Difference between revisions of "CinderYogaPTGSummary"
m (Update "Greetings, user survey discussion") |
m (add "in-flight image encryption") |
||
| Line 51: | Line 51: | ||
* action (rosmaita): start an etherpad for the response to operators | * action (rosmaita): start an etherpad for the response to operators | ||
* action (rosmaita): communicate our feedback to the User Survey team | * action (rosmaita): communicate our feedback to the User Survey team | ||
| + | |||
| + | ===In-flight image encryption update=== | ||
| + | Josephine Seifert (Luzi) updated us on the status of the in-flight encryption effort. | ||
| + | The current plan is to have "experimental Image Encryption without Secret Consumers". | ||
| + | The reason is to allow coding and reviewing of the Image Encryption work (and set up CI) while waiting for the Secret Consumers API. | ||
| + | (The Secret Consumers API in Barbican will allow services to register that a secret is in use (though the secret owner can still delete it by using a --force flag. The holdup is that microversioning needs to be introduced to the Barbican API before the new API can be added.) | ||
| + | |||
| + | The current idea is to release this as an Experimental feature and "officially" release when the Secret Consumers API is ready. This strategy is described in a Glance spec-lite: https://review.opendev.org/c/openstack/glance-specs/+/792134/ | ||
| + | |||
| + | What's required from the cinder team for this work is: | ||
| + | * os-brick -- will have the PGP encryption code to be used by the services. The patch for this is available for review: https://review.opendev.org/709432 | ||
| + | * cinder -- download image from glance will need to decrypt such images to write them to volumes | ||
| + | * cinder -- upload volume to image (maybe? need to check the spec) | ||
| + | * cinder -- will also need to use Secret Consumers when available (if cinder does encryption on upload) | ||
| + | ** may also want to add Secret registration to our current luks encrypted volume code to protect encryption key ids | ||
| + | * what about the glance cinder backend? | ||
| + | ** we have an optimized path that clones instead of downloads and copies onto the volume | ||
| + | ** need to handle this case | ||
| + | * what about the image-volume cache? | ||
| + | ** should these things not be included in the cache? | ||
| + | ** need to see what the spec says about this | ||
| + | |||
| + | |||
| + | The current cinder spec is: https://specs.openstack.org/openstack/cinder-specs/specs/xena/image-encryption.html | ||
| + | |||
| + | There isn't a patch yet for the cinder changes, though there is a glance PoC patch with placeholders for Secret Consumers: | ||
| + | https://review.opendev.org/c/openstack/glance/+/705445 | ||
| + | |||
| + | ====conclusions==== | ||
| + | * action (rosmaita) Review the cinder spec again. It was approved in Train, and hasn't really been looked at since. | ||
| + | * action (cinder team) Interested parties should also look at the spec again. | ||
| + | * action (whoami-rajat) Review the spec again specifically with cinder glance_store cases in mind. | ||
| + | * action (Luzi) Gorka pointed out that it will be easier to review if some cinder POC patches are available: | ||
| + | ** cinder patch (pending?) | ||
| + | ** cinder-spec (done) | ||
| + | ** os-brick patch (ready) | ||
| + | ** glance patch (ready) | ||
==Wednesday 20 October== | ==Wednesday 20 October== | ||
Revision as of 18:38, 25 October 2021
Contents
Introduction
This page contains a summary of the subjects covered during the Cinder project sessions at the Project Team Gathering for the Yoga development cycle, held virtually October 18-22, 2021. The Cinder project team met from Tuesday 19 October to Friday 22 October, for 4 hours each day (1300-1700 UTC).
This document aims to give a summary of each session. More context is available on the cinder Yoga PTG etherpad:
The sessions were recorded, so to get all the details of any discussion, you can watch/listen to the recording. Links to the recordings are located at appropriate places below.
