)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Eric Fried \u003copenstack@fried.cc\u003e"},{"line_number":5,"context_line":"CommitDate: 2019-11-25 17:40:59 -0600"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Spec: Ussuri: Encrypted Emulated Virtual TPM"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"There are a class of applications which expect to use a TPM device to"},{"line_number":10,"context_line":"store secrets. In order to run these applications in a virtual machine,"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":9,"id":"3fa7e38b_085f9975","line":7,"range":{"start_line":7,"start_character":0,"end_line":7,"end_character":14},"updated":"2019-12-04 15:46:17.000000000","message":"odd","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"}],"specs/ussuri/approved/add-emulated-virtual-tpm.rst":[{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"0f23d9af96e34874a9c55f7a11c86a170c64579a","unresolved":false,"context_lines":[{"line_number":17,"context_line":"useful to expose a virtual TPM device within the guest.  
Accordingly, the"},{"line_number":18,"context_line":"suggestion is to add a placement trait which could be requested in the"},{"line_number":19,"context_line":"flavor or image which would cause such a device to be added to the VM by the"},{"line_number":20,"context_line":"relevent virt driver."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_00455e43","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":8},"updated":"2019-10-04 18:17:31.000000000","message":"\"relevant\"","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"780922b2299781ba986e8e87fab364fd57438b45","unresolved":false,"context_lines":[{"line_number":17,"context_line":"useful to expose a virtual TPM device within the guest.  
Accordingly, the"},{"line_number":18,"context_line":"suggestion is to add a placement trait which could be requested in the"},{"line_number":19,"context_line":"flavor or image which would cause such a device to be added to the VM by the"},{"line_number":20,"context_line":"relevent virt driver."},{"line_number":21,"context_line":""},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"Problem description"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_610d348f","line":20,"range":{"start_line":20,"start_character":0,"end_line":20,"end_character":8},"in_reply_to":"3fa7e38b_00455e43","updated":"2019-10-04 22:55:22.000000000","message":"Done","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"0f23d9af96e34874a9c55f7a11c86a170c64579a","unresolved":false,"context_lines":[{"line_number":61,"context_line":"this is an implementation detail rather than an architectural limitation."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Support for emulated TPM also requires the \"swtpm\" binary and libraries to be"},{"line_number":64,"context_line":"available on the host.  If there is no way to check whether this is available"},{"line_number":65,"context_line":"from the hypervisor, we may need to add a hypervisor-specific nova.conf flag"},{"line_number":66,"context_line":"indicating that we want to enable emulated TPM support. 
This would presumably"},{"line_number":67,"context_line":"default to `false` for minimal surprise on upgrades."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"In order to request this functionality (and to allow scheduling to nodes that"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_c03986a3","line":66,"range":{"start_line":64,"start_character":24,"end_line":66,"end_character":55},"updated":"2019-10-04 18:17:31.000000000","message":"We might need deployer input here (kolla, tripleo) to understand how they would containerize this. It might affect if the virt driver will be able to check the presence of swtpm without a config option.","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"f4317a922d45e0c1a703793d5a5fe6e5cfcf9626","unresolved":false,"context_lines":[{"line_number":61,"context_line":"this is an implementation detail rather than an architectural limitation."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Support for emulated TPM also requires the \"swtpm\" binary and libraries to be"},{"line_number":64,"context_line":"available on the host.  If there is no way to check whether this is available"},{"line_number":65,"context_line":"from the hypervisor, we may need to add a hypervisor-specific nova.conf flag"},{"line_number":66,"context_line":"indicating that we want to enable emulated TPM support. 
This would presumably"},{"line_number":67,"context_line":"default to `false` for minimal surprise on upgrades."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"In order to request this functionality (and to allow scheduling to nodes that"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_93a7630c","line":66,"range":{"start_line":64,"start_character":24,"end_line":66,"end_character":55},"in_reply_to":"3fa7e38b_7bce43b5","updated":"2019-10-04 23:44:20.000000000","message":"So, in OSP/tripleo, I\u0027m pretty sure libvirtd and nova-compute are in different containers. swtpm is only needed in the libvirt container, correct? So `which swtpm` could end up being a false negative if it\u0027s not in the nova-compute container but in the libvirtd container.","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"22e54a0e71810463e0480d68e3f42962e7163092","unresolved":false,"context_lines":[{"line_number":61,"context_line":"this is an implementation detail rather than an architectural limitation."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Support for emulated TPM also requires the \"swtpm\" binary and libraries to be"},{"line_number":64,"context_line":"available on the host.  If there is no way to check whether this is available"},{"line_number":65,"context_line":"from the hypervisor, we may need to add a hypervisor-specific nova.conf flag"},{"line_number":66,"context_line":"indicating that we want to enable emulated TPM support. 
This would presumably"},{"line_number":67,"context_line":"default to `false` for minimal surprise on upgrades."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"In order to request this functionality (and to allow scheduling to nodes that"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_d3eb9b0f","line":66,"range":{"start_line":64,"start_character":24,"end_line":66,"end_character":55},"in_reply_to":"3fa7e38b_93a7630c","updated":"2019-10-04 23:58:14.000000000","message":"I guess it\u0027ll just be deployment tooling\u0027s responsibility to include swtpm in all the necessary containers - our job will be to communicate that to them.","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"780922b2299781ba986e8e87fab364fd57438b45","unresolved":false,"context_lines":[{"line_number":61,"context_line":"this is an implementation detail rather than an architectural limitation."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Support for emulated TPM also requires the \"swtpm\" binary and libraries to be"},{"line_number":64,"context_line":"available on the host.  If there is no way to check whether this is available"},{"line_number":65,"context_line":"from the hypervisor, we may need to add a hypervisor-specific nova.conf flag"},{"line_number":66,"context_line":"indicating that we want to enable emulated TPM support. 
This would presumably"},{"line_number":67,"context_line":"default to `false` for minimal surprise on upgrades."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"In order to request this functionality (and to allow scheduling to nodes that"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_7bce43b5","line":66,"range":{"start_line":64,"start_character":24,"end_line":66,"end_character":55},"in_reply_to":"3fa7e38b_c03986a3","updated":"2019-10-04 22:55:22.000000000","message":"processutils.execute(\u0027which swtpm\u0027)? Container or not, IIUC if that guy ain\u0027t there, you ain\u0027t doing it.\n\n[Later] That seems to gel with the code proposed last release [1][2]. But yeah, good to confirm with deployment tools.\n\n[1] https://review.opendev.org/#/c/631363/27/nova/virt/libvirt/utils.py@597\n[2] https://review.opendev.org/#/c/631363/27/nova/virt/libvirt/driver.py@589","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"0f23d9af96e34874a9c55f7a11c86a170c64579a","unresolved":false,"context_lines":[{"line_number":110,"context_line":"libvirt this would mean copying the file under"},{"line_number":111,"context_line":"/var/lib/libvirt/swtpm/\u003cinstance\u003e from within"},{"line_number":112,"context_line":"LibvirtDriver.migrate_disk_and_power_off()."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Shelve/unshelve could be supported by saving the persistent TPM data as a"},{"line_number":115,"context_line":"glance image during the shelve operation, and recreating it (and deleting"},{"line_number":116,"context_line":"the image) during unshelve."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_00b31e4f","line":113,"updated":"2019-10-04 18:17:31.000000000","message":"What about live migration? 
Assuming scheduling passes, it doesn\u0027t look like we need to update any XML, but we need to copy the persistent stuff just like in cold migration?","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"780922b2299781ba986e8e87fab364fd57438b45","unresolved":false,"context_lines":[{"line_number":110,"context_line":"libvirt this would mean copying the file under"},{"line_number":111,"context_line":"/var/lib/libvirt/swtpm/\u003cinstance\u003e from within"},{"line_number":112,"context_line":"LibvirtDriver.migrate_disk_and_power_off()."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"Shelve/unshelve could be supported by saving the persistent TPM data as a"},{"line_number":115,"context_line":"glance image during the shelve operation, and recreating it (and deleting"},{"line_number":116,"context_line":"the image) during unshelve."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_fbb9d314","line":113,"in_reply_to":"3fa7e38b_00b31e4f","updated":"2019-10-04 22:55:22.000000000","message":"I think that\u0027s correct.\n\n[Later] I updated this based on the proposed code from last release [1] which does some funkiness to copy the data *into* the VM before the move, and back out again. 
I need to dig into it more...\n\n[1] https://review.opendev.org/#/c/639934/","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"0f23d9af96e34874a9c55f7a11c86a170c64579a","unresolved":false,"context_lines":[{"line_number":125,"context_line":"image."},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"It should be noted that if a compute node goes down and the VM has to be"},{"line_number":128,"context_line":"rebuilt on another compute node then we\u0027re going to lose any emulated TPM data."},{"line_number":129,"context_line":"In the shared-storage case this is exactly analogous to taking the hard drive"},{"line_number":130,"context_line":"out of one physical machine and putting it into another physical machine."},{"line_number":131,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_a09a4ac2","line":128,"range":{"start_line":128,"start_character":0,"end_line":128,"end_character":31},"updated":"2019-10-04 18:17:31.000000000","message":"aka evacuated","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"0f23d9af96e34874a9c55f7a11c86a170c64579a","unresolved":false,"context_lines":[{"line_number":163,"context_line":"Other end user impact"},{"line_number":164,"context_line":"---------------------"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":"There are no immediate plans to make emulated TPM work over shelve/unshelve."},{"line_number":167,"context_line":"To make this work reliably would require saving the persistent TPM data file"},{"line_number":168,"context_line":"to a glance image or swift object on \"shelve\" and then recover the data 
on"},{"line_number":169,"context_line":"\"unshelve\"."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_c0ebc60f","line":166,"updated":"2019-10-04 18:17:31.000000000","message":"So would we refuse the shelve operation entirely at the API level, or do it anyways, with a heavily documented caveat that the persistent TPM stuff will disappear?","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"780922b2299781ba986e8e87fab364fd57438b45","unresolved":false,"context_lines":[{"line_number":163,"context_line":"Other end user impact"},{"line_number":164,"context_line":"---------------------"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":"There are no immediate plans to make emulated TPM work over shelve/unshelve."},{"line_number":167,"context_line":"To make this work reliably would require saving the persistent TPM data file"},{"line_number":168,"context_line":"to a glance image or swift object on \"shelve\" and then recover the data on"},{"line_number":169,"context_line":"\"unshelve\"."}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_a1132cb8","line":166,"in_reply_to":"3fa7e38b_c0ebc60f","updated":"2019-10-04 22:55:22.000000000","message":"It\u0027s possible we could support shelve, but there are some questions I need to find answers for...","commit_id":"59d65b57d8fbc8e8f0b98ec07d2fc79a2d357eb6"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":18,"context_line":"relevant virt driver."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":".. todo::"},{"line_number":21,"context_line":"    * Is it true emulation or is a physical TPM device required on the"},{"line_number":22,"context_line":"      host? 
(Looks like ``swtpm`` is a full software emulator, but would be"},{"line_number":23,"context_line":"      nice to get confirmation.)"},{"line_number":24,"context_line":"    * Do we care to make the encryption optional?"},{"line_number":25,"context_line":"    * Where does the ``\u003cencryption\u003e``\u0027s ``secret`` come from? Presumably"},{"line_number":26,"context_line":"      it\u0027s not stored on the host somewhere, as that would defeat the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_860acd24","line":23,"range":{"start_line":21,"start_character":6,"end_line":23,"end_character":32},"updated":"2019-11-11 20:54:49.000000000","message":"confirmed, full emulation, no special hardware needed","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":21,"context_line":"    * Is it true emulation or is a physical TPM device required on the"},{"line_number":22,"context_line":"      host? (Looks like ``swtpm`` is a full software emulator, but would be"},{"line_number":23,"context_line":"      nice to get confirmation.)"},{"line_number":24,"context_line":"    * Do we care to make the encryption optional?"},{"line_number":25,"context_line":"    * Where does the ``\u003cencryption\u003e``\u0027s ``secret`` come from? Presumably"},{"line_number":26,"context_line":"      it\u0027s not stored on the host somewhere, as that would defeat the"},{"line_number":27,"context_line":"      purpose. Is it a barbican thing? 
Does, like, the guest VM\u0027s root user"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_4604d518","line":24,"range":{"start_line":24,"start_character":6,"end_line":24,"end_character":49},"updated":"2019-11-11 20:54:49.000000000","message":"Per penick \u0026 jroll, no.","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":9452,"name":"James Penick","email":"penick@verizonmedia.com","username":"epim"},"change_message_id":"cbfbc3e49a496a677f57ff07b03eea17ae0a93dc","unresolved":false,"context_lines":[{"line_number":22,"context_line":"      host? (Looks like ``swtpm`` is a full software emulator, but would be"},{"line_number":23,"context_line":"      nice to get confirmation.)"},{"line_number":24,"context_line":"    * Do we care to make the encryption optional?"},{"line_number":25,"context_line":"    * Where does the ``\u003cencryption\u003e``\u0027s ``secret`` come from? Presumably"},{"line_number":26,"context_line":"      it\u0027s not stored on the host somewhere, as that would defeat the"},{"line_number":27,"context_line":"      purpose. Is it a barbican thing? Does, like, the guest VM\u0027s root user"},{"line_number":28,"context_line":"      have to type it in?"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_e07c26ec","line":25,"updated":"2019-11-01 18:23:14.000000000","message":"I started to reply here but it turned into a novel. I\u0027ll add a comment on the use cases for where the encryption secret should come from.","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":22,"context_line":"      host? 
(Looks like ``swtpm`` is a full software emulator, but would be"},{"line_number":23,"context_line":"      nice to get confirmation.)"},{"line_number":24,"context_line":"    * Do we care to make the encryption optional?"},{"line_number":25,"context_line":"    * Where does the ``\u003cencryption\u003e``\u0027s ``secret`` come from? Presumably"},{"line_number":26,"context_line":"      it\u0027s not stored on the host somewhere, as that would defeat the"},{"line_number":27,"context_line":"      purpose. Is it a barbican thing? Does, like, the guest VM\u0027s root user"},{"line_number":28,"context_line":"      have to type it in?"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_8c98afcc","line":25,"in_reply_to":"3fa7e38b_c937d5af","updated":"2019-11-11 20:54:49.000000000","message":"Update:\n- Boot request comes in with \"give me an encrypted vTPM of $type and $version\" (no secret information)\n- Nova [1] randomly generates a passphrase and uploads it to the key manager. The key manager responds with a $secret_uuid.\n- Nova saves that $secret_uuid in the instance\u0027s system_metadata.\n- Nova creates a libvirt secret with name\u003d$instance_uuid [2], UUID\u003d$secret_uuid, usage type\u003d\u0027vtpm\u0027, ephemeral\u003d\u0027yes\u0027 [3], and private\u003d\u0027yes\u0027 [4], and sets its value to the generated passphrase. This step must be done once per instance per libvirtd process to get that secret loaded into memory. (Will need an ensure_vtpm_secret type of routine to do this only if not already done, to save on barbican traffic etc.)\n- Nova adds the relevant chunk to the instance\u0027s domain XML, containing $type, $version, and $secret_uuid and boots the VM. 
The vTPM appears in the VM as /dev/tpm0 and \"just works\" (no additional unlocking is required from within).\n- Once the guest boots, nova deletes (undefines) the secret.\n- When an instance is deleted, nova deletes the secret from the key manager.\n\n[1] This part could theoretically be done at the conductor, but since compute will need the secret anyway, we might as well do it all at compute.\n[2] Names are internal to the secret XML, but must be unique per libvirtd.\n[3] ephemeral ensures the secret never gets stored on disk\n[4] private means you can\u0027t dump the secret from virsh","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"b1ed198ed893f75b21dcde4944263a39f44db916","unresolved":false,"context_lines":[{"line_number":22,"context_line":"      host? (Looks like ``swtpm`` is a full software emulator, but would be"},{"line_number":23,"context_line":"      nice to get confirmation.)"},{"line_number":24,"context_line":"    * Do we care to make the encryption optional?"},{"line_number":25,"context_line":"    * Where does the ``\u003cencryption\u003e``\u0027s ``secret`` come from? Presumably"},{"line_number":26,"context_line":"      it\u0027s not stored on the host somewhere, as that would defeat the"},{"line_number":27,"context_line":"      purpose. Is it a barbican thing? Does, like, the guest VM\u0027s root user"},{"line_number":28,"context_line":"      have to type it in?"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_c937d5af","line":25,"in_reply_to":"3fa7e38b_e07c26ec","updated":"2019-11-01 21:37:35.000000000","message":"Had some discussion with jroll today, which I still need to digest [1].\n\nSummary of the flow we discussed:\n- Boot request comes in with \"give me an encrypted vTPM\" (no specifics).\n- Nova creates a brand new libvirty secret per [2] using... random data? 
and grabs its $secret_uuid\n- Nova goes out to $configured_keymanager via castellan and creates a key there with $secret_uuid.\n- Nova boots the instance with the relevant XML\n\n      \u003ctpm model\u003d\u0027tpm-tis\u0027\u003e\n        \u003cbackend type\u003d\u0027emulator\u0027 version\u003d\u00272.0\u0027\u003e\n          \u003cencryption secret\u003d\u0027$secret_uuid\u0027/\u003e\n        \u003c/backend\u003e\n      \u003c/tpm\u003e\n\n- The VM user logs into the VM, sees a virginal TPM, and bootstraps it with whatever kind of secret satisfies the user\u0027s need.\n\nBut.\n\n- It is unclear to me where in the process nova tells libvirt what the secret itself is. For example, if the host reboots, or the VM is migrated, presumably the vTPM has to be decrypted by providing the secret corresponding to $secret_uuid. I get that nova could go get it from barbican, but I can\u0027t figure out how it\u0027s provided to libvirt.\n- This flow assumes the \"nova user\" is the \"root of trust\", right? And that\u0027s okay?\n\n[1] http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2019-11-01.log.html#t2019-11-01T20:21:14\n[2] https://libvirt.org/formatsecret.html#vTPMUsageType","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"change_message_id":"7eb27f445cfa256c21949b1eaca14badd59811d6","unresolved":false,"context_lines":[{"line_number":25,"context_line":"    * Where does the ``\u003cencryption\u003e``\u0027s ``secret`` come from? Presumably"},{"line_number":26,"context_line":"      it\u0027s not stored on the host somewhere, as that would defeat the"},{"line_number":27,"context_line":"      purpose. Is it a barbican thing? 
Does, like, the guest VM\u0027s root user"},{"line_number":28,"context_line":"      have to type it in?"},{"line_number":29,"context_line":"    * Is the QEMU min version for ``encryption`` higher than 2.11 or 2.12?"},{"line_number":30,"context_line":"    * Is migration (live, cold, whatever) anything more than copying"},{"line_number":31,"context_line":"      ``/var/lib/libvirt/swtpm/$instance`` around? Is it different with"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_867a2a74","line":28,"updated":"2019-11-01 20:11:43.000000000","message":"Specifically on the last question - the docs say \"This secret is associated with a virtualized TPM (vTPM) and serves as a passphrase for deriving a key from for encrypting the state of the vTPM.\" So if it just encrypts the state on disk, it should have nothing to do with the VM\u0027s OS or user.","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"change_message_id":"ff3115be3d7b429fd63344adb3a611f96590b52b","unresolved":false,"context_lines":[{"line_number":25,"context_line":"    * Where does the ``\u003cencryption\u003e``\u0027s ``secret`` come from? Presumably"},{"line_number":26,"context_line":"      it\u0027s not stored on the host somewhere, as that would defeat the"},{"line_number":27,"context_line":"      purpose. Is it a barbican thing? Does, like, the guest VM\u0027s root user"},{"line_number":28,"context_line":"      have to type it in?"},{"line_number":29,"context_line":"    * Is the QEMU min version for ``encryption`` higher than 2.11 or 2.12?"},{"line_number":30,"context_line":"    * Is migration (live, cold, whatever) anything more than copying"},{"line_number":31,"context_line":"      ``/var/lib/libvirt/swtpm/$instance`` around? 
Is it different with"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_66cb6e71","line":28,"in_reply_to":"3fa7e38b_867a2a74","updated":"2019-11-01 20:34:44.000000000","message":"\u003e So if it just encrypts the state on disk, it should have nothing to do with the VM\u0027s OS or user.\n\ns/on disk/on disk or in memory/","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":26,"context_line":"      it\u0027s not stored on the host somewhere, as that would defeat the"},{"line_number":27,"context_line":"      purpose. Is it a barbican thing? Does, like, the guest VM\u0027s root user"},{"line_number":28,"context_line":"      have to type it in?"},{"line_number":29,"context_line":"    * Is the QEMU min version for ``encryption`` higher than 2.11 or 2.12?"},{"line_number":30,"context_line":"    * Is migration (live, cold, whatever) anything more than copying"},{"line_number":31,"context_line":"      ``/var/lib/libvirt/swtpm/$instance`` around? Is it different with"},{"line_number":32,"context_line":"      encryption? Like, does something special have to be done to bring the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_ac9b2bc6","line":29,"range":{"start_line":29,"start_character":6,"end_line":29,"end_character":74},"updated":"2019-11-11 20:54:49.000000000","message":"Still don\u0027t know this answer. 
lyarwood suggested kashyap might be able to track down the answer.","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"change_message_id":"7eb27f445cfa256c21949b1eaca14badd59811d6","unresolved":false,"context_lines":[{"line_number":30,"context_line":"    * Is migration (live, cold, whatever) anything more than copying"},{"line_number":31,"context_line":"      ``/var/lib/libvirt/swtpm/$instance`` around? Is it different with"},{"line_number":32,"context_line":"      encryption? Like, does something special have to be done to bring the"},{"line_number":33,"context_line":"      key/secret along?"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"    Other TODOs inline."},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_c684a260","line":33,"updated":"2019-11-01 20:11:43.000000000","message":"Hm, the libvirt docs only describe setting the secret, not fetching it, so it\u0027s probably safe to assume it\u0027s not possible to pull it out. So we might have to grab the secret from $somewhere (barbican?) and give it to libvirt on the new host.\n\nThis makes me wonder how it\u0027s stored in libvirt or qemu or whatever - presumably in memory? If a host reboots, do we need to inject the secret again?\n\nI wonder if we should just inject it on every instance start() call to ensure it\u0027s always there at startup.","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":30,"context_line":"    * Is migration (live, cold, whatever) anything more than copying"},{"line_number":31,"context_line":"      ``/var/lib/libvirt/swtpm/$instance`` around? 
Is it different with"},{"line_number":32,"context_line":"      encryption? Like, does something special have to be done to bring the"},{"line_number":33,"context_line":"      key/secret along?"},{"line_number":34,"context_line":""},{"line_number":35,"context_line":"    Other TODOs inline."},{"line_number":36,"context_line":""}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_8cd0af2d","line":33,"in_reply_to":"3fa7e38b_c684a260","updated":"2019-11-11 20:54:49.000000000","message":"Migration is copying the files around. The files are encrypted using the secret. So unlocking them simply entails retrieving the secret (the same one that was used to create the vtpm initially) from the key manager and setting it up on the destination.\n\nLive migration should also be transferring the running state of the VM, which already contains the unencrypted vtpm, so that\u0027s an operation that can be done by an admin (someone other than the owner of the instance) that results in an unencrypted vtpm existing on a new host without accessing the secret. Not sure if that\u0027s a problem or not.","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":73,"context_line":"-------------"},{"line_number":74,"context_line":"Support for emulated TPM requires:"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"* libvirt version 4.5.0 at a minimum. Support for ``encryption`` begins at"},{"line_number":77,"context_line":"  version 5.6.0."},{"line_number":78,"context_line":"* qemu 2.11 at a minimum, though qemu 2.12 is recommended by the author.  
The"},{"line_number":79,"context_line":"  virt driver code should add suitable version checks (in the case of"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_8c9e6f67","line":76,"range":{"start_line":76,"start_character":10,"end_line":76,"end_character":23},"updated":"2019-11-11 20:54:49.000000000","message":"strike, since we don\u0027t care about unencrypted.","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"* libvirt version 4.5.0 at a minimum. Support for ``encryption`` begins at"},{"line_number":77,"context_line":"  version 5.6.0."},{"line_number":78,"context_line":"* qemu 2.11 at a minimum, though qemu 2.12 is recommended by the author.  The"},{"line_number":79,"context_line":"  virt driver code should add suitable version checks (in the case of"},{"line_number":80,"context_line":"  LibvirtDriver, this would include checks for both libvirt and qemu)."},{"line_number":81,"context_line":"  Currently emulated TPM is only supported for x86, though this is an"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_aca1ebaa","line":78,"range":{"start_line":78,"start_character":2,"end_line":78,"end_character":72},"updated":"2019-11-11 20:54:49.000000000","message":"Need to validate this!","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":86,"context_line":"------"},{"line_number":87,"context_line":"A new config option will be introduced to act as a \"master switch\" enabling"},{"line_number":88,"context_line":"vTPM. 
This spec is specific to libvirt, so only the libvirt config is"},{"line_number":89,"context_line":"described::"},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"   [libvirt]"},{"line_number":92,"context_line":"   swtpm_enabled \u003d $bool (default False)"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_6cabf387","line":89,"updated":"2019-11-11 20:54:49.000000000","message":"so I guess this is on the compute","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":91,"context_line":"   [libvirt]"},{"line_number":92,"context_line":"   swtpm_enabled \u003d $bool (default False)"},{"line_number":93,"context_line":""},{"line_number":94,"context_line":".. todo:: Do we want a separate ``swtpm_encryption_required \u003d $bool``? Or leave"},{"line_number":95,"context_line":"          this up to the guest? Any other config required for encryption?"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":".. todo:: Are the user/group conf opts necessary for `Instance Lifecycle"},{"line_number":98,"context_line":"          Operations`_?"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_ecc12350","line":95,"range":{"start_line":94,"start_character":10,"end_line":95,"end_character":73},"updated":"2019-11-11 20:54:49.000000000","message":"- No option to *not* encrypt.\n- Could have a conf opt indicating size of generated passphrase?","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":94,"context_line":".. todo:: Do we want a separate ``swtpm_encryption_required \u003d $bool``? 
Or leave"},{"line_number":95,"context_line":"          this up to the guest? Any other config required for encryption?"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":".. todo:: Are the user/group conf opts necessary for `Instance Lifecycle"},{"line_number":98,"context_line":"          Operations`_?"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"Traits, Extra Specs, Image Meta"},{"line_number":101,"context_line":"-------------------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_4c8157fb","line":98,"range":{"start_line":97,"start_character":10,"end_line":98,"end_character":23},"updated":"2019-11-11 20:54:49.000000000","message":"Not sure what I was asking here. The description of the lifecycle operations makes a compelling argument for the necessity of these options.\n\nJust need to document them here.","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":138,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":139,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":140,"context_line":""},{"line_number":141,"context_line":".. todo:: Does anything need to be specified to enable encryption? To specify"},{"line_number":142,"context_line":"          the key thingy?"},{"line_number":143,"context_line":""},{"line_number":144,"context_line":"Note that the emulated TPM is just a process running on the host, so the"},{"line_number":145,"context_line":"concept of inventory doesn\u0027t apply. 
Thus there are no resource classes"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_2c765b41","line":142,"range":{"start_line":141,"start_character":10,"end_line":142,"end_character":25},"updated":"2019-11-11 20:54:49.000000000","message":"no","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":216,"context_line":"The ``ImageMetaProps`` object needs a new version adding ``hw_tpm_version`` and"},{"line_number":217,"context_line":"``hw_tpm_model``."},{"line_number":218,"context_line":""},{"line_number":219,"context_line":".. todo:: And something about encryption??"},{"line_number":220,"context_line":""},{"line_number":221,"context_line":"REST API impact"},{"line_number":222,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_ec6fe35d","line":219,"range":{"start_line":219,"start_character":10,"end_line":219,"end_character":42},"updated":"2019-11-11 20:54:49.000000000","message":"nope","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":229,"context_line":""},{"line_number":230,"context_line":"The guest will be able to use the emulated TPM for all the security enhancing"},{"line_number":231,"context_line":"functionality that a physical TPM provides, in order to protect itself against"},{"line_number":232,"context_line":"attacks from within the guest. Unless using encryption, the guest must still"},{"line_number":233,"context_line":"trust the host. If using encryption..."},{"line_number":234,"context_line":""},{"line_number":235,"context_line":".. todo:: What? 
Where\u0027s the trust? Barbican? Retinal scan???"},{"line_number":236,"context_line":""},{"line_number":237,"context_line":"Notifications impact"},{"line_number":238,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_6c99b36b","line":235,"range":{"start_line":232,"start_character":31,"end_line":235,"end_character":60},"updated":"2019-11-11 20:54:49.000000000","message":"The root of trust is the user who creates the instance. Their creds are what grants access to the secret in the key manager.\n\nWe\u0027re accepting that compromised root would (probably) be able to pluck the unencrypted vtpm, and/or the secret while it\u0027s loaded in libvirtd, out of memory.","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":247,"context_line":"Performance Impact"},{"line_number":248,"context_line":"------------------"},{"line_number":249,"context_line":""},{"line_number":250,"context_line":"Negligible."},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"Other deployer impact"},{"line_number":253,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_0ca03f91","line":250,"updated":"2019-11-11 20:54:49.000000000","message":"extra keymgr api calls during instance create \u0026 delete","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":285,"context_line":"Work Items"},{"line_number":286,"context_line":"----------"},{"line_number":287,"context_line":""},{"line_number":288,"context_line":"* Add 
``COMPUTE_SECURITY_TPM_ENCRYPTION`` to os-traits."},{"line_number":289,"context_line":"* API changes to prevalidate the flavor and image properties."},{"line_number":290,"context_line":"* Scheduler changes to translate flavor/image properties to placement-isms."},{"line_number":291,"context_line":"* Libvirt driver changes to"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_8cb50fd3","line":288,"range":{"start_line":288,"start_character":0,"end_line":288,"end_character":55},"updated":"2019-11-11 20:54:49.000000000","message":"nope","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":304,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":305,"context_line":"Unit and functional testing will be added."},{"line_number":306,"context_line":""},{"line_number":307,"context_line":".. todo:: Can we tempest this thing? How do we guarantee libvirt etc. versions"},{"line_number":308,"context_line":"          and presence of swtpm binaries? And/or could we do 3rd party CI?"},{"line_number":309,"context_line":""},{"line_number":310,"context_line":"Documentation Impact"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_acb80bc7","line":307,"range":{"start_line":307,"start_character":47,"end_line":307,"end_character":78},"updated":"2019-11-11 20:54:49.000000000","message":"Sean\u0027s plugin","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"bcb3f8ff452f78b50bf981a24f7ddf5e18030eac","unresolved":false,"context_lines":[{"line_number":305,"context_line":"Unit and functional testing will be added."},{"line_number":306,"context_line":""},{"line_number":307,"context_line":".. 
todo:: Can we tempest this thing? How do we guarantee libvirt etc. versions"},{"line_number":308,"context_line":"          and presence of swtpm binaries? And/or could we do 3rd party CI?"},{"line_number":309,"context_line":""},{"line_number":310,"context_line":"Documentation Impact"},{"line_number":311,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":3,"id":"3fa7e38b_6cb213e8","line":308,"range":{"start_line":308,"start_character":14,"end_line":308,"end_character":40},"updated":"2019-11-11 20:54:49.000000000","message":"not sure","commit_id":"4c3006b4d5fe9c625ea291ccd1e2f9a0b786af85"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"f83e9e47a01a108a65c7002ac683650c5ae75178","unresolved":false,"context_lines":[{"line_number":64,"context_line":"  implementation detail rather than an architectural limitation."},{"line_number":65,"context_line":"* the ``swtpm`` binary and libraries on the host."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":".. todo:: Confirm qemu versions. The above were valid for unencrypted; unclear"},{"line_number":68,"context_line":"          whether encrypted requires higher. 
Local PoC testing with 4.1.0."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Config"},{"line_number":71,"context_line":"------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_53becb00","line":68,"range":{"start_line":67,"start_character":0,"end_line":68,"end_character":74},"updated":"2019-11-12 15:39:42.000000000","message":"kashyap confirms the qemu version requirement is unchanged with encryption.","commit_id":"18da93caba3d4617c2de715a49c6d0dafdeb32d5"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"964e238de81a58b29807a5fb6dd9a363671b2979","unresolved":false,"context_lines":[{"line_number":64,"context_line":"  implementation detail rather than an architectural limitation."},{"line_number":65,"context_line":"* the ``swtpm`` binary and libraries on the host."},{"line_number":66,"context_line":""},{"line_number":67,"context_line":".. todo:: Confirm qemu versions. The above were valid for unencrypted; unclear"},{"line_number":68,"context_line":"          whether encrypted requires higher. 
