)]}'
{"specs/wallaby/approved/ephemeral-encryption.rst":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":106,"context_line":"The format will be provided as a string that maps to a disk encryption format"},{"line_number":107,"context_line":"constant as provided by os-brick, for example:"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"* ``plain`` for the plain dm-crypt format"},{"line_number":110,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":111,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Optional encryption format options could then be provided by the following"},{"line_number":114,"context_line":"flavor extra spec and image property:"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_03f2239a","line":111,"range":{"start_line":109,"start_character":0,"end_line":111,"end_character":34},"updated":"2020-11-17 15:45:13.000000000","message":"Can you say what format will be the default if the user specifies neither \u0027hw:ephemeral_encryption_format\u0027 nor \u0027hw_ephemeral_encryption_format\u0027?","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":106,"context_line":"The format will be provided as a string that maps to a disk encryption format"},{"line_number":107,"context_line":"constant as provided by os-brick, for example:"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"* ``plain`` for the plain dm-crypt 
format"},{"line_number":110,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":111,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Optional encryption format options could then be provided by the following"},{"line_number":114,"context_line":"flavor extra spec and image property:"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_19c56c3d","line":111,"range":{"start_line":109,"start_character":0,"end_line":111,"end_character":34},"in_reply_to":"1f621f24_03f2239a","updated":"2020-11-19 17:33:08.000000000","message":"So I was going to leave defaults to the actual computes using the [ephemeral_storage_encryption]/default_format configurable. I wasn\u0027t going to provide a default for that as it could end up being used across different virt drivers but we *could* if you think it\u0027s worthwhile.","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":110,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":111,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Optional encryption format options could then be provided by the following"},{"line_number":114,"context_line":"flavor extra spec and image property:"},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"* ``hw:ephemeral_encryption_options``"},{"line_number":117,"context_line":"* ``hw_ephemeral_encryption_options``"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"An additional host configurable will also provide defaults for each supported"},{"line_number":120,"context_line":"format per 
compute."}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_63e837b2","line":117,"range":{"start_line":113,"start_character":0,"end_line":117,"end_character":37},"updated":"2020-11-17 15:45:13.000000000","message":"I\u0027m not sure about this one. This feels like we\u0027re getting very much into the weeds. Is this not something we could choose sane defaults for?","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":110,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":111,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":112,"context_line":""},{"line_number":113,"context_line":"Optional encryption format options could then be provided by the following"},{"line_number":114,"context_line":"flavor extra spec and image property:"},{"line_number":115,"context_line":""},{"line_number":116,"context_line":"* ``hw:ephemeral_encryption_options``"},{"line_number":117,"context_line":"* ``hw_ephemeral_encryption_options``"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"An additional host configurable will also provide defaults for each supported"},{"line_number":120,"context_line":"format per compute."}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_390af089","line":117,"range":{"start_line":113,"start_character":0,"end_line":117,"end_character":37},"in_reply_to":"1f621f24_63e837b2","updated":"2020-11-19 17:33:08.000000000","message":"We could hardcode sane defaults into the below configurable but I also wanted to provide some flexibility to operators/admins who might want to change these per flavor/image.","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":116,"context_line":"* ``hw:ephemeral_encryption_options``"},{"line_number":117,"context_line":"* ``hw_ephemeral_encryption_options``"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"An additional host configurable will also provide defaults for each supported"},{"line_number":120,"context_line":"format per compute."},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"* ``[ephemeral_storage_encryption]/default_options``"},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"These will be provided as a simple dict of encryption format options. For"},{"line_number":125,"context_line":"example the following default options could be provided when attempting to use"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_6301576a","line":122,"range":{"start_line":119,"start_character":0,"end_line":122,"end_character":52},"updated":"2020-11-17 15:45:13.000000000","message":"I\u0027m also not sure about this. If there\u0027s a legitimate reason to make e.g. the hashing algorithm used for a given format configurable, then can we expose those via flat config options, e.g.\n\n  [ephemeral_storage_encryption]\n  luks_hash_algorithm \u003d sha256\n\nThat assumes that these kinds of knobs are even necessary though. 
I don\u0027t think you\u0027ve touched on why they would be","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":116,"context_line":"* ``hw:ephemeral_encryption_options``"},{"line_number":117,"context_line":"* ``hw_ephemeral_encryption_options``"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"An additional host configurable will also provide defaults for each supported"},{"line_number":120,"context_line":"format per compute."},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"* ``[ephemeral_storage_encryption]/default_options``"},{"line_number":123,"context_line":""},{"line_number":124,"context_line":"These will be provided as a simple dict of encryption format options. For"},{"line_number":125,"context_line":"example the following default options could be provided when attempting to use"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_ad2176a2","line":122,"range":{"start_line":119,"start_character":0,"end_line":122,"end_character":52},"in_reply_to":"1f621f24_6301576a","updated":"2020-11-19 17:33:08.000000000","message":"I just wanted to avoid an explosion of new configurables in order to support each new format tbh as the available options for a given format can also differ between hypervisors.\n\nI can touch on why I think these are useful knobs to expose in a respin.","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":150,"context_line":"the 
instance:"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"* ``encrypted``"},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"A simple boolean to indicate if the block device is encrypted. This will"},{"line_number":155,"context_line":"initially only be populated when ephemeral encryption is used but could easily"},{"line_number":156,"context_line":"be used for encrypted volumes as well in the future."}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_23191fd6","line":153,"updated":"2020-11-17 15:45:13.000000000","message":"style nit:\n\n  ``term``\n      definition\n\nto render a definition list, which is what I think you\u0027re going for here. If you want to keep the bullet points, you need to indent the paragraph\n\n  * ``term``\n\n    definition","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":150,"context_line":"the instance:"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"* ``encrypted``"},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"A simple boolean to indicate if the block device is encrypted. 
This will"},{"line_number":155,"context_line":"initially only be populated when ephemeral encryption is used but could easily"},{"line_number":156,"context_line":"be used for encrypted volumes as well in the future."}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_8d2632b7","line":153,"in_reply_to":"1f621f24_23191fd6","updated":"2020-11-19 17:33:08.000000000","message":"ACK thanks","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":157,"context_line":""},{"line_number":158,"context_line":"* ``encryption_secret_uuid``"},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"As the name suggests this will contain the uuid of the associated encryption"},{"line_number":161,"context_line":"secret for the disk. 
The type of secret used here will be specific to the"},{"line_number":162,"context_line":"encryption format and virt driver used, it should not be assumed that this will"},{"line_number":163,"context_line":"always been an symmetric key as is currently the case with all encrypted"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_e3ec47bc","line":160,"range":{"start_line":160,"start_character":43,"end_line":160,"end_character":47},"updated":"2020-11-17 15:45:13.000000000","message":"nit: UUID","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":157,"context_line":""},{"line_number":158,"context_line":"* ``encryption_secret_uuid``"},{"line_number":159,"context_line":""},{"line_number":160,"context_line":"As the name suggests this will contain the uuid of the associated encryption"},{"line_number":161,"context_line":"secret for the disk. 
The type of secret used here will be specific to the"},{"line_number":162,"context_line":"encryption format and virt driver used, it should not be assumed that this will"},{"line_number":163,"context_line":"always been an symmetric key as is currently the case with all encrypted"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_032b3194","line":160,"range":{"start_line":160,"start_character":43,"end_line":160,"end_character":47},"in_reply_to":"1f621f24_e3ec47bc","updated":"2020-11-19 17:33:08.000000000","message":"Done","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":166,"context_line":""},{"line_number":167,"context_line":"* ``encryption_format``"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"A new ``BlockDeviceEncryptionFormatType`` ENUM and associated"},{"line_number":170,"context_line":"``BlockDeviceEncryptionFormatTypeField`` field listing the encryption format."},{"line_number":171,"context_line":"The available options being kept in line with the constants currently provided"},{"line_number":172,"context_line":"by os-brick and potentially merged in the future if both can share these types"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_c3294be6","line":169,"range":{"start_line":169,"start_character":42,"end_line":169,"end_character":46},"updated":"2020-11-17 15:45:13.000000000","message":"enum","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee 
Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":166,"context_line":""},{"line_number":167,"context_line":"* ``encryption_format``"},{"line_number":168,"context_line":""},{"line_number":169,"context_line":"A new ``BlockDeviceEncryptionFormatType`` ENUM and associated"},{"line_number":170,"context_line":"``BlockDeviceEncryptionFormatTypeField`` field listing the encryption format."},{"line_number":171,"context_line":"The available options being kept in line with the constants currently provided"},{"line_number":172,"context_line":"by os-brick and potentially merged in the future if both can share these types"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_63195d87","line":169,"range":{"start_line":169,"start_character":42,"end_line":169,"end_character":46},"in_reply_to":"1f621f24_c3294be6","updated":"2020-11-19 17:33:08.000000000","message":"Done","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":172,"context_line":"by os-brick and potentially merged in the future if both can share these types"},{"line_number":173,"context_line":"and fields somehow."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* ``encryption_options``"},{"line_number":176,"context_line":""},{"line_number":177,"context_line":"A simple dict of encryption options specific to the hypervisor and format being"},{"line_number":178,"context_line":"used as listed above."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"Populate ephemeral encryption BlockDeviceMapping attributes during 
build"},{"line_number":181,"context_line":"-------------------------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_437b7bf3","line":178,"range":{"start_line":175,"start_character":0,"end_line":178,"end_character":21},"updated":"2020-11-17 15:45:13.000000000","message":"I guess we should store this even if we choose sane defaults, just so we can change those defaults in the future without breaking existing instances","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":172,"context_line":"by os-brick and potentially merged in the future if both can share these types"},{"line_number":173,"context_line":"and fields somehow."},{"line_number":174,"context_line":""},{"line_number":175,"context_line":"* ``encryption_options``"},{"line_number":176,"context_line":""},{"line_number":177,"context_line":"A simple dict of encryption options specific to the hypervisor and format being"},{"line_number":178,"context_line":"used as listed above."},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"Populate ephemeral encryption BlockDeviceMapping attributes during build"},{"line_number":181,"context_line":"-------------------------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_431ed970","line":178,"range":{"start_line":175,"start_character":0,"end_line":178,"end_character":21},"in_reply_to":"1f621f24_437b7bf3","updated":"2020-11-19 17:33:08.000000000","message":"Yup correct.","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":181,"context_line":"-------------------------------------------------------------------------"},{"line_number":182,"context_line":""},{"line_number":183,"context_line":"When launching an instance with ephemeral encryption requested via either the"},{"line_number":184,"context_line":"image or flavor the ``encrypted`` ``BlockDeviceMapping`` attribute will be set"},{"line_number":185,"context_line":"to True for each ``local`` device. This will happen after the original API bdm"},{"line_number":186,"context_line":"dicts have been transformed into objects within the Compute API but before"},{"line_number":187,"context_line":"scheduling the instance(s)."}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_6384b7d3","line":184,"range":{"start_line":184,"start_character":20,"end_line":184,"end_character":56},"updated":"2020-11-17 15:45:13.000000000","message":"``BlockDeviceMapping.encrypted``","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":182,"context_line":""},{"line_number":183,"context_line":"When launching an instance with ephemeral encryption requested via either the"},{"line_number":184,"context_line":"image or flavor the ``encrypted`` ``BlockDeviceMapping`` attribute will be set"},{"line_number":185,"context_line":"to True for each ``local`` device. 
