14:05:49 <jbernard> #startmeeting cinder
14:05:49 <opendevmeet> Meeting started Wed Feb 26 14:05:49 2025 UTC and is due to finish in 60 minutes.  The chair is jbernard. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:05:49 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:05:49 <opendevmeet> The meeting name has been set to 'cinder'
14:05:52 <jbernard> #topic roll call
14:05:53 <yuval> 0/
14:05:54 <jbernard> o/
14:06:00 <whoami-rajat> Hi
14:06:02 <sfernand> hi
14:06:03 <Sai> o/
14:06:05 <jbernard> #link https://etherpad.opendev.org/p/cinder-epoxy-meetings
14:06:05 <akawai> o/
14:06:32 <abishop> o/
14:06:38 <Luzi> o/
14:06:45 <rosmaita> o/
14:09:32 <jbernard> welcome everyone
14:10:02 <jbernard> #topic announcements
14:10:22 <jbernard> ff (feature freeze) is this week according to the schedule
14:10:33 <jbernard> #link https://releases.openstack.org/epoxy/schedule.html
14:11:13 <jbernard> this has been quite a week so far, some kind of stomach bug thing has nearly crushed my soul :/ BUT I'm getting better finally :)
14:11:42 <whoami-rajat> jbernard, good to know you are recovering
14:12:01 <jbernard> mhen, Luzi: brian (rosmaita) and I owe you a review for the encryption patch
14:12:18 <rosmaita> yes
14:12:31 <jbernard> whoami-rajat: thanks, i thought i might escape the winter season without any major sickness, but i was wrong! (again)
14:13:00 <whoami-rajat> :/
14:13:12 <jbernard> mhen, Luzi: this is on the priority list (among others) so hang in there and don't stress too much :)
14:13:58 <jbernard> there are many reviews needing feedback, if anyone has extra cycles, help in the review backlog is most appreciated
14:14:05 <msaravan> Hi
14:14:25 <Luzi> this week is feature freeze, isn't it?
14:14:29 <jbernard> msaravan: heya
14:14:37 <jbernard> msaravan: you have a patch needing feedback
14:14:41 <jbernard> #link https://review.opendev.org/c/openstack/cinder/+/942342
14:14:46 <jbernard> Luzi: yes
14:14:50 <msaravan> sure, will do it tonight
14:14:55 <jbernard> Luzi: technically :)
14:15:36 <jbernard> msaravan: sorry, this is the one related to cert based auth
14:15:47 <jbernard> msaravan: i meant you are in need of feedback
14:16:11 <jbernard> ^ this is a netapp patch that awaits reviews as well
14:16:18 <msaravan> I verified that, and that patch looks good.
14:16:30 <msaravan> I'll update my comments again.
14:18:28 <Sai> Thank you both for reviewing the cert based auth patch!! jbernard, msaravan
14:19:05 <jbernard> Sai, msaravan: re netapp ci, those issues will be resolved soon?
14:20:30 <jbernard> that's about it, in terms of current state
14:20:32 <jbernard> ff is coming
14:20:35 <jbernard> reviews are needed
14:20:55 <jbernard> any additional feedback on the encryption patch is much appreciated
14:21:05 <jbernard> #link https://review.opendev.org/c/openstack/cinder/+/926298
14:21:26 <jbernard> any testing or code comments are useful
14:21:52 <jbernard> I'll open things up
14:21:56 <jbernard> #topic open discussion
14:21:58 <Sai> jbernard: Yes, we are on it and issues will be resolved soon.
14:22:04 <jbernard> Sai: excellent
14:24:51 <yuval> if nobody has anything I can bring up a small issue
14:25:01 <jbernard> yuval: sure
14:25:40 <yuval> https://review.opendev.org/c/openstack/os-brick/+/942689 - we use the env variable "VIRTUAL_ENV" here. This is special to os-brick, I wonder why and whether it is really needed?
