#openstack-nova log

16:00:35 <bauzas> #startmeeting nova
16:00:35 <opendevmeet> Meeting started Tue May 31 16:00:35 2022 UTC and is due to finish in 60 minutes.  The chair is bauzas. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:35 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:35 <opendevmeet> The meeting name has been set to 'nova'
16:00:40 <bauzas> EHLO
16:00:53 <elodilles> o/
16:00:56 <Uggla> qo/
16:01:03 <gmann> o/
16:01:45 <bauzas> not sure if gibi is around, but let's start to discuss (he told me he couldn't be in our meeting)
16:02:59 <bauzas> #topic Bugs (stuck/critical)
16:03:04 <bauzas> #info No Critical bug
16:03:09 <bauzas> #link https://bugs.launchpad.net/nova/+bugs?search=Search&field.status=New 14 new untriaged bugs (-1 since the last meeting)
16:03:12 <bauzas> thanks elodilles :)
16:03:18 <bauzas> #link https://storyboard.openstack.org/#!/project/openstack/placement 26 open stories (0 since the last meeting) in Storyboard for Placement
16:03:18 <elodilles> o:)
16:03:26 <bauzas> #info Add yourself in the team bug roster if you want to help https://etherpad.opendev.org/p/nova-bug-triage-roster
16:03:36 <bauzas> elodilles: do you want to discuss about some bug ?
16:03:50 <elodilles> bauzas: nothing to discuss i think,
16:03:54 <bauzas> cool
16:04:11 <bauzas> thanks for the bug triage etherpad btw.
16:04:19 <elodilles> i only triaged two bugs and they were more or less clear (or incomplete)
16:04:30 <bauzas> nice
16:04:44 <bauzas> so, after you, we're done with the roster
16:04:58 <bauzas> if someone wants to triage, let me know now
16:05:04 <bauzas> for next week
16:05:57 <bauzas> ok, looks not
16:06:17 <bauzas> then, let's rerun the roster :)
16:06:23 <elodilles> ++
16:06:31 <bauzas> I'll be the next bug baton folk
16:06:50 <bauzas> I can run it for two weeks if needed as I'll ask to not have a meeting next week
16:07:13 <elodilles> i guess gibi is not here to object :)
16:08:14 <bauzas> heh, I'll see him f2f next week
16:08:20 <bauzas> so I could pass him the baton :p
16:08:32 <elodilles> :)
16:08:39 <bauzas> anyway
16:08:46 <bauzas> #info Next bug baton is passed to bauzas
16:08:59 * bauzas has to run then
16:09:13 <bauzas> meh, joking
16:09:20 <bauzas> next topic, then
16:09:24 <bauzas> #topic Gate status
16:09:28 <bauzas> #link https://bugs.launchpad.net/nova/+bugs?field.tag=gate-failure Nova gate bugs
16:09:35 <bauzas> #link https://zuul.openstack.org/builds?project=openstack%2Fplacement&pipeline=periodic-weekly Placement periodic job status
16:09:38 <bauzas> #link https://zuul.opendev.org/t/openstack/builds?job_name=nova-emulation&pipeline=periodic-weekly&skip=0 Emulation periodic job runs
16:09:43 <bauzas> #info Please look at the gate failures and file a bug report with the gate-failure tag.
16:09:47 <bauzas> #info STOP DOING BLIND RECHECKS aka. 'recheck' https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures
16:10:02 <bauzas> all the jobs look good to me
16:10:51 <bauzas> something to tell about the gate ?
16:11:57 <bauzas> ok, looks not, continuing
16:12:06 <bauzas> #topic Release Planning
16:12:11 <bauzas> #link https://releases.openstack.org/zed/schedule.html
16:12:16 <bauzas> #info Zed-2 is in 6 weeks
16:12:20 <bauzas> the tick is clicking
16:12:36 <bauzas> I'll ask for a spec review day maybe in two weeks's meeting
16:13:31 <bauzas> nothing to tell here, I'm slowing reviewing a few specs
16:14:05 <bauzas> and oh, this reminds me to modify Launchpad for those accepted blueprints
16:14:18 * bauzas forgot to do it last week
16:14:45 <bauzas> anything to talk about specs, per say ?
16:15:57 <bauzas> -
16:16:04 <bauzas> #topic OpenInfra Summit
16:16:13 <bauzas> #info bauzas, gibi and stephenfin will attend the summit (at least for those I know)
16:16:36 <bauzas> so, then I have a question for those around
16:16:47 <bauzas> shall we cancel next week's meeting ?
16:16:50 <bauzas> I have a vote !
