| opendevreview | Hao Chen proposed openstack/cinder master: Hitachi: fix VCP-volume zombie issue on B20 storag https://review.opendev.org/c/openstack/cinder/+/995607 | 01:14 |
|---|---|---|
| opendevreview | Fuli Qi proposed openstack/cinder-specs master: Add spec for retype volume including snapshots https://review.opendev.org/c/openstack/cinder-specs/+/989322 | 02:54 |
| opendevreview | Adam Harwell proposed openstack/cinder master: Add ASGI entry point for Cinder API https://review.opendev.org/c/openstack/cinder/+/995131 | 04:08 |
| opendevreview | Adam Harwell proposed openstack/cinder master: Add ASGI entry point for Cinder API https://review.opendev.org/c/openstack/cinder/+/995131 | 06:03 |
| opendevreview | Amithabh proposed openstack/cinder master: Shield backend driver exceptions from API response https://review.opendev.org/c/openstack/cinder/+/993715 | 07:01 |
| zigo | Hi team! | 08:39 |
| zigo | I'd like to discuss my patch over here: | 08:39 |
| zigo | https://review.opendev.org/c/openstack/cinder/+/979641 | 08:39 |
| zigo | I've been told that this: | 08:39 |
| zigo | volume_services = objects.ServiceList.get_all(context, | 08:39 |
| zigo | {'topic': topic, | 08:39 |
| zigo | 'disabled': False, | 08:39 |
| zigo | 'frozen': False}) | 08:39 |
| zigo | should already filter disabled hosts and that therefore, they wouldn't appear in the backend_state_map. However, I quickly vibe-coded this to check for this fact: | 08:39 |
| zigo | https://paste.opendev.org/show/bEFKllJ3DSoHBnifIUUT/ | 08:39 |
| zigo | and the restult is: it *IS* returning disabled hosts, which isn't what _update_backend_state_map() is expecting. | 08:39 |
| zigo | So I wonder: what's the way forward? Fix objects.ServiceList.get_all() so that it really takes into account 'disabled': False ? Or does my patch becomes valid then? | 08:39 |
| zigo | To me, my original patch is correct, OR we are changing a lot of things in the _service_query() which may have unexpected behaviors at other places. | 09:27 |
| zigo | This may indeed, breaks the scheduler. | 09:27 |
| zigo | eharney: Your thoughts ? | 09:28 |
| opendevreview | Anatoli Barzev proposed openstack/cinder master: Fix backup stuck in 'creating' when get_backup_device fails https://review.opendev.org/c/openstack/cinder/+/994113 | 12:51 |
| opendevreview | Anatoli Barzev proposed openstack/cinder master: Fix backup stuck in 'creating' when get_backup_device fails https://review.opendev.org/c/openstack/cinder/+/994113 | 13:46 |
| zigo | I wrote all in https://bugs.launchpad.net/cinder/+bug/2158889 | 13:52 |
| eharney | zigo: thanks for digging into it, will try to take a look | 13:53 |
| zigo | :) | 13:54 |
| jbernard | #startmeeting cinder | 14:01 |
| opendevmeet | Meeting started Wed Jul 1 14:01:34 2026 UTC and is due to finish in 60 minutes. The chair is jbernard. Information about MeetBot at http://wiki.debian.org/MeetBot. | 14:01 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 14:01 |
| opendevmeet | The meeting name has been set to 'cinder' | 14:01 |
| jbernard | #link https://etherpad.opendev.org/p/cinder-hibiscus-meetings | 14:01 |
| jbernard | courtesy ping: jungleboyj rosmaita smcginnis tosky whoami-rajat m5z e0ne geguileo eharney jbernard hemna fabiooliveira yuval tobias-urdin adiare happystacker dosaboy hillpd msaravan sp-bmilanov Luzi sfernand simondodsley zaubea nileshthathagar flelain wizardbit agalica lutimura kaisers aloke_dev Anoop_Shukla erlon Jyotsna | 14:01 |
| jbernard | #topic roll call | 14:02 |
| jbernard | o/ | 14:02 |
| simondodsley | o/ | 14:02 |
| erlon | o/ | 14:03 |
| rosmaita | o/ | 14:03 |
| auniyal | o/ | 14:03 |
| Jyotsna | o/ | 14:03 |
| jbernard | #topic annoucements | 14:05 |
| jbernard | periodic weekly jobs check | 14:05 |
| jbernard | all green | 14:05 |
| jayaanand | o/ | 14:06 |
