#openstack-meeting log

17:01:01 <johngarbutt> #startmeeting XenAPI
17:01:02 <openstack> Meeting started Wed Jan  9 17:01:01 2013 UTC.  The chair is johngarbutt. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:05 <openstack> The meeting name has been set to 'xenapi'
17:01:23 <johngarbutt> #topic Blueprints
17:01:31 <johngarbutt> Hi everyone!
17:01:38 <pvo> hello
17:01:40 <guitarzan> hello
17:02:05 <BobBall> morning!
17:02:15 <johngarbutt> cool, so before we start
17:02:25 <johngarbutt> has anyone got things they would like to cover?
17:02:39 <johngarbutt> lets build an agenda
17:02:48 <matelakat> Hi
17:03:04 <matelakat> Okay, so cinder - xenapinfs - copy from image.
17:03:34 <matelakat> idea: use the same code as in iscsi.
17:03:44 <matelakat> Just attach the volume to the cinder box.
17:03:47 <pvo> I had a few questions (not really agenda items) that I wanted to ask at the end
17:03:48 <johngarbutt> OK, lets start with that blueprint
17:03:54 <johngarbutt> pvo: cool
17:04:43 <westmaas> hello
17:05:03 <matelakat> I amended the xenapi-storage-manager-nfs blueprint to include that idea. #link https://blueprints.launchpad.net/cinder/+spec/xenapi-storage-manager-nfs
17:05:28 <matelakat> After that, we'll have a really complete volume driver for xenapi.
17:05:41 <johngarbutt> matelakat: that one is marked as finished, might want a new one for the rest
17:05:52 <rainya> pvo, thanks for reminder
17:06:00 <matelakat> Oh, ok.
17:06:08 <BobBall> Do #link's need to be put at the start of the text for the bot to recognise them?
17:06:19 <matelakat> will start a new one.
17:06:20 <toanster> hello
17:06:27 <johngarbutt> matelakat: any major questions?
17:06:35 <johngarbutt> pending reviews etc
17:06:42 <matelakat> oh, yes.
17:07:10 <matelakat> #link snapshot-support-for-xenapinfs https://review.openstack.org/#/c/18780/
17:07:47 <johngarbutt> OK
17:08:10 <johngarbutt> any more blueprint updates or pending reviews or burning questions about that kind of thing?
17:08:26 <matelakat> no.
17:08:44 <johngarbutt> I know there is Quantum OVS, if anyone feels they could take a look
17:09:13 <johngarbutt> #link https://review.openstack.org/#/c/15022/
17:09:57 <pvo> johngarbutt: got your note. Will take a peek.
17:10:09 <johngarbutt> pvo: thank you !
17:10:47 <johngarbutt> any more blueprint things? I saw config drive was coming along
17:10:52 <shengjie> hi, I have a quick update on the blueprint hbase-storage-backend
17:11:23 <johngarbutt> shengjie: fireway have you got a link?
17:11:53 <shengjie> https://blueprints.launchpad.net/ceilometer/+spec/hbase-storage-backend
17:12:15 <shengjie> we've pretty much finished the 1st phase implementation, will have it committed for review soon.
17:12:31 <shengjie> but to have better performance, hbase will need extra 2ndary indices
17:12:42 <johngarbutt> hang on, sorry, I am probably missing something
17:12:53 <johngarbutt> does that affect the XenAPI support in Ceilometer?
17:13:10 <BobBall> The Ceilometer meeting is meant to be at 15:00 UTC
17:13:14 <BobBall> on Thursday
17:13:36 <dhellmann> the ceilometer xenapi blueprint link is https://blueprints.launchpad.net/ceilometer/+spec/xenapi-support
17:13:45 <johngarbutt> my bad, I meant XenAPI related blueprints in previous bit
17:14:13 <shengjie> sorry, my bad
17:14:26 <johngarbutt> thanks, no progress reported there :-(
17:14:44 <johngarbutt> one other change I noticed, text console support for XenAPI from Internap
17:14:59 <johngarbutt> #link https://review.openstack.org/#/c/17959/
17:15:29 <johngarbutt> might interest people using horizon, it looks bad without this support
17:15:53 <johngarbutt> OK, shall we move to docs?
