Monday, 2024-05-20

« Sunday, 2024-05-19 Index Tuesday, 2024-05-21 »
wncsllnhey nova o/, I was looking at some low hanging fruits bugs to solve, I've found this one https://bugs.launchpad.net/nova/+bug/206569311:56
wncsllnsince I'm a beginner, someone could show me where I should fix, if is possible?11:56
wncsllnI undestood that foreign key may does not exist in another table11:57
sean-k-mooneywncslln: that might not be the best bug to start with12:04
sean-k-mooneythis tempest test is trying to delete an server that has not been completed spawning yet12:05
sean-k-mooneywhat failing is recordign the delete event on the instancee because the instnace does not currently exist in the instnace table12:06
sean-k-mooneythat is causing the foreign key to fail12:06
sean-k-mooneyso this is not an issue with the db schema12:06
sean-k-mooneywhats broken here is that we shoudl gracefuly handle that issue and either reject the delete at the api or complete the delete without an error12:07
sean-k-mooneyneither are trivial to do correctly. we likely do no want to reject the request as a user should always be able to delete an insance for billing reasons12:10
sean-k-mooneyso while a 409 conflict could be valid in other case it woudl be undesireable in this case12:11
sean-k-mooneythe simplest possibel fix in this case would be ot catch the excption to record the instance action and log/ignore it then proceeed with the delete12:11
sean-k-mooneythat would be a valid resolution to the bug but if the instance does not exist in the cell db it also means we cant mark it as deleted which means we have no way to interup the request to spawn it.12:13
sean-k-mooneywhich is why this is a hard thing to fix as a first bug12:13
wncsllnI see... I'll follow the bug updates to see the resolution and try to understand it12:15
wncsllnso sean-k-mooney, do you recommend any bug?12:16
sean-k-mooneywe do actully have a list of low hanging fruit bugs https://bugs.launchpad.net/nova/+bugs?field.tag=low-hanging-fruit i have not looked at that in a while12:17
sean-k-mooneybut perhaps one of those12:17
sean-k-mooneyperhaps https://bugs.launchpad.net/nova/+bug/201533012:18
sean-k-mooneyfor something  perhaps more featury then bug we have this tech debt reduction bug https://bugs.launchpad.net/nova/+bug/199413912:19
wncsllnI'll take a look on these. thanks!12:22
stanlive migrate says rolled back on the target server, what would be the appropriate logs to check for further troubleshooting?13:36
opendevreviewsean mooney proposed openstack/nova master: [WIP] ensure correct cleanup of multi-attach volumes  https://review.opendev.org/c/openstack/nova/+/91632214:36
dansmithbauzas: trivial patches to CI jobs, if you have a minute: https://review.opendev.org/c/openstack/nova/+/91973814:52
dansmithfirst one saves us *minutes* of setup time on the affected jobs, second one goes back to regular images as we discussed14:52
opendevreviewDan Smith proposed openstack/nova master: Enable OCaaS for several nova jobs  https://review.opendev.org/c/openstack/nova/+/91973815:24
opendevreviewDan Smith proposed openstack/nova master: Stop using split UEC image (mostly)  https://review.opendev.org/c/openstack/nova/+/91973915:24
dansmithmelwitt: ^15:24
dansmithgood catch!15:24
dansmithmelwitt: thanks!15:32
melwittnp15:33
sean-k-mooneydansmith: looks like we have upgraded the version of zuul?15:46
sean-k-mooneyThe RE2 syntax error is: invalid perl operator: (?!15:46
sean-k-mooneyclarkb: i rember ther was an annouchment about that a while ago but nova was not using any non RE2 regexes at the time15:47
sean-k-mooneyand i dont think we have added any since15:47
sean-k-mooneyclarkb: any idea why we are seeing https://review.opendev.org/c/openstack/nova/+/919738/1..2/.zuul.yaml#336 now15:47
sean-k-mooneyclarkb: is this just a warning currently?15:48
sean-k-mooneylooks like negitive matches are now triggering it15:50
sean-k-mooney  irrelevant-files:15:50
sean-k-mooney      - ^(?!.zuul.yaml)(?!nova/virt/libvirt/)(?!nova/privsep/).*$15:50
sean-k-mooneyi belive what we are trying to express in the nova-lvm jobs is15:51
sean-k-mooneywe should only run this on changes to .zuul.yaml nova/virt/libvirt/** and nova/privsep/**15:51
sean-k-mooneyso the way to fix this would be to use  relevant-files: instead right?15:52
sean-k-mooneygmann: ^15:52
sean-k-mooneyso relevent-files: "^(?:.zuul\.yaml|nova\/virt\/libvirt\/.*|nova\/privsep\/.*)$"15:58
sean-k-mooneydansmith: melwitt  am i correct that your preference is to move forward with https://review.opendev.org/c/openstack/nova-specs/+/907654 and then continue the converstaion in the implemenation review and loop back and update the spec if needed17:40
dansmithI think I said as much, but I wasn't anticipating your most recent concern, so if we need to nail that down, we should 17:41
sean-k-mooneymy main concenr is ensuring tha we can express if the instance is encypted (and optionally the format) and if the image is encypted (and the format) seperatly17:42
dansmithyeah I know, and as I just noted, I think that's a dangerous tripwire :)17:42
sean-k-mooneywhy so? the format so the image and root disk may not be the same.17:43
