)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":21,"context_line":"encryption keys, one per guest.  Typical early hardware only has 15"},{"line_number":22,"context_line":"slots, thereby limiting the number of SEV guests which can be run"},{"line_number":23,"context_line":"concurrently to 15.  nova needs to track how many slots are available"},{"line_number":24,"context_line":"and used in order to avoid attempting to exceeding that limit in the"},{"line_number":25,"context_line":"hardware."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Work is in progress to allow QEMU and libvirt to expose the number of"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":23,"id":"7faddb67_c71e315e","line":24,"range":{"start_line":24,"start_character":27,"end_line":24,"end_character":50},"updated":"2019-07-30 22:31:07.000000000","message":"\"attempting to exceed\" or \"exceeding\"","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":21,"context_line":"encryption keys, one per guest.  Typical early hardware only has 15"},{"line_number":22,"context_line":"slots, thereby limiting the number of SEV guests which can be run"},{"line_number":23,"context_line":"concurrently to 15.  
nova needs to track how many slots are available"},{"line_number":24,"context_line":"and used in order to avoid attempting to exceeding that limit in the"},{"line_number":25,"context_line":"hardware."},{"line_number":26,"context_line":""},{"line_number":27,"context_line":"Work is in progress to allow QEMU and libvirt to expose the number of"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":23,"id":"7faddb67_e158c88a","line":24,"range":{"start_line":24,"start_character":27,"end_line":24,"end_character":50},"in_reply_to":"7faddb67_c71e315e","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"dfb98db432afff01456bd6eb0572b159f5956c1c","unresolved":false,"context_lines":[{"line_number":20,"context_line":"the memory controller has a fixed number of slots for holding"},{"line_number":21,"context_line":"encryption keys, one per guest.  Typical early hardware only has 15"},{"line_number":22,"context_line":"slots, thereby limiting the number of SEV guests which can be run"},{"line_number":23,"context_line":"concurrently to 15.  
nova needs to track how many slots are available"},{"line_number":24,"context_line":"and used in order to avoid attempting to exceed that limit in the"},{"line_number":25,"context_line":"hardware."},{"line_number":26,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":50,"id":"5faad753_203aea35","line":23,"range":{"start_line":23,"start_character":21,"end_line":23,"end_character":22},"updated":"2019-09-09 15:32:00.000000000","message":"N","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"}],"doc/source/admin/configuration/hypervisor-kvm.rst":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":384,"context_line":"~~~~~~~~~~~~~~~~~~~~"},{"line_number":385,"context_line":""},{"line_number":386,"context_line":"You may choose to enable support for nested guests --- that is, allow"},{"line_number":387,"context_line":"your Nova instances to themselves run hardware-accelerated virtual"},{"line_number":388,"context_line":"machines with KVM. 
Doing so requires a module parameter on"},{"line_number":389,"context_line":"your KVM kernel module, and corresponding ``nova.conf`` settings."},{"line_number":390,"context_line":""}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_a7da1575","line":387,"range":{"start_line":387,"start_character":5,"end_line":387,"end_character":9},"updated":"2019-07-30 22:31:07.000000000","message":".","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":479,"context_line":"can reduce the amount of trust VMs need to place in the hypervisor and"},{"line_number":480,"context_line":"administrator of their host system."},{"line_number":481,"context_line":""},{"line_number":482,"context_line":"nova supports SEV from the Train release onwards."},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Requirements for SEV"},{"line_number":485,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_8774b969","line":482,"range":{"start_line":482,"start_character":0,"end_line":482,"end_character":4},"updated":"2019-07-30 22:31:07.000000000","message":"Can we capitalize Nova here (at least) please?\n\nI skimmed for usages in the documentation as a whole, and it\u0027s not consistent, but it\u0027s capitalized in a lot of places, and it reads awkwardly here at the beginning of a sentence as lowercase.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":479,"context_line":"can reduce the amount of trust VMs need to place in the hypervisor 
and"},{"line_number":480,"context_line":"administrator of their host system."},{"line_number":481,"context_line":""},{"line_number":482,"context_line":"nova supports SEV from the Train release onwards."},{"line_number":483,"context_line":""},{"line_number":484,"context_line":"Requirements for SEV"},{"line_number":485,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_81dc74e1","line":482,"range":{"start_line":482,"start_character":0,"end_line":482,"end_character":4},"in_reply_to":"7faddb67_8774b969","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":514,"context_line":"  memory controller has a fixed number of slots for holding encryption"},{"line_number":515,"context_line":"  keys, one per guest.  For example, at the time of writing, typical"},{"line_number":516,"context_line":"  hardware only has 15 slots, thereby limiting the number of SEV"},{"line_number":517,"context_line":"  guests which can be run concurrently to 15.  
nova needs to track how"},{"line_number":518,"context_line":"  many slots are available and used in order to avoid attempting to"},{"line_number":519,"context_line":"  exceeding that limit in the hardware."},{"line_number":520,"context_line":""}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_87f919c9","line":517,"range":{"start_line":517,"start_character":47,"end_line":517,"end_character":51},"updated":"2019-07-30 22:31:07.000000000","message":"and here","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":514,"context_line":"  memory controller has a fixed number of slots for holding encryption"},{"line_number":515,"context_line":"  keys, one per guest.  For example, at the time of writing, typical"},{"line_number":516,"context_line":"  hardware only has 15 slots, thereby limiting the number of SEV"},{"line_number":517,"context_line":"  guests which can be run concurrently to 15.  nova needs to track how"},{"line_number":518,"context_line":"  many slots are available and used in order to avoid attempting to"},{"line_number":519,"context_line":"  exceeding that limit in the hardware."},{"line_number":520,"context_line":""}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_2196e0f1","line":517,"range":{"start_line":517,"start_character":47,"end_line":517,"end_character":51},"in_reply_to":"7faddb67_87f919c9","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":515,"context_line":"  keys, one per guest.  
For example, at the time of writing, typical"},{"line_number":516,"context_line":"  hardware only has 15 slots, thereby limiting the number of SEV"},{"line_number":517,"context_line":"  guests which can be run concurrently to 15.  nova needs to track how"},{"line_number":518,"context_line":"  many slots are available and used in order to avoid attempting to"},{"line_number":519,"context_line":"  exceeding that limit in the hardware."},{"line_number":520,"context_line":""},{"line_number":521,"context_line":"  Work is in progress to allow QEMU and libvirt to expose the number"},{"line_number":522,"context_line":"  of slots available on SEV hardware; however until this is finished"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_67fc1db5","line":519,"range":{"start_line":518,"start_character":54,"end_line":519,"end_character":11},"updated":"2019-07-30 22:31:07.000000000","message":"attempting to exceed","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":515,"context_line":"  keys, one per guest.  For example, at the time of writing, typical"},{"line_number":516,"context_line":"  hardware only has 15 slots, thereby limiting the number of SEV"},{"line_number":517,"context_line":"  guests which can be run concurrently to 15.  
nova needs to track how"},{"line_number":518,"context_line":"  many slots are available and used in order to avoid attempting to"},{"line_number":519,"context_line":"  exceeding that limit in the hardware."},{"line_number":520,"context_line":""},{"line_number":521,"context_line":"  Work is in progress to allow QEMU and libvirt to expose the number"},{"line_number":522,"context_line":"  of slots available on SEV hardware; however until this is finished"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_41999c1c","line":519,"range":{"start_line":518,"start_character":54,"end_line":519,"end_character":11},"in_reply_to":"7faddb67_67fc1db5","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":528,"context_line":"- Ensure that sufficient memory is reserved on the SEV compute hosts"},{"line_number":529,"context_line":"  for host-level services to function correctly at all times.  This is"},{"line_number":530,"context_line":"  particularly important when hosting SEV-enabled guests, since they"},{"line_number":531,"context_line":"  pin pages in RAM, preventing any memory overcommit which may be in"},{"line_number":532,"context_line":"  normal operation on other compute hosts."},{"line_number":533,"context_line":""},{"line_number":534,"context_line":"  It is `recommended"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_a71f7506","line":531,"range":{"start_line":531,"start_character":20,"end_line":531,"end_character":52},"updated":"2019-07-30 22:31:07.000000000","message":"nts: does this affect allocation ratio?\n\nShould we be more explicit about setting `reserved`? 
[Later] Ah, L540 ✔","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":532,"context_line":"  normal operation on other compute hosts."},{"line_number":533,"context_line":""},{"line_number":534,"context_line":"  It is `recommended"},{"line_number":535,"context_line":"  \u003chttps://review.opendev.org/#/c/641994/2/specs/train/approved/amd-sev-libvirt-support.rst@167\u003e`_"},{"line_number":536,"context_line":"  to achieve this by configuring an ``rlimit`` at the"},{"line_number":537,"context_line":"  ``/machine.slice`` top-level ``cgroup`` on the host, with all VMs"},{"line_number":538,"context_line":"  placed inside that."}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_c7e391d7","line":535,"range":{"start_line":535,"start_character":3,"end_line":535,"end_character":95},"updated":"2019-07-30 22:31:07.000000000","message":"Can we link to the real spec?\n\nIf you need to amend the spec to add an anchor in this particular spot, I can fast approve that.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":532,"context_line":"  normal operation on other compute hosts."},{"line_number":533,"context_line":""},{"line_number":534,"context_line":"  It is `recommended"},{"line_number":535,"context_line":"  \u003chttps://review.opendev.org/#/c/641994/2/specs/train/approved/amd-sev-libvirt-support.rst@167\u003e`_"},{"line_number":536,"context_line":"  to achieve this by configuring an ``rlimit`` at the"},{"line_number":537,"context_line":"  ``/machine.slice`` top-level ``cgroup`` on the host, with all 
VMs"},{"line_number":538,"context_line":"  placed inside that."}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_e4e696b0","line":535,"range":{"start_line":535,"start_character":3,"end_line":535,"end_character":95},"in_reply_to":"7faddb67_c7e391d7","updated":"2019-08-19 20:04:31.000000000","message":"Great idea - submitted as https://review.opendev.org/#/c/677264/ and preemptively added a link to the new anchor.  However I want to keep this link to the review discussion, because it goes into (way) more detail and is a useful archive which I want to keep easy to find for anyone who really needs to go into the weeds and understand the details.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":540,"context_line":"  An alternative approach is to configure the"},{"line_number":541,"context_line":"  ``reserved_host_memory_mb`` option in the ``[compute]`` section of"},{"line_number":542,"context_line":"  ``nova.conf``, based on the expected maximum number of SEV guests"},{"line_number":543,"context_line":"  simultaneously running on the host, and the details provided in `an"},{"line_number":544,"context_line":"  earlier version of the AMD SEV spec"},{"line_number":545,"context_line":"  \u003chttps://specs.openstack.org/openstack/nova-specs/specs/stein/approved/amd-sev-libvirt-support.html#proposed-change\u003e`_"},{"line_number":546,"context_line":"  regarding memory region sizes, which cover how to calculate it"},{"line_number":547,"context_line":"  correctly."},{"line_number":548,"context_line":""}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_47d7a1ef","line":545,"range":{"start_line":543,"start_character":66,"end_line":545,"end_character":120},"updated":"2019-07-30 22:31:07.000000000","message":"ugh, why?\n\nI 
guess we pared down the train one to make for easier reviewing?","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":540,"context_line":"  An alternative approach is to configure the"},{"line_number":541,"context_line":"  ``reserved_host_memory_mb`` option in the ``[compute]`` section of"},{"line_number":542,"context_line":"  ``nova.conf``, based on the expected maximum number of SEV guests"},{"line_number":543,"context_line":"  simultaneously running on the host, and the details provided in `an"},{"line_number":544,"context_line":"  earlier version of the AMD SEV spec"},{"line_number":545,"context_line":"  \u003chttps://specs.openstack.org/openstack/nova-specs/specs/stein/approved/amd-sev-libvirt-support.html#proposed-change\u003e`_"},{"line_number":546,"context_line":"  regarding memory region sizes, which cover how to calculate it"},{"line_number":547,"context_line":"  correctly."},{"line_number":548,"context_line":""}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_c4727ae3","line":545,"range":{"start_line":543,"start_character":66,"end_line":545,"end_character":120},"in_reply_to":"7faddb67_47d7a1ef","updated":"2019-08-19 20:04:31.000000000","message":"Yes, the table in\n\nhttps://specs.openstack.org/openstack/nova-specs/specs/stein/approved/amd-sev-libvirt-support.html#proposed-change \n\nwas removed.  
