Thursday, 2022-03-10

*** dasm|bbl is now known as dasm03:06
*** dasm is now known as dasm|off04:08
*** abhishekk is now known as akekane|home04:56
*** akekane|home is now known as abhishekk04:56
*** soniya29 is now known as soniya29|ruck08:11
abhishekk#startmeeting glance14:00
opendevmeetMeeting started Thu Mar 10 14:00:01 2022 UTC and is due to finish in 60 minutes.  The chair is abhishekk. Information about MeetBot at
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:00
opendevmeetThe meeting name has been set to 'glance'14:00
abhishekk#topic roll call14:00
*** dasm|off is now known as dasm14:00
abhishekklets wait few minutes for others to join14:00
abhishekkI don't see anyone else around, lets start and others can join us in between14:02
abhishekkWe have small agenda today as well, with some review requests14:03
abhishekklets start14:03
abhishekk#topic Updates14:03
abhishekkZed PTG planning etherpad is up14:03
abhishekkif you haven't added your name to the list of attendees, kindly do it earliest14:03
abhishekkmoving ahead14:04
abhishekk#topic release/periodic jobs update14:04
abhishekkWe are done with the Yoga cycle with the rc1 release, so nothing is pending from our side14:04
abhishekkperiodic jobs all green \o/14:05
abhishekknext one is rosmaita 14:05
abhishekk#topic lock_path required for glance_store cinder driver14:06
abhishekkfloor is yours14:06
rosmaitadoing a context switch - hope i put info in the etherpad, because i don't remember what this was about14:07
abhishekkrelated to lock_path config option14:07
rosmaitaoh yeah, it's an issue that applies to the glance_store cinder driver14:07
jokke_I thought Eajat already implemented that, no?14:08
jokke_Rajat even14:08
abhishekkI think rosmaita is talking about documenting the option14:09
rosmaitaprobably not, it was fixed in koll-ansible, though14:09
rosmaitasilly me, i looked at the glance_store docs and didn't see anything14:09
rosmaitawe can just add something to this page14:09
rosmaitaby "we" i mean i will put up a patch14:09
abhishekkyes, this is the right place to mention14:10
rosmaitathat was really my question, how/where to doc this14:10
rosmaitarelated, though14:10
rosmaitathe glance_store docs are out of date, still mention that it's used for Glare14:10
abhishekkI will have a look at those and clean it up14:10
rosmaitacool, that's all from me14:11
abhishekkgreat, thank you14:11
abhishekkmoving ahead14:11
abhishekk#topic Fips backports14:11
abhishekkThere are some backports posted for fips14:11
abhishekkand owner wants our opinion about them 14:12
abhishekkProblem is the job which we converted to fips on master was non-voting during wallaby14:12
abhishekkSo I think that is not a valid backport (as per our policy)14:13
abhishekkwhat is your opinion about it?14:13
jokke_I don't think I have seen that job passing either so I'm pretty much against running it in stable branches just wasting infra resources14:13
jokke_If we are talking just the testing job definitions to stable14:14
rosmaitathe owner wants to backport some changes, or just running the job in stable/wallaby14:14
abhishekkrosmaita, above is the list of patches we have 14:14
abhishekkit has some changes to correct the old behavior in tests14:14
abhishekkI think other option we can have is periodic job running against the stable/wallaby and stable/xena branch14:15
rosmaitai agree with jokke_ that the first step is to have the fips jobs actually green on these patches14:15
rosmaitain fact, i suggest we ask them to make the job voting in the patch so the zuul result is relevant14:16
rosmaitaand once it is good, they can revise the patch to make the job non-voting14:17
rosmaitaright now, zuul gives +1 and there's still a failure14:17
abhishekkI also told the same, will convey the decision to him14:17
abhishekkThey are still debugging the issue for the job14:17
jokke_I kind of disagree seeing how unstable that test run has been. Like it's fine for non-woting until it actually passes more than fails on it's own. Lets get it blocking the gate only after the job is stable14:17
rosmaitajokke_: it will only vote on the patch that contains the change14:18
rosmaitawe won't make it actually voting14:18
rosmaitai entirely agree that this job is too unstable to run in the stable branches14:19
abhishekkack, will discuss this with the owner14:19
jokke_rosmaita: well the thing is it's flaky ... so if it's marked voting there, DNM needs to be flagged for now14:19
rosmaitajokke_: right14:19
jokke_and that really won't get him anywhere closer to merge them :P14:20
rosmaitawell, it helps us14:20
rosmaitaright now , it looks like we are the blocker, because this green patch is sitting there14:20
rosmaitaso let' make zuul give it a -114:20
jokke_but yeah I'd say to get the test stable and perhaps voting in master is good start before worrying bringing it to stable14:20
jokke_rosmaita: fail14:21
rosmaitawell, that too14:21
jokke_fair even14:21
abhishekkthat's all, moving to Open discussion14:21
abhishekk#topic Open discussion14:21
abhishekkI think croelandt and pdeore added some patches for review requests14:22
abhishekk1st one is merged14:22
abhishekkI will just add the others for reference here14:22
abhishekk   Remove lower-constraints.txt (If4881229) - Agreed on during the review party14:22
abhishekk   glance help <subcommand>: Clearly specify which options are mandatory (I51ea4c43)14:22
abhishekk Implement API protection testing for metadef resource types ( Removed the lock as per suggestions)14:22
abhishekk Implement API protection testing for metadef properties  ( Removed the lock as per suggestions)14:22
