Friday, 2021-06-11

<lyarwood> melwitt: \o/ awesome thanks! 06:17
<opendevreview> liujiong proposed openstack/nova master: Do not create attachment for old root volume  https://review.opendev.org/c/openstack/nova/+/795950 07:53
<bauzas> gibi: stephenfin: so, https://review.opendev.org/c/openstack/nova/+/795533 got a gate failure again 08:17
<bauzas> can we please accept then https://review.opendev.org/c/openstack/nova/+/795744 ? 08:18
<bauzas> looking at project:openstack/nova label:Verified>=-2,Zuul -age:3d is:open we have a lot of changes getting -1 08:24
<opendevreview> Yongli He proposed openstack/nova master: Smartnic support - cyborg drive  https://review.opendev.org/c/openstack/nova/+/771362 08:29
<opendevreview> Yongli He proposed openstack/nova master: smartnic support - new vnic type  https://review.opendev.org/c/openstack/nova/+/771363 08:29
<opendevreview> Yongli He proposed openstack/nova master: smartnic support  https://review.opendev.org/c/openstack/nova/+/758944 08:29
<opendevreview> Yongli He proposed openstack/nova master: smartnic support - reject server move and suspend  https://review.opendev.org/c/openstack/nova/+/779913 08:29
<opendevreview> Yongli He proposed openstack/nova master: smartnic support - functional tests  https://review.opendev.org/c/openstack/nova/+/780147 08:30
<lyarwood> bauzas: ack I've +W'd it to chip away at the gate failures 08:59
<bauzas> lyarwood: ok, I'll also provide the revert change 09:00
<opendevreview> Sylvain Bauza proposed openstack/nova master: Revert "Removing mypy to fix the nova CI"  https://review.opendev.org/c/openstack/nova/+/795973 09:47
<bauzas> lyarwood: revert is up 09:48
<opendevreview> Merged openstack/nova master: Removing mypy to fix the nova CI  https://review.opendev.org/c/openstack/nova/+/795744 11:39
<gibi> lyarwood, stephenfin, kashyap: rechecked https://review.opendev.org/c/openstack/nova/+/795533 as it hit https://bugs.launchpad.net/nova/+bug/1912310 11:51
<kashyap> gibi: Hi; /me clicks 11:51
<gibi> the bug being "libvirt.libvirtError: unable to connect to server at" 11:51
<kashyap> I guess it's the dreaded connection refused thing 11:51
<kashyap> Yep 11:51
<gibi> around the same time when the migration fails 11:52
<gibi> there is an error 11:52
<gibi> multipathd is not running: exit code None: oslo_concurrency.processutils.ProcessExecutionError: [Errno 2] No such file or directory\ 11:52
<gibi> on the dest compute 11:53
<gibi> I don't know if it is related but at least it correlates by time 11:53
<gibi> I've added the log links to the bug 11:53
<lyarwood> That shouldn't be related no 11:55
<lyarwood> it's likely n-cpu fetching the connector from os-brick 11:55
<lyarwood> and os-brick is checking if multipathd is present on the host 11:56
<lyarwood> https://bugs.launchpad.net/nova/+bug/1931702 - FWIW I've raised this and will push a skip of the live migration with attached volume tests now 11:57
<gibi> lyarwood: good stuff 11:58
<gibi> lyarwood: is there a way forward with the lockup other than skipping the test? 11:59
<lyarwood> gibi: yeah we don't have the complete console log as I guess it rotated 11:59
<lyarwood> gibi: so I'll work out how to capture that and then raise a QEMU bug depending on what we see 12:00
<gibi> ohh, OK, cool 12:00
<lyarwood> gibi: as I'm assuming live migration has had some kind of impact here 12:00
<kashyap> lyarwood: For the QEMU bug, do you think we have hope of reproducing this outside of the CI Gate? 12:01
<kashyap> lyarwood: E.g. in the same Ubuntu env; same versions, migrating a paused instance -- can that do it? 12:01
<lyarwood> really depends on what if anything we get back from the guestOS 12:01
<kashyap> Yeah; good point 12:01
<lyarwood> the instance isn't paused in this latest failure 12:01
<masterpe[m]> I have instances in the placement.allocations table but these instances do not exist anymore. "nova-manage placement audit" does not exist on Train. And I have tried "nova-manage placement heal_allocations" but that does not work. Can I safely delete those records in the database? 12:12
