Monday, 2020-04-27

00:07 *** ociuhandu has quit IRC
00:09 *** tosky has quit IRC
00:13 *** ociuhandu has joined #openstack-nova
00:14 openstackgerrit: Ghanshyam Mann proposed openstack/nova master: zuul: Switch to the Zuulv3 grenade job https://review.opendev.org/704364
00:18 *** ociuhandu has quit IRC
00:41 *** hongbin has quit IRC
00:43 *** hongbin has joined #openstack-nova
00:46 openstackgerrit: Kevin Zhao proposed openstack/nova master: [WIP] CI: add tempest-integrated-compute-aarch64 job https://review.opendev.org/714439
01:21 *** zhanglong has joined #openstack-nova
01:22 *** Liang__ has joined #openstack-nova
01:28 openstackgerrit: Brin Zhang proposed openstack/python-novaclient stable/train: Update master for stable/train https://review.opendev.org/723290
01:43 *** tetsuro has quit IRC
01:47 *** songwenping_ has joined #openstack-nova
01:50 *** songwenping__ has quit IRC
01:53 *** tetsuro has joined #openstack-nova
02:03 openstackgerrit: Brin Zhang proposed openstack/nova stable/train: Update master for stable/train https://review.opendev.org/723295
02:03 *** tbachman has quit IRC
02:06 *** tbachman has joined #openstack-nova
02:23 *** hongbin has quit IRC
02:31 *** zhanglong has quit IRC
02:33 *** zhanglong has joined #openstack-nova
02:39 *** zhanglong has quit IRC
02:40 *** ociuhandu has joined #openstack-nova
02:44 openstackgerrit: xuyuanhao proposed openstack/nova master: failed to loads pyc file's classes https://review.opendev.org/723301
02:50 *** ociuhandu has quit IRC
02:51 *** threestrands has joined #openstack-nova
02:55 *** ociuhandu has joined #openstack-nova
03:00 *** ociuhandu has quit IRC
03:08 *** tetsuro has quit IRC
03:10 *** sapd1 has joined #openstack-nova
03:19 *** mkrai has joined #openstack-nova
03:26 *** songwenping__ has joined #openstack-nova
03:28 *** songwenping_ has quit IRC
03:31 *** psachin has joined #openstack-nova
03:33 *** ociuhandu has joined #openstack-nova
03:34 *** factor has joined #openstack-nova
03:38 *** tetsuro has joined #openstack-nova
03:38 *** ociuhandu has quit IRC
03:40 openstackgerrit: Arthur Dayne proposed openstack/os-resource-classes master: Add new resource class: PSSD, VSSD https://review.opendev.org/723303
03:59 *** stephenfin has quit IRC
04:09 *** stephenfin has joined #openstack-nova
04:12 *** tbachman has quit IRC
04:12 *** avolkov has joined #openstack-nova
04:13 *** tbachman has joined #openstack-nova
04:21 *** songwenping_ has joined #openstack-nova
04:23 *** ircuser-1 has quit IRC
04:24 *** ratailor has joined #openstack-nova
04:24 *** songwenping__ has quit IRC
04:27 *** ociuhandu has joined #openstack-nova
04:34 *** ociuhandu has quit IRC
04:35 *** evrardjp has quit IRC
04:35 *** evrardjp has joined #openstack-nova
04:46 openstackgerrit: Arthur Dayne proposed openstack/os-resource-classes master: Add new resource class: SSD https://review.opendev.org/723303
04:59 *** mkrai has quit IRC
04:59 *** mkrai_ has joined #openstack-nova
05:13 *** yaawang_ has quit IRC
05:14 *** yaawang_ has joined #openstack-nova
05:18 *** vishalmanchanda has joined #openstack-nova
05:20 openstackgerrit: Kevin Zhao proposed openstack/nova master: [WIP] CI: add tempest-integrated-compute-aarch64 job https://review.opendev.org/714439
05:29 *** udesale has joined #openstack-nova
05:30 *** links has joined #openstack-nova
05:38 *** songwenping__ has joined #openstack-nova
05:38 *** damien_r has joined #openstack-nova
05:41 *** songwenping_ has quit IRC
05:43 *** damien_r has quit IRC
05:53 openstackgerrit: Arthur Dayne proposed openstack/os-resource-classes master: Add new resource class: SSD https://review.opendev.org/723303
05:56 *** dpawlik has joined #openstack-nova
06:02 *** ociuhandu has joined #openstack-nova
06:06 *** ociuhandu has quit IRC
06:12 *** songwenping_ has joined #openstack-nova
06:15 bauzas: gibi: I'm taking a half-day PTO this morning, see you this afternoon
06:16 *** songwenping__ has quit IRC
06:16 *** CeeMac has joined #openstack-nova
06:46 openstackgerrit: Andrey Volkov proposed openstack/nova master: [WIP] Image auto signature https://review.opendev.org/723320
06:54 *** lennyb has quit IRC
06:55 *** damien_r has joined #openstack-nova
06:55 *** ociuhandu has joined #openstack-nova
06:58 *** damien_r has quit IRC
06:58 *** damien_r has joined #openstack-nova
07:02 *** nightmare_unreal has joined #openstack-nova
07:03 *** xek_ has quit IRC
07:05 gibi: bauzas: good morning. ACK.
07:07 *** slaweq has joined #openstack-nova
07:08 *** songwenping__ has joined #openstack-nova
07:09 *** iurygregory has quit IRC
07:10 *** songwenping_ has quit IRC
07:10 *** iurygregory has joined #openstack-nova
07:11 *** mkrai_ has quit IRC
07:13 *** ociuhandu has quit IRC
07:13 *** ociuhandu has joined #openstack-nova
07:14 *** tesseract has joined #openstack-nova
07:21 *** maciejjozefczyk has joined #openstack-nova
07:22 *** rpittau|afk is now known as rpittau
07:26 *** tosky has joined #openstack-nova
07:26 *** ociuhandu has quit IRC
07:29 *** ociuhandu has joined #openstack-nova
07:33 zigo: With ussuri, I'm getting:
07:33 zigo: root@C1-z-controller-1>_ ~ # openstack flavor create --format shell octavia_65 --private --id 65 --ram 2048 --disk 4 --vcpus 1
07:33 zigo: Policy doesn't allow os_compute_api:os-flavor-manage:create to be performed. (HTTP 403) (Request-ID: req-30fe38ae-deb9-451f-9234-58edd691696b)
07:33 zigo: Is there something wrong with the scope enforcement? It's by default to False as it should be ...
07:36 zigo: When I set rule:admin_api instead, then it works. So something's wrong in oslo.policy or what?
07:38 gibi: zigo: there was a wide change in the policy handling in Ussuri but the new behavior should be off by default
07:38 zigo: Which is what I'm saying, it shouldn't be enforced by default, but it looks like it is!
07:39 *** mkrai_ has joined #openstack-nova
07:39 *** links has quit IRC
07:40 *** links has joined #openstack-nova
07:43 *** ccamacho has joined #openstack-nova
07:45 gibi: zigo: did you use an admin token in the failed case?
07:45 zigo: I'm doing this as an admin user indeed.
07:46 * gibi tries to recreate the problem in devstack
07:49 *** yaawang_ has quit IRC
07:49 gibi: I have default policy config and it works for me http://paste.openstack.org/show/792738/
07:50 *** yaawang_ has joined #openstack-nova
07:51 * gibi going to restack its devstack to be exactly RC1
07:52 zigo: gibi: You can try with the Debian packages, maybe ? :)
07:52 zigo: For Buster:
07:52 zigo: deb http://buster-ussuri.debian.net/debian buster-ussuri-backports main
07:52 zigo: deb http://buster-ussuri.debian.net/debian buster-ussuri-backports-nochange main
07:52 zigo: Or if you are more adventurous, just from Experimental! :P
07:54 *** yaawang_ has quit IRC
07:55 *** yaawang_ has joined #openstack-nova
07:56 gibi: zigo: I have to jump on a call for a while, gmann, johnthetubaguy, stephenfin if you can help zigo in the meantime that would be appreciated
07:57 gibi: zigo: I would check oslo.policy version as there was a late change there as well
07:57 gibi: zigo: and you can try to rollback https://review.opendev.org/#/c/714822 maybe, but I'm not sure
07:58 zigo: # dpkg-query -W python3-oslo.policy
07:58 zigo: python3-oslo.policy     3.1.0-1~bpo10+1
07:59 zigo: So that's latest release ...
07:59 gibi: yepp, that is the last one
08:02 *** yaawang_ has quit IRC
08:03 *** yaawang_ has joined #openstack-nova
08:09 zigo: Reverting that patch doesn't fix the problem.