sean-k-mooneyare you suggesting that we shoudl require the instance to be encypted if the image is17:44
dansmithyes and especially that we should not *decrypt* the image if you boot from it without that requirement17:44
sean-k-mooneyso i see that as being in conflict with allowing you to take an unecypted snapshot17:45
dansmiththat's kinda like having FDE enabled and dropping it because you upgraded to the next version of your OS and forgot to opt-in again17:45
dansmithwhy? you're specifically asking to have it de-crypted in that case17:45
sean-k-mooneyand you explcitly ask to not encypt the instance in the other17:45
sean-k-mooneywell implictly17:46
dansmithvery implicitly :)17:46
sean-k-mooneybut unless we make it a tristate17:46
sean-k-mooneyi think that equivlent17:46
dansmithwell, the other option would be to require your hw_ to be set to either match the format of the image, or explicitly request cleartext and we refuse to boot if it's not set to match17:46
dansmithbut I think that's just adding an extra hoop for people17:47
sean-k-mooneywell i wasd thinking that you might want to upload the image in gpg format to glance17:47
sean-k-mooneybut boot form a vm in luks format17:47
melwittI thought the debate here is whether or not to allow a change in encryption format going from image => root disk. because otherwise afaict hw:ephemeral_encryption (the bool) provides everything else?17:47
sean-k-mooneyafter all we cant boot form an image in gpg format right17:48
dansmithas I said in my reply, I think this is getting to the point of unnecessary layers that users don't care about (i.e. the distinction between glance and nova and cinder's notion of the encrypted-ness)17:48
dansmithsean-k-mooney: gpg format is useless.. it was added before and only because there wasn't userspace tooling for LUKS17:49
dansmithI think they're mostly using it as an example at this point and I thought they were going to drop that anyway17:49
sean-k-mooneyok but we cant boot form that17:49
dansmithcorrect17:49
sean-k-mooneywe could boot form it if we decypt or convert17:50
dansmithmelwitt: one or more of us is implying too much about the format of the image and the intent for booting new instances I guess.. the boolean doesn't really matter, it's the default we assume17:50
sean-k-mooneywell the bool is ment to be (should this instance have encypted ephemeral storage)17:51
dansmithmy concerns are that (a) we should never implicitly decrypt something and (b) we should not design something that requires us to do a (very expensive) format/encryption conversion for the usual case17:51
sean-k-mooneythat is indepenent of if its BFV or boot form image 17:51
sean-k-mooneywell the only way to avoid the format conversion would be luks iamge and luks encyption for qemu17:52
sean-k-mooneywe cant store dmcypt_plain images in glance can we?17:52
sean-k-mooneyif we can that woudl also be valid17:52
melwittI agree we should never implicitly decrypt something17:53
sean-k-mooneycant we boot form encypted iamges today?17:53
sean-k-mooneyi tought we always decypted them?17:53
dansmitheh?17:53
sean-k-mooneymaybe thats not a thing?17:53
melwitt(don't want any surprises)17:54
melwitt"today" meaning in the proposed patch series?17:54
sean-k-mooneyi might be mixing that up with signed images17:54
melwittin the series there is support for booting from encrypted images17:54
melwittoh, yeah you might be thinking of signed17:54
sean-k-mooneyno today meaning Caracal/master17:54
dansmiththat's kinda the whole point right?17:54
dansmith(booting from encrypted images"17:54
sean-k-mooneynot entirely. so i tought the gap we were trying to solve is booting vms with encypted local storage17:55
sean-k-mooneyirriespective of the encyption state in glance17:55
melwittI think the main point is booting encrypted from unencrypted but booting from encrypted quickly becomes an expectation bc of snapshotting imho17:56
dansmithwhat's the point of local storage encryption if snapshots are clear?17:56
sean-k-mooneythey wernt clear in the previosu iteration of the spec17:56
dansmithmaybe I'm completely off base here, but in a cloud snapshots are like the #2 most important unit of measure behind instances themselves17:56
melwittbecause the user might add private data after that (I thought?)17:56
dansmithyou need snaps for basically everything in the cloud workflow17:56
sean-k-mooneyi dont think that is true17:57
melwittbut like for example my laptop, the OS image was not encrypted but my disk is encrypted17:57
sean-k-mooney* i dont think snapshots is the #2 most imporant thing in a cloud workflow17:58
dansmithmelwitt: it's a bit different there because the OS is read-only and your user data is transportable separately from the OS image, whereas we don't really support that17:58
melwittthat's what I think the most common case probably is. but like I said I think if snapshot is a basic feature available in the cloud, I think users would expect to be able to boot from an encrypted snapshot as well17:58
dansmithsean-k-mooney: okay well, we disagree there then17:58
sean-k-mooneymelwitt: right but lest take an example17:59
sean-k-mooneyi boot a vm form an unencypted ubuntu image with a flavor that enabel instance encyption17:59
