Friday, 2021-11-05

« Thursday, 2021-11-04 Index Saturday, 2021-11-06 »
opendevreviewBrin Zhang proposed openstack/nova master: Replaces tenant_id with project_id from List/Update Servers APIs  https://review.opendev.org/c/openstack/nova/+/76429201:46
opendevreviewBrin Zhang proposed openstack/nova master: Replaces tenant_id with project_id from List/Update Servers APIs  https://review.opendev.org/c/openstack/nova/+/76429202:01
opendevreviewBrin Zhang proposed openstack/nova master: [Trival] Fix wrong microversion in TestClass name  https://review.opendev.org/c/openstack/nova/+/81677802:12
opendevreviewBrin Zhang proposed openstack/nova master: Replace all_tenants with all_projects in List Server APIs  https://review.opendev.org/c/openstack/nova/+/76531102:47
opendevreviewBrin Zhang proposed openstack/nova master: Replaces tenant_id with project_id from Rebuild Server API  https://review.opendev.org/c/openstack/nova/+/76638002:58
opendevreviewBrin Zhang proposed openstack/nova master: Replaces tenant_id with project_id from List/Update Servers APIs  https://review.opendev.org/c/openstack/nova/+/76429205:59
opendevreviewBrin Zhang proposed openstack/nova master: Replace all_tenants with all_projects in List Server APIs  https://review.opendev.org/c/openstack/nova/+/76531105:59
opendevreviewBrin Zhang proposed openstack/nova master: Replaces tenant_id with project_id from Rebuild Server API  https://review.opendev.org/c/openstack/nova/+/76638005:59
kashyapfrickler: Morning: https://listman.redhat.com/archives/libvir-list/2021-November/msg00171.html07:33
*** songwenping_ is now known as songwenping07:45
fricklerkashyap: nice, thx for that. we did change the bullseye job to use swap for now, that seems rather stable and is still faster than the serial variant08:17
kashyapNo problem; I think the series will be respun to use -accel for accelerator in general.  (https://gitlab.com/libvirt/libvirt/-/issues/233)08:19
gibielodilles: hi! you can upgrade your vote ;) on the victoria part of https://review.opendev.org/q/topic:bug/1944759 as the wallaby patches have landed09:46
elodillesgibi: \o/10:00
elodillesgibi: done10:00
gibithanks a lot10:00
elodillesno problem :)10:00
fricklerkashyap: already there. nice monster patch updating umpteen tests ;)10:10
kashyapfrickler: Yep, v2 (from Michal) is large because of the test noise - https://listman.redhat.com/archives/libvir-list/2021-November/msg00194.html10:11
kashyapfrickler: I'm just wiring up the XML config class in Nova.  And writing a commit message 10:11
EugenMayeris there really no better way or even usual default to start vms after a node reboot then adding resume_guests_state_on_host_boot to the nova conf and/or using virsh to add the autostart flag? There is no GUI nor nova API flag (openstack server create) flag to automatically create an instance with autostart?10:45
opendevreviewBalazs Gibizer proposed openstack/nova master: Use ReplaceEngineFacade fixture  https://review.opendev.org/c/openstack/nova/+/81682010:50
opendevreviewBalazs Gibizer proposed openstack/nova master: Fix interference in db unit test  https://review.opendev.org/c/openstack/nova/+/81473510:52
gibiEugenMayer: I think nova considers such automatic recovery as mostly outside of nova scope. An external service can detect the compute host failre and can implement automatic evacuation for some VMs while for others it can wait for the compute host recovery and implement auto startup.10:53
EugenMayergibi interesting. I understand that this is an good option, but it would be somewhat nice to have this as a possible build in default to, or?10:55
EugenMayerbut i understand, if you run hundreds of VMs the strategy to recover could be more suffistacted10:55
gibiEugenMayer: OpenStack has tools to build such behavior top of nova. I.e. https://docs.openstack.org/self-healing-sig/latest/use-cases/heat-mistral-aodh.html10:56
gibithe use case is vaild, I just don't think the implementation needs to be inside nova10:56
EugenMayerthank you for that article, will look into that. 10:58
opendevreviewLee Yarwood proposed openstack/nova master: nova-next: Deploy noVNC from source instead of packages  https://review.opendev.org/c/openstack/nova/+/81673811:07
