)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8877a85256f62ee8ac36eaade0a85955b0272e43","unresolved":true,"context_lines":[{"line_number":5,"context_line":"CommitDate: 2021-09-24 13:11:28 +0100"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Repropose Add libvirt support for flavor and image defined ephemeral encryption"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Change-Id: I9fe4e8615c23776d090d6c81fc9703de31f3fc6a"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"959ffdab_e0d4f01c","line":8,"updated":"2021-11-16 23:59:47.000000000","message":"Previously-approved: Wallaby\n\nhttps://specs.openstack.org/openstack/nova-specs/readme.html#previously-approved-specifications","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8877a85256f62ee8ac36eaade0a85955b0272e43","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"3b3b8160_bd774fdb","updated":"2021-11-16 23:59:47.000000000","message":"Aside from the old link Sylvain pointed out, looks good to me. Just a few questions.","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"64c4c0fc0e6bb097e943abddad18422f684222a0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"3807ab4a_905cc3cd","updated":"2021-11-16 09:07:44.000000000","message":"Just a nit but as you now depend on the Yoga spec, please say it.","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"097b89458d6c1e2da1d9bfbfc5dc059fd5f63a23","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"ffacb032_b2369c01","updated":"2021-11-17 21:03:15.000000000","message":"LGTM","commit_id":"886c4fd0d8ee2bbe0e414ed64aea908dfcf51449"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"b87090ec9e42891383a58f1e482a3eee6169db46","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"2a96938b_d97ae6a1","updated":"2021-11-22 13:16:33.000000000","message":"Looks good. I let Sylvain to approve it as he had comments on PS1","commit_id":"886c4fd0d8ee2bbe0e414ed64aea908dfcf51449"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d4b665e259a66f95bbf7be7fa0e2c02722e5b47b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"70ad15c2_527f891c","updated":"2021-11-22 13:23:10.000000000","message":"ill leave +w to sylvain but this looks good to me","commit_id":"886c4fd0d8ee2bbe0e414ed64aea908dfcf51449"}],"specs/yoga/approved/ephemeral-encryption-libvirt.rst":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8877a85256f62ee8ac36eaade0a85955b0272e43","unresolved":true,"context_lines":[{"line_number":127,"context_line":"backend.  As highlighted at the start of this spec this initial support will"},{"line_number":128,"context_line":"only be for the ``LUKSv1`` encryption format."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Generic key management code will be introduced into the base"},{"line_number":131,"context_line":"``nova.virt.libvirt.imagebackend.Image`` class and used to create and store the"},{"line_number":132,"context_line":"encryption secret within the configured key manager. The initial ``LUKSv1``"},{"line_number":133,"context_line":"support will store a passphrase for each disk within the key manager. This is"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3a7f8b5e_50eb9035","line":130,"range":{"start_line":130,"start_character":0,"end_line":130,"end_character":46},"updated":"2021-11-16 23:59:47.000000000","message":"I\u0027m not too familiar with this but I thought we have existing key manager code, like in nova/keymgr/conf_key_mgr.py. I wondered if using castellan [1] would be a good idea but I see that the content in ^ is derived from castellan.key_manager. I\u0027m asking about this because when I first read it I thought it meant something new would be implemented into the base class. \n\n[1] https://docs.openstack.org/castellan/latest/user/index.html","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"684ca12d578a28de692fb8691943a487385e9361","unresolved":true,"context_lines":[{"line_number":127,"context_line":"backend.  As highlighted at the start of this spec this initial support will"},{"line_number":128,"context_line":"only be for the ``LUKSv1`` encryption format."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Generic key management code will be introduced into the base"},{"line_number":131,"context_line":"``nova.virt.libvirt.imagebackend.Image`` class and used to create and store the"},{"line_number":132,"context_line":"encryption secret within the configured key manager. The initial ``LUKSv1``"},{"line_number":133,"context_line":"support will store a passphrase for each disk within the key manager. This is"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9b4f5901_1b195e24","line":130,"range":{"start_line":130,"start_character":0,"end_line":130,"end_character":46},"in_reply_to":"3a7f8b5e_50eb9035","updated":"2021-11-17 10:54:55.000000000","message":"Apologies for the confusion, the generic code in the base imagebackend class I\u0027m alluding to here is wrapper code that will generate, store and later fetch secrets using the APIs provided by Castellan.\n\nConfKeyManager is just our in-tree configuration based Castellan key manager that\u0027s used for testing when we don\u0027t have Barbican in the env. \n\nLooking through the codebase again this should likely live in nova.crypto with the vTPM stuff that\u0027s caching an instance of the key manager already for us. TBH some of my encrypted volume code that predates this could also move there.","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"097b89458d6c1e2da1d9bfbfc5dc059fd5f63a23","unresolved":true,"context_lines":[{"line_number":127,"context_line":"backend.  