Monday, 2025-09-08

opendevreview: chandan kumar proposed openstack/watcher-dashboard master: Add Start and END time fields for continuous audit  https://review.opendev.org/c/openstack/watcher-dashboard/+/957232 [05:01]
opendevreview: chandan kumar proposed openstack/watcher-dashboard master: Add Start and END time fields for continuous audit  https://review.opendev.org/c/openstack/watcher-dashboard/+/957232 [05:11]
opendevreview: chandan kumar proposed openstack/watcher-dashboard master: Add option to SKIP Actions  https://review.opendev.org/c/openstack/watcher-dashboard/+/958209 [08:05]
opendevreview: Takashi Kajinami proposed openstack/watcher master: Add basic common middlewares  https://review.opendev.org/c/openstack/watcher/+/960044 [13:19]
tkajinam: I happened to notice that watcher does not support CORS (due to lack of CORS middleware) and I wonder if ^^ can interest people [13:20]
opendevreview: Takashi Kajinami proposed openstack/watcher master: Add basic common middlewares  https://review.opendev.org/c/openstack/watcher/+/960044 [13:31]
opendevreview: Takashi Kajinami proposed openstack/watcher master: Add basic common middlewares  https://review.opendev.org/c/openstack/watcher/+/960044 [14:32]
sean-k-mooney: tkajinam: Oh yes we should fix that. [14:59]
sean-k-mooney: tkajinam: we likely need to review our entire api tech stack in general and evaluate how to eventually move on from using paste/paste deploy and wsme et cetera [15:00]
sean-k-mooney: long term just adopting flask and/or fastapi i think is the direction we should go in but that is less urgent than the eventlet removal [15:01]
sean-k-mooney: pecan is a little more maintained than the rest of the rest api stack that is currently in place and i just don't know enough about it to know if we should keep it or not long term [15:02]
sean-k-mooney: there are some other middleware that we likely should add like the requestid middleware or request size but i'll add a ptg topic for this [15:04]
tkajinam: pecan is used by a few projects like aodh or octavia so getting rid of it is a bit of a long term thing. [15:04]
sean-k-mooney: and ironic [15:04]
tkajinam: yeah [15:04]
tkajinam: though it looks much more maintained than paste/PasteDeploy in my view [15:04]
sean-k-mooney: and cyborg [15:04]
sean-k-mooney: yep so pecan is not the lib i'm concerned about [15:05]
tkajinam: I think the above change may add most of the common middlewares we use in multiple projects but yeah a more concrete audit would be nice [15:05]
sean-k-mooney: the ones that give me pause are paste/paste-deploy, WSME and WebOb [15:05]
tkajinam: actually "audit" middleware is the one we may want to discuss. and also healthcheck middleware though I know it's controversial [15:06]
sean-k-mooney: the oslo team maintenance of the latter too is low but they are used in other places too [15:06]
tkajinam: yeah [15:06]
tkajinam: though I'm hoping that we could somehow get rid of WSME... it's often in "dead" state due to its governance being outside of oslo [15:07]
sean-k-mooney: the healthcheck one i don't like because i don't think it provides any useful info over curling the microversion endpoint which requires no auth [15:07]
tkajinam: sean-k-mooney, the one benefit of healthcheck middleware is the capability to "disable" the service using a flag file though I agree its benefit is "thin" [15:07]
sean-k-mooney: tkajinam: ya so i think if we had identified a replacement, like the eventlet removal we could collectively move to something else [15:07]
sean-k-mooney: tkajinam: that now something i was aware of and not something i think we should be supporting [15:08]
tkajinam: a few projects like octavia implement their own healthcheck plugin to do some deep check like messagebus communication. [15:08]
sean-k-mooney: tkajinam: how is that implemented/controlled exactly [15:08]
sean-k-mooney: yes i had a working implementation for nova but we paused it to start removing eventlet [15:09]
tkajinam: ok it's not messagebus check but db access check [15:09]
sean-k-mooney: i had hoped to restart that effort eventually to add per-process native healthchecks but time [15:09]
tkajinam: sean-k-mooney, https://github.com/openstack/octavia/blob/master/setup.cfg#L109-L110 [15:09]
tkajinam: this would be a good entry point to look into it. I have to restore my old memory to explain it in detail, though [15:10]
sean-k-mooney: in my nova series i had checks for db connections and libvirt i believe. i had not fully worked out how to make rabbit connectivity just work [15:11]
sean-k-mooney: but that was on the list [15:11]
sean-k-mooney: the important point was to make it work for each process not just the rest api [15:11]
tkajinam: yeah. I remember the old discussion to expose some endpoint (probably over unix domain socket) for liveness probe [15:11]
sean-k-mooney: yep we agreed to do it as http instead [15:11]
