13:00:45 <Luzi> #startmeeting image_encryption
13:00:46 <openstack> Meeting started Mon Aug 5 13:00:45 2019 UTC and is due to finish in 60 minutes. The chair is Luzi. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:00:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:00:49 <openstack> The meeting name has been set to 'image_encryption'
13:01:13 <Luzi> #topic Roll Call
13:01:14 <moguimar> o/
13:01:17 <mhen> o/
13:01:41 <fungi> aloha
13:01:49 <redrobot> \o
13:04:58 <Luzi> #topic Barbican Consumer API Update
13:05:17 <Luzi> I've seen moguimar working on it :)
13:05:28 <moguimar> yup
13:05:31 <moguimar> https://review.opendev.org/#/c/674302/
13:05:38 <moguimar> just started scratching barbican and the spec
13:05:46 <moguimar> will work a bit more on it after the meeting
13:06:07 <moguimar> and tomorrow is my biggest fish to fry
13:06:16 <moguimar> it is*
13:08:02 <redrobot> I'll also be working on getting client side support on openstacksdk
13:08:33 <Luzi> wow, that's something efried would like to hear I think :D
13:08:47 <redrobot> We've noted the Nova spec for openstacksdk
13:08:50 <redrobot> #link https://blueprints.launchpad.net/nova/+spec/openstacksdk-in-nova
13:08:53 <efried> o/ Sorry I'm late
13:09:13 <Luzi> so only good news from Barbican side :D
13:09:17 <redrobot> On the agenda for tomorrow we'll talk about possibly deprecating python-barbicanclient in favor of openstacksdk
13:09:25 <efried> +1000
13:09:29 <redrobot> as we would prefer not to maintain 3 clients.
13:09:36 <efried> Let me know if you need help with that strategy
13:09:41 <efried> I know zip about barbican btw
13:09:43 <redrobot> thanks efried
13:09:51 <efried> but I know about deprecating python-*client in favor of sdk
13:10:35 <fungi> as a user i know that i like being able to use one client to interact with services, rather than potentially dozens ;)
13:11:00 <fungi> (client/library that is)
13:11:02 <redrobot> cool. After the team discussion in our weekly meeting tomorrow I'll send something to the ML to figure out timelines for deprecating python-barbicanclient
13:12:04 <Luzi> #topic Image Encryption Specs
13:12:57 <Luzi> we have a topic from cinder side
13:13:14 <Luzi> jungleboyj or hemna_ is one of you here?
13:14:30 <Luzi> otherwise I would start with a little problem which we encountered in the nova spec
13:14:41 <efried> While we're waiting for them...
13:14:41 <efried> In the nova meeting last week, it was decided that dansmith gets to cast the deciding vote as to whether to grant a freeze exception for
13:14:41 <efried> #link nova side of image encryption https://review.opendev.org/608696
13:14:41 <efried> dansmith returns from vacation today, so he'll have a pile of catchup to do. He's US Pacific time.
13:15:16 <Luzi> it is about the scheduling on libvirt hosts only and our originally proposed metadata "image_key_id"
13:16:13 <Luzi> the point is that we wanted to allow anyone to just set an "image_key_id" to a server and use it to encrypt any images that are created from the server
13:17:05 <Luzi> but: then it would be possible to set that metadata on a server which is on a host which does not support image encryption
13:17:11 <efried> #link relevant Nova meeting logs http://eavesdrop.openstack.org/meetings/nova/2019/nova.2019-08-01-21.00.log.html#l-59
13:17:48 <Luzi> in that case the driver will just ignore that metadata and create an unencrypted image, which is bad user experience
13:19:09 <Luzi> mhen and i discussed that it would be the best option for now to make "image_key_id" immutable. So that it can just be set in the server create step.
13:22:48 <Luzi> in a future task, an appropriate validation could be introduced, when setting this metadata
13:22:59 <Luzi> what do you think about this?
13:24:17 <efried> If there's no way to do that validation when attempting to set the value, then I guess that's fine
13:27:48 <Luzi> efried, okay, I will add this to the spec
13:30:14 <Luzi> from cinder we got the request for some clarification around the changes to os_brick, which would be nearly the same as the abandoned oslo spec
13:30:51 <Luzi> #link https://review.opendev.org/#/c/618754/
13:31:19 <Luzi> i will add this as a patch to the cinder spec as requested
13:32:14 <rosmaita> apologies for being late
13:32:21 <rosmaita> ChangeMe
13:32:39 <rosmaita> it's only a VM
13:32:52 <rosmaita> guess this is too early for me
13:34:22 <Luzi> rosmaita, I just mentioned that the changes in os_brick will be nearly the same as we proposed in the abandoned oslo spec
13:34:28 <Luzi> see link above
13:34:39 <rosmaita> ok, great
13:35:09 <Luzi> last topic from my side: i will be on vacation for the next two weeks, meanwhile mhen will be the one chairing the meeting and answering questions :)
13:35:57 <mhen> will try my best
13:36:07 <Luzi> #topic Open Discussion
13:36:28 <Luzi> are there any other questions?
13:38:12 <fungi> sounds like great progress--thanks for working on this!
13:39:24 <Luzi> okay, thank you all for attending this meeting :)
13:39:52 <Luzi> #endmeeting image_encryption