*** ociuhandu has quit IRC | 00:07 | |
*** tosky has quit IRC | 00:09 | |
*** ociuhandu has joined #openstack-nova | 00:13 | |
openstackgerrit | Ghanshyam Mann proposed openstack/nova master: zuul: Switch to the Zuulv3 grenade job https://review.opendev.org/704364 | 00:14 |
---|---|---|
*** ociuhandu has quit IRC | 00:18 | |
*** hongbin has quit IRC | 00:41 | |
*** hongbin has joined #openstack-nova | 00:43 | |
openstackgerrit | Kevin Zhao proposed openstack/nova master: [WIP] CI: add tempest-integrated-compute-aarch64 job https://review.opendev.org/714439 | 00:46 |
*** zhanglong has joined #openstack-nova | 01:21 | |
*** Liang__ has joined #openstack-nova | 01:22 | |
openstackgerrit | Brin Zhang proposed openstack/python-novaclient stable/train: Update master for stable/train https://review.opendev.org/723290 | 01:28 |
*** tetsuro has quit IRC | 01:43 | |
*** songwenping_ has joined #openstack-nova | 01:47 | |
*** songwenping__ has quit IRC | 01:50 | |
*** tetsuro has joined #openstack-nova | 01:53 | |
openstackgerrit | Brin Zhang proposed openstack/nova stable/train: Update master for stable/train https://review.opendev.org/723295 | 02:03 |
*** tbachman has quit IRC | 02:03 | |
*** tbachman has joined #openstack-nova | 02:06 | |
*** hongbin has quit IRC | 02:23 | |
*** zhanglong has quit IRC | 02:31 | |
*** zhanglong has joined #openstack-nova | 02:33 | |
*** zhanglong has quit IRC | 02:39 | |
*** ociuhandu has joined #openstack-nova | 02:40 | |
openstackgerrit | xuyuanhao proposed openstack/nova master: failed to loads pyc file's classes https://review.opendev.org/723301 | 02:44 |
*** ociuhandu has quit IRC | 02:50 | |
*** threestrands has joined #openstack-nova | 02:51 | |
*** ociuhandu has joined #openstack-nova | 02:55 | |
*** ociuhandu has quit IRC | 03:00 | |
*** tetsuro has quit IRC | 03:08 | |
*** sapd1 has joined #openstack-nova | 03:10 | |
*** mkrai has joined #openstack-nova | 03:19 | |
*** songwenping__ has joined #openstack-nova | 03:26 | |
*** songwenping_ has quit IRC | 03:28 | |
*** psachin has joined #openstack-nova | 03:31 | |
*** ociuhandu has joined #openstack-nova | 03:33 | |
*** factor has joined #openstack-nova | 03:34 | |
*** tetsuro has joined #openstack-nova | 03:38 | |
*** ociuhandu has quit IRC | 03:38 | |
openstackgerrit | Arthur Dayne proposed openstack/os-resource-classes master: Add new resource class: PSSD, VSSD https://review.opendev.org/723303 | 03:40 |
*** stephenfin has quit IRC | 03:59 | |
*** stephenfin has joined #openstack-nova | 04:09 | |
*** tbachman has quit IRC | 04:12 | |
*** avolkov has joined #openstack-nova | 04:12 | |
*** tbachman has joined #openstack-nova | 04:13 | |
*** songwenping_ has joined #openstack-nova | 04:21 | |
*** ircuser-1 has quit IRC | 04:23 | |
*** ratailor has joined #openstack-nova | 04:24 | |
*** songwenping__ has quit IRC | 04:24 | |
*** ociuhandu has joined #openstack-nova | 04:27 | |
*** ociuhandu has quit IRC | 04:34 | |
*** evrardjp has quit IRC | 04:35 | |
*** evrardjp has joined #openstack-nova | 04:35 | |
openstackgerrit | Arthur Dayne proposed openstack/os-resource-classes master: Add new resource class: SSD https://review.opendev.org/723303 | 04:46 |
*** mkrai has quit IRC | 04:59 | |
*** mkrai_ has joined #openstack-nova | 04:59 | |
*** yaawang_ has quit IRC | 05:13 | |
*** yaawang_ has joined #openstack-nova | 05:14 | |
*** vishalmanchanda has joined #openstack-nova | 05:18 | |
openstackgerrit | Kevin Zhao proposed openstack/nova master: [WIP] CI: add tempest-integrated-compute-aarch64 job https://review.opendev.org/714439 | 05:20 |
*** udesale has joined #openstack-nova | 05:29 | |
*** links has joined #openstack-nova | 05:30 | |
*** songwenping__ has joined #openstack-nova | 05:38 | |
*** damien_r has joined #openstack-nova | 05:38 | |
*** songwenping_ has quit IRC | 05:41 | |
*** damien_r has quit IRC | 05:43 | |
openstackgerrit | Arthur Dayne proposed openstack/os-resource-classes master: Add new resource class: SSD https://review.opendev.org/723303 | 05:53 |
*** dpawlik has joined #openstack-nova | 05:56 | |
*** ociuhandu has joined #openstack-nova | 06:02 | |
*** ociuhandu has quit IRC | 06:06 | |
*** songwenping_ has joined #openstack-nova | 06:12 | |
bauzas | gibi: I'm taking an half-day PTO this morning, see you this afternoon | 06:15 |
*** songwenping__ has quit IRC | 06:16 | |
*** CeeMac has joined #openstack-nova | 06:16 | |
openstackgerrit | Andrey Volkov proposed openstack/nova master: [WIP] Image auto signature https://review.opendev.org/723320 | 06:46 |
*** lennyb has quit IRC | 06:54 | |
*** damien_r has joined #openstack-nova | 06:55 | |
*** ociuhandu has joined #openstack-nova | 06:55 | |
*** damien_r has quit IRC | 06:58 | |
*** damien_r has joined #openstack-nova | 06:58 | |
*** nightmare_unreal has joined #openstack-nova | 07:02 | |
*** xek_ has quit IRC | 07:03 | |
gibi | bauzas: good morning. ACK. | 07:05 |
*** slaweq has joined #openstack-nova | 07:07 | |
*** songwenping__ has joined #openstack-nova | 07:08 | |
*** iurygregory has quit IRC | 07:09 | |
*** songwenping_ has quit IRC | 07:10 | |
*** iurygregory has joined #openstack-nova | 07:10 | |
*** mkrai_ has quit IRC | 07:11 | |
*** ociuhandu has quit IRC | 07:13 | |
*** ociuhandu has joined #openstack-nova | 07:13 | |
*** tesseract has joined #openstack-nova | 07:14 | |
*** maciejjozefczyk has joined #openstack-nova | 07:21 | |
*** rpittau|afk is now known as rpittau | 07:22 | |
*** tosky has joined #openstack-nova | 07:26 | |
*** ociuhandu has quit IRC | 07:26 | |
*** ociuhandu has joined #openstack-nova | 07:29 | |
zigo | With ussuri, I'm getting: | 07:33 |
zigo | root@C1-z-controller-1>_ ~ # openstack flavor create --format shell octavia_65 --private --id 65 --ram 2048 --disk 4 --vcpus 1 | 07:33 |
zigo | Policy doesn't allow os_compute_api:os-flavor-manage:create to be performed. (HTTP 403) (Request-ID: req-30fe38ae-deb9-451f-9234-58edd691696b) | 07:33 |
zigo | Is there something wrong with the scope enforcement? It's by default to False as it should be ... | 07:33 |
zigo | When I set rule:admin_api instead, then it works. So something's wrong in oslo.policy or what? | 07:36 |
gibi | zigo: there was a wide change in the policy handling in Ussuri but the new behavior should be off by default | 07:38 |
zigo | Which is what I'm saying, it shouldn't be enforced by default, but it looks like it is! | 07:38 |
*** mkrai_ has joined #openstack-nova | 07:39 | |
*** links has quit IRC | 07:39 | |
*** links has joined #openstack-nova | 07:40 | |
*** ccamacho has joined #openstack-nova | 07:43 | |
gibi | zigo: did you use a admin token in the failed case? | 07:45 |
zigo | I'm doing this as an admin user indeed. | 07:45 |
* gibi tries to recreate the problem in devstack | 07:46 | |
*** yaawang_ has quit IRC | 07:49 | |
gibi | I have default policy config and it works for me http://paste.openstack.org/show/792738/ | 07:49 |
*** yaawang_ has joined #openstack-nova | 07:50 | |
* gibi going to restack it's devstack to be exactly RC1 | 07:51 | |
zigo | gibi: You can try with the Debian packages, maybe ? :) | 07:52 |
zigo | For Buster: | 07:52 |
zigo | deb http://buster-ussuri.debian.net/debian buster-ussuri-backports main | 07:52 |
zigo | deb http://buster-ussuri.debian.net/debian buster-ussuri-backports-nochange main | 07:52 |
zigo | Or if you are more adventurous, just from Experimental! :P | 07:52 |
*** yaawang_ has quit IRC | 07:54 | |
*** yaawang_ has joined #openstack-nova | 07:55 | |
gibi | zigo: I have to jump on a call for a while, gmann, johnthetubaguy, stephenfin if you can help zigo in the meantime that would be appreciated | 07:56 |
gibi | zigo: I would check oslo.policy version as there was a late change there as well | 07:57 |
gibi | zigo: and you can try to rollback https://review.opendev.org/#/c/714822 maybe, but I'm not sure | 07:57 |
zigo | # dpkg-query -W python3-oslo.policy | 07:58 |
zigo | python3-oslo.policy 3.1.0-1~bpo10+1 | 07:58 |
zigo | So that's latest release ... | 07:59 |
gibi | yepp, that is the last one | 07:59 |
*** yaawang_ has quit IRC | 08:02 | |
*** yaawang_ has joined #openstack-nova | 08:03 | |
zigo | Reverting that patch doesn't fix the problem. | 08:09 |
gibi | zigo: ack, then I'm out of ideas at the moment | 08:09 |
gibi | and sitting on a call so will be slow responding | 08:10 |
*** xek has joined #openstack-nova | 08:10 | |
*** rcernin has quit IRC | 08:13 | |
*** songwenping_ has joined #openstack-nova | 08:15 | |
*** songwenping__ has quit IRC | 08:18 | |
*** threestrands has quit IRC | 08:20 | |
zigo | I can switch the packaging from rule:system_admin_api to rule:admin_api in the default policy.conf, but obviously, something is wrong that needs to be fixed. | 08:20 |
zigo | Or is there a way to give the system_scope:all to my admin user? | 08:21 |
*** songwenping__ has joined #openstack-nova | 08:21 | |
*** tkajinam has quit IRC | 08:23 | |
frickler | zigo: you can call for system scoped tokens in the openstack client command | 08:24 |
*** mkrai_ has quit IRC | 08:24 | |
*** songwenping_ has quit IRC | 08:24 | |
zigo | frickler: How? | 08:25 |
*** mkrai has joined #openstack-nova | 08:25 | |
frickler | zigo: in devstack there is a "devstack-system-admin" section in /etc/openstack/config.yaml, let me try to do that manually | 08:27 |
