Thursday, 2026-03-12

« Wednesday, 2026-03-11 Index Friday, 2026-03-13 »
opendevreviewAshish Gupta proposed openstack/nova master: Add native threading support to test case ID propagation fixtures  https://review.opendev.org/c/openstack/nova/+/98017900:09
seyeongkimDo you think there’s a chance this patch could be merged into master, or does it need more work? https://review.opendev.org/c/openstack/nova/+/963665 Thanks!04:09
opendevreviewNicolai Ruckel proposed openstack/nova stable/2025.1: Preserve vTPM state between power off and power on  https://review.opendev.org/c/openstack/nova/+/97986605:22
opendevreviewAshish Gupta proposed openstack/nova master: Add native threading support to test case ID propagation fixtures  https://review.opendev.org/c/openstack/nova/+/98017907:10
Ugglagmann, gibi, 978494: Fix wrong strict assertion of quota class set id | https://review.opendev.org/c/openstack/nova/+/9784gibi  finally merged. What was just a matter of crossing fingers. :)07:49
*** ralonsoh_ is now known as ralonsoh07:50
Ugglagibi, bauzas if you can review / +w 979008: Update compute rpc alias for Gazpacho | https://review.opendev.org/c/openstack/nova/+/979008, 979016: Add service version for Gazpacho | https://review.opendev.org/c/openstack/nova/+/979016 and 979023: Add Gazpacho prelude section | https://review.opendev.org/c/openstack/nova/+/97902307:55
Ugglagibi, bauzas, and this one too: 980165: Amend vTPM live migration spec | https://review.opendev.org/c/openstack/nova-specs/+/980165 07:56
bauzassure, I'll review those patches08:11
bauzas(I'm used to :) )08:11
bauzassean-k-mooney: fwiw, I started to peek at numa aware vswitches numa affinity problems and I created functests here for reproducing : https://review.opendev.org/c/openstack/nova/+/979999/09:48
bauzasat the moment, I'm not seeing any issue by the fixtures, as the scheduler provides limits to the compute claim09:48
bauzasthat's only when the filter doesn't pass the limits or if the reqspec is modified that we no longer get the limits for the claim and then the compute doesn't look at the numa nodes affinities09:49
opendevreviewDominik proposed openstack/nova master: NUMA Topology with Resource Providers: Libvirt NUMA Migrate  https://review.opendev.org/c/openstack/nova/+/97117710:10
sean-k-mooneybauzas: the probelm is not in the schduler11:51
sean-k-mooneybauzas: so in the schduler it works its on the compute node11:51
sean-k-mooneybauzas: when we reproduced it in a devstack enve we saw the schduelr do the right thing but when the compute agent called the same code it did not11:52
sean-k-mooneybauzas: by the way the limits form the schdluer are not provided to the compute agenet11:53
sean-k-mooneywe reconsudct the instance numa toplogy blob in the compute and recompute the pining ectra we dont pass it over rpc today11:53
sean-k-mooneybauzas: my guess its this si really dumb and we are just not passing a parmater somewhere11:54
sean-k-mooneybauzas: as an asside if the numa shculder filter is not used numa is not suprpoted at all but  but ti ssond liek you may have fount part of the issue network_metadata is missgin?11:56
sean-k-mooneythe compute agent shoudl enfoce numa regardelss fothe schduler config obvioulsy but the point im making is we have alwasy said useign numa feature without the schduler filter is not supprot upstream the compute agenet protections are just a saftey net so that you can evenutally fix your scdhluer config without needing ot move your vms11:58
opendevreviewMerged openstack/nova master: Add service version for Gazpacho  https://review.opendev.org/c/openstack/nova/+/97901612:08
opendevreviewMerged openstack/python-novaclient master: Add version foot protector  https://review.opendev.org/c/openstack/python-novaclient/+/97825412:27
bauzassean-k-mooney: I'd appreciate if you could look at my func reproducer patch https://review.opendev.org/c/openstack/nova/+/97999913:21
bauzasI agree with you on the fact the compute claim should do the same than the filter and doublecheck the network metadata13:22