08:09 gibi: zigo: ack, then I'm out of ideas at the moment
08:10 gibi: and sitting on a call so will be slow responding
08:10 *** xek has joined #openstack-nova
08:13 *** rcernin has quit IRC
08:15 *** songwenping_ has joined #openstack-nova
08:18 *** songwenping__ has quit IRC
08:20 *** threestrands has quit IRC
08:20 zigo: I can switch the packaging from rule:system_admin_api to rule:admin_api in the default policy.conf, but obviously, something is wrong that needs to be fixed.
08:21 zigo: Or is there a way to give the system_scope:all to my admin user?
08:21 *** songwenping__ has joined #openstack-nova
08:23 *** tkajinam has quit IRC
08:24 frickler: zigo: you can call for system scoped tokens in the openstack client command
08:24 *** mkrai_ has quit IRC
08:24 *** songwenping_ has quit IRC
08:25 zigo: frickler: How?
08:25 *** mkrai has joined #openstack-nova
08:27 frickler: zigo: in devstack there is a "devstack-system-admin" section in /etc/openstack/config.yaml, let me try to do that manually
08:29 frickler: openstack --os-auth-url https://192.168.42.13/identity --os-username admin --os-system-scope all --os-user-domain-name default token issue
08:31 *** logan_ has joined #openstack-nova
08:31 *** aarents has quit IRC
08:32 *** logan- has quit IRC
08:32 *** Hazelesque has quit IRC
08:33 *** Hazelesque has joined #openstack-nova
08:35 *** logan_ is now known as logan-
08:38 *** derekh has joined #openstack-nova
08:40 *** martinkennelly has joined #openstack-nova
08:41 nightmare_unreal: hello what's grenade-py3 error for? my zuul build failed and it shows grenade-py3 FAILURE
08:47 lyarwood: nightmare_unreal: link?
08:47 lyarwood: I see https://review.opendev.org/#/c/548936/ landed, hopefully that didn't break the older jobs
08:48 nightmare_unreal: lyarwood: https://review.opendev.org/#/c/715395/
08:48 * lyarwood opens https://review.opendev.org/#/c/704364/
08:48 openstackgerrit: Lee Yarwood proposed openstack/nova master: zuul: Switch to the Zuulv3 grenade job https://review.opendev.org/704364
08:49 *** aarents has joined #openstack-nova
08:53 lyarwood: nightmare_unreal: I'm not, appears a few other runs have hit that as well. It's unrelated to your change so for now feel free to recheck. The above ^ switch to a zuulv3 job might also correct it so feel free to rebase on to that change
08:53 lyarwood: I'm not sure*
08:54 nightmare_unreal: lyarwood: okay thanks :) so I can trigger the build again ?
08:54 lyarwood: nightmare_unreal: yes
08:54 nightmare_unreal: how can I trigger it ?
08:56 *** martinkennelly has quit IRC
08:56 *** martinkennelly has joined #openstack-nova
09:03 lyarwood: nightmare_unreal: recheck
09:04 nightmare_unreal: okay
09:04 lyarwood: nightmare_unreal: ^ leave a comment with just that and zuul will rerun the jobs
09:04 nightmare_unreal: thanks :)
09:04 lyarwood: nightmare_unreal: you can watch them here https://zuul.opendev.org/t/openstack/status
09:04 lyarwood: nightmare_unreal: just use the 715395 change id
09:05 *** jraju__ has joined #openstack-nova
09:05 *** links has quit IRC
09:07 *** songwenping_ has joined #openstack-nova
09:11 *** songwenping__ has quit IRC
09:16 *** sapd1 has quit IRC
09:24 *** ttsiouts has joined #openstack-nova
09:36 *** alex_xu has joined #openstack-nova
09:37 *** tetsuro has quit IRC
09:49 *** dtantsur|afk is now known as dtantsur
09:49 gibi: zigo: did you manage to solve the issue with frickler's help?
09:51 zigo: gibi: No ...
09:51 zigo: Scope should not be enforced, but it is.
09:51 zigo: This breaks all sorts of things, including in my puppet stuff.
09:54 zigo: Also:
09:54 zigo: # openstack --os-system-scope all hypervisor list
09:54 zigo: Policy doesn't allow os_compute_api:os-hypervisors:list-detail to be performed. (HTTP 403) (Request-ID: req-981105e1-a7aa-4fa2-9e52-ee7082ae7165)
09:54 zigo: policy.conf has rule:system_reader_api
09:54 zigo: If I switch that to rule:admin_api then it works...
09:55 *** martinkennelly has quit IRC
09:55 *** martinkennelly has joined #openstack-nova
09:55 gibi: zigo: does it work with the default policy? (without having anything in the policy file)
09:55 zigo: gibi: As in, "rm /etc/nova/policy.json" ?
09:56 zigo: root@C1-z-controller-1>_ ~ # rm /etc/nova/policy.json
09:56 zigo: root@C1-z-controller-1>_ ~ # openstack hypervisor list
09:56 zigo: The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-ccfb9f31-7cd9-439c-ad02-ae76f7c8c0d5)
09:56 zigo: Not great ... :(
09:58 * gibi trying to get more insight from https://docs.openstack.org/nova/latest/configuration/policy-concepts.html
10:03 gibi: I don't have any policy.json for nova in devstack
10:04 gibi: do you have a stacktrace for the above HTTP 500?
10:06 *** mkrai has quit IRC
10:07 *** mkrai_ has joined #openstack-nova
10:10 *** mkrai_ has quit IRC
10:10 *** mkrai has joined #openstack-nova
10:15 *** Liang__ has quit IRC
10:18 *** sapd1 has joined #openstack-nova
10:21 gibi: lyarwood: thanks for the stable/stein release proposal, I'm +1, when you have time, could you hit https://review.opendev.org/#/q/topic:create-ussuri+(status:open+OR+status:merged)+project:openstack/nova ?
10:32 *** rpittau is now known as rpittau|bbl
10:41 *** songwenping__ has joined #openstack-nova
10:42 *** ociuhandu has quit IRC
10:44 *** sapd1_y has quit IRC
10:44 *** ociuhandu has joined #openstack-nova
10:45 *** songwenping_ has quit IRC
10:49 *** ttsiouts has quit IRC
10:54 *** ttsiouts has joined #openstack-nova
11:03 *** ociuhandu has quit IRC
11:04 frickler: zigo: your command confuses me, do you have other options set via environment? setting some project option will override system-scope without a warning. make sure that with "token issue" you see a system scoped token, not project or domain
11:04 *** ociuhandu has joined #openstack-nova
11:04 zigo: Yes I do ! :)
11:05 zigo: Ok, will try.
11:05 zigo: I've restarted a cluster deployment from scratch, to see if Ussuri can be setup fully automatically again with my system, so can't try right now...
11:06 zigo: Later this afternoon.
11:23 *** ociuhandu has quit IRC
11:25 frickler: zigo: fyi, I don't get your error by default in devstack, but I do get it if I add "[oslo_policy] enforce_scope = True" into nova.conf. in that case, creating a flavor only works with system scope
11:40 *** smcginnis has quit IRC
11:41 *** smcginnis has joined #openstack-nova
11:41 *** sapd1 has quit IRC
11:46 gibi: avolkov: hi! I asked for some clarification in https://bugs.launchpad.net/nova/+bug/1875287
11:46 openstack: Launchpad bug 1875287 in OpenStack Compute (nova) "VM unshelve failed if verify_glance_signatures enabled" [Undecided,Incomplete] - Assigned to Andrey Volkov (avolkov)
11:46 *** martinkennelly has quit IRC
11:46 *** martinkennelly has joined #openstack-nova
11:51 *** martinkennelly has quit IRC
11:53 *** bbowen_ has quit IRC
11:53 *** bbowen_ has joined #openstack-nova
11:54 *** AJaeger has joined #openstack-nova
11:55 *** ociuhandu has joined #openstack-nova
11:55 AJaeger: stephenfin: is this what you wanted as babel cleanup: https://review.opendev.org/#/c/723206/2 ?
11:57 *** nweinber has joined #openstack-nova
12:00 gibi: bauzas: triaged the fresh bugs, nothing noteworthy so far. I'm releasing the (silently) held bug lock for the afternoon
12:05 nightmare_unreal: can someone review this if they get time : https://review.opendev.org/#/c/715395/
12:05 nightmare_unreal: thanks
12:06 *** jraju__ has quit IRC
12:06 *** ociuhandu has quit IRC
12:09 avolkov: gibi: hi, updated. if possible please leave your opinion what should we do with that
12:11 gibi: avolkov: thanks, makes more sense now
12:12 stephenfin: AJaeger: Oh, so we don't need the babel.cfg file either?
12:12 *** ociuhandu has joined #openstack-nova
12:16 gibi: avolkov: do you agree that this bug is not a recent regression, it seems that we have the issue at least since rocky
12:16 gibi: ?
