Tuesday, 2022-05-17

« Monday, 2022-05-16 Index Wednesday, 2022-05-18 »
opendevreviewMerged openstack/nova master: Drop lower-constraints.txt and its testing  https://review.opendev.org/c/openstack/nova/+/84002100:01
opendevreviewJulia Kreger proposed openstack/nova-specs master: Discussion: Options to address ironic driver rebalance  https://review.opendev.org/c/openstack/nova-specs/+/84201501:14
melwittelodilles: would like to have your opinion about one-off func test change vs backporting func test refactor https://review.opendev.org/c/openstack/nova/+/841483/2#message-295349b50b8233180cd5015ab8b977bab074765b at your convenience03:14
*** gibi_pto is now known as gibi05:51
opendevreviewRico Lin proposed openstack/nova-specs master: Add vIOMMU device support for libvirt driver  https://review.opendev.org/c/openstack/nova-specs/+/84031007:35
elodillesmelwitt: i've commented on the patch. (in general one-off maybe better, but if this would be needed multiple times and considering this smaller functional test refactor, maybe it is acceptable to backport it)08:37
*** akekane_ is now known as abhishekk09:36
gibisean-k-mooney: hi! I'm about to start fixing nits in the PCI tracking spec, but if you already in the middle of reviewing it then I can hold until your comments10:10
sean-k-mooneyim in the middel of reviewing but sofar i have no comments to add :)10:18
sean-k-mooneyso if you want to fix them go ahead10:18
gibiOK thans. I will fix the nits then soon10:22
opendevreviewBalazs Gibizer proposed openstack/nova-specs master: PCI device tracking in Placement  https://review.opendev.org/c/openstack/nova-specs/+/79104710:38
gibisean-k-mooney, stephenfin, melwitt: thanks for the reviews so far I fixed up the last batch of nits in the spec ^^10:38
erlonsean-k-mooney: melwitt: hey guys, good morning, can I get some eyes on the pre-livemigration rollback patch?11:48
erlonhttps://review.opendev.org/c/openstack/nova/+/83601411:48
sean-k-mooneyyep ill take a look although i currently dont have stable rights but ill confrim it hte patch looks sane11:54
sean-k-mooneyjust finsihing a spec review but ill be doen shortly11:54
sean-k-mooneygibi: +1 some nits and one question inline but im more or less +212:25
gibisean-k-mooney: thanks. I can trim down the required / forbidden traits tag to just having ``traits`` and implement required traits now similar in the first round. We can see if we need forbidden traits later ever12:30
sean-k-mooneyim not pushed really either way i was just thinkign about it as one filed wiht forbiden triat modedl with a - or ! if supproted12:32
sean-k-mooneyi dont think its much work to supprot forbidien traits so i dont really see any harm in including it12:33
sean-k-mooneyit wont expand scope that much12:33
sean-k-mooneyif other are ok with what you ahve propsoed im fine to upgrade to +212:33
sean-k-mooneybut i want to wait of melwitt and stephenfin  to comment12:33
gibisure, lets see what the others think12:34
gibiand thanks again for the review12:34
sean-k-mooneyno worreis. thanks for volenterring to take this on :)12:34
gibi:)12:34
opendevreviewribaudr proposed openstack/python-novaclient master: Microversion 2.91: Support specifying destination host to unshelve  https://review.opendev.org/c/openstack/python-novaclient/+/83165112:44
sean-k-mooneybauzas: i assume you are respining the keypair spec13:01
bauzassean-k-mooney: yes, I was about to ping you and gmann13:07
bauzasabout the x508 type13:08
bauzasI think we should continue to accept this parameter13:08
sean-k-mooneyfor listing13:09
sean-k-mooneynot for generation right13:09
sean-k-mooneyso we will keep type for show and import13:10
sean-k-mooneybut remove generation for all types in the microversion13:10
bauzassean-k-mooney: you can import a x508 public key https://github.com/openstack/nova/blob/972c06c608f0b00e9066d7f581fd81197065cf49/nova/api/openstack/compute/keypairs.py#L10513:11
sean-k-mooneyyes i know13:11
sean-k-mooneythat was never in doubt at least in my mind13:11
bauzasif so, we create a fingerprint13:12
sean-k-mooneyi was not sure if we could generate them but we can13:12
bauzassean-k-mooney: you can generate them too13:12
sean-k-mooneyyes i know i found the code13:12
sean-k-mooneyso i dont want the capablities to differ per type13:12
bauzasyes13:12
sean-k-mooneyso i dont want to kep generateion for x509 but drop it for ssh in teh new microverion13:13
bauzasso I'll remove this in the spec13:13
sean-k-mooneyack13:13
sean-k-mooneyso we will remvoe generation for all types13:13
sean-k-mooneybut keep type in the api for import and list13:13
sean-k-mooneycorrect?13:13
sean-k-mooneyand keep the generation code for older microverions13:13
bauzassean-k-mooney: yes, just stoping to accept no public key13:14
bauzasby the new microversion, yes13:15
sean-k-mooneythat works for me13:15
opendevreviewSylvain Bauza proposed openstack/nova-specs master: Proposes to remove keypair generation  https://review.opendev.org/c/openstack/nova-specs/+/84021713:29
*** haleyb_ is now known as haleyb13:38
kashyapgibi: FFS, now CentOS9S seem to fail this - https://review.opendev.org/c/openstack/nova/+/83892613:54
kashyapI just can't seem to get rid off my back13:54
kashyapIt's another unrelated random timeout: https://zuul.opendev.org/t/openstack/build/bcaf2154eeb545cdb7907d0c807513e913:55
*** dasm|off is now known as dasm13:56
gibikashyap: that was another disk detach issue14:23
sean-k-mooneyshould we make the c9s job non-voting14:31
sean-k-mooneyi have seen that fail quite offen with the detach issue14:31
kashyapgibi: Oh, damn; is that a real one?14:34
kashyapsean-k-mooney: Yeah, we should until that known issue is resolved.  I wonder if others disagree14:35
sean-k-mooneykashyap: i dont think its realated to your patch if that is what you are asking14:35
gibiI think we are still in the progress of landing the tempest patches that adds the waiter unit the guest boots up14:35
sean-k-mooneykashyap: but device detach is really really falky on centos 914:35
kashyapsean-k-mooney: No; I was asking if it's an unrelated new issue :)14:35
gibiit is not new14:35