16:16:57 <bauzas> #startvote Cancel Nova meeting next week ? (yes/no)
16:16:57 <opendevmeet> Begin voting on: Cancel Nova meeting next week ? Valid vote options are , yes, no, .
16:16:57 <opendevmeet> Vote using '#vote OPTION'. Only your last vote counts.
16:17:09 <bauzas> #vote yes
16:17:12 <elodilles> #vote yes
16:17:12 <gmann> though I will travel but ok for me to cancel,
16:17:16 <gmann> #vote yes
16:17:20 <Uggla> #vote yes
16:17:23 <gmann> *I will not travel
16:17:32 <bauzas> gmann: you'll be missed
16:17:54 <bauzas> I'll close the vote
16:17:58 <bauzas> but, before this
16:18:09 <bauzas> if someone wants run the meeting, he can
16:18:25 <bauzas> this is just I'm not sure we'll have a quorum then
16:18:47 <bauzas> let's end the vote
16:18:48 <bauzas> #endvote
16:18:48 <opendevmeet> Voted on "Cancel Nova meeting next week ?" Results are
16:18:48 <opendevmeet> yes (4): Uggla, gmann, elodilles, bauzas
16:19:14 <bauzas> so,
16:19:25 <bauzas> I haven't seen interest by someone to run it,
16:19:47 <bauzas> #agreed June 7th nova meeting is CANCELLED.
16:19:59 <bauzas> I'll send an email accordingly
16:20:23 <bauzas> one last point, if some people read our minutes,
16:20:26 <bauzas> #info We'll provide a Nova meet-and-greet Operators feedback  session on Wednesday,  June 8, 2:50pm - 3:20pm. Operators are welcome.
16:20:45 <bauzas> I can proxy any opinions or thoughts at the forum, btw.
16:20:54 <bauzas> stick around on IRC, you could be pinged
16:21:53 <gmann> bauzas: good idea. is there any etherpad i can add topic?
16:22:05 <bauzas> gmann: I surely can create one
16:22:06 <gmann> I would like to get soem feedback on SRBAC especially on scope thing
16:22:29 <gmann> thanks, that will be great I will not be there but I think you can discuss it and I will add details in etherpad
16:22:32 <bauzas> gmann: so you imagine some feedback etherpad, or rather some etherpad for adding notes before and remarks after ?
16:22:40 <bauzas> ah, I see
16:22:47 <gmann> bauzas: latter one
16:22:59 <bauzas> gmann: this is an excellent idea, let's setup this
16:23:05 <gmann> +1
16:23:28 <bauzas> gmann: I wish the Forum sessions would have their own etherpads tho
16:23:29 <gmann> we are trying to get this topic for ope meetup also but getting per project feedback also will be great
16:23:53 <gmann> bauzas: yeah, that also work, anywhere I can add this topic so that you remember it
16:24:05 <bauzas> gmann: oh, you meant about operators feedback at our meet-and-greet ? gotcha.
16:24:11 <gmann> yeah
16:24:26 <bauzas> gmann: then, I'll start an etherpad and I'll discuss this with gibi as he co-hosts
16:24:34 <gmann> thanks
16:24:47 <bauzas> this is a good point, we have a few things we'd like operators to play witgh
16:24:53 <bauzas> like the unified limits
16:24:58 <gmann> indeed
16:25:16 <bauzas> remember tho, operators play old versions, so they couldn't be that helpful
16:25:23 <bauzas> but this is not a reason to ask
16:25:33 <bauzas> to not* ask
16:25:39 <gmann> yeah, just if we can get initial feedback what they think on these new things
16:25:45 <bauzas> gotcha
16:25:50 <bauzas> and brilliant idea
16:26:01 <bauzas> gmann: you're doing my homework !
16:26:12 <gmann> :)
16:26:35 <bauzas> ok, next topic, I guess ?
16:27:09 <bauzas> looks so
16:27:20 <bauzas> #topic Review priorities
16:27:25 <bauzas> #link https://review.opendev.org/q/status:open+(project:openstack/nova+OR+project:openstack/placement+OR+project:openstack/os-traits+OR+project:openstack/os-resource-classes+OR+project:openstack/os-vif+OR+project:openstack/python-novaclient+OR+project:openstack/osc-placement)+label:Review-Priority%252B1
16:27:42 <bauzas> #link https://review.opendev.org/c/openstack/project-config/+/837595 Gerrit policy for Review-prio contributors flag. Naming bikeshed in there.