Local PoC testing with 4.1.0."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"Config"},{"line_number":71,"context_line":"------"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_7125d409","line":68,"range":{"start_line":67,"start_character":0,"end_line":68,"end_character":74},"in_reply_to":"3fa7e38b_53becb00","updated":"2019-11-14 20:46:03.000000000","message":"✔","commit_id":"18da93caba3d4617c2de715a49c6d0dafdeb32d5"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"57368b56cc9e7e54cd3090db37acf40170befb6d","unresolved":false,"context_lines":[{"line_number":70,"context_line":"Config"},{"line_number":71,"context_line":"------"},{"line_number":72,"context_line":"* A new config option will be introduced to act as a \"master switch\" enabling"},{"line_number":73,"context_line":"  vTPM. This spec is specific to libvirt, so only the libvirt config is"},{"line_number":74,"context_line":"  described::"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"     [libvirt]"},{"line_number":77,"context_line":"     swtpm_enabled \u003d $bool (default False)"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"* To enable live migration, nova must be able to lay down the vtpm data with"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_d6d370d2","line":76,"range":{"start_line":73,"start_character":8,"end_line":76,"end_character":14},"updated":"2019-11-14 20:38:39.000000000","message":"Um, no, we should put this somewhere more generic like [compute]. 
There\u0027s no reason we need a [$driver]swtpm_enabled for every potential $driver supporting this.","commit_id":"18da93caba3d4617c2de715a49c6d0dafdeb32d5"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"964e238de81a58b29807a5fb6dd9a363671b2979","unresolved":false,"context_lines":[{"line_number":70,"context_line":"Config"},{"line_number":71,"context_line":"------"},{"line_number":72,"context_line":"* A new config option will be introduced to act as a \"master switch\" enabling"},{"line_number":73,"context_line":"  vTPM. This spec is specific to libvirt, so only the libvirt config is"},{"line_number":74,"context_line":"  described::"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"     [libvirt]"},{"line_number":77,"context_line":"     swtpm_enabled \u003d $bool (default False)"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"* To enable live migration, nova must be able to lay down the vtpm data with"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_912090fa","line":76,"range":{"start_line":73,"start_character":8,"end_line":76,"end_character":14},"in_reply_to":"3fa7e38b_d6d370d2","updated":"2019-11-14 20:46:03.000000000","message":"Done","commit_id":"18da93caba3d4617c2de715a49c6d0dafdeb32d5"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"f83e9e47a01a108a65c7002ac683650c5ae75178","unresolved":false,"context_lines":[{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Spawn"},{"line_number":141,"context_line":"~~~~~"},{"line_number":142,"context_line":"#. Nova generates a random passphrase and stores it in the configured key"},{"line_number":143,"context_line":"   manager, yielding a UUID, hereinafter referred to as ``$secret_uuid``."},{"line_number":144,"context_line":"#. 
Nova saves the ``$secret_uuid`` in the instance\u0027s ``system_metadata`` under"},{"line_number":145,"context_line":"   key ``tpm_secret_uuid``."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_36c9bd59","line":142,"range":{"start_line":142,"start_character":20,"end_line":142,"end_character":37},"updated":"2019-11-12 15:39:42.000000000","message":"Should we have a conf option for the length of this passphrase?","commit_id":"18da93caba3d4617c2de715a49c6d0dafdeb32d5"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"f9ca4369f1034424f53c69957bbc3e5a44c84812","unresolved":false,"context_lines":[{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Spawn"},{"line_number":141,"context_line":"~~~~~"},{"line_number":142,"context_line":"#. Nova generates a random passphrase and stores it in the configured key"},{"line_number":143,"context_line":"   manager, yielding a UUID, hereinafter referred to as ``$secret_uuid``."},{"line_number":144,"context_line":"#. 
Nova saves the ``$secret_uuid`` in the instance\u0027s ``system_metadata`` under"},{"line_number":145,"context_line":"   key ``tpm_secret_uuid``."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_e784d15f","line":142,"range":{"start_line":142,"start_character":20,"end_line":142,"end_character":37},"in_reply_to":"3fa7e38b_36c9bd59","updated":"2019-11-12 18:05:57.000000000","message":"jroll says not worth a conf opt unless someone asks.\n\nLet\u0027s shoot for approximately the size of an ssh key, which is 3072 bits (384 bytes) by default.","commit_id":"18da93caba3d4617c2de715a49c6d0dafdeb32d5"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"964e238de81a58b29807a5fb6dd9a363671b2979","unresolved":false,"context_lines":[{"line_number":139,"context_line":""},{"line_number":140,"context_line":"Spawn"},{"line_number":141,"context_line":"~~~~~"},{"line_number":142,"context_line":"#. Nova generates a random passphrase and stores it in the configured key"},{"line_number":143,"context_line":"   manager, yielding a UUID, hereinafter referred to as ``$secret_uuid``."},{"line_number":144,"context_line":"#. 
Nova saves the ``$secret_uuid`` in the instance\u0027s ``system_metadata`` under"},{"line_number":145,"context_line":"   key ``tpm_secret_uuid``."}],"source_content_type":"text/x-rst","patch_set":5,"id":"3fa7e38b_f111c4b0","line":142,"range":{"start_line":142,"start_character":20,"end_line":142,"end_character":37},"in_reply_to":"3fa7e38b_e784d15f","updated":"2019-11-14 20:46:03.000000000","message":"Done","commit_id":"18da93caba3d4617c2de715a49c6d0dafdeb32d5"},{"author":{"_account_id":10343,"name":"Jim Rollenhagen","email":"jim@jimrollenhagen.com","username":"jimrollenhagen"},"change_message_id":"012d7f6b8ee133313adb61c2e9597c9cdce9fe3b","unresolved":false,"context_lines":[{"line_number":63,"context_line":"  supported for x86, though this is an implementation detail rather than an"},{"line_number":64,"context_line":"  architectural limitation."},{"line_number":65,"context_line":"* the ``swtpm`` binary and libraries on the host."},{"line_number":66,"context_line":"* access to a key manager, such as barbican, for storing the passphrase used to"},{"line_number":67,"context_line":"  encrypt the virtual device\u0027s data."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Config"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_a36a14b2","line":66,"updated":"2019-11-15 18:20:49.000000000","message":"nit: maybe \"a castellan-compatible key manager\"?","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":63,"context_line":"  supported for x86, though this is an implementation detail rather than an"},{"line_number":64,"context_line":"  architectural limitation."},{"line_number":65,"context_line":"* the ``swtpm`` binary and libraries on the host."},{"line_number":66,"context_line":"* access to a key manager, such as 
barbican, for storing the passphrase used to"},{"line_number":67,"context_line":"  encrypt the virtual device\u0027s data."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"Config"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_82024f08","line":66,"in_reply_to":"3fa7e38b_a36a14b2","updated":"2019-11-19 20:30:13.000000000","message":"Done.\n\nIt also came to my attention that not all castellan-compatible backends necessarily deal properly with user tokens in request contexts. I\u0027ll spell that out a bit.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":74,"context_line":"  than the ``libvirt`` group::"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"     [compute]"},{"line_number":77,"context_line":"     swtpm_enabled \u003d $bool (default False)"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"* To enable live migration, nova must be able to lay down the vtpm data with"},{"line_number":80,"context_line":"  the correct ownership -- that of the swtpm process libvirt will create -- but"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_8d1614f2","line":77,"updated":"2019-11-18 19:25:44.000000000","message":"It doesn\u0027t make sense to me to put this in [compute] when the required options to use it are in [libvirt]. Sure, maybe some other hypervisor at some point will be able to implement swtpm exactly like libvirt, but without needing this information. In all likelihood, however, that won\u0027t happen. 
I\u0027d much prefer to just see these co-located until the point at which it makes sense for them not to be.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":74,"context_line":"  than the ``libvirt`` group::"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"     [compute]"},{"line_number":77,"context_line":"     swtpm_enabled \u003d $bool (default False)"},{"line_number":78,"context_line":""},{"line_number":79,"context_line":"* To enable live migration, nova must be able to lay down the vtpm data with"},{"line_number":80,"context_line":"  the correct ownership -- that of the swtpm process libvirt will create -- but"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_42569707","line":77,"in_reply_to":"3fa7e38b_8d1614f2","updated":"2019-11-19 20:30:13.000000000","message":"Okay.\n\nAlso, I think it makes more sense to name this `vtpm_enabled`, as we\u0027re calling this vtpm everywhere else. 
(Except swtpm_{user|group}, which actually refer to the swtpm binary, so they should stay.)","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":84,"context_line":""},{"line_number":85,"context_line":"     [libvirt]"},{"line_number":86,"context_line":"     swtpm_user \u003d $str (default \u0027tss\u0027)"},{"line_number":87,"context_line":"     swtpm_group \u003d $str (default \u0027tss\u0027)"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Traits, Extra Specs, Image Meta"},{"line_number":90,"context_line":"-------------------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_0db1c401","line":87,"updated":"2019-11-18 19:25:44.000000000","message":"I could probably figure this out on my own, but... what defines these values? Is it distro-dependent such that it matters what is in the swtpm package and systemd config? 
Is there not a socket or config file on disk somewhere or anything else we inspect to determine these values?","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":84,"context_line":""},{"line_number":85,"context_line":"     [libvirt]"},{"line_number":86,"context_line":"     swtpm_user \u003d $str (default \u0027tss\u0027)"},{"line_number":87,"context_line":"     swtpm_group \u003d $str (default \u0027tss\u0027)"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Traits, Extra Specs, Image Meta"},{"line_number":90,"context_line":"-------------------------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_62887321","line":87,"in_reply_to":"3fa7e38b_0db1c401","updated":"2019-11-19 20:30:13.000000000","message":"\u003e I could probably figure this out on my own, but... what defines\n \u003e these values? Is it distro-dependent such that it matters what is\n \u003e in the swtpm package and systemd config?\n\nYes. From what I\u0027ve seen, you can a) compile the swtpm binary with a flag to designate the default user/group, and also b) override that with a CLI option. In this environment, there\u0027s not a systemd aspect AFAICT; libvirt just invokes the binaries directly as needed.\n\nI should also note that \"swtpm package\" might be a bit optimistic. It might have been stuffed into a RH distro last year [1], but in my local testing on ubuntu I had to compile it from source.\n\n \u003e Is there not a socket or\n \u003e config file on disk somewhere or anything else we inspect to\n \u003e determine these values?\n\nI did look for something like that (because this is as distasteful to me as it is to you) but couldn\u0027t find anything. 
Until libvirt actually spins up the vtpm, there\u0027s no socket or running process yet for us to inspect (and of course we can\u0027t spin it up until we\u0027ve laid down the files, and we can\u0027t count on another one already running on the target). And at rest, I can\u0027t find any configuration files. The closest I can come is a /var/lib subdirectory that happens to be owned by the right user/group, but I have *no* idea if I can rely on that existing and continuing to exist. (Also not sure whether it gets laid down on install or on first use; the latter isn\u0027t helpful.)\n\n[1] https://bugzilla.redhat.com/show_bug.cgi?id\u003d1611829","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":115,"context_line":"          driver to create the virtual TPM device. Therefore, to avoid"},{"line_number":116,"context_line":"          confusion, this will not be documented as a possibility."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"    .. todo:: Or should we actually block that?"},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. 
If"},{"line_number":121,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_8dc4d461","line":118,"updated":"2019-11-18 19:25:44.000000000","message":"I don\u0027t think we should block it, but agree that hw:tpm_version to both query for and enable it makes sense.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":115,"context_line":"          driver to create the virtual TPM device. Therefore, to avoid"},{"line_number":116,"context_line":"          confusion, this will not be documented as a possibility."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"    .. todo:: Or should we actually block that?"},{"line_number":119,"context_line":""},{"line_number":120,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. If"},{"line_number":121,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_22acbb86","line":118,"in_reply_to":"3fa7e38b_8dc4d461","updated":"2019-11-19 20:30:13.000000000","message":"Ack, removed the todo.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Note that the emulated TPM is just a process running on the host, so the"},{"line_number":126,"context_line":"concept of inventory doesn\u0027t apply. 
Thus there are no resource classes"},{"line_number":127,"context_line":"associated with this feature."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"If both the flavor and the image specify a TPM trait or device model and the"},{"line_number":130,"context_line":"two values do not match, an exception will be raised from the API by the"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_2dab6088","line":127,"updated":"2019-11-18 19:25:44.000000000","message":"I think what you mean here is that the TPM is emulated and has effectively infinite capacity and therefore we don\u0027t need to track it as a consumable resource. Right?\n\nThat it is \"just a process running on the host\" doesn\u0027t really mean anything related to whether or not we report it in inventory.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Note that the emulated TPM is just a process running on the host, so the"},{"line_number":126,"context_line":"concept of inventory doesn\u0027t apply. 
Thus there are no resource classes"},{"line_number":127,"context_line":"associated with this feature."},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"If both the flavor and the image specify a TPM trait or device model and the"},{"line_number":130,"context_line":"two values do not match, an exception will be raised from the API by the"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_c2bcc7b6","line":127,"in_reply_to":"3fa7e38b_2dab6088","updated":"2019-11-19 20:30:13.000000000","message":"Okay, reworded, see if you like.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":151,"context_line":"#. Nova injects the XML_ into the instance\u0027s domain. The ``model`` and"},{"line_number":152,"context_line":"   ``version`` are gleaned from the flavor/image properties, and the ``secret``"},{"line_number":153,"context_line":"   is ``$secret_uuid``."},{"line_number":154,"context_line":"#. Once the instance boots, nova uses the ``virSecretUndefine`` API to delete"},{"line_number":155,"context_line":"   the secret. The instance\u0027s emulated TPM continues to function."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"Cold Boot"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_ad6f505e","line":154,"range":{"start_line":154,"start_character":3,"end_line":154,"end_character":26},"updated":"2019-11-18 19:25:44.000000000","message":"To me, \"instance boots\" is something you don\u0027t have control over or visibility to. I assume this means something related to actually spawning the domain, or maybe when we unpause it after receiving all the network events? 
If we can delete it before unpause that would probably be the cleanest and least-racy, and if we fail to get the network events, we don\u0027t need to do any more (TPM-related) cleanup.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":151,"context_line":"#. Nova injects the XML_ into the instance\u0027s domain. The ``model`` and"},{"line_number":152,"context_line":"   ``version`` are gleaned from the flavor/image properties, and the ``secret``"},{"line_number":153,"context_line":"   is ``$secret_uuid``."},{"line_number":154,"context_line":"#. Once the instance boots, nova uses the ``virSecretUndefine`` API to delete"},{"line_number":155,"context_line":"   the secret. The instance\u0027s emulated TPM continues to function."},{"line_number":156,"context_line":""},{"line_number":157,"context_line":"Cold Boot"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_a270ab0a","line":154,"range":{"start_line":154,"start_character":3,"end_line":154,"end_character":26},"in_reply_to":"3fa7e38b_ad6f505e","updated":"2019-11-19 20:30:13.000000000","message":"It\u0027s specifically _create_domain [1], which I\u0027m planning to wrap in a context manager [2], e.g. like [3], that defines the secret on entry and undefines it on exit. (I\u0027ll freely admit that what _create_domain is doing is utterly opaque to me. 
But that seems to be the critical section during which the secret needs to be defined to libvirt for this thing to work.)\n\nI\u0027ll reword this as \"Once libvirt has created the guest\", howzat?\n\n[1] https://opendev.org/openstack/nova/src/commit/0644f03241fee678adfadb3102b00760249aea3e/nova/virt/libvirt/driver.py#L6137-L6159\n[2] https://review.opendev.org/#/c/631363/32/nova/virt/libvirt/driver.py@5229\n[3] https://review.opendev.org/#/c/631363/32/nova/virt/libvirt/driver.py@6319","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":174,"context_line":"Fancy Stuff (Migrations, Etc.)"},{"line_number":175,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":176,"context_line":"Because only the instance owner has access to the key manager entry, lifecycle"},{"line_number":177,"context_line":"operations performed by the admin cannot result in a running VM."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"...except live migration, since the (already decrypted) running state of the"},{"line_number":180,"context_line":"vTPM is carried along to the destination."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_2d004066","line":177,"updated":"2019-11-18 19:25:44.000000000","message":"Please call out specifically \"host restart\" as something else that can\u0027t work. Just saying \"lifecycle ... 
performed by the admin\" is not likely to resonate fully with everyone.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":174,"context_line":"Fancy Stuff (Migrations, Etc.)"},{"line_number":175,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":176,"context_line":"Because only the instance owner has access to the key manager entry, lifecycle"},{"line_number":177,"context_line":"operations performed by the admin cannot result in a running VM."},{"line_number":178,"context_line":""},{"line_number":179,"context_line":"...except live migration, since the (already decrypted) running state of the"},{"line_number":180,"context_line":"vTPM is carried along to the destination."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_e253036b","line":177,"in_reply_to":"3fa7e38b_2d004066","updated":"2019-11-19 20:30:13.000000000","message":"Done","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":191,"context_line":"  to match it."},{"line_number":192,"context_line":"* Perform the move, which will automatically carry the data along."},{"line_number":193,"context_line":"* Change ownership back and move the directory out to"},{"line_number":194,"context_line":"  ``/var/lib/libvirt/swtpm/\u003cinstance\u003e`` on the destination."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"This should allow support of cold/live migration, resizes that don\u0027t change the"},{"line_number":197,"context_line":"device, and shelve/unshelve, as long as the \"destination\" is able to 
determine"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_2db280e6","line":194,"updated":"2019-11-18 19:25:44.000000000","message":"Le ugh.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":191,"context_line":"  to match it."},{"line_number":192,"context_line":"* Perform the move, which will automatically carry the data along."},{"line_number":193,"context_line":"* Change ownership back and move the directory out to"},{"line_number":194,"context_line":"  ``/var/lib/libvirt/swtpm/\u003cinstance\u003e`` on the destination."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"This should allow support of cold/live migration, resizes that don\u0027t change the"},{"line_number":197,"context_line":"device, and shelve/unshelve, as long as the \"destination\" is able to determine"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_c24607a8","line":194,"in_reply_to":"3fa7e38b_2db280e6","updated":"2019-11-19 20:30:13.000000000","message":"Agree :(","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":192,"context_line":"* Perform the move, which will automatically carry the data along."},{"line_number":193,"context_line":"* Change ownership back and move the directory out to"},{"line_number":194,"context_line":"  ``/var/lib/libvirt/swtpm/\u003cinstance\u003e`` on the destination."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"This should allow support of cold/live migration, resizes that don\u0027t change the"},{"line_number":197,"context_line":"device, and 
shelve/unshelve, as long as the \"destination\" is able to determine"},{"line_number":198,"context_line":"that it needs to unpack this directory."}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f51c1b14","line":195,"updated":"2019-11-19 20:30:13.000000000","message":"(@Dan FYI a lot of this section is cfriesen\u0027s original text. I think he was just talking through the various lifecycle operations to make sure they were addressed.)","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":194,"context_line":"  ``/var/lib/libvirt/swtpm/\u003cinstance\u003e`` on the destination."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"This should allow support of cold/live migration, resizes that don\u0027t change the"},{"line_number":197,"context_line":"device, and shelve/unshelve, as long as the \"destination\" is able to determine"},{"line_number":198,"context_line":"that it needs to unpack this directory."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Resizing will result in a reschedule, so shouldn\u0027t be a problem. If the admin"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_0de224d5","line":197,"range":{"start_line":197,"start_character":12,"end_line":197,"end_character":27},"updated":"2019-11-18 19:25:44.000000000","message":"Shelve, offload, unshelve will result in an instance with an empty TPM right? 
That\u0027s a problem for any real user of this.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":194,"context_line":"  ``/var/lib/libvirt/swtpm/\u003cinstance\u003e`` on the destination."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"This should allow support of cold/live migration, resizes that don\u0027t change the"},{"line_number":197,"context_line":"device, and shelve/unshelve, as long as the \"destination\" is able to determine"},{"line_number":198,"context_line":"that it needs to unpack this directory."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Resizing will result in a reschedule, so shouldn\u0027t be a problem. If the admin"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_5593af00","line":197,"range":{"start_line":197,"start_character":12,"end_line":197,"end_character":27},"in_reply_to":"3fa7e38b_0de224d5","updated":"2019-11-19 20:30:13.000000000","message":"That\u0027s because shelve-offload doesn\u0027t preserve the local instance directory?\n\nYeah, that\u0027s a problem. I\u0027m open to suggestions. The ones that come to mind aren\u0027t lovely:\n\n- Store the data within the snapshot. Would have to find a way to get it there, and also a way to peel it back out afterward. Booting the snapshot on a host that doesn\u0027t know how to do the latter could result in the guts of your VM being able to see that file. It\u0027s encrypted, so that\u0027s maybe not a show-stopper, but it\u0027s still very icky.\n- Store the data file in the instance record itself. This would work for all the lifecycle operations (as opposed to putting it in the instance dir). 
The thing ought to be pretty small (my test ones are just over 4KB, though I haven\u0027t really exercised them much) but that doesn\u0027t seem like the kind of thing we want to pollute the db with.\n- Similarly the snapshot metadata.\n- Create a separate glance image for the file. Associate the two via metadata. Pull it down and unpack it during unshelve (and un-everything-else).\n- Don\u0027t natively support these operations; require admin/orchestrator to save/restore the file.\n\nBTW, not sure I agree that \"any real user\" relies on the shelve-offload operation. In particular, I think the use case that\u0027s driving this work relies on the VM with the vTPM being alive all the time, so I wouldn\u0027t expect they would ever want to offload it. But I\u0027ll ask.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"fe30f57c24c03bf62564d285853b3f9eee6df4e8","unresolved":false,"context_lines":[{"line_number":194,"context_line":"  ``/var/lib/libvirt/swtpm/\u003cinstance\u003e`` on the destination."},{"line_number":195,"context_line":""},{"line_number":196,"context_line":"This should allow support of cold/live migration, resizes that don\u0027t change the"},{"line_number":197,"context_line":"device, and shelve/unshelve, as long as the \"destination\" is able to determine"},{"line_number":198,"context_line":"that it needs to unpack this directory."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Resizing will result in a reschedule, so shouldn\u0027t be a problem. 
If the admin"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_d3afb7dd","line":197,"range":{"start_line":197,"start_character":12,"end_line":197,"end_character":27},"in_reply_to":"3fa7e38b_5593af00","updated":"2019-11-19 21:31:26.000000000","message":"\u003e That\u0027s because shelve-offload doesn\u0027t preserve the local instance\n \u003e directory?\n\nShelve offload removes all residue of the instance from the host. The expectation is that when unshelved, the instance will be running on a different host.\n\n \u003e Yeah, that\u0027s a problem. I\u0027m open to suggestions. The ones that come\n \u003e to mind aren\u0027t lovely:\n \u003e \n \u003e - Store the data within the snapshot. Would have to find a way to\n \u003e get it there, and also a way to peel it back out afterward. Booting\n \u003e the snapshot on a host that doesn\u0027t know how to do the latter could\n \u003e result in the guts of your VM being able to see that file. It\u0027s\n \u003e encrypted, so that\u0027s maybe not a show-stopper, but it\u0027s still very\n \u003e icky.\n\nYou can\u0027t do this really. The image format needs to be one of the ones glance supports, so just appending the data (or encapsulating in a tar or something) is not legit. I think there are some cases where you can store another object in glance that is an opaque file sidecar kind of thing, but I\u0027m not sure. I\u0027m less concerned about restoring to a host that doesn\u0027t support this as the scheduler should prevent that -- it\u0027s more about losing the contents.\n\n \u003e - Store the data file in the instance record itself. This would\n \u003e work for all the lifecycle operations (as opposed to putting it in\n \u003e the instance dir). 
The thing ought to be pretty small (my test ones\n \u003e are just over 4KB, though I haven\u0027t really exercised them much) but\n \u003e that doesn\u0027t seem like the kind of thing we want to pollute the db\n \u003e with.\n\nNo, and we don\u0027t have anywhere to put it currently that I can think of.\n\n \u003e - Similarly the snapshot metadata.\n \u003e - Create a separate glance image for the file. Associate the two\n \u003e via metadata. Pull it down and unpack it during unshelve (and\n \u003e un-everything-else).\n\nThis may be what I was talking about above. If so, I think this is the only thing that sounds reasonable from your list, despite the complexity.\n\n \u003e - Don\u0027t natively support these operations; require\n \u003e admin/orchestrator to save/restore the file.\n\nNope. Shelve/Unshelve is a user operation. Further, it\u0027s the mechanism behind cross-cell resize, so people will be hitting those paths even more frequently, and without even specifically asking for shelve, in the future.\n\n \u003e BTW, not sure I agree that \"any real user\" relies on the\n \u003e shelve-offload operation. In particular, I think the use case\n \u003e that\u0027s driving this work relies on the VM with the vTPM being alive\n \u003e all the time, so I wouldn\u0027t expect they would ever want to offload\n \u003e it. But I\u0027ll ask.\n\nWell, I don\u0027t think you get to make that assumption. Further, remember that AWS\u0027 instance start/stop is equivalent to our shelve/unshelve, and a lot of people in the scientific community and especially people using accelerators actually _want_ shelve to be start/stop. I would expect a lot of those same advanced users to be pursuing this feature. 
Plus, as I said, soon resize/migrate will be a silent front for shelve/unshelve when crossing cells (which users don\u0027t have visibility to), so whenever you say \"shelve isn\u0027t interesting to these users\", just s/shelve/resize/ and see if that still fits :)","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":197,"context_line":"device, and shelve/unshelve, as long as the \"destination\" is able to determine"},{"line_number":198,"context_line":"that it needs to unpack this directory."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Resizing will result in a reschedule, so shouldn\u0027t be a problem. If the admin"},{"line_number":201,"context_line":"resizes from a flavor with TPM to a flavor without TPM nova won\u0027t care, but it"},{"line_number":202,"context_line":"might cause problems in the guest."},{"line_number":203,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_4ddc9c17","line":200,"range":{"start_line":200,"start_character":0,"end_line":200,"end_character":64},"updated":"2019-11-18 19:25:44.000000000","message":"What does rescheduling have to do with any of this? Maybe you mean \"rescheduling will still pick a host with TPM support\" ? 
It sounds like you\u0027re referring to the horrid copying of the state above during a resize.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":197,"context_line":"device, and shelve/unshelve, as long as the \"destination\" is able to determine"},{"line_number":198,"context_line":"that it needs to unpack this directory."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"Resizing will result in a reschedule, so shouldn\u0027t be a problem. If the admin"},{"line_number":201,"context_line":"resizes from a flavor with TPM to a flavor without TPM nova won\u0027t care, but it"},{"line_number":202,"context_line":"might cause problems in the guest."},{"line_number":203,"context_line":""}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_957a87b8","line":200,"range":{"start_line":200,"start_character":0,"end_line":200,"end_character":64},"in_reply_to":"3fa7e38b_4ddc9c17","updated":"2019-11-19 20:30:13.000000000","message":"Yeah, I don\u0027t really understand this paragraph (another one from cfriesen). I\u0027ll just remove it. Anything involving rescheduling will make sure the target is capable and bounce if it isn\u0027t, end of story.\n\nReally we just have to address all the scenarios involving the virtual device files.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":203,"context_line":""},{"line_number":204,"context_line":"Rebuilding to a new image is problematic if the new image specifies a TPM"},{"line_number":205,"context_line":"trait and the current host cannot provide TPM support. 
This will cause the"},{"line_number":206,"context_line":"rebuild to fail. In this case, the user would need to rebuild with a suitable"},{"line_number":207,"context_line":"image."},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"It should be noted that if a compute node goes down and the VM has to be"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_8dd5b4e8","line":206,"range":{"start_line":206,"start_character":0,"end_line":206,"end_character":15},"updated":"2019-11-18 19:25:44.000000000","message":"As expected because the scheduler will fail to validate the host right? That\u0027s not any more problematic than any other rebuild-related impossibility.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":203,"context_line":""},{"line_number":204,"context_line":"Rebuilding to a new image is problematic if the new image specifies a TPM"},{"line_number":205,"context_line":"trait and the current host cannot provide TPM support. This will cause the"},{"line_number":206,"context_line":"rebuild to fail. In this case, the user would need to rebuild with a suitable"},{"line_number":207,"context_line":"image."},{"line_number":208,"context_line":""},{"line_number":209,"context_line":"It should be noted that if a compute node goes down and the VM has to be"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_82c1efe6","line":206,"range":{"start_line":206,"start_character":0,"end_line":206,"end_character":15},"in_reply_to":"3fa7e38b_8dd5b4e8","updated":"2019-11-19 20:30:13.000000000","message":"Agreed. 
Should I just cut this paragraph?","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":221,"context_line":"* Use physical passthrough (``\u003cbackend type\u003d\u0027passthrough\u0027\u003e``) of a real"},{"line_number":222,"context_line":"  (hardware) TPM device. This is not feasible with current TPM hardware because"},{"line_number":223,"context_line":"  (among other things) changing ownership of the secrets requires a host"},{"line_number":224,"context_line":"  reboot."},{"line_number":225,"context_line":"* Use glance or object store to save the TPM data for operations such as"},{"line_number":226,"context_line":"  shelve/unshelve. This would be more complicated than the proposed solution"},{"line_number":227,"context_line":"  (if arguably less hackish) so if we can make the directory copyin/out thing"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_cdf88c7d","line":224,"updated":"2019-11-18 19:25:44.000000000","message":"...and it also won\u0027t fit with this entire model since you\u0027d need to track inventory right?","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":221,"context_line":"* Use physical passthrough (``\u003cbackend type\u003d\u0027passthrough\u0027\u003e``) of a real"},{"line_number":222,"context_line":"  (hardware) TPM device. 
This is not feasible with current TPM hardware because"},{"line_number":223,"context_line":"  (among other things) changing ownership of the secrets requires a host"},{"line_number":224,"context_line":"  reboot."},{"line_number":225,"context_line":"* Use glance or object store to save the TPM data for operations such as"},{"line_number":226,"context_line":"  shelve/unshelve. This would be more complicated than the proposed solution"},{"line_number":227,"context_line":"  (if arguably less hackish) so if we can make the directory copyin/out thing"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_f51f3b6d","line":224,"in_reply_to":"3fa7e38b_cdf88c7d","updated":"2019-11-19 20:30:13.000000000","message":"Oh, every aspect of the design would have to change. But physical passthrough is such a nonstarter (for the reasons stated) that it\u0027s not worth going into any more detail.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":225,"context_line":"* Use glance or object store to save the TPM data for operations such as"},{"line_number":226,"context_line":"  shelve/unshelve. 
This would be more complicated than the proposed solution"},{"line_number":227,"context_line":"  (if arguably less hackish) so if we can make the directory copyin/out thing"},{"line_number":228,"context_line":"  work, we should do that."},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"Data model impact"},{"line_number":231,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_6d2f18f6","line":228,"updated":"2019-11-18 19:25:44.000000000","message":"Not sure how \"the directory thing\" helps with shelve/unshelve at all.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":225,"context_line":"* Use glance or object store to save the TPM data for operations such as"},{"line_number":226,"context_line":"  shelve/unshelve. This would be more complicated than the proposed solution"},{"line_number":227,"context_line":"  (if arguably less hackish) so if we can make the directory copyin/out thing"},{"line_number":228,"context_line":"  work, we should do that."},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"Data model impact"},{"line_number":231,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_b52543c1","line":228,"in_reply_to":"3fa7e38b_6d2f18f6","updated":"2019-11-19 20:30:13.000000000","message":"Yeah, see above. 
