#openstack-glance log

14:00:37 <croeland1> #startmeeting glance
14:00:37 <opendevmeet> Meeting started Thu Dec  4 14:00:37 2025 UTC and is due to finish in 60 minutes.  The chair is croeland1. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00:37 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00:37 <opendevmeet> The meeting name has been set to 'glance'
14:00:40 <croeland1> #topic roll call
14:00:40 <croeland1> o/
14:00:43 <mhen> o/
14:00:45 <croelandt> o/
14:00:53 <croelandt> #link https://etherpad.openstack.org/p/glance-team-meeting-agenda
14:01:06 <rosmaita> o/
14:01:23 <rosmaita> i just realized that i'm supposed to be in a different meeting now
14:02:31 <croelandt> always multitask
14:02:50 <abhishekk> o/
14:03:41 <abhishekk> i am not sure rajat is around or not :/
14:03:45 <whoami-rajat> hello
14:03:51 <croelandt> yeah
14:03:53 <croelandt> let's start
14:03:54 <abhishekk> hey
14:04:01 <abhishekk> thanks for attending
14:04:01 <croelandt> #topic Release/periodic job updates
14:04:07 <croelandt> Everything good \o/
14:04:14 <croelandt> #topic  Important stable patches - http://tiny.cc/glance-maintained
14:04:27 <croelandt> Yeah so Bence's patch are still failing because of the test refactor
14:04:32 <croelandt> I really have to talk to him about that
14:04:41 <croelandt> #topic Glance download image from specific store
14:04:48 <croelandt> #link https://review.opendev.org/c/openstack/glance-specs/+/963239
14:04:53 <croelandt> So this was merged or is currently being merged
14:04:59 <croelandt> thanks Abhishek for working on that
14:05:06 <croelandt> thanks rosmaita and dansmith for the reviews
14:05:09 <abhishekk> thank you for reviews and suggestions
14:05:18 <croelandt> #topic Decompression plugin
14:05:25 <croelandt> The patches are still under review
14:05:35 <croelandt> I've fallen behind on reviews, I need to spend some time looking at that
14:05:37 <whoami-rajat> np, I'm double booked so will do context switching
14:05:56 <croelandt> #topic Image encryption
14:06:06 <croelandt> mhen: I see you're here, do you want to say something about this?
14:06:13 <croelandt> Also whoami-rajat for the Cinder side of encryption
14:07:01 <mhen> currently checking an edge case with old images and compression in Cinderö
14:07:06 <mhen> *Cinder
14:07:21 <mhen> but may not be an issue at all, need to check this
14:07:44 <mhen> other than that the changes as discussed in the PTG are pretty much done
14:08:05 <croelandt> what about Nova?
14:09:24 <abhishekk> mhen: Could you please somewhere on the spec list out the concerns discussed in PTG and what we opted for that, if possible?
14:10:12 <mhen> Nova has a blueprint now: https://blueprints.launchpad.net/nova/+spec/luks-image-encryption
14:11:27 <mhen> abhishekk: I could add my summary notes from the PTG to the Glance spec if that helps
14:11:57 <abhishekk> mhen: that would be great
14:12:50 <mhen> will do
14:12:55 <abhishekk> So glance is good to go
14:13:06 <croelandt> yeah my concern is more about Nova/Cinder
14:13:54 <abhishekk> ack,
14:14:35 <croelandt> mhen: do you think your work in Nova/Cinder will be approved?
14:16:20 <mhen> can't really tell; entirely depends on whether the implementation is now satisfactory for everyone this time
14:17:28 <abhishekk> I think we should have one more cross project meeting to see where this is heading
14:18:03 <croelandt> yeah
14:18:09 <croelandt> this may happen soon :)
14:18:46 <croelandt> Anything to add on this topic?
14:19:12 <mhen> not from my side at least
14:19:20 <rosmaita> cinder has a meeting on friday to review specs
14:20:08 <croelandt> oh interesting
14:20:16 <croelandt> is encryption on the agenda?
14:20:27 <croelandt> are you or whoami-rajat joining this meeting?
14:20:38 <rosmaita> well, there is a spec for it
14:20:41 <rosmaita> https://etherpad.opendev.org/p/cinder-festival-of-reviews
14:22:12 <croelandt> ok can encryption be added to the agenda for tomorrow?
14:22:13 <rosmaita> and yeah, i will be there
14:22:14 <croelandt> mhen: ^
14:22:19 <croelandt> can mhen join? :)
14:22:32 <rosmaita> everyone can join!
14:22:58 <whoami-rajat> croelandt, i will see if it doesn't conflict with the weekend plans :D
14:23:07 <rosmaita> although to be pedantic, everyone *may* join, whether they can or not is up to them
14:23:09 <whoami-rajat> it's generally late at night for me
14:23:20 <mhen> I'll try to attend
14:23:51 <abhishekk> its late for rajat means its almost early morning for me :P
14:23:54 <mhen> 14:00 UTC right?
