*** auniyal5 is now known as auniyal | 01:27 | |
noonedeadpunk | sean-k-mooney: but it's not yet feature freeze for 2025.2 if I read the schedule right? and this is quite tiny, easy, so maybe it's the right place? ;) | 05:51 |
---|---|---|
sean-k-mooney | noonedeadpunk: we are well past the spec approval freeze so this is something for next cycle | 09:58 |
sean-k-mooney | noonedeadpunk: the spec freeze was milestone 2 | 09:58 |
noonedeadpunk | ah, right, true | 10:02 |
noonedeadpunk | I was looking for feature freeze | 10:02 |
sean-k-mooney | that does not mean it can't merge early in 2026.1 as in late september/october | 10:03 |
noonedeadpunk | it's kinda sad though, as this is pretty much the only way so far to get live migrations working reliably until gnutls is patched and with memory being encrypted | 10:03 |
noonedeadpunk | or well... use tunnels... | 10:03 |
sean-k-mooney | well it's not actually fixing the issue | 10:03 |
noonedeadpunk | yeah, true | 10:04 |
sean-k-mooney | it just makes it less likely as each connection gets its own rekey timer | 10:04 |
sean-k-mooney | the workaround for now is to just disable tls3 with aes | 10:04 |
sean-k-mooney | via the crypto policies | 10:04 |
noonedeadpunk | which you can't do outside of EL | 10:04 |
sean-k-mooney | i.e. disable the specific policy that has the issue | 10:04 |
sean-k-mooney | EL? | 10:05 |
noonedeadpunk | *RHEL | 10:05 |
sean-k-mooney | oh well that's not a rhel thing as far as i'm aware | 10:05 |
noonedeadpunk | as I tried to place a gnutls config on ubuntu and qemu just ignores it | 10:05 |
noonedeadpunk | so it's not a thing on debian/ubuntu | 10:05 |
noonedeadpunk | Maybe it does work on centos/rocky - dunno | 10:05 |
sean-k-mooney | i suspect it might be but uses a different location | 10:06 |
noonedeadpunk | Ubuntu just dropped policy package with comment it never-ever worked on ubuntu 24.04 to start with | 10:06 |
sean-k-mooney | https://wiki.debian.org/CryptoPolicy | 10:06 |
noonedeadpunk | https://bugs.launchpad.net/ubuntu/+source/crypto-policies/+bug/2069129 | 10:06 |
sean-k-mooney | so apparently it's a fedora thing? | 10:06 |
sean-k-mooney | https://fedoraproject.org/wiki/Changes/CryptoPolicy | 10:07 |
noonedeadpunk | well, I think anyway it does not work on debian/ubuntu | 10:07 |
sean-k-mooney | from 2014 that they were looking to upstream | 10:07 |
noonedeadpunk | "crypto-policies is not supported on Ubuntu: it requires deep integration with the packages and their configurations. This integration doesn't exist and is unlikely to ever exist outside of redhat-based distributions" | 10:07 |
sean-k-mooney | https://manpages.ubuntu.com/manpages/jammy/en/man8/update-crypto-policies.8.html | 10:08 |
sean-k-mooney | well the package for doing it is in ubuntu | 10:08 |
noonedeadpunk | So 2069129 claims it never worked despite being packaged | 10:08 |
noonedeadpunk | which is the reason it's dropped | 10:08 |
sean-k-mooney | ya so this is in rhel to make fips work | 10:08 |
sean-k-mooney | i know canonical's fips support is a paid extra | 10:09 |
noonedeadpunk | anyway, I didn't find the way so far to make ubuntu to use POLY1305 | 10:09 |
sean-k-mooney | ack | 10:09 |
noonedeadpunk | even though I blacklisted AES in gnutls config and gnutls output was like that: https://paste.openstack.org/show/b2VjO9rv4976Y4prCtt9/ | 10:10 |
noonedeadpunk | seems that qemu was still doing what it wanted | 10:10 |
sean-k-mooney | you using kolla right | 10:11 |
noonedeadpunk | osa | 10:11 |
sean-k-mooney | oh so not in a container then | 10:11 |
sean-k-mooney | i was going to ask if you updated it in the container | 10:11 |
noonedeadpunk | yeah, it's just on the node | 10:12 |
sean-k-mooney | or suggest you try the centos libvirt container to see if that would work around it | 10:12 |
noonedeadpunk | well... I probably could do that.... | 10:12 |
sean-k-mooney | it's possible that they static link it or something like that but debian is normally all in on dynamic linking everything | 10:12 |
sean-k-mooney | in your case i think tunneled migration or using just tcp if you are allowed to is the best approach unless you want to carry that patch downstream until it's landed upstream | 10:14 |
sean-k-mooney | still to fix it properly you will need the qemu fix when that is ready | 10:14 |
noonedeadpunk | we have local drives as nova drives, which we expect to live migrate as well, which does not work with the tunnel | 10:15 |
