Friday, 2025-07-25

« Thursday, 2025-07-24 Index Saturday, 2025-07-26 »
*** mhen_ is now known as mhen01:22
opendevreviewmelanie witt proposed openstack/nova master: Add hw_tpm_secret_security image property  https://review.opendev.org/c/openstack/nova/+/94019602:13
opendevreviewmelanie witt proposed openstack/nova master: Add hw:tpm_secret_security extra spec validation  https://review.opendev.org/c/openstack/nova/+/94019702:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: migrate legacy instances to new security policy  https://review.opendev.org/c/openstack/nova/+/94250102:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: support instances with `user` secret security  https://review.opendev.org/c/openstack/nova/+/94250202:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: support instances with `host` secret security  https://review.opendev.org/c/openstack/nova/+/94179502:13
opendevreviewmelanie witt proposed openstack/nova master: Add vtpm_secret_(uuid|value) to LiveMigrateData  https://review.opendev.org/c/openstack/nova/+/95262802:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: support live migration of `host` secret security  https://review.opendev.org/c/openstack/nova/+/94148302:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: support instances with `deployment` secret security  https://review.opendev.org/c/openstack/nova/+/94202102:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: support live migration of `deployment` secret security  https://review.opendev.org/c/openstack/nova/+/92577102:14
opendevreviewmelanie witt proposed openstack/nova master: TPM: test live migration between hosts with different security  https://review.opendev.org/c/openstack/nova/+/95262902:14
opendevreviewmelanie witt proposed openstack/nova master: TPM: update instance request_spec with secret security  https://review.opendev.org/c/openstack/nova/+/95263002:14
opendevreviewmelanie witt proposed openstack/nova master: TPM: confirm secret security via hard reboot  https://review.opendev.org/c/openstack/nova/+/95584702:14
opendevreviewmelanie witt proposed openstack/nova master: Add hw_tpm_secret_security image property  https://review.opendev.org/c/openstack/nova/+/94019605:13
opendevreviewmelanie witt proposed openstack/nova master: Add hw:tpm_secret_security extra spec validation  https://review.opendev.org/c/openstack/nova/+/94019705:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: migrate legacy instances to new security policy  https://review.opendev.org/c/openstack/nova/+/94250105:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: support instances with `user` secret security  https://review.opendev.org/c/openstack/nova/+/94250205:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: support instances with `host` secret security  https://review.opendev.org/c/openstack/nova/+/94179505:13
opendevreviewmelanie witt proposed openstack/nova master: Add vtpm_secret_(uuid|value) to LiveMigrateData  https://review.opendev.org/c/openstack/nova/+/95262805:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: support live migration of `host` secret security  https://review.opendev.org/c/openstack/nova/+/94148305:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: support instances with `deployment` secret security  https://review.opendev.org/c/openstack/nova/+/94202105:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: support live migration of `deployment` secret security  https://review.opendev.org/c/openstack/nova/+/92577105:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: test live migration between hosts with different security  https://review.opendev.org/c/openstack/nova/+/95262905:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: update instance request_spec with secret security  https://review.opendev.org/c/openstack/nova/+/95263005:13
opendevreviewmelanie witt proposed openstack/nova master: TPM: confirm secret security via hard reboot  https://review.opendev.org/c/openstack/nova/+/95584705:13