16:28:14 <bauzas> #link https://docs.openstack.org/nova/latest/contributor/process.html#what-the-review-priority-label-in-gerrit-are-use-for Documentation we already have
16:28:48 <bauzas> looks we found a consensus on my proposal for https://review.opendev.org/c/openstack/project-config/+/837595
16:29:04 <bauzas> sean-k-mooney: could you then please provide a new rev for it ? ^
16:30:38 <sean-k-mooney> ah i tought you were going to update it but sure
16:31:33 <bauzas> sean-k-mooney: oh, I can do it
16:32:17 <bauzas> #action bauzas to update https://review.opendev.org/c/openstack/project-config/+/837595
16:33:10 <bauzas> sean-k-mooney: no worries, I'll take it
16:33:36 <bauzas> next topic then
16:33:38 <bauzas> #topic Stable Branches
16:33:55 <bauzas> elodilles: feel free to take the mic
16:34:00 <elodilles> #info ussuri is unblocked, thanks to gmann's tempest pinning patches
16:34:17 <bauzas> \o/
16:34:21 <gmann> yeah, and stable/victoria is also pinned with old tempest
16:34:27 <elodilles> #info stable branches are now unblocked, but intermittent failures need further investigations. melwitt's tracking etherpad: https://etherpad.opendev.org/p/nova-stable-branch-ci
16:34:32 <elodilles> gmann: thanks! \o/
16:34:33 <gmann> took almsot 1 week to get all these merged
16:34:42 <elodilles> :S
16:34:57 <elodilles> #info placement's stable/branches are unblocked back till victoria (see melwitt's etherpad ^^^)
16:35:12 <bauzas> \o/ agai,
16:35:17 <gmann> cyborg-tempest plugin job which is non voting in nova gate also will be fixed by #link https://review.opendev.org/c/openstack/cyborg-tempest-plugin/+/843329
16:36:27 <elodilles> gmann: ack, thanks for that, too!
16:36:41 <elodilles> (that's all from my side)
16:36:42 <bauzas> :)
16:36:51 <bauzas> greatly appreciated, thanks gmann
16:37:03 <gmann> np!
16:37:18 <bauzas> and thanks melwitt for the tracking
16:37:24 <bauzas> moving on
16:37:29 <bauzas> we have one last item
16:37:48 <bauzas> #topic Open discussion
16:38:00 <bauzas> (levy14) Discuss ability to call Barbican from inside VM without supplying credentials
16:38:03 <bauzas> levy14: around ?
16:38:06 <levy14> yep
16:38:25 <levy14> was not around last week to put it on the agenda
16:38:34 <bauzas> levy14: I'll be honest, I'm not sure we have quorum for discussing your point today, but we can try
16:39:36 <levy14> but my org would greatly benefit if any code in a vm could call barbican to fetch secrets. now there are secrets in code, in config files, injected but not properly handled. I'd like to get rid of that.
16:39:59 <levy14> without having to put the credentials in the code, I mean
16:40:31 <levy14> I see this as a big security improvement for users of nova
16:40:50 <sean-k-mooney> i actuly see it as the opisite form a nova point of view
16:40:57 <sean-k-mooney> is potentally a large security whole
16:41:22 <sean-k-mooney> nova today almost excilulive does not handel any tenatn secrets
16:41:45 <bauzas> yup, that's what we said
16:41:48 <sean-k-mooney> nova or admins by default cannot retirve secrets form barbican
16:42:00 <sean-k-mooney> only the user can
16:42:05 <levy14> I understand. but that forces users of nova to improvise. and it's not good what users do. the outcome is nasty.
16:42:32 <sean-k-mooney> yep thats also true
16:42:46 <levy14> if there would be a feature to allow this specific use case, that would make life of nova users much better
16:42:48 <sean-k-mooney> realisticaly the simpelte way to achive this today id via an external vender data service
16:43:06 <sean-k-mooney> which could inject a bootstrap token via the metadta api
16:43:25 <sean-k-mooney> simialr to how nova-join works https://opendev.org/x/novajoin#design
16:43:35 <levy14> the problem with that is that I cannot realitically get it implemented across the federation of sites we represent
16:43:38 <sean-k-mooney> https://docs.openstack.org/nova/latest/admin/vendordata.html
16:44:31 <sean-k-mooney> levy14: what you are trying to achive is somethign simialr to k8s ablity to inject secrets into the pods right
16:45:16 <sean-k-mooney> kubernets allows secreates to be injected via config maps or other mechanium such that the pod applciation can the interact with the k8s apis
16:45:40 <sean-k-mooney> levy14: what you want is a way for nova instance to be able to bootstrap talkign to keystone/barbican
16:45:53 <sean-k-mooney> so that they can programitacly get teh secretes that are stored there
16:45:57 <levy14> not necessarily. I would like a transparent mechanism. that watches for outgoing https reguests to barbican and adds a header with the auth to access the secrets. based on some form of vm identity
16:46:14 <sean-k-mooney> levy14: nova does not controll the guest networking
16:46:25 <sean-k-mooney> so such a serice woudl be outside our scope
16:46:48 <levy14> sean-k-mooney: they can do that today, if they inject a secret. but that needs them to properly tend and handle the secret with care. users don't care, they are sloppy.