14:28:05 <jbernard> the change id is
14:28:07 <jbernard> Change-Id: Ib191c075ad1250822f6ac842f39214af8f3a02f0
14:28:39 <yuval> is gorka around? I see he wrote it
14:28:48 <jbernard> yuval: gorka left a pretty good commit message
14:29:04 <jbernard> yuval: but it's possible the conditions he encountered in 2020 are no longer present
14:31:33 <yuval> why the hard limit on os-brick while nova and cinder don't need to set any special env variable
14:32:20 <jbernard> it looks like we need to amend the privsep capabilities when running as non-root
14:32:20 <yuval> I met this issue when working with kolla-ansible, inserting the env variable into the kolla docker is not trivial
14:32:47 <jbernard> does it break without this variable set?
14:33:19 <yuval> yes - permission issues happen
14:33:39 <yuval> it depends on the backend - if you need some caps
14:35:22 <jbernard> i would consider the kolla-ansible environment, maybe there is something more accurate we can use to detect this, rather than VIRTUAL_ENV
14:35:24 <jbernard> maybe...
14:37:22 <rosmaita> maybe there is a clue in the bug? https://bugs.launchpad.net/os-brick/+bug/1884059
14:37:46 <whoami-rajat> so the issue Gorka saw was we needed to bypass read permissions in a virtual env, are we seeing this issue in other scenario? I'm not sure how/where kolla-ansible deploys os-brick
14:39:11 <yuval> it's not doing anything special, os-brick is deployed as part of the nova and cinder containers
14:39:46 <whoami-rajat> and you have observed that the read permission issue happens outside of virtual env as well?
14:40:26 <yuval> I believe maybe in the past we were more cheap on giving processes caps
14:40:40 <yuval> whoami-rajat: yes, the process runs inside a docker
14:40:46 <yuval> maybe thats related
14:41:51 <jbernard> in general we try to elevate privileges as little as possible, and only when absolutely needed; so perhaps this patch is slightly too narrow and needs to be revised.
14:41:52 <whoami-rajat> ok, and IIUC it's the nova compute container right? does cinder-volume container also face similar permission issues while using os-brick?
14:43:19 <yuval> I saw it in nova - when attaching volume (the lightbits backend moves a file from tmp to etc/...)
14:43:36 <yuval> I am sure in cinder container I will see the same behavior
14:44:00 <whoami-rajat> ok, we can try creating a volume from image, which triggers similar attach/detach workflow as nova does
14:44:10 <whoami-rajat> and if it succeeds, compare both container privileges
14:44:14 <whoami-rajat> I'm trying to understand what happened recently that is causing this issue since the code has been there since 2020
14:45:53 <yuval> it's not that something was changed - so far I have used special branches in kolla to add the env variable. but I really don't understand the need for this, so I am wondering if we can remove it
14:46:33 <yuval> https://opendev.org/openstack/cinder/src/branch/master/cinder/privsep/__init__.py
14:46:37 <yuval> looking at this
14:46:48 <yuval> also nova is the same
14:49:09 <whoami-rajat> yuval, i think that's different from what os-brick uses, i can see cinder one was implemented for cgroup throttling
14:49:51 <whoami-rajat> here the sys_admin_pctxt is used https://opendev.org/openstack/cinder/src/branch/master/cinder/privsep/cgroup.py#L26
14:50:36 <whoami-rajat> in os-brick, we use the "default" defined in os-brick itself https://github.com/openstack/os-brick/blob/master/os_brick/privileged/lightos.py#L23
14:51:14 <whoami-rajat> and nova might have its own usage of its privsep context that it creates which i don't know much about
14:51:51 <yuval> is there an alternative to using the default?
14:53:06 <whoami-rajat> i don't see a way to configure it, we can surely elevate the privileges by adding more capabilities, the only concern i have is the reason for doing it
14:53:06 <yuval> I see this comment in the code: # It is expected that most (if not all) os-brick operations can be
14:53:06 <yuval> # executed with these privileges.
14:53:44 <whoami-rajat> previously Gorka added the read permission for a specific case i.e. virtualenv, but I'm unsure about the issue you are facing
14:54:22 <whoami-rajat> i think it would be good to log a bug first with the issue faced
14:54:35 <yuval> I see ok
14:57:13 <jbernard> ok, last call
14:57:28 <rahman-lb> A very small patch related to docs https://review.opendev.org/c/openstack/cinder/+/942672
14:58:28 <jbernard> rahman-lb: added to the list
14:58:58 <jbernard> thank you everyone, have a good rest of the week!
14:59:01 <jbernard> #endmeeting