Luzi | #startmeeting image_encryption | 13:04 |
---|---|---|
opendevmeet | Meeting started Mon Apr 15 13:04:45 2024 UTC and is due to finish in 60 minutes. The chair is Luzi. Information about MeetBot at http://wiki.debian.org/MeetBot. | 13:04 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 13:04 |
opendevmeet | The meeting name has been set to 'image_encryption' | 13:04 |
Luzi | #topic Roll Call | 13:04 |
fungi | ahoy! | 13:04 |
Luzi | hi | 13:04 |
Luzi | #topic Image Encryption Spec | 13:05 |
Luzi | So in the PTG the Nova team approached the Cinder and Glance team with new requirements and ideas for the image encryption. | 13:05 |
fungi | is there a summary of the new requirements? | 13:07 |
Luzi | When we started to evaluate the image encryption a few years ago the tooling to encrypt images with LUKS for end users was not easy and would have required root privilege and other things | 13:07 |
Luzi | now qemu has tooling which makes it easier, and my colleague already tested it | 13:08 |
fungi | oh very cool | 13:08 |
Luzi | as Nova and Cinder both use LUKS encryption, especially Nova would like to not have to convert between gpg and LUKS | 13:08 |
Luzi | so with these "new" qemu features and Glance being just a storage for images, we agreed to rework the whole spec to use LUKS instead of GPG | 13:09 |
Luzi | in that way, there are no decrypting mechanisms needed in nova - and cinder will only need to convert from qcow2-LUKS to raw LUKS blocks | 13:10 |
Luzi | (as far as i did understand it) | 13:10 |
fungi | sounds more efficient too | 13:10 |
Luzi | yeah | 13:10 |
Luzi | but we still need to standardize all possible metadata in glance and look through all possible workflows | 13:11 |
Luzi | so I wrote a new Spec that incorporates this. | 13:11 |
Luzi | #link https://review.opendev.org/c/openstack/glance-specs/+/915726 | 13:12 |
Luzi | It is also very fortunate to have the Secret Consumers in Barbican, because we will still need them | 13:12 |
Luzi | they may even get a bigger role | 13:13 |
Luzi | so... that is a big change | 13:13 |
fungi | indeed | 13:13 |
fungi | thanks for the update! | 13:13 |
Luzi | but in the end we hope that with the alignment in all services we will have better overall workflows | 13:14 |
fungi | the end result sounds like it will be easier to maintain long-term at least | 13:14 |
Luzi | yea | 13:14 |
Luzi | although - this could have happened a bit earlier for my taste :D | 13:14 |
fungi | of course | 13:15 |
fungi | it's a significant course change which invalidates a lot of earlier work | 13:15 |
Luzi | well - I will focus on getting the patch through and looking into Cinder and what work needs to be done there | 13:15 |
fungi | maybe this will at least help increase the review priority for the new parts | 13:16 |
Luzi | overall the feature will be smaller and easier to review | 13:16 |
Luzi | which is good i think | 13:16 |
Luzi | yeah | 13:17 |
Luzi | #topic Open Discussion | 13:18 |
Luzi | do you have anything you want to talk about? | 13:18 |
fungi | i did not, but other than the new nova requirements was there anything else useful to come out of ptg discussions about image encryption? | 13:20 |
Luzi | hm some things in how nova and cinder are handling the passphrase or key to encrypt/decrypt their LUKS - but I think that is mainly a part on their sides, we would focus on Glance | 13:23 |
Luzi | #link https://etherpad.opendev.org/p/dalmatian-ptg-cinder#L393 | 13:24 |
fungi | interesting, that's useful to note in the design, i guess | 13:25 |
fungi | thanks! | 13:25 |
Luzi | okay, anything else? | 13:26 |
fungi | nothing on my end, nope | 13:27 |
Luzi | okay, thank you for joining this meeting and have a nice week | 13:28 |
fungi | thanks, you too! | 13:28 |
Luzi | #endmeeting image_encryption | 13:28 |
opendevmeet | Meeting ended Mon Apr 15 13:28:46 2024 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 13:28 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/image_encryption/2024/image_encryption.2024-04-15-13.04.html | 13:28 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/image_encryption/2024/image_encryption.2024-04-15-13.04.txt | 13:28 |
opendevmeet | Log: https://meetings.opendev.org/meetings/image_encryption/2024/image_encryption.2024-04-15-13.04.log.html | 13:28 |