)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d299a3dba0d1a4d042290b13cb67e3e49501551e","unresolved":true,"context_lines":[{"line_number":12,"context_line":"implementation to support snapshot and shelve for ephemeral encrypted"},{"line_number":13,"context_line":"instances. The encryption secret is needed in order to boot a new"},{"line_number":14,"context_line":"instance from a snapshot of an ephemeral encrypted instance and to"},{"line_number":15,"context_line":"unshelve an ephemeral encrypted instance. So, the spec is updated to"},{"line_number":16,"context_line":"propose an additional flavor extra spec or image property to keep the"},{"line_number":17,"context_line":"encryption secret UUID from the key manager."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"Related to blueprint ephemeral-storage-encryption"},{"line_number":20,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"8d493bfd_5e9ccbb8","line":17,"range":{"start_line":15,"start_character":41,"end_line":17,"end_character":43},"updated":"2023-07-06 12:30:45.000000000","message":"i discussed this breifly on irc.\nhttps://meetings.opendev.org/irclogs/%23openstack-nova/%23openstack-nova.2023-07-06.log.html#t2023-07-06T11:30:14\n \ntldr im -1 on using a flavor extra spec or image property to store this\n\ni understand why we need to record this but i dont agree that that is the correct way to do it.\n\nspecifically i really dont like the falvor approch and i dont think this is required for the shelve/unshelve usecase \n\nfor shelve we can store the secrete in the instance system metadata.\n\nfor the second usecase. 
boot a new instance from a snapshot created from an encrypted ephemeral instance i see why you would want to use an image property.\n\ni could be convinced to add the image property for that usecase but i want to chat about some of the details of that.\n\ni think if we were to do this we probably want to consider flattening the image and re-encrypting it for the new instance so that it can use a different secret.\n\ni dont like the idea of having to have logic to decide when its ok to delete the secret based on which instance is deleted last.\n\nso i would either prefer to not support creating a new instance from the snapshot in the initial release or see if there is a way we can simplify.\n\ngiven you are on pto until after spec freeze im ok with approving this as is and deferring this to the implementation review but i would expect us to update the spec to reflect the outcome of that discussion.\n\ni dont think you intended to provide an interface to allow admins/end users to share keys or specify the key to use especially since the end user should not know what key manager is used as the castellan backend. 
but i dont wnat to hold this spec on this since i agree with everything else.","commit_id":"ea0cf9579f16c93d23c4e7210a6bc3d8ec87792d"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"cd4c33be5d3e760b06b8c2df2a05efccd9f6a91e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"18e6eaf2_9ca32397","updated":"2023-06-27 09:11:36.000000000","message":"Just a short fast-approval, nothing was changed.","commit_id":"b2a3c3495a3a188b79f17c8173ea1b24d5ef7bdd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"d299a3dba0d1a4d042290b13cb67e3e49501551e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"355209f0_5b1489e6","updated":"2023-07-06 12:30:45.000000000","message":"+2w with caveats inline","commit_id":"ea0cf9579f16c93d23c4e7210a6bc3d8ec87792d"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"accd208f4b17be145c379287b3224eecc334223b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"8512c32f_ef57d481","updated":"2023-06-27 09:17:56.000000000","message":"Catched at the last minute the diffs between Antelope and Bobcat but those look good to me.\n\nI just highlighted them in the file.\n\nAccordingly, unfortunately due to the additional paragraph, I can\u0027t fast-approve.","commit_id":"ea0cf9579f16c93d23c4e7210a6bc3d8ec87792d"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1a61e442134ea5f13e011961ecf9ea45065ff82c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"a89ed502_c27b88f5","updated":"2023-07-06 12:07:17.000000000","message":"im conflcited.\n\ni think the orgianl spec was fine\nbut i have some issues witht he 
updated content\n\ni think we could mege this as is and fix up the added content when melanie and other are back or leave that part to the implemation review.\n\nwhat do others think","commit_id":"ea0cf9579f16c93d23c4e7210a6bc3d8ec87792d"}],"specs/2023.2/approved/ephemeral-storage-encryption.rst":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1a61e442134ea5f13e011961ecf9ea45065ff82c","unresolved":true,"context_lines":[{"line_number":120,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"To enable snapshot and shelve of instances using ephemeral encryption, the UUID"},{"line_number":123,"context_line":"of the encryption security stored in the key manager for the resultant image"},{"line_number":124,"context_line":"will be kept with the image as a flavor extra spec or image property:"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"* ``hw:ephemeral_encryption_secret_uuid``"}],"source_content_type":"text/x-rst","patch_set":2,"id":"a8a35aa4_9c618273","line":123,"range":{"start_line":123,"start_character":18,"end_line":123,"end_character":26},"updated":"2023-07-06 12:07:17.000000000","message":"nit: secret is","commit_id":"ea0cf9579f16c93d23c4e7210a6bc3d8ec87792d"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"accd208f4b17be145c379287b3224eecc334223b","unresolved":false,"context_lines":[{"line_number":119,"context_line":"* ``plain`` for the plain dm-crypt format"},{"line_number":120,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"To enable snapshot and shelve of instances using ephemeral encryption, the UUID"},{"line_number":123,"context_line":"of the encryption security stored in the key manager for the resultant 