sean-k-mooneyif we take a snapshot of that then i would expect you to set the hw_ephemeral_encyption image property in the snapshot18:00
sean-k-mooneyand the OS_GLACE_* properties to recored the format18:00
dansmithwhat about cinder?18:01
sean-k-mooneycan you elaberate?18:01
dansmithyou want them to set that property on an encrypted image they upload just in case someone wants to boot from it?18:01
sean-k-mooneyno18:01
dansmithbecause if they don't you'll decrypt their data when you boot from it if you don't know to go set that intent flag18:01
sean-k-mooneybut if we were taking a snapshot of a BFV volume we could18:02
melwittI think that's where I differ in my thought, I don't think hw_ephemeral_encryption (the boolean) on the snapshot. only the secret uuid (os_glance_encrypt_key_id) which implies it is encrypted18:02
sean-k-mooneyit imples the image is18:02
sean-k-mooneybut not that only encypted guest can be crated form it18:02
melwittright18:03
sean-k-mooneyweither we set hw_ephemeral_encyption on the snapshot is a design choose we can make18:03
sean-k-mooneybut to me hw_ephemeral_encyption is the only thing on an image that says the resulting vm must be booted with encypted local storage18:03
dansmithmelwitt: wait, you think that if you snapshot an encrypted instance to an encrypted image and then create another instance from that, it should be de-crypted?18:04
melwittdansmith: no, I don't.. but somewhere along code review someone commented that I should not assume encrypted if the source is encrypted. originally I did assume encrypted if source encrypted18:05
gmannsean-k-mooney: yes, we can use the "files" (files is correct name of var, not relevent-files ) variable to define the  files we want to run  the job when they are changed.18:05
dansmithokay, I missed that I guess.. I definitely do not think we should ever decrypt unless specifically asked18:05
sean-k-mooneydansmith: so to me that means we shoudl reject booting form an image with OS_GLACE_* options18:06
dansmithso if we have the hw_ boolean on the image, I think that either we take the default to match the format, or we *require* it be set to something before we agree to use the image (i.e. tell me what you want me to do with this)18:06
sean-k-mooneyif the flavor or iamge does not have hw_ephemeral_encyption=True18:06
melwittok. I might have misunderstood what the person said. and tbh I need to double check what it's doing at the moment because I don't remember off the top of my head18:06
dansmithsean-k-mooney: we could, but I think we could also punch the users in the face18:06
sean-k-mooneyi think the glance feature is currently broken18:06
dansmiththere is no glance feature (now or in the future) to be clear18:07
sean-k-mooneybecuase to mean the exisitng option are only about the format of the image at rest18:07
sean-k-mooneywithout condiering the extra requiremns for nova/cinder18:07
sean-k-mooneyim confuges but someones at my door brb18:07
gmannsean-k-mooney: and when we have less number of files we want job to run it is better and much readable to define those via "files" var instead of excluding a lot of others via "irrelevant-files"18:08
melwittI think the comment was about the fetch_to_raw method, I originally made it base the destination format on the source format. i.e. if image is encrypted then created disks should be encrypted18:08
dansmithmelwitt: right and that's definitely what I think we should do.. I commented on that method, so I hope I didn't mis-convey that I thought decrypting was the right thing to do18:09
dansmithfetch_to_raw shouldn't really be making that policy decision18:09
dansmithIIRC, that comment was about assuming plain if the source was plain or something, in support of my argument here18:10
melwittdansmith: I may have misinterpreted. I can see the point that it shouldn't make the decision. I hadn't thought of that. either way I'll go back and fix it if it needs fixing because I'm not 100% sure at the moment18:10
melwitt*make the policy decision18:11
dansmithmelwitt: I think my comment was about what happens if you don't pass in explicit requirements to it, but not about what we should do at the high-level as a "policy"18:11
dansmithack18:11
melwittgotcha18:11
sean-k-mooneygmann: ya so the issue is we currently use a negitive regex and zuul has change the regex lib they use and that is not supproted18:11
sean-k-mooneygmann: so we will need to remove all our usages of negitive regex regardlels of which is shorter18:11
sean-k-mooneymelwitt: dansmith would it help to hop on a meet call?.18:12
gmannsean-k-mooney: you mean irrelevant-files is not supported now? and we need to use "'files' and negate=True" ?18:12
sean-k-mooneygmann: no i mean that rc2 does not supprot negitive suffix matches18:13
gmannI am not aware of that, if so then it is a big changes to all the openstack jobs18:13
sean-k-mooneyso we use irrelivent files with "(?! ... )"18:13
gmannsean-k-mooney: ohk, yes that is true. we have done those changes in Tempest too. got it18:13
sean-k-mooney"(?!" is not supported18:13
gmannyes18:13
sean-k-mooneyso when the first email was sent about this change im 99% certin nova was not flagged as needing anychanges18:14