This will happen after the original API bdm"},{"line_number":186,"context_line":"dicts have been transformed into objects within the Compute API but before"},{"line_number":187,"context_line":"scheduling the instance(s)."},{"line_number":188,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_037503fa","line":185,"range":{"start_line":185,"start_character":17,"end_line":185,"end_character":26},"updated":"2020-11-17 15:45:13.000000000","message":"*local*\n\n(I assume this isn\u0027t a symbol)","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":182,"context_line":""},{"line_number":183,"context_line":"When launching an instance with ephemeral encryption requested via either the"},{"line_number":184,"context_line":"image or flavor the ``encrypted`` ``BlockDeviceMapping`` attribute will be set"},{"line_number":185,"context_line":"to True for each ``local`` device. 
This will happen after the original API bdm"},{"line_number":186,"context_line":"dicts have been transformed into objects within the Compute API but before"},{"line_number":187,"context_line":"scheduling the instance(s)."},{"line_number":188,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_e36f2725","line":185,"range":{"start_line":185,"start_character":75,"end_line":185,"end_character":78},"updated":"2020-11-17 15:45:13.000000000","message":"BDM","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":187,"context_line":"scheduling the instance(s)."},{"line_number":188,"context_line":""},{"line_number":189,"context_line":"The ``encryption_format`` and ``encryption_options`` attributes will also take"},{"line_number":190,"context_line":"their values from the image or flavor if provided. 
"},{"line_number":191,"context_line":""},{"line_number":192,"context_line":"Any differences or conflicts between the image and flavor for either of these"},{"line_number":193,"context_line":"will raise an error in the API that will result in the failure of the initial"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_23675f4f","line":190,"range":{"start_line":190,"start_character":50,"end_line":190,"end_character":51},"updated":"2020-11-17 15:45:13.000000000","message":"nit (below also)","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":209,"context_line":"``block_device_info`` dict understood by the virt layer that at present"},{"line_number":210,"context_line":"contains the following:"},{"line_number":211,"context_line":""},{"line_number":212,"context_line":"* ``root_device_name``"},{"line_number":213,"context_line":""},{"line_number":214,"context_line":"The root device path used by the instance."},{"line_number":215,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_a3524f65","line":212,"updated":"2020-11-17 15:45:13.000000000","message":"same comment RE: definition lists","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":273,"context_line":"Introduce new compatibility traits"},{"line_number":274,"context_line":"----------------------------------"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"A new ``COMPUTE_EPHEMERAL_ENCRYPTION`` compute compatibility trait will 
be"},{"line_number":277,"context_line":"added to os-traits and reported by virt drivers to indicate overall support for"},{"line_number":278,"context_line":"ephemeral storage encryption using this new approach."},{"line_number":279,"context_line":""},{"line_number":280,"context_line":"New ``COMPUTE_EPHEMERAL_ENCRYPTION_$FORMAT`` compute compatibility traits will"},{"line_number":281,"context_line":"be added to os-traits and reported by virt drivers to indicate support for"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_c3b30b97","line":278,"range":{"start_line":276,"start_character":0,"end_line":278,"end_character":53},"updated":"2020-11-17 15:45:13.000000000","message":"Is there any reason for this when you have the specific types? I guess you need this in order to support the \u0027[ephemeral_storage_encryption]/default_format\u0027 config opt, because without this generic trait you\u0027ve no way of requesting a host that can provide _some_ kind of ephemeral storage encryption. If that\u0027s the case, you need to document this. 
If that\u0027s *not* the case, you should probably remove both this and the idea of \u0027[ephemeral_storage_encryption]/default_format\u0027","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":273,"context_line":"Introduce new compatibility traits"},{"line_number":274,"context_line":"----------------------------------"},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"A new ``COMPUTE_EPHEMERAL_ENCRYPTION`` compute compatibility trait will be"},{"line_number":277,"context_line":"added to os-traits and reported by virt drivers to indicate overall support for"},{"line_number":278,"context_line":"ephemeral storage encryption using this new approach."},{"line_number":279,"context_line":""},{"line_number":280,"context_line":"New ``COMPUTE_EPHEMERAL_ENCRYPTION_$FORMAT`` compute compatibility traits will"},{"line_number":281,"context_line":"be added to os-traits and reported by virt drivers to indicate support for"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_bec19e83","line":278,"range":{"start_line":276,"start_character":0,"end_line":278,"end_character":53},"in_reply_to":"1f621f24_c3b30b97","updated":"2020-11-19 17:33:08.000000000","message":"Correct that\u0027s the case, I\u0027ll add an explanation about this now.","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":299,"context_line":"is encrypted at rest through the metadata API, accessible from within 
their"},{"line_number":300,"context_line":"instance."},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"  .. code-block:: json"},{"line_number":303,"context_line":""},{"line_number":304,"context_line":"    {"},{"line_number":305,"context_line":"        \"devices\": ["}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_636e7700","line":302,"range":{"start_line":302,"start_character":0,"end_line":302,"end_character":2},"updated":"2020-11-17 15:45:13.000000000","message":"drop","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":299,"context_line":"is encrypted at rest through the metadata API, accessible from within their"},{"line_number":300,"context_line":"instance."},{"line_number":301,"context_line":""},{"line_number":302,"context_line":"  .. 
code-block:: json"},{"line_number":303,"context_line":""},{"line_number":304,"context_line":"    {"},{"line_number":305,"context_line":"        \"devices\": ["}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_3e092edd","line":302,"range":{"start_line":302,"start_character":0,"end_line":302,"end_character":2},"in_reply_to":"1f621f24_636e7700","updated":"2020-11-19 17:33:08.000000000","message":"Done","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":325,"context_line":"                \"serial\": \"disk-vol-2352423\","},{"line_number":326,"context_line":"                \"path\": \"/dev/sda\","},{"line_number":327,"context_line":"                \"tags\": [\"baz\"]"},{"line_number":328,"context_line":"            },"},{"line_number":329,"context_line":"        ],"},{"line_number":330,"context_line":"    }"},{"line_number":331,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_c3614b07","line":328,"range":{"start_line":328,"start_character":13,"end_line":328,"end_character":14},"updated":"2020-11-17 15:45:13.000000000","message":"This isn\u0027t valid JSON.\n\nStupid JSON. 
:(","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":325,"context_line":"                \"serial\": \"disk-vol-2352423\","},{"line_number":326,"context_line":"                \"path\": \"/dev/sda\","},{"line_number":327,"context_line":"                \"tags\": [\"baz\"]"},{"line_number":328,"context_line":"            },"},{"line_number":329,"context_line":"        ],"},{"line_number":330,"context_line":"    }"},{"line_number":331,"context_line":""}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_9e0e5ae3","line":328,"range":{"start_line":328,"start_character":13,"end_line":328,"end_character":14},"in_reply_to":"1f621f24_c3614b07","updated":"2020-11-19 17:33:08.000000000","message":"Done","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":326,"context_line":"                \"path\": \"/dev/sda\","},{"line_number":327,"context_line":"                \"tags\": [\"baz\"]"},{"line_number":328,"context_line":"            },"},{"line_number":329,"context_line":"        ],"},{"line_number":330,"context_line":"    }"},{"line_number":331,"context_line":""},{"line_number":332,"context_line":"This should also be extended to cover disks provided by encrypted volumes but"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_03586353","line":329,"range":{"start_line":329,"start_character":9,"end_line":329,"end_character":10},"updated":"2020-11-17 
15:45:13.000000000","message":"ditto","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":326,"context_line":"                \"path\": \"/dev/sda\","},{"line_number":327,"context_line":"                \"tags\": [\"baz\"]"},{"line_number":328,"context_line":"            },"},{"line_number":329,"context_line":"        ],"},{"line_number":330,"context_line":"    }"},{"line_number":331,"context_line":""},{"line_number":332,"context_line":"This should also be extended to cover disks provided by encrypted volumes but"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_7e13b60e","line":329,"range":{"start_line":329,"start_character":9,"end_line":329,"end_character":10},"in_reply_to":"1f621f24_03586353","updated":"2020-11-19 17:33:08.000000000","message":"Done","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":405,"context_line":"Other deployer impact"},{"line_number":406,"context_line":"---------------------"},{"line_number":407,"context_line":""},{"line_number":408,"context_line":"This feature relies heavily on operators and admins providing sane defaults to"},{"line_number":409,"context_line":"their users either during the initial deployment via configurables or later"},{"line_number":410,"context_line":"through images and flavors."},{"line_number":411,"context_line":""},{"line_number":412,"context_line":"Developer 
impact"},{"line_number":413,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_e32727c6","line":410,"range":{"start_line":408,"start_character":0,"end_line":410,"end_character":27},"updated":"2020-11-17 15:45:13.000000000","message":"...unless we do that for them...","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"be4890a3789e518eda5168d4e956df5a3829ac69","unresolved":false,"context_lines":[{"line_number":405,"context_line":"Other deployer impact"},{"line_number":406,"context_line":"---------------------"},{"line_number":407,"context_line":""},{"line_number":408,"context_line":"This feature relies heavily on operators and admins providing sane defaults to"},{"line_number":409,"context_line":"their users either during the initial deployment via configurables or later"},{"line_number":410,"context_line":"through images and flavors."},{"line_number":411,"context_line":""},{"line_number":412,"context_line":"Developer impact"},{"line_number":413,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"fffc6b78_5ea072a6","line":410,"range":{"start_line":408,"start_character":0,"end_line":410,"end_character":27},"in_reply_to":"1f621f24_e32727c6","updated":"2020-11-19 17:33:08.000000000","message":"Removed.","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"b12ae2cfc60d57728b220e65fb0cfbf3b4e1f2d0","unresolved":false,"context_lines":[{"line_number":510,"context_line":""},{"line_number":511,"context_line":"History"},{"line_number":512,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":513,"context_line":""},{"line_number":514,"context_line":"Optional section intended to be used each time the spec is updated to describe"},{"line_number":515,"context_line":"new design, API or any database schema updated. Useful to let reader understand"},{"line_number":516,"context_line":"what\u0027s happened along the time."},{"line_number":517,"context_line":""},{"line_number":518,"context_line":".. list-table:: Revisions"},{"line_number":519,"context_line":"   :header-rows: 1"}],"source_content_type":"text/x-rst","patch_set":7,"id":"1f621f24_6315d748","line":516,"range":{"start_line":513,"start_character":0,"end_line":516,"end_character":31},"updated":"2020-11-17 15:45:13.000000000","message":"nit: drop","commit_id":"7756c820c555c3b264ad0ba563510e2dab2111d2"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ff55bb6f000fd61850157653701237af0a2fec5b","unresolved":false,"context_lines":[{"line_number":107,"context_line":"requested an additional host configurable will be used to provide a default"},{"line_number":108,"context_line":"format per compute, this will initially default to ``luks``:"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"* ``[ephemeral_storage_encryption]/default_format``"},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"The format will be provided as a string that maps to a disk encryption format"},{"line_number":113,"context_line":"constant as provided by os-brick, for 