jayaanand_we are addressing NFS volume extension issue we want to address in this resale and Nova dependency addressed in PR https://review.opendev.org/c/openstack/nova/+/680648. i am not able to reach out to author. please suggest way out  05:17
noonedeadpunkjayaanand_: so, do you consider taking over the patch and addressing the review point, or wanna original author to do that?06:37
noonedeadpunkAs with gerrit you can quite easily pull in the patch and update it06:37
noonedeadpunkthe only thing to remember now - is adding DSO to it...06:37
*** ykarel__ is now known as ykarel06:55
rpittaugibi: thanks for the answer and apologies if I haven't replied, I was distracted downstream, we found the root cause, it does not look related to nova, it was a red herring, here's the issue if you're curious https://551b5d3d5ab1e9429cee-63329dcd236a98c48b3784d0d458e269.ssl.cf5.rackcdn.com/openstack/a4a4e91242434212aaaf067deecc5292/controller/logs/screen-q-l3.txt06:58
gibirpittau: no worries. I'm glad you found the root07:05
opendevreviewLajos Katona proposed openstack/nova master: DNM: Test pyroute2 bump to greate than 0.9.x  https://review.opendev.org/c/openstack/nova/+/95585807:20
opendevreviewmelanie witt proposed openstack/nova master: TPM: support instances with `user` secret security  https://review.opendev.org/c/openstack/nova/+/94250207:36
opendevreviewmelanie witt proposed openstack/nova master: TPM: support instances with `host` secret security  https://review.opendev.org/c/openstack/nova/+/94179507:36
opendevreviewmelanie witt proposed openstack/nova master: Add vtpm_secret_(uuid|value) to LiveMigrateData  https://review.opendev.org/c/openstack/nova/+/95262807:36
opendevreviewmelanie witt proposed openstack/nova master: TPM: support live migration of `host` secret security  https://review.opendev.org/c/openstack/nova/+/94148307:36
opendevreviewmelanie witt proposed openstack/nova master: TPM: support instances with `deployment` secret security  https://review.opendev.org/c/openstack/nova/+/94202107:36
opendevreviewmelanie witt proposed openstack/nova master: TPM: support live migration of `deployment` secret security  https://review.opendev.org/c/openstack/nova/+/92577107:36
opendevreviewmelanie witt proposed openstack/nova master: TPM: test live migration between hosts with different security  https://review.opendev.org/c/openstack/nova/+/95262907:36
opendevreviewmelanie witt proposed openstack/nova master: TPM: update instance request_spec with secret security  https://review.opendev.org/c/openstack/nova/+/95263007:36
opendevreviewmelanie witt proposed openstack/nova master: TPM: confirm secret security via hard reboot  https://review.opendev.org/c/openstack/nova/+/95584707:36
opendevreviewKamil Sambor proposed openstack/nova master: Replace eventlet.event.Event with threading.Event  https://review.opendev.org/c/openstack/nova/+/94975408:43
sean-k-mooneynoonedeadpunk: jayaanand_ so volume extened for voluem attach to a nova instnace is tecnhially not supported10:51
sean-k-mooneythe feature depend on https://review.opendev.org/c/openstack/nova-specs/+/94950410:51
sean-k-mooneyhttps://blueprints.launchpad.net/openstack/?searchtext=assisted-volume-extend10:52
noonedeadpunkfrankly, I think this topic even boils down to be able to detach root volume10:52
sean-k-mooneybasicaly there is a spec to properly supprot it but at present its not expected to fully work10:52
noonedeadpunkwhich was rejected due to absent usecase, if I'm not mistaken10:52
sean-k-mooneynoonedeadpunk: well no that slithgly idfferten10:52
noonedeadpunkit would solve it though?10:53
noonedeadpunklike a usecase of restoring volume from snapshot and from backup10:53
sean-k-mooneyonly for root voluems10:53
sean-k-mooneyyou can already do that10:53
noonedeadpunkbut rest you can already detach and resize...10:54
sean-k-mooneyyou can rebuild BFV guests 10:54
noonedeadpunkI'm side-=tracking now the topic a bit....10:54
noonedeadpunkBut how does rebuild helps?10:54
sean-k-mooneythat how you restore form snapshot10:54
noonedeadpunkand cinder just rejects to restore to volume that is attached?10:54
sean-k-mooneyno10:55
