Thursday, 2018-10-04

bauzasgibi: shouldn't we have a nova meeting14:03
gibi#startmeeting nova14:03
openstackMeeting started Thu Oct  4 14:03:20 2018 UTC and is due to finish in 60 minutes.  The chair is gibi. Information about MeetBot at
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:03
*** openstack changes topic to " (Meeting topic: nova)"14:03
openstackThe meeting name has been set to 'nova'14:03
tssuryaoops o/ again14:03
gibihi, I think I will be your guide today14:04
*** sean-k-mooney has joined #openstack-meeting14:04
*** lyarwood has joined #openstack-meeting14:04
gibilet's get started14:04
gibi#topic Release News14:04
*** cdent has joined #openstack-meeting14:04
*** openstack changes topic to "Release News (Meeting topic: nova)"14:04
gibi#link Stein release schedule:
* cdent wanders in late. time is hard.14:04
*** munimeha1 has quit IRC14:05
gibi#link Stein runway etherpad:
gibi#link runway #1: (gibi) [END: 2018-10-04] next patch is
gibi#link runway #2: (rgerganov) [END: 2018-10-12] one patch
gibi#link runway #3: (brinzhang)[END:2018-10-14]14:05
gibithe runway queue is empty14:06
*** awaugama has joined #openstack-meeting14:06
gibianything about release schedule or runways to discuss?14:06
gibithen moving on14:07
gibi#topic Bugs14:07
*** openstack changes topic to "Bugs (Meeting topic: nova)"14:07
gibino critical bugs14:07
gibi#link 60 new untriaged bugs (small decrease since last meeting):
gibi#link 5 untagged untriaged bugs (down 18 since the last meeting):*&field.status%3Alist=NEW14:08
gibithat is actually pretty good ^^14:08
gibithanks for whoever did the triage14:08
gibi#link bug triage how-to:
gibianything about bugs to discuss?14:09
openstackLaunchpad bug 1795920 in OpenStack Compute (nova) "SR-IOV shared PCI numa not working " [Undecided,Confirmed]14:09
sean-k-mooneywe did not fully implement the spec resulting in this bug14:10
sean-k-mooneyi am going to repropose the spec for completion if there are no objections14:10
gibisean-k-mooney: makes sense to me. Thanks for taking care of it14:11
*** annp has joined #openstack-meeting14:11
gibiI think the silence means no objection :)14:11
gibianything else?14:11
gibion bugs14:12
gibiGate status14:12
gibi#link check queue gate status
bauzasgibi: you're correct on the assumption :)14:12
gibi3rd party CI14:12
gibi#link 3rd party CI status
gibithe gate feels faster for me but the parallel evacuation bug hit us hard14:12
gibimriedem proposed a patch to turn the test off but mdbooth has a fix up as well14:13
* gibi grabbing link14:13
bauzaswe can skip for now14:14
bauzasI'll +W the change14:14
gibibauzas: works for me14:14
bauzasand then we can test the change separately14:14
*** awaugama has quit IRC14:14
efriedFWIW, the fix fixes the test case14:14
*** awaugama has joined #openstack-meeting14:15
efriedBut dansmith is concerned (rightly so) about the scope/impact/side effects of the fix14:15
gibiI saw that mdbooth answered dansmith in the review so I think that discussion can move forward14:15
bauzasefried: sure, but we can ask to remove the skipTest in the change14:15
dansmithI see I have things to read this morning14:16
bauzasefried: so while other changes aren't impacted, we can check it works14:16
bauzasnothing really blocking the fix14:16
bauzasexcept maybe to have it rebased on top of
bauzasso that it can remove the skipTest14:16
bauzasmdbooth : ^14:17
efriedI just didn't want to have us forget about the fix because it's hard and the failure is no longer occurring because we simply skipped it.14:17
bauzasefried: I promise I won't :)14:17
bauzasand I guess matt won't too14:17
gibiOK I think we have a clear way forward. moving on :)14:17
*** hongbin has joined #openstack-meeting14:17
gibianything else about gate?14:18
gibi#topic Reminders14:18
*** openstack changes topic to "Reminders (Meeting topic: nova)"14:18
gibi#link high level nova PTG summary:
gibi#link Stein Subteam Patches n Bugs:
gibiany other reminder to note?14:19