sean-k-mooneynow zuul is omitting a waring18:14
gmannyeah18:14
sean-k-mooneyand i was wondering if anyone is currently fixing this18:14
gmannI am not aware if anyone fixing those. we fixed a few of them in 'branches' variant in past18:15
sean-k-mooneydansmith: melwitt when i said new galnce feature i was refering to the ablity to store an encypted image, which would require supprot in nova/cinder to create an instance/volume form them18:15
sean-k-mooneyfrom my perspective melwitt spec has nothign to do with that18:16
dansmithglance won't have any changes to allow storing an encrypted image18:16
dansmithit's already storing them for cinder18:16
sean-k-mooneyhttps://github.com/openstack/glance-specs/blob/master/specs/2024.1/approved/glance/image-encryption.rst18:17
sean-k-mooneyso that is not going to be implemnted18:17
dansmithit's just a spec to capture the standardization of the properties at this point18:17
dansmithit was originally going to involve some other pieces but I think it's all removed.. either way, as melwitt has demonstrated with her series already, no glance support is required or expected here AFAIK18:18
sean-k-mooneyok but form my perspective os_glance_encrypt_format has nothing to do with the local encyption series18:18
dansmithI understand you feel that way18:18
melwittfwiw sean-k-mooney I don't think it does/has to have something to do with the local encryption series but I'm not following what/why that matters (?)18:20
sean-k-mooneymelwitt: it matter because dan is asserting that if os_glance_encrypt_format is set we cant boot a instnace without encyption form it18:20
sean-k-mooneywhere as i think decypting the image in that case is the correct behavior because the image is not set to enable encyption18:21
melwittsean-k-mooney: from what I understand we were thinking we would be able to if hw_ephemeral_encryption=false or hw:ephemeral_encryption=false on the image or flavor. like if someone explicitly conveys they want it to be decryped18:22
sean-k-mooneywe could make it a trisate and have hw_ephemeral_encryption=false have a diffent menaing then hw_ephemeral_encryption not set18:22
sean-k-mooneybut that is ofthen confusing to users18:22
melwittat least so far (and from before I started working on it), hw_ephemeral_encryption=false has meant explicitly don't encrypt, not set means "don't care", hw_ephemeral_encryption=true18:24
sean-k-mooneyright that is what i expect hw_ephemeral_encryption=false to mean18:25
melwitt*hw_ephemeral_encryption=true means specifically want encrypted18:25
sean-k-mooneybut i also expect unset hw_ephemeral_encryption to maintian the exsiting behavior18:25
sean-k-mooneywhich woudl be unencypted18:25
melwittit does, but I think if the source image is encrypted, the default behavior should be to maintain the encryption no?18:26
dansmith++18:26
sean-k-mooneycorrect18:26
melwittok. I'm not sure we are really disagreeing :)18:26
sean-k-mooneyand for encypted iamges we would do what18:26
* dansmith is so confused18:26
sean-k-mooneyi woudl expect use to reject booting them18:27
* dansmith tables flips18:27
sean-k-mooneyyou have not enabled encyption in nova using either the flavor or image property we are specifying18:27
sean-k-mooneyso there is no way for use to schdule to a host that supprots the feature18:27
melwittI just said encrypted images implies encrypted if hw_ephemeral_encryption is unset, if hw_ephemeral_encryption=false is present, decrypt it18:27
sean-k-mooneyright so i dont think that a backwars compatiabel change.18:28
sean-k-mooneywe coudl make that work but then we have to document this very diffently18:28
melwittyeah I mean if the source image is encrypted and hw_ephemeral_encryption is unset and no host in the cloud supports local encryption, I think it would reject that request and the person has to come back with hw_ephemeral_encryption=false?18:28
sean-k-mooneyright os i dont like relying on an no valid host for that determination18:29
sean-k-mooneyif we want to make this work then i think we shoudl not have image properties to enable instance encyption18:29
sean-k-mooneyand instead just have the flavor extra spec and enabel encyption if the OS_GLANCE_ENCYPTION*18:30
sean-k-mooneyimage property is there18:30
melwittI think the problem with that is then it gives users no way to control it. since flavors are generally admin only created18:30
sean-k-mooneythey woudl contol it by uploading an encypted image18:30
melwitt🤔 18:31
sean-k-mooneyi really think the sandardsation attpemt for the image properies in glance is incorrect18:32
sean-k-mooneyi dont disagree with it in principal but18:32
sean-k-mooneywith the implication it has for nova/cinder18:32
sean-k-mooneydansmith: am i correct in saying you want a single way to express that a given image is encypted and all resouces careated form it should remain encypted" while allso allowing it to be explcitly unecypted via a snapshot18:33
melwittwell the glance image properties are not doing anything to request encryption, they're just describing the image. and on our side I think we should default to encrypted if the source is encrypted, with hw_ephemeral_encryption=false (our image prop, not glance's) being the way out of that if someone wants that18:34
