| Posted | Nick | Remark | |
|---|---|---|---|
| #openstack-nova - 2019-07-16 | |||
| 11:26:22 | sean-k-mooney | which set up both the db connection and rabbitmq connection if its not already cached | |
| 11:35:46 | sean-k-mooney | ok so that is invoked when teh context target_cell context manager is used to lookup the instace by its uuid here https://github.com/openstack/nova/blob/master/nova/api/metadata/base.py#L680 | |
| 11:35:51 | slaweq | sean-k-mooney: thx for looking into this | |
| 11:37:30 | openstackgerrit | Balazs Gibizer proposed openstack/nova master: Use the safe get_binding_profile https://review.opendev.org/669817 | |
| 11:49:48 | gibi | efried: if you have time, could you look back to https://review.opendev.org/#/c/666857 ? | |
| 11:55:34 | sean-k-mooney | slaweq: im not 100% certin but the metadata api request that took 16 seconds may have been waiting on neutron for 12 second to respond with the security groups for the instance http://logs.openstack.org/09/666409/7/check/tempest-full/08f4c53/controller/logs/screen-q-svc.txt.gz#_Jul_11_23_43_16_660751 | |
| 12:01:29 | sean-k-mooney | slaweq: actully the device id of the port matches the instance id of the metadata request so yes its was waiting for neuton to return the security group info | |
| 12:02:05 | sean-k-mooney | when we are building the metata data we call neutron to get the security group info here https://github.com/openstack/nova/blob/master/nova/api/metadata/base.py#L145 | |
| 12:02:19 | sean-k-mooney | which does this https://github.com/openstack/nova/blob/46a3bcd80b41e99ec4923c7cf3d0f8dd8505e97c/nova/network/security_group/neutron_driver.py#L374-L409 | |
| 12:02:58 | sean-k-mooney | we list the ports associated with the server which we can see in the neutorn log here http://logs.openstack.org/09/666409/7/check/tempest-full/08f4c53/controller/logs/screen-q-svc.txt.gz#_Jul_11_23_43_04_463505 | |
| 12:03:48 | sean-k-mooney | then we retrive the securtiy group info which takes 12 seconds http://logs.openstack.org/09/666409/7/check/tempest-full/08f4c53/controller/logs/screen-q-svc.txt.gz#_Jul_11_23_43_16_660751 | |
| 12:04:08 | sean-k-mooney | it starts here http://logs.openstack.org/09/666409/7/check/tempest-full/08f4c53/controller/logs/screen-q-svc.txt.gz#_Jul_11_23_43_04_575879 | |
| 12:05:11 | sean-k-mooney | slaweq: what does "Synchronizing usage tracker for tenant" mean in the context of security groups? | |
| 12:07:39 | openstackgerrit | Balazs Gibizer proposed openstack/nova master: Defaults missing group_policy to 'none' https://review.opendev.org/657796 | |
| 12:26:56 | slaweq | sean-k-mooney: let me look at this now | |
| 12:31:23 | kashyap | aspiers: Hi, if you have a SUSE system near by, can you please check if any of the OVMF/EDK2 packages provide this file: /usr/share/OVMF/OVMF_CODE.fd | |
| 12:34:24 | slaweq | sean-k-mooney: it looks that this "Synchronizing usage tracker for tenant.." is done here: https://github.com/openstack/neutron/blob/master/neutron/quota/resource.py#L245 and it counts number of security groups in db and update quota usage in db for this tenant | |
| 12:34:37 | slaweq | sean-k-mooney: I will investigate this more, thx a lot for help | |
| 12:35:04 | sean-k-mooney | im updating the bug and tyring to see if its the same cause for other cases | |
| 12:35:15 | slaweq | sean-k-mooney: thx | |
| 12:35:56 | sean-k-mooney | i am not sure its the same issue in all cases but i did see a another 12 second wait to get netwrok info in another case | |
| 12:36:15 | sean-k-mooney | im currently confirming its coming form a metadta build request | |
