14:00:01 #startmeeting glance 14:00:03 Meeting started Thu Apr 9 14:00:01 2020 UTC and is due to finish in 60 minutes. The chair is abhishekk. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:04 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:00:06 The meeting name has been set to 'glance' 14:00:06 #topic roll call 14:00:15 #link https://etherpad.openstack.org/p/glance-team-meeting-agenda 14:00:18 o/ 14:01:53 o/ 14:02:07 looks like two of us 14:02:22 wait for 2-3 minutes for rosmaita and smcginnis 14:02:41 yeah 14:03:11 sorry, wasn't paying attention 14:03:29 no problem, lets start 14:03:30 #topic Updates 14:03:42 I have created PTG etherpad, 14:03:55 #link https://etherpad.openstack.org/p/Glance-Victoria-PTG-planning 14:04:09 Will publish it to openstack-discuss mailing list as well 14:04:41 Likely virtual PTG will be scheduled to start one week before from actual dates (not sure yet) 14:04:56 Feel free to add topics to PTG for discussion 14:05:08 Moving ahead 14:05:19 #topic release/periodic jobs update 14:05:36 o/ 14:05:38 This is Ussuri milestone 3 release week 14:05:42 smcginnis, o/ 14:05:56 We still have couple of specs open 14:06:09 1. checksum computation 14:06:17 2. deprecate admin role 14:07:15 IMO we should move deprecate admin role to next cycle 14:07:29 what is your opinion about the same 14:07:41 would rather deprecate now so we can remove next cycle 14:08:13 If it's not a lot of work to just add the deprecation message, I think we should get it done. 14:08:26 i think i already have patch up for that 14:08:48 rosmaita, have you seen jokke_ comment on the specs 14:08:57 no 14:09:14 this is the link of etherpad with important patches, https://etherpad.openstack.org/p/glance-ussuri-important_patches 14:10:19 jokke_, smcginnis I would like to have your views on checksum computation specs 14:10:24 i don't understand jokke_'s comment 14:10:29 #link https://review.opendev.org/708761 14:10:43 because if we change the default value, we need to give warning about that as well 14:11:05 and i think my release note addresses that? 14:11:27 https://review.opendev.org/#/c/716078/ 14:12:19 jokke_, rosmaita, smcginnis as per our glance-specs standard I can not get specs in unless every core voted +2 on it 14:12:32 What I'm saying is that while not under Embargo this is valid security concern and we should address is asap, not just make a note an expect deployers to act on it 14:12:36 all I'm saying 14:13:24 it's not like CVE worthy but definitely something we could do much better for our users 14:13:33 Tomorrow will be holiday and most of the people will be on leave on Monday due to Easter, so I would like to have this decision made by today 14:14:17 well, in the default config, you don't see any difference at all 14:14:33 I can't remember if it's still the case but iirc Glance treated project admin as admin in this regard 14:15:08 it depends on how you make someone a "project admin" 14:15:34 besides, i talked about this in public at the denver ptg 14:15:43 or summit, rather 14:15:53 there's even a slide making this exact point 14:16:31 rosmaita: indeed ... so how changing the default value based on this issue would not change anything? 14:17:37 so is your point that we should both deprecate *and* change the default value? 14:18:06 rosmaita: yes, like I said we should do both so we address the current issue while we deprecate this 14:18:20 act now, not next cycle 14:18:52 and that way we can give a cycle more for removal if there's suddenly lots of people depending on this and needing time for it 14:19:27 but that all can be figured out after we have fixed the current "admin" overloading and informed that this is been deprecated 14:21:02 so is your proposal: ussuri change default value, victoria deprecate option, wallaby remove option ? 14:21:39 sorry, laptop restarted suddenly 14:22:16 rosmaita, IMO he is saying deprecate and change the default value now, and remove in wallaby 14:22:29 rosmaita: that or change defaul & deprecate ussuri; remove V if no hard push from the operator community else remove W 14:23:08 there's not going to be a hard push from operator community, the only things i have heard about this is that it messes up policy configuration 14:23:16 either way is fine by me as long as we change that default value and address it now as it has been talked in public way too much 14:23:35 It will likely be 2-3 years before operators give any feedback, unfortunately. 14:24:07 rosmaita: that's great, we still need to initialize that discussion in the mailing list and give room for those voices as per the deprecation policy 14:24:41 smcginnis: that fine as well as long as we give them the opportunity so we actually follow the policy we assert on ;) 14:24:50 rosmaita, how much efforts are required to change the default value? 14:25:09 not much 14:25:36 just have to change the value and revise the release note 14:25:50 we should do it then 14:26:01 but i strongly feel that we must deprecate in ussuri 14:26:15 or this will be another one of those never ending deprecations 14:26:27 i will also need to revise spec, i guess 14:26:37 smcginnis, can I post m3 release patch on Tuesday/Wednesday 14:27:05 we still have 3/4 patches to get in, then config refresh patch 14:27:21 looking at the gate, it will easily take 3-4 days for the same 14:28:10 jokke_, kindly look checksum computation specs as well 14:28:14 abhishekk: perhaps we should tag m-3 (or skip it) and make sure these gets into RC-1 ... not like we have any feature work going in 14:28:47 Yeah, we can wait for RC1 if we want. 14:29:07 can we skip m-3? 14:29:28 Client lib needs to be released, but there is no requirement to do milestone releases for services anymore. 14:29:38 cool 14:29:47 so the checksum deprecation I'm much more worried about. As I feel that might end up being on of those never removed deprecations as I'm pretty sure tempest is gating on checksums 14:29:48 Only if we think someone might pick up those beta releases for testing. 