)]}'
{"docker/services/swift-proxy.yaml":[{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"90891f27b1265462c087682d5e73fcbae92b642b","unresolved":false,"context_lines":[{"line_number":152,"context_line":"              - /var/lib/docker-config-scripts/set_swift_keymaster_key_id.sh:/set_swift_keymaster_key_id.sh:ro"},{"line_number":153,"context_line":"            user: root"},{"line_number":154,"context_line":"            command: \"/set_swift_keymaster_key_id.sh\""},{"line_number":155,"context_line":"          map_merge:"},{"line_number":156,"context_line":"            - swift_proxy:"},{"line_number":157,"context_line":"                image: *swift_proxy_image"},{"line_number":158,"context_line":"                start_order: 2"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"9f91af0f_c425f9ac","line":155,"updated":"2018-01-05 20:04:43.000000000","message":"I think the issue is that you need to add your two new tasks here under the map_merge","commit_id":"6cc04a810bd27a4514e61383ee282b366f2097aa"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"752fe7e48628cbca6127516a97c595153dcd031d","unresolved":false,"context_lines":[{"line_number":110,"context_line":""},{"line_number":111,"context_line":"            echo \"Creating barbican secret for swift cluster\""},{"line_number":112,"context_line":"            #TODO create uuid in mistral"},{"line_number":113,"context_line":"            order_href\u003d$(openstack secret order create --name swift_root_secret_uuid --payload-content-type\u003d\"application/octet-stream\" --algorithm aes --bit-length 256 --mode ctr key -f value -c \"Order href\")"},{"line_number":114,"context_line":"        set_swift_keymaster_key_id.sh:"},{"line_number":115,"context_line":"          mode: \"0700\""},{"line_number":116,"context_line":"          content: 
|"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"9f91af0f_fa5df214","line":113,"updated":"2018-01-09 16:36:12.000000000","message":"You probably want to verify first that the swift_root_secret_uuid does not exist.  Otherwise, you could  create a second secret with the same name with unpredictable results.\n\nIn fact, you can probably combine these two scripts -- \n\nsecret_href\u003d$(openstack secret list --name swift_root_secret_uuid -f value -c \"Secret href\")\n\nif not secret_href:\n   order_href \u003d ....\n   secret_href \u003d ....\n\nset secret_href in conf file\n\nNote that you may have a timing issue between creating the order and getting the generated secret.  You probably want to poll /block until the order is fulfilled.","commit_id":"2fbbbc0847681b73a9cfd536e343eb7b5e36a693"},{"author":{"_account_id":9625,"name":"Thiago da Silva","email":"thiagodasilva@gmail.com","username":"thiago"},"change_message_id":"c70dd358a224e803a8ae2edb20475d8846fbc501","unresolved":false,"context_lines":[{"line_number":110,"context_line":""},{"line_number":111,"context_line":"            echo \"Creating barbican secret for swift cluster\""},{"line_number":112,"context_line":"            #TODO create uuid in mistral"},{"line_number":113,"context_line":"            order_href\u003d$(openstack secret order create --name swift_root_secret_uuid --payload-content-type\u003d\"application/octet-stream\" --algorithm aes --bit-length 256 --mode ctr key -f value -c \"Order href\")"},{"line_number":114,"context_line":"        set_swift_keymaster_key_id.sh:"},{"line_number":115,"context_line":"          mode: \"0700\""},{"line_number":116,"context_line":"          content: |"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"5f93b717_e98fae20","line":113,"in_reply_to":"9f91af0f_fa5df214","updated":"2018-01-29 20:31:21.000000000","message":"@Ade,\nI added the check to make sure that it does not exist yet, before creating a new one, but I kept as two separate scripts 
for now. The reason is that the create script runs once in the bootstrap node, and the set script runs in every node that has a swift proxy (Default is all 3 controller nodes).\n\nI thought it was better to keep them this way to avoid any race condition...","commit_id":"2fbbbc0847681b73a9cfd536e343eb7b5e36a693"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"ba1b3a4a77990573932fc388067999ba03ce656c","unresolved":false,"context_lines":[{"line_number":141,"context_line":"                sleep $loop_wait"},{"line_number":142,"context_line":"                ((loop_wait++))"},{"line_number":143,"context_line":"              fi"},{"line_number":144,"context_line":"            done"},{"line_number":145,"context_line":"      docker_config:"},{"line_number":146,"context_line":"        step_4:"},{"line_number":147,"context_line":"          map_merge:"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"5f93b717_35f71262","line":144,"updated":"2018-01-30 17:55:22.000000000","message":"What\u0027s the failure behavior here?  What happens if barbican is not available to the node for instance? 
