Earlier  
Posted Nick Remark
#openstack-nova - 2019-07-02
21:37:01 efried right, but "using encrypted storage backends" is not part of this spec
21:37:06 efried that's already supported
21:38:29 sean-k-mooney right but that means on the host the iamge is still encrypted as its streamed into an encpted file
21:39:12 sean-k-mooney so when you do a nova rescue and you boot form a different image you still need to pass the encyption key to qemu so it can open that encypted file a use it
21:39:26 efried Not "still encrypted". decrypted to clear, then re-encrypted with a different key (and possibly a different algorithm, etc)
21:40:09 efried so yes, *if* your storage backend is encrypted, regardless of whether you're using *image* encryption (this feature), then you'll need to manage slinging keys around.
21:40:15 sean-k-mooney the decypted to clear happens in memory. but when i was referign to still encrypted i ment after it was re encrypted
21:40:31 efried I'm saying they're separate and unrelated.
21:40:33 sean-k-mooney ok so long as that all works that is cool
21:40:39 efried I think
21:40:50 sean-k-mooney i just was suprised that it was never mention in the spec
21:43:44 sean-k-mooney i could cahcne my +1 to a -1 i guess until josephine seifert replies to confirm but i whould have expect this to at least be mentioned in the spec if all it was is "it jsut works"
22:12:27 mriedem dansmith: you know how this set_host_enabled is a blocking rpc call? if this is an ironic compute service managing 1000 compute nodes (1000 resource providers) and we have to sync the trait on all of them, i'm not sure if that would take more than 60 seconds but it might - thinking this change should use the long_rpc_timeout for that call now - agree?
22:21:27 mriedem weee looks like the gate is crapping itself too atm
22:23:00 openstackgerrit Merged openstack/nova-specs master: Policy Default Refresh spec https://review.opendev.org/547850
22:26:24 dansmith mriedem: yeah makes sense to make it a long rpc call
22:26:55 dansmith mriedem: even for the single compute case, if placement is bogged or something, we could still take a while to set the trait
22:31:13 openstackgerrit Merged openstack/nova stable/queens: Restore connection_info after live migration rollback https://review.opendev.org/662471
22:35:54 mriedem melwitt: can you hit this remaining queens backport? https://review.opendev.org/#/c/629597/
22:47:51 openstackgerrit Merged openstack/nova-specs master: Spec: Use OpenStack SDK in Nova https://review.opendev.org/662881
22:50:06 sean-k-mooney heh if only the rest of the repo had a 10 minute merge trun around time
23:06:54 openstackgerrit Matt Riedemann proposed openstack/nova master: Sync COMPUTE_STATUS_DISABLED from API https://review.opendev.org/654596
23:07:15 mriedem it is done https://review.opendev.org/#/q/topic:bp/pre-filter-disabled-computes+(status:open+OR+status:merged)
23:08:23 openstackgerrit Merged openstack/nova-specs master: Libvirt: add vPMU spec for train https://review.opendev.org/651269
23:09:25 sean-k-mooney mriedem: as in you have split it out int different patches and its now ready for review?
23:09:33 mriedem hells yeah
23:09:37 mriedem it's glorious
23:10:16 sean-k-mooney cool im poking at similar code for my own prefilter stuff so ill see if ther are any trick i shoudl "borrow" form my onw stuff
23:10:58 sean-k-mooney mriedem: did you drop the custom trait stuff since os-tratis 1.15 is released
23:11:03 mriedem yes
23:11:08 mriedem technically efried did that for me
23:11:21 sean-k-mooney cool
#openstack-nova - 2019-07-03
00:40:10 melwitt alex_xu: hey, would appreciate to have your thoughts on the unified limits spec around the proxy API/deprecation and migration parts https://review.opendev.org/602201
00:40:36 melwitt *especially the proxy API/deprecation and migration parts
00:45:24 openstackgerrit Merged openstack/nova stable/rocky: Init HostState.failed_builds https://review.opendev.org/668520
00:45:31 openstackgerrit Merged openstack/nova master: Stabilize unshelve notification sample tests https://review.opendev.org/668675
01:21:45 openstackgerrit Merged openstack/nova stable/queens: Fail to live migration if instance has a NUMA topology https://review.opendev.org/629597
02:06:59 openstackgerrit Merged openstack/nova stable/queens: libvirt: Avoid using os-brick encryptors when device_path isn't provided https://review.opendev.org/656464
06:17:01 openstackgerrit Artom Lifshitz proposed openstack/nova master: [WIP] Introduce live_migration_claim() https://review.opendev.org/635669
06:17:02 openstackgerrit Artom Lifshitz proposed openstack/nova master: New objects for NUMA live migration https://review.opendev.org/634827
06:17:03 openstackgerrit Artom Lifshitz proposed openstack/nova master: LM: add support for sending NUMAMigrateData to the source https://review.opendev.org/634828
06:17:03 openstackgerrit Artom Lifshitz proposed openstack/nova master: LM: add support for updating NUMA-related XML on the source https://review.opendev.org/635229
06:17:04 openstackgerrit Artom Lifshitz proposed openstack/nova master: RPC changes to prepare for NUMA live migration https://review.opendev.org/634605
06:17:04 openstackgerrit Artom Lifshitz proposed openstack/nova master: NUMA live migration support https://review.opendev.org/634606
06:17:05 openstackgerrit Artom Lifshitz proposed openstack/nova master: CONF.enable_numa_live_migration is not needed >= Train https://review.opendev.org/640021
07:02:59 openstackgerrit Yongli He proposed openstack/nova master: Add server sub-resource topology API https://review.opendev.org/621476