frickler | openstack --os-auth-url https://192.168.42.13/identity --os-username admin --os-system-scope all --os-user-domain-name default token issue | 08:29 |
*** logan_ has joined #openstack-nova | 08:31 | |
*** aarents has quit IRC | 08:31 | |
*** logan- has quit IRC | 08:32 | |
*** Hazelesque has quit IRC | 08:32 | |
*** Hazelesque has joined #openstack-nova | 08:33 | |
*** logan_ is now known as logan- | 08:35 | |
*** derekh has joined #openstack-nova | 08:38 | |
*** martinkennelly has joined #openstack-nova | 08:40 | |
nightmare_unreal | hello what's greynade-py3 error for? my zuul build failed and it shows grenade-py3 FAILURE | 08:41 |
lyarwood | nightmare_unreal: link? | 08:47 |
lyarwood | I see https://review.opendev.org/#/c/548936/ landed, hopefully that didn't break the older jobs | 08:47 |
nightmare_unreal | lyarwood: https://review.opendev.org/#/c/715395/ | 08:48 |
* lyarwood opens https://review.opendev.org/#/c/704364/ | 08:48 | |
openstackgerrit | Lee Yarwood proposed openstack/nova master: zuul: Switch to the Zuulv3 grenade job https://review.opendev.org/704364 | 08:48 |
*** aarents has joined #openstack-nova | 08:49 | |
lyarwood | nightmare_unreal: I'm not, appears a few other runs have hit that as well. It's unrelated to your change so for now feel free to recheck. The above ^ switch to a zuulv3 job might also correct it so feel free to rebase on to that change | 08:53 |
lyarwood | I'm not sure* | 08:53 |
nightmare_unreal | lyarwood: okay thanks :) so I can trigger the build again ? | 08:54 |
lyarwood | nightmare_unreal: yes | 08:54 |
nightmare_unreal | how can I trigger it ? | 08:54 |
*** martinkennelly has quit IRC | 08:56 | |
*** martinkennelly has joined #openstack-nova | 08:56 | |
lyarwood | nightmare_unreal: recheck | 09:03 |
nightmare_unreal | okay | 09:04 |
lyarwood | nightmare_unreal: ^ leave a comment with just that and zuul will rerun the jobs | 09:04 |
nightmare_unreal | thanks :) | 09:04 |
lyarwood | nightmare_unreal: you can watch them here https://zuul.opendev.org/t/openstack/status | 09:04 |
lyarwood | nightmare_unreal: just use the 715395 change id | 09:04 |
*** jraju__ has joined #openstack-nova | 09:05 | |
*** links has quit IRC | 09:05 | |
*** songwenping_ has joined #openstack-nova | 09:07 | |
*** songwenping__ has quit IRC | 09:11 | |
*** sapd1 has quit IRC | 09:16 | |
*** ttsiouts has joined #openstack-nova | 09:24 | |
*** alex_xu has joined #openstack-nova | 09:36 | |
*** tetsuro has quit IRC | 09:37 | |
*** dtantsur|afk is now known as dtantsur | 09:49 | |
gibi | zigo: did you manage to solve the issue with frickler's help? | 09:49 |
zigo | gibi: No ... | 09:51 |
zigo | Scope should not be enforced, but it is. | 09:51 |
zigo | This breaks all sorts of things, including in my puppet stuff. | 09:51 |
zigo | Also: | 09:54 |
zigo | # openstack --os-system-scope all hypervisor list | 09:54 |
zigo | Policy doesn't allow os_compute_api:os-hypervisors:list-detail to be performed. (HTTP 403) (Request-ID: req-981105e1-a7aa-4fa2-9e52-ee7082ae7165) | 09:54 |
zigo | policy.conf has rule:system_reader_api | 09:54 |
zigo | If I switch that to rule:admin_api then it works... | 09:54 |
*** martinkennelly has quit IRC | 09:55 | |
*** martinkennelly has joined #openstack-nova | 09:55 | |
gibi | zigo: does it work with the default policy? (without having anything in the policy file) | 09:55 |
zigo | gibi: As in, "rm /etc/nova/policy.json" ? | 09:55 |
zigo | root@C1-z-controller-1>_ ~ # rm /etc/nova/policy.json | 09:56 |
zigo | root@C1-z-controller-1>_ ~ # openstack hypervisor list | 09:56 |
zigo | The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-ccfb9f31-7cd9-439c-ad02-ae76f7c8c0d5) | 09:56 |
zigo | Not great ... :( | 09:56 |
* gibi trying to get more insight from https://docs.openstack.org/nova/latest/configuration/policy-concepts.html | 09:58 | |
gibi | I don't have any policy.json for nova in devstack | 10:03 |
gibi | do you have a stacktrace for the above HTTP 500? | 10:04 |
*** mkrai has quit IRC | 10:06 | |
*** mkrai_ has joined #openstack-nova | 10:07 | |
*** mkrai_ has quit IRC | 10:10 | |
*** mkrai has joined #openstack-nova | 10:10 | |
*** Liang__ has quit IRC | 10:15 | |
*** sapd1 has joined #openstack-nova | 10:18 | |
gibi | lyarwood: thanks for the stable/stein release proposal, I'm +1, when you have time, could you hit https://review.opendev.org/#/q/topic:create-ussuri+(status:open+OR+status:merged)+project:openstack/nova ? | 10:21 |
*** rpittau is now known as rpittau|bbl | 10:32 | |
*** songwenping__ has joined #openstack-nova | 10:41 | |
*** ociuhandu has quit IRC | 10:42 | |
*** sapd1_y has quit IRC | 10:44 | |
*** ociuhandu has joined #openstack-nova | 10:44 | |
*** songwenping_ has quit IRC | 10:45 | |
*** ttsiouts has quit IRC | 10:49 | |
*** ttsiouts has joined #openstack-nova | 10:54 | |
*** ociuhandu has quit IRC | 11:03 | |
frickler | zigo: your command confuses me, do you have other options set via environment? setting some project option will override system-scope without a warning. make sure that with "token issue" you see a system scoped token, not project or domain | 11:04 |
*** ociuhandu has joined #openstack-nova | 11:04 | |
zigo | Yes I do ! :) | 11:04 |
zigo | Ok, will try. | 11:05 |
zigo | I've restarted a cluster deployment from scratch, to see if Ussuri can be setup fully automatically again with my system, so can't try right now... | 11:05 |
zigo | Later this afternoon. | 11:06 |
*** ociuhandu has quit IRC | 11:23 | |
frickler | zigo: fyi, I don't get your error by default in devstack, but I do get it if I add "[oslo_policy] enforce_scope = True" into nova.conf. in that case, creating a flavor only works with system scope | 11:25 |
*** smcginnis has quit IRC | 11:40 | |
*** smcginnis has joined #openstack-nova | 11:41 | |
*** sapd1 has quit IRC | 11:41 | |
gibi | avolkov: hi! I asked for some clarification in https://bugs.launchpad.net/nova/+bug/1875287 | 11:46 |
openstack | Launchpad bug 1875287 in OpenStack Compute (nova) "VM unshelve failed if verify_glance_signatures enabled" [Undecided,Incomplete] - Assigned to Andrey Volkov (avolkov) | 11:46 |
*** martinkennelly has quit IRC | 11:46 | |
*** martinkennelly has joined #openstack-nova | 11:46 | |
*** martinkennelly has quit IRC | 11:51 | |
*** bbowen_ has quit IRC | 11:53 | |
*** bbowen_ has joined #openstack-nova | 11:53 | |
*** AJaeger has joined #openstack-nova | 11:54 | |
*** ociuhandu has joined #openstack-nova | 11:55 | |
AJaeger | stephenfin: is this what you wanted as babel cleanup: https://review.opendev.org/#/c/723206/2 ? | 11:55 |
*** nweinber has joined #openstack-nova | 11:57 | |
gibi | bauzas: triaged the fresh bugs, nothing noteworthy so far. I'm releasing the (silently) held bug lock for the afternoon | 12:00 |
nightmare_unreal | can someone review this if they grt time : https://review.opendev.org/#/c/715395/ | 12:05 |
nightmare_unreal | thanks | 12:05 |
*** jraju__ has quit IRC | 12:06 | |
*** ociuhandu has quit IRC | 12:06 | |
avolkov | gibi: hi, updated. if possible please leave your opinion what should we do with that | 12:09 |
gibi | avolkov: thanks make more sense now | 12:11 |
stephenfin | AJaeger: Oh, so we don't need the babel.cfg file either? | 12:12 |
*** ociuhandu has joined #openstack-nova | 12:12 | |
gibi | avolkov: do you agree that this bug is not a recent regression, it seems that we have the issue at least since rocky | 12:16 |
gibi | ? | 12:16 |
gibi | avolkov: in the meantime I confirmed the bug as I was able to reproduce it | 12:20 |
*** ociuhandu has quit IRC | 12:24 | |
*** ociuhandu has joined #openstack-nova | 12:24 | |
AJaeger | stephenfin: it's referenced from setup.cfg | 12:31 |
AJaeger | stephenfin: I don't think we need it, I checked locally with it removed | 12:31 |
AJaeger | stephenfin: I answered on the review | 12:33 |
stephenfin | AJaeger: Sweet, thanks | 12:34 |
*** ociuhandu has quit IRC | 12:35 | |
*** ociuhandu has joined #openstack-nova | 12:41 | |
*** links has joined #openstack-nova | 12:45 | |
*** artom has joined #openstack-nova | 12:46 | |
*** sapd1 has joined #openstack-nova | 12:48 | |
*** rpittau|bbl is now known as rpittau | 12:49 | |
*** mkrai has quit IRC | 12:52 | |
*** ociuhandu has quit IRC | 12:53 | |
avolkov | gibi: seems not a regression, I believe it was introduced with that verify_glance_signatures (mitaka?) or maybe with some refactoring further, it's definitely not urgent | 12:54 |
gibi | avolkov: thanks. | 12:54 |
AJaeger | any other nova core for two tiny cleanups, please? https://review.opendev.org/#/c/723206/2 and https://review.opendev.org/#/c/720725/1 ? | 12:55 |
*** lbragstad has joined #openstack-nova | 12:59 | |
brinzhang_ | AJeager:is this necessary? https://review.opendev.org/#/c/723295/ | 13:00 |
*** ociuhandu has joined #openstack-nova | 13:00 | |
brinzhang_ | if not, I will abandon it | 13:00 |
*** martinkennelly has joined #openstack-nova | 13:05 | |
*** sapd1 has quit IRC | 13:06 | |
openstackgerrit | Merged openstack/python-novaclient master: doc: Update Testing document https://review.opendev.org/723078 | 13:08 |
