Tuesday, 2021-10-05

« Monday, 2021-10-04 Index Wednesday, 2021-10-06 »
gibi_jralbert: you need bauzas to wake up (he is in EU timezone)06:45
bauzasgood morning Nova07:17
bauzasgibi, _jralbert: what's up ?07:17
bauzasoh the reboot case07:17
bauzasthere is an open bug I need to correctly care https://bugs.launchpad.net/nova/+bug/190080007:18
gibibauzas: I knew that you know more08:37
bauzasgibi: I know you knew I know ;)08:38
* bauzas starts to work on some agenda for the PTG08:38
gibi:)08:38
opendevreviewBalazs Gibizer proposed openstack/nova master: DNM Trigger tests with new eventlet and dnspython  https://review.opendev.org/c/openstack/nova/+/81245608:55
opendevreviewLee Yarwood proposed openstack/nova master: zuul: Move live migration jobs back to voting  https://review.opendev.org/c/openstack/nova/+/81239209:46
opendevreviewLee Yarwood proposed openstack/nova master: Revert "zuul: Skip block migration with attached volumes tests due to bug #1931702"  https://review.opendev.org/c/openstack/nova/+/81247309:46
lyarwood^ okay this is looking good now 09:47
lyarwoodI can't believe I didn't see this earlier but there we go09:47
gibibetter later than never ;)09:47
bauzaslyarwood: I promise I'll look at your changes10:28
bauzaslyarwood: actually, I had a comment for the devstack change https://review.opendev.org/c/openstack/devstack/+/812391/4/lib/nova#30210:34
lyarwooddone10:36
* lyarwood -> lunch/fuel hunting10:39
lyarwoodactually I'm going to drop for a while this afternoon, could use the air ahead of being locked down until surgery next Tuesday, back online this evening UK time11:24
lyarwoodif anything comes up with the initiator change feel free to respin before I'm back11:25
kashyapgibi: For later: Does chengsheng's response on this help any bit? -- https://review.opendev.org/c/openstack/nova/+/762330/13:12
kashyapI'd like to make some time to get this to completion.  The lack of these two newer and better APIs is causing subtle live migration bugs :-(13:13
gibikashyap: added to my queue but wont reach it today13:17
kashyapDoes not have to be today :)13:18
*** artom_ is now known as artom13:18
gibikashyap: but thank you for the ping, I already forgot about his patch13:19
*** dpawlik2 is now known as dpawlik13:31
bauzasartom_: sean-k-mooney: looks to me some SRIOV live migration issue https://bugs.launchpad.net/nova/+bug/194461913:53
sean-k-mooneyill take a look but this is technially hardwoar offloade ovs if they are usign switch dev13:54
artom_bauzas, hrmm, looks we're not cleaning up properly in some cases13:55
sean-k-mooneycurrently we do not support live migration with vdpa13:55
artom_Though I don't like "provoke an error in pre_live_migration"13:55
bauzasartom_: can we triage this one ?13:55
*** artom_ is now known as artom13:55
sean-k-mooneyso if they are usign the sriov nic agent they may not use switchdev mode13:55
sean-k-mooneyif they are using switchdev mode then they have to use ovs hardware offload instead13:55
artombauzas, it'd be cool if they could upload full nova compute logs that include the error, ideally without the failure being "provoked" manually13:58
bauzasthey gave us some pastebin https://paste.ubuntu.com/p/ThQmDYtdSS/13:59
bauzasartom: ^13:59
artombauzas, yeah, I'm not a fan of them triggering the failure by manually creating the destination instance disk14:02
artomBut I suppose it *could* happen organically, so Nova needs to handle it correctly?14:02
bauzasartom: here, I don't really want to discuss about the bug, but rather about its upstream triage14:03
bauzasartom: if you think they need to give us some other verification, could you ask it in the bug report and punt it to the 'Incomplete' status ?14:04
artombauzas, valid, I suppose, then14:05
bauzasartom: ack, could you then triage it ?14:05
artomTbh, I don't know the gritty hardware details to understand what sean-k-mooney was saying about various levels of support in variou backends14:05
sean-k-mooneyim currently responding to it to level set what shoudl be supproted and what is not ssupproted14:06
sean-k-mooneyCheck the logs for: libvirt.libvirtError: Requested operation is not valid: PCI device 0000:03:04.1 is in use by driver QEMU, domain instance-0000000114:06
sean-k-mooney^ that seams to be the error they are reporting that breaks the roolback14:07
sean-k-mooneythat is not related to sriov live migration14:07
sean-k-mooneythat is cause by previou incorrect unshleves and possible cold migrations14:07
sean-k-mooneybauzas: artom  is aredally working on a fix for the in use device issue14:08
bauzaskk14:08
artomThe unshelve fix? It merged in master, currently sitting on Victoria in the backport train14:08
artomDepending on lyarwood's "controversial" helper backport here: https://review.opendev.org/c/openstack/nova/+/791481/114:09
sean-k-mooneyartom: that is part of it yes14:09
sean-k-mooneythe unsleve fix14:09
sean-k-mooneyalthough gibi also has another  upstream bug for it which i am looking for currently14:09
sean-k-mooneyoh actully no that was a different issue14:14
sean-k-mooneyso the in use port i am pretty sure was cause by the unshelve of a vm previously14:14
sean-k-mooneyits not related to the sriov live migration14:15
* bauzas needs to disappear for getting her kid, see you in 20 mins-ish14:18
sean-k-mooneybauzas: artom  im 99% sure this is hardware offload ovs not standard sriov by the way14:29
artomsean-k-mooney, what's the difference?14:38
sean-k-mooneyartom: they have very different code paths15:03
sean-k-mooneyartom: for standard sriov all the interface configuretion is doen by libvirt15:03
opendevreviewMerged openstack/nova master: nova-manage: Ensure mountpoint is passed when updating attachment  https://review.opendev.org/c/openstack/nova/+/81171315:03
sean-k-mooneyfor hardware offload ovs os-vif need to create ovs ports and add representor netdevs to ovs and the neutron l2 agent or ovn need to configure ovs to do thinks like vlan tagging15:04
sean-k-mooneyso the neutron contol path gose via ovn or the l2 agent not the sriov nic agent15:05
sean-k-mooneythe nic is in swtichdev mode not in legacy15:05
sean-k-mooneyvlan enfromanet is done via ovs not libvirt and you can use geneve/vxlan networks not just flat/vlan15:06
sean-k-mooneythere are some other difference too but those are the main ones15:11
yoctozeptofrickler: as centos has 5.1 - did you check the qemu cmdline there?15:12
fricklersean-k-mooney: continuing about the qemu on debian discussion: these are instances with the same flavor (256M ram) in ubuntu and debian https://paste.opendev.org/show/809797/15:13
frickleryoctozepto: didn't hold that job yet, can do tomorrow15:13
*** whoami-rajat__ is now known as whoami-rajat15:13
yoctozeptofrickler: ok15:13
yoctozeptoI feel it might be reserving an extra chunk of mem for no reason15:13
yoctozeptoas it specifies the size there twice explicitly15:14
fricklersean-k-mooney: the machine types look similar, but the added memory-backend option looks suspicous. but I assume that is added by libvirt, not nova?15:14
yoctozepto<< If "-machine memory-backend" is explicitly provided, "-m X" value must match specified backend's size >>15:15
yoctozeptoso by those semantics, it's just an unwieldy cmdline parsing assumption15:15
frickler(context: devstack jobs on debian are ooming when tempest runs non-serial, see https://review.opendev.org/c/openstack/devstack/+/789083 )15:15
yoctozeptoand should not consume more15:15
yoctozeptobut who knows (-:15:16
bauzasreminder, nova meeting in 44 mins here in this channel #openstack-nova15:16
sean-k-mooneyfrickler: yoctozepto  sorry was updating a bug reading back15:33
sean-k-mooneyfrickler: the macine types are similar but different version  pc-i440fx-4.2 vs  pc-i440fx-5.215:35
