Monday, 2020-04-27

*** ociuhandu has quit IRC		00:07
*** tosky has quit IRC		00:09
*** ociuhandu has joined #openstack-nova		00:13
openstackgerrit	Ghanshyam Mann proposed openstack/nova master: zuul: Switch to the Zuulv3 grenade job https://review.opendev.org/704364	00:14
*** ociuhandu has quit IRC		00:18
*** hongbin has quit IRC		00:41
*** hongbin has joined #openstack-nova		00:43
openstackgerrit	Kevin Zhao proposed openstack/nova master: [WIP] CI: add tempest-integrated-compute-aarch64 job https://review.opendev.org/714439	00:46
*** zhanglong has joined #openstack-nova		01:21
*** Liang__ has joined #openstack-nova		01:22
openstackgerrit	Brin Zhang proposed openstack/python-novaclient stable/train: Update master for stable/train https://review.opendev.org/723290	01:28
*** tetsuro has quit IRC		01:43
*** songwenping_ has joined #openstack-nova		01:47
*** songwenping__ has quit IRC		01:50
*** tetsuro has joined #openstack-nova		01:53
openstackgerrit	Brin Zhang proposed openstack/nova stable/train: Update master for stable/train https://review.opendev.org/723295	02:03
*** tbachman has quit IRC		02:03
*** tbachman has joined #openstack-nova		02:06
*** hongbin has quit IRC		02:23
*** zhanglong has quit IRC		02:31
*** zhanglong has joined #openstack-nova		02:33
*** zhanglong has quit IRC		02:39
*** ociuhandu has joined #openstack-nova		02:40
openstackgerrit	xuyuanhao proposed openstack/nova master: failed to loads pyc file's classes https://review.opendev.org/723301	02:44
*** ociuhandu has quit IRC		02:50
*** threestrands has joined #openstack-nova		02:51
*** ociuhandu has joined #openstack-nova		02:55
*** ociuhandu has quit IRC		03:00
*** tetsuro has quit IRC		03:08
*** sapd1 has joined #openstack-nova		03:10
*** mkrai has joined #openstack-nova		03:19
*** songwenping__ has joined #openstack-nova		03:26
*** songwenping_ has quit IRC		03:28
*** psachin has joined #openstack-nova		03:31
*** ociuhandu has joined #openstack-nova		03:33
*** factor has joined #openstack-nova		03:34
*** tetsuro has joined #openstack-nova		03:38
*** ociuhandu has quit IRC		03:38
openstackgerrit	Arthur Dayne proposed openstack/os-resource-classes master: Add new resource class: PSSD, VSSD https://review.opendev.org/723303	03:40
*** stephenfin has quit IRC		03:59
*** stephenfin has joined #openstack-nova		04:09
*** tbachman has quit IRC		04:12
*** avolkov has joined #openstack-nova		04:12
*** tbachman has joined #openstack-nova		04:13
*** songwenping_ has joined #openstack-nova		04:21
*** ircuser-1 has quit IRC		04:23
*** ratailor has joined #openstack-nova		04:24
*** songwenping__ has quit IRC		04:24
*** ociuhandu has joined #openstack-nova		04:27
*** ociuhandu has quit IRC		04:34
*** evrardjp has quit IRC		04:35
*** evrardjp has joined #openstack-nova		04:35
openstackgerrit	Arthur Dayne proposed openstack/os-resource-classes master: Add new resource class: SSD https://review.opendev.org/723303	04:46
*** mkrai has quit IRC		04:59
*** mkrai_ has joined #openstack-nova		04:59
*** yaawang_ has quit IRC		05:13
*** yaawang_ has joined #openstack-nova		05:14
*** vishalmanchanda has joined #openstack-nova		05:18
openstackgerrit	Kevin Zhao proposed openstack/nova master: [WIP] CI: add tempest-integrated-compute-aarch64 job https://review.opendev.org/714439	05:20
*** udesale has joined #openstack-nova		05:29
*** links has joined #openstack-nova		05:30
*** songwenping__ has joined #openstack-nova		05:38
*** damien_r has joined #openstack-nova		05:38
*** songwenping_ has quit IRC		05:41
*** damien_r has quit IRC		05:43
openstackgerrit	Arthur Dayne proposed openstack/os-resource-classes master: Add new resource class: SSD https://review.opendev.org/723303	05:53
*** dpawlik has joined #openstack-nova		05:56
*** ociuhandu has joined #openstack-nova		06:02
*** ociuhandu has quit IRC		06:06
*** songwenping_ has joined #openstack-nova		06:12
bauzas	gibi: I'm taking an half-day PTO this morning, see you this afternoon	06:15
*** songwenping__ has quit IRC		06:16
*** CeeMac has joined #openstack-nova		06:16
openstackgerrit	Andrey Volkov proposed openstack/nova master: [WIP] Image auto signature https://review.opendev.org/723320	06:46
*** lennyb has quit IRC		06:54
*** damien_r has joined #openstack-nova		06:55
*** ociuhandu has joined #openstack-nova		06:55
*** damien_r has quit IRC		06:58
*** damien_r has joined #openstack-nova		06:58
*** nightmare_unreal has joined #openstack-nova		07:02
*** xek_ has quit IRC		07:03
gibi	bauzas: good morning. ACK.	07:05
*** slaweq has joined #openstack-nova		07:07
*** songwenping__ has joined #openstack-nova		07:08
*** iurygregory has quit IRC		07:09
*** songwenping_ has quit IRC		07:10
*** iurygregory has joined #openstack-nova		07:10
*** mkrai_ has quit IRC		07:11
*** ociuhandu has quit IRC		07:13
*** ociuhandu has joined #openstack-nova		07:13
*** tesseract has joined #openstack-nova		07:14
*** maciejjozefczyk has joined #openstack-nova		07:21
*** rpittau\|afk is now known as rpittau		07:22
*** tosky has joined #openstack-nova		07:26
*** ociuhandu has quit IRC		07:26
*** ociuhandu has joined #openstack-nova		07:29
zigo	With ussuri, I'm getting:	07:33
zigo	root@C1-z-controller-1>_ ~ # openstack flavor create --format shell octavia_65 --private --id 65 --ram 2048 --disk 4 --vcpus 1	07:33
zigo	Policy doesn't allow os_compute_api:os-flavor-manage:create to be performed. (HTTP 403) (Request-ID: req-30fe38ae-deb9-451f-9234-58edd691696b)	07:33
zigo	Is there something wrong with the scope enforcement? It's by default to False as it should be ...	07:33
zigo	When I set rule:admin_api instead, then it works. So something's wrong in oslo.policy or what?	07:36
gibi	zigo: there was a wide change in the policy handling in Ussuri but the new behavior should be off by default	07:38
zigo	Which is what I'm saying, it shouldn't be enforced by default, but it looks like it is!	07:38
*** mkrai_ has joined #openstack-nova		07:39
*** links has quit IRC		07:39
*** links has joined #openstack-nova		07:40
*** ccamacho has joined #openstack-nova		07:43
gibi	zigo: did you use a admin token in the failed case?	07:45
zigo	I'm doing this as an admin user indeed.	07:45
* gibi tries to recreate the problem in devstack		07:46
*** yaawang_ has quit IRC		07:49
gibi	I have default policy config and it works for me http://paste.openstack.org/show/792738/	07:49
*** yaawang_ has joined #openstack-nova		07:50
* gibi going to restack it's devstack to be exactly RC1		07:51
zigo	gibi: You can try with the Debian packages, maybe ? :)	07:52
zigo	For Buster:	07:52
zigo	deb http://buster-ussuri.debian.net/debian buster-ussuri-backports main	07:52
zigo	deb http://buster-ussuri.debian.net/debian buster-ussuri-backports-nochange main	07:52
zigo	Or if you are more adventurous, just from Experimental! :P	07:52
*** yaawang_ has quit IRC		07:54
*** yaawang_ has joined #openstack-nova		07:55
gibi	zigo: I have to jump on a call for a while, gmann, johnthetubaguy, stephenfin if you can help zigo in the meantime that would be appreciated	07:56
gibi	zigo: I would check oslo.policy version as there was a late change there as well	07:57
gibi	zigo: and you can try to rollback https://review.opendev.org/#/c/714822 maybe, but I'm not sure	07:57
zigo	# dpkg-query -W python3-oslo.policy	07:58
zigo	python3-oslo.policy 3.1.0-1~bpo10+1	07:58
zigo	So that's latest release ...	07:59
gibi	yepp, that is the last one	07:59
*** yaawang_ has quit IRC		08:02
*** yaawang_ has joined #openstack-nova		08:03
zigo	Reverting that patch doesn't fix the problem.	08:09
gibi	zigo: ack, then I'm out of ideas at the moment	08:09
gibi	and sitting on a call so will be slow responding	08:10
*** xek has joined #openstack-nova		08:10
*** rcernin has quit IRC		08:13
*** songwenping_ has joined #openstack-nova		08:15
*** songwenping__ has quit IRC		08:18
*** threestrands has quit IRC		08:20
zigo	I can switch the packaging from rule:system_admin_api to rule:admin_api in the default policy.conf, but obviously, something is wrong that needs to be fixed.	08:20
zigo	Or is there a way to give the system_scope:all to my admin user?	08:21
*** songwenping__ has joined #openstack-nova		08:21
*** tkajinam has quit IRC		08:23
frickler	zigo: you can call for system scoped tokens in the openstack client command	08:24
*** mkrai_ has quit IRC		08:24
*** songwenping_ has quit IRC		08:24
zigo	frickler: How?	08:25
*** mkrai has joined #openstack-nova		08:25
frickler	zigo: in devstack there is a "devstack-system-admin" section in /etc/openstack/config.yaml, let me try to do that manually	08:27