gibiand it is not related to your patch14:35
sean-k-mooneykashyap: its unrelated to your patch14:35
kashyap(Yep, noted)14:36
sean-k-mooneygibi: i tought the tempest chagnes were landed on master14:38
sean-k-mooneyhttps://review.opendev.org/q/topic:wait_until_sshable_pingable14:39
sean-k-mooneyso https://review.opendev.org/c/openstack/tempest/+/817772?14:39
sean-k-mooneyhum tempest.api.compute.volumes.test_attach_volume.AttachVolumeMultiAttachTest14:41
sean-k-mooneyis what failed14:41
sean-k-mooneyso maybe that is not useing that yet14:41
sean-k-mooneyapprently it is https://github.com/openstack/tempest/blob/master/tempest/api/compute/volumes/test_attach_volume.py14:42
sean-k-mooneyperhaps test_resize_server_with_multiattached_volume is not14:42
gibiI noted this particular failure in https://bugs.launchpad.net/nova/+bug/1960346/comments/2914:43
sean-k-mooneyah14:43
sean-k-mooneyhttps://github.com/openstack/tempest/blob/master/tempest/api/compute/volumes/test_attach_volume.py#L495=14:43
sean-k-mooneyso we need to wait after that resize14:43
gibiafter resize we only wait for ACTIVE state then go and detach14:43
sean-k-mooneyor in teh resize call we need to wait for it to be sshable again14:43
gibiyepp14:44
sean-k-mooneyya14:44
sean-k-mooneyok i dont see a patch for that in the seriese at least not on the topic14:44
sean-k-mooneybut that makes sense why this is still failing14:44
gibiprobably it is easier to grep for detach calls and put a wait before them14:44
gibigmann: fyi ^^ https://bugs.launchpad.net/nova/+bug/1960346/comments/2914:45
sean-k-mooneyperhaps 14:45
sean-k-mooneyso we could put a wait here https://github.com/openstack/tempest/blob/569c7a89f54c94494fde46ce2aa4fbd26492e640/tempest/api/compute/base.py#L459-L469=14:45
sean-k-mooneyor14:46
sean-k-mooneywe could put a wait here https://github.com/openstack/tempest/blob/569c7a89f54c94494fde46ce2aa4fbd26492e640/tempest/api/compute/base.py#L547=14:46
sean-k-mooneyin detach14:46
sean-k-mooneyif we do it in detach it shoudl alway ensure that we check its sshabel when we are about to detach but we woudl likely need a flag to hadnel teh vm state14:47
sean-k-mooneye.g. if its not active14:47
gibiyeah14:48
sean-k-mooneypersonally while i dont really liek the wackamole approch i would prefer not to put it in detach14:49
sean-k-mooneyso put it in reszie ectra as those operations already have the instance and are changing the state14:49
gibibut not all VM lifecycle operation, not all resize, will be followed by a detach14:52
gibiso it is a waste to wait if no detach is done later14:53
sean-k-mooneyyes but we could wait in all cases whre we expect the vm to be active14:53
sean-k-mooneyya so it a questoin of how much knolage we want the autor and review of tempest chagne to need14:53
sean-k-mooneywe can be extra safe and alway wait when ever we expect a vm to be active14:54
sean-k-mooneyor we can put it in only when we expect to do a detach14:54
sean-k-mooneyin which case we shoudl not modify resize or detach and just add the wait in the respective tests14:54
sean-k-mooneyi think the pattern they are taking is to pass sshable to wait_until14:56
sean-k-mooneyand do that at the call site14:56
sean-k-mooneyas was done here https://review.opendev.org/c/openstack/tempest/+/840112/2/tempest/api/compute/base.py14:57
sean-k-mooneyso we woudl add wait_until='ACTIVE' a paramater to resize14:57
sean-k-mooneyand pass    wait_until='SSHABLE' in that test that is failing when we call resize_server14:58
gibiI think that wait_until thing is specificly for create_server14:58
gibiwe need to extend resize_server to make the wait14:59
gibithere is even something called as a validation resource to be passed around15:00
gibi... I'm putting something together...15:01
sean-k-mooneyi tought it was passed to  waiters.wait_for_server_status15:03
sean-k-mooneyhum perhaps not15:04
sean-k-mooneygibi: it was not ment to be specific to create server15:04
sean-k-mooneywe have the genirc waiters https://review.opendev.org/c/openstack/tempest/+/817635/15/tempest/common/waiters.py#57615:05
sean-k-mooneybut ya its not plumed into the wait for status waiter at leas not in that patch15:06
gibiyeah it is complicated as you need ssh set up including networking and keyts15:06
gibikeys15:06
sean-k-mooneyyep the pingable version was ment to aovid that15:07
sean-k-mooneyyou still need sec groups and network config15:07
sean-k-mooneybut slightly less overhead15:07
sean-k-mooneyin anycase it makes sense why resize is still flaky15:08
gibiyepp15:09
bauzasreminder : nova meeting in 47 mins here 15:13
gmannbauzas: sean-k-mooney: I am on same page for key generation things 1. remove only key generation support 2. keep 'type' as it is15:15
bauzas++15:15
gmanngibi: sean-k-mooney I am not surprise on c9s job unstable.15:19
gibisean-k-mooney, kashyap, gmann: https://review.opendev.org/c/openstack/tempest/+/84214015:19
sean-k-mooneygmann: do you know why that was made voting?15:19
sean-k-mooneyi was not expecting to have a voting job yet15:20
gmanngibi: sean-k-mooney but we should not make SSH-able by deafult in base class for all test but 842140 approach is good15:20
gmannsean-k-mooney: because it was passing and we want to see how long it will :)as non voting goes unmonitored 15:20
sean-k-mooneygmann: right but for nova we had said we did want it to be voting intially at the ptg15:21
gmanngibi: sean-k-mooney I think we can do those grep for detach and make them SSH-able. I tried to do in that series but might not have finished15:21
sean-k-mooneyso i was surpsed ot see it in the nova gate15:21
sean-k-mooneysicne we had not got around to creating the nova-next centos job yet15:21
sean-k-mooneybut i guess the templats got updated?15:21
gmannsean-k-mooney: you mean 'did not want it to be voting' if 'did want it to be voting' ?15:21
gibiactually I'm fine that is voting, this way we are forced to fix these missing waiters15:22
sean-k-mooneywe intially did not want he centos job to be voting in nova. i was suggesting adding one based on nova-next15:22
kashyapgibi: Oh, cool15:22
kashyap            wait_until in ("SSHABLE", "PINGABLE") and15:22