opendevreviewKashyap Chamarthy proposed openstack/nova master: libvirt: Introduce config classes for QEMU's "tb-cache"  https://review.opendev.org/c/openstack/nova/+/81682311:09
kashyapHuh, plural; it's a single class11:10
opendevreviewKashyap Chamarthy proposed openstack/nova master: libvirt: Introduce config class for QEMU's "tb-cache"  https://review.opendev.org/c/openstack/nova/+/81682311:12
kashyapNot sure if the above WIP requires a bp yet ... but I filed one prememptively (https://blueprints.launchpad.net/nova/+spec/control-qemu-tb-cache)11:14
gibikashyap: I think a specless bp is enough11:35
kashyapgibi: Cool; guessed as much.  :)11:36
sean-k-mooneyEugenMayer: https://docs.openstack.org/masakari/latest/ is really the service you likely want to have automatic evacuation of ha instnaces11:41
sean-k-mooneyyou can manually do it with mistal heat and aodh but masakari is a single service desinged to provide instance ha11:42
EugenMayermigrating from proxmox to openstack, i have VMs with multiple disks. I understand that i can import disks as images using 'openstack image create --import' - but how to create a multi-disk VM?11:43
EugenMayersean-k-mooney interesting. Currently, since we are not planning in cinder, auto-evacuation is not possible anyway11:43
sean-k-mooneyEugenMayer: the imporant thing to remember however for the "core" service like nova is that openstack design principal is not based on a declaritve model its inparitive. e.g. it is not intend to take action autonomusly  only when you interact with the system. so nova should never alter the state of a vm unless you make an api call11:44
EugenMayersean-k-mooney beside doing it from backup, which is rather a manual decision to do so. So not as cloudish as masakari would do it11:44
sean-k-mooneyEugenMayer: i hesitate to say this cause i dislike this code path but without cinder you can use masikari if you put the instnace state dir on an nfs share11:45
EugenMayersean-k-mooney understood. So it is more an API wrapper with high-level tasks, but it does not just act, that is for others to implement11:45
sean-k-mooneyEugenMayer: correct11:45
EugenMayersean-k-mooney nfs share is nothing else as cinder on horrible storage :)11:45
sean-k-mooneyyep and it used a diffeent code path then the one we normally use so less well tested11:45
sean-k-mooneywhich is why its better to avoid it11:46
EugenMayerright now, we go for local disks only, at least for the legacy VMs. K8s cluster is not yet decided. So most of the evacuate features / hot/live migration are not for us with the legacy vms11:46
sean-k-mooneyand the performance sucks vs a real shared stoage system11:46
sean-k-mooneyso back to your multi disk question11:46
sean-k-mooneyyou can create multi disk vms but its not how nova is typically used11:46
EugenMayerthe performance is the main / only reason we are not jumping on ceph or similiar. We have to be realistic, our network is 1GB11:46
EugenMayerwith an MTU of 1400, no jumbo or anything11:47
sean-k-mooneyin the falvor there are 3 storage options disk, ephemeral and swap11:47
sean-k-mooneydisk is the root disk size11:47
EugenMayercan i create VMs manually with any amount of disks since it's virsh in the end? I will only need this for the VMs i migrate - the ones i create from scratch are based on cloud-init and the proper disks you get using nova directly11:48
sean-k-mooneyephemeral is the total amount of addtional ephemeral storage, i belive by default if you dont otherwise say all the ephemeral storage will be created as a singel addtional disk11:48
sean-k-mooneyyou can however subdevide the ephemeral storage into multiple disk on the command line when you create the vm11:48
EugenMayerusing ephemeral storage we stopped, since the bug from 2016 that it cannot be resized :)11:49
sean-k-mooneyEugenMayer: no, as an end use you are not allowed to know the hypervior in use11:49
EugenMayernice, openstack server create is not the tool to go with here i guess11:49
sean-k-mooneyso you can just assume its virsh in the end11:49