| 12:37:07 | artom | lyarwood, heya, could you hit https://review.opendev.org/#/q/topic:bug/1832028+(status:open+OR+status:merged) ? | |
| 12:37:25 | artom | And we'd need to find another stable core, with mriedem having a much earned PTO | |
| 12:52:18 | lyarwood | artom: just hit the stable/stein one, quick open question around testing | |
| 12:52:58 | lyarwood | artom: I'm not sure if we need another DMN testing change in Neutron on stable/stein for this or if everything in Nova stable/stein is already enough | |
| 12:54:53 | openstackgerrit | Matthew Booth proposed openstack/nova master: Failing unit test for bug 1836212 https://review.opendev.org/671023 | |
| 12:54:54 | openstack | bug 1836212 in OpenStack Compute (nova) "libvirt: Failure to recover from failed detach" [Undecided,New] https://launchpad.net/bugs/1836212 | |
| 12:55:04 | efried | gibi: on it | |
| 12:55:11 | efried | Anyone know where cfriesen has been lately? | |
| 13:12:53 | efried | gibi: are you still here? | |
| 13:17:07 | kashyap | efried: I was wondering, too. | |
| 13:17:12 | kashyap | Probably buried in downstream stuff | |
| 13:17:58 | efried | kashyap: Do you know anything about the libvirt patches to make vTPM more secure? | |
| 13:18:22 | kashyap | efried: I do, peripherially. And funny you ask! | |
| 13:18:40 | kashyap | Just today I was browsing that vTPM thread on upstream libvirt list | |
| 13:19:12 | kashyap | The patch series is at v5, and almost ready to be merged | |
| 13:19:18 | openstack | bugzilla.redhat.com bug 1728030 in libvirt "RFE: Add encryption of TPM emulator state" [Unspecified,New] - Assigned to libvirt-maint | |
| 13:19:18 | efried | RH has already written a patch https://www.redhat.com/archives/libvir-list/2019-July/msg00584.html | |
| 13:19:18 | efried | LibVirt RFE: https://bugzilla.redhat.com/show_bug.cgi?id=1728030 | |
| 13:19:22 | kashyap | efried: https://www.redhat.com/archives/libvir-list/2019-July/msg00854.html | |
| 13:19:31 | kashyap | "PATCH v5 00/20] Add support for vTPM state encryption | |
| 13:19:32 | kashyap | " | |
| 13:19:43 | efried | cool, I don't know how to read any of that, so "almost ready to be merged" is a good bit of info. | |
| 13:20:06 | kashyap | It has gone through a good few rounds of feedback from long-time reviewers upstream | |
| 13:20:12 | efried | when that happens, will there need to be any special affordance in the nova design to enable it? | |
| 13:20:31 | efried | like, do we have to (conditionally based on available libvirt version) do something different to the xml? | |
| 13:20:41 | kashyap | efried: Probably the config classes and XML exposure, and the relevant calls in libvirt/driver.py? | |
| 13:20:59 | efried | I guess at the very least we would have to expose a trait saying that "more secure vTPM is available here" | |
| 13:21:16 | kashyap | Right, on the version conditionals | |
| 13:21:52 | efried | But someone needs to be working on the code in the first place. It hasn't been touched since the PTG. | |
| 13:22:28 | kashyap | efried: Yeah, if the author has gone AWOL, then probably "punt it to backlog"? | |
| 13:22:36 | kashyap | When they come back, it can be revived. | |
| 13:22:38 | efried | no can do | |
| 13:22:53 | kashyap | Sorry, what do you mean? | |
| 13:22:55 | efried | more likely "find new owner asap" | |
| 13:22:58 | kashyap | Ah | |
| 13:23:03 | efried | downstream pressure | |
| 13:23:14 | kashyap | Ah-ha, nod. | |
| 13:23:41 | kashyap | It is a useful, self-contained solution -- for those who want it. | |
| 13:27:05 | kashyap | efried: You do know that the core vTPM stuff is merged in upstream libvirt, yeah? | |
| 13:27:22 | kashyap | (The series linked above is for the vTPM state being ecrypted) | |
