songwenping | hi, team. nova-conductor services block at startup after the control nodes' network reset (stop and start for 5min), what's the reason, and has anyone else hit this? | 01:01 |
---|---|---|
gibi | mgariepy: you might be hit by https://bugs.launchpad.net/nova/+bug/2039803 | 08:31 |
opendevreview | Elod Illes proposed openstack/nova stable/2023.1: add a regression test for all compute RPCAPI 6.x pinnings for rebuild https://review.opendev.org/c/openstack/nova/+/900306 | 09:43 |
opendevreview | Elod Illes proposed openstack/nova stable/2023.1: Fix rebuild compute RPC API exception for rolling-upgrades https://review.opendev.org/c/openstack/nova/+/900336 | 09:43 |
opendevreview | Elod Illes proposed openstack/nova stable/2023.1: Adding server actions tests to grenade-multinode https://review.opendev.org/c/openstack/nova/+/900337 | 09:43 |
bauzas | elodilles: thanks for taking care of the RPC backports | 09:53 |
elodilles | np :) | 10:18 |
bauzas | elodilles: as a reminder, we'll need to modify the main change when backporting to Zed since one of the two modifications is related to a new RPC version that was added in Antelope | 10:19 |
elodilles | bauzas: i had only a quick look at the zed version, but yes, i saw that there should be a conflict | 10:19 |
elodilles | though as i saw probably it's trivial to resolve (famous last words? :)) | 10:20 |
bauzas | elodilles: probably, I can take a look when I have time | 10:35 |
opendevreview | Mark Goddard proposed openstack/nova master: Functional test test_boot_reschedule_with_proper_pci_device_count https://review.opendev.org/c/openstack/nova/+/760354 | 11:23 |
opendevreview | Mark Goddard proposed openstack/nova master: Fix PCI passthrough race on reschedule (refresh) https://review.opendev.org/c/openstack/nova/+/710848 | 11:23 |
dvo-plv | sean-k-mooney, I write to you regarding your comment https://review.opendev.org/c/openstack/nova/+/876075/27/nova/api/validation/extra_specs/hw.py#540 | 12:03 |
dvo-plv | I found this doc https://review.opendev.org/c/openstack/glance/+/882133/3/doc/source/admin/useful-image-properties.rst | 12:03 |
dvo-plv | but i can not find glance metadata and flavor extra spec which I have to extend | 12:04 |
sean-k-mooney | ah right you have done this already | 12:04 |
sean-k-mooney | dvo-plv: you have already done it in https://review.opendev.org/c/openstack/glance/+/882133/3/etc/metadefs/compute-libvirt.json | 12:04 |
sean-k-mooney | that patch has everything you need to do in glance | 12:04 |
sean-k-mooney | dvo-plv: all that is missing is the nova doc update to document the extra spec | 12:05 |
dvo-plv | okay, I will test gibi's comments and update nova patch | 12:05 |
sean-k-mooney | that is done in the user/flavor.rst doc | 12:05 |
dvo-plv | sorry, i did not get it | 12:06 |
sean-k-mooney | your current nova patch does not update doc/source/user/flavor.rst | 12:06 |
sean-k-mooney | * doc/source/user/flavors.rst | 12:07 |
sean-k-mooney | we list all the extra specs there https://github.com/openstack/nova/blob/master/doc/source/user/flavors.rst#extra-specs | 12:07 |
sean-k-mooney | so you should just add the packed format there in your patch too | 12:07 |
sean-k-mooney | just as you did in the glance useful-image-properties.rst | 12:08 |
dvo-plv | okay, I based it on vif_multiqueue_enabled and it is not present in this doc, so I thought it has other purposes | 12:15 |
sean-k-mooney | when vif_multiqueue_enabled was first introduced it was only an image property | 12:17 |
sean-k-mooney | we added it as a flavor extra spec in a separate patch a few releases later | 12:17 |
dvo-plv | got it | 12:18 |
sean-k-mooney | although it looks like we also forgot to update the doc when we added it | 12:18 |
sean-k-mooney | so we should probably fix that at some point | 12:18 |