gibi#topic Stable branch status14:19
*** openstack changes topic to "Stable branch status (Meeting topic: nova)"14:19
gibi#link stable/rocky:,n,z14:19
gibi#link stable/queens:,n,z14:19
gibi#link stable/pike:,n,z14:20
gibi#link stable/ocata:,n,z14:20
gibimriedem is not here, does somebody have a short summary about the stable status?14:20
gibiAre we still working on flushing out the last ocata release before EM?14:20
*** munimeha1_ has joined #openstack-meeting14:21
gibiwe have a couple of patches in the ocata queue so I guess those need to be released before EM14:22
gibianything else on stable?14:22
gibi#topic Subteam Highlights14:23
*** openstack changes topic to "Subteam Highlights (Meeting topic: nova)"14:23
*** mdbooth_ has joined #openstack-meeting14:23
gibiCells v2 (dansmith)14:23
*** mdbooth_ is now known as mdbooth14:23
dansmithno meeting this week,14:23
dansmithbut down cell is proceeding,14:23
dansmithand matt has a PoC up for the cross-cell migration stuff14:23
dansmithwhich is fairly amazing14:23
dansmithoh, and there's a bug with the console stuff we deprecated last cycle14:24
dansmithwhich melwitt has some patches up for.. I haven't fully grokked that situation but I think it's progressing as well14:24
dansmiththat's about it I think.14:24
gibiScheduler (efried)14:24
efried#link Last NovaScheduler meeting minutes
bauzasgood luck14:25
efriedWe talked about the consumer gen series. I'll get through as much of that as I can today.14:25
efriedExtraction is still progressing.14:25
efried#link ML thread on "intended purpose" of traits
efriedwas mentioned and briefly discussed14:25
efriedTalked a bit further about how to handle configuring min_unit (and others) in a forward-looking (i.e. generic NRP) way. jaypipes agreed to look at the specs that might move us in that direction:14:25
efried#link kosamara's spec for modeling passthrough
efried#link sean-k-mooney's wip spec for generic device discovery/modeling
efriedIdea being to pick one of those so we can narrow our focus and move the ball forward.14:26
gibiefried: thanks14:26
gibiNotification (gibi)14:26
gibiI've cancelled the weekly meeting indefinitely due to low interest:
gibiso I guess this is the last report14:27
gibibut I'll still be around for notification work (too)14:27
gibiAPI (gmann)14:27
gibigmann left note on the wiki: no office hour this week.14:27
gmannno API office hour this week. i have added API related stein items in subteam etherpad  last week #link
gmannno other update to share. will start reviewing those items14:28
*** Bhujay has joined #openstack-meeting14:28
gibigmann: thanks14:28
gibianything else subteam related?14:28
gibi#topci Stuck Reviews14:28
gibinothing on the agenda14:29
gibidoes anybody want to mention something here?14:29
gibi#topic Stuck Reviews14:29
*** openstack changes topic to "Stuck Reviews (Meeting topic: nova)"14:29
bauzasgibi: #undo is cool for such things ;)14:29
gibibauzas: the keyword was wrong, so nothing to undo14:30
gibi#topic Open discussion14:30
*** openstack changes topic to "Open discussion (Meeting topic: nova)"14:30
gibiwe have one item on the agenda14:30
gibiHPET support on x86 guests:
efriedI took a preliminary look at the code:14:30
efried#link HPET patch
* bauzas won't make the joke again14:30
efriedThe thing I thought we might want to discuss is a) how strict we should be in terms of making sure we get on a HPET-capable host if that was requested in the flavor14:30
efriedand b) whether we should be using traits in here14:31
efriedThe case for b) becomes stronger if a) is a yes.14:31
efriedrather, if a) is "we should be strict"14:31
sean-k-mooneyefried: if we request a hpet in the guest i think we should refuse to spawn if the host can't support it14:31
gibiefried: would libvirt fail to spawn if the host does not support hpet ?14:32
efriedOkay. Not really having a handle on how users perceive this thing, that was my reaction too.14:32