EugenMayerso using 'nova' is still hyperevisor agnostic, so it would be somewhat right? using virsh is discourage - that's what you mean, right?11:50
sean-k-mooneyopenstack provides an abstration api over multiple hyperviors like libvirt/kvm, hyperv, vmware  so yes the api is hypervior agnostic mostly11:51
sean-k-mooneyEugenMayer: using virsh is entirely unsupported11:51
sean-k-mooneywith opentask you can use virsh to inspect the xml for debugging11:52
EugenMayerright now, i'am planing on how to migrate my old VMs which might have 1-3 disks. I know how to do it with one-disk setups. openstack image create --import .. the launch from snapshot. With multiple disks it all seems more complicated11:52
sean-k-mooneybut beyond that you shoudl never use virsh to modify any vm created by nova11:52
EugenMayeri see, understood11:53
sean-k-mooneywith multi disk unfortunetly the only option that is supported via the api would be cinder11:53
EugenMayerwhich is not an option (i understand, those would be volumes)11:53
sean-k-mooneythe unsupproted way woudl be to create a mulit disk vm. stop it and then copy the data11:53
EugenMayercopy the data you mean, fs to fs?11:53
EugenMayeror as an image11:53
sean-k-mooneyyes or via a rescue image but avoiding glance11:54
sean-k-mooneyso boot a 3 disk vm then put it in rescue mode using a clonzilla image and have clonzilla reimage the disk using the orignal vm as the image source11:54
sean-k-mooneysomething like that11:54
EugenMayerwow, that sounds quiet complicated. But understood. I somehow create and instance with x disks, then using grml and somehow mount new disks and old disks and sync the filesystem11:55
sean-k-mooneythere are some generic tools that might help virt2virt i think is one? i have never used them myself11:56
sean-k-mooneyhttps://libguestfs.org/virt-v2v.1.html11:56
EugenMayerinteresting, thanks11:58
EugenMayersean-k-mooney i assume that the disk if find on my compute is, eventhough named 'disk' nothing else then jsut a qcow disk11:59
EugenMayerso i really consider going full force and trying to neither do nova-api nor virsh api, but replacing the disks. I understand this is not supported, but in the end, i do not run y types of hypevervisors and i need to migrate12:00
sean-k-mooneyyes you jsut need the qcow12:00
sean-k-mooneyya an simple scp and overridign the disk might work12:01
sean-k-mooneyprovided the disk dont have backing files12:01
EugenMayeri will need to either adjust the size via the XML or via the API12:01
sean-k-mooneyyou might need to first convert the qcow to a flatend one 12:01
EugenMayeryeah aware on how to do this, but i usually use flat12:01
EugenMayerthank you a lot, again!12:02
EugenMayerOne last question, is there an API based way to activate nested-virtualization on a VM? I use host-passthrough already, but not sure that is enough. I need this to run an ESXi which i soley run for image disk conversion 12:05
sean-k-mooneyno nested virt will be avaiable to the vm automatically if the host is configured to allow it12:05
sean-k-mooneyon older kernel you use to have to set teh nested virt flag in the intel-kvm or amd-kvm kernel module options12:06
sean-k-mooneyin newer kernels it default to enabled so that is no longer required12:06
sean-k-mooneyEugenMayer: you can check by installing linbvirt in the guest and runnign virt-host-validate12:07
sean-k-mooneyor just look for vmx or svm on the amd side in lscpu in the guest i think12:07
sean-k-mooneyso ya if your host is set up correctly then it shoudl just work12:08
sean-k-mooneywith that said my expeirnce with nested virt is mainly kvm on kvm and limited expericne with windows(docker/linux subsystem) usecases12:10
sean-k-mooneyboth of those can be made work in openstack but have never tired esxi12:10
kashyapEugenMayer: sean-k-mooney: Nested is enabled only in the newer _upstream_ kernels, though.12:17
kashyapSome distributions might not enable it by default12:17
sean-k-mooneywell its enabled on rhel for intel by default now but not for amd12:18
kashyapEugenMayer: So check before you run.  A handy tool is `virt-host-validate` (it'll check for a whole bunch of things, including /dev/kvm)12:18
kashyapYou can run it on a VM too12:18
