Wednesday, 2023-05-17

14:00 <whoami-rajat> #startmeeting cinder
14:00 <opendevmeet> Meeting started Wed May 17 14:00:02 2023 UTC and is due to finish in 60 minutes.  The chair is whoami-rajat. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:00 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
14:00 <opendevmeet> The meeting name has been set to 'cinder'
14:00 <whoami-rajat> #topic roll call
14:00 <raghavendrat> hi
14:00 <harsh> hi
14:01 <geguileo> hi! o/
14:01 <eharney> hi
14:01 <helenadantas[m]> hi
14:01 <nahimsouza[m]> o/
14:01 <crohmann> hi there!
14:01 <MatheusAndrade[m]> o/
14:02 <keerthivasansuresh> o/
14:02 <jungleboyj> o/
14:02 <caiquemello[m]> o/
14:02 <whoami-rajat> #link https://etherpad.opendev.org/p/cinder-bobcat-meetings
14:02 <rosmaita> o/
14:03 <simondodsley> o/
14:04 <yuval> 0/
14:04 <thiagoalvoravel> o/
14:04 <whoami-rajat> good number of people around today
14:04 <whoami-rajat> let's get started
14:05 <whoami-rajat> #topic announcements
14:05 <whoami-rajat> first, CVE-2023-2088
14:05 <whoami-rajat> #link https://lists.openstack.org/pipermail/openstack-discuss/2023-May/033614.html
14:05 <whoami-rajat> you can go through the verbose mail but i will summarize it here
14:06 <whoami-rajat> we've a security vulnerability (fixed now) which causes unauthorized access to volumes
14:06 <whoami-rajat> it could be *accidental* and also *intentional*, so we should be more careful about the intentional case if any user with malicious intents tries it
14:06 <whoami-rajat> The fixes spanned across cinder, os-brick, glance and nova projects, which to my knowledge, everything is merged now
14:07 <whoami-rajat> from master to all active stable branches (till yoga) -- xena is EM now
14:07 <crohmann> whoami-rajat: I believe there are required config changes for those who did not yet configure service_users / service_tokens / roles correctly right?
14:07 <whoami-rajat> Thanks to geguileo , rosmaita , dansmith and melwitt for fixing the cinder, glance and nova side of things respectively! (Also a lot of other people were involved)
14:08 <whoami-rajat> crohmann, yes correct, it has a deployment impact on upgrade
14:08 <geguileo> crohmann: correct, there are configuration changes necessary in the deployments
14:08 <whoami-rajat> which reminds me geguileo put up a doc patch related to this
14:08 <whoami-rajat> #link https://review.opendev.org/c/openstack/cinder/+/883360
14:08 <rosmaita> i'm reviewing it now!
14:08 <yuval> me also
14:08 <geguileo> here's the current doc https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html
14:08 <whoami-rajat> crohmann, you can refer to it for the changes required ^
14:08 <yuval> it's an improvement
14:09 <yuval> I still didn't manage to configure my system...
14:09 <yuval> but I'm missing core knowledge on keystone
14:10 <geguileo> yuval: not much should be needed to be done on keystone...
14:10 <geguileo> just make sure cinder and nova users have the service role
14:10 <geguileo> then make nova send the service token by changing its configuration
14:10 <geguileo> configure cinder to accept the token and validate it
14:10 <yuval> yes yes
14:10 <geguileo> at a high level that should be all
14:11 <whoami-rajat> this should also be a brief doc for people in a hurry ^
14:11 <yuval> anybody else here using master and managed to make it work?
14:12 <geguileo> in devstack nova should already be configured
14:12 <yuval> every third party ci - once patchset will rebase will have to be updated
14:12 <geguileo> because devstack configures the service role in nova
14:12 <geguileo> I don't think 3rd party needs to be updated
14:12 <geguileo> as long as they do normal devstack deployment
14:13 <yuval> kolla-ansible?
14:13 <geguileo> I made the cinder patch work even if cinder is not configured to accept the token
14:13 <geguileo> yuval: no idea what kolla does...
14:14 <harsh> I use devstack. Will go through the doc and see how to integrate.
14:14 <yuval> geguileo can you share the devstack patch you added to support it?
14:14 <geguileo> harsh: with devstack it should work out of the box without any changes
14:15 <harsh> ok thanks :)
14:15 <geguileo> yuval: I didn't have to add anything, devstack has been configuring nova to send tokens for a very long time
14:15 <yuval> I see
14:16 <geguileo> it just adds the service role to the nova user and configures it, let me see if I can find the patch
14:17 <whoami-rajat> does any of our third party CIs use deployment tools other than devstack?
