Monday, 2021-11-08

« Sunday, 2021-11-07 Index Tuesday, 2021-11-09 »
opendevreviewDavid Hill proposed openstack/nova stable/victoria: Ensure MAC addresses characters are in the same case  https://review.opendev.org/c/openstack/nova/+/81692700:12
*** gouthamr_ is now known as gouthamr04:07
*** erlon_ is now known as erlon04:07
opendevreviewRajat Dhasmana proposed openstack/nova-specs master: Add spec for volume backed server rebuild  https://review.opendev.org/c/openstack/nova-specs/+/80962105:02
*** ministry is now known as __ministry06:55
EugenMayergood morning. the default_availability_zone setting, where does it belong, on the nova-schedular service or nova-compute on the compute? Kind of make sense on the former07:52
EugenMayermaybe in common, when reading https://docs.openstack.org/nova/latest/configuration/config.html#DEFAULT.default_availability_zone - how to understand, for each of those values, which service use them? Since i use kolla, i have a lot of nova.conf files and default_schedule_zone could go on potentially several of those. How would i find those07:55
EugenMayerinformations in the docs?07:55
gibiEugenMayer: for some of the config the docs states which service uses them, but some it does not. In the latter case you need to look into the code08:55
gibiEugenMayer: based on a quick grep for CONF.default_availability_zone it is used by the scheduler and the api service09:01
bauzasgood morning09:12
bauzasgibi: EugenMayer: correct, we use the default AZ value in the API 09:13
bauzasif none AZ is provided, then we look at the default one, which is 'None'09:13
gibibauzas: o/09:14
bauzasif an operator sets the default_az value, then any instance which would be created will have an AZ09:14
bauzaseither the default AZ if the user doesn't ask for it, or then the AZ that the user provides with --az09:14
EugenMayerbauzas / gibi thank you. The question is in which group?09:21
opendevreviewIlya Popov proposed openstack/nova master: Fix to use NUMA cell with free resources first  https://review.opendev.org/c/openstack/nova/+/80564909:27
bauzasEugenMayer: sorry, missed your ping10:06
bauzasEugenMayer: you ask about the config group ?10:06
EugenMayeryes since beside one does not know which service, one does not know the group bauzas - kind of heavily lifting expected to look this up in the source code but well, i guess i could just contribute the docs and stop complaining :)10:07
opendevreviewMartin Kopec proposed openstack/nova master: Update Interop doc  https://review.opendev.org/c/openstack/nova/+/81698010:12
opendevreviewJan Hartkopf proposed openstack/nova master: add support for updating server's user_data  https://review.opendev.org/c/openstack/nova/+/81615710:48
*** tobias-urdin5 is now known as tobias-urdin11:06
opendevreviewwujian proposed openstack/nova master: Fix instance action event result inconsistent  https://review.opendev.org/c/openstack/nova/+/81699011:20
*** lbragstad7 is now known as lbragstad11:41
opendevreviewDavid Hill proposed openstack/nova stable/victoria: Ensure MAC addresses characters are in the same case  https://review.opendev.org/c/openstack/nova/+/81692711:48
gibilyarwood: hi! could please look at the stable/victoria backport of https://review.opendev.org/q/topic:bug/1944759 elodilles already has +2 on it12:14
* lyarwood clicks12:14
lyarwoodgibi: ACK'd12:15
gibithanks!12:15
gibibauzas: replied to your question in https://review.opendev.org/c/openstack/nova/+/815690/comment/764e7a47_1cdc2d2d/12:22
sean-k-mooneystephenfin: im going to respin this shortly can you remove your -2 on https://review.opendev.org/c/openstack/nova/+/80429212:29
sean-k-mooneylyarwood: ^ that is what we agreed to do at the ptg by the way so that will allow you to avoid issue with 3.1012:31
lyarwoodah cool sorry missed that12:31
sean-k-mooneyalthough we proably need to start testing with 3.10 this cycle at least non voting12:31
sean-k-mooneyim going to quickly repin my autopep8 patch and then that12:32
opendevreviewsean mooney proposed openstack/nova master: Add autopep8 to tox and pre-commit  https://review.opendev.org/c/openstack/nova/+/80618212:37
opendevreviewTakashi Kajinami proposed openstack/nova stable/xena: Clean up allocations left by evacuation when deleting service  https://review.opendev.org/c/openstack/nova/+/81695412:38
sean-k-mooneylyarwood: gibi  if we can merge ^ relitivily quickly that woudl be great as its enforcing that all patch pass autopep8 without needing file changes12:38
