Wednesday, 2025-02-19

« Tuesday, 2025-02-18 Index Thursday, 2025-02-20 »
jbernard#startmeeting cinder14:01
opendevmeetMeeting started Wed Feb 19 14:01:36 2025 UTC and is due to finish in 60 minutes.  The chair is jbernard. Information about MeetBot at http://wiki.debian.org/MeetBot.14:01
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:01
opendevmeetThe meeting name has been set to 'cinder'14:01
jbernard#topic roll call14:01
jbernardo/14:01
sfernandhi14:01
whoami-rajathi14:01
Luzio/14:01
mheno/14:01
jbernard#link https://etherpad.opendev.org/p/cinder-epoxy-meetings14:02
abishopo/14:02
msaravanhi14:02
jbernardwe'll get started in  a couple of minutes14:04
Saio/14:05
rosmaitao/14:05
toskyo/14:05
yuval_o/14:07
jbernardok, welcome everyone14:10
jbernardsorry for the delay, today is another snow day so schools are closed where i live14:10
jbernardlets see14:11
jbernard#topic annoucements14:11
jbernardi need to register for the ptg14:12
jbernardand if you plan to attend, it looks like the registration link is here14:12
jbernard#link http://ptg.openinfra.dev/14:12
jbernardclient library release (final) is this week14:13
jbernardthis is os-brick for us14:13
jbernard#topic image encryption14:14
jbernard^ i have tested this locally and it all seems to work for me14:15
rosmaita\o/14:15
Luziyay14:15
mhennice, thank you for testing14:15
jbernardi have notest that I need to transcribe into the review14:15
mhenwe primarily tested rbd (Ceph) and (iirc) lvm backends using DevStack14:15
mhena bunch of other storage backends are failing in the patchset's Zuul pipeline (StorPool, HPE etc.)14:15
jbernardbut the weather/school-closings have been quite the ordeal in recent weeks14:15
jbernardmhen: are the failings related to the changes? (i haven't looked at those yet)14:16
mhensadly, we neither have the necessary expertise nor available resources to evaluate and test integration with those proprietary storage systems ourselves14:16
mhenas a result, we cannot easily discern from the logs if the failures are our fault and need to be addressed in a patchset or not14:16
jbernardhmm14:16
mhensome log links also 40414:17
mhen(for IBM)14:17
jbernarddo you know the set of failing 3rd party CIs?14:17
whoami-rajatit would be good to see if those failures are similar in other patches, if yes then probably unrelated14:18
jbernardwe need to get that sorted before we could potentially merge14:18
whoami-rajatalso are they failing consistently with every recheck or they passed as well?14:18
jbernardmhen: im can help track down folks to get input of specific failures14:19
mhenso, would it be valid to trigger the Zuul build a few times in succession and note down repeatedly failing backends?14:21
mhen... and then trying to get in touch with folks responsible for them (through you jbernard) specifically?14:21
jbernardthat was my thought too, if we have current results I can use those to reach out to folks14:22
whoami-rajatshould be visible from older history but if there have been major changes in patchsets then we can retrigger it14:22
whoami-rajati see other third party CIs passing so probably failures are not related to your patch14:23
whoami-rajatalso do we know if we run encryption tests in third party CIs?14:23
whoami-rajatIIUC this change will only affect encryption workflow14:23
rosmaitathird party CIs are supposed to run the encryption tests14:24
rosmaitathey can use the fixed-key setup if they don't want to run barbican in their ci14:24
jbernardi think it's up to the vendor to configure the exact subset of tests to run, im assuming it would/could differ from vendor to vendor14:24
mhendoes Zuul make a rebase itself before testing or would it be advisable to rebase the patchset every once in a while to incorporate potential fixes that might have landed on main in the meantime?14:24
jbernardi could be wrong then, if the logs are present, we should be able to tell14:25
jbernardin general though, i think we need two things:14:26
jbernard1. verify the chagnes are not effecting other drivers14:27
jbernard2. at least 1 other reviewer is needed14:27
whoami-rajathitachi and nec CI are running some encryption tests14:27
whoami-rajatnec: https://cinder-cilogs.openstack.nec-solutioninnovators.com/98/926298/10/20250218090527/NEC-ISCSI/console.txt14:27
whoami-rajathitachi: http://ec2-18-177-230-241.ap-northeast-1.compute.amazonaws.com/refs/changes/98/926298/10/iscsi/stestr_results.html14:27
whoami-rajatboth iscsi ones14:28
whoami-rajatalso they're passing so looks good14:28
whoami-rajatone other concern i had14:28
whoami-rajatrecently Dan smith made me aware about his changes to use gpt as a format instead of raw14:29
whoami-rajat#link https://review.opendev.org/q/topic:%22bp/glance-as-defender%22+status:open14:29
whoami-rajatI'm not 100% sure if it keeps backward compatibility (should be) but good to check it against your patch as well if it doesn't create any conflict14:29