| jbernard | so, festival of reviews is supposed to be this friday, it's a us holiday | 14:06 |
| jbernard | what do we want to do? | 14:06 |
| jbernard | everything is closed (including childcare) so i cant make it, but it could still go on if we have enough folks | 14:07 |
| jayaanand | We can meet for next to next week. Enjoy holidays | 14:09 |
| rosmaita | i will be on the road and don't think i can review and drive simultaneously | 14:09 |
| simondodsley | why not? | 14:10 |
| simondodsley | Don't you have a Tesla with FSD | 14:10 |
| rosmaita | my wife will not enjoy the discussion of bug fixes | 14:10 |
| jayaanand | :-) | 14:10 |
| harsh | o/ | 14:10 |
| rosmaita | also, if i had Tesla FSD, i would *really* have to pay attention to my driving! | 14:11 |
| jayaanand | How are the temperatures over there currently? Hope the weather is manageable | 14:12 |
| rosmaita | i'm at a bit of elevation so it's not too bad, though it is 28C right now at 10 in the morning | 14:13 |
| erlon | Let's push it to the next week? Otherwise we're going to miss 2 in a row | 14:14 |
| jbernard | ok, so move it to next friday? | 14:14 |
| jbernard | or monday? | 14:15 |
| rosmaita | monday would be too confusing | 14:15 |
| rosmaita | :D | 14:15 |
| jbernard | ok :) | 14:15 |
| rosmaita | so Friday July 10 | 14:15 |
| jbernard | we can push it to next friday then | 14:15 |
| rosmaita | and then we will do it again on July 17 | 14:16 |
| jbernard | so we'll have 2 in a fow | 14:16 |
| jayaanand | ok | 14:16 |
| jbernard | which is probably a good thing | 14:16 |
| jbernard | #topic driver security exceptions | 14:17 |
| rosmaita | #link https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/44MLENT3AXUML7CYYLNWO6Z7LO6CQT6W/ | 14:18 |
| rosmaita | i will try to summarize | 14:18 |
| rosmaita | basically, there are 2 things going on with respect to how cinder drivers handle security issues | 14:19 |
| rosmaita | 1. people using LLMs to do security analysis | 14:19 |
| rosmaita | 2. an interest in using cinder volumes with ironic (the bare metal service) | 14:19 |
| rosmaita | so, security bug reports are being made | 14:20 |
| rosmaita | the intersection of 1 and 2 is that we make an assumption with cinder that the storage network is not exposed to end users | 14:20 |
| rosmaita | we depend on nova to make the connections etc so that volumes can be used with instances | 14:21 |
| rosmaita | with ironic, a regular end user has complete control of a server | 14:21 |
| rosmaita | with no hypervisor | 14:21 |
| rosmaita | so the request is that cinder needs to document what our expectations are for how cinder and storage networks are deployed | 14:22 |
| jbernard | quick question, are all of these ironic-related, or are any contained solely within cinder, or cinder/nova? | 14:22 |
| rosmaita | i think the bugs listed in that email are all general and independent of ironic | 14:23 |
| zigo | o/ | 14:23 |
| zigo | Please ping me at end of meeting. | 14:23 |
| rosmaita | the first one is a manila bug, the rest are all cinder | 14:23 |
| jbernard | zigo: ack | 14:23 |
| opendevreview | Takashi Kajinami proposed openstack/cinder master: Fix interface mismatch detected by tooz 9.0.0 https://review.opendev.org/c/openstack/cinder/+/995691 | 14:23 |
| rosmaita | so, there are a few things going on | 14:24 |
| rosmaita | (a) drivers doing "bad" stuff like hard-coding http | 14:24 |
| jbernard | not all drivers support chap auth (or require it if they do) | 14:24 |
| rosmaita | (b) drivers having default values that are insecure | 14:25 |
| rosmaita | (c) what Jon said | 14:25 |
| rosmaita | so we need to think about how we as the cinder community want to handle this | 14:26 |
| jbernard | is the ask to address these issue, or just document their existence? | 14:26 |
