Wednesday, 2022-02-23

« Tuesday, 2022-02-22 Index Thursday, 2022-02-24 »
opendevreviewGhanshyam proposed openstack/nova master: API change to allow project admin to boot server on specific host  https://review.opendev.org/c/openstack/nova/+/83054302:14
opendevreviewmelanie witt proposed openstack/nova master: libvirt: Register defaults for undefined hw image properties  https://review.opendev.org/c/openstack/nova/+/80070802:50
opendevreviewmelanie witt proposed openstack/nova master: WIP manage: Add image_property commands  https://review.opendev.org/c/openstack/nova/+/82439205:09
*** bhagyashris_ is now known as bhagyashris06:28
*** amoralej|off is now known as amoralej07:06
kashyapgibi: Thank you for looking; just read your messages in the scroll!  Yeah, the QEMU error might not correlate with the Tempest failure, but it seems to have uncovered a latent libvirt bug09:00
kashyapMorning, BTW09:01
*** bhagyashris_ is now known as bhagyashris09:25
gibikashyap: o/ I tried to find the same error in any tempest-integrated-compute-centos-8-stream job but in the last 10 days of run I did not find the same error as reported in  https://bugs.launchpad.net/tripleo/+bug/1959014/comments/109:47
gibibauzas: I was about to update the tracking etherpad with the placement feature but I see you updating that in real time :)10:02
bauzasheh10:02
bauzaswas about to review the series10:03
bauzasthen I saw sean having done it10:03
bauzasgibi: WDYT of https://review.opendev.org/c/openstack/nova/+/808791 ?10:03
gibibauzas: I'm not worrying about it10:04
bauzasme too10:04
gibihence my +2 :)10:04
bauzasI'll review it again10:04
gibiack10:05
gibiI will go back to https://review.opendev.org/q/topic:bp%252Fpick-guest-arch-based-on-host-arch-in-libvirt-driver 10:05
gibiI saw chateaulav updated it after my comments10:05
bauzasgibi: well, I'm still torn by https://review.opendev.org/c/openstack/nova/+/808791/7/nova/virt/vmwareapi/constants.py#2210:19
bauzasI'm a vmware specialist tho but I assume we say the whole driver works with VC 5.1.010:19
bauzasI'm not* a vmware specialist, obviously10:19
bauzascan someone know Alban's IRC nick ?10:20
opendevreviewmelanie witt proposed openstack/nova master: manage: Add image_property commands  https://review.opendev.org/c/openstack/nova/+/82439210:29
kashyapgibi: (Sorry, was out for a run; weather is nice for a change) Hm, I'm feeling like we're 2 steps fwd, 1 step backward10:35
gibibauzas: Alban responded in review to update the versions so I'm still OK10:44
gibikashyap: I still in the 10:44
gibikashyap: I'm still in the winter mode an only use the pool10:44
gibi*and10:44
kashyapI can't swim yet, I can do "controlled not drowning" in a calm pool if you know what I mean :D10:45
gibi:)10:46
gibikashyap: about the bug, I'm not sure how to move forward10:46
kashyap(No worries.  I only began after 2 months...but keep walking 8-ish KM each day.  But it's no substitue for running)10:46
kashyapgibi: Back to the bug, it looks like it is not reproducible, right?10:46
kashyapgibi: Did you look for this?10:47
kashyap    "libvirt.libvirtError: Unable to read from monitor: Connection reset by peer"10:47
gibiI looked for the more specific raise libvirtError..virDomainGetBlockJobInfo.. failed.. regex10:48
gibibut I can check the more generic one10:48
kashyapgibi: Your search makes sense.10:50
kashyapYeah, what I'm wondering is, we don't see the _crash_ anymore:10:50
kashyap    "2022-01-25 13:13:35.058+0000: shutting down, reason=crashed"10:50
kashyapIs that what you found based on your searches?  That you can't find the crash anymore?10:51
gibiI did not find the same nova symptom, the libvirtError, in any upstream logs, so I did not look deeper 10:52
gibiI can also try to find the same tempest test failure10:53
gibiin upstream jobs10:53
gibiand if I found one then I can refine from there10:53
kashyapgibi: Nod.  But you wanted a TripleO job result, right?10:54
kashyapgibi: When you get a minute, can you please add your observation so far?  Just so that it gives an insight that several folks are looking at it - https://bugs.launchpad.net/tripleo/+bug/1959014/10:54
gibiI can look at the original triploo run from ^^ bug but I'm new to tripleo that why I tried to find a repro in a nova run 10:55
kashyapYeah, understood.  I'm "perpetually new" to TripleO too.  They're seeing this on TripleO, it looks like10:56
kashyapgibi: Good that we (you) ruled it out w/ plain upstream jobs, at least.  Thank you for the digging10:56
gibiI will look at the original run, and then update the bug what I see10:57
sean-k-mooneybauzas: i think https://blueprints.launchpad.net/nova/+spec/vmware-fcd is the blueprint for that by the way10:59
sean-k-mooneyits approved for the yoga cycle10:59
stephenfinIs it just me, or is anyone else not getting emails from Gerrit at the moment. I haven't seen anything since midday yesterday11:00
sean-k-mooneyalthouhg they are missing the commit message line for it11:00
sean-k-mooneystephenfin: it know that you have abandoned us :P11:00