sean-k-mooneyfrickler: yoctozepto regarding sepcifying the memory twice 15:37
sean-k-mooney-machine pc-i440fx-5.2,accel=tcg,usb=off,dump-guest-core=off,memory-backend=pc.ram -cpu qemu64 -m 256 -object memory-backend-ram,id=pc.ram,size=26843545615:37
sean-k-mooneythe -m 256 is the old way to specify it and memory-backend=pc.ram -object memory-backend-ram,id=pc.ram,size=26843545615:37
sean-k-mooneyis the new way but you should be able to specify both15:38
sean-k-mooneywithout it increase the memory allcoation 15:38
sean-k-mooneyyoctozepto: frickler  those commandline should result in the same behavior as far as i can see but this delta is cause by differnt libvirt versions 15:39
sean-k-mooneythe nova generated xml shoudl be identicaly15:39
sean-k-mooneydebian is using libvirt 7.0.0 and ubuntu is using 6.0.015:40
sean-k-mooneyfrickler: do you have the actual job logs so we can compare the nova xmls and ensure they are the same15:46
sean-k-mooneyif the xml created by nova is the same in both cases this is a libvirt/qemu bug most likely15:47
bauzasnova meeting starting in 1 min15:59
bauzas#startmeeting nova16:00
opendevmeetMeeting started Tue Oct  5 16:00:20 2021 UTC and is due to finish in 60 minutes.  The chair is bauzas. Information about MeetBot at http://wiki.debian.org/MeetBot.16:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.16:00
opendevmeetThe meeting name has been set to 'nova'16:00
bauzashowdy folks16:00
dansmitho/16:00
elodilleso/16:00
gibio/16:00
bauzas#link https://wiki.openstack.org/wiki/Meetings/Nova#Agenda_for_next_meeting16:01
bauzasshould hopefully be quickier than last week16:01
bauzaslet's start, people will come along16:01
bauzas #topic Bugs (stuck/critical) 16:01
bauzas One Critical bug16:02
bauzas#link https://bugs.launchpad.net/nova/+bug/194598316:02
bauzasthat said, it's triaged incomplete for us and I think the root cause is on devstack16:02
sean-k-mooneyo/16:02
bauzasI voted on lyarwood's change, we're waiting for devstack cores to look at it16:03
sean-k-mooneyah the iscsi issue16:03
bauzascorrect16:03
gibiso we can get back the live migration coverage16:03
bauzasyup, that's what I was about to say16:03
bauzasthere is a Depends-On this change16:03
bauzasfor enabling again the job16:04
bauzas#link https://review.opendev.org/c/openstack/devstack/+/81239116:04
bauzas#link https://review.opendev.org/c/openstack/nova/+/81239216:04
bauzasI'm gonna approve the nova change 16:04
bauzasbut we need the devstack change first16:05
bauzasany questions about this one ? I think most of us covered this one16:05
sean-k-mooneyi think it has a bug16:05
sean-k-mooneyi dont see where iscsi-iname is set16:05
sean-k-mooneyunless that is a command?16:06
sean-k-mooneyah16:06
bauzasI expect this to be a command16:06
sean-k-mooneyit is16:06
sean-k-mooneyhttps://linux.die.net/man/8/iscsi-iname16:06
sean-k-mooneyok then it looks fine16:06
bauzasI verified our docs16:06
bauzasand it generates the FQDN and the port16:06
sean-k-mooneyyep16:06
bauzassomething like example.org:800816:06
bauzasok, moving on then16:07
bauzas #link 13 new untriaged bugs (+0 since the last meeting): #link https://bugs.launchpad.net/nova/+bugs?search=Search&field.status=New16:07
bauzaswe did a few triage16:07
bauzasthanks to the ones who did that16:07
bauzaswe still have a backlog and I'll try to see how to reduce it16:08
bauzasmore to discuss next week if I can't16:08
bauzas No open bug marked with xena-rc-potential tag #link https://bugs.launchpad.net/nova/+bugs?field.tag=xena-rc-potential16:08
bauzasactually this one is no longer needed, we're past RC16:08
bauzas #topic Gate status 16:08
bauzas Nova gate bugs #link https://bugs.launchpad.net/nova/+bugs?field.tag=gate-failure16:09
bauzasas we discussed, we're going to enable the live-migration job back16:09
bauzascongrats to lyarwood for his effort16:09
bauzas Placement periodic job status #link https://zuul.openstack.org/builds?project=openstack%2Fplacement&pipeline=periodic-weekly16:09
bauzasplacement periodic jobs look fine, nothing to say16:09
bauzasany other point to address about the gate status ?16:10
bauzasmost of the wonky issues we had last week were fixed (thanks gmann for tracking it, btw.)16:10
bauzasnothing ? okay, let's continue16:11
bauzas #topic Release Planning 16:11
bauzas Release tracking etherpad #link https://etherpad.opendev.org/p/nova-xena-rc-potential16:11
bauzas Final release candidates for both Nova and Placement are RC216:11
bauzas The new Xena OpenStack release will be on Wednesday (based on our RC2s)16:11
bauzas(or maybe Thursday, I'm unsure about the exact date)16:12
bauzasanything to mention about Xena ?16:12
sean-k-mooneyack is the review to the release repo proposed yet16:12
bauzaswe'll do a retrospective at the PTG16:12
bauzassean-k-mooney: you mean the final tags ?16:13
gibihttps://review.opendev.org/c/openstack/releases/+/81225116:13
bauzasthanks gibi16:13
sean-k-mooneyyes16:13
bauzasI'll look at it tonight16:13
bauzas #topic Review priorities 16:14
bauzas#link  https://review.opendev.org/q/status:open+(project:openstack/nova+OR+project:openstack/placement)+label:Review-Priority%252B116:15
bauzasI made a few runs over some16:15
bauzasI'll continue this week16:15
bauzasif people have changes they'd like to get reviews, ping me 16:15
bauzasok, I assume no asks16:17
bauzas #topic PTG Planning 16:17
bauzas every info is in the PTG etherpad #link https://etherpad.opendev.org/p/nova-yoga-ptg16:17
bauzasI started to look at it 16:17
bauzasfor the moment, I haven't moved the topics to group themselves by common interest, we only have a few of them16:17
bauzasin the last week, I'll shuffle them if needed16:18
bauzasnothing more boring than a placement-then-something-else-then-placement session :)16:18
gibibauzas: will there be TC - PTL meeting during the PTG?16:19
bauzasI guess americans would appreciate to wake up later if placement was grouped early in the morning their time :)16:19
bauzasgibi: excellent question, haven't heard yet16:19
gibihm If my memory serves we had such last time but I might be mistake16:19
gibin16:19
bauzasI even don't know if the TC came up with an agenda 16:19
bauzasdansmith: do you know if there will be some session like it ?16:20
dansmithum, 16:20
bauzasmaybe about the next upstream priorities ?16:20
dansmiththere's a ptl interaction session16:20
dansmiththere's a goals session16:20
dansmithI don't think there's a clear schedule yet, but the days (mon, thu, fri) are defined16:21
dansmithhttps://etherpad.opendev.org/p/tc-yoga-ptg16:21
bauzasok, I need to do homework then and look at them16:21
bauzasdansmith: thanks16:21
gibithanks16:21
bauzasI also need to look at the goals candidates16:21
bauzas(if we have some of them already)16:21
dansmithrbac, I think, at least16:22
dansmithshould be uncontentious16:22
dansmithbut the session doesn't mention specific16:22
dansmith*specifics16:22
bauzasI'd appreciate if we could exactly define the needed efforts for rbac into our project16:22
bauzasbut I'll take a look 16:22
bauzasone thing I wanted to stress on,16:23
bauzas we're missing at the moment cinder, neutron and keystone cross-project discussions16:23
sean-k-mooneyi think most of the rbac effrort will be with interacting with other project16:23
artomI thought we were done with rbac?16:23
sean-k-mooneye.g. making sure we can call neutron with system scopted tokens16:23
dansmithartom: we're done getting ready for rbac :)16:23
bauzasartom: sean-k-mooney: maybe, that's why I want to exactly know the key objectives for this proposed goal16:23
artomdansmith, right, I meant Nova is read, other projects aren't yet, hence the custom policy "workaround" that's currently up for review16:24
artom*ready16:24
dansmithartom: ready, but not completed, AIUI16:24