frickler	openstack --os-auth-url https://192.168.42.13/identity --os-username admin --os-system-scope all --os-user-domain-name default token issue	08:29
*** logan_ has joined #openstack-nova		08:31
*** aarents has quit IRC		08:31
*** logan- has quit IRC		08:32
*** Hazelesque has quit IRC		08:32
*** Hazelesque has joined #openstack-nova		08:33
*** logan_ is now known as logan-		08:35
*** derekh has joined #openstack-nova		08:38
*** martinkennelly has joined #openstack-nova		08:40
nightmare_unreal	hello what's greynade-py3 error for? my zuul build failed and it shows grenade-py3 FAILURE	08:41
lyarwood	nightmare_unreal: link?	08:47
lyarwood	I see https://review.opendev.org/#/c/548936/ landed, hopefully that didn't break the older jobs	08:47
nightmare_unreal	lyarwood: https://review.opendev.org/#/c/715395/	08:48
* lyarwood opens https://review.opendev.org/#/c/704364/		08:48
openstackgerrit	Lee Yarwood proposed openstack/nova master: zuul: Switch to the Zuulv3 grenade job https://review.opendev.org/704364	08:48
*** aarents has joined #openstack-nova		08:49
lyarwood	nightmare_unreal: I'm not, appears a few other runs have hit that as well. It's unrelated to your change so for now feel free to recheck. The above ^ switch to a zuulv3 job might also correct it so feel free to rebase on to that change	08:53
lyarwood	I'm not sure*	08:53
nightmare_unreal	lyarwood: okay thanks :) so I can trigger the build again ?	08:54
lyarwood	nightmare_unreal: yes	08:54
nightmare_unreal	how can I trigger it ?	08:54
*** martinkennelly has quit IRC		08:56
*** martinkennelly has joined #openstack-nova		08:56
lyarwood	nightmare_unreal: recheck	09:03
nightmare_unreal	okay	09:04
lyarwood	nightmare_unreal: ^ leave a comment with just that and zuul will rerun the jobs	09:04
nightmare_unreal	thanks :)	09:04
lyarwood	nightmare_unreal: you can watch them here https://zuul.opendev.org/t/openstack/status	09:04
lyarwood	nightmare_unreal: just use the 715395 change id	09:04
*** jraju__ has joined #openstack-nova		09:05
*** links has quit IRC		09:05
*** songwenping_ has joined #openstack-nova		09:07
*** songwenping__ has quit IRC		09:11
*** sapd1 has quit IRC		09:16
*** ttsiouts has joined #openstack-nova		09:24
*** alex_xu has joined #openstack-nova		09:36
*** tetsuro has quit IRC		09:37
*** dtantsur\|afk is now known as dtantsur		09:49
gibi	zigo: did you manage to solve the issue with frickler's help?	09:49
zigo	gibi: No ...	09:51
zigo	Scope should not be enforced, but it is.	09:51
zigo	This breaks all sorts of things, including in my puppet stuff.	09:51
zigo	Also:	09:54
zigo	# openstack --os-system-scope all hypervisor list	09:54
zigo	Policy doesn't allow os_compute_api:os-hypervisors:list-detail to be performed. (HTTP 403) (Request-ID: req-981105e1-a7aa-4fa2-9e52-ee7082ae7165)	09:54
zigo	policy.conf has rule:system_reader_api	09:54
zigo	If I switch that to rule:admin_api then it works...	09:54
*** martinkennelly has quit IRC		09:55
*** martinkennelly has joined #openstack-nova		09:55
gibi	zigo: does it work with the default policy? (without having anything in the policy file)	09:55
zigo	gibi: As in, "rm /etc/nova/policy.json" ?	09:55
zigo	root@C1-z-controller-1>_ ~ # rm /etc/nova/policy.json	09:56
zigo	root@C1-z-controller-1>_ ~ # openstack hypervisor list	09:56
zigo	The server has either erred or is incapable of performing the requested operation. (HTTP 500) (Request-ID: req-ccfb9f31-7cd9-439c-ad02-ae76f7c8c0d5)	09:56
zigo	Not great ... :(	09:56
* gibi trying to get more insight from https://docs.openstack.org/nova/latest/configuration/policy-concepts.html		09:58
gibi	I don't have any policy.json for nova in devstack	10:03
gibi	do you have a stacktrace for the above HTTP 500?	10:04
*** mkrai has quit IRC		10:06
*** mkrai_ has joined #openstack-nova		10:07
*** mkrai_ has quit IRC		10:10
*** mkrai has joined #openstack-nova		10:10
*** Liang__ has quit IRC		10:15
*** sapd1 has joined #openstack-nova		10:18
gibi	lyarwood: thanks for the stable/stein release proposal, I'm +1, when you have time, could you hit https://review.opendev.org/#/q/topic:create-ussuri+(status:open+OR+status:merged)+project:openstack/nova ?	10:21
*** rpittau is now known as rpittau\|bbl		10:32
*** songwenping__ has joined #openstack-nova		10:41
*** ociuhandu has quit IRC		10:42
*** sapd1_y has quit IRC		10:44
*** ociuhandu has joined #openstack-nova		10:44
*** songwenping_ has quit IRC		10:45
*** ttsiouts has quit IRC		10:49
*** ttsiouts has joined #openstack-nova		10:54
*** ociuhandu has quit IRC		11:03
frickler	zigo: your command confuses me, do you have other options set via environment? setting some project option will override system-scope without a warning. make sure that with "token issue" you see a system scoped token, not project or domain	11:04
*** ociuhandu has joined #openstack-nova		11:04
zigo	Yes I do ! :)	11:04
zigo	Ok, will try.	11:05
zigo	I've restarted a cluster deployment from scratch, to see if Ussuri can be setup fully automatically again with my system, so can't try right now...	11:05
zigo	Later this afternoon.	11:06
*** ociuhandu has quit IRC		11:23
frickler	zigo: fyi, I don't get your error by default in devstack, but I do get it if I add "[oslo_policy] enforce_scope = True" into nova.conf. in that case, creating a flavor only works with system scope	11:25
*** smcginnis has quit IRC		11:40
*** smcginnis has joined #openstack-nova		11:41
*** sapd1 has quit IRC		11:41
gibi	avolkov: hi! I asked for some clarification in https://bugs.launchpad.net/nova/+bug/1875287	11:46
openstack	Launchpad bug 1875287 in OpenStack Compute (nova) "VM unshelve failed if verify_glance_signatures enabled" [Undecided,Incomplete] - Assigned to Andrey Volkov (avolkov)	11:46
*** martinkennelly has quit IRC		11:46
*** martinkennelly has joined #openstack-nova		11:46
*** martinkennelly has quit IRC		11:51
*** bbowen_ has quit IRC		11:53
*** bbowen_ has joined #openstack-nova		11:53
*** AJaeger has joined #openstack-nova		11:54
*** ociuhandu has joined #openstack-nova		11:55
AJaeger	stephenfin: is this what you wanted as babel cleanup: https://review.opendev.org/#/c/723206/2 ?	11:55
*** nweinber has joined #openstack-nova		11:57
gibi	bauzas: triaged the fresh bugs, nothing noteworthy so far. I'm releasing the (silently) held bug lock for the afternoon	12:00
nightmare_unreal	can someone review this if they grt time : https://review.opendev.org/#/c/715395/	12:05
nightmare_unreal	thanks	12:05
*** jraju__ has quit IRC		12:06
*** ociuhandu has quit IRC		12:06
avolkov	gibi: hi, updated. if possible please leave your opinion what should we do with that	12:09
gibi	avolkov: thanks make more sense now	12:11
stephenfin	AJaeger: Oh, so we don't need the babel.cfg file either?	12:12
*** ociuhandu has joined #openstack-nova		12:12
gibi	avolkov: do you agree that this bug is not a recent regression, it seems that we have the issue at least since rocky	12:16
gibi	?	12:16
gibi	avolkov: in the meantime I confirmed the bug as I was able to reproduce it	12:20
*** ociuhandu has quit IRC		12:24
*** ociuhandu has joined #openstack-nova		12:24
AJaeger	stephenfin: it's referenced from setup.cfg	12:31
AJaeger	stephenfin: I don't think we need it, I checked locally with it removed	12:31
AJaeger	stephenfin: I answered on the review	12:33
stephenfin	AJaeger: Sweet, thanks	12:34
*** ociuhandu has quit IRC		12:35
*** ociuhandu has joined #openstack-nova		12:41
*** links has joined #openstack-nova		12:45
*** artom has joined #openstack-nova		12:46
*** sapd1 has joined #openstack-nova		12:48
*** rpittau\|bbl is now known as rpittau		12:49
*** mkrai has quit IRC		12:52
*** ociuhandu has quit IRC		12:53
avolkov	gibi: seems not a regression, I believe it was introduced with that verify_glance_signatures (mitaka?) or maybe with some refactoring further, it's definitely not urgent	12:54
gibi	avolkov: thanks.	12:54
AJaeger	any other nova core for two tiny cleanups, please? https://review.opendev.org/#/c/723206/2 and https://review.opendev.org/#/c/720725/1 ?	12:55
*** lbragstad has joined #openstack-nova		12:59
brinzhang_	AJeager:is this necessary? https://review.opendev.org/#/c/723295/	13:00
*** ociuhandu has joined #openstack-nova		13:00
brinzhang_	if not, I will abandon it	13:00
*** martinkennelly has joined #openstack-nova		13:05
*** sapd1 has quit IRC		13:06
openstackgerrit	Merged openstack/python-novaclient master: doc: Update Testing document https://review.opendev.org/723078	13:08
*** eharney has joined #openstack-nova		13:14
openstackgerrit	Stephen Finucane proposed openstack/nova master: Use compression by default for 'SshDriver' https://review.opendev.org/684393	13:18
