#openstack-meeting log

14:00:01 <abhishekk> #startmeeting glance
14:00:01 <opendevmeet> Meeting started Thu Mar 10 14:00:01 2022 UTC and is due to finish in 60 minutes.  The chair is abhishekk. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:01 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:01 <opendevmeet> The meeting name has been set to 'glance'
14:00:03 <abhishekk> #topic roll call
14:00:10 <abhishekk> #link https://etherpad.openstack.org/p/glance-team-meeting-agenda
14:00:14 <abhishekk> o/
14:00:27 <pdeore> o/
14:00:57 <abhishekk> lets wait few minutes for others to join
14:01:17 <pdeore> yeah
14:01:33 <mrjoshi> o/
14:02:47 <abhishekk> I don't see anyone else around, lets start and others can join us in between
14:03:07 <abhishekk> We have small agenda today as well, with some review requests
14:03:12 <abhishekk> lets start
14:03:21 <abhishekk> #topic Updates
14:03:37 <abhishekk> Zed PTG planning etherpad is up
14:03:59 <abhishekk> if you haven't added your name to the list of attendees, kindly do it earliest
14:04:07 <abhishekk> #link https://etherpad.opendev.org/p/zed-ptg-glance-planning
14:04:20 <abhishekk> moving ahead
14:04:28 <abhishekk> #topic release/periodic jobs update
14:04:59 <abhishekk> We are done with the Yoga cycle with the rc1 release, so nothing is pending from our side
14:05:13 <rosmaita> o/
14:05:37 <abhishekk> periodic jobs all green \o/
14:05:50 <pdeore> \o/
14:05:56 <abhishekk> next one is rosmaita
14:06:11 <abhishekk> #topic lock_path required for glance_store cinder driver
14:06:21 <rosmaita> hello
14:06:30 <abhishekk> floor is yours
14:07:01 <rosmaita> doing a context switch - hope i put info in the etherpad, because i don't remember what this was about
14:07:23 <abhishekk> related to lock_path config option
14:07:29 <rosmaita> oh yeah, it's an issue that applies to the glance_store cinder driver
14:08:12 <abhishekk> #link https://docs.openstack.org/glance/latest/configuration/configuring.html#configuring-the-cinder-storage-backend
14:08:21 <jokke_> I thought Eajat already implemented that, no?
14:08:25 <jokke_> Rajat even
14:09:05 <abhishekk> I think rosmaita is talking about documenting the option
14:09:08 <rosmaita> probably not, it was fixed in koll-ansible, though
14:09:12 <rosmaita> yeah
14:09:30 <rosmaita> silly me, i looked at the glance_store docs and didn't see anything
14:09:36 <abhishekk> :D
14:09:43 <rosmaita> we can just add something to this page
14:09:52 <rosmaita> by "we" i mean i will put up a patch
14:09:59 <jokke_> ;)
14:10:03 <abhishekk> yes, this is the right place to mention
14:10:16 <rosmaita> that was really my question, how/where to doc this
14:10:18 <rosmaita> thanks!
14:10:22 <rosmaita> related, though
14:10:36 <rosmaita> the glance_store docs are out of date, still mention that it's used for Glare
14:10:54 <abhishekk> I will have a look at those and clean it up
14:11:03 <rosmaita> cool, that's all from me
14:11:15 <abhishekk> great, thank you
14:11:18 <abhishekk> moving ahead
14:11:30 <abhishekk> #topic Fips backports
14:11:41 <abhishekk> There are some backports posted for fips
14:12:02 <abhishekk> and owner wants our opinion about them
14:12:34 <abhishekk> Problem is the job which we converted to fips on master was non-voting during wallaby
14:13:05 <abhishekk> So I think that is not a valid backport (as per our policy)
14:13:13 <abhishekk> what is your opinion about it?
14:13:37 <jokke_> I don't think I have seen that job passing either so I'm pretty much against running it in stable branches just wasting infra resources
14:14:04 <abhishekk> https://review.opendev.org/q/project:openstack/glance+-branch:master+owner:afariasa
14:14:04 <jokke_> If we are talking just the testing job definitions to stable
14:14:08 <rosmaita> the owner wants to backport some changes, or just running the job in stable/wallaby
14:14:11 <rosmaita> ?