sean-k-mooneystephenfin: last email was 12:04 yesterday11:01
sean-k-mooneynot sure if i should have got anything since then11:01
bauzassean-k-mooney: yup, we approved it as a specless BP during a meeting, see the whiteboard11:01
sean-k-mooneybauzas: oh i know just wanted to highlight it to you incase you tought it was not approved11:02
sean-k-mooneyi noticed both you and gibi are +2 on it11:02
bauzassean-k-mooney: no, I'm tracking all the approved bps in https://etherpad.opendev.org/p/nova-yoga-blueprint-status11:02
sean-k-mooneybut ye have not +w so i was wondering if you were conceren that it was not approved11:02
bauzassean-k-mooney: and this one was in there so I was looking at it11:03
sean-k-mooneyack11:03
bauzassean-k-mooney: I eventually +W it 1 min ago11:03
bauzasas alban replied11:03
sean-k-mooneystephenfin: so https://review.opendev.org/c/openstack/placement/+/826719 meged 14 hours ago11:03
sean-k-mooneyand i dont have a gerrit email from it11:03
sean-k-mooneyso ya i havent got anythin since just after noon yesterday so looks like its not just you11:04
stephenfinsean-k-mooney: I emailed the list and mentioned it on #opendev11:29
sean-k-mooneygibi by the way your placment any triats series is now merged in case you didnt get the gerrit email :)11:31
sean-k-mooneystephenfin: was there anything in particalar you were looking for11:31
sean-k-mooneyor just noticed you got no emails form gerrit in a while11:31
stephenfinNo, just noticed the lack of emails11:32
sean-k-mooneyack11:32
stephenfin(Usually it's a firehose)11:32
sean-k-mooneylyarwood: sorry to bother you but do you know what i should do with https://review.rdoproject.org/r/c/openstack/placement-distgit/+/39716 the build failed because it coudl not resovle the centos8-stream repos its not related to the patch that merged so do i just abandon that?11:35
lyarwoodsean-k-mooney: The RDO folks normally close these out once the outage is over11:35
sean-k-mooneyok it showed up in my email so i was like do i need to do somehting with this11:36
sean-k-mooney Errors during downloading metadata for repository 'Stream-BaseOS':11:36
sean-k-mooneyis clearly not related to placement11:36
lyarwoodYeah it's infra 99% of the time11:37
sean-k-mooney2919c3f393bb2e897cead2e62c598acadeae3b8bd1603ef8e171e4274ff1b2e0-primary.xml.gz  is missing form the mirrors11:38
sean-k-mooneyso proably a sync issue11:38
sean-k-mooneylyarwood: how is life in openshift land11:38
lyarwoodYeah good, I've somehow ended up helping with the introduction of flavors into KubeVirt ^_^11:39
opendevreviewRajat Dhasmana proposed openstack/nova master: Add support for volume backed server rebuild  https://review.opendev.org/c/openstack/nova/+/82036811:40
sean-k-mooneyok so pod spec templates or something like that ya11:40
sean-k-mooneythe idea of flavors in a k8s env would be somewhat differnt then ours i expect since the intent with k8s is to be much more dynmic in terms of each pod spec is used for that one set of pods but not reused across unrelated pods11:43
sean-k-mooneyso unlike openstack if you udated the kubevirt flavor i would expect that to propagate to everything that used it11:44
gibikashyap: https://bugs.launchpad.net/tripleo/+bug/1959014/comments/15 tldr; I don't think the original problem was reproduced in later runs linked in the bug11:59
sean-k-mooneystephenfin: by the way nova is nolonger installable with -e because pbr cannot figure out the version12:00
gibisean-k-mooney: thanks for pushing the any-traits through. I will get back to the series to do the small nit followup and the perf measurements / tuning12:00
sean-k-mooneystephenfin: i know there is a bug with the current pbr due to metadata or somehting like that but do you know if the impact on nova is expected12:01
sean-k-mooneygibi: ack12:01
stephenfinsean-k-mooney: There is? I wasn't aware of anything12:02
sean-k-mooneyif you install with devstack12:02
sean-k-mooneythen clone nova and pip install -e  the clone12:02
sean-k-mooneythen when you restart the nova compute agent12:03
sean-k-mooneyor any of the rest12:03
sean-k-mooneyit will fail to run12:03
sean-k-mooneybecause pbr will not be able to figure out the version12:03
sean-k-mooneyso you ahve to do a non -e install currently12:03
sean-k-mooneywhich is annoying since you have to redo it every time you make a change12:04
gibihm, I haven't hit that issue yet ^^12:06
gibiprobably my pbr is older12:07
sean-k-mooneyhttps://paste.opendev.org/show/812529/12:09
sean-k-mooneystephenfin: gibi  that is what it looks liek in the journal12:09
stephenfinThat's weird. I haven't seen that eithe12:10
stephenfin*either12:10
sean-k-mooneyhave you done sudo pip install -e12:10
sean-k-mooneyof the repo or a differnt copy of the repo12:11
stephenfinI didn't need to. It does an editable install by default12:11
stephenfinDevStack that is12:11
gibiyeah I have the editable nova in devstack too12:11
gibiso then that is the difference12:11
sean-k-mooneyso ye dont use a second repo for dev12:11