sean-k-mooney | dvo-plv: sorry i think i linked the wrong doc | 12:19 |
sean-k-mooney | dvo-plv: you should update https://docs.openstack.org/nova/latest/configuration/extra-specs.html instead | 12:27 |
sean-k-mooney | which is here https://github.com/openstack/nova/blob/e5e5e00579212cf0b3a58cf7248f7e9483c17461/doc/source/configuration/extra-specs.rst | 12:27 |
sean-k-mooney | this doc is auto generated so you should not need to modify it | 12:29 |
sean-k-mooney | let me confirm on the docs preview job | 12:29 |
sean-k-mooney | dvo-plv: https://5e2e8f3aeccddec75327-8da05f86af8a44d2353be3e602197c08.ssl.cf1.rackcdn.com/876075/27/check/openstack-tox-docs/8e3d058/docs/configuration/extra-specs.html#hw:virtio_packed_ring | 12:30 |
sean-k-mooney | dvo-plv: so nova doc generation is working fine for your change | 12:31 |
dvo-plv | I also found this doc, it is in the web version https://docs.openstack.org/nova/latest/configuration/extra-specs.html, but it does not have as much info in the github https://github.com/openstack/nova/blob/master/doc/source/configuration/extra-specs.rst | 12:31 |
dvo-plv | So i thought that it is generated dynamically | 12:32 |
sean-k-mooney | we use sphinx directives to auto generate the content of the doc | 12:32 |
sean-k-mooney | .. extra-specs:: hw | 12:33 |
sean-k-mooney | is automatically generating all the hw: extra specs including the one you're adding | 12:33 |
sean-k-mooney | we have a sphinx extension that does this https://github.com/openstack/nova/blob/e5e5e00579212cf0b3a58cf7248f7e9483c17461/doc/ext/extra_specs.py | 12:34 |
sean-k-mooney | dvo-plv: it uses the info from the extra spec validators to generate the content | 12:35 |
sean-k-mooney | so as long as we provide a validator the doc is always up to date | 12:35 |
dvo-plv | so, with docs all good | 12:40 |
dvo-plv | i do not update anything else | 12:40 |
dvo-plv | only fix gibi's comments | 12:40 |
sean-k-mooney | correct, the docs should all be fine | 12:41 |
sean-k-mooney | but gibi's comments in the review are valid | 12:41 |
sean-k-mooney | especially = false handling | 12:41 |
dvo-plv | good that we clarified that, thanks | 12:41 |
mgariepy | gibi, yes thanks i found it and applied the workarounds stuff. | 13:37 |
SvenKieske | hi there, can anybody update me on the status of this spec? https://specs.openstack.org/openstack/nova-specs/specs/wallaby/approved/nova-support-webvnc-with-password-authentication.html | 13:55 |
sean-k-mooney | SvenKieske: it was rejected | 13:56 |
SvenKieske | I found out that it was not accepted for xena for non-stated issues with its design and then I can't find any updates anymore | 13:56 |
sean-k-mooney | the issues with the design came down to how insecure the password based auth is | 13:56 |
SvenKieske | mhm ok, don't want to argue about that, right now. | 13:57 |
sean-k-mooney | our recommendation is to use vcrypt instead | 13:57 |
SvenKieske | related, I found the docs for the "auth_schemes" variable really lacking, as there is no description of possible values: https://docs.openstack.org/nova/latest/configuration/config.html#vnc.auth_schemes | 13:58 |
sean-k-mooney | there are 2 values vencrypt and none | 13:58 |
SvenKieske | yeah, but only "none" is documented, leaving users to read the source code, as usual in openstack land :) | 13:59 |
sean-k-mooney | or all the vencrypt values below it | 13:59 |
sean-k-mooney | which explicitly say "vnc.auth_schemes: must include vencrypt" | 13:59 |
sean-k-mooney | but that is a small change we could make, we do list the enum values in other config options | 14:00 |
SvenKieske | regarding vcrypt: isn't that about transport channel encryption? isn't that totally unrelated to user authentication and authorization? | 14:00 |
sean-k-mooney | so user auth and authorisation should be done at the OS level | 14:00 |