opendevreviewsean mooney proposed openstack/nova master: This change replaces all hardcoded tox enve with generative envs  https://review.opendev.org/c/openstack/nova/+/80429212:44
lyarwoodsean-k-mooney: is that mostly picking up a rule we skip with flake8?12:46
sean-k-mooneyautopep8 actully read the tox file for what we skip12:46
sean-k-mooneybut yes12:46
sean-k-mooneyi dont know how to ignore that 1 new line for doc stings12:47
sean-k-mooneythat basicly the only change it really makes today12:47
lyarwoodah right that's why I was asking, I couldn't tell if it was picking up our skip list or not12:47
sean-k-mooneyya it reads the flake8 section12:48
sean-k-mooneyso it should respect ignore = E121,E122,E123,E124,E125,E126,E127,E128,E129,E131,E251,H405,W504,E731,H23812:49
sean-k-mooneyif we know what rule was adding the new line we could add it to the list12:49
lyarwoodtbh I'd rather do that and avoid the huge diff12:50
* lyarwood will look at https://www.flake8rules.com/ after lunch12:50
lyarwoodbrb12:50
sean-k-mooneywell its much smaller then black ecta but sure12:51
sean-k-mooneylooking at https://github.com/hhatto/autopep8#features there are seveeral that are fixing indentaiton or addign missing blank lines12:51
sean-k-mooneyit might be comeing form https://www.python.org/dev/peps/pep-0257/12:58
sean-k-mooney"""Insert a blank line after all docstrings (one-line or multi-line) that document a class -- generally speaking, the class's methods are separated from each other by a single blank line, and the docstring needs to be offset from the first method by a blank line."""13:01
sean-k-mooneyhttps://www.python.org/dev/peps/pep-0257/#multi-line-docstrings13:01
sean-k-mooneylyarwood: ^ that is where that si cominng form13:01
sean-k-mooneyah and its called out in the autopep8 13:02
sean-k-mooneyPut a blank line between a class docstring and its first method declaration. (Enabled with E301.)13:02
sean-k-mooneyE301 is inconsitent tabs and spaces13:03
sean-k-mooneyhttps://www.flake8rules.com/rules/E101.html13:03
lyarwoodand that's enabled so why isn't flake8 picking it up already?13:08
sean-k-mooneyits not part of pep813:08
lyarwoodah13:08
sean-k-mooneyE301 does not specify the docstring behavior13:08
sean-k-mooneyauto pep8 impleted as part of the E301 fixing13:09
lyarwoodsorry I thought you said it did, I see what you're sayingnow13:09
sean-k-mooneylyarwood: summerised it in the review https://review.opendev.org/c/openstack/nova/+/806182/3#message-f37506ed0411c71d9ce66de251196048da171b3413:13
gibisean-k-mooney: I have one question in autopep8 https://review.opendev.org/c/openstack/nova/+/806182/comment/e15200f9_a50f0219/13:15
sean-k-mooneywe can add it to test-requiremetns yes13:16
sean-k-mooneyi just did not to avoid installing it in enves that did not need it13:16
sean-k-mooneybut if you prefer that i can update it shortly13:16
gibihm, will we ever need to pin the version of autopep8?13:16
sean-k-mooneythis can be done with upperconstraitns13:17
sean-k-mooneyor inline13:17
sean-k-mooneyi dont think so but its a vaild question13:17
gibicurrently it can only be inline afaik. but anyhow we don't pin it now, and we can move it to test-requirements when we need to pin it 13:17
gibiso I'm +213:17
sean-k-mooneyfor line 69 yes since that does not include the base test env dep for the pep8 env the upper constratis form the base env still apply13:19
lyarwoodokay LGTM13:22
* lyarwood heads to the shops, back in ~30mins.13:23
lyarwoodoh wait, downstream meeting :|13:23
lyarwoodhelps if I look at the correct day in my cal13:23
opendevreviewMerged openstack/nova master: db: Remove legacy placement models  https://review.opendev.org/c/openstack/nova/+/81214613:26
opendevreviewMerged openstack/nova master: objects: Stop querying the main DB for keypairs  https://review.opendev.org/c/openstack/nova/+/81214713:26
bauzasgibi: +w'd your series13:50
gibibauzas: thanks13:50
gibimelwitt: hi! When you are up, we are waiting for you +A in https://review.opendev.org/c/openstack/nova/+/815689/2 so if you have time please check14:13
opendevreviewMerged openstack/nova master: Revert "tox: Encode specific Python versions"  https://review.opendev.org/c/openstack/nova/+/80416814:23
EugenMayerWhen doing a nova backup, it seems like ephemeral disks are entirely excluded. is this to be expected?14:30
sean-k-mooneyEugenMayer: yes14:30
sean-k-mooneyEugenMayer: snapshots and backups are only done of the root disk14:31
EugenMayerwow, that is a huge bummer ;/14:31