*** udesale_ has joined #openstack-nova		13:20
*** udesale has quit IRC		13:23
stephenfin	sean-k-mooney: can you bump your vote on https://review.opendev.org/#/c/716223/ now?	13:25
*** ttsiouts has quit IRC		13:26
*** ratailor has quit IRC		13:27
sean-k-mooney	stephenfin: yes i guess so did rc 1 go out on thursday	13:27
stephenfin	sure did	13:28
sean-k-mooney	cool +w	13:28
stephenfin	ta	13:28
*** yankcrime is now known as _nick		13:30
*** _nick is now known as yankcrime		13:30
*** psachin has quit IRC		13:35
gmann	nightmare_unreal: lyarwood yeah there was some window when grenade job merge and one more fix. now it is all green	13:39
nightmare_unreal	yeah I just did recheck :) thanks	13:40
*** tkajinam has joined #openstack-nova		13:42
gmann	zigo: hi, was that policy overridden ? that mentioned patch fixed the bug of passing the context project_id itself so that it is not allowed for all.	13:46
zigo	gmann: The /etc/nova/policy.json file is the pristine one generated by the package (well, oslopolicy, this means).	13:47
gmann	zigo: ok, can you paste that policy line for flavor manage ?	13:48
AJaeger	brinzhang_: It's not necessary	13:48
zigo	gmann: "os_compute_api:os-flavor-extra-specs:create": "rule:system_admin_api"	13:49
zigo	On top of the file, there is:	13:50
zigo	"system_admin_api": "role:admin and system_scope:all"	13:50
gmann	zigo: ok, and 'system_admin_api' rule ?	13:50
gmann	humm there should be deprecated rule of old RULE_ADMIN_API that is what we have as default	13:50
gmann	but you said you generated the file via oslo policy tool right? it is oslopolicy-sample-generator correct	13:51
zigo	Right !	13:52
zigo	gmann: That's what I did:	13:52
zigo	https://salsa.debian.org/openstack-team/services/nova/-/blob/debian/ussuri/debian/rules#L64	13:52
zigo	(later, the postinst of the package takes that file from nova-common and puts it in /etc/nova)	13:53
zigo	Hum... not even ...	13:53
zigo	Directly pacakged into /etc/nova	13:53
zigo	I should do the former, to have the file owned by root:nova / 640 though ...	13:54
gmann	zigo: let me check if that tool adding the default rule or not.	13:56
*** mkrai has joined #openstack-nova		13:57
*** ttsiouts has joined #openstack-nova		13:58
zigo	gmann: I've sent the generated policy.json file to our swift cluster if you want to look at it: https://www.swisstransfer.com/d/b80904d3-1f15-4f1f-98f0-7e1db308bb53	13:59
*** ttsiouts has quit IRC		14:03
*** mkrai has quit IRC		14:05
*** mkrai_ has joined #openstack-nova		14:05
*** ttsiouts has joined #openstack-nova		14:05
*** irclogbot_2 has joined #openstack-nova		14:08
*** irclogbot_2 has quit IRC		14:13
openstackgerrit	Kevin Zhao proposed openstack/nova master: [WIP] CI: add tempest-integrated-compute-aarch64 job https://review.opendev.org/714439	14:13
gmann	zigo: got it. that tool does not add the deprecated rules in sample file.	14:14
zigo	gmann: And that's the issue ?!?	14:15
gmann	zigo: expectation is you keep only override rule in the policy file and other rule let it rely on defaults	14:15
zigo	Right.	14:15
gmann	zigo: not issue i think. because you are providing the file with rule override with new defaults	14:15
gmann	if you generate the file with that tool you get all the rule commented and you are supposed to un-comment the one you want to override.	14:16
gmann	here what happen, nova get the rule in file and skip the default value with consideration that rule in file is what operator want	14:17
gmann	if you remove the rules from file which you want to reply on defaults then your old token will keep working.	14:18
*** irclogbot_3 has joined #openstack-nova		14:22
gmann	zigo: also if rule is present in file then oslo skip deprecated rule to add. and I hope you generated file before nova start which initialize the policy	14:23
*** irclogbot_3 has quit IRC		14:25
*** irclogbot_3 has joined #openstack-nova		14:26
*** ttsiouts has quit IRC		14:27
*** irclogbot_3 has quit IRC		14:29
zigo	gmann: If I remove the policy.json, then I get an error 500:	14:29
zigo	[pid: 1708\|app: 0\|req: 10/40] 192.168.101.2 () {32 vars in 628 bytes} [Mon Apr 27 14:29:08 2020] GET /v2.1/flavors/detail => generated 128 bytes in 91 msecs (HTTP/1.1 500) 3 headers in 215 bytes	14:29
zigo	Nothing more in the logs ...	14:29
*** irclogbot_1 has joined #openstack-nova		14:30
zigo	gmann: The file needs to exist, though if it's empty, it looks like working ! :)	14:32
zigo	gmann: Should I keep an empty file then?!?	14:32
zigo	IMO this is still a bug, because operators need to see what's currently in the policy, and can't guess the defaults.	14:33
zigo	I do want to provide such a policy file if possible.	14:33
zigo	gmann: An empty policy.json is safe, right?	14:33
dansmith	if operators currently have to do anything to their policy file during an upgrade, then we have a real problem	14:34
dansmith	zigo: AFAIK, the policy file should be empty to take all the defaults, but I'm surprised it has to be present-but-empty.. not sure if that is new or not	14:34
zigo	dansmith: I expect operators to use /etc/nova/policy.d, and I thought about explicitly shipping such a folder in the Nova Debian package.	14:34
zigo	As much as I can tell, this is a new bug ! :P	14:35
zigo	(would have to check Train though...)	14:35
*** irclogbot_1 has quit IRC		14:35
dansmith	zigo: and thus have no files in there nor an empty base file right?	14:35
zigo	dansmith: What would happen if a rule is defined in both /etc/nova/policy.json and /etc/nova/policy.d/foo-operator.json ?	14:36
zigo	Will the policy.d have priority?	14:36
dansmith	no idea.. I didn't know we had a policy.d, tbh	14:36
*** irclogbot_0 has joined #openstack-nova		14:36
zigo	Beause that'd be the most convenient way for everyone.	14:36
zigo	We do need a way to tell operators what they can and cannot write in their config.	14:37
dansmith	but I would expect a distro to install an empty policy.d directory, and not have to write an empty base policy file to avoid a 500	14:37
*** READ10 has joined #openstack-nova		14:37
zigo	dansmith: What I'm going to do is to write an empty policy.json (to avoid what I consider a bug), ship the generated policy.json in /usr/share/nova-common as an example, and create the policy.d folder.	14:38
zigo	I still think it's wrong that I can't use the generated policy.json though...	14:38
dansmith	zigo: ack, but if the behavior is changed, we need a bug filed	14:38
zigo	It really is changed. I use to ship the /etc/nova/policy.json on all of my Nova packages, and so far, it wasn't a problem.	14:39
dansmith	zigo: well, we're trying to get people to have overrides and not hard-coded everything, but I understand.. what prevents you from using the generated file? deprecation warnings?	14:39
*** irclogbot_0 has quit IRC		14:39
zigo	It simply does not work.	14:39
gmann	dansmith: zigo file generated from tool is kind of override rule. default only work if rule not in file	14:39
dansmith	zigo: but why is the generated file not working?	14:40
*** irclogbot_2 has joined #openstack-nova		14:40
gmann	zigo: did that worked for any deprecated rule for you, if you rule in file the if any rule deprecated in fast had same issue itthunk	14:41
*** mlavalle has joined #openstack-nova		14:41
zigo	root@C1-z-controller-1>_ ~ # openstack flavor create --ram 12288 --disk 10 --vcpus 4 cpu4-ram12-disk10	14:41
zigo	Policy doesn't allow os_compute_api:os-flavor-manage:create to be performed. (HTTP 403) (Request-ID: req-7f1c4c5b-8df2-4ef7-8a88-8f2cae1899f1)	14:41
zigo	dansmith: ^	14:41
zigo	That's with the default policy.json file as per https://salsa.debian.org/openstack-team/services/nova/-/blob/debian/ussuri/debian/rules#L64 ...	14:42
dansmith	I don't know why that would be, although I'm not very familiar with policy stuff	14:42
dansmith	if that's the case, however, we've broken upgrade which we have to fix	14:42
gmann	dansmith: generated file from oslo tool does not add the deprecated rule so nova consider those rule as override rule and only new token pass	14:43
dansmith	gmann: same would go for any existing overrides the deployer has then?	14:43
gmann	dansmith: if no file and rely on default then there is no cange	14:43
gmann	change	14:43
gmann	dansmith: if they have override all the rules then yes as they do not rely on default.	14:43
gmann	oslo does not add deprecated rule if they are present in file.	14:44
dansmith	gmann: the we broke upgrade for anyone using a distro's generated file from <=Ussuri right?	14:44
dansmith	I'm not sure what "override all the rules" has to do with this, or why it's different than "override one rule"	14:45
