Earlier  
Posted Nick Remark
#openstack-nova - 2019-03-20
15:40:25 lbragstad i have done something similar for this work in the past, but not the migration
15:42:16 openstackgerrit Dan Smith proposed openstack/nova-specs master: Add request-filter-image-types spec https://review.openstack.org/644625
16:08:48 bauzas mriedem: efried_rolling: FWIW, I left https://review.openstack.org/#/c/644412/5 waiting for other reviews, we could just +W it tonight EOB if you want
16:08:57 bauzas ie. US folks EOB I mean
16:09:19 bauzas that leaves melwitt, dansmith or other West Coast folks to balance if needed
16:09:51 mriedem ack
16:23:47 openstackgerrit Dan Smith proposed openstack/nova-specs master: Add request-filter-image-types spec https://review.openstack.org/644625
16:24:36 gmann lbragstad: mriedem do we really need system_scope=all ? until enforce_scope=false scope_type will not be checked just log warning so operator will have time to consume the scope_type things
16:25:46 gmann I mean as we have configuration variable to enable/disable the scope_type then, we can directly do "role:reader", scope_type: 'system'
16:29:30 kashyap What are the other volume drivers besides: Quobyte, Virtuozzo, SMBFS?
16:30:21 lbragstad gmann i think we do need "role:reader and system_scope:all", especially in the case where we are applying that to things like hypervisors
16:30:37 lbragstad otherwise we could accidentally open the hypervisor API up to anyone with the reader role on anything
16:31:14 lbragstad since the check string would be "role:reader or rule:admin_or_owner" instead of "(role:reader and system_scope:all) or rule:admin_or_owner"
16:47:58 openstackgerrit Kashyap Chamarthy proposed openstack/nova master: libvirt: Use 'writeback' QEMU cache mode when 'none' is not viable https://review.openstack.org/641981
16:47:59 openstackgerrit Kashyap Chamarthy proposed openstack/nova master: libvirt: vzstorage: Use 'writeback' QEMU cache mode https://review.openstack.org/643376
16:47:59 openstackgerrit Kashyap Chamarthy proposed openstack/nova master: libvirt: smbfs: Use 'writeback' QEMU cache mode https://review.openstack.org/643377
16:48:50 kashyap mdbooth: ^ Has the bare-minimum doc update. For the volume drivers text: the 'vzstorage' and 'smbfs' patch should also merge along with the main patch -- for the "doc to tell the truth"
16:49:17 mdbooth kashyap: Thanks
16:49:20 cfriesen kashyap: everything under virt/libvirt/volume?
16:50:49 gmann lbragstad: ok. make sense until enforce_scope is not removed or defaulted to True.
16:51:36 mnaser lbragstad, mriedem: late but better than ever, i tried hacking a little bit on what it would look like and i was also unsure of how an ideal transition path might look like
16:51:50 gmann lbragstad: so in that case requested cred will have to add system_scope=all for such request then only they are auth otherwise not
16:52:17 mnaser i think the concern is bob's openstack deployment who hasn't deleted their policy.json file or is currently overriding a few things that finds themselves exposing a lot of things after an upgrade
16:54:11 lbragstad mnaser how so?
16:54:18 gmann mnaser: any policy rule overridden in policy.json file will keep working as it is because we will add old policy rule as deprecated_rule in new rules. But yes if anyone reply on policy in code default thing then they will see this impact
16:54:26 lbragstad because their overrides are obsolete?
16:55:15 mnaser lbragstad: if someone had role:support to GET hypervisor list, and now we updated it that they need system scope now for that specific policy
16:55:23 mnaser they find themselves with a non functional policy at that point i guess
16:55:59 mnaser yeah i think the concern is that it would break existing policies
16:56:00 lbragstad if they have a special role for listing hypervisors and an override for that policy, then it should still work even if we change the default
16:56:13 gmann yeah
16:59:30 gmann if bob reply on GET hypervisor with default policy which is say "admin" currently, we will change this to say "role:reader and system_scope:all" or something which control it not to expose to non-admin
17:01:49 mnaser lbragstad: if we change the scope to system, wouldn't it stop working then.. because that role is probably project scoped?
17:01:55 mnaser project scoped to the 'admin' tenant
17:02:12 lbragstad roles aren't scoped to projects per se
17:02:45 lbragstad roles can be associated to actors on targets, actors can be groups or users, and targets can be projects, domains, or system
17:03:13 mnaser right, but bob's openstack cloud probably has it targeting projects right now, as 99% of our docs have always said
17:03:26 mnaser "if you want to give a role for X, create a project and add X role to Y user into it"
17:03:41 gmann also scope_type will not be enforced until it is explicitly set True by enforce_scope. enforce_scope default is false as of now.
17:08:46 mnaser but if its not enforced then could that not introduce other eissues?
17:09:45 eandersson Morning
17:09:56 mnaser role:reader and system_scope:system without it enforced means role:reader can get hypervisor list?
17:10:05 eandersson What is the difference from disk_gb and disk_available_least?
