)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"0b362d426ee48b1a9a664befde41b5480c3f2c82","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"2dbe2b7b_d4e444ff","updated":"2022-07-18 09:37:32.000000000","message":"Dropping -2 before abandoning.","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"a8791d2b9caf1eca5514ff5076685325ad41a5c0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"62804f57_d2227135","updated":"2022-01-14 09:10:14.000000000","message":"Procedural -2: We hit spec freeze [1]. If you are still working on this the please re-propose it to Z release once we have the directory created (we miss the Z release naming).\nDetails of the process of accepting feature requests can be found on [2].\nIf any questions left about the process, feel free to ping bauzas on #openstack-nova or please attend any Nova meeting [3].\n\nThanks.\n\n[1] http://lists.openstack.org/pipermail/openstack-discuss/2022-January/026530.html\n[2] https://docs.openstack.org/nova/latest/contributor/process.html#spec-and-blueprint-approval-freeze\n[3] https://wiki.openstack.org/wiki/Meetings/Nova\n\n\n\n","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"44051231ea68bc102e350aa4c1a6554df9335c13","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"44cf0934_f65c7c36","updated":"2021-11-16 09:43:59.000000000","message":"Sorry, but while I think the usecase is totally legit, this is a way larger scope than just Nova and I\u0027d appreciate if we could start with a cross-project brainstorming session about what we could do.\nMaybe the TC could help with this.","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"0a6564444c202a392439e35c16be765b253dc0ce","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"b71fad76_4838388e","updated":"2021-11-16 09:58:06.000000000","message":"This feels 1) like orchestration 2) overly complicated while simple alternative exists.","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"}],"specs/xena/approved/migrate_instance_between_projects.rst":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3ba4f33e688848d9575327731455e8096994c1ba","unresolved":true,"context_lines":[{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"* Add a Nova API to set the project ID of a server after it has been created."},{"line_number":42,"context_line":"  This functionality will only be valid on non volume backed instances to avoid"},{"line_number":43,"context_line":"  issues with attached volumes. If requested project migration involves a"},{"line_number":44,"context_line":"  volume backed instance an InvalidRequest error will be thrown. If the"},{"line_number":45,"context_line":"  migration of the server to its new project causes a quota to be violated, the"},{"line_number":46,"context_line":"  appropriate QuotaError will be raised. It should also be checked that the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"09b17a2c_4bb966f8","line":43,"range":{"start_line":42,"start_character":3,"end_line":43,"end_character":31},"updated":"2021-07-27 22:21:49.000000000","message":"unless you want to also add instance that do not have port to avoid issue with netruon ports/networks\nand instance that dont have snapshots to void issue with glance or vtpm to void issue with barbican and swift  i think we need a solution that can supprot all services.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"b72c7646f89be8c95270c8babdb5a0c7620e8c63","unresolved":true,"context_lines":[{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"* Add a Nova API to set the project ID of a server after it has been created."},{"line_number":42,"context_line":"  This functionality will only be valid on non volume backed instances to avoid"},{"line_number":43,"context_line":"  issues with attached volumes. If requested project migration involves a"},{"line_number":44,"context_line":"  volume backed instance an InvalidRequest error will be thrown. If the"},{"line_number":45,"context_line":"  migration of the server to its new project causes a quota to be violated, the"},{"line_number":46,"context_line":"  appropriate QuotaError will be raised. It should also be checked that the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"7aacc293_c5ad9352","line":43,"range":{"start_line":42,"start_character":3,"end_line":43,"end_character":31},"in_reply_to":"09b17a2c_4bb966f8","updated":"2021-07-29 19:25:32.000000000","message":"I did not realize ports and snapshots were owned by projects. I suppose functionality to provide migrating ports and snapshots would be required as well. Since I propose that the attached networks required to be shared between old and new projects then all ports should be valid in new project. Any idea about how difficult implementing this would be?","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"438059cf69d1e5b149b3e0e1706eb6f9c3f682f2","unresolved":true,"context_lines":[{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"* Add a Nova API to set the project ID of a server after it has been created."