opendevreview | Raghavendra Tilay proposed openstack/cinder master: HPE 3PAR: use vlan iscsi ips https://review.opendev.org/c/openstack/cinder/+/878684 | 05:48 |
---|---|---|
opendevreview | YuehuiLei proposed openstack/cinder master: cinder-backup:use snapshot_id create backup https://review.opendev.org/c/openstack/cinder/+/873862 | 06:03 |
opendevreview | YuehuiLei proposed openstack/cinder master: cinder-backup:use snapshot_id create backup https://review.opendev.org/c/openstack/cinder/+/873862 | 06:12 |
yuval | geguileo: anyway to bypass the token issue? without changing the configurations? | 08:49 |
yuval | geguileo: also can you review: https://etherpad.opendev.org/p/cve-2023-2088-FAQ | 08:50 |
geguileo | yuval: what do you mean bypass the token issue_ | 10:29 |
geguileo | ? | 10:29 |
geguileo | without the token the cloud is exposed to attacks on iSCSI and FC backends | 10:29 |
geguileo | yuval: we do have a section in the cinder docs explaining how to configure the tokens | 10:30 |
geguileo | don't know what more people need... | 10:30 |
geguileo | could you point out what is missing there? | 10:31 |
yuval | it's just there are so many docs I am not sure what is wrong what is right | 10:32 |
yuval | for example I checked the cinder.conf inline comments | 10:32 |
yuval | I didn't see a place for username or project name | 10:32 |
geguileo | yuval: In the main cinder configuration page there is a warning, in red: https://docs.openstack.org/cinder/latest/configuration/index.html | 10:32 |
yuval | [service_user] | 10:33 |
yuval | # | 10:33 |
yuval | # From cinder | 10:33 |
yuval | # | 10:33 |
yuval | # | 10:33 |
yuval | # When True, if sending a user token to an REST API, also send a service token. | 10:33 |
yuval | # (boolean value) | 10:33 |
yuval | #send_service_user_token = false | 10:33 |
yuval | # PEM encoded Certificate Authority to use when verifying HTTPs connections. | 10:33 |
yuval | # (string value) | 10:33 |
yuval | #cafile = <None> | 10:33 |
yuval | # PEM encoded client certificate cert file (string value) | 10:33 |
geguileo | yuval: then we have a page describing what needs to be done https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html | 10:33 |
yuval | #certfile = <None> | 10:33 |
yuval | # PEM encoded client certificate key file (string value) | 10:33 |
yuval | #keyfile = <None> | 10:33 |
yuval | # Verify HTTPS connections. (boolean value) | 10:33 |
yuval | #insecure = false | 10:33 |
yuval | # Timeout value for http requests (integer value) | 10:33 |
yuval | #timeout = <None> | 10:33 |
yuval | # Collect per-API call timing information. (boolean value) | 10:33 |
yuval | #collect_timing = false | 10:33 |
yuval | # Log requests to multiple loggers. (boolean value) | 10:33 |
yuval | #split_loggers = false | 10:33 |
yuval | ok, I will check it out, thanks, in few days I will be smarter | 10:33 |
geguileo | yuval: please use etherpad, pastebin, or links to samples instead of writing so many lines here ;-) | 10:33 |
yuval | yea, no problem | 10:34 |
geguileo | yuval: I believe the cinder release note also included the link there, let me check | 10:34 |
yuval | I added few questions here: https://etherpad.opendev.org/p/cve-2023-2088-FAQ | 10:34 |
geguileo | yuval: ok, the link is also in the release note: https://github.com/openstack/cinder/blob/6df1839bdf288107c600b3e53dff7593a6d4c161/releasenotes/notes/redirect-detach-nova-4b7b7902d7d182e0.yaml | 10:35 |
geguileo | yuval: the release note is basically in all the important sections | 10:36 |
geguileo | the rendered version can be read in the release notes pages, for example: https://docs.openstack.org/releasenotes/cinder/2023.1.html#relnotes-22-0-0-3-stable-2023-1 | 10:37 |
yuval | yes I read: https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html | 10:38 |
yuval | I didn't manage to make it work | 10:38 |
opendevreview | Eric Harney proposed openstack/cinder stable/2023.1: Make paramiko import optional https://review.opendev.org/c/openstack/cinder/+/880604 | 10:40 |
geguileo | yuval: what part was not clear on the doc? Because we can improve it | 10:42 |
yuval | I wrote it in the https://etherpad.opendev.org/p/cve-2023-2088-FAQ | 10:44 |
yuval | I will update if more things are not clear | 10:44 |
yuval | in some places you assume the reader knows what "appropriate" or "decent" means - but he (me) doesn't know | 10:45 |
yuval | like here: fill in the appropriate configuration for your service user (username, project_name, etc.) | 10:45 |
yuval | authtype is needed for example? | 10:45 |
