opendevreview | Jeffrey Zhang proposed openstack/nova master: Do not change nic queue count during live migration after vcpu hot resized https://review.opendev.org/c/openstack/nova/+/912082 | 05:44 |
---|---|---|
*** mklejn_ is now known as mklejn | 07:58 | |
opendevreview | melanie witt proposed openstack/nova master: Support create with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/870932 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Support (resize|cold migration) with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/870933 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Support live migration with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/905512 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Support rebuild with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/870939 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Support rescue with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/873675 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Add encryption support to qemu-img rebase https://review.opendev.org/c/openstack/nova/+/870936 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Support snapshot with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/870937 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Add backing_encryption_secret_uuid to BlockDeviceMapping https://review.opendev.org/c/openstack/nova/+/907960 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Support encrypted backing files for qcow2 https://review.opendev.org/c/openstack/nova/+/907961 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Support cross cell resize with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/909595 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: libvirt: Introduce support for raw with LUKS https://review.opendev.org/c/openstack/nova/+/884313 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: libvirt: Introduce support for rbd with LUKS https://review.opendev.org/c/openstack/nova/+/889912 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Report ephemeral disk encryption in the metadata API https://review.opendev.org/c/openstack/nova/+/909945 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Deprecate legacy ephemeral storage encryption using dm-crypt https://review.opendev.org/c/openstack/nova/+/909947 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Documentation for ephemeral encryption https://review.opendev.org/c/openstack/nova/+/910034 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Consolidate vTPM and ephemeral encryption secret creation https://review.opendev.org/c/openstack/nova/+/912094 | 09:11 |
opendevreview | melanie witt proposed openstack/nova master: Documentation for ephemeral encryption https://review.opendev.org/c/openstack/nova/+/910034 | 09:13 |
melwitt | dansmith: ^ rebased, added some of the things we talked about, fixed the problem with rbd (I had missed updating a variable name that got changed). didn't add the decorator for checking key access yet | 09:16 |
opendevreview | melanie witt proposed openstack/nova master: DNM test ephemeral encryption + resize: qcow2, raw, rbd https://review.opendev.org/c/openstack/nova/+/862416 | 09:20 |
*** tobias-urdin4 is now known as tobias-urdin | 10:23 | |
opendevreview | Merged openstack/python-novaclient master: Bump microversion to 2.96 https://review.opendev.org/c/openstack/python-novaclient/+/911575 | 10:33 |
*** ralonsoh__ is now known as ralonsoh | 12:25 | |
*** carloss_ is now known as carloss | 13:15 | |
dansmith | melwitt: fixed which problem, the reason I couldn't boot from the snap? | 14:30 |
fungi | bauzas: do you happen to know if nova had any development highlights to call out for 2024.1? today was supposed to be the deadline for collecting those, but we can usually work additions in if they're in the next week-ish | 14:31 |
bauzas | fungi: shit, I forgot | 14:32 |
bauzas | fungi: I'll work on it | 14:32 |
fungi | no worries, there's a ton of stuff going on (always) | 14:32 |
*** mklejn__ is now known as mklejn | 15:02 | |
dansmith | melwitt: okay must be because using the same code you had before seems to work on qcow (i.e. boot from encrypted snap) | 15:42 |
elodilles | bauzas: if you are still around, fyi: https://review.opendev.org/c/openstack/releases/+/912275 | 16:00 |
elodilles | bauzas: and this, respectively: https://review.opendev.org/c/openstack/releases/+/910940 | 16:01 |
bauzas | elodilles: thanks I was about to ask you to create a new release for the client | 16:01 |
bauzas | elodilles: +1d | 16:02 |
elodilles | thx too o/ | 16:04 |
dansmith | melwitt: so if I create an encrypted instance, snapshot it to an encrypted image, then boot an instance with an unencrypted flavor from that encrypted image, what do you expect to happen? | 16:10 |
melwitt | dansmith: yes, sorry, by "rbd problem" I meant the weird qemu-img convert and the inability to boot from the snapshot. for rbd only | 17:04 |
melwitt | dansmith: in that scenario I would expect the instance you booted to have encrypted disks, _unless_ the flavor is explicitly disabling encryption i.e. hw:ephemeral_encryption=false. if it's explicitly disabled in the flavor, the API should reject the request because of the conflict between flavor and image | 17:06 |
dansmith | melwitt: ah, okay lemme try that I guess | 17:30 |
dansmith | melwitt: so indeed, by default you get another encrypted stack which is maybe what you expect and maybe not | 17:30 |
dansmith | however, if your goal is to get an unencrypted image, you'd currently have no way out of that situation if there was no negative flavor for you to use | 17:31 |
melwitt | dansmith: the image has image properties requesting encryption so you should expect it | 17:31 |
dansmith | if we add the snapshot=(rekey,samekey,nokey) option then you could, but you'd have to jump through another snapshot hook to sort of free yourself from the overhead of the encryption | 17:32 |
dansmith | melwitt: I expect it for the image, but not the instance disk | 17:32 |
dansmith | like, I expected to have an encrypted qcow backing file, but unencrypted (i.e. full speed) disk when I write | 17:32 |
melwitt | dansmith: encryption is requested through image properties and flavors. the image has hw_ephemeral_encryption=true so it is expected to encrypt the disks | 17:33 |