efriedNo, right now the code is set up to be really forgiving. If you include the extra spec, but you spell it wrong, or the host isn't capable, it just spawns anyway with HPET off.14:32
gibiefried: I see14:32
efriedIf we make it stricter just in the driver, then the failure would be late, which isn't ideal, and is precisely what traits are meant for.14:33
sean-k-mooneywell spelling mistakes can be ignored but the latter is a bug in my view14:33
efriedwe can't do anything about spelling the key wrong. But if you misspell "treu" that should be an early failure.14:33
sean-k-mooneyefried: we could report hpet support as a cpu/compute node trait14:33
efriedyes, sean-k-mooney, exactly.14:33
gibiefried: I totally agree that if we want to fail we should fail in placement GET a_c14:34
efriedand either parlay hw:hpet=True into a required=<trait_name> or require the flavor to include the latter explicitly.14:34
*** liuyulong has joined #openstack-meeting14:34
efriedThis goes back to the discussion about having to say a thing twice, once to schedule and once to turn it on.14:35
efriedwhich is not an ideal ux14:35
sean-k-mooneyefried: well we do not want traits to enable things correct so if we removed one of the two we would keep the extra spec and have nova generate the trait14:35
efriedif we make a call for this case, it sets a precedent for the whole ironic deploy template design too...14:35
gibiI like the idea of saying once "I want this to be turned on" and as a result the instance get scheduled accordingly and the feature is turned on in the backend14:36
efriedsean-k-mooney: I think that's probably the decision least likely to result in all-out war.14:36
efriedThe problem of course being that it's kind of arcane knowledge that some extra specs get parlayed into required traits. Doc doc doc.14:36
* sean-k-mooney wait im not on the all-out war side this feels weird14:36
sean-k-mooneyefried: that is true but i think that is preferable to documenting you must add extra spec x and trait y14:37
bauzasI don't have a particular opinion on that, except that fat-fingering shouldn't be a nova issue14:38
bauzaswhether it should be an direct extraspec trait or something we would transform is not really important for me14:38
sean-k-mooneytypos could be addressed separately with the extra spec validation proposal so i think that's a separate issue14:38
efriedUsing strict=True when interpreting the bool value14:38
bauzasif you make typos in your flavor, it's your fault, right?14:39
efriedseems like a pretty low-risk, low-cost validation strategy14:39
efriedto some extent, yes. Like I say, there's no way we can validate the key, because there's not a prescriptive set of keys - you can put anything you want in there.14:39
jding1_I second that document both but only expose hw:hpet to extra spec and let now generate traits14:39
efriedBut we can at least validate that the value - of a known key - matches the "data type" we expect.14:39
jding1_let nova generate traits14:40
efriedI would like to hear jaypipes and/or dansmith weigh in on this14:40
dansmithsorry, something unfortunate came up that is distracting me from paying attention here14:40
sean-k-mooneyefried: there is a schema for validate via the glance metadef api already14:40
sean-k-mooneyfor extra spec validation that is14:40
gibiefried: then I guess we need to wait for them to express their opinion on the review14:41
dansmithis this spec discussion about hpet and how to request it from placement?14:41
gibidansmith: I think it is a specless bp right now14:41
*** jamesmcarthur has quit IRC14:41
gibidansmith: and an implementation patch14:42
*** jamesmcarthur has joined #openstack-meeting14:42
dansmithI've only skimmed,14:42
efriedTo summarize:14:42
efriedWe add a trait, say HPET_CAPABLE, which x86 libvirt adds to the host RP next to other "capabilities".14:42
efriedOperator puts extra spec hw:hpet=True in their flavor.14:42