bauzasme too16:24
sean-k-mooneynova can be called with the secure rbac16:24
sean-k-mooneythat does not mean it can call other project properly with it16:25
sean-k-mooneyor that they can call nova with it16:25
dansmithcan you manage aggregates with a non-project-scoped admin token?16:25
bauzaswe need at least some CI job running 16:25
sean-k-mooneyproably not16:25
dansmithand my next question was, if so, is it tested? :)16:25
bauzasto identify the potential gaps16:25
sean-k-mooneybauzas: yes that is part of the scope of the goal16:25
gibialso we have the specify-target-host-with-project-admin issue open16:25
sean-k-mooneyso likely we have work to do16:26
dansmithgibi: yeah, so beyond "meh, it probably works" I expect there are lots of corner cases like that16:26
bauzasgibi: correct, hence my "we need to understand the goal's objectives"16:26
gibiexactly16:26
dansmithhence, I said "done getting ready" :)16:26
gibi:)16:26
bauzaslol16:26
bauzasok, I think we're done with that for now :)16:26
gibiwe are ready to do the _real_ work :D16:26
sean-k-mooneywe can discuss more at the ptg but i think it would be nice if we aimed to have a RBAC job running by m116:26
sean-k-mooneyto give use time to fix the issue it will find16:27
artomCan we do a nova-only job for that?16:27
artomI keep hearing it's "all or nothing"16:27
gibisean-k-mooney: I'm not even sure tempest is ready to add RBAC testing16:27
dansmithgibi: I think it is16:27
sean-k-mooneylance has been working on some limited testing16:27
gibiahh OK16:27
artomActually, do we even need tempest?16:27
sean-k-mooneywith tempest16:27
sean-k-mooneyartom: yes we do16:28
dansmithgibi: glance is testing it with its tempest plugin16:28
artomSmells like something we can do in functional tests, no?16:28
dansmithbut it's much easier to test glance in isolation than nova16:28
sean-k-mooneyartom: no16:28
gibidansmith: cool, so we have an example16:28
sean-k-mooneywe need to test interservice interaction16:28
dansmithdefinitely need tempest, IMHO16:28
bauzasoh yes16:28
dansmithfunctional will definitely not cut it16:28
sean-k-mooneylances intiall testing show we cant boot with a neutron port16:28
bauzascan't see how we could achieve this without tempest16:28
sean-k-mooneybecause neturon as configured by devstack at lest currently cant send the network plugged event correctly16:28
dansmithsean-k-mooney: is that their fault or ours?16:29
sean-k-mooneyso we definetly need to do tempeest integration testing16:29
dansmithseems like it's likely ours16:29
bauzaswe need a job16:29
sean-k-mooneydansmith: not sure yet proably a mix of devstack config and our policy16:29
dansmithor maybe a combo I guess. if they use a system-scoped token but need to augment with project maybe16:29
dansmithsean-k-mooney: ack16:29
bauzasand first and foremost, we need people working on it, if so :)16:29
sean-k-mooneyi think it enabeld the new policy on our side but did not create the nova user with the right scope and neutron config16:29
dansmithsean-k-mooney: honestly, I probably need to think on how that event interface should work16:30
sean-k-mooneyso we enforced scope but the token neutron used did not have system scope but was an admin token16:30
dansmithlike maybe a system-scoped token that looks up any instance on the system is okay16:30
dansmithI would normally think that should be project-scoped, because instances are project-scoped and events are tied to instances16:31
dansmithbut it's intended to mostly be used by other services, so .. I dunno16:31
sean-k-mooneyi think it should be system scope16:31
bauzasdo we have sort of guidance from the keystone team about those events ?16:31
sean-k-mooneybecasue as you said this is for service to service interaction16:31
sean-k-mooneybut ya its tricky16:31
bauzasor is it us just picking what we want ?16:31
dansmithsean-k-mooney: but it's not something you can ever do without a project-scoped resource ...16:31
dansmithbauzas: we should probably consult a bit16:31
sean-k-mooneydansmith: yep which is why its tricky 16:32
dansmiththis is kinda my problem with system scope, is that it actually doesn't apply to a lot of stuff, because almost everything is a project-scoped resource16:32
artomCan ports ever be system-scope?16:32
artomInstances are obviously project-scope, but Neutron external events have to do with ports as well16:32
sean-k-mooneyim a little relucted to say that api should be project-admin however16:32
bauzasif that becomes a goal, we need some owner of this goal, just sayin' :)16:32
dansmithaggregates are the one example of a system-scoped resource I use a lot16:32
artomIs there some funky network topology that can have system-scoped ports?16:32
dansmithsean-k-mooney: that's another thing, definitely doesn't need admin16:32
sean-k-mooneydansmith: it proably shoudl be system-admin with project-ide set16:32
dansmithsean-k-mooney: that's project-scoped, AFAIK16:33
dansmithevents don16:33
dansmithdon't need to be admin either16:33
sean-k-mooneythe event api is admin only16:33
dansmiththey don't need to be, and I don't think they initially were16:33
sean-k-mooneysince enduser including operators are not ment to call it16:33
dansmithbut admin != scope16:34
dansmithanyway16:34
dansmithclearly needs some discussion and thinking16:34
sean-k-mooneywe could make it system member16:34
sean-k-mooneyso yes16:34
sean-k-mooneywe could drop admin but ya16:34
bauzascould we now put our thoughts into https://etherpad.opendev.org/p/nova-yoga-ptg L204 and move to other things ?16:34
sean-k-mooneylets defer for now16:34
sean-k-mooneyam sure but we might want a sperate etherpad16:34
sean-k-mooneylinked form there to go though this in more detail16:35
bauzassean-k-mooney: feel free to link to it16:35
bauzasalso, this ties to my other point 16:35
bauzasfor the moment, we don't have cinder, neutron and keystone cross project sessions at the PTG16:35
bauzasI'd recommend us to engage some talks with the keystone team so we could wrap some stuff about RBAC during the PTG :)16:35
bauzasjust sayin'16:35
sean-k-mooneyif we had a neutorn one i have one potential topic16:35
sean-k-mooneyhttps://etherpad.opendev.org/p/ovn_live_migration16:36
bauzasok, so, I guess I can ask the neutron folks and the keystone folks at least16:36
bauzasfor timeslots16:36
gibiI don't have any neutron topic at the momement16:36
bauzaslyarwood or others, do people feel wanting to discuss some cinder topics ?16:36
artomI believe he dropped off early today, might want to check with him async16:37
sean-k-mooneyi think lee had one topic but lee wont be able to attend the PTG16:37
bauzasgibi: I'll ask the neutron team if they have nova-specific concerns too16:37
bauzasI know lyarwood wants to address the Manila thing16:37
gibisure16:37
sean-k-mooneyRemoving os-volume proxy API during Yoga16:37
sean-k-mooneythat was the one that i tought lee might bring up16:37
bauzasbut here, the question is, do we need the Cinder team for discussing those topics ?16:38
artomThat doesn't really affect Cinder, does it?16:38
bauzasartom: that's my question16:38
bauzasdo we have topics to discuss that engage the cinder team ?16:38
bauzasI can leave this for next week16:38
sean-k-mooneythe manila thing beign supprot for virtio-fs16:39
sean-k-mooneyif so then no there is no interation nwith cinder in that case16:39
bauzasfor the keystone x-p session, do you think it would be nice for us getting the whole crew or only publicize our discussions about Secure RBAC so people like lance would join ?16:39
sean-k-mooneyassuming unified limits work will continue we might want to discuss that too but im not sure if there is anything left on the keystone side16:40