*** irclogbot_2 has quit IRC		14:45
gmann	dansmith: "distro's generated file" is something i doubt that it is correct way or not. it is same issue they had in all the previous changed policy	14:45
dansmith	gmann: doubt what is correct?	14:45
zigo	dansmith: Correct ! :)	14:45
gmann	dansmith: in case of "override one rule" other rule should not be in file. if they are then oslo cannot add deprecated rule	14:45
dansmith	gmann: I don't understand what you're saying	14:46
zigo	Also, how are operators supposed to double-guess what's currently in place, if I can't, as a package maintainer, generate what's currently in?	14:46
*** irclogbot_1 has joined #openstack-nova		14:46
dansmith	if they have one override in their file, everything is fine, but if they override all the rules then ...broken?	14:46
zigo	If I understand correctly, the issue is to not show what's deprecated in the policy. Well, can't we simply add an option to the generator, so it also adds the deprecated things?	14:47
gmann	dansmith: if they override one of all rule then rules with changed default will consider only override value not default right	14:47
dansmith	zigo: presumably they look at the /usr/share version and add what they want into their file, but I think ideally we'd want a file fully commented-out where things can be uncommented and changed, but our json format probably doesn't allow that	14:47
*** iurygregory has quit IRC		14:47
gmann	yeah, that ^^	14:47
*** iurygregory has joined #openstack-nova		14:48
zigo	dansmith: As much as I know, there's no way to add comments in a .json file.	14:48
zigo	Indeed.	14:48
dansmith	gmann: but I think zigo is saying that debian has taken the more user-friendly approach of just putting the generated file in place, and letting them alter it in-place	14:48
gmann	hummm	14:48
dansmith	zigo: right, it's frustrating, so I understand why the debian packages are the way they are	14:48
zigo	dansmith: Exactly what I was doing so far ! :)	14:48
dansmith	zigo: I'm sure you're not the only one	14:48
gmann	because oslo tool generate the rule with all commented	14:49
openstackgerrit	Stephen Finucane proposed openstack/nova master: objects: Add MigrationTypeField https://review.opendev.org/706013	14:49
openstackgerrit	Stephen Finucane proposed openstack/nova master: objects: Remove 'NovaObjectDictCompat' from 'Migration' https://review.opendev.org/723572	14:49
openstackgerrit	Stephen Finucane proposed openstack/nova master: objects: Remove 'NovaObjectDictCompat' from 'InstancePCIRequest' https://review.opendev.org/723573	14:49
openstackgerrit	Artom Lifshitz proposed openstack/nova stable/stein: DNM: Add a placement audit command https://review.opendev.org/720839	14:49
dansmith	I would not be surprised if people generating their own packages or installing from pip do the same for audit reasons	14:49
dansmith	gmann: does it? how do you comment in json?	14:49
beekneemech	It uses YAML.	14:50
*** beekneemech is now known as bnemec		14:50
zigo	bnemec: As much as I know, there's no way to get services to load .yaml files, is there?	14:50
bnemec	zigo: Yes, YAML works fine.	14:50
zigo	Unless this has changed recently ...	14:50
gmann	ah its yaml generated - https://docs.openstack.org/nova/latest/configuration/sample-policy.html	14:50
dansmith	I've never seen it deployed in yaml file on a real system	14:50
bnemec	I think the default is still JSON though.	14:50
bnemec	IIRC, some service actually overrides that default so they get YAML by default.	14:51
zigo	bnemec: Last time I tried, maybe 2 or 3 releases ago, it didn't work.	14:51
*** irclogbot_1 has quit IRC		14:51
zigo	Commented yaml would work for me.	14:51
dansmith	zigo: except we can't require people to convert that as part of an upgrade	14:51
bnemec	It's always possible there's a bug. YAML is definitely supposed to work.	14:51
dansmith	bnemec: do any CI jobs use yaml?	14:52
*** irclogbot_0 has joined #openstack-nova		14:52
gmann	one things we can do is always add deprecated rule from oslopolicy-sample-generator	14:53
dansmith	just checked one I had handy and the only service with a policy file is neutron, and it's json	14:53
dansmith	gmann: but ... people with existing policy files can't be broken by this upgrade	14:53
openstackgerrit	Artom Lifshitz proposed openstack/nova stable/rocky: DNM: Add a placement audit command https://review.opendev.org/720842	14:53
gmann	but again not all people use this or some other way to generate file like editing the old file	14:53
*** tkajinam has quit IRC		14:54
gmann	dansmith: true, existing policy should not break, here zigo case is it get generated newly with oslo tool which had new defaults but not deprecated	14:54
dansmith	gmann: I'm still trying to understand if people with a train-generated full policy file are going to be broken	14:55
*** irclogbot_0 has quit IRC		14:55
dansmith	I've not understood your answers there	14:55
gmann	if it is not re-generated then old policy keep working in both case 1. they have override different rule 2. or reply on default even have rule in fule	14:55
openstackgerrit	Stephen Finucane proposed openstack/nova master: Modify PciDevice.uuid generation code https://review.opendev.org/530487	14:55
openstackgerrit	Stephen Finucane proposed openstack/nova master: Add an online migration for PciDevice.uuid https://review.opendev.org/530905	14:55
nightmare_unreal	what can cause nova-live-migration zuul build to fail ??	14:55
gmann	dansmith: train generated file should keep working as it is.	14:55
*** sapd1 has joined #openstack-nova		14:56
gmann	what happened here is, policy file is generated freshly which had new 'system rule' but token are not refreshed	14:56
dansmith	gmann: what if someone's deploy script generates the file from the tooling, applies their two or three rule tweaks? then they're broken?	14:57
*** irclogbot_2 has joined #openstack-nova		14:57
dansmith	I see, the broken part is because the newly generated file will be rules that require scoped tokens or whatever?	14:57
gmann	dansmith: and they have other rule with new value present in file then broken. and that is case that they have override the rule but token not refreshed	14:57
gmann	dansmith: correct	14:58
bnemec	Right. This is why the deprecated rule behavior ORs with the old rule.	14:58
gmann	train policy will still have adimin_rule and keep working	14:58
dansmith	gmann: okay, understand why train configs still work, which is good	14:58
dansmith	gmann: I would expect the generate-then-tweak process is fairly widespread	14:59
*** irclogbot_2 has quit IRC		14:59
zigo	dansmith: Yes, "then they're broken" ...	14:59
gmann	humm and generate with 'oslopolicy-sample-generator' tool right ?	14:59
zigo	(ie: my case...)	14:59
zigo	Which I think is really wrong.	14:59
openstackgerrit	Stephen Finucane proposed openstack/nova master: objects: Add online migration for legacy NUMA objects https://review.opendev.org/537414	15:00
gmann	i mean we can explicitly add deprecated rule in that tool logic. but not sure if that solve all the cases	15:00
dansmith	gmann: yes	15:00
AJaeger	any nova core available for two tiny cleanups related to Babel/translations, please? https://review.opendev.org/#/c/723206/2 and https://review.opendev.org/#/c/720725/1 ?	15:00
dansmith	I dunno what to do about this though, since it's really a problem spread across multiple projects, lots of code, and some human assumptions	15:00
*** dklyle has joined #openstack-nova		15:00
bnemec	We can't always do that though or there's no way for deployers to get the new rule alone.	15:01
zigo	dansmith: I also expect the generated-then-not-touched case is also fairly widespread (my case in my CI) and it is broken as well currently.	15:01
dansmith	zigo: yup	15:01
gmann	as per my expectation, 'generate-then-tweak ' case also need operator review if something auto-re-generated is ok or not	15:01
*** irclogbot_2 has joined #openstack-nova		15:01
dansmith	gmann: not if they don't know they need to review	15:01
dansmith	gmann: they could have been doing this approach for years with no problem	15:02
gmann	humm	15:02
bnemec	Is this on a fresh install? If so, why isn't everything configured to handle the new policies?	15:02
dansmith	bnemec: no, not necessarily fresh deploy	15:02
zigo	I very much agree that it's the operator's responsibility to refresh the policy.json and re-tweak it carefully on each upgrade.	15:02
gmann	dansmith: they had same problem when policy was deprecated. here we did all policy changed instead of one or two	15:02
dansmith	gmann: you mean when the full policy file was deprecated?	15:03
bnemec	I mean, that deployment method hasn't been recommended since policy in code went in however many years ago.	15:03
