opendevreview | Ghanshyam proposed openstack/osc-placement master: Updating python testing as per Yoga testing runtime https://review.opendev.org/c/openstack/osc-placement/+/819203 | 00:08 |
---|---|---|
opendevreview | Ghanshyam proposed openstack/os-vif master: Updating python testing as per Yoga testing runtime https://review.opendev.org/c/openstack/os-vif/+/819204 | 00:08 |
opendevreview | Ghanshyam proposed openstack/os-traits master: Updating python testing as per Yoga testing runtime https://review.opendev.org/c/openstack/os-traits/+/819205 | 00:08 |
opendevreview | Ghanshyam proposed openstack/placement master: Updating python testing as per Yoga testing runtime https://review.opendev.org/c/openstack/placement/+/819206 | 00:08 |
opendevreview | Ghanshyam proposed openstack/os-resource-classes master: Test all supported python version https://review.opendev.org/c/openstack/os-resource-classes/+/819207 | 00:16 |
opendevreview | Ghanshyam proposed openstack/python-novaclient master: Updating python testing as per Yoga testing runtime https://review.opendev.org/c/openstack/python-novaclient/+/819208 | 00:16 |
*** EugenMayer9 is now known as EugenMayer | 00:56 | |
mnaser | sdmitriev1: perhaps you can take the time to fix the merge conflict? | 03:21 |
*** tkajinam is now known as Guest6741 | 06:15 | |
bauzas | happy turkey day everyone | 08:50 |
nautik | Hello! I updated a merge request from a few months ago and it seems there is a "DellEMC PowerFlex CI" build failing with a message "EMC_PowerFlex_NOVA [...] : NOT_REGISTERED". Other builds (VMware, IBM...) succeeded. | 08:50 |
nautik | is that expected or should I do something about it? | 08:50 |
nautik | the mr is https://review.opendev.org/c/openstack/nova/+/781076 | 08:50 |
frickler | nautik: that means that this 3rd party CI is offline. not related to your patch, nothing you can do about it | 08:56 |
frickler | except possibly trying to contact the CI operators, but that task should be on the nova team in general, not on you as patch author | 08:57 |
nautik | ok cool! thank you for the feedback, then this MR is ready for review | 09:07 |
nautik | (not sure if I need to add some tags or do anything more to make it visible?) | 09:07 |
frickler | nautik: just give it a couple of days, this week is also holiday season in some parts of the world. I there is no response after that, you could try pinging folks here again | 09:11 |
frickler | s/I/If/ | 09:12 |
nautik | right, forgot that! Thank you and have a good day :) | 09:15 |
opendevreview | Dmitrii Shcherbakov proposed openstack/nova master: [yoga] Support remote-managed SmartNIC DPU ports https://review.opendev.org/c/openstack/nova/+/812111 | 12:17 |
opendevreview | Merged openstack/nova master: Retry image download if it's corrupted https://review.opendev.org/c/openstack/nova/+/818503 | 13:05 |
sdmitriev1 | mnaser: good call, will look into that | 13:44 |
opendevreview | Stanislav Dmitriev proposed openstack/nova stable/xena: Retry image download if it's corrupted https://review.opendev.org/c/openstack/nova/+/819179 | 13:55 |
opendevreview | Stanislav Dmitriev proposed openstack/nova stable/wallaby: Retry image download if it's corrupted https://review.opendev.org/c/openstack/nova/+/819180 | 13:55 |
opendevreview | Stanislav Dmitriev proposed openstack/nova stable/victoria: Retry image download if it's corrupted https://review.opendev.org/c/openstack/nova/+/819181 | 13:55 |
lyarwood | gibi: https://review.opendev.org/c/openstack/nova/+/818357 would you mind taking a look at this? | 14:09 |
gibi | sure | 14:09 |
gibi | done | 14:11 |
gibi | thanks for updating our docs | 14:11 |
opendevreview | Merged openstack/nova stable/xena: Ensure MAC addresses characters are in the same case https://review.opendev.org/c/openstack/nova/+/816882 | 15:07 |
opendevreview | Artom Lifshitz proposed openstack/nova master: Add nova-ovs-hybrid-plug job https://review.opendev.org/c/openstack/nova/+/817303 | 15:52 |
opendevreview | Artom Lifshitz proposed openstack/nova master: DNM: Try disabling bind-time events https://review.opendev.org/c/openstack/nova/+/819349 | 15:52 |
*** artom_ is now known as artom | 15:53 | |
opendevreview | Artom Lifshitz proposed openstack/nova master: Add nova-ovs-hybrid-plug job https://review.opendev.org/c/openstack/nova/+/817303 | 16:00 |
opendevreview | Artom Lifshitz proposed openstack/nova master: DNM: Try disabling bind-time events https://review.opendev.org/c/openstack/nova/+/819349 | 16:00 |
opendevreview | Artom Lifshitz proposed openstack/nova master: Add nova-ovs-hybrid-plug job https://review.opendev.org/c/openstack/nova/+/817303 | 16:21 |
opendevreview | Artom Lifshitz proposed openstack/nova master: DNM: Try disabling bind-time events https://review.opendev.org/c/openstack/nova/+/819349 | 16:21 |
opendevreview | Ghanshyam proposed openstack/nova master: Updating tests with Yoga testing runtime https://review.opendev.org/c/openstack/nova/+/819194 | 16:56 |
opendevreview | Ghanshyam proposed openstack/nova master: Updating tests with Yoga testing runtime https://review.opendev.org/c/openstack/nova/+/819194 | 17:38 |
opendevreview | Merged openstack/nova master: docs: Update libvirt distro support matrix for Xena https://review.opendev.org/c/openstack/nova/+/818357 | 17:40 |
EugenMayer | What are the thoughts about moving secrets into the meta-data service which are shared e.g. by cluster nodes? Is this considered heavily unsecure? AFAIC each instance can only access its own meta-data and cannot read any other instance meta-data, right? (Is this actually a nova or neutron question?) | 17:44 |