sean-k-mooneywith devstafck using reclone=ture i guess12:12
gibiI tend to pull from my dev repo to the devstack nova repo with git12:12
stephenfinYeah, me too12:12
sean-k-mooneyok you do it that way instead of installign the dev one after the fact12:12
stephenfinOr I push from the local to devstack12:12
stephenfin(that's slower because you've to change branches)12:13
sean-k-mooneyi dont like having to commit for it to take effect most of the time12:13
sean-k-mooneyand since i have reclone true set its not safe to do dev in the devstack managed one12:13
stephenfingit commit -asm TODO12:13
stephenfineasy as pie12:13
sean-k-mooneyya but that vs save and restart12:14
sean-k-mooneyanyway i think this is caused by the other pbr bug12:14
sean-k-mooneybut i think that has been fixed recently12:14
sean-k-mooneyhttps://review.opendev.org/c/openstack/pbr/+/662035 i think is realted to it12:15
stephenfinso using pbr 5.8.1, I can use an editable install and still get a valid version for another pbr-based project I have12:17
stephenfinso maybe it's the sudo part of things that's the issue12:17
sean-k-mooneyhttps://review.opendev.org/c/openstack/pbr/+/827977/1/releasenotes/notes/fix-pep517-metadata-regression-bc287e60e45b2732.yaml12:18
chateaulavso i have the `tools/hooks/post_test_hook.sh` file that was an accidental change, but i cant seem to remove that change from the patchset. i have tried reset to its original commit but it doesnt like that and i cant seem to simply discard it. any ideas12:20
gibihave you tried git rm tools/hooks/post_test_hook.sh ?12:21
chateaulavyeah but then that deletes the file itself, and i dont want to commit it as deleted, that is no different then the typechange it is recognizing12:21
gibiahh so it is a link on mater12:23
gibimaster12:23
chateaulavhttps://usercontent.irccloud-cdn.com/file/zqzGCZdB/image.png12:23
chateaulavadded 5 years ago12:23
chateaulavwhen i try to reset it it does a weird staged and ustaged change at the same time, which wont allow me to commit12:24
sean-k-mooneyyou can do git checkout -- <file>12:24
sean-k-mooneyto rest the file to what was in the parent commit12:24
chateaulavok, ill try that12:24
sean-k-mooneyor do git checkout <branch or commit> -- <file>12:24
sean-k-mooneyif you want to restrore it to a specific version12:24
gibi$ git checkout HEAD^ -- tools/hooks/post_test_hook.sh12:25
gibigibizer@riverbed:~/upstream/git/nova D[eaf971cfda driver/secheduler/docs for Adds Pick guest CPU architecture based on host arch in libvirt driver support]                     [000] [13:25:23]12:25
gibi$ git status12:25
gibiHEAD detached at FETCH_HEAD12:25
gibiChanges to be committed:12:25
gibi  (use "git restore --staged <file>..." to unstage)12:25
gibiahh sean-k-mooney was faster12:25
gibitypechange: tools/hooks/post_test_hook.sh12:25
chateaulavk12:26
opendevreviewJonathan Race proposed openstack/nova master: driver/secheduler/docs for Adds Pick guest CPU architecture based on host arch in libvirt driver support  https://review.opendev.org/c/openstack/nova/+/82205312:31
opendevreviewJonathan Race proposed openstack/nova master: zuul-job for Adds Pick guest CPU architecture based on host arch in libvirt driver support  https://review.opendev.org/c/openstack/nova/+/82837212:31
chateaulavperfect, appreciate the tip!12:31
sean-k-mooneygit restore i think can do somethign similar but its a much more recent tool in the git suite so not really famialr with how it works12:33
chateaulavyeah, i can definitely say this whole process has thouroughly expanded my understanding of git12:34
gibigit is nice but it has a learning curve 12:40
sean-k-mooneyhaving used svn and perforce(breifly) i will take the learning curve over checking out indivugual files anyday12:45
sean-k-mooneyi know other tools like mercuiral exist that work in a similar way12:46
sean-k-mooneybut with out a distibuted version contol system like git we could not work the way we do today12:46
chateaulavdefinitely12:47
sean-k-mooneyeven the kernels email based approch depend on it to generate the patch files that are submitted12:47
gibiagree12:48
gibiI use clearcase and svn before git. git is superior12:48
gibi*used12:48
sean-k-mooneythe centralised tools work fine if you can push to master12:49
sean-k-mooneybut unless everyone can commit directly they dont scale12:49
opendevreviewMerged openstack/nova master: VMware: Support volumes backed by VStorageObject  https://review.opendev.org/c/openstack/nova/+/80879112:50
yuvalHey guys12:53
yuvalafter elod upload12:53
yuvalhttps://review.opendev.org/c/openstack/nova/+/82160612:53
yuvalI think this is ready12:54
gibibauzas, sean-k-mooney, chateaulav: I'm satisfied with the series https://review.opendev.org/q/topic:bp%252Fpick-guest-arch-based-on-host-arch-in-libvirt-driver the last patch adding the tempest test seem to work (nova can boot VMs) but still has some failing test cases. I think we can accept the implementation without the gate job as we know chateaulav is working on it12:54