Or if the timeouts expire?","commit_id":"ce80ec24c894d6453b90ca3aebc891bc884d27e2"},{"author":{"_account_id":9625,"name":"Thiago da Silva","email":"thiagodasilva@gmail.com","username":"thiago"},"change_message_id":"a293166e35d5e3b4fb374be3503cc62749a22a8b","unresolved":false,"context_lines":[{"line_number":141,"context_line":"                sleep $loop_wait"},{"line_number":142,"context_line":"                ((loop_wait++))"},{"line_number":143,"context_line":"              fi"},{"line_number":144,"context_line":"            done"},{"line_number":145,"context_line":"      docker_config:"},{"line_number":146,"context_line":"        step_4:"},{"line_number":147,"context_line":"          map_merge:"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"3fa0c359_ad3ed426","line":144,"in_reply_to":"5f93b717_35f71262","updated":"2018-02-06 21:44:29.000000000","message":"The create actually fails first, so I added a check there to check failure and print a hopefully \"useful\" error message and what to check","commit_id":"ce80ec24c894d6453b90ca3aebc891bc884d27e2"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"ba1b3a4a77990573932fc388067999ba03ce656c","unresolved":false,"context_lines":[{"line_number":145,"context_line":"      docker_config:"},{"line_number":146,"context_line":"        step_4:"},{"line_number":147,"context_line":"          map_merge:"},{"line_number":148,"context_line":"            - create_swift_secret:"},{"line_number":149,"context_line":"                # NOTE: Barbican should be started before creating secrets"},{"line_number":150,"context_line":"                start_order: 0"},{"line_number":151,"context_line":"                image: \u0026swift_proxy_image {get_param: DockerSwiftProxyImage}"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"5f93b717_35c5d2f1","line":148,"updated":"2018-01-30 17:55:22.000000000","message":"Recall that barbican is an optional service.  
Is there logic somewhere that executes this only when encryption is enabled and barbican is available?","commit_id":"ce80ec24c894d6453b90ca3aebc891bc884d27e2"},{"author":{"_account_id":9625,"name":"Thiago da Silva","email":"thiagodasilva@gmail.com","username":"thiago"},"change_message_id":"a293166e35d5e3b4fb374be3503cc62749a22a8b","unresolved":false,"context_lines":[{"line_number":145,"context_line":"      docker_config:"},{"line_number":146,"context_line":"        step_4:"},{"line_number":147,"context_line":"          map_merge:"},{"line_number":148,"context_line":"            - create_swift_secret:"},{"line_number":149,"context_line":"                # NOTE: Barbican should be started before creating secrets"},{"line_number":150,"context_line":"                start_order: 0"},{"line_number":151,"context_line":"                image: \u0026swift_proxy_image {get_param: DockerSwiftProxyImage}"}],"source_content_type":"text/x-yaml","patch_set":7,"id":"3fa0c359_f9d022cc","line":148,"in_reply_to":"5f93b717_35c5d2f1","updated":"2018-02-06 21:44:29.000000000","message":"Made a change that checks if Encryption is enabled. 
The assumption in this case is that Encryption would only be enabled if Barbican is available, wdyt?","commit_id":"ce80ec24c894d6453b90ca3aebc891bc884d27e2"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"0296aca9d9fd760ab7a3c325cececf7db3cc4653","unresolved":false,"context_lines":[{"line_number":150,"context_line":"                echo \"no key, wait for $loop_wait and check again\""},{"line_number":151,"context_line":"                sleep $loop_wait"},{"line_number":152,"context_line":"                ((loop_wait++))"},{"line_number":153,"context_line":"              fi"},{"line_number":154,"context_line":"            done"},{"line_number":155,"context_line":"      docker_config:"},{"line_number":156,"context_line":"        step_4:"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa0c359_6312ff0b","line":153,"updated":"2018-02-07 17:41:07.000000000","message":"Do we want a failure case somewhere to let operators/support know if this fails?  