},{"line_number":42,"context_line":"  This functionality will only be valid on non volume backed instances to avoid"},{"line_number":43,"context_line":"  issues with attached volumes. If requested project migration involves a"},{"line_number":44,"context_line":"  volume backed instance an InvalidRequest error will be thrown. If the"},{"line_number":45,"context_line":"  migration of the server to its new project causes a quota to be violated, the"},{"line_number":46,"context_line":"  appropriate QuotaError will be raised. It should also be checked that the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"49a1ea0e_167e9956","line":43,"range":{"start_line":42,"start_character":3,"end_line":43,"end_character":31},"in_reply_to":"17129465_f970e7ac","updated":"2021-08-03 18:48:14.000000000","message":"So you are saying another requirement would be that secrets, floating ips must be checked for validity in the new project as well as snapshots on the glance side? I see now that you mentioned there is no current way of transferring secrets so the instance would be required to not have associated secrets I suppose.\n\nI feel it would be reasonable to require the image to be shared between both projects if that is implementable.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"36aa77a68d40cb0179809b83f3b8c1caf5137540","unresolved":true,"context_lines":[{"line_number":39,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":40,"context_line":""},{"line_number":41,"context_line":"* Add a Nova API to set the project ID of a server after it has been created."},{"line_number":42,"context_line":"  This functionality will only be valid on non volume backed instances to avoid"},{"line_number":43,"context_line":"  issues with attached volumes. If requested project migration involves a"},{"line_number":44,"context_line":"  volume backed instance an InvalidRequest error will be thrown. If the"},{"line_number":45,"context_line":"  migration of the server to its new project causes a quota to be violated, the"},{"line_number":46,"context_line":"  appropriate QuotaError will be raised. It should also be checked that the"}],"source_content_type":"text/x-rst","patch_set":11,"id":"17129465_f970e7ac","line":43,"range":{"start_line":42,"start_character":3,"end_line":43,"end_character":31},"in_reply_to":"7aacc293_c5ad9352","updated":"2021-08-03 15:30:58.000000000","message":"yes for the most part all resouces are owned by the project not the domain or user.\nthe main excption being keypairs which are owned by the user.\n\ni see you have updated the requirement for shraed networks which simplifes things but you also have to consider security gorups and floating ips on the neutron side.\n\n\nfor glance there are two thing to consider first if the instance is running form an snapshot or not and second if the new project has acess to the image.\nglance has image visableity so the image would likely need to be public, comuinty or shared visablity not private.\nthere may be some geo fenching or tenant restrictions on image beyond the visablity also but we proably cant move a vm if its booted form an image that the dest project does not have acess too.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3ba4f33e688848d9575327731455e8096994c1ba","unresolved":true,"context_lines":[{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Users can currently achieve this functionality by snapshotting an image from"},{"line_number":55,"context_line":"an instance and transferring it to a new project through glance or by direct"},{"line_number":56,"context_line":"database updates. Neither of these solutions are ideal since they are multistep"},{"line_number":57,"context_line":"and not well safe guarded."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"Data model impact"},{"line_number":60,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"da1b309d_086a5c0a","line":57,"range":{"start_line":56,"start_character":18,"end_line":57,"end_character":26},"updated":"2021-07-27 22:21:49.000000000","message":"how will this proposal guard against creating instnace that have resouce owned by multiple projects?\ne.g. how will you ensure that the ports, snapshots, vloumes and secrets are tansfered with the instance to to the other tenant.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"36aa77a68d40cb0179809b83f3b8c1caf5137540","unresolved":true,"context_lines":[{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Users can currently achieve this functionality by snapshotting an image from"},{"line_number":55,"context_line":"an instance and transferring it to a new project through glance or by direct"},{"line_number":56,"context_line":"database updates. Neither of these solutions are ideal since they are multistep"},{"line_number":57,"context_line":"and not well safe guarded."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"Data model impact"},{"line_number":60,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"56379450_fc43ed9e","line":57,"range":{"start_line":56,"start_character":18,"end_line":57,"end_character":26},"in_reply_to":"14d1d0cd_651d7f47","updated":"2021-08-03 15:30:58.000000000","message":"admin do not hacess to barbican secrets so if the vm is using them even admins wont be able to transfer them\nit will require an actual user token form the source project to acess them.