yuval | If yes, do I need a password? | 10:45 |
geguileo | yuval: the doc assumes you know how the rest of your cinder.conf and nova.conf contents | 10:48 |
geguileo | behave | 10:48 |
geguileo | so the user is the configuration for the keystone user you want to use for the service token | 10:49 |
geguileo | usually it's the same as what's in section "[keystone_authtoken]" | 10:49 |
geguileo | with the exception of "send_service_user_token" | 10:49 |
geguileo | that needs to be added | 10:49 |
geguileo | and yes, auth type is necessary | 10:52 |
yuval | geguileo I appreciate the response I will do my best to figure it out. Thanks | 10:53 |
geguileo | yuval: I'll write a patch now to explain that in the doc, give me a couple of minutes | 10:53 |
yuval | Thanks | 10:53 |
geguileo | yuval: I'm refactoring the whole doc to make it easier to read | 11:01 |
geguileo | so it will take me more than a couple of minutes :-( | 11:01 |
opendevreview | YuehuiLei proposed openstack/cinder master: Remove six from inspur volume driver https://review.opendev.org/c/openstack/cinder/+/883355 | 11:26 |
opendevreview | Gorka Eguileor proposed openstack/cinder master: Doc: Improve service token https://review.opendev.org/c/openstack/cinder/+/883360 | 11:51 |
geguileo | yuval: ^ please, let me know if that helps | 11:51 |
yuval | Thanks | 11:51 |
geguileo | yuval: I haven't had time to actually verify the commands, but I believe they should work | 11:52 |
yuval | geguileo: I can do that and will let you know | 11:53 |
geguileo | yuval: thanks, ping me if there's anything that's not clear or if it doesn't work | 11:55 |
yuval | Got it | 11:55 |
*** thelounge553 is now known as thelounge55 | 13:18 | |
yuval | geguileo: you aware that if I run the remove command without any token related configured - it will remove the volume | 13:22 |
yuval | just the attachment is not removed | 13:22 |
yuval | but actually the volume is removed from the vm | 13:22 |
geguileo | yuval: what are we talking about? | 13:22 |
geguileo | yuval: did I write a remove command in the doc? | 13:23 |
yuval | if I do: openstack server add volume yuval_vm2 yuval_vol2 | 13:23 |
yuval | I see the volume in the vm | 13:23 |
yuval | then I do: openstack server remove volume yuval_vm2 yuval_vol1 | 13:23 |
yuval | we got the exception | 13:23 |
yuval | 409 conflict | 13:23 |
yuval | volume is stuck in detaching | 13:24 |
yuval | yuval_vol2 | detaching | 13:24 |
geguileo | yuval: you are saying with this incorrectly configured, right? | 13:24 |
yuval | yea | 13:24 |
yuval | $ lsblk | 13:24 |
yuval | NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT | 13:24 |
yuval | vda 253:0 0 1G 0 disk | 13:24 |
yuval | |-vda1 253:1 0 1015M 0 part / | 13:24 |
yuval | `-vda15 253:15 0 8M 0 part | 13:24 |
geguileo | yuval: then configure it correctly lol | 13:24 |
yuval | but is that expected? | 13:24 |
yuval | shouldn't it keep the volume attached to the vm? | 13:25 |
geguileo | yuval: if you don't configure things correctly? then anything can happen, yeah | 13:25 |
geguileo | yuval: this is not a user thing, this is a deployment tool issue | 13:25 |
geguileo | if you don't have the right deployment, shift happens | 13:25 |
yuval | but the breach it's trying to fix isn't still open? | 13:25 |
rosmaita | "if you don't configure things correctly? then anything can happen, yeah" <-- needs to be on a T-shirt | 13:26 |
yuval | :)) | 13:26 |
*** thelounge551 is now known as thelounge55 | 13:26 | |
geguileo | yuval: is it? is the volume unmapped from storage? | 13:27 |
yuval | what you mean unmapped? | 13:27 |
geguileo | yes | 13:27 |
yuval | the vm detach the volume | 13:28 |
yuval | I must go now... be back in 30 min | 13:28 |
geguileo | sure, and that's ok | 13:28 |
geguileo | that's not the vulnerability | 13:28 |
geguileo | and in any case, if the admin doesn't configure things correctly IT'S THEIR PROBLEM | 13:28 |
geguileo | they will have to go around cleaning things up afterwards | 13:29 |
whoami-rajat | Cinder meeting in #openstack-meeting-alt at 1400 UTC | 13:59 |
whoami-rajat | jungleboyj rosmaita smcginnis tosky whoami-rajat m5z e0ne geguileo eharney walshh_ jbernard sfernand enriquetaso hemna fabiooliveira yuval tobias-urdin adiare happystacker dosaboy | 13:59 |
whoami-rajat | simondodsley, the link you shared says this, You need permission | 14:42 |
whoami-rajat | This form can only be viewed by users in the owner's organization. | 14:42 |
whoami-rajat | Try contacting the owner of the form if you think this is a mistake. Learn More. | 14:42 |
