Tuesday, 2020-06-23

*** Liang__ has joined #openstack-glance [01:18]
*** gyee has quit IRC [01:23]
openstackgerrit: Ghanshyam Mann proposed openstack/glance stable/stein: Make grenade jobs n-v for EM and oldest stable  https://review.opendev.org/737417 [02:06]
*** rcernin has quit IRC [02:41]
*** rcernin has joined #openstack-glance [02:42]
*** rchurch has quit IRC [04:23]
*** rchurch has joined #openstack-glance [04:24]
*** evrardjp has quit IRC [04:33]
*** evrardjp has joined #openstack-glance [04:33]
*** udesale has joined #openstack-glance [04:41]
*** ratailor has joined #openstack-glance [05:08]
*** Liang__ has quit IRC [05:17]
*** Liang__ has joined #openstack-glance [05:18]
*** m75abrams has joined #openstack-glance [05:31]
abhishekk: dansmith, ack, thank you [05:31]
*** belmoreira has joined #openstack-glance [06:49]
*** rcernin has quit IRC [08:18]
*** priteau has joined #openstack-glance [08:57]
abhishekk: dansmith, ran two scenarios, added comment on the bug [09:38]
abhishekk: https://bugs.launchpad.net/glance/+bug/1884596/comments/1 [09:38]
openstack: Launchpad bug 1884596 in Glance "image import copy-to-store will start multiple importing threads due to race condition" [Undecided,New] [09:38]
abhishekk: jokke, ^^ [09:38]
abhishekk: dansmith, I will be back around 1430 UST [09:39]
*** udesale_ has joined #openstack-glance [09:46]
*** udesale has quit IRC [09:49]
*** ratailor_ has joined #openstack-glance [09:51]
*** ratailor has quit IRC [09:54]
*** tkajinam has quit IRC [10:17]
*** Liang__ has quit IRC [10:23]
*** jawad_axd has joined #openstack-glance [11:43]
*** lpetrut has joined #openstack-glance [11:51]
openstackgerrit: Dirk Mueller proposed openstack/glance master: Switch from unittest2 compat methods to Python 3.x methods  https://review.opendev.org/737512 [12:17]
*** ratailor_ has quit IRC [12:44]
dansmith: abhishekk: ack [13:34]
dansmith: abhishekk: my admin context hack *appears* to not have worked: https://zuul.opendev.org/t/openstack/build/72f025316f5344dba473f4f63c24a6ec/log/controller/logs/screen-g-api.txt#7103 [13:35]
dansmith: which surprises me from reading the code, so I must be missing something [13:35]
abhishekk: oh [13:36]
abhishekk: jokke, this is another issue we found yesterday [13:36]
abhishekk: https://bugs.launchpad.net/glance/+bug/1884587 [13:38]
openstack: Launchpad bug 1884587 in Glance "image import copy-to-store API should reflect proper authorization" [Undecided,New] [13:38]
dansmith: abhishekk: can you confirm that a user should be able to do copy-to-store if they can read the image? [13:40]
*** m75abrams has quit IRC [13:40]
dansmith: if not, I need to add admin credentials to nova for glance (which would be unfortunate), else I can help try to figure out getting users access to it in glance [13:41]
abhishekk: dansmith, they should [13:41]
dansmith: ack sweet [13:41]
jokke: dansmith: only if they own the image [13:44]
dansmith: jokke: wait, really? why? [13:44]
jokke: user x cannot copy public or shared image owned by user y [13:45]
dansmith: but I can download it and re-upload it and then copy it wherever I want [13:45]
jokke: dansmith: as it consumes resources on user y's name [13:45]
dansmith: resources for the second location? [13:45]
jokke: yep [13:46]
dansmith: so, then if nova uses admin credentials for copying these images, they'll be charging the original user [13:46]
jokke: Especially now when the limits are coming in, this is getting important. If there is storage quota, we cannot let just anyone consume quota'd resource of some other user [13:46]
jokke: dansmith: correct [13:46]
dansmith: this completely breaks the whole "nova copies the image to the correct rbd for you before boot" thing we discussed [13:47]
dansmith: except for user-uploaded private images [13:47]
dansmith: like, if a cloud provides a public image anyone can use, that has to be pre-pushed to all the locations by the admin before a regular user can boot something that requires one of those locations [13:48]
jokke: dansmith: the visibility is not a factor, the owner is. [13:48]
jokke: dansmith: correct, you would expect the user that is maintaining public images to do that. [13:48]
dansmith: but that means every image has to be pushed to every location ahead of time [13:49]
jokke: as long as you're the owner the visibility doesn't matter, you can copy and what not your images. But you cannot as a normal user just copy someone else's image all over the place [13:49]