sean-k-mooneymelwitt: i can see that18:34
sean-k-mooneybut in that case if the souce image is encypted 18:34
sean-k-mooneywhen we boot the instance if encyption is not enable din the iamge or the flavor18:35
melwittright18:35
sean-k-mooneywe should write hw_ephemeral_encryption=true to the instance system metadata18:35
sean-k-mooneycorrect?18:35
sean-k-mooneyto record that this instance is using encyption so we can schdule and so it is propagated by default to future snapshots18:35
melwittit will be automatically (as image_hw_ephemeral_encryption=true)18:36
melwittimage properties are stored in system metadata already18:36
melwitt(meaning today, not only with the proposed patch series)18:36
sean-k-mooneywell we just said hw_ephemeral_encryption was unset but the image was encypted18:36
melwittoh, ok sorry. I see what you're saying now18:37
sean-k-mooneybasically if someone creates an image with os_glance_encrypt_format=luks18:38
melwitthm yeah, currently we are covered to maintain encrypted disks via BDM attributes but you're right that doesn't cover the scheduling piece18:38
sean-k-mooneyand we boot a vm form that with a normal flavor with no extra spec18:38
sean-k-mooneywe would need to populate image_hw_ephemeral_encryption=true and image_hw_ephemeral_encryption_format=luks18:39
melwittyeah, I think I understand what you're saying. we wouldn't have the image prop nor flavor extra spec to make sure we're always scheduled to hosts that support local encryption18:39
sean-k-mooneyyep18:39
sean-k-mooneyso we proably dont need hw_ephemeral_encryption_format and could just use os_glance_encrypt_format if we will never suport format convertion18:40
melwittyeah, ok. I think it would make sense to set image_hw_ephemeral_encryption=true in system metadata if we are doing it by implication from the source image. or else need some other way to deal with it18:40
sean-k-mooneyok its getting late for me and dinner/breakfest is calling. im not sure where we are on this topic.18:44
sean-k-mooneyto me it was imporant to be able to take an unecypted image and create an encypted instance form that (vai selecting an encypted flavor)18:45
sean-k-mooneyand by default i would expect snapshots form that encypted instance to stay encypted18:45
sean-k-mooneydan has a different usecase which is taking an encypted image and booting an encypted instance form that18:46
sean-k-mooneysnapshots creates an intersection fo both usescases18:46
melwittI think we all agree on that, it was only the idea of letting the user request or control the encryption format that was being debated18:46
sean-k-mooneywell previosuly i agured that should not be exposed at all18:47
melwitt(agree on flavor hw:ephemeral_encryption=true|false)18:47
sean-k-mooneyi.e. the format used should not be exposed ot the user. that was reintroduced this cycle for the lvm upgrae case18:47
melwittok, so it seems like you and dan agree about that then? provide only the boolean and don't expose a hw_ephemeral_encryption_format ... and the glance image format os_glance_encrypt_format is not related to that, it's only related to describing the image18:48
melwittoh, you mean to support them converting lvm => luks?18:48
sean-k-mooneyyes18:49
melwittif so I forgot that was the reasoning 18:49
melwittok, my bad if I forgot18:49
sean-k-mooneythat why plain came back into the spec18:49
melwittso I get your point is if we are ever going to support format conversions18:50
melwittok.. I thought plain was already in the spec but tbh I can't remember for sure18:50
sean-k-mooneyit was pre zed18:50
sean-k-mooneyand then in antelope and bobcat we removed it and said we woudl only implmeent luks18:51
sean-k-mooneyand we have reverted back now18:51
sean-k-mooneycaracal also only supproted luks18:51
melwitt? I didn't think I changed anything regarding that from bobcat. I need to go look at it 18:52
melwittok, if that's the case then I expect to need to revise the currently proposed spec18:52
sean-k-mooneyi guess this is a delete between the libvirt and non libvirt spec version18:53
melwittI do think maybe it could be a user pain point if we don't give them a way to go lvm => luks 18:53
sean-k-mooneysince the libvirt spec say " As highlighted at the start of this spec this initial support will only be for the LUKSv1 encryption format."18:53
sean-k-mooneymelwitt: right so i was expecting that to happen via a live migrate or similar18:54
sean-k-mooneylvm ->  luks18:54
sean-k-mooneyso this is part of the probelm with having two specs for this18:54
melwittyeah, ok. so maybe what it should say is that's what we support at this time and hw_ephemeral_encryption_format should only be introduced if we are adding the ability to convert formats18:55
sean-k-mooneythe libvirt spec say we will only support luks18:55
sean-k-mooneyright the parent spec says we can supprot plain but then that also implese we can have a diffent image vs instnace encyption format18:56
melwittI think at the very least that would be an additional patch(es) later in the series. the intent was definitely to start with only luks18:56