sean-k-mooney: http over tcp rather than http over unix socket [15:12]
tkajinam: which is much more sophisticated than hack-scripts with ss -npa | grep foo [15:12]
tkajinam: yeah we don't have to expose it over network [15:12]
sean-k-mooney: i used the eventlet webserver in my initial version but cherrypy cheroot or the standardlib webserver are likely what we would use now [15:12]
tkajinam: ironic selected cheroot and a few others followed it [15:13]
tkajinam: so cheroot would be the base choice [15:13]
sean-k-mooney: it's nice to be able to for k8s or collectd but it was going to default to not being enabled. [15:13]
sean-k-mooney: yep i saw jayf's email that's why i'm aware of it [15:13]
sean-k-mooney: i'm torn between no external deps and just using that since others are [15:13]
tkajinam: +100 [15:14]
sean-k-mooney: i don't really want to have to deal with ssl myself if i restart that work :) [15:14]
sean-k-mooney: but it's also not like this would need to be high performance so spawning a single thread in the background should be enough [15:14]
sean-k-mooney: anyway that's like item number 20 on my list of "this would be nice to do" [15:15]
tkajinam: someone should seriously consider the way to create AI agents to share these tasks  :-P [15:16]
sean-k-mooney: honestly, not something quite this complex, i have been using ai a bit to help do some of these tasks that i normally don't get to [15:16]
sean-k-mooney: i'm looking at your core patch and i have 2 questions [15:17]
sean-k-mooney: 1 how do we know this is working and prove that in ci (we can actually do that in a followup). [15:18]
sean-k-mooney: 2, i have not looked yet but since we have paste-deploy i was expecting a paste.ini change but i can't find that in watcher [15:19]
sean-k-mooney: i guess that means we are not supporting configurable middleware today [15:20]
tkajinam: 1. For CORS middleware we can probably import the existing tests from ironic, though as far as I know it's not quite common to validate the feature in individual projects [15:20]
tkajinam: and I have no clear idea about the other middlewares, mainly http_proxy_to_wsgi [15:20]
tkajinam: 2. watcher is not using paste/paste deploy. It uses a fixed set of middlewares when setting up the app [15:20]
tkajinam: the logic I'm touching in the change shows it [15:21]
tkajinam: there are a few additional middleware like authtoken middleware loaded in different places [15:21]
sean-k-mooney: ack, i think a good start would be for us to turn on the tls_proxy if we don't already have it and confirm things like the link in the response get https correctly et cetera [15:21]
tkajinam: yeah. that sounds reasonable [15:21]
opendevreview: chandan kumar proposed openstack/watcher-dashboard master: Add option to SKIP Actions  https://review.opendev.org/c/openstack/watcher-dashboard/+/958209 [15:22]
tkajinam: (though I have to check if any API in watcher may return full URL, instead of partial paths) [15:22]
sean-k-mooney: ya we don't need to do that now [15:22]
sean-k-mooney: but given the recent mailing list discussion it's something i need to confirm in general [15:23]
sean-k-mooney: tkajinam: https://docs.openstack.org/api-ref/resource-optimization/#response-example implies it does but i'll check now [15:23]
sean-k-mooney: again not really in scope for your patch but while we are here checking this and filing a bug/todo makes sense [15:24]
tkajinam: I can file bugs. will let you know once I create ones [15:26]
sean-k-mooney: dviroel: just an fyi we have a bug in watcherclient [15:27]
sean-k-mooney: it's not doing version negotiation properly and just trying to use 1.5 [15:27]
tkajinam: one thing we can probably discuss is whether we consider lack of CORS support a "bug" [15:27]
sean-k-mooney: it should default to either 1.0 or the latest supported by the cloud we are talking to [15:27]
sean-k-mooney: tkajinam: it's technically a feature but we can review and discuss. it's probably not something we will merge for 2025.2 [15:28]
tkajinam: ok [15:28]
tkajinam: no rush [15:28]
sean-k-mooney: but i could see it as a security hardening but that should be backported [15:28]
sean-k-mooney: i'm just not sure we will have time to include it for RC1 and i'm hoping to avoid rc2 [15:28]
dviroel: sean-k-mooney: hum, ack, and there is no workaround for that right? no configuration, just hardcoded? [15:29]
opendevreview: chandan kumar proposed openstack/watcher-dashboard master: Fix translation context for watcher action states  https://review.opendev.org/c/openstack/watcher-dashboard/+/959189 [15:30]
sean-k-mooney: tkajinam: https://paste.opendev.org/show/bPBx4xyrrml8IDgrk3BP/ [15:30]
sean-k-mooney: so yes we do return the full url [15:30]
tkajinam: ah, ok [15:30]
sean-k-mooney: so we should also check that that will work using the forwarded header once we enable tls in ci [15:31]