dansmith: I understand what you're saying, I understand the visibility has nothing to do with the mechanics [13:49]
dansmith: what I'm saying is, a user that can see a public image and expect to boot it at edge site 2 can't do that, unless the image has been pre-pushed there [13:50]
dansmith: or they can download/re-upload the image so they own the new one, and then it will work [13:50]
jokke: dansmith: correct [13:50]
dansmith: hopefully that confirmation also comes with a realization of that not being a very good experience :) [13:51]
jokke: dansmith: and it should make sense that if you're maintaining public images for the cloud, you will make sure they are in the sites where they are supposed to be booted [13:51]
dansmith: so in an edge cloud with hundreds of functions and thousands of sites, that pretty much defeats the whole purpose here [13:52]
dansmith: especially if it leads to users duplicating images in your cloud so they can be sure a function is available at a given site [13:53]
dansmith: anyway, I realize there's a missing piece here to make this work [13:53]
dansmith: so just to be clear, [13:53]
dansmith: if I upload an image of Xgb, I'm charged for Xgb of image space and if I copy that to another store, I start getting charged for 2Xgb right? [13:54]
jokke: that's what I would expect if I'm charged for storage [13:54]
jokke: It's resource consumed [13:55]
dansmith: I understand [13:55]
jokke: Same if I spin 100 vm of same image I get charged 100 vms not one [13:55]
dansmith: it's a little different for VMs of course, because people don't start VMs and then make them publicly usable like an image [13:56]
dansmith: like, if I'm not the owner, but the owner has copied the image to edge-2 and is being charged for it, I can boot an instance there "for free", [13:57]
dansmith: and if they later remove it from that store, I will still consume the storage they were charged for because I have an image backed by that base image, [13:57]
dansmith: which can't be deleted until I leave the site [13:57]
jokke: yeah ... This might be worthy of trying to get hold of the telcos and ask if it's a problem to them or if their automation will just deal with it. [14:00]
dansmith: the probably more expensive problem here is that nova will not be able to determine that an image isn't usable at a site until it schedules a VM there, starts a build and gets a 403 when it tries to copy the image [14:00]
dansmith: I definitely know it won't work for several scenarios [14:01]
jokke: If it's a problem for big enough use case it might make sense to have that as configurable. But we can't just let that be the default behavior [14:01]
dansmith: so, here are some options I can think of: [14:01]
dansmith: 1. Add an owner to a location so we can charge the right person. This will be just as leaky as the current thing, where the first person to boot it at a site gets unlucky and charged for the image [14:01]
dansmith: 2. Add a property to the image that says "this can always be copied" and have nova use admin creds to do the copy if that property is set (or glance allow it by non-owner if set) [14:02]
dansmith: at the very least we need to check proper auth in the API so nova gets a 403 instead of a timeout waiting for something that will never happen, and glance starting a task that will just fail [14:03]
dansmith: I'll see if I can cook that up [14:03]
dansmith: without either 1 or 2, we basically can't run tempest against a setup like this because all tempest tests run under their own generated tenant, which will never own the image [14:09]
dansmith: so we'll need a new test that does the download/upload and tries it [14:10]
abhishekk: yes :( [14:10]
dansmith: that's super unfortunate because it's a lot more work and also means we don't just magically get more coverage by running the existing tests, which is what gave us the hint about the race condition :/ [14:11]
abhishekk: yes, really [14:13]
dansmith: abhishekk: any opinions on which optional solution above is most palatable? [14:13]
openstackgerrit: Dan Smith proposed openstack/glance master: WIP: Check authorization before import for image  https://review.opendev.org/737548 [14:14]
abhishekk: For me 2nd one sounds reasonable [14:15]
dansmith: okay I like that less muchly but it's something [14:16]
dansmith: does glance have a reporting mechanism by which a user's resource usage is summarized? [14:17]
abhishekk: nope [14:19]
dansmith: oh, so.. how does a user get charged for multiple locations in an image? [14:20]