14:30:21 We already have released python-glanceclient 14:30:49 jokke_: see if this describes what you want: https://review.opendev.org/#/c/714626/2/specs/ussuri/approved/glance/spec-lite-deprecate-admin_role.rst 14:32:01 This is my action plan 14:32:23 1. Get important patch, https://review.opendev.org/#/c/718367/ in today 14:32:30 rosmaita: +2 on the deprecate admin role spec 14:32:34 2. Submit config refresh patch 14:32:46 3. Tag m-3 on monnday 14:33:12 File FFE for checksum and deprecate admin role (if required) and get them in rc-1 14:33:59 rosmaita: and if we don't have security bug for it, lets open public one so we can actually backport it and already get it out for those who are now looking into deploying steing or train 14:34:13 rosmaita, jokke_ smcginnis does it makes sense? 14:34:13 -g 14:35:07 so jokke_ your concern about the checksum, that would *not* be a reason to deprecate it in ussuri, is that right? 14:35:56 rosmaita: I just want to make sure we can actually remove it before marking it deprecated. (preferably get rid of the tempest test and depend the deprecation on that removal) 14:36:25 rosmaita: we have too many of these things just hanging because we make a decision and then QA just cockblocks us 14:37:16 well, this is a security concern 14:37:22 two things here: 14:37:31 (1) no change in the api or the response 14:37:45 (2) if you are actually validating the download, you need to use the secure method 14:38:20 so i think we can get this one through tempest, i can patch anything using checksum to validate to use multihash 14:38:47 but i think we need to deprecate first so they know we are serious 14:38:48 I second this 14:39:13 I thought that would have been the case with the default visibility as well and how well that went 14:39:25 or registry 14:39:51 We need to either submit patches to tempest, or at least announce on the ML so they know about the change. 14:40:14 smcginnis: what we need is commitment from them to agree it can be removed 14:40:25 it's not being removed 14:40:37 it's just not being populated any more 14:40:46 Honestly, if something isn't in refstack, they can't dictate to this team what stays or goes. 14:41:22 smcginnis: only way that statement is true is to drop tempest gating ... we've seen it too many times by now 14:41:53 as we have no way to force anything into tempest and they are in our gate 14:42:01 Well, that's my point with submitting patches to tempest. If we change something there, it doesn't just impact glance code. 14:42:04 so they very much do dictate what we can do 14:42:25 i think this is going to be different 14:42:36 Yeah 14:42:40 everyone thinks that download validation == security 14:42:46 and md5 == really bad 14:42:56 plus, we aren't modifying the image response 14:43:01 so no breaking 14:43:09 and multihash has been available since rocky 14:43:37 and has been used in glanceclient since rocky (second release) 14:44:11 so whereas the visibilility thing was kind of difficult to explain 14:44:18 this is pretty straightforward 14:44:33 I think we have discussed this when we have agreed on drafting the specs of checksum deprecation, and sounds straight forward 14:44:34 but the big thing here, is no telcos will use glance pretty soon 14:45:07 because they want no md5 anywhere 14:45:52 And with federally mandated things like FIPS, they may not be allowed to even if they want to. 14:46:14 Last 15 minutes, 14:46:34 anyway, i think we need the deprecation clock started on this one right away 14:46:40 i.e., in ussuri 14:46:59 and much as it sucks, we can fight it out in victoria 14:47:11 but i don't think there will be much fight on this one 14:47:23 +1 14:48:27 this is the actual deprecation note i am proposing: https://review.opendev.org/#/c/718147/1/releasenotes/notes/deprecate-checksum-a602853403e1c4a8.yaml 14:48:27 jokke_, we should do it now 14:49:05 So how I see this is, we have 3 options: 1) we deprecate, we potentially fight with qa for next 3 years to get rid of it and might buy us some user time as it's deprecated 2) we change the tempest tests to make sure it's not blocked, and then we deprecate and get rid of it or 3) (possibly as outcome of 1 but we could do it right away) we get security bug opened about it based on any gov policies 14:49:11 like FIPS preventing it's usage as unsecure and get rid of it right away 14:49:32 I'd prefer either 2) or 3) but I just have no iterest to fight the 1) route through 14:50:16 well, deprecating it now is consistent with security bug 14:50:20 some clients might have missed this: 16:49 < jokke_> like FIPS preventing it's usage as unsecure and get rid of it right away 14:51:29 i don't see any reason *not* to deprecate now 14:51:34 rosmaita: nope, if we take the security bug route, we can get rid of it in Ussuri and even backport it, deprecating it now will be earliest V which means that the telcos will be stuck with md5 until like 2025 unless we later on backport the removal through a bug 14:52:48 so what I'm saying is, we can either get rid of it without even worryig about deprecation if there is F.E. gov policy mandating us to do so. Or we might end up stuck with it for non-determined time 14:53:30 last 8 minutes, we can continue discussion on it #openstack-glance channel 14:53:37 Moving ahead 14:53:52 #topic glance-specs victoria patch 14:54:04 I have created glance-specs patch for victoria 14:54:29 please have a look at it so we can start adding specs for victoria 14:54:44 #topic Open discussion 14:55:07 jokke_, https://review.opendev.org/718367 14:55:14 have a look at it 14:55:27 Nothing from me. 14:55:54 as per docs we expect bool values for all-stores and allow-failure, so We are rejecting requests if it is not bool 14:57:13 is the client actually sending JSON bool or did I mess that up? 14:57:32 jokke_, fixed client yesterday 14:57:51 now it is sending JSON bool 14:58:30 last two minutes 14:59:06 I thought that might have been the case 14:59:59 time is up, switching back to openstack-glance for further discussion 15:00:06 thank you all 15:00:12 #endmeeting