(I have a vague memory that someone asked for it to be removed, as it doesn\u0027t seem like the kind of thing I would have removed especially after the work I put into it, but ICBW.)","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":548,"context_line":""},{"line_number":549,"context_line":"  See `the Memory Locking and Accounting section of the AMD SEV spec"},{"line_number":550,"context_line":"  \u003chttp://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html#memory-locking-and-accounting\u003e`_,"},{"line_number":551,"context_line":"  and `previous discussion"},{"line_number":552,"context_line":"  \u003chttps://review.opendev.org/#/c/641994/2/specs/train/approved/amd-sev-libvirt-support.rst@167\u003e`_"},{"line_number":553,"context_line":"  for further details."},{"line_number":554,"context_line":""},{"line_number":555,"context_line":"- A cloud administrator will need to define one or more SEV-enabled"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_270ce5a3","line":552,"range":{"start_line":551,"start_character":6,"end_line":552,"end_character":95},"updated":"2019-07-30 22:31:07.000000000","message":"So yeah, I don\u0027t like this much. 
If there\u0027s information in review comments on a spec (but not in the spec itself) that\u0027s relevant to an admin doc, we should just copy/summarize it directly.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":548,"context_line":""},{"line_number":549,"context_line":"  See `the Memory Locking and Accounting section of the AMD SEV spec"},{"line_number":550,"context_line":"  \u003chttp://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html#memory-locking-and-accounting\u003e`_,"},{"line_number":551,"context_line":"  and `previous discussion"},{"line_number":552,"context_line":"  \u003chttps://review.opendev.org/#/c/641994/2/specs/train/approved/amd-sev-libvirt-support.rst@167\u003e`_"},{"line_number":553,"context_line":"  for further details."},{"line_number":554,"context_line":""},{"line_number":555,"context_line":"- A cloud administrator will need to define one or more SEV-enabled"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_8426c2ca","line":552,"range":{"start_line":551,"start_character":6,"end_line":552,"end_character":95},"in_reply_to":"7faddb67_270ce5a3","updated":"2019-08-19 20:04:31.000000000","message":"The docs and (latest) spec already did copy/summarize it.  
I just left the link in because\n\n- based on past experience, I can basically *guarantee* that someone will question the summary and want to know *exactly* why we arrived at that conclusion by diving into the weeds, and\n\n- it\u0027s a real pain wading through an old review to find the pertinent conversation when you know that it\u0027s in Gerrit somewhere but can\u0027t quite remember where.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":553,"context_line":"  for further details."},{"line_number":554,"context_line":""},{"line_number":555,"context_line":"- A cloud administrator will need to define one or more SEV-enabled"},{"line_number":556,"context_line":"  flavors as described above, unless it is sufficient for users to"},{"line_number":557,"context_line":"  define SEV-enabled images."},{"line_number":558,"context_line":""},{"line_number":559,"context_line":"Impermanent limitations"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_c2efff1a","line":556,"range":{"start_line":556,"start_character":23,"end_line":556,"end_character":28},"updated":"2019-07-30 22:31:07.000000000","message":"where?\n\n[Later] :ref:`extra-specs-memory-encryption` (from flavors.rst) presumably?","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":553,"context_line":"  for further details."},{"line_number":554,"context_line":""},{"line_number":555,"context_line":"- A cloud administrator will need to define one or more SEV-enabled"},{"line_number":556,"context_line":"  flavors as described above, unless it is sufficient for users 
to"},{"line_number":557,"context_line":"  define SEV-enabled images."},{"line_number":558,"context_line":""},{"line_number":559,"context_line":"Impermanent limitations"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_674ce8c7","line":556,"range":{"start_line":556,"start_character":23,"end_line":556,"end_character":28},"in_reply_to":"7faddb67_c2efff1a","updated":"2019-08-19 20:04:31.000000000","message":"Yeah sorry, looks like a cut and paste error.  Fixed.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":560,"context_line":"-----------------------"},{"line_number":561,"context_line":""},{"line_number":562,"context_line":"The following limitations may be removed in the future as the"},{"line_number":563,"context_line":"hardware, firmware, and various layer of software receive new"},{"line_number":564,"context_line":"features:"},{"line_number":565,"context_line":""},{"line_number":566,"context_line":"- SEV-encrypted VMs cannot yet be live-migrated, or suspended,"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_62e08b27","line":563,"range":{"start_line":563,"start_character":32,"end_line":563,"end_character":37},"updated":"2019-07-30 22:31:07.000000000","message":"layers","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":560,"context_line":"-----------------------"},{"line_number":561,"context_line":""},{"line_number":562,"context_line":"The following limitations may be removed in the future as the"},{"line_number":563,"context_line":"hardware, firmware, and various layer of software receive 
new"},{"line_number":564,"context_line":"features:"},{"line_number":565,"context_line":""},{"line_number":566,"context_line":"- SEV-encrypted VMs cannot yet be live-migrated, or suspended,"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_27003001","line":563,"range":{"start_line":563,"start_character":32,"end_line":563,"end_character":37},"in_reply_to":"7faddb67_62e08b27","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":563,"context_line":"hardware, firmware, and various layer of software receive new"},{"line_number":564,"context_line":"features:"},{"line_number":565,"context_line":""},{"line_number":566,"context_line":"- SEV-encrypted VMs cannot yet be live-migrated, or suspended,"},{"line_number":567,"context_line":"  consequently nor resumed.  Support is coming in the future.  However"},{"line_number":568,"context_line":"  this does mean that in the short term, usage of SEV will have an"},{"line_number":569,"context_line":"  impact on compute node maintenance, since SEV-encrypted instances"},{"line_number":570,"context_line":"  will need to be fully shut down before migrating off an SEV host."}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_a248c32c","line":567,"range":{"start_line":566,"start_character":47,"end_line":567,"end_character":26},"updated":"2019-07-30 22:31:07.000000000","message":"This is awkward. 
I would just say \"or suspended.\"\n\nOr if you really feel the need to be explicit/complete, you could rephrase as \"Live migration and suspend/resume operations are not yet supported on SEV-encrypted VMs.\"","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":563,"context_line":"hardware, firmware, and various layer of software receive new"},{"line_number":564,"context_line":"features:"},{"line_number":565,"context_line":""},{"line_number":566,"context_line":"- SEV-encrypted VMs cannot yet be live-migrated, or suspended,"},{"line_number":567,"context_line":"  consequently nor resumed.  Support is coming in the future.  However"},{"line_number":568,"context_line":"  this does mean that in the short term, usage of SEV will have an"},{"line_number":569,"context_line":"  impact on compute node maintenance, since SEV-encrypted instances"},{"line_number":570,"context_line":"  will need to be fully shut down before migrating off an SEV host."}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_87a32443","line":567,"range":{"start_line":566,"start_character":47,"end_line":567,"end_character":26},"in_reply_to":"7faddb67_a248c32c","updated":"2019-08-19 20:04:31.000000000","message":"Yeah good point.  
I guess it\u0027s obvious that it can\u0027t be resumed if it can\u0027t be suspended.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":564,"context_line":"features:"},{"line_number":565,"context_line":""},{"line_number":566,"context_line":"- SEV-encrypted VMs cannot yet be live-migrated, or suspended,"},{"line_number":567,"context_line":"  consequently nor resumed.  Support is coming in the future.  However"},{"line_number":568,"context_line":"  this does mean that in the short term, usage of SEV will have an"},{"line_number":569,"context_line":"  impact on compute node maintenance, since SEV-encrypted instances"},{"line_number":570,"context_line":"  will need to be fully shut down before migrating off an SEV host."},{"line_number":571,"context_line":""},{"line_number":572,"context_line":"- SEV-encrypted VMs cannot contain directly accessible host devices"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_226613c3","line":569,"range":{"start_line":567,"start_character":63,"end_line":569,"end_character":44},"updated":"2019-07-30 22:31:07.000000000","message":"this chunk of text is unnecessary.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":564,"context_line":"features:"},{"line_number":565,"context_line":""},{"line_number":566,"context_line":"- SEV-encrypted VMs cannot yet be live-migrated, or suspended,"},{"line_number":567,"context_line":"  consequently nor resumed.  Support is coming in the future.  
However"},{"line_number":568,"context_line":"  this does mean that in the short term, usage of SEV will have an"},{"line_number":569,"context_line":"  impact on compute node maintenance, since SEV-encrypted instances"},{"line_number":570,"context_line":"  will need to be fully shut down before migrating off an SEV host."},{"line_number":571,"context_line":""},{"line_number":572,"context_line":"- SEV-encrypted VMs cannot contain directly accessible host devices"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_47352cf6","line":569,"range":{"start_line":567,"start_character":63,"end_line":569,"end_character":44},"in_reply_to":"7faddb67_226613c3","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":580,"context_line":""},{"line_number":581,"context_line":"- Operators will initially be required to manually specify the upper"},{"line_number":582,"context_line":"  limit of SEV guests for each compute host, via the new configuration"},{"line_number":583,"context_line":"  option proposed above.  
This is a short-term workaround to the"},{"line_number":584,"context_line":"  current lack of mechanism for programmatically discovering the SEV"},{"line_number":585,"context_line":"  guest limit via libvirt."},{"line_number":586,"context_line":""}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_8274a769","line":583,"range":{"start_line":583,"start_character":9,"end_line":583,"end_character":17},"updated":"2019-07-30 22:31:07.000000000","message":"described","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":580,"context_line":""},{"line_number":581,"context_line":"- Operators will initially be required to manually specify the upper"},{"line_number":582,"context_line":"  limit of SEV guests for each compute host, via the new configuration"},{"line_number":583,"context_line":"  option proposed above.  
This is a short-term workaround to the"},{"line_number":584,"context_line":"  current lack of mechanism for programmatically discovering the SEV"},{"line_number":585,"context_line":"  guest limit via libvirt."},{"line_number":586,"context_line":""}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_b213005c","line":583,"range":{"start_line":583,"start_character":9,"end_line":583,"end_character":17},"in_reply_to":"7faddb67_8274a769","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":589,"context_line":"  removed altogether when nova\u0027s minimum QEMU version guarantees that"},{"line_number":590,"context_line":"  it can always be detected."},{"line_number":591,"context_line":""},{"line_number":592,"context_line":"- Failures at VM launch-time *may* occasionally occur in the initial"},{"line_number":593,"context_line":"  implementation, for example if the ``q35`` machine type is"},{"line_number":594,"context_line":"  unavailable (although this should be rare, since ``q35`` is nearly"},{"line_number":595,"context_line":"  11 years old), or some other required virtual component such as UEFI"},{"line_number":596,"context_line":"  is unavailable.  Future work may track availability of required"},{"line_number":597,"context_line":"  components so that failure can occur earlier, at placement time."}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_020677cf","line":594,"range":{"start_line":592,"start_character":0,"end_line":594,"end_character":68},"updated":"2019-07-30 22:31:07.000000000","message":"Is this true? 
I thought we detect this in the virt driver and only expose the inventory/trait if all the stars align.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":589,"context_line":"  removed altogether when nova\u0027s minimum QEMU version guarantees that"},{"line_number":590,"context_line":"  it can always be detected."},{"line_number":591,"context_line":""},{"line_number":592,"context_line":"- Failures at VM launch-time *may* occasionally occur in the initial"},{"line_number":593,"context_line":"  implementation, for example if the ``q35`` machine type is"},{"line_number":594,"context_line":"  unavailable (although this should be rare, since ``q35`` is nearly"},{"line_number":595,"context_line":"  11 years old), or some other required virtual component such as UEFI"},{"line_number":596,"context_line":"  is unavailable.  Future work may track availability of required"},{"line_number":597,"context_line":"  components so that failure can occur earlier, at placement time."}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_52a5ecb3","line":594,"range":{"start_line":592,"start_character":0,"end_line":594,"end_character":68},"in_reply_to":"7faddb67_020677cf","updated":"2019-08-19 20:04:31.000000000","message":"Yeah that\u0027s old text; the code got way smarter since then.  
In fact I think this whole paragraph is now obsolete - removing.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":594,"context_line":"  unavailable (although this should be rare, since ``q35`` is nearly"},{"line_number":595,"context_line":"  11 years old), or some other required virtual component such as UEFI"},{"line_number":596,"context_line":"  is unavailable.  Future work may track availability of required"},{"line_number":597,"context_line":"  components so that failure can occur earlier, at placement time."},{"line_number":598,"context_line":"  This potentially increases the chance of placement finding an"},{"line_number":599,"context_line":"  alternative host which can provide all the required components, and"},{"line_number":600,"context_line":"  thereby successfully booting the guest."}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_82f907c9","line":597,"range":{"start_line":597,"start_character":21,"end_line":597,"end_character":28},"updated":"2019-07-30 22:31:07.000000000","message":"such failures","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":594,"context_line":"  unavailable (although this should be rare, since ``q35`` is nearly"},{"line_number":595,"context_line":"  11 years old), or some other required virtual component such as UEFI"},{"line_number":596,"context_line":"  is unavailable.  