example:"}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_a04ccd76","line":110,"updated":"2020-11-20 12:26:40.000000000","message":"Note that this will lead to different behavior for the same request (a flavor with \u0027hw:ephemeral_encryption\u0027 but without \u0027hw:ephemeral_encryption_format\u0027) across clouds. However, given flavors ops are admin-only by default, I don\u0027t _think_ that\u0027s an issue. Worth noting all the same though","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"959125f5e724c88cdceabe599504aeda41c96699","unresolved":false,"context_lines":[{"line_number":107,"context_line":"requested an additional host configurable will be used to provide a default"},{"line_number":108,"context_line":"format per compute, this will initially default to ``luks``:"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"* ``[ephemeral_storage_encryption]/default_format``"},{"line_number":111,"context_line":""},{"line_number":112,"context_line":"The format will be provided as a string that maps to a disk encryption format"},{"line_number":113,"context_line":"constant as provided by os-brick, for example:"}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_5bfd1639","line":110,"in_reply_to":"fffc6b78_a04ccd76","updated":"2020-11-20 14:39:39.000000000","message":"ACK done.","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ff55bb6f000fd61850157653701237af0a2fec5b","unresolved":false,"context_lines":[{"line_number":116,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":117,"context_line":"* ``luksv2`` for the LUKSv2 
format"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Optional encryption format options could then be provided by the following"},{"line_number":120,"context_line":"flavor extra spec and image property:"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"* ``hw:ephemeral_encryption_options``"},{"line_number":123,"context_line":"* ``hw_ephemeral_encryption_options``"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Again when ephemeral encryption is requested but these options have not been"},{"line_number":126,"context_line":"provided an additional host configurable will be used to provide defaults for"},{"line_number":127,"context_line":"each supported format per compute:"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* ``[ephemeral_storage_encryption]/default_options``"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"These options will be provided as a simple dict of encryption format options."},{"line_number":132,"context_line":"For example the following default options could be provided when attempting to"},{"line_number":133,"context_line":"use ``luks`` encrypted ephemeral storage when using the `libvirt virt driver`_:"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":".. 
code-block:: json"},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"    {"},{"line_number":138,"context_line":"        \"luks\": {"},{"line_number":139,"context_line":"            \"cipher\": {"},{"line_number":140,"context_line":"                \"name\": \"aes\","},{"line_number":141,"context_line":"                \"size\": 256,"},{"line_number":142,"context_line":"                \"mode\": \"xts\","},{"line_number":143,"context_line":"                \"hash\": \"sha256\","},{"line_number":144,"context_line":"            },"},{"line_number":145,"context_line":"            \"ivgen\": {"},{"line_number":146,"context_line":"                \"name\": \"plain64\","},{"line_number":147,"context_line":"                \"hash\": \"sha256\","},{"line_number":148,"context_line":"            }"},{"line_number":149,"context_line":"        }"},{"line_number":150,"context_line":"    }"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"BlockDeviceMapping changes"},{"line_number":153,"context_line":"--------------------------"}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_406081cf","line":150,"range":{"start_line":119,"start_character":0,"end_line":150,"end_character":5},"updated":"2020-11-20 12:26:40.000000000","message":"I still don\u0027t like this. I could probably live with the config option if I had to (though tbc, I don\u0027t want to), but the extra specs feel like a massive case of YAGNI with a serious BDMv2\u0027y vibe about it. We haven\u0027t described what it would look like but it\u0027s going to have to be a CSV list of key-value pairs, presumably? That\u0027s going to be a PITA to validate too, fwiw :(\n\nHave we discussed this with customers/operators? If so, is this a must-have or nice-to-have. 
If the former, have they explained why it\u0027s a must have, as opposed to us selecting sane defaults for them?\n\nAlso, if we have to keep the host-level config then does it make sense to keep it in a new-group? Are these options not hypervisor-specific, i.e. should they be in the \u0027[libvirt]\u0027 group?","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"959125f5e724c88cdceabe599504aeda41c96699","unresolved":false,"context_lines":[{"line_number":116,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":117,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":118,"context_line":""},{"line_number":119,"context_line":"Optional encryption format options could then be provided by the following"},{"line_number":120,"context_line":"flavor extra spec and image property:"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"* ``hw:ephemeral_encryption_options``"},{"line_number":123,"context_line":"* ``hw_ephemeral_encryption_options``"},{"line_number":124,"context_line":""},{"line_number":125,"context_line":"Again when ephemeral encryption is requested but these options have not been"},{"line_number":126,"context_line":"provided an additional host configurable will be used to provide defaults for"},{"line_number":127,"context_line":"each supported format per compute:"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"* ``[ephemeral_storage_encryption]/default_options``"},{"line_number":130,"context_line":""},{"line_number":131,"context_line":"These options will be provided as a simple dict of encryption format options."},{"line_number":132,"context_line":"For example the following default options could be provided when attempting to"},{"line_number":133,"context_line":"use ``luks`` encrypted ephemeral storage when using the `libvirt virt 
driver`_:"},{"line_number":134,"context_line":""},{"line_number":135,"context_line":".. code-block:: json"},{"line_number":136,"context_line":""},{"line_number":137,"context_line":"    {"},{"line_number":138,"context_line":"        \"luks\": {"},{"line_number":139,"context_line":"            \"cipher\": {"},{"line_number":140,"context_line":"                \"name\": \"aes\","},{"line_number":141,"context_line":"                \"size\": 256,"},{"line_number":142,"context_line":"                \"mode\": \"xts\","},{"line_number":143,"context_line":"                \"hash\": \"sha256\","},{"line_number":144,"context_line":"            },"},{"line_number":145,"context_line":"            \"ivgen\": {"},{"line_number":146,"context_line":"                \"name\": \"plain64\","},{"line_number":147,"context_line":"                \"hash\": \"sha256\","},{"line_number":148,"context_line":"            }"},{"line_number":149,"context_line":"        }"},{"line_number":150,"context_line":"    }"},{"line_number":151,"context_line":""},{"line_number":152,"context_line":"BlockDeviceMapping changes"},{"line_number":153,"context_line":"--------------------------"}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_3ba8121e","line":150,"range":{"start_line":119,"start_character":0,"end_line":150,"end_character":5},"in_reply_to":"fffc6b78_406081cf","updated":"2020-11-20 14:39:39.000000000","message":"kk I\u0027ll drop the extra spec and property while leaving it to the virt driver implementations to provide sane defaults and host configurables to adjust things like hash algos etc. 
The virt drivers will also be responsible for storing these in the bdms but that should be trivial to do via block_device_info.","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ff55bb6f000fd61850157653701237af0a2fec5b","unresolved":false,"context_lines":[{"line_number":157,"context_line":"the instance:"},{"line_number":158,"context_line":""},{"line_number":159,"context_line":"``encrypted``"},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"    A simple boolean to indicate if the block device is encrypted. This will"},{"line_number":162,"context_line":"    initially only be populated when ephemeral encryption is used but could"},{"line_number":163,"context_line":"    easily be used for encrypted volumes as well in the future."}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_809f09b3","line":160,"updated":"2020-11-20 12:26:40.000000000","message":"You need to remove this line :( With this line, the below is rendered as a quotation. It has to be\n\n  term\n      definition\n\nnot\n\n  term\n\n      definition","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"959125f5e724c88cdceabe599504aeda41c96699","unresolved":false,"context_lines":[{"line_number":157,"context_line":"the instance:"},{"line_number":158,"context_line":""},{"line_number":159,"context_line":"``encrypted``"},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"    A simple boolean to indicate if the block device is encrypted. 
This will"},{"line_number":162,"context_line":"    initially only be populated when ephemeral encryption is used but could"},{"line_number":163,"context_line":"    easily be used for encrypted volumes as well in the future."}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_9b62de15","line":160,"in_reply_to":"fffc6b78_809f09b3","updated":"2020-11-20 14:39:39.000000000","message":"/o\\ have I told you how much I love rst?!","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ff55bb6f000fd61850157653701237af0a2fec5b","unresolved":false,"context_lines":[{"line_number":189,"context_line":""},{"line_number":190,"context_line":"When launching an instance with ephemeral encryption requested via either the"},{"line_number":191,"context_line":"image or flavor the ``BlockDeviceMapping.encrypted`` attribute will be set to"},{"line_number":192,"context_line":"True for each ``BlockDeviceMapping`` record with a ``destination_type`` value"},{"line_number":193,"context_line":"of ``local``. 
This will happen after the original API BDM dicts have been"},{"line_number":194,"context_line":"transformed into objects within the Compute API but before scheduling the"},{"line_number":195,"context_line":"instance(s)."}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_c0f751f5","line":192,"range":{"start_line":192,"start_character":0,"end_line":192,"end_character":4},"updated":"2020-11-20 12:26:40.000000000","message":"``True``","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"959125f5e724c88cdceabe599504aeda41c96699","unresolved":false,"context_lines":[{"line_number":189,"context_line":""},{"line_number":190,"context_line":"When launching an instance with ephemeral encryption requested via either the"},{"line_number":191,"context_line":"image or flavor the ``BlockDeviceMapping.encrypted`` attribute will be set to"},{"line_number":192,"context_line":"True for each ``BlockDeviceMapping`` record with a ``destination_type`` value"},{"line_number":193,"context_line":"of ``local``. 