12:20 gibi: avolkov: in the meantime I confirmed the bug as I was able to reproduce it
12:24 *** ociuhandu has quit IRC
12:24 *** ociuhandu has joined #openstack-nova
12:31 AJaeger: stephenfin: it's referenced from setup.cfg
12:31 AJaeger: stephenfin: I don't think we need it, I checked locally with it removed
12:33 AJaeger: stephenfin: I answered on the review
12:34 stephenfin: AJaeger: Sweet, thanks
12:35 *** ociuhandu has quit IRC
12:41 *** ociuhandu has joined #openstack-nova
12:45 *** links has joined #openstack-nova
12:46 *** artom has joined #openstack-nova
12:48 *** sapd1 has joined #openstack-nova
12:49 *** rpittau|bbl is now known as rpittau
12:52 *** mkrai has quit IRC
12:53 *** ociuhandu has quit IRC
12:54 avolkov: gibi: seems not a regression, I believe it was introduced with that verify_glance_signatures (mitaka?) or maybe with some refactoring further, it's definitely not urgent
12:54 gibi: avolkov: thanks.
12:55 AJaeger: any other nova core for two tiny cleanups, please? https://review.opendev.org/#/c/723206/2 and https://review.opendev.org/#/c/720725/1 ?
12:59 *** lbragstad has joined #openstack-nova
13:00 brinzhang_: AJaeger: is this necessary? https://review.opendev.org/#/c/723295/
13:00 *** ociuhandu has joined #openstack-nova
13:00 brinzhang_: if not, I will abandon it
13:05 *** martinkennelly has joined #openstack-nova
13:06 *** sapd1 has quit IRC
13:08 openstackgerrit: Merged openstack/python-novaclient master: doc: Update Testing document https://review.opendev.org/723078
13:14 *** eharney has joined #openstack-nova
13:18 openstackgerrit: Stephen Finucane proposed openstack/nova master: Use compression by default for 'SshDriver' https://review.opendev.org/684393
13:20 *** udesale_ has joined #openstack-nova
13:23 *** udesale has quit IRC
13:25 stephenfin: sean-k-mooney: can you bump your vote on https://review.opendev.org/#/c/716223/ now?
13:26 *** ttsiouts has quit IRC
13:27 *** ratailor has quit IRC
13:27 sean-k-mooney: stephenfin: yes i guess so did rc 1 go out on thursday
13:28 stephenfin: sure did
13:28 sean-k-mooney: cool +w
13:28 stephenfin: ta
13:30 *** yankcrime is now known as _nick
13:30 *** _nick is now known as yankcrime
13:35 *** psachin has quit IRC
13:39 gmann: nightmare_unreal: lyarwood yeah there was some window when grenade job merge and one more fix. now it is all green
13:40 nightmare_unreal: yeah I just did recheck :) thanks
13:42 *** tkajinam has joined #openstack-nova
13:46 gmann: zigo: hi, was that policy overridden ? that mentioned patch fixed the bug of passing the context project_id itself so that it is not allowed for all.
13:47 zigo: gmann: The /etc/nova/policy.json file is the pristine one generated by the package (well, oslopolicy, this means).
13:48 gmann: zigo: ok, can you paste that policy line for flavor manage ?
13:48 AJaeger: brinzhang_: It's not necessary
13:49 zigo: gmann: "os_compute_api:os-flavor-extra-specs:create": "rule:system_admin_api"
13:50 zigo: On top of the file, there is:
13:50 zigo: "system_admin_api": "role:admin and system_scope:all"
13:50 gmann: zigo: ok, and 'system_admin_api' rule ?
13:50 gmann: humm there should be deprecated rule of old RULE_ADMIN_API that is what we have as default
13:51 gmann: but you said you generated the file via oslo policy tool right? it is oslopolicy-sample-generator correct
13:52 zigo: Right !
13:52 zigo: gmann: That's what I did:
13:52 zigo: https://salsa.debian.org/openstack-team/services/nova/-/blob/debian/ussuri/debian/rules#L64
13:53 zigo: (later, the postinst of the package takes that file from nova-common and puts it in /etc/nova)
13:53 zigo: Hum... not even ...
13:53 zigo: Directly packaged into /etc/nova
13:54 zigo: I should do the former, to have the file owned by root:nova / 640 though ...
13:56 gmann: zigo: let me check if that tool adding the default rule or not.
13:57 *** mkrai has joined #openstack-nova
13:58 *** ttsiouts has joined #openstack-nova
13:59 zigo: gmann: I've sent the generated policy.json file to our swift cluster if you want to look at it: https://www.swisstransfer.com/d/b80904d3-1f15-4f1f-98f0-7e1db308bb53
14:03 *** ttsiouts has quit IRC
14:05 *** mkrai has quit IRC
14:05 *** mkrai_ has joined #openstack-nova
14:05 *** ttsiouts has joined #openstack-nova
14:08 *** irclogbot_2 has joined #openstack-nova
14:13 *** irclogbot_2 has quit IRC
14:13 openstackgerrit: Kevin Zhao proposed openstack/nova master: [WIP] CI: add tempest-integrated-compute-aarch64 job https://review.opendev.org/714439
14:14 gmann: zigo: got it. that tool does not add the deprecated rules in sample file.
14:15 zigo: gmann: And that's the issue ?!?
14:15 gmann: zigo: expectation is you keep only override rule in the policy file and other rule let it rely on defaults
14:15 zigo: Right.
14:15 gmann: zigo: not issue i think. because you are providing the file with rule override with new defaults
14:16 gmann: if you generate the file with that tool you get all the rule commented and you are supposed to un-comment the one you want to override.
14:17 gmann: here what happen, nova get the rule in file and skip the default value with consideration that rule in file is what operator want
14:18 gmann: if you remove the rules from file which you want to rely on defaults then your old token will keep working.
14:22 *** irclogbot_3 has joined #openstack-nova
14:23 gmann: zigo: also if rule is present in file then oslo skip deprecated rule to add. and I hope you generated file before nova start which initialize the policy
14:25 *** irclogbot_3 has quit IRC
14:26 *** irclogbot_3 has joined #openstack-nova
14:27 *** ttsiouts has quit IRC
14:29 *** irclogbot_3 has quit IRC
14:29 zigo: gmann: If I remove the policy.json, then I get an error 500:
14:29 zigo: [pid: 1708|app: 0|req: 10/40] 192.168.101.2 () {32 vars in 628 bytes} [Mon Apr 27 14:29:08 2020] GET /v2.1/flavors/detail => generated 128 bytes in 91 msecs (HTTP/1.1 500) 3 headers in 215 bytes
14:29 zigo: Nothing more in the logs ...
14:30 *** irclogbot_1 has joined #openstack-nova
14:32 zigo: gmann: The file needs to exist, though if it's empty, it looks like working ! :)
14:32 zigo: gmann: Should I keep an empty file then?!?
14:33 zigo: IMO this is still a bug, because operators need to see what's currently in the policy, and can't guess the defaults.
14:33 zigo: I do want to provide such a policy file if possible.
14:33 zigo: gmann: An empty policy.json is safe, right?
14:34 dansmith: if operators currently have to do anything to their policy file during an upgrade, then we have a real problem
14:34 dansmith: zigo: AFAIK, the policy file should be empty to take all the defaults, but I'm surprised it has to be present-but-empty.. not sure if that is new or not
14:34 zigo: dansmith: I expect operators to use /etc/nova/policy.d, and I thought about explicitly shipping such a folder in the Nova Debian package.
14:35 zigo: As much as I can tell, this is a new bug ! :P
14:35 zigo: (would have to check Train though...)
14:35 *** irclogbot_1 has quit IRC
14:35 dansmith: zigo: and thus have no files in there nor an empty base file right?
14:36 zigo: dansmith: What would happen if a rule is defined in both /etc/nova/policy.json and /etc/nova/policy.d/foo-operator.json ?
14:36 zigo: Will the policy.d have priority?
14:36 dansmith: no idea.. I didn't know we had a policy.d, tbh
14:36 *** irclogbot_0 has joined #openstack-nova
14:36 zigo: Because that'd be the most convenient way for everyone.
14:37 zigo: We do need a way to tell operators what they can and cannot write in their config.
14:37 dansmith: but I would expect a distro to install an empty policy.d directory, and not have to write an empty base policy file to avoid a 500
14:37 *** READ10 has joined #openstack-nova
14:38 zigo: dansmith: What I'm going to do is to write an empty policy.json (to avoid what I consider a bug), ship the generated policy.json in /usr/share/nova-common as an example, and create the policy.d folder.
14:38 zigo: I still think it's wrong that I can't use the generated policy.json though...
14:38 dansmith: zigo: ack, but if the behavior is changed, we need a bug filed
14:39 zigo: It really is changed. I used to ship the /etc/nova/policy.json on all of my Nova packages, and so far, it wasn't a problem.
