| mrjoshi | #startmeeting glance | 14:00 |
|---|---|---|
| opendevmeet | Meeting started Thu Feb 1 14:00:04 2024 UTC and is due to finish in 60 minutes. The chair is mrjoshi. Information about MeetBot at http://wiki.debian.org/MeetBot. | 14:00 |
| opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 14:00 |
| opendevmeet | The meeting name has been set to 'glance' | 14:00 |
| mrjoshi | #topic roll call | 14:00 |
| mrjoshi | #link https://etherpad.openstack.org/p/glance-team-meeting-agenda | 14:00 |
| mrjoshi | o/ | 14:00 |
| abhishekk | o/ | 14:01 |
| rosmaita | o/ | 14:01 |
| mrjoshi | PTL is not around today | 14:02 |
| croelandt | o/ | 14:02 |
| mrjoshi | shall we start? | 14:03 |
| croelandt | let's go! | 14:03 |
| mrjoshi | #topic release/periodic jobs updates | 14:03 |
| mrjoshi | M3 4 weeks from now | 14:04 |
| mrjoshi | Periodic jobs are all green | 14:04 |
| mrjoshi | moving ahead | 14:05 |
| mrjoshi | #topic Ceph capabilities settings for RBD glance_store driver | 14:05 |
| abhishekk | rosmaita, ^^ | 14:06 |
| rosmaita | hi | 14:07 |
| abhishekk | I think since we have rbd trash support now we don't need read only permission for volume pool | 14:07 |
| rosmaita | just want to point out that email/bug for anyone who wants to answer | 14:07 |
| rosmaita | i'm not so sure about that, but i don't know a lot about ceph | 14:08 |
| abhishekk | ack, thank you, Same goes with me, I have some supportive knowledge only | 14:09 |
| abhishekk | I will check and respond accordingly | 14:09 |
| mrjoshi | shall we move ahead? | 14:10 |
| abhishekk | yep | 14:11 |
| rosmaita | nothing more from me | 14:11 |
| mrjoshi | cool, moving ahead | 14:11 |
| mrjoshi | #topic What is the purpose of 'metadata_encryption_key' config option | 14:11 |
| mrjoshi | abhishekk, ^^ | 14:11 |
| abhishekk | that is me | 14:11 |
| abhishekk | I found it while testing location API work | 14:11 |
| abhishekk | I am wondering what is the use case behind this since it is just used while image upload and show case | 14:12 |
| abhishekk | location is not encrypted when location add api is used | 14:12 |
| abhishekk | So either we should enhance it or remove it | 14:12 |
| abhishekk | I will add this topic in upcoming PTG for more discussion | 14:13 |
| abhishekk | rosmaita, thank you for some inputs about it | 14:13 |
| rosmaita | np | 14:13 |
| rosmaita | it doesn't seem to be a useful capability | 14:13 |
| croelandt | The scrubber seems to be using it to decrypt the location | 14:13 |
| croelandt | but we're removing that so :) | 14:13 |
| rosmaita | well, i think the idea was there were some ancient backends where you had username/password in the location | 14:14 |
| rosmaita | and people didn't want that stuff sitting around in the database | 14:14 |
| rosmaita | but then they were perfectly ok with exposing it on image-show | 14:14 |
| croelandt | I see calls to crypt.urlsafe_encrypt, so are we not encrypting the location metadata in some circumstances? | 14:14 |
| rosmaita | which seems kind of ... sub-optimal | 14:14 |
| croelandt | oooh | 14:15 |
| rosmaita | yeah, i think by default we do not do it | 14:15 |
| abhishekk | and also threat-modeling is hovering over us, it is not advisable to store the key in config file | 14:15 |
| rosmaita | i agree | 14:16 |
| abhishekk | So either we remove it or we should enhance it to help us to overcome sec issue | 14:16 |
| rosmaita | i think the thing to do is just remove the capability | 14:16 |
| rosmaita | because to overcome the sec issue, we'd have to hand out the key to specific users who RBAC said are ok | 14:16 |
| rosmaita | i think it would be better to just use RBAC on the locations api directly | 14:17 |
| abhishekk | we can use barbican to store the key | 14:17 |