As highlighted at the start of this spec this initial support will"},{"line_number":128,"context_line":"only be for the ``LUKSv1`` encryption format."},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"Generic key management code will be introduced into the base"},{"line_number":131,"context_line":"``nova.virt.libvirt.imagebackend.Image`` class and used to create and store the"},{"line_number":132,"context_line":"encryption secret within the configured key manager. The initial ``LUKSv1``"},{"line_number":133,"context_line":"support will store a passphrase for each disk within the key manager. This is"}],"source_content_type":"text/x-rst","patch_set":1,"id":"83b7259f_031d33f0","line":130,"range":{"start_line":130,"start_character":0,"end_line":130,"end_character":46},"in_reply_to":"9b4f5901_1b195e24","updated":"2021-11-17 21:03:15.000000000","message":"OK cool, thanks!","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8877a85256f62ee8ac36eaade0a85955b0272e43","unresolved":true,"context_lines":[{"line_number":145,"context_line":"``nova.virt.libvirt.imagebackend.Image.create_image`` using the provided"},{"line_number":146,"context_line":"format, options and secret."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Enable the ``COMPUTE_EPHEMERAL_ENCRYPTION_LUKS`` trait"},{"line_number":149,"context_line":"------------------------------------------------------"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"Finally, with the above support in place the ``COMPUTE_EPHEMERAL_ENCRYPTION``"}],"source_content_type":"text/x-rst","patch_set":1,"id":"09caa333_33fd612e","line":148,"range":{"start_line":148,"start_character":13,"end_line":148,"end_character":46},"updated":"2021-11-16 23:59:47.000000000","message":"Probably a dumb question but this intentionally does not say like \"V1\" in it, does that mean the same trait could be used for a theoretical v2 and it just means LUKS in general?","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"684ca12d578a28de692fb8691943a487385e9361","unresolved":false,"context_lines":[{"line_number":145,"context_line":"``nova.virt.libvirt.imagebackend.Image.create_image`` using the provided"},{"line_number":146,"context_line":"format, options and secret."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Enable the ``COMPUTE_EPHEMERAL_ENCRYPTION_LUKS`` trait"},{"line_number":149,"context_line":"------------------------------------------------------"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"Finally, with the above support in place the ``COMPUTE_EPHEMERAL_ENCRYPTION``"}],"source_content_type":"text/x-rst","patch_set":1,"id":"e00c547c_d0081a25","line":148,"range":{"start_line":148,"start_character":13,"end_line":148,"end_character":46},"in_reply_to":"09caa333_33fd612e","updated":"2021-11-17 10:54:55.000000000","message":"I think I\u0027ve gone back and fourth on this a few times but yeah initially this would default to v1 and if v2 support was ever introduced we could add version specific traits. The actual format used by the disks is stored elsewhere so this is just used for scheduling and compatibility checks etc.","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"097b89458d6c1e2da1d9bfbfc5dc059fd5f63a23","unresolved":false,"context_lines":[{"line_number":145,"context_line":"``nova.virt.libvirt.imagebackend.Image.create_image`` using the provided"},{"line_number":146,"context_line":"format, options and secret."},{"line_number":147,"context_line":""},{"line_number":148,"context_line":"Enable the ``COMPUTE_EPHEMERAL_ENCRYPTION_LUKS`` trait"},{"line_number":149,"context_line":"------------------------------------------------------"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"Finally, with the above support in place the ``COMPUTE_EPHEMERAL_ENCRYPTION``"}],"source_content_type":"text/x-rst","patch_set":1,"id":"88266720_c99e3427","line":148,"range":{"start_line":148,"start_character":13,"end_line":148,"end_character":46},"in_reply_to":"e00c547c_d0081a25","updated":"2021-11-17 21:03:15.000000000","message":"Ack","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8877a85256f62ee8ac36eaade0a85955b0272e43","unresolved":true,"context_lines":[{"line_number":191,"context_line":"Performance Impact"},{"line_number":192,"context_line":"------------------"},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"QEMU will natively decrypted these ``LUKSv1`` ephemeral disks for us using the"},{"line_number":195,"context_line":"``libgcrypt`` library. While there have been performance issues with this in"},{"line_number":196,"context_line":"the past workarounds [2]_ can be implemented that use ``dm-crypt`` instead."},{"line_number":197,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"e81af26f_e4807ff5","line":194,"range":{"start_line":194,"start_character":19,"end_line":194,"end_character":28},"updated":"2021-11-16 23:59:47.000000000","message":"decrypt","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"684ca12d578a28de692fb8691943a487385e9361","unresolved":false,"context_lines":[{"line_number":191,"context_line":"Performance Impact"},{"line_number":192,"context_line":"------------------"},{"line_number":193,"context_line":""},{"line_number":194,"context_line":"QEMU will natively decrypted these ``LUKSv1`` ephemeral disks for us using the"},{"line_number":195,"context_line":"``libgcrypt`` library. While there have been performance issues with this in"},{"line_number":196,"context_line":"the past workarounds [2]_ can be implemented that use ``dm-crypt`` instead."