*** irclogbot_2 has quit IRC		15:03
dansmith	AFAIK, plenty of people never migrated to empty policy files	15:03
zigo	bnemec: On a fresh install, with the currently default generated policy.json, things a broken. That's the issue I've reported to begin with! :)	15:03
dansmith	bnemec: but not everyone likes that, and distros still generate full policy files, which is why we're here	15:03
gmann	dansmith: for example, single policy was changed in some cycle.	15:04
bnemec	So that's a problem anyway. Ussuri installs should be configured correctly to handle the new policy.	15:04
dansmith	gmann: which is why it's quite likely that people's deployment scripts moved to generate-and-tweak.. like, generate and then sed, sed, sed	15:04
bnemec	Even if we include the deprecated rules in the generated policy, it just pushes the breakage off one release.	15:04
gmann	i mean that was always problem in past also.	15:04
dansmith	bnemec: but it involves a change in user behavior right?	15:05
dansmith	they have to now get scoped tokens?	15:05
bnemec	Once the deprecated rule is dropped in the subsequent release you break then instead of now.	15:05
bnemec	I think that's only true if enforce_scope is true.	15:05
gmann	true, scope token in this case and changed in admin->non-admin etc in past	15:05
dansmith	but that's the whole reason we're here, because zigo is taking all the defaults, and it's broken	15:05
dansmith	bnemec: ^	15:06
gmann	'taking all the defaults' not default but only new default without deprecated things.	15:06
gmann	'default' still mean 'new + old'	15:06
dansmith	gmann: sorry I don't understand those two comments	15:07
zigo	Bug filled: https://bugs.launchpad.net/nova/+bug/1875418	15:07
openstack	Launchpad bug 1875418 in OpenStack Compute (nova) "Generated policy.json in Ussuri is broken by default" [Undecided,New]	15:07
stephenfin	zigo: why can't we just stop including a generated policy file in the package?	15:07
dansmith	he can, he said that	15:07
zigo	stephenfin: How are operators supposed to double-guess what they can use?	15:07
gmann	dansmith: i mean current defaults are "new default + old deprecated defaults" and file generated was half bald with 'new defaults' only	15:07
zigo	stephenfin: That's actually exactly what I'll be doing: provide an empty policy.json. But that's really not user friendly.	15:08
stephenfin	zigo: You have a openstack-nova-doc package, yeah? It's documented in there	15:08
zigo	stephenfin: I'd very much prefer having a policy.json that reflects what's currently enforced in Nova.	15:08
gmann	i might be wrong but re-generating the policy file is something you are intentionally changing so adopt all change instead of half	15:08
dansmith	stephenfin: he's saying that's a sucky user experience, and he's right despite how clean it seems to us	15:08
*** irclogbot_3 has joined #openstack-nova		15:09
*** links has quit IRC		15:09
dansmith	gmann: before this, generating the file and tweaking the rules you want ended up with all things at the same generation. If you tweaked a rule that we removed, then sure it's broken, but now people will be introducing old "syntax" to a generated file of new "syntax", and also not realize that as soon as they generate the file, they need scoped tokens right?	15:10
gmann	and this is always a problem from starting if deployer rely on re-generated file which does not include the deprecated-but-supported rule	15:10
zigo	stephenfin: Just did that and uploaded the package: https://salsa.debian.org/openstack-team/services/nova/-/commit/48bc8889ae8a787104b76e95c3e1dfc5893d146b	15:10
zigo	Though really, that's really not user friendly to do that.	15:11
gmann	dansmith: right.	15:11
*** irclogbot_3 has quit IRC		15:11
dansmith	gmann: so another question.. if I don't take the generated file, continue to run with the deprecated defaults, but need to tweak something.. how do I see the generated old defaults file? is there a flag to the tool? or do I have to look at train docs?	15:11
gmann	but how to fix all those script to generate file, we can do something on oslopolicy-sample-generator	15:11
stephenfin	zigo: Forgive me but is that not the normal way config files work? They're used for overrides, not defaults	15:12
dansmith	stephenfin: but they're usually fully commented-out so you can see all the options in place while you're overriding	15:12
zigo	stephenfin: If I'm listening to you, then my Nova package should ship an empty /etc/nova/nova.conf? Are you serious ?!?	15:12
zigo	:)	15:13
*** irclogbot_0 has joined #openstack-nova		15:13
gmann	dansmith: train doc, or nova policy reference file.	15:13
dansmith	gmann: that sucks	15:13
gmann	yeah, tool is not adding them	15:13
zigo	I think I'll give another try with the yaml thing, see if that works, and if I can ship a fully commented out one.	15:13
zigo	That's still not nice, because it'd be supposed to work if all comments get removed ... If you know what I mean.	15:14
dansmith	zigo: do you treat policy like config or what? what if they've modified their policy file?	15:14
stephenfin	zigo: Not empty, but IMO we shouldn't be including values with defaults ¯\_(ツ)_/¯	15:14
zigo	Just same as in for nova.conf, where commented out stuff are supposed to be the default.	15:14
stephenfin	I mean, that's how other config files works	15:14
dansmith	stephenfin: that's the developer-focused "look at how clean this is" approach, but it sucks for admins	15:14
stephenfin	znc.conf jumps to mind, since I was hacking on over the weekend	15:14
stephenfin	ditto for sssd.conf	15:15
stephenfin	or krb5.conf	15:15
zigo	dansmith: For most packages, I don't have them as CONFFILES (these files, marked by dpkg as "prompt user if there's a change on upgrade...).	15:15
* stephenfin had a dull weekend		15:15
*** irclogbot_0 has quit IRC		15:15
gmann	stephenfin: if oslopolicy-sample-generator add complete default (new + deprecated) then config case is same otherwise it is issue	15:15
stephenfin	dansmith: yeah, maybe. I just figured everyone was doing 'man [app].conf'	15:15
zigo	So policy.json files live in /usr/share/FOO-common/policy.json and are copied to /etc/FOO only if /etc/FOO doesn't have a policy.json file.	15:15
bnemec	I'm still confused why this would be failing on scope. enforce_scope is false by default.	15:16
zigo	This way, no prompt on upgrade, and the old version is kept.	15:16
zigo	Except I didn't do that for Nova, I don't know why ...	15:16
zigo	So in the Nova case, /etc/nova/policy.json IS a CONFFILE.	15:16
gmann	bnemec: we have 'system:all' string in check_str for new defaults of system scope role	15:16
dansmith	gmann: so it sounds like we need a big warning reno about this at the very least	15:16
zigo	(and then dpkg will prompt on upgrade if there's some diff)	15:16
dansmith	gmann: we probably also should switch to yaml by default, and make sure our CI jobs are using them that way	15:17
*** irclogbot_3 has joined #openstack-nova		15:17
gmann	bnemec: https://github.com/openstack/nova/blob/347d656c35fdf0c309039a7c1f352f82c6950868/nova/policies/base.py#L104	15:17
stephenfin	bnemec: I suspect the oslo-generate-policy command is using the scoped policies, but nova is still defaulting to non-scoped (to avoid breaking upgrades, funnily enough)	15:17
dansmith	the yaml is better in every respect, except for compatibility	15:17
gmann	https://github.com/openstack/nova/blob/347d656c35fdf0c309039a7c1f352f82c6950868/nova/policies/base.py#L36	15:17
stephenfin	yaml++	15:17
bnemec	gmann: Why? Isn't the scope check built-in to the policy enough?	15:17
zigo	stephenfin: Looks like you're right yeah.	15:17
gibi	dansmith: I need to read back after my current call	15:18
gmann	bnemec: when enforce_scope is true then yes otherwise we need to differentiate the system vs project - https://github.com/openstack/nova/blob/347d656c35fdf0c309039a7c1f352f82c6950868/nova/policies/base.py#L36	15:18
zigo	stephenfin: How would we make oslo-generate-policy to use non-scoped policies then?	15:18
dansmith	gibi: definitely needs your review	15:18
bnemec	That seems like it's completely defeating the purpose of enforce_scope.	15:18
stephenfin	zigo: not sure you want to do that	15:18
stephenfin	you'd be generated deprecated configuration	15:19
stephenfin	*generating	15:19
dansmith	stephenfin: the deprecated form is supposed to be the default we assume if no policy file	15:19
*** irclogbot_3 has quit IRC		15:19
zigo	stephenfin: If nova.conf defaults to non-scoped, but policy.json to scoped, then we do have a problem.	15:19
zigo	Choose your side comrade ! :)	15:19
