15:00:49 #startmeeting manila 15:00:49 Meeting started Thu Feb 28 15:00:49 2019 UTC and is due to finish in 60 minutes. The chair is tbarron. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:50 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:00:52 The meeting name has been set to 'manila' 15:00:56 o/ hey 15:00:57 .o/ 15:01:01 hello 15:01:03 hi 15:01:08 I'm back from traveling 15:01:22 bswartz: welcome back! 15:01:24 o/ 15:01:30 carlos_silva: welcome 15:01:47 dviroel_: hello! not sure I've seen you here before 15:01:58 hello 15:02:07 hey 15:02:16 ping gouthamr xyang toabctl ganso tpsilva 15:02:23 lseki: welcome! 15:02:34 lseki: and thanks for patches 15:02:35 tbarron: thank you! 15:02:50 tbarron: thank you :) 15:03:02 agenda: https://wiki.openstack.org/wiki/Manila/Meetings#Next_meeting 15:03:09 * tbarron waits a couple minutes 15:03:24 tbarron: actually it is my second time. 15:03:26 tbarron, dviroel_ has joined our team! 15:03:37 dviroel_: that's great! 15:04:03 o/ 15:04:10 o/ 15:04:16 \o 15:04:18 bswartz, wb, thanks for the review in the tls patch :) 15:04:58 ok let's get started 15:05:07 #topic announcements 15:05:27 The TC election has started. 15:05:44 unfort we don't have bswartz as a candidate this time 15:05:53 * tbarron nudges him for next time 15:05:57 BUT 15:06:15 we have till 5 March to vote 15:06:30 #link http://lists.openstack.org/pipermail/openstack-discuss/2019-February/003227.html 15:06:39 Please vote if you are eligible. 15:07:17 Participation is valuable for its own sake. 15:07:59 o/ 15:08:01 In that healthy participation helps keep Open Stack with open governance vital. 15:08:07 gouthamr: hey! 15:08:09 gouthamr: \o 15:08:32 Next: Forum submission topic deadline is next Friday. 15:08:43 I intend to submit after our meeting next week. 15:08:53 We have a brainstorming etherpad here: 15:09:08 #link http://lists.openstack.org/pipermail/openstack-discuss/2019-February/003059.html 15:09:20 oh that's the email saying where it is 15:09:27 just follow the links 15:09:36 so far I' 15:09:49 so far I'm the only one who has put anything on that etherpad 15:10:20 Finally, feature freeze is 7 March - one week from today 15:10:25 tbarron: do we have an etherpad for the PTG as well? 15:10:30 that's also client library change 15:10:38 amito: not yet, I'll post it 15:10:59 stein schedule again is: 15:11:06 #link https://releases.openstack.org/stein/schedule.html 15:11:35 amito, all: we will be at PTG and at summit we will have onboarding and project status and Forum sessions for manila 15:11:51 if you will be there and want to help with these ping me 15:12:21 Any questions/comments on these announcments? Any other announcements? 15:12:52 #topic Tracking our work 15:13:09 #link https://wiki.openstack.org/wiki/Manila/SteinCycle 15:13:40 in light of feature freeze, the most important thing to do is reviews on the manage with multi-tenancy work 15:13:56 #link https://review.openstack.org/#/q/topic:bp/manage-unmanage-with-share-servers+(status:open+OR+status:merged) 15:14:25 i've been reviewing and goutham has done some good review work here as well I think as toabctl 15:14:30 but we need more eyes! 15:14:50 This is a significant change for manila and we want to merge it. 15:15:04 Thanks to ganso and his team for their great work. 15:15:05 indeed, the closer we get to feature freeze, the riskier it is to have our gate broken, as other projects such as cinder, nova, neutron, etc may merge changes that break our gate 15:15:37 All that said, there are probably things that more review eyes will see and that we should fix up. 15:15:50 So please review. 15:15:52 so, the best thing is to do reviews as soon as possible while our gate is stable, so we don't have to fix things in the last minute, risking not being able to merge the features that are ready now waiting for review 15:16:14 Don't think "oh I can't review that whole thing" -- do what you can 15:16:32 Don't think - oh I'm not a core, etc. etc. 15:16:41 Gah, gerrit crashed my browser 15:16:59 Don't say: oh my browser crashed, I can't review :) 15:17:07 ok, nuf said 15:17:12 Press "Open All" at your own risk 15:17:18 lol 15:17:24 ganso crashed your browser 15:17:32 What else is vital for next week's deadline? 