Future work may track availability of required"},{"line_number":597,"context_line":"  components so that failure can occur earlier, at placement time."},{"line_number":598,"context_line":"  This potentially increases the chance of placement finding an"},{"line_number":599,"context_line":"  alternative host which can provide all the required components, and"},{"line_number":600,"context_line":"  thereby successfully booting the guest."}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_729b4872","line":597,"range":{"start_line":597,"start_character":21,"end_line":597,"end_character":28},"in_reply_to":"7faddb67_82f907c9","updated":"2019-08-19 20:04:31.000000000","message":"This paragraph is now removed.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":622,"context_line":"     \u003chttps://docs.openstack.org/nova/rocky/configuration/config.html#DEFAULT.config_drive_format\u003e`_"},{"line_number":623,"context_line":"     ``iso9660`` to ``vfat``.  This will result in ``virtio`` being"},{"line_number":624,"context_line":"     used instead.  However this per-host setting could potentially"},{"line_number":625,"context_line":"     break images with legacy OS\u0027s which expect the config drive to be"},{"line_number":626,"context_line":"     an IDE CD-ROM.  It would also not deal with other CD-ROM devices."},{"line_number":627,"context_line":""},{"line_number":628,"context_line":"  #. 
Set the (largely `undocumented"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_2234d392","line":625,"range":{"start_line":625,"start_character":30,"end_line":625,"end_character":34},"updated":"2019-07-30 22:31:07.000000000","message":"OSes","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":622,"context_line":"     \u003chttps://docs.openstack.org/nova/rocky/configuration/config.html#DEFAULT.config_drive_format\u003e`_"},{"line_number":623,"context_line":"     ``iso9660`` to ``vfat``.  This will result in ``virtio`` being"},{"line_number":624,"context_line":"     used instead.  However this per-host setting could potentially"},{"line_number":625,"context_line":"     break images with legacy OS\u0027s which expect the config drive to be"},{"line_number":626,"context_line":"     an IDE CD-ROM.  It would also not deal with other CD-ROM devices."},{"line_number":627,"context_line":""},{"line_number":628,"context_line":"  #. 
Set the (largely `undocumented"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_92960449","line":625,"range":{"start_line":625,"start_character":30,"end_line":625,"end_character":34},"in_reply_to":"7faddb67_2234d392","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":649,"context_line":""},{"line_number":650,"context_line":"- Snapshot, since it only snapshots the disk"},{"line_number":651,"context_line":""},{"line_number":652,"context_line":"- Evacuate, since this is only initiated when the VM is assumed to be"},{"line_number":653,"context_line":"  dead or there is a good reason to kill it"},{"line_number":654,"context_line":""},{"line_number":655,"context_line":"- Attaching any volumes, as long as they do not require attaching via"},{"line_number":656,"context_line":"  an IDE bus"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_22d93356","line":653,"range":{"start_line":652,"start_character":41,"end_line":653,"end_character":6},"updated":"2019-07-30 22:31:07.000000000","message":"By \u0027dead\u0027 you mean powered off, yah? 
Might be worth clarifying that.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":649,"context_line":""},{"line_number":650,"context_line":"- Snapshot, since it only snapshots the disk"},{"line_number":651,"context_line":""},{"line_number":652,"context_line":"- Evacuate, since this is only initiated when the VM is assumed to be"},{"line_number":653,"context_line":"  dead or there is a good reason to kill it"},{"line_number":654,"context_line":""},{"line_number":655,"context_line":"- Attaching any volumes, as long as they do not require attaching via"},{"line_number":656,"context_line":"  an IDE bus"}],"source_content_type":"text/x-rst","patch_set":23,"id":"7faddb67_b2cc606a","line":653,"range":{"start_line":652,"start_character":41,"end_line":653,"end_character":6},"in_reply_to":"7faddb67_22d93356","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":504,"context_line":"In order for users to be able to use SEV, the operator will need to"},{"line_number":505,"context_line":"perform the following steps:"},{"line_number":506,"context_line":""},{"line_number":507,"context_line":"- Configure the ``num_memory_encrypted_guests`` option in the"},{"line_number":508,"context_line":"  ``[libvirt]`` section of ``nova.conf`` to represent the number of"},{"line_number":509,"context_line":"  guests an SEV compute node can host concurrently with memory"},{"line_number":510,"context_line":"  encrypted at the hardware level.  
For example:"},{"line_number":511,"context_line":""}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_1351f30e","line":508,"range":{"start_line":507,"start_character":12,"end_line":508,"end_character":43},"updated":"2019-08-30 10:22:25.000000000","message":"the :oslo.config:option:`libvirt.num_memory_encrypted_guests` option in :file:`nova.conf` to","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":504,"context_line":"In order for users to be able to use SEV, the operator will need to"},{"line_number":505,"context_line":"perform the following steps:"},{"line_number":506,"context_line":""},{"line_number":507,"context_line":"- Configure the ``num_memory_encrypted_guests`` option in the"},{"line_number":508,"context_line":"  ``[libvirt]`` section of ``nova.conf`` to represent the number of"},{"line_number":509,"context_line":"  guests an SEV compute node can host concurrently with memory"},{"line_number":510,"context_line":"  encrypted at the hardware level.  For example:"},{"line_number":511,"context_line":""}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_e41c8867","line":508,"range":{"start_line":507,"start_character":12,"end_line":508,"end_character":43},"in_reply_to":"7faddb67_1351f30e","updated":"2019-08-30 16:37:34.000000000","message":"Done for the option.  
:file:`nova.conf` syntax is inconsistent with the rest of this file, but I agree it\u0027s more correct so I\u0027ll use it anyway.","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":522,"context_line":"  needs to track how many slots are available and used in order to"},{"line_number":523,"context_line":"  avoid attempting to exceed that limit in the hardware."},{"line_number":524,"context_line":""},{"line_number":525,"context_line":"  Work is in progress to allow QEMU and libvirt to expose the number"},{"line_number":526,"context_line":"  of slots available on SEV hardware; however until this is finished"},{"line_number":527,"context_line":"  and released, it will not be possible for Nova to programatically"},{"line_number":528,"context_line":"  detect the correct value.  
So this configuration option serves as a"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_53420b3d","line":525,"range":{"start_line":525,"start_character":13,"end_line":525,"end_character":21},"updated":"2019-08-30 10:22:25.000000000","message":"IMO you should add a date here (September 2019) because it could be years before we remember to come back and update this","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":522,"context_line":"  needs to track how many slots are available and used in order to"},{"line_number":523,"context_line":"  avoid attempting to exceed that limit in the hardware."},{"line_number":524,"context_line":""},{"line_number":525,"context_line":"  Work is in progress to allow QEMU and libvirt to expose the number"},{"line_number":526,"context_line":"  of slots available on SEV hardware; however until this is finished"},{"line_number":527,"context_line":"  and released, it will not be possible for Nova to programatically"},{"line_number":528,"context_line":"  detect the correct value.  
So this configuration option serves as a"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_c4370ce3","line":525,"range":{"start_line":525,"start_character":13,"end_line":525,"end_character":21},"in_reply_to":"7faddb67_53420b3d","updated":"2019-08-30 16:37:34.000000000","message":"Done","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":535,"context_line":"  pin pages in RAM, preventing any memory overcommit which may be in"},{"line_number":536,"context_line":"  normal operation on other compute hosts."},{"line_number":537,"context_line":""},{"line_number":538,"context_line":"  It is `recommended"},{"line_number":539,"context_line":"  \u003chttp://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html#memory-reservation-solutions\u003e`_"},{"line_number":540,"context_line":"  to achieve this by configuring an ``rlimit`` at the"},{"line_number":541,"context_line":"  ``/machine.slice`` top-level ``cgroup`` on the host, with all VMs"},{"line_number":542,"context_line":"  placed inside that.  
(For extreme detail, see `this discussion on"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_137a5387","line":539,"range":{"start_line":538,"start_character":7,"end_line":539,"end_character":132},"updated":"2019-08-30 10:22:25.000000000","message":"Can you use anonymous references instead of this?\n\n  It is `recommended`__ to achieve this...\n  (For extra detail, see `this discussion on the spec`__).\n\n  __ http://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html#memory-reservation-solutions\n  __ https://review.opendev.org/#/c/641994/2/specs/train/approved/amd-sev-libvirt-support.rst@167","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":535,"context_line":"  pin pages in RAM, preventing any memory overcommit which may be in"},{"line_number":536,"context_line":"  normal operation on other compute hosts."},{"line_number":537,"context_line":""},{"line_number":538,"context_line":"  It is `recommended"},{"line_number":539,"context_line":"  \u003chttp://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html#memory-reservation-solutions\u003e`_"},{"line_number":540,"context_line":"  to achieve this by configuring an ``rlimit`` at the"},{"line_number":541,"context_line":"  ``/machine.slice`` top-level ``cgroup`` on the host, with all VMs"},{"line_number":542,"context_line":"  placed inside that.  
(For extreme detail, see `this discussion on"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_44ed5c23","line":539,"range":{"start_line":538,"start_character":7,"end_line":539,"end_character":132},"in_reply_to":"7faddb67_137a5387","updated":"2019-08-30 16:37:34.000000000","message":"Done","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":591,"context_line":""},{"line_number":592,"context_line":"- SEV-encrypted VMs cannot yet be live-migrated or suspended,"},{"line_number":593,"context_line":"  therefore they will need to be fully shut down before migrating off"},{"line_number":594,"context_line":"  an SEV host, e.g. if maintenance is required on the host."},{"line_number":595,"context_line":""},{"line_number":596,"context_line":"- SEV-encrypted VMs cannot contain directly accessible host devices"},{"line_number":597,"context_line":"  (PCI passthrough).  
So for example mdev vGPU support will not"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_f3d0d755","line":594,"updated":"2019-08-30 10:22:25.000000000","message":"I haven\u0027t checked, but do we have a check in the API to prevent this, a la [1]?\n\n[1] https://github.com/openstack/nova/commit/ae2e5650d14#diff-d29c9372baf108a281712642550918dc","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":591,"context_line":""},{"line_number":592,"context_line":"- SEV-encrypted VMs cannot yet be live-migrated or suspended,"},{"line_number":593,"context_line":"  therefore they will need to be fully shut down before migrating off"},{"line_number":594,"context_line":"  an SEV host, e.g. if maintenance is required on the host."},{"line_number":595,"context_line":""},{"line_number":596,"context_line":"- SEV-encrypted VMs cannot contain directly accessible host devices"},{"line_number":597,"context_line":"  (PCI passthrough).  So for example mdev vGPU support will not"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_a4e5300c","line":594,"in_reply_to":"7faddb67_f3d0d755","updated":"2019-08-30 16:37:34.000000000","message":"No we don\u0027t.  At some point the hypervisor stack will magically start supporting that, and I don\u0027t think there\u0027s any way to programmatically detect support right now, but I\u0027ve asked for clarity on that.  If I\u0027m right and there is no way, do we still want to reject the operation even if that would require future code changes to unblock it once libvirt supports it?  That doesn\u0027t sound like a particularly good situation.  
I suppose we could add a new oslo.config option but again that\u0027s not ideal either.","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":596,"context_line":"- SEV-encrypted VMs cannot contain directly accessible host devices"},{"line_number":597,"context_line":"  (PCI passthrough).  So for example mdev vGPU support will not"},{"line_number":598,"context_line":"  currently work.  However technologies based on vhost-user should"},{"line_number":599,"context_line":"  work fine."},{"line_number":600,"context_line":""},{"line_number":601,"context_line":"- The boot disk of SEV-encrypted VMs cannot be ``virtio-blk``.  Using"},{"line_number":602,"context_line":"  ``virtio-scsi`` or SATA for the boot disk works as expected, as does"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_b3c6df9b","line":599,"updated":"2019-08-30 10:22:25.000000000","message":"Ditto","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":596,"context_line":"- SEV-encrypted VMs cannot contain directly accessible host devices"},{"line_number":597,"context_line":"  (PCI passthrough).  So for example mdev vGPU support will not"},{"line_number":598,"context_line":"  currently work.  However technologies based on vhost-user should"},{"line_number":599,"context_line":"  work fine."},{"line_number":600,"context_line":""},{"line_number":601,"context_line":"- The boot disk of SEV-encrypted VMs cannot be ``virtio-blk``.  
Using"},{"line_number":602,"context_line":"  ``virtio-scsi`` or SATA for the boot disk works as expected, as does"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_64ebb8dc","line":599,"in_reply_to":"7faddb67_b3c6df9b","updated":"2019-08-30 16:37:34.000000000","message":"Same response as above.","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":600,"context_line":""},{"line_number":601,"context_line":"- The boot disk of SEV-encrypted VMs cannot be ``virtio-blk``.  Using"},{"line_number":602,"context_line":"  ``virtio-scsi`` or SATA for the boot disk works as expected, as does"},{"line_number":603,"context_line":"  ``virtio-blk`` for non-boot disks."},{"line_number":604,"context_line":""},{"line_number":605,"context_line":"- Operators will initially be required to manually specify the upper"},{"line_number":606,"context_line":"  limit of SEV guests for each compute host, via the new"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_73c4e792","line":603,"updated":"2019-08-30 10:22:25.000000000","message":"Ditto","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":600,"context_line":""},{"line_number":601,"context_line":"- The boot disk of SEV-encrypted VMs cannot be ``virtio-blk``.  