gmann	zigo: yeah, agree.	15:20
stephenfin	dansmith: Yes, because we care about upgrades. New deployments would ideally be overriding nova's defaults though	15:20
stephenfin	zigo: I assume there's no way to distinguish between new installs and upgrades?	15:20
dansmith	stephenfin: he generates those for upgrades too he just said	15:20
zigo	stephenfin: There is, if you're talking about packaging.	15:20
stephenfin	I am	15:21
dansmith	stephenfin: and, unless we default the enforce_scope on, and detail the differences between scoped tokens for users of new deployments, it's not that cut and dried	15:21
*** irclogbot_0 has joined #openstack-nova		15:21
zigo	That's an argument given to the .postinst script of the package.	15:21
stephenfin	dansmith: it sounds like we can do that for a new installation (default enforce_scope to on)	15:22
zigo	It's defined here: https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#summary-of-ways-maintainer-scripts-are-called	15:22
dansmith	stephenfin: we don't now though, AFAIK	15:22
stephenfin	we wouldn't do it - the package would	15:22
stephenfin	it would override the nova default	15:23
zigo	I'd very much you give operators at least one more cycle to enforce this.	15:23
*** irclogbot_0 has quit IRC		15:23
zigo	Then just set enforce_scope to True by default in Victoria ...	15:23
stephenfin	zigo: I'd like to know if the following combination is possible/makes sense	15:23
dansmith	stephenfin: not sure how you could coordinate that across every deployment tool	15:23
stephenfin	new installation: enforce_scope = True (override), use Ussuri policy.json	15:24
stephenfin	upgrade: enforce_scope = False (nova default), use Train policy.json	15:24
stephenfin	?	15:24
stephenfin	dansmith: we do that kind of stuff in TripleO, albeit higher than the package level	15:25
*** irclogbot_3 has joined #openstack-nova		15:25
dansmith	stephenfin: right but everyone needs to do that.. tripleo, kolla, debian, ubuntu, rdo, $mycustomthing	15:25
*** jamesdenton has joined #openstack-nova		15:25
*** brinzhang_ has quit IRC		15:25
*** brinzhang_ has joined #openstack-nova		15:26
zigo	stephenfin: This is going to be horrible to manage with puppet-nova...	15:27
stephenfin	I didn't think we generated policy.json for RDO/OSP, and I assume Ubuntu will take whatever Debian does. I can't argue with $mycustomthing though, no	15:27
zigo	stephenfin: You assume wrong ! :)	15:27
zigo	Ubuntu do their own crap ...	15:27
*** irclogbot_3 has quit IRC		15:27
stephenfin	\o/	15:27
gmann	I was checking to remove 'system:all' from new default but that leads to over-permission issue	15:27
zigo	I tried for years to fight this, it never worked, because of marketting reasons.	15:27
*** brinzhang_ has quit IRC		15:28
zigo	And there's all sorts of issues because of this. :)	15:28
*** mkrai_ has quit IRC		15:28
*** brinzhang_ has joined #openstack-nova		15:28
*** irclogbot_3 has joined #openstack-nova		15:28
zigo	Like, people trying to use whatever horizon plugin that I was packaging but they didn't, and it broke on Ubuntu, but they don't care because "it's not in main" ...	15:28
zigo	The usual thing with Ubuntu... :)	15:29
gmann	i thought policy-in-code was the time when we asked (or should) deployer to not to re-generate the complete policy file instead keep override rule only	15:29
stephenfin	gmann: Yeah, I think that's the big disconnect here	15:29
stephenfin	so doing different things for new installation/upgrade probably isn't an option	15:30
stephenfin	an empty JSON is bad for users	15:30
stephenfin	that leaves us with including a commented-out YAML, and modifying oslo-policy-generator to include deprecated rules, right?	15:31
gmann	lbragstad: did you faced this issue for keystone also? newly generated file with new default only and old token broken as deprecated rule is disappeared	15:31
stephenfin	fwiw, I really, really want to avoid the latter option :)	15:31
*** irclogbot_3 has quit IRC		15:31
gmann	stephenfin: true.	15:31
gmann	later is kind of argument that people rely on 'no deprecated rule' in generated file to end up over permission and leak API	15:32
zigo	stephenfin: This leaves us with "generate policy.json and nova.conf that are maching and working together by default" indeed !	15:33
gmann	so we may fix one upgrade but break other	15:33
zigo	If I had such an option as "oslopolicy-sample-generator --use-scoped" and/or "--dont-use-scoped" then I would generate the config file twice, as a favor to Debian users, so they could see both ...	15:35
openstackgerrit	Merged openstack/python-novaclient master: Remove future imports https://review.opendev.org/723153	15:35
zigo	It's probably too late in this cycle to do that, though.	15:35
lbragstad	gmann isn't that the intended behavior you want?	15:36
gmann	lbragstad: yeah, that is intended as per me :) but problem is for upgrade used to re-generated the fresh file and still think default works is broken	15:38
*** irclogbot_2 has joined #openstack-nova		15:38
*** _mlavalle_1 has joined #openstack-nova		15:38
gmann	zigo: we can do but still user need to change their script to add new option to that tool '--dont-use-scoped' or other.	15:38
dansmith	gmann: lbragstad: to avoid me having to google.. what is the different thing that users have to do to get a scoped token?	15:38
lbragstad	the request to keystone to get a token changes a bit, but users can invoke that with clients by setting a different property in their cloud config	15:39
dansmith	okay so their openrc or clouds.yaml (or whatever) has to change	15:40
lbragstad	yes	15:40
*** mlavalle has quit IRC		15:40
dansmith	and are those two things getting generated as scoped by default nowadays?	15:40
dansmith	or can you not ask for scoped until something else changes?	15:41
lbragstad	i guess it depends on what generates those files	15:41
lbragstad	you're asking if openrc or clouds.yaml is generated with project-scope by default?	15:41
* gibi is reading back		15:43
dansmith	lbragstad: yeah, like.. has everyone since stein (as an example) been getting scoped tokens and not knowing it?	15:43
dansmith	just trying to figure out how impactful the move to requiring them will be	15:44
lbragstad	dansmith yeah - to do anything useful, most people will need a scoped token of some form	15:44
lbragstad	historically, that scope has always been project	15:45
lbragstad	or - project-scope has been the standard for getting anything done, like booting a server	15:45
dansmith	I'm confused	15:46
dansmith	lbragstad: I thought that when we move to this new scoped policy that users need to be getting scoped tokens that they likely haven't been getting in the past?	15:46
dansmith	which is why zigo's token immediately stopped working and launched us into this discussion	15:46
lbragstad	dansmith sorry - let me back up	15:46
lbragstad	keystone has supported scoped tokens for a long time - uses have always been able to get a scoped token	15:47
lbragstad	in the past, that token has always been scoped to a project	15:47
dansmith	sure, I get that	15:47
lbragstad	the new system is using a different scope target	15:47
lbragstad	and some APIs are going to require that new target, instead of a project-scoped tokne	15:47
lbragstad	which is why zigo's old token (which i'm assuming is project-scoped) stopped workin	15:48
lbragstad	working*	15:48
*** raildo has joined #openstack-nova		15:48
zigo	If we require everyone to change something in their openrc, it will break a lot of user who wont understand.	15:48
zigo	Maybe that's needed, I don't even understand what this scope thingy is for, but just warning everyone here.	15:48
zigo	At least, if we're moving to that direction, then we must have some kind of correct error message output in the clients.	15:48
gmann	but 'system' scope is not default user has to explicit request that	15:48
dansmith	I'm trying to figure out if realistically everyone is going to need to change their openrc, or only people who got their openrc from horizon before some release, or ...	15:49
dansmith	I know openrc can come from various places, but trying to figure out the "scope" of the impact	15:49
dansmith	does devstack generate scope-having openrcs?	15:49
lbragstad	yes	15:49
zigo	lbragstad: What does it look like?	15:50
zigo	export OS_SCOPE= ?	15:50
lbragstad	it does it with clouds.yaml, actually	15:50
lbragstad	https://opendev.org/openstack/devstack/src/branch/master/tools/update_clouds_yaml.py#L56	15:50
lbragstad	export OS_SYSTEM_SCOPE=all	15:51
lbragstad	that's going to tell keystone to give you a system-scoped token instead of a project-scoped token	15:51