Needs work.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af15abd81c80268afc5ddbfe08c7f4c57162f771","unresolved":false,"context_lines":[{"line_number":336,"context_line":""},{"line_number":337,"context_line":"There may or may not be value in a CI job to perform various operations on an"},{"line_number":338,"context_line":"instance with a vTPM and validate the operation of the device via ssh to the"},{"line_number":339,"context_line":"guest."},{"line_number":340,"context_line":""},{"line_number":341,"context_line":"Documentation Impact"},{"line_number":342,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_6d1878d2","line":339,"updated":"2019-11-18 19:25:44.000000000","message":"I would expect that CI validation that resize/migrate and hard reboot would be very important for this.","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a0089feace8ad3535f2247d5ea2e7599012af1cc","unresolved":false,"context_lines":[{"line_number":336,"context_line":""},{"line_number":337,"context_line":"There may or may not be value in a CI job to perform various operations on an"},{"line_number":338,"context_line":"instance with a vTPM and validate the operation of the device via ssh to the"},{"line_number":339,"context_line":"guest."},{"line_number":340,"context_line":""},{"line_number":341,"context_line":"Documentation 
Impact"},{"line_number":342,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":6,"id":"3fa7e38b_d8da7677","line":339,"in_reply_to":"3fa7e38b_6d1878d2","updated":"2019-11-19 20:30:13.000000000","message":"Done","commit_id":"4b3e90f7bc0186f8e48e197f2bcb4d503052fba9"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":33,"context_line":"Proposed change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"In recent libvirt and qemu (and possibly other hypervisors as well) there is"},{"line_number":37,"context_line":"support for an emulated vTPM device. 
We propose to modify nova to make use"},{"line_number":38,"context_line":"of this capability."},{"line_number":39,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_96bcbb6c","line":36,"range":{"start_line":36,"start_character":27,"end_line":36,"end_character":67},"updated":"2019-11-21 03:13:42.000000000","message":"both hyperv and vmware vsphere support vTPM\n\nnot sure about xen or powervm but  i suspect xen will get it for free from qemu/libvirt support","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"82fccd9cda593afffd4c607f5c6383cc76b677cb","unresolved":false,"context_lines":[{"line_number":33,"context_line":"Proposed change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"In recent libvirt and qemu (and possibly other hypervisors as well) there is"},{"line_number":37,"context_line":"support for an emulated vTPM device. 
We propose to modify nova to make use"},{"line_number":38,"context_line":"of this capability."},{"line_number":39,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_c63010ec","line":36,"in_reply_to":"3fa7e38b_3d1271fe","updated":"2019-12-04 17:14:20.000000000","message":"by the way the out of tree hyperv driver has had support for vtpm for the better part of 4 years\nhttps://github.com/openstack/compute-hyperv/commit/f37ce8b6bb0eb88a367239698ba7c3df3b64db38\n\nbut they never upstream it","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":33,"context_line":"Proposed change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"In recent libvirt and qemu (and possibly other hypervisors as well) there is"},{"line_number":37,"context_line":"support for an emulated vTPM device. We propose to modify nova to make use"},{"line_number":38,"context_line":"of this capability."},{"line_number":39,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_d671ccdf","line":36,"range":{"start_line":36,"start_character":27,"end_line":36,"end_character":67},"in_reply_to":"3fa7e38b_96bcbb6c","updated":"2019-11-21 17:54:24.000000000","message":"Noted. This spec is about libvirt only. 
We\u0027re not going to declare support for xen, even if it happens to just work, because a) it\u0027s deprecated, and b) I don\u0027t want to have to test it.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b7199f1de8bc98109806e7ff252898aba54de17a","unresolved":false,"context_lines":[{"line_number":33,"context_line":"Proposed change"},{"line_number":34,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":35,"context_line":""},{"line_number":36,"context_line":"In recent libvirt and qemu (and possibly other hypervisors as well) there is"},{"line_number":37,"context_line":"support for an emulated vTPM device. We propose to modify nova to make use"},{"line_number":38,"context_line":"of this capability."},{"line_number":39,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_3d1271fe","line":36,"in_reply_to":"3fa7e38b_d671ccdf","updated":"2019-11-22 01:09:09.000000000","message":"Oh ya I know I was just confirming this is a feature in other hypervisors","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":69,"context_line":"  the passphrase used to encrypt the virtual device\u0027s data. 
(The key manager"},{"line_number":70,"context_line":"  implementation\u0027s public methods must be capable of consuming the user\u0027s auth"},{"line_number":71,"context_line":"  token from the ``context`` parameter which is part of the interface.)"},{"line_number":72,"context_line":"* Access to an object-store service, such as swift, for storing the file the"},{"line_number":73,"context_line":"  host uses for the virtual device data during operations such as"},{"line_number":74,"context_line":"  shelve-offload."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Config"},{"line_number":77,"context_line":"------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_f6a2cf3e","line":74,"range":{"start_line":72,"start_character":2,"end_line":74,"end_character":17},"updated":"2019-11-21 03:13:42.000000000","message":"so i take it the idea of using glance for this has been dropped.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":69,"context_line":"  the passphrase used to encrypt the virtual device\u0027s data. 
(The key manager"},{"line_number":70,"context_line":"  implementation\u0027s public methods must be capable of consuming the user\u0027s auth"},{"line_number":71,"context_line":"  token from the ``context`` parameter which is part of the interface.)"},{"line_number":72,"context_line":"* Access to an object-store service, such as swift, for storing the file the"},{"line_number":73,"context_line":"  host uses for the virtual device data during operations such as"},{"line_number":74,"context_line":"  shelve-offload."},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Config"},{"line_number":77,"context_line":"------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_564f1c91","line":74,"range":{"start_line":72,"start_character":2,"end_line":74,"end_character":17},"in_reply_to":"3fa7e38b_f6a2cf3e","updated":"2019-11-21 17:54:24.000000000","message":"Yes, see Alternatives, L317. More details from yesterday\u0027s conversation in -glance: http://eavesdrop.openstack.org/irclogs/%23openstack-glance/%23openstack-glance.2019-11-20.log.html#t2019-11-20T15:20:40","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Config"},{"line_number":77,"context_line":"------"},{"line_number":78,"context_line":"* A new config option will be introduced to act as a \"master switch\" enabling"},{"line_number":79,"context_line":"  vTPM. 
This config option would apply to future drivers\u0027 implementations as"},{"line_number":80,"context_line":"  well, but since this spec and current implementation are specific to libvirt,"},{"line_number":81,"context_line":"  it is in the ``libvirt`` rather than the ``compute`` group::"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"     [libvirt]"},{"line_number":84,"context_line":"     vtpm_enabled \u003d $bool (default False)"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"* To enable live migration, nova must be able to lay down the vtpm data with"},{"line_number":87,"context_line":"  the correct ownership -- that of the swtpm process libvirt will create -- but"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_b6669728","line":84,"range":{"start_line":78,"start_character":0,"end_line":84,"end_character":41},"updated":"2019-11-21 03:13:42.000000000","message":"we normally dont do this.\n\nwe could but im wondering why?\nis this going to control the reporting of the compute capablity traits?","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b7199f1de8bc98109806e7ff252898aba54de17a","unresolved":false,"context_lines":[{"line_number":81,"context_line":"  it is in the ``libvirt`` rather than the ``compute`` group::"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"     [libvirt]"},{"line_number":84,"context_line":"     vtpm_enabled \u003d $bool (default False)"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"* To enable live migration, nova must be able to lay down the vtpm data with"},{"line_number":87,"context_line":"  the correct ownership -- that of the swtpm process libvirt will create -- 
but"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_bddbc14b","line":84,"in_reply_to":"","updated":"2019-11-22 01:09:09.000000000","message":"correct all of the examples you gave do not alter the devices that are presented to the guest and are not things you can request via flavour extra spec or image metadata property. the closest from that list would be the hyperv remotefx value the graphics card exposed but again I do not believe you can request it via the flavour or image","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Config"},{"line_number":77,"context_line":"------"},{"line_number":78,"context_line":"* A new config option will be introduced to act as a \"master switch\" enabling"},{"line_number":79,"context_line":"  vTPM. 
This config option would apply to future drivers\u0027 implementations as"},{"line_number":80,"context_line":"  well, but since this spec and current implementation are specific to libvirt,"},{"line_number":81,"context_line":"  it is in the ``libvirt`` rather than the ``compute`` group::"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"     [libvirt]"},{"line_number":84,"context_line":"     vtpm_enabled \u003d $bool (default False)"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"* To enable live migration, nova must be able to lay down the vtpm data with"},{"line_number":87,"context_line":"  the correct ownership -- that of the swtpm process libvirt will create -- but"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_468a0b1b","line":84,"range":{"start_line":78,"start_character":0,"end_line":84,"end_character":41},"in_reply_to":"3fa7e38b_b6669728","updated":"2019-11-21 17:54:24.000000000","message":"\u003e we normally dont do this.\n\nWe don\u0027t? 
Perhaps I don\u0027t know what you mean by \"this\".\n\nhttps://docs.openstack.org/nova/latest/configuration/config.html#cache.enabled\nhttps://docs.openstack.org/nova/latest/configuration/config.html#ephemeral_storage_encryption.enabled\nhttps://docs.openstack.org/nova/latest/configuration/config.html#glance.enable_certificate_validation\nhttps://docs.openstack.org/nova/latest/configuration/config.html#mks.enabled\nhttps://docs.openstack.org/nova/latest/configuration/config.html#profiler.enabled\nhttps://docs.openstack.org/nova/latest/configuration/config.html#rdp.enabled\nhttps://docs.openstack.org/nova/latest/configuration/config.html#serial_console.enabled\nhttps://docs.openstack.org/nova/latest/configuration/config.html#spice.enabled\nhttps://docs.openstack.org/nova/latest/configuration/config.html#spice.agent_enabled\nhttps://docs.openstack.org/nova/latest/configuration/config.html#vmware.pbm_enabled\nhttps://docs.openstack.org/nova/latest/configuration/config.html#vnc.enabled\nhttps://docs.openstack.org/nova/latest/configuration/config.html#DEFAULT.enable_network_quota\nhttps://docs.openstack.org/nova/latest/configuration/config.html#api.enable_instance_password\nhttps://docs.openstack.org/nova/latest/configuration/config.html#database.mysql_enable_ndb\nhttps://docs.openstack.org/nova/latest/configuration/config.html#hyperv.enable_instance_metrics_collection\nhttps://docs.openstack.org/nova/latest/configuration/config.html#hyperv.enable_remotefx\nhttps://docs.openstack.org/nova/latest/configuration/config.html#oslo_messaging_kafka.enable_auto_commit\nhttps://docs.openstack.org/nova/latest/configuration/config.html#scheduler.enable_isolated_aggregate_filtering\nhttps://docs.openstack.org/nova/latest/configuration/config.html#workarounds.enable_numa_live_migration\n\n \u003e we could but im wondering why?\n \u003e is this going to control the reporting of the compute capablity\n \u003e traits?\n\nYes. 
Passively happening to have the right qemu/libvirt versions and swtpm installed doesn\u0027t necessarily mean you want to allow guests to have vTPMs on this host; you have to say so explicitly.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":81,"context_line":"  it is in the ``libvirt`` rather than the ``compute`` group::"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"     [libvirt]"},{"line_number":84,"context_line":"     vtpm_enabled \u003d $bool (default False)"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"* To enable live migration, nova must be able to lay down the vtpm data with"},{"line_number":87,"context_line":"  the correct ownership -- that of the swtpm process libvirt will create -- but"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_fadfed08","line":84,"in_reply_to":"3fa7e38b_bddbc14b","updated":"2019-11-23 00:12:42.000000000","message":"Without it the user gets control (via image meta); the admin can\u0027t prevent a user from creating a vTPM except by doing weird workaroundy things like making sure swtpm is not installed or accessible. 
I guess it\u0027s kind of like \"putting the TPM device in the PCI whitelist\" which is something the admin has to do generally for $device to be able to be given to $vm.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":97,"context_line":"  node\u0027s configuration."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"* New standard keystoneauth1 auth/session/adapter options for ``[swift]`` will"},{"line_number":100,"context_line":"  be introduced. These must also beset in the compute node\u0027s configuration."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Traits, Extra Specs, Image Meta"},{"line_number":103,"context_line":"-------------------------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_964a7b80","line":100,"range":{"start_line":100,"start_character":33,"end_line":100,"end_character":38},"updated":"2019-11-21 03:13:42.000000000","message":"\"be set\" thats two word right? beset as a single word has a different meaning.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":97,"context_line":"  node\u0027s configuration."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"* New standard keystoneauth1 auth/session/adapter options for ``[swift]`` will"},{"line_number":100,"context_line":"  be introduced. 
These must also beset in the compute node\u0027s configuration."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Traits, Extra Specs, Image Meta"},{"line_number":103,"context_line":"-------------------------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_9ae279d3","line":100,"range":{"start_line":100,"start_character":33,"end_line":100,"end_character":38},"in_reply_to":"3fa7e38b_8673234e","updated":"2019-11-23 00:12:42.000000000","message":"Done","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":97,"context_line":"  node\u0027s configuration."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"* New standard keystoneauth1 auth/session/adapter options for ``[swift]`` will"},{"line_number":100,"context_line":"  be introduced. 
These must also beset in the compute node\u0027s configuration."},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"Traits, Extra Specs, Image Meta"},{"line_number":103,"context_line":"-------------------------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_8673234e","line":100,"range":{"start_line":100,"start_character":33,"end_line":100,"end_character":38},"in_reply_to":"3fa7e38b_964a7b80","updated":"2019-11-21 17:54:24.000000000","message":"Yup.\n\n/me marks calendar","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":133,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":134,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":137,"context_line":"\"inventory\" is effectively unlimited. Thus there are no resource classes"},{"line_number":138,"context_line":"associated with this feature."},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"If both the flavor and the image specify a TPM trait or device model and the"},{"line_number":141,"context_line":"two values do not match, an exception will be raised from the API by the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_763a5fe6","line":138,"range":{"start_line":136,"start_character":0,"end_line":138,"end_character":29},"updated":"2019-11-21 03:13:42.000000000","message":"the only draw back to this is it means we wont be able to put a quota on this with unified limits if we wanted that in the future. you could just use max int but yes this is also reasonable. 
I am not sure you would necessarily want to put a quota on vTPMs, but I said I would mention it.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":133,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":134,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":135,"context_line":""},{"line_number":136,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":137,"context_line":"\"inventory\" is effectively unlimited. Thus there are no resource classes"},{"line_number":138,"context_line":"associated with this feature."},{"line_number":139,"context_line":""},{"line_number":140,"context_line":"If both the flavor and the image specify a TPM trait or device model and the"},{"line_number":141,"context_line":"two values do not match, an exception will be raised from the API by the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_468f6b22","line":138,"range":{"start_line":136,"start_character":0,"end_line":138,"end_character":29},"in_reply_to":"3fa7e38b_763a5fe6","updated":"2019-11-21 17:54:24.000000000","message":"Noted. 
Certainly at this point since there\u0027s no demand for quotas on vTPMs, it\u0027s not worth the extra design/code to artificially impose inventory for them.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":141,"context_line":"two values do not match, an exception will be raised from the API by the"},{"line_number":142,"context_line":"flavor/image validator."},{"line_number":143,"context_line":""},{"line_number":144,"context_line":".. _here: https://en.wikipedia.org/wiki/Trusted_Platform_Module#TPM_1.2_vs_TPM_2.0"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"Instance Lifecycle Operations"},{"line_number":147,"context_line":"-----------------------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_362067b0","line":144,"range":{"start_line":144,"start_character":0,"end_line":144,"end_character":82},"updated":"2019-11-21 03:13:42.000000000","message":"this is kind of in a weird place. you might want to move it to the references section.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":141,"context_line":"two values do not match, an exception will be raised from the API by the"},{"line_number":142,"context_line":"flavor/image validator."},{"line_number":143,"context_line":""},{"line_number":144,"context_line":".. 
_here: https://en.wikipedia.org/wiki/Trusted_Platform_Module#TPM_1.2_vs_TPM_2.0"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"Instance Lifecycle Operations"},{"line_number":147,"context_line":"-----------------------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_7acbfd48","line":144,"range":{"start_line":144,"start_character":0,"end_line":144,"end_character":82},"in_reply_to":"3fa7e38b_0695f331","updated":"2019-11-23 00:12:42.000000000","message":"Actually, this one is pointing to a subsection of the doc that\u0027s specifically pertinent to this section of the spec, but not really generally. I\u0027ll add a link to the top of that wp page in References.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":141,"context_line":"two values do not match, an exception will be raised from the API by the"},{"line_number":142,"context_line":"flavor/image validator."},{"line_number":143,"context_line":""},{"line_number":144,"context_line":".. 
_here: https://en.wikipedia.org/wiki/Trusted_Platform_Module#TPM_1.2_vs_TPM_2.0"},{"line_number":145,"context_line":""},{"line_number":146,"context_line":"Instance Lifecycle Operations"},{"line_number":147,"context_line":"-----------------------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_0695f331","line":144,"range":{"start_line":144,"start_character":0,"end_line":144,"end_character":82},"in_reply_to":"3fa7e38b_362067b0","updated":"2019-11-21 17:54:24.000000000","message":"Ack","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":156,"context_line":"          will not boot automatically, and will instead have to be powered on"},{"line_number":157,"context_line":"          manually by its owner."},{"line_number":158,"context_line":""},{"line_number":159,"context_line":"          Other lifecycle operations which are by default admin-only, such as"},{"line_number":160,"context_line":"          hard reboot, will only work when performed by the VM owner, meaning"},{"line_number":161,"context_line":"          the owner must be given the appropriate policy roles to do so;"},{"line_number":162,"context_line":"          otherwise these operations will be in effect disabled."},{"line_number":163,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_560e433d","line":160,"range":{"start_line":159,"start_character":70,"end_line":160,"end_character":21},"updated":"2019-11-21 03:13:42.000000000","message":"hard reboot is not admin only by default is it? 
I always thought a tenant could do that.\n\nhttps://docs.openstack.org/api-ref/compute/?expanded\u003dreboot-server-reboot-action-detail#reboot-server-reboot-action\n\nIf the server is locked you need admin privileges, but in general a hard reboot should be doable by the tenant.\n\nI am not sure of an example of an admin-only lifecycle action that would qualify for this instead of hard reboot.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":156,"context_line":"          will not boot automatically, and will instead have to be powered on"},{"line_number":157,"context_line":"          manually by its owner."},{"line_number":158,"context_line":""},{"line_number":159,"context_line":"          Other lifecycle operations which are by default admin-only, such as"},{"line_number":160,"context_line":"          hard reboot, will only work when performed by the VM owner, meaning"},{"line_number":161,"context_line":"          the owner must be given the appropriate policy roles to do so;"},{"line_number":162,"context_line":"          otherwise these operations will be in effect disabled."},{"line_number":163,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_86d6c3f1","line":160,"range":{"start_line":159,"start_character":70,"end_line":160,"end_character":21},"in_reply_to":"3fa7e38b_560e433d","updated":"2019-11-21 17:54:24.000000000","message":"You\u0027re right, it looks like there\u0027s no policy distinction between hard and soft reboot [1]. 
Dan asked for this to be called out; maybe I misunderstood, will ask.\n\n[1] https://opendev.org/openstack/nova/src/commit/1cd5563f2dd2b218db2422397c8aab394d484626/nova/policies/servers.py#L304","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":162,"context_line":"          otherwise these operations will be in effect disabled."},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"          ...except live migration, since the (already decrypted) running state"},{"line_number":165,"context_line":"          of the vTPM is carried along to the destination. (To clarify: live"},{"line_number":166,"context_line":"          migration is by default enabled for the owner; the point is that it,"},{"line_number":167,"context_line":"          unlike other operations, would actually work if performed by the"},{"line_number":168,"context_line":"          admin because of the above.)"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Spawn"},{"line_number":171,"context_line":"~~~~~"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_160c4b40","line":168,"range":{"start_line":165,"start_character":59,"end_line":168,"end_character":38},"updated":"2019-11-21 03:13:42.000000000","message":"non adims such as the vm owner cannot live migrate by default. 
it will work if triggerd by the admin but the clarification is confusingly worded.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":162,"context_line":"          otherwise these operations will be in effect disabled."},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"          ...except live migration, since the (already decrypted) running state"},{"line_number":165,"context_line":"          of the vTPM is carried along to the destination. (To clarify: live"},{"line_number":166,"context_line":"          migration is by default enabled for the owner; the point is that it,"},{"line_number":167,"context_line":"          unlike other operations, would actually work if performed by the"},{"line_number":168,"context_line":"          admin because of the above.)"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Spawn"},{"line_number":171,"context_line":"~~~~~"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_26ffcf66","line":168,"range":{"start_line":165,"start_character":59,"end_line":168,"end_character":38},"in_reply_to":"3fa7e38b_160c4b40","updated":"2019-11-21 17:54:24.000000000","message":"Right again [1]; I\u0027ll reword.\n\n[1] https://opendev.org/openstack/nova/src/commit/1cd5563f2dd2b218db2422397c8aab394d484626/nova/policies/migrate_server.py#L37","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":162,"context_line":"          otherwise these operations will be in effect disabled."},{"line_number":163,"context_line":""},{"line_number":164,"context_line":"         
 ...except live migration, since the (already decrypted) running state"},{"line_number":165,"context_line":"          of the vTPM is carried along to the destination. (To clarify: live"},{"line_number":166,"context_line":"          migration is by default enabled for the owner; the point is that it,"},{"line_number":167,"context_line":"          unlike other operations, would actually work if performed by the"},{"line_number":168,"context_line":"          admin because of the above.)"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Spawn"},{"line_number":171,"context_line":"~~~~~"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_1a1d29bd","line":168,"range":{"start_line":165,"start_character":59,"end_line":168,"end_character":38},"in_reply_to":"3fa7e38b_26ffcf66","updated":"2019-11-23 00:12:42.000000000","message":"Done","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Spawn"},{"line_number":171,"context_line":"~~~~~"},{"line_number":172,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":173,"context_line":"   present in the service catalog (and reachable? version discovery?) to"},{"line_number":174,"context_line":"   minimize the chances of subsequent lifecycle operations breaking the"},{"line_number":175,"context_line":"   instance."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_d601d308","line":172,"range":{"start_line":172,"start_character":48,"end_line":172,"end_character":55},"updated":"2019-11-21 03:13:42.000000000","message":"who should? 
the operator/deployer or the tenant?","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Spawn"},{"line_number":171,"context_line":"~~~~~"},{"line_number":172,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":173,"context_line":"   present in the service catalog (and reachable? version discovery?) to"},{"line_number":174,"context_line":"   minimize the chances of subsequent lifecycle operations breaking the"},{"line_number":175,"context_line":"   instance."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_bacf3526","line":172,"in_reply_to":"3fa7e38b_3d95913d","updated":"2019-11-23 00:12:42.000000000","message":"Dan suggested we should block here because users who *do* use snapshot will expect it to work, and will not be thinking about snapshot when they spawn, but will then be very unhappy when they try it and it doesn\u0027t work.\n\nBut I agree that we should not force deployments to have a swift setup to use a vTPM, especially if they don\u0027t use snapshot (i.e. never shelve, backup, cross-cell resize, etc.). It would also be nice to accommodate those who never want their vTPM carried along with their snapshots, which depending on the usage is certainly possible.\n\nSo I see both sides, and I\u0027m not sure what the right answer is. 
(I can see conf opt\u0027ing this to death...)","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b7199f1de8bc98109806e7ff252898aba54de17a","unresolved":false,"context_lines":[{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Spawn"},{"line_number":171,"context_line":"~~~~~"},{"line_number":172,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":173,"context_line":"   present in the service catalog (and reachable? version discovery?) to"},{"line_number":174,"context_line":"   minimize the chances of subsequent lifecycle operations breaking the"},{"line_number":175,"context_line":"   instance."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_3d95913d","line":172,"in_reply_to":"3fa7e38b_661707a5","updated":"2019-11-22 01:09:09.000000000","message":"do we need swift at all for spawn. not everyone use snapshots so those that don\u0027t should still be able to use the feature without swift.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":169,"context_line":""},{"line_number":170,"context_line":"Spawn"},{"line_number":171,"context_line":"~~~~~"},{"line_number":172,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":173,"context_line":"   present in the service catalog (and reachable? version discovery?) 
to"},{"line_number":174,"context_line":"   minimize the chances of subsequent lifecycle operations breaking the"},{"line_number":175,"context_line":"   instance."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_661707a5","line":172,"range":{"start_line":172,"start_character":48,"end_line":172,"end_character":55},"in_reply_to":"3fa7e38b_d601d308","updated":"2019-11-21 17:54:24.000000000","message":"The deployer does need to make sure there\u0027s a swift, but that\u0027s covered in Prerequisites (L72). This section is talking about what the spawn operation on the compute needs to do. (Implementation detail whether the swift check should be done by compute manager or virt driver.)","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":171,"context_line":"~~~~~"},{"line_number":172,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":173,"context_line":"   present in the service catalog (and reachable? version discovery?) to"},{"line_number":174,"context_line":"   minimize the chances of subsequent lifecycle operations breaking the"},{"line_number":175,"context_line":"   instance."},{"line_number":176,"context_line":"#. Nova generates a random passphrase and stores it in the configured key"},{"line_number":177,"context_line":"   manager, yielding a UUID, hereinafter referred to as ``$secret_uuid``."},{"line_number":178,"context_line":"#. Nova saves the ``$secret_uuid`` in the instance\u0027s ``system_metadata`` under"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_1cff8d01","line":175,"range":{"start_line":174,"start_character":58,"end_line":175,"end_character":12},"updated":"2019-11-21 03:13:42.000000000","message":"well i dont think we want to allow that. 
shoudl we not reject those lifecylce operation excluding evacuate that might break the instance if swift is not avilable.\n\nalso i assume a ceph deploymetn with the rados gateway to provdie the swift api would also be fine.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b7199f1de8bc98109806e7ff252898aba54de17a","unresolved":false,"context_lines":[{"line_number":172,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":173,"context_line":"   present in the service catalog (and reachable? version discovery?) to"},{"line_number":174,"context_line":"   minimize the chances of subsequent lifecycle operations breaking the"},{"line_number":175,"context_line":"   instance."},{"line_number":176,"context_line":"#. Nova generates a random passphrase and stores it in the configured key"},{"line_number":177,"context_line":"   manager, yielding a UUID, hereinafter referred to as ``$secret_uuid``."},{"line_number":178,"context_line":"#. Nova saves the ``$secret_uuid`` in the instance\u0027s ``system_metadata`` under"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_bd82e1fd","line":175,"in_reply_to":"","updated":"2019-11-22 01:09:09.000000000","message":"I\u0027m not sure that is a desirable tradeoff. for small deployment swift is pretty heavy requirement even if you can use ceph with the rados gateway to use a single storage backend for nova glance cinder and provide a swift api","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":171,"context_line":"~~~~~"},{"line_number":172,"context_line":"#. 
Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":173,"context_line":"   present in the service catalog (and reachable? version discovery?) to"},{"line_number":174,"context_line":"   minimize the chances of subsequent lifecycle operations breaking the"},{"line_number":175,"context_line":"   instance."},{"line_number":176,"context_line":"#. Nova generates a random passphrase and stores it in the configured key"},{"line_number":177,"context_line":"   manager, yielding a UUID, hereinafter referred to as ``$secret_uuid``."},{"line_number":178,"context_line":"#. Nova saves the ``$secret_uuid`` in the instance\u0027s ``system_metadata`` under"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_e6221701","line":175,"range":{"start_line":174,"start_character":58,"end_line":175,"end_character":12},"in_reply_to":"3fa7e38b_1cff8d01","updated":"2019-11-21 17:54:24.000000000","message":"Dan asked for this too. The idea behind the early check is so you don\u0027t spawn an instance, and that works, but then try to snapshot it later and that fails and you\u0027re like wtf.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":191,"context_line":".. note:: Special logic may be required when `booting from image"},{"line_number":192,"context_line":"          \u003cvtpm-booting-from-image_\u003e`_."},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"Cold Boot"},{"line_number":195,"context_line":"~~~~~~~~~"},{"line_number":196,"context_line":"...and any other operation that starts the guest afresh. 
These must be"},{"line_number":197,"context_line":"performed by the instance owner, as only she has access to the key manager"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_7c2c8192","line":194,"range":{"start_line":194,"start_character":0,"end_line":194,"end_character":9},"updated":"2019-11-21 03:13:42.000000000","message":"cold boot is the Start api action right\nhttps://docs.openstack.org/api-ref/compute/?expanded\u003dstart-server-os-start-action-detail#start-server-os-start-action","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":191,"context_line":".. note:: Special logic may be required when `booting from image"},{"line_number":192,"context_line":"          \u003cvtpm-booting-from-image_\u003e`_."},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"Cold Boot"},{"line_number":195,"context_line":"~~~~~~~~~"},{"line_number":196,"context_line":"...and any other operation that starts the guest afresh. 
These must be"},{"line_number":197,"context_line":"performed by the instance owner, as only she has access to the key manager"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_4679abf9","line":194,"range":{"start_line":194,"start_character":0,"end_line":194,"end_character":9},"in_reply_to":"3fa7e38b_7c2c8192","updated":"2019-11-21 17:54:24.000000000","message":"Sounds right, but I don\u0027t know.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":194,"context_line":"Cold Boot"},{"line_number":195,"context_line":"~~~~~~~~~"},{"line_number":196,"context_line":"...and any other operation that starts the guest afresh. These must be"},{"line_number":197,"context_line":"performed by the instance owner, as only she has access to the key manager"},{"line_number":198,"context_line":"entry."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"#. Glean the ``$secret_uuid`` from the ``tpm_secret_uuid`` of the instance\u0027s"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_bc3679e6","line":197,"range":{"start_line":197,"start_character":41,"end_line":197,"end_character":44},"updated":"2019-11-21 03:13:42.000000000","message":"they?","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":194,"context_line":"Cold Boot"},{"line_number":195,"context_line":"~~~~~~~~~"},{"line_number":196,"context_line":"...and any other operation that starts the guest afresh. 
These must be"},{"line_number":197,"context_line":"performed by the instance owner, as only she has access to the key manager"},{"line_number":198,"context_line":"entry."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"#. Glean the ``$secret_uuid`` from the ``tpm_secret_uuid`` of the instance\u0027s"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_c66cbb37","line":197,"range":{"start_line":197,"start_character":41,"end_line":197,"end_character":44},"in_reply_to":"3fa7e38b_bc3679e6","updated":"2019-11-21 17:54:24.000000000","message":"Bothers me to use a plural pronoun in a singular context, but there\u0027s no way to make everyone happy here. Will reword.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":194,"context_line":"Cold Boot"},{"line_number":195,"context_line":"~~~~~~~~~"},{"line_number":196,"context_line":"...and any other operation that starts the guest afresh. These must be"},{"line_number":197,"context_line":"performed by the instance owner, as only she has access to the key manager"},{"line_number":198,"context_line":"entry."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"#. 
Glean the ``$secret_uuid`` from the ``tpm_secret_uuid`` of the instance\u0027s"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_5adac1e8","line":197,"range":{"start_line":197,"start_character":41,"end_line":197,"end_character":44},"in_reply_to":"3fa7e38b_c66cbb37","updated":"2019-11-23 00:12:42.000000000","message":"Done","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":197,"context_line":"performed by the instance owner, as only she has access to the key manager"},{"line_number":198,"context_line":"entry."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"#. Glean the ``$secret_uuid`` from the ``tpm_secret_uuid`` of the instance\u0027s"},{"line_number":201,"context_line":"   ``system_metadata``."},{"line_number":202,"context_line":"#. Retrieve the passphrase associated with ``$secret_uuid`` via the configured"},{"line_number":203,"context_line":"   key manager API."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_1c76ada5","line":200,"range":{"start_line":200,"start_character":3,"end_line":200,"end_character":8},"updated":"2019-11-21 03:13:42.000000000","message":"get? retrieve? 
glean is an alternative to cloud-init created by the openstack infra team as a python 3 version with fewer dependencies than cloud-init has.\n\nalso this is kind of a sentence fragment; it does not state that it is the nova compute agent, or more specifically the libvirt driver, that will look up the uuid from the system metadata.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b7199f1de8bc98109806e7ff252898aba54de17a","unresolved":false,"context_lines":[{"line_number":197,"context_line":"performed by the instance owner, as only she has access to the key manager"},{"line_number":198,"context_line":"entry."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"#. Glean the ``$secret_uuid`` from the ``tpm_secret_uuid`` of the instance\u0027s"},{"line_number":201,"context_line":"   ``system_metadata``."},{"line_number":202,"context_line":"#. Retrieve the passphrase associated with ``$secret_uuid`` via the configured"},{"line_number":203,"context_line":"   key manager API."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_bd974139","line":200,"in_reply_to":"","updated":"2019-11-22 01:09:09.000000000","message":"Yes I recognise it :) I just avoid using it when discussing instance boots due to its use as a project name. That is more to avoid confusing people on the infra channel","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":197,"context_line":"performed by the instance owner, as only she has access to the key manager"},{"line_number":198,"context_line":"entry."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"#. 
