Tuesday, 2024-07-09

opendevreview: Merged openstack/nova master: Fix port group network metadata generation  https://review.opendev.org/c/openstack/nova/+/923530 00:18
opendevreview: Mohammed Naser proposed openstack/nova stable/2024.1: Fix port group network metadata generation  https://review.opendev.org/c/openstack/nova/+/923689 00:26
*** bauzas_ is now known as bauzas 02:11
*** bauzas_ is now known as bauzas 03:03
opendevreview: melanie witt proposed openstack/nova master: Support encrypted backing files for qcow2  https://review.opendev.org/c/openstack/nova/+/907961 03:27
opendevreview: melanie witt proposed openstack/nova master: Support rescue with ephemeral encryption for qcow2  https://review.opendev.org/c/openstack/nova/+/873675 03:27
opendevreview: melanie witt proposed openstack/nova master: Support snapshot with ephemeral encryption for qcow2  https://review.opendev.org/c/openstack/nova/+/870937 03:27
opendevreview: melanie witt proposed openstack/nova master: Support cross cell resize with ephemeral encryption for qcow2  https://review.opendev.org/c/openstack/nova/+/909595 03:27
opendevreview: melanie witt proposed openstack/nova master: libvirt: Introduce support for raw with LUKS  https://review.opendev.org/c/openstack/nova/+/884313 03:27
opendevreview: melanie witt proposed openstack/nova master: libvirt: Introduce support for rbd with LUKS  https://review.opendev.org/c/openstack/nova/+/889912 03:27
opendevreview: Merged openstack/nova stable/2024.1: add functional repoducer for bug 2065927  https://review.opendev.org/c/openstack/nova/+/922950 04:08
opendevreview: Merged openstack/nova stable/2024.1: retry write_sys call on device busy  https://review.opendev.org/c/openstack/nova/+/922984 05:41
opendevreview: melanie witt proposed openstack/nova master: Consolidate vTPM and ephemeral encryption secret creation  https://review.opendev.org/c/openstack/nova/+/912094 06:05
opendevreview: melanie witt proposed openstack/nova master: libvirt: Add optional 'description' kwarg to create_secret()  https://review.opendev.org/c/openstack/nova/+/919986 06:05
opendevreview: melanie witt proposed openstack/nova master: Follow up for encryption secret create consolidation  https://review.opendev.org/c/openstack/nova/+/921586 06:05
opendevreview: melanie witt proposed openstack/nova master: Remove use of (hw:|hw_)ephemeral_encryption_format  https://review.opendev.org/c/openstack/nova/+/921343 06:05
opendevreview: melanie witt proposed openstack/nova master: Add EncryptDetails object for ephemeral encryption  https://review.opendev.org/c/openstack/nova/+/921344 06:05
opendevreview: melanie witt proposed openstack/nova master: Add database migration to ALTER encryption_options  https://review.opendev.org/c/openstack/nova/+/921587 06:05
opendevreview: melanie witt proposed openstack/nova master: Support create with ephemeral encryption for qcow2  https://review.opendev.org/c/openstack/nova/+/870932 06:05
opendevreview: melanie witt proposed openstack/nova master: Validate key manager create access in API  https://review.opendev.org/c/openstack/nova/+/919989 06:05
opendevreview: melanie witt proposed openstack/nova master: Clean up unused ephemeral encryption libvirt secrets  https://review.opendev.org/c/openstack/nova/+/919990 06:05
opendevreview: melanie witt proposed openstack/nova master: libvirt: "Auto heal" ephemeral encryption secrets on guest launch  https://review.opendev.org/c/openstack/nova/+/919991 06:05
opendevreview: melanie witt proposed openstack/nova master: Support (resize|cold migration) with ephemeral encryption for qcow2  https://review.opendev.org/c/openstack/nova/+/870933 06:05
opendevreview: melanie witt proposed openstack/nova master: Support live migration with ephemeral encryption for qcow2  https://review.opendev.org/c/openstack/nova/+/905512 06:05
opendevreview: melanie witt proposed openstack/nova master: Support rebuild with ephemeral encryption for qcow2  https://review.opendev.org/c/openstack/nova/+/870939 06:05
opendevreview: melanie witt proposed openstack/nova master: Add Glance standardized encryption image properties  https://review.opendev.org/c/openstack/nova/+/921345 06:05
opendevreview: melanie witt proposed openstack/nova master: Support encrypted source images for qcow2  https://review.opendev.org/c/openstack/nova/+/919992 06:05
opendevreview: melanie witt proposed openstack/nova master: Add encryption support to qemu-img rebase  https://review.opendev.org/c/openstack/nova/+/870936 06:05
opendevreview: melanie witt proposed openstack/nova master: Add backing_encryption_secret_uuid to BlockDeviceMapping  https://review.opendev.org/c/openstack/nova/+/907960 06:05