| rosmaita | i think it's both | 14:26 |
| rosmaita | like turning off urllib3 warnings or hard=coding http should be fixed | 14:27 |
| rosmaita | but the request is also that we document what our expectations are | 14:27 |
| jbernard | seems fair | 14:27 |
| rosmaita | like, if the storage network has to be isolated | 14:27 |
| jbernard | i assumed this was understood for production deployments | 14:28 |
| rosmaita | it would be up to vendors to decide if they want to make changes to support ironic fully | 14:28 |
| rosmaita | jbernard: i did too, but the first generation of openstack deployers are gone, and the new generation doesn't have the assumed knowledge | 14:29 |
| erlon | If we have a common set of things to be aware/avoid, then should be easy to look them through the drivers. But it will be very hard to find hidden vulnerabilities, in each one of them | 14:29 |
| simondodsley | i'm not sure we should be flipping thins like CHAP support to be enabled by default - that could break many deployments | 14:29 |
| rosmaita | simondodsley: yes, that's why we need a discussion about the best way to handle this | 14:29 |
| rosmaita | possibly a security matrix to go along with the current driver supported features matrix? | 14:29 |
| simondodsley | also, there are many drivers out there today with no ongoing development - so how do we deal with those | 14:30 |
| jbernard | we need to document general expectations, and possibly update our driver matrix to include possible vulnerabilities | 14:30 |
| rosmaita | i think the no ongoing development drivers will get marked unsupported | 14:30 |
| rosmaita | or could be removed, we will have to decide | 14:30 |
| rosmaita | i think the main concern right now is that operators should not expect things to be secure right out of the box | 14:31 |
| rosmaita | which they probably shouldn't but i guess we haven't explicitly stated that anywhere | 14:31 |
| simondodsley | this is a symptom of the times combined with the maturity of openstack in general | 14:32 |
| jbernard | rosmaita: where should a general expectations document live? | 14:33 |
| erlon | simondodsley,setting security things by default seems the right think to me, even if that means breaking deployments. It should always happen with enough time warning for operators to act proactively ( which almost always don't happen), but changing them regardless we will act as a scream test. | 14:33 |
| rosmaita | i guess in the cinder docs somewhere, we will have to discuss that too | 14:34 |
| rosmaita | with a prominent link in the deployment guide | 14:34 |
| simondodsley | the joke of it is, espeically when you talk about iSCSI CHAP is that it is only MD-3 and contains the key in free text if you know where to look - I could break a CHAP security system with my phone these days | 14:34 |
| jbernard | objections to adding a 'security concerns' column to the driver matrix? | 14:34 |
| erlon | And since this is a cinder<->ironic issue, we should clearly flag ironic as a supported/not-supported feature for drivers | 14:35 |
| simondodsley | that would be an inverse column - people look for YEs in the matrix as a good thing - you need to pivot the column title | 14:35 |
| jbernard | sure | 14:35 |
| jbernard | essentially though, tenant access to the storage network is always going to be a risk | 14:36 |
| simondodsley | but some drivers have ironic support for some, but not all the protocols they support - for example, there is no ironic support for NVMe-TCP | 14:36 |
| erlon | Something like 'Ironic support' | 14:37 |
| eharney | the concerns aren't really specific to Ironic though, right? | 14:37 |
| jbernard | no, but the concerns are most prevalent if ironic is deployed, assuming storage network isolation | 14:38 |