<opendevreview> Lee Yarwood proposed openstack/nova master: zuul: Skip block migration tests until bug #1931702 is resolved  https://review.opendev.org/c/openstack/nova/+/795992 12:17
<opendevreview> Lee Yarwood proposed openstack/nova master: zuul: Skip block migration with attached volumes tests due to #1931702  https://review.opendev.org/c/openstack/nova/+/795992 12:18
<lyarwood> forgot to update the title sorry 12:18
<frickler> lyarwood: interesting issue, is that with cirros as guest or something else? 12:22
<lyarwood> frickler: yeah it's Cirros 0.5.2 12:22
<lyarwood> ^ should give us console logs at the time we send the detach to see how borked the guestOS is 12:32
<opendevreview> Lee Yarwood proposed openstack/nova master: zuul: Skip block migration with attached volumes tests due to bug #1931702  https://review.opendev.org/c/openstack/nova/+/795992 12:33
<opendevreview> Lee Yarwood proposed openstack/nova master: DNM Revert "zuul: Skip block migration with attached volumes tests due to #1931702"  https://review.opendev.org/c/openstack/nova/+/795997 12:33
<lyarwood> whoops, ^ there we go, git-review being slow again. 12:33
<lyarwood> gibi: https://review.opendev.org/c/openstack/nova/+/792415 simple docs review if you have time btw 12:38
<lyarwood> sean-k-mooney: https://review.opendev.org/c/openstack/nova-specs/+/794799 - would you mind taking a look at this? 12:39
<opendevreview> Lee Yarwood proposed openstack/nova master: libvirt: fup docs and typing for _hard_reboot flow  https://review.opendev.org/c/openstack/nova/+/795081 13:37
<lyarwood> Wonderful now the nova-lvm job has failed randomly 13:38
<gibi> sorry I was pulled downstream, surfacing now... 14:00
<opendevreview> Pierre Riteau proposed openstack/nova master: Fix typos in minimum version policy docs  https://review.opendev.org/c/openstack/nova/+/795575 14:05
<dansmith> gmann: I was looking through nova's instance-get stuff to see if and how things have changed in preparation for system scope and RBAC stuff 14:19
<dansmith> and it looks to me like we're still enforcing instance.project_id==context.project_id all the way down at the db layer in model_query() 14:19
<dansmith> it only does that if we're a "user context", but I'm thinking that is going to be in the way of more flexible rbac stuff, if you can't even load an instance object to check a richer policy rule 14:20
<dansmith> am I right in thinking that will have to change? 14:20
<gmann> dansmith: currently we do not check get instance permission for other policy check which need instance object in target, are you saying to change that to check get instance permission first? 14:26
<dansmith> gmann: we don't check for "get instance permission" before doing something like an update -- that's what you mean right? 14:27
<gmann> yeah 14:27
<gibi> lyarwood: re: nova-lvm failure I see multiple hits of the same error in logstash but all fairly recent http://logstash.openstack.org/#dashboard/file/logstash.json?query=message%3A%5C%22WARNING%3A%20Failed%20to%20get%20udev%20device%20handler%20for%20device%20%2Fdev%2Fsda1%5C%22 14:27
<gibi> lyarwood: and apparently it is not nova-lvm specific 14:28
<dansmith> gmann: okay, but the problem is.. in order to do some update type thing that we might grant in policy, we have to db.get_instance(), which will fail to find it in model_query because it filters the owner very deep 14:28
<gibi> lyarwood: or did I have a wrong signature? 14:28
<gmann> dansmith: i see. and that is say system admin want to update server? 14:29
<gmann> or any other project member want to update some other project server? 14:30
<dansmith> well, right, I'm thinking the case where you want to do something more powerful, like say "project X is under project Y, so let project Y people manage project X servers too" 14:31
<gmann> humm 14:31
<dansmith> which is kinda the point of the RBAC work eventually, right? to make the policy actually let people do more complicated things like that.. no? 14:31