efriedNova looks at hw:hpet=True and adds required=HPET_CAPABLE to the GET /a_c request14:42
efriedlibvirt sees hw:hpet=True and switches HPET on in the guest.14:42
dansmithefried: yeah, was just typing that out.. what's wrong with that approach?14:42
efrieddansmith: Nothing, I'm good with it. Wanted to make sure you were.14:43
* cdent is confused14:43
dansmitham I missing the thing I should hate there?14:43
*** armax has joined #openstack-meeting14:43
cdentwhy is this different from requiring a trait?14:43
efriedWell, I find it slightly arcane that we're special-casing an extra spec to push a required trait to the placement request14:43
dansmithwe're not?14:43
bauzasefried: just one point14:43
efriedcdent: Oh, because we're using it to switch on a thing in the guest, as well as making it part of the scheduling decision.14:44
dansmithyou can already do required=$trait in a flavor yeah?14:44
dansmithoh, I see, but..14:44
bauzasefried: we're talking a lot of transforming extra specs into traits and/or request groups14:44
dansmithisn't that kinda the approach we have with GPUs already?14:44
bauzasefried: I think someone should take his guts and write something clean for that14:44
efrieddansmith: This is the whole crux of the ironic deploy template discussion right now.14:44
bauzasefried: it could be me because $NUMA, or it could be you14:44
cdentthe use of traits in the  GET /a_c part seems solid and normal14:44
dansmithefried: it is, except that the deploy template is more than just one thing14:44
bauzasdansmith: we directly ask a resource class in the flavor14:45
cdentit's the issue of having to transform from hw:hpet=True that is odd14:45
efrieddansmith: take the UEFI example - that's just one thing, right?14:45
dansmithcdent: we don't14:45
bauzasdansmith: here, I think efried is asking to hide this into an extra spec14:45
cdentdansmith: that's what efried described above14:45
bauzasI'm not opposed to, I just want to make the mapping easy14:45
dansmithcdent: oh sorry, I see, I missed those two steps14:45
dansmithwhy wouldn't we just put the required trait in the flavor?14:45
dansmiththat said, the whole point of the request filter stuff is to translate novaisms into placementisms to some degree14:46
efrieddansmith: Because then the operator has to remember to say both things, which kind of sucks.14:46
dansmithefried: oh, because libvirt doesn't see the request we made to placement, thus doesn't see that we asked for it,14:46
dansmithbut it can see the flavor14:46
bauzasefried: like I said, my NUMA spec proposes some transformation-ism from an extra spec to a list of numbered request groups14:46
dansmithand that the flavor asked for that trait14:46
* dansmith is catching up14:46
*** kopecmartin|ruck is now known as kopecmartin|scho14:47
bauzaswe have allocations, right?14:47
sean-k-mooneydansmith: even if it could see the trait we do not enable capabilities based on traits14:47
bauzasfor VGPUs, we exactly know what the user asked14:47
dansmithsean-k-mooney: currently.14:47
dansmiththis seems like the trait version of what we do for GPU to me14:47
efriedSo here's the spectrum:14:47
efried- Operator says hw:hpet=True and we magically add required=HPET_CAPABLE to the placement call.14:47
efried- Operator says required=HPET_CAPABLE and libvirt uses that as its prompt to set it on the guest <== this is what jaypipes hates14:47
efried- Operator says both hw:hpet=True,required=HPET_CAPABLE, which is poor ux because if he forgets one or the other, he doesn't get what he wants.14:47
sean-k-mooneydansmith: or ever if i understand jaypipes view on that14:48
dansmithefried: jaypipes said he hates it?14:48
efriedWell, he hates the principle14:48
dansmithI guess that's on the review?14:48
efriedhe hasn't weighed in on HPET specifically14:48
efriedbut using traits to effect guest config he has come down hard on.14:48
dansmithI feel like there might be some confusion about how this does or does not overlap with the ironic case14:48