sean-k-mooneydansmith: you wanted some changes to the lib interface i think but not sure if that needs to be covered at the ptg16:41
dansmithno, I don't think soi16:41
dansmithI also think that the issues have been resolved with some of my recent changes to oslo.limit,16:41
dansmithbut I need to circle back16:41
dansmithregardless, nothing needing lots of discussion I don't think16:42
bauzasyeah16:42
bauzasso this is rbac only16:42
bauzaswe'll figure that out16:42
bauzasmoving on16:42
bauzas #topic Stable Branches16:42
bauzas Nova Wallaby 23.1.0 release is proposed #link https://review.opendev.org/c/openstack/releases/+/80900016:42
bauzas Nova Victoria 22.3.0 release is proposed #link https://review.opendev.org/c/openstack/releases/+/81229116:43
bauzas Nova Ussuri 21.2.3 release is proposed #link https://review.opendev.org/c/openstack/releases/+/81229216:43
bauzaselodilles: other things to mention ?16:43
elodillesi'll ping release folks to review those tomorrow16:43
bauzascool16:43
elodillesand maybe we could merge this: https://review.opendev.org/c/openstack/nova/+/81046116:43
bauzasoh 16:44
elodillesas far as i remember we agreed to accept this16:44
bauzasyup16:44
elodillesand I can backport it to older branches then16:44
elodillesand unblcok train-stein-rocky-queens-pike :)16:44
bauzasI guess you revisioned it because of the pin version ?16:44
elodillestox min version needed a bump as stephenfin marked16:45
bauzasyeah, that16:45
bauzasok, I'll +2 it16:45
elodillesthanks \o/16:45
elodillesthat's it i think16:45
bauzascool16:45
bauzas #topic Sub/related team Highlights 16:45
bauzas Libvirt (lyarwood)16:45
bauzaswell, he's off16:45
bauzasbut I haven't heard anything specifc16:46
bauzasmoving on16:46
bauzas #topic Open discussion 16:46
bauzasnothing in the agenda, floor is yours16:46
gibiit was a productive meeting16:47
bauzasI can't promise this everyweek16:48
bauzas#endmeeting16:48
opendevmeetMeeting ended Tue Oct  5 16:48:07 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)16:48
opendevmeetMinutes:        https://meetings.opendev.org/meetings/nova/2021/nova.2021-10-05-16.00.html16:48
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/nova/2021/nova.2021-10-05-16.00.txt16:48
opendevmeetLog:            https://meetings.opendev.org/meetings/nova/2021/nova.2021-10-05-16.00.log.html16:48
bauzasoh I forgot to mention the Big News16:48
bauzasshit16:48
bauzashttps://twitter.com/openinfradev/status/144501146824892007116:49
bauzasbribe me if you wanna get my opinion 16:49
bauzasbut I'm 99% sold on the destination16:49
bauzasclue #3 was easy16:49
gibilol16:53
dansmithwhen will that be?16:54
dansmithspring or fall?16:54
sean-k-mooneydansmith: presumably spring but good question16:56
sean-k-mooneyi had been assuming march/april16:56
dansmithwas hoping for fall to give a little more time16:56
gmannin Oct/Nov16:56
gmannyeah16:56
sean-k-mooneyoh ok16:56
dansmithI can't imagine being ready to travel by march16:56
dansmithgmann: ah cool16:56
sean-k-mooneyso the A release ptg then16:57
sean-k-mooneynot the Z release16:57
sean-k-mooneyso the next 2 PTGs will be virtual16:57
sean-k-mooneydansmith: i very quickly added somethign for the external event on lin 84 https://etherpad.opendev.org/p/nova-yoga-ptg feel free to edit as you see fit16:58
gmannI think PTG are not yet included/planned  but it may be as per previous format it might be summit+PTG16:58
sean-k-mooneyoh this was explictly for the summit16:58
sean-k-mooneyok16:58
dansmithyeah just summit16:58
sean-k-mooneyi assuem it was both16:58
sean-k-mooneywell the summit and fourm ware normally together right16:59
sean-k-mooneythen ptg is later16:59
sean-k-mooneyi guess we will see how it plays out16:59
gmannsean-k-mooney: dansmith bauzas just saw rbac things for PTG, I am going to check projects sessions/topics on RBAC with lbragstad (friday or next week) and then we can plan cross project if needed 16:59
bauzasgmann: cool thankq17:00
bauzassean-k-mooney: dansmith: oh I'd be disappointed if that'd be fall 202217:00
sean-k-mooneygmann: i was thinking it might make sense to have a singel cross project session on that goal and then if needed also cover it in the indiviual cross project seesion too17:00
gmannsean-k-mooney: good idea. 17:01
dansmithbauzas: not me, I'd be happy if we just assume no travel before 202517:01
bauzasthat said, the destination I found would be set for fall if COVID-19 wasn't a thing17:01
gmannbauzas: but it would not be so far from your place :)17:01
sean-k-mooneygmann: e.g. have nova/neutron breakouts if we need to talk about a spciric interction but cover the high level rbac topci is a comunity/multi project sesssion17:01
bauzasgmann: honestly, I'm desperate to move17:02
bauzasdansmith: hah, don't know what to say about this then :)17:02
sean-k-mooneydansmith: i dont really like to travel but i do miss the inperson hallway chats and withboarding work we get done with an inperson event17:03
bauzasthat ^17:03
sean-k-mooneyunless we go back to having midcycle or other checking events per milestone  its hard to cover everything in a virutal event at least the way we do them currently17:04
bauzasfun fact is, if that'd be April, I could literrally go get my car from this place and return to home17:04
bauzasmy *new17:04
sean-k-mooneyare you really planning on getting a tesla model y17:05
gmann:)17:05
bauzassean-k-mooney: let's wait for the OIF announcement either way17:05
bauzassean-k-mooney: I do17:05
bauzasmy Superb is nice but I wanna change17:05
dansmithbauzas: I'm disappointed in you17:05
dansmithcars that don't burn dinosaurs = boring17:05
bauzasdansmith: this car can litterally make you fart17:06
dansmithboring.17:06
bauzasso I wouldn't call it "boring"17:06
bauzas:p17:06
dansmithsoul-less.17:06
bauzasI'm pretty sure I can find some Spotify playlist that would groan17:06
bauzasdansmith: and automatic transmission, I know :p17:07
sean-k-mooneydansmith: i dont know some of the hydrogen eletic hybrid look pretty fun17:07
bauzasthe clutch is past story to me17:07
dansmithsean-k-mooney: has nothing to do with speed or performance17:07
sean-k-mooneyyou just dont like the generic stylig or is it the feel of the drive17:08
dansmithhas nothing to do with being ugly, has entirely to do with being soul-less17:09
* sean-k-mooney is currently looking to replace there 6 speed mini but not seeing many car i like to replace it with17:09
bauzasdansmith: :) 17:10
bauzasI understand people's reluctance 17:11
bauzasit's just me who wants a car that can drive full electric with some pleasure :)17:11
* bauzas looked at the Ioniq 5 and the new EV6 but eventually decided to go with the TMY17:12
sean-k-mooneyi dont like the ioniq 5 really17:13
sean-k-mooneyit looks too much like an estate and the sharp line remind me of the telsla pickup17:14
bauzasI don't like the interior and the trunk is small17:15
bauzasI tested it tho, nice to drive17:15
bauzasthe EV6 is on its way17:15
bauzasbut it costs nearly the TMY without the fun17:15
bauzasand... that's a Kia17:16
sean-k-mooneykia at least has a 7 year warrenty17:19
sean-k-mooneyi much prefer the ev6's styling but i dont need a car that size17:20
sean-k-mooneyim cosidering a peugeot e-208 but  not sure i can justify the price gien how little i drive17:21
sean-k-mooneythe 6 speed petrol is about 5-7k cheaper for similar specs17:22
bauzassean-k-mooney: Sophie drives a e20817:22
bauzaswe got a 7k€ incentive for buying it17:23
bauzasso yeah, without this, I totally agree with you on the fact this is horribly expensive17:23
sean-k-mooneydoes sophie like the e208 was it worht the investment17:26
sean-k-mooneywe can get part of the veical registration tax back and there is an ev grant too17:26
sean-k-mooneybut even with that factored in its still several grand more to get teh e versions17:27
