Wednesday, 2026-07-01

opendevreviewHao Chen proposed openstack/cinder master: Hitachi: fix VCP-volume zombie issue on B20 storag  https://review.opendev.org/c/openstack/cinder/+/99560701:14
opendevreviewFuli Qi proposed openstack/cinder-specs master: Add spec for retype volume including snapshots  https://review.opendev.org/c/openstack/cinder-specs/+/98932202:54
opendevreviewAdam Harwell proposed openstack/cinder master: Add ASGI entry point for Cinder API  https://review.opendev.org/c/openstack/cinder/+/99513104:08
opendevreviewAdam Harwell proposed openstack/cinder master: Add ASGI entry point for Cinder API  https://review.opendev.org/c/openstack/cinder/+/99513106:03
opendevreviewAmithabh proposed openstack/cinder master: Shield backend driver exceptions from API response  https://review.opendev.org/c/openstack/cinder/+/99371507:01
zigoHi team!08:39
zigoI'd like to discuss my patch over here:08:39
zigohttps://review.opendev.org/c/openstack/cinder/+/97964108:39
zigoI've been told that this:08:39
zigo        volume_services = objects.ServiceList.get_all(context,08:39
zigo                                                      {'topic': topic,08:39
zigo                                                       'disabled': False,08:39
zigo                                                       'frozen': False})08:39
zigoshould already filter disabled hosts and that therefore, they wouldn't appear in the backend_state_map. However, I quickly vibe-coded this to check for this fact:08:39
zigohttps://paste.opendev.org/show/bEFKllJ3DSoHBnifIUUT/08:39
zigoand the restult is: it *IS* returning disabled hosts, which isn't what _update_backend_state_map() is expecting.08:39
zigoSo I wonder: what's the way forward? Fix objects.ServiceList.get_all() so that it really takes into account 'disabled': False ? Or does my patch becomes valid then?08:39
zigoTo me, my original patch is correct, OR we are changing a lot of things in the _service_query() which may have unexpected behaviors at other places.09:27
zigoThis may indeed, breaks the scheduler.09:27
zigoeharney: Your thoughts ?09:28
opendevreviewAnatoli Barzev proposed openstack/cinder master: Fix backup stuck in 'creating' when get_backup_device fails  https://review.opendev.org/c/openstack/cinder/+/99411312:51
opendevreviewAnatoli Barzev proposed openstack/cinder master: Fix backup stuck in 'creating' when get_backup_device fails  https://review.opendev.org/c/openstack/cinder/+/99411313:46
zigoI wrote all in https://bugs.launchpad.net/cinder/+bug/215888913:52
eharneyzigo: thanks for digging into it, will try to take a look13:53
zigo:)13:54
jbernard#startmeeting cinder14:01
opendevmeetMeeting started Wed Jul  1 14:01:34 2026 UTC and is due to finish in 60 minutes.  The chair is jbernard. Information about MeetBot at http://wiki.debian.org/MeetBot.14:01
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:01
opendevmeetThe meeting name has been set to 'cinder'14:01
jbernard#link https://etherpad.opendev.org/p/cinder-hibiscus-meetings14:01
jbernardcourtesy ping: jungleboyj rosmaita smcginnis tosky whoami-rajat m5z e0ne geguileo eharney jbernard hemna fabiooliveira yuval tobias-urdin adiare happystacker dosaboy hillpd msaravan sp-bmilanov Luzi sfernand simondodsley  zaubea nileshthathagar flelain wizardbit agalica lutimura kaisers aloke_dev Anoop_Shukla erlon Jyotsna14:01
jbernard#topic roll call14:02
jbernardo/14:02
simondodsleyo/14:02
erlono/14:03
rosmaitao/14:03
auniyalo/14:03
Jyotsnao/14:03
jbernard#topic annoucements14:05
jbernardperiodic weekly jobs check14:05
jbernardall green14:05
jayaanando/14:06
jbernardso, festival of reviews is supposed to be this friday, it's a us holiday14:06
jbernardwhat do we want to do?14:06
jbernardeverything is closed (including childcare) so i cant make it, but it could still go on if we have enough folks14:07
jayaanandWe can meet for next to next week. Enjoy holidays 14:09
rosmaitai will be on the road and don't think i can review and drive simultaneously14:09
simondodsleywhy not?14:10
simondodsleyDon't you have a Tesla with FSD14:10
rosmaitamy wife will not enjoy the discussion of bug fixes14:10
jayaanand:-)14:10
harsho/14:10