dansmith | I know why I don't but that was what I was trying to do to see if it worked (before I realized obviously it wouldn't) | 17:33 |
dansmith | yeah, I understand why it's doing it, I'm just saying with my user hat on it was not what I was expecting | 17:33 |
melwitt | meaning you didn't expect the encrypted snapshot Nova made to have hw_ephemeral_encryption=true set? or you expected the flavor to override the image property? | 17:34 |
dansmith | no, the image has to have that set because it's encrypted, I was thinking the default was false in the flavor, but it's not, it's "default is do what the image says" ... which again I understand, | 17:35 |
dansmith | but if I'm a user and I'm handed an encrypted image and I want to boot from it but don't want to take the write hit for an encrypted disk, I'm stuck unable to get out of that loop | 17:36 |
dansmith | with just user tools | 17:36 |
dansmith | or without downloading, unkeying and re-uploading the image | 17:36 |
melwitt | no, the default is check the flavor and image and if either one says encryption=true, the disks get encrypted | 17:36 |
melwitt | if one says encryption=true and the other says encryption=false, that is invalid and the api should reject it | 17:37 |
dansmith | sure, but as a user, the flavor is the tool I'm given to control what the target environment looks like.. it's definitely confusing and grey with some stuff in both places for sure | 17:38 |
dansmith | I'm just saying, I expected to be able to break out of the loop without having to download and unkey the image myself | 17:38 |
melwitt | I am expecting to add the microversion for the snapshot api stuff btw, I put it in the spec reproposal. so there will be that | 17:38 |
dansmith | yep, that will help for sure, but means I have to snapshot to get through | 17:39 |
dansmith | so, I was just thinking: | 17:39 |
dansmith | wait, let me pull up the image meta patch | 17:39 |
melwitt | yeah, I guess .. I'm not sure how nova would know what to do if flavor and image can request it and image requests it. how could it know you want unencrypted | 17:40 |
dansmith | okay, so I wasn't thinking about that true/false flag since it's not actually added by this series, but does that mean if I snapshot to encrypted image, | 17:41 |
dansmith | leave the secret_uuid in place, but set hw_ephemeral_encryption=False, then I can boot from that image and get a non-encrypted root disk (backed by the encrypted image) ? | 17:41 |
melwitt | ah, yeah. it was much earlier on in the series. I think it was even before I started working on it | 17:42 |
dansmith | I was thinking you were just keying off the presence of the secret | 17:42 |
melwitt | yeah I was thinking that. but I'm not sure if it will handle it correctly. well, actually I think it will complain because of what we talked about earlier, if hw_ephemeral_encryption_secret_uuid is present then we require hw_ephemeral_encryption_format. and I think I also added that it requires hw_ephemeral_encryption too in that case. so I may need to change that to make it take the encrypted image => unencrypted disks | 17:44 |
dansmith | this is sort of my complaint about using hw_ for all this too, | 17:45 |
dansmith | because the secret uuid is not anything to do with hw, or the resulting vm, it's purely an attribute of the image | 17:46 |
dansmith | as is kinda luks as well | 17:46 |
dansmith | but it seems to me that we should use the boolean flag to control whether or not you actually get an encrypted disk on your instance (which I think is why it was added originally) and the others to say "if so, this is how" and they also apply to the image in terms of "here is how you should interpret the data inside here" | 17:47 |
melwitt | yeah. I have thought similar that the secret uuid in the image property can/should be able to stand alone | 17:47 |
dansmith | tbh, glance should have been extended with a luks disk_format instead of what's going on here, but... | 17:47 |
dansmith | yeah | 17:47 |
dansmith | yeah, setting that =false doesn't change anything.. still works, boots, but is encrypted | 17:52 |
melwitt | ok, good to know. I can change it to make it do the thing in that case | 17:52 |
dansmith | okay cool I think that'd be good so I (as a user) have an out | 17:53 |
dansmith | I can see an operator not wanting to allow you to exfiltrate an image that way, but there are a hundred other ways to do it and I think that if we rely on the image property there that they can use the image property permissions to block changes to it | 17:53 |
melwitt | ack | 17:56 |
*** blarnath is now known as d34dh0r53 | 18:09 | |
JayF | bauzas: if you want to give a bullet point to the ironic driver in cycle highlights, I'm happy to draft a thing for you. Just let me know. If you want to do it, I'd highlight the SDK migration in addition to sharding :) | 20:20 |
artom | Whoever thought that making the compute_rpcapi.rollback_live_migration_at_destination() a conditional *from the source* deserves... bad things. | 22:03 |
artom | Although apparently it's safe to add conditions, since vpmem and mdevs have been added | 22:05 |
opendevreview | Artom Lifshitz proposed openstack/nova master: Add cpuset_reserved helper to instance NUMA topology https://review.opendev.org/c/openstack/nova/+/910020 | 23:05 |
opendevreview | Artom Lifshitz proposed openstack/nova master: Reproducer for not powering on isolated emulator threads cores https://review.opendev.org/c/openstack/nova/+/910021 | 23:06 |
opendevreview | Artom Lifshitz proposed openstack/nova master: Power on cores for isolated emulator threads https://review.opendev.org/c/openstack/nova/+/909795 | 23:06 |
opendevreview | Artom Lifshitz proposed openstack/nova master: Reproducer test for live migration with power management https://review.opendev.org/c/openstack/nova/+/910022 | 23:06 |
opendevreview | Artom Lifshitz proposed openstack/nova master: pwr mgmt: handle live migrations correctly https://review.opendev.org/c/openstack/nova/+/909806 | 23:06 |
opendevreview | Artom Lifshitz proposed openstack/nova master: pwr mgmt: make API into a per-driver object https://review.opendev.org/c/openstack/nova/+/912320 | 23:06 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!