sean-k-mooney: dviroel: you can set it with --os-infra-optim-api-version 1.4 [15:31]
sean-k-mooney: or in an environment variable [15:31]
dviroel: right, have been doing that to test [15:32]
sean-k-mooney: so there is but we should file a bug and fix it and backport it in the next few weeks [15:32]
sean-k-mooney: right now i bet it's just using the hardcoded max version instead of checking what the max version supported by the server is and using that [15:33]
sean-k-mooney: dviroel: i'll file a bug for that now and then file a second bug for not having tls testing enabled in ci upstream [15:34]
sean-k-mooney: tkajinam: we will probably need to include the oslo middleware for that too. [15:34]
dviroel: ack sean-k-mooney - tks [15:35]
sean-k-mooney: https://bugs.launchpad.net/python-watcherclient/+bug/2122343 [15:41]
sean-k-mooney: dviroel: do you have an opinion on if we should treat a lack of CORS support in the wsgi application as a feature or a bug? [15:42]
sean-k-mooney: if you're using apache i think it can handle the CORS enforcement for you but that is not true for wsgi servers in general [15:43]
sean-k-mooney: and since the middleware pipeline is not configurable it limits the options to workaround this. we don't need to decide now but we probably should discuss this at the irc call [15:44]
tkajinam: sean-k-mooney, yes and it may require additional knowledge about request patterns in watcher service [15:44]
tkajinam: while we "bake" default options when we are adding CORS middleware, which may be more convenient for users [15:44]
sean-k-mooney: tkajinam: to me it's not a question of if we should do it really, we should support it for no other reason than consistency with everything else IMO but i wonder if we should backport or not [15:45]
tkajinam: yeah [15:46]
tkajinam: that's what I was wondering, too [15:46]
tkajinam: anyway I'll create a bug about CORS middleware then we can discuss details later according to it [15:47]
tkajinam: I've been juggling a few things and haven't created it yet [15:47]
sean-k-mooney: being entirely transparent now that we know that this gap exists we will probably need to backport this internally so unless elod or other stable cores object to it we will probably want to do that upstream at least to epoxy [15:48]
opendevreview: Takashi Kajinami proposed openstack/watcher master: Fix missing CORS middleware  https://review.opendev.org/c/openstack/watcher/+/960044 [15:58]
sean-k-mooney: tkajinam: thanks. we will still likely need to adjust the spec file but if we are using a lower min it's more likely the third-party job will pass. [16:01]
sean-k-mooney: that won't block the patch from moving by the way it's just something we will have to account for when considering doing backports [16:02]
sean-k-mooney: i don't believe any of the middlewares you are adding are particularly new [16:02]
tkajinam: sean-k-mooney, yes [16:03]
tkajinam: I pulled it from octavia but seems they bumped the min for some reason [16:03]
tkajinam: ironic has a much lower lower-bound so I used it instead [16:03]
sean-k-mooney: ack. [16:04]
dviroel: sean-k-mooney: sorry, i was out for lunch... [16:50]
dviroel: we could treat it as a bug yeah, just need to check if it is backportable, based on the changes required... [16:51]
opendevreview: Takashi Kajinami proposed openstack/watcher master: Fix missing X-OpenStack-Request-ID header  https://review.opendev.org/c/openstack/watcher/+/960154 [17:07]
opendevreview: Takashi Kajinami proposed openstack/watcher master: Add capability to parse forward headers  https://review.opendev.org/c/openstack/watcher/+/960157 [17:20]
tkajinam: sean-k-mooney, I've reported a few bugs related to missing middlewares and proposed separate changes for each. I wrote these as "bug fixes" (just in case we want to discuss backports) but I'm fine converting these to features. [17:21]
tkajinam: just fyi. [17:21]
dviroel: sean-k-mooney: if you have time, pls check this 1 line patch: https://review.opendev.org/c/openstack/watcher/+/959354  - threading job is unstable due to the missing devstack configs (like disabling real metrics) - other option is to copy these configs to the job... i think that is easier to just inherit from the non-threading job... [17:36]
dviroel: will make CI more stable [17:36]
opendevreview: Takashi Kajinami proposed openstack/watcher master: Drop PasteDeploy  https://review.opendev.org/c/openstack/watcher/+/960165 [17:50]
sean-k-mooney: dviroel: approved https://review.opendev.org/c/openstack/watcher/+/959354 [18:20]
dviroel: ty [18:30]
opendevreview: Douglas Viroel proposed openstack/watcher-specs master: Add 2026.1 spec dirs and move specs implemented in 2025.2  https://review.opendev.org/c/openstack/watcher-specs/+/960177 [18:35]
opendevreview: Merged openstack/watcher master: Update prometheus-threading parent jop  https://review.opendev.org/c/openstack/watcher/+/959354 [18:35]
