohas been granted add-model access to spully their own always02:09
anastasiamacveebers: u can see what model is using in show-model02:09
anastasiamacveebers: i think u can also see all creds on the controller using 'show-credential"02:10
veeberswallyworld_: sorry, I need to confirm what creds have been used. I have created a user and have that user deploy a charm there was no need to add any creds or anything02:10
veebersUsers are split into different JUJU_DATA dirs02:10
anastasiamacveebers: i think "add-model' uses credentials too02:10
veebersanastasiamac: awesome, thanks02:10
wallyworld_veebers: so that implies we by default use the model owner creds which makes me a bit sad02:11
veebersyeah, it def uses the credential that the main user added02:11
veebersat least it tells you who the owner is :-P https://paste.ubuntu.com/p/GdZtfqDtft/02:12
anastasiamacvino: what pr did u need a review on?02:12
anastasiamacveebers: to use a 2nd user cred, u should b able to use 'add-model --credential'02:12
veebersanastasiamac: aye, thanks.02:13
veeberswallyworld_: hmm, seems that for add-model you need to define creds, it doesn't use any stored: https://paste.ubuntu.com/p/bxfC75fyrG/02:15
wallyworld_that's what i thought was the case but rick thought it may have used the stored owner creds, so good to know02:17
* wallyworld_ is happy it works that way02:17
veeberswallyworld_: you're ok with using model owner creds for deploys?02:18
wallyworld_yes because as per the above the creds are uploaded when the model is created02:18
wallyworld_so they need to be suplied by the ower when the model is set up02:18
veeberswallyworld_: right, and there is no option to use different creds when deploying something02:19
vinowallyworld: sorry. I quickly went outside to have brunch.02:28
vinothe parentId is machine-102:29
vinothats why i did that split.02:29
vinothe func Parent returns this way machine-'x'.02:31
anastasiamacvino: there r build failures on 8991. m ahppy to review once they r resolved :)02:35
vinoanastasiamac: yes. correct. i mentioned that to u. i want to finish this other 2 PRs. Didnt expect that failure. Will resolve by EOD for sure.02:36
rick_h_veebers: wallyworld_ I'm just staying if you have local creds for that cloud they'll auto upload/work02:43
veebersrick_h_: yeah, looks like juju was looking for aws creds: credentials not found: AWS_SECRET_ACCESS_KEY not found in environment02:43
wallyworld_rick_h_: ye, agreed, any local creds will work, but you must provide your own02:44
anastasiamacvino: no rush. m happy not to review :) just ping whenever it'll b ready02:45
vinowallyworld: i didnt chk the Parent().Id(). I am chking it now.02:55
thumpervino: you should never have to do split type things with tags03:05
thumperif you find yourself wanting to, look to expose the correct method on the type instead03:05
vinohi thumper: I was looking at other window.03:11
vinothumper & wallyworld: agree. I have verified with Parent().Id() as well. I missed to look at it.03:12
veeberswallyworld_: If I add a custom cloud (say a k8s cluster) add a user and grant them add-model perms. They won't have a new entry in 'juju clouds', as the controller has been bootstrapped right? and when 'add-credential' the client will hit the controller to query for the auth type details etc.?03:24
wallyworld_juju clouds only shows the local yaml, yes. add-credential does look at what's in the controller03:26
veebersack, thanks03:26
anastasiamacwallyworld_: sure? add-credential operates on the client only03:27
wallyworld_sorry, i was thinking of the apd credential api facade endpoint03:27
wallyworld_what we invoke when uploading a credential as part of add model etc03:28
anastasiamacveebers: tread carefully ^^ :D03:28
anastasiamacwallyworld_: yes, that i agree with :D03:28
veeberswallyworld_, anastasiamac ah ok, so adding a credential for a new cloud would be an issue? (as per example above, someone adds cloud to their config, adds user and grants add-model perms, that user would have to manually add a cloud to allow them to add creds to allow them to add a model03:30
