Wednesday, 2025-11-05

« Tuesday, 2025-11-04 Index Thursday, 2025-11-06 »
opendevreviewMasanori Kuroha proposed openstack/nova master: Copy applied provider config  https://review.opendev.org/c/openstack/nova/+/94830405:41
opendevreviewMasanori Kuroha proposed openstack/nova master: Copy applied provider config  https://review.opendev.org/c/openstack/nova/+/94830406:32
mkurohabauzas: gibi: sean-k-mooney: I’ve updated the feature that copies the applied provider config files. I’d appreciate it if you could review it when you have time. https://review.opendev.org/c/openstack/nova/+/94830409:01
zigogmaan: Since you wrote these tests, any idea what could have gone wrong? https://bugs.launchpad.net/nova/+bug/213070309:23
bauzasmkuroha: as said in the change, pease reprovide the spec for 2026.1 so we could reapprove it 10:00
mkurohabauzas: I see, understood. I'll recreate it for the 2026.1 spec.10:09
bauzasmkuroha: thanks, ping me again once you're done, just copy the file and add in the history section something like "2025.2: Approved; 2026.1: Reproposed"10:10
bauzasshould be quick10:10
mkurohaok! thanks.10:14
opendevreviewMasanori Kuroha proposed openstack/nova-specs master: Copy the spec approved in 2025.2 to 2026.1  https://review.opendev.org/c/openstack/nova-specs/+/96615110:18
mkurohabauzas: Thank you for the comment, I created: https://review.opendev.org/c/openstack/nova-specs/+/96615110:20
opendevreviewMerged openstack/nova master: api: Pre-query not deleted members in server groups  https://review.opendev.org/c/openstack/nova/+/95969611:14
opendevreviewMerged openstack/nova master: setup: Remove pbr's wsgi_scripts  https://review.opendev.org/c/openstack/nova/+/90268811:15
opendevreviewMerged openstack/nova stable/2025.1: Update start_service() function in test  https://review.opendev.org/c/openstack/nova/+/96384511:40
opendevreviewMerged openstack/nova stable/2025.1: Adds regression test for bug LP#2085135  https://review.opendev.org/c/openstack/nova/+/96384611:40
opendevreviewMerged openstack/nova stable/2025.1: Reset the mapped field of nodes at service deletion  https://review.opendev.org/c/openstack/nova/+/96384712:25
sean-k-mooneyZhan[m]: if you have input on https://review.opendev.org/c/openstack/nova/+/966106/comment/80b6a2a0_591c5cab/ feel free to add to it12:26
sean-k-mooneyfor context of others ^ is related to https://bugs.launchpad.net/nova/+bug/2128665 which is a very specific edgecase that results in live migration downtime when using calico12:27
sean-k-mooneyit could impact other backend but shoudl not impact ml2/ovs or recent version fo ml2/ovn12:27
sean-k-mooneyim conflcited on if this shoudl be fixed, if it should be fixed as a bug or as a feature to split post-live-migration into networking and the rest12:28
opendevreviewMasanori Kuroha proposed openstack/nova-specs master: Copy the spec approved in 2025.2 to 2026.1  https://review.opendev.org/c/openstack/nova-specs/+/96615112:52
Zhan[m]sean-k-mooney: Thanks, I will put comments there too.14:00
Zhan[m]Just for my own understanding, because we are not using ovn: from what you describe, the ovn driver in some sense is not really depending on the port binding activation but via the RARP packet (which I assume will be sent as soon as the destination QEMU process is resumed)? 14:02
Zhan[m]calico is more of using the port binding activation as the trigger for switching the network to the dest QEMU so yes that's why we're hitting14:03
sean-k-mooneyZhan[m]: so the ml2/ovs ml2/linuxbrige (before they deleted it) and as of about a year ago ml2/ovn driver14:11
sean-k-mooneyall wired up the port is there was a portbinidng for the host14:11
sean-k-mooneynot just an active one14:11
sean-k-mooneyfor calico this si tricky because the tap does not exsit yet14:11
sean-k-mooneyZhan[m]: hoever we coudl modify the supprot for vif_type=tap to create the tap in pre-live-migrtion14:12
sean-k-mooneywe are condiering doing that for ovn14:12
sean-k-mooneybecuse ovn while it strcitly sepaking does not need it 14:12
sean-k-mooneycan take a long time to install the flow  in larger clouds14:12
sean-k-mooneybasically whith many vm and port the ovn db perfromcen cna resulting in reconsitaion taking over 30s in some cases14:13
sean-k-mooneyZhan[m]: we modifed ovn to allow the trafic swithc to be triggred by the RARP packet sent by qemu when the vm unpauses14:14
sean-k-mooneyZhan[m]: for ml2/ovs and ml2/linux bridge because they relyied on mac learning the RARP is the only thing that cause the traffic to be rerouted14:14
sean-k-mooneyfor calico that a bit harder becuase its an l3 backend so the mac learning frames are likely entirly ignored14:15
sean-k-mooneyZhan[m]: if you wanted to improve downtime mroe in calico then using the RARP to triger the update would be a consitent approch14:15
