| *** mhen_ is now known as mhen | 02:09 | |
| opendevreview | Markus Hentsch proposed openstack/glance-specs master: Re-propose image encryption spec https://review.opendev.org/c/openstack/glance-specs/+/964755 | 09:21 |
|---|---|---|
| opendevreview | Markus Hentsch proposed openstack/glance master: Standardization of encrypted images https://review.opendev.org/c/openstack/glance/+/926295 | 10:16 |
| frickler | croelandt: https://review.opendev.org/c/openstack/glance/+/963294 could use another nudge :) | 10:50 |
| croelandt | frickler: ok I'll mention this in today's meeting in 2 hours | 11:55 |
| croelandt | see if Abhishek can take a look | 11:55 |
| croelandt | otherwise I'll merge it tomorrow :) | 11:56 |
| Luzi | Hi I am currently trying to test a db migration in glance. I have the migration script and the 'db migrate' output says: 'Migrated 3 rows'. | 13:25 |
| Luzi | The number is correct, but it somehow doesn't show up in my database. Can anyone think of a reason for this? | 13:25 |
| Luzi | I am testing on a simple devstack | 13:26 |
| opendevreview | Josephine Seifert proposed openstack/glance master: migrate cinder_encryption* to os_encrypt* in db for Image Encryption https://review.opendev.org/c/openstack/glance/+/926905 | 13:34 |
| Luzi | ^ that is the migration that seems to work, but somehow doesn't | 13:35 |
| croelandt | hey hey hey | 14:00 |
| croelandt | Glance meeting, sick PTL edition, let's go | 14:00 |
| croelandt | #startmeeting glance | 14:00 |
| opendevmeet | Meeting started Thu Dec 11 14:00:45 2025 UTC and is due to finish in 60 minutes. The chair is croelandt. Information about MeetBot at http://wiki.debian.org/MeetBot. | 14:00 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 14:00 |
| opendevmeet | The meeting name has been set to 'glance' | 14:00 |
| croelandt | #topic roll call | 14:00 |
| croelandt | o/ | 14:00 |
| mhen | o/ | 14:00 |
| Luzi | o/ | 14:00 |
| croelandt | rosmaita: are you around? | 14:02 |
| croelandt | abhishekk: are you around? | 14:04 |
| flelain_35 | o/ | 14:04 |
| abhishekk | o/ | 14:04 |
| rosmaita | o/ (though in another meeting) | 14:05 |
| croelandt | #topic Release/periodic job updates | 14:06 |
| croelandt | All good! | 14:06 |
| croelandt | #topic operator-required image properties (rosmaita) | 14:06 |
| croelandt | rosmaita: you have the floor, leave the other meeting | 14:06 |
| rosmaita | i want to make sure that the project team is cool with this proposal | 14:07 |
| croelandt | what's the big picture here? | 14:07 |
| rosmaita | the original design was that the image schema would be operator-extensible | 14:07 |
| rosmaita | i don't know if anyone uses that | 14:07 |
| rosmaita | anyway, the patch proposer was looking for a way to make some image properties mandatory for his cloud | 14:08 |
| rosmaita | and used a list config option | 14:08 |
| rosmaita | i suggested using the schema instead and making the properties required | 14:08 |
| rosmaita | that way, an end user can discover these properties | 14:08 |
| croelandt | We have so much stuff that may or may not be used | 14:09 |
| croelandt | This always surprises me | 14:09 |
| croelandt | every month I come across a feature I did not know about | 14:09 |
| rosmaita | so the infra people *hate* this feature | 14:10 |
| rosmaita | because it makes all clouds different | 14:10 |
| rosmaita | but variety is the spice of life | 14:10 |
| croelandt | so I don't think we can remove it | 14:10 |
| croelandt | it seems people actually use it | 14:10 |
| croelandt | now changing the way it works (while keeping backwards compatibility) is something that should have been discussed at PTG | 14:11 |
| rosmaita | ok, cool ... so then the next thing is that it needs to function properly | 14:11 |
| croelandt | or at least requires a spec | 14:11 |
| croelandt | is there one? | 14:11 |