kashyap            CONF.validation.run_validation15:22
sean-k-mooneygibi: well im ok with it but i was expecting use to let it bake for a while15:23
gmannif detach things is only failing we ill keep identified the test waiting for SSH-able or can grep in advance.15:23
gmannand if more other failure start then we can think of making it non voting/15:23
gibigmann: ack15:24
sean-k-mooneygmann: gibi  actully i guess the issue is i missed this https://github.com/openstack/nova/commit/ed3abea3b239044bf72277d548da5e2277aed8f515:25
sean-k-mooneygibi: i did not think we had added centos based testing in or check/gate pipeline yet at all15:26
sean-k-mooneyso when i brought it up in the ptg i was epecting to let it bake for a few months15:26
gmannsean-k-mooney: yeah, centos stream is first  we are trying i think and c9s as voting15:26
sean-k-mooneybefore making it voting15:26
sean-k-mooneygmann: is this happing in other project too15:27
gmannbut I am not saying we have to it is like if they are stable we keep them voting and if unstable and no help from centos community then we can think of removing the distro testing frmo testing runtime. example opensuse15:27
sean-k-mooneybecause we wanted to add it to nova to test very speicific things namely newer libvirt and q35 by defualt15:27
gmannsean-k-mooney: happening failure or making it voitng?15:28
sean-k-mooneygmann: the testing runtime dose not define what os we test on in the indivigual projects15:28
gmannsean-k-mooney: we define minimum expectation of testing and those are needed to be stable as base distro or QA support15:29
sean-k-mooneyas in centos being listed in the testing runtime has never ment that nova or neutron tested with it15:29
sean-k-mooneygmann: centos has been in the pti for years but it was only added to nova in yoga by gibis patch15:29
gmannsean-k-mooney: it is not like that, it is meant as a minimum expectation from every project but as devstack itself and our CI/CD is mostly on ubuntu we are doing that only and centos etc are mostly tested in tripleo or so15:30
sean-k-mooneygmann: right i am privding feed back that that is not how it has worked previously15:30
gmannsean-k-mooney: not by gibi patch, it is made voting in tempest side I think lee adedd this c8s integrated job15:30
sean-k-mooneyso form my persepitve this is a change in expecation from teh QA team15:30
gmannsean-k-mooney: I know, we are trying if c9s as base can be stable as that is must needed for FIPS testing also which a community wide goal now. 15:31
sean-k-mooneyyep im aware of the fips intersect15:31
gmannsean-k-mooney: if c9s is not stable we will make it clear 1. can centos community help in making it stable 2. if no then let's not spend time on this and drop the entire support like opensuse we did15:31
bauzasI said it downstream but I saw something fun :  https://blueprints.launchpad.net/nova/+spec/update-userdata   Registered by Steve Baker on 2013-10-0715:32
gmannand having them voting is my main goal to know the data15:32
bauzason that date, I was just starting to work on Nova :)15:32
sean-k-mooneygmann: right so when i brogt it up at the ptg for the last 3 ptgs or more15:32
bauzasand my kid was 3yo :)15:32
sean-k-mooneyi started with not having it voting ot not blocke patche merging until it was table15:33
sean-k-mooneygmann: i wanted to have it voting eventuly too15:33
sean-k-mooneyand mensiton using fips testing as one of the reasons to do this as well as teting newer libvirt15:33
sean-k-mooneygmann: so i think we are aligned15:33
sean-k-mooneyjust was not expecting it to be voting until m2 honestly15:34
gmannsean-k-mooney: yeah, I think we are saying same thing. if that become unstable we will make it non voting even that is what QA plan is. but as long as it is passing (we will fix the detach things) it is ok to try15:34
sean-k-mooneygmann: untill we fix the detach thing i think its unstable which is why 15:34
sean-k-mooneylee had a patch to change it to voting at the end of the sshable series15:35
sean-k-mooneyhttps://review.opendev.org/c/openstack/devstack/+/834546 15:35
sean-k-mooneyi guess is what made the change15:35
gmannyeah  that is what I did, fixed most flaky test and see15:36
sean-k-mooneyit was proably meged too soone but that fine15:36
gmannbut sure, let me make all detach tests SSH-able whatever remaining 15:36
* sean-k-mooney opens https://review.opendev.org/c/openstack/tempest/+/84214015:37
gmanngibi: left 1 comment, rest lgtm https://review.opendev.org/c/openstack/tempest/+/842140/1/tempest/api/compute/base.py#48215:38
sean-k-mooneyhehe15:38
sean-k-mooneywe basically asked the same question15:38
sean-k-mooneybut i dont think we can hard code15:39
sean-k-mooneyto active15:39
sean-k-mooneywe can only set it to active if it was "sshaable" or "pingable"15:39
sean-k-mooneyif the instance was stopped when you resize it15:39
sean-k-mooneyit wont go to active after its resized15:39
gibiit was hardcoded to ACTIVE before the change15:40
gibiso I think we can hardcode it now too :)15:40
sean-k-mooneyi guess we dont resize stoped guests?15:40
gibiI guess so15:40
sean-k-mooneyok then they can update that when the add a test for that15:40
sean-k-mooneyso ok hardcode it15:40
gibicool15:40
gibiI will respin15:40
gmannif run validation is disabled then hard coded is ok15:40
gmannand we know detach will be the issue that time15:41
gmannthese carry forwards comments from previous PS are becoming more iterating now. I am sure 3rd person reviewing this first time will be confused on it if they are fixed or not - https://review.opendev.org/c/openstack/tempest/+/842140/2/tempest/api/compute/base.py15:46
gmann*irritating :) 15:47
gmannmay be just for me15:47
sean-k-mooneyya they are15:47
sean-k-mooneyi have started activly cleaning them up when i do reviews now15:47
sean-k-mooneyso i take a pass over a review comparing the old patch to new and and mark them as done if they are15:48
sean-k-mooneythen i do a reivew after the patch is "clean"15:48
sean-k-mooneyits a pain15:49
gmannyeah15:52
bauzas#startmeeting nova16:02
