#openstack-meeting log

16:00:20 <jungleboyj> #startmeeting Cinder
16:00:22 <openstack> Meeting started Wed Oct  3 16:00:20 2018 UTC and is due to finish in 60 minutes.  The chair is jungleboyj. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:23 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:26 <openstack> The meeting name has been set to 'cinder'
16:00:29 <smcginnis> o/
16:00:37 <Luzi> o/
16:00:37 <rosmaita> o/
16:00:38 <mhen> o/
16:00:38 <ganso> hello
16:00:41 <abishop_> o/
16:00:42 <jungleboyj> Agenda link:  https://etherpad.openstack.org/p/cinder-stein-meeting-agendas
16:00:43 <whoami-rajat> Hi
16:00:48 <e0ne> hi
16:00:48 <jungleboyj> #link https://etherpad.openstack.org/p/cinder-stein-meeting-agendas
16:00:52 <eharney> hi
16:01:12 <jungleboyj> eharney is back!
16:01:16 <eharney> :)
16:01:17 <jungleboyj> @!
16:01:17 <_pewp_> jungleboyj ＼( ･_･)
16:01:52 <_erlon_> Hey
16:02:12 <xyang> hi
16:02:42 <jungleboyj> Ok.  So, it looks like we have a Quorum.
16:02:50 <jungleboyj> Lets get started.
16:03:04 <jungleboyj> #announcements
16:03:09 <jungleboyj> #topic announcements
16:03:18 * jungleboyj is apparently struggling to control the meeting.
16:03:49 <jungleboyj> I have sent out an e-mail to the mailing list proposing geguileo_PTO  as a stable core.
16:04:03 <jungleboyj> We discussed that at the PTG so that shouldn't be a huge surprise.  :-)
16:04:17 <jungleboyj> If anyone has concerns please let me know.
16:04:39 <jungleboyj> Also, I am working on getting releases of python-cinderclient and os-brick out.
16:05:07 <jungleboyj> I looked and it doesn't seem like there are too many outstanding patches.  Does anyone have anything important they need to get in before I do releases?
16:05:30 * smcginnis looks
16:06:47 <smcginnis> Looks like we're in decent shape for a release to me.
16:06:53 <jungleboyj> A reminder that we have an etherpad to talk about the mid-cycle:  https://etherpad.openstack.org/p/cinder-stein-mid-cycle-planning
16:07:05 <jungleboyj> #link https://etherpad.openstack.org/p/cinder-stein-mid-cycle-planning
16:07:09 <smcginnis> erlon: Can you check the response to your comments on https://review.openstack.org/#/c/604578/
16:07:15 <e0ne> there is nothing important to release python-brick-cinderclient-ext
16:07:38 <erlon> smcginnis, I will
16:07:45 <jungleboyj> We have lots of remote attendees.
16:07:58 <jungleboyj> Hope we could get some more on-site participation.
16:09:03 <jungleboyj> Please add topics as you come up with them.
16:09:17 <jungleboyj> erlon:  Yeah, if you can address that it would be appreciated and then we can do another release there.
16:10:29 <jungleboyj> smcginnis:  Thanks for double checking and confirming that things look pretty good.
16:10:33 <erlon> jungleboyj, smcginnis, yeah, comment was most something to be improved, but its a backport so
16:10:42 <jungleboyj> erlon:  Yeah.
16:10:45 <erlon> jungleboyj, are you releasing for rock as well?
16:11:06 <jungleboyj> erlon:  That is the plan if there are sufficient changes.  I haven't checked how many there have been.
16:11:44 <erlon> done
16:12:16 <jungleboyj> erlon: Thank you.
16:12:45 <smcginnis> rosmaita: Yay
16:12:59 <jungleboyj> smcginnis:  ?
16:13:19 <smcginnis> jungleboyj: Just saw that he had added his name to the midcycle attendance list.
16:13:37 <rosmaita> not guaranteed attendance yet, though
16:13:50 <jungleboyj> smcginnis:  Oh.  Yay indeed!  will be nice to have you there rosmaita !
16:13:58 <rosmaita> :)
16:14:04 <jungleboyj> Ok, moving on from Announcements.
16:14:25 <jungleboyj> #topic Image Encryption Proposal
16:14:33 <jungleboyj> Luzi: and mhen  You here?
16:14:38 <Luzi> yes
16:14:41 <mhen> o/
16:14:42 <mhen> hello all :)
16:14:46 <Luzi> hi :)
16:14:54 <mhen> as already announced on the ML we want to propose the introduction of image encryption in OpenStack
16:15:01 <mhen> #link http://lists.openstack.org/pipermail/openstack-dev/2018-September/135167.html
16:15:09 <jungleboyj> @!
16:15:09 <_pewp_> jungleboyj (ஐ╹◡╹)ノ
16:15:17 <jungleboyj> Right, have seen the notes on that.
16:15:22 <mhen> this will have impact on several projects including Cinder as well as Nova, Glance and OSC - for which we are currently writing individual specs
16:15:43 <mhen> for Cinder we basically want to add image decryption when converting an encrypted image into a volume
16:16:21 * smcginnis is glad eharney is back for this
16:16:23 <jungleboyj> Ok.
