#openstack-meeting log

19:05:03 <devananda> #startmeeting ironic
19:05:04 <openstack> Meeting started Mon Jul 15 19:05:03 2013 UTC.  The chair is devananda. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:05:05 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:05:08 <openstack> The meeting name has been set to 'ironic'
19:05:28 <devananda> so, hi! I've been gone a while
19:05:46 <devananda> thanks to NobodyCam for running things :)
19:06:00 <devananda> agenda:
19:06:01 <devananda> #link https://wiki.openstack.org/wiki/Meetings/Ironic
19:06:23 <devananda> i'm going to go slightly out of order, i think
19:06:38 <devananda> #topic pxe driver
19:06:57 <devananda> GheRivero: how's it going? the code's looking great!
19:07:18 <GheRivero> waiting for reviews both in pxe and glanceclient
19:07:33 <GheRivero> somw ideas/features are be done meanwhile
19:07:58 <anteaya> o/
19:08:17 <devananda> have you been able to do any testing of it? if not, is there a clear set of things you need for the code to get there?
19:09:03 <GheRivero> i have tested glanceclient service. Flavio is looking at it, so hopefully i-ll have some feedback in the following days
19:09:38 <GheRivero> and regarding pxe, i have plans to start looking at devstack-baremetal to test things tomorrow
19:09:51 <devananda> sounds good :)
19:10:11 <GheRivero> don't know if there is some devstack ironic work already done
19:10:22 <devananda> none. but there was baremetal integration a while back
19:10:37 <devananda> Nobodycam has work on a diskimage-builder element for ironic
19:10:42 <devananda> which, i think, is basically done
19:10:57 <devananda> so that might be a shorter path for you to get services stood up
19:11:10 <GheRivero> yeah, sure... then i will start with that
19:11:43 <devananda> OTOH, I find it difficult to do rapid development of code in dib-based images.... so, ofc, just do what works for you :)
19:12:11 <devananda> any questions on the PXE driver before we move on?
19:12:12 <GheRivero> :)
19:12:48 <devananda> #topic keystone auth
19:13:03 <romcheg> We have #link https://review.openstack.org/#/c/37102/ this review
19:13:23 <romcheg> Some tests still fail but I'm working on that.
19:13:53 <devananda> and we were just talking an hour ago about how we might do RBAC
19:14:28 <romcheg> RBAC is a nice idea
19:14:45 <devananda> i think it's good progress, and i'm happy to land admin auth first and refactor it to RBAC after, if that seems easier to you
19:15:04 <jog0> devananda: it may be worth talking to some keystone devs about this
19:15:25 <jog0> I know they have a new V3 API that changes things, and we *may* want to try it out
19:15:31 <jog0> partailly to help them
19:15:38 <romcheg> jog0: we use keystoneclient
19:15:54 <jog0> romcheg: does that have v3 API support already?
19:16:06 <romcheg> As I understand we do not depend on the version of API.
19:16:16 <romcheg> It just provides a middleware for authentication
19:16:50 <devananda> jog0: is there a difference in capabilities between keystone v2 and v3?
19:17:07 <jog0> devananda: AFAIK yes -- don't really know the details though
19:17:31 <devananda> hm, ok. who'd be good to ping?
19:17:39 <romcheg> I know some folks who said really nasty things about v3
19:17:46 <anteaya> new tokens in v2 are pki
19:17:54 <anteaya> sorry pki in v3
19:18:00 <anteaya> used to be uuid
19:18:08 <devananda> i've only very loosely been aware of nova v3, but haven't followed the work
19:18:25 <devananda> aiui, deployments are going to support both v2 and v3 for a while
19:19:31 <jog0> right, just think it may be good to sync up with keystone -- not saying we should do anything different just have a better understanding of it
19:20:06 <devananda> nothing wrong with that :)
19:20:12 <devananda> i'll see what i can learn about it
19:20:30 <anteaya> in terms of whom dolphm, bkundson, henrynash
19:20:43 <anteaya> that is who I think of when I think of keystone
19:20:59 <devananda> #action devananda to chat with dolphm, bkundson, or henrynash about keystone v3 in ironic
19:21:02 <jog0> ayoung as well
19:21:15 <anteaya> yes, ayoung
19:21:28 <devananda> #action devananda to chat with ... or ayoung
19:21:45 <devananda> thanks for the pointers
19:21:57 <devananda> moving on to the API ...