opendevmeetMeeting started Tue May 17 16:02:02 2022 UTC and is due to finish in 60 minutes.  The chair is bauzas. Information about MeetBot at http://wiki.debian.org/MeetBot.16:02
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.16:02
opendevmeetThe meeting name has been set to 'nova'16:02
bauzassorry, was late 16:02
gibio/16:02
dansmitho/16:02
elodilleso/16:02
Ugglao/16:02
bauzas#link https://wiki.openstack.org/wiki/Meetings/Nova#Agenda_for_next_meeting16:02
* bauzas was having his brain locked due to some previous meeting16:02
bauzasand the heat wave here makes me melting16:03
bauzaslet's start then16:03
bauzas#topic Bugs (stuck/critical) 16:03
bauzas#info No Critical bug16:03
bauzas#link https://bugs.launchpad.net/nova/+bugs?search=Search&field.status=New 14 new untriaged bugs (-5 since the last meeting)16:03
bauzaskudos to Uggla for this excellent work16:03
bauzashe wrote a triage etherpad (yet again, this wasn't mandatory to do it) but in case you wanna know what he triaged https://etherpad.opendev.org/p/nova-bug-triage-2022051016:04
bauzas#link https://storyboard.openstack.org/#!/project/openstack/placement 26 open stories (0 since the last meeting) in Storyboard for Placement 16:04
bauzas#info Add yourself in the team bug roster if you want to help https://etherpad.opendev.org/p/nova-bug-triage-roster16:04
bauzaswhich leads me to the last point16:05
bauzassean-k-mooney: are you okay with holding the bug baton for this week ?16:05
sean-k-mooneyyes16:06
bauzasgracias16:06
bauzas#info Next bug baton is passed to sean-k-mooney16:06
bauzasany bugs to discuss before we move on ?16:06
bauzas#topic Gate status 16:07
bauzas#link https://bugs.launchpad.net/nova/+bugs?field.tag=gate-failure Nova gate bugs 16:07
bauzas#link https://zuul.openstack.org/builds?project=openstack%2Fplacement&pipeline=periodic-weekly Placement periodic job status 16:07
bauzas#link https://zuul.opendev.org/t/openstack/builds?job_name=nova-emulation&pipeline=periodic-weekly&skip=0 Emulation periodic job runs16:07
bauzasall the above seems fine ^16:07
bauzasand not fine like in a fire16:07
artomI think Uggla had a bug he wanted to double-check? Dunno if you want to leave that for the open discussion16:07
artomtriaged16:07
artom    1959186 (appears to be valid TBC tomorrow)16:07
bauzasartom: we can 16:08
sean-k-mooneyhttps://bugs.launchpad.net/nova/+bug/195918616:08
bauzasI'll leave it for open discussion then16:08
bauzaspeople can start digesting it meanwhile16:09
* bauzas has zero context yet16:09
sean-k-mooneyinitally this does not seam like a bug16:09
bauzas#info Please look at the gate failures and file a bug report with the gate-failure tag.16:09
sean-k-mooneybut know behavior but ya16:09
bauzas#info STOP DOING BLIND RECHECKS aka. 'recheck' https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures16:09
sean-k-mooneylets wait till later16:09
bauzas#topic Release Planning 16:09
bauzas#link https://releases.openstack.org/zed/schedule.html16:09
bauzas#info Zed-1 is due in 2 days16:09
bauzas\o/16:09
bauzasbefore we discuss about this milestone16:10
bauzas#info Spec review day happened last week on May 10th16:10
bauzas#info 2 specs were approved but a lot of them were reviewed. Kudos to the team for this hard work.16:10
gibi<316:10
bauzasI've seen lot of feedback there16:10
bauzasvery happy16:10
bauzasnow,16:10
bauzaszed-116:10
bauzasin theory, we only have one thing to take care of for this milestone16:11
bauzaslibraries releases16:11
sean-k-mooneyyep the release patches have been proposed16:12
sean-k-mooneyi have not looked at them yet16:12
sean-k-mooneyare theree any patches peopel would like to wait for?16:13
bauzasthat's my humble question16:13
sean-k-mooneythere is one patch in flight in os-vif but i dotn think we have to wait for that16:13
bauzasdo people care of something they'd like to see published before end of this cycle for the libs ?16:13
gibino need to wait, we can push out a new lib release any time it is freeee16:13
bauzasos-traits seems interesting to look at16:13
sean-k-mooneyyep we use cycle with intermdiaries 16:14
sean-k-mooneywhich requries at least 1 release per cycle16:14
sean-k-mooneybut we can have as many as we want16:14
bauzashttps://review.opendev.org/q/project:os-traits+is:open is empty :)16:14
bauzasoh shit16:14
sean-k-mooneyyep i think we close to approving spec that would add some16:14
bauzashttps://review.opendev.org/q/project:openstack/os-traits+is:open16:14
bauzasbetter now:)16:14
sean-k-mooneyso the manial share spec is still pending16:15
bauzasok, only the manila-related traits16:15
sean-k-mooneyso Uggla's patch cant merge yet16:15
bauzasand yeah the spec is pending16:15
bauzascorrect16:15
bauzasso, let's release os-traits by now16:15
sean-k-mooneywe can merge teh runtim patch but that is not urgent16:15
sean-k-mooney+116:16
bauzasand we'll publish a newer os-traits release once the spec is approved 16:16
bauzasUggla: ^16:16
elodillesnote: os-traits is in independent release model, so release patch won't be generated by release team16:17
bauzashttps://review.opendev.org/q/project:openstack/os-resource-classes+is:open is a bit more crap16:17
bauzasoh shit you're right16:17
bauzasI was looking at https://governance.openstack.org/tc/reference/projects/nova.html#deliverables16:17
Ugglabauzas, \o/16:17
bauzasbut it's not describing the release models16:17
sean-k-mooneyelodilles: os-traits isnt independint is it16:17
bauzasI'm lost with all the references16:18
sean-k-mooneyoh it is16:18
bauzasfor release models, this is another website unrelated to governance16:18
sean-k-mooneywell that does not make sense16:18
sean-k-mooneybecause placment is tightly coupled ot it16:18
elodillessean-k-mooney: it is16:18
sean-k-mooneyelodilles: placmentn currently only works with exactly one version of os-triats16:18
bauzasok, found the right doc https://releases.openstack.org/teams/nova.html16:18
sean-k-mooneyhttps://github.com/openstack/releases/blob/master/deliverables/_independent/os-traits.yaml16:19
bauzasthis leaves os-r-c and os-traits be independent16:19
sean-k-mooneyright but placment assert the exact numober of triat and resouce classes in its test16:19
