opendevreview | Merged openstack/nova master: Fix port group network metadata generation https://review.opendev.org/c/openstack/nova/+/923530 | 00:18 |
---|---|---|
opendevreview | Mohammed Naser proposed openstack/nova stable/2024.1: Fix port group network metadata generation https://review.opendev.org/c/openstack/nova/+/923689 | 00:26 |
*** bauzas_ is now known as bauzas | 02:11 | |
*** bauzas_ is now known as bauzas | 03:03 | |
opendevreview | melanie witt proposed openstack/nova master: Support encrypted backing files for qcow2 https://review.opendev.org/c/openstack/nova/+/907961 | 03:27 |
opendevreview | melanie witt proposed openstack/nova master: Support rescue with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/873675 | 03:27 |
opendevreview | melanie witt proposed openstack/nova master: Support snapshot with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/870937 | 03:27 |
opendevreview | melanie witt proposed openstack/nova master: Support cross cell resize with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/909595 | 03:27 |
opendevreview | melanie witt proposed openstack/nova master: libvirt: Introduce support for raw with LUKS https://review.opendev.org/c/openstack/nova/+/884313 | 03:27 |
opendevreview | melanie witt proposed openstack/nova master: libvirt: Introduce support for rbd with LUKS https://review.opendev.org/c/openstack/nova/+/889912 | 03:27 |
opendevreview | Merged openstack/nova stable/2024.1: add functional repoducer for bug 2065927 https://review.opendev.org/c/openstack/nova/+/922950 | 04:08 |
opendevreview | Merged openstack/nova stable/2024.1: retry write_sys call on device busy https://review.opendev.org/c/openstack/nova/+/922984 | 05:41 |
opendevreview | melanie witt proposed openstack/nova master: Consolidate vTPM and ephemeral encryption secret creation https://review.opendev.org/c/openstack/nova/+/912094 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: libvirt: Add optional 'description' kwarg to create_secret() https://review.opendev.org/c/openstack/nova/+/919986 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Follow up for encryption secret create consolidation https://review.opendev.org/c/openstack/nova/+/921586 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Remove use of (hw:|hw_)ephemeral_encryption_format https://review.opendev.org/c/openstack/nova/+/921343 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Add EncryptDetails object for ephemeral encryption https://review.opendev.org/c/openstack/nova/+/921344 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Add database migration to ALTER encryption_options https://review.opendev.org/c/openstack/nova/+/921587 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Support create with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/870932 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Validate key manager create access in API https://review.opendev.org/c/openstack/nova/+/919989 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Clean up unused ephemeral encryption libvirt secrets https://review.opendev.org/c/openstack/nova/+/919990 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: libvirt: "Auto heal" ephemeral encryption secrets on guest launch https://review.opendev.org/c/openstack/nova/+/919991 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Support (resize|cold migration) with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/870933 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Support live migration with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/905512 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Support rebuild with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/870939 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Add Glance standardized encryption image properties https://review.opendev.org/c/openstack/nova/+/921345 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Support encrypted source images for qcow2 https://review.opendev.org/c/openstack/nova/+/919992 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Add encryption support to qemu-img rebase https://review.opendev.org/c/openstack/nova/+/870936 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Add backing_encryption_secret_uuid to BlockDeviceMapping https://review.opendev.org/c/openstack/nova/+/907960 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Support encrypted backing files for qcow2 https://review.opendev.org/c/openstack/nova/+/907961 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Support rescue with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/873675 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Support snapshot with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/870937 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: Support cross cell resize with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/909595 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: libvirt: Introduce support for raw with LUKS https://review.opendev.org/c/openstack/nova/+/884313 | 06:05 |