| jbernard | i think step 1 for us is to update our deployment guide with expectations and security concepts to be aware of | 14:40 |
| jbernard | and possibly a driver matrix update to list known driver-specific issues | 14:41 |
| rosmaita | and step 0 would be for all driver maintainers to read Jay's email and look at the bugs to see if they apply to their drivers | 14:41 |
| jbernard | yes | 14:42 |
| jbernard | do we have repoted exploits for any of these, or is this what an LLM pass found? | 14:43 |
| rosmaita | no exploits were reported, just the possibility | 14:43 |
| rosmaita | and i think also the fear that new drivers would repeat insecure old driver practices | 14:44 |
| rosmaita | ok, that's all from me ... something for everyone to start thinking about, we can discuss strategy more next week | 14:46 |
| Anoop_Shukla | From driver side, are we expected to fix these? | 14:47 |
| Anoop_Shukla | Security issues.. | 14:48 |
| rosmaita | Anoop_Shukla: i think it will depend on the bug | 14:48 |
| Anoop_Shukla | Right..we will try to prioritise the ones where NetApp drivers are involved.. | 14:49 |
| rosmaita | some should definitely be fixed, like hard-coding http or turning off urllib3 warnings | 14:49 |
| rosmaita | it would be good to look at what it would take to make the config options more secure by default | 14:49 |
| rosmaita | like, not checking certificates | 14:49 |
| rosmaita | i thihnk now, a lot of drivers don't check by default | 14:50 |
| rosmaita | so the idea is, it's ok for an operator to not check certs if they don't want to, but the default should be secure | 14:50 |
| jbernard | rosmaita: +1 | 14:51 |
| rosmaita | so that the operator has to make a conscious choice to operate insecurely | 14:51 |
| Anoop_Shukla | sure | 14:52 |
| Anoop_Shukla | Are these reported to customers in a public page? | 14:52 |
| jbernard | the ossa links are on launchpad | 14:53 |
| Anoop_Shukla | Or is there a centralized security bug repo which is accessible to operators and users | 14:53 |
| Anoop_Shukla | okay | 14:53 |
| jbernard | we have 5 mins remaining | 14:54 |
| rosmaita | yeah, it's just the regular Launchpad, you have to search for the bugs | 14:54 |
| Jyotsna | HPE Alletra MP new driver patch : https://review.opendev.org/c/openstack/cinder/+/969373 and https://review.opendev.org/c/openstack/requirements/+/974322 | 14:54 |
| Jyotsna | Addressed feedback for reviewers and submitted patchset. Both Zuul and all 3 CIs are passed (iSCSI, FC and NVMe). We are awaiting +2 on both the PRs. As it is critical for us to provide timelines to customers, we would be grateful for help in moving it towards merge. | 14:54 |
| jbernard | zigo: what's up? | 14:54 |
| zigo | I wanted to discuss this: https://bugs.launchpad.net/cinder/+bug/2158889 | 14:54 |
| zigo | I found out that the backend_host_map is currently wrong if one sets cluster= in cinder.conf | 14:55 |
| zigo | To me, there's 2 possible fixes: either the one I originally proposed, which is, check the value of .disable for each service, one by one. | 14:55 |
| zigo | Or 2/ go all the way in the get_all_service() and fix the filtering so that it we add a new parameter to ignore the other hosts of the clusters when filtering. | 14:55 |
| zigo | And I'd like to know what the team think is best. | 14:56 |
| zigo | Maybe I'm asking too soon, and I should give everyone enough time to look at the bug I opened? | 14:56 |
| jbernard | looking at your patch, it doens't look like there's strong objection to the approach | 14:58 |
| jbernard | just some clarifying questions so far | 14:58 |
| zigo | So, I should probably add some comments in the code as to why it should be this way? | 14:58 |
| jbernard | trying to parse as fast as i can, rosmaita and/or eharney - do either of you have comment? i think you've looked at this before? | 14:59 |