sean-k-mooneyyep also said that above its pretty handy but not well advertised in my experince12:18
kashyapsean-k-mooney: No, not even for RHEL for Intel12:19
kashyapsean-k-mooney: RHEL made it tech preview for AMD *and* Intel.12:19
kashyapThere it is, public docs: 12:19
kashyaphttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_virtualization/creating-nested-virtual-machines_configuring-and-managing-virtualization12:19
kashyapsean-k-mooney: Ah, I missed your virt-host-validate reference earlier; maybe we should include it in Nova docs somewhere too12:20
sean-k-mooneywell we retoactivly made it tech preview it was GA'd then we found issue on the intel support12:20
EugenMayerthank you both - sorry was at dinner12:21
kashyapYes, I'm saying about the current status.  "Retroactie" == well, if you spot blocker issues, then you must put it back to tech-preview12:21
kashyapEugenMayer: No prob.  In general, don't feel pressure to respond "instantly" on IRC12:22
kashyapIt's called "instant messaging"; not "instant responding" :D12:22
EugenMayerif i get helped i tend to keep myself as 'instant responding' - but not anybody else. If find this somewhat respecting the time of the answer-giver (what ever that word is:) )12:23
kashyapYes, sure.  That's contextual 12:24
EugenMayeri currently run debian:bullseye with the stable kernel 5.10, will check what status it has and maybe upgrade to backports or spin up an compute on a different OS 12:24
kashyapEugenMayer: Some 7 years ago I wrote this thing, because we used to a see a lot of "naked pings" - https://www.rdoproject.org/contribute/irc-etiquette/12:24
sean-k-mooneyEugenMayer: i think the change was made upstream after 5.10 in 5.14 so with 5.10 it might still be disabel by default12:25
* kashyap --> AFK; back later12:27
EugenMayerkashyap laters!12:27
EugenMayersean-k-mooney https://packages.debian.org/bullseye-backports/linux-image-amd64 so 5.14 could be it 12:28
opendevreviewLee Yarwood proposed openstack/nova master: nova-next: Deploy noVNC from source instead of packages  https://review.opendev.org/c/openstack/nova/+/81673813:39
opendevreviewLee Yarwood proposed openstack/nova master: nova-next: Deploy noVNC from source instead of packages  https://review.opendev.org/c/openstack/nova/+/81673813:55
dansmithgmann: if I have a policy rule with a specific scope_types= set, and then I override that rule with enforcer.set_rules({}) do you know what happens to the scope_types from the default?16:07
dansmithit seems like they are being kept through the override (which I would expect), but that's preventing me from overriding some rules to @ in the tests, like check_image before check_image:allow_volume_backed16:08
dansmithlbragstad: ^16:08
opendevreviewMerged openstack/nova master: [Trival] Fix wrong microversion in TestClass name  https://review.opendev.org/c/openstack/nova/+/81677816:10
lbragstaddansmith i think you're right in that it shouldn't override the scope_type 16:13
dansmithokay, so some of the tests we have hit two policies, and the tests try to @ the first one to make sure we test the second one,16:13
dansmithbut in the case of the "what happens when we enable scope checking" tests, I'm not sure how to get past that16:14
lbragstadoh... 16:14
dansmithother than to just assume that scope violations get caught by the first one16:14
lbragstadthe only way i could think of doing that today would be re-register the rules so that you can reset the scope type of the one you want to pass through 16:15
lbragstadbut that sounds clunky 16:15
dansmithyeah16:15
lbragstadwhat's the scope_type for check_image, project?16:16
dansmithor mock the enforce with a side_effect=[skip(), orig()]16:16
dansmithit was both (of course, like all of them) but I'm moving it back to just project since it's on an instance16:16
dansmith(and it's create_image, typo above)16:16
lbragstadah 16:17
dansmiththe tests allow me to skip the check that makes sure it's the exact rule name that triggers the failure,16:17
dansmithso I could just do that, but it kinda sidesteps the actual verification (although only for the system: contexts, which isn't so bad)16:18