gibiyuval: you are next :)12:54
kashyapgibi: Ah-ha!  Reading.  Thanks for the thorough response12:54
yuvalgibi: thanks12:54
chateaulavgibi: thanks for the reviews and help!12:55
gibichateaulav: no problem. thanks for working on this feature12:55
opendevreviewFelix Huettner proposed openstack/nova stable/queens: Gracefull recovery when attaching volume fails  https://review.opendev.org/c/openstack/nova/+/83060213:04
gibiyuval: I'm +213:05
*** amoralej is now known as amoralej|lunch13:09
gibisean-k-mooney: I think pedro answered your question here https://review.opendev.org/c/openstack/nova/+/82838713:10
sean-k-mooneythey responded but didnt really adress my concern13:26
sean-k-mooneygibi: we could proceed with this update but i think this has the inverse problem13:27
sean-k-mooneythe old doc described live_migration_downtime as the maxium but failed to capture it was best effort13:28
sean-k-mooneythe new docs to me at least imples that live_migration_downtime is  the minium downtime and it can be larger13:28
sean-k-mooneyto me live_migration_downtime is the maxium downtime we have asked libvirt to not exceed but its best effort13:29
sean-k-mooneyso it shoudl be less then that but in some case may be larger13:30
gibiI see 13:30
gibiyou are right13:31
sean-k-mooneygibi: so i doen know if we want to merge the update as is or rephrase13:49
kashyapgibi: Very clear analysis in the bug; nice work!  To tie up the loose end, they're temporarily going to skip it - https://review.opendev.org/c/openstack/openstack-tempest-skiplist/+/82824313:49
*** whoami-rajat__ is now known as whoami-rajat13:59
opendevreviewMerged openstack/nova master: VmWare: Remove unused legacy_nodename regex  https://review.opendev.org/c/openstack/nova/+/80633614:00
*** amoralej|lunch is now known as amoralej14:02
opendevreviewRajat Dhasmana proposed openstack/nova master: Add support for volume backed server rebuild  https://review.opendev.org/c/openstack/nova/+/82036814:04
pmonteirpedro ans14:12
pmonteirops, sry14:13
opendevreviewPedro Monteiro Azevedo de Moura Almeida proposed openstack/nova master: Update live_migration_downtime definition  https://review.opendev.org/c/openstack/nova/+/82838714:27
pmonteirsean-k-mooney: hey, saw u and gibi were talking about the change above today and I agree with the comment u left there, I didn't understand what u meant in the first comment, but got it now! If u can take a look when u have some time, pls do :D14:33
gibipmonteir: sure, I will check14:35
pmonteirthank you! :)14:51
sean-k-mooneypmonteir: thanks im fine with the new wording so +214:55
gibipmonteir: then it is approved :)15:01
mfohey folks! i'm looking for patch reviewers/feedback for bug 1960758, if you have a chance :)  thanks in advance!15:04
mfohttps://bugs.launchpad.net/nova/+bug/196075815:04
mfo(UEFI libvirt servers can't boot on Ubuntu 20.04 hypervisors with Ussuri/Victoria)15:04
pmonteirthanks for the answering so quickly, guys! :)15:08
opendevreviewFelix Huettner proposed openstack/nova stable/queens: Gracefull recovery when attaching volume fails  https://review.opendev.org/c/openstack/nova/+/82986115:09
dansmithbauzas: do you have opinions on my comment about splitting this up? https://review.opendev.org/c/openstack/nova/+/820368/815:10
dansmithbauzas: it's huge right now, in terms of what all it touches15:10
bauzasdansmith: looking15:11
dansmithI can help him split it if you think it's important, but if I'm the only one I'll shut up15:11
bauzasdansmith: nah, I agree with you15:12
sean-k-mooneymfo:i think we alredy fixed this15:12
bauzasadding a microversion plus a new event by the same change is large15:12
dansmithbauzas: okay, can you slap a quick comment on there? I'll work with him to split after the next rev15:12
dansmithbauzas: I assume this is still on the slate for merging yeah?15:13
bauzasdansmith: doing it nbow15:13
dansmithbauzas: <315:13
sean-k-mooneymfo: teh secvure boot firemware shoudl not require secure boot to function it just supports it15:13
sean-k-mooneymfo: so nova should not need to have any logic to select the non secure boot version15:13
sean-k-mooneymfo: i aslo done se any fix againt master15:14
bauzasdansmith: done15:14
dansmiththanks15:14
bauzasI explained why it's important to split15:15
sean-k-mooneyyou seam to have started with a sable only patch https://review.opendev.org/c/openstack/nova/+/82898015:15
sean-k-mooneywhich i dont think is correct15:15
mfosean-k-mooney, thanks for looking. i'll follow up on the sec boot firmware (no) needs that you mentioned.   and this is "fixed" on wallaby and later/master w/ the implementation of secboot spec/support, due a refactor (this a bit buried in the commit msg, but the research has been done to go w/ stable-only. :) 15:18
mfoand, seconding pmonteir above, thx for answering so quickly!15:19
sean-k-mooneymfo: the secure booth ovmf image shoudl work without secure boot enabled howevdr15:19
sean-k-mooneywe should not need to filter like this form my understandig15:19