*** eharney has joined #openstack-nova | 13:14 | |
openstackgerrit | Stephen Finucane proposed openstack/nova master: Use compression by default for 'SshDriver' https://review.opendev.org/684393 | 13:18 |
*** udesale_ has joined #openstack-nova | 13:20 | |
*** udesale has quit IRC | 13:23 | |
stephenfin | sean-k-mooney: can you bump your vote on https://review.opendev.org/#/c/716223/ now? | 13:25 |
*** ttsiouts has quit IRC | 13:26 | |
*** ratailor has quit IRC | 13:27 | |
sean-k-mooney | stephenfin: yes i guess so did rc 1 go out on thursday | 13:27 |
stephenfin | sure did | 13:28 |
sean-k-mooney | cool +w | 13:28 |
stephenfin | ta | 13:28 |
*** yankcrime is now known as _nick | 13:30 | |
*** _nick is now known as yankcrime | 13:30 | |
*** psachin has quit IRC | 13:35 | |
gmann | nightmare_unreal: lyarwood yeah there was some window when grenade job merge and one more fix. now it is all green | 13:39 |
nightmare_unreal | yeah I just did recheck :) thanks | 13:40 |
*** tkajinam has joined #openstack-nova | 13:42 | |
gmann | zigo: hi, was that policy overridden ? that mentioned patch fixed the bug of passing the context project_id itself so that it is not allowed for all. | 13:46 |
zigo | gmann: The /etc/nova/policy.json file is the pristine one generated by the package (well, oslopolicy, this means). | 13:47 |
gmann | zigo: ok, can you paste that policy line for flavor manage ? | 13:48 |
AJaeger | brinzhang_: It's not necessary | 13:48 |
zigo | gmann: "os_compute_api:os-flavor-extra-specs:create": "rule:system_admin_api" | 13:49 |
zigo | On top of the file, there is: | 13:50 |
zigo | "system_admin_api": "role:admin and system_scope:all" | 13:50 |
gmann | zigo: ok, and 'system_admin_api' rule ? | 13:50 |
gmann | humm there should be deprecated rule of old RULE_ADMIN_API that is what we have as default | 13:50 |
gmann | but you said you generated the file via oslo policy tool right? it is oslopolicy-sample-generator correct | 13:51 |
zigo | Right ! | 13:52 |
zigo | gmann: That's what I did: | 13:52 |
zigo | https://salsa.debian.org/openstack-team/services/nova/-/blob/debian/ussuri/debian/rules#L64 | 13:52 |
zigo | (later, the postinst of the package takes that file from nova-common and puts it in /etc/nova) | 13:53 |
zigo | Hum... not even ... | 13:53 |
zigo | Directly pacakged into /etc/nova | 13:53 |
zigo | I should do the former, to have the file owned by root:nova / 640 though ... | 13:54 |
gmann | zigo: let me check if that tool adding the default rule or not. | 13:56 |
*** mkrai has joined #openstack-nova | 13:57 | |
*** ttsiouts has joined #openstack-nova | 13:58 | |
zigo | gmann: I've sent the generated policy.json file to our swift cluster if you want to look at it: https://www.swisstransfer.com/d/b80904d3-1f15-4f1f-98f0-7e1db308bb53 | 13:59 |
*** ttsiouts has quit IRC | 14:03 | |
*** mkrai has quit IRC | 14:05 | |
*** mkrai_ has joined #openstack-nova | 14:05 | |
*** ttsiouts has joined #openstack-nova | 14:05 | |
*** irclogbot_2 has joined #openstack-nova | 14:08 | |
*** irclogbot_2 has quit IRC | 14:13 | |
openstackgerrit | Kevin Zhao proposed openstack/nova master: [WIP] CI: add tempest-integrated-compute-aarch64 job https://review.opendev.org/714439 | 14:13 |
gmann | zigo: got it. that tool does not add the deprecated rules in sample file. | 14:14 |
zigo | gmann: And that's the issue ?!? | 14:15 |
gmann | zigo: expectation is you keep only override rule in the policy file and other rule let it rely on defaults | 14:15 |
zigo | Right. | 14:15 |
gmann | zigo: not issue i think. because you are providing the file with rule override with new defaults | 14:15 |
gmann | if you generate the file with that tool you get all the rule commented and you are supposed to un-comment the one you want to override. | 14:16 |
gmann | here what happen, nova get the rule in file and skip the default value with consideration that rule in file is what operator want | 14:17 |
gmann | if you remove the rules from file which you want to reply on defaults then your old token will keep working. | 14:18 |
*** irclogbot_3 has joined #openstack-nova | 14:22 | |
gmann | zigo: also if rule is present in file then oslo skip deprecated rule to add. and I hope you generated file before nova start which initialize the policy | 14:23 |
*** irclogbot_3 has quit IRC | 14:25 | |
*** irclogbot_3 has joined #openstack-nova | 14:26 | |
*** ttsiouts has quit IRC | 14:27 | |
*** irclogbot_3 has quit IRC | 14:29 | |
zigo | gmann: If I remove the policy.json, then I get an error 500: | 14:29 |
zigo | [pid: 1708|app: 0|req: 10/40] 192.168.101.2 () {32 vars in 628 bytes} [Mon Apr 27 14:29:08 2020] GET /v2.1/flavors/detail => generated 128 bytes in 91 msecs (HTTP/1.1 500) 3 headers in 215 bytes | 14:29 |
zigo | Nothing more in the logs ... | 14:29 |
*** irclogbot_1 has joined #openstack-nova | 14:30 | |
zigo | gmann: The file needs to exist, though if it's empty, it looks like working ! :) | 14:32 |
zigo | gmann: Should I keep an empty file then?!? | 14:32 |
zigo | IMO this is still a bug, because operators need to see what's currently in the policy, and can't guess the defaults. | 14:33 |
zigo | I do want to provide such a policy file if possible. | 14:33 |
zigo | gmann: An empty policy.json is safe, right? | 14:33 |
dansmith | if operators currently have to do anything to their policy file during an upgrade, then we have a real problem | 14:34 |
dansmith | zigo: AFAIK, the policy file should be empty to take all the defaults, but I'm surprised it has to be present-but-empty.. not sure if that is new or not | 14:34 |
zigo | dansmith: I expect operators to use /etc/nova/policy.d, and I thought about explicitly shipping such a folder in the Nova Debian package. | 14:34 |
zigo | As much as I can tell, this is a new bug ! :P | 14:35 |
zigo | (would have to check Train though...) | 14:35 |
*** irclogbot_1 has quit IRC | 14:35 | |
dansmith | zigo: and thus have no files in there nor an empty base file right? | 14:35 |
zigo | dansmith: What would happen if a rule is defined in both /etc/nova/policy.json and /etc/nova/policy.d/foo-operator.json ? | 14:36 |
zigo | Will the policy.d have priority? | 14:36 |
dansmith | no idea.. I didn't know we had a policy.d, tbh | 14:36 |
*** irclogbot_0 has joined #openstack-nova | 14:36 | |
zigo | Beause that'd be the most convenient way for everyone. | 14:36 |
zigo | We do need a way to tell operators what they can and cannot write in their config. | 14:37 |
dansmith | but I would expect a distro to install an empty policy.d directory, and not have to write an empty base policy file to avoid a 500 | 14:37 |
*** READ10 has joined #openstack-nova | 14:37 | |
zigo | dansmith: What I'm going to do is to write an empty policy.json (to avoid what I consider a bug), ship the generated policy.json in /usr/share/nova-common as an example, and create the policy.d folder. | 14:38 |
zigo | I still think it's wrong that I can't use the generated policy.json though... | 14:38 |
dansmith | zigo: ack, but if the behavior is changed, we need a bug filed | 14:38 |
zigo | It really is changed. I use to ship the /etc/nova/policy.json on all of my Nova packages, and so far, it wasn't a problem. | 14:39 |
dansmith | zigo: well, we're trying to get people to have overrides and not hard-coded everything, but I understand.. what prevents you from using the generated file? deprecation warnings? | 14:39 |
*** irclogbot_0 has quit IRC | 14:39 | |
zigo | It simply does *not* work. | 14:39 |
gmann | dansmith: zigo file generated from tool is kind of override rule. default only work if rule not in file | 14:39 |
dansmith | zigo: but why is the generated file not working? | 14:40 |
*** irclogbot_2 has joined #openstack-nova | 14:40 | |
gmann | zigo: did that worked for any deprecated rule for you, if you rule in file the if any rule deprecated in fast had same issue itthunk | 14:41 |
*** mlavalle has joined #openstack-nova | 14:41 | |
zigo | root@C1-z-controller-1>_ ~ # openstack flavor create --ram 12288 --disk 10 --vcpus 4 cpu4-ram12-disk10 | 14:41 |
zigo | Policy doesn't allow os_compute_api:os-flavor-manage:create to be performed. (HTTP 403) (Request-ID: req-7f1c4c5b-8df2-4ef7-8a88-8f2cae1899f1) | 14:41 |
zigo | dansmith: ^ | 14:41 |
zigo | That's with the default policy.json file as per https://salsa.debian.org/openstack-team/services/nova/-/blob/debian/ussuri/debian/rules#L64 ... | 14:42 |
dansmith | I don't know why that would be, although I'm not very familiar with policy stuff | 14:42 |
dansmith | if that's the case, however, we've broken upgrade which we have to fix | 14:42 |
gmann | dansmith: generated file from oslo tool does not add the deprecated rule so nova consider those rule as override rule and only new token pass | 14:43 |
dansmith | gmann: same would go for any existing overrides the deployer has then? | 14:43 |
gmann | dansmith: if no file and rely on default then there is no cange | 14:43 |
gmann | change | 14:43 |
gmann | dansmith: if they have override all the rules then yes as they do not rely on default. | 14:43 |
gmann | oslo does not add deprecated rule if they are present in file. | 14:44 |
dansmith | gmann: the we broke upgrade for anyone using a distro's generated file from <=Ussuri right? | 14:44 |
dansmith | I'm not sure what "override all the rules" has to do with this, or why it's different than "override one rule" | 14:45 |
