14:00:14 <pdeore> #startmeeting glance 14:00:14 <opendevmeet> Meeting started Thu Apr 28 14:00:14 2022 UTC and is due to finish in 60 minutes. The chair is pdeore. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:14 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 14:00:14 <opendevmeet> The meeting name has been set to 'glance' 14:00:14 <pdeore> #topic roll call 14:00:14 <pdeore> #link https://etherpad.openstack.org/p/glance-team-meeting-agenda 14:00:19 <pdeore> o/ 14:00:24 <abhishekk> o/ 14:00:26 <dansmith> o/ 14:00:57 <pdeore> lets wait few minutes for everyone to join 14:02:28 <alistarle> o/ 14:02:29 <rosmaita> o/ 14:02:44 <mrjoshi> o/ 14:03:14 <pdeore> ok let's start 14:03:22 <pdeore> #topic release/periodic jobs 14:03:35 <pdeore> Milestone 1 is just 3 weeks away 14:03:47 <pdeore> I think almost all the specs are up for review 14:04:01 <pdeore> we will go through the list in next topic 14:04:17 <pdeore> Periodic job, all green except POST_FAILURE for fips job and one time out 14:04:35 <pdeore> moving ahead 14:04:39 <pdeore> #topic Specs For Review 14:04:52 <pdeore> Most of the specs up for review which needs some attention 14:05:01 <pdeore> New API for instant caching of image : https://review.opendev.org/c/openstack/glance-specs/+/838642 14:05:09 <pdeore> this one needs new revision 14:05:17 <pdeore> Expanding store details - https://review.opendev.org/c/openstack/glance-specs/+/835606 (one +2) 14:05:25 <pdeore> Delete API for metadef resource types - https://review.opendev.org/c/openstack/glance-specs/+/818192 14:05:27 <abhishekk> For instant caching I need to update the spec as per our PTG discussion, somehow I missed about updating existing API (queue image) rather than adding new API 14:05:46 <dansmith> pdeore: I was mostly okay with the stores-detail one, 14:05:57 <dansmith> so if it has added detail now hopefully it's good, I'll do that after the meeting 14:06:12 <pdeore> cool 14:06:38 <pdeore> the Delete api for metadef rd types spec is up for review from last cycle, kindly please review this so that we can have this change in this cycle :) 14:06:50 <pdeore> s/rd/rs 14:07:11 <pdeore> Update proposal for duplicate image download - https://review.opendev.org/c/openstack/glance-specs/+/734683 14:07:20 <pdeore> this one also needs to be updated 14:07:38 <pdeore> spec-lite: ability to purge all rows by glance-manage - https://review.opendev.org/c/openstack/glance-specs/+/819622 (one +2) 14:07:56 <abhishekk> this one is also sitting from last cycle 14:08:03 <pdeore> yeah 14:08:56 <pdeore> So all members, kindly review the spec and give your suggestions 14:09:13 <pdeore> moving ahead 14:09:15 <abhishekk> ack 14:09:18 <pdeore> #topic Secure RBAC 14:09:36 <dansmith> pdeore: where were you on the meeting??! 14:09:41 <pdeore> We couldn't get updates on this in policy pop up meeting this week due to some technical issue with meetpad, so it's moved to next week 14:09:58 <dansmith> that was annoying.. meetpad-- 14:10:03 <dansmith> sorry you got bit by that :( 14:10:10 <pdeore> dansmith, I was there but i was not able to hear anything :/ 14:10:25 <dansmith> pdeore: I know, I'm poking fun :) 14:10:32 <abhishekk> :D 14:10:33 <pdeore> :D :D 14:10:43 <dansmith> rescheduled quickly for next week and using another tool, so hopefully will be better :) 14:11:00 <abhishekk> pdeore, as I added in etherpad we do need to have that validation for POST APIs in client as well as API side 14:11:03 <pdeore> yeah hopefully :) 14:11:38 <dansmith> the heat cross-scope thing actually affects glance I imagine 14:11:52 <pdeore> abhishekk, ack 14:11:57 <dansmith> in that anything we nail down to system scope may be a problem for heat users that currently create things as admin 14:12:04 * jokke_ sneaks in 14:12:09 <dansmith> "we" meaning glance 14:12:28 <abhishekk> oh 14:12:38 <pdeore> ohh ok 14:12:43 <abhishekk> and I guess they are going to work on that during this cycle 14:12:52 <dansmith> it's a real mess and I'm not sure what the solution is going to be, but hopefully we'll get some more clarity next week 14:13:08 <dansmith> abhishekk: I don't know.. very little people working on heat these days, like horizon, who is also impacted 14:13:09 <abhishekk> ack, I will try to be there for next meeting 14:13:40 <abhishekk> I think then we are pretty much sorted out for RBAC 14:13:57 <dansmith> yeah 14:14:25 <pdeore> kindly please have a look at the glance policy matrix as well, #link https://review.opendev.org/c/openstack/glance/+/838857 14:14:32 <abhishekk> ok,lets wait for the outcome of next meeting then 14:14:32 <pdeore> I hope I have not missed anything there 14:14:44 <abhishekk> pdeore, ack, have you updated it after our discussion? 