Thursday, 2025-08-28

01:15 *** mhen_ is now known as mhen
08:16 <bauzas> looks like we have a CI pipeline issue :(
08:16 <bauzas> Uggla: ^
08:17 <bauzas> example here https://zuul.opendev.org/t/openstack/build/7626e6d8c1e3423f921fa65667467d64
08:17 <bauzas> tkajinam: please just add something when you say "recheck", something like "recheck timeout" :)
08:18 <bauzas> this is fine tho, please don't recheck again
08:26 <Uggla> bauzas, did you "recheck" it again?
08:26 <bauzas> lemme check where we are in the gate for the series
08:29 <bauzas> Uggla: the first patch in the series is fine, and I see the next 3 ones in the check pipeline, so no need to recheck
08:30 <drannou> Hello nova! Quick question: we would like to harden nova-compute rights, what are the strict minimum rights nova-compute needs? Does anyone already have a specific policy.json?
08:39 <Uggla> bauzas, I was not sure about the second one. Cool if they are in the pipeline.
08:39 <bauzas> Uggla: as a reminder, you can look at https://zuul.opendev.org/t/openstack/status?change=921814
08:40 <bauzas> drannou: not sure I understand your question, you're mixing API policies that are public and nova-compute RPC calls that are internal
08:40 <bauzas> or are you talking of the privilege escalation that the nova-compute python service can do?
08:41 <Uggla> bauzas, yep I know about it. But I was probably too fast and I did not find it at first glance.
08:42 <drannou> only nova-compute internal API (http) calls, let's imagine that I don't trust the nova-compute hosts (VM escape), I would like to create a dedicated role for nova-compute with the strict minimum rights on API calls (neutron, glance, cinder, placement). Of course for RPC, I know that we have no "rights" available
08:43 *** ralonsoh_ is now known as ralonsoh
09:04 <gibi> bauzas: Uggla: I saw grenade issues with
09:04 <gibi> 2025-08-27 17:29:17.139980 | compute1 | /opt/stack/old/devstack/functions-common: line 2189: 30613 Segmentation fault      sudo usermod -a -G "$group" "$user"
09:05 <gibi> and general issues with "Error: Failed to update project openstack/nova"
09:05 <gibi> the latter is random in different jobs
09:05 <gibi> but I had no time to dig deeper
09:05 <bauzas> this is not on a single job
09:05 <gibi> or file bugs or notify infra
09:05 <bauzas> I was about to see the next results
09:05 <bauzas> before calling infra
09:05 <bauzas> maybe some node(s) are having issues
09:06 <bauzas> gibi: I'll continue to follow up, thanks for your help
09:06 <bauzas> drannou: oh, you're talking of a service persona
09:07 <Uggla> that's really weird to get a segfault on "sudo usermod".
09:07 <bauzas> for nova calling the other services
09:07 <bauzas> drannou: there is good news for you, do you know about something called Secure RBAC?
09:08 <bauzas> Uggla: I saw that once, IIRC this was due to a tainted kernel
09:08 <bauzas> that's just a user exception when calling sudo, but if you look at the system logs or dmesg, this is clear
09:08 <Uggla> (OO)
09:18 <drannou> bauzas: more (or maybe) less :)
09:24 <bauzas> drannou: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#isolate-service-to-service-apis-to-the-service-role
09:24 <bauzas> drannou: and that's literally what I'm currently reviewing https://review.opendev.org/c/openstack/nova/+/957578
09:33 <drannou> bauzas: wonderful, I will check that thx
10:10 <opendevreview> Stephen Finucane proposed openstack/nova master: db: Move regex helpers to utils  https://review.opendev.org/c/openstack/nova/+/958745
10:10 <opendevreview> Stephen Finucane proposed openstack/nova master: tests: Clean up flavors tests  https://review.opendev.org/c/openstack/nova/+/958746
10:10 <opendevreview> Stephen Finucane proposed openstack/nova master: api: Simplify API version check for flavor description  https://review.opendev.org/c/openstack/nova/+/958747
10:10 <opendevreview> Stephen Finucane proposed openstack/nova master: api: Add ability to filter flavors by name  https://review.opendev.org/c/openstack/nova/+/958748
10:10 <opendevreview> Stephen Finucane proposed openstack/nova master: api: Remove dead fields from flavors response  https://review.opendev.org/c/openstack/nova/+/958749
10:10 <opendevreview> Stephen Finucane proposed openstack/nova master: WIP: api: Restrict additional query string arguments  https://review.opendev.org/c/openstack/nova/+/958750
11:48 <gibi> bauzas: Uggla: I see full green runs on patches now so I think at least the "Error: Failed to update project openstack/nova" issue is not happening any more (or not that frequently)
11:48 <bauzas> yup, probably a transient issue on some subnodes
11:49 <bauzas> we will see
11:55 <gibi> yep
11:58 <sean-k-mooney> bauzas: gibi gmaan will any of ye have time to review stephenfin's https://review.opendev.org/q/topic:%22bp/flavor-search-by-name%22 flavor search by name series. im +2 on the first 4 patches which are pretty easy to review and deliver the main feature, im reading the 5th which is optional and does all the cleanup of the flavor api that we wanted to include in the same
11:58 <sean-k-mooney> microversion but that could happen in a separate one if we don't get to it. the 6th wip patch just prevents using unrecognised query args which again is optional and just api cleanup and can happen in a future release. so the first 4 patches which are pretty easy to review and the optional 5th patch would be nice to review. we are still waiting on ci results for most of them
11:58 <sean-k-mooney> but it would be nice to also complete that spec.