simondodsley | whoami-rajat, on it. Marketing are so .... | 14:48 |
whoami-rajat | simondodsley, cool thanks | 14:48 |
simondodsley | whoami-rajat, form permissions fixed | 14:51 |
whoami-rajat | simondodsley, +1 | 14:56 |
enriquetaso | #startmeeting cinder_bs | 15:04 |
opendevmeet | Meeting started Wed May 17 15:04:23 2023 UTC and is due to finish in 60 minutes. The chair is enriquetaso. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:04 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:04 |
opendevmeet | The meeting name has been set to 'cinder_bs' | 15:04 |
enriquetaso | Hello, cinder bug meeting | 15:04 |
jbernard | \o/ | 15:05 |
enriquetaso | Full report of bugs: | 15:05 |
enriquetaso | #link https://lists.openstack.org/pipermail/openstack-discuss/2023-May/033735.html | 15:05 |
enriquetaso | hi jbernard ! | 15:05 |
enriquetaso | #topic [RBD] Retyping of in-use boot volumes renders instances unusable (possible data corruption) | 15:05 |
enriquetaso | #link https://bugs.launchpad.net/cinder/+bug/2019190 | 15:05 |
enriquetaso | While trying out the volume retype feature in cinder, we noticed that after an instance is | 15:05 |
enriquetaso | rebooted it will not come back online and be stuck in an error state or if it comes back | 15:05 |
enriquetaso | online, its filesystem is corrupted. | 15:05 |
enriquetaso | eharney, thinks that may also be a Nova issue, so I'll add Nova team to the bug report | 15:06 |
eharney | the report indicates that the volume is migrated to a different ceph pool but the instance points to the old location | 15:07 |
dansmith | geguileo: if you get a chance to review my changes here per the feedback, I'd appreciate it: https://review.opendev.org/c/openstack/tempest/+/882876 | 15:10 |
enriquetaso | Okay, I need to read the report again, but I'll leave a comment | 15:11 |
enriquetaso | #topic Volume upload to glance as image,use compression to accelerate gzip. Occasionally, there may be errors | 15:12 |
enriquetaso | #link https://bugs.launchpad.net/cinder/+bug/2019549 | 15:12 |
enriquetaso | Fix proposed to master: | 15:12 |
enriquetaso | #link https://bugs.launchpad.net/cinder/+bug/2019943 | 15:12 |
enriquetaso | I think the bug report needs more information like if it's using cinder as glance backend, so I left some questions on the bug report | 15:13 |
enriquetaso | maybe whoami-rajat is interested in keeping an eye on ^ | 15:13 |
eharney | the explanation in the patch seems to make sense | 15:13 |
whoami-rajat | enriquetaso, ack | 15:14 |
enriquetaso | okay, last one | 15:17 |
enriquetaso | #topic [DELL Unity] Image volume creation fail in Unity | 15:17 |
enriquetaso | #link https://bugs.launchpad.net/cinder/+bug/2019943 | 15:17 |
enriquetaso | I think it may be a config problem instead of a cinder problem | 15:17 |
enriquetaso | but I haven't reproduced the problem | 15:18 |
geguileo | dansmith: I didn't follow the previous reviews, but I see a bunch of changes that I really don't like... :-( | 15:18 |
dansmith | geguileo: hence why I'm holding it up for your review.. I was fine with your original one (except for the missing validations part) so I'm not opinionated | 15:19 |
geguileo | dansmith: my patch allowed some of the tests to pass in multiple circumstances: protected by policy, without keystone middleware enforcing the service role, and with keystone middleware enforcing it | 15:20 |
geguileo | Did someone think I checked multiple exceptions because I was lazy? r:-?? | 15:21 |
dansmith | geguileo: ack, I personally don't think we should make those either-or in tempest like that because it's easy for a bug in the test (like using the wrong creds) to hide a problem | 15:21 |
dansmith | geguileo: but comment there and let's get feedback from the tempest people | 15:21 |
whoami-rajat | geguileo, dansmith sorry to interrupt your conversation but bug squad meeting is going on :D | 15:22 |
geguileo | dansmith: the thing is always the same, tempest is one thing for one people another for other, but whatever... | 15:22 |
geguileo | whoami-rajat: oh, so very sorry!!! | 15:22 |
dansmith | whoami-rajat: oh terribly sorry | 15:22 |
enriquetaso | i think we are almost over :P | 15:23 |
whoami-rajat | no worries, I mean enriquetaso is the chair here | 15:23 |
enriquetaso | any thoughts on +bug/2019943 | 15:23 |
enriquetaso | anyone familiar with koalla + DELL emc | 15:23 |
whoami-rajat | Unable to fetch connection information from backend: multiple UnityHost with name ay-openstackctrl-02 found. | 15:24 |
