Thursday, 2017-12-07

*** david-lyle has quit IRC [00:13]
*** edmondsw has quit IRC [01:12]
*** yamahata has joined #openstack-meeting-cp [01:40]
*** david-lyle has joined #openstack-meeting-cp [01:48]
*** david-lyle has quit IRC [02:00]
*** harlowja has quit IRC [02:22]
*** edmondsw has joined #openstack-meeting-cp [02:33]
*** edmondsw has quit IRC [02:37]
*** yamahata has quit IRC [02:41]
*** aselius has quit IRC [02:52]
*** coolsvap has joined #openstack-meeting-cp [03:13]
*** harlowja has joined #openstack-meeting-cp [04:39]
*** nhelgeson has quit IRC [05:06]
*** gouthamr has quit IRC [05:24]
*** harlowja has quit IRC [05:30]
*** brault has quit IRC [06:54]
*** kbyrne has quit IRC [09:31]
*** kbyrne has joined #openstack-meeting-cp [09:34]
*** ccha has quit IRC [09:39]
*** ccha has joined #openstack-meeting-cp [09:40]
*** andreaf has quit IRC [09:42]
*** andreaf has joined #openstack-meeting-cp [09:42]
*** sdague has joined #openstack-meeting-cp [10:56]
*** sdague has quit IRC [10:57]
*** sdague has joined #openstack-meeting-cp [11:22]
*** MarkBaker has joined #openstack-meeting-cp [12:51]
*** brault has joined #openstack-meeting-cp [13:36]
*** brault_ has joined #openstack-meeting-cp [13:38]
*** coolsvap has quit IRC [13:38]
*** brault_ has quit IRC [13:39]
*** brault_ has joined #openstack-meeting-cp [13:39]
*** brault has quit IRC [13:40]
*** MarkBaker has quit IRC [13:53]
*** edmondsw has joined #openstack-meeting-cp [14:30]
*** ttx has quit IRC [14:42]
*** ccha has quit IRC [14:48]
*** kbyrne has quit IRC [14:48]
*** _pewp_ has quit IRC [14:48]
*** lifeless has quit IRC [14:48]
*** breton has quit IRC [14:48]
*** fungi has quit IRC [14:48]
*** ameade has quit IRC [14:48]
*** TheJulia has quit IRC [14:48]
*** wxy has quit IRC [14:48]
*** robcresswell has quit IRC [14:48]
*** DuncanT has quit IRC [14:48]
*** johnthetubaguy has quit IRC [14:48]
*** gnarld_ has quit IRC [14:48]
*** eglute has quit IRC [14:48]
*** sdague has quit IRC [14:48]
*** nguyentrihai has quit IRC [14:48]
*** zigo has quit IRC [14:48]
*** jhesketh has quit IRC [14:48]
*** brault_ has quit IRC [14:48]
*** knikolla has quit IRC [14:48]
*** persia has quit IRC [14:48]
*** cmurphy has quit IRC [14:48]
*** melwitt has quit IRC [14:48]
*** kencjohnston has quit IRC [14:48]
*** benj_ has quit IRC [14:48]
*** notmyname has quit IRC [14:48]
*** hemna has quit IRC [14:48]
*** amrith has quit IRC [14:48]
*** tonyb has quit IRC [14:48]
*** homerp has quit IRC [14:48]
*** SergeyLukjanov has quit IRC [14:48]
*** fungi has joined #openstack-meeting-cp [14:54]
*** ameade has joined #openstack-meeting-cp [14:54]
*** TheJulia has joined #openstack-meeting-cp [14:54]
*** wxy has joined #openstack-meeting-cp [14:54]
*** robcresswell has joined #openstack-meeting-cp [14:54]
*** DuncanT has joined #openstack-meeting-cp [14:54]
*** johnthetubaguy has joined #openstack-meeting-cp [14:54]
*** nug has joined #openstack-meeting-cp [14:54]
*** eglute has joined #openstack-meeting-cp [14:54]
*** ttx has joined #openstack-meeting-cp [14:54]
*** breton has joined #openstack-meeting-cp [14:54]
*** lifeless has joined #openstack-meeting-cp [14:54]
*** _pewp_ has joined #openstack-meeting-cp [14:54]
*** ccha has joined #openstack-meeting-cp [14:54]
*** gouthamr has joined #openstack-meeting-cp [14:54]
*** brault_ has joined #openstack-meeting-cp [14:54]
*** sdague has joined #openstack-meeting-cp [14:54]
*** nguyentrihai has joined #openstack-meeting-cp [14:54]
*** knikolla has joined #openstack-meeting-cp [14:54]
*** zigo has joined #openstack-meeting-cp [14:54]
*** benj_ has joined #openstack-meeting-cp [14:54]
*** tonyb has joined #openstack-meeting-cp [14:54]
*** jhesketh has joined #openstack-meeting-cp [14:54]
*** notmyname has joined #openstack-meeting-cp [14:54]
*** hemna has joined #openstack-meeting-cp [14:54]
*** amrith has joined #openstack-meeting-cp [14:54]
*** persia has joined #openstack-meeting-cp [14:54]
*** homerp has joined #openstack-meeting-cp [14:54]
*** cmurphy has joined #openstack-meeting-cp [14:54]
*** melwitt has joined #openstack-meeting-cp [14:54]
*** kencjohnston has joined #openstack-meeting-cp [14:54]
*** SergeyLukjanov has joined #openstack-meeting-cp [14:54]
*** mtreinish has quit IRC [14:55]
*** yamahata has joined #openstack-meeting-cp [14:58]
*** mtreinish has joined #openstack-meeting-cp [14:59]
*** nug is now known as Guest20148 [15:20]
*** kbyrne has joined #openstack-meeting-cp [15:20]
*** nikhil has joined #openstack-meeting-cp [15:35]
*** yamahata has quit IRC [15:35]
*** mriedem has joined #openstack-meeting-cp [15:58]
<ildikov> #startmeeting cinder-nova-api-changes [16:00]
<openstack> Meeting started Thu Dec  7 16:00:04 2017 UTC and is due to finish in 60 minutes.  The chair is ildikov. Information about MeetBot at http://wiki.debian.org/MeetBot. [16:00]
<openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [16:00]
*** openstack changes topic to " (Meeting topic: cinder-nova-api-changes)" [16:00]
<openstack> The meeting name has been set to 'cinder_nova_api_changes' [16:00]
<ildikov> johnthetubaguy jaypipes e0ne jgriffith hemna mriedem patrickeast smcginnis diablo_rojo xyang1 raj_singh lyarwood jungleboyj stvnoyes [16:00]
<jungleboyj> @! [16:00]
<_pewp_> jungleboyj (。・∀・)ノ [16:00]
<mriedem> o/ [16:00]
<ildikov> I don't think we can expect too many more for today [16:01]
<ildikov> so let's do a quick recap [16:01]
<ildikov> on this week's happenings [16:01]
<ildikov> we have progress on the new attach patch in Nova, special and many thanks to mriedem [16:01]
* jungleboyj claps. [16:01]
<ildikov> this is how the field looks like right now: https://review.openstack.org/#/q/topic:bp/multi-attach-volume+(status:open+OR+status:merged) [16:01]
<ildikov> don't get caught up on the topic [16:02]
<ildikov> mriedem: so the question on my side now is that what's missing to be able to land the new attach patch and who's gonna do it? [16:02]
<mriedem> i will approve it once tests all pass [16:03]
<mriedem> however, [16:03]
<mriedem> https://bugs.launchpad.net/cinder/+bug/1736773 [16:03]
<openstack> Launchpad bug 1736773 in Cinder "attachment-show is including `connection_info` for non-admin callers, it shouldn't" [High,Triaged] - Assigned to John Griffith (john-griffith) [16:03]
<mriedem> concerns me [16:03]
<ildikov> in the sense of how we use it in the Nova code? [16:03]
<ildikov> or in general? [16:03]
<mriedem> depending on if/how that gets fixed, [16:03]
<mriedem> it could break nova [16:03]
<mriedem> as far as i know, nova isn't passing an admin token to get the attachment details [16:04]
<mriedem> it's using the user token [16:04]
<mriedem> or the nova service user token [16:04]
<mriedem> so if a policy rule goes into place to only return connection_info for an admin, that will break our existing code because we won't be able to get the connection_info [16:04]
<mriedem> as i said in the bug, [16:04]
<mriedem> i think this is super latent with the os-initialize_connection volume action api [16:05]