11:59 <bauzas> the series was just created today, right?
11:59 <bauzas> I looked at all the BPs on Monday and I didn't find any implementation for it
11:59 <sean-k-mooney> yes, and i know it's very late to propose it, it's just short and easy to review
11:59 <sean-k-mooney> if it goes to next cycle that's also ok
11:59 <bauzas> I can try then but this is also providing an API microversion, right?
12:00 <sean-k-mooney> i just wanted to mention it before i go back to the sev one
12:00 <sean-k-mooney> bauzas: yes it is 101
12:00 <bauzas> if so, I need to make sure we won't have any issue as we couldn't revert a change if we find an issue
12:00 <sean-k-mooney> there are no other api changes im aware of competing for a microversion at this point
12:00 <bauzas> sean-k-mooney: thanks for the SEV-ES series review btw.
12:00 <bauzas> sean-k-mooney: yup, I haven't found any
12:00 <sean-k-mooney> the microversion is the 4th patch, the first 3 are just cleanup
12:01 <bauzas> okay, then I'll look at it today
12:01 <sean-k-mooney> by cleanup i mean code cleanup, no externally visible changes
12:40 <gibi> sean-k-mooney: I can take a quick look
13:08 <Uggla> gibi, sorry I was distracted and I have just noticed your msg about the patches run. Thanks for letting me know.
13:08 <gibi> sure no worries
14:22 <dansmith> anyone else seeing python3.9 dep resolving failures?
14:22 <dansmith> I'm wondering if placement should drop that job
14:34 <gibi> dansmith: yep we should drop it, F has no 3.9 requirements https://governance.openstack.org/tc/reference/runtimes/2025.2.html
14:35 <gibi> https://review.opendev.org/c/openstack/placement/+/953367 we need this
14:35 <gibi> just approved
14:35 <dansmith> ack
15:58 <bauzas> sean-k-mooney: can you please review again the SEV-ES series? https://review.opendev.org/c/openstack/nova/+/925685/ and upper
16:01 <sean-k-mooney> yep ill be around for the next 3 hours maybe a little longer so ill get to it once i push one watcher patch
16:02 <sean-k-mooney> its next on my todo list
16:14 <gmaan> sean-k-mooney: ack, i can check it today
16:21 <sean-k-mooney> no rush, gibi noticed a reduction in test coverage because stephen deleted a test instead of moving it in the first patch
16:21 <sean-k-mooney> gmaan: and im not expecting a respin
16:21 <gmaan> k
16:21 <sean-k-mooney> so we can pick that back up early next cycle
16:22 <gmaan> so we are not targeting that for this?
16:25 <gmaan> and this is still WIP, which is easy but big change https://review.opendev.org/c/openstack/nova/+/958750/1
16:25 <sean-k-mooney> we were
16:25 <sean-k-mooney> but stephenfin is feeling unwell today and realistically it's not going to land
16:26 <gmaan> ohk. got it.
16:26 <sean-k-mooney> so we can do it all early next cycle and still have 1 microversion for the feature and api cleanup
16:26 <gmaan> ++
16:27 <gmaan> dansmith: can you +w this devstack change (quick one) for service role https://review.opendev.org/c/openstack/devstack/+/958612
16:27 <dansmith> gmaan: got it
16:27 <gmaan> thanks
17:02 <gmaan> sean-k-mooney: whoami-rajat_ FYI, service API things on cinder/glance working now - https://zuul.opendev.org/t/openstack/build/03e62efae4054b7997f8fc6a4ca3db7c
17:02 <gmaan> consider configuring and devstack setting glance user in cinder properly https://zuul.opendev.org/t/openstack/build/03e62efae4054b7997f8fc6a4ca3db7c/log/controller/logs/etc/cinder/cinder_conf.txt#74
17:02 <gmaan> there are unit test etc failures in fixes, I will fix those and ping in cinder, glance channel
17:03 <gmaan> this is testing change on top of fixes in glance, cinder, devstack https://review.opendev.org/c/openstack/cinder/+/958719
17:14 <sean-k-mooney> ack i can join those if needed
17:14 <opendevreview> Takashi Kajinami proposed openstack/nova master: libvirt: Remove tpm support detection for libvirt < 8.0.0  https://review.opendev.org/c/openstack/nova/+/952308
17:41 <whoami-rajat_> gmaan, ack, looks good, thanks
17:42 <sean-k-mooney> tkajinam: this is my main comment on the second sev patch https://review.opendev.org/c/openstack/nova/+/925685/comment/6a462652_db266f95/ if you have time can you respond while i continue to review the rest
17:44 <sean-k-mooney> tkajinam: if you agree that we should accommodate SEV_ES hosts with no SEV slot then we can address that in a patch at the end of the series
17:47 <tkajinam> sean-k-mooney, thanks and checking it now
17:47 <sean-k-mooney> i dont think there is any hardware today that exclusively supports SEV-ES and not vanilla SEV so i dont think its an edge case we will actually hit
17:48 <sean-k-mooney> but i dont know if that will change going forward so just calling it out
17:52 <opendevreview> Merged openstack/nova master: Add service role in Nova policy  https://review.opendev.org/c/openstack/nova/+/957578
17:58 <tkajinam> sean-k-mooney, I've replied to your comment about sev/sev-es support. at this moment the kernel requires that sev is enabled when sev-es is enabled and I followed that logic.