bauzasbut I'm still wondering why those limits are not passed, because functests say "yes this is passed unless reschedules without alternativesé"13:22
sean-k-mooneybauzas: the are not passed because we can race with tow diffent request13:33
sean-k-mooneyi.e. we cant safely use what the schduler has calulated without moving the instnace calim to the schduler13:33
sean-k-mooneybauzas: the instnace claim buidl the numa constraits form teh falvor/image locally on teh comptue agent13:41
sean-k-mooneymy guess based on what you discsoced is we are not incuding the network metadtaa in that13:42
opendevreviewTakashi Natsume proposed openstack/nova master: Update contributor guide for 2026.1 Gazpacho  https://review.opendev.org/c/openstack/nova/+/96189614:09
opendevreviewMerged openstack/nova stable/2025.2: [nova-tox-py312-threading]Ignore failing tests  https://review.opendev.org/c/openstack/nova/+/98001314:15
nicolairuckelIs the CI having a bad day today? There are random jobs failing for my changes.14:18
opendevreviewribaudr proposed openstack/nova master: Add Gazpacho prelude section  https://review.opendev.org/c/openstack/nova/+/97902314:22
nicolairuckelI had to rerun them because one of the gates failed (which was correct at that point) but one job was failing that ran before. So I rerun them again and now that one passed but another one fails.14:22
nicolairuckelhttps://review.opendev.org/c/openstack/nova/+/97890814:22
dansmithsean-k-mooney: IIRC, the only way the whole admin/instance password thing works is either by injection in libvirt (disabled/discouraged) or via metadata.. cloud-init seems to not even support this, but cloudbase-init (for windows) does.. that line up with your understanding?14:24
dansmithasking you because you're usually one of the more vocal anti-injection voices :)14:24
sean-k-mooneydansmith: liek alwasy there is a third option14:24
sean-k-mooneyit can be set via the qemu guest agent without injection14:24
sean-k-mooneybut yes cloudbase init is the only thing that generates it on the compute startup and post teh value back via metadta14:25
dansmiththat's the set-password thing, I know that.. that's sort of different than what I'm asking14:25
sean-k-mooneyya so your summery basicly matches my understanding14:25
dansmithsean-k-mooney: libvirt will generate/store it in sysmeta I think, cloudbase-init can rewrite it IIRC14:25
dansmithhmm, maybe it only does that during set.. so maybe I'm thinking of older rax/xen behavior.. you'd create an instance in horizon and immediately get back a "here's your admin password" dialog14:29
sean-k-mooneydansmith: by the way i didnt think we saved the admin-password14:29
sean-k-mooneyi tought we only returned it on create/rebuild (encyprted via your keypair)14:30
sean-k-mooneybut that was only in memory 14:30
sean-k-mooneyperhasp i imagined that14:30
dansmithwe store it in sysmeta in password_N keys14:30
sean-k-mooneythe reason i ask is i dont think its in server show14:30
dansmithI thought it was in the create response but I'm not seeing where that would be now14:31
dansmithit's not in server show14:31
sean-k-mooneyit is in the create respocne and in the rebuild responce14:31
sean-k-mooneyi assumed we did not have it in show because we did nto have it rather then not including it intentionally hence the question14:32
dansmithI just don't see where it could be actually used during create I mean14:32
sean-k-mooneyi guess we must14:33
sean-k-mooneyhttps://docs.openstack.org/api-ref/compute/#show-server-password14:33
dansmithI'll keep looking, not asking you for that, just if you knew of any other edges14:33
dansmithyep, that's the way to get it on a running instance14:33
sean-k-mooneywe likely kept it in its onw api to just not send it iin general when not needed14:33
sean-k-mooneydansmith: no none that come to mind at the moment14:34
dansmithack, I'll try to chase down what we're doing (or not) with the password on create (I wonder if that was only ever honored by xen),14:34