14:39 dansmith: zigo: well, we're trying to get people to have overrides and not hard-coded everything, but I understand.. what prevents you from using the generated file? deprecation warnings?
14:39 *** irclogbot_0 has quit IRC
14:39 zigo: It simply does *not* work.
14:39 gmann: dansmith: zigo file generated from tool is kind of override rule. default only work if rule not in file
14:40 dansmith: zigo: but why is the generated file not working?
14:40 *** irclogbot_2 has joined #openstack-nova
14:41 gmann: zigo: did that work for any deprecated rule for you, if you rule in file the if any rule deprecated in past had same issue I think
14:41 *** mlavalle has joined #openstack-nova
14:41 zigo: root@C1-z-controller-1>_ ~ # openstack flavor create --ram 12288 --disk 10 --vcpus 4 cpu4-ram12-disk10
14:41 zigo: Policy doesn't allow os_compute_api:os-flavor-manage:create to be performed. (HTTP 403) (Request-ID: req-7f1c4c5b-8df2-4ef7-8a88-8f2cae1899f1)
14:41 zigo: dansmith: ^
14:42 zigo: That's with the default policy.json file as per https://salsa.debian.org/openstack-team/services/nova/-/blob/debian/ussuri/debian/rules#L64 ...
14:42 dansmith: I don't know why that would be, although I'm not very familiar with policy stuff
14:42 dansmith: if that's the case, however, we've broken upgrade which we have to fix
14:43 gmann: dansmith: generated file from oslo tool does not add the deprecated rule so nova consider those rule as override rule and only new token pass
14:43 dansmith: gmann: same would go for any existing overrides the deployer has then?
14:43 gmann: dansmith: if no file and rely on default then there is no cange
14:43 gmann: change
14:43 gmann: dansmith: if they have override all the rules then yes as they do not rely on default.
14:44 gmann: oslo does not add deprecated rule if they are present in file.
14:44 dansmith: gmann: then we broke upgrade for anyone using a distro's generated file from <=Ussuri right?
14:45 dansmith: I'm not sure what "override all the rules" has to do with this, or why it's different than "override one rule"
14:45 *** irclogbot_2 has quit IRC
14:45 gmann: dansmith: "distro's generated file" is something i doubt that it is correct way or not. it is same issue they had in all the previous changed policy
14:45 dansmith: gmann: doubt what is correct?
14:45 zigo: dansmith: Correct ! :)
14:45 gmann: dansmith: in case of "override one rule" other rule should not be in file. if they are then oslo cannot add deprecated rule
14:46 dansmith: gmann: I don't understand what you're saying
14:46 zigo: Also, how are operators supposed to double-guess what's currently in place, if I can't, as a package maintainer, generate what's currently in?
14:46 *** irclogbot_1 has joined #openstack-nova
14:46 dansmith: if they have one override in their file, everything is fine, but if they override all the rules then ...broken?
14:47 zigo: If I understand correctly, the issue is to not show what's deprecated in the policy. Well, can't we simply add an option to the generator, so it also adds the deprecated things?
14:47 gmann: dansmith: if they override one of all rule then rules with changed default will consider only override value not default right
14:47 dansmith: zigo: presumably they look at the /usr/share version and add what they want into their file, but I think ideally we'd want a file fully commented-out where things can be uncommented and changed, but our json format probably doesn't allow that
14:47 *** iurygregory has quit IRC
14:47 gmann: yeah, that ^^
14:48 *** iurygregory has joined #openstack-nova
14:48 zigo: dansmith: As much as I know, there's no way to add comments in a .json file.
14:48 zigo: Indeed.
14:48 dansmith: gmann: but I think zigo is saying that debian has taken the more user-friendly approach of just putting the generated file in place, and letting them alter it in-place
14:48 gmann: hummm
14:48 dansmith: zigo: right, it's frustrating, so I understand why the debian packages are the way they are
14:48 zigo: dansmith: Exactly what I was doing so far ! :)
14:48 dansmith: zigo: I'm sure you're not the only one
14:49 gmann: because oslo tool generate the rule with all commented
14:49 openstackgerrit: Stephen Finucane proposed openstack/nova master: objects: Add MigrationTypeField https://review.opendev.org/706013
14:49 openstackgerrit: Stephen Finucane proposed openstack/nova master: objects: Remove 'NovaObjectDictCompat' from 'Migration' https://review.opendev.org/723572
14:49 openstackgerrit: Stephen Finucane proposed openstack/nova master: objects: Remove 'NovaObjectDictCompat' from 'InstancePCIRequest' https://review.opendev.org/723573
14:49 openstackgerrit: Artom Lifshitz proposed openstack/nova stable/stein: DNM: Add a placement audit command https://review.opendev.org/720839
14:49 dansmith: I would not be surprised if people generating their own packages or installing from pip do the same for audit reasons
14:49 dansmith: gmann: does it? how do you comment in json?
14:50 beekneemech: It uses YAML.
14:50 *** beekneemech is now known as bnemec
14:50 zigo: bnemec: As much as I know, there's no way to get services to load .yaml files, is there?
14:50 bnemec: zigo: Yes, YAML works fine.
14:50 zigo: Unless this has changed recently ...
14:50 gmann: ah its yaml generated - https://docs.openstack.org/nova/latest/configuration/sample-policy.html
14:50 dansmith: I've never seen it deployed in yaml file on a real system
14:50 bnemec: I think the default is still JSON though.
14:51 bnemec: IIRC, some service actually overrides that default so they get YAML by default.
14:51 zigo: bnemec: Last time I tried, maybe 2 or 3 releases ago, it didn't work.
14:51 *** irclogbot_1 has quit IRC
14:51 zigo: Commented yaml would work for me.
14:51 dansmith: zigo: except we can't require people to convert that as part of an upgrade
14:51 bnemec: It's always possible there's a bug. YAML is definitely supposed to work.
14:52 dansmith: bnemec: do any CI jobs use yaml?
14:52 *** irclogbot_0 has joined #openstack-nova
14:53 gmann: one things we can do is always add deprecated rule from oslopolicy-sample-generator
14:53 dansmith: just checked one I had handy and the only service with a policy file is neutron, and it's json
14:53 dansmith: gmann: but ... people with existing policy files can't be broken by this upgrade
14:53 openstackgerrit: Artom Lifshitz proposed openstack/nova stable/rocky: DNM: Add a placement audit command https://review.opendev.org/720842
14:53 gmann: but again not all people use this or some other way to generate file like editing the old file
14:54 *** tkajinam has quit IRC
14:54 gmann: dansmith: true, existing policy should not break, here zigo case is it get generated newly with oslo tool which had new defaults but not deprecated
14:55 dansmith: gmann: I'm still trying to understand if people with a train-generated full policy file are going to be broken
14:55 *** irclogbot_0 has quit IRC
14:55 dansmith: I've not understood your answers there
14:55 gmann: if it is not re-generated then old policy keep working in both case 1. they have override different rule 2. or rely on default even have rule in file
14:55 openstackgerrit: Stephen Finucane proposed openstack/nova master: Modify PciDevice.uuid generation code https://review.opendev.org/530487
14:55 openstackgerrit: Stephen Finucane proposed openstack/nova master: Add an online migration for PciDevice.uuid https://review.opendev.org/530905
14:55 nightmare_unreal: what can cause nova-live-migration zuul build to fail ??
14:55 gmann: dansmith: train generated file should keep working as it is.
14:56 *** sapd1 has joined #openstack-nova
14:56 gmann: what happened here is, policy file is generated freshly which had new 'system rule' but token are not refreshed
14:57 dansmith: gmann: what if someone's deploy script generates the file from the tooling, applies their two or three rule tweaks? then they're broken?
14:57 *** irclogbot_2 has joined #openstack-nova
14:57 dansmith: I see, the broken part is because the newly generated file will be rules that require scoped tokens or whatever?
14:57 gmann: dansmith: and they have other rule with new value present in file then broken. and that is case that they have override the rule but token not refreshed
14:58 gmann: dansmith: correct
14:58 bnemec: Right. This is why the deprecated rule behavior ORs with the old rule.