14:17 <simondodsley> they shouldn't do
14:17 <geguileo> yuval: I think this is the area where the role is created https://github.com/openstack/devstack/blob/34afa91fc9f830fc8e1fdc4d76e7aa6d4248eaaa/lib/keystone#L325
14:18 <drencrom> I made a patch to nova for the service token stuff
14:18 <geguileo> the code that adds the service user to nova: https://github.com/openstack/devstack/blob/34afa91fc9f830fc8e1fdc4d76e7aa6d4248eaaa/lib/nova#L816
14:19 <geguileo> drencrom: you mean to configure it by default instead of relying on devstack or the deployment tool?
14:20 <whoami-rajat> "The ResellerAdmin role is used by Nova and Ceilometer" -- interesting
14:20 <geguileo> https://github.com/openstack/nova/commit/41c64b94b0af333845e998f6cc195e72ca5ab6bc
14:20 <geguileo> ^ I think that's the other nova patch
14:20 <drencrom> Sorry I messed up, I did a patch to configure it automatically on juju charms
14:20 <geguileo> drencrom: nice!
14:20 <drencrom> but it is already working in nova and cinder by my tests
14:21 <drencrom> I'm working on the same thing for cinder charms now
14:21 <geguileo> drencrom++
14:21 <whoami-rajat> drencrom++
14:22 <geguileo> yuval: Did you change your nova config for ALL the nova services and confirm on boot with debug that they are using that config?
14:22 <geguileo> I'm saying it because it has happened to me in the past
14:23 <geguileo> I update a .conf file, but that's not the one that the service is actually using, or I forget to restart the service
14:23 <crohmann> whoami-rajat: I know I asked about the required config change myself. But could we maybe continue with the weekly and postpone the discussion about the CVE related config changes?
14:23 <geguileo> It would be embarrassing if people knew how many times that has happened to me
14:23 <yuval> currently I tested just nova-compute,nova-api cinder-volume, cinder-api
14:24 <yuval> crohmann: agree we can continue the conf issue on the cinder chat
14:24 <yuval> after the meeting
14:25 <whoami-rajat> crohmann, agreed, i just didn't want to interrupt the flow of discussions but we've a lot more to discuss
14:25 <whoami-rajat> let's discuss this after the meeting
14:25 <whoami-rajat> in the meantime you can go through the email
14:26 <whoami-rajat> next announcement, Festival of XS reviews
14:26 <whoami-rajat> #link https://etherpad.opendev.org/p/cinder-festival-of-reviews
14:26 <whoami-rajat> this is the third week of the month so we will have festival of XS reviews this friday (19 May)
14:26 <whoami-rajat> since bluejeans is out and meetpad sucks (at least for me), we will use google meet for which i will create a meeting link before the festival starts
14:27 <whoami-rajat> so stay alert on the cinder channel if you would like to join
14:27 <whoami-rajat> next, Forum session for Vancouver summit
14:27 <whoami-rajat> #link https://lists.openstack.org/pipermail/openstack-discuss/2023-May/033625.html
14:27 <whoami-rajat> the date for forum sessions was extended and now the deadline is tomorrow
14:28 <whoami-rajat> The date is extended to Thursday May, 18th at 7:00 UTC
14:28 <whoami-rajat> if you are planning to attend, you can submit a forum session here
14:28 <whoami-rajat> #link https://openinfrafoundation.formstack.com/forms/forum_expansion
14:28 <rosmaita> i completely missed that, thanks for mentioning it
14:28 <zaitcev> By that you mean the festival or forum? But either way both are interesting.
14:28 <whoami-rajat> np, would be good to have more people joining
14:29 <whoami-rajat> zaitcev, the forum, we don't require form filling for festival, it's open for all :D
14:30 <whoami-rajat> finally the Upcoming events
14:30 <whoami-rajat> M-1 just passed, we released os-brick with the new CVE fix
14:31 <whoami-rajat> python-cinderclient and python-brick-cinderclient-ext didn't have functional changes so abandoned those releases
14:31 <whoami-rajat> os-brick 6.3.0 should contain the CVE fix
14:31 <whoami-rajat> #link https://pypi.org/project/os-brick/6.3.0/
14:31 <whoami-rajat> now on to the future events
14:31 <whoami-rajat> 1) OpenInfra Summit & PTG in Vancouver: June 13-15, 2023
14:32 <whoami-rajat> 2) Bobcat-2 Milestone: July 6th, 2023
14:32 <simondodsley> anyone here going to Vancouver? Would be good to meet in person again.
14:32 <whoami-rajat> M-2 will include driver freeze (volume + target)
14:33 <whoami-rajat> also forgot to mention we've spec freeze before that
14:33 <whoami-rajat> Spec freeze 23 June, 2023
14:34 <whoami-rajat> simondodsley, I'm planning to but the process is complicated for me so can't guarantee it
14:34 <zaitcev> simondodsley: I'm going, although I haven't even registered and booked a hotel yet.
