14:00:04 #startmeeting glance
14:00:04 Meeting started Thu Feb 1 14:00:04 2024 UTC and is due to finish in 60 minutes. The chair is mrjoshi. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:04 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:04 The meeting name has been set to 'glance'
14:00:04 #topic roll call
14:00:04 #link https://etherpad.openstack.org/p/glance-team-meeting-agenda
14:00:09 o/
14:01:07 o/
14:01:49 o/
14:02:11 PTL is not around today
14:02:46 o/
14:03:09 shall we start?
14:03:42 let's go!
14:03:59 #topic release/periodic jobs updates
14:04:11 M3 4 weeks from now
14:04:39 Periodic jobs are all green
14:05:34 moving ahead
14:05:42 #topic Ceph capabilities settings for RBD glance_store driver
14:06:47 rosmaita, ^^
14:07:02 hi
14:07:23 I think since we have rbd trash support now we don't need read only permission for volume pool
14:07:26 just want to point out that email/bug for anyone who wants to answer
14:08:28 i'm not so sure about that, but i don't know a lot about ceph
14:09:27 ack, thank you, Same goes with me, I have some supportive knowledge only
14:09:42 I will check and respond accordingly
14:10:41 shall we move ahead?
14:11:02 yep
14:11:04 nothing more from me
14:11:23 cool, moving ahead
14:11:25 #topic What is the purpose of 'metadata_encryption_key' config option
14:11:33 abhishekk, ^^
14:11:34 that is me
14:11:44 I found it while testing location API work
14:12:21 I am wondering what is the use case behind this since it is just used while image upload and show case
14:12:33 location is not encrypted when location add api is used
14:12:49 So either we should enhance it or remove it
14:13:02 I will add this topic in upcoming PTG for more discussion
14:13:20 rosmaita, thank you for some inputs about it
14:13:30 np
14:13:39 it doesn't seem to be a useful capability
14:13:45 The scrubber seems to be using it to decrypt the location
14:13:51 but we're removing that so :)
14:14:12 well, i think the idea was there were some ancient backends where you had username/password in the location
14:14:26 and people didn't want that stuff sitting around in the database
14:14:44 but then they were perfectly ok with exposing it on image-show
14:14:54 I see calls to crypt.urlsafe_encrypt, so are we not encrypting the location metadata in some circumstances?
14:14:59 which seems kind of ... sub-optimal
14:15:07 oooh
14:15:27 yeah, i think by default we do not do it
14:15:42 and also threat-modeling is hovering over us, it is not advisable to store the key in config file
14:16:22 i agree
14:16:28 So either we remove it or we should enhance it to help us to overcome sec issue
14:16:32 i think the thing to do is just remove the capability
14:16:56 because to overcome the sec issue, we'd have to hand out the key to specific users who RBAC said are ok
14:17:15 i think it would be better to just use RBAC on the locations api directly
14:17:17 we can use barbican to store the key
14:18:01 that's true
14:18:17 for removing it, we need to follow deprecation life cycle
14:18:19 so i guess the question is whether there's any point keeping the data encrypted in the DB
14:18:51 we already store some encrypted data for image signature verification
14:19:00 if i am not wrong
14:19:29 I guess it's more easy to remove it :D
14:19:41 less code to maintain
14:20:22 there is also 'digest_algorithm' option which is not used anywhere in glance
14:21:48 I think I am done, let's decide about it in PTG
14:21:54 mrjoshi, we can move ahead
14:22:03 ok
14:22:08 #topic Important Reviews
14:22:29 Centralized cache DB - #link https://review.opendev.org/q/topic:%22centralized-cache-db%22
14:22:42 please review it
14:23:01 :D
14:23:08 documentation part is pending, but end to end code is ready
14:23:24 Remove incorrect validation for glance-download import method - #link https://review.opendev.org/c/openstack/python-glanceclient/+/907290 - (Required Backport till Antelope)
14:23:25 S3: Do not log access Key - #link https://review.opendev.org/q/I8dc564bed33d6fc71965f4f573ae9109b410b1d4 - (Required Backport till Zed/Yoga)
14:23:25 #link https://review.opendev.org/c/openstack/glance_store/+/906484
14:23:27 from code to tempest to grenade it is there
14:23:43 nice work
14:24:50 thank you ;)
14:25:12 ^ There are two patches for that access key security issue in the S3 driver
14:25:15 I am learning from dansmith :D
14:26:20 croelandt, I think you can approve them
14:27:25 shall we move to open discussion?
14:27:28 yes
14:27:45 moving ahead
14:27:50 abhishekk: yes, apparently we also want to backport them to Z & Y
14:27:59 rosmaita, thank you for mail, let's wait for couple of weeks
14:28:11 yes, let's see what happens
14:28:11 croelandt, we can once these merge
14:28:20 #topic Open Discussion
14:28:27 I need to drop for another meeting
14:28:32 Thank you!!
14:28:50 abhishekk: i thought you wanted to talk about launchpad maintenance?
14:28:53 launchpad maintenance - https://launchpad.net/glance, https://launchpad.net/glance-store, https://launchpad.net/python-glanceclient
14:28:59 we can revisit this next week
14:29:08 works for me!
14:29:11 thanks
14:29:24 mrjoshi: thanks for running the meeting
14:29:51 shall we wrap up then?
14:30:02 rosmaita, thanks!
14:30:11 i don't have anything more
14:30:23 croelandt, ^^
14:31:18 Nothing :)
14:31:22 cool, let's wrap up then
14:31:23 thanks for taking care of this meeting
14:31:34 no problem :)
14:31:47 Thanks everyone for Joining!!!
14:32:12 #endmeeting