Friday, 2021-11-19

« Thursday, 2021-11-18 Index Sunday, 2021-11-21 »
opendevreviewStanislav Dmitriev proposed openstack/nova master: Retry image download if it's corrupted  https://review.opendev.org/c/openstack/nova/+/81850303:07
*** EugenMayer4 is now known as EugenMayer07:34
*** brinzhang_ is now known as brinzhang07:44
opendevreviewDmitrii Shcherbakov proposed openstack/nova master: [yoga] Add PCI VPD Capability Handling  https://review.opendev.org/c/openstack/nova/+/80819907:45
opendevreviewDmitrii Shcherbakov proposed openstack/nova master: [yoga] Support remote-managed SmartNIC DPU ports  https://review.opendev.org/c/openstack/nova/+/81211107:45
*** akekane_ is now known as abhishekk07:52
opendevreviewIlya Popov proposed openstack/nova master: Fix to use NUMA cell with free resources first  https://review.opendev.org/c/openstack/nova/+/80564908:22
opendevreviewDmitrii Shcherbakov proposed openstack/os-traits master: Add a trait for remote_managed port-capable nodes  https://review.opendev.org/c/openstack/os-traits/+/81851408:35
opendevreviewBalazs Gibizer proposed openstack/nova stable/xena: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81851508:47
opendevreviewBalazs Gibizer proposed openstack/nova stable/wallaby: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81851909:06
pslestangHey all10:27
pslestangI would like your opinion about a change I'd like to propose on instance_action 10:28
pslestangactually instance_action are never soft-deleted even if an instance is deleted10:28
pslestangI'd like to propose to add an option that let the operator choose if the instance_action have to be deleted or not10:29
pslestangsoft-deleted I mean10:29
pslestangsomething like delete_instance_actions_on_instance_delete = True/False10:30
pslestangwe would let it to False by default to avoid breaking what's actually10:31
pslestangas the api call is already filtering the instance_actions that are deleted we would add the possibility to get the instance_action delete with a --deleted flag10:34
sean-k-mooneystephenfin: by the way you deleted xenapi 2? cycles ago but we still have os-xenapi in our requirements.txt11:53
sean-k-mooneyhttps://github.com/openstack/nova/blob/master/requirements.txt#L5811:53
sean-k-mooneyi assume we can just delete that now11:53
stephenfinoh, yeah, kill it with fire11:53
sean-k-mooneycool will do11:54
stephenfinwe could probably backport that too11:54
stephenfinI assume _dropping_ requirements is okay by stable policy11:54
sean-k-mooneyya it should be11:54
sean-k-mooneyit cant possibel break anyone unless we were depending on a transitive dep11:55
sean-k-mooneywhich we shoudl not be11:55
kashyappslestang: File a brief blueprint with your idea here: https://blueprints.launchpad.net/nova/+addspec12:06
kashyappslestang: If you want to write something longer about the design, you can even file a quick spec so it can be granularly discussed in Gerrit12:08
sean-k-mooneykashyap: pslestang  this woudl be an api change so a spec is always required12:15
kashyapsean-k-mooney: Sure.  I didn't wanted to impose big barriers right up, to at least get the design rolling12:16
sean-k-mooneyunless this is prosing a config option to alter the behavior of deleing the instance actions rows?12:16
kashyapYeah, I'm not sure of that12:16
sean-k-mooneybauzas: the first of the off path acclerator seris looks ready for review to me https://review.opendev.org/c/openstack/nova/+/808199 perhaps we should set the RP+1 flag on that?13:09
sean-k-mooneybauzas: also if you are around today can you take a look at this patch form lee https://review.opendev.org/c/openstack/nova/+/81171613:12
sean-k-mooneyor stephenfin ^ pretty simple patch ro ewciwq13:13
sean-k-mooney*to review13:13
stephenfinsure13:14
pslestangkashyap: sean-k-mooney ok understood, I will create a blueprint13:16
sean-k-mooneypslestang: can you discirbe your intent by the way do you want the instnace action ros to be deleted when the vm is deleted or do you want them to be simple marked as deleted but still present13:18
sean-k-mooneypslestang: they should currently get removed when the arcive delete rows command is run i belive13:18
pslestangsean-k-mooney: simply marked as deleted (soft delete only)13:23
pslestangsean-k-mooney: indeed the instance actions rows are moved in shadow tables and deleted when archiving13:33
sean-k-mooneyyes is that not the behavior we have today13:36
sean-k-mooneythe instance action rows are marked as deleted (but still present) and then archive later13:36
sean-k-mooneyand only delete when we purge deleted rows form the shadow tables13:36
bauzassean-k-mooney: done and don13:57
bauzasdone*13:57
bauzassean-k-mooney: I was currently looking at my RP labels13:57
opendevreviewBalazs Gibizer proposed openstack/nova stable/victoria: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81855914:49