sean-k-mooneydo you know why this is requried15:20
mfoack, i'll be following up on that.15:20
sean-k-mooneyif we can get a statement as to why this is requried we could proably proceed with the minimal stabel only backport15:20
sean-k-mooneybut that obviouly has risk too15:21
sean-k-mooneyi agree that backportign the secure boot feature is likely not viable15:21
mfoer, it was my assumption that it didn't work bcz of secboot ovmf image requirements; but per your statement, it might as well be something w/ ubuntu's qemu or ovmf pkgs. which i'll go check/debug further on why secboot.fd isn't booting.15:22
sean-k-mooneybut we woudl at least need som unit tests to vover this change15:22
mfosean-k-mooney, understood.  you mean something like just booting VMs in bios and uefi mode, or something more specific like checking the rendered libvirt xml and check for the ovmf image used too?15:24
sean-k-mooneyso to test https://review.opendev.org/c/openstack/nova/+/828979/2/nova/virt/libvirt/driver.py#583415:25
sean-k-mooneywe should ensure in a unit test that we include a ovm path that has .secboot.fd15:25
sean-k-mooneyas the first option15:25
sean-k-mooneyand that the non secboot.fd path is chosen15:25
sean-k-mooneywe should also check what appens if all the path have secboot.fd15:25
sean-k-mooneyalso i wonder if all distos use the same nameing convention15:26
mfogot it.15:27
chateaulavso i have additional package installs defined in the stack.sh for my proposed CI to ensure devstack has the supported requirements. is that the correct place or is there a better method due to how it builds. these only need installed on the compute15:27
opendevreviewRajat Dhasmana proposed openstack/python-novaclient master: Add parameter to rebuild boot volume  https://review.opendev.org/c/openstack/python-novaclient/+/82716315:27
mfosean-k-mooney, since we're testing against a limited option set (the hardcoded paths array), there's only that nameing convention to check (if i got your point right :)15:29
bauzaswow, time flies and I'm on the policy changes15:29
bauzas...15:29
sean-k-mooneymfo: so on centos 9 there is no version aviiable without secureboot form the set15:31
sean-k-mooney'/usr/share/OVMF/OVMF_CODE.secboot.fd' is the only one of the 3 that is present15:31
sean-k-mooneymfo: there is a singel non secureboot capable image at /usr/share/edk2/ovmf/OVMF_CODE.cc.fd15:32
sean-k-mooneybut that will not be checked15:32
mfosean-k-mooney, ok. so, if for some reason that patch is still required, we're better checking if there's another option available before ignoring secboot.fd.15:33
sean-k-mooneyyes15:33
sean-k-mooneyso redhat will be releaseign osp 17 based on stable wallaby on rhel 9 later this year15:33
sean-k-mooneyand the current patch would break uefi i belive in that case15:34
sean-k-mooneyhowever i dont know if we have the same issue where we woudl need to use the '/usr/share/OVMF/OVMF_CODE.fd' image if secure boot is not requested15:34
bauzasgmann: around ?15:34
bauzasor maybe dansmith ?15:34
bauzascontext is https://review.opendev.org/c/openstack/nova/+/828670/4/nova/api/openstack/compute/server_groups.py15:34
gmannbauzas: hi15:35
bauzaswe'll change the API behaviour15:35
bauzasas you need to be in the right project to getting the server groups15:35
bauzasit's OK for me15:35
mfohmm, but this isnt an issue in wallaby, right?  as it uses a diff method to pick the ovmf files, based on descriptor files from qemu (eg, /usr/share/qemu/firmware/)15:35
bauzasbut,15:35
mfosean-k-mooney, ^15:35
dansmithbauzas: that's *your* project id15:35
bauzasgiven it will change the behaviour, do we all agree we don't need a microversion ?15:36
dansmithbauzas: so it should be no different than today15:36
bauzasdansmith: well,15:36
sean-k-mooneymfo: ack ya it might not be an issue there15:36
bauzaspreviously you were giving none as a value15:36
mfosean-k-mooney, ok cool.15:36
sean-k-mooneyas you said its using a differnt method15:36
bauzasdansmith: tomorrow, you'll get an exception, right?15:36
sean-k-mooneybut we need tobe careful not to break other distors is my point15:36
sean-k-mooneymfo: so we might need to sort the options or soemthing instead15:37
dansmithbauzas: this is already limited to admin yeah?15:37
mfosean-k-mooney, absolutely; thx for your insight on that.15:37
bauzasdansmith: ah i see15:37
mfosean-k-mooney, i'll go check the secboot ovmf image boot issues, and abandon/update the patches as appropriate.15:38
bauzasdansmith: you'll get all the servergroups for your project id15:38
dansmithbauzas: this is just providing a basically no-op target object so that the check that includes admin and project_id works15:38
mfosean-k-mooney, thanks again for you help and advice on this.15:38
gmannbauzas: dansmith humm this is "all_projects server group list" which we said to allow all admin from any proejct15:38
dansmithbauzas: wait, are you talking about server groups or all_projects?15:38
gmannbauzas: dansmith if we do not pass project_id then it will fail as PROJECT_ADMIN expect project id15:38