sean-k-mooneyhonestly it woudl be better if we sotred this in barbiacna but this is hella old14:34
dansmithyeah, that's an idea I guess if we were going to modernize it14:35
sean-k-mooneysame for keyparis in keyston or barbican14:35
dansmiththe cloudbase-init post back to metadata sort of can't be private, so I guess it still needs to encrypt it manually or something14:35
dansmithit's all pretty crusty hacks for 202614:36
sean-k-mooneyya so that realying on just ssl at the infra level14:36
sean-k-mooneybut also cloudbase dont really do openstack stuff anymore14:36
sean-k-mooneyso we coudl perhaps deprecate/remove that14:36
sean-k-mooneyi think that was partly put in because we dont have a way for such an agent to call barbican or similar14:37
dansmithwhat I mean is, no verifiable SSL cert for the metadata service14:37
sean-k-mooneyi.e. we dont have the k8s thing of providing a bootstrap/service token 14:37
dansmithyeah, deprecate would be best here I think.. but I also want to know if windows users are still relying on the nova->cloudbase-init for the initial password setting part14:38
sean-k-mooneydansmith: by the way we alwasy encyrpt the password with your keypair at least when storign it/returning it14:39
sean-k-mooneyi dont knwo if cloud-base was doing that when posting it14:40
sean-k-mooneyor if that was on the metadta api side14:40
sean-k-mooneyim hoping it was in cloudbase14:40
sean-k-mooneyso that nova was never handelign the plaintext password14:40
dansmithyep14:40
sean-k-mooneywindows user do often use this but they can use winrm (an i think ssh in newer windwos) or userdata to set the inital password14:41
dansmithalso, it looks like the password on create is only used  by libvirt if we do injection or if we're creating config_drive.. I haven't yet seen that we store it if not doing either of htose14:41
sean-k-mooneythey likely wont14:41
sean-k-mooneybut that does at least work14:41
dansmithoh also, I'm not sure if the admin password on create is encrypted ... it seems like not.. once you do set-admin-password its only encrypted, you're right about that14:42
sean-k-mooney... i dont alwasy like to be right14:42
dansmithyeah, ssh in newer windows for sure14:42
dansmithsean-k-mooney: FWIW, the adminPass generated on boot is stored in plaintext in the config_drive in meta_data.json15:31
dansmithnot stored in the database, so not visible via usual http metadata, but.. that would be easy to mount world-readable somewhere and expose your root password _if_ you decided to use it15:32
sean-k-mooneynot ideal. i hope we seting it to 440 or 400 today but ya with out nova providsion storage encycrption storing it in the configdriver vs root disk does nto really chagne the postture15:33
dansmithit's either fat or iso9660, so no permissions.. depends on how you mount it15:35
dansmithor if you have an OS that automounts CDs, it probably mounts it 55515:35
sean-k-mooneyoh you mean in the guest rather then on the host15:35
dansmithyes15:35
sean-k-mooneyack15:36
dansmithI meant expose your root password to any random untrusted thing that is running that can read world-readable things on the filesystem15:36
sean-k-mooneyi tought you ment an operator or soemoen with acess to read the file on the host 15:36
sean-k-mooneybut yes so it wont automoutn by default however cloud init will do that15:36
sean-k-mooneyso if you have a clodu iamge i think its bindmounted in o /etc/cloud/config....15:37
sean-k-mooneyi have never looked at hwo that is doen in the guest really so im not sure what permissison it will use15:37
dansmithWindows will "mount" it automatically and a general-purpose OS would automount it15:37
dansmithlike ubuntu-desktop would end up with it mounted15:38
sean-k-mooneyoh right the DE(gnome) ectra woudl 15:38
sean-k-mooneynot really sure now to avoid that other then contineut to advise agians enabling the fature15:39
dansmithsince cloud-init won't set the root password from that (AFAICT) then it's not a big deal there, but on Windows where cloudbase-init would/did it'd be readable15:39