pslestangsean-k-mooney: the behavior we have today is that on archiving all instances and their correponding rows (so instance actions) are moved in the shadows table 15:03
pslestangsean-k-mooney: when purging, instances and corresponding rows are deleted based on deleted_at column except for instance_actions, instance_actions_events (and task_log if I remember well) for which the deletion is based on created_at 15:05
* bauzas needs to stop earlier today as he needs to get his daughter and then going to an appointment15:11
bauzasfolks, have a good weekend 15:12
gibibauzas: o/15:21
gibisame to you15:21
opendevreviewBalazs Gibizer proposed openstack/nova stable/ussuri: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81856415:33
opendevreviewGustavo Santos proposed openstack/nova master: Reattach mdevs to guest on resume  https://review.opendev.org/c/openstack/nova/+/81537316:05
opendevreviewStephen Finucane proposed openstack/nova master: Use unittest.mock instead of third party mock  https://review.opendev.org/c/openstack/nova/+/71467616:34
opendevreviewBalazs Gibizer proposed openstack/nova stable/train: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81859816:42
opendevreviewArtom Lifshitz proposed openstack/nova master: api-ref: server rescue adminPass injection is conf-dependant  https://review.opendev.org/c/openstack/nova/+/81802216:50
opendevreviewBalazs Gibizer proposed openstack/nova stable/stein: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81860116:51
opendevreviewDmitrii Shcherbakov proposed openstack/nova master: [yoga] Add PCI VPD Capability Handling  https://review.opendev.org/c/openstack/nova/+/80819916:53
opendevreviewDmitrii Shcherbakov proposed openstack/nova master: [yoga] Support remote-managed SmartNIC DPU ports  https://review.opendev.org/c/openstack/nova/+/81211116:53
opendevreviewBalazs Gibizer proposed openstack/nova stable/rocky: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81860416:56
opendevreviewBalazs Gibizer proposed openstack/nova stable/queens: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81860517:00
opendevreviewBalazs Gibizer proposed openstack/nova stable/rocky: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81860417:05
opendevreviewBalazs Gibizer proposed openstack/nova stable/queens: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81860517:07
opendevreviewBalazs Gibizer proposed openstack/nova stable/queens: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81860517:09
opendevreviewBalazs Gibizer proposed openstack/nova stable/pike: Add a WA flag waiting for vif-plugged event during reboot  https://review.opendev.org/c/openstack/nova/+/81343717:13
*** whoami-rajat__ is now known as whoami-rajat17:42
johnthetubaguy[m]dansmith: just had a thought, if you delete a project in keystone, but now you need a project token to delete a server, the operator could get in quite a bad place now? Or is there something I am missing there?17:54
dansmithjohnsom: hmm17:55
johnsomdansmith Wrong nic?  o/ John17:56
dansmithyes, sorry 17:56
dansmithjohnthetubaguy[m]: hmm17:56
johnsomNP17:57
sean-k-mooneyjohnthetubaguy[m]: ya even domain scopetd tokens wont work17:57
sean-k-mooneycause the proejct is gone17:57
sean-k-mooneycan we just say dont do that :P17:57
dansmithyeah, they'd still be able to list those instances,17:57
johnthetubaguy[m]... now I think you create a project with a known uuid, but not if you deleted an old one17:57
johnthetubaguy[m]yeah, you can still see them and find the project uuid at least17:58
sean-k-mooneyjohnthetubaguy[m]: i tought the uuid was not user setable when creating users and proejcts17:58
dansmithbut we'd have to have some workaround, like if you delete with a domain scoped token, use the project id of the instance while deleting or something17:58
dansmithI think deleing projects in keystone before the resources are cleaned up is a general problem too right?17:58
dansmithlike, because you have to remember to do that today17:58
johnthetubaguy[m]sean-k-mooney: just checking, I remember it being wanted for region <-> region sync17:58
dansmiths/that/that cleanup/17:58
johnthetubaguy[m]I mean, its about getting a token for the correct project uuid, maybe that is allowed for deleted ones in certain cases, possibly...17:59
sean-k-mooneydansmith: well because admin is god today i think you can fix some of those issue on a project by project basis17:59
dansmithsean-k-mooney: right I know today it works17:59
sean-k-mooneyas in most porject allow you to list reouces by projects17:59
johnthetubaguy[m](as an aside, why my brain thinks up these things at 6pm on a Friday, is beyond me!)18:00
opendevreviewGustavo Santos proposed openstack/nova master: Reattach mdevs to guest on resume  https://review.opendev.org/c/openstack/nova/+/81537318:00