bauzasdansmith: then my only concern is why it's for "all_projects" ?15:38
bauzasdansmith: my question is for https://review.opendev.org/c/openstack/nova/+/828670/4/nova/api/openstack/compute/server_groups.py15:39
dansmithoh, I was looking at the wrong window, not the one from your link sorry15:39
bauzasdansmith: here, we go into all_projects but we restrict to the specific project_id15:39
bauzasI don't see why we need it then15:39
gmannbauzas: it is context_project id so any admin requesting can pass the policy15:39
dansmithbauzas: it's just because the target needs to have the things we're checking15:40
gmannwe can see here, legacy admin is allowed https://review.opendev.org/c/openstack/nova/+/828670/4/nova/tests/unit/policies/test_server_groups.py#22415:40
dansmithit doesn't do any filtering15:40
gmannyeah15:40
opendevreviewAlexey Stupnikov proposed openstack/nova master: Add functional tests to reproduce bug #1960412  https://review.opendev.org/c/openstack/nova/+/83001015:40
opendevreviewAlexey Stupnikov proposed openstack/nova master: Run clean up calls when queued live migration is aborted  https://review.opendev.org/c/openstack/nova/+/82857015:40
bauzasgmann: dansmith: this, I understand but why are we targeting the specific project_id ?.15:41
bauzasin the context I mean15:41
dansmithit's *your* project_id, not an instance project_id or a server group project_id15:41
dansmithso it will always match15:41
dansmithbecause it's in the rule15:42
bauzasdansmith: it's noop, right?15:42
gmannbauzas: that is our default checks as per PROJECT_ADMIN check_str which require project_id to be present15:42
dansmithyes, but since we re-use that rule elsewhere, we need a project_id in there that will match, since we don't care about actual project_id checking for this resource15:42
dansmithit's confusing for sure.. it's one of the reasons I *hate* our policy engine15:42
gmannhttps://github.com/openstack/nova/blob/master/nova/policies/base.py#L11815:42
dansmithit's just impossible to look at and understand without study each time15:43
bauzasdansmith: OK, I trust you then15:43
gmanndansmith: at least now it will protect s to dis-allow system admin15:43
bauzaswill remove my -115:43
dansmithwhich is also why I think we need to be working towards a future where operators aren't expected to be able to tweak it like they are today15:43
gmannhaving project_id in check_str is good way to differentiate from system user. once we enable scope as hardcoded then we can remove all these noop checks with context.project_id 15:44
bauzasgmann: explain me why we need to touch https://review.opendev.org/c/openstack/nova/+/828670/4/nova/policies/attach_interfaces.py15:46
bauzasand why the role no longer needs admins15:46
bauzasoh, because we want to remove those wrong system-scoped roles15:46
gmannbauzas: yeah, and GET project reader can do and create/delete interface project member15:47
bauzasgmann: but then, if I'm admin of project 10, I can't longer attach interfaces for servers owned by project 2 ?15:47
bauzasor even list them ?15:48
bauzassorry if those sound silly questions, but I better need to ramp up on the policies things in order to be able to merge this stuff before tomorrow15:48
gmannbauzas: with new policy only yes, that is isolation we are doing. keep project admin restrictive to their project operatrions (except list all project resources if we have in that API)15:48
gmannprojectA admin will be restrictive to do projectA things not projectB things.  (with all project resource list case)15:49
bauzasgmann: is that a breaking change if we merge this change by now ?15:49
bauzasor can admins use the legacy policies for a while ?15:50
gmannbauzas: we do support legacy policy as deprecated so until we remove them it will keep woprking with old token15:50
gmannbauzas: yes, by default new policy are disabled. scope check as well as new default15:50
bauzasok 15:51
bauzasI better understand :)15:51
bauzasgmann: just tbc, until https://review.opendev.org/c/openstack/nova/+/828670/4/nova/policies/attach_interfaces.py#30 is removed or default changes to new policies, nothing changes ?15:51
gmannbauzas: this is good way to know what all allowed as default with these policy change https://review.opendev.org/c/openstack/nova/+/828670/4/nova/tests/unit/policies/test_attach_interfaces.py#2915:51
opendevreviewJonathan Race proposed openstack/nova master: driver/secheduler/docs for Adds Pick guest CPU architecture based on host arch in libvirt driver support  https://review.opendev.org/c/openstack/nova/+/82205315:52
opendevreviewJonathan Race proposed openstack/nova master: zuul-job for Adds Pick guest CPU architecture based on host arch in libvirt driver support  https://review.opendev.org/c/openstack/nova/+/82837215:52
bauzasgmann: heh, the patch is hairy, I'm not yet there15:52
bauzasgosh, we're rushing out of time 15:52
gmannbauzas: true, or operator enable it with config option enforce_scope=True, enforce_new_defaults=True15:52