},{"line_number":197,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"da6c54bf_ed2f06b7","line":194,"range":{"start_line":194,"start_character":19,"end_line":194,"end_character":28},"in_reply_to":"e81af26f_e4807ff5","updated":"2021-11-17 10:54:55.000000000","message":"Ack","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8877a85256f62ee8ac36eaade0a85955b0272e43","unresolved":true,"context_lines":[{"line_number":198,"context_line":"Other deployer impact"},{"line_number":199,"context_line":"---------------------"},{"line_number":200,"context_line":""},{"line_number":201,"context_line":"N/A"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"Developer impact"},{"line_number":204,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"66ffe18a_3beeb220","line":201,"updated":"2021-11-16 23:59:47.000000000","message":"So with this new encryption support, deployers won\u0027t have to configure anything in their nova.confs? (I was a tad confused about the wording \"this current implementation\" on L24. I thought it was saying this new way would require that but after re-reading it sounds like that\u0027s the old way).","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"684ca12d578a28de692fb8691943a487385e9361","unresolved":false,"context_lines":[{"line_number":198,"context_line":"Other deployer impact"},{"line_number":199,"context_line":"---------------------"},{"line_number":200,"context_line":""},{"line_number":201,"context_line":"N/A"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"Developer impact"},{"line_number":204,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"e6e6d679_b99c8e84","line":201,"in_reply_to":"66ffe18a_3beeb220","updated":"2021-11-17 10:54:55.000000000","message":"Yeah the old way was config driven, this new implementation isn\u0027t. I\u0027ll make that clear on L24.","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"097b89458d6c1e2da1d9bfbfc5dc059fd5f63a23","unresolved":false,"context_lines":[{"line_number":198,"context_line":"Other deployer impact"},{"line_number":199,"context_line":"---------------------"},{"line_number":200,"context_line":""},{"line_number":201,"context_line":"N/A"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":"Developer impact"},{"line_number":204,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":1,"id":"66a2b3cf_83181198","line":201,"in_reply_to":"e6e6d679_b99c8e84","updated":"2021-11-17 21:03:15.000000000","message":"Nice, thanks.","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"64c4c0fc0e6bb097e943abddad18422f684222a0","unresolved":true,"context_lines":[{"line_number":268,"context_line":"References"},{"line_number":269,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":270,"context_line":""},{"line_number":271,"context_line":".. [1] https://specs.openstack.org/openstack/nova-specs/specs/wallaby/approved/ephemeral-encryption.html"},{"line_number":272,"context_line":".. [2] https://docs.openstack.org/nova/victoria/configuration/config.html#workarounds.disable_native_luksv1"},{"line_number":273,"context_line":""},{"line_number":274,"context_line":".. list-table:: Revisions"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ccd38517_e8831c7f","line":271,"range":{"start_line":271,"start_character":0,"end_line":271,"end_character":3},"updated":"2021-11-16 09:07:44.000000000","message":"You should modify this link to be using the Yoga spec.","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":10135,"name":"Lee Yarwood","display_name":"Lee Yarwood","email":"lyarwood@redhat.com","username":"lyarwood"},"change_message_id":"684ca12d578a28de692fb8691943a487385e9361","unresolved":false,"context_lines":[{"line_number":268,"context_line":"References"},{"line_number":269,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":270,"context_line":""},{"line_number":271,"context_line":".. [1] https://specs.openstack.org/openstack/nova-specs/specs/wallaby/approved/ephemeral-encryption.html"},{"line_number":272,"context_line":".. [2] https://docs.openstack.org/nova/victoria/configuration/config.html#workarounds.disable_native_luksv1"},{"line_number":273,"context_line":""},{"line_number":274,"context_line":".. list-table:: Revisions"}],"source_content_type":"text/x-rst","patch_set":1,"id":"745d70f0_cda16569","line":271,"range":{"start_line":271,"start_character":0,"end_line":271,"end_character":3},"in_reply_to":"ccd38517_e8831c7f","updated":"2021-11-17 10:54:55.000000000","message":"Ack","commit_id":"df9d07c357c9ac90d422a4a5fb8ea8f35115d5f9"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"d6215bae898470764a5e7393799e6669d4f35337","unresolved":true,"context_lines":[{"line_number":268,"context_line":"References"},{"line_number":269,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":270,"context_line":""},{"line_number":271,"context_line":".. [1] https://specs.openstack.org/openstack/nova-specs/specs/yoga/approved/ephemeral-encryption.html"},{"line_number":272,"context_line":".. [2] https://docs.openstack.org/nova/victoria/configuration/config.html#workarounds.disable_native_luksv1"},{"line_number":273,"context_line":""},{"line_number":274,"context_line":".. list-table:: Revisions"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1629dc68_01615c83","line":271,"updated":"2021-11-22 15:15:14.000000000","message":"thanks","commit_id":"886c4fd0d8ee2bbe0e414ed64aea908dfcf51449"}]}