sean-k-mooneyif you have a nova vm booted form a cidner volume10:55
sean-k-mooneyyou can rebuild to restore form snapshot isnce antelope ish maybe longer10:55
noonedeadpunkhuh10:56
noonedeadpunkYeah, I know that rebuild does work10:56
sean-k-mooneyhttps://specs.openstack.org/openstack/nova-specs/specs/zed/implemented/volume-backed-server-rebuild.html10:56
sean-k-mooneythe comment i made about is, nova/cidner does not offically supprot extendeing nfs volumes that are in use10:56
noonedeadpunkThough I still don't get a bit about snapshots10:57
sean-k-mooneythat what https://blueprints.launchpad.net/nova/+spec/assisted-volume-extend is intended to resolve10:57
noonedeadpunkyeah, ok ,right10:57
sean-k-mooneyfor any other backend however that perfectly valid to do so fixing bugs in that area is not a bad thing10:58
noonedeadpunkor well, you mean instance snapshot, which is effectively a glance image, not cinder snapshots?10:58
sean-k-mooneyim just saying that even if we merged https://review.opendev.org/c/openstack/nova/+/680648 extending nfs would still not be supproted 10:58
noonedeadpunk++ fair enough10:58
sean-k-mooneynoonedeadpunk: nova has logic to do a cinder volume snapshot if it BFV10:58
noonedeadpunkoh...10:58
noonedeadpunkI missed that entirely10:59
sean-k-mooneywe still upload an empty glance iamge to hold metadata10:59
sean-k-mooneybut it just point to the cinder snapshot10:59
sean-k-mooneywe also have an addtion gem11:00
noonedeadpunkbut it's kinda... not very user frioendly? in terms of - you need to spawn snapshot in one specific way rather then other to be able to restore later?11:00
sean-k-mooneyif you have a BFV guest and it has addtional cidner data volume io belive a nova snapshot will snapshot all the disks11:00
sean-k-mooneyalthough i could be miss remeberting11:00
noonedeadpunkanyway....11:01
noonedeadpunkthis is really very different topic11:01
sean-k-mooneynoonedeadpunk: no when they do rebuild it just updates the root disk, they can resotre the other volumes via cinder too indepently11:01
noonedeadpunkI guess I wanted just to help out with the process of how one could work collaboratively on other patch11:01
sean-k-mooneynoonedeadpunk: whihc you did11:01
sean-k-mooneythey 5 year old patch they found might be useful fo rother backends11:02
noonedeadpunksean-k-mooney: frankly - I feel this being very confusing. And still not covering cinder-backups for root volumes...11:03
sean-k-mooneyi belive you can just use cidner to do ther backups for a root volume11:03
sean-k-mooneythe only part you cant do that way i belive is the restore11:03
noonedeadpunkyou just can't recover without destroying the instance, yeah11:03
sean-k-mooneythe way to fix that would be to make 2 changes11:04
sean-k-mooneywell kind of 111:05
sean-k-mooneywhen you shleve an instance the volume should move to the reserved state11:05
sean-k-mooneyonce the instnace is shleve offloaded11:05
sean-k-mooneyif cidner allowed you to restore in the reserved state then you coudl do it via cidner api11:05
noonedeadpunkI think last time discussed the problem was on how/where to store attachment order or smth like that11:05
sean-k-mooneyi said 2 becaue it might be valid to consier putting the volume in reserved after stop11:06
noonedeadpunkbut now.. .I'm not sure if you also have to get it detached...11:06
noonedeadpunkyeah. that might be actually a good point...11:06
sean-k-mooneyand then allow you to restore when its stopped or change the rebuild api to optionally take a volume snapshot uuid instead of an image11:06
noonedeadpunkwell, I think you should be then able also to revert the snapshot with cinder api when it's shelved11:07
noonedeadpunkas I think it's almost the same check for restore snapshot/backup11:08
sean-k-mooneyi think right now cidner need it ot be in aviable state11:08
sean-k-mooneyrather then reserved11:08
noonedeadpunkright11:08
sean-k-mooneyi think that the limiitation11:08
sean-k-mooneyits alwasy been a bit fo a rough spot11:09
sean-k-mooneyi was not as apposed to the idea of detaching the root volume as other were although i htink that only realy make sense in a shelved like state11:10