Using"},{"line_number":602,"context_line":"  ``virtio-scsi`` or SATA for the boot disk works as expected, as does"},{"line_number":603,"context_line":"  ``virtio-blk`` for non-boot disks."},{"line_number":604,"context_line":""},{"line_number":605,"context_line":"- Operators will initially be required to manually specify the upper"},{"line_number":606,"context_line":"  limit of SEV guests for each compute host, via the new"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_84e834df","line":603,"in_reply_to":"7faddb67_73c4e792","updated":"2019-08-30 16:37:34.000000000","message":"Same response as above.","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":632,"context_line":"  architecture of attaching the config drive as an ``iso9660`` IDE"},{"line_number":633,"context_line":"  CD-ROM device will not work.  There are two potential workarounds:"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"  #. Change ``CONF.config_drive_format`` in ``nova.conf`` from `its"},{"line_number":636,"context_line":"     default value"},{"line_number":637,"context_line":"     \u003chttps://docs.openstack.org/nova/rocky/configuration/config.html#DEFAULT.config_drive_format\u003e`_"},{"line_number":638,"context_line":"     ``iso9660`` to ``vfat``.  
This will result in ``virtio`` being"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_33baef0a","line":635,"range":{"start_line":635,"start_character":12,"end_line":635,"end_character":40},"updated":"2019-08-30 10:22:25.000000000","message":":oslo.config:option:`config_drive_format`","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":632,"context_line":"  architecture of attaching the config drive as an ``iso9660`` IDE"},{"line_number":633,"context_line":"  CD-ROM device will not work.  There are two potential workarounds:"},{"line_number":634,"context_line":""},{"line_number":635,"context_line":"  #. Change ``CONF.config_drive_format`` in ``nova.conf`` from `its"},{"line_number":636,"context_line":"     default value"},{"line_number":637,"context_line":"     \u003chttps://docs.openstack.org/nova/rocky/configuration/config.html#DEFAULT.config_drive_format\u003e`_"},{"line_number":638,"context_line":"     ``iso9660`` to ``vfat``.  This will result in ``virtio`` being"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_64c41861","line":635,"range":{"start_line":635,"start_character":12,"end_line":635,"end_character":40},"in_reply_to":"7faddb67_33baef0a","updated":"2019-08-30 16:37:34.000000000","message":"Done","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":634,"context_line":""},{"line_number":635,"context_line":"  #. 
Change ``CONF.config_drive_format`` in ``nova.conf`` from `its"},{"line_number":636,"context_line":"     default value"},{"line_number":637,"context_line":"     \u003chttps://docs.openstack.org/nova/rocky/configuration/config.html#DEFAULT.config_drive_format\u003e`_"},{"line_number":638,"context_line":"     ``iso9660`` to ``vfat``.  This will result in ``virtio`` being"},{"line_number":639,"context_line":"     used instead.  However this per-host setting could potentially"},{"line_number":640,"context_line":"     break images with legacy OSes which expect the config drive to be"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_53b76b22","line":637,"range":{"start_line":637,"start_character":5,"end_line":637,"end_character":100},"updated":"2019-08-30 10:22:25.000000000","message":"drop this","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":634,"context_line":""},{"line_number":635,"context_line":"  #. Change ``CONF.config_drive_format`` in ``nova.conf`` from `its"},{"line_number":636,"context_line":"     default value"},{"line_number":637,"context_line":"     \u003chttps://docs.openstack.org/nova/rocky/configuration/config.html#DEFAULT.config_drive_format\u003e`_"},{"line_number":638,"context_line":"     ``iso9660`` to ``vfat``.  This will result in ``virtio`` being"},{"line_number":639,"context_line":"     used instead.  
However this per-host setting could potentially"},{"line_number":640,"context_line":"     break images with legacy OSes which expect the config drive to be"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_24a060a5","line":637,"range":{"start_line":637,"start_character":5,"end_line":637,"end_character":100},"in_reply_to":"7faddb67_53b76b22","updated":"2019-08-30 16:37:34.000000000","message":"Done","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":649,"context_line":"  Some potentially cleaner long-term solutions which require code"},{"line_number":650,"context_line":"  changes have been suggested in the `Work Items section of the SEV"},{"line_number":651,"context_line":"  spec"},{"line_number":652,"context_line":"  \u003chttp://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html#work-items\u003e`_."},{"line_number":653,"context_line":""},{"line_number":654,"context_line":"Non-limitations"},{"line_number":655,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_534c4b3e","line":652,"range":{"start_line":652,"start_character":0,"end_line":652,"end_character":115},"updated":"2019-08-30 10:22:25.000000000","message":"Same comments about links here and below","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":649,"context_line":"  Some potentially cleaner long-term solutions which require code"},{"line_number":650,"context_line":"  changes have been suggested in the `Work Items section of the 
SEV"},{"line_number":651,"context_line":"  spec"},{"line_number":652,"context_line":"  \u003chttp://specs.openstack.org/openstack/nova-specs/specs/train/approved/amd-sev-libvirt-support.html#work-items\u003e`_."},{"line_number":653,"context_line":""},{"line_number":654,"context_line":"Non-limitations"},{"line_number":655,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":38,"id":"7faddb67_a47c5020","line":652,"range":{"start_line":652,"start_character":0,"end_line":652,"end_character":115},"in_reply_to":"7faddb67_534c4b3e","updated":"2019-08-30 16:37:34.000000000","message":"Done","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"99adbf9a515862ae7b6fcdc4fbd465e167334464","unresolved":false,"context_lines":[{"line_number":528,"context_line":"  At the time of writing (September 2019), work is in progress to allow"},{"line_number":529,"context_line":"  QEMU and libvirt to expose the number of slots available on SEV"},{"line_number":530,"context_line":"  hardware; however until this is finished and released, it will not be"},{"line_number":531,"context_line":"  possible for Nova to programatically detect the correct value.  
So this"},{"line_number":532,"context_line":"  configuration option serves as a stop-gap, allowing the cloud operator"},{"line_number":533,"context_line":"  to provide this value manually."},{"line_number":534,"context_line":""}],"source_content_type":"text/x-rst","patch_set":50,"id":"5faad753_cc0f8d2c","line":531,"range":{"start_line":531,"start_character":23,"end_line":531,"end_character":38},"updated":"2019-09-09 17:55:53.000000000","message":"programmatically","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":528,"context_line":"  At the time of writing (September 2019), work is in progress to allow"},{"line_number":529,"context_line":"  QEMU and libvirt to expose the number of slots available on SEV"},{"line_number":530,"context_line":"  hardware; however until this is finished and released, it will not be"},{"line_number":531,"context_line":"  possible for Nova to programatically detect the correct value.  
So this"},{"line_number":532,"context_line":"  configuration option serves as a stop-gap, allowing the cloud operator"},{"line_number":533,"context_line":"  to provide this value manually."},{"line_number":534,"context_line":""}],"source_content_type":"text/x-rst","patch_set":50,"id":"5faad753_c03d11bc","line":531,"range":{"start_line":531,"start_character":23,"end_line":531,"end_character":38},"in_reply_to":"5faad753_cc0f8d2c","updated":"2019-09-09 23:29:51.000000000","message":"Fixed up in a follow-up commit","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"99adbf9a515862ae7b6fcdc4fbd465e167334464","unresolved":false,"context_lines":[{"line_number":548,"context_line":""},{"line_number":549,"context_line":"  An alternative approach is to configure the"},{"line_number":550,"context_line":"  :oslo.config:option:`reserved_host_memory_mb` option in the"},{"line_number":551,"context_line":"  ``[compute]`` section of :file:`nova.conf`, based on the expected"},{"line_number":552,"context_line":"  maximum number of SEV guests simultaneously running on the host, and"},{"line_number":553,"context_line":"  the details provided in `an earlier version of the AMD SEV spec`__"},{"line_number":554,"context_line":"  regarding memory region sizes, which cover how to calculate it"}],"source_content_type":"text/x-rst","patch_set":50,"id":"5faad753_ec6fe9c2","line":551,"range":{"start_line":551,"start_character":2,"end_line":551,"end_character":15},"updated":"2019-09-09 17:55:53.000000000","message":"it appears to be in the DEFAULT section","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"95a48d6f9c51f7d2270ad134fbe56d68a5a7a7ba","unresolved":false,"context_lines":[{"line_number":548,"context_line":""},{"line_number":549,"context_line":"  An alternative approach is to configure the"},{"line_number":550,"context_line":"  :oslo.config:option:`reserved_host_memory_mb` option in the"},{"line_number":551,"context_line":"  ``[compute]`` section of :file:`nova.conf`, based on the expected"},{"line_number":552,"context_line":"  maximum number of SEV guests simultaneously running on the host, and"},{"line_number":553,"context_line":"  the details provided in `an earlier version of the AMD SEV spec`__"},{"line_number":554,"context_line":"  regarding memory region sizes, which cover how to calculate it"}],"source_content_type":"text/x-rst","patch_set":50,"id":"5faad753_79464a7f","line":551,"range":{"start_line":551,"start_character":2,"end_line":551,"end_character":15},"in_reply_to":"5faad753_e0a4cd0a","updated":"2019-09-10 12:43:59.000000000","message":"Haven\u0027t checked the follow-up but I\u0027d drop this section since the \u0027oslo.config:option\u0027 role above would indicate the section if there was one","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":548,"context_line":""},{"line_number":549,"context_line":"  An alternative approach is to configure the"},{"line_number":550,"context_line":"  :oslo.config:option:`reserved_host_memory_mb` option in the"},{"line_number":551,"context_line":"  ``[compute]`` section of :file:`nova.conf`, based on the expected"},{"line_number":552,"context_line":"  maximum number of SEV guests simultaneously running on the host, and"},{"line_number":553,"context_line":"  the details 
provided in `an earlier version of the AMD SEV spec`__"},{"line_number":554,"context_line":"  regarding memory region sizes, which cover how to calculate it"}],"source_content_type":"text/x-rst","patch_set":50,"id":"5faad753_e0a4cd0a","line":551,"range":{"start_line":551,"start_character":2,"end_line":551,"end_character":15},"in_reply_to":"5faad753_ec6fe9c2","updated":"2019-09-09 23:29:51.000000000","message":"Fixed up in a follow-up commit","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"99adbf9a515862ae7b6fcdc4fbd465e167334464","unresolved":false,"context_lines":[{"line_number":637,"context_line":""},{"line_number":638,"context_line":"- SEV-encrypted VMs cannot contain directly accessible host devices"},{"line_number":639,"context_line":"  (PCI passthrough).  So for example mdev vGPU support will not"},{"line_number":640,"context_line":"  currently work.  However technologies based on vhost-user should"},{"line_number":641,"context_line":"  work fine."},{"line_number":642,"context_line":""},{"line_number":643,"context_line":"- The boot disk of SEV-encrypted VMs cannot be ``virtio-blk``.  Using"}],"source_content_type":"text/x-rst","patch_set":50,"id":"5faad753_8cb51534","line":640,"range":{"start_line":640,"start_character":49,"end_line":640,"end_character":59},"updated":"2019-09-09 17:55:53.000000000","message":"I don\u0027t know what this is, but should it be ``literal``?","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":637,"context_line":""},{"line_number":638,"context_line":"- SEV-encrypted VMs cannot contain directly accessible host devices"},{"line_number":639,"context_line":"  (PCI passthrough).  
So for example mdev vGPU support will not"},{"line_number":640,"context_line":"  currently work.  However technologies based on vhost-user should"},{"line_number":641,"context_line":"  work fine."},{"line_number":642,"context_line":""},{"line_number":643,"context_line":"- The boot disk of SEV-encrypted VMs cannot be ``virtio-blk``.  Using"}],"source_content_type":"text/x-rst","patch_set":50,"id":"5faad753_60e69d47","line":640,"range":{"start_line":640,"start_character":49,"end_line":640,"end_character":59},"in_reply_to":"5faad753_8cb51534","updated":"2019-09-09 23:29:51.000000000","message":"Possibly but it\u0027s debatable either way. I\u0027ve hyperlinked it in a follow-up commit.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"99adbf9a515862ae7b6fcdc4fbd465e167334464","unresolved":false,"context_lines":[{"line_number":644,"context_line":"  ``virtio-scsi`` or SATA for the boot disk works as expected, as does"},{"line_number":645,"context_line":"  ``virtio-blk`` for non-boot disks."},{"line_number":646,"context_line":""},{"line_number":647,"context_line":"- Operators will initially be required to manually specify the upper"},{"line_number":648,"context_line":"  limit of SEV guests for each compute host, via the new"},{"line_number":649,"context_line":"  :oslo.config:option:`libvirt.num_memory_encrypted_guests` configuration"},{"line_number":650,"context_line":"  option described above.  This is a short-term workaround to the current"}],"source_content_type":"text/x-rst","patch_set":50,"id":"5faad753_ec7da96e","line":647,"range":{"start_line":647,"start_character":30,"end_line":647,"end_character":58},"updated":"2019-09-09 17:55:53.000000000","message":"Oh, did we change direction on the \"default to unlimited\" thing?\n\n[Later] No [1]. As worded, this implies that the value must be set. 