<mriedem> i'm not sure if there are different policy controls in place for those APIs in cinder, i didn't get that far [16:05]
<mriedem> or if there are any policy controls in place at all [16:05]
<ildikov> so should we switch to admin for that call now? [16:05]
<mriedem> well, it will depend [16:05]
<mriedem> as noted in the bug, [16:06]
<mriedem> the connection_info dict in the response contains things like details about the target and credentials [16:06]
<jungleboyj> *Sigh* [16:07]
<jungleboyj> Changing that is going to break stuff I am working on as well. [16:07]
<ildikov> so Nova is not supposed to get it at all? [16:07]
<mriedem> looks like this is a policy check on updating an attachment https://github.com/openstack/cinder/blob/master/cinder/volume/api.py#L2075 [16:07]
<mriedem> ildikov: nova must get it [16:07]
<mriedem> we use it to connect the volume to the host using brick [16:08]
<mriedem> comparing to os-initialize_connection, there is a policy rule on that too https://github.com/openstack/cinder/blob/master/cinder/volume/api.py#L782 [16:08]
<ildikov> ok, so what does it depend on whether or not to use admin context to get those details? [16:08]
<mriedem> https://github.com/openstack/cinder/blob/master/cinder/policies/volume_actions.py#L164 [16:08]
<mriedem> same as https://github.com/openstack/cinder/blob/master/cinder/policies/attachments.py#L37 [16:09]
<mriedem> but there isn't a policy rule for listing/showing attachment details [16:09]
<jungleboyj> Would be good to fix that with a policy setting so if there are people who want that exposed we can still get it. [16:09]
<ildikov> ah, ok, yeah [16:10]
<mriedem> ildikov: the issue is that i, as a non-admin user, can create a volume and attach it to an instance, [16:10]
<mriedem> and then get the details, as a non-admin, about the storage connection [16:10]
<mriedem> including target IP and credentials [16:10]
<mriedem> as i said, this has always been a problem with os-initialize_connection as far as i can tell [16:10]
<mriedem> the main difference is there was never a CLI for initializing a connection to get the connection_info back, but the REST API was always there for anyone that knows how to use curl [16:11]
<mriedem> there is a CLI for listing and showing volume attachment details [16:11]
<ildikov> ok, put it together now [16:12]
<ildikov> however it's a problem in general not just from Nova's perspective [16:12]
<ildikov> so we need to figure out how to handle this [16:13]
<ildikov> but do we need to hold the new attach patch on this? [16:13]
<mriedem> idk [16:14]
<mriedem> the thing is, [16:14]
<mriedem> let's say cinder adds a policy rule to not show connection_info unless you're an admin by default [16:14]
<jungleboyj> mriedem:  ++ [16:14]
<mriedem> that would require nova to add config and code for making sure we get an admin token for anytime we need that information, [16:14]
<mriedem> since the user token might not cut it [16:15]
<mriedem> and if you backport that change, [16:15]
<mriedem> it means breaking all existing deployments [16:15]
<mriedem> ^ if you also apply that policy change to os-initialize_connection [16:15]
<ildikov> do you mean that for initialize or the new attach api? [16:15]
<mriedem> i think if you fix this for the new API you also have to fix it for os-initialize_connection [16:16]
<mriedem> it's the same issue [16:16]
<ildikov> ok, but for os-initialize-connection that has nothing to do with what we do with the new flow [16:16]
<mriedem> i realize that [16:16]