Zhan[m]Indeed it's tricky I think for l3 in general, thanks for the explanation.14:26
Zhan[m]but wondering if ml2/ovs can switch traffic with the RARP, what is the role that the port binding is playing here?14:27
Zhan[m]the way we use calico that i do see port bindings to the destination are created in pre live migraiton14:28
opendevreviewJulien LE JEUNE proposed openstack/nova stable/2024.2: Adds regression test for bug LP#2044235  https://review.opendev.org/c/openstack/nova/+/96160214:29
opendevreviewJulien LE JEUNE proposed openstack/nova stable/2024.2: nova-conductor puts instance in error state  https://review.opendev.org/c/openstack/nova/+/96177514:29
opendevreviewJulien LE JEUNE proposed openstack/nova stable/2024.2: nova-conductor puts instance in error state  https://review.opendev.org/c/openstack/nova/+/96177514:34
opendevreviewHenry Richter proposed openstack/nova master: Preserve vTPM state between power off and power on  https://review.opendev.org/c/openstack/nova/+/95565715:18
opendevreviewNicolai Ruckel proposed openstack/nova master: Preserve UEFI NVRAM variable store  https://review.opendev.org/c/openstack/nova/+/95968215:29
nicolairuckelsean-k-mooney, thanks for your feedback. That fixed almost everything.15:40
nicolairuckelI was so sure I already tried that but maybe that was before you told me that I need to recreate the VM.15:41
sean-k-mooneycool ill pull in your updated code later in the week15:41
nicolairuckelthanks15:41
sean-k-mooneyi tried the version i comment on but i didnt try removing the code i commened on15:41
nicolairuckelI also had to revert my changes to one of the tests because the XML changed.15:44
nicolairuckelThat's fine, you shouldn't have to spend extra time on my mistakes. :D15:44
sean-k-mooneywell this is part of doing code review15:45
sean-k-mooneymakign sure we only change what needs to be changed15:45
sean-k-mooneyso its fine i have that devstack set up so ill test it when i have time15:45
sean-k-mooneynicolairuckel: you left a coulpe of prints 15:46
sean-k-mooneyhttps://review.opendev.org/c/openstack/nova/+/959682/9/nova/tests/functional/libvirt/test_uefi.py#6115:46
sean-k-mooneythat shoudl be removed15:46
opendevreviewBalazs Gibizer proposed openstack/nova master: [CI]nova-alt-configurations tests eventlet  https://review.opendev.org/c/openstack/nova/+/96592215:47
opendevreviewBalazs Gibizer proposed openstack/nova master: Move monkey_patch from init to the entrypoints  https://review.opendev.org/c/openstack/nova/+/96592315:47
opendevreviewBalazs Gibizer proposed openstack/nova master: Default native threading for sch, api and metadata  https://review.opendev.org/c/openstack/nova/+/96592415:47
sean-k-mooneynicolairuckel: im on a call so cant review realtime but skiming over it that was the only thing that imidatly jumped out to me15:48
nicolairuckeloh, right15:49
nicolairuckelthanks15:49
opendevreviewNicolai Ruckel proposed openstack/nova master: Preserve UEFI NVRAM variable store  https://review.opendev.org/c/openstack/nova/+/95968215:50
opendevreviewNicolai Ruckel proposed openstack/nova master: Preserve UEFI NVRAM variable store  https://review.opendev.org/c/openstack/nova/+/95968215:51
gmaanzigo: ack, I will check that16:02
zigoCheers.16:02
opendevreviewBalazs Gibizer proposed openstack/nova master: Default native threading for sch, api and metadata  https://review.opendev.org/c/openstack/nova/+/96592416:46
gibidansmith: sean-k-mooney: ^^ this (and its ancestors) are fixed up now based on the yesterday's dicussion16:46
opendevreviewNicolai Ruckel proposed openstack/nova master: Preserve UEFI NVRAM variable store  https://review.opendev.org/c/openstack/nova/+/95968217:02
opendevreviewPavlo Shchelokovskyy proposed openstack/nova master: Implement placement:same_subtree flavor extra spec  https://review.opendev.org/c/openstack/nova/+/96620517:19
opendevreviewMerged openstack/nova-specs master: Copy the spec approved in 2025.2 to 2026.1  https://review.opendev.org/c/openstack/nova-specs/+/96615117:32
melwittdansmith: I think I have to make more updates to the vTPM patches :(  sean commented on the spec review about not having any new sys meta key for storing the TPM security policy https://review.opendev.org/c/openstack/nova-specs/+/961564/3/specs/2026.1/approved/vtpm-live-migration.rst#181,18:00
melwittin the current version, I still used a sys meta key to stash the policy because I was thinking of a scenario where the operator may want to disallow 'user' (legacy) vTPM instances and I had been thinking I needed to store it to know to add the USER required trait for scheduling (to prevent scheduling of 'user' if configured). but I guess I could just make the logic in the request filter add the USER trait if there is vTPM but no policy18:01
melwitt in the flavor instead18:01
melwittdansmith: what do you think?18:03