noonedeadpunkyes, totally, it should be shelved. Though indeed detaching makes complicated reverse order of attach11:11
noonedeadpunkand reserved state sounds indeed more prespective...11:11
sean-k-mooneyone thing i wish we had a better way of supproting in nova is virual media, i wish we had a simple way to attach iso at runtime. currently you can pass the disk type when you attach a cinder voluem outside of server create11:12
sean-k-mooneyso while you can create a volume form an iso and attaach it to a vm it will be attached as a block device11:12
sean-k-mooneyrescue has alwasy been the hack but it woudl have been nice if nova coudl supprot boot over http or pxe or other metod that were less reliant on glance for metadta storage11:13
sean-k-mooneywe are seeing pain point aroudn that for folks wanting to bring a bunch of pet form vmware or other cloud over to openstack11:14
sean-k-mooneyi.e. the dont nessiarly want to create a glance image and delete it for every vm but also dont nessiarly want to have to use a volume either11:15
sean-k-mooneyso part of me wishes nova supprot takeing a http/ftp path to a disk image and usign that. or coudl attatch addtional disk after boot form glance or swift or elsewhere11:16
sean-k-mooneybeign able to detach and or replace the root disk woudl be a natural extention of that11:17
noonedeadpunkthat sounds like smth that potentiallly could posses a security concern in the fuiture11:17
noonedeadpunkin terms of http/ftp11:17
sean-k-mooneyno downloading random things form the internet :P11:17
sean-k-mooneyhow11:17
sean-k-mooneybut ya the thing is that nova cant trust glance to do the right thing11:18
sean-k-mooneyit has to do the security checks itself11:18
noonedeadpunkwell exactly - how to limit downloading random thing from the internet :)11:18
sean-k-mooneyso your right11:18
noonedeadpunklike glance web-download already scares me enough from time to time11:18
sean-k-mooneywell it basiclly woudl be that11:18
sean-k-mooneyglance supprot referencig an image on an external web sever11:18
sean-k-mooneyim just talkign about the same capablity in nova directly 11:19
noonedeadpunkbut also creating a voilume from iso usually kinda works for vmware migrations.... or rescue at worst...11:19
noonedeadpunkwell in Glance one can disable that quite easily, just to mention that11:19
sean-k-mooneyya so at server create you can annotat the volume as being an iso or rather disk_type=cdrom11:20
sean-k-mooneywe just dont expost that filed form the bdm on volume attach and we shoudl11:20
sean-k-mooneythere are other disk types like lun11:20
noonedeadpunkbut actually - that is kinda a good point, of why multiple volumes can't be attached on boot...11:21
sean-k-mooneywhich can ony be set on boot too that are needed for scsi v3 command instead of scsi v211:21
sean-k-mooneyyou can have multipel volumes11:21
sean-k-mooneyso you can have the root be a image or a volume and you can have arbitry number of addtional cinder data volumes11:21
noonedeadpunkah, indeed, you can pass block_device_mapping_v211:22
sean-k-mooneythat what peole do when migrating they create 1 volume per disk in vmware11:22
sean-k-mooneynoonedeadpunk: yep but even without that you can use the syntatic sugar commadn in osc11:22
sean-k-mooneyyou just repeate --volume  for each addtional volume11:22
sean-k-mooneyosc will internally comptue the block_device_mapping_v2 object for you, that what it alwasy doing when you use volumes internally11:24
sean-k-mooneythe issue with the attach api is we only expose some of the filed setable via BDMv2 structure11:25
sean-k-mooneyso nova hwas the ablity at server create to create more complex topolgies then you can create post boot via attach11:25
opendevreviewBalazs Gibizer proposed openstack/nova master: Print ThreadPool statistics  https://review.opendev.org/c/openstack/nova/+/94834012:02
opendevreviewBalazs Gibizer proposed openstack/nova master: Document native threading mode and tuneables  https://review.opendev.org/c/openstack/nova/+/94936412:02