bauzasoh wait14:49
dansmithI think that is because of the traits being complex in the ironic case, and needing to be basically parsed to extract the key=value aspect14:49
sean-k-mooneydansmith: jaypipes has said previously that we should not use required=X to enable X in the context of secure boot and other things14:49
dansmithbut I could be wrong14:49
bauzasfor VGPUs, we only get allocations14:49
efriedFor the ironic case, if we just stick to the UEFI case, which is 1:1, it's a good parallel.14:49
bauzasso we don't really know the traits14:49
efriedbut yeah, the multifaceted deploy templates gets off into deeper weeds.14:49
bauzaswe only see whether we have a specific resource class14:49
dansmithcan we maybe just schedule a hangout with the man himself instead of everyone parroting what they think he intends?14:49
bauzasfor HPET, we would need to pass the request down the virt driver14:49
dansmithI think we could burn through this quicker that way anyway14:50
dansmithinstead of everyone watching this14:50
efriedwfm. jding1_ would you be available for a google hangout?14:50
bauzas+1 even14:50
bauzasbut I have to run in a call right after this meeting14:50
*** jchhatbar has joined #openstack-meeting14:50
jding1_will see what time14:51
efriedjding1_: and cfriesen too14:51
sean-k-mooneysure that said i also do not like using traits to enable features e.g. required=hpet_capable give you a hpet unless i can do that with everything like hugepages14:51
*** cfriesen has joined #openstack-meeting14:51
efriedIt's probably worth writing up these three alternatives at least into the blueprint template, if not into a short spec.14:51
gibiefried: I agree14:51
*** rbudden has quit IRC14:52
efriedcfriesen: You may want to read the scrollback. Or I can catch you up in -nova after the meeting.14:52
* cdent ducks out early14:53
*** cdent has quit IRC14:53
gibidansmith: will you organize the hangouts session for this?14:53
cfriesenefried: checking scrollback now14:53
*** janki has quit IRC14:53
dansmithgibi: that won't go well, given my week14:53
sean-k-mooneycfriesen:  did you also have a topic related to vtpm that you wanted to get eyes on?14:54
dansmithI'm sure efried wants that job14:54
efriedI can write words, but not sure where I should put them.14:54
gibiefried: put it in the blueprint as a start14:54
cfriesensean-k-mooney: yeah, I wasn't sure if I was going to make it so I didn't put it on the agenda14:54
efriedI could work with cfriesen/jding1_ on a short spec and we could discuss there, if that'll ease schedules.14:54
gibiefried: thank you14:54
efriedI don't think I have authority to edit the bp, and not sure the whiteboard is a good spot for it.14:55
cfriesenIf people have a few minutes...there's a sort of similar question around how flexible to make the virtual TPM stuff. (
sean-k-mooneycfriesen: i think we are just done with the hpet topic if you want to use the last 5 mins14:55
efriedcfriesen, jding1_: I'll write up the essentials and propose a spec review we can discuss on, and then give it over to y'all to fill in the details and make it buildable?14:56
jaypipessorry folks, reading back...14:56
gibicfriesen: go ahead you have 3 minutes :)14:56
cfriesenefried: sounds good.  Sean had suggested specifying the tpm type and version number, (with version defaulting to something if not specified).  then nova would translate that to a resource/trait request.14:56
*** gagehugo has joined #openstack-meeting14:56
*** rbudden has joined #openstack-meeting14:57
efriedso same design pattern14:57
cfriesenalternately we could have the flavor specify it directly in placement terminology14:57
jding1_efried: sounds good14:57
*** bobh has quit IRC14:58
cfriesenso for tpm we have an actual spec14:58
*** davidsha has joined #openstack-meeting14:58
cfriesenmaybe we want to put the alternatives in there and use that as proxy for the hpet discussion?14:58