*** irclogbot_2 has quit IRC | 14:45 | |
gmann | dansmith: "distro's generated file" is something i doubt that it is correct way or not. it is same issue they had in all the previous changed policy | 14:45 |
dansmith | gmann: doubt what is correct? | 14:45 |
zigo | dansmith: Correct ! :) | 14:45 |
gmann | dansmith: in case of "override one rule" other rule should not be in file. if they are then oslo cannot add deprecated rule | 14:45 |
dansmith | gmann: I don't understand what you're saying | 14:46 |
zigo | Also, how are operators supposed to double-guess what's currently in place, if I can't, as a package maintainer, generate what's currently in? | 14:46 |
*** irclogbot_1 has joined #openstack-nova | 14:46 | |
dansmith | if they have one override in their file, everything is fine, but if they override all the rules then ...broken? | 14:46 |
zigo | If I understand correctly, the issue is to not show what's deprecated in the policy. Well, can't we simply add an option to the generator, so it also adds the deprecated things? | 14:47 |
gmann | dansmith: if they override one of all rule then rules with changed default will consider only override value not default right | 14:47 |
dansmith | zigo: presumably they look at the /usr/share version and add what they want into their file, but I think ideally we'd want a file fully commented-out where things can be uncommented and changed, but our json format probably doesn't allow that | 14:47 |
*** iurygregory has quit IRC | 14:47 | |
gmann | yeah, that ^^ | 14:47 |
*** iurygregory has joined #openstack-nova | 14:48 | |
zigo | dansmith: As much as I know, there's no way to add comments in a .json file. | 14:48 |
zigo | Indeed. | 14:48 |
dansmith | gmann: but I think zigo is saying that debian has taken the more user-friendly approach of just putting the generated file in place, and letting them alter it in-place | 14:48 |
gmann | hummm | 14:48 |
dansmith | zigo: right, it's frustrating, so I understand why the debian packages are the way they are | 14:48 |
zigo | dansmith: Exactly what I was doing so far ! :) | 14:48 |
dansmith | zigo: I'm sure you're not the only one | 14:48 |
gmann | because oslo tool generate the rule with all commented | 14:49 |
openstackgerrit | Stephen Finucane proposed openstack/nova master: objects: Add MigrationTypeField https://review.opendev.org/706013 | 14:49 |
openstackgerrit | Stephen Finucane proposed openstack/nova master: objects: Remove 'NovaObjectDictCompat' from 'Migration' https://review.opendev.org/723572 | 14:49 |
openstackgerrit | Stephen Finucane proposed openstack/nova master: objects: Remove 'NovaObjectDictCompat' from 'InstancePCIRequest' https://review.opendev.org/723573 | 14:49 |
openstackgerrit | Artom Lifshitz proposed openstack/nova stable/stein: DNM: Add a placement audit command https://review.opendev.org/720839 | 14:49 |
dansmith | I would not be surprised if people generating their own packages or installing from pip do the same for audit reasons | 14:49 |
dansmith | gmann: does it? how do you comment in json? | 14:49 |
beekneemech | It uses YAML. | 14:50 |
*** beekneemech is now known as bnemec | 14:50 | |
zigo | bnemec: As much as I know, there's no way to get services to load .yaml files, is there? | 14:50 |
bnemec | zigo: Yes, YAML works fine. | 14:50 |
zigo | Unless this has changed recently ... | 14:50 |
gmann | ah its yaml generated - https://docs.openstack.org/nova/latest/configuration/sample-policy.html | 14:50 |
dansmith | I've never seen it deployed in yaml file on a real system | 14:50 |
bnemec | I think the default is still JSON though. | 14:50 |
bnemec | IIRC, some service actually overrides that default so they get YAML by default. | 14:51 |
zigo | bnemec: Last time I tried, maybe 2 or 3 releases ago, it didn't work. | 14:51 |
*** irclogbot_1 has quit IRC | 14:51 | |
zigo | Commented yaml would work for me. | 14:51 |
dansmith | zigo: except we can't require people to convert that as part of an upgrade | 14:51 |
bnemec | It's always possible there's a bug. YAML is definitely supposed to work. | 14:51 |
dansmith | bnemec: do any CI jobs use yaml? | 14:52 |
*** irclogbot_0 has joined #openstack-nova | 14:52 | |
gmann | one things we can do is always add deprecated rule from oslopolicy-sample-generator | 14:53 |
dansmith | just checked one I had handy and the only service with a policy file is neutron, and it's json | 14:53 |
dansmith | gmann: but ... people with existing policy files can't be broken by this upgrade | 14:53 |
openstackgerrit | Artom Lifshitz proposed openstack/nova stable/rocky: DNM: Add a placement audit command https://review.opendev.org/720842 | 14:53 |
gmann | but again not all people use this or some other way to generate file like editing the old file | 14:53 |
*** tkajinam has quit IRC | 14:54 | |
gmann | dansmith: true, existing policy should not break, here zigo case is it get generated newly with oslo tool which had new defaults but not deprecated | 14:54 |
dansmith | gmann: I'm still trying to understand if people with a train-generated full policy file are going to be broken | 14:55 |
*** irclogbot_0 has quit IRC | 14:55 | |
dansmith | I've not understood your answers there | 14:55 |
gmann | if it is not re-generated then old policy keep working in both case 1. they have override different rule 2. or reply on default even have rule in fule | 14:55 |
openstackgerrit | Stephen Finucane proposed openstack/nova master: Modify PciDevice.uuid generation code https://review.opendev.org/530487 | 14:55 |
openstackgerrit | Stephen Finucane proposed openstack/nova master: Add an online migration for PciDevice.uuid https://review.opendev.org/530905 | 14:55 |
nightmare_unreal | what can cause nova-live-migration zuul build to fail ?? | 14:55 |
gmann | dansmith: train generated file should keep working as it is. | 14:55 |
*** sapd1 has joined #openstack-nova | 14:56 | |
gmann | what happened here is, policy file is generated freshly which had new 'system rule' but token are not refreshed | 14:56 |
dansmith | gmann: what if someone's deploy script generates the file from the tooling, applies their two or three rule tweaks? then they're broken? | 14:57 |
*** irclogbot_2 has joined #openstack-nova | 14:57 | |
dansmith | I see, the broken part is because the newly generated file will be rules that require scoped tokens or whatever? | 14:57 |
gmann | dansmith: and they have other rule with new value present in file then broken. and that is case that they have override the rule but token not refreshed | 14:57 |
gmann | dansmith: correct | 14:58 |
bnemec | Right. This is why the deprecated rule behavior ORs with the old rule. | 14:58 |
gmann | train policy will still have adimin_rule and keep working | 14:58 |
dansmith | gmann: okay, understand why train configs still work, which is good | 14:58 |
dansmith | gmann: I would expect the generate-then-tweak process is fairly widespread | 14:59 |
*** irclogbot_2 has quit IRC | 14:59 | |
zigo | dansmith: Yes, "then they're broken" ... | 14:59 |
gmann | humm and generate with 'oslopolicy-sample-generator' tool right ? | 14:59 |
zigo | (ie: my case...) | 14:59 |
zigo | Which I think is really wrong. | 14:59 |
openstackgerrit | Stephen Finucane proposed openstack/nova master: objects: Add online migration for legacy NUMA objects https://review.opendev.org/537414 | 15:00 |
gmann | i mean we can explicitly add deprecated rule in that tool logic. but not sure if that solve all the cases | 15:00 |
dansmith | gmann: yes | 15:00 |
AJaeger | any nova core available for two tiny cleanups related to Babel/translations, please? https://review.opendev.org/#/c/723206/2 and https://review.opendev.org/#/c/720725/1 ? | 15:00 |
dansmith | I dunno what to do about this though, since it's really a problem spread across multiple projects, lots of code, and some human assumptions | 15:00 |
*** dklyle has joined #openstack-nova | 15:00 | |
bnemec | We can't always do that though or there's no way for deployers to get the new rule alone. | 15:01 |
zigo | dansmith: I also expect the generated-then-not-touched case is also fairly widespread (my case in my CI) and it is broken as well currently. | 15:01 |
dansmith | zigo: yup | 15:01 |
gmann | as per my expectation, 'generate-then-tweak ' case also need operator review if something auto-re-generated is ok or not | 15:01 |
*** irclogbot_2 has joined #openstack-nova | 15:01 | |
dansmith | gmann: not if they don't know they need to review | 15:01 |
dansmith | gmann: they could have been doing this approach for years with no problem | 15:02 |
gmann | humm | 15:02 |
bnemec | Is this on a fresh install? If so, why isn't everything configured to handle the new policies? | 15:02 |
dansmith | bnemec: no, not necessarily fresh deploy | 15:02 |
zigo | I very much agree that it's the operator's responsibility to refresh the policy.json and re-tweak it carefully on each upgrade. | 15:02 |
gmann | dansmith: they had same problem when policy was deprecated. here we did all policy changed instead of one or two | 15:02 |
dansmith | gmann: you mean when the full policy file was deprecated? | 15:03 |