EugenMayerIs there any way to workarround that? somehow using glance directly and creating an image per disk?14:31
sean-k-mooneyephemeral is not intended to be used for storing data that cant be recreated or safely lost14:31
sean-k-mooneyno it was exluded by design and cant be worked around14:32
sean-k-mooneywithout code changes14:32
EugenMayerWell, the problem is, there is no way to have multi-disk environment without defining one as ephemeral, right?14:32
sean-k-mooneynot without cinder14:32
EugenMayeryes, those are volumes then14:33
sean-k-mooneywith openstack and most cloud plathform the expected and recommended usecase is to have only 1 disk with any addtional storage provided via volumes14:33
kevkoHi nova team :) , testing wallaby and when I'm creating heat stack ..from time to time I see this error in nova .. is it known bug ? 14:34
kevkohttps://paste.opendev.org/show/810848/14:34
sean-k-mooneynot in nova that normally means you have an issue with neutron14:34
EugenMayersean-k-mooney i understand that since one scale that one disk easily, no need to add others. But those VMs are legacy and partially it is part of the application desing to have 2 disks (on premise things). But well, still that now is somewhat a huge showstopper is was not accounting for yet14:34
dansmithkevko: yeah, means neutron failed to send the even to nova to indicate that networking is ready14:35
sean-k-mooneykevko: if you create really large heat stacks and your neutron installation is slow then it can time out wireing up the ports14:35
sean-k-mooneyyou can workaround it by extending the timeout but the real fix is to tune your neutron deployment to support the workload14:36
kevkowell, it's really small heat template14:37
sean-k-mooneyis this in the upstream ci or a production issue in your deployment by the way14:37
sean-k-mooneyah you said you were testing it so i guess its in your lab14:38
sean-k-mooneywhat network backend are you using?14:38
EugenMayersean-k-mooney thank you for givin the definit answer. Not sure what i make out of it in terms of options/solutions but at least good to know it is intended and road blocked14:38
kevkowell, it is production problem also on client's side ..14:38
kevkoso i'm trying to replicate issue on lab 14:38
kevkoi can't see relevant errors in neutron 14:38
sean-k-mooneykevko: ack is this ml2/ovn? ml2/ovs?  cisco aci perhaps?14:39
sean-k-mooneykevko: on the neutron side you likely wont see an error more it wont have sent the event before the timeout exired14:39
sean-k-mooneykevko: if its close but not quite longenough you might actully see the network-vif-plugged event in the nova log after the timeout exired as an unexpected event14:40
dansmithsean-k-mooney: we should debug log the time we waited each time so that people can see if they're close to the deadline normally, or if it's normally 5 seconds, one 300 timeout is obviously an event that's never coming14:41
kevkoml2/ovs14:41
sean-k-mooneyif the env is using ml2/ovs you would need to check the neutron l2 agent log to see if it processed the port. for the other two you would hae to check the neutron server log i belive14:41
sean-k-mooneydansmith: ya that is not a bad idea,  on a related note i was speaking to bogdando downstream about also potentially queueing the event in the compute agent if no handeler with a TTL that might help in case that the event come before we start waiting but there are downsides to that. 14:43
dansmithsean-k-mooney: the entire point of that infrastructure is to make it hard to allow such things :)14:44
dansmithsean-k-mooney: we prepare the event before we do the thing that could cause it to be fired14:44
dansmithotherwise we turn it into a statistical race condition problem14:44
sean-k-mooneyyep i know i mentioned that we did not do that for a reason and we discused it before and rejected it14:44
* dansmith nods14:45
sean-k-mooneyam by the way i would like your in put on the healthcheck design at some point14:45
dansmithis something up to review?14:45
kevkosean-k-mooney: regarding above ... timeout for rpc response ? or which timeout ..sorry :/14:46
sean-k-mooneynot yet ill likely start on the spec tomorrow or later today but the open question i have is should the datastucture be  storge in a module gobal or passed via the context to each fucntion 14:46
sean-k-mooneykevko: ill get you the link to the docs but there is a vif_plug_timeout you should increase14:47
sean-k-mooneykevko: that is really jsut a workaround however14:47