opendevreviewBalazs Gibizer proposed openstack/nova master: Allow services to start with threading  https://review.opendev.org/c/openstack/nova/+/94831112:02
opendevreviewBalazs Gibizer proposed openstack/nova master: Run nova-next with n-sch in threading mode  https://review.opendev.org/c/openstack/nova/+/94845012:02
opendevreviewBalazs Gibizer proposed openstack/nova master: Do not yield in threading mode  https://review.opendev.org/c/openstack/nova/+/95099412:02
opendevreviewBalazs Gibizer proposed openstack/nova master: Run nova-api and -metadata in threaded mode  https://review.opendev.org/c/openstack/nova/+/95195712:02
opendevreviewBalazs Gibizer proposed openstack/nova master: Allow to start unit test without eventlet  https://review.opendev.org/c/openstack/nova/+/95343612:02
opendevreviewBalazs Gibizer proposed openstack/nova master: Run unit test with threading mode  https://review.opendev.org/c/openstack/nova/+/95347512:02
opendevreviewBalazs Gibizer proposed openstack/nova master: [test]RPC using threading or eventlet selectively  https://review.opendev.org/c/openstack/nova/+/95381512:02
opendevreviewBalazs Gibizer proposed openstack/nova master: [CI]Make nova-tox-py312-threading voting  https://review.opendev.org/c/openstack/nova/+/95579112:02
opendevreviewBalazs Gibizer proposed openstack/nova master: Warn on long task wait time for executor  https://review.opendev.org/c/openstack/nova/+/95266612:02
opendevreviewBalazs Gibizer proposed openstack/nova master: [test]Speed up fs retry tests by mocking sleep  https://review.opendev.org/c/openstack/nova/+/95590413:51
opendevreviewBalazs Gibizer proposed openstack/nova master: [test]Speed up ironic console test by decreasing timeout  https://review.opendev.org/c/openstack/nova/+/95590513:51
opendevreviewBalazs Gibizer proposed openstack/nova master: [test]Speed up RBD test by decreasing retry interval  https://review.opendev.org/c/openstack/nova/+/95590613:51
opendevreviewBalazs Gibizer proposed openstack/nova master: [test]Speed up qemu announce test by mocking sleep  https://review.opendev.org/c/openstack/nova/+/95590713:51
gibiI have to run a lot of unittest lately so I use a bit of time to speed them up ^^ https://review.opendev.org/c/openstack/nova/+/95590713:51
gibiwong link, I wanted to point to the topic https://review.opendev.org/q/topic:%22unit-test-speedup%2213:51
gibithese are very small unit test only patches for easy wins13:52
opendevreviewDmitriy Rabotyagov proposed openstack/nova-specs master: Propose enabling parallel live migrations for libvirt  https://review.opendev.org/c/openstack/nova-specs/+/95578313:56
noonedeadpunkum... what the broken crap is `autopep8`?14:27
noonedeadpunkthis is pretty much ridiculous: https://zuul.opendev.org/t/openstack/build/b483760112414b64b045615b76bde31414:29
noonedeadpunkah, so it tried to handle >80 this wayu, lol14:33
opendevreviewDmitriy Rabotyagov proposed openstack/nova master: [WIP] Allow to perform parallel live migrations  https://review.opendev.org/c/openstack/nova/+/95578414:33
opendevreviewBalazs Gibizer proposed openstack/nova master: Print ThreadPool statistics  https://review.opendev.org/c/openstack/nova/+/94834015:07
opendevreviewBalazs Gibizer proposed openstack/nova master: Document native threading mode and tuneables  https://review.opendev.org/c/openstack/nova/+/94936415:07
opendevreviewBalazs Gibizer proposed openstack/nova master: Allow services to start with threading  https://review.opendev.org/c/openstack/nova/+/94831115:07
opendevreviewBalazs Gibizer proposed openstack/nova master: Run nova-next with n-sch in threading mode  https://review.opendev.org/c/openstack/nova/+/94845015:07
opendevreviewBalazs Gibizer proposed openstack/nova master: Do not yield in threading mode  https://review.opendev.org/c/openstack/nova/+/95099415:07
opendevreviewBalazs Gibizer proposed openstack/nova master: Run nova-api and -metadata in threaded mode  https://review.opendev.org/c/openstack/nova/+/95195715:07
