opendevreview | Yian Zong proposed openstack/manila master: Adds a new Manila driver for Dell PowerFlex storage backend https://review.opendev.org/c/openstack/manila/+/880527 | 05:00 |
---|---|---|
opendevreview | Dan Smith proposed openstack/devstack-plugin-ceph master: Add qemu-block-extra https://review.opendev.org/c/openstack/devstack-plugin-ceph/+/881479 | 14:05 |
opendevreview | Dan Smith proposed openstack/devstack-plugin-ceph master: Revert "Temporary pin the ceph jobs nodeset to Focal" https://review.opendev.org/c/openstack/devstack-plugin-ceph/+/865315 | 14:07 |
*** toabctl_ is now known as toabctl | 14:46 | |
*** iurygregory_ is now known as iurygregory | 15:00 | |
Uggla | Hello gouthamr, can we discuss about the manila api "lock" for nova ? It appears we have another need that was not seen during PTG. | 16:16 |
opendevreview | Dan Smith proposed openstack/devstack-plugin-ceph master: Revert "Temporary pin the ceph jobs nodeset to Focal" https://review.opendev.org/c/openstack/devstack-plugin-ceph/+/865315 | 16:43 |
gouthamr | hi Uggla | 17:13 |
gouthamr | sure we can | 17:13 |
Uggla | gouthamr, do you want me to explain the new findings we have ? | 17:14 |
gouthamr | Uggla: i don't have the spec ready yet; but i think i caught some of the discussion on the nova channel last week; was this about the ability for all users in the project to view the ACLs? | 17:15 |
Uggla | gouthamr, oh yes. We need to "mask" the IP of the compute that we will have in export_location as an example. | 17:16 |
Uggla | the idea is to not leak any internal ip to "regular" user. | 17:17 |
gouthamr | ack; im thinking of a way to do this | 17:20 |
Uggla | this is especially true for access-list | 17:20 |
gouthamr | nova, i presume would be using a service token to create the access-rule and list access? | 17:21 |
Uggla | hum today I'm using a regular user. But yes I think we could use a service token. | 17:22 |
gouthamr | it'd be a suggestion for us to implement something where we could identify the user | 17:23 |
Uggla | to be honest I'm unsure what is a service token. | 17:24 |
opendevreview | kiran pawar proposed openstack/manila master: [NetApp] Recreate security cert during vserver create. https://review.opendev.org/c/openstack/manila/+/877615 | 17:26 |
Uggla | gouthamr, Can I help somewhere to speed up this ? | 17:27 |
gouthamr | Uggla: service token is my parlance for a token representing an internal openstack "service" user account.. the service user account for nova is called "nova" on devstack.... | 17:27 |
gouthamr | today this user has an "admin" role assigned | 17:27 |
gouthamr | but, the goal is to use a new "service" role by default | 17:28 |
gouthamr | https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#isolate-service-to-service-apis-to-the-service-role | 17:29 |
Uggla | ok | 17:32 |
gouthamr | i don't think the role matters currently though | 17:33 |
gouthamr | as long as the user you use is privileged in some way - i.e., either has "admin" or "service", we can make this work | 17:33 |
Uggla | ok | 17:34 |
gouthamr | i can spec this up on the manila side and i am hoping it'll be transparent to nova | 17:34 |
gouthamr | i.e., no API request schema change to create, list, delete access rules... | 17:35 |
Uggla | gouthamr, also just to be sure the lock mechanism should prevent user to delete the share and the access-list associated. | 17:35 |
gouthamr | ack Uggla | 17:37 |
Uggla | gouthamr, also regarding the API, I think I will be able to adapt. | 17:37 |
Uggla | gouthamr, may I help you in writing the spec or something else ? | 17:37 |
gouthamr | Uggla: yes; i could use the help in review and refining :) | 17:38 |
Uggla | gouthamr, sorry to push a little on that, but the fact that user can see internal stuff is a blocker for us. :( And I really would like to merge all that stuff in this cycle. | 17:40 |
gouthamr | Uggla++ agreed; this is a security concern - although i would hope that these IPs aren't reachable by design - it's best to keep them hidden | 17:41 |
Uggla | gouthamr, of course these IPs are restricted but nova cores really try to not leak information. I could not negotiate on that point. :) | 17:45 |
gouthamr | ack Uggla | 17:46 |
gouthamr | i think johnthetubaguy had once complained about cephx keys in the same way -- we expected a "permissive" project structure where everyone under a project was trusted | 17:47 |
gouthamr | but, if you as a user look at the access list for a CEPHFS share today, you'd see the access keys of all other users that had access to the share | 17:48 |
Uggla | gouthamr, oh yes sounds like a similar pb. | 17:48 |
Uggla | even worse I guess. | 17:49 |
gouthamr | yes | 17:50 |
Uggla | I also know that I need to check with CEPHFS, I will implement that right after the client part. | 17:50 |
gouthamr | Uggla++ | 17:52 |
Uggla | something great is that we have a user who wants to use all that stuff to provide public cloud services. He already did some tests. | 17:52 |
gouthamr | Uggla: oh that's awesome!! | 17:55 |
Uggla | gouthamr, yep that's cool. But he needs our feature and also some improvements on qemu/libvirt that should come at the end of the year. | 17:57 |
gouthamr | Uggla: i see; is the qemu/libvirt timeline for a specific distro? or upstream package changes as well? | 17:58 |
Uggla | gouthamr, the improvements are for upstream, currently when a share is "mapped" to a vm using virtiofs, it prevents to do several features (live migration as an example). | 18:00 |
gouthamr | nice; i think i'm subscribed to a downstream tracker for that Uggla | 18:01 |
Uggla | gouthamr, fyi here is the BZ I opened on that topic: https://bugzilla.redhat.com/show_bug.cgi?id=2185031 | 18:02 |
opendevreview | Dan Smith proposed openstack/devstack-plugin-ceph master: Revert "Temporary pin the ceph jobs nodeset to Focal" https://review.opendev.org/c/openstack/devstack-plugin-ceph/+/865315 | 20:59 |
opendevreview | Goutham Pacha Ravi proposed openstack/devstack-plugin-ceph master: [WIP] Test the Native CephFS job with Ubuntu Jammy https://review.opendev.org/c/openstack/devstack-plugin-ceph/+/881519 | 21:44 |
opendevreview | Dan Smith proposed openstack/devstack-plugin-ceph master: Revert "Temporary pin the ceph jobs nodeset to Focal" https://review.opendev.org/c/openstack/devstack-plugin-ceph/+/865315 | 23:07 |
opendevreview | Goutham Pacha Ravi proposed openstack/devstack-plugin-ceph master: [WIP] Test the Native CephFS job with Ubuntu Jammy https://review.opendev.org/c/openstack/devstack-plugin-ceph/+/881519 | 23:51 |