*** Liang__ has joined #openstack-glance | 01:27 | |
*** rcernin has quit IRC | 02:22 | |
*** rcernin has joined #openstack-glance | 02:22 | |
*** Liang__ has quit IRC | 03:28 | |
*** Liang__ has joined #openstack-glance | 03:33 | |
*** evrardjp has quit IRC | 04:33 | |
*** evrardjp has joined #openstack-glance | 04:33 | |
*** Liang__ has quit IRC | 04:36 | |
*** Liang__ has joined #openstack-glance | 04:40 | |
*** ratailor has joined #openstack-glance | 04:56 | |
*** Liang__ has quit IRC | 05:00 | |
openstackgerrit | Abhishek Kekane proposed openstack/glance-specs master: Make cinder driver compatible with multiple stores https://review.opendev.org/695152 | 05:11 |
*** udesale has joined #openstack-glance | 05:35 | |
*** m75abrams has joined #openstack-glance | 05:38 | |
*** bhagyashris is now known as bhagyashris|brb | 05:50 | |
*** Luzi has joined #openstack-glance | 05:58 | |
*** brtknr has quit IRC | 06:15 | |
*** bhagyashris|brb is now known as bhagyashris | 06:16 | |
*** brtknr has joined #openstack-glance | 06:24 | |
*** amoralej|off is now known as amoralej | 07:04 | |
*** Liang__ has joined #openstack-glance | 07:11 | |
*** mvkr has joined #openstack-glance | 07:13 | |
*** tosky has joined #openstack-glance | 07:36 | |
*** m75abrams has quit IRC | 07:53 | |
*** rcernin has quit IRC | 07:57 | |
*** rcernin has joined #openstack-glance | 08:15 | |
*** rcernin has quit IRC | 08:29 | |
*** rcernin has joined #openstack-glance | 08:44 | |
*** Liang__ has quit IRC | 08:44 | |
*** rcernin has quit IRC | 08:45 | |
*** Liang__ has joined #openstack-glance | 08:45 | |
*** priteau has joined #openstack-glance | 08:49 | |
*** k_mouza has joined #openstack-glance | 08:59 | |
*** Liang__ has quit IRC | 09:33 | |
*** Liang__ has joined #openstack-glance | 09:39 | |
*** tosky has quit IRC | 10:00 | |
*** tosky has joined #openstack-glance | 10:01 | |
*** k_mouza has quit IRC | 10:02 | |
*** k_mouza has joined #openstack-glance | 10:10 | |
*** Liang__ has quit IRC | 10:13 | |
*** Liang__ has joined #openstack-glance | 10:14 | |
*** Liang__ has quit IRC | 10:37 | |
*** bhagyashris is now known as bhagyashris|brb | 10:37 | |
*** priteau has quit IRC | 11:00 | |
*** tkajinam has quit IRC | 11:04 | |
*** bhagyashris|brb is now known as bhagyashris | 11:12 | |
*** jmlowe has joined #openstack-glance | 11:43 | |
*** udesale_ has joined #openstack-glance | 11:49 | |
*** udesale has quit IRC | 11:52 | |
*** priteau has joined #openstack-glance | 11:55 | |
*** amoralej is now known as amoralej|lunch | 12:00 | |
*** priteau has quit IRC | 12:12 | |
*** priteau has joined #openstack-glance | 12:20 | |
*** ratailor has quit IRC | 12:56 | |
*** amoralej|lunch is now known as amoralej | 13:08 | |
*** jdillaman has joined #openstack-glance | 13:32 | |
*** Luzi has quit IRC | 13:41 | |
dansmith | abhishekk: is this good to go or does it need more votes? https://review.opendev.org/#/c/739062/ | 13:54 |
abhishekk | dansmith, need rosmaita to have a look | 13:54 |
dansmith | ah okay, was wondering if it needed a specific person too | 13:55 |
rosmaita | ack | 13:55 |
abhishekk | glance has a policy that specs need to be reviewed by all cores, which we are going to revisit in this meeting | 13:55 |
dansmith | ah okay I didn't realize that | 13:58 |
rosmaita | dansmith: left a question & comment for you on the spec | 14:08 |
*** bhagyashris is now known as bhagyashris|dinn | 14:09 | |
dansmith | rosmaita: replied | 14:12 |
* dansmith notes how often irc becomes the async notification stream for gerrit comments | 14:13 | |
rosmaita | dansmith: replied | 14:24 |
dansmith | rosmaita: replied | 14:26 |
rosmaita | dansmith: replied | 14:27 |
dansmith | hehe, I have no further replies to notify you of | 14:28 |
rosmaita | \o/ | 14:28 |