19:22:12 <devananda> #topic All the API
19:22:32 <devananda> seems to be the focus of several of us lately :)
19:23:09 <devananda> lucasagomes and jimjiang have patches up for API additions
19:23:19 <devananda> and I have a patch (and a few deps) up for RPC
19:23:26 <lucasagomes> any news bout the patch vs put ?
19:23:32 <NobodyCam> sorry was late.. will read the log
19:23:43 <devananda> i chatted with martyn last week, i think, about it
19:24:02 <devananda> and IIRC he agreed that PATCH was the right thing for changing some (but not all) properties of an object
19:24:12 <devananda> whereas PUT essentially replaces the object
19:24:24 <devananda> it preserves the uuid, but requires all the other fields to be complete
19:24:39 <ayoung> What is ironic?
19:24:55 <devananda> I think we will want to implement both PUT and PATCH for most resources and sub resources
19:24:58 <anteaya> hey ayoung it is the offshoot of nova baremetal driver
19:25:05 <devananda> ayoung: bare metal provisioning service
19:25:06 <anteaya> it is in incubation now
19:25:24 <ayoung> Oh, I thought we were talking about an Ubuntu distribution
19:25:43 <anteaya> ah okay, good to get that cleared up
19:26:32 <devananda> lucasagomes: eg, if i PUT /v1/nodes/abcd {'properties': { ... } }, it would replace the properties
19:26:33 <anteaya> we have a channel too, #openstack-ironic
19:27:03 <lucasagomes> right so for sub resources we would use PUT
19:27:07 <devananda> lucasagomes: but if I PATCH /v1/nodes/abcd {'properties': {'foo': 'bar'} } it would only add (or replace) that specific item
19:27:20 <lucasagomes> devananda, gotcha
19:27:51 <lucasagomes> so both should be supported for both (resources and sub-resources)
19:28:14 <devananda> i think so? unless someone has a reason otherwise?
19:28:56 <lucasagomes> I don't have any strong opnion about it, I'm deferring to the others
19:29:35 <devananda> ack
19:30:15 <lucasagomes> ok, another thing about the api: internally translated names
19:30:27 <lucasagomes> I think we agreed to only translate the id -> uuid
19:31:02 <lucasagomes> because openstack uses uuid across all the other projects
19:31:02 <devananda> right
19:31:35 <lucasagomes> but other fields like extra->metadata we won't translate anymore and just expose it as extra
19:31:43 <lucasagomes> everybody agree with that?
19:32:48 <romcheg> +1
19:32:53 <devananda> fine with me
19:32:56 <lucasagomes> cooleo
19:33:01 <anteaya> seems to be a reasonable approach thus far
19:33:19 <GheRivero> +1
19:34:00 <devananda> also, particularly on the API front, i feel like my absence has been slowing ya'll down
19:34:50 <devananda> i would like to merge all the current api work today, then hammer out any direction/scope/RPC etc stuff with folks this week
19:35:11 <devananda> I'll be at OSCON next week, which means less time on IRC
19:35:55 <devananda> and i think getting the API at least functional very soon is a priority
19:35:55 <anteaya> let pasta at OSCON probably, eh?
19:35:58 <lucasagomes> that would be good to merge some of the patches
19:36:02 <anteaya> s/let/less
19:36:15 <devananda> anteaya: hah. it's portland. there'll be plenty i can eat ;)
19:36:24 <anteaya> :D
19:36:51 <devananda> anything else on the api, before we move on?
19:37:21 <devananda> #topic object trees
19:37:38 <devananda> martyn and i talked about this last week, and i think we got it conceptually sorted
19:37:45 <devananda> though i dont think he put a patch up yet
19:37:59 <romcheg> I didn't see any
19:38:09 <devananda> the gist of the question is: the API needs to expose related resource UUIDs
19:38:24 <devananda> GET /node/1234 needs to return the UUIDs of its chassis and all its ports
19:38:35 <devananda> but those aren't part of the RPC-style object
19:38:36 <devananda> so
19:38:51 <devananda> we can do a trivial query in the API layer
19:39:23 <devananda> dbapi.get_ports_by_node() and such
19:39:40 <devananda> and then we don't need to worry about nested RPC objects at all :)
19:40:25 <lucasagomes> sounds reasonable
19:40:40 <romcheg> This will cause loading a lot of data a user might not need
19:40:45 <devananda> probably a simple patch could implement taht for all three objects
19:40:52 <lucasagomes> would it also be possible to access some of the resources like : GET /node/1234/ports ?