07:25:22 openstackgerrit Balazs Gibizer proposed openstack/nova stable/stein: Stabilize unshelve notification sample tests https://review.opendev.org/668806
07:34:06 openstackgerrit Lee Yarwood proposed openstack/nova master: Get rid of args to RBDDriver.__init__() https://review.opendev.org/668564
07:52:02 openstackgerrit Lee Yarwood proposed openstack/nova master: libvirt: Remove unreachable native QEMU iSCSI initiator config code https://review.opendev.org/668750
08:37:32 openstackgerrit Boxiang Zhu proposed openstack/nova master: Make evacuation respects anti-affinity rule https://review.opendev.org/649963
08:47:40 kashyap johnthetubaguy: You about by any chance? If so, the Secure Boot spec requires the final +2 (& a +W), assuming you're satisfied with all the things I've addressed: https://review.opendev.org/#/c/506720/
09:57:28 kashyap alex_xu: Hi, maybe you can give the final ACK (if you don't spot anything else): https://review.opendev.org/649963
11:23:34 openstackgerrit Josephine Seifert proposed openstack/nova-specs master: Spec for the Nova part of Image Encryption https://review.opendev.org/608696
11:26:32 Luzi sean-k-mooney, I added a few sentences concerning the lifecycle
11:56:30 openstackgerrit Artom Lifshitz proposed openstack/nova master: NUMA live migration support https://review.opendev.org/634606
11:56:31 openstackgerrit Artom Lifshitz proposed openstack/nova master: CONF.enable_numa_live_migration is not needed >= Train https://review.opendev.org/640021
12:37:45 sean-k-mooney Luzi: thanks ill re review but overall i liked the spec
12:41:55 sean-k-mooney Luzi: so all server operations like shelve,rescure, mirgrations will all work
12:42:04 Luzi yes
12:43:01 sean-k-mooney and for shelve if the instance is create form an encypted image teh snapshot that is created automaticly by shelve will be encrypted
12:46:34 Luzi I will have a deeper look into this, but we only wanted to create encrypted images when a user triggers the encryption
12:47:43 sean-k-mooney without a change to the shelve api the user would not be able to say use encyption since for shvele and cross cell resize a snapshot is created automatically
12:48:05 sean-k-mooney rather then the user calling the snapshot api directly
12:48:50 sean-k-mooney so we would really want the encyption to be sticky. e.g. if the instacne was created form an encypeted image defult to encyption
12:52:47 Luzi well it seems there are three options here:
12:53:26 Luzi 1. leaving this alone, so there would not be any encryption during shelve
12:53:46 Luzi 2. automaticly encryption - which is a huge problem for glance, btw...
12:54:52 Luzi or 3. let the user trigger the encryption (and maybe deny the operation, when the original image was encrypted)
12:55:43 Luzi the last one would need a metadata change, so we can check, whether the snapshot could be taken without encryption
12:55:57 Luzi but it seems to be the most reasonable way
12:56:56 sean-k-mooney well if we do 1 if i wanted to steal you sensitive data all i have to do is shelve you instnace grap a copy of the snapshot which is in the clear and unshelve it
12:57:09 Luzi there was a misunderstanding here with the word snapshot, so thank you for the hint
12:57:20 Luzi yeah, thats not nice from a security perspective :D
12:57:37 sean-k-mooney 2 and 3 are the most secure
12:58:10 sean-k-mooney the issue with 3 woudl be that its would be fine for shelve to be exteded with a "encypte this please" option
12:58:22 sean-k-mooney resize im less sure about
12:58:52 Luzi 2 would not be practically as automatically creating secrets for a ressource of another project is horrible
12:58:56 sean-k-mooney for resize we only create a snapshot if its a cross cell resize
12:59:20 sean-k-mooney a normal resize wont create a snapshot
12:59:29 Luzi so i will add number three in the spec and will have a look into resize too
12:59:38 sean-k-mooney and as an unprivaldaged user i cant tell if its cross cell or not
13:00:10 Luzi thank you, that was reasonable the best review I got so far :D
13:01:10 sean-k-mooney :) well hopefully we can get this landed soon. as i said the rest of the spec looks good to me
13:02:13 sean-k-mooney just to undersdand the problem with option 2, what is the issue with createing keys automatically
13:02:52 sean-k-mooney i had assumed we would use the same key we are currently using
13:03:23 sean-k-mooney rather then create a new one but i also have not considered it much
13:03:37 Luzi who will delete a newly created key bound to an image?
13:04:17 Luzi well if its not exactly the same image anymore, would you encrypt it with the same key?
13:04:47 sean-k-mooney well for shelve we delete the image we created when unshelving
13:05:20 Luzi so there would be a point for nova to create and delete a key, that would be okay
13:05:25 sean-k-mooney and for cross cell resize we auto delete teh image snapthot when we create the instnace on the dest node
13:05:26 sean-k-mooney so nova
13:06:01 sean-k-mooney yes in both cases nova could create a temperoy key and it could delete it at the correct time
13:06:02 Luzi i know that discussion from cinder and glance, there cinder creates a key which glance has to delete - that is not a good practise
13:06:51 sean-k-mooney right that is messy
13:07:36 Luzi sean-k-mooney, that seems good from my perspective, so automatic key creation for shelve and cross-cellresize, given a metadata parameter indicating a formerly encrypted image
13:08:06 sean-k-mooney yep and if that metadata paramter is not set just do what we do today
13:08:17 Luzi yes
13:08:25 sean-k-mooney so you can make it complete transparent to the end user and no api changes needed
13:09:37 Luzi that sounds good, I will add this to the spec :)

Earlier   Later