Suggest adding words like in the conf help about \"otherwise the underlying hardware will enforce its own limit\".\n\n[1] https://review.opendev.org/#/c/666616/50/nova/conf/libvirt.py@863","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":644,"context_line":"  ``virtio-scsi`` or SATA for the boot disk works as expected, as does"},{"line_number":645,"context_line":"  ``virtio-blk`` for non-boot disks."},{"line_number":646,"context_line":""},{"line_number":647,"context_line":"- Operators will initially be required to manually specify the upper"},{"line_number":648,"context_line":"  limit of SEV guests for each compute host, via the new"},{"line_number":649,"context_line":"  :oslo.config:option:`libvirt.num_memory_encrypted_guests` configuration"},{"line_number":650,"context_line":"  option described above.  This is a short-term workaround to the current"}],"source_content_type":"text/x-rst","patch_set":50,"id":"5faad753_809b9970","line":647,"range":{"start_line":647,"start_character":30,"end_line":647,"end_character":58},"in_reply_to":"5faad753_ec7da96e","updated":"2019-09-09 23:29:51.000000000","message":"Right - it\u0027s a mistake that this wording makes it sound like a hard requirement.  
Configuration of this is optional, not mandatory, and I\u0027ll clarify that not only by changing this wording but also the corresponding section above.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"}],"nova/conf/libvirt.py":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":841,"context_line":"    cfg.IntOpt(\u0027num_memory_encrypted_guests\u0027,"},{"line_number":842,"context_line":"               default\u003dNone,"},{"line_number":843,"context_line":"               min\u003d0,"},{"line_number":844,"context_line":"               help\u003d\"\"\""},{"line_number":845,"context_line":"Maximum number of guests with encrypted memory which can run"},{"line_number":846,"context_line":"concurrently on this compute host."},{"line_number":847,"context_line":""}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_42746f36","line":844,"updated":"2019-07-30 22:31:07.000000000","message":"somewhere in here it should say that this setting is ignored if we detect that your host doesn\u0027t support memory encrypted guests","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":841,"context_line":"    cfg.IntOpt(\u0027num_memory_encrypted_guests\u0027,"},{"line_number":842,"context_line":"               default\u003dNone,"},{"line_number":843,"context_line":"               min\u003d0,"},{"line_number":844,"context_line":"               help\u003d\"\"\""},{"line_number":845,"context_line":"Maximum number of guests with encrypted memory which can run"},{"line_number":846,"context_line":"concurrently on this compute 
host."},{"line_number":847,"context_line":""}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_322cf000","line":844,"in_reply_to":"7faddb67_42746f36","updated":"2019-08-19 20:04:31.000000000","message":"Good catch - fixed.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"74b9225585bda4f01a49437376fea11af7ec2460","unresolved":false,"context_lines":[{"line_number":842,"context_line":"* ``ram_allocation_ratio`` must be set to 1.0."},{"line_number":843,"context_line":"\"\"\"),"},{"line_number":844,"context_line":"    cfg.IntOpt(\u0027num_memory_encrypted_guests\u0027,"},{"line_number":845,"context_line":"               default\u003dNone,"},{"line_number":846,"context_line":"               min\u003d0,"},{"line_number":847,"context_line":"               help\u003d\"\"\""},{"line_number":848,"context_line":"Maximum number of guests with encrypted memory which can run"}],"source_content_type":"text/x-python","patch_set":38,"id":"7faddb67_70cf0057","line":845,"range":{"start_line":845,"start_character":15,"end_line":845,"end_character":27},"updated":"2019-08-30 05:51:57.000000000","message":"I think the default should be 0? 
this doesn\u0027t sound like a feature we enabled by default","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":5754,"name":"Alex Xu","email":"hejie.xu@intel.com","username":"xuhj"},"change_message_id":"ea414630fd11c528789e9d62eee2cd6a1b9dec9f","unresolved":false,"context_lines":[{"line_number":842,"context_line":"* ``ram_allocation_ratio`` must be set to 1.0."},{"line_number":843,"context_line":"\"\"\"),"},{"line_number":844,"context_line":"    cfg.IntOpt(\u0027num_memory_encrypted_guests\u0027,"},{"line_number":845,"context_line":"               default\u003dNone,"},{"line_number":846,"context_line":"               min\u003d0,"},{"line_number":847,"context_line":"               help\u003d\"\"\""},{"line_number":848,"context_line":"Maximum number of guests with encrypted memory which can run"}],"source_content_type":"text/x-python","patch_set":38,"id":"7faddb67_50642bb9","line":845,"range":{"start_line":845,"start_character":15,"end_line":845,"end_character":27},"in_reply_to":"7faddb67_47931e50","updated":"2019-09-02 01:35:16.000000000","message":"auto-detection makes sense to me","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":842,"context_line":"* ``ram_allocation_ratio`` must be set to 1.0."},{"line_number":843,"context_line":"\"\"\"),"},{"line_number":844,"context_line":"    cfg.IntOpt(\u0027num_memory_encrypted_guests\u0027,"},{"line_number":845,"context_line":"               default\u003dNone,"},{"line_number":846,"context_line":"               min\u003d0,"},{"line_number":847,"context_line":"               help\u003d\"\"\""},{"line_number":848,"context_line":"Maximum number of guests with encrypted memory which can 
run"}],"source_content_type":"text/x-python","patch_set":38,"id":"7faddb67_f303f7bc","line":845,"range":{"start_line":845,"start_character":15,"end_line":845,"end_character":27},"in_reply_to":"7faddb67_70cf0057","updated":"2019-08-30 10:22:25.000000000","message":"Yeah, given that the auto-detection isn\u0027t possible and we have nothing wired up to do this, I don\u0027t think we should be handling this. We can always change the behavior of the option in a future release, but for now I\u0027d make 0 and None equivalent and drop references to this imaginary (for now) auto-detection feature.","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"3bdb698bca095c11adadb3f8b5688cad06626715","unresolved":false,"context_lines":[{"line_number":842,"context_line":"* ``ram_allocation_ratio`` must be set to 1.0."},{"line_number":843,"context_line":"\"\"\"),"},{"line_number":844,"context_line":"    cfg.IntOpt(\u0027num_memory_encrypted_guests\u0027,"},{"line_number":845,"context_line":"               default\u003dNone,"},{"line_number":846,"context_line":"               min\u003d0,"},{"line_number":847,"context_line":"               help\u003d\"\"\""},{"line_number":848,"context_line":"Maximum number of guests with encrypted memory which can run"}],"source_content_type":"text/x-python","patch_set":38,"id":"7faddb67_47931e50","line":845,"range":{"start_line":845,"start_character":15,"end_line":845,"end_character":27},"in_reply_to":"7faddb67_84dcb4e1","updated":"2019-08-30 16:52:50.000000000","message":"I agree with everything Adam says above. That\u0027s not surprising considering I was heavily involved in coming up with it in the first place; but Alex \u0026 Stephen\u0027s comments didn\u0027t change my mind at all.\n\n@Alex: We\u0027re enabling the *capability* by default, but as Adam says, you have to ask for the feature explicitly to get it on your VM. 
Enabling the capability costs us nothing.\n\n@Stephen: We do auto-detect that the feature itself is present. The only thing we can\u0027t always auto-detect is the limit. When that\u0027s the case, assuming \u0027unlimited\u0027 is the reasonable thing. There\u0027s nothing to say we\u0027ll bounce on a SEV slot limit rather than e.g. a RAM limit as Adam suggests. This is kind of like the fact that we don\u0027t try to limit the number of neutron ports you can get based on the system\u0027s total bandwidth capability (until bw qos). Absent an actual resource we can track, we have no choice but to treat it as unlimited.\n\nMore I could say, but Adam said most of it already. Hope this is convincing enough.","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":842,"context_line":"* ``ram_allocation_ratio`` must be set to 1.0."},{"line_number":843,"context_line":"\"\"\"),"},{"line_number":844,"context_line":"    cfg.IntOpt(\u0027num_memory_encrypted_guests\u0027,"},{"line_number":845,"context_line":"               default\u003dNone,"},{"line_number":846,"context_line":"               min\u003d0,"},{"line_number":847,"context_line":"               help\u003d\"\"\""},{"line_number":848,"context_line":"Maximum number of guests with encrypted memory which can run"}],"source_content_type":"text/x-python","patch_set":38,"id":"7faddb67_84dcb4e1","line":845,"range":{"start_line":845,"start_character":15,"end_line":845,"end_character":27},"in_reply_to":"7faddb67_f303f7bc","updated":"2019-08-30 16:37:34.000000000","message":"This design was already carefully considered, e.g. 
in discussions in April while drafting the spec:\n\nhttps://review.opendev.org/#/c/641994/6/specs/train/approved/amd-sev-libvirt-support.rst@192\n\nand also later in May:\n\nhttp://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2019-05-28.log.html#t2019-05-28T18:44:14\n\nIt was Eric\u0027s idea to default to None (meaning \"auto-detect if possible, otherwise leave unlimited\"), and I see no serious problem with having this default, because:\n\n- It won\u0027t affect compute nodes which can\u0027t do SEV.\n- By default it won\u0027t affect *any* compute nodes or VMs: VMs won\u0027t randomly boot with SEV, because you still need to specifically request SEV via a flavor or image property.\n\nAdditionally it avoids requiring operators to manually tweak nova.conf on every SEV machine they deploy before they can use SEV.  That might not be too convincing an argument in the short-term, but in the long-term it means that some nova-compute upgrade would make compute nodes automagically detect the correct limit.  If the limit is set manually in the short term, operators would then have to manually remove that limit as soon as auto-detection arrives.  IOW that\u0027s two sets of manual configuration, probably for little to no gain (see below).\n\nWe definitely don\u0027t want 0 and None to be equivalent, because for sure we need operators to be able to:\n\n- manually disable SEV on a machine which is SEV-capable, by setting to 0\n- set to \"auto-detect if you can\"\n\nand it\u0027s probably still useful for some operators to be able to set it to unlimited.\n\nIf you\u0027re really worried about the unlimited case, I could maybe be persuaded to change the default from None to 0.  Maybe we could even use -1 to indicate unlimited and None to indicate \"auto-detect if you can, otherwise 0\".  But that\u0027s getting complicated to understand.  
Also please bear in mind that on the latest Rome generation of EPYC hardware, the number of hardware slots is something like 500, which on many machines (and depending on the size of the smallest flavors available) could easily be more than the available RAM permits anyway, meaning that it would be impossible to exceed the number of SEV slots available.  So I\u0027d prefer to give the operator the option of \"unlimited\", even if it\u0027s not the default.\n\nIn summary I\u0027m not yet convinced this should be changed.  However if you can persuade Eric otherwise then you can probably persuade me too :-)","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"7f2cc15d3cbf5af4eef2028395cd1904273efb92","unresolved":false,"context_lines":[{"line_number":858,"context_line":"future.  If the machine does not support memory encryption, the option"},{"line_number":859,"context_line":"will be ignored."},{"line_number":860,"context_line":""},{"line_number":861,"context_line":"A value of ``None`` means auto-detect the inventory, or if this is not"},{"line_number":862,"context_line":"possible, set the inventory to 0 on hosts which don\u0027t support SEV, and"},{"line_number":863,"context_line":"on hosts which do, don\u0027t impose any limit."},{"line_number":864,"context_line":""},{"line_number":865,"context_line":".. note::"}],"source_content_type":"text/x-python","patch_set":47,"id":"5faad753_5d829651","line":862,"range":{"start_line":861,"start_character":0,"end_line":862,"end_character":9},"updated":"2019-09-06 11:45:25.000000000","message":"This still reads poorly to me. We\u0027re not auto-detecting the inventory but rather auto-detecting the capability and reporting unlimited inventory, right? 