bauzasgmann: ok, perfect and I guess this is correctly documented so I'm not afraid15:52
gmannboth config are false (disabled) by default in yoga15:53
bauzasgmann: thanks gmann, continuing to review15:53
chateaulavgibi: added final changes in this last patchset to the driver patch, and the zuul ci should be good this time around (fingers crossed)15:53
gibichateaulav: ack, I will check it before I leave today15:53
chateaulavccol15:55
bauzasgibi: fwiw, I'm on the policies series that you +1d, I'm leaving a ton of comments to help you better understandingh15:55
gibibauzas: thanks that will help if you want to convince me to upgrade my vote15:57
gmannbauzas: gibi thanks for reviews. I need to go away for 20 min (taking breakfast) and then will return if any query while review. 15:58
*** gmann is now known as gmann_afk15:59
*** gmann_afk is now known as gmann16:17
opendevreviewStephen Finucane proposed openstack/nova master: libvirt: Ignore LibvirtConfigObject kwargs  https://review.opendev.org/c/openstack/nova/+/83064416:17
opendevreviewStephen Finucane proposed openstack/nova master: libvirt: Remove unnecessary TODO  https://review.opendev.org/c/openstack/nova/+/83064516:17
opendevreviewStephen Finucane proposed openstack/nova master: libvirt: Add vIOMMU device to guest  https://review.opendev.org/c/openstack/nova/+/83064616:17
opendevreviewStephen Finucane proposed openstack/nova master: libvirt: Rename some config objects  https://review.opendev.org/c/openstack/nova/+/83064716:17
opendevreviewStephen Finucane proposed openstack/nova master: libvirt: Shuffle methods around  https://review.opendev.org/c/openstack/nova/+/83064816:17
opendevreviewStephen Finucane proposed openstack/nova master: WIP: libvirt: Remove handling for older libvirt versions  https://review.opendev.org/c/openstack/nova/+/83064916:17
opendevreviewStephen Finucane proposed openstack/nova master: WIP: libvirt: Return objects from Guest.get_interfaces  https://review.opendev.org/c/openstack/nova/+/83065016:17
opendevreviewStephen Finucane proposed openstack/nova master: WIP: libvirt: Don't fetch guest architecture repeatedly  https://review.opendev.org/c/openstack/nova/+/83065116:17
opendevreviewStephen Finucane proposed openstack/nova master: WIP: libvirt: Prepare for manual PCIe address management  https://review.opendev.org/c/openstack/nova/+/83065216:17
opendevreviewStephen Finucane proposed openstack/nova master: WIP: libvirt: Start managing PCIe address allocation  https://review.opendev.org/c/openstack/nova/+/83065316:17
stephenfinIgnore those. They're nowhere near done. Just pushing so I remember to finish them at some point16:18
sean-k-mooneystephenfin: am... i tought we were not gong to tdo that16:19
sean-k-mooneybut ok16:19
sean-k-mooneyi mean its been in our downstream backlog for ever16:19
opendevreviewPedro Monteiro Azevedo de Moura Almeida proposed openstack/nova master: Update live_migration_downtime definition  https://review.opendev.org/c/openstack/nova/+/82838716:21
opendevreviewElod Illes proposed openstack/nova stable/wallaby: skip test_tagged_attachment in nova-next  https://review.opendev.org/c/openstack/nova/+/83065616:26
bauzasgmann: once you're back, question in https://review.opendev.org/c/openstack/nova/+/829626/9/nova/api/openstack/compute/views/servers.py#44316:27
gmannchecking16:28
bauzasgibi: other cores : I'm +2 on the whole new-policy-rules series except one patch, reviews welcome16:31
bauzasgmann: can you then please answer my question ?16:33
bauzasI have a hardstop in 30 mins and I want to briefly look at the last unified-limits patch before I go16:33
gmannok16:34
gmannbauzas: replied, by default if target are not passed in policy it take context'sproject_id itself16:39
gmannand DB query are based on requester project_id so it gets only requesting project instances until all-tenant is requested 16:39
bauzasgmann: ok, then I'm confused, why did we need to add the target be explicitely project_id ?16:40
gmannbauzas: same as discussed before. PROJECT_ADMIN|MEMBER|READER has project_id i check_str of rule so we need to pass project_id in target which can pass. it is done to separate out the system user if scope are disabled. otherwise system reader can also pass policy.16:41
stephenfinsean-k-mooney: We're still not necessarily going to do it, but it's come up so often that it seems something we should _eventually_ do16:42
gmannbauzas: once we remove the enforce_scope as configurable (enable it hardcoded) then we can remove those and cleanup16:42
stephenfinNow just to find the time to actually do it, heh16:42
gmannbauzas: passing requester project_id and checking that against requester itself is ally bogus thing we have to do for now.16:42
bauzasok, it's a bit of a spaghetti code to me but I trust you16:43
bauzaseither way, +2d the whole series16:43
bauzasyou need to find someone next to jab it16:43
gmannbauzas: this is TODO to cleanup once scope are enabled https://github.com/openstack/nova/blob/134c4791ff8233264b7862db692e058f60ae2f80/nova/policy.py#L18016:43