sean-k-mooneyjohnthetubaguy[m]: part of the probelm is there is nothing keystone can do to prevent you deleteing the project as it never know if its in use today18:01
sean-k-mooneywell unified limits/placment  might help18:01
johnthetubaguy[m]yeah, its nasty, I remember the os-purge discussions in berlin (and a few other places)18:01
sean-k-mooneybut we dont track all resouce in palcment so not really18:02
johnthetubaguy[m]sean-k-mooney: you are correct on the uuid thing, we don't allow that in create (yet!) https://docs.openstack.org/api-ref/identity/v3/index.html?expanded=create-project-detail#create-project18:02
dansmithhaving to re-create the project to clean up the resources is pretty gross anyway,18:02
dansmithso I don't know that we should depend on that for this problem18:02
johnthetubaguy[m]yeah, I was more fixed on: "how to get me a project xyz token again", and possible ways to do that, which might be the wrong question18:03
dansmithright I know18:04
dansmithso, even though it's a hack,18:04
dansmithif you show up with a domain-scoped token trying to delete an instance,18:04
dansmithoh actually,18:04
sean-k-mooneyithe issue with domain is the project is not part of the domain anymore18:05
dansmithI was about to say "we can do the same is this instance in this domain? yes? then delete and use context.project_id=instance.project_id"18:05
sean-k-mooneysicne we deleted it18:05
opendevreviewGustavo Santos proposed openstack/nova master: Reattach mdevs to guest on resume  https://review.opendev.org/c/openstack/nova/+/81537318:05
dansmithbut we don't know what domain it was from18:05
dansmithright18:05
sean-k-mooneyso we could start storign the domain in nova18:05
johnthetubaguy[m]although then if I delete a federation domain, then go whoops lots of instances, we might be back in the same problem18:05
sean-k-mooneythen we can say ha you are a domain admin and this belogs to that domain so sure delete away18:06
dansmithwell, right so that would be the longer-term "nova actually knows about domains" thing18:06
johnthetubaguy[m]I don't mind going to keystone for the project_id doesn't match and you are a domain token case, its admin, doesn't need to be that efficient?18:06
dansmithsean-k-mooney: yep18:06
dansmithjohnthetubaguy[m]: but the project is gone, so we can't tell if the project is in the domain you're in18:06
dansmithbecause we can't look it up anymore18:06
sean-k-mooneykeystone dose not allwo you to move projet between domains right18:07
johnthetubaguy[m]doh, of course18:07
dansmith(unless it's soft-deleted in keystone?)18:07
johnthetubaguy[m]although if you delete the domain as well? (like delete the customer that had its own domain, or delete some federation thing)18:07
sean-k-mooneyjohnthetubaguy[m]: we would need to use a system scopted token or a new type of token at that point18:08
dansmithjohnthetubaguy[m]: even the old plan of system scoped users being god has this same problem really.. we'd still need to do something hacky to decide what project_id to record in the instance action, since that non-project god user showed up to delete it18:08
dansmithwe'd know you have permission because you're god, but the delete would 500 today until we fix the assumption that project_id!=None18:09
sean-k-mooneywell yes but we could use all 0 as you have suggesed before18:09
johnthetubaguy[m]I mean we have the all zeros project uuid to play with, but maybe this only matters to the delete call?18:09
johnthetubaguy[m]at least its a super edge case18:09
dansmithsean-k-mooney: right, point being that same hack/workaround would have been needed anyway18:09
sean-k-mooneyyep and we also have the problem of deleteing the nova created resocues in other projects18:10
sean-k-mooneywhich might just be the vms prots18:10
dansmithtrue18:10
sean-k-mooneyalthoguh bfv so also cinder18:10
johnthetubaguy[m]hmm, very true18:10
sean-k-mooneywe could use our admin token for those service if we needed too in this case but im not sure that will work18:11
sean-k-mooneyif we assume our neutron section has a domain scoped admin token on the root domain18:11
sean-k-mooneysince the project is gone it will still be invalid18:11
dansmiththe whole project deletion before cleanup thing is really pretty problematic18:12
sean-k-mooneymaybe we need to jsut check "has role admin and project does not exist"18:12
dansmithwell, that's a good thought18:12
dansmithit's a little more power than you expect18:12
sean-k-mooneywe are defineing admin now as alwasy the oeprator of the cloud right18:12
dansmithtoday all domain admins are pretty much powerful across the hierarchy until nova knows about domains itself18:13
dansmithso maybe that's not so bad?18:13
johnthetubaguy[m]how do we know the poject doesn't exist? we go check keystone in the case where context.project_id != instance.project_id ?18:14
