Earlier  
Posted Nick Remark
#openstack-nova - 2019-04-01
15:31:45 bauzas efried: sorry, just saw your question, well, like dansmith said, you need to provide a new PS to put off the check or gate pipeline
15:32:12 bauzas just use the right words, I wasn't understanding your question
15:32:25 efried nod.
15:33:37 bauzas but let's ask jaypipes to provide a follow-up post from http://www.joinfu.com/2014/01/understanding-the-openstack-ci-system/ :p
15:34:01 bauzas or just digest https://zuul-ci.org/docs/zuul/user/gating.html :p
15:34:49 bauzas huh, rather https://zuul-ci.org/docs/zuul/user/concepts.html
15:57:04 jaypipes bauzas: erm...
15:57:14 jaypipes bauzas: yeah, "Just Use Zuul CI"
16:07:25 bauzas jaypipes: FWIW, I give you credits on helping some French folk who was working on a Stackforge project named "Climate" to know why Jenkins was telling him -1 sometimes
16:07:51 bauzas then, 5 months after, he was working on Nova
16:08:02 bauzas err, 4
16:08:08 openstackgerrit Eric Fried proposed openstack/nova-specs master: Tools & docs for backlog & abandoned spec process https://review.openstack.org/648800
16:10:45 openstackgerrit Merged openstack/nova master: tests: Stub out privsep modules https://review.openstack.org/648747
16:18:49 openstackgerrit Eric Fried proposed openstack/nova-specs master: Abandon flavor-classes backlog spec https://review.openstack.org/649095
16:26:29 mnaser hmm
16:30:51 openstackgerrit Eric Fried proposed openstack/nova-specs master: Abandon instance-tasks backlog spec https://review.openstack.org/649100
16:34:09 openstackgerrit Eric Fried proposed openstack/nova-specs master: Abandon parallel-scheduler backlog spec https://review.openstack.org/649101
16:36:13 openstackgerrit Eric Fried proposed openstack/nova-specs master: Abandon same-instances-scheduling backlog spec https://review.openstack.org/649102
16:48:16 openstackgerrit Stephen Finucane proposed openstack/nova master: Raise Exception instead of Exception method call https://review.openstack.org/482200
17:58:43 mnaser just to confirm
17:58:50 mnaser nova-consoleauth is no longer technically needed as of stein
17:59:03 mnaser assuming all the "cleanup" of remaining things was killed off in rocky?
18:12:08 melwitt mnaser: right, not technically needed. only if you needed already existing console auths to work during a rolling upgrade, or if you have long TTL and didn't want things invalidated immediately
18:12:23 melwitt what do you mean by "cleanup" of remaining things?
18:14:32 mnaser melwitt: yeah I meant that if you didn't want things to be smooth and consoles not be invalidated
18:14:46 mnaser now curiously I have this other issue where the calculated token hash doesn't seem to match the one in the db..
18:16:10 mnaser I get token id `dc574410-2c5c-4762-ae0d-f1689372337f` .. the sha256 is b7cc4998dea5dd0a3b663fcbe8df7c487246b3d3e52ec3361530b091477e5b28 which matches the db entry
18:16:28 mnaser but when I do a print(token_hash) in the novncproxy codebase.. I get e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
18:17:29 melwitt hm, that's strange. I'm not aware of anything that could have changed there
18:17:43 mnaser ok, looks like the function is being called with token == ''
18:19:20 melwitt hm... empty string should mean that the GET url didn't have the token in it
18:19:55 mnaser yeah url im hitting has a token, im following it up the stack, im up to _get_connect_info_database() and that gets a token == none
18:20:00 melwitt that's where the token comes from (GET request param or cookie) in the novncproxy
18:23:04 melwitt mnaser: https://github.com/openstack/nova/blob/master/nova/console/websocketproxy.py#L195
18:23:26 mnaser melwitt: that gets called when we call /websockify which doesn't seem to have a token
18:23:34 mnaser print('path', self.path) in here shows
18:23:41 mnaser ('path', '/websockify')
18:25:10 mnaser oh crap, I have a dr appointment in 5 minutes gotta run, ill dig into this after if you don't keep looking
18:25:19 mnaser but looks like unless its not sending cookies with a token.. we can't do anything
18:25:34 melwitt ok. I'll keep looking. I'm not familiar with the /websockify path so I need to find what that is
18:26:47 melwitt because usually the path should be like this http://ip:port/?token=xyz
18:33:36 mnaser melwitt: indeed and xyz is there but it looks like the token lookup seems to happen in the websockify part
18:34:49 mnaser Weird thing is that code has been there for 5 years so..