Glean the ``$secret_uuid`` from the ``tpm_secret_uuid`` of the instance\u0027s"},{"line_number":201,"context_line":"   ``system_metadata``."},{"line_number":202,"context_line":"#. Retrieve the passphrase associated with ``$secret_uuid`` via the configured"},{"line_number":203,"context_line":"   key manager API."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_77656f44","line":200,"range":{"start_line":200,"start_character":3,"end_line":200,"end_character":8},"in_reply_to":"3fa7e38b_1c76ada5","updated":"2019-11-21 17:54:24.000000000","message":"\u003e get? retrieve? glean is a alternative to cloud-init create by the\n \u003e openstack infra team as a python 3 version with less dependences\n \u003e then cloud-init has.\n\nThis is \"glean\" the English word. It\u0027s ironic that we designate special meaning to a trove of regular words, making it hard to glean the intended meaning at a swift glance.\n\n \u003e also this is kind of a sentence fragment its not state that it is\n \u003e the nova compute agnet or more specifically the livbirt driver that\n \u003e will lookup the uuid from the system metadata.\n\nAgain, this whole section is talking about how compute makes these operations work, but I can clarify L148-9 further.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":197,"context_line":"performed by the instance owner, as only she has access to the key manager"},{"line_number":198,"context_line":"entry."},{"line_number":199,"context_line":""},{"line_number":200,"context_line":"#. Glean the ``$secret_uuid`` from the ``tpm_secret_uuid`` of the instance\u0027s"},{"line_number":201,"context_line":"   ``system_metadata``."},{"line_number":202,"context_line":"#. 
Retrieve the passphrase associated with ``$secret_uuid`` via the configured"},{"line_number":203,"context_line":"   key manager API."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_7ad53db6","line":200,"in_reply_to":"3fa7e38b_bd974139","updated":"2019-11-23 00:12:42.000000000","message":"Done","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":207,"context_line":"Destroy"},{"line_number":208,"context_line":"~~~~~~~"},{"line_number":209,"context_line":"It would be nice to delete the key with UUID ``$secret_uuid`` via the key"},{"line_number":210,"context_line":"manager when ``destroy_disks\u003dTrue``. However, this would mean that all variants"},{"line_number":211,"context_line":"of `booting from snapshots \u003cvtpm-booting-from-image\u003e`_ with a fresh instance"},{"line_number":212,"context_line":"(e.g. boot from image, unshelve of an offloaded server) could never work."},{"line_number":213,"context_line":"Therefore it must be left up to the user to prune these keys."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"Migrations and their ilk"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_3c9e09b8","line":212,"range":{"start_line":210,"start_character":37,"end_line":212,"end_character":73},"updated":"2019-11-21 03:13:42.000000000","message":"so part of me says we should not support that, at least initially, but i know there are use cases for that so i guess we have to live with it.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":207,"context_line":"Destroy"},{"line_number":208,"context_line":"~~~~~~~"},{"line_number":209,"context_line":"It would be nice to delete the key with UUID ``$secret_uuid`` via the key"},{"line_number":210,"context_line":"manager when ``destroy_disks\u003dTrue``. However, this would mean that all variants"},{"line_number":211,"context_line":"of `booting from snapshots \u003cvtpm-booting-from-image\u003e`_ with a fresh instance"},{"line_number":212,"context_line":"(e.g. 
boot from image, unshelve of an offloaded server) could never work."},{"line_number":213,"context_line":"Therefore it must be left up to the user to prune these keys."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"Migrations and their ilk"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_3c9e09b8","line":212,"range":{"start_line":210,"start_character":37,"end_line":212,"end_character":73},"updated":"2019-11-21 03:13:42.000000000","message":"so part of me say we shoudl not support that  at least initially but i know there are use case for that so i guess we have to live with it.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":207,"context_line":"Destroy"},{"line_number":208,"context_line":"~~~~~~~"},{"line_number":209,"context_line":"It would be nice to delete the key with UUID ``$secret_uuid`` via the key"},{"line_number":210,"context_line":"manager when ``destroy_disks\u003dTrue``. However, this would mean that all variants"},{"line_number":211,"context_line":"of `booting from snapshots \u003cvtpm-booting-from-image\u003e`_ with a fresh instance"},{"line_number":212,"context_line":"(e.g. 
boot from image, unshelve of an offloaded server) could never work."},{"line_number":213,"context_line":"Therefore it must be left up to the user to prune these keys."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"Migrations and their ilk"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_dabd5168","line":212,"range":{"start_line":210,"start_character":37,"end_line":212,"end_character":73},"in_reply_to":"3fa7e38b_3c9e09b8","updated":"2019-11-23 00:12:42.000000000","message":"Yeah, so jroll and I discussed a way to tweak the spec that would remove this ick, and simplify some other things as well. TL;DR: the vTPM sticks exclusively with the instance, not with the image. So all and only operations that have an instance associated with them to start with will keep the vTPM data associated with the original instance:\n- Unshelve\n- Rebuild (any TPM meta on the new image is ignored, though I reckon we should error if the version/model conflict with the existing)\n- Resize / migrate (as noted below) including cross-cell\n- Rescue (this one shouldn\u0027t need to go to swift)\n\nWhereas any operations that don\u0027t start off with an instance will either get a fresh new vTPM (if requested via the flavor/image as usual) or none at all. That may just be Spawn (from a snapshot of an instance that had a vTPM).\n\n...and Evacuate is still simply busted, sorry.\n\nIn addition to allowing us to delete secrets again, this also removes the need to ever store the secret UUID or swift obj info in the image meta. 
And it eliminates the question of having \"cloned\" the same vTPM by spawning multiple instances from the same image.\n\nThis seems like a crisp enough line that, if well documented, it should be sensible and acceptable to users.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"003b1bbb4145bc0b0e44781ad92e92dc3486dd89","unresolved":false,"context_lines":[{"line_number":207,"context_line":"Destroy"},{"line_number":208,"context_line":"~~~~~~~"},{"line_number":209,"context_line":"It would be nice to delete the key with UUID ``$secret_uuid`` via the key"},{"line_number":210,"context_line":"manager when ``destroy_disks\u003dTrue``. However, this would mean that all variants"},{"line_number":211,"context_line":"of `booting from snapshots \u003cvtpm-booting-from-image\u003e`_ with a fresh instance"},{"line_number":212,"context_line":"(e.g. boot from image, unshelve of an offloaded server) could never work."},{"line_number":213,"context_line":"Therefore it must be left up to the user to prune these keys."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"Migrations and their ilk"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_155f3a0f","line":212,"range":{"start_line":210,"start_character":37,"end_line":212,"end_character":73},"in_reply_to":"3fa7e38b_dabd5168","updated":"2019-11-23 00:23:42.000000000","message":"nts: There was concern that this could end you up with multiple swift objects per instance, but like the snapshot resulting from shelve or backup, it is either always new or supersedes the previous. We simply don\u0027t create the swift obj for the createImage action, because there\u0027s no operation where we would use it. 
Rebuild doesn\u0027t rely on a prior backup because it\u0027s happening on the original host where the data file still resides.\n\n...and evacuate is still simply busted, sorry.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":210,"context_line":"manager when ``destroy_disks\u003dTrue``. However, this would mean that all variants"},{"line_number":211,"context_line":"of `booting from snapshots \u003cvtpm-booting-from-image\u003e`_ with a fresh instance"},{"line_number":212,"context_line":"(e.g. boot from image, unshelve of an offloaded server) could never work."},{"line_number":213,"context_line":"Therefore it must be left up to the user to prune these keys."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"Migrations and their ilk"},{"line_number":216,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_fca391fd","line":213,"range":{"start_line":213,"start_character":0,"end_line":213,"end_character":61},"updated":"2019-11-21 03:13:42.000000000","message":"i feel like this could be very easily leaked or never cleaned up by users. is there a quotat on the number of keys you can store in barbican. some users that dont look to closely might not know this key is being created on there behalf.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":210,"context_line":"manager when ``destroy_disks\u003dTrue``. 
However, this would mean that all variants"},{"line_number":211,"context_line":"of `booting from snapshots \u003cvtpm-booting-from-image\u003e`_ with a fresh instance"},{"line_number":212,"context_line":"(e.g. boot from image, unshelve of an offloaded server) could never work."},{"line_number":213,"context_line":"Therefore it must be left up to the user to prune these keys."},{"line_number":214,"context_line":""},{"line_number":215,"context_line":"Migrations and their ilk"},{"line_number":216,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_5763931a","line":213,"range":{"start_line":213,"start_character":0,"end_line":213,"end_character":61},"in_reply_to":"3fa7e38b_fca391fd","updated":"2019-11-21 17:54:24.000000000","message":"It\u0027s not *so* different than the fact that \u0027shelve\u0027 creates a glance image which, if you never unshelve, is \"leaked\". But yeah, I agree in principle. The best we can do is document it.\n\n[Later] Or keep track of whether an instance has ever been snapshotted, as posited below (L303).","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":216,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":217,"context_line":"For the libvirt implementation, the emulated TPM data is stored in"},{"line_number":218,"context_line":"``/var/lib/libvirt/swtpm/\u003cinstance\u003e``. Certain lifecycle operations require"},{"line_number":219,"context_line":"that directory to be copied verbatim to the \"destination\". For (cold/live)"},{"line_number":220,"context_line":"migrations, only the user that nova-compute runs as is guaranteed to be able to"},{"line_number":221,"context_line":"have ssh keys set up for passwordless access, and it\u0027s only guaranteed to be"},{"line_number":222,"context_line":"able to copy files to the instance directory on the destination node. We"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_5cb42536","line":219,"range":{"start_line":219,"start_character":69,"end_line":219,"end_character":73},"updated":"2019-11-21 03:13:42.000000000","message":"depending on how live migration is coded it actually will not be copied separately from the rest of the vm state; it will be embedded. so nova only needs to care about copying it for cold migrates/resizes","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":216,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":217,"context_line":"For the libvirt implementation, the emulated TPM data is stored in"},{"line_number":218,"context_line":"``/var/lib/libvirt/swtpm/\u003cinstance\u003e``. Certain lifecycle operations require"},{"line_number":219,"context_line":"that directory to be copied verbatim to the \"destination\". 
For (cold/live)"},{"line_number":220,"context_line":"migrations, only the user that nova-compute runs as is guaranteed to be able to"},{"line_number":221,"context_line":"have ssh keys set up for passwordless access, and it\u0027s only guaranteed to be"},{"line_number":222,"context_line":"able to copy files to the instance directory on the destination node. We"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_5cb42536","line":219,"range":{"start_line":219,"start_character":69,"end_line":219,"end_character":73},"updated":"2019-11-21 03:13:42.000000000","message":"depending on how live migtion is coded it actully wont be coppied seperate form teh rest of the vm state it will be embeded. so nova only needs to care about copying it for cold migrates/resizes","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":216,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":217,"context_line":"For the libvirt implementation, the emulated TPM data is stored in"},{"line_number":218,"context_line":"``/var/lib/libvirt/swtpm/\u003cinstance\u003e``. Certain lifecycle operations require"},{"line_number":219,"context_line":"that directory to be copied verbatim to the \"destination\". For (cold/live)"},{"line_number":220,"context_line":"migrations, only the user that nova-compute runs as is guaranteed to be able to"},{"line_number":221,"context_line":"have ssh keys set up for passwordless access, and it\u0027s only guaranteed to be"},{"line_number":222,"context_line":"able to copy files to the instance directory on the destination node. 
We"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_32406506","line":219,"range":{"start_line":219,"start_character":69,"end_line":219,"end_character":73},"in_reply_to":"3fa7e38b_5cb42536","updated":"2019-11-21 17:54:24.000000000","message":"...below","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":222,"context_line":"able to copy files to the instance directory on the destination node. We"},{"line_number":223,"context_line":"therefore propose the following procedure for relevant lifecycle operations:"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":"* Copy the directory into the local instance directory, changing the ownership"},{"line_number":226,"context_line":"  to match it."},{"line_number":227,"context_line":"* Perform the move, which will automatically carry the data along."},{"line_number":228,"context_line":"* Change ownership back and move the directory out to"},{"line_number":229,"context_line":"  ``/var/lib/libvirt/swtpm/\u003cinstance\u003e`` on the destination."},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"Since the expected ownership on the target may be different than on the source,"},{"line_number":232,"context_line":"and is (we think) impossible to detect, the admin must inform us of it via the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_dc79f581","line":229,"range":{"start_line":225,"start_character":1,"end_line":229,"end_character":59},"updated":"2019-11-21 03:13:42.000000000","message":"just to be clear this should not be required for live migration. 
qemu should embed the tpm data in the vmstate it transfers.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":222,"context_line":"able to copy files to the instance directory on the destination node. We"},{"line_number":223,"context_line":"therefore propose the following procedure for relevant lifecycle operations:"},{"line_number":224,"context_line":""},{"line_number":225,"context_line":"* Copy the directory into the local instance directory, changing the ownership"},{"line_number":226,"context_line":"  to match it."},{"line_number":227,"context_line":"* Perform the move, which will automatically carry the data along."},{"line_number":228,"context_line":"* Change ownership back and move the directory out to"},{"line_number":229,"context_line":"  ``/var/lib/libvirt/swtpm/\u003cinstance\u003e`` on the destination."},{"line_number":230,"context_line":""},{"line_number":231,"context_line":"Since the expected ownership on the target may be different than on the source,"},{"line_number":232,"context_line":"and is (we think) impossible to detect, the admin must inform us of it via the"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_925039d7","line":229,"range":{"start_line":225,"start_character":1,"end_line":229,"end_character":59},"in_reply_to":"3fa7e38b_dc79f581","updated":"2019-11-21 17:54:24.000000000","message":"...below","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":233,"context_line":"new ``[libvirt]swtpm_user`` and ``[libvirt]swtpm_group`` Config_ options 
if"},{"line_number":234,"context_line":"different from the default of ``tss``."},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"This should allow support of cold/live migration and resizes that don\u0027t change"},{"line_number":237,"context_line":"the device."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"Resize can potentially add a vTPM to an instance that didn\u0027t have one before,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_3cecc927","line":236,"range":{"start_line":236,"start_character":34,"end_line":236,"end_character":38},"updated":"2019-11-21 03:13:42.000000000","message":"again, live migration should not need to do these extra steps.\nim basing this on the qemu docs for migration\n\nhttps://github.com/qemu/qemu/blob/6a5d22083d50c76a3fdc0bffc6658f42b3b37981/docs/specs/tpm.txt#L324-L383\n\ni may be misreading them but im pretty sure it will not require nova to copy anything in the live migration case.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":233,"context_line":"new ``[libvirt]swtpm_user`` and ``[libvirt]swtpm_group`` Config_ options if"},{"line_number":234,"context_line":"different from the default of ``tss``."},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"This should allow support of cold/live migration and resizes that don\u0027t change"},{"line_number":237,"context_line":"the device."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"Resize can potentially add a vTPM to an instance that didn\u0027t have one 
before,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_72925d4d","line":236,"range":{"start_line":236,"start_character":34,"end_line":236,"end_character":38},"in_reply_to":"3fa7e38b_3cecc927","updated":"2019-11-21 17:54:24.000000000","message":"Hm, when I first read that reference, I thought manual intervention *would* be necessary, but now I think I see what you\u0027re saying. I\u0027ll have to test it out. But at least as of [1] (specifically at PS9, which was the last time cfriesen touched it) they seemed to think it was necessary.\n\n...or maybe they just implemented it there because cold/live migrate goes through a common path and it was easier not to condition it? No idea :(\n\n[1] https://review.opendev.org/#/c/639934/9","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":233,"context_line":"new ``[libvirt]swtpm_user`` and ``[libvirt]swtpm_group`` Config_ options if"},{"line_number":234,"context_line":"different from the default of ``tss``."},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"This should allow support of cold/live migration and resizes that don\u0027t change"},{"line_number":237,"context_line":"the device."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"Resize can potentially add a vTPM to an instance that didn\u0027t have one before,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_fa65ad1d","line":236,"in_reply_to":"3fa7e38b_5dcbad51","updated":"2019-11-23 00:12:42.000000000","message":"I still haven\u0027t tested this, but don\u0027t want to lose track, so I\u0027m putting a TODO in the spec to confirm it.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b7199f1de8bc98109806e7ff252898aba54de17a","unresolved":false,"context_lines":[{"line_number":233,"context_line":"new ``[libvirt]swtpm_user`` and ``[libvirt]swtpm_group`` Config_ options if"},{"line_number":234,"context_line":"different from the default of ``tss``."},{"line_number":235,"context_line":""},{"line_number":236,"context_line":"This should allow support of cold/live migration and resizes that don\u0027t change"},{"line_number":237,"context_line":"the device."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"Resize can potentially add a vTPM to an instance that didn\u0027t have one before,"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_5dcbad51","line":236,"in_reply_to":"3fa7e38b_72925d4d","updated":"2019-11-22 01:09:09.000000000","message":"Cool I haven\u0027t tested it but the migrate to localhost example where they use different temp dirs implies the state is transferred","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":236,"context_line":"This should allow support of cold/live migration and resizes that don\u0027t change"},{"line_number":237,"context_line":"the device."},{"line_number":238,"context_line":""},{"line_number":239,"context_line":"Resize can potentially add a vTPM to an instance that didn\u0027t have one before,"},{"line_number":240,"context_line":"or remove the vTPM from an instance that did have one, and those should \"just"},{"line_number":241,"context_line":"work\". 
Resizing from one version/model to a different one will also \"just work\""},{"line_number":242,"context_line":"(though may not be what you meant to do, as the data can\u0027t and won\u0027t carry"},{"line_number":243,"context_line":"over). If both old and new flavors have the same model/version, we must ensure"},{"line_number":244,"context_line":"we convey the virtual device data as described above."},{"line_number":245,"context_line":""},{"line_number":246,"context_line":"Snapshots, etc."},{"line_number":247,"context_line":"~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_9cdcdd74","line":244,"range":{"start_line":239,"start_character":0,"end_line":244,"end_character":53},"updated":"2019-11-21 03:13:42.000000000","message":"+1","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":251,"context_line":""},{"line_number":252,"context_line":"The compute driver\u0027s snapshot operation needs to:"},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"* Save the vTPM data file to swift."},{"line_number":255,"context_line":"* Save the swift object ID and digital signature (sha256) of the file to the"},{"line_number":256,"context_line":"  instance\u0027s ``system_metadata`` under the (new) ``tpm_object_id`` and"},{"line_number":257,"context_line":"  ``tpm_object_sha256`` keys."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_bcd7594f","line":254,"range":{"start_line":254,"start_character":1,"end_line":254,"end_character":35},"updated":"2019-11-21 03:13:42.000000000","message":"is it a single file or a directory of files.\nwe may need to tar.gz the directory and save that instead.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric 
Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":251,"context_line":""},{"line_number":252,"context_line":"The compute driver\u0027s snapshot operation needs to:"},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"* Save the vTPM data file to swift."},{"line_number":255,"context_line":"* Save the swift object ID and digital signature (sha256) of the file to the"},{"line_number":256,"context_line":"  instance\u0027s ``system_metadata`` under the (new) ``tpm_object_id`` and"},{"line_number":257,"context_line":"  ``tpm_object_sha256`` keys."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_d23eb127","line":254,"range":{"start_line":254,"start_character":1,"end_line":254,"end_character":35},"in_reply_to":"3fa7e38b_bcd7594f","updated":"2019-11-21 17:54:24.000000000","message":"It *appears* to be a single file in a single directory named after the instance. 
But yes, probably safer to zip up the whole directory.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":251,"context_line":""},{"line_number":252,"context_line":"The compute driver\u0027s snapshot operation needs to:"},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"* Save the vTPM data file to swift."},{"line_number":255,"context_line":"* Save the swift object ID and digital signature (sha256) of the file to the"},{"line_number":256,"context_line":"  instance\u0027s ``system_metadata`` under the (new) ``tpm_object_id`` and"},{"line_number":257,"context_line":"  ``tpm_object_sha256`` keys."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_fa4e0d94","line":254,"range":{"start_line":254,"start_character":1,"end_line":254,"end_character":35},"in_reply_to":"3fa7e38b_d23eb127","updated":"2019-11-23 00:12:42.000000000","message":"Done","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":259,"context_line":"  properties on the image. 
(This ensures that the image can only be used on"},{"line_number":260,"context_line":"  capable hosts.)"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"For operations which create a snapshot, but which also delete the instance"},{"line_number":263,"context_line":"(such as shelve-offload), the compute manager must copy the ``tpm_object_id``,"},{"line_number":264,"context_line":"``tpm_object_sha256``, and ``tpm_secret_uuid`` into the snapshot\u0027s image"},{"line_number":265,"context_line":"metadata."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_fccab19d","line":262,"range":{"start_line":262,"start_character":55,"end_line":262,"end_character":74},"updated":"2019-11-21 03:13:42.000000000","message":"shelve offload delete the domain but not the instnace in the nova db so this info could be stored in instance system metadata? is this for the ability to create multipel instance form teh shapshot because if so would we not need to always do this?","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b7199f1de8bc98109806e7ff252898aba54de17a","unresolved":false,"context_lines":[{"line_number":259,"context_line":"  properties on the image. 
(This ensures that the image can only be used on"},{"line_number":260,"context_line":"  capable hosts.)"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"For operations which create a snapshot, but which also delete the instance"},{"line_number":263,"context_line":"(such as shelve-offload), the compute manager must copy the ``tpm_object_id``,"},{"line_number":264,"context_line":"``tpm_object_sha256``, and ``tpm_secret_uuid`` into the snapshot\u0027s image"},{"line_number":265,"context_line":"metadata."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_7dcb0949","line":262,"in_reply_to":"3fa7e38b_5231610a","updated":"2019-11-22 01:09:09.000000000","message":"I am not sure. If your did I wonder if it could cause issues with unshelve. If ceph did a copy on wright clone for the new instance and the you unshelved the original instance I wonder if the snapshot delete would fail","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":259,"context_line":"  properties on the image. 
(This ensures that the image can only be used on"},{"line_number":260,"context_line":"  capable hosts.)"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"For operations which create a snapshot, but which also delete the instance"},{"line_number":263,"context_line":"(such as shelve-offload), the compute manager must copy the ``tpm_object_id``,"},{"line_number":264,"context_line":"``tpm_object_sha256``, and ``tpm_secret_uuid`` into the snapshot\u0027s image"},{"line_number":265,"context_line":"metadata."}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_5231610a","line":262,"range":{"start_line":262,"start_character":55,"end_line":262,"end_character":74},"in_reply_to":"3fa7e38b_fccab19d","updated":"2019-11-21 17:54:24.000000000","message":"Ugh, sorry, I got mixed up again, you\u0027re right. I guess this is for the backup/restore case?\n\n[Later] No, the backup/restore APIs still don\u0027t actually delete the instance. So I guess the only thing we\u0027re talking about is the actual snapshot (createImage) API [1]?\n\nBut since you bring it up, when I shelve or backup, is there anything stopping me from just spawning a new VM from those images? IOW unless I\u0027m somehow restricted to only unshelve/restore, then it seems like maybe we *should* always put the metadata in the glance image. 
(And if we do, I\u0027m not sure there\u0027s a good reason to put it in the instance sysmeta.)\n\n[1] https://docs.openstack.org/api-ref/compute/?expanded\u003dcreate-image-createimage-action-detail#create-image-createimage-action","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":260,"context_line":"  capable hosts.)"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"For operations which create a snapshot, but which also delete the instance"},{"line_number":263,"context_line":"(such as shelve-offload), the compute manager must copy the ``tpm_object_id``,"},{"line_number":264,"context_line":"``tpm_object_sha256``, and ``tpm_secret_uuid`` into the snapshot\u0027s image"},{"line_number":265,"context_line":"metadata."},{"line_number":266,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_5cbbc50d","line":263,"range":{"start_line":263,"start_character":62,"end_line":263,"end_character":75},"updated":"2019-11-21 03:13:42.000000000","message":"what is this? 
is it a reference to a swift object?","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":260,"context_line":"  capable hosts.)"},{"line_number":261,"context_line":""},{"line_number":262,"context_line":"For operations which create a snapshot, but which also delete the instance"},{"line_number":263,"context_line":"(such as shelve-offload), the compute manager must copy the ``tpm_object_id``,"},{"line_number":264,"context_line":"``tpm_object_sha256``, and ``tpm_secret_uuid`` into the snapshot\u0027s image"},{"line_number":265,"context_line":"metadata."},{"line_number":266,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_72349dfb","line":263,"range":{"start_line":263,"start_character":62,"end_line":263,"end_character":75},"in_reply_to":"3fa7e38b_5cbbc50d","updated":"2019-11-21 17:54:24.000000000","message":"Yes, see L255-7.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":286,"context_line":""},{"line_number":287,"context_line":"* Because the vTPM data can only be unlocked via a key only accessible to the"},{"line_number":288,"context_line":"  original instance owner, a snapshot with ``tpm_object_*`` metadata can only"},{"line_number":289,"context_line":"  be used by that original owner to boot (restore, unshelve, rebuild, etc.) an"},{"line_number":290,"context_line":"  instance."},{"line_number":291,"context_line":"* Booting with \"conflicting vTPMs\" (e.g. 
rebuild, your instance already had a"},{"line_number":292,"context_line":"  vTPM, and the new image specifies a different one) will give you your"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_fc5871f9","line":289,"range":{"start_line":289,"start_character":27,"end_line":289,"end_character":32},"updated":"2019-11-21 03:13:42.000000000","message":"owner in this case is the tenants keystone user right?\nnot the project? that has some other implication in the case an unhappy employee leaves and there account is deactivated.\n\ni assume there is no way to make the key be owned by the project right instead of a user.\n\nif there is not i think it fine as long as we docuemnt this.\n\ni would prefer it to be too secure rather then less secure.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b7199f1de8bc98109806e7ff252898aba54de17a","unresolved":false,"context_lines":[{"line_number":286,"context_line":""},{"line_number":287,"context_line":"* Because the vTPM data can only be unlocked via a key only accessible to the"},{"line_number":288,"context_line":"  original instance owner, a snapshot with ``tpm_object_*`` metadata can only"},{"line_number":289,"context_line":"  be used by that original owner to boot (restore, unshelve, rebuild, etc.) an"},{"line_number":290,"context_line":"  instance."},{"line_number":291,"context_line":"* Booting with \"conflicting vTPMs\" (e.g. 
rebuild, your instance already had a"},{"line_number":292,"context_line":"  vTPM, and the new image specifies a different one) will give you your"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_9dfb6579","line":289,"in_reply_to":"","updated":"2019-11-22 01:09:09.000000000","message":"sure but I was wondering was actually happens with barbican as a concrete example we don\u0027t have to detail that in the spec I was just wondering how it works","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":286,"context_line":""},{"line_number":287,"context_line":"* Because the vTPM data can only be unlocked via a key only accessible to the"},{"line_number":288,"context_line":"  original instance owner, a snapshot with ``tpm_object_*`` metadata can only"},{"line_number":289,"context_line":"  be used by that original owner to boot (restore, unshelve, rebuild, etc.) an"},{"line_number":290,"context_line":"  instance."},{"line_number":291,"context_line":"* Booting with \"conflicting vTPMs\" (e.g. rebuild, your instance already had a"},{"line_number":292,"context_line":"  vTPM, and the new image specifies a different one) will give you your"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_7a08dd2b","line":289,"in_reply_to":"3fa7e38b_9dfb6579","updated":"2019-11-23 00:12:42.000000000","message":"The configuration should use\n\n [key_manager]\n auth_type \u003d token\n\nWhen nova calls a castellan API, it\u0027ll pass the result of credential_factory(CONF, context) [1], which will be the context.auth_token, as the `context` param. The backend uses that to create a ksa Session (e.g. 
[2] for the barbican backend) and uses that Session to talk to the service.\n\n[1] https://opendev.org/openstack/castellan/src/branch/master/castellan/common/utils.py#L95\n[2] https://opendev.org/openstack/castellan/src/branch/master/castellan/key_manager/barbican_key_manager.py#L124-L126","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":286,"context_line":""},{"line_number":287,"context_line":"* Because the vTPM data can only be unlocked via a key only accessible to the"},{"line_number":288,"context_line":"  original instance owner, a snapshot with ``tpm_object_*`` metadata can only"},{"line_number":289,"context_line":"  be used by that original owner to boot (restore, unshelve, rebuild, etc.) an"},{"line_number":290,"context_line":"  instance."},{"line_number":291,"context_line":"* Booting with \"conflicting vTPMs\" (e.g. rebuild, your instance already had a"},{"line_number":292,"context_line":"  vTPM, and the new image specifies a different one) will give you your"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_0da18ef7","line":289,"range":{"start_line":289,"start_character":27,"end_line":289,"end_character":32},"in_reply_to":"3fa7e38b_fc5871f9","updated":"2019-11-21 17:54:24.000000000","message":"The keymgr determines the ownership of the key based on the RequestContext when the instance is created. Any time the key needs to be accessed subsequently, the keymgr service needs to be convinced that *that* RequestContext is allowed to do so. 
How all of that works is (and should remain) a total black box to me (and to nova).","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":299,"context_line":"  (wrote) to the vTPM. (It may be possible to mitigate this by mounting"},{"line_number":300,"context_line":"  ``/var/lib/libvirt/swtpm/`` on shared storage. That, of course, would bring"},{"line_number":301,"context_line":"  in additional security concerns.)"},{"line_number":302,"context_line":"* As `previously mentioned \u003cDestroy_\u003e`_, nova can never delete keys from the"},{"line_number":303,"context_line":"  key manager."},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Alternatives"},{"line_number":306,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_5cfe65af","line":303,"range":{"start_line":302,"start_character":2,"end_line":303,"end_character":14},"updated":"2019-11-21 03:13:42.000000000","message":"it can if there is no snapshot involved which would be the most likely case.  e.g. the tpm is enable by the flavor and you just grab a normal ubunut cloud image with no special metadata and boot a vm.\n\nin this case its perfectly fine to delete the key if no shapshot has been taken.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":299,"context_line":"  (wrote) to the vTPM. (It may be possible to mitigate this by mounting"},{"line_number":300,"context_line":"  ``/var/lib/libvirt/swtpm/`` on shared storage. 
That, of course, would bring"},{"line_number":301,"context_line":"  in additional security concerns.)"},{"line_number":302,"context_line":"* As `previously mentioned \u003cDestroy_\u003e`_, nova can never delete keys from the"},{"line_number":303,"context_line":"  key manager."},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Alternatives"},{"line_number":306,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_8d17beee","line":303,"range":{"start_line":302,"start_character":2,"end_line":303,"end_character":14},"in_reply_to":"3fa7e38b_5cfe65af","updated":"2019-11-21 17:54:24.000000000","message":"How do you know no snapshot has been taken? This would entail saving state across the entire lifespan of the instance. I... guess that\u0027s something we could do. Instance.system_metadata[\u0027has_ever_been_snapshotted\u0027] \u003d $bool. That seems kind of icky, but not too horrible. Thoughts?","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b7199f1de8bc98109806e7ff252898aba54de17a","unresolved":false,"context_lines":[{"line_number":300,"context_line":"  ``/var/lib/libvirt/swtpm/`` on shared storage. That, of course, would bring"},{"line_number":301,"context_line":"  in additional security concerns.)"},{"line_number":302,"context_line":"* As `previously mentioned \u003cDestroy_\u003e`_, nova can never delete keys from the"},{"line_number":303,"context_line":"  key manager."},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Alternatives"},{"line_number":306,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_9d304557","line":303,"in_reply_to":"3fa7e38b_8d17beee","updated":"2019-11-22 01:09:09.000000000","message":"that would work yes. 