dansmithyou show up for the delete with a domain token,18:14
dansmithwhich means we go to do the "is this in your domain" check,18:14
johnthetubaguy[m]ah, only with domain tokens, right18:14
dansmithand if the project is 404 we assume yes18:14
johnthetubaguy[m]ah, right, I quite like that 🤔18:15
dansmithand in the future,18:15
dansmithif nova starts supporting domains properly,18:15
dansmithwe would have domain_id on the instance and would be able to drop the 404 check and just say "yep, it's in your domain, go for it"18:16
sean-k-mooneynova could jsut stick the domain of an instance in the instance_system_metadata tabel for now if we wanted too18:16
sean-k-mooneybut ya18:16
sean-k-mooneywe could start validating it18:16
johnthetubaguy[m]that has nice symetry with the list instances across all projects18:16
dansmiththat will suck for listing though, which was the primary thing we said should work, so we might as well just do it properly and add it to the table18:17
dansmithjohnthetubaguy[m]: right18:17
sean-k-mooneydansmith: ya we can add it to the tahble but ideally not to alot of tables18:17
dansmithjust need it on instance18:18
sean-k-mooneywhat about the request_spec18:18
sean-k-mooneyor other api db tablels18:18
sean-k-mooneywe might need to stor it in the build qruest or reuest spec before we create the instnace in the cell db18:19
sean-k-mooneyanyway we can figure that out18:19
dansmithwell, okay maybe once in there too, I have to go refresh my memory on those.. I think we do have project (but not user?) on reqspec?18:19
dansmithyeah18:19
sean-k-mooneybut it sound like we need doamin awareness sooner rater then later18:20
sean-k-mooneywe have both https://github.com/openstack/nova/blob/master/nova/objects/request_spec.py#L69-L7018:20
dansmithwell, we need it for this to all work like people expect18:21
sean-k-mooneypersonally i expect that if delete your stuff in keystone first everythign is borked but yes we do18:21
dansmithhaha18:21
dansmithwell, that's because you're smart :)18:21
dansmithbut I meant the expectation of domain users/admins behaving well within their domain18:22
sean-k-mooneyi totally see how this could get messy if your not using keystone internal user manamged however18:22
johnthetubaguy[m]I am fairly sure, tempest just did that for me though :)18:22
sean-k-mooneylike someone makes an active directory change when you move team18:22
dansmithyeah, I think it's more the projects than the users,18:23
dansmithbut yeah totally18:23
sean-k-mooneyhuh the build request only has the project https://github.com/openstack/nova/blob/master/nova/objects/build_request.py#L4318:24
dansmith[10:19:53]  <dansmith> well, okay maybe once in there too, I have to go refresh my memory on those.. I think we do have project (but not user?) on reqspec?18:25
sean-k-mooneyi would guess there arbou 3 tabels we woudl have to add it too instnace, build_requst and request spec18:25
dansmithI meant BR  above^ because it's what we need before it's created,18:26
dansmithbut yeah maybe reqspec too, since we use that if a cell is down I guess18:26
sean-k-mooneyah ya18:26
dansmithactually,18:26
dansmithwe might only need it on reqspec, since I think  we have that the whole time, which means we could join it to BR if we need to18:27
dansmithbut anyway, just gotta do it, shouldn't be terrible18:27
sean-k-mooneyyep if we have it in at least one location in the api db and cell db for each instance we shoudl be ok18:27
dansmithyeah18:28
sean-k-mooneywe would need the other serivce to have the same logic however so maybe a keysotne middelware change18:28
sean-k-mooneyregarding the "its a domain admin and the project nolonger exists" logic18:28
sean-k-mooneyso that when we call neutron and cinder it actully works18:29
dansmithactually works would be good18:29
sean-k-mooneyi missed the list dicussion18:29
sean-k-mooneyis that server list --all-tenats18:30
dansmithyeah18:30
dansmithI gotta run do something, back later18:30
sean-k-mooneyok to me the simpelt way to do that is again with domain tokens and scope it to the project in that domain18:30
sean-k-mooneyok im going to finsih soon but ^  is how i asuemd that would work18:30
sean-k-mooneyif you really wanted all proejct then you would use a domain token on the root domain, assuming keystone exposes that18:31
opendevreviewDmitrii Shcherbakov proposed openstack/nova master: [yoga] Add PCI VPD Capability Handling  https://review.opendev.org/c/openstack/nova/+/80819920:11
opendevreviewDmitrii Shcherbakov proposed openstack/nova master: [yoga] Support remote-managed SmartNIC DPU ports  https://review.opendev.org/c/openstack/nova/+/81211120:11
« Thursday, 2021-11-18 Index Sunday, 2021-11-21 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!