opendevreview | Artom Lifshitz proposed openstack/nova master: Add nova-ovs-hybrid-plug job https://review.opendev.org/c/openstack/nova/+/817303 | 18:16 |
opendevreview | Artom Lifshitz proposed openstack/nova master: DNM: Try disabling bind-time events https://review.opendev.org/c/openstack/nova/+/819349 | 18:16 |
sean-k-mooney | EugenMayer: am well you are partly correct | 18:16 |
sean-k-mooney | EugenMayer: each instance is only able to access its own metadata | 18:16 |
sean-k-mooney | however the metadata is also available via the api | 18:16 |
sean-k-mooney | so anyone in the project can access it via the api | 18:17 |
EugenMayer | yes sure, every openstack admin can access it .. but this one can also simply access the storage and read anything. | 18:17 |
sean-k-mooney | we also do not encrypt the metadata in any way in the nova db or when it's sent to the instance | 18:17 |
EugenMayer | I understand. It is plain text, sent plain text | 18:18 |
sean-k-mooney | yep | 18:18 |
sean-k-mooney | so as an end user you can do this but you really should use barbican | 18:18 |
sean-k-mooney | https://docs.openstack.org/barbican/latest/ | 18:19 |
sean-k-mooney | EugenMayer: it provides an implementation of a secure key manager which users and openstack can use | 18:19 |
EugenMayer | interesting - usually i would rather use vault | 18:19 |
sean-k-mooney | EugenMayer: it has a vault plugin | 18:20 |
sean-k-mooney | https://docs.openstack.org/barbican/latest/configuration/plugin_backends.html#enabling-multiple-barbican-backends | 18:21 |
EugenMayer | what is the actual key USP of barbican compared to vault? Is there any auto-scoping of instances into "their namespace" or something like that? If it is just "if you have a specific token you can check in a secret KV for values you are interested in" i rather would use vault | 18:21 |
EugenMayer | i see | 18:21 |
EugenMayer | sean-k-mooney: i know i repeat myself - but nevertheless, thank you very much! | 18:23 |
sean-k-mooney | EugenMayer: basically openstack as a project has declared that we will not manage secrets in each project | 18:23 |
sean-k-mooney | we use castellan to provide a generic key manager https://github.com/openstack/castellan | 18:23 |
sean-k-mooney | and then barbican provides a secrets as a service api that end users or services can use | 18:24 |
sean-k-mooney | castellan supports barbican as a secret store and barbican supports several backends to actually store the secrets | 18:24 |
EugenMayer | I'm not yet sure i will need either of these. all secrets except this one are handled in k8s, this one is just to provision rke2. So i might stick to a chef-databag here since i use it to provision rke2 anyway | 18:25 |
sean-k-mooney | if you don't need to expose secrets as a service via openstack by the way castellan can also use vault directly | 18:25 |
sean-k-mooney | https://github.com/openstack/castellan/blob/master/castellan/key_manager/vault_key_manager.py | 18:25 |
EugenMayer | interesting, simple wrapper to read/write from the KV | 18:27 |
sean-k-mooney | https://docs.openstack.org/nova/latest/configuration/config.html#key_manager.backend you just need to set that to vault and populate the related config options that are needed | 18:27 |
sean-k-mooney | EugenMayer: i don't know how much it's used/tested | 18:28 |
sean-k-mooney | i don't often work on this part of the code but hopefully that helps | 18:29 |
EugenMayer | I would not go the wrapper, around the wrapper around the wrapper way for this. If i need this, i will stick to vault directly IMHO. But it def. is good to know how things are handled and valued in the ecosystem | 18:29 |
EugenMayer | meta-data is plaintext only, even though per instance, can be exploited if having enough API access (obviously). barbican to the rescue, will require a token to read from the storage, so knowledge required | 18:30 |
sean-k-mooney | EugenMayer: metadata will also show up in your debug logs in some cases | 18:30 |
opendevreview | Artom Lifshitz proposed openstack/nova master: Add nova-ovs-hybrid-plug job https://review.opendev.org/c/openstack/nova/+/817303 | 18:30 |
opendevreview | Artom Lifshitz proposed openstack/nova master: DNM: Try disabling bind-time events https://review.opendev.org/c/openstack/nova/+/819349 | 18:30 |
sean-k-mooney | so it's really not intended for private stuff | 18:31 |
sean-k-mooney | EugenMayer: also just so you are aware instance metadata is included in nova notifications | 18:32 |
sean-k-mooney | amqp is meant to be secured because it contains sensitive things but it's just more reason not to store passwords/keys in it if you can avoid it | 18:33 |
EugenMayer | understood, thank you! | 18:35 |
opendevreview | Stephen Finucane proposed openstack/nova master: Deprecate the zvm driver https://review.opendev.org/c/openstack/nova/+/819365 | 18:50 |
opendevreview | Stephen Finucane proposed openstack/nova master: Deprecate the powervm driver https://review.opendev.org/c/openstack/nova/+/819366 | 18:55 |
opendevreview | Stephen Finucane proposed openstack/nova master: Deprecate the zvm driver https://review.opendev.org/c/openstack/nova/+/819365 | 18:56 |
artom | Zombie developer removing zombie code | 19:01 |
stephenfin | mmm, brainz | 19:22 |
opendevreview | Merged openstack/nova master: db: Don't use legacy 'Row()' methods https://review.opendev.org/c/openstack/nova/+/817746 | 19:50 |