13:04:45 <Luzi> #startmeeting image_encryption
13:04:45 <opendevmeet> Meeting started Mon Apr 15 13:04:45 2024 UTC and is due to finish in 60 minutes.  The chair is Luzi. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:04:45 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:04:45 <opendevmeet> The meeting name has been set to 'image_encryption'
13:04:53 <Luzi> #topic Roll Call
13:04:54 <fungi> ahoy!
13:04:58 <Luzi> hi
13:05:11 <Luzi> #topic Image Encryption Spec
13:05:58 <Luzi> So in the PTG the Nova team approached the Cinder and Glance team with new requirements and ideas for the image encryption.
13:07:11 <fungi> is there a summary of the new requirements?
13:07:35 <Luzi> When we started to evaluate the image encryption a few years ago the tooling to encrypt images with LUKS for end users was not easy and would have required root privilege and other things
13:08:02 <Luzi> now qemu has tooling which makes it easier, and my colleague already tested it
13:08:25 <fungi> oh very cool
13:08:34 <Luzi> as Nova and Cinder both use LUKS encryption especially Nova would like to not have to convert between gpg and LUKS
13:09:37 <Luzi> so with this "new" qemu features and Glance being just a storage for images, we agreed to rework the whole spec to use LUKS instead of GPG
13:10:24 <Luzi> in that way, there are no decrypting mechanisms needed in nova - and cinder will only need to convert from qcow2-LUKS to raw LUKS blocks
13:10:34 <Luzi> (as far as i did understand it)
13:10:47 <fungi> sounds more efficient too
13:10:51 <Luzi> yeah
13:11:31 <Luzi> but we still need to standardize all possible metadata in glance and look through all possible workflows
13:11:56 <Luzi> so I wrote a new Spec that incorporates this.
13:12:27 <Luzi> #link https://review.opendev.org/c/openstack/glance-specs/+/915726
13:12:50 <Luzi> It is also very fortunate to have the Secret Consumers in Barbican, because we will still need them
13:13:00 <Luzi> they may even get a bigger role
13:13:47 <Luzi> so... that is a big change
13:13:52 <fungi> indeed
13:13:58 <fungi> thanks for the update!
13:14:18 <Luzi> but in the end we hope that with the alignment in all services we will have better overall workflows
13:14:28 <fungi> the end result sounds like it will be easier to maintain long-term at least
13:14:33 <Luzi> yea
13:14:54 <Luzi> although - this could have happened a bit earlier for my taste :D
13:15:11 <fungi> of course
13:15:36 <fungi> it's a significant course change which invalidates a lot of earlier work
13:15:54 <Luzi> well - I will focus on getting the patch through and looking into Cinder and what work needs to be done there
13:16:24 <fungi> maybe this will at least help increase the review priority for the new parts
13:16:43 <Luzi> overall the feature will be smaller and easier to review
13:16:56 <Luzi> which is good i think
13:17:53 <Luzi> yeah
13:18:07 <Luzi> #topic Open Discussion
13:18:19 <Luzi> do you have anything you want to talk about?
13:20:19 <fungi> i did not, but other than the new nova requirements was there anything else useful to come out of ptg discussions about image encryption?
13:23:51 <Luzi> hm some things in how nova and cinder are handling the passphrase or key to encrypt/decrypt their LUKS - but I think that is mainly a part on their sides, we would focus on Glance
13:24:26 <Luzi> #link https://etherpad.opendev.org/p/dalmatian-ptg-cinder#L393
13:25:30 <fungi> interesting, that's useful to note in the design, i guess
13:25:47 <fungi> thanks!
13:26:54 <Luzi> okay, anything else?
13:27:09 <fungi> nothing on my end, nope
13:28:39 <Luzi> okay, thank you for joining this meeting and have a nice week
13:28:46 <fungi> thanks, you too!
13:28:46 <Luzi> #endmeeting image_encryption