bnemec | I mean, that deployment method hasn't been recommended since policy in code went in however many years ago. | 15:03 |
*** irclogbot_2 has quit IRC | 15:03 | |
dansmith | AFAIK, plenty of people never migrated to empty policy files | 15:03 |
zigo | bnemec: On a *fresh* install, with the currently default generated policy.json, things a broken. That's the issue I've reported to begin with! :) | 15:03 |
dansmith | bnemec: but not everyone likes that, and distros still generate full policy files, which is why we're here | 15:03 |
gmann | dansmith: for example, single policy was changed in some cycle. | 15:04 |
bnemec | So that's a problem anyway. Ussuri installs should be configured correctly to handle the new policy. | 15:04 |
dansmith | gmann: which is why it's quite likely that people's deployment scripts moved to generate-and-tweak.. like, generate and then sed, sed, sed | 15:04 |
bnemec | Even if we include the deprecated rules in the generated policy, it just pushes the breakage off one release. | 15:04 |
gmann | i mean that was always problem in past also. | 15:04 |
dansmith | bnemec: but it involves a change in user behavior right? | 15:05 |
dansmith | they have to now get scoped tokens? | 15:05 |
bnemec | Once the deprecated rule is dropped in the subsequent release you break then instead of now. | 15:05 |
bnemec | I think that's only true if enforce_scope is true. | 15:05 |
gmann | true, scope token in this case and changed in admin->non-admin etc in past | 15:05 |
dansmith | but that's the whole reason we're here, because zigo is taking all the defaults, and it's broken | 15:05 |
dansmith | bnemec: ^ | 15:06 |
gmann | 'taking all the defaults' not default but only new default without deprecated things. | 15:06 |
gmann | 'default' still mean 'new + old' | 15:06 |
dansmith | gmann: sorry I don't understand those two comments | 15:07 |
zigo | Bug filled: https://bugs.launchpad.net/nova/+bug/1875418 | 15:07 |
openstack | Launchpad bug 1875418 in OpenStack Compute (nova) "Generated policy.json in Ussuri is broken by default" [Undecided,New] | 15:07 |
stephenfin | zigo: why can't we just stop including a generated policy file in the package? | 15:07 |
dansmith | he can, he said that | 15:07 |
zigo | stephenfin: How are operators supposed to double-guess what they can use? | 15:07 |
gmann | dansmith: i mean current defaults are "new default + old deprecated defaults" and file generated was half bald with 'new defaults' only | 15:07 |
zigo | stephenfin: That's actually exactly what I'll be doing: provide an empty policy.json. But that's really not user friendly. | 15:08 |
stephenfin | zigo: You have a openstack-nova-doc package, yeah? It's documented in there | 15:08 |
zigo | stephenfin: I'd very much prefer having a policy.json that reflects what's currently enforced in Nova. | 15:08 |
gmann | i might be wrong but re-generating the policy file is something you are intentionally changing so adopt all change instead of half | 15:08 |
dansmith | stephenfin: he's saying that's a sucky user experience, and he's right despite how clean it seems to us | 15:08 |
*** irclogbot_3 has joined #openstack-nova | 15:09 | |
*** links has quit IRC | 15:09 | |
dansmith | gmann: before this, generating the file and tweaking the rules you want ended up with all things at the same generation. If you tweaked a rule that we removed, then sure it's broken, but now people will be introducing old "syntax" to a generated file of new "syntax", and also not realize that as soon as they generate the file, they need scoped tokens right? | 15:10 |
gmann | and this is always a problem from starting if deployer rely on re-generated file which does not include the deprecated-but-supported rule | 15:10 |
zigo | stephenfin: Just did that and uploaded the package: https://salsa.debian.org/openstack-team/services/nova/-/commit/48bc8889ae8a787104b76e95c3e1dfc5893d146b | 15:10 |
zigo | Though really, that's really not user friendly to do that. | 15:11 |
gmann | dansmith: right. | 15:11 |
*** irclogbot_3 has quit IRC | 15:11 | |
dansmith | gmann: so another question.. if I don't take the generated file, continue to run with the deprecated defaults, but need to tweak something.. how do I see the generated old defaults file? is there a flag to the tool? or do I have to look at train docs? | 15:11 |
gmann | but how to fix all those script to generate file, we can do something on oslopolicy-sample-generator | 15:11 |
stephenfin | zigo: Forgive me but is that not the normal way config files work? They're used for overrides, not defaults | 15:12 |
dansmith | stephenfin: but they're usually fully commented-out so you can see all the options in place while you're overriding | 15:12 |
zigo | stephenfin: If I'm listening to you, then my Nova package should ship an empty /etc/nova/nova.conf? Are you serious ?!? | 15:12 |
zigo | :) | 15:13 |
*** irclogbot_0 has joined #openstack-nova | 15:13 | |
gmann | dansmith: train doc, or nova policy reference file. | 15:13 |
dansmith | gmann: that sucks | 15:13 |
gmann | yeah, tool is not adding them | 15:13 |
zigo | I think I'll give another try with the yaml thing, see if that works, and if I can ship a fully commented out one. | 15:13 |
zigo | That's still not nice, because it'd be supposed to work if all comments get removed ... If you know what I mean. | 15:14 |
dansmith | zigo: do you treat policy like config or what? what if they've modified their policy file? | 15:14 |
stephenfin | zigo: Not empty, but IMO we shouldn't be including values with defaults ¯\_(ツ)_/¯ | 15:14 |
zigo | Just same as in for nova.conf, where commented out stuff are supposed to be the default. | 15:14 |
stephenfin | I mean, that's how other config files works | 15:14 |
dansmith | stephenfin: that's the developer-focused "look at how clean this is" approach, but it sucks for admins | 15:14 |
stephenfin | znc.conf jumps to mind, since I was hacking on over the weekend | 15:14 |
stephenfin | ditto for sssd.conf | 15:15 |
stephenfin | or krb5.conf | 15:15 |
zigo | dansmith: For most packages, I don't have them as CONFFILES (these files, marked by dpkg as "prompt user if there's a change on upgrade...). | 15:15 |
* stephenfin had a dull weekend | 15:15 | |
*** irclogbot_0 has quit IRC | 15:15 | |
gmann | stephenfin: if oslopolicy-sample-generator add complete default (new + deprecated) then config case is same otherwise it is issue | 15:15 |
stephenfin | dansmith: yeah, maybe. I just figured everyone was doing 'man [app].conf' | 15:15 |
zigo | So policy.json files live in /usr/share/FOO-common/policy.json and are copied to /etc/FOO only if /etc/FOO doesn't have a policy.json file. | 15:15 |
bnemec | I'm still confused why this would be failing on scope. enforce_scope is false by default. | 15:16 |
zigo | This way, no prompt on upgrade, and the old version is kept. | 15:16 |
zigo | Except I didn't do that for Nova, I don't know why ... | 15:16 |
zigo | So in the Nova case, /etc/nova/policy.json *IS* a CONFFILE. | 15:16 |
gmann | bnemec: we have 'system:all' string in check_str for new defaults of system scope role | 15:16 |
dansmith | gmann: so it sounds like we need a big warning reno about this at the very least | 15:16 |
zigo | (and then dpkg will prompt on upgrade if there's some diff) | 15:16 |
dansmith | gmann: we probably also should switch to yaml by default, and make sure our CI jobs are using them that way | 15:17 |
*** irclogbot_3 has joined #openstack-nova | 15:17 | |
gmann | bnemec: https://github.com/openstack/nova/blob/347d656c35fdf0c309039a7c1f352f82c6950868/nova/policies/base.py#L104 | 15:17 |
stephenfin | bnemec: I suspect the oslo-generate-policy command is using the scoped policies, but nova is still defaulting to non-scoped (to avoid breaking upgrades, funnily enough) | 15:17 |
dansmith | the yaml is better in every respect, except for compatibility | 15:17 |
gmann | https://github.com/openstack/nova/blob/347d656c35fdf0c309039a7c1f352f82c6950868/nova/policies/base.py#L36 | 15:17 |
stephenfin | yaml++ | 15:17 |
bnemec | gmann: Why? Isn't the scope check built-in to the policy enough? | 15:17 |
zigo | stephenfin: Looks like you're right yeah. | 15:17 |
gibi | dansmith: I need to read back after my current call | 15:18 |
gmann | bnemec: when enforce_scope is true then yes otherwise we need to differentiate the system vs project - https://github.com/openstack/nova/blob/347d656c35fdf0c309039a7c1f352f82c6950868/nova/policies/base.py#L36 | 15:18 |
zigo | stephenfin: How would we make oslo-generate-policy to use non-scoped policies then? | 15:18 |
dansmith | gibi: definitely needs your review | 15:18 |
bnemec | That seems like it's completely defeating the purpose of enforce_scope. | 15:18 |
stephenfin | zigo: not sure you want to do that | 15:18 |
stephenfin | you'd be generated deprecated configuration | 15:19 |
stephenfin | *generating | 15:19 |
dansmith | stephenfin: the deprecated form is supposed to be the default we assume if no policy file | 15:19 |
*** irclogbot_3 has quit IRC | 15:19 | |
zigo | stephenfin: If nova.conf defaults to non-scoped, but policy.json to scoped, then we do have a problem. | 15:19 |
zigo | Choose your side comrade ! :) | 15:19 |
gmann | zigo: yeah, agree. | 15:20 |