bauzashttps://releases.openstack.org/teams/nova.html#independent16:19
bauzassean-k-mooney: we discussed this at the PTG right ? 16:20
sean-k-mooneyso it only works form a unit test perspecive with exactly one version of os-traits/os-rescoue classes16:20
bauzasand we agreed on a proposal16:20
sean-k-mooneyyep16:20
sean-k-mooneyrelax the test16:20
bauzasyup16:20
bauzasso let's do it16:20
sean-k-mooneyyep16:20
sean-k-mooneyjust pointing out that indpenent did not make sense wiht that context16:20
sean-k-mooneybut ok we can wait to release it until we have new traits16:21
sean-k-mooneyand fix the test in the interim16:21
bauzaspoint is, we should only care of os-vif and client releases for placement and nova, that's it16:21
bauzas(for zed-1 I mean)16:21
sean-k-mooneyyep16:21
bauzasgmann: btw. this is not going well for https://review.opendev.org/c/openstack/os-vif/+/84002016:23
bauzasbut let's discuss this on open discussion ^16:23
bauzasand let's continue the agenda16:23
bauzas#topic Review priorities16:23
bauzas#link https://review.opendev.org/q/status:open+(project:openstack/nova+OR+project:openstack/placement+OR+project:openstack/os-traits+OR+project:openstack/os-resource-classes+OR+project:openstack/os-vif+OR+project:openstack/python-novaclient+OR+project:openstack/osc-placement)+label:Review-Priority%252B116:23
bauzas#link https://review.opendev.org/c/openstack/project-config/+/837595 Gerrit policy for Review-prio contributors flag. Naming bikeshed in there.16:23
bauzasreviews are welcome on ^16:24
bauzasI see gibi having concerns on the naming16:24
gibiI have no good suggestion16:24
gibiso feel free to ignore me16:24
gibimy problem on the current naming is that is sounds like a core approves that something is a prioirty16:27
gibibut the aim is instead that the core says "I will review this"16:27
bauzasgibi: I can propose something else16:27
bauzasto unblock the patch16:27
bauzas#link https://docs.openstack.org/nova/latest/contributor/process.html#what-the-review-priority-label-in-gerrit-are-use-for Documentation we already have16:27
sean-k-mooneybauzas: sure go for it16:27
bauzasnext topic,16:28
bauzas#topic Stable Branches 16:28
bauzaselodilles: I haven't seen you updating the section16:28
bauzasso far, so good ?16:28
elodilles#info ussuri and older branches are still blocked, newer branches should be OK16:29
bauzasI think we said last week, newer branches *are* OK :)16:29
elodillesi haven't got any further with the investigation of ussuri branch :/16:29
*** erlon_ is now known as erlon16:29
*** ganso_ is now known as ganso16:29
*** hemna5 is now known as hemna16:29
*** andrewbonney_ is now known as andrewbonney16:29
*** ricolin_ is now known as ricolin16:29
elodillesbauzas: yes, unfortunately nothing news :(16:30
bauzasdamn, looks like we have a netsplit at the time of the meeting16:30
elodillesyepp, it seems :S16:30
sean-k-mooneypeople will be back soon proably16:30
bauzashopefully yes16:30
sean-k-mooneylooks like mainly NA folks16:31
bauzaslet's continue then16:31
bauzassean-k-mooney: yeah, one OFTC server seems to have killed the conns16:31
elodillesnothing more to add for now :X16:31
bauzaselodilles: at one time, we'll need to cut the rope on the older branches16:31
sean-k-mooneyolder starting form ?16:32
elodillesbauzas: indeed. now ussuri is in bad shape for weeks now...16:32
sean-k-mooneyhum 16:32
bauzassean-k-mooney: ussuri16:32
sean-k-mooneyso we woudl be droping train and below too16:33
elodillesactually it fails due to multiple intermittent failures16:33
bauzaswe need help or some action in order to mitigate the blocker16:33
bauzaselodilles: yup, constant rechecks16:33
sean-k-mooneybauzas: what is the blocker exactly16:33
bauzasthe failure ratio is so high it becomes unpractical to merge16:34
sean-k-mooneyright but on what issue16:34
bauzasa couple of them16:34
* sean-k-mooney has not looked at stable/ussiri16:34
bauzaselodilles: we tracked them, right16:34
sean-k-mooneyok i was wonderign if there was one we shoudl look at specificly16:34
elodillessean-k-mooney: guest kernel panics, volume timeouts, 16:34
sean-k-mooneyas in volume detach16:35
sean-k-mooneyis it resize related?16:35
sean-k-mooneybecasue we noticed today that reize is not suing hte sshable change yet16:35
sean-k-mooneygibi proposed a patch to cover that16:35
elodillesalso this bug comes up often: https://bugs.launchpad.net/nova/+bug/190173916:36
sean-k-mooneyim not familar with that16:36
sean-k-mooneylooks like lee fixed that in V but it has not been backported16:37
gibiit is a mix of fixes already due to zuul migration and ubuntu version cahgne16:37
gibichnage16:37
sean-k-mooneyok we can proably move on but if you have a list elodilles  please share16:37
elodillessean-k-mooney: well it's on the recheck list on this patch: https://review.opendev.org/c/openstack/nova/+/83803316:38
elodilles:/16:38
sean-k-mooneycan we ask infra to force merge that16:39
elodillessean-k-mooney: it won't help to other patches, they will need the same rechecks16:39
sean-k-mooneyyes i know 16:40
bauzasin general, we can try to release the jobs 16:40
bauzasin order to merge one specific patch we want16:40
elodillesyes, one way is to decrease the test coverage16:41
gmann+1, better than force merge16:41
bauzaswe did that in some past16:41
sean-k-mooneyok16:41
gibihere that would mean to cut out devstack based jobs16:41
sean-k-mooneywe can make some non voting for now16:41
gibian rely on unit and functional16:41
gibi*and16:41
bauzasthis was ages ago16:41
gmannyeah just for temporary  time16:41
elodillesgibi: or some volume related tests. though i don't know which is worse :S16:41
bauzasbut I still remember the magic formula16:41
gibigmann: it would not be temporary if we disable jobs we will never fix tem16:42
gibithem16:42
sean-k-mooneywell i asusme we have  a limited set of patches that we want to merge and we woudl turn these abck on like droping lc jobs16:42
sean-k-mooneyso i was epecting disable patch then revert16:42
bauzasgibi: the idea is to relax the jobs before merging patches we want and then enabling again the jobs16:43