opendevreview: melanie witt proposed openstack/nova master: Support encrypted backing files for qcow2  https://review.opendev.org/c/openstack/nova/+/907961 06:05
opendevreview: melanie witt proposed openstack/nova master: Support rescue with ephemeral encryption for qcow2  https://review.opendev.org/c/openstack/nova/+/873675 06:05
opendevreview: melanie witt proposed openstack/nova master: Support snapshot with ephemeral encryption for qcow2  https://review.opendev.org/c/openstack/nova/+/870937 06:05
opendevreview: melanie witt proposed openstack/nova master: Support cross cell resize with ephemeral encryption for qcow2  https://review.opendev.org/c/openstack/nova/+/909595 06:05
opendevreview: melanie witt proposed openstack/nova master: libvirt: Introduce support for raw with LUKS  https://review.opendev.org/c/openstack/nova/+/884313 06:05
opendevreview: melanie witt proposed openstack/nova master: libvirt: Introduce support for rbd with LUKS  https://review.opendev.org/c/openstack/nova/+/889912 06:05
opendevreview: Robert Hoffmann proposed openstack/nova master: Fix: clean up volume attachments  https://review.opendev.org/c/openstack/nova/+/923646 06:23
opendevreview: Takashi Kajinami proposed openstack/nova master: Migrate MEM_ENCRYPTION_CONTEXT from root provider  https://review.opendev.org/c/openstack/nova/+/921814 06:34
mikal: sean-k-mooney: I've been off sick for the last week and a half. I'll take a look at your review comments ASAP... 08:17
sean-k-mooney: mikal: no worries we have a week and a half till spec freeze 08:25
sean-k-mooney: i'm currently working on some backport so my attention is elsewhere at the moment 08:26
opendevreview: sean mooney proposed openstack/nova stable/2024.1: port format inspector tests from glance  https://review.opendev.org/c/openstack/nova/+/923722 09:41
opendevreview: sean mooney proposed openstack/nova stable/2024.1: Reproduce iso regression with deep format inspection  https://review.opendev.org/c/openstack/nova/+/923723 09:42
opendevreview: sean mooney proposed openstack/nova stable/2024.1: Add iso file format inspector  https://review.opendev.org/c/openstack/nova/+/923724 09:42
mikal: sean-k-mooney: the bit I don't understand without reading more code (and perhaps you can short circuit that for me) is where we'd store the access token. So if nova provided the user with a token and the user took that token to kerbside, how does kerbside turn it back into a tcp host and port from nova? 09:54
mikal: sean-k-mooney: I guess I am hoping there's some existing websocket proxy mechanism that can be reused instead of changing the database schema, but I haven't felt well enough to dig into it yet. 09:55
sean-k-mooney: mikal: the token is stored in the cell db 10:14
sean-k-mooney: so kerbside would call the console show api with the console token using a keystone token with the service role 10:14
sean-k-mooney: and we would include the host specific port/ip info in the response 10:14
mikal: sean-k-mooney: oh that would be nice if it avoids changing the mysql schema. I will dig into this ASAP. 10:18
sean-k-mooney: mikal: i was basically hoping that https://docs.openstack.org/api-ref/compute/#show-console-connection-information would work for your usecase. 10:18
sean-k-mooney: the main problem i see with that today is 1.) ensuring it has the info you need, 2.) ensuring you can call it for the given tenant/project 10:19
sean-k-mooney: normally that api is called with a project scoped token 10:19
sean-k-mooney: so what we might need is for the user to call kerbside with a project scoped token and for kerbside to call nova with the user provided keystone token + a service token to show the extra info 10:20
sean-k-mooney: the user token will have the keystone project info allowing the api call to be scoped to the correct project/tenant and the service user token (generated by kerbside) will grant access to any required hypervisor specific info 10:21
sean-k-mooney: the console token (separate from the keystone token) acts as the lookup key 10:22
sean-k-mooney: to pull the info for the relevant instance 10:22
sean-k-mooney: i know it's kind of confusing to have 3 tokens at play but hopefully that makes sense 10:22
mikal: sean-k-mooney: yeah, I think that makes sense. I don't know how to code it, but I am sure that's a learnable thing. 10:27
sean-k-mooney: this is not the best example since it's using keystone auth not the sdk but https://github.com/openstack/nova/blob/master/nova/service_auth.py 10:29
sean-k-mooney: the service token is just an additional header with a second keystone token 10:29
sean-k-mooney: its original use was "trust me bro when the user called me the user token had not expired yet" 10:30
sean-k-mooney: since then we have now introduced the service role and a service token with that role denotes a call from a cloud infra level service 10:31