stephenfin | dansmith: Yes, because we care about upgrades. New deployments would ideally be overriding nova's defaults though | 15:20 |
stephenfin | zigo: I assume there's no way to distinguish between new installs and upgrades? | 15:20 |
dansmith | stephenfin: he generates those for upgrades too he just said | 15:20 |
zigo | stephenfin: There is, if you're talking about packaging. | 15:20 |
stephenfin | I am | 15:21 |
dansmith | stephenfin: and, unless we default the enforce_scope on, and detail the differences between scoped tokens for users of new deployments, it's not that cut and dried | 15:21 |
*** irclogbot_0 has joined #openstack-nova | 15:21 | |
zigo | That's an argument given to the .postinst script of the package. | 15:21 |
stephenfin | dansmith: it sounds like we can do that for a new installation (default enforce_scope to on) | 15:22 |
zigo | It's defined here: https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#summary-of-ways-maintainer-scripts-are-called | 15:22 |
dansmith | stephenfin: we don't now though, AFAIK | 15:22 |
stephenfin | we wouldn't do it - the package would | 15:22 |
stephenfin | it would override the nova default | 15:23 |
zigo | I'd very much you give operators at least one more cycle to enforce this. | 15:23 |
*** irclogbot_0 has quit IRC | 15:23 | |
zigo | Then just set enforce_scope to True by default in Victoria ... | 15:23 |
stephenfin | zigo: I'd like to know if the following combination is possible/makes sense | 15:23 |
dansmith | stephenfin: not sure how you could coordinate that across every deployment tool | 15:23 |
stephenfin | new installation: enforce_scope = True (override), use Ussuri policy.json | 15:24 |
stephenfin | upgrade: enforce_scope = False (nova default), use Train policy.json | 15:24 |
stephenfin | ? | 15:24 |
stephenfin | dansmith: we do that kind of stuff in TripleO, albeit higher than the package level | 15:25 |
*** irclogbot_3 has joined #openstack-nova | 15:25 | |
dansmith | stephenfin: right but everyone needs to do that.. tripleo, kolla, debian, ubuntu, rdo, $mycustomthing | 15:25 |
*** jamesdenton has joined #openstack-nova | 15:25 | |
*** brinzhang_ has quit IRC | 15:25 | |
*** brinzhang_ has joined #openstack-nova | 15:26 | |
zigo | stephenfin: This is going to be horrible to manage with puppet-nova... | 15:27 |
stephenfin | I didn't think we generated policy.json for RDO/OSP, and I assume Ubuntu will take whatever Debian does. I can't argue with $mycustomthing though, no | 15:27 |
zigo | stephenfin: You assume wrong ! :) | 15:27 |
zigo | Ubuntu do their own crap ... | 15:27 |
*** irclogbot_3 has quit IRC | 15:27 | |
stephenfin | \o/ | 15:27 |
gmann | I was checking to remove 'system:all' from new default but that leads to over-permission issue | 15:27 |
zigo | I tried for years to fight this, it never worked, because of marketting reasons. | 15:27 |
*** brinzhang_ has quit IRC | 15:28 | |
zigo | And there's all sorts of issues because of this. :) | 15:28 |
*** mkrai_ has quit IRC | 15:28 | |
*** brinzhang_ has joined #openstack-nova | 15:28 | |
*** irclogbot_3 has joined #openstack-nova | 15:28 | |
zigo | Like, people trying to use whatever horizon plugin that I was packaging but they didn't, and it broke on Ubuntu, but they don't care because "it's not in main" ... | 15:28 |
zigo | The usual thing with Ubuntu... :) | 15:29 |
gmann | i thought policy-in-code was the time when we asked (or should) deployer to not to re-generate the complete policy file instead keep override rule only | 15:29 |
stephenfin | gmann: Yeah, I think that's the big disconnect here | 15:29 |
stephenfin | so doing different things for new installation/upgrade probably isn't an option | 15:30 |
stephenfin | an empty JSON is bad for users | 15:30 |
stephenfin | that leaves us with including a commented-out YAML, and modifying oslo-policy-generator to include deprecated rules, right? | 15:31 |
gmann | lbragstad: did you faced this issue for keystone also? newly generated file with new default only and old token broken as deprecated rule is disappeared | 15:31 |
stephenfin | fwiw, I really, really want to avoid the latter option :) | 15:31 |
*** irclogbot_3 has quit IRC | 15:31 | |
gmann | stephenfin: true. | 15:31 |
gmann | later is kind of argument that people rely on 'no deprecated rule' in generated file to end up over permission and leak API | 15:32 |
zigo | stephenfin: This leaves us with "generate policy.json and nova.conf that are maching and working together by default" indeed ! | 15:33 |
gmann | so we may fix one upgrade but break other | 15:33 |
zigo | If I had such an option as "oslopolicy-sample-generator --use-scoped" and/or "--dont-use-scoped" then I would generate the config file twice, as a favor to Debian users, so they could see both ... | 15:35 |
openstackgerrit | Merged openstack/python-novaclient master: Remove future imports https://review.opendev.org/723153 | 15:35 |
zigo | It's probably too late in this cycle to do that, though. | 15:35 |
lbragstad | gmann isn't that the intended behavior you want? | 15:36 |
gmann | lbragstad: yeah, that is intended as per me :) but problem is for upgrade used to re-generated the fresh file and still think default works is broken | 15:38 |
*** irclogbot_2 has joined #openstack-nova | 15:38 | |
*** _mlavalle_1 has joined #openstack-nova | 15:38 | |
gmann | zigo: we can do but still user need to change their script to add new option to that tool '--dont-use-scoped' or other. | 15:38 |
dansmith | gmann: lbragstad: to avoid me having to google.. what is the different thing that users have to do to get a scoped token? | 15:38 |
lbragstad | the request to keystone to get a token changes a bit, but users can invoke that with clients by setting a different property in their cloud config | 15:39 |
dansmith | okay so their openrc or clouds.yaml (or whatever) has to change | 15:40 |
lbragstad | yes | 15:40 |
*** mlavalle has quit IRC | 15:40 | |
dansmith | and are those two things getting generated as scoped by default nowadays? | 15:40 |
dansmith | or can you not ask for scoped until something else changes? | 15:41 |
lbragstad | i guess it depends on what generates those files | 15:41 |
lbragstad | you're asking if openrc or clouds.yaml is generated with project-scope by default? | 15:41 |
* gibi is reading back | 15:43 | |
dansmith | lbragstad: yeah, like.. has everyone since stein (as an example) been getting scoped tokens and not knowing it? | 15:43 |
dansmith | just trying to figure out how impactful the move to requiring them will be | 15:44 |
lbragstad | dansmith yeah - to do anything useful, most people will need a scoped token of some form | 15:44 |
lbragstad | historically, that scope has always been project | 15:45 |
lbragstad | or - project-scope has been the standard for getting anything done, like booting a server | 15:45 |
dansmith | I'm confused | 15:46 |
dansmith | lbragstad: I thought that when we move to this new scoped policy that users need to be getting scoped tokens that they likely haven't been getting in the past? | 15:46 |
dansmith | which is why zigo's token immediately stopped working and launched us into this discussion | 15:46 |
lbragstad | dansmith sorry - let me back up | 15:46 |
lbragstad | keystone has supported scoped tokens for a long time - uses have always been able to get a scoped token | 15:47 |
lbragstad | in the past, that token has always been scoped to a project | 15:47 |
dansmith | sure, I get that | 15:47 |
lbragstad | the new system is using a different scope target | 15:47 |
lbragstad | and some APIs are going to require that new target, instead of a project-scoped tokne | 15:47 |
lbragstad | which is why zigo's old token (which i'm assuming is project-scoped) stopped workin | 15:48 |
lbragstad | working* | 15:48 |
*** raildo has joined #openstack-nova | 15:48 | |
zigo | If we require everyone to change something in their openrc, it *will* break a lot of user who wont understand. | 15:48 |
zigo | Maybe that's needed, I don't even understand what this scope thingy is for, but just warning everyone here. | 15:48 |
zigo | At least, if we're moving to that direction, then we must have some kind of correct error message output in the clients. | 15:48 |
gmann | but 'system' scope is not default user has to explicit request that | 15:48 |
dansmith | I'm trying to figure out if realistically everyone is going to need to change their openrc, or only people who got their openrc from horizon before some release, or ... | 15:49 |
dansmith | I know openrc can come from various places, but trying to figure out the "scope" of the impact | 15:49 |
dansmith | does devstack generate scope-having openrcs? | 15:49 |
lbragstad | yes | 15:49 |
zigo | lbragstad: What does it look like? | 15:50 |
zigo | export OS_SCOPE= ? | 15:50 |
lbragstad | it does it with clouds.yaml, actually | 15:50 |
lbragstad | https://opendev.org/openstack/devstack/src/branch/master/tools/update_clouds_yaml.py#L56 | 15:50 |
lbragstad | export OS_SYSTEM_SCOPE=all | 15:51 |
lbragstad | that's going to tell keystone to give you a system-scoped token instead of a project-scoped token | 15:51 |
zigo | lbragstad: So, that's to be added to the admin openrc ? | 15:51 |
dansmith | but most users want a project scoped token right? | 15:52 |
