From zigo at debian.org Sun Oct 2 15:53:51 2022 From: zigo at debian.org (Thomas Goirand) Date: Sun, 2 Oct 2022 17:53:51 +0200 Subject: suggestion goal for zed: getting swift and glance to support uwsgi Message-ID: <1dcfb330-c3c0-c82e-3b09-1fa2c7c15087@debian.org> Hi, As you may know, almost all of OpenStack now supports running on UWSGI. However, 2 projects remain incompatible with it: Glance and Swift. I've heard that it's now fixed with Glance, but I haven't checked the fact for myself. Has anyone already run Glance (with Swift as backend) under uwsgi, instead of eventlet? What's the status? Has all of the remaining issues been tackled? As for Swift, while upstream has even examples on how to run Swift over uwsgi, experience (in heavy load production) demonstrated that there are many issues running under uwsgi. That's a shame, because the uwsgi server makes most services (proxy, object, container and account servers) run twice as fast. Currently, the proxy and object servers aren't following the RFCs, and are incompatible with uwsgi, especially when chunks are involved (SLO/DLO in the pipeline). Also, it doesn't look like the Swift servers are thread safe. Switching to more than one thread just fails under heavy load. As a result, in production, we had to run double the amount of servers to handle the load. That's a huge waste of resources, IMO. It'd be great if upstream took it seriously to propose a uwsgi binary by default, and if the CI was using it. Note that I've already proposed such a patch [1], but it received zero votes, and not really getting attention upstream. Your thoughts anyone? Cheers, Thomas Goirand (zigo) P.S: This is just a suggestion for the work in the next cycle, I don't think I have the bandwidth to work on each individual project, and that my time is better spent on what I do best: Debian packaging of OpenStack and cluster deployment integration. [1] https://review.opendev.org/c/openstack/swift/+/821192 From noonedeadpunk at gmail.com Sun Oct 2 17:33:00 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Sun, 2 Oct 2022 19:33:00 +0200 Subject: suggestion goal for zed: getting swift and glance to support uwsgi In-Reply-To: <1dcfb330-c3c0-c82e-3b09-1fa2c7c15087@debian.org> References: <1dcfb330-c3c0-c82e-3b09-1fa2c7c15087@debian.org> Message-ID: Well, at very least in Xena I still do experience issues with uwsgi. It mostly depends on clients though and if they do support chunking properly. For example python-openstackclient works properly, but if you use python-glanceclient with ceph backend, as example, you will hit issues. And other projects, like heat, do still use glanceclient. Also interoperable import still was not working with uwsgi. I have not tested it on Yoga, but haven't saw patches that was aiming to fix it either. I think you have also missed to mention neutron, that does not really work with uwsgi and ovn as a ml2 driver. Not sure if that was fixed on Zed, but as of Yoga it was known not to work. ??, 2 ???. 2022 ?., 18:00 Thomas Goirand : > I've heard that it's now fixed with Glance, but I haven't checked the > fact for myself. Has anyone already run Glance (with Swift as backend) > under uwsgi, instead of eventlet? What's the status? Has all of the > remaining issues been tackled? > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From clay.gerrard at gmail.com Sun Oct 2 21:41:14 2022 From: clay.gerrard at gmail.com (Clay Gerrard) Date: Sun, 2 Oct 2022 16:41:14 -0500 Subject: [Swift][Ussuri] Erasure Coding Quarantines In-Reply-To: <20220930165217.2901f9cf@niphredil.zaitcev.lan> References: <20220930165217.2901f9cf@niphredil.zaitcev.lan> Message-ID: On Fri, Sep 30, 2022 at 4:56 PM Pete Zaitcev wrote: > > Unfortunately, I'm not familiar with the exact details of this. > There was a window where depending on how linker worked, our > code could get linked with an incorrect zlib crc routine randomly. > > # When upgrading from liberasurecode<=1.5.0, you may want to continue writing # legacy CRCs until all nodes are upgraded and capabale of reading fragments # with zlib CRCs. liberasurecode>=1.6.2 checks for the environment variable # LIBERASURECODE_WRITE_LEGACY_CRC; if set (value doesn't matter), it will use # its legacy CRC. Set this option to true or false to ensure the environment # variable is or is not set. Leave the option blank or absent to not touch # the environment (default). For more information, see # https://bugs.launchpad.net/liberasurecode/+bug/1886088 # write_legacy_ec_crc = https://github.com/NVIDIA/swift/blob/master/etc/proxy-server.conf-sample#L326-L334 set it in your object-server [DEFAULT] confs too -- Clay Gerrard -------------- next part -------------- An HTML attachment was scrubbed... URL: From zigo at debian.org Sun Oct 2 22:02:51 2022 From: zigo at debian.org (Thomas Goirand) Date: Mon, 3 Oct 2022 00:02:51 +0200 Subject: suggestion goal for zed: getting swift and glance to support uwsgi In-Reply-To: References: <1dcfb330-c3c0-c82e-3b09-1fa2c7c15087@debian.org> Message-ID: <41eeb380-1df9-10d0-10de-d2f50e03cc46@debian.org> On 10/2/22 19:33, Dmitriy Rabotyagov wrote: > I think you have also missed to mention neutron, that does not really > work with uwsgi and ovn as a ml2 driver. Not sure if that was fixed on > Zed, but as of Yoga it was known not to work. To be honest, I never tried using OVN, so I didn't know. We've been using Neutron with uwsgi since at least rocky, without a glitch though. Why such a regression then? :( Cheers, Thomas Goirand (zigo) From ltomasbo at redhat.com Mon Oct 3 05:44:41 2022 From: ltomasbo at redhat.com (Luis Tomas Bolivar) Date: Mon, 3 Oct 2022 07:44:41 +0200 Subject: [ovn][neutron] RE: OVN BGP Agent query In-Reply-To: References: Message-ID: On Fri, Sep 30, 2022 at 6:20 PM Ihtisham ul Haq wrote: > Hi Luis and Daniel, > > Please see inline response. > > > From: Daniel Alvarez Sanchez > > Sent: 29 September 2022 11:37 > > Subject: Re: OVN BGP Agent query > > > > Hi Ihtisham and Luis, > > > > On Thu, Sep 29, 2022 at 7:42 AM Luis Tomas Bolivar > wrote: > > > Some comments and questions inline > > > > > > On Tue, Sep 27, 2022 at 1:39 PM Ihtisham ul haq < > ihtisham.uh at hotmail.com> wrote: > > > > Hi Luis, > > > > > > > > Thanks for your work on the OVN BGP Agent. We are planning > > > > to use it in our OVN deployment, but have a question regarding it. > > > > > > Great to hear! Can you share a bit more info about this environment? > like > > > openstack version, target workload, etc. > > We plan to use this with Yoga version. Our workload consist of enterprise > users > with VMs running on Openstack and connected to their enterprise network via > transfer network(to which the customer neutron router is attached to). > And we also have public workload but with the ovn-bgp we only want to > we want to advertise the former. 
> > > > > > > > The way our current setup with ML2/OVS works is that our customer VM > IP routes > > > > are announced via the router IP(of the that customer) to the leaf > switch instead of > > > > the IP of the host where the neutron BGP agent runs. And then even > if the > > > > router fails over, the IP of the router stays the same and thus the > BGP route > > > > doesn't need to be updated. > > > > > > Is this with Neutron Dynamic Routing? When you say Router IP, do you > mean the virtual neutron router and its IP associated with the provider > network? What type of IPs are you announcing with BGP? IPs on provider > network or on tenant networks (or both)? > > Yes, that's with Neutron DR agent, and I meant virtual neutron router with > IP from the provider network. We announce IPs of our tenant network via the > virtual routers external address. > > > > If the router fails over, the route needs to be updated, doesn't it? > Same IP, but exposed in the new location of the router? > > Correct. > > > The route to the tenant network doesn't change, ie. > > 192.168.0.0 via 172.24.4.100 (this route remains the same regardless of > where 172.24.4.100 is). > > If there's L2 in the 172.24.4.0 network, the new location of > 172.24.4.100 will be learnt via GARP announcement. In our case, this won't > happen as we don't have L2 so we expose directly connected routes to > overcome this "limitation". > > Right, in our case we have a stretched L2 transfer network(mentioned above) > to which our gateway nodes and customer routers are connected to, so we can > advertise the IPs from the tenant network via the virtual router external > IP > and thus the location of the router isn't relevant in case of failover as > its > address will be relearned. > > > In the case of Neutron Dynamic Routing, there's no assumption that > everything is L3 so GARPs are needed to learn the new location. > > > > > > We see that the routes are announced by the ovn-bgp-agent via the > host IP(GTW) in our > > > > switch peers. If that's the case then how do you make sure that > during failover > > > > of a router, the BGP routes gets updated with the new host IP(where > the router > > > > failed over to)? > > > > > > The local FRR running at each node is in charge of exposing the IPs. > For the IPs on the provider network, the traffic is directly exposed where > the VMs are, without having to go through the virtual router, so a router > failover won't change the route. > > > In the case of VMs on tenant networks, the traffic is exposed on the > node where the virtual router gateway port is associated (I suppose this is > what you refer to with router IP). In the case of a failover the agent is > in charge of making FRR to withdraw the exposed routes on the old node, and > re-advertise them on the new router IP location > > > > > > > Can we accomplish the same route advertisement as our ML2/OVS setup, > using the ovn-bgp-agent? > > > > I think this is technically possible, and perhaps you want to contribute > that functionality or even help integrating the agent as a driver of > Neutron Dynamic Routing? > > Sounds good, our plan currently is to add this to the ovn-bgp-agent, > so we can announce our tenant routes via virtual routers external address > on > a stretched L2 network, to make it work with our use case. > Great to hear!! 
Just to make it clear, the ovn-bgp-agent current solution is to expose the tenant VM IPs through the host that has the OVN router gateway port, so for example, if the VM IP (10.0.0.5) is connected to the neutron virtual router, which in turns is connected to your provider network (your transfer network) with IP 172.24.4.10, and hosted in a physical server with IP 192.168.100.100, the route will be exposed as: - 10.0.0.5 nexthop 192.168.100.100 - 172.24.4.10 nexthop 192.168.100.100 As we are using FRR config "redistributed connected". As the traffic to the tenant networks needs to be injected into the OVN overlay through the gateway node hosting that ovn virtual router gateway port (cr-lrp), would it be ok if, besides those route we also advertise? - 10.0.0.5 nexthop 172.24.4.10 Cheers, Luis > > > -- > Ihtisham ul Haq > Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r > die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht > der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich > in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie > hier. > > -- LUIS TOM?S BOL?VAR Principal Software Engineer Red Hat Madrid, Spain ltomasbo at redhat.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From ralonsoh at redhat.com Mon Oct 3 11:58:08 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Mon, 3 Oct 2022 13:58:08 +0200 Subject: [neutron] Bug deputy 26 September to 2 October Message-ID: Hello Neutrinos: This is the list of bugs of the past week: Medium: * https://bugs.launchpad.net/neutron/+bug/1991092: Retry port provisioning for "nova:xxx" device_owner ports only. Assigned * https://bugs.launchpad.net/neutron/+bug/1991222: neutron.provisioningblocks WSREP: referenced FK check fail. Assigned Low: * https://bugs.launchpad.net/neutron/+bug/1990999: Install and configure compute node in Neutron. Unassigned * https://bugs.launchpad.net/neutron/+bug/1991398: Update port with given IPv6 address on SLAAC/stateless_dhpc subnets fails always when IP address is given. Assigned Wishlist: * https://bugs.launchpad.net/neutron/+bug/1990842: [RFE] Expose Open vSwitch other_config column in the API. Assigned * https://bugs.launchpad.net/neutron/+bug/1991000: [tripleo] Provide a tag to the container that will be used to kill it. Assigned Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkopec at redhat.com Mon Oct 3 13:05:50 2022 From: mkopec at redhat.com (Martin Kopec) Date: Mon, 3 Oct 2022 15:05:50 +0200 Subject: [neutron] PTG topics and scheduling In-Reply-To: References: Message-ID: perfect, thank you Lajos On Fri, 30 Sept 2022 at 17:39, Lajos Katona wrote: > Hi > We have this topic I think on the Neutron etherpad: > https://etherpad.opendev.org/p/neutron-antelope-ptg#L74 > So this can be a common topic which we can discuss for sure. > > Lajos > > Martin Kopec ezt ?rta (id?pont: 2022. szept. 30., P, > 16:41): > >> Hi Rodolfo, >> >> in QA we have "Clean up deprecated lib/neutron code" [3] topic up for a >> discussion. >> Is that something you plan to discuss? Would you like to? We can either >> move that topic to the neutron's schedule or keep it in ours and you may >> just comment/or attend our session - depending on how much input from the >> neutron team is required there. 
>> >> [3] https://etherpad.opendev.org/p/qa-antelope-ptg >> >> Thank you, >> >> On Fri, 30 Sept 2022 at 12:06, Rodolfo Alonso Hernandez < >> ralonsoh at redhat.com> wrote: >> >>> Hello all: >>> >>> Based on the schedule polls results, I've booked the Neutron meetings >>> from Tuesday to Thursday in Mitaka channel [1], from 13UTC to 16UTC. Of >>> course, if that is not enough, we can always use Friday to continue any >>> pending conversation. >>> >>> The operator hour (actually 2), will be on Friday (pending for >>> reservation), from 13UTC to 15UTC. >>> >>> Please continue adding any topic you want to discuss in the Neutron >>> etherpad [2]. There is a specific section for the Nova-Neutron cross-team >>> meeting. >>> >>> If you have any doubt or question, do not hesitate to let me know (IRC: >>> ralonsoh, mail: ralonsoh at redhat.com). You can also ping any core >>> reviewer in #openstack-neutron channel. >>> >>> See you in a few weeks! >>> >>> [1]https://ptg.opendev.org/ptg.html >>> [2]https://etherpad.opendev.org/p/neutron-antelope-ptg >>> >>> >> >> -- >> Martin Kopec >> Senior Software Quality Engineer >> Red Hat EMEA >> IM: kopecmartin >> >> >> >> -- Martin -------------- next part -------------- An HTML attachment was scrubbed... URL: From pierre at stackhpc.com Mon Oct 3 16:21:12 2022 From: pierre at stackhpc.com (Pierre Riteau) Date: Mon, 3 Oct 2022 18:21:12 +0200 Subject: [cloudkitty] Another core team cleanup Message-ID: Hello, Almost exactly two years since the last core team cleanup [1], it's probably time to have another one. I don't think we have heard from these contributors in the last couple of years: Justin Ferrieu jferrieu at objectif-libre.com Luis Ramirez luis.ramirez at opencloud.es Luka Peschke mail at lukapeschke.com Maxime Cottret maxime.cottret at gmail.com St?phane Albert sheeprine at nullplace.com Jeremy Liu liuj285 at chinaunicom.cn Is everyone okay with removing cloudkitty-core membership for these users? Cheers, Pierre Riteau (priteau) [1] https://lists.openstack.org/pipermail/openstack-discuss/2020-October/017751.html -------------- next part -------------- An HTML attachment was scrubbed... URL: From kennelson11 at gmail.com Mon Oct 3 17:34:06 2022 From: kennelson11 at gmail.com (Kendall Nelson) Date: Mon, 3 Oct 2022 12:34:06 -0500 Subject: PTG Schedule and Reminders Message-ID: Hello Everyone! The October 2022 Project Teams Gathering is right around the corner and the schedule is being setup by your team leads! Slots are going fast, so make sure to get your time booked ASAP! You can find the schedule and available slots on the PTGbot website [1]. The PTGbot site is the during-event website to keep track of what's being discussed and any last-minute schedule changes. It is driven via commands in the #openinfra-events IRC channel (on the OFTC network) where the PTGbot listens. If you have questions about the commands that you can give the bot, check out the documentation here[2]. Also, if you haven?t connected to IRC before, here are some docs on how to get setup![3] Lastly, please don't forget to register[4] (it is free after all!). Please let us know if you have any questions via email to ptg at openinfra.dev. Thanks! 
-Kendall (diablo_rojo) [1] PTGbot Site: https://ptg.opendev.org/ptg.html [2] PTGbot Documentation: https://github.com/openstack/ptgbot#open-infrastructure-ptg-bot [3] Setup IRC: https://docs.openstack.org/contributors/common/irc.html [4] PTG Registration: https://openinfra-ptg.eventbrite.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From rafaelweingartner at gmail.com Mon Oct 3 18:02:18 2022 From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=) Date: Mon, 3 Oct 2022 15:02:18 -0300 Subject: [cloudkitty] Another core team cleanup In-Reply-To: References: Message-ID: I guess it is fine as they are not participating in the project anymore, and this has been a constant for the past two years or so. On Mon, Oct 3, 2022 at 1:26 PM Pierre Riteau wrote: > Hello, > > Almost exactly two years since the last core team cleanup [1], it's > probably time to have another one. I don't think we have heard from these > contributors in the last couple of years: > > Justin Ferrieu jferrieu at objectif-libre.com > Luis Ramirez luis.ramirez at opencloud.es > Luka Peschke mail at lukapeschke.com > Maxime Cottret maxime.cottret at gmail.com > St?phane Albert sheeprine at nullplace.com > Jeremy Liu liuj285 at chinaunicom.cn > > Is everyone okay with removing cloudkitty-core membership for these users? > > Cheers, > Pierre Riteau (priteau) > > [1] > https://lists.openstack.org/pipermail/openstack-discuss/2020-October/017751.html > -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From gmann at ghanshyammann.com Mon Oct 3 19:59:14 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Mon, 03 Oct 2022 12:59:14 -0700 Subject: [all][tc] Technical Committee next weekly meeting on 2022 Oct 6 at 1500 UTC Message-ID: <1839f6e6053.e2f4eedf40797.2956987166661707844@ghanshyammann.com> Hello Everyone, The technical Committee's next weekly meeting is scheduled for 2022 Oct 6, at 1500 UTC. If you would like to add topics for discussion, please add them to the below wiki page by Wednesday, Oct 5 at 2100 UTC. https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting -gmann From jay at gr-oss.io Mon Oct 3 20:06:06 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Mon, 3 Oct 2022 13:06:06 -0700 Subject: [release][ironic] Release desired for Ironic bugfix/N branches Message-ID: Hey all, I was attempting to perform a release of all maintained Ironic branches. The long term support branches cut as part of the integrated OpenStack release have been requested via gerrit, as documented ( https://review.opendev.org/c/openstack/releases/+/860125 ). We have intermediate bugfix releases as well, and I was hoping to get patch releases cut from these as well. As far as I can tell, there is no automation for performing these releases, or an official place to request them. If this is wrong; please correct me and I'm happy to go through the proper process. We know that the majority of consumers pull these from git directly; but checking pypi release notes, we had over 6000 downloads of the 21.0.0 and 20.2.0 releases during the 2/4 months of the Zed cycle they had respectively been released, so I do think there's value in releasing these even if it might be a small amount of manual effort. 
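For reference, a release request against the openstack/releases repository is normally just a small addition to the deliverable YAML; the fragment below is only a hypothetical sketch (the version and hash are placeholders), and whether the current tooling accepts such entries for bugfix/ branches is part of what needs clarifying:

```yaml
# deliverables/zed/ironic.yaml -- hypothetical fragment, values are placeholders
releases:
  - version: 21.0.1
    projects:
      - repo: openstack/ironic
        hash: 0000000000000000000000000000000000000000  # tip of bugfix/21.0
```
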
Below is a list of the Ironic projects, and associated bugfix/ branches I'd like to have a patch (bugfix) release cut for: ironic - bugfix/21.0 - bugfix/20.2 - bugfix/19.0 - bugfix/18.1 ironic-inspector - bugfix/11.0 - bugfix/10.12 - bugfix/10.9 - bugfix/10.7 ironic-python-agent - bugfix/9.0 - bugfix/8.6 - bugfix/8.3 - bugfix/8.1 Thanks, Jay Faulkner -------------- next part -------------- An HTML attachment was scrubbed... URL: From cboylan at sapwetik.org Mon Oct 3 20:50:24 2022 From: cboylan at sapwetik.org (Clark Boylan) Date: Mon, 03 Oct 2022 13:50:24 -0700 Subject: [release][ironic] Release desired for Ironic bugfix/N branches In-Reply-To: References: Message-ID: <7334a347-452b-40d6-9832-2c4c019e7370@app.fastmail.com> On Mon, Oct 3, 2022, at 1:06 PM, Jay Faulkner wrote: > Hey all, > > I was attempting to perform a release of all maintained Ironic > branches. The long term support branches cut as part of the integrated > OpenStack release have been requested via gerrit, as documented ( > https://review.opendev.org/c/openstack/releases/+/860125 ). > > We have intermediate bugfix releases as well, and I was hoping to get > patch releases cut from these as well. As far as I can tell, there is > no automation for performing these releases, or an official place to > request them. If this is wrong; please correct me and I'm happy to go > through the proper process. > > We know that the majority of consumers pull these from git directly; > but checking pypi release notes, we had over 6000 downloads of the > 21.0.0 and 20.2.0 releases during the 2/4 months of the Zed cycle they > had respectively been released, so I do think there's value in > releasing these even if it might be a small amount of manual effort. > > Below is a list of the Ironic projects, and associated bugfix/ branches > I'd like to have a patch (bugfix) release cut for: > > ironic > - bugfix/21.0 > - bugfix/20.2 > - bugfix/19.0 > - bugfix/18.1 > > ironic-inspector > - bugfix/11.0 > - bugfix/10.12 > - bugfix/10.9 > - bugfix/10.7 > > ironic-python-agent > - bugfix/9.0 > - bugfix/8.6 > - bugfix/8.3 > - bugfix/8.1 As mentioned in the openstack-releases IRC channel it seems that the Ironic project doesn't have ACLs to push their own manual tags [0]. It was also mentioned that the release team thought releases off of the bugfix branches would need manual releases. I think the lack of ACLs to do this by the Ironic project means that the release team needs to do it, or we need to modify the ACLs to allow the Ironic team to do the work. If the release team ends up doing the work, it would probably be a good idea to very explicitly list the branch, commit sha1, and version number for each of the needed releases. This way the release team doesn't have to guess if they are getting it correct when they make and push those tags. Separately, it seems like some of the intention here is to ensure that users of bugfix branches don't end up with stale installations. Updating the release tooling to handle releases off of these branches or delegating access to the Ironic team seem like an important piece of making that happen. Otherwise the overhead for doing this will be large enough that it is unlikely to happen often enough. Unfortunately, I don't know what is currently missing in the tooling to make that possible. 
[0] https://opendev.org/openstack/project-config/src/branch/master/gerrit/acls/openstack/ironic.config > > Thanks, > Jay Faulkner From smooney at redhat.com Tue Oct 4 00:48:16 2022 From: smooney at redhat.com (Sean Mooney) Date: Tue, 04 Oct 2022 01:48:16 +0100 Subject: [release][ironic] Release desired for Ironic bugfix/N branches In-Reply-To: <7334a347-452b-40d6-9832-2c4c019e7370@app.fastmail.com> References: <7334a347-452b-40d6-9832-2c4c019e7370@app.fastmail.com> Message-ID: On Mon, 2022-10-03 at 13:50 -0700, Clark Boylan wrote: > On Mon, Oct 3, 2022, at 1:06 PM, Jay Faulkner wrote: > > Hey all, > > > > I was attempting to perform a release of all maintained Ironic > > branches. The long term support branches cut as part of the integrated > > OpenStack release have been requested via gerrit, as documented ( > > https://review.opendev.org/c/openstack/releases/+/860125 ). > > > > We have intermediate bugfix releases as well, and I was hoping to get > > patch releases cut from these as well. As far as I can tell, there is > > no automation for performing these releases, or an official place to > > request them. If this is wrong; please correct me and I'm happy to go > > through the proper process. > > > > We know that the majority of consumers pull these from git directly; > > but checking pypi release notes, we had over 6000 downloads of the > > 21.0.0 and 20.2.0 releases during the 2/4 months of the Zed cycle they > > had respectively been released, so I do think there's value in > > releasing these even if it might be a small amount of manual effort. > > > > Below is a list of the Ironic projects, and associated bugfix/ branches > > I'd like to have a patch (bugfix) release cut for: > > > > ironic > > - bugfix/21.0 > > - bugfix/20.2 > > - bugfix/19.0 > > - bugfix/18.1 > > > > ironic-inspector > > - bugfix/11.0 > > - bugfix/10.12 > > - bugfix/10.9 > > - bugfix/10.7 > > > > ironic-python-agent > > - bugfix/9.0 > > - bugfix/8.6 > > - bugfix/8.3 > > - bugfix/8.1 > > As mentioned in the openstack-releases IRC channel it seems that the Ironic project doesn't have ACLs to push their own manual tags [0]. It was also mentioned that the release team thought releases off of the bugfix branches would need manual releases. I think the lack of ACLs to do this by the Ironic project means that the release team needs to do it, or we need to modify the ACLs to allow the Ironic team to do the work. > > If the release team ends up doing the work, it would probably be a good idea to very explicitly list the branch, commit sha1, and version number for each of the needed releases. This way the release team doesn't have to guess if they are getting it correct when they make and push those tags. > > Separately, it seems like some of the intention here is to ensure that users of bugfix branches don't end up with stale installations. Updating the release tooling to handle releases off of these branches or delegating access to the Ironic team seem like an important piece of making that happen. Otherwise the overhead for doing this will be large enough that it is unlikely to happen often enough. Unfortunately, I don't know what is currently missing in the tooling to make that possible. > > [0] https://opendev.org/openstack/project-config/src/branch/master/gerrit/acls/openstack/ironic.config its litrally been about 7 or 8 years since i did this but i had configred networkign-ovs-dpdk so that we could push sgined tags teh networking-ovs-dpdk-release group has the required acls to be able to create branches and tags. 
[access "refs/heads/*"] create = group networking-ovs-dpdk-release allows creating branches and enable branch creation and [access "refs/tags/*"] createSignedTag = group networking-ovs-dpdk-release enables pushing signed tags which used to get mirrored to github as well. this wont auto push the content to pypi i sued to also build the package locally an push it manually but that would enabel ironich to actully tag and push the content if they are added to the pypi repo as well. ideally however i think it woudl be better long term to just do this via the releases repo. im not entirly sure what prevent you just adding a new bugfix branch and sha there https://github.com/openstack/releases/blob/master/deliverables/zed/ironic.yaml#L9-L28 you can have one patch taht update all the bug fix branches acroos multipel release and then the release team just need to review one path. presumable this wont happen more frequently then say 1 a quater or once a month so that is proably doable vai the normal release process. > > > > > Thanks, > > Jay Faulkner > From ramishra at redhat.com Tue Oct 4 04:06:42 2022 From: ramishra at redhat.com (Rabi Mishra) Date: Tue, 4 Oct 2022 09:36:42 +0530 Subject: [TripleO] TripleO Antelope PTG Topics In-Reply-To: References: Message-ID: Hi All, Thanks for all the session proposals. I've moved the contents to the etherpad linked at the PTGBot site and added a draft schedule[1]. Please let me know if there is any conflict and we need to reschedule any of the sessions. Also, we can still accommodate a couple of sessions, if there are more topics to discuss. [1] https://etherpad.opendev.org/p/oct2022-ptg-tripleo On Thu, Sep 29, 2022 at 2:13 PM Rabi Mishra wrote: > Hi All, > > Gentle reminder. > > As we're only three weeks away, if you've any topics to discuss at the > PTG, please add them to the etherpad by this weekend. > > > -- > Regards, > Rabi Mishra > > > On Tue, Sep 13, 2022 at 5:28 PM Rabi Mishra wrote: > >> Hi All, >> >> Please add your session proposals to this etherpad[1]. We'll reserve >> time allocation based on proposed topics and work out a schedule in the >> coming weeks. >> >> [1] https://etherpad.opendev.org/p/tripleo-antelope-topics >> >> -- >> Regards, >> Rabi Mishra >> >> > > > -- Regards, Rabi Mishra -------------- next part -------------- An HTML attachment was scrubbed... URL: From clay.gerrard at gmail.com Tue Oct 4 13:28:12 2022 From: clay.gerrard at gmail.com (Clay Gerrard) Date: Tue, 4 Oct 2022 08:28:12 -0500 Subject: [Swift][Ussuri] Erasure Coding Quarantines In-Reply-To: References: <20220930165217.2901f9cf@niphredil.zaitcev.lan> Message-ID: On Mon, Oct 3, 2022 at 3:37 PM Reid Guyett wrote: > > Thanks for the follow-up. [...] From there the files were downloadable > again. > Nice work! > We are going to try to create a new liberasurecode package 1.6.2 for 20.04 > so we can set the environment variable to write legacy CRC headers until > all the nodes in the cluster can be upgraded. > I'm not sure if you need a new package, I think you have to set the env at runtime - but there's also a swift config option that will force the env to get set that you can turn off after full upgrade. > This is why we have testing environments. > This is why *competent* deployers and operators have testing environments - and it's the only thing that makes the terrible terrible reality of building and releasing software actually a net good. Couldn't do it without you; go FOSS! -- Clay Gerrard -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rdhasman at redhat.com Tue Oct 4 13:56:38 2022 From: rdhasman at redhat.com (Rajat Dhasmana) Date: Tue, 4 Oct 2022 19:26:38 +0530 Subject: [cinder] cancelling this week's meeting Message-ID: Hello Argonauts, I won't be around to take the cinder meeting tomorrow (i.e. 05th October, 2022) and we are close to the PTG so there aren't many things to discuss. The agenda as of now is empty[1] so it shouldn't be a problem to skip this week's meeting. Also I would like to take this opportunity to remind everyone to add topics to the PTG etherpad[2] and that would be a better utilization of the cinder upstream meeting time. [1] https://etherpad.opendev.org/p/cinder-zed-meetings#L102 [2] https://etherpad.opendev.org/p/antelope-ptg-cinder-planning Thanks and regards Rajat Dhasmana -------------- next part -------------- An HTML attachment was scrubbed... URL: From rguyett at datto.com Mon Oct 3 20:37:50 2022 From: rguyett at datto.com (Reid Guyett) Date: Mon, 3 Oct 2022 20:37:50 +0000 Subject: [Swift][Ussuri] Erasure Coding Quarantines In-Reply-To: References: <20220930165217.2901f9cf@niphredil.zaitcev.lan> Message-ID: Hi, Thanks for the follow-up. I was able to find this cause in the IRC channel. I ultimately upgraded the other nodes to 20.04 in our test clusters and moved the quarantined objects back to where they belonged. From there the files were downloadable again. We are going to try to create a new liberasurecode package 1.6.2 for 20.04 so we can set the environment variable to write legacy CRC headers until all the nodes in the cluster can be upgraded. It is hard to find the information about the bug pre-upgrade. I didn't see it in the release notes for 2.25.2 (well they don't exist) and I don't see anything about it in the main Ubuntu Release notes. This is why we have testing environments. Reid ________________________________ From: Clay Gerrard Sent: Sunday, October 2, 2022 17:41 To: Pete Zaitcev Cc: Reid Guyett ; openstack-discuss at lists.openstack.org ; Matthew Grinnell Subject: Re: [Swift][Ussuri] Erasure Coding Quarantines On Fri, Sep 30, 2022 at 4:56 PM Pete Zaitcev < zaitcev at redhat.com> wrote: Unfortunately, I'm not familiar with the exact details of this. There was a window where depending on how linker worked, our code could get linked with an incorrect zlib crc routine randomly. # When upgrading from liberasurecode<=1.5.0, you may want to continue writing # legacy CRCs until all nodes are upgraded and capabale of reading fragments # with zlib CRCs. liberasurecode>=1.6.2 checks for the environment variable # LIBERASURECODE_WRITE_LEGACY_CRC; if set (value doesn't matter), it will use # its legacy CRC. Set this option to true or false to ensure the environment # variable is or is not set. Leave the option blank or absent to not touch # the environment (default). For more information, see # https://bugs.launchpad.net/liberasurecode/+bug/1886088 # write_legacy_ec_crc = https://github.com/NVIDIA/swift/blob/master/etc/proxy-server.conf-sample#L326-L334 set it in your object-server [DEFAULT] confs too -- Clay Gerrard
-------------- next part -------------- An HTML attachment was scrubbed... URL: From jean-francois.taltavull at elca.ch Tue Oct 4 12:32:52 2022 From: jean-francois.taltavull at elca.ch (=?utf-8?B?VGFsdGF2dWxsIEplYW4tRnJhbsOnb2lz?=) Date: Tue, 4 Oct 2022 12:32:52 +0000 Subject: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number In-Reply-To: References: <2aa77e24a33d48a69032f30b86e9cad8@elca.ch> <1b17c23f8982480db73cf50d04d51af7@elca.ch> <86f048d7931c4cc482f6785437c9b5ea@elca.ch> <671023b5ab3846dfb3a39ef313018eac@elca.ch> <33f69d386462450b9964b2ed78284d57@elca.ch> <1d1c1c3cc6184b529819bb8f3598813f@elca.ch> <3516ab2892694a17a76b56ccacc463f1@elca.ch> Message-ID: <104fac9ebe84471eb338e80d995b97fd@elca.ch> Hello Rapha?l, I restored the RGW keystone authentication and did some more tests. The problem is that the S3 request signature provided by ceilometer and the one computed by keystone mismatch. OpenStack release is Wallaby. keystone/api/s3tokens.py: ```` class S3Resource(EC2_S3_Resource.ResourceBase): @staticmethod def _check_signature(creds_ref, credentials): string_to_sign = base64.urlsafe_b64decode(str(credentials['token'])) if string_to_sign[0:4] != b'AWS4': signature = _calculate_signature_v1(string_to_sign, creds_ref['secret']) else: signature = _calculate_signature_v4(string_to_sign, creds_ref['secret']) if not utils.auth_str_equal(credentials['signature'], signature): raise exception.Unauthorized( <<<------------------------------------------we fall there message=_('Credential signature mismatch')) ```` From: Taltavull Jean-Fran?ois Sent: vendredi, 30 septembre 2022 14:48 To: 'Rafael Weing?rtner' Cc: openstack-discuss Subject: RE: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number ``` $ sudo /usr/bin/radosgw --version ceph version 15.2.16 (d46a73d6d0a67a79558054a3a5a72cb561724974) octopus (stable) ``` From: Rafael Weing?rtner > Sent: vendredi, 30 septembre 2022 12:37 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies.
This is the signature used by the `awsauth` library: ``` def get_signature(self, r): canonical_string = self.get_canonical_string( r.url, r.headers, r.method) if py3k: key = self.secret_key.encode('utf-8') msg = canonical_string.encode('utf-8') else: key = self.secret_key msg = canonical_string h = hmac.new(key, msg, digestmod=sha) return encodestring(h.digest()).strip() ``` After that is generated, it is added in the headers: # Create date header if it is not created yet. if 'date' not in r.headers and 'x-amz-date' not in r.headers: r.headers['date'] = formatdate( timeval=None, localtime=False, usegmt=True) signature = self.get_signature(r) if py3k: signature = signature.decode('utf-8') r.headers['Authorization'] = 'AWS %s:%s' % (self.access_key, signature) On Thu, Sep 29, 2022 at 9:15 AM Taltavull Jean-Fran?ois > wrote: ``` $ python test_creds.py Executing test on: [FQDN/object-store/]. Rados GW admin context [/admin] and path [/usage?stats=True] used. Rados GW request URL [http://FQDN/object-store/admin/bucket?stats=True]. Rados GW host: FQDN Traceback (most recent call last): File "test_creds.py", line 45, in raise RGWAdminAPIFailed( __main__.RGWAdminAPIFailed: RGW AdminOps API returned 403 Forbidden ``` So the same as with ceilometer. Auth is done by RGW, not by keystone, and the ceph ?admin? user exists and owns the right privileges: ``` $ sudo radosgw-admin user info --uid admin [22/296]{ "user_id": "admin", "display_name": "admin user", "email": "", "suspended": 0, "max_buckets": 1000, "subusers": [], "keys": [ { "user": "admin", "access_key": ?admin_access_key", "secret_key": "admin_secret_key" } ], "swift_keys": [], "caps": [ { "type": "buckets", "perm": "*" }, { "type": "metadata", "perm": "*" }, { "type": "usage", "perm": "*" }, { "type": "users", "perm": "*" } ], ``` From: Rafael Weing?rtner > Sent: jeudi, 29 septembre 2022 12:32 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. Can you test you credentials with the following code? ``` import json import requests import os import six.moves.urllib.parse as urlparse class RGWAdminAPIFailed(Exception): pass if __name__ == '__main__': rados_gw_base_url = "put your RGW URL here. E.g. http://server.com:port/something" print("Executing test on: [%s]." % rados_gw_base_url) rados_gw_admin_context = "/admin" rados_gw_path = "/usage?stats=True" print("Rados GW admin context [%s] and path [%s] used." % (rados_gw_admin_context, rados_gw_path)) rados_gw_request_url = urlparse.urljoin(rados_gw_base_url, '/admin') + '/bucket?stats=True' print("Rados GW request URL [%s]." 
% rados_gw_request_url) rados_gw_access_key_to_use = "put your access key here" rados_gw_secret_key_to_use = "put your secret key here" rados_gw_host_name = urlparse.urlparse(rados_gw_request_url).netloc print("Rados GW host: %s" % rados_gw_host_name) module_name = "awsauth" class_name = "S3Auth" arguments = [rados_gw_access_key_to_use, rados_gw_secret_key_to_use, rados_gw_host_name] module = __import__(module_name) class_ = getattr(module, class_name) instance = class_(*arguments) r = requests.get( rados_gw_request_url, auth=instance, timeout=30) #auth=awsauth.S3Auth(*arguments)) if r.status_code != 200: raise RGWAdminAPIFailed( ('RGW AdminOps API returned %(status)s %(reason)s') % {'status': r.status_code, 'reason': r.reason}) response_body = r.text parsed_json = json.loads(response_body) print("Response cookies: [%s]." % r.cookies) radosGw_output_file = "/home//Downloads/radosGw-usage.json" if os.path.exists(radosGw_output_file): os.remove(radosGw_output_file) with open(radosGw_output_file, "w") as file1: file1.writelines(json.dumps(parsed_json, indent=4, sort_keys=True)) file1.flush() exit(0) ``` On Thu, Sep 29, 2022 at 4:09 AM Taltavull Jean-Fran?ois > wrote: python Python 3.8.10 (default, Sep 28 2021, 16:10:42) [GCC 9.3.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import awsauth >>> awsauth >>> From: Rafael Weing?rtner > Sent: mercredi, 28 septembre 2022 18:40 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. Can you also execute the following: ``` python import awsauth awsauth ``` That will output a path, and then you can `cat `, example: `cat /var/lib/kolla/venv/lib/python3.8/site-packages/awsauth.py` On Wed, Sep 28, 2022 at 1:21 PM Taltavull Jean-Fran?ois > wrote: I removed trailing ?/object-store/? from the last value of authentication_parameters I also: - disabled s3 keystone auth in RGW - created a RGW ?admin? user with the right privileges to allow admin API calls - put RGW in debug mode And here is what I get in RGW logs: get_usage string_to_sign=GET Wed, 28 Sep 2022 16:15:45 GMT /admin/usage get_usage server signature=BlaBlaBlaBla get_usage client signature=BloBloBlo get_usage compare=-75 get_usage rgw::auth::s3::LocalEngine denied with reason=-2027 get_usage rgw::auth::s3::AWSAuthStrategy denied with reason=-2027 get_usage rgw::auth::StrategyRegistry::s3_main_strategy_t: trying rgw::auth::s3::AWSAuthStrategy get_usage rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::LocalEngine From: Rafael Weing?rtner > Sent: mercredi, 28 septembre 2022 13:15 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. I think that the last parameter "/object-store/", should be only "". Can you test it? You are using EC2 credentials to authenticate in RGW. Did you enable the Keystone integration in RGW? Also, as far as I know, this admin endpoint needs a RGW admin. I am not sure if the Keystone and RGW integration would enable/make it possible for someone to authenticate as an admin in RGW. Can you check it? To see if you can call that endpoint with these credentials. 
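One quick way to confirm that on the RGW side is to check the caps on the user that owns those credentials; a rough sketch with radosgw-admin (the uid is only an example):

```
radosgw-admin user info --uid ceilometer
radosgw-admin caps add --uid ceilometer \
  --caps "usage=read,write;buckets=read;metadata=read;users=read"
```
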
On Wed, Sep 28, 2022 at 6:01 AM Taltavull Jean-Fran?ois > wrote: Pollster YML configuration : --- - name: "dynamic.radosgw.usage" sample_type: "gauge" unit: "B" value_attribute: "total.size" url_path: http:///object-store/admin/usage module: "awsauth" authentication_object: "S3Auth" authentication_parameters: ,,/object-store/ user_id_attribute: "user" project_id_attribute: "user" resource_id_attribute: "user" response_entries_key: "summary" ACCESS_KEY and SECRET_KEY have been created with ?openstack ec2 credentials create?. Ceilometer central is deployed with OSA and it uses awsauth.py module. From: Rafael Weing?rtner > Sent: mercredi, 28 septembre 2022 02:01 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. Can you show your YML configuration? Also, did you install the AWS authentication module in the container/host where Ceilometer central is running? On Mon, Sep 26, 2022 at 12:58 PM Taltavull Jean-Fran?ois > wrote: Hello Rafael, Thanks for the information about ceilometer patches but for now I?m testing with the credentials in the dynamic pollster config file. I will use barbican when I push all this to production. The keystone authentication performed by the rados gw with the credentials provided by ceilometer still does not work. I wonder if this could be a S3 signature version issue on ceilometer side, that is on S3 client side. This kind of issue exists with the s3 client ?s3cmd? and you have to add ??signature-v2? so that ?s3cmd? works well. What do you think ? Do you know which version of S3 signature ceilometer uses while authenticating ? From: Rafael Weing?rtner > Sent: mercredi, 7 septembre 2022 19:23 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. Jean, there are two problems with the Ceilometer. I just opened the patches to resolve it: - https://review.opendev.org/c/openstack/ceilometer/+/856305 - https://review.opendev.org/c/openstack/ceilometer/+/856304 Without these patches, you might have problems to use Ceilometer with Non-OpenStack dynamic pollsters and barbican credentials. On Wed, Aug 31, 2022 at 3:55 PM Rafael Weing?rtner > wrote: It is the RGW user that you have. This user must have the role that is needed to access the usage feature in RGW. If I am not mistaken, it required an admin user. On Wed, Aug 31, 2022 at 1:54 PM Taltavull Jean-Fran?ois > wrote: Thanks to your help, I am close to the goal. Dynamic pollster is loaded and triggered. But I get a ?Status[403] and reason [Forbidden]? in ceilometer logs while requesting admin/usage. I?m not sure to understand well the auth mechanism. Are we talking about keystone credentials, ec2 credentials, Rados GW user ?... For now, in testing phase, I use ?authentication_parameters?, not barbican. -JF From: Rafael Weing?rtner > Sent: mardi, 30 ao?t 2022 14:17 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. Yes, you will need to enable the metric/pollster to be processed. That is done via "polling.yml" file. 
Also, do not forget that you will need to configure Ceilometer to push this new metric. If you use Gnocchi as the backend, you will need to change/update the gnocchi resource YML file. That file maps resources and metrics in the Gnocchi backend. The configuration resides in Ceilometer. You can create/define new resource types and map them to specific metrics. It depends on how you structure your solution. P.S. You do not need to use "authentication_parameters". You can use the barbican integration to avoid setting your credentials in a file. On Tue, Aug 30, 2022 at 9:11 AM Taltavull Jean-Fran?ois > wrote: Hello, I tried to define a Rados GW dynamic pollster and I can see, in Ceilometer logs, that it?s actually loaded. But it looks like it was not triggered, I see no trace of ceilometer connection in Rados GW logs. My definition: - name: "dynamic.radosgw.usage" sample_type: "gauge" unit: "B" value_attribute: "total.size" url_path: http:///object-store/swift/v1/admin/usage module: "awsauth" authentication_object: "S3Auth" authentication_parameters: xxxxxxxxxxxxx,yyyyyyyyyyyyy, user_id_attribute: "admin" project_id_attribute: "admin" resource_id_attribute: "admin" response_entries_key: "summary" Do I have to set an option in ceilometer.conf, or elsewhere, to get my Rados GW dynamic pollster triggered ? -JF From: Taltavull Jean-Fran?ois Sent: lundi, 29 ao?t 2022 18:41 To: 'Rafael Weing?rtner' > Cc: openstack-discuss > Subject: RE: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number Thanks a lot for your quick answer, Rafael ! I will explore this approach. Jean-Francois From: Rafael Weing?rtner > Sent: lundi, 29 ao?t 2022 17:54 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. You could use a different approach. You can use Dynamic pollster [1], and create your own mechanism to collect data, without needing to change Ceilometer code. Basically all hard-coded pollsters can be converted to a dynamic pollster that is defined in YML. [1] https://docs.openstack.org/ceilometer/latest/admin/telemetry-dynamic-pollster.html#the-dynamic-pollsters-system-configuration-for-non-openstack-apis On Mon, Aug 29, 2022 at 12:51 PM Taltavull Jean-Fran?ois > wrote: Hi All, In our OpenStack deployment, API endpoints are defined by using URLs instead of port numbers and HAProxy forwards requests to the right bakend after having ACLed the URL. In the case of our object-store service, based on RadosGW, the internal API endpoint is "https:///object-store/swift/v1/AUTH_" When Ceilometer RadosGW pollster tries to connect to the RadosGW admin API with the object-store internal endpoint, the URL becomes https:///admin, as shown by HAProxy logs. This URL does not match any API endpoint from HAProxy point of view. The line of code that rewrites the URL is this one: https://opendev.org/openstack/ceilometer/src/branch/stable/wallaby/ceilometer/objectstore/rgw.py#L81 What would you think of adding a mechanism based on new Ceilometer configuration option(s) to control the URL rewriting ? 
Our deployment characteristics: - OpenStack release: Wallaby - Ceph and RadosGW version: 15.2.16 - deployment tool: OSA 23.2.1 and ceph-ansible Best regards, Jean-Francois -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From fungi at yuggoth.org Tue Oct 4 14:45:35 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Tue, 4 Oct 2022 14:45:35 +0000 Subject: [release][ironic] Release desired for Ironic bugfix/N branches In-Reply-To: References: Message-ID: <20221004144534.6xsc3ysyybuznpsd@yuggoth.org> On 2022-10-03 13:06:06 -0700 (-0700), Jay Faulkner wrote: [...] > We have intermediate bugfix releases as well, and I was hoping to get patch > releases cut from these as well. As far as I can tell, there is no > automation for performing these releases, or an official place to request > them. If this is wrong; please correct me and I'm happy to go through the > proper process. > > We know that the majority of consumers pull these from git directly; but > checking pypi release notes, we had over 6000 downloads of the 21.0.0 and > 20.2.0 releases during the 2/4 months of the Zed cycle they had > respectively been released, so I do think there's value in releasing these > even if it might be a small amount of manual effort. [...] It sounds like no releases have ever been made from any of the "bugfix" branches going back over two years since their creation. Is this a change in how the Ironic team views those branches, or was the intention always to tag releases on them but nobody had gotten around to it? -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From fungi at yuggoth.org Tue Oct 4 14:53:32 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Tue, 4 Oct 2022 14:53:32 +0000 Subject: [TripleO] TripleO Antelope PTG Topics In-Reply-To: References: Message-ID: <20221004145332.jsu5vqckqxlsruyq@yuggoth.org> On 2022-10-04 09:36:42 +0530 (+0530), Rabi Mishra wrote: [...] > I've moved the contents to the etherpad linked at the PTGBot site [...] For future reference, you can also simply inform PTGBot that you have a different Etherpad URL, and it will update the site to list that one for you instead. -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From peter.matulis at canonical.com Tue Oct 4 15:13:35 2022 From: peter.matulis at canonical.com (Peter Matulis) Date: Tue, 4 Oct 2022 11:13:35 -0400 Subject: [charms] Team Delegation proposal In-Reply-To: References: Message-ID: What is the status of this proposal? 
On Wed, Aug 31, 2022 at 3:53 PM Peter Matulis wrote: > > > On Mon, Aug 8, 2022 at 4:25 PM Alex Kavanagh > wrote: > >> Hi Chris >> >> On Thu, 28 Jul 2022 at 21:46, Chris MacNaughton < >> chris.macnaughton at canonical.com> wrote: >> >>> Hello All, >>> >>> >>> I would like to propose some new ACLs in Gerrit for the openstack-charms >>> project: >>> >>> - openstack-core-charms >>> - ceph-charms >>> - network-charms >>> - stable-maintenance >>> >>> >> >> I think the names need to be tweaked slightly: >> >> - charms-openstack >> - charms-ceph >> - charms-ovn >> - charms-maintenance >> > > We would also need an ACL for the documentation: > > - charms-docs > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jdratlif at globalnoc.iu.edu Tue Oct 4 15:45:45 2022 From: jdratlif at globalnoc.iu.edu (John Ratliff) Date: Tue, 04 Oct 2022 11:45:45 -0400 Subject: OpenStack Ansible Service troubleshooting Message-ID: <3041961ec183a2a9f3d037ff0ec9019aa5a5d0c6.camel@globalnoc.iu.edu> We've started deploying new Xena clusters with openstack-ansible. We keep running into problems with some parts of openstack not working. A service will fail or need restarted, but it's not clear which one or why. Recently, one of our test clusters (2 hosts) stopped working. I could login to horizon, but I could not create instances. At first it told me that a message wasn't answered quick enough. I assumed the problem was rabbitmq and restarted the container, but this didn't help. I eventually restarted every container and the nova- compute and haproxy services on the host. But this didn't help either. I eventually rebooted both hosts, but this made things worse (I think I broke the galera cluster doing this). After bootstrapping the galera cluster, I can log back into horizon, but I still cannot create hosts. It tells me "Exceeded maximum number of retries. Exhausted all hosts available for retrying build failures for instance [UUID]" If I look at the journal for nova-compute, I see this error: "libvirt.libvirtError: Failed to activate service 'org.freedesktop.machine1': timed out " Looking at systemd-machined, it won't start due to "systemd- machined.service: Job systemd-machined.service/start failed with result 'dependency'." I'm not sure what "dependency" it's referring to. In the cluster that does work, this service is running. But on both hosts on the cluster that do not, this service is not running. What should I be looking at here to fix? -- John Ratliff Systems Automation Engineer GlobalNOC @ Indiana University -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: not available URL: From noonedeadpunk at gmail.com Tue Oct 4 16:21:13 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Tue, 4 Oct 2022 18:21:13 +0200 Subject: OpenStack Ansible Service troubleshooting In-Reply-To: <3041961ec183a2a9f3d037ff0ec9019aa5a5d0c6.camel@globalnoc.iu.edu> References: <3041961ec183a2a9f3d037ff0ec9019aa5a5d0c6.camel@globalnoc.iu.edu> Message-ID: Hi John. Well, it seems you've made a bunch of operations that were not required in the first place. However, I believe that at the end you've identified the problem correctly. systemd-machined service should be active and running on nova-compute hosts with kvm driver. I'd suggest looking deeper at why this service systemd-machined can't be started. What does journalctl says about that? 
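For example, something along these lines usually shows which dependency is failing (unit names assume a standard systemd host):

```
systemctl status systemd-machined
systemctl list-dependencies systemd-machined
journalctl -b -u systemd-machined
systemctl status systemd-tmpfiles-setup.service var-lib-machines.mount
```
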
As one of dependency systemd-machined requires to have /var/lib/machines. And I do have 2 assumptions there: 1. Was systemd-tmpfiles-setup.service activated? As we have seen sometimes that upon node boot due to some race condition it was not, which resulted in all kind of weirdness 2. Don't you happen to run nova-compute on the same set of hosts where LXC containers are placed? As for example, in AIO setup we do manage /var/lib/machines/ mount with systemd var-lib-machines.mount. So if you happen to run nova-computes on controller host or AIO - this is another thing to check. ??, 4 ???. 2022 ?. ? 17:48, John Ratliff : > > We've started deploying new Xena clusters with openstack-ansible. We > keep running into problems with some parts of openstack not working. A > service will fail or need restarted, but it's not clear which one or > why. > > Recently, one of our test clusters (2 hosts) stopped working. I could > login to horizon, but I could not create instances. > > At first it told me that a message wasn't answered quick enough. I > assumed the problem was rabbitmq and restarted the container, but this > didn't help. I eventually restarted every container and the nova- > compute and haproxy services on the host. But this didn't help either. > I eventually rebooted both hosts, but this made things worse (I think I > broke the galera cluster doing this). > > After bootstrapping the galera cluster, I can log back into horizon, > but I still cannot create hosts. It tells me > > "Exceeded maximum number of retries. Exhausted all hosts available for > retrying build failures for instance [UUID]" > > If I look at the journal for nova-compute, I see this error: > > "libvirt.libvirtError: Failed to activate service > 'org.freedesktop.machine1': timed out " > > Looking at systemd-machined, it won't start due to "systemd- > machined.service: Job systemd-machined.service/start failed with result > 'dependency'." > > I'm not sure what "dependency" it's referring to. In the cluster that > does work, this service is running. But on both hosts on the cluster > that do not, this service is not running. > > What should I be looking at here to fix? > > -- > John Ratliff > Systems Automation Engineer > GlobalNOC @ Indiana University From ianyrchoi at gmail.com Tue Oct 4 16:46:03 2022 From: ianyrchoi at gmail.com (Ian Y. Choi) Date: Wed, 5 Oct 2022 01:46:03 +0900 Subject: [I18n] Zanata status + call for volunteers on Weblate migration Message-ID: Hi all, First, thank you all for contributing to OpenStack with globalization by contributing translations, coordinating translations with artifacts, and making sure that those translations are shipped with releases to all over the world (we are calling it I18n - Internationalization). While OpenStack I18n could be healthier with the tremendous help from translators as well as many OpenStack upstream contributors & teams such as infrastructure, release management, and documentation, the current translation platform we are using on https://translate.openstack.org relies on Zanata, an open-source translation platform which upstream activities were stopped [1]. 
Currently, there are several issues reported - most have been resolved, but they keep recurring and worsening as time goes on: - OpenID authentication issues for new registration users on translate.openstack.org [2] - Translation job failure issues since the Zanata client did not work with a newer Java / job compatibility issues with Python versions [3] - Missing translation jobs for Xena/Yoga stable versions on Zanata [4]
Considering the situation, and to address its root cause, I am calling for volunteers for the Weblate migration. The detailed activities would continue from what the previous I18n PTL already investigated, identified, and documented in [5] [6]. There will be diverse work items from a developer perspective as well as for translators and operators. I hope that many volunteers will step up to move this forward.
Meanwhile, I updated the "Translations & Priority" part on the https://translate.openstack.org homepage. Note that stable versions are minimized to Horizon and dashboard projects, and ping me if there is a lot of translation work, especially during R-3 to R-1.
Looking forward to an enhanced open source translation platform landing soon with OpenInfra.
With many thanks, /Ian
[1] https://lists.fedoraproject.org/archives/list/trans at lists.fedoraproject.org/thread/F2JZTYSK3L5JAZY6VSVGDGNNQ4ATG4HP/ [2] https://lists.openstack.org/pipermail/openstack-i18n/2022-February/003550.html [3] https://review.opendev.org/c/openstack/project-config/+/850962 [4] https://lists.openstack.org/pipermail/openstack-discuss/2021-December/026441.html [5] https://blueprints.launchpad.net/openstack-i18n/+spec/renew-translation-platform [6] https://etherpad.opendev.org/p/I18n-weblate-migration
From jay at gr-oss.io Tue Oct 4 16:57:16 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Tue, 4 Oct 2022 09:57:16 -0700 Subject: [release][ironic] Release desired for Ironic bugfix/N branches In-Reply-To: <20221004144534.6xsc3ysyybuznpsd@yuggoth.org> References: <20221004144534.6xsc3ysyybuznpsd@yuggoth.org> Message-ID:
It sounds like no releases have ever been made from any of the > "bugfix" branches going back over two years since their creation. Is > this a change in how the Ironic team views those branches, or was > the intention always to tag releases on them but nobody had gotten > around to it? > The primary consumer historically of bugfix branches has been downstream packagers of Ironic -- e.g. openshift. I'm pursuing creating releases of these because after doing some research, we have customers consuming these releases from pypi (6000 downloads of our Zed-cycle releases in 4 months). I do not want those deployers, consuming upstream artifacts, to miss out on backported bugfixes and patches that would be provided in a vendor release artifact.
There is no urgency behind getting the bugfix releases made, but the current situation where the Ironic community maintains additional branches for longer term support but does not provide stable releases for customers pulling upstream release artifacts is not one I wish to perpetuate.
-- Jay Faulkner -------------- next part -------------- An HTML attachment was scrubbed... URL: From fungi at yuggoth.org Tue Oct 4 17:01:36 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Tue, 4 Oct 2022 17:01:36 +0000 Subject: [release][ironic] Release desired for Ironic bugfix/N branches In-Reply-To: References: <20221004144534.6xsc3ysyybuznpsd@yuggoth.org> Message-ID: <20221004170135.ocpvfbuvz3vpzlja@yuggoth.org> On 2022-10-04 09:57:16 -0700 (-0700), Jay Faulkner wrote: [...] 
> There is no urgency behind getting the bugfix releases made, but > the current situation where the Ironic community maintains > additional branches for longer term support but does not provide > stable releases for customers puiling upstream release artifacts > is not one I wish to perpetuate. That makes sense, but it's worth noting what you have now is not entirely dissimilar to how "extended maintenance" works for our official stable branches as well (continuing to merge some backported fixes, but not tagging any further point releases). -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From jay at gr-oss.io Tue Oct 4 17:22:35 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Tue, 4 Oct 2022 10:22:35 -0700 Subject: [release][ironic] Release desired for Ironic bugfix/N branches In-Reply-To: <20221004170135.ocpvfbuvz3vpzlja@yuggoth.org> References: <20221004144534.6xsc3ysyybuznpsd@yuggoth.org> <20221004170135.ocpvfbuvz3vpzlja@yuggoth.org> Message-ID: > That makes sense, but it's worth noting what you have now is not > entirely dissimilar to how "extended maintenance" works for our > official stable branches as well (continuing to merge some > backported fixes, but not tagging any further point releases). > > Yeah, I understand. This is all working towards a revision of Ironic release policy to ensure it's documented when/how these releases are supported. Right now we create bugfix releases as months 2 and 4 into the cycle, with no indication of support length. In fact; there are leftover bugfix/[] branches that are not maintained and have not yet been retired. Posts like this (and my efforts to get releases done) is part of my fact-finding for trying to ensure how Ironic manages releases is well documented and understood. -Jay Faulkner -------------- next part -------------- An HTML attachment was scrubbed... URL: From jay at gr-oss.io Tue Oct 4 18:18:32 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Tue, 4 Oct 2022 11:18:32 -0700 Subject: [ironic][stable] Proposing EOL of ironic project branches older than Wallaby Message-ID: Hi all, Ironic has a large amount of stable branches still in EM. We need to take action to ensure those branches are either retired or have CI repaired to the point of being usable. Specifically, I'm looking at these branches across all Ironic projects: - stable/queens - stable/rocky - stable/stein - stable/train - stable/ussuri - stable/victoria In lieu of any volunteers to maintain the CI, my recommendation for all the branches listed above is that they be marked EOL. If someone wants to volunteer to maintain CI for those branches, they can propose one of the below paths be taken instead: 1 - Someone volunteers to maintain these branches, and also report the status of CI of these older branches periodically on the Ironic whiteboard and in Ironic meetings. If you feel strongly that one of these branches needs to continue to be in service; volunteering in this way is how to save them. 2 - We seriously reduce CI. Basically removing all tempest tests to ensure that CI remains reliable and able to merge emergency or security fixes when needed. In some cases; this still requires CI fixes as some older inspector branches are failing *installing packages* in unit tests. I would still like, in this case, that someone volunteers to ensure the minimalist CI remains happy. 
My intention is to let this message serve as notice and a waiting period; and if I've not heard any response here or in Monday's Ironic meeting (in 6 days), I will begin taking action on retiring these branches. This is simply a start; other branches (including bugfix branches) are also in bad shape in CI, but getting these retired will significantly reduce the surface area of projects and branches to evaluate. I know it's painful to drop support for these branches; but we've provided good EM support for these branches for a long time and by pruning them away, we'll be able to save time to dedicate to other items. Thanks, Jay Faulkner -------------- next part -------------- An HTML attachment was scrubbed... URL: From iurygregory at gmail.com Tue Oct 4 18:27:46 2022 From: iurygregory at gmail.com (Iury Gregory) Date: Tue, 4 Oct 2022 15:27:46 -0300 Subject: [ironic][stable] Proposing EOL of ironic project branches older than Wallaby In-Reply-To: References: Message-ID: Hi Jay, We had a discussion a few months ago about closing pre-train branches https://lists.openstack.org/pipermail/openstack-discuss/2022-June/029274.html Train Ussuri and Victoria we should probably raise this in the upstream meeting (to see what people will also think about it, in case we don't have responses here) Thanks! Em ter., 4 de out. de 2022 ?s 15:20, Jay Faulkner escreveu: > Hi all, > > Ironic has a large amount of stable branches still in EM. We need to take > action to ensure those branches are either retired or have CI repaired to > the point of being usable. > > Specifically, I'm looking at these branches across all Ironic projects: > - stable/queens > - stable/rocky > - stable/stein > - stable/train > - stable/ussuri > - stable/victoria > > In lieu of any volunteers to maintain the CI, my recommendation for all > the branches listed above is that they be marked EOL. If someone wants to > volunteer to maintain CI for those branches, they can propose one of the > below paths be taken instead: > > 1 - Someone volunteers to maintain these branches, and also report the > status of CI of these older branches periodically on the Ironic whiteboard > and in Ironic meetings. If you feel strongly that one of these branches > needs to continue to be in service; volunteering in this way is how to save > them. > > 2 - We seriously reduce CI. Basically removing all tempest tests to ensure > that CI remains reliable and able to merge emergency or security fixes when > needed. In some cases; this still requires CI fixes as some older inspector > branches are failing *installing packages* in unit tests. I would still > like, in this case, that someone volunteers to ensure the minimalist CI > remains happy. > > My intention is to let this message serve as notice and a waiting period; > and if I've not heard any response here or in Monday's Ironic meeting (in 6 > days), I will begin taking action on retiring these branches. > > This is simply a start; other branches (including bugfix branches) are > also in bad shape in CI, but getting these retired will significantly > reduce the surface area of projects and branches to evaluate. > > I know it's painful to drop support for these branches; but we've provided > good EM support for these branches for a long time and by pruning them > away, we'll be able to save time to dedicate to other items. 
> > Thanks, > Jay Faulkner > -- *Att[]'s* *Iury Gregory Melo Ferreira * *MSc in Computer Science at UFCG* *Ironic PTL * *Senior Software Engineer at Red Hat Brazil* *Social*: https://www.linkedin.com/in/iurygregory *E-mail: iurygregory at gmail.com * -------------- next part -------------- An HTML attachment was scrubbed... URL: From jdratlif at globalnoc.iu.edu Tue Oct 4 18:56:34 2022 From: jdratlif at globalnoc.iu.edu (John Ratliff) Date: Tue, 04 Oct 2022 14:56:34 -0400 Subject: OpenStack Ansible Service troubleshooting In-Reply-To: References: <3041961ec183a2a9f3d037ff0ec9019aa5a5d0c6.camel@globalnoc.iu.edu> Message-ID: On Tue, 2022-10-04 at 18:21 +0200, Dmitriy Rabotyagov wrote: > Hi John. > > Well, it seems you've made a bunch of operations that were not > required in the first place. However, I believe that at the end > you've > identified the problem correctly. systemd-machined service should be > active and running on nova-compute hosts with kvm driver. > I'd suggest looking deeper at why this service systemd-machined can't > be started. What does journalctl says about that? It's not very chatty, though I think your next question might answer the why. $ sudo journalctl -u systemd-machined -- Logs begin at Tue 2022-10-04 17:45:02 UTC, end at Tue 2022-10-04 18:43:45 UTC. -- Oct 04 18:43:37 os-comp1 systemd[1]: Dependency failed for Virtual Machine and Container Registration Service. Oct 04 18:43:37 os-comp1 systemd[1]: systemd-machined.service: Job systemd-machined.service/start failed with result 'dependency'. > > As one of dependency systemd-machined requires to have > /var/lib/machines. And I do have 2 assumptions there: > 1. Was systemd-tmpfiles-setup.service activated? As we have seen > sometimes that upon node boot due to some race condition it was not, > which resulted in all kind of weirdness It appears to be. The output looks very similar between the broken and working clusters. $ sudo systemctl status systemd-tmpfiles-setup ? systemd-tmpfiles-setup.service - Create Volatile Files and Directories Loaded: loaded (/lib/systemd/system/systemd-tmpfiles- setup.service; static; vendor preset: enabled) Active: active (exited) since Mon 2022-10-03 18:23:53 UTC; 24h ago Docs: man:tmpfiles.d(5) man:systemd-tmpfiles(8) Main PID: 1460 (code=exited, status=0/SUCCESS) Tasks: 0 (limit: 8192) Memory: 0B CGroup: /system.slice/systemd-tmpfiles-setup.service Warning: journal has been rotated since unit was started, output may be incomplete. However, /var/lib/machines does not appear to be correct. On the working cluster, this is mounted as an ext4 filesystem and has a lost+found directory along with a directory for a defined instance. There is no mount listed on the broken cluster, and the directory is empty. > 2. Don't you happen to run nova-compute on the same set of hosts > where > LXC containers are placed? As for example, in AIO setup we do manage > /var/lib/machines/ mount with systemd var-lib-machines.mount. So if > you happen to run nova-computes on controller host or AIO - this is > another thing to check. $ sudo journalctl -u var-lib-machines.mount -- Logs begin at Tue 2022-10-04 18:01:46 UTC, end at Tue 2022-10-04 18:52:53 UTC. -- Oct 04 18:43:37 os-comp1 systemd[1]: Mounting Virtual Machine and Container Storage (Compatibility)... Oct 04 18:43:37 os-comp1 mount[1272300]: mount: /var/lib/machines: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error. 
Oct 04 18:43:37 os-comp1 systemd[1]: var-lib-machines.mount: Mount process exited, code=exited, status=32/n/a Oct 04 18:43:37 os-comp1 systemd[1]: var-lib-machines.mount: Failed with result 'exit-code'. Oct 04 18:43:37 os-comp1 systemd[1]: Failed to mount Virtual Machine and Container Storage (Compatibility). This appears to be the problem. It looks like /dev/loop0 is probably supposed to reference /var/lib/machines.raw. I tried running fsck on /dev/loop0, but it doesn't think there is a valid extX filesystem on any of the superblocks. Maybe /dev/loop0 is not really pointing to /var/lib/machines.raw? Not sure how to tell if that's the case. Maybe I should try to loopback this, or create a blank filesystem image. -- John Ratliff Systems Automation Engineer GlobalNOC @ Indiana University -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: not available URL: From jdratlif at globalnoc.iu.edu Tue Oct 4 20:22:58 2022 From: jdratlif at globalnoc.iu.edu (John Ratliff) Date: Tue, 04 Oct 2022 16:22:58 -0400 Subject: OpenStack Ansible Service troubleshooting In-Reply-To: References: <3041961ec183a2a9f3d037ff0ec9019aa5a5d0c6.camel@globalnoc.iu.edu> Message-ID: <529d89ba8e2f63fd711701473e12f335726e6073.camel@globalnoc.iu.edu> On Tue, 2022-10-04 at 14:56 -0400, John Ratliff wrote: > On Tue, 2022-10-04 at 18:21 +0200, Dmitriy Rabotyagov wrote: > > Hi John. > > > > Well, it seems you've made a bunch of operations that were not > > required in the first place. However, I believe that at the end > > you've > > identified the problem correctly. systemd-machined service should > > be > > active and running on nova-compute hosts with kvm driver. > > I'd suggest looking deeper at why this service systemd-machined > > can't > > be started. What does journalctl says about that? > > It's not very chatty, though I think your next question might answer > the why. > > $ sudo journalctl -u systemd-machined > -- Logs begin at Tue 2022-10-04 17:45:02 UTC, end at Tue 2022-10-04 > 18:43:45 UTC. -- > Oct 04 18:43:37 os-comp1 systemd[1]: Dependency failed for Virtual > Machine and Container Registration Service. > Oct 04 18:43:37 os-comp1 systemd[1]: systemd-machined.service: Job > systemd-machined.service/start failed with result 'dependency'. > > > > > As one of dependency systemd-machined requires to have > > /var/lib/machines. And I do have 2 assumptions there: > > 1. Was systemd-tmpfiles-setup.service activated? As we have seen > > sometimes that upon node boot due to some race condition it was > > not, > > which resulted in all kind of weirdness > > It appears to be. The output looks very similar between the broken > and > working clusters. > > $ sudo systemctl status systemd-tmpfiles-setup??????????????????????? > ? systemd-tmpfiles-setup.service - Create Volatile Files and > Directories > ???? Loaded: loaded (/lib/systemd/system/systemd-tmpfiles- > setup.service; static; vendor preset: enabled) > ???? Active: active (exited) since Mon 2022-10-03 18:23:53 UTC; 24h > ago > ?????? Docs: man:tmpfiles.d(5) > ???????????? man:systemd-tmpfiles(8) > ?? Main PID: 1460 (code=exited, status=0/SUCCESS) > ????? Tasks: 0 (limit: 8192) > ???? Memory: 0B > ???? CGroup: /system.slice/systemd-tmpfiles-setup.service > > Warning: journal has been rotated since unit was started, output may > be > incomplete. > > However, /var/lib/machines does not appear to be correct. 
On the > working cluster, this is mounted as an ext4 filesystem and has a > lost+found directory along with a directory for a defined instance. > > There is no mount listed on the broken cluster, and the directory is > empty. > > > 2. Don't you happen to run nova-compute on the same set of hosts > > where > > LXC containers are placed? As for example, in AIO setup we do > > manage > > /var/lib/machines/ mount with systemd var-lib-machines.mount. So if > > you happen to run nova-computes on controller host or AIO - this is > > another thing to check. > > $ sudo journalctl -u var-lib-machines.mount > -- Logs begin at Tue 2022-10-04 18:01:46 UTC, end at Tue 2022-10-04 > 18:52:53 UTC. -- > Oct 04 18:43:37 os-comp1 systemd[1]: Mounting Virtual Machine and > Container Storage (Compatibility)... > Oct 04 18:43:37 os-comp1 mount[1272300]: mount: /var/lib/machines: > wrong fs type, bad option, bad superblock on /dev/loop0, missing > codepage or helper program, or other error. > Oct 04 18:43:37 os-comp1 systemd[1]: var-lib-machines.mount: Mount > process exited, code=exited, status=32/n/a > Oct 04 18:43:37 os-comp1 systemd[1]: var-lib-machines.mount: Failed > with result 'exit-code'. > Oct 04 18:43:37 os-comp1 systemd[1]: Failed to mount Virtual Machine > and Container Storage (Compatibility). > > This appears to be the problem. It looks like /dev/loop0 is probably > supposed to reference /var/lib/machines.raw. I tried running fsck on > /dev/loop0, but it doesn't think there is a valid extX filesystem on > any of the superblocks. Maybe /dev/loop0 is not really pointing to > /var/lib/machines.raw? Not sure how to tell if that's the case. > > Maybe I should try to loopback this, or create a blank filesystem > image. > > > Okay, I'm not sure what happened here. The systemd unit mount file for var-lib-machines is different on the broken cluster than the working cluster. It talks about a btrfs system, but the /var/lib/machines.raw file is an ext4 filesystem, like the one on the working cluster. I copied the unit file from the working cluster to the broken cluster, and I could mount /var/lib/machines, get systemd-machined working, and create machines now. I have no idea what happened. I feel like there must have been a system update that changed (reverted from openstack-ansible?) something, but I'm just not sure. In any event, you helped me figure it out. Thanks. -- John Ratliff Systems Automation Engineer GlobalNOC @ Indiana University -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: not available URL: From noonedeadpunk at gmail.com Tue Oct 4 20:45:01 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Tue, 4 Oct 2022 22:45:01 +0200 Subject: OpenStack Ansible Service troubleshooting In-Reply-To: <529d89ba8e2f63fd711701473e12f335726e6073.camel@globalnoc.iu.edu> References: <3041961ec183a2a9f3d037ff0ec9019aa5a5d0c6.camel@globalnoc.iu.edu> <529d89ba8e2f63fd711701473e12f335726e6073.camel@globalnoc.iu.edu> Message-ID: Oh, well, I do recall now that package update could brake systemd mount, as in prior releases we placed our own systemd unit file in place and now we just leverage systemd overrides functionality [1]. I think what you can do is find out what package does provide this mount file and mark it for hold. Or cherry-pick and apply mentioned change. [1] https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/834183 ??, 4 ???. 
2022 ?., 22:23 John Ratliff : > On Tue, 2022-10-04 at 14:56 -0400, John Ratliff wrote: > > On Tue, 2022-10-04 at 18:21 +0200, Dmitriy Rabotyagov wrote: > > > Hi John. > > > > > > Well, it seems you've made a bunch of operations that were not > > > required in the first place. However, I believe that at the end > > > you've > > > identified the problem correctly. systemd-machined service should > > > be > > > active and running on nova-compute hosts with kvm driver. > > > I'd suggest looking deeper at why this service systemd-machined > > > can't > > > be started. What does journalctl says about that? > > > > It's not very chatty, though I think your next question might answer > > the why. > > > > $ sudo journalctl -u systemd-machined > > -- Logs begin at Tue 2022-10-04 17:45:02 UTC, end at Tue 2022-10-04 > > 18:43:45 UTC. -- > > Oct 04 18:43:37 os-comp1 systemd[1]: Dependency failed for Virtual > > Machine and Container Registration Service. > > Oct 04 18:43:37 os-comp1 systemd[1]: systemd-machined.service: Job > > systemd-machined.service/start failed with result 'dependency'. > > > > > > > > As one of dependency systemd-machined requires to have > > > /var/lib/machines. And I do have 2 assumptions there: > > > 1. Was systemd-tmpfiles-setup.service activated? As we have seen > > > sometimes that upon node boot due to some race condition it was > > > not, > > > which resulted in all kind of weirdness > > > > It appears to be. The output looks very similar between the broken > > and > > working clusters. > > > > $ sudo systemctl status systemd-tmpfiles-setup > > ? systemd-tmpfiles-setup.service - Create Volatile Files and > > Directories > > Loaded: loaded (/lib/systemd/system/systemd-tmpfiles- > > setup.service; static; vendor preset: enabled) > > Active: active (exited) since Mon 2022-10-03 18:23:53 UTC; 24h > > ago > > Docs: man:tmpfiles.d(5) > > man:systemd-tmpfiles(8) > > Main PID: 1460 (code=exited, status=0/SUCCESS) > > Tasks: 0 (limit: 8192) > > Memory: 0B > > CGroup: /system.slice/systemd-tmpfiles-setup.service > > > > Warning: journal has been rotated since unit was started, output may > > be > > incomplete. > > > > However, /var/lib/machines does not appear to be correct. On the > > working cluster, this is mounted as an ext4 filesystem and has a > > lost+found directory along with a directory for a defined instance. > > > > There is no mount listed on the broken cluster, and the directory is > > empty. > > > > > 2. Don't you happen to run nova-compute on the same set of hosts > > > where > > > LXC containers are placed? As for example, in AIO setup we do > > > manage > > > /var/lib/machines/ mount with systemd var-lib-machines.mount. So if > > > you happen to run nova-computes on controller host or AIO - this is > > > another thing to check. > > > > $ sudo journalctl -u var-lib-machines.mount > > -- Logs begin at Tue 2022-10-04 18:01:46 UTC, end at Tue 2022-10-04 > > 18:52:53 UTC. -- > > Oct 04 18:43:37 os-comp1 systemd[1]: Mounting Virtual Machine and > > Container Storage (Compatibility)... > > Oct 04 18:43:37 os-comp1 mount[1272300]: mount: /var/lib/machines: > > wrong fs type, bad option, bad superblock on /dev/loop0, missing > > codepage or helper program, or other error. > > Oct 04 18:43:37 os-comp1 systemd[1]: var-lib-machines.mount: Mount > > process exited, code=exited, status=32/n/a > > Oct 04 18:43:37 os-comp1 systemd[1]: var-lib-machines.mount: Failed > > with result 'exit-code'. 
> > Oct 04 18:43:37 os-comp1 systemd[1]: Failed to mount Virtual Machine > > and Container Storage (Compatibility). > > > > This appears to be the problem. It looks like /dev/loop0 is probably > > supposed to reference /var/lib/machines.raw. I tried running fsck on > > /dev/loop0, but it doesn't think there is a valid extX filesystem on > > any of the superblocks. Maybe /dev/loop0 is not really pointing to > > /var/lib/machines.raw? Not sure how to tell if that's the case. > > > > Maybe I should try to loopback this, or create a blank filesystem > > image. > > > > > > > > Okay, I'm not sure what happened here. > > The systemd unit mount file for var-lib-machines is different on the > broken cluster than the working cluster. It talks about a btrfs system, > but the /var/lib/machines.raw file is an ext4 filesystem, like the one > on the working cluster. > > I copied the unit file from the working cluster to the broken cluster, > and I could mount /var/lib/machines, get systemd-machined working, and > create machines now. > > I have no idea what happened. I feel like there must have been a system > update that changed (reverted from openstack-ansible?) something, but > I'm just not sure. > > In any event, you helped me figure it out. Thanks. > > -- > John Ratliff > Systems Automation Engineer > GlobalNOC @ Indiana University > -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrew at andrewboring.com Tue Oct 4 22:28:23 2022 From: andrew at andrewboring.com (Andrew Boring) Date: Tue, 4 Oct 2022 18:28:23 -0400 Subject: [Keystone][Swift] Using policy.json to prohibit specific API operations by policy? Message-ID: <6DED637A-A6C0-4DB6-B1CE-00095A8069D0@andrewboring.com> Hi all, I'm looking to support a situation where one class of Keystone users in a given domain can create Swift containers (either within a single, dedicated project or within their own projects) but *cannot* change ACLs on those containers, while a second class of users *can* alter ACLs on their own containers. For example, User A is in the first class (defined by role) and can perform all CRUD operations, EXCEPT update pre-defined ACLmetadata on those containers. User B is in the second class and CAN update ACLs on their respecitive containers, like any other standard user. Something like this AWS policy condition ("Granting permissions to multiple accounts with added conditions") is directionally what I'm trying to achieve: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-1 Keystone docs imply that I can create policy.json files for all services: "You can define actions for OpenStack service roles in the /etc/PROJECT/policy.yaml files. For example, define actions for Compute service roles in the /etc/nova/policy.yaml file." -https://docs.openstack.org/keystone/yoga/admin/cli-manage-projects-users-and-roles.html But I can't find any indication that Swift actually supports this. So, does Swift support the Oslo policy.json stuff, and if so, is it documented anywhere? Is it simply a "install oslo policy and add it to the pipeline in proxy-server.conf"? If not, is there another/preferred way to achieve the desired restrictions on Swift API operations by policy for a given Keystone domain? Thanks. 
-- Andrew Boring andrew at andrewboring.com From ppiyakk2 at printf.kr Wed Oct 5 02:14:21 2022 From: ppiyakk2 at printf.kr (Seongsoo Cho) Date: Wed, 5 Oct 2022 11:14:21 +0900 Subject: [I18n] Zanata status + call for volunteers on Weblate migration In-Reply-To: References: Message-ID: Hi Ian. Thanks for letting us know the situation. I'd like to volunteer on Weblate migration. 2022? 10? 5? (?) 01:51, Ian Y. Choi ?? ??: > Hi all, > > First, thank you all for contributing to OpenStack with globalization > by contributing translations, coordinating translations with > artifacts, and making sure that those translations are shipped with > releases to all over the world (we are calling it I18n - > Internationalization). > > While OpenStack I18n could be healthier with the tremendous help from > translators as well as many OpenStack upstream contributors & teams > such as infrastructure, release management, and documentation, the > current translation platform we are using on > https://translate.openstack.org relies on Zanata, an open-source > translation platform which upstream activities were stopped [1]. > Currently, there are several issues reported - most things have been > resolved while it repeats / worses as time goes: > > - OpenID authentication issues for new registration users on > translate.openstack.org [2] > - Translation job failure issues since Zanata client did not work with > a newer Java / job compatibility issues with Python versions [3] > - Missing translation jobs for Xena/Yoga stable versions on Zanata [4] > > Considering the situation, to solve the root cause of the situation, I > am calling for volunteers on Weblate migration. The detailed > activities would continue from what the previous I18n PTL already > investigated, identified, and documented to [5] [6]. There would be > diverse work items with developer perspective as well as translators > and operators. Hope that there are many volunteers to move forward. > > Meanwhile, I updated the "Translations & Priority" part on > https://translate.openstack.org homepage. > Note that stable versions are minimized to Horizon and dashboard > projects, and ping me if there would be lots of translation work > especially during R-3 to R-1. > > Looking forward to an enhanced open source translation platform > landing soon with OpenInfra. > > > With many thanks, > > /Ian > > [1] > https://lists.fedoraproject.org/archives/list/trans at lists.fedoraproject.org/thread/F2JZTYSK3L5JAZY6VSVGDGNNQ4ATG4HP/ > [2] > https://lists.openstack.org/pipermail/openstack-i18n/2022-February/003550.html > [3] https://review.opendev.org/c/openstack/project-config/+/850962 > [4] > https://lists.openstack.org/pipermail/openstack-discuss/2021-December/026441.html > [5] > https://blueprints.launchpad.net/openstack-i18n/+spec/renew-translation-platform > [6] https://etherpad.opendev.org/p/I18n-weblate-migration > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ramishra at redhat.com Wed Oct 5 03:16:25 2022 From: ramishra at redhat.com (Rabi Mishra) Date: Wed, 5 Oct 2022 08:46:25 +0530 Subject: [TripleO] TripleO Antelope PTG Topics In-Reply-To: <20221004145332.jsu5vqckqxlsruyq@yuggoth.org> References: <20221004145332.jsu5vqckqxlsruyq@yuggoth.org> Message-ID: On Tue, Oct 4, 2022 at 8:25 PM Jeremy Stanley wrote: > On 2022-10-04 09:36:42 +0530 (+0530), Rabi Mishra wrote: > [...] > > I've moved the contents to the etherpad linked at the PTGBot site > [...] 
> > For future reference, you can also simply inform PTGBot that you > have a different Etherpad URL, and it will update the site to list > that one for you instead. > Thanks Jeremy. I somehow missed these details in PTGBot docs and thought using an auto-generated etherpad link would be better for consistency:) > -- > Jeremy Stanley > -- Regards, Rabi Mishra -------------- next part -------------- An HTML attachment was scrubbed... URL: From manchandavishal143 at gmail.com Wed Oct 5 05:47:53 2022 From: manchandavishal143 at gmail.com (vishal manchanda) Date: Wed, 5 Oct 2022 11:17:53 +0530 Subject: [horizon] Cancelling Today's Weekly meeting Message-ID: Hello Team, Since there are no agenda items [1] to discuss for today's horizon weekly meeting. Also, Today is a holiday for me. So let's cancel today's weekly meeting. Thanks & regards, Vishal Manchanda(irc:vishalmanchanda) [1] https://etherpad.opendev.org/p/horizon-release-priorities#L38 -------------- next part -------------- An HTML attachment was scrubbed... URL: From xek at redhat.com Wed Oct 5 09:18:42 2022 From: xek at redhat.com (Grzegorz Grasza) Date: Wed, 5 Oct 2022 11:18:42 +0200 Subject: [barbican] New team meeting time Message-ID: Hi Team, At our last meeting, it was proposed to move the meeting forward 1 hour (an hour early), from 1300 to 1200 UTC. [1] If there are no objections, I'll be making the change by the end of the week, before the next meeting takes place. / Greg [1] https://meetings.opendev.org/meetings/barbican/2022/barbican.2022-10-04-13.00.log.html#l-112 -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Wed Oct 5 09:38:22 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Wed, 5 Oct 2022 10:38:22 +0100 Subject: [kolla-ansible] How to recover from unfinished upgrade In-Reply-To: References: Message-ID: Hi, Any one??? Regards. Le mer. 28 sept. 2022 ? 16:51, wodel youchi a ?crit : > Hi, > > I am testing the upgrade from xena to yoga and I made a mistake in > globals.yml, I forgot to specify the correct name of gnocchi ceph pool, so > my deployment went wrong. > I interrupted the deployment Ctrl+C I corrected the mistake, then I > restarted the upgrade and it got stuck somewhere else, but I couldn't find > where, I interrupted then restarted the deployment again and it got stuck > at the same place. > My questions : > - Is there a way to rollback the upgrade in case of a problem, then start > over? > - What is the best way to restart a broken upgrade process? > > > Regards. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From eblock at nde.ag Wed Oct 5 09:57:51 2022 From: eblock at nde.ag (Eugen Block) Date: Wed, 05 Oct 2022 09:57:51 +0000 Subject: [kolla-ansible] How to recover from unfinished upgrade In-Reply-To: References: Message-ID: <20221005095751.Horde.HRGeD0jS1HpzORRQKau0omH@webmail.nde.ag> Hi, the only thing I can provide is this page: https://docs.openstack.org/operations-guide/ops-upgrades.html#rolling-back-a-failed-upgrade But I'm not sure if they apply to kolla-ansible which I'm not familiar with. >> I interrupted the deployment Ctrl+C I corrected the mistake, then I >> restarted the upgrade and it got stuck somewhere else, but I couldn't find >> where, I interrupted then restarted the deployment again and it got stuck >> at the same place. Wouldn't it be a better idea to let the upgrade fail, maybe changes are rolled back automatically? Where does it fail? 
Apparently you can reproduce it, so I'd say paste the output of the failure. Regards, Eugen Zitat von wodel youchi : > Hi, > > Any one??? > > Regards. > > Le mer. 28 sept. 2022 ? 16:51, wodel youchi a > ?crit : > >> Hi, >> >> I am testing the upgrade from xena to yoga and I made a mistake in >> globals.yml, I forgot to specify the correct name of gnocchi ceph pool, so >> my deployment went wrong. >> I interrupted the deployment Ctrl+C I corrected the mistake, then I >> restarted the upgrade and it got stuck somewhere else, but I couldn't find >> where, I interrupted then restarted the deployment again and it got stuck >> at the same place. >> My questions : >> - Is there a way to rollback the upgrade in case of a problem, then start >> over? >> - What is the best way to restart a broken upgrade process? >> >> >> Regards. >> From stephenfin at redhat.com Wed Oct 5 12:45:37 2022 From: stephenfin at redhat.com (Stephen Finucane) Date: Wed, 05 Oct 2022 13:45:37 +0100 Subject: [nova][cinder][glance][manila][masakari][tacker][oslo] Configurable soft-delete Message-ID: ? I'm planning on bringing this up in the nova rooms at the PTG in a few weeks, but I'm also raising it here since this potentially affects other service projects and I can't attend all of those room :) Many projects use the concept of "soft delete" in their database models. A soft deletable model typically has two additional columns, 'deleted' and 'deleted_at'. When deleting such a model, instead of actually deleting the database row (i.e. 'DELETE FROM table WHERE condition'), we set 'deleted' to 'True' and populate the 'deleted_at' column. This is helpful for auditing purposes (e.g. you can inspect all resources ever created, even after they've been "deleted") but bad for database performance (your tables can grow without bound). To work around the performance issues, most projects implement some kind of archive or purge command that will allow operators to periodically clean up these deleted resources. However, at least in nova, we've long since come to the conclusion that soft deleting isn't as useful as initially suspected and the need to run these commands is additional work for no benefit. We've moved toward not using it for all new models. With this said, it's going to be difficult to get away from soft-delete quickly. Not only are there database migrations involved, but operators will need to rework their tooling to adapt to a new, no-soft-delete world. As such, I'd like to propose a half-way measure of making soft-delete configurable. To do this, I'd like to add a new flag in oslo.db, '[database] enable_soft_delete'. When set to 'False' anyone using the 'SoftDeleteMixin' from oslo.db would see these models hard deleted rather than soft deleted when calling 'soft_delete'. This would avoid the need for operators to run the various project-specific purge tooling. The RFC patch for this is available for review [1]. I can also do this on a project-specific basis and have proposed a similar patch for nova [2], however, doing it in oslo.db means every project that uses 'SoftDeleteMixin' in their models will get this for free. Projects that don't (glance, cinder) can switch to using this mixin and also get it for free. As noted above, I intend to discuss this in the nova room at the PTG, but I'd be interested in people's thoughts ahead of time. Do you think this is a good idea? Should we proceed with it? Perhaps there are there better ways to do this? Let me know! 
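For anyone who hasn't looked at the mixin recently, here's a rough sketch of the pattern (illustrative only - the 'Widget' model is made up, not any project's real schema - and the config option shown is just the behaviour proposed in [1]):

from oslo_db.sqlalchemy import models
from sqlalchemy import Column, Integer, String
from sqlalchemy.ext.declarative import declarative_base

Base = declarative_base()


class Widget(models.SoftDeleteMixin, models.TimestampMixin,
             models.ModelBase, Base):
    __tablename__ = 'widgets'
    id = Column(Integer, primary_key=True)
    name = Column(String(255))


# widget.soft_delete(session) today results in roughly:
#     UPDATE widgets SET deleted = id, deleted_at = NOW() WHERE id = ...
# while with the proposed '[database] enable_soft_delete = False' the same
# call would instead issue a plain:
#     DELETE FROM widgets WHERE id = ...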
Cheers, Stephen
[1] https://review.opendev.org/c/openstack/oslo.db/+/860407 [2] https://review.opendev.org/c/openstack/nova/+/860401
From senrique at redhat.com Wed Oct 5 12:55:10 2022 From: senrique at redhat.com (Sofia Enriquez) Date: Wed, 5 Oct 2022 09:55:10 -0300 Subject: Bug Report - 10-05-2022 Message-ID:
This is a bug report from 09-28-2022 to 10-05-2022. Agenda: https://etherpad.opendev.org/p/cinder-bug-squad-meeting ----------------------------------------------------------------------------------------- Low - https://bugs.launchpad.net/cinder/+bug/1991634 "Toyou drivers report allocated_capacity_gb." Fix proposed to master. - https://bugs.launchpad.net/cinder/+bug/1991217 "[docs] Unsupported option in docs for cinder-manage quota check/sync." Fix proposed to master. - https://bugs.launchpad.net/cinder/+bug/1991154 "[docs] Service tokens documentation is misleading." Fix proposed to master. Cheers, -- Sofía Enriquez she/her Software Engineer Red Hat PnT IRC: @enriquetaso @RedHat -------------- next part -------------- An HTML attachment was scrubbed... URL: From clay.gerrard at gmail.com Wed Oct 5 13:20:40 2022 From: clay.gerrard at gmail.com (Clay Gerrard) Date: Wed, 5 Oct 2022 08:20:40 -0500 Subject: [Swift][Ussuri] Erasure Coding Quarantines In-Reply-To: References: <20220930165217.2901f9cf@niphredil.zaitcev.lan> Message-ID:
On Wed, Oct 5, 2022 at 7:58 AM Reid Guyett wrote: > the env var only works in 1.6.2 but 20.04 ships with 1.6.1. > Oh shoot, yeah I have no idea what version is packaged downstream. Maybe we can get Thomas to backport the jammy package https://packages.ubuntu.com/jammy/liberasurecode1 to focal https://packages.ubuntu.com/focal/liberasurecode1 -- Clay Gerrard -------------- next part -------------- An HTML attachment was scrubbed... URL: From rguyett at datto.com Wed Oct 5 12:58:39 2022 From: rguyett at datto.com (Reid Guyett) Date: Wed, 5 Oct 2022 12:58:39 +0000 Subject: [Swift][Ussuri] Erasure Coding Quarantines In-Reply-To: References: <20220930165217.2901f9cf@niphredil.zaitcev.lan> Message-ID:
I'm not sure how to create a double quote in Outlook web app... We are going to try to create a new liberasurecode package 1.6.2 for 20.04 so we can set the environment variable to write legacy CRC headers until all the nodes in the cluster can be upgraded. I'm not sure if you need a new package, I think you have to set the env at runtime - but there's also a swift config option that will force the env to get set that you can turn off after full upgrade. In the IRC response, the env var only works in 1.6.2 but 20.04 ships with 1.6.1. The application setting you mentioned is in Swift 2.27 and we are still in Ussuri (2.25.2) but still requires the compatible liberasurecode1 package. I'm not sure how to go about requesting this version to be available in the Focal repos. It seems like it should belong there since upgrading from 18.04 to 20.04 is a contributor to this problem.
________________________________ From: Clay Gerrard Sent: Tuesday, October 4, 2022 09:28 To: Reid Guyett Cc: Pete Zaitcev ; openstack-discuss at lists.openstack.org ; Matthew Grinnell Subject: Re: [Swift][Ussuri] Erasure Coding Quarantines
On Mon, Oct 3, 2022 at 3:37 PM Reid Guyett < rguyett at datto.com> wrote: Thanks for the follow-up. [...] From there the files were downloadable again. 
Nice work! We are going to try to create a new liberasurecode package 1.6.2 for 20.04 so we can set the environment variable to write legacy CRC headers until all the nodes in the cluster can be upgraded. I'm not sure if you need a new package, I think you have to set the env at runtime - but there's also a swift config option that will force the env to get set that you can turn off after full upgrade.
This is why we have testing environments. This is why *competent* deployers and operators have testing environments - and it's the only thing that makes the terrible terrible reality of building and releasing software actually a net good. Couldn't do it without you; go FOSS!
-- Clay Gerrard -------------- next part -------------- An HTML attachment was scrubbed... URL: From thierry at openinfra.dev Wed Oct 5 13:58:59 2022 From: thierry at openinfra.dev (Thierry Carrez) Date: Wed, 5 Oct 2022 15:58:59 +0200 Subject: [release][ironic] Release desired for Ironic bugfix/N branches In-Reply-To: <7334a347-452b-40d6-9832-2c4c019e7370@app.fastmail.com> References: <7334a347-452b-40d6-9832-2c4c019e7370@app.fastmail.com> Message-ID: <83e88d25-bc8a-76a3-f9cb-9b5339205721@openinfra.dev>
Clark Boylan wrote: > [...] > If the release team ends up doing the work, it would probably be a good idea to very explicitly list the branch, commit sha1, and version number for each of the needed releases. This way the release team doesn't have to guess if they are getting it correct when they make and push those tags.
Yes please.
> Separately, it seems like some of the intention here is to ensure that users of bugfix branches don't end up with stale installations. Updating the release tooling to handle releases off of these branches or delegating access to the Ironic team seem like an important piece of making that happen. Otherwise the overhead for doing this will be large enough that it is unlikely to happen often enough. Unfortunately, I don't know what is currently missing in the tooling to make that possible.
I'd say it's an unknown and the current release team members may not have bandwidth to explore what releasing on bugfix branches using a patch to openstack/releases could look like. Avoiding collisions between "normal" stable branch point updates and those bugfix branch point releases sounds tricky at best. We should try one manually and see how it goes first :)
-- Thierry Carrez From jay at gr-oss.io Wed Oct 5 14:42:19 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Wed, 5 Oct 2022 07:42:19 -0700 Subject: [release][ironic] Release desired for Ironic bugfix/N branches In-Reply-To: <83e88d25-bc8a-76a3-f9cb-9b5339205721@openinfra.dev> References: <7334a347-452b-40d6-9832-2c4c019e7370@app.fastmail.com> <83e88d25-bc8a-76a3-f9cb-9b5339205721@openinfra.dev> Message-ID:
On Wed, Oct 5, 2022 at 7:18 AM Thierry Carrez wrote: > Clark Boylan wrote: > > [...] 
> > If the release team ends up doing the work, it would probably be a good > idea to very explicitly list the branch, commit sha1, and version number > for each of the needed releases. This way the release team doesn't have to > guess if they are getting it correct when they make and push those tags. > > Yes please. > > I'm cleaning up some CI right now; I'll make sure we get this information to the list soon so we can give it a shot :). > > Separately, it seems like some of the intention here is to ensure that > users of bugfix branches don't end up with stale installations. Updating > the release tooling to handle releases off of these branches or delegating > access to the Ironic team seem like an important piece of making that > happen. Otherwise the overhead for doing this will be large enough that it > is unlikely to happen often enough. Unfortunately, I don't know what is > currently missing in the tooling to make that possible. > > I'd say it's an unknown and the current release team members may not > have bandwidth to explore what releasing on bugfix branches using a > patch to openstack/releases could look like. Avoiding collisions between > "normal" stable branch point updates and those bugfix branch point > releases sounds tricky at best. > > I'm hoping this won't be an issue. Ironic policy (and it seems to be true in practice), says any release from master (including bugfix/x branches) must bump either the major or minor release number ( https://specs.openstack.org/openstack/ironic-specs/specs/15.1/new-release-model.html#releasing ). Thanks Thierry and Clark, I'll get you the information you all need to move forward soon! -Jay Faulkner -------------- next part -------------- An HTML attachment was scrubbed... URL: From elod.illes at est.tech Wed Oct 5 15:00:28 2022 From: elod.illes at est.tech (=?UTF-8?B?RWzFkWQgSWxsw6lz?=) Date: Wed, 5 Oct 2022 17:00:28 +0200 Subject: OpenStack Zed is officially released! Message-ID: <53d79ec4-8a16-08eb-ce32-f0ec773706ee@est.tech> Hello OpenStack community, The official OpenStack Zed release announcement has been sent out: http://lists.openstack.org/pipermail/openstack-announce/2022-October/002061.html Thanks to all who were a part of the Zed development cycle! This marks the official opening of the openstack/releases repository for 2023.1 Antelope releases, and freezes are now lifted. stable/zed is now a fully normal stable branch, and the normal stable policy applies from now on. Thanks, El?d Ill?s and the Release Management team From allison at openinfra.dev Wed Oct 5 15:12:52 2022 From: allison at openinfra.dev (Allison Price) Date: Wed, 5 Oct 2022 10:12:52 -0500 Subject: OpenStack Zed is officially released! In-Reply-To: <53d79ec4-8a16-08eb-ce32-f0ec773706ee@est.tech> References: <53d79ec4-8a16-08eb-ce32-f0ec773706ee@est.tech> Message-ID: Congratulations to all of the contributors! > On Oct 5, 2022, at 10:00 AM, El?d Ill?s wrote: > > Hello OpenStack community, > > The official OpenStack Zed release announcement has been sent out: > > http://lists.openstack.org/pipermail/openstack-announce/2022-October/002061.html > > Thanks to all who were a part of the Zed development cycle! > > This marks the official opening of the openstack/releases repository for > 2023.1 Antelope releases, and freezes are now lifted. stable/zed is now a fully normal stable branch, > and the normal stable policy applies from now on. 
> > Thanks, > > El?d Ill?s and the Release Management team From fungi at yuggoth.org Wed Oct 5 16:06:41 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Wed, 5 Oct 2022 16:06:41 +0000 Subject: [dev][infra][tact-sig] Updating Zuul's default-ansible-version to 6 Message-ID: <20221005160640.buu6aevydtkgs4ly@yuggoth.org> Just a heads up for folks not following the OpenDev Collaboratory's service-announce mailing list... now that Zed is officially released, we'll be increasing the default Ansible version for Zuul jobs from 5 to 6 in preparation for Zuul to drop Ansible 5 support in coming weeks. See the full announcement here: https://lists.opendev.org/pipermail/service-announce/2022-October/000046.html -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From gmann at ghanshyammann.com Wed Oct 5 17:46:13 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Wed, 05 Oct 2022 10:46:13 -0700 Subject: OpenStack Zed is officially released! In-Reply-To: <53d79ec4-8a16-08eb-ce32-f0ec773706ee@est.tech> References: <53d79ec4-8a16-08eb-ce32-f0ec773706ee@est.tech> Message-ID: <183a9415121.cde7b3d3208615.1637975538880544213@ghanshyammann.com> Congratulation to all the contributors for their 6 months of hard work and thanks to the release team for awesome work to continue doing the on-time release. -gmann ---- On Wed, 05 Oct 2022 08:00:28 -0700 El?d Ill?s wrote --- > Hello OpenStack community, > > The official OpenStack Zed release announcement has been sent out: > > http://lists.openstack.org/pipermail/openstack-announce/2022-October/002061.html > > Thanks to all who were a part of the Zed development cycle! > > This marks the official opening of the openstack/releases repository for > 2023.1 Antelope releases, and freezes are now lifted. stable/zed is now > a fully normal stable branch, > and the normal stable policy applies from now on. > > Thanks, > > El?d Ill?s and the Release Management team > From amy at demarco.com Wed Oct 5 17:51:42 2022 From: amy at demarco.com (Amy) Date: Wed, 5 Oct 2022 12:51:42 -0500 Subject: OpenStack Zed is officially released! In-Reply-To: <183a9415121.cde7b3d3208615.1637975538880544213@ghanshyammann.com> References: <183a9415121.cde7b3d3208615.1637975538880544213@ghanshyammann.com> Message-ID: Congrats Everyone!! Great job! Amy > On Oct 5, 2022, at 12:50 PM, Ghanshyam Mann wrote: > > ?Congratulation to all the contributors for their 6 months of hard work and thanks to the release team for awesome > work to continue doing the on-time release. > > -gmann > > ---- On Wed, 05 Oct 2022 08:00:28 -0700 El?d Ill?s wrote --- >> Hello OpenStack community, >> >> The official OpenStack Zed release announcement has been sent out: >> >> http://lists.openstack.org/pipermail/openstack-announce/2022-October/002061.html >> >> Thanks to all who were a part of the Zed development cycle! >> >> This marks the official opening of the openstack/releases repository for >> 2023.1 Antelope releases, and freezes are now lifted. stable/zed is now >> a fully normal stable branch, >> and the normal stable policy applies from now on. >> >> Thanks, >> >> El?d Ill?s and the Release Management team >> > From rdhasman at redhat.com Wed Oct 5 19:02:05 2022 From: rdhasman at redhat.com (Rajat Dhasmana) Date: Thu, 6 Oct 2022 00:32:05 +0530 Subject: OpenStack Zed is officially released! 
In-Reply-To: References: <183a9415121.cde7b3d3208615.1637975538880544213@ghanshyammann.com> Message-ID: Congratulations everyone! On Wed, Oct 5, 2022 at 11:26 PM Amy wrote: > Congrats Everyone!! Great job! > > Amy > > > On Oct 5, 2022, at 12:50 PM, Ghanshyam Mann > wrote: > > > > ?Congratulation to all the contributors for their 6 months of hard work > and thanks to the release team for awesome > > work to continue doing the on-time release. > > > > -gmann > > > > ---- On Wed, 05 Oct 2022 08:00:28 -0700 El?d Ill?s wrote --- > >> Hello OpenStack community, > >> > >> The official OpenStack Zed release announcement has been sent out: > >> > >> > http://lists.openstack.org/pipermail/openstack-announce/2022-October/002061.html > >> > >> Thanks to all who were a part of the Zed development cycle! > >> > >> This marks the official opening of the openstack/releases repository for > >> 2023.1 Antelope releases, and freezes are now lifted. stable/zed is now > >> a fully normal stable branch, > >> and the normal stable policy applies from now on. > >> > >> Thanks, > >> > >> El?d Ill?s and the Release Management team > >> > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From allison at openinfra.dev Wed Oct 5 20:37:29 2022 From: allison at openinfra.dev (Allison Price) Date: Wed, 5 Oct 2022 15:37:29 -0500 Subject: [zed] OpenInfra Live - October 6 at 1400 UTC Message-ID: <11530FD5-78FF-492E-B787-8156381747C7@openinfra.dev> Hi everyone, This week?s OpenInfra Live episode is brought to you by the OpenStack community who just delivered its 26th on-time release today! Join us to learn about the latest from community leaders about what was delivered in Zed and what we can expect in Antelope, OpenStack's 27th release targeting early 2023. Episode: OpenStack Zed: The End of the Alphabet, The Beginning of a New Era Date and time: October 6 at 1400 UTC You can watch us live on: YouTube: https://www.youtube.com/watch?v=MSbB3L9_MeY LinkedIn: https://www.linkedin.com/video/event/urn:li:ugcPost:6982723169144950786/ Facebook: https://www.facebook.com/events/390328576642133 WeChat: recording will be posted on OpenStack WeChat after the live stream Speakers: Kendall Nelson, OpenInfra Foundation Carlos Silva, Manila Jay Faulkner, Ironic Sylvain Bauza, Nova Lajos Katona, Neutron Wu Wenxiang, Skyline Martin Kopec, Interop Working Group Liye Pang, Venus Have an idea for a future episode? Share it now at ideas.openinfra.live . Thanks, Allison -------------- next part -------------- An HTML attachment was scrubbed... URL: From yuta.kazato.nw at hco.ntt.co.jp Thu Oct 6 01:27:28 2022 From: yuta.kazato.nw at hco.ntt.co.jp (Yuta Kazato) Date: Thu, 06 Oct 2022 10:27:28 +0900 Subject: [tacker] Critical bug report and backport the fix Message-ID: Yasufumi, Ueha, Tacker and Release management team Hi, thanks for your agreements and supports it this issue. We could backport fix patches to stable/zed. I'm glad to release Openstack Zed:) https://releases.openstack.org/zed/ See you next Antelope vPTG! Yuta > Hi Yuta and Yasufumi, > > +1 > > And we have a patch for another critical bug related with pm interface. > The bug report [1] and the fix patch [2] have been already posted. > This patch also requires a backport to stable/zed. 
> > [1]https://bugs.launchpad.net/tacker/+bug/1990828 > [2]https://review.opendev.org/c/openstack/tacker/+/859377 > > Best Regards, > Ueha > > -----Original Message----- > From: Yasufumi Ogawa > Sent: Tuesday, September 27, 2022 10:42 AM > To: openstack-discuss at lists.openstack.org > Subject: Re: [tacker] Critical bug report and backport the fix > > Hi Yuta, > > On 2022/09/26 16:57, Yuta Kazato wrote: > > Hi tacker team, > > > > As you know, new bug report #1990793 [1] related to K8s resource name > > and v2 API is submitted by Masaki. > > The bug will appear if K8s resource name contains `-`. > > > > I think this is a critical issue because users often set resource > > names that contain `-`. > Agree. > > > Fortunately, the fix patch [2] has already been submitted. > > > > I suggest that we should backport the fix patch to the stable/zed > > branch before Zed release. > > What do you think? > We should fix the issue in stable/zed, or this k8s support doesn't work for many usecases. > > Yasufumi > > > > [1] https://bugs.launchpad.net/tacker/+bug/1990793 > > [2] https://review.opendev.org/c/openstack/tacker/+/859206 > > > > Yuta > > -- Yuta Kazato (?? ??) NTT Network Innovation Center. tel: +81-422-59-6754 mail:yuta.kazato.nw at hco.ntt.co.jp -------------- next part -------------- An HTML attachment was scrubbed... URL: From gmann at ghanshyammann.com Thu Oct 6 01:41:26 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Wed, 05 Oct 2022 18:41:26 -0700 Subject: [Keystone][Swift] Using policy.json to prohibit specific API operations by policy? In-Reply-To: <6DED637A-A6C0-4DB6-B1CE-00095A8069D0@andrewboring.com> References: <6DED637A-A6C0-4DB6-B1CE-00095A8069D0@andrewboring.com> Message-ID: <183aaf46352.eeddc639217531.3862609893768540939@ghanshyammann.com> ---- On Tue, 04 Oct 2022 15:28:23 -0700 Andrew Boring wrote --- > Hi all, > > > I'm looking to support a situation where one class of Keystone users in a given domain can create Swift containers (either within a single, dedicated project or within their own projects) but *cannot* change ACLs on those containers, while a second class of users *can* alter ACLs on their own containers. > > For example, User A is in the first class (defined by role) and can perform all CRUD operations, EXCEPT update pre-defined ACLmetadata on those containers. User B is in the second class and CAN update ACLs on their respecitive containers, like any other standard user. > > Something like this AWS policy condition ("Granting permissions to multiple accounts with added conditions") is directionally what I'm trying to achieve: > https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-1 > > > Keystone docs imply that I can create policy.json files for all services: > > "You can define actions for OpenStack service roles in the /etc/PROJECT/policy.yaml files. For example, define actions for Compute service roles in the /etc/nova/policy.yaml file." > -https://docs.openstack.org/keystone/yoga/admin/cli-manage-projects-users-and-roles.html > > But I can't find any indication that Swift actually supports this. > > So, does Swift support the Oslo policy.json stuff, and if so, is it documented anywhere? Is it simply a "install oslo policy and add it to the pipeline in proxy-server.conf"? Swift does not use the oslo.policy or policy.json file mechanism to control the access on their APIs. 
I might be able to provide detail about their ACL mechanism but below doc explain some of it: - https://github.com/openstack/swift/blob/3ad39cd0b83a7f70d6c559c7b0e68a2e625be179/doc/source/overview_acl.rst -gmann > > If not, is there another/preferred way to achieve the desired restrictions on Swift API operations by policy for a given Keystone domain? > > Thanks. > > -- > Andrew Boring > andrew at andrewboring.com > > > > > > > From park0kyung0won at dgist.ac.kr Thu Oct 6 02:00:19 2022 From: park0kyung0won at dgist.ac.kr (=?UTF-8?B?67CV6rK97JuQ?=) Date: Thu, 6 Oct 2022 11:00:19 +0900 (KST) Subject: [metadata agent & keystone] Remote metadata server experienced an internal error? Message-ID: <2610420.159983.1665021619542.JavaMail.root@mailwas2> An HTML attachment was scrubbed... URL: From gmann at ghanshyammann.com Thu Oct 6 05:14:56 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Wed, 05 Oct 2022 22:14:56 -0700 Subject: [all][tc] Technical Committee next weekly meeting on 2022 Oct 6 at 1500 UTC In-Reply-To: <1839f6e6053.e2f4eedf40797.2956987166661707844@ghanshyammann.com> References: <1839f6e6053.e2f4eedf40797.2956987166661707844@ghanshyammann.com> Message-ID: <183abb7d9b7.1182af98b219360.2974238188609745154@ghanshyammann.com> Hello Everyone, Below is the agenda for tomorrow's TC meeting scheduled at 1500 UTC. https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting * Roll call * Follow up on past action items * Gate health check ** Bare 'recheck' state *** https://etherpad.opendev.org/p/recheck-weekly-summary ** Zuul config error *** https://etherpad.opendev.org/p/zuul-config-error-openstack * Zed cycle tracker checks ** https://etherpad.opendev.org/p/tc-zed-tracker * 2023.1 cycle PTG Planning ** TC + Leaders interaction sessions *** https://etherpad.opendev.org/p/tc-leaders-interaction-2023-1 ** TC PTG etherpad *** https://etherpad.opendev.org/p/tc-2023-1-ptg ** Schedule 'operator hours' *** https://lists.openstack.org/pipermail/openstack-discuss/2022-September/030301.html * 2023.1 cycle Technical Election & Leaderless projects ** Leaderless projects *** https://etherpad.opendev.org/p/2023.1-leaderless * Open Reviews ** https://review.opendev.org/q/projects:openstack/governance+is:open -gmann ---- On Mon, 03 Oct 2022 12:59:14 -0700 Ghanshyam Mann wrote --- > Hello Everyone, > > The technical Committee's next weekly meeting is scheduled for 2022 Oct 6, at 1500 UTC. > > If you would like to add topics for discussion, please add them to the below wiki page by > Wednesday, Oct 5 at 2100 UTC. > > https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting > > -gmann > > > From noonedeadpunk at gmail.com Thu Oct 6 05:24:55 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Thu, 6 Oct 2022 07:24:55 +0200 Subject: [nova][cinder][glance][manila][masakari][tacker][oslo] Configurable soft-delete In-Reply-To: References: Message-ID: Not having soft delete in the database is really quite bad for operators and it's not about tooling, but it's about audit purposes. If take nova as example, this also means that once server is deleted, event log will be also wiped with no way to see who and when has performed delete action. And that is really used feature, as we got requests like "why my VM has disappeared" at very least one a week. For other services having deleted_at at least points to the datetime where to search in the logs. At the same time I don't see any issue in having soft delete. 
It's just a matter of one systemd-timer, and too concerned about performance can set it to 1 day, thus almost no impact on db performance. So from operator perspective I can say this is very valuable feature and I personally do struggle regularly with neutron services where it's absent. And I would hate this to disappear at all, as it would be really a nightmare. ??, 5 ???. 2022 ?., 14:48 Stephen Finucane : > ? > > I'm planning on bringing this up in the nova rooms at the PTG in a few > weeks, > but I'm also raising it here since this potentially affects other service > projects and I can't attend all of those room :) > > Many projects use the concept of "soft delete" in their database models. A > soft > deletable model typically has two additional columns, 'deleted' and > 'deleted_at'. When deleting such a model, instead of actually deleting the > database row (i.e. 'DELETE FROM table WHERE condition'), we set 'deleted' > to > 'True' and populate the 'deleted_at' column. This is helpful for auditing > purposes (e.g. you can inspect all resources ever created, even after > they've > been "deleted") but bad for database performance (your tables can grow > without > bound). To work around the performance issues, most projects implement > some kind > of archive or purge command that will allow operators to periodically > clean up > these deleted resources. However, at least in nova, we've long since come > to the > conclusion that soft deleting isn't as useful as initially suspected and > the > need to run these commands is additional work for no benefit. We've moved > toward > not using it for all new models. > > With this said, it's going to be difficult to get away from soft-delete > quickly. > Not only are there database migrations involved, but operators will need to > rework their tooling to adapt to a new, no-soft-delete world. As such, I'd > like > to propose a half-way measure of making soft-delete configurable. To do > this, > I'd like to add a new flag in oslo.db, '[database] enable_soft_delete'. > When set > to 'False' anyone using the 'SoftDeleteMixin' from oslo.db would see these > models hard deleted rather than soft deleted when calling 'soft_delete'. > This > would avoid the need for operators to run the various project-specific > purge > tooling. The RFC patch for this is available for review [1]. I can also do > this > on a project-specific basis and have proposed a similar patch for nova [2], > however, doing it in oslo.db means every project that uses > 'SoftDeleteMixin' in > their models will get this for free. Projects that don't (glance, cinder) > can > switch to using this mixin and also get it for free. > > As noted above, I intend to discuss this in the nova room at the PTG, but > I'd be > interested in people's thoughts ahead of time. Do you think this is a good > idea? > Should we proceed with it? Perhaps there are there better ways to do this? > Let > me know! > > Cheers, > Stephen > > [1] https://review.opendev.org/c/openstack/oslo.db/+/860407 > [2] https://review.opendev.org/c/openstack/nova/+/860401 > > > -------------- next part -------------- An HTML attachment was scrubbed... 
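For readers skimming the thread, a minimal sketch of the soft-delete pattern Stephen describes, using oslo.db's SoftDeleteMixin; the Widget model and table name are made up for illustration:

    from oslo_db.sqlalchemy import models
    from sqlalchemy import Column, Integer, String
    from sqlalchemy.ext.declarative import declarative_base

    Base = declarative_base()

    class Widget(Base, models.ModelBase, models.SoftDeleteMixin):
        # SoftDeleteMixin contributes the 'deleted' and 'deleted_at' columns
        __tablename__ = 'widgets'
        id = Column(Integer, primary_key=True)
        name = Column(String(255))

    # "Deleting" only marks the row:
    #     widget.soft_delete(session)  # sets deleted=<row id> and deleted_at=utcnow()
    # so ordinary queries must filter (e.g. .filter_by(deleted=0)) and the rows
    # stay in the table until an archive/purge job removes them.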
URL: From artem.goncharov at gmail.com Thu Oct 6 05:48:19 2022 From: artem.goncharov at gmail.com (Artem Goncharov) Date: Thu, 6 Oct 2022 07:48:19 +0200 Subject: [nova][cinder][glance][manila][masakari][tacker][oslo] Configurable soft-delete In-Reply-To: References: Message-ID: Hey, If this is there mostly for audit purposes then I guess a more efficient solution is to introduce an audit table which will have no performance impact on the "current state" of service. Audit records are also never updated means performance here is relatively straight forward. Audit may become a "feature" with enable switch. This should be a better solution rather then letting db permanently grow and forcing admins to constantly "fight" against it. This also gives a much cleaner audit experience. Actually this is also not a new approach and is being followed in many places (i.e. auditd) Regards, Artem ---- typed from mobile, auto-correct typos assumed ---- On Thu, Oct 6, 2022, 07:27 Dmitriy Rabotyagov wrote: > Not having soft delete in the database is really quite bad for operators > and it's not about tooling, but it's about audit purposes. > > If take nova as example, this also means that once server is deleted, > event log will be also wiped with no way to see who and when has performed > delete action. And that is really used feature, as we got requests like > "why my VM has disappeared" at very least one a week. > > For other services having deleted_at at least points to the datetime where > to search in the logs. > > At the same time I don't see any issue in having soft delete. It's just a > matter of one systemd-timer, and too concerned about performance can set it > to 1 day, thus almost no impact on db performance. > > So from operator perspective I can say this is very valuable feature and I > personally do struggle regularly with neutron services where it's absent. > And I would hate this to disappear at all, as it would be really a > nightmare. > > ??, 5 ???. 2022 ?., 14:48 Stephen Finucane : > >> ? >> >> I'm planning on bringing this up in the nova rooms at the PTG in a few >> weeks, >> but I'm also raising it here since this potentially affects other service >> projects and I can't attend all of those room :) >> >> Many projects use the concept of "soft delete" in their database models. >> A soft >> deletable model typically has two additional columns, 'deleted' and >> 'deleted_at'. When deleting such a model, instead of actually deleting the >> database row (i.e. 'DELETE FROM table WHERE condition'), we set 'deleted' >> to >> 'True' and populate the 'deleted_at' column. This is helpful for auditing >> purposes (e.g. you can inspect all resources ever created, even after >> they've >> been "deleted") but bad for database performance (your tables can grow >> without >> bound). To work around the performance issues, most projects implement >> some kind >> of archive or purge command that will allow operators to periodically >> clean up >> these deleted resources. However, at least in nova, we've long since come >> to the >> conclusion that soft deleting isn't as useful as initially suspected and >> the >> need to run these commands is additional work for no benefit. We've moved >> toward >> not using it for all new models. >> >> With this said, it's going to be difficult to get away from soft-delete >> quickly. >> Not only are there database migrations involved, but operators will need >> to >> rework their tooling to adapt to a new, no-soft-delete world. 
As such, >> I'd like >> to propose a half-way measure of making soft-delete configurable. To do >> this, >> I'd like to add a new flag in oslo.db, '[database] enable_soft_delete'. >> When set >> to 'False' anyone using the 'SoftDeleteMixin' from oslo.db would see these >> models hard deleted rather than soft deleted when calling 'soft_delete'. >> This >> would avoid the need for operators to run the various project-specific >> purge >> tooling. The RFC patch for this is available for review [1]. I can also >> do this >> on a project-specific basis and have proposed a similar patch for nova >> [2], >> however, doing it in oslo.db means every project that uses >> 'SoftDeleteMixin' in >> their models will get this for free. Projects that don't (glance, cinder) >> can >> switch to using this mixin and also get it for free. >> >> As noted above, I intend to discuss this in the nova room at the PTG, but >> I'd be >> interested in people's thoughts ahead of time. Do you think this is a >> good idea? >> Should we proceed with it? Perhaps there are there better ways to do >> this? Let >> me know! >> >> Cheers, >> Stephen >> >> [1] https://review.opendev.org/c/openstack/oslo.db/+/860407 >> [2] https://review.opendev.org/c/openstack/nova/+/860401 >> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From noonedeadpunk at gmail.com Thu Oct 6 07:08:19 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Thu, 6 Oct 2022 09:08:19 +0200 Subject: [nova][cinder][glance][manila][masakari][tacker][oslo] Configurable soft-delete In-Reply-To: References: Message-ID: Oh, yes, this is a good alternative. Actually I was thinking about smth like "openstack event list" (as only nova does have that) for quite a while, but without having the resources to lead and help out in implementation across projects I didn't dare to raise this topic. But it's probably high time to start discussing it at the very least and make a proposal as a community goal based on the outcome of these discussions. ??, 6 ???. 2022 ?., 07:48 Artem Goncharov : > Hey, > > If this is there mostly for audit purposes then I guess a more efficient > solution is to introduce an audit table which will have no performance > impact on the "current state" of service. Audit records are also never > updated means performance here is relatively straight forward. Audit may > become a "feature" with enable switch. > > This should be a better solution rather then letting db permanently grow > and forcing admins to constantly "fight" against it. This also gives a much > cleaner audit experience. Actually this is also not a new approach and is > being followed in many places (i.e. auditd) > > Regards, > Artem > > ---- > typed from mobile, auto-correct typos assumed > ---- > > On Thu, Oct 6, 2022, 07:27 Dmitriy Rabotyagov > wrote: > >> Not having soft delete in the database is really quite bad for operators >> and it's not about tooling, but it's about audit purposes. >> >> If take nova as example, this also means that once server is deleted, >> event log will be also wiped with no way to see who and when has performed >> delete action. And that is really used feature, as we got requests like >> "why my VM has disappeared" at very least one a week. >> >> For other services having deleted_at at least points to the datetime >> where to search in the logs. >> >> At the same time I don't see any issue in having soft delete. 
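A rough sketch of the separate audit-table idea Artem describes above (all names here are hypothetical): rows are append-only, so the tables serving API requests stay small while the history survives hard deletes:

    from datetime import datetime, timezone
    from sqlalchemy import Column, DateTime, Integer, String, Text
    from sqlalchemy.ext.declarative import declarative_base

    Base = declarative_base()

    class ResourceAuditLog(Base):
        # one row per lifecycle event; inserted once, never updated
        __tablename__ = 'resource_audit_log'
        id = Column(Integer, primary_key=True)
        resource_uuid = Column(String(36), index=True)
        action = Column(String(32))        # e.g. 'create', 'delete'
        actor = Column(String(255))        # user/project that requested the action
        recorded_at = Column(DateTime, default=lambda: datetime.now(timezone.utc))
        detail = Column(Text, nullable=True)

An audit table like this can be rotated or archived on its own schedule without touching the live resource tables.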
It's just a >> matter of one systemd-timer, and too concerned about performance can set it >> to 1 day, thus almost no impact on db performance. >> >> So from operator perspective I can say this is very valuable feature and >> I personally do struggle regularly with neutron services where it's absent. >> And I would hate this to disappear at all, as it would be really a >> nightmare. >> >> ??, 5 ???. 2022 ?., 14:48 Stephen Finucane : >> >>> ? >>> >>> I'm planning on bringing this up in the nova rooms at the PTG in a few >>> weeks, >>> but I'm also raising it here since this potentially affects other service >>> projects and I can't attend all of those room :) >>> >>> Many projects use the concept of "soft delete" in their database models. >>> A soft >>> deletable model typically has two additional columns, 'deleted' and >>> 'deleted_at'. When deleting such a model, instead of actually deleting >>> the >>> database row (i.e. 'DELETE FROM table WHERE condition'), we set >>> 'deleted' to >>> 'True' and populate the 'deleted_at' column. This is helpful for auditing >>> purposes (e.g. you can inspect all resources ever created, even after >>> they've >>> been "deleted") but bad for database performance (your tables can grow >>> without >>> bound). To work around the performance issues, most projects implement >>> some kind >>> of archive or purge command that will allow operators to periodically >>> clean up >>> these deleted resources. However, at least in nova, we've long since >>> come to the >>> conclusion that soft deleting isn't as useful as initially suspected and >>> the >>> need to run these commands is additional work for no benefit. We've >>> moved toward >>> not using it for all new models. >>> >>> With this said, it's going to be difficult to get away from soft-delete >>> quickly. >>> Not only are there database migrations involved, but operators will need >>> to >>> rework their tooling to adapt to a new, no-soft-delete world. As such, >>> I'd like >>> to propose a half-way measure of making soft-delete configurable. To do >>> this, >>> I'd like to add a new flag in oslo.db, '[database] enable_soft_delete'. >>> When set >>> to 'False' anyone using the 'SoftDeleteMixin' from oslo.db would see >>> these >>> models hard deleted rather than soft deleted when calling 'soft_delete'. >>> This >>> would avoid the need for operators to run the various project-specific >>> purge >>> tooling. The RFC patch for this is available for review [1]. I can also >>> do this >>> on a project-specific basis and have proposed a similar patch for nova >>> [2], >>> however, doing it in oslo.db means every project that uses >>> 'SoftDeleteMixin' in >>> their models will get this for free. Projects that don't (glance, >>> cinder) can >>> switch to using this mixin and also get it for free. >>> >>> As noted above, I intend to discuss this in the nova room at the PTG, >>> but I'd be >>> interested in people's thoughts ahead of time. Do you think this is a >>> good idea? >>> Should we proceed with it? Perhaps there are there better ways to do >>> this? Let >>> me know! >>> >>> Cheers, >>> Stephen >>> >>> [1] https://review.opendev.org/c/openstack/oslo.db/+/860407 >>> [2] https://review.opendev.org/c/openstack/nova/+/860401 >>> >>> >>> -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From sbauza at redhat.com Thu Oct 6 07:38:04 2022 From: sbauza at redhat.com (Sylvain Bauza) Date: Thu, 6 Oct 2022 09:38:04 +0200 Subject: [nova][cinder][glance][manila][masakari][tacker][oslo] Configurable soft-delete In-Reply-To: References: Message-ID: Le jeu. 6 oct. 2022 ? 07:54, Artem Goncharov a ?crit : > Hey, > > If this is there mostly for audit purposes then I guess a more efficient > solution is to introduce an audit table which will have no performance > impact on the "current state" of service. Audit records are also never > updated means performance here is relatively straight forward. Audit may > become a "feature" with enable switch. > > This should be a better solution rather then letting db permanently grow > and forcing admins to constantly "fight" against it. This also gives a much > cleaner audit experience. Actually this is also not a new approach and is > being followed in many places (i.e. auditd) > > This isn't true. Any operator that sees the Nova DBs [1] growing can use two commands (or just cron them) : nova-manage db archive_deleted_rows nova-manage db purge The first command will archive the soft-deleted records to another table and the second one will purge them. Here, I don't see why we would change this by a configuration option, but we can discuss this at the PTG like Stephen said. -Sylvain Regards, > Artem > > ---- > typed from mobile, auto-correct typos assumed > ---- > > On Thu, Oct 6, 2022, 07:27 Dmitriy Rabotyagov > wrote: > >> Not having soft delete in the database is really quite bad for operators >> and it's not about tooling, but it's about audit purposes. >> >> If take nova as example, this also means that once server is deleted, >> event log will be also wiped with no way to see who and when has performed >> delete action. And that is really used feature, as we got requests like >> "why my VM has disappeared" at very least one a week. >> >> For other services having deleted_at at least points to the datetime >> where to search in the logs. >> >> At the same time I don't see any issue in having soft delete. It's just a >> matter of one systemd-timer, and too concerned about performance can set it >> to 1 day, thus almost no impact on db performance. >> >> So from operator perspective I can say this is very valuable feature and >> I personally do struggle regularly with neutron services where it's absent. >> And I would hate this to disappear at all, as it would be really a >> nightmare. >> >> ??, 5 ???. 2022 ?., 14:48 Stephen Finucane : >> >>> ? >>> >>> I'm planning on bringing this up in the nova rooms at the PTG in a few >>> weeks, >>> but I'm also raising it here since this potentially affects other service >>> projects and I can't attend all of those room :) >>> >>> Many projects use the concept of "soft delete" in their database models. >>> A soft >>> deletable model typically has two additional columns, 'deleted' and >>> 'deleted_at'. When deleting such a model, instead of actually deleting >>> the >>> database row (i.e. 'DELETE FROM table WHERE condition'), we set >>> 'deleted' to >>> 'True' and populate the 'deleted_at' column. This is helpful for auditing >>> purposes (e.g. you can inspect all resources ever created, even after >>> they've >>> been "deleted") but bad for database performance (your tables can grow >>> without >>> bound). To work around the performance issues, most projects implement >>> some kind >>> of archive or purge command that will allow operators to periodically >>> clean up >>> these deleted resources. 
However, at least in nova, we've long since >>> come to the >>> conclusion that soft deleting isn't as useful as initially suspected and >>> the >>> need to run these commands is additional work for no benefit. We've >>> moved toward >>> not using it for all new models. >>> >>> With this said, it's going to be difficult to get away from soft-delete >>> quickly. >>> Not only are there database migrations involved, but operators will need >>> to >>> rework their tooling to adapt to a new, no-soft-delete world. As such, >>> I'd like >>> to propose a half-way measure of making soft-delete configurable. To do >>> this, >>> I'd like to add a new flag in oslo.db, '[database] enable_soft_delete'. >>> When set >>> to 'False' anyone using the 'SoftDeleteMixin' from oslo.db would see >>> these >>> models hard deleted rather than soft deleted when calling 'soft_delete'. >>> This >>> would avoid the need for operators to run the various project-specific >>> purge >>> tooling. The RFC patch for this is available for review [1]. I can also >>> do this >>> on a project-specific basis and have proposed a similar patch for nova >>> [2], >>> however, doing it in oslo.db means every project that uses >>> 'SoftDeleteMixin' in >>> their models will get this for free. Projects that don't (glance, >>> cinder) can >>> switch to using this mixin and also get it for free. >>> >>> As noted above, I intend to discuss this in the nova room at the PTG, >>> but I'd be >>> interested in people's thoughts ahead of time. Do you think this is a >>> good idea? >>> Should we proceed with it? Perhaps there are there better ways to do >>> this? Let >>> me know! >>> >>> Cheers, >>> Stephen >>> >>> [1] https://review.opendev.org/c/openstack/oslo.db/+/860407 >>> [2] https://review.opendev.org/c/openstack/nova/+/860401 >>> >>> >>> -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbauza at redhat.com Thu Oct 6 07:48:49 2022 From: sbauza at redhat.com (Sylvain Bauza) Date: Thu, 6 Oct 2022 09:48:49 +0200 Subject: [nova][cinder][glance][manila][masakari][tacker][oslo] Configurable soft-delete In-Reply-To: References: Message-ID: Le jeu. 6 oct. 2022 ? 09:38, Sylvain Bauza a ?crit : > > > Le jeu. 6 oct. 2022 ? 07:54, Artem Goncharov > a ?crit : > >> Hey, >> >> If this is there mostly for audit purposes then I guess a more efficient >> solution is to introduce an audit table which will have no performance >> impact on the "current state" of service. Audit records are also never >> updated means performance here is relatively straight forward. Audit may >> become a "feature" with enable switch. >> >> This should be a better solution rather then letting db permanently grow >> and forcing admins to constantly "fight" against it. This also gives a much >> cleaner audit experience. Actually this is also not a new approach and is >> being followed in many places (i.e. auditd) >> >> > This isn't true. Any operator that sees the Nova DBs [1] growing can use > two commands (or just cron them) : > nova-manage db archive_deleted_rows > nova-manage db purge > > The first command will archive the soft-deleted records to another table > and the second one will purge them. > My apologies, forgot to add the link https://docs.openstack.org/nova/rocky/cli/nova-manage.html#nova-database Also, forgot the footnote [1] actually only the nova cell DBs are supporting soft-delete records, we don't have this for the API DB. 
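To make the "just cron them" / "one systemd-timer" approach concrete, a hedged example of a daily archive job; the flags below exist in recent nova-manage releases, but check the documentation for the release you run:

    # /etc/cron.d-style entry (or the ExecStart of a systemd oneshot service driven by a timer)
    0 3 * * * nova /usr/bin/nova-manage db archive_deleted_rows --until-complete --purge

With --purge the shadow tables are emptied in the same run, so a separate "nova-manage db purge" invocation is not needed.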
> Here, I don't see why we would change this by a configuration option, but > we can discuss this at the PTG like Stephen said. > -Sylvain > > > Regards, >> Artem >> >> ---- >> typed from mobile, auto-correct typos assumed >> ---- >> >> On Thu, Oct 6, 2022, 07:27 Dmitriy Rabotyagov >> wrote: >> >>> Not having soft delete in the database is really quite bad for operators >>> and it's not about tooling, but it's about audit purposes. >>> >>> If take nova as example, this also means that once server is deleted, >>> event log will be also wiped with no way to see who and when has performed >>> delete action. And that is really used feature, as we got requests like >>> "why my VM has disappeared" at very least one a week. >>> >>> For other services having deleted_at at least points to the datetime >>> where to search in the logs. >>> >>> At the same time I don't see any issue in having soft delete. It's just >>> a matter of one systemd-timer, and too concerned about performance can set >>> it to 1 day, thus almost no impact on db performance. >>> >>> So from operator perspective I can say this is very valuable feature and >>> I personally do struggle regularly with neutron services where it's absent. >>> And I would hate this to disappear at all, as it would be really a >>> nightmare. >>> >>> ??, 5 ???. 2022 ?., 14:48 Stephen Finucane : >>> >>>> ? >>>> >>>> I'm planning on bringing this up in the nova rooms at the PTG in a few >>>> weeks, >>>> but I'm also raising it here since this potentially affects other >>>> service >>>> projects and I can't attend all of those room :) >>>> >>>> Many projects use the concept of "soft delete" in their database >>>> models. A soft >>>> deletable model typically has two additional columns, 'deleted' and >>>> 'deleted_at'. When deleting such a model, instead of actually deleting >>>> the >>>> database row (i.e. 'DELETE FROM table WHERE condition'), we set >>>> 'deleted' to >>>> 'True' and populate the 'deleted_at' column. This is helpful for >>>> auditing >>>> purposes (e.g. you can inspect all resources ever created, even after >>>> they've >>>> been "deleted") but bad for database performance (your tables can grow >>>> without >>>> bound). To work around the performance issues, most projects implement >>>> some kind >>>> of archive or purge command that will allow operators to periodically >>>> clean up >>>> these deleted resources. However, at least in nova, we've long since >>>> come to the >>>> conclusion that soft deleting isn't as useful as initially suspected >>>> and the >>>> need to run these commands is additional work for no benefit. We've >>>> moved toward >>>> not using it for all new models. >>>> >>>> With this said, it's going to be difficult to get away from soft-delete >>>> quickly. >>>> Not only are there database migrations involved, but operators will >>>> need to >>>> rework their tooling to adapt to a new, no-soft-delete world. As such, >>>> I'd like >>>> to propose a half-way measure of making soft-delete configurable. To do >>>> this, >>>> I'd like to add a new flag in oslo.db, '[database] enable_soft_delete'. >>>> When set >>>> to 'False' anyone using the 'SoftDeleteMixin' from oslo.db would see >>>> these >>>> models hard deleted rather than soft deleted when calling >>>> 'soft_delete'. This >>>> would avoid the need for operators to run the various project-specific >>>> purge >>>> tooling. The RFC patch for this is available for review [1]. 
I can also >>>> do this >>>> on a project-specific basis and have proposed a similar patch for nova >>>> [2], >>>> however, doing it in oslo.db means every project that uses >>>> 'SoftDeleteMixin' in >>>> their models will get this for free. Projects that don't (glance, >>>> cinder) can >>>> switch to using this mixin and also get it for free. >>>> >>>> As noted above, I intend to discuss this in the nova room at the PTG, >>>> but I'd be >>>> interested in people's thoughts ahead of time. Do you think this is a >>>> good idea? >>>> Should we proceed with it? Perhaps there are there better ways to do >>>> this? Let >>>> me know! >>>> >>>> Cheers, >>>> Stephen >>>> >>>> [1] https://review.opendev.org/c/openstack/oslo.db/+/860407 >>>> [2] https://review.opendev.org/c/openstack/nova/+/860401 >>>> >>>> >>>> -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbauza at redhat.com Thu Oct 6 07:50:35 2022 From: sbauza at redhat.com (Sylvain Bauza) Date: Thu, 6 Oct 2022 09:50:35 +0200 Subject: [nova][cinder][glance][manila][masakari][tacker][oslo] Configurable soft-delete In-Reply-To: References: Message-ID: Le jeu. 6 oct. 2022 ? 09:48, Sylvain Bauza a ?crit : > > > Le jeu. 6 oct. 2022 ? 09:38, Sylvain Bauza a ?crit : > >> >> >> Le jeu. 6 oct. 2022 ? 07:54, Artem Goncharov >> a ?crit : >> >>> Hey, >>> >>> If this is there mostly for audit purposes then I guess a more efficient >>> solution is to introduce an audit table which will have no performance >>> impact on the "current state" of service. Audit records are also never >>> updated means performance here is relatively straight forward. Audit may >>> become a "feature" with enable switch. >>> >>> This should be a better solution rather then letting db permanently grow >>> and forcing admins to constantly "fight" against it. This also gives a much >>> cleaner audit experience. Actually this is also not a new approach and is >>> being followed in many places (i.e. auditd) >>> >>> >> This isn't true. Any operator that sees the Nova DBs [1] growing can use >> two commands (or just cron them) : >> nova-manage db archive_deleted_rows >> nova-manage db purge >> >> The first command will archive the soft-deleted records to another table >> and the second one will purge them. >> > > My apologies, forgot to add the link > https://docs.openstack.org/nova/rocky/cli/nova-manage.html#nova-database > > Morning not caffeinated yet, sorry. Wrong link : https://docs.openstack.org/nova/latest/cli/nova-manage.html#db-archive-deleted-rows Also, forgot the footnote > [1] actually only the nova cell DBs are supporting soft-delete records, we > don't have this for the API DB. > > >> Here, I don't see why we would change this by a configuration option, but >> we can discuss this at the PTG like Stephen said. >> -Sylvain >> >> >> Regards, >>> Artem >>> >>> ---- >>> typed from mobile, auto-correct typos assumed >>> ---- >>> >>> On Thu, Oct 6, 2022, 07:27 Dmitriy Rabotyagov >>> wrote: >>> >>>> Not having soft delete in the database is really quite bad for >>>> operators and it's not about tooling, but it's about audit purposes. >>>> >>>> If take nova as example, this also means that once server is deleted, >>>> event log will be also wiped with no way to see who and when has performed >>>> delete action. And that is really used feature, as we got requests like >>>> "why my VM has disappeared" at very least one a week. >>>> >>>> For other services having deleted_at at least points to the datetime >>>> where to search in the logs. 
>>>> >>>> At the same time I don't see any issue in having soft delete. It's just >>>> a matter of one systemd-timer, and too concerned about performance can set >>>> it to 1 day, thus almost no impact on db performance. >>>> >>>> So from operator perspective I can say this is very valuable feature >>>> and I personally do struggle regularly with neutron services where it's >>>> absent. And I would hate this to disappear at all, as it would be really a >>>> nightmare. >>>> >>>> ??, 5 ???. 2022 ?., 14:48 Stephen Finucane : >>>> >>>>> ? >>>>> >>>>> I'm planning on bringing this up in the nova rooms at the PTG in a few >>>>> weeks, >>>>> but I'm also raising it here since this potentially affects other >>>>> service >>>>> projects and I can't attend all of those room :) >>>>> >>>>> Many projects use the concept of "soft delete" in their database >>>>> models. A soft >>>>> deletable model typically has two additional columns, 'deleted' and >>>>> 'deleted_at'. When deleting such a model, instead of actually deleting >>>>> the >>>>> database row (i.e. 'DELETE FROM table WHERE condition'), we set >>>>> 'deleted' to >>>>> 'True' and populate the 'deleted_at' column. This is helpful for >>>>> auditing >>>>> purposes (e.g. you can inspect all resources ever created, even after >>>>> they've >>>>> been "deleted") but bad for database performance (your tables can grow >>>>> without >>>>> bound). To work around the performance issues, most projects implement >>>>> some kind >>>>> of archive or purge command that will allow operators to periodically >>>>> clean up >>>>> these deleted resources. However, at least in nova, we've long since >>>>> come to the >>>>> conclusion that soft deleting isn't as useful as initially suspected >>>>> and the >>>>> need to run these commands is additional work for no benefit. We've >>>>> moved toward >>>>> not using it for all new models. >>>>> >>>>> With this said, it's going to be difficult to get away from >>>>> soft-delete quickly. >>>>> Not only are there database migrations involved, but operators will >>>>> need to >>>>> rework their tooling to adapt to a new, no-soft-delete world. As such, >>>>> I'd like >>>>> to propose a half-way measure of making soft-delete configurable. To >>>>> do this, >>>>> I'd like to add a new flag in oslo.db, '[database] >>>>> enable_soft_delete'. When set >>>>> to 'False' anyone using the 'SoftDeleteMixin' from oslo.db would see >>>>> these >>>>> models hard deleted rather than soft deleted when calling >>>>> 'soft_delete'. This >>>>> would avoid the need for operators to run the various project-specific >>>>> purge >>>>> tooling. The RFC patch for this is available for review [1]. I can >>>>> also do this >>>>> on a project-specific basis and have proposed a similar patch for nova >>>>> [2], >>>>> however, doing it in oslo.db means every project that uses >>>>> 'SoftDeleteMixin' in >>>>> their models will get this for free. Projects that don't (glance, >>>>> cinder) can >>>>> switch to using this mixin and also get it for free. >>>>> >>>>> As noted above, I intend to discuss this in the nova room at the PTG, >>>>> but I'd be >>>>> interested in people's thoughts ahead of time. Do you think this is a >>>>> good idea? >>>>> Should we proceed with it? Perhaps there are there better ways to do >>>>> this? Let >>>>> me know! 
>>>>> >>>>> Cheers, >>>>> Stephen >>>>> >>>>> [1] https://review.opendev.org/c/openstack/oslo.db/+/860407 >>>>> [2] https://review.opendev.org/c/openstack/nova/+/860401 >>>>> >>>>> >>>>> -------------- next part -------------- An HTML attachment was scrubbed... URL: From ralonsoh at redhat.com Thu Oct 6 08:07:38 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Thu, 6 Oct 2022 10:07:38 +0200 Subject: Query about networking-onos for newer OpenStack releases In-Reply-To: References: Message-ID: Hello Aditya: If you don't have any specific requirement, I would choose one of the Neutron in-tree ML2 plugins: ML2/OVS or ML2/OVN (and ML2/SR-IOV, that can run with the other two). About which one you can choose, I won't point you to any of them. I would prefer you to review the different architectures: * OVS: https://docs.openstack.org/liberty/networking-guide/scenario-classic-ovs.html (this is an old but still valid document to see the different ML2/OVS deployments) * OVN: https://www.openstack.org/videos/summits/austin-2016/practical-ovn-architecture-deployment-and-scale-of-openstack-networking Regards. On Wed, Oct 5, 2022 at 10:37 PM Aditya Sathish wrote: > Hi Lajos and Rodolfo, > > First of all thank you for your previous replies. After discussing it with > my team over here, we have decided to look at other alternatives beyond > ONOS for implementing an SDN controller with OpenStack. > > Lajos, as you mentioned about OVN, we can perform SDN control on the VM > instances using this. One extension we would like to do is to use OVN to > control an openflow hardware switch. The idea is to allow different users > over a network to access the VM instances. Any idea if I can get this done > through OVN? > > I also tried to check out OpenDayLight but even this has not been updated > in some time. > > Any replies would be greatly appreciated! > > Regards, > Aditya > > On Thu, Sep 22, 2022 at 12:22 PM Lajos Katona > wrote: > >> Seems gmail lost some chars from Rodolfo's address, resending. >> >> Lajos Katona ezt ?rta (id?pont: 2022. szept. 22., >> Cs, 17:55): >> >>> Hi, >>> Thanks for considering this question. I do not add this topic now to the >>> agenda, of course it can be discussed any time :-) >>> In openstack OVN as an SDN controller is tested, and more and more >>> companies are using it, so for long term I would check it. >>> OVN is now in-tree in Neutron code base, meaning that you don't need any >>> extra code, you can just use Neutron. >>> OVN uses OVS as soft switch and the OVN code is written in C, and >>> originally started by the same team who develops OVS. >>> >>> If you need any advice, or would like to discuss any topics with the >>> team just ping us on #openstack-neutron channel. >>> >>> Best wishes >>> Lajos Katona (lajoskatona) >>> >>> >>> Aditya Sathish ezt ?rta (id?pont: 2022. szept. 22., >>> Cs, 17:00): >>> >>>> Hi Lajos, >>>> >>>> Thank you for the email. Unfortunately, I'm not sure if I can dedicate >>>> time to maintain this release-on-release. However, I forked the >>>> networking-onos repository and currently verified it with DevStack Zed >>>> along with tempest. (https://github.com/adityasathis/networking-onos). >>>> Considering the changes so far involved only replacing some code to account >>>> for changes in the ML2 callback interface, I think the support should not >>>> be too time consuming if we assume that the ML2 plugin interface remains >>>> the same. 
>>>> >>>> If we cannot find a way to support networking-onos for long-term >>>> support, do you know a better way to understand the industry implementation >>>> of using SDN controllers with OpenStack? >>>> >>>> Regards, >>>> Aditya. >>>> >>>> On Thu, Sep 22, 2022 at 10:46 AM Lajos Katona >>>> wrote: >>>> >>>>> Hi, >>>>> Do you think that you can maintain networking-onos, if you think yes, >>>>> we can discuss this topic on next drivers meeting (as Rodolfo wrote >>>>> previously). >>>>> Just ping me on IRC (#openstack-neutron lajoskatona) and I add this >>>>> topic for you to the agenda: >>>>> https://wiki.openstack.org/wiki/Meetings/NeutronDrivers >>>>> >>>>> Best Wishes >>>>> Lajos Katona (lajoskatona) >>>>> >>>>> Aditya Sathish ezt ?rta (id?pont: 2022. szept. 20., >>>>> K, 17:48): >>>>> >>>>>> Hello! >>>>>> >>>>>> I am trying to integrate an SDN controller with our lab's OpenStack >>>>>> network. Currently, we have already deployed a version of ONOS to serve our >>>>>> needs and I have been following the SONA project which uses the >>>>>> networking-onos ML2 plugin with OpenStack. However, it seems that the >>>>>> networking-onos project has been retired since the Train release. >>>>>> >>>>>> Is there any way I can get ONOS to work with OpenStack Yoga? If not, >>>>>> what is the go-to way to integrate an SDN controller with OpenFlow support >>>>>> with Neutron?? >>>>>> >>>>>> Any help will be much appreciated. >>>>>> >>>>>> Regards, >>>>>> Aditya. >>>>>> >>>>> -------------- next part -------------- An HTML attachment was scrubbed... URL: From geguileo at redhat.com Thu Oct 6 08:44:40 2022 From: geguileo at redhat.com (Gorka Eguileor) Date: Thu, 6 Oct 2022 10:44:40 +0200 Subject: [nova][cinder][glance][manila][masakari][tacker][oslo] Configurable soft-delete In-Reply-To: References: Message-ID: <20221006084440.vvg6qdqdcmrdxusl@localhost> On 06/10, Dmitriy Rabotyagov wrote: > Oh, yes, this is a good alternative. > Actually I was thinking about smth like "openstack event list" > (as only nova does have that) for quite a while, but without having the > resources to lead and help out in implementation across projects I didn't > dare to raise this topic. But it's probably high time to start discussing > it at the very least and make a proposal as a community goal based on the > outcome of these discussions. > Hi, The Cinder team has also been exploring the idea of having transaction records to help operators see the series of operations on resources (to figure out what happened to a resource) as well as help see what operations are currently happening (great for planning upgrades or bouncing services to other nodes) [1]. If this is going to be a completely new feature in all projects we may want to agree on some commonalities such as naming and available functionality: - Transaction history, including deleted resources - Ongoing operations: - Detailed: All info for each of the transactions - Summary: - Global: i.e. 10 migrations, 3 attachments - By host: i.e. Host1: 5 migrations | Host2: 5 migrations, 3 attachments [1]: https://review.opendev.org/c/openstack/cinder-specs/+/845176/2/specs/zed/transaction-tracking.rst > ??, 6 ???. 2022 ?., 07:48 Artem Goncharov : > > > Hey, > > > > If this is there mostly for audit purposes then I guess a more efficient > > solution is to introduce an audit table which will have no performance > > impact on the "current state" of service. Audit records are also never > > updated means performance here is relatively straight forward. 
Audit may > > become a "feature" with enable switch. > > > > This should be a better solution rather then letting db permanently grow > > and forcing admins to constantly "fight" against it. This also gives a much > > cleaner audit experience. Actually this is also not a new approach and is > > being followed in many places (i.e. auditd) > > > > Regards, > > Artem > > > >>> With this said, it's going to be difficult to get away from > >>> soft-delete quickly. Not only are there database migrations > >>> involved, but operators will need to rework their tooling to adapt > >>> to a new, no-soft-delete world. As such, I'd like to propose a > >>> half-way measure of making soft-delete configurable. To do this, > >>> I'd like to add a new flag in oslo.db, '[database] > >>> enable_soft_delete'. When set to 'False' anyone using the > >>> 'SoftDeleteMixin' from oslo.db would see these models hard deleted > >>> rather than soft deleted when calling 'soft_delete'. This would I don't think it's a big deal, but from the Cinder perspective this would require additional work, because in our DB layer we only use the `soft_delete` method for 3 tables: Volume Types, Volume Type Access, and Group Type Access. All other tables use other mechanisms to do the soft deletes. Cheers, Gorka. > >>> avoid the need for operators to run the various project-specific > >>> purge tooling. The RFC patch for this is available for review [1]. > >>> I can also do this on a project-specific basis and have proposed a > >>> similar patch for nova [2], however, doing it in oslo.db means > >>> every project that uses 'SoftDeleteMixin' in their models will get > >>> this for free. Projects that don't (glance, cinder) can switch to > >>> using this mixin and also get it for free. > >>> > >>> As noted above, I intend to discuss this in the nova room at the PTG, > >>> but I'd be > >>> interested in people's thoughts ahead of time. Do you think this is a > >>> good idea? > >>> Should we proceed with it? Perhaps there are there better ways to do > >>> this? Let > >>> me know! > >>> > >>> Cheers, > >>> Stephen > >>> > >>> [1] https://review.opendev.org/c/openstack/oslo.db/+/860407 > >>> [2] https://review.opendev.org/c/openstack/nova/+/860401 > >>> > >>> > >>> From sbauza at redhat.com Thu Oct 6 12:20:54 2022 From: sbauza at redhat.com (Sylvain Bauza) Date: Thu, 6 Oct 2022 14:20:54 +0200 Subject: [nova][placement] add your PTG topics before Oct-06 please ! In-Reply-To: References: Message-ID: Le jeu. 29 sept. 2022 ? 10:14, Sylvain Bauza a ?crit : > Hi folks, > > as I said in the nova meeting, I'd like to create an agenda for our PTG > topics. Given the PTG is in 3 weeks, please provide your topics you'd like > to discuss at the PTG in [1] so I could look at them and try to provide an > agenda for them. > Eventually, I'd love to have most of the topics by Oct 6th as I said in > the title so the agenda would be on the Friday Oct 7th. > > Also, if you can't be in the Nova PTG sessions for all the PTG schedule > (between Tues and Fri for Nova), just add in the topic when you would like > to be around. > > As a reminder, please provide your topics today if you can, I'll provide an agenda by tomorrow with the existing topics, if we will have other topics, they would be discussed when we have time, then. Thanks, -S > Thanks, > -Sylvain > > [1] https://etherpad.opendev.org/p/nova-antelope-ptg > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From jackdawblues at gmail.com Thu Oct 6 08:23:07 2022 From: jackdawblues at gmail.com (jackdaw blues) Date: Thu, 6 Oct 2022 11:23:07 +0300 Subject: [SECURITY] Openstack Security Assessments Message-ID: Hi all, I am currently leading a team of offensive security engineers and we are trying to create a checklist for each component of Openstack in the context of Security Assessment. At the end of the day what we want to end up with is common exploitable configuration weaknesses for each component. It will be against configuration or installation mistakes that result in unintended privileges or information disclosure, etc. Patch management isn't in scope. Not the exact output, but these links can give a good idea of the contents of the security assessment we are planning (these are for AWS): http://flaws.cloud/ http://flaws2.cloud/ Has anyone had any experience regarding the topic above? If so please feel free to connect. Regardless of the experience, if you want to contribute and at mark zero just like we are, you are still welcome and we can help each other create this assessment checklist. Cheers, Asil -------------- next part -------------- An HTML attachment was scrubbed... URL: From soukessou at gmail.com Thu Oct 6 13:32:20 2022 From: soukessou at gmail.com (samir oukessou) Date: Thu, 6 Oct 2022 14:32:20 +0100 Subject: Limit Access to a Group for a Project- Openstack 13 & 17 Message-ID: Dears, I have a question regarding Openstack, is it possible to limit access for a user to get read only on a specific project that he can only see the instances in that project and eliminate the actions edit,start,stop or delete instance ? i have tried some tests grant *member* role only to the group but all users in the group were able to do everything with the instances thank you in advance, Samir -------------- next part -------------- An HTML attachment was scrubbed... URL: From fungi at yuggoth.org Thu Oct 6 14:55:20 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Thu, 6 Oct 2022 14:55:20 +0000 Subject: [security-sig] Openstack Security Assessments In-Reply-To: References: Message-ID: <20221006145520.wk3dhow2wrz3vyr5@yuggoth.org> [I'm keeping you in Cc since you don't appear to be subscribed to the mailing list, but please still respond to the list.] On 2022-10-06 11:23:07 +0300 (+0300), jackdaw blues wrote: > I am currently leading a team of offensive security engineers and > we are trying to create a checklist for each component of > Openstack in the context of Security Assessment. Welcome! As the current chair of the OpenStack Security SIG (Special Interest Group)[*], I'm happy to do what I can to help and encourage other community members to further enable your efforts. > At the end of the day what we want to end up with is common > exploitable configuration weaknesses for each component. It will > be against configuration or installation mistakes that result in > unintended privileges or information disclosure, etc. Patch > management isn't in scope. > > Not the exact output, but these links can give a good idea of the > contents of the security assessment we are planning (these are for > AWS): > http://flaws.cloud/ > http://flaws2.cloud/ > > Has anyone had any experience regarding the topic above? If so > please feel free to connect. Regardless of the experience, if you > want to contribute and at mark zero just like we are, you are > still welcome and we can help each other create this assessment > checklist. 
I'm not aware of any efforts along those lines yet, as far as a coordinated attempt at providing secure usage guidance to end users of OpenStack services, but it sounds like an interesting avenue for research. Most of our focus, to date, has been on solving vulnerabilities within the OpenStack services and tools, and providing guidance to people who deploy and run those services in order that they may better secure their installations. End user guidance has mostly been the realm of the organizations running the software, at least so far. [*] https://wiki.openstack.org/wiki/Security-SIG -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From dms at danplanet.com Thu Oct 6 15:06:06 2022 From: dms at danplanet.com (Dan Smith) Date: Thu, 06 Oct 2022 08:06:06 -0700 Subject: [nova][cinder][glance][manila][masakari][tacker][oslo] Configurable soft-delete In-Reply-To: (Sylvain Bauza's message of "Thu, 6 Oct 2022 09:38:04 +0200") References: Message-ID: Sylvain Bauza writes: > This isn't true. Any operator that sees the Nova DBs [1] growing can use two commands (or just cron them) : > nova-manage db archive_deleted_rows > nova-manage db purge It's actually easier. Adding --purge to the first command removes the need to run the second. --Dan From ralonsoh at redhat.com Thu Oct 6 15:08:18 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Thu, 6 Oct 2022 17:08:18 +0200 Subject: [neutron][tempest][all] Broken CI, any job inherited from "devstack" Message-ID: Hello all: I broke the OpenStack CI (good start as Neutron PTL). I pushed [1] testing only against the Neutron CI. After making the needed changes [2], I thought any other job would be safe. I've opened [3]. The default OVN version installed in the CI, using Ubuntu 20.04, is v20.03, that is a bit old. I've proposed to bump to v21.06, extensively tested in the Neutron CI. Any tempest job from any project is inherited from this one. Once we have migrated to Ubuntu 22.04 during this cycle, we'll remove this forced OVN installation from source. Regards. [1]https://review.opendev.org/c/openstack/neutron/+/859642 [2]https://review.opendev.org/c/openstack/neutron/+/860078/ [3]https://bugs.launchpad.net/devstack/+bug/1991952 [4]https://review.opendev.org/c/openstack/devstack/+/860577 -------------- next part -------------- An HTML attachment was scrubbed... URL: From ralonsoh at redhat.com Thu Oct 6 15:30:26 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Thu, 6 Oct 2022 17:30:26 +0200 Subject: [neutron][tempest][all] Broken CI, any job inherited from "devstack" In-Reply-To: References: Message-ID: Hello: I've filled [1]. We'll revert the Neutron patch. Regards. [1]https://bugs.launchpad.net/neutron/+bug/1991962 On Thu, Oct 6, 2022 at 5:08 PM Rodolfo Alonso Hernandez wrote: > Hello all: > > I broke the OpenStack CI (good start as Neutron PTL). I pushed [1] testing > only against the Neutron CI. After making the needed changes [2], I thought > any other job would be safe. > > I've opened [3]. The default OVN version installed in the CI, using Ubuntu > 20.04, is v20.03, that is a bit old. I've proposed to bump to v21.06, > extensively tested in the Neutron CI. Any tempest job from any project is > inherited from this one. > > Once we have migrated to Ubuntu 22.04 during this cycle, we'll remove this > forced OVN installation from source. > > Regards. 
> > [1]https://review.opendev.org/c/openstack/neutron/+/859642 > [2]https://review.opendev.org/c/openstack/neutron/+/860078/ > [3]https://bugs.launchpad.net/devstack/+bug/1991952 > [4]https://review.opendev.org/c/openstack/devstack/+/860577 > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From pierre at stackhpc.com Thu Oct 6 15:41:01 2022 From: pierre at stackhpc.com (Pierre Riteau) Date: Thu, 6 Oct 2022 17:41:01 +0200 Subject: [nova][cinder][glance][manila][masakari][tacker][oslo] Configurable soft-delete In-Reply-To: References: Message-ID: I would like to strongly second this: not having soft delete, or an equivalent for audit purposes (I am not attached to the actual implementation), would be a great loss. We actually have a long standing task to add soft delete to Blazar, which I am hoping will be merged in Antelope. As an operator, I also get annoyed by the lack of soft delete in Neutron, for example to answer the question: who was using this specific floating IP at this specific time? On Thu, 6 Oct 2022 at 07:28, Dmitriy Rabotyagov wrote: > Not having soft delete in the database is really quite bad for operators > and it's not about tooling, but it's about audit purposes. > > If take nova as example, this also means that once server is deleted, > event log will be also wiped with no way to see who and when has performed > delete action. And that is really used feature, as we got requests like > "why my VM has disappeared" at very least one a week. > > For other services having deleted_at at least points to the datetime where > to search in the logs. > > At the same time I don't see any issue in having soft delete. It's just a > matter of one systemd-timer, and too concerned about performance can set it > to 1 day, thus almost no impact on db performance. > > So from operator perspective I can say this is very valuable feature and I > personally do struggle regularly with neutron services where it's absent. > And I would hate this to disappear at all, as it would be really a > nightmare. > > ??, 5 ???. 2022 ?., 14:48 Stephen Finucane : > >> ? >> >> I'm planning on bringing this up in the nova rooms at the PTG in a few >> weeks, >> but I'm also raising it here since this potentially affects other service >> projects and I can't attend all of those room :) >> >> Many projects use the concept of "soft delete" in their database models. >> A soft >> deletable model typically has two additional columns, 'deleted' and >> 'deleted_at'. When deleting such a model, instead of actually deleting the >> database row (i.e. 'DELETE FROM table WHERE condition'), we set 'deleted' >> to >> 'True' and populate the 'deleted_at' column. This is helpful for auditing >> purposes (e.g. you can inspect all resources ever created, even after >> they've >> been "deleted") but bad for database performance (your tables can grow >> without >> bound). To work around the performance issues, most projects implement >> some kind >> of archive or purge command that will allow operators to periodically >> clean up >> these deleted resources. However, at least in nova, we've long since come >> to the >> conclusion that soft deleting isn't as useful as initially suspected and >> the >> need to run these commands is additional work for no benefit. We've moved >> toward >> not using it for all new models. >> >> With this said, it's going to be difficult to get away from soft-delete >> quickly. 
>> Not only are there database migrations involved, but operators will need >> to >> rework their tooling to adapt to a new, no-soft-delete world. As such, >> I'd like >> to propose a half-way measure of making soft-delete configurable. To do >> this, >> I'd like to add a new flag in oslo.db, '[database] enable_soft_delete'. >> When set >> to 'False' anyone using the 'SoftDeleteMixin' from oslo.db would see these >> models hard deleted rather than soft deleted when calling 'soft_delete'. >> This >> would avoid the need for operators to run the various project-specific >> purge >> tooling. The RFC patch for this is available for review [1]. I can also >> do this >> on a project-specific basis and have proposed a similar patch for nova >> [2], >> however, doing it in oslo.db means every project that uses >> 'SoftDeleteMixin' in >> their models will get this for free. Projects that don't (glance, cinder) >> can >> switch to using this mixin and also get it for free. >> >> As noted above, I intend to discuss this in the nova room at the PTG, but >> I'd be >> interested in people's thoughts ahead of time. Do you think this is a >> good idea? >> Should we proceed with it? Perhaps there are there better ways to do >> this? Let >> me know! >> >> Cheers, >> Stephen >> >> [1] https://review.opendev.org/c/openstack/oslo.db/+/860407 >> [2] https://review.opendev.org/c/openstack/nova/+/860401 >> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From allison at openinfra.dev Thu Oct 6 15:20:18 2022 From: allison at openinfra.dev (Allison Price) Date: Thu, 6 Oct 2022 10:20:18 -0500 Subject: [zed] OpenInfra Live - October 6 at 1400 UTC In-Reply-To: <11530FD5-78FF-492E-B787-8156381747C7@openinfra.dev> References: <11530FD5-78FF-492E-B787-8156381747C7@openinfra.dev> Message-ID: <4708D1F9-B53C-4AF1-AAFE-21DF894E151A@openinfra.dev> Thank you to everyone who tuned into the OpenStack Zed episode of OpenInfra Live today! If you missed it, we have you covered! The Superuser recap [1] contains a link to the recording and I have attached the slides from the presentation to this thread for folks who want to explore the links that the contributors shared today. Congratulations again on completing another on-time release?now, onto Antelope! [1] https://superuser.openstack.org/articles/openstack-zed-the-end-of-the-alphabet-the-beginning-of-a-new-era-openinfra-live-recap/ > On Oct 5, 2022, at 3:37 PM, Allison Price wrote: > > Hi everyone, > > This week?s OpenInfra Live episode is brought to you by the OpenStack community who just delivered its 26th on-time release today! Join us to learn about the latest from community leaders about what was delivered in Zed and what we can expect in Antelope, OpenStack's 27th release targeting early 2023. > > Episode: OpenStack Zed: The End of the Alphabet, The Beginning of a New Era > > Date and time: October 6 at 1400 UTC > > You can watch us live on: > YouTube: https://www.youtube.com/watch?v=MSbB3L9_MeY > LinkedIn: https://www.linkedin.com/video/event/urn:li:ugcPost:6982723169144950786/ > Facebook: https://www.facebook.com/events/390328576642133 > WeChat: recording will be posted on OpenStack WeChat after the live stream > > Speakers: > Kendall Nelson, OpenInfra Foundation > Carlos Silva, Manila > Jay Faulkner, Ironic > Sylvain Bauza, Nova > Lajos Katona, Neutron > Wu Wenxiang, Skyline > Martin Kopec, Interop Working Group > Liye Pang, Venus > > Have an idea for a future episode? Share it now at ideas.openinfra.live . 
> > Thanks, > Allison > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenInfra Live Slides_ OpenStack Zed.pdf Type: application/pdf Size: 1662154 bytes Desc: not available URL: -------------- next part -------------- An HTML attachment was scrubbed... URL: From fungi at yuggoth.org Thu Oct 6 16:12:41 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Thu, 6 Oct 2022 16:12:41 +0000 Subject: [neutron][tempest][all] Broken CI, any job inherited from "devstack" In-Reply-To: References: Message-ID: <20221006161241.4xn6a252y3ah2vfj@yuggoth.org> On 2022-10-06 17:08:18 +0200 (+0200), Rodolfo Alonso Hernandez wrote: [...] > I've opened [3]. The default OVN version installed in the CI, using Ubuntu > 20.04, is v20.03, that is a bit old. I've proposed to bump to v21.06, > extensively tested in the Neutron CI. Any tempest job from any project is > inherited from this one. > > Once we have migrated to Ubuntu 22.04 during this cycle, we'll remove this > forced OVN installation from source. [...] What's the implication for upgrades? Historically, we've needed the software to be operable on the prior platform (upgrade OpenStack from Zed to 2023.1/Antelope, then upgrade Ubuntu from Focal to Jammy). Now with SLURP in the picture, we'll even need OpenStack 2023.2/B working on Focal before upgrading to Jammy, right? -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From ralonsoh at redhat.com Thu Oct 6 16:24:10 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Thu, 6 Oct 2022 18:24:10 +0200 Subject: [neutron][tempest][all] Broken CI, any job inherited from "devstack" In-Reply-To: <20221006161241.4xn6a252y3ah2vfj@yuggoth.org> References: <20221006161241.4xn6a252y3ah2vfj@yuggoth.org> Message-ID: I don't see in the documentation (probably I didn't check all of it) that an OpenStack version upgrade doesn't imply other library/modules/services upgrade. In this case, you will need to bump the OVN/OVS version, keeping the same OVS/NB/SB information (probably not the same database structures). In any case, I'll try to make the Neutron server compatible with both scenarios, but that will take some time to implement (if possible). On Thu, Oct 6, 2022 at 6:13 PM Jeremy Stanley wrote: > On 2022-10-06 17:08:18 +0200 (+0200), Rodolfo Alonso Hernandez wrote: > [...] > > I've opened [3]. The default OVN version installed in the CI, using > Ubuntu > > 20.04, is v20.03, that is a bit old. I've proposed to bump to v21.06, > > extensively tested in the Neutron CI. Any tempest job from any project is > > inherited from this one. > > > > Once we have migrated to Ubuntu 22.04 during this cycle, we'll remove > this > > forced OVN installation from source. > [...] > > What's the implication for upgrades? Historically, we've needed the > software to be operable on the prior platform (upgrade OpenStack > from Zed to 2023.1/Antelope, then upgrade Ubuntu from Focal to > Jammy). Now with SLURP in the picture, we'll even need OpenStack > 2023.2/B working on Focal before upgrading to Jammy, right? > -- > Jeremy Stanley > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From cboylan at sapwetik.org Thu Oct 6 16:33:25 2022 From: cboylan at sapwetik.org (Clark Boylan) Date: Thu, 06 Oct 2022 09:33:25 -0700 Subject: [neutron][tempest][all] Broken CI, any job inherited from "devstack" In-Reply-To: References: <20221006161241.4xn6a252y3ah2vfj@yuggoth.org> Message-ID: <96583601-14c2-4d4b-9f38-da6b74dbfdf3@app.fastmail.com> On Thu, Oct 6, 2022, at 9:24 AM, Rodolfo Alonso Hernandez wrote: > I don't see in the documentation (probably I didn't check all of it) > that an OpenStack version upgrade doesn't imply other > library/modules/services upgrade. In this case, you will need to bump > the OVN/OVS version, keeping the same OVS/NB/SB information (probably > not the same database structures). > I don't know about documentation (but that may have come along with the new SLURP stuff), but Grenade enforces this sort of thing in CI. When we run Grenade against a branch we install the old version of OpenStack on the platform that the old version of OpenStack was tested on and then upgrade to the new current version of OpenStack. This upgrade is done on a host without upgrading the host itself. > In any case, I'll try to make the Neutron server compatible with both > scenarios, but that will take some time to implement (if possible). > > On Thu, Oct 6, 2022 at 6:13 PM Jeremy Stanley wrote: >> On 2022-10-06 17:08:18 +0200 (+0200), Rodolfo Alonso Hernandez wrote: >> [...] >> > I've opened [3]. The default OVN version installed in the CI, using Ubuntu >> > 20.04, is v20.03, that is a bit old. I've proposed to bump to v21.06, >> > extensively tested in the Neutron CI. Any tempest job from any project is >> > inherited from this one. >> > >> > Once we have migrated to Ubuntu 22.04 during this cycle, we'll remove this >> > forced OVN installation from source. >> [...] >> >> What's the implication for upgrades? Historically, we've needed the >> software to be operable on the prior platform (upgrade OpenStack >> from Zed to 2023.1/Antelope, then upgrade Ubuntu from Focal to >> Jammy). Now with SLURP in the picture, we'll even need OpenStack >> 2023.2/B working on Focal before upgrading to Jammy, right? >> -- >> Jeremy Stanley From dms at danplanet.com Thu Oct 6 16:55:30 2022 From: dms at danplanet.com (Dan Smith) Date: Thu, 06 Oct 2022 09:55:30 -0700 Subject: [neutron][tempest][all] Broken CI, any job inherited from "devstack" In-Reply-To: <96583601-14c2-4d4b-9f38-da6b74dbfdf3@app.fastmail.com> (Clark Boylan's message of "Thu, 06 Oct 2022 09:33:25 -0700") References: <20221006161241.4xn6a252y3ah2vfj@yuggoth.org> <96583601-14c2-4d4b-9f38-da6b74dbfdf3@app.fastmail.com> Message-ID: > I don't know about documentation (but that may have come along with > the new SLURP stuff), but Grenade enforces this sort of thing in > CI. When we run Grenade against a branch we install the old version of > OpenStack on the platform that the old version of OpenStack was tested > on and then upgrade to the new current version of OpenStack. This > upgrade is done on a host without upgrading the host itself. Yeah, I think this is "expectation by code" in that grenade requires that to work, so (assuming you're running those jobs) you'll be forced into that support. Perhaps we need to expand on that a bit in words to make sure it's clear. 
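For anyone wondering what "running those jobs" looks like in practice, here is a minimal sketch of a project's .zuul.yaml (illustrative only; the exact job or template name your project consumes may differ):

```yaml
# Illustrative sketch: keeping the upstream grenade job in check and gate is
# what turns "the old release must still run on the old platform" from an
# expectation into something CI actually enforces for your project.
- project:
    check:
      jobs:
        - grenade
    gate:
      jobs:
        - grenade
```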
--Dan From fungi at yuggoth.org Thu Oct 6 17:06:55 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Thu, 6 Oct 2022 17:06:55 +0000 Subject: [neutron][tempest][all] Broken CI, any job inherited from "devstack" In-Reply-To: References: <20221006161241.4xn6a252y3ah2vfj@yuggoth.org> <96583601-14c2-4d4b-9f38-da6b74dbfdf3@app.fastmail.com> Message-ID: <20221006170655.gjpsitcoo2ur4p2h@yuggoth.org> On 2022-10-06 09:55:30 -0700 (-0700), Dan Smith wrote: [...] > Yeah, I think this is "expectation by code" in that grenade requires > that to work, so (assuming you're running those jobs) you'll be forced > into that support. Perhaps we need to expand on that a bit in words to > make sure it's clear. One fairly lightweight solution would just be to include this in the cycle-specific PTI doc. So for the 2023.1 tested runtime list both Ubuntu 20.04 and Ubuntu 22.04 (maybe with a boilerplate sentence that the former platform is only tested insofar as to support in-place upgrading of OpenStack software before upgrading to the latter platform in that release). -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From fungi at yuggoth.org Thu Oct 6 17:23:04 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Thu, 6 Oct 2022 17:23:04 +0000 Subject: [neutron][tempest][all] Broken CI, any job inherited from "devstack" In-Reply-To: <20221006161241.4xn6a252y3ah2vfj@yuggoth.org> References: <20221006161241.4xn6a252y3ah2vfj@yuggoth.org> Message-ID: <20221006172304.2z33tdo2lfcobdcz@yuggoth.org> On 2022-10-06 16:12:41 +0000 (+0000), Jeremy Stanley wrote: [...] > Now with SLURP in the picture, we'll even need OpenStack 2023.2/B > working on Focal before upgrading to Jammy, right? Just to correct myself, Zed to 2023.2/B is not SLURP. If this transition were occurring between 2023.1/Antelope and 2023.2/B then we'd also need to solve it for upgrades from 2023.1/Antelope to 2024.1/C, but that's thankfully not the case this time. -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From smooney at redhat.com Thu Oct 6 17:38:17 2022 From: smooney at redhat.com (Sean Mooney) Date: Thu, 06 Oct 2022 18:38:17 +0100 Subject: Limit Access to a Group for a Project- Openstack 13 & 17 In-Reply-To: References: Message-ID: On Thu, 2022-10-06 at 14:32 +0100, samir oukessou wrote: > Dears, > > I have a question regarding Openstack, is it possible to limit access for a > user to get read only on a specific project that he can only see the > instances in that project and eliminate the actions edit,start,stop or > delete instance ? > > i have tried some tests grant *member* role only to the group but all users > in the group were able to do everything with the instances what your looking for is the reader role. 
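For example, a rough sketch with the openstack CLI (the group and project names below are placeholders, not taken from your environment):

```shell
# Give every user in the group read-only access to a single project.
openstack role add --group support-team --project customer-project reader

# Confirm the assignment.
openstack role assignment list --group support-team --project customer-project --names
```

One caveat: reader is only honoured by services that have adopted the newer secure-RBAC policy defaults, so on older releases you may also need to enable those defaults (or adjust the policy files) before reader actually blocks start/stop/delete on instances.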
> > > thank you in advance, > > > Samir From gmann at ghanshyammann.com Thu Oct 6 18:35:32 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Thu, 06 Oct 2022 11:35:32 -0700 Subject: [neutron][tempest][all] Broken CI, any job inherited from "devstack" In-Reply-To: <20221006170655.gjpsitcoo2ur4p2h@yuggoth.org> References: <20221006161241.4xn6a252y3ah2vfj@yuggoth.org> <96583601-14c2-4d4b-9f38-da6b74dbfdf3@app.fastmail.com> <20221006170655.gjpsitcoo2ur4p2h@yuggoth.org> Message-ID: <183ae94d38c.dfdf2096295966.1384301667564210604@ghanshyammann.com> ---- On Thu, 06 Oct 2022 10:06:55 -0700 Jeremy Stanley wrote --- > On 2022-10-06 09:55:30 -0700 (-0700), Dan Smith wrote: > [...] > > Yeah, I think this is "expectation by code" in that grenade requires > > that to work, so (assuming you're running those jobs) you'll be forced > > into that support. Perhaps we need to expand on that a bit in words to > > make sure it's clear. > > One fairly lightweight solution would just be to include this in the > cycle-specific PTI doc. So for the 2023.1 tested runtime list both > Ubuntu 20.04 and Ubuntu 22.04 (maybe with a boilerplate sentence > that the former platform is only tested insofar as to support > in-place upgrading of OpenStack software before upgrading to the > latter platform in that release). yeah, we do test it but I agree to document it somewhere in PTI, I started the documentation, feel free to review/feedback if more information needs to be mentioned - https://review.opendev.org/c/openstack/governance/+/860599 -gmann > -- > Jeremy Stanley > From katonalala at gmail.com Thu Oct 6 19:19:04 2022 From: katonalala at gmail.com (Lajos Katona) Date: Thu, 6 Oct 2022 21:19:04 +0200 Subject: [neutron] Drivers meeting agenda -06.10.2022. Message-ID: Hi Neutron Drivers, The agenda for tomorrow's drivers meeting is at [1]. We have the following RFE to discuss: [RFE] Strict minimum bandwidth support for tunnelled networks (#link https://bugs.launchpad.net/neutron/+bug/1991965 ) [1] https://wiki.openstack.org/wiki/Meetings/NeutronDrivers#Agenda See you at the meeting tomorrow. Lajos Katona (lajoskatona) -------------- next part -------------- An HTML attachment was scrubbed... URL: From manchandavishal143 at gmail.com Fri Oct 7 11:37:15 2022 From: manchandavishal143 at gmail.com (vishal manchanda) Date: Fri, 7 Oct 2022 17:07:15 +0530 Subject: [horizon] Antelope PTG Schedule Message-ID: Hello Team, Please Find the Schedule for Horizon PTG in the eherpad [1]. Feel Free to add the topics you want to discuss in the PTG. Don't forget to register for PTG, if not done yet [2]. See you at the PTG! Thanks & Regards, Vishal Manchanda (irc: vishalmanchanda) [1] https://etherpad.opendev.org/p/horizon-antelope-ptg [2] https://openinfra-ptg.eventbrite.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From gmann at ghanshyammann.com Sat Oct 8 01:11:57 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Fri, 07 Oct 2022 18:11:57 -0700 Subject: [all][tc] What's happening in Technical Committee: summary 2022 Oct 7: Reading: 5 min Message-ID: <183b5261dfe.cc404432377283.4137496043425468416@ghanshyammann.com> Hello Everyone, Here is this week's summary of the Technical Committee activities. 1. TC Meetings: ============ * We had this week's meeting on Oct 6. Most of the meeting discussions are summarized in this email. 
Meeting recording is present @ https://www.youtube.com/watch?v=HhL67mf4uAY&t=464s and summary logs are available @ https://meetings.opendev.org/meetings/tc/2022/tc.2022-10-06-15.00.log.html * Next TC weekly meeting will be a video call on Oct 13 Thursday at 15:00 UTC, feel free to add the topic on the agenda[1] by Oct 12. 2. What we completed this week: ========================= * Dedicated Zed release to Ilya Etingof[2] * Selected Ghanshyam as chair [3] 3. Activities In progress: ================== TC Tracker for Zed cycle ------------------------------ * Zed tracker etherpad includes the TC working items[4], Five are completed and other items are in-progress. Open Reviews ----------------- * Six open reviews for ongoing activities[5]. New community-wide goal "Migration CI/CD to Ubuntu 22.04" -------------------------------------------------------------------------------------- Dmitriy proposed to select this goal for 2023.1 cycle [6]. 2023.1 cycle Leaderless projects & TC Chair ---------------------------------------------------- * Zun project PTL appointment is under review[7][8]. * Slaweq volunteer to serve as Vice chair[9]. 2023.1 cycle TC PTG planning ------------------------------------ * Etherpads to add the topics: ** https://etherpad.opendev.org/p/tc-2023-1-ptg ** https://etherpad.opendev.org/p/tc-leaders-interaction-2023-1 * I sent an email about the 'Operator Hours' slots in this PTG, please check and reserve the operator hour slot for your project[10] 2021 User Survey TC Question Analysis ----------------------------------------------- No update on this. The survey summary is up for review[11]. Feel free to check and provide feedback. Fixing Zuul config error ---------------------------- We request projects having zuul config error to fix them, Keep supported stable branches as priority and Extended maintenance stable branch as low priority[12][13]. Project updates ------------------- * None. 4. How to contact the TC: ==================== If you would like to discuss or give feedback to TC, you can reach out to us in multiple ways: 1. Email: you can send the email with tag [tc] on openstack-discuss ML[14]. 2. Weekly meeting: The Technical Committee conduct a weekly meeting every Thursday 15 UTC [15] 3. Ping us using 'tc-members' nickname on #openstack-tc IRC channel. 
[1] https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting [2] https://review.opendev.org/c/openstack/governance/+/859464 [3] https://review.opendev.org/c/openstack/governance/+/858957 [4] https://etherpad.opendev.org/p/tc-zed-tracker [5] https://review.opendev.org/q/projects:openstack/governance+status:open [6] https://review.opendev.org/c/openstack/governance/+/860040 [7] https://review.opendev.org/c/openstack/governance/+/858980 [8] https://review.opendev.org/c/openstack/governance/+/860759 [9] https://review.opendev.org/c/openstack/governance/+/860352 [10] https://lists.openstack.org/pipermail/openstack-discuss/2022-September/030301.html [11] https://review.opendev.org/c/openstack/governance/+/836888 [12] https://lists.openstack.org/pipermail/openstack-discuss/2022-September/030505.html [13] https://etherpad.opendev.org/p/zuul-config-error-openstack [14] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-discuss [15] http://eavesdrop.openstack.org/#Technical_Committee_Meeting -gmann From monish at xaasability.com Sat Oct 8 07:15:12 2022 From: monish at xaasability.com (Monish Selvaraj) Date: Sat, 8 Oct 2022 12:45:12 +0530 Subject: Failed to create user port error Message-ID: Hi, Iam recently enabled trove in our kolla-ansible openstack. I can't create an instance in trove. It seems *Failed to create User port for instance 54ab3ff2-ecec-4b22-a736-3c36972542e3: Subnet 98a65c6e-2473-48f1-a578-702a08649c73 is not associated with router.* Also added the following parameter in trove.conf and restarted the docker container. But it's not working. [network] enable_access_check = False [image: image.png] -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 85699 bytes Desc: not available URL: From wodel.youchi at gmail.com Sun Oct 9 15:19:44 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Sun, 9 Oct 2022 16:19:44 +0100 Subject: [kolla-ansible][Xena] SSL certificate expired Message-ID: Hi, My SSL certificate has expired, and now I cannot authenticate into horizon and I have these errors : *WARNING keystoneauth.identity.generic.base [-] Failed to discover available identity versions when contacting https://dashint.cloud.exemple.com:35357 . Attempting to parse version from URL.: keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https:// dashint.cloud.exemple.com :35357: HTTPSConnectionPool(host=' dashint.cloud.exemple.com ', port=35357): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))* In my globals.yml I have this parameter : kolla_verify_tls_backend: "no" 1 - How do I disable SSL verification for now? 2 - How to install a new SSL certificate? Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From nobody Mon Oct 10 06:08:13 2022 From: nobody Date: Mon, 10 Oct 2022 15:08:13 +0900 Subject: Kroxvx rsvxfzwql Message-ID: This message has been removed. From arxcruz at redhat.com Mon Oct 10 09:25:31 2022 From: arxcruz at redhat.com (Arx Cruz) Date: Mon, 10 Oct 2022 11:25:31 +0200 Subject: [tripleo] Gate blocker Message-ID: Hello, We have a gate blocker due https://bugs.launchpad.net/tripleo/+bug/1992305 please do not recheck jobs until https://review.opendev.org/c/openstack/tripleo-quickstart/+/860810 get merged. I will let you know when gates are green again. 
-- Arx Cruz Software Engineer Red Hat EMEA arxcruz at redhat.com @RedHat Red Hat Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Mon Oct 10 11:21:01 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Mon, 10 Oct 2022 12:21:01 +0100 Subject: [kolla-ansible][Xena] SSL certificate expired In-Reply-To: References: Message-ID: Hi, I tried to deploy a new certificate using :kolla-ansible reconfigure But I got : "module_stderr": "*Failed to discover available identity versions when contacting https://dashint.cloud.exemple.com:35357 *. Attemptin g to parse version from URL.\nTraceback (most recent call last):\n File \"/opt/ansible/lib/python3.6/site-packages/urllib3/connectio npool.py\", line 706, in urlopen\n chunked=chunked,\n File \"/opt/ansible/lib/python3.6/site-packages/urllib3/connectionpool.py\" , line 382, in _make_request\n self._validate_conn(conn)\n File \"/opt/ansible/lib/python3.6/site-packages/urllib3/connectionpool .py\", line 1010, in _validate_conn\n conn.connect()\n File \"/opt/ansible/lib/python3.6/site-packages/urllib3/connection.py\", l ine 421, in connect\n tls_in_tls=tls_in_tls,\n File \"/opt/ansible/lib/python3.6/site-packages/urllib3/util/ssl_.py\", line 450, in ssl_wrap_socket\n sock, context, tls_in_tls, server_hostname=server_hostname\n File \"/opt/ansible/lib/python3.6/site-packages /urllib3/util/ssl_.py\", line 493, in _ssl_wrap_socket_impl\n return ssl_context.wrap_socket(sock, server_hostname=server_hostname )\n File \"/usr/lib64/python3.6/ssl.py\", line 365, in wrap_socket\n _context=self, _session=session)\n File \"/usr/lib64/python 3.6/ssl.py\", line 776, in __init__\n self.do_handshake()\n File \"/usr/lib64/python3.6/ssl.py\", line 1036, in do_handshake\n self._sslobj.do_handshake()\n File \"/usr/lib64/python3.6/ssl.py\", line 648, in do_handshake\n self._sslobj.do_handshake()\nssl .*SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed* Some help please Regards. Le dim. 9 oct. 2022 ? 16:19, wodel youchi a ?crit : > Hi, > > My SSL certificate has expired, and now I cannot authenticate into horizon > and I have these errors : > *WARNING keystoneauth.identity.generic.base [-] Failed to discover > available identity versions when contacting > https://dashint.cloud.exemple.com:35357 > . Attempting to parse version from > URL.: keystoneauth1.exceptions.connection.SSLError: SSL exception > connecting to https:// dashint.cloud.exemple.com > :35357: HTTPSConnectionPool(host=' > dashint.cloud.exemple.com ', port=35357): > Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: > CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))* > > In my globals.yml I have this parameter : > kolla_verify_tls_backend: "no" > > 1 - How do I disable SSL verification for now? > 2 - How to install a new SSL certificate? > > > > Regards. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From katonalala at gmail.com Mon Oct 10 11:45:37 2022 From: katonalala at gmail.com (Lajos Katona) Date: Mon, 10 Oct 2022 13:45:37 +0200 Subject: Failed to create user port error Message-ID: (Resending it without the attached picture) Hi, It seems more a Neutron exception, and my 1st thought is to check your subnet and add it to your router, you can do it manually with openstack CLI: openstack router add subnet 98a65c6e-2473-48f1-a578-702a08649c73 Not sure if it is possible if you use trove as I never used it. 
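To spell the command out fully, something like this should work (the router name is a placeholder; the subnet ID is the one from your error message):

```shell
# Find the router that serves the tenant network, then attach the subnet to it.
openstack router list
openstack router add subnet <your-router> 98a65c6e-2473-48f1-a578-702a08649c73

# Verify: the subnet should now appear on one of the router's ports.
openstack port list --router <your-router>
```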
Best wishes Lajos Katona (lajoskatona) -------------- next part -------------- An HTML attachment was scrubbed... URL: From alex.kavanagh at canonical.com Mon Oct 10 12:06:14 2022 From: alex.kavanagh at canonical.com (Alex Kavanagh) Date: Mon, 10 Oct 2022 13:06:14 +0100 Subject: [charms] Team Delegation proposal In-Reply-To: References: Message-ID: Hi Peter On Tue, 4 Oct 2022 at 16:14, Peter Matulis wrote: > What is the status of this proposal? > So the charm-ceph-core to the ACL groups to provide a more focussed ACL for contributors to the ceph charms. At the moment, the other's haven't been added yet as it's not fully clear how they may be helpful. However, always willing to add them if they are. Cheers Alex. > On Wed, Aug 31, 2022 at 3:53 PM Peter Matulis > wrote: > >> >> >> On Mon, Aug 8, 2022 at 4:25 PM Alex Kavanagh >> wrote: >> >>> Hi Chris >>> >>> On Thu, 28 Jul 2022 at 21:46, Chris MacNaughton < >>> chris.macnaughton at canonical.com> wrote: >>> >>>> Hello All, >>>> >>>> >>>> I would like to propose some new ACLs in Gerrit for the >>>> openstack-charms project: >>>> >>>> - openstack-core-charms >>>> - ceph-charms >>>> - network-charms >>>> - stable-maintenance >>>> >>>> >>> >>> I think the names need to be tweaked slightly: >>> >>> - charms-openstack >>> - charms-ceph >>> - charms-ovn >>> - charms-maintenance >>> >> >> We would also need an ACL for the documentation: >> >> - charms-docs >> > -- Alex Kavanagh - Software Engineer OpenStack Engineering - Data Centre Development - Canonical Ltd -------------- next part -------------- An HTML attachment was scrubbed... URL: From lanchengxu0807 at gmail.com Mon Oct 10 15:04:26 2022 From: lanchengxu0807 at gmail.com (olive tree) Date: Mon, 10 Oct 2022 23:04:26 +0800 Subject: [outreachy][cinder]questions about project"create API reference request/response samples" Message-ID: Hi Cinder Team: I'm an applicant for Outreachy internship program. I've set up a Gerrit account successfully and deployed Devstack in a virtual environment. However, there are a few questions I would like to ask: 1. I failed to find enriquetaso in #openstack-cinder OFTC IRC channel, the list is as follows, I suppose maybe the reason is some steps were wrong or she changed into another username. [image: image.png] 2.when I created a local.conf and statrted the install under instructions in https://docs.openstack.org/devstack/latest/, I got this error: devstack/stackrc:834 Could not determine host ip address. See local.conf for suggestions on setting HOST_IP. i searched it in Google but can't find effective solution. Thank you for reading this email! I hope my questions will not bother you too much. I really appreciate it if you could answer them. Best regards, Chelsy Lan -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 181641 bytes Desc: not available URL: From fungi at yuggoth.org Mon Oct 10 16:10:00 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Mon, 10 Oct 2022 16:10:00 +0000 Subject: Kroxvx rsvxfzwql In-Reply-To: References: Message-ID: <20221010160959.6mcblrnzwcw6w4xs@yuggoth.org> The previous message in this thread was spoofed to appear to originate from one of the list subscribers in order to get around our moderation mechanism. 
Normally the attachments on these sorts of messages are too large to make it through without being held for moderator review, but this one was just small enough to make it onto the list. I've scrubbed the attachment from the archives for safety and set up the listserv to strip "zip" attachments from future posts (since it now seems to be a popular vector for distributing Windows malware by E-mail), but if anyone received the original I strongly recommend not opening it. -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From jean-francois.taltavull at elca.ch Mon Oct 10 15:35:38 2022 From: jean-francois.taltavull at elca.ch (=?utf-8?B?VGFsdGF2dWxsIEplYW4tRnJhbsOnb2lz?=) Date: Mon, 10 Oct 2022 15:35:38 +0000 Subject: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number In-Reply-To: <104fac9ebe84471eb338e80d995b97fd@elca.ch> References: <2aa77e24a33d48a69032f30b86e9cad8@elca.ch> <1b17c23f8982480db73cf50d04d51af7@elca.ch> <86f048d7931c4cc482f6785437c9b5ea@elca.ch> <671023b5ab3846dfb3a39ef313018eac@elca.ch> <33f69d386462450b9964b2ed78284d57@elca.ch> <1d1c1c3cc6184b529819bb8f3598813f@elca.ch> <3516ab2892694a17a76b56ccacc463f1@elca.ch> <104fac9ebe84471eb338e80d995b97fd@elca.ch> Message-ID: <0a7778f2097d4e2c8cb3861141e0a09a@elca.ch> Hi Rafa?l, I finally found the cause and it was on my side. I fixed the setup (ceilometer, radosgw pollsters and haproxy) and keystone auth now works fine. I use the Rados GW ?rgw_admin_entry? variable, in particular. Thanks a lot for helping and for the time you spent on this issue. JF From: Taltavull Jean-Fran?ois Sent: mardi, 4 octobre 2022 14:33 To: 'Rafael Weing?rtner' Cc: 'openstack-discuss' Subject: RE: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number Hello Rapha?l, I restored the RGW keystone authentication and did some more tests. The problem is that the S3 request signature provided by ceilometer and the one computed by keystone mismatch. OpenStack release is Wallaby. keystone/api/s3tokens.py: ```` class S3Resource(EC2_S3_Resource.ResourceBase): @staticmethod def _check_signature(creds_ref, credentials): string_to_sign = base64.urlsafe_b64decode(str(credentials['token'])) if string_to_sign[0:4] != b'AWS4': signature = _calculate_signature_v1(string_to_sign, creds_ref['secret']) else: signature = _calculate_signature_v4(string_to_sign, creds_ref['secret']) if not utils.auth_str_equal(credentials['signature'], signature): raise exception.Unauthorized( <<<------------------------------------------we fall there message=_('Credential signature mismatch')) ```` From: Taltavull Jean-Fran?ois Sent: vendredi, 30 septembre 2022 14:48 To: 'Rafael Weing?rtner' > Cc: openstack-discuss > Subject: RE: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number ``` $ sudo /usr/bin/radosgw --version ceph version 15.2.16 (d46a73d6d0a67a79558054a3a5a72cb561724974) octopus (stable) ``` From: Rafael Weing?rtner > Sent: vendredi, 30 septembre 2022 12:37 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. 
No, I just showed you the code, so you can see how the authentication is being executed, and where/how the parameters are set in the headers. It is a bit odd, I have used this so many times, and it always works. What is your RGW instance version? On Fri, Sep 30, 2022 at 4:09 AM Taltavull Jean-Fran?ois > wrote: Do you mean the issue comes from how the `awsauth` module handles the signature ? From: Rafael Weing?rtner > Sent: jeudi, 29 septembre 2022 17:23 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. This is the signature used by the `awsauth` library: ``` def get_signature(self, r): canonical_string = self.get_canonical_string( r.url, r.headers, r.method) if py3k: key = self.secret_key.encode('utf-8') msg = canonical_string.encode('utf-8') else: key = self.secret_key msg = canonical_string h = hmac.new(key, msg, digestmod=sha) return encodestring(h.digest()).strip() ``` After that is generated, it is added in the headers: # Create date header if it is not created yet. if 'date' not in r.headers and 'x-amz-date' not in r.headers: r.headers['date'] = formatdate( timeval=None, localtime=False, usegmt=True) signature = self.get_signature(r) if py3k: signature = signature.decode('utf-8') r.headers['Authorization'] = 'AWS %s:%s' % (self.access_key, signature) On Thu, Sep 29, 2022 at 9:15 AM Taltavull Jean-Fran?ois > wrote: ``` $ python test_creds.py Executing test on: [FQDN/object-store/]. Rados GW admin context [/admin] and path [/usage?stats=True] used. Rados GW request URL [http://FQDN/object-store/admin/bucket?stats=True]. Rados GW host: FQDN Traceback (most recent call last): File "test_creds.py", line 45, in raise RGWAdminAPIFailed( __main__.RGWAdminAPIFailed: RGW AdminOps API returned 403 Forbidden ``` So the same as with ceilometer. Auth is done by RGW, not by keystone, and the ceph ?admin? user exists and owns the right privileges: ``` $ sudo radosgw-admin user info --uid admin [22/296]{ "user_id": "admin", "display_name": "admin user", "email": "", "suspended": 0, "max_buckets": 1000, "subusers": [], "keys": [ { "user": "admin", "access_key": ?admin_access_key", "secret_key": "admin_secret_key" } ], "swift_keys": [], "caps": [ { "type": "buckets", "perm": "*" }, { "type": "metadata", "perm": "*" }, { "type": "usage", "perm": "*" }, { "type": "users", "perm": "*" } ], ``` From: Rafael Weing?rtner > Sent: jeudi, 29 septembre 2022 12:32 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. Can you test you credentials with the following code? ``` import json import requests import os import six.moves.urllib.parse as urlparse class RGWAdminAPIFailed(Exception): pass if __name__ == '__main__': rados_gw_base_url = "put your RGW URL here. E.g. http://server.com:port/something" print("Executing test on: [%s]." % rados_gw_base_url) rados_gw_admin_context = "/admin" rados_gw_path = "/usage?stats=True" print("Rados GW admin context [%s] and path [%s] used." % (rados_gw_admin_context, rados_gw_path)) rados_gw_request_url = urlparse.urljoin(rados_gw_base_url, '/admin') + '/bucket?stats=True' print("Rados GW request URL [%s]." 
% rados_gw_request_url) rados_gw_access_key_to_use = "put your access key here" rados_gw_secret_key_to_use = "put your secret key here" rados_gw_host_name = urlparse.urlparse(rados_gw_request_url).netloc print("Rados GW host: %s" % rados_gw_host_name) module_name = "awsauth" class_name = "S3Auth" arguments = [rados_gw_access_key_to_use, rados_gw_secret_key_to_use, rados_gw_host_name] module = __import__(module_name) class_ = getattr(module, class_name) instance = class_(*arguments) r = requests.get( rados_gw_request_url, auth=instance, timeout=30) #auth=awsauth.S3Auth(*arguments)) if r.status_code != 200: raise RGWAdminAPIFailed( ('RGW AdminOps API returned %(status)s %(reason)s') % {'status': r.status_code, 'reason': r.reason}) response_body = r.text parsed_json = json.loads(response_body) print("Response cookies: [%s]." % r.cookies) radosGw_output_file = "/home//Downloads/radosGw-usage.json" if os.path.exists(radosGw_output_file): os.remove(radosGw_output_file) with open(radosGw_output_file, "w") as file1: file1.writelines(json.dumps(parsed_json, indent=4, sort_keys=True)) file1.flush() exit(0) ``` On Thu, Sep 29, 2022 at 4:09 AM Taltavull Jean-Fran?ois > wrote: python Python 3.8.10 (default, Sep 28 2021, 16:10:42) [GCC 9.3.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import awsauth >>> awsauth >>> From: Rafael Weing?rtner > Sent: mercredi, 28 septembre 2022 18:40 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. Can you also execute the following: ``` python import awsauth awsauth ``` That will output a path, and then you can `cat `, example: `cat /var/lib/kolla/venv/lib/python3.8/site-packages/awsauth.py` On Wed, Sep 28, 2022 at 1:21 PM Taltavull Jean-Fran?ois > wrote: I removed trailing ?/object-store/? from the last value of authentication_parameters I also: - disabled s3 keystone auth in RGW - created a RGW ?admin? user with the right privileges to allow admin API calls - put RGW in debug mode And here is what I get in RGW logs: get_usage string_to_sign=GET Wed, 28 Sep 2022 16:15:45 GMT /admin/usage get_usage server signature=BlaBlaBlaBla get_usage client signature=BloBloBlo get_usage compare=-75 get_usage rgw::auth::s3::LocalEngine denied with reason=-2027 get_usage rgw::auth::s3::AWSAuthStrategy denied with reason=-2027 get_usage rgw::auth::StrategyRegistry::s3_main_strategy_t: trying rgw::auth::s3::AWSAuthStrategy get_usage rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::LocalEngine From: Rafael Weing?rtner > Sent: mercredi, 28 septembre 2022 13:15 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. I think that the last parameter "/object-store/", should be only "". Can you test it? You are using EC2 credentials to authenticate in RGW. Did you enable the Keystone integration in RGW? Also, as far as I know, this admin endpoint needs a RGW admin. I am not sure if the Keystone and RGW integration would enable/make it possible for someone to authenticate as an admin in RGW. Can you check it? To see if you can call that endpoint with these credentials. 
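Side note: before digging further into Ceilometer, it may be worth ruling out the RGW side itself. A rough sketch, assuming the uid is "admin":

```shell
# Confirm the account has the AdminOps caps (usage/users/buckets/metadata);
# missing ones can be added with "radosgw-admin caps add".
radosgw-admin user info --uid=admin

# Usage data is only collected when rgw_enable_usage_log is true in the RGW config.
radosgw-admin usage show --show-log-entries=false
```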
On Wed, Sep 28, 2022 at 6:01 AM Taltavull Jean-Fran?ois > wrote: Pollster YML configuration : --- - name: "dynamic.radosgw.usage" sample_type: "gauge" unit: "B" value_attribute: "total.size" url_path: http:///object-store/admin/usage module: "awsauth" authentication_object: "S3Auth" authentication_parameters: ,,/object-store/ user_id_attribute: "user" project_id_attribute: "user" resource_id_attribute: "user" response_entries_key: "summary" ACCESS_KEY and SECRET_KEY have been created with ?openstack ec2 credentials create?. Ceilometer central is deployed with OSA and it uses awsauth.py module. From: Rafael Weing?rtner > Sent: mercredi, 28 septembre 2022 02:01 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. Can you show your YML configuration? Also, did you install the AWS authentication module in the container/host where Ceilometer central is running? On Mon, Sep 26, 2022 at 12:58 PM Taltavull Jean-Fran?ois > wrote: Hello Rafael, Thanks for the information about ceilometer patches but for now I?m testing with the credentials in the dynamic pollster config file. I will use barbican when I push all this to production. The keystone authentication performed by the rados gw with the credentials provided by ceilometer still does not work. I wonder if this could be a S3 signature version issue on ceilometer side, that is on S3 client side. This kind of issue exists with the s3 client ?s3cmd? and you have to add ??signature-v2? so that ?s3cmd? works well. What do you think ? Do you know which version of S3 signature ceilometer uses while authenticating ? From: Rafael Weing?rtner > Sent: mercredi, 7 septembre 2022 19:23 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. Jean, there are two problems with the Ceilometer. I just opened the patches to resolve it: - https://review.opendev.org/c/openstack/ceilometer/+/856305 - https://review.opendev.org/c/openstack/ceilometer/+/856304 Without these patches, you might have problems to use Ceilometer with Non-OpenStack dynamic pollsters and barbican credentials. On Wed, Aug 31, 2022 at 3:55 PM Rafael Weing?rtner > wrote: It is the RGW user that you have. This user must have the role that is needed to access the usage feature in RGW. If I am not mistaken, it required an admin user. On Wed, Aug 31, 2022 at 1:54 PM Taltavull Jean-Fran?ois > wrote: Thanks to your help, I am close to the goal. Dynamic pollster is loaded and triggered. But I get a ?Status[403] and reason [Forbidden]? in ceilometer logs while requesting admin/usage. I?m not sure to understand well the auth mechanism. Are we talking about keystone credentials, ec2 credentials, Rados GW user ?... For now, in testing phase, I use ?authentication_parameters?, not barbican. -JF From: Rafael Weing?rtner > Sent: mardi, 30 ao?t 2022 14:17 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. Yes, you will need to enable the metric/pollster to be processed. That is done via "polling.yml" file. 
Also, do not forget that you will need to configure Ceilometer to push this new metric. If you use Gnocchi as the backend, you will need to change/update the gnocchi resource YML file. That file maps resources and metrics in the Gnocchi backend. The configuration resides in Ceilometer. You can create/define new resource types and map them to specific metrics. It depends on how you structure your solution. P.S. You do not need to use "authentication_parameters". You can use the barbican integration to avoid setting your credentials in a file. On Tue, Aug 30, 2022 at 9:11 AM Taltavull Jean-Fran?ois > wrote: Hello, I tried to define a Rados GW dynamic pollster and I can see, in Ceilometer logs, that it?s actually loaded. But it looks like it was not triggered, I see no trace of ceilometer connection in Rados GW logs. My definition: - name: "dynamic.radosgw.usage" sample_type: "gauge" unit: "B" value_attribute: "total.size" url_path: http:///object-store/swift/v1/admin/usage module: "awsauth" authentication_object: "S3Auth" authentication_parameters: xxxxxxxxxxxxx,yyyyyyyyyyyyy, user_id_attribute: "admin" project_id_attribute: "admin" resource_id_attribute: "admin" response_entries_key: "summary" Do I have to set an option in ceilometer.conf, or elsewhere, to get my Rados GW dynamic pollster triggered ? -JF From: Taltavull Jean-Fran?ois Sent: lundi, 29 ao?t 2022 18:41 To: 'Rafael Weing?rtner' > Cc: openstack-discuss > Subject: RE: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number Thanks a lot for your quick answer, Rafael ! I will explore this approach. Jean-Francois From: Rafael Weing?rtner > Sent: lundi, 29 ao?t 2022 17:54 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number EXTERNAL MESSAGE - This email comes from outside ELCA companies. You could use a different approach. You can use Dynamic pollster [1], and create your own mechanism to collect data, without needing to change Ceilometer code. Basically all hard-coded pollsters can be converted to a dynamic pollster that is defined in YML. [1] https://docs.openstack.org/ceilometer/latest/admin/telemetry-dynamic-pollster.html#the-dynamic-pollsters-system-configuration-for-non-openstack-apis On Mon, Aug 29, 2022 at 12:51 PM Taltavull Jean-Fran?ois > wrote: Hi All, In our OpenStack deployment, API endpoints are defined by using URLs instead of port numbers and HAProxy forwards requests to the right bakend after having ACLed the URL. In the case of our object-store service, based on RadosGW, the internal API endpoint is "https:///object-store/swift/v1/AUTH_" When Ceilometer RadosGW pollster tries to connect to the RadosGW admin API with the object-store internal endpoint, the URL becomes https:///admin, as shown by HAProxy logs. This URL does not match any API endpoint from HAProxy point of view. The line of code that rewrites the URL is this one: https://opendev.org/openstack/ceilometer/src/branch/stable/wallaby/ceilometer/objectstore/rgw.py#L81 What would you think of adding a mechanism based on new Ceilometer configuration option(s) to control the URL rewriting ? 
Our deployment characteristics: - OpenStack release: Wallaby - Ceph and RadosGW version: 15.2.16 - deployment tool: OSA 23.2.1 and ceph-ansible Best regards, Jean-Francois -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From rafaelweingartner at gmail.com Mon Oct 10 15:59:39 2022 From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=) Date: Mon, 10 Oct 2022 12:59:39 -0300 Subject: [Ceilometer] Pollster cannot get RadosGW metrics when API endpoints are based on URL instead of port number In-Reply-To: <0a7778f2097d4e2c8cb3861141e0a09a@elca.ch> References: <2aa77e24a33d48a69032f30b86e9cad8@elca.ch> <1b17c23f8982480db73cf50d04d51af7@elca.ch> <86f048d7931c4cc482f6785437c9b5ea@elca.ch> <671023b5ab3846dfb3a39ef313018eac@elca.ch> <33f69d386462450b9964b2ed78284d57@elca.ch> <1d1c1c3cc6184b529819bb8f3598813f@elca.ch> <3516ab2892694a17a76b56ccacc463f1@elca.ch> <104fac9ebe84471eb338e80d995b97fd@elca.ch> <0a7778f2097d4e2c8cb3861141e0a09a@elca.ch> Message-ID: Glad to hear it! If you need something else, just let me know. On Mon, Oct 10, 2022 at 12:35 PM Taltavull Jean-Fran?ois < jean-francois.taltavull at elca.ch> wrote: > Hi Rafa?l, > > I finally found the cause and it was on my side. I fixed the setup > (ceilometer, radosgw pollsters and haproxy) and keystone auth now works > fine. > > > > I use the Rados GW ?rgw_admin_entry? variable, in particular. > > > > Thanks a lot for helping and for the time you spent on this issue. > > > > JF > > > > *From:* Taltavull Jean-Fran?ois > *Sent:* mardi, 4 octobre 2022 14:33 > *To:* 'Rafael Weing?rtner' > *Cc:* 'openstack-discuss' > *Subject:* RE: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > Hello Rapha?l, > > I restored the RGW keystone authentication and did some more tests. The > problem is that the S3 request signature provided by ceilometer and the one > computed by keystone mismatch. > > > > OpenStack release is Wallaby. 
> > > > keystone/api/s3tokens.py: > > ```` > > class S3Resource(EC2_S3_Resource.ResourceBase): > > @staticmethod > > def _check_signature(creds_ref, credentials): > > string_to_sign = > base64.urlsafe_b64decode(str(credentials['token'])) > > > > if string_to_sign[0:4] != b'AWS4': > > signature = _calculate_signature_v1(string_to_sign, > > creds_ref['secret']) > > else: > > signature = _calculate_signature_v4(string_to_sign, > > creds_ref['secret']) > > if not utils.auth_str_equal(credentials['signature'], signature): > > raise exception.Unauthorized( > <<<------------------------------------------we fall > there > > > message=_('Credential signature mismatch')) > ```` > > > > *From:* Taltavull Jean-Fran?ois > *Sent:* vendredi, 30 septembre 2022 14:48 > *To:* 'Rafael Weing?rtner' > *Cc:* openstack-discuss > *Subject:* RE: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > ``` > > $ sudo /usr/bin/radosgw --version > > ceph version 15.2.16 (d46a73d6d0a67a79558054a3a5a72cb561724974) octopus > (stable) > > ``` > > > > *From:* Rafael Weing?rtner > *Sent:* vendredi, 30 septembre 2022 12:37 > *To:* Taltavull Jean-Fran?ois > *Cc:* openstack-discuss > *Subject:* Re: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > > > *EXTERNAL MESSAGE *- This email comes from *outside ELCA companies*. > > No, I just showed you the code, so you can see how the authentication is > being executed, and where/how the parameters are set in the headers. It is > a bit odd, I have used this so many times, and it always works. What is > your RGW instance version? > > > > On Fri, Sep 30, 2022 at 4:09 AM Taltavull Jean-Fran?ois < > jean-francois.taltavull at elca.ch> wrote: > > Do you mean the issue comes from how the `awsauth` module handles the > signature ? > > > > *From:* Rafael Weing?rtner > *Sent:* jeudi, 29 septembre 2022 17:23 > *To:* Taltavull Jean-Fran?ois > *Cc:* openstack-discuss > *Subject:* Re: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > > > *EXTERNAL MESSAGE *- This email comes from *outside ELCA companies*. > > This is the signature used by the `awsauth` library: > ``` > > def get_signature(self, r): > canonical_string = self.get_canonical_string( > r.url, r.headers, r.method) > if py3k: > key = self.secret_key.encode('utf-8') > msg = canonical_string.encode('utf-8') > else: > key = self.secret_key > msg = canonical_string > h = hmac.new(key, msg, digestmod=sha) > return encodestring(h.digest()).strip() > > > > ``` > > > > After that is generated, it is added in the headers: > > # Create date header if it is not created yet. > if 'date' not in r.headers and 'x-amz-date' not in r.headers: > r.headers['date'] = formatdate( > timeval=None, > localtime=False, > usegmt=True) > signature = self.get_signature(r) > if py3k: > signature = signature.decode('utf-8') > r.headers['Authorization'] = 'AWS %s:%s' % (self.access_key, signature) > > > > On Thu, Sep 29, 2022 at 9:15 AM Taltavull Jean-Fran?ois < > jean-francois.taltavull at elca.ch> wrote: > > ``` > > $ python test_creds.py > > Executing test on: [FQDN/object-store/]. > > Rados GW admin context [/admin] and path [/usage?stats=True] used. > > Rados GW request URL [http://FQDN/object-store/admin/bucket?stats=True]. 
> > Rados GW host: FQDN > > Traceback (most recent call last): > > File "test_creds.py", line 45, in > > raise RGWAdminAPIFailed( > > __main__.RGWAdminAPIFailed: RGW AdminOps API returned 403 Forbidden > > ``` > > > > So the same as with ceilometer. Auth is done by RGW, not by keystone, and > the ceph ?admin? user exists and owns the right privileges: > > ``` > > $ sudo radosgw-admin user info --uid > admin > [22/296]{ > > "user_id": "admin", > > "display_name": "admin user", > > "email": "", > > "suspended": 0, > > "max_buckets": 1000, > > "subusers": [], > > "keys": [ > > { > > "user": "admin", > > "access_key": ?admin_access_key", > > "secret_key": "admin_secret_key" > > } > > ], > > "swift_keys": [], > > "caps": [ > > { > > "type": "buckets", > > "perm": "*" > > }, > > { > > "type": "metadata", > > "perm": "*" > > }, > > > { > "type": > "usage", > "perm": > "*" > }, > { > > "type": "users", > "perm": > "*" > } > ], > > > > > ``` > > > > > > *From:* Rafael Weing?rtner > *Sent:* jeudi, 29 septembre 2022 12:32 > *To:* Taltavull Jean-Fran?ois > *Cc:* openstack-discuss > *Subject:* Re: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > > > *EXTERNAL MESSAGE *- This email comes from *outside ELCA companies*. > > Can you test you credentials with the following code? > > ``` > > import json > import requests > import os > > import six.moves.urllib.parse as urlparse > > > class RGWAdminAPIFailed(Exception): > pass > > > if __name__ == '__main__': > > rados_gw_base_url = "put your RGW URL here. E.g. > http://server.com:port/something" > print("Executing test on: [%s]." % rados_gw_base_url) > > rados_gw_admin_context = "/admin" > > rados_gw_path = "/usage?stats=True" > > print("Rados GW admin context [%s] and path [%s] used." % > (rados_gw_admin_context, rados_gw_path)) > > rados_gw_request_url = urlparse.urljoin(rados_gw_base_url, '/admin') + > '/bucket?stats=True' > print("Rados GW request URL [%s]." % rados_gw_request_url) > > rados_gw_access_key_to_use = "put your access key here" > rados_gw_secret_key_to_use = "put your secret key here" > > rados_gw_host_name = urlparse.urlparse(rados_gw_request_url).netloc > print("Rados GW host: %s" % rados_gw_host_name) > module_name = "awsauth" > class_name = "S3Auth" > arguments = [rados_gw_access_key_to_use, rados_gw_secret_key_to_use, > rados_gw_host_name] > module = __import__(module_name) > class_ = getattr(module, class_name) > instance = class_(*arguments) > > r = requests.get( > rados_gw_request_url, > auth=instance, timeout=30) > #auth=awsauth.S3Auth(*arguments)) > > > if r.status_code != 200: > raise RGWAdminAPIFailed( > ('RGW AdminOps API returned %(status)s %(reason)s') % > {'status': r.status_code, 'reason': r.reason}) > > response_body = r.text > parsed_json = json.loads(response_body) > > print("Response cookies: [%s]." % r.cookies) > > radosGw_output_file = "/home//Downloads/radosGw-usage.json" > > if os.path.exists(radosGw_output_file): > os.remove(radosGw_output_file) > > with open(radosGw_output_file, "w") as file1: > file1.writelines(json.dumps(parsed_json, indent=4, sort_keys=True)) > file1.flush() > > exit(0) > > ``` > > > > On Thu, Sep 29, 2022 at 4:09 AM Taltavull Jean-Fran?ois < > jean-francois.taltavull at elca.ch> wrote: > > python > > Python 3.8.10 (default, Sep 28 2021, 16:10:42) > > [GCC 9.3.0] on linux > > Type "help", "copyright", "credits" or "license" for more information. 
> > >>> import awsauth > > >>> awsauth > > '/openstack/venvs/ceilometer-23.2.0/lib/python3.8/site-packages/awsauth.py'> > > >>> > > > > *From:* Rafael Weing?rtner > *Sent:* mercredi, 28 septembre 2022 18:40 > *To:* Taltavull Jean-Fran?ois > *Cc:* openstack-discuss > *Subject:* Re: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > > > *EXTERNAL MESSAGE *- This email comes from *outside ELCA companies*. > > Can you also execute the following: > > ``` > > python > > > > import awsauth > > > > awsauth > > ``` > > That will output a path, and then you can `cat `, example: `cat > /var/lib/kolla/venv/lib/python3.8/site-packages/awsauth.py` > > > > On Wed, Sep 28, 2022 at 1:21 PM Taltavull Jean-Fran?ois < > jean-francois.taltavull at elca.ch> wrote: > > I removed trailing ?/object-store/? from the last value of > authentication_parameters > > > > I also: > > - disabled s3 keystone auth in RGW > > - created a RGW ?admin? user with the right privileges to allow admin API > calls > > - put RGW in debug mode > > > > And here is what I get in RGW logs: > > > > get_usage > string_to_sign=GET > Wed, > 28 Sep 2022 16:15:45 > GMT > /admin/usage > > get_usage server signature=BlaBlaBlaBla > > get_usage client signature=BloBloBlo > > get_usage compare=-75 > > get_usage rgw::auth::s3::LocalEngine denied with reason=-2027 > > get_usage rgw::auth::s3::AWSAuthStrategy denied with reason=-2027 > > get_usage rgw::auth::StrategyRegistry::s3_main_strategy_t: trying > rgw::auth::s3::AWSAuthStrategy > > get_usage rgw::auth::s3::AWSAuthStrategy: trying rgw::auth::s3::LocalEngine > > > > *From:* Rafael Weing?rtner > *Sent:* mercredi, 28 septembre 2022 13:15 > *To:* Taltavull Jean-Fran?ois > *Cc:* openstack-discuss > *Subject:* Re: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > > > *EXTERNAL MESSAGE *- This email comes from *outside ELCA companies*. > > I think that the last parameter "/object-store/", should be only " > ". Can you test it? > > > > > > You are using EC2 credentials to authenticate in RGW. Did you enable the > Keystone integration in RGW? > > Also, as far as I know, this admin endpoint needs a RGW admin. I am not > sure if the Keystone and RGW integration would enable/make it possible for > someone to authenticate as an admin in RGW. Can you check it? To see if you > can call that endpoint with these credentials. > > > > On Wed, Sep 28, 2022 at 6:01 AM Taltavull Jean-Fran?ois < > jean-francois.taltavull at elca.ch> wrote: > > Pollster YML configuration : > > > > --- > > - name: "dynamic.radosgw.usage" > > sample_type: "gauge" > > unit: "B" > > value_attribute: "total.size" > > url_path: http:///object-store/admin/usage > > module: "awsauth" > > authentication_object: "S3Auth" > > authentication_parameters: ,,/object-store/ > > user_id_attribute: "user" > > project_id_attribute: "user" > > resource_id_attribute: "user" > > response_entries_key: "summary" > > > > ACCESS_KEY and SECRET_KEY have been created with ?openstack ec2 > credentials create?. > > > > Ceilometer central is deployed with OSA and it uses awsauth.py module. > > > > > > *From:* Rafael Weing?rtner > *Sent:* mercredi, 28 septembre 2022 02:01 > *To:* Taltavull Jean-Fran?ois > *Cc:* openstack-discuss > *Subject:* Re: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > > > *EXTERNAL MESSAGE *- This email comes from *outside ELCA companies*. 
> > Can you show your YML configuration? Also, did you install the AWS > authentication module in the container/host where Ceilometer central is > running? > > > > On Mon, Sep 26, 2022 at 12:58 PM Taltavull Jean-Fran?ois < > jean-francois.taltavull at elca.ch> wrote: > > Hello Rafael, > > > > Thanks for the information about ceilometer patches but for now I?m > testing with the credentials in the dynamic pollster config file. I will > use barbican when I push all this to production. > > > > The keystone authentication performed by the rados gw with the credentials > provided by ceilometer still does not work. I wonder if this could be a S3 > signature version issue on ceilometer side, that is on S3 client side. This > kind of issue exists with the s3 client ?s3cmd? and you have to add > ??signature-v2? so that ?s3cmd? works well. > > > > What do you think ? Do you know which version of S3 signature ceilometer > uses while authenticating ? > > > > *From:* Rafael Weing?rtner > *Sent:* mercredi, 7 septembre 2022 19:23 > *To:* Taltavull Jean-Fran?ois > *Cc:* openstack-discuss > *Subject:* Re: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > > > *EXTERNAL MESSAGE *- This email comes from *outside ELCA companies*. > > Jean, there are two problems with the Ceilometer. I just opened the > patches to resolve it: > - https://review.opendev.org/c/openstack/ceilometer/+/856305 > > - https://review.opendev.org/c/openstack/ceilometer/+/856304 > > > > Without these patches, you might have problems to use Ceilometer with > Non-OpenStack dynamic pollsters and barbican credentials. > > > > On Wed, Aug 31, 2022 at 3:55 PM Rafael Weing?rtner < > rafaelweingartner at gmail.com> wrote: > > It is the RGW user that you have. This user must have the role that is > needed to access the usage feature in RGW. If I am not mistaken, it > required an admin user. > > > > On Wed, Aug 31, 2022 at 1:54 PM Taltavull Jean-Fran?ois < > jean-francois.taltavull at elca.ch> wrote: > > Thanks to your help, I am close to the goal. Dynamic pollster is loaded > and triggered. > > > > But I get a ?Status[403] and reason [Forbidden]? in ceilometer logs while > requesting admin/usage. > > > > I?m not sure to understand well the auth mechanism. Are we talking about > keystone credentials, ec2 credentials, Rados GW user ?... > > > > For now, in testing phase, I use ?authentication_parameters?, not barbican. > > > > -JF > > > > *From:* Rafael Weing?rtner > *Sent:* mardi, 30 ao?t 2022 14:17 > *To:* Taltavull Jean-Fran?ois > *Cc:* openstack-discuss > *Subject:* Re: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > > > *EXTERNAL MESSAGE *- This email comes from *outside ELCA companies*. > > Yes, you will need to enable the metric/pollster to be processed. That is > done via "polling.yml" file. Also, do not forget that you will need to > configure Ceilometer to push this new metric. If you use Gnocchi as the > backend, you will need to change/update the gnocchi resource YML file. That > file maps resources and metrics in the Gnocchi backend. The configuration > resides in Ceilometer. You can create/define new resource types and map > them to specific metrics. It depends on how you structure your solution. > > P.S. You do not need to use "authentication_parameters". You can use the > barbican integration to avoid setting your credentials in a file. 
> > > > On Tue, Aug 30, 2022 at 9:11 AM Taltavull Jean-Fran?ois < > jean-francois.taltavull at elca.ch> wrote: > > Hello, > > > > I tried to define a Rados GW dynamic pollster and I can see, in Ceilometer > logs, that it?s actually loaded. But it looks like it was not triggered, I > see no trace of ceilometer connection in Rados GW logs. > > > > My definition: > > > > - name: "dynamic.radosgw.usage" > > sample_type: "gauge" > > unit: "B" > > value_attribute: "total.size" > > url_path: http:///object-store/swift/v1/admin/usage > > module: "awsauth" > > authentication_object: "S3Auth" > > authentication_parameters: xxxxxxxxxxxxx,yyyyyyyyyyyyy, > > user_id_attribute: "admin" > > project_id_attribute: "admin" > > resource_id_attribute: "admin" > > response_entries_key: "summary" > > > > Do I have to set an option in ceilometer.conf, or elsewhere, to get my > Rados GW dynamic pollster triggered ? > > > > -JF > > > > *From:* Taltavull Jean-Fran?ois > *Sent:* lundi, 29 ao?t 2022 18:41 > *To:* 'Rafael Weing?rtner' > *Cc:* openstack-discuss > *Subject:* RE: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > Thanks a lot for your quick answer, Rafael ! > > I will explore this approach. > > > > Jean-Francois > > > > *From:* Rafael Weing?rtner > *Sent:* lundi, 29 ao?t 2022 17:54 > *To:* Taltavull Jean-Fran?ois > *Cc:* openstack-discuss > *Subject:* Re: [Ceilometer] Pollster cannot get RadosGW metrics when API > endpoints are based on URL instead of port number > > > > > > *EXTERNAL MESSAGE *- This email comes from *outside ELCA companies*. > > You could use a different approach. You can use Dynamic pollster [1], and > create your own mechanism to collect data, without needing to change > Ceilometer code. Basically all hard-coded pollsters can be converted to a > dynamic pollster that is defined in YML. > > > > [1] > https://docs.openstack.org/ceilometer/latest/admin/telemetry-dynamic-pollster.html#the-dynamic-pollsters-system-configuration-for-non-openstack-apis > > > > > > On Mon, Aug 29, 2022 at 12:51 PM Taltavull Jean-Fran?ois < > jean-francois.taltavull at elca.ch> wrote: > > Hi All, > > In our OpenStack deployment, API endpoints are defined by using URLs > instead of port numbers and HAProxy forwards requests to the right bakend > after having ACLed the URL. > > In the case of our object-store service, based on RadosGW, the internal > API endpoint is "https:///object-store/swift/v1/AUTH_" > > When Ceilometer RadosGW pollster tries to connect to the RadosGW admin API > with the object-store internal endpoint, the URL becomes > https:///admin, as shown by HAProxy logs. This URL does not match > any API endpoint from HAProxy point of view. The line of code that rewrites > the URL is this one: > https://opendev.org/openstack/ceilometer/src/branch/stable/wallaby/ceilometer/objectstore/rgw.py#L81 > > What would you think of adding a mechanism based on new Ceilometer > configuration option(s) to control the URL rewriting ? 
> > Our deployment characteristics: > - OpenStack release: Wallaby > - Ceph and RadosGW version: 15.2.16 > - deployment tool: OSA 23.2.1 and ceph-ansible > > > Best regards, > Jean-Francois > > > > -- > > Rafael Weing?rtner > > > > -- > > Rafael Weing?rtner > > > > -- > > Rafael Weing?rtner > > > > -- > > Rafael Weing?rtner > > > > -- > > Rafael Weing?rtner > > > > -- > > Rafael Weing?rtner > > > > -- > > Rafael Weing?rtner > > > > -- > > Rafael Weing?rtner > > > > -- > > Rafael Weing?rtner > > > > -- > > Rafael Weing?rtner > -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From daniella.kalimumbalopgs at stu.cu.edu.ng Mon Oct 10 16:34:25 2022 From: daniella.kalimumbalopgs at stu.cu.edu.ng (Daniella kalimumbalo) Date: Mon, 10 Oct 2022 17:34:25 +0100 Subject: Search for openstack cloud billing dataset Message-ID: Openstack can monitor and bill the cloud users according to their resources consumption. I'm looking for a dataset for resources usage in an openstack cloud infrastructure, that contains the resources consumption metrics and bill of each end-user. That dataset will allow me to work on price prediction of cloud ressources using machine/ Deep learning.Please is it possible to get it? -------------- next part -------------- An HTML attachment was scrubbed... URL: From fungi at yuggoth.org Mon Oct 10 17:19:05 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Mon, 10 Oct 2022 17:19:05 +0000 Subject: [cloud-research-sig][ops] Search for openstack cloud billing dataset In-Reply-To: References: Message-ID: <20221010171905.ap3jesjmkk5ogyxm@yuggoth.org> [I'm keeping you in Cc since you don't appear to have subscribed to openstack-discuss, but please still reply to the list address.] On 2022-10-10 17:34:25 +0100 (+0100), Daniella kalimumbalo wrote: > Openstack can monitor and bill the cloud users according to their > resources consumption. I'm looking for a dataset for resources > usage in an openstack cloud infrastructure, that contains the > resources consumption metrics and bill of each end-user. That > dataset will allow me to work on price prediction of cloud > ressources using machine/ Deep learning.Please is it possible to > get it? You might consider reaching out to the Cloud Research SIG chair[*], since I expect this is in their SIG's area of interest. The awesome folks with the MOC Alliance[**] may also have data available to researchers (or be affiliated with organizations who do), based on some of the prior discussions I've been in, so it could be worthwhile to get in touch with them as well. [*] https://governance.openstack.org/sigs/ [**] https://massopen.cloud/ -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From gmann at ghanshyammann.com Mon Oct 10 20:20:14 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Mon, 10 Oct 2022 13:20:14 -0700 Subject: [all][tc] Technical Committee next weekly meeting on 2022 Oct 13 at 1500 UTC Message-ID: <183c38e1c91.112e685a2494298.7607084177217213450@ghanshyammann.com> Hello Everyone, The technical Committee's next weekly meeting is scheduled for 2022 Oct 13, at 1500 UTC. If you would like to add topics for discussion, please add them to the below wiki page by Wednesday, Oct 12 at 2100 UTC. 
https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting -gmann From dwilde at redhat.com Mon Oct 10 20:27:00 2022 From: dwilde at redhat.com (Dave Wilde) Date: Mon, 10 Oct 2022 15:27:00 -0500 Subject: [keystone][PTG] Virtual PTG Planning Message-ID: <7b60cd45-900d-cdaa-172c-af211ffa4ef6@redhat.com> Hello all, Our PTG etherpad is live [1], please feel free add any topics you'd like to discuss.? I have reserved two 1 hour time slots on both Monday and Wednesday as well as an operator hour on Friday: 17-Oct 13:00-15:00 UTC (Mitaka) 19-Oct 13:00-15:00 UTC (Newton) 21-Oct 13:00-14:00 UTC (Mitaka) [1]: https://etherpad.opendev.org/p/antelope-ptg-keystone Hope to see you there! Thanks, /Dave Wilde (d34dh0r53) From juliaashleykreger at gmail.com Mon Oct 10 20:43:52 2022 From: juliaashleykreger at gmail.com (Julia Kreger) Date: Mon, 10 Oct 2022 13:43:52 -0700 Subject: [PTG][PTL][Ops] PTG Etherpads and information discovery Message-ID: Greetings folks! We're a little under a week out from the PTG and I came to the realization on a call earlier today that it is a bit difficult to discover relationships between "operator hour" sessions and related projects. Further compounded by the auto-created etherpad links on the PTG website[0]. That being said, it seems we need to make things a little easier to discover by cross-linking in some places, as well as ensuring the correct etherpads are being referenced. If your a PTL: * Please review the links on the PTG etherpad list[0]. If the link is not correct, please use the ptgbot to update it. Be careful to check the prior etherpad for content! * If you have an operator hour scheduled as well, please be mindful that we've already saved the etherpad links to [1] and some of the etherpads already have content. If you intend to use another etherpad, please link and make the information/content discoverable on the primary operator etherpad[1]. Operators and those who have questions for Operators: * The central etherpad of operator hour etherpads is an additional etherpad[1]. * Please add topics to specific operator hour sessions that you feel are appropriate or pertinent. Examples would include: "What versions do you run?" "Downstream patches that made your life easier?" "This $issue issue causes us lots of pain, we would love to see it fixed." Thanks everyone! -Julia [0]: https://ptg.opendev.org/etherpads.html [1]: https://etherpad.opendev.org/p/oct2022-ptg-openstack-ops From gmann at ghanshyammann.com Mon Oct 10 23:59:51 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Mon, 10 Oct 2022 16:59:51 -0700 Subject: [ptl][tc][ops][ptg] Operator + Developers interaction (operator-hours) slots in 2023.1 Antelope PTG In-Reply-To: <182ff0b3957.11971b8a0597684.4259447734459743811@ghanshyammann.com> References: <182ff0b3957.11971b8a0597684.4259447734459743811@ghanshyammann.com> Message-ID: <183c4572f13.b4d37d16497728.5063772169693971213@ghanshyammann.com> ---- On Fri, 02 Sep 2022 09:31:41 -0700 Ghanshyam Mann wrote --- > Hello Everyone/PTL, > > ... > We request every projects to book at least one 'operator hours' slot for operators to join your PTG slot. > Ping me in #openstack-tc or #openinfra-events IRC channel for any query. 10 projects have reserved the 'operator hours' which is a good number but still projects have not booked yet, please do it ASAP. use the placeholder to avoid the conflict with other projects operator hours. Also, request you all to spread the operator hours to community and operators via ML or twitter. 
-gmann > > [1] https://ptg.opendev.org/ptg.html > > -gmann > > From arxcruz at redhat.com Tue Oct 11 07:32:33 2022 From: arxcruz at redhat.com (Arx Cruz) Date: Tue, 11 Oct 2022 09:32:33 +0200 Subject: [tripleo] Gate blocker In-Reply-To: References: Message-ID: Hello, The gates are unblocked! Kind regards, Arx Cruz On Mon, Oct 10, 2022 at 11:25 AM Arx Cruz wrote: > Hello, > > We have a gate blocker due https://bugs.launchpad.net/tripleo/+bug/1992305 > please do not recheck jobs until > https://review.opendev.org/c/openstack/tripleo-quickstart/+/860810 get > merged. > I will let you know when gates are green again. > > -- > > Arx Cruz > > Software Engineer > > Red Hat EMEA > > arxcruz at redhat.com > @RedHat Red Hat > Red Hat > > > -- Arx Cruz Software Engineer Red Hat EMEA arxcruz at redhat.com @RedHat Red Hat Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: From ralonsoh at redhat.com Tue Oct 11 07:50:49 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Tue, 11 Oct 2022 09:50:49 +0200 Subject: [neutron] Antelope PTG, agenda and schedule Message-ID: Hello Neutrinos: Please check the agenda and schedule for the Antelope PTG: https://etherpad.opendev.org/p/neutron-antelope-ptg Some tips: * Remember that on Monday we have the TC sessions. * The first Neutron meeting is on Tuesday. * The Nova-Neutron cross-project sessions are on Thursday (13 - 15 UTC). * The Neutron operator hour is on Friday. See you next week! Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkopec at redhat.com Tue Oct 11 10:54:38 2022 From: mkopec at redhat.com (Martin Kopec) Date: Tue, 11 Oct 2022 12:54:38 +0200 Subject: [qa][ptg] Virtual PTG Planning In-Reply-To: References: Message-ID: Hi there, we have booked the following slots: * Monday (Oct 17th) 14-15 UTC (1 hour) @ icehouse * Tuesday (Oct 18th) 7-8 UTC (1 hour) @ icehouse In case we'll see a need for more, we can always book something else later. See you next week, On Fri, 30 Sept 2022 at 16:48, Martin Kopec wrote: > So far we have the following 4 topics: > * Retrospective > * S-RBAC > * Clean up deprecated lib/neutron code > * Decide which job variant should become the new tempest default > > Feel free to add any other topic, you would like to discuss, to our ptg > etherpad [1]. > We haven't booked any time slots yet, before that, I wanted to make sure > that we have all topics gathered so that we can plan enough time to cover > them all. > We'll book the slots next week, so hurry up :) > > See you soon, > > On Thu, 22 Sept 2022 at 00:46, Martin Kopec wrote: > >> Hello everyone, >> >> here is [1] our etherpad for Antelope PTG. Please, add your topics there >> if there is anything you would like to discuss / propose ... >> You can also vote for time slots of our sessions so that they fit your >> schedule at [2]. >> We will go with 3 maybe 4 one hour slots, depending on the number of >> topics. >> >> [1] https://etherpad.opendev.org/p/qa-antelope-ptg >> [2] https://framadate.org/dC2AEBTq8b5rAkvv >> >> Thanks, >> -- >> Martin Kopec >> Senior Software Quality Engineer >> Red Hat EMEA >> IM: kopecmartin >> >> >> >> > > -- > Martin > -- Martin -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Tue Oct 11 11:08:10 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Tue, 11 Oct 2022 12:08:10 +0100 Subject: [kolla-ansible][Xena] SSL certificate expired In-Reply-To: References: Message-ID: Anyone??? Le lun. 
10 oct. 2022 ? 12:21, wodel youchi a ?crit : > Hi, > > I tried to deploy a new certificate using :kolla-ansible reconfigure > But I got : > > "module_stderr": "*Failed to discover available identity versions when > contacting https://dashint.cloud.exemple.com:35357 > *. Attemptin > g to parse version from URL.\nTraceback (most recent call last):\n File > \"/opt/ansible/lib/python3.6/site-packages/urllib3/connectio > npool.py\", line 706, in urlopen\n chunked=chunked,\n File > \"/opt/ansible/lib/python3.6/site-packages/urllib3/connectionpool.py\" > , line 382, in _make_request\n self._validate_conn(conn)\n File > \"/opt/ansible/lib/python3.6/site-packages/urllib3/connectionpool > .py\", line 1010, in _validate_conn\n conn.connect()\n File > \"/opt/ansible/lib/python3.6/site-packages/urllib3/connection.py\", l > ine 421, in connect\n tls_in_tls=tls_in_tls,\n File > \"/opt/ansible/lib/python3.6/site-packages/urllib3/util/ssl_.py\", line 450, > in ssl_wrap_socket\n sock, context, tls_in_tls, > server_hostname=server_hostname\n File > \"/opt/ansible/lib/python3.6/site-packages > /urllib3/util/ssl_.py\", line 493, in _ssl_wrap_socket_impl\n return > ssl_context.wrap_socket(sock, server_hostname=server_hostname > )\n File \"/usr/lib64/python3.6/ssl.py\", line 365, in wrap_socket\n > _context=self, _session=session)\n File \"/usr/lib64/python > 3.6/ssl.py\", line 776, in __init__\n self.do_handshake()\n File > \"/usr/lib64/python3.6/ssl.py\", line 1036, in do_handshake\n > self._sslobj.do_handshake()\n File \"/usr/lib64/python3.6/ssl.py\", line > 648, in do_handshake\n self._sslobj.do_handshake()\nssl > .*SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed* > > Some help please > > > > Regards. > > Le dim. 9 oct. 2022 ? 16:19, wodel youchi a > ?crit : > >> Hi, >> >> My SSL certificate has expired, and now I cannot authenticate into >> horizon and I have these errors : >> *WARNING keystoneauth.identity.generic.base [-] Failed to discover >> available identity versions when contacting >> https://dashint.cloud.exemple.com:35357 >> . Attempting to parse version from >> URL.: keystoneauth1.exceptions.connection.SSLError: SSL exception >> connecting to https:// dashint.cloud.exemple.com >> :35357: HTTPSConnectionPool(host=' >> dashint.cloud.exemple.com ', port=35357): >> Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: >> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))* >> >> In my globals.yml I have this parameter : >> kolla_verify_tls_backend: "no" >> >> 1 - How do I disable SSL verification for now? >> 2 - How to install a new SSL certificate? >> >> >> >> Regards. >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From kkchn.in at gmail.com Tue Oct 11 12:08:43 2022 From: kkchn.in at gmail.com (KK CHN) Date: Tue, 11 Oct 2022 17:38:43 +0530 Subject: DC DR Setup Queries Message-ID: List, We are having a client DC running on HP( HP simplivity) HCI servers, With VMware ( Vsphere 7.0) only few VMs running on it. (11 VMs maximum all Linux VMs). The DR site also having the same HCI setup another location. ( The VMs are replicated to DR site with HP simplivity). We are planning to use Openstack for both DC and DR solutions with Wallaby or Xena version with KVM as hypervisor to replace the proprietary S/W and H/W vendor locking. The requirement is to Setup a Stable DC- DR solution. Totally confused How to setup a best Dc- DR solution for this purpose. 
The DR setup can be possible / advisable with Zero down time ?( or manual DR site uping with downtime of hours ) ? What are the available/suggested DC-DR replication mechanisms for high degree of application data protection and service availability? Kindly advise.. Thanks in advance, Krish -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Tue Oct 11 12:33:35 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Tue, 11 Oct 2022 13:33:35 +0100 Subject: [kolla-ansible][Xena] SSL certificate expired In-Reply-To: References: Message-ID: Hi, I disabled TLS in globals.yml then tried to deploy openstack, but it does not work, the deployment still uses https. How can I make a workaround? Le mar. 11 oct. 2022 ? 12:08, wodel youchi a ?crit : > Anyone??? > > Le lun. 10 oct. 2022 ? 12:21, wodel youchi a > ?crit : > >> Hi, >> >> I tried to deploy a new certificate using :kolla-ansible reconfigure >> But I got : >> >> "module_stderr": "*Failed to discover available identity versions when >> contacting https://dashint.cloud.exemple.com:35357 >> *. Attemptin >> g to parse version from URL.\nTraceback (most recent call last):\n File >> \"/opt/ansible/lib/python3.6/site-packages/urllib3/connectio >> npool.py\", line 706, in urlopen\n chunked=chunked,\n File >> \"/opt/ansible/lib/python3.6/site-packages/urllib3/connectionpool.py\" >> , line 382, in _make_request\n self._validate_conn(conn)\n File >> \"/opt/ansible/lib/python3.6/site-packages/urllib3/connectionpool >> .py\", line 1010, in _validate_conn\n conn.connect()\n File >> \"/opt/ansible/lib/python3.6/site-packages/urllib3/connection.py\", l >> ine 421, in connect\n tls_in_tls=tls_in_tls,\n File >> \"/opt/ansible/lib/python3.6/site-packages/urllib3/util/ssl_.py\", line 450, >> in ssl_wrap_socket\n sock, context, tls_in_tls, >> server_hostname=server_hostname\n File >> \"/opt/ansible/lib/python3.6/site-packages >> /urllib3/util/ssl_.py\", line 493, in _ssl_wrap_socket_impl\n return >> ssl_context.wrap_socket(sock, server_hostname=server_hostname >> )\n File \"/usr/lib64/python3.6/ssl.py\", line 365, in wrap_socket\n >> _context=self, _session=session)\n File \"/usr/lib64/python >> 3.6/ssl.py\", line 776, in __init__\n self.do_handshake()\n File >> \"/usr/lib64/python3.6/ssl.py\", line 1036, in do_handshake\n >> self._sslobj.do_handshake()\n File \"/usr/lib64/python3.6/ssl.py\", >> line 648, in do_handshake\n self._sslobj.do_handshake()\nssl >> .*SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed* >> >> Some help please >> >> >> >> Regards. >> >> Le dim. 9 oct. 2022 ? 16:19, wodel youchi a >> ?crit : >> >>> Hi, >>> >>> My SSL certificate has expired, and now I cannot authenticate into >>> horizon and I have these errors : >>> *WARNING keystoneauth.identity.generic.base [-] Failed to discover >>> available identity versions when contacting >>> https://dashint.cloud.exemple.com:35357 >>> . Attempting to parse version from >>> URL.: keystoneauth1.exceptions.connection.SSLError: SSL exception >>> connecting to https:// dashint.cloud.exemple.com >>> :35357: HTTPSConnectionPool(host=' >>> dashint.cloud.exemple.com ', port=35357): >>> Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: >>> CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))* >>> >>> In my globals.yml I have this parameter : >>> kolla_verify_tls_backend: "no" >>> >>> 1 - How do I disable SSL verification for now? >>> 2 - How to install a new SSL certificate? 
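A couple of checks that usually help in this situation: first confirm what certificate the VIP is actually serving and when it expired, then make sure the replacement PEM is in place before re-running kolla-ansible, since the reconfigure run itself talks to the Keystone endpoint over HTTPS and can fail with the CERTIFICATE_VERIFY_FAILED error shown above. A rough sketch, using the FQDN/port from that error message; the /etc/kolla/certificates paths and the openstack_cacert option are assumptions based on a default Xena layout, so verify them against your globals.yml:

```
# What is the VIP serving right now, and when did it expire?
openssl s_client -connect dashint.cloud.exemple.com:35357 </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates

# Assumed default locations for the combined cert+key PEM that haproxy serves:
#   /etc/kolla/certificates/haproxy.pem            (external VIP)
#   /etc/kolla/certificates/haproxy-internal.pem   (internal VIP, if TLS is enabled there)
# After replacing the PEM (and pointing openstack_cacert at a CA bundle that trusts it):
kolla-ansible -i <inventory> reconfigure
```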
>>> >>> >>> >>> Regards. >>> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From dwilde at redhat.com Tue Oct 11 12:45:55 2022 From: dwilde at redhat.com (Dave Wilde) Date: Tue, 11 Oct 2022 07:45:55 -0500 Subject: [keystone][PTG] Virtual PTG Planning In-Reply-To: <7b60cd45-900d-cdaa-172c-af211ffa4ef6@redhat.com> References: <7b60cd45-900d-cdaa-172c-af211ffa4ef6@redhat.com> Message-ID: One correction to make, I have moved the operator hours from 13:00-14:00 on Friday 21-Oct to 15:00-16:00 to avoid conflicts with the neutron operator hours. Thanks, /Dave Wilde (d34dh0r53) On 10/10/22 15:27, Dave Wilde wrote: > Hello all, > > Our PTG etherpad is live [1], please feel free add any topics you'd > like to discuss.? I have reserved two 1 hour time slots on both Monday > and Wednesday as well as an operator hour on Friday: > > 17-Oct 13:00-15:00 UTC (Mitaka) > 19-Oct 13:00-15:00 UTC (Newton) > 21-Oct 13:00-14:00 UTC (Mitaka) > > [1]: https://etherpad.opendev.org/p/antelope-ptg-keystone > > Hope to see you there! > > Thanks, > > /Dave Wilde (d34dh0r53) From senrique at redhat.com Tue Oct 11 01:41:59 2022 From: senrique at redhat.com (Sofia Enriquez) Date: Mon, 10 Oct 2022 22:41:59 -0300 Subject: [outreachy][cinder]questions about project"create API reference request/response samples" In-Reply-To: References: Message-ID: Hi Chelsy Lan, how are you? I'm on PTO, that's why I'm not on IRC. I'll be back tomorrow. Anyway, feel free to write your questions on the Cinder channel and hopefully, a cinder member will reply to you. Regarding the IP error: Are you using VirtualBox? Please try to run `./clean`, then `/.unstack` and then `./stack` again. Regards, Sofia On Mon, Oct 10, 2022 at 12:16 PM olive tree wrote: > Hi Cinder Team: > I'm an applicant for Outreachy internship program. I've set up a Gerrit > account successfully and deployed Devstack in a virtual environment. > However, there are a few questions I would like to ask: > > 1. I failed to find enriquetaso in #openstack-cinder OFTC IRC channel, > the list is as follows, I suppose maybe the reason is some steps were wrong > or she changed into another username. > [image: image.png] > 2.when I created a local.conf and statrted the install under instructions > in https://docs.openstack.org/devstack/latest/, I got this error: devstack/stackrc:834 > Could not determine host ip address. See local.conf for suggestions on > setting HOST_IP. i searched it in Google but can't find effective > solution. > > Thank you for reading this email! I hope my questions will not bother you > too much. I really appreciate it if you could answer them. > > Best regards, > Chelsy Lan > -- Sof?a Enriquez she/her Software Engineer Red Hat PnT IRC: @enriquetaso @RedHat Red Hat Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 181641 bytes Desc: not available URL: From rdhasman at redhat.com Tue Oct 11 13:16:59 2022 From: rdhasman at redhat.com (Rajat Dhasmana) Date: Tue, 11 Oct 2022 18:46:59 +0530 Subject: [outreachy][cinder]questions about project"create API reference request/response samples" In-Reply-To: References: Message-ID: Hi Olive, On Mon, Oct 10, 2022 at 8:51 PM olive tree wrote: > Hi Cinder Team: > I'm an applicant for Outreachy internship program. I've set up a Gerrit > account successfully and deployed Devstack in a virtual environment. 
> However, there are a few questions I would like to ask: > > 1. I failed to find enriquetaso in #openstack-cinder OFTC IRC channel, > the list is as follows, I suppose maybe the reason is some steps were wrong > or she changed into another username. > > 2.when I created a local.conf and statrted the install under instructions > in https://docs.openstack.org/devstack/latest/, I got this error: devstack/stackrc:834 > Could not determine host ip address. See local.conf for suggestions on > setting HOST_IP. i searched it in Google but can't find effective > solution. > > Try adding this line in your local.conf and run stack.sh again. The error should be resolved. *HOST_IP=127.0.0.1* For any further query, or if Sofia is not around, you can find me on #openstack-cinder IRC channel with the nick *whoami-rajat*. > Thank you for reading this email! I hope my questions will not bother you > too much. I really appreciate it if you could answer them. > > Best regards, > Chelsy Lan > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rdhasman at redhat.com Tue Oct 11 13:15:05 2022 From: rdhasman at redhat.com (Rajat Dhasmana) Date: Tue, 11 Oct 2022 18:45:05 +0530 Subject: [outreachy][cinder]questions about project"create API reference request/response samples" In-Reply-To: References: Message-ID: Hi Olive, On Mon, Oct 10, 2022 at 8:51 PM olive tree wrote: > Hi Cinder Team: > I'm an applicant for Outreachy internship program. I've set up a Gerrit > account successfully and deployed Devstack in a virtual environment. > However, there are a few questions I would like to ask: > > 1. I failed to find enriquetaso in #openstack-cinder OFTC IRC channel, > the list is as follows, I suppose maybe the reason is some steps were wrong > or she changed into another username. > [image: image.png] > 2.when I created a local.conf and statrted the install under instructions > in https://docs.openstack.org/devstack/latest/, I got this error: devstack/stackrc:834 > Could not determine host ip address. See local.conf for suggestions on > setting HOST_IP. i searched it in Google but can't find effective > solution. > > Try adding this line in your local.conf and run stack.sh again. The error should be resolved. *HOST_IP=127.0.0.1* For any further query, or if Sofia is not around, you can find me on #openstack-cinder IRC channel with the nick *whoami-rajat*. > Thank you for reading this email! I hope my questions will not bother you > too much. I really appreciate it if you could answer them. > > Best regards, > Chelsy Lan > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 181641 bytes Desc: not available URL: From eblock at nde.ag Tue Oct 11 14:16:30 2022 From: eblock at nde.ag (Eugen Block) Date: Tue, 11 Oct 2022 14:16:30 +0000 Subject: [metadata agent & keystone] Remote metadata server experienced an internal error? In-Reply-To: <2610420.159983.1665021619542.JavaMail.root@mailwas2> Message-ID: <20221011141630.Horde.Kba5CrMRH1OhO5TGrGCTMaq@webmail.nde.ag> Does the compute node where that VM is running have correct neutron config (e.g. metadata secret etc.)? Are all VMs affected or do some of them work? Is the neutron-metadata-agent active? Does it log anything useful? Zitat von ??? : > Hello > > I've? installed openstack cluster with ovn and neutron ovn metadata agent. 
> > Problem is that my VM instances cannot get metadata from metadata agent > > When I try "curl http://169.254.169.254/latest" from VM instance, I get: > > -------------------------------------------------------------------------------------------------- > > > > ? > > ? ? 500 Internal Server Error > > ? > > ? > > ? ?

> > 500 Internal Server Error
> >
> > Remote metadata server experienced an internal server error.
> > ? > > > > -------------------------------------------------------------------------------------------------- > > Only relevant log I could find was in > /var/log/keystone/keystone-wsgi-public.log file. > > -------------------------------------------------------------------------------------------------- > > 2022-10-06 01:49:03.895 3250739 WARNING keystone.server.flask.application > [req-93c1717a-2868-4553-878e-5afd71738195 - - - - -] Authorization failed. > The request you have made requires authentication. from 10.0.10.21: > keystone.exception.Unauthorized: The request you have made requires > authentication. > > -------------------------------------------------------------------------------------------------- > > Everytime I try "curl http://169.254.169.254/latest" inside VM instance, > that "keystone.exception.Unauthorized: The request you have made requires > authentication." log popped up in keystone-wsgi-public.log file. > > It seems like keystone auth related problem, but I can log in to horizon, > create/delete instances, and do other things just fine. > > Only having problem with metadata agent now > > Thank you From tobias.rydberg at cleura.com Tue Oct 11 14:21:01 2022 From: tobias.rydberg at cleura.com (Tobias Rydberg) Date: Tue, 11 Oct 2022 16:21:01 +0200 Subject: [publiccloud-sig] Bi-weekly meeting reminder Message-ID: Hi everyone, Tomorrow it's time again for our bi-weekly meeting, 0800 UTC in #openstack-operators. Notes from previous meeting can be found here [0]. At the same time I would like to push a bit for the operator-focused sessions at the PTG next week. Kendall put together a blogpost [1] where she highlighted them to make it easy for us to find them. Hope to chat with you tomorrow! [0] https://etherpad.opendev.org/p/publiccloud-sig-meeting [1] https://www.openstack.org/blog/calling-all-openstack-operators-the-ptg-starts-monday-and-the-community-needs-your-input/ BR, Tobias Rydberg -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3626 bytes Desc: S/MIME Cryptographic Signature URL: From mrunge at matthias-runge.de Tue Oct 11 15:07:55 2022 From: mrunge at matthias-runge.de (Matthias Runge) Date: Tue, 11 Oct 2022 17:07:55 +0200 Subject: [telemetry][ptg] Virtual PTG Planning Message-ID: <35d752bc-e89b-10d2-2e9f-a73315e7bc17@matthias-runge.de> Hi all, We have two slots for the upcoming PTG and etherpad populated[1]. Please feel encouraged to bring up what you'd think needs discussing. Tuesday, Oct 18 14 UTC Tuesday, Oct 18 15 UTC The full schedule can be found at [2]. [1] https://etherpad.opendev.org/p/oct2022-ptg-telemetry [2] https://ptg.opendev.org/ptg.html#sTuesday Best, Matthias From pierre at stackhpc.com Tue Oct 11 16:02:35 2022 From: pierre at stackhpc.com (Pierre Riteau) Date: Tue, 11 Oct 2022 18:02:35 +0200 Subject: [blazar][ptg] Virtual PTG Planning Message-ID: Hello, We have a meeting slot for Blazar in the upcoming PTG: Thursday, October 20, 2022 from 14:00 to 16:00 UTC, in the Diablo room. Please consult the Etherpad for this session [1] and add any topics you would like to discuss. [1] https://etherpad.opendev.org/p/oct2022-ptg-blazar Cheers, Pierre Riteau (priteau) -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From jay at gr-oss.io Tue Oct 11 16:53:31 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Tue, 11 Oct 2022 09:53:31 -0700 Subject: [ironic][stable] Proposing EOL of ironic project branches older than Wallaby In-Reply-To: References: Message-ID: We discussed stable branches in the most recent ironic meeting ( https://meetings.opendev.org/meetings/ironic/2022/ironic.2022-10-10-15.01.log.txt). The decision was made to do the following: EOL these branches: - stable/queens - stable/rocky - stable/stein Reduce testing considerably on these branches, and only backport critical bugfixes or security bugfixes: - stable/train - stable/ussuri - stable/victoria Our remaining branches will continue to get most eligible patches backported to them. This email, plus earlier communications including a tweet, will serve as notice that these branches are being EOL'd. Thanks, Jay Faulkner On Tue, Oct 4, 2022 at 11:18 AM Jay Faulkner wrote: > Hi all, > > Ironic has a large amount of stable branches still in EM. We need to take > action to ensure those branches are either retired or have CI repaired to > the point of being usable. > > Specifically, I'm looking at these branches across all Ironic projects: > - stable/queens > - stable/rocky > - stable/stein > - stable/train > - stable/ussuri > - stable/victoria > > In lieu of any volunteers to maintain the CI, my recommendation for all > the branches listed above is that they be marked EOL. If someone wants to > volunteer to maintain CI for those branches, they can propose one of the > below paths be taken instead: > > 1 - Someone volunteers to maintain these branches, and also report the > status of CI of these older branches periodically on the Ironic whiteboard > and in Ironic meetings. If you feel strongly that one of these branches > needs to continue to be in service; volunteering in this way is how to save > them. > > 2 - We seriously reduce CI. Basically removing all tempest tests to ensure > that CI remains reliable and able to merge emergency or security fixes when > needed. In some cases; this still requires CI fixes as some older inspector > branches are failing *installing packages* in unit tests. I would still > like, in this case, that someone volunteers to ensure the minimalist CI > remains happy. > > My intention is to let this message serve as notice and a waiting period; > and if I've not heard any response here or in Monday's Ironic meeting (in 6 > days), I will begin taking action on retiring these branches. > > This is simply a start; other branches (including bugfix branches) are > also in bad shape in CI, but getting these retired will significantly > reduce the surface area of projects and branches to evaluate. > > I know it's painful to drop support for these branches; but we've provided > good EM support for these branches for a long time and by pruning them > away, we'll be able to save time to dedicate to other items. > > Thanks, > Jay Faulkner > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tkoust21 at student.aau.dk Tue Oct 11 17:35:24 2022 From: tkoust21 at student.aau.dk (Thor Christian Koustrup) Date: Tue, 11 Oct 2022 17:35:24 +0000 Subject: can't launch instance Message-ID: <088d92e055e14679976d7f0815b4b398@student.aau.dk> Hello Strato I am facing a problem, I can't launch Instance. I hope you can help me solve this problem. 
The error massage: "Error: Failed to perform requested operation on instance "moveboks", the instance has an error status: Please try again later [Error: Build of instance 94ebaf03-0aed-4def-bd85-4a7c4ca2e67c aborted: Volume f1a64df6-384e-4f92-b6f9-0092193a5817 did not finish being created even after we waited 0 seconds or 1 attempts. And its status is error.]." Best regards Thor koustrup Student AAU-Copenhagen -------------- next part -------------- An HTML attachment was scrubbed... URL: From noonedeadpunk at gmail.com Tue Oct 11 19:26:44 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Tue, 11 Oct 2022 22:26:44 +0300 Subject: can't launch instance In-Reply-To: <088d92e055e14679976d7f0815b4b398@student.aau.dk> References: <088d92e055e14679976d7f0815b4b398@student.aau.dk> Message-ID: Hi there, It worth checking cinder-volume logs, I believe real issue why create ends up with error. Otherwise it's impossible to tell what's the actual reason. Also worth checking that "openstack volume service list" show all services as UP ??, 11 ???. 2022 ?., 20:45 Thor Christian Koustrup : > Hello Strato > > I am facing a problem, I can't launch Instance. I hope you can help me > solve this problem. > > The error massage: > "*Error: *Failed to perform requested operation on instance "moveboks", > the instance has an error status: Please try again later [Error: Build of > instance 94ebaf03-0aed-4def-bd85-4a7c4ca2e67c aborted: Volume > f1a64df6-384e-4f92-b6f9-0092193a5817 did not finish being created even > after we waited 0 seconds or 1 attempts. And its status is error.]." > > Best regards > Thor koustrup > Student AAU-Copenhagen > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jay at gr-oss.io Tue Oct 11 22:41:24 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Tue, 11 Oct 2022 15:41:24 -0700 Subject: [ironic] No meeting Monday 10/7; pre-emptied by PTG Message-ID: Our weekly meeting, scheduled for Monday October 17th, is cancelled to permit contributors to attend PTG sessions without worrying about our meeting. Thanks, Jay Faulkner -------------- next part -------------- An HTML attachment was scrubbed... URL: From ces.eduardo98 at gmail.com Tue Oct 11 23:04:00 2022 From: ces.eduardo98 at gmail.com (Carlos Silva) Date: Tue, 11 Oct 2022 20:04:00 -0300 Subject: [PTG][manila] Virtual PTG planning Message-ID: Hello, Zorillas and interested stackers! As mentioned in the previous weekly meeting, the agenda for the next week's PTG is being worked on. I already have a draft with the topic proposals and some time slots [1], please take a look and if you would like some topics to be moved around, please let me know. The agenda on Thursday is likely mutable, considering that this is the day that we might have some cross-project discussions. [1] https://etherpad.opendev.org/p/antelope-ptg-manila Thanks, carloss -------------- next part -------------- An HTML attachment was scrubbed... URL: From folacarine at gmail.com Wed Oct 12 05:09:53 2022 From: folacarine at gmail.com (fola fomduwir carine) Date: Wed, 12 Oct 2022 06:09:53 +0100 Subject: Outreachy Message-ID: An HTML attachment was scrubbed... 
URL: From thierry at openstack.org Wed Oct 12 06:40:55 2022 From: thierry at openstack.org (Thierry Carrez) Date: Wed, 12 Oct 2022 08:40:55 +0200 Subject: [largescale-sig] Next meeting: today October 12th, 15utc Message-ID: <5bb33766-2427-3f18-be3a-0793e757d07b@openstack.org> Hi everyone, Sorry for the late reminder: the Large Scale SIG will be meeting today (Wednesday) in #openstack-operators on OFTC IRC, at 15UTC. You can check how that time translates locally at: https://www.timeanddate.com/worldclock/fixedtime.html?iso=20221012T15 Feel free to add topics to the agenda: https://etherpad.openstack.org/p/large-scale-sig-meeting Regards, -- Thierry Carrez From arxcruz at redhat.com Wed Oct 12 07:38:45 2022 From: arxcruz at redhat.com (Arx Cruz) Date: Wed, 12 Oct 2022 09:38:45 +0200 Subject: [tripleo] Gate blocker Message-ID: Hello, We are facing another gate blocker related to package dependencies https://bugs.launchpad.net/tripleo/+bug/1992560, please do not recheck your patches. We are working to fix the issue. Kind regards, -- Arx Cruz Software Engineer Red Hat EMEA arxcruz at redhat.com @RedHat Red Hat Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbauza at redhat.com Wed Oct 12 08:09:17 2022 From: sbauza at redhat.com (Sylvain Bauza) Date: Wed, 12 Oct 2022 10:09:17 +0200 Subject: [nova][placement] Nova meetings CANCELLED for Oct-18 and Nov-1 Message-ID: Given next week the PTG will be, we will cancel the next nova meeting (Oct 18) Also, on Nov 1st, most of the contributors are on holiday, so we will also cancel this other meeting. Thanks, -Sylvain -------------- next part -------------- An HTML attachment was scrubbed... URL: From lucasagomes at gmail.com Wed Oct 12 09:00:14 2022 From: lucasagomes at gmail.com (Lucas Alvares Gomes) Date: Wed, 12 Oct 2022 10:00:14 +0100 Subject: [neutron] Bug Deputy Report October 03 - 10 Message-ID: Hi, This is the Neutron bug report from October 3rd to 10th. Needs further triage: * https://bugs.launchpad.net/neutron/+bug/1992161 - "Unknown quota resource security_group_rule in neutron-rpc-server" - Unassigned Medium: * https://bugs.launchpad.net/neutron/+bug/1991817 - "OVN metadata agent liveness system generate OVN SBDB usage peak" - Assigned to: Krzysztof Tomaszewski * https://bugs.launchpad.net/neutron/+bug/1992109 - "Possible race condition when port unplugged from ovs" - Assigned to: Arnaud Morin * https://bugs.launchpad.net/neutron/+bug/1992352 - "[OVN] POST requests stucks when rabbitmq is not available" - Unassigned Wishlist: * https://bugs.launchpad.net/neutron/+bug/1991965 - " [RFE] Strict minimum bandwidth support for tunnelled networks" - Assigned to: Rodolfo Alonso Cheers, Lucas -------------- next part -------------- An HTML attachment was scrubbed... URL: From kkchn.in at gmail.com Wed Oct 12 09:37:44 2022 From: kkchn.in at gmail.com (KK CHN) Date: Wed, 12 Oct 2022 15:07:44 +0530 Subject: DC DR Setup Queries In-Reply-To: References: Message-ID: few more points to clarify... 1. The VMs in a DataCentre must auto migrated to the DR setup. ( Also the updates / writes to VMs in production in DC should be reflected to the DR copies of VMs like incremental backups. How to achieve this / or what needs to be employed to achieve this requirement. ( What all are the S/W and H/W requirements to achieve the above setup if both DC and DR is planned use OpenStack latest version/s Wallaby/ Xena/ yoga ? ) 2. 
In the above setups once the DC down or stopped for maintenance, How the IP addresses of each VMs is managed automatically to make all the (application/database server) VMs up and running in DR in case DC down . Is this can be automated? how? Eg: When a VM say X is running in DC it may have an IP 10.10.0. X when it is replicated in DR then it will be with the same IP address right (10.0.0.2) ? But DR Network may be different and cannot have the same IP address as DC right ? Do we need to manually set an IP (Say 10.20.0.X )for each VM which is going to run from the DR site ? Then what about the firewall rules in DR do we need to manipulate for each VM for making the DR up ? Is there a way to automate this ? OR what the automatic mechanism to handle this IP setting up issue ? How normally folks manage this scenario ? Also once your DC site recovered, then We need to Fail back to the DC site from DR with all changes happened to the VMs in DR must be reflected back to the DC site and Fail back.. .How to achieve this ? Kindly shed some light on this with your experience and expertise. What to do ? Where to start ? Which approach to follow to set up a Best failover DC to DR and Failback solution. Thank you, Krish On Tue, Oct 11, 2022 at 5:38 PM KK CHN wrote: > List, > > We are having a client DC running on HP( HP simplivity) HCI servers, > With VMware ( Vsphere 7.0) only few VMs running on it. (11 VMs maximum all > Linux VMs). > > The DR site also having the same HCI setup another location. ( The VMs are > replicated to DR site with HP simplivity). > > We are planning to use Openstack for both DC and DR solutions with Wallaby > or Xena version with KVM as hypervisor to replace the proprietary S/W and > H/W vendor locking. > > The requirement is to Setup a Stable DC- DR solution. > > Totally confused How to setup a best Dc- DR solution for this purpose. > > The DR setup can be possible / advisable with Zero down time ?( or manual > DR site uping with downtime of hours ) ? > > What are the available/suggested DC-DR replication mechanisms for high > degree of application data protection and service availability? > > Kindly advise.. > > Thanks in advance, > Krish > -------------- next part -------------- An HTML attachment was scrubbed... URL: From elod.illes at est.tech Wed Oct 12 12:54:55 2022 From: elod.illes at est.tech (=?UTF-8?B?RWzFkWQgSWxsw6lz?=) Date: Wed, 12 Oct 2022 14:54:55 +0200 Subject: [release] Release Management 2023.1 Antelope PTG session Message-ID: <822382f8-1e22-7a45-5683-4d887485dd54@est.tech> Hi, Release Management team Virtual PTG session will take place at Thursday 14:00 UTC - 15:00 UTC in Folsom room. Feel free to visit the session if you have any topic to discuss with us, and please add it to our etherpad in advance. The etherpad can be found at https://etherpad.opendev.org/p/oct2022-ptg-rel-mgt Thanks, El?d Ill?s From lanchengxu0807 at gmail.com Wed Oct 12 13:30:41 2022 From: lanchengxu0807 at gmail.com (chelsy lan) Date: Wed, 12 Oct 2022 21:30:41 +0800 Subject: [outreachy][cinder]questions about project"create API reference request/response samples" In-Reply-To: References: Message-ID: It's working now. Thanks a lot? Rajat Dhasmana ?2022?10?11? ????9:17??? > Hi Olive, > > On Mon, Oct 10, 2022 at 8:51 PM olive tree > wrote: > >> Hi Cinder Team: >> I'm an applicant for Outreachy internship program. I've set up a Gerrit >> account successfully and deployed Devstack in a virtual environment. >> However, there are a few questions I would like to ask: >> >> 1. 
I failed to find enriquetaso in #openstack-cinder OFTC IRC channel, >> the list is as follows, I suppose maybe the reason is some steps were wrong >> or she changed into another username. >> >> 2.when I created a local.conf and statrted the install under instructions >> in https://docs.openstack.org/devstack/latest/, I got this error: devstack/stackrc:834 >> Could not determine host ip address. See local.conf for suggestions on >> setting HOST_IP. i searched it in Google but can't find effective >> solution. >> >> > Try adding this line in your local.conf and run stack.sh again. The error > should be resolved. > > *HOST_IP=127.0.0.1* > > For any further query, or if Sofia is not around, you can find me on > #openstack-cinder IRC channel with the nick *whoami-rajat*. > > >> Thank you for reading this email! I hope my questions will not bother you >> too much. I really appreciate it if you could answer them. >> >> Best regards, >> Chelsy Lan >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From arxcruz at redhat.com Wed Oct 12 14:07:02 2022 From: arxcruz at redhat.com (Arx Cruz) Date: Wed, 12 Oct 2022 16:07:02 +0200 Subject: [tripleo] Gate blocker In-Reply-To: References: Message-ID: Hello, Gate is still blocked, but https://review.opendev.org/c/openstack/tripleo-ci/+/861047 is close to merge, once it merges the games will be restored again. I will update once the patch merges. Kind regards, On Wed, Oct 12, 2022 at 9:38 AM Arx Cruz wrote: > Hello, > > We are facing another gate blocker related to package dependencies > https://bugs.launchpad.net/tripleo/+bug/1992560, please do not recheck > your patches. > We are working to fix the issue. > > Kind regards, > > -- > > Arx Cruz > > Software Engineer > > Red Hat EMEA > > arxcruz at redhat.com > @RedHat Red Hat > Red Hat > > > -- Arx Cruz Software Engineer Red Hat EMEA arxcruz at redhat.com @RedHat Red Hat Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: From senrique at redhat.com Wed Oct 12 14:35:39 2022 From: senrique at redhat.com (Sofia Enriquez) Date: Wed, 12 Oct 2022 11:35:39 -0300 Subject: [cinder] Bug Report 10-12-2022 Message-ID: This is a bug report from 10-05-2022 to 10-12-2022. Agenda: https://etherpad.opendev.org/p/cinder-bug-squad-meeting ----------------------------------------------------------------------------------------- Medium - https://bugs.launchpad.net/cinder/+bug/1992493 "Cinder fails to backup/snapshot/clone/extend volumes when the pool is full." Unassigned. - https://bugs.launchpad.net/os-brick/+bug/1992289 "[Netapp Ontap] iSCSI multipath flush fail with stderr: map in use." Unassigned. - https://bugs.launchpad.net/os-brick/+bug/1992296 "Multipath extend volume not working on running VM randomly." Unassigned. Low - https://bugs.launchpad.net/cinder/+bug/1992160 "[SVf] : lsportip needs to fetch IPs with `host` flag ." Assigned to Kumar Kanishka. - https://bugs.launchpad.net/cinder/+bug/1992292 "cinder backup S3 driver failure: signed integer is greater than maximum." Unassigned. Invalid - https://bugs.launchpad.net/cinder/+bug/1992293 "Cinder backup incremental when volume change size." Unassigned. Cheers, -- Sof?a Enriquez she/her Software Engineer Red Hat PnT IRC: @enriquetaso @RedHat Red Hat Red Hat -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From folacarine at gmail.com Wed Oct 12 15:05:40 2022 From: folacarine at gmail.com (fola carine fomduwir) Date: Wed, 12 Oct 2022 16:05:40 +0100 Subject: [cinder] Bug Report 10-12-2022 In-Reply-To: References: Message-ID: Hi , please i need help to start working on a bug Le mer. 12 oct. 2022 ? 15:39, Sofia Enriquez a ?crit : > This is a bug report from 10-05-2022 to 10-12-2022. > Agenda: https://etherpad.opendev.org/p/cinder-bug-squad-meeting > > ----------------------------------------------------------------------------------------- > Medium > > - https://bugs.launchpad.net/cinder/+bug/1992493 "Cinder fails to > backup/snapshot/clone/extend volumes when the pool is full." Unassigned. > - https://bugs.launchpad.net/os-brick/+bug/1992289 "[Netapp Ontap] > iSCSI multipath flush fail with stderr: map in use." Unassigned. > - https://bugs.launchpad.net/os-brick/+bug/1992296 "Multipath extend > volume not working on running VM randomly." Unassigned. > > Low > > - https://bugs.launchpad.net/cinder/+bug/1992160 "[SVf] : lsportip > needs to fetch IPs with `host` flag ." Assigned to Kumar Kanishka. > - https://bugs.launchpad.net/cinder/+bug/1992292 "cinder backup S3 > driver failure: signed integer is greater than maximum." Unassigned. > > Invalid > > - https://bugs.launchpad.net/cinder/+bug/1992293 "Cinder backup > incremental when volume change size." Unassigned. > > > Cheers, > > -- > > Sof?a Enriquez > > she/her > > Software Engineer > > Red Hat PnT > > IRC: @enriquetaso > @RedHat Red Hat > Red Hat > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jean-francois.taltavull at elca.ch Wed Oct 12 15:17:43 2022 From: jean-francois.taltavull at elca.ch (=?iso-8859-1?Q?Taltavull_Jean-Fran=E7ois?=) Date: Wed, 12 Oct 2022 15:17:43 +0000 Subject: [Ceilometer] Dynamic pollsters : dot in JSON keyname Message-ID: Hello Rafael, To get the the size, in GB, occupied by buckets I need to manipulate a JSON key which contains a dot in its name: ```` - name: "radosgw.containers.objects.size" sample_type: "gauge" unit: "B" value_attribute: "rgw.main.size" <------------------------------------"rgw.main" is a JSON key, with a dot in its name, which belongs to "bucket.usage" JSON container url_path: "http://FQDN/admin/bucket?stats=True" module: "awsauth" authentication_object: "S3Auth" authentication_parameters: my_access_key,my_secret_key,FQDN user_id_attribute: "owner" project_id_attribute: "tenant" resource_id_attribute: "id" response_entries_key: "usage" ```` But with this dynamic pollster definition, I get the python error "KeyError: 'rgw' ". In this case, is there a specific syntax to define "value_attribute" or am I doing something the wrong way ? Jean-Francois From alex.kavanagh at canonical.com Wed Oct 12 15:39:23 2022 From: alex.kavanagh at canonical.com (Alex Kavanagh) Date: Wed, 12 Oct 2022 16:39:23 +0100 Subject: [charms][ptg] PTG Topics and Meetings Message-ID: Hi All The openstack-charms track meetings are: - Tuesday 18th at 14UTC in icehouse - Thursday 20th at 14UTC in havana The etherpad for the meetings is at: https://etherpad.opendev.org/p/oct2022-ptg-openstack-charms Please feel free to add any topics that you would be interested in chatting about. Most of the core team will be in attendance to discuss any issues or topics that you are interested in. We'll also be going over what's coming up in the OpenStack charms project(s), and doing a demo of some of the new sunbeam kubernetes-based charms. Look forward to seeing you there Cheers Alex. 
-- Alex Kavanagh - Software Engineer OpenStack Engineering - Canonical Ltd -------------- next part -------------- An HTML attachment was scrubbed... URL: From thierry at openstack.org Wed Oct 12 16:34:29 2022 From: thierry at openstack.org (Thierry Carrez) Date: Wed, 12 Oct 2022 18:34:29 +0200 Subject: [largescale-sig] Next meeting: today October 12th, 15utc In-Reply-To: <5bb33766-2427-3f18-be3a-0793e757d07b@openstack.org> References: <5bb33766-2427-3f18-be3a-0793e757d07b@openstack.org> Message-ID: Hi everyone, Here is the summary of our SIG meeting today. You can read the detailed meeting logs at: https://meetings.opendev.org/meetings/large_scale_sig/2022/large_scale_sig.2022-10-12-15.01.html We will skip the meeting in two weeks. Our next regular IRC meeting will be November 9, at 1500utc on #openstack-operators on OFTC. Regards, -- Thierry Carrez From arxcruz at redhat.com Wed Oct 12 17:48:15 2022 From: arxcruz at redhat.com (Arx Cruz) Date: Wed, 12 Oct 2022 19:48:15 +0200 Subject: [tripleo] Gate blocker In-Reply-To: References: Message-ID: Hello, Patch merged, everything is now back to normal. Kind regards On Wed, Oct 12, 2022 at 4:07 PM Arx Cruz wrote: > Hello, > > Gate is still blocked, but > https://review.opendev.org/c/openstack/tripleo-ci/+/861047 is close to > merge, once it merges the games will be restored again. I will update once > the patch merges. > > Kind regards, > > On Wed, Oct 12, 2022 at 9:38 AM Arx Cruz wrote: > >> Hello, >> >> We are facing another gate blocker related to package dependencies >> https://bugs.launchpad.net/tripleo/+bug/1992560, please do not recheck >> your patches. >> We are working to fix the issue. >> >> Kind regards, >> >> -- >> >> Arx Cruz >> >> Software Engineer >> >> Red Hat EMEA >> >> arxcruz at redhat.com >> @RedHat Red Hat >> Red Hat >> >> >> > > > -- > > Arx Cruz > > Software Engineer > > Red Hat EMEA > > arxcruz at redhat.com > @RedHat Red Hat > Red Hat > > > -- Arx Cruz Software Engineer Red Hat EMEA arxcruz at redhat.com @RedHat Red Hat Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: From corey.bryant at canonical.com Wed Oct 12 19:41:48 2022 From: corey.bryant at canonical.com (Corey Bryant) Date: Wed, 12 Oct 2022 15:41:48 -0400 Subject: OpenStack Zed for Ubuntu 22.04 LTS Message-ID: The Ubuntu OpenStack team at Canonical is pleased to announce the general availability of OpenStack Zed on Ubuntu 22.04 LTS (Jammy Jellyfish). Details of the Zed release can be found at: https://www.openstack.org/software/zed To get access to the Ubuntu Zed packages: == Ubuntu 20.04 LTS == The Ubuntu Cloud Archive for OpenStack Zed can be enabled on Ubuntu 22.04 by running the following command: sudo add-apt-repository cloud-archive:zed The Ubuntu Cloud Archive for Zed includes updates for: aodh, barbican, ceilometer, cinder, designate, designate-dashboard, glance, gnocchi, heat, heat-dashboard, horizon, ironic, ironic-ui, keystone, magnum, magnum-ui, manila, manila-ui, masakari, mistral, murano, murano-dashboard, networking-arista, networking-bagpipe, networking-baremetal, networking-bgpvpn, networking-hyperv, networking-l2gw, networking-mlnx, networking-odl, networking-sfc, neutron, neutron-dynamic-routing, neutron-fwaas, neutron-taas, neutron-vpnaas, nova, octavia, octavia-dashboard, openstack-trove, ovn-octavia-provider, placement, sahara, sahara-dashboard, senlin, swift, trove-dashboard, vitrage, watcher, watcher-dashboard, zaqar, and zaqar-ui. 
For a full list of packages and versions, please refer to: https://openstack-ci-reports.ubuntu.com/reports/cloud-archive/zed_versions.html == Reporting bugs == If you have any issues please report bugs using the ?ubuntu-bug? tool to ensure that bugs get logged in the right place in Launchpad: sudo ubuntu-bug nova-conductor Thank you to everyone who contributed to OpenStack Zed! Corey (on behalf of the Ubuntu OpenStack Engineering team) -------------- next part -------------- An HTML attachment was scrubbed... URL: From fungi at yuggoth.org Wed Oct 12 20:23:18 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Wed, 12 Oct 2022 20:23:18 +0000 Subject: [dev][infra][tact-sig] Default Zuul nodeset changing to ubuntu-jammy Message-ID: <20221012202317.5jl6uqgdv3ok2enq@yuggoth.org> Just wanted to call everyone's attention to an OpenDev Collaboratory announcement[*] this week. The tl;dr is that the default job nodeset will be changing from ubuntu-focal to ubuntu-jammy on 2022-10-25. This should be fairly low-impact for OpenStack projects, since we're now into the very early part of the 2023.1/Antelope release cycle and development branch unit test job templates have already been updated to run things on the newer Python version it supplies. Just be aware that any jobs which don't already specify a particular nodeset (or inherit one from a parent) will be following the default when it changes. An easy temporary workaround is to set affected jobs back to ubuntu-focal while you test solutions allowing removal of the override. Also, remember that switching development from Focal to Jammy was accepted[**] as a cross-project goal, so it needs to get done at some point soon for OpenStack projects anyway. [*] https://lists.opendev.org/pipermail/service-announce/2022-October/000047.html [**] https://governance.openstack.org/tc/goals/selected/migrate-ci-jobs-to-ubuntu-jammy.html -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From gmann at ghanshyammann.com Wed Oct 12 21:28:53 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Wed, 12 Oct 2022 14:28:53 -0700 Subject: [dev][infra][tact-sig] Default Zuul nodeset changing to ubuntu-jammy In-Reply-To: <20221012202317.5jl6uqgdv3ok2enq@yuggoth.org> References: <20221012202317.5jl6uqgdv3ok2enq@yuggoth.org> Message-ID: <183ce19ae66.121ee11bb64504.568008654450510930@ghanshyammann.com> ---- On Wed, 12 Oct 2022 13:23:18 -0700 Jeremy Stanley wrote --- > Just wanted to call everyone's attention to an OpenDev Collaboratory > announcement[*] this week. The tl;dr is that the default job nodeset > will be changing from ubuntu-focal to ubuntu-jammy on 2022-10-25. > > This should be fairly low-impact for OpenStack projects, since we're > now into the very early part of the 2023.1/Antelope release cycle > and development branch unit test job templates have already been > updated to run things on the newer Python version it supplies. Just > be aware that any jobs which don't already specify a particular > nodeset (or inherit one from a parent) will be following the default > when it changes. An easy temporary workaround is to set affected > jobs back to ubuntu-focal while you test solutions allowing removal > of the override. 
Right, I think it will not impact OpenStack jobs as we have pinned the nodeset to focal for old existing jobs like py39 or pep8 or tox base job (py310 job already running on Jammy) - Example: https://github.com/openstack/openstack-zuul-jobs/blob/7e7045ab92b0b9db28f24fe9a38f914f74174938/zuul.d/jobs.yaml#L262 As part of the community-wide goal for 2023.1 cycle, we are going to start the testing soon and based on testing all the projects/repo first and then we can move the base OpenStack tox, devstack base, tempest base, and projects jobs to Jammy. -gmann > > Also, remember that switching development from Focal to Jammy was > accepted[**] as a cross-project goal, so it needs to get done at > some point soon for OpenStack projects anyway. > > [*] https://lists.opendev.org/pipermail/service-announce/2022-October/000047.html > [**] https://governance.openstack.org/tc/goals/selected/migrate-ci-jobs-to-ubuntu-jammy.html > -- > Jeremy Stanley > From rlandy at redhat.com Wed Oct 12 21:54:54 2022 From: rlandy at redhat.com (Ronelle Landy) Date: Wed, 12 Oct 2022 17:54:54 -0400 Subject: [tripleo] Gate blocker In-Reply-To: References: Message-ID: Hello, It appears that the fix to the previous gate blocker causes another one: Unable to freeze job graph: Job tripleo-ci-centos-9-undercloud-upgrade depends on tripleo-ci-centos-9-content-provider-zed which was not run. Details of this bug and the proposed fix are in: https://bugs.launchpad.net/tripleo/+bug/1992699 We will update this thread as the patch progresses. Thanks! On Wed, Oct 12, 2022 at 1:54 PM Arx Cruz wrote: > Hello, > > Patch merged, everything is now back to normal. > > Kind regards > > On Wed, Oct 12, 2022 at 4:07 PM Arx Cruz wrote: > >> Hello, >> >> Gate is still blocked, but >> https://review.opendev.org/c/openstack/tripleo-ci/+/861047 is close to >> merge, once it merges the games will be restored again. I will update once >> the patch merges. >> >> Kind regards, >> >> On Wed, Oct 12, 2022 at 9:38 AM Arx Cruz wrote: >> >>> Hello, >>> >>> We are facing another gate blocker related to package dependencies >>> https://bugs.launchpad.net/tripleo/+bug/1992560, please do not recheck >>> your patches. >>> We are working to fix the issue. >>> >>> Kind regards, >>> >>> -- >>> >>> Arx Cruz >>> >>> Software Engineer >>> >>> Red Hat EMEA >>> >>> arxcruz at redhat.com >>> @RedHat Red Hat >>> Red Hat >>> >>> >>> >> >> >> -- >> >> Arx Cruz >> >> Software Engineer >> >> Red Hat EMEA >> >> arxcruz at redhat.com >> @RedHat Red Hat >> Red Hat >> >> >> > > > -- > > Arx Cruz > > Software Engineer > > Red Hat EMEA > > arxcruz at redhat.com > @RedHat Red Hat > Red Hat > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From thomasmulhall410 at yahoo.com Wed Oct 12 23:40:15 2022 From: thomasmulhall410 at yahoo.com (Paladox) Date: Wed, 12 Oct 2022 23:40:15 +0000 (UTC) Subject: How do I disable replication in swift In-Reply-To: <20220930164121.7caa41cb@niphredil.zaitcev.lan> References: <1112921123.2169438.1663847346908.ref@mail.yahoo.com> <1112921123.2169438.1663847346908@mail.yahoo.com> <1295063360.641866.1663941856275@mail.yahoo.com> <527985954.3334066.1663961171011@mail.yahoo.com> <2052306468.3384214.1663968003125@mail.yahoo.com> <20220930164121.7caa41cb@niphredil.zaitcev.lan> Message-ID: <272477624.652893.1665618015695@mail.yahoo.com> Thanks! So to be clear, the replication value of 1 means it won't replicate and that it's not 1 + n (n being one in this case). 
On Friday, 30 September 2022, 22:45:12 BST, Pete Zaitcev wrote: On Fri, 23 Sep 2022 21:20:03 +0000 (UTC) Paladox wrote: >? We have around 3.8tb but we're wanting to move from gluster to swift (which we're currently using?2.6tb). We're a small not-for-profit in the UK. We don't have the funds to support replicating data right now. You are setting yourself for a data loss and then you'll inevitably blame Swift, even though we told you not to do that. -- Pete -------------- next part -------------- An HTML attachment was scrubbed... URL: From ildiko.vancsa at gmail.com Thu Oct 13 04:21:03 2022 From: ildiko.vancsa at gmail.com (Ildiko Vancsa) Date: Wed, 12 Oct 2022 21:21:03 -0700 Subject: Edge Computing Group sessions at the PTG Message-ID: Hi All, I?m reaching out with a quick update regarding the OpenInfra Edge Computing Group sessions at the upcoming PTG next week. The group settled on booking a Monday time slot that overlaps with our usual meeting hour: __Monday (October 17) at 1300 UTC - 1600 UTC__. Our main discussion topics will include: * Edge use cases in production * Day 0 - prepare your edge deployment * Roadmap for the working group Beth Cohen from Verizon will also give a presentation during our scheduled time. For further information please see our etherpad: https://etherpad.opendev.org/p/ecg-ptg-october-2022 Looking forward to seeing you at the event! Best Regards, Ildik? ??? Ildik? V?ncsa Senior Manager, Community & Ecosystem Open Infrastructure Foundation From gmann at ghanshyammann.com Thu Oct 13 06:22:44 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Wed, 12 Oct 2022 23:22:44 -0700 Subject: [all][tc] Technical Committee next weekly meeting on 2022 Oct 13 at 1500 UTC In-Reply-To: <183c38e1c91.112e685a2494298.7607084177217213450@ghanshyammann.com> References: <183c38e1c91.112e685a2494298.7607084177217213450@ghanshyammann.com> Message-ID: <183d0027286.f6a73c6371346.6083621439966226551@ghanshyammann.com> Hello Everyone, Below is the agenda for Tomorrow's TC meeting scheduled at 1500 UTC. https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting * Roll call * Follow up on past action items * Gate health check ** Bare 'recheck' state *** https://etherpad.opendev.org/p/recheck-weekly-summary ** Zuul config error *** https://etherpad.opendev.org/p/zuul-config-error-openstack * 2023.1 cycle PTG Planning ** TC + Leaders interaction sessions *** https://etherpad.opendev.org/p/tc-leaders-interaction-2023-1 ** TC PTG etherpad *** https://etherpad.opendev.org/p/tc-2023-1-ptg ** Schedule 'operator hours' *** https://lists.openstack.org/pipermail/openstack-discuss/2022-September/030301.html * 2023.1 cycle Technical Election & Leaderless projects ** Leaderless projects *** https://etherpad.opendev.org/p/2023.1-leaderless * Open Reviews ** https://review.opendev.org/q/projects:openstack/governance+is:open -gmann ---- On Mon, 10 Oct 2022 13:20:14 -0700 Ghanshyam Mann wrote --- > Hello Everyone, > > The technical Committee's next weekly meeting is scheduled for 2022 Oct 13, at 1500 UTC. > > If you would like to add topics for discussion, please add them to the below wiki page by > Wednesday, Oct 12 at 2100 UTC. > > https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting > > -gmann > > From arxcruz at redhat.com Thu Oct 13 07:05:04 2022 From: arxcruz at redhat.com (Arx Cruz) Date: Thu, 13 Oct 2022 09:05:04 +0200 Subject: [tripleo] Gate blocker In-Reply-To: References: Message-ID: Hello, The patch has been merged. 
Kind regards, Arx Cruz On Wed, Oct 12, 2022 at 11:55 PM Ronelle Landy wrote: > Hello, > > It appears that the fix to the previous gate blocker causes another one: > > Unable to freeze job graph: Job tripleo-ci-centos-9-undercloud-upgrade > depends on tripleo-ci-centos-9-content-provider-zed which was not run. > > Details of this bug and the proposed fix are in: > > https://bugs.launchpad.net/tripleo/+bug/1992699 > > We will update this thread as the patch progresses. > > Thanks! > > On Wed, Oct 12, 2022 at 1:54 PM Arx Cruz wrote: > >> Hello, >> >> Patch merged, everything is now back to normal. >> >> Kind regards >> >> On Wed, Oct 12, 2022 at 4:07 PM Arx Cruz wrote: >> >>> Hello, >>> >>> Gate is still blocked, but >>> https://review.opendev.org/c/openstack/tripleo-ci/+/861047 is close to >>> merge, once it merges the games will be restored again. I will update once >>> the patch merges. >>> >>> Kind regards, >>> >>> On Wed, Oct 12, 2022 at 9:38 AM Arx Cruz wrote: >>> >>>> Hello, >>>> >>>> We are facing another gate blocker related to package dependencies >>>> https://bugs.launchpad.net/tripleo/+bug/1992560, please do not recheck >>>> your patches. >>>> We are working to fix the issue. >>>> >>>> Kind regards, >>>> >>>> -- >>>> >>>> Arx Cruz >>>> >>>> Software Engineer >>>> >>>> Red Hat EMEA >>>> >>>> arxcruz at redhat.com >>>> @RedHat Red Hat >>>> Red Hat >>>> >>>> >>>> >>> >>> >>> -- >>> >>> Arx Cruz >>> >>> Software Engineer >>> >>> Red Hat EMEA >>> >>> arxcruz at redhat.com >>> @RedHat Red Hat >>> Red Hat >>> >>> >>> >> >> >> -- >> >> Arx Cruz >> >> Software Engineer >> >> Red Hat EMEA >> >> arxcruz at redhat.com >> @RedHat Red Hat >> Red Hat >> >> >> > -- Arx Cruz Software Engineer Red Hat EMEA arxcruz at redhat.com @RedHat Red Hat Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: From ruslanas at lpic.lt Thu Oct 13 07:32:40 2022 From: ruslanas at lpic.lt (=?UTF-8?Q?Ruslanas_G=C5=BEibovskis?=) Date: Thu, 13 Oct 2022 09:32:40 +0200 Subject: [ussuri] controller has crond PAM errors Message-ID: Hi all, First of all, I understand it is old release, but, maybe it is present in newer also? Running centos8Linux and centos repos based OSP installation (not delorean). I am scrolling through logs and found that cron is having some curious log line related to pam. curious if that is normal? 
/var/log/cron:Oct 12 00:01:01 c506-ctrl-0 crond[770496]: (cinder) PAM ERROR (Cannot make/remove an entry for the specified session) /var/log/cron:Oct 12 00:01:01 c506-ctrl-0 crond[770496]: (cinder) FAILED to open PAM security session (Cannot make/remove an entry for the specified session) /var/log/cron:Oct 12 00:01:01 c506-ctrl-0 crond[770426]: (heat) PAM ERROR (Cannot make/remove an entry for the specified session) /var/log/cron:Oct 12 00:01:01 c506-ctrl-0 crond[770881]: (nova) PAM ERROR (Cannot make/remove an entry for the specified session) /var/log/cron:Oct 12 00:01:01 c506-ctrl-0 crond[770426]: (heat) FAILED to open PAM security session (Cannot make/remove an entry for the specified session) /var/log/cron:Oct 12 00:01:01 c506-ctrl-0 crond[770881]: (nova) FAILED to open PAM security session (Cannot make/remove an entry for the specified session) /var/log/cron:Oct 12 05:00:01 c506-ctrl-0 crond[773036]: (nova) PAM ERROR (Cannot make/remove an entry for the specified session) /var/log/cron:Oct 12 05:00:01 c506-ctrl-0 crond[773036]: (nova) FAILED to open PAM security session (Cannot make/remove an entry for the specified session) /var/log/secure:Oct 12 00:01:01 c506-ctrl-0 crond[770496]: pam_loginuid(crond:session): Error writing /proc/self/loginuid: Operation not permitted /var/log/secure:Oct 12 00:01:01 c506-ctrl-0 crond[770496]: pam_loginuid(crond:session): set_loginuid failed /var/log/secure:Oct 12 00:01:01 c506-ctrl-0 crond[770881]: pam_loginuid(crond:session): Error writing /proc/self/loginuid: Operation not permitted /var/log/secure:Oct 12 00:01:01 c506-ctrl-0 crond[770426]: pam_loginuid(crond:session): Error writing /proc/self/loginuid: Operation not permitted /var/log/secure:Oct 12 00:01:01 c506-ctrl-0 crond[770881]: pam_loginuid(crond:session): set_loginuid failed /var/log/secure:Oct 12 00:01:01 c506-ctrl-0 crond[770426]: pam_loginuid(crond:session): set_loginuid failed /var/log/secure:Oct 12 05:00:01 c506-ctrl-0 crond[773036]: pam_loginuid(crond:session): Error writing /proc/self/loginuid: Operation not permitted /var/log/secure:Oct 12 05:00:01 c506-ctrl-0 crond[773036]: pam_loginuid(crond:session): set_loginuid failed -- Ruslanas G?ibovskis +370 6030 7030 -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkopec at redhat.com Thu Oct 13 08:51:57 2022 From: mkopec at redhat.com (Martin Kopec) Date: Thu, 13 Oct 2022 10:51:57 +0200 Subject: [interop][ptg] Virtual PTG Planning Message-ID: Hello everyone, here is [1] our etherpad for Antelope PTG with the topics we're planning to discuss. If there is anything you would like to bring up with the interop team, feel free to let us know. We've booked 3 one hour slots: * Monday (October 17th) 13 - 14 UTC @ kilo * Tuesday (October 18th) 15 - 16 UTC @ kilo * Thursday (October 20th) 15 - 16 UTC @ liberty In case we'll see a need for more, we can always book something else later. [1] https://etherpad.opendev.org/p/antelope-ptg-interop Thanks, -- Martin Kopec Senior Software Quality Engineer Red Hat EMEA IM: kopecmartin -------------- next part -------------- An HTML attachment was scrubbed... URL: From rafaelweingartner at gmail.com Thu Oct 13 11:41:02 2022 From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=) Date: Thu, 13 Oct 2022 08:41:02 -0300 Subject: [Ceilometer] Dynamic pollsters : dot in JSON keyname In-Reply-To: References: Message-ID: In such cases, you need to use the "Dynamic pollsters operations" to process the sample, and retrieve the key as "rgw.main.size". 
By default, this value ("rgw.main.size") is interpreted as a nested dictionary. I mean, an object with a key "rgw", and then, another one that has a key "main", where there is a dict, with a key "size". To handle such cases, you would need something similar to: `value_attribute: "usage || value['rgw.main'] | value['size']"`. However, that might not address all use cases. You will also need to handle situations when there is no key "rgw.main" in the response samples. On Wed, Oct 12, 2022 at 12:17 PM Taltavull Jean-Fran?ois < jean-francois.taltavull at elca.ch> wrote: > Hello Rafael, > > To get the the size, in GB, occupied by buckets I need to manipulate a > JSON key which contains a dot in its name: > > ```` > - name: "radosgw.containers.objects.size" > sample_type: "gauge" > unit: "B" > value_attribute: "rgw.main.size" > <------------------------------------"rgw.main" is a JSON key, with a dot > in its name, which belongs to "bucket.usage" JSON container > url_path: "http://FQDN/admin/bucket?stats=True" > module: "awsauth" > authentication_object: "S3Auth" > authentication_parameters: my_access_key,my_secret_key,FQDN > user_id_attribute: "owner" > project_id_attribute: "tenant" > resource_id_attribute: "id" > response_entries_key: "usage" > ```` > > But with this dynamic pollster definition, I get the python error > "KeyError: 'rgw' ". > > In this case, is there a specific syntax to define "value_attribute" or am > I doing something the wrong way ? > > > Jean-Francois > -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From pdeore at redhat.com Thu Oct 13 11:50:31 2022 From: pdeore at redhat.com (Pranali Deore) Date: Thu, 13 Oct 2022 17:20:31 +0530 Subject: [Glance][PTG] Antelope PTG Schedule Message-ID: Hello All, Antelope PTG is going to start next week and we have created our PTG etherpad [1] and also added day wise topics along with timings we are going to discuss. Kindly let me know if you have any concerns with allotted time slots. Friday is reserved for any unplanned discussions. So please feel free to add your topics if you haven't added yet. As a reminder, these are the time slots for our discussion. Tuesday 18 OCT 2022 1400 UTC to 1700 UTC Wednesday 19 OCT 2022 1400 UTC to 1700 UTC Thursday 20 OCT 2022 1400 UTC to 1700 UTC Friday 21 OCT 2022 1400 UTC to 1700 UTC NOTE: We have booked glance operator hours on Thursday at 1600 UTC(we can extend it if required), let us know your availability for the same. At the moment we don't have any sessions scheduled on Friday, if there are any last moment request(s)/topic(s) we will discuss that on Friday else we will conclude our PTG on Thursday 20th OCT. We will be using bluejeans for our discussion, kindly try to use it once before the actual discussion. The meeting URL is mentioned in etherpad [1] and will be the same throughout the PTG. [1] https://etherpad.opendev.org/p/antelope-glance-ptg Hope to see you there!! Thanks & Regards, Pranali Deore -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From openstack at mknet.nl Thu Oct 13 06:57:15 2022 From: openstack at mknet.nl (Marcel) Date: Thu, 13 Oct 2022 08:57:15 +0200 Subject: [swift] upgrade newton to train in containers Message-ID: <683435eb7b0602a347a2c38c7a73f373@mknet.nl> I'm planning an upgrade for our newton based swift cluster (OOO vm based) to a (kolla image based containers) train cluster So far I have tested the upgrade for the proxies, account_servers and container servers and it looks promising. I have in a test environment: - switched to the new proxies with the old ring files and it looks like everything works normally - Added the new (train) account and container servers to the rings and it looks like all is fine - Removed the old account and container servers, still fine - tested fall back, also fine My question actually is: Did the account and container database format change between newton and train in such a way that I might run into troubles trying the upgrade as tested above in ways that I did not yet foresee? Thanks Marcel From ma-ooyama at kddi.com Thu Oct 13 07:42:03 2022 From: ma-ooyama at kddi.com (ma-ooyama at kddi.com) Date: Thu, 13 Oct 2022 07:42:03 +0000 Subject: [tacker][ptg] Announcement about operator hours Message-ID: Hello all: The "operator-hour-tacker" has been reserved on 19-Oct Wednesday from 04UTC to 05UTC. This is the oppotunity to share operator's opinion with developers. Please feel free for adding any topics you'd like to discuss on the etherpad [1]. [1]https://etherpad.opendev.org/p/oct2022-ptg-operator-hour-tacker Thanks, Masaki From akanevsk at redhat.com Thu Oct 13 13:53:50 2022 From: akanevsk at redhat.com (Arkady Kanevsky) Date: Thu, 13 Oct 2022 08:53:50 -0500 Subject: [interop][ptg] Virtual PTG Planning In-Reply-To: References: Message-ID: Martin, I will join Monday and Th. Can not do Tu. Thanks, Arkady On Thu, Oct 13, 2022 at 3:52 AM Martin Kopec wrote: > Hello everyone, > > here is [1] our etherpad for Antelope PTG with the topics we're planning > to discuss. If there is anything you would like to bring up with the > interop team, feel free to let us know. > We've booked 3 one hour slots: > * Monday (October 17th) 13 - 14 UTC @ kilo > * Tuesday (October 18th) 15 - 16 UTC @ kilo > * Thursday (October 20th) 15 - 16 UTC @ liberty > > In case we'll see a need for more, we can always book something else later. > > [1] https://etherpad.opendev.org/p/antelope-ptg-interop > > Thanks, > -- > Martin Kopec > Senior Software Quality Engineer > Red Hat EMEA > IM: kopecmartin > > > > -- Arkady Kanevsky, Ph.D. Phone: 972 707-6456 Corporate Phone: 919 729-5744 ext. 8176456 -------------- next part -------------- An HTML attachment was scrubbed... URL: From artem.goncharov at gmail.com Thu Oct 13 14:03:29 2022 From: artem.goncharov at gmail.com (Artem Goncharov) Date: Thu, 13 Oct 2022 16:03:29 +0200 Subject: [sdk][ptg] Operator hours - SDK/Cli Message-ID: <379339AB-5E3D-4AD7-826F-EE18F4A03C9C@gmail.com> Hi all, This is no an official operator hour for sdk/cli, but all operators interested to hear/ask/share are welcome to join us during PTG on Friday 21.10 starting from 14:00 UTC (open end) Feel free to add topics of interest under Operator Hour item on https://etherpad.opendev.org/p/oct2022-ptg-sdk-cli Would be glad to get you there and talk about issues you face Artem -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From lucioseki at gmail.com Thu Oct 13 16:30:20 2022 From: lucioseki at gmail.com (Lucio Seki) Date: Thu, 13 Oct 2022 13:30:20 -0300 Subject: [glance] Slow image download when using glanceclient Message-ID: Hi glance experts, I'm using the following code to download a glance image: ``` from glanceapi import client ... glance = client.Client(GLANCE_API_VERSION, session=sess) ... with open(path, 'wb') as image_file: data = glance.images.data(image_id) for chunk in tqdm(data, unit='B', unit_scale=True, unit_divisor=1024): image_file.write(chunk) ``` And I get a speed around 3kB/s. It would take months to download an image. I'm using python3-glanceclient==3.6.0. I even tried: ``` for chunk in tqdm(data, unit='B', unit_scale=True, unit_divisor=1024): pass ``` to see if the bottleneck was the disk I/O, but didn't get any faster. In the same environment, when I use the glance CLI instead: ``` glance image-download --file $path $image_id ``` I get hundreds of MB/s download speed, and it finishes in a few minutes. Is there anything I can do to improve the glanceclient performance? I'm considering using subprocess.Popen(['glance', 'image-download', ...]) if nothing helps... Regards, Lucio -------------- next part -------------- An HTML attachment was scrubbed... URL: From smooney at redhat.com Thu Oct 13 17:18:17 2022 From: smooney at redhat.com (Sean Mooney) Date: Thu, 13 Oct 2022 18:18:17 +0100 Subject: [glance] Slow image download when using glanceclient In-Reply-To: References: Message-ID: <0bf73382755a1b3cf776932bbcc658ea250c23fa.camel@redhat.com> On Thu, 2022-10-13 at 13:30 -0300, Lucio Seki wrote: > Hi glance experts, > > I'm using the following code to download a glance image: > > ``` > from glanceapi import client > ... > glance = client.Client(GLANCE_API_VERSION, session=sess) > ... > with open(path, 'wb') as image_file: > data = glance.images.data(image_id) > for chunk in tqdm(data, unit='B', unit_scale=True, unit_divisor=1024): > image_file.write(chunk) > ``` > > And I get a speed around 3kB/s. It would take months to download an image. > I'm using python3-glanceclient==3.6.0. > I even tried: > ``` > for chunk in tqdm(data, unit='B', unit_scale=True, unit_divisor=1024): > pass > ``` > to see if the bottleneck was the disk I/O, but didn't get any faster. > > In the same environment, when I use the glance CLI instead: > > ``` > glance image-download --file $path $image_id > ``` > I get hundreds of MB/s download speed, and it finishes in a few minutes. > > Is there anything I can do to improve the glanceclient performance? > I'm considering using subprocess.Popen(['glance', 'image-download', ...]) > if nothing helps... have you considered using the openstacksdk instead the glanceclint is really only intendeted for other openstack service to use like nova or ironic. its not really ment to be used to write your onw code anymore. in the past it provided a programatic interface for interacting with glance but now you shoudl prefer the openstack sdk instead. https://github.com/openstack/openstacksdk > > Regards, > Lucio From allison at openinfra.dev Thu Oct 13 17:37:32 2022 From: allison at openinfra.dev (Allison Price) Date: Thu, 13 Oct 2022 12:37:32 -0500 Subject: [ptls][tc] 2022 OpenStack User Survey Project Question Responses Message-ID: <236718A0-249C-42D6-ABB8-AE65C5BFA6A6@openinfra.dev> Hi everyone, Please find attached the responses to the project questions from the 2022 OpenStack User Survey. 
Based on feedback last year, I included additional, non-identifiable information that will hopefully help provident deployment context for the responses to your questions. If you need a reminder of your project question, you can review the OpenStack User Survey [1]. During the PTG, I would encourage you and your teams to review the responses and decide if you would like to make any changes to your question for the 2023 OpenStack User Survey. It is live now, but we can make changes ahead of significant promotion. Please reach out to me directly with any changes. If you have any questions on how to read the results, please let me know. Have a great week at the PTG! Cheers, Allison [1] https://www.openstack.org/usersurvey -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenStackUserSurvey22.csv Type: text/csv Size: 323827 bytes Desc: not available URL: From lucioseki at gmail.com Thu Oct 13 19:21:07 2022 From: lucioseki at gmail.com (Lucio Seki) Date: Thu, 13 Oct 2022 16:21:07 -0300 Subject: [glance] Slow image download when using glanceclient In-Reply-To: <0bf73382755a1b3cf776932bbcc658ea250c23fa.camel@redhat.com> References: <0bf73382755a1b3cf776932bbcc658ea250c23fa.camel@redhat.com> Message-ID: Thanks Sean, that makes much easier to code! ``` ... conn = openstack.connect(cloud_name) with open(path, 'wb') as image_file: response = conn.image.download_image(image_name) for chunk in tqdm(response.iter_content(), **tqdm_params): image_file.write(chunk) ``` And it gave me some performance improvement (3kB/s -> 120kB/s). ... though it would still take several days to download an image. Is there some tuning that I could apply? On Thu, Oct 13, 2022, 14:18 Sean Mooney wrote: > On Thu, 2022-10-13 at 13:30 -0300, Lucio Seki wrote: > > Hi glance experts, > > > > I'm using the following code to download a glance image: > > > > ``` > > from glanceapi import client > > ... > > glance = client.Client(GLANCE_API_VERSION, session=sess) > > ... > > with open(path, 'wb') as image_file: > > data = glance.images.data(image_id) > > for chunk in tqdm(data, unit='B', unit_scale=True, > unit_divisor=1024): > > image_file.write(chunk) > > ``` > > > > And I get a speed around 3kB/s. It would take months to download an > image. > > I'm using python3-glanceclient==3.6.0. > > I even tried: > > ``` > > for chunk in tqdm(data, unit='B', unit_scale=True, > unit_divisor=1024): > > pass > > ``` > > to see if the bottleneck was the disk I/O, but didn't get any faster. > > > > In the same environment, when I use the glance CLI instead: > > > > ``` > > glance image-download --file $path $image_id > > ``` > > I get hundreds of MB/s download speed, and it finishes in a few minutes. > > > > Is there anything I can do to improve the glanceclient performance? > > I'm considering using subprocess.Popen(['glance', 'image-download', ...]) > > if nothing helps... > have you considered using the openstacksdk instead > > the glanceclint is really only intendeted for other openstack service to > use like > nova or ironic. > its not really ment to be used to write your onw code anymore. > in the past it provided a programatic interface for interacting with glance > but now you shoudl prefer the openstack sdk instead. > https://github.com/openstack/openstacksdk > > > > > Regards, > > Lucio > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From noonedeadpunk at gmail.com Thu Oct 13 19:52:03 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Thu, 13 Oct 2022 21:52:03 +0200 Subject: [all][openstack-dev][ptls] Migrating devstack jobs to Jammy (Ubuntu LTS 22.04) Message-ID: Hi everyone, According to a 2023.1 community-wide goal [1], base-jobs including but not limited to devstack-minimal, devstack, devstack-ipv6, devstack-multinode, tox, will be switched from Ubuntu Focal (20.04) to Jammy (22.04). That will also bring python 3.10 as a default python interpreter for these jobs. Migration will affect most of the projects, so to make it smooth, we will split the process into the following steps: 1. Patches for switching base jobs to Jammy will be proposed and marked as WIP (Work In Progress). It will allow projects to check if their code is compatible without breaking gates. These patches are ready and you can check them out here [2] 2. All projects should ensure that the code is compatible and merge changes if required. To properly track and test these changes you should: * Create a DNM patch that will contain in its commit message: "Depends-On: https://review.opendev.org/c/openstack/tempest/+/861110" to consume new nodesets. You can check the sample patch for Nova below [3] * In case of any job failure due to Ubuntu 22.04 or Python 3.10, land requires changes to support this new distribution * If you have overridden nodeset for your project jobs, ensure that you also have jobs against Ubuntu 22.04 and these jobs set to voting. * Set topic to all related changes to "migrate-to-jammy" * Please use etherpad [4] for tracking patches, bug reports, current status, or any other activity related to this topic 3. On R-18, which is the first 2023.1 milestone that will happen on the 18th of November 2022, base-jobs patches mentioned in step 1 will be merged. Please ensure you have verified compatibility for your projects and landed the required changes if any were needed before this date otherwise, they might fail. Please, do not hesitate to raise any questions or concerns. [1] https://governance.openstack.org/tc/goals/selected/migrate-ci-jobs-to-ubuntu-jammy.html [2] https://review.opendev.org/c/openstack/openstack-zuul-jobs/+/861116 https://review.opendev.org/c/openstack/tempest/+/861110 https://review.opendev.org/c/openstack/devstack/+/860795 [3] https://review.opendev.org/c/openstack/nova/+/861111 [4] https://etherpad.opendev.org/p/migrate-to-jammy From smooney at redhat.com Thu Oct 13 19:53:47 2022 From: smooney at redhat.com (Sean Mooney) Date: Thu, 13 Oct 2022 20:53:47 +0100 Subject: [glance] Slow image download when using glanceclient In-Reply-To: References: <0bf73382755a1b3cf776932bbcc658ea250c23fa.camel@redhat.com> Message-ID: <56b7476c090c1223dc91c89eb6acdbd7ff1e307a.camel@redhat.com> On Thu, 2022-10-13 at 16:21 -0300, Lucio Seki wrote: > Thanks Sean, that makes much easier to code! > > ``` > ... > conn = openstack.connect(cloud_name) > > with open(path, 'wb') as image_file: > response = conn.image.download_image(image_name) > for chunk in tqdm(response.iter_content(), **tqdm_params): > image_file.write(chunk) > ``` > > And it gave me some performance improvement (3kB/s -> 120kB/s). > ... though it would still take several days to download an image. > > Is there some tuning that I could apply? 
this is what nova does https://github.com/openstack/nova/blob/master/nova/image/glance.py#L344 we get the image chunks by calling the data method on the glance client https://github.com/openstack/nova/blob/03d2715ed492350fa11908aea0fdd0265993e284/nova/image/glance.py#L373-L377 then bwe basiclly just loop over the chunks and write them to a file like you are https://github.com/openstack/nova/blob/03d2715ed492350fa11908aea0fdd0265993e284/nova/image/glance.py#L413-L437 we have some extra code for doing image verification but its basically the same as what you are doing we use eventlets to monkeypatch python io which can imporve performce but i woudl not expect it to be that dramatic and i dont think the glance clinet or opesntack client use eventlet so its sound liek something else is limiting the transfer speed. this is the glance client method we are invokeing https://github.com/openstack/python-glanceclient/blob/56186d6d5aa1a0c8fde99eeb535a650b0495925d/glanceclient/v2/images.py#L201-L271 im not sure what tqdm is by the way is it meusrign the transfer speed of something linke that? does the speed increase if you remvoe that? i.ie can you test this via a simple time script and see how much downloads say in up to 60 seconds by lookign at the file size? assuming its https://github.com/tqdm/tqdm perhaps the addtional io that woudl be doing to standard out is slowign it down? > > On Thu, Oct 13, 2022, 14:18 Sean Mooney wrote: > > > On Thu, 2022-10-13 at 13:30 -0300, Lucio Seki wrote: > > > Hi glance experts, > > > > > > I'm using the following code to download a glance image: > > > > > > ``` > > > from glanceapi import client > > > ... > > > glance = client.Client(GLANCE_API_VERSION, session=sess) > > > ... > > > with open(path, 'wb') as image_file: > > > data = glance.images.data(image_id) > > > for chunk in tqdm(data, unit='B', unit_scale=True, > > unit_divisor=1024): > > > image_file.write(chunk) > > > ``` > > > > > > And I get a speed around 3kB/s. It would take months to download an > > image. > > > I'm using python3-glanceclient==3.6.0. > > > I even tried: > > > ``` > > > for chunk in tqdm(data, unit='B', unit_scale=True, > > unit_divisor=1024): > > > pass > > > ``` > > > to see if the bottleneck was the disk I/O, but didn't get any faster. > > > > > > In the same environment, when I use the glance CLI instead: > > > > > > ``` > > > glance image-download --file $path $image_id > > > ``` > > > I get hundreds of MB/s download speed, and it finishes in a few minutes. > > > > > > Is there anything I can do to improve the glanceclient performance? > > > I'm considering using subprocess.Popen(['glance', 'image-download', ...]) > > > if nothing helps... > > have you considered using the openstacksdk instead > > > > the glanceclint is really only intendeted for other openstack service to > > use like > > nova or ironic. > > its not really ment to be used to write your onw code anymore. > > in the past it provided a programatic interface for interacting with glance > > but now you shoudl prefer the openstack sdk instead. 
> > https://github.com/openstack/openstacksdk > > > > > > > > Regards, > > > Lucio > > > > From lucioseki at gmail.com Thu Oct 13 21:24:01 2022 From: lucioseki at gmail.com (Lucio Seki) Date: Thu, 13 Oct 2022 18:24:01 -0300 Subject: [glance] Slow image download when using glanceclient In-Reply-To: <56b7476c090c1223dc91c89eb6acdbd7ff1e307a.camel@redhat.com> References: <0bf73382755a1b3cf776932bbcc658ea250c23fa.camel@redhat.com> <56b7476c090c1223dc91c89eb6acdbd7ff1e307a.camel@redhat.com> Message-ID: Yes, I'm using tqdm to monitor the progress and speed. I removed it, and it improved slightly (120kB/s -> 131kB/s) but not significantly :-/ On Thu, Oct 13, 2022, 16:54 Sean Mooney wrote: > On Thu, 2022-10-13 at 16:21 -0300, Lucio Seki wrote: > > Thanks Sean, that makes much easier to code! > > > > ``` > > ... > > conn = openstack.connect(cloud_name) > > > > with open(path, 'wb') as image_file: > > response = conn.image.download_image(image_name) > > for chunk in tqdm(response.iter_content(), **tqdm_params): > > image_file.write(chunk) > > ``` > > > > And it gave me some performance improvement (3kB/s -> 120kB/s). > > ... though it would still take several days to download an image. > > > > Is there some tuning that I could apply? > this is what nova does > https://github.com/openstack/nova/blob/master/nova/image/glance.py#L344 > > we get the image chunks by calling the data method on the glance client > > https://github.com/openstack/nova/blob/03d2715ed492350fa11908aea0fdd0265993e284/nova/image/glance.py#L373-L377 > then bwe basiclly just loop over the chunks and write them to a file like > you are > > https://github.com/openstack/nova/blob/03d2715ed492350fa11908aea0fdd0265993e284/nova/image/glance.py#L413-L437 > we have some extra code for doing image verification but its basically the > same as what you are doing > we use eventlets to monkeypatch python io which can imporve performce but > i woudl not expect it to be that dramatic > and i dont think the glance clinet or opesntack client use eventlet so its > sound liek something else is limiting the transfer speed. > > this is the glance client method we are invokeing > > https://github.com/openstack/python-glanceclient/blob/56186d6d5aa1a0c8fde99eeb535a650b0495925d/glanceclient/v2/images.py#L201-L271 > > > im not sure what tqdm is by the way is it meusrign the transfer speed of > something linke that? > does the speed increase if you remvoe that? > i.ie can you test this via a simple time script and see how much > downloads say in up to 60 seconds by lookign at the file size? > > assuming its https://github.com/tqdm/tqdm perhaps the addtional io that > woudl be doing to standard out is slowign it down? > > > > > > > > On Thu, Oct 13, 2022, 14:18 Sean Mooney wrote: > > > > > On Thu, 2022-10-13 at 13:30 -0300, Lucio Seki wrote: > > > > Hi glance experts, > > > > > > > > I'm using the following code to download a glance image: > > > > > > > > ``` > > > > from glanceapi import client > > > > ... > > > > glance = client.Client(GLANCE_API_VERSION, session=sess) > > > > ... > > > > with open(path, 'wb') as image_file: > > > > data = glance.images.data(image_id) > > > > for chunk in tqdm(data, unit='B', unit_scale=True, > > > unit_divisor=1024): > > > > image_file.write(chunk) > > > > ``` > > > > > > > > And I get a speed around 3kB/s. It would take months to download an > > > image. > > > > I'm using python3-glanceclient==3.6.0. 
> > > > I even tried: > > > > ``` > > > > for chunk in tqdm(data, unit='B', unit_scale=True, > > > unit_divisor=1024): > > > > pass > > > > ``` > > > > to see if the bottleneck was the disk I/O, but didn't get any faster. > > > > > > > > In the same environment, when I use the glance CLI instead: > > > > > > > > ``` > > > > glance image-download --file $path $image_id > > > > ``` > > > > I get hundreds of MB/s download speed, and it finishes in a few > minutes. > > > > > > > > Is there anything I can do to improve the glanceclient performance? > > > > I'm considering using subprocess.Popen(['glance', 'image-download', > ...]) > > > > if nothing helps... > > > have you considered using the openstacksdk instead > > > > > > the glanceclint is really only intendeted for other openstack service > to > > > use like > > > nova or ironic. > > > its not really ment to be used to write your onw code anymore. > > > in the past it provided a programatic interface for interacting with > glance > > > but now you shoudl prefer the openstack sdk instead. > > > https://github.com/openstack/openstacksdk > > > > > > > > > > > Regards, > > > > Lucio > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jay at gr-oss.io Thu Oct 13 21:58:42 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Thu, 13 Oct 2022 14:58:42 -0700 Subject: [ironic][ptg] Antelope PTG Schedule Message-ID: Hey all, Just a reminder, Ironic will be meeting at the PTG during the following times: Monday 1400-1500 UTC, in bexar room (shared session with nova about Ironic driver) Tuesday 1400-1700 UTC in grizzly room Wednesday 1400-1600 UTC in grizzly room Wednesday 2200-2300 UTC in grizzly room Also, baremetal SIG will be holding an operator hour for Ironic and other baremetal users on Wednesday, 1300-1400 UTC in the grizzly room. As always, https://ptg.opendev.org/ptg.html is more accurate and up to date than this email which only serves as a guide. Please also review https://etherpad.opendev.org/p/ironic-antelope-ptg -- I've documented a schedule guideline mapping out our PTG topics across these times. If you have any conflicts, please let me know ASAP and we'll try to accommodate. Thanks, Jay Faulkner -------------- next part -------------- An HTML attachment was scrubbed... URL: From jay at gr-oss.io Thu Oct 13 22:00:42 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Thu, 13 Oct 2022 15:00:42 -0700 Subject: [baremetal-sig][ptg] Baremetal SIG Operator Hour Message-ID: Hey all, Just a friendly reminder that the Baremetal SIG will be holding an Operator hour Wednesday 1300-1400 UTC in the grizzly room. Please see https://etherpad.opendev.org/p/oct2022-ptg-operator-hour-baremetal-sig to review questions and add more if there's information you'd like to know from our baremetal operators. As always, https://ptg.opendev.org/ptg.html is more up to date than this email, which just serves as a guide. I'll see you there next week! - Jay Faulkner -------------- next part -------------- An HTML attachment was scrubbed... URL: From ralonsoh at redhat.com Fri Oct 14 08:34:11 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Fri, 14 Oct 2022 10:34:11 +0200 Subject: [neutron] Drivers meeting Message-ID: Hello Neutrinos: Due to the lack of agenda, today's meeting is cancelled. Next meeting will be in two weeks, October 28th. Next week, as you know, is the PTG and we will cancel all regular scheduled meetings. See you next week! 
-------------- next part -------------- An HTML attachment was scrubbed... URL: From jean-francois.taltavull at elca.ch Fri Oct 14 10:03:41 2022 From: jean-francois.taltavull at elca.ch (=?utf-8?B?VGFsdGF2dWxsIEplYW4tRnJhbsOnb2lz?=) Date: Fri, 14 Oct 2022 10:03:41 +0000 Subject: [Ceilometer] Dynamic pollsters : dot in JSON keyname In-Reply-To: References: Message-ID: This expression does the trick: ``` value_attribute: ". | value['usage'] | value.get('rgw.main', {'size':0}) | value['size']" ``` Thanks ! JF From: Rafael Weing?rtner Sent: jeudi, 13 octobre 2022 13:41 To: Taltavull Jean-Fran?ois Cc: openstack-discuss Subject: Re: [Ceilometer] Dynamic pollsters : dot in JSON keyname EXTERNAL MESSAGE - This email comes from outside ELCA companies. In such cases, you need to use the "Dynamic pollsters operations" to process the sample, and retrieve the key as "rgw.main.size". By default, this value ("rgw.main.size") is interpreted as a nested dictionary. I mean, an object with a key "rgw", and then, another one that has a key "main", where there is a dict, with a key "size". To handle such cases, you would need something similar to: `value_attribute: "usage || value['rgw.main'] | value['size']"`. However, that might not address all use cases. You will also need to handle situations when there is no key "rgw.main" in the response samples. On Wed, Oct 12, 2022 at 12:17 PM Taltavull Jean-Fran?ois > wrote: Hello Rafael, To get the the size, in GB, occupied by buckets I need to manipulate a JSON key which contains a dot in its name: ```` - name: "radosgw.containers.objects.size" sample_type: "gauge" unit: "B" value_attribute: "rgw.main.size" <------------------------------------"rgw.main" is a JSON key, with a dot in its name, which belongs to "bucket.usage" JSON container url_path: "http://FQDN/admin/bucket?stats=True" module: "awsauth" authentication_object: "S3Auth" authentication_parameters: my_access_key,my_secret_key,FQDN user_id_attribute: "owner" project_id_attribute: "tenant" resource_id_attribute: "id" response_entries_key: "usage" ```` But with this dynamic pollster definition, I get the python error "KeyError: 'rgw' ". In this case, is there a specific syntax to define "value_attribute" or am I doing something the wrong way ? Jean-Francois -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From artem.goncharov at gmail.com Fri Oct 14 10:23:12 2022 From: artem.goncharov at gmail.com (Artem Goncharov) Date: Fri, 14 Oct 2022 12:23:12 +0200 Subject: [nova][keystone] What happens to key pairs after user is deleted Message-ID: Hi all, From the API perspective it is possible to delete user without deleting its key pairs. Practice showed, however, that keypairs of deleted user still exist and can be queried by API knowing id of the deleted user (at least in devstack and 1 other public cloud). I know it may be tricky if there is still VM provisioned with the key, but deleting user logically means nobody has access to the private key anyway. And since key pairs belong to users and not to projects it is not possible to clean them up in the project cleanup either. Actually from the API pov there is no reasonable way to ever find those (without knowing ID of the deleted user which is logically not known anymore). If there is no cleanup this can in the mid term cause trashing the database (records are small, but still), especially when using ?dynamic? users to perform some actions. 
So far I haven?t tried to grep through code basis of Nova to check what is happening, neither tried to check behavior over time, and decided first to ask here whether somebody knows what should be generally happening here, is it a bug or feature? Thanks, Artem From smooney at redhat.com Fri Oct 14 11:54:11 2022 From: smooney at redhat.com (Sean Mooney) Date: Fri, 14 Oct 2022 12:54:11 +0100 Subject: [nova][keystone] What happens to key pairs after user is deleted In-Reply-To: References: Message-ID: <3de78ba2af783aeb1f320d100110437097a91cea.camel@redhat.com> On Fri, 2022-10-14 at 12:23 +0200, Artem Goncharov wrote: > Hi all, > > From the API perspective it is possible to delete user without deleting its key pairs. > from a nova api perspective you have violated the precondition if you do not remove all resouces owned by the user in nova before you delete the user in keystone. so you are conflaiting two things. it is possibel to do in keystone apit but its not valid to do that as you have not met the precondtion of cleaing up the resocue in other project. so no we donot support deleteign the keyparis after the fact like that. > Practice showed, however, that keypairs of deleted user still exist and can be queried by API knowing id of the deleted user (at least in devstack and 1 other public cloud).? > I know it may be tricky if there is still VM provisioned with the key, but deleting user logically means nobody has access to the private key anyway. > correct noone shoudl have access to the key but again you are not allowed to delete the user before you remoave any resouces used by it you can delete the keypari wihotut deleteing it form the vms that were created with it. deleting the keypair has never implied removing the keypair form ths authrised keys in the vm so no assumitions shoudl be made that removing the keypair alther who can log into the vm. that is just not part of what the nova api. > And since key pairs belong to users and not to projects it is not possible to clean them up in the project cleanup either.? > > Actually from the API pov there is no reasonable way to ever find those (without knowing ID of the deleted user which is logically not known anymore). > > If there is no cleanup this can in the mid term cause trashing the database (records are small, but still), especially when using ?dynamic? users to perform some actions. ya so if we wanted to suprot automatic clean up of user resouce likek keyparis we woudl need a new user-deleted exeternal event in the nova api and nova could delete the key pair and any other user (not project) owned api resoruse but i think the key pari is the only example we have today. teh vms are owned by the project not the user. > > So far I haven?t tried to grep through code basis of Nova to check what is happening, neither tried to check behavior over time, and decided first to ask here whether somebody knows what should be generally happening here, is it a bug or feature? > this is not a bug its user error. nova and all other openstack servces to my knoladge require that you clean up the reosuce used by users or proejct are cleaned up before you remove a user/project form keystone. so by violatign that requirement you can nolonger interact with apis that depedn in the delete entitiy and that is expect. it woudl be a large cross proejct effort to chagne that. alternitivly keystoen could prevent the user/project form being deleteed if there are resuouce used by that user/project in other service btu tthat woudl also be a cross project effort. 
for this specific issue we could add a new Admin only api to allow the deletion fo user keypairs btu that woudl be a new feature. > Thanks, > Artem > From artem.goncharov at gmail.com Fri Oct 14 13:06:38 2022 From: artem.goncharov at gmail.com (Artem Goncharov) Date: Fri, 14 Oct 2022 15:06:38 +0200 Subject: [nova][keystone] What happens to key pairs after user is deleted In-Reply-To: <3de78ba2af783aeb1f320d100110437097a91cea.camel@redhat.com> References: <3de78ba2af783aeb1f320d100110437097a91cea.camel@redhat.com> Message-ID: <9576F4A6-3379-4C48-B3CC-5D32077BA50E@gmail.com> Thanks for answer > On 14. Oct 2022, at 13:54, Sean Mooney wrote: > > On Fri, 2022-10-14 at 12:23 +0200, Artem Goncharov wrote: >> Hi all, >> >> From the API perspective it is possible to delete user without deleting its key pairs. >> > from a nova api perspective you have violated the precondition if you do not remove all resouces owned by the user in nova before you delete the user > in keystone. so you are conflaiting two things. it is possibel to do in keystone apit but its not valid to do that as you have not met the precondtion > of cleaing up the resocue in other project. > so no we donot support deleteign the keyparis after the fact like that. >> Practice showed, however, that keypairs of deleted user still exist and can be queried by API knowing id of the deleted user (at least in devstack and 1 other public cloud). >> I know it may be tricky if there is still VM provisioned with the key, but deleting user logically means nobody has access to the private key anyway. >> > correct noone shoudl have access to the key but again you are not allowed to delete the user before you remoave any resouces used by it > you can delete the keypari wihotut deleteing it form the vms that were created with it. deleting the keypair has never implied > removing the keypair form ths authrised keys in the vm so no assumitions shoudl be made that removing the keypair alther who can log into the vm. > that is just not part of what the nova api. >> And since key pairs belong to users and not to projects it is not possible to clean them up in the project cleanup either. >> >> Actually from the API pov there is no reasonable way to ever find those (without knowing ID of the deleted user which is logically not known anymore). >> >> If there is no cleanup this can in the mid term cause trashing the database (records are small, but still), especially when using ?dynamic? users to perform some actions. > ya so if we wanted to suprot automatic clean up of user resouce likek keyparis we woudl need a new user-deleted exeternal event in the nova api and > nova could delete the key pair and any other user (not project) owned api resoruse but i think the key pari is the only example we have today. > teh vms are owned by the project not the user. Right, this is only valid for key pairs. That is precisely the reason why project cleanup is not dealing with that today. >> >> So far I haven?t tried to grep through code basis of Nova to check what is happening, neither tried to check behavior over time, and decided first to ask here whether somebody knows what should be generally happening here, is it a bug or feature? >> > this is not a bug its user error. I disagree here. There is nothing that blocks you from doing so. User error is i.e. to try to delete something what is still used. Here the user was never said to delete all of the resources, cause same statement is valid to deletion or not deletion of the VM created by the user. 
You should not be able to delete project if there are resources remaining, and you should not be able to drop user if key pairs exist? And the biggest issue is that once user recognised he did an ?error? - he is not able to fix it. My personal opinion is that it is a bug to let user to make error. What is the user supposed to do after he recognised he deleted project without deleting resources first? As admin you have chance to catch resources not belonging to any existing project, but not with key pairs. And how big are the chances you can still do this on a big cloud? > nova and all other openstack servces to my knoladge require that you clean up the reosuce used by users or proejct are cleaned up before you remove a > user/project form keystone. so by violatign that requirement you can nolonger interact with apis that depedn in the delete entitiy and that is expect. > it woudl be a large cross proejct effort to chagne that. > > alternitivly keystoen could prevent the user/project form being deleteed if there are resuouce used by that user/project in other service btu tthat > woudl also be a cross project effort. This feels logical, but most likely not easy to achieve, because otherwise Keystone need to query every service asking whether deletion of this user should be blocked or not. Keystone sending announcement to the services that certain user/project//domain was deleted so that service makes decision what to do with that is easier to achieve, but blocking is really the only way to make user experience correct and avoid creating a mess in a first place. > > for this specific issue we could add a new Admin only api to allow the deletion fo user keypairs btu that woudl be a new feature. From the user perspective I would prefer extending list key pairs api with something like ?all users?. Having info like that customer based cleanup can determine all KPs owned by deleted users and drop them. For that, however, some form of tracking to which domain user was belonging (maybe instead of "all_users" add param "user_domain_id") need to be also done. I would like to prevent that only super-duper admin of the cloud can do such cleanup, otherwise in a big public cloud it will become a mess. > >> Thanks, >> Artem >> > From artem.goncharov at gmail.com Fri Oct 14 15:07:29 2022 From: artem.goncharov at gmail.com (Artem Goncharov) Date: Fri, 14 Oct 2022 17:07:29 +0200 Subject: [glance] Slow image download when using glanceclient In-Reply-To: References: <0bf73382755a1b3cf776932bbcc658ea250c23fa.camel@redhat.com> <56b7476c090c1223dc91c89eb6acdbd7ff1e307a.camel@redhat.com> Message-ID: <141F3517-5364-4B69-889D-2EB1077DD9D6@gmail.com> ``` import openstack conn = openstack.connect() conn.image.download_image(image_name, stream=True, output="data.iso?) ``` This gives me max performance of the network. Actually using stream=True may be slower (around 40%), but may be crucially necessary when dealing with huge images. Additionally you can specify chunk_size as param to download_image function, what aligns performance of stream vs non stream (for me stream=True and chunk_size=8192 resulted 2.3G image to be downloaded in 14 sec) > On 13. Oct 2022, at 23:24, Lucio Seki wrote: > > Yes, I'm using tqdm to monitor the progress and speed. > I removed it, and it improved slightly (120kB/s -> 131kB/s) but not significantly :-/ > > On Thu, Oct 13, 2022, 16:54 Sean Mooney > wrote: > On Thu, 2022-10-13 at 16:21 -0300, Lucio Seki wrote: > > Thanks Sean, that makes much easier to code! > > > > ``` > > ... 
> > conn = openstack.connect(cloud_name) > > > > with open(path, 'wb') as image_file: > > response = conn.image.download_image(image_name) > > for chunk in tqdm(response.iter_content(), **tqdm_params): > > image_file.write(chunk) > > ``` > > > > And it gave me some performance improvement (3kB/s -> 120kB/s). > > ... though it would still take several days to download an image. > > > > Is there some tuning that I could apply? > this is what nova does > https://github.com/openstack/nova/blob/master/nova/image/glance.py#L344 > > we get the image chunks by calling the data method on the glance client > https://github.com/openstack/nova/blob/03d2715ed492350fa11908aea0fdd0265993e284/nova/image/glance.py#L373-L377 > then bwe basiclly just loop over the chunks and write them to a file like you are > https://github.com/openstack/nova/blob/03d2715ed492350fa11908aea0fdd0265993e284/nova/image/glance.py#L413-L437 > we have some extra code for doing image verification but its basically the same as what you are doing > we use eventlets to monkeypatch python io which can imporve performce but i woudl not expect it to be that dramatic > and i dont think the glance clinet or opesntack client use eventlet so its sound liek something else is limiting the transfer speed. > > this is the glance client method we are invokeing > https://github.com/openstack/python-glanceclient/blob/56186d6d5aa1a0c8fde99eeb535a650b0495925d/glanceclient/v2/images.py#L201-L271 > > > im not sure what tqdm is by the way is it meusrign the transfer speed of something linke that? > does the speed increase if you remvoe that? > i.ie can you test this via a simple time script and see how much downloads say in up to 60 seconds by lookign at the file size? > > assuming its https://github.com/tqdm/tqdm perhaps the addtional io that woudl be doing to standard out is slowign it down? > > > > > > > > On Thu, Oct 13, 2022, 14:18 Sean Mooney > wrote: > > > > > On Thu, 2022-10-13 at 13:30 -0300, Lucio Seki wrote: > > > > Hi glance experts, > > > > > > > > I'm using the following code to download a glance image: > > > > > > > > ``` > > > > from glanceapi import client > > > > ... > > > > glance = client.Client(GLANCE_API_VERSION, session=sess) > > > > ... > > > > with open(path, 'wb') as image_file: > > > > data = glance.images.data(image_id) > > > > for chunk in tqdm(data, unit='B', unit_scale=True, > > > unit_divisor=1024): > > > > image_file.write(chunk) > > > > ``` > > > > > > > > And I get a speed around 3kB/s. It would take months to download an > > > image. > > > > I'm using python3-glanceclient==3.6.0. > > > > I even tried: > > > > ``` > > > > for chunk in tqdm(data, unit='B', unit_scale=True, > > > unit_divisor=1024): > > > > pass > > > > ``` > > > > to see if the bottleneck was the disk I/O, but didn't get any faster. > > > > > > > > In the same environment, when I use the glance CLI instead: > > > > > > > > ``` > > > > glance image-download --file $path $image_id > > > > ``` > > > > I get hundreds of MB/s download speed, and it finishes in a few minutes. > > > > > > > > Is there anything I can do to improve the glanceclient performance? > > > > I'm considering using subprocess.Popen(['glance', 'image-download', ...]) > > > > if nothing helps... > > > have you considered using the openstacksdk instead > > > > > > the glanceclint is really only intendeted for other openstack service to > > > use like > > > nova or ironic. > > > its not really ment to be used to write your onw code anymore. 
> > > in the past it provided a programatic interface for interacting with glance > > > but now you shoudl prefer the openstack sdk instead. > > > https://github.com/openstack/openstacksdk > > > > > > > > > > > Regards, > > > > Lucio > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mnasiadka at gmail.com Fri Oct 14 15:10:43 2022 From: mnasiadka at gmail.com (=?utf-8?Q?Micha=C5=82_Nasiadka?=) Date: Fri, 14 Oct 2022 17:10:43 +0200 Subject: [kolla][ptg] Antelope PTG schedule Message-ID: Hi Koalas, Antelope PTG is going to start next week, following are the slots that are booked: 17-20 October 2022: ? Monday - 13.00 - 17.00 UTC (mostly general and Kolla) ? Tuesday - 13.00 - 16.00 UTC (mostly Kolla Ansible) and 16.00 - 17.00 UTC Operator hour ? Thursday - 13.00 - 15.00 UTC (Kayobe) NOTE: I have booked Kolla operator hour on Tuesday, 16.00 - 17.00 UTC (Etherpad link [2]) [1] https://etherpad.opendev.org/p/kolla-antelope-ptg [2] https://etherpad.opendev.org/p/oct2022-ptg-operator-hour-kolla See you there! Best regards, Michal -------------- next part -------------- An HTML attachment was scrubbed... URL: From gmann at ghanshyammann.com Fri Oct 14 19:09:44 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Fri, 14 Oct 2022 12:09:44 -0700 Subject: [ptls][tc] 2022 OpenStack User Survey Project Question Responses In-Reply-To: <236718A0-249C-42D6-ABB8-AE65C5BFA6A6@openinfra.dev> References: <236718A0-249C-42D6-ABB8-AE65C5BFA6A6@openinfra.dev> Message-ID: <183d7e70321.12082da9c218306.2847086945299618919@ghanshyammann.com> Thanks, Allison for sharing the 2022 survey response which is good timing to discuss in PTG. I noticed that there are a few retired projects still present in the survey: - Congress - Karbor - Qinling - searchlight - tricircle - Panko (this retired last month) But I see some responses for these projects as used in 'production' and 'interested'. In the 2023 Survey, we have two options for these projects: 1. Remove them from Survey 2. We can add some info like "this project is retired and if you are using it or interested to use then you can re-apply these projects to be official OpenStack project and maintain it". As they were included in Survey, that will be a good notification to users and maybe in the 2024 year survey, we can remove them. -gmann ---- On Thu, 13 Oct 2022 10:37:32 -0700 Allison Price wrote --- > Hi everyone, > > Please find attached the responses to the project questions from the 2022 OpenStack User Survey. Based on feedback last year, I included additional, non-identifiable information that will hopefully help provident deployment context for the responses to your questions. If you need a reminder of your project question, you can review the OpenStack User Survey [1]. During the PTG, I would encourage you and your teams to review the responses and decide if you would like to make any changes to your question for the 2023 OpenStack User Survey. It is live now, but we can make changes ahead of significant promotion. Please reach out to me directly with any changes. > > If you have any questions on how to read the results, please let me know. > > Have a great week at the PTG! 
> > Cheers, > Allison > > [1] https://www.openstack.org/usersurvey > > > From allison at openinfra.dev Fri Oct 14 19:18:27 2022 From: allison at openinfra.dev (Allison Price) Date: Fri, 14 Oct 2022 14:18:27 -0500 Subject: [ptls][tc] 2022 OpenStack User Survey Project Question Responses In-Reply-To: <183d7e70321.12082da9c218306.2847086945299618919@ghanshyammann.com> References: <236718A0-249C-42D6-ABB8-AE65C5BFA6A6@openinfra.dev> <183d7e70321.12082da9c218306.2847086945299618919@ghanshyammann.com> Message-ID: <96475304-6D80-4F47-83E4-F76DE4BA9343@openinfra.dev> > On Oct 14, 2022, at 2:09 PM, Ghanshyam Mann wrote: > > Thanks, Allison for sharing the 2022 survey response which is good timing to discuss in PTG. > > I noticed that there are a few retired projects still present in the survey: > > - Congress > - Karbor > - Qinling > - searchlight > - tricircle > - Panko (this retired last month) > > But I see some responses for these projects as used in 'production' and 'interested'. In the 2023 Survey, we have two options for these projects: > 1. Remove them from Survey > 2. We can add some info like "this project is retired and if you are using it or interested to use then you can re-apply these projects to be official OpenStack project and maintain it". As they were included in Survey, that will be a good notification to users and maybe in the 2024 year survey, we can remove them. I like your second suggestion about putting a disclaimer. We can also reach out to folks who are running these services to let them know. To have the most accurate picture of OpenStack deployments, I do not recommending removing these projects from the User Survey at any point. Most users are running old releases which means that they may still be running these services, which I think is valuable for us to know. > > > -gmann > > ---- On Thu, 13 Oct 2022 10:37:32 -0700 Allison Price wrote --- >> Hi everyone, >> >> Please find attached the responses to the project questions from the 2022 OpenStack User Survey. Based on feedback last year, I included additional, non-identifiable information that will hopefully help provident deployment context for the responses to your questions. If you need a reminder of your project question, you can review the OpenStack User Survey [1]. During the PTG, I would encourage you and your teams to review the responses and decide if you would like to make any changes to your question for the 2023 OpenStack User Survey. It is live now, but we can make changes ahead of significant promotion. Please reach out to me directly with any changes. >> >> If you have any questions on how to read the results, please let me know. >> >> Have a great week at the PTG! 
>> >> Cheers, >> Allison >> >> [1] https://www.openstack.org/usersurvey >> >> >> From gmann at ghanshyammann.com Fri Oct 14 19:51:05 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Fri, 14 Oct 2022 12:51:05 -0700 Subject: [ptls][tc] 2022 OpenStack User Survey Project Question Responses In-Reply-To: <96475304-6D80-4F47-83E4-F76DE4BA9343@openinfra.dev> References: <236718A0-249C-42D6-ABB8-AE65C5BFA6A6@openinfra.dev> <183d7e70321.12082da9c218306.2847086945299618919@ghanshyammann.com> <96475304-6D80-4F47-83E4-F76DE4BA9343@openinfra.dev> Message-ID: <183d80cdd6e.cc5d2659219035.116924690769971438@ghanshyammann.com> ---- On Fri, 14 Oct 2022 12:18:27 -0700 Allison Price wrote --- > > > > On Oct 14, 2022, at 2:09 PM, Ghanshyam Mann gmann at ghanshyammann.com> wrote: > > > > Thanks, Allison for sharing the 2022 survey response which is good timing to discuss in PTG. > > > > I noticed that there are a few retired projects still present in the survey: > > > > - Congress > > - Karbor > > - Qinling > > - searchlight > > - tricircle > > - Panko (this retired last month) > > > > But I see some responses for these projects as used in 'production' and 'interested'. In the 2023 Survey, we have two options for these projects: > > 1. Remove them from Survey > > 2. We can add some info like "this project is retired and if you are using it or interested to use then you can re-apply these projects to be official OpenStack project and maintain it". As they were included in Survey, that will be a good notification to users and maybe in the 2024 year survey, we can remove them. > > I like your second suggestion about putting a disclaimer. We can also reach out to folks who are running these services to let them know. To have the most accurate picture of OpenStack deployments, I do not recommending removing these projects from the User Survey at any point. Most users are running old releases which means that they may still be running these services, which I think is valuable for us to know. ++, sounds like a good plan. Reaching out to folks who are running these services is a really good idea. -gmann > > > > > > > -gmann > > > > ---- On Thu, 13 Oct 2022 10:37:32 -0700 Allison Price wrote --- > >> Hi everyone, > >> > >> Please find attached the responses to the project questions from the 2022 OpenStack User Survey. Based on feedback last year, I included additional, non-identifiable information that will hopefully help provident deployment context for the responses to your questions. If you need a reminder of your project question, you can review the OpenStack User Survey [1]. During the PTG, I would encourage you and your teams to review the responses and decide if you would like to make any changes to your question for the 2023 OpenStack User Survey. It is live now, but we can make changes ahead of significant promotion. Please reach out to me directly with any changes. > >> > >> If you have any questions on how to read the results, please let me know. > >> > >> Have a great week at the PTG! > >> > >> Cheers, > >> Allison > >> > >> [1] https://www.openstack.org/usersurvey > >> > >> > >> > > > From gmann at ghanshyammann.com Fri Oct 14 20:46:43 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Fri, 14 Oct 2022 13:46:43 -0700 Subject: [all][tc] Canceling next week TC meetings Message-ID: <183d83fccbb.b3b7becd219914.4007981351422134568@ghanshyammann.com> Hello Everyone, As we all will be in PTG next week, we are cancelling next week's TC meeting. 
-gmann From gmann at ghanshyammann.com Fri Oct 14 21:10:20 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Fri, 14 Oct 2022 14:10:20 -0700 Subject: [all][tc] What's happening in Technical Committee: summary 2022 Oct 14: Reading: 5 min Message-ID: <183d8556d54.c42ff436220187.8182964179249177028@ghanshyammann.com> Hello Everyone, Here is this week's summary of the Technical Committee activities. 1. TC Meetings: ============ * We had this week's meeting on Oct 13. Most of the meeting discussions are summarized in this email. Meeting logs are available @ https://meetings.opendev.org/meetings/tc/2022/tc.2022-10-13-15.00.log.html * Next TC weekly meeting will be on Oct 27 Thursday at 15:00 UTC, feel free to add the topic to the agenda[1] by Oct 26. 2. What we completed this week: ========================= * Selected slaweq nomination as TC vice-chair [2] * Selected Ubuntu 22.04 for CI/CD as a current goal [3] * Added project for managing zuul jobs for charms [4] * Clarify Extended Maintenance branch testing and support policy in stable policy document [5] 3. Activities In progress: ================== TC Tracker for Zed cycle ------------------------------ * Zed tracker etherpad includes the TC working items[6], Five are completed and other items are in-progress. Open Reviews ----------------- * Four open reviews for ongoing activities[7]. 2023.1 cycle Leaderless projects --------------------------------------- * Zun project PTL appointment is under review[8][9]. 2023.1 cycle TC PTG planning ------------------------------------ * Etherpads to add the topics: ** https://etherpad.opendev.org/p/tc-2023-1-ptg ** https://etherpad.opendev.org/p/tc-leaders-interaction-2023-1 * Kubernetes Steering Committee members will be meeting TC in PTG on Friday 21 Oct at 16:00 UTC. * I sent a reminder email about the 'Operator Hours' slots in this PTG, please check and reserve the operator hour slot for your project[10] 2021 User Survey TC Question Analysis ----------------------------------------------- No update on this. The survey summary is up for review[11]. Feel free to check and provide feedback. Fixing Zuul config error ---------------------------- We request projects having zuul config error to fix them, Keep supported stable branches as a priority and Extended maintenance stable branch as low priority[12][13]. Project updates ------------------- * None. 4. How to contact the TC: ==================== If you would like to discuss or give feedback to TC, you can reach out to us in multiple ways: 1. Email: you can send the email with tag [tc] on openstack-discuss ML[14]. 2. Weekly meeting: The Technical Committee conduct a weekly meeting every Thursday 15 UTC [15] 3. Ping us using 'tc-members' nickname on #openstack-tc IRC channel. See you all next week in PTG! 
[1] https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting [2] https://review.opendev.org/c/openstack/governance/+/860352 [3] https://review.opendev.org/c/openstack/governance/+/860040 [4] https://review.opendev.org/c/openstack/governance/+/861044 [5] https://review.opendev.org/c/openstack/project-team-guide/+/861141 [6] https://etherpad.opendev.org/p/tc-zed-tracker [7] https://review.opendev.org/q/projects:openstack/governance+status:open [8] https://review.opendev.org/c/openstack/governance/+/858980 [9] https://review.opendev.org/c/openstack/governance/+/860759 [10] https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030790.html [11] https://review.opendev.org/c/openstack/governance/+/836888 [12] https://lists.openstack.org/pipermail/openstack-discuss/2022-September/030505.html [13] https://etherpad.opendev.org/p/zuul-config-error-openstack [14] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-discuss [15] http://eavesdrop.openstack.org/#Technical_Committee_Meeting -gmann From amy at demarco.com Fri Oct 14 22:10:11 2022 From: amy at demarco.com (Amy Marrich) Date: Fri, 14 Oct 2022 17:10:11 -0500 Subject: [Diversity][PTG] Diversity and Inclusion WG session at PTG and meeting changes Message-ID: The Diversity and Inclusion WG will be holding its session on Monday at 14:00UTC in the Folsom room. On the agenda[0] are holding a Diversity Survey for the Foundation in 2023 which includes all projects and Community Leadership Mentorship. We have also moved our regular monthly meetings to the Second Tuesday of the month at 14:00UTC and we have also moved back from video to IRC with the meetings taking place in #openinfra-diversity on OFTC. Amy (spotz) 0 - https://etherpad.opendev.org/p/oct2022-ptg-diversity -------------- next part -------------- An HTML attachment was scrubbed... URL: From gmann at ghanshyammann.com Sat Oct 15 22:12:15 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Sat, 15 Oct 2022 15:12:15 -0700 Subject: [all][tc][goals] : "Consistent and Secure Default RBAC" goal: Zed Timeline updates Message-ID: <183ddb4787f.dab78ed6239203.926140978620112699@ghanshyammann.com> Hello Everyone, As you know, "Consistent and Secure Default RBAC" is one of the currently selected community-wide goals and we have divided it into multiple milestones (cycle)[1]. OpenStack Zed is released, I am going to summarize the progress of Zed timeline targets. Please note that progress is as per the new direction/targets decided in the Zed cycle which is to implement the project personas and drop the system scope. Gerrit Topic: https://review.opendev.org/q/topic:%2522secure-rbac%2522+(status:open+OR+status:merged) Tracking: https://etherpad.opendev.org/p/rbac-goal-tracking Completed: ========= * Nova * Neutron * Glance * Manila * Ironic (no change needed for the direction change in Zed cycle) * Manager Support ** Completed *** Ironic 2023.1 Release Timeline[2] =================== 1. All services must implement Phase 1 (Implement project personas) 2. Services start implementing Phase 2 (Move service-to-service APIs to service role) 3. Services start implementing Phase 3 (Implement 'Manager' role where applicable) The 1st one is important and all services must implement the project personas (drop system scope if already implemented). Please plan this work for next week PTG and join TC discussion on this goal on THURSDAY: 17-19 UTC for any query from the project side. 
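For teams starting on Phase 1, the shape of these defaults is roughly the following. This is only an illustrative oslo.policy sketch: the rule names are invented and every service defines its own policies, but the check strings show what the project personas, the service role and the project manager role look like in practice:

```
from oslo_policy import policy

# Illustrative defaults only -- real rule names and defaults live in each service.
rules = [
    # Phase 1: project personas (reader/member scoped to the project).
    policy.DocumentedRuleDefault(
        name="example:widget:get",
        check_str="role:reader and project_id:%(project_id)s",
        description="Show a widget.",
        operations=[{"path": "/widgets/{id}", "method": "GET"}],
    ),
    # Phase 2: service-to-service APIs restricted to the service role.
    policy.DocumentedRuleDefault(
        name="example:widget:internal_sync",
        check_str="role:service",
        description="Internal service-to-service call.",
        operations=[{"path": "/widgets/{id}/sync", "method": "POST"}],
    ),
    # Phase 3: project manager for more privileged, still project-scoped actions.
    policy.DocumentedRuleDefault(
        name="example:widget:force_delete",
        check_str="role:manager and project_id:%(project_id)s",
        description="Force-delete a widget.",
        operations=[{"path": "/widgets/{id}", "method": "DELETE"}],
    ),
]
```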
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#completion-date-criteria [2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#release-timeline -gmann From gmann at ghanshyammann.com Sat Oct 15 23:07:43 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Sat, 15 Oct 2022 16:07:43 -0700 Subject: [all][tc][goal][policy] RBAC goal discussion in 2023.1 PTG Message-ID: <183dde7401d.be0ce1d3239655.622022913516457362@ghanshyammann.com> Hello Everyone, I hope you have seen my other email about RBAC goal progress and what are the targets for the 2023.1 cycle[1]. Please plan and discuss the RBAC work on your project and bring your queries to discuss in the TC PTG slot on Thursday 17 UTC. You can add the query in the below etherpad under RBAC goal topic - https://etherpad.opendev.org/p/tc-2023-1-ptg#L71 [1] https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030863.html -gmann From rdhasman at redhat.com Sun Oct 16 18:15:53 2022 From: rdhasman at redhat.com (Rajat Dhasmana) Date: Sun, 16 Oct 2022 23:45:53 +0530 Subject: [ptg][cinder] Finalized Schedule Message-ID: Hello Everyone, I've finalized the schedule for cinder PTG[1] based on the topics, number of hours of PTG and as per the date and time suited to the authors. Please go through it and let me know if any changes are needed. I've also included a *Courtesy Ping* section with each topic so the people interested in a particular topic will get a ping when it is being discussed. Please include your IRC nick in front of it if you would like to be notified. The schedule includes a Day wise topic list where, except for monday, we've PTG from 1300-1700 UTC (where the last hour acts as a buffer time for extended topic discussions or other planned activities). Following are some of the highlight events of each day, Monday: TC + PTL session: 1500-1700 UTC Tuesday: First day of cinder PTG Operator hour from 1500-1600 UTC Wednesday: Team photo at 1400 UTC (timing could be changed based on the topic duration before it) Thursday: Drivers Day! Friday: Festival of XS reviews (If we've enough time left) [1] https://etherpad.opendev.org/p/zed-ptg-cinder Thanks and regards Rajat Dhasmana -------------- next part -------------- An HTML attachment was scrubbed... URL: From saditya at vt.edu Sun Oct 16 01:13:05 2022 From: saditya at vt.edu (Aditya Sathish) Date: Sat, 15 Oct 2022 21:13:05 -0400 Subject: Installing out-of-tree ML2 neutron plugins with kolla-ansible Message-ID: Hello, I am trying to use an out-of-tree ML2 neutron plugin with OpenStack with Kolla-Ansible but I am having a hard time figuring out how to go about it. For example, this is my repository for the plugin: https://github.com/adityasathis/networking-onos. I have made changes to the deployment YML files to allow configuration for this new neutron plugin from the global.yml file. However, I am not able to figure out how to copy over my plugin files and install them on the controller node. I came across the commit: https://opendev.org/openstack/kolla-ansible/commit/418cb52767270d85e28a6f3027c561f47b805d9d which, I think, does what I'm looking to do and so I kept the networking-onos directory (with the setup.py in it) in the /etc/kolla/config/neutron/plugins directory. The deploy script is able to detect the file in the "Checking for ML2 plugins" step however, I'm not able to copy it anywhere in the "Copying ML2 plugin" step. Am I missing something? Regards, Aditya. 
-------------- next part -------------- An HTML attachment was scrubbed... URL: From saditya at vt.edu Sun Oct 16 01:30:05 2022 From: saditya at vt.edu (Aditya Sathish) Date: Sat, 15 Oct 2022 21:30:05 -0400 Subject: [kolla] Installing out-of-tree ML2 neutron plugins with kolla-ansible In-Reply-To: References: Message-ID: Hello, I am trying to use an out-of-tree ML2 neutron plugin with OpenStack with Kolla-Ansible but I am having a hard time figuring out how to go about it. For example, this is my repository for the plugin: https://github.com/adityasathis/networking-onos. I have made changes to the deployment YML files to allow configuration for this new neutron plugin from the global.yml file. However, I am not able to figure out how to copy over my plugin files and install them on the controller node. I came across the commit: https://opendev.org/openstack/kolla-ansible/commit/418cb52767270d85e28a6f3027c561f47b805d9d which, I think, does what I'm looking to do and so I kept the networking-onos directory (with the setup.py in it) in the /etc/kolla/config/neutron/plugins directory. The deploy script is able to detect the file in the "Checking for ML2 plugins" step however, I'm not able to copy it anywhere in the "Copying ML2 plugin" step. Am I missing something? Regards, Aditya. -------------- next part -------------- An HTML attachment was scrubbed... URL: From radoslaw.piliszek at gmail.com Sun Oct 16 19:10:11 2022 From: radoslaw.piliszek at gmail.com (=?UTF-8?Q?Rados=C5=82aw_Piliszek?=) Date: Sun, 16 Oct 2022 21:10:11 +0200 Subject: Installing out-of-tree ML2 neutron plugins with kolla-ansible In-Reply-To: References: Message-ID: I believe you want to first install the plugin in the container image. The section on plugins might be of interest to you. [1] [1] https://docs.openstack.org/kolla/yoga/admin/image-building.html#plugin-functionality Kind regards, Radek -yoctozepto On Sun, 16 Oct 2022 at 20:31, Aditya Sathish wrote: > > Hello, > > I am trying to use an out-of-tree ML2 neutron plugin with OpenStack with Kolla-Ansible but I am having a hard time figuring out how to go about it. > > For example, this is my repository for the plugin: https://github.com/adityasathis/networking-onos. > > I have made changes to the deployment YML files to allow configuration for this new neutron plugin from the global.yml file. However, I am not able to figure out how to copy over my plugin files and install them on the controller node. > > I came across the commit: https://opendev.org/openstack/kolla-ansible/commit/418cb52767270d85e28a6f3027c561f47b805d9d which, I think, does what I'm looking to do and so I kept the networking-onos directory (with the setup.py in it) in the /etc/kolla/config/neutron/plugins directory. The deploy script is able to detect the file in the "Checking for ML2 plugins" step however, I'm not able to copy it anywhere in the "Copying ML2 plugin" step. Am I missing something? > > Regards, > Aditya. From songwenping at inspur.com Mon Oct 17 02:24:22 2022 From: songwenping at inspur.com (=?gb2312?B?QWxleCBTb25nICjLzs7Exr0p?=) Date: Mon, 17 Oct 2022 02:24:22 +0000 Subject: [cyborg] Antelope PTG, agenda and schedule Message-ID: <010943eb4fb848d18d0d057864242557@inspur.com> Hello Cyborg team: Please check the agenda and schedule for the Antelope PTG: https://etherpad. opendev.org/p/antelope-cyborg-ptg See you! Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/pkcs7-signature Size: 3774 bytes Desc: not available URL: From matt at oliver.net.au Mon Oct 17 03:34:20 2022 From: matt at oliver.net.au (Matthew Oliver) Date: Mon, 17 Oct 2022 14:34:20 +1100 Subject: [swift][ptg] Ops feedback session - Oct 19 at 13:00 UTC Message-ID: As we've done in PTGs past, we're getting devs and ops together to talk about Swift: what's working, what isn't, and what would be most helpful to improve. We're meeting in Diablo (https://www.openinfra.dev/ptg/rooms/diablo) at 13:00UTC -- if you run a Swift cluster, we hope to see you there! Even if you can't make it, We'd appreciate it if you can offer some feedback on the feedback etherpad ( https://etherpad.opendev.org/p/swift-antelope-ops-feedback). This has always been a highlight at every PTG for us swift devs. Have your say and help make Swift even better! Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: From rdhasman at redhat.com Mon Oct 17 04:45:10 2022 From: rdhasman at redhat.com (Rajat Dhasmana) Date: Mon, 17 Oct 2022 10:15:10 +0530 Subject: Outreachy In-Reply-To: References: Message-ID: Hi Fola, Welcome to the community! Happy to see you excited to be working on OpenStack. If you've any doubts related to Cinder, you can ask them in the *#openstack-cinder* IRC channel. Thanks and regards Rajat Dhasmana On Wed, Oct 12, 2022 at 10:46 AM fola fomduwir carine wrote: > Good day @enriquetaso, community mentors and everyone > > My name is Fola Fomduwir Carine an applicant for the December 2022 to > March 2023 Outreachy internships round. I am so excited to be joining this > amazing community, OpenStack. I will be making my contributions on > project #1 . > > I will find one of the issues tagged as low-hanging-fruit and try it out > as a first contribution so I can feel more comfortable with the codebase. > It looks a little overwhelming right now but I guess I will figure it out > with time. > > Once again, thank you @enriquetaso for volunteering to mentor and guide > us. The required skills match my present skill sets. I am so excited to > have taken up this challenge to be part of this great community. It?s a > pleasure for me to have you as a mentor as I undergo this journey. I am > ready and open to learn under your mentorship. > > Thank you > > Fola F. Carine > > > > > > Sent from Mail for > Windows > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From folacarine at gmail.com Mon Oct 17 04:50:36 2022 From: folacarine at gmail.com (fola carine fomduwir) Date: Mon, 17 Oct 2022 05:50:36 +0100 Subject: Outreachy In-Reply-To: References: Message-ID: Thank you so much Rajat On Mon, Oct 17, 2022, 5:45 AM Rajat Dhasmana wrote: > Hi Fola, > > Welcome to the community! > Happy to see you excited to be working on OpenStack. If you've any doubts > related to Cinder, you can ask them in the *#openstack-cinder* IRC > channel. > > Thanks and regards > Rajat Dhasmana > > On Wed, Oct 12, 2022 at 10:46 AM fola fomduwir carine < > folacarine at gmail.com> wrote: > >> Good day @enriquetaso, community mentors and everyone >> >> My name is Fola Fomduwir Carine an applicant for the December 2022 to >> March 2023 Outreachy internships round. I am so excited to be joining this >> amazing community, OpenStack. I will be making my contributions on >> project #1 . >> >> I will find one of the issues tagged as low-hanging-fruit and try it out >> as a first contribution so I can feel more comfortable with the codebase. 
>> It looks a little overwhelming right now but I guess I will figure it out >> with time. >> >> Once again, thank you @enriquetaso for volunteering to mentor and guide >> us. The required skills match my present skill sets. I am so excited to >> have taken up this challenge to be part of this great community. It?s a >> pleasure for me to have you as a mentor as I undergo this journey. I am >> ready and open to learn under your mentorship. >> >> Thank you >> >> Fola F. Carine >> >> >> >> >> >> Sent from Mail for >> Windows >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From skaplons at redhat.com Mon Oct 17 07:07:55 2022 From: skaplons at redhat.com (Slawek Kaplonski) Date: Mon, 17 Oct 2022 09:07:55 +0200 Subject: [neutron] next CI meeting cancelled Message-ID: <2331235.svhpfoarUZ@p1> Hi, Due to the PTG sessions this week, lets cancel Neutron CI meeting. See You on the PTG and on the next CI meeting which will be on Oct 25th. -- Slawek Kaplonski Principal Software Engineer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: This is a digitally signed message part. URL: From radoslaw.piliszek at gmail.com Mon Oct 17 07:26:53 2022 From: radoslaw.piliszek at gmail.com (=?UTF-8?Q?Rados=C5=82aw_Piliszek?=) Date: Mon, 17 Oct 2022 09:26:53 +0200 Subject: Installing out-of-tree ML2 neutron plugins with kolla-ansible In-Reply-To: References: Message-ID: Hi Aditya, First of all, please remember to always CC the mailing list so that other users can benefit from the answers. Regarding the question at hand - the same documentation (starting from the beginning of the page) describes the kolla-build tool, including the usual way to install it. Remember to install the version for your OpenStack release - the right source of versions is [1]. The kolla-build tool is the tool to build the images. I assume so far you have used the prebuilt ones. This time you will have to build your own because you want to add software inside of them. You might also be interested in deploying your own local registry. The simplest way to do so is via [2] but understand it is not production-ready unless in a strictly isolated network (for other use cases I generally recommend Harbor [3]). [1] https://docs.openstack.org/releasenotes/kolla/ [2] https://docs.openstack.org/kolla-ansible/yoga/user/multinode.html#deploy-a-registry [3] https://goharbor.io/ Kind regards, Radek -yoctozepto On Sun, 16 Oct 2022 at 21:43, Aditya Sathish wrote: > > Hi Radek, > > This was incredibly helpful. However, I couldn't find where the kolla-build.conf file is and should I create my own, where I have to add this. > > Regards, > Aditya. > > On Sun, Oct 16, 2022 at 3:10 PM Rados?aw Piliszek wrote: >> >> I believe you want to first install the plugin in the container image. >> The section on plugins might be of interest to you. [1] >> >> [1] https://docs.openstack.org/kolla/yoga/admin/image-building.html#plugin-functionality >> >> Kind regards, >> Radek >> -yoctozepto >> >> On Sun, 16 Oct 2022 at 20:31, Aditya Sathish wrote: >> > >> > Hello, >> > >> > I am trying to use an out-of-tree ML2 neutron plugin with OpenStack with Kolla-Ansible but I am having a hard time figuring out how to go about it. >> > >> > For example, this is my repository for the plugin: https://github.com/adityasathis/networking-onos. 
>> > >> > I have made changes to the deployment YML files to allow configuration for this new neutron plugin from the global.yml file. However, I am not able to figure out how to copy over my plugin files and install them on the controller node. >> > >> > I came across the commit: https://opendev.org/openstack/kolla-ansible/commit/418cb52767270d85e28a6f3027c561f47b805d9d which, I think, does what I'm looking to do and so I kept the networking-onos directory (with the setup.py in it) in the /etc/kolla/config/neutron/plugins directory. The deploy script is able to detect the file in the "Checking for ML2 plugins" step however, I'm not able to copy it anywhere in the "Copying ML2 plugin" step. Am I missing something? >> > >> > Regards, >> > Aditya. From ralonsoh at redhat.com Mon Oct 17 08:47:41 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Mon, 17 Oct 2022 10:47:41 +0200 Subject: [neutron] Neutron meetings cancelled this week Message-ID: Hello: As you may know, this week is the PTG. Any regular Neutron meeting (team meeting, drivers meeting, CI meeting) will be cancelled and resumed next week. Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From noonedeadpunk at gmail.com Mon Oct 17 09:02:02 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Mon, 17 Oct 2022 11:02:02 +0200 Subject: [openstack-ansible][ptg] Antelope PTG schedule Message-ID: Hi everyone! As you might know, Project Teams Gathering is happening this week as a virtual event and OpenStack-Ansible has its own slots as well. On Tuesday, 18th of October at 14:00 - 17:00 UTC all contributors and interested parties are welcome to join us to discuss future development priorities in Essex room [1]. You can find topics that will be discussed in etherpad [2]. It's also not too late to add something extra there! Also, this year is the first time when Operator Hours were introduced. So if you're operator and have questions or proposals to the team - please join us on Wednesday, 19th of October at 14:00 - 15:00 UTC in Folsom room [3]. We also do have some questions for operators, to understand better how OpenStack-Ansible is being used and where we should focus our efforts. For that pease, use the following Etherpad [4] Hope seeing everyone soon! [1] https://www.openinfra.dev/ptg/rooms/essex [2] https://etherpad.opendev.org/p/osa-antelope-ptg [3] https://www.openinfra.dev/ptg/rooms/folsom [4] https://etherpad.opendev.org/p/osa-antelope-operator-hours From stephenfin at redhat.com Mon Oct 17 09:23:18 2022 From: stephenfin at redhat.com (Stephen Finucane) Date: Mon, 17 Oct 2022 10:23:18 +0100 Subject: [nova][keystone] What happens to key pairs after user is deleted In-Reply-To: <9576F4A6-3379-4C48-B3CC-5D32077BA50E@gmail.com> References: <3de78ba2af783aeb1f320d100110437097a91cea.camel@redhat.com> <9576F4A6-3379-4C48-B3CC-5D32077BA50E@gmail.com> Message-ID: <31db424535d9eb2d5c5694a614eea541e58a1226.camel@redhat.com> On Fri, 2022-10-14 at 15:06 +0200, Artem Goncharov wrote: > Thanks for answer > > > On 14. Oct 2022, at 13:54, Sean Mooney wrote: > > > > On Fri, 2022-10-14 at 12:23 +0200, Artem Goncharov wrote: > > > Hi all, > > > > > > From the API perspective it is possible to delete user without deleting its key pairs. > > > > > from a nova api perspective you have violated the precondition if you do not remove all resouces owned by the user in nova before you delete the user > > in keystone. so you are conflaiting two things. 
it is possibel to do in keystone apit but its not valid to do that as you have not met the precondtion > > of cleaing up the resocue in other project. > > so no we donot support deleteign the keyparis after the fact like that. > > > Practice showed, however, that keypairs of deleted user still exist and can be queried by API knowing id of the deleted user (at least in devstack and 1 other public cloud). > > > I know it may be tricky if there is still VM provisioned with the key, but deleting user logically means nobody has access to the private key anyway. > > > > > correct noone shoudl have access to the key but again you are not allowed to delete the user before you remoave any resouces used by it > > you can delete the keypari wihotut deleteing it form the vms that were created with it. deleting the keypair has never implied > > removing the keypair form ths authrised keys in the vm so no assumitions shoudl be made that removing the keypair alther who can log into the vm. > > that is just not part of what the nova api. > > > And since key pairs belong to users and not to projects it is not possible to clean them up in the project cleanup either. > > > > > > Actually from the API pov there is no reasonable way to ever find those (without knowing ID of the deleted user which is logically not known anymore). > > > > > > If there is no cleanup this can in the mid term cause trashing the database (records are small, but still), especially when using ?dynamic? users to perform some actions. > > ya so if we wanted to suprot automatic clean up of user resouce likek keyparis we woudl need a new user-deleted exeternal event in the nova api and > > nova could delete the key pair and any other user (not project) owned api resoruse but i think the key pari is the only example we have today. > > teh vms are owned by the project not the user. > > Right, this is only valid for key pairs. That is precisely the reason why project cleanup is not dealing with that today. > > > > > > > So far I haven?t tried to grep through code basis of Nova to check what is happening, neither tried to check behavior over time, and decided first to ask here whether somebody knows what should be generally happening here, is it a bug or feature? > > > > > this is not a bug its user error. > > I disagree here. There is nothing that blocks you from doing so. User error is i.e. to try to delete something what is still used. Here the user was never said to delete all of the resources, cause same statement is valid to deletion or not deletion of the VM created by the user. You should not be able to delete project if there are resources remaining, and you should not be able to drop user if key pairs exist? And the biggest issue is that once user recognised he did an ?error? - he is not able to fix it. > > My personal opinion is that it is a bug to let user to make error. What is the user supposed to do after he recognised he deleted project without deleting resources first? As admin you have chance to catch resources not belonging to any existing project, but not with key pairs. And how big are the chances you can still do this on a big cloud? As a general observation, one of the many downsides of service-specific quotas (as opposed to keystone-managed "limits") is that if/when a project is deleted in keystone, quotas related to that porject can be left hanging around in various services. 
It's up to the admin to go and clean these up manually, either ahead of time (using the clients) or after the fact (probably via DB, since OSC at least will fail to find the project when looking it up). It sounds like key pairs suffer from a similar issue. Yay, microservices. Stephen > > > nova and all other openstack servces to my knoladge require that you clean up the reosuce used by users or proejct are cleaned up before you remove a > > user/project form keystone. so by violatign that requirement you can nolonger interact with apis that depedn in the delete entitiy and that is expect. > > it woudl be a large cross proejct effort to chagne that. > > > > alternitivly keystoen could prevent the user/project form being deleteed if there are resuouce used by that user/project in other service btu tthat > > woudl also be a cross project effort. > > This feels logical, but most likely not easy to achieve, because otherwise Keystone need to query every service asking whether deletion of this user should be blocked or not. Keystone sending announcement to the services that certain user/project//domain was deleted so that service makes decision what to do with that is easier to achieve, but blocking is really the only way to make user experience correct and avoid creating a mess in a first place. > > > > > for this specific issue we could add a new Admin only api to allow the deletion fo user keypairs btu that woudl be a new feature. > > From the user perspective I would prefer extending list key pairs api with something like ?all users?. Having info like that customer based cleanup can determine all KPs owned by deleted users and drop them. For that, however, some form of tracking to which domain user was belonging (maybe instead of "all_users" add param "user_domain_id") need to be also done. I would like to prevent that only super-duper admin of the cloud can do such cleanup, otherwise in a big public cloud it will become a mess. > > > > > > > Thanks, > > > Artem > > > > > > > From noonedeadpunk at gmail.com Mon Oct 17 09:23:00 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Mon, 17 Oct 2022 11:23:00 +0200 Subject: [openstack-ansible] Meeting on 18th of October 2022 is being cancelled Message-ID: Hello everyone, Due to the PTG week, our regular meeting on Tuesdays will be cancelled on 18.10.2022. At the same time we will have a virtual discussion in Essex room [1]. Hope to see you there instead! [1] https://www.openinfra.dev/ptg/rooms/essex From pdeore at redhat.com Mon Oct 17 10:04:39 2022 From: pdeore at redhat.com (Pranali Deore) Date: Mon, 17 Oct 2022 15:34:39 +0530 Subject: [Glance]Weekly Meeting cancelled for Next 2 Weeks Message-ID: Hello, There will be no weekly meeting *this week* due to PTG sessions and *next week of PTG *as well, as most of the team members will not be around during that week. Next meeting will be directly on Nov 3rd. See you in the PTG !! Thanks, Pranali Deore -------------- next part -------------- An HTML attachment was scrubbed... URL: From ramishra at redhat.com Mon Oct 17 10:12:12 2022 From: ramishra at redhat.com (Rabi Mishra) Date: Mon, 17 Oct 2022 15:42:12 +0530 Subject: [TripleO][PTG]TripleO Antelope PTG schedule and other relevant Information Message-ID: Hi All, As you all would already know, 2023.1(Antelope) PTG will start in a few hours from now. TripleO PTG schedule has been published @ https://etherpad.opendev.org/p/oct2022-ptg-tripleo for your reference. We would have sessions spanning across 2 days i.e. 
17th Oct(Monday) and 18th Oct(Tuesday) from 13:00-17:00 UTC @https://www.openinfra.dev/ptg/rooms/ocata . Hope to see you there. Some other relevant information: - Please register for the event, if you've not already done so @ https://openinfra-ptg.eventbrite.com - PTG Page https://ptg.opendev.org/ptg.html - PTG Bot: https://opendev.org/openstack/ptgbot -- Regards, Rabi Mishra -------------- next part -------------- An HTML attachment was scrubbed... URL: From rdhasman at redhat.com Mon Oct 17 11:31:00 2022 From: rdhasman at redhat.com (Rajat Dhasmana) Date: Mon, 17 Oct 2022 17:01:00 +0530 Subject: [ptg][cinder] Finalized Schedule In-Reply-To: References: Message-ID: Sorry about posting the wrong link. Here is the correct link to the PTG etherpad: https://etherpad.opendev.org/p/antelope-ptg-cinder On Sun, Oct 16, 2022 at 11:45 PM Rajat Dhasmana wrote: > Hello Everyone, > > I've finalized the schedule for cinder PTG[1] based on the topics, number > of hours of PTG and as per the date and time suited to the authors. Please > go through it and let me know if any changes are needed. > > I've also included a *Courtesy Ping* section with each topic so the > people interested in a particular topic will get a ping when it is being > discussed. Please include your IRC nick in front of it if you would like to > be notified. > > The schedule includes a Day wise topic list where, except for monday, > we've PTG from 1300-1700 UTC (where the last hour acts as a buffer time for > extended topic discussions or other planned activities). > > Following are some of the highlight events of each day, > > Monday: > TC + PTL session: 1500-1700 UTC > > Tuesday: > First day of cinder PTG > Operator hour from 1500-1600 UTC > > Wednesday: > Team photo at 1400 UTC (timing could be changed based on the topic > duration before it) > > Thursday: > Drivers Day! > > Friday: > Festival of XS reviews (If we've enough time left) > > [1] https://etherpad.opendev.org/p/zed-ptg-cinder > > Thanks and regards > Rajat Dhasmana > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Luca.Czesla at mail.schwarz Mon Oct 17 09:12:05 2022 From: Luca.Czesla at mail.schwarz (Luca Czesla) Date: Mon, 17 Oct 2022 09:12:05 +0000 Subject: [ovn][neutron] RE: OVN BGP Agent query In-Reply-To: References: Message-ID: Hey Luis, Thanks for your mail. We have now prepared a first draft. In addition to what Ihtisham already wrote, we need the following options: - to run multiple agents per host (container) because we need more than one BGP session, alternatively there would be the option to do it via frr - we need to be able to filter which networks we announce where, for this we used the address scope from Openstack in the past To make this possible we have built it in so that it runs through the address scope. To make the address scope usable in ovn-bgp-agent we also patched Neutron so that the address scope is part of router_gateway and router_interface patch-ports. We also announce the networks behind the routers instead of the VM IPs directly. We added a new driver for this because we don't really need anything from the previous implementation at the moment and we were missing the similarities between the two. Possibly someone has an idea how we could merge this? It would be nice if you could have a first look at it. There is still some work to do like adding tests and making Zuul happy but I think it is useful to discuss this with you as early as possible. 
You can find the merge request here: https://review.opendev.org/c/x/ovn-bgp-agent/+/861581 Best regards, Luca Czesla From: Luis Tomas Bolivar Sent: Monday, October 3, 2022 7:45 AM To: Ihtisham ul Haq Cc: Daniel Alvarez ; Luca Czesla ; Max Andr? Lamprecht ; openstack-discuss Subject: Re: [ovn][neutron] RE: OVN BGP Agent query On Fri, Sep 30, 2022 at 6:20 PM Ihtisham ul Haq > wrote: Hi Luis and Daniel, Please see inline response. > From: Daniel Alvarez Sanchez > > Sent: 29 September 2022 11:37 > Subject: Re: OVN BGP Agent query > > Hi Ihtisham and Luis, > > On Thu, Sep 29, 2022 at 7:42 AM Luis Tomas Bolivar > wrote: > > Some comments and questions inline > > > > On Tue, Sep 27, 2022 at 1:39 PM Ihtisham ul haq > wrote: > > > Hi Luis, > > > > > > Thanks for your work on the OVN BGP Agent. We are planning > > > to use it in our OVN deployment, but have a question regarding it. > > > > Great to hear! Can you share a bit more info about this environment? like > > openstack version, target workload, etc. We plan to use this with Yoga version. Our workload consist of enterprise users with VMs running on Openstack and connected to their enterprise network via transfer network(to which the customer neutron router is attached to). And we also have public workload but with the ovn-bgp we only want to we want to advertise the former. > > > > > The way our current setup with ML2/OVS works is that our customer VM IP routes > > > are announced via the router IP(of the that customer) to the leaf switch instead of > > > the IP of the host where the neutron BGP agent runs. And then even if the > > > router fails over, the IP of the router stays the same and thus the BGP route > > > doesn't need to be updated. > > > > Is this with Neutron Dynamic Routing? When you say Router IP, do you mean the virtual neutron router and its IP associated with the provider network? What type of IPs are you announcing with BGP? IPs on provider network or on tenant networks (or both)? Yes, that's with Neutron DR agent, and I meant virtual neutron router with IP from the provider network. We announce IPs of our tenant network via the virtual routers external address. > > If the router fails over, the route needs to be updated, doesn't it? Same IP, but exposed in the new location of the router? Correct. > The route to the tenant network doesn't change, ie. > 192.168.0.0 via 172.24.4.100 (this route remains the same regardless of where 172.24.4.100 is). > If there's L2 in the 172.24.4.0 network, the new location of 172.24.4.100 will be learnt via GARP announcement. In our case, this won't happen as we don't have L2 so we expose directly connected routes to overcome this "limitation". Right, in our case we have a stretched L2 transfer network(mentioned above) to which our gateway nodes and customer routers are connected to, so we can advertise the IPs from the tenant network via the virtual router external IP and thus the location of the router isn't relevant in case of failover as its address will be relearned. > In the case of Neutron Dynamic Routing, there's no assumption that everything is L3 so GARPs are needed to learn the new location. > > > > We see that the routes are announced by the ovn-bgp-agent via the host IP(GTW) in our > > > switch peers. If that's the case then how do you make sure that during failover > > > of a router, the BGP routes gets updated with the new host IP(where the router > > > failed over to)? > > > > The local FRR running at each node is in charge of exposing the IPs. 
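As a rough illustration of that per-node FRR piece: the agent relies on a very small BGP configuration like the fragment below (ASN and peer address are placeholders) and then adds or removes the relevant IPs locally so that "redistribute connected" advertises or withdraws them:

```
! Illustrative frr.conf fragment only; ASN and neighbor address are placeholders.
router bgp 64999
 neighbor 192.168.100.1 remote-as 64999
 address-family ipv4 unicast
  redistribute connected
  neighbor 192.168.100.1 activate
 exit-address-family
```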
For the IPs on the provider network, the traffic is directly exposed where the VMs are, without having to go through the virtual router, so a router failover won't change the route. > > In the case of VMs on tenant networks, the traffic is exposed on the node where the virtual router gateway port is associated (I suppose this is what you refer to with router IP). In the case of a failover the agent is in charge of making FRR to withdraw the exposed routes on the old node, and re-advertise them on the new router IP location > > > > > Can we accomplish the same route advertisement as our ML2/OVS setup, using the ovn-bgp-agent? > > I think this is technically possible, and perhaps you want to contribute that functionality or even help integrating the agent as a driver of Neutron Dynamic Routing? Sounds good, our plan currently is to add this to the ovn-bgp-agent, so we can announce our tenant routes via virtual routers external address on a stretched L2 network, to make it work with our use case. Great to hear!! Just to make it clear, the ovn-bgp-agent current solution is to expose the tenant VM IPs through the host that has the OVN router gateway port, so for example, if the VM IP (10.0.0.5) is connected to the neutron virtual router, which in turns is connected to your provider network (your transfer network) with IP 172.24.4.10, and hosted in a physical server with IP 192.168.100.100, the route will be exposed as: - 10.0.0.5 nexthop 192.168.100.100 - 172.24.4.10 nexthop 192.168.100.100 As we are using FRR config "redistributed connected". As the traffic to the tenant networks needs to be injected into the OVN overlay through the gateway node hosting that ovn virtual router gateway port (cr-lrp), would it be ok if, besides those route we also advertise? - 10.0.0.5 nexthop 172.24.4.10 Cheers, Luis -- Ihtisham ul Haq Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie hier>. -- LUIS TOM?S BOL?VAR Principal Software Engineer Red Hat Madrid, Spain ltomasbo at redhat.com Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie hier. -------------- next part -------------- An HTML attachment was scrubbed... URL: From saditya at vt.edu Mon Oct 17 10:35:02 2022 From: saditya at vt.edu (Aditya Sathish) Date: Mon, 17 Oct 2022 06:35:02 -0400 Subject: Installing out-of-tree ML2 neutron plugins with kolla-ansible In-Reply-To: References: Message-ID: Hi, My apologies for the unicast email as I wasn't aware of the protocol. I'll be sure to keep it in mind moving forward. Regarding my query, thank you so much, I was able to get my plugin working by following the kolla-build instructions and things seem to have gone my way. Thank you very much! Regards, Aditya. On Mon, Oct 17, 2022, 03:27 Rados?aw Piliszek wrote: > Hi Aditya, > > First of all, please remember to always CC the mailing list so that > other users can benefit from the answers. > > Regarding the question at hand - the same documentation (starting from > the beginning of the page) describes the kolla-build tool, including > the usual way to install it. 
Remember to install the version for your > OpenStack release - the right source of versions is [1]. > The kolla-build tool is the tool to build the images. I assume so far > you have used the prebuilt ones. This time you will have to build your > own because you want to add software inside of them. > You might also be interested in deploying your own local registry. The > simplest way to do so is via [2] but understand it is not > production-ready unless in a strictly isolated network (for other use > cases I generally recommend Harbor [3]). > > [1] https://docs.openstack.org/releasenotes/kolla/ > [2] > https://docs.openstack.org/kolla-ansible/yoga/user/multinode.html#deploy-a-registry > [3] https://goharbor.io/ > > Kind regards, > Radek > -yoctozepto > > On Sun, 16 Oct 2022 at 21:43, Aditya Sathish wrote: > > > > Hi Radek, > > > > This was incredibly helpful. However, I couldn't find where the > kolla-build.conf file is and should I create my own, where I have to add > this. > > > > Regards, > > Aditya. > > > > On Sun, Oct 16, 2022 at 3:10 PM Rados?aw Piliszek < > radoslaw.piliszek at gmail.com> wrote: > >> > >> I believe you want to first install the plugin in the container image. > >> The section on plugins might be of interest to you. [1] > >> > >> [1] > https://docs.openstack.org/kolla/yoga/admin/image-building.html#plugin-functionality > >> > >> Kind regards, > >> Radek > >> -yoctozepto > >> > >> On Sun, 16 Oct 2022 at 20:31, Aditya Sathish wrote: > >> > > >> > Hello, > >> > > >> > I am trying to use an out-of-tree ML2 neutron plugin with OpenStack > with Kolla-Ansible but I am having a hard time figuring out how to go about > it. > >> > > >> > For example, this is my repository for the plugin: > https://github.com/adityasathis/networking-onos. > >> > > >> > I have made changes to the deployment YML files to allow > configuration for this new neutron plugin from the global.yml file. > However, I am not able to figure out how to copy over my plugin files and > install them on the controller node. > >> > > >> > I came across the commit: > https://opendev.org/openstack/kolla-ansible/commit/418cb52767270d85e28a6f3027c561f47b805d9d > which, I think, does what I'm looking to do and so I kept the > networking-onos directory (with the setup.py in it) in the > /etc/kolla/config/neutron/plugins directory. The deploy script is able to > detect the file in the "Checking for ML2 plugins" step however, I'm not > able to copy it anywhere in the "Copying ML2 plugin" step. Am I missing > something? > >> > > >> > Regards, > >> > Aditya. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From smooney at redhat.com Mon Oct 17 12:46:30 2022 From: smooney at redhat.com (Sean Mooney) Date: Mon, 17 Oct 2022 13:46:30 +0100 Subject: Installing out-of-tree ML2 neutron plugins with kolla-ansible In-Reply-To: References: Message-ID: On Mon, 2022-10-17 at 09:26 +0200, Rados?aw Piliszek wrote: > Hi Aditya, > > First of all, please remember to always CC the mailing list so that > other users can benefit from the answers. > > Regarding the question at hand - the same documentation (starting from > the beginning of the page) describes the kolla-build tool, including > the usual way to install it. Remember to install the version for your > OpenStack release - the right source of versions is [1]. > The kolla-build tool is the tool to build the images. I assume so far > you have used the prebuilt ones. 
This time you will have to build your > own because you want to add software inside of them. This is quite outdated as i have not been active in kolla for some time but i wote a template-override for ovs-dpdk isntallation from soruce as a replacment for standard ovs. https://github.com/openstack/kolla/blob/master/contrib/template-override/ovs-dpdk.j2 that shows how to use some of the macros ectra that are avaiable https://github.com/openstack/kolla/blob/master/doc/source/admin/template-override/ovs-dpdk.rst show how to hten use that template-override as part of the image build. as radek noted https://docs.openstack.org/kolla/yoga/admin/image-building.html#plugin-functionality porvides a more eplicit exmaple of how to do this for ml2 plugins. if the kolla core tema was open to it you proably coudl add a template to the contib dir in kolla once created to share with others. there used to be odl examples in the past. > You might also be interested in deploying your own local registry. The > simplest way to do so is via [2] but understand it is not > production-ready unless in a strictly isolated network (for other use > cases I generally recommend Harbor [3]). > > [1] https://docs.openstack.org/releasenotes/kolla/ > [2] https://docs.openstack.org/kolla-ansible/yoga/user/multinode.html#deploy-a-registry > [3] https://goharbor.io/ > > Kind regards, > Radek > -yoctozepto > > On Sun, 16 Oct 2022 at 21:43, Aditya Sathish wrote: > > > > Hi Radek, > > > > This was incredibly helpful. However, I couldn't find where the kolla-build.conf file is and should I create my own, where I have to add this. > > > > Regards, > > Aditya. > > > > On Sun, Oct 16, 2022 at 3:10 PM Rados?aw Piliszek wrote: > > > > > > I believe you want to first install the plugin in the container image. > > > The section on plugins might be of interest to you. [1] > > > > > > [1] https://docs.openstack.org/kolla/yoga/admin/image-building.html#plugin-functionality > > > > > > Kind regards, > > > Radek > > > -yoctozepto > > > > > > On Sun, 16 Oct 2022 at 20:31, Aditya Sathish wrote: > > > > > > > > Hello, > > > > > > > > I am trying to use an out-of-tree ML2 neutron plugin with OpenStack with Kolla-Ansible but I am having a hard time figuring out how to go about it. > > > > > > > > For example, this is my repository for the plugin: https://github.com/adityasathis/networking-onos. > > > > > > > > I have made changes to the deployment YML files to allow configuration for this new neutron plugin from the global.yml file. However, I am not able to figure out how to copy over my plugin files and install them on the controller node. > > > > > > > > I came across the commit: https://opendev.org/openstack/kolla-ansible/commit/418cb52767270d85e28a6f3027c561f47b805d9d which, I think, does what I'm looking to do and so I kept the networking-onos directory (with the setup.py in it) in the /etc/kolla/config/neutron/plugins directory. The deploy script is able to detect the file in the "Checking for ML2 plugins" step however, I'm not able to copy it anywhere in the "Copying ML2 plugin" step. Am I missing something? > > > > > > > > Regards, > > > > Aditya. 
> From sbauza at redhat.com Mon Oct 17 12:53:02 2022 From: sbauza at redhat.com (Sylvain Bauza) Date: Mon, 17 Oct 2022 14:53:02 +0200 Subject: [ptg][nova][placement] Nova/Placement at the PTG, howto Message-ID: Hey stackers, Got some questions about how/when joining the Nova community at the PTG during this week, so I'll provide you a howto ;) *What is the main document for the Nova PTG ?* This : https://etherpad.opendev.org/p/nova-antelope-ptg Please, please, don't try to translate this etherpad directly as you'll see. *I'm an operator and I want to tell you how terrible you folks are* There : https://etherpad.opendev.org/p/oct2022-ptg-operator-hour-nova Again, don't try to translate this document or you'll create problems for people who don't know your language. *When do you folks discuss ?* Monday : 14:00-15:00 UTC Ironic/Nova cross-project session Tuesday : 13:00 - 15:00 UTC Operator hours. If you are an operator, please join us ! :-) 15:00 - 17:00 UTC Nova sessions for contributors 15:10 UTC (possibly) : Nova team photo Wednesday : 13:00 - 16:00 UTC Nova sessions for contributors 16:00 - 17:00 Operator hour. If you are an operator, please join us ! :-) Thursday : 13:00 - 15:00 UTC Neutron/Nova cross-project session 15:00 - 17:00 UTC Nova sessions for contributors Friday : 13:00 - 17:00 UTC Nova sessions for contributors *How to join ?* Simple. You can look at https://ptg.opendev.org/ptg.html if you want so you'll see what topic we are currently discussing. If you want to arrive, just click either on "operator-hour" nova tag or "nova-placement" tag and it will automatically open the Google Meet client for joining the Nova meeting. If you also want, you can directly join us by using this link https://www.openstack.org/ptg/rooms/bexar (we'll use the same virtual room for all our sessions) *What if you can't join the whole days ?* No worries ! Just make sure you use an IRC client and just go to the #openstack-nova channel. Once you're there, add your IRC in the etherpad for every topic you'd like to be around and then I'll ping you when we start discussing for those topics you added your nick. *What if I want to add some topic I'd like to discuss ?* Easy peasy. Two possibilities : - you are a contributor and you want to add a new feature in nova. Just add your topic in the main etherpad (link above). Make sure your name is marked in the topic title (like every other topic) and I'll ping you when we start discussing your topic. - you are an operator and you want to discuss wishlists or bugs or whatever else. Good news, we have specific timeslots for you ! See the agenda above, we have *operator hours* that are intended for operators to join and engage on specific deployment and operational topics. Just then look at https://etherpad.opendev.org/p/oct2022-ptg-operator-hour-nova and add your points, we'll discuss them during the operator hours (given above). Hope you'll find your way and you'll appreciate the PTG as much productive as we do. In any case, my IRC nick is bauzas. Don't hesitate to bug me over IRC (#openstack-dev, #openstack-nova or #openinfra-events) or reach me by email (sbauza at redhat.com), I'll try to answer you as much as I can. HTH and thanks, -Sylvain -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mnasiadka at gmail.com Mon Oct 17 12:59:40 2022 From: mnasiadka at gmail.com (=?utf-8?Q?Micha=C5=82_Nasiadka?=) Date: Mon, 17 Oct 2022 14:59:40 +0200 Subject: [kolla][ptg] Using Meetpad instead of Zoom Message-ID: Hello, If you?re planning on joining the Kolla PTG - please use Meetpad - https://meetpad.opendev.org/kolla-antelope-ptg Sorry for last minute changes Best regards, Michal From jlibosva at redhat.com Mon Oct 17 13:26:26 2022 From: jlibosva at redhat.com (Jakub Libosvar) Date: Mon, 17 Oct 2022 09:26:26 -0400 Subject: [Neutron] Bug Deputy Report Oct 10 - 17 Message-ID: <2b0c1a40-e168-9fa7-5d1b-5fe30cb2ade5@redhat.com> Hi all, I was the bug deputy last week, here is the report. Nothing that requires immediate attention. Medium ------ - [ovn-octavia-provider] Detach OVN-LB LS from the LR breaks OVN-LB connectivity https://bugs.launchpad.net/neutron/+bug/1992363 assigned to Luis Fix proposed: https://review.opendev.org/c/openstack/ovn-octavia-provider/+/860781 - [scale] Setting a gateway on router is killing database https://bugs.launchpad.net/neutron/+bug/1992950 Assigned to Arnaud Morin Fix proposed: https://review.opendev.org/c/openstack/neutron/+/861322 - Disable in-band flow management in the ovs bridges https://bugs.launchpad.net/neutron/+bug/1992953 Assigned to Slawek Fix proposed: https://review.opendev.org/c/openstack/neutron/+/861351 Wishlist ------- - fip will loss when it migrate between dvr-sant agent and dvr_no_external in Rocky https://bugs.launchpad.net/neutron/+bug/1992542 The reported bug uses unsupported configuration dvr_snat agent mode on the compute nodes. Cheers Kuba From openstack at mknet.nl Mon Oct 17 13:44:12 2022 From: openstack at mknet.nl (Marcel) Date: Mon, 17 Oct 2022 15:44:12 +0200 Subject: [swift] upgrade newton to train in containers In-Reply-To: <5ea3efd915cadeecbdfc122990aa20c3@mknet.nl> References: <683435eb7b0602a347a2c38c7a73f373@mknet.nl> <5ea3efd915cadeecbdfc122990aa20c3@mknet.nl> Message-ID: I'm planning an upgrade for our newton based swift cluster (OOO vm based) to a (kolla image based containers) train cluster So far I have tested the upgrade for the proxies, account_servers and container servers and it looks promising. I have in a test environment: - switched to the new proxies with the old ring files and it looks like everything works normally - Added the new (train) account and container servers to the rings and it looks like all is fine - Removed the old account and container servers, still fine - tested fall back, also fine My question actually is: Did the account and container database format change between newton and train in such a way that I might run into troubles trying the upgrade as tested above in ways that I did not yet foresee? Thanks Marcel From rosmaita.fossdev at gmail.com Mon Oct 17 14:41:39 2022 From: rosmaita.fossdev at gmail.com (Brian Rosmaita) Date: Mon, 17 Oct 2022 10:41:39 -0400 Subject: [0SSN-0090] Best practices when configuring Glance with COW backends Message-ID: <004d2b5c-04c1-9ca0-53b7-0cc358ea461c@gmail.com> Best practices when configuring Glance with COW backends --- ### Summary ### When deploying Glance in a popular configuration where Glance shares a common storage backend with Nova and/or Cinder, it is possible to open some known attack vectors by which malicious data modification can occur. This note reviews the known issues and suggests a Glance deployment configuration that can mitigate such attacks. 
### Affected Services / Software ###

Glance, all supported releases (Queens through Zed)

### Discussion ###

This note applies to you if you are operating an end-user-facing glance-api service with the 'show_multiple_locations' option set to True (the default value is False) or if your end-user-facing glance-api has the 'show_image_direct_url' option set to True (default value is False).

Our recommendation is that the image "locations" and "direct_url" fields [0] *never* be displayed to end users in a cloud. This can be accomplished by running two glance-api services:

- A "user-facing" glance-api that is accessible to end users and which appears in users' service catalogs.

- An "internal-only-facing" glance-api that is accessible only to those services that require access to the 'direct_url' or image location fields, and which is protected by firewalls from access by end users. (Nova, Cinder, and Ironic all have configuration options to specify the Glance API endpoint each service uses [1].)

This dual glance-api deployment was suggested in "Known Issues" in Glance release notes in the Rocky [4] through Ussuri releases, but it seems that the idea has not received sufficient attention. Hence this security note.

The attack vector that becomes available when image locations are exposed to end users was originally outlined in OSSN-0065 [2], though that note was not clear about the attack surface or mitigation, and contained some forward-looking statements that were not fulfilled. The attack vector is: [A] malicious user could create an image in Glance, set an additional location on that image pointing to an altered image, then delete the original location, so that consumers of the original image would unwittingly be using the malicious image. Note, however, that this attack vector cannot change the original image's checksum, and it is limited to images that are owned by the attacker.

OSSN-0065 suggests that this is only an issue when users do not checksum their image data. It neglects the fact that in some popular deployment configurations in which Nova creates a root disk snapshot, data is never uploaded to Glance, but instead a snapshot is created directly in the backend and Nova creates a Glance image record with "size" 0 and an empty "os_hash_value" [3], making it impossible to compare the hash of downloaded image data to the value maintained by Glance.

Further, when Nova is configured to use the same storage for ephemeral disks that is used as a Glance image store, Nova efficiently creates a server root disk directly in the backend without checksumming the image data. This is an intentional design choice to optimize storage space and host resources, but an implication is that even if the image record has a recorded hash, it is not being checked at the point of image consumption. Similarly, when using a shared backend, or a cinder glance_store, Cinder will efficiently clone a volume created from an image directly in the backend without checksumming the image data. Again, this is done intentionally in order to optimize resources, but it is important to be aware of the security tradeoff being made by this configuration. In other words, if the image data is not going to be checked at the point of image consumption, then extra care needs to be taken to ensure the integrity of the data path.

OSSN-0065 suggested that the attack vector of substituting image data by modifying the image locations could be addressed by using policies, but that has turned out not to be the case.
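To make the dual-deployment recommendation above concrete, the consuming services simply need to be pointed at the internal-only endpoint. A minimal sketch (the endpoint URL is an assumption; reference [1] below gives the authoritative option names):

  # nova.conf (and ironic.conf), per [1]
  [glance]
  endpoint_override = http://glance-internal.example.org:9292

  # cinder.conf, per [1]
  [DEFAULT]
  glance_api_servers = http://glance-internal.example.org:9292

  # glance-api.conf for the internal-only-facing service
  [DEFAULT]
  show_multiple_locations = True

  # glance-api.conf for the end-user-facing service (the default)
  [DEFAULT]
  show_multiple_locations = False

In addition, the internal endpoint must be firewalled so that only the OpenStack services themselves, and not end users, can reach it.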
The only way currently to mitigate this vector is to deploy glance-api in a dual configuration as described above, namely with an internal-only-facing glance-api used by Nova and Cinder (that has show_multiple_locations enabled), and an end-user-facing glance-api (that has show_multiple_locations disabled).

So far the focus has been on 'show_multiple_locations'. When that setting is disabled in Glance, it is not possible to manipulate the locations via the OpenStack Images API. Keep in mind, however, that in any Glance/Nova/Cinder configuration where Nova and/or Cinder do copy-on-write directly in the image store, image data transfer takes place outside Glance's image data download path, and hence the os_hash_value is *not* checked. Thus, if the backend store is itself compromised and image data is replaced directly in the backend, the substitution will *not* be detected.

This brings us to the 'show_image_direct_url' option, which includes a "direct_url" field in the image-show response that can be used by various OpenStack services to consume images directly from the storage backend. Exposing the 'direct_url' to end users leaks information about the storage backend. What exactly that information consists of depends upon the backend in use and how it is configured, but in general, it is not a good idea to provide hints that could be useful to malicious actors in their attempts to compromise the backend storage by some type of independent exploit. The 'direct_url', being read-only, may appear innocuous, but its use by services is usually to perform some kind of optimized image data access that most likely does not include computing a hash of the image data. We therefore recommend that OpenStack services that require exposure of the 'direct_url' image property be similarly configured to use an internal-only-facing glance-api.

It is worth noting that end users who wish to download an image do not require access to the 'direct_url' image property because they can simply use the image-data-download API call [5].

### Recommended Actions ###

A glance-api service with 'show_multiple_locations' enabled should *never* be exposed directly to end users. This setting should only be enabled on an internal-only-facing glance-api that is used by OpenStack services that require access to image locations. This could be done, for example, by running two glance-api services with different configuration files and using the appropriate configuration options for each service to specify the Image API endpoint to access, and making sure the special internal endpoint is firewalled in such a way that only the appropriate OpenStack services can contact it.

Similarly, enabling 'show_image_direct_url' exposes information about the storage backend that could be of use to malicious actors in as yet unknown exploits, so it should likewise only be enabled on an internal-only-facing glance-api.

### Notes / References ###

[0] https://docs.openstack.org/api-ref/image/v2/index.html#show-image-schema
[1] Nova and Ironic use 'endpoint_override' in the '[glance]' section of the configuration file; Cinder uses 'glance_api_servers' in the '[DEFAULT]' section.
[2] OSSN-0065: https://wiki.openstack.org/wiki/OSSN/OSSN-0065
[3] The Glance "multihash" metadata pair of 'os_hash_algo' and 'os_hash_value' were introduced in Rocky to replace the legacy md5 'checksum' field. The python-glanceclient has used multihash checksumming for download verification since version 2.13.0.
[4] https://docs.openstack.org/releasenotes/glance/rocky.html#known-issues [5] https://docs.openstack.org/api-ref/image/v2/index.html?#download-binary-image-data ### Contacts / References ### Author: Brian Rosmaita, Red Hat This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0090 Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1990157 Mailing List : [Security] tag on openstack-discuss at lists.openstack.org OpenStack Security Project : https://launchpad.net/~openstack-ossg CVE: none -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0xE834C62762D8856C.asc Type: application/pgp-keys Size: 677 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature Type: application/pgp-signature Size: 236 bytes Desc: OpenPGP digital signature URL: From gagehugo at gmail.com Mon Oct 17 14:49:40 2022 From: gagehugo at gmail.com (Gage Hugo) Date: Mon, 17 Oct 2022 09:49:40 -0500 Subject: [openstack-helm] No Weekly IRC Meeting - PTG Message-ID: Hey team, This week is the PTG so the weekly IRC meeting is cancelled. We will be meeting for an hour at the same time slot for our PTG session: https://ptg.opendev.org/ptg.html -------------- next part -------------- An HTML attachment was scrubbed... URL: From elod.illes at est.tech Mon Oct 17 15:11:00 2022 From: elod.illes at est.tech (=?UTF-8?B?RWzFkWQgSWxsw6lz?=) Date: Mon, 17 Oct 2022 17:11:00 +0200 Subject: [release] Release countdown for week R-22, Oct 17 - 21 Message-ID: <6c2a927e-e60d-0996-6874-a50d59835ddf@est.tech> Hi, Welcome back to the release countdown emails! These will be sent at major points in the 2023.1 Antelope development cycle, which should conclude with a final release on March 22nd, 2023. Development Focus ----------------- At this stage in the release cycle, focus should be on planning the 2023.1 Antelope development cycle, assessing 2023.1 Antelope community goals and approving 2023.1 Antelope specs. General Information ------------------- 2023.1 Antelope is a 24 weeks long development cycle. In case you haven't seen it yet, please take a look over the schedule for this release: https://releases.openstack.org/antelope/schedule.html By default, the team PTL is responsible for handling the release cycle and approving release requests. This task can (and probably should) be delegated to release liaisons. Now is a good time to review release liaison information for your team and make sure it is up to date: https://opendev.org/openstack/releases/src/branch/master/data/release_liaisons.yaml By default, all your team deliverables from the Zed release are continued in 2023.1 Antelope with a similar release model. Upcoming Deadlines & Dates -------------------------- Virtual PTG: October 17-21, 2022 Antelope-1 milestone: November 17th, 2022 El?d Ill?s irc: elodilles @ #openstack-release From ces.eduardo98 at gmail.com Mon Oct 17 15:41:14 2022 From: ces.eduardo98 at gmail.com (Carlos Silva) Date: Mon, 17 Oct 2022 12:41:14 -0300 Subject: [manila] Cancelling two weekly meetings Message-ID: Hello, Zorillas! As agreed in the previous week, we will be cancelling the next two weekly meetings: from this week (Oct 20th) and next week (Oct 27th). The next weekly meeting for Manila will be on Nov 3rd. Thank you, carloss -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mnasiadka at gmail.com Mon Oct 17 16:18:18 2022 From: mnasiadka at gmail.com (=?utf-8?Q?Micha=C5=82_Nasiadka?=) Date: Mon, 17 Oct 2022 18:18:18 +0200 Subject: [kolla][ptg] Meetings on Tuesday 18th Oct Message-ID: <578AAFB0-2F63-48A3-AB81-AC65F57A8028@gmail.com> Hello Koalas, Due to exhaustion of topics - we?re meeting tomorrow only on the Kolla Operator Hour at 16 UTC. Kolla Operator Hour Etherpad: https://etherpad.opendev.org/p/oct2022-ptg-operator-hour-kolla Best regards, Michal Nasiadka From p.aminian.server at gmail.com Mon Oct 17 17:15:10 2022 From: p.aminian.server at gmail.com (Parsa Aminian) Date: Mon, 17 Oct 2022 20:45:10 +0330 Subject: single Network interface Message-ID: Hello I use kolla ansible wallaby version . my compute node has only one port . is it possible to use this server ? as I know openstack compute need 2 port one for management and other for external user network . Im using provider_networks and it seems neutron_external_interface could not be the same as network_interface because openvswitch need to create br-ex bridge on separate port is there any solution that i can config my compute with 1 port ? -------------- next part -------------- An HTML attachment was scrubbed... URL: From allison at openinfra.dev Mon Oct 17 19:04:37 2022 From: allison at openinfra.dev (Allison Price) Date: Mon, 17 Oct 2022 14:04:37 -0500 Subject: [ptls][tc] 2022 OpenStack User Survey Project Question Responses In-Reply-To: <236718A0-249C-42D6-ABB8-AE65C5BFA6A6@openinfra.dev> References: <236718A0-249C-42D6-ABB8-AE65C5BFA6A6@openinfra.dev> Message-ID: <97B264A9-24D3-4E7E-BAB1-34E7EA458B87@openinfra.dev> Hi everyone, As a reminder, please use your PTG sessions this week to discuss any updates your team would like to make to your OpenStack User Survey [1] questions. Once you have your updates final, please respond and cc Josh Lohse. He is the Web Manager at the OpenInfra Foundation and can answer any questions you have around the functionality options for the survey. He will work with me to make the updates requested to the 2023 survey. Thanks, Allison [1] https://www.openstack.org/usersurvey > On Oct 13, 2022, at 12:37 PM, Allison Price wrote: > > Hi everyone, > > Please find attached the responses to the project questions from the 2022 OpenStack User Survey. Based on feedback last year, I included additional, non-identifiable information that will hopefully help provident deployment context for the responses to your questions. If you need a reminder of your project question, you can review the OpenStack User Survey [1]. During the PTG, I would encourage you and your teams to review the responses and decide if you would like to make any changes to your question for the 2023 OpenStack User Survey. It is live now, but we can make changes ahead of significant promotion. Please reach out to me directly with any changes. > > If you have any questions on how to read the results, please let me know. > > Have a great week at the PTG! > > Cheers, > Allison > > [1] https://www.openstack.org/usersurvey > > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From dwilde at redhat.com Mon Oct 17 23:59:52 2022 From: dwilde at redhat.com (Dave Wilde) Date: Mon, 17 Oct 2022 18:59:52 -0500 Subject: [keystone] Cancelling weekly meeting for 10/18/22 Message-ID: <77bb3cdd-8777-d13c-44d6-bfe99e634e19@redhat.com> Cancelling due to the PTG From yasufum.o at gmail.com Tue Oct 18 02:42:24 2022 From: yasufum.o at gmail.com (Yasufumi Ogawa) Date: Tue, 18 Oct 2022 11:42:24 +0900 Subject: [tacker] Cancelling IRC meeting on Oct 18 Message-ID: <47f9223b-f0ab-5b60-7500-68567044574a@gmail.com> Hi team, Since we're going to have the vPTG session, I'd like to cancel IRC meeting today. Thanks, Yasufumi From mnasiadka at gmail.com Tue Oct 18 06:03:39 2022 From: mnasiadka at gmail.com (=?utf-8?Q?Micha=C5=82_Nasiadka?=) Date: Tue, 18 Oct 2022 08:03:39 +0200 Subject: [kolla] Weekly meeting 20th Oct 2022 Message-ID: <38AB80BD-ED46-44C3-AD07-DDFA1F91DC43@gmail.com> Hello, Since this is PTG week - this week meeting is cancelled. Best regards, Michal From rdhasman at redhat.com Tue Oct 18 07:39:12 2022 From: rdhasman at redhat.com (Rajat Dhasmana) Date: Tue, 18 Oct 2022 13:09:12 +0530 Subject: [cinder] cancelling this week's meeting (19 Oct) Message-ID: Hello Argonauts, Since we've PTG this week, we will not be conducting the weekly meeting on 19th Oct 2022 but everyone is recommended to attend the PTG instead[1]. See you all at the PTG! [1] https://etherpad.opendev.org/p/antelope-ptg-cinder Thanks and regards Rajat Dhasmana -------------- next part -------------- An HTML attachment was scrubbed... URL: From ltomasbo at redhat.com Tue Oct 18 07:53:58 2022 From: ltomasbo at redhat.com (Luis Tomas Bolivar) Date: Tue, 18 Oct 2022 09:53:58 +0200 Subject: [ovn][neutron] RE: OVN BGP Agent query In-Reply-To: References: Message-ID: Hello Luca! Awesome patch! See some comments below, though I'll also add some more details on the gerrit side On Mon, Oct 17, 2022 at 11:12 AM Luca Czesla wrote: > Hey Luis, > > > > Thanks for your mail. > > > > We have now prepared a first draft. In addition to what Ihtisham already > wrote, we need the following options: > > - to run multiple agents per host (container) because we need more than > one BGP session, alternatively there would be the option to do it via frr > Nice, this could actually be splitted from the patch into a different one, as it is kind of independent of the new driver, and can be used for other use cases (and merge it almost right away) > - we need to be able to filter which networks we announce where, for this > we used the address scope from Openstack in the past > > > To make this possible we have built it in so that it runs through the > address scope. To make the address scope usable in ovn-bgp-agent we also > patched Neutron so that the address scope is part of router_gateway and > router_interface patch-ports. We also announce the networks behind the > routers instead of the VM IPs directly. > We actually play with something similar to be able to have a simple/initial API here: https://review.opendev.org/c/openstack/neutron/+/797087 (idea was to use port tags instead) Do you have a link to the modifications to enable this in the neutron side? > > > We added a new driver for this because we don't really need anything from > the previous implementation at the moment and we were missing the > similarities between the two. Possibly someone has an idea how we could > merge this? > Is the new expose_router_port/withdraw_router_port similar to the previous expose_subnet/withdraw_subnet? 
Perhaps we just need a different implementation of those? I was actually playing (after initial discussion with Ihtisha) for options to not only expose VM_IP via HOST_IP, but doing it VM_IP though OVN_GATEWAY_PORT_IP, and then GATEWAY_PORT_IP via HOST_IP. I was playing with "redistribute static" instead of "redistributed kernel" + IP routes (I think I like your approach better). My idea was to have the existing driver with an option to state if the env is pure L3 (the current support) or L2 (where you work is needed). That is another option to explore, but open to having completely different drivers, as it also makes a lot of sense. > > > It would be nice if you could have a first look at it. > > > > There is still some work to do like adding tests and making Zuul happy but > I think it is useful to discuss this with you as early as possible. > Yeah, no problem, we'll make zull happy after the initial design/idea is discussed. Don't need to waste time on that at this moment > > > You can find the merge request here: > https://review.opendev.org/c/x/ovn-bgp-agent/+/861581 > Thanks! I'll leave some more detailed review in there There is one more general question on that patch. Isn't that exposing the routes in all the nodes where the agent is running instead of where the actual ovn router gateway port is attached? Don't you need to check is the node where you can actually inject the traffic to OVN overlay? Or you are assuming everything is L2 at that point, and it does not matter everyone expose the route as at the end of the day, only the node with the ovn gateway router port will reply to ARPs > > Best regards, > > Luca Czesla > > > > *From:* Luis Tomas Bolivar > *Sent:* Monday, October 3, 2022 7:45 AM > *To:* Ihtisham ul Haq > *Cc:* Daniel Alvarez ; Luca Czesla > ; Max Andr? Lamprecht > ; openstack-discuss < > openstack-discuss at lists.openstack.org> > *Subject:* Re: [ovn][neutron] RE: OVN BGP Agent query > > > > > > > > On Fri, Sep 30, 2022 at 6:20 PM Ihtisham ul Haq < > Ihtisham.ul_Haq at mail.schwarz> wrote: > > Hi Luis and Daniel, > > Please see inline response. > > > From: Daniel Alvarez Sanchez > > Sent: 29 September 2022 11:37 > > Subject: Re: OVN BGP Agent query > > > > Hi Ihtisham and Luis, > > > > On Thu, Sep 29, 2022 at 7:42 AM Luis Tomas Bolivar > wrote: > > > Some comments and questions inline > > > > > > On Tue, Sep 27, 2022 at 1:39 PM Ihtisham ul haq < > ihtisham.uh at hotmail.com> wrote: > > > > Hi Luis, > > > > > > > > Thanks for your work on the OVN BGP Agent. We are planning > > > > to use it in our OVN deployment, but have a question regarding it. > > > > > > Great to hear! Can you share a bit more info about this environment? > like > > > openstack version, target workload, etc. > > We plan to use this with Yoga version. Our workload consist of enterprise > users > with VMs running on Openstack and connected to their enterprise network via > transfer network(to which the customer neutron router is attached to). > And we also have public workload but with the ovn-bgp we only want to > we want to advertise the former. > > > > > > > > The way our current setup with ML2/OVS works is that our customer VM > IP routes > > > > are announced via the router IP(of the that customer) to the leaf > switch instead of > > > > the IP of the host where the neutron BGP agent runs. And then even > if the > > > > router fails over, the IP of the router stays the same and thus the > BGP route > > > > doesn't need to be updated. > > > > > > Is this with Neutron Dynamic Routing? 
When you say Router IP, do you > mean the virtual neutron router and its IP associated with the provider > network? What type of IPs are you announcing with BGP? IPs on provider > network or on tenant networks (or both)? > > Yes, that's with Neutron DR agent, and I meant virtual neutron router with > IP from the provider network. We announce IPs of our tenant network via the > virtual routers external address. > > > > If the router fails over, the route needs to be updated, doesn't it? > Same IP, but exposed in the new location of the router? > > Correct. > > > The route to the tenant network doesn't change, ie. > > 192.168.0.0 via 172.24.4.100 (this route remains the same regardless of > where 172.24.4.100 is). > > If there's L2 in the 172.24.4.0 network, the new location of > 172.24.4.100 will be learnt via GARP announcement. In our case, this won't > happen as we don't have L2 so we expose directly connected routes to > overcome this "limitation". > > Right, in our case we have a stretched L2 transfer network(mentioned above) > to which our gateway nodes and customer routers are connected to, so we can > advertise the IPs from the tenant network via the virtual router external > IP > and thus the location of the router isn't relevant in case of failover as > its > address will be relearned. > > > In the case of Neutron Dynamic Routing, there's no assumption that > everything is L3 so GARPs are needed to learn the new location. > > > > > > We see that the routes are announced by the ovn-bgp-agent via the > host IP(GTW) in our > > > > switch peers. If that's the case then how do you make sure that > during failover > > > > of a router, the BGP routes gets updated with the new host IP(where > the router > > > > failed over to)? > > > > > > The local FRR running at each node is in charge of exposing the IPs. > For the IPs on the provider network, the traffic is directly exposed where > the VMs are, without having to go through the virtual router, so a router > failover won't change the route. > > > In the case of VMs on tenant networks, the traffic is exposed on the > node where the virtual router gateway port is associated (I suppose this is > what you refer to with router IP). In the case of a failover the agent is > in charge of making FRR to withdraw the exposed routes on the old node, and > re-advertise them on the new router IP location > > > > > > > Can we accomplish the same route advertisement as our ML2/OVS setup, > using the ovn-bgp-agent? > > > > I think this is technically possible, and perhaps you want to contribute > that functionality or even help integrating the agent as a driver of > Neutron Dynamic Routing? > > Sounds good, our plan currently is to add this to the ovn-bgp-agent, > so we can announce our tenant routes via virtual routers external address > on > a stretched L2 network, to make it work with our use case. > > > > Great to hear!! > > > > Just to make it clear, the ovn-bgp-agent current solution is to expose the > tenant VM IPs through the host that has the OVN router gateway port, so for > example, if the VM IP (10.0.0.5) is connected to the neutron virtual > router, which in turns is connected to your provider network (your transfer > network) with IP 172.24.4.10, and hosted in a physical server with IP > 192.168.100.100, the route will be exposed as: > > - 10.0.0.5 nexthop 192.168.100.100 > > - 172.24.4.10 nexthop 192.168.100.100 > > > > As we are using FRR config "redistributed connected". 
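(For context, the "redistribute connected" setting mentioned here corresponds to an FRR BGP stanza along these lines; a minimal sketch with an assumed private ASN:

  router bgp 64999
   address-family ipv4 unicast
    redistribute connected
   exit-address-family

so whatever addresses the agent configures locally on the node are picked up by the local FRR instance and advertised to its BGP peers.)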
As the traffic to > the tenant networks needs to be injected into the OVN overlay through the > gateway node hosting that ovn virtual router gateway port (cr-lrp), would > it be ok if, besides those route we also advertise? > > - 10.0.0.5 nexthop 172.24.4.10 > > > > Cheers, > > Luis > > > > > > > > > > > > > > > > -- > Ihtisham ul Haq > Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r > die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht > der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich > in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie > hier > >. > > > > -- > > LUIS TOM?S BOL?VAR > Principal Software Engineer > Red Hat > Madrid, Spain > ltomasbo at redhat.com > > > Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r > die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht > der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich > in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie > hier . > -- LUIS TOM?S BOL?VAR Principal Software Engineer Red Hat Madrid, Spain ltomasbo at redhat.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From mnasiadka at gmail.com Tue Oct 18 10:38:32 2022 From: mnasiadka at gmail.com (=?utf-8?Q?Micha=C5=82_Nasiadka?=) Date: Tue, 18 Oct 2022 12:38:32 +0200 Subject: [kolla] Monasca removal, Kafka and Zookeeper deprecation/removal Message-ID: Hello, As Kolla/Kolla-Ansible projects are implementing switch to OpenSearch - it became obvious to remove Elasticsearch (which is EOL in Kolla-provided version) and orchestrate a direct upgrade into OpenSearch. Part of this work is removal of elasticsearch and log stash Kolla container images and elasticsearch role in Kolla-Ansible. Since Monasca is relying on Elasticsearch and Logstash - and there are no contributors willing to make it work with OpenSearch inside Kolla/Kolla-Ansible - we decided to drop Monasca support in Zed release (especially that the CI jobs have been long failing). One of the Monasca dependencies is Kafka (and ZooKeeper) - is there anybody using it outside of Monasca deployment in Kolla/Kolla-Ansible? If in 4 weeks there will be no answers to this question - we will also remove Kafka and ZooKeeper container images in Kolla (and their respective roles in Kolla-Ansible). Thanks Michal From nguyenhuukhoinw at gmail.com Tue Oct 18 00:19:36 2022 From: nguyenhuukhoinw at gmail.com (=?UTF-8?B?Tmd1eeG7hW4gSOG7r3UgS2jDtGk=?=) Date: Tue, 18 Oct 2022 07:19:36 +0700 Subject: Openstack cluster cannot create instances when 1 of 3 rabbitmq cluster node down Message-ID: Description =========== I set up 3 controllers and 3 compute nodes. My system cannot work well when 1 rabbit node in cluster rabbitmq is down, cannot launch instances. It stucked at scheduling. Steps to reproduce =========== Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// * Reboot 1 of 3 rabbitmq node. * Create instances then it stucked at scheduling. Workaround =========== Point to rabbitmq VIP address. But We cannot share the load with this solution. Please give me some suggestions. Thank you very much. I did google and enabled system log's debug but I still cannot understand why. Nguyen Huu Khoi -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From eblock at nde.ag Tue Oct 18 13:35:49 2022 From: eblock at nde.ag (Eugen Block) Date: Tue, 18 Oct 2022 13:35:49 +0000 Subject: Openstack cluster cannot create instances when 1 of 3 rabbitmq cluster node down In-Reply-To: Message-ID: <20221018133549.Horde.J0szHtAQhBKfnfurK84DswO@webmail.nde.ag> Are the remaining two nodes still member of a cluster? Can you share 'rabbitmqctl cluster_status' from both nodes while the third is down? How did you deploy openstack? Zitat von Nguy?n H?u Kh?i : > Description > =========== > I set up 3 controllers and 3 compute nodes. My system cannot work well when > 1 rabbit node in cluster rabbitmq is down, cannot launch instances. It > stucked at scheduling. > > Steps to reproduce > =========== > Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// > * Reboot 1 of 3 rabbitmq node. > * Create instances then it stucked at scheduling. > > Workaround > =========== > Point to rabbitmq VIP address. But We cannot share the load with this > solution. Please give me some suggestions. Thank you very much. > I did google and enabled system log's debug but I still cannot understand > why. > > Nguyen Huu Khoi From noonedeadpunk at gmail.com Tue Oct 18 15:22:29 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Tue, 18 Oct 2022 17:22:29 +0200 Subject: Openstack cluster cannot create instances when 1 of 3 rabbitmq cluster node down In-Reply-To: <20221018133549.Horde.J0szHtAQhBKfnfurK84DswO@webmail.nde.ag> References: <20221018133549.Horde.J0szHtAQhBKfnfurK84DswO@webmail.nde.ag> Message-ID: I have faced that with quite old rabbitmq versions, like 3.7 As a workaround ha_queues worked nicely for me: https://www.rabbitmq.com/ha.html#mirroring-arguments ??, 18 ???. 2022 ?., 15:45 Eugen Block : > Are the remaining two nodes still member of a cluster? Can you share > 'rabbitmqctl cluster_status' from both nodes while the third is down? > How did you deploy openstack? > > Zitat von Nguy?n H?u Kh?i : > > > Description > > =========== > > I set up 3 controllers and 3 compute nodes. My system cannot work well > when > > 1 rabbit node in cluster rabbitmq is down, cannot launch instances. It > > stucked at scheduling. > > > > Steps to reproduce > > =========== > > Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// > > * Reboot 1 of 3 rabbitmq node. > > * Create instances then it stucked at scheduling. > > > > Workaround > > =========== > > Point to rabbitmq VIP address. But We cannot share the load with this > > solution. Please give me some suggestions. Thank you very much. > > I did google and enabled system log's debug but I still cannot understand > > why. > > > > Nguyen Huu Khoi > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Luca.Czesla at mail.schwarz Tue Oct 18 15:06:06 2022 From: Luca.Czesla at mail.schwarz (Luca Czesla) Date: Tue, 18 Oct 2022 15:06:06 +0000 Subject: [ovn][neutron] RE: OVN BGP Agent query In-Reply-To: References: Message-ID: Hey Luis, thanks a lot for the great feedback. See inline reply please. Best regards, Luca Czesla From: Luis Tomas Bolivar Sent: Tuesday, October 18, 2022 9:54 AM To: Luca Czesla Cc: Daniel Alvarez ; Max Andr? Lamprecht ; openstack-discuss ; Ihtisham ul Haq Subject: Re: [ovn][neutron] RE: OVN BGP Agent query Hello Luca! Awesome patch! See some comments below, though I'll also add some more details on the gerrit side On Mon, Oct 17, 2022 at 11:12 AM Luca Czesla > wrote: Hey Luis, Thanks for your mail. We have now prepared a first draft. 
In addition to what Ihtisham already wrote, we need the following options: - to run multiple agents per host (container) because we need more than one BGP session, alternatively there would be the option to do it via frr Nice, this could actually be splitted from the patch into a different one, as it is kind of independent of the new driver, and can be used for other use cases (and merge it almost right away) Good idea. I opened a separate merge request here: https://review.opendev.org/c/x/ovn-bgp-agent/+/861749 - we need to be able to filter which networks we announce where, for this we used the address scope from Openstack in the past To make this possible we have built it in so that it runs through the address scope. To make the address scope usable in ovn-bgp-agent we also patched Neutron so that the address scope is part of router_gateway and router_interface patch-ports. We also announce the networks behind the routers instead of the VM IPs directly. We actually play with something similar to be able to have a simple/initial API here: https://review.opendev.org/c/openstack/neutron/+/797087 (idea was to use port tags instead) Do you have a link to the modifications to enable this in the neutron side? I just opened the MR at Neutron. It's pretty much what you do with the port_tags as well. You can find it here: https://review.opendev.org/c/openstack/neutron/+/861719 Is there an advantage of using "port_tags" at this point, or is that simply a catch-all term for metadata? I am fine with both solutions and have no preferences there. We added a new driver for this because we don't really need anything from the previous implementation at the moment and we were missing the similarities between the two. Possibly someone has an idea how we could merge this? Is the new expose_router_port/withdraw_router_port similar to the previous expose_subnet/withdraw_subnet? Perhaps we just need a different implementation of those? I am not sure if it is the right way. I had problems for example with the withdraw_subnet that I could not get the corresponding router port from the lrp port because it was already deleted, so I was missing the reference to the address scope. So if you have a better way to get to the target, I will gladly accept it. The function is similar only that I didn't want to use the lrp ports for the reason above and we need the update event since initial row.mac is unknown and will only be set to router with the next revision number. I am not sure how we could merge this but I am of course open for ideas. Another idea would be to have another separate watcher that implements only these two events. Maybe that would be the cleanest way? I was actually playing (after initial discussion with Ihtisha) for options to not only expose VM_IP via HOST_IP, but doing it VM_IP though OVN_GATEWAY_PORT_IP, and then GATEWAY_PORT_IP via HOST_IP. I was playing with "redistribute static" instead of "redistributed kernel" + IP routes (I think I like your approach better). My idea was to have the existing driver with an option to state if the env is pure L3 (the current support) or L2 (where you work is needed). That is another option to explore, but open to having completely different drivers, as it also makes a lot of sense. It would be nice if you could have a first look at it. There is still some work to do like adding tests and making Zuul happy but I think it is useful to discuss this with you as early as possible. Yeah, no problem, we'll make zull happy after the initial design/idea is discussed. 
Don't need to waste time on that at this moment You can find the merge request here: https://review.opendev.org/c/x/ovn-bgp-agent/+/861581 Thanks! I'll leave some more detailed review in there Thank you very much. I will try to work on it tomorrow. There is one more general question on that patch. Isn't that exposing the routes in all the nodes where the agent is running instead of where the actual ovn router gateway port is attached? Don't you need to check is the node where you can actually inject the traffic to OVN overlay? Or you are assuming everything is L2 at that point, and it does not matter everyone expose the route as at the end of the day, only the node with the ovn gateway router port will reply to ARPs Yes exactly, we assume that the respective router IPs/Networks are properly filtered via the address scope and that the BGP peers are in the same L2 network as the provider network of the routers. The patch is really only about announcing the tenant networks via the correct router IP. We are not interested in where this IP is located, this task can be done by ARP in the respective L2 network. So everything can be routed locally in the L2 via ARP lookups and every BGP agent that has a foot in the network can announce the networks identically. So in the end we have N times the same route which only differ from whom it was received. Announcing the complete networks makes sense for us as we have less BGP updates and the routers can drop the traffic. The advantage of this is that L3 failover is instant, since no new BGP route needs to be announced. The switching of the router IP to another gateway/chassis is then done by OVN using GARP. Best regards, Luca Czesla From: Luis Tomas Bolivar > Sent: Monday, October 3, 2022 7:45 AM To: Ihtisham ul Haq > Cc: Daniel Alvarez >; Luca Czesla >; Max Andr? Lamprecht >; openstack-discuss > Subject: Re: [ovn][neutron] RE: OVN BGP Agent query On Fri, Sep 30, 2022 at 6:20 PM Ihtisham ul Haq > wrote: Hi Luis and Daniel, Please see inline response. > From: Daniel Alvarez Sanchez > > Sent: 29 September 2022 11:37 > Subject: Re: OVN BGP Agent query > > Hi Ihtisham and Luis, > > On Thu, Sep 29, 2022 at 7:42 AM Luis Tomas Bolivar > wrote: > > Some comments and questions inline > > > > On Tue, Sep 27, 2022 at 1:39 PM Ihtisham ul haq > wrote: > > > Hi Luis, > > > > > > Thanks for your work on the OVN BGP Agent. We are planning > > > to use it in our OVN deployment, but have a question regarding it. > > > > Great to hear! Can you share a bit more info about this environment? like > > openstack version, target workload, etc. We plan to use this with Yoga version. Our workload consist of enterprise users with VMs running on Openstack and connected to their enterprise network via transfer network(to which the customer neutron router is attached to). And we also have public workload but with the ovn-bgp we only want to we want to advertise the former. > > > > > The way our current setup with ML2/OVS works is that our customer VM IP routes > > > are announced via the router IP(of the that customer) to the leaf switch instead of > > > the IP of the host where the neutron BGP agent runs. And then even if the > > > router fails over, the IP of the router stays the same and thus the BGP route > > > doesn't need to be updated. > > > > Is this with Neutron Dynamic Routing? When you say Router IP, do you mean the virtual neutron router and its IP associated with the provider network? What type of IPs are you announcing with BGP? 
IPs on provider network or on tenant networks (or both)? Yes, that's with Neutron DR agent, and I meant virtual neutron router with IP from the provider network. We announce IPs of our tenant network via the virtual routers external address. > > If the router fails over, the route needs to be updated, doesn't it? Same IP, but exposed in the new location of the router? Correct. > The route to the tenant network doesn't change, ie. > 192.168.0.0 via 172.24.4.100 (this route remains the same regardless of where 172.24.4.100 is). > If there's L2 in the 172.24.4.0 network, the new location of 172.24.4.100 will be learnt via GARP announcement. In our case, this won't happen as we don't have L2 so we expose directly connected routes to overcome this "limitation". Right, in our case we have a stretched L2 transfer network(mentioned above) to which our gateway nodes and customer routers are connected to, so we can advertise the IPs from the tenant network via the virtual router external IP and thus the location of the router isn't relevant in case of failover as its address will be relearned. > In the case of Neutron Dynamic Routing, there's no assumption that everything is L3 so GARPs are needed to learn the new location. > > > > We see that the routes are announced by the ovn-bgp-agent via the host IP(GTW) in our > > > switch peers. If that's the case then how do you make sure that during failover > > > of a router, the BGP routes gets updated with the new host IP(where the router > > > failed over to)? > > > > The local FRR running at each node is in charge of exposing the IPs. For the IPs on the provider network, the traffic is directly exposed where the VMs are, without having to go through the virtual router, so a router failover won't change the route. > > In the case of VMs on tenant networks, the traffic is exposed on the node where the virtual router gateway port is associated (I suppose this is what you refer to with router IP). In the case of a failover the agent is in charge of making FRR to withdraw the exposed routes on the old node, and re-advertise them on the new router IP location > > > > > Can we accomplish the same route advertisement as our ML2/OVS setup, using the ovn-bgp-agent? > > I think this is technically possible, and perhaps you want to contribute that functionality or even help integrating the agent as a driver of Neutron Dynamic Routing? Sounds good, our plan currently is to add this to the ovn-bgp-agent, so we can announce our tenant routes via virtual routers external address on a stretched L2 network, to make it work with our use case. Great to hear!! Just to make it clear, the ovn-bgp-agent current solution is to expose the tenant VM IPs through the host that has the OVN router gateway port, so for example, if the VM IP (10.0.0.5) is connected to the neutron virtual router, which in turns is connected to your provider network (your transfer network) with IP 172.24.4.10, and hosted in a physical server with IP 192.168.100.100, the route will be exposed as: - 10.0.0.5 nexthop 192.168.100.100 - 172.24.4.10 nexthop 192.168.100.100 As we are using FRR config "redistributed connected". As the traffic to the tenant networks needs to be injected into the OVN overlay through the gateway node hosting that ovn virtual router gateway port (cr-lrp), would it be ok if, besides those route we also advertise? 
- 10.0.0.5 nexthop 172.24.4.10 Cheers, Luis -- Ihtisham ul Haq Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie hier>. -- LUIS TOM?S BOL?VAR Principal Software Engineer Red Hat Madrid, Spain ltomasbo at redhat.com Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie hier. -- LUIS TOM?S BOL?VAR Principal Software Engineer Red Hat Madrid, Spain ltomasbo at redhat.com Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie hier. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ltomasbo at redhat.com Tue Oct 18 17:18:57 2022 From: ltomasbo at redhat.com (Luis Tomas Bolivar) Date: Tue, 18 Oct 2022 19:18:57 +0200 Subject: [ovn][neutron] RE: OVN BGP Agent query In-Reply-To: References: Message-ID: On Tue, Oct 18, 2022 at 5:06 PM Luca Czesla wrote: > Hey Luis, > > > > thanks a lot for the great feedback. > > > > See inline reply please. > > > > Best regards, > > Luca Czesla > > > > > > *From:* Luis Tomas Bolivar > *Sent:* Tuesday, October 18, 2022 9:54 AM > *To:* Luca Czesla > *Cc:* Daniel Alvarez ; Max Andr? Lamprecht > ; openstack-discuss < > openstack-discuss at lists.openstack.org>; Ihtisham ul Haq > > *Subject:* Re: [ovn][neutron] RE: OVN BGP Agent query > > > > Hello Luca! > > > > Awesome patch! See some comments below, though I'll also add some more > details on the gerrit side > > > > On Mon, Oct 17, 2022 at 11:12 AM Luca Czesla > wrote: > > Hey Luis, > > > > Thanks for your mail. > > > > We have now prepared a first draft. In addition to what Ihtisham already > wrote, we need the following options: > > - to run multiple agents per host (container) because we need more than > one BGP session, alternatively there would be the option to do it via frr > > > > Nice, this could actually be splitted from the patch into a different one, > as it is kind of independent of the new driver, and can be used for other > use cases (and merge it almost right away) > > > > > > Good idea. I opened a separate merge request here: > https://review.opendev.org/c/x/ovn-bgp-agent/+/861749 > Great! Thanks! > > > - we need to be able to filter which networks we announce where, for this > we used the address scope from Openstack in the past > > > > To make this possible we have built it in so that it runs through the > address scope. To make the address scope usable in ovn-bgp-agent we also > patched Neutron so that the address scope is part of router_gateway and > router_interface patch-ports. We also announce the networks behind the > routers instead of the VM IPs directly. > > > > We actually play with something similar to be able to have a > simple/initial API here: > https://review.opendev.org/c/openstack/neutron/+/797087 > > (idea was to use port tags instead) > > > > Do you have a link to the modifications to enable this in the neutron side? 
> > > > > > I just opened the MR at Neutron. It's pretty much what you do with the > port_tags as well. You can find it here: > https://review.opendev.org/c/openstack/neutron/+/861719 > > Is there an advantage of using "port_tags" at this point, or is that > simply a catch-all term for metadata? I am fine with both solutions and > have no preferences there. > > > No, there is no advantage of using port_tags, in fact after discussing it with the neutron community it was stated that that was not included on purpose as it is a field for layers that work on top of neutron, not below (OVN). So, I think your approach makes more sense. > > We added a new driver for this because we don't really need anything from > the previous implementation at the moment and we were missing the > similarities between the two. Possibly someone has an idea how we could > merge this? > > > > Is the new expose_router_port/withdraw_router_port similar to the previous > expose_subnet/withdraw_subnet? Perhaps we just need a different > implementation of those? > > > > > > I am not sure if it is the right way. I had problems for example with the > withdraw_subnet that I could not get the corresponding router port from the > lrp port because it was already deleted, so I was missing the reference to > the address scope. So if you have a better way to get to the target, I will > gladly accept it. > Right, I think that was the reason why I used an in-memory dict for that (ovn_local_cr_lrps and ovn_local_lrps) > > > The function is similar only that I didn't want to use the lrp ports for > the reason above and we need the update event since initial row.mac is > unknown and will only be set to router with the next revision number. I am > not sure how we could merge this but I am of course open for ideas. > > Another idea would be to have another separate watcher that implements > only these two events. Maybe that would be the cleanest way? > Umm, ok, probably I'm missing something but I did not have problems with row.mac for the SubnetRouterAttachedEvent, but maybe this is related to the withdraw issue. > > > > > I was actually playing (after initial discussion with Ihtisha) for options > to not only expose VM_IP via HOST_IP, but doing it VM_IP though > OVN_GATEWAY_PORT_IP, and then GATEWAY_PORT_IP via HOST_IP. I was playing > with "redistribute static" instead of "redistributed kernel" + IP routes (I > think I like your approach better). > > > > My idea was to have the existing driver with an option to state if the env > is pure L3 (the current support) or L2 (where you work is needed). That is > another option to explore, but open to having completely different drivers, > as it also makes a lot of sense. > > > > It would be nice if you could have a first look at it. > > > > There is still some work to do like adding tests and making Zuul happy but > I think it is useful to discuss this with you as early as possible. > > > > Yeah, no problem, we'll make zull happy after the initial design/idea is > discussed. Don't need to waste time on that at this moment > > > > You can find the merge request here: > https://review.opendev.org/c/x/ovn-bgp-agent/+/861581 > > > > > Thanks! I'll leave some more detailed review in there > > > > > > Thank you very much. I will try to work on it tomorrow. > > > > > > There is one more general question on that patch. Isn't that exposing the > routes in all the nodes where the agent is running instead of where the > actual ovn router gateway port is attached? 
Don't you need to check is the > node where you can actually inject the traffic to OVN overlay? Or you are > assuming everything is L2 at that point, and it does not matter everyone > expose the route as at the end of the day, only the node with the ovn > gateway router port will reply to ARPs > > > > > > Yes exactly, we assume that the respective router IPs/Networks are > properly filtered via the address scope and that the BGP peers are in the > same L2 network as the provider network of the routers. The patch is really > only about announcing the tenant networks via the correct router IP. We are > not interested in where this IP is located, this task can be done by ARP in > the respective L2 network. So everything can be routed locally in the L2 > via ARP lookups and every BGP agent that has a foot in the network can > announce the networks identically. So in the end we have N times the same > route which only differ from whom it was received. Announcing the complete > networks makes sense for us as we have less BGP updates and the routers can > drop the traffic. The advantage of this is that L3 failover is instant, > since no new BGP route needs to be announced. The switching of the router > IP to another gateway/chassis is then done by OVN using GARP. > Agree! It won't work for pure L3 domains, but works with L2/ARP as you mention. Thanks for confirming! Cheers, Luis > > > > > > Best regards, > > Luca Czesla > > > > *From:* Luis Tomas Bolivar > *Sent:* Monday, October 3, 2022 7:45 AM > *To:* Ihtisham ul Haq > *Cc:* Daniel Alvarez ; Luca Czesla < > Luca.Czesla at mail.schwarz>; Max Andr? Lamprecht ; > openstack-discuss > *Subject:* Re: [ovn][neutron] RE: OVN BGP Agent query > > > > > > > > On Fri, Sep 30, 2022 at 6:20 PM Ihtisham ul Haq < > Ihtisham.ul_Haq at mail.schwarz> wrote: > > Hi Luis and Daniel, > > Please see inline response. > > > From: Daniel Alvarez Sanchez > > Sent: 29 September 2022 11:37 > > Subject: Re: OVN BGP Agent query > > > > Hi Ihtisham and Luis, > > > > On Thu, Sep 29, 2022 at 7:42 AM Luis Tomas Bolivar > wrote: > > > Some comments and questions inline > > > > > > On Tue, Sep 27, 2022 at 1:39 PM Ihtisham ul haq < > ihtisham.uh at hotmail.com> wrote: > > > > Hi Luis, > > > > > > > > Thanks for your work on the OVN BGP Agent. We are planning > > > > to use it in our OVN deployment, but have a question regarding it. > > > > > > Great to hear! Can you share a bit more info about this environment? > like > > > openstack version, target workload, etc. > > We plan to use this with Yoga version. Our workload consist of enterprise > users > with VMs running on Openstack and connected to their enterprise network via > transfer network(to which the customer neutron router is attached to). > And we also have public workload but with the ovn-bgp we only want to > we want to advertise the former. > > > > > > > > The way our current setup with ML2/OVS works is that our customer VM > IP routes > > > > are announced via the router IP(of the that customer) to the leaf > switch instead of > > > > the IP of the host where the neutron BGP agent runs. And then even > if the > > > > router fails over, the IP of the router stays the same and thus the > BGP route > > > > doesn't need to be updated. > > > > > > Is this with Neutron Dynamic Routing? When you say Router IP, do you > mean the virtual neutron router and its IP associated with the provider > network? What type of IPs are you announcing with BGP? IPs on provider > network or on tenant networks (or both)? 
> > Yes, that's with Neutron DR agent, and I meant virtual neutron router with > IP from the provider network. We announce IPs of our tenant network via the > virtual routers external address. > > > > If the router fails over, the route needs to be updated, doesn't it? > Same IP, but exposed in the new location of the router? > > Correct. > > > The route to the tenant network doesn't change, ie. > > 192.168.0.0 via 172.24.4.100 (this route remains the same regardless of > where 172.24.4.100 is). > > If there's L2 in the 172.24.4.0 network, the new location of > 172.24.4.100 will be learnt via GARP announcement. In our case, this won't > happen as we don't have L2 so we expose directly connected routes to > overcome this "limitation". > > Right, in our case we have a stretched L2 transfer network(mentioned above) > to which our gateway nodes and customer routers are connected to, so we can > advertise the IPs from the tenant network via the virtual router external > IP > and thus the location of the router isn't relevant in case of failover as > its > address will be relearned. > > > In the case of Neutron Dynamic Routing, there's no assumption that > everything is L3 so GARPs are needed to learn the new location. > > > > > > We see that the routes are announced by the ovn-bgp-agent via the > host IP(GTW) in our > > > > switch peers. If that's the case then how do you make sure that > during failover > > > > of a router, the BGP routes gets updated with the new host IP(where > the router > > > > failed over to)? > > > > > > The local FRR running at each node is in charge of exposing the IPs. > For the IPs on the provider network, the traffic is directly exposed where > the VMs are, without having to go through the virtual router, so a router > failover won't change the route. > > > In the case of VMs on tenant networks, the traffic is exposed on the > node where the virtual router gateway port is associated (I suppose this is > what you refer to with router IP). In the case of a failover the agent is > in charge of making FRR to withdraw the exposed routes on the old node, and > re-advertise them on the new router IP location > > > > > > > Can we accomplish the same route advertisement as our ML2/OVS setup, > using the ovn-bgp-agent? > > > > I think this is technically possible, and perhaps you want to contribute > that functionality or even help integrating the agent as a driver of > Neutron Dynamic Routing? > > Sounds good, our plan currently is to add this to the ovn-bgp-agent, > so we can announce our tenant routes via virtual routers external address > on > a stretched L2 network, to make it work with our use case. > > > > Great to hear!! > > > > Just to make it clear, the ovn-bgp-agent current solution is to expose the > tenant VM IPs through the host that has the OVN router gateway port, so for > example, if the VM IP (10.0.0.5) is connected to the neutron virtual > router, which in turns is connected to your provider network (your transfer > network) with IP 172.24.4.10, and hosted in a physical server with IP > 192.168.100.100, the route will be exposed as: > > - 10.0.0.5 nexthop 192.168.100.100 > > - 172.24.4.10 nexthop 192.168.100.100 > > > > As we are using FRR config "redistributed connected". As the traffic to > the tenant networks needs to be injected into the OVN overlay through the > gateway node hosting that ovn virtual router gateway port (cr-lrp), would > it be ok if, besides those route we also advertise? 
> > - 10.0.0.5 nexthop 172.24.4.10 > > > > Cheers, > > Luis > > > > > > > > > > > > > > > > -- > Ihtisham ul Haq > Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r > die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht > der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich > in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie > hier > >. > > > > -- > > LUIS TOM?S BOL?VAR > Principal Software Engineer > Red Hat > Madrid, Spain > ltomasbo at redhat.com > > > Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r > die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht > der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich > in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie > hier > > . > > > > -- > > LUIS TOM?S BOL?VAR > Principal Software Engineer > Red Hat > Madrid, Spain > ltomasbo at redhat.com > > > > > Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r > die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht > der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich > in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie > hier . > -- LUIS TOM?S BOL?VAR Principal Software Engineer Red Hat Madrid, Spain ltomasbo at redhat.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From rafaelweingartner at gmail.com Tue Oct 18 18:01:04 2022 From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=) Date: Tue, 18 Oct 2022 15:01:04 -0300 Subject: [cloudkitty] Another core team cleanup In-Reply-To: References: Message-ID: Clean up done. I also found these two others. What do you guys think? Should we clean those as well? openstack-ansible-os_cloudkitty-core = michael at michaelrice.org cloudkitty-release = sheeprine at nullplace.com On Mon, Oct 3, 2022 at 3:02 PM Rafael Weing?rtner < rafaelweingartner at gmail.com> wrote: > I guess it is fine as they are not participating in the project anymore, > and this has been a constant for the past two years or so. > > On Mon, Oct 3, 2022 at 1:26 PM Pierre Riteau wrote: > >> Hello, >> >> Almost exactly two years since the last core team cleanup [1], it's >> probably time to have another one. I don't think we have heard from these >> contributors in the last couple of years: >> >> Justin Ferrieu jferrieu at objectif-libre.com >> Luis Ramirez luis.ramirez at opencloud.es >> Luka Peschke mail at lukapeschke.com >> Maxime Cottret maxime.cottret at gmail.com >> St?phane Albert sheeprine at nullplace.com >> Jeremy Liu liuj285 at chinaunicom.cn >> >> Is everyone okay with removing cloudkitty-core membership for these users? >> >> Cheers, >> Pierre Riteau (priteau) >> >> [1] >> https://lists.openstack.org/pipermail/openstack-discuss/2020-October/017751.html >> > > > -- > Rafael Weing?rtner > -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From pierre at stackhpc.com Tue Oct 18 19:43:55 2022 From: pierre at stackhpc.com (Pierre Riteau) Date: Tue, 18 Oct 2022 21:43:55 +0200 Subject: [cloudkitty] Another core team cleanup In-Reply-To: References: Message-ID: On Tue, 18 Oct 2022 at 20:01, Rafael Weing?rtner < rafaelweingartner at gmail.com> wrote: > Clean up done. > > I also found these two others. What do you guys think? Should we clean > those as well? 
> > openstack-ansible-os_cloudkitty-core = michael at michaelrice.org > This one is for openstack/openstack-ansible-os_cloudkitty. That's not for us to manage. > cloudkitty-release = sheeprine at nullplace.com > I don't think this one is in use, since cloudkitty ships releases through openstack/releases. Maybe the release team can advise. > On Mon, Oct 3, 2022 at 3:02 PM Rafael Weing?rtner < > rafaelweingartner at gmail.com> wrote: > >> I guess it is fine as they are not participating in the project anymore, >> and this has been a constant for the past two years or so. >> >> On Mon, Oct 3, 2022 at 1:26 PM Pierre Riteau wrote: >> >>> Hello, >>> >>> Almost exactly two years since the last core team cleanup [1], it's >>> probably time to have another one. I don't think we have heard from these >>> contributors in the last couple of years: >>> >>> Justin Ferrieu jferrieu at objectif-libre.com >>> Luis Ramirez luis.ramirez at opencloud.es >>> Luka Peschke mail at lukapeschke.com >>> Maxime Cottret maxime.cottret at gmail.com >>> St?phane Albert sheeprine at nullplace.com >>> Jeremy Liu liuj285 at chinaunicom.cn >>> >>> Is everyone okay with removing cloudkitty-core membership for these >>> users? >>> >>> Cheers, >>> Pierre Riteau (priteau) >>> >>> [1] >>> https://lists.openstack.org/pipermail/openstack-discuss/2020-October/017751.html >>> >> >> >> -- >> Rafael Weing?rtner >> > > > -- > Rafael Weing?rtner > -------------- next part -------------- An HTML attachment was scrubbed... URL: From eblock at nde.ag Wed Oct 19 09:44:13 2022 From: eblock at nde.ag (Eugen Block) Date: Wed, 19 Oct 2022 09:44:13 +0000 Subject: DC DR Setup Queries In-Reply-To: References: Message-ID: <20221019094413.Horde.sqgw7Q4bC5MdItC-Id9dSqU@webmail.nde.ag> Hi, your questions are quite complex, I don't know if anyone can give you defintive answers since there are so many requirements involved and careful planning is key. Maybe you could start with [1] to get an overview how something like that can be done. One scenario is basically to have two ceph clusters and replicate the RBDs from primary A to secondary site B. In case site A goes down you can promote the rbd images in B to be primary and your openstack should continue to work. The video also covers multiple openstack clusters which have the same data (and also an rbd mirror between the two ceph clusters), check it out, maybe a couple of your questions are covered. Regards, Eugen [1] https://www.openstack.org/videos/summits/austin-2016/protecting-the-galaxy-multi-region-disaster-recovery-with-openstack-and-ceph Zitat von KK CHN : > few more points to clarify... > 1. The VMs in a DataCentre must auto migrated to the DR setup. ( Also the > updates / writes to VMs in production in DC should be reflected to the > DR copies of VMs like incremental backups. How to achieve this / or what > needs to be employed to achieve this requirement. > > ( What all are the S/W and H/W requirements to achieve the above setup > if both DC and DR is planned use OpenStack latest version/s > Wallaby/ Xena/ yoga ? ) > > 2. In the above setups once the DC down or stopped for maintenance, How > the IP addresses of each VMs is managed automatically to make all the > (application/database server) VMs up and running in DR in case DC down . > Is this can be automated? how? > > Eg: When a VM say X is running in DC it may have an IP 10.10.0. X > when it is replicated in DR then it will be with the same IP > address right (10.0.0.2) ? 
But DR Network may be different and cannot > have the same IP address as DC right ? Do we need to manually set an > IP (Say 10.20.0.X )for each VM which is going to run from the DR site ? > Then what about the firewall rules in DR do we need to manipulate for each > VM for making the DR up ? Is there a way to automate this ? > > OR what the automatic mechanism to handle this IP setting up issue ? How > normally folks manage this scenario ? > > Also once your DC site recovered, then We need to Fail back to the DC site > from DR with all changes happened to the VMs in DR must be reflected back > to the DC site and Fail back.. .How to achieve this ? > > Kindly shed some light on this with your experience and expertise. > > What to do ? Where to start ? Which approach to follow to set up a Best > failover DC to DR and Failback solution. > > Thank you, > Krish > > On Tue, Oct 11, 2022 at 5:38 PM KK CHN wrote: > >> List, >> >> We are having a client DC running on HP( HP simplivity) HCI servers, >> With VMware ( Vsphere 7.0) only few VMs running on it. (11 VMs maximum all >> Linux VMs). >> >> The DR site also having the same HCI setup another location. ( The VMs are >> replicated to DR site with HP simplivity). >> >> We are planning to use Openstack for both DC and DR solutions with Wallaby >> or Xena version with KVM as hypervisor to replace the proprietary S/W and >> H/W vendor locking. >> >> The requirement is to Setup a Stable DC- DR solution. >> >> Totally confused How to setup a best Dc- DR solution for this purpose. >> >> The DR setup can be possible / advisable with Zero down time ?( or manual >> DR site uping with downtime of hours ) ? >> >> What are the available/suggested DC-DR replication mechanisms for high >> degree of application data protection and service availability? >> >> Kindly advise.. >> >> Thanks in advance, >> Krish >> From manchandavishal143 at gmail.com Wed Oct 19 11:44:40 2022 From: manchandavishal143 at gmail.com (vishal manchanda) Date: Wed, 19 Oct 2022 17:14:40 +0530 Subject: [horizon] Cancelling Two Weekly Meeting Message-ID: Hello Team, As discussed in Yesterday's PTG meeting, there will be no horizon weekly meeting for today and next week. The next horizon weekly meeting will be on 2nd November. Thanks & Regards, Vishal Manchanda -------------- next part -------------- An HTML attachment was scrubbed... URL: From tony at bakeyournoodle.com Wed Oct 19 15:56:25 2022 From: tony at bakeyournoodle.com (Tony Breeds) Date: Wed, 19 Oct 2022 10:56:25 -0500 Subject: [dev][infra][tact-sig] Updating Zuul's default-ansible-version to 6 In-Reply-To: <20221005160640.buu6aevydtkgs4ly@yuggoth.org> References: <20221005160640.buu6aevydtkgs4ly@yuggoth.org> Message-ID: Thanks for the heads up, and thanks for the ever so gentle prod to join service-announce. /me didn't know about it On Wed, 5 Oct 2022 at 11:12, Jeremy Stanley wrote: > > Just a heads up for folks not following the OpenDev Collaboratory's > service-announce mailing list... now that Zed is officially > released, we'll be increasing the default Ansible version for Zuul > jobs from 5 to 6 in preparation for Zuul to drop Ansible 5 support > in coming weeks. See the full announcement here: > > https://lists.opendev.org/pipermail/service-announce/2022-October/000046.html > > -- > Jeremy Stanley -- Yours Tony. 
From michal.arbet at ultimum.io Wed Oct 19 16:28:04 2022 From: michal.arbet at ultimum.io (Michal Arbet) Date: Wed, 19 Oct 2022 18:28:04 +0200 Subject: Openstack cluster cannot create instances when 1 of 3 rabbitmq cluster node down In-Reply-To: References: <20221018133549.Horde.J0szHtAQhBKfnfurK84DswO@webmail.nde.ag> Message-ID: Hi, What is your parition_handling_strategy ? Michal Michal Arbet Openstack Engineer Ultimum Technologies a.s. Na Po???? 1047/26, 11000 Praha 1 Czech Republic +420 604 228 897 michal.arbet at ultimum.io *https://ultimum.io * LinkedIn | Twitter | Facebook ?t 18. 10. 2022 v 17:34 odes?latel Dmitriy Rabotyagov < noonedeadpunk at gmail.com> napsal: > I have faced that with quite old rabbitmq versions, like 3.7 > > As a workaround ha_queues worked nicely for me: > https://www.rabbitmq.com/ha.html#mirroring-arguments > > > ??, 18 ???. 2022 ?., 15:45 Eugen Block : > >> Are the remaining two nodes still member of a cluster? Can you share >> 'rabbitmqctl cluster_status' from both nodes while the third is down? >> How did you deploy openstack? >> >> Zitat von Nguy?n H?u Kh?i : >> >> > Description >> > =========== >> > I set up 3 controllers and 3 compute nodes. My system cannot work well >> when >> > 1 rabbit node in cluster rabbitmq is down, cannot launch instances. It >> > stucked at scheduling. >> > >> > Steps to reproduce >> > =========== >> > Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// >> > * Reboot 1 of 3 rabbitmq node. >> > * Create instances then it stucked at scheduling. >> > >> > Workaround >> > =========== >> > Point to rabbitmq VIP address. But We cannot share the load with this >> > solution. Please give me some suggestions. Thank you very much. >> > I did google and enabled system log's debug but I still cannot >> understand >> > why. >> > >> > Nguyen Huu Khoi >> >> >> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From michal.arbet at ultimum.io Wed Oct 19 16:40:21 2022 From: michal.arbet at ultimum.io (Michal Arbet) Date: Wed, 19 Oct 2022 18:40:21 +0200 Subject: [kolla] single Network interface In-Reply-To: References: Message-ID: Hi, If I am correct this is not possible currently, but I remember I was working on a solution, but unfortunately I stopped at some point because kolla upstream didn't want to maintain. In attachment you can find patches for kolla and kolla-ansible and our idea. We added python script to kolla container and provide netplan style configuration by kolla-ansible ..so openvswitch starts and configured networking as it was set in configuration (if i remember ...it is quite long time....and of course it was not final version ...but if i remember it somehow worked). So, you can check it and maybe we can discuss this feature again :) Thanks, Kevko Michal Arbet Openstack Engineer Ultimum Technologies a.s. Na Po???? 1047/26, 11000 Praha 1 Czech Republic +420 604 228 897 michal.arbet at ultimum.io *https://ultimum.io * LinkedIn | Twitter | Facebook po 17. 10. 2022 v 19:24 odes?latel Parsa Aminian napsal: > Hello > I use kolla ansible wallaby version . > my compute node has only one port . is it possible to use this server ? as > I know openstack compute need 2 port one for management and other for > external user network . Im using provider_networks and it > seems neutron_external_interface could not be the same as network_interface > because openvswitch need to create br-ex bridge on separate port > is there any solution that i can config my compute with 1 port ? 
> -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ovs_kolla Type: application/octet-stream Size: 5617 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ovs_kolla_ansible Type: application/octet-stream Size: 4882 bytes Desc: not available URL: From elod.illes at est.tech Wed Oct 19 17:10:01 2022 From: elod.illes at est.tech (=?utf-8?B?RWzDtWQgSWxsw6lz?=) Date: Wed, 19 Oct 2022 17:10:01 +0000 Subject: [PTL][TC] library *feature* freeze at Milestone-2 Message-ID: Hi, During 'TC + Community leaders interaction' [1] a case was discussed, where a late library release caused last minute fire fighting in Zed cycle, and people discussed the possibility to introduce a (non-client) library *feature* freeze at Milestone-2 to avoid similar issues in the future. I've started to propose the possible schedule change [2] (note: it's not ready yet as it does not emphasize that at Milestone-2 we mean *feature* freeze for libraries, not "final library release"). The patch already got some reviews from library maintainers so I'm calling the attention to this change here on the ML. Thanks everyone for the responses in advance, El?d [1] https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030718.html [2] https://review.opendev.org/c/openstack/releases/+/861900 -------------- next part -------------- An HTML attachment was scrubbed... URL: From cboylan at sapwetik.org Wed Oct 19 21:57:18 2022 From: cboylan at sapwetik.org (Clark Boylan) Date: Wed, 19 Oct 2022 14:57:18 -0700 Subject: [kolla] single Network interface In-Reply-To: References: Message-ID: <49f4b31f-d0c9-4b0a-be3c-70480f45f39e@app.fastmail.com> On Wed, Oct 19, 2022, at 9:40 AM, Michal Arbet wrote: > Hi, > > If I am correct this is not possible currently, but I remember I was > working on a solution, but unfortunately I stopped at some point > because kolla upstream didn't want to maintain. > > In attachment you can find patches for kolla and kolla-ansible and our idea. > > We added python script to kolla container and provide netplan style > configuration by kolla-ansible ..so openvswitch starts and configured > networking as it was set in configuration (if i remember ...it is quite > long time....and of course it was not final version ...but if i > remember it somehow worked). > > So, you can check it and maybe we can discuss this feature again :) > > Thanks, > Kevko > > > Michal Arbet > Openstack Engineer > > Ultimum Technologies a.s. > Na Po???? 1047/26, 11000 Praha 1 > Czech Republic > > +420 604 228 897 > michal.arbet at ultimum.io > _https://ultimum.io_ > > LinkedIn | > Twitter | Facebook > > > > po 17. 10. 2022 v 19:24 odes?latel Parsa Aminian > napsal: >> Hello >> I use kolla ansible wallaby version . >> my compute node has only one port . is it possible to use this server ? as I know openstack compute need 2 port one for management and other for external user network . Im using provider_networks and it seems neutron_external_interface could not be the same as network_interface because openvswitch need to create br-ex bridge on separate port >> is there any solution that i can config my compute with 1 port ? A very long time ago the OpenStack Infra Team ran the "Infracloud". This OpenStack installation ran on donated hardware and the instances there only had a single network port as well. 
To workaround this we ended up using vlan specific subinterfaces on the node so that logically we were presenting more than one interface to the OpenStack installation. I don't remember all the details but the now retired opendev/puppet-infracloud repo may have some clues: https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e > Attachments: > * ovs_kolla > * ovs_kolla_ansible From michal.arbet at ultimum.io Wed Oct 19 23:44:07 2022 From: michal.arbet at ultimum.io (Michal Arbet) Date: Thu, 20 Oct 2022 01:44:07 +0200 Subject: [kolla] single Network interface In-Reply-To: <49f4b31f-d0c9-4b0a-be3c-70480f45f39e@app.fastmail.com> References: <49f4b31f-d0c9-4b0a-be3c-70480f45f39e@app.fastmail.com> Message-ID: Hmm, But I think there is a problem with vlan - you need to setup it in OVS, don't you ? Michal Arbet Openstack Engineer Ultimum Technologies a.s. Na Po???? 1047/26, 11000 Praha 1 Czech Republic +420 604 228 897 michal.arbet at ultimum.io *https://ultimum.io * LinkedIn | Twitter | Facebook st 19. 10. 2022 v 23:57 odes?latel Clark Boylan napsal: > On Wed, Oct 19, 2022, at 9:40 AM, Michal Arbet wrote: > > Hi, > > > > If I am correct this is not possible currently, but I remember I was > > working on a solution, but unfortunately I stopped at some point > > because kolla upstream didn't want to maintain. > > > > In attachment you can find patches for kolla and kolla-ansible and our > idea. > > > > We added python script to kolla container and provide netplan style > > configuration by kolla-ansible ..so openvswitch starts and configured > > networking as it was set in configuration (if i remember ...it is quite > > long time....and of course it was not final version ...but if i > > remember it somehow worked). > > > > So, you can check it and maybe we can discuss this feature again :) > > > > Thanks, > > Kevko > > > > > > Michal Arbet > > Openstack Engineer > > > > Ultimum Technologies a.s. > > Na Po???? 1047/26, 11000 Praha 1 > > Czech Republic > > > > +420 604 228 897 > > michal.arbet at ultimum.io > > _https://ultimum.io_ > > > > LinkedIn | > > Twitter | Facebook > > > > > > > > po 17. 10. 2022 v 19:24 odes?latel Parsa Aminian > > napsal: > >> Hello > >> I use kolla ansible wallaby version . > >> my compute node has only one port . is it possible to use this server ? > as I know openstack compute need 2 port one for management and other for > external user network . Im using provider_networks and it seems > neutron_external_interface could not be the same as network_interface > because openvswitch need to create br-ex bridge on separate port > >> is there any solution that i can config my compute with 1 port ? > > A very long time ago the OpenStack Infra Team ran the "Infracloud". This > OpenStack installation ran on donated hardware and the instances there only > had a single network port as well. To workaround this we ended up using > vlan specific subinterfaces on the node so that logically we were > presenting more than one interface to the OpenStack installation. > > I don't remember all the details but the now retired > opendev/puppet-infracloud repo may have some clues: > https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e > > > Attachments: > > * ovs_kolla > > * ovs_kolla_ansible > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From cboylan at sapwetik.org Wed Oct 19 23:50:58 2022 From: cboylan at sapwetik.org (Clark Boylan) Date: Wed, 19 Oct 2022 16:50:58 -0700 Subject: [kolla] single Network interface In-Reply-To: References: <49f4b31f-d0c9-4b0a-be3c-70480f45f39e@app.fastmail.com> Message-ID: On Wed, Oct 19, 2022, at 4:44 PM, Michal Arbet wrote: > Hmm, > > But I think there is a problem with vlan - you need to setup it in OVS, > don't you ? There was also a bridge and a veth pair involved: https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e/manifests/veth.pp Possibly to deal with this? Like I said its been a long time and I don't remember the details. I just know it was possible to solve at least at the time. Linux gives you a whole suite of virtual network components that you can throw together to workaround physical limitations like this. > > Michal Arbet > Openstack Engineer > > Ultimum Technologies a.s. > Na Po???? 1047/26, 11000 Praha 1 > Czech Republic > > +420 604 228 897 > michal.arbet at ultimum.io > _https://ultimum.io_ > > LinkedIn | > Twitter | Facebook > > > > st 19. 10. 2022 v 23:57 odes?latel Clark Boylan napsal: >> On Wed, Oct 19, 2022, at 9:40 AM, Michal Arbet wrote: >> > Hi, >> > >> > If I am correct this is not possible currently, but I remember I was >> > working on a solution, but unfortunately I stopped at some point >> > because kolla upstream didn't want to maintain. >> > >> > In attachment you can find patches for kolla and kolla-ansible and our idea. >> > >> > We added python script to kolla container and provide netplan style >> > configuration by kolla-ansible ..so openvswitch starts and configured >> > networking as it was set in configuration (if i remember ...it is quite >> > long time....and of course it was not final version ...but if i >> > remember it somehow worked). >> > >> > So, you can check it and maybe we can discuss this feature again :) >> > >> > Thanks, >> > Kevko >> > >> > >> > Michal Arbet >> > Openstack Engineer >> > >> > Ultimum Technologies a.s. >> > Na Po???? 1047/26, 11000 Praha 1 >> > Czech Republic >> > >> > +420 604 228 897 >> > michal.arbet at ultimum.io >> > _https://ultimum.io_ >> > >> > LinkedIn | >> > Twitter | Facebook >> > >> > >> > >> > po 17. 10. 2022 v 19:24 odes?latel Parsa Aminian >> > napsal: >> >> Hello >> >> I use kolla ansible wallaby version . >> >> my compute node has only one port . is it possible to use this server ? as I know openstack compute need 2 port one for management and other for external user network . Im using provider_networks and it seems neutron_external_interface could not be the same as network_interface because openvswitch need to create br-ex bridge on separate port >> >> is there any solution that i can config my compute with 1 port ? >> >> A very long time ago the OpenStack Infra Team ran the "Infracloud". This OpenStack installation ran on donated hardware and the instances there only had a single network port as well. To workaround this we ended up using vlan specific subinterfaces on the node so that logically we were presenting more than one interface to the OpenStack installation. 
>> >> I don't remember all the details but the now retired opendev/puppet-infracloud repo may have some clues: https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e >> >> > Attachments: >> > * ovs_kolla >> > * ovs_kolla_ansible From berndbausch at gmail.com Thu Oct 20 02:06:39 2022 From: berndbausch at gmail.com (Bernd Bausch) Date: Thu, 20 Oct 2022 11:06:39 +0900 Subject: [kolla] single Network interface In-Reply-To: References: <49f4b31f-d0c9-4b0a-be3c-70480f45f39e@app.fastmail.com> Message-ID: SInce you can easily have five to ten different networks in a cloud installation, e.g. networks dedicated to object storage, provider networks for Octavia, a network just for iSCSI etc, VLANs are (or used to be?) a common solution. See for example the (sadly, defunct) SUSE OpenStack cloud https://documentation.suse.com/soc/9/html/suse-openstack-cloud-crowbar-all/cha-deploy-poc.html#sec-depl-poc-vlans. On 2022/10/20 8:50 AM, Clark Boylan wrote: > On Wed, Oct 19, 2022, at 4:44 PM, Michal Arbet wrote: >> Hmm, >> >> But I think there is a problem with vlan - you need to setup it in OVS, >> don't you ? > There was also a bridge and a veth pair involved: https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e/manifests/veth.pp > > Possibly to deal with this? Like I said its been a long time and I don't remember the details. I just know it was possible to solve at least at the time. Linux gives you a whole suite of virtual network components that you can throw together to workaround physical limitations like this. > >> Michal Arbet >> Openstack Engineer >> >> Ultimum Technologies a.s. >> Na Po???? 1047/26, 11000 Praha 1 >> Czech Republic >> >> +420 604 228 897 >> michal.arbet at ultimum.io >> _https://ultimum.io_ >> >> LinkedIn | >> Twitter | Facebook >> >> >> >> st 19. 10. 2022 v 23:57 odes?latel Clark Boylan napsal: >>> On Wed, Oct 19, 2022, at 9:40 AM, Michal Arbet wrote: >>>> Hi, >>>> >>>> If I am correct this is not possible currently, but I remember I was >>>> working on a solution, but unfortunately I stopped at some point >>>> because kolla upstream didn't want to maintain. >>>> >>>> In attachment you can find patches for kolla and kolla-ansible and our idea. >>>> >>>> We added python script to kolla container and provide netplan style >>>> configuration by kolla-ansible ..so openvswitch starts and configured >>>> networking as it was set in configuration (if i remember ...it is quite >>>> long time....and of course it was not final version ...but if i >>>> remember it somehow worked). >>>> >>>> So, you can check it and maybe we can discuss this feature again :) >>>> >>>> Thanks, >>>> Kevko >>>> >>>> >>>> Michal Arbet >>>> Openstack Engineer >>>> >>>> Ultimum Technologies a.s. >>>> Na Po???? 1047/26, 11000 Praha 1 >>>> Czech Republic >>>> >>>> +420 604 228 897 >>>> michal.arbet at ultimum.io >>>> _https://ultimum.io_ >>>> >>>> LinkedIn | >>>> Twitter | Facebook >>>> >>>> >>>> >>>> po 17. 10. 2022 v 19:24 odes?latel Parsa Aminian >>>> napsal: >>>>> Hello >>>>> I use kolla ansible wallaby version . >>>>> my compute node has only one port . is it possible to use this server ? as I know openstack compute need 2 port one for management and other for external user network . Im using provider_networks and it seems neutron_external_interface could not be the same as network_interface because openvswitch need to create br-ex bridge on separate port >>>>> is there any solution that i can config my compute with 1 port ? 
>>> A very long time ago the OpenStack Infra Team ran the "Infracloud". This OpenStack installation ran on donated hardware and the instances there only had a single network port as well. To workaround this we ended up using vlan specific subinterfaces on the node so that logically we were presenting more than one interface to the OpenStack installation. >>> >>> I don't remember all the details but the now retired opendev/puppet-infracloud repo may have some clues: https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e >>> >>>> Attachments: >>>> * ovs_kolla >>>> * ovs_kolla_ansible From eblock at nde.ag Thu Oct 20 08:23:53 2022 From: eblock at nde.ag (Eugen Block) Date: Thu, 20 Oct 2022 08:23:53 +0000 Subject: [kolla] single Network interface In-Reply-To: References: <49f4b31f-d0c9-4b0a-be3c-70480f45f39e@app.fastmail.com> Message-ID: <20221020082353.Horde.6MWHgx32zrDcj67t4O2PAF6@webmail.nde.ag> Hi, we don't use kolla but our cloud runs with only one interface (actually two, it's a bond) on control and compute nodes. We use two different VLANs for openvswitch and the "management" network on that bond, and it works perfectly fine. I just wouldn't know how to handle that in kolla. > See for example the (sadly, defunct) SUSE OpenStack cloud > https://documentation.suse.com/soc/9/html/suse-openstack-cloud-crowbar-all/cha-deploy-poc.html#sec-depl-poc-vlans. Yeah, that made us sad, too. Zitat von Bernd Bausch : > SInce you can easily have five to ten different networks in a cloud > installation, e.g. networks dedicated to object storage, provider > networks for Octavia, a network just for iSCSI etc, VLANs are (or > used to be?) a common solution. See for example the (sadly, defunct) > SUSE OpenStack cloud > https://documentation.suse.com/soc/9/html/suse-openstack-cloud-crowbar-all/cha-deploy-poc.html#sec-depl-poc-vlans. > > On 2022/10/20 8:50 AM, Clark Boylan wrote: >> On Wed, Oct 19, 2022, at 4:44 PM, Michal Arbet wrote: >>> Hmm, >>> >>> But I think there is a problem with vlan - you need to setup it in OVS, >>> don't you ? >> There was also a bridge and a veth pair involved: >> https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e/manifests/veth.pp >> >> Possibly to deal with this? Like I said its been a long time and I >> don't remember the details. I just know it was possible to solve at >> least at the time. Linux gives you a whole suite of virtual network >> components that you can throw together to workaround physical >> limitations like this. >> >>> Michal Arbet >>> Openstack Engineer >>> >>> Ultimum Technologies a.s. >>> Na Po???? 1047/26, 11000 Praha 1 >>> Czech Republic >>> >>> +420 604 228 897 >>> michal.arbet at ultimum.io >>> _https://ultimum.io_ >>> >>> LinkedIn | >>> Twitter | Facebook >>> >>> >>> >>> st 19. 10. 2022 v 23:57 odes?latel Clark Boylan >>> napsal: >>>> On Wed, Oct 19, 2022, at 9:40 AM, Michal Arbet wrote: >>>>> Hi, >>>>> >>>>> If I am correct this is not possible currently, but I remember I was >>>>> working on a solution, but unfortunately I stopped at some point >>>>> because kolla upstream didn't want to maintain. >>>>> >>>>> In attachment you can find patches for kolla and kolla-ansible >>>>> and our idea. 
>>>>>
>>>>> We added python script to kolla container and provide netplan style
>>>>> configuration by kolla-ansible ..so openvswitch starts and configured
>>>>> networking as it was set in configuration (if i remember ...it is quite
>>>>> long time....and of course it was not final version ...but if i
>>>>> remember it somehow worked).
>>>>>
>>>>> So, you can check it and maybe we can discuss this feature again :)
>>>>>
>>>>> Thanks,
>>>>> Kevko
>>>>>
>>>>>
>>>>> Michal Arbet
>>>>> Openstack Engineer
>>>>>
>>>>> Ultimum Technologies a.s.
>>>>> Na Po???? 1047/26, 11000 Praha 1
>>>>> Czech Republic
>>>>>
>>>>> +420 604 228 897
>>>>> michal.arbet at ultimum.io
>>>>> _https://ultimum.io_
>>>>>
>>>>> LinkedIn |
>>>>> Twitter | Facebook
>>>>>
>>>>>
>>>>>
>>>>> po 17. 10. 2022 v 19:24 odes?latel Parsa Aminian
>>>>> napsal:
>>>>>> Hello
>>>>>> I use kolla ansible wallaby version .
>>>>>> my compute node has only one port . is it possible to use this
>>>>>> server ? as I know openstack compute need 2 port one for
>>>>>> management and other for external user network . Im using
>>>>>> provider_networks and it seems neutron_external_interface could
>>>>>> not be the same as network_interface because openvswitch need
>>>>>> to create br-ex bridge on separate port
>>>>>> is there any solution that i can config my compute with 1 port ?
>>>> A very long time ago the OpenStack Infra Team ran the
>>>> "Infracloud". This OpenStack installation ran on donated hardware
>>>> and the instances there only had a single network port as well.
>>>> To workaround this we ended up using vlan specific subinterfaces
>>>> on the node so that logically we were presenting more than one
>>>> interface to the OpenStack installation.
>>>>
>>>> I don't remember all the details but the now retired
>>>> opendev/puppet-infracloud repo may have some clues:
>>>> https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e
>>>>
>>>>> Attachments:
>>>>> * ovs_kolla
>>>>> * ovs_kolla_ansible

From smooney at redhat.com Thu Oct 20 08:35:38 2022
From: smooney at redhat.com (Sean Mooney)
Date: Thu, 20 Oct 2022 09:35:38 +0100
Subject: [kolla] single Network interface
In-Reply-To:
References: <49f4b31f-d0c9-4b0a-be3c-70480f45f39e@app.fastmail.com>
Message-ID:

I have not been following this too closely, and sorry to top post, but it is
possible to deploy multi-node openstack using a single interface. i often do
that with devstack and it should be possible to do with kolla.

first, if you do not need vlan/flat tenant networks and geneve/vxlan with
ml2/ovs or ml2/ovn is sufficient, then the tunnel endpoint ip can just be the
management interface.

when i'm deploying with devstack i just create a dummy interface and use that
for neutron, so you should be able to do the same for kolla-ansible: just have
a playbook that creates a dummy interface on all hosts and set that as the
neutron_external_interface. in kolla all other interfaces are shared by
default, so it is only the neutron_external_interface for the br-ex that needs
to be managed.

this approach requires you to assign the gateway ip for the external network
to one of the controllers and configure that host in your router.
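A minimal sketch of the dummy-interface approach described above, for
illustration only (the interface name and the globals.yml values are
assumptions, not a tested configuration; it presumes tunnelled geneve/vxlan
tenant networks as noted above):

    # on every node, before the openvswitch/neutron containers start
    # (e.g. from a small ansible task), create a dummy NIC for br-ex:
    ip link add ext0 type dummy
    ip link set ext0 up

    # in /etc/kolla/globals.yml keep the real NIC for everything else and
    # point the external interface at the dummy device (illustrative values):
    #   network_interface: "eth0"
    #   neutron_external_interface: "ext0"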
the better approach, which allows provider networks to work and avoids the
need to assign the gateway ip in a hacky way, is to use macvlan interfaces.
i don't think i have an example of this from my home cloud any more since i
have redeployed it, but i previously used to create macvlan sub-interfaces to
do this by hand. you would do something like this:

sudo ip link add api link eth0 type macvlan mode bridge
sudo ip link add ovs link eth0 type macvlan mode bridge
sudo ip link add storage link eth0 type macvlan mode bridge
sudo ifconfig api up
sudo ifconfig ovs up
sudo ifconfig storage up

you can wrap that up into a systemd service file and have it run before the
docker service. if you're on ubuntu, netplan does not support macvlans
currently, but you can do it the traditional way or with systemd-networkd.

macvlan allows a single physical interface to have multiple mac and ip
addresses. you can also do the same with a linux bridge, but that is less than
ideal in terms of performance.

if your nic supports sriov, another good way to partition the nic is to use a
VF. in that case you just put in a trivial udev rule to allocate them, or use
netplan: https://netplan.io/examples (it's the final example). macvlan works if
you don't have hardware support for sriov, and sriov is a good option
otherwise.

On Thu, 2022-10-20 at 11:06 +0900, Bernd Bausch wrote:
> SInce you can easily have five to ten different networks in a cloud
> installation, e.g. networks dedicated to object storage, provider
> networks for Octavia, a network just for iSCSI etc, VLANs are (or used
> to be?) a common solution. See for example the (sadly, defunct) SUSE
> OpenStack cloud
> https://documentation.suse.com/soc/9/html/suse-openstack-cloud-crowbar-all/cha-deploy-poc.html#sec-depl-poc-vlans.
>
> On 2022/10/20 8:50 AM, Clark Boylan wrote:
> > On Wed, Oct 19, 2022, at 4:44 PM, Michal Arbet wrote:
> > > Hmm,
> > >
> > > But I think there is a problem with vlan - you need to setup it in OVS,
> > > don't you ?
> > There was also a bridge and a veth pair involved: https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e/manifests/veth.pp
> >
> > Possibly to deal with this? Like I said its been a long time and I don't remember the details. I just know it was possible to solve at least at the time. Linux gives you a whole suite of virtual network components that you can throw together to workaround physical limitations like this.
> >
> > > Michal Arbet
> > > Openstack Engineer
> > >
> > > Ultimum Technologies a.s.
> > > Na Po???? 1047/26, 11000 Praha 1
> > > Czech Republic
> > >
> > > +420 604 228 897
> > > michal.arbet at ultimum.io
> > > _https://ultimum.io_
> > >
> > > LinkedIn |
> > > Twitter | Facebook
> > >
> > >
> > >
> > > st 19. 10. 2022 v 23:57 odes?latel Clark Boylan napsal:
> > > > On Wed, Oct 19, 2022, at 9:40 AM, Michal Arbet wrote:
> > > > > Hi,
> > > > >
> > > > > If I am correct this is not possible currently, but I remember I was
> > > > > working on a solution, but unfortunately I stopped at some point
> > > > > because kolla upstream didn't want to maintain.
> > > > >
> > > > > In attachment you can find patches for kolla and kolla-ansible and our idea.
> > > > > > > > > > We added python script to kolla container and provide netplan style > > > > > configuration by kolla-ansible ..so openvswitch starts and configured > > > > > networking as it was set in configuration (if i remember ...it is quite > > > > > long time....and of course it was not final version ...but if i > > > > > remember it somehow worked). > > > > > > > > > > So, you can check it and maybe we can discuss this feature again :) > > > > > > > > > > Thanks, > > > > > Kevko > > > > > > > > > > > > > > > Michal Arbet > > > > > Openstack Engineer > > > > > > > > > > Ultimum Technologies a.s. > > > > > Na Po???? 1047/26, 11000 Praha 1 > > > > > Czech Republic > > > > > > > > > > +420 604 228 897 > > > > > michal.arbet at ultimum.io > > > > > _https://ultimum.io_ > > > > > > > > > > LinkedIn | > > > > > Twitter | Facebook > > > > > > > > > > > > > > > > > > > > po 17. 10. 2022 v 19:24 odes?latel Parsa Aminian > > > > > napsal: > > > > > > Hello > > > > > > I use kolla ansible wallaby version . > > > > > > my compute node has only one port . is it possible to use this server ? as I know openstack compute need 2 port one for management and other for external user network . Im using provider_networks and it seems neutron_external_interface could not be the same as network_interface because openvswitch need to create br-ex bridge on separate port > > > > > > is there any solution that i can config my compute with 1 port ? > > > > A very long time ago the OpenStack Infra Team ran the "Infracloud". This OpenStack installation ran on donated hardware and the instances there only had a single network port as well. To workaround this we ended up using vlan specific subinterfaces on the node so that logically we were presenting more than one interface to the OpenStack installation. > > > > > > > > I don't remember all the details but the now retired opendev/puppet-infracloud repo may have some clues: https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e > > > > > > > > > Attachments: > > > > > * ovs_kolla > > > > > * ovs_kolla_ansible > From ralonsoh at redhat.com Thu Oct 20 08:41:44 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Thu, 20 Oct 2022 10:41:44 +0200 Subject: [PTG][nova][neutron] Nova-Neutron cross-team meetings Message-ID: Hello all: The Nova-Neutron cross-team sessions today, starting at 13UTC, will be on Nova channel "bexar". In any case, I'll send an update in our IRC channel and I'll keep "mitaka" session open to redirect people to "bexar". Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From swhitman at groupw.com Thu Oct 20 14:09:46 2022 From: swhitman at groupw.com (Stuart Whitman) Date: Thu, 20 Oct 2022 14:09:46 +0000 Subject: [kolla-ansible] [yoga] [magnum] [k8s] cannot attach persistent volume to pod Message-ID: Hello, When I try to attach a persistent cinder volume to a pod, I get FailedMount and FailedAttachVolume timeout events. 
I also get these errors in the log of the csi-cinder-controllerplugin-0 pod: E1020 13:38:41.747511 1 reflector.go:126] k8s.io/client-go/informers/factory.go:133: Failed to list *v1beta1.VolumeAttachment: the server could not find the requested resource E1020 13:38:41.748187 1 reflector.go:126] k8s.io/client-go/informers/factory.go:133: Failed to list *v1beta1.CSINode: the server could not find the requested resource ?I fixed a CrashLoopBackoff error with the csi-snapshotter container in the csi-cinder-controllerplugin-0 pod by providing the label "csi_snapshotter_tag=v4.0.0" when I created the cluster template. I found that suggestion in an issue on the GitHub cloud-provider-openstack project. I'm not finding any help with this error on Google. Thanks, -Stu _____________________________________ The information contained in this e-mail and any attachments from Group W may contain confidential and/or proprietary information and is intended only for the named recipient to whom it was originally addressed. If you are not the intended recipient, be aware that any disclosure, distribution, or copying of this e-mail or its attachments is strictly prohibited. If you have received this e-mail in error, please notify the sender immediately of that fact by return e-mail and permanently delete the e-mail and any attachments to it. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gmann at ghanshyammann.com Thu Oct 20 14:13:13 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Thu, 20 Oct 2022 07:13:13 -0700 Subject: [all][tc] 2023.1 Antelope TC-PTG Planning In-Reply-To: References: <182d57d2a78.1127e41be140296.2872907929814651386@ghanshyammann.com> <183680c4a58.dc375de7355972.8647386454272610958@ghanshyammann.com> Message-ID: <183f5bdb227.d9102c14270372.5253932786583769927@ghanshyammann.com> Hello Everyone, In case anyone has not noticed, I would like to highlight one thing for TC slots of today and tomorrow. TC will be meeting from 15:00 to 19:00 UTC whereas 17:00 to 19:00 UTC are out of PTG scheduled hours (not shown on ptg bot page also). 17:00 UTC does not mean we are done, you can join us for another 2 hours. * Thursday 15:00 - 19:00 UTC (4 hours) * Friday 15:00 - 19:00 UTC (4 hours) -gmann ---- On Thu, 29 Sep 2022 10:51:20 -0700 Jay Faulkner wrote --- > It was indicated to me that some GMail users were having trouble importing this ICS file. Please use the following procedure for best results: > Open Google Calendar, click the gear and choose Settings, then select Import & Export from the left side, and import the ICS file attached on the previous email on this thread. > When properly imported; you should see all three meetings imported from that single ICS file. Please reach out to me over email or at JayF in #openstack-tc if there are any further issues. > -Jay Faulkner > > > On Thu, Sep 29, 2022 at 9:47 AM Jay Faulkner jay at gr-oss.io> wrote: > Hey all, > In order to make this easier on folks (and to let the computers do timezone calculations!) I've created an ICS file that you can import into your calendaring app of choice to get these TC sessions added to your calendar. > See you there,Jay Faulkner > > On Thu, Sep 22, 2022 at 7:08 PM Ghanshyam Mann gmann at ghanshyammann.com> wrote: > Updates: > > TC decided to meet at the below slots: > > * Monday 15:00 - 17:00 UTC (2 hours) for TC+leaders interaction discussion. 
> * Thursday 15:00 - 19:00 UTC (4 hours) > * Friday 15:00 - 19:00 UTC (4 hours) > > PLEASE NOTE: To minimize the conflict with the project sessions, the last 2 hours on Thursday and Friday are booked out of the PTG schedule. > > Details are there in the below etherpad, please start adding the topic you would like to discuss: > > - https://etherpad.opendev.org/p/tc-2023-1-ptg > > > -gmann > > ?---- On Thu, 25 Aug 2022 07:52:06 -0700? Ghanshyam Mann? wrote --- > ?> Hello Everyone, > ?> > ?> As you already know that the 2023.1 cycle virtual PTG will be held between Oct 17th - 21[1]. > ?> > ?> I have started the preparation for the Technical Committee PTG sessions. Please do the following: > ?> > ?> 1. Fill the below poll as per your availability. > ?> > ?> - https://framadate.org/yi8LNQaph5wrirks > ?> > ?> 2. Add the topics you would like to discuss to the below etherpad. > ?> > ?> - https://etherpad.opendev.org/p/tc-2023-1-ptg > ?> > ?> NOTE: this is not limited to TC members only; I would like all community members to > ?> fill the doodle poll and, add the topics you would like or want TC members to discuss in PTG. > ?> > ?> [1] https://lists.openstack.org/pipermail/openstack-discuss/2022-August/030041.html > ?> > ?> -gmann > ?> > ?> > > From lucioseki at gmail.com Thu Oct 20 14:21:25 2022 From: lucioseki at gmail.com (Lucio Seki) Date: Thu, 20 Oct 2022 11:21:25 -0300 Subject: [glance] Slow image download when using glanceclient In-Reply-To: <141F3517-5364-4B69-889D-2EB1077DD9D6@gmail.com> References: <0bf73382755a1b3cf776932bbcc658ea250c23fa.camel@redhat.com> <56b7476c090c1223dc91c89eb6acdbd7ff1e307a.camel@redhat.com> <141F3517-5364-4B69-889D-2EB1077DD9D6@gmail.com> Message-ID: Thanks Artem, Indeed, using the `output` parameter increased the download speed from 120KB/s to >120MB/s (the max network performance I have). That's great! I'll look into the method definition and see what's the secret. Regards, Lucio On Fri, Oct 14, 2022, 12:07 Artem Goncharov wrote: > ``` > import openstack > > conn = openstack.connect() > > conn.image.download_image(image_name, stream=True, output="data.iso?) > ``` > > This gives me max performance of the network. Actually using stream=True > may be slower (around 40%), but may be crucially necessary when dealing > with huge images. Additionally you can specify chunk_size as param to > download_image function, what aligns performance of stream vs non stream > (for me stream=True and chunk_size=8192 resulted 2.3G image to be > downloaded in 14 sec) > > > On 13. Oct 2022, at 23:24, Lucio Seki wrote: > > Yes, I'm using tqdm to monitor the progress and speed. > I removed it, and it improved slightly (120kB/s -> 131kB/s) but not > significantly :-/ > > On Thu, Oct 13, 2022, 16:54 Sean Mooney wrote: > >> On Thu, 2022-10-13 at 16:21 -0300, Lucio Seki wrote: >> > Thanks Sean, that makes much easier to code! >> > >> > ``` >> > ... >> > conn = openstack.connect(cloud_name) >> > >> > with open(path, 'wb') as image_file: >> > response = conn.image.download_image(image_name) >> > for chunk in tqdm(response.iter_content(), **tqdm_params): >> > image_file.write(chunk) >> > ``` >> > >> > And it gave me some performance improvement (3kB/s -> 120kB/s). >> > ... though it would still take several days to download an image. >> > >> > Is there some tuning that I could apply? 
>> this is what nova does >> https://github.com/openstack/nova/blob/master/nova/image/glance.py#L344 >> >> we get the image chunks by calling the data method on the glance client >> >> https://github.com/openstack/nova/blob/03d2715ed492350fa11908aea0fdd0265993e284/nova/image/glance.py#L373-L377 >> then bwe basiclly just loop over the chunks and write them to a file like >> you are >> >> https://github.com/openstack/nova/blob/03d2715ed492350fa11908aea0fdd0265993e284/nova/image/glance.py#L413-L437 >> we have some extra code for doing image verification but its basically >> the same as what you are doing >> we use eventlets to monkeypatch python io which can imporve performce but >> i woudl not expect it to be that dramatic >> and i dont think the glance clinet or opesntack client use eventlet so >> its sound liek something else is limiting the transfer speed. >> >> this is the glance client method we are invokeing >> >> https://github.com/openstack/python-glanceclient/blob/56186d6d5aa1a0c8fde99eeb535a650b0495925d/glanceclient/v2/images.py#L201-L271 >> >> >> im not sure what tqdm is by the way is it meusrign the transfer speed of >> something linke that? >> does the speed increase if you remvoe that? >> i.ie can you test this via a simple time script and see how much >> downloads say in up to 60 seconds by lookign at the file size? >> >> assuming its https://github.com/tqdm/tqdm perhaps the addtional io that >> woudl be doing to standard out is slowign it down? >> >> >> >> >> > >> > On Thu, Oct 13, 2022, 14:18 Sean Mooney wrote: >> > >> > > On Thu, 2022-10-13 at 13:30 -0300, Lucio Seki wrote: >> > > > Hi glance experts, >> > > > >> > > > I'm using the following code to download a glance image: >> > > > >> > > > ``` >> > > > from glanceapi import client >> > > > ... >> > > > glance = client.Client(GLANCE_API_VERSION, session=sess) >> > > > ... >> > > > with open(path, 'wb') as image_file: >> > > > data = glance.images.data(image_id) >> > > > for chunk in tqdm(data, unit='B', unit_scale=True, >> > > unit_divisor=1024): >> > > > image_file.write(chunk) >> > > > ``` >> > > > >> > > > And I get a speed around 3kB/s. It would take months to download an >> > > image. >> > > > I'm using python3-glanceclient==3.6.0. >> > > > I even tried: >> > > > ``` >> > > > for chunk in tqdm(data, unit='B', unit_scale=True, >> > > unit_divisor=1024): >> > > > pass >> > > > ``` >> > > > to see if the bottleneck was the disk I/O, but didn't get any >> faster. >> > > > >> > > > In the same environment, when I use the glance CLI instead: >> > > > >> > > > ``` >> > > > glance image-download --file $path $image_id >> > > > ``` >> > > > I get hundreds of MB/s download speed, and it finishes in a few >> minutes. >> > > > >> > > > Is there anything I can do to improve the glanceclient performance? >> > > > I'm considering using subprocess.Popen(['glance', 'image-download', >> ...]) >> > > > if nothing helps... >> > > have you considered using the openstacksdk instead >> > > >> > > the glanceclint is really only intendeted for other openstack service >> to >> > > use like >> > > nova or ironic. >> > > its not really ment to be used to write your onw code anymore. >> > > in the past it provided a programatic interface for interacting with >> glance >> > > but now you shoudl prefer the openstack sdk instead. >> > > https://github.com/openstack/openstacksdk >> > > >> > > > >> > > > Regards, >> > > > Lucio >> > > >> > > >> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL:
From Albert.Shih at obspm.fr Thu Oct 20 20:51:54 2022
From: Albert.Shih at obspm.fr (Albert Shih)
Date: Thu, 20 Oct 2022 22:51:54 +0200
Subject: [victoria] Loose network on all instance.
Message-ID:

Hi,

I've a small OpenStack installation running Victoria on Ubuntu 20 LTS.

After an update (not an upgrade) of Ubuntu, I lose all network on all my
instances.

On an instance console I got (the console keeps redrawing the same "start job"
line with an increasing timer):

[  OK  ] Started ifup for ens3.
         Starting Raise network interfaces...
[***   ] A start job is running for Raise network interfaces (1min 4s / 6min 2s)
         [... the same line redrawn with an increasing timer, up to 1min 14s ...]
......
......
[***   ] A start job is running for Raise network interfaces (2min 59s / 6min 2s)
         [... redrawn until about 3min 3s ...]
[  OK  ] Finished Raise network interfaces.
[  OK  ] Reached target Network.
         Starting Initial cloud-init job (metadata service crawler)...
[  186.709234] cloud-init[514]: Cloud-init v. 20.4.1 running 'init' at Thu, 20 Oct 2022 20:12:41 +0000. Up 186.69 seconds.
[  186.727021] cloud-init[514]: ci-info: ++++++++++++++++++++++++++++++++++++Net device info+++++++++++++++++++++++++++++++++++++
[  186.728928] cloud-init[514]: ci-info: +--------+------+------------------------------+-----------+-------+-------------------+
[  186.730709] cloud-init[514]: ci-info: | Device |  Up  |           Address            |    Mask   | Scope |     Hw-Address    |
[  186.732694] cloud-init[514]: ci-info: +--------+------+------------------------------+-----------+-------+-------------------+
[  186.734765] cloud-init[514]: ci-info: |  ens3  | True | fe80::f816:3eff:fec3:2e6c/64 |     .     |  link | fa:16:3e:c3:2e:6c |
[  186.736681] cloud-init[514]: ci-info: |   lo   | True |          127.0.0.1           | 255.0.0.0 |  host |         .         |
[  186.738473] cloud-init[514]: ci-info: |   lo   | True |           ::1/128            |     .     |  host |         .         |
[  186.740246] cloud-init[514]: ci-info: +--------+------+------------------------------+-----------+-------+-------------------+
[  186.741723] cloud-init[514]: ci-info: +++++++++++++++++++Route IPv6 info+++++++++++++++++++
[  186.742306] cloud-init[514]: ci-info: +-------+-------------+---------+-----------+-------+
[  186.742881] cloud-init[514]: ci-info: | Route | Destination | Gateway | Interface | Flags |
[  186.743460] cloud-init[514]: ci-info: +-------+-------------+---------+-----------+-------+
[  186.744075] cloud-init[514]: ci-info: |   1   |  fe80::/64  |    ::   |    ens3   |   U   |
[  186.744681] cloud-init[514]: ci-info: |   3   |    local    |    ::   |    ens3   |   U   |
[  186.745255] cloud-init[514]: ci-info: |   4   |  multicast  |    ::   |    ens3   |   U   |
[  186.745833] cloud-init[514]: ci-info: +-------+-------------+---------+-----------+-------+

In the log of neutron-linuxbridge-agent.log it seems everything should work:

2022-10-20 20:17:54.967 59611 INFO neutron.plugins.ml2.drivers.agent._common_agent [req-9e6b23d3-1e0e-4c48-8f0e-30d761233188 - - - - -] Port tap4f68bcf1-4d updated.
Details: {'device': 'tap4f68bcf1-4d', 'network_id': '9223f9ff-7ab0-4268-9b7f-3b5966625c65', 'port_id': '4f68bcf1-4d32-4ad3-a0df-0415f7170c5d', 'mac_address': 'fa:16:3e:c3:2e:6c', 'admin_state_up': True, 'network_type': 'flat', 'segmentation_id': None, 'physical_network': 'provider', 'mtu': 1500, 'fixed_ips': [{'subnet_id': '12cdcc06-bbf0-48f2-b303-bdfab460c696', 'ip_address': '145.238.137.52'}], 'device_owner': 'compute:nova', 'allowed_address_pairs': [], 'port_security_enabled': True, 'qos_policy_id': None, 'network_qos_policy_id': None, 'profile': {}, 'propagate_uplink_status': False} But I'm unable to ping any instance. Any idea ? Regards -- Albert SHIH ? Observatoire de Paris France Heure locale/Local time: jeu. 20 oct. 2022 22:47:15 CEST From rosmaita.fossdev at gmail.com Thu Oct 20 21:32:49 2022 From: rosmaita.fossdev at gmail.com (Brian Rosmaita) Date: Thu, 20 Oct 2022 17:32:49 -0400 Subject: [i18n] questions for the user survey Message-ID: Hello people interested in internationalization, At the PTG this week, the i18n SIG drafted some questions for the 2023 OpenStack User Survey. Please look them over and leave any comments on the etherpad: https://etherpad.opendev.org/p/oct2022-ptg-openstack-i18n-user-survey-questions We need to get these to the Foundation quickly, so please leave your comments before 1200 UTC on Monday 24 October. From johnsomor at gmail.com Thu Oct 20 21:46:50 2022 From: johnsomor at gmail.com (Michael Johnson) Date: Thu, 20 Oct 2022 14:46:50 -0700 Subject: [designate] [release] Proposing to EOL Designate stable branches Queens, Rocky, Stein, and Train Message-ID: Today at the Designate PTG session we discussed the number of stable branches (10) we are carrying for Designate and the lack of interest in maintaining them. For example, there has not been a patch merged on the Queens branch for over two years. Based on the discussion, and lack of patches merged to the older branches, I am proposing we move the Queens, Rocky, Stein, and Train stable branches from extended maintenance to end-of-life status. The definition of this process is part of the project team guide[1]. I plan to propose patches for the required changes next week. If you would like to maintain one of these branches, please respond to this email and post a patch to the branch to resolve any existing issues on the older branches. Michael [1] https://docs.openstack.org/project-team-guide/stable-branches.html#end-of-life From berndbausch at gmail.com Fri Oct 21 01:19:48 2022 From: berndbausch at gmail.com (Bernd Bausch) Date: Fri, 21 Oct 2022 10:19:48 +0900 Subject: [victoria] Loose network on all instance. In-Reply-To: References: Message-ID: <6028846f-d781-e9dd-77d0-888d1825db52@gmail.com> Is the cloud running on a single server? How did you deploy it? Your description indicates that instances are unable to reach their DHCP servers. They don't get an IP address and consequently can't be ping'ed. Start with openstack network agent list to see if there is an obvious problem with the DHCP agent(s). Also check if /dnsmasq/ processes (which normally implement the DHCP service) are running; there should be one per Neutron network. Also check the relevant log files and the /dnsmasq /configuration and lease files. If there is no problem at that level, I would guess network connectivity between instances and DHCP servers is broken. That is harder to troubleshoot, as there are many moving parts and many implementation options. 
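For illustration, the first checks mentioned above could look something like this. This is only a rough sketch for a DHCP-agent based setup; the network ID and MAC address are taken from the neutron log earlier in this thread, and the paths assume the default agent state directory:

# is the DHCP agent alive and up?
openstack network agent list --agent-type dhcp

# there should be one dnsmasq process per network that has DHCP enabled
pgrep -af dnsmasq

# look inside the DHCP namespace and at the lease file for the affected network
sudo ip netns exec qdhcp-9223f9ff-7ab0-4268-9b7f-3b5966625c65 ip addr
sudo cat /var/lib/neutron/dhcp/9223f9ff-7ab0-4268-9b7f-3b5966625c65/leases

If the agent is down, dnsmasq is not running, or the lease file never gets an entry for fa:16:3e:c3:2e:6c, the problem is on the DHCP side rather than inside the instance.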
On 2022/10/21 5:51 AM, Albert Shih wrote:
> Hi,
>
> I've a small OpenStack installation running Victoria on Ubuntu 20 LTS.
>
> After an update (not an upgrade) of Ubuntu, I lose all network on all my instances.
>
> On an instance console I got:
>
> [ OK ] Started ifup for ens3.
>        Starting Raise network interfaces...
> [ *** ] A start job is running for Raise network interfaces (1min 4s / 6min 2s)
> ...
> [ *** ] A start job is running for Raise network interfaces (3min 3s / 6min 2s)
> [ OK ] Finished Raise network interfaces.
> [ OK ] Reached target Network.
>        Starting Initial cloud-init (metadata service crawler)...
> [ 186.709234] cloud-init[514]: Cloud-init v. 20.4.1 running 'init' at Thu, 20 Oct 2022 20:12:41 +0000. Up 186.69 seconds.
> ...
>
> In the log of neutron-linuxbridge-agent.log it seems everything should work:
>
> 2022-10-20 20:17:54.967 59611 INFO neutron.plugins.ml2.drivers.agent._common_agent [req-9e6b23d3-1e0e-4c48-8f0e-30d761233188 - - - - -] Port tap4f68bcf1-4d updated.
Details: {'device': 'tap4f68bcf1-4d', 'network_id': '9223f9ff-7ab0-4268-9b7f-3b5966625c65', 'port_id': '4f68bcf1-4d32-4ad3-a0df-0415f7170c5d', 'mac_address': 'fa:16:3e:c3:2e:6c', 'admin_state_up': True, 'network_type': 'flat', 'segmentation_id': None, 'physical_network': 'provider', 'mtu': 1500, 'fixed_ips': [{'subnet_id': '12cdcc06-bbf0-48f2-b303-bdfab460c696', 'ip_address': '145.238.137.52'}], 'device_owner': 'compute:nova', 'allowed_address_pairs': [], 'port_security_enabled': True, 'qos_policy_id': None, 'network_qos_policy_id': None, 'profile': {}, 'propagate_uplink_status': False} > > But I'm unable to ping any instance. > > Any idea ? > > Regards > -------------- next part -------------- An HTML attachment was scrubbed... URL: From zigo at debian.org Fri Oct 21 08:11:11 2022 From: zigo at debian.org (Thomas Goirand) Date: Fri, 21 Oct 2022 10:11:11 +0200 Subject: [telemetry][cloudkitty][ceilometer] Billing windows instances Message-ID: <07d23aac-fee9-cd11-bf25-5030dba2cf6c@debian.org> Hi there! We're using telemetry+cloudkitty for our rating. We're happy of it, though we're having the issue that we would like to bill instances running Windows. The example given in the Cloudkitty doc shows how to bill more when an instance runs Windows. That works in theory, though in practice, Microsoft has a license model based on how many vCPU the instannce runs. So the model that the Cloudkitty documentation shows simply doesn't work with the SPLA thingy. We've looked at options. One way would of course writing a new custom pollster, but we don't like the idea: this would mean polling for all of the thousands of instances that are running in our deployments. So we would very much prefer having ceilometer running on compute node (with polling_namespaces=compute) to do the work, as this scales a way better. However, Ceilometer polls libvirt, which only has the information about the image ID, not the metadata associated with the image (like the property os_type=windows, for example). So, is there a better way than a dynamic pollster? Can this be done with ceilometer on the compute nodes? Cheers, Thomas Goirand (zigo) From satish.txt at gmail.com Fri Oct 21 09:49:31 2022 From: satish.txt at gmail.com (Satish Patel) Date: Fri, 21 Oct 2022 05:49:31 -0400 Subject: [kolla] single Network interface In-Reply-To: References: <49f4b31f-d0c9-4b0a-be3c-70480f45f39e@app.fastmail.com> Message-ID: Here is the doc to deploy kolla using a single network interface port. https://www.keepcalmandrouteon.com/post/kolla-os-part-1/ On Thu, Oct 20, 2022 at 4:46 AM Sean Mooney wrote: > I have not been following this too cloesly and sorry to top post but its > possibel to deploy multi node openstack using a singel interface. > i often do that with devstack and it shoudl be possibel to do with kolla. > > first if you do not need vlan/flat tenant networks and and geneve/vxlan > with ml2/ovs or ml2/ovn is sufficent then the tunell endpoint ip can just be > the manamgnet interface. when im deploying wiht devstack i just create a > dumy interfaces and use that for neutorn > so you shoudl be able to do that for kolla-ansible too just have a > playbook that will create a dumy interface on all host and set that as the > neutron_interface. > > in kolla all other interface are shared by defautl so its only the > nuetorn_interface for the br-ex that need to be managed. > this approch reqired yuo to asign the gateway ip for the external network > to one of the contolers and configre that host in your router. 
> > the better approch whihc allows provider networks to work and avoids the > need to asisng the gateway ip in a hacky way is use macvlan interfaces > i dont thinki have an example of this form my home cloud any more since i > have redpeloyed it but i previoulsy used to create macvlan sub interfaces > > to do this by hand you would do somehting like this > > sudo ip link add api link eth0 type macvlan mode bridge > sudo ip link add ovs link eth0 type macvlan mode bridge > sudo ip link add storage link eth0 type macvlan mode bridge > sudo ifconfig api up > sudo ifconfig ovs up > sudo ifconfig storage up > > > you can wrap that up into a systemd service file and have it run before > the docker service. > if your on ubuntu netplan does not support macvlans currently but you can > do it the tradtional way or wiht systemd networkd > > Macvlan allows a single physical interface to have multiple mac and ip > addresses. > you can also do the same with a linux bridge but that is less then ideal > in terms of performance. > if your nic support sriov another good way to partion then nice is to use > a VF > > in this case you just put a trivial udev rule to allocate them or use > netplan > https://netplan.io/examples its the final example. > > > macvlan works if you dont have hardware supprot for sriov and sriov is a > good option otherwise > > On Thu, 2022-10-20 at 11:06 +0900, Bernd Bausch wrote: > > SInce you can easily have five to ten different networks in a cloud > > installation, e.g. networks dedicated to object storage, provider > > networks for Octavia, a network just for iSCSI etc, VLANs are (or used > > to be?) a common solution. See for example the (sadly, defunct) SUSE > > OpenStack cloud > > > https://documentation.suse.com/soc/9/html/suse-openstack-cloud-crowbar-all/cha-deploy-poc.html#sec-depl-poc-vlans > . > > > > On 2022/10/20 8:50 AM, Clark Boylan wrote: > > > On Wed, Oct 19, 2022, at 4:44 PM, Michal Arbet wrote: > > > > Hmm, > > > > > > > > But I think there is a problem with vlan - you need to setup it in > OVS, > > > > don't you ? > > > There was also a bridge and a veth pair involved: > https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e/manifests/veth.pp > > > > > > Possibly to deal with this? Like I said its been a long time and I > don't remember the details. I just know it was possible to solve at least > at the time. Linux gives you a whole suite of virtual network components > that you can throw together to workaround physical limitations like this. > > > > > > > Michal Arbet > > > > Openstack Engineer > > > > > > > > Ultimum Technologies a.s. > > > > Na Po???? 1047/26, 11000 Praha 1 > > > > Czech Republic > > > > > > > > +420 604 228 897 > > > > michal.arbet at ultimum.io > > > > _https://ultimum.io_ > > > > > > > > LinkedIn | > > > > Twitter | Facebook > > > > > > > > > > > > > > > > st 19. 10. 2022 v 23:57 odes?latel Clark Boylan < > cboylan at sapwetik.org> napsal: > > > > > On Wed, Oct 19, 2022, at 9:40 AM, Michal Arbet wrote: > > > > > > Hi, > > > > > > > > > > > > If I am correct this is not possible currently, but I remember I > was > > > > > > working on a solution, but unfortunately I stopped at some point > > > > > > because kolla upstream didn't want to maintain. > > > > > > > > > > > > In attachment you can find patches for kolla and kolla-ansible > and our idea. 
> > > > > > > > > > > > We added python script to kolla container and provide netplan > style > > > > > > configuration by kolla-ansible ..so openvswitch starts and > configured > > > > > > networking as it was set in configuration (if i remember ...it > is quite > > > > > > long time....and of course it was not final version ...but if i > > > > > > remember it somehow worked). > > > > > > > > > > > > So, you can check it and maybe we can discuss this feature again > :) > > > > > > > > > > > > Thanks, > > > > > > Kevko > > > > > > > > > > > > > > > > > > Michal Arbet > > > > > > Openstack Engineer > > > > > > > > > > > > Ultimum Technologies a.s. > > > > > > Na Po???? 1047/26, 11000 Praha 1 > > > > > > Czech Republic > > > > > > > > > > > > +420 604 228 897 > > > > > > michal.arbet at ultimum.io > > > > > > _https://ultimum.io_ > > > > > > > > > > > > LinkedIn > | > > > > > > Twitter | Facebook > > > > > > > > > > > > > > > > > > > > > > > > po 17. 10. 2022 v 19:24 odes?latel Parsa Aminian > > > > > > napsal: > > > > > > > Hello > > > > > > > I use kolla ansible wallaby version . > > > > > > > my compute node has only one port . is it possible to use this > server ? as I know openstack compute need 2 port one for management and > other for external user network . Im using provider_networks and it seems > neutron_external_interface could not be the same as network_interface > because openvswitch need to create br-ex bridge on separate port > > > > > > > is there any solution that i can config my compute with 1 port > ? > > > > > A very long time ago the OpenStack Infra Team ran the > "Infracloud". This OpenStack installation ran on donated hardware and the > instances there only had a single network port as well. To workaround this > we ended up using vlan specific subinterfaces on the node so that logically > we were presenting more than one interface to the OpenStack installation. > > > > > > > > > > I don't remember all the details but the now retired > opendev/puppet-infracloud repo may have some clues: > https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e > > > > > > > > > > > Attachments: > > > > > > * ovs_kolla > > > > > > * ovs_kolla_ansible > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From stephenfin at redhat.com Fri Oct 21 10:42:20 2022 From: stephenfin at redhat.com (Stephen Finucane) Date: Fri, 21 Oct 2022 11:42:20 +0100 Subject: [PTL][TC] library *feature* freeze at Milestone-2 In-Reply-To: References: Message-ID: <553fd064379209d0ceae91eb747c8d0656996321.camel@redhat.com> On Wed, 2022-10-19 at 17:10 +0000, El?d Ill?s wrote: > Hi, > > During 'TC + Community leaders interaction' [1] a case was discussed, where a > late library release caused last minute fire fighting in Zed cycle, and people > discussed the possibility to introduce a (non-client) library *feature* freeze > at Milestone-2 to avoid similar issues in the future. > > I've started to propose the possible schedule change [2] (note: it's not ready > yet as it does not emphasize that at Milestone-2 we mean *feature* freeze for > libraries, not "final library release"). The patch already got some reviews > from library maintainers so I'm calling the attention to this change here on > the ML. Repeating what I said on the reviews, I'd really rather not do this. There are a couple of reasons for this. Firstly, regarding the proposal itself, this is going to make my life as an oslo maintainer harder than it already is. 
This is a crucial point. I'm not aware of anyone whose official job responsibilities extend to oslo and it's very much a case of doing it because no one else is doing it. We're a tiny team and pretty overwhelmed with multiple other non-oslo $things and for me at least this means I tend to do oslo work (including reviews) in spurts. Introducing a rather large window (6 weeks per cycle, which is approximately 1/4 of the total available time in a cycle) during which we can't merge the larger, harder to review feature patches is simply too long: whatever context I would have built up before the freeze would be long-since gone after a month and a half. Secondly, regarding the issue that led to this proposal, I don't think this proposal would have actually helped. The patch that this proposal stems from was actually merged back on July 20th [1]. This was technically after Zed M2 but barely (5 days [2]). However, reports of issues didn't appear until September, when this was released as oslo.db 12.1.0 [3][4]. If we had released 12.1.0 in late July or early August, the issue would have been spotted far earlier, but as noted above the oslo team is tiny and overwhelmed, and I would guess the release team is in a similar boat (and can't be expected to know about all these things). I also feel compelled to note that this didn't arrive out of the blue. I have been shouting about SQLAlchemy 2.0 for over a year now [5] and I have also been quite vocal about other oslo.db-related changes on their way [6][7]. For the SQLAlchemy 2.0 case specifically, clearly not enough people have been listening. I sympathise (again, tiny, overwhelmed teams are not an oslo-specific phenomenon) but the pain was going to arrive eventually and it's just unfortunate that it landed with an oslo.db release that was cut so close to the deadline (see above). I manged to get nova, cinder and placement prepared well ahead of time but it isn't sustainable for one person to do this for all projects. Project teams need to prioritise this stuff ahead of time rather than waiting until things are on fire. Finally, it's worth remembering that this isn't a regular occurence. Yes, there was some pain, but we handled the issue pretty well (IMO) and affected projects are now hopefully aware of the ticking tech debt bomb ? sitting in their codebase. However, as far as I can tell, there's no trend of the oslo team (or any other library project) introducing breaking changes like this so close to release deadlines, so it does feel a bit like putting the cart before the horse. To repeat myself from the top, I'd really rather not do this. If we wanted to start cutting oslo releases faster, by all means let's figure out how to do that. If we wanted to branch earlier and keep master moving, I'm onboard. Preventing us from merging features for a combined ~3 months of the year is a non-starter IMO though. 
Cheers, Stephen [1] https://review.opendev.org/c/openstack/oslo.db/+/804775 [2] https://releases.openstack.org/zed/schedule.html [3] https://review.opendev.org/c/openstack/releases/+/853975/ [4] https://lists.openstack.org/pipermail/openstack-discuss/2022-September/030317.html [5] https://lists.openstack.org/pipermail/openstack-discuss/2021-August/024122.html [6] https://lists.openstack.org/pipermail/openstack-discuss/2022-April/028197.html [7] https://lists.openstack.org/pipermail/openstack-discuss/2022-April/028198.html > > Thanks everyone for the responses in advance, > > El?d > > [1] > https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030718.html > [2] https://review.opendev.org/c/openstack/releases/+/861900 From stephenfin at redhat.com Fri Oct 21 10:48:41 2022 From: stephenfin at redhat.com (Stephen Finucane) Date: Fri, 21 Oct 2022 11:48:41 +0100 Subject: [PTL][TC] library *feature* freeze at Milestone-2 In-Reply-To: <553fd064379209d0ceae91eb747c8d0656996321.camel@redhat.com> References: <553fd064379209d0ceae91eb747c8d0656996321.camel@redhat.com> Message-ID: On Fri, 2022-10-21 at 11:42 +0100, Stephen Finucane wrote: > On Wed, 2022-10-19 at 17:10 +0000, El?d Ill?s wrote: > > Hi, > > > > During 'TC + Community leaders interaction' [1] a case was discussed, where a > > late library release caused last minute fire fighting in Zed cycle, and people > > discussed the possibility to introduce a (non-client) library *feature* freeze > > at Milestone-2 to avoid similar issues in the future. > > > > I've started to propose the possible schedule change [2] (note: it's not ready > > yet as it does not emphasize that at Milestone-2 we mean *feature* freeze for > > libraries, not "final library release"). The patch already got some reviews > > from library maintainers so I'm calling the attention to this change here on > > the ML. > > Repeating what I said on the reviews, I'd really rather not do this. There are a > couple of reasons for this. Firstly, regarding the proposal itself, this is > going to make my life as an oslo maintainer harder than it already is. This is a > crucial point. I'm not aware of anyone whose official job responsibilities > extend to oslo and it's very much a case of doing it because no one else is > doing it. We're a tiny team and pretty overwhelmed with multiple other non-oslo > $things and for me at least this means I tend to do oslo work (including > reviews) in spurts. Introducing a rather large window (6 weeks per cycle, which > is approximately 1/4 of the total available time in a cycle) during which we > can't merge the larger, harder to review feature patches is simply too long: > whatever context I would have built up before the freeze would be long-since > gone after a month and a half. > > Secondly, regarding the issue that led to this proposal, I don't think this > proposal would have actually helped. The patch that this proposal stems from was > actually merged back on July 20th [1]. This was technically after Zed M2 but > barely (5 days [2]). However, reports of issues didn't appear until September, > when this was released as oslo.db 12.1.0 [3][4]. If we had released 12.1.0 in > late July or early August, the issue would have been spotted far earlier, but as > noted above the oslo team is tiny and overwhelmed, and I would guess the release > team is in a similar boat (and can't be expected to know about all these > things). > > I also feel compelled to note that this didn't arrive out of the blue. 
I have > been shouting about SQLAlchemy 2.0 for over a year now [5] and I have also been > quite vocal about other oslo.db-related changes on their way [6][7]. For the > SQLAlchemy 2.0 case specifically, clearly not enough people have been listening. > I sympathise (again, tiny, overwhelmed teams are not an oslo-specific > phenomenon) but the pain was going to arrive eventually and it's just > unfortunate that it landed with an oslo.db release that was cut so close to the > deadline (see above). I manged to get nova, cinder and placement prepared well > ahead of time but it isn't sustainable for one person to do this for all > projects. Project teams need to prioritise this stuff ahead of time rather than > waiting until things are on fire. > > Finally, it's worth remembering that this isn't a regular occurence. Yes, there > was some pain, but we handled the issue pretty well (IMO) and affected projects > are now hopefully aware of the ticking tech debt bomb ? sitting in their > codebase. However, as far as I can tell, there's no trend of the oslo team (or > any other library project) introducing breaking changes like this so close to > release deadlines, so it does feel a bit like putting the cart before the horse. Oh, and one final point here: I didn't actually _know_ this was going to cause as many issue as it did. Perhaps there's value in an oslo-tips job that tests service projects against the HEAD of the various oslo libraries. However, that's a whole load of extra CI resources that we'd have to find resources for. Testing in oslo.db itself didn't and wouldn't catch this because all the affected projects were all projects that were not deployed by default in 'tempest-full- py3' job. Stephen > > To repeat myself from the top, I'd really rather not do this. If we wanted to > start cutting oslo releases faster, by all means let's figure out how to do > that. If we wanted to branch earlier and keep master moving, I'm onboard. > Preventing us from merging features for a combined ~3 months of the year is a > non-starter IMO though. 
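To make the "oslo-tips" idea concrete: such a job would essentially just have to install the oslo libraries from their master branches before running a project's tests. A rough, purely illustrative sketch (the library list and the test runner here are assumptions, not an existing job definition):

# install the project's normal requirements first
pip install -r requirements.txt -r test-requirements.txt
# then override the oslo libraries with their current master branches
pip install --upgrade git+https://opendev.org/openstack/oslo.db git+https://opendev.org/openstack/oslo.messaging
# run the project's unit tests against the unreleased libraries
stestr run

Anything that breaks here would surface before a release is cut, rather than after.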
> > Cheers, > Stephen > > > [1] https://review.opendev.org/c/openstack/oslo.db/+/804775 > [2] https://releases.openstack.org/zed/schedule.html > [3] https://review.opendev.org/c/openstack/releases/+/853975/ > [4] https://lists.openstack.org/pipermail/openstack-discuss/2022-September/030317.html > [5] https://lists.openstack.org/pipermail/openstack-discuss/2021-August/024122.html > [6] https://lists.openstack.org/pipermail/openstack-discuss/2022-April/028197.html > [7] https://lists.openstack.org/pipermail/openstack-discuss/2022-April/028198.html > > > > > Thanks everyone for the responses in advance, > > > > El?d > > > > [1] > > https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030718.html > > [2] https://review.opendev.org/c/openstack/releases/+/861900 > From thierry at openstack.org Fri Oct 21 10:57:32 2022 From: thierry at openstack.org (Thierry Carrez) Date: Fri, 21 Oct 2022 12:57:32 +0200 Subject: [PTL][TC] library *feature* freeze at Milestone-2 In-Reply-To: <553fd064379209d0ceae91eb747c8d0656996321.camel@redhat.com> References: <553fd064379209d0ceae91eb747c8d0656996321.camel@redhat.com> Message-ID: <956a91a1-b77e-60bc-2ab4-877b0139d03b@openstack.org> Stephen Finucane wrote: > On Wed, 2022-10-19 at 17:10 +0000, El?d Ill?s wrote: >> During 'TC + Community leaders interaction' [1] a case was discussed, where a >> late library release caused last minute fire fighting in Zed cycle, and people >> discussed the possibility to introduce a (non-client) library *feature* freeze >> at Milestone-2 to avoid similar issues in the future. >> [...] > > Repeating what I said on the reviews, I'd really rather not do this. [...] I tend to agree with Stephen on this... Cutting a significant window of time to handle a relatively rare occurrence might not be a great tradeoff. From a release management perspective, if that ensured that we'd always avoid last-minute release issues, I would support it. But reality is, this covers just a part of our blind spot. There are a lot of reasons why CI for a particular project ends up no longer working, Oslo breaking changes is just one of them. Periodically checking that CI works for all projects (ideally through normalized periodic testing, if not through regularly posting a bunch of noop test changes in inactive repositories) would detect issues earlier and cover all of our blind spot. We should also make sure we only ship actively-maintained projects, so that we know who to turn to to fix it when it's broken. Freezing Oslo a lot earlier? Not convinced. -- Thierry Carrez (ttx) From marios at redhat.com Fri Oct 21 13:05:26 2022 From: marios at redhat.com (Marios Andreou) Date: Fri, 21 Oct 2022 16:05:26 +0300 Subject: [tripleo] gate blocker centos 9 content provider - trending fixed Message-ID: Hello FYI (few folks asking in irc apologies should have sent sooner) gate blocker on the content provider https://bugs.launchpad.net/tripleo/+bug/1984237/comments/5 thanks chkumar we are trying to get a fix through gate at https://review.opendev.org/c/openstack/tripleo-quickstart/+/856582 please hold your recheck until that merges or use depends-on thank you! From arnaud.morin at gmail.com Fri Oct 21 14:55:37 2022 From: arnaud.morin at gmail.com (Arnaud Morin) Date: Fri, 21 Oct 2022 14:55:37 +0000 Subject: [large-scale][oslo.messaging] RPC workers and db connection Message-ID: Hey all, TLDR: How can I fine tune the number of DB connection on OpenStack services? 
Long story, with some inline questions:

I am trying to figure out the maximum number of DB connections we should allow on our DB cluster. For this short write-up I will use neutron RPC as the example service, but I think nova behaves similarly.

To do so, I identified a few parameters that I can tweak:

rpc_workers [1]
max_pool_size [2]
max_overflow [3]
executor_thread_pool_size [4]

rpc_workers default is half the CPU threads available (result of nproc)
max_pool_size default is 5
max_overflow default is 50
executor_thread_pool_size default is 64

Now imagine I have a server with 40 cores, so rpc_workers will be 20. Each worker will have a DB pool with 5+50 connections available. Each worker will use up to 64 "green" threads.

The theoretical max connections that I should set on my database is then:

rpc_workers * (max_pool_size + max_overflow) = 20 * (5 + 50) = 1100

Q1: am I right here? I have the feeling that this is huge.

Now, let's assume each thread consumes 1 connection from the DB pool. Under heavy load, I am afraid that the 64 threads could exceed max_pool_size+max_overflow. Also, I noticed that some green threads were consuming more than 1 connection from the pool, so I can reach the max even sooner!

Another thing, I notice that I have 21 RPC workers, not 20. Is it normal?

[1] https://docs.openstack.org/neutron/latest/configuration/neutron.html#DEFAULT.rpc_workers
[2] https://docs.openstack.org/neutron/latest/configuration/neutron.html#database.max_pool_size
[3] https://docs.openstack.org/neutron/latest/configuration/neutron.html#database.max_overflow
[4] https://docs.openstack.org/neutron/latest/configuration/neutron.html#DEFAULT.executor_thread_pool_size

Cheers,
Arnaud.

From rafaelweingartner at gmail.com Fri Oct 21 15:40:28 2022
From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=)
Date: Fri, 21 Oct 2022 12:40:28 -0300
Subject: [telemetry][cloudkitty][ceilometer] Billing windows instances
In-Reply-To: <07d23aac-fee9-cd11-bf25-5030dba2cf6c@debian.org>
References: <07d23aac-fee9-cd11-bf25-5030dba2cf6c@debian.org>
Message-ID: 

Hello Zigo!

You might want to take a look at the new implementations we made in Ceilometer and CloudKitty:
- https://review.opendev.org/c/openstack/cloudkitty/+/861806
- https://review.opendev.org/c/openstack/ceilometer/+/856178
- https://review.opendev.org/c/openstack/ceilometer/+/852021
- https://review.opendev.org/c/openstack/ceilometer/+/850253
- https://review.opendev.org/c/openstack/ceilometer/+/855953

Not directly related to this use case, but they might also interest you:
- https://review.opendev.org/c/openstack/cloudkitty/+/861786
- https://review.opendev.org/c/openstack/cloudkitty/+/861807
- https://review.opendev.org/c/openstack/cloudkitty/+/861908
- https://review.opendev.org/c/openstack/ceilometer/+/856972
- https://review.opendev.org/c/openstack/ceilometer/+/861109
- https://review.opendev.org/c/openstack/ceilometer/+/856304
- https://review.opendev.org/c/openstack/ceilometer/+/856305

In short, we can now create Ceilometer compute dynamic pollsters, which can execute scripts on the host and check the actual operating system installed in the VM. This data can then be pushed back to the storage backend via Ceilometer as an attribute, which is then processed in CloudKitty. Furthermore, we extended CloudKitty to generate different ratings for the same metric, so we do not need multiple metrics to have different CloudKitty ratings appearing for users.
This allows us, for instance, to have one rating for the VM usage itself, and others for each license, and so on. On Fri, Oct 21, 2022 at 5:19 AM Thomas Goirand wrote: > Hi there! > > We're using telemetry+cloudkitty for our rating. We're happy of it, > though we're having the issue that we would like to bill instances > running Windows. > > The example given in the Cloudkitty doc shows how to bill more when an > instance runs Windows. That works in theory, though in practice, > Microsoft has a license model based on how many vCPU the instannce runs. > So the model that the Cloudkitty documentation shows simply doesn't work > with the SPLA thingy. > > We've looked at options. One way would of course writing a new custom > pollster, but we don't like the idea: this would mean polling for all of > the thousands of instances that are running in our deployments. So we > would very much prefer having ceilometer running on compute node (with > polling_namespaces=compute) to do the work, as this scales a way better. > > However, Ceilometer polls libvirt, which only has the information about > the image ID, not the metadata associated with the image (like the > property os_type=windows, for example). > > So, is there a better way than a dynamic pollster? Can this be done with > ceilometer on the compute nodes? > > Cheers, > > Thomas Goirand (zigo) > > -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From elod.illes at est.tech Fri Oct 21 17:30:55 2022 From: elod.illes at est.tech (=?utf-8?B?RWzDtWQgSWxsw6lz?=) Date: Fri, 21 Oct 2022 17:30:55 +0000 Subject: [ptl][release][stable][EM] Extended Maintenance - Wallaby Message-ID: Hi, In less than a two weeks Wallaby is planned to transition to Extended Maintenance phase [1] (planned date: November 2nd, 2022). The release patches for the transition have been generated [2], these patches mark the latest release in stable/wallaby with wallaby-em. PTLs and release liaisons are encouraged to approve them as soon as possible, by latest before the transition date. After the transition stable/wallaby will be still open for bug fixes, but there won't be any official releases. Note: if a team wants to do a final release before the transition, then it can be done, but be careful to not release fixes that could break things to avoid broken releases as *final* stable Wallaby release. Thanks, El?d irc: elodilles @ #openstack-releases [1] https://releases.openstack.org/ [2] https://review.opendev.org/q/topic:wallaby-em -------------- next part -------------- An HTML attachment was scrubbed... URL: From helena at openstack.org Fri Oct 21 17:49:33 2022 From: helena at openstack.org (Helena Spease) Date: Fri, 21 Oct 2022 10:49:33 -0700 Subject: Track Chair Nominations Close in One Week! Message-ID: <8DEC8B1D-9D52-4622-B0C1-24626E791345@openstack.org> Hey everyone! Track Chair nominations for the 2023 OpenInfra Summit in Vancouver (June 13-15, 2023) are closing soon! Please submit your nominations before they close on October 28, 2022 Track Chairs for each Track will help build the Summit schedule, and are made up of individuals working in open infrastructure. 
Responsibilities include: - Help the Summit team put together the best possible content based on your subject matter expertise - Promote the individual Tracks within your networks - Review the submissions and Community voting results in your particular Track - Determine if there are any major content gaps in your Track, and if so, potentially solicit additional speakers directly to submit - Ensure diversity of speakers and companies represented in your Track - Avoid vendor sales pitches, focusing more on real-world user stories and technical, in-the-trenches experiences 2023 Summit Tracks: - 5G/NFV & Edge - AI/Machine Learning/HPC - CI/CD - Container Infrastructure - Getting Started - Hardware Enablement - Open Development - Private & Hybrid Cloud - Public Cloud - Security - Hands On Workshops Full track descriptions are available here . If you?re interested in nominating yourself or someone else to be a member of the Summit Track Chairs for a specific Track, please fill out the nomination form . Nominations will close on October 28th, 2022. Track Chairs selections will occur before we close the Call for Presentations (CFP) so that the Chairs can host office hours to consult on submissions, and help promote the event. CFP will be opening in November, registration and sponsorship information are already available. Please email speakersupport at openinfra.dev with any questions or feedback. Cheers, Helena Spease -------------- next part -------------- An HTML attachment was scrubbed... URL: From dsmigiel at redhat.com Fri Oct 21 18:18:26 2022 From: dsmigiel at redhat.com (dsmigiel at redhat.com) Date: Fri, 21 Oct 2022 11:18:26 -0700 Subject: [tripleo] gate blocker centos 9 content provider - trending fixed In-Reply-To: References: Message-ID: <149019762ef4da63f2aae26abc179119e9f1c147.camel@redhat.com> On Fri, 2022-10-21 at 16:05 +0300, Marios Andreou wrote: > Hello > > FYI (few folks asking in irc apologies should have sent sooner) > > gate blocker on the content provider > https://bugs.launchpad.net/tripleo/+bug/1984237/comments/5 > > thanks chkumar we are trying to get a fix through gate at > https://review.opendev.org/c/openstack/tripleo-quickstart/+/856582 > > please hold your recheck until that merges or use depends-on > The change has been merged. All seems to be working again. Thanks, Dariusz From rajiv.mucheli at gmail.com Fri Oct 21 09:25:26 2022 From: rajiv.mucheli at gmail.com (rajiv mucheli) Date: Fri, 21 Oct 2022 14:55:26 +0530 Subject: Follow up on https://storyboard.openstack.org/#!/story/2010377 Message-ID: Hi, Unlike Openstack Yoga, where the setuptools version was set in upper-contstraints.txt. This is not set in Openstack Zed, which uses jammy with python 3.10. I get the below while performing few tests : - [[ -f /failure ]] - echo Wheel failed to build - cat /failure Wheel failed to build thrift===0.16.0 python-nss===1.0.1 We will need to stay with setuptools <58 to fix the 2to3 compiler issue, else anyjson packages adds up to the above list, but thrift is removed when setuptools >63. Regards, Rajiv -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From jaiswalaj716 at gmail.com Fri Oct 21 09:55:34 2022 From: jaiswalaj716 at gmail.com (Ayush Jaiswal) Date: Fri, 21 Oct 2022 15:25:34 +0530 Subject: Seeking help for Keystone Error while assign_role_to_user for a Project in Openstack SDK Message-ID: Hi Team, I am using the Openstack SDK in my django rest api project where I have to create a new project and assign various users with different roles to that project in openstack. However, while adding a user to a project I am getting the following error. [image: image.png] Complete details of the steps I followed that resulted in this error are in the text file attached with this email. Kindly help me resolve this issue. Your support is highly appreciated. -- Thanks and Regards, Ayush Jaiswal -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 47351 bytes Desc: not available URL: -------------- next part -------------- # clouds.yml file content START. Replace the credentials accordingly. # This is a clouds.yaml file, which can be used by OpenStack tools as a source # of configuration on how to connect to a cloud. If this is your only cloud, # just put this file in ~/.config/openstack/clouds.yaml and tools like # python-openstackclient will just work with no further config. (You will need # to add your password to the auth section) # If you have more than one cloud account, add the cloud entry to the clouds # section of your existing file and you can refer to them by name with # OS_CLOUD=openstack or --os-cloud=openstack clouds: openstack: auth: auth_url: http://192.168.36.129:5000 username: "admin" password: "admin" project_id: d525a3ec045045d3b430420458e9a990 project_name: "admin" user_domain_name: "Default" region_name: "RegionOne" interface: "public" identity_api_version: 3 # clouds.yml file content END. # Following are python shell commands to assign a user to the project # For importing connection object of openstack sdk to access openstack >>> from cloud_resources.connect import conn # To check if object "conn" is working properly >>> servers = conn.compute.servers() # If following shell command prints a list of server then connection is established successfully and object "conn" is working properly. # I performed the same check and it was working fine. >>> print(servers) # To fetch an existing Project with Project ID = 37ac4f1be68e4c95b666f0750f5efc8d. Replace with your Project ID. >>> project = conn.identity.get_project("37ac4f1be68e4c95b666f0750f5efc8d") # Following shell command prints the project's detail # I performed the same check and it was working fine. >>> print(project) # To fetch an existing User with User ID = e5b8d04148ea41c48028728cdc484497. Replace with your User ID. >>> user = conn.identity.get_user("e5b8d04148ea41c48028728cdc484497") # Following shell command prints the user's detail # I performed the same check and it was working fine. >>> print(user) # To fetch an existing Role (with which the project will be accessed by the user) with Role ID = 3e875c2689de4b9aa4bc38739578e7f5. Replace with your Role ID. # This is ID is of role Admin >>> role = conn.identity.get_role("3e875c2689de4b9aa4bc38739578e7f5") # Following shell command prints the role's detail # I performed the same check and it was working fine. >>> print(role) # Calling the openstack sdk built-in function to assign user to the project with the Admin role. 
>>> project.assign_role_to_user(conn.session, user, role) # Output of the above shell command Traceback (most recent call last): File "", line 1, in File "/opt/original/OpenYmir/venv/lib/python3.10/site-packages/openstack/identity/v3/project.py", line 69, in assign_role_to_user resp = session.put(url,) File "/opt/original/OpenYmir/venv/lib/python3.10/site-packages/keystoneauth1/session.py", line 1157, in put return self.request(url, 'PUT', **kwargs) File "/opt/original/OpenYmir/venv/lib/python3.10/site-packages/keystoneauth1/session.py", line 815, in request raise exceptions.EndpointNotFound() keystoneauth1.exceptions.catalog.EndpointNotFound: Could not find requested endpoint in Service Catalog. # Observation: With Google search it has been observed that this was an actual bug in the openstack sdk for keystoneauth1 (version < 3.2), but it was resolved afterwards. However, in our scenario this issue is still there even when keystoneauth1 is updated to version 5.0.0. # Pip Freeze output of current venv appdirs==1.4.4 asgiref==3.5.2 certifi==2022.9.24 cffi==1.15.1 charset-normalizer==2.1.1 cryptography==38.0.1 decorator==5.1.1 Django==4.1.2 django-cors-headers==3.13.0 djangorestframework==3.14.0 dogpile.cache==1.1.8 idna==3.4 iso8601==1.1.0 jmespath==1.0.1 jsonpatch==1.32 jsonpointer==2.3 keystoneauth1==5.0.0 munch==2.5.0 netifaces==0.11.0 openstacksdk==0.102.0 os-service-types==1.7.0 pbr==5.10.0 pycparser==2.21 pytz==2022.4 PyYAML==6.0 requests==2.28.1 requestsexceptions==1.4.0 six==1.16.0 sqlparse==0.4.3 stevedore==4.0.1 urllib3==1.26.12 From fungi at yuggoth.org Fri Oct 21 19:04:59 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Fri, 21 Oct 2022 19:04:59 +0000 Subject: Follow up on https://storyboard.openstack.org/#!/story/2010377 In-Reply-To: References: Message-ID: <20221021190459.r4migw3zlqehlwa5@yuggoth.org> [Keeping you in Cc because you don't seem to be subscribed, but please reply to the list address.] On 2022-10-21 14:55:26 +0530 (+0530), rajiv mucheli wrote: > Unlike Openstack Yoga, where the setuptools version was set in > upper-contstraints.txt. This is not set in Openstack Zed, which uses jammy > with python 3.10. [...] Zed was tested on Ubuntu Focal (20.04 LTS) not Jammy (22.04 LTS): https://governance.openstack.org/tc/reference/runtimes/zed.html -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From elod.illes at est.tech Fri Oct 21 20:05:26 2022 From: elod.illes at est.tech (=?utf-8?B?RWzDtWQgSWxsw6lz?=) Date: Fri, 21 Oct 2022 20:05:26 +0000 Subject: [PTL][TC] library *feature* freeze at Milestone-2 In-Reply-To: References: <553fd064379209d0ceae91eb747c8d0656996321.camel@redhat.com> Message-ID: Thanks Stephen for the detailed summary and explanation of the situation, in this respect I agree with you that the library feature freeze date should not be on such early date in the cycle as Milestone-2. If anyone else has any opinion then please let us know. 
Thanks, El?d irc: elodilles @ #openstack-release ________________________________ From: Stephen Finucane Sent: Friday, October 21, 2022 12:48 PM To: El?d Ill?s ; openstack-discuss at lists.openstack.org Subject: Re: [PTL][TC] library *feature* freeze at Milestone-2 On Fri, 2022-10-21 at 11:42 +0100, Stephen Finucane wrote: > On Wed, 2022-10-19 at 17:10 +0000, El?d Ill?s wrote: > > Hi, > > > > During 'TC + Community leaders interaction' [1] a case was discussed, where a > > late library release caused last minute fire fighting in Zed cycle, and people > > discussed the possibility to introduce a (non-client) library *feature* freeze > > at Milestone-2 to avoid similar issues in the future. > > > > I've started to propose the possible schedule change [2] (note: it's not ready > > yet as it does not emphasize that at Milestone-2 we mean *feature* freeze for > > libraries, not "final library release"). The patch already got some reviews > > from library maintainers so I'm calling the attention to this change here on > > the ML. > > Repeating what I said on the reviews, I'd really rather not do this. There are a > couple of reasons for this. Firstly, regarding the proposal itself, this is > going to make my life as an oslo maintainer harder than it already is. This is a > crucial point. I'm not aware of anyone whose official job responsibilities > extend to oslo and it's very much a case of doing it because no one else is > doing it. We're a tiny team and pretty overwhelmed with multiple other non-oslo > $things and for me at least this means I tend to do oslo work (including > reviews) in spurts. Introducing a rather large window (6 weeks per cycle, which > is approximately 1/4 of the total available time in a cycle) during which we > can't merge the larger, harder to review feature patches is simply too long: > whatever context I would have built up before the freeze would be long-since > gone after a month and a half. > > Secondly, regarding the issue that led to this proposal, I don't think this > proposal would have actually helped. The patch that this proposal stems from was > actually merged back on July 20th [1]. This was technically after Zed M2 but > barely (5 days [2]). However, reports of issues didn't appear until September, > when this was released as oslo.db 12.1.0 [3][4]. If we had released 12.1.0 in > late July or early August, the issue would have been spotted far earlier, but as > noted above the oslo team is tiny and overwhelmed, and I would guess the release > team is in a similar boat (and can't be expected to know about all these > things). > > I also feel compelled to note that this didn't arrive out of the blue. I have > been shouting about SQLAlchemy 2.0 for over a year now [5] and I have also been > quite vocal about other oslo.db-related changes on their way [6][7]. For the > SQLAlchemy 2.0 case specifically, clearly not enough people have been listening. > I sympathise (again, tiny, overwhelmed teams are not an oslo-specific > phenomenon) but the pain was going to arrive eventually and it's just > unfortunate that it landed with an oslo.db release that was cut so close to the > deadline (see above). I manged to get nova, cinder and placement prepared well > ahead of time but it isn't sustainable for one person to do this for all > projects. Project teams need to prioritise this stuff ahead of time rather than > waiting until things are on fire. > > Finally, it's worth remembering that this isn't a regular occurence. 
Yes, there > was some pain, but we handled the issue pretty well (IMO) and affected projects > are now hopefully aware of the ticking tech debt bomb ? sitting in their > codebase. However, as far as I can tell, there's no trend of the oslo team (or > any other library project) introducing breaking changes like this so close to > release deadlines, so it does feel a bit like putting the cart before the horse. Oh, and one final point here: I didn't actually _know_ this was going to cause as many issue as it did. Perhaps there's value in an oslo-tips job that tests service projects against the HEAD of the various oslo libraries. However, that's a whole load of extra CI resources that we'd have to find resources for. Testing in oslo.db itself didn't and wouldn't catch this because all the affected projects were all projects that were not deployed by default in 'tempest-full- py3' job. Stephen > > To repeat myself from the top, I'd really rather not do this. If we wanted to > start cutting oslo releases faster, by all means let's figure out how to do > that. If we wanted to branch earlier and keep master moving, I'm onboard. > Preventing us from merging features for a combined ~3 months of the year is a > non-starter IMO though. > > Cheers, > Stephen > > > [1] https://review.opendev.org/c/openstack/oslo.db/+/804775 > [2] https://releases.openstack.org/zed/schedule.html > [3] https://review.opendev.org/c/openstack/releases/+/853975/ > [4] https://lists.openstack.org/pipermail/openstack-discuss/2022-September/030317.html > [5] https://lists.openstack.org/pipermail/openstack-discuss/2021-August/024122.html > [6] https://lists.openstack.org/pipermail/openstack-discuss/2022-April/028197.html > [7] https://lists.openstack.org/pipermail/openstack-discuss/2022-April/028198.html > > > > > Thanks everyone for the responses in advance, > > > > El?d > > > > [1] > > https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030718.html > > [2] https://review.opendev.org/c/openstack/releases/+/861900 > -------------- next part -------------- An HTML attachment was scrubbed... URL: From swhitman at groupw.com Fri Oct 21 20:11:56 2022 From: swhitman at groupw.com (Stuart Whitman) Date: Fri, 21 Oct 2022 20:11:56 +0000 Subject: [kolla-ansible] [yoga] [magnum] [k8s] cannot attach persistent volume to pod In-Reply-To: References: Message-ID: I fixed this by replacing the csi-cinder-controllerplugin and the csi-nodeplugin using the manifests found in this project: https://github.com/kubernetes/cloud-provider-openstack. I used kubectl to make the changes. Does anyone know if end-users can configure these kinds of changes when kolla-ansible installs magnum? Or when creating the cluster template? Thanks, -Stu ________________________________ From: Stuart Whitman Sent: Thursday, October 20, 2022 10:09 AM To: openstack-discuss at lists.openstack.org Subject: [kolla-ansible] [yoga] [magnum] [k8s] cannot attach persistent volume to pod Hello, When I try to attach a persistent cinder volume to a pod, I get FailedMount and FailedAttachVolume timeout events. 
I also get these errors in the log of the csi-cinder-controllerplugin-0 pod: E1020 13:38:41.747511 1 reflector.go:126] k8s.io/client-go/informers/factory.go:133: Failed to list *v1beta1.VolumeAttachment: the server could not find the requested resource E1020 13:38:41.748187 1 reflector.go:126] k8s.io/client-go/informers/factory.go:133: Failed to list *v1beta1.CSINode: the server could not find the requested resource ?I fixed a CrashLoopBackoff error with the csi-snapshotter container in the csi-cinder-controllerplugin-0 pod by providing the label "csi_snapshotter_tag=v4.0.0" when I created the cluster template. I found that suggestion in an issue on the GitHub cloud-provider-openstack project. I'm not finding any help with this error on Google. Thanks, -Stu _____________________________________ The information contained in this e-mail and any attachments from Group W may contain confidential and/or proprietary information and is intended only for the named recipient to whom it was originally addressed. If you are not the intended recipient, be aware that any disclosure, distribution, or copying of this e-mail or its attachments is strictly prohibited. If you have received this e-mail in error, please notify the sender immediately of that fact by return e-mail and permanently delete the e-mail and any attachments to it. -------------- next part -------------- An HTML attachment was scrubbed... URL: From fsbiz at yahoo.com Fri Oct 21 22:49:56 2022 From: fsbiz at yahoo.com (Farhad Sunavala) Date: Fri, 21 Oct 2022 22:49:56 +0000 (UTC) Subject: [neutron]: DVR with OVN References: <2109452471.1083312.1666392596041.ref@mail.yahoo.com> Message-ID: <2109452471.1083312.1666392596041@mail.yahoo.com> Hi, Just want to get a feel with how users are using DVR with OVN especially for a medium sized installation (500 nodes, 3000-4000 VMs)Are you just using it in the default configuration with all the complexities and just take the hit when troubleshooting why a particular path doesn't work as expected? Are you taking precautions such as providing VMs with a separate direct path to the public network in case the main interface connected to DVR fails?See OpenInfra 17th minute of Live Ep. 26 Large Scale Neutron Best Practices @?(340) OpenInfra Live Ep. 26: Large Scale OpenStack: Neutron Scaling Best Practices - YouTube | | | | | | | | | | | OpenInfra Live Ep. 26: Large Scale OpenStack: Neutron Scaling Best Pract... | | | Is DVR with OVN reasonably solid for production environments that makes you comfortable enough to use it in installations with around 5000 VMs? thanks,Fred. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gmann at ghanshyammann.com Sat Oct 22 00:37:34 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Fri, 21 Oct 2022 17:37:34 -0700 Subject: [PTL][TC] library *feature* freeze at Milestone-2 In-Reply-To: References: <553fd064379209d0ceae91eb747c8d0656996321.camel@redhat.com> Message-ID: <183fd1faa4b.11531c77092877.4153806712360929468@ghanshyammann.com> ---- On Fri, 21 Oct 2022 13:05:26 -0700 El?d Ill?s wrote --- > div.zm_-846580390376284124_parse_7905949415713004498 P { margin-top: 0; margin-bottom: 0 }Thanks Stephen for the detailed summary and explanation of the situation,in this respect I agree with you that the library feature freeze date shouldnot be on such early date in the cycle as Milestone-2. > If anyone else has any opinion then please let us know. 
You are right, I think Stephen, Herve points from the Oslo maintainer's perspective are all valid and I agree now not to change the feature freeze timeline instead I will work on testing side to make sure we have enough testing with the master code in Oslo as well as on project gate and some cross-project testing. -gmann > Thanks, > El?dirc: elodilles @ #openstack-release > > From: Stephen Finucane stephenfin at redhat.com> > Sent: Friday, October 21, 2022 12:48 PM > To: El?d Ill?s elod.illes at est.tech>; openstack-discuss at lists.openstack.org openstack-discuss at lists.openstack.org> > Subject: Re: [PTL][TC] library *feature* freeze at Milestone-2?On Fri, 2022-10-21 at 11:42 +0100, Stephen Finucane wrote: > > On Wed, 2022-10-19 at 17:10 +0000, El?d Ill?s wrote: > > > Hi, > > > > > > During 'TC + Community leaders interaction' [1] a case was discussed, where a > > > late library release caused last minute fire fighting in Zed cycle, and people > > > discussed the possibility to introduce a (non-client) library *feature* freeze > > > at Milestone-2 to avoid similar issues in the future. > > > > > > I've started to propose the possible schedule change [2] (note: it's not ready > > > yet as it does not emphasize that at Milestone-2 we mean *feature* freeze for > > > libraries, not "final library release"). The patch already got some reviews > > > from library maintainers so I'm calling the attention to this change here on > > > the ML. > > > > Repeating what I said on the reviews, I'd really rather not do this. There are a > > couple of reasons for this. Firstly, regarding the proposal itself, this is > > going to make my life as an oslo maintainer harder than it already is. This is a > > crucial point. I'm not aware of anyone whose official job responsibilities > > extend to oslo and it's very much a case of doing it because no one else is > > doing it. We're a tiny team and pretty overwhelmed with multiple other non-oslo > > $things and for me at least this means I tend to do oslo work (including > > reviews) in spurts. Introducing a rather large window (6 weeks per cycle, which > > is approximately 1/4 of the total available time in a cycle) during which we > > can't merge the larger, harder to review feature patches is simply too long: > > whatever context I would have built up before the freeze would be long-since > > gone after a month and a half. > > > > Secondly, regarding the issue that led to this proposal, I don't think this > > proposal would have actually helped. The patch that this proposal stems from was > > actually merged back on July 20th [1]. This was technically after Zed M2 but > > barely (5 days [2]). However, reports of issues didn't appear until September, > > when this was released as oslo.db 12.1.0 [3][4]. If we had released 12.1.0 in > > late July or early August, the issue would have been spotted far earlier, but as > > noted above the oslo team is tiny and overwhelmed, and I would guess the release > > team is in a similar boat (and can't be expected to know about all these > > things). > > > > I also feel compelled to note that this didn't arrive out of the blue. I have > > been shouting about SQLAlchemy 2.0 for over a year now [5] and I have also been > > quite vocal about other oslo.db-related changes on their way [6][7]. For the > > SQLAlchemy 2.0 case specifically, clearly not enough people have been listening. 
> > I sympathise (again, tiny, overwhelmed teams are not an oslo-specific > > phenomenon) but the pain was going to arrive eventually and it's just > > unfortunate that it landed with an oslo.db release that was cut so close to the > > deadline (see above). I manged to get nova, cinder and placement prepared well > > ahead of time but it isn't sustainable for one person to do this for all > > projects. Project teams need to prioritise this stuff ahead of time rather than > > waiting until things are on fire. > > > > Finally, it's worth remembering that this isn't a regular occurence. Yes, there > > was some pain, but we handled the issue pretty well (IMO) and affected projects > > are now hopefully aware of the ticking tech debt bomb ? sitting in their > > codebase. However, as far as I can tell, there's no trend of the oslo team (or > > any other library project) introducing breaking changes like this so close to > > release deadlines, so it does feel a bit like putting the cart before the horse. > > Oh, and one final point here: I didn't actually _know_ this was going to cause > as many issue as it did. Perhaps there's value in an oslo-tips job that tests > service projects against the HEAD of the various oslo libraries. However, that's > a whole load of extra CI resources that we'd have to find resources for. Testing > in oslo.db itself didn't and wouldn't catch this because all the affected > projects were all projects that were not deployed by default in 'tempest-full- > py3' job. > > Stephen > > > > > To repeat myself from the top, I'd really rather not do this. If we wanted to > > start cutting oslo releases faster, by all means let's figure out how to do > > that. If we wanted to branch earlier and keep master moving, I'm onboard. > > Preventing us from merging features for a combined ~3 months of the year is a > > non-starter IMO though. > > > > Cheers, > > Stephen > > > > > > [1] https://review.opendev.org/c/openstack/oslo.db/+/804775 > > [2] https://releases.openstack.org/zed/schedule.html > > [3] https://review.opendev.org/c/openstack/releases/+/853975/ > > [4] https://lists.openstack.org/pipermail/openstack-discuss/2022-September/030317.html > > [5] https://lists.openstack.org/pipermail/openstack-discuss/2021-August/024122.html > > [6] https://lists.openstack.org/pipermail/openstack-discuss/2022-April/028197.html > > [7] https://lists.openstack.org/pipermail/openstack-discuss/2022-April/028198.html > > > > > > > > Thanks everyone for the responses in advance, > > > > > > El?d > > > > > > [1] > > > https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030718.html > > > [2] https://review.opendev.org/c/openstack/releases/+/861900 > > > > From rajiv.mucheli at gmail.com Sat Oct 22 01:08:34 2022 From: rajiv.mucheli at gmail.com (rajiv mucheli) Date: Sat, 22 Oct 2022 06:38:34 +0530 Subject: Follow up on https://storyboard.openstack.org/#!/story/2010377 In-Reply-To: <20221021190459.r4migw3zlqehlwa5@yuggoth.org> References: <20221021190459.r4migw3zlqehlwa5@yuggoth.org> Message-ID: Thanks for the quick reply, when I tried with focal I got this error message: E: The repository 'http://ubuntu-cloud.archive.canonical.com/ubuntu focal-updates/zed Release' does not have a Release file. I found openstack zed distro only in Jammy release file : http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/jammy-updates/ Also openstack kolla repo readme suggested Jammy. 
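For reference, the Ubuntu Cloud Archive pocket has to match the host's LTS release, which is why the focal-updates/zed line fails: Canonical only built the Zed pocket for Jammy. A minimal sketch of enabling it on a Jammy host (these are the usual UCA package and alias names; if the cloud-archive:zed alias is not yet known to software-properties on your host, the manual sources.list entry does the same thing):

sudo add-apt-repository cloud-archive:zed
# or, by hand:
sudo apt install ubuntu-cloud-keyring
echo "deb http://ubuntu-cloud.archive.canonical.com/ubuntu jammy-updates/zed main" \
  | sudo tee /etc/apt/sources.list.d/cloudarchive-zed.list
sudo apt update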
On Sat, 22 Oct 2022 at 12:35 AM, Jeremy Stanley wrote: > [Keeping you in Cc because you don't seem to be subscribed, but > please reply to the list address.] > > On 2022-10-21 14:55:26 +0530 (+0530), rajiv mucheli wrote: > > Unlike Openstack Yoga, where the setuptools version was set in > > upper-contstraints.txt. This is not set in Openstack Zed, which uses > jammy > > with python 3.10. > [...] > > Zed was tested on Ubuntu Focal (20.04 LTS) not Jammy (22.04 LTS): > > https://governance.openstack.org/tc/reference/runtimes/zed.html > > -- > Jeremy Stanley > -------------- next part -------------- An HTML attachment was scrubbed... URL: From fungi at yuggoth.org Sat Oct 22 12:49:29 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Sat, 22 Oct 2022 12:49:29 +0000 Subject: [kolla][requirements][packaging-sig] Follow up on https://storyboard.openstack.org/#!/story/2010377 In-Reply-To: References: <20221021190459.r4migw3zlqehlwa5@yuggoth.org> Message-ID: <20221022124927.7uwjdcrixqolvqgk@yuggoth.org> On 2022-10-22 06:38:34 +0530 (+0530), rajiv mucheli wrote: > Thanks for the quick reply, when I tried with focal I got this error > message: > > E: The repository 'http://ubuntu-cloud.archive.canonical.com/ubuntu > focal-updates/zed Release' does not have a Release file. > > I found openstack zed distro only in Jammy release file : > http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/jammy-updates/ I expect those are for the Ubuntu OpenStack distribution, which is not maintained by the upstream OpenStack community, but you can find its documentation here: https://ubuntu.com/openstack Ubuntu OpenStack doesn't necessarily always deploy on the same versions of their distribution as we use to test the software (in this case, Jammy and did not exist yet when we started making Zed), so I've tagged the Packaging SIG in the subject line since some of its members may be involved in that effort so could have relevant recommendations for you. > Also openstack kolla repo readme suggested Jammy. I've tagged the Kolla team in the subject line since it sounds like you may be trying to use it, and their installation recommendations may not align with our upstream testing standards in the rest of the OpenStack community. I also tagged the Requirements team in the subject line since the bug report you referenced is about the constraints file we use for upstream testing of OpenStack software. For a more direct answer though, the openstack/requirements repository is a tool we use in testing OpenStack software in order to confirm that changes to it work with the specific distributions and Python versions in the tested runtimes list I linked from my earlier reply. It may not be a useful tool for other situations like installing on newer distributions or with newer Python interpreters, as you've observed. The upstream OpenStack community is currently working on its 2023.1 release (Antelope), which is targeting the versions you seem to be interested in: https://governance.openstack.org/tc/reference/runtimes/2023.1.html Hope that helps! -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From rajiv.mucheli at gmail.com Sat Oct 22 13:20:53 2022 From: rajiv.mucheli at gmail.com (rajiv mucheli) Date: Sat, 22 Oct 2022 18:50:53 +0530 Subject: [kolla][requirements][packaging-sig] Follow up on https://storyboard.openstack.org/#!/story/2010377 In-Reply-To: <20221022124927.7uwjdcrixqolvqgk@yuggoth.org> References: <20221021190459.r4migw3zlqehlwa5@yuggoth.org> <20221022124927.7uwjdcrixqolvqgk@yuggoth.org> Message-ID: Hi Jeremy, Thanks for all the information and excellent advice. Last request, could you share the exact link or command to download openstack zed ? the below links direct me to canonical https://ubuntu.com/openstack/install https://wiki.ubuntu.com/OpenStack/CloudArchive Regards, Rajiv On Sat, Oct 22, 2022 at 6:19 PM Jeremy Stanley wrote: > On 2022-10-22 06:38:34 +0530 (+0530), rajiv mucheli wrote: > > Thanks for the quick reply, when I tried with focal I got this error > > message: > > > > E: The repository 'http://ubuntu-cloud.archive.canonical.com/ubuntu > > focal-updates/zed Release' does not have a Release file. > > > > I found openstack zed distro only in Jammy release file : > > http://ubuntu-cloud.archive.canonical.com/ubuntu/dists/jammy-updates/ > > I expect those are for the Ubuntu OpenStack distribution, which is > not maintained by the upstream OpenStack community, but you can find > its documentation here: https://ubuntu.com/openstack > > Ubuntu OpenStack doesn't necessarily always deploy on the same > versions of their distribution as we use to test the software (in > this case, Jammy and did not exist yet when we started making Zed), > so I've tagged the Packaging SIG in the subject line since some of > its members may be involved in that effort so could have relevant > recommendations for you. > > > Also openstack kolla repo readme suggested Jammy. > > I've tagged the Kolla team in the subject line since it sounds like > you may be trying to use it, and their installation recommendations > may not align with our upstream testing standards in the rest of the > OpenStack community. I also tagged the Requirements team in the > subject line since the bug report you referenced is about the > constraints file we use for upstream testing of OpenStack software. > > For a more direct answer though, the openstack/requirements > repository is a tool we use in testing OpenStack software in order > to confirm that changes to it work with the specific distributions > and Python versions in the tested runtimes list I linked from my > earlier reply. It may not be a useful tool for other situations like > installing on newer distributions or with newer Python interpreters, > as you've observed. The upstream OpenStack community is currently > working on its 2023.1 release (Antelope), which is targeting the > versions you seem to be interested in: > https://governance.openstack.org/tc/reference/runtimes/2023.1.html > > Hope that helps! > -- > Jeremy Stanley > -------------- next part -------------- An HTML attachment was scrubbed... 
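If the goal is just to pull down and run the Zed code for evaluation rather than production, one commonly used path is DevStack from its stable/zed branch; a rough sketch only, which assumes a throwaway VM and a minimal local.conf that you still have to write yourself:

git clone https://opendev.org/openstack/devstack -b stable/zed
cd devstack
./stack.sh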
URL: From fungi at yuggoth.org Sat Oct 22 14:53:22 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Sat, 22 Oct 2022 14:53:22 +0000 Subject: [kolla][requirements][packaging-sig] Follow up on https://storyboard.openstack.org/#!/story/2010377 In-Reply-To: References: <20221021190459.r4migw3zlqehlwa5@yuggoth.org> <20221022124927.7uwjdcrixqolvqgk@yuggoth.org> Message-ID: <20221022145321.ru33ojzb7otcr3yc@yuggoth.org> On 2022-10-22 18:50:53 +0530 (+0530), rajiv mucheli wrote: [...] > could you share the exact link or command to download openstack > zed ? [...] OpenStack isn't quite a singular thing, it's a modular suite of components developed collaboratively by a community of contributors, released in coordination with each other twice yearly. There are a variety of ways to get and install OpenStack services. For example, the community produces multiple deployment and lifecycle management solutions which are listed here: https://www.openstack.org/software/project-navigator/deployment-tools Alternatively, there are pre-built distributions (both free and commercial), many of which are collected in our Marketplace: https://www.openstack.org/marketplace/distros/ All of those options provide OpenStack in one way or another, but some of them are better for some situations, others for other use cases. It will really depend on what you're looking to do as far as which one is right for you or your organization. You might also take a look at the upstream OpenStack Zed Installation Guides: https://docs.openstack.org/zed/install/ And if you're looking to quickly install a non-production deployment of services from source in order to develop and test patches to the software, DevStack is the primary wrapper we use for that: https://docs.openstack.org/devstack/ Though if that's your goal, it's probably better to start from the OpenStack Contributor Guide since there's a lot of related topics you'll need some familiarity with first: https://docs.openstack.org/contributors/ -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From moreira.belmiro.email.lists at gmail.com Sat Oct 22 16:37:15 2022 From: moreira.belmiro.email.lists at gmail.com (Belmiro Moreira) Date: Sat, 22 Oct 2022 18:37:15 +0200 Subject: [large-scale][oslo.messaging] RPC workers and db connection In-Reply-To: References: Message-ID: Hi, having the DB "max connections" ~ 1000 is not unreasonable and I have been doing it since long ago. This is also related to the number of nodes running the services. For example in Nova, related to the number of nodes running APIs, conductors, schedulers... cheers, Belmiro On Fri, Oct 21, 2022 at 5:07 PM Arnaud Morin wrote: > Hey all, > > TLDR: How can I fine tune the number of DB connection on OpenStack > services? > > > Long story, with some inline questions: > > I am trying to figure out the maximum number of db connection we should > allow on our db cluster. > > For this short speech, I will use neutron RPC as example service, but I > think nova is acting similar. > > So, to do so, I identified few parameters that I can tweak: > rpc_workers [1] > max_pool_size [2] > max_overflow [3] > executor_thread_pool_size [4] > > > rpc_worker default is half CPU threads available (result of nproc) > max_pool_size default is 5 > max_overflow default is 50 > executor_thread_pool_size is 64 > > Now imagine I have a server with 40 cores, > So rpc_worker will be 20. 
> Each worker will have a DB pool with 5+50 connections available. > Each worker will use up to 64 "green" thread. > > The theorical max connection that I should set on my database is then: > rpc_workers*(max_pool_size+max_overflow) = 20*(5+50) = 1100 > > Q1: am I right here? > I have the feeling that this is huge. > > Now, let's assume each thread is consuming 1 connection from the DB pool. > Under heavy load, I am affraid that the 64 threads could exceed the > number of max_pool_size+max_overflow. > > Also, I noticed that some green threads were consuming more than 1 > connection from the pool, so I can reach the max even sooner! > > Another thing, I notice that I have 21 RPC workers, not 20. Is it > normal? > > > [1] > https://docs.openstack.org/neutron/latest/configuration/neutron.html#DEFAULT.rpc_workers > [2] > https://docs.openstack.org/neutron/latest/configuration/neutron.html#database.max_pool_size > [3] > https://docs.openstack.org/neutron/latest/configuration/neutron.html#database.max_overflow > [4] > https://docs.openstack.org/neutron/latest/configuration/neutron.html#DEFAULT.executor_thread_pool_size > > Cheers, > > Arnaud. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Sat Oct 22 22:55:07 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Sat, 22 Oct 2022 23:55:07 +0100 Subject: [kolla-ansible][Yoga] Deployment stuck Message-ID: Hi, I am trying to deploy a new platform using kolla-ansible Yoga and I am trying to upgrade another platform from Xena to yoga. On both platforms the prechecks went well, but when I start the process of deployment for the first and upgrade for the second, the process gets stuck. I tried to tail -f /var/log/kolla/*/*.log but I can't get hold of the cause. In the first platform, some services get deployed, and at some point the script gets stuck, several times in the modprobe phase. In the second platform, the upgrade gets stuck on : Escalation succeeded [204/1859] <20.3.0.28> (0, b'\n{"path": "/etc/kolla/cron", "changed": false, "diff": {"before": {"path": "/etc/kolla/cro n"}, "after": {"path": "/etc/kolla/cron"}}, "uid": 0, "gid": 0, "owner": "root", "group": "root", "mode": "07 70", "state": "directory", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 70, "invocation": {"module_ args": {"path": "/etc/kolla/cron", "owner": "root", "group": "root", "mode": "0770", "recurse": false, "force ": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", "access_time_format": "%Y%m%d%H%M.%S", "unsafe_writes": false, "state": "directory", "_original_basename": null, "_diff_peek": null, "src": null, " modification_time": null, "access_time": null, "seuser": null, "serole": null, "selevel": null, "setype": nul l, "attributes": null}}}\n', b'') ok: [20.3.0.28] => (item={'key': 'cron', 'value': {'container_name': 'cron', 'group': 'cron', 'enabled': True , 'image': '20.3.0.34:4000/openstack.kolla/centos-source-cron:yoga', 'environment': {'DUMMY_ENVIRONMENT': 'ko lla_useless_env', 'KOLLA_LOGROTATE_SCHEDULE': 'daily'}, 'volumes': ['/etc/kolla/cron/:/var/lib/kolla/config_f iles/:ro', '/etc/localtime:/etc/localtime:ro', '', 'kolla_logs:/var/log/kolla/'], 'dimensions': {}}}) => { "ansible_loop_var": "item", "changed": false, "diff": { "after": { "path": "/etc/kolla/cron" }, "before": { "path": "/etc/kolla/cron" } }, "gid": 0, "group": "root", How to start debugging the situation. Regards. -------------- next part -------------- An HTML attachment was scrubbed... 
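When a kolla-ansible run hangs without an obvious error, the usual first step is to re-run it with Ansible's own verbosity and debug output turned up and capture the log; a sketch only (the inventory path is an example, and the exact flags accepted by the kolla-ansible wrapper vary a bit between releases):

ANSIBLE_VERBOSITY=3 ANSIBLE_DEBUG=1 \
  kolla-ansible -i /etc/kolla/multinode deploy 2>&1 | tee /tmp/kolla-deploy.log

# on the host where the task appears stuck, look for the hung module process
ps -ef --forest | grep -E 'ansible|modprobe'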
URL: From gmann at ghanshyammann.com Sun Oct 23 00:50:12 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Sat, 22 Oct 2022 17:50:12 -0700 Subject: [tc][all][ptg] "Technical Committee + Leaders interaction" 2023.1 cycle vPTG sessions summary Message-ID: <18402519864.c7eafeeb113938.2211712903410420339@ghanshyammann.com> Hello Everyone, I am writing the Technical Committee + Leader interaction session discussion summary that happened in the 2023.1 Antelope cycle PTG this week. We continue the interaction session in this PTG also. The main idea here is to interact with community leaders and ask for their feedback on TC. I am happy to see ~30 attendance and had a good amount of discussions. Below are the topics we discussed in this feedback session. Updates from TC: ============= * Conveying current selected Community-wide goals. * Avoid Bare recheck * TC PTG slots: 15-19 UTC on Thursday and Friday * Status on previous PTG interaction sessions' Action items/feedback: ** PTLs/Leaders to start spreading the word and monitor ignorant recheck in their weekly meeting Status: Good progress in this, many projects started monitoring it and slaweq continues contacting the PTL for this. But we still encourage PTLs/Leaders to publish the blog/video of their stories/project updates etc at least once in a cycle. You can check the places where to publish such blogs/videos [1]. ** Recognize the contribution: Status: Not done, we are continuing this AI and will work on it this cycle. ** Bare Recheck: Status: Done. TC is monitoring the bare recheck in the weekly meetings and slaweq reaching out to projects to do the same in their weekly meeting. Feedback on TC activities or anything Community Leaders would like TC to spend more time on: ========================================================================= * Continue the TC weekly summary email which is helpful * TC to build a review process that would happen periodically to check the project status. Basically to ensure the project status as per "Emerging Technology and Inactive projects"[2]. JayF volunteered to work on this to write some documentation or resolution. ** Action Item: 1. JayF to write a resolution on criteria/flag to identify/action on the inactive projects. Renovate translation SIG i18: ====================== Ian and Seongsoo joined the discussion to provide the current state and help needed in i18 SIG. We collected some information on translation usage, language, and content(GUI, doc, log etc). Motoki updated information from the Japan group but still, needs more information from other groups/translation users and agrees to add some queries in the 2023 user survey. Also, Brian will investigate the possibility of migration to weblate tool. * Action Item: 1. rosmaita: draft questions for the survey, get feedback from ian and seongsoo 2. rosmaita: follow up with weblate service to determine whether OpenStack qualifies for gratis service 3. Ian to reach out to contributors/users to know the translation requirements for applicable language. Possibilities to avoid RC time issues with Oslo release: ======================================== After discussing the issue that occurred for Sqlalchemy 2.0 related merge in the zed cycle, we discuss one option to propose the non-client feature freezes to m-2 and get more feedback from Oslo or other non-client lib maintainers. 
Also, we encourage adding the lib forward testing which tests the integration gate with the master version of lib which can help to find the issues while the code merges itself. As discussed Elod proposed the review to get more feedback[3] and also email it to ML[4]. After getting feedback from Oslo maintainer it seems it is not a good idea to preponed the lib feature freeze. Discussion is going on in ML[4]. Clean up Zuul config errors: ===================== At the end of the session, we discussed the current zuul config error in OpenStack projects. TC is actively working on this and knikolla and other members trying to fix them as much as possible. Please check your projects and fix them, priority is to fix the master and supported branches, not the EM state branches. [1] https://docs.openstack.org/project-team-guide/spread-the-word.html [2] https://governance.openstack.org/tc/reference/emerging-technology-and-inactive-projects.html [3] https://review.opendev.org/c/openstack/releases/+/861900 [4] https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030914.html -gmann From gmann at ghanshyammann.com Sun Oct 23 00:58:40 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Sat, 22 Oct 2022 17:58:40 -0700 Subject: [tc][all][ Technical Committee 2023.1 Antelope cycle Virtual PTG discussions summary Message-ID: <18402595811.bd2fe2f0113995.2547015532286384322@ghanshyammann.com> Hello Everyone, I am summarizing the Technical Committee discussion that happened in the 2023.1 Antelope cycle PTG last week. Also, in case anyone wanted to search for all the projects etherpad later after ptgbot cleans them, I have added those to this wiki[1] Attendance: ========= * ~30 on Monday, ~25 on Thursday, ~20 on Friday Improvement in project governance: =========================== We continued the discussion from Monday and discussed a few high-level criteria which can be the potential criteria to monitor inactive projects. Along with contributors, event, and meeting occurrence is one of them but not all. JayF will be working on this to list the exact criteria/things TC can monitor to find and work on help inactive projects. User Survey: ========== * 2021 user Survey result analysis: We started with the pending review of the 2021 survey analysis[2]. There wasn't 2020 analysis so, the comparison was done using 2019. Overall, the trends in the survey were positive. We discussed adding the question about UI participants especially if users need new features to be implemented in UI then what prevents them to help and contribute? * 2022 User Survey result: knikolla and I will be working on the analysis of this survey result. jungleboyj will help on documenting the process and tips to analyze the survey xls which is not an easy task. Thanks to jungleboyj for doing the survey analysis and helping with the 2022 survey too. * 2023 User Survey question review: While doing the 2021 survey analysis, we discussed the below changes in 2023 survey. ** Remove "Other ways users participate:" ** Add: 1. how users are consuming OS. From pypi packages? From RHOSP? etc. 2. How are users interacting with OpenStack? Through Horizon? CLI? Skyline? An internally developed tool? etc. 3. Adding a sub-question about UI development help in "To which projects does your organization contribute maintenance resources such as patches for bugs and reviews on master or stable branches?" 4. Asking about what all OSS/software/services are used in your OpenStack provisioned cloud/resource. 
* Action: As the next step, we will work on the exact wording for the above questions and send it to Allison before the end of Oct month. Next step for OSC work ================== We started the discussion on sdk/osc should continue supporting the old interfaces even if we are not able to test them properly. Anyone running a very old cloud should be able to use the sdk/osc latest. We agree and Artem mentioned being more careful about removing the things. Next, we discussed where we stand on OSC work and direction from the project side and good progress from nova, neutron, and manila (might be a few more) but at the same time, many other projects need work on fixing the feature gaps. Glance is also in agreement to work towards OSC. There was a question on when and how we should work towards deprecating/removing the project's python client. The best way is to start implementing the new features in OSC and try their best to fill the old feature gap. Based on the current state, we agree to start this work as one of the community-wide and Artem volunteers to help here. * Action: ** Propose this as a community-wide goal "focus on fixing the feature gaps in osc not to remove the pythonclient which can be another goal" ** Look at devstack's use of OSC to see if we can enable token caching and perhaps use a smaller venv for performance Consistent and Secure Default RBAC ============================ As a good amount of the services are ready with the project personas, We will be testing them in the integrated gate (tempest and tempest plugins jobs), and based on the results we will enable the scope to enforce and new defaults enforce by default in this cycle. Also, services can start implementing phase 2 of the goal which is the service-to-service role. On Horizon question of moving to new defaults. because of the explicit policy files (with defaults) on the horizon side, the operator will not be able to just switch the flag until they change the policy file. For a better migration path and getting one more cycle to test the new defaults by default on the service side, it is better for Horizon to move to new defaults in the next cycle. FIPs goal ======= Ade lee provided the current status[3] of the goal which is good progress. There is work going on having the ubuntu based FIPs enabled job[4] and that will be to achieve the goal of having of voting job in the check/gate pipeline. Migrate CI/CD jobs to Ubuntu 22.04 (Jammy Jellyfish) ========================================= Projects are testing the jobs on Jammy but not all[5], we encourage the projects to start testing your project jobs before the deadline which is m-1 (Nov 18), and fix the issues if there are any. One known issue is Ceph job failing on Jammy as there aren't jammy upstream packages. There are packages in UCA and Ubuntu proper that could be used instead. The community-wide goal process in a world with few contributors =================================================== This topic is on how we can improve the community-wide goal progress and productivity but at the same time reduce the overhead on projects. Also, to highlight that the Champion of a goal is not required to do all the work and it is up to the champion. knikolla will work on the goal documentation to try goal overhead minimum. We will be more careful with goal selection to make sure if any work can be done without a community-wide goal then we should proceed that way. * Action: knikolla: see opportunities for rewording the community goal document. 
mention: striving to keep goals to a minimum to reduce overhead on teams and try to build consensus first. Pop-Up Team checks ================ We have two active popup teams, 1. Image Encryption 2. Policy(RBAC). Both have pending work to finish so will continue in this cycle also. Support policy for 32-bit platforms support ================================= Zigo is testing the OpenStack on 32-bit and filed bugs[6]. As we do not test it in the upstream CI/CD, we will not be committing to its support. But it is completely ok to fix the bug or add a skip in tests. Thanks to zigo for testing and reporting the bugs. Fixing docs build issues with recent Sphinx ================================ Sphinx is capped at 4.5.0 in upper constraints for a long time and whether we should move our doc to 6.0 or not is the question. Moving to 6.0 needs more work in openstackdocstheme. Until we have someone fixing things, it is ok to continue on Sphinx 4.5.0. Election retrospective: ================= We had a good amount of discussion on elections and many ideas to improve them in the future. Also by discussing the k8s election process with k8s steering committee members. We also discussed TC Chair election process to record the nomination in a better way. This is still not concluded and we continue the discussion in TC. Overall it was a productive discussion and we came up with below action items: *Action: 1. Extend the nomination and voting period to two weeks and also communicate the election well in advance. 2. Along with existing projects/SIG repos, add a few more related repos (governance, etc) in election tooling to count the electorate. 3. Add in the election process: call for AC on openstack-discuss or any other ML before the deadline. 4. Appoint a TC liaison as a point of contact to track the election dates more carefully and ICAL for election tasks will be a good idea to send/add. 5. Update the TC charter to mention the election period, and deadline explicitly. Cross-community sessions with k8s steering committee team: =============================================== We invited Kubernetes Steering Committee members to TC sessions. Tim and Christoph joined the sessions. This is a great way to collaborate between two communities. Following the introduction from both sides, we discussed various topics and share the process, challenges, and feedback from both sides. The election process, contributor recruiting, and how to engage them as long-term contributors. Also having part-time or non-corporate contributors is still a challenge for both communities. We also discussed the operator engagement challenges OpenStack is facing. Kubernetes operator thing is a bit complicated and they have app dev, cluster, app, and infra operator. Similar to OpenInfra foundation to the OpenStack community, CNCF foundation plays an important role for them to connect the operator with the community as much as possible. Discuss and clarify the supported upgrade-path testing in PTI: =============================================== To provide a better upgrade path, we decided to test the old distro version also whenever we will bump the distro version in our CI/CD. 
Below are details of the upgrade testing we will be following: Agree: * Supporting two distro versions when we bump the new distro version in any release: (this is only for the release bump of the distro and after that, we can go back to a single distro version testing) ** Run single tempest job in project gate on old distro version, not all jobs ** Add the previous python version unit test job in the new release testing template. * For non-SLURP releases, we will try not to change the testing runtime unless it is very much required due to the EOL of versions, we are using in testing. * In case the project has to add some feature that needs a new version of deps which is not supported in the old distro version then they need to be explicit about it and communicate in a better way. * Action: I will document the above in PTI. Guidelines for using the OpenStack release version/name and project version in 1. releasenotes 2. Documentation ===================================================================================== In Zed cycle, TC passed a resolution[7] and also prepared the guidelines[8] on using the release number as a primary identifier. During nova PTG, there was a question on what is the recommendation for using OpenStack version and package version (say Nova 27.0.0) in project documentation, releasenotes etc. After discussing the multiple options listed in etherpad we agree to go for the below: * OpenStack ( ) Example: OpenStack 2023.1 (Nova 27.0.0) I will add this to the release identifier page[8] so that all projects can use it consistently. Discussion on projects (like neutron, ceilometer ) in Upper Constraints: ===================================================== Having projects in u-c makes it difficult for users to have a consistent deployment of those services. But we do not recommend using the u-c in production and it can be explicitly mentioned in the requirement and project-team-guide document. * Action: tonyb to document the upper constraints usage expectation (especially for production usage) in the requirement document as well as in project-team-guide[9]. Zed Retrospective: ============== In the end, we discussed the Zed cycle retrospective. * What went well? ** Good amount of work in the zed cycle[10] ** New TC members ** Good participation in meetings especially video call ** TC & Community Engagement (leaders interaction) improving *** i18 SIG team having there helped to proceed with i18 SIG work One thing to improve next time is to explicitly call out the team/members with a courtesy ping for future PTG if any related discussion. We do send the agenda on ML in advance but no harm in ping also. Meeting time check: =============== TC weekly Video calls are more productive compared to text meetings and we will do two video calls in a month. We will also start a poll to select the meeting time. 2023.1 cycle TC Tracker ================== I prepared the TC tracker for 2023.1 and listed all the actionable working items that came up during the PTG discussion. This is helpful for tracking the working items. - https://etherpad.opendev.org/p/tc-2023.1-tracker Thank you for reading the summary or I will say detailed summary :), have a nice weekend everyone. 
[1] https://wiki.openstack.org/wiki/PTG/2023.1/Etherpads [2] https://review.opendev.org/c/openstack/governance/+/836888 [3] https://etherpad.opendev.org/p/fips_goal_status [4] https://review.opendev.org/c/openstack/project-config/+/861457/ [5] https://etherpad.opendev.org/p/migrate-to-jammy [6] https://bugs.launchpad.net/glance-store/+bug/1991406 [7] https://governance.openstack.org/tc/resolutions/20220524-release-identification-process.html [8] https://governance.openstack.org/tc/reference/release-naming.html [9] https://docs.openstack.org/project-team-guide/dependency-management.html [10] https://etherpad.opendev.org/p/tc-zed-tracker -gmann From gmann at ghanshyammann.com Sun Oct 23 02:18:42 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Sat, 22 Oct 2022 19:18:42 -0700 Subject: [tc][all][policy][rbac] RBAC 2023.1 Antelope cycle Virtual PTG discussions summary Message-ID: <18402a29dc9.11b45df1e114395.6556261416973730381@ghanshyammann.com> Hello Everyone, Last week, I tried to attend all the RBAC-related sessions on various projects. We mainly discussed the next steps on RBAC and implementing the project personas if not yet done. I captured the summary and outcome of the discussions of those projects in the below etherpad: Look for the section: "RBAC/Policy 2023.1 Antelope PTG summary". If I have missed any project discussion, please add it to the etherpad. - https://etherpad.opendev.org/p/rbac-goal-tracking One of the big outcomes, we agreed on all the projects (implemented phase-1) to enable the scope checks and new defaults by default. But before doing that, we need to test the new defaults and scope in Tempest (tempest plugin) integrated gate. I have started working on the job enabling the scope and new defaults[1]. [1] https://review.opendev.org/c/openstack/tempest/+/614484 -gmann From p.aminian.server at gmail.com Sun Oct 23 10:25:59 2022 From: p.aminian.server at gmail.com (Parsa Aminian) Date: Sun, 23 Oct 2022 13:55:59 +0330 Subject: [kolla] single Network interface In-Reply-To: References: <49f4b31f-d0c9-4b0a-be3c-70480f45f39e@app.fastmail.com> Message-ID: thanks it works for me On Fri, Oct 21, 2022 at 1:24 PM Satish Patel wrote: > Here is the doc to deploy kolla using a single network interface port. > https://www.keepcalmandrouteon.com/post/kolla-os-part-1/ > > On Thu, Oct 20, 2022 at 4:46 AM Sean Mooney wrote: > >> I have not been following this too cloesly and sorry to top post but its >> possibel to deploy multi node openstack using a singel interface. >> i often do that with devstack and it shoudl be possibel to do with kolla. >> >> first if you do not need vlan/flat tenant networks and and geneve/vxlan >> with ml2/ovs or ml2/ovn is sufficent then the tunell endpoint ip can just be >> the manamgnet interface. when im deploying wiht devstack i just create a >> dumy interfaces and use that for neutorn >> so you shoudl be able to do that for kolla-ansible too just have a >> playbook that will create a dumy interface on all host and set that as the >> neutron_interface. >> >> in kolla all other interface are shared by defautl so its only the >> nuetorn_interface for the br-ex that need to be managed. >> this approch reqired yuo to asign the gateway ip for the external network >> to one of the contolers and configre that host in your router. 
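A minimal sketch of the dummy-interface idea described above (the interface name and the globals.yml variable are just the usual kolla-ansible ones; this has to be done on every host before deploy, e.g. from a small playbook or a systemd unit so it survives reboots):

ip link add dummy0 type dummy
ip link set dummy0 up

# then in /etc/kolla/globals.yml:
#   neutron_external_interface: "dummy0"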
>> >> the better approch whihc allows provider networks to work and avoids the >> need to asisng the gateway ip in a hacky way is use macvlan interfaces >> i dont thinki have an example of this form my home cloud any more since >> i have redpeloyed it but i previoulsy used to create macvlan sub interfaces >> >> to do this by hand you would do somehting like this >> >> sudo ip link add api link eth0 type macvlan mode bridge >> sudo ip link add ovs link eth0 type macvlan mode bridge >> sudo ip link add storage link eth0 type macvlan mode bridge >> sudo ifconfig api up >> sudo ifconfig ovs up >> sudo ifconfig storage up >> >> >> you can wrap that up into a systemd service file and have it run before >> the docker service. >> if your on ubuntu netplan does not support macvlans currently but you can >> do it the tradtional way or wiht systemd networkd >> >> Macvlan allows a single physical interface to have multiple mac and ip >> addresses. >> you can also do the same with a linux bridge but that is less then ideal >> in terms of performance. >> if your nic support sriov another good way to partion then nice is to use >> a VF >> >> in this case you just put a trivial udev rule to allocate them or use >> netplan >> https://netplan.io/examples its the final example. >> >> >> macvlan works if you dont have hardware supprot for sriov and sriov is a >> good option otherwise >> >> On Thu, 2022-10-20 at 11:06 +0900, Bernd Bausch wrote: >> > SInce you can easily have five to ten different networks in a cloud >> > installation, e.g. networks dedicated to object storage, provider >> > networks for Octavia, a network just for iSCSI etc, VLANs are (or used >> > to be?) a common solution. See for example the (sadly, defunct) SUSE >> > OpenStack cloud >> > >> https://documentation.suse.com/soc/9/html/suse-openstack-cloud-crowbar-all/cha-deploy-poc.html#sec-depl-poc-vlans >> . >> > >> > On 2022/10/20 8:50 AM, Clark Boylan wrote: >> > > On Wed, Oct 19, 2022, at 4:44 PM, Michal Arbet wrote: >> > > > Hmm, >> > > > >> > > > But I think there is a problem with vlan - you need to setup it in >> OVS, >> > > > don't you ? >> > > There was also a bridge and a veth pair involved: >> https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e/manifests/veth.pp >> > > >> > > Possibly to deal with this? Like I said its been a long time and I >> don't remember the details. I just know it was possible to solve at least >> at the time. Linux gives you a whole suite of virtual network components >> that you can throw together to workaround physical limitations like this. >> > > >> > > > Michal Arbet >> > > > Openstack Engineer >> > > > >> > > > Ultimum Technologies a.s. >> > > > Na Po???? 1047/26, 11000 Praha 1 >> > > > Czech Republic >> > > > >> > > > +420 604 228 897 >> > > > michal.arbet at ultimum.io >> > > > _https://ultimum.io_ >> > > > >> > > > LinkedIn | >> > > > Twitter | Facebook >> > > > >> > > > >> > > > >> > > > st 19. 10. 2022 v 23:57 odes?latel Clark Boylan < >> cboylan at sapwetik.org> napsal: >> > > > > On Wed, Oct 19, 2022, at 9:40 AM, Michal Arbet wrote: >> > > > > > Hi, >> > > > > > >> > > > > > If I am correct this is not possible currently, but I remember >> I was >> > > > > > working on a solution, but unfortunately I stopped at some point >> > > > > > because kolla upstream didn't want to maintain. >> > > > > > >> > > > > > In attachment you can find patches for kolla and kolla-ansible >> and our idea. 
>> > > > > > >> > > > > > We added python script to kolla container and provide netplan >> style >> > > > > > configuration by kolla-ansible ..so openvswitch starts and >> configured >> > > > > > networking as it was set in configuration (if i remember ...it >> is quite >> > > > > > long time....and of course it was not final version ...but if i >> > > > > > remember it somehow worked). >> > > > > > >> > > > > > So, you can check it and maybe we can discuss this feature >> again :) >> > > > > > >> > > > > > Thanks, >> > > > > > Kevko >> > > > > > >> > > > > > >> > > > > > Michal Arbet >> > > > > > Openstack Engineer >> > > > > > >> > > > > > Ultimum Technologies a.s. >> > > > > > Na Po???? 1047/26, 11000 Praha 1 >> > > > > > Czech Republic >> > > > > > >> > > > > > +420 604 228 897 >> > > > > > michal.arbet at ultimum.io >> > > > > > _https://ultimum.io_ >> > > > > > >> > > > > > LinkedIn >> | >> > > > > > Twitter | Facebook >> > > > > > >> > > > > > >> > > > > > >> > > > > > po 17. 10. 2022 v 19:24 odes?latel Parsa Aminian >> > > > > > napsal: >> > > > > > > Hello >> > > > > > > I use kolla ansible wallaby version . >> > > > > > > my compute node has only one port . is it possible to use >> this server ? as I know openstack compute need 2 port one for management >> and other for external user network . Im using provider_networks and it >> seems neutron_external_interface could not be the same as network_interface >> because openvswitch need to create br-ex bridge on separate port >> > > > > > > is there any solution that i can config my compute with 1 >> port ? >> > > > > A very long time ago the OpenStack Infra Team ran the >> "Infracloud". This OpenStack installation ran on donated hardware and the >> instances there only had a single network port as well. To workaround this >> we ended up using vlan specific subinterfaces on the node so that logically >> we were presenting more than one interface to the OpenStack installation. >> > > > > >> > > > > I don't remember all the details but the now retired >> opendev/puppet-infracloud repo may have some clues: >> https://opendev.org/opendev/puppet-infracloud/src/commit/121afc07bdd277d8ba3ba70f1433d5e6a4a4b14e >> > > > > >> > > > > > Attachments: >> > > > > > * ovs_kolla >> > > > > > * ovs_kolla_ansible >> > >> >> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From thierry at openstack.org Sun Oct 23 11:36:54 2022 From: thierry at openstack.org (Thierry Carrez) Date: Sun, 23 Oct 2022 13:36:54 +0200 Subject: [largescale-sig] No meeting this week Message-ID: <575e6521-8ef8-ec9b-981b-46295479d6ac@openstack.org> Hi everyone, With the PTG just over, the Large Scale SIG will not be meeting this week. Our next regular IRC meeting will be November 9, at 1500utc on #openstack-operators on OFTC. Feel free to add topics to the agenda: https://etherpad.openstack.org/p/large-scale-sig-meeting Regards, -- Thierry Carrez From yu-kishimoto at kddi.com Mon Oct 24 02:46:26 2022 From: yu-kishimoto at kddi.com (yu-kishimoto at kddi.com) Date: Mon, 24 Oct 2022 02:46:26 +0000 Subject: [Cinder][Nova]Zombie process prevention for Cinder and Nova APIs Message-ID: Hi all, I'm trying to fix issues of spawning zombie processes for Cinder and Nova APIs during instantiation in an IaC (Ansible which is not openstack-ansible). Does someone can kindly help me to solve the issue or give me some clues like parameter changes that can be expected to be effective? - Issues The cinder api service process(port: 8776) existed in a zombie state. 
The neutron api service process(port: 9696) required for nova existed in a zombie state. - What the IaC does Use an existing tenant to create a network and subnet, then use 8volumes to instantiate 8VMs. - Workarounds and what I've done so far Identify and kill zombie processes. - Environment OS: CentOS Stream 8 Kernel: 4.18.0-408.el8.x86_64 OpenStack: Yoga(Deployed by PackStack: https://www.rdoproject.org/install/packstack/) Nova: 25.0.1 Neutron: 20.2.0 Cinder: 20.0.1 KeyStone: 21.0.0 -- Yukihiro Kishimoto Technologist KDDI Co., Ltd. Tokyo Japan From nguyenhuukhoinw at gmail.com Mon Oct 24 03:57:17 2022 From: nguyenhuukhoinw at gmail.com (=?UTF-8?B?Tmd1eeG7hW4gSOG7r3UgS2jDtGk=?=) Date: Mon, 24 Oct 2022 10:57:17 +0700 Subject: Openstack cluster cannot create instances when 1 of 3 rabbitmq cluster node down In-Reply-To: References: Message-ID: Hello. 2 remain nodes still running, here is my output: Basics Cluster name: rabbit at controller01 Disk Nodes rabbit at controller01 rabbit at controller02 rabbit at controller03 Running Nodes rabbit at controller01 rabbit at controller03 Versions rabbit at controller01: RabbitMQ 3.8.35 on Erlang 23.3.4.18 rabbit at controller03: RabbitMQ 3.8.35 on Erlang 23.3.4.18 Maintenance status Node: rabbit at controller01, status: not under maintenance Node: rabbit at controller03, status: not under maintenance Alarms (none) Network Partitions (none) Listeners Node: rabbit at controller01, interface: [::], port: 15672, protocol: http, purpose: HTTP API Node: rabbit at controller01, interface: 183.81.13.227, port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication Node: rabbit at controller01, interface: 183.81.13.227, port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0 Node: rabbit at controller03, interface: [::], port: 15672, protocol: http, purpose: HTTP API Node: rabbit at controller03, interface: 183.81.13.229, port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication Node: rabbit at controller03, interface: 183.81.13.229, port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0 Feature flags Flag: drop_unroutable_metric, state: enabled Flag: empty_basic_get_metric, state: enabled Flag: implicit_default_bindings, state: enabled Flag: maintenance_mode_status, state: enabled Flag: quorum_queue, state: enabled Flag: user_limits, state: enabled Flag: virtual_host_metadata, state: enabled I used ha_queues mode all But it is not better. Nguyen Huu Khoi On Tue, Oct 18, 2022 at 7:19 AM Nguy?n H?u Kh?i wrote: > Description > =========== > I set up 3 controllers and 3 compute nodes. My system cannot work well > when 1 rabbit node in cluster rabbitmq is down, cannot launch instances. It > stucked at scheduling. > > Steps to reproduce > =========== > Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// > * Reboot 1 of 3 rabbitmq node. > * Create instances then it stucked at scheduling. > > Workaround > =========== > Point to rabbitmq VIP address. But We cannot share the load with this > solution. Please give me some suggestions. Thank you very much. > I did google and enabled system log's debug but I still cannot understand > why. > > Nguyen Huu Khoi > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From park0kyung0won at dgist.ac.kr Mon Oct 24 05:21:00 2022 From: park0kyung0won at dgist.ac.kr (=?UTF-8?B?67CV6rK97JuQ?=) Date: Mon, 24 Oct 2022 14:21:00 +0900 (KST) Subject: [yoga][cinder] Cinder NFS backend: Compute service cannot access volume file (UID/GID problem) Message-ID: <1076006407.404315.1666588860827.JavaMail.root@mailwas2> An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Mon Oct 24 06:53:42 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Mon, 24 Oct 2022 07:53:42 +0100 Subject: [kolla-ansible][Yoga] Deployment stuck In-Reply-To: References: Message-ID: Hi, My setup is simple, it's an hci deployment composed of 3 controllers nodes and 6 compute and storage nodes. I am using ceph-ansible for deploying the storage part and the deployment goes well. My base OS is Rocky Linux 8 fully updated. My network is composed of a 1Gb management network for OS, application deployment and server management. And a 40Gb with LACP (80Gb) data network. I am using vlans to segregate openstack networks. I updated both Xena and Yoga kolla-ansible package I updated several times the container images (I am using a local registry). No matter how many times I tried to deploy it's the same behavior. The setup gets stuck somewhere. I tried to deploy the core modules without SSL, I tried to use an older kernel, I tried to use the 40Gb network to deploy, nothing works. The problem is the lack of error if there was one it would have been a starting point but I have nothing. Regards. On Sun, Oct 23, 2022, 00:42 wodel youchi wrote: > Hi, > > Here you can find the kolla-ansible *deploy *log with ANSIBLE_DEBUG=1 > > Regards. > > Le sam. 22 oct. 2022 ? 23:55, wodel youchi a > ?crit : > >> Hi, >> >> I am trying to deploy a new platform using kolla-ansible Yoga and I am >> trying to upgrade another platform from Xena to yoga. >> >> On both platforms the prechecks went well, but when I start the process >> of deployment for the first and upgrade for the second, the process gets >> stuck. >> >> I tried to tail -f /var/log/kolla/*/*.log but I can't get hold of the >> cause. >> >> In the first platform, some services get deployed, and at some point the >> script gets stuck, several times in the modprobe phase. 
>> >> In the second platform, the upgrade gets stuck on : >> >> Escalation succeeded >> [204/1859] >> <20.3.0.28> (0, b'\n{"path": "/etc/kolla/cron", "changed": false, "diff": >> {"before": {"path": "/etc/kolla/cro >> n"}, "after": {"path": "/etc/kolla/cron"}}, "uid": 0, "gid": 0, "owner": >> "root", "group": "root", "mode": "07 >> 70", "state": "directory", "secontext": "unconfined_u:object_r:etc_t:s0", >> "size": 70, "invocation": {"module_ >> args": {"path": "/etc/kolla/cron", "owner": "root", "group": "root", >> "mode": "0770", "recurse": false, "force >> ": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", >> "access_time_format": "%Y%m%d%H%M.%S", >> "unsafe_writes": false, "state": "directory", "_original_basename": >> null, "_diff_peek": null, "src": null, " >> modification_time": null, "access_time": null, "seuser": null, "serole": >> null, "selevel": null, "setype": nul >> l, "attributes": null}}}\n', b'') >> ok: [20.3.0.28] => (item={'key': 'cron', 'value': {'container_name': >> 'cron', 'group': 'cron', 'enabled': True >> , 'image': '20.3.0.34:4000/openstack.kolla/centos-source-cron:yoga', >> 'environment': {'DUMMY_ENVIRONMENT': 'ko >> lla_useless_env', 'KOLLA_LOGROTATE_SCHEDULE': 'daily'}, 'volumes': >> ['/etc/kolla/cron/:/var/lib/kolla/config_f >> iles/:ro', '/etc/localtime:/etc/localtime:ro', '', >> 'kolla_logs:/var/log/kolla/'], 'dimensions': {}}}) => { >> "ansible_loop_var": "item", >> "changed": false, >> "diff": { >> "after": { >> "path": "/etc/kolla/cron" >> }, >> "before": { >> "path": "/etc/kolla/cron" >> } >> }, >> "gid": 0, >> "group": "root", >> >> How to start debugging the situation. >> >> Regards. >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From felix.huettner at mail.schwarz Mon Oct 24 07:12:48 2022 From: felix.huettner at mail.schwarz (=?utf-8?B?RmVsaXggSMO8dHRuZXI=?=) Date: Mon, 24 Oct 2022 07:12:48 +0000 Subject: [yoga][cinder] Cinder NFS backend: Compute service cannot access volume file (UID/GID problem) In-Reply-To: <1076006407.404315.1666588860827.JavaMail.root@mailwas2> References: <1076006407.404315.1666588860827.JavaMail.root@mailwas2> Message-ID: Hi, we are solving this issue for us by creating a ?cinder? group on all hypervisors with the same gid (64061 in your case). Then we add the nova user to the cinder group and we are fine afterwards. You might need set ?dynamic_ownership = 0" In your libvirt qemu.conf -- Felix Huettner From: ??? Sent: Monday, October 24, 2022 7:21 AM To: openstack-discuss at lists.openstack.org Subject: [yoga][cinder] Cinder NFS backend: Compute service cannot access volume file (UID/GID problem) Hi I'm trying to setup cinder-volume service with NFS backend When I create a new VM instance with a volume from web UI, cinder-volume service on storage node creates volume file just fine But I get the following error on compute node and instance fails to spawn. 
2022-10-24 02:14:25.347 402789 ERROR nova.compute.manager [req-47ec9fb1-9daa-4c24-8673-538797a217cc 8769cfaf608349bd9fbb36f92b188fe3 e1e8e8397cde49899b00d09dec76b29e - default default] [instance: 5acb1dc3-0685-4980-977b-b6dfff6dfb45] Instance failed to spawn: libvirt.libvirtError: internal error: process exited while connecting to monitor: 2022-10-24T02:14:24.819644Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/lib/nova/mnt/99c4f7e8b15983b65e20cb7d37db899f/volume-8f478992-dde3-4c20-9005-61cd34eacf30","aio":"native","node-name":"libvirt-2-storage","cache":{"direct":true,"no-flush":false},"auto-read-only":true,"discard":"unmap"}: Could not open '/var/lib/nova/mnt/99c4f7e8b15983b65e20cb7d37db899f/volume-8f478992-dde3-4c20-9005-61cd34eacf30': Permission denied I've added appropriate configs to apparmor profile. (Using Ubuntu 22.04) Apparmor isn't blocking this access. While the instance is spawning, I've checked ownership of the volume file on compute node: root at compute-node:/var/lib/nova/mnt$ ls -al total 17 drwxr-xr-x 3 nova nova 4096 Oct 24 04:19 . drwxr-xr-x 12 nova nova 4096 Oct 24 02:14 .. drwxr-x--- 2 64061 64061 11 Oct 24 04:19 99c4f7e8b15983b65e20cb7d37db899f It seems like cinder user on storage node creates volume file with UID/GID of 64061 (cinder user's UID/GID) But nova user on compute node has UID/GID of 64060, therefore cannot open volume file(/var/lib/nova/mnt/99c4f7e8b15983b65e20cb7d37db899f/volume-8f478992-dde3-4c20-9005-61cd34eacf30) Should I manually set the UID/GID of nova user on compute node to 64061, so both nova user on compute node and cinder user on storage node would have the same UID/GID? Feels like this duct taping isn't a proper solution. Did I miss something? Thank you Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie hier. -------------- next part -------------- An HTML attachment was scrubbed... URL: From park0kyung0won at dgist.ac.kr Mon Oct 24 07:24:18 2022 From: park0kyung0won at dgist.ac.kr (=?UTF-8?B?67CV6rK97JuQ?=) Date: Mon, 24 Oct 2022 16:24:18 +0900 (KST) Subject: [yoga][cinder] Cinder NFS backend: Compute service cannot access volume file (UID/GID problem) Message-ID: <1729803334.406064.1666596258287.JavaMail.root@mailwas2> An HTML attachment was scrubbed... URL: From felix.huettner at mail.schwarz Mon Oct 24 07:33:06 2022 From: felix.huettner at mail.schwarz (=?utf-8?B?RmVsaXggSMO8dHRuZXI=?=) Date: Mon, 24 Oct 2022 07:33:06 +0000 Subject: [yoga][cinder] Cinder NFS backend: Compute service cannot access volume file (UID/GID problem) In-Reply-To: <1972308493.406063.1666596258257.JavaMail.root@mailwas2> References: <1972308493.406063.1666596258257.JavaMail.root@mailwas2> Message-ID: Sorry, no idea about that, for us the group also has write permissions -- Felix Huettner From: ??? Sent: Monday, October 24, 2022 9:24 AM To: Felix H?ttner ; openstack-discuss at lists.openstack.org Subject: RE: RE: [yoga][cinder] Cinder NFS backend: Compute service cannot access volume file (UID/GID problem) Hello Felix Thank you very much for kind reply Do I also need to change permission setting of volume file in /var/lib/nova/mnt/... ? By default its: drwxr-x--- 2 64061 64061 11 Oct 24 04:19 99c4f7e8b15983b65e20cb7d37db899f group has only read and execute permission, no write permission ---------- ?? ?? 
---------- ????: "Felix H?ttner" > ????: "park0kyung0won at dgist.ac.kr" >, "openstack-discuss at lists.openstack.org" > ??: 2022-10-24 (?) 16:12:48 ??: RE: [yoga][cinder] Cinder NFS backend: Compute service cannot access volume file (UID/GID problem) Hi, we are solving this issue for us by creating a ?cinder? group on all hypervisors with the same gid (64061 in your case). Then we add the nova user to the cinder group and we are fine afterwards. You might need set ?dynamic_ownership = 0" In your libvirt qemu.conf -- Felix Huettner From: ??? > Sent: Monday, October 24, 2022 7:21 AM To: openstack-discuss at lists.openstack.org Subject: [yoga][cinder] Cinder NFS backend: Compute service cannot access volume file (UID/GID problem) Hi I'm trying to setup cinder-volume service with NFS backend When I create a new VM instance with a volume from web UI, cinder-volume service on storage node creates volume file just fine But I get the following error on compute node and instance fails to spawn. 2022-10-24 02:14:25.347 402789 ERROR nova.compute.manager [req-47ec9fb1-9daa-4c24-8673-538797a217cc 8769cfaf608349bd9fbb36f92b188fe3 e1e8e8397cde49899b00d09dec76b29e - default default] [instance: 5acb1dc3-0685-4980-977b-b6dfff6dfb45] Instance failed to spawn: libvirt.libvirtError: internal error: process exited while connecting to monitor: 2022-10-24T02:14:24.819644Z qemu-system-x86_64: -blockdev {"driver":"file","filename":"/var/lib/nova/mnt/99c4f7e8b15983b65e20cb7d37db899f/volume-8f478992-dde3-4c20-9005-61cd34eacf30","aio":"native","node-name":"libvirt-2-storage","cache":{"direct":true,"no-flush":false},"auto-read-only":true,"discard":"unmap"}: Could not open '/var/lib/nova/mnt/99c4f7e8b15983b65e20cb7d37db899f/volume-8f478992-dde3-4c20-9005-61cd34eacf30': Permission denied I've added appropriate configs to apparmor profile. (Using Ubuntu 22.04) Apparmor isn't blocking this access. While the instance is spawning, I've checked ownership of the volume file on compute node: root at compute-node:/var/lib/nova/mnt$ ls -al total 17 drwxr-xr-x 3 nova nova 4096 Oct 24 04:19 . drwxr-xr-x 12 nova nova 4096 Oct 24 02:14 .. drwxr-x--- 2 64061 64061 11 Oct 24 04:19 99c4f7e8b15983b65e20cb7d37db899f It seems like cinder user on storage node creates volume file with UID/GID of 64061 (cinder user's UID/GID) But nova user on compute node has UID/GID of 64060, therefore cannot open volume file(/var/lib/nova/mnt/99c4f7e8b15983b65e20cb7d37db899f/volume-8f478992-dde3-4c20-9005-61cd34eacf30) Should I manually set the UID/GID of nova user on compute node to 64061, so both nova user on compute node and cinder user on storage node would have the same UID/GID? Feels like this duct taping isn't a proper solution. Did I miss something? Thank you Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie hier. Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie hier. -------------- next part -------------- An HTML attachment was scrubbed... 
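The group-alignment workaround Felix describes above can be sketched roughly as follows. This is only an illustration: the gid 64061 is taken from the ls -al output in this thread, the service and group names (cinder, nova, libvirtd, nova-compute) assume an Ubuntu-style install, and whether dynamic_ownership really needs to be disabled should be verified against the local deployment.

    # On every compute host, as root: create a group matching the gid that
    # owns the volume files on the NFS share, and let the nova user join it.
    groupadd --gid 64061 cinder
    usermod -aG cinder nova

    # In /etc/libvirt/qemu.conf: keep libvirt from re-chowning volume files.
    dynamic_ownership = 0

    # Restart so the new group membership and config are picked up.
    systemctl restart libvirtd nova-compute

If the created volume files additionally need group write access (the drwxr-x--- question above), cinder's NFS driver options nas_secure_file_operations and nas_secure_file_permissions in the backend section of cinder.conf are worth checking, since they control how restrictive the permissions of newly created volume files are.
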
URL: From arnaud.morin at gmail.com Mon Oct 24 08:57:54 2022 From: arnaud.morin at gmail.com (Arnaud Morin) Date: Mon, 24 Oct 2022 08:57:54 +0000 Subject: [large-scale][oslo.messaging] RPC workers and db connection In-Reply-To: References: Message-ID: Hey Belimiro, Thanks for your answer. Having ~1000 connection for each service is a lot to me. With the example below, I only talked about neutron RPC service on one node. On our biggest region, we are using multiple nodes (like 8 neutron controllers), which are running both neutron API and neutron RPC. So, we can end-up with something like 16k connections only for neutron :( Of courses, we limited that by lowering the default values, but we are still struggling figuring out the correct values for this. Cheers, Arnaud. On 22.10.22 - 18:37, Belmiro Moreira wrote: > Hi, > having the DB "max connections" ~ 1000 is not unreasonable and I have been > doing it since long ago. > This is also related to the number of nodes running the services. For > example in Nova, related to the number of nodes running APIs, conductors, > schedulers... > > cheers, > Belmiro > > On Fri, Oct 21, 2022 at 5:07 PM Arnaud Morin wrote: > > > Hey all, > > > > TLDR: How can I fine tune the number of DB connection on OpenStack > > services? > > > > > > Long story, with some inline questions: > > > > I am trying to figure out the maximum number of db connection we should > > allow on our db cluster. > > > > For this short speech, I will use neutron RPC as example service, but I > > think nova is acting similar. > > > > So, to do so, I identified few parameters that I can tweak: > > rpc_workers [1] > > max_pool_size [2] > > max_overflow [3] > > executor_thread_pool_size [4] > > > > > > rpc_worker default is half CPU threads available (result of nproc) > > max_pool_size default is 5 > > max_overflow default is 50 > > executor_thread_pool_size is 64 > > > > Now imagine I have a server with 40 cores, > > So rpc_worker will be 20. > > Each worker will have a DB pool with 5+50 connections available. > > Each worker will use up to 64 "green" thread. > > > > The theorical max connection that I should set on my database is then: > > rpc_workers*(max_pool_size+max_overflow) = 20*(5+50) = 1100 > > > > Q1: am I right here? > > I have the feeling that this is huge. > > > > Now, let's assume each thread is consuming 1 connection from the DB pool. > > Under heavy load, I am affraid that the 64 threads could exceed the > > number of max_pool_size+max_overflow. > > > > Also, I noticed that some green threads were consuming more than 1 > > connection from the pool, so I can reach the max even sooner! > > > > Another thing, I notice that I have 21 RPC workers, not 20. Is it > > normal? > > > > > > [1] > > https://docs.openstack.org/neutron/latest/configuration/neutron.html#DEFAULT.rpc_workers > > [2] > > https://docs.openstack.org/neutron/latest/configuration/neutron.html#database.max_pool_size > > [3] > > https://docs.openstack.org/neutron/latest/configuration/neutron.html#database.max_overflow > > [4] > > https://docs.openstack.org/neutron/latest/configuration/neutron.html#DEFAULT.executor_thread_pool_size > > > > Cheers, > > > > Arnaud. 
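For readers following the sizing discussion in this thread, a sketch of where the four knobs live and how the worst case multiplies out, using the example figures quoted in this thread; the values are illustrative, not recommendations:

    # neutron.conf (the example service used in this thread)
    [DEFAULT]
    rpc_workers = 20                 # default is half the available CPU threads
    executor_thread_pool_size = 64   # green threads per worker; each can hold a DB connection

    [database]
    max_pool_size = 5                # persistent connections per worker
    max_overflow = 50                # extra connections allowed under load

    # Theoretical ceiling per host:
    #   rpc_workers * (max_pool_size + max_overflow) = 20 * (5 + 50) = 1100
    # With several controllers running both API and RPC services the ceilings
    # add up (roughly where the ~16k figure for 8 neutron controllers comes
    # from), so the database's max_connections has to stay above the summed
    # ceilings plus some headroom, or connections are refused under load.

Lowering max_overflow and max_pool_size, and pinning rpc_workers explicitly, is the usual way to trade peak concurrency for a smaller, predictable connection budget.
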
> > > > From felix.huettner at mail.schwarz Mon Oct 24 09:25:59 2022 From: felix.huettner at mail.schwarz (=?iso-8859-1?Q?Felix_H=FCttner?=) Date: Mon, 24 Oct 2022 09:25:59 +0000 Subject: [large-scale][oslo.messaging] RPC workers and db connection In-Reply-To: References: Message-ID: Hi everyone, we have also struggled to find reasonable values for our settings. These are currently based on some experience but not on actual data. Does anyone by chance know of a metric that can show the usage of the database connection pools? Otherwise that might be something to add to oslo.metrics maybe? -- Felix Huettner > -----Original Message----- > From: Arnaud Morin > Sent: Monday, October 24, 2022 10:58 AM > To: Belmiro Moreira > Cc: discuss openstack > Subject: Re: [large-scale][oslo.messaging] RPC workers and db connection > > Hey Belimiro, > > Thanks for your answer. > > Having ~1000 connection for each service is a lot to me. > With the example below, I only talked about neutron RPC service on one > node. > On our biggest region, we are using multiple nodes (like 8 neutron > controllers), which are running both neutron API and neutron RPC. > > So, we can end-up with something like 16k connections only for neutron > :( > > Of courses, we limited that by lowering the default values, but we are > still struggling figuring out the correct values for this. > > Cheers, > > Arnaud. > > > On 22.10.22 - 18:37, Belmiro Moreira wrote: > > Hi, > > having the DB "max connections" ~ 1000 is not unreasonable and I have been > > doing it since long ago. > > This is also related to the number of nodes running the services. For > > example in Nova, related to the number of nodes running APIs, conductors, > > schedulers... > > > > cheers, > > Belmiro > > > > On Fri, Oct 21, 2022 at 5:07 PM Arnaud Morin wrote: > > > > > Hey all, > > > > > > TLDR: How can I fine tune the number of DB connection on OpenStack > > > services? > > > > > > > > > Long story, with some inline questions: > > > > > > I am trying to figure out the maximum number of db connection we should > > > allow on our db cluster. > > > > > > For this short speech, I will use neutron RPC as example service, but I > > > think nova is acting similar. > > > > > > So, to do so, I identified few parameters that I can tweak: > > > rpc_workers [1] > > > max_pool_size [2] > > > max_overflow [3] > > > executor_thread_pool_size [4] > > > > > > > > > rpc_worker default is half CPU threads available (result of nproc) > > > max_pool_size default is 5 > > > max_overflow default is 50 > > > executor_thread_pool_size is 64 > > > > > > Now imagine I have a server with 40 cores, > > > So rpc_worker will be 20. > > > Each worker will have a DB pool with 5+50 connections available. > > > Each worker will use up to 64 "green" thread. > > > > > > The theorical max connection that I should set on my database is then: > > > rpc_workers*(max_pool_size+max_overflow) = 20*(5+50) = 1100 > > > > > > Q1: am I right here? > > > I have the feeling that this is huge. > > > > > > Now, let's assume each thread is consuming 1 connection from the DB pool. > > > Under heavy load, I am affraid that the 64 threads could exceed the > > > number of max_pool_size+max_overflow. > > > > > > Also, I noticed that some green threads were consuming more than 1 > > > connection from the pool, so I can reach the max even sooner! > > > > > > Another thing, I notice that I have 21 RPC workers, not 20. Is it > > > normal? 
> > > > > > > > > [1] > > > > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.openstack.org%2Fneutron%2Flatest%2Fconfiguration%2 > Fneutron.html%23DEFAULT.rpc_workers&data=05%7C01%7C%7C2fcb72675ac148f6c8ee08dab59efc49%7Cd04f47175a6e4b98b3f > 96918e0385f4c%7C0%7C0%7C638021991684328050%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI > 6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8ZbaSFRcEUc0wZnaikxR4sUZjbQiZe%2Fj0Q1kUsvrTGk%3D&rese > rved=0 > > > [2] > > > > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.openstack.org%2Fneutron%2Flatest%2Fconfiguration%2 > Fneutron.html%23database.max_pool_size&data=05%7C01%7C%7C2fcb72675ac148f6c8ee08dab59efc49%7Cd04f47175a6e4b98b > 3f96918e0385f4c%7C0%7C0%7C638021991684328050%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJB > TiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=IYhAbvxlASqJ34SMjPQ581JmoICHP7UPPGK%2BVPYRfeY%3D& > reserved=0 > > > [3] > > > > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.openstack.org%2Fneutron%2Flatest%2Fconfiguration%2 > Fneutron.html%23database.max_overflow&data=05%7C01%7C%7C2fcb72675ac148f6c8ee08dab59efc49%7Cd04f47175a6e4b98b > 3f96918e0385f4c%7C0%7C0%7C638021991684484231%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJB > TiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=On94ArtrzPcn9S3R4QAWDvnJiOj%2FeBQ8AP4%2FsVDx9V8%3D&a > mp;reserved=0 > > > [4] > > > > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.openstack.org%2Fneutron%2Flatest%2Fconfiguration%2 > Fneutron.html%23DEFAULT.executor_thread_pool_size&data=05%7C01%7C%7C2fcb72675ac148f6c8ee08dab59efc49%7Cd04f47 > 175a6e4b98b3f96918e0385f4c%7C0%7C0%7C638021991684484231%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi > V2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=YP%2FqDxDi%2F2SksnsHKw2N9bQTdk0OU3n2m5sy3 > NhTOgQ%3D&reserved=0 > > > > > > Cheers, > > > > > > Arnaud. > > > > > > Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie hier. From arnaud.morin at gmail.com Mon Oct 24 09:30:49 2022 From: arnaud.morin at gmail.com (Arnaud Morin) Date: Mon, 24 Oct 2022 09:30:49 +0000 Subject: [large-scale][oslo.messaging] RPC workers and db connection In-Reply-To: References: Message-ID: Yup, I was exactly thinking about something like that, I did check the source code of oslo_metrics again, but this is only related to rabbit messaging metrics so far. That's a good point to include something in order to catch the db metrics as well. On our side, we use the "percona monitoring and management" [1] as sidecar, which help us a lot identifying which part of OpenStack is consuming db resources. [1] https://www.percona.com/software/pmm/quickstart Cheers, Arnaud. On 24.10.22 - 09:25, Felix H?ttner wrote: > Hi everyone, > > we have also struggled to find reasonable values for our settings. These are currently based on some experience but not on actual data. > Does anyone by chance know of a metric that can show the usage of the database connection pools? > > Otherwise that might be something to add to oslo.metrics maybe? 
> > -- > Felix Huettner > > > -----Original Message----- > > From: Arnaud Morin > > Sent: Monday, October 24, 2022 10:58 AM > > To: Belmiro Moreira > > Cc: discuss openstack > > Subject: Re: [large-scale][oslo.messaging] RPC workers and db connection > > > > Hey Belimiro, > > > > Thanks for your answer. > > > > Having ~1000 connection for each service is a lot to me. > > With the example below, I only talked about neutron RPC service on one > > node. > > On our biggest region, we are using multiple nodes (like 8 neutron > > controllers), which are running both neutron API and neutron RPC. > > > > So, we can end-up with something like 16k connections only for neutron > > :( > > > > Of courses, we limited that by lowering the default values, but we are > > still struggling figuring out the correct values for this. > > > > Cheers, > > > > Arnaud. > > > > > > On 22.10.22 - 18:37, Belmiro Moreira wrote: > > > Hi, > > > having the DB "max connections" ~ 1000 is not unreasonable and I have been > > > doing it since long ago. > > > This is also related to the number of nodes running the services. For > > > example in Nova, related to the number of nodes running APIs, conductors, > > > schedulers... > > > > > > cheers, > > > Belmiro > > > > > > On Fri, Oct 21, 2022 at 5:07 PM Arnaud Morin wrote: > > > > > > > Hey all, > > > > > > > > TLDR: How can I fine tune the number of DB connection on OpenStack > > > > services? > > > > > > > > > > > > Long story, with some inline questions: > > > > > > > > I am trying to figure out the maximum number of db connection we should > > > > allow on our db cluster. > > > > > > > > For this short speech, I will use neutron RPC as example service, but I > > > > think nova is acting similar. > > > > > > > > So, to do so, I identified few parameters that I can tweak: > > > > rpc_workers [1] > > > > max_pool_size [2] > > > > max_overflow [3] > > > > executor_thread_pool_size [4] > > > > > > > > > > > > rpc_worker default is half CPU threads available (result of nproc) > > > > max_pool_size default is 5 > > > > max_overflow default is 50 > > > > executor_thread_pool_size is 64 > > > > > > > > Now imagine I have a server with 40 cores, > > > > So rpc_worker will be 20. > > > > Each worker will have a DB pool with 5+50 connections available. > > > > Each worker will use up to 64 "green" thread. > > > > > > > > The theorical max connection that I should set on my database is then: > > > > rpc_workers*(max_pool_size+max_overflow) = 20*(5+50) = 1100 > > > > > > > > Q1: am I right here? > > > > I have the feeling that this is huge. > > > > > > > > Now, let's assume each thread is consuming 1 connection from the DB pool. > > > > Under heavy load, I am affraid that the 64 threads could exceed the > > > > number of max_pool_size+max_overflow. > > > > > > > > Also, I noticed that some green threads were consuming more than 1 > > > > connection from the pool, so I can reach the max even sooner! > > > > > > > > Another thing, I notice that I have 21 RPC workers, not 20. Is it > > > > normal? 
> > > > > > > > > > > > [1] > > > > > > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.openstack.org%2Fneutron%2Flatest%2Fconfiguration%2 > > Fneutron.html%23DEFAULT.rpc_workers&data=05%7C01%7C%7C2fcb72675ac148f6c8ee08dab59efc49%7Cd04f47175a6e4b98b3f > > 96918e0385f4c%7C0%7C0%7C638021991684328050%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI > > 6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=8ZbaSFRcEUc0wZnaikxR4sUZjbQiZe%2Fj0Q1kUsvrTGk%3D&rese > > rved=0 > > > > [2] > > > > > > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.openstack.org%2Fneutron%2Flatest%2Fconfiguration%2 > > Fneutron.html%23database.max_pool_size&data=05%7C01%7C%7C2fcb72675ac148f6c8ee08dab59efc49%7Cd04f47175a6e4b98b > > 3f96918e0385f4c%7C0%7C0%7C638021991684328050%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJB > > TiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=IYhAbvxlASqJ34SMjPQ581JmoICHP7UPPGK%2BVPYRfeY%3D& > > reserved=0 > > > > [3] > > > > > > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.openstack.org%2Fneutron%2Flatest%2Fconfiguration%2 > > Fneutron.html%23database.max_overflow&data=05%7C01%7C%7C2fcb72675ac148f6c8ee08dab59efc49%7Cd04f47175a6e4b98b > > 3f96918e0385f4c%7C0%7C0%7C638021991684484231%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJB > > TiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=On94ArtrzPcn9S3R4QAWDvnJiOj%2FeBQ8AP4%2FsVDx9V8%3D&a > > mp;reserved=0 > > > > [4] > > > > > > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.openstack.org%2Fneutron%2Flatest%2Fconfiguration%2 > > Fneutron.html%23DEFAULT.executor_thread_pool_size&data=05%7C01%7C%7C2fcb72675ac148f6c8ee08dab59efc49%7Cd04f47 > > 175a6e4b98b3f96918e0385f4c%7C0%7C0%7C638021991684484231%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi > > V2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=YP%2FqDxDi%2F2SksnsHKw2N9bQTdk0OU3n2m5sy3 > > NhTOgQ%3D&reserved=0 > > > > > > > > Cheers, > > > > > > > > Arnaud. > > > > > > > > > > Diese E Mail enth?lt m?glicherweise vertrauliche Inhalte und ist nur f?r die Verwertung durch den vorgesehenen Empf?nger bestimmt. Sollten Sie nicht der vorgesehene Empf?nger sein, setzen Sie den Absender bitte unverz?glich in Kenntnis und l?schen diese E Mail. Hinweise zum Datenschutz finden Sie hier. From nguyenhuukhoinw at gmail.com Mon Oct 24 09:49:56 2022 From: nguyenhuukhoinw at gmail.com (=?UTF-8?B?Tmd1eeG7hW4gSOG7r3UgS2jDtGk=?=) Date: Mon, 24 Oct 2022 16:49:56 +0700 Subject: Openstack Cinder and Nova Services cannot work when rabbitmq cluter node down Message-ID: Title: Openstack cluster cannot create when 1 of 3 rabbitmq cluster node down Bug description: Description =========== I set up 3 controllers and 3 compute nodes. My system cannot work when 1 rabbit node in cluster rabbitmq is down, cannot create volume or launch instance. It stucked at creating and scheduling respectively. Steps to reproduce =========== Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// * Reboot 1 of 3 rabbitmq node. * Create volume or launch instance then it stucked at creating and scheduling respectively. Workaround =========== I need reboot cinder and nova services to create volume and launch instance . More Info: I see in cinder_scheduler, it looks like cinder cannot change to another rabbitmq node. I hope we have ideas for that.. 
2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task Traceback (most recent call last): 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 441, in get 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return self._queues[msg_id].get(block=True, timeout=timeout) 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/queue.py", line 322, in get 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return waiter.wait() 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/queue.py", line 141, in wait 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return get_hub().switch() 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/hubs/hub.py", line 313, in switch2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return self.greenlet.switch() 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task _queue.Empty 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task During handling of the above exception, another exception occurred: 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task Traceback (most recent call last): 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_service/periodic_task.py", line 216, in run_periodic_tasks 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task task(self, context) 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/nova/compute/manager.py", line 9716, in _sync_power_states 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task db_instances = objects.InstanceList.get_by_host(context, self.host, 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_versionedobjects/base.py", line 175, in wrapper 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = cls.indirection_api.object_class_action_versions( 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/nova/conductor/rpcapi.py", line 240, in object_class_action_versions 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return cctxt.call(context, 'object_class_action_versions', 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/rpc/client.py", line 189, in call 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = self.transport._send( 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/transport.py", line 123, in _send 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return self._driver.send(target, ctxt, message, 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 689, in send 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return self._send(target, ctxt, message, wait_for_reply, timeout, 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File 
"/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 678, in _send 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = self._waiter.wait(msg_id, timeout, 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 567, in wait 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task message = self.waiters.get(msg_id, timeout=timeout) 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 443, in get 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task raise oslo_messaging.MessagingTimeout( 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task oslo_messaging.exceptions.MessagingTimeout: Timed out waiting for a reply to message ID c8a676a9709242908dcff97046d7976d Nguyen Huu Khoi -------------- next part -------------- An HTML attachment was scrubbed... URL: From eblock at nde.ag Mon Oct 24 10:35:57 2022 From: eblock at nde.ag (Eugen Block) Date: Mon, 24 Oct 2022 10:35:57 +0000 Subject: Openstack cluster cannot create instances when 1 of 3 rabbitmq cluster node down In-Reply-To: References: Message-ID: <20221024103557.Horde.2TO2Li_lBDYO88_RsdHZz4I@webmail.nde.ag> You don't need to create a new thread with the same issue. Do the rabbitmq logs reveal anything? We create a cluster within rabbitmq and the output looks like this: ---snip--- control01:~ # rabbitmqctl cluster_status Cluster status of node rabbit at control01 ... Basics Cluster name: rabbit at rabbitmq-cluster Disk Nodes rabbit at control01 rabbit at control02 rabbit at control03 Running Nodes rabbit at control01 rabbit at control02 rabbit at control03 Versions rabbit at control01: RabbitMQ 3.8.3 on Erlang 22.2.7 rabbit at control02: RabbitMQ 3.8.3 on Erlang 22.2.7 rabbit at control03: RabbitMQ 3.8.3 on Erlang 22.2.7 ---snip--- During failover it's not unexpected that a message gets lost, but it should be resent, I believe. How is your openstack deployed? Zitat von Nguy?n H?u Kh?i : > Hello. 
> 2 remain nodes still running, here is my output: > Basics > > Cluster name: rabbit at controller01 > > Disk Nodes > > rabbit at controller01 > rabbit at controller02 > rabbit at controller03 > > Running Nodes > > rabbit at controller01 > rabbit at controller03 > > Versions > > rabbit at controller01: RabbitMQ 3.8.35 on Erlang 23.3.4.18 > rabbit at controller03: RabbitMQ 3.8.35 on Erlang 23.3.4.18 > > Maintenance status > > Node: rabbit at controller01, status: not under maintenance > Node: rabbit at controller03, status: not under maintenance > > Alarms > > (none) > > Network Partitions > > (none) > > Listeners > > Node: rabbit at controller01, interface: [::], port: 15672, protocol: http, > purpose: HTTP API > Node: rabbit at controller01, interface: 183.81.13.227, port: 25672, protocol: > clustering, purpose: inter-node and CLI tool communication > Node: rabbit at controller01, interface: 183.81.13.227, port: 5672, protocol: > amqp, purpose: AMQP 0-9-1 and AMQP 1.0 > Node: rabbit at controller03, interface: [::], port: 15672, protocol: http, > purpose: HTTP API > Node: rabbit at controller03, interface: 183.81.13.229, port: 25672, protocol: > clustering, purpose: inter-node and CLI tool communication > Node: rabbit at controller03, interface: 183.81.13.229, port: 5672, protocol: > amqp, purpose: AMQP 0-9-1 and AMQP 1.0 > > Feature flags > > Flag: drop_unroutable_metric, state: enabled > Flag: empty_basic_get_metric, state: enabled > Flag: implicit_default_bindings, state: enabled > Flag: maintenance_mode_status, state: enabled > Flag: quorum_queue, state: enabled > Flag: user_limits, state: enabled > Flag: virtual_host_metadata, state: enabled > > I used ha_queues mode all > But it is not better. > Nguyen Huu Khoi > > > On Tue, Oct 18, 2022 at 7:19 AM Nguy?n H?u Kh?i > wrote: > >> Description >> =========== >> I set up 3 controllers and 3 compute nodes. My system cannot work well >> when 1 rabbit node in cluster rabbitmq is down, cannot launch instances. It >> stucked at scheduling. >> >> Steps to reproduce >> =========== >> Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// >> * Reboot 1 of 3 rabbitmq node. >> * Create instances then it stucked at scheduling. >> >> Workaround >> =========== >> Point to rabbitmq VIP address. But We cannot share the load with this >> solution. Please give me some suggestions. Thank you very much. >> I did google and enabled system log's debug but I still cannot understand >> why. >> >> Nguyen Huu Khoi >> From nguyenhuukhoinw at gmail.com Mon Oct 24 11:23:35 2022 From: nguyenhuukhoinw at gmail.com (=?UTF-8?B?Tmd1eeG7hW4gSOG7r3UgS2jDtGk=?=) Date: Mon, 24 Oct 2022 18:23:35 +0700 Subject: Openstack cluster cannot create instances when 1 of 3 rabbitmq cluster node down In-Reply-To: <20221024103557.Horde.2TO2Li_lBDYO88_RsdHZz4I@webmail.nde.ag> References: <20221024103557.Horde.2TO2Li_lBDYO88_RsdHZz4I@webmail.nde.ag> Message-ID: Hello. Sorry for that. I just want to notice that both nova and cinder have this problem, When diving to logs on both service I see: ERROR oslo.messaging._drivers.impl_rabbit [-] [8634b511-7eee-4e50-8efd-b96d420e9914] AMQP server on [node was down]:5672 is unreachable: . 
Trying again in 1 seconds.: amqp.exceptions.RecoverableConnectionError: and 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task Traceback (most recent call last): 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 441, in get 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return self._queues[msg_id].get(block=True, timeout=timeout) 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/queue.py", line 322, in get 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return waiter.wait() 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/queue.py", line 141, in wait 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return get_hub().switch() 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/hubs/hub.py", line 313, in switch2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return self.greenlet.switch() 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task _queue.Empty 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task During handling of the above exception, another exception occurred: 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task Traceback (most recent call last): 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_service/periodic_task.py", line 216, in run_periodic_tasks 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task task(self, context) 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/nova/compute/manager.py", line 9716, in _sync_power_states 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task db_instances = objects.InstanceList.get_by_host(context, self.host, 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_versionedobjects/base.py", line 175, in wrapper 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = cls.indirection_api.object_class_action_versions( 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/nova/conductor/rpcapi.py", line 240, in object_class_action_versions 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return cctxt.call(context, 'object_class_action_versions', 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/rpc/client.py", line 189, in call 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = self.transport._send( 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/transport.py", line 123, in _send 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return self._driver.send(target, ctxt, message, 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 689, in send 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return self._send(target, ctxt, message, wait_for_reply, timeout, 2022-10-24 
14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 678, in _send 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = self._waiter.wait(msg_id, timeout, 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 567, in wait 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task message = self.waiters.get(msg_id, timeout=timeout) 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 443, in get 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task raise oslo_messaging.MessagingTimeout( 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task oslo_messaging.exceptions.MessagingTimeout: Timed out waiting for a reply to message ID c8a676a9709242908dcff97046d7976d *** I use cluster rabbitmq with ha-policy for exchange and queue. These logs are gone when I restart cinder and nova services. Nguyen Huu Khoi On Mon, Oct 24, 2022 at 5:42 PM Eugen Block wrote: > You don't need to create a new thread with the same issue. > Do the rabbitmq logs reveal anything? We create a cluster within > rabbitmq and the output looks like this: > > ---snip--- > control01:~ # rabbitmqctl cluster_status > Cluster status of node rabbit at control01 ... > Basics > > Cluster name: rabbit at rabbitmq-cluster > > Disk Nodes > > rabbit at control01 > rabbit at control02 > rabbit at control03 > > Running Nodes > > rabbit at control01 > rabbit at control02 > rabbit at control03 > > Versions > > rabbit at control01: RabbitMQ 3.8.3 on Erlang 22.2.7 > rabbit at control02: RabbitMQ 3.8.3 on Erlang 22.2.7 > rabbit at control03: RabbitMQ 3.8.3 on Erlang 22.2.7 > ---snip--- > > During failover it's not unexpected that a message gets lost, but it > should be resent, I believe. How is your openstack deployed? > > > Zitat von Nguy?n H?u Kh?i : > > > Hello. 
> > 2 remain nodes still running, here is my output: > > Basics > > > > Cluster name: rabbit at controller01 > > > > Disk Nodes > > > > rabbit at controller01 > > rabbit at controller02 > > rabbit at controller03 > > > > Running Nodes > > > > rabbit at controller01 > > rabbit at controller03 > > > > Versions > > > > rabbit at controller01: RabbitMQ 3.8.35 on Erlang 23.3.4.18 > > rabbit at controller03: RabbitMQ 3.8.35 on Erlang 23.3.4.18 > > > > Maintenance status > > > > Node: rabbit at controller01, status: not under maintenance > > Node: rabbit at controller03, status: not under maintenance > > > > Alarms > > > > (none) > > > > Network Partitions > > > > (none) > > > > Listeners > > > > Node: rabbit at controller01, interface: [::], port: 15672, protocol: http, > > purpose: HTTP API > > Node: rabbit at controller01, interface: 183.81.13.227, port: 25672, > protocol: > > clustering, purpose: inter-node and CLI tool communication > > Node: rabbit at controller01, interface: 183.81.13.227, port: 5672, > protocol: > > amqp, purpose: AMQP 0-9-1 and AMQP 1.0 > > Node: rabbit at controller03, interface: [::], port: 15672, protocol: http, > > purpose: HTTP API > > Node: rabbit at controller03, interface: 183.81.13.229, port: 25672, > protocol: > > clustering, purpose: inter-node and CLI tool communication > > Node: rabbit at controller03, interface: 183.81.13.229, port: 5672, > protocol: > > amqp, purpose: AMQP 0-9-1 and AMQP 1.0 > > > > Feature flags > > > > Flag: drop_unroutable_metric, state: enabled > > Flag: empty_basic_get_metric, state: enabled > > Flag: implicit_default_bindings, state: enabled > > Flag: maintenance_mode_status, state: enabled > > Flag: quorum_queue, state: enabled > > Flag: user_limits, state: enabled > > Flag: virtual_host_metadata, state: enabled > > > > I used ha_queues mode all > > But it is not better. > > Nguyen Huu Khoi > > > > > > On Tue, Oct 18, 2022 at 7:19 AM Nguy?n H?u Kh?i < > nguyenhuukhoinw at gmail.com> > > wrote: > > > >> Description > >> =========== > >> I set up 3 controllers and 3 compute nodes. My system cannot work well > >> when 1 rabbit node in cluster rabbitmq is down, cannot launch > instances. It > >> stucked at scheduling. > >> > >> Steps to reproduce > >> =========== > >> Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// > >> * Reboot 1 of 3 rabbitmq node. > >> * Create instances then it stucked at scheduling. > >> > >> Workaround > >> =========== > >> Point to rabbitmq VIP address. But We cannot share the load with this > >> solution. Please give me some suggestions. Thank you very much. > >> I did google and enabled system log's debug but I still cannot > understand > >> why. > >> > >> Nguyen Huu Khoi > >> > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From roberto.acosta at luizalabs.com Mon Oct 24 11:52:38 2022 From: roberto.acosta at luizalabs.com (ROBERTO BARTZEN ACOSTA) Date: Mon, 24 Oct 2022 08:52:38 -0300 Subject: Openstack cluster cannot create instances when 1 of 3 rabbitmq cluster node down In-Reply-To: References: <20221024103557.Horde.2TO2Li_lBDYO88_RsdHZz4I@webmail.nde.ag> Message-ID: Hey folks, I believe this problem is related to the maximum timeout in the pool loop, and was introduced in this thread [1] with this specific commit [2]. 
[1] https://bugs.launchpad.net/oslo.messaging/+bug/1935864 [2] https://opendev.org/openstack/oslo.messaging/commit/bdcf915e788bb368774e5462ccc15e6f5b7223d7 Corey Bryant proposed a workaround removing this commit [2] and building an alternate ubuntu pkg in this thread [3], but the root cause needs to be investigated because it was originally modified to solve the issue [1]. [3] https://bugs.launchpad.net/ubuntu/jammy/+source/python-oslo.messaging/+bug/1993149 Regards, Roberto Em seg., 24 de out. de 2022 ?s 08:30, Nguy?n H?u Kh?i < nguyenhuukhoinw at gmail.com> escreveu: > Hello. Sorry for that. > I just want to notice that both nova and cinder have this problem, > When diving to logs on both service I see: > ERROR oslo.messaging._drivers.impl_rabbit [-] > [8634b511-7eee-4e50-8efd-b96d420e9914] AMQP server on [node was down]:5672 > is unreachable: . Trying again > in 1 seconds.: amqp.exceptions.RecoverableConnectionError: > > > and > > > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task Traceback (most > recent call last): > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", > line 441, in get > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return > self._queues[msg_id].get(block=True, timeout=timeout) > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/queue.py", line > 322, in get > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return > waiter.wait() > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/queue.py", line > 141, in wait > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return > get_hub().switch() > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/hubs/hub.py", > line 313, in switch2022-10-24 14:23:01.945 7 ERROR > oslo_service.periodic_task return self.greenlet.switch() > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task _queue.Empty > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task During handling > of the above exception, another exception occurred: > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task Traceback (most > recent call last): > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_service/periodic_task.py", > line 216, in run_periodic_tasks > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task task(self, > context) > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/nova/compute/manager.py", > line 9716, in _sync_power_states > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task > db_instances = objects.InstanceList.get_by_host(context, self.host, > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_versionedobjects/base.py", > line 175, in wrapper > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = > cls.indirection_api.object_class_action_versions( > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/nova/conductor/rpcapi.py", > line 240, in 
object_class_action_versions > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return > cctxt.call(context, 'object_class_action_versions', > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/rpc/client.py", > line 189, in call > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = > self.transport._send( > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/transport.py", > line 123, in _send > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return > self._driver.send(target, ctxt, message, > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", > line 689, in send > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return > self._send(target, ctxt, message, wait_for_reply, timeout, > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", > line 678, in _send > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = > self._waiter.wait(msg_id, timeout, > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", > line 567, in wait > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task message = > self.waiters.get(msg_id, timeout=timeout) > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File > "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", > line 443, in get > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task raise > oslo_messaging.MessagingTimeout( > 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task > oslo_messaging.exceptions.MessagingTimeout: Timed out waiting for a reply > to message ID c8a676a9709242908dcff97046d7976d > > *** I use cluster rabbitmq with ha-policy for exchange and queue. These > logs are gone when I restart cinder and nova services. > > > > Nguyen Huu Khoi > > > On Mon, Oct 24, 2022 at 5:42 PM Eugen Block wrote: > >> You don't need to create a new thread with the same issue. >> Do the rabbitmq logs reveal anything? We create a cluster within >> rabbitmq and the output looks like this: >> >> ---snip--- >> control01:~ # rabbitmqctl cluster_status >> Cluster status of node rabbit at control01 ... >> Basics >> >> Cluster name: rabbit at rabbitmq-cluster >> >> Disk Nodes >> >> rabbit at control01 >> rabbit at control02 >> rabbit at control03 >> >> Running Nodes >> >> rabbit at control01 >> rabbit at control02 >> rabbit at control03 >> >> Versions >> >> rabbit at control01: RabbitMQ 3.8.3 on Erlang 22.2.7 >> rabbit at control02: RabbitMQ 3.8.3 on Erlang 22.2.7 >> rabbit at control03: RabbitMQ 3.8.3 on Erlang 22.2.7 >> ---snip--- >> >> During failover it's not unexpected that a message gets lost, but it >> should be resent, I believe. How is your openstack deployed? >> >> >> Zitat von Nguy?n H?u Kh?i : >> >> > Hello. 
>> > 2 remain nodes still running, here is my output: >> > Basics >> > >> > Cluster name: rabbit at controller01 >> > >> > Disk Nodes >> > >> > rabbit at controller01 >> > rabbit at controller02 >> > rabbit at controller03 >> > >> > Running Nodes >> > >> > rabbit at controller01 >> > rabbit at controller03 >> > >> > Versions >> > >> > rabbit at controller01: RabbitMQ 3.8.35 on Erlang 23.3.4.18 >> > rabbit at controller03: RabbitMQ 3.8.35 on Erlang 23.3.4.18 >> > >> > Maintenance status >> > >> > Node: rabbit at controller01, status: not under maintenance >> > Node: rabbit at controller03, status: not under maintenance >> > >> > Alarms >> > >> > (none) >> > >> > Network Partitions >> > >> > (none) >> > >> > Listeners >> > >> > Node: rabbit at controller01, interface: [::], port: 15672, protocol: >> http, >> > purpose: HTTP API >> > Node: rabbit at controller01, interface: 183.81.13.227, port: 25672, >> protocol: >> > clustering, purpose: inter-node and CLI tool communication >> > Node: rabbit at controller01, interface: 183.81.13.227, port: 5672, >> protocol: >> > amqp, purpose: AMQP 0-9-1 and AMQP 1.0 >> > Node: rabbit at controller03, interface: [::], port: 15672, protocol: >> http, >> > purpose: HTTP API >> > Node: rabbit at controller03, interface: 183.81.13.229, port: 25672, >> protocol: >> > clustering, purpose: inter-node and CLI tool communication >> > Node: rabbit at controller03, interface: 183.81.13.229, port: 5672, >> protocol: >> > amqp, purpose: AMQP 0-9-1 and AMQP 1.0 >> > >> > Feature flags >> > >> > Flag: drop_unroutable_metric, state: enabled >> > Flag: empty_basic_get_metric, state: enabled >> > Flag: implicit_default_bindings, state: enabled >> > Flag: maintenance_mode_status, state: enabled >> > Flag: quorum_queue, state: enabled >> > Flag: user_limits, state: enabled >> > Flag: virtual_host_metadata, state: enabled >> > >> > I used ha_queues mode all >> > But it is not better. >> > Nguyen Huu Khoi >> > >> > >> > On Tue, Oct 18, 2022 at 7:19 AM Nguy?n H?u Kh?i < >> nguyenhuukhoinw at gmail.com> >> > wrote: >> > >> >> Description >> >> =========== >> >> I set up 3 controllers and 3 compute nodes. My system cannot work well >> >> when 1 rabbit node in cluster rabbitmq is down, cannot launch >> instances. It >> >> stucked at scheduling. >> >> >> >> Steps to reproduce >> >> =========== >> >> Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// >> >> * Reboot 1 of 3 rabbitmq node. >> >> * Create instances then it stucked at scheduling. >> >> >> >> Workaround >> >> =========== >> >> Point to rabbitmq VIP address. But We cannot share the load with this >> >> solution. Please give me some suggestions. Thank you very much. >> >> I did google and enabled system log's debug but I still cannot >> understand >> >> why. >> >> >> >> Nguyen Huu Khoi >> >> >> >> >> >> >> -- _?Esta mensagem ? direcionada apenas para os endere?os constantes no cabe?alho inicial. Se voc? n?o est? listado nos endere?os constantes no cabe?alho, pedimos-lhe que desconsidere completamente o conte?do dessa mensagem e cuja c?pia, encaminhamento e/ou execu??o das a??es citadas est?o imediatamente anuladas e proibidas?._ *?**?Apesar do Magazine Luiza tomar todas as precau??es razo?veis para assegurar que nenhum v?rus esteja presente nesse e-mail, a empresa n?o poder? aceitar a responsabilidade por quaisquer perdas ou danos causados por esse e-mail ou por seus anexos?.* -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From nguyenhuukhoinw at gmail.com Mon Oct 24 12:07:17 2022 From: nguyenhuukhoinw at gmail.com (=?UTF-8?B?Tmd1eeG7hW4gSOG7r3UgS2jDtGk=?=) Date: Mon, 24 Oct 2022 19:07:17 +0700 Subject: Openstack cluster cannot create instances when 1 of 3 rabbitmq cluster node down In-Reply-To: References: <20221024103557.Horde.2TO2Li_lBDYO88_RsdHZz4I@webmail.nde.ag> Message-ID: Thank you for your response. This is exactly what I am facing. But I don't know how I can workaround it. Because I deploy with Kolla-Ansible Xena.. My current workaround is point oslo.messaging to VIP. BTW, I am very glad when We know why it happened. Nguyen Huu Khoi On Mon, Oct 24, 2022 at 6:52 PM ROBERTO BARTZEN ACOSTA < roberto.acosta at luizalabs.com> wrote: > Hey folks, > > I believe this problem is related to the maximum timeout in the pool loop, > and was introduced in this thread [1] with this specific commit [2]. > > [1] https://bugs.launchpad.net/oslo.messaging/+bug/1935864 > [2] > https://opendev.org/openstack/oslo.messaging/commit/bdcf915e788bb368774e5462ccc15e6f5b7223d7 > > Corey Bryant proposed a workaround removing this commit [2] and building > an alternate ubuntu pkg in this thread [3], but the root cause needs to be > investigated because it was originally modified to solve the issue [1]. > > [3] > https://bugs.launchpad.net/ubuntu/jammy/+source/python-oslo.messaging/+bug/1993149 > > Regards, > Roberto > > > > Em seg., 24 de out. de 2022 ?s 08:30, Nguy?n H?u Kh?i < > nguyenhuukhoinw at gmail.com> escreveu: > >> Hello. Sorry for that. >> I just want to notice that both nova and cinder have this problem, >> When diving to logs on both service I see: >> ERROR oslo.messaging._drivers.impl_rabbit [-] >> [8634b511-7eee-4e50-8efd-b96d420e9914] AMQP server on [node was down]:5672 >> is unreachable: . 
Trying again >> in 1 seconds.: amqp.exceptions.RecoverableConnectionError: >> >> >> and >> >> >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task Traceback >> (most recent call last): >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", >> line 441, in get >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >> self._queues[msg_id].get(block=True, timeout=timeout) >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/queue.py", line >> 322, in get >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >> waiter.wait() >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/queue.py", line >> 141, in wait >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >> get_hub().switch() >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/hubs/hub.py", >> line 313, in switch2022-10-24 14:23:01.945 7 ERROR >> oslo_service.periodic_task return self.greenlet.switch() >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task _queue.Empty >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task During >> handling of the above exception, another exception occurred: >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task Traceback >> (most recent call last): >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_service/periodic_task.py", >> line 216, in run_periodic_tasks >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task task(self, >> context) >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/nova/compute/manager.py", >> line 9716, in _sync_power_states >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task >> db_instances = objects.InstanceList.get_by_host(context, self.host, >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_versionedobjects/base.py", >> line 175, in wrapper >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = >> cls.indirection_api.object_class_action_versions( >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/nova/conductor/rpcapi.py", >> line 240, in object_class_action_versions >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >> cctxt.call(context, 'object_class_action_versions', >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/rpc/client.py", >> line 189, in call >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = >> self.transport._send( >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/transport.py", >> line 123, in _send >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >> self._driver.send(target, ctxt, message, >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> 
"/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", >> line 689, in send >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >> self._send(target, ctxt, message, wait_for_reply, timeout, >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", >> line 678, in _send >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = >> self._waiter.wait(msg_id, timeout, >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", >> line 567, in wait >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task message = >> self.waiters.get(msg_id, timeout=timeout) >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", >> line 443, in get >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task raise >> oslo_messaging.MessagingTimeout( >> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task >> oslo_messaging.exceptions.MessagingTimeout: Timed out waiting for a reply >> to message ID c8a676a9709242908dcff97046d7976d >> >> *** I use cluster rabbitmq with ha-policy for exchange and queue. These >> logs are gone when I restart cinder and nova services. >> >> >> >> Nguyen Huu Khoi >> >> >> On Mon, Oct 24, 2022 at 5:42 PM Eugen Block wrote: >> >>> You don't need to create a new thread with the same issue. >>> Do the rabbitmq logs reveal anything? We create a cluster within >>> rabbitmq and the output looks like this: >>> >>> ---snip--- >>> control01:~ # rabbitmqctl cluster_status >>> Cluster status of node rabbit at control01 ... >>> Basics >>> >>> Cluster name: rabbit at rabbitmq-cluster >>> >>> Disk Nodes >>> >>> rabbit at control01 >>> rabbit at control02 >>> rabbit at control03 >>> >>> Running Nodes >>> >>> rabbit at control01 >>> rabbit at control02 >>> rabbit at control03 >>> >>> Versions >>> >>> rabbit at control01: RabbitMQ 3.8.3 on Erlang 22.2.7 >>> rabbit at control02: RabbitMQ 3.8.3 on Erlang 22.2.7 >>> rabbit at control03: RabbitMQ 3.8.3 on Erlang 22.2.7 >>> ---snip--- >>> >>> During failover it's not unexpected that a message gets lost, but it >>> should be resent, I believe. How is your openstack deployed? >>> >>> >>> Zitat von Nguy?n H?u Kh?i : >>> >>> > Hello. 
>>> > 2 remain nodes still running, here is my output: >>> > Basics >>> > >>> > Cluster name: rabbit at controller01 >>> > >>> > Disk Nodes >>> > >>> > rabbit at controller01 >>> > rabbit at controller02 >>> > rabbit at controller03 >>> > >>> > Running Nodes >>> > >>> > rabbit at controller01 >>> > rabbit at controller03 >>> > >>> > Versions >>> > >>> > rabbit at controller01: RabbitMQ 3.8.35 on Erlang 23.3.4.18 >>> > rabbit at controller03: RabbitMQ 3.8.35 on Erlang 23.3.4.18 >>> > >>> > Maintenance status >>> > >>> > Node: rabbit at controller01, status: not under maintenance >>> > Node: rabbit at controller03, status: not under maintenance >>> > >>> > Alarms >>> > >>> > (none) >>> > >>> > Network Partitions >>> > >>> > (none) >>> > >>> > Listeners >>> > >>> > Node: rabbit at controller01, interface: [::], port: 15672, protocol: >>> http, >>> > purpose: HTTP API >>> > Node: rabbit at controller01, interface: 183.81.13.227, port: 25672, >>> protocol: >>> > clustering, purpose: inter-node and CLI tool communication >>> > Node: rabbit at controller01, interface: 183.81.13.227, port: 5672, >>> protocol: >>> > amqp, purpose: AMQP 0-9-1 and AMQP 1.0 >>> > Node: rabbit at controller03, interface: [::], port: 15672, protocol: >>> http, >>> > purpose: HTTP API >>> > Node: rabbit at controller03, interface: 183.81.13.229, port: 25672, >>> protocol: >>> > clustering, purpose: inter-node and CLI tool communication >>> > Node: rabbit at controller03, interface: 183.81.13.229, port: 5672, >>> protocol: >>> > amqp, purpose: AMQP 0-9-1 and AMQP 1.0 >>> > >>> > Feature flags >>> > >>> > Flag: drop_unroutable_metric, state: enabled >>> > Flag: empty_basic_get_metric, state: enabled >>> > Flag: implicit_default_bindings, state: enabled >>> > Flag: maintenance_mode_status, state: enabled >>> > Flag: quorum_queue, state: enabled >>> > Flag: user_limits, state: enabled >>> > Flag: virtual_host_metadata, state: enabled >>> > >>> > I used ha_queues mode all >>> > But it is not better. >>> > Nguyen Huu Khoi >>> > >>> > >>> > On Tue, Oct 18, 2022 at 7:19 AM Nguy?n H?u Kh?i < >>> nguyenhuukhoinw at gmail.com> >>> > wrote: >>> > >>> >> Description >>> >> =========== >>> >> I set up 3 controllers and 3 compute nodes. My system cannot work well >>> >> when 1 rabbit node in cluster rabbitmq is down, cannot launch >>> instances. It >>> >> stucked at scheduling. >>> >> >>> >> Steps to reproduce >>> >> =========== >>> >> Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// >>> >> * Reboot 1 of 3 rabbitmq node. >>> >> * Create instances then it stucked at scheduling. >>> >> >>> >> Workaround >>> >> =========== >>> >> Point to rabbitmq VIP address. But We cannot share the load with this >>> >> solution. Please give me some suggestions. Thank you very much. >>> >> I did google and enabled system log's debug but I still cannot >>> understand >>> >> why. >>> >> >>> >> Nguyen Huu Khoi >>> >> >>> >>> >>> >>> >>> > > *?Esta mensagem ? direcionada apenas para os endere?os constantes no > cabe?alho inicial. Se voc? n?o est? listado nos endere?os constantes no > cabe?alho, pedimos-lhe que desconsidere completamente o conte?do dessa > mensagem e cuja c?pia, encaminhamento e/ou execu??o das a??es citadas est?o > imediatamente anuladas e proibidas?.* > > *?Apesar do Magazine Luiza tomar todas as precau??es razo?veis para > assegurar que nenhum v?rus esteja presente nesse e-mail, a empresa n?o > poder? 
aceitar a responsabilidade por quaisquer perdas ou danos causados > por esse e-mail ou por seus anexos?.* > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Mon Oct 24 13:00:34 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Mon, 24 Oct 2022 14:00:34 +0100 Subject: [kolla-ansible][Yoga] Deployment stuck In-Reply-To: References: Message-ID: Anyone???? Le lun. 24 oct. 2022 ? 07:53, wodel youchi a ?crit : > Hi, > > My setup is simple, it's an hci deployment composed of 3 controllers nodes > and 6 compute and storage nodes. > I am using ceph-ansible for deploying the storage part and the deployment > goes well. > > My base OS is Rocky Linux 8 fully updated. > > My network is composed of a 1Gb management network for OS, application > deployment and server management. And a 40Gb with LACP (80Gb) data network. > I am using vlans to segregate openstack networks. > > I updated both Xena and Yoga kolla-ansible package I updated several times > the container images (I am using a local registry). > > No matter how many times I tried to deploy it's the same behavior. The > setup gets stuck somewhere. > > I tried to deploy the core modules without SSL, I tried to use an older > kernel, I tried to use the 40Gb network to deploy, nothing works. The > problem is the lack of error if there was one it would have been a starting > point but I have nothing. > > Regards. > > On Sun, Oct 23, 2022, 00:42 wodel youchi wrote: > >> Hi, >> >> Here you can find the kolla-ansible *deploy *log with ANSIBLE_DEBUG=1 >> >> Regards. >> >> Le sam. 22 oct. 2022 ? 23:55, wodel youchi a >> ?crit : >> >>> Hi, >>> >>> I am trying to deploy a new platform using kolla-ansible Yoga and I am >>> trying to upgrade another platform from Xena to yoga. >>> >>> On both platforms the prechecks went well, but when I start the process >>> of deployment for the first and upgrade for the second, the process gets >>> stuck. >>> >>> I tried to tail -f /var/log/kolla/*/*.log but I can't get hold of the >>> cause. >>> >>> In the first platform, some services get deployed, and at some point the >>> script gets stuck, several times in the modprobe phase. 
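(A rough, untested checklist for a hang like this, run on the target node while
the play appears stuck -- the module and container names below are assumptions,
not taken from this thread:

  ps -eo pid,stat,wchan:32,etime,cmd | grep -E '[m]odprobe|[a]nsible'  # is a modprobe actually blocked in the kernel?
  dmesg -T | tail -n 50                                                # kernel messages around the module load
  lsmod | grep -E 'openvswitch|ip_vs|dm_multipath'                     # modules kolla-ansible typically loads
  docker ps -a --format '{{.Names}}\t{{.Status}}'                      # containers stuck in Created/Restarting?

Setting ANSIBLE_LOG_PATH before re-running the deploy also keeps a persistent
record of the last task Ansible dispatched before the hang.)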
>>> >>> In the second platform, the upgrade gets stuck on : >>> >>> Escalation succeeded >>> [204/1859] >>> <20.3.0.28> (0, b'\n{"path": "/etc/kolla/cron", "changed": false, >>> "diff": {"before": {"path": "/etc/kolla/cro >>> n"}, "after": {"path": "/etc/kolla/cron"}}, "uid": 0, "gid": 0, "owner": >>> "root", "group": "root", "mode": "07 >>> 70", "state": "directory", "secontext": >>> "unconfined_u:object_r:etc_t:s0", "size": 70, "invocation": {"module_ >>> args": {"path": "/etc/kolla/cron", "owner": "root", "group": "root", >>> "mode": "0770", "recurse": false, "force >>> ": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", >>> "access_time_format": "%Y%m%d%H%M.%S", >>> "unsafe_writes": false, "state": "directory", "_original_basename": >>> null, "_diff_peek": null, "src": null, " >>> modification_time": null, "access_time": null, "seuser": null, "serole": >>> null, "selevel": null, "setype": nul >>> l, "attributes": null}}}\n', b'') >>> ok: [20.3.0.28] => (item={'key': 'cron', 'value': {'container_name': >>> 'cron', 'group': 'cron', 'enabled': True >>> , 'image': '20.3.0.34:4000/openstack.kolla/centos-source-cron:yoga', >>> 'environment': {'DUMMY_ENVIRONMENT': 'ko >>> lla_useless_env', 'KOLLA_LOGROTATE_SCHEDULE': 'daily'}, 'volumes': >>> ['/etc/kolla/cron/:/var/lib/kolla/config_f >>> iles/:ro', '/etc/localtime:/etc/localtime:ro', '', >>> 'kolla_logs:/var/log/kolla/'], 'dimensions': {}}}) => { >>> "ansible_loop_var": "item", >>> "changed": false, >>> "diff": { >>> "after": { >>> "path": "/etc/kolla/cron" >>> }, >>> "before": { >>> "path": "/etc/kolla/cron" >>> } >>> }, >>> "gid": 0, >>> "group": "root", >>> >>> How to start debugging the situation. >>> >>> Regards. >>> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From nguyenhuukhoinw at gmail.com Mon Oct 24 13:19:01 2022 From: nguyenhuukhoinw at gmail.com (=?UTF-8?B?Tmd1eeG7hW4gSOG7r3UgS2jDtGk=?=) Date: Mon, 24 Oct 2022 20:19:01 +0700 Subject: Openstack cluster cannot create instances when 1 of 3 rabbitmq cluster node down In-Reply-To: References: <20221024103557.Horde.2TO2Li_lBDYO88_RsdHZz4I@webmail.nde.ag> Message-ID: Hello. I have checked that my Openstack is Xena and oslo.messaging is 12.9.4. The problem still happens. I confirm that. Nguyen Huu Khoi On Mon, Oct 24, 2022 at 7:07 PM Nguy?n H?u Kh?i wrote: > Thank you for your response. This is exactly what I am facing. But I don't > know how I can workaround it. Because I deploy with Kolla-Ansible Xena.. My > current workaround is point oslo.messaging to VIP. BTW, I am very glad > when We know why it happened. > > Nguyen Huu Khoi > > > On Mon, Oct 24, 2022 at 6:52 PM ROBERTO BARTZEN ACOSTA < > roberto.acosta at luizalabs.com> wrote: > >> Hey folks, >> >> I believe this problem is related to the maximum timeout in the pool >> loop, and was introduced in this thread [1] with this specific commit [2]. >> >> [1] https://bugs.launchpad.net/oslo.messaging/+bug/1935864 >> [2] >> https://opendev.org/openstack/oslo.messaging/commit/bdcf915e788bb368774e5462ccc15e6f5b7223d7 >> >> Corey Bryant proposed a workaround removing this commit [2] and building >> an alternate ubuntu pkg in this thread [3], but the root cause needs to be >> investigated because it was originally modified to solve the issue [1]. >> >> [3] >> https://bugs.launchpad.net/ubuntu/jammy/+source/python-oslo.messaging/+bug/1993149 >> >> Regards, >> Roberto >> >> >> >> Em seg., 24 de out. 
de 2022 ?s 08:30, Nguy?n H?u Kh?i < >> nguyenhuukhoinw at gmail.com> escreveu: >> >>> Hello. Sorry for that. >>> I just want to notice that both nova and cinder have this problem, >>> When diving to logs on both service I see: >>> ERROR oslo.messaging._drivers.impl_rabbit [-] >>> [8634b511-7eee-4e50-8efd-b96d420e9914] AMQP server on [node was down]:5672 >>> is unreachable: . Trying again >>> in 1 seconds.: amqp.exceptions.RecoverableConnectionError: >>> >>> >>> and >>> >>> >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task Traceback >>> (most recent call last): >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", >>> line 441, in get >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >>> self._queues[msg_id].get(block=True, timeout=timeout) >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/queue.py", line >>> 322, in get >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >>> waiter.wait() >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/queue.py", line >>> 141, in wait >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >>> get_hub().switch() >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/eventlet/hubs/hub.py", >>> line 313, in switch2022-10-24 14:23:01.945 7 ERROR >>> oslo_service.periodic_task return self.greenlet.switch() >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task _queue.Empty >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task During >>> handling of the above exception, another exception occurred: >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task Traceback >>> (most recent call last): >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_service/periodic_task.py", >>> line 216, in run_periodic_tasks >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task >>> task(self, context) >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/nova/compute/manager.py", >>> line 9716, in _sync_power_states >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task >>> db_instances = objects.InstanceList.get_by_host(context, self.host, >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_versionedobjects/base.py", >>> line 175, in wrapper >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = >>> cls.indirection_api.object_class_action_versions( >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/nova/conductor/rpcapi.py", >>> line 240, in object_class_action_versions >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >>> cctxt.call(context, 'object_class_action_versions', >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/rpc/client.py", >>> line 189, in call >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task 
result = >>> self.transport._send( >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/transport.py", >>> line 123, in _send >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >>> self._driver.send(target, ctxt, message, >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", >>> line 689, in send >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task return >>> self._send(target, ctxt, message, wait_for_reply, timeout, >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", >>> line 678, in _send >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task result = >>> self._waiter.wait(msg_id, timeout, >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", >>> line 567, in wait >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task message = >>> self.waiters.get(msg_id, timeout=timeout) >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task File >>> "/var/lib/kolla/venv/lib/python3.8/site-packages/oslo_messaging/_drivers/amqpdriver.py", >>> line 443, in get >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task raise >>> oslo_messaging.MessagingTimeout( >>> 2022-10-24 14:23:01.945 7 ERROR oslo_service.periodic_task >>> oslo_messaging.exceptions.MessagingTimeout: Timed out waiting for a reply >>> to message ID c8a676a9709242908dcff97046d7976d >>> >>> *** I use cluster rabbitmq with ha-policy for exchange and queue. These >>> logs are gone when I restart cinder and nova services. >>> >>> >>> >>> Nguyen Huu Khoi >>> >>> >>> On Mon, Oct 24, 2022 at 5:42 PM Eugen Block wrote: >>> >>>> You don't need to create a new thread with the same issue. >>>> Do the rabbitmq logs reveal anything? We create a cluster within >>>> rabbitmq and the output looks like this: >>>> >>>> ---snip--- >>>> control01:~ # rabbitmqctl cluster_status >>>> Cluster status of node rabbit at control01 ... >>>> Basics >>>> >>>> Cluster name: rabbit at rabbitmq-cluster >>>> >>>> Disk Nodes >>>> >>>> rabbit at control01 >>>> rabbit at control02 >>>> rabbit at control03 >>>> >>>> Running Nodes >>>> >>>> rabbit at control01 >>>> rabbit at control02 >>>> rabbit at control03 >>>> >>>> Versions >>>> >>>> rabbit at control01: RabbitMQ 3.8.3 on Erlang 22.2.7 >>>> rabbit at control02: RabbitMQ 3.8.3 on Erlang 22.2.7 >>>> rabbit at control03: RabbitMQ 3.8.3 on Erlang 22.2.7 >>>> ---snip--- >>>> >>>> During failover it's not unexpected that a message gets lost, but it >>>> should be resent, I believe. How is your openstack deployed? >>>> >>>> >>>> Zitat von Nguy?n H?u Kh?i : >>>> >>>> > Hello. 
>>>> > 2 remain nodes still running, here is my output: >>>> > Basics >>>> > >>>> > Cluster name: rabbit at controller01 >>>> > >>>> > Disk Nodes >>>> > >>>> > rabbit at controller01 >>>> > rabbit at controller02 >>>> > rabbit at controller03 >>>> > >>>> > Running Nodes >>>> > >>>> > rabbit at controller01 >>>> > rabbit at controller03 >>>> > >>>> > Versions >>>> > >>>> > rabbit at controller01: RabbitMQ 3.8.35 on Erlang 23.3.4.18 >>>> > rabbit at controller03: RabbitMQ 3.8.35 on Erlang 23.3.4.18 >>>> > >>>> > Maintenance status >>>> > >>>> > Node: rabbit at controller01, status: not under maintenance >>>> > Node: rabbit at controller03, status: not under maintenance >>>> > >>>> > Alarms >>>> > >>>> > (none) >>>> > >>>> > Network Partitions >>>> > >>>> > (none) >>>> > >>>> > Listeners >>>> > >>>> > Node: rabbit at controller01, interface: [::], port: 15672, protocol: >>>> http, >>>> > purpose: HTTP API >>>> > Node: rabbit at controller01, interface: 183.81.13.227, port: 25672, >>>> protocol: >>>> > clustering, purpose: inter-node and CLI tool communication >>>> > Node: rabbit at controller01, interface: 183.81.13.227, port: 5672, >>>> protocol: >>>> > amqp, purpose: AMQP 0-9-1 and AMQP 1.0 >>>> > Node: rabbit at controller03, interface: [::], port: 15672, protocol: >>>> http, >>>> > purpose: HTTP API >>>> > Node: rabbit at controller03, interface: 183.81.13.229, port: 25672, >>>> protocol: >>>> > clustering, purpose: inter-node and CLI tool communication >>>> > Node: rabbit at controller03, interface: 183.81.13.229, port: 5672, >>>> protocol: >>>> > amqp, purpose: AMQP 0-9-1 and AMQP 1.0 >>>> > >>>> > Feature flags >>>> > >>>> > Flag: drop_unroutable_metric, state: enabled >>>> > Flag: empty_basic_get_metric, state: enabled >>>> > Flag: implicit_default_bindings, state: enabled >>>> > Flag: maintenance_mode_status, state: enabled >>>> > Flag: quorum_queue, state: enabled >>>> > Flag: user_limits, state: enabled >>>> > Flag: virtual_host_metadata, state: enabled >>>> > >>>> > I used ha_queues mode all >>>> > But it is not better. >>>> > Nguyen Huu Khoi >>>> > >>>> > >>>> > On Tue, Oct 18, 2022 at 7:19 AM Nguy?n H?u Kh?i < >>>> nguyenhuukhoinw at gmail.com> >>>> > wrote: >>>> > >>>> >> Description >>>> >> =========== >>>> >> I set up 3 controllers and 3 compute nodes. My system cannot work >>>> well >>>> >> when 1 rabbit node in cluster rabbitmq is down, cannot launch >>>> instances. It >>>> >> stucked at scheduling. >>>> >> >>>> >> Steps to reproduce >>>> >> =========== >>>> >> Openstack nodes point rabbit://node1:5672,node2:5672,node3:5672// >>>> >> * Reboot 1 of 3 rabbitmq node. >>>> >> * Create instances then it stucked at scheduling. >>>> >> >>>> >> Workaround >>>> >> =========== >>>> >> Point to rabbitmq VIP address. But We cannot share the load with this >>>> >> solution. Please give me some suggestions. Thank you very much. >>>> >> I did google and enabled system log's debug but I still cannot >>>> understand >>>> >> why. >>>> >> >>>> >> Nguyen Huu Khoi >>>> >> >>>> >>>> >>>> >>>> >>>> >> >> *?Esta mensagem ? direcionada apenas para os endere?os constantes no >> cabe?alho inicial. Se voc? n?o est? listado nos endere?os constantes no >> cabe?alho, pedimos-lhe que desconsidere completamente o conte?do dessa >> mensagem e cuja c?pia, encaminhamento e/ou execu??o das a??es citadas est?o >> imediatamente anuladas e proibidas?.* >> >> *?Apesar do Magazine Luiza tomar todas as precau??es razo?veis para >> assegurar que nenhum v?rus esteja presente nesse e-mail, a empresa n?o >> poder? 
aceitar a responsabilidade por quaisquer perdas ou danos causados >> por esse e-mail ou por seus anexos?.* >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Sat Oct 22 23:42:04 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Sun, 23 Oct 2022 00:42:04 +0100 Subject: [kolla-ansible][Yoga] Deployment stuck In-Reply-To: References: Message-ID: Hi, Here you can find the kolla-ansible *deploy *log with ANSIBLE_DEBUG=1 Regards. Le sam. 22 oct. 2022 ? 23:55, wodel youchi a ?crit : > Hi, > > I am trying to deploy a new platform using kolla-ansible Yoga and I am > trying to upgrade another platform from Xena to yoga. > > On both platforms the prechecks went well, but when I start the process of > deployment for the first and upgrade for the second, the process gets stuck. > > I tried to tail -f /var/log/kolla/*/*.log but I can't get hold of the > cause. > > In the first platform, some services get deployed, and at some point the > script gets stuck, several times in the modprobe phase. > > In the second platform, the upgrade gets stuck on : > > Escalation succeeded > [204/1859] > <20.3.0.28> (0, b'\n{"path": "/etc/kolla/cron", "changed": false, "diff": > {"before": {"path": "/etc/kolla/cro > n"}, "after": {"path": "/etc/kolla/cron"}}, "uid": 0, "gid": 0, "owner": > "root", "group": "root", "mode": "07 > 70", "state": "directory", "secontext": "unconfined_u:object_r:etc_t:s0", > "size": 70, "invocation": {"module_ > args": {"path": "/etc/kolla/cron", "owner": "root", "group": "root", > "mode": "0770", "recurse": false, "force > ": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", > "access_time_format": "%Y%m%d%H%M.%S", > "unsafe_writes": false, "state": "directory", "_original_basename": null, > "_diff_peek": null, "src": null, " > modification_time": null, "access_time": null, "seuser": null, "serole": > null, "selevel": null, "setype": nul > l, "attributes": null}}}\n', b'') > ok: [20.3.0.28] => (item={'key': 'cron', 'value': {'container_name': > 'cron', 'group': 'cron', 'enabled': True > , 'image': '20.3.0.34:4000/openstack.kolla/centos-source-cron:yoga', > 'environment': {'DUMMY_ENVIRONMENT': 'ko > lla_useless_env', 'KOLLA_LOGROTATE_SCHEDULE': 'daily'}, 'volumes': > ['/etc/kolla/cron/:/var/lib/kolla/config_f > iles/:ro', '/etc/localtime:/etc/localtime:ro', '', > 'kolla_logs:/var/log/kolla/'], 'dimensions': {}}}) => { > "ansible_loop_var": "item", > "changed": false, > "diff": { > "after": { > "path": "/etc/kolla/cron" > }, > "before": { > "path": "/etc/kolla/cron" > } > }, > "gid": 0, > "group": "root", > > How to start debugging the situation. > > Regards. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From zigo at debian.org Mon Oct 24 14:17:29 2022 From: zigo at debian.org (Thomas Goirand) Date: Mon, 24 Oct 2022 16:17:29 +0200 Subject: [telemetry][cloudkitty][ceilometer] Billing windows instances In-Reply-To: References: <07d23aac-fee9-cd11-bf25-5030dba2cf6c@debian.org> Message-ID: <0ad61cfd-4d00-6fb3-dc4d-a8f3384ddc48@debian.org> On 10/21/22 17:40, Rafael Weing?rtner wrote: > Hello Zigo!, > You might want to take a look at the new implementations we made in > ceilometer, and CloudKitty. 
> - https://review.opendev.org/c/openstack/cloudkitty/+/861806 > > - https://review.opendev.org/c/openstack/ceilometer/+/856178 > > - https://review.opendev.org/c/openstack/ceilometer/+/852021 > > - https://review.opendev.org/c/openstack/ceilometer/+/850253 > > - https://review.opendev.org/c/openstack/ceilometer/+/855953 > > > Not directly relate to this use case, but also might interest you: > - https://review.opendev.org/c/openstack/cloudkitty/+/861786 > > - https://review.opendev.org/c/openstack/cloudkitty/+/861807 > > - https://review.opendev.org/c/openstack/cloudkitty/+/861908 > > - https://review.opendev.org/c/openstack/ceilometer/+/856972 > > - https://review.opendev.org/c/openstack/ceilometer/+/861109 > > - https://review.opendev.org/c/openstack/ceilometer/+/856304 > > - https://review.opendev.org/c/openstack/ceilometer/+/856305 > > > > In short, we can now create Ceilometer compute dynamic pollsters, which > can execute scripts in the host, and check the actual operating system > installed in the VM. Then, this data can be pushed back to the storage > backend via Ceilometer as an attribute, which is then processed in > CloudKitty. Furthermore, we extended cloudkitty to generate different > ratings for the same metric. Therefore, by doing this, we do not need > multiple metrics to have different CloudKitty ratings appearing for > users. This allows us, for instance, to have one rating for the VM usage > itself, and others for each license, and so on. Hi Raphael! Thanks a lot for all of the above (both the patches merged upstream themselves, and taking the time to give me reference to them). We've backported this to our production version (ie: Victoria) without too much pain (it took me like 4 hours to do so, cherry-picking missing patches on top of which these were applied). We then wrote a quick command to produce a JSON containing the image type (as reported by the os_type property of the image) that we put in cache in the compute, and then dump this image type, and the associated project ID. This looks promising: we only need to write the dynamic pollster now! :) So really, thanks a lot. I'll let you know when we have a full solution (that I will also publish as free software). Cheers, Thomas Goirand (zigo) From jean-francois.taltavull at elca.ch Mon Oct 24 14:26:06 2022 From: jean-francois.taltavull at elca.ch (=?iso-8859-1?Q?Taltavull_Jean-Fran=E7ois?=) Date: Mon, 24 Oct 2022 14:26:06 +0000 Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size metric Message-ID: <3bb519ce13094cec91c8409fe165f7b1@elca.ch> Hello, I'm trying to get the 'radosgw.objects.size' metric, that is the total bucket objects size per tenant. I expected to get one sample per tenant but I get one sample per bucket instead, as with the 'rados.containers.objects.size' metric. Here is my pollster definition: ''' - name: "radosgw.objects.size" sample_type: "gauge" unit: "B" value_attribute: ". | value['usage'] | value.get('rgw.main',{'size':0}) | value['size']" url_path: "FQDN/admin/bucket?stats=True" module: "awsauth" authentication_object: "S3Auth" authentication_parameters: my_access_key,my_secret_key,FQDN user_id_attribute: "owner | value.split('$') | value[0]" project_id_attribute: "tenant" resource_id_attribute: "id" ''' I tried with "resource_id_attribute: "tenant" but it does not work better. Any idea ? Is there something wrong in the pollster definition ? 
Regards, Jean-Francois From rafaelweingartner at gmail.com Mon Oct 24 14:39:31 2022 From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=) Date: Mon, 24 Oct 2022 11:39:31 -0300 Subject: [telemetry][cloudkitty][ceilometer] Billing windows instances In-Reply-To: <0ad61cfd-4d00-6fb3-dc4d-a8f3384ddc48@debian.org> References: <07d23aac-fee9-cd11-bf25-5030dba2cf6c@debian.org> <0ad61cfd-4d00-6fb3-dc4d-a8f3384ddc48@debian.org> Message-ID: Awesome! i am glad to hear that you guys are managing to use it. If you need anything, please let me know. On Mon, Oct 24, 2022 at 11:21 AM Thomas Goirand wrote: > On 10/21/22 17:40, Rafael Weing?rtner wrote: > > Hello Zigo!, > > You might want to take a look at the new implementations we made in > > ceilometer, and CloudKitty. > > - https://review.opendev.org/c/openstack/cloudkitty/+/861806 > > > > - https://review.opendev.org/c/openstack/ceilometer/+/856178 > > > > - https://review.opendev.org/c/openstack/ceilometer/+/852021 > > > > - https://review.opendev.org/c/openstack/ceilometer/+/850253 > > > > - https://review.opendev.org/c/openstack/ceilometer/+/855953 > > > > > > Not directly relate to this use case, but also might interest you: > > - https://review.opendev.org/c/openstack/cloudkitty/+/861786 > > > > - https://review.opendev.org/c/openstack/cloudkitty/+/861807 > > > > - https://review.opendev.org/c/openstack/cloudkitty/+/861908 > > > > - https://review.opendev.org/c/openstack/ceilometer/+/856972 > > > > - https://review.opendev.org/c/openstack/ceilometer/+/861109 > > > > - https://review.opendev.org/c/openstack/ceilometer/+/856304 > > > > - https://review.opendev.org/c/openstack/ceilometer/+/856305 > > > > > > > > In short, we can now create Ceilometer compute dynamic pollsters, which > > can execute scripts in the host, and check the actual operating system > > installed in the VM. Then, this data can be pushed back to the storage > > backend via Ceilometer as an attribute, which is then processed in > > CloudKitty. Furthermore, we extended cloudkitty to generate different > > ratings for the same metric. Therefore, by doing this, we do not need > > multiple metrics to have different CloudKitty ratings appearing for > > users. This allows us, for instance, to have one rating for the VM usage > > itself, and others for each license, and so on. > > Hi Raphael! > > Thanks a lot for all of the above (both the patches merged upstream > themselves, and taking the time to give me reference to them). > > We've backported this to our production version (ie: Victoria) without > too much pain (it took me like 4 hours to do so, cherry-picking missing > patches on top of which these were applied). We then wrote a quick > command to produce a JSON containing the image type (as reported by the > os_type property of the image) that we put in cache in the compute, and > then dump this image type, and the associated project ID. This looks > promising: we only need to write the dynamic pollster now! :) > > So really, thanks a lot. I'll let you know when we have a full solution > (that I will also publish as free software). > > Cheers, > > Thomas Goirand (zigo) > > > -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From sbauza at redhat.com Mon Oct 24 16:49:46 2022 From: sbauza at redhat.com (Sylvain Bauza) Date: Mon, 24 Oct 2022 18:49:46 +0200 Subject: [nova][placement] 2023.1 Antelope PTG summary Message-ID: We're on a wetty Monday here and I guess this is time for me to take my pen again and write a PTG recap email for the current release, which is 2023.1 Antelope. Yet again, I *beg* you to *not* use any translation tool when reading any etherpad, including Google Chrome embedded translation or it would fully translate the whole etherpad content for *all* readers. In order to prevent any accidental misusage, here is a readonly copy of the Nova etherpad we had for the week https://etherpad.opendev.org/p/r.8ae4e0ef997aebfe626b2b272ff23f1b Again, I'm human and while I can write bugs (actually I write a lot of them), I can also write wrong things in this email and I can misinterpretate something precise. Apologies if so, and please don't refrain them yourself to correct me by replying to this email. Last but not the least, I'm more than open to any questions or remarks that would come from the reading of this long email. Good luck with this very long thread, you should maybe grab a coffee before starting to read it (and I promise to keep it as short as I can). ### Operator hours ### After the success of the productive Nova meet-and-greet session we held in Berlin (packed room w/ lots of feedback), we were eager to again have a discussion with operators, this time virtually which would have hopefully lowered the entry barrier by not requiring an in-person event in order to attend the session. Consequently, we allocated three timeslots of one hour, two back-to-back on Tuesday and one on Wednesday (on different times to arrange time differences between operators). Unfortunately, I have to write here that we only had a very small attendance on Tuesday with only three operators joining (but providing great feedback, thanks btw. !) and *none* on the 1-hour Wednesday slot. As a result, I won't provide statistics about release and project usage here as numbers are too low to be representative, but here is what we discussed : (again, a readonly etherpad is available here https://etherpad.opendev.org/p/r.aa8b12b385297b455138d35172698d48 for further context) # Upcoming features and general discussions - the possibility to mount Manila shares in Nova seems promising. - As nova doesn't support multiple physnets per neutron network today, this prevents the use of routed networks in some cases. - modifying our mod_wsgi usage to be allowed to pass some arguments is requested - operators seem interested in having PCI devices tracked in Placement # Pain points - getting inventories or used/availables resources in Placement becomes costly as it requires N calls, with N be the number of Resource Providers (instead of a single HTTP call). Problem has been acknowledged by the team and some design discussion occurred. - We should paginate on the flavors API and we need to fix the private > public flavor bug. - mediated devices disappearing at reboot is a problem. This has been discussed during the contributor session later, see below. - routing metrics are hard to manage when you have a long list of multiple ports attached. We eventually agreed on the fact the proposal fix could be an interesting feature for Neutron team to develop. That's it for the operators discussions. 
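To make the first pain point concrete, the pattern operators have to script
today looks roughly like the sketch below (assuming the osc-placement plugin
is installed; the loop itself is illustrative, not a proposed interface): one
call to list the resource providers, then one more call per provider for its
usage or inventory, i.e. N+1 HTTP requests for N providers.

  for rp in $(openstack resource provider list -f value -c uuid); do
      openstack resource provider usage show "$rp"        # one request per provider
      # openstack resource provider inventory list "$rp"  # and another per provider if inventories are needed
  done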
Let's now discuss about what we discussed in the contributors PTG agenda : ### Cross-project discussions Two projects this time were discussing with the Nova community : # Ironic-Nova The whole session was about the inconsistencies that were happening if a nova-compute was failing down with Ironic rebalancing the nodes. - we agreed on the fact this wasn't an easy problem to solve - a consensus was around the fact Ironic should support a sharding key so the Nova compute could use it instead of using hash rings. - JayF and johnthetubayguy agreed on codifying this idea into a spec - we'd hear feedback from operators about what they feel of the above migration (sharding their node cloud into sharding pieces and providing sharding details to nova) - in parallel of the above, documentation has to be amended in order to recommend for *existing deployments* to setup active/passive failover mode for Nova computes (instead of relying on hashring rebalances) # Neutron-Nova (I'll briefly cover the details here, as it will also be covered by the Neutron PTG recap) - while Nova is finishing up tracking of PCI devices in Placement this cycle, we agreed on defering the modeling of Neutron-based PCI requests until next cycle. This won't have any impact in terms of existing features that will continue to operate seamlessly. - the way we define switchdev capabilities as of now is incorrect. We agreed on modfying Nova to allow it to report such capabilities to Neutron. This may be a specless blueprint or just a bugfix (and then potential backportability), to be determined later. - MTUs are unfortunately immutable. If you change the MTU value by Neutron, you need to restart the instance( (or reattach the port). We consequently agreed on documenting this caveat, which is due to libvirt/qemu not able to change the MTU while the guest is running. - We eventually agreed on letting --hostname (parameter of an instance creation request) to represent a FQDN thru a nova microversion. This value won't be sanitized by nova and directly passed to Neutron as the hostname value. We also agreed on the fact Nova WON'T ever touch the port domain value in metadata, as this is not in the project scope to manage name domains. ### Procedural discussions (skip it if you're not interacting with the Nova contributors) ### # Zed retrospective - We had a productive Zed release and we made a good job on reducing bugs and bug reports. Kudos to the team again. - The microversions etherpad we had was nice but planning microversions usage is hard. WE agreed on rather providing a document to contributors explaining them how to write an API change that adds a new microversion and how to easily rebase this change if a merge conflict occurs (due to the micoversion being taken by another patch that merged) - We agreed on keeping an etherpad for tracking all API changes during milestone-3 - We agreed on filing blueprints for TC goals that impact Nova - bauzas will promote again the use of review-priority label in Gerrit during weekly meetings in order for cores to show their interest in reviewing a particular patch. # Promoting backlog features to new contributors and enhance mentoring - Starting this cycle, we'll put our list of small and easily actionable blueprints into Launchpad bug reports that have a "Wishlist" status and both a 'low-hanging-fruit' and a 'rfe' tag. New contributors or people wanting to mentor a new upstream member are more than welcome to consume that list of 'rfe' bugs and identify the ones they're willing to work on. 
A detailed process will be documented for helping newcomers to join. - We'll also draft our pile of work we defer into 'backlog specs' if they require further design (and are less actionable from a newcomer perspective) # Other procedural and release discussions - we'll stop using Storyboard for tracking Placement features and bugs and we'll pivot back to Launchpad for the 'placement' sub-project. - we agreed on a *feature* review day possibly 4 weeks before the feature freeze in order to catch up any late design issue we could have missed when reviewing the spec. - we will EOL stein and older nova branches with elodilles proposing the deletion patch. We agred on discussing EOL'ing train at next PTG. - gibi will work on providing a static requirements file for nova that would use minimum versions of our dependencies (non transitively) and modify unit and functional test jobs to rather use this capped requirements file for testing. - we discussed the User Survey and we agreed on discussing any question we may want to add in the next survey during the next weekly meetings. - "2023.1 Antelope" naming is a bit confusing, but we agreed on we should continue to either use "2023.1" or "2023.1 Antelope" for naming our docs. We also wait for guidelines in order to consistently name our next stable branch (2023.1 possibly). (That's the end of procedural and release discussions, please resume here if you skipped the above) ### Technical bits ### # VMware driver status - As currently no job runs happened since April, we agreed on communicating in the nova-compute logs at periodic times that the code isn't tested so operators running it would know its upstream status. - we'll update the supported matrix documentation to refiect this 'UNTESTED' state # TC goals this cycle - for the FIPS goal, we agreed on the fact the current FIPS job (running on centos 9 stream) shouldn't be running on gate and check pipelines. As the current job is busted (all periodic runs go into TIMEOUT state), we also want to modify the job timeout to allow 30 mins more time for running (due to a reboot in the job definition) - for the oslo.privsep goal, no effort is required from a nova perspective (all deliverables are already using privsep). sean-k-mooney can propose a 'rfe' bug (see the note above on new contributors) for modifying our privsep usage in nova (using different privsep context by callers) - for the Ubunutu 2022.4 goal, gmann already provided changes. We need to review them. - for the RBAC goal, let's discuss it in a proper section just below # Next steps on RBAC - we need to test new policy defaults in a full integrated tempest testsuite (meaning with other projects), ideally before the first milestone. - once we check everything works fine as expected, we can flip the default (enabling new policies) before milestone-2 - we'd like to start drafting the new service role usage by two new specs (one for nova, the other one for placement) # Power management in Nova A pile of work I'm proud we gonna start this cycle. This is about disabling/enabling cores on purpose, so power savings occur. - we agreed on supporting it directly in Nova (and to not design and support an external tool which would suppose to draft some heave interface for an easy quickwin). This would just be a config flag to turn on that would enable CPU cores on demand. - a potential follow-up *may* be to use a different CPU governor depending on flavors or images but this won't be scoped for this release. 
# Power monitoring in Nova I don't really like this name, as monitoring isn't part of the Nova mission statement so I'll clarify. Here, this is about providing an internal readonly interface for power monitoring tools running on guests that would be able to capture host consumption metrics. One example of such monitoring tools is Scaphandre, demonstrated during the last OpenInfraSummit at a keynote. - we agreed on reusing virtiofs support we're gonna introduce in this release for the Manila share attachment usecase - this share would be readonly and would be unique per instance (ie. we wouldn't be supporting multiple guest agents reading different directories) - this share would be enabled thru a configuration flag per compute, and would only be mounted per instance by specific flavor or image extraspec/metadata. # Database soft-deleted records and the archive/purge commands - We don't want to deprecate DB soft-deleted records as some APIs continue to rely on those records. - We rather prefer to add a new parameter to the purge command that will directly delete the 'soft-deleted' records from the main DBs and not only the shadow tables (skipping the need to archive, if the operator wants to use this parameter) # Nova-compute failing at reboot due to vGPU missing devices Talking of bug #1900800, the problem is that mediated devices aren't persistent so nova-compute isn't able to respawn the instances after a reboot if those are vGPU-flavored. - we agreed on the fact that, like any other device, Nova shouldn't try to create them and we should rather ask the operator to pre-create the mediated devices, exaclty like we do for SR-IOV VFs. - we'll accordingly deprecate the mdev creation in the libvirt driver (but we'll continue to support it) and we'll log a warning if Nova has to create one mdev. - we'll change the nova-compute init script to raise a better exception explaining which mdev is missing - we'll document a procedure for explaining how to get existing mdev information and persist them by udev rules (for upgrade cases) # Robustify our compute hostname changes To be clear, at first step, we will continue to *NOT* support nova-compute hostname changes but we'll better detect the hostname change to prevent later issues. - first step to persist the compute UUID on disk seems a good candidate so a spec is targeted this cycle. - next steps could be to robustify our relationships between instance, compute node and service object records but this design will be deferred for later in a backlog spec. # Move to OpenStackClient and SDK OSC is already fully supported in Zed but it continues to rely on novaclient python bindings for calling the Nova API. - we agreed on modifying OSC to rather use openstacksdk (instead of novaclient) for communicating to the Nova APIs. Contributors welcome on this move. - we agreed on stopping to use project client libraries in nova services (eg. cinderclient used by nova-compute) and rather use openstacksdk directly. A 'rfe' bug per project client will be issued, anyone willing to work on it is welcome. - we also agreed on continuing to support novaclient for a couple of releases, as operators or other consumers of this package could require substantial efforts to move to the sdk. - we agreed on changing the release model for novaclient to be independent so we can release anytime we need. 
# Evacuate to target state We understand the usecase (evacuate an instance shouldn't always turn the evacuated instance on) - that said, we don't want to amend the API for passing a parameter as this would carry a tech debt indefinitely) - we prefer to propose a new microversion that would stop the instance eventually instead of starting it - operators wanting to keep the original behaviour would need to negociate an older microversion to the Nova API as we don't intend to make spawning optionally chosen by API on evacuate. (aaaaaaaaaaaaaaaand that's it for the PTG recap) Kudos, you were brave, you reached that point. Hope your coffee was good and now you feel rejuvenated. Anyway, time for me now to rest my fingers and to enjoy a deserved time off. As said, I'm all up for any questions or remarks that would come from the reading of this enormous thread. -Sylvain -------------- next part -------------- An HTML attachment was scrubbed... URL: From elod.illes at est.tech Mon Oct 24 18:06:07 2022 From: elod.illes at est.tech (=?utf-8?B?RWzDtWQgSWxsw6lz?=) Date: Mon, 24 Oct 2022 18:06:07 +0000 Subject: [nova] Proposing EOL of nova project's old stable branches (Stein, Rocky, Queens) Message-ID: Hi, At the 2023.1 Antelope PTG, Nova team discussed that currently open Queens, Rocky and Stein branches for Nova teams' repositories will be moved to End of Life. There are multiple reasons behind this decision: - gate of these branches are broken for a couple of months now - zuul job definitions for these branches use the pre-"zuul-v3" [1] style, which makes the maintenance harder of these jobs - CI on Rocky and Queens use Ubuntu Xenial, which is also beyond its public maintenance window date And last but not least bugfix backports to these branches don't really get enough reviews anymore. If anyone has any interest to keep any of the above branches open then this is the last opportunity to step up, otherwise, as Nova team decided on the PTG, these branches will transition to End of Life. Please let us know before November 7th, we will proceed with the transition in case no responses will come till that day. [1] https://docs.openstack.org/project-team-guide/zuulv3.html Thanks in advance, El?d Ill?s irc:elodilles @ #openstack-nova -------------- next part -------------- An HTML attachment was scrubbed... URL: From smooney at redhat.com Mon Oct 24 18:40:59 2022 From: smooney at redhat.com (Sean Mooney) Date: Mon, 24 Oct 2022 19:40:59 +0100 Subject: [nova][placement] 2023.1 Antelope PTG summary In-Reply-To: References: Message-ID: On Mon, 2022-10-24 at 18:49 +0200, Sylvain Bauza wrote: > We're on a wetty Monday here and I guess this is time for me to take my pen > again and write a PTG recap email for the current release, which is 2023.1 > Antelope. > Yet again, I *beg* you to *not* use any translation tool when reading any > etherpad, including Google Chrome embedded translation or it would fully > translate the whole etherpad content for *all* readers. > In order to prevent any accidental misusage, here is a readonly copy of the > Nova etherpad we had for the week > https://etherpad.opendev.org/p/r.8ae4e0ef997aebfe626b2b272ff23f1b > > Again, I'm human and while I can write bugs (actually I write a lot of > them), I can also write wrong things in this email and I can > misinterpretate something precise. Apologies if so, and please don't > refrain them yourself to correct me by replying to this email. 
> > Last but not the least, I'm more than open to any questions or remarks that > would come from the reading of this long email. > > Good luck with this very long thread, you should maybe grab a coffee before > starting to read it (and I promise to keep it as short as I can). > > ### Operator hours ### > > After the success of the productive Nova meet-and-greet session we held in > Berlin (packed room w/ lots of feedback), we were eager to again have a > discussion with operators, this time virtually which would have hopefully > lowered the entry barrier by not requiring an in-person event in order to > attend the session. > Consequently, we allocated three timeslots of one hour, two back-to-back on > Tuesday and one on Wednesday (on different times to arrange time > differences between operators). > Unfortunately, I have to write here that we only had a very small > attendance on Tuesday with only three operators joining (but providing > great feedback, thanks btw. !) and *none* on the 1-hour Wednesday slot. > > As a result, I won't provide statistics about release and project usage > here as numbers are too low to be representative, but here is what we > discussed : > (again, a readonly etherpad is available here > https://etherpad.opendev.org/p/r.aa8b12b385297b455138d35172698d48 for > further context) > > # Upcoming features and general discussions > > - the possibility to mount Manila shares in Nova seems promising. > - As nova doesn't support multiple physnets per neutron network today, this > prevents the use of routed networks in some cases. to be precise nova has never supporte the?Multi Provider Network extention https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/definitions/multiprovidernet.py which is the extention that allows a neutron network to span multipel phsyical networks. multiple network segments on the same phsynet (e.g. using mulitple vlans all ont eh same phsyent or multi segment netowrks that ahve a single physnet + tunneled segments) can be supported today. https://github.com/openstack/nova/commit/b9d9d96a407db5a2adde3aed81e61cc9589c291a added support for multi segment netwroks with a single physnet in pike but there was never a nova sibling spec to add support for the multiproviernet extention. as such we only ever use the first phsynet for all segments and its a non trivial amount of work to change that in nova escpially in the hardware offload ovs or generic sriov case. it would require the pci manager to accept a list of possible physnets and it will require addtional work when using placment in the future. its not imposible to do but it would require careful impelemtation to get right and is a new feature that woudl require a spec. > - modifying our mod_wsgi usage to be allowed to pass some arguments is > requested this however is more of a bug or over sight. we expected that you would jsut pass --config-dir to the wsgi script as command line args which is possibel with uwsgi however its not possibel with mod_wsgi. i have filed a trackign bug for this here https://bugs.launchpad.net/nova/+bug/1994056 and assgined it to myself for now. > - operators seem interested in having PCI devices tracked in Placement > > # Pain points > > - getting inventories or used/availables resources in Placement becomes > costly as it requires N calls, with N be the number of Resource Providers > (instead of a single HTTP call). Problem has been acknowledged by the team > and some design discussion occurred. 
> - We should paginate on the flavors API and we need to fix the private > > public flavor bug. > - mediated devices disappearing at reboot is a problem. This has been > discussed during the contributor session later, see below. > - routing metrics are hard to manage when you have a long list of multiple > ports attached. We eventually agreed on the fact the proposal fix could be > an interesting feature for Neutron team to develop. > > That's it for the operators discussions. Let's now discuss about what we > discussed in the contributors PTG agenda : > > > ### Cross-project discussions > > Two projects this time were discussing with the Nova community : > > # Ironic-Nova > > The whole session was about the inconsistencies that were happening if a > nova-compute was failing down with Ironic rebalancing the nodes. > > - we agreed on the fact this wasn't an easy problem to solve > - a consensus was around the fact Ironic should support a sharding key so > the Nova compute could use it instead of using hash rings. > - JayF and johnthetubayguy agreed on codifying this idea into a spec > - we'd hear feedback from operators about what they feel of the above > migration (sharding their node cloud into sharding pieces and providing > sharding details to nova) > - in parallel of the above, documentation has to be amended in order to > recommend for *existing deployments* to setup active/passive failover mode > for Nova computes (instead of relying on hashring rebalances) > > # Neutron-Nova > > (I'll briefly cover the details here, as it will also be covered by the > Neutron PTG recap) > > - while Nova is finishing up tracking of PCI devices in Placement this > cycle, we agreed on defering the modeling of Neutron-based PCI requests > until next cycle. This won't have any impact in terms of existing features > that will continue to operate seamlessly. > - the way we define switchdev capabilities as of now is incorrect. We > agreed on modfying Nova to allow it to report such capabilities to Neutron. > This may be a specless blueprint or just a bugfix (and then potential > backportability), to be determined later. i will work on this this cycle. i can either use the old bug https://bugs.launchpad.net/neutron/+bug/1713590 which was incorrectly "fixed" in neutron and add the nova project or i can file a new one. i have a slight prefernce to use the old for the added context but its proably cleaner to file a new one so i dont really mind either way. > - MTUs are unfortunately immutable. If you change the MTU value by Neutron, > you need to restart the instance( (or reattach the port). We consequently > agreed on documenting this caveat, which is due to libvirt/qemu not able to > change the MTU while the guest is running. we also agreed to move forward with https://review.opendev.org/c/openstack/nova/+/855664 to not provide a mtu if the network is configured with dhcp enabled. this is because neutron will provide the mtu via dhcp in that case. i have abandoned https://review.opendev.org/c/openstack/nova/+/852367 > - We eventually agreed on letting --hostname (parameter of an instance > creation request) to represent a FQDN thru a nova microversion. This value > won't be sanitized by nova and directly passed to Neutron as the hostname > value. We also agreed on the fact Nova WON'T ever touch the port domain > value in metadata, as this is not in the project scope to manage name > domains. 
just to clarify the last point we will pass it once whne the port is created by nova as we do today usting the value of instance.hostname. it it will have the behvior that that has today where it is never change after first boot. i propossed that if desginate wants to automaticly update the hostname they can do so by extending the designate-sink componet which listens for notifcation to automaticly registry fixed/floating ips with dns record. if the desinate project feel its in socpe they coudl repond to the instnace update notification if the instace.hostname is updated and modify the relevent neutron port or dns record but we strongly advise them not to ever propagage such a change to floating ip. even for the fixed ip records without a new neutron extention on the port to opt into the dns_name update its likely that updating the dns records on instace hostname update would break exsiting usage so i advise caution if desinate choose to add this feature in the future. > > > ### Procedural discussions (skip it if you're not interacting with the Nova > contributors) ### > > # Zed retrospective > > - We had a productive Zed release and we made a good job on reducing bugs > and bug reports. Kudos to the team again. > - The microversions etherpad we had was nice but planning microversions > usage is hard. WE agreed on rather providing a document to contributors > explaining them how to write an API change that adds a new microversion and > how to easily rebase this change if a merge conflict occurs (due to the > micoversion being taken by another patch that merged) > - We agreed on keeping an etherpad for tracking all API changes during > milestone-3 > - We agreed on filing blueprints for TC goals that impact Nova > - bauzas will promote again the use of review-priority label in Gerrit > during weekly meetings in order for cores to show their interest in > reviewing a particular patch. > > # Promoting backlog features to new contributors and enhance mentoring > > - Starting this cycle, we'll put our list of small and easily actionable > blueprints into Launchpad bug reports that have a "Wishlist" status and > both a 'low-hanging-fruit' and a 'rfe' tag. New contributors or people > wanting to mentor a new upstream member are more than welcome to consume > that list of 'rfe' bugs and identify the ones they're willing to work on. A > detailed process will be documented for helping newcomers to join. > - We'll also draft our pile of work we defer into 'backlog specs' if they > require further design (and are less actionable from a newcomer perspective) > > # Other procedural and release discussions > > - we'll stop using Storyboard for tracking Placement features and bugs and > we'll pivot back to Launchpad for the 'placement' sub-project. > - we agreed on a *feature* review day possibly 4 weeks before the feature > freeze in order to catch up any late design issue we could have missed when > reviewing the spec. i would also suggest we maybe have one at the start of december before we hit PTO sesion to see if we can land any features that are ready early. we can figure that out on irc or in the team meeting. > - we will EOL stein and older nova branches with elodilles proposing the > deletion patch. We agred on discussing EOL'ing train at next PTG. > - gibi will work on providing a static requirements file for nova that > would use minimum versions of our dependencies (non transitively) and > modify unit and functional test jobs to rather use this capped requirements > file for testing. 
> - we discussed the User Survey and we agreed on discussing any question we > may want to add in the next survey during the next weekly meetings. > - "2023.1 Antelope" naming is a bit confusing, but we agreed on we should > continue to either use "2023.1" or "2023.1 Antelope" for naming our docs. did we because i tought we agreeed to use "27.0.0 (antelope)" in all docs or gmans suggestion of "2023.1 Antelope (nova 27.0.0)" so that we continuity in our docs and release notes. '"2023.1" or "2023.1 Antelope" or 2023.1 (27.0.0)' were what i propsed we should not use in our docs as both are confusting based on our past naming. > We also wait for guidelines in order to consistently name our next stable > branch (2023.1 possibly). for the branch name i do think stable/2023.1 makes sense and the docs url shoudl be https://docs.openstack.org/nova/2023.1/ to match the branch name. the other option is https://docs.openstack.org/nova/antelope/ > > > (That's the end of procedural and release discussions, please resume here > if you skipped the above) > > ### Technical bits ### > > > # VMware driver status > > - As currently no job runs happened since April, we agreed on communicating > in the nova-compute logs at periodic times that the code isn't tested so > operators running it would know its upstream status. > - we'll update the supported matrix documentation to refiect this > 'UNTESTED' state > > # TC goals this cycle > > - for the FIPS goal, we agreed on the fact the current FIPS job (running on > centos 9 stream) shouldn't be running on gate and check pipelines. As the > current job is busted (all periodic runs go into TIMEOUT state), we also > want to modify the job timeout to allow 30 mins more time for running (due > to a reboot in the job definition) > - for the oslo.privsep goal, no effort is required from a nova perspective > (all deliverables are already using privsep). sean-k-mooney can propose a > 'rfe' bug (see the note above on new contributors) for modifying our > privsep usage in nova (using different privsep context by callers) i can file an RFE bug although it might be better to also file a backlog spec for this or contibutors doc to describe the correct way to use prvisep going forward. 1 context per class of permsions (networking, file, ectra), do not import privespe functionl define them only in the modules where they are used. include privaldged in the name. have a narrow contract taking a fixed number of named parmaters never commands as string. > - for the Ubunutu 2022.4 goal, gmann already provided changes. We need to > review them. > - for the RBAC goal, let's discuss it in a proper section just below > > # Next steps on RBAC > > - we need to test new policy defaults in a full integrated tempest > testsuite (meaning with other projects), ideally before the first milestone. > - once we check everything works fine as expected, we can flip the default > (enabling new policies) before milestone-2 > - we'd like to start drafting the new service role usage by two new specs > (one for nova, the other one for placement) > > # Power management in Nova > > A pile of work I'm proud we gonna start this cycle. This is about > disabling/enabling cores on purpose, so power savings occur. > - we agreed on supporting it directly in Nova (and to not design and > support an external tool which would suppose to draft some heave interface > for an easy quickwin). This would just be a config flag to turn on that > would enable CPU cores on demand. 
https://review.opendev.org/c/openstack/nova/+/821228 introduced cpu_external_management as a proposed config name; based on the change of direction, I would suggest we add cpu_power_state_management instead.

> - a potential follow-up *may* be to use a different CPU governor depending
> on flavors or images but this won't be scoped for this release.

Yes, we agreed not to do this this cycle and to evaluate it in the future.

>
> # Power monitoring in Nova
>
> I don't really like this name, as monitoring isn't part of the Nova mission
> statement, so I'll clarify. Here, this is about providing an internal
> readonly interface for power monitoring tools running on guests that would
> be able to capture host consumption metrics. One example of such monitoring
> tools is Scaphandre, demonstrated during the last OpenInfra Summit at a
> keynote.
> - we agreed on reusing the virtiofs support we're going to introduce in this
> release for the Manila share attachment usecase
> - this share would be readonly and would be unique per instance (ie. we
> wouldn't be supporting multiple guest agents reading different directories)
> - this share would be enabled through a configuration flag per compute, and
> would only be mounted per instance by specific flavor or image
> extraspec/metadata.
>
> # Database soft-deleted records and the archive/purge commands
>
> - We don't want to deprecate DB soft-deleted records as some APIs continue
> to rely on those records.
> - We rather prefer to add a new parameter to the purge command that will
> directly delete the 'soft-deleted' records from the main DBs and not only
> the shadow tables (skipping the need to archive, if the operator wants to
> use this parameter)
>
> # Nova-compute failing at reboot due to vGPU missing devices
>
> Talking of bug #1900800, the problem is that mediated devices aren't
> persistent, so nova-compute isn't able to respawn the instances after a
> reboot if those are vGPU-flavored.
> - we agreed on the fact that, like any other device, Nova shouldn't try to
> create them and we should rather ask the operator to pre-create the
> mediated devices, exactly like we do for SR-IOV VFs.
> - we'll accordingly deprecate the mdev creation in the libvirt driver (but
> we'll continue to support it) and we'll log a warning if Nova has to create
> one mdev.
> - we'll change the nova-compute init script to raise a better exception
> explaining which mdev is missing
> - we'll document a procedure explaining how to get existing mdev
> information and persist it by udev rules (for upgrade cases)
>
> # Robustify our compute hostname changes
>
> To be clear, as a first step, we will continue to *NOT* support nova-compute
> hostname changes, but we'll better detect the hostname change to prevent
> later issues.
> - a first step to persist the compute UUID on disk seems a good candidate, so
> a spec is targeted this cycle.

Specifically, we need to persist the compute service UUID in the compute manager. We can discuss the details in the spec, as we may also want to persist the compute node UUID, but that would have different behaviour depending on the virt driver in use, e.g. vmware/ironic (1:n) vs libvirt (1:1).

> - next steps could be to robustify our relationships between instance,
> compute node and service object records but this design will be deferred
> for later in a backlog spec.
>
>
> # Move to OpenStackClient and SDK
>
> OSC is already fully supported in Zed but it continues to rely on
> novaclient python bindings for calling the Nova API.
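To make concrete what moving those calls over to the SDK looks like, the change per call site is roughly of this shape (illustrative only; `sess` stands for an existing keystoneauth1 session):

    # today: novaclient python bindings
    from novaclient import client as nova_client
    nova = nova_client.Client('2.1', session=sess)
    servers = nova.servers.list()

    # target: openstacksdk
    import openstack
    conn = openstack.connect(cloud='envvars')
    servers = list(conn.compute.servers())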
> - we agreed on modifying OSC to rather use openstacksdk (instead of
> novaclient) for communicating with the Nova APIs. Contributors are welcome on
> this move.
> - we agreed on stopping the use of project client libraries in nova services
> (eg. cinderclient used by nova-compute) and rather using openstacksdk
> directly. A 'rfe' bug per project client will be issued, anyone willing to
> work on it is welcome.
> - we also agreed on continuing to support novaclient for a couple of
> releases, as operators or other consumers of this package could require
> substantial efforts to move to the sdk.
> - we agreed on changing the release model for novaclient to be independent
> so we can release anytime we need.
>
> # Evacuate to target state
>
> We understand the usecase (evacuating an instance shouldn't always turn the
> evacuated instance on)
> - that said, we don't want to amend the API for passing a parameter as this
> would carry tech debt indefinitely
> - we prefer to propose a new microversion that would stop the instance
> eventually instead of starting it

We also agreed to file a bug for the existing behaviour of evacuating a stopped instance: we currently start it and then stop it, which is what will initially happen for the new microversion too, but long term we want to avoid starting the VM entirely. This is safer, as the admin does not know what workload is in the guest and it may not be safe (disk corruption) or even possible (encrypted volumes) to start the guest when we evacuate. We can and should catch the exception raised in the latter case to allow the VM to be evacuated and powered off in the short term. Medium to long term, we agreed not to start the VM with the new microversion and to also address this for resize verify, where we should not attempt to start the VM if it was stopped. This will correct the current odd behaviour in the instance action log where the VM is started and stopped.

> - operators wanting to keep the original behaviour would need to negotiate
> an older microversion to the Nova API as we don't intend to make spawning
> optionally chosen by API on evacuate.

Specifically, if the old microversion is used then the behaviour and limitations we have today will be supported indefinitely. With the new microversion the operator is opting in to evacuating to shutoff state.

>
> (aaaaaaaaaaaaaaaand that's it for the PTG recap)
>
> Kudos, you were brave, you reached that point. Hope your coffee was good
> and now you feel rejuvenated. Anyway, time for me now to rest my fingers
> and to enjoy a deserved time off.
>
> As said, I'm all up for any questions or remarks that would come from the
> reading of this enormous thread.
>
> -Sylvain

From jake.yip at ardc.edu.au Mon Oct 24 23:12:21 2022
From: jake.yip at ardc.edu.au (Jake Yip)
Date: Tue, 25 Oct 2022 10:12:21 +1100
Subject: [magnum] Antelope PTG summary
Message-ID: <4f870050-6342-ec2d-bf7c-7d7a1052e1dd@ardc.edu.au>

Dear all,

Magnum had a great meeting during the latest PTG. Thanks to the OpenInfra Foundation for holding it. Also, thanks to all who have found precious time to attend.

As the current Magnum team is quite small, we have decided on the following:

- Deprecate the Fedora Atomic driver - This is EOL.
- Deprecate the CoreOS driver - This is similarly EOL.
- Deprecate the Docker Swarm driver. Kubernetes has become the container orchestration engine of choice now. With our limited resources, it will be more efficient to support the most popular choice well, instead of multiple choices.
- Mark branches before Victoria as unmaintained.
These branches only support Kubernetes versions that has been EOL. - Most excitingly, move towards adding Cluster API support for Kubernetes. This allows the Magnum project to leverage off upstream effort in creating and managing a Kubernetes cluster. We understand that removing support is difficult for users, but we believe this is for the better. Our main aim is to keep the project moving fast enough to keep up with upstream Kubernetes. If anyone is willing to help maintain any of the items we plan on deprecating, please drop me a message. Regards, Magnum Team. -- Jake Yip DevOps Engineer, ARDC Nectar Research Cloud From gmann at ghanshyammann.com Tue Oct 25 01:00:07 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Mon, 24 Oct 2022 18:00:07 -0700 Subject: [all][tc] Technical Committee next weekly meeting on 2022 Oct 27 at 1500 UTC Message-ID: <1840ca763ed.11a1d388f223718.5578574495996418279@ghanshyammann.com> Hello Everyone, The technical Committee's next weekly meeting is scheduled for 2022 Oct 27, at 1500 UTC. If you would like to add topics for discussion, please add them to the below wiki page by Wednesday, Oct 26 at 2100 UTC. https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting -gmann From yu-kishimoto at kddi.com Tue Oct 25 01:07:29 2022 From: yu-kishimoto at kddi.com (yu-kishimoto at kddi.com) Date: Tue, 25 Oct 2022 01:07:29 +0000 Subject: [Cinder][Nova]Zombie process prevention for Cinder and Nova APIs In-Reply-To: References: Message-ID: Hi all, I'm still working on this issue, and here are the logs of this. Sending a request from Keystone to the Nova API, such as 'openstack server list', will result in the following error regardless of the timeout occurring: cat /var/log/httpd/nova_api_wsgi_error.log [Thu Oct 20 15:13:04.358981 2022] [wsgi:warn] [pid 2611850] mod_wsgi (pid=2611850): Callback registration for signal 12 ignored. 
[Thu Oct 20 15:13:04.359279 2022] [wsgi:warn] [pid 2611850] File "/var/www/cgi-bin/nova/nova-api", line 52, in [Thu Oct 20 15:13:04.359291 2022] [wsgi:warn] [pid 2611850] application = init_application() [Thu Oct 20 15:13:04.359297 2022] [wsgi:warn] [pid 2611850] File "/usr/lib/python3.6/site-packages/nova/api/openstack/compute/wsgi.py", line 20, in init_application [Thu Oct 20 15:13:04.359299 2022] [wsgi:warn] [pid 2611850] return wsgi_app.init_application(NAME) [Thu Oct 20 15:13:04.359302 2022] [wsgi:warn] [pid 2611850] File "/usr/lib/python3.6/site-packages/nova/api/openstack/wsgi_app.py", line 125, in init_application [Thu Oct 20 15:13:04.359304 2022] [wsgi:warn] [pid 2611850] init_global_data(conf_files, name) [Thu Oct 20 15:13:04.359313 2022] [wsgi:warn] [pid 2611850] File "/usr/lib/python3.6/site-packages/nova/utils.py", line 1123, in wrapper [Thu Oct 20 15:13:04.359314 2022] [wsgi:warn] [pid 2611850] return func(*args, **kwargs) [Thu Oct 20 15:13:04.359317 2022] [wsgi:warn] [pid 2611850] File "/usr/lib/python3.6/site-packages/nova/api/openstack/wsgi_app.py", line 103, in init_global_data [Thu Oct 20 15:13:04.359319 2022] [wsgi:warn] [pid 2611850] version, conf=CONF, service_name=service_name) [Thu Oct 20 15:13:04.359322 2022] [wsgi:warn] [pid 2611850] File "/usr/lib/python3.6/site-packages/oslo_reports/guru_meditation_report.py", line 153, in setup_autorun [Thu Oct 20 15:13:04.359323 2022] [wsgi:warn] [pid 2611850] version, service_name, log_dir) [Thu Oct 20 15:13:04.359326 2022] [wsgi:warn] [pid 2611850] File "/usr/lib/python3.6/site-packages/oslo_reports/guru_meditation_report.py", line 186, in _setup_signal [Thu Oct 20 15:13:04.359328 2022] [wsgi:warn] [pid 2611850] lambda sn, f: cls.handle_signal( Does someone can kindly help me to solve the issue or give me some clues like parameter changes that can be expected to be effective? >-----Original Message----- >From: ?? ?? >Sent: Monday, October 24, 2022 11:46 AM >To: openstack-discuss at lists.openstack.org >Cc: opetech-scg at kddi.com >Subject: [Cinder][Nova]Zombie process prevention for Cinder and Nova APIs > >Hi all, >I'm trying to fix issues of spawning zombie processes for Cinder and Nova APIs during instantiation in an IaC (Ansible >which is not openstack-ansible). >Does someone can kindly help me to solve the issue or give me some clues like parameter changes that can be expected >to be effective? > >- Issues >The cinder api service process(port: 8776) existed in a zombie state. >The neutron api service process(port: 9696) required for nova existed in a zombie state. > >- What the IaC does >Use an existing tenant to create a network and subnet, then use 8volumes to instantiate 8VMs. > >- Workarounds and what I've done so far >Identify and kill zombie processes. > >- Environment >OS: CentOS Stream 8 >Kernel: 4.18.0-408.el8.x86_64 >OpenStack: Yoga(Deployed by PackStack: https://www.rdoproject.org/install/packstack/) >Nova: 25.0.1 >Neutron: 20.2.0 >Cinder: 20.0.1 >KeyStone: 21.0.0 > >-- >Yukihiro Kishimoto >Technologist >KDDI Co., Ltd. 
>Tokyo Japan From obondarev at mirantis.com Tue Oct 25 06:03:56 2022 From: obondarev at mirantis.com (Oleg Bondarev) Date: Tue, 25 Oct 2022 10:03:56 +0400 Subject: [Neutron] Bug Deputy Report Oct 17 - 24 Message-ID: Hello Neutron Team, It was probably the most quiet week in the history of Bug Reports: Low ----- - https://bugs.launchpad.net/neutron/+bug/1993181 - [OVN] OVN metadata "MetadataProxyHandler" not working if workers=0 - Fix Released: https://review.opendev.org/c/openstack/neutron/+/861649 - Fixed by Rodolfo Alonso - https://bugs.launchpad.net/neutron/+bug/1993502 - failing unit tests when not running them all - Fix Released: https://review.opendev.org/c/openstack/neutron/+/861869 - Fixed Rodolfo Alonso - https://bugs.launchpad.net/neutron/+bug/1993498 - [CI] Create oslo master branch jobs (apart from py39)8 - In progress: https://review.opendev.org/c/openstack/neutron/+/861859 - assigned to Rodolfo Alonso RFEs: ----- - https://bugs.launchpad.net/neutron/+bug/1993288 - RFE: Adopt Keystone unified limits as quota driver for Neutron - New (PTG decision - wait till it become more mature) - Unassigned Thanks, Oleg -------------- next part -------------- An HTML attachment was scrubbed... URL: From ralonsoh at redhat.com Tue Oct 25 11:00:10 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Tue, 25 Oct 2022 13:00:10 +0200 Subject: [neutron] Antelope PTG summary Message-ID: Hello Neutrinos: This is a quick summary of what we have discussed during the PTG week. Zed summary and retrospective: - Here is the output of this session: https://etherpad.opendev.org/p/neutron-antelope-ptg#L83 Spec handling: - To have a core reviewer assigned per spec. This reviewer will engage the community to review the spec and will be a kind of "godfather". - To have a weekly status report of the active specs in the community, to visibilize them, boost their impact and "coerce" the community to review them. Neutron CLI deprecation: - To remove the CLI code. - Python bindings: - Investigate and report the effort needed to make this migration in neutron client consumers (Nova, Horizon, Heat, etc). - Request other projects using the python bindings to move to OpenStack SDK. - Stop merging new features. Quota classes: - Information: https://docs.openstack.org/project-team-guide/technical-guides/unified-limits.html - Neutron RFE: https://bugs.launchpad.net/neutron/+bug/1993288 - Still under development in the community, this is still not an accepted community goal, thus we won't start the development until some cons are discussed with the TC members (see the Neutron RFE description). Pyroute2 session: - IPmock, a new class to mock some pyroute2 objects: https://lab.pyroute2.org/ - Pluggable netlink engines. Still not compatible with NetNS (namespaces) - Transactional engine: - A daemon is always reading the netlink and inotify, and builds a DB with the system information. Data is read faster. This could be not compatible with the current sync calls using privsep. - Using NDB class. - Customize message parser, to reduce the amount of data retrieved from the kernel. - Dump/list operators will be generators (to check the compatibility with privsep). Remove the failed devstack migration and get back to what is called "neutron-legacy" (that was discussed before in a PTG but we didn't start the reversion). DNS subdomain support in ML2/OVN: - https://review.opendev.org/c/openstack/neutron-specs/+/832658 - On hold until there is a use case. 
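Going back to the pyroute2 session for a moment, a short snippet may help illustrate the NDB-based, transactional approach mentioned there (purely illustrative, not Neutron code):

    from pyroute2 import NDB

    # NDB keeps a local database in sync with netlink events, so reads are
    # served from that cache instead of issuing a fresh kernel dump per call
    with NDB() as ndb:
        lo = ndb.interfaces['lo']
        print(lo['ifname'], lo['state'], lo['mtu'])

The open questions noted above are how this always-on daemon model interacts with Neutron's current synchronous calls through privsep and with network namespaces.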
DNS resolver in ML2/OVN: - https://bugzilla.redhat.com/show_bug.cgi?id=2104568 - The main devoplment part falls in the OVN core team. Once finished, the Neutron part should be almost trivial. ML2/OVN flow metering. - Same as we currently have with ML2/OVS + iptables firewall (currently not supported with native firewall because we can't count OF flows). - Same as the previous feature, the main development is in the OVN core team. Neutron QA: - Implement a grenade job based on the SLURP cadence, testing from Y to A (done). - Have the "tempest-integrated-networking" job in our gate/check queues (patch under review). PCI Device Tracking In Placement (Nova-Neutron session): - The different approaches are still under development. - Spec to be proposed during this release (see etherpad to check the possible implementation options). Port binding switchdev capabilities (Nova-Neutron session): - We agreed that the current implementation is incorrect: Neutron should not modify the port binding dictionary. Nova is not reading it but overwriting it. - We won't change the current code but no new features will rely on it. Nova mutable MTU support (Nova-Neutron session): - For now, Neutron will document that a network MTU change requires a VM reboot (ot port detach/attach operations) to be applied on this port. S-RBAC: - Neutron has three implemented personas: system wide admin, project user and project reader. - Tempest will integrate all RBAC testing projects during this release. Once done, the new RBAC flag will be enabled by default. - Neutron will create the corresponding RBAC job/jobs. - Neutron needs to identify what is called "service role" calls (done from other projects). This is a new concept that will be included in next releases. nftables migration: - The current iptables legacy interface could be deprecated. During this release, Neutron will start an epic to move the current iptables API to the new nftables API; if possible, incrementally, mixing both APIs in the same agent. Please, if there is any missing topic, let me know. Regards and thank you for attending and participating. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rafaelweingartner at gmail.com Tue Oct 25 11:00:18 2022 From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=) Date: Tue, 25 Oct 2022 08:00:18 -0300 Subject: [cloudkitty] Antelope PTG summary Message-ID: Dear all, The CloudKitty project had a great PTG meeting. Thanks to the OpenInfra Foundation for holding it. Also, thanks to all who have dedicated precious time to attend. We started the meeting by revisiting the latest release and discussing the review format we have adopted in the past two years. Looking at the result of our process, we decided to maintain it, as it seems to bring results and concentrate our efforts on getting CloudKitty better and evolving throughout time. While reviewing the past release, we discussed the situation with patch [1] (Allow rating rules that have 12 digits in the integer part of the number). This patch is a bug fix, and we discussed the idea of backporting it. However, as it is a patch that affects the database schema, it can be troublesome to backport it. Therefore, before doing any work, we will consult the mailing list to gather others opinions on this matter. Users could upgrade CloudKitty to address this issue, if they need to, instead of applying a patch. Pierre volunteered to execute this "inquiry" with the CloudKitty user base in the mailing list. 
While discussing the ElasticSearch (ES) improvements in CloudKitty to support ES 7, we raised the concern that Kolla-ansible is moving from ElasticSearch to OpenSearch. Therefore, we need to evaluate if this can have an impact in CloudKitty. Most certainly it will impact people using ES as the backend. The goal is to revisit this discussion in our next bi-weekly meeting, and then communicate for users and community (Topics for meeting of 31/10/2022 [2]). Furthermore, as the current CloudKitty team is a bit small, we have decided to focus on the following topics for the Antelope cycle. - Multiple rating types for the same metric -- One metric being used to generate different rates - Different time frame group by options -- provide group by options to group by day of the year, week of the year, month, and year. - Improve some timeouts handling when using Gnocchi backends. This one needs some checking with Zigo, who was the one that reported this situation. Zigo, I added you to this e-mail, can you reply back with more details regarding this situation? - A regression API that takes the resource ID Or project ID or scope ID, and executes a regression (prediction) based on the collected data so far for the given resources/elements/scope. - Add CloudKitty API reference docs ( https://docs.openstack.org/cloudkitty/latest/api-reference/index.html) to https://docs.openstack.org/api-ref/ We also briefly discussed the situation with Monasca, which has already been deprecated from Kolla-ansible, and might be losing some traction and support. Therefore, we (as a community), might need to start thinking about deprecating it, and removing some non-tested code from our code base. We do understand that deprecating and removing support is complicated for users, but nobody is maintaining and testing that integration. Therefore, it tends to get broken and unstable over time. However, if somebody wants to volunteer to maintain and improve it, you are welcome :) In summary that is the outcome of our small, but efficient PTG meeting. Let's keep improving and making CloudKitty better. If I missed something, please do not hesitate to reply back. Also, if somebody needs any help, you can always ping me :) See you guys. Have a nice week! [1] https://review.opendev.org/c/openstack/cloudkitty/+/837200 [2] https://etherpad.opendev.org/p/cloudkitty-meeting-topics -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Tue Oct 25 12:41:13 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Tue, 25 Oct 2022 13:41:13 +0100 Subject: [kolla-ansible][Yoga] How to configure rabbitmq heartbeat values Message-ID: Hi, I need to tweak these variables in my Rabbitmq : heartbeat_timeout_threshold heartbeat_rate heartbeat_interval When I tried to add heartbeat_timeout_threshold = 600 to rabbitmq.conf and reconfigure, the service failed to start with : 13:39:41.756 [error] You've tried to set heartbeat_timeout_threshold, but there is no setting with that name. 13:39:41.758 [error] Did you mean one of these? 13:39:41.838 [error] socket_writer.gc_threshold 13:39:41.838 [error] handshake_timeout 13:39:41.838 [error] auth_http.http_method 13:39:41.838 [error] You've tried to set heartbeat_rate, but there is no setting with that name. 13:39:41.838 [error] Did you mean one of these? 
13:39:41.888 [error] heartbeat 13:39:41.889 [error] cluster_name 13:39:41.889 [error] channel_max 13:39:41.889 [error] Error preparing configuration in phase transform_datatypes: 13:39:41.889 [error] - Conf file attempted to set unknown variable: heartbeat_rate 13:39:41.889 [error] - Conf file attempted to set unknown variable: heartbeat_timeout_threshold How can I modify those variables? Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From michal.arbet at ultimum.io Tue Oct 25 12:59:43 2022 From: michal.arbet at ultimum.io (Michal Arbet) Date: Tue, 25 Oct 2022 14:59:43 +0200 Subject: [kolla-ansible][Yoga] How to configure rabbitmq heartbeat values In-Reply-To: References: Message-ID: Hi, Configuration reference includes only the "heartbeat" config option ... https://www.rabbitmq.com/configure.html We also needed to change this value, I also proposed a patch for kolla-ansible. https://review.opendev.org/c/openstack/kolla-ansible/+/861727 Kevko Michal Arbet Openstack Engineer Ultimum Technologies a.s. Na Po???? 1047/26, 11000 Praha 1 Czech Republic +420 604 228 897 michal.arbet at ultimum.io *https://ultimum.io * LinkedIn | Twitter | Facebook ?t 25. 10. 2022 v 14:47 odes?latel wodel youchi napsal: > Hi, > I need to tweak these variables in my Rabbitmq : > > heartbeat_timeout_threshold > heartbeat_rate > heartbeat_interval > > When I tried to add > > heartbeat_timeout_threshold = 600 to rabbitmq.conf and reconfigure, the service failed to start with : > > 13:39:41.756 [error] You've tried to set heartbeat_timeout_threshold, but there is no setting with that name. > 13:39:41.758 [error] Did you mean one of these? > 13:39:41.838 [error] socket_writer.gc_threshold > 13:39:41.838 [error] handshake_timeout > 13:39:41.838 [error] auth_http.http_method > 13:39:41.838 [error] You've tried to set heartbeat_rate, but there is no setting with that name. > 13:39:41.838 [error] Did you mean one of these? > 13:39:41.888 [error] heartbeat > 13:39:41.889 [error] cluster_name > 13:39:41.889 [error] channel_max > 13:39:41.889 [error] Error preparing configuration in phase transform_datatypes: > 13:39:41.889 [error] - Conf file attempted to set unknown variable: heartbeat_rate > 13:39:41.889 [error] - Conf file attempted to set unknown variable: heartbeat_timeout_threshold > > > How can I modify those variables? > > Regards. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ramishra at redhat.com Tue Oct 25 13:06:07 2022 From: ramishra at redhat.com (Rabi Mishra) Date: Tue, 25 Oct 2022 18:36:07 +0530 Subject: [TripleO] 2023.1 Antelope PTG summary Message-ID: Hi All, Hope y'all had a great PTG last week and a great weekend. I would like to thank everyone who participated/contributed to Tripleo PTG sessions and helped all of us "share and learn". Though personally I don't like long emails, this summary is going to be a bit longer, please bear with me. We had a total of ten sessions spread over two days with very good participation (most sessions with 35+ [max 44] in attendance) and we shared/ discussed a multitude of topics. # Welcome and Zed Retrospective The highlights of the Zed cycle was collaboration across teams to add some new features and fine-tune features implemented in previous cycles that includes; Standalone roles, nftables switch, OVN RAFT support, ephemeral heat for upgrade use cases, CI jobs for Deployed Ceph and Ceph Container Promotion in CI etc. 
There was a discussion on the suggestion to stop backporting feature removals from stable branches as we did for wallaby in the last few cycles. Though TripleO does not follow stable policy, backporting feature removals with dependent patches across repos more often than not leads to broken CI and user support cases. We would be well placed if we can identify and do those before zed release and avoid the firefighting later. [Action Items] - Update zed review priorities etherpad[1] with deprecation/removal patches [All] # Standalone Ansible Roles Status Update James provided an update on the current status of "Standalone Ansible Roles' POC and we discussed the possible future scope of it beyond the current "scale-out compute" use case. He also demoed molecule based automation of deploying/testing a compute node with the new meta-role. Chandan shared the current work on CI jobs/scenarios to deploy computes with standalone roles. [Action Items] - Prioritize review/merge of proposed patches[2] on this topic [tripleo-core] - Finish the CI jobs for testing standalone roles and make them voting [Chandan/tripleo-ci-core] # Standalone Ansible Roles and External Ceph John presented his work to integrate computes deployed with standalone roles with external ceph. We don't plan to extend this effort to include tripleo deploying ceph using standalone roles, unless there is a requirement for that in the future. [Action Items] - Prioritize review of ceph related standalone role patches.[tripleo-core] # Multi-rhel support for Compute Brendan gave an update on the ongoing effort for multi-rhel support, different options evaluated and current POC status with composable roles approach. There is still some work left on automating role split during upgrade, which is expected to be completed this cycle. [Action Items] - Finish composable roles POC and test upgrade procedure manually [upgrades team] - Add CI jobs to test the proposed procedure upstream as feasible [upgrades team] - Implement role-split automation during upgrade [Takashi/Rabi] # OpenStack SDK, Ansible Collections OpenStack and TripleO We discussed the issues around openstacksdk backward incompatibility and the current pinning for it in RDO/TripleO. We agreed on an action plan to pre-release ansible-openstack-collection (AOC) for RDO/TripleO (though it is still not fully compatible with latest openstacksdk) and remove the pin so that Zed RDO can be released with openstacksdk 0.101.0. [Action Items] - Bump openstacksdk to 0.101.0 for RDO master and zed [Jakob/Alfredo] - Update RDO ansible-collections-openstack to the 2.0.0 pre-release [Jakob/Alfredo] # TripleO and Distributed Project Leadership (DPL) In this session, we discussed the possibility of opting for DPL in TripleO and sharing the responsibilities across multiple leaders in the team. There were a number of volunteers for different liaison roles and we in general agreed that it would be a good thing to do. We would propose the required change to governance sometime this cycle, unless there is any concern. [Action Items] - Finalize all required liaison roles and propose patch to openstack governance repo [Rabi] # Migration from puppetlabs/apache As part of the broader effort to reduce the puppet footprint, Cedric presented the ongoing effort to replace puppetlabs/apache with the new ansible role "tripleo_httpd_vhost"[3]. A few services have already been migrated and remaining ones are expected to be done this cycle with broader participation from sub teams. 
[Action Items] - Review/merge the already proposed patches for migration [tripleo-core] - Plan and work on migrating remaining services [Cedric] # State of CI CI team presented on a vast range of topics that included, - Added coverage of upgrade jobs across upstream check/gate, periodic component pipeline and periodic integration pipeline in zed (Marios) - Upstream jobs for multi-rhel testing (Marios) - Current state of OVB Jobs (Chandan) - TripleO CI Jobs on IBM Cloud and the new feature to hold nodes for troubleshooting (Chandan) - Tempest Allow List (Arx/Pooja/Soniya) - Tempest Dashboard (Arx/Lukas) # Container Capabilities We revisited the topic of privileged containers for services and how we can possibly avoid those by allowing the required limited container capabilities. As all these services are mostly for the compute role, we agreed that it would probably be better to align this effort with "Standalone Roles" for better testing. # OS Migrate Status Update Jirka provided an update on the tenant migration tool 'os-migrate', an ansible collection that is not a TripleO umbrella project, but used by the upgrades team. It's possible that I missed some important points from these discussions. Please feel free to add them by replying to this thread. All session etherpad links are in the main schedule etherpad[4] for reference. I'll share the session recordings once they're made available to us. Thanks Again. [1] https://etherpad.opendev.org/p/tripleo-zed-review-priorities [2] https://review.opendev.org/q/topic:standalone-roles [3] https://opendev.org/openstack/tripleo-ansible/src/branch/master/tripleo_ansible/roles/tripleo_httpd_vhost [4] https://etherpad.opendev.org/p/oct2022-ptg-tripleo -- Regards, Rabi Mishra -------------- next part -------------- An HTML attachment was scrubbed... URL: From michal.arbet at ultimum.io Tue Oct 25 13:17:19 2022 From: michal.arbet at ultimum.io (Michal Arbet) Date: Tue, 25 Oct 2022 15:17:19 +0200 Subject: [kolla-ansible][Yoga] How to configure rabbitmq heartbeat values In-Reply-To: References: Message-ID: Hi, maybe you meant oslo_messaging options ? https://docs.openstack.org/oslo.messaging/latest/configuration/opts.html Kevko Michal Arbet Openstack Engineer Ultimum Technologies a.s. Na Po???? 1047/26, 11000 Praha 1 Czech Republic +420 604 228 897 michal.arbet at ultimum.io *https://ultimum.io * LinkedIn | Twitter | Facebook ?t 25. 10. 2022 v 14:59 odes?latel Michal Arbet napsal: > Hi, > > Configuration reference includes only the "heartbeat" config option ... > https://www.rabbitmq.com/configure.html > We also needed to change this value, I also proposed a patch for > kolla-ansible. > > https://review.opendev.org/c/openstack/kolla-ansible/+/861727 > > Kevko > > > Michal Arbet > Openstack Engineer > > Ultimum Technologies a.s. > Na Po???? 1047/26, 11000 Praha 1 > Czech Republic > > +420 604 228 897 > michal.arbet at ultimum.io > *https://ultimum.io * > > LinkedIn | Twitter > | Facebook > > > > ?t 25. 10. 2022 v 14:47 odes?latel wodel youchi > napsal: > >> Hi, >> I need to tweak these variables in my Rabbitmq : >> >> heartbeat_timeout_threshold >> heartbeat_rate >> heartbeat_interval >> >> When I tried to add >> >> heartbeat_timeout_threshold = 600 to rabbitmq.conf and reconfigure, the service failed to start with : >> >> 13:39:41.756 [error] You've tried to set heartbeat_timeout_threshold, but there is no setting with that name. >> 13:39:41.758 [error] Did you mean one of these? 
>> 13:39:41.838 [error] socket_writer.gc_threshold >> 13:39:41.838 [error] handshake_timeout >> 13:39:41.838 [error] auth_http.http_method >> 13:39:41.838 [error] You've tried to set heartbeat_rate, but there is no setting with that name. >> 13:39:41.838 [error] Did you mean one of these? >> 13:39:41.888 [error] heartbeat >> 13:39:41.889 [error] cluster_name >> 13:39:41.889 [error] channel_max >> 13:39:41.889 [error] Error preparing configuration in phase transform_datatypes: >> 13:39:41.889 [error] - Conf file attempted to set unknown variable: heartbeat_rate >> 13:39:41.889 [error] - Conf file attempted to set unknown variable: heartbeat_timeout_threshold >> >> >> How can I modify those variables? >> >> Regards. >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Tue Oct 25 13:42:42 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Tue, 25 Oct 2022 14:42:42 +0100 Subject: [kolla-ansible][xena][Masakari] masakarimonitors-instancemonitor won't start Message-ID: Hi, I have this in my computes nodes; masakarimonitors-instancemonitor won't start 2022-10-25 14:37:27.354 7 INFO masakarimonitors.service [-] Starting masakarimonitors-instancemonitor 2022-10-25 14:37:27.357 7 WARNING masakarimonitors.instancemonitor.instance [-] Error from libvirt : authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) *2022-10-25 14:37:27.357 7 ERROR oslo_service.service [-] Error starting thread.: libvirt.libvirtError: authentication failed: Failed to start SASL negotiation: -4 (SASL(-4): no mechanism available: No worthy mechs found) 2022-10-25 14:37:27.357 7 ERROR oslo_service.service Traceback (most recent call last): 2022-10-25 14:37:27.357 7 ERROR oslo_service.service File "/var/lib/kolla/venv/lib/python3.6/site-packages/oslo_service/service.py"* , line 806, in run_service 2022-10-25 14:37:27.357 7 ERROR oslo_service.service service.start() 2022-10-25 14:37:27.357 7 ERROR oslo_service.service File "/var/lib/kolla/venv/lib/python3.6/site-packages/masakarimonitors/service .py", line 62, in start 2022-10-25 14:37:27.357 7 ERROR oslo_service.service self.manager.main() 2022-10-25 14:37:27.357 7 ERROR oslo_service.service File "/var/lib/kolla/venv/lib/python3.6/site-packages/masakarimonitors/instanc emonitor/instance.py", line 166, in main 2022-10-25 14:37:27.357 7 ERROR oslo_service.service self._virt_event(uri) 2022-10-25 14:37:27.357 7 ERROR oslo_service.service File "/var/lib/kolla/venv/lib/python3.6/site-packages/masakarimonitors/instanc emonitor/instance.py", line 128, in _virt_event 2022-10-25 14:37:27.357 7 ERROR oslo_service.service vc = libvirt.openReadOnly(uri) 2022-10-25 14:37:27.357 7 ERROR oslo_service.service File "/usr/lib64/python3.6/site-packages/libvirt.py", line 350, in openReadOnl y 2022-10-25 14:37:27.357 7 ERROR oslo_service.service raise libvirtError('virConnectOpenReadOnly() failed') 2022-10-25 14:37:27.357 7 ERROR oslo_service.service libvirt.libvirtError: authentication failed: Failed to start SASL negotiation: - 4 (SASL(-4): no mechanism available: No worthy mechs found) 2022-10-25 14:37:27.357 7 ERROR oslo_service.service 2022-10-25 14:37:27.359 7 INFO masakarimonitors.service [-] Stopping masakarimonitors-instancemonitor I have verified the auth.conf file on both containers the password is the same. 
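(One way to double-check those credentials by hand is to open an authenticated libvirt connection directly, e.g.:

    virsh -c qemu+tcp://<compute-host>/system list --all

which prompts for the SASL username/password configured in auth.conf; the host part above is just a placeholder.)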
In the other hand, in /var/log/kolla/libvirt/libvirtd.log I have this : 2022-10-25 13:29:16.911+0000: 1391031: error : virNetSocketReadWire:1792 : End of file while reading data: Input/output error 2022-10-25 13:30:18.226+0000: 1391031: error : virNetSocketReadWire:1792 : End of file while reading data: Input/output error 2022-10-25 13:31:19.516+0000: 1391031: error : virNetSocketReadWire:1792 : End of file while reading data: Input/output error 2022-10-25 13:32:20.817+0000: 1391031: error : virNetSocketReadWire:1792 : End of file while reading data: Input/output error 2022-10-25 13:33:22.066+0000: 1391031: error : virNetSocketReadWire:1792 : End of file while reading data: Input/output error 2022-10-25 13:34:23.359+0000: 1391031: error : virNetSocketReadWire:1792 : End of file while reading data: Input/output error 2022-10-25 13:35:24.740+0000: 1391031: error : virNetSocketReadWire:1792 : End of file while reading data: Input/output error Any ideas? Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Tue Oct 25 15:06:17 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Tue, 25 Oct 2022 16:06:17 +0100 Subject: [kolla-ansible][Yoga] Deployment stuck In-Reply-To: References: Message-ID: Hi, I think I found what causes the problem, but I don't understand why. I removed the verbosity, i.e I removed -vvv I only kept just one and I disabled ANSIBLE_DEBUG variable, and voila the deployment went till the end. First I suspected the tmux process, some kind of buffer overflow because of the quantity of the logs, but then I connected to the VM's console and it is the behavior. With one -v the process goes without problem, but if I put more -vvv it gets stuck somewhere. If someone can explain this to me!!!!??? Regards. Le lun. 24 oct. 2022 ? 14:00, wodel youchi a ?crit : > Anyone???? > > Le lun. 24 oct. 2022 ? 07:53, wodel youchi a > ?crit : > >> Hi, >> >> My setup is simple, it's an hci deployment composed of 3 controllers >> nodes and 6 compute and storage nodes. >> I am using ceph-ansible for deploying the storage part and the deployment >> goes well. >> >> My base OS is Rocky Linux 8 fully updated. >> >> My network is composed of a 1Gb management network for OS, application >> deployment and server management. And a 40Gb with LACP (80Gb) data network. >> I am using vlans to segregate openstack networks. >> >> I updated both Xena and Yoga kolla-ansible package I updated several >> times the container images (I am using a local registry). >> >> No matter how many times I tried to deploy it's the same behavior. The >> setup gets stuck somewhere. >> >> I tried to deploy the core modules without SSL, I tried to use an older >> kernel, I tried to use the 40Gb network to deploy, nothing works. The >> problem is the lack of error if there was one it would have been a starting >> point but I have nothing. >> >> Regards. >> >> On Sun, Oct 23, 2022, 00:42 wodel youchi wrote: >> >>> Hi, >>> >>> Here you can find the kolla-ansible *deploy *log with ANSIBLE_DEBUG=1 >>> >>> Regards. >>> >>> Le sam. 22 oct. 2022 ? 23:55, wodel youchi a >>> ?crit : >>> >>>> Hi, >>>> >>>> I am trying to deploy a new platform using kolla-ansible Yoga and I am >>>> trying to upgrade another platform from Xena to yoga. >>>> >>>> On both platforms the prechecks went well, but when I start the process >>>> of deployment for the first and upgrade for the second, the process gets >>>> stuck. 
>>>> >>>> I tried to tail -f /var/log/kolla/*/*.log but I can't get hold of the >>>> cause. >>>> >>>> In the first platform, some services get deployed, and at some point >>>> the script gets stuck, several times in the modprobe phase. >>>> >>>> In the second platform, the upgrade gets stuck on : >>>> >>>> Escalation succeeded >>>> [204/1859] >>>> <20.3.0.28> (0, b'\n{"path": "/etc/kolla/cron", "changed": false, >>>> "diff": {"before": {"path": "/etc/kolla/cro >>>> n"}, "after": {"path": "/etc/kolla/cron"}}, "uid": 0, "gid": 0, >>>> "owner": "root", "group": "root", "mode": "07 >>>> 70", "state": "directory", "secontext": >>>> "unconfined_u:object_r:etc_t:s0", "size": 70, "invocation": {"module_ >>>> args": {"path": "/etc/kolla/cron", "owner": "root", "group": "root", >>>> "mode": "0770", "recurse": false, "force >>>> ": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", >>>> "access_time_format": "%Y%m%d%H%M.%S", >>>> "unsafe_writes": false, "state": "directory", "_original_basename": >>>> null, "_diff_peek": null, "src": null, " >>>> modification_time": null, "access_time": null, "seuser": null, >>>> "serole": null, "selevel": null, "setype": nul >>>> l, "attributes": null}}}\n', b'') >>>> ok: [20.3.0.28] => (item={'key': 'cron', 'value': {'container_name': >>>> 'cron', 'group': 'cron', 'enabled': True >>>> , 'image': '20.3.0.34:4000/openstack.kolla/centos-source-cron:yoga', >>>> 'environment': {'DUMMY_ENVIRONMENT': 'ko >>>> lla_useless_env', 'KOLLA_LOGROTATE_SCHEDULE': 'daily'}, 'volumes': >>>> ['/etc/kolla/cron/:/var/lib/kolla/config_f >>>> iles/:ro', '/etc/localtime:/etc/localtime:ro', '', >>>> 'kolla_logs:/var/log/kolla/'], 'dimensions': {}}}) => { >>>> "ansible_loop_var": "item", >>>> "changed": false, >>>> "diff": { >>>> "after": { >>>> "path": "/etc/kolla/cron" >>>> }, >>>> "before": { >>>> "path": "/etc/kolla/cron" >>>> } >>>> }, >>>> "gid": 0, >>>> "group": "root", >>>> >>>> How to start debugging the situation. >>>> >>>> Regards. >>>> >>> -------------- next part -------------- An HTML attachment was scrubbed... URL: From ozzzo at yahoo.com Tue Oct 25 16:42:17 2022 From: ozzzo at yahoo.com (Albert Braden) Date: Tue, 25 Oct 2022 16:42:17 +0000 (UTC) Subject: [kolla] [train] Endpoints fail when one controller is down References: <1815971281.3111787.1666716137784.ref@mail.yahoo.com> Message-ID: <1815971281.3111787.1666716137784@mail.yahoo.com> Some of our clusters are heavily used, and in those clusters we get complaints when we reboot a controller (or sometimes when we deploy and containers restart). Is that normal, or does it mean that we have something configured wrong? The symptoms are intermittent 504 from endpoints, and VM creation/deletion failing or partially completing, for example the VM is created but without DNS records. We are not following the "Removing existing controllers" procedure [1] before rebooting the controller; is that necessary to avoid these issues? 1. https://docs.openstack.org/kolla-ansible/latest/user/adding-and-removing-hosts.html From rdhasman at redhat.com Tue Oct 25 17:08:31 2022 From: rdhasman at redhat.com (Rajat Dhasmana) Date: Tue, 25 Oct 2022 22:38:31 +0530 Subject: [cinder] Cancelling this weeks meeting 26 Oct Message-ID: Hello Argonauts, Since we just had PTG last week, it seems reasonable to skip this week's meeting. Also I will be on leave tomorrow so cancelling this week's cinder meeting (26 October, 2022). - Rajat Dhasmana -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From kennelson11 at gmail.com Tue Oct 25 18:32:46 2022 From: kennelson11 at gmail.com (Kendall Nelson) Date: Tue, 25 Oct 2022 13:32:46 -0500 Subject: Help us plan the next PTG! Message-ID: Hello Everyone! Congratulations on a great virtual PTG last week :) The OpenInfra Foundation is hosting the OpenInfra Summit in Vancouver [1], June 13 -15, 2023. We are trying to determine the level of interest among contributors to OpenInfra projects on attending a co-located PTG in Vancouver. *The exact format and dates are still being determined.* At this time, we are evaluating the level of interest from an attendee and employer perspective. Please complete the following poll so we can measure the level of interest and plan accordingly. Future updates will be distributed to the project mailing lists as well as previous PTG attendees. Poll: https://openinfrafoundation.formstack.com/forms/openinfra_ptg_2023 As a reminder, we are also gathering feedback for the virtual PTG here: https://etherpad.opendev.org/p/Oct2022_PTGFeedback -Kendall Nelson (diablo_rojo) [1] https://openinfra.dev/summit/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From gmann at ghanshyammann.com Tue Oct 25 18:52:16 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Tue, 25 Oct 2022 11:52:16 -0700 Subject: Help us plan the next PTG! In-Reply-To: References: Message-ID: <184107cfa1a.f47f66a8305665.9192260266772408602@ghanshyammann.com> ---- On Tue, 25 Oct 2022 11:32:46 -0700 Kendall Nelson wrote --- > Hello Everyone! > Congratulations on a great virtual PTG last week :) > > The OpenInfra Foundation is hosting the OpenInfra Summit in Vancouver [1], June 13 -15, 2023.? > We are trying to determine the level of interest among contributors to OpenInfra projects on attending a co-located PTG in Vancouver. The exact format and dates are still being determined. At this time, we are evaluating the level of interest from an attendee and employer perspective. Please complete the following poll so we can measure the level of interest and plan accordingly. Future updates will be distributed to the project mailing lists as well as previous PTG attendees.? > Thanks, Kendall for collecting the feedback and survey. One question to understand the future PTGs schedule. As PTGs are aligned with the OpenStack new development cycle timing, they were very helpful to plan the new cycle features/work well at the start of the cycle. But seeing the summit co-located PTG timing which is June, I am curious to know if there will be a PTG for the 2023.2 (B) cycle in April (with 2023.1 Antelope releasing at the March end) also? Or we are going to have only one in June which will be co-located in Vancouver Summit (once it is final based on survey results). Definitely, having a co-located PTGs in Summit is a very good idea, saving travel, and being much more productive also but it's just timing from OpenStack release perspective making it a little bit difficult. 
-gmann > Poll:?https://openinfrafoundation.formstack.com/forms/openinfra_ptg_2023 > > As a reminder, we are also gathering feedback for the virtual PTG here:?https://etherpad.opendev.org/p/Oct2022_PTGFeedback > > -Kendall Nelson (diablo_rojo) > [1]?https://openinfra.dev/summit/ From eblock at nde.ag Wed Oct 26 07:44:17 2022 From: eblock at nde.ag (Eugen Block) Date: Wed, 26 Oct 2022 07:44:17 +0000 Subject: [keystone][cache] How to tune role cache Message-ID: <20221026074417.Horde.2xZbFrscSR34uUqXAQy5PBQ@webmail.nde.ag> Hi *, one of our customers has two almost identical clouds (Victoria), the only difference is that one of them has three control nodes (HA via pacemaker) and the other one only one control node. They use terraform to deploy lots of different k8s clusters and other stuff. In the HA cloud they noticed keystone errors when they purged a project (cleanly) and started the redeployment immediately after that. We did some tests to find out which exact keystone cache it is and it seems to be the role cache (default 600 seconds) which leads to an error in terraform, it reports that the project was not found and refers to the previous ID of the project. The same deployment seems to work in the single-control environment without these errors, it just works although the cache is enabled as well. I already tried to reduce the cache_time to 30 seconds but that doesn't help (although it takes more than 30 seconds until terraform is ready after the prechecks). But the downside of disabling the role cache entirely leads to significantly longer response times when using the dashboard or querying the APIs. Is there any way to tune the role cache in a way so we could have both a reasonable performance as well as being able to redeploy projects without a "sleep 600"? Any comments or recommendations are appreciated! Regards, Eugen From ralonsoh at redhat.com Wed Oct 26 08:00:52 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Wed, 26 Oct 2022 10:00:52 +0200 Subject: [neutron] Neutron team meeting cancelled Nov 1st Message-ID: Hello Neutrinos: The next Neutron team meeting on November 1st is cancelled (All Saints' Day [1]). The next one will take place at the same time on November 8th. Regards. [1]https://en.wikipedia.org/wiki/All_Saints%27_Day -------------- next part -------------- An HTML attachment was scrubbed... URL: From wodel.youchi at gmail.com Wed Oct 26 10:16:02 2022 From: wodel.youchi at gmail.com (wodel youchi) Date: Wed, 26 Oct 2022 11:16:02 +0100 Subject: [Kolla-ansible][Xena] How to update an Openstack deployment with new containers? Message-ID: Hi, The documentation of kolla-ansible Xena does not talk about updating an existing Xena deployment with new containers. Could you please help with this? I found some lines about that in Yoga version, saying that, to update an existing deployment you have to : 1 - Update kolla-ansible it self : $ source xenavenv (xenavenv) $ pip install --upgrade git+ https://opendev.org/openstack/kolla-ansible at stable/xena 2 - Update the container Images with Docker pull 3 - Update my local registry if I am using one, and in my case I am, so I deleted the registry images then I recreated them. 4 - Then finally deploy again (xenavenv) $ kolla-ansible -i multinode deploy Is this the right procedure? because I followed the same procedure and I think it didn't change anything. 
For example I am taking nova-libvirt container as and example, in my local registry I have this : [root at rcdndeployer2 ~]# docker images | grep nova-libvirt 192.168.2.34:4000/openstack.kolla/centos-source-nova-libvirt xena 5be83d680102 31 hours ago 2. 34GB quay.io/openstack.kolla/centos-source-nova-libvirt xena *5be83d680102* *31 hours ago * 2. 34GB [root at rcdndeployer2 ~]# docker inspect -f '{{ .Created }}' *5be83d680102 * *2022-10-25*T02:33:13.172550584Z But in my compute nodes I have this : root at computehci24 ~]# docker ps | grep nova-lib b56a12bfd482 192.168.2.34:4000/openstack.kolla/centos-source-nova-libvirt:xena "dumb-init --single-?" *5 months ag**o Up Up 5 months (healthy) nova_libvirt* Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From senrique at redhat.com Wed Oct 26 11:00:00 2022 From: senrique at redhat.com (Sofia Enriquez) Date: Wed, 26 Oct 2022 08:00:00 -0300 Subject: [cinder] Bug report from 10-12-2022 to 10-26-2022. Message-ID: This is a bug report from 10-12-2022 to 10-26-2022. Agenda: https://etherpad.opendev.org/p/cinder-bug-squad-meeting ----------------------------------------------------------------------------------------- Undecided - https://bugs.launchpad.net/cinder/+bug/1994018 "The volume multiattach and in-use after retyping another backend, then can not detach it." - https://bugs.launchpad.net/cinder/+bug/1994021 "Cinder cannot work when 1 node of 3 rabbit node cluster down." Low - https://bugs.launchpad.net/cinder/+bug/1993282 "Fail to get pools by volume_type filter key." Assigned to zhaoleilc. No fix proposed to master yet. - https://bugs.launchpad.net/os-brick/+bug/1994083 "FileNotFoundError: [Errno 2] No such file or directory: is raised when dmidecode is not installed." Fix proposed to os-brick master. Wishlist - https://bugs.launchpad.net/cinder/+bug/1994150 "Image signature verification does not verify certificates." Unassigned. - https://bugs.launchpad.net/cinder/+bug/1992493 "Cinder fails to backup/snapshot/clone/extend volumes when the pool is full." Unassigned. - https://bugs.launchpad.net/cinder/+bug/1992685 "Automate generation of snapshot transfer api-ref samples for MV 3.55." Assigned. No fix proposed to master yet. Invalid - https://bugs.launchpad.net/cinder/+bug/1993577 " [JovianDSS] Unable to provide target prefix through iscsi_target_prefix ." Cheers, -- Sof?a Enriquez she/her Software Engineer Red Hat PnT IRC: @enriquetaso @RedHat Red Hat Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: From pdeore at redhat.com Tue Oct 25 19:43:59 2022 From: pdeore at redhat.com (Pranali Deore) Date: Wed, 26 Oct 2022 01:13:59 +0530 Subject: [Glance] Antelope PTG Summary Message-ID: Hello Everyone, We had our sixth virtual PTG between 18th OCt to 21st OCT 2022. Thanks to everyone who joined the virtual PTG sessions. Using bluejeans app we had all the discussion around different topics for glance, glance + cinder, glance + ceph, fips and secure RBAC. I have created etherpad[1] with notes from the session and also included the recordings of each session. Here is the short summary of the discussions. Tuesday, OCT 18th 2022 # Zed Retrospective On the positive note, we have merged a number of useful features this cycle. 
We managed to implement glance-download internal plugin to download the image from remote glance, Implemented support for immediate caching of an image, Extended the functionality of stores-detail API to expose store details of other stores and we have removed the scope scheck from scope_types for all project resources and done with phase 1 as per the revised community goal. In addition to that we have successfully organized the review party before each milestone to perform group review to cover the review load till the final milestone. On the other side we decided to organize a midcycle general cross project meetup/drivers meetup towards the end of the 2nd milestone to increase our presence in cross-projects. Recording: https://bluejeans.com/s/II_ at CAqrZdd - Chapter 1 # Distributed responsibilities among cores/team This cycle also we have decided to follow the distributed leadership internally, we are going to distribute below responsibilities among the team, Release management:pranali Bug management: cyril Meetings: pranali Stable branch management: cyril and Erno Cross project communication: abhishekk Mailing lists: share responsibility, pranali PTG/summit preparation:pranali Vulnerability management: glance-coresec group Infra management: periodic-jobs - abhishekk migration of test jobs -abhishekk Recording: https://bluejeans.com/s/II_ at CAqrZdd - Chapter 2 # Default Glance to configure multiple stores Glance has deprecated single store configuration since Stein Cycle and this cycle we are going to start putting our efforts to deploy glance using multistore by default and then remove the single store support from glance. Recording: https://bluejeans.com/s/II_ at CAqrZdd - Chapter 3 # Add missing CLI support for some Glance API in Openstack Client The CLI support for all glance APIS is already there in GlanceClient and the similar CLI support we need to have in OpenstackClient, in this Cycle we are going to put efforts to have OSC support for all the missing glance APIs. Recording: https://bluejeans.com/s/II_ at CAqrZdd - Chapter 4 # Glance Cache improvements, restrict duplicate downloads This is abou how we can avoid multiple downloading of the same image in cache on first download Spec : https://review.opendev.org/c/openstack/glance-specs/+/734683 We had this spec in the last cycle & decided to break the image into chunks and when the first request gets to the backend store it will start caching that image and if any other request comes in between and if caching is still in process it will read from the chunks created by the first request. But currently we have made one caching state to check if the image is still in caching but that was relying on md checksum to check if the image iterator has read the image completely or not but in new images we might not have checksum, multihash or size of the image, bcz if that is not present with the image we won't be able to change the state of image and thus we will never be able to resolve the issue of checking the image is in caching or not. 
Decided to dig more on the size verification & need to revisit this topic during mid-cycle meeting and update the spec with the solution for handling the multiple request and multiple chunks Recording: https://bluejeans.com/s/II_ at CAqrZdd - Chapter 5 Wednesday OCT 19th , 2022 # Image uploads to the filesystem driver are not fully atomic No efficient way to reproduce this issue, so it's decided to mark it as 'Won't fix' Recording: https://bluejeans.com/s/j_UgZFw_jEV - Chapter 1 # DB migration constant change handling Till now we have all the migration scripts by the name of the cycle and since currently release has been change to 2023.1 which is going to break the migration test because when our DB sync tool runs it will check the initial version liberty and it finds the migration script from the liberty and traverse through all the directories till the current release and executes all the scripts available in that path. Decided to fix this by updating the data migration current release to '2023.1' and check with actual migration script to check whether there is any regression or not and check if it executes the scripts in serial manner. Recording: https://bluejeans.com/s/j_UgZFw_jEV - Chapter 2 # Configurable Soft Delete Stephen initiated this topic for nova and oslo.db but also sent out a mail for glance, cinder and for other projects, if we would be interested in the idea https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030729.html But Glance replies a lot on soft delete and doesn't allow hard delete as glance allows the user to specify the UUID of the image , so it's part of a security promise of an immutable images that you are not able to delete an image and then recreate image with same UUID right after, hence soft delete model can't be removed from Glance. Recording: https://bluejeans.com/s/j_UgZFw_jEV - Chapter 3 # Secure RBAC As per the revised community goal, till zed cycle we must have the project prosona implementation & drop the system scope which we have already done in glance. We have implemented project scope for image apis in wallaby & in Xena we have managed to move all policy checks to API layer and implemented project scope of metadef APIs. During zed cycle, we had discussed that like which apis should be exposed to system scope but after the operators feedback & as per the revised community goal it was decided to drop the system scope, we just had to remove the scope scheck from scope_types for all project resources, so we are done with Phase 1. In Antelope Cycle glance is going to switch the new defaults flag ON, once it is verified by tempest for all the services. Recording: https://bluejeans.com/s/j_UgZFw_jEV - Chapter 4 # Image Export with Metadata This is about exporting images with associated metadata for importing into another Glance deployment. This cycle we need some volunteers to work on this, the glance team will help in terms of reviews/finalizing the design etc otherwise we will revisit this in the next cycle. 
This session was not recorded as it was a small discussion.

# Fips Overview
Path forward:
- Investigate the timeouts of the existing glance fips job
- Try to make the centos9 jobs stable back to wallaby, so they could possibly move to voting
- Have ubuntu jobs working and running, and make them stable

Recording: https://bluejeans.com/s/j_UgZFw_jEV - Chapter 5

Thursday, OCT 20th, 2022

# Option needed to create image in erasure coded ceph pool
To use the erasure coded ceph pool feature, the pool where the data will be held needs to be specified during image creation, so a config option is needed. Decided to write a spec first describing this in detail and to modify the existing devstack job for ceph.

Recording: https://bluejeans.com/s/cNEJ@Yq_hv5 - Chapter 1

# Parallelization of RADOS image writes when creating an image
This is for parallelization of image writes into ceph, by increasing the amount of data written at once. Decided not to take this without testing to measure whether there is an actual gain.

Recording: https://bluejeans.com/s/cNEJ@Yq_hv5 - Chapter 2

# Add chunk download support for rbd backend
Rbd supports random reading, and the rbd driver is designed to support partial download, but the current version disables this feature and doesn't implement chunk support. There is potential future use for it, but there's nothing that users would gain from this; if it is not usable through the API then we will drop this.

Recording: https://bluejeans.com/s/cNEJ@Yq_hv5 - Chapter 3

# Operators hour
No operator joined the session

# Speedup upload images for Swift backend
Uploading images with the Swift backend is slow due to the synchronous way of uploading fragments, which causes uploads that can take several hours, especially with very large images. Decided to update the spec with two implementations, the traditional one and a multithreaded one, by adding a new configuration option ``swift_store_thread_pool_size`` to the Swift store backend.

Recording: https://bluejeans.com/s/cNEJ@Yq_hv5 - Chapter 4

Friday, OCT 21st, 2022

# Cross project meet with Cinder

# Glance Image Direct URL access Issue
Glance has OSSN-0090[2] describing the security risk when you are operating glance with 'show_multiple_locations' or if the end-user-facing glance-api has the 'show_image_direct_url' option set to true. When glance shares a common storage backend with nova and cinder, it is possible to open some known attack vectors by which malicious data modification can occur. Decided to fix this by going with the solution proposed by Rajat during the last cycle: remove the show_multiple_locations config option and add the 2 new location APIs[3] below, which will replace the image-update mechanism for consumers like cinder and nova in glance.
1. Location ADD API: Design this API in a way that the location will be added only once during image create, when the image is in the QUEUED state, and no one should be allowed to add a location after the image is active. This wouldn't require the 'service role'; a basic check of the image status on the glance side should suffice.
2. Location GET API: This will show all the locations associated with an existing image, and returns an empty list if an image contains no locations. This would still require the 'service role' since we don't want to expose locations to end users.
Glance has a dependency on keystone for the 'service role', which is going to be implemented in this cycle as per the phase 2 target mentioned in the SRBAC community goals[4].
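As a purely illustrative sketch of how a consumer such as cinder or nova might end up using the two proposed calls (the authoritative paths and payloads are whatever the approved spec [3] defines; the endpoint, token and payload below are assumptions made for the example only):

    import requests

    glance = "http://glance.example.com:9292"          # assumed glance endpoint
    image_id = "<image-uuid>"                          # hypothetical image ID
    headers = {"X-Auth-Token": "<keystone-token>",     # token carrying the needed role
               "Content-Type": "application/json"}

    # Location ADD: only allowed while the image is still in the QUEUED state;
    # the payload shape here is an assumption, not the spec's final format.
    requests.post("%s/v2/images/%s/locations" % (glance, image_id),
                  json={"url": "rbd://cluster-id/pool/image/snap"},
                  headers=headers)

    # Location GET: lists locations of an existing image (needs the service role).
    print(requests.get("%s/v2/images/%s/locations" % (glance, image_id),
                       headers=headers).json())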
Recording: https://bluejeans.com/s/B4Rlifuwx_l - Chapter 1

You will find the detailed information about the above in the PTG etherpad[1], along with the recordings of the sessions and the milestone-wise priorities at the bottom of the etherpad. Kindly let me know if you have any questions.

[1]: https://etherpad.opendev.org/p/antelope-glance-ptg
[2]: https://wiki.openstack.org/wiki/OSSN/OSSN-0090
[3]: https://specs.openstack.org/openstack/glance-specs/specs/zed/approved/glance/new-location-info-apis.html
[4]: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2

Thanks,
Pranali
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From ces.eduardo98 at gmail.com Tue Oct 25 19:52:59 2022
From: ces.eduardo98 at gmail.com (Carlos Silva)
Date: Tue, 25 Oct 2022 16:52:59 -0300
Subject: [manila] Antelope PTG Summary
Message-ID: 

Hello, Zorillas and interested stackers.

Thank you for the productive PTG we had last week. Here goes the summary of the past week's discussions. In case you would like to see the expanded versions, please refer to [0] or check out the recordings in the Manila YouTube Channel [11].

Different approaches for the images we use in our jobs
- Recent changes in the Manila CI (related to the service image) made the jobs take longer to run and become more resource intensive, causing jobs to fail more often due to lack of resources in the dsvm
- We have been looking for approaches to tackle this issue
- In the short term, if a job keeps failing due to such issues, we will split it into two jobs
  - One to run scenario tests (these tests spawn VMs)
  - One to run API tests
- We agreed that this can get worse in the future with dsvm images that could be even more resource demanding, and that we will look for containerized approaches to try and solve this issue

Share backup
- (kpdev) The proposed approach for share backup has changed
- An existing specification [1] was restored
- The idea is to have new APIs for share backup and a new generic backup driver, in a similar way to what Cinder does
- This would allow backends to have their specific implementations for share backups
- Reviews for this specification are ongoing

Secure RBAC changes
- Goutham has shared with the community all the good progress we had in Manila, and also mentioned what we did in Zed after all the operators' feedback
- Now, we are entering a phase where we want to test a lot!
- We have CI jobs and some test cases covered, but we still want to have more coverage
- During Antelope, we will promote a hackathon in order to accelerate the functional test coverage

Outreachy Internships
- On this topic, ashrodri, fmount, gouthamr and carloss shared the two proposed Outreachy projects that are Manila related
- ashrodri and fmount are proposing a project to have an intern create a multi-node test environment with Devstack and Ceph [2], as these tests are becoming more resource demanding
- carloss and gouthamr are proposing a project for an intern to work on Manila UI [3]. The idea is to close the feature gap between Manila UI and the Manila API.

OpenStackSDK Manila Status
- This has been an effort for some time, and during the Zed cycle some code was merged for integrating share groups and share group snapshots
- This is a good candidate project for an internship, and the idea is that we will be able to get some interns working on this project (potentially as a college capstone project)

OSC Updates
- Zed was the release we targeted to reach feature parity with the native client, and we made it!
- We had an idea to add a deprecation warning to the native manila client, but that will need to wait
- There is still a missing bit for adding the deprecation warning: having version autonegotiation working, which is something we are targeting for Antelope
- OSC is now the primary focus of the project when doing implementations for CLIs.

Bandit Testing / VMT
- The Manila team was introduced to the VMT (vulnerability management team) and Bandit, and we had contributors sharing their ideas around having manila under the VMT and running bandit tests.
- VMT
  - The audience agreed with the conditions to be under the overseen repos.
  - Goutham has volunteered to be the security liaison for Manila
- Bandit
  - There were some errors pointed out in a preliminary test run [4].
  - We will add a bandit non-voting job and file bugs against third party drivers that have issues pointed out by the new job
  - New bugs will be filed and will be distributed across community members

All Things CephFS
- Ingress aware NFS Ganesha
  - Ceph Orchestrator is now capable of creating an ingress service to front-end a cluster of active-active NFS Ganesha instances via a single load-balanced IP address
  - Previously, we would only use a single instance of NFS Ganesha. This introduces a SPOF and is not suitable for production environments without HA being handled externally (like TripleO deployments do). With this change, Manila CephFS NFS users would be able to deploy multiple NFS Ganesha servers and leverage the inbuilt HA capabilities
  - Currently, though, manila client restrictions (access rules) will not work since NFS-Ganesha sees the ingress service's IP instead of the client's IP address.
  - ffilz proposed his design to support the PROXY protocol with NFS-Ganesha, so that Ceph Ingress can pass the client's IP address to NFS-Ganesha [5]
  - An alternative would be to have cephadm assign stable IP addresses to ganesha instances
  - No driver changes are anticipated in either approach
  - AI: Investigate deploying ceph-ingress with devstack
- Migration tool for Manila with CephFS NFS
  - After the new helper was introduced to the driver, we are able to interact with the cephadm-deployed CephNFS service (which comes with a lot of benefits)
  - Now, we need to figure out how to upgrade deployments with CephFS NFS using the current helper (which interacts with NFS Ganesha through DBUS)
  - There are two main issues:
    - Representing a change in exports when migrating across NFS servers (current use case) or when decommissioning NFS servers
    - Representing exports from multiple servers - a special case enabling migration where an old server will eventually be decommissioned
  - These issues were talked through; possible solutions were proposed and will be worked on in the following cycles. More details in [6]
- DHSS=True for CephFS driver
  - Currently the CephFS driver, whether you'd like to use it for native CephFS, NFS via DBUS, or NFS via ceph-mgr, only supports DHSS=False. The request for this feature was raised by several Manila users during the OpenInfra Summit in Berlin.
  - We discussed some alternatives for making it happen:
    - 1) The operator determines the Ceph cluster limits, creates isolated file systems and declares multiple manila backends, one per filesystem
    - 2) Subvolume groups - pinning a subvolume group to an mds can isolate/dedicate mds load
- CephFS CI issues
  - The lack of resources in the dsvms is affecting the CephFS native and NFS jobs, causing them to be unstable. The jobs often run into timeouts
  - The situation could get worse as Jammy Jellyfish packages are not available yet
  - We will ask the ceph-users if jammy release bits can be made available

Oversubscription enhancements
- Storage pools supporting thin provisioning are open to oversubscription. This caused some problems mentioned in [7].
- We have an open specification which we intend to merge in the Antelope cycle, as well as the changes to address this issue

FIPS
- We have shared our testing status with regards to FIPS. We have jobs merged on stable branches up to wallaby for both the manila and python-manilaclient repositories.
- The next steps would be a more in-depth code audit to identify non-compliant libraries and making our jobs voting
- We agreed to make our jobs voting when the Ubuntu images supporting FIPS are out
- For drivers using non-FIPS-compliant libraries, we will notify the maintainers

Metadata API update
- Metadata APIs for share snapshots were added during the Zed cycle
- The goal for this cycle is to have the functional testing and the CLI merged. Both patches are under review and expected to be merged early in the release.

Manila CSI
- The CSI plugin has been pretty stable in the last six months [8]
- There was a good talk presented at KubeCon by Robert Vasek [9]
- The next steps include getting a fix for an issue involving long snapshot names in the CephFS backend and supporting volume expansion in the OpenShift Manila CSI driver operator

Manila Configuration of VLAN Network information
- An issue was found where the Contrail Neutron plugin did not return the VLAN ID during port allocation [10]
- To tackle this issue, we have agreed to add metadata to the share network APIs so that administrators would be able to add the VLAN as metadata and drivers would be able to consume it.

*Better use of bug statuses*
- Our bugs were stuck in "New" instead of "Confirmed" or "Triaged" and this could be misleading.
- We agreed to tag the bugs as confirmed or triaged depending on the outcome of our triaging and not leave bugs as "new" - We will ask the bug assignees to update their open bugs in case one of them has the new status, so we can have a better visibility [0] https://etherpad.opendev.org/p/antelope-ptg-manila [1] https://review.opendev.org/c/openstack/manila-specs/+/330306 [2] https://www.outreachy.org/outreachy-december-2022-internship-round/communities/openstack/#create-multi-node-testing-job-with-ceph [3] https://www.outreachy.org/outreachy-december-2022-internship-round/communities/openstack/#implement-features-for-manila-user-interface [4] https://gist.github.com/gouthampacha/c0d96966670956761b2b620be730efe2 [5] https://docs.google.com/document/d/1orjNjtEeeyRrgvbQuFU5BdsCnZG9gF3MymDCZl-gOTs/edit?usp=sharing [6] https://etherpad.opendev.org/p/antelope-ptg-manila-cephfs [7] https://etherpad.opendev.org/p/manila_oversubscription_enhancements [8] https://github.com/kubernetes/cloud-provider-openstack/commits/master/pkg/csi/manila [9] https://www.youtube.com/watch?v=XfpP9pBTXfY&t=1145s [10] https://bugs.launchpad.net/charm-manila/+bug/1987315 [11] https://www.youtube.com/playlist?list=PLnpzT0InFrqBzbSP6lcYDStKpbEl3GNHK Thanks, carloss -------------- next part -------------- An HTML attachment was scrubbed... URL: From rishat.azizov at gmail.com Wed Oct 26 00:07:41 2022 From: rishat.azizov at gmail.com (=?UTF-8?B?0KDQuNGI0LDRgiDQkNC30LjQt9C+0LI=?=) Date: Wed, 26 Oct 2022 06:07:41 +0600 Subject: [cinder] Problem with restoring purestorage volume backup Message-ID: Hello! We have a problem with cinder-backup with cephbackup driver and volume on purestorage. When backing up purestorage volume with cinder-backup with cephbackup driver it creates in ceph pool and everything is ok. But when we try to restore the backup, it is not restored with an error "rbd.ImageNotFound" in the screenshot attached to this email. This happens because the original image is not in rbd, it is in purestorage. It is not clear why the cinder is trying to look for a disk in the ceph. Could you please help with this? Thanks. Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: photo_2022-05-16_15-54-32.jpg Type: image/jpeg Size: 165793 bytes Desc: not available URL: From kennelson11 at gmail.com Wed Oct 26 16:13:30 2022 From: kennelson11 at gmail.com (Kendall Nelson) Date: Wed, 26 Oct 2022 11:13:30 -0500 Subject: Help us plan the next PTG! In-Reply-To: <184107cfa1a.f47f66a8305665.9192260266772408602@ghanshyammann.com> References: <184107cfa1a.f47f66a8305665.9192260266772408602@ghanshyammann.com> Message-ID: On Tue, Oct 25, 2022 at 1:52 PM Ghanshyam Mann wrote: > ---- On Tue, 25 Oct 2022 11:32:46 -0700 Kendall Nelson wrote --- > > Hello Everyone! > > Congratulations on a great virtual PTG last week :) > > > > The OpenInfra Foundation is hosting the OpenInfra Summit in Vancouver > [1], June 13 -15, 2023. > > We are trying to determine the level of interest among contributors to > OpenInfra projects on attending a co-located PTG in Vancouver. The exact > format and dates are still being determined. At this time, we are > evaluating the level of interest from an attendee and employer perspective. > Please complete the following poll so we can measure the level of interest > and plan accordingly. Future updates will be distributed to the project > mailing lists as well as previous PTG attendees. 
> > > > Thanks, Kendall for collecting the feedback and survey. One question to > understand the future PTGs schedule. > > As PTGs are aligned with the OpenStack new development cycle timing, they > were very helpful to plan the > new cycle features/work well at the start of the cycle. But seeing the > summit co-located PTG timing which > is June, I am curious to know if there will be a PTG for the 2023.2 (B) > cycle in April (with 2023.1 Antelope releasing > at the March end) also? Or we are going to have only one in June which > will be co-located in Vancouver Summit (once > it is final based on survey results). > We would still do the usual virtual PTG on the ''normal" timeline. This potential add on to Vancouver would be in addition to the virtual PTG. > Definitely, having a co-located PTGs in Summit is a very good idea, saving > travel, and being much more productive also > but it's just timing from OpenStack release perspective making it a little > bit difficult. > > -gmann > > > Poll: > https://openinfrafoundation.formstack.com/forms/openinfra_ptg_2023 > > > > As a reminder, we are also gathering feedback for the virtual PTG here: > https://etherpad.opendev.org/p/Oct2022_PTGFeedback > > > > -Kendall Nelson (diablo_rojo) > > [1] https://openinfra.dev/summit/ > -------------- next part -------------- An HTML attachment was scrubbed... URL: From smooney at redhat.com Wed Oct 26 16:28:58 2022 From: smooney at redhat.com (Sean Mooney) Date: Wed, 26 Oct 2022 17:28:58 +0100 Subject: Help us plan the next PTG! In-Reply-To: References: <184107cfa1a.f47f66a8305665.9192260266772408602@ghanshyammann.com> Message-ID: <530554b30f54a1b841a343e5f495badb3f65a616.camel@redhat.com> On Wed, 2022-10-26 at 11:13 -0500, Kendall Nelson wrote: > On Tue, Oct 25, 2022 at 1:52 PM Ghanshyam Mann > wrote: > > > ---- On Tue, 25 Oct 2022 11:32:46 -0700 Kendall Nelson wrote --- > > > Hello Everyone! > > > Congratulations on a great virtual PTG last week :) > > > > > > The OpenInfra Foundation is hosting the OpenInfra Summit in Vancouver > > [1], June 13 -15, 2023. > > > We are trying to determine the level of interest among contributors to > > OpenInfra projects on attending a co-located PTG in Vancouver. The exact > > format and dates are still being determined. At this time, we are > > evaluating the level of interest from an attendee and employer perspective. > > Please complete the following poll so we can measure the level of interest > > and plan accordingly. Future updates will be distributed to the project > > mailing lists as well as previous PTG attendees. > > > > > > > Thanks, Kendall for collecting the feedback and survey. One question to > > understand the future PTGs schedule. > > > > As PTGs are aligned with the OpenStack new development cycle timing, they > > were very helpful to plan the > > new cycle features/work well at the start of the cycle. But seeing the > > summit co-located PTG timing which > > is June, I am curious to know if there will be a PTG for the 2023.2 (B) > > cycle in April (with 2023.1 Antelope releasing > > at the March end) also? Or we are going to have only one in June which > > will be co-located in Vancouver Summit (once > > it is final based on survey results). > > > > We would still do the usual virtual PTG on the ''normal" timeline. This > potential add on to Vancouver would be in addition to the virtual PTG. so replacing the fourm? 
> > > > Definitely, having a co-located PTGs in Summit is a very good idea, saving > > travel, and being much more productive also > > but it's just timing from OpenStack release perspective making it a little > > bit difficult. > > > > -gmann > > > > > Poll: > > https://openinfrafoundation.formstack.com/forms/openinfra_ptg_2023 > > > > > > As a reminder, we are also gathering feedback for the virtual PTG here: > > https://etherpad.opendev.org/p/Oct2022_PTGFeedback > > > > > > -Kendall Nelson (diablo_rojo) > > > [1] https://openinfra.dev/summit/ > > From senrique at redhat.com Wed Oct 26 17:12:19 2022 From: senrique at redhat.com (Sofia Enriquez) Date: Wed, 26 Oct 2022 14:12:19 -0300 Subject: [cinder] Problem with restoring purestorage volume backup In-Reply-To: References: Message-ID: Hello, This is a major bug in Cinder that has been reported. Please check https://launchpad.net/bugs/1895035. The bug has a fix proposed to master to haven't merged yet [2]. I'll mention it again in next week's Cinder meeting. Regards, Sofia [2] https://review.opendev.org/c/openstack/cinder/+/750782 On Wed, Oct 26, 2022 at 9:45 AM ????? ?????? wrote: > Hello! > > We have a problem with cinder-backup with cephbackup driver and volume on > purestorage. When backing up purestorage volume with cinder-backup with > cephbackup driver it creates in ceph pool and everything is ok. But when > we try to restore the backup, it is not restored with an error > "rbd.ImageNotFound" in the screenshot attached to this email. This happens > because the original image is not in rbd, it is in purestorage. It is not > clear why the cinder is trying to look for a disk in the ceph. Could you > please help with this? > > Thanks. Regards. > -- Sof?a Enriquez she/her Software Engineer Red Hat PnT IRC: @enriquetaso @RedHat Red Hat Red Hat -------------- next part -------------- An HTML attachment was scrubbed... URL: From kennelson11 at gmail.com Wed Oct 26 18:24:37 2022 From: kennelson11 at gmail.com (Kendall Nelson) Date: Wed, 26 Oct 2022 13:24:37 -0500 Subject: Help us plan the next PTG! In-Reply-To: <530554b30f54a1b841a343e5f495badb3f65a616.camel@redhat.com> References: <184107cfa1a.f47f66a8305665.9192260266772408602@ghanshyammann.com> <530554b30f54a1b841a343e5f495badb3f65a616.camel@redhat.com> Message-ID: No that wasn't the plan. I think the Forum will also still happen as per usual. -Kendall On Wed, Oct 26, 2022 at 11:29 AM Sean Mooney wrote: > On Wed, 2022-10-26 at 11:13 -0500, Kendall Nelson wrote: > > On Tue, Oct 25, 2022 at 1:52 PM Ghanshyam Mann > > wrote: > > > > > ---- On Tue, 25 Oct 2022 11:32:46 -0700 Kendall Nelson wrote --- > > > > Hello Everyone! > > > > Congratulations on a great virtual PTG last week :) > > > > > > > > The OpenInfra Foundation is hosting the OpenInfra Summit in > Vancouver > > > [1], June 13 -15, 2023. > > > > We are trying to determine the level of interest among contributors > to > > > OpenInfra projects on attending a co-located PTG in Vancouver. The > exact > > > format and dates are still being determined. At this time, we are > > > evaluating the level of interest from an attendee and employer > perspective. > > > Please complete the following poll so we can measure the level of > interest > > > and plan accordingly. Future updates will be distributed to the project > > > mailing lists as well as previous PTG attendees. > > > > > > > > > > Thanks, Kendall for collecting the feedback and survey. One question to > > > understand the future PTGs schedule. 
> > > > > > As PTGs are aligned with the OpenStack new development cycle timing, > they > > > were very helpful to plan the > > > new cycle features/work well at the start of the cycle. But seeing the > > > summit co-located PTG timing which > > > is June, I am curious to know if there will be a PTG for the 2023.2 (B) > > > cycle in April (with 2023.1 Antelope releasing > > > at the March end) also? Or we are going to have only one in June which > > > will be co-located in Vancouver Summit (once > > > it is final based on survey results). > > > > > > > We would still do the usual virtual PTG on the ''normal" timeline. This > > potential add on to Vancouver would be in addition to the virtual PTG. > so replacing the fourm? > > > > > > > > Definitely, having a co-located PTGs in Summit is a very good idea, > saving > > > travel, and being much more productive also > > > but it's just timing from OpenStack release perspective making it a > little > > > bit difficult. > > > > > > -gmann > > > > > > > Poll: > > > https://openinfrafoundation.formstack.com/forms/openinfra_ptg_2023 > > > > > > > > As a reminder, we are also gathering feedback for the virtual PTG > here: > > > https://etherpad.opendev.org/p/Oct2022_PTGFeedback > > > > > > > > -Kendall Nelson (diablo_rojo) > > > > [1] https://openinfra.dev/summit/ > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From melwittt at gmail.com Wed Oct 26 19:01:43 2022 From: melwittt at gmail.com (melanie witt) Date: Wed, 26 Oct 2022 12:01:43 -0700 Subject: Help us plan the next PTG! In-Reply-To: References: <184107cfa1a.f47f66a8305665.9192260266772408602@ghanshyammann.com> <530554b30f54a1b841a343e5f495badb3f65a616.camel@redhat.com> Message-ID: <35d6d3d6-4fd2-8151-b4d9-644deb191bba@gmail.com> On Wed Oct 26 2022 11:24:37 GMT-0700 (Pacific Daylight Time), Kendall Nelson wrote: > No that wasn't the plan. I think the Forum will also still happen as per > usual. TBH, I wouldn't mind it (and I think I would actually prefer it) if we went back to the OG model of having the summit and the design summit at the same time. I was never into the split off into the PTG but wanted to be open minded. I think having the user-oriented energy of the summit combined with the ability to participate on the dev side at the same event was a good thing. I might be alone in this feeling though. That said, I think gmann highlighted the challenge with this would be how we really need to have two events per year to collaborate on each upcoming release. I wonder if we could do one co-located event with the summit and then a virtual PTG for the other cycle? I dunno if the virtual PTG is too resource intensive. I'm generally not a fan of virtual events but I have quite liked the virtual PTG. I think it has been running really smoothly and very productive. Just my 2c. -melwitt > On Wed, Oct 26, 2022 at 11:29 AM Sean Mooney > wrote: > > On Wed, 2022-10-26 at 11:13 -0500, Kendall Nelson wrote: > > On Tue, Oct 25, 2022 at 1:52 PM Ghanshyam Mann > > > > wrote: > > > > >? ---- On Tue, 25 Oct 2022 11:32:46 -0700? Kendall Nelson? wrote --- > > >? > Hello Everyone! > > >? > Congratulations on a great virtual PTG last week :) > > >? > > > >? > The OpenInfra Foundation is hosting the OpenInfra Summit in > Vancouver > > > [1], June 13 -15, 2023. > > >? > We are trying to determine the level of interest among > contributors to > > > OpenInfra projects on attending a co-located PTG in Vancouver. > The exact > > > format and dates are still being determined. 
At this time, we are > > > evaluating the level of interest from an attendee and employer > perspective. > > > Please complete the following poll so we can measure the level > of interest > > > and plan accordingly. Future updates will be distributed to the > project > > > mailing lists as well as previous PTG attendees. > > >? > > > > > > > Thanks, Kendall for collecting the feedback and survey. One > question to > > > understand the future PTGs schedule. > > > > > > As PTGs are aligned with the OpenStack new development cycle > timing, they > > > were very helpful to plan the > > > new cycle features/work well at the start of the cycle.? But > seeing the > > > summit co-located PTG timing which > > > is June, I am curious to know if there will be a PTG for the > 2023.2 (B) > > > cycle in April (with 2023.1 Antelope releasing > > > at the March end) also? Or we are going to have only one in > June which > > > will be co-located in Vancouver Summit (once > > > it is final based on survey results). > > > > > > > We would still do the usual virtual PTG on the ''normal" > timeline. This > > potential add on to Vancouver would be in addition to the virtual > PTG. > so replacing the fourm? > > > > > > > > Definitely, having a co-located PTGs in Summit is a very good > idea, saving > > > travel, and being much more productive also > > > but it's just timing from OpenStack release perspective making > it a little > > > bit difficult. > > > > > > -gmann > > > > > >? > Poll: > > > > https://openinfrafoundation.formstack.com/forms/openinfra_ptg_2023 > > > >? > > > >? > As a reminder, we are also gathering feedback for the > virtual PTG here: > > > https://etherpad.opendev.org/p/Oct2022_PTGFeedback > > > >? > > > >? > -Kendall Nelson (diablo_rojo) > > >? > [1] https://openinfra.dev/summit/ > > > > > From gmann at ghanshyammann.com Wed Oct 26 19:42:19 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Wed, 26 Oct 2022 12:42:19 -0700 Subject: Help us plan the next PTG! In-Reply-To: <35d6d3d6-4fd2-8151-b4d9-644deb191bba@gmail.com> References: <184107cfa1a.f47f66a8305665.9192260266772408602@ghanshyammann.com> <530554b30f54a1b841a343e5f495badb3f65a616.camel@redhat.com> <35d6d3d6-4fd2-8151-b4d9-644deb191bba@gmail.com> Message-ID: <18415d1284c.ffea1dfa21249.6917737375854831301@ghanshyammann.com> ---- On Wed, 26 Oct 2022 12:01:43 -0700 melanie witt wrote --- > On Wed Oct 26 2022 11:24:37 GMT-0700 (Pacific Daylight Time), Kendall > Nelson kennelson11 at gmail.com> wrote: > > No that wasn't the plan. I think the Forum will also still happen as per > > usual. > > TBH, I wouldn't mind it (and I think I would actually prefer it) if we > went back to the OG model of having the summit and the design summit at > the same time. I was never into the split off into the PTG but wanted to > be open minded. I think having the user-oriented energy of the summit > combined with the ability to participate on the dev side at the same > event was a good thing. I might be alone in this feeling though. I agree and it will definitely help to connect users/operators more in the dev community. Honestly saying, I always liked that model. -gmann > > That said, I think gmann highlighted the challenge with this would be > how we really need to have two events per year to collaborate on each > upcoming release. I wonder if we could do one co-located event with the > summit and then a virtual PTG for the other cycle? I dunno if the > virtual PTG is too resource intensive. 
I'm generally not a fan of > virtual events but I have quite liked the virtual PTG. I think it has > been running really smoothly and very productive. > > Just my 2c. > > -melwitt > > > On Wed, Oct 26, 2022 at 11:29 AM Sean Mooney smooney at redhat.com > > smooney at redhat.com>> wrote: > > > > On Wed, 2022-10-26 at 11:13 -0500, Kendall Nelson wrote: > > > On Tue, Oct 25, 2022 at 1:52 PM Ghanshyam Mann > > gmann at ghanshyammann.com gmann at ghanshyammann.com>> > > > wrote: > > > > > > >? ---- On Tue, 25 Oct 2022 11:32:46 -0700? Kendall Nelson? wrote --- > > > >? > Hello Everyone! > > > >? > Congratulations on a great virtual PTG last week :) > > > >? > > > > >? > The OpenInfra Foundation is hosting the OpenInfra Summit in > > Vancouver > > > > [1], June 13 -15, 2023. > > > >? > We are trying to determine the level of interest among > > contributors to > > > > OpenInfra projects on attending a co-located PTG in Vancouver. > > The exact > > > > format and dates are still being determined. At this time, we are > > > > evaluating the level of interest from an attendee and employer > > perspective. > > > > Please complete the following poll so we can measure the level > > of interest > > > > and plan accordingly. Future updates will be distributed to the > > project > > > > mailing lists as well as previous PTG attendees. > > > >? > > > > > > > > > Thanks, Kendall for collecting the feedback and survey. One > > question to > > > > understand the future PTGs schedule. > > > > > > > > As PTGs are aligned with the OpenStack new development cycle > > timing, they > > > > were very helpful to plan the > > > > new cycle features/work well at the start of the cycle.? But > > seeing the > > > > summit co-located PTG timing which > > > > is June, I am curious to know if there will be a PTG for the > > 2023.2 (B) > > > > cycle in April (with 2023.1 Antelope releasing > > > > at the March end) also? Or we are going to have only one in > > June which > > > > will be co-located in Vancouver Summit (once > > > > it is final based on survey results). > > > > > > > > > > We would still do the usual virtual PTG on the ''normal" > > timeline. This > > > potential add on to Vancouver would be in addition to the virtual > > PTG. > > so replacing the fourm? > > > > > > > > > > > > Definitely, having a co-located PTGs in Summit is a very good > > idea, saving > > > > travel, and being much more productive also > > > > but it's just timing from OpenStack release perspective making > > it a little > > > > bit difficult. > > > > > > > > -gmann > > > > > > > >? > Poll: > > > > > > https://openinfrafoundation.formstack.com/forms/openinfra_ptg_2023 > > https://openinfrafoundation.formstack.com/forms/openinfra_ptg_2023> > > > >? > > > > >? > As a reminder, we are also gathering feedback for the > > virtual PTG here: > > > > https://etherpad.opendev.org/p/Oct2022_PTGFeedback > > https://etherpad.opendev.org/p/Oct2022_PTGFeedback> > > > >? > > > > >? > -Kendall Nelson (diablo_rojo) > > > >? 
> [1] https://openinfra.dev/summit/ > > https://openinfra.dev/summit/> > > > > > > > > > From gmann at ghanshyammann.com Wed Oct 26 23:11:46 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Wed, 26 Oct 2022 16:11:46 -0700 Subject: [all][tc] Technical Committee next weekly meeting on 2022 Oct 27 at 1500 UTC In-Reply-To: <1840ca763ed.11a1d388f223718.5578574495996418279@ghanshyammann.com> References: <1840ca763ed.11a1d388f223718.5578574495996418279@ghanshyammann.com> Message-ID: <1841690e876.afe6fc9b25421.7225549985167953354@ghanshyammann.com> Hello Everyone, Below is the agenda for Tomorrow's TC meeting scheduled at 1500 UTC. https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting * Roll call * Follow up on past action items * Gate health check ** Bare 'recheck' state *** https://etherpad.opendev.org/p/recheck-weekly-summary ** Zuul config error *** https://etherpad.opendev.org/p/zuul-config-error-openstack * 2023.1 cycle PTG * TC questions for the 2023 user survey ** https://etherpad.opendev.org/p/tc-2023-user-survey-questions ** Deadline: Oct 30 ** TC chair election process * TC weekly meeting time ** https://framadate.org/xR6HoeDpdXXfiueb * Open Reviews ** https://review.opendev.org/q/projects:openstack/governance+is:open -gmann ---- On Mon, 24 Oct 2022 18:00:07 -0700 Ghanshyam Mann wrote --- > Hello Everyone, > > The technical Committee's next weekly meeting is scheduled for 2022 Oct 27, at 1500 UTC. > > If you would like to add topics for discussion, please add them to the below wiki page by > Wednesday, Oct 26 at 2100 UTC. > > https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting > > -gmann > > From p.aminian.server at gmail.com Thu Oct 27 09:51:31 2022 From: p.aminian.server at gmail.com (Parsa Aminian) Date: Thu, 27 Oct 2022 13:21:31 +0330 Subject: network monitor Message-ID: hello Im using openstack kolla-ansible . Could you please tell me how I can monitor instances' network usage ? 1-download and upload speed 2-traffic usage for example send and receive per month for each instance -------------- next part -------------- An HTML attachment was scrubbed... URL: From noonedeadpunk at gmail.com Thu Oct 27 11:10:08 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Thu, 27 Oct 2022 13:10:08 +0200 Subject: [openstack-ansible][ptg] Antelope PTG results Message-ID: Hi everyone! As you might know, the OpenStack-Ansible team had Project Team Gathering on October 18, 2022 and we had quite good discussions. This email is a relatively short sum-up of decisions that were taken during it: * Add Zookepeer cluster deployment as coordination service. Coordination is required if you want to have active/active cinder-volume setup and also actively used by other projects, like Octavia or Designate. Zookeeper will be deployed in a separate set of containers for LXC path * Move out Ubuntu Jammy from experimental state except Ceph integration. This is because community repo does not have ceph packages built for Ubuntu 22.04, so we will switch default to use Ubuntu's native repository to get ceph from. With that you won't be able to pick what ceph version to use, but it will work for most usecases. * Continue supporting Ubuntu Focal (20.04) until Antelope release as upgrade path from Yoga to Antelope should exist and on TC PTG it was decided that it should be tested by projects on Ubuntu 20.04. * Update docs regarding level of support for integrated ceph-ansible deployment with openstack-ansible to address expectations on upgrade path. 
* Address concerns regarding Glance configuration with COW backends, with regards to OSSN notice: https://wiki.openstack.org/wiki/OSSN/OSSN-0090 * Switch distro path to experimental due to lack of maintainers. We should document that and mention that help is needed to keep it alive. If not - the feature can be removed in the future. * Cover OVN with TLS encryption. Leverage PKI role for that. * We also agreed to switch the default network driver used by OpenStack-Ansible to OVN as default. However, at the moment there is not much hands-on experience on OVN from the core team, so we can not switch default right now as we won't be efficiently helping with OVN deployments. So following switching plan was defined: ** Document reference OVN architecture that we are going to provide ** Document implementation of extra networks that are required for octavia, trove, etc. ** Switch AIO to OVN as default ** Add LXB jobs to neutron role ** Switch default for non-AIO ** Ensure that users who were relying on previous default (and using LXB) have proper override during upgrade. * Improve documentation for the Ironic role with adding a couple of scenarios. * Convert our dynamic inventory to an inventory plugin which will be installed during ansible bootstrap. * Create a repository for the skyline role. We are allowed to take https://github.com/jrosser/openstack-ansible-os_skyline as base and move it under openstack-ansible umbrella * Simplify documentation regarding provider_networks in openstack_user_config and suggest using neutron_provider_networks instead. * Continue working on improving our CI coverage, including returning to molecule testing but rely on the ansible and constraints version from the integrated repo. At the same time finish cleanup of old functional tests, including run_tests.sh, tox, etc. * Deprecate rsyslog_server/client roles as they are hardly used as of today. You can also check etherpad [1] where notes were taken during PTG and that we aim to update with progress on these points implementation: [1] https://etherpad.opendev.org/p/osa-antelope-ptg From sbauza at redhat.com Thu Oct 27 11:22:35 2022 From: sbauza at redhat.com (Sylvain Bauza) Date: Thu, 27 Oct 2022 13:22:35 +0200 Subject: Help us plan the next PTG! In-Reply-To: <35d6d3d6-4fd2-8151-b4d9-644deb191bba@gmail.com> References: <184107cfa1a.f47f66a8305665.9192260266772408602@ghanshyammann.com> <530554b30f54a1b841a343e5f495badb3f65a616.camel@redhat.com> <35d6d3d6-4fd2-8151-b4d9-644deb191bba@gmail.com> Message-ID: Le mer. 26 oct. 2022 ? 21:08, melanie witt a ?crit : > On Wed Oct 26 2022 11:24:37 GMT-0700 (Pacific Daylight Time), Kendall > Nelson wrote: > > No that wasn't the plan. I think the Forum will also still happen as per > > usual. > > TBH, I wouldn't mind it (and I think I would actually prefer it) if we > went back to the OG model of having the summit and the design summit at > the same time. I was never into the split off into the PTG but wanted to > be open minded. I think having the user-oriented energy of the summit > combined with the ability to participate on the dev side at the same > event was a good thing. I might be alone in this feeling though. > > That said, I think gmann highlighted the challenge with this would be > how we really need to have two events per year to collaborate on each > upcoming release. I wonder if we could do one co-located event with the > summit and then a virtual PTG for the other cycle? I dunno if the > virtual PTG is too resource intensive. 
I'm generally not a fan of > virtual events but I have quite liked the virtual PTG. I think it has > been running really smoothly and very productive. > > I agree with Melanie here. My personal view is that we could take the opportunity to gather back operators and developers into one single event that would happen once a year, ideally be the OIF Summit which would incidentally be at the beginning of a release period (ideal time to showcase the recent new features and to hear from feeeback before starting to draft other features) Virtual PTGs would still be necessary at every odd release since there were no physical PTG but in this situation, we would rotate between physical and virtual every 6 months, which should give us benefits of both. Last note, as we started having tick-tock releases [1], this sounds fitting perfectly our new release model : physical PTGs could happen at the beginning of a tock release and virtual PTGs at the beginning of a tick. HTH, -Sylvain [1] https://governance.openstack.org/tc/resolutions/20220210-release-cadence-adjustment.html > Just my 2c. > > -melwitt > > > On Wed, Oct 26, 2022 at 11:29 AM Sean Mooney > > wrote: > > > > On Wed, 2022-10-26 at 11:13 -0500, Kendall Nelson wrote: > > > On Tue, Oct 25, 2022 at 1:52 PM Ghanshyam Mann > > > > > > wrote: > > > > > > > ---- On Tue, 25 Oct 2022 11:32:46 -0700 Kendall Nelson wrote > --- > > > > > Hello Everyone! > > > > > Congratulations on a great virtual PTG last week :) > > > > > > > > > > The OpenInfra Foundation is hosting the OpenInfra Summit in > > Vancouver > > > > [1], June 13 -15, 2023. > > > > > We are trying to determine the level of interest among > > contributors to > > > > OpenInfra projects on attending a co-located PTG in Vancouver. > > The exact > > > > format and dates are still being determined. At this time, we > are > > > > evaluating the level of interest from an attendee and employer > > perspective. > > > > Please complete the following poll so we can measure the level > > of interest > > > > and plan accordingly. Future updates will be distributed to the > > project > > > > mailing lists as well as previous PTG attendees. > > > > > > > > > > > > > Thanks, Kendall for collecting the feedback and survey. One > > question to > > > > understand the future PTGs schedule. > > > > > > > > As PTGs are aligned with the OpenStack new development cycle > > timing, they > > > > were very helpful to plan the > > > > new cycle features/work well at the start of the cycle. But > > seeing the > > > > summit co-located PTG timing which > > > > is June, I am curious to know if there will be a PTG for the > > 2023.2 (B) > > > > cycle in April (with 2023.1 Antelope releasing > > > > at the March end) also? Or we are going to have only one in > > June which > > > > will be co-located in Vancouver Summit (once > > > > it is final based on survey results). > > > > > > > > > > We would still do the usual virtual PTG on the ''normal" > > timeline. This > > > potential add on to Vancouver would be in addition to the virtual > > PTG. > > so replacing the fourm? > > > > > > > > > > > > Definitely, having a co-located PTGs in Summit is a very good > > idea, saving > > > > travel, and being much more productive also > > > > but it's just timing from OpenStack release perspective making > > it a little > > > > bit difficult. 
> > > > > > > > -gmann > > > > > > > > > Poll: > > > > > > https://openinfrafoundation.formstack.com/forms/openinfra_ptg_2023 > > > > > > > > > > > > As a reminder, we are also gathering feedback for the > > virtual PTG here: > > > > https://etherpad.opendev.org/p/Oct2022_PTGFeedback > > > > > > > > > > > > -Kendall Nelson (diablo_rojo) > > > > > [1] https://openinfra.dev/summit/ > > > > > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From eblock at nde.ag Thu Oct 27 15:58:48 2022 From: eblock at nde.ag (Eugen Block) Date: Thu, 27 Oct 2022 15:58:48 +0000 Subject: network monitor In-Reply-To: Message-ID: <20221027155848.Horde.tinsgMUVK5RM1nlQSeXkC1i@webmail.nde.ag> Hi, I assume ceilometer is what you?re looking for: https://docs.openstack.org/ceilometer/latest/ Zitat von Parsa Aminian : > hello > Im using openstack kolla-ansible . Could you please tell me how I can > monitor instances' network usage ? > 1-download and upload speed > 2-traffic usage for example send and receive per month for each instance From ralonsoh at redhat.com Thu Oct 27 16:30:17 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Thu, 27 Oct 2022 18:30:17 +0200 Subject: [neutron] Neutron drivers meeting Oct 28th Message-ID: Hello Neutrinos: The drivers meeting will take place tomorrow at 14UTC. The agenda has one single topic: * https://bugs.launchpad.net/neutron/+bug/1994137: [RFE] Specify the precedence of port routes if multiple ports attached to a VM Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From p.aminian.server at gmail.com Thu Oct 27 16:38:48 2022 From: p.aminian.server at gmail.com (Parsa Aminian) Date: Thu, 27 Oct 2022 20:08:48 +0330 Subject: network monitor In-Reply-To: <20221027155848.Horde.tinsgMUVK5RM1nlQSeXkC1i@webmail.nde.ag> References: <20221027155848.Horde.tinsgMUVK5RM1nlQSeXkC1i@webmail.nde.ag> Message-ID: Thanks but im looking for something with gui and graphical interface On Thu, 27 Oct 2022, 19:35 Eugen Block, wrote: > Hi, > > I assume ceilometer is what you?re looking for: > https://docs.openstack.org/ceilometer/latest/ > > Zitat von Parsa Aminian : > > > hello > > Im using openstack kolla-ansible . Could you please tell me how I can > > monitor instances' network usage ? > > 1-download and upload speed > > 2-traffic usage for example send and receive per month for each instance > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From smooney at redhat.com Thu Oct 27 21:00:28 2022 From: smooney at redhat.com (Sean Mooney) Date: Thu, 27 Oct 2022 22:00:28 +0100 Subject: network monitor In-Reply-To: References: <20221027155848.Horde.tinsgMUVK5RM1nlQSeXkC1i@webmail.nde.ag> Message-ID: i think the service you want to enable is skydive https://github.com/openstack/kolla-ansible/tree/master/ansible/roles/skydive https://docs.openstack.org/kolla-ansible/train/reference/logging-and-monitoring/skydive-guide.html https://github.com/skydive-project/skydive/ On Thu, Oct 27, 2022 at 5:48 PM Parsa Aminian wrote: > > Thanks but im looking for something with gui and graphical interface > > On Thu, 27 Oct 2022, 19:35 Eugen Block, wrote: >> >> Hi, >> >> I assume ceilometer is what you?re looking for: >> https://docs.openstack.org/ceilometer/latest/ >> >> Zitat von Parsa Aminian : >> >> > hello >> > Im using openstack kolla-ansible . Could you please tell me how I can >> > monitor instances' network usage ? 
>> > 1-download and upload speed >> > 2-traffic usage for example send and receive per month for each instance >> >> >> >> From fkr at hazardous.org Thu Oct 27 21:10:52 2022 From: fkr at hazardous.org (Felix Kronlage-Dammers) Date: Thu, 27 Oct 2022 23:10:52 +0200 Subject: Help us plan the next PTG! In-Reply-To: References: <184107cfa1a.f47f66a8305665.9192260266772408602@ghanshyammann.com> <530554b30f54a1b841a343e5f495badb3f65a616.camel@redhat.com> <35d6d3d6-4fd2-8151-b4d9-644deb191bba@gmail.com> Message-ID: <537ADDD5-6703-482A-A1D7-8D05AF0FC742@hazardous.org> On 27 Oct 2022, at 13:22, Sylvain Bauza wrote: > I agree with Melanie here. My personal view is that we could take the > opportunity to gather back operators and developers into one single event > that would happen once a year, Since there were some sessions in Berlin where a good mix of operators and devs would?ve been good (the lbaas forum session for example), I?d think this would be good to have again. The operator sessions last week (octavia as an example) were also very good and show that enable more perator<>dev dialogue is worth pursuing. felix -- GPG: 824CE0F0 / 2082 651E 5104 F989 4D18 BB2E 0B26 6738 824C E0F0 fkr at hazardous.org - fkr at irc - @fkronlage:matrix.org - @felixkronlage From skaplons at redhat.com Fri Oct 28 07:09:27 2022 From: skaplons at redhat.com (Slawek Kaplonski) Date: Fri, 28 Oct 2022 09:09:27 +0200 Subject: [neutron] CI meeting Nov 1st cancelled Message-ID: <9370655.sjJMvzL01K@p1> Hi, As we discussed on IRC, Nov 1st is public holiday for me and many other folks who usually attend Neutron CI meeting so meeting next week is cancelled. See You on the CI meeting on Nov 8th. -- Slawek Kaplonski Principal Software Engineer Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: This is a digitally signed message part. URL: From jean-francois.taltavull at elca.ch Fri Oct 28 07:28:41 2022 From: jean-francois.taltavull at elca.ch (=?iso-8859-1?Q?Taltavull_Jean-Fran=E7ois?=) Date: Fri, 28 Oct 2022 07:28:41 +0000 Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size metric In-Reply-To: <3bb519ce13094cec91c8409fe165f7b1@elca.ch> References: <3bb519ce13094cec91c8409fe165f7b1@elca.ch> Message-ID: Hello, I can ask the question another way: what's the difference between 'radosgw.containers.objects.size' and 'radosgw.objects.size' metrics ? Thanks, JF > -----Original Message----- > From: Taltavull Jean-Fran?ois > Sent: lundi, 24 octobre 2022 16:26 > To: openstack-discuss > Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size > metric > > Hello, > > I'm trying to get the 'radosgw.objects.size' metric, that is the total bucket > objects size per tenant. I expected to get one sample per tenant but I get one > sample per bucket instead, as with the 'rados.containers.objects.size' metric. > > Here is my pollster definition: > ''' > - name: "radosgw.objects.size" > sample_type: "gauge" > unit: "B" > value_attribute: ". | value['usage'] | value.get('rgw.main',{'size':0}) | > value['size']" > url_path: "FQDN/admin/bucket?stats=True" > module: "awsauth" > authentication_object: "S3Auth" > authentication_parameters: my_access_key,my_secret_key,FQDN > user_id_attribute: "owner | value.split('$') | value[0]" > project_id_attribute: "tenant" > resource_id_attribute: "id" > ''' > > I tried with "resource_id_attribute: "tenant" but it does not work better. > > Any idea ? 
Is there something wrong in the pollster definition ? > > Regards, > Jean-Francois From ralonsoh at redhat.com Fri Oct 28 10:04:17 2022 From: ralonsoh at redhat.com (Rodolfo Alonso Hernandez) Date: Fri, 28 Oct 2022 12:04:17 +0200 Subject: [neutron][release] Proposing to EOL Queens, Rocky and Stein (all Neutron related projects) Message-ID: Hello: In the last PTG, the Neutron team has decided [1] to move the stable branches Queens, Rocky and Stein to EOL (end-of-life) status. According to the steps to achieve this [2], we need first to announce it. That will affect all Neutron related projects. The patch to mark these branches as EOL will be pushed in one week. If you have any inconvenience, please let me know in this mail chain or in IRC (ralonsoh, #openstack-neutron channel). You can also contact any Neutron core reviewer in the IRC channel. Regards. [1]https://etherpad.opendev.org/p/neutron-antelope-ptg#L131 [2] https://docs.openstack.org/project-team-guide/stable-branches.html#end-of-life -------------- next part -------------- An HTML attachment was scrubbed... URL: From rafaelweingartner at gmail.com Fri Oct 28 10:26:31 2022 From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=) Date: Fri, 28 Oct 2022 07:26:31 -0300 Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size metric In-Reply-To: References: <3bb519ce13094cec91c8409fe165f7b1@elca.ch> Message-ID: Can you show us the json you are trying to process with Ceilometer? Then,we can move on from there. You can post here a minimalistic version of the json output. On Fri, Oct 28, 2022 at 4:32 AM Taltavull Jean-Fran?ois < jean-francois.taltavull at elca.ch> wrote: > Hello, > > I can ask the question another way: what's the difference between > 'radosgw.containers.objects.size' and 'radosgw.objects.size' metrics ? > > Thanks, > > JF > > > -----Original Message----- > > From: Taltavull Jean-Fran?ois > > Sent: lundi, 24 octobre 2022 16:26 > > To: openstack-discuss > > Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size > > metric > > > > Hello, > > > > I'm trying to get the 'radosgw.objects.size' metric, that is the total > bucket > > objects size per tenant. I expected to get one sample per tenant but I > get one > > sample per bucket instead, as with the 'rados.containers.objects.size' > metric. > > > > Here is my pollster definition: > > ''' > > - name: "radosgw.objects.size" > > sample_type: "gauge" > > unit: "B" > > value_attribute: ". | value['usage'] | > value.get('rgw.main',{'size':0}) | > > value['size']" > > url_path: "FQDN/admin/bucket?stats=True" > > module: "awsauth" > > authentication_object: "S3Auth" > > authentication_parameters: my_access_key,my_secret_key,FQDN > > user_id_attribute: "owner | value.split('$') | value[0]" > > project_id_attribute: "tenant" > > resource_id_attribute: "id" > > ''' > > > > I tried with "resource_id_attribute: "tenant" but it does not work > better. > > > > Any idea ? Is there something wrong in the pollster definition ? > > > > Regards, > > Jean-Francois > > -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From victor.ekwueme at gmail.com Fri Oct 28 11:08:29 2022 From: victor.ekwueme at gmail.com (Victor Ekwueme) Date: Fri, 28 Oct 2022 12:08:29 +0100 Subject: Outreachy Mentorship Programme Message-ID: Hello, I am a programmer who is visually impaired. I set up devstack on a Digital Ocean droplet on Ubuntu 20.04 Server. It installed successfully. 
I am trying to make a contribution on 1599140. So my questions are: 1. How do I set up a development environment for this or any other contribution? 2. Do I work directly on the droplet and push from to the repo from there? Any assistance will be of tremendous help. Regards, Victor O. Ekwueme -------------- next part -------------- An HTML attachment was scrubbed... URL: From fungi at yuggoth.org Fri Oct 28 12:45:47 2022 From: fungi at yuggoth.org (Jeremy Stanley) Date: Fri, 28 Oct 2022 12:45:47 +0000 Subject: [cinder][first-contact-sig] Outreachy Mentorship Programme In-Reply-To: References: Message-ID: <20221028124546.3ltnbxplze5zubpu@yuggoth.org> [Keeping you in Cc since it seems like you're not subscribed to the mailing list, but please still reply to the list.] On 2022-10-28 12:08:29 +0100 (+0100), Victor Ekwueme wrote: [...] > I set up devstack on a Digital Ocean droplet on Ubuntu 20.04 > Server. It installed successfully. I am trying to make a > contribution on 1599140. [...] That bug report is about improving Cinder's unit testing coverage, so DevStack isn't really needed or involved at all, though it can still be helpful as an example deployment of Cinder along with other OpenStack services with which it interacts. For this particular task though, you just need to be able to locally run unit tests (preferably with the `tox` utility), and then create more of them. You can do that pretty much anywhere you have a POSIX (Linux/Unix) shell account and the ability to install some packages Cinder or its tests depend on. You've probably already seen the overall OpenStack Contributor Guide, but you may have missed that the Cinder team maintains guidance more specific to their subproject here which covers things like unit tests in greater detail: https://docs.openstack.org/cinder/latest/contributor/ You can also seek assistance from other Cinder contributors in the #openstack-cinder channel on the OFTC IRC network, which may be a quicker way to get answers to some of your questions. -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: From jean-francois.taltavull at elca.ch Fri Oct 28 12:46:44 2022 From: jean-francois.taltavull at elca.ch (=?utf-8?B?VGFsdGF2dWxsIEplYW4tRnJhbsOnb2lz?=) Date: Fri, 28 Oct 2022 12:46:44 +0000 Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size metric In-Reply-To: References: <3bb519ce13094cec91c8409fe165f7b1@elca.ch> Message-ID: <62156413e8ac4b259a140048b1a340e3@elca.ch> See below. Hope this will help ! 
[[{'bucket': 'huge', 'num_shards': 11, 'tenant': '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': 'default-placement', 'explicit_placement': {'data_pool': '', 'data_extra_pool': '', 'index_pool': ''}, 'id': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.3', 'marker': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.3', 'index_type': 'Normal', 'owner': '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': '0#1,1#1,2#1,3#1,4#1,5#1,6#1,7#2,8#1,9#1,10#1', 'master_ver': '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': '2022-10-26T11:32:05.185527Z', 'creation_time': '2022-10-26T11:32:05.181022Z', 'max_marker': '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {'rgw.main': {'size': 8461984, 'size_actual': 8462336, 'size_utilized': 8461984, 'size_kb': 8264, 'size_kb_actual': 8264, 'size_kb_utilized': 8264, 'num_objects': 1}}, 'bucket_quota': {'enabled': False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, 'max_objects': -1}}, {'bucket': 'empty', 'num_shards': 11, 'tenant': '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': 'default-placement', 'explicit_placement': {'data_pool': '', 'data_extra_pool': '', 'index_pool': ''}, 'id': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27142035.4', 'marker': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27142035.4', 'index_type': 'Normal', 'owner': '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': '0#1,1#1,2#1,3#1,4#1,5#1,6#1,7#1,8#1,9#1,10#1', 'master_ver': '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': '2022-10-26T11:31:40.229337Z', 'creation_time': '2022-10-26T11:31:40.224401Z', 'max_marker': '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {}, 'bucket_quota': {'enabled': False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, 'max_objects': -1}}, {'bucket': 'photos', 'num_shards': 11, 'tenant': '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': 'default-placement', 'explicit_placement': {'data_pool': '', 'data_extra_pool': '', 'index_pool': ''}, 'id': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.2', 'marker': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.2', 'index_type': 'Normal', 'owner': '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': '0#2,1#1,2#1,3#3,4#1,5#1,6#1,7#1,8#1,9#1,10#1', 'master_ver': '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': '2022-10-24T11:54:18.320141Z', 'creation_time': '2022-10-24T11:54:18.315194Z', 'max_marker': '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {'rgw.main': {'size': 14, 'size_actual': 4096, 'size_utilized': 14, 'size_kb': 1, 'size_kb_actual': 4, 'size_kb_utilized': 1, 'num_objects': 1}}, 'bucket_quota': {'enabled': False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, 'max_objects': -1}}, {'bucket': 'big', 'num_shards': 11, 'tenant': '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': 'default-placement', 'explicit_placement': {'data_pool': '', 'data_extra_pool': '', 'index_pool': ''}, 'id': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27100595.1', 'marker': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27100595.1', 'index_type': 'Normal', 'owner': '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': '0#2,1#1,2#1,3#1,4#1,5#1,6#1,7#1,8#1,9#1,10#1', 'master_ver': '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': '2022-10-24T13:28:45.864925Z', 'creation_time': 
'2022-10-24T13:28:45.860346Z', 'max_marker': '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {'rgw.main': {'size': 249, 'size_actual': 4096, 'size_utilized': 249, 'size_kb': 1, 'size_kb_actual': 4, 'size_kb_utilized': 1, 'num_objects': 1}}, 'bucket_quota': {'enabled': False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, 'max_objects': -1}}] From: Rafael Weing?rtner Sent: vendredi, 28 octobre 2022 12:27 To: Taltavull Jean-Fran?ois Cc: openstack-discuss Subject: Re: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size metric EXTERNAL MESSAGE - This email comes from outside ELCA companies. Can you show us the json you are trying to process with Ceilometer? Then,we can move on from there. You can post here a minimalistic version of the json output. On Fri, Oct 28, 2022 at 4:32 AM Taltavull Jean-Fran?ois > wrote: Hello, I can ask the question another way: what's the difference between 'radosgw.containers.objects.size' and 'radosgw.objects.size' metrics ? Thanks, JF > -----Original Message----- > From: Taltavull Jean-Fran?ois > Sent: lundi, 24 octobre 2022 16:26 > To: openstack-discuss > > Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size > metric > > Hello, > > I'm trying to get the 'radosgw.objects.size' metric, that is the total bucket > objects size per tenant. I expected to get one sample per tenant but I get one > sample per bucket instead, as with the 'rados.containers.objects.size' metric. > > Here is my pollster definition: > ''' > - name: "radosgw.objects.size" > sample_type: "gauge" > unit: "B" > value_attribute: ". | value['usage'] | value.get('rgw.main',{'size':0}) | > value['size']" > url_path: "FQDN/admin/bucket?stats=True" > module: "awsauth" > authentication_object: "S3Auth" > authentication_parameters: my_access_key,my_secret_key,FQDN > user_id_attribute: "owner | value.split('$') | value[0]" > project_id_attribute: "tenant" > resource_id_attribute: "id" > ''' > > I tried with "resource_id_attribute: "tenant" but it does not work better. > > Any idea ? Is there something wrong in the pollster definition ? > > Regards, > Jean-Francois -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From rafaelweingartner at gmail.com Fri Oct 28 12:59:25 2022 From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=) Date: Fri, 28 Oct 2022 09:59:25 -0300 Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size metric In-Reply-To: <62156413e8ac4b259a140048b1a340e3@elca.ch> References: <3bb519ce13094cec91c8409fe165f7b1@elca.ch> <62156413e8ac4b259a140048b1a340e3@elca.ch> Message-ID: I am not understanding. Your expression to obtain the value is ". | value['usage'] | value.get('rgw.main',{'size':0}) | value['size']". That assumes a response with a "value" entry in the JSON; then, you get the 'rgw.main' attribute, and then, you get the size. 
So, you are working with samples that are similar to the following: ``` { "bucket":"huge", "num_shards":11, "tenant":"08bb8ee9c5bd41248025268ee1aea481", "zonegroup":"d28c435f-57a5-49ca-91e8-481a2ced1f18", "placement_rule":"default-placement", "explicit_placement":{ "data_pool":"", "data_extra_pool":"", "index_pool":"" }, "id":"ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.3", "marker":"ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.3", "index_type":"Normal", "owner":"08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481", "ver":"0#1,1#1,2#1,3#1,4#1,5#1,6#1,7#2,8#1,9#1,10#1", "master_ver":"0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0", "mtime":"2022-10-26T11:32:05.185527Z", "creation_time":"2022-10-26T11:32:05.181022Z", "max_marker":"0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#", "usage":{ "rgw.main":{ "size":8461984, "size_actual":8462336, "size_utilized":8461984, "size_kb":8264, "size_kb_actual":8264, "size_kb_utilized":8264, "num_objects":1 } }, "bucket_quota":{ "enabled":false, "check_on_raw":true, "max_size":-1, "max_size_kb":0, "max_objects":-1 } } ``` These samples are probably coming from an API with "usage" JSON attribute, and that is why it works with your expression. To answer your initial question, Ceilometer dynamic pollster will work with whatever you have in the response. If data comes in a bucket fashion, each sample is going to represent a bucket. If you want to group/aggregate that data in a project/tenant fashion you might need to do some working. Either using a different API, or doing some groupby in Gnocchi with the aggregates API. Furthermore, what about the "admin/usage" instead of the "admin/bucket?stats=True" . The admin API will bring data grouped in a user fashion. On Fri, Oct 28, 2022 at 9:46 AM Taltavull Jean-Fran?ois < jean-francois.taltavull at elca.ch> wrote: > See below. Hope this will help ! 
> > > > [[{'bucket': 'huge', 'num_shards': 11, 'tenant': > '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': > 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': > 'default-placement', 'explicit_placement': {'data_pool': '', > 'data_extra_pool': '', 'index_pool': ''}, 'id': > 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.3', 'marker': > 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.3', 'index_type': 'Normal', > 'owner': > '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': > '0#1,1#1,2#1,3#1,4#1,5#1,6#1,7#2,8#1,9#1,10#1', 'master_ver': > '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': > '2022-10-26T11:32:05.185527Z', 'creation_time': > '2022-10-26T11:32:05.181022Z', 'max_marker': > '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {'rgw.main': {'size': > 8461984, 'size_actual': 8462336, 'size_utilized': 8461984, 'size_kb': 8264, > 'size_kb_actual': 8264, 'size_kb_utilized': 8264, 'num_objects': 1}}, > 'bucket_quota': {'enabled': False, 'check_on_raw': True, 'max_size': -1, > 'max_size_kb': 0, 'max_objects': -1}}, {'bucket': 'empty', 'num_shards': > 11, 'tenant': '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': > 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': > 'default-placement', 'explicit_placement': {'data_pool': '', > 'data_extra_pool': '', 'index_pool': ''}, 'id': > 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27142035.4', 'marker': > 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27142035.4', 'index_type': 'Normal', > 'owner': > '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': > '0#1,1#1,2#1,3#1,4#1,5#1,6#1,7#1,8#1,9#1,10#1', 'master_ver': > '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': > '2022-10-26T11:31:40.229337Z', 'creation_time': > '2022-10-26T11:31:40.224401Z', 'max_marker': > '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {}, 'bucket_quota': > {'enabled': False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, > 'max_objects': -1}}, {'bucket': 'photos', 'num_shards': 11, 'tenant': > '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': > 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': > 'default-placement', 'explicit_placement': {'data_pool': '', > 'data_extra_pool': '', 'index_pool': ''}, 'id': > 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.2', 'marker': > 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.2', 'index_type': 'Normal', > 'owner': > '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': > '0#2,1#1,2#1,3#3,4#1,5#1,6#1,7#1,8#1,9#1,10#1', 'master_ver': > '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': > '2022-10-24T11:54:18.320141Z', 'creation_time': > '2022-10-24T11:54:18.315194Z', 'max_marker': > '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {'rgw.main': {'size': 14, > 'size_actual': 4096, 'size_utilized': 14, 'size_kb': 1, 'size_kb_actual': > 4, 'size_kb_utilized': 1, 'num_objects': 1}}, 'bucket_quota': {'enabled': > False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, > 'max_objects': -1}}, {'bucket': 'big', 'num_shards': 11, 'tenant': > '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': > 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': > 'default-placement', 'explicit_placement': {'data_pool': '', > 'data_extra_pool': '', 'index_pool': ''}, 'id': > 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27100595.1', 'marker': > 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27100595.1', 'index_type': 'Normal', > 'owner': > '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': > '0#2,1#1,2#1,3#1,4#1,5#1,6#1,7#1,8#1,9#1,10#1', 'master_ver': 
> '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': > '2022-10-24T13:28:45.864925Z', 'creation_time': > '2022-10-24T13:28:45.860346Z', 'max_marker': > '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {'rgw.main': {'size': 249, > 'size_actual': 4096, 'size_utilized': 249, 'size_kb': 1, 'size_kb_actual': > 4, 'size_kb_utilized': 1, 'num_objects': 1}}, 'bucket_quota': {'enabled': > False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, > 'max_objects': -1}}] > > > > > > *From:* Rafael Weing?rtner > *Sent:* vendredi, 28 octobre 2022 12:27 > *To:* Taltavull Jean-Fran?ois > *Cc:* openstack-discuss > *Subject:* Re: [Ceilometer] RADOS GW metrics : cannot get > radosgw.objects.size metric > > > > > > *EXTERNAL MESSAGE *- This email comes from *outside ELCA companies*. > > Can you show us the json you are trying to process with Ceilometer? > Then,we can move on from there. You can post here a minimalistic version of > the json output. > > > > On Fri, Oct 28, 2022 at 4:32 AM Taltavull Jean-Fran?ois < > jean-francois.taltavull at elca.ch> wrote: > > Hello, > > I can ask the question another way: what's the difference between > 'radosgw.containers.objects.size' and 'radosgw.objects.size' metrics ? > > Thanks, > > JF > > > -----Original Message----- > > From: Taltavull Jean-Fran?ois > > Sent: lundi, 24 octobre 2022 16:26 > > To: openstack-discuss > > Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size > > metric > > > > Hello, > > > > I'm trying to get the 'radosgw.objects.size' metric, that is the total > bucket > > objects size per tenant. I expected to get one sample per tenant but I > get one > > sample per bucket instead, as with the 'rados.containers.objects.size' > metric. > > > > Here is my pollster definition: > > ''' > > - name: "radosgw.objects.size" > > sample_type: "gauge" > > unit: "B" > > value_attribute: ". | value['usage'] | > value.get('rgw.main',{'size':0}) | > > value['size']" > > url_path: "FQDN/admin/bucket?stats=True" > > module: "awsauth" > > authentication_object: "S3Auth" > > authentication_parameters: my_access_key,my_secret_key,FQDN > > user_id_attribute: "owner | value.split('$') | value[0]" > > project_id_attribute: "tenant" > > resource_id_attribute: "id" > > ''' > > > > I tried with "resource_id_attribute: "tenant" but it does not work > better. > > > > Any idea ? Is there something wrong in the pollster definition ? > > > > Regards, > > Jean-Francois > > > > -- > > Rafael Weing?rtner > -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From jean-francois.taltavull at elca.ch Fri Oct 28 13:23:11 2022 From: jean-francois.taltavull at elca.ch (=?utf-8?B?VGFsdGF2dWxsIEplYW4tRnJhbsOnb2lz?=) Date: Fri, 28 Oct 2022 13:23:11 +0000 Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size metric In-Reply-To: References: <3bb519ce13094cec91c8409fe165f7b1@elca.ch> <62156413e8ac4b259a140048b1a340e3@elca.ch> Message-ID: <87110d7e4e924a2aba534b94d047be99@elca.ch> I tried "admin/usage" API instead of the "admin/bucket?stats=True" but the returned JSON does not contain information about bucket objects size. So, I will keep on with ?admin/bucket? and try to do the aggregations I need at gnocchi level. Thanks again for your help ! JF From: Rafael Weing?rtner Sent: vendredi, 28 octobre 2022 14:59 To: Taltavull Jean-Fran?ois Cc: openstack-discuss Subject: Re: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size metric EXTERNAL MESSAGE - This email comes from outside ELCA companies. 
I am not understanding. Your expression to obtain the value is ". | value['usage'] | value.get('rgw.main',{'size':0}) | value['size']". That assumes a response with a "value" entry in the JSON; then, you get the 'rgw.main' attribute, and then, you get the size. So, you are working with samples that are similar to the following: ``` { "bucket":"huge", "num_shards":11, "tenant":"08bb8ee9c5bd41248025268ee1aea481", "zonegroup":"d28c435f-57a5-49ca-91e8-481a2ced1f18", "placement_rule":"default-placement", "explicit_placement":{ "data_pool":"", "data_extra_pool":"", "index_pool":"" }, "id":"ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.3", "marker":"ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.3", "index_type":"Normal", "owner":"08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481", "ver":"0#1,1#1,2#1,3#1,4#1,5#1,6#1,7#2,8#1,9#1,10#1", "master_ver":"0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0", "mtime":"2022-10-26T11:32:05.185527Z", "creation_time":"2022-10-26T11:32:05.181022Z", "max_marker":"0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#", "usage":{ "rgw.main":{ "size":8461984, "size_actual":8462336, "size_utilized":8461984, "size_kb":8264, "size_kb_actual":8264, "size_kb_utilized":8264, "num_objects":1 } }, "bucket_quota":{ "enabled":false, "check_on_raw":true, "max_size":-1, "max_size_kb":0, "max_objects":-1 } } ``` These samples are probably coming from an API with "usage" JSON attribute, and that is why it works with your expression. To answer your initial question, Ceilometer dynamic pollster will work with whatever you have in the response. If data comes in a bucket fashion, each sample is going to represent a bucket. If you want to group/aggregate that data in a project/tenant fashion you might need to do some working. Either using a different API, or doing some groupby in Gnocchi with the aggregates API. Furthermore, what about the "admin/usage" instead of the "admin/bucket?stats=True" . The admin API will bring data grouped in a user fashion. On Fri, Oct 28, 2022 at 9:46 AM Taltavull Jean-Fran?ois > wrote: See below. Hope this will help ! 
[[{'bucket': 'huge', 'num_shards': 11, 'tenant': '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': 'default-placement', 'explicit_placement': {'data_pool': '', 'data_extra_pool': '', 'index_pool': ''}, 'id': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.3', 'marker': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.3', 'index_type': 'Normal', 'owner': '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': '0#1,1#1,2#1,3#1,4#1,5#1,6#1,7#2,8#1,9#1,10#1', 'master_ver': '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': '2022-10-26T11:32:05.185527Z', 'creation_time': '2022-10-26T11:32:05.181022Z', 'max_marker': '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {'rgw.main': {'size': 8461984, 'size_actual': 8462336, 'size_utilized': 8461984, 'size_kb': 8264, 'size_kb_actual': 8264, 'size_kb_utilized': 8264, 'num_objects': 1}}, 'bucket_quota': {'enabled': False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, 'max_objects': -1}}, {'bucket': 'empty', 'num_shards': 11, 'tenant': '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': 'default-placement', 'explicit_placement': {'data_pool': '', 'data_extra_pool': '', 'index_pool': ''}, 'id': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27142035.4', 'marker': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27142035.4', 'index_type': 'Normal', 'owner': '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': '0#1,1#1,2#1,3#1,4#1,5#1,6#1,7#1,8#1,9#1,10#1', 'master_ver': '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': '2022-10-26T11:31:40.229337Z', 'creation_time': '2022-10-26T11:31:40.224401Z', 'max_marker': '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {}, 'bucket_quota': {'enabled': False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, 'max_objects': -1}}, {'bucket': 'photos', 'num_shards': 11, 'tenant': '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': 'default-placement', 'explicit_placement': {'data_pool': '', 'data_extra_pool': '', 'index_pool': ''}, 'id': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.2', 'marker': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27108481.2', 'index_type': 'Normal', 'owner': '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': '0#2,1#1,2#1,3#3,4#1,5#1,6#1,7#1,8#1,9#1,10#1', 'master_ver': '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': '2022-10-24T11:54:18.320141Z', 'creation_time': '2022-10-24T11:54:18.315194Z', 'max_marker': '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {'rgw.main': {'size': 14, 'size_actual': 4096, 'size_utilized': 14, 'size_kb': 1, 'size_kb_actual': 4, 'size_kb_utilized': 1, 'num_objects': 1}}, 'bucket_quota': {'enabled': False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, 'max_objects': -1}}, {'bucket': 'big', 'num_shards': 11, 'tenant': '08bb8ee9c5bd41248025268ee1aea481', 'zonegroup': 'd28c435f-57a5-49ca-91e8-481a2ced1f18', 'placement_rule': 'default-placement', 'explicit_placement': {'data_pool': '', 'data_extra_pool': '', 'index_pool': ''}, 'id': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27100595.1', 'marker': 'ba604862-46ad-4cf1-a554-7da4e7168ac3.27100595.1', 'index_type': 'Normal', 'owner': '08bb8ee9c5bd41248025268ee1aea481$08bb8ee9c5bd41248025268ee1aea481', 'ver': '0#2,1#1,2#1,3#1,4#1,5#1,6#1,7#1,8#1,9#1,10#1', 'master_ver': '0#0,1#0,2#0,3#0,4#0,5#0,6#0,7#0,8#0,9#0,10#0', 'mtime': '2022-10-24T13:28:45.864925Z', 'creation_time': 
'2022-10-24T13:28:45.860346Z', 'max_marker': '0#,1#,2#,3#,4#,5#,6#,7#,8#,9#,10#', 'usage': {'rgw.main': {'size': 249, 'size_actual': 4096, 'size_utilized': 249, 'size_kb': 1, 'size_kb_actual': 4, 'size_kb_utilized': 1, 'num_objects': 1}}, 'bucket_quota': {'enabled': False, 'check_on_raw': True, 'max_size': -1, 'max_size_kb': 0, 'max_objects': -1}}] From: Rafael Weing?rtner > Sent: vendredi, 28 octobre 2022 12:27 To: Taltavull Jean-Fran?ois > Cc: openstack-discuss > Subject: Re: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size metric EXTERNAL MESSAGE - This email comes from outside ELCA companies. Can you show us the json you are trying to process with Ceilometer? Then,we can move on from there. You can post here a minimalistic version of the json output. On Fri, Oct 28, 2022 at 4:32 AM Taltavull Jean-Fran?ois > wrote: Hello, I can ask the question another way: what's the difference between 'radosgw.containers.objects.size' and 'radosgw.objects.size' metrics ? Thanks, JF > -----Original Message----- > From: Taltavull Jean-Fran?ois > Sent: lundi, 24 octobre 2022 16:26 > To: openstack-discuss > > Subject: [Ceilometer] RADOS GW metrics : cannot get radosgw.objects.size > metric > > Hello, > > I'm trying to get the 'radosgw.objects.size' metric, that is the total bucket > objects size per tenant. I expected to get one sample per tenant but I get one > sample per bucket instead, as with the 'rados.containers.objects.size' metric. > > Here is my pollster definition: > ''' > - name: "radosgw.objects.size" > sample_type: "gauge" > unit: "B" > value_attribute: ". | value['usage'] | value.get('rgw.main',{'size':0}) | > value['size']" > url_path: "FQDN/admin/bucket?stats=True" > module: "awsauth" > authentication_object: "S3Auth" > authentication_parameters: my_access_key,my_secret_key,FQDN > user_id_attribute: "owner | value.split('$') | value[0]" > project_id_attribute: "tenant" > resource_id_attribute: "id" > ''' > > I tried with "resource_id_attribute: "tenant" but it does not work better. > > Any idea ? Is there something wrong in the pollster definition ? > > Regards, > Jean-Francois -- Rafael Weing?rtner -- Rafael Weing?rtner -------------- next part -------------- An HTML attachment was scrubbed... URL: From mnaser at vexxhost.com Fri Oct 28 13:51:55 2022 From: mnaser at vexxhost.com (Mohammed Naser) Date: Fri, 28 Oct 2022 09:51:55 -0400 Subject: [horizon] missing reviews for cinder backup filtering Message-ID: Hi folks, We're nearing a very long time that this patch has been open, it's undergone several revisions from our team and sitting idle almost 2 months. https://review.opendev.org/c/openstack/horizon/+/791532/ Can we please help get this landed, we're trying our best to stick to our upstream only :) Thanks Mohammed -- Mohammed Naser VEXXHOST, Inc. From elod.illes at est.tech Fri Oct 28 18:20:12 2022 From: elod.illes at est.tech (=?utf-8?B?RWzDtWQgSWxsw6lz?=) Date: Fri, 28 Oct 2022 18:20:12 +0000 Subject: [all][stable][ptl] Propose to EOL Queens series Message-ID: Hi, As more and more teams decide about moving their Queens branches to End of Life, it looks like the time has come to transition the complete Queens stable release for every project. 
The reasons behind this are the following things: - gates are mostly broken - minimal number of bugfix backports are pushed to these branches - gate job definitions are still using the old, legacy zuul syntax - gate jobs are based on Ubuntu Xenial, which is also beyond its public maintenance window date and hard to maintain - lack of reviews / reviewers on this branch Based on the above, if no objection comes from teams, then I'll start the process of EOL'ing Queens stable series. Please let the community know what you think, or indicate if any of the projects' stable/queens branch should be kept open in Extended Maintenance. Thanks, El?d Ill?s irc: elodilles @ #openstack-stable / #openstack-release -------------- next part -------------- An HTML attachment was scrubbed... URL: From yasufum.o at gmail.com Fri Oct 28 18:38:51 2022 From: yasufum.o at gmail.com (Yasufumi Ogawa) Date: Sat, 29 Oct 2022 03:38:51 +0900 Subject: [tacker][ptg] Antelope PTG Summary Message-ID: <238e6d10-610d-7e6b-964f-47288ea03681@gmail.com> Hi all, We had great PTG sessions in Tacker team, and hopefully all. This is a summary of what we discussed during our sessions in three days. All of items and the results of discussion is here [1]. Day 1 (18 Oct 2022) 1. Reducing resources for FTs - We shared suggestions for fixing critical issues in functional tests in which we've had some unreasonable failures, especially at the end of releases. - Removing/deprecating unecessary legacy features and its tests. - Quick analysis for the failures [1]. - Wishlist for the item [2]. - Agree to focus on jobs has the large num of failures to revise tests. 2. Support tacker-db-manage for Multi DB backend - Support for PostgreSQL doesn't work, for insatnce, some issues in tacker-db-manage. - We agreed to not only fix the issues, but also take care other backends. - Revise tacker-db-manage for supporting multi DB backend. Start to support Postgres in antelope first, and other ones in the next releases then. - Proposed design is not so mature for now, so continue to discuss to revise. 3. Migrate OpenStack testing from Ubuntu Focal (20.04) to Ubuntu Jammy (22.04) - We agreed to migrate Focal to Jammy Ubuntu release as one of the community goal in this release [4]. - Candidate patches for the update have already proposed by manpreetk not only for tackder but also other releated projs. - https://review.opendev.org/c/openstack/tacker/+/861137 - https://review.opendev.org/c/openstack/tacker-horizon/+/861571 - https://review.opendev.org/c/openstack/python-tackerclient/+/861572 - https://review.opendev.org/c/openstack/tosca-parser/+/861136 - https://review.opendev.org/c/openstack/heat-translator/+/861158 https://etherpad.opendev.org/p/migrate-to-jammy 4. Bug Triage in Tacker - Add item of bug triage in IRC etherpad to discuss about bug triage. Day 2 (19 Oct 2022) 1. Operator Hour - Guys from KDDI and NTT Docomo joined and proposed their proposals as telcom operators [5]. 1.1. Support of redanduncy - For availability, essential to make Tacker redundant for commercial use, but less than we expected for the current impl. - What is the tacker specific consideration point is store VNF packages. 1.2. Error handling and recovering operation - More tests for changing error status, disaster recovery are required. 1.3. Detailed logs - Not enough log messages especially for management drivers. 
- Error message in tacker-server.log and tacker-conductor.log is usefull and enough for vnfm-admin, but like openstack vnflcm op show comannd and api's information is not enough for vnfm-user. 1.4. Roadmap - Having explicit roadmap is helpful for oprators to be interested. - Comply with ETSI NFV Rel4 is one of the good example for the direction. 2. Add sample coordinate VNF script using coordination API - We agreed to implement interfaces ETSI NFV SOL002 v3.5.1 defines the Coordination VNF interface for coordination with external management components. 3. Revise automatic operation state transition for N-Act configuration - v2API has a function to automatically transition opocc in an intermediate state to the final state when the tacker-conductor starts up, to recover inoperable opocc in the PROCESSING state by conductor down. - It causes a problem in N-Act setting. The opocc which are being handled by other working conductors are also automatically transitioned to the final state. We propose solutions for limiting opocc to be transitioned to those handled by the downed conductor. 4. Set different number of instances for same delta and aspectId - Fix overwriting the value for same aspect and delta id. - Multi VDUs Scale of V1 API isn?t supported by the issue. 5. Continue to update the remaining patch from Zed version - Move forward reviews on gerrit. Day 3 (20 Oct 2022) 1. Enhancement of Tacker API Resource Access Policy - Current Tacker policy control access to API resources by default role such as admin or any only. - We propose Fine-grained API resource access management based on user and VNF information according to operator usecases. 2. Secure RBAC: Implement support for project-reader persona in Tacker - As per the TC and community wide goal, next cycle 2023.1 is the must for all projects to implement the phase-1 (project personas). Plan to do it in Tacker in 2023.1 cycle will be helpful in community wide goal [6][7]. - Conclusions: Clarify conflicts can be caused while introducing new roles of S-RBAC to implement the fine grained APIs 3. Support Tacker auto-scale and auto-heal without NFVO (k_fukaya) - Zed release supported, Fault Management/ Performance Management(FM/PM) interfaces, and AutoHeal and AutoScale with external monitoring. However, Heal or Scale execution must be triggered by NFVO. This feature proposes implementing support receiving alerts from external monitoring tools, which can be VNFM driven AutoHeal and AutoScale without NFVO. 4. Discuss Tacker support versions and updates for K8s/Helm/Prometheus - The support versions in Antelope should be determined, as some versions may be inconsistent and support may expire before release. Considering the support period and development risk, it seems good to decide on the following. - k8s : 1.25 (current latest version) - helm : 3.10 (current latest version) - prometheus : 2.42 (next LTS version) - Update test patch for k8s 1.25.2 and helm 3.10.1 - https://review.opendev.org/c/openstack/tacker/+/860633 (Zuul +1) - Add version information under user guide. 5. AWS vim support - Add support for EC2 as VIM for the first step for AWS. - Whole discussion is here [8]. 6. Marking Deprecated and obsoleting of Legacy API - Should start to discussion about deprecation and obsoleting Legacy Tacker API (excluding VIM feature). - Deprecation process should follow as "Deprecation Guidelines" [9]. - The key point is - APIs should be marked deprecated before obsoleting and should be marked for at least 12 months. 
- An email thread will be started on openstack-discuss to determine how many people are using the deprecated API. - We will continue our discussion and move towards removing the Legacy API (excluding VIM feature). [1] https://etherpad.opendev.org/p/tacker-antelope-ptg [2] https://etherpad.opendev.org/p/tacker-antelope-failures-analysis [3] https://bugs.launchpad.net/tacker/+bug/1993187 [4] https://governance.openstack.org/tc/goals/selected/migrate-ci-jobs-to-ubuntu-jammy.html [5] https://etherpad.opendev.org/p/oct2022-ptg-operator-hour-tacker [6] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#release-timeline [7] https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030863.html [8] https://etherpad.opendev.org/p/tacker-antelope-aws-vim-support [9] https://docs.openstack.org/project-team-guide/deprecation.html#guidelines From gmann at ghanshyammann.com Fri Oct 28 21:30:48 2022 From: gmann at ghanshyammann.com (Ghanshyam Mann) Date: Fri, 28 Oct 2022 14:30:48 -0700 Subject: [all][tc] What's happening in Technical Committee: summary 2022 Oct 28: Reading: 5 min Message-ID: <18420812ffa.1232c7569177334.1475728295646581220@ghanshyammann.com> Hello Everyone, Here is this week's summary of the Technical Committee activities. 1. TC Meetings: ============ * We had this week's meeting on Oct 27. Most of the meeting discussions are summarized in this email. Meeting logs are available @ https://meetings.opendev.org/meetings/tc/2022/tc.2022-10-27-15.00.log.html * Next TC weekly meeting will be on Nov 3 Thursday at 15:00 UTC, feel free to add the topic to the agenda[1] by Nov 2. 2. What we completed this week: ========================= * 2021 User Survey TC Question Analysis[2] * Appointed hongbin as Zun PTL[3] 3. Activities In progress: ================== TC Tracker for 2023.1 cycle --------------------------------- * I have prepared the 2023.1 tracker etherpad which includes the TC working items for the 2023.1 cycle[4]. Open Reviews ----------------- * Four open reviews for ongoing activities[5]. 2023.1 cycle TC PTG Summary ------------------------------------- I sent the TC sessions and TC+Leader discussion summary on ML[7][8]. User Survey: --------------- TC worked on the modification of TC questions for the 2023 survey[9]. TC chair nomination & election process ----------------------------------------------- We are formalizing the process of TC chair nomination process. Two options are up for the review[10][11]. Fixing Zuul config error ---------------------------- We request projects having zuul config error to fix them, Keep supported stable branches as a priority and Extended maintenance stable branch as low priority[12]. Project updates ------------------- * None. 4. How to contact the TC: ==================== If you would like to discuss or give feedback to TC, you can reach out to us in multiple ways: 1. Email: you can send the email with tag [tc] on openstack-discuss ML[13]. 2. Weekly meeting: The Technical Committee conduct a weekly meeting every Thursday 15:00 UTC [14] 3. Ping us using 'tc-members' nickname on #openstack-tc IRC channel. See you all next week in PTG! 
[1] https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Next_Meeting
[2] https://review.opendev.org/c/openstack/governance/+/836888
[3] https://review.opendev.org/c/openstack/governance/+/860759
[4] https://etherpad.opendev.org/p/tc-zed-tracker
[5] https://review.opendev.org/q/projects:openstack/governance+status:open
[7] https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030954.html
[8] https://lists.openstack.org/pipermail/openstack-discuss/2022-October/030953.html
[9] https://etherpad.opendev.org/p/tc-2023-user-survey-questions
[10] https://review.opendev.org/c/openstack/governance/+/862772
[11] https://review.opendev.org/c/openstack/governance/+/862774
[12] https://etherpad.opendev.org/p/zuul-config-error-openstack
[13] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-discuss
[14] http://eavesdrop.openstack.org/#Technical_Committee_Meeting

-gmann

From christian.rohmann at inovex.de Mon Oct 31 11:29:11 2022
From: christian.rohmann at inovex.de (Christian Rohmann)
Date: Mon, 31 Oct 2022 12:29:11 +0100
Subject: [oslo][tooz][openstack-ansible] Discussion about coordination (tooz), too many backend options, their state and deployment implications
Message-ID: <431ef18d-b52f-92d8-5543-dd63e10b012b@inovex.de>

Hello openstack-discuss,

apologies for this being quite a long message - I tried my best to collect my thoughts on the matter.

1) The role of deployment tooling in fulfilling the requirement for a coordination backend

To be honest, I am writing this triggered by the openstack-ansible plans to add coordination via the Zookeeper backend (https://lists.openstack.org/pipermail/openstack-discuss/2022-October/031013.html).

On 27/10/2022 13:10, Dmitriy Rabotyagov wrote:

> * Add Zookepeer cluster deployment as coordination service.
> Coordination is required if you want to have active/active
> cinder-volume setup and also actively used by other projects, like
> Octavia or Designate. Zookeeper will be deployed in a separate set of
> containers for LXC path

First of all, I believe it's essential for any OpenStack deployment tooling to handle the deployment of a coordination backend, as many OS projects simply rely, in their design and code, on it being in place.
But I am also convinced that there are too many options, and that some stronger guidance should be given to people designing and then deploying OS for their platform.
This guidance certainly can be in the form of a comparison table - but when it comes to using deployment tooling like openstack-ansible, the provided "default" component or options for something might just be worth more than written text explaining all of the possible approaches.

This holds especially true to me, as you can get quite far with no coordination configured, which then results in frustration and invalid bugs being raised.
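Just to illustrate what a service expects to be able to do once coordination is configured, here is a minimal sketch of a typical tooz consumer - the backend URL, member id and lock name are made-up example values only:

```python
from tooz import coordination

# The backend URL is what the deployment tooling has to provide,
# e.g. via a service's [coordination]/backend_url option (example value only).
backend_url = 'zookeeper://192.0.2.10:2181'

coordinator = coordination.get_coordinator(backend_url, b'cinder-volume-host-1')
coordinator.start(start_heart=True)

# A distributed lock around a critical section, e.g. work that must not run
# concurrently on another active/active cinder-volume instance.
with coordinator.get_lock(b'example-resource-lock'):
    pass  # do the work that requires mutual exclusion

coordinator.stop()
```

Without a real backend to point that URL at, services can typically only fall back to local (per-host) locking or no locking at all - which is exactly where the frustration mentioned above tends to come from.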
I don't want to sound unfair, but most don't communicate which of the Tooz services they actually require. In any case, I might just like something to cover all possible requirements to "set it (up) and forget it, no matter what OS projects run on the platform. Apart from basic compatibility, there are qualities I would expect (in no particular order) from a coordination backend: ?* no "best-effort" coordination, but allowing for actual reliance on it (CP if talking CAP) ?* HA - this needs to be working just as reliably as my database as otherwise the cloud cannot function ?* efficient in getting the job done (e.g. support for events / watches to reduce latency) ?* lightweight (deployment), no additional components, readily packaged ?* very little maintenance operations ?* easy monitoring I started by reading into the tooz drivers (https://docs.openstack.org/tooz/latest/user/drivers.html), of which there are more than enough to require some research. Here are my rough thoughts: ? a) I ruled out the IPC, file or RDBMs (mysql, postgresql) backend options as they all have strong side-notes (issues when doing replication or no HA at all). Additionally they usually are not partition tolerant or support watches. ? b) Redis seems quite capable, but there are many side notes about HA and this also requires setting up and maintaining sentinel. ? c) Memcached supports all three services (locks, groups, leader-election) tooz provides and is usually already part of an OpenStack infrastructure. So looked appealing. But it's non-replicating architecture and lack of any strong consistency guarantees make it less of a good "standard". I was even wondering how tooz would try it's best to work with multiple memcached nodes (https://bugs.launchpad.net/python-tooz/+bug/1970659). ? d) Then there only is Zookeeper left, which also ticks all the (feature-)boxes (https://docs.openstack.org/tooz/latest/user/compatibility.html) and is quite a proven tool for coordination also outside of the OpenStack ecosystem. On the downside it's not really that well known and common (anymore) outside the "data processing" context (see https://cwiki.apache.org/confluence/display/ZOOKEEPER/PoweredBy). Being a Java application it requires a JVM and its dependencies and is quite memory heavy to store just a few megabytes of config data. Looking at more and more people putting their OS control plane into something like Kubernetes it also seems even less suitable to be "moved around" a lot. Another issue might be the lack of a recent and non-EoL version packaged in Ubuntu - see https://bugs.launchpad.net/ubuntu/+source/zookeeper/+bug/1854331. Maybe (!) this could be an indication of how commonly it is used outside of e.g. Support from TLS was only added in 3.5.5 (https://zookeeper.apache.org/doc/r3.5.5/zookeeperAdmin.html#Quorum+TLS) ? e) Consul - While also well known and loved, it has, like Zookeeper, quite a big footprint and is way more than just a CP-focused database. It's more of an application with man use cases. ? f) A last "strong" candidate is etcd. It did not surprise me to see it on the list of possible drivers and certainly is a tool known to many from running e.g. Kubernetes. It's actually already part of openstack-ansible deployment code as a role (https://github.com/openstack/openstack-ansible/commit/2f240dd485b123763442aa94130c6ddd3109ce34) as it is required when using Calico as SDN. 
While etcd is also something one must know how to monitor and operate, I allow me to say it might just be more common to find this operational knowledge. Also etcd has a smaller footprint than Zookeeper and it beeing "just a Golang binary" comes with (no) less dependencies. But I noticed that it does not even support "grouping", according to the feature matrix. But apparently this is just a documentation delay, seehttps://bugs.launchpad.net/python-tooz/+bug/1995125. What's left to implement would be leader-election, but there seems to be no technical reason why this cannot be done. this by no means is a comparison with a clear winner. I just want to stress how confusing having lots of options with no real guidance are. The requirement to chose and deploy coordination might not be a focus when looking into designing an OS cloud. 3) Stronger guidance /? "common default", setup via OS deployment tooling and also used for DevStack and tested via CI To summarize, there are just too many options and implications in the compatibility list to quickly chose the "right" one for one's own deployment. While large-scale deployments might likely not mind for coordination to have a bigger footprint and requiring more attention in general. But for smaller and even mid-size deployments, it's just convenient to offload the configuration of coordination and the selection the backend driver to the deployment tooling. Making it way too easy for such installations to not use coordination and running into issues or every other installation using a different backend creates a very fragmented landscape. Add different operating system distributions and versions, different deployment tooling, different set and versions of OS projects used, there will be so many combinations. This will likely just cause OS projects to receive more and non-reproducible bugs. Also not having (a somewhat common) coordination (backend) used within CI and DevStack does not expose the relevant code paths to enough testing. I'd like to make the analogy to having "just" MySQL as the default database engine, while still allowing other engines to be used (https://governance.openstack.org/tc/resolutions/20170613-postgresql-status.html). Or labeling certain options as "experimental" as Neutron just did with "linuxbridge" (https://docs.openstack.org/neutron/latest//admin/config-experimental-framework.html) or cinder with naming drivers unsupported (https://docs.openstack.org/cinder/ussuri/drivers-all-about.html#unsupported-drivers). My point is that just having all those backends and no active guidance might make Tooz a very open and flexible component. I myself would wish for some less confusion around this topic and having a little less to think about this myself. Maybe the "selection" of Zookeeper by openstack-ansible is just that? I would love to hear your thoughts on coordination and why and how you ended up with using what. And certainly what your opinion on the matter of a stronger communicated "default" is. Thanks for your time and thoughts! Christian From nurmatov.mamatisa at huawei.com Mon Oct 31 12:49:59 2022 From: nurmatov.mamatisa at huawei.com (Nurmatov Mamatisa) Date: Mon, 31 Oct 2022 12:49:59 +0000 Subject: [neutron] Bug Deputy Report October 24-30 Message-ID: <5dc97f85a5ce4052a8e8df0ecfc2c5d1@huawei.com> Hi, Below is the week summary of bug deputy report for last week. One RFE was proposed and already discussed on drivers meeting, more information should be provided. 
Details: Critical -------- - https://bugs.launchpad.net/neutron/+bug/1995091 - [CI] "neutron-functional-with-oslo-master" failing with timeout - Confirmed - Unassigned - https://bugs.launchpad.net/neutron/+bug/1994491 - Functional tests job is failing on Ubuntu 22.04 - Incomplete - Assigned to Rodolfo Alonso Medium ------ - https://bugs.launchpad.net/neutron/+bug/1995031 - [CI][periodic] neutron-functional-with-uwsgi-fips job failing - Confirmed - Unassigned - https://bugs.launchpad.net/neutron/+bug/1994635 - [CI][tempest] Error in "test_multiple_create_with_reservation_return" - Confirmed - Assigned to Rodolfo Alonso Undecided --------- - https://bugs.launchpad.net/neutron/+bug/1995078 - OVN: HA chassis group priority is different than gateway chassis priority - New - Unassigned RFEs ---- - https://bugs.launchpad.net/neutron/+bug/1994137 - [RFE] Specify the precedence of port routes if multiple ports attached to a VM - Incomplete - Unassigned Best regards, Mamatisa Nurmatov Advanced Software Technology Lab / Cloud Technologies Research -------------- next part -------------- An HTML attachment was scrubbed... URL: From tobias.urdin at binero.com Mon Oct 31 14:07:43 2022 From: tobias.urdin at binero.com (Tobias Urdin) Date: Mon, 31 Oct 2022 14:07:43 +0000 Subject: [oslo][tooz][openstack-ansible] Discussion about coordination (tooz), too many backend options, their state and deployment implications In-Reply-To: <431ef18d-b52f-92d8-5543-dd63e10b012b@inovex.de> References: <431ef18d-b52f-92d8-5543-dd63e10b012b@inovex.de> Message-ID: Hello, Interesting topic, we use Redis because frankly we see that as the most logical choice due to the complexity of others. You might have seen my thread about investigating replacing RabbitMQ with NATS; our plan is to then also investigate getting Tooz and oslo.cache using the Jetstream Key-Value feature. Best regards Tobias > On 31 Oct 2022, at 12:29, Christian Rohmann wrote: > > Hallo openstack-discuss, > > > apologies for this being quite a long message - I tried my best to collect my thoughts on the matter. > > > 1) The role of deployment tooling in fulfilling the requirement for a coordination backend > > I honestly write this, triggered by openstack-ansible plans to add coordination via the Zookeeper backend (https://lists.openstack.org/pipermail/openstack-discuss/2022-October/031013.html). > > On 27/10/2022 13:10, Dmitriy Rabotyagov wrote: > >> * Add Zookepeer cluster deployment as coordination service. >> Coordination is required if you want to have active/active >> cinder-volume setup and also actively used by other projects, like >> Octavia or Designate. Zookeeper will be deployed in a separate set of >> containers for LXC path > > First of all I believe it's essential for any OpenStack deployment tooling to handle the deployment of a coordination backend as many OS projects just rely in their design and code to have it in place. > But I am convinced though there too many options, that some stronger guidance should be given to people designing and then deploying OS for their platform. > This guidance certainly can be in the form of a comparison table - but when it comes to using deployment tooling like openstack-ansible, > the provided "default" component or options for something might just be worth more than written text explaining all of the possible approaches. > > This hold especially true to me as you can get quite far with no coordination configured which then results in frustration and invalid bugs being raised. 
> And it's not just openstack-ansible thinking about coordination deployment / configurations. To just point to a few: > > * Kolla-Ansible: https://lists.openstack.org/pipermail/openstack-discuss/2020-November/018838.html > * Charms: https://bugs.launchpad.net/charm-designate/+bug/1759597 > * Puppet: https://review.opendev.org/c/openstack/puppet-oslo/+/791628/ > * ... > > > > 2) Choosing the "right" backend driver > > I've recently been looking into the question what would be the "best" tooz driver to cover all coordination use cases > the various OS projects require. Yes, the dependencies and use of coordination within the OS projects (cinder, designate, gnocchi, ...) are very different. > I don't want to sound unfair, but most don't communicate which of the Tooz services they actually require. In any case, I might just like something to cover all possible > requirements to "set it (up) and forget it, no matter what OS projects run on the platform. > > Apart from basic compatibility, there are qualities I would expect (in no particular order) from a coordination backend: > > * no "best-effort" coordination, but allowing for actual reliance on it (CP if talking CAP) > * HA - this needs to be working just as reliably as my database as otherwise the cloud cannot function > * efficient in getting the job done (e.g. support for events / watches to reduce latency) > * lightweight (deployment), no additional components, readily packaged > * very little maintenance operations > * easy monitoring > > I started by reading into the tooz drivers (https://docs.openstack.org/tooz/latest/user/drivers.html), > of which there are more than enough to require some research. Here are my rough thoughts: > > a) I ruled out the IPC, file or RDBMs (mysql, postgresql) backend options as they all have strong side-notes (issues when doing replication or no HA at all). > Additionally they usually are not partition tolerant or support watches. > > b) Redis seems quite capable, but there are many side notes about HA and this also requires setting up and maintaining sentinel. > > c) Memcached supports all three services (locks, groups, leader-election) tooz provides and is usually already part of an OpenStack infrastructure. So looked appealing. > But it's non-replicating architecture and lack of any strong consistency guarantees make it less of a good "standard". I was even wondering how tooz would try it's best to work with multiple memcached nodes (https://bugs.launchpad.net/python-tooz/+bug/1970659). > > d) Then there only is Zookeeper left, which also ticks all the (feature-)boxes (https://docs.openstack.org/tooz/latest/user/compatibility.html) and is quite a proven tool for coordination also outside of the OpenStack ecosystem. > On the downside it's not really that well known and common (anymore) outside the "data processing" context (see https://cwiki.apache.org/confluence/display/ZOOKEEPER/PoweredBy). > Being a Java application it requires a JVM and its dependencies and is quite memory heavy to store just a few megabytes of config data. Looking at more and more people putting their OS control plane into something like Kubernetes it also seems even less suitable to be "moved around" a lot. Another issue might be the lack of a recent and non-EoL version packaged in Ubuntu - see https://bugs.launchpad.net/ubuntu/+source/zookeeper/+bug/1854331. Maybe (!) this could be an indication of how commonly it is used outside of e.g. 
Support from TLS was only added in 3.5.5 (https://zookeeper.apache.org/doc/r3.5.5/zookeeperAdmin.html#Quorum+TLS) > > e) Consul - While also well known and loved, it has, like Zookeeper, quite a big footprint and is way more than just a CP-focused database. It's more of an application with man use cases. > > f) A last "strong" candidate is etcd. It did not surprise me to see it on the list of possible drivers and certainly is a tool known to many from running e.g. Kubernetes. It's actually already part of openstack-ansible deployment code as a role (https://github.com/openstack/openstack-ansible/commit/2f240dd485b123763442aa94130c6ddd3109ce34) as it is required when using Calico as SDN. While etcd is also something one must know how to monitor and operate, I allow me to say it might just be more common to find this operational knowledge. Also etcd has a smaller footprint than Zookeeper and it beeing "just a Golang binary" comes with (no) less dependencies. But I noticed that it does not even support "grouping", according to the feature matrix. But apparently this is just a documentation delay, seehttps://bugs.launchpad.net/python-tooz/+bug/1995125. What's left to implement would be leader-election, but there seems to be no technical reason why this cannot be done. > > > this by no means is a comparison with a clear winner. I just want to stress how confusing having lots of options with no > real guidance are. The requirement to chose and deploy coordination might not be a focus when looking into designing an OS cloud. > > > > 3) Stronger guidance / "common default", setup via OS deployment tooling and also used for DevStack and tested via CI > > To summarize, there are just too many options and implications in the compatibility list to quickly chose the "right" one for one's own deployment. > > While large-scale deployments might likely not mind for coordination to have a bigger footprint and requiring more attention in general. > But for smaller and even mid-size deployments, it's just convenient to offload the configuration of coordination and the selection the backend driver to the deployment tooling. > Making it way too easy for such installations to not use coordination and running into issues or every other installation using a different backend creates a very fragmented landscape. > Add different operating system distributions and versions, different deployment tooling, different set and versions of OS projects used, there will be so many combinations. > This will likely just cause OS projects to receive more and non-reproducible bugs. Also not having (a somewhat common) coordination (backend) used within CI and DevStack does not expose > the relevant code paths to enough testing. > > I'd like to make the analogy to having "just" MySQL as the default database engine, while still allowing other engines to be used (https://governance.openstack.org/tc/resolutions/20170613-postgresql-status.html). > Or labeling certain options as "experimental" as Neutron just did with "linuxbridge" (https://docs.openstack.org/neutron/latest//admin/config-experimental-framework.html) or cinder with naming drivers unsupported > (https://docs.openstack.org/cinder/ussuri/drivers-all-about.html#unsupported-drivers). > > My point is that just having all those backends and no active guidance might make Tooz a very open and flexible component. > I myself would wish for some less confusion around this topic and having a little less to think about this myself. 
> > Maybe the "selection" of Zookeeper by openstack-ansible is just that? > > > > I would love to hear your thoughts on coordination and why and how you ended up with using what. > And certainly what your opinion on the matter of a stronger communicated "default" is. > > > Thanks for your time and thoughts! > > Christian > From christian.rohmann at inovex.de Mon Oct 31 15:59:29 2022 From: christian.rohmann at inovex.de (Christian Rohmann) Date: Mon, 31 Oct 2022 16:59:29 +0100 Subject: [oslo][tooz][openstack-ansible] Discussion about coordination (tooz), too many backend options, their state and deployment implications In-Reply-To: References: <431ef18d-b52f-92d8-5543-dd63e10b012b@inovex.de> Message-ID: <8e9e8005-6a13-fdfc-c021-a72342de15d3@inovex.de> On 31/10/2022 15:07, Tobias Urdin wrote: > Interesting topic, we use Redis because frankly we see that as the most logical choice > due to the complexity of others. Interesting now one's mileage varies :-) > You might have seen my thread about investigating replacing RabbitMQ with NATS; our plan is to > then also investigate getting Tooz and oslo.cache using the Jetstream Key-Value feature. That sounds really interesting, I shall follow that discussion then. If one tool, e.g. NATS in your case, could cover more than one communication use case, e.g. (async) messaging and distributed locking, this would reduce the number of different components required to assemble a cloud, thus reducing the complexity. Even if there was more than once instance of that software required. As I was also arguing that adding more and more implementations and "ways" to do things, does neither help the operators nor the developers. To me, software developers benefit from clear abstractions for such cross-cutting concerns as messaging or coordination. While e.g. tooz already aims to be such an abstraction, when deploying OpenStack or operating a cloud things can look so vastly different. No coordination at all, different drivers with different features and inherently different guarantees and behavior in case of problems. Discussing broadly, and then agreeing not only on a common library and its interface, but also on an implementation to me is not inflexible, but makes sense to keep the complexity manageable. It happened with MySQL/MariaDB as db engine and actually also with AMQP as messaging protocol (including it's paradigms). It's progress to simply revisit such decisions and conventions over time. Regards Christian From cboylan at sapwetik.org Mon Oct 31 15:59:26 2022 From: cboylan at sapwetik.org (Clark Boylan) Date: Mon, 31 Oct 2022 08:59:26 -0700 Subject: [oslo][tooz][openstack-ansible] Discussion about coordination (tooz), too many backend options, their state and deployment implications In-Reply-To: <431ef18d-b52f-92d8-5543-dd63e10b012b@inovex.de> References: <431ef18d-b52f-92d8-5543-dd63e10b012b@inovex.de> Message-ID: <9661409e-be25-4fcf-8f98-860079de1015@app.fastmail.com> On Mon, Oct 31, 2022, at 4:29 AM, Christian Rohmann wrote: > snip > ? d) Then there only is Zookeeper left, which also ticks all the > (feature-)boxes > (https://docs.openstack.org/tooz/latest/user/compatibility.html) and is > quite a proven tool for coordination also outside of the OpenStack > ecosystem. > On the downside it's not really that well known and common (anymore) > outside the "data processing" context (see > https://cwiki.apache.org/confluence/display/ZOOKEEPER/PoweredBy). 
> Being a Java application it requires a JVM and its dependencies and is > quite memory heavy to store just a few megabytes of config data. Looking > at more and more people putting their OS control plane into something > like Kubernetes it also seems even less suitable to be "moved around" a > lot. Another issue might be the lack of a recent and non-EoL version > packaged in Ubuntu - see > https://bugs.launchpad.net/ubuntu/+source/zookeeper/+bug/1854331. Maybe > (!) this could be an indication of how commonly it is used outside of > e.g. Support from TLS was only added in 3.5.5 > (https://zookeeper.apache.org/doc/r3.5.5/zookeeperAdmin.html#Quorum+TLS) > Zuul relies on Zookeeper for its coordination and shared state (without tooz). This is nice because it means we can look at the OpenDev Zuul ZK cluster stats for more info. We currently run a three node cluster. Each node is a 4vcpu 4GB memory VM. The JVM itself seems to consume just under a gig of memory per node. Total system memory stats can be seen here [0]. According to `docker image list` the zookeeper container images we are running are 265MB large. If you scroll to the bottom of this grafana dashboard [1] you'll see operating stats for the cluster. All that to show that zookeeper isn't free, but it also isn't terribly expensive to run either. Particularly when it tends to fill an important role of preventing software from trampling over itself. As far as installing it goes, we've been happily using the official docker images [2]. They have worked well for us and have been kept up to date (including TLS support). If you don't want to use those images the tarballs upstream publishes [3] include init scripts that can be used to manage zookeeper as a proper service. You just download, verify, extract, and execute the script (assuming you have java installed) and the service runs. I'm not going to try and convince anyone that they should use Zookeeper or not. I just want to put concrete details on some of these concerns. [0] http://cacti.openstack.org/cacti/graph.php?action=view&local_graph_id=70034&rra_id=all [1] https://grafana.opendev.org/d/21a6e53ea4/zuul-status?orgId=1&from=now-7d&to=now [2] https://hub.docker.com/_/zookeeper [3] https://zookeeper.apache.org/releases.html From adivya1.singh at gmail.com Mon Oct 31 18:26:01 2022 From: adivya1.singh at gmail.com (Adivya Singh) Date: Mon, 31 Oct 2022 23:56:01 +0530 Subject: (openstack-ansible) Container installation in openstack Message-ID: Hi Team, Any input on this, to install container service in openstack using ansible. standard global parametre Regards Adivya Singh -------------- next part -------------- An HTML attachment was scrubbed... URL: From noonedeadpunk at gmail.com Mon Oct 31 18:36:40 2022 From: noonedeadpunk at gmail.com (Dmitriy Rabotyagov) Date: Mon, 31 Oct 2022 19:36:40 +0100 Subject: (openstack-ansible) Container installation in openstack In-Reply-To: References: Message-ID: Hi Adivya, Can you please elaborate more about what container service you are thinking about? Is it Magnum or Zun or your question is more about how to install all openstack services in containers? ??, 31 ???. 2022 ?. ? 19:34, Adivya Singh : > > Hi Team, > > Any input on this, to install container service in openstack using ansible. 
> > standard global parametre > > Regards > Adivya Singh From jay at gr-oss.io Mon Oct 31 21:04:34 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Mon, 31 Oct 2022 14:04:34 -0700 Subject: [OSSN-0091] BMC emulators developed in OpenStack community do not preserve passwords on VMs Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ## Summary ## When deploying VirtualBMC or Sushy-Tools in an unsupported, production-like configuration, it can remove secret data, including VNC passwords, from a libvirt domain permanently. Operators impacted by this vulnerability must reconfigure any secret data, including VNC passwords, for the libvirt domain. These virtual machine emulators are tools to help emulate a physical machine's Baseboard Management Controller (BMC) to aid in development and testing of software that would otherwise require physical machines to perform integration testing activities. They are not intended or supported for production or long-term use of any kind. ## Affected Services / Software ## * Sushy-Tools, <=0.21.0 * VirtualBMC, <=2.2.2 There is no impact to any OpenStack software or services intended for production use. ## Patches ## * VirtualBMC: https://review.opendev.org/c/openstack/virtualbmc/+/862620 * Sushy-Tools: https://review.opendev.org/c/openstack/sushy-tools/+/862625 ## Discussion ## To perform some advanced operations on Libvirt virtual machines, the underlying XML document describing the virtual machine's domain must be extracted, modified, and then updated. These specific actions are for aspects such as "setting a boot device" (VirtualBMC, Sushy-Tools), Setting a boot mode (Sushy-Tools), and setting a virtual media device (Sushy-Tools). This issue is triggered when a VM has any kind of "secure" information defined in the XML domain definition. If an operator deploys VirtualBMC or Sushy-Tools to manage one of these libvirt VMs, the first time any action is performed that requires rewriting of the XML domain definition, all secure information -- including a VNC console password, if set -- is lost and removed from the domain definition, leaving the libvirt VM's exposed to a malicious console user. ## Recommended Actions ## Operators who may have been impacted by this vulnerability should immediately remove use of VirtualBMC and/or Sushy-Tools from their production environment. Then, validate and if necessary, reconfigure passwords for VNC access or any other impacted secrets. ## Notes ## The OpenStack team will ensure documentation is updated to clearly state these software packages are intended for development/CI use only, and are not safe to run in production. 
## Credits ## Julia Kreger from Red Hat ## References ## Author: Jay Faulkner, G-Research Open Source Software This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0090 Original Storyboard bug: https://storyboard.openstack.org/#!/story/2010382 Mailing List : [Security] tag on openstack-discuss at lists.openstack.org OpenStack Security Project : https://launchpad.net/~openstack-ossg CVE: CVE-2022-44020 -----BEGIN PGP SIGNATURE----- Version: FlowCrypt Email Encryption 8.3.8 Comment: Seamlessly send and receive encrypted email wsFzBAEBCgAGBQJjYDhhACEJEGt12Tm0JMbUFiEEvF1YmsGLSYuWqE+ta3XZ ObQkxtSCUw/9FEeakvlf06BWrk5Lc3TGwUKV0WiLaE4M0xjljkzg/3/580/E nhOTl/raPszlzgkGdrQTaH3Sj4AwUTdPHqqxjyK/Xb1DIm+CfS3bdbP0aLHG Y3Su4Z74unMaKbnbyDYhM1qMIzPyBruLpqiyYJGhSuzU/fu1O/LCWfSicvKK YDmAHJ9TjXuTMdWrLrkMknvJaLe0aJrNW5iqDnIh6YrUC2Pioi5h+OFKwDpn Ea+YnlAxKR7OQGRGcY3AwP1Jq87pdHZagcVThc/wnCATKT/FtaIogDkUnoMn qI+6MNjV3R4kyQCbyo35KeIDWm+541XsK0GoR5hcvR1AkwciSPBAkt3VHxpa p0g9hVcNTv+tWwN8LrdLRPMDuqKA51eNUvQCV8W+H42wS0uoaMPXglbZIuwv AmEoK8UC8Gii8cPoIkiZGSSOo4i+tlE/q+L/Mgs1opyt1Klcxs/Lm1PNylET XqLw70qKrfqWabZpKUxMS3F9JwyCkgnD5+t2x/qsqg5Hq+kUZqP8be3Oc7K7 He/gIneWDMpH1+J9Tm5ofyxtJCA+V96+cXoXYk8SncVf/O5djgd48UkQo1iJ NZlKxJsaKH5+JyPuXkR6hyqDrIkmbJRh4aU9nJBQyFho0fXuQVlC2iUOGa0F BgUFs5J6oQtglAAuyUoNuhuBJBwdW09NxQ4= =6yXE -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x6B75D939B424C6D4.asc Type: application/pgp-keys Size: 3356 bytes Desc: not available URL: From jay at gr-oss.io Mon Oct 31 21:07:20 2022 From: jay at gr-oss.io (Jay Faulkner) Date: Mon, 31 Oct 2022 14:07:20 -0700 Subject: [OSSN-0091] BMC emulators developed in OpenStack community do not preserve passwords on VMs In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 > This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0090 The correct link to the OSSN is https://wiki.openstack.org/wiki/OSSN/OSSN-0091. My apologies for the error. - -- Jay Faulkner On 2022-10-31 at 21:04, jay at gr-oss.io wrote: > ## Summary ## > When deploying VirtualBMC or Sushy-Tools in an unsupported, production-like > configuration, it can remove secret data, including VNC passwords, from a > libvirt domain permanently. Operators impacted by this vulnerability must > reconfigure any secret data, including VNC passwords, for the libvirt > domain. > > These virtual machine emulators are tools to help emulate a physical > machine's Baseboard Management Controller (BMC) to aid in development and > testing of software that would otherwise require physical machines to > perform integration testing activities. They are not intended or supported > for production or long-term use of any kind. > > ## Affected Services / Software ## > * Sushy-Tools, <=0.21.0 > * VirtualBMC, <=2.2.2 > > There is no impact to any OpenStack software or services intended for > production use. > > ## Patches ## > * VirtualBMC: https://review.opendev.org/c/openstack/virtualbmc/+/862620 > * Sushy-Tools: https://review.opendev.org/c/openstack/sushy-tools/+/862625 > > ## Discussion ## > To perform some advanced operations on Libvirt virtual machines, the > underlying XML document describing the virtual machine's domain must be > extracted, modified, and then updated. These specific actions are for > aspects such as "setting a boot device" (VirtualBMC, Sushy-Tools), Setting > a boot mode (Sushy-Tools), and setting a virtual media device > (Sushy-Tools). 
> > This issue is triggered when a VM has any kind of "secure" information > defined in the XML domain definition. If an operator deploys VirtualBMC or > Sushy-Tools to manage one of these libvirt VMs, the first time any action > is performed that requires rewriting of the XML domain definition, all > secure information -- including a VNC console password, if set -- is lost > and removed from the domain definition, leaving the libvirt VM's exposed to > a malicious console user. > > ## Recommended Actions ## > Operators who may have been impacted by this vulnerability should > immediately remove use of VirtualBMC and/or Sushy-Tools from their > production environment. Then, validate and if necessary, reconfigure > passwords for VNC access or any other impacted secrets. > > ## Notes ## > The OpenStack team will ensure documentation is updated to clearly state > these software packages are intended for development/CI use only, and are > not safe to run in production. > > ## Credits ## > Julia Kreger from Red Hat > > ## References ## > Author: Jay Faulkner, G-Research Open Source Software > This OSSN: https://wiki.openstack.org/wiki/OSSN/OSSN-0090 > Original Storyboard bug: https://storyboard.openstack.org/#!/story/2010382 > Mailing List : [Security] tag on openstack-discuss at lists.openstack.org > OpenStack Security Project : https://launchpad.net/~openstack-ossg > CVE: CVE-2022-44020 -----BEGIN PGP SIGNATURE----- Version: FlowCrypt Email Encryption 8.3.8 Comment: Seamlessly send and receive encrypted email wsFzBAEBCgAGBQJjYDkHACEJEGt12Tm0JMbUFiEEvF1YmsGLSYuWqE+ta3XZ ObQkxtQIlQ/+OYBQY7DkwJkdZWKSXoaEAe2wyNwnnU9vbbJm/t13gg0h68/c 1zo7M9ZlvAO/lKPWB7GoWmV0wIFB+f70s8uZB4thDwheKV+99Sg7HHS6JzgU xU5+1/cq4F/6Ht8bmh1FV2/6TLLTQfC36YzkG3eS/q8Dehxmji5zjZdlVAnb ErLOS9/w8uWsXqHuY+jxM2evBt4wo8qmXgSzPpBRoYOC4Nx/jZQtN2sZmlfZ b6nE+40LIvjKbrmT5lpGfytVuboqi9gHuAF/CWckJUNNd2GbEKcguAH5aRL2 3TO5X1myX+N8RrOoo5wxEjosH36Th4TrKNRDWTQqe3zSGS8s30H5Ryu82XkH vZRncsg5p27VvL06Yrl2/uLUHzbLBJ7pJ07dhA2sjjTY46poix74xhwbde2I DVP8OaHhumHWlU8yBEqapuNMhhU20BiwpFLijUhQhKnGfb9hw/ZNlYgT5Jh9 vEubBfKcw4FmZIwvXFVJGs0GwQxoVYravUx8bgQbK5tb/e3omlDj+VOKrVeV uAp82/OLrgOvr6L0wCvFyJu+9uEMiPRuvJQJNKBNIv4ec4r9fpAEgcMlnFqo YAIzpg1jfPWbCn154dvhOxguqNIPtu2SiLTmD2Vvg8mwJu7gEkRkTsiz6KXv GdhY0ogG20TaqyfrKTDmddUgaleq+pD0VAk= =2622 -----END PGP SIGNATURE----- From mark at stackhpc.com Mon Oct 31 22:26:06 2022 From: mark at stackhpc.com (mark at stackhpc.com) Date: Tue, 1 Nov 2022 07:26:06 +0900 Subject: Delivery reports about your e-mail Message-ID: The original message was received at Tue, 1 Nov 2022 07:26:06 +0900 from stackhpc.com [42.37.153.10] ----- The following addresses had permanent fatal errors -----