Also is 10 seconds a sufficient enough time?","commit_id":"a957be08cd2daf0f7f2ae1d66cc9c83e9616ebf4"},{"author":{"_account_id":9625,"name":"Thiago da Silva","email":"thiagodasilva@gmail.com","username":"thiago"},"change_message_id":"017408a47d58978c7b2d5a1796f7facb3cddd317","unresolved":false,"context_lines":[{"line_number":150,"context_line":"                echo \"no key, wait for $loop_wait and check again\""},{"line_number":151,"context_line":"                sleep $loop_wait"},{"line_number":152,"context_line":"                ((loop_wait++))"},{"line_number":153,"context_line":"              fi"},{"line_number":154,"context_line":"            done"},{"line_number":155,"context_line":"      docker_config:"},{"line_number":156,"context_line":"        step_4:"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"3fa0c359_78c0657c","line":153,"in_reply_to":"3fa0c359_6312ff0b","updated":"2018-02-07 21:07:06.000000000","message":"I added the failure message. because of the loop_wait++ it should actually be 20 seconds, right? 
let me know if you think this should be adjusted...","commit_id":"a957be08cd2daf0f7f2ae1d66cc9c83e9616ebf4"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"94e26d399df75201e9334b39edb4be13bc47eb10","unresolved":false,"context_lines":[{"line_number":149,"context_line":"              else"},{"line_number":150,"context_line":"                echo \"no key, wait for $loop_wait and check again\""},{"line_number":151,"context_line":"                sleep $loop_wait"},{"line_number":152,"context_line":"                ((loop_wait++))"},{"line_number":153,"context_line":"              fi"},{"line_number":154,"context_line":"            done"},{"line_number":155,"context_line":"            echo \"Failed to set secret in keymaster.conf, check if Barbican is enabled and responding properly\""}],"source_content_type":"text/x-yaml","patch_set":10,"id":"3fa0c359_bb2587c4","line":152,"updated":"2018-02-07 21:54:27.000000000","message":"Ah you\u0027re right. I missed the loop_wait++. It\u0027s actually more like 27 seconds.  My concern is that for a loaded environment it takes a while for barbican/swift to get their stuff together.  Additionally do we need to do this in a different step or are we sure that the start order will actually wait for the completion prior to starting up the service?  
I\u0027m not entirely sure of the docker start order with docker-puppet/paunch","commit_id":"ab1a421cc6166f3643a15caf9d9ed7c3b3d8eebb"},{"author":{"_account_id":9625,"name":"Thiago da Silva","email":"thiagodasilva@gmail.com","username":"thiago"},"change_message_id":"9f1fa0041b8a48b39f9677ec61b4766d45b1e572","unresolved":false,"context_lines":[{"line_number":149,"context_line":"              else"},{"line_number":150,"context_line":"                echo \"no key, wait for $loop_wait and check again\""},{"line_number":151,"context_line":"                sleep $loop_wait"},{"line_number":152,"context_line":"                ((loop_wait++))"},{"line_number":153,"context_line":"              fi"},{"line_number":154,"context_line":"            done"},{"line_number":155,"context_line":"            echo \"Failed to set secret in keymaster.conf, check if Barbican is enabled and responding properly\""}],"source_content_type":"text/x-yaml","patch_set":10,"id":"3fa0c359_8cfdd76f","line":152,"in_reply_to":"3fa0c359_21606832","updated":"2018-02-08 20:21:43.000000000","message":"@Alex, understood and I agree that if the start_order is not followed that could create a race condition.\n\nIs there any set of automated (eg., unit, functional) testing to verify this? Not sure how to improve the situation, since *I dont think* we could change the steps. 
\n\nBasically we need Swift to be installed so that we can set the configuration file and I don\u0027t think we could start the proxy in step_5 since other services depend on it, right?","commit_id":"ab1a421cc6166f3643a15caf9d9ed7c3b3d8eebb"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"a4159cd1d2b2c2b35420c518f9c16a3208ab651a","unresolved":false,"context_lines":[{"line_number":149,"context_line":"              else"},{"line_number":150,"context_line":"                echo \"no key, wait for $loop_wait and check again\""},{"line_number":151,"context_line":"                sleep $loop_wait"},{"line_number":152,"context_line":"                ((loop_wait++))"},{"line_number":153,"context_line":"              fi"},{"line_number":154,"context_line":"            done"},{"line_number":155,"context_line":"            echo \"Failed to set secret in keymaster.conf, check if Barbican is enabled and responding properly\""}],"source_content_type":"text/x-yaml","patch_set":10,"id":"3fa0c359_ccc8bf23","line":152,"in_reply_to":"3fa0c359_8cfdd76f","updated":"2018-02-08 20:50:52.000000000","message":"I don\u0027t think we have any specific tests to verify this.  