| rosmaita | that's true | 14:18 |
| abhishekk | for removing it, we need to follow deprecation life cycle | 14:18 |
| rosmaita | so i guess the question is whether there's any point keeping the data encrypted in the DB | 14:18 |
| abhishekk | we already store some encrypted data for image signature verification | 14:18 |
| abhishekk | if i am not wrong | 14:19 |
| abhishekk | I guess it's easier to remove it :D | 14:19 |
| abhishekk | less code to maintain | 14:19 |
| abhishekk | there is also 'digest_algorithm' option which is not used anywhere in glance | 14:20 |
| abhishekk | I think I am done, let's decide about it in PTG | 14:21 |
| abhishekk | mrjoshi, we can move ahead | 14:21 |
| mrjoshi | ok | 14:22 |
| mrjoshi | #topic Important Reviews | 14:22 |
| mrjoshi | Centralized cache DB - #link https://review.opendev.org/q/topic:%22centralized-cache-db%22 | 14:22 |
| abhishekk | please review it | 14:22 |
| rosmaita | :D | 14:23 |
| abhishekk | documentation part is pending, but end to end code is ready | 14:23 |
| mrjoshi | Remove incorrect validation for glance-download import method - #link https://review.opendev.org/c/openstack/python-glanceclient/+/907290 - (Required Backport till Antelope ) | 14:23 |
| mrjoshi | S3: Do not log access Key - #link https://review.opendev.org/q/I8dc564bed33d6fc71965f4f573ae9109b410b1d4 - (Required Backport till Zed/Yoga ) | 14:23 |
| mrjoshi | #link https://review.opendev.org/c/openstack/glance_store/+/906484 | 14:23 |
| abhishekk | from code to tempest to grenade it is there | 14:23 |
| rosmaita | nice work | 14:23 |
| abhishekk | thank you ;) | 14:24 |
| croelandt | ^ There are two patches for that access key security issue in the S3 driver | 14:25 |
| abhishekk | I am learning from dansmith :D | 14:25 |
| abhishekk | croelandt, I think you can approve them | 14:26 |
| mrjoshi | shall we move to open discussion? | 14:27 |
| abhishekk | yes | 14:27 |
| mrjoshi | moving ahead | 14:27 |
| croelandt | abhishekk: yes, apparently we also want to backport them to Z & Y | 14:27 |
| abhishekk | rosmaita, thank you for mail, let's wait for a couple of weeks | 14:27 |
| rosmaita | yes, let's see what happens | 14:28 |
| abhishekk | croelandt, we can once these merges | 14:28 |
| mrjoshi | #topic Open Discussion | 14:28 |
| abhishekk | I need to drop for another meeting | 14:28 |
| abhishekk | Thank you!! | 14:28 |
| rosmaita | abhishekk: i thought you wanted to talk about launchpad maintenance? | 14:28 |
| mrjoshi | launchpad maintenance - https://launchpad.net/glance, https://launchpad.net/glance-store, https://launchpad.net/python-glanceclient | 14:28 |
| abhishekk | we can revisit this next week | 14:28 |
| rosmaita | works for me! | 14:29 |
| abhishekk | thanks | 14:29 |
| rosmaita | mrjoshi: thanks for running the meeting | 14:29 |
| mrjoshi | shall we wrap up then? | 14:29 |
| mrjoshi | rosmaita, thanks! | 14:30 |
| rosmaita | i don't have anything more | 14:30 |
| mrjoshi | croelandt, ^^ | 14:30 |
| croelandt | Nothing :) | 14:31 |
| mrjoshi | cool, let's wrap up then | 14:31 |
| croelandt | thanks for taking care of this meeting | 14:31 |
| mrjoshi | no problem :) | 14:31 |
| mrjoshi | Thanks everyone for Joining!!! | 14:31 |
| mrjoshi | #endmeeting | 14:32 |
| opendevmeet | Meeting ended Thu Feb 1 14:32:12 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 14:32 |
| opendevmeet | Minutes: https://meetings.opendev.org/meetings/glance/2024/glance.2024-02-01-14.00.html | 14:32 |
| opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/glance/2024/glance.2024-02-01-14.00.txt | 14:32 |
| opendevmeet | Log: https://meetings.opendev.org/meetings/glance/2024/glance.2024-02-01-14.00.log.html | 14:32 |
| | *** tosky_ is now known as tosky | 23:14 |