19:42:05 <devananda> romcheg: ah! sorry, i meant get_port_list() and get_node_list() and such -- dbapi methods that only return a list of UUIDs
19:42:23 <devananda> romcheg: we'll need to add an optional filter to the get_*_list() methods
19:42:32 <devananda> lucasagomes: yes, that is desirable as well
19:42:49 <devananda> lucasagomes: same for things like GET /node/1234/properties
19:43:04 <devananda> lucasagomes: any sub-resource should be queriable directly.
19:43:18 <lucasagomes> right
19:43:22 <devananda> s/any/the important/
19:44:19 <devananda> lucasagomes: is this ^ API stuff soemthing you're comfortable running with?
19:45:26 <lucasagomes> these are things I'm learning while doing :)
19:45:55 <devananda> that's fine :)
19:46:54 <devananda> you seem to have a good handle on it
19:47:51 <devananda> moving on...
19:47:53 <lucasagomes> ty
19:48:01 <devananda> #topic diskimage-builder element
19:48:16 <devananda> NobodyCam seems to be afk
19:48:28 <devananda> so I'll chime in with what I know
19:48:44 <devananda> it exists, it builds, and apparently can be launched by heat!
19:48:59 <devananda> also, running it outside of heat isn't quite as great, but can be done too
19:49:41 <devananda> however, I run into a rabbit queue problem when ever I try to use the ironic-api and ironic-conductor services inside said dib-built image...
19:49:47 <devananda> working with NobodyCam to track that down
19:50:13 <devananda> we have 10 minutes left, so ...
19:50:16 <devananda> #topic open discussion
19:50:18 <lucasagomes> thats the problem of the api talking to the wrong topic?
19:50:32 <devananda> lucasagomes: i think so. or something
19:50:54 <devananda> lucasagomes: i don't see any msgs in rabbit, even though the api service sent one, and set up a receiver queue for the reply
19:50:56 <lucasagomes> I remember you mentioned that, I didn't have a chance to look at it, will give the element a spin tomorrow
19:51:19 <lucasagomes> hmm
19:51:55 <devananda> when i run both services locally (on laptop, outside of VM) they work
19:52:01 <devananda> by which i mean, they talk to eachother
19:52:04 <GheRivero> Regarding file injection... http://lists.openstack.org/pipermail/openstack-dev/2013-July/011769.html
19:52:30 <GheRivero> tldr: avoid it while possible and move to cloud-init and drive-config
19:52:58 <devananda> GheRivero: yes! thanks for pointing that out. huge ++ from me on avoiding file injection
19:53:24 <jbjohnso> though it warrants some discussion on the dance to securely proceed without a drive
19:53:28 <lucasagomes> +1 to avoid that too, we should not touch the user fs
19:54:11 <jbjohnso> which could be done if something is hooking some secure point to point path between the instance and some trusted peer
19:54:37 <jbjohnso> e.g. bridge filtered protocol to switch (falls apart in some potential net configs) or serial channel
19:54:51 <devananda> jbjohnso: initially, let's assume a trusted tenant (so we dont need secured firmware) and let's assume the network is otherwise secured (eg, via SDN and separate provision/tenant nets)
19:55:07 <devananda> those are both constraints placed on the nova-baremetal driver today
19:55:36 <jbjohnso> devananda, well, as long as you concentrate all the security sketchiness into one place...
19:56:07 <jbjohnso> devananda, e.g. if you support https for almost everything and have a dubiously secure 'get client certificate' dance
19:56:39 <jbjohnso> devananda, then you could focus on adjusting the security of the client certificate without perturbing other stuff
19:57:34 <devananda> jbjohnso: i'm saying, today, ironic is not providing security at the hardware or network layer. it's sole (present) job is: put this image on that machine and turn it on.
19:57:59 <devananda> jbjohnso: we need to be /able/ to handle secure boot, yes. but we need to boot something first ;)
19:58:36 <devananda> jbjohnso: and opening up the user's machine image and injecting files into it is unrelated to secure boot
19:58:53 <devananda> if the boot pathway is not secure in the first place, file injection is no more so.
19:59:29 <jbjohnso> well, times up
19:59:31 <devananda> we're just about out of time :)
19:59:35 <devananda> thanks everyone!
19:59:45 <romcheg> thanks
19:59:51 <devananda> #endmeeting