I don\u0027t know if we can easily query glance for snapshots of an instance by setting a boil could work but could get out of sync","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":300,"context_line":"  ``/var/lib/libvirt/swtpm/`` on shared storage. That, of course, would bring"},{"line_number":301,"context_line":"  in additional security concerns.)"},{"line_number":302,"context_line":"* As `previously mentioned \u003cDestroy_\u003e`_, nova can never delete keys from the"},{"line_number":303,"context_line":"  key manager."},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"Alternatives"},{"line_number":306,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_15189a73","line":303,"in_reply_to":"3fa7e38b_9d304557","updated":"2019-11-23 00:12:42.000000000","message":"If we go with the \"images don\u0027t carry vTPM data\" theme mentioned above, this becomes n/a.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":307,"context_line":""},{"line_number":308,"context_line":"* Rather than using a trait, we could instead use arbitrarily large inventories"},{"line_number":309,"context_line":"  of ``1_2``/``2_0`` resource classes. 
Unless it can be shown that there\u0027s an"},{"line_number":310,"context_line":"  actual limit we can discover, this just isn\u0027t how we do things."},{"line_number":311,"context_line":"* Use physical passthrough (``\u003cbackend type\u003d\u0027passthrough\u0027\u003e``) of a real"},{"line_number":312,"context_line":"  (hardware) TPM device. This is not feasible with current TPM hardware because"},{"line_number":313,"context_line":"  (among other things) changing ownership of the secrets requires a host"}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_dc233557","line":310,"range":{"start_line":310,"start_character":32,"end_line":310,"end_character":64},"updated":"2019-11-21 03:13:42.000000000","message":"the use case of this is allowing quotas on via unified limts but since that is not a thing yet we can likely punt that down the line.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3a652098684405b9da2e0a66d3dc8b3a32d4f0c8","unresolved":false,"context_lines":[{"line_number":370,"context_line":"(e.g. by inspecting memory) the vTPM\u0027s contents and/or the passphrase while"},{"line_number":371,"context_line":"it\u0027s in flight. Beyond using private+ephemeral secrets in libvirt, no further"},{"line_number":372,"context_line":"attempt is made to guard against a compromised root user."},{"line_number":373,"context_line":""},{"line_number":374,"context_line":"Notifications impact"},{"line_number":375,"context_line":"--------------------"},{"line_number":376,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_7ce7a110","line":373,"updated":"2019-11-21 03:13:42.000000000","message":"what will we  do to lock down acess to the swift object containing the vtpm also how will user be able to find and remove these vtpm files form swift if they are deleteing the snapshots. 
dose swift allow use to lock acess to the object with a key or to a single autheicated user so only the user that created teh vm can acess it?","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"22a72b61b222da939e5e793595b358e4c840302e","unresolved":false,"context_lines":[{"line_number":370,"context_line":"(e.g. by inspecting memory) the vTPM\u0027s contents and/or the passphrase while"},{"line_number":371,"context_line":"it\u0027s in flight. Beyond using private+ephemeral secrets in libvirt, no further"},{"line_number":372,"context_line":"attempt is made to guard against a compromised root user."},{"line_number":373,"context_line":""},{"line_number":374,"context_line":"Notifications impact"},{"line_number":375,"context_line":"--------------------"},{"line_number":376,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_cdda96e7","line":373,"in_reply_to":"3fa7e38b_7ce7a110","updated":"2019-11-21 17:54:24.000000000","message":"\u003e what will we  do to lock down acess to the swift object containing\n \u003e the vtpm\n\nI don\u0027t think \"we\" (nova) will do any locking down. Presumably the deployer can take steps to make their swift more secure.\n\n \u003e dose swift\n \u003e allow use to lock acess to the object with a key or to a single\n \u003e autheicated user so only the user that created teh vm can acess it?\n\nAgain, I believe permission to manage a swift object is based on the RequestContext. I can spell that out here.\n\nAs mentioned above, part of the security model here is the fact that the data file itself is encrypted. Granted, having a copy in swift makes it easier (at least provides more places) to grab it. 
Which is kind of what the example on L359-67 tries to say.\n\n \u003e also how will user be able to find and remove these vtpm\n \u003e files form swift if they are deleteing the snapshots.\n\nYup, good question, but one that can be left to the implementation and documentation. I can at least mention here that we should use a sane naming convention for the keymgr secrets and the swift objects so that they are easy to find and associate.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"ef9d57a579fbc0227ffb6aa375c4eb2903b180f5","unresolved":false,"context_lines":[{"line_number":370,"context_line":"(e.g. by inspecting memory) the vTPM\u0027s contents and/or the passphrase while"},{"line_number":371,"context_line":"it\u0027s in flight. Beyond using private+ephemeral secrets in libvirt, no further"},{"line_number":372,"context_line":"attempt is made to guard against a compromised root user."},{"line_number":373,"context_line":""},{"line_number":374,"context_line":"Notifications impact"},{"line_number":375,"context_line":"--------------------"},{"line_number":376,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_d52762b5","line":373,"in_reply_to":"3fa7e38b_7d39c93c","updated":"2019-11-23 00:12:42.000000000","message":"I think this also becomes n/a, since we delete both the secret and the swift obj when we destroy the instance.","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b7199f1de8bc98109806e7ff252898aba54de17a","unresolved":false,"context_lines":[{"line_number":370,"context_line":"(e.g. by inspecting memory) the vTPM\u0027s contents and/or the passphrase while"},{"line_number":371,"context_line":"it\u0027s in flight. 
Beyond using private+ephemeral secrets in libvirt, no further"},{"line_number":372,"context_line":"attempt is made to guard against a compromised root user."},{"line_number":373,"context_line":""},{"line_number":374,"context_line":"Notifications impact"},{"line_number":375,"context_line":"--------------------"},{"line_number":376,"context_line":""}],"source_content_type":"text/x-rst","patch_set":8,"id":"3fa7e38b_7d39c93c","line":373,"in_reply_to":"3fa7e38b_cdda96e7","updated":"2019-11-22 01:09:09.000000000","message":"Ack","commit_id":"fd2e2bd29c4930b3fa714f8c42b7346190b11160"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Problem description"},{"line_number":21,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":22,"context_line":"Currently there is no way to create virtual machines within nova that provide"},{"line_number":23,"context_line":"a virtual TPM device to the guest."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Use Cases"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_08c4790d","line":22,"updated":"2019-12-04 15:46:17.000000000","message":"style nit: any chance of a newline under these headers?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Problem 
description"},{"line_number":21,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":22,"context_line":"Currently there is no way to create virtual machines within nova that provide"},{"line_number":23,"context_line":"a virtual TPM device to the guest."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"Use Cases"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_8b006337","line":22,"in_reply_to":"3fa7e38b_08c4790d","updated":"2019-12-04 19:09:12.000000000","message":"Is that just a personal preference? (My preference is to lose the unnecessary newline and save vspace, so unless there\u0027s another reason...)","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":27,"context_line":"Support the virtualizing of existing applications and operating systems which"},{"line_number":28,"context_line":"expect to make use of physical TPM devices. 
At least one hypervisor"},{"line_number":29,"context_line":"(libvirt/qemu) currently supports the creation of an emulated TPM device which"},{"line_number":30,"context_line":"is associated with a per-VM \"swtpm\" process on the host, but there is no way to"},{"line_number":31,"context_line":"tell nova to enable it."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_88006937","line":30,"range":{"start_line":30,"start_character":28,"end_line":30,"end_character":35},"updated":"2019-12-04 15:46:17.000000000","message":"``swtpm`` (or link to the docs [1])\n\n[1] https://github.com/stefanberger/swtpm/wiki","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":27,"context_line":"Support the virtualizing of existing applications and operating systems which"},{"line_number":28,"context_line":"expect to make use of physical TPM devices. 
At least one hypervisor"},{"line_number":29,"context_line":"(libvirt/qemu) currently supports the creation of an emulated TPM device which"},{"line_number":30,"context_line":"is associated with a per-VM \"swtpm\" process on the host, but there is no way to"},{"line_number":31,"context_line":"tell nova to enable it."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_cbb41b85","line":30,"range":{"start_line":30,"start_character":28,"end_line":30,"end_character":35},"in_reply_to":"3fa7e38b_88006937","updated":"2019-12-04 19:09:12.000000000","message":"Made ``literal`` and added the link in the References section.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"474f823ddf3cf98e06f7765a9229cbadfe9075b3","unresolved":false,"context_lines":[{"line_number":27,"context_line":"Support the virtualizing of existing applications and operating systems which"},{"line_number":28,"context_line":"expect to make use of physical TPM devices. At least one hypervisor"},{"line_number":29,"context_line":"(libvirt/qemu) currently supports the creation of an emulated TPM device which"},{"line_number":30,"context_line":"is associated with a per-VM \"swtpm\" process on the host, but there is no way to"},{"line_number":31,"context_line":"tell nova to enable it."},{"line_number":32,"context_line":""},{"line_number":33,"context_line":"Proposed change"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_f15c64f1","line":30,"range":{"start_line":30,"start_character":28,"end_line":30,"end_character":35},"in_reply_to":"3fa7e38b_88006937","updated":"2019-12-04 17:38:42.000000000","message":"just noting in passign that there are other vtpm implemation too that as a seperate effort my want to be enabeld in the future. 
such as https://github.com/keylime/keylime\n\nso we might not want o use the name swtpm in configure options and docs so that the same options can be reused it you use a different software vtpm implementation.\n\nthis i would hope shoudl be fairly transparent to nova but just said i woudl mention it.\n\nthis spec is focusing on the swtpm implementation which is fine.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Config"},{"line_number":77,"context_line":"------"},{"line_number":78,"context_line":"All of the following apply to the compute (not conductor/scheduler/api)"},{"line_number":79,"context_line":"configs:"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"* A new config option will be introduced to act as a \"master switch\" enabling"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_28f05566","line":78,"range":{"start_line":78,"start_character":67,"end_line":78,"end_character":71},"updated":"2019-12-04 15:46:17.000000000","message":"API","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":75,"context_line":""},{"line_number":76,"context_line":"Config"},{"line_number":77,"context_line":"------"},{"line_number":78,"context_line":"All of the following apply to the compute (not conductor/scheduler/api)"},{"line_number":79,"context_line":"configs:"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"* A new config option will be introduced to act as a \"master switch\" 
enabling"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_4ba82b1f","line":78,"range":{"start_line":78,"start_character":67,"end_line":78,"end_character":71},"in_reply_to":"3fa7e38b_28f05566","updated":"2019-12-04 19:09:12.000000000","message":"Done","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":78,"context_line":"All of the following apply to the compute (not conductor/scheduler/api)"},{"line_number":79,"context_line":"configs:"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"* A new config option will be introduced to act as a \"master switch\" enabling"},{"line_number":82,"context_line":"  vTPM. This config option would apply to future drivers\u0027 implementations as"},{"line_number":83,"context_line":"  well, but since this spec and current implementation are specific to libvirt,"},{"line_number":84,"context_line":"  it is in the ``libvirt`` rather than the ``compute`` group::"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"     [libvirt]"},{"line_number":87,"context_line":"     vtpm_enabled \u003d $bool (default False)"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"* To enable move operations (anything involving rebuilding a vTPM on a new"},{"line_number":90,"context_line":"  host), nova must be able to lay down the vtpm data with the correct ownership"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_8885c9b0","line":87,"range":{"start_line":81,"start_character":0,"end_line":87,"end_character":41},"updated":"2019-12-04 15:46:17.000000000","message":"Why do we need this? Can we not enable it for everyone by default? 
Is there an expense in doing so?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":78,"context_line":"All of the following apply to the compute (not conductor/scheduler/api)"},{"line_number":79,"context_line":"configs:"},{"line_number":80,"context_line":""},{"line_number":81,"context_line":"* A new config option will be introduced to act as a \"master switch\" enabling"},{"line_number":82,"context_line":"  vTPM. This config option would apply to future drivers\u0027 implementations as"},{"line_number":83,"context_line":"  well, but since this spec and current implementation are specific to libvirt,"},{"line_number":84,"context_line":"  it is in the ``libvirt`` rather than the ``compute`` group::"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"     [libvirt]"},{"line_number":87,"context_line":"     vtpm_enabled \u003d $bool (default False)"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"* To enable move operations (anything involving rebuilding a vTPM on a new"},{"line_number":90,"context_line":"  host), nova must be able to lay down the vtpm data with the correct ownership"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_0b49d38c","line":87,"range":{"start_line":81,"start_character":0,"end_line":87,"end_character":41},"in_reply_to":"3fa7e38b_8885c9b0","updated":"2019-12-04 19:09:12.000000000","message":"See previous discussion https://review.opendev.org/#/c/686804/8/specs/ussuri/approved/add-emulated-virtual-tpm.rst@84","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":87,"context_line":"     vtpm_enabled \u003d $bool (default False)"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"* To enable move operations (anything involving rebuilding a vTPM on a new"},{"line_number":90,"context_line":"  host), nova must be able to lay down the vtpm data with the correct ownership"},{"line_number":91,"context_line":"  -- that of the swtpm process libvirt will create -- but we can\u0027t detect a"},{"line_number":92,"context_line":"  priori what that ownership will be. Thus we need a pair of config options on"},{"line_number":93,"context_line":"  the compute indicating the user and group that should own vtpm data on that"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_a880c59d","line":90,"range":{"start_line":90,"start_character":43,"end_line":90,"end_character":47},"updated":"2019-12-04 15:46:17.000000000","message":"vTPM","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":87,"context_line":"     vtpm_enabled \u003d $bool (default False)"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"* To enable move operations (anything involving rebuilding a vTPM on a new"},{"line_number":90,"context_line":"  host), nova must be able to lay down the vtpm data with the correct ownership"},{"line_number":91,"context_line":"  -- that of the swtpm process libvirt will create -- but we can\u0027t detect a"},{"line_number":92,"context_line":"  priori what that ownership will be. 
Thus we need a pair of config options on"},{"line_number":93,"context_line":"  the compute indicating the user and group that should own vtpm data on that"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_cb42db68","line":90,"range":{"start_line":90,"start_character":43,"end_line":90,"end_character":47},"in_reply_to":"3fa7e38b_a880c59d","updated":"2019-12-04 19:09:12.000000000","message":"Done","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"* To enable move operations (anything involving rebuilding a vTPM on a new"},{"line_number":90,"context_line":"  host), nova must be able to lay down the vtpm data with the correct ownership"},{"line_number":91,"context_line":"  -- that of the swtpm process libvirt will create -- but we can\u0027t detect a"},{"line_number":92,"context_line":"  priori what that ownership will be. 
Thus we need a pair of config options on"},{"line_number":93,"context_line":"  the compute indicating the user and group that should own vtpm data on that"},{"line_number":94,"context_line":"  host::"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_a8a9a525","line":91,"range":{"start_line":91,"start_character":17,"end_line":91,"end_character":22},"updated":"2019-12-04 15:46:17.000000000","message":"``swtpm``","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":88,"context_line":""},{"line_number":89,"context_line":"* To enable move operations (anything involving rebuilding a vTPM on a new"},{"line_number":90,"context_line":"  host), nova must be able to lay down the vtpm data with the correct ownership"},{"line_number":91,"context_line":"  -- that of the swtpm process libvirt will create -- but we can\u0027t detect a"},{"line_number":92,"context_line":"  priori what that ownership will be. 
Thus we need a pair of config options on"},{"line_number":93,"context_line":"  the compute indicating the user and group that should own vtpm data on that"},{"line_number":94,"context_line":"  host::"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_eb455770","line":91,"range":{"start_line":91,"start_character":17,"end_line":91,"end_character":22},"in_reply_to":"3fa7e38b_a8a9a525","updated":"2019-12-04 19:09:12.000000000","message":"Done","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":90,"context_line":"  host), nova must be able to lay down the vtpm data with the correct ownership"},{"line_number":91,"context_line":"  -- that of the swtpm process libvirt will create -- but we can\u0027t detect a"},{"line_number":92,"context_line":"  priori what that ownership will be. 
Thus we need a pair of config options on"},{"line_number":93,"context_line":"  the compute indicating the user and group that should own vtpm data on that"},{"line_number":94,"context_line":"  host::"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"     [libvirt]"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_88ae292d","line":93,"range":{"start_line":93,"start_character":60,"end_line":93,"end_character":64},"updated":"2019-12-04 15:46:17.000000000","message":"vTPM","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":90,"context_line":"  host), nova must be able to lay down the vtpm data with the correct ownership"},{"line_number":91,"context_line":"  -- that of the swtpm process libvirt will create -- but we can\u0027t detect a"},{"line_number":92,"context_line":"  priori what that ownership will be. 
Thus we need a pair of config options on"},{"line_number":93,"context_line":"  the compute indicating the user and group that should own vtpm data on that"},{"line_number":94,"context_line":"  host::"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"     [libvirt]"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_ab575f27","line":93,"range":{"start_line":93,"start_character":60,"end_line":93,"end_character":64},"in_reply_to":"3fa7e38b_88ae292d","updated":"2019-12-04 19:09:12.000000000","message":"Done","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"474f823ddf3cf98e06f7765a9229cbadfe9075b3","unresolved":false,"context_lines":[{"line_number":94,"context_line":"  host::"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"     [libvirt]"},{"line_number":97,"context_line":"     swtpm_user \u003d $str (default \u0027tss\u0027)"},{"line_number":98,"context_line":"     swtpm_group \u003d $str (default \u0027tss\u0027)"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"* (Existing, known) options for ``[key_manager]``."},{"line_number":101,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_b1d90c57","line":98,"range":{"start_line":97,"start_character":4,"end_line":98,"end_character":39},"updated":"2019-12-04 17:38:42.000000000","message":"maybe vtpm_user and vtpm_group woudl be better","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":94,"context_line":"  host::"},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"     [libvirt]"},{"line_number":97,"context_line":"     swtpm_user \u003d 
$str (default \u0027tss\u0027)"},{"line_number":98,"context_line":"     swtpm_group \u003d $str (default \u0027tss\u0027)"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"* (Existing, known) options for ``[key_manager]``."},{"line_number":101,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_7152b46a","line":98,"range":{"start_line":97,"start_character":4,"end_line":98,"end_character":39},"in_reply_to":"3fa7e38b_b1d90c57","updated":"2019-12-04 19:09:12.000000000","message":"Considered that, but these config options are specific to the swtpm implementation. If a different implementation were used, it could have different eccentricities that might require different configurables, and it would be best to keep them distinct.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":106,"context_line":"-------------------------------"},{"line_number":107,"context_line":"In order to support this functionality we propose to:"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"* Use the existing ``COMPUTE_SECURITY_TPM_1_2`` and"},{"line_number":110,"context_line":"  ``COMPUTE_SECURITY_TPM_2_0`` traits. These represent the two different"},{"line_number":111,"context_line":"  versions of the TPM spec that are currently supported. A summary of the"},{"line_number":112,"context_line":"  differences between the two versions is currently available here_. When all"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_68788dc0","line":109,"range":{"start_line":109,"start_character":18,"end_line":109,"end_character":47},"updated":"2019-12-04 15:46:17.000000000","message":"1.2 is \u003c 2.0. 
Why do we need to support the former when we can support the latter? Note: \"because we can\" is a poor reason, as a lot of the cruft in the libvirt driver will attest to :)","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":106,"context_line":"-------------------------------"},{"line_number":107,"context_line":"In order to support this functionality we propose to:"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"* Use the existing ``COMPUTE_SECURITY_TPM_1_2`` and"},{"line_number":110,"context_line":"  ``COMPUTE_SECURITY_TPM_2_0`` traits. These represent the two different"},{"line_number":111,"context_line":"  versions of the TPM spec that are currently supported. A summary of the"},{"line_number":112,"context_line":"  differences between the two versions is currently available here_. When all"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_ab051f17","line":109,"range":{"start_line":109,"start_character":18,"end_line":109,"end_character":47},"in_reply_to":"3fa7e38b_68788dc0","updated":"2019-12-04 19:09:12.000000000","message":"2.0 is not backward compatible with 1.2; they\u0027re like different things. I thought I had stated that explicitly somewhere, but it\u0027s explained at the referenced link (L147). 
I added words.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"474f823ddf3cf98e06f7765a9229cbadfe9075b3","unresolved":false,"context_lines":[{"line_number":106,"context_line":"-------------------------------"},{"line_number":107,"context_line":"In order to support this functionality we propose to:"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"* Use the existing ``COMPUTE_SECURITY_TPM_1_2`` and"},{"line_number":110,"context_line":"  ``COMPUTE_SECURITY_TPM_2_0`` traits. These represent the two different"},{"line_number":111,"context_line":"  versions of the TPM spec that are currently supported. A summary of the"},{"line_number":112,"context_line":"  differences between the two versions is currently available here_. When all"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_51e8d8dd","line":109,"range":{"start_line":109,"start_character":18,"end_line":109,"end_character":47},"in_reply_to":"3fa7e38b_68788dc0","updated":"2019-12-04 17:38:42.000000000","message":"they present diffenrt apis in the guest and different feature set so an application that works with 1.2 may not work with 2.0 so we need to support both. 2.0 is not s stict supper set of 1.2 with backwards compatiablity.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":124,"context_line":"      requested version"},{"line_number":125,"context_line":"    * used by the libvirt compute driver to inject the appropriate guest XML_."},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"    .. 
note:: Whereas it would be possible to specify"},{"line_number":128,"context_line":"          ``trait:COMPUTE_SECURITY_TPM_{1_2|2_0}\u003drequired`` directly in the"},{"line_number":129,"context_line":"          flavor extra_specs or image metadata, this would only serve to"},{"line_number":130,"context_line":"          land the instance on a capable host; it would not trigger the libvirt"},{"line_number":131,"context_line":"          driver to create the virtual TPM device. Therefore, to avoid"},{"line_number":132,"context_line":"          confusion, this will not be documented as a possibility."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_482b5194","line":132,"range":{"start_line":127,"start_character":0,"end_line":132,"end_character":66},"updated":"2019-12-04 15:46:17.000000000","message":"Well, it _could_. We handle \u0027resources:VCPU\u0027 and \u0027resources:PCPU\u0027 for example. I think this should be an error at the API level if it\u0027s really something you don\u0027t want to support (like we do for combinations for \u0027resources:VCPU\u0027 and \u0027resources:PCPU\u0027 right now)","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":124,"context_line":"      requested version"},{"line_number":125,"context_line":"    * used by the libvirt compute driver to inject the appropriate guest XML_."},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"    .. 
note:: Whereas it would be possible to specify"},{"line_number":128,"context_line":"          ``trait:COMPUTE_SECURITY_TPM_{1_2|2_0}\u003drequired`` directly in the"},{"line_number":129,"context_line":"          flavor extra_specs or image metadata, this would only serve to"},{"line_number":130,"context_line":"          land the instance on a capable host; it would not trigger the libvirt"},{"line_number":131,"context_line":"          driver to create the virtual TPM device. Therefore, to avoid"},{"line_number":132,"context_line":"          confusion, this will not be documented as a possibility."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_963886cb","line":132,"range":{"start_line":127,"start_character":0,"end_line":132,"end_character":66},"in_reply_to":"3fa7e38b_482b5194","updated":"2019-12-04 19:09:12.000000000","message":"I considered and rejected those options. I\u0027ll explain in Alternatives. (Note that there\u0027s not super strong motivation either way; this is just better/simpler enough to be the chosen path.)\n\nI\u0027ll mention here (but not in the spec) that the possibility that placement-ese syntax would \"work\" is not something that would even occur to operators. 
It only occurs to us (devs) because we\u0027re so indoctrinated in the implementation.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"474f823ddf3cf98e06f7765a9229cbadfe9075b3","unresolved":false,"context_lines":[{"line_number":124,"context_line":"      requested version"},{"line_number":125,"context_line":"    * used by the libvirt compute driver to inject the appropriate guest XML_."},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"    .. note:: Whereas it would be possible to specify"},{"line_number":128,"context_line":"          ``trait:COMPUTE_SECURITY_TPM_{1_2|2_0}\u003drequired`` directly in the"},{"line_number":129,"context_line":"          flavor extra_specs or image metadata, this would only serve to"},{"line_number":130,"context_line":"          land the instance on a capable host; it would not trigger the libvirt"},{"line_number":131,"context_line":"          driver to create the virtual TPM device. Therefore, to avoid"},{"line_number":132,"context_line":"          confusion, this will not be documented as a possibility."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_f18b0414","line":132,"range":{"start_line":127,"start_character":0,"end_line":132,"end_character":66},"in_reply_to":"3fa7e38b_482b5194","updated":"2019-12-04 17:38:42.000000000","message":"it should not however\ntraits should not alter the way that we emulate a vm.\n\ne.g. 
if two vms are spawned on the same host and the only difference is one has the trait and the other does not they should be identical.\n\ntraits are for capablity not configuration.\n\nin this case teh COMPUTE_SERCUREITY_TPM tratis are descirbing that hte host is capable of emulatinge a tpm but it is not a request to do so.\n\nso we __could__ but we __should not__ do so.\n\nthis is also a little different the the PCPU case as that is a resouce request. we discussed that we could model the vtpm as a resouce if we wanted to use unified limits to apply a quota in the future but im not sure that is a usecase we want to support currently so its just a trait.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f9e5e974280f691c3bbc0a90921cb4a4a24a0dbf","unresolved":false,"context_lines":[{"line_number":133,"context_line":""},{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."},{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":140,"context_line":"\"inventory\" is effectively unlimited. Thus there are no resource classes"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_dc9b8614","line":137,"range":{"start_line":136,"start_character":4,"end_line":137,"end_character":59},"updated":"2019-12-04 13:58:07.000000000","message":"I feel a contradiction here? 
Why we reject the config that is the only compatible combination for CRB?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":133,"context_line":""},{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."},{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":140,"context_line":"\"inventory\" is effectively unlimited. Thus there are no resource classes"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_eb08f727","line":137,"range":{"start_line":136,"start_character":4,"end_line":137,"end_character":59},"in_reply_to":"3fa7e38b_dc9b8614","updated":"2019-12-04 15:46:17.000000000","message":"Yeah, think you got this backwards.\n\nAs above, any reason to expose this to the user? Can we choose one, possibly for each version if we need to support multiple versions, and use that?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":133,"context_line":""},{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. 
If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."},{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":140,"context_line":"\"inventory\" is effectively unlimited. Thus there are no resource classes"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_f610daad","line":137,"range":{"start_line":136,"start_character":4,"end_line":137,"end_character":59},"in_reply_to":"3fa7e38b_eb08f727","updated":"2019-12-04 19:09:12.000000000","message":"Whoops, yes, this should be \"...requested with version 1.2...\". Done.\n\n \u003e As above, any reason to expose this to the user? Can we choose one,\n \u003e possibly for each version if we need to support multiple versions,\n \u003e and use that?\n\nNo, again, they\u0027re different things. These are the supported options, all mutually exclusive:\n\n- 1.2/TIS\n- 2.0/TIS\n- 2.0/CRB\n\nI added more clarification of this.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"474f823ddf3cf98e06f7765a9229cbadfe9075b3","unresolved":false,"context_lines":[{"line_number":133,"context_line":""},{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. 
If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."},{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":140,"context_line":"\"inventory\" is effectively unlimited. Thus there are no resource classes"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_d18288c7","line":137,"range":{"start_line":136,"start_character":4,"end_line":137,"end_character":59},"in_reply_to":"3fa7e38b_eb08f727","updated":"2019-12-04 17:38:42.000000000","message":"No, we can\u0027t choose the TPM version.\nCRB vs TIS maybe, but we should expose this.\n\nI\u0027m not sure if the CRB vs TIS model will be user visible, but the version 1.2 vs 2.0 would be.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f9e5e974280f691c3bbc0a90921cb4a4a24a0dbf","unresolved":false,"context_lines":[{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":140,"context_line":"\"inventory\" is effectively unlimited. 
Thus there are no resource classes"},{"line_number":141,"context_line":"associated with this feature."},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"If both the flavor and the image specify a TPM trait or device model and the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_dcb4e684","line":140,"range":{"start_line":139,"start_character":0,"end_line":140,"end_character":37},"updated":"2019-12-04 13:58:07.000000000","message":"Do we have size limitation on such a file? If not then this is an attack vector to use up the host\u0027s local disk.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"82fccd9cda593afffd4c607f5c6383cc76b677cb","unresolved":false,"context_lines":[{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":140,"context_line":"\"inventory\" is effectively unlimited. 
Thus there are no resource classes"},{"line_number":141,"context_line":"associated with this feature."},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"If both the flavor and the image specify a TPM trait or device model and the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_7194f48c","line":140,"range":{"start_line":139,"start_character":0,"end_line":140,"end_character":37},"in_reply_to":"3fa7e38b_6b2de78d","updated":"2019-12-04 17:14:20.000000000","message":"This is controlled by the TPM implementation, but I think it\u0027s of the order of a MB or two.\n\nIt\u0027s emulating a physical piece of hardware, so this will not grow unbounded; as such I don\u0027t see it as an attack vector any more than the instance console log growing is.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":140,"context_line":"\"inventory\" is effectively unlimited. 
Thus there are no resource classes"},{"line_number":141,"context_line":"associated with this feature."},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"If both the flavor and the image specify a TPM trait or device model and the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_71ccf489","line":140,"range":{"start_line":139,"start_character":0,"end_line":140,"end_character":37},"in_reply_to":"3fa7e38b_7194f48c","updated":"2019-12-04 19:09:12.000000000","message":"A physical TPM has a certain number of buckets of fixed purpose and size. It\u0027s not an arbitrary data store. Therefore any emulated solution should behave similarly. If it doesn\u0027t - if it\u0027s possible to blow up the size of the backing file - I say that\u0027s a bug in the swtpm implementation, not something we need to deal with at this level.\n\n \u003e Would a\n \u003e startup check that fails if the TPM is enabled and there\u0027s no disk\n \u003e reserved for the host be too much?\n\nDefinitely. We don\u0027t worry about the user DOSing the host by finagling ways to blow up the domain XML. This is (or should be, per above) similar.\n\n\u003e the order of a mb or two\n\nOn the order of 4K in my testing. 
Though I only \"hello world\"ed the thing, I haven\u0027t really tried using it extensively and seeing if/how much it grows.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f55ab0fca4273b78f9195ea7a3dbbfb4f45d8c23","unresolved":false,"context_lines":[{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":140,"context_line":"\"inventory\" is effectively unlimited. Thus there are no resource classes"},{"line_number":141,"context_line":"associated with this feature."},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"If both the flavor and the image specify a TPM trait or device model and the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_da9295fc","line":140,"range":{"start_line":139,"start_character":0,"end_line":140,"end_character":37},"in_reply_to":"3fa7e38b_71ccf489","updated":"2019-12-05 13:17:29.000000000","message":"If this is on the order of 4K / vtpm dev then I\u0027m not worried. But I think if the size is unbounded then we cannot simply shift the blame to the swtpm implementation, as we (nova) are exposing this capability to the end user. 
Anyhow I assume that it is bounded to the 4K level and we will deal with the fallout if it isn\u0027t.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 2.0, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"Note that since the TPM is emulated (a process/file on the host), the"},{"line_number":140,"context_line":"\"inventory\" is effectively unlimited. Thus there are no resource classes"},{"line_number":141,"context_line":"associated with this feature."},{"line_number":142,"context_line":""},{"line_number":143,"context_line":"If both the flavor and the image specify a TPM trait or device model and the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_6b2de78d","line":140,"range":{"start_line":139,"start_character":0,"end_line":140,"end_character":37},"in_reply_to":"3fa7e38b_dcb4e684","updated":"2019-12-04 15:46:17.000000000","message":"Yeah, would be good to comment on the size of the file. Would a startup check that fails if the TPM is enabled and there\u0027s no disk reserved for the host be too much?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":154,"context_line":""},{"line_number":155,"context_line":".. _vtpm-ops-by-owner-only:"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":".. 
note:: Because only the instance owner has access to the key manager entry,"},{"line_number":158,"context_line":"          lifecycle operations performed by the admin cannot result in a"},{"line_number":159,"context_line":"          running VM. This includes rebooting the host: an instance with a vTPM"},{"line_number":160,"context_line":"          will not boot automatically, and will instead have to be powered on"},{"line_number":161,"context_line":"          manually by its owner."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"          Other lifecycle operations which are by default admin-only will only"},{"line_number":164,"context_line":"          work when performed by the VM owner, meaning the owner must be given"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_cb6c1bd2","line":161,"range":{"start_line":157,"start_character":0,"end_line":161,"end_character":32},"updated":"2019-12-04 15:46:17.000000000","message":"So this will have to be documented as part of the \u0027resume_guests_state_on_host_boot\u0027 option, I guess","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":154,"context_line":""},{"line_number":155,"context_line":".. _vtpm-ops-by-owner-only:"},{"line_number":156,"context_line":""},{"line_number":157,"context_line":".. note:: Because only the instance owner has access to the key manager entry,"},{"line_number":158,"context_line":"          lifecycle operations performed by the admin cannot result in a"},{"line_number":159,"context_line":"          running VM. 