This will happen after the original API BDM dicts have been"},{"line_number":194,"context_line":"transformed into objects within the Compute API but before scheduling the"},{"line_number":195,"context_line":"instance(s)."}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_5b07d61d","line":192,"range":{"start_line":192,"start_character":0,"end_line":192,"end_character":4},"in_reply_to":"fffc6b78_c0f751f5","updated":"2020-11-20 14:39:39.000000000","message":"Done","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ff55bb6f000fd61850157653701237af0a2fec5b","unresolved":false,"context_lines":[{"line_number":228,"context_line":"* ``COMPUTE_EPHEMERAL_ENCRYPTION_LUKS``"},{"line_number":229,"context_line":"* ``COMPUTE_EPHEMERAL_ENCRYPTION_LUKSV2``"},{"line_number":230,"context_line":"* ``COMPUTE_EPHEMERAL_ENCRYPTION_PLAIN``"},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"Introduce an ephemeral encryption request pre-filter"},{"line_number":233,"context_line":"----------------------------------------------------"},{"line_number":234,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_803b899a","line":231,"updated":"2020-11-20 12:26:40.000000000","message":"These will be used where the ``hw:ephemeral_encryption_format`` flavor extra spec or ``hw_ephemeral_encryption_format`` image metadata property has been defined.\n\n?","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"959125f5e724c88cdceabe599504aeda41c96699","unresolved":false,"context_lines":[{"line_number":228,"context_line":"* ``COMPUTE_EPHEMERAL_ENCRYPTION_LUKS``"},{"line_number":229,"context_line":"* 
``COMPUTE_EPHEMERAL_ENCRYPTION_LUKSV2``"},{"line_number":230,"context_line":"* ``COMPUTE_EPHEMERAL_ENCRYPTION_PLAIN``"},{"line_number":231,"context_line":""},{"line_number":232,"context_line":"Introduce an ephemeral encryption request pre-filter"},{"line_number":233,"context_line":"----------------------------------------------------"},{"line_number":234,"context_line":""}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_1b0d4e3e","line":231,"in_reply_to":"fffc6b78_803b899a","updated":"2020-11-20 14:39:39.000000000","message":"Yeah correct, I\u0027ll make this clearer.","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ff55bb6f000fd61850157653701237af0a2fec5b","unresolved":false,"context_lines":[{"line_number":248,"context_line":"contains the following:"},{"line_number":249,"context_line":""},{"line_number":250,"context_line":"``root_device_name``"},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"    The root device path used by the instance."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"``ephemerals``"}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_6054a5cb","line":251,"updated":"2020-11-20 12:26:40.000000000","message":"same (drop newlines)","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"959125f5e724c88cdceabe599504aeda41c96699","unresolved":false,"context_lines":[{"line_number":248,"context_line":"contains the following:"},{"line_number":249,"context_line":""},{"line_number":250,"context_line":"``root_device_name``"},{"line_number":251,"context_line":""},{"line_number":252,"context_line":"    The root device path used by the 
instance."},{"line_number":253,"context_line":""},{"line_number":254,"context_line":"``ephemerals``"}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_fb096a31","line":251,"in_reply_to":"fffc6b78_6054a5cb","updated":"2020-11-20 14:39:39.000000000","message":"Done","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ff55bb6f000fd61850157653701237af0a2fec5b","unresolved":false,"context_lines":[{"line_number":270,"context_line":""},{"line_number":271,"context_line":"For example:"},{"line_number":272,"context_line":""},{"line_number":273,"context_line":""},{"line_number":274,"context_line":".. code-block:: JSON "},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"    {"}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_806429bb","line":273,"updated":"2020-11-20 12:26:40.000000000","message":"nit: extra newline","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"959125f5e724c88cdceabe599504aeda41c96699","unresolved":false,"context_lines":[{"line_number":270,"context_line":""},{"line_number":271,"context_line":"For example:"},{"line_number":272,"context_line":""},{"line_number":273,"context_line":""},{"line_number":274,"context_line":".. 
code-block:: JSON "},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"    {"}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_b60d3739","line":273,"in_reply_to":"fffc6b78_806429bb","updated":"2020-11-20 14:39:39.000000000","message":"Done","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ff55bb6f000fd61850157653701237af0a2fec5b","unresolved":false,"context_lines":[{"line_number":271,"context_line":"For example:"},{"line_number":272,"context_line":""},{"line_number":273,"context_line":""},{"line_number":274,"context_line":".. code-block:: JSON "},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"    {"},{"line_number":277,"context_line":"        \"root_device_name\": \"/dev/vda\","}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_e059b5fe","line":274,"range":{"start_line":274,"start_character":16,"end_line":274,"end_character":20},"updated":"2020-11-20 12:26:40.000000000","message":"json ?","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"ff55bb6f000fd61850157653701237af0a2fec5b","unresolved":false,"context_lines":[{"line_number":271,"context_line":"For example:"},{"line_number":272,"context_line":""},{"line_number":273,"context_line":""},{"line_number":274,"context_line":".. 
code-block:: JSON "},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"    {"},{"line_number":277,"context_line":"        \"root_device_name\": \"/dev/vda\","}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_4051a1d8","line":274,"range":{"start_line":274,"start_character":20,"end_line":274,"end_character":21},"updated":"2020-11-20 12:26:40.000000000","message":"whoops","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"959125f5e724c88cdceabe599504aeda41c96699","unresolved":false,"context_lines":[{"line_number":271,"context_line":"For example:"},{"line_number":272,"context_line":""},{"line_number":273,"context_line":""},{"line_number":274,"context_line":".. code-block:: JSON "},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"    {"},{"line_number":277,"context_line":"        \"root_device_name\": \"/dev/vda\","}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_7603cf0e","line":274,"range":{"start_line":274,"start_character":20,"end_line":274,"end_character":21},"in_reply_to":"fffc6b78_4051a1d8","updated":"2020-11-20 14:39:39.000000000","message":"Done","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"959125f5e724c88cdceabe599504aeda41c96699","unresolved":false,"context_lines":[{"line_number":271,"context_line":"For example:"},{"line_number":272,"context_line":""},{"line_number":273,"context_line":""},{"line_number":274,"context_line":".. 
code-block:: JSON "},{"line_number":275,"context_line":""},{"line_number":276,"context_line":"    {"},{"line_number":277,"context_line":"        \"root_device_name\": \"/dev/vda\","}],"source_content_type":"text/x-rst","patch_set":10,"id":"fffc6b78_d608bb29","line":274,"range":{"start_line":274,"start_character":16,"end_line":274,"end_character":20},"in_reply_to":"fffc6b78_e059b5fe","updated":"2020-11-20 14:39:39.000000000","message":"Done","commit_id":"f17580103ce23755c4ac13f200a3a27c1dc7c730"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":18,"context_line":"by Cinder where user selectable `encrypted volume types`_ are available."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Note that this spec will only cover the high level changes to the API and"},{"line_number":21,"context_line":"compute layers, implementation within specific virt drivers is left for"},{"line_number":22,"context_line":"separate specs."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Problem description"},{"line_number":25,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"f478894f_99504186","line":22,"range":{"start_line":21,"start_character":16,"end_line":22,"end_character":15},"updated":"2020-12-01 11:17:43.000000000","message":"Ack, any other open spec for libvirt or not yet ?","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":18,"context_line":"by Cinder where user selectable `encrypted 
volume types`_ are available."},{"line_number":19,"context_line":""},{"line_number":20,"context_line":"Note that this spec will only cover the high level changes to the API and"},{"line_number":21,"context_line":"compute layers, implementation within specific virt drivers is left for"},{"line_number":22,"context_line":"separate specs."},{"line_number":23,"context_line":""},{"line_number":24,"context_line":"Problem description"},{"line_number":25,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4c4c09ad_2d540eb4","line":22,"range":{"start_line":21,"start_character":16,"end_line":22,"end_character":15},"in_reply_to":"f478894f_99504186","updated":"2020-12-01 13:22:09.000000000","message":"Not yet no, I\u0027ll try to get the WIP of that posted today.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":31,"context_line":"compute are forced to use encrypted ephemeral storage using the dm-crypt"},{"line_number":32,"context_line":"``PLAIN`` encryption format."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"This is not ideal and makes ephemeral storage encryption completely transparent"},{"line_number":35,"context_line":"to the end user as opposed to the block storage encryption support provided by"},{"line_number":36,"context_line":"Cinder where users are able to opt-in to using admin defined encrypted volume"},{"line_number":37,"context_line":"types to ensure their storage is encrypted at rest."}],"source_content_type":"text/x-rst","patch_set":11,"id":"3b9f61d4_0dd38564","line":34,"range":{"start_line":34,"start_character":68,"end_line":34,"end_character":79},"updated":"2020-12-01 
11:17:43.000000000","message":"nit: it\u0027s rather opaque for the users, right ? 😉","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":31,"context_line":"compute are forced to use encrypted ephemeral storage using the dm-crypt"},{"line_number":32,"context_line":"``PLAIN`` encryption format."},{"line_number":33,"context_line":""},{"line_number":34,"context_line":"This is not ideal and makes ephemeral storage encryption completely transparent"},{"line_number":35,"context_line":"to the end user as opposed to the block storage encryption support provided by"},{"line_number":36,"context_line":"Cinder where users are able to opt-in to using admin defined encrypted volume"},{"line_number":37,"context_line":"types to ensure their storage is encrypted at rest."}],"source_content_type":"text/x-rst","patch_set":11,"id":"a42c3515_37bdb3e3","line":34,"range":{"start_line":34,"start_character":68,"end_line":34,"end_character":79},"in_reply_to":"3b9f61d4_0dd38564","updated":"2020-12-01 13:22:09.000000000","message":"👍 I\u0027ll switch this back to opaque, for some reason transparent made more sense when I reworked this last but you\u0027re right opaque is the better term.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":66,"context_line":"Proposed change"},{"line_number":67,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"To enable this new flavor extra specs, image properties and 
host configurables"},{"line_number":70,"context_line":"will be introduced. These will control when and how ephemeral storage"},{"line_number":71,"context_line":"encryption at rest is enabled for an instance."},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"da265fb2_88523a8b","line":69,"range":{"start_line":69,"start_character":60,"end_line":69,"end_character":78},"updated":"2020-12-01 11:17:43.000000000","message":"nit: first time I see this wording (pardon my French), but I understand you.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":66,"context_line":"Proposed change"},{"line_number":67,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"To enable this new flavor extra specs, image properties and host configurables"},{"line_number":70,"context_line":"will be introduced. 