Could you rephrase if so, as the way this is currently written means this conflicts hugely with the admonition below","commit_id":"f8283ad9b2435f08da7495e750a70b6c8b209f76"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"f4e13dbe6a2a72b1dd6890d0499a7e243f19f460","unresolved":false,"context_lines":[{"line_number":858,"context_line":"future.  If the machine does not support memory encryption, the option"},{"line_number":859,"context_line":"will be ignored."},{"line_number":860,"context_line":""},{"line_number":861,"context_line":"A value of ``None`` means auto-detect the inventory, or if this is not"},{"line_number":862,"context_line":"possible, set the inventory to 0 on hosts which don\u0027t support SEV, and"},{"line_number":863,"context_line":"on hosts which do, don\u0027t impose any limit."},{"line_number":864,"context_line":""},{"line_number":865,"context_line":".. note::"}],"source_content_type":"text/x-python","patch_set":47,"id":"5faad753_d3c19730","line":862,"range":{"start_line":861,"start_character":0,"end_line":862,"end_character":9},"in_reply_to":"5faad753_5d829651","updated":"2019-09-06 13:53:44.000000000","message":"Ah, I see what you mean - excellent point.  I\u0027ve significantly revamped this; hopefully you like the new version.","commit_id":"f8283ad9b2435f08da7495e750a70b6c8b209f76"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"99adbf9a515862ae7b6fcdc4fbd465e167334464","unresolved":false,"context_lines":[{"line_number":850,"context_line":"concurrently on this compute host."},{"line_number":851,"context_line":""},{"line_number":852,"context_line":"For now this is only relevant for AMD machines which support SEV"},{"line_number":853,"context_line":"(Secure Encrypted Virtualisation).  
Such machines have a limited"},{"line_number":854,"context_line":"number of slots in their memory controller for storing encryption"},{"line_number":855,"context_line":"keys.  Each running guest with encrypted memory will consume one of"},{"line_number":856,"context_line":"these slots."}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_4c0b9d8d","line":853,"range":{"start_line":853,"start_character":18,"end_line":853,"end_character":32},"updated":"2019-09-09 17:55:53.000000000","message":"Virtualization (since that\u0027s how the marketing material spells it) https://developer.amd.com/sev/","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"95a48d6f9c51f7d2270ad134fbe56d68a5a7a7ba","unresolved":false,"context_lines":[{"line_number":850,"context_line":"concurrently on this compute host."},{"line_number":851,"context_line":""},{"line_number":852,"context_line":"For now this is only relevant for AMD machines which support SEV"},{"line_number":853,"context_line":"(Secure Encrypted Virtualisation).  Such machines have a limited"},{"line_number":854,"context_line":"number of slots in their memory controller for storing encryption"},{"line_number":855,"context_line":"keys.  
Each running guest with encrypted memory will consume one of"},{"line_number":856,"context_line":"these slots."}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_b931220e","line":853,"range":{"start_line":853,"start_character":18,"end_line":853,"end_character":32},"in_reply_to":"5faad753_208ae51a","updated":"2019-09-10 12:43:59.000000000","message":"Also American English in our docs","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":850,"context_line":"concurrently on this compute host."},{"line_number":851,"context_line":""},{"line_number":852,"context_line":"For now this is only relevant for AMD machines which support SEV"},{"line_number":853,"context_line":"(Secure Encrypted Virtualisation).  Such machines have a limited"},{"line_number":854,"context_line":"number of slots in their memory controller for storing encryption"},{"line_number":855,"context_line":"keys.  
Each running guest with encrypted memory will consume one of"},{"line_number":856,"context_line":"these slots."}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_208ae51a","line":853,"range":{"start_line":853,"start_character":18,"end_line":853,"end_character":32},"in_reply_to":"5faad753_4c0b9d8d","updated":"2019-09-09 23:29:51.000000000","message":"Fixed up in a follow-up commit.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"99adbf9a515862ae7b6fcdc4fbd465e167334464","unresolved":false,"context_lines":[{"line_number":872,"context_line":""},{"line_number":873,"context_line":"   When deciding whether to use the default of ``None`` or manually"},{"line_number":874,"context_line":"   impose a limit, operators should carefully weigh the benefits"},{"line_number":875,"context_line":"   vs. the risk.  The benefits are a) immediate convenience since"},{"line_number":876,"context_line":"   nothing needs to be done now, and b) convenience later when"},{"line_number":877,"context_line":"   upgrading compute hosts to future versions of Nova, since again"},{"line_number":878,"context_line":"   nothing will need to be done for the correct limit to be"}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_6c4f79bd","line":875,"range":{"start_line":875,"start_character":22,"end_line":875,"end_character":30},"updated":"2019-09-09 17:55:53.000000000","message":"...of using the default","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":872,"context_line":""},{"line_number":873,"context_line":"   When deciding whether to use the default of ``None`` or manually"},{"line_number":874,"context_line":"   
impose a limit, operators should carefully weigh the benefits"},{"line_number":875,"context_line":"   vs. the risk.  The benefits are a) immediate convenience since"},{"line_number":876,"context_line":"   nothing needs to be done now, and b) convenience later when"},{"line_number":877,"context_line":"   upgrading compute hosts to future versions of Nova, since again"},{"line_number":878,"context_line":"   nothing will need to be done for the correct limit to be"}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_e0836d03","line":875,"range":{"start_line":875,"start_character":22,"end_line":875,"end_character":30},"in_reply_to":"5faad753_6c4f79bd","updated":"2019-09-09 23:29:51.000000000","message":"Fixed up in a follow-up commit.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"99adbf9a515862ae7b6fcdc4fbd465e167334464","unresolved":false,"context_lines":[{"line_number":890,"context_line":"* :oslo.config:option:`libvirt.virt_type` must be set to ``kvm``."},{"line_number":891,"context_line":""},{"line_number":892,"context_line":"* It\u0027s recommended to consider including ``x86_64\u003dq35`` in"},{"line_number":893,"context_line":"  :oslo.config:option:`libvirt.hw_machine_type`; see"},{"line_number":894,"context_line":"  :ref:`deploying-sev-capable-infrastructure` for more on this."},{"line_number":895,"context_line":"\"\"\"),"},{"line_number":896,"context_line":"]"},{"line_number":897,"context_line":""}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_0cbda564","line":894,"range":{"start_line":893,"start_character":2,"end_line":894,"end_character":45},"updated":"2019-09-09 17:55:53.000000000","message":"TIL\n\nI was going to complain that these sphinx roles wouldn\u0027t render in the sample config, but apparently it only uses the first 
sentence.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":890,"context_line":"* :oslo.config:option:`libvirt.virt_type` must be set to ``kvm``."},{"line_number":891,"context_line":""},{"line_number":892,"context_line":"* It\u0027s recommended to consider including ``x86_64\u003dq35`` in"},{"line_number":893,"context_line":"  :oslo.config:option:`libvirt.hw_machine_type`; see"},{"line_number":894,"context_line":"  :ref:`deploying-sev-capable-infrastructure` for more on this."},{"line_number":895,"context_line":"\"\"\"),"},{"line_number":896,"context_line":"]"},{"line_number":897,"context_line":""}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_c09f514e","line":894,"range":{"start_line":893,"start_character":2,"end_line":894,"end_character":45},"in_reply_to":"5faad753_0cbda564","updated":"2019-09-09 23:29:51.000000000","message":"Actually no, it uses the whole thing - and I did multiple iterations of testing the rendering to get this right.  
You can see the results here:\n\nhttps://99bf2271056ae706db89-afd92f42827c905443f6faed27a01096.ssl.cf2.rackcdn.com/666616/50/check/openstack-tox-docs/a623536/docs/configuration/config.html#libvirt.num_memory_encrypted_guests\n\nIt makes me wonder why we aren\u0027t taking advantage of this in the help text for all the other options, since being able to navigate via hyperlinks is very helpful.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"c684834f34b2271750ef22542fc244cb54d8a40f","unresolved":false,"context_lines":[{"line_number":890,"context_line":"* :oslo.config:option:`libvirt.virt_type` must be set to ``kvm``."},{"line_number":891,"context_line":""},{"line_number":892,"context_line":"* It\u0027s recommended to consider including ``x86_64\u003dq35`` in"},{"line_number":893,"context_line":"  :oslo.config:option:`libvirt.hw_machine_type`; see"},{"line_number":894,"context_line":"  :ref:`deploying-sev-capable-infrastructure` for more on this."},{"line_number":895,"context_line":"\"\"\"),"},{"line_number":896,"context_line":"]"},{"line_number":897,"context_line":""}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_ea4fb68f","line":894,"range":{"start_line":893,"start_character":2,"end_line":894,"end_character":45},"in_reply_to":"5faad753_390e923b","updated":"2019-09-10 13:44:39.000000000","message":"Oh, I see.  
OK, so I got away with it accidentally through not using roles in the first sentence :-)  Maybe I can help out with [1] sometime soon.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"95a48d6f9c51f7d2270ad134fbe56d68a5a7a7ba","unresolved":false,"context_lines":[{"line_number":890,"context_line":"* :oslo.config:option:`libvirt.virt_type` must be set to ``kvm``."},{"line_number":891,"context_line":""},{"line_number":892,"context_line":"* It\u0027s recommended to consider including ``x86_64\u003dq35`` in"},{"line_number":893,"context_line":"  :oslo.config:option:`libvirt.hw_machine_type`; see"},{"line_number":894,"context_line":"  :ref:`deploying-sev-capable-infrastructure` for more on this."},{"line_number":895,"context_line":"\"\"\"),"},{"line_number":896,"context_line":"]"},{"line_number":897,"context_line":""}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_390e923b","line":894,"range":{"start_line":893,"start_character":2,"end_line":894,"end_character":45},"in_reply_to":"5faad753_c09f514e","updated":"2019-09-10 12:43:59.000000000","message":"@efried\u0027s referring to the sample nova.conf file that you can find at \u0027doc/source/_static/nova.conf.sample\u0027. 