16:16:27 <jungleboyj> smcginnis:  Me too.
16:16:29 <mhen> (plus incorporating the already existing case of creating images from encrypted volumes, as eharney also mentioned on the ML today)
16:17:13 <mhen> our proposal for creating volumes from encrypted images would focus on volume backends supporting encryption, starting with Ceph and LVM - as we don't see a point in allowing encrypted images to be converted into unencrypted volumes
16:17:45 <mhen> any opinions on that?
16:18:23 <eharney> it seems like a reasonable idea, but folks relying on the glance<->cinder optimized cloning of images to volumes inside of Ceph are going to take a big perf hit when using this
16:18:36 <eharney> which is fine, just needs to be well understood
16:18:55 <smcginnis> Does anyone actually use ceph?
16:18:59 <smcginnis> (jk)
16:19:40 <erlon> eharney, why do loose the optimized cloning if you are not decrypting?
16:19:45 <eharney> i just started looking at this today but i haven't come up with any big objections to the general idea
16:20:05 <eharney> erlon: they have to decrypt if it's a gpg based encryption which is totally different from the normal luks volume encryption
16:20:16 <mhen> correct
16:20:45 <erlon> eharney, so, only if is a gpg?
16:21:02 <erlon> is it possible to use the same encryption method?
16:21:11 <eharney> well the proposal is that the images will be encrypted w/ gpg
16:21:20 <eharney> i don't think so, because they want to use a streamable format
16:21:28 <erlon> hmmm
16:21:51 <erlon> got it
16:23:11 <jungleboyj> Thoughts on not supporting going from an encrypted image to a non-encrypted volume?
16:24:20 <eharney> i'm not sure i understand the reason for that restriction
16:24:30 <jungleboyj> It seems to be that there are people who may have a backend that doesn't support encryption but want to access an encrypted image.
16:24:58 <jungleboyj> We could handle that like we do with other things like this where we don't allow it by default but allow the user to enable it if that is what they want.
16:25:57 <jungleboyj> *crickets*
16:26:10 <mhen> jungleboyj, fair point. However, the goal of the image encryption is to keep the data safe no matter where the image is transferred to and handled. Converting it into an unencrypted volume would mean exposing the data on this host essentially.
16:26:12 <eharney> if you consider a deployment where the Glance storage is in some less secured area than the Cinder backend, it makes sense to decrypt an image to an unencrypted volume
16:26:50 <eharney> it ends up exposed on the compute host anyway when it's attached
16:27:06 <jungleboyj> mhen:  Yeah.  That is why we would make it an option and default to not allowing it.
16:27:39 <mhen> eharney, with native LUKS this shouldn't be the case or am I wrong?
16:28:01 <mhen> in QEMU/LibVirt
16:28:48 <eharney> i forget, do we support QEMU's luks layer for iSCSI yet?  either way, i think most deployments use device-mapper for decryption
16:29:30 <jungleboyj> eharney:  Good question.  I am not sure.
16:29:52 <jungleboyj> Anyway, we don't have to solve the design issues right here.
16:30:06 <eharney> i can participate in spec reviews for this
16:30:21 <jungleboyj> It looks like other projects are adopting this functionality and it is something that we should also support.
16:30:25 <mhen> eharney, we would definetly appreciate that :)
16:31:12 <jungleboyj> eharney:  That would be appreciated.
16:32:06 <jungleboyj> So, any objections to a spec being proposed and us supporting this effort?
16:33:19 <rosmaita> no objection, makes sense for cinder to do this if glance/nova are doing it
16:33:30 <jungleboyj> rosmaita:  Yep.  :-)
16:33:31 <smcginnis> It sounds like a good thing to support, so I think we should at least work through the spec and see if we can work through any issues.
16:33:39 <rosmaita> and ironic
16:33:43 <jungleboyj> smcginnis:  ++
16:34:10 <jungleboyj> #action Luzi mhen  to propose a spec for implementation in Cinder
16:34:20 <mhen> we will do, thanks for your support :)
16:34:26 <jungleboyj> #action team to review the spec and work through design details
16:34:27 <mhen> we are currently planning to outsource the encryption/decryption functionality into the SDK, because it is used across several components, including Cinder
16:34:41 <jungleboyj> #action eharney  to provide Cinder encryption expertise.
16:34:52 <mhen> would that be alright for you?
16:35:03 <smcginnis> Makes sense.
16:35:53 <mhen> it's currently not in the requirements for Cinder, so it would need to be added
16:36:07 <jungleboyj> Ok.
16:36:35 <jungleboyj> mhen:  Is that the approach being taken in other services?
16:37:34 <mhen> jungleboyj, we don't know yet; we are currently still reaching out to all the other teams as well
16:38:07 <smcginnis> Having common things in a library will be much better than copying and pasting into each project.
16:38:14 <jungleboyj> smcginnis:  ++
16:38:25 <jungleboyj> Yeah, so obviously we would be open to that.