These will control when and how ephemeral storage"},{"line_number":71,"context_line":"encryption at rest is enabled for an instance."},{"line_number":72,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"9b032d8d_3aaba195","line":69,"range":{"start_line":69,"start_character":60,"end_line":69,"end_character":78},"in_reply_to":"da265fb2_88523a8b","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"   Seperate image properties have been documented in the"},{"line_number":81,"context_line":"   `Glance image encryption`_ and `Cinder image encryption`_ specs to cover"},{"line_number":82,"context_line":"   how images can be encrypted at rest within Glance."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Allow ephemeral encryption to be configured by flavor, image or config"},{"line_number":85,"context_line":"----------------------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"8b2764dd_b3aae59d","line":82,"updated":"2020-12-01 11:17:43.000000000","message":"thanks for clarifying it, this helps.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":79,"context_line":""},{"line_number":80,"context_line":"   Seperate image properties have been documented in the"},{"line_number":81,"context_line":"   `Glance image encryption`_ and `Cinder image encryption`_ specs to 
cover"},{"line_number":82,"context_line":"   how images can be encrypted at rest within Glance."},{"line_number":83,"context_line":""},{"line_number":84,"context_line":"Allow ephemeral encryption to be configured by flavor, image or config"},{"line_number":85,"context_line":"----------------------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"eef8103c_b248c91b","line":82,"in_reply_to":"8b2764dd_b3aae59d","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":105,"context_line":"requested an additional host configurable will be used to provide a default"},{"line_number":106,"context_line":"format per compute, this will initially default to ``luks``:"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"* ``[ephemeral_storage_encryption]/default_format``"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This could lead to requests against different clouds resulting in a different"},{"line_number":111,"context_line":"ephemeral encryption formats being used but as this is transparent to the end"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b9d878e9_4bba5340","line":108,"updated":"2020-12-01 11:17:43.000000000","message":"nit : I do get the default for hw:ephemeral_encryption_format but what is the default for hw_ephemeral_encryption ? I guess this is False, right? 
(as we don\u0027t want to encrypt storage by default but only when users or ops opt-in).\n\nThat said, this looks obvious to me so I don\u0027t think we need to amend this spec for such triviality.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"1d4816762cc8d025eee282dcee049c67ee4f2665","unresolved":false,"context_lines":[{"line_number":105,"context_line":"requested an additional host configurable will be used to provide a default"},{"line_number":106,"context_line":"format per compute, this will initially default to ``luks``:"},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"* ``[ephemeral_storage_encryption]/default_format``"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This could lead to requests against different clouds resulting in a different"},{"line_number":111,"context_line":"ephemeral encryption formats being used but as this is transparent to the end"}],"source_content_type":"text/x-rst","patch_set":11,"id":"9538e990_cb75f515","line":108,"in_reply_to":"b9d878e9_4bba5340","updated":"2020-12-01 14:38:37.000000000","message":"Correct this is disabled by default actually via the BlockDeviceMapping.encrypted attribute defaulting to False.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":true,"context_lines":[{"line_number":107,"context_line":""},{"line_number":108,"context_line":"* ``[ephemeral_storage_encryption]/default_format``"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This could lead to requests against different clouds resulting in a different"},{"line_number":111,"context_line":"ephemeral 
encryption formats being used but as this is transparent to the end"},{"line_number":112,"context_line":"user from within the instance it shouldn\u0027t have any real impact."},{"line_number":113,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"b0229234_ab1b72a0","line":110,"range":{"start_line":110,"start_character":63,"end_line":110,"end_character":77},"updated":"2020-12-01 13:22:09.000000000","message":"in different","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"1d4816762cc8d025eee282dcee049c67ee4f2665","unresolved":false,"context_lines":[{"line_number":107,"context_line":""},{"line_number":108,"context_line":"* ``[ephemeral_storage_encryption]/default_format``"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This could lead to requests against different clouds resulting in a different"},{"line_number":111,"context_line":"ephemeral encryption formats being used but as this is transparent to the end"},{"line_number":112,"context_line":"user from within the instance it shouldn\u0027t have any real impact."},{"line_number":113,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"ca95dac1_9a482cbb","line":110,"range":{"start_line":110,"start_character":63,"end_line":110,"end_character":77},"in_reply_to":"b0229234_ab1b72a0","updated":"2020-12-01 14:38:37.000000000","message":"Done","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":true,"context_lines":[{"line_number":108,"context_line":"* ``[ephemeral_storage_encryption]/default_format``"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This 
could lead to requests against different clouds resulting in a different"},{"line_number":111,"context_line":"ephemeral encryption formats being used but as this is transparent to the end"},{"line_number":112,"context_line":"user from within the instance it shouldn\u0027t have any real impact."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"The format will be provided as a string that maps to a disk encryption format"}],"source_content_type":"text/x-rst","patch_set":11,"id":"6e807e35_3b1e7b6c","line":111,"range":{"start_line":111,"start_character":55,"end_line":111,"end_character":66},"updated":"2020-12-01 13:22:09.000000000","message":"opaque","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"1d4816762cc8d025eee282dcee049c67ee4f2665","unresolved":false,"context_lines":[{"line_number":108,"context_line":"* ``[ephemeral_storage_encryption]/default_format``"},{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This could lead to requests against different clouds resulting in a different"},{"line_number":111,"context_line":"ephemeral encryption formats being used but as this is transparent to the end"},{"line_number":112,"context_line":"user from within the instance it shouldn\u0027t have any real impact."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"The format will be provided as a string that maps to a disk encryption format"}],"source_content_type":"text/x-rst","patch_set":11,"id":"2192cea1_702de61d","line":111,"range":{"start_line":111,"start_character":55,"end_line":111,"end_character":66},"in_reply_to":"6e807e35_3b1e7b6c","updated":"2020-12-01 14:38:37.000000000","message":"Done","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain 
Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This could lead to requests against different clouds resulting in a different"},{"line_number":111,"context_line":"ephemeral encryption formats being used but as this is transparent to the end"},{"line_number":112,"context_line":"user from within the instance it shouldn\u0027t have any real impact."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"The format will be provided as a string that maps to a disk encryption format"},{"line_number":115,"context_line":"constant as provided by os-brick, for example:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"63911931_b6c58dc0","line":112,"updated":"2020-12-01 11:17:43.000000000","message":"I agree with this statement. Different clouds have different storage strategies, and we\u0027re all good with this, as Nova (and Cinder) is just an abstractional API.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":109,"context_line":""},{"line_number":110,"context_line":"This could lead to requests against different clouds resulting in a different"},{"line_number":111,"context_line":"ephemeral encryption formats being used but as this is transparent to the end"},{"line_number":112,"context_line":"user from within the instance it shouldn\u0027t have any real impact."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"The format will be provided as a string that maps to a disk encryption format"},{"line_number":115,"context_line":"constant as provided by os-brick, for 
example:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"22bbe8fd_3177ab21","line":112,"in_reply_to":"63911931_b6c58dc0","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"* ``plain`` for the plain dm-crypt format"},{"line_number":118,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":119,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"BlockDeviceMapping changes"},{"line_number":122,"context_line":"--------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"87551f41_db885b49","line":119,"updated":"2020-12-01 11:17:43.000000000","message":"nit: you could have shown the config object here as an example, but that\u0027s OK.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":116,"context_line":""},{"line_number":117,"context_line":"* ``plain`` for the plain dm-crypt format"},{"line_number":118,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":119,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"BlockDeviceMapping changes"},{"line_number":122,"context_line":"--------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"55e4b55b_6cec5180","line":119,"in_reply_to":"87551f41_db885b49","updated":"2020-12-01 13:22:09.000000000","message":"Yup good 
point, I\u0027ll reference it here instead.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"48bfed446794cf0c9a8d38fc7b3ed4e53ec077ad","unresolved":true,"context_lines":[{"line_number":117,"context_line":"* ``plain`` for the plain dm-crypt format"},{"line_number":118,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":119,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"BlockDeviceMapping changes"},{"line_number":122,"context_line":"--------------------------"},{"line_number":123,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"a40632f0_783992a1","line":120,"updated":"2020-12-01 11:37:14.000000000","message":"Resize can change the format and turn on / off the encryption?\nRebuild can do the same if the image is changed?","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"0813ff4765223df4d9aae970f575c71ce33e6cd0","unresolved":false,"context_lines":[{"line_number":117,"context_line":"* ``plain`` for the plain dm-crypt format"},{"line_number":118,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":119,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"BlockDeviceMapping changes"},{"line_number":122,"context_line":"--------------------------"},{"line_number":123,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"cefe4efc_989dbf4f","line":120,"in_reply_to":"1e502b6d_b7b7fa01","updated":"2020-12-02 08:48:17.000000000","message":"thanks looks good.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee 
Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":true,"context_lines":[{"line_number":117,"context_line":"* ``plain`` for the plain dm-crypt format"},{"line_number":118,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":119,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"BlockDeviceMapping changes"},{"line_number":122,"context_line":"--------------------------"},{"line_number":123,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"c7cc4bf0_54b80159","line":120,"in_reply_to":"a40632f0_783992a1","updated":"2020-12-01 13:22:09.000000000","message":"I\u0027m not sure that we want to enable that with resize unless we agree to convert existing data between encryption formats. I\u0027ll add a note about that in a respin.\n\nI\u0027m fine with the underlying encryption and/or format changing with a rebuild however as we don\u0027t expect ephemeral data to persist.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"1d4816762cc8d025eee282dcee049c67ee4f2665","unresolved":false,"context_lines":[{"line_number":117,"context_line":"* ``plain`` for the plain dm-crypt format"},{"line_number":118,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":119,"context_line":"* ``luksv2`` for the LUKSv2 format"},{"line_number":120,"context_line":""},{"line_number":121,"context_line":"BlockDeviceMapping changes"},{"line_number":122,"context_line":"--------------------------"},{"line_number":123,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"1e502b6d_b7b7fa01","line":120,"in_reply_to":"c7cc4bf0_54b80159","updated":"2020-12-01 
14:38:37.000000000","message":"Updated.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":143,"context_line":"    ``BlockDeviceEncryptionFormatTypeField`` field listing the encryption"},{"line_number":144,"context_line":"    format. The available options being kept in line with the constants"},{"line_number":145,"context_line":"    currently provided by os-brick and potentially merged in the future if both"},{"line_number":146,"context_line":"    can share these types and fields somehow."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"``encryption_options``"},{"line_number":149,"context_line":"    A simple unversioned dict of strings containing encryption options specific"}],"source_content_type":"text/x-rst","patch_set":11,"id":"53829c0c_e01fb142","line":146,"updated":"2020-12-01 11:17:43.000000000","message":"This is an Enum, so I guess we won\u0027t need to bump the BDM object version if we need to support a new encryption format by the future ? \nThis looks OK to me, but we need some solidly defensive code to be sure we won\u0027t get exceptions in this case.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":143,"context_line":"    ``BlockDeviceEncryptionFormatTypeField`` field listing the encryption"},{"line_number":144,"context_line":"    format. 