opendevreviewBalazs Gibizer proposed openstack/nova master: Allow to start unit test without eventlet  https://review.opendev.org/c/openstack/nova/+/95343615:07
opendevreviewBalazs Gibizer proposed openstack/nova master: Run unit test with threading mode  https://review.opendev.org/c/openstack/nova/+/95347515:07
opendevreviewBalazs Gibizer proposed openstack/nova master: [test]RPC using threading or eventlet selectively  https://review.opendev.org/c/openstack/nova/+/95381515:07
opendevreviewBalazs Gibizer proposed openstack/nova master: [CI]Make nova-tox-py312-threading voting  https://review.opendev.org/c/openstack/nova/+/95579115:07
opendevreviewBalazs Gibizer proposed openstack/nova master: Warn on long task wait time for executor  https://review.opendev.org/c/openstack/nova/+/95266615:07
opendevreviewBalazs Gibizer proposed openstack/nova master: [vncproxy]Handle ssl.wrap_socket removal in py312  https://review.opendev.org/c/openstack/nova/+/95591515:07
gibi^^ this last one is not a pure eventlet removal so I can accept a request to split the commit to two one that is independnet form the eventlet series and one that just adds the related tests back to the threading job after the first patch lands15:08
opendevreviewBalazs Gibizer proposed openstack/nova master: [vncproxy]Handle ssl.wrap_socket removal in py312  https://review.opendev.org/c/openstack/nova/+/95591515:09
opendevreviewBalazs Gibizer proposed openstack/nova master: Warn on long task wait time for executor  https://review.opendev.org/c/openstack/nova/+/95266615:09
sean-k-mooneygibi: i have not looked but i woudl only spliti it if you think we might need to backport it indepently16:57
opendevreviewBalazs Gibizer proposed openstack/nova master: [vncproxy]Handle ssl.wrap_socket removal in py312  https://review.opendev.org/c/openstack/nova/+/95591518:16
opendevreviewBalazs Gibizer proposed openstack/nova master: Warn on long task wait time for executor  https://review.opendev.org/c/openstack/nova/+/95266618:16
sean-k-mooneymelwitt: so preserving the tmp data as distastful as it may be is probely technialy a feature not a bug19:33
sean-k-mooneyall the code i have looked at point to use assumign the data is preerved but the libvirt code never did that by default19:33
sean-k-mooneythat means however that vTPM in nova is unsutable for storign encyption keys like those used by bitlocker19:34
sean-k-mooneyadn its only sutable today to provide storage for messuered boot or to provide cyrpograpic random numbers19:35
sean-k-mooneythe nvram sitution i have not had time to track down19:37
sean-k-mooneyit may hae been a simialr logic on libvirt side where they assuemd it was oke to delet ewhen the domain in undefined and we assuemd it would be preserved like the disks19:37
sean-k-mooneymelwitt: if we cant backport supprot for this upstream because we agree its a feature not a bug i think we at least need to backport a warning in our docs19:38
clarkbisn't the problem that operating systems like windows will use it without your input?19:56
clarkbso while it may not be suitable today their decisions may force a behavior choice?19:57
melwittI'm seeing the grenade-skip-level-always job failing a lot lately on "2025-07-25 19:16:25.748 | + inc/upgrade:save_mysql_dbs:45            :   timeout 120 mysqldump -uroot -psecretdatabase neutron"22:50
melwittsean-k-mooney: thanks for digging into it. I agree on backporting at least a warning in the docs. personally I would support backporting use of the VIR_DOMAIN_UNDEFINE_KEEP_TPM flag given the severity of the unexpected behavior but I'm not sure if there could be any other issues with doing that22:57
gmaanmelwitt: yeah, it is known issue in grenade job. gibi added timeout to DB dump so that job will fail early than waiting for long time23:08
gmaanand this is one fix he is trying https://review.opendev.org/c/openstack/grenade/+/95586523:08
melwittgmaan: ahh ok, thanks! I was looking but did not find any hint about it23:11
gmaanyeah, unfortunately nothing much in logs whihc can help to debug23:11
« Thursday, 2025-07-24 Index Saturday, 2025-07-26 »

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!