kevkoso, bump number of neutron workers ? 14:47
sean-k-mooneyhttps://docs.openstack.org/nova/latest/configuration/config.html#DEFAULT.vif_plugging_timeout14:47
dansmithkevko: in all likelihood, you're not just a couple seconds late for a *5* minute timeout.. much more likely that it's never coming and changing the timeout will just make things more painful14:48
sean-k-mooneyyep14:48
sean-k-mooneykevko: what you really need to do is look at the neutron agent logs on the compute14:48
dansmithkevko: you should see messages in the nova-compute log saying that the event actually showed up but was discarded - if you don't, then changing the timeout just makes your system worse14:48
sean-k-mooneyand see when the port was added and how far it got in wiring it up14:48
kevkosean-k-mooney: same log + neutron-ovs-agent 10 minutes +/- ago https://paste.opendev.org/show/810850/14:52
sean-k-mooneykevko: are you using iptbals by the way or openvswtich firewall driver14:54
kevkoovs14:54
* gibi has to drop off early today o/14:54
sean-k-mooneyok in that case in wallaby the port is plugged by libvirt as part of the instance creation14:54
sean-k-mooneygibi: o/14:54
opendevreviewDan Smith proposed openstack/nova master: Log VIF event wait times  https://review.opendev.org/c/openstack/nova/+/81703014:55
dansmithsean-k-mooney: ^14:55
sean-k-mooneykevko: at least presently since i have not backported the change to delegate taht to os-vif yet14:55
sean-k-mooneyoh you are using the Stopwatch functionality instead of time.now and subtracting ya that is nicer14:56
kevkosean-k-mooney: what does it mean ? :/14:56
kevkochecking bad logs ? 14:56
sean-k-mooneykevko: that was to dansmith he has already created a patch to log the elapsed time14:57
sean-k-mooneykevko: https://review.opendev.org/c/openstack/nova/+/817030/1/nova/compute/manager.py#49114:57
sean-k-mooneykevko: oh you ment about libvirt plugging the interafce not os-vif14:57
kevkoyeah14:57
sean-k-mooneyin wallaby when we call plug on os-vif for port wiht  hybrid-plug=false, such as when using the ovs firewall, os-vif just ensure the ovs bridge exists and the port is actully added to the bridge by libvirt14:58
sean-k-mooneyso the port wont be added until libvirt tries to start the vm14:59
sean-k-mooneythe neutron agent only starts wiring up the port after its created by libvirt but in this code path it will happen only after libvirt starts the vm15:00
sean-k-mooneyin the pasued state15:00
sean-k-mooneyif you were usign a differnt network backedn the behaivor would be differnt in nova15:00
sean-k-mooneywell potentially in any case which is why i asked15:01
sean-k-mooneywith your configuration the port will only be created at this point https://github.com/openstack/nova/blob/400d25fdeb45fe53be1069996ffaa3783eb4402b/nova/virt/libvirt/driver.py#L7209-L721215:03
sean-k-mooneyfor other configurtion it would happen eairler here https://github.com/openstack/nova/blob/400d25fdeb45fe53be1069996ffaa3783eb4402b/nova/virt/libvirt/driver.py#L720515:03
sean-k-mooneykevko: if creating the guest took a long time its possible that we woudl time out waiting for the even but that is a low proablity15:05
sean-k-mooneykevko: if you put the neutron l2 agent in debug mode it will print the addtion and removal of the port in the ovsdb and also message as it configures them15:06
sean-k-mooney*debug log level15:06
kevkohmm, so issue is not in workers .. 15:06
sean-k-mooneykevko: likely not15:07
kevkook, i will try to turn on neutron debug log and see15:07
sean-k-mooneykevko: i would suggest putting noa and neutron into debug mode on the host then booting another vm and check if while its waitign the domain is succesfully created in libvirt and the tap device is added to ovs15:07
sean-k-mooneyif it is then you shoudl check the agent log to see if it deteched it and started to process it15:08
kevkothank you sean-k-mooney, probably i will ask you tomorrow15:16
sean-k-mooneylyarwood: by the way im just stack a clean devstack then im going to work on the qemu wapper that we discussed last week. ill ping you when i have something15:17
opendevreviewElod Illes proposed openstack/nova stable/stein: Reject open redirection in the console proxy  https://review.opendev.org/c/openstack/nova/+/80293515:21
lyarwoodsean-k-mooney: ack sounds good15:29
opendevreviewElod Illes proposed openstack/nova stable/stein: address open redirect with 3 forward slashes  https://review.opendev.org/c/openstack/nova/+/81703715:29