18:35:13 mnaser Unless the behaviour to forward token from cookie was removed with more recent novnc versions
18:35:29 melwitt yeah, I know. I'm puzzled as to what's going on here
18:35:55 mnaser We pull master novnc in OSA so mahbe its recent behaviour change
18:36:27 melwitt I'll take a look in novnc
18:37:03 mnaser Okay
18:37:11 melwitt I thought the cookie thing was a backup, if the token is not in the GET request params, but forwarding via cookie does sound really familiar
18:37:16 mnaser melwitt: we use vnc_lite.html in OSA. https://github.com/novnc/noVNC/commit/51f9f0098d306bbc67cc8e02ae547921b6f6585c
18:38:14 melwitt I had dug into this stuff back when I worked on the db backend for console auths, back when we were thinking we could pass the instance uuid in the GET request too (turns out bc of novnc limitations, more than one request param would not work)
18:38:50 melwitt (it only forwards the first request param)
18:39:05 mnaser So it always probably used a cookie but that seems to have been pulled out from vnc_lite.html which is for some historic reason what’s being used in OSA
18:40:14 melwitt huh, interesting
18:40:30 mnaser The worrying thing is I can’t find any token references in novnc
18:40:32 melwitt / If a token variable is passed in, set the parameter in a cookie.
18:40:33 melwitt / This is used by nova-novncproxy.
18:40:49 mnaser Where do you see this melwitt ?
18:40:51 melwitt seeing that all in red being removed. "used by nova-novncproxy" :P
18:41:03 melwitt mnaser: in the commit you linked https://github.com/novnc/noVNC/commit/51f9f0098d306bbc67cc8e02ae547921b6f6585c#diff-1d6838e3812778e95699b90d530543a1L173
18:41:20 mnaser ugh
18:41:42 mnaser What does devstack use
18:42:04 mnaser I wonder how it hasn’t been affected
18:42:15 melwitt must not be using lite?
18:43:07 melwitt bc this was removed from the vnc_lite.html file, unless I'm missing something
18:43:45 mnaser Of course
18:43:58 mnaser NOVNC_FROM_PACKAGE defined in jobs
18:44:43 melwitt http://logs.openstack.org/65/627765/12/check/tempest-full-py3/b00b2ab/controller/logs/devstacklog.txt.gz#_2019-04-01_08_01_25_051
18:45:17 mnaser Yikes well i guess we can ask novnc to revert
18:49:53 melwitt mnaser: I don't understand, how do you use lite vs not?
18:50:23 mnaser melwitt: vnc_lite seems to be what vnc_auto was a while ago
18:50:36 mnaser Searching the code doesn’t give any results for token
18:50:40 melwitt mnaser: and which one you use depends on the url you use?
18:51:05 melwitt yeah, ok. looks like we have to ask for a revert of at least that part
18:51:22 mnaser melwitt: I assume we’re using the lite which handled the token stuff and did the cookie handoff
18:51:45 melwitt mnaser: yeah, I'm just saying, how do you choose whether to use lite or not
18:51:56 mnaser dunno :P
18:52:01 melwitt haha ok
18:52:13 mnaser It seems like there’s something called token plugin
18:52:24 melwitt at first I was thinking, can we use non-lite but then you pointed out only lite was handling token
18:52:30 melwitt so my thought was moo
18:52:49 mnaser Don’t quote me on this stuff I’m going over it on my phone heh
18:53:30 melwitt :)
18:54:43 melwitt I do wonder why we have to rely on the cookie forwarding. I wonder why it doesn't just show up as a GET request param by the time we get it
18:54:59 melwitt from the way our code is written, it looks like the expectation was that the cookie was a fall back
18:55:14 melwitt but in practice, we were always falling back
18:56:41 melwitt going to see if I can find out
19:15:57 openstackgerrit Eric Fried proposed openstack/nova master: Correct lower-constraints.txt and the related tox job https://review.openstack.org/622972
19:16:34 openstackgerrit Eric Fried proposed openstack/nova master: Correct lower-constraints.txt and the related tox job https://review.openstack.org/622972
19:17:38 openstackgerrit Eric Fried proposed openstack/nova master: Mock time.sleep() in unit tests https://review.openstack.org/648762
19:25:36 mnaser melwitt: so I think the problem here is the /websockify HTTP request comes afterwards
19:26:01 mnaser so its GET /vnc_lite.html?token=foobar .. and then CONNECT /websockify
19:26:12 mnaser so you can't really reliably tie that GET request and the CONNECT request
19:26:28 mnaser UNLESS we sent a Set-Cookie: token when you visit vnc_lite.html
19:26:36 mnaser that would workaround it
19:27:18 melwitt mnaser: I see. well, from some googling it looks like something like this might work? GET /vnc_lite.html?path=/websockify?token=foobar
19:28:19 openstackgerrit Eric Fried proposed openstack/nova master: Add placement as required project to functional py36 and 37 https://review.openstack.org/649068
19:28:29 melwitt second ? should probably be a &
19:28:45 mnaser I think it would be cleaner to set-cookie
19:28:59 melwitt or maybe not

Earlier   Later