dansmith | abhishekk: rosmaita: cinder can be a backend for glance, right? who owns the cinder resources? | 14:29 |
rosmaita | dansmith: depends, either glance service user or individual tenant | 14:29 |
rosmaita | depends on config, i mean, operator chooses, not end user | 14:30 |
dansmith | okay, so... if it's configured for "tenant" and I perform a copy-image on someone else's image, that might mean I own the new cinder copy? | 14:31 |
rosmaita | no, it would be the tenant -- which would mean you personally get a "free" image that they are paying storage for | 14:33 |
dansmith | well, what I mean is.. right now if I copy-image on an image I own, it's clear that the cinder resource created is owned by me, | 14:34 |
dansmith | but if I am not the owner, but am allowed to do this, does glance use the user/tenant in my request to pass to cinder to create the new resources? or does it specifically look at the owner of the image and send that user/tenant to cinder? | 14:34 |
*** abhishekk is now known as abhishekk|away | 14:36 | |
rosmaita | dansmith: that is a good question | 14:38 |
openstackgerrit | Dan Smith proposed openstack/glance-specs master: Add copy-unowned-image spec https://review.opendev.org/739062 | 14:38 |
rosmaita | i think it may come from the request, because this situation has never happened before | 14:38 |
dansmith | yeah, that's what I was worried about | 14:38 |
dansmith | what happens if you try to delete an image and it can't delete one of the cinder resources? does it fail or just ignore and keep going? | 14:39 |
dansmith | if the latter, then the owner of the cinder resource is really who gets charged for the storage of it, and they can delete it when they want to, without impacting the owner | 14:39 |
dansmith | are there other glance backends that would have this problem of using the request's owner to create the resources in a copy? | 14:43 |
dansmith | if it's only cinder, then it's probably enough to just document that *if* you're using the cinder backend and *if* configured to have the requester own the resources, you probably shouldn't delegate this to non-owners | 14:43 |
rosmaita | dansmith: it's an option for the swift driver, too | 14:47 |
rosmaita | possibly S3? | 14:47 |
rosmaita | you have opened a can of worms :) | 14:48 |
dansmith | welp, even devstack and tempest can't easily use this feature without delegation of some kind, so... | 14:48 |
dansmith | rosmaita: do swift and S3 have the same "owner or service user" options? | 14:49 |
dansmith | I assume there's some way to map keystone tenants to s3 tenants in the s3 case? | 14:49 |
rosmaita | swift does explicitly, don't know about S3 | 14:49 |
rosmaita | S3 was only restored recently, i have no idea how it works | 14:50 |
dansmith | well, then for swift and cinder, I rest on my documentation point. If s3 doesn't have a mapping, I would tend to imagine it either (a) has other problems or (b) leaves everything owned by one user | 14:52 |
dansmith | actually, for swift and cinder, I would think that glance would see a 404 if the original owner's token is used to try to delete the owned-by-a-delegate location, and should just assume it was deleted from underneath them, so that it doesn't really impact deleting the image itself | 14:54 |
dansmith | if it didn't, then it would be stuck in the case where the user just deleted the cinder resource themselves before the image | 14:54 |
dansmith | who would be able to answer these questions? abhishekk|away ? | 14:54 |
rosmaita | maybe jokke | 14:56 |
dansmith | ack | 14:56 |
*** bhagyashris|dinn is now known as bhagyashris | 14:56 | |
rosmaita | but there is a good chance that no one knows, really | 14:57 |
dansmith | does glance have CI jobs for cinder and swift backing stores? That'd be a good way to poke at it | 14:58 |