bauzaslet's discuss this off this topic17:27
bauzastl;dr: yes she likes it17:28
sean-k-mooneyhehe sure :)17:28
dansmithsean-k-mooney: you know that I *wrote* the external events API right? :)17:34
sean-k-mooneydansmith: yes i do17:43
sean-k-mooneyi was adding that cotext for other reading it17:43
dansmithsean-k-mooney: okay just trying not to be offended by you 'splaining what it was originally intended for on the etherpad :)17:44
dansmithmkay17:44
sean-k-mooneyyou orginally worte it for the dhcp server race when using quantum instead of nova network right17:44
sean-k-mooneythe reason i put the "must not be called by humans part is really the warnign we have in the api ref by the way"17:45
* sean-k-mooney well i mess up those quotes17:45
sean-k-mooneymainly the last line17:45
sean-k-mooney"Unless you are writing Neutron, Cinder or Ironic code you should not be using this API."17:46
dansmithsean-k-mooney: yeah I know, and that's what is making me think maybe just saying that network-* events come only from system-scoped things, but I dunno17:46
sean-k-mooneyya althoght we have had a usecase propsed int he past where an operator might want to send a network-changed event to referesh the network info cache17:47
dansmithwell, we used to have a dedicated API for that, but yes, that's kinda what I mean... those sorts of things17:47
sean-k-mooneyits an interesting problem. i dont think we have any other cases where we might want to very the policy based on a sub feild of the request body17:47
sean-k-mooneyin this case the event type17:48
dansmithwell, I think we can just manually enforce that in code17:48
dansmithI dunno, I just don't want to call this system scope only and eliminate the possibility to use it for human-triggered things in the future17:48
sean-k-mooneyi dont think oslo policy can do this today so ya we would have to do it on the nova side17:48
sean-k-mooneywell if we assume it remaind amin only the the operator could create a system scoped token ot interact with it17:49
sean-k-mooneybut its not exactly a user freindly approch17:49
dansmithbut that's not necessarily always an admin thing17:50
gmanndefault value or scope cannot by handle dynamically in oslo but yes a new policy enforcement  based on request field can be added in code17:50
sean-k-mooneythis is one api that is currently not usable by nova client or osc by the way17:51
dansmithI know17:51
sean-k-mooneythe reason i bring that up is i have wondered if we should close that gap in the past17:51
sean-k-mooneybut i have never actully looked at doing that since right now we have no usage that is human trigggered17:51
lbragstadcould you rewrite the policy to be service specific?17:52
lbragstadinstead of system-specific?17:52
sean-k-mooneylbragstad: how woudl we tell which service called it? do you mean make ti depened on the event type17:53
gmannis that mean the very original design of having multiple system and system_id in enforcement ?17:53
dansmithsean-k-mooney: I think novaclient has an api for this, you just mean there's no CLI right?17:54
gmannlike system per service or so17:54
sean-k-mooneydansmith: yes no cli but we likely have the python bindigns for it17:54
dansmithyeah okay17:54
dansmithno CLI makes sense while there's no CLI-able event I think17:54
sean-k-mooneyi would expect neutron to just deletagte to novaclinet internally17:54
lbragstadsean-k-mooney does nova need to know which service called that API/17:56
dansmithno17:56
artomThough currently only Neutron does, IIRC17:56
dansmithit doesn't need to know that neutron only sends network events, but... that's kinda the point17:56
artomAnd it's obvious that neutron does from the ebent name17:56
sean-k-mooneyartom: cinder and cyborg also call it17:57
dansmithit's waiting for a thing, doesn't really need to know that neutron sent it, it just only really works if that's the case :)17:57
sean-k-mooneyartom: cinder for swap volume i think and cybrog for the arq binding completion17:57
artomsean-k-mooney, I thought cinder swap volume was another "proper" API?17:57
artomvolume-update...17:57
sean-k-mooneyperhaps but there are cinder volume event17:58
sean-k-mooneydansmith: so ya neutron is using cinder client https://github.com/openstack/neutron/blob/master/neutron/notifiers/nova.py#L84-L9117:58
sean-k-mooney*novaclient17:58
artomYeah https://docs.openstack.org/api-ref/compute/?expanded=update-a-volume-attachment-detail#update-a-volume-attachment17:58
sean-k-mooneyartom: it uses for volume extetnions not swap sorry17:59
artomAnyways, we're off point here17:59
sean-k-mooneyartom: this is the list of events currently https://github.com/openstack/nova/blob/50fdbc752a9ca9c31488140ef2997ed59d861a41/nova/objects/external_event.py#L18-L3618:00
dansmithcurrently neutron is using a project token to send these,18:00
artom"power-update" is weird18:00
artomWhen/how does that happen?18:00
dansmithis that because that's the token and client that neutron uses to interact with nova or other things in a sensible way, or just because it has no knowledge that a system scoped token would be right?18:01
dansmithartom: ironic, IIRC18:01
dansmithartom: it's not just neutron :)18:01
* artom stands corrected18:01
lbragstadyeah - i think it's using the nova service user, which has the admin role18:01
lbragstadand we haven't really gone through that migration yet, from a policy perspective18:02
dansmithlbragstad: meaning it's just naive and not like that user/client is project-scoped for other stuff? 18:03
dansmitheven still, if neutron is sending an event for an instance or group of ports or something, having it be project-scoped in that call to the event thing also helps to prevent any missteps in sending events to other instances18:05
dansmithlike if there was some port change thing going on, during ownership transfer, or anything else18:05
dansmiththis goes back to my "the interface is specific to project-scoped resources, so it feels like it too should be project-scoped"18:05
lbragstadiiuc - it's using the nova service user, which just happens to have the admin role (probably for legacy reasons) and that's why it works18:07
lbragstadso - because the nova user has the 'admin' role on the service project, it can update external server events for instance 'foo' in project bar... 18:07
dansmithyeah, well the default policy makes the api admin-only anyway18:07
sean-k-mooneyyes so its relyin gon haveing a user with admin rights18:08
sean-k-mooneythat can be the nova user or a common service user18:09
lbragstadcorrect - but it's not enforcing tenancy in any way - from what i can tell18:09
sean-k-mooneyi dont think it is either today18:09
sean-k-mooneysince this is mainly a service to service api18:09
dansmiththe api?18:10
dansmithit uses the context to look up the instances it creates the events for, so it should be scoped to the project of the token18:11
sean-k-mooneythe external events api does not assert that the user that created teh event is a has any relationship with the project reosuce that is being modified18:11
dansmithor I guess if you're admin then it lets you see them all, but it should still be tight if you're not admin18:12
dansmithyou won't be able to look up instances you don't have access to, and you'll fail with a 404 I think18:12
sean-k-mooneywell this has been admin only for as long as i can rememebr it exsiting18:12
dansmithor just not send those events, I guess, I'm not sure, but..18:13
dansmithsean-k-mooney: by default you mean :)18:13
sean-k-mooneyyes by default18:13
dansmithI'm just saying I don't think that the api is not tenant-safe18:13
sean-k-mooneywell while you can get a responce form tha tapi when you do a post we dont supprot get request on it correct18:14