image"},{"line_number":124,"context_line":"will be kept with the image as a flavor extra spec or image property:"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"* ``hw:ephemeral_encryption_secret_uuid``"},{"line_number":127,"context_line":"* ``hw_ephemeral_encryption_secret_uuid``"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"The secret UUID is needed when creating an instance from an ephemeral encrypted"},{"line_number":130,"context_line":"snapshot or when unshelving an ephemeral encrypted instance."},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"BlockDeviceMapping changes"},{"line_number":133,"context_line":"--------------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c7aa60ed_7286232e","line":130,"range":{"start_line":122,"start_character":0,"end_line":130,"end_character":60},"updated":"2023-06-27 09:17:56.000000000","message":"this was the additive content","commit_id":"ea0cf9579f16c93d23c4e7210a6bc3d8ec87792d"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1a61e442134ea5f13e011961ecf9ea45065ff82c","unresolved":true,"context_lines":[{"line_number":119,"context_line":"* ``plain`` for the plain dm-crypt format"},{"line_number":120,"context_line":"* ``luks``  for the LUKSv1 format"},{"line_number":121,"context_line":""},{"line_number":122,"context_line":"To enable snapshot and shelve of instances using ephemeral encryption, the UUID"},{"line_number":123,"context_line":"of the encryption security stored in the key manager for the resultant image"},{"line_number":124,"context_line":"will be kept with the image as a flavor extra spec or image property:"},{"line_number":125,"context_line":""},{"line_number":126,"context_line":"* ``hw:ephemeral_encryption_secret_uuid``"},{"line_number":127,"context_line":"* 
``hw_ephemeral_encryption_secret_uuid``"},{"line_number":128,"context_line":""},{"line_number":129,"context_line":"The secret UUID is needed when creating an instance from an ephemeral encrypted"},{"line_number":130,"context_line":"snapshot or when unshelving an ephemeral encrypted instance."},{"line_number":131,"context_line":""},{"line_number":132,"context_line":"BlockDeviceMapping changes"},{"line_number":133,"context_line":"--------------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"89b55a41_fed44836","line":130,"range":{"start_line":122,"start_character":0,"end_line":130,"end_character":60},"in_reply_to":"c7aa60ed_7286232e","updated":"2023-07-06 12:07:17.000000000","message":"i dont think this is correct\n\nwe can store this in the isntance_system_metadata\n\nbut i am not sure we want to store this in the glance image or embded flavor\n\ni also dont think it makes snese for this to be user/admin specifyable","commit_id":"ea0cf9579f16c93d23c4e7210a6bc3d8ec87792d"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"accd208f4b17be145c379287b3224eecc334223b","unresolved":false,"context_lines":[{"line_number":406,"context_line":"storage encryption while also allowing the libvirt virt driver to increase"},{"line_number":407,"context_line":"coverage of the feature across more imagebackends such as qcow2 and rbd."},{"line_number":408,"context_line":""},{"line_number":409,"context_line":".. 
note::"},{"line_number":410,"context_line":""},{"line_number":411,"context_line":"   Internal base images stored locally in Nova will not be encrypted at rest."},{"line_number":412,"context_line":""},{"line_number":413,"context_line":"Notifications impact"},{"line_number":414,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"434718fc_cd204586","line":411,"range":{"start_line":409,"start_character":0,"end_line":411,"end_character":77},"updated":"2023-06-27 09:17:56.000000000","message":"this was the additive content","commit_id":"ea0cf9579f16c93d23c4e7210a6bc3d8ec87792d"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1a61e442134ea5f13e011961ecf9ea45065ff82c","unresolved":false,"context_lines":[{"line_number":406,"context_line":"storage encryption while also allowing the libvirt virt driver to increase"},{"line_number":407,"context_line":"coverage of the feature across more imagebackends such as qcow2 and rbd."},{"line_number":408,"context_line":""},{"line_number":409,"context_line":".. note::"},{"line_number":410,"context_line":""},{"line_number":411,"context_line":"   Internal base images stored locally in Nova will not be encrypted at rest."},{"line_number":412,"context_line":""},{"line_number":413,"context_line":"Notifications impact"},{"line_number":414,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"70b3504a_31b1547c","line":411,"range":{"start_line":409,"start_character":0,"end_line":411,"end_character":77},"in_reply_to":"434718fc_cd204586","updated":"2023-07-06 12:07:17.000000000","message":"that makes sense.\n\nif that was a deal breaker for operator i guess they could use the flat images_type backend instead since that disables the iamge caching so there will be no base image in that case.\n\nwe should docuemnt this. 
but i think keeping the image cache would normally be the correct thing to do.","commit_id":"ea0cf9579f16c93d23c4e7210a6bc3d8ec87792d"}]}