17:16:30 <matelakat> y
17:16:37 <johngarbutt> #topic docs
17:16:50 <johngarbutt> #link http://wiki.openstack.org/HypervisorSupportMatrix
17:16:55 <johngarbutt> I have updated this
17:17:01 <johngarbutt> any more ideas welcome
17:17:29 <johngarbutt> we have quite a lot of pending doc bugs, is there anyone with a bit of time for those?
17:18:28 <johngarbutt> #link https://bugs.launchpad.net/openstack-manuals/+bugs?field.searchtext=xenapi
17:18:45 <johngarbutt> OK, just wanted to raise that
17:18:59 <johngarbutt> #topic qa
17:19:25 <johngarbutt> we have spoken about getting some tests, above and beyond smokestack, reporting into gerrit
17:19:43 <johngarbutt> is that still on anyones roadmap?
17:20:13 <johngarbutt> update from Citrix: internal CI is almost back up, based on DevStack
17:20:31 <pvo> johngarbutt: our QA folks are looking at that now.
17:20:35 <pvo> Not sure about their timeline though.
17:20:41 <johngarbutt> #link https://github.com/citrix-openstack/qa
17:20:44 <pvo> I can point you to the right folks, if you're interested.
17:21:07 <johngarbutt> pvo: cool, might be good, just to make sure no one else tries the same think
17:21:19 <johngarbutt> I know internap were interested at one point too
17:21:58 <johngarbutt> Citrix have tempest running against XenServer using DevStack using jenkins plus the above scripts, if that helps people
17:22:23 <johngarbutt> #topic bugs
17:22:33 <johngarbutt> OK any major bugs for people?
17:23:22 <johngarbutt> #topic Open Discussion
17:23:30 <johngarbutt> pvo: fire way
17:23:39 <johngarbutt> away^
17:24:15 <pvo> it was a quick question really,… I was wondering if anyone using XenServer/XCP uses the metadata service or xenstore?
17:24:21 <pvo> to pass data to instances.
17:24:21 <johngarbutt> also, any other questions or issues people would like to raise?
17:24:49 <Mr_T> i've got a question, but i think pvo might be beating me to it
17:24:49 <johngarbutt> We have tested the metadata service with nova-network and flatdhcp
17:24:55 <johngarbutt> it seemed to be working
17:25:09 <johngarbutt> with cloud-init picking up things
17:25:12 <pvo> johngarbutt: ya, the dhcp part is always the sticking point for us.
17:25:20 <pvo> we don't use DHCP, so there is the chicken-egg thing
17:25:26 <johngarbutt> right
17:25:36 <johngarbutt> link local address any good?
17:26:06 <BobBall> Could you briefly explain the chicken+egg thing for my benefit?
17:26:06 <pvo> johngarbutt: ya, that is where our conversations usually drift to. We'd talked some time ago about an ipv6 link local, but got some pushback here for that.
17:26:26 <pvo> BobBall: well, assumign we're not using linklocal addresses, we need a valid ip to talk to a metadata service.
17:26:30 <johngarbutt> config drive could be helpful alternative, but again, no metadata service at that point
17:26:39 <BobBall> ah of course
17:26:47 <pvo> so we use xenstore to inject the ips, but if we're already halfway there with some data, we end up putting it all there.
17:26:50 <johngarbutt> BobBall: metadata service is on an IP address, so you need the vif up
17:26:52 <westmaas> I think the general direction is configdrive + metadata service
17:27:07 <pvo> westmaas: ya, i was hoping to just copy someone's config : )
17:27:07 <johngarbutt> config drive for ip address?
17:27:22 <westmaas> configdrive for boot time data, metadata service for ongoing data that you need access to from the instance
17:27:28 <westmaas> johngarbutt: I'm not so clear on that, sorry :)
17:27:38 <pvo> johngarbutt: how about root password setting with windows?
17:27:40 <johngarbutt> hmm, metadata is fairly one shot at the moment with cloud init
17:27:47 <pvo> thats always ends up killing the config drive convo
17:27:54 <westmaas> and I more meant not xen specifically, but OS wide
17:28:06 <johngarbutt> agreed
17:28:17 <johngarbutt> I think most people think about a reboot to reset the password
17:28:27 <johngarbutt> cloud-init could re-read on reboot
17:28:31 <westmaas> in v3 of the api you can't set the password
17:28:33 <westmaas> I believe.