<mriedem> but it doesn't make sense to say, "you can only get connection_info if you're an admin with this one API but not this other API" [16:16]
<mriedem> e.g., [16:16]
<mriedem> i could attach a volume with the new flow, [16:17]
<mriedem> and then curl to os-initialize_connection to get those details [16:17]
<ildikov> yeah, I got the point [16:17]
<ildikov> so the question now whether or not to fix it? [16:17]
<ildikov> or whether or not fix and backport it? [16:17]
<mriedem> yeah [16:18]
<mriedem> if nova.conf is always configured to talk to cinder with a user that has the admin role, then it might be ok [16:18]
<mriedem> but i don't think we say anywhere that has to be the case [16:19]
<ildikov> yeah, that would solve the issue [16:19]
<jungleboyj> mriedem:  That seems like a reasonable limitation to set. [16:19]
<mriedem> the only other service i know of that nova talks to with an admin token at times is neutron [16:20]
<mriedem> and that's to do things with the port binding profile [16:20]
<mriedem> which is like a connection_info for a volume [16:20]
<ildikov> well, if the issue is that we basically don't want users to access the connection_info just haven't fixed that for whatever reason till now, then I guess that's ok if Cinder becomes another service like Neutron [16:21]
<jungleboyj> ildikov: ++ [16:21]
<ildikov> it seems that it would be nice to get this fixed at a certain point [16:21]
<jungleboyj> And if we can fix the connection_info with a policy then it gives users who don't want to use an admin user an option. [16:21]
<mriedem> devstack sets up the neutron creds in nova.conf with an admin user https://github.com/openstack-dev/devstack/blob/master/lib/neutron-legacy#L372 [16:22]
<ildikov> and I feel the pain, but at least good things come out of implementing the new flow if we fix for instance this one [16:22]
*** aselius has joined #openstack-meeting-cp [16:23]
<mriedem> we don't set credentials in [cinder] in nova.conf in devstack at all [16:23]
<mriedem> so everything we test against today in CI is using the user token [16:23]
<ildikov> so it's Cinder code change, Nova code change plus devstack fix [16:23]
<ildikov> also I need to run in 10 minutes :/ [16:24]
<jungleboyj> Bummer.  More moving pieces. [16:24]
<ildikov> so questions [16:24]
<mriedem> well, it requires some thought on how you roll something like this out [16:25]
<mriedem> if you're going to backport it [16:25]
<mriedem> i think if you add a policy control for both cinder APIs, [16:25]
*** MarkBaker has joined #openstack-meeting-cp [16:25]
<mriedem> it has to default to admin_or_owner to not break existing code [16:25]
<mriedem> with clear documentation that if you change that to admin-only, then the [cinder] creds in nova.conf must be an admin user [16:25]
<jungleboyj> mriedem:  That sounds good. [16:26]
<ildikov> agreed [16:27]
<ildikov> so would this all happen before thinking about landing the new attach code? [16:27]
<mriedem> if the fix in cinder is backward compatible, then no [16:28]
<jungleboyj> mriedem:  Why is that? [16:28]
<ildikov> so I guess we need to chat with jgriffith to ensure it is backward compatible [16:28]
<mriedem> because i would prefer to not merge code that is immediately broken [16:29]
<mriedem> the release note on the new flow attach code in nova says that this is all basically internal plumbing changes, no impacts to existing stuff, [16:29]
<mriedem> and should work as long as computes are upgraded and cinder 3.44 is available [16:29]
