| Posted | Nick | Remark | |
|---|---|---|---|
| #openstack-nova - 2019-07-03 | |||
| 13:06:51 | sean-k-mooney | right that is messy | |
| 13:07:36 | Luzi | sean-k-mooney, that seems good from my perspective, so automatic key creation for shelve and cross-cellresize, given a metadata parameter indicating a formerly encrypted image | |
| 13:08:06 | sean-k-mooney | yep and if that metadata paramter is not set just do what we do today | |
| 13:08:17 | Luzi | yes | |
| 13:08:25 | sean-k-mooney | so you can make it complete transparent to the end user and no api changes needed | |
| 13:09:37 | Luzi | that sounds good, I will add this to the spec :) | |
| 13:16:16 | lyarwood | mdbooth: https://review.opendev.org/#/c/668750/ - thoughts on this? Came across it last night while looking at upstream bugs and suddenly noticed this codepath is dead. We could just keep it but it hasn't been tested in ~3 years so it might be easier to start over with a clean volume driver. | |
| 13:18:18 | mdbooth | lyarwood: Hmm. It doesn't sound like we're going to implement native iscsi any time soon, tbh, due to lacking multipath and no upstream motivation to implement it. | |
| 13:18:35 | mdbooth | Making this just dead code which isn't like to be used any time soon. | |
| 13:18:42 | mdbooth | And which probably doesn't work anyway. | |
| 13:19:51 | mdbooth | lyarwood: Is os-brick based iscsi problematic? | |
| 13:20:42 | lyarwood | mdbooth: it has some rough edges wrt to multipath etc but the basic single path stuff also covered by this native support is QEMU is pretty solid | |
| 13:20:53 | lyarwood | s/is/in/g | |
| 13:21:23 | lyarwood | so yeah I'm fine nuking this for now and if anyone cares enough we can reintroduce it later in a broken out volume driver | |
| 13:21:30 | lyarwood | and have it actually tested in the gate etc | |
| 13:21:41 | mdbooth | lyarwood: +1 from me for nuking unusable code | |
| 13:22:21 | lyarwood | ack thanks | |
| 13:25:54 | shilpasd | efried: Hi, need discussion on https://review.opendev.org/#/c/667952/1/nova/conf/scheduler.py@188 | |
| 13:26:07 | efried | Sure shilpasd | |
| 13:26:29 | efried | I'm sure we must have discussed this during the spec review | |
| 13:26:30 | shilpasd | here saying 'enable_forbidden_aggregates_filter' conf option bydefault enabled | |
| 13:26:46 | efried | It must be about the performance penalty. | |
| 13:26:54 | shilpasd | efried: but what we observed for other request filters, its not so | |
| 13:27:33 | efried | Well, this one is doing a pretty expensive db lookup every time. The other filters are (I think) exclusively local processing. | |
| 13:27:48 | efried | Have you done any kind of performance analysis of this filter? | |
| 13:27:54 | efried | especially on a large database with lots of aggregates | |
| 13:28:39 | shilpasd | efried: not on that large scale | |
| 13:29:13 | efried | dansmith: you were also concerned about the performance of this filter. | |
| 13:30:14 | efried | Having thought about it some, we're better off being conservative unless we can demonstrate that the db lookup is super cheap. | |
| 13:30:25 | efried | So - leave the conf option as is shilpasd :) | |
| 13:30:30 | efried | I'll update the review. | |
| 13:31:07 | sean-k-mooney | efried: i think all the prefilters default to false so for consitency i would keep it as false too | |
| 13:31:21 | shilpasd | efried: great, thank you, we are keeping it as False | |
| 13:31:24 | sean-k-mooney | at least until we have info from deploymetns that its cheap and works well | |
| 13:31:56 | efried | sean-k-mooney: In this case I was suggesting that we remove the toggle entirely. You have to do enough other stuff to opt in, the only benefit you get by having it switched off is that you don't run the code. | |
| 13:32:05 | shilpasd | sean-k-mooney: thank you for opinion | |
| 13:32:31 | sean-k-mooney | ah right ok | |
| 13:33:17 | shilpasd | efried: thanks for discussion | |
| 13:33:22 | efried | yw | |
| 13:44:01 | gibi | stephenfin, efried: I'm +2 on the extra_spec validation spec https://review.opendev.org/#/c/638734 . alex_xu and bauzas had comments earlier. do we want to wait for them to chime in? | |
| 13:44:31 | stephenfin | gibi: alex_xu, sure, but I think bauzas is MIA now since it's summer and he's French | |
| 13:44:58 | gibi | stephenfin: OK, cool with me | |
| 13:46:04 | efried | probably want to get sean-k-mooney to re-ack as well | |
| 13:46:24 | sean-k-mooney | which reivew? | |
| 13:46:30 | efried | he has the medal for most comments in a single review on that one. | |
| 13:46:33 | efried | sean-k-mooney: https://review.opendev.org/#/c/638734 | |
| 13:46:37 | efried | extra spec validation | |
| 13:46:54 | sean-k-mooney | ah ok | |
| 13:47:10 | sean-k-mooney | am ya that is a medal i get a little too often | |
| 13:47:48 | sean-k-mooney | ill quickly re review it now | |
| 13:49:32 | efried | stephenfin: any merit in changing the topic of that spec and its patch (https://review.opendev.org/640733) to ...-extended to match the new bp? | |