\n\nso really without direct support in barbican we could not transfer instance with securets.\n\nto answer you last question no there is no existing way to transfer ports. snapshots or secrets that i am aware of so thos would have to be added first or we would have to block instance that use them.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"438059cf69d1e5b149b3e0e1706eb6f9c3f682f2","unresolved":true,"context_lines":[{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Users can currently achieve this functionality by snapshotting an image from"},{"line_number":55,"context_line":"an instance and transferring it to a new project through glance or by direct"},{"line_number":56,"context_line":"database updates. Neither of these solutions are ideal since they are multistep"},{"line_number":57,"context_line":"and not well safe guarded."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"Data model impact"},{"line_number":60,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"8ceef81d_198a0f5a","line":57,"range":{"start_line":56,"start_character":18,"end_line":57,"end_character":26},"in_reply_to":"56379450_fc43ed9e","updated":"2021-08-03 18:48:14.000000000","message":"I would be okay with a first implementation requiring the instance not having snapshots or secrets. I think ports would be somewhat necessary however. Would a next step be to propose a spec for port migration between projects?","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"b72c7646f89be8c95270c8babdb5a0c7620e8c63","unresolved":true,"context_lines":[{"line_number":53,"context_line":""},{"line_number":54,"context_line":"Users can currently achieve this functionality by snapshotting an image from"},{"line_number":55,"context_line":"an instance and transferring it to a new project through glance or by direct"},{"line_number":56,"context_line":"database updates. Neither of these solutions are ideal since they are multistep"},{"line_number":57,"context_line":"and not well safe guarded."},{"line_number":58,"context_line":""},{"line_number":59,"context_line":"Data model impact"},{"line_number":60,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"14d1d0cd_651d7f47","line":57,"range":{"start_line":56,"start_character":18,"end_line":57,"end_character":26},"in_reply_to":"da1b309d_086a5c0a","updated":"2021-07-29 19:25:32.000000000","message":"I am proposing this change for non volume backed instances to remove need to transfer volumes. Ports, image snapshots and secrets will need to be transferred to the new tenant. I also propose that network needs to be shared between old and new project if one is attached which to ensure ports are valid. Are there any existing ways to transfer ports, snapshots and secrets to new project?","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3ba4f33e688848d9575327731455e8096994c1ba","unresolved":true,"context_lines":[{"line_number":87,"context_line":""},{"line_number":88,"context_line":"      * If the instance is volume backed"},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"      * If the instance network is invalid in the new project"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"      * If the specified destination project ID is invalid (does not exist or"},{"line_number":93,"context_line":"        the same as existing project ID)"}],"source_content_type":"text/x-rst","patch_set":11,"id":"02faa2ee_9196cde8","line":90,"range":{"start_line":90,"start_character":6,"end_line":90,"end_character":61},"updated":"2021-07-27 22:21:49.000000000","message":"the only way a network could be valid is if it  is shared or if neutron rbac api has been used to share access to the other tenant. how would nova determine that is is valid without trying tor update the the resources. openstack has always disucaged probing for capablity by trying to do somehting and handeling if it does not work so any attempt to modify the neutron resoruces to determin if it can work shoudl be avoided.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"b72c7646f89be8c95270c8babdb5a0c7620e8c63","unresolved":true,"context_lines":[{"line_number":87,"context_line":""},{"line_number":88,"context_line":"      * If the instance is volume backed"},{"line_number":89,"context_line":""},{"line_number":90,"context_line":"      * If the instance network is invalid in the new project"},{"line_number":91,"context_line":""},{"line_number":92,"context_line":"      * If the specified destination project ID is invalid (does not exist or"},{"line_number":93,"context_line":"        the same as existing project ID)"}],"source_content_type":"text/x-rst","patch_set":11,"id":"648a6fb7_bf7e862b","line":90,"range":{"start_line":90,"start_character":6,"end_line":90,"end_character":61},"in_reply_to":"02faa2ee_9196cde8","updated":"2021-07-29 19:25:32.000000000","message":"Yes I think having the network requirement for shared between new and old tenant should suffice. I will update spec to reflect this.