dansmithmelwitt: ack, yeah I guess I thought we were still going to stamp it in the sysmeta regardless of where the decision came from, but I guess we can just make that "virtual" and always look at the flavor18:12
dansmithI hate to have to revise it again and do my testing again, but.. yeah18:12
melwittdansmith: yeah, I'm getting confused thinking about it but I'm remembering now that was I was thinking was that we would need to be able to differentiate between a legacy vTPM instance vs a new defaulted 'user' vTPM instance,18:13
melwittbecause if the operator wanted to disallow new 'user' instances, I think they also wouldn't want to block pre-existing legacy instances from doing things like resize18:14
melwittin order to tell the difference between an old vTPM instance and a new defaulted one, we would have to store it in sys meta. that's why I did it18:14
melwittbut sys meta is not viewable in the scheduler request filter ... so I'm not sure how that could be18:16
dansmithwell, before, we needed to know if they had opted into user or were being defaulted, so that we didn't migrate against their will, right?18:19
dansmithbut if we only change via resize then we don't need to know the difference.. user is user until resize and then it's not user18:19
dansmiths/not/potentially not/18:19
melwittyeah...thinking18:21
* melwitt looks through the patches18:22
melwittthis is another place where I see use of the sys meta key https://review.opendev.org/c/openstack/nova/+/941483/35/nova/virt/libvirt/driver.py#10803 if we want to be able to set the LibvirtLiveMigrateData fields to None for new defaulted instances18:23
melwittfor the object backleveling check18:24
dansmithright but you'll just do instance.flavor.get('security', 'user') above right?18:24
dansmithoh, well,18:24
dansmithyou'll actually do something like:18:25
dansmithistpm = instance.flavor.get('tpm_model', None)18:25
dansmithif istpm: security = instance.flavor.get('security', None) else: security = None18:25
dansmithand then the rest will be the same right?18:25
melwittit's confusing because I think you would only want to set those to None if the instance is new enough for the fields to be relevant ... or maybe that doesn't matter?18:28
dansmithif it has a model but no security, then it's user18:29
dansmithif it has a model and security, then $security18:29
melwittwhether it's a legacy vTPM instance vs a new defaulted 'user' vTPM instance18:29
dansmithif it has no model, then that's your None case, regardless of if it's new or old18:30
melwitthm yeah, ok. 18:30
dansmithI mean.. right?18:31
melwittyeah I had kept thinking we wouldn't want to set None if it's legacy, but I guess it doesn't really hurt anything or matter18:31
melwittin my mind it was like, "if legacy, don't do anything different than it is today"18:32
dansmithno, legacy user and new user are the same AFAIK18:32
melwitti.e. it doesn't matter if we prevent backport of a live migrate object for legacy vTPM because it can't happen18:33
dansmithwell, technically user migrations can happen if the user is the one doing the migration (if the admin has granted them that right) so we should have that work right?18:33
* dansmith hasn't gotten that far in the series of course18:34
dansmithbut like if I want to delegate live migrate ability to project manager role or something that should work18:34
melwittno, 'user' mimics legacy completely including not being live migratable18:34
dansmithor if the user doing the migration has been granted access to the key in barbican, it should work fine right?18:34
melwittfor 'host' yes18:35
dansmithokay I'm confused.. you're building in "user security is never migratable just because" behavior?18:35
melwittbut yeah, for 'user' LibvirtLiveMigrateData should never be in play18:35
melwittthat's what the spec intended anyway, 'user' just means legacy same-as-today behavior18:36
melwitt(i.e. live migrate rejected in the API)18:37
dansmithhrm18:37
dansmithI was assuming that user would be migratable if the key was accessible to the user doing the migration18:38
melwittit could be, but the spec as far as I understood it left a mode for exact-same-as-today18:38
dansmithbecause it should be basically "deployment" at that point in terms of setting it up on the remote side, just using the context token instead of the service user18:38
melwittright18:39
mikalsean-k-mooney (and I guess anyone else): https://review.opendev.org/c/openstack/kolla-ansible/+/966111 might be of interest. The author is asserting that Nova supports having more than one graphical console enabled at any given time, which is news to me. I tried pointing him at the docs but it hasn't worked out for me. Honestly, maybe I'm wrong. A19:08
mikalsecond opinion would be appreciated.19:08
sean-k-mooneymikal: so yes it can be on diffent host19:09