gmannbauzas: thanks a lot. 16:44
bauzasgmann: ok, I see16:44
bauzasthanks for the explanations16:44
gmannbauzas: and other key bit we need to improve after secure rbac is to remove the admin checks from DB which will make it more cleaner16:44
gmannbut those are things to do after we ship secure rbac as default 16:45
sean-k-mooneystephenfin: ack17:01
bauzasalso +2d the whole unified-limits series, melwitt17:03
* bauzas disappears now and will do one last round of review tomorrow17:04
bauzasdon't be afraid folks, if you get +2/+W before Friday, you're all good17:04
* bauzas disappears by now17:04
melwittthank you bauzas!17:08
gibibauzas: ack, I will look first thing in the morning tomorrow17:32
whoami-rajatdansmith, bauzas hey, just to clear my understanding regarding your comments on change https://review.opendev.org/c/openstack/nova/+/82036818:07
whoami-rajatthe ask is to divide the patch into two parts, one adding new event (requires MV bump) and other adding rebuild support (requires yet another MV bump)18:07
whoami-rajatso the two patches will be 2.91 and 2.9218:07
*** amoralej is now known as amoralej|off18:07
dansmithno,18:07
dansmiththe event doesn't need a version bump, just your api change18:08
dansmithevent first, then api change18:08
dansmithI would put the cinder volume change and test in a separate early patch too and we can sink that quickly, IMHO18:08
whoami-rajathmm, I'm still slightly confused, the addition of a new event has required an MV bump, so you're saying don't do the bump at all or use 2.91 for it as well ? https://review.opendev.org/c/openstack/nova/+/820368/8/nova/api/openstack/compute/schemas/server_external_events.py18:10
dansmithuh18:11
dansmithokay I didn't realize we started adding microversions for new event names18:12
dansmithpretty sure that didn't happen in the earlier days (was never my intent) but clearly has been happening since v51 or so18:13
dansmithso yeah maybe not worth splitting in that case, I guess18:13
dansmithI'd update with the other comments and then we can see what bauzas thinks18:13
dansmithit's just such a large cut of things all over the API18:13
whoami-rajatI can understand it's a burden to review it but having no prior experience working in nova, I also don't have much ideas to do it in a better way18:15
whoami-rajatI will update with the given tests (and continue work on the tempest test) until then18:15
whoami-rajats/tests/comments18:16
dansmithyep, sounds good18:16
whoami-rajatcool, thanks!18:16
whoami-rajatdansmith, i think we also have novaclient release this week right?18:17
dansmithI dunno, but seems likely18:17
whoami-rajatSo i also have a novaclient patch modifying the rebuild command https://review.opendev.org/c/openstack/python-novaclient/+/82716318:18
whoami-rajatit's currently failing on docs since it can't find MV 2.91 in docs (will be available after API patch merges)18:18
opendevreviewJonathan Race proposed openstack/nova master: driver/secheduler/docs for Adds Pick guest CPU architecture based on host arch in libvirt driver support  https://review.opendev.org/c/openstack/nova/+/82205318:19
opendevreviewJonathan Race proposed openstack/nova master: zuul-job for Adds Pick guest CPU architecture based on host arch in libvirt driver support  https://review.opendev.org/c/openstack/nova/+/82837218:19
dansmithwhoami-rajat: okay I would have thought depends-on would take care of that, but yeah if it's just the doc failure that's easy to overlook18:19
whoami-rajatI had the same thought and I'm not sure how this has worked in the past since every client change (having MV bump) requires API change to merge first18:20
dansmithyeah18:22
opendevreviewJonathan Race proposed openstack/nova master: zuul-job for Adds Pick guest CPU architecture based on host arch in libvirt driver support  https://review.opendev.org/c/openstack/nova/+/82837218:22
chateaulavhave a good day everyone, I have the emulation ci running now to see if it corrects the IDE error, and will have that finished tomorrow18:25
opendevreviewMerged openstack/nova master: Update live_migration_downtime definition  https://review.opendev.org/c/openstack/nova/+/82838720:12
opendevreviewRajat Dhasmana proposed openstack/nova master: Add support for volume backed server rebuild  https://review.opendev.org/c/openstack/nova/+/82036820:38
opendevreviewsean mooney proposed openstack/nova master: add healthcheck endpoint to proxy commands  https://review.opendev.org/c/openstack/nova/+/83070323:42
sean-k-mooney[m]depends-on does not work for tox but it can work for devstack based test if the project is listed in the jobs required_projects23:45
sean-k-mooney[m]so yes if you are working on a client change the api change need to merge first if you are dont test that alls the api or otherwise depend on the microversion unless you have mocked the nova api23:47
« Tuesday, 2022-02-22 Index Thursday, 2022-02-24 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!