gibibauzas: and will we do it for every patch we want to merge?16:43
bauzasand see whether the failure ratio drops again16:43
gmannyeah that is what I thought, enabling them again16:43
gibibauzas: it would work iff we would have patches in queue that fixes those breaks but we dont16:43
bauzasgibi: no, we need to identify a set of patches we'd like to merge in order to help with CI stability16:43
gibiwe don't have the fixes :/16:44
gibiit is not like merge these 5 patches to stabilize ussuri, we don't have those 5 patches ready16:44
gibiwe have random patches backported and waiting 16:44
gmannhumm16:44
bauzasok, we won't obviously solve this problem by now16:45
gmannone thing to note if we are removing integration tests coverage then it is better to make branch EOL like we did for ocata16:45
gibiso something like: 1) collect the issue to be fixed in ussurit to stabilize CI 2) create fixes for them 3) force merge them 4) profit16:45
bauzaslet's state we all know about this problem and we'll figure out the solutions later16:45
bauzasgibi: yeah, sounds 1/ and 2/ are not done yet16:45
elodillesmaybe if that "SSHABLE" fix helps things in ussuri we have one, but still we probably have other failures16:45
gibielodilles: a buncs of SSHABLE already landed, so we should see them help16:46
gmannelodilles: that is again difficult as we are not supposed to use tempest master for ussuri so not all master change will go for ussuri testing16:46
bauzaselodilles: ideally an etherpad of doom may help gathering ideas and feedback16:46
gibigmann: ahh16:46
gibithat explains16:46
gmannI have patch  up to cap tempest for ussuri but that is not merged yet16:46
sean-k-mooneygmann: wait we are not?16:46
sean-k-mooneygmann: temest is ment to be branchless upstream16:47
gmannbut we have stopped ussuri support in tempest master16:47
sean-k-mooneyhum16:47
sean-k-mooneybecause of what reason?16:47
gmannsean-k-mooney: yes and master tempest is for SUpported branch and we cannot support EM branches16:47
sean-k-mooneypython version ?16:47
sean-k-mooneyshoudl that not be a project choice16:48
gmannEM branches - #link https://docs.openstack.org/tempest/latest/stable_branch_support_policy.html16:48
sean-k-mooneytempest should not have to support it16:48
sean-k-mooneybut project that support em branches shoudl still be able to choose which tempest to run16:48
gmannsean-k-mooney: we have to pin tempest for EM branch so that using master there can break them anytime16:48
gmannsean-k-mooney: yeah, you can but no guarantee if master tempest will work16:49
gmannas long as it is passing it is ok to use16:49
sean-k-mooneyack16:49
sean-k-mooneyso i think i would prefer to keep tempest uncapped until ti breaks16:50
elodilles(well, i guess changes on tempest master can affect not only EM branches, but they are affected most likely)16:50
sean-k-mooneyelodilles: well nova uses microversion16:50
sean-k-mooneyso it should work form our point of view16:50
gmannelodilles: for supported branches we make sure tempest does not break them but for EM it is not the case16:50
sean-k-mooneychagnes to tempest should not break our stable branches expcti if there ar package dep issues16:50
gmannplan is : by default devstack will cap the tempest in ussuri and project can override it in jobs16:51
bauzasI need to timestop the conversation16:51
sean-k-mooneywhich i guess is why this was done16:51
gmannyeah, we can discuss it in qa or nova channel after meeting16:51
sean-k-mooney+116:51
elodilles+116:51
bauzasgmann: sean-k-mooney: gibi: you're all free to continue the conversation after the meeting16:51
bauzascool16:51
gmannsure16:51
bauzasmoving on quickly16:52
* gibi will pass out after the meet :/16:52
bauzas#topic Open discussion 16:52
bauzasUggla: do you want to discuss https://bugs.launchpad.net/nova/+bug/195918616:52
bauzas ?16:52
bauzasUggla: you left this bug with comments on your triage etherpad16:52
Ugglayep16:52
UgglaIt appears valid to me, but I would like a crosscheck.16:53
sean-k-mooneyi dont think it is16:53
sean-k-mooneythere is a long runnign knwon issue that you cant delete in use image form glance if it uses ceph16:54
sean-k-mooneythat only happens if you use raw images16:54
sean-k-mooneyat that enabel our copy on write shallow clone code path16:54
bauzassounds at least unrelated to nova16:54
sean-k-mooneywhich i suspect is what is happening here with the snapshot16:54
bauzasmaybe valid but not on our side16:54
bauzasright?16:54
dansmith_it's really desired behavior even16:55
sean-k-mooneythere have been some feature request in this area16:55
sean-k-mooneysome peopel woudl like too break the shallow copy16:55
dansmith_I think it'd be a feature on the glance side, IIRC16:55
*** dansmith_ is now known as dansmith16:55
sean-k-mooneyya so they have not providded enough info in the bug16:56
sean-k-mooneywe do not know the image type16:56
dansmithnova doesn't even know about the linkage after it's created right? so if the link is broken, nova is fine with it16:56
sean-k-mooneyto confirm wone way or another16:56
sean-k-mooneyam im not sure16:56
bauzasdansmith: hence my point, unrelated to the project16:57
bauzas=> Opinion16:57
levy14have a feature proposal, but not in the agenda yet. may I ask here and gauge interest/feasibility?16:57
dansmithbauzas: yeah16:57
sean-k-mooneythere is some metadata on teh image but i dont know if we read that when we create the new vm16:57
sean-k-mooneyor tack it on our side16:57
bauzassean-k-mooney: we can add glance as a service project in the bug report16:57
bauzasand mark it invalid on our side16:57
bauzaswe'll see it coming back if that's really a nova bug 16:58
bauzasUggla: works for you ?16:58
Ugglayes16:58
bauzasOK, sold16:58
bauzas#agreed https://bugs.launchpad.net/nova/+bug/1959186 to be punted to Glance16:59
sean-k-mooneyill do that  and ask for more info in the bug16:59
bauzasI wanted to discuss https://review.opendev.org/c/openstack/os-vif/+/840020 but we're at time17:00
bauzasthanks all17:00
bauzas#endmeeting17:00
opendevmeetMeeting ended Tue May 17 17:00:16 2022 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)17:00