SvenKieske | I mean, not totally unrelated, it's also a good security thing to do, but it does address a different problem, doesn't it? | 14:00 |
sean-k-mooney | there are two separate things here yes | 14:01 |
SvenKieske | thanks for the information so far, it has been some time since I looked into novnc auth stuff. | 14:01 |
sean-k-mooney | nova provides a vnc proxy where authorisation is granted to connect via a bearer token that is provided as part of the console show response | 14:01 |
sean-k-mooney | if you enable vencrypt that enables cert based auth between the proxy and qemu | 14:02 |
SvenKieske | yeah, that's the mechanism I'm used to, also from other virtualization solutions in the space | 14:02 |
sean-k-mooney | which prevents direct access to the qemu consoles | 14:02 |
SvenKieske | I didn't find any information so far though: is the bearer token stuff enabled by default? how to configure it? maybe I was looking at the wrong config values | 14:02 |
sean-k-mooney | it is, we use the token for 2 different things | 14:03 |
sean-k-mooney | first it's used for auth as it has an expiry and can only be issued by someone in the same project | 14:03 |
sean-k-mooney | second we use it to look up which instance to proxy the websocket connection to | 14:04 |
sean-k-mooney | so the proxy checks if the token is still valid and then uses it to lookup what host/tcp port to proxy to | 14:04 |
SvenKieske | so it seems it's always enabled? at least here is no config toggle documented? https://docs.openstack.org/nova/latest/configuration/config.html#consoleauth | 14:05 |
sean-k-mooney | combine that with vencrypt and that will mean the only way to connect to the console is via the proxy | 14:05 |
sean-k-mooney | SvenKieske: so console auth used to be a separate service but it was rolled into the other nova services several years ago | 14:06 |
sean-k-mooney | the token_ttl is all that is left | 14:06 |
sean-k-mooney | so yes will always issue the token when you do openstack console url show <instance> | 14:06 |
sean-k-mooney | with a default expiry of 10 minutes | 14:07 |
sean-k-mooney | the current behavior of the proxy is to keep the active session alive after token expiry but we are adding a feature to terminate it this cycle | 14:07 |
sean-k-mooney | it will be opt in via a config option since most end users will want the current behavior | 14:08 |
SvenKieske | okay, nice to know, thank you very much for the detailed explanations, as always :) | 14:19 |
opendevreview | Merged openstack/nova stable/zed: Add debug logging when Instance raises OrphanedObjectError https://review.opendev.org/c/openstack/nova/+/888161 | 14:26 |
opendevreview | John Garbutt proposed openstack/nova-specs master: Expose PCI device NUMA using PXB https://review.opendev.org/c/openstack/nova-specs/+/869416 | 14:26 |
SvenKieske | opened a bug for our deployment scenario, as we don't currently seem to lock down the connection between proxy and qemu: https://bugs.launchpad.net/kolla-ansible/+bug/2043709 | 14:35 |
sean-k-mooney | most installers don't | 14:35 |
sean-k-mooney | it's not even done in tripleo and redhat added the feature in nova :P | 14:35 |
sean-k-mooney | but it is something we are planning to enable soon | 14:35 |
sean-k-mooney | the main blocker to using this by default in installers is the need to do tls cert generation and rotation | 14:36 |
sean-k-mooney | we are currently in the process of moving our downstream product to use golang operator to deploy openstack on openshift | 14:37 |
sean-k-mooney | and we plan to leverage the fact that we have access to certmanager in that env to handle that for us | 14:37 |
opendevreview | Pierre Riteau proposed openstack/nova master: Fix a couple of typos https://review.opendev.org/c/openstack/nova/+/892300 | 14:40 |