dansmithsean-k-mooney: gmann: So, going back to last week's discussion about extra specs...15:56
dansmithsounds like system reader and project admin should be able to see extra specs at this point to be the most compatible with existing stuff yeah?15:57
dansmith(i.e. any system user can see them, only admin on the project side can see them)15:57
sean-k-mooneyi think project reader shoudl be able to see extra specs15:58
sean-k-mooneyi dont think you should need project admin15:59
dansmithI know you do, but today regular users can't right?15:59
sean-k-mooneythey can15:59
sean-k-mooneyits systrem_reader_or_project_reader i think today15:59
dansmithoh, maybe that explains why the test is so weird15:59
sean-k-mooneyhttps://github.com/openstack/nova/blob/master/nova/policies/flavor_extra_specs.py#L7816:00
dansmithheh yeah okay16:00
sean-k-mooneyadding/removing obviously should be system scoped i think16:00
dansmiththe test conflates a lot of stuff, I guess for that reason, so I'll have to split things apart a bit because system can't see the servers, and thus can't see the embedded flavor16:01
sean-k-mooneyah right16:01
dansmithhrm,16:12
dansmithpretty sure there's a bug in the create test that is testing index perms for create16:12
dansmithhttps://github.com/openstack/nova/blob/171138146a648d22474b7021ac730e26f03455f8/nova/tests/unit/policies/test_flavor_extra_specs.py#L235-L25416:13
dansmiththe test purports to check update,16:13
melwittgibi: ack, will look16:13
dansmithbut it's actually checking index, which is rule_name instead of rule16:13
dansmithand it's stubbing out update for everybody instead of index16:14
opendevreviewMerged openstack/nova stable/victoria: Reproduce bug 1944759  https://review.opendev.org/c/openstack/nova/+/81091416:14
dansmithand the test actually asserts that system reader can update extra specs16:15
lyarwoodelodilles / gibi ; https://review.opendev.org/q/I26b2a14e0b91c0ab77299c3e4fbed5f7916fe8cf do either of you recall why we don't need this on >= stable/victoria ?16:18
lyarwoodseeing some weird behaviour downstream where we hit the 2to3 issues on py39 thanks to virtualenv and setuptools versions but upstream it looks like UC is downgrading setuptools for us during the run16:21
kashyapfrickler: lyarwood: Unrelated: just for info: MichalP from libvirt has completed both things: switching to '-accel' by default, and wiring up tb-cache.  I tested his v2 series, and looks good: https://listman.redhat.com/archives/libvir-list/2021-November/msg00236.html16:22
lyarwoodawesome thanks16:23
* kashyap will wire that up to the Nova spec-less bp that he posted the other day16:24
elodilleslyarwood: i think it is related to victoria and newer runs over focal on gate and we haven't encounter the use_2to3 errors there16:31
lyarwoodelodilles: interesting, I get the feeling this might have something to do with the pip version tbh16:36
lyarwoodelodilles: the weirdness downstream where we don't downgrade setuptools during the run as we do upstream that is16:36
gmanndansmith: we need to have separate policy now for this. for listing via 1. GET /flavors/{flavor_id}/os-extra_specs/ -  system-reader-or-project-reader 2. showing extraspec in GET /servers APIs response we need project_reader 3. PUT/rebuild /servers we need to add project_member16:53
dansmithgmann: yeah, but I think the existing tests are wrong16:53
elodilleslyarwood: so the issue in nova was with the l-c job as it used decorator==3.4.0, which uses the use_2to3 from setuptools. In victoria the l-c.txt has decorator==4.1.0 set, which is not having the use_2to3 anymore16:53
dansmithgmann: for both create and update16:53
gmannis it?16:53
dansmithgmann: if not I need help understanding this: https://github.com/openstack/nova/blob/171138146a648d22474b7021ac730e26f03455f8/nova/tests/unit/policies/test_flavor_extra_specs.py#L235-L25416:53
dansmithgmann: we're checking update, but we're making policy for update be @16:53
dansmithgmann: and we're running the check against index16:54
dansmithif I run the check against update and don't stub update with @, I get a fail16:54
lyarwoodelodilles: sorry was on a call16:56
gmanndansmith: yeah, so we are checking this policy https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/flavor_manage.py#L12416:56
lyarwoodelodilles: https://bugs.launchpad.net/designate/+bug/1946340 is the issue that we are hitting downstream, same root cause as the decorator problem just a different package16:56
gmanndansmith: so first policy check of update has to be @16:56