dansmiththere's nothing to get18:14
sean-k-mooneyand the info you get back is pretty limited in general18:14
dansmiththere's no persistence18:14
dansmithI'm saying you can't POST events for instances you don't own18:14
sean-k-mooneyright so since it most a write only api18:14
dansmithit is entirely write-only18:14
sean-k-mooneysure you can18:14
gmanndansmith: sean-k-mooney I remember the discussion of need of  service specific role for such cross service API. system scope in this API was not concluded/discussed permission for this at the time of moving to new defaults.18:15
sean-k-mooneywell ok you saying if you change the policy to allow anyone call it18:15
sean-k-mooneythen it wont work18:15
dansmith                     objects.InstanceList.get_by_filters(18:15
dansmith                         cctxt, {'uuid': instance_uuids_by_cell[cell_uuid]},18:15
dansmithsean-k-mooney: this ^ will not work for instances you don't own if you are not admin18:15
gmanneither project scope or both or need service user specific role for such operation18:15
sean-k-mooneydo we have a db level check to enforce that18:15
dansmithsean-k-mooney: that's how that interface works right?18:16
dansmithI mean, it certainly was when the code was written :)18:16
sean-k-mooneyin the port bindign case the event are all submited as tyepically the nova user regradesss of who owns the port18:17
sean-k-mooneydansmith: the user token is never used18:17
dansmith...right, as admin yes?18:17
sean-k-mooneyalso even if it was the even it decupled form a user action18:18
sean-k-mooneyyes as admin18:18
dansmithwhat are we arguing about again?18:18
sean-k-mooneywether the resouce that is being evented on is own by the user/project assocated with teh keyton token used to send the event to nova i think18:19
sean-k-mooneyi kind of got confused by what you were saying would and would not work and im not sure you were following me either18:19
dansmithhttps://github.com/openstack/nova/blob/7967ad78649a1f8d7ffc34ae28274ee89b0011cf/nova/db/main/api.py#L1413-L141618:20
dansmiththis ^ is where we enforce you can only see your own instances in the DB layer, if not admin18:20
dansmithwhich makes that API not allow non-admins (if so granted) able to send events to instances they do not own18:20
sean-k-mooneyi see18:21
dansmithif the nova user neutron uses has admin, that's why it can send events to any instance, as expected18:21
dansmithI'm talking about if someone were to drop the admin requirement from the policy, or if we later add a human-initiated event, the API is not insecure18:21
sean-k-mooneyright i tought we were trying to remove those low level db enfrocements form the code18:22
dansmithin response to this:18:22
dansmith[11:09:14]  <lbragstad> correct - but it's not enforcing tenancy in any way - from what i can tell18:22
dansmith[11:09:33]  <sean-k-mooney> i dont think it is either today18:22
gmanndansmith: so your proposal is to allow only project scoped (owner or admin) not system right?18:22
dansmithsean-k-mooney: not those, AFAIK.. tons of stuff would need to change at the top, and always provide a project-level filter down or we'd be querying tons of information all the time that we need to filter in python18:22
sean-k-mooneydansmith: right so its the db laywer not the api that enforcing that18:22
gmannsean-k-mooney: we have that as TODO to move admin-checks from DB to API layer side18:23
dansmithgmann: no I'm saying we allow either and enforce scope type based on the event_type in the event, which are probably all system right now (but need to look)18:23
dansmithgmann: you're not talking about removing the project filtering from the DB queries entirely right?18:24
gmannyeah it is all system-admin for now18:24
dansmith(not that it matters for this conversation, because this API behaves the same as all our other ones at the moment, which rely on db filtering)18:24
gmanndansmith: not filtering but like if admin then we check admin policy and call separate DB interface itself at API layer and do not check is_admin in DB18:25
dansmithgmann: right ++18:25
gmannon event type: keeping system scope is for  human-initiated event ?18:27
dansmithno18:28
gmannmaking them system-only was not right thing at initial implementation  18:28
dansmithhonestly, I don't even know what to say anymore: I think neutron declaring a project id when making the call is not bad,18:28
sean-k-mooneyi think we just converted admin_api to system_admin_api as an itital step18:28
dansmithwhich makes it a project-scoped interface It hink18:28
gmannyeah18:29
dansmithI'm just saying I don't want this interface to just be forever tagged as system-only18:29
dansmithif we want to make some events system-only, then let's do that per-event,18:29
dansmithbut even in the neutron case, I think scoping it by project is probably not a bad idea anyway18:29
sean-k-mooneydansmith: so currently neutron get the credentails form the config so if we wanted to make it non admin they would need to have some other way to generate the token that is used18:30
dansmithsean-k-mooney: not saying non-admin for network events18:30
dansmithI'm saying probably not system18:30
dansmiththere's like a 3D chart here I think :)18:30
dansmithor maybe 7D I dunno18:30
gmanndansmith: agree, and that per event check we can do in code itself as you mentioned earlier. if x_event then context.scope == 'system'18:31
dansmithgmann: exactly18:31
dansmithbtw,18:31
dansmithI thought at one point we were supposed to get the ability for neutron to say "here's the user's token for context, and here's my token for auth"18:32
sean-k-mooneyright but the network-vif-pluged event for example is sent when but the dhcp server has configured the enttry for the ip and the l2 agent has installed flow rules ectra. so it has to create the token form a config file18:32
sean-k-mooneyit cannot use the user token18:32
dansmithso we could scope to the user's project from their token, but elevate the ability to do systemy things with the service's token18:32
lbragstadi think there is a policy check for that?18:32
dansmithsean-k-mooney: it doesn't have to use the user's token18:32
dansmithsean-k-mooney: are you saying it doesn't know anything about the project that owns the port?18:33
dansmithbecause all it needs is the project_id18:33
sean-k-mooneyno the port has a project_id assocatied with it18:34
dansmithright, so it can use an admin token generated from creds from the conf, scoped to that project yeah?18:34
sean-k-mooneybut the xproejct_override work that lbragstad  has been workign on only works with system tokens18:34
dansmithfine?18:34
sean-k-mooneyso its a system admin toke with the project_id also set which is what we started with18:35
sean-k-mooneyyour just saying the project_id should come form the port18:35
sean-k-mooneynot be hardcoded in the config18:35
dansmithwhat we started with was the assertion that it *has* to be that way18:35
dansmithactuall,y18:35
dansmithI think what we started with was "let's discuss this high-bandwidth at ptg" which is *really* what I'd like18:36
sean-k-mooneyok sure. although this is the second deiscussion i have had on this topic as i started talking to lbragstad about it a few weeks ago18:38
dansmithyeah, clearly he needs to be in said high-bandwidth discussion18:39
sean-k-mooneyso i was strating form an assumtion that the neutron config would have the creds for a system scoped token and possibly use the project override mechanium18:39
sean-k-mooneyim totally fine with and actully like the idea that neutron would overried the project_id with the ide of the port or network owner18:40
lbragstadoverride == use the project id pass-through functinality?18:40
