Monday, 2022-11-14

« Saturday, 2022-11-12 Index Tuesday, 2022-11-15 »
opendevreviewGhanshyam proposed openstack/nova-specs master: Policy service role spec  https://review.opendev.org/c/openstack/nova-specs/+/86437903:35
opendevreviewJorhson Deng proposed openstack/nova master: Remove the redundance code in HostState.update  https://review.opendev.org/c/openstack/nova/+/86427403:51
opendevreviewJorhson Deng proposed openstack/nova master: Remove the redundance code in HostState.update  https://review.opendev.org/c/openstack/nova/+/86427403:53
opendevreviewJorhson Deng proposed openstack/nova master: Remove the redundance code in HostState.update  https://review.opendev.org/c/openstack/nova/+/86427503:56
opendevreviewGhanshyam proposed openstack/placement master: Policy defaults improvement spec  https://review.opendev.org/c/openstack/placement/+/86438505:19
UgglaGood morning nova08:45
sahido/08:59
sahidsean-k-mooney, bauzas anything missing regarding evacuate feature? do you think you will be able to have look on it for this release?09:00
sahidfeel free to let me know if i can be helpful on anything09:05
gibio/09:32
bauzassahid: I'll look at your spec tomorrow09:59
* bauzas is thrown under a loaded bus today09:59
sahidcool thank you bauzas 10:02
bauzassahid: as a reminder, we'll have our spec review day tomorrow, so just make sure to look at the new comments tomorrow afternoon if you can10:03
sahid_bauzas: sure ACK10:49
opendevreviewTakashi Natsume proposed openstack/nova master: Add a hacking rule for the setDaemon method  https://review.opendev.org/c/openstack/nova/+/85465313:04
*** dasm|off is now known as dasm14:46
opendevreviewSylvain Bauza proposed openstack/nova master: Reproducer for bug 1951656  https://review.opendev.org/c/openstack/nova/+/85067315:19
opendevreviewSylvain Bauza proposed openstack/nova master: Handle mdev devices in libvirt 7.7+  https://review.opendev.org/c/openstack/nova/+/83897615:19
opendevreviewSylvain Bauza proposed openstack/nova master: Deprecate mdev creation and hardfail on reboot when missing.  https://review.opendev.org/c/openstack/nova/+/86441815:19
opendevreviewribaudr proposed openstack/nova-specs master: Allow local scaphandre directory to be mapped to an instance using virtiofs  https://review.opendev.org/c/openstack/nova-specs/+/86188115:38
opendevreviewribaudr proposed openstack/nova-specs master: Allow local scaphandre directory to be mapped to an instance using virtiofs  https://review.opendev.org/c/openstack/nova-specs/+/86188116:14
gmanndansmith: can you review these specs related to RBAC (service role for nova and dropping system scope for placement) https://review.opendev.org/c/openstack/nova-specs/+/864379  https://review.opendev.org/c/openstack/placement/+/86438519:33
gmanndansmith: also can you help to understand placement APIs, they should be consider as internal APIs or external? I am considering later and not proposing service role to them19:34
dansmithgmann: hmm, well,19:41
dansmithwe kinda want people to use placement for some things, mostly admin-related though19:42
dansmithbut it's very much internal other than that19:42
dansmithnova should use an account with the service role to talk to placement I think19:42
gmanndansmith: so we need to keep policy open for admin-or-service role. or there are few APIs we can keep only service role ?19:43
dansmithgmann: we probably need to review.. the problem is that when something goes wrong, an admin deleting a stale allocation or something can be required,19:44
dansmithand even things like allocation candidates can be useful for admins19:44
dansmithso yeah I think probably admin-or-service for much of it probably makes sense, but we should probably review all the rules to be sure19:45
sean-k-mooneyso admin-or-service makes sense for things like the external events api19:45
sean-k-mooneybut things like the host-aggrates api should be admin only19:46
gmannok, I think spec is ok then and we can review every rule while doing code change19:46
sean-k-mooneythe os-assisated-volume-extend api would also be admin-or-service19:46
gmannsean-k-mooney: we are making them as service role only - this is for nova  https://review.opendev.org/c/openstack/nova-specs/+/86437919:46
sean-k-mooneyservice only would work but it has an upgrade impact19:47
gmannI think I covered all internal APIs there but if anything missing please comment19:47
sean-k-mooneyso service only woudl be be the end state we woudl like19:47
gmannyeah19:47
dansmithsean-k-mooney: he's asking about placement19:47
sean-k-mooneyim fine with service only by the way if its behind the new default falg19:47
sean-k-mooneyoh placment19:48
sean-k-mooneythats a more interesting case19:48
sean-k-mooneyim kind fo conflicted19:49
sean-k-mooneyon one hand it would be nice to be able to use placment standalone but if we ignore that usecase 19:49
