
Difference between revisions of "CinderWallabyPTGSummary"

Revision as of 18:49, 2 November 2020

Introduction

This page contains a summary of the subjects covered during the Cinder project sessions at the Wallaby PTG, held virtually October 26-30, 2020. The Cinder project team met from Tuesday 27 October to Friday 30 October, for 3 hours (1300-1600 UTC) with an extra hour scheduled for "hallway time", though Wednesday and Thursday's hallway time was spent in cross-project meetings with the Glance team.

The Cinder Team at the Wallaby (Virtual) PTG, October 2020.


This document aims to give a summary of each session. More context is available on the cinder PTG etherpad:


The sessions were recorded, so to get all the details of any discussion, you can watch/listen to the recording. Links to the recordings are located at appropriate places below.

Tuesday 27 October

recordings

Summit Follow-up

Divisive language in code/docs/infrastructure

Basic idea (from [0]): "The OpenInfra Foundation (OIF) Board of Directors supports removal of wording identified as oppressive, racist and sexist by members of our communities from the software and documentation they produce. While we know there will be challenges, both technical and non-technical, this is an action we feel is important."

The working group driving this effort had a Forum session last week, and met at the PTG yesterday:


Rosmaita reported on a quick grep of the cinder codebase for the obvious offensive usages of master/slave and blacklist/whitelist:

  • in the main cinder code, 'slave' shows up as a parameter to some oslo.db library calls, so we can't change this until they fix it
  • there is usage of master/slave in some of the drivers
  • also, blacklist/whitelist occurs in some drivers


Amy Marrich (spotz), who's on the working group driving the effort, attended the session and emphasized some points to the team:

  • the working group is proposing "The Stance" to the TC. When approved, it will give the individual project teams some guidance
  • we're not the only open source community doing this; there's a list on the etherpad of other open source projects and what changes they've made/are making
  • don't need to go back and change everything in our history, but projects should follow the guidance in new code/docs
  • projects can make the documentation more inclusive regardless of what happens in the code
  • the idea is to leave it to the projects to make appropriate changes; no plans to introduce churn by generated patches changing 'master' to something else for all projects
  • waiting to see what upstream git does about 'master' being the default trunk branch name. GitHub has changed it to 'main' for new projects created on GitHub

The current Cinder PTL is personally on board with this effort because it's being done in a thoughtful way and all changes will go through the normal code review process [1]. Additionally, some employers (for example, Red Hat [2]) are encouraging this effort in open source projects in which they are involved.

[0] https://etherpad.opendev.org/p/vSummit2020__DivisiveLanguage
[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-October/018181.html
[2] https://www.redhat.com/en/blog/making-open-source-more-inclusive-eradicating-problematic-language

Conclusions
  • My sense of the cinder PTG session was that the cinder team is generally supportive of the effort (or, at least not opposed to it). What this means in practice is not allowing non-inclusive terms into new docs/code
  • Changes to existing code will be fought out in Gerrit as usual
  • ACTION - rosmaita - update the cinder code review guide to mention this once the TC proposal has been accepted

The openstackclient situation

This was discussed at the Forum last week: https://etherpad.opendev.org/p/vSummit2020_FeatureGap

We seem to still be in the same situation, namely, the openstackclient:

  • need better support for microversions
  • is still too big (requires many, many dependencies)


Some operators, at least, would really like to only have one client to work with, but first there needs to be feature parity between the OSC CLI and the individual project CLIs.

Conclusions
  • The key thing from my point of view is that OSC-everywhere is not going to be a community goal this cycle
  • Cinder team members interested in this effort should contact Stephen Finucane (nova core, core on some other projects) to help make this happen
  • ACTION - rosmaita - this came up later in the PTG, but we need to make sure that the team working on the openstackclient is aware that python-brick-cinderclient-ext support in OSC is an important issue for cinder

Community Goal for Wallaby

As of right now, only one goal has been accepted (though it looks like there will be another, see the next section), namely, "Migrate from oslo.rootwrap to oslo.privsep": https://review.opendev.org/#/c/755590/

Cinder is on the list of projects still using rootwrap, but I took a look and think it's only with regard to using rootwrap to escalate to run privsep (and there doesn't seem to be another way to do that). As part of the goal, there will be a hacking check introduced to make sure people aren't using rootwrap.

The spirit of the goal (though it's not required) is to make sure that projects are using good privsep rules, not wide-open rules. It would be good to use python commands for what we need instead of just calling a CLI to accomplish them. So we may want to invest some time into making our current privsep calls use python code.

Conclusions
  • Looks like cinder can meet the "letter" of the goal easily
  • It would be good for anyone on the team interested in security to look into satisfying the "spirit" of the goal, because that would be good for the project

"consistent and secure policies" update

There's a "Policy Popup Group" that is working on this. They held a Forum session and met at the PTG.


There's pretty much general consensus that this work needs to be completed to finally close Bug #968696 ("admin anywhere is admin everywhere"), a bug so old that it only has 6 digits (and the one that Adam Young wrote a song about). It's looking like it will happen in two stages:


During Wallaby, in Cinder we need to work on test coverage to define the baseline policy behavior. Rajat has started some of this work, and incorporated the system-scope into the new project-level-default-volume-types API. Lance Bragstad has proposed some patches to help us along: https://review.opendev.org/#/q/topic:secure-rbac+project:openstack/cinder

Conclusions
  • we look OK for W
  • ACTION - rosmaita - put up the policy.json deprecation note when the language is available
  • getting the foundational "X" work done during W is important for making the X goal accomplishable during the X cycle

Removal of nested quota driver

Rajat (whoami-rajat) pointed out that the nested quota driver was deprecated in Train and scheduled to be removed in Ussuri, with an effort instead to support scopes and unified limits. Rajat has a patch up to remove it: https://review.opendev.org/#/c/758913/

There was no objection to the proposed removal; the deprecation period has long passed.

Rajat intends to follow up with some code to fix how we query/set quotas. There is currently no validation in this code, and as a result, an operator can use a project name when setting a quota and the API reports success. But since you should be using a UUID, such a quota is never applied since cinder has no record of a quota being assigned to that project. This is both confusing to operators and annoying once they figure out what happened. Gorka pointed out that he has seen quite a few downstream bugs around this issue.

Conclusions

  • Rajat added project-id validation as part of microversion 3.62 and there were no objections, so it looks like we've agreed that a cinder API call is allowed to make a call to another service (within reason, of course).
  • By default, this is an operator-facing call, so it's not like the API is going to be hammered with these requests.
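
The failure mode described above, next to the kind of project-id validation discussed, as an added example that is not cinder's code. The in-memory quota store, the `KEYSTONE_PROJECTS` table and every function name are constructed stand-ins, and the call to the identity service is simulated with a set of known ids.

```python
import uuid

DEFAULT_VOLUME_LIMIT = 10
# Constructed stand-in for the identity service's project table (name -> id).
KEYSTONE_PROJECTS = {"demo": "3f1c9a0e5b7d4c2e9a6f0d1b2c3e4f50"}

class InvalidProject(ValueError):
    """Raised instead of reporting success for an unusable project id."""

def set_quota_unvalidated(store, project_id, volumes):
    # Behaviour described above: whatever string arrives becomes the key.
    store[project_id] = volumes
    return "success"

def effective_limit(store, project_uuid):
    # Enforcement looks quotas up by the project's UUID only.
    return store.get(project_uuid, DEFAULT_VOLUME_LIMIT)

def validate_project_id(project_id, known_ids):
    # Step 1: local format check, no call to another service needed.
    try:
        canonical = uuid.UUID(project_id).hex
    except (ValueError, AttributeError, TypeError):
        raise InvalidProject(f"{project_id!r} is not a project UUID") from None
    # Step 2: existence check, standing in for the identity-service call.
    if canonical not in known_ids:
        raise InvalidProject(f"project {canonical} does not exist")
    return canonical

def set_quota_validated(store, project_id, volumes, known_ids):
    store[validate_project_id(project_id, known_ids)] = volumes
    return "success"

def demo():
    known = set(KEYSTONE_PROJECTS.values())
    pid = KEYSTONE_PROJECTS["demo"]
    before, after = {}, {}
    # Operator passes the project *name*: success is reported, limit unchanged.
    status = set_quota_unvalidated(before, "demo", 50)
    try:
        set_quota_validated(after, "demo", 50, known)
        rejected = False
    except InvalidProject:
        rejected = True
    set_quota_validated(after, pid, 50, known)
    return status, effective_limit(before, pid), rejected, effective_limit(after, pid)
```
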

Cleanup improvements

Quotas: "Remove quota usage cache"

Robustifying the volume driver interface

Vocabulary Minute

The team then adjourned to meetpad for Happy Hour.

Wednesday 28 October

recordings

Updates from TC Meeting

Kioxia: Add new driver

Update on Image Encryption Efforts

Sizing encrypted volumes (continued)

Cross-project meeting with Glance team

Thursday 29 October (Gorka's Day)

We declared this to be "Gorka's Day" because he contributed so many topics to be discussed.

recordings

Reset state robustification

Ceph: Minimum supported version

Ceph: Should we change rbd_exclusive_cinder_pool default?

Replication

Availability zone and volume type for backup restore

Cross-project meeting with Glance team

Friday 30 October

recordings

Cinder/PTG business

Removing deprecated encryptors from os-brick

Improvements to service down

new specs (and other stuff that has been sitting around)

"volume list query optimization"

Two proposed specs on the same topic (mutually assured destruction)

digression: deprecate thick-provisioned LVM?

Support revert any snapshot to the volume

Backend Capabilities

Replace md5 with oslo version

how to test the optimized glance-cinder image-volume workflow?

Team roles & business

current roles

proposed

tactical (short term)

Late Topics

attachments API - exposing connection info

keeping connection info up to date

cinder attach/detach service

autospeccing mocks