sean-k-mooneybut we woudl need code change to neutron to do that. today the best we can do via the config would be a system_admin token18:41
sean-k-mooneylbragstad: yes18:41
sean-k-mooneyproject_id passtough is what i mean by overried18:41
hemnacan you boot an instance on behalf of another tenant (as admin) ?18:41
sean-k-mooneylbragstad: neutron currently uses the same nova  client to send all external events to nova https://github.com/openstack/neutron/blob/master/neutron/notifiers/nova.py#L84-L9118:42
sean-k-mooneyhemna: as in server create no18:43
lbragstadyeah - i hit that issue when i configured nova to enforce scope and worked on the project-id passthrough functionality in ksa and ksm18:43
sean-k-mooneyhemna:you can start a server18:43
hemnaok dang.  thanks18:43
sean-k-mooneylbragstad: neutron also batchs sending events today18:44
sean-k-mooneyso i think they reuse the client for multiple events for diffeenr resouces18:44
lbragstadok - so that's the PUT portion of that API, right?18:45
sean-k-mooneyits a post but yes https://docs.openstack.org/api-ref/compute/#create-external-events-os-server-external-events18:45
dansmithsean-k-mooney: they never batched before, are you sure?18:46
lbragstadok - nevermind, i thought i saw that API expose a PUT method 18:46
sean-k-mooneyhttps://github.com/openstack/neutron/blob/master/neutron/notifiers/nova.py#L14618:46
dansmithsean-k-mooney: or do you mean batches of ports for a single instance?18:46
sean-k-mooneydansmith: ^18:46
dansmithokay I thought you said you didn't know the interface was intended for batches? :)18:47
dansmithpretty sure that's new (since I last looked) because I was surprised how long after the interface was written that it was still doing singles18:47
dansmithoh, this is network-changed I think18:48
sean-k-mooneythis was network changed yes18:48
lbragstadok - and the goal is to continue allowing this stuff work to work without having to refactor neutron to use system-scope?18:49
dansmithack, I would have been looking at vif-plugged18:49
dansmith(which looks to be single-shot)18:50
dansmithlbragstad: I don't think that's a goal18:50
dansmithlbragstad: my intent on arguing here is about declaring this API as forever system-scope-only18:50
dansmithI don't really care if neutron uses system scope for its actions here, although I think providing a project_id is a good idea so we're only hitting instances for that project in a given post18:51
lbragstadoh - ok18:52
lbragstadso your concern is more that we're using a really big hammer to only interact with project resources18:53
gmannand it can be default to project-member (owner), project-admin is not needed as such 18:53
dansmithgmann: the actual policy rule default I'm not so concerned about18:54
dansmithI think we could probably set that rule to default to "scope:system and role:admin" or whatever,18:54
dansmithbut I just don't want that to be a constant18:54
sean-k-mooneygmann: im not sure we really want normaly project_member to be able to call it by default18:55
fricklersean-k-mooney: those instances are not from a job but I created them manually, so I can do further debugging as needed. "xml generated by nova" is what I can see with "virsh dumpxml"? or do I need to get it from the logs?18:55
sean-k-mooneyat least for how it work today18:55
dansmithgmann: by the way, what do you see as being the avenue if we change the allowed scopes in the future for an interface?18:55
gmannor I am thinking if adding new scope 'service_scope' can help in making those API to cross-service based interaction-only.18:56
dansmithmeaning, what if something is scope_types=['system'] and we add project to that? how do we signal or microversion that?18:56
gmanndansmith: not microversion but only in releasenotes as it change the configuration only. like we do for every policy change18:56
sean-k-mooneyfrickler: i was thinking if from the logs18:56
sean-k-mooneyfrickler: nova prints the xml we send to libvirt at debug level18:57
dansmithgmann: but that won't always work right? like if we go from "you have to be project scoped" to "or you can be system scoped but with a projectid override".. certainly a client needs to know that the behavior has changed right?18:57
sean-k-mooneyfrickler: we will need that xml if we want to have some of our libvirt folks look at the qemu output and node if its valide or not18:57
dansmithgmann: because that's my concern here over deciding scope for this interface now and wanting to change it later, because it seems like it's something that will be very hard to change later without confusing behavior effects18:58
sean-k-mooneygmann: chanign policy with out a microversion has always made me uncomfortable for what its worth18:58
dansmithif something is fundamentally system-scoped, then fine,18:58
dansmithbut if it's not, then it's just adding a layer of potential breakage later18:59
dansmithlike I keep saying, aggregates are clearly system-scoped to me, but few other things are, IMHO18:59
gmanndansmith: yes for 'project scope'->'system with project_id' is something we need to discuss if we need to add microvesion or not. with NOTE: new policies are not microversioned.18:59
dansmith(or at least, I have few other examples that I think are legit)18:59
gmannbut supporting both for a release or so18:59
dansmithgmann: welp, FWIW, that makes me rather nervous :/19:00
dansmithespecially knowing that our customers don't run adjacent releases19:00
opendevreviewLance Bragstad proposed openstack/nova master: DNM: Attempt to expose external events API to project users  https://review.opendev.org/c/openstack/nova/+/81260119:00
opendevreviewLance Bragstad proposed openstack/nova master: DNM: Update external events policy to allow for project-id passthrough  https://review.opendev.org/c/openstack/nova/+/81260219:00
opendevreviewLance Bragstad proposed openstack/nova master: DNM: Update policy to allow for service-specific auth targets  https://review.opendev.org/c/openstack/nova/+/81260319:00
lbragstaddansmith cover your eyes - fstrings on the way 19:00
sean-k-mooneygmann: new policyes i can may see as not requiring a microverson. any change in default policy behaivor for any endpoint however i kind of feell like it should be a microversion19:00
dansmithlbragstad: *shudder*19:00
gmannsean-k-mooney: new policy are change in default behavior too19:00
dansmithsean-k-mooney: policies can be changed by the operators, so I don't think that means they need microversions,19:01
sean-k-mooneye.g. if add a new policy has no visable effect then fine but if it changes the behaivor in any way by default i think it needs a microversion19:01
dansmithsean-k-mooney: but new core unchangeable policy things like "system-scope plus project id" are different to me19:01
sean-k-mooneydansmith: i agree that operators can certly change policy and alter behavior and that does not affect the microversion today19:02
gmannyeah  "system-scope plus project id"  is completely different new thing 19:02
sean-k-mooneybut im not really sure where the line is19:02
sean-k-mooneygmann: i might be missing something but im not really convicned it is19:03
dansmithgmann: that's my concern over deciding the fate of this event api, FWIW19:03
sean-k-mooneywhat makes that different then changing an api form project member to say project admin19:03
dansmithsean-k-mooney: it is definitely a different thing to me19:03
dansmithsean-k-mooney: it requires you know that the thing be new enough *and* that you need a different client behavior to make it work19:04
dansmithneither of which are discoverable from the outside19:04
dansmithsean-k-mooney: because of the client behavior change required19:04
sean-k-mooneyis there not a client behaivor change requried with enabling scope enforce too19:04