lbragstadand you want to test the second check fails with a system-scoped token?16:18
dansmithI mean it would still ensure the behavior, it's just that the tests currently disable the first check with @ to hit the second for all the context16:18
dansmithjust trying to change as little as possible about the test behavior of course16:18
dansmithmaybe I'll just put a #NOTE in there and leave it for review16:18
lbragstadsure - and that's not necessarily realistic given the discussions the other day16:19
dansmithhttps://termbin.com/z7yz16:22
dansmiththis ^ works16:22
dansmithso we keep the strict checking for the non-scope-enforcing case, but relax it (as allowed by common_policy_check()) if we are scope-obsessed16:23
dansmithoh you know, I could use the base rule name instead of none to be even more explicit16:24
dansmiththe problem is I would get this from the checker:16:24
dansmith    testtools.matchers._impl.MismatchError: !=:16:24
dansmithreference = "Policy doesn't allow os_compute_api:servers:create_image:allow_volume_backed to be performed."16:24
dansmithactual    = "Policy doesn't allow os_compute_api:servers:create_image to be performed."16:24
dansmithbecause we failed on the earlier check before we got to create_image:allow_volume_backed16:24
dansmithanyway, I'm mostly just talking to myself out loud at this point :)16:26
lbragstadyeah - that makes sense16:29
lbragstad i guess my question now is if we think nesting checks like that is going to be a common pattern, or a one off thing here and there16:30
lbragstadfeels like a one-off thing16:31
dansmithit's more a result of nova's test pattern as anything16:32
dansmithbut yeah I'll see as I keep going through it16:32
lbragstadif it's common, i think we should have a better answer for it?16:33
lbragstador potentially consolidate the checks 16:33
dansmithyup16:34
opendevreviewSylvain Bauza proposed openstack/nova master: [doc] propose Review-Priority label for contribs  https://review.opendev.org/c/openstack/nova/+/81686116:43
gmanndansmith: lbragstad yeah, we have this type of multi policy enforcement in nova and I think in neutron there are many. 16:50
gmannbut do we have mixed type of scope_type in such multi policy in single API?16:51
gmannthat sounds not correct if we do have16:51
dansmithgmann: so far that hypervisors "give a different view for projecty people" is the only multi-scope one I know of16:51
gmanndansmith: or it is different APIs like resource creation for GET test etc16:52
gmanndansmith: lbragstad I am thinking to allow tests to disable (set to None) the scope_type but yes only for testing16:53
dansmithgmann: yeah, let me continue through more of this to see how many are a problem16:53
gmanndansmith: in nova case where it is unit tests we can handle with mocking API controller method itself if it is different APIs.16:54
dansmithgmann: yeah, maybe, or just ensure that a system token gets stopped at the parent policy check16:54
gmannyeah with switching the CONF.encorce_scope to false first and then true16:56
dansmithgmann: yeah, index:get_all_tenants and index are in the same boat :/17:06
gmanndansmith: you mean with the new direction or existing scope_type?17:08
gmannbut in both case anyone allow to do index:get_all_tenants should be allow to do index right?17:09
dansmithgmann: I mean checking index before index:get_all_tenants and failing the scope check17:09
dansmithgmann: that's not the problem17:09
gmannbut both are same scope_type17:09
gmannoh no, sorry17:09
dansmithgmann: the problem is that both aren't allowed for system:* but we'll fail on the first one before we get to the second one, even if we set the check_str=*17:09
dansmithit's not actually a problem because as you mention, their scope restriction will be the same, it's just a matter of verification in the tests17:10
gmannyeah17:10
dansmithlet me propose a change to common_policy_check and see what you think17:10
gmann+117:10
gibibottom line: ospurge works and can be used but it does not handle default security group yet.17:15
gibihups17:15
gibiwrong window17:15
opendevreviewDan Smith proposed openstack/nova master: WIP: Allow per-context rule in error messages  https://review.opendev.org/c/openstack/nova/+/81686517:37