opendevreview | melanie witt proposed openstack/nova master: libvirt: Introduce support for rbd with LUKS https://review.opendev.org/c/openstack/nova/+/889912 | 06:05 |
opendevreview | Robert Hoffmann proposed openstack/nova master: Fix: clean up volume attachments https://review.opendev.org/c/openstack/nova/+/923646 | 06:23 |
opendevreview | Takashi Kajinami proposed openstack/nova master: Migrate MEM_ENCRYPTION_CONTEXT from root provider https://review.opendev.org/c/openstack/nova/+/921814 | 06:34 |
mikal | sean-k-mooney: I've been off sick for the last week and a half. I'll take a look at your review comments ASAP... | 08:17 |
sean-k-mooney | mikal: no worries we have a week and a half till spec freeze | 08:25 |
sean-k-mooney | im currently working on some backport so my attention is elsewhere at the moment | 08:26 |
opendevreview | sean mooney proposed openstack/nova stable/2024.1: port format inspector tests from glance https://review.opendev.org/c/openstack/nova/+/923722 | 09:41 |
opendevreview | sean mooney proposed openstack/nova stable/2024.1: Reproduce iso regression with deep format inspection https://review.opendev.org/c/openstack/nova/+/923723 | 09:42 |
opendevreview | sean mooney proposed openstack/nova stable/2024.1: Add iso file format inspector https://review.opendev.org/c/openstack/nova/+/923724 | 09:42 |
mikal | sean-k-mooney: the bit I don't understand without reading more code (and perhaps you can short circuit that for me) is where we'd store the access token. So if nova provided the user with a token and the user took that token to kerbside, how does kerbside turn it back into a tcp host and port from nova? | 09:54 |
mikal | sean-k-mooney: I guess I am hoping there's some existing websocket proxy mechanism that can be reused instead of changing the database schema, but I haven't felt well enough to dig into it yet. | 09:55 |
sean-k-mooney | mikal: the token is stored in the cell db | 10:14 |
sean-k-mooney | so kerbside would call the console show api with the console token using a keystone token with the service role | 10:14 |
sean-k-mooney | and we would include the host specific port/ip info in the response | 10:14 |
mikal | sean-k-mooney: oh that would be nice if it avoids changing the mysql schema. I will dig into this ASAP. | 10:18 |
sean-k-mooney | mikal: i was basically hoping that https://docs.openstack.org/api-ref/compute/#show-console-connection-information would work for your usecase. | 10:18 |
sean-k-mooney | the main problem i see with that today is 1.) ensuring it has the info you need, 2.) ensuring you can call it for the given tenant/project | 10:19 |
sean-k-mooney | normally that api is called with a project scoped token | 10:19 |
sean-k-mooney | so what we might need is for the user to call kerbside with a project scoped token and for kerbside to call nova with the user provided keystone token + a service token to show the extra info | 10:20 |
sean-k-mooney | the user token will have the keystone project info allowing the api call to be scoped to the correct project/tenant and the service user token (generated by kerbside) will grant access to any required hypervisor specific info | 10:21 |
sean-k-mooney | the console token (separate from the keystone token) acts as the lookup key | 10:22 |
sean-k-mooney | to pull the info for the relevant instance | 10:22 |
sean-k-mooney | i know its kind of confusing to have 3 tokens at play but hopefully that makes sense | 10:22 |
mikal | sean-k-mooney: yeah, I think that makes sense. I don't know how to code it, but I am sure that's a learnable thing. | 10:27 |
sean-k-mooney | this is not the best example since its using keystone auth not the sdk but https://github.com/openstack/nova/blob/master/nova/service_auth.py | 10:29 |
sean-k-mooney | the service token is just an additional header with a second keystone token | 10:29 |
sean-k-mooney | its original use was "trust me bro when the user called me the user token had not expired yet" | 10:30 |
sean-k-mooney | since then we have now introduced the service role and a service token with that role denotes a call from a cloud infra level service | 10:31 |
sean-k-mooney | typically another openstack service but in this case kerbside | 10:31 |
sean-k-mooney | so in theory all kerbside has to do is grab and reuse the users keystone token from the request header, parse the console token out of the url, generate a new keystone token from config with its own username/password to use as the service token and call the get console endpoint | 10:33 |