dansmithadvise against enabling what, configdrive?15:39
sean-k-mooneythe admin password injection15:39
sean-k-mooneynot config drive15:39
dansmiththere's no way to disable that part AFAICT15:40
dansmiththe admin password is always generated in the API and passed to driver.spawn().. if libvirt is creating a config_drive, it will put it in there.. no injection enabling required15:40
sean-k-mooneyoh ok was not aware of that. i assuem we only do that on windows images base on the os_type value in glance15:40
dansmithif cloudbase-init was running, sees it and honors it then...15:41
dansmithno, I'm testing this with a linux guest15:41
sean-k-mooneyoh ok. perhasp we shoudl add a flag for that somewher then15:41
dansmith$ grep -Po admin_pass.*?, /mnt/openstack/latest/meta_data.json15:43
dansmithadmin_pass": "CExk4PUfQLgA",15:43
dansmithwell, it doesn't matter for linux guests regardless because cloud-init won't use it15:43
dansmithand for windows guests, if they rely on that, it has to work15:43
sean-k-mooneydansmith: do you know what other palthforms do. i asume aws and kubvirt have a similar issue15:43
dansmithit's not really related to what I'm doing so it doesn't matter, I just thought I'd point it out based on the conversation above15:44
sean-k-mooneyack15:44
dansmithFWIW, I don't see anywhere that we allow a POST/PUT from cloudbase-init via metadata to locally generate and set it15:46
dansmithdo you know that's a thing for sure?15:46
sean-k-mooneyit is but its hard to find ill grab a link15:53
sean-k-mooneyhttps://github.com/openstack/nova/blob/master/nova/api/metadata/password.py#L5815:54
sean-k-mooneydansmith: it can only be set once via that flow 15:54
sean-k-mooneyhttps://github.com/openstack/nova/commit/a2101c4e7017715af0a29675b89e14ee2884bd8915:55
dansmithoh thanks.. how does that get linked from the actual handler that services the GET? I didn't see it ... (don't answer, I can dig)15:55
dansmithso it already has to be encrypted in the way we're expecting in that case I guess.. all we do is split it into pieces15:56
sean-k-mooneymy guess is that handeler is jsut alwasy used for both but not sure15:56
dansmiththis stuff is so gross15:57
sean-k-mooneythat was my reaction when i rediscoved it exested a few years ago i dont know if i have the linke to the cloudbase init code but i thikn its useing the keypair to encyrpt it15:58
dansmithit has to if it wants horizon to be able to use it I think15:58
dansmithwell, horizon lets the user choose a private key to decrypt with so.. I guess that could be something else, IDK15:58
dansmiththe cloudbase-init code is available, I haven't gone looking through it yet but I will15:59
sean-k-mooneyit has to be the private key that releated to the publick key for the server16:01
sean-k-mooneyhttps://github.com/cloudbase/cloudbase-init/blob/master/cloudbaseinit/metadata/services/httpservice.py#L71-L8116:02
sean-k-mooneyhttps://github.com/cloudbase/cloudbase-init/blob/master/cloudbaseinit/plugins/common/setuserpassword.py#L5016:03
sean-k-mooneyhttps://github.com/cloudbase/cloudbase-init/blob/master/cloudbaseinit/metadata/services/base.py#L115-L12616:03
dansmithyep, so same as nova basically16:04
sean-k-mooneyso it alwasy the first public key in the list which for opentack is where we put the ssh/x509 pub key form the servers keypair16:04
sean-k-mooneyyep so it shoudl be end to end encypted16:05
sean-k-mooneyalthogh i hate the idea that horizon has a view where you can send it your private key ever16:05
sean-k-mooneyhopefully they do that clint side with javascript of somehtign liek that16:06
dansmithyep they do16:07
dansmithand yep, showing the password in cleartext ever seems like an anti-pattern anyway16:07
dansmithI assume there has to be some windows-specific workflow that requires it be generated on the instance at first boot or something16:07
dansmithlike maybe post-sysprep or some such16:07
dansmithpost-un-sysprep I mean16:07