dansmithgmann: ^17:37
dansmithgmann: that lets me pass a function that will decide if we should fail on index or index:get_all_tenants17:37
dansmithit means that we don't actually pass the parent check to make sure the child check is the one that fails, but only in the case where the scope_types= is what causes us to fail17:38
dansmith(in the case where we have overridden the parent check to be @)17:39
gmanndansmith: can you give some example of rule_name in this ^^ case?17:43
dansmithgmann: https://termbin.com/0w1b17:45
dansmiththat's snips from multiple places, hopefully that makes sense17:47
dansmithI would push up my actual test changes, but they are a TOTAL mess atm :)17:48
gmanndansmith: so in case of project scoped context they will fail on all-tenant as it will index policy17:49
gmannand for system reader case, it will fail on index but we want to skip that and test all-tenant right?17:50
dansmithfor project member, it will fail index:get_all_tenants17:51
dansmithfor project admin, it will succeed17:51
dansmithfor system * it will fail on index (because of scope check requiring project)17:51
dansmiththe callable makes sure we assert the right rule name in the error message for system:* and project:member17:51
gmannyeah for system* so how you will test index:get_all_tenants when index will fail first17:52
dansmithwell, that's my point.. we won't :)17:52
gmannyeah17:52
dansmithin reality, it doesn't matter because they will be stopped there (operator can't override scope_types in their config file)17:52
dansmithif you think we really need to, then we have to do something more complicated17:53
dansmithyour NOTE in there about rule_name=None, however, seems intended for this purpose, but is less specific than what I have there17:53
gmanndansmith: no, I was thinking from operator perspective. so index policy has to be system+project scoped so yeah test passing/failing on system for all-tenant is ok17:54
gmanndansmith: by this "for system * it will fail on index (because of scope check requiring project)" do you mean you will modify index policy to project scoped only?17:55
gmannif so then we need to to little magic in multi-policy like if system scoped token then check all-tenant policy only and not index-policy. 17:57
dansmithgmann: yeah that's what I'm doing, working on making those project-only again17:57
dansmithI think for these cases, enforce_scope=project will handle that for us17:58
gmannso we want system user to do only 1. get all tenant instances and 2. get single tenant instances with all-tenant=true but NOT 3. get specific tenant instances directly 17:59
gmann?17:59
dansmithgmann: what we discussed on wednesday (and before) is that system users don't get to see project resources, so they can never list instances18:00
gmannas filtering instances of single tenant-id is only allowed with all-tenant parameter 18:00
gmanndansmith: ^^ this is one way to do for them in nova imementation 18:00
gmannwe may want to change that in that case18:00
dansmithgmann: okay I'm confused18:02
gmanndansmith: may be I am confusing with current and newthings. system I mean domain admin who will be allowed to do all-tenant instances 18:02
dansmithI'm working on https://review.opendev.org/c/openstack/governance/+/815158/7/goals/selected/yoga/consistent-and-secure-rbac.rst line 14418:03
dansmithgmann: ah, no I'm talking about system:* specifically :)18:03
gmanndansmith: ohk, so new-system as per our discussion 18:03
dansmithyeah18:03
gmanndansmith: say with doamin-admin, we want index to be project+domain or just project ?18:04
gmannbecause we have to think on filter instance by tenant also in this case18:05
dansmithgmann: yeah I think it'll be domain+project at that point18:05
gmannohk, +118:05
gmannthat will make sense. that what i was asking but sorry confused with system 18:05
dansmithall good, it's all very confusing :)18:05
gmannso now onwards we talk on new things on old way:)18:05
gmannI make note of that18:06
gmanns/on/not18:06
dansmithheh18:07
gmanndansmith: I am sure these multi-policy testing stuff will be more conflicted in the 'GET server with additional attributes' 18:07