| 13:49:48 | efried | I could understand if you want to keep them grouped with the old ones, as currently. | |
| 13:49:51 | efried | either way | |
| 13:49:57 | stephenfin | I'm happy with either too | |
| 13:50:14 | stephenfin | so I'll leave it but won't object if you want to change it :) | |
| 13:50:21 | efried | I only glanced at the number of results https://review.opendev.org/#/q/topic:bp/flavor-extra-spec-image-property-validation+(status:open+OR+status:merged) -- no idea how related/unrelated they actually are. | |
| 13:50:38 | efried | is your work really a continuation of that? | |
| 13:50:55 | stephenfin | To be honest, not really now. It's the same idea but on a broader scale | |
| 13:51:14 | stephenfin | Perhaps I should have a totally different name. Open to suggestions | |
| 13:51:39 | stephenfin | Given that I'm not doing image metadata validation now, a new name would definitely be a good idea | |
| 13:51:40 | efried | Oh, let's not go through the paperwork of changing the blueprint and stuff. | |
| 13:51:54 | efried | but yeah, that's a point | |
| 13:55:02 | sean-k-mooney | cool your going with my stevador suggestion for cyborge extra spec valdaditon or other services. | |
| 13:55:05 | sean-k-mooney | almsot done | |
| 13:55:19 | stephenfin | yeah, it was a good one | |
| 13:57:12 | efried | sean-k-mooney: I saw (but did not read) you discussing image encryption with Luzi. Where are you on that spec? | |
| 13:57:34 | efried | I noticed she added a sentence on (no) impact on lifecycle operations; is that sufficient to address your concern from the previous PS? | |
| 13:58:14 | efried | also lyarwood: are you +1 on that? Your words imply so, but there's no vote. | |
| 13:58:37 | efried | talking about https://review.opendev.org/#/c/608696/ btw | |
| 13:58:47 | sean-k-mooney | efried: nova should create a tempory key on shelve and encypte the snapshot if the instance image was encypted and delete the key when unshelving. same for cross cell resize | |
| 13:58:49 | Luzi | efried, i have to reconsider shelve and cross-cell resize | |
| 13:59:00 | lyarwood | efried: yeah sorry the comments were against an older PS so I couldn't vote | |
| 13:59:15 | efried | okay, cool, thanks all. I'll hold off and wait for a new PS | |
| 13:59:27 | sean-k-mooney | either that or we need to expsoe it on the shelve/resize api endpoint for the end user to decide | |
| 14:00:39 | openstackgerrit | Dakshina Ilangovan proposed openstack/nova-specs master: Spec: Provider config YAML file https://review.opendev.org/612497 | |
| 14:00:53 | efried | sean-k-mooney, Luzi: But that changes everything. | |
| 14:01:28 | openstackgerrit | Matt Riedemann proposed openstack/nova stable/queens: Init HostState.failed_builds https://review.opendev.org/668911 | |
| 14:01:30 | sean-k-mooney | efried: what changes everything? auto encypte or api endpoint or both | |
| 14:01:49 | efried | Auto encrypt: As previously written, you didn't keep track of whether a server was originated from an encrypted image. Now you would have to. | |
| 14:01:49 | efried | API endpoint: now you need a microversion (right?) | |
| 14:02:06 | sean-k-mooney | yes | |
| 14:02:26 | sean-k-mooney | too ^ we would need a microversion | |
| 14:02:44 | sean-k-mooney | not sure about keeping track of if it was encypted | |
| 14:03:01 | sean-k-mooney | i think Luzi said there was a metadta key on the image/instance | |
| 14:03:22 | efried | I thought the spec said we forget about that. | |
| 14:03:27 | sean-k-mooney | i assume it would be in the embeded copy of hte image meta we store in the request spec | |
| 14:04:20 | efried | "...the encryption-related | |
| 14:04:20 | efried | additional metadata properties become irrelevant and thus may be discarded | |
| 14:04:20 | efried | instead of being carried over into the server's metadata." | |
| 14:04:24 | Luzi | efried, i thought so until sean-k-mooney asked me, we misinterpreted the word snapshot | |
| 14:06:05 | efried | I'm on the fence about whether it's better to encrypt automatically or on-demand when doing things involving snapshot. | |
| 14:06:36 | efried | but it seemed reasonable as written (on-demand) | |
| 14:06:45 | efried | and simpler | |
| 14:06:50 | sean-k-mooney | either would be ok. what i dont think is ok would be that shelve and cross cell resize alway result in unencypted snap shots with no way to encyrpte them | |
| 14:07:20 | efried | (cross-cell resize creates a snapshot?) | |
| 14:07:23 | sean-k-mooney | so if we do the microversion bump or auto encypt i think both are fine | |
| 14:07:25 | sean-k-mooney | efried: yes | |
| 14:07:50 | efried | okay | |
| 14:07:52 | sean-k-mooney | efried: for corss cell resize we can rely on direct connectivity to the host | |
| 14:08:22 | efried | if we auto-encrypt, then we should do the same for the already-considered snapshot case (createImage) | |