<mriedem> i don't want to add a "oh btw you need to run with an admin user now for cinder too btw for this new code to work" [16:29]
<ildikov> which should still be true with admin_or_owner, right? [16:30]
<mriedem> "even though this was always a problem" [16:30]
<mriedem> ildikov: yes admin_or_owner is fine [16:30]
<ildikov> well, we said we would fix both [16:30]
<mriedem> the user token is the owner of the instance and volume [16:30]
<jungleboyj> mriedem:  Fair enough. [16:30]
<ildikov> so if we break one we break the other one too [16:30]
<mriedem> otherwise you can't GET the volume [16:30]
<ildikov> yeah, that's what I meant [16:30]
<ildikov> just stopped to be sure at anything recently [16:30]
<mriedem> so i'll update the bug with notes [16:32]
<mriedem> and thoughts [16:32]
<mriedem> john is at kubecon? [16:32]
<ildikov> yes, he is [16:32]
<mriedem> ok [16:32]
<ildikov> he's occasionally available, he has a talk I don't know when [16:32]
<ildikov> so let's hold the code until we had a chat with him about this [16:33]
<ildikov> we might have a cinderclient soon with the shared_targets microversion [16:33]
<jungleboyj> ildikov:  Yes, I would like to get that through today. [16:33]
<ildikov> mriedem: should I bump the microversion in the new attach patch if that gets out in the meantime? [16:33]
<jungleboyj> I guess I could ninja merge the 3.48 patch. [16:33]
<ildikov> jungleboyj: nice, thanks! [16:33]
<ildikov> jungleboyj: yeah, that's just a version bump, nothing else if everything else is in place [16:34]
<jungleboyj> Would kind-of like jgriffith 's sign off though. [16:34]
<mriedem> what is 3.48 [16:34]
<mriedem> ? [16:34]
<mriedem> shared_targets? [16:34]
<ildikov> yes [16:34]
<jungleboyj> mriedem: Yep. [16:34]
<mriedem> meh - at this point i think what we have is ok based on our discussion yesterday [16:34]
<mriedem> the multiattach code in nova can always check that cinder has 3.48 [16:35]
<mriedem> before it allows attaching a multiattach volume to >1 instance [16:35]
<ildikov> we just didn't have some previous microversion changes implemented in the client [16:35]
<mriedem> i would say don't rush the cinder side [16:35]
<mriedem> we're not blocked [16:35]
<ildikov> well, it's almost done [16:35]
<mriedem> except for all the client stuff it sounds like, plus a release, etc [16:35]
<ildikov> and then we have one less thing to keep in mind, which might be nice every now and then [16:35]
<ildikov> the stuff is mainly on the gate now [16:36]
<ildikov> and the client side changes need to land anyway otherwise we mess up like the last time... [16:36]
<ildikov> ok, let's talk to jgriffith and then we will see where things are and move forward [16:36]
<jungleboyj> :-)  I will see if jgriffith pops on later.  If he doesn't I will just merge it and propose the release. [16:36]
<mriedem> don't you guys have other cores? [16:37]
<mriedem> i know sean is gone too [16:37]
<mriedem> but [16:37]
<jungleboyj> Yep .... [16:37]
<jungleboyj> mriedem:  Don [16:37]
<jungleboyj> 't get me started . [16:37]
<mriedem> i'd just rather not rush things [16:37]
<mriedem> you want to make me core? [16:37]
<mriedem> joking [16:38]
<ildikov> ok, we can skip the version bump and just get things tidy in the cinderclient for its own sake [16:38]
<mriedem> but i can hear your gears grinding from here [16:38]
<jungleboyj> mriedem:  That could be arranged. [16:38]
<ildikov> ok guys, I need to run [16:38]
<jungleboyj> I wish I could remove some of the other cores to more realistically show the state of things. [16:38]