dansmithokay, I haven't gotten to that yet18:07
gmannthere are many embedded confusing policy  there18:07
dansmithyeah18:08
dansmithgmann: I wish I had thought of this before I started the refactor,18:11
dansmithbut I also think these tests should provide just the list of who can do a thing, and have it subtract those from the all_contexts lists, and assert which ones can't18:12
dansmithit would make things a lot less verbose and easier to read I think,18:12
dansmithand since you assert that auth+unauth==all, I don't think you lose anything by making it less verbose18:12
gmanndansmith: yeah, and I am realizing now asserting on actual scope_type (for multi-policy API) can give us more clarity on 'who can do a thing'  so that we fix the mulit-policy things on scope_type if there is under or over -permission  18:16
gmannI am thinking not to skip/mock scope_type checks for multi-policy API, skip/mock scope_type only when different APIs policy need to be skipped for testing separate operation on same resoruce18:17
dansmithgmann: I think I know what you mean, and I think I agree :)18:18
gmanndansmith: are you handing the server-boot-on-specific-host case also? this one- https://review.opendev.org/c/openstack/nova-specs/+/79301118:20
gmannif not then I can re-spin the spec as it need microversion bump also. I think we have clear direction now as per wed discussion.18:20
dansmithgmann: not yet18:20
dansmithgmann: I'll skip that one in what I'm doing for now then18:21
gmannok18:21
EugenMayeris there any way to open a serial tty on the terminal when using nova?18:31
EugenMayerI would like to have this on the terminal so c&p is integrated18:34
dansmithgmann: I'm still failing flavor policy but I think I'm going to clean up what I have a little and push it up to get some read on it before I delve into another module18:36
dansmith(failing flavorextraspecs because they depend on server policy to be clear)18:36
gmanndansmith: ohk, in that case can we just set_override CONF.enforce_scope=false for server request and then enable before flavorextraspecs  ?18:45
gmannor you mean 'os_compute_api:os-flavor-extra-specs:index' policy18:45
sean-k-mooneyEugenMayer: you can specify addtion serial port18:46
sean-k-mooneyin the image propertiese18:46
sean-k-mooneythe first will be use for the console but the rest could be used for host comumnication it that is what you wanted18:46
dansmithgmann: I mean those tests appear to do things like servers/detail before/after flavor extra specs work and fail with contexts that don't work anymore18:47
dansmithgmann: I will clean then up, or hack around in the first patch, but I'm about out of steam for the week18:47
dansmithand want to get something up that is close18:47
gmanndansmith: with new direction, this policy needs to be made more granular now. 1. for flavor API showing extraspecs for system user 2. flavor extraspecs in GET servers for porject users18:49
dansmithah, right because of the nested flavors right?18:50
gmannyeah18:50
sean-k-mooneygmann: personally i think even project reader shoudl be able to see extra specs18:50
sean-k-mooneyyou cant really choose between flavor properly without seing them18:50
gmannsean-k-mooney: so indexing the flavor extra specs are system+project things but having extraspec in GET response if only project things18:51
sean-k-mooneyim not sure what you meen by indexing flagor extra specs18:51
gmanndansmith: we might need such granularity in more policy as we de-coupling the system form project resources but need to check case by case18:51
opendevreviewDan Smith proposed openstack/nova master: WIP: Revert project-specific APIs for servers  https://review.opendev.org/c/openstack/nova/+/81620618:51
dansmithgmann: ack18:51
gmannsean-k-mooney: i mean this '/flavors/{flavor_id}/os-extra_specs/'18:52
sean-k-mooneyi think that should really be readable by everyone18:52
sean-k-mooneyi know there are reason to hide it in some cases but in general by default i think it shoudl be open18:53
sean-k-mooneyand i think the same really shoudl be true of the server show18:53
dansmithsean-k-mooney: what kinds of things could be in flavor extra specs that would be sensitive?18:54