croelandtyes, only the first 314:22
abhishekk Implement API protection testing for metadef tags  ( Removed the lock as per suggestions)14:22
abhishekkLast 3 are from glance-tempest-plugin and related to s-rbac function tests14:23
croelandt2) and 3) we agreed on during the party but never re-reviewed iirc14:23
abhishekkI did :D14:23
abhishekkIf you guys have some time, please review these patches14:23
abhishekk2 and 3 is trivial14:24
abhishekklast 3 are functional and related to metadef s-rbac tests14:24
pdeoreSo, as per Dan's suggestion about removing the lock and namespacing the namespace, I've updated these patches... 14:24
abhishekkanything else guys?14:26
alistarleYep, I have a question about a new glance import method to match multi-region use-case14:27
alistarleI have prepared a patch about a "glance-download" (instead of web-download) import method, to allow a glance image to be download directly from another glance, what do you think about that ?14:27
abhishekkanother glance deployment?14:28
alistarleYes my use-case is more about a glance in other region14:28
alistarleLet's say you uploaded an image in RegionOne (VM snaphshot by example), and you want this image to be present in RegionTwo (as a backup), currently I need to download locally and use glance-direct, or use web-download14:29
abhishekkdo you know we have copy-imge import method?14:29
alistarleYes but copy-image is to copy an image between backends of the same glance14:30
jokke_alistarle: are you using glanceclient for it or requests directly?14:30
alistarleHere it is to copy image between multiple region, so multiple glance deployments14:30
jokke_I kind of like the idea as long as we're not adding p-gc as requirement14:30
alistarlejokke_: good question, I POC it with glanceclient, but it add a lot of mess (and maybe a circular dependency to add glanceclient as a glance requirements), maybe requests is better14:31
abhishekkand also it will be better if we have this discussion in PTG with a proposal/spec up for reference14:32
jokke_alistarle: specially as I assume it's just one API call, it probably is fairly simple case14:32
alistarleOnly thing is we need to forward the RequestContext into the tasks API, to use client keystone token to call the remote glance, otherwise we can have a security issue if using admin credentials here14:32
alistarleThat was my only concern in my patch, that's why I wanted to get your opinion before going further14:33
jokke_alistarle: yeah I was just going to say, what you need to pass as the import call body is the auth uri for the target deployment and token14:33
jokke_So bit more json parsing there which is annoyance for testing but very trivial to do in client14:34
alistarleHmmm I would say image ID and region is enough, as the token will be valid in all regions14:34
alistarleso we can rely on the token the user give use by calling the /import route14:34
jokke_alistarle: that's only if you have federated keystone though ... does exclude your second usecase of separate deployments out14:35
jokke_so maybe poc it like that to have the mechanics in place and then add the parsing of the body for optional keystone auth uri and token in case the source is actual separate deployment14:36
alistarlejokke_: Yep it require ferederated keystone, but do you think it is ok to send a token and auth information in the JSON body of import ?14:36
jokke_alistarle: sure, why not. Just need to make sure we don't log it14:37
abhishekkalistarle, can you build/submit a proposal for the same with actual solution you are using14:37
abhishekkwe dont log import body anywhere14:37
jokke_no different than sending your token as header on the request itself security wise14:37
alistarleHmm true14:38
jokke_that said, I'd implement it only accepting token, not username & password14:39
jokke_at least that's timelimited exposure14:39
alistarleOk so I will make a POC and a spec for that, at least it sound good to you :) 14:39
abhishekkyeah, interesting feature14:39
alistarlejokke_: I agree yes14:39
jokke_for me, can't speak for abhishekk & rest :P14:39
jokke_but I like the idea14:40
abhishekkthank you alistarle 14:40
abhishekkanything else guys14:41
jokke_not from me14:41
abhishekkcroelandt, pdeore ?14:41
alistarleThat's ok for me too, thanks :) 14:41
pdeoreno, nothing from me too 14:41
abhishekkOne more thing I almost forget to mention14:41
abhishekkpdeore, has volunteered to chair the weekly meeting from next week14:42
abhishekkthank you very much pdeore 14:42
rosmaitanice, thank you14:42
jokke_ \\o \o/ o// o/714:42
croelandtgoo for me14:42
croelandtpdeore: congrats!14:43
rosmaitacroelandt: "goo"? do you mean "goulash"?14:43
abhishekkthank you all14:43
pdeoreThanks to you abhishekk for believing on me :) 14:43
croelandtrosmaita: I always want goulash14:43
jokke_croelandt: I'm sure she will let you chair one every once in a while if you ask nicely14:43
croelandtjokke_: what if I don't ask?14:43
jokke_croelandt: then you better not miss one ... we're good at voluntolding people :P14:44
abhishekkthen we have different role for you :D14:44
pdeore:D :D14:44
croelandtthere is no escaping the pain14:44
abhishekkabsolutely not :P14:45
abhishekklets wrap up for the day, thank you again14:45
abhishekkhave a nice weekend ahead14:45
jokke_thanks all14:45
opendevmeetMeeting ended Thu Mar 10 14:45:35 2022 UTC.  Information about MeetBot at . (v 0.1.4)14:45
opendevmeetMinutes (text):
pdeoreThank you all !!14:45
*** gmann is now known as gmann_afk16:13
*** gmann_afk is now known as gmann16:29
*** dasm is now known as dasm|off23:58

Generated by 2.17.3 by Marius Gedminas - find it at!