rosmaitaalso, if i had Tesla FSD, i would *really* have to pay attention to my driving!14:11
jayaanandHow are the temperatures over there currently? Hope the weather is manageable14:12
rosmaitai'm at a bit of elevation so it's not too bad, though it is 28C right now at 10 in the morning14:13
erlonLet's push it to the next week? Otherwise we're going to miss 2 in a row 14:14
jbernardok, so move it to next friday?14:14
jbernardor monday?14:15
rosmaitamonday would be too confusing14:15
rosmaita:D14:15
jbernardok :)14:15
rosmaitaso Friday July 1014:15
jbernardwe can push it to next friday then14:15
rosmaitaand then we will do it again on July 1714:16
jbernardso we'll have 2 in a fow14:16
jayaanandok14:16
jbernardwhich is probably a good thing14:16
jbernard#topic driver security exceptions14:17
rosmaita#link https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/44MLENT3AXUML7CYYLNWO6Z7LO6CQT6W/14:18
rosmaitai will try to summarize14:18
rosmaitabasically, there are 2 things going on with respect to how cinder drivers handle security issues14:19
rosmaita1. people using LLMs to do security analysis14:19
rosmaita2. an interest in using cinder volumes with ironic (the bare metal service)14:19
rosmaitaso, security bug reports are being made14:20
rosmaitathe intersection of 1 and 2 is that we make an assumption with cinder that the storage network is not exposed to end users14:20
rosmaitawe depend on nova to make the connections etc so that volumes can be used with instances14:21
rosmaitawith ironic, a regular end user has complete control of a server14:21
rosmaitawith no hypervisor14:21
rosmaitaso the request is that cinder needs to document what our expectations are for how cinder and storage networks are deployed14:22
jbernardquick question, are all of these ironic-related, or are any contained solely within cinder, or cinder/nova?14:22
rosmaitai think the bugs listed in that email are all general and independent of ironic14:23
zigoo/14:23
zigoPlease ping me at end of meeting.14:23
rosmaitathe first one is a manila bug, the rest are all cinder14:23
jbernardzigo: ack14:23
opendevreviewTakashi Kajinami proposed openstack/cinder master: Fix interface mismatch detected by tooz 9.0.0  https://review.opendev.org/c/openstack/cinder/+/99569114:23
rosmaitaso, there are a few things going on14:24
rosmaita(a) drivers doing "bad" stuff like hard-coding http14:24
jbernardnot all drivers support chap auth (or require it if they do)14:24
rosmaita(b) drivers having default values that are insecure14:25
rosmaita(c) what Jon said14:25
rosmaitaso we need to think about how we as the cinder community want to handle this14:26
jbernardis the ask to address these issue, or just document their existence?14:26
rosmaitai think it's both14:26
rosmaitalike turning off urllib3 warnings or hard=coding http should be fixed14:27
rosmaitabut the request is also that we document what our expectations are14:27
jbernardseems fair14:27
rosmaitalike, if the storage network has to be isolated14:27
jbernardi assumed this was understood for production deployments14:28
rosmaitait would be up to vendors to decide if they want to make changes to support ironic fully14:28
rosmaitajbernard: i did too, but the first generation of openstack deployers are gone, and the new generation doesn't have the assumed knowledge14:29
erlonIf we have a common set of things to be aware/avoid, then should be easy to look them through the drivers. But it will be very hard to find hidden vulnerabilities, in each one of them 14:29
simondodsleyi'm not sure we should be flipping thins like CHAP support to be enabled by default - that could break many deployments14:29
rosmaitasimondodsley: yes, that's why we need a discussion about the best way to handle this14:29
rosmaitapossibly a security matrix to go along with the current driver supported features matrix?14:29
simondodsleyalso, there are many drivers out there today with no ongoing development - so how do we deal with those14:30
jbernardwe need to document general expectations, and possibly update our driver matrix to include possible vulnerabilities14:30
rosmaitai think the no ongoing development drivers will get marked unsupported14:30