whoami-rajat | hmm, seems like a deployment/configuration related issue | 15:25 |
enriquetaso | okay, I'll add koalla to the bug report | 15:26 |
enriquetaso | thanks! | 15:26 |
enriquetaso | that's all for me | 15:26 |
enriquetaso | #endmeeting | 15:26 |
opendevmeet | Meeting ended Wed May 17 15:26:32 2023 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 15:26 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/cinder_bs/2023/cinder_bs.2023-05-17-15.04.html | 15:26 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/cinder_bs/2023/cinder_bs.2023-05-17-15.04.txt | 15:26 |
opendevmeet | Log: https://meetings.opendev.org/meetings/cinder_bs/2023/cinder_bs.2023-05-17-15.04.log.html | 15:26 |
whoami-rajat | thanks! | 15:26 |
* dansmith looks both ways to see if the street is clear | 15:26 | |
whoami-rajat | geguileo, dansmith please continue, I didn't mean to interrupt the conversation | 15:27 |
* whoami-rajat assures dansmith that street is indeed clear | 15:27 | |
dansmith | geguileo: anyway, I certainly didn't mean to strike a nerve there so please comment on the changes where you have a problem and let's just figure out what works for everyone, including the tempest cores and I'll make the changes | 15:28 |
dansmith | whoami-rajat: no, that was my fault. since we moved to oftc and don't have topic changes by the meeting bots it's hard to tell sometimes | 15:28 |
whoami-rajat | ah yes correct, we used to have those changed on freenode | 15:30 |
geguileo | dansmith: I know you didn't, and I should have kept a closer look on the review to make my comment before you spent time making the changes, so it's on me. I added the comments. Thanks for waiting for my review. | 15:40 |
dansmith | geguileo: no need to apologize, there was lots going on and I was just trying to parallelize getting this into a landable state, so it's not a waste. I'll circle back there in a bit. | 15:41 |
dansmith | geguileo: I should have said on my reply now: this is your patch, I was trying to accelerate things with stuff I could do. You're *more* than welcome to take it over as you see fit and I'll be glad to step aside | 16:14 |
dansmith | I'm just _willing_ to make changes, not _required_ :) | 16:15 |
geguileo | lol | 16:15 |
geguileo | dansmith: I appreciate your help with that one :-) | 16:15 |
dansmith | okay, if that changes just say so :) | 16:15 |
dansmith | btw, unrelated, | 16:16 |
dansmith | I've mostly fixed this cinder ceph-mn job if anyone is interested: https://review.opendev.org/c/openstack/cinder/+/882955 | 16:17 |
dansmith | it looks to me like it still might have some cinder-specific config that needs tweaking for the last failing test | 16:17 |
dansmith | but the ceph and compute/volume failures are all fixed | 16:17 |
geguileo | dansmith: a comment/question on each of the ceph patches | 16:28 |
dansmith | I replied to the first, working on the second now :) | 16:28 |
dansmith | done | 16:31 |
geguileo | dansmith: thanks for the replies | 16:32 |
dansmith | I'll fix the inverted disabled thing now | 16:32 |
opendevreview | Dan Smith proposed openstack/cinder master: Enable validations for ceph-mn job https://review.opendev.org/c/openstack/cinder/+/882955 | 16:33 |
geguileo | dansmith: I assume that the devstack-plugin-ceph patch can be merged, right? | 16:34 |
dansmith | geguileo: yeah | 16:34 |
dansmith | the cinder one can too since the job is non-voting, but if there's some easy flag to fix the retype thing I can just throw that in there | 16:34 |
geguileo | dansmith: but isn't the cinder one based on the other one that is already changing the TEMPEST_RUN_VALIDATION to true? | 16:35 |
dansmith | Um, I think there's another step in the inheritance isn't there? Lemme check. | 16:36 |
dansmith | oh yep, you're right | 16:37 |
dansmith | nova has another layer | 16:37 |
geguileo | ok | 16:37 |
dansmith | I started with this and did the ceph plugin one after I realized I needed the migration flag.. cool, I'll abandon the cinder one | 16:38 |
geguileo | dansmith: thanks | 16:39 |
opendevreview | Merged openstack/devstack-plugin-ceph stable/wallaby: Cap cinder-tempest-plugin version for stable/wallaby https://review.opendev.org/c/openstack/devstack-plugin-ceph/+/871920 | 19:33 |
*** elodilles is now known as elodilles_ooo | 19:42 | |
opendevreview | Goutham Pacha Ravi proposed openstack/devstack-plugin-ceph master: Update default ceph version to "quincy" https://review.opendev.org/c/openstack/devstack-plugin-ceph/+/883444 | 20:35 |