sean-k-mooneythe allcoations endpoint proaably shoudl be service only however we would stant nova-manage heal allcotions to still work19:50
sean-k-mooneyperhaps readonly access for admin 19:51
sean-k-mooneyi dont know. admin-or-service could be applied ot all the admin apis as a first step but i dont knwo if we want to prevent an admin form doing some things19:51
sean-k-mooneylike im tempeted to say the rp and invetory create/update apis shoudl be service only but we allow admins to add traits via the api or tweak the allcoation ratios19:52
sean-k-mooneythe reshape api proably shoudl be service only but im not sure any others fall into that 19:53
sean-k-mooneyusecase19:53
dansmithadmins deleting stale allocations though...19:54
dansmithyeah, reshape can be service only I think19:55
sean-k-mooneywithout using the nova-manage command?19:55
dansmithI think since placement isn't as user-facing it might make sense to just leave it as admin-or-service19:55
dansmithat least focus on other stuff19:55
sean-k-mooneyi think s/admin/admin-or-owner/ for everythign other then reshape19:55
dansmithadmin or service you mean?19:56
gmannyeah, that is what i was thinking to leave them as admin-or-service 19:56
sean-k-mooneysorry admin-or-service19:56
sean-k-mooneyyes19:56
dansmithI assume that when you do things through nova-manage we still use the environment's creds, not the service ones right?19:56
sean-k-mooneyi think nova manage uses the creds in the nova.conf19:56
sean-k-mooneyi have never actully check however but i always tought it got them form there19:57
dansmithhmm, it just means you might have to have nova.conf and service creds on your workstation if that's where you fix things from19:57
dansmithusing regular creds would make more sense to me19:57
sean-k-mooneyi dont think we supprot clouds.yaml with nova-mange19:57
sean-k-mooneyi can check quickly i guess19:57
sean-k-mooneyi assuemd the config sicne we get the db creds form the config19:58
dansmithwell, db creds are different19:58
sean-k-mooneyso i kind of assume we did the same for placment19:58
dansmithbut yeah I dunno I guess19:58
sean-k-mooneyhttps://github.com/openstack/nova/blob/master/nova/cmd/manage.py#L2356-L236019:58
sean-k-mooneyso we get the admin context and then use the placment client19:59
sean-k-mooneyso given this is reusing or normal placment code i woudl think its using the config19:59
dansmiththat's pretty terrible for audit logging19:59
dansmith"a system did this automatically" is what any action by service roles should look like, but it was actually a human20:00
sean-k-mooneyperhaps at least it would show as the nova user but your right that you would not be able to tell nova-compute vs nova-mange aprart20:00
sean-k-mooneybut what that means is if nova-comptue can work with the placment policy then nova-manage should too20:00
dansmithit's not that you can't tell the services apart,20:01
dansmithit's that you can't tell services from humans20:01
dansmithwhich is generally why you don't share passwords among humans, but often do among services20:02
sean-k-mooneyya20:02
dansmithanyway, if we use a service account in nova-manage, then those cases could be service-only for the moment,20:02
dansmithI just don't know that it matters as much as other things20:02
sean-k-mooneyalthough there is noting to stop a rouge admin form just using the nova user and password in the cloud.yaml but your more concerned with the fact nova-mange does not allow you to do anything else20:03
dansmithI'm just concerned about the audit logging for the non-rogue-admin case20:04
sean-k-mooneyya so im not really sure that easy to fix20:04
sean-k-mooneyout of scope of gmann's specs in any case but we have some clint singoltons in use20:05
sean-k-mooneyif we want to share the code between nova-manage and the rest of nova im not sure how easy it woudl be to enable you to use creds form clouds.yaml20:06
dansmithdefinitely out of scope20:06
dansmithI'm just *also* saying that placement remaining admin-or-service while we focus elsewhere seems fine, without having to even have this argument :)20:06
sean-k-mooneyhehe  ya im fine with that too20:06
sean-k-mooneythe usage api need to remain project_reader20:07
sean-k-mooneybut the rest can be admin-or-service for now20:07
gmannack. thanks 20:07
sean-k-mooneydansmith: i got sidetracked with downstream stuff today but ill update the fqdn sepc in my morning20:08
opendevreviewGhanshyam proposed openstack/nova-specs master: Policy service role spec  https://review.opendev.org/c/openstack/nova-specs/+/86437921:03
opendevreviewGhanshyam proposed openstack/nova-specs master: Policy service role spec  https://review.opendev.org/c/openstack/nova-specs/+/86437921:05
gmanndansmith: ^^ updated21:05
*** dasm is now known as dasm|off22:44
« Saturday, 2022-11-12 Index Tuesday, 2022-11-15 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!