| rosmaita | not sure this would need a spec, it's more of a bug that it doesn't work out of the box | 14:12 |
| rosmaita | anyway, take a look at my comments on PS1 of https://review.opendev.org/c/openstack/glance/+/969967 | 14:12 |
| croelandt | hm it does define a new format, right? | 14:12 |
| rosmaita | no | 14:13 |
| croelandt | oh no it's the same format | 14:13 |
| croelandt | but parsed properly? | 14:13 |
| rosmaita | that's the way i see it | 14:13 |
| croelandt | ok so that is quite different | 14:13 |
| croelandt | so that is basically a no brainer here | 14:14 |
| croelandt | if we're not parsing the format we're documenting, this is a bug | 14:14 |
| rosmaita | ok, leave a comment on the patch to file a bug (the author can basically copy text from the commit message) | 14:16 |
| rosmaita | that's all from me | 14:16 |
| croelandt | and I mean we *must* fix it | 14:16 |
| croelandt | thanks for bringing this up | 14:16 |
| croelandt | #topic image encryption (mhen, Luzi) | 14:17 |
| croelandt | mhen: you are up | 14:17 |
| croelandt | Luzi: you too :) | 14:17 |
| mhen | couple small updates | 14:17 |
| mhen | abhishekk asked us to summarize the PTG results in the spec; I added this to the "Security impact" section | 14:17 |
| mhen | on https://review.opendev.org/c/openstack/glance-specs/+/964755 | 14:17 |
| mhen | dansmith also did a review on it, which I responded to | 14:18 |
| mhen | in the main patchset I added user documentation and an adjustment for the image conversion import plugin to correctly reject encrypted images as per spec | 14:18 |
| mhen | main patchset: https://review.opendev.org/c/openstack/glance/+/926295 | 14:19 |
| mhen | if anybody could review especially those added parts, I'd really appreciate it | 14:19 |
| croelandt | so are we exactly clear on what needs to be done across all OpenStack projects? | 14:20 |
| mhen | I mean we have both the specs and already implementation patchsets for it | 14:20 |
| mhen | the only thing that is still in the open is future usage in Nova for directly booting instances, i.e., encrypted ephemeral storage from those images | 14:21 |
| mhen | but the spec already mentions that | 14:21 |
| mhen | but usage in Glance and Cinder is both described in specs as well as already implemented as patchsets | 14:22 |
| croelandt | so I don't want to end up merging something in Glance that then needs to be modified because Nova has different needs | 14:22 |
| croelandt | that is my concern | 14:22 |
| mhen | in Nova, the implementation patchset only covers the usage of resulting Cinder volumes for now, as ephemeral storage encryption is not ready on their side yet | 14:22 |
| croelandt | hm, ok | 14:23 |
| mhen | my interpretation of the PTG session is that we agreed on things that will make sure Nova can simply base on it later | 14:23 |
| mhen | at least dansmith was heavily involved in the discussion | 14:23 |
| croelandt | ok | 14:25 |
| croelandt | so yes, we could do another pass on the review | 14:25 |
| Luzi | In addition to the updated spec and patches, I rebased and updated the db migration patch: https://review.opendev.org/c/openstack/glance/+/926905 | 14:25 |
| abhishekk | luzi I will have a look at migration patch, (probably tomorrow during my day time) | 14:26 |
| Luzi | thank you abhishekk - it would be nice to know why i don't see the migration in the db | 14:26 |
| croelandt | ok, anything else? | 14:27 |
| mhen | not from my side | 14:27 |
| croelandt | Luzi: all good for you as well? | 14:27 |
| Luzi | yeah | 14:27 |
| abhishekk | many of my patches are open, it will be good if we go | 14:27 |
| abhishekk | decompression patches before year end | 14:27 |
| abhishekk | and the one property protection related as well, it will help me to move further with eventlet removal | 14:28 |
| abhishekk | ALSO are we going to have meetings till new year? | 14:29 |