lyarwoodelodilles: and with stable/wallaby upstream we don't appear to be hitting it because our upper constraints correctly downgrades setuptools during a run16:57
gmanndansmith: so that we allow update policy for everyone and see if flavor extraspec in flavor update API response is included as per extra spec policy16:57
dansmithgmann: ...but then you're just asserting that the user can run index, not that update is properly checking the thing right?16:57
lyarwoodelodilles: I'm just lost as to why this isn't happening downstream16:57
dansmithgmann: the test is asserting that project reader can create/update flavor extra specs16:58
johnsomlyarwood We removed the EOL driver that needed suds-jurko from Designate: https://review.opendev.org/c/openstack/designate/+/81338016:58
gmanndansmith: this test is for 'updating flavor return the extra specs if policy allow'16:58
johnsomstable branches will need to be pinned 16:58
lyarwoodjohnsom: right it's a dep of oslo.vmware as well so it's still pulled in by nova during a unit/functional run16:59
gmanndansmith: for create/update flavor is separate tests16:59
dansmithgmann: okay I see test_update_flavor_extra_specs_policy and test_flavor_update_with_extra_specs_policy16:59
dansmithgmann: are you saying the latter is for the "and can see the result" variant?17:00
dansmithif so, that's majorly confusing :)17:00
gmanndansmith: yeah, i should have name it something like test_flavor_update_return_extra_specs_policy17:00
gmannor more clear17:01
dansmithI have a hard time reasoning about these tests, with very few comments and sparse naming,17:02
dansmithbecause they're trying to replicate things super deep in an api request (as in this case)17:02
gmanndansmith: yeah,multi-policy operation it is confusing but I agree I should have add more comments there17:03
elodilleslyarwood: nova had only this l-c job failure with 'decorator', but other projects had different other packages that failed and had to be replaced/updated. Most probably some packages' version are older at your downstream job than the upstream.17:12
kevkosean-k-mooney: is this related to mi issue ? :/ https://paste.opendev.org/show/810855/ ? 17:59
sean-k-mooneykevko: you get the error if the port has been created in ovs but the tapdevice is not present on the host in the same network namespace as ovs18:51
sean-k-mooneyactully no that is a slightly idffernt error18:52
sean-k-mooneyin this case the port has been revomed form the ovsdb.18:52
sean-k-mooneythis might be a race with the vm deletion18:52
dansmithgmann: are you okay with this? https://pastebin.com/hGzKL2ap19:33
dansmithgmann: it makes the tests much less verbose, easier to reason about (IMHO) and easier to refactor when we move things around19:34
gmanndansmith: sure, looks good to me.19:39
dansmithgmann: okay cool :)19:39
dansmithgmann: why is this index and not show? https://github.com/openstack/nova/blob/171138146a648d22474b7021ac730e26f03455f8/nova/api/openstack/compute/views/servers.py#L236-L23719:49
gmanndansmith: because we used single policy for listing all extraspecs in flavor APi and in server API response also. 19:50
gmannbut with new granular one we can name them like servers:show:flavor_extraspecs19:51
dansmithgmann: right, but index means "can you list" and show means "can you see the actual thing" right?19:51
gmanndansmith: yes19:51
dansmithseems like the server-embedded flavor is more of a "show" than "index" to me19:51
dansmithah,19:53
dansmithI guess it's because a show on a flavor including extra specs means "listing" the extra specs inside19:53
gmanndansmith: but that is list right? not single extraspec. we usually used show for getting single resource details and index for list19:53
dansmithI think that's probably just an implementation detail about how we store those..seems confusing from the outside, but I see now19:53
gmannthis one https://github.com/openstack/nova/blob/171138146a648d22474b7021ac730e26f03455f8/nova/api/openstack/compute/flavors_extraspecs.py#L5919:54
dansmithyep, I understand now19:55
dansmithmakes sense if you consider extra specs their own thing and a flavor as a container of them. I know that's how we do it, it just a little confusing if you think of the flavor as a whole thing :)19:56
gmannyeah19:56
gmanndansmith: i am thinking do we need separate policy for showing extra-specs?19:57
dansmithshowing individual specs?19:58
gmannI mean if flavor can be seen by anyone then we show extraspecs also to them or have policy to show flavor detail itself?19:59