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3ba4f33e688848d9575327731455e8096994c1ba","unresolved":true,"context_lines":[{"line_number":91,"context_line":""},{"line_number":92,"context_line":"      * If the specified destination project ID is invalid (does not exist or"},{"line_number":93,"context_line":"        the same as existing project ID)"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"    * forbidden(403)"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"      * The project migration results in a quota violation"}],"source_content_type":"text/x-rst","patch_set":11,"id":"a235ea73_e8edb240","line":94,"updated":"2021-07-27 22:21:49.000000000","message":"what about the isolated agggreated feature and tenant isolation filters?\n\nthe host may have been valid for the orginal tenant but it may not be for the new one so unless this is a move operation like cold migrte or live migrate the current host might be invilad.\n\nif it was a move operation the move could fail but since this is a long runing operation not a simple db update we cant really block in the api until after the schduelr has run. this would need to be an async api.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"b72c7646f89be8c95270c8babdb5a0c7620e8c63","unresolved":true,"context_lines":[{"line_number":91,"context_line":""},{"line_number":92,"context_line":"      * If the specified destination project ID is invalid (does not exist or"},{"line_number":93,"context_line":"        the same as existing project ID)"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"    * forbidden(403)"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"      * The project migration results in a quota violation"}],"source_content_type":"text/x-rst","patch_set":11,"id":"ef1c78db_48aea71e","line":94,"in_reply_to":"a235ea73_e8edb240","updated":"2021-07-29 19:25:32.000000000","message":"Can we check if the host is valid for the destination project using compute API? If so I would be happy with returning error if this occurs.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"36aa77a68d40cb0179809b83f3b8c1caf5137540","unresolved":true,"context_lines":[{"line_number":91,"context_line":""},{"line_number":92,"context_line":"      * If the specified destination project ID is invalid (does not exist or"},{"line_number":93,"context_line":"        the same as existing project ID)"},{"line_number":94,"context_line":""},{"line_number":95,"context_line":"    * forbidden(403)"},{"line_number":96,"context_line":""},{"line_number":97,"context_line":"      * The project migration results in a quota violation"}],"source_content_type":"text/x-rst","patch_set":11,"id":"663f2525_04d54736","line":94,"in_reply_to":"ef1c78db_48aea71e","updated":"2021-08-03 15:30:58.000000000","message":"there is no api for this today we would have to ask the scheduler to validate the host effectivly but make sure that we have it validate with the new project uuid.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3ba4f33e688848d9575327731455e8096994c1ba","unresolved":true,"context_lines":[{"line_number":153,"context_line":"Security impact"},{"line_number":154,"context_line":"---------------"},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"None"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Notifications impact"},{"line_number":159,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"8ee457f3_5132b9e2","line":156,"range":{"start_line":156,"start_character":0,"end_line":156,"end_character":4},"updated":"2021-07-27 22:21:49.000000000","message":"there is certenly a security impact.\nthis api woudl potentally allow exfultration fo data that is aviable within one tenatn but not to the other.\n\n\ndepending on the policy applied to the api endpoint e.g. admin only vs admin_or_onwer there are other implications.\n\nlikely this would have to be restricted to the the system_admin or perhaps domain_admin although domain admins should only be able to transfer between projects in there domain.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"b72c7646f89be8c95270c8babdb5a0c7620e8c63","unresolved":true,"context_lines":[{"line_number":153,"context_line":"Security impact"},{"line_number":154,"context_line":"---------------"},{"line_number":155,"context_line":""},{"line_number":156,"context_line":"None"},{"line_number":157,"context_line":""},{"line_number":158,"context_line":"Notifications impact"},{"line_number":159,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"2bc1a888_67e24cb4","line":156,"range":{"start_line":156,"start_character":0,"end_line":156,"end_character":4},"in_reply_to":"8ee457f3_5132b9e2","updated":"2021-07-29 19:25:32.000000000","message":"Ack","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3ba4f33e688848d9575327731455e8096994c1ba","unresolved":true,"context_lines":[{"line_number":158,"context_line":"Notifications impact"},{"line_number":159,"context_line":"--------------------"},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"None"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"Other end user impact"},{"line_number":164,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"1d6c5e24_b080af7f","line":161,"range":{"start_line":161,"start_character":0,"end_line":161,"end_character":4},"updated":"2021-07-27 22:21:49.000000000","message":"we likely woudl want to have new notification for transfer begin and end.