lbragstad | to get back to your impact question - changes to openrc are primarly admin related | 15:52 |
lbragstad | dansmith yes | 15:52 |
dansmith | lbragstad: ah, okay so admins need to tweak their openrc bug regular users will not? | 15:52 |
lbragstad | people who aren't accessing system-level APIs shouldn't need to set this new value and get system-scoped tokens | 15:52 |
gmann | true. otherwise it might be over permission issue for rule changed from admin->system-reader etc | 15:52 |
lbragstad | yes - for the most part | 15:53 |
dansmith | okay that wasn't clear to me before, so that's good news | 15:53 |
dansmith | zigo: I guess you were using an admin user? | 15:53 |
zigo | dansmith: not only myself, but puppet-openstack too, yeah ! | 15:54 |
openstackgerrit | Merged openstack/nova stable/ussuri: Update .gitreview for stable/ussuri https://review.opendev.org/722518 | 15:54 |
openstackgerrit | Merged openstack/nova stable/ussuri: Update TOX_CONSTRAINTS_FILE for stable/ussuri https://review.opendev.org/722520 | 15:54 |
zigo | dansmith: What first started breaking was puppet-octavia that couldn't create the Octavia flavor. | 15:54 |
dansmith | okay | 15:54 |
zigo | Then I tried as the admin user, and didn't understand what was going on... | 15:54 |
lbragstad | fwiw - we describe the concept and motivation behind all the scopes here - https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes | 15:55 |
zigo | lbragstad: Thanks, I'll read it all. | 15:55 |
dansmith | lbragstad: yeah I read that and I get it, | 15:56 |
dansmith | I thought there would still be a change to the user mechanics though | 15:56 |
dansmith | but likely because most of our discussions focus on our usage, which is generally admin | 15:56 |
*** ociuhandu has quit IRC | 15:56 | |
lbragstad | dansmith unfortunately, because policy is completely configuration based, there could be deployments where this gets messy because the deployer wanted to let end users list hypervisors (or something weird like that) | 15:57 |
dansmith | yeah, so those users will need to learn something different now right? | 15:58 |
dansmith | does that mean they've lost (or will lose) the ability to list hypervisors and their instances with a single token? | 15:58 |
lbragstad | possibly - but it depends on how the deployer setup their custom policy | 15:58 |
dansmith | because I can imagine that sucking for scripts | 15:59 |
lbragstad | yeah - i completely agree | 15:59 |
gmann | yeah if both policy are override for same permission then they keep working | 15:59 |
gmann | if mix like one override and one was relying on default, now re-generated file will mesh up the single token | 16:00 |
*** ociuhandu has joined #openstack-nova | 16:00 | |
lbragstad | zigo i typically put system users behind a different cloud profile, so i set system_scope: all in my clouds.yaml under a different name | 16:02 |
*** tesseract has quit IRC | 16:02 | |
lbragstad | then i use --os-cloud system-admin or --os-cloud project-user (or whatever) | 16:02 |
lbragstad | ymmv - but if found that useful in the past when managing different scopes | 16:03 |
lbragstad | i found* | 16:03 |
dansmith | problem is, kinda, that we're enforcing our view on what is system-level information now in a way that they can't override | 16:03 |
dansmith | for single-tenant clouds, that just introduces unnecessary overhead for a distinction they don't care about | 16:04 |
*** rpittau is now known as rpittau|afk | 16:07 | |
gmann | when we enable scope by default at some point they anyways have to change their tokens. | 16:08 |
lbragstad | dansmith yeah - that's true | 16:09 |
dansmith | what I mean is, the scope-based system introduces complexity | 16:09 |
gmann | for single-tenant clouds, it might be weird | 16:09 |
zigo | GOT MY FIRST INSTANCE ON USSURI UP AND RUNNING !!! \o/ | 16:12 |
* gibi finished reading bag | 16:13 | |
gibi | back | 16:13 |
gmann | anyways 're-generate fresh policy file' case for me is 'they want the new default-only always' and if old things stop working that need audit carefully from release notes or warnings. | 16:13 |
lbragstad | they'll need to be aware of the context they're operating on | 16:13 |
* zigo is going to make an announcement about general availability of Ussuri for Debian ! :P | 16:13 | |
gibi | gmann, dansmith: do I understand correctly that we need at least a release notes update to document what zigo has found? What else we need to / can do in Ussuri? | 16:14 |
gmann | like uncap 'hacking' version in our requirement file which mean 'we will adopt the new changes always and if broken we fix our code' | 16:14 |
sean-k-mooney | gmann: well hacking is used by multiple project but not all projects will want to use the same checks | 16:15 |
sean-k-mooney | nova and neuton have completely different approchs to self.assert* methods | 16:16 |
gmann | sean-k-mooney: true, that is why many projects cap it | 16:16 |
sean-k-mooney | neutron blocked the use of any not in py27 and nova used mock the lib | 16:16 |
*** iurygregory has quit IRC | 16:17 | |
gmann | gibi: dansmith lbragstad in addition to release note for nova ussuri, should we have a clear doc from oslo/keystone or somewhere generic on 'how to generate and use policy file and how deployer can be broken for xyz cases'. i mean a single recommended way instead of supporting all possible way deployment doing ? | 16:18 |
*** jangutter has quit IRC | 16:18 | |
sean-k-mooney | gmann: well that would be in oslo.policy correct | 16:19 |
*** jangutter has joined #openstack-nova | 16:19 | |
sean-k-mooney | or rather should be | 16:19 |
sean-k-mooney | e.g. discribing how the lib should be used by developers | 16:19 |
gmann | I am not sure, we have. but lbragstad or bnemec can point to if there is any. | 16:20 |
*** ociuhandu has quit IRC | 16:20 | |
*** ociuhandu has joined #openstack-nova | 16:21 | |
gmann | i meant explicitly saying, 'this way of re-genrating policy file or having not-override rule in policy file etc etc can break you if you do not carefully audit on upgrades' | 16:21 |
*** elod has quit IRC | 16:22 | |
*** elod has joined #openstack-nova | 16:23 | |
*** gibi_ has joined #openstack-nova | 16:24 | |
* gibi_ lost network connectivity | 16:24 | |
*** jangutter has quit IRC | 16:25 | |
*** udesale_ has quit IRC | 16:26 | |
*** artom has quit IRC | 16:26 | |
*** raildo has quit IRC | 16:26 | |
*** vesper11 has quit IRC | 16:26 | |
*** haleyb has quit IRC | 16:26 | |
*** tobiash has quit IRC | 16:26 | |
*** hoonetorg has quit IRC | 16:26 | |
*** iokiwi has quit IRC | 16:26 | |
*** tobias-urdin has quit IRC | 16:26 | |
*** noonedeadpunk has quit IRC | 16:26 | |
*** gibi has quit IRC | 16:26 | |
*** rmk has quit IRC | 16:26 | |
*** tonyb has quit IRC | 16:26 | |
*** averi has quit IRC | 16:26 | |
*** yankcrime has quit IRC | 16:26 | |
*** AJaeger has quit IRC | 16:26 | |
*** jangutter has joined #openstack-nova | 16:26 | |
openstackgerrit | Takashi Natsume proposed openstack/nova master: Fix list rendering in the accelerator support doc https://review.opendev.org/721846 | 16:27 |
lbragstad | gmann we have this | 16:28 |
lbragstad | https://bugs.launchpad.net/oslo.policy/+bug/1853170 | 16:28 |
openstack | Launchpad bug 1853170 in oslo.policy "Need documentation on recommended operator workflow for deprecated policies" [High,Triaged] | 16:28 |
openstackgerrit | Takashi Natsume proposed openstack/nova master: Update contributor guide for Victoria https://review.opendev.org/722647 | 16:28 |
*** irclogbot_2 has quit IRC | 16:28 | |
*** vesper11 has joined #openstack-nova | 16:29 | |
*** irclogbot_1 has joined #openstack-nova | 16:30 | |
lbragstad | gmann i don't think there is anything in review for that, yes | 16:30 |
lbragstad | yet* | 16:30 |
*** KeithMnemonic has joined #openstack-nova | 16:30 | |
*** hoonetorg has joined #openstack-nova | 16:31 | |
*** raildo has joined #openstack-nova | 16:31 | |
*** udesale_ has joined #openstack-nova | 16:31 | |
*** artom has joined #openstack-nova | 16:31 | |
gmann | lbragstad: i see, thanks | 16:32 |
*** gibi has joined #openstack-nova | 16:32 | |
stephenfin | melwitt: confident enough to bump your +1 to +2 now? https://review.opendev.org/#/c/720725/ | 16:32 |
*** AJaeger has joined #openstack-nova | 16:32 | |
*** haleyb has joined #openstack-nova | 16:32 | |
*** tobiash has joined #openstack-nova | 16:32 | |
*** tobias-urdin has joined #openstack-nova | 16:32 | |
*** iokiwi has joined #openstack-nova | 16:32 | |
*** noonedeadpunk has joined #openstack-nova | 16:32 | |
*** averi has joined #openstack-nova | 16:32 | |
*** rmk has joined #openstack-nova | 16:32 | |
*** tonyb has joined #openstack-nova | 16:32 | |
*** yankcrime has joined #openstack-nova | 16:32 | |
*** evrardjp has quit IRC | 16:35 | |
*** gibi_ has quit IRC | 16:35 | |
gibi | gmann: I have to stop for today. If you start writing a reno update for the policy thing then please link it to me and I will read it first thing in the morning | 16:35 |
gmann | gibi: ok, I will update the upgrade section for now to mention the re-generated policy file case. and later we can work on some generic doc (bug/1853170). | 16:37 |
gibi | gmann: ack, thanks | 16:37 |