dansmithtopology of the instance isn't really sensitive if you can see the rest of the instance, IMHO18:54
dansmithtrying to think of what else could be in there though18:54
sean-k-mooneydansmith: non standard extra spec used for filters18:54
sean-k-mooneythat about it18:55
dansmithsomething they passed during create to cause it to be scheduled in some way right?18:55
sean-k-mooneywe could exclude un namescased extra specs and the filter ones by default for non admin18:55
dansmiththat's not really something we should show to member but hide from reader18:55
dansmith(which I think is your point)18:56
sean-k-mooneyyes 18:56
sean-k-mooneywe likely would want to hide https://github.com/openstack/nova/blob/master/nova/api/validation/extra_specs/aggregate_instance_extra_specs.py#L5318:57
sean-k-mooneyanything prefixed with aggregate_instance_extra_specs: or that is not namespaced18:57
sean-k-mooneyform member and reader18:57
sean-k-mooneybut hw:mem_page_size=large e.g. this flavor use hugepages is proably relevent to memebers18:57
dansmithdo we hide that today?18:58
sean-k-mooneyi dont know what the default is since im almost alwasy admin when i interact but its contoled by poligy18:58
sean-k-mooney*policy18:58
sean-k-mooneyhowever its all or nothing18:58
dansmithokay18:58
sean-k-mooneywe dont filter18:58
dansmithbut regardless, I think you point (which I agree with) is that there doesn't likely need to be any that we distinguish between project member and reader18:59
sean-k-mooneyhttps://github.com/openstack/nova/blob/master/nova/policies/flavor_extra_specs.py18:59
dansmithand that's kinda the point of reader, AIUI18:59
gmannit is reader by default currently 18:59
sean-k-mooneyPROJECT_READER_OR_SYSTEM_READER18:59
sean-k-mooneyyep18:59
dansmith++18:59
sean-k-mooneygmann: i toght you were suggestign changing that19:00
* dansmith thought so too19:01
gmannsean-k-mooney: no, i mean we need to make it granular for GET servers so that we can remove system_reader from GET server as they cannot GEt server right19:01
sean-k-mooneyflavor unless you use the flavor access api to me are system resouces19:01
gmannflavor API will be same so no change19:01
dansmithgmann: yes, because you can get these either through servers or flavors,19:02
gmannyeah19:02
dansmithyeah19:02
sean-k-mooneyi cant find it but i tought we had a policy for if this si shown in server detail by the way19:03
sean-k-mooneymaybe re never added it19:03
sean-k-mooneyi guess ya we just have this one policy https://github.com/openstack/nova/blob/master/nova/policies/flavor_extra_specs.py#L7619:05
gmannyeah, this one19:08
lyarwoodmelwitt: FWIW the nova-next change to noVNC from source did actually fail on a novnc test with the latest run https://zuul.opendev.org/t/openstack/build/f626656bc01b4cb7aee847e21f3b4b4c - I don't have the energy to look into it now but will take a look on Monday.19:27
sean-k-mooneyis openstack server restore undelete?19:35
sean-k-mooneyi tought it was restore form backup but i guess not19:35
lyarwoodhttps://docs.openstack.org/api-ref/compute/#restore-soft-deleted-instance-restore-action - yup it restores soft deleted instances19:37
sean-k-mooneyok in my head i put backup and restore together19:37
lyarwoodsean-k-mooney: I thought you just spawned a new instance from the backup image?19:38
sean-k-mooneyyou do a rebuild19:39
sean-k-mooneywell it depend on why you are doing it19:39
sean-k-mooneyinfra failure then sure but if its just to roleback guest state tehn rebuild19:40
melwittlyarwood: ack, I'll look and see if anything stands out to me19:50
opendevreviewLee Yarwood proposed openstack/nova master: DNM - Test tempest-integrated-compute-centos-8-stream  https://review.opendev.org/c/openstack/nova/+/79999619:58
*** blmt is now known as Guest503620:04
opendevreviewmelanie witt proposed openstack/nova master: nova-next: Deploy noVNC from source instead of packages  https://review.opendev.org/c/openstack/nova/+/81673820:39
*** yoctozepto8 is now known as yoctozepto21:28
« Thursday, 2021-11-04 Index Saturday, 2021-11-06 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!