This includes rebooting the host: an instance with a vTPM"},{"line_number":160,"context_line":"          will not boot automatically, and will instead have to be powered on"},{"line_number":161,"context_line":"          manually by its owner."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"          Other lifecycle operations which are by default admin-only will only"},{"line_number":164,"context_line":"          work when performed by the VM owner, meaning the owner must be given"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_36e1929c","line":161,"range":{"start_line":157,"start_character":0,"end_line":161,"end_character":32},"in_reply_to":"3fa7e38b_cb6c1bd2","updated":"2019-12-04 19:09:12.000000000","message":"That might be a bit ambitious. The existing docs for that option [1] are (deliberately, I imagine) extremely vague.\n\nHowever, I\u0027ve just found out that this assertion is not wholly correct -- see below.\n\n[1] https://docs.openstack.org/nova/latest/configuration/config.html#DEFAULT.resume_guests_state_on_host_boot","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":160,"context_line":"          will not boot automatically, and will instead have to be powered on"},{"line_number":161,"context_line":"          manually by its owner."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"          Other lifecycle operations which are by default admin-only will only"},{"line_number":164,"context_line":"          work when performed by the VM owner, meaning the owner must be given"},{"line_number":165,"context_line":"          the appropriate policy roles to do so; otherwise these operations"},{"line_number":166,"context_line":"          
will be in effect disabled."},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"          ...except live migration, since the (already decrypted) running state"},{"line_number":169,"context_line":"          of the vTPM is carried along to the destination. (To clarify: live"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_cba17bf9","line":166,"range":{"start_line":163,"start_character":0,"end_line":166,"end_character":37},"updated":"2019-12-04 15:46:17.000000000","message":"Can we enforce this at the API/policy level? Perhaps there can be a policy specifically for move operations concerning instances with vTPM that defaults to \u0027owner\u0027 instead of \u0027admin_or_owner\u0027, if that\u0027s a thing?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":160,"context_line":"          will not boot automatically, and will instead have to be powered on"},{"line_number":161,"context_line":"          manually by its owner."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"          Other lifecycle operations which are by default admin-only will only"},{"line_number":164,"context_line":"          work when performed by the VM owner, meaning the owner must be given"},{"line_number":165,"context_line":"          the appropriate policy roles to do so; otherwise these operations"},{"line_number":166,"context_line":"          will be in effect disabled."},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"          ...except live migration, since the (already decrypted) running state"},{"line_number":169,"context_line":"          of the vTPM is carried along to the destination. 
(To clarify: live"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_16f01666","line":166,"range":{"start_line":163,"start_character":0,"end_line":166,"end_character":37},"in_reply_to":"3fa7e38b_cba17bf9","updated":"2019-12-04 19:09:12.000000000","message":"So yeah, I just found out that this is really going to be up to the admin. I\u0027ll reword this accordingly, and relegate it to the Security section.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f9e5e974280f691c3bbc0a90921cb4a4a24a0dbf","unresolved":false,"context_lines":[{"line_number":168,"context_line":"          ...except live migration, since the (already decrypted) running state"},{"line_number":169,"context_line":"          of the vTPM is carried along to the destination. (To clarify: live"},{"line_number":170,"context_line":"          migration, unlike other operations, would actually work if performed"},{"line_number":171,"context_line":"          by the admin because of the above.)"},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"Spawn"},{"line_number":174,"context_line":"~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_3c1ada7b","line":171,"updated":"2019-12-04 13:58:07.000000000","message":"Does it mean that the admin cannot even delete the VM having a vTPM?\n\n14:12 \u003c efried\u003e The admin won\u0027t be able to delete the secret in barbican, or the backup in \n                swift\n14:12 \u003c efried\u003e but we don\u0027t have to make those error conditions.\n14:12 \u003c efried\u003e So the instance could still be destroyed, but those artifacts would be \n                leaked in that case and the owner would have to go clean them up manually.\n\nI hope there is a way out of this situation. 
It feels bad that we leave junk around that nobody can clean up when the original user is long gone.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":168,"context_line":"          ...except live migration, since the (already decrypted) running state"},{"line_number":169,"context_line":"          of the vTPM is carried along to the destination. (To clarify: live"},{"line_number":170,"context_line":"          migration, unlike other operations, would actually work if performed"},{"line_number":171,"context_line":"          by the admin because of the above.)"},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"Spawn"},{"line_number":174,"context_line":"~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_4519fa77","line":171,"in_reply_to":"3fa7e38b_3c1ada7b","updated":"2019-12-04 19:09:12.000000000","message":"As we discussed, I need to go confirm, but I would assume that both keymgr and object-store allow (policy settings for) the admin to delete anything, for just this reason.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":168,"context_line":"          ...except live migration, since the (already decrypted) running state"},{"line_number":169,"context_line":"          of the vTPM is carried along to the destination. 
(To clarify: live"},{"line_number":170,"context_line":"          migration, unlike other operations, would actually work if performed"},{"line_number":171,"context_line":"          by the admin because of the above.)"},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"Spawn"},{"line_number":174,"context_line":"~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_4bb58b31","line":171,"in_reply_to":"3fa7e38b_3c1ada7b","updated":"2019-12-04 15:46:17.000000000","message":"wdym they can\u0027t delete them? I get that you couldn\u0027t _see_ them, but surely it\u0027s possible to eradicate something?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":168,"context_line":"          ...except live migration, since the (already decrypted) running state"},{"line_number":169,"context_line":"          of the vTPM is carried along to the destination. 
(To clarify: live"},{"line_number":170,"context_line":"          migration, unlike other operations, would actually work if performed"},{"line_number":171,"context_line":"          by the admin because of the above.)"},{"line_number":172,"context_line":""},{"line_number":173,"context_line":"Spawn"},{"line_number":174,"context_line":"~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_d69efe04","line":171,"in_reply_to":"3fa7e38b_4bb58b31","updated":"2019-12-04 19:09:12.000000000","message":"As above, I was wrong, this is shuffled around and fixed.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":172,"context_line":""},{"line_number":173,"context_line":"Spawn"},{"line_number":174,"context_line":"~~~~~"},{"line_number":175,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":176,"context_line":"   present in the service catalog (and reachable? version discovery?) to"},{"line_number":177,"context_line":"   minimize the chances of subsequent lifecycle operations breaking the"},{"line_number":178,"context_line":"   instance. (Alternatively: consider an extra spec / image prop like"},{"line_number":179,"context_line":"   ``vtpm_I_promise_I_will_never_shelve_or_backup\u003dTrue`` or"},{"line_number":180,"context_line":"   ``vtpm_is_totally_ephemeral\u003dTrue`` which would remove this requirement, and"},{"line_number":181,"context_line":"   error or simply not back up the vTPM, respectively, on such operations.)"},{"line_number":182,"context_line":"#. 
Nova generates a random passphrase and stores it in the configured key"},{"line_number":183,"context_line":"   manager, yielding a UUID, hereinafter referred to as ``$secret_uuid``."},{"line_number":184,"context_line":"#. Nova saves the ``$secret_uuid`` in the instance\u0027s ``system_metadata`` under"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_cb7adb75","line":181,"range":{"start_line":175,"start_character":0,"end_line":181,"end_character":75},"updated":"2019-12-04 15:46:17.000000000","message":"Why do we have to do this on spawn instead of those other lifecycle operations?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":172,"context_line":""},{"line_number":173,"context_line":"Spawn"},{"line_number":174,"context_line":"~~~~~"},{"line_number":175,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":176,"context_line":"   present in the service catalog (and reachable? version discovery?) to"},{"line_number":177,"context_line":"   minimize the chances of subsequent lifecycle operations breaking the"},{"line_number":178,"context_line":"   instance. (Alternatively: consider an extra spec / image prop like"},{"line_number":179,"context_line":"   ``vtpm_I_promise_I_will_never_shelve_or_backup\u003dTrue`` or"},{"line_number":180,"context_line":"   ``vtpm_is_totally_ephemeral\u003dTrue`` which would remove this requirement, and"},{"line_number":181,"context_line":"   error or simply not back up the vTPM, respectively, on such operations.)"},{"line_number":182,"context_line":"#. 
Nova generates a random passphrase and stores it in the configured key"},{"line_number":183,"context_line":"   manager, yielding a UUID, hereinafter referred to as ``$secret_uuid``."},{"line_number":184,"context_line":"#. Nova saves the ``$secret_uuid`` in the instance\u0027s ``system_metadata`` under"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_1ce91718","line":181,"range":{"start_line":175,"start_character":0,"end_line":181,"end_character":75},"in_reply_to":"3fa7e38b_cb7adb75","updated":"2019-12-04 19:09:12.000000000","message":"See previous discussion https://review.opendev.org/#/c/686804/8/specs/ussuri/approved/add-emulated-virtual-tpm.rst@175","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":211,"context_line":"#. Retrieve the passphrase associated with ``$secret_uuid`` via the configured"},{"line_number":212,"context_line":"   key manager API."},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"Then perform steps 4-6 as described under Spawn_."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"Migrations and their ilk"},{"line_number":217,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_0bcf93b3","line":214,"updated":"2019-12-04 15:46:17.000000000","message":"Out of curiosity, what\u0027s the plan, if any, for fully encrypted instances where the admin can\u0027t decrypt things? We talked about it at the PTG but I can\u0027t see the spec. 
Surely both things would benefit from a new state that suggests the instance has been started but needs some user input before it can transition to active?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":211,"context_line":"#. Retrieve the passphrase associated with ``$secret_uuid`` via the configured"},{"line_number":212,"context_line":"   key manager API."},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"Then perform steps 4-6 as described under Spawn_."},{"line_number":215,"context_line":""},{"line_number":216,"context_line":"Migrations and their ilk"},{"line_number":217,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_9cbd0705","line":214,"in_reply_to":"3fa7e38b_0bcf93b3","updated":"2019-12-04 19:09:12.000000000","message":"Is this [1] the spec you\u0027re looking for? Though I think that one is just for encrypting images.\n\nOr this one [2]?\n\nIn this case, however, it\u0027s not a matter of \"started but needs user input before it can transition to active\". The libvirt guest creation actually fails if the secret isn\u0027t present.\n\n[1] https://review.opendev.org/#/c/608696/\n[2] https://review.opendev.org/#/c/693844/","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":219,"context_line":"``/var/lib/libvirt/swtpm/\u003cinstance\u003e``. Certain lifecycle operations require"},{"line_number":220,"context_line":"that directory to be copied verbatim to the \"destination\". 
For (cold/live)"},{"line_number":221,"context_line":"migrations, only the user that nova-compute runs as is guaranteed to be able to"},{"line_number":222,"context_line":"have ssh keys set up for passwordless access, and it\u0027s only guaranteed to be"},{"line_number":223,"context_line":"able to copy files to the instance directory on the destination node. We"},{"line_number":224,"context_line":"therefore propose the following procedure for relevant lifecycle operations:"},{"line_number":225,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_cbc89ba9","line":222,"range":{"start_line":222,"start_character":5,"end_line":222,"end_character":8},"updated":"2019-12-04 15:46:17.000000000","message":"SSH","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":219,"context_line":"``/var/lib/libvirt/swtpm/\u003cinstance\u003e``. Certain lifecycle operations require"},{"line_number":220,"context_line":"that directory to be copied verbatim to the \"destination\". For (cold/live)"},{"line_number":221,"context_line":"migrations, only the user that nova-compute runs as is guaranteed to be able to"},{"line_number":222,"context_line":"have ssh keys set up for passwordless access, and it\u0027s only guaranteed to be"},{"line_number":223,"context_line":"able to copy files to the instance directory on the destination node. 
We"},{"line_number":224,"context_line":"therefore propose the following procedure for relevant lifecycle operations:"},{"line_number":225,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_3cbc1305","line":222,"range":{"start_line":222,"start_character":5,"end_line":222,"end_character":8},"in_reply_to":"3fa7e38b_cbc89ba9","updated":"2019-12-04 19:09:12.000000000","message":"Done","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f9e5e974280f691c3bbc0a90921cb4a4a24a0dbf","unresolved":false,"context_lines":[{"line_number":227,"context_line":"  to match it."},{"line_number":228,"context_line":"* Perform the move, which will automatically carry the data along."},{"line_number":229,"context_line":"* Change ownership back and move the directory out to"},{"line_number":230,"context_line":"  ``/var/lib/libvirt/swtpm/\u003cinstance\u003e`` on the destination."},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"Since the expected ownership on the target may be different than on the source,"},{"line_number":233,"context_line":"and is (we think) impossible to detect, the admin must inform us of it via the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_02b9b8ea","line":230,"updated":"2019-12-04 13:58:07.000000000","message":"... 
and remove the vTPM file from the instance directory on the source when the move operation is confirmed.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":227,"context_line":"  to match it."},{"line_number":228,"context_line":"* Perform the move, which will automatically carry the data along."},{"line_number":229,"context_line":"* Change ownership back and move the directory out to"},{"line_number":230,"context_line":"  ``/var/lib/libvirt/swtpm/\u003cinstance\u003e`` on the destination."},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"Since the expected ownership on the target may be different than on the source,"},{"line_number":233,"context_line":"and is (we think) impossible to detect, the admin must inform us of it via the"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_45b57a31","line":230,"in_reply_to":"3fa7e38b_02b9b8ea","updated":"2019-12-04 19:09:12.000000000","message":"Done (though we get this for free)","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":235,"context_line":"different from the default of ``tss``."},{"line_number":236,"context_line":""},{"line_number":237,"context_line":"This should allow support of cold/live migration and resizes that don\u0027t change"},{"line_number":238,"context_line":"the device."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":".. todo:: Confirm that the above \"manual\" copying around is actually necessary"},{"line_number":241,"context_line":"          for migration. 
It\u0027s unclear from reading"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_8b47031f","line":238,"updated":"2019-12-04 15:46:17.000000000","message":"Is it just me or is it weird that libvirt doesn\u0027t provide this functionality for us, given they provide the migrateToURI functionality\n\nLater: Ah, just saw the below :) Maybe it\u0027s not so","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":235,"context_line":"different from the default of ``tss``."},{"line_number":236,"context_line":""},{"line_number":237,"context_line":"This should allow support of cold/live migration and resizes that don\u0027t change"},{"line_number":238,"context_line":"the device."},{"line_number":239,"context_line":""},{"line_number":240,"context_line":".. todo:: Confirm that the above \"manual\" copying around is actually necessary"},{"line_number":241,"context_line":"          for migration. It\u0027s unclear from reading"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_bc10035b","line":238,"in_reply_to":"3fa7e38b_8b47031f","updated":"2019-12-04 19:09:12.000000000","message":"Yeah. I would prefer to defer this to the implementation, since it\u0027s going to take a nontrivial amount of work to discover, and then come back and update the spec accordingly after the fact.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f9e5e974280f691c3bbc0a90921cb4a4a24a0dbf","unresolved":false,"context_lines":[{"line_number":247,"context_line":"(though may not be what you meant to do, as the data can\u0027t and won\u0027t carry"},{"line_number":248,"context_line":"over). 
If both old and new flavors have the same model/version, we must ensure"},{"line_number":249,"context_line":"we convey the virtual device data as described above."},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"Shelve/Unshelve and Backup/Rebuild"},{"line_number":252,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":253,"context_line":"Restoring vTPM data when unshelving a shelved server, or restoring a backup via"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_82912856","line":250,"updated":"2019-12-04 13:58:07.000000000","message":"I think during revert we need to move and chown the vTPM file from the instance dir back to its original place and owner.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":247,"context_line":"(though may not be what you meant to do, as the data can\u0027t and won\u0027t carry"},{"line_number":248,"context_line":"over). 
If both old and new flavors have the same model/version, we must ensure"},{"line_number":249,"context_line":"we convey the virtual device data as described above."},{"line_number":250,"context_line":""},{"line_number":251,"context_line":"Shelve/Unshelve and Backup/Rebuild"},{"line_number":252,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":253,"context_line":"Restoring vTPM data when unshelving a shelved server, or restoring a backup via"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_1cbcb7d9","line":250,"in_reply_to":"3fa7e38b_82912856","updated":"2019-12-04 19:09:12.000000000","message":"Done","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":263,"context_line":"#. Save the swift object ID and digital signature (sha256) of the directory to"},{"line_number":264,"context_line":"   the instance\u0027s ``system_metadata`` under the (new) ``tpm_object_id`` and"},{"line_number":265,"context_line":"   ``tpm_object_sha256`` keys."},{"line_number":266,"context_line":"#. Create the appropriate ``hw_tpm_version`` and/or ``hw_tpm_model`` metadata"},{"line_number":267,"context_line":"   properties on the image. (This is to close the gap where the vTPM on"},{"line_number":268,"context_line":"   original VM was created at the behest of image, rather than flavor,"},{"line_number":269,"context_line":"   properties. 
It ensures the correct version/model is created on the target.)"},{"line_number":270,"context_line":""},{"line_number":271,"context_line":"The unshelve and rebuild operations need to:"},{"line_number":272,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_0b0233bb","line":269,"range":{"start_line":266,"start_character":0,"end_line":269,"end_character":78},"updated":"2019-12-04 15:46:17.000000000","message":"Huh? Won\u0027t we still have access to that image when we unshelve? What image are you talking about modifying the metadata of?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":263,"context_line":"#. Save the swift object ID and digital signature (sha256) of the directory to"},{"line_number":264,"context_line":"   the instance\u0027s ``system_metadata`` under the (new) ``tpm_object_id`` and"},{"line_number":265,"context_line":"   ``tpm_object_sha256`` keys."},{"line_number":266,"context_line":"#. Create the appropriate ``hw_tpm_version`` and/or ``hw_tpm_model`` metadata"},{"line_number":267,"context_line":"   properties on the image. (This is to close the gap where the vTPM on"},{"line_number":268,"context_line":"   original VM was created at the behest of image, rather than flavor,"},{"line_number":269,"context_line":"   properties. 
It ensures the correct version/model is created on the target.)"},{"line_number":270,"context_line":""},{"line_number":271,"context_line":"The unshelve and rebuild operations need to:"},{"line_number":272,"context_line":""}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_5c6f8f5f","line":269,"range":{"start_line":266,"start_character":0,"end_line":269,"end_character":78},"in_reply_to":"3fa7e38b_0b0233bb","updated":"2019-12-04 19:09:12.000000000","message":"Let\u0027s say on initial spawn we used a flavor with no vTPM extra specs, but the original image had them.\n\nNow we backup/shelve. If we don\u0027t do the above when creating the snapshot, then when we rebuild/unshelve, all we have is the sysmeta pointing to the secret and object. But those don\u0027t tell us what version/model it was. That information needs to go into the domain XML (see L49-50) so it\u0027s not sufficient to specify the secret and restore the data file. (And as noted above, there isn\u0027t a catch-all we can assume.)\n\nWe could store the version/model in the sysmeta as well, but why add that extra code/complexity in the API when we can reuse the existing mechanism of image meta?","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"37d414605d6c9a825dc41cebdf926f9e149393fe","unresolved":false,"context_lines":[{"line_number":293,"context_line":"          and make horrible things happen on rebuild. 
For example:"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":"          * The flavor specifies no vTPM properties."},{"line_number":296,"context_line":"          * The *original* image specified version 2.0."},{"line_number":297,"context_line":"          * The *new* image specifies version 1.2."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"          We will happily create a v1.2 vTPM and restore the (v2.0) data into"},{"line_number":300,"context_line":"          it. The VM will (probably) boot just fine, but unpredictable things"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_2bd36f39","line":297,"range":{"start_line":296,"start_character":0,"end_line":297,"end_character":50},"updated":"2019-12-04 15:46:17.000000000","message":"Because I\u0027m dumb, how are these changing and why can\u0027t we do something like [1] to handle this?\n\n[1] https://review.opendev.org/#/c/687957/","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":293,"context_line":"          and make horrible things happen on rebuild. For example:"},{"line_number":294,"context_line":""},{"line_number":295,"context_line":"          * The flavor specifies no vTPM properties."},{"line_number":296,"context_line":"          * The *original* image specified version 2.0."},{"line_number":297,"context_line":"          * The *new* image specifies version 1.2."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"          We will happily create a v1.2 vTPM and restore the (v2.0) data into"},{"line_number":300,"context_line":"          it. 
The VM will (probably) boot just fine, but unpredictable things"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_9cf18799","line":297,"range":{"start_line":296,"start_character":0,"end_line":297,"end_character":50},"in_reply_to":"3fa7e38b_2bd36f39","updated":"2019-12-04 19:09:12.000000000","message":"\u003e how are these changing\n\nThis really only happens through abuse of \u0027rebuild\u0027. You should be using rebuild with a backup of, or at least an image that\u0027s compatible with, your original instance. If you don\u0027t, you deserve what you get. (For example, we don\u0027t (can\u0027t) make sure your image contains a resolv.conf compatible with the networks we\u0027re preserving with your instance.)\n\n \u003e why can\u0027t we do\n \u003e something like [1] to handle this?\n \u003e \n \u003e [1] https://review.opendev.org/#/c/687957/\n\nSame example as described in my response at L269: if the properties aren\u0027t in the flavor, we have no way of knowing what version/model was on the original instance, only what\u0027s specified in the image.\n\nWe *could* work around this (specific) case, but I\u0027m asserting it\u0027s past the point of diminishing returns and not worth the effort.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f9e5e974280f691c3bbc0a90921cb4a4a24a0dbf","unresolved":false,"context_lines":[{"line_number":323,"context_line":"(It may be possible to mitigate this by mounting ``/var/lib/libvirt/swtpm/`` on"},{"line_number":324,"context_line":"shared storage. 
That, of course, would bring in additional security concerns."},{"line_number":325,"context_line":"In any case, it would be an exercise for the admin; nothing will be done in"},{"line_number":326,"context_line":"nova to support or prevent it.)"},{"line_number":327,"context_line":""},{"line_number":328,"context_line":"Destroy"},{"line_number":329,"context_line":"~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_c2fc0074","line":326,"updated":"2019-12-04 13:58:07.000000000","message":"+1","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f9e5e974280f691c3bbc0a90921cb4a4a24a0dbf","unresolved":false,"context_lines":[{"line_number":331,"context_line":"   identifies."},{"line_number":332,"context_line":"#. Delete the key manager secret associated with"},{"line_number":333,"context_line":"   ``system_metadata[\u0027tpm_secret_uuid\u0027]``."},{"line_number":334,"context_line":""},{"line_number":335,"context_line":"Limitations"},{"line_number":336,"context_line":"-----------"},{"line_number":337,"context_line":"This is a summary of odd or unexpected behaviors resulting from this design."}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_a2f1c498","line":334,"updated":"2019-12-04 13:58:07.000000000","message":"Will it happen on the compute side or on the controller side? I\u0027m asking this to make sure that the local delete case (when the compute is down while the server is deleted) are considered","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":331,"context_line":"   identifies."},{"line_number":332,"context_line":"#. 
Delete the key manager secret associated with"},{"line_number":333,"context_line":"   ``system_metadata[\u0027tpm_secret_uuid\u0027]``."},{"line_number":334,"context_line":""},{"line_number":335,"context_line":"Limitations"},{"line_number":336,"context_line":"-----------"},{"line_number":337,"context_line":"This is a summary of odd or unexpected behaviors resulting from this design."}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_7c24cb0e","line":334,"in_reply_to":"3fa7e38b_a2f1c498","updated":"2019-12-04 19:09:12.000000000","message":"All of this is up to the virt driver, thus compute side. In the case you describe, if the instance is deleted while the compute is down, the swift/keymgr objects will stick around... until the compute is brought back up, whereupon such instances are reaped through the virt driver\u0027s destroy() method, right? And at that point the artifacts will be deleted as usual.\n\nBut yeah, if the host never comes back up, the objects/secrets could be leaked. 
I\u0027ll note this in Limitations.","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"f9e5e974280f691c3bbc0a90921cb4a4a24a0dbf","unresolved":false,"context_lines":[{"line_number":478,"context_line":""},{"line_number":479,"context_line":"Testing"},{"line_number":480,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":481,"context_line":"Unit and functional testing will be added."},{"line_number":482,"context_line":""},{"line_number":483,"context_line":"Because of the eccentricities of a) user authentication for accessing the"},{"line_number":484,"context_line":"encryption secret, and b) management of the virtual device files for some"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_a21f84b6","line":481,"range":{"start_line":481,"start_character":9,"end_line":481,"end_character":19},"updated":"2019-12-04 13:58:07.000000000","message":"So there will be a nice swift and castellan fixture added to our toolbox... 
:)","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7c7dbf16c3f6234fa96f4579c9d410777d9fd53e","unresolved":false,"context_lines":[{"line_number":478,"context_line":""},{"line_number":479,"context_line":"Testing"},{"line_number":480,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":481,"context_line":"Unit and functional testing will be added."},{"line_number":482,"context_line":""},{"line_number":483,"context_line":"Because of the eccentricities of a) user authentication for accessing the"},{"line_number":484,"context_line":"encryption secret, and b) management of the virtual device files for some"}],"source_content_type":"text/x-rst","patch_set":9,"id":"3fa7e38b_fc2d1bae","line":481,"range":{"start_line":481,"start_character":9,"end_line":481,"end_character":19},"in_reply_to":"3fa7e38b_a21f84b6","updated":"2019-12-04 19:09:12.000000000","message":"Done","commit_id":"2d93e19afd50436588d13f76a8d1de5bbf8e1535"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":159,"context_line":"Descriptions below are libvirt driver-specific. However, it is left to the"},{"line_number":160,"context_line":"implementation which pieces are performed by the compute manager vs. the"},{"line_number":161,"context_line":"libvirt ComputeDriver itself."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"Spawn"},{"line_number":164,"context_line":"~~~~~"},{"line_number":165,"context_line":"#. 
Even though swift is not required for spawn, ensure a swift endpoint is"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_6eaeeee4","line":162,"updated":"2019-12-11 19:53:55.000000000","message":"add a paragraph about the baremetal philosophy informing these decisions (see Alternatives)","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":159,"context_line":"Descriptions below are libvirt driver-specific. However, it is left to the"},{"line_number":160,"context_line":"implementation which pieces are performed by the compute manager vs. the"},{"line_number":161,"context_line":"libvirt ComputeDriver itself."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"Spawn"},{"line_number":164,"context_line":"~~~~~"},{"line_number":165,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_24649548","line":162,"in_reply_to":"3fa7e38b_6eaeeee4","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":164,"context_line":"~~~~~"},{"line_number":165,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":166,"context_line":"   present in the service catalog (and reachable? version discovery?"},{"line_number":167,"context_line":"   implementation detail) to minimize the chances of subsequent lifecycle"},{"line_number":168,"context_line":"   operations breaking the instance. 
(Alternatively: consider an extra spec /"},{"line_number":169,"context_line":"   image prop like ``vtpm_I_promise_I_will_never_shelve_or_backup\u003dTrue`` or"},{"line_number":170,"context_line":"   ``vtpm_is_totally_ephemeral\u003dTrue`` which would remove this requirement, and"},{"line_number":171,"context_line":"   error or simply not back up the vTPM, respectively, on such operations.)"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_553061e9","line":168,"range":{"start_line":167,"start_character":53,"end_line":168,"end_character":35},"updated":"2019-12-11 19:53:55.000000000","message":"unshelve","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":164,"context_line":"~~~~~"},{"line_number":165,"context_line":"#. Even though swift is not required for spawn, ensure a swift endpoint is"},{"line_number":166,"context_line":"   present in the service catalog (and reachable? version discovery?"},{"line_number":167,"context_line":"   implementation detail) to minimize the chances of subsequent lifecycle"},{"line_number":168,"context_line":"   operations breaking the instance. 
(Alternatively: consider an extra spec /"},{"line_number":169,"context_line":"   image prop like ``vtpm_I_promise_I_will_never_shelve_or_backup\u003dTrue`` or"},{"line_number":170,"context_line":"   ``vtpm_is_totally_ephemeral\u003dTrue`` which would remove this requirement, and"},{"line_number":171,"context_line":"   error or simply not back up the vTPM, respectively, on such operations.)"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_84d9c9f4","line":168,"range":{"start_line":167,"start_character":53,"end_line":168,"end_character":35},"in_reply_to":"3fa7e38b_553061e9","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":166,"context_line":"   present in the service catalog (and reachable? version discovery?"},{"line_number":167,"context_line":"   implementation detail) to minimize the chances of subsequent lifecycle"},{"line_number":168,"context_line":"   operations breaking the instance. (Alternatively: consider an extra spec /"},{"line_number":169,"context_line":"   image prop like ``vtpm_I_promise_I_will_never_shelve_or_backup\u003dTrue`` or"},{"line_number":170,"context_line":"   ``vtpm_is_totally_ephemeral\u003dTrue`` which would remove this requirement, and"},{"line_number":171,"context_line":"   error or simply not back up the vTPM, respectively, on such operations.)"},{"line_number":172,"context_line":"#. 
Nova generates a random passphrase and stores it in the configured key"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_8bb0fc8c","line":169,"range":{"start_line":169,"start_character":55,"end_line":169,"end_character":65},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":166,"context_line":"   present in the service catalog (and reachable? version discovery?"},{"line_number":167,"context_line":"   implementation detail) to minimize the chances of subsequent lifecycle"},{"line_number":168,"context_line":"   operations breaking the instance. (Alternatively: consider an extra spec /"},{"line_number":169,"context_line":"   image prop like ``vtpm_I_promise_I_will_never_shelve_or_backup\u003dTrue`` or"},{"line_number":170,"context_line":"   ``vtpm_is_totally_ephemeral\u003dTrue`` which would remove this requirement, and"},{"line_number":171,"context_line":"   error or simply not back up the vTPM, respectively, on such operations.)"},{"line_number":172,"context_line":"#. Nova generates a random passphrase and stores it in the configured key"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_a4d405bc","line":169,"range":{"start_line":169,"start_character":55,"end_line":169,"end_character":65},"in_reply_to":"3fa7e38b_8bb0fc8c","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":186,"context_line":""},{"line_number":187,"context_line":".. 
note:: Spawning from an image created by snapshotting a VM with a vTPM will"},{"line_number":188,"context_line":"          result in a fresh, empty vTPM, even if that snapshot was created by"},{"line_number":189,"context_line":"          ``shelve`` or ``createBackup``. By contrast, ``unshelve`` and"},{"line_number":190,"context_line":"          ``rebuild`` will restore such vTPM data, which is saved when the"},{"line_number":191,"context_line":"          snapshot is performed (during ``shelve`` or ``createBackup``)."},{"line_number":192,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_6ba1003a","line":189,"range":{"start_line":189,"start_character":20,"end_line":189,"end_character":40},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":186,"context_line":""},{"line_number":187,"context_line":".. note:: Spawning from an image created by snapshotting a VM with a vTPM will"},{"line_number":188,"context_line":"          result in a fresh, empty vTPM, even if that snapshot was created by"},{"line_number":189,"context_line":"          ``shelve`` or ``createBackup``. 
By contrast, ``unshelve`` and"},{"line_number":190,"context_line":"          ``rebuild`` will restore such vTPM data, which is saved when the"},{"line_number":191,"context_line":"          snapshot is performed (during ``shelve`` or ``createBackup``)."},{"line_number":192,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_04ef1987","line":189,"range":{"start_line":189,"start_character":20,"end_line":189,"end_character":40},"in_reply_to":"3fa7e38b_6ba1003a","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":186,"context_line":""},{"line_number":187,"context_line":".. note:: Spawning from an image created by snapshotting a VM with a vTPM will"},{"line_number":188,"context_line":"          result in a fresh, empty vTPM, even if that snapshot was created by"},{"line_number":189,"context_line":"          ``shelve`` or ``createBackup``. 