I\u0027ll ask around.","commit_id":"ab1a421cc6166f3643a15caf9d9ed7c3b3d8eebb"},{"author":{"_account_id":9625,"name":"Thiago da Silva","email":"thiagodasilva@gmail.com","username":"thiago"},"change_message_id":"c0562d2cfc190b9d3123f59323d9bce15a25c7e1","unresolved":false,"context_lines":[{"line_number":149,"context_line":"              else"},{"line_number":150,"context_line":"                echo \"no key, wait for $loop_wait and check again\""},{"line_number":151,"context_line":"                sleep $loop_wait"},{"line_number":152,"context_line":"                ((loop_wait++))"},{"line_number":153,"context_line":"              fi"},{"line_number":154,"context_line":"            done"},{"line_number":155,"context_line":"            echo \"Failed to set secret in keymaster.conf, check if Barbican is enabled and responding properly\""}],"source_content_type":"text/x-yaml","patch_set":10,"id":"3fa0c359_c13f4423","line":152,"in_reply_to":"3fa0c359_bb2587c4","updated":"2018-02-07 23:16:40.000000000","message":"@Alex, that\u0027s a really good question, I\u0027d just hope that start_order would work. OTOH, Barbican itself gets set-up in step_3 along with keystone, so by the time it gets to step4, the create script just makes a call to create a secret and everything should be in order already?? maybe? hopefuly? ;)\n\nNot sure what the alternative would be? push the create script to step_3? 
we would need to get the auth credentials (L131-L138) some other way...","commit_id":"ab1a421cc6166f3643a15caf9d9ed7c3b3d8eebb"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"eef3de8240953d1521fc45cc054364d89377e0b9","unresolved":false,"context_lines":[{"line_number":149,"context_line":"              else"},{"line_number":150,"context_line":"                echo \"no key, wait for $loop_wait and check again\""},{"line_number":151,"context_line":"                sleep $loop_wait"},{"line_number":152,"context_line":"                ((loop_wait++))"},{"line_number":153,"context_line":"              fi"},{"line_number":154,"context_line":"            done"},{"line_number":155,"context_line":"            echo \"Failed to set secret in keymaster.conf, check if Barbican is enabled and responding properly\""}],"source_content_type":"text/x-yaml","patch_set":10,"id":"3fa0c359_21606832","line":152,"in_reply_to":"3fa0c359_c13f4423","updated":"2018-02-07 23:19:05.000000000","message":"So the create script would be fine, my concern is the updating of the swift config before the swift proxy starts.  I guess it\u0027s one of those things that\u0027ll be exposed with some testing. 
I\u0027m just concerned it\u0027s a race condition","commit_id":"ab1a421cc6166f3643a15caf9d9ed7c3b3d8eebb"},{"author":{"_account_id":14985,"name":"Alex Schultz","email":"aschultz@next-development.com","username":"mwhahaha"},"change_message_id":"a4159cd1d2b2c2b35420c518f9c16a3208ab651a","unresolved":false,"context_lines":[{"line_number":180,"context_line":"                    start_order: 1"},{"line_number":181,"context_line":"                    image: *swift_proxy_image"},{"line_number":182,"context_line":"                    net: host"},{"line_number":183,"context_line":"                    detach: false"},{"line_number":184,"context_line":"                    volumes:"},{"line_number":185,"context_line":"                        list_concat:"},{"line_number":186,"context_line":"                          - {get_attr: [ContainersCommon, volumes]}"}],"source_content_type":"text/x-yaml","patch_set":10,"id":"3fa0c359_4f96e14e","line":183,"range":{"start_line":183,"start_character":20,"end_line":183,"end_character":33},"updated":"2018-02-08 20:50:52.000000000","message":"I asked sbaker and this (detach: false) will cause paunch to block so these two tasks will run before the swift_proxy container launches.  If it was detach: true, then they would all launch one after each other without waiting","commit_id":"ab1a421cc6166f3643a15caf9d9ed7c3b3d8eebb"}]}