dansmith: does something external just have to look at locations and know to charge extra? [14:20]
dansmith: or was jokke talking about quota? [14:20]
abhishekk: sorry got distracted, we have some config options around quotas but nothing about a reporting mechanism [14:44]
dansmith: abhishekk: okay does quota include the space consumed by an image in multiple locations? [14:45]
abhishekk: yes [14:46]
dansmith: okay [14:46]
dansmith: abhishekk: if remove an image from an rbd store, and that image is in use by instances booted from it, what happens? does glance refuse to delete the location? does it get deleted from glance but persist in rbd? [14:47]
abhishekk: dansmith, I never checked this in rbd but I guess the image gets deleted from glance [14:49]
abhishekk: glance_store rbd driver has one exception ImageInUse but I have never seen it raised [14:49]
dansmith: abhishekk: when would the base image be deleted then? if glance stops tracking it does it go away automatically if the last vm is deleted? or do we leak that image? [14:50]
*** jawad_axd has quit IRC [14:51]
abhishekk: dansmith, https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/rbd.py#L444 [14:51]
*** priteau has quit IRC [14:52]
dansmith: abhishekk: okay so the image won't get deleted if it's in use? [14:52]
abhishekk: that should be the case, but I never used/seen this exception raised [14:53]
dansmith: it's raised on that line you just linked.. or do you mean you've never seen it happen in real life? [14:54]
abhishekk: I mean, I never used to boot instance from rbd store and deleted it :( [14:55]
dansmith: okay, so, let's assume that the code works, and the image won't be deleted: [14:55]
dansmith: if I own an image, I copy it to the edge-2 store, start being charged quota (and maybe money) [14:55]
dansmith: another user boots an instance from that image in edge-2, for free [14:56]
dansmith: now until that other user deletes their instance, I can't stop being charged for the image in that location [14:56]
dansmith: that seems bad right? [14:56]
abhishekk: yes [14:57]
dansmith: another question... is it true that public images can only be owned by admins? [14:57]
abhishekk: I guess that's not the case [15:03]
dansmith: okay [15:04]
dansmith: I couldn't really find anything in the docs [15:05]
dansmith: anyway, I'm concerned about the leakiness of this model, I guess specifically when multiple stores are used [15:05]
dansmith: but it sounds like going forward with option #2 above will at least alleviate some of the problem [15:06]
abhishekk: give me some time, my laptop crashed in the afternoon :/, I am still setting it up [15:07]
dansmith: no problem, sorry for all the questions, just trying to get up to speed [15:07]
*** m75abrams has joined #openstack-glance [15:08]
abhishekk: it's not documented but looking at policies public images can only be owned by admins seems true [15:09]
*** belmoreira has quit IRC [15:09]
dansmith: is that policy changeable though? [15:10]
dansmith: anyway, if only admin images can be public, it surely seems like allowing images to be copied if they're public would be reasonable, since they're....public :) [15:10]
abhishekk: yes, that policy is changeable [15:11]
dansmith: ack [15:12]
dansmith: did we lose jokke due to timezone or something else? [15:12]
abhishekk: no idea [15:12]
abhishekk: he might be in a meeting, his calendar shows that [15:14]
abhishekk: dansmith, still around? [15:19]
dansmith: yeah [15:19]
abhishekk: I boot vm from image which is in rbd store [15:20]
abhishekk: deleted it [15:20]
dansmith: s/it/image/ ? [15:20]
abhishekk: yes [15:20]
abhishekk: image got deleted from glance and not listed in rbd as well (sudo rbd ls images) [15:20]
abhishekk: nova shows below line in output of "nova show" [15:21]
abhishekk: | image                                | Image not found (f8940ac5-5488-46c3-b6a4-185beab7711f) [15:21]
dansmith: that from nova is what is expected to happen if you delete the image, yeah [15:21]
dansmith: so the image is deleted and the storage is still consumed by the base, but presumably when you delete the last VM using the base, the refcount will go to zero and the storage will come back? [15:22]
dansmith: so this is a hidden storage consumption that we can't expose anywhere [15:22]
dansmith: that the user never paid for, if they didn't own the image [15:22]
dansmith: but certainly better that the original user doesn't keep getting charged [15:23]