16:38:28 <smcginnis> mhen: Is this a library that is already tracked in openstack/requirements?
16:38:43 <Luzi> yes
16:38:53 <Luzi> its used in the openstack-client for example
16:39:00 <smcginnis> Perfect. Should be fine then.
16:39:06 <mhen> called "openstacksdk"
16:39:37 <eharney> cinder would use openstacksdk?
16:40:51 <rosmaita> that seems counterintuitive
16:40:56 <jungleboyj> eharney:  That is how I am reading it.
16:41:10 <mhen> another alternative would have been glanceclient, but I thought the individual client libraries are to be unified in the SDK?
16:41:13 <eharney> yeah, it sounds not so great to me
16:41:36 <smcginnis> Anyway, details we can work through in the implementation.
16:41:44 <jungleboyj> smcginnis:  ++
16:42:33 <rosmaita> mhen: you may want to take a look at how the image signature stuff was pulled out into the cursive library for both glance and nova to consume
16:42:49 <rosmaita> i think that may be a more typical pattern
16:43:32 <jungleboyj> So, lets move on.
16:43:43 <mhen> rosmaita, that's quite funny - we recently added image signature generation to osc, where we first added it to cursive library but the devs suggested moving it to the sdk
16:43:56 <jungleboyj> Are there any other topics or should we spend a few minutes on bug triage?
16:44:59 <rosmaita> mhen: interesting
16:45:01 <jungleboyj> Ok.  Looks like we can move on.  #topic bug triage
16:45:11 <jungleboyj> #topic bug trieage
16:45:13 <smcginnis> #fail
16:45:14 <jungleboyj> #topic bug triage
16:45:16 <smcginnis> :)
16:45:23 * jungleboyj glares at smcginnis
16:46:14 <jungleboyj> First, eharney  we have been waiting for you input on this bug:
16:46:25 <jungleboyj> #link https://bugs.launchpad.net/cinder/+bug/1788619
16:46:25 <openstack> Launchpad bug 1788619 in Cinder "disk cachemodes should be restricted with multiattached volumes" [High,New]
16:46:44 <eharney> well this one's easy to triage for cinder - it's a nova issue :)
16:47:01 <jungleboyj> eharney:  Oh, ok.
16:47:18 <jungleboyj> So, there isn't anything we need to do here?
16:47:51 <eharney> no
16:48:31 <jungleboyj> Ok.  That is good.
16:49:23 <jungleboyj> eharney:  Thanks.
16:50:03 <jungleboyj> #link https://bugs.launchpad.net/cinder/+bug/1782714
16:50:04 <openstack> Launchpad bug 1782714 in Cinder "Properties of an attached volume are lost after live migration" [Medium,New]
16:50:17 <jungleboyj> So, it looks like the reporter responded to this one.
16:50:28 <jungleboyj> whoami-rajat:  Did anyone get a chance to look at this?
16:51:06 <whoami-rajat> jungleboyj: don't think so.
16:51:39 <whoami-rajat> geguileo_PTO:  has been off since past 2-3 days i guess
16:52:23 <jungleboyj> Ok.  And he had taken a look at that.  So.  Follow up when he is back.
16:52:30 <jungleboyj> whoami-rajat:  Other bugs to look at?
16:52:44 <whoami-rajat> jungleboyj: yes
16:52:48 <whoami-rajat> https://bugs.launchpad.net/cinder/+bug/1793364
16:52:48 <openstack> Launchpad bug 1793364 in OpenStack Compute (nova) "mysql db opportunistic unit tests timing out intermittently in the gate (bad thread switch?)" [High,Confirmed]
16:53:01 <whoami-rajat> jungleboyj: ok will do
16:54:19 <jungleboyj> Hmmm, ok.  So looks like this is being seen across multiple projects.
16:54:57 <whoami-rajat> jungleboyj: yes, the manila team confirmed it too on their gate.
16:56:22 <jungleboyj> mriedem:  Confirmed in Cinder.
16:56:56 <whoami-rajat> jungleboyj: yes, cause the problem was originally found in nova and cinder.
16:57:38 <erlon> jungleboyj, https://bugs.launchpad.net/cinder/+bug/1789944
16:57:38 <openstack> Launchpad bug 1789944 in Cinder "cinder-tempest-plugin CG tests are broken" [High,In progress] - Assigned to Miriam Yumi (miriamyumi)
16:58:14 <erlon> Someone else was mentioning the bugs on the consistency group tests a few weeks ago
16:58:45 <erlon> the fix should be ready: https://review.openstack.org/598999
16:59:29 <erlon> oops, fix: https://review.openstack.org/#/c/599720/
16:59:54 <jungleboyj> erlon:  Ah, good.  Hopefully we can get that through.
17:00:02 <jungleboyj> eharney: smcginnis  ^^
17:00:10 <erlon> nice
17:00:20 <jungleboyj> Otherwise, will need to look into the next bug that whoami-rajat  has proposed.
17:00:27 <jungleboyj> And with that.  We are out of time here.
17:00:51 <jungleboyj> Thank you everyone for meeting.
17:00:56 <jungleboyj> #endmeeting