So yeah, we probably shouldn\u0027t be using these here until I close out [1]\n\n@efried: RE: TIL, look at commit 3e0fb203dbbca2718f2c3d43b0b5dfe182be7f4b\n\n[1] https://review.opendev.org/#/c/640057/","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"f0350a447c7e4b9a483589d097bb8ef8415a7906","unresolved":false,"context_lines":[{"line_number":890,"context_line":"* :oslo.config:option:`libvirt.virt_type` must be set to ``kvm``."},{"line_number":891,"context_line":""},{"line_number":892,"context_line":"* It\u0027s recommended to consider including ``x86_64\u003dq35`` in"},{"line_number":893,"context_line":"  :oslo.config:option:`libvirt.hw_machine_type`; see"},{"line_number":894,"context_line":"  :ref:`deploying-sev-capable-infrastructure` for more on this."},{"line_number":895,"context_line":"\"\"\"),"},{"line_number":896,"context_line":"]"},{"line_number":897,"context_line":""}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_64b8d6c7","line":894,"range":{"start_line":893,"start_character":2,"end_line":894,"end_character":45},"in_reply_to":"5faad753_ea4fb68f","updated":"2019-09-10 16:57:05.000000000","message":"Yeah, at some point I tried doing something fancier with the oslo.config roles, but Stephen\u0027s thing superseded (it\u0027s a better idea).","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"}],"nova/tests/unit/virt/libvirt/test_driver.py":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":23526,"context_line":"            \u0027Host is configured with libvirt.num_memory_encrypted_guests \u0027"},{"line_number":23527,"context_line":"            \u0027set to %d, but is not SEV-capable.\u0027, 
16)"},{"line_number":23528,"context_line":""},{"line_number":23529,"context_line":"    @mock.patch.object(os.path, \u0027exists\u0027, return_value\u003dFalse)"},{"line_number":23530,"context_line":"    def test_get_mem_encrypted_slots_unsupported(self, mock_exists):"},{"line_number":23531,"context_line":"        self.driver._host._set_amd_sev_support()"},{"line_number":23532,"context_line":"        self.assertEqual(0, self.driver._get_memory_encrypted_slots())"}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_a2c9a359","line":23529,"range":{"start_line":23529,"start_character":4,"end_line":23529,"end_character":61},"updated":"2019-07-30 22:31:07.000000000","message":"nit: could pull this mock to the class level and use new\u003dmock.Mock(return_value\u003dFalse) and get rid of the unused mock_exists params in all these test methods.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":23526,"context_line":"            \u0027Host is configured with libvirt.num_memory_encrypted_guests \u0027"},{"line_number":23527,"context_line":"            \u0027set to %d, but is not SEV-capable.\u0027, 16)"},{"line_number":23528,"context_line":""},{"line_number":23529,"context_line":"    @mock.patch.object(os.path, \u0027exists\u0027, return_value\u003dFalse)"},{"line_number":23530,"context_line":"    def test_get_mem_encrypted_slots_unsupported(self, mock_exists):"},{"line_number":23531,"context_line":"        self.driver._host._set_amd_sev_support()"},{"line_number":23532,"context_line":"        self.assertEqual(0, 
self.driver._get_memory_encrypted_slots())"}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_52672c26","line":23529,"range":{"start_line":23529,"start_character":4,"end_line":23529,"end_character":61},"in_reply_to":"7faddb67_a2c9a359","updated":"2019-08-19 20:04:31.000000000","message":"Weird, I previously saw problems arising when patching the class (see below), but it seems fine here - done.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":23542,"context_line":"            vc, \u0027_domain_capability_features\u0027,"},{"line_number":23543,"context_line":"            new\u003dvc._domain_capability_features_with_SEV)"},{"line_number":23544,"context_line":""},{"line_number":23545,"context_line":"        self.patch_exists.__enter__()"},{"line_number":23546,"context_line":"        self.patch_open.__enter__()"},{"line_number":23547,"context_line":"        self.patch_features.__enter__()"},{"line_number":23548,"context_line":""},{"line_number":23549,"context_line":"        super(TestLibvirtSEVSupported, self).setUp()"},{"line_number":23550,"context_line":""},{"line_number":23551,"context_line":"    def tearDown(self):"},{"line_number":23552,"context_line":"        self.patch_exists.__exit__(None, None, None)"},{"line_number":23553,"context_line":"        self.patch_open.__exit__(None, None, None)"},{"line_number":23554,"context_line":"        self.patch_features.__exit__(None, None, None)"},{"line_number":23555,"context_line":"        super(TestLibvirtSEVSupported, self).tearDown()"},{"line_number":23556,"context_line":""},{"line_number":23557,"context_line":"    def test_get_mem_encrypted_slots_unlimited(self):"},{"line_number":23558,"context_line":"        
self.driver._host._set_amd_sev_support()"}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_22e373db","line":23555,"range":{"start_line":23545,"start_character":0,"end_line":23555,"end_character":55},"updated":"2019-07-30 22:31:07.000000000","message":"ew ew ew ew ewwwww\n\nIs there seriously no way to do this with decorators??\n\n[Later] Yeah, this works just fine:\n\n +@test.patch_exists(SEV_KERNEL_PARAM_FILE, True)\n +@test.patch_open(SEV_KERNEL_PARAM_FILE, \"1\\n\")\n +@mock.patch.object(vc, \u0027_domain_capability_features\u0027,\n +                   new\u003dvc._domain_capability_features_with_SEV)\n  class TestLibvirtSEVSupported(TestLibvirtSEV):\n      \"\"\"Libvirt driver tests for when AMD SEV support is present.\"\"\"\n  \n -    def setUp(self):\n -        self.patch_exists \u003d test.patch_exists(SEV_KERNEL_PARAM_FILE, True)\n -        self.patch_open \u003d test.patch_open(SEV_KERNEL_PARAM_FILE, \"1\\n\")\n -        self.patch_features \u003d mock.patch.object(\n -            vc, \u0027_domain_capability_features\u0027,\n -            new\u003dvc._domain_capability_features_with_SEV)\n -\n -        self.patch_exists.__enter__()\n -        self.patch_open.__enter__()\n -        self.patch_features.__enter__()\n -\n -        super(TestLibvirtSEVSupported, self).setUp()\n -\n -    def tearDown(self):\n -        self.patch_exists.__exit__(None, None, None)\n -        self.patch_open.__exit__(None, None, None)\n -        self.patch_features.__exit__(None, None, None)\n -        super(TestLibvirtSEVSupported, self).tearDown()\n -","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":23542,"context_line":"            vc, \u0027_domain_capability_features\u0027,"},{"line_number":23543,"context_line":"            
new\u003dvc._domain_capability_features_with_SEV)"},{"line_number":23544,"context_line":""},{"line_number":23545,"context_line":"        self.patch_exists.__enter__()"},{"line_number":23546,"context_line":"        self.patch_open.__enter__()"},{"line_number":23547,"context_line":"        self.patch_features.__enter__()"},{"line_number":23548,"context_line":""},{"line_number":23549,"context_line":"        super(TestLibvirtSEVSupported, self).setUp()"},{"line_number":23550,"context_line":""},{"line_number":23551,"context_line":"    def tearDown(self):"},{"line_number":23552,"context_line":"        self.patch_exists.__exit__(None, None, None)"},{"line_number":23553,"context_line":"        self.patch_open.__exit__(None, None, None)"},{"line_number":23554,"context_line":"        self.patch_features.__exit__(None, None, None)"},{"line_number":23555,"context_line":"        super(TestLibvirtSEVSupported, self).tearDown()"},{"line_number":23556,"context_line":""},{"line_number":23557,"context_line":"    def test_get_mem_encrypted_slots_unlimited(self):"},{"line_number":23558,"context_line":"        self.driver._host._set_amd_sev_support()"}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_6d8e097a","line":23555,"range":{"start_line":23545,"start_character":0,"end_line":23555,"end_character":55},"in_reply_to":"7faddb67_22e373db","updated":"2019-08-19 20:04:31.000000000","message":"It doesn\u0027t work fine here, and I have no idea why.  This is what I tried first (obviously), and what happens is that those tests just vanish.  stestr can\u0027t find them, either via run -n or using its test discovery.\n\nFurther investigation reveals that moving the @mock.patch.object to the class is fine, but it breaks as soon as I move the patch_* decorators I wrote myself :-(  Bah.  
If you can\u0027t reproduce this then that\u0027s even more odd and I would really like to hear about it.\n\nHaving said that, I\u0027ve changed it to apply the patch_* decorators by duplicating them on each method.  I hate violating DRY, but in this case the __enter__ / __exit__ stuff is probably even worse.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"87a9121f5187da0367a001564819fc3a75181357","unresolved":false,"context_lines":[{"line_number":23542,"context_line":"            vc, \u0027_domain_capability_features\u0027,"},{"line_number":23543,"context_line":"            new\u003dvc._domain_capability_features_with_SEV)"},{"line_number":23544,"context_line":""},{"line_number":23545,"context_line":"        self.patch_exists.__enter__()"},{"line_number":23546,"context_line":"        self.patch_open.__enter__()"},{"line_number":23547,"context_line":"        self.patch_features.__enter__()"},{"line_number":23548,"context_line":""},{"line_number":23549,"context_line":"        super(TestLibvirtSEVSupported, self).setUp()"},{"line_number":23550,"context_line":""},{"line_number":23551,"context_line":"    def tearDown(self):"},{"line_number":23552,"context_line":"        self.patch_exists.__exit__(None, None, None)"},{"line_number":23553,"context_line":"        self.patch_open.__exit__(None, None, None)"},{"line_number":23554,"context_line":"        self.patch_features.__exit__(None, None, None)"},{"line_number":23555,"context_line":"        super(TestLibvirtSEVSupported, self).tearDown()"},{"line_number":23556,"context_line":""},{"line_number":23557,"context_line":"    def test_get_mem_encrypted_slots_unlimited(self):"},{"line_number":23558,"context_line":"        
self.driver._host._set_amd_sev_support()"}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_cce9357f","line":23555,"range":{"start_line":23545,"start_character":0,"end_line":23555,"end_character":55},"in_reply_to":"7faddb67_6d8e097a","updated":"2019-08-20 09:53:05.000000000","message":"so the decorator works and i have used it before on python 2.7,3.5 and 3.6 but i think it breaks on 3.7 at least I think that was my issue in \n\nhttps://review.opendev.org/#/c/666914/7/nova/tests/unit/test_utils.py@266\n\nbut the correct way to do this is not to call __enter__\n\nyou use the patcher directly\nhttps://docs.python.org/3/library/unittest.mock.html#patch-methods-start-and-stop\n\n\nso in my case\n\n@mock.patch.dict(utils._TRAITS_CACHE, clear\u003dTrue)\nclass TestTraitsCache(test.NoDBTestCase):\n\nbecomes \n\nclass TestTraitsCache(test.NoDBTestCase):\n    def setUp(self):\n        super(TestTraitsCache, self).setUp()\n        patcher \u003d mock.patch.dict(utils._TRAITS_CACHE, clear\u003dTrue)\n        patcher.start()\n        self.addCleanup(patcher.stop)\n\n\ni cant reproduce the py37 failure locally with the decorator so maybe the gate just has a broken py37 in the rackspace vms.\n\nin any case the recommended way to do this is\n\n\ndef setUp(self):\n        self.patch_exists \u003d test.patch_exists(SEV_KERNEL_PARAM_FILE, True)\n        self.patch_open \u003d test.patch_open(SEV_KERNEL_PARAM_FILE, \"1\\n\")\n        self.patch_features \u003d mock.patch.object(\n            vc, \u0027_domain_capability_features\u0027,\n            new\u003dvc._domain_capability_features_with_SEV)\n\n        self.patch_exists.start()\n        self.addCleanup(self.patch_exists.stop)\n        self.patch_open.start()\n        self.addCleanup(self.patch_open.stop)\n        self.patch_features.start()\n        self.addCleanup(self.patch_features.stop)\n\n\nsince you dont need access to the mocks in the test however\n\nyou can do\n\ndef setUp(self):\n        patch_exists 
\u003d test.patch_exists(SEV_KERNEL_PARAM_FILE, True)\n        patch_open \u003d test.patch_open(SEV_KERNEL_PARAM_FILE, \"1\\n\")\n        patch_features \u003d mock.patch.object(\n            vc, \u0027_domain_capability_features\u0027,\n            new\u003dvc._domain_capability_features_with_SEV)\n\n        patch_exists.start()\n        self.addCleanup(patch_exists.stop)\n        patch_open.start()\n        self.addCleanup(patch_open.stop)\n        patch_features.start()\n        self.addCleanup(patch_features.stop)\n\nthe reference to the stop function keeps the mock alive until its run so you dont need to assign the mock to an instance varable if you never want to use it in the test case but just want it mocked out.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"dfb98db432afff01456bd6eb0572b159f5956c1c","unresolved":false,"context_lines":[{"line_number":23741,"context_line":""},{"line_number":23742,"context_line":"    @test.patch_exists(SEV_KERNEL_PARAM_FILE, True)"},{"line_number":23743,"context_line":"    @test.patch_open(SEV_KERNEL_PARAM_FILE, \"1\\n\")"},{"line_number":23744,"context_line":"    @mock.patch.object(libvirt_driver.LOG, \u0027warning\u0027)"},{"line_number":23745,"context_line":"    def test_get_mem_encrypted_slots_config_zero_supported(self, mock_log):"},{"line_number":23746,"context_line":"        self.flags(num_memory_encrypted_guests\u003d0, group\u003d\u0027libvirt\u0027)"},{"line_number":23747,"context_line":"        self.driver._host._set_amd_sev_support()"}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_8b189f1d","line":23744,"updated":"2019-09-09 15:32:00.000000000","message":"It seems this mock is unnecessary","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam 
Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":23741,"context_line":""},{"line_number":23742,"context_line":"    @test.patch_exists(SEV_KERNEL_PARAM_FILE, True)"},{"line_number":23743,"context_line":"    @test.patch_open(SEV_KERNEL_PARAM_FILE, \"1\\n\")"},{"line_number":23744,"context_line":"    @mock.patch.object(libvirt_driver.LOG, \u0027warning\u0027)"},{"line_number":23745,"context_line":"    def test_get_mem_encrypted_slots_config_zero_supported(self, mock_log):"},{"line_number":23746,"context_line":"        self.flags(num_memory_encrypted_guests\u003d0, group\u003d\u0027libvirt\u0027)"},{"line_number":23747,"context_line":"        self.driver._host._set_amd_sev_support()"}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_ef3fd6d3","line":23744,"in_reply_to":"5faad753_8b189f1d","updated":"2019-09-09 23:29:51.000000000","message":"Fixed up in a follow-up commit.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"}],"nova/tests/unit/virt/libvirt/test_host.py":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":1136,"context_line":"        self.assertFalse(self.host.is_cpu_control_policy_capable())"},{"line_number":1137,"context_line":""},{"line_number":1138,"context_line":""},{"line_number":1139,"context_line":"vc \u003d fakelibvirt.virConnect"},{"line_number":1140,"context_line":""},{"line_number":1141,"context_line":""},{"line_number":1142,"context_line":"class TestLibvirtSEV(test.NoDBTestCase):"}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_a26a0317","line":1139,"updated":"2019-07-30 22:31:07.000000000","message":"Seems like the changes in this file should be earlier in the 
series?","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":1136,"context_line":"        self.assertFalse(self.host.is_cpu_control_policy_capable())"},{"line_number":1137,"context_line":""},{"line_number":1138,"context_line":""},{"line_number":1139,"context_line":"vc \u003d fakelibvirt.virConnect"},{"line_number":1140,"context_line":""},{"line_number":1141,"context_line":""},{"line_number":1142,"context_line":"class TestLibvirtSEV(test.NoDBTestCase):"}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_6dc6096b","line":1139,"in_reply_to":"7faddb67_a26a0317","updated":"2019-08-19 20:04:31.000000000","message":"Yep good spot, looks like I must have squashed a fixup into the wrong commit at some point.  Fixed.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"}],"nova/virt/libvirt/driver.py":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":6888,"context_line":"                \u0027max_unit\u0027: 1,"},{"line_number":6889,"context_line":"                \u0027step_size\u0027: 1,"},{"line_number":6890,"context_line":"                \u0027allocation_ratio\u0027: 1.0,"},{"line_number":6891,"context_line":"                \u0027reserved\u0027: 0,"},{"line_number":6892,"context_line":"            }"},{"line_number":6893,"context_line":""},{"line_number":6894,"context_line":"        # If a sharing DISK_GB provider exists in the provider tree, then our"}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_2268531b","line":6891,"updated":"2019-07-30 
22:31:07.000000000","message":"✔","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":6939,"context_line":"        slots \u003d CONF.libvirt.num_memory_encrypted_guests"},{"line_number":6940,"context_line":"        if not self._host.supports_amd_sev:"},{"line_number":6941,"context_line":"            if slots and slots \u003e 0:"},{"line_number":6942,"context_line":"                LOG.warning(_LW(\"Host is configured with \""},{"line_number":6943,"context_line":"                                \"libvirt.num_memory_encrypted_guests set to \""},{"line_number":6944,"context_line":"                                \"%d, but is not SEV-capable.\"), slots)"},{"line_number":6945,"context_line":"            return 0"}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_a253e36a","line":6942,"range":{"start_line":6942,"start_character":28,"end_line":6942,"end_character":32},"updated":"2019-07-30 22:31:07.000000000","message":"no translation of log messages","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":6939,"context_line":"        slots \u003d CONF.libvirt.num_memory_encrypted_guests"},{"line_number":6940,"context_line":"        if not self._host.supports_amd_sev:"},{"line_number":6941,"context_line":"            if slots and slots \u003e 0:"},{"line_number":6942,"context_line":"                LOG.warning(_LW(\"Host is configured with \""},{"line_number":6943,"context_line":"                                \"libvirt.num_memory_encrypted_guests set to \""},{"line_number":6944,"context_line":"                             
   \"%d, but is not SEV-capable.\"), slots)"},{"line_number":6945,"context_line":"            return 0"}],"source_content_type":"text/x-python","patch_set":23,"id":"7faddb67_6d9b6972","line":6942,"range":{"start_line":6942,"start_character":28,"end_line":6942,"end_character":32},"in_reply_to":"7faddb67_a253e36a","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"bfd5cf3c387d3b1dec648698ca7607f557e750e1","unresolved":false,"context_lines":[{"line_number":6951,"context_line":"                            \"%d, but is not SEV-capable.\", slots)"},{"line_number":6952,"context_line":"            return 0"},{"line_number":6953,"context_line":""},{"line_number":6954,"context_line":"        # NOTE(aspiers): Auto-detection of the number of available"},{"line_number":6955,"context_line":"        # slots for AMD SEV is not yet possible, so honor the"},{"line_number":6956,"context_line":"        # configured value, or impose no limit if this is not"},{"line_number":6957,"context_line":"        # specified.  This does incur a risk that if operators don\u0027t"},{"line_number":6958,"context_line":"        # read the instructions and configure the maximum correctly,"},{"line_number":6959,"context_line":"        # the maximum could be exceeded resulting in SEV guests"},{"line_number":6960,"context_line":"        # failing at launch-time.  