17:28:38 <johngarbutt> extension time
17:28:40 <johngarbutt> :-(
17:28:47 <pvo> johngarbutt: yea, that is what I proposed back in the Bexar timeframe….
17:28:55 <pvo> got some resistance to that idea then
17:28:58 <westmaas> or abandon that feature
17:29:09 <westmaas> just windows becomes a problem
17:29:11 <johngarbutt> vish seemed more keen in that summit XenAPI session on reset on reboot
17:29:20 <johngarbutt> we have cloud-init in windows now I think
17:29:23 <pvo> I think its reasonable to reboot an instance to reset a root password, but since people are used to not rebooting it may be a harder sell.
17:29:23 <johngarbutt> or very close
17:29:30 <pvo> so weve been trying to figure out a way around it
17:29:41 <johngarbutt> we could have xenstore kick cloud-init?
17:29:55 <johngarbutt> xen specific but not changing the core functionality
17:29:58 <pvo> johngarbutt: ah, hadn't seen cloud-init in windows yet
17:30:00 <pvo> that would be helpful.
17:30:13 <johngarbutt> hyper-v guys mentioned somehting about that
17:30:22 <johngarbutt> not sure if it is ready for prime time yet though
17:30:22 <pvo> is that in openstace github or just on the internets somewhere?
17:30:31 <pvo> openstack… that would have been
17:30:34 <pvo> ok
17:30:37 <pvo> will check that out
17:30:42 <johngarbutt> pvo: not sure, would have to google
17:31:11 <johngarbutt> I guess there meeting might be a good place, if peter is not around
17:31:13 <pvo> johngarbutt: ya, doing that now. will find
17:31:18 <johngarbutt> pvo: cheers
17:31:38 <westmaas> oh yeah mikal mentioned that to me too
17:31:46 <johngarbutt> so xen specific extension to cloud-init, does that sound bad?
17:32:10 <johngarbutt> to kick the standard on reboot password system
17:32:22 <westmaas> http://www.cloudbase.it/cloud-init-for-windows-instances/
17:32:29 <johngarbutt> the key requirment from HP was around ensuring they were never in a position to decrypt the password
17:33:03 <pvo> johngarbutt: yea, that part I was trying to figure out too.
17:33:07 <johngarbutt> I meant alexp not peter, oops
17:33:09 <johngarbutt> #link https://github.com/alexpilotti/cloudbase-init
17:33:11 <westmaas> yeah thats why we stopped storing it a while ago, but still there is the time its in transit
17:33:13 <pvo> curious to how they're solving it
17:33:20 <johngarbutt> pvo: it was ssh keys I think
17:33:25 <pvo> on windows?
17:33:28 <westmaas> but not for windows :)
17:33:28 <westmaas> haha
17:33:29 <westmaas> yea
17:33:31 <johngarbutt> they injected key used to encrypt a generated password
17:33:51 <pvo> if msft would just embrace openssh…
17:33:54 <johngarbutt> well, any key will do I guess, just make sure the user is the only one with the private bit
17:34:18 <johngarbutt> any symetric key thingy I guess
17:34:34 <pvo> DH works, but you need to bounce the messages back and forth.
17:34:45 <pvo> which is what we were looking at the metadata service *could* do.
17:34:45 <johngarbutt> that is what you do now right?
17:34:49 <pvo> but felt the wrong way.
17:34:51 <pvo> ya, thats all.
17:34:53 <johngarbutt> right
17:34:59 <pvo> the gentleman yields the floor
17:35:11 <johngarbutt> can we not use the keypair, like an ssh key somehow
17:35:30 <johngarbutt> user creates key, adds key to instance
17:35:37 <pvo> I'm sure we could with something custom in windows
17:35:38 <johngarbutt> normally crazy becuase it is windows
17:35:40 <pvo> for linux, its all solved.
17:35:47 <johngarbutt> right
17:36:04 <johngarbutt> trying to think about kerberos and ssl apis they have already
17:36:15 <johngarbutt> .NET includes the tools for this I think
17:36:28 <pvo> I'm wintarded, so I have no idea.