rosmaitaor could be removed, we will have to decide14:30
rosmaitai think the main concern right now is that operators should not expect things to be secure right out of the box14:31
rosmaitawhich they probably shouldn't but i guess we haven't explicitly stated that anywhere14:31
simondodsleythis is a symptom of the times combined with the maturity of openstack in general14:32
jbernardrosmaita: where should a general expectations document live?14:33
erlonsimondodsley,setting security things by default seems the right think to me, even if that means breaking deployments. It should always happen with enough time warning for operators to act proactively ( which almost always don't happen), but changing them regardless we will act as a scream test. 14:33
rosmaitai guess in the cinder docs somewhere, we will have to discuss that too14:34
rosmaitawith a prominent link in the deployment guide14:34
simondodsleythe joke of it is, espeically when you talk about iSCSI CHAP is that it is only MD-3 and contains the key in free text if you know where to look - I could break a CHAP security system with my phone these days14:34
jbernardobjections to adding a 'security concerns' column to the driver matrix?14:34
erlonAnd since this is a cinder<->ironic issue, we should clearly flag ironic as a supported/not-supported feature for drivers 14:35
simondodsleythat would be an inverse column - people look for YEs in the matrix as a good thing - you need to pivot the column title14:35
jbernardsure14:35
jbernardessentially though, tenant access to the storage network is always going to be a risk14:36
simondodsleybut some drivers have ironic support for some, but not all the protocols they support - for example, there is no ironic support for NVMe-TCP14:36
erlonSomething like 'Ironic support' 14:37
eharneythe concerns aren't really specific to Ironic though, right?14:37
jbernardno, but the concerns are most prevalent if ironic is deployed, assuming storage network isolation14:38
jbernardi think step 1 for us is to update our deployment guide with expectations and security concepts to be aware of14:40
jbernardand possibly a driver matrix update to list known driver-specific issues14:41
rosmaitaand step 0 would be for all driver maintainers to read Jay's email and look at the bugs to see if they apply to their drivers14:41
jbernardyes14:42
jbernarddo we have repoted exploits for any of these, or is this what an LLM pass found?14:43
rosmaitano exploits were reported, just the possibility14:43
rosmaitaand i think also the fear that new drivers would repeat insecure old driver practices14:44
rosmaitaok, that's all from me ... something for everyone to start thinking about, we can discuss strategy more next week14:46
Anoop_ShuklaFrom driver side, are we expected to fix these?14:47
Anoop_ShuklaSecurity issues..14:48
rosmaitaAnoop_Shukla: i think it will depend on the bug14:48
Anoop_ShuklaRight..we will try to prioritise the ones where NetApp drivers are involved..14:49
rosmaitasome should definitely be fixed, like hard-coding http or turning off urllib3 warnings14:49
rosmaitait would be good to look at what it would take to make the config options more secure by default14:49
rosmaitalike, not checking certificates14:49
rosmaitai thihnk now, a lot of drivers don't check by default14:50
rosmaitaso the idea is, it's ok for an operator to not check certs if they don't want to, but the default should be secure14:50
jbernardrosmaita: +114:51
rosmaitaso that the operator has to make a conscious choice to operate insecurely14:51
Anoop_Shuklasure14:52
Anoop_ShuklaAre these reported to customers in a public page?14:52
jbernardthe ossa links are on launchpad14:53
Anoop_ShuklaOr is there a centralized security bug repo which is accessible to operators and users14:53
Anoop_Shuklaokay14:53
jbernardwe have 5 mins remaining14:54
rosmaitayeah, it's just the regular Launchpad, you have to search for the bugs14:54
JyotsnaHPE Alletra MP new driver patch : https://review.opendev.org/c/openstack/cinder/+/969373  and https://review.opendev.org/c/openstack/requirements/+/97432214:54