14:58 gmann: train policy will still have admin_rule and keep working
14:58 dansmith: gmann: okay, understand why train configs still work, which is good
14:59 dansmith: gmann: I would expect the generate-then-tweak process is fairly widespread
14:59 *** irclogbot_2 has quit IRC
zigodansmith: Yes, "then they're broken" ...14:59
gmannhumm and generate with 'oslopolicy-sample-generator' tool right ?14:59
zigo(ie: my case...)14:59
zigoWhich I think is really wrong.14:59
openstackgerritStephen Finucane proposed openstack/nova master: objects: Add online migration for legacy NUMA objects  https://review.opendev.org/53741415:00
gmanni mean we can explicitly add deprecated rule in that tool logic. but not sure if that solve all the cases15:00
dansmithgmann: yes15:00
AJaegerany nova core available for two tiny cleanups related to Babel/translations, please? https://review.opendev.org/#/c/723206/2 and https://review.opendev.org/#/c/720725/1 ?15:00
dansmithI dunno what to do about this though, since it's really a problem spread across multiple projects, lots of code, and some human assumptions15:00
*** dklyle has joined #openstack-nova15:00
bnemecWe can't always do that though or there's no way for deployers to get the new rule alone.15:01
zigodansmith: I also expect the generated-then-not-touched case is also fairly widespread (my case in my CI) and it is broken as well currently.15:01
dansmithzigo: yup15:01
gmannas per my expectation, 'generate-then-tweak ' case also need operator review if something auto-re-generated is ok or not15:01
*** irclogbot_2 has joined #openstack-nova15:01
dansmithgmann: not if they don't know they need to review15:01
dansmithgmann: they could have been doing this approach for years with no problem15:02
gmannhumm15:02
bnemecIs this on a fresh install? If so, why isn't everything configured to handle the new policies?15:02
dansmithbnemec: no, not necessarily fresh deploy15:02
zigoI very much agree that it's the operator's responsibility to refresh the policy.json and re-tweak it carefully on each upgrade.15:02
gmanndansmith: they had same problem when policy was deprecated. here we did all policy changed instead of one or two15:02
dansmithgmann: you mean when the full policy file was deprecated?15:03
bnemecI mean, that deployment method hasn't been recommended since policy in code went in however many years ago.15:03
*** irclogbot_2 has quit IRC15:03
dansmithAFAIK, plenty of people never migrated to empty policy files15:03
zigobnemec: On a *fresh* install, with the currently default generated policy.json, things are broken. That's the issue I've reported to begin with! :)15:03
dansmithbnemec: but not everyone likes that, and distros still generate full policy files, which is why we're here15:03
gmanndansmith: for example, single policy was changed in some cycle.15:04
bnemecSo that's a problem anyway. Ussuri installs should be configured correctly to handle the new policy.15:04
dansmithgmann: which is why it's quite likely that people's deployment scripts moved to generate-and-tweak.. like, generate and then sed, sed, sed15:04
bnemecEven if we include the deprecated rules in the generated policy, it just pushes the breakage off one release.15:04
gmanni mean that was always problem in past also.15:04
dansmithbnemec: but it involves a change in user behavior right?15:05
dansmiththey have to now get scoped tokens?15:05
bnemecOnce the deprecated rule is dropped in the subsequent release you break then instead of now.15:05
bnemecI  think that's only true if enforce_scope is true.15:05
gmanntrue, scope token in this case and changed in admin->non-admin etc in past15:05
dansmithbut that's the whole reason we're here, because zigo is taking all the defaults, and it's broken15:05
dansmithbnemec: ^15:06
gmann'taking all the defaults' not default but only new default without deprecated things.15:06
gmann'default' still mean 'new + old'15:06
dansmithgmann: sorry I don't understand those two comments15:07
zigoBug filed: https://bugs.launchpad.net/nova/+bug/187541815:07
openstackLaunchpad bug 1875418 in OpenStack Compute (nova) "Generated policy.json in Ussuri is broken by default" [Undecided,New]15:07
stephenfinzigo: why can't we just stop including a generated policy file in the package?15:07
dansmithhe can, he said that15:07
zigostephenfin: How are operators supposed to double-guess what they can use?15:07
gmanndansmith: i mean current defaults are "new default + old deprecated defaults" and file generated was half bald with 'new defaults' only15:07
zigostephenfin: That's actually exactly what I'll be doing: provide an empty policy.json. But that's really not user friendly.15:08
stephenfinzigo: You have a openstack-nova-doc package, yeah? It's documented in there15:08
zigostephenfin: I'd very much prefer having a policy.json that reflects what's currently enforced in Nova.15:08
gmanni might be wrong but re-generating the policy file is something you are intentionally changing so adopt all change instead of half15:08
dansmithstephenfin: he's saying that's a sucky user experience, and he's right despite how clean it seems to us15:08
*** irclogbot_3 has joined #openstack-nova15:09
*** links has quit IRC15:09
dansmithgmann: before this, generating the file and tweaking the rules you want ended up with all things at the same generation. If you tweaked a rule that we removed, then sure it's broken, but now people will be introducing old "syntax" to a generated file of new "syntax", and also not realize that as soon as they generate the file, they need scoped tokens right?15:10
gmannand this is always a problem from starting if deployer rely on re-generated file which does not include the deprecated-but-supported rule15:10
zigostephenfin: Just did that and uploaded the package: https://salsa.debian.org/openstack-team/services/nova/-/commit/48bc8889ae8a787104b76e95c3e1dfc5893d146b15:10
zigoThough really, that's really not user friendly to do that.15:11
gmanndansmith: right.15:11
*** irclogbot_3 has quit IRC15:11
dansmithgmann: so another question.. if I don't take the generated file, continue to run with the deprecated defaults, but need to tweak something.. how do I see the generated old defaults file? is there a flag to the tool? or do I have to look at train docs?15:11
gmannbut how to fix all those script to generate file, we can do something on oslopolicy-sample-generator15:11
stephenfinzigo: Forgive me but is that not the normal way config files work? They're used for overrides, not defaults15:12
dansmithstephenfin: but they're usually fully commented-out so you can see all the options in place while you're overriding15:12
zigostephenfin: If I'm listening to you, then my Nova package should ship an empty /etc/nova/nova.conf? Are you serious ?!?15:12
zigo:)15:13
*** irclogbot_0 has joined #openstack-nova15:13
gmanndansmith: train doc, or nova policy reference file.15:13
dansmithgmann: that sucks15:13
gmannyeah, tool is not adding them15:13
zigoI think I'll give another try with the yaml thing, see if that works, and if I can ship a fully commented out one.15:13
zigoThat's still not nice, because it'd be supposed to work if all comments get removed ... If you know what I mean.15:14
dansmithzigo: do you treat policy like config or what? what if they've modified their policy file?15:14
stephenfinzigo: Not empty, but IMO we shouldn't be including values with defaults ¯\_(ツ)_/¯15:14
zigoJust same as in for nova.conf, where commented out stuff are supposed to be the default.15:14
stephenfinI mean, that's how other config files works15:14
dansmithstephenfin: that's the developer-focused "look at how clean this is" approach, but it sucks for admins15:14
stephenfinznc.conf jumps to mind, since I was hacking on over the weekend15:14
stephenfinditto for sssd.conf15:15
stephenfinor krb5.conf15:15
zigodansmith: For most packages, I don't have them as CONFFILES (these files, marked by dpkg as "prompt user if there's a change on upgrade...).15:15
* stephenfin had a dull weekend15:15
*** irclogbot_0 has quit IRC15:15
gmannstephenfin: if oslopolicy-sample-generator add complete default (new + deprecated) then config case is same otherwise it is issue15:15
stephenfindansmith: yeah, maybe. I just figured everyone was doing 'man [app].conf'15:15
zigoSo policy.json files live in /usr/share/FOO-common/policy.json and are copied to /etc/FOO only if /etc/FOO doesn't have a policy.json file.15:15
bnemecI'm still confused why this would be failing on scope. enforce_scope is false by default.15:16
zigoThis way, no prompt on upgrade, and the old version is kept.15:16
zigoExcept I didn't do that for Nova, I don't know why ...15:16
zigoSo in the Nova case, /etc/nova/policy.json *IS* a CONFFILE.15:16
gmannbnemec: we have 'system:all' string in check_str for new defaults of system scope role15:16
dansmithgmann: so it sounds like we need a big warning reno about this at the very least15:16