17:37:08 <johngarbutt> pvo: cloud-base may have done this already
17:37:14 <johngarbutt> reading the readme for windows cloud init
17:37:21 <pvo> looking through it now
17:37:27 <johngarbutt> uses ssh key and password
17:37:40 <johngarbutt> time to xen extend it maybe
17:39:06 <johngarbutt> hmm
17:39:12 <johngarbutt> they don't encrpyt it yet
17:39:13 <johngarbutt> https://github.com/alexpilotti/cloudbase-init/blob/master/cloudbaseinit/plugins/windows/createuser.py#L47
17:39:21 <johngarbutt> they optionally generate it though
17:39:46 <johngarbutt> sounds like they have installed openssh or something
17:39:49 <johngarbutt> #link https://github.com/alexpilotti/cloudbase-init/blob/master/cloudbaseinit/plugins/windows/sshpublickeys.py
17:39:52 <johngarbutt> they inject the keys
17:40:05 <pvo> heh. that would be a fun fight to have again.
17:40:29 <johngarbutt> I see a fun summit session coming up
17:40:40 <pvo> we have that talk twice a year : )
17:41:00 <johngarbutt> ah, hello
17:41:27 <johngarbutt> alexpilotti: how does the change password work in cloudbase-init?
17:42:15 <alexpilotti> johngarbutt: hi!
17:42:30 <alexpilotti> johngarbutt: you mean the admin_pass in the metadata?
17:42:38 <johngarbutt> alexpillotti: sorry to drag you into an XenAPI meeting
17:42:42 <johngarbutt> yes that is the one
17:43:06 <johngarbutt> are there plans for encrypting that password?
17:43:16 <alexpilotti> johngarbutt: there's also anew patch from vishy to push the patch from the guest to the metadata
17:43:31 <alexpilotti> johngarbutt: that's the way we want to take
17:43:47 <alexpilotti> johngarbutt: to push the password, sorry, lapsus :-)
17:44:01 <johngarbutt> OK, push an encrypted one?
17:44:07 <alexpilotti> johngarbutt: yes
17:44:20 <johngarbutt> using the SSH key, or something else?
17:44:26 <alexpilotti> johngarbutt: yes
17:44:32 <johngarbutt> cool
17:44:40 <alexpilotti> johngarbutt: basically you encrypt it on the guest with the public key
17:44:42 <pvo> alexpilotti: this is assuming ssh is installed on teh windows machien?
17:44:44 <johngarbutt> does it reset on every reboot?
17:44:46 <pvo> <sp>
17:44:55 <alexpilotti> pvo: no, you just need OpenSSL
17:45:02 <pvo> alexpilotti: gotcha
17:45:13 <alexpilotti> johngarbutt: no, unless you confige it to do so
17:45:20 <alexpilotti> *configure
17:45:31 <johngarbutt> OK, so you set the password, then reboot, and it picks it up?
17:45:49 <alexpilotti> johngarbutt: even w/o reboot
17:45:50 <johngarbutt> or just on new machine create?
17:45:57 <alexpilotti> johngarbutt: at the first boot
17:46:33 <johngarbutt> so we were wondering about without the need for a reboot, are you polling the metadata service or something?
17:46:42 <alexpilotti> johngarbutt: yes
17:46:58 <alexpilotti> johngarbutt: we are mainly supporting DriveInit
17:47:28 <alexpilotti> johngarbutt: BTW did you guys implement ConfigDrive?
17:47:31 <johngarbutt> driveinit? sorry for all these questions!
17:47:45 <alexpilotti> johngarbutt: ConfigDrive, sorry :-)
17:47:46 <johngarbutt> mike still is taking that:
17:48:19 <alexpilotti> johngarbutt: I try to avoid the metadata service as much as possible
17:48:20 <johngarbutt> matelakat: you got the link for that?
17:48:30 <alexpilotti> johngarbutt: and ConfigDrive is the perfect solution
17:48:45 <alexpilotti> johngarbutt: one huge problem with vishy's approach to the password problem
17:48:59 <alexpilotti> is that it requires posting to the metadata service
17:49:00 <johngarbutt> right
17:49:00 <matelakat> #link https://review.openstack.org/#/c/18370/
17:49:18 <alexpilotti> matelakat: cool!
17:49:40 <johngarbutt> pvo: is that sounding better now?