melwittyeah, I dunno if maybe I should consolidate the specs and just not have the libvirt one going forward? I dunno18:56
sean-k-mooneyyour right that the libvirt one has not changed for what its worth18:57
sean-k-mooneyit has and still does say you would only support luks and the generic one says we will supprot muliple formants and has doen for multipel cycles18:57
melwittok. I'll go through it and make it clear that for now/for early patches it's luks only. and that hw_ephemeral_encryption_format is coupled with format changes and that may or may not be something we add on in later patches18:58
sean-k-mooneythose two are in conflict since this is not being implemented in any other driver18:58
sean-k-mooneyok but then that also bring up the config option18:58
melwittwell, I guess (and we have comments about this on the spec) hw_ephemeral_encryption_format=plain could/would be a way to say "I want lvm encryption specifically"18:58
sean-k-mooneywe dont need [ephemeral_storage_encryption]/default_format if its luks only18:59
sean-k-mooneymelwitt: but we dont want to use that to request legacy lvm encyption right18:59
melwittand the debate on that one is should the cloud (and only the cloud) dictate the format19:00
melwittand that providing a choice of format is implying a mixed cloud, which afaik we don't officially support19:00
sean-k-mooneywe supprot mixed clouds with diffent images_type backends in nova19:00
sean-k-mooneybut we just dont support move operations between images_type backends19:00
melwittyeah I think that's where the comments are at right now, is we don't want to assume a mixed cloud being possible and you get what you get depending on what cloud you're on and what it provides19:00
sean-k-mooneywell its very common ot have some comptues use local storage and other use ceph19:01
sean-k-mooneywither that local storage is lvm or file backed (qcow/raw) is proably workload dependent19:02
melwittok. so if that's the case, then that would be the only real purpose of a hw_ephemeral_encryption_format19:02
melwittI think that will be what drives the existence of hw_ephemeral_encryption_format -- whether or not we are saying we support a mix of lvm and luks hosts19:02
sean-k-mooneyyes but landing on a host with the legacy lvm supprot would not be vlaid for hw_ephemeral_encryption_format19:02
sean-k-mooneyhw_ephemeral_encryption_format should be the new feature exclively right19:03
melwittthere are placement traits for the format19:03
melwittso we could schedule based on that if we had a mix19:03
sean-k-mooneyright but im saying that COMPUTE_EPHEMERAL_ENCRYPTION_PLAIN does not imply lvm19:03
sean-k-mooneyit impikes nova si cable of booting the instance with stoage that uses the dmcypt_plain encyption format19:04
melwittit does in the universe of the local encryption feature as far as I understand it19:04
melwittbecause I didn't think we were wanting to offer dm-crypt plain for anything new19:04
sean-k-mooneyit could be a rbd volume mounted with dmcypt no?19:05
melwittso the only thing COMPUTE_EPHEMERAL_ENCRYPTION_PLAIN could mean is lvm and [ephemeral_storage_encryption]enabled=true or whatever19:05
sean-k-mooneymelwitt: so to me COMPUTE_EPHEMERAL_ENCRYPTION_PLAIN imples using the new feature which also impleis storign seperate secrets for each disk in barbican ectra19:05
melwittthat is not my understanding that we would be supporting rbd with dm-crypt plain19:06
sean-k-mooneythe spec does not say you will implment it19:06
sean-k-mooneybut takeing a step back and looking at the trait defintion that woudl be a vaild implmeation in nova19:06
melwittI think (and I could be wrong because I never discussed this with Lee) but I think PLAIN was intended to be for retrofitting legacy (lvm) encryption into the new model19:06
melwittand no longer use the config options for lvm encryption19:07
sean-k-mooneyperhaps but i would not consider the legacy lvm supprot to be a valid impletation with regards to reporting COMPUTE_EPHEMERAL_ENCRYPTION19:08
melwittthe spec has always said "deprecate legacy lvm config and make lvm encrypt work with the flavor/image model"19:08
sean-k-mooneyperhaps we would need to granfather it in for upgrade reasons19:08
sean-k-mooneybut today if you use the legacy feature its not reflected in the bdms right19:08
melwittyeah I think the intent was/is to consolidate the way in which local encryption is requested and scheduled and all that19:08
melwittto make it all work the same way19:09
melwittI'm not sure about lvm in BDMs, I have to double check19:09
sean-k-mooneyyes but my understaindg is that it was replacing and "adopting" the existing lvm volumes19:09
sean-k-mooneyi.e. we would back populate the bdms with the encyption flags and format info19:09
melwittmy understanding is that it also provides the mechanism for requesting lvm going forward19:10
sean-k-mooneyso lvm encyption is not somethign you request today its config drivven only19:10
melwittI think it's supposed to be all of that. replace/adopt + support creating new instances with lvm using flavor/image and no more lvm encryption config options19:10
melwittright..19:11
sean-k-mooneybut the new lvm instance would not use the config options19:11