zigo	lbragstad: So, that's to be added to the admin openrc ?	15:51
dansmith	but most users want a project scoped token right?	15:52
lbragstad	to get back to your impact question - changes to openrc are primarly admin related	15:52
lbragstad	dansmith yes	15:52
dansmith	lbragstad: ah, okay so admins need to tweak their openrc bug regular users will not?	15:52
lbragstad	people who aren't accessing system-level APIs shouldn't need to set this new value and get system-scoped tokens	15:52
gmann	true. otherwise it might be over permission issue for rule changed from admin->system-reader etc	15:52
lbragstad	yes - for the most part	15:53
dansmith	okay that wasn't clear to me before, so that's good news	15:53
dansmith	zigo: I guess you were using an admin user?	15:53
zigo	dansmith: not only myself, but puppet-openstack too, yeah !	15:54
openstackgerrit	Merged openstack/nova stable/ussuri: Update .gitreview for stable/ussuri https://review.opendev.org/722518	15:54
openstackgerrit	Merged openstack/nova stable/ussuri: Update TOX_CONSTRAINTS_FILE for stable/ussuri https://review.opendev.org/722520	15:54
zigo	dansmith: What first started breaking was puppet-octavia that couldn't create the Octavia flavor.	15:54
dansmith	okay	15:54
zigo	Then I tried as the admin user, and didn't understand what was going on...	15:54
lbragstad	fwiw - we describe the concept and motivation behind all the scopes here - https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes	15:55
zigo	lbragstad: Thanks, I'll read it all.	15:55
dansmith	lbragstad: yeah I read that and I get it,	15:56
dansmith	I thought there would still be a change to the user mechanics though	15:56
dansmith	but likely because most of our discussions focus on our usage, which is generally admin	15:56
*** ociuhandu has quit IRC		15:56
lbragstad	dansmith unfortunately, because policy is completely configuration based, there could be deployments where this gets messy because the deployer wanted to let end users list hypervisors (or something weird like that)	15:57
dansmith	yeah, so those users will need to learn something different now right?	15:58
dansmith	does that mean they've lost (or will lose) the ability to list hypervisors and their instances with a single token?	15:58
lbragstad	possibly - but it depends on how the deployer setup their custom policy	15:58
dansmith	because I can imagine that sucking for scripts	15:59
lbragstad	yeah - i completely agree	15:59
gmann	yeah if both policy are override for same permission then they keep working	15:59
gmann	if mix like one override and one was relying on default, now re-generated file will mesh up the single token	16:00
*** ociuhandu has joined #openstack-nova		16:00
lbragstad	zigo i typically put system users behind a different cloud profile, so i set system_scope: all in my clouds.yaml under a different name	16:02
*** tesseract has quit IRC		16:02
lbragstad	then i use --os-cloud system-admin or --os-cloud project-user (or whatever)	16:02
lbragstad	ymmv - but if found that useful in the past when managing different scopes	16:03
lbragstad	i found*	16:03
dansmith	problem is, kinda, that we're enforcing our view on what is system-level information now in a way that they can't override	16:03
dansmith	for single-tenant clouds, that just introduces unnecessary overhead for a distinction they don't care about	16:04
*** rpittau is now known as rpittau\|afk		16:07
gmann	when we enable scope by default at some point they anyways have to change their tokens.	16:08
lbragstad	dansmith yeah - that's true	16:09
dansmith	what I mean is, the scope-based system introduces complexity	16:09
gmann	for single-tenant clouds, it might be weird	16:09
zigo	GOT MY FIRST INSTANCE ON USSURI UP AND RUNNING !!! \o/	16:12
* gibi finished reading bag		16:13
gibi	back	16:13
gmann	anyways 're-generate fresh policy file' case for me is 'they want the new default-only always' and if old things stop working that need audit carefully from release notes or warnings.	16:13
lbragstad	they'll need to be aware of the context they're operating on	16:13
* zigo is going to make an announcement about general availability of Ussuri for Debian ! :P		16:13
gibi	gmann, dansmith: do I understand correctly that we need at least a release notes update to document what zigo has found? What else we need to / can do in Ussuri?	16:14
gmann	like uncap 'hacking' version in our requirement file which mean 'we will adopt the new changes always and if broken we fix our code'	16:14
sean-k-mooney	gmann: well hacking is used by multiple project but not all projects will want to use the same checks	16:15
sean-k-mooney	nova and neuton have completely different approchs to self.assert* methods	16:16
gmann	sean-k-mooney: true, that is why many projects cap it	16:16
sean-k-mooney	neutron blocked the use of any not in py27 and nova used mock the lib	16:16
*** iurygregory has quit IRC		16:17
gmann	gibi: dansmith lbragstad in addition to release note for nova ussuri, should we have a clear doc from oslo/keystone or somewhere generic on 'how to generate and use policy file and how deployer can be broken for xyz cases'. i mean a single recommended way instead of supporting all possible way deployment doing ?	16:18
*** jangutter has quit IRC		16:18
sean-k-mooney	gmann: well that would be in oslo.policy correct	16:19
*** jangutter has joined #openstack-nova		16:19
sean-k-mooney	or rather should be	16:19
sean-k-mooney	e.g. discribing how the lib should be used by developers	16:19
gmann	I am not sure, we have. but lbragstad or bnemec can point to if there is any.	16:20
*** ociuhandu has quit IRC		16:20
*** ociuhandu has joined #openstack-nova		16:21
gmann	i meant explicitly saying, 'this way of re-genrating policy file or having not-override rule in policy file etc etc can break you if you do not carefully audit on upgrades'	16:21
*** elod has quit IRC		16:22
*** elod has joined #openstack-nova		16:23
*** gibi_ has joined #openstack-nova		16:24
* gibi_ lost network connectivity		16:24
*** jangutter has quit IRC		16:25
*** udesale_ has quit IRC		16:26
*** artom has quit IRC		16:26
*** raildo has quit IRC		16:26
*** vesper11 has quit IRC		16:26
*** haleyb has quit IRC		16:26
*** tobiash has quit IRC		16:26
*** hoonetorg has quit IRC		16:26
*** iokiwi has quit IRC		16:26
*** tobias-urdin has quit IRC		16:26
*** noonedeadpunk has quit IRC		16:26
*** gibi has quit IRC		16:26
*** rmk has quit IRC		16:26
*** tonyb has quit IRC		16:26
*** averi has quit IRC		16:26
*** yankcrime has quit IRC		16:26
*** AJaeger has quit IRC		16:26
*** jangutter has joined #openstack-nova		16:26
openstackgerrit	Takashi Natsume proposed openstack/nova master: Fix list rendering in the accelerator support doc https://review.opendev.org/721846	16:27
lbragstad	gmann we have this	16:28
lbragstad	https://bugs.launchpad.net/oslo.policy/+bug/1853170	16:28
openstack	Launchpad bug 1853170 in oslo.policy "Need documentation on recommended operator workflow for deprecated policies" [High,Triaged]	16:28
openstackgerrit	Takashi Natsume proposed openstack/nova master: Update contributor guide for Victoria https://review.opendev.org/722647	16:28
*** irclogbot_2 has quit IRC		16:28
*** vesper11 has joined #openstack-nova		16:29
*** irclogbot_1 has joined #openstack-nova		16:30
lbragstad	gmann i don't think there is anything in review for that, yes	16:30
lbragstad	yet*	16:30
*** KeithMnemonic has joined #openstack-nova		16:30
*** hoonetorg has joined #openstack-nova		16:31
*** raildo has joined #openstack-nova		16:31
*** udesale_ has joined #openstack-nova		16:31
*** artom has joined #openstack-nova		16:31
gmann	lbragstad: i see, thanks	16:32
*** gibi has joined #openstack-nova		16:32
stephenfin	melwitt: confident enough to bump your +1 to +2 now? https://review.opendev.org/#/c/720725/	16:32
*** AJaeger has joined #openstack-nova		16:32
*** haleyb has joined #openstack-nova		16:32
*** tobiash has joined #openstack-nova		16:32
*** tobias-urdin has joined #openstack-nova		16:32
*** iokiwi has joined #openstack-nova		16:32
*** noonedeadpunk has joined #openstack-nova		16:32
*** averi has joined #openstack-nova		16:32
*** rmk has joined #openstack-nova		16:32
*** tonyb has joined #openstack-nova		16:32
*** yankcrime has joined #openstack-nova		16:32
*** evrardjp has quit IRC		16:35
*** gibi_ has quit IRC		16:35
gibi	gmann: I have to stop for today. If you start writing a reno update for the policy thing then please link it to me and I will read it first thing in the morning	16:35
gmann	gibi: ok, I will update the upgrade section for now to mention the re-generated policy file case. and later we can work on some generic doc (bug/1853170).	16:37