14:14:29 <abhishekk> rosmaita, above is the list of patches we have
14:14:43 <abhishekk> it has some changes to correct the old behavior in tests
14:15:31 <abhishekk> I think other option we can have is periodic job running against the stable/wallaby and stable/xena branch
14:15:59 <rosmaita> i agree with jokke_ that the first step is to have the fips jobs actually green on these patches
14:16:49 <rosmaita> in fact, i suggest we ask them to make the job voting in the patch so the zuul result is relevant
14:17:09 <rosmaita> and once it is good, they can revise the patch to make the job non-voting
14:17:24 <rosmaita> right now, zuul gives +1 and there's still a failure
14:17:35 <abhishekk> I also told the same, will convey the decision to him
14:17:49 <abhishekk> They are still debugging the issue for the job
14:17:54 <jokke_> I kind of disagree seeing how unstable that test run has been. Like it's fine for non-woting until it actually passes more than fails on it's own. Lets get it blocking the gate only after the job is stable
14:18:12 <abhishekk> agree
14:18:18 <rosmaita> jokke_: it will only vote on the patch that contains the change
14:18:24 <rosmaita> we won't make it actually voting
14:19:00 <rosmaita> i entirely agree that this job is too unstable to run in the stable branches
14:19:13 <abhishekk> ack, will discuss this with the owner
14:19:26 <jokke_> rosmaita: well the thing is it's flaky ... so if it's marked voting there, DNM needs to be flagged for now
14:19:35 <rosmaita> jokke_: right
14:19:50 <abhishekk> +1
14:20:17 <jokke_> and that really won't get him anywhere closer to merge them :P
14:20:29 <rosmaita> well, it helps us
14:20:44 <rosmaita> right now , it looks like we are the blocker, because this green patch is sitting there
14:20:53 <rosmaita> so let' make zuul give it a -1
14:20:55 <jokke_> but yeah I'd say to get the test stable and perhaps voting in master is good start before worrying bringing it to stable
14:21:05 <jokke_> rosmaita: fail
14:21:05 <rosmaita> well, that too
14:21:08 <jokke_> fair even
14:21:18 <abhishekk> ok
14:21:43 <abhishekk> that's all, moving to Open discussion
14:21:49 <abhishekk> #topic Open discussion
14:22:05 <abhishekk> I think croelandt and pdeore added some patches for review requests
14:22:11 <abhishekk> 1st one is merged
14:22:28 <abhishekk> I will just add the others for reference here
14:22:43 <abhishekk> https://review.opendev.org/c/openstack/python-glanceclient/+/821409   Remove lower-constraints.txt (If4881229) - Agreed on during the review party
14:22:43 <abhishekk> https://review.opendev.org/c/openstack/python-glanceclient/+/797779   glance help <subcommand>: Clearly specify which options are mandatory (I51ea4c43)
14:22:43 <abhishekk> https://review.opendev.org/c/openstack/glance-tempest-plugin/+/802792 Implement API protection testing for metadef resource types ( Removed the lock as per suggestions)
14:22:43 <abhishekk> https://review.opendev.org/c/openstack/glance-tempest-plugin/+/802794/14 Implement API protection testing for metadef properties  ( Removed the lock as per suggestions)
14:22:45 <croelandt> yes, only the first 3
14:22:46 <abhishekk> https://review.opendev.org/c/openstack/glance-tempest-plugin/+/802795/12 Implement API protection testing for metadef tags  ( Removed the lock as per suggestions)
14:23:06 <abhishekk> Last 3 are from glance-tempest-plugin and related to s-rbac function tests
14:23:07 <croelandt> 2) and 3) we agreed on during the party but never re-reviewed iirc
14:23:16 <abhishekk> I did :D
14:23:39 <croelandt> :D
14:23:47 <abhishekk> If you guys have some time, please review these patches
14:24:01 <abhishekk> 2 and 3 is trivial
14:24:22 <abhishekk> last 3 are functional and related to metadef s-rbac tests
14:24:26 <pdeore> So, as per Dan's suggestion about removing the lock and namespacing the namespace, I've updated these patches...
14:25:50 <jokke_> ack
14:26:48 <abhishekk> anything else guys?
14:27:07 <alistarle> Yep, I have a question about a new glance import method to match multi-region use-case
14:27:42 <alistarle> I have prepared a patch about a "glance-download" (instead of web-download) import method, to allow a glance image to be download directly from another glance, what do you think about that ?
14:28:14 <abhishekk> another glance deployment?
14:28:42 <alistarle> Yes my use-case is more about a glance in other region
14:29:29 <alistarle> Let's say you uploaded an image in RegionOne (VM snaphshot by example), and you want this image to be present in RegionTwo (as a backup), currently I need to download locally and use glance-direct, or use web-download
14:29:47 <abhishekk> do you know we have copy-imge import method?