gmannsean-k-mooney: project member to say project admin, operator can always change it back via policy.yaml 19:04
lbragstadhttps://review.opendev.org/c/openstack/nova/+/812601/1/nova/policies/server_external_events.py would be example of how to expose this to project users19:04
lbragstadbut https://review.opendev.org/c/openstack/nova/+/812602/1/nova/policies/server_external_events.py would be using project id pass-through 19:05
dansmithsean-k-mooney: yep, that's definitely a change in line with the one described above, but less concerning than just a single policy change to use a different role I think19:05
sean-k-mooneylbragstad: thats assuming we standardise an new service role? or does that already exist19:06
lbragstadit's not standardized - just an example19:06
dansmithlbragstad: yeah, the second is my preference19:07
sean-k-mooneythe resaond i was asking is the idea of a service role is a new construct to me adn would have to be standarised i think if we were to use it in code19:07
gmanndansmith: added sysmte+project-id case in PTG etherpad L22719:07
dansmithlbragstad: and then perhaps we limit it per event, so to say "we know neutron uses system scope, so we're limiting network-* events to system scoped contexts to avoid users being able to send those"19:07
dansmithgmann: thanks19:07
sean-k-mooney the second i think is just the system_amdin_or_owner policy right19:07
dansmithsean-k-mooney: no19:08
dansmithsean-k-mooney: it's system scope WITH a project override, or a regular project token19:08
gmannyeah19:08
sean-k-mooneysorry not admin or owner19:08
sean-k-mooneyok19:08
lbragstaddansmith yeah - if nova can pack that as target data - you could do something like role:service and networking:%(event_type)s19:08
sean-k-mooneyya i see the differnce19:08
dansmithalso, lbragstad I'm fine with the policy not allowing regular users to hit the API until/unless we have a human-oriented event19:08
dansmithlbragstad: because it's just a default19:08
dansmithlbragstad: oh we could do that too I guess19:09
dansmithlbragstad: I don't think we apply the policy like that today, but we could19:09
gmannbut that need policies per event19:09
dansmithlbragstad: I was thinking more like hard-coded python to check the scope after we look at the event type19:09
dansmithgmann: right, I like it less, but it's an option19:09
lbragstado.p should generalize the target data19:10
lbragstads/should generalize/generalizes/19:10
lbragstadi'm not sure if it supports regular expressions though 19:10
dansmithI dunno what your point is19:10
gmanndansmith: lbragstad oh or we can make check_str with OR-per-event and like what lbragstad mentioned 19:10
dansmithI'm saying I think there's something to be said for it not being in the actual rule19:11
fricklersean-k-mooney: https://paste.opendev.org/show/809803/ , I can also give you or others access to the held nodes if you want to have a look yourselves19:11
gmannso single policy, check str with event_x AND project OR event_y AND system19:11
dansmithtbh, I think some of these overly complex policy rules are asking for admins to get confused, write a policy wrong and break or expose something they don't expect19:11
lbragstadyeah - i was just throwing it out there as an option if you wanted a way to restrict some users from posting networking events19:11
dansmithwhich makes me wonder if putting this in the policy rule is the right thing, but.. it's an option and I don't totally hate it19:11
dansmithlbragstad: ack19:12
lbragstadotherwise - if you consider it business logic, putting it in the service itself makes sense 19:12
sean-k-mooneyfrickler: so in both cases the nova generated xml is more or less identical as we woudl expect meanign any delta in behavior is a libvirt bug19:12
dansmithyeah, "unless the admin could/would need to change it, put it in code"19:12
sean-k-mooneyfrickler: we are simplely setting the memory with <memory>262144</memory> we are not speficying any of the advance memory backing config19:13
dansmithlbragstad: another question: would it be rude for me to say I'm officially burned out on policy stuff for like at least 24 hours?19:13
lbragstadjoin the club 19:13
dansmithhaha19:14
lbragstad:) 19:14
lbragstadit's only tuesday, too19:14
dansmithI know, I was going to say "for the week" but realized there's a lot of week left :/19:14
sean-k-mooneywell i for one am planning on not thining about this until the ptg19:15
dansmithsean-k-mooney: I think you are a LIAR19:15
sean-k-mooneylbragstad: that said im going to try and re review the latest version of your ooo changes19:15
lbragstadevery time i try *not* thinking about policy, i think about policy 19:16
sean-k-mooneydansmith: :) i still find our approch to policy to be very very non intuitive19:16
dansmithsean-k-mooney: you just proved me right!19:16
lbragstadgoing out on a limb here, but if a sub-system takes 5 years to change, it's probably more than just non-intuitive :)19:18
dansmithheh19:20
sean-k-mooneyisnt the replacemnt for it ment to be simpler and more intunitieve to show forward progress :)19:21
*** tamas_erdei is now known as terdei20:32
opendevreviewMerged openstack/nova stable/ussuri: [stable-only] Pin virtualenv and setuptools  https://review.opendev.org/c/openstack/nova/+/81046121:08
opendevreviewmelanie witt proposed openstack/nova stable/train: [stable-only] Pin virtualenv and setuptools  https://review.opendev.org/c/openstack/nova/+/81255321:30
opendevreviewmelanie witt proposed openstack/nova stable/train: [stable-only] Pin virtualenv and setuptools  https://review.opendev.org/c/openstack/nova/+/81255321:34
opendevreviewmelanie witt proposed openstack/nova stable/train: [stable-only] Pin virtualenv and setuptools  https://review.opendev.org/c/openstack/nova/+/81255321:40
opendevreviewDmitrii Shcherbakov proposed openstack/nova master: [yoga] Add PCI VPD Capability Handling  https://review.opendev.org/c/openstack/nova/+/80819921:51
opendevreviewDmitrii Shcherbakov proposed openstack/nova master: [yoga] Support remote-managed SmartNIC DPU ports  https://review.opendev.org/c/openstack/nova/+/81211121:51
opendevreviewmelanie witt proposed openstack/nova master: Add logic to enforce local api and db limits  https://review.opendev.org/c/openstack/nova/+/71213923:41
opendevreviewmelanie witt proposed openstack/nova master: Enforce api and db limits  https://review.opendev.org/c/openstack/nova/+/71214223:41
opendevreviewmelanie witt proposed openstack/nova master: Update quota_class APIs for db and api limits  https://review.opendev.org/c/openstack/nova/+/71214323:41
opendevreviewmelanie witt proposed openstack/nova master: Update limit APIs  https://review.opendev.org/c/openstack/nova/+/71270723:41
opendevreviewmelanie witt proposed openstack/nova master: Update quota sets APIs  https://review.opendev.org/c/openstack/nova/+/71274923:41
opendevreviewmelanie witt proposed openstack/nova master: Tell oslo.limit how to count nova resources  https://review.opendev.org/c/openstack/nova/+/71330123:41
opendevreviewmelanie witt proposed openstack/nova master: Enforce resource limits using oslo.limit  https://review.opendev.org/c/openstack/nova/+/61518023:41
opendevreviewmelanie witt proposed openstack/nova master: Add legacy limits and usage to placement unified limits  https://review.opendev.org/c/openstack/nova/+/71349823:41
opendevreviewmelanie witt proposed openstack/nova master: Update quota apis with keystone limits and usage  https://review.opendev.org/c/openstack/nova/+/71349923:41
opendevreviewmelanie witt proposed openstack/nova master: Add reno for unified limits  https://review.opendev.org/c/openstack/nova/+/71527123:41
« Monday, 2021-10-04 Index Wednesday, 2021-10-06 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!