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"b72c7646f89be8c95270c8babdb5a0c7620e8c63","unresolved":true,"context_lines":[{"line_number":158,"context_line":"Notifications impact"},{"line_number":159,"context_line":"--------------------"},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"None"},{"line_number":162,"context_line":""},{"line_number":163,"context_line":"Other end user impact"},{"line_number":164,"context_line":"---------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"94c2cb1c_31e2f2f2","line":161,"range":{"start_line":161,"start_character":0,"end_line":161,"end_character":4},"in_reply_to":"1d6c5e24_b080af7f","updated":"2021-07-29 19:25:32.000000000","message":"Ack","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3ba4f33e688848d9575327731455e8096994c1ba","unresolved":true,"context_lines":[{"line_number":163,"context_line":"Other end user impact"},{"line_number":164,"context_line":"---------------------"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":"* A client API for this new API will be added to python-novaclient"},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"* A CLI for the new API will be added to python-novaclient. ::"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"    nova set_project \u003cserver\u003e \u003cdestination_project_id\u003e"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"Performance Impact"},{"line_number":173,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"b6685702_822841ba","line":170,"range":{"start_line":166,"start_character":0,"end_line":170,"end_character":54},"updated":"2021-07-27 22:21:49.000000000","message":"we would have to add a new command to the unified openstack clinet which is now requried for all new feature but we should not update the python-novaclint cli. we coudl add python lib support for the api but we shoudl avoid extendign the legacy nova clint going forward.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"b72c7646f89be8c95270c8babdb5a0c7620e8c63","unresolved":true,"context_lines":[{"line_number":163,"context_line":"Other end user impact"},{"line_number":164,"context_line":"---------------------"},{"line_number":165,"context_line":""},{"line_number":166,"context_line":"* A client API for this new API will be added to python-novaclient"},{"line_number":167,"context_line":""},{"line_number":168,"context_line":"* A CLI for the new API will be added to python-novaclient. ::"},{"line_number":169,"context_line":""},{"line_number":170,"context_line":"    nova set_project \u003cserver\u003e \u003cdestination_project_id\u003e"},{"line_number":171,"context_line":""},{"line_number":172,"context_line":"Performance Impact"},{"line_number":173,"context_line":"------------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"a7a2891c_7d877569","line":170,"range":{"start_line":166,"start_character":0,"end_line":170,"end_character":54},"in_reply_to":"b6685702_822841ba","updated":"2021-07-29 19:25:32.000000000","message":"Ack","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3ba4f33e688848d9575327731455e8096994c1ba","unresolved":true,"context_lines":[{"line_number":177,"context_line":"Other deployer impact"},{"line_number":178,"context_line":"---------------------"},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The default policy for this API is for admin and owners by default."},{"line_number":181,"context_line":""},{"line_number":182,"context_line":"Developer impact"},{"line_number":183,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"144e2843_0493c82a","line":180,"range":{"start_line":180,"start_character":49,"end_line":180,"end_character":55},"updated":"2021-07-27 22:21:49.000000000","message":"so i dont think this is correct.\n\nas i noted in the the security section i do no see a usecase to allow normal project_members or even project_admins to be able to use the api unless we mirror volume transfer api\n\nhttps://docs.openstack.org/cinder/latest/cli/cli-manage-volumes.html#transfer-a-volume\ne.g.\ntenant a: openstack volume transfer request create \u003cvolume\u003e\ntenant b: openstack volume transfer request accept \u003ctransferID\u003e \u003cauthKey\u003e\n\nso something like\n\ntenant a: openstack server transfer request create \u003cinstance uuid\u003e\ntenant b: openstack server transfer request accept \u003ctransferID\u003e \u003cauthKey\u003e\n\n\na keystone token only ever has at most one porject assocaited with it so normal project member token does not have permission to add or remove a server between projects.\n\na domain admin with a domain scoped token potentilaly could have right to do that but we dont have support for domain token in nova yet so would require a spec all by it self.