14:30:09 <alistarle> Yes but copy-image is to copy an image between backends of the same glance
14:30:21 <jokke_> alistarle: are you using glanceclient for it or requests directly?
14:30:33 <alistarle> Here it is to copy image between multiple region, so multiple glance deployments
14:30:49 <jokke_> I kind of like the idea as long as we're not adding p-gc as requirement
14:31:21 <alistarle> jokke_: good question, I POC it with glanceclient, but it add a lot of mess (and maybe a circular dependency to add glanceclient as a glance requirements), maybe requests is better
14:32:03 <abhishekk> and also it will be better if we have this discussion in PTG with a proposal/spec up for reference
14:32:20 <jokke_> alistarle: specially as I assume it's just one API call, it probably is fairly simple case
14:32:31 <alistarle> True
14:32:50 <alistarle> Only thing is we need to forward the RequestContext into the tasks API, to use client keystone token to call the remote glance, otherwise we can have a security issue if using admin credentials here
14:33:14 <alistarle> That was my only concern in my patch, that's why I wanted to get your opinion before going further
14:33:33 <jokke_> alistarle: yeah I was just going to say, what you need to pass as the import call body is the auth uri for the target deployment and token
14:34:10 <jokke_> So bit more json parsing there which is annoyance for testing but very trivial to do in client
14:34:23 <alistarle> Hmmm I would say image ID and region is enough, as the token will be valid in all regions
14:34:56 <alistarle> so we can rely on the token the user give use by calling the /import route
14:35:08 <jokke_> alistarle: that's only if you have federated keystone though ... does exclude your second usecase of separate deployments out
14:36:21 <jokke_> so maybe poc it like that to have the mechanics in place and then add the parsing of the body for optional keystone auth uri and token in case the source is actual separate deployment
14:36:50 <alistarle> jokke_: Yep it require ferederated keystone, but do you think it is ok to send a token and auth information in the JSON body of import ?
14:37:25 <jokke_> alistarle: sure, why not. Just need to make sure we don't log it
14:37:33 <abhishekk> alistarle, can you build/submit a proposal for the same with actual solution you are using
14:37:43 <abhishekk> we dont log import body anywhere
14:37:53 <jokke_> no different than sending your token as header on the request itself security wise
14:38:31 <alistarle> Hmm true
14:39:18 <jokke_> that said, I'd implement it only accepting token, not username & password
14:39:28 <jokke_> at least that's timelimited exposure
14:39:35 <alistarle> Ok so I will make a POC and a spec for that, at least it sound good to you :)
14:39:53 <abhishekk> yeah, interesting feature
14:39:54 <alistarle> jokke_: I agree yes
14:39:57 <jokke_> for me, can't speak for abhishekk & rest :P
14:40:04 <abhishekk> :D
14:40:15 <jokke_> but I like the idea
14:40:35 <abhishekk> ++
14:40:48 <abhishekk> thank you alistarle
14:41:00 <abhishekk> anything else guys
14:41:06 <jokke_> not from me
14:41:25 <abhishekk> croelandt, pdeore ?
14:41:25 <alistarle> That's ok for me too, thanks :)
14:41:45 <pdeore> no, nothing from me too
14:41:48 <abhishekk> One more thing I almost forget to mention
14:42:03 <abhishekk> pdeore, has volunteered to chair the weekly meeting from next week
14:42:13 <abhishekk> thank you very much pdeore
14:42:32 <rosmaita> nice, thank you
14:42:38 <jokke_> \\o \o/ o// o/7
14:42:49 <croelandt> goo for me
14:42:58 <abhishekk> :D
14:43:00 <croelandt> pdeore: congrats!
14:43:11 <rosmaita> croelandt: "goo"? do you mean "goulash"?
14:43:25 <abhishekk> thank you all
14:43:28 <pdeore> Thanks to you abhishekk for believing on me :)
14:43:41 <croelandt> rosmaita: I always want goulash
14:43:46 <jokke_> croelandt: I'm sure she will let you chair one every once in a while if you ask nicely
14:43:56 <abhishekk> haha
14:43:56 <croelandt> jokke_: what if I don't ask?
14:44:18 <jokke_> croelandt: then you better not miss one ... we're good at voluntolding people :P
14:44:27 <abhishekk> then we have different role for you :D
14:44:28 <pdeore> :D :D
14:44:50 <croelandt> there is no escaping the pain
14:45:00 <abhishekk> absolutely not :P
14:45:17 <abhishekk> lets wrap up for the day, thank you again
14:45:22 <abhishekk> have a nice weekend ahead
14:45:27 <jokke_> thanks all
14:45:35 <abhishekk> #endmeeting