wallyworld_they specify creds when adding a model03:31
anastasiamacveebers: add-credenital command wil only add cred to this users client03:31
wallyworld_using --credential arg03:31
anastasiamacveebers: when they are add-model with --credential, u'll get the behavior u r after03:31
wallyworld_juju help add-model03:31
veeberswallyworld_, anastasiamac but thats for use for credentials that juju knows about03:33
anastasiamacveebers: no, that's for use of crednentials that are on the client03:33
wallyworld_no, it uploads the specified ones03:34
wallyworld_from the local yaml03:34
anastasiamacjuju *knows* about credntials on the client too...03:34
veeberswallyworld_, anastasiamac I might be confused, but if I'm granted access to a controller in a custom cloud (that someone has added on their end) how, ah wait I see, you can't add a cloud that juju doesn't know the type of any way, so it's always possible to add-credential for it03:35
wallyworld_when a cloud is added to a controller, the local yaml; becomes irrelevant03:36
wallyworld_the controller stores all necessary cloud info, regions, auth types etc03:36
veeberswallyworld_: I may be being dense, this is also on the edge of the multi-cloud controller discussion, but if I add a user with add-model perms to a controller with a k8s cloud, for that user to be able to actually add a model they would have to juju add-k8s with the details too to get creds access, as juju add-credential won't work for them as they wouldn't have the k8s cloud defined to add the creds to03:41
veebersadd-model --credentials with03:41
wallyworld_someone with add-model perms who wants to make a model doesn't use add-credential03:43
wallyworld_see above, you use the --credential arg to add-model03:43
wallyworld_add-credential is purely to update the local yaml03:43
anastasiamacveebers: wallyworld_ could we ho? like in standup?03:43
wallyworld_if we need to03:44
anastasiamacm in today's one03:44
vinowallyworld_ : i was messaging u. I missed '_'. I agree with that Parent().ID().Since u mentioned here in chat Parent() i was disagreeing. I have made changes.03:48
wallyworld_vino: sorry, been tied up, looking now04:05
vinosure wallyworld_ nws.04:05
wallyworld_lgtm ty04:05
veebersoh FYI the answer to the k8s cloud, add-models is that (currently) you would have to manually edit the credentials.yaml to add a credential to pass to 'add-model --credential'04:23
vinothx wallyworld_04:31
babbageclunkugh, of course the uniter API facades are still using the old registration signature.05:55
vinoanastasiamac: i have corrected the error in the PR.06:18
vinoJust moved the files to correct location.06:18
vinoIf u can take a look when u r free.06:18
anastasiamacvino: k. thnx06:24
kelvin_wallyworld_, got a few minutes to discuss CRD?06:26
anastasiamacvino: will look later on tonight - got hungry mouths to feed for now06:32
vinoya ya sure :)06:32
=== frankban|afk is now known as frankban
zeestratmanadart: thanks for the work on the LXD constraints. I guess you can mark this one as fixed and released: https://bugs.launchpad.net/juju/+bug/158210507:53
mupBug #1582105: lxd provider doesn't honour memory constraints <constraints> <juju-release-support> <lxd-provider> <juju:Triaged> <https://launchpad.net/bugs/1582105>07:53
manadartzeestrat: Ack. Thanks.07:55
zeestratmanadart: No problemo. Just so I understand correctly, those new LXD constraints work for LXD containers deployed on machines on all the different clouds right?08:25
manadartzeestrat: Yes, all LXD containers will honour constraints - deployed by provider, or as machines on other substrates.08:26
zeestratmanadart: Cool stuff. Thanks again.08:26
manadartzeestrat: There is a current known issue for the provider.08:26
manadartUnless you specify one of the applicable constraints (cores/mem/instance-type) there will be a default mem limit of 3.5GB on the controller.08:27
manadartBut only the controller.08:27