<gmann> dansmith: I think that is separate things if we want to allow than current secure RBAC which does not allow these kind of things instead restricting access 14:33
<gmann> project isolation is one thing in new secure rbac but your use case is opposite to that 14:34
<dansmith> hrm 14:34
<lyarwood> <gibi "lyarwood: or did I have a wrong "> Yeah that's correct, iirc c-vol also hit something like this so maybe that's the duplicate? 14:35
<dansmith> gmann: my case is just my interpretation of what I thought the end goal was, so maybe I'm being too broad 14:35
<gibi> lyarwood: I see that we hit this during update_available_resource that simply skips the update and does not cause the job failure 14:36
<lyarwood> Sorry gibi, ^ was for you, somehow replied in element (matrix) and I'm not sure what that looks like in vanilla irc. 14:36
<gibi> lyarwood: it quotes part of the original message so it works for me :) 14:36
<gmann> dansmith: yeah because in most of the case we pass instance.project_id as target to oslo policy 14:36
<gibi> lyarwood: so most of the logstash hits are actual job SUCCESS as it only hit the during periodic 14:36
<gmann> dansmith: if we want to allow cross project operation we have to change that model and db things too what you mentioned 14:37
<lyarwood> Cool cool, the nova-lvm failure I saw was during instance deletion 14:37
<gibi> lyarwood: yeah, if we hit it during other operation then the test fails 14:37
<lyarwood> So maybe we just need to retry on failure here 14:37
<lyarwood> As it's just a basic lvs command 14:37
<gibi> lyarwood: but the hit in the periodic shows that the underlying issue is temporary as the next periodic succeeds 14:37
<gibi> lyarwood: yeah, so a retry could help 14:38
<lyarwood> Yup cool, I'll work on that on Monday 14:38
<gibi> cool 14:38
<gibi> lyarwood: should I open a bug report on it? 14:39
<gibi> I have the context now 14:39
<gibi> and still have time today :) 14:39
<gmann> dansmith: yes, too broad :). I think in that case they should allocate that user a system token and ask to do other project things. but system to do project servers operation is another challenge what we discussed in PTG 14:40
<lyarwood> I already have 14:40
<opendevreview> Merged openstack/nova master: docs: Add releases to libvirt distro support matrix  https://review.opendev.org/c/openstack/nova/+/792415 14:40
<lyarwood> Tagged under gate-failure 14:40
<lyarwood> Sorry I thought that's what you were looking at 14:40
<gibi> no problem, then I go and add more info under that 14:41
<lyarwood> Cool thanks 14:46
<opendevreview> Pierre Riteau proposed openstack/nova master: Fix typos in minimum version policy docs  https://review.opendev.org/c/openstack/nova/+/795575 14:47
<gibi> lyarwood: is this a new type of detach error https://zuul.opendev.org/t/openstack/build/02e6a99bf1574c978c663eb434705cbb/log/controller/logs/screen-n-cpu.txt?severity=0#34810 ? 14:50
<gibi> as far as I see it fails to detach from the live domain 14:51
<gibi> as the device is not there any more 14:51
<gibi> hmm, there is a DeviceRemovedEvent that was ignored :/ 14:51
<gibi> sounds like a bug in the nova detach code 14:51
<gibi> I will file a bug and look into the root cause 14:52
<dansmith> gmann: sorry I got pulled away 14:59
<dansmith> gmann: yeah, so I think I might be missing some keystone knowledge here.. and perhaps I'm trying to put too much capability in the projects for flexibility in terms of mapping people to abilities or something 15:00
<gmann> dansmith: afaik, one of the point to have system admin was this -to isolate project level stuff and remove project admin which was kind of global admin before new rbac 15:03
<gmann> as current project admin is admin to that project only 15:03
<gmann> current i mean after new rbac 15:04
<dansmith> yeah, I know that's one of the big tenets 15:05
<dansmith> gmann: okay I think I've straightened myself out on the cross-project thing 15:40