14:23:59 <croelandt> abhishekk: hahha
14:24:12 <rosmaita> yes, 1400 UTC
14:24:16 <mhen> ack
14:25:03 <croelandt> good
14:25:08 <croelandt> #topic Open Discussion
14:25:16 <croelandt> Any topic other than encryption? :)
14:25:20 <mhen> o/
14:25:40 <mhen> https://bugs.launchpad.net/cinder/+bug/2133728
14:26:03 <mhen> just so that Glance is aware, Cinder currently allows bypassing its property protection feature
14:26:10 <mhen> ref: https://docs.openstack.org/glance/latest/admin/property-protections.html
14:27:15 <mhen> I don't know if a adding warning message on the Glance docs page with a recommendation about restricting that specific Cinder API would be advisable until this is fixed in Cinder?
14:27:39 <mhen> e.g. setting `volume_extension:volume_image_metadata:set` in the Cinder API RBAC to admin only
14:28:57 <croelandt> Ideally, fix this in Cinder and then you don't need to mention it in Glance? :D
14:29:33 <rosmaita> i always thought that for boot from volume, nova fetched the image the volume was created from, and used its properties
14:29:51 <rosmaita> but apparently, it uses the image properties that are copied onto the volume
14:30:33 <rosmaita> so that would mean that if an image is deactivated, nova will still let you boot from it if you have created a volume from it first
14:31:08 <rosmaita> whereas nova will not let you boot from an image that is not 'active'
14:31:15 <mhen> croelandt: yes but, how long will it take? I just stumbled upon this but personally will not be able to work on this myself in the forseeable future - that's why I was proposing adding a warning for now until somebody is able/willing to address it in Cinder.
14:31:43 <croelandt> hm
14:31:50 <croelandt> not sure a warning would be helpful
14:32:05 <croelandt> also rosmaita volunteered to fix the bug
14:32:13 <abhishekk> the warning should be in cinder imo
14:32:34 <rosmaita> not really, cinder has never claimed to have property protections
14:33:19 <mhen> abhishekk: I respectfully disagree; I discovered the Glance docs page about this feature and thought "neat" - only by accident did I discover that I can bypass this. Somebody that might be enabling this in Glance never reads the Cinder docs because they don't seem relevant to them.
14:34:05 <abhishekk> ack, croelandt I think we should highlight it then
14:35:02 <rosmaita> i think we may need to have a bit of a discussion at the next PTG around how image properties are set/consumed for boot-from-volume
14:35:14 <croelandt> and to think we wanted to get rid of that feature
14:35:38 <rosmaita> well, if glance gets rid of the feature, then nothing to fix in cinder!
14:36:48 <mhen> please read the use case example in the bug report and reconsider ;)
14:37:14 <mhen> (especially concerning the upcoming rework of the confidential computing stuff by takashi)
14:37:34 <croelandt> rosmaita: we had this one guy write an email 6 months after I sent the survey to inform me that he planned on maybe using the feature
14:37:51 <croelandt> ok so Glance can document the issue
14:37:58 <rosmaita> we used it extensively at rackspace, back in the day
14:38:15 <whoami-rajat> abhishekk, haha, i mean it starts early but it's 2 hours so ends 9:30 our time -- i can work late but meetings are hard at night :(
14:38:34 <abhishekk> :D
14:38:46 <rosmaita> i think mhen's workaroud (change the policy setting) is a good idea, i think this hasn't been reported earlier because people don't really use that API much
14:39:08 <rosmaita> i think most people just expect the image properties to be inherited from the image
14:40:55 <croelandt> again it's nice you're volunteering to fix this
14:41:05 * croelandt is on his way to becoming BDFL
14:42:57 <rosmaita> good thing croelandt isn't the boss of me
14:43:04 <croelandt> this can change!
14:43:09 <croelandt> though I doubt it
14:43:45 <croelandt> ok anything else to add about property protections?
14:44:15 <mhen> nothing from my side
14:44:22 <mhen> thanks for your consideration!
14:45:43 <croelandt> ok
14:45:47 <croelandt> Let's call it a day, then!
14:45:50 <croelandt> Thanks everyone for joining
14:45:56 <croelandt> #endmeeting
14:46:15 <croelandt> hm
14:46:32 <croelandt> #endmeeting
14:46:40 <croelandt> Isn't that supposed to give me confirmation?
14:46:44 <abhishekk> it doesn't want to end us :P
14:46:53 <mhen> add #please ;D
14:47:05 <abhishekk> haha
14:47:49 <abhishekk> #endmeeting
14:48:04 <croelandt> is the bot dead? :)
14:48:18 <mhen> we are now in a never-ending meeting for the rest of our lives
14:48:21 <abhishekk> bring infra in :P
14:48:23 <rosmaita> no, you started the meeting as croelandt1
14:48:32 <rosmaita> so i don't think it's recognizing you now
14:48:39 <croelandt> oh
14:48:42 <abhishekk> hahaha
14:48:45 <croeland1> #endmeeting