opendevreview | Sylvain Bauza proposed openstack/nova-specs master: Proposes mdev live-migration support in libvirt https://review.opendev.org/c/openstack/nova-specs/+/900636 | 15:12 |
admin1 | i get this "Build of instance 6c7b960d-ede4-4218-99b0-2f9d55f84dab aborted: Volume d53a7298-685a-43cd-89a3-13b9d6207dcd did not finish being created even after we waited 187 seconds or 61 attempts. And its status is creating" -- this is due to a 20gb image which is not present in the hypervisors and they need to be downloaded from glance first to | 16:12 |
admin1 | use as base image .. which variables in nova.conf do I need to use to fix this ? | 16:12 |
opendevreview | Sylvain Bauza proposed openstack/nova-specs master: Proposes mdev live-migration support in libvirt https://review.opendev.org/c/openstack/nova-specs/+/900636 | 16:20 |
opendevreview | Merged openstack/nova stable/yoga: Add debug logging when Instance raises OrphanedObjectError https://review.opendev.org/c/openstack/nova/+/888162 | 16:47 |
opendevreview | Balazs Gibizer proposed openstack/nova master: Allow enabling cpu_power_management with 0 dedicated CPUs https://review.opendev.org/c/openstack/nova/+/901188 | 17:11 |
opendevreview | John Garbutt proposed openstack/nova-specs master: Expose PCI device NUMA using PXB https://review.opendev.org/c/openstack/nova-specs/+/869416 | 17:14 |
Continuity__ | admin1: block_device_allocate_retries and block_device_allocate_retries_interval | 17:24 |
*** | Continuity__ is now known as Continuity | 17:25 |
Continuity | in nova.conf will allow you to adjust those timeouts | 17:25 |
opendevreview | John Garbutt proposed openstack/nova-specs master: Add spec for PCI Groups https://review.opendev.org/c/openstack/nova-specs/+/899719 | 17:39 |
opendevreview | John Garbutt proposed openstack/nova-specs master: Add spec for PCI Groups https://review.opendev.org/c/openstack/nova-specs/+/899719 | 17:43 |
opendevreview | John Garbutt proposed openstack/nova-specs master: Add spec for PCI Groups https://review.opendev.org/c/openstack/nova-specs/+/899719 | 17:44 |
opendevreview | Jing Geng proposed openstack/nova-specs master: APIImpact https://review.opendev.org/c/openstack/nova-specs/+/901145 | 17:45 |
opendevreview | Artom Lifshitz proposed openstack/nova master: DNM: Debug log if host state not updated from compute https://review.opendev.org/c/openstack/nova/+/901196 | 18:03 |
admin1 | Continuity, thanks .. is block_device_allocate_retries: 600 and block_device_allocate_retries_interval: 5 an acceptable value? | 18:10 |
opendevreview | Merged openstack/nova master: Fix python shebang https://review.opendev.org/c/openstack/nova/+/898594 | 19:02 |
Continuity | admin1: yeah that should be fine | 20:24 |
Continuity | it means it will wait 5 seconds and try 600 times | 20:24 |
opendevreview | Merged openstack/nova master: Drop remaining deprecated upgrade_levels option for nova-cert https://review.opendev.org/c/openstack/nova/+/898613 | 20:50 |
opendevreview | Merged openstack/nova stable/xena: Add debug logging when Instance raises OrphanedObjectError https://review.opendev.org/c/openstack/nova/+/888163 | 20:53 |
opendevreview | melanie witt proposed openstack/nova master: libvirt: Configure and teardown ephemeral encryption secrets https://review.opendev.org/c/openstack/nova/+/826754 | 23:19 |
opendevreview | melanie witt proposed openstack/nova master: imagebackend: Add support to libvirt_info for LUKS based encryption https://review.opendev.org/c/openstack/nova/+/826755 | 23:19 |
opendevreview | melanie witt proposed openstack/nova master: Add encryption support to convert_image https://review.opendev.org/c/openstack/nova/+/870934 | 23:19 |
opendevreview | melanie witt proposed openstack/nova master: Support create with ephemeral encryption for qcow2 https://review.opendev.org/c/openstack/nova/+/870932 | 23:19 |