| croelandt | so | 14:29 |
| croelandt | #topic One easy patch per core dev (not mandatory :p): | 14:29 |
| croelandt | I had | 14:29 |
| croelandt | #link https://review.opendev.org/c/openstack/glance/+/963294 | 14:29 |
| croelandt | for you abhishekk ^ | 14:30 |
| croelandt | frickler: ^ | 14:30 |
| croelandt | and yeah I know I need to re-read the decompression patches | 14:30 |
| croelandt | #topic Open Discussion | 14:30 |
| croelandt | I'll be around next week | 14:30 |
| flelain_35 | Hey everyone, I'd like to draw your attention to this spec related to Temp URL generation for image download whatever the object storage backend is (https://review.opendev.org/c/openstack/glance-specs/+/970214) | 14:30 |
| abhishekk | 25th is Thursday so that will be off | 14:30 |
| rosmaita | croelandt: what's the idea of this? patches that we are watching, or have reviewed, or merged? | 14:30 |
| croelandt | then on PTO for the rest of the year | 14:30 |
| abhishekk | croelandt: I will have a look | 14:30 |
| flelain_35 | If possible to tackle it in this section :) | 14:30 |
| croelandt | rosmaita: the idea of what? | 14:30 |
| flelain_35 | otherwise as a topic next week | 14:31 |
| croelandt | flelain_35: I can already tell the lines are too long, I'm surprised the CI passes | 14:31 |
| rosmaita | sorry, meant to ask "what is the goal of this section of the agenda?" | 14:31 |
| croelandt | rosmaita: "Open Discussion" is "talk about anything you want" because sometimes people are shy about editing the agenda | 14:32 |
| croelandt | or come up with last minute topics | 14:32 |
| croelandt | we just want people to not wait for a week because the agenda was not updated | 14:32 |
| flelain_35 | croelandt: mhh, we'll have a look at that. Weird the CI did not complain, right! | 14:32 |
| croelandt | flelain_35: temp URLs would be backend specific, right? | 14:33 |
| rosmaita | no, when i asked, the section of the meeting was "#topic One easy patch per core dev (not mandatory :p):" | 14:33 |
| croelandt | "f store backend does not support temp URL, method would stay unimplemented" | 14:33 |
| croelandt | rosmaita: oh | 14:33 |
| croelandt | yeah the idea is to put one patch you +2ed and think is really easy to review and say "come on, don't be lazy, just go push this" | 14:33 |
| flelain_35 | croelandt: yeah, for sure. Now, what else than Swift and S3? | 14:33 |
| croelandt | so don't put the encryption patch in that section | 14:34 |
| croelandt | but rather a small bug fix, something you can't really ninja approve, but still don't want to rot for 5 years in the queue | 14:34 |
| rosmaita | croelandt: ok, thanks | 14:34 |
| croelandt | rosmaita: I expect a link from you in this section next week! | 14:35 |
| flelain_35 | croelandt: f store backend? | 14:35 |
| rosmaita | croelandt: ack | 14:35 |
| croelandt | I'm not good at copy pasting with a mouse so the starting "i" is missing | 14:35 |
| flelain_35 | croelandt: ok thx, I understand it now :) yeah, we'd have to handle that on a backend techno basis. | 14:36 |
| opendevreview | Antonin Ruan proposed openstack/glance-specs master: [spec] Generate temp URL for images in object storage backend https://review.opendev.org/c/openstack/glance-specs/+/970214 | 14:37 |
| croelandt | ok | 14:37 |
| croelandt | we'll take a look at the spec | 14:37 |
| croelandt | anything else before we close? | 14:37 |
| rosmaita | flelain_35: my swift knowledge is pretty old, but aren't temp urls kind of insecure? | 14:37 |
| womax | just update the line count being wrong at the beginning | 14:37 |
| flelain_35 | croelandt: we see interesting advantages to go there. DL from nova w/o dealing with creds there, giving Ironic the ability to use S3 as a backend, ... | 14:37 |
| flelain_35 | rosmaita: haven't seen anything about that yet. Do you have any ref in mind? | 14:38 |