abhishekk: yes [15:23]
abhishekk: so that brings another doubt for me, when will that InUse exception be raised? [15:24]
abhishekk: dansmith, going for dinner, will be back in 20 mins [15:26]
dansmith: yeah [15:26]
dansmith: abhishekk: ack [15:26]
dansmith: abhishekk: jokke: I wonder if we should be granting copy ability to the user so that you can say things in policy like "anything public can be copied" or "if the image is shared to you as a member, you can copy", etc ? [15:33]
*** lpetrut has quit IRC [15:44]
*** gyee has joined #openstack-glance [15:59]
*** m75abrams has quit IRC [16:33]
*** udesale_ has quit IRC [17:05]
abhishekk: dansmith, sorry was out due to power outage [17:06]
dansmith: abhishekk: np [17:18]
dansmith: the gate has made no progress testing my auth patch since you left anyway :) [17:18]
abhishekk: ohh, release traffic :) [17:25]
dansmith: abhishekk: did you see my question about policy? [17:32]
abhishekk: missed, looking now [17:33]
abhishekk: need to explore, but second one like if the image is shared as a member then can copy should be reasonable [17:34]
dansmith: presumably if it's defined by policy then an admin could also grant he first right? [17:36]
dansmith: *the first [17:36]
dansmith: and if we were to gain this ability, then we could configure a devstack to allow copying public images and get the desired test coverage, as well as enable the case where a user and operator want this to "just work" [17:37]
dansmith: without breaking the default of it not working [17:37]
dansmith: I would think this would be more flexible and desirable than just a flag on an image, even if a little bit more complicated [17:38]
abhishekk: in glance policy check is done at different different layers, so going to be much complicated [17:38]
dansmith: policy check is done at *multiple* different layers, or at a different layer than we'd need for this to work? [17:39]
abhishekk: policy check is done at *multiple* different layers [17:42]
dansmith: okay, so it would be okay to do a policy check at the top/API layer, but might be defeated by another check somewhere down in the stack that doesn't know what we're doing.. is that your concern? [17:43]
abhishekk: yes [17:45]
dansmith: okay [17:46]
dansmith: is that something that is unchangeable in glance, or is there a desire to consolidate policy checks up to the higher layer (as we have done in nova)? [17:47]
abhishekk: it has been in planning since 3-4 cycles, but we didn't have many contributors to do it [17:50]
dansmith: meaning, is the distributed checking in lots of places the desired approach by design, or just a consequence of things being added by different authors? [17:50]
dansmith: what has been, moving policy checks up to the api? [17:50]
abhishekk: also there are some known issues with location API [17:51]
abhishekk: https://review.opendev.org/#/c/528021/2/specs/rocky/approved/glance/policy-refactor.rst [17:55]
dansmith: oye okay [17:55]
dansmith: my takeaway from that is that refactoring this path to check policy at the API is probably reasonable in _approach_, the feasibility of it notwithstanding [17:56]
dansmith: I would rather do the refactoring of the bits needed to enable this to be a policy knob, than punt on "it's too hard" and add another image flag, unless it's *really* hard [17:57]
dansmith: but we should probably hear from jokke for an opinion right? [17:57]
abhishekk: yes [17:57]
dansmith: what is the best way to do that? glance meeting? [17:58]
abhishekk: yes [17:58]
abhishekk: I will add this topic in discussion agenda [17:58]
dansmith: okay, I put it on my calendar [17:59]
abhishekk: ack [18:00]
openstackgerrit: Abhishek Kekane proposed openstack/glance master: WIP: Fix race condition in copy image operation  https://review.opendev.org/737596 [18:28]
*** jawad_axd has joined #openstack-glance [18:50]
abhishekk: signing out for the day [19:25]
openstackgerrit: Cyril Roelandt proposed openstack/python-glanceclient master: Do not use the six library.  https://review.opendev.org/735670 [19:57]
*** rchurch has quit IRC [20:28]
*** rchurch has joined #openstack-glance [20:30]
*** tkajinam has joined #openstack-glance [22:53]
*** rcernin has joined #openstack-glance [23:02]
*** rcernin has quit IRC [23:08]
*** rcernin has joined #openstack-glance [23:08]
*** kgz has quit IRC [23:29]
*** freerunner has quit IRC [23:30]
*** freerunner has joined #openstack-glance [23:31]
*** kgz has joined #openstack-glance [23:32]