14:14:53 <pdeore> yes 14:15:23 <abhishekk> cool,I will have a look today or tomorrow 14:15:34 <pdeore> abhishekk, Thanks ! 14:15:40 <abhishekk> we will shift next topic to last 14:15:45 <pdeore> ok lets move ahead 14:15:46 <abhishekk> as it will be lengthy discussion 14:16:00 <pdeore> sure 14:16:04 <pdeore> #topic Policy Refactor part 2 14:16:19 <pdeore> As per discussion in PTG, the DNM patch has been submitted 14:16:24 <pdeore> #link https://review.opendev.org/c/openstack/glance/+/839491 14:16:46 <abhishekk> yeah and as I stated functional tests are passing as well as no impact on tempest side 14:16:58 <jokke_> ++ 14:17:13 <abhishekk> I skipped affected unittests so that you guys can get idea about it 14:17:56 <abhishekk> So once minimum two member will give go ahead on DNM patch I will start removing the code 14:18:11 <abhishekk> s/I/or pdeore 14:18:37 <dansmith> good stuff 14:18:50 <pdeore> let's move ahead 14:18:57 <pdeore> croelandt, I think next is you 14:18:58 <jokke_> I think that dnm is giving us as much confidence as we can get that the code is not used 14:19:06 <jokke_> so ++ on cleanup from me 14:19:33 <abhishekk> +1 14:19:33 <croelandt> yes, as discussed during PTG, we'll have a review "party" next week 14:19:49 <croelandt> kindly add your name in the little list so we can schedule it :) 14:19:58 <abhishekk> I think we should utilize the meeting time for it 14:20:00 <croelandt> I'll put together a small (no) list of patches 14:20:10 <croelandt> abhishekk: works for me :) 14:20:28 <abhishekk> +1 14:20:33 <pdeore> +1 14:20:46 <croelandt> and I guess that's it, I'll promise it will be fun 14:20:51 <croelandt> for some definition of "fun" 14:21:02 <abhishekk> :D 14:21:22 <jokke_> join review party, they say, it'll be fun, they say 14:21:34 <pdeore> :D :D 14:21:41 <jokke_> So that means no meeting next week? 14:22:01 <pdeore> yup :) 14:22:16 <abhishekk> we will keep 10 minutes and discuss face to face if there is anything in agenda 14:22:20 <pdeore> please add your availability to time proposed by croelandt 14:22:24 <croelandt> jokke_: instead you get two hours of patch reviews! 14:23:17 <pdeore> ok, let's move ahead 14:23:27 <pdeore> #topic glance-download import method 14:23:38 <pdeore> New glance-download import method - https://review.opendev.org/c/openstack/glance-specs/+/836132 14:23:45 <pdeore> new patch set is updated for this 14:23:48 <abhishekk> alistarle, pslestang do you have anything to add here 14:23:57 <pdeore> Expanding store details - https://review.opendev.org/c/openstack/glance-specs/+/835606 14:24:23 <abhishekk> I guess the spec is still missing info about minimum copying of metadata 14:24:35 <abhishekk> do you guys have any difficulty about it? 14:24:56 <pdeore> oops, please ignore last link .. :/ 14:25:22 <alistarle> Oh we thought we should follow the jokke_ comment 14:25:36 <abhishekk> that is a comment not the decision,right? 14:25:55 <alistarle> But no issue we can update if we need 14:26:08 <alistarle> I understand we have to then, so we'll do that shortly 14:26:32 <abhishekk> So jokke is insisting that we should stick to the fundamental of design 14:26:50 <abhishekk> that is, glance-direct method should just download the data like web-download 14:27:01 <abhishekk> s/glance-download 14:27:04 <dansmith> alistarle: would be great if we could see the revision before the next meeting too.. it's kindof a rush at 7am to re-review before the meetings :) 14:27:33 <abhishekk> So I have added one more suggestion to the spec 14:27:41 <abhishekk> Can we have two plugins for this solution 14:27:45 <abhishekk> 1. glance-download internal import method for importing the image from another glance 14:27:50 <abhishekk> 2. import-metadata external plugin like inject metadata for importing metadata from another glance 14:27:55 <abhishekk> And if glance-download method is enabled then it should have import-metadata enabled as well. 14:27:55 <alistarle> Yeah sorry, we sync up our side just before the meeting also 14:28:19 <pslestang> hello 14:28:20 <dansmith> two plugins means we have to hit the remote api more, probably less code-reuse, more opportunity to have it mis-configured 14:28:27 <dansmith> but if that's what we have to do then, it's better than noting 14:28:39 <abhishekk> I think this is better idea 14:28:52 <pslestang> abhishekk: if we do the import-metadata plugin we will have to be sure that it is run before the inject-metadat plugin 