sean-k-mooneyand also i think it did work a long long long time ago19:09
sean-k-mooneybut i have no idea if it actully works today with the libvirt driver19:09
sean-k-mooneyare they asseting that you can have both on the same host19:09
sean-k-mooneywe have config option tha twoudl imply that and the console proxy coudl handel that19:10
mikalTo my reading of their comments, they agree you can only have one type per instance, but that different instances can have different console types. I don't think this is true, but maybe I'm on drugs.19:10
sean-k-mooneybut teh only time i have mixed it is vnc or spice for livbirt and the serial proxy for ironic19:10
mikalSo yeah, I think they think they can mix on a single nova host, not say have different ones per cell.19:10
sean-k-mooneywell its not even at the cell level 19:11
sean-k-mooneyit will work at the indigiual compute node level19:11
sean-k-mooneyi can quickly check in devstack i guess19:11
mikalI find https://review.opendev.org/c/openstack/kolla-ansible/+/966111/2/ansible/roles/nova-cell/templates/nova.conf.j2 quite hard to read, but I don't see any logic there which stops it from rendering a nova.conf which has both VNC and SPICE enabled in one nova.conf, which I think we're agreeing wont work?19:13
sean-k-mooneymikal: https://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L782519:14
sean-k-mooneyso it is posibel in the code to have spice and vnc19:14
sean-k-mooneybut you can also conenct via serial too19:14
sean-k-mooneymikal: this alines with what i remember for what its worth19:14
sean-k-mooneyits entrily config driven19:14
mikalI didn't think the domain XML could specify both VNC and SPICE, which I think is what that code you link to would do if you enabled both?19:15
sean-k-mooneymikal: no i actully do expect ti to work because that work in libvirt19:15
mikalThere's no guard to have only one for a given instance?19:15
sean-k-mooneymikal: im tryign to think if i currently have a debian devstack where i can check this19:15
mikalI am slightly surprised that https://libvirt.org/formatdomain.html#graphical-framebuffers doesn't seem to actually mention any limits.19:16
mikalHuh, maybe I am simply wrong.19:16
mikalI can never tell from the oVirt docs what is a forward looking statement vs what got built, but oVirt appears to have supported this. https://www.ovirt.org/develop/release-management/features/virt/multiple-consoles.html19:19
mikalSo yeah, I think I am wrong.19:19
sean-k-mooneyto be clear they can enabel that in kolla-ansible without needign any changes to it via config overrieds19:20
sean-k-mooneybut it might be nicer not to have to do that19:20
mikalYeah, I am just going to remove my -1 from that review and bravely run away. I'll let someone else have an opinion on the best way to do things in ansible, that's not really my thing.19:21
sean-k-mooneymikal: https://termbin.com/4c0u19:23
sean-k-mooneyso ya nova vm with vnc and spice booted on debian 13 (trixie)19:23
mikalI am comfortable with being wrong here, and will now slink away to pretend none of this happened.19:24
mikalSorry for bothering you in your evening.19:24
sean-k-mooneymikal: so this is somethign we dont test but can and proably should19:24
sean-k-mooneybut tis been a very very long time since i last did this19:24
sean-k-mooneyliek eailly 8 + years19:24
sean-k-mooneymikal: dont be sorry19:25
sean-k-mooneyits good to know this still works19:25
mikalYeah, I need to think about it some more. I _could_ add CI for it on the Kerbside side, but its really outside of Kerbside's set of concerns, and I have other priorities like actually getting TLS working right in the Kolla-Ansible role so I can propose it upstream. So I will at it to my backlog and see where that takes me later.19:26
mikalI have to run or I'll be late for work, talk more later. Thanks for your help.19:26
sean-k-mooneywe can just enabel it in the job that is currently testing spice19:26
sean-k-mooneymikal: no worreis chat to soon o/19:26
opendevreviewmelanie witt proposed openstack/nova master: TPM: support instances with `user` secret security  https://review.opendev.org/c/openstack/nova/+/94250219:53
opendevreviewMerged openstack/nova master: Add hw:tpm_secret_security extra spec validation  https://review.opendev.org/c/openstack/nova/+/94019720:23
opendevreviewMerged openstack/nova master: Add handling for vTPM secret permission error  https://review.opendev.org/c/openstack/nova/+/96364820:23
opendevreviewGhanshyam proposed openstack/nova master: Fix test_simple_tenant_usage test  https://review.opendev.org/c/openstack/nova/+/96622320:29
gmaanzigo:  this should fix the issue in test_simple_tenant_usage  https://review.opendev.org/c/openstack/nova/+/96622320:31
« Tuesday, 2025-11-04 Index Thursday, 2025-11-06 »

Generated by irclog2html.py 4.0.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!