| opendevreview | Takashi Kajinami proposed openstack/cinder master: Fix interface mismatch detected by tooz 9.0.0 https://review.opendev.org/c/openstack/cinder/+/995691 | 15:00 |
| Jyotsna | May I request reviewer's attention again on HPE new driver patches after the rework submitted. We have to provide tentative dates to customers. May I request <erlon> for +1 in case he is OK with rework on patch. | 15:00 |
| rosmaita | i did take a quick look at the original patch a while back but it seemed like the change it was making wasn't going to fix the problem, or that i was misunderstanding the problem | 15:00 |
| rosmaita | looks like zigo was able to vibe code a reproducer, though | 15:02 |
| zigo | Indeed ! | 15:02 |
| jbernard | ok, so this might just need more time for folks to reviews | 15:02 |
| zigo | I can add it to the bug. | 15:02 |
| jbernard | zigo: could help to increase visibility | 15:03 |
| opendevreview | Simon Dodsley proposed openstack/cinder master: Add a reference CBT volume driver for vendors https://review.opendev.org/c/openstack/cinder/+/995703 | 15:03 |
| zigo | Thanks, I believe that's enough then ! :) | 15:05 |
| jbernard | zigo: let's give folks some more time, i don't see an objection to the approach | 15:05 |
| zigo | Sure ! | 15:05 |
| jbernard | we're 5 mins over, i think we can wrap unless there's something urgent that missed the agenda | 15:06 |
| jbernard | #endmeeting | 15:06 |
| opendevmeet | Meeting ended Wed Jul 1 15:06:46 2026 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:06 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/cinder/2026/cinder.2026-07-01-14.01.html | 15:06 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/cinder/2026/cinder.2026-07-01-14.01.txt | 15:06 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/cinder/2026/cinder.2026-07-01-14.01.log.html | 15:06 |
| jbernard | thanks everyone | 15:06 |
| erlon | Jyotsna: what do you mean by 'tentative dates to customers'? | 15:09 |
| erlon | Jyotsna: how is the CI status? | 15:10 |
| Jyotsna | All passed | 15:11 |
| Jyotsna | We have promised customer for new driver with lot of fixes in it which they are waiting so we have to update them when it will be released | 15:12 |
| opendevreview | Takashi Kajinami proposed openstack/cinder master: Fix interface mismatch detected by tooz 9.0.0 https://review.opendev.org/c/openstack/cinder/+/995691 | 15:12 |
| jayaanand | zigo: pending review comments from my end, I will review again | 15:15 |
| zigo | I'm writing in the PR, and adding the bug so it's linked to it. | 15:16 |
| zigo | Do not trust me on the SQLAlchemy stuff, I'm not 100% sure of what I'm writing ! :) | 15:16 |
| opendevreview | Thomas Goirand proposed openstack/cinder master: Remove disabled services from state_map https://review.opendev.org/c/openstack/cinder/+/979641 | 15:16 |
| opendevreview | Takashi Kajinami proposed openstack/cinder master: Fix interface mismatch detected by tooz 9.0.0 https://review.opendev.org/c/openstack/cinder/+/995691 | 15:18 |
| zigo | Specifically, I'm unsure how to decypher https://github.com/openstack/cinder/blob/85611cbc18efd44f27cce2b5dfb8b2d156230ba8/cinder/db/api.py#L764 | 15:18 |
| opendevreview | Gireesh Awasthi proposed openstack/cinder master: NetApp NFS/NVME Driver – Optimizes the efficiency of pool stats update https://review.opendev.org/c/openstack/cinder/+/968380 | 16:10 |
| tkajinam | o/ I'd appreciate it if https://review.opendev.org/c/openstack/cinder/+/995691 can get some attention. This is required to umblock bumping tooz in global u-c | 16:40 |
| tkajinam | unblock * | 16:40 |
| opendevreview | Takashi Kajinami proposed openstack/cinder master: Apply consistent irrenevant-files for grenade-skip-level-always https://review.opendev.org/c/openstack/cinder/+/995721 | 16:45 |