gibi	gmann: ack, thanks	16:37
*** ChanServ has quit IRC		16:42
*** ChanServ has joined #openstack-nova		16:45
*** tepper.freenode.net sets mode: +o ChanServ		16:45
*** evrardjp has joined #openstack-nova		16:46
*** sapd1_x has joined #openstack-nova		16:47
*** udesale_ has quit IRC		16:50
*** derekh has quit IRC		17:03
*** ociuhandu has quit IRC		17:06
*** ociuhandu has joined #openstack-nova		17:06
*** _mlavalle_1 has quit IRC		17:09
*** mlavalle has joined #openstack-nova		17:11
*** ociuhandu has quit IRC		17:12
*** dtantsur is now known as dtantsur\|afk		17:18
*** jangutter has quit IRC		17:20
*** gibi has quit IRC		17:20
*** bbowen_ has quit IRC		17:22
*** haleyb has quit IRC		17:26
*** tobiash has quit IRC		17:26
*** iokiwi has quit IRC		17:26
*** tobias-urdin has quit IRC		17:26
*** noonedeadpunk has quit IRC		17:26
*** rmk has quit IRC		17:26
*** tonyb has quit IRC		17:26
*** averi has quit IRC		17:26
*** yankcrime has quit IRC		17:26
*** AJaeger has quit IRC		17:26
*** artom has quit IRC		17:26
*** raildo has quit IRC		17:26
*** jangutter has joined #openstack-nova		17:26
*** AJaeger has joined #openstack-nova		17:29
*** haleyb has joined #openstack-nova		17:29
*** tobiash has joined #openstack-nova		17:29
*** tobias-urdin has joined #openstack-nova		17:29
*** iokiwi has joined #openstack-nova		17:29
*** noonedeadpunk has joined #openstack-nova		17:29
*** averi has joined #openstack-nova		17:29
*** rmk has joined #openstack-nova		17:29
*** tonyb has joined #openstack-nova		17:29
*** yankcrime has joined #openstack-nova		17:29
*** raildo has joined #openstack-nova		17:29
*** artom has joined #openstack-nova		17:29
*** nightmare_unreal has quit IRC		17:32
*** vishalmanchanda has quit IRC		17:34
*** ChanServ has quit IRC		17:39
*** ChanServ has joined #openstack-nova		17:42
*** tepper.freenode.net sets mode: +o ChanServ		17:42
*** tbachman has quit IRC		17:42
*** ociuhandu has joined #openstack-nova		17:42
sean-k-mooney	stephenfin: can you take a look at https://review.opendev.org/#/c/722407/	17:43
sean-k-mooney	stephenfin: it needt to merge before your change can merge	17:44
*** jangutter has quit IRC		17:46
*** jangutter has joined #openstack-nova		17:47
*** jangutter has quit IRC		17:47
*** jangutter has joined #openstack-nova		17:48
AJaeger	any nova core available for two tiny cleanups related to Babel/translations, please? https://review.opendev.org/#/c/723206/2 and https://review.opendev.org/#/c/720725/1 ?	17:48
*** tbachman has joined #openstack-nova		17:51
*** READ10 is now known as READ10\|away		17:57
*** factor has quit IRC		17:58
openstackgerrit	Merged openstack/python-novaclient master: Use unittest.mock instead of third party mock https://review.opendev.org/723152	18:01
*** hoonetorg has quit IRC		18:02
*** factor has joined #openstack-nova		18:04
*** jangutter has quit IRC		18:18
openstackgerrit	Merged openstack/nova master: Add placeholder migrations for Ussuri backports https://review.opendev.org/722546	18:19
*** ociuhandu has quit IRC		18:20
*** ociuhandu has joined #openstack-nova		18:20
*** jangutter has joined #openstack-nova		18:29
*** iurygregory has joined #openstack-nova		18:34
*** READ10\|away is now known as READ10		18:45
*** xek_ has joined #openstack-nova		18:46
*** dpawlik has quit IRC		18:47
*** xek has quit IRC		18:49
openstackgerrit	Ghanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes https://review.opendev.org/723645	18:51
openstackgerrit	Ghanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes https://review.opendev.org/723645	18:51
*** JamesBenson has joined #openstack-nova		18:53
*** ttsiouts has joined #openstack-nova		18:59
*** ociuhandu has quit IRC		19:03
*** ociuhandu has joined #openstack-nova		19:06
*** ttsiouts has quit IRC		19:13
*** ttsiouts has joined #openstack-nova		19:13
*** ociuhandu has quit IRC		19:20
*** READ10 has quit IRC		19:24
*** bbowen has joined #openstack-nova		19:24
*** ociuhandu has joined #openstack-nova		19:27
*** ttsiouts has quit IRC		19:44
*** ttsiouts has joined #openstack-nova		19:45
*** jangutter_ has joined #openstack-nova		19:54
*** dklyle has quit IRC		19:56
*** jangutter has quit IRC		19:57
openstackgerrit	Merged openstack/nova master: Fix list rendering in the accelerator support doc https://review.opendev.org/721846	19:59
*** dklyle has joined #openstack-nova		20:00
*** brinzhang_ has quit IRC		20:14
*** brinzhang_ has joined #openstack-nova		20:14
*** songwenping_ has joined #openstack-nova		20:14
*** ttsiouts has quit IRC		20:15
*** songwenping__ has quit IRC		20:17
*** jangutter_ has quit IRC		20:18
*** xek_ has quit IRC		20:21
*** nweinber has quit IRC		20:26
*** jangutter has joined #openstack-nova		20:27
*** gibi has joined #openstack-nova		20:36
*** ccamacho has quit IRC		20:38
openstackgerrit	Ghanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes https://review.opendev.org/723645	20:47
gmann	dansmith: gibi stephenfin please check, i have added this upgrade notes for clarification on policy file things - https://review.opendev.org/#/c/723645/	20:50
*** ociuhandu has quit IRC		20:57
*** ociuhandu has joined #openstack-nova		20:58
*** damien_r has quit IRC		21:00
*** igordc has joined #openstack-nova		21:07
*** brinzhang has joined #openstack-nova		21:08
melwitt	gmann: do we have people ready to review https://review.opendev.org/722551 ? wondering if I should wait on reviewing the nova change	21:09
gmann	melwitt: i pinged few tempest core,may be we can get +A from masayukig once he wake up.	21:10
*** ociuhandu has quit IRC		21:11
melwitt	ok	21:11
*** brinzhang_ has quit IRC		21:11
openstackgerrit	Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of assertRequestMatchesUsage() https://review.opendev.org/723694	21:12
openstackgerrit	Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of _check_allocation_during_evacuate() https://review.opendev.org/723695	21:12
openstackgerrit	Artom Lifshitz proposed openstack/nova stable/queens: DNM: Add nova-manage placement heal_allocations CLI https://review.opendev.org/723696	21:12
openstackgerrit	Artom Lifshitz proposed openstack/nova stable/queens: DNM: Don't heal allocations for deleted servers https://review.opendev.org/723697	21:12
openstackgerrit	Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of FakeResponse https://review.opendev.org/723698	21:12
openstackgerrit	Artom Lifshitz proposed openstack/nova stable/queens: DNM: Heal allocations with incomplete consumer information https://review.opendev.org/723699	21:12
gmann	melwitt: or let's wait for these patches first to have ussuri branch setup properly - https://review.opendev.org/#/q/topic:qa-ussuri-release+status:open	21:14
*** rcernin has joined #openstack-nova		21:14
melwitt	gmann: ah k	21:14
*** ociuhandu has joined #openstack-nova		21:19
*** maciejjozefczyk has quit IRC		21:28
*** ociuhandu has quit IRC		21:29
*** martinkennelly has quit IRC		21:33
*** martinkennelly has joined #openstack-nova		21:38
*** ociuhandu has joined #openstack-nova		21:39
*** ttsiouts has joined #openstack-nova		21:42
*** martinkennelly has quit IRC		21:46
*** slaweq has quit IRC		21:49
*** ociuhandu has quit IRC		21:49
*** ttsiouts has quit IRC		21:51
*** slaweq has joined #openstack-nova		21:52
*** raildo has quit IRC		21:56
*** slaweq has quit IRC		22:03
*** ociuhandu has joined #openstack-nova		22:18
*** jangutter has quit IRC		22:18
*** gibi has quit IRC		22:21
*** gibi has joined #openstack-nova		22:22
*** jangutter has joined #openstack-nova		22:27
*** ociuhandu has quit IRC		22:29
*** yaawang has joined #openstack-nova		22:32
*** yaawang_ has quit IRC		22:33
openstackgerrit	Ghanshyam Mann proposed openstack/nova master: Clarify the policy new defaults upgrade notes https://review.opendev.org/723645	22:48
*** tkajinam has joined #openstack-nova		22:49
*** tkajinam has quit IRC		22:49
*** tkajinam has joined #openstack-nova		22:50
*** abaindur has joined #openstack-nova		22:54
*** lbragstad has quit IRC		22:56
*** tosky has quit IRC		23:02
*** jangutter_ has joined #openstack-nova		23:12
*** jangutter has quit IRC		23:13
*** igordc has quit IRC		23:14
openstackgerrit	Artom Lifshitz proposed openstack/nova stable/queens: DNM: Partial cherry-pick of report client changes https://review.opendev.org/723750	23:14
openstackgerrit	Artom Lifshitz proposed openstack/nova stable/queens: DNM: Add a placement audit command https://review.opendev.org/723751	23:14
*** avolkov has quit IRC		23:22
*** bbowen has quit IRC		23:32
*** bbowen has joined #openstack-nova		23:32

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!