By contrast, ``unshelve`` and"},{"line_number":190,"context_line":"          ``rebuild`` will restore such vTPM data, which is saved when the"},{"line_number":191,"context_line":"          snapshot is performed (during ``shelve`` or ``createBackup``)."},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"Cold Boot"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_2b65481d","line":190,"range":{"start_line":189,"start_character":67,"end_line":190,"end_character":22},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":186,"context_line":""},{"line_number":187,"context_line":".. note:: Spawning from an image created by snapshotting a VM with a vTPM will"},{"line_number":188,"context_line":"          result in a fresh, empty vTPM, even if that snapshot was created by"},{"line_number":189,"context_line":"          ``shelve`` or ``createBackup``. 
By contrast, ``unshelve`` and"},{"line_number":190,"context_line":"          ``rebuild`` will restore such vTPM data, which is saved when the"},{"line_number":191,"context_line":"          snapshot is performed (during ``shelve`` or ``createBackup``)."},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"Cold Boot"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_24f25570","line":190,"range":{"start_line":189,"start_character":67,"end_line":190,"end_character":22},"in_reply_to":"3fa7e38b_2b65481d","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":188,"context_line":"          result in a fresh, empty vTPM, even if that snapshot was created by"},{"line_number":189,"context_line":"          ``shelve`` or ``createBackup``. 
By contrast, ``unshelve`` and"},{"line_number":190,"context_line":"          ``rebuild`` will restore such vTPM data, which is saved when the"},{"line_number":191,"context_line":"          snapshot is performed (during ``shelve`` or ``createBackup``)."},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"Cold Boot"},{"line_number":194,"context_line":"~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_cb67d423","line":191,"range":{"start_line":191,"start_character":50,"end_line":191,"end_character":71},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":188,"context_line":"          result in a fresh, empty vTPM, even if that snapshot was created by"},{"line_number":189,"context_line":"          ``shelve`` or ``createBackup``. 
By contrast, ``unshelve`` and"},{"line_number":190,"context_line":"          ``rebuild`` will restore such vTPM data, which is saved when the"},{"line_number":191,"context_line":"          snapshot is performed (during ``shelve`` or ``createBackup``)."},{"line_number":192,"context_line":""},{"line_number":193,"context_line":"Cold Boot"},{"line_number":194,"context_line":"~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_c4e4a1aa","line":191,"range":{"start_line":191,"start_character":50,"end_line":191,"end_character":71},"in_reply_to":"3fa7e38b_cb67d423","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":237,"context_line":""},{"line_number":238,"context_line":"Resize can potentially add a vTPM to an instance that didn\u0027t have one before,"},{"line_number":239,"context_line":"or remove the vTPM from an instance that did have one, and those should \"just"},{"line_number":240,"context_line":"work\". Resizing from one version/model to a different one will also \"just work\""},{"line_number":241,"context_line":"(though may not be what you meant to do, as the data can\u0027t and won\u0027t carry"},{"line_number":242,"context_line":"over). 
If both old and new flavors have the same model/version, we must ensure"},{"line_number":243,"context_line":"we convey the virtual device data as described above."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_4b7be4bd","line":240,"range":{"start_line":240,"start_character":58,"end_line":240,"end_character":79},"updated":"2019-12-11 19:53:55.000000000","message":"If same-host resize: we need to make sure we tear out the old one first.","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":237,"context_line":""},{"line_number":238,"context_line":"Resize can potentially add a vTPM to an instance that didn\u0027t have one before,"},{"line_number":239,"context_line":"or remove the vTPM from an instance that did have one, and those should \"just"},{"line_number":240,"context_line":"work\". Resizing from one version/model to a different one will also \"just work\""},{"line_number":241,"context_line":"(though may not be what you meant to do, as the data can\u0027t and won\u0027t carry"},{"line_number":242,"context_line":"over). 
If both old and new flavors have the same model/version, we must ensure"},{"line_number":243,"context_line":"we convey the virtual device data as described above."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_2497b5ed","line":240,"range":{"start_line":240,"start_character":58,"end_line":240,"end_character":79},"in_reply_to":"3fa7e38b_4b7be4bd","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":240,"context_line":"work\". Resizing from one version/model to a different one will also \"just work\""},{"line_number":241,"context_line":"(though may not be what you meant to do, as the data can\u0027t and won\u0027t carry"},{"line_number":242,"context_line":"over). If both old and new flavors have the same model/version, we must ensure"},{"line_number":243,"context_line":"we convey the virtual device data as described above."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"Shelve/Unshelve and Backup/Rebuild"},{"line_number":246,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_0b4bac86","line":243,"range":{"start_line":243,"start_character":3,"end_line":243,"end_character":33},"updated":"2019-12-11 19:53:55.000000000","message":"If some-host this means leaving the existing file alone.","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":240,"context_line":"work\". 
Resizing from one version/model to a different one will also \"just work\""},{"line_number":241,"context_line":"(though may not be what you meant to do, as the data can\u0027t and won\u0027t carry"},{"line_number":242,"context_line":"over). If both old and new flavors have the same model/version, we must ensure"},{"line_number":243,"context_line":"we convey the virtual device data as described above."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"Shelve/Unshelve and Backup/Rebuild"},{"line_number":246,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_c499011e","line":243,"range":{"start_line":243,"start_character":3,"end_line":243,"end_character":33},"in_reply_to":"3fa7e38b_0b4bac86","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":242,"context_line":"over). If both old and new flavors have the same model/version, we must ensure"},{"line_number":243,"context_line":"we convey the virtual device data as described above."},{"line_number":244,"context_line":""},{"line_number":245,"context_line":"Shelve/Unshelve and Backup/Rebuild"},{"line_number":246,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":247,"context_line":"Restoring vTPM data when unshelving a shelved server, or restoring a backup via"},{"line_number":248,"context_line":"rebuild, requires the vTPM data to be persisted somewhere. 
We can\u0027t put it with"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_eb43b069","line":245,"range":{"start_line":245,"start_character":15,"end_line":245,"end_character":34},"updated":"2019-12-11 19:53:55.000000000","message":"Split.","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":244,"context_line":""},{"line_number":245,"context_line":"Shelve/Unshelve and Backup/Rebuild"},{"line_number":246,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":247,"context_line":"Restoring vTPM data when unshelving a shelved server, or restoring a backup via"},{"line_number":248,"context_line":"rebuild, requires the vTPM data to be persisted somewhere. We can\u0027t put it with"},{"line_number":249,"context_line":"the image itself, as it\u0027s data external to the instance disk. 
So we propose to"},{"line_number":250,"context_line":"put it in object-store (swift) and maintain reference to the swift object in"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_6b4fc08b","line":247,"range":{"start_line":247,"start_character":38,"end_line":247,"end_character":45},"updated":"2019-12-11 19:53:55.000000000","message":"shelve-offloaded","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":244,"context_line":""},{"line_number":245,"context_line":"Shelve/Unshelve and Backup/Rebuild"},{"line_number":246,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":247,"context_line":"Restoring vTPM data when unshelving a shelved server, or restoring a backup via"},{"line_number":248,"context_line":"rebuild, requires the vTPM data to be persisted somewhere. We can\u0027t put it with"},{"line_number":249,"context_line":"the image itself, as it\u0027s data external to the instance disk. 
So we propose to"},{"line_number":250,"context_line":"put it in object-store (swift) and maintain reference to the swift object in"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_84b0e98c","line":247,"range":{"start_line":247,"start_character":38,"end_line":247,"end_character":45},"in_reply_to":"3fa7e38b_6b4fc08b","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":244,"context_line":""},{"line_number":245,"context_line":"Shelve/Unshelve and Backup/Rebuild"},{"line_number":246,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":247,"context_line":"Restoring vTPM data when unshelving a shelved server, or restoring a backup via"},{"line_number":248,"context_line":"rebuild, requires the vTPM data to be persisted somewhere. We can\u0027t put it with"},{"line_number":249,"context_line":"the image itself, as it\u0027s data external to the instance disk. So we propose to"},{"line_number":250,"context_line":"put it in object-store (swift) and maintain reference to the swift object in"},{"line_number":251,"context_line":"the instance\u0027s ``system_metadata``. 
Thus, only operations which boot based on"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_cb3594f7","line":248,"range":{"start_line":247,"start_character":52,"end_line":248,"end_character":7},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":244,"context_line":""},{"line_number":245,"context_line":"Shelve/Unshelve and Backup/Rebuild"},{"line_number":246,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":247,"context_line":"Restoring vTPM data when unshelving a shelved server, or restoring a backup via"},{"line_number":248,"context_line":"rebuild, requires the vTPM data to be persisted somewhere. We can\u0027t put it with"},{"line_number":249,"context_line":"the image itself, as it\u0027s data external to the instance disk. So we propose to"},{"line_number":250,"context_line":"put it in object-store (swift) and maintain reference to the swift object in"},{"line_number":251,"context_line":"the instance\u0027s ``system_metadata``. Thus, only operations which boot based on"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_e4b51d7e","line":248,"range":{"start_line":247,"start_character":52,"end_line":248,"end_character":7},"in_reply_to":"3fa7e38b_cb3594f7","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":248,"context_line":"rebuild, requires the vTPM data to be persisted somewhere. 
We can\u0027t put it with"},{"line_number":249,"context_line":"the image itself, as it\u0027s data external to the instance disk. So we propose to"},{"line_number":250,"context_line":"put it in object-store (swift) and maintain reference to the swift object in"},{"line_number":251,"context_line":"the instance\u0027s ``system_metadata``. Thus, only operations which boot based on"},{"line_number":252,"context_line":"an existing instance record will restore vTPM data."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"The compute manager\u0027s shelve and backup operations need to:"},{"line_number":255,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_2b330815","line":252,"range":{"start_line":251,"start_character":47,"end_line":252,"end_character":27},"updated":"2019-12-11 19:53:55.000000000","message":"just unshelve of an offloaded instance","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":248,"context_line":"rebuild, requires the vTPM data to be persisted somewhere. We can\u0027t put it with"},{"line_number":249,"context_line":"the image itself, as it\u0027s data external to the instance disk. So we propose to"},{"line_number":250,"context_line":"put it in object-store (swift) and maintain reference to the swift object in"},{"line_number":251,"context_line":"the instance\u0027s ``system_metadata``. 
Thus, only operations which boot based on"},{"line_number":252,"context_line":"an existing instance record will restore vTPM data."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"The compute manager\u0027s shelve and backup operations need to:"},{"line_number":255,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_a4aba51b","line":252,"range":{"start_line":251,"start_character":47,"end_line":252,"end_character":27},"in_reply_to":"3fa7e38b_2b330815","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":250,"context_line":"put it in object-store (swift) and maintain reference to the swift object in"},{"line_number":251,"context_line":"the instance\u0027s ``system_metadata``. Thus, only operations which boot based on"},{"line_number":252,"context_line":"an existing instance record will restore vTPM data."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"The compute manager\u0027s shelve and backup operations need to:"},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"#. Save the vTPM data directory to swift."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_8e724a7b","line":253,"updated":"2019-12-11 19:53:55.000000000","message":"Explain (here or somewhere) how we\u0027re going to need a new virt driver interface (possibly just careful inspection of the instance sysmeta by snapshot() and destroy()?) 
to prompt the virt driver to manage the swift object.","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":251,"context_line":"the instance\u0027s ``system_metadata``. Thus, only operations which boot based on"},{"line_number":252,"context_line":"an existing instance record will restore vTPM data."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"The compute manager\u0027s shelve and backup operations need to:"},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"#. Save the vTPM data directory to swift."},{"line_number":257,"context_line":"#. Save the swift object ID and digital signature (sha256) of the directory to"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_eb3890ed","line":254,"range":{"start_line":254,"start_character":22,"end_line":254,"end_character":28},"updated":"2019-12-11 19:53:55.000000000","message":"offload","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":251,"context_line":"the instance\u0027s ``system_metadata``. Thus, only operations which boot based on"},{"line_number":252,"context_line":"an existing instance record will restore vTPM data."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"The compute manager\u0027s shelve and backup operations need to:"},{"line_number":255,"context_line":""},{"line_number":256,"context_line":"#. Save the vTPM data directory to swift."},{"line_number":257,"context_line":"#. 
Save the swift object ID and digital signature (sha256) of the directory to"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ab1e1871","line":254,"range":{"start_line":254,"start_character":29,"end_line":254,"end_character":39},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":257,"context_line":"#. Save the swift object ID and digital signature (sha256) of the directory to"},{"line_number":258,"context_line":"   the instance\u0027s ``system_metadata`` under the (new) ``tpm_object_id`` and"},{"line_number":259,"context_line":"   ``tpm_object_sha256`` keys."},{"line_number":260,"context_line":"#. Create the appropriate ``hw_tpm_version`` and/or ``hw_tpm_model`` metadata"},{"line_number":261,"context_line":"   properties on the image. (This is to close the gap where the vTPM on"},{"line_number":262,"context_line":"   original VM was created at the behest of image, rather than flavor,"},{"line_number":263,"context_line":"   properties. 
It ensures the correct version/model is created on the target.)"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"The unshelve and rebuild operations need to:"},{"line_number":266,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ae3aa6c0","line":263,"range":{"start_line":260,"start_character":3,"end_line":263,"end_character":78},"updated":"2019-12-11 19:53:55.000000000","message":"I think we don\u0027t need this anymore","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":257,"context_line":"#. Save the swift object ID and digital signature (sha256) of the directory to"},{"line_number":258,"context_line":"   the instance\u0027s ``system_metadata`` under the (new) ``tpm_object_id`` and"},{"line_number":259,"context_line":"   ``tpm_object_sha256`` keys."},{"line_number":260,"context_line":"#. Create the appropriate ``hw_tpm_version`` and/or ``hw_tpm_model`` metadata"},{"line_number":261,"context_line":"   properties on the image. (This is to close the gap where the vTPM on"},{"line_number":262,"context_line":"   original VM was created at the behest of image, rather than flavor,"},{"line_number":263,"context_line":"   properties. 
It ensures the correct version/model is created on the target.)"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"The unshelve and rebuild operations need to:"},{"line_number":266,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_64a12d3a","line":263,"range":{"start_line":260,"start_character":3,"end_line":263,"end_character":78},"in_reply_to":"3fa7e38b_ae3aa6c0","updated":"2019-12-12 00:48:20.000000000","message":"Oh, yeah we still do, cause the unshelve still needs to know how to create the XML in the scenario described in parens.","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":262,"context_line":"   original VM was created at the behest of image, rather than flavor,"},{"line_number":263,"context_line":"   properties. It ensures the correct version/model is created on the target.)"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"The unshelve and rebuild operations need to:"},{"line_number":266,"context_line":""},{"line_number":267,"context_line":"#. 
Look for ``tpm_object_{id|sha256}`` and ``tpm_secret_uuid`` in the"},{"line_number":268,"context_line":"   instance\u0027s ``system_metadata``."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_0b196c86","line":265,"range":{"start_line":265,"start_character":4,"end_line":265,"end_character":12},"updated":"2019-12-11 19:53:55.000000000","message":"So unshelve (non-offloaded) should \"just work\" for the most part.\n\nThis list applies to unshelving an offloaded server.","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":266,"context_line":""},{"line_number":267,"context_line":"#. Look for ``tpm_object_{id|sha256}`` and ``tpm_secret_uuid`` in the"},{"line_number":268,"context_line":"   instance\u0027s ``system_metadata``."},{"line_number":269,"context_line":"#. If present, the API should validate that the flavor and/or image properties"},{"line_number":270,"context_line":"   call for a vTPM. (This is so we can trigger a failure in the API if, for"},{"line_number":271,"context_line":"   example, the original instance\u0027s vTPM was specified by image, not flavor,"},{"line_number":272,"context_line":"   properties and you attempt to rebuild with a random image lacking vTPM"},{"line_number":273,"context_line":"   properties. Note that the scheduler will also fail if vTPM properties do"},{"line_number":274,"context_line":"   exist in the flavor and conflict with those in the \"random image\".)"},{"line_number":275,"context_line":"#. In the compute manager, download the swift object. Validate its checksum and"},{"line_number":276,"context_line":"   fail if it doesn\u0027t match."},{"line_number":277,"context_line":"#. 
Assign ownership of the data directory according to"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_8e3faab3","line":274,"range":{"start_line":269,"start_character":3,"end_line":274,"end_character":70},"updated":"2019-12-11 19:53:55.000000000","message":"don\u0027t need this, since we\u0027re always using the image from the shelve","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":266,"context_line":""},{"line_number":267,"context_line":"#. Look for ``tpm_object_{id|sha256}`` and ``tpm_secret_uuid`` in the"},{"line_number":268,"context_line":"   instance\u0027s ``system_metadata``."},{"line_number":269,"context_line":"#. If present, the API should validate that the flavor and/or image properties"},{"line_number":270,"context_line":"   call for a vTPM. (This is so we can trigger a failure in the API if, for"},{"line_number":271,"context_line":"   example, the original instance\u0027s vTPM was specified by image, not flavor,"},{"line_number":272,"context_line":"   properties and you attempt to rebuild with a random image lacking vTPM"},{"line_number":273,"context_line":"   properties. Note that the scheduler will also fail if vTPM properties do"},{"line_number":274,"context_line":"   exist in the flavor and conflict with those in the \"random image\".)"},{"line_number":275,"context_line":"#. In the compute manager, download the swift object. Validate its checksum and"},{"line_number":276,"context_line":"   fail if it doesn\u0027t match."},{"line_number":277,"context_line":"#. 
Assign ownership of the data directory according to"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_845ea942","line":274,"range":{"start_line":269,"start_character":3,"end_line":274,"end_character":70},"in_reply_to":"3fa7e38b_8e3faab3","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":276,"context_line":"   fail if it doesn\u0027t match."},{"line_number":277,"context_line":"#. Assign ownership of the data directory according to"},{"line_number":278,"context_line":"   ``[libvirt]swtpm_{user|group}`` on the host."},{"line_number":279,"context_line":"#. Unshelve (but not rebuild) will delete the object from swift, and the"},{"line_number":280,"context_line":"   ``tpm_object_{id|sha256}`` from the instance ``system_metadata``."},{"line_number":281,"context_line":""},{"line_number":282,"context_line":"The common scheduling and spawn code paths will take care of ensuring a"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_4e453243","line":279,"range":{"start_line":279,"start_character":3,"end_line":279,"end_character":35},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":276,"context_line":"   fail if it doesn\u0027t match."},{"line_number":277,"context_line":"#. Assign ownership of the data directory according to"},{"line_number":278,"context_line":"   ``[libvirt]swtpm_{user|group}`` on the host."},{"line_number":279,"context_line":"#. 
Unshelve (but not rebuild) will delete the object from swift, and the"},{"line_number":280,"context_line":"   ``tpm_object_{id|sha256}`` from the instance ``system_metadata``."},{"line_number":281,"context_line":""},{"line_number":282,"context_line":"The common scheduling and spawn code paths will take care of ensuring a"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_5f12ba56","line":279,"range":{"start_line":279,"start_character":3,"end_line":279,"end_character":35},"in_reply_to":"3fa7e38b_4e453243","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":283,"context_line":"vTPM-capable host is selected and the appropriate libvirt XML and secret are"},{"line_number":284,"context_line":"created."},{"line_number":285,"context_line":""},{"line_number":286,"context_line":".. note:: There are a couple of ways an admin can still \"outsmart\" our checks"},{"line_number":287,"context_line":"          and make horrible things happen on rebuild. For example:"},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"          * The flavor specifies no vTPM properties."},{"line_number":290,"context_line":"          * The *original* image specified version 2.0."},{"line_number":291,"context_line":"          * The *new* image specifies version 1.2."},{"line_number":292,"context_line":""},{"line_number":293,"context_line":"          We will happily create a v1.2 vTPM and restore the (v2.0) data into"},{"line_number":294,"context_line":"          it. 
The VM will (probably) boot just fine, but unpredictable things"},{"line_number":295,"context_line":"          will happen when the vTPM is accessed."},{"line_number":296,"context_line":""},{"line_number":297,"context_line":"          We can\u0027t prevent *all* stupidity."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"As noted in `Security impact`_, if backup/shelve is performed by the admin,"},{"line_number":300,"context_line":"only the admin will be able to perform the corresponding rebuild/unshelve"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_2e78f68c","line":297,"range":{"start_line":286,"start_character":0,"end_line":297,"end_character":43},"updated":"2019-12-11 19:53:55.000000000","message":"this goes away","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":283,"context_line":"vTPM-capable host is selected and the appropriate libvirt XML and secret are"},{"line_number":284,"context_line":"created."},{"line_number":285,"context_line":""},{"line_number":286,"context_line":".. note:: There are a couple of ways an admin can still \"outsmart\" our checks"},{"line_number":287,"context_line":"          and make horrible things happen on rebuild. For example:"},{"line_number":288,"context_line":""},{"line_number":289,"context_line":"          * The flavor specifies no vTPM properties."},{"line_number":290,"context_line":"          * The *original* image specified version 2.0."},{"line_number":291,"context_line":"          * The *new* image specifies version 1.2."},{"line_number":292,"context_line":""},{"line_number":293,"context_line":"          We will happily create a v1.2 vTPM and restore the (v2.0) data into"},{"line_number":294,"context_line":"          it. 
The VM will (probably) boot just fine, but unpredictable things"},{"line_number":295,"context_line":"          will happen when the vTPM is accessed."},{"line_number":296,"context_line":""},{"line_number":297,"context_line":"          We can\u0027t prevent *all* stupidity."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"As noted in `Security impact`_, if backup/shelve is performed by the admin,"},{"line_number":300,"context_line":"only the admin will be able to perform the corresponding rebuild/unshelve"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_1f4f626a","line":297,"range":{"start_line":286,"start_character":0,"end_line":297,"end_character":43},"in_reply_to":"3fa7e38b_2e78f68c","updated":"2019-12-12 00:48:20.000000000","message":"Well, I found another way the user can be stupid.","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":296,"context_line":""},{"line_number":297,"context_line":"          We can\u0027t prevent *all* stupidity."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"As noted in `Security impact`_, if backup/shelve is performed by the admin,"},{"line_number":300,"context_line":"only the admin will be able to perform the corresponding rebuild/unshelve"},{"line_number":301,"context_line":"operation. 
And depending on the `key manager`_ security model, if backup/shelve"},{"line_number":302,"context_line":"is performed by the user, the admin may not be able to perform the"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ce6a82b3","line":299,"range":{"start_line":299,"start_character":35,"end_line":299,"end_character":41},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":296,"context_line":""},{"line_number":297,"context_line":"          We can\u0027t prevent *all* stupidity."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"As noted in `Security impact`_, if backup/shelve is performed by the admin,"},{"line_number":300,"context_line":"only the admin will be able to perform the corresponding rebuild/unshelve"},{"line_number":301,"context_line":"operation. 
And depending on the `key manager`_ security model, if backup/shelve"},{"line_number":302,"context_line":"is performed by the user, the admin may not be able to perform the"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_7f969696","line":299,"range":{"start_line":299,"start_character":35,"end_line":299,"end_character":41},"in_reply_to":"3fa7e38b_ce6a82b3","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":297,"context_line":"          We can\u0027t prevent *all* stupidity."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"As noted in `Security impact`_, if backup/shelve is performed by the admin,"},{"line_number":300,"context_line":"only the admin will be able to perform the corresponding rebuild/unshelve"},{"line_number":301,"context_line":"operation. 
And depending on the `key manager`_ security model, if backup/shelve"},{"line_number":302,"context_line":"is performed by the user, the admin may not be able to perform the"},{"line_number":303,"context_line":"corresponding rebuild/unshelve operation."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_8e680aba","line":300,"range":{"start_line":300,"start_character":57,"end_line":300,"end_character":64},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":297,"context_line":"          We can\u0027t prevent *all* stupidity."},{"line_number":298,"context_line":""},{"line_number":299,"context_line":"As noted in `Security impact`_, if backup/shelve is performed by the admin,"},{"line_number":300,"context_line":"only the admin will be able to perform the corresponding rebuild/unshelve"},{"line_number":301,"context_line":"operation. 
And depending on the `key manager`_ security model, if backup/shelve"},{"line_number":302,"context_line":"is performed by the user, the admin may not be able to perform the"},{"line_number":303,"context_line":"corresponding rebuild/unshelve operation."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_9f91129d","line":300,"range":{"start_line":300,"start_character":57,"end_line":300,"end_character":64},"in_reply_to":"3fa7e38b_8e680aba","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":298,"context_line":""},{"line_number":299,"context_line":"As noted in `Security impact`_, if backup/shelve is performed by the admin,"},{"line_number":300,"context_line":"only the admin will be able to perform the corresponding rebuild/unshelve"},{"line_number":301,"context_line":"operation. 
And depending on the `key manager`_ security model, if backup/shelve"},{"line_number":302,"context_line":"is performed by the user, the admin may not be able to perform the"},{"line_number":303,"context_line":"corresponding rebuild/unshelve operation."},{"line_number":304,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ae6386dc","line":301,"range":{"start_line":301,"start_character":66,"end_line":301,"end_character":72},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":298,"context_line":""},{"line_number":299,"context_line":"As noted in `Security impact`_, if backup/shelve is performed by the admin,"},{"line_number":300,"context_line":"only the admin will be able to perform the corresponding rebuild/unshelve"},{"line_number":301,"context_line":"operation. 
And depending on the `key manager`_ security model, if backup/shelve"},{"line_number":302,"context_line":"is performed by the user, the admin may not be able to perform the"},{"line_number":303,"context_line":"corresponding rebuild/unshelve operation."},{"line_number":304,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_3f8c9e7e","line":301,"range":{"start_line":301,"start_character":66,"end_line":301,"end_character":72},"in_reply_to":"3fa7e38b_ae6386dc","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":300,"context_line":"only the admin will be able to perform the corresponding rebuild/unshelve"},{"line_number":301,"context_line":"operation. And depending on the `key manager`_ security model, if backup/shelve"},{"line_number":302,"context_line":"is performed by the user, the admin may not be able to perform the"},{"line_number":303,"context_line":"corresponding rebuild/unshelve operation."},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"createImage"},{"line_number":306,"context_line":"~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_4e5e9213","line":303,"range":{"start_line":303,"start_character":14,"end_line":303,"end_character":21},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":300,"context_line":"only the admin will be able to perform the corresponding rebuild/unshelve"},{"line_number":301,"context_line":"operation. 
And depending on the `key manager`_ security model, if backup/shelve"},{"line_number":302,"context_line":"is performed by the user, the admin may not be able to perform the"},{"line_number":303,"context_line":"corresponding rebuild/unshelve operation."},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"createImage"},{"line_number":306,"context_line":"~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_5f871a5c","line":303,"range":{"start_line":303,"start_character":14,"end_line":303,"end_character":21},"in_reply_to":"3fa7e38b_4e5e9213","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":302,"context_line":"is performed by the user, the admin may not be able to perform the"},{"line_number":303,"context_line":"corresponding rebuild/unshelve operation."},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"createImage"},{"line_number":306,"context_line":"~~~~~~~~~~~"},{"line_number":307,"context_line":"Because vTPM data is associated with the **instance**, not the **image**, the"},{"line_number":308,"context_line":"``createImage`` flow will not be changed. 
It will be clearly documented that,"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_0e9adac3","line":305,"updated":"2019-12-11 19:53:55.000000000","message":"add createBackup in here","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":302,"context_line":"is performed by the user, the admin may not be able to perform the"},{"line_number":303,"context_line":"corresponding rebuild/unshelve operation."},{"line_number":304,"context_line":""},{"line_number":305,"context_line":"createImage"},{"line_number":306,"context_line":"~~~~~~~~~~~"},{"line_number":307,"context_line":"Because vTPM data is associated with the **instance**, not the **image**, the"},{"line_number":308,"context_line":"``createImage`` flow will not be changed. It will be clearly documented that,"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_bfa5eeb5","line":305,"in_reply_to":"3fa7e38b_0e9adac3","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":346,"context_line":"* The ability of instance owners or admins to perform certain instance"},{"line_number":347,"context_line":"  lifecycle operations may be limited depending on the `security model"},{"line_number":348,"context_line":"  \u003csecurity impact_\u003e`_ used for the `key manager`_."},{"line_number":349,"context_line":"* Since object/secret management is done by the virt driver, deleting an"},{"line_number":350,"context_line":"  instance when the compute host is down can leak those artifacts. 
If the host"},{"line_number":351,"context_line":"  comes back up, those artifacts will be reaped when compute invokes the virt"},{"line_number":352,"context_line":"  driver\u0027s ``destroy``. But if the host never comes back up, they would have to"},{"line_number":353,"context_line":"  be deleted manually."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_0ee89a13","line":350,"range":{"start_line":349,"start_character":60,"end_line":350,"end_character":40},"updated":"2019-12-11 19:53:55.000000000","message":"or deleting an offloaded instance\n\n...unless we delete the swift obj from the API, which we could do, but that\u0027s kind of icky.","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":346,"context_line":"* The ability of instance owners or admins to perform certain instance"},{"line_number":347,"context_line":"  lifecycle operations may be limited depending on the `security model"},{"line_number":348,"context_line":"  \u003csecurity impact_\u003e`_ used for the `key manager`_."},{"line_number":349,"context_line":"* Since object/secret management is done by the virt driver, deleting an"},{"line_number":350,"context_line":"  instance when the compute host is down can leak those artifacts. If the host"},{"line_number":351,"context_line":"  comes back up, those artifacts will be reaped when compute invokes the virt"},{"line_number":352,"context_line":"  driver\u0027s ``destroy``. 
But if the host never comes back up, they would have to"},{"line_number":353,"context_line":"  be deleted manually."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ff884622","line":350,"range":{"start_line":349,"start_character":60,"end_line":350,"end_character":40},"in_reply_to":"3fa7e38b_0ee89a13","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":382,"context_line":"* Use glance or the key manager instead of swift to store the vTPM data for"},{"line_number":383,"context_line":"  those operations. NACKed because those services really aren\u0027t intended for"},{"line_number":384,"context_line":"  that purpose, and (at least glance) may block such usages in the future."},{"line_number":385,"context_line":"* Save vTPM data on any snapshot operation. This adds complexity as well as"},{"line_number":386,"context_line":"  some unintended behaviors, such as the ability to \"clone\" vTPMs."},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"Data model impact"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_eef09efe","line":385,"range":{"start_line":385,"start_character":20,"end_line":385,"end_character":32},"updated":"2019-12-11 19:53:55.000000000","message":"Beef up this bullet to include backup. 
Justify not doing it based on the complexity and being hard to explain to users; and basing behavior mostly on how baremetal is expected to work.","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":382,"context_line":"* Use glance or the key manager instead of swift to store the vTPM data for"},{"line_number":383,"context_line":"  those operations. NACKed because those services really aren\u0027t intended for"},{"line_number":384,"context_line":"  that purpose, and (at least glance) may block such usages in the future."},{"line_number":385,"context_line":"* Save vTPM data on any snapshot operation. This adds complexity as well as"},{"line_number":386,"context_line":"  some unintended behaviors, such as the ability to \"clone\" vTPMs."},{"line_number":387,"context_line":""},{"line_number":388,"context_line":"Data model impact"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_7f7c561f","line":385,"range":{"start_line":385,"start_character":20,"end_line":385,"end_character":32},"in_reply_to":"3fa7e38b_eef09efe","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":387,"context_line":""},{"line_number":388,"context_line":"Data model impact"},{"line_number":389,"context_line":"-----------------"},{"line_number":390,"context_line":"The ``ImageMetaProps`` object needs a new version adding:"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"* ``hw_tpm_version``"},{"line_number":393,"context_line":"* 
``hw_tpm_model``"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_6edcae70","line":390,"updated":"2019-12-11 19:53:55.000000000","message":"The notification image meta obj needs to be kept in sync, as it turns out.","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":387,"context_line":""},{"line_number":388,"context_line":"Data model impact"},{"line_number":389,"context_line":"-----------------"},{"line_number":390,"context_line":"The ``ImageMetaProps`` object needs a new version adding:"},{"line_number":391,"context_line":""},{"line_number":392,"context_line":"* ``hw_tpm_version``"},{"line_number":393,"context_line":"* ``hw_tpm_model``"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_5f6dda64","line":390,"in_reply_to":"3fa7e38b_6edcae70","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":431,"context_line":"The object store service allows full access to an object by the admin user,"},{"line_number":432,"context_line":"regardless of who created the object. There is currently no facility for"},{"line_number":433,"context_line":"restricting admins to e.g. only deleting objects. Thus, if a ``createBackup``"},{"line_number":434,"context_line":"or ``shelve`` operation has been performed, the contents of the vTPM device"},{"line_number":435,"context_line":"will be available to the admin. 