Tuesday 19 October
recordings
- https://www.youtube.com/watch?v=Bon4Y-Us_to
- https://www.youtube.com/watch?v=EvW1go6Xa_w
- https://www.youtube.com/watch?v=oPngR_8RIJI
Greetings, user survey discussion
For the benefit of people who haven't attended, this is the way the cinder team works at the PTG:
- sessions are recorded
- please sign in on the "Attendees" section of this etherpad for each day
- all notes, questions, etc. happen in the etherpad; try to remember to preface your comment with your irc nick
- anyone present can comment or ask questions in the etherpad
- also, anyone present should feel free to ask questions or make comments during any of the discussions
- we discuss topics in the order listed in the etherpad, making adjustments as we go for sessions that run longer or shorter
- we stick to the scheduled times for cross-project sessions, but for everything else we are flexible
Next, we took a look at the Project Specific Feedback Responses from the latest User Survey. Here's an ethercalc that's organized to make the cinder-relevant responses easier to see:
https://ethercalc.openstack.org/=2021-user-survey
Our question on the survey was: "If there was one thing you would like to see changed (added, removed, fixed) in Cinder, what would it be?"
We received 39 responses (out of about 425 responses to the survey).
Looking through the responses, there were requests for features that we already have and some comments that we didn't understand. We decided send a response to the mailing list mentioning the implemented features and starting a discussion on the items we didn't understand. (Survey responses are anonymous, so we can't contact operators directly.) Amy Marrich (spotz, who facilitates the operator meetups) has mentioned that operators tend to follow the meetup twitter account, so a good way to contact operators is to post to the ML and then notify her to tweet out the link from the ops meetup account.
The quantitative responses (for example, how many deployments include cinder) are on the OpenStack analytics page: https://www.openstack.org/analytics/
Some feedback for the User Survey team:
- The data in the report on the website is really difficult to consume (it's displayed in non-resizable graphs, and it's difficult to distinguish the percentages for "interested", "testing" and "production"). There's an option to download as PDF, but that gives you the same non-resizable graphs. It would be helpful to be able to download the data as a CSV file.
- For the next survey, we want to add the question: What driver(s) are you using for your Cinder environment?
- We like our current question, but a lot of the answers are too vague -- do you have any suggestions on how to indicate to people that they should be clear and specific?
conclusions
- action (rosmaita): start an etherpad for the response to operators
- action (rosmaita): communicate our feedback to the User Survey team
In-flight image encryption update
Josephine Seifert (Luzi) updated us on the status of the in-flight encryption effort. The current plan is to have "experimental Image Encryption without Secret Consumers". The reason is to allow coding and reviewing of the Image Encryption work (and set up CI) while waiting for the Secret Consumers API. (The Secret Consumers API in Barbican will allow services to register that a secret is in use (though the secret owner can still delete it by using a --force flag. The holdup is that microversioning needs to be introduced to the Barbican API before the new API can be added.)
The current idea is to release this as an Experimental feature and "officially" release when the Secret Consumers API is ready. This strategy is described in a Glance spec-lite: https://review.opendev.org/c/openstack/glance-specs/+/792134/
What's required from the cinder team for this work is:
- os-brick -- will have the PGP encryption code to be used by the services. The patch for this is available for review: https://review.opendev.org/709432
- cinder -- download image from glance will need to decrypt such images to write them to volumes
- cinder -- upload volume to image (maybe? need to check the spec)
- cinder -- will also need to use Secret Consumers when available (if cinder does encryption on upload)
- may also want to add Secret registration to our current luks encrypted volume code to protect encryption key ids
- what about the glance cinder backend?
- we have an optimized path that clones instead of downloads and copies onto the volume
- need to handle this case
- what about the image-volume cache?
- should these things not be included in the cache?
- need to see what the spec says about this
The current cinder spec is: https://specs.openstack.org/openstack/cinder-specs/specs/xena/image-encryption.html
There isn't a patch yet for the cinder changes, though there is a glance PoC patch with placeholders for Secret Consumers: https://review.opendev.org/c/openstack/glance/+/705445
conclusions
- action (rosmaita) Review the cinder spec again. It was approved in Train, and hasn't really been looked at since.
- action (cinder team) Interested parties should also look at the spec again.
- action (whoami-rajat) Review the spec again specifically with cinder glance_store cases in mind.
- action (Luzi) Gorka pointed out that it will be easier to review if some cinder POC patches are available:
- cinder patch (pending?)
- cinder-spec (done)
- os-brick patch (ready)
- glance patch (ready)
Wednesday 20 October
recordings
Thursday 21 October
recordings
- https://www.youtube.com/watch?v=VCcqPb-VYV4
- https://www.youtube.com/watch?v=VTc4Do0aY6k
- https://www.youtube.com/watch?v=pvj8joZyhJ