17:11:03 lbragstad mnaser that's why we write the policy like "(role:reader and system_scope:all) or role:admin_or_owner"
17:11:08 gmann no, as lbragstad mentioned we will add a special case of scope_type for that what keystone did - role:reader and system_scope:all
17:11:29 mnaser ok so we would have a policy enforcing both .. until we decide to cut it off
17:11:38 gmann true
17:11:39 mnaser so maybe a train could be a transitionary release i guess
17:11:43 mnaser and then we can flip the switch
17:12:10 lbragstad we need to write slightly more complicated policy check_strs to allow for the migration
17:12:18 gmann I suggest to flip in V to give 1 2 cycle of transition phase as this is huger change in policy
17:12:34 mnaser can you enable enforcement of system_scope?
17:12:36 lbragstad then we can offload more to oslo.policy using enforce_scope=True in the future and simplify the check strings
17:12:57 mnaser could a deployer enable it AND put rule:admin_or_owner set to nothing
17:13:05 mnaser and they'd be using 'the new system'
17:13:51 lbragstad yeah... if a deployer wants to opt into the new system, they just have to maintain a policy file with the *new* defaults, which omits the logical OR with oslo.policy migration
17:14:07 lbragstad it's clunky... but...
17:16:52 openstackgerrit Merged openstack/nova master: Add known issue for minimum bandwidth resource leak https://review.openstack.org/644694
17:40:24 NobodyCam Good Morning Nova folks
17:54:00 jaypipes NobodyCam: mornin :)
17:54:08 jaypipes or afternoon.
17:54:31 NobodyCam hey hey jaypipes long time!
17:56:39 eandersson jaypipes, do you happen to know the difference between free_disk_gb and disk_available_least?
17:56:49 eandersson I assume disk_available_least takes images etc into account?
17:57:07 eandersson Trying to figure out why a vm that was destroyed and re-created won't fit into the same compute again.
17:57:25 eandersson free_disk_gb is large enough to accommodate the vm
17:58:47 eandersson also, manually creating the vm on that compute worked (free_disk_gb is now 4, and disk_available_least is -33)
17:59:27 sean-k-mooney eandersson: disk_available_lest will sometime be the same but it can be wildly different depending on your storage backend
18:00:00 eandersson so this is probably due to the rocky upgrade
18:00:45 eandersson we don't use a specified storage backend
18:00:49 eandersson so what ever is default
18:01:10 eandersson brb
18:01:45 sean-k-mooney eandersson: google could me this https://gist.github.com/JCallicoat/43505cab0535057ca4fb
18:02:14 sean-k-mooney i wonder if we have that comment in our code
18:02:33 NobodyCam so dumb question, when creating new project / user it's just the _member_ role that is required to launch instances?
18:02:55 sean-k-mooney NobodyCam: by defualt yes
18:03:11 NobodyCam :)
18:03:21 sean-k-mooney although you have to also have a default quota of instnaces greater then 0
18:07:32 sean-k-mooney eandersson: what i ment by storage spefic backedn is it gets a little broken when using shared storage e.g. nfs or rbd
18:08:55 sean-k-mooney eandersson: if free_gb is positive and disk_available_lest is negitive it means your worst case over commited for the instance that are shduled to the host exceed that allowed by your over commit raitio
18:10:12 klindgren Question re: live migration + configdrive + iso9960. Instead of scping the file between HV's. Can why can't we just recreate the config drive on the destination host?
18:10:48 sean-k-mooney klindgren: i belive there was a libvirt bug that prevented
18:10:52 sean-k-mooney klindgren: but we could
18:10:54 klindgren Are files that re passed in via the a boot command, not started as part of the vm data? So the config drive would be incomplete?
18:11:53 sean-k-mooney klindgren: i think that depends. i think we store user-data in the db in the instance extra table
18:12:13 klindgren Yea, we changed the code (we have a new enough libvirt) on the scp to look for iso9961 vs iso9960. And the migration works, it just creates a sparsely populated file with no data in it on the dst.
18:12:20 sean-k-mooney klindgren: what files are you spscically refering to
18:13:11 klindgren Nova boot --file /seomdest=blah --file /anotherdest=asdf
18:13:27 klindgren Which gets put in to config drive under content/000, content/0001
18:14:17 sean-k-mooney klindgren: ya so openstack server create --user-data < my data> is stored in the db i dont think we store teh contets of files passed with --file
18:14:18 NobodyCam another dumb question: is there a trick to allowing the admin to launch service instances: I'm seeing Policy check for os_compute_api:os-hide-server-addresses failed with credentials <blah> when attempting to launch Octavia instances
18:20:31 sean-k-mooney NobodyCam: am the amdin account i think need but admin and _member_ roles
18:20:43 sean-k-mooney but the admin account still had a quota
18:21:14 sean-k-mooney in the case of octavir the octavia service account allso has a quota typeiclay it will be set to -1 to have no limit however
18:30:47 openstackgerrit Merged openstack/nova master: docs: Misc cleanups https://review.openstack.org/644616
18:32:21 mriedem klindgren: correct personality files (file injection) are not stored in the db so if they are only in the config drive and you rebuild the config drive on the dest, those will be gone
18:32:37 mriedem same issue for shelve/unshelve with a config drive + personality files
18:33:15 sean-k-mooney mriedem: personality files are also deprecated for removal for 2 release or more right?
18:33:32 mriedem correct https://specs.openstack.org/openstack/nova-specs/specs/queens/implemented/deprecate-file-injection.html
18:33:37 mriedem but it's an API so they aren't going to be removed

Earlier   Later