<dansmith> gmann: specifically related to enforcing policies in the api, I have another question 15:41
<dansmith> gmann: presumably if you have some role that lets you update a resource but not show it (possible if you configure policy that way), then you could not be able to show a resource, but make some trivial update to it and get a copy of it in the result of the PUT 15:42
<dansmith> I assume we would consider that acceptable because you gave that user update perms and the update call returns the resource... 15:42
<dansmith> just thinking of a case where you want some script to be able to reboot an instance but not see the metadata for it which contains a license key or something 15:43
<gmann> dansmith: yeah that's true. PUT has permission to show all info so they get. 15:44
<dansmith> okay, I figure that's the most straightforward thing to do -- not break the result of PUT just because you don't have get perms 15:44
<gmann> dansmith: in that case, we can introduce the new policy to restrict those metadata 15:44
<dansmith> yeah, sure, and that's legit, but I just wonder if someone would interpret restricting get to mean "they can never see this resource any way at all" which won't be the case 15:45
<gmann> dansmith: other way I think neutron does (need to check again) is check GET policy before PUT and deny if they do not have access to GET. 15:45
<dansmith> meaning require get and put perms to do a PUT, or just check get perms before returning the result? 15:46
<gmann> dansmith: I think yes, let me check. that is what i remember when i discussed it with amotoki in Tokyo time. 15:46
<dansmith> the latter may make sense, but is probably not worth it, IMHO.. the former seems wrong 15:46
<dansmith> write-implies-read makes sense, write-requires-read does not, IMHO 15:48
<gmann> dansmith: cannot find that, will check later 15:56
<dansmith> gmann: no worries, not important at the moment, just curious 15:57
<gmann> dansmith: what we can do is restrict the PUT response if GET is not permitted. GET-not-permit in this case (where PUT is allowed) means do not show server info instead of no access to server 15:58
<dansmith> gmann: yeah, that's the only thing that makes sense I think.. but I think you can argue that it's not worth that level of granularity 15:59
<dansmith> basically, three options: 1. PUT requires GET to work at all (bad) 2. PUT will show you the result even if you don't have GET (acceptable) 3. PUT will only show you the result if you also have GET (acceptable) 16:00
<dansmith> #2 is easy/default, #3 is doable 16:00
<gmann> yeah, we can do #3 if anyone asks for that and have that requirement of allow-write but no-read 16:01
<dansmith> ++ 16:02
<opendevreview> Balazs Gibizer proposed openstack/nova master: Add debug log for device detach libvirt error  https://review.opendev.org/c/openstack/nova/+/796043 16:14
<gibi> lyarwood: I think I found out that libvirt has an extra way to tell us that a device we try to detach is missing. So our handler in nova does not recognize it as VIR_ERR_DEVICE_MISSING but handles it as unexpected and blows 16:16
<gibi> lyarwood: I pushed a patch that adds a debug log to show what error code libvirt returns in this case 16:16
<gibi> https://bugs.launchpad.net/nova/+bug/1931716 16:17
<gmann> dansmith: i was wrong on neutron check GET permission to update resource.  They check GET permission in PUT/DELETE just to decide whether to return 403 or 404 if PUT is not permitted. - https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L671-L685 16:23
<dansmith> gmann: ah, another interesting wrinkle 16:23
<gmann> yeah :) 16:24
<opendevreview> Ade Lee proposed openstack/nova master: Add check job for FIPS  https://review.opendev.org/c/openstack/nova/+/790519 16:27
-opendevstatus- NOTICE: Zuul is being restarted for server reboots 17:47
<opendevreview> Ghanshyam proposed openstack/nova stable/train: DNM: testing  https://review.opendev.org/c/openstack/nova/+/796070 22:06