zigo(and then dpkg will prompt on upgrade if there's some diff)15:16
dansmithgmann: we probably also should switch to yaml by default, and make sure our CI jobs are using them that way15:17
*** irclogbot_3 has joined #openstack-nova15:17
gmannbnemec: https://github.com/openstack/nova/blob/347d656c35fdf0c309039a7c1f352f82c6950868/nova/policies/base.py#L10415:17
stephenfinbnemec: I suspect the oslo-generate-policy command is using the scoped policies, but nova is still defaulting to non-scoped (to avoid breaking upgrades, funnily enough)15:17
dansmiththe yaml is better in every respect, except for compatibility15:17
gmannhttps://github.com/openstack/nova/blob/347d656c35fdf0c309039a7c1f352f82c6950868/nova/policies/base.py#L3615:17
stephenfinyaml++15:17
bnemecgmann: Why? Isn't the scope check built-in to the policy enough?15:17
zigostephenfin: Looks like you're right yeah.15:17
gibidansmith: I need to read back after my current call15:18
gmannbnemec: when enforce_scope is true then yes otherwise we need to differentiate the system vs project - https://github.com/openstack/nova/blob/347d656c35fdf0c309039a7c1f352f82c6950868/nova/policies/base.py#L3615:18
zigostephenfin: How would we make oslo-generate-policy to use non-scoped policies then?15:18
dansmithgibi: definitely needs your review15:18
bnemecThat seems like it's completely defeating the purpose of enforce_scope.15:18
stephenfinzigo: not sure you want to do that15:18
stephenfinyou'd be generated deprecated configuration15:19
stephenfin*generating15:19
dansmithstephenfin: the deprecated form is supposed to be the default we assume if no policy file15:19
*** irclogbot_3 has quit IRC15:19
zigostephenfin: If nova.conf defaults to non-scoped, but policy.json to scoped, then we do have a problem.15:19
zigoChoose your side comrade ! :)15:19
gmannzigo: yeah, agree.15:20
stephenfindansmith: Yes, because we care about upgrades. New deployments would ideally be overriding nova's defaults though15:20
stephenfinzigo: I assume there's no way to distinguish between new installs and upgrades?15:20
dansmithstephenfin: he generates those for upgrades too he just said15:20
zigostephenfin: There is, if you're talking about packaging.15:20
stephenfinI am15:21
dansmithstephenfin: and, unless we default the enforce_scope on, and detail the differences between scoped tokens for users of new deployments, it's not that cut and dried15:21
*** irclogbot_0 has joined #openstack-nova15:21
zigoThat's an argument given to the .postinst script of the package.15:21
stephenfindansmith: it sounds like we can do that for a new installation (default enforce_scope to on)15:22
zigoIt's defined here: https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#summary-of-ways-maintainer-scripts-are-called15:22
dansmithstephenfin: we don't now though, AFAIK15:22
stephenfinwe wouldn't do it - the package would15:22
stephenfinit would override the nova default15:23
zigoI'd very much you give operators at least one more cycle to enforce this.15:23
*** irclogbot_0 has quit IRC15:23
zigoThen just set enforce_scope to True by default in Victoria ...15:23
stephenfinzigo: I'd like to know if the following combination is possible/makes sense15:23
dansmithstephenfin: not sure how you could coordinate that across every deployment tool15:23
stephenfinnew installation: enforce_scope = True (override), use Ussuri policy.json15:24
stephenfinupgrade: enforce_scope = False (nova default), use Train policy.json15:24
stephenfin?15:24
stephenfindansmith: we do that kind of stuff in TripleO, albeit higher than the package level15:25
*** irclogbot_3 has joined #openstack-nova15:25
dansmithstephenfin: right  but everyone needs to do that.. tripleo, kolla, debian, ubuntu, rdo, $mycustomthing15:25
*** jamesdenton has joined #openstack-nova15:25
*** brinzhang_ has quit IRC15:25
*** brinzhang_ has joined #openstack-nova15:26
zigostephenfin: This is going to be horrible to manage with puppet-nova...15:27
stephenfinI didn't think we generated policy.json for RDO/OSP, and I assume Ubuntu will take whatever Debian does. I can't argue with $mycustomthing though, no15:27
zigostephenfin: You assume wrong ! :)15:27
zigoUbuntu do their own crap ...15:27
*** irclogbot_3 has quit IRC15:27
stephenfin\o/15:27
gmannI was checking to remove 'system:all' from new default but that leads to over-permission issue15:27
zigoI tried for years to fight this, it never worked, because of marketing reasons.15:27
*** brinzhang_ has quit IRC15:28
zigoAnd there's all sorts of issues because of this. :)15:28
*** mkrai_ has quit IRC15:28
*** brinzhang_ has joined #openstack-nova15:28
*** irclogbot_3 has joined #openstack-nova15:28
zigoLike, people trying to use whatever horizon plugin that I was packaging but they didn't, and it broke on Ubuntu, but they don't care because "it's not in main" ...15:28
zigoThe usual thing with Ubuntu... :)15:29
gmanni thought policy-in-code was the time when we asked (or should) deployer to not to re-generate the complete policy file instead  keep override rule only15:29
stephenfingmann: Yeah, I think that's the big disconnect here15:29
stephenfinso doing different things for new installation/upgrade probably isn't an option15:30
stephenfinan empty JSON is bad for users15:30
stephenfinthat leaves us with including a commented-out YAML, and modifying oslo-policy-generator to include deprecated rules, right?15:31
gmannlbragstad: did you face this issue for keystone also? newly generated file with new default only and old token broken as deprecated rule has disappeared15:31
stephenfinfwiw, I really, really want to avoid the latter option :)15:31
*** irclogbot_3 has quit IRC15:31
gmannstephenfin: true.15:31
gmannlater is kind of argument that people rely on 'no deprecated rule' in generated file to end up over permission and leak API15:32
zigostephenfin: This leaves us with "generate policy.json and nova.conf that are matching and working together by default" indeed !15:33
gmannso we may fix one upgrade but break other15:33
zigoIf I had such an option as "oslopolicy-sample-generator --use-scoped" and/or "--dont-use-scoped" then I would generate the config file twice, as a favor to Debian users, so they could see both ...15:35
openstackgerritMerged openstack/python-novaclient master: Remove future imports  https://review.opendev.org/72315315:35
zigoIt's probably too late in this cycle to do that, though.15:35
lbragstadgmann isn't that the intended behavior you want?15:36
gmannlbragstad: yeah, that is intended as per me :) but problem is for upgrade used to re-generated the fresh file and still think default works is broken15:38
*** irclogbot_2 has joined #openstack-nova15:38
*** _mlavalle_1 has joined #openstack-nova15:38
gmannzigo: we can do but still user need to change their script to add new option to that tool '--dont-use-scoped'  or other.15:38
dansmithgmann: lbragstad: to avoid me having to google.. what is the different thing that users have to do to get a scoped token?15:38
lbragstadthe request to keystone to get a token changes a bit, but users can invoke that with clients by setting a different property in their cloud config15:39
dansmithokay so their openrc or clouds.yaml (or whatever) has to change15:40
lbragstadyes15:40
*** mlavalle has quit IRC15:40
dansmithand are those two things getting generated as scoped by default nowadays?15:40
dansmithor can you not ask for scoped until something else changes?15:41
lbragstadi guess it depends on what generates those files15:41
lbragstadyou're asking if openrc or clouds.yaml is generated with project-scope by default?15:41
* gibi is reading back15:43
dansmithlbragstad: yeah, like.. has everyone since stein (as an example) been getting scoped tokens and not knowing it?15:43
dansmithjust trying to figure out how impactful the move to requiring them will be15:44
lbragstaddansmith yeah - to do anything useful, most people will need a scoped token of some form15:44
lbragstadhistorically, that scope has always been project15:45
lbragstador - project-scope has been the standard for getting anything done, like booting a server15:45
dansmithI'm confused15:46
dansmithlbragstad: I thought that when we move to this new scoped policy that users need to be getting scoped tokens that they likely haven't been getting in the past?15:46
dansmithwhich is why zigo's token immediately stopped working and launched us into this discussion15:46
lbragstaddansmith sorry - let me back up15:46
lbragstadkeystone has supported scoped tokens for a long time - users have always been able to get a scoped token15:47
lbragstadin the past, that token has always been scoped to a project15:47
dansmithsure, I get that15:47
lbragstadthe new system is using a different scope target15:47
lbragstadand some APIs are going to require that new target, instead of a project-scoped token15:47
lbragstadwhich is why zigo's old token (which i'm assuming is project-scoped) stopped workin15:48