dansmith | I dunno what tempest-integrated-storage is, but otherwise I don't see a lot of real tempest/devstack jobs :/ | 15:00 |
*** k_mouza_ has joined #openstack-glance | 15:11 | |
*** k_mouza has quit IRC | 15:13 | |
*** m75abrams has joined #openstack-glance | 15:17 | |
*** m75abrams has quit IRC | 15:26 | |
*** amoralej is now known as amoralej|off | 15:57 | |
*** udesale_ has quit IRC | 16:29 | |
jokke | dansmith: rosmaita: abhishekk|away: If the delayed delete is used, the image gets "deleted" and the scrubber goes and deletes the data at some point, I'm not even sure how this works in the tenant owned images where the credentials are not obviously available. IIRC without delayed delete, the delete fails if all the locations can't be deleted. | 17:21 |
dansmith | jokke: and in the non-delayed case, the delete happens with the tenant's token, not the service user? | 17:22 |
jokke | dansmith: if the resource in the store is owned by the user tenant, correct | 17:23 |
dansmith | if the resource is *configured* to be owned by the user tenant, I assume you mean? | 17:23 |
jokke | So I'm thinking we probably should document this process as _not_ supported unless the stores are configured to use service credentials | 17:23 |
dansmith | ack | 17:24 |
dansmith | jokke: do you know what happens if the tenant owns the resource, the tenant deletes it before it deletes the instance and glance sees the 404 from, say, cinder? | 17:24 |
dansmith | because I think that resources you don't own but are directly referenced are generally 404'd, looking like the I-already-deleted-it case if they end up owned by a different person | 17:25 |
jokke | I think we get over that, but not 100% sure. And at least glance returns differently. We return forbidden if you don't own the image, but can see it and 404 only if you can't see the resource | 17:26 |
dansmith | right, that's the same as other services I think | 17:27 |
dansmith | if you try to even get /servers/instance-i-dont-own, you get a 404 not a 401 | 17:27 |
dansmith | anyway, nova will only use this for rbd, where the resources are all unowned anyway, so it shouldn't be a problem for this use-case, and I imagine the primary case for granting copy permissions on public images will be for this nova situation | 17:28 |
dansmith | so documenting the caveats seems fine to me | 17:28 |
dansmith | and if people start wanting to do this more powerfully, then the glance team can iterate from there | 17:29 |
jokke | dansmith: that's what I'm thinking too | 17:30 |
jokke | dansmith: I don't see a reason to try to solve any weird corner cases on a work you decided to take on that already blew on your face on its complexity | 17:32 |
dansmith | heh, thanks | 17:32 |
*** k_mouza_ has quit IRC | 17:49 | |
*** priteau has quit IRC | 17:52 | |
*** mvkr has quit IRC | 18:08 | |
*** dosaboy has quit IRC | 21:17 | |
*** mvkr has joined #openstack-glance | 21:20 | |
*** dosaboy has joined #openstack-glance | 21:25 | |
*** dosaboy has quit IRC | 21:40 | |
*** dosaboy has joined #openstack-glance | 21:45 | |
openstackgerrit | Dan Smith proposed openstack/glance master: WIP Add a policy knob for allowing non-owned image copying https://review.opendev.org/738703 | 22:37 |
*** nicolasbock has quit IRC | 22:47 | |
*** gmann has quit IRC | 22:47 | |
*** vkmc has quit IRC | 22:47 | |
*** coreycb has quit IRC | 22:47 | |
*** mnaser has quit IRC | 22:50 | |
*** TheJulia has quit IRC | 22:50 | |
*** CeeMac has quit IRC | 22:51 | |
*** NobodyCam has quit IRC | 22:52 | |
*** rm_work has quit IRC | 22:52 | |
*** rajinir_ has quit IRC | 22:52 | |
*** lseki has quit IRC | 22:53 | |
*** donnyd has quit IRC | 22:53 | |
*** tkajinam has joined #openstack-glance | 22:54 | |
*** tosky has quit IRC | 23:01 | |
*** rcernin has joined #openstack-glance | 23:17 |