15:18:28 vkmc: how goes the uswgi stuff? 15:18:50 it's going well, I'm currently working on a bug that was spotted yesterday 15:18:55 #link https://bugs.launchpad.net/manila/+bug/1818081 15:18:56 Launchpad bug 1818081 in Manila "Problem using version specific endpoints when deploying with uWSGI" [High,New] - Assigned to Victoria Martinez de la Cruz (vkmc) 15:19:06 hopefully this unblocks cephfs gate 15:19:15 o/ vkmc: https://review.openstack.org/#/c/639805/ 15:19:18 thanks gouthamr for getting to the bottom of it 15:19:30 aaaand fixing it 15:19:35 :D 15:19:39 yeah this is an interesting story about our test coverage 15:19:46 :D sorry, bothered me quite a bit 15:19:46 why is this a cephfs only issue? 15:20:05 what does uswgi have to do with the cephfs back end? 15:20:16 we need that one and also, to unblock the third party cis, we would need to update the version of the client they are using... not sure how we can do that 15:20:45 I'll let gouthamr address this one since he found that 15:21:14 i actually don't know about this client incompatibility 15:21:28 did we introduce something in the client that breaks third party CIs?' 15:21:41 no, I was referring to tbarron's question 15:21:48 ohh 15:22:27 i think the third party failures we saw are a separate issue that we need to investigate but 15:22:31 yeah, all of our first party drivers run some version of a regex to remove tests that don't pertain to the manila-share service 15:22:45 yeah, talk about that one ^^ 15:23:06 ganso observed we're only running 7 tests (out 500+?) on the container driver 15:23:18 no wonder it's so reliable 15:23:19 gouthamr: I already enabled the full regex on the core manage/unmanage patch 15:23:34 gouthamr: and it added something like 5 minutes to the job 15:23:37 the container driver is not feature complete, it should be running more than 7 tetss 15:23:41 from 43 to 48 IIRC 15:23:41 tests* 15:24:03 ganso: nice, good, are you specifying a regex at all 15:24:20 gouthamr: no, it is picking up the default now 15:24:23 manila_tempest_tests.api 15:25:10 ganso: good stuff... my current thought is we don't care about the 5-10 min losses to run the full test suite against these driverd 15:25:49 anyways because we had those regexes there were tests that would have failed on other back ends than cephfs with uwsgi 15:26:01 gouthamr: why does uwsgi cause those tests to fail? 15:26:51 oh, when deploying with uwsgi we have a proxy, and the proxy path shows up in the URLs 15:27:09 so it's not uwsgi, it's that theres a proxy involved? 15:27:28 and there's code in the manila API to only accept either /v1/xyzzy or /v2/xyzzy as the URL paths, and no proxy components 15:28:02 i suspect we will have further issues here, besides the ones that vkmc and i have already addressed 15:28:08 tbarron: yes 15:28:48 the other issues could be in the object links ('href') or pagination, either of which we currently don't test with tempest 15:28:51 so we can treat these as bugs but i want to get enough of this stuff fixed by next week that the uwsgi changes can merge 15:29:15 so folks please prioritize these reviews 15:29:20 yes, unless the uwsgi change is breaking some gate, i think it can merge 15:29:36 amito: you've done some good work on the openstack sdk 15:29:39 yeah, that fix you submitted should fix ceph gates 15:29:45 tbarron: thanks :) 15:29:50 tbarron: hope it gets reviewed soon 15:29:56 amito: do you know if the feature deadline freeze applied to it? 15:29:59 and third parties needs to be fixed by updating the python-manilaclient version 15:30:23 vkmc: i still don't get that part 15:30:31 tbarron: I don't think so, gouthamr - you said they don't have a release, right? 15:30:39 in non third parties we are using python-manilaclient==1.26.1.dev7 15:30:50 amito: i think that's right, just checking ... 