mupBug #1784075: LXD provider places a limit on memory for the controller but not for a workload machine <docteam> <juju:Triaged> <https://launchpad.net/bugs/1784075>08:28
=== alephnull_ is now known as alephnull
zeestratGood to know08:30
jamespagemorning folks08:45
jamespagehttps://discourse.jujucharms.com/t/juju-2-4-1-has-been-released/80 advertised cosmic support, but the release streams for juju tools don't include cosmic references?08:46
jamespagehmm neither to the proposed streams08:47
manadartReview if anyone is inclined: https://github.com/juju/juju/pull/899210:15
manadartEnds up being a simple fix.10:15
manadartjamespage: You need to use the daily image stream.10:20
jamespagemanadart: I thought juju only published proposed and stable streams?10:21
manadartjamespage: Ah, I mean when bootstrapping/adding machines. It worked for me when I used config image-stream=daily and --series=cosmic.10:24
=== frankban is now known as frankban|afk
rick_h_hml: how did the review of ian's comments go? Do we have a path forward that's ok?18:48
hmlrick_h_: I’ve grocked Ian’s comments on the PR - when is a good time to chat?18:48
rick_h_hml: eating lunch at the computer atm. Give me 10 or 15?18:49
hmlrick_h_:  sure18:49
rick_h_hml: k, free when you are19:02
hmlrick_h_: ready, which HO?19:02
rick_h_hml: let's use standup please19:02
hmlrick_h_: omw19:02
hmlrick_h_: manadart  approved pr 8987, the cinder thing, did you want it manually tested by someone else before landing?19:31
rick_h_hml: is that the one that needs a manual test? Did he test it then or just review it?19:43
hmlrick_h_: yes, i believe he just reviewed it, not test19:44
rick_h_hml: yea then we do need a test by a 3rd party please19:44
hmlrick_h_: ack19:44
hmlveebers: yes, the lxd remote bootstrap stuff in discourse  uses a trust password and interactive21:00
hmlbut if you read the credentials.yaml - that gets morfed into a certificate and big values21:00
hmlit’s a validation error in initialization args - changing the type to interactive in credentials.yaml to see what happens21:01
veebershml: that's odd that it gets changed, is that happening during bootstrap?21:01
hmlveebers: during add-credentials i believe21:02
hmlveebers: my hack worked21:02
hmlfiling a bug.  (most likely to myself  :-D )21:02
veebershml: nice!21:03
hmlveebers: i figured it would work because the controller instance does get created and installed… it’s just the validation function that fails21:04
hmlveebers: and pmatulis beat me to it21:05
veebersheh :-)21:06
hmlwallyworld: ping.21:07
wallyworldhml: hey, otp in k8s call, give me 3021:08
hmlwallyworld:  sounds good21:08
wallyworldhml:just finished, but release call starting. so maybe pop in there?21:29
hmlwallyworld: omw21:29
veebershml: might be worth posting that bug on the discourse post for LXD Clustering? In case other people get tripped up by it they'll at least see a fix is underway21:34
babbageclunkWeirdly, it seems like things are mostly working with raft leases.22:19
veebersbabbageclunk: yay \o/22:19
babbageclunkno, spoke too soon...22:25
veebers /o\22:26
babbageclunkok, think I've cracked it!22:32
* veebers refuses to celebrate at this early stage22:32
babbageclunkat least, whacked that more22:32
veebersmy arms get tired otherwise22:32
babbageclunkDo we think it's better to a) be careful not to wrap/trace errors when we're checking for specific singleton errors or b) always make sure to use errors.Cause at the point of the check?22:35
babbageclunkthumper, wallyworld: ^22:35
wallyworldthe latter22:36
wallyworldwe can't control what happens downstream22:36
wallyworldand we want to allow annotation etc22:36
babbageclunkYeah, I was just thinking that too - otherwise we need to be vigilant about all the layers in between.22:36
thumperbabbageclunk: ping22:44
thumperbabbageclunk: ping22:44
babbageclunkthumper: poong22:45
babbageclunkimpatient much?22:45
thumperbabbageclunk: https://hangouts.google.com/hangouts/_/canonical.com/juju-sts22:45
thumpercan you join us please?22:45

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!