| opendevreview | Takashi Kajinami proposed openstack/cinder master: Apply consistent irrelevant-files for grenade jobs https://review.opendev.org/c/openstack/cinder/+/995721 | 16:48 |
| opendevreview | Simon Dodsley proposed openstack/cinder master: Add Changed Block Tracking (CBT) backup framework and changed-blocks API https://review.opendev.org/c/openstack/cinder/+/990923 | 18:12 |
| opendevreview | Merged openstack/cinder master: Dell PowerFlex: Handle missing errorCode in NVMe-oF REST error responses https://review.opendev.org/c/openstack/cinder/+/988742 | 18:31 |
| opendevreview | Eric Harney proposed openstack/cinder master: Use specific http sub-module for status codes https://review.opendev.org/c/openstack/cinder/+/907616 | 18:44 |
| opendevreview | Eric Harney proposed openstack/cinder master: Use specific http sub-module for status codes https://review.opendev.org/c/openstack/cinder/+/907616 | 18:48 |
| opendevreview | Anoop Kumar Shukla proposed openstack/cinder master: [docs] add logging guidelines for contributor guide https://review.opendev.org/c/openstack/cinder/+/994121 | 19:08 |
| opendevreview | Rajat Dhasmana proposed openstack/cinder master: Add volume group snapshot support (2/2) https://review.opendev.org/c/openstack/cinder/+/995737 | 19:21 |
| opendevreview | Simon Dodsley proposed openstack/cinder master: LVM: add Changed Block Tracking backup support for thin volumes https://review.opendev.org/c/openstack/cinder/+/995738 | 19:24 |
| opendevreview | Simon Dodsley proposed openstack/cinder-tempest-plugin master: Add worst-case Changed Block Tracking (CBT) scenario test https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/995741 | 19:29 |
| opendevreview | Alexander Deiter proposed openstack/cinder master: Infinidat: create a single host object per connector https://review.opendev.org/c/openstack/cinder/+/995743 | 19:38 |
| opendevreview | Simon Dodsley proposed openstack/cinder master: Add Changed Block Tracking (CBT) backup framework and changed-blocks API https://review.opendev.org/c/openstack/cinder/+/990923 | 19:42 |
| opendevreview | Rajat Dhasmana proposed openstack/cinder master: WIP: Add RBD groups support (1/2) https://review.opendev.org/c/openstack/cinder/+/995189 | 19:54 |
| opendevreview | Rajat Dhasmana proposed openstack/cinder master: Add volume group snapshot support (2/2) https://review.opendev.org/c/openstack/cinder/+/995737 | 19:54 |
| opendevreview | Simon Dodsley proposed openstack/cinder master: Add Changed Block Tracking (CBT) backup framework and changed-blocks API https://review.opendev.org/c/openstack/cinder/+/990923 | 20:47 |
| opendevreview | Simon Dodsley proposed openstack/cinder master: LVM: add Changed Block Tracking backup support for thin volumes https://review.opendev.org/c/openstack/cinder/+/995738 | 20:47 |
| opendevreview | Simon Dodsley proposed openstack/cinder master: FlashArray: add Changed Block Tracking backup support https://review.opendev.org/c/openstack/cinder/+/990982 | 20:48 |
| opendevreview | Simon Dodsley proposed openstack/cinder master: Add a reference CBT volume driver for vendors https://review.opendev.org/c/openstack/cinder/+/995703 | 20:48 |
| opendevreview | Anthony Galica proposed openstack/cinder master: Hitachi: fix VCP-volume zombie issue on B20 storage https://review.opendev.org/c/openstack/cinder/+/995607 | 22:22 |
| opendevreview | Anthony Galica proposed openstack/cinder master: Hitachi: fix VCP-volume zombie issue on B20 storage https://review.opendev.org/c/openstack/cinder/+/995607 | 22:35 |
| opendevreview | Anthony Galica proposed openstack/cinder master: Hitachi: fix VCP-volume zombie issue on B20 storage https://review.opendev.org/c/openstack/cinder/+/995607 | 22:36 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!