sean-k-mooney: typically another openstack service but in this case kerbside 10:31
sean-k-mooney: so in theory all kerbside has to do is grab and reuse the user's keystone token from the request header, parse the console token out of the url, generate a new keystone token from config with its own username/password to use as the service token and call the get console endpoint 10:33
*** bauzas_ is now known as bauzas 10:34
sean-k-mooney: at which point nova internally can lookup the hypervisor specific info and return it to kerbside and you can set up the proxy forwarding 10:34
sean-k-mooney: i'm not sure that flow will work for your usecase but if it does it would be very similar to how the other proxies work 10:35
sean-k-mooney: they just happen to have direct db access and can bypass the api call to get the hypervisor info 10:35
opendevreview: sean mooney proposed openstack/nova stable/2023.2: port format inspector tests from glance  https://review.opendev.org/c/openstack/nova/+/923727 10:37
opendevreview: sean mooney proposed openstack/nova stable/2023.2: Reproduce iso regression with deep format inspection  https://review.opendev.org/c/openstack/nova/+/923728 10:37
opendevreview: sean mooney proposed openstack/nova stable/2023.2: Add iso file format inspector  https://review.opendev.org/c/openstack/nova/+/923729 10:37
opendevreview: sean mooney proposed openstack/nova stable/2023.1: port format inspector tests from glance  https://review.opendev.org/c/openstack/nova/+/923731 10:38
opendevreview: sean mooney proposed openstack/nova stable/2023.1: Reproduce iso regression with deep format inspection  https://review.opendev.org/c/openstack/nova/+/923732 10:38
opendevreview: sean mooney proposed openstack/nova stable/2023.1: Add iso file format inspector  https://review.opendev.org/c/openstack/nova/+/923733 10:38
mikal: sean-k-mooney: I think that flow would work. I have to go put a kid to bed though, I will try and get some more done on this tomorrow. 10:42
sean-k-mooney: mikal: ack hopefully you're feeling better, don't push yourself too hard to get back into things o/ 10:44
mikal: sean-k-mooney: although, does kerbside even need the user token? Surely possession of the console token itself is sufficient and then kerbside just uses it to lookup the specific connection details? The advantage of that is that SPICE clients just fetch a URL without understanding openstack at all, and bam they're in a console. 10:44
sean-k-mooney: the user token is needed by nova to lookup the console token currently 10:45
mikal: sean-k-mooney: I am a bit worried about the approval deadline, but such is life. 10:45
sean-k-mooney: it's a project scoped api 10:45
sean-k-mooney: we might be able to make it work without it 10:45
sean-k-mooney: i'm just not sure what the unique constraint is on the console token 10:45
mikal: sean-k-mooney: oh, that's a bit sad. It would be nice if that could be a token a service account could look up. 10:46
sean-k-mooney: i.e. is it unique globally, per project etc. 10:46
sean-k-mooney: if it's globally unique we may be able to just use the service token but i'm not sure on the exact code paths involved 10:46
mikal: sean-k-mooney: I would hope these tokens are effectively large random numbers, but yeah I see the point. 10:46
sean-k-mooney: i believe they are uuids 10:46
sean-k-mooney: but ya we can check that and see what makes sense 10:47
mikal: Ok, this can be a tomorrow problem but thanks for the chat, it's been helpful. 10:48
opendevreview: Stephen Finucane proposed openstack/nova master: [codespell] Fixes for latest version  https://review.opendev.org/c/openstack/nova/+/923738 11:03
opendevreview: Stephen Finucane proposed openstack/nova master: pre-commit: Bump versions  https://review.opendev.org/c/openstack/nova/+/923739 11:03
elodilles: hi team, just a heads up: nova 29.1.0 (2024.1 Caracal), 28.2.0 (2023.2 Bobcat), 27.4.0 (2023.1 Antelope) stable versions have been released a couple of minutes ago 11:16
*** bauzas_ is now known as bauzas 11:30
sean-k-mooney: ack we will likely need to do another release of them for the iso format backports once they land. we fixed up the ami regression in the upstream backport but we can wait a week or so for those to make their way through the upstream ci without the frantic queue jumping etc. 11:32
elodilles: sean-k-mooney: ACK, thanks for the info, let me know when i can help with the backports & stable release 11:36
opendevreview: sean mooney proposed openstack/nova master: fix qemu-img version dependent tests  https://review.opendev.org/c/openstack/nova/+/923755 14:12
opendevreview: Jens Harbott proposed openstack/nova master: DNM: Test devstack change  https://review.opendev.org/c/openstack/nova/+/923759 14:41