14:34 <nahimsouza[m]> simondodsley: from netapp, me and caiquemello are planning to go
14:34 <eharney> simondodsley: i'll be there
14:36 <jungleboyj> simondodsley: Wish I could be but it conflicts with a workshop in Shanghai that I need to be at.
14:37 <simondodsley> cool - we'll have to arrange a meetup for those that are there. Pure is having a Happy Hour in the Brass Fish on the Tuesday evening - so you can all come to that if you want
14:37 <simondodsley> you can register here: https://forms.gle/J9m6N3h6WGLguDLT6
14:38 <simondodsley> marketing went a bit mad so take the title of the event with a pinch of salt
14:39 <whoami-rajat> everyone will meet at PTG but i understand you're referring to something unofficial
14:39 <whoami-rajat> good to see lot of people joining
14:39 <whoami-rajat> anyway, we've less time so let's move to topics -- because i see a big one
14:39 <whoami-rajat> #topic Cinder-Backup very slow / inefficient when using chunked drivers, e.g. S3
14:40 <whoami-rajat> crohmann, that's you
14:40 <crohmann> Yes. Sorry about me not attending the last two meetings. Life got in the way.
14:40 <whoami-rajat> no worries, good that you could make it today
14:41 <crohmann> I'd really love to see "the" alternative to RBD as cinder-backup driver to reach usable performance levels. I am asking for someone to dive into the bottlenecks here. I added some measurements to the referenced bug (not mine BTW)
14:43 <crohmann> Basically currently the drivers based on the chunked approach are simply not fast enough to be usable. And I believe a real deep-dive into the issue and possible performance gains is required to make this fly.
14:44 <crohmann> Be it multi-threading the read -> hash -> compress -> upload pipeline or use streaming IO or whatever
14:44 <crohmann> zaitcev: Did offer to look into this in the past?
14:45 <zaitcev> crohmann: I promised but I did not. Sorry about that. It is assigned to me semi-officially.
14:47 <crohmann> I did not want to pin you personally to this issue. I'd rather have some sort of agreement that having alternatives in the form of object storage as backup target would be good and that the current performance is too slow for larger volumes.
14:47 <crohmann> To quote myself: "Consider a not crazy big 8TiB volume is being backed up in full.
14:47 <crohmann> At 1 GiB/s the volume backup will still take ~2.5 hrs to complete"
14:49 <crohmann> With no core support for this issue I am really afraid to invest any time in more testing or even restructuring the data flow there.
14:52 <simondodsley> sorry for the interrupt - the form link I sent earlier for the Pure Vancouver event had a permissions error - this has now been fixed
14:53 <crohmann> whoami-rajat: that's all I have on this issue really. I am simply seeking clarity if using object storage to cinder backups is viable
14:55 <whoami-rajat> crohmann, thanks for bringing this up, i understand the concern but unless we've someone to commit to working on it, we can't do much here
14:55 <whoami-rajat> i don't think it's trivial and will require quite a bit of testing
14:56 <whoami-rajat> thereby consuming lot of cycles
14:56 <whoami-rajat> anyway, if anyone plans on taking this up, you can contact crohmann
14:57 <crohmann> sadly yes. But what good is a driver that does not perform well enough to be usable? There had to be some performance targets when this was added right? Backing up a test volume of 1GiB is not helping.
14:57 <jbernard> o/ i might be interested, im also looking at the s3 spec, crohmann maybe we can catch up later
14:58 <whoami-rajat> great!
14:58 <crohmann> jbernard: gladly. Do you have my email? Just drop me a line christian.rohmann@inovex.de. I might have a working student who could also take this apart and rework the data flow. But in the end this needs to go through review.
14:58 <jbernard> crohmann: jobernar@redhat.com
14:58 <jbernard> crohmann: will do
14:59 <crohmann> thanks!
14:59 <whoami-rajat> we've another topic but not much time to discuss
14:59 <whoami-rajat> if anyone is aware about the tooz situation, please leave a comment here
14:59 <whoami-rajat> #link https://review.opendev.org/c/openstack/os-brick/+/873100
15:00 <whoami-rajat> i think gates should be working fine by now so a recheck should be good to try
15:00 <whoami-rajat> we're out of time
15:00 <whoami-rajat> take a look at review requests
15:00 <whoami-rajat> thanks everyone for attending
15:00 <whoami-rajat> #endmeeting
15:00 <opendevmeet> Meeting ended Wed May 17 15:00:35 2023 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
15:00 <opendevmeet> Minutes:        https://meetings.opendev.org/meetings/cinder/2023/cinder.2023-05-17-14.00.html
15:00 <opendevmeet> Minutes (text): https://meetings.opendev.org/meetings/cinder/2023/cinder.2023-05-17-14.00.txt
15:00 <opendevmeet> Log:            https://meetings.opendev.org/meetings/cinder/2023/cinder.2023-05-17-14.00.log.html
15:00 <jungleboyj> Thank you!
15:00 <harsh> thank you :)