14:28:55 <abhishekk> we can work on second part if alistarle and pslestang finds it difficult 14:29:07 <dansmith> pslestang: right, easier to mis-configure 14:29:30 <jokke_> I don't think it needs to be even plugin, we can have a task down in the flow (we have quite a few there between establishing the image payload and the configurable plugins) which can be noop when there is no metadata to import 14:29:31 <abhishekk> yeah, but we can document it 14:29:39 <alistarle> dansmith: agree with the mis-configuration possibility, that's what we thought also 14:29:54 <abhishekk> that will also do 14:31:02 <abhishekk> see my only concern is if the image is unusable then it will be additional overhead to admin to get it in usable state 14:31:06 <dansmith> right, copy-image has a ton of flow steps, 14:31:22 <dansmith> so this would be the same.. an extra flow in the glance-download thing right? 14:31:27 <jokke_> Like I've been saying from very beginning, I'm not against importing the metadata and in long run we should have _consistent_ way of doing it ... which is why I'm dead against that being part of the internal plugin which job is to get the payload available for the rest of the ttaskflow 14:32:09 <abhishekk> yep, like extra flow in glance-download flow 14:32:33 <jokke_> I'm prefectly fine if there is a task in the import flow that does the importing of metadata should needed details be available 14:32:42 <alistarle> Ok, but what about updating the disk_format and container_type, shouldn't we put that here also ? In this extra step ? 14:33:24 <dansmith> alistarle: I'm not sure why it wouldn't be the same step 14:33:45 <dansmith> alistarle: you've just fetched the remote metadata and are about to apply it to the local image 14:33:57 <alistarle> Ok the glance-download never call the glance-api, except for downlading the data itself of course 14:34:42 <jokke_> alistarle: IMO yes, all the metadata operations into it's own task ... that way should we ever get to an agreement on the export, we can be consistent in one place handling the metadata regardless what the import plugin used is 14:34:48 <alistarle> call to remote glance-api to retrieve container, disk and metadata will be handled by the extra workflow step dedicated to that 14:35:03 <abhishekk> alistarle, I think you need to have one extra step/task to validate the hash as well to ensure we have entire image downloaded in source glance 14:35:34 <dansmith> maybe we're struggling with discussing in the abstract.. it would be helpful to have more detail in the spec, but maybe if we could get WIP code up we can actually discuss line-by-line instead of this? 14:35:51 <abhishekk> sounds good 14:36:04 <jokke_> the hash, if we can calculate it is fine to do in the dowload plugin, that is part of ensuring we have the payload 14:36:28 <abhishekk> ok 14:36:29 <jokke_> now we should not just fail it if we don't have the original hashing algo available 14:36:40 <dansmith> to be clear, I'm talking about this: https://github.com/openstack/glance/blob/a42fda92dc8fe160bea1dd4d22cb1135fab89022/glance/async_/flows/api_image_import.py#L802-L858 14:36:41 <alistarle> jokke_ Yes but we don't have the reference hash, as we don't call glance-api in that step, only data downloading 14:37:03 <dansmith> there can be a flow.add(_get_metadata), followed by flow.add(_get_the_image) 14:37:30 <dansmith> get the metadata and container/disk format, first, set on the image, then fetch the data into the image, then after this, inject_metadata would run and correct whatever is needed 14:38:09 <abhishekk> fine with me 14:39:35 <alistarle> fine with me also, and we don't fail if we don't have the right hashing algo 14:40:14 <jokke_> works for me ... IIRC taskflow is fine with registering variables that tasks inbetween does not know about so it shouldn't even require any piping through for the tasks in between 14:40:18 <dansmith> I dunno, that seems bad to just quietly say "we couldn't verify this image".. why woudl we do that? 14:40:49 <dansmith> like saying "I couldn't find the key to verify the image signature, so I'm going to assume it's fine" ? 