Monday, 2021-05-03

<Luzi> #startmeeting image_encryption 13:00
<openstack> Meeting started Mon May  3 13:00:29 2021 UTC and is due to finish in 60 minutes.  The chair is Luzi. Information about MeetBot at
<openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 13:00
*** openstack changes topic to " (Meeting topic: image_encryption)" 13:00
<openstack> The meeting name has been set to 'image_encryption' 13:00
<Luzi> #topic Roll Call 13:00
*** openstack changes topic to "Roll Call (Meeting topic: image_encryption)" 13:00
<Luzi> hi fungi, let's wait for redrobot 13:01
*** jamesmcarthur has joined #openstack-meeting 13:02
*** jamesmcarthur has quit IRC 13:04
*** jamesmcarthur_ has joined #openstack-meeting 13:04
<Luzi> redrobot, are you there? 13:05
*** jamesmcarthur_ has quit IRC 13:08
*** stand has quit IRC 13:08
<Luzi> hi rosmaita 13:12
<Luzi> well it seems redrobot is not available today... 13:12
<Luzi> so i will ask them tomorrow in the barbican meeting about the secret consumers 13:12
<rosmaita> sounds good 13:13
<Luzi> ptg made it at least clear to me, that the secret consumer api is waiting for the microversions. and the microversions were/are waiting for the secure policies 13:13
<rosmaita> thanks, that helps me understand the holdup 13:14
<fungi> i tried to give a summary to the tc during the ptg as well, notes start at line 51 here at the moment: 13:15
<fungi> #link TC Xena PTG notes 13:15
<rosmaita> cool, thanks for that summary 13:16
<rosmaita> Luzi: don't know if this will help, but cinder is also interested in the consumer API to harden our current handling of encryption keys for encrypted volumes 13:17
<Luzi> i know, we talked about it in the autumn ptg 13:17
<fungi> during the security sig session we talked about reviving past conversations around making barbican a base service, but step 1 would be finding use cases it enables. that might be one 13:18
<rosmaita> yes, in order to have encrypted volumes in cinder, you must have a key manager service 13:18
<Luzi> rosmaita, do you use python-barbicanclient or castellan to interact with barbican? 13:19
<fungi> gagehugo: ^ for reference 13:19
<rosmaita> i think castellan directly, but i believe that requires python-barbicanclient 13:20
<fungi> more importantly, would users of that feature be interacting with barbican, or is it all filtered through the cinder api? 13:20
<Luzi> volume encryption is transparent to users 13:21
<fungi> like, should users be able to supply keys for encrypting volumes, and if so should they do that through the cinder api or barbican? 13:21
<rosmaita> well, we don't want them interacting with barbican, because without the consumer API, they can delete in-use keys 13:21
*** jamesmcarthur has joined #openstack-meeting 13:21
<fungi> sure, i mean hypothetical future with consumer api 13:21
<rosmaita> keys are supplied automatically (generated by barbican) 13:21
<rosmaita> we haven't found a reliable way for users to upload keys that work 13:22
<rosmaita> too many moving parts 13:22
<fungi> so for this purpose, castellan and "a castellan-supported keystore" is sufficient i suppose 13:22
<rosmaita> yes, though, red hat, for instance, uses barbican 13:23
<fungi> got it. so doesn't support the argument for adding barbican to the base services list since we already have it covered by
<fungi> #link base services list 13:24
<rosmaita> well, maybe not 13:26
<rosmaita> we also have the upload-volume-to-image workflow 13:26
<rosmaita> forget that 13:26
<rosmaita> as long as you configure cinder and glance correctly, should work with another keystore 13:27
<fungi> makes sense, thanks 13:27
<rosmaita> though we only test with barbican 13:27
<fungi> anyway, i didn't mean to hijack the meeting with tangential topics 13:27
<fungi> sorry about that 13:27
<Luzi> no worries 13:27
<Luzi> it's more interesting than only having a discussion about waiting :D 13:28
<fungi> so was the barbican clarification on consumer api and microversions the only real takeaway from the ptg? 13:28
<fungi> and the "add microversion 1.1" change is still wip, since almost 9 months... any indication where the discussion on making it no longer wip is taking place? barbican meetings? 13:30
<rosmaita> Luzi: what are your plans for CI on this? I'm thinking maybe tests in cinder-tempest-plugin since the library will be in os-brick.  I wonder whether it makes sense to work on the os-brick part and get that working even without the consumer API? 13:32
<Luzi> yes in the barbican meetings, at least it should be there - i did not hear that secure policies were the reason the microversions were on hold until the ptg :/ 13:32