The available options being kept in line with the constants"},{"line_number":145,"context_line":"    currently provided by os-brick and potentially merged in the future if both"},{"line_number":146,"context_line":"    can share these types and fields somehow."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"``encryption_options``"},{"line_number":149,"context_line":"    A simple unversioned dict of strings containing encryption options specific"}],"source_content_type":"text/x-rst","patch_set":11,"id":"e785c10c_3292413e","line":146,"in_reply_to":"53829c0c_e01fb142","updated":"2020-12-01 13:22:09.000000000","message":"Yup that\u0027s easily verified by the hardware module in various places.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":160,"context_line":"transformed into objects within the Compute API but before scheduling the"},{"line_number":161,"context_line":"instance(s)."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"The ``encryption_format`` attribute will also take its\u0027 value from the image or"},{"line_number":164,"context_line":"flavor if provided. 
Any differences or conflicts between the image and flavor"},{"line_number":165,"context_line":"for this will raise an error in the API that will result in the failure of the"},{"line_number":166,"context_line":"initial request."},{"line_number":167,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"20824e36_b649cce8","line":164,"range":{"start_line":163,"start_character":0,"end_line":164,"end_character":19},"updated":"2020-12-01 11:17:43.000000000","message":"what if the BDM Enum field doesn\u0027t support yet the new format ?\nDo you think we should have some API validation schema for the encryption formats ?","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":160,"context_line":"transformed into objects within the Compute API but before scheduling the"},{"line_number":161,"context_line":"instance(s)."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"The ``encryption_format`` attribute will also take its\u0027 value from the image or"},{"line_number":164,"context_line":"flavor if provided. Any differences or conflicts between the image and flavor"},{"line_number":165,"context_line":"for this will raise an error in the API that will result in the failure of the"},{"line_number":166,"context_line":"initial request."},{"line_number":167,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"de1c5201_8a341c2c","line":164,"range":{"start_line":163,"start_character":0,"end_line":164,"end_character":19},"in_reply_to":"20824e36_b649cce8","updated":"2020-12-01 13:22:09.000000000","message":"I don\u0027t think a validation schema would help here as the format would be part of the flavor and/or image. 
I\u0027ve posted a PoC where I verify this when updating the BDMs in the API:\n\nhttps://review.opendev.org/c/openstack/nova/+/764486/1/nova/compute/api.py\n\nhttps://review.opendev.org/c/openstack/nova/+/764486/1/nova/virt/hardware.py#2553","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"48bfed446794cf0c9a8d38fc7b3ed4e53ec077ad","unresolved":true,"context_lines":[{"line_number":161,"context_line":"instance(s)."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"The ``encryption_format`` attribute will also take its\u0027 value from the image or"},{"line_number":164,"context_line":"flavor if provided. Any differences or conflicts between the image and flavor"},{"line_number":165,"context_line":"for this will raise an error in the API that will result in the failure of the"},{"line_number":166,"context_line":"initial request."},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"Introduce new compatibility traits"},{"line_number":169,"context_line":"----------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"3d473463_a70e65ac","line":166,"range":{"start_line":164,"start_character":20,"end_line":166,"end_character":16},"updated":"2020-12-01 11:37:14.000000000","message":"Does it mean that if the flavor has no encryption enabled (i.e. hw:ephemeral_encryption is not specified), then the image cannot enable it? 
Or it means that only if the flavor explicitly state hw:ephemeral_encryption\u003dFalse then the image cannot enable it?","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":163,"context_line":"The ``encryption_format`` attribute will also take its\u0027 value from the image or"},{"line_number":164,"context_line":"flavor if provided. Any differences or conflicts between the image and flavor"},{"line_number":165,"context_line":"for this will raise an error in the API that will result in the failure of the"},{"line_number":166,"context_line":"initial request."},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"Introduce new compatibility traits"},{"line_number":169,"context_line":"----------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"6569fce4_7eade512","line":166,"updated":"2020-12-01 11:17:43.000000000","message":"Which kind of error ? I guess a 409 Conflict ?","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":161,"context_line":"instance(s)."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"The ``encryption_format`` attribute will also take its\u0027 value from the image or"},{"line_number":164,"context_line":"flavor if provided. 
Any differences or conflicts between the image and flavor"},{"line_number":165,"context_line":"for this will raise an error in the API that will result in the failure of the"},{"line_number":166,"context_line":"initial request."},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"Introduce new compatibility traits"},{"line_number":169,"context_line":"----------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"d3014f2c_1db6786d","line":166,"range":{"start_line":164,"start_character":20,"end_line":166,"end_character":16},"in_reply_to":"3d473463_a70e65ac","updated":"2020-12-01 13:22:09.000000000","message":"I\u0027m reusing stephenfin\u0027s _get_unique_flavor_image_meta helper in hardware.py that should allow the case where hw:ephemeral_encryption\u003dFalse is set but hw_ephemeral_encryption isn\u0027t. The result being that ephemeral encryption is disabled for the instance:\n\nhttps://github.com/openstack/nova/blob/16cabdd100b88aa72f93a0c5c87ed8a186be786d/nova/virt/hardware.py#L1205-L1231","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":true,"context_lines":[{"line_number":163,"context_line":"The ``encryption_format`` attribute will also take its\u0027 value from the image or"},{"line_number":164,"context_line":"flavor if provided. 
Any differences or conflicts between the image and flavor"},{"line_number":165,"context_line":"for this will raise an error in the API that will result in the failure of the"},{"line_number":166,"context_line":"initial request."},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"Introduce new compatibility traits"},{"line_number":169,"context_line":"----------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"737adf05_2d51d969","line":166,"in_reply_to":"6569fce4_7eade512","updated":"2020-12-01 13:22:09.000000000","message":"It\u0027s currently raising a generic 400 Bad Request but a 409 Conflict might make more sense. I\u0027ll update this in a respin.\n\nhttps://review.opendev.org/c/openstack/nova/+/760456/2/nova/tests/functional/test_ephemeral_encryption.py#69","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"1d4816762cc8d025eee282dcee049c67ee4f2665","unresolved":false,"context_lines":[{"line_number":163,"context_line":"The ``encryption_format`` attribute will also take its\u0027 value from the image or"},{"line_number":164,"context_line":"flavor if provided. 
Any differences or conflicts between the image and flavor"},{"line_number":165,"context_line":"for this will raise an error in the API that will result in the failure of the"},{"line_number":166,"context_line":"initial request."},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"Introduce new compatibility traits"},{"line_number":169,"context_line":"----------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"49202d4f_6fe12999","line":166,"in_reply_to":"737adf05_2d51d969","updated":"2020-12-01 14:38:37.000000000","message":"Done","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"0813ff4765223df4d9aae970f575c71ce33e6cd0","unresolved":false,"context_lines":[{"line_number":161,"context_line":"instance(s)."},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"The ``encryption_format`` attribute will also take its\u0027 value from the image or"},{"line_number":164,"context_line":"flavor if provided. 
Any differences or conflicts between the image and flavor"},{"line_number":165,"context_line":"for this will raise an error in the API that will result in the failure of the"},{"line_number":166,"context_line":"initial request."},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"Introduce new compatibility traits"},{"line_number":169,"context_line":"----------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"dbb20374_d4b66376","line":166,"range":{"start_line":164,"start_character":20,"end_line":166,"end_character":16},"in_reply_to":"d3014f2c_1db6786d","updated":"2020-12-02 08:48:17.000000000","message":"OK, so if a value is not defined in the flavor then and only then the default value can be overridden by the image","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":198,"context_line":"are provided. 
As outlined above this will always include the"},{"line_number":199,"context_line":"``COMPUTE_EPHEMERAL_ENCRYPTION`` trait when ephemeral encryption has been"},{"line_number":200,"context_line":"requested and may optionally include one of the format specific traits if a"},{"line_number":201,"context_line":"format is included in the request."},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"Expose ephemeral encryption attributes via block_device_info"},{"line_number":204,"context_line":"------------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4c348b91_6b0954f5","line":201,"updated":"2020-12-01 11:17:43.000000000","message":"++ with the whole Placement strategy, this should also work with rolling upgrades for free.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":198,"context_line":"are provided. 
As outlined above this will always include the"},{"line_number":199,"context_line":"``COMPUTE_EPHEMERAL_ENCRYPTION`` trait when ephemeral encryption has been"},{"line_number":200,"context_line":"requested and may optionally include one of the format specific traits if a"},{"line_number":201,"context_line":"format is included in the request."},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"Expose ephemeral encryption attributes via block_device_info"},{"line_number":204,"context_line":"------------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"a170dd1b_707b9aa9","line":201,"in_reply_to":"4c348b91_6b0954f5","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"48bfed446794cf0c9a8d38fc7b3ed4e53ec077ad","unresolved":true,"context_lines":[{"line_number":266,"context_line":"configurations are handled between the different layers. 
In the long term we"},{"line_number":267,"context_line":"should plan to remove ``block_device_info`` and replace it with direct access"},{"line_number":268,"context_line":"to ``BlockDeviceMapping`` based objects ensuring the entire configuration is"},{"line_number":269,"context_line":"always exposed to the virt layer."},{"line_number":270,"context_line":""},{"line_number":271,"context_line":"Report that a disk is encrypted at rest through the metadata API"},{"line_number":272,"context_line":"----------------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"f4160088_7dc420a3","line":269,"updated":"2020-12-01 11:37:14.000000000","message":"+1","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":266,"context_line":"configurations are handled between the different layers. 