14:41:14 <abhishekk> later seems better 14:41:28 <jokke_> dansmith: as that's what we do with any hashes currently ... say with nova snapshots, we never get hash and we do not fail because it's not there 14:41:47 <dansmith> jokke_: if there is no hash, then fine, but if there is... 14:42:01 <dansmith> you said "hash_algo" not "hash" above 14:42:31 <jokke_> dansmith: if we don't have algorithm to replicate the calculation, say like with MD5 with modern security hardened systems, we still don't fail it 14:42:35 <dansmith> regardless, this is the kind of detail that should be in the spec, where we can explain the decision on things like this, and justify why that is so we have it for the future 14:43:05 <abhishekk> I think alistarle and pslestang got enough idea about what to donow 14:43:15 <abhishekk> s/donow/ do now 14:43:16 <dansmith> jokke_: yeah, I don't think that's what we *should* do, but perhaps there's some "glance doesn't do this in other places anyway" detail that I'm mis-assuming 14:43:53 <dansmith> abhishekk: agreed, and I would just say, it would be great to iterate on this quicker :) 14:44:10 <jokke_> dansmith: so you're saying that we should never accept image because it's hash was calculated with something we cannot support? 14:44:11 <abhishekk> So I would suggest we can have updated spec before next week and we can discuss it for 5/10 minutes in our review party 14:44:15 <alistarle> Ok fine, regarding the glanceclient, we plan to do another spec dedicated to that right ? 14:44:17 <abhishekk> if croelandt permits 14:44:25 <abhishekk> alistarle, yes 14:44:57 <jokke_> dansmith: and with that force the user to do it all manually, in which case we do not enforce it either 14:45:46 <dansmith> jokke_: yeah, if an image has a hash value and we can't calculate that, we shouldn't just silently ignore it.. we should flag it as unverified, or reject unless there's a force, or require them to pre-calculate with a different algo 14:45:47 <abhishekk> 15 minutes left, I have one topic in Open discussion 14:46:40 <dansmith> jokke_: but to be clear, I'm not arguing this specifically for the glance-download, I'm just talking about in general.. I'd like to see the discussion of the logic in the spec and do some pondering on it for this case 14:47:45 <dansmith> abhishekk: good to move on, I can follow up with jokke_ in -glance after this about hashing generalities :) 14:47:51 <dansmith> pdeore: ^ 14:48:01 <abhishekk> dansmith, cool 14:48:04 <jokke_> I'm fine with that 14:48:11 <pdeore> ok, lets move to open discussion 14:48:20 <pdeore> #topic Open Discussion 14:48:22 <abhishekk> that is me 14:49:10 <abhishekk> today we noticed that our gate is broken (doc job) due to oslo.policy 3.12.0 which is released last night 14:49:32 <abhishekk> I have reported a bug 14:49:44 <abhishekk> #link https://bugs.launchpad.net/oslo.policy/+bug/1970725 14:50:00 <abhishekk> so can we blacklist the 3.12.0 version in our requirements.txt ? 14:50:24 <jokke_> yes, I thought after the discussion at the morn that you had already done it 14:50:52 <abhishekk> nah, I didn't, wanted to make sure this is the right step 14:51:09 <dansmith> I think you can, but I would check with people in -qa first 14:51:50 <jokke_> yup, always in these kind of situations better keep gate going before someone else goes and puts the new version as dependency in their requirements 14:52:20 <jokke_> When the gate is working, it generally much easier to find time for long term solutions 14:52:25 <abhishekk> ack, will submit the patch right away after the meeting 14:52:34 <jokke_> and affects much less people that way 14:52:51 <abhishekk> yep 14:53:19 <abhishekk> that's it from me 14:53:27 <abhishekk> will submit a patch after the meeting 14:53:31 <jokke_> Is it just something we are doing in our docs job or are others broken as well? 14:54:02 <dansmith> I saw it broken in another project as well, 14:54:04 <rosmaita> probably broke cinder too because rajat put up the ptach to oslo.oplicy 14:54:13 <dansmith> yeah 14:54:37 <jokke_> ok, so if we're not even the only one, then for sure bl it on requirements and free up gate 14:54:58 <abhishekk> ack 14:55:18 <jokke_> abhishekk: put the bug link into the commit message and ping me when the patch is up, please 14:55:22 <jokke_> I ninja it in 14:55:25 <abhishekk> yes 14:55:36 <abhishekk> I will add related-bug tag 14:55:47 <pdeore> 5 min left, anyone has anything else to discuss? 14:55:47 <jokke_> sounds good 14:55:55 <abhishekk> nothing from me 14:57:27 <pdeore> ok, Thanks everyone for joining !! 14:57:30 <rosmaita> just catching up ... we will do review party during next week's meeting? 14:57:34 <jokke_> thanks all 14:57:39 <pdeore> See you all in review party!! 14:57:48 <abhishekk> thank you 14:57:53 <abhishekk> rosmaita, yes 14:57:55 <pdeore> yes, 14:58:02 <rosmaita> ty 14:58:02 <abhishekk> same time as our weekly meeting 14:58:19 <rosmaita> that makes it easier to schedule! 14:58:47 <abhishekk> yes 14:59:32 <pdeore> #endmeeting