| croelandt | that is my concern as well | 14:38 |
| rosmaita | well, just that anyone with the temp url can download the data | 14:38 |
| rosmaita | they used to be unrestricted public urls | 14:39 |
| flelain_35 | rosmaita/croelandt: that's why it's temporary and usable only for DL | 14:39 |
| flelain_35 | AFAIK Ironic has kept it to operate on its images DL | 14:40 |
| rosmaita | ok, but temporary as in microseconds or minutes | 14:40 |
| womax | rosmaita: configurable but current default in Ironic is 20 minutes | 14:40 |
| rosmaita | that's kind of a big window, but i guess i need to read the spec | 14:41 |
| croelandt | yeah gotta figure out the details here | 14:41 |
| womax | obviously we may figure maximum duration allowed, ig ironic has kind of a large window to let bm server boot properly and url still be valid when needed | 14:42 |
| womax | but maybe (at least for if used only for nova behind) it could be reduced without too much problems | 14:43 |
| rosmaita | womax: do you know what happens to a download in progress if the temp url expires? | 14:43 |
| womax | no didn't test it specifically and it didn't happen either while I was playing with them | 14:43 |
| rosmaita | it's probably documented somewhere | 14:44 |
| womax | my best guess is that as it is an established HTTP connection it would continue | 14:44 |
| womax | but that's just guessing | 14:44 |
| rosmaita | i suspect you are correct, but i don't know either | 14:44 |
| rosmaita | i can see someone adding a bugfix or feature to swift that could cut off the download, though | 14:45 |
| flelain_35 | womax: yeah I do think so too | 14:46 |
| flelain_35 | I could add that Ironic project seems to be keen on having such a feature on Glance | 14:47 |
| rosmaita | so, apologies for being "that guy who didn't read the spec yet", is the goal of proposing this to speed up downloads? | 14:47 |
| flelain_35 | rosmaita: first, for us at OVHcloud is to give Ironic a way to use S3 as easily as Swift | 14:48 |
| flelain_35 | rosmaita: second would be to see Glance as an actual Control Plane node, delegating images DL (and why not UL at some point) to computes - avoiding Glance to be a bottleneck on such flows | 14:48 |
| flelain_35 | and w/o spreading backend creds all over the place | 14:49 |
| croelandt | so you currently have a temp url implementation for swift that works with glance store? | 14:49 |
| rosmaita | i'm just wondering whether enhancing the glance cache might be a better way to go | 14:49 |
| rosmaita | croelandt: it bypasses glance store completely, i believe | 14:50 |
| flelain_35 | I believe rosmaita is right | 14:50 |
| croelandt | so why not bypass the glance store for s3 as well? | 14:51 |
| flelain_35 | womax: what do you think? | 14:51 |
| womax | croelandt: for the time being i only implemented s3 temp url in ironic to match features for swift | 14:52 |
| womax | i did nothing in glance | 14:52 |
| rosmaita | well, the problem is that if we modify how the swift glance_store works under the covers, it can easily break ironic | 14:52 |
| womax | but for the spec we propose I think, as drivers live in glance_store, an update would be needed there as well | 14:52 |
| rosmaita | because their tempurl generation depends on how we currently do things | 14:52 |
| rosmaita | and naming conventions, etc | 14:52 |
| womax | rosmaita: I think actually ironic does not use glance_store for swift | 14:53 |
| rosmaita | yeah, but if we change the way images are stored in swift, ironic is out of luck | 14:53 |
| womax | it used custom field to define *one* swift store and then tries to download every image from there | 14:53 |
| womax | actually we would not change how they are stored but only add a way to access it | 14:53 |
| womax | ironic would still work without modification, but changes there would be good to make use of the new feature | 14:54 |