In the long term we"},{"line_number":267,"context_line":"should plan to remove ``block_device_info`` and replace it with direct access"},{"line_number":268,"context_line":"to ``BlockDeviceMapping`` based objects ensuring the entire configuration is"},{"line_number":269,"context_line":"always exposed to the virt layer."},{"line_number":270,"context_line":""},{"line_number":271,"context_line":"Report that a disk is encrypted at rest through the metadata API"},{"line_number":272,"context_line":"----------------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"c6fe8528_6efc2197","line":269,"in_reply_to":"f4160088_7dc420a3","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":292,"context_line":"                \"address\": \"0:0\","},{"line_number":293,"context_line":"                \"serial\": \"12352423\","},{"line_number":294,"context_line":"                \"path\": \"/dev/vda\","},{"line_number":295,"context_line":"                \"encrypted\": \"True\""},{"line_number":296,"context_line":"            },"},{"line_number":297,"context_line":"            {"},{"line_number":298,"context_line":"                \"type\": \"disk\","}],"source_content_type":"text/x-rst","patch_set":11,"id":"fe0c222d_d041a317","line":295,"updated":"2020-12-01 11:17:43.000000000","message":"I guess because you\u0027ll lookup the BDM object relative fields, right?","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee 
Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":292,"context_line":"                \"address\": \"0:0\","},{"line_number":293,"context_line":"                \"serial\": \"12352423\","},{"line_number":294,"context_line":"                \"path\": \"/dev/vda\","},{"line_number":295,"context_line":"                \"encrypted\": \"True\""},{"line_number":296,"context_line":"            },"},{"line_number":297,"context_line":"            {"},{"line_number":298,"context_line":"                \"type\": \"disk\","}],"source_content_type":"text/x-rst","patch_set":11,"id":"77e46ae3_ecfc6afd","line":295,"in_reply_to":"fe0c222d_d041a317","updated":"2020-12-01 13:22:09.000000000","message":"Yeah correct.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":313,"context_line":""},{"line_number":314,"context_line":"New ``nova-manage`` and ``nova-status`` commands will be introduced to migrate"},{"line_number":315,"context_line":"any instances using the legacy libvirt virt driver implementation ahead of the"},{"line_number":316,"context_line":"removal of this in a future release."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":"The ``nova-manage`` command will ensure that any existing instances with"},{"line_number":319,"context_line":"``ephemeral_key_uuid`` set will have their associated ``BlockDeviceMapping``"}],"source_content_type":"text/x-rst","patch_set":11,"id":"6c5a6011_46cc121f","line":316,"updated":"2020-12-01 11:17:43.000000000","message":"From the above, I guess you\u0027re thinking to have for some time (at least one release) two different feature supports for encrypted storage (legacy and 
new).\nI\u0027m OK with this and I\u0027m OK with providing a nova-status check for communicating the removal in the foreseenable future.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":313,"context_line":""},{"line_number":314,"context_line":"New ``nova-manage`` and ``nova-status`` commands will be introduced to migrate"},{"line_number":315,"context_line":"any instances using the legacy libvirt virt driver implementation ahead of the"},{"line_number":316,"context_line":"removal of this in a future release."},{"line_number":317,"context_line":""},{"line_number":318,"context_line":"The ``nova-manage`` command will ensure that any existing instances with"},{"line_number":319,"context_line":"``ephemeral_key_uuid`` set will have their associated ``BlockDeviceMapping``"}],"source_content_type":"text/x-rst","patch_set":11,"id":"f629efa1_38f671d7","line":316,"in_reply_to":"6c5a6011_46cc121f","updated":"2020-12-01 13:22:09.000000000","message":"Hopefully just a single release but we could leave it longer if people don\u0027t feel comfortable with that.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":327,"context_line":"---------------------------------------"},{"line_number":328,"context_line":""},{"line_number":329,"context_line":"The legacy implementation within the libvirt virt driver will be deprecated for"},{"line_number":330,"context_line":"removal in a future release once the ability to migrate is in 
place."},{"line_number":331,"context_line":""},{"line_number":332,"context_line":"Alternatives"},{"line_number":333,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b5cb9adb_18d3b839","line":330,"updated":"2020-12-01 11:17:43.000000000","message":"++, I don\u0027t see any conflicts in between both encrypted storage supports which would require us to migrate from legacy to new during upgrade time.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":327,"context_line":"---------------------------------------"},{"line_number":328,"context_line":""},{"line_number":329,"context_line":"The legacy implementation within the libvirt virt driver will be deprecated for"},{"line_number":330,"context_line":"removal in a future release once the ability to migrate is in place."},{"line_number":331,"context_line":""},{"line_number":332,"context_line":"Alternatives"},{"line_number":333,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"cd5d9c6c_c029251d","line":330,"in_reply_to":"b5cb9adb_18d3b839","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":344,"context_line":"REST API impact"},{"line_number":345,"context_line":"---------------"},{"line_number":346,"context_line":""},{"line_number":347,"context_line":"N/A"},{"line_number":348,"context_line":""},{"line_number":349,"context_line":"Security 
impact"},{"line_number":350,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4f5a3127_20068e41","line":347,"updated":"2020-12-01 11:17:43.000000000","message":"a potential API validation schema for the formats ?","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"48bfed446794cf0c9a8d38fc7b3ed4e53ec077ad","unresolved":true,"context_lines":[{"line_number":344,"context_line":"REST API impact"},{"line_number":345,"context_line":"---------------"},{"line_number":346,"context_line":""},{"line_number":347,"context_line":"N/A"},{"line_number":348,"context_line":""},{"line_number":349,"context_line":"Security impact"},{"line_number":350,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"c61b2ec7_f835dd96","line":347,"updated":"2020-12-01 11:37:14.000000000","message":"the metadata API will change as described above","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"0813ff4765223df4d9aae970f575c71ce33e6cd0","unresolved":false,"context_lines":[{"line_number":344,"context_line":"REST API impact"},{"line_number":345,"context_line":"---------------"},{"line_number":346,"context_line":""},{"line_number":347,"context_line":"N/A"},{"line_number":348,"context_line":""},{"line_number":349,"context_line":"Security impact"},{"line_number":350,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5c934ce3_3c744409","line":347,"in_reply_to":"397d8d86_9607ca73","updated":"2020-12-02 08:48:17.000000000","message":"I\u0027m fine not listing it here as it was described above.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee 
Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":344,"context_line":"REST API impact"},{"line_number":345,"context_line":"---------------"},{"line_number":346,"context_line":""},{"line_number":347,"context_line":"N/A"},{"line_number":348,"context_line":""},{"line_number":349,"context_line":"Security impact"},{"line_number":350,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ca36c0e4_08817314","line":347,"in_reply_to":"4f5a3127_20068e41","updated":"2020-12-01 13:22:09.000000000","message":"As above I\u0027m not sure if that makes sense given the way in which this is stashed within the image and flavor.\n\nI\u0027ll introduce extra spec validations and checks in the API unless I\u0027ve missed the need for something schema based.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":344,"context_line":"REST API impact"},{"line_number":345,"context_line":"---------------"},{"line_number":346,"context_line":""},{"line_number":347,"context_line":"N/A"},{"line_number":348,"context_line":""},{"line_number":349,"context_line":"Security impact"},{"line_number":350,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"397d8d86_9607ca73","line":347,"in_reply_to":"c61b2ec7_f835dd96","updated":"2020-12-01 13:22:09.000000000","message":"Ah true, I didn\u0027t think that should be listed here as it isn\u0027t part of the external API but I guess it\u0027s still an API... 
I\u0027ll add in a respin.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"48bfed446794cf0c9a8d38fc7b3ed4e53ec077ad","unresolved":true,"context_lines":[{"line_number":365,"context_line":"---------------------"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"Users will now need to opt-in to ephemeral storage encryption being used by"},{"line_number":368,"context_line":"their instances through their choice of image or flavors."},{"line_number":369,"context_line":""},{"line_number":370,"context_line":"Performance Impact"},{"line_number":371,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b868e5ae_cfc68ca0","line":368,"updated":"2020-12-01 11:37:14.000000000","message":"But the admin can still force the encryption by only providing flavors with hw:ephemeral_encryption\u003dTrue? 
Or the image can override that?","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":365,"context_line":"---------------------"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"Users will now need to opt-in to ephemeral storage encryption being used by"},{"line_number":368,"context_line":"their instances through their choice of image or flavors."},{"line_number":369,"context_line":""},{"line_number":370,"context_line":"Performance Impact"},{"line_number":371,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"fdda84eb_91ae83c9","line":368,"in_reply_to":"b868e5ae_cfc68ca0","updated":"2020-12-01 13:22:09.000000000","message":"True, I can reword this.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":372,"context_line":""},{"line_number":373,"context_line":"The additional pre-filter will add a small amount of overhead when scheduling"},{"line_number":374,"context_line":"instances but this should fail fast if ephemeral encryption is not requested"},{"line_number":375,"context_line":"through the image or flavor."},{"line_number":376,"context_line":""},{"line_number":377,"context_line":"The performance impact of increased use of ephemeral storage encryption by"},{"line_number":378,"context_line":"instances is left to be discussed in the virt driver specific specs as this"}],"source_content_type":"text/x-rst","patch_set":11,"id":"c23b9d01_211cb6f5","line":375,"updated":"2020-12-01 11:17:43.000000000","message":"yeah, we don\u0027t really see 
this as a penalty.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":372,"context_line":""},{"line_number":373,"context_line":"The additional pre-filter will add a small amount of overhead when scheduling"},{"line_number":374,"context_line":"instances but this should fail fast if ephemeral encryption is not requested"},{"line_number":375,"context_line":"through the image or flavor."},{"line_number":376,"context_line":""},{"line_number":377,"context_line":"The performance impact of increased use of ephemeral storage encryption by"},{"line_number":378,"context_line":"instances is left to be discussed in the virt driver specific specs as this"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1c71d097_277cd5f0","line":375,"in_reply_to":"c23b9d01_211cb6f5","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":376,"context_line":""},{"line_number":377,"context_line":"The performance impact of increased use of ephemeral storage encryption by"},{"line_number":378,"context_line":"instances is left to be discussed in the virt driver specific specs as this"},{"line_number":379,"context_line":"will vary between hypervisors."},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"Other deployer impact"},{"line_number":382,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"2ace130a_0047ce16","line":379,"updated":"2020-12-01 
11:17:43.000000000","message":"++","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":376,"context_line":""},{"line_number":377,"context_line":"The performance impact of increased use of ephemeral storage encryption by"},{"line_number":378,"context_line":"instances is left to be discussed in the virt driver specific specs as this"},{"line_number":379,"context_line":"will vary between hypervisors."},{"line_number":380,"context_line":""},{"line_number":381,"context_line":"Other deployer impact"},{"line_number":382,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"70dcd84f_793b1c99","line":379,"in_reply_to":"2ace130a_0047ce16","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":395,"context_line":""},{"line_number":396,"context_line":"The compute traits should ensure that requests to schedule instances using"},{"line_number":397,"context_line":"ephemeral storage encryption with mixed computes (N-1 and N) will work during a"},{"line_number":398,"context_line":"rolling upgrade."},{"line_number":399,"context_line":""},{"line_number":400,"context_line":"As discussed earlier in the spec future upgrades will need to provide a path"},{"line_number":401,"context_line":"for existing ephemeral storage encryption users to migrate from the legacy"}],"source_content_type":"text/x-rst","patch_set":11,"id":"cd17b715_264f55a9","line":398,"updated":"2020-12-01 
11:17:43.000000000","message":"Yup.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":395,"context_line":""},{"line_number":396,"context_line":"The compute traits should ensure that requests to schedule instances using"},{"line_number":397,"context_line":"ephemeral storage encryption with mixed computes (N-1 and N) will work during a"},{"line_number":398,"context_line":"rolling upgrade."},{"line_number":399,"context_line":""},{"line_number":400,"context_line":"As discussed earlier in the spec future upgrades will need to provide a path"},{"line_number":401,"context_line":"for existing ephemeral storage encryption users to migrate from the legacy"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4113b3a9_6a447d70","line":398,"in_reply_to":"cd17b715_264f55a9","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"48bfed446794cf0c9a8d38fc7b3ed4e53ec077ad","unresolved":true,"context_lines":[{"line_number":400,"context_line":"As discussed earlier in the spec future upgrades will need to provide a path"},{"line_number":401,"context_line":"for existing ephemeral storage encryption users to migrate from the legacy"},{"line_number":402,"context_line":"implementation. 