15:30:56 in third parties we are using python-manilaclient==1.26 15:31:09 tbarron: I still need to complete some unit-tests though 15:31:32 amito: kk 15:31:33 and there is a recent fix we merged in the client that fix how we resolve urls 15:31:51 oh! 15:31:54 devstack fails if we try to deploy manila with uwsgi and without that client side fix 15:32:04 ouch, yes :( 15:32:12 #link https://review.openstack.org/#/c/634345/ 15:32:17 this is the fix I'm talking about 15:32:32 vkmc: will this be fixed if we release a new client to pypi? 15:32:39 tbarron, yes 15:32:44 +1 15:32:59 gouthamr: vkmc: k, we'll propose that asap 15:33:07 assuming third party ci's update their client version if we release a new client to pypi 15:33:07 tbarron: you need to release one next week anyway 15:33:18 anything else we need to get into the client? 15:33:25 vkmc: don't think they need to update anything 15:33:25 nope, that's all 15:33:25 tosky: ack 15:33:32 gouthamr, cool 15:33:54 they're not using the LIBS_FROM_GIT devstack var, which makes them get python-manilaclient from pypi 15:34:05 nope, that's all <- last famous words... I want to see that ci go green with gouthamr patch 15:34:26 i'll propose the release today then. If anyone thinks of something else that we need in the client let me know but I don't see outstanding reveiws. 15:34:56 oh 15:35:05 manage-unmange for share servers :) 15:35:11 ganso must be sleeping 15:35:17 I'm here 15:35:23 * bswartz gets his large trout ready 15:35:23 because he's been working all night 15:35:42 lol 15:35:45 ganso smells fishy now 15:36:44 ganso are you running libs_from_git in netapp ci for python-manilaclient in order to get your patch? 15:37:01 tbarron: we don't run netapp-ci on python-manilaclient 15:37:09 tbarron: and tempest doesn't need python-manilaclient 15:37:14 ganso: ack 15:37:45 vkmc: gouthamr ^^ then why does their 3rd party CI fail with uswgi? 15:38:21 I think we'll take this one to #openstack-manila - 15:38:41 http://13.56.179.158/logs/38/631338/18/upstream-check/manila-cDOT-no-ss/bc0a2a2/logs/devstacklog.txt.gz#_2019-02-25_17_02_00_926 15:38:47 ganso, devstack needs it 15:38:47 we need to get the manage share servers stuff and the uwsgi stuff merged, let's review and figure out how to do it. 15:38:56 http://13.56.179.158/logs/38/631338/18/upstream-check/manila-cDOT-no-ss/bc0a2a2/logs/local.conf.txt.gz 15:39:03 same problem as vkmc mentioned 15:39:13 I was looking at the wrong patch 15:39:24 i see "LIBS_FROM_GIT=" 15:39:37 we could trigger run netapp-ci there just in case it is a random failure 15:40:08 so netapp CI can add the uwsgi patch additionally and we'll know that pypi will work for 3rd parties 15:40:18 when we publish to pypi 15:40:31 after the manage pythonclient patch merges 15:41:03 #topic bugs 15:41:07 jgrosso you are up 15:41:10 YAY! 15:41:15 :) 15:41:22 jgrosso: welcome back! 15:41:41 thanks !! PTO for ever very rusty 15:42:11 https://etherpad.openstack.org/p/manila-bug-triage-pad 15:42:27 We have a section called NEW 15:42:55 I am trying to triage these as soon as they come in 15:43:07 true history ^ 15:43:10 jgrosso++ 15:43:27 I saw him triaging my wsgi bug 3 minutes after I reported it 15:43:28 bug 3 in mono (Ubuntu) "Custom information for each translation team" [Undecided,Fix committed] https://launchpad.net/bugs/3 15:43:30 jgrosso++ 15:44:35 so I am going to try and get all new bugs set with Importance 15:44:43 first if there is nothing there 15:45:36 can some explain this bug 15:45:48 https://bugs.launchpad.net/manila/+bug/1816486 15:45:50 Launchpad bug 1816486 in Manila " Allow configuring availability_zones in share types" [Undecided,New] 15:46:03 ooh, doc bug 15:46:08 another good thing if it's obvious is low hanging fruit b/c we have a bunch of outreachy folks interested in picking these up 15:46:21 tbarron++ 15:46:32 thanks jgrosso, that was a tracker for me to go add docs, will probably get to it after milestone 3 15:46:50 ok 15:47:01 jgrosso: i'll modify the title to say [Doc] in the title 15:47:13 https://bugs.launchpad.net/manila/+bug/1817316 15:47:14 Launchpad bug 1817316 in Manila "security service password is stored in plaintext" [Undecided,New] 15:47:28 jgrosso: when you see DOCIMPACT like that at the top it's auto-generated b/c someone put a tag in their mainline commit ... 