| rosmaita | womax: i am not saying you might change things, i am saying that if *we* change things for glance purposes, it could break you | 14:54 |
| womax | oh ok | 14:54 |
| womax | I see what you mean, even if I don't really know what kind of change could break compatibility but it may indeed be a problem later on | 14:55 |
| rosmaita | that's the main reason to put this into glance_store instead of doing it externally, it gives you some assurance that we won't go nuts and improve things for glance but break ironic (or whoever) | 14:55 |
| *** vhari_ is now known as vhari | 14:55 | |
| croelandt | yep, rosmaita is right | 14:59 |
| croelandt | bypassing the store seems a bit fragile | 14:59 |
| womax | I am not sure to fully understand. As spec does also propose both change to glance_store, to generate temp URL, and change to glance api to access the feature in glance_store | 15:00 |
| womax | so no store bypassing | 15:00 |
| womax | but maybe I did propose it wrong and it should be split in a spec for glance_store and then one for glance | 15:01 |
| flelain_35 | womax: yes, thx for those details | 15:01 |
| croelandt | to be fair we have not read the spec yet | 15:02 |
| croelandt | so maybe we read it and talk about it again later | 15:02 |
| croelandt | how does that sound? | 15:02 |
| flelain_35 | croelandt: sure, and sorry that was a cold pick! :) | 15:02 |
| womax | croelandt: sounds good to me | 15:03 |
| flelain_35 | croelandt: do you think there's value in breaking down changes we expect for both glance and glance_store? | 15:03 |
| croelandt | there is value in making it as easy as possible for us to understand | 15:04 |
| croelandt | now I'm not sure how much the current spec breaks things up | 15:04 |
| flelain_35 | croelandt: ok - we're gonna think it through again and I suggest we discuss it again next week | 15:05 |
| flelain_35 | Thank you very much! | 15:06 |
| rosmaita | ok, keep in mind that we (glance team) don't know all about how ironic does it, or necessarily approve of the tempurl approach | 15:06 |
| rosmaita | i mean, keep that in mind when explaining your proposal to us | 15:06 |
| croelandt | yeah, OpenStack works very much in silos | 15:07 |
| croelandt | and also, a lot of people are just developers for component X | 15:07 |
| croelandt | we are not sysadmins running actual OpenStack installs | 15:07 |
| croelandt | so sometimes actual issues are far from obvious to us | 15:07 |
| croelandt | but ok, let's talk more next week and let's end this meeting here | 15:08 |
| croelandt | Thanks everyone for joining! | 15:08 |
| croelandt | #endmeeting | 15:08 |
| opendevmeet | Meeting ended Thu Dec 11 15:08:13 2025 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:08 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/glance/2025/glance.2025-12-11-14.00.html | 15:08 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/glance/2025/glance.2025-12-11-14.00.txt | 15:08 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/glance/2025/glance.2025-12-11-14.00.log.html | 15:08 |
| opendevreview | Ivan Anfimov proposed openstack/glance-specs master: Remove url tags from README https://review.opendev.org/c/openstack/glance-specs/+/970699 | 20:46 |
| opendevreview | Ivan Anfimov proposed openstack/glance-specs master: Remove url tags from README https://review.opendev.org/c/openstack/glance-specs/+/970699 | 20:50 |
| vischan2 | Hello glance team, this is my first patch contribution to glance, so apologies if I am not following the correct process to request for this. My patch has '+2 Code-Review' on https://review.opendev.org/c/openstack/glance/+/970048. Based on documentation, it appears I need another +2 Code-review (?). If the core team has a moment, can I request for review '+1 Workflow' on this minor patch fix? | 22:57 |