melwittright19:11
sean-k-mooneywe would use the flavor/iamge properties19:11
sean-k-mooneyand unlike the adoptied ones19:11
sean-k-mooneyeach lvm disk would have its own key19:11
sean-k-mooneyjust like with qcow19:11
melwittyes, that is what I thought the spec was intending19:12
melwittto not have two separate ways of doing local encryption19:12
sean-k-mooneyright19:12
melwittand in the process lvm gains some new user friendly abilities as a result19:12
sean-k-mooneybut that would only result in host tha tuse lvm reporting COMPUTE_EPHEMERAL_ENCRYPTION19:13
sean-k-mooneyafter we supprot upgrading the exiting instnaces19:13
melwittok. so all that said, my understanding was that for the current chunk we're trying to do now in dalmatian we are only doing luks and leaving lvm as the legacy config options at this time19:13
sean-k-mooneyyep19:13
sean-k-mooneythats what i tought too19:13
sean-k-mooneyso supporting rbd,raw/flat,qcow19:14
sean-k-mooneybut not lvm19:14
melwittok. so it seems then that we would hold off on introducing hw_ephemeral_encryption_format until we work on the lvm support19:14
melwittright19:14
sean-k-mooneyand the exisitng lvm fature will be deprecate but not removed until we can adopt them into the new framework19:14
sean-k-mooneyyes we would only need hw_ephemeral_encryption_format if we supprot somethign other hten luksv119:15
sean-k-mooneywhich also means if os_glance_encrypt_format is set to anything other then luks we shoudl reject that too right19:16
melwittok, I think we all agree about that. so I'll update the spec to explain this in a lot of detail 😂 and that hw_ephemeral_encryption_format will not be part of this first chunk and that it would come into play only when we work on adding support for lvm19:16
sean-k-mooneyand do we agree the same is true for the config option19:17
melwittI think it would be reasonable to reject that yes, if os_glance_encrypt_format is not luks. we won't be able to honor it19:17
sean-k-mooneyok19:17
melwittI think I made the config option a choices= where the only choice is luks19:18
melwittbut I'll double check and make it that if it isn't already19:18
sean-k-mooneyok19:18
sean-k-mooneyif its only luks then i dont think we need it personally19:18
melwittthat's a fair point. I suppose all it could potentially be helping with transparency but I could see the argument not to have it19:20
opendevreviewMerged openstack/nova master: Enable OCaaS for several nova jobs  https://review.opendev.org/c/openstack/nova/+/91973819:20
sean-k-mooneyi think what we are setteling on is we only need 1 extra spec/image property the boolean hw:ephemeral_encryption/hw_ephemeral_encryption19:20
melwittthat is also my understanding19:20
sean-k-mooneyand if that is unset and the image in encyped then the vm would be encypted too19:20
sean-k-mooneymeaning you dont have to opt in for encypted images19:20
melwittyes, that's what I understand as well19:21
sean-k-mooneyso there is only one last bit i want to check19:21
sean-k-mooneywill we allow an opt out via the flavor i.e. hw:ephemeral_encryption=false and os_glance_encrypt_format=luks19:22
sean-k-mooneyshould that be a 409 conflict19:22
sean-k-mooneyor decypt the image19:22
melwittthe main thing is I think we want to avoid an unpleasant surprise on that. similar to the encrypted rescue image, not to just decrypt it 19:22
melwittI think the desire based on current code review comments is that it would decrypt in that case19:22
sean-k-mooneypersonally im feeling like hw:ephemeral_encryption=false and os_glance_encrypt_format=luks woudl be a 409 conflict at least for now19:22
melwittyeah, I think it would be fair to start with that19:23
sean-k-mooneythe reason i hesitate there is it would allow anyoen in the same project (realy that has access to the image secret) to trivially/acidentaly decypt the image19:23
melwittand tack on a separate patch that enables the ability to request decryption19:24
melwittbecause it's like a user experience thing. not really "required" but nice to have to give users that ability19:24
sean-k-mooneyits not uncommon for peopel to query flavors by size and select the first one that they find19:24
melwittyeah. that would be my only concern with it as well19:24
sean-k-mooneyto be fair if thte image had os_glance_encrypt_format=luks hw_ephemeral_encryption=ture19:25
sean-k-mooneyi think we all agree it should be a 409 conflict if the flavor has hw:ephemeral_encryption=false19:25
sean-k-mooneybut since the arguement is being made that os_glance_encrypt_format=luks effectivly implies hw_ephemeral_encryption=ture19:26
sean-k-mooneyim wonderin if we shoudl also imply it when comparing ot a flavor with  hw:ephemeral_encryption=false19:26
melwittI expect we all agree that's an ok first step. we've been trying to keep patches smaller in this thing as well so I have been splitting smaller things like that into their own patch19:26
sean-k-mooneyok19:26
sean-k-mooneyso before this converstaion i was tending to say "ok ill approve the spec and we can take it to the implemeation" no i feel like we were not on the same page but have got much closer19:27
sean-k-mooneyso my stomach say i shoudl have breakfast/dinner19:27