opendevreview | Stephen Finucane proposed openstack/nova master: api: Add response body schemas for servers APIs (5/6) https://review.opendev.org/c/openstack/nova/+/956239 | 10:15 |
opendevreview | Stephen Finucane proposed openstack/nova master: api: Add response body schemas for servers APIs (6/6) https://review.opendev.org/c/openstack/nova/+/956240 | 10:15 |
opendevreview | Stephen Finucane proposed openstack/nova master: api: Add response body schemas for server shares APIs https://review.opendev.org/c/openstack/nova/+/956266 | 10:15 |
opendevreview | Stephen Finucane proposed openstack/nova master: tests: Invert validation check https://review.opendev.org/c/openstack/nova/+/956241 | 10:15 |
noonedeadpunk | anyway | 10:15 |
opendevreview | Dmitriy Rabotyagov proposed openstack/nova-specs master: Add 2026.1 specs folder https://review.opendev.org/c/openstack/nova-specs/+/956767 | 10:18 |
opendevreview | Dmitriy Rabotyagov proposed openstack/nova-specs master: Propose enabling parallel live migrations for libvirt https://review.opendev.org/c/openstack/nova-specs/+/955783 | 10:19 |
opendevreview | Merged openstack/nova master: Revert^2 "Support glance's new location API" https://review.opendev.org/c/openstack/nova/+/950623 | 10:35 |
opendevreview | Takashi Kajinami proposed openstack/nova master: Migrate MEM_ENCRYPTION_CONTEXT from root provider https://review.opendev.org/c/openstack/nova/+/921814 | 10:45 |
opendevreview | Takashi Kajinami proposed openstack/nova master: Detect AMD SEV-ES support https://review.opendev.org/c/openstack/nova/+/925685 | 10:45 |
opendevreview | Takashi Kajinami proposed openstack/nova master: Add hw_mem_encryption_model image property https://review.opendev.org/c/openstack/nova/+/927706 | 10:45 |
opendevreview | Takashi Kajinami proposed openstack/nova master: libvirt: Launch instances with SEV-ES memory encryption https://review.opendev.org/c/openstack/nova/+/926106 | 10:45 |
tkajinam | Uggla, I wonder if I can ask for your help to move this series forward ^^^ I've been receiving emails regularly to ask progress about this work (from different parties, which is interesting) and I'm hoping that I can move it forward (getting it merged is the best but I at least need some feedback) | 10:46 |
Uggla | Hi tkajinam, I'll do my best to try to review it and warn cores for reviews, as this is an important feature. | 10:50 |
tkajinam | Uggla, thanks ! | 10:51 |
sean-k-mooney | oh the sev work | 10:56 |
sean-k-mooney | ya it would be good to complete that this cycle given it missed last cycle due to review bandwidth | 10:56 |
Uggla | sean-k-mooney I agree | 10:57 |
tkajinam | support for sev-sep, which is more sophisticated version of sev, is reaching downstream distros, and tdx support was merged to the latest kernel. so I expect more people may be interested in using memory encryption features. | 11:11 |
tkajinam | and this could be a base work to extend current sev support, to support more cpu features | 11:11 |
opendevreview | Callum Dickinson proposed openstack/nova master: Fix image ID in libvirt metadata when unshelving https://review.opendev.org/c/openstack/nova/+/942973 | 11:28 |
opendevreview | Callum Dickinson proposed openstack/nova master: Add more flavor metadata to libvirt guest XML https://review.opendev.org/c/openstack/nova/+/942974 | 11:28 |
opendevreview | Callum Dickinson proposed openstack/nova master: Add image meta to libvirt XML metadata https://review.opendev.org/c/openstack/nova/+/942766 | 11:28 |
opendevreview | Callum Dickinson proposed openstack/nova master: Add more flavor metadata to libvirt guest XML https://review.opendev.org/c/openstack/nova/+/942974 | 12:14 |
opendevreview | Callum Dickinson proposed openstack/nova master: Add image meta to libvirt XML metadata https://review.opendev.org/c/openstack/nova/+/942766 | 12:14 |
opendevreview | Johannes Beisiegel proposed openstack/nova master: fix: ensure to remove cinder attachments on delete of building instance https://review.opendev.org/c/openstack/nova/+/956789 | 14:01 |
opendevreview | Johannes Beisiegel proposed openstack/nova master: fix: ensure to remove cinder attachments on delete of building instance https://review.opendev.org/c/openstack/nova/+/956789 | 14:02 |
*** ykarel_ is now known as ykarel | 15:02 | |
opendevreview | Rajesh Tailor proposed openstack/nova master: Add support for using cell-name in cell_v2 commands https://review.opendev.org/c/openstack/nova/+/954460 | 17:28 |