15:03:47 #startmeeting karbor 15:03:48 Meeting started Tue Nov 15 15:03:47 2016 UTC and is due to finish in 60 minutes. The chair is saggi. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:03:49 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:03:51 The meeting name has been set to 'karbor' 15:03:53 Hello everyone 15:03:56 hey 15:04:02 hi 15:04:02 hey 15:04:19 hey 15:05:23 #topic Multi-tenant Isolation in Managing the Checkpoints(leon_wang) 15:05:58 I updated the patch today. 15:06:16 I note that saggi said that we should consider cross-site solutions about checkpoints. 15:06:42 chenying:yes,and i've updated it. 15:06:51 We also need to remember that we do want multiple projects to see the same checkpoints since restoring to a new project is a possibility. 15:07:39 saggi: what do you mean that multiple projects to see the same checkpoints? 15:07:51 tenant==project 15:07:59 yes 15:08:33 have you checked the latest patch? 15:08:48 https://review.openstack.org/#/c/372846/11/doc/source/specs/checkpoint-tenant-isolation.rst 15:08:49 It means that different tenant would restore a new site form the same checkpoints data. 15:09:05 A major issue with your proposal is that the format needs to change if you are doing single or multi-site. 15:10:02 The use might want to start with a single site and then change to a cross-site setup 15:11:10 saggi: I don't think it's a problem because the solution between single and multi are seprate. 15:11:20 That is the problem 15:12:07 leon_wang: the same checkpoint should be used for both single and cross site 15:12:15 What I mean is that no matter user start with a single or multi site, the solution I proposed will be ok. 15:13:21 yuval: You mean the project_id can not be modified? 15:13:37 leon_wang: not sure I understand what you mean 15:14:46 I thought that cross-site means different site with one keystone, just is several sites with different AZ. 15:15:02 yuval: You can consider it when we use iphone, after the cellphone reboot,it would forcely need user to input the password. 15:15:18 But as saggi said, these tenant maybe is from different keystone. 15:15:40 chenying: in Ocata design summit we thought about limiting to a federated keystone 15:16:07 So the cross-site is about Karbor or OpenStack? 15:17:57 How to control the access permission about the checkpoint data? Does it means that every tenant can restore the same checkpoint data to a new site? 15:18:03 yuval: As you showed the demo in the summit, the cross-site means different Keystone or one Keystone? 15:18:30 leon_wang: in the summit, two completely different sites were presented. But no isolation was there 15:18:37 These tenants come form different openstack(keystone)/ 15:18:54 chenying:every tenant can access the checkpoint by project_pwd. 15:18:55 leon_wang: it means that if one site sees the same bank as the other, it can access all checkpoints (which is not desireable) 15:20:56 however, we did say that there is the use case of non federated, separate keystone services 15:21:42 yuval: I think that if user from other Keystone uses Karbor, the checkpoint_pwd will gurantee him to get access to his checkpoints. 15:21:57 leon_wang: site a is down. I don't think another tenant can acess the bank with project_pwd of site A. 15:23:30 chenying:I mean if the site is down,then the identity about project_id will not work, then user can use project_pwd. 15:24:01 leon_wang: Try and find me on IRC tomorrow and we'll talk about the requirements and your spec so that we can finish it quickly. OK? 15:24:01 what is project_pwd? 15:24:02 the project_pwd is created when a user creates a checkpoint. 15:24:29 leon_wang: I'll bring you up to speed with all the requirements and constraints. 15:24:50 chenying:when user A uses the system the first time, the system will generate a uuid corresponding with every project_id and then return it to user. You can consider it as a kind of password(can be modified by users?) with project_id. 15:25:08 saggi: ok, thanks. 15:25:19 #topic Protection Plugin API: https://review.openstack.org/397156 and https://review.openstack.org/348163 (yuval?) 15:25:44 yes, I'm updating the spec as well as implementation of the protection plugin api 15:26:39 it is important for Ocata, please dedicate some time to review it so we can get it in before the end of Ocata 15:26:42 yuval: It seems the link doesn't work. 15:26:57 yuval: I will review these patches tomorrow. 15:27:04 leon_wang: both links work for me 15:27:12 [ https://review.openstack.org/397156 ] and [ https://review.openstack.org/348163 ] 15:27:37 Got it 15:28:28 yuval: Anything more you want to say about it? 15:28:43 that's it for now 15:28:59 #topic The road to stability 15:29:20 I don't see people opening or closing bugs. 15:29:49 yuval:can you simply describe what you will do, please? 15:31:02 leon_wang: in the patches above? The intention is to stabilize the Protection Plugin API, and have it enable both simple and extreme use cases 15:31:06 saggi: Sorry I had to prepare for my exam last two weeks, I will check the bug I reported these days. 15:32:52 ok. 15:33:40 I'm also to blame and I am going to start taking stock and opening bugs for stuff that I find need to be fixed. 15:33:45 The small things do count. 15:34:02 Please make sure to check the bug list 15:34:25 #topic open discussion 15:34:39 Anyone has anything they want to talk about? 15:35:09 Yes, i have a tiny question. 15:35:53 I just want to know if it's difficult to call REST API of Cinder. 15:36:06 In general? 15:36:20 How to implement it? 15:36:45 In Karbor? 15:36:47 I don't think so. We can use client of cinder in karbor. 15:37:03 For example, if I want to create a volume, then how can i call the get() in Cinder? 15:37:42 chenying: If don't use client? 15:37:59 leon_wang: There's the API docs. 15:38:06 chenying: sorry, If don't use Karbor? 15:38:09 leon_wang: But best to use the cinderclient library. 15:38:36 leon_wang: But this sound like it's not related to karbor, so if you have questions about cinder, please ask in #openstack-cinder or #openstack-dev. 15:38:46 We can use the cinderclient library. don't need use it in karbor. 15:38:53 leon_wang: Do you want to call cinder from a protection plugin? 15:38:54 smcginnis: If I want to create a tiny program, is it difficult? 15:39:59 leon_wang: Usually no. 15:40:25 saggi: no 15:41:54 I don't know if the project out of OpenStack can call REST API in Cinder or Karbor? 15:42:40 leon_wang: I don't think it's related to this meeting in any case. I think http://docs.openstack.org/developer/python-cinderclient/ is a place to start 15:43:15 saggi: ok, thanks 15:43:39 Anything else? 15:44:45 saggi: no 15:44:59 saggi Is there any progress about freezer integration? 15:45:40 chenying: Oh, right 15:45:44 I was in their meeting 15:46:13 The support invoking freezer without setting up a job first. What we call (stateless) 15:46:30 It will not put information in the freezer DB etc. This is good since we want to own that informatino. 15:46:39 So on that front things are good. 15:47:14 About not having to install freezer-scheduler on every node. They are thinking about supporting that but it's still early. 15:47:38 This means that for anyone to get guest cooperation they will need to fully deploy freezer. 15:47:46 At least for now 15:48:30 saggi I see. That mean that only the restfull api of freezer can be called in karbor? 15:48:58 That is all we need 15:50:05 saggi: Ok we only consider integrate the solution about app protection? 15:50:15 in freezer 15:51:12 We don't need their storage since we can just put it in the bank and we don't need their full volume feature since we do it anyway. 15:51:16 What else is there? 15:52:54 Ok we can discuss freezer tomorrow in karbor irc channel. 15:53:05 OK 15:53:09 Anything else? 15:54:00 nope 15:54:33 Thanks everybody. 15:54:33 #endmeeting