*** ChanServ has quit IRC | 16:42 | |
*** ChanServ has joined #openstack-nova | 16:45 | |
*** tepper.freenode.net sets mode: +o ChanServ | 16:45 | |
*** evrardjp has joined #openstack-nova | 16:46 | |
*** sapd1_x has joined #openstack-nova | 16:47 | |
*** udesale_ has quit IRC | 16:50 | |
*** derekh has quit IRC | 17:03 | |
*** ociuhandu has quit IRC | 17:06 | |
*** ociuhandu has joined #openstack-nova | 17:06 | |
*** _mlavalle_1 has quit IRC | 17:09 | |
*** mlavalle has joined #openstack-nova | 17:11 | |
*** ociuhandu has quit IRC | 17:12 | |
*** dtantsur is now known as dtantsur|afk | 17:18 | |
*** jangutter has quit IRC | 17:20 | |
*** gibi has quit IRC | 17:20 | |
*** bbowen_ has quit IRC | 17:22 | |
*** haleyb has quit IRC | 17:26 | |
*** tobiash has quit IRC | 17:26 | |
*** iokiwi has quit IRC | 17:26 | |
*** tobias-urdin has quit IRC | 17:26 | |
*** noonedeadpunk has quit IRC | 17:26 | |
*** rmk has quit IRC | 17:26 | |
*** tonyb has quit IRC | 17:26 | |
*** averi has quit IRC | 17:26 | |
*** yankcrime has quit IRC | 17:26 | |
*** AJaeger has quit IRC | 17:26 | |
*** artom has quit IRC | 17:26 | |
*** raildo has quit IRC | 17:26 | |
*** jangutter has joined #openstack-nova | 17:26 | |
*** AJaeger has joined #openstack-nova | 17:29 | |
*** haleyb has joined #openstack-nova | 17:29 | |
*** tobiash has joined #openstack-nova | 17:29 | |
*** tobias-urdin has joined #openstack-nova | 17:29 | |
*** iokiwi has joined #openstack-nova | 17:29 | |
*** noonedeadpunk has joined #openstack-nova | 17:29 | |
*** averi has joined #openstack-nova | 17:29 | |
*** rmk has joined #openstack-nova | 17:29 | |
*** tonyb has joined #openstack-nova | 17:29 | |
*** yankcrime has joined #openstack-nova | 17:29 | |
*** raildo has joined #openstack-nova | 17:29 | |
*** artom has joined #openstack-nova | 17:29 | |
*** nightmare_unreal has quit IRC | 17:32 | |
*** vishalmanchanda has quit IRC | 17:34 | |
*** ChanServ has quit IRC | 17:39 | |
*** ChanServ has joined #openstack-nova | 17:42 | |
*** tepper.freenode.net sets mode: +o ChanServ | 17:42 | |
*** tbachman has quit IRC | 17:42 | |
*** ociuhandu has joined #openstack-nova | 17:42 | |
sean-k-mooney | stephenfin: can you take a look at https://review.opendev.org/#/c/722407/ | 17:43 |
sean-k-mooney | stephenfin: it needt to merge before your change can merge | 17:44 |
*** jangutter has quit IRC | 17:46 | |
*** jangutter has joined #openstack-nova | 17:47 | |
*** jangutter has quit IRC | 17:47 | |
*** jangutter has joined #openstack-nova | 17:48 | |
AJaeger | any nova core available for two tiny cleanups related to Babel/translations, please? https://review.opendev.org/#/c/723206/2 and https://review.opendev.org/#/c/720725/1 ? | 17:48 |
*** tbachman has joined #openstack-nova | 17:51 | |
*** READ10 is now known as READ10|away | 17:57 | |
*** factor has quit IRC | 17:58 | |
openstackgerrit | Merged openstack/python-novaclient master: Use unittest.mock instead of third party mock https://review.opendev.org/723152 | 18:01 |
*** hoonetorg has quit IRC | 18:02 | |
*** factor has joined #openstack-nova | 18:04 | |
*** jangutter has quit IRC | 18:18 | |
openstackgerrit | Merged openstack/nova master: Add placeholder migrations for Ussuri backports https://review.opendev.org/722546 | 18:19 |
*** ociuhandu has quit IRC | 18:20 | |
*** ociuhandu has joined #openstack-nova | 18:20 | |
*** jangutter has joined #openstack-nova | 18:29 | |
*** iurygregory has joined #openstack-nova | 18:34 | |
*** READ10|away is now known as READ10 | 18:45 | |
*** xek_ has joined #openstack-nova | 18:46 | |
*** dpawlik has quit IRC | 18:47 | |
*** xek has quit IRC | 18:49 | |
openstackgerrit | Ghanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes https://review.opendev.org/723645 | 18:51 |
openstackgerrit | Ghanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes https://review.opendev.org/723645 | 18:51 |
*** JamesBenson has joined #openstack-nova | 18:53 | |
*** ttsiouts has joined #openstack-nova | 18:59 | |
*** ociuhandu has quit IRC | 19:03 | |
*** ociuhandu has joined #openstack-nova | 19:06 | |
*** ttsiouts has quit IRC | 19:13 | |
*** ttsiouts has joined #openstack-nova | 19:13 | |
*** ociuhandu has quit IRC | 19:20 | |
*** READ10 has quit IRC | 19:24 | |
*** bbowen has joined #openstack-nova | 19:24 | |
*** ociuhandu has joined #openstack-nova | 19:27 | |
*** ttsiouts has quit IRC | 19:44 | |
*** ttsiouts has joined #openstack-nova | 19:45 | |
*** jangutter_ has joined #openstack-nova | 19:54 | |
*** dklyle has quit IRC | 19:56 | |
*** jangutter has quit IRC | 19:57 | |
openstackgerrit | Merged openstack/nova master: Fix list rendering in the accelerator support doc https://review.opendev.org/721846 | 19:59 |
*** dklyle has joined #openstack-nova | 20:00 | |
*** brinzhang_ has quit IRC | 20:14 | |
*** brinzhang_ has joined #openstack-nova | 20:14 | |
*** songwenping_ has joined #openstack-nova | 20:14 | |
*** ttsiouts has quit IRC | 20:15 | |
*** songwenping__ has quit IRC | 20:17 | |
*** jangutter_ has quit IRC | 20:18 | |
*** xek_ has quit IRC | 20:21 | |
*** nweinber has quit IRC | 20:26 | |
*** jangutter has joined #openstack-nova | 20:27 | |
*** gibi has joined #openstack-nova | 20:36 | |
*** ccamacho has quit IRC | 20:38 | |
openstackgerrit | Ghanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes https://review.opendev.org/723645 | 20:47 |
gmann | dansmith: gibi stephenfin please check, i have added this upgrade notes for clarification on policy file things - https://review.opendev.org/#/c/723645/ | 20:50 |
*** ociuhandu has quit IRC | 20:57 | |
*** ociuhandu has joined #openstack-nova | 20:58 | |
*** damien_r has quit IRC | 21:00 | |
*** igordc has joined #openstack-nova | 21:07 | |
*** brinzhang has joined #openstack-nova | 21:08 | |
melwitt | gmann: do we have people ready to review https://review.opendev.org/722551 ? wondering if I should wait on reviewing the nova change | 21:09 |
gmann | melwitt: i pinged few tempest core,may be we can get +A from masayukig once he wake up. | 21:10 |
*** ociuhandu has quit IRC | 21:11 | |
melwitt | ok | 21:11 |
*** brinzhang_ has quit IRC | 21:11 | |
openstackgerrit | Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of assertRequestMatchesUsage() https://review.opendev.org/723694 | 21:12 |
openstackgerrit | Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of _check_allocation_during_evacuate() https://review.opendev.org/723695 | 21:12 |
openstackgerrit | Artom Lifshitz proposed openstack/nova stable/queens: DNM: Add nova-manage placement heal_allocations CLI https://review.opendev.org/723696 | 21:12 |
openstackgerrit | Artom Lifshitz proposed openstack/nova stable/queens: DNM: Don't heal allocations for deleted servers https://review.opendev.org/723697 | 21:12 |
openstackgerrit | Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of FakeResponse https://review.opendev.org/723698 | 21:12 |
openstackgerrit | Artom Lifshitz proposed openstack/nova stable/queens: DNM: Heal allocations with incomplete consumer information https://review.opendev.org/723699 | 21:12 |
gmann | melwitt: or let's wait for these patches first to have ussuri branch setup properly - https://review.opendev.org/#/q/topic:qa-ussuri-release+status:open | 21:14 |
*** rcernin has joined #openstack-nova | 21:14 | |
melwitt | gmann: ah k | 21:14 |
*** ociuhandu has joined #openstack-nova | 21:19 | |
*** maciejjozefczyk has quit IRC | 21:28 | |
*** ociuhandu has quit IRC | 21:29 | |
*** martinkennelly has quit IRC | 21:33 | |
*** martinkennelly has joined #openstack-nova | 21:38 | |
*** ociuhandu has joined #openstack-nova | 21:39 | |
*** ttsiouts has joined #openstack-nova | 21:42 | |
*** martinkennelly has quit IRC | 21:46 | |
*** slaweq has quit IRC | 21:49 | |
*** ociuhandu has quit IRC | 21:49 | |
*** ttsiouts has quit IRC | 21:51 | |
*** slaweq has joined #openstack-nova | 21:52 | |
*** raildo has quit IRC | 21:56 | |
*** slaweq has quit IRC | 22:03 | |
*** ociuhandu has joined #openstack-nova | 22:18 | |
*** jangutter has quit IRC | 22:18 | |
*** gibi has quit IRC | 22:21 | |
*** gibi has joined #openstack-nova | 22:22 | |
*** jangutter has joined #openstack-nova | 22:27 | |
*** ociuhandu has quit IRC | 22:29 | |
*** yaawang has joined #openstack-nova | 22:32 | |
*** yaawang_ has quit IRC | 22:33 | |
openstackgerrit | Ghanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes https://review.opendev.org/723645 | 22:48 |
*** tkajinam has joined #openstack-nova | 22:49 | |
*** tkajinam has quit IRC | 22:49 | |
*** tkajinam has joined #openstack-nova | 22:50 | |
*** abaindur has joined #openstack-nova | 22:54 | |
*** lbragstad has quit IRC | 22:56 | |
*** tosky has quit IRC | 23:02 | |
*** jangutter_ has joined #openstack-nova | 23:12 | |
*** jangutter has quit IRC | 23:13 | |
*** igordc has quit IRC | 23:14 | |
openstackgerrit | Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of report client changes https://review.opendev.org/723750 | 23:14 |
openstackgerrit | Artom Lifshitz proposed openstack/nova stable/queens: DNM: Add a placement audit command https://review.opendev.org/723751 | 23:14 |
*** avolkov has quit IRC | 23:22 | |
*** bbowen has quit IRC | 23:32 | |
*** bbowen has joined #openstack-nova | 23:32 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!