opendevreviewFlorian proposed openstack/nova master: Add check for PCIe devices attach limit for volume and ports  https://review.opendev.org/c/openstack/nova/+/95558416:09
opendevreviewMerged openstack/nova master: Update compute rpc alias for Gazpacho  https://review.opendev.org/c/openstack/nova/+/97900816:24
opendevreviewMerged openstack/nova master: Add Gazpacho prelude section  https://review.opendev.org/c/openstack/nova/+/97902316:24
opendevreviewMerged openstack/nova-specs master: Amend vTPM live migration spec  https://review.opendev.org/c/openstack/nova-specs/+/98016517:59
Matko[m]Would anybody know if the ironic driver can or ever consumed in any shape or form the memcache_servers and memcache_secret_key configs from the ironic section in nova.conf?21:25
Matko[m]I'm doing some cleanup in openstack-helm and found those configs are configured in the ironic section: https://opendev.org/openstack/openstack-helm/src/branch/master/nova/templates/configmap-etc.yaml#L166-L17221:25
Matko[m]I want to remove them as I couldn't find anything consumed them, even through libraries. I want to cover all bases and confirm with the Nova team this is actually not used.21:25
sean-k-mooneyMatko[m]: the ironic driver used to use tooz to provide a distibute hash ring21:26
sean-k-mooneyi think tha tmight have eben able to use memcache to store it21:26
sean-k-mooneyhttps://opendev.org/openstack/tooz/src/branch/master/tooz/drivers/memcached.py21:27
sean-k-mooneyso maybe if it was integrated via that21:27
sean-k-mooneyMatko[m]: it woudl proably be better to also check with the ironic folks21:27
sean-k-mooneythis i beilve is what it sued form that lib https://opendev.org/openstack/tooz/src/branch/master/tooz/hashring.py#L3021:28
sean-k-mooneyMatko[m]: thos ecould also be commign form the keystoneAuth optiosn we add21:29
Matko[m]yes, I found the usage of tooz. However there is nothing feeding the config to tooz21:29
Matko[m]I did look into keystoneauth too21:30
Matko[m]There is no trace of memcache in keystoneauth project: https://github.com/search?q=repo%3Aopenstack%2Fkeystoneauth+memcache&type=code21:30
Matko[m]No dependency on oslo.cache or dogpile that might consume the config: https://github.com/openstack/keystoneauth/blob/master/requirements.txt21:30
Matko[m]I'll ask the Ironic team then.21:30
sean-k-mooneyhttps://github.com/openstack/nova/blob/master/nova/conf/ironic.py21:30
sean-k-mooneythat is where that config section is regeistered and its not an option we are addign explcitly21:31
sean-k-mooneyso that measn it coming from either keystoen auth or the sdk i think21:31
sean-k-mooneyhttps://github.com/openstack/nova/blob/master/nova/conf/ironic.py#L128-L13121:31
sean-k-mooneyso if those have any effect i suspect it via the sdk/keystoneAuth common logic not anythin ironic specific21:32
Matko[m]I looked into those as well and couldn't find anything. The openstack-helm code I linked to was added 9 years ago. And I wonder/suspect if it was a bad copy/paste from similar code in the chart for keystone_authtoken which has memcache configs.21:33
sean-k-mooneydid you check our current config ref21:33
Matko[m]yes21:33
Matko[m]I would also assume list_opts would list and include all the supported configs in the docs.21:33
sean-k-mooneyya we generate the config ref form that 21:34
Matko[m]https://docs.openstack.org/nova/latest/configuration/config.html#ironic21:34
Matko[m]if it doesn't ring a bell to anybody, then I'll conclude it was a bad copy/paste.21:34
sean-k-mooneyi dont see them there 21:34
sean-k-mooneyso i think they are not used any more21:34
Matko[m]alright, thanks for your help and time21:35
sean-k-mooneyi suspect they may have been used when we use the python-ironic client21:35
sean-k-mooneywe swapped to the sdk about 3-4 releases ago21:35
opendevreviewAshish Gupta proposed openstack/nova master: Add native threading support to test case ID propagation fixtures  https://review.opendev.org/c/openstack/nova/+/98017922:33
« Wednesday, 2026-03-11 Index Friday, 2026-03-13 »

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!