lbragstadworking*15:48
*** raildo has joined #openstack-nova15:48
zigoIf we require everyone to change something in their openrc, it *will* break a lot of users who won't understand.15:48
zigoMaybe that's needed, I don't even understand what this scope thingy is for, but just warning everyone here.15:48
zigoAt least, if we're moving to that direction, then we must have some kind of correct error message output in the clients.15:48
gmannbut 'system' scope is not default user has to explicit request that15:48
dansmithI'm trying to figure out if realistically everyone is going to need to change their openrc, or only people who got their openrc from horizon before some release, or ...15:49
dansmithI know openrc can come from various places, but trying to figure out the "scope" of the impact15:49
dansmithdoes devstack generate scope-having openrcs?15:49
lbragstadyes15:49
zigolbragstad: What does it look like?15:50
zigoexport OS_SCOPE= ?15:50
lbragstadit does it with clouds.yaml, actually15:50
lbragstadhttps://opendev.org/openstack/devstack/src/branch/master/tools/update_clouds_yaml.py#L5615:50
lbragstadexport OS_SYSTEM_SCOPE=all15:51
lbragstadthat's going to tell keystone to give you a system-scoped token instead of a project-scoped token15:51
zigolbragstad: So, that's to be added to the admin openrc ?15:51
dansmithbut most users want a project scoped token right?15:52
lbragstadto get back to your impact question - changes to openrc are primarily admin related15:52
lbragstaddansmith yes15:52
dansmithlbragstad: ah, okay so admins need to tweak their openrc but regular users will not?15:52
lbragstadpeople who aren't accessing system-level APIs shouldn't need to set this new value and get system-scoped tokens15:52
gmanntrue. otherwise it might be over permission issue for rule changed from admin->system-reader etc15:52
lbragstadyes - for the most part15:53
dansmithokay that wasn't clear to me before, so that's good news15:53
dansmithzigo: I guess you were using an admin user?15:53
zigodansmith: not only myself, but puppet-openstack too, yeah !15:54
openstackgerritMerged openstack/nova stable/ussuri: Update .gitreview for stable/ussuri  https://review.opendev.org/72251815:54
openstackgerritMerged openstack/nova stable/ussuri: Update TOX_CONSTRAINTS_FILE for stable/ussuri  https://review.opendev.org/72252015:54
zigodansmith: What first started breaking was puppet-octavia that couldn't create the Octavia flavor.15:54
dansmithokay15:54
zigoThen I tried as the admin user, and didn't understand what was going on...15:54
lbragstadfwiw - we describe the concept and motivation behind all the scopes here - https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes15:55
zigolbragstad: Thanks, I'll read it all.15:55
dansmithlbragstad: yeah I read that and I get it,15:56
dansmithI thought there would still be a change to the user mechanics though15:56
dansmithbut likely because most of our discussions focus on our usage, which is generally admin15:56
*** ociuhandu has quit IRC15:56
lbragstaddansmith unfortunately, because policy is completely configuration based, there could be deployments where this gets messy because the deployer wanted to let end users list hypervisors (or something weird like that)15:57
dansmithyeah, so those users will need to learn something different now right?15:58
dansmithdoes that mean they've lost (or will lose) the ability to list hypervisors and their instances with a single token?15:58
lbragstadpossibly - but it depends on how the deployer setup their custom policy15:58
dansmithbecause I can imagine that sucking for scripts15:59
lbragstadyeah - i completely agree15:59
gmannyeah if both policy are override for same permission then they keep working15:59
gmannif mix like one override and one was relying on default, now re-generated file will mess up the single token16:00
*** ociuhandu has joined #openstack-nova16:00
lbragstadzigo i typically put system users behind a different cloud profile, so i set system_scope: all in my clouds.yaml under a different name16:02
*** tesseract has quit IRC16:02
lbragstadthen i use --os-cloud system-admin or --os-cloud project-user (or whatever)16:02
lbragstadymmv - but if found that useful in the past when managing different scopes16:03
lbragstadi found*16:03
dansmithproblem is, kinda, that we're enforcing our view on what is system-level information now in a way that they can't override16:03
dansmithfor single-tenant clouds, that just introduces unnecessary overhead for a distinction they don't care about16:04
*** rpittau is now known as rpittau|afk16:07
gmannwhen we enable scope by default at some point they anyways have to change their tokens.16:08
lbragstaddansmith yeah - that's true16:09
dansmithwhat I mean is, the scope-based system introduces complexity16:09
gmannfor single-tenant clouds, it might be weird16:09
zigoGOT MY FIRST INSTANCE ON USSURI UP AND RUNNING !!! \o/16:12
* gibi finished reading bag16:13
gibiback16:13
gmannanyways 're-generate fresh policy file' case for me is 'they want the new default-only always' and if old things stop working that need audit carefully from release notes or warnings.16:13
lbragstadthey'll need to be aware of the context they're operating on16:13
* zigo is going to make an announcement about general availability of Ussuri for Debian ! :P16:13
gibigmann, dansmith: do I understand correctly that we need at least a release notes update to document what zigo has found? What else we need to / can do in Ussuri?16:14
gmannlike uncap 'hacking' version in our requirement file which mean 'we will adopt the new changes always and if broken we fix our code'16:14
sean-k-mooneygmann: well hacking is used by multiple project but not all projects will want to use the same checks16:15
sean-k-mooneynova and neutron have completely different approaches to self.assert* methods16:16
gmannsean-k-mooney: true, that is why many projects cap it16:16
sean-k-mooneyneutron blocked the use of any not in py27 and nova used mock the lib16:16
*** iurygregory has quit IRC16:17
gmanngibi: dansmith lbragstad in addition to release note for nova ussuri, should we have a clear doc from oslo/keystone or somewhere generic on 'how to generate and use policy file and how deployer can be broken for xyz cases'. i mean a single recommended way instead of supporting all possible way deployment doing ?16:18
*** jangutter has quit IRC16:18
sean-k-mooneygmann: well that would be in oslo.policy correct16:19
*** jangutter has joined #openstack-nova16:19
sean-k-mooneyor rather should be16:19
sean-k-mooneye.g. describing how the lib should be used by developers16:19
gmannI am not sure, we have. but lbragstad or bnemec can point to if there is any.16:20
*** ociuhandu has quit IRC16:20
*** ociuhandu has joined #openstack-nova16:21
gmanni meant explicitly saying, 'this way of re-generating policy file or having not-override rule in policy file etc etc can break you if you do not carefully audit on upgrades'16:21
*** elod has quit IRC16:22
*** elod has joined #openstack-nova16:23
*** gibi_ has joined #openstack-nova16:24
* gibi_ lost network connectivity16:24
*** jangutter has quit IRC16:25
*** udesale_ has quit IRC16:26
*** artom has quit IRC16:26
*** raildo has quit IRC16:26
*** vesper11 has quit IRC16:26
*** haleyb has quit IRC16:26
*** tobiash has quit IRC16:26
*** hoonetorg has quit IRC16:26
*** iokiwi has quit IRC16:26
*** tobias-urdin has quit IRC16:26
*** noonedeadpunk has quit IRC16:26
*** gibi has quit IRC16:26
*** rmk has quit IRC16:26
*** tonyb has quit IRC16:26
*** averi has quit IRC16:26
*** yankcrime has quit IRC16:26
*** AJaeger has quit IRC16:26
*** jangutter has joined #openstack-nova16:26
openstackgerritTakashi Natsume proposed openstack/nova master: Fix list rendering in the accelerator support doc  https://review.opendev.org/72184616:27
lbragstadgmann we have this16:28
lbragstadhttps://bugs.launchpad.net/oslo.policy/+bug/185317016:28
openstackLaunchpad bug 1853170 in oslo.policy "Need documentation on recommended operator workflow for deprecated policies" [High,Triaged]16:28
openstackgerritTakashi Natsume proposed openstack/nova master: Update contributor guide for Victoria  https://review.opendev.org/72264716:28
*** irclogbot_2 has quit IRC16:28
*** vesper11 has joined #openstack-nova16:29
*** irclogbot_1 has joined #openstack-nova16:30
lbragstadgmann i don't think there is anything in review for that, yes16:30
lbragstadyet*16:30
*** KeithMnemonic has joined #openstack-nova16:30
*** hoonetorg has joined #openstack-nova16:31
*** raildo has joined #openstack-nova16:31
*** udesale_ has joined #openstack-nova16:31
*** artom has joined #openstack-nova16:31
gmannlbragstad: i see, thanks16:32
*** gibi has joined #openstack-nova16:32
stephenfinmelwitt: confident enough to bump your +1 to +2 now? https://review.opendev.org/#/c/720725/16:32