17:49:50 <johngarbutt> I think that is starting to join up
17:49:52 <pvo> johngarbutt: much. Thanks.
17:49:56 <alexpilotti> which means that the guest needs to have write access to the metadata service *cough*
17:50:07 <johngarbutt> hmm, yes...
17:50:15 <alexpilotti> with all the security issues that you can immagine
17:50:23 <alexpilotti> we found a solution:
17:50:24 <johngarbutt> hence push into the guest, I see
17:50:42 <johngarbutt> alexpilotti: do tell
17:50:47 <alexpilotti> the guest passes the encrypted password to the host on an internal channel
17:50:57 <alexpilotti> and the host writes to the metadata
17:51:06 <alexpilotti> this is hypervisor specific
17:51:08 <johngarbutt> oh right, which is where XenAPI has been using xenstore
17:51:09 <johngarbutt> right
17:51:24 <alexpilotti> Hyper-V has a technology called KVP exchange for that
17:51:36 <alexpilotti> I wantedt to ask what is available on Xen
17:51:42 <johngarbutt> I wondered about, user pushes password, nova cli helps encrypt with key
17:51:42 <alexpilotti> *wanted
17:51:44 <pvo> alexpilotti: this is how we do it now
17:52:02 <pvo> a diffie-hellman exchange to pass it back and forth.
17:52:07 <alexpilotti> pvo: cool. Do you have a blueprint or a reference patch?
17:52:16 <pvo> alexpilotti: I can find one.
17:52:23 <pvo> we've been using it for some time now
17:52:47 <alexpilotti> because IMHO having the guest writing directly to the metadata service is a huge risk of DOS and scalability problems
17:53:04 <pvo> alexpilotti: if you're running one monolithic, sure.
17:53:11 <johngarbutt> #link https://github.com/openstack/nova/blob/master/nova/virt/xenapi/agent.py#L166
17:53:12 <pvo> if youre running one per compute on loopback, less so
17:53:15 <alexpilotti> while passing the info to the host and having the driver doing it via nova api is IMO way safer
17:53:18 <pvo> yea, that link
17:53:54 <alexpilotti> johngarbutt pvo: tx, I'm going to take a look at it
17:54:21 <johngarbutt> if we don't catch each other, fancy same time next week to just follow up?
17:54:34 <alexpilotti> sure
17:54:38 <BobBall> Note that XS does have some KVP equivalent which is needed by SCVMM - although this isn't currently suitable for wider distribution I believe
17:54:41 <pvo> sure
17:55:09 <alexpilotti> would you guys like to schedule a meeting next week?
17:55:32 <alexpilotti> maybe we should fetch somebody from KVM as well
17:55:37 <johngarbutt> Mr_T: your question?
17:55:48 <Mr_T> oh, thanks - i was curious if anyone happened to know the size limit of files ("personalities") injected to instances via xenstore?
17:55:49 <johngarbutt> alexpilotti: sure
17:56:16 <Mr_T> i've heard it's somewhere around 2k, but wasn't able to find a more specific answer
17:56:22 <johngarbutt> not sure myself, smaller is better, that I remember
17:56:39 <johngarbutt> is that a nova or a XenAPI limit?
17:56:48 <pvo> its a limitation in how much data you can put into a xenstore value
17:56:56 <pvo> its a xenapi limit
17:57:00 <johngarbutt> right
17:57:12 <johngarbutt> #link https://github.com/openstack/nova/blob/master/nova/virt/xenapi/agent.py#L219
17:57:15 <alexpilotti> k guys, let's sync on -dev after the meeting ends?
17:57:27 <johngarbutt> alexpilotti: sure, thank you!
17:57:31 <pvo> alexpilotti: I gotta run to my next meeting, but I'll follow up there later.
17:57:33 <alexpilotti> tx!
17:57:44 <johngarbutt> That is time for us
17:57:46 <BobBall> Believe the limit is 4k but I'd have to check up on that
17:58:05 <johngarbutt> #action BobBall: check xenstore limit
17:58:12 <johngarbutt> that does ring a bell
17:58:18 <johngarbutt> many thanks all
17:58:25 <johngarbutt> same time next week hopefully
17:58:26 <Mr_T> thank you
17:58:35 <johngarbutt> #endmeeting