*** bauzas_ is now known as bauzas | 10:34 | |
sean-k-mooney | at which point nova internally can lookup the hypervisor specific info and return it to kerbside and you can set up the proxy forwarding | 10:34 |
sean-k-mooney | im not sure that flow will work for your usecase but if it does it would be very similar to how the other proxies work | 10:35 |
sean-k-mooney | they just happen to have direct db access and can bypass the api call to get the hypervisor info | 10:35 |
opendevreview | sean mooney proposed openstack/nova stable/2023.2: port format inspector tests from glance https://review.opendev.org/c/openstack/nova/+/923727 | 10:37 |
opendevreview | sean mooney proposed openstack/nova stable/2023.2: Reproduce iso regression with deep format inspection https://review.opendev.org/c/openstack/nova/+/923728 | 10:37 |
opendevreview | sean mooney proposed openstack/nova stable/2023.2: Add iso file format inspector https://review.opendev.org/c/openstack/nova/+/923729 | 10:37 |
opendevreview | sean mooney proposed openstack/nova stable/2023.1: port format inspector tests from glance https://review.opendev.org/c/openstack/nova/+/923731 | 10:38 |
opendevreview | sean mooney proposed openstack/nova stable/2023.1: Reproduce iso regression with deep format inspection https://review.opendev.org/c/openstack/nova/+/923732 | 10:38 |
opendevreview | sean mooney proposed openstack/nova stable/2023.1: Add iso file format inspector https://review.opendev.org/c/openstack/nova/+/923733 | 10:38 |
mikal | sean-k-mooney: I think that flow would work. I have to go put a kid to bed though, I will try and get some more done on this tomorrow. | 10:42 |
sean-k-mooney | mikal: ack hopefully you're feeling better, don't push yourself too hard to get back into things o/ | 10:44 |
mikal | sean-k-mooney: although, does kerbside even need the user token? Surely possession of the console token itself is sufficient and then kerbside just uses it to lookup the specific connection details? The advantage of that is that SPICE clients just fetch a URL without understanding openstack at all, and bam they're in a console. | 10:44 |
sean-k-mooney | the user token is needed by nova to lookup the console token currently | 10:45 |
mikal | sean-k-mooney: I am a bit worried about the approval deadline, but such is life. | 10:45 |
sean-k-mooney | its a project scoped api | 10:45 |
sean-k-mooney | we might be able to make it work without it | 10:45 |
sean-k-mooney | i'm just not sure what the unique constraint is on the console token | 10:45 |
mikal | sean-k-mooney: oh, that's a bit sad. It would be nice if that could be a token a service account could look up. | 10:46 |
sean-k-mooney | i.e. is it unique globally, per project etc. | 10:46 |
sean-k-mooney | if its globally unique we may be able to just use the service token but im not sure on the exact code paths involved | 10:46 |
mikal | sean-k-mooney: I would hope these tokens are effectively large random numbers, but yeah I see the point. | 10:46 |
sean-k-mooney | i believe they are uuids | 10:46 |
sean-k-mooney | but ya we can check that and see what makes sense | 10:47 |
mikal | Ok, this can be a tomorrow problem but thanks for the chat, it's been helpful. | 10:48 |
opendevreview | Stephen Finucane proposed openstack/nova master: [codespell] Fixes for latest version https://review.opendev.org/c/openstack/nova/+/923738 | 11:03 |
opendevreview | Stephen Finucane proposed openstack/nova master: pre-commit: Bump versions https://review.opendev.org/c/openstack/nova/+/923739 | 11:03 |
elodilles | hi team, just a heads up: nova 29.1.0 (2024.1 Caracal), 28.2.0 (2023.2 Bobcat), 27.4.0 (2023.1 Antelope) stable versions have been released a couple of minutes ago | 11:16 |
*** bauzas_ is now known as bauzas | 11:30 | |
sean-k-mooney | ack we will likely need to do another release of them for the iso format backports once they land. we fixed up the ami regression in the upstream backport but we can wait a week or so for those to make their way through the upstream ci without the frantic queue jumping etc. | 11:32 |
elodilles | sean-k-mooney: ACK, thanks for the info, let me know when i can help with the backports & stable release | 11:36 |
opendevreview | sean mooney proposed openstack/nova master: fix qemu-img version dependent tests https://review.opendev.org/c/openstack/nova/+/923755 | 14:12 |
opendevreview | Jens Harbott proposed openstack/nova master: DNM: Test devstack change https://review.opendev.org/c/openstack/nova/+/923759 | 14:41 |
opendevreview | Jimmy McCrory proposed openstack/nova-specs master: Re-propose nova-audit spec for 2024.2 https://review.opendev.org/c/openstack/nova-specs/+/923761 | 14:48 |