dansmithoh, I thought that came from some people wanting to be able to exclude extra_specs from the view of regular users, without removing the rest of the flavor19:59
dansmithsean-k-mooney: ?19:59
sean-k-mooneydansmith: no i was suggesting we might want to allow that in the futre currently some public cloud hide all extra specs form there users there is not filterign today20:00
dansmithsean-k-mooney: there's a separate rule for showing them now20:01
sean-k-mooneyin the server reponce or in flavor list20:01
sean-k-mooneyi tought there was just one for both20:02
gmannin flavor and server response both20:02
gmannyeah currently one for both20:02
gmannand default to reader so kind of everyone as default 20:02
sean-k-mooneywhat i think woudl be nice at some point woudl be to be able to filter out any non namespace extra spec an any namespaced on related to filtering20:03
sean-k-mooneythat way operators that want to hide infra detail can do so but still expsoe the rest fo the extra specs20:03
sean-k-mooneysome extra specs ar thigns a user really want to know like does this have a gpu20:04
sean-k-mooneyother are really things that are important to the admin and schduler only20:04
gmannthat is little complex to handle but anyways let's leave them as it is then if it get updated in future20:06
sean-k-mooneygmann: well that would not be implemeted as a policy it would likely need to be a new api microverions20:07
sean-k-mooneyor at least a code change that would implement the filtering20:07
gmannsean-k-mooney: but you said that should be configurable right not hard-coded is_admin check?20:08
sean-k-mooneyright now if operator use extra specs for filtering and want to hide that form user there only option is to hide all the extra specs which is an interoperatty issue20:08
sean-k-mooneygmann: good quetion i assuem configurble jsut for interop but admin only  for some might make sense. anyway in the context of dans patch we shoudl nto change anythign form what we have today20:09
sean-k-mooneygmann: i just dont really think the exsitg policy fully solve that use case but operators are not complaing so lets not change it for now20:09
gmannsean-k-mooney: or they are not even know it :) as it is allow to show extra specs to everyone as default 20:10
gmannbut yes if someone has overridden the policy then it make sense 20:10
gmannlet's leave those as it is. 20:11
gmanndansmith: sean-k-mooney so in that case, we can leave it as single policy itself instead of granular i suggested earlier 20:11
gmannmaking them granular for flavor and servers response might confuse and make things complex 20:12
dansmithgmann: still need a different one for server/flavor but yep20:12
dansmithoh, no we definitely need those two,20:12
gmanndansmith: because of default ?20:12
dansmithbecause of the scope_types20:12
sean-k-mooneyi can see where scope_types come into other issue by why is it relevent here? you want to not check scope types on the server endpoint?20:13
gmannand with flavor one default as system-project-reader and server one as project-reader ?20:14
dansmithflavor one is project,system but the embedded one is just project20:14
gmannembedded in server reposne right?20:14
sean-k-mooneyisned the embeded on contole by the server detail policy20:14
sean-k-mooneye.g. its only expose via server detail20:15
gmannsean-k-mooney: no, as separate policy after detail policy20:15
sean-k-mooneynot /server/uuid/extra_specs right20:15
dansmithsure, we could rely on that, but all these tests are disabling the parent check to obsess over the child one being right,20:15
dansmithwhich would imply that they need to be different20:15
gmannyeah, like if operator want to show server detail to their owner but not extra-specs20:16
dansmiththe test will thus assert that system:reader can view the embedded one, but it can't actually20:16
sean-k-mooneygmann: right but if they showed the falavor name you could look it up or at least what it is now20:16
sean-k-mooneyyou could not compare embeeded to currnt but not sure how much that is relevent20:17
gmannas long as we allow project for both flavor or embedded it is ok i think20:17
sean-k-mooneydansmith: i have not looked at the test so ill trust your judgement if you think havign two woudl be useful but im not sure when it would make sense to have tehm set differently20:17
gmannsean-k-mooney: like we will not add system scope for embedded one as system cannot GET /servers/server-id anyways20:19