mhenwe use a dedicated disk_format (luks), everything within it (e.g. raw or gpt) should be irrelevant to Glance as it is only visible to the guest14:32
mheni.e. the blob starts with the LUKS header, not the GTP or MBR (raw) header14:33
mhen*GPT14:33
mhenany MBR or GPT header is encrypted payload of the LUKS blob14:34
mhenwill keep it in mind though, maybe something comes up14:35
mhenthanks for pointing this out14:35
whoami-rajatok, makes sense14:35
mhenI will take trying to discern reproducible failures of storage CIs from occasional hiccups as an action item and reach out to jbernard for those I can identify14:38
jbernardmhen: sounds good, i can do the tracking-down and requesting input part14:39
jbernardif such is needed14:39
mhenthanks for offering the assitance, much appreciated!14:41
mhen*assistance14:41
jbernardis anyone available to review part (or the whole) of this patch?14:41
jbernardif the ci results are favorable, we still need additional review input14:41
yuval_which patch?14:41
jbernardyuval_: image encryption14:41
jbernard#link https://review.opendev.org/c/openstack/cinder/+/92629814:41
yuval_I can try but I dont think I have enough knowledge 14:42
jbernardno worries, even part is helpful14:45
rosmaitai will take a look too14:45
jbernardthanks14:45
jbernard#topic open discussion14:46
whoami-rajatmhen, just to clarify the workflow, we encrypt the whole image (LUKS header) and inside the image it could have/not have the partition table (GPT/MBR), we create an encrypted volume out of it with same keys and then os-brick/cryptsetup decrypts it and we can use the volume/image as it is14:46
mhenwhoami-rajat: correct. We copy the LUKS data over one to one into the volume and simply re-use the LUKS encryption natively.14:48
mhenfor qcow2+LUKS images it's a different story as we need to convert those to (raw) LUKS in Cinder beforehand14:48
whoami-rajatokay, got it, thanks14:49
whoami-rajatmhen, also do we have support in nova to decrypt the LUKS+raw image if we launch a VM from it directly?14:49
mhennot in this iteration of the feature yet as Nova did not want to adopt it yet the last time we had a talk with them iirc14:51
mhenthey have their qcow2+LUKS14:51
whoami-rajatok, so the only way to use these encrypted images is through encrypted volumes14:51
whoami-rajatinteresting, does nova also support encrypting it's disks created from images?14:52
mhenwhen the current patchset(s) land, you may use either qcow2+LUKS or raw LUKS images through Cinder volumes; concerning qcow2+LUKS there is also some Nova-side implementation for that in particular but I don't know the current state14:54
mhenthere have been multiple attempts at ephemeral storage encryption in Nova in the past14:54
mhenI believe the latest idea was to use the qcow2+LUKS (native LUKS feature of qcow2) format as-is as a backing file or something14:54
yuval_since we close to ending just want to put out I have 2 patches that are no-code(just doc's) that I would like to merge: https://review.opendev.org/c/openstack/cinder/+/93963514:54
andreiI have small question, where can I check a list of drivers that will be removed from codebase?14:55
yuval_https://review.opendev.org/c/openstack/cinder/+/93957014:55
whoami-rajatmhen, ok, i wasn't aware, thanks for all the info!14:55
whoami-rajatandrei, recently we haven't removed any driver from codebase but we do mark it as unsupported, you can check the support matrix for unsupported drivers14:56
whoami-rajat#link https://docs.openstack.org/cinder/latest/reference/support-matrix.html14:56
whoami-rajat#link https://docs.openstack.org/cinder/latest/reference/support-matrix.html#operation_supported14:56
whoami-rajatthis is more precise14:56
andreiwhoami-rajat, thank you!14:57
mhenre qcow2+LUKS in Nova: https://blueprints.launchpad.net/nova/+spec/ephemeral-encryption-libvirt (search on this page for "qcow2" - there are a few related patchsets)14:57
whoami-rajat++14:59
jbernardok, last call everyone15:00
whoami-rajatyuval_, the doc claims to be supporting retype but i don't see that being overriden in the lightos driver?15:00
whoami-rajatdo you mean host-assisted retype?15:00
whoami-rajatdon't mean to hold the meeting, we can discuss in cinder channel15:02
jbernardno worries15:03
jbernardthank you everyone15:03
jbernard#endmeeting15:03
opendevmeetMeeting ended Wed Feb 19 15:03:39 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:03
opendevmeetMinutes:        https://meetings.opendev.org/meetings/cinder/2025/cinder.2025-02-19-14.01.html15:03
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/cinder/2025/cinder.2025-02-19-14.01.txt15:03
opendevmeetLog:            https://meetings.opendev.org/meetings/cinder/2025/cinder.2025-02-19-14.01.log.html15:03
whoami-rajatthanks!15:04
« Tuesday, 2025-02-18 Index Thursday, 2025-02-20 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!