<fungi> oh, the policy work is the blocker? i missed that 13:33
<rosmaita> i think it may be a project bandwidth issue, not a technical issue 13:33
<fungi> sure, we're all far too familiar with that struggle 13:34
<Luzi> rosmaita, the os-brick part can be done without the secret consumer - but after that? how long would that be just dead code? 13:34
<Luzi> yeah the barbican team has much to do :/ 13:34
<rosmaita> well, as long as we get some CI on it, it can be run all the time 13:35
<rosmaita> will probably require some devstack patches to enable whatever config you need in the services 13:35
<Luzi> okay, i think looking into the cinder-tempest-plugin would be a good start 13:35
<rosmaita> but we already use barbican for the encrypted volume tests in cinder-tempest-plugin, so a lot of what you will need is there 13:36
<rosmaita> because you really could release this feature without consumer API 13:36
<rosmaita> wouldn't have to worry about data leakage :) 13:37
<Luzi> well that's only the case if glance is okay with it 13:37
<rosmaita> it's kind of a bad hack, but you could do what cinder did with the cinder_encryption_key_deletion_policy metadata 13:38
<Luzi> and image encryption requires users to interact with secrets 13:38
<fungi> up-side to zuul is you can implement the job completely in proposed changes with depends-on to the various features you need in different projects, and completely run it 13:39
<fungi> so you don't have to wait for reviewers to approve stuff 13:40
<rosmaita> without the consumer API, the danger is that an end user might delete an in-use key by mistake ... is that correct? 13:40
<Luzi> yes it is 13:40
<rosmaita> and once the consumer api is available, there will only be a minor change in the workflow, i think 13:41
<Luzi> so you propose to release the feature and add secret consumers later? 13:43
<rosmaita> well, at least get it "almost" ready 13:43
<rosmaita> glance team is ok with releasing stuff as EXPERIMENTAL 13:43
<Luzi> well that would help i think. 13:43
<rosmaita> i'm just worried that if consumer api isn't available until M-3, this whole thing has to wait for Y 13:44
<Luzi> rosmaita, me too :/ 13:44
<rosmaita> i'm trying to find our release note from adding automatic key handling to glance 13:44
<rosmaita> we have a warning in there about the keys 13:45
* redrobot sneaks in through the back door 13:45
<Luzi> i will talk to the glance team, if they are okay with having only experimental image encryption, then i will start working on this 13:46
<rosmaita> found it, it's in the glance release notes 13:46
<fungi> redrobot: we saved a seat for you 13:46
<rosmaita> third bullet point 13:46
<Luzi> yeah, i have to discuss this with the glance team 13:47
<Luzi> hi redrobot 13:47
<rosmaita> even if they don't want to release it, we can get everything in place and not tell anyone about it until it's ready 13:48
<Luzi> i will look through the remaining work - it should be the cinder part and the tests 13:49
<Luzi> glance is just missing the secret consumer part and os-brick should also be ready 13:50
<rosmaita> ok, cool 13:50
<Luzi> redrobot, did you catch up and do you have any updates? 13:50
<rosmaita> i think your brick patch needed tests 13:50
<rosmaita> or have you added them and i am out of date? 13:51
<Luzi> do you mean unit tests? 13:52
<redrobot> Trying to catch up... sorry no updates on Barbican things.  I've been trying to squash a Hashicorp Vault bug 13:52
<rosmaita> Luzi: yes, i am out of date on your patch! 13:53
<Luzi> too many tasks for only one redrobot :( 13:53
<Luzi> yeah it has unit tests :) 13:53
<rosmaita> Luzi: when you get a chance, please resolve the merge conflict on that (it's probably in requirements or lower-constraints), which will re-run the CI 13:54
<rosmaita> i'll put it on my list to get that reviewed early this week 13:54
<Luzi> yes, i will do that 13:54
<Luzi> okay do you have anything else you want to talk about? 13:55
<rosmaita> yeah, i think if you can get an end-to-end test in cinder-tempest-plugin that would be fantastic 13:55
<rosmaita> and you would be ready for the consumer api 13:55
*** zaneb has joined #openstack-meeting 13:56
<rosmaita> cinder-tempest-plugin also has tests that interact with glance, so that part is there too 13:56
<Luzi> okay thank you 13:57
*** zaneb has quit IRC 13:58
<Luzi> if that's all, thank you for joining today and have a nice week 13:58
<Luzi> #endmeeting image_encryption 13:58
*** openstack changes topic to "OpenStack Meetings ||" 13:58
<openstack> Meeting ended Mon May  3 13:58:33 2021 UTC.  Information about MeetBot at . (v 0.1.4) 13:58
<openstack> Minutes (text):