*** AJaeger has joined #openstack-nova16:32
*** haleyb has joined #openstack-nova16:32
*** tobiash has joined #openstack-nova16:32
*** tobias-urdin has joined #openstack-nova16:32
*** iokiwi has joined #openstack-nova16:32
*** noonedeadpunk has joined #openstack-nova16:32
*** averi has joined #openstack-nova16:32
*** rmk has joined #openstack-nova16:32
*** tonyb has joined #openstack-nova16:32
*** yankcrime has joined #openstack-nova16:32
*** evrardjp has quit IRC16:35
*** gibi_ has quit IRC16:35
gibigmann: I have to stop for today. If you start writing a reno update for the policy thing then please link it to me and I will read it first thing in the morning16:35
gmanngibi: ok, I will update the upgrade section for now to mention the re-generated policy file case. and  later we can work on some generic doc (bug/1853170).16:37
gibigmann: ack, thanks16:37
*** ChanServ has quit IRC16:42
*** ChanServ has joined #openstack-nova16:45
*** tepper.freenode.net sets mode: +o ChanServ16:45
*** evrardjp has joined #openstack-nova16:46
*** sapd1_x has joined #openstack-nova16:47
*** udesale_ has quit IRC16:50
*** derekh has quit IRC17:03
*** ociuhandu has quit IRC17:06
*** ociuhandu has joined #openstack-nova17:06
*** _mlavalle_1 has quit IRC17:09
*** mlavalle has joined #openstack-nova17:11
*** ociuhandu has quit IRC17:12
*** dtantsur is now known as dtantsur|afk17:18
*** jangutter has quit IRC17:20
*** gibi has quit IRC17:20
*** bbowen_ has quit IRC17:22
*** haleyb has quit IRC17:26
*** tobiash has quit IRC17:26
*** iokiwi has quit IRC17:26
*** tobias-urdin has quit IRC17:26
*** noonedeadpunk has quit IRC17:26
*** rmk has quit IRC17:26
*** tonyb has quit IRC17:26
*** averi has quit IRC17:26
*** yankcrime has quit IRC17:26
*** AJaeger has quit IRC17:26
*** artom has quit IRC17:26
*** raildo has quit IRC17:26
*** jangutter has joined #openstack-nova17:26
*** AJaeger has joined #openstack-nova17:29
*** haleyb has joined #openstack-nova17:29
*** tobiash has joined #openstack-nova17:29
*** tobias-urdin has joined #openstack-nova17:29
*** iokiwi has joined #openstack-nova17:29
*** noonedeadpunk has joined #openstack-nova17:29
*** averi has joined #openstack-nova17:29
*** rmk has joined #openstack-nova17:29
*** tonyb has joined #openstack-nova17:29
*** yankcrime has joined #openstack-nova17:29
*** raildo has joined #openstack-nova17:29
*** artom has joined #openstack-nova17:29
*** nightmare_unreal has quit IRC17:32
*** vishalmanchanda has quit IRC17:34
*** ChanServ has quit IRC17:39
*** ChanServ has joined #openstack-nova17:42
*** tepper.freenode.net sets mode: +o ChanServ17:42
*** tbachman has quit IRC17:42
*** ociuhandu has joined #openstack-nova17:42
sean-k-mooneystephenfin: can you take a look at https://review.opendev.org/#/c/722407/17:43
sean-k-mooneystephenfin: it needs to merge before your change can merge17:44
*** jangutter has quit IRC17:46
*** jangutter has joined #openstack-nova17:47
*** jangutter has quit IRC17:47
*** jangutter has joined #openstack-nova17:48
AJaegerany nova core available for two tiny cleanups related to Babel/translations, please? https://review.opendev.org/#/c/723206/2 and https://review.opendev.org/#/c/720725/1 ?17:48
*** tbachman has joined #openstack-nova17:51
*** READ10 is now known as READ10|away17:57
*** factor has quit IRC17:58
openstackgerritMerged openstack/python-novaclient master: Use unittest.mock instead of third party mock  https://review.opendev.org/72315218:01
*** hoonetorg has quit IRC18:02
*** factor has joined #openstack-nova18:04
*** jangutter has quit IRC18:18
openstackgerritMerged openstack/nova master: Add placeholder migrations for Ussuri backports  https://review.opendev.org/72254618:19
*** ociuhandu has quit IRC18:20
*** ociuhandu has joined #openstack-nova18:20
*** jangutter has joined #openstack-nova18:29
*** iurygregory has joined #openstack-nova18:34
*** READ10|away is now known as READ1018:45
*** xek_ has joined #openstack-nova18:46
*** dpawlik has quit IRC18:47
*** xek has quit IRC18:49
openstackgerritGhanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes  https://review.opendev.org/72364518:51
openstackgerritGhanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes  https://review.opendev.org/72364518:51
*** JamesBenson has joined #openstack-nova18:53
*** ttsiouts has joined #openstack-nova18:59
*** ociuhandu has quit IRC19:03
*** ociuhandu has joined #openstack-nova19:06
*** ttsiouts has quit IRC19:13
*** ttsiouts has joined #openstack-nova19:13
*** ociuhandu has quit IRC19:20
*** READ10 has quit IRC19:24
*** bbowen has joined #openstack-nova19:24
*** ociuhandu has joined #openstack-nova19:27
*** ttsiouts has quit IRC19:44
*** ttsiouts has joined #openstack-nova19:45
*** jangutter_ has joined #openstack-nova19:54
*** dklyle has quit IRC19:56
*** jangutter has quit IRC19:57
openstackgerritMerged openstack/nova master: Fix list rendering in the accelerator support doc  https://review.opendev.org/72184619:59
*** dklyle has joined #openstack-nova20:00
*** brinzhang_ has quit IRC20:14
*** brinzhang_ has joined #openstack-nova20:14
*** songwenping_ has joined #openstack-nova20:14
*** ttsiouts has quit IRC20:15
*** songwenping__ has quit IRC20:17
*** jangutter_ has quit IRC20:18
*** xek_ has quit IRC20:21
*** nweinber has quit IRC20:26
*** jangutter has joined #openstack-nova20:27
*** gibi has joined #openstack-nova20:36
*** ccamacho has quit IRC20:38
openstackgerritGhanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes  https://review.opendev.org/72364520:47
gmanndansmith: gibi stephenfin please check, i have added this upgrade notes for clarification on policy file things - https://review.opendev.org/#/c/723645/20:50
*** ociuhandu has quit IRC20:57
*** ociuhandu has joined #openstack-nova20:58
*** damien_r has quit IRC21:00
*** igordc has joined #openstack-nova21:07
*** brinzhang has joined #openstack-nova21:08
melwittgmann: do we have people ready to review https://review.opendev.org/722551 ? wondering if I should wait on reviewing the nova change21:09
gmannmelwitt: i pinged few tempest core, maybe we can get +A from masayukig once he wakes up.21:10
*** ociuhandu has quit IRC 21:11
melwitt ok 21:11
*** brinzhang_ has quit IRC 21:11
openstackgerrit Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of assertRequestMatchesUsage()  https://review.opendev.org/723694 21:12
openstackgerrit Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of _check_allocation_during_evacuate()  https://review.opendev.org/723695 21:12
openstackgerrit Artom Lifshitz proposed openstack/nova stable/queens: DNM: Add nova-manage placement heal_allocations CLI  https://review.opendev.org/723696 21:12
openstackgerrit Artom Lifshitz proposed openstack/nova stable/queens: DNM: Don't heal allocations for deleted servers  https://review.opendev.org/723697 21:12
openstackgerrit Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of FakeResponse  https://review.opendev.org/723698 21:12
openstackgerrit Artom Lifshitz proposed openstack/nova stable/queens: DNM: Heal allocations with incomplete consumer information  https://review.opendev.org/723699 21:12
gmann melwitt: or let's wait for these patches first to have ussuri branch setup properly - https://review.opendev.org/#/q/topic:qa-ussuri-release+status:open 21:14
*** rcernin has joined #openstack-nova 21:14
melwitt gmann: ah k 21:14
*** ociuhandu has joined #openstack-nova 21:19
*** maciejjozefczyk has quit IRC 21:28
*** ociuhandu has quit IRC 21:29
*** martinkennelly has quit IRC 21:33
*** martinkennelly has joined #openstack-nova 21:38
*** ociuhandu has joined #openstack-nova 21:39
*** ttsiouts has joined #openstack-nova 21:42
*** martinkennelly has quit IRC 21:46
*** slaweq has quit IRC 21:49
*** ociuhandu has quit IRC 21:49
*** ttsiouts has quit IRC 21:51
*** slaweq has joined #openstack-nova 21:52
*** raildo has quit IRC 21:56
*** slaweq has quit IRC 22:03
*** ociuhandu has joined #openstack-nova 22:18
*** jangutter has quit IRC 22:18
*** gibi has quit IRC 22:21
*** gibi has joined #openstack-nova 22:22
*** jangutter has joined #openstack-nova 22:27
*** ociuhandu has quit IRC 22:29
*** yaawang has joined #openstack-nova 22:32
*** yaawang_ has quit IRC 22:33
openstackgerrit Ghanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes  https://review.opendev.org/723645 22:48
*** tkajinam has joined #openstack-nova 22:49
*** tkajinam has quit IRC 22:49
*** tkajinam has joined #openstack-nova 22:50
*** abaindur has joined #openstack-nova 22:54
*** lbragstad has quit IRC 22:56
*** tosky has quit IRC 23:02
*** jangutter_ has joined #openstack-nova 23:12
*** jangutter has quit IRC 23:13
*** igordc has quit IRC 23:14
openstackgerrit Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of report client changes  https://review.opendev.org/723750 23:14
openstackgerrit Artom Lifshitz proposed openstack/nova stable/queens: DNM: Add a placement audit command  https://review.opendev.org/723751 23:14
*** avolkov has quit IRC 23:22
*** bbowen has quit IRC 23:32
*** bbowen has joined #openstack-nova 23:32