opendevreview: Jimmy McCrory proposed openstack/nova-specs master: Re-propose nova-audit spec for 2024.2  https://review.opendev.org/c/openstack/nova-specs/+/923761 14:48
*** bauzas_ is now known as bauzas 15:03
sean-k-mooney: gibi: stephenfin melwitt can ye review https://review.opendev.org/c/openstack/nova/+/923755 please 15:15
sean-k-mooney: tl;dr is centos and other rhel derived distros compile out some image formats like QED and others depend on the version 15:16
sean-k-mooney: so that adds a check to ensure qemu supports the relevant format otherwise it skips the test 15:17
sean-k-mooney: elodilles: ^ when it comes to backporting the iso regression support we have a choice to backport that skip patch as is or squash it into the patch that adds the version dependent tests. do you have any preference 15:20
stephenfin: sean-k-mooney: done. Left a comment. Can bump to +2 if you don't want to rework 15:36
sean-k-mooney: we are using Exception elsewhere in the file so i would prefer to keep it the same 15:46
sean-k-mooney: stephenfin: you are correct we likely could be more specific here, this will eventually be moved to oslo too and we are expecting to rework it when we do that 15:47
stephenfin: ack 15:48
JayF: sean-k-mooney: what's the ETA on that being oslo'd? 15:56
sean-k-mooney: JayF: dan is on pto this week so not until we have fully finished all the backports for the iso format regression and he is back 15:58
JayF: ack ty 15:58
sean-k-mooney: so this cycle but probably not this week or next 15:58
sean-k-mooney: if we need to keep it in tree for this cycle it's not the end of the world but i think we would like to move it before the non-client lib freeze 15:59
sean-k-mooney: so we probably need to do it in july 15:59
tkajinam: Considering how image format handling can be tricky I wonder if we want to keep them in-tree for some time to simplify backports of further regression fixes. ex. keeping these in-tree for 2024.2 and oslo'ing these in 2025.1 16:07
tkajinam: This is not a very strong opinion though. 16:07
tkajinam: Is the meeting today canceled, right? I think bauzas is off this week. 16:10
clarkb: separately having them in a central lib that can be bumped easily to affect all related services at once may be easier than managing in separate trees and backporting separately 16:10
tkajinam: yeah. it makes maintenance of future branches much easier 16:11
tkajinam: we may probably be able to do "pseudo-"backport even after we oslo-nize the code 16:11
tkajinam: I was wondering how I can move https://review.opendev.org/c/openstack/nova-specs/+/907702 forward but I guess people have been busy with CVE fix. I'd bring maybe this next week. I saw SEV-SNP support was finally merged into kernel/QEMU/libvirt so I would work on SNP support in 2025.1 hopefully. 16:13
sean-k-mooney: as i said for dalmatian we can likely live with it in tree if we have to 17:44
sean-k-mooney: i am hoping the detection code will stay pretty stable at this point 17:45
sean-k-mooney: but we may need to be reactive to any future issue that people find as this starts percolating into production 17:45
sean-k-mooney: long term however we don't want to have to port things like iso support to glance and cinder etc. 17:45
sean-k-mooney: if we can just have it in a shared lib 17:46
opendevreview: Jay Faulkner proposed openstack/nova master: [ironic] Ensure we test iterators when needed  https://review.opendev.org/c/openstack/nova/+/923781 17:51
JayF: ^ is literally a one line, 6 character unit test change if someone wants an easy review (we only had one place that we were mis-testing against a list) 17:52
sean-k-mooney: is that related to the sdk thing 17:53
sean-k-mooney: oh yep 17:53
JayF: Just fulfilling my promise to circle back after that bug was filed and ensure we didn't have any others in that shape 17:53
sean-k-mooney: JayF: i have directly approved it 17:56
JayF: nice, thanks 17:57
JayF: I'm about to open up your metadata patch series after lunch :D 17:57
opendevreview: Merged openstack/nova master: fix qemu-img version dependent tests  https://review.opendev.org/c/openstack/nova/+/923755 18:52
*** bauzas_ is now known as bauzas 18:54
opendevreview: Merged openstack/nova master: [ironic] Ensure we test iterators when needed  https://review.opendev.org/c/openstack/nova/+/923781 19:11
*** bauzas_ is now known as bauzas 20:58
opendevreview: Jay Faulkner proposed openstack/nova master: WIP: [ironic] Send additional metadata for ironic  https://review.opendev.org/c/openstack/nova/+/923797 22:59
JayF: sean-k-mooney: ^ I wouldn't mind collapsing 923797 with yours, I don't see why they have to be separate, but wanted your $.02 before I did it 23:00