sean-k-mooneybut i also dont really want to leave this open19:27
sean-k-mooneyso melwitt how do you want to proceed19:28
melwittyeah so I was thinking if os_glance_encrypt_format=luks (and really mainly just the presence of os_glance_encrypt_key_id) then if hw:ephemeral_encryption=false is in direct conflict and would act the same as the image conflict. until we offer decryption later if we do that19:28
sean-k-mooneyack i think that is logicaly consitent19:29
sean-k-mooneyi feel like os_glance_encrypt_key_id is only valid if all the other os_glance_encrypt_* are dfeind 19:30
melwittsean-k-mooney: I think it would probably be best to update the spec now. either way I will update it -- if it gets approved as-is I will still have an amendment proposed shortly. to not forget all this stuff19:30
melwittso either way is fine with me19:30
melwittI agree. I think that is the intent in the standardized properties anyway19:30
sean-k-mooneyso its not clear to me if we shoudl be checking any spefici one of those keys or if any of them exist19:30
melwittyeah.. I'll probably add validation for that just to make a better experience. I'm not sure if they are all required to be set from a glance perspective. like, will glance reject upload of an image that only sets one or a subset of them? or maybe if it does allow it, it will fill it defaults itself19:32
melwittso either way on the nova side we would expect/require them all to be set if one is set19:32
sean-k-mooneyso the glance spec used ot have a seperate nova spec https://review.opendev.org/c/openstack/nova-specs/+/608696/11/specs/train/approved/image-encryption.rst19:32
sean-k-mooneyfor how we would use those19:32
melwittfrom my perspective at a minimum if os_glance_encrypt_key_id is set, then os_glance_encrypt_format is required19:33
sean-k-mooneyin that they explictly talk about adding supprot for decypting the encyped image when booting the instnace19:33
sean-k-mooneymelwitt: ya i think those two are requried and likely the type as well i.e. symetic19:33
melwittah ok19:34
sean-k-mooneyhaving said that i think we are only going to support symmetric encption19:34
melwittah right19:34
sean-k-mooneyso i guess if its single valued19:34
sean-k-mooneyit does not matter for now19:34
sean-k-mooneymelwitt: you know what would help 19:36
melwittyeah, we can adapt that as we go along. if we think more than just those two should be required to be present to be valid19:36
melwittbecause the other use case is an individual user uploading an encrypted image19:36
sean-k-mooneyin your spec can you define the only values of the os_glance_encrypt* properties that will actully work for now19:36
melwittso not sure if they will be required to provide all image properties19:36
sean-k-mooneylike will you be using os_glance_decrypt_size?19:37
sean-k-mooneyi dont think you are your using virt_size + 1G in the check right19:38
melwittsure I can add specifics about which ones we are requiring19:38
melwittthere is a check for that somewhere actually19:38
sean-k-mooneywell it might hjsut be good to say hay nova is not using os_glance_decrypt_size19:38
melwitttoday we validate image size in some way and I had to add the "plus overhead" to the calc if encrypted for it to pass19:39
sean-k-mooneyright19:39
sean-k-mooneybut if i rememebr reviewing that code we do not use os_glance_decrypt_size19:39
melwittyeah I guess really i could use os_glance_decrypt_size instead for the validation if the image is encrypted. since that's what we actually care about, is if the decrypted size will fit in the chosen flavor19:40
melwittno we didn't have os_glance* properties proposed at the time19:40
sean-k-mooneyos_glance_decrypt_size and os_glance_decrypt_container_format i think are for the usecase of booting form an encypted iamge and decypting it on the host19:40
melwittwell, sorry19:40
sean-k-mooneywhich would imply they expect the virtual_size to include the overhead19:41
melwittthey were proposed already but we were not planning to use them initially19:41
sean-k-mooneywhen its encypted19:41
melwittbut at the ptg we agreed to use them so I will be changing where needed to use those instead of what I had put19:41
sean-k-mooneysure but os_glance_decrypt_size is defied as "size after payload decryption"19:41
sean-k-mooneywhich would be the size of the data insid ethe luks encyption19:42
sean-k-mooneynot the size on disk fo the encypted images19:42
sean-k-mooneyso i dont think it actully helps us 19:42
melwittright.. maybe I'm getting confused19:42
sean-k-mooneyi think this is explcitly for the usecase of booting non encypted instance form an encypted image19:43
sean-k-mooneyso that we woudl know how big it is after we strip the encyption from it19:43
melwittthe point I was meaning really is I'll use them when applicable19:43
sean-k-mooneyack19:43
sean-k-mooneyok ill chat ot you tomorrow o/19:44
melwittok I see what you're saying19:44
melwittok, seeya tomorrow o/19:44
opendevreviewMerged openstack/nova master: Enable virtio-scsi in nova-next  https://review.opendev.org/c/openstack/nova/+/91845821:41
« Sunday, 2024-05-19 Index Tuesday, 2024-05-21 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!