\n\na system admin token would have enough permission but that reuiqres https://review.opendev.org/c/openstack/keystone-specs/+/787640 to be completed to be usabel with nova.","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"b72c7646f89be8c95270c8babdb5a0c7620e8c63","unresolved":true,"context_lines":[{"line_number":177,"context_line":"Other deployer impact"},{"line_number":178,"context_line":"---------------------"},{"line_number":179,"context_line":""},{"line_number":180,"context_line":"The default policy for this API is for admin and owners by default."},{"line_number":181,"context_line":""},{"line_number":182,"context_line":"Developer impact"},{"line_number":183,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":11,"id":"54734927_d9114202","line":180,"range":{"start_line":180,"start_character":49,"end_line":180,"end_character":55},"in_reply_to":"144e2843_0493c82a","updated":"2021-07-29 19:25:32.000000000","message":"Ack","commit_id":"02315c387f51d53d0e1583f3c4ed3d94435ff635"}],"specs/yoga/approved/migrate-instance-between-project.rst":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"44051231ea68bc102e350aa4c1a6554df9335c13","unresolved":true,"context_lines":[{"line_number":15,"context_line":"Problem description"},{"line_number":16,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Nova does not currently provide any method for migrating an existing instance"},{"line_number":19,"context_line":"between projects. An API endpoint is desired to provide the following"},{"line_number":20,"context_line":"functionality: reassign an existing instance to a different project while"},{"line_number":21,"context_line":"ensuring project quotas, volume and network configurations are not violated."},{"line_number":22,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"b14add35_d30b8a1f","line":19,"range":{"start_line":18,"start_character":0,"end_line":19,"end_character":18},"updated":"2021-11-16 09:43:59.000000000","message":"this is not only Nova. Other services lack this feature too :)","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"0a6564444c202a392439e35c16be765b253dc0ce","unresolved":true,"context_lines":[{"line_number":23,"context_line":"Use Cases"},{"line_number":24,"context_line":"---------"},{"line_number":25,"context_line":""},{"line_number":26,"context_line":"As a user, I wish to have a maintained method for migrating instances between"},{"line_number":27,"context_line":"projects."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"Proposed change"},{"line_number":30,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":16,"id":"17bebab3_67e6ba91","line":27,"range":{"start_line":26,"start_character":0,"end_line":27,"end_character":9},"updated":"2021-11-16 09:58:06.000000000","message":"But why? What problem this solves? What is the case when a server needs to be moved between projects instead of maybe created in the target project in the first place?","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"44051231ea68bc102e350aa4c1a6554df9335c13","unresolved":true,"context_lines":[{"line_number":30,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"* Add a Nova API to set the project ID of a server after it has been created."},{"line_number":33,"context_line":"  This functionality will only be valid on non volume backed instances to avoid"},{"line_number":34,"context_line":"  issues with attached volumes. If requested project migration involves a"},{"line_number":35,"context_line":"  volume backed instance an InvalidRequest error will be thrown. Any associated"},{"line_number":36,"context_line":"  ports, image snapshots, and secrets will be migrated to the new project. If"},{"line_number":37,"context_line":"  migration of the server to its new project causes a quota to be violated, the"}],"source_content_type":"text/x-rst","patch_set":16,"id":"0a71961a_4b52dd88","line":34,"range":{"start_line":33,"start_character":2,"end_line":34,"end_character":31},"updated":"2021-11-16 09:43:59.000000000","message":"and what about networks that are used by the instance ?","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"44051231ea68bc102e350aa4c1a6554df9335c13","unresolved":true,"context_lines":[{"line_number":32,"context_line":"* Add a Nova API to set the project ID of a server after it has been created."},{"line_number":33,"context_line":"  This functionality will only be valid on non volume backed instances to avoid"},{"line_number":34,"context_line":"  issues with attached volumes. If requested project migration involves a"},{"line_number":35,"context_line":"  volume backed instance an InvalidRequest error will be thrown. Any associated"},{"line_number":36,"context_line":"  ports, image snapshots, and secrets will be migrated to the new project. If"},{"line_number":37,"context_line":"  migration of the server to its new project causes a quota to be violated, the"},{"line_number":38,"context_line":"  appropriate QuotaError will be raised. It should also be checked that the"},{"line_number":39,"context_line":"  networks attached to the migrating server are shared between the current"}],"source_content_type":"text/x-rst","patch_set":16,"id":"9be0ac53_7bf83402","line":36,"range":{"start_line":35,"start_character":65,"end_line":36,"end_character":74},"updated":"2021-11-16 09:43:59.000000000","message":"what if the port can\u0027t be in the new project as the underlying network is not ?","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"44051231ea68bc102e350aa4c1a6554df9335c13","unresolved":true,"context_lines":[{"line_number":47,"context_line":"Users can currently achieve this functionality by snapshotting an image from"},{"line_number":48,"context_line":"an instance and transferring it to a new project through glance or by direct"},{"line_number":49,"context_line":"database updates [1]. Neither of these solutions are ideal since they are"},{"line_number":50,"context_line":"multistep and not well safe guarded."