<jungleboyj> ildikov:   Ok, thank you. [16:38]
<ildikov> is there anything else we need to chat/could decide about here? [16:38]
<mriedem> nope [16:39]
<jungleboyj> I will continue to curate the client patches. [16:39]
<ildikov> ok, cool, thank you both [16:39]
<ildikov> let's keep in touch on the channels [16:39]
<jungleboyj> ildikov:  Will do. [16:39]
<ildikov> jungleboyj: thank you [16:39]
<ildikov> jungleboyj: and you're the PTL, you can do whatever you want ;) [16:39]
<ildikov> chat later guys! [16:39]
<ildikov> #endmeeting [16:39]
*** openstack changes topic to "OpenStack Meetings || https://wiki.openstack.org/wiki/Meetings" [16:39]
<openstack> Meeting ended Thu Dec  7 16:39:53 2017 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [16:39]
<openstack> Minutes:        http://eavesdrop.openstack.org/meetings/cinder_nova_api_changes/2017/cinder_nova_api_changes.2017-12-07-16.00.html [16:39]
<openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/cinder_nova_api_changes/2017/cinder_nova_api_changes.2017-12-07-16.00.txt [16:39]
<openstack> Log:            http://eavesdrop.openstack.org/meetings/cinder_nova_api_changes/2017/cinder_nova_api_changes.2017-12-07-16.00.log.html [16:39]
*** mriedem has left #openstack-meeting-cp [16:40]
*** yamahata has joined #openstack-meeting-cp [16:58]
*** felipemonteiro_ has joined #openstack-meeting-cp [17:06]
*** yamahata has quit IRC [17:06]
*** harlowja has joined #openstack-meeting-cp [17:08]
*** nhelgeson has joined #openstack-meeting-cp [17:28]
*** brault_ has quit IRC [17:39]
*** brault has joined #openstack-meeting-cp [17:40]
*** brault has quit IRC [17:45]
*** felipemonteiro_ has quit IRC [18:22]
*** nikhil has quit IRC [18:34]
*** edmondsw has quit IRC [19:00]
*** felipemonteiro_ has joined #openstack-meeting-cp [19:10]
*** felipemonteiro__ has joined #openstack-meeting-cp [19:11]
*** felipemonteiro_ has quit IRC [19:15]
*** harlowja has quit IRC [19:21]
*** edmondsw has joined #openstack-meeting-cp [19:35]
*** edmondsw has quit IRC [19:39]
*** edmondsw has joined #openstack-meeting-cp [19:41]
*** edmondsw has quit IRC [19:45]
*** edmondsw has joined #openstack-meeting-cp [19:52]
*** edmondsw has quit IRC [19:56]
*** edmondsw has joined #openstack-meeting-cp [19:58]
*** edmondsw has quit IRC [19:58]
*** edmondsw has joined #openstack-meeting-cp [19:58]
*** brault has joined #openstack-meeting-cp [19:58]
*** edmondsw has quit IRC [20:02]
*** edmondsw has joined #openstack-meeting-cp [20:07]
*** edmondsw has quit IRC [20:12]
*** nguyentrihai has quit IRC [21:29]
*** Guest20148 has quit IRC [21:43]
*** eglute has quit IRC [21:43]
*** MarkBaker has quit IRC [21:45]
*** Guest20148 has joined #openstack-meeting-cp [21:48]
*** eglute has joined #openstack-meeting-cp [21:48]
*** felipemonteiro__ has quit IRC [21:57]
*** Guest20148 has quit IRC [22:36]
*** eglute has quit IRC [22:36]
*** Guest20148 has joined #openstack-meeting-cp [22:42]
*** eglute has joined #openstack-meeting-cp [22:42]
*** yamahata has joined #openstack-meeting-cp [22:44]
*** felipemonteiro_ has joined #openstack-meeting-cp [22:57]
*** gouthamr has quit IRC [22:59]
*** markvoelker has quit IRC [23:03]
*** markvoelker has joined #openstack-meeting-cp [23:04]
*** MarkBaker has joined #openstack-meeting-cp [23:05]
*** MarkBaker has quit IRC [23:05]
*** harlowja has joined #openstack-meeting-cp [23:07]
*** felipemonteiro_ has quit IRC [23:22]
*** yamahata has quit IRC [23:29]
*** gouthamr has joined #openstack-meeting-cp [23:41]
