Jump to: navigation, search


Revision as of 17:40, 9 June 2020 by Brian-rosmaita (talk | contribs) (Sizing encrypted volumes)


This page contains a summary of the subjects covered during the Cinder project sessions at the Victoria PTG, held virtually June 2-5, 2020.

The Cinder Team at the Victoria (Virtual) PTG, June 2020.

This document aims to give a summary of each session. More context is available on the cinder PTG etherpad:

The sessions were recorded, so to get all the details of any discussion, you can watch/listen to the recording. Links to the recordings are located at appropriate places below.

Tuesday 02 June: Current Cinder Issues


Discuss the security issue when an attached volume exposes host information to non-admins

Discussion led by whoami-rajat

This was about https://bugs.launchpad.net/cinder/+bug/1740950 and Related-Bug: https://bugs.launchpad.net/cinder/+bug/1736773

The compute host is leaked in the volume-detail response, and also in the REST Attachments API.

We've already agreed that the volume-detail response will only display the host when called in an administrative context (the API response is already allowed to have a null value there, so there is no API change).

For the Attachments API response, need to do some research to see whether this field is needed and in what contexts. Doesn't look like Nova needs it, doesn't look like any of our os-brick connectors are using it, but on the other hand, the info has been available in the response so long that we need to be careful, because something could be using it. We have to be careful about what info is left out of the response, because if it's too restricted, the caller won't be able to connect to the backend.


  • short term, need to get policies in place to govern this
  • open issue: the proposal was to keep the default behavior, but that continues to allow the leakage of compute host name; would probably be better to have a more restrictive policy (since we don't believe that any services depend on it), and then operators can adjust the policies to allow users who have use cases that need this info to see it
  • ACTION - whoami-rajat to continue working on this

Sizing encrypted volumes

Discussion led by eharney and enriquetaso

When you create an encrypted volume, you lose some space for the LUKS header. This has shown up in some migration bugs. If you have an unencrypted volume and migrate to an encrypted type, it fails because there isn't enough space on the target to fit the entire source volume.

The exact amount of space lost isn't clear, it may vary by luks format and also iscsi (cryptsetup) vs rbd (luks). It's probably on the order of 1-2 MB, but we allocate space in GB. Whether you can do really fine-grained space allocation or not probably depends on the backend containing the volume. We also need to keep the gigabyte boundaries for accounting purposes (usage, quotas, charges, etc.) because that's what everyone's tooling expects.

Walt suggested that we change the API to allow a new size to be specified during a volume migration. For retype, Gorka suggested that we could allow a flag similar to the current migration_policy in the retype request, which gives the user the option to say it's OK to perform a migration if it's required. We could have a flag indicating that it's OK for the volume to be increased in size if it's required for the retype to succeed. This way we don't go behind the user's back -- we fail if the volume won't fit, and allow them to retype to a new size if they want the retype to succeed.


  • Take the Walt/Gorka approach. It will allow us to fix a bunch of bugs, and we can move to something more elaborate later if there's demand for it.
  • *ACTION* - Sofia - add a note to the docs explaining that retyping an unencrypted volume to the same size encrypted volume will most likely fail (so that users know not to try this in older releases)


Discussion led by rosmaita

(The team adjourned early so that the Cinder core security team could review the patches and plan for rolling out the changes for the bugfix for Launchpad Bug #1823200, which would become public the next day.)

Wednesday 03 June: Third Party Drivers


Bug: Fail to extend attached volume using generic NFS driver

Discussion led by lseki

Improvement proposal for LVM volume driver, direct attached storage via cinder

The proposer wasn't available, but we discussed the issue anyway.

Ceph iSCSI driver

Discussion led by hemna

Remove volume driver abc classes

Discussion led by eharney

Backup Driver issues

Discussion led by Shatadru

Backporting 'supported' status

Keeping 'unsupported' drivers in-tree

Ussuri Development Cycle Retrospective for Driver Developers

Broken RBD live migration

This wasn't actually a discussion, someone left a question on the etherpad and Gorka answered it.

Thursday 04 June: Cinder Improvements


Recent Security Issues

Quick discussion of OSSN-0086, which was announced yesterday.

Reviewing our reviewing strategies

Discussion led by eharney

Interop WG interlude

Looking at type annotation

Discussion led by eharney

Cinderclient CLI usability issue

Discussion led by rosmaita

OpenStack Client tangent

Because we were talking about working on the cinderclient, the question came up: what about the openstackclient? Since Jay is on the TC, and the TC is thinking about the unified client issue, we talked about this a bit.

Community Goals

Ussuri Development Cycle Retrospective

(We adjourned early for the Virtual Happy Hour, which was not recorded.)

Friday 05 June 2020: XP & TCB (cross-project and taking care of business)


Cinder/Glance creating image from volume with Ceph

Discussion led by abhishekk

Make cinder store of glance compatible with multiple stores

Disucssion led by abhishekk

Gate job for glance cinder store

Discussion led by whoami-rajat

Glance image co-location

Discussion led by jokke_

Refresh connection_info

Discussion led by eharney (lyarwood couldn't be here)

DR operations and broken volume connections

Related topic introduced by sfernand

Dynamic front-end QoS

Victoria spec review

Technical debt

Cycle Priorities and Schedule