*** bauzas_ is now known as bauzas | 15:03 | |
sean-k-mooney | gibi: stephenfin melwitt can ye review https://review.opendev.org/c/openstack/nova/+/923755 please | 15:15 |
sean-k-mooney | tl;dr is centos and other rhel derived distros compile out some image formats like QED and others depend on the version | 15:16 |
sean-k-mooney | so that adds a check to ensure qemu supports the relevant format otherwise it skips the test | 15:17 |
sean-k-mooney | elodilles: ^ when it comes to backporting the iso regression support we have a choice to backport that skip patch as is or squash it into the patch that adds the version dependent tests. do you have any preference | 15:20 |
stephenfin | sean-k-mooney: done. Left a comment. Can bump to +2 if you don't want to rework | 15:36 |
sean-k-mooney | we are using Exception elsewhere in the file so i would prefer to keep it the same | 15:46 |
sean-k-mooney | stephenfin: you are correct we likely could be more specific here, this will eventually be moved to oslo too and we are expecting to rework it when we do that | 15:47 |
stephenfin | ack | 15:48 |
JayF | sean-k-mooney: what's the ETA on that being oslo'd? | 15:56 |
sean-k-mooney | JayF: dan is on pto this week so not until we have fully finished all the backports for the iso format regression and he is back | 15:58 |
JayF | ack ty | 15:58 |
sean-k-mooney | so this cycle but probably not this week or next | 15:58 |
sean-k-mooney | if we need to keep it in tree for this cycle it's not the end of the world but i think we would like to move it before the non-client lib freeze | 15:59 |
sean-k-mooney | so we probably need to do it in july | 15:59 |
tkajinam | Considering how image format handling can be tricky I wonder if we want to keep them in-tree for some time to simplify backports of further regression fixes. ex. keeping these in-tree for 2024.2 and oslo'ing these in 2025.1 | 16:07 |
tkajinam | This is not a very strong opinion though. | 16:07 |
tkajinam | Is the meeting today canceled, right ? I think bauzas is off this week. | 16:10 |
clarkb | separately having them in a central lib that can be bumped easily to affect all related services at once may be easier than managing in separate trees and backporting separately | 16:10 |
tkajinam | yeah. it makes maintenance of future branches much easier | 16:11 |
tkajinam | we may probably be able to do "pseudo-"backport even after we oslo-nize the code | 16:11 |
tkajinam | I was wondering how I can move https://review.opendev.org/c/openstack/nova-specs/+/907702 forward but I guess people have been busy with CVE fix. I'd bring maybe this next week. I saw SEV-SNP support was finally merged into kernel/QEMU/libvirt so I would work on SNP support in 2025.1 hopefully. | 16:13 |
sean-k-mooney | as i said for dalmatian we can likely live with it in tree if we have to | 17:44 |
sean-k-mooney | i am hoping the detection code will stay pretty stable at this point | 17:45 |
sean-k-mooney | but we may need to be reactive to any future issue that people find as this starts percolating into production | 17:45 |
sean-k-mooney | long term however we don't want to have to port things like iso support to glance and cinder etc. | 17:45 |
sean-k-mooney | if we can just have it in a shared lib | 17:46 |
opendevreview | Jay Faulkner proposed openstack/nova master: [ironic] Ensure we test iterators when needed https://review.opendev.org/c/openstack/nova/+/923781 | 17:51 |
JayF | ^ is literally a one line, 6 character unit test change if someone wants an easy review (we only had one place that we were mis-testing against a list) | 17:52 |
sean-k-mooney | is that related to the sdk thing | 17:53 |
sean-k-mooney | oh yep | 17:53 |
JayF | Just fulfilling my promise to circle back after that bug was filed and ensure we didn't have any others in that shape | 17:53 |
sean-k-mooney | JayF: i have directly approved it | 17:56 |
JayF | nice, thanks | 17:57 |
JayF | I'm about to open up your metadata patch series after lunch :D | 17:57 |
opendevreview | Merged openstack/nova master: fix qemu-img version dependent tests https://review.opendev.org/c/openstack/nova/+/923755 | 18:52 |
*** bauzas_ is now known as bauzas | 18:54 | |
opendevreview | Merged openstack/nova master: [ironic] Ensure we test iterators when needed https://review.opendev.org/c/openstack/nova/+/923781 | 19:11 |
*** bauzas_ is now known as bauzas | 20:58 | |
opendevreview | Jay Faulkner proposed openstack/nova master: WIP: [ironic] Send additional metadata for ironic https://review.opendev.org/c/openstack/nova/+/923797 | 22:59 |
JayF | sean-k-mooney: ^ I wouldn't mind collapsing 923797 with yours, I don't see why they have to be separate, but wanted your $.02 before I did it | 23:00 |