JyotsnaAddressed feedback for reviewers and submitted patchset. Both Zuul and all 3 CIs are passed (iSCSI, FC and NVMe). We are awaiting +2 on both the PRs. As it is critical for us to provide timelines to customers, we would be grateful for help in moving it towards merge.14:54
jbernardzigo: what's up?14:54
zigoI wanted to discuss this: https://bugs.launchpad.net/cinder/+bug/215888914:54
zigoI found out that the backend_host_map is currently wrong if one sets cluster= in cinder.conf14:55
zigoTo me, there's 2 possible fixes: either the one I originally proposed, which is, check the value of .disable for each service, one by one.14:55
zigoOr 2/ go all the way in the get_all_service() and fix the filtering so that it we add a new parameter to ignore the other hosts of the clusters when filtering.14:55
zigoAnd I'd like to know what the team think is best.14:56
zigoMaybe I'm asking too soon, and I should give everyone enough time to look at the bug I opened?14:56
jbernardlooking at your patch, it doens't look like there's strong objection to the approach14:58
jbernardjust some clarifying questions so far14:58
zigoSo, I should probably add some comments in the code as to why it should be this way?14:58
jbernardtrying to parse as fast as i can, rosmaita and/or eharney - do either of you have comment? i think you've looked at this before?14:59
opendevreviewTakashi Kajinami proposed openstack/cinder master: Fix interface mismatch detected by tooz 9.0.0  https://review.opendev.org/c/openstack/cinder/+/99569115:00
JyotsnaMay I request reviewer's attention again on HPE new driver patches after the rework submitted. We have to provide tentative dates to customers. May I request <erlon> for +1 in case he is OK with rework on patch.15:00
rosmaitai did take a quick look at the original patch a while back but it seemed like the change it was making wasn't going to fix the problem, or that i was misunderstanding the problem15:00
rosmaitalooks like zigo was able to vibe code a reproducer, though15:02
zigoIndeed !15:02
jbernardok, so this might just need more time for folks to reviews15:02
zigoI can add it to the bug.15:02
jbernardzigo: could help to increase visibility15:03
opendevreviewSimon Dodsley proposed openstack/cinder master: Add a reference CBT volume driver for vendors  https://review.opendev.org/c/openstack/cinder/+/99570315:03
zigoThanks, I believe that's enough then ! :)15:05
jbernardzigo: let's give folks some more time, i don't see an objection to the approach15:05
zigoSure !15:05
jbernardwe're 5 mins over, i think we can wrap unless there's something urgent that missed the agenda15:06
jbernard#endmeeting15:06
opendevmeetMeeting ended Wed Jul  1 15:06:46 2026 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:06
opendevmeetMinutes:        https://meetings.opendev.org/meetings/cinder/2026/cinder.2026-07-01-14.01.html15:06
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/cinder/2026/cinder.2026-07-01-14.01.txt15:06
opendevmeetLog:            https://meetings.opendev.org/meetings/cinder/2026/cinder.2026-07-01-14.01.log.html15:06
jbernardthanks everyone15:06
erlonJyotsna: what do you mean by 'tentative dates to customers'?15:09
erlonJyotsna: how is the CI status?15:10
JyotsnaAll passed15:11
JyotsnaWe have promised customer for new driver with lot of fixes in it which they are waiting so we have to update them when it will be released 15:12
opendevreviewTakashi Kajinami proposed openstack/cinder master: Fix interface mismatch detected by tooz 9.0.0  https://review.opendev.org/c/openstack/cinder/+/99569115:12
jayaanandzigo: pending review comments from my end, I will review again15:15
zigoI'm writing in the PR, and adding the bug so it's linked to it.15:16
zigoDo not trust me on the SQLAlchemy stuff, I'm not 100% sure of what I'm writing ! :)15:16
opendevreviewThomas Goirand proposed openstack/cinder master: Remove disabled services from state_map  https://review.opendev.org/c/openstack/cinder/+/97964115:16
opendevreviewTakashi Kajinami proposed openstack/cinder master: Fix interface mismatch detected by tooz 9.0.0  https://review.opendev.org/c/openstack/cinder/+/99569115:18
zigoSpecifically, I'm unsure how to decypher https://github.com/openstack/cinder/blob/85611cbc18efd44f27cce2b5dfb8b2d156230ba8/cinder/db/api.py#L76415:18