15:47:38 tbarron: got it 15:47:43 jgrosso: this is an interesting one 15:47:47 reported by SAP 15:48:06 and I asked about it some this morning 15:48:08 plaintext just scares me 15:48:18 when attached to password 15:48:28 well it's plaintext only visible to cloud admins, not to cloud users 15:48:39 not the best combination, I agree 15:48:41 but SAP security auditors still don't like that 15:48:53 and I bet govt auditors too 15:49:02 yeah I bet not 15:49:14 so I asked whether any projects are using barbican to protect these secrets yet 15:49:27 asked via our downstream openstack security team 15:49:38 so far it appears not 15:49:46 but I think this should be a PTG topic 15:49:58 anyone know of any projects doing this? 15:50:34 We could do a better job of handling secrets like the ones in security services 15:50:47 I wonder if we should add this as a potential cross-project forum session 15:50:54 At the time the feature was added, there wasn't a facility to make that easy 15:51:00 I don't think the issue is at all unique to manila 15:51:43 any project that stores passwords for external storage, external network equipment, external security/identity services, etc. 15:51:52 s/passwords/credentials/ 15:52:00 would have this kind of issue 15:52:09 probably we should ask not WWCD 15:52:15 what would Cinder do? 15:52:19 but WWKD 15:52:22 keystone 15:52:49 keystone allows one to use LDAP etc. as back end right? 15:53:20 Ultimately what manila does is slighly unique and there are real security risks 15:53:33 But there should be a generalized way to avoid the worst of those risks, and we should take advantage of it 15:53:44 bswartz:+1 15:54:05 so let's find out the best practice as a baseline and go from there 15:54:08 One issue early in the life of OpenStack was that no project wanted to depends on any other project because it created deployment complexity 15:54:29 i feel we can remove password if present, technically it's not in the API 15:54:32 Now perhaps there's a well-accepted thing we can depend on 15:54:42 bswartz: well we can try to do encryption with a plugin maybe 15:54:53 i.e, the NetApp backend is storing it in its driver-specific "backend_details" field 15:55:36 tbarron: it's not our core strength, we'd either do a poor job, or waste a lot of time duplicated work others have done in order to do a good job 15:55:52 duplicating 15:56:10 tbarron: Have we had a deep bug scrub recently for the manila upstream bugs? 15:56:12 i.e, whatever we're going to implement, we've to figure out if a backend wants to store a secret in teh database... so, if a backend's currently doing that, we can just remove it from the API response citing security impact 15:56:16 bswartz: agree and that's why I want to find out if there's a best practice in some other project already 15:56:23 jgrosso: no 15:56:34 jgrosso: that's why we hired you :) 15:56:46 good so I would like to have one :) 15:56:46 * tbarron is joking, jgrosso was hired for many jobs 15:56:55 jgrosso: +100 :) 15:57:11 jgrosso: consider yourself fully deputized to drive it 15:57:23 can we all agree on an hour meeting to go through some of these bugs ? 15:57:33 I will try an organize them the best I can 15:57:40 before said meeting 15:57:54 0, 15:58:06 jgrosso: so just propose it on openstack-discuss with [manila] at front of $subject 15:58:17 I shall :) 15:58:36 jgrosso: make sure to do it early in the morning east coast time so gouthamr has to get up early 15:58:49 also have not touched storyboard but did get a sandbox 15:59:04 tbarron: yeah we can get that slacker up early ;) 15:59:12 * gouthamr sigh, trout coffee 15:59:29 time check 15:59:57 if there's anything else for today please take it to #openstack-manila 16:00:06 tbarron: I do 16:00:10 Thanks everyone! We're making some good progress. 16:00:11 tbarron: will discuss there 16:00:18 ganso: thanks 16:00:21 #endmeeting