They are encrypted, so without access to the"},{"line_number":436,"context_line":"key, we are still trusting the strength of the encryption to protect the data."},{"line_number":437,"context_line":"However, this increases the attack surface, assuming the object store admin is"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_eec97eaa","line":434,"range":{"start_line":434,"start_character":5,"end_line":434,"end_character":11},"updated":"2019-12-11 19:53:55.000000000","message":"shelve-offload","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":430,"context_line":"~~~~~~~~~~~~"},{"line_number":431,"context_line":"The object store service allows full access to an object by the admin user,"},{"line_number":432,"context_line":"regardless of who created the object. There is currently no facility for"},{"line_number":433,"context_line":"restricting admins to e.g. only deleting objects. Thus, if a ``createBackup``"},{"line_number":434,"context_line":"or ``shelve`` operation has been performed, the contents of the vTPM device"},{"line_number":435,"context_line":"will be available to the admin. 
They are encrypted, so without access to the"},{"line_number":436,"context_line":"key, we are still trusting the strength of the encryption to protect the data."},{"line_number":437,"context_line":"However, this increases the attack surface, assuming the object store admin is"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_cec6029d","line":434,"range":{"start_line":433,"start_character":61,"end_line":434,"end_character":2},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":430,"context_line":"~~~~~~~~~~~~"},{"line_number":431,"context_line":"The object store service allows full access to an object by the admin user,"},{"line_number":432,"context_line":"regardless of who created the object. There is currently no facility for"},{"line_number":433,"context_line":"restricting admins to e.g. only deleting objects. Thus, if a ``createBackup``"},{"line_number":434,"context_line":"or ``shelve`` operation has been performed, the contents of the vTPM device"},{"line_number":435,"context_line":"will be available to the admin. 
They are encrypted, so without access to the"},{"line_number":436,"context_line":"key, we are still trusting the strength of the encryption to protect the data."},{"line_number":437,"context_line":"However, this increases the attack surface, assuming the object store admin is"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ff8da629","line":434,"range":{"start_line":433,"start_character":61,"end_line":434,"end_character":2},"in_reply_to":"3fa7e38b_cec6029d","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":431,"context_line":"The object store service allows full access to an object by the admin user,"},{"line_number":432,"context_line":"regardless of who created the object. There is currently no facility for"},{"line_number":433,"context_line":"restricting admins to e.g. only deleting objects. Thus, if a ``createBackup``"},{"line_number":434,"context_line":"or ``shelve`` operation has been performed, the contents of the vTPM device"},{"line_number":435,"context_line":"will be available to the admin. 
They are encrypted, so without access to the"},{"line_number":436,"context_line":"key, we are still trusting the strength of the encryption to protect the data."},{"line_number":437,"context_line":"However, this increases the attack surface, assuming the object store admin is"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_1f91a246","line":434,"range":{"start_line":434,"start_character":5,"end_line":434,"end_character":11},"in_reply_to":"3fa7e38b_eec97eaa","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":437,"context_line":"However, this increases the attack surface, assuming the object store admin is"},{"line_number":438,"context_line":"different from whoever has access to the original file on the compute host."},{"line_number":439,"context_line":""},{"line_number":440,"context_line":"By the same token (heh) if ``createBackup`` or ``shelve`` is performed by the"},{"line_number":441,"context_line":"admin, the vTPM data object will be created and owned by the admin, and"},{"line_number":442,"context_line":"therefore only the admin will be able to perform the mirror operation"},{"line_number":443,"context_line":"(``rebuild``, ``unshelve``)."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_8ec48a93","line":440,"range":{"start_line":440,"start_character":27,"end_line":440,"end_character":47},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":437,"context_line":"However, this increases 
the attack surface, assuming the object store admin is"},{"line_number":438,"context_line":"different from whoever has access to the original file on the compute host."},{"line_number":439,"context_line":""},{"line_number":440,"context_line":"By the same token (heh) if ``createBackup`` or ``shelve`` is performed by the"},{"line_number":441,"context_line":"admin, the vTPM data object will be created and owned by the admin, and"},{"line_number":442,"context_line":"therefore only the admin will be able to perform the mirror operation"},{"line_number":443,"context_line":"(``rebuild``, ``unshelve``)."}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_5fe95aa8","line":440,"range":{"start_line":440,"start_character":27,"end_line":440,"end_character":47},"in_reply_to":"3fa7e38b_8ec48a93","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":440,"context_line":"By the same token (heh) if ``createBackup`` or ``shelve`` is performed by the"},{"line_number":441,"context_line":"admin, the vTPM data object will be created and owned by the admin, and"},{"line_number":442,"context_line":"therefore only the admin will be able to perform the mirror operation"},{"line_number":443,"context_line":"(``rebuild``, ``unshelve``)."},{"line_number":444,"context_line":""},{"line_number":445,"context_line":"Key manager"},{"line_number":446,"context_line":"~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_0e365ab5","line":443,"range":{"start_line":443,"start_character":1,"end_line":443,"end_character":14},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric 
Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":440,"context_line":"By the same token (heh) if ``createBackup`` or ``shelve`` is performed by the"},{"line_number":441,"context_line":"admin, the vTPM data object will be created and owned by the admin, and"},{"line_number":442,"context_line":"therefore only the admin will be able to perform the mirror operation"},{"line_number":443,"context_line":"(``rebuild``, ``unshelve``)."},{"line_number":444,"context_line":""},{"line_number":445,"context_line":"Key manager"},{"line_number":446,"context_line":"~~~~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ff2926f1","line":443,"range":{"start_line":443,"start_character":1,"end_line":443,"end_character":14},"in_reply_to":"3fa7e38b_0e365ab5","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":492,"context_line":"  operations to define, set the value, and undefine the vTPM\u0027s secret in"},{"line_number":493,"context_line":"  libvirt."},{"line_number":494,"context_line":"* Additional API calls to the object store (swift) are needed to create"},{"line_number":495,"context_line":"  (shelve/backup), retrieve (unshelve/rebuild), and delete (unshelve/destroy)"},{"line_number":496,"context_line":"  the vTPM device data object."},{"line_number":497,"context_line":""},{"line_number":498,"context_line":"Other deployer impact"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ce3b6298","line":495,"range":{"start_line":495,"start_character":9,"end_line":495,"end_character":16},"updated":"2019-12-11 
19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":492,"context_line":"  operations to define, set the value, and undefine the vTPM\u0027s secret in"},{"line_number":493,"context_line":"  libvirt."},{"line_number":494,"context_line":"* Additional API calls to the object store (swift) are needed to create"},{"line_number":495,"context_line":"  (shelve/backup), retrieve (unshelve/rebuild), and delete (unshelve/destroy)"},{"line_number":496,"context_line":"  the vTPM device data object."},{"line_number":497,"context_line":""},{"line_number":498,"context_line":"Other deployer impact"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_ee3e5e88","line":495,"range":{"start_line":495,"start_character":37,"end_line":495,"end_character":45},"updated":"2019-12-11 19:53:55.000000000","message":"x","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":492,"context_line":"  operations to define, set the value, and undefine the vTPM\u0027s secret in"},{"line_number":493,"context_line":"  libvirt."},{"line_number":494,"context_line":"* Additional API calls to the object store (swift) are needed to create"},{"line_number":495,"context_line":"  (shelve/backup), retrieve (unshelve/rebuild), and delete (unshelve/destroy)"},{"line_number":496,"context_line":"  the vTPM device data object."},{"line_number":497,"context_line":""},{"line_number":498,"context_line":"Other deployer 
impact"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_df0b0a79","line":495,"range":{"start_line":495,"start_character":9,"end_line":495,"end_character":16},"in_reply_to":"3fa7e38b_ce3b6298","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"a89c958882e8740ad087ca9159954fb8963521de","unresolved":false,"context_lines":[{"line_number":492,"context_line":"  operations to define, set the value, and undefine the vTPM\u0027s secret in"},{"line_number":493,"context_line":"  libvirt."},{"line_number":494,"context_line":"* Additional API calls to the object store (swift) are needed to create"},{"line_number":495,"context_line":"  (shelve/backup), retrieve (unshelve/rebuild), and delete (unshelve/destroy)"},{"line_number":496,"context_line":"  the vTPM device data object."},{"line_number":497,"context_line":""},{"line_number":498,"context_line":"Other deployer impact"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_7f269618","line":495,"range":{"start_line":495,"start_character":37,"end_line":495,"end_character":45},"in_reply_to":"3fa7e38b_ee3e5e88","updated":"2019-12-12 00:48:20.000000000","message":"Done","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4b2f810d9bb78cef15180ab5e12b9c777e777ec4","unresolved":false,"context_lines":[{"line_number":562,"context_line":"- Cold migration"},{"line_number":563,"context_line":"- Host reboot (how?)"},{"line_number":564,"context_line":"- Shelve (offload) and unshelve"},{"line_number":565,"context_line":"- Backup and rebuild"},{"line_number":566,"context_line":""},{"line_number":567,"context_line":"Documentation 
Impact"},{"line_number":568,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":10,"id":"3fa7e38b_4e4f7234","line":565,"range":{"start_line":565,"start_character":0,"end_line":565,"end_character":20},"updated":"2019-12-11 19:53:55.000000000","message":"...which gets a fresh vTPM (how do we prove that?)","commit_id":"c0800ea9d1957c636e4e129eba90b8a8b192c299"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d6ad47d9179ff6ac8396c0b1660b99ca282ba7dd","unresolved":false,"context_lines":[{"line_number":63,"context_line":"  should add suitable version checks (in the case of LibvirtDriver, this would"},{"line_number":64,"context_line":"  include checks for both libvirt and qemu). Currently emulated TPM is only"},{"line_number":65,"context_line":"  supported for x86, though this is an implementation detail rather than an"},{"line_number":66,"context_line":"  architectural limitation."},{"line_number":67,"context_line":"* The ``swtpm`` binary and libraries on the host."},{"line_number":68,"context_line":"* Access to a castellan-compatible key manager, such as barbican, for storing"},{"line_number":69,"context_line":"  the passphrase used to encrypt the virtual device\u0027s data. 
(The key manager"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_0d40ae5e","line":66,"updated":"2020-01-08 12:43:17.000000000","message":"References to this would be nice","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d6ad47d9179ff6ac8396c0b1660b99ca282ba7dd","unresolved":false,"context_lines":[{"line_number":107,"context_line":""},{"line_number":108,"context_line":"* Use the existing ``COMPUTE_SECURITY_TPM_1_2`` and"},{"line_number":109,"context_line":"  ``COMPUTE_SECURITY_TPM_2_0`` traits. These represent the two different"},{"line_number":110,"context_line":"  versions of the TPM spec that are currently supported. (Note that 2.0 is not"},{"line_number":111,"context_line":"  backward compatible with 1.2, so we can\u0027t just ignore 1.2. A summary of the"},{"line_number":112,"context_line":"  differences between the two versions is currently available here_.) 
When all"},{"line_number":113,"context_line":"  the Prerequisites_ have been met and the Config_ switch is on, the libvirt"},{"line_number":114,"context_line":"  compute driver will set both of these traits on the compute node resource"},{"line_number":115,"context_line":"  provider."}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_6d328211","line":112,"range":{"start_line":110,"start_character":58,"end_line":112,"end_character":67},"updated":"2020-01-08 12:43:17.000000000","message":"++","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d6ad47d9179ff6ac8396c0b1660b99ca282ba7dd","unresolved":false,"context_lines":[{"line_number":129,"context_line":"          flavor extra_specs or image metadata, this would only serve to"},{"line_number":130,"context_line":"          land the instance on a capable host; it would not trigger the libvirt"},{"line_number":131,"context_line":"          driver to create the virtual TPM device. Therefore, to avoid"},{"line_number":132,"context_line":"          confusion, this will not be documented as a possibility."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_cd2296ba","line":132,"updated":"2020-01-08 12:43:17.000000000","message":"Why? We allow people to request CPUs this way? 
What\u0027s different with this?\n\nI feel I\u0027ve asked this question before...\n\nLater: yup, considered and rejected https://review.opendev.org/#/c/686804/9/specs/ussuri/approved/add-emulated-virtual-tpm.rst@132","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"65fc467c8f0342a313bfcfd027e28fdddb51312a","unresolved":false,"context_lines":[{"line_number":129,"context_line":"          flavor extra_specs or image metadata, this would only serve to"},{"line_number":130,"context_line":"          land the instance on a capable host; it would not trigger the libvirt"},{"line_number":131,"context_line":"          driver to create the virtual TPM device. Therefore, to avoid"},{"line_number":132,"context_line":"          confusion, this will not be documented as a possibility."},{"line_number":133,"context_line":""},{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_9620df9c","line":132,"in_reply_to":"3fa7e38b_cd2296ba","updated":"2020-01-14 10:52:09.000000000","message":"well we don\u0027t: CPUs are requested via a resource class, not a trait.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d6ad47d9179ff6ac8396c0b1660b99ca282ba7dd","unresolved":false,"context_lines":[{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. 
If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."},{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 1.2, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"To summarize, all and only the following combinations are supported, and are"},{"line_number":140,"context_line":"mutually exclusive (none are inter-compatible):"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_ed1d1277","line":137,"updated":"2020-01-08 12:43:17.000000000","message":"I assume we need to care about CRB and can\u0027t just choose a sensible default? Feels like a lot of knobs\n\nLater: also asked this previously, but the difference between 2.0/TIS and 2.0/CRB isn\u0027t entirely clearly to me still https://review.opendev.org/#/c/686804/9/specs/ussuri/approved/add-emulated-virtual-tpm.rst@137","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"502cf4cfd4b575c59657bfa2732db4a175693300","unresolved":false,"context_lines":[{"line_number":134,"context_line":"  * ``hw:tpm_model\u003d{TIS|CRB}``. Indicates the emulated model to be used. 
If"},{"line_number":135,"context_line":"    omitted, the default is ``TIS`` (this corresponds to the libvirt default)."},{"line_number":136,"context_line":"    ``CRB`` is only compatible with TPM version 2.0; if ``CRB`` is requested"},{"line_number":137,"context_line":"    with version 1.2, an error will be raised from the API."},{"line_number":138,"context_line":""},{"line_number":139,"context_line":"To summarize, all and only the following combinations are supported, and are"},{"line_number":140,"context_line":"mutually exclusive (none are inter-compatible):"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_d17f8cdb","line":137,"in_reply_to":"3fa7e38b_ed1d1277","updated":"2020-01-08 15:20:56.000000000","message":"I don\u0027t know the difference either; just that there is one.\n\nAs noted on L135, we *are* choosing a default (TIS, which is the libvirt default if you\u0027re setting one of these things up by hand).","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67b52c3a6d0c59249f066a4d5cb78c4c8ba19b97","unresolved":false,"context_lines":[{"line_number":151,"context_line":"two values do not match, an exception will be raised from the API by the"},{"line_number":152,"context_line":"flavor/image validator."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":".. 
_here: https://en.wikipedia.org/wiki/Trusted_Platform_Module#TPM_1.2_vs_TPM_2.0"},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"Instance Lifecycle Operations"},{"line_number":157,"context_line":"-----------------------------"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_76281897","line":154,"range":{"start_line":154,"start_character":0,"end_line":154,"end_character":82},"updated":"2020-01-07 22:17:56.000000000","message":"nit i would still prefer this to be in the reference section but its fine.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67b52c3a6d0c59249f066a4d5cb78c4c8ba19b97","unresolved":false,"context_lines":[{"line_number":246,"context_line":"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"},{"line_number":247,"context_line":"Restoring vTPM data when unshelving a shelve-offloaded server requires the vTPM"},{"line_number":248,"context_line":"data to be persisted somewhere. We can\u0027t put it with the image itself, as it\u0027s"},{"line_number":249,"context_line":"data external to the instance disk. So we propose to put it in object-store"},{"line_number":250,"context_line":"(swift) and maintain reference to the swift object in the instance\u0027s"},{"line_number":251,"context_line":"``system_metadata``."},{"line_number":252,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_514e466e","line":249,"range":{"start_line":249,"start_character":60,"end_line":249,"end_character":63},"updated":"2020-01-07 22:17:56.000000000","message":"nit: in an ...","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67b52c3a6d0c59249f066a4d5cb78c4c8ba19b97","unresolved":false,"context_lines":[{"line_number":256,"context_line":"#. 
Save the swift object ID and digital signature (sha256) of the directory to"},{"line_number":257,"context_line":"   the instance\u0027s ``system_metadata`` under the (new) ``tpm_object_id`` and"},{"line_number":258,"context_line":"   ``tpm_object_sha256`` keys."},{"line_number":259,"context_line":"#. Create the appropriate ``hw_tpm_version`` and/or ``hw_tpm_model`` metadata"},{"line_number":260,"context_line":"   properties on the image. (This is to close the gap where the vTPM on"},{"line_number":261,"context_line":"   original VM was created at the behest of image, rather than flavor,"},{"line_number":262,"context_line":"   properties. It ensures the proper scheduling on unshelve, and that the"},{"line_number":263,"context_line":"   correct version/model is created on the target.)"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"The unshelve operation on a shelved (but not offloaded) instance should \"just"},{"line_number":266,"context_line":"work\" (except for deleting the swift object; see below). The code path for"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_d16236d9","line":263,"range":{"start_line":259,"start_character":0,"end_line":263,"end_character":51},"updated":"2020-01-07 22:17:56.000000000","message":"+1","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67b52c3a6d0c59249f066a4d5cb78c4c8ba19b97","unresolved":false,"context_lines":[{"line_number":307,"context_line":"and virt driver:"},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"The ``ComputeDriver.snapshot()`` contract currently does not specify a return"},{"line_number":310,"context_line":"value. It will be changed to allow returning a file-like with the (prepackaged)"},{"line_number":311,"context_line":"backing device data. 
The libvirt driver implementation will open a ``tar`` pipe"},{"line_number":312,"context_line":"and return that handle. The compute manager is responsible for reading from"},{"line_number":313,"context_line":"that handle and pushing the contents into the swift object. (Implementation"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_f1ec1229","line":310,"range":{"start_line":310,"start_character":46,"end_line":310,"end_character":57},"updated":"2020-01-07 22:17:56.000000000","message":"you mean an io stream right\nin this case it will be an input stream","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7f84c12ae0f399d0f14686eccc80434bb4dcddca","unresolved":false,"context_lines":[{"line_number":307,"context_line":"and virt driver:"},{"line_number":308,"context_line":""},{"line_number":309,"context_line":"The ``ComputeDriver.snapshot()`` contract currently does not specify a return"},{"line_number":310,"context_line":"value. It will be changed to allow returning a file-like with the (prepackaged)"},{"line_number":311,"context_line":"backing device data. The libvirt driver implementation will open a ``tar`` pipe"},{"line_number":312,"context_line":"and return that handle. The compute manager is responsible for reading from"},{"line_number":313,"context_line":"that handle and pushing the contents into the swift object. 
(Implementation"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_110bee7b","line":310,"range":{"start_line":310,"start_character":46,"end_line":310,"end_character":57},"in_reply_to":"3fa7e38b_f1ec1229","updated":"2020-01-07 22:38:48.000000000","message":"Yeah, something like that.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67b52c3a6d0c59249f066a4d5cb78c4c8ba19b97","unresolved":false,"context_lines":[{"line_number":319,"context_line":".. _`spawn during unshelve`:"},{"line_number":320,"context_line":""},{"line_number":321,"context_line":"The compute driver touchpoint for unshelving an offloaded instance is"},{"line_number":322,"context_line":"``spawn()``. This method will get a new kwarg which is a file-like. If not"},{"line_number":323,"context_line":"``None``, virt driver implementations are responsible for streaming from that"},{"line_number":324,"context_line":"handle and reversing whatever was done during ``snapshot()`` (in this case un-\\"},{"line_number":325,"context_line":"``tar``\\ -ing). For the unshelve path for offloaded instances, the compute"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_b1da1a76","line":322,"range":{"start_line":322,"start_character":57,"end_line":322,"end_character":66},"updated":"2020-01-07 22:17:56.000000000","message":"and in this case it will be an output stream\n\ne.g. 
these \nhttps://docs.python.org/3/library/io.html\n\nwe also probably expect it to be a binary stream.\n\nthe compute manager will just be reading/writing to it but we don\u0027t want it to be a text stream/handle as the data should not be decoded/encoded as text.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67b52c3a6d0c59249f066a4d5cb78c4c8ba19b97","unresolved":false,"context_lines":[{"line_number":350,"context_line":"responsibility is placed on the user to avoid scenarios like:"},{"line_number":351,"context_line":""},{"line_number":352,"context_line":"* Using the TPM to create a master key and not saving that master key (in your"},{"line_number":353,"context_line":"  rebuild image, or elsewhere)."},{"line_number":354,"context_line":"* Creating your original VM with one TPM version/model based on image metadata"},{"line_number":355,"context_line":"  and rebuilding with a different version/model."},{"line_number":356,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_714ee239","line":353,"range":{"start_line":353,"start_character":20,"end_line":353,"end_character":29},"updated":"2020-01-07 22:17:56.000000000","message":"such as in barbican. that is out of scope of the spec but that is just where i would store it. 
if your cloud provides a secure key store then you might as well use it.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7f84c12ae0f399d0f14686eccc80434bb4dcddca","unresolved":false,"context_lines":[{"line_number":350,"context_line":"responsibility is placed on the user to avoid scenarios like:"},{"line_number":351,"context_line":""},{"line_number":352,"context_line":"* Using the TPM to create a master key and not saving that master key (in your"},{"line_number":353,"context_line":"  rebuild image, or elsewhere)."},{"line_number":354,"context_line":"* Creating your original VM with one TPM version/model based on image metadata"},{"line_number":355,"context_line":"  and rebuilding with a different version/model."},{"line_number":356,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_1180cebd","line":353,"range":{"start_line":353,"start_character":20,"end_line":353,"end_character":29},"in_reply_to":"3fa7e38b_714ee239","updated":"2020-01-07 22:38:48.000000000","message":"Or on a post-it note on your desk.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67b52c3a6d0c59249f066a4d5cb78c4c8ba19b97","unresolved":false,"context_lines":[{"line_number":361,"context_line":"* If there is an existing vTPM and neither the flavor nor the image asks for"},{"line_number":362,"context_line":"  one, delete it."},{"line_number":363,"context_line":"* If there is an existing vTPM and the flavor or image asks for one, leave the"},{"line_number":364,"context_line":"  backing file alone. 
(As noted above, if the user messed up the version/model"},{"line_number":365,"context_line":"  or used an incompatible image, that\u0027s on them.)"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"Evacuate"},{"line_number":368,"context_line":"~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_d16c769e","line":365,"range":{"start_line":364,"start_character":22,"end_line":365,"end_character":49},"updated":"2020-01-07 22:17:56.000000000","message":"we could perhaps add an api check for this use case at some point in the future. i think its ok to defer until we know if this is something that commonly comes up.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"502cf4cfd4b575c59657bfa2732db4a175693300","unresolved":false,"context_lines":[{"line_number":361,"context_line":"* If there is an existing vTPM and neither the flavor nor the image asks for"},{"line_number":362,"context_line":"  one, delete it."},{"line_number":363,"context_line":"* If there is an existing vTPM and the flavor or image asks for one, leave the"},{"line_number":364,"context_line":"  backing file alone. (As noted above, if the user messed up the version/model"},{"line_number":365,"context_line":"  or used an incompatible image, that\u0027s on them.)"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"Evacuate"},{"line_number":368,"context_line":"~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_51f2bc6a","line":365,"range":{"start_line":364,"start_character":22,"end_line":365,"end_character":49},"in_reply_to":"3fa7e38b_28b3180b","updated":"2020-01-08 15:20:56.000000000","message":"Dah, I forgot we still have access to the old image meta during rebuild. 
Will fix.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d6ad47d9179ff6ac8396c0b1660b99ca282ba7dd","unresolved":false,"context_lines":[{"line_number":361,"context_line":"* If there is an existing vTPM and neither the flavor nor the image asks for"},{"line_number":362,"context_line":"  one, delete it."},{"line_number":363,"context_line":"* If there is an existing vTPM and the flavor or image asks for one, leave the"},{"line_number":364,"context_line":"  backing file alone. (As noted above, if the user messed up the version/model"},{"line_number":365,"context_line":"  or used an incompatible image, that\u0027s on them.)"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"Evacuate"},{"line_number":368,"context_line":"~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_28b3180b","line":365,"range":{"start_line":364,"start_character":22,"end_line":365,"end_character":49},"in_reply_to":"3fa7e38b_7170220a","updated":"2020-01-08 12:43:17.000000000","message":"Who says we need to check the backing file? Can\u0027t we just check the image to see if the vTPM-related metadata is identical? If not, fail.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"7f84c12ae0f399d0f14686eccc80434bb4dcddca","unresolved":false,"context_lines":[{"line_number":361,"context_line":"* If there is an existing vTPM and neither the flavor nor the image asks for"},{"line_number":362,"context_line":"  one, delete it."},{"line_number":363,"context_line":"* If there is an existing vTPM and the flavor or image asks for one, leave the"},{"line_number":364,"context_line":"  backing file alone. 
(As noted above, if the user messed up the version/model"},{"line_number":365,"context_line":"  or used an incompatible image, that\u0027s on them.)"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"Evacuate"},{"line_number":368,"context_line":"~~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_7170220a","line":365,"range":{"start_line":364,"start_character":22,"end_line":365,"end_character":49},"in_reply_to":"3fa7e38b_d16c769e","updated":"2020-01-07 22:38:48.000000000","message":"My point is precisely that we can\u0027t do an API check. There\u0027s no (reasonable) way to discover the version/model of a backing file by itself.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67b52c3a6d0c59249f066a4d5cb78c4c8ba19b97","unresolved":false,"context_lines":[{"line_number":372,"context_line":"TPM is left behind even if the rest of the state is resurrected on another"},{"line_number":373,"context_line":"system via shared storage."},{"line_number":374,"context_line":""},{"line_number":375,"context_line":"(It may be possible to mitigate this by mounting ``/var/lib/libvirt/swtpm/`` on"},{"line_number":376,"context_line":"shared storage, though libvirt\u0027s management of that directory on guest"},{"line_number":377,"context_line":"creation/teardown may stymie such attempts. This would also bring in additional"},{"line_number":378,"context_line":"security concerns. 
In any case, it would be an exercise for the admin; nothing"},{"line_number":379,"context_line":"will be done in nova to support or prevent it.)"},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"Destroy"},{"line_number":382,"context_line":"~~~~~~~"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_b11f7a07","line":379,"range":{"start_line":375,"start_character":0,"end_line":379,"end_character":47},"updated":"2020-01-07 22:17:56.000000000","message":"yep if you mounted it on nfs or cephfs then it would give you the ability to preserve it across evacuates but would also have the same issue with running nova with the instance data directory on nfs. it can be done but its really up to the admin to decide if the added complexity is worth it.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d6ad47d9179ff6ac8396c0b1660b99ca282ba7dd","unresolved":false,"context_lines":[{"line_number":432,"context_line":"  ``resources[$S]:COMPUTE_SECURITY_TPM_*``. Rejected mainly due to the"},{"line_number":433,"context_line":"  (unnecessary) additional complexity, and because we don\u0027t want to get in the"},{"line_number":434,"context_line":"  business of assuming there\u0027s no use case for \"land me on a vTPM (in)capable"},{"line_number":435,"context_line":"  host, but don\u0027t set one up (yet)\"."},{"line_number":436,"context_line":"* Use physical passthrough (``\u003cbackend type\u003d\u0027passthrough\u0027\u003e``) of a real"},{"line_number":437,"context_line":"  (hardware) TPM device. 
This is not feasible with current TPM hardware because"},{"line_number":438,"context_line":"  (among other things) changing ownership of the secrets requires a host"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_a8be28cb","line":435,"updated":"2020-01-08 12:43:17.000000000","message":"There\u0027s another alternative: support both, like we do VCPU/PCPU. It\u0027s still unclear to me why we\u0027re not doing this. It seems trivial and provides some level of consistency.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"d6ad47d9179ff6ac8396c0b1660b99ca282ba7dd","unresolved":false,"context_lines":[{"line_number":458,"context_line":""},{"line_number":459,"context_line":"* ``hw_tpm_version``"},{"line_number":460,"context_line":"* ``hw_tpm_model``"},{"line_number":461,"context_line":"* ``tpm_object_id``"},{"line_number":462,"context_line":"* ``tpm_object_sha256``"},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"REST API impact"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_489f7464","line":461,"range":{"start_line":461,"start_character":4,"end_line":461,"end_character":17},"updated":"2020-01-08 12:43:17.000000000","message":"These won\u0027t be exposed via the API, right? i.e. 
someone won\u0027t see them when using \u0027openstack image show $IMAGE\u0027 and won\u0027t be able to set them via \u0027openstack image set $IMAGE --property tpm_object_id foo\u0027","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"545fc2eab66e27167d7cdc37dff8b1ad2930bf3f","unresolved":false,"context_lines":[{"line_number":458,"context_line":""},{"line_number":459,"context_line":"* ``hw_tpm_version``"},{"line_number":460,"context_line":"* ``hw_tpm_model``"},{"line_number":461,"context_line":"* ``tpm_object_id``"},{"line_number":462,"context_line":"* ``tpm_object_sha256``"},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"REST API impact"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_3359fd5b","line":461,"range":{"start_line":461,"start_character":4,"end_line":461,"end_character":17},"in_reply_to":"3fa7e38b_111be47f","updated":"2020-01-14 10:41:14.000000000","message":"Mostly because it seems like internal config that\u0027s not relevant to the user and that we wouldn\u0027t want them setting themselves","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"65fc467c8f0342a313bfcfd027e28fdddb51312a","unresolved":false,"context_lines":[{"line_number":458,"context_line":""},{"line_number":459,"context_line":"* ``hw_tpm_version``"},{"line_number":460,"context_line":"* ``hw_tpm_model``"},{"line_number":461,"context_line":"* ``tpm_object_id``"},{"line_number":462,"context_line":"* ``tpm_object_sha256``"},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"REST API 
impact"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_b67ddb71","line":461,"range":{"start_line":461,"start_character":4,"end_line":461,"end_character":17},"in_reply_to":"3fa7e38b_3359fd5b","updated":"2020-01-14 10:52:09.000000000","message":"if its stored in the ImageMetaProps object it will automatically be exposed in the payload as we recently refactored that and the user will be able to see it in the glance image too so one way or another its going to be visible to them and since this is the only place we store it i dont see a way around that unless we decided to store it in the nova db. i think there was a reason not to store it in the system metadata however.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"502cf4cfd4b575c59657bfa2732db4a175693300","unresolved":false,"context_lines":[{"line_number":458,"context_line":""},{"line_number":459,"context_line":"* ``hw_tpm_version``"},{"line_number":460,"context_line":"* ``hw_tpm_model``"},{"line_number":461,"context_line":"* ``tpm_object_id``"},{"line_number":462,"context_line":"* ``tpm_object_sha256``"},{"line_number":463,"context_line":""},{"line_number":464,"context_line":"REST API impact"}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_111be47f","line":461,"range":{"start_line":461,"start_character":4,"end_line":461,"end_character":17},"in_reply_to":"3fa7e38b_489f7464","updated":"2020-01-08 15:20:56.000000000","message":"Why not?\n\nAre we concerned about exposing the object ID/sha?","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67b52c3a6d0c59249f066a4d5cb78c4c8ba19b97","unresolved":false,"context_lines":[{"line_number":626,"context_line":""},{"line_number":627,"context_line":"- Live 
migration"},{"line_number":628,"context_line":"- Cold migration"},{"line_number":629,"context_line":"- Host reboot (how?)"},{"line_number":630,"context_line":"- Shelve (offload) and unshelve"},{"line_number":631,"context_line":"- Backup and rebuild"},{"line_number":632,"context_line":""}],"source_content_type":"text/x-rst","patch_set":12,"id":"3fa7e38b_b1cd3a87","line":629,"range":{"start_line":629,"start_character":1,"end_line":629,"end_character":20},"updated":"2020-01-07 22:17:56.000000000","message":"zuul actually can support this you just need to have an ansible task to reboot the vm and then wait for it to start again but before validating the effects. that said im not sure if we need to do that.","commit_id":"2a3984a22f5c659f86cb9756ba80ef5603c79ffe"}]}