opendevmeetMinutes:        https://meetings.opendev.org/meetings/nova/2022/nova.2022-05-17-16.02.html17:00
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/nova/2022/nova.2022-05-17-16.02.txt17:00
opendevmeetLog:            https://meetings.opendev.org/meetings/nova/2022/nova.2022-05-17-16.02.log.html17:00
bauzasgmann: https://review.opendev.org/c/openstack/os-vif/+/840020 seems problematic to merge17:00
sean-k-mooneybauzas: the failures are unrelated i think17:00
sean-k-mooneythere were db issues17:00
gmannyeah let's see I did recheck on this17:00
sean-k-mooneythe patch is just remvoing lower constraitns there are no code changes17:01
bauzassean-k-mooney: ok17:01
bauzasall good then17:01
* bauzas has to stop in order to see some folk face-to-face17:01
sean-k-mooneybauzas: i looked durign the metting thanks for bring it ot my attention i tought that merged already17:02
bauzasnp17:02
bauzashappy to help17:02
gibilevy14: I suggest to type your idea in here, or add it to the agenda for next week17:02
* bauzas has to invest time and money to figure out how to max out his new 10gbps fiber connection17:02
levy14My org found a lot of code that runs in VMs contains credentials in code or config files. I would like to be able to make calls (HTTP requests) to a secret store (Barbican) without providing credentials, and Nova to add them automatically, based on the VM's identity. Much like AWS instance profiles and Azure managed identities work. How should I proceed with this?17:03
levy14will try to add it to teh agenda for the next time17:03
bauzaslevy14: feel free to add it by yourself in https://wiki.openstack.org/wiki/Meetings/Nova#Agenda_for_next_meeting17:03
bauzasyou only need LP creds17:03
levy14so no need to create a blueprint for it?17:04
bauzaslevy14: that's what we'll figure out at the meeting :)17:04
levy14cool, will add it. if any feedback here, will try to capture that too.17:04
Ugglabauzas, leaving IRC, see you in 1h call me on my cell if needed.17:05
sean-k-mooneylevy14: that kind of sound like something that was propsoed before17:06
bauzasUggla: bien sûr et à toute :)17:06
sean-k-mooneyrelated to jwt tokenes or something like that17:06
levy14sean-k-moonehy: any idea why it is not yet available? any serious blocker? as we see it as a huge security improvement.17:07
sean-k-mooneylevy14: so you would lke to have the ablity to request that a set of barbican securest are automaticly injected wehn a vm is created17:07
sean-k-mooneylevy14: well you woudl have to opt into this behavior on a pervm basis17:07
sean-k-mooneyand that woudl requrie an api change to request it on boot17:07
sean-k-mooneyto say which secret or secrets to inject17:08
levy14nope, I would like to be able to write code that just calls barbican to get a secret, without having to deal with any credentials. nor inject them.17:08
sean-k-mooneylevy14: so basically becacuse no oen has asked for it or step up to do the work17:08
sean-k-mooneywehre would that code run17:08
levy14in the vm17:09
sean-k-mooneywell you can do that today17:09
levy14in whatever language17:09
sean-k-mooneycall barbical from the vm17:09
sean-k-mooneybut you would need an applciation credental or simialr in the vm to make that call17:09
sean-k-mooneylevy14: nova cant run code in the vm for you by the way17:09
levy14that is what I want to avoid. people are putting those in code or in config files. or injecting them, without properly handling it. and it's a mess.17:10
levy14how about not needint that at all. all all https calls going of from a vm to (at least) barbican get added a (temp) access token of the vm's identity17:10
sean-k-mooneythat would be a security risk17:11
sean-k-mooneysince by default nova is not allows to access the users secrets17:11
levy14it is not about running code in the vm by nova. it is about intercepting outbound http(s) calls and if the destination is barbican, add the token17:11
sean-k-mooneyeven admin cannot get them by default17:11
dmendiza[m]👀17:12
sean-k-mooneylevy14: you would need to intercept the request using a man in the midel proxy17:12
sean-k-mooneykind of like the metadta proxy17:12
sean-k-mooneylevy14: i think what you want is more like this https://review.opendev.org/c/openstack/keystone/+/78455817:13
levy14well, can we use the vm's identity (I don't even know if there is such a think in nova)17:13
sean-k-mooneyits nto what you asked for but providign a jwt token to the vm via metadta17:13
sean-k-mooneylevy14: vms dont have identity's17:13
sean-k-mooneya vm is a resouce that is owned by a project not a user17:14
levy14ok, is there a good reason why it cannot get an identity? for this specific purpose. to allow the vm to impersonate a user and access secrets?17:15
sean-k-mooneyyou mean grab the token form the request that was used to boot the vm and then use that to call barbican17:15
levy14that would be an option, yes17:15
sean-k-mooneywell that would be a giant red flag form an auti perspetivce17:16
levy14although e.g. what aws does is generate short lived temp tokens on request for this purpose17:16
levy14ut in the end, any solution that allows users to grab secrets from bbarbican with a well-known identity, and without being a security risk, would be fine17:17
levy14I just want to end this cancer of credentials in code repos17:17
sean-k-mooneyusign jwt is proably trhe way to go17:18
sean-k-mooneythere was someone looking at extening keystone to supprot just json web tokens to be able to issue a new keystone token17:18
sean-k-mooneyand then useing vendor data or nova metadta to provide the token ot the vm17:19
sean-k-mooneyvia the metadtat servie17:19
levy14I am not sure I understand how those would help17:19
sean-k-mooneythe vm could get a jwt token form the metadata endpoing without auth based in the vm mac and ip via curl17:19
sean-k-mooneyand then use that to issue a full keystone token17:20
sean-k-mooneyand make requesuts17:20
levy14and how would the metadata endpoint know what identity to issue a jwt token for?17:21
levy14I mean where is the ip/mac <-> identity info coming from?17:21