16:47:13 <sean-k-mooney> one posiablity but its a hack
16:47:28 <sean-k-mooney> woudl be to take teh token we are invoked with and include it in the metadata
16:47:35 <sean-k-mooney> that token would expire
16:48:01 <sean-k-mooney> but it woudl be suffient for the app to bootsrap potenally by issueing an application credetial
16:48:25 <levy14> sean-k-mooney: it was just a suggestion. or a way to describe what I expect to happen, don't know which project implements it. I thought I bring it up in nova, as it seems some sort of vm identity is needed for it to work
16:48:46 <sean-k-mooney> if you want the http request to be intercepted transparently you would need service function chaning or similar to implement that
16:49:08 <sean-k-mooney> levy14: that the thing vms dont have an identiy
16:49:14 <sean-k-mooney> they are owned by porjects
16:49:24 <sean-k-mooney> secrets are owned by users
16:49:28 <levy14> sean-k-mooney: maybe they should start having one
16:49:46 <sean-k-mooney> perhaps
16:49:56 <levy14> or secrets in barbican can be set up so that an entire project has access to them?
16:50:14 <sean-k-mooney> im not sure but that would still not allow nova to access them
16:50:33 <sean-k-mooney> services and cloud admins cannot acces barbican secrets
16:50:44 <levy14> so the possibilities are:
16:50:48 <sean-k-mooney> that is doen intentiolly for improved security
16:51:01 <levy14> 1. metadata service
16:51:19 <levy14> 2. interception of network calls outgoing from a vm
16:52:30 <sean-k-mooney> those are two possiblities yes
16:52:42 <levy14> any other?
16:52:49 <sean-k-mooney> for 1 you would have to define what the metadata service will provide the vm
16:53:03 <levy14> and anyone sees this as a valuable feature for nova?
16:53:05 <sean-k-mooney> 2 is not in scope of nova
16:53:36 <sean-k-mooney> levy14: if it was done securly maybe.
16:53:52 <sean-k-mooney> but i also see it as a non trivial feature
16:54:11 <jrosser_> i did some more looking at this after it was discussed ~ 1 week ago
16:54:22 <levy14> sean-k-mooney: I am sure is non-trivial
16:54:53 <jrosser_> and came to the same conclusion that there was no user associated with a VM so it was not possible to generate a usable token, even though it was possible to assert the identity of the vm
16:55:00 <levy14> sean-k-mooney: but I see it very valuable to have
16:55:27 <bauzas> timebox : we only have 5 mins left
16:55:55 <sean-k-mooney> levy14: do you feel comfortable wrting a spec propsoal even an incomplete one with your usecases
16:56:09 <sean-k-mooney> levy14: and or would you be able to implement this with our guidance
16:56:11 <bauzas> yes, we should rather discuss this by a spec
16:56:31 <levy14> sean-k-mooney: I can try writing an (incomplete) spec, I am not up to implement it myself
16:56:41 <sean-k-mooney> jrosser_: i could see us adding a --application-credetial or something to the api
16:57:00 <sean-k-mooney> jrosser_: i.e. you precreate one and tell nova to pass it to the guest via the metadtaa service
16:57:03 <jrosser_> i think that spcifying a service user for a VM might be enough
16:57:40 <jrosser_> anyway this is a rabbit hole and i don't want to disrupt your meeting
16:57:58 <bauzas> jrosser_: no worries, we don't have other discussions
16:58:47 <bauzas> at least, looks to me we have a consensus : levy14 will provide an incomplet spec or a backlog one
16:58:54 <bauzas> levy14: do you know about https://specs.openstack.org/openstack/nova-specs/specs/backlog/index.html ?
16:59:09 <jrosser_> tldr was that other $clouds let you associate a service user (thats already in your project) with that VM, and that combined with a JWT from the metadata  to auth against keystone would give you a token for that service user
16:59:36 <bauzas> anyway, we're at the last minute for our meeting
16:59:48 <levy14> I saw the page, seemed convoluted. next week I'm at openinfra, but for the week after that I'll try to create a spec.
16:59:50 <sean-k-mooney> jrosser_: i think the closest thing to a service user we have in openstack in an application credential
17:00:46 <bauzas> levy14: ok, then, we're done today
17:00:54 <bauzas> thanks folks
17:00:56 <bauzas> #endmeeting