rosmaita | rm_work: make sure you read through https://wiki.openstack.org/wiki/OSSN/OSSN-0075 before doing anything else | 12:45 |
---|---|---|
rosmaita | rm_work: there's a glance-manage command that will do what you want ... it's separate from the 'glance-manage db purge' command because of ^^ | 12:46 |
rosmaita | rm_work: but if you decide you really do want to re-use image ids, there's 'glance-manage db purge_images_table' | 12:46 |
rosmaita | rm_work: finally found it, I thought this was documented somewhere: https://docs.openstack.org/glance/latest/admin/db.html#purging-the-images-table | 12:53 |
rosmaita | actually, start reading here: https://docs.openstack.org/glance/latest/admin/db.html#high-level-database-architecture | 12:54 |
rm_work | Thanks a ton! Will read through that. | 13:08 |
rm_work | I think that OSSN-0075 doesn’t really apply because we’re doing this as part of a deployment automation thing. We delete and immediately recreate, and if the recreate failed (admittedly not atomic) we would see a broken pipeline | 13:12 |
rm_work | It’s for an ironic boot image that must be specified by uuid in the actual service config | 13:12 |
rm_work | Wish we didn’t have to purge literally all of them, just the single one | 13:13 |
opendevreview | Brian Rosmaita proposed openstack/glance-specs master: Fix redirects https://review.opendev.org/c/openstack/glance-specs/+/858377 | 13:15 |
rosmaita | rm_work: you might want to put something on the PTG etherpad, about a 'targeted purge' that could take an image_id as input | 13:17 |
rm_work | Hmm, ok | 13:18 |
rosmaita | other thing might be using the age parameter on the existing command | 13:18 |
rm_work | Well, it’s going to be like … ansible deletes the image, purges, makes the new image | 13:18 |
rosmaita | yeah, the age parameter is age_in_days, so not very fine-grained | 13:19 |
rm_work | So I’d need to limit it to “only stuff deleted in the last 5 mins”, which I think is the opposite of how that option works :( | 13:19 |
rm_work | Well, also it’s a “greater than X” right? | 13:19 |
rm_work | I’d need “less than X” | 13:20 |
rosmaita | yeah, you're right | 13:20 |
rm_work | To be honest, this is really just because there’s no “relaxed image” | 13:20 |
rm_work | … uhh sorry, autocorrect | 13:20 |
rm_work | “Replace image” command | 13:21 |
rm_work | Which would solve the security issue since only the owner of the image could do it | 13:21 |
rm_work | Though would allow for a malicious switch out I guess | 13:21 |
rosmaita | exactly | 13:21 |
rm_work | Could be admin only? :/ | 13:21 |
rosmaita | yeah, i don't know ... would definitely require some discussion | 13:23 |
rosmaita | rm_work: https://etherpad.opendev.org/p/antelope-ptg-glance-planning | 13:24 |
rm_work | Yeah for now I think it’s ok to just purge… users here don’t really use custom images so my concern is very low | 13:24 |
rm_work | But I’ll add it, thanks for the link | 13:24 |
rosmaita | cool | 13:24 |
rm_work | Looks more complex than just dropping a single line like I’m used to in Octavia, heh | 13:26 |
rm_work | I’ll do it after I get my coffee and am on my laptop | 13:26 |
rosmaita | rm_work: btw, the link to the spec mentioned in the docs above isn't working ... this may be helpful in why this isn't an easy issue: https://specs.openstack.org/openstack/glance-specs/specs/rocky/implemented/glance/mitigate-ossn-0075.html | 13:26 |
rm_work | Yes, useful, thanks. I do understand the issue, and I think you probably made the right choice here. I’m going to debate a bit about whether there’s an easy way for us to avoid this altogether. | 13:33 |
rm_work | Maybe we can just force a reconfiguration of ironic and restart the services every time we replace the image (likely the right call, thinking about it now) | 13:33 |
rm_work | I think the issue was in the past the two deployments were not really connected, so in isolation it made sense to just reuse the ID. | 13:34 |
rosmaita | rm_work: if you come up with a workable solution, would be nice of you to update the docs to describe the use case/solution, because I imagine other operators have this same issue | 13:35 |
rm_work | I think it might just be us doing something dumb because of a series of innocuous decisions that led to this state of affairs 😅 | 13:35 |
rm_work | In retrospect | 13:35 |
rosmaita | :D | 13:36 |
rm_work | The more I consider it, the more reusing the image ID seems unnecessary | 13:36 |
-opendevstatus- NOTICE: As of the weekend, Zuul only supports queue declarations at the project level; if expected jobs aren't running, see this announcement: https://lists.opendev.org/pipermail/service-announce/2022-September/000044.html | 13:38 | |
opendevreview | Brian Rosmaita proposed openstack/glance-specs master: Fix redirects https://review.opendev.org/c/openstack/glance-specs/+/858377 | 13:57 |
jokke_ | rm_work: Wouldn't it be easier to tell ironic to use the new image id after the recreate? | 14:01 |
jokke_ | rm_work: Glance does allow you to specify the image id when creating (as long as it doesn't collide) so you could just use different IDs between the runs when you actually need different images | 14:02 |
jokke_ | just a thought | 14:03 |
opendevreview | Brian Rosmaita proposed openstack/glance-specs master: Fix redirects https://review.opendev.org/c/openstack/glance-specs/+/858377 | 14:11 |
rm_work | Right, yes, we’d upload a new image and then tell Ironic to use it | 14:26 |
rm_work | It’s just a little backwards right now the way we deploy things, so need to figure out how/if we want to fix it | 14:26 |
*** EugenMayer8 is now known as EugenMayer | 17:33 | |
opendevreview | Cyril Roelandt proposed openstack/glance master: docs: hw_rng_model: Document that it has no effect since 'Ussuri' https://review.opendev.org/c/openstack/glance/+/703657 | 18:19 |