levy14so that vm creators/users can control it (so that that user gets access to the ecrets the code in the vm will try to fetch)17:22
sean-k-mooneylevy14: that comes for nova/neutron17:22
levy14so in the end nova/neutron does have an identity for each vm?17:23
sean-k-mooneyno17:23
sean-k-mooneyit used an external service17:23
sean-k-mooneynova suport external dynimc vender data17:23
sean-k-mooneyservice like nova-join can use that to add extra info into the metadata aviable to the vm17:24
levy14interesting17:25
sean-k-mooneyhttps://review.opendev.org/q/topic:bp%252Fjson-web-tokens17:25
sean-k-mooneyi think that is the keystone feature17:25
sean-k-mooneylet me see if i can find any more info17:25
levy14I am very curious in any solution that gets me closer to this17:25
sean-k-mooneyits been a while since this came up17:25
sean-k-mooneylike 2 years or more17:25
sean-k-mooneylevy14: https://specs.openstack.org/openstack/keystone-specs/specs/keystone/stein/json-web-tokens.html17:26
levy14thanks for the links, will do some reading17:27
levy14and add this to the next meeting's agenda17:27
sean-k-mooneylevy14: this likely woudl have to be implemted outsdie fo nova. if it was in nova we would need a very detailed spec of how to do this safely17:29
sean-k-mooneyjust to set expecations17:29
levy14I understand17:30
levy14we're a federation of openstack sites, so solutions that require each site to config this would be problematic. I was hoping for a nova-native solution. even if it's going to take a while.17:31
sean-k-mooneylevy14: jrosser  was asking about this before17:31
sean-k-mooneylevy14: just checked my irc logs let me get you a link17:32
sean-k-mooneythey did a poc of injecting the token https://paste.opendev.org/show/798996/17:32
sean-k-mooneyhttps://meetings.opendev.org/irclogs/%23openstack-nova/%23openstack-nova.2020-10-13.log.html#t2020-10-13T15:30:0517:33
sean-k-mooneylevy14: it was based on https://cloud.google.com/compute/docs/instances/verifying-instance-identity17:33
jrossersean-k-mooney: I totally ran out of time to take that further17:33
jrosserbut still interesting if it can be made to work with an external thing like step-ca (that was my use case)17:34
sean-k-mooneyjrosser: maybe you can expalin it to levy14 and they could find resouce to work on it17:34
sean-k-mooneyjrosser: i have not been following keystoen recently but i belive tehy are also working on some oath/openid connect supprot this cycle17:35
sean-k-mooneynot sure if that is related17:35
sean-k-mooneythis https://review.opendev.org/q/topic:bp%252Foauth2-client-credentials-ext17:36
levy14in any case, adding it to the agenda and we'll see next time17:37
levy14thanks for the links17:37
jrosserlevy14: I have POC code to insert a signed jwt into the metadata17:42
jrosserhttps://github.com/bbc/nova/commit/c0e9a98fb96d0dff73d0a5c5e7ebad8078fd85a117:44
sean-k-mooneyjrosser: didnt knwo you worked for/with the bbc17:45
sean-k-mooneyor that they used openstack17:45
sean-k-mooneythats cool17:45
jrosserwe use it in the R&D labs17:45
sean-k-mooneyeven still that is nice to hear17:45
sean-k-mooneyeven if its only for R&D17:46
sean-k-mooneyand not production17:46
sean-k-mooneyjrosser: your poc is that integrated with keystone in any way. can the jwt token be sued to auth with keystone17:47
sean-k-mooneyto then bootstrap to calling barbican17:47
sean-k-mooneyor did you just use it for the vm verifcation usecase17:47
jrosserthe idea (pretty much copied from what GCP do) is that you could validate that jwt against a published CA cert at some well known location17:48
sean-k-mooneyya ok17:48
jrosserand that is sufficient to say that the VM is what it claims to be17:48
sean-k-mooneyso keystone i think now support using jwt to auth and get a keystone token17:49
sean-k-mooneyso your poc is not tied into that17:49
jrosserright - though i guess the JWT payload can be pretty arbitrary so i'm not sure how much that would intersect17:49
jrosserhmmm hashicorp vault can authenticate with a JWT17:53
jrossernow that would be really interesting to make work17:54
sean-k-mooneyjrosser: levy14's usecases is to use something to allow the vm to auth to barbican17:55
sean-k-mooneyjrosser: basically so that you dont need to sotre creds in teh applicaitons configs17:56
jrosserright - i believe that such things are very straightforward in aws17:56
sean-k-mooneyjrosser: and since keystone now accpets jwt tokes to auth with my theory was17:56
sean-k-mooneyif we added a jwt token in the metadta you coudl use that to get a keystone token and then use that to call barbican17:57
sean-k-mooneyand sicne jwt tokesn can expire you could allow that only for x mintues after teh server is booted for intial bootstrap17:57
sean-k-mooneyanyway its not my usecase so i wont worry about it for now17:58
sean-k-mooneybut it could be a ncie feature if openstack could provide a simialr workflow17:59
sean-k-mooneyits proably not a nova feature however17:59
sean-k-mooneyot not mainly17:59
sean-k-mooneya nova feature17:59
*** melwitt_ is now known as melwitt18:08
jrosserseems it is fernet or jws for keystone, not a mixture18:09
jrosserand it does seem more clean to have keystone issue a token then then is in the metadata18:10
sean-k-mooneywell for there usecase tehy are tryign to prevent having to put credeitals in the vm to begin with18:10
sean-k-mooneyso they need somthign to bootstrap form 18:10
sean-k-mooneyi think k8s solves this by definign env vars that are only accepable in the container18:11
sean-k-mooneyso you can get your pods secret18:11
sean-k-mooneythe metadta serivce is the closest thing we have to that18:11
jrosseroh i am confusing the existing jws stuff in keystone with that new jwt auth patch18:13
* sean-k-mooney just skimed the open patches so may also be confusign some thigns18:14
*** artom__ is now known as artom19:08
*** ianw_ is now known as ianw19:11
*** hemna6 is now known as hemna19:34
*** dasm is now known as dasm|off21:49
*** mfo is now known as Guest72921:52
*** mfo_ is now known as mfo21:52
« Monday, 2022-05-16 Index Wednesday, 2022-05-18 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!