dansmithgetting the two to work is also making me hate life, so maybe a note in the test would be better20:19
gmannso any extra things to show in sevrer reponse has to be moved to project=scoped only as parent policy is project-scoped only20:20
dansmiththese tests are hard to debug sometimes, figuring out which context can do a thing that shouldn't be allowed20:20
gmanndansmith: I tried too be more optimize there may be. instead those can be simple/readable with more separate tests for allowed and not-allowed 20:22
dansmithgmann: they're very obsessive which is good, they're just hard to debug, but more infra around them can make it easier20:24
gmannsure20:25
opendevreviewAlexey Stupnikov proposed openstack/nova master: Test aborting queued live migration  https://review.opendev.org/c/openstack/nova/+/77625020:34
opendevreviewAlexey Stupnikov proposed openstack/nova master: Test aborting queued live migration  https://review.opendev.org/c/openstack/nova/+/77625020:46
dansmithgmann: why does this not include other_project_* and legacy_admin ? https://github.com/openstack/nova/blob/171138146a648d22474b7021ac730e26f03455f8/nova/tests/unit/policies/test_flavor_extra_specs.py#L39920:53
dansmithgmann: is it because we're not passing a context to the index check so we're not *actually* preventing those users from doing the flavor extra specs index on servers, because the server rule should have stopped them?20:54
dansmithgmann: by the way, this is what I'm trying to get the tests to (only showing the context setup): https://pastebin.com/UKcd62Th20:56
dansmithwhich I think is a lot easier to read, especially with the comments20:56
gmanndansmith: RE: other_project_* and legacy_admin - yes as server rule will take care of accessing server23:10
dansmithgmann: ack23:11
gmannand in flavor, as there is no project_id there so anyone can access 23:11
dansmithgmann: well, right but in the server tests, I think the casual reader (and definitely the policy-editing operator) would expect that to be the server's project_id23:12
dansmithmeaning, when accessing the flavor on a server23:13
dansmithi.e. here https://github.com/openstack/nova/blob/171138146a648d22474b7021ac730e26f03455f8/nova/tests/unit/policies/test_flavor_extra_specs.py#L32723:14
dansmithso I will put a note in there, but that's probably another reason to have the rules eventually be separate and to pass a target with the proper project_id in it23:14
gmanndansmith: yeah, we can put project_id in current rule too for safer side (if server can be seen by anyone but extra specs not) here - https://github.com/openstack/nova/blob/171138146a648d22474b7021ac730e26f03455f8/nova/api/openstack/compute/views/servers.py#L23623:16
dansmithyeah23:17
dansmithanyway, note added23:17
dansmithI will try to finish this up tomorrow and get another version posted with more of it cleaned up23:17
gmanndansmith: and on this: https://pastebin.com/UKcd62Th23:18
gmannin ScoptType: self.admin_authorized_contexts  need to include project_admin also right?23:19
dansmithgmann: no? system-only for creating flavors right?23:20
gmannor you can name self.system_admin_authorized_contexts   and self.project_admin_authorized_contexts  23:20
dansmithwell, flavor extra_specs anyway23:20
gmanndansmith: ohk, so only for flavor or generically ?23:20
dansmithI guess in the new way, project admin should be able to do that for project-private flavors, since admin==operator23:21
dansmithI didn't change the policy on create/update (yet) so that's why it's sytem-only there23:21
gmannohk23:22
dansmithI left it that way because I haven't done flavor yet, only flavor extra_specs because the servers change broke those tests,23:22
dansmithso I'm a little out of order,23:22
gmanngot it23:22
dansmithso I just didn't tweak that yet23:22
gmanni can take those. this way it will be more clear on who access what.23:23
gmannand I am almost done with listing all rule in wiki table, might be ready by tonight or tomorrow23:24
dansmithokay, I will try to get this cleaned up and updated in gerrit tomorrow so maybe we can use it as a pattern going forward23:24
gmann+1, thanks23:24
clarkbnova should consider removing nova-live-migration-ceph from the gate queue as the job is non voting23:41
opendevreviewMerged openstack/nova master: Add autopep8 to tox and pre-commit  https://review.opendev.org/c/openstack/nova/+/80618223:54
« Sunday, 2021-11-07 Index Tuesday, 2021-11-09 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!