opendevreviewGireesh Awasthi proposed openstack/cinder master: NetApp NFS/NVME Driver – Optimizes the efficiency of pool stats update  https://review.opendev.org/c/openstack/cinder/+/96838016:10
tkajinamo/ I'd appreciate it if https://review.opendev.org/c/openstack/cinder/+/995691 can get some attention. This is required to umblock bumping tooz in global u-c16:40
tkajinamunblock *16:40
opendevreviewTakashi Kajinami proposed openstack/cinder master: Apply consistent irrenevant-files for grenade-skip-level-always  https://review.opendev.org/c/openstack/cinder/+/99572116:45
opendevreviewTakashi Kajinami proposed openstack/cinder master: Apply consistent irrelevant-files for grenade jobs  https://review.opendev.org/c/openstack/cinder/+/99572116:48
opendevreviewSimon Dodsley proposed openstack/cinder master: Add Changed Block Tracking (CBT) backup framework and changed-blocks API  https://review.opendev.org/c/openstack/cinder/+/99092318:12
opendevreviewMerged openstack/cinder master: Dell PowerFlex: Handle missing errorCode in NVMe-oF REST error responses  https://review.opendev.org/c/openstack/cinder/+/98874218:31
opendevreviewEric Harney proposed openstack/cinder master: Use specific http sub-module for status codes  https://review.opendev.org/c/openstack/cinder/+/90761618:44
opendevreviewEric Harney proposed openstack/cinder master: Use specific http sub-module for status codes  https://review.opendev.org/c/openstack/cinder/+/90761618:48
opendevreviewAnoop Kumar Shukla proposed openstack/cinder master: [docs] add logging guidelines for contributor guide  https://review.opendev.org/c/openstack/cinder/+/99412119:08
opendevreviewRajat Dhasmana proposed openstack/cinder master: Add volume group snapshot support (2/2)  https://review.opendev.org/c/openstack/cinder/+/99573719:21
opendevreviewSimon Dodsley proposed openstack/cinder master: LVM: add Changed Block Tracking backup support for thin volumes  https://review.opendev.org/c/openstack/cinder/+/99573819:24
opendevreviewSimon Dodsley proposed openstack/cinder-tempest-plugin master: Add worst-case Changed Block Tracking (CBT) scenario test  https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/99574119:29
opendevreviewAlexander Deiter proposed openstack/cinder master: Infinidat: create a single host object per connector  https://review.opendev.org/c/openstack/cinder/+/99574319:38
opendevreviewSimon Dodsley proposed openstack/cinder master: Add Changed Block Tracking (CBT) backup framework and changed-blocks API  https://review.opendev.org/c/openstack/cinder/+/99092319:42
opendevreviewRajat Dhasmana proposed openstack/cinder master: WIP: Add RBD groups support (1/2)  https://review.opendev.org/c/openstack/cinder/+/99518919:54
opendevreviewRajat Dhasmana proposed openstack/cinder master: Add volume group snapshot support (2/2)  https://review.opendev.org/c/openstack/cinder/+/99573719:54
opendevreviewSimon Dodsley proposed openstack/cinder master: Add Changed Block Tracking (CBT) backup framework and changed-blocks API  https://review.opendev.org/c/openstack/cinder/+/99092320:47
opendevreviewSimon Dodsley proposed openstack/cinder master: LVM: add Changed Block Tracking backup support for thin volumes  https://review.opendev.org/c/openstack/cinder/+/99573820:47
opendevreviewSimon Dodsley proposed openstack/cinder master: FlashArray: add Changed Block Tracking backup support  https://review.opendev.org/c/openstack/cinder/+/99098220:48
opendevreviewSimon Dodsley proposed openstack/cinder master: Add a reference CBT volume driver for vendors  https://review.opendev.org/c/openstack/cinder/+/99570320:48
opendevreviewAnthony Galica proposed openstack/cinder master: Hitachi: fix VCP-volume zombie issue on B20 storage  https://review.opendev.org/c/openstack/cinder/+/99560722:22
opendevreviewAnthony Galica proposed openstack/cinder master: Hitachi: fix VCP-volume zombie issue on B20 storage  https://review.opendev.org/c/openstack/cinder/+/99560722:35
opendevreviewAnthony Galica proposed openstack/cinder master: Hitachi: fix VCP-volume zombie issue on B20 storage  https://review.opendev.org/c/openstack/cinder/+/99560722:36

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!