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Data model impact"},{"line_number":53,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":16,"id":"ec00f599_7c39c133","line":50,"updated":"2021-11-16 09:43:59.000000000","message":"but this is not part of Nova mission statement to sync all projects between them too : \nhttps://docs.openstack.org/nova/latest/contributor/project-scope.html#no-more-orchestration","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"0a6564444c202a392439e35c16be765b253dc0ce","unresolved":true,"context_lines":[{"line_number":48,"context_line":"an instance and transferring it to a new project through glance or by direct"},{"line_number":49,"context_line":"database updates [1]. Neither of these solutions are ideal since they are"},{"line_number":50,"context_line":"multistep and not well safe guarded."},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"Data model impact"},{"line_number":53,"context_line":"-----------------"},{"line_number":54,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"615b298e_c473ab2e","line":51,"updated":"2021-11-16 09:58:06.000000000","message":"This alternative looks good to me. The multi step problem can be solved with an orchestrator like heat to provide a single command for the end user.\n\nRegarding safe guarding I think the proposed solution would need to implement a lot of safeguarding that this alternative automatically has. Like this alternative will already checks quotas and network-project access out of the box. While the proposed solution needs to re-implement those.","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":33670,"name":"Samuel","email":"samuelrnoguchi@gmail.com","username":"samuelrnoguchi"},"change_message_id":"6a784ab4ddc89ea7bb08bd08df3c2ff87cdc66fd","unresolved":true,"context_lines":[{"line_number":215,"context_line":"Work Items"},{"line_number":216,"context_line":"----------"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"* Add neutron API for migrating ports between projects"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"* Add new REST API"},{"line_number":221,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"5fa12c1f_76c980d3","line":218,"updated":"2021-08-02 22:21:12.000000000","message":"I would be interested to hear feedback about creating a neutron API to migrate ports between projects as a prerequisite for this feature","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"44051231ea68bc102e350aa4c1a6554df9335c13","unresolved":true,"context_lines":[{"line_number":215,"context_line":"Work Items"},{"line_number":216,"context_line":"----------"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"* Add neutron API for migrating ports between projects"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"* Add new REST API"},{"line_number":221,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"07e813a5_892c2517","line":218,"in_reply_to":"1fd90b0e_0e0d68c0","updated":"2021-11-16 09:43:59.000000000","message":"I honestly feel this is a large multi-cycle effort that spans across a various list of OpenStack services and communities, like Barbican secrets.","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"e8aab9d6ba302fa454a2ef4c8fa3aa7770b7bc58","unresolved":true,"context_lines":[{"line_number":215,"context_line":"Work Items"},{"line_number":216,"context_line":"----------"},{"line_number":217,"context_line":""},{"line_number":218,"context_line":"* Add neutron API for migrating ports between projects"},{"line_number":219,"context_line":""},{"line_number":220,"context_line":"* Add new REST API"},{"line_number":221,"context_line":""}],"source_content_type":"text/x-rst","patch_set":16,"id":"1fd90b0e_0e0d68c0","line":218,"in_reply_to":"5fa12c1f_76c980d3","updated":"2021-08-03 15:22:21.000000000","message":"i think we would need to add a prequirest for a similar feature in each of the main project that direclty impact the vm\n\nglance (for snapshots mainly)\ncinder (optionaly for volumes)\nneutron (port/floating ips, maybe bandwithd qos?)\nbarbican (for secrets which admin normnally cant retirive)\ncyborg (optionally for accelerators)\n\nthere are some open questions about heat/magnum/trove/manilla however i feel like those higher lvel services would have to be enabled after the fact  consumeing the nova functionality.\n\nso while nova would not be the last service that needs to be enabled i think enabling this in glance,cinder,neutron first with barbiucan and cyborg as close seconds make sense before enabling it in nova.","commit_id":"d7c867f2becf3fff8ebb6f00f81b369612c70d02"}]}