*** e0ne has quit IRC14:58
sean-k-mooneyefried: yes same pattern. if we model hugepages in placement in the future i would also like to translate hw:mem_page_size into traits too14:59
gibicfriesen: hpet is a bit special as it only uses traits not resource classes14:59
cfriesengibi: ah, good point14:59
gibiwe are running out of time14:59
gibicontinue this on #openstack-nova14:59
gibithank you all14:59
*** _erlon_ has joined #openstack-meeting14:59
*** openstack changes topic to "OpenStack Meetings ||"15:00
openstackMeeting ended Thu Oct  4 15:00:02 2018 UTC.  Information about MeetBot at . (v 0.1.4)15:00
gagehugo#startmeeting security15:01
openstackMeeting started Thu Oct  4 15:01:27 2018 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:01
*** openstack changes topic to " (Meeting topic: security)"15:01
openstackThe meeting name has been set to 'security'15:01
*** takashin has left #openstack-meeting15:01
gagehugo#chair lhinds15:01
openstackCurrent chairs: gagehugo lhinds15:01
gagehugoping eeiden fungi gagehugo lhinds nickthetait browne redrobot15:02
* redrobot is only half here... also in an IRL meeting.15:02
*** cdent has joined #openstack-meeting15:03
jaypipesefried: I don't see why we don't just have trait:HPET=require in the flavor extra specs?15:03
efriedjaypipes: move to -nova pls15:03
gagehugo#topic ossa/ossn15:03
*** openstack changes topic to "ossa/ossn (Meeting topic: security)"15:03
jaypipeswhy add some magic "if I see hw:hpet extra spec, then create a trait:HPET=require" automatically?15:04
*** cdent has left #openstack-meeting15:04
gagehugo was made public yesterday I believe15:04
openstackLaunchpad bug 1795800 in OpenStack Identity (keystone) "Username enumeration via response timing difference" [Undecided,New]15:04
*** bobh has joined #openstack-meeting15:04
nickthetaitah yes15:05
gagehugogetting the timings to match up was deemed not an easy task15:06
gagehugo#topic Documentation15:07
*** openstack changes topic to "Documentation (Meeting topic: security)"15:07
gagehugoI think doug pushed some tox changes to the security-doc repos15:07
*** iyamahat has quit IRC15:08
gagehugo#topic Threat Analysis Docs15:10
*** openstack changes topic to "Threat Analysis Docs (Meeting topic: security)"15:10
gagehugoSame 3 are up for review15:10
*** bobh has quit IRC15:10
gagehugo#topic general discussion15:10
*** openstack changes topic to "general discussion (Meeting topic: security)"15:10
gagehugofungi nickthetait redrobot do you guys have anything?15:11
*** ttsiouts has quit IRC15:11
fungiother than that new security hardening bug you linked for keystone, nothing from me15:12
fungialso the two cinder potential ossa public bugs we mentioned last week still need some help15:12
smcginnisfungi: Not sure I'm aware of those.15:12
openstackLaunchpad bug 1784871 in OpenStack Security Advisory "ScaleIO (thin) volumes contain previous data (follow-up to 1699573)" [Undecided,Confirmed]15:13
*** e0ne has joined #openstack-meeting15:13
smcginnisgagehugo: Ah, thanks!15:13
openstackLaunchpad bug 1714858 in OpenStack Security Advisory "Some APIs don't check the owner policy" [Undecided,Incomplete]15:14
fungione of them looks like it probably needs us to issue an advisory? less sure about the other one15:14
gagehugofungi: ack, I'll look them over15:14
fungi(us being members of the vmt, but assistance from other interested parties is also welcome since they're public reports)15:15
*** annp has quit IRC15:16
gagehugoIs anyone going to be in Berlin?15:16
gagehugonext summit is little over a month away15:17
nickthetaitI can't :'(15:18
gagehugoI don't think I will be either unfortunately15:18
gagehugoIf no one else has anything, we can end early15:21
gagehugogive back a few mins15:22
*** jding1_ is now known as jackding15:23
gagehugoThanks everyone, have a good weekend!15:23
*** openstack changes topic to "OpenStack Meetings ||"15:23
openstackMeeting ended Thu Oct  4 15:23:24 2018 UTC.  Information about MeetBot at . (v 0.1.4)15:23
openstackMinutes (text):