| 13:27:24 | efried | kashyap: Yeah | |
| 13:27:49 | kashyap | Yeah, just double-confirming. Just checked with DanPB, he said he hasn't looked at the v5 libvirt series yet | |
| 13:27:49 | efried | like, the base design (what we have merged) could be completed any time somebody wanted to pick it up and run with it. | |
| 13:28:15 | artom | lyarwood, yeah, good point, lemme look into that | |
| 13:33:09 | sean-k-mooney | kashyap: has it been released in a libvirt version | |
| 13:33:22 | kashyap | sean-k-mooney: The vTPM state being encrypted? | |
| 13:33:26 | kashyap | No, it is still in review upstream. | |
| 13:33:35 | kashyap | (As noted above) | |
| 13:33:50 | sean-k-mooney | ok then we cant have a feature that depends on that untill its released. not just merged | |
| 13:34:00 | sean-k-mooney | or in this case still under review | |
| 13:34:17 | sean-k-mooney | but unencrypted vTPM can still proceed | |
| 13:34:59 | kashyap | Right, I know the rule. But as long as it is in an upstream libvirt release, it should damn well be fine to have a feature depend on a brand new upstream release | |
| 13:35:02 | sean-k-mooney | it shoudl hopefully be minor to extend unencypted vTPM to encyrpeted once the feature is released | |
| 13:35:16 | sean-k-mooney | yep | |
| 13:35:33 | sean-k-mooney | just need to be in a livirt releases tar | |
| 13:35:44 | sean-k-mooney | it doesnt need to be in a distro | |
| 13:36:10 | kashyap | Right. That's good. In the past there was an absolute bonkers discussion that libvirt release should "bake" in a distro for a month | |
| 13:36:18 | kashyap | ... and receive some "testing" and some such utter nonsense. | |
| 13:36:24 | kashyap | Glad we are doing away with that crap. | |
| 13:37:01 | sean-k-mooney | well the reason for "master is not enough" is like use other porject somtimes merge stuff and revert it before a release | |
| 13:37:19 | sean-k-mooney | so it has to be released but it does not need to be packaged | |
| 13:37:47 | kashyap | sean-k-mooney: Right, I'm with you on that -- so long as it's in a released tarball, we should be (and are) good. | |
| 13:41:13 | tssurya | thanks gibi :) | |
| 13:44:05 | artom | lyarwood, wrote some words on https://review.opendev.org/#/c/670645/2 | |
| 13:44:19 | efried | artom: btw, I did *not* get around to opening that bug yesterday. | |
| 13:44:25 | efried | in case you had a yen to do it | |
| 13:45:29 | artom | lyarwood, if you agree with said words, I shall do the needful for that as well | |
| 13:46:58 | lyarwood | artom: I am if we can run A against stable/stein, I'm not sure that we can | |
| 13:47:21 | lyarwood | artom: A being OVS hybrid same host | |
| 13:47:25 | sean-k-mooney | artom: that is the backport | |
| 13:47:36 | artom | lyarwood, any reason we can't add it to stein's experimental job? | |
| 13:47:45 | artom | sean-k-mooney, yeah, lyarwood is concerned about testing | |
| 13:47:49 | artom | (rightfully so) | |
| 13:48:09 | lyarwood | artom: yeah I just don't know if we just inherit that all from master or if we need to change stuff | |
| 13:48:13 | sean-k-mooney | you should be able to backport the DNM test | |
| 13:48:21 | lyarwood | I'll try experimental first and go from there | |
| 13:48:46 | sean-k-mooney | and merge in the neutorn-iptabels job too if needed | |
| 13:49:23 | artom | And since https://review.opendev.org/#/c/670593/1 popped up when looking through my reviews trying to find the one where efried'd bug manifested itself, it'd be cool if someone could look at that as well, but there's no "natural" person for that area (simple change, but involved understanding SRIOV and device tagging) | |