This should be trivial but may require an additional grenade"},{"line_number":403,"context_line":"based job in CI during the W cycle to prove out the migration path."},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"Implementation"},{"line_number":406,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"61f06d50_5c9d6e2a","line":403,"updated":"2020-12-01 11:37:14.000000000","message":"And we might need an upgrade check to see if all the data migration is done before the X upgrade. \n\nDo we want to have an automatic data migration? When an instance with the old encryption data is changed(e.g. rebooted, migrated...) then the libvirt driver could trigger the data migration for that instance, making the data migration a lot less impactful.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":400,"context_line":"As discussed earlier in the spec future upgrades will need to provide a path"},{"line_number":401,"context_line":"for existing ephemeral storage encryption users to migrate from the legacy"},{"line_number":402,"context_line":"implementation. 
This should be trivial but may require an additional grenade"},{"line_number":403,"context_line":"based job in CI during the W cycle to prove out the migration path."},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"Implementation"},{"line_number":406,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"4558f412_0a95d39c","line":403,"updated":"2020-12-01 11:17:43.000000000","message":"Yup.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"f0d9ad65686bf57b5758909bb194dd538d85d8a7","unresolved":false,"context_lines":[{"line_number":400,"context_line":"As discussed earlier in the spec future upgrades will need to provide a path"},{"line_number":401,"context_line":"for existing ephemeral storage encryption users to migrate from the legacy"},{"line_number":402,"context_line":"implementation. 
This should be trivial but may require an additional grenade"},{"line_number":403,"context_line":"based job in CI during the W cycle to prove out the migration path."},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"Implementation"},{"line_number":406,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7c386884_bee85e5e","line":403,"in_reply_to":"04498b85_e7b1a44c","updated":"2020-12-02 15:35:18.000000000","message":"I\u0027ve added this under the ``Provide a migration path from the legacy implementation`` section in a respin.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":400,"context_line":"As discussed earlier in the spec future upgrades will need to provide a path"},{"line_number":401,"context_line":"for existing ephemeral storage encryption users to migrate from the legacy"},{"line_number":402,"context_line":"implementation. 
This should be trivial but may require an additional grenade"},{"line_number":403,"context_line":"based job in CI during the W cycle to prove out the migration path."},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"Implementation"},{"line_number":406,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"9c6eeeac_fd83a018","line":403,"in_reply_to":"4558f412_0a95d39c","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":400,"context_line":"As discussed earlier in the spec future upgrades will need to provide a path"},{"line_number":401,"context_line":"for existing ephemeral storage encryption users to migrate from the legacy"},{"line_number":402,"context_line":"implementation. This should be trivial but may require an additional grenade"},{"line_number":403,"context_line":"based job in CI during the W cycle to prove out the migration path."},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"Implementation"},{"line_number":406,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"a5de393f_e7ebd25a","line":403,"in_reply_to":"61f06d50_5c9d6e2a","updated":"2020-12-01 13:22:09.000000000","message":"Yeah that\u0027s entirely possible given we are just moving metadata from the instance extras table into block_device_mapping. 
I can add this in a respin.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"0813ff4765223df4d9aae970f575c71ce33e6cd0","unresolved":false,"context_lines":[{"line_number":400,"context_line":"As discussed earlier in the spec future upgrades will need to provide a path"},{"line_number":401,"context_line":"for existing ephemeral storage encryption users to migrate from the legacy"},{"line_number":402,"context_line":"implementation. This should be trivial but may require an additional grenade"},{"line_number":403,"context_line":"based job in CI during the W cycle to prove out the migration path."},{"line_number":404,"context_line":""},{"line_number":405,"context_line":"Implementation"},{"line_number":406,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"04498b85_e7b1a44c","line":403,"in_reply_to":"a5de393f_e7ebd25a","updated":"2020-12-02 08:48:17.000000000","message":"I think you missed this in your respin.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":453,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":454,"context_line":""},{"line_number":455,"context_line":"At present without a virt driver implementation this will be tested entirely"},{"line_number":456,"context_line":"within our unit and functional test suites."},{"line_number":457,"context_line":""},{"line_number":458,"context_line":"Once a virt driver implementation is available additional integration tests in"},{"line_number":459,"context_line":"Tempest and whitebox tests can be 
written."}],"source_content_type":"text/x-rst","patch_set":11,"id":"70577499_1438f6ae","line":456,"updated":"2020-12-01 11:17:43.000000000","message":"We have the FakeDriver for functests.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":453,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":454,"context_line":""},{"line_number":455,"context_line":"At present without a virt driver implementation this will be tested entirely"},{"line_number":456,"context_line":"within our unit and functional test suites."},{"line_number":457,"context_line":""},{"line_number":458,"context_line":"Once a virt driver implementation is available additional integration tests in"},{"line_number":459,"context_line":"Tempest and whitebox tests can be written."}],"source_content_type":"text/x-rst","patch_set":11,"id":"ff87940a_22651a1b","line":456,"in_reply_to":"70577499_1438f6ae","updated":"2020-12-01 13:22:09.000000000","message":"ACK yeah using it heavily in the PoC code I\u0027ve posted already.","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"1a06d7303172cd7f34041208fbd0b8e79ac87990","unresolved":true,"context_lines":[{"line_number":460,"context_line":""},{"line_number":461,"context_line":"Testing of the migration path from the legacy implementation will require an"},{"line_number":462,"context_line":"additional grenade job but this will require the libvirt virt driver"},{"line_number":463,"context_line":"implementation to be completed first."},{"line_number":464,"context_line":""},{"line_number":465,"context_line":"Documentation 
Impact"},{"line_number":466,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ee9e3f7f_e45638e4","line":463,"updated":"2020-12-01 11:17:43.000000000","message":"++","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"2fd42db50c6c508ac72f75ee8e76439e57147926","unresolved":false,"context_lines":[{"line_number":460,"context_line":""},{"line_number":461,"context_line":"Testing of the migration path from the legacy implementation will require an"},{"line_number":462,"context_line":"additional grenade job but this will require the libvirt virt driver"},{"line_number":463,"context_line":"implementation to be completed first."},{"line_number":464,"context_line":""},{"line_number":465,"context_line":"Documentation Impact"},{"line_number":466,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7d4227c4_0c81ccec","line":463,"in_reply_to":"ee9e3f7f_e45638e4","updated":"2020-12-01 13:22:09.000000000","message":"Ack","commit_id":"e3ca9b55ca8a6a0eb2af4c8afc275cb9a9cda364"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"0813ff4765223df4d9aae970f575c71ce33e6cd0","unresolved":true,"context_lines":[{"line_number":314,"context_line":"between flavors that differed in their configuration of ephemeral encryption"},{"line_number":315,"context_line":"(one enabled, another disabled or formats etc) would cause us to convert this"},{"line_number":316,"context_line":"data in place. 
This isn\u0027t trivial and so for this initial implementation"},{"line_number":317,"context_line":"resizing between flavors that differ will be blocked."},{"line_number":318,"context_line":""},{"line_number":319,"context_line":"Provide a migration path from the legacy implementation"},{"line_number":320,"context_line":"-------------------------------------------------------"}],"source_content_type":"text/x-rst","patch_set":12,"id":"eef013ce_0bdb698e","line":317,"updated":"2020-12-02 08:48:17.000000000","message":"+1","commit_id":"6e18576fb4928be8486ccc16225f9dd3ad04991d"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"f377077986d37bb58ab7f65365c83b73b08a98ed","unresolved":true,"context_lines":[{"line_number":77,"context_line":"   relate to how ephemeral storage will be encrypted at rest when used by a"},{"line_number":78,"context_line":"   provisioned instance within Nova."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"   Seperate image properties have been documented in the"},{"line_number":81,"context_line":"   `Glance image encryption`_ and `Cinder image encryption`_ specs to cover"},{"line_number":82,"context_line":"   how images can be encrypted at rest within Glance."},{"line_number":83,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"56091435_3db221c9","line":80,"range":{"start_line":80,"start_character":3,"end_line":80,"end_character":11},"updated":"2020-12-01 17:31:58.000000000","message":"Separate","commit_id":"5498d395968b3b9ef9467009b9ecb50ff81bd4bf"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"f0d9ad65686bf57b5758909bb194dd538d85d8a7","unresolved":false,"context_lines":[{"line_number":77,"context_line":"   relate to how ephemeral storage will be encrypted at rest when used by 
a"},{"line_number":78,"context_line":"   provisioned instance within Nova."},{"line_number":79,"context_line":""},{"line_number":80,"context_line":"   Seperate image properties have been documented in the"},{"line_number":81,"context_line":"   `Glance image encryption`_ and `Cinder image encryption`_ specs to cover"},{"line_number":82,"context_line":"   how images can be encrypted at rest within Glance."},{"line_number":83,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"138d2d5f_205db0ed","line":80,"range":{"start_line":80,"start_character":3,"end_line":80,"end_character":11},"in_reply_to":"56091435_3db221c9","updated":"2020-12-02 15:35:18.000000000","message":"Ack","commit_id":"5498d395968b3b9ef9467009b9ecb50ff81bd4bf"}]}