17:59 <sean-k-mooney> ack that works for me
17:59 <sean-k-mooney> i just didnt want us to encode something that might not hold true in general
17:59 <tkajinam> it can be changed in the future and we can decouple these checks when the kernel actually changes its logic
17:59 <sean-k-mooney> +1
18:05 <sean-k-mooney> tkajinam: ill loop back to the lower patches but i am +2 on the main ones
18:06 <tkajinam> sean-k-mooney, thanks!
18:08 <sean-k-mooney> tkajinam: is it late or very early for you
18:08 <sean-k-mooney> tkajinam: i have never internalised what timezone you are in
18:09 <tkajinam> ;-)
18:11 <tkajinam> It's 3 am in UTC+9 so it's "still" late time here
18:11 <tkajinam> some may say it's early though
18:12 <dansmith> 2300 is late, 0300 is definitely early
18:14 <gmaan> I think the sun rises there at that time or maybe an hr later :)
18:15 <sean-k-mooney> sunrise is my favourite time to wake up or fall asleep although i do the latter much more frequently
18:15 <gmaan> :) later for me during weekends
18:18 <tkajinam> ok I'm leaving before sunrise. I'll check the status of these patches and work on follow-ups once I wake up
18:21 <sean-k-mooney> tkajinam: i have +2w'd the series now
18:22 <tkajinam> sean-k-mooney, thank you! \o/
18:22 <sean-k-mooney> tkajinam: none of the comments i left rise to the point of needing a respin but if you submit a followup im happy to review
18:46 <sean-k-mooney> Uggla: https://bugs.launchpad.net/nova/+bug/2121617 fun little bug. apparently you cant set the region_name in our config for manila and for legacy reasons barbican and cinder dont use an option called region_name for that like everything else
18:47 <sean-k-mooney> Uggla: we should fix the endpoint discovery logic for manila and backport that but we should also deprecate the non-standard names and support the standard ones for cinder/barbican
18:48 <sean-k-mooney> i didnt check the rest of the config options for consistency but we probably should when fixing this.
18:50 <sean-k-mooney> you could make manila work in a multi region setup today if you explicitly set the url however we also do not support that so you're stuck. you cant use the manila shares feature in a multi region openstack unless the same instance of manila is used by all regions
18:51 <sean-k-mooney> setting https://docs.openstack.org/nova/latest/configuration/config.html#manila.auth_url might work if you configure it to talk to the local keystone region api but that would assume each region has its own keystone with federation which is not really how people deploy multi region openstack
18:54 <sean-k-mooney> so ya we should plan to fix and backport some subset of this but its not a regression introduced this cycle so we can fix it as a normal bug
20:36 <opendevreview> Merged openstack/nova master: Migrate MEM_ENCRYPTION_CONTEXT from root provider  https://review.opendev.org/c/openstack/nova/+/921814
20:36 <opendevreview> Merged openstack/nova master: Detect AMD SEV-ES support  https://review.opendev.org/c/openstack/nova/+/925685
21:03 <opendevreview> Merged openstack/nova master: Add hw_mem_encryption_model image property  https://review.opendev.org/c/openstack/nova/+/927706
23:24 <opendevreview> Merged openstack/nova master: libvirt: Launch instances with SEV-ES memory encryption  https://review.opendev.org/c/openstack/nova/+/926106
23:25 <opendevreview> Merged openstack/nova master: Add functional test scenario for mixed SEV RPs  https://review.opendev.org/c/openstack/nova/+/958562
23:27 <opendevreview> Merged openstack/nova master: Purge nested SEV RPs when SEV is disabled  https://review.opendev.org/c/openstack/nova/+/958626

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!