However at least SEV guests will"},{"line_number":6961,"context_line":"        # launch until the maximum, and when auto-detection code is"},{"line_number":6962,"context_line":"        # added later, an upgrade will magically fix the issue."},{"line_number":6963,"context_line":"        #"},{"line_number":6964,"context_line":"        # Note also that the configured value can be 0 on an"},{"line_number":6965,"context_line":"        # SEV-capable host, since there might conceivably be good"},{"line_number":6966,"context_line":"        # reasons for the operator to want to disable SEV even when"},{"line_number":6967,"context_line":"        # it\u0027s available (e.g. due to performance impact, or"},{"line_number":6968,"context_line":"        # implementation bugs which may surface later)."},{"line_number":6969,"context_line":"        if slots is not None:"},{"line_number":6970,"context_line":"            return slots"},{"line_number":6971,"context_line":"        else:"},{"line_number":6972,"context_line":"            return db_const.MAX_INT"}],"source_content_type":"text/x-python","patch_set":38,"id":"7faddb67_f32c574b","line":6969,"range":{"start_line":6954,"start_character":0,"end_line":6969,"end_character":29},"updated":"2019-08-30 10:22:25.000000000","message":"As noted on the config option, I don\u0027t like us doing this. It\u0027s a loaded gun and it\u0027s cocked by default. 
We can\u0027t do auto-detection so I\u0027d much rather require this be set to do anything, else return 0","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"7b429d449ee293378b4681fad15eec9b0c4b0ada","unresolved":false,"context_lines":[{"line_number":6951,"context_line":"                            \"%d, but is not SEV-capable.\", slots)"},{"line_number":6952,"context_line":"            return 0"},{"line_number":6953,"context_line":""},{"line_number":6954,"context_line":"        # NOTE(aspiers): Auto-detection of the number of available"},{"line_number":6955,"context_line":"        # slots for AMD SEV is not yet possible, so honor the"},{"line_number":6956,"context_line":"        # configured value, or impose no limit if this is not"},{"line_number":6957,"context_line":"        # specified.  This does incur a risk that if operators don\u0027t"},{"line_number":6958,"context_line":"        # read the instructions and configure the maximum correctly,"},{"line_number":6959,"context_line":"        # the maximum could be exceeded resulting in SEV guests"},{"line_number":6960,"context_line":"        # failing at launch-time.  However at least SEV guests will"},{"line_number":6961,"context_line":"        # launch until the maximum, and when auto-detection code is"},{"line_number":6962,"context_line":"        # added later, an upgrade will magically fix the issue."},{"line_number":6963,"context_line":"        #"},{"line_number":6964,"context_line":"        # Note also that the configured value can be 0 on an"},{"line_number":6965,"context_line":"        # SEV-capable host, since there might conceivably be good"},{"line_number":6966,"context_line":"        # reasons for the operator to want to disable SEV even when"},{"line_number":6967,"context_line":"        # it\u0027s available (e.g. 
due to performance impact, or"},{"line_number":6968,"context_line":"        # implementation bugs which may surface later)."},{"line_number":6969,"context_line":"        if slots is not None:"},{"line_number":6970,"context_line":"            return slots"},{"line_number":6971,"context_line":"        else:"},{"line_number":6972,"context_line":"            return db_const.MAX_INT"}],"source_content_type":"text/x-python","patch_set":38,"id":"7faddb67_049f6402","line":6969,"range":{"start_line":6954,"start_character":0,"end_line":6969,"end_character":29},"in_reply_to":"7faddb67_f32c574b","updated":"2019-08-30 16:37:34.000000000","message":"As per my other reply, it\u0027s not cocked by default, because you still need the flavor extra spec or image property.  I could be persuaded to change the default from None to 0, but it\u0027s still useful for operators to be able to set to unlimited.","commit_id":"5ae6d9b84f7ebc4deeae4733ed6eaf5557ef9b54"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"99adbf9a515862ae7b6fcdc4fbd465e167334464","unresolved":false,"context_lines":[{"line_number":6929,"context_line":""},{"line_number":6930,"context_line":"    def _get_memory_encrypted_slots(self):"},{"line_number":6931,"context_line":"        slots \u003d CONF.libvirt.num_memory_encrypted_guests"},{"line_number":6932,"context_line":"        if not self._host.supports_amd_sev:"},{"line_number":6933,"context_line":"            if slots and slots \u003e 0:"},{"line_number":6934,"context_line":"                LOG.warning(\"Host is configured with \""},{"line_number":6935,"context_line":"                            \"libvirt.num_memory_encrypted_guests set to \""},{"line_number":6936,"context_line":"                            \"%d, but is not SEV-capable.\", 
slots)"}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_2c63c11c","line":6933,"range":{"start_line":6932,"start_character":8,"end_line":6933,"end_character":35},"updated":"2019-09-09 17:55:53.000000000","message":"nit: these conditions can be combined","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":6929,"context_line":""},{"line_number":6930,"context_line":"    def _get_memory_encrypted_slots(self):"},{"line_number":6931,"context_line":"        slots \u003d CONF.libvirt.num_memory_encrypted_guests"},{"line_number":6932,"context_line":"        if not self._host.supports_amd_sev:"},{"line_number":6933,"context_line":"            if slots and slots \u003e 0:"},{"line_number":6934,"context_line":"                LOG.warning(\"Host is configured with \""},{"line_number":6935,"context_line":"                            \"libvirt.num_memory_encrypted_guests set to \""},{"line_number":6936,"context_line":"                            \"%d, but is not SEV-capable.\", slots)"}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_40304157","line":6933,"range":{"start_line":6932,"start_character":8,"end_line":6933,"end_character":35},"in_reply_to":"5faad753_2c63c11c","updated":"2019-09-09 23:29:51.000000000","message":"I don\u0027t think so, because the \"return 0\" is still required when the host doesn\u0027t support SEV and the config option is unspecified.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":15334,"name":"Stephen 
Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"95a48d6f9c51f7d2270ad134fbe56d68a5a7a7ba","unresolved":false,"context_lines":[{"line_number":6929,"context_line":""},{"line_number":6930,"context_line":"    def _get_memory_encrypted_slots(self):"},{"line_number":6931,"context_line":"        slots \u003d CONF.libvirt.num_memory_encrypted_guests"},{"line_number":6932,"context_line":"        if not self._host.supports_amd_sev:"},{"line_number":6933,"context_line":"            if slots and slots \u003e 0:"},{"line_number":6934,"context_line":"                LOG.warning(\"Host is configured with \""},{"line_number":6935,"context_line":"                            \"libvirt.num_memory_encrypted_guests set to \""},{"line_number":6936,"context_line":"                            \"%d, but is not SEV-capable.\", slots)"}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_8c2502ae","line":6933,"range":{"start_line":6932,"start_character":8,"end_line":6933,"end_character":35},"in_reply_to":"5faad753_40304157","updated":"2019-09-10 12:43:59.000000000","message":"yup","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"f0350a447c7e4b9a483589d097bb8ef8415a7906","unresolved":false,"context_lines":[{"line_number":6929,"context_line":""},{"line_number":6930,"context_line":"    def _get_memory_encrypted_slots(self):"},{"line_number":6931,"context_line":"        slots \u003d CONF.libvirt.num_memory_encrypted_guests"},{"line_number":6932,"context_line":"        if not self._host.supports_amd_sev:"},{"line_number":6933,"context_line":"            if slots and slots \u003e 0:"},{"line_number":6934,"context_line":"                LOG.warning(\"Host is configured with \""},{"line_number":6935,"context_line":"                            \"libvirt.num_memory_encrypted_guests set to 
\""},{"line_number":6936,"context_line":"                            \"%d, but is not SEV-capable.\", slots)"}],"source_content_type":"text/x-python","patch_set":50,"id":"5faad753_24b2dee7","line":6933,"range":{"start_line":6932,"start_character":8,"end_line":6933,"end_character":35},"in_reply_to":"5faad753_8c2502ae","updated":"2019-09-10 16:57:05.000000000","message":"my bad, I misread the spacing.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"}],"releasenotes/notes/bp-amd-sev-libvirt-support-4b7cf8f0756d88b8.yaml":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    requirements regarding the kernel, QEMU, and libvirt."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"    Memory encryption can be required either via flavor which has the"},{"line_number":11,"context_line":"    ``hw:mem_encryption_context`` extra spec set to ``True``, or via"},{"line_number":12,"context_line":"    an image which has the ``hw_mem_encryption_context`` property set"},{"line_number":13,"context_line":"    to ``True``.  These do not inherently cause a preference for"},{"line_number":14,"context_line":"    SEV-capable hardware, but for now SEV is the only way of"},{"line_number":15,"context_line":"    fulfilling the requirement.  
However in the future, support for"},{"line_number":16,"context_line":"    other hardware-level guest memory encryption technology such as"}],"source_content_type":"text/x-yaml","patch_set":23,"id":"7faddb67_42e1cf9a","line":13,"range":{"start_line":11,"start_character":65,"end_line":13,"end_character":16},"updated":"2019-07-30 22:31:07.000000000","message":"This is not in the docs in this patch.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    requirements regarding the kernel, QEMU, and libvirt."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"    Memory encryption can be required either via flavor which has the"},{"line_number":11,"context_line":"    ``hw:mem_encryption_context`` extra spec set to ``True``, or via"},{"line_number":12,"context_line":"    an image which has the ``hw_mem_encryption_context`` property set"},{"line_number":13,"context_line":"    to ``True``.  These do not inherently cause a preference for"},{"line_number":14,"context_line":"    SEV-capable hardware, but for now SEV is the only way of"},{"line_number":15,"context_line":"    fulfilling the requirement.  
However in the future, support for"},{"line_number":16,"context_line":"    other hardware-level guest memory encryption technology such as"}],"source_content_type":"text/x-yaml","patch_set":23,"id":"7faddb67_2d07b184","line":13,"range":{"start_line":11,"start_character":65,"end_line":13,"end_character":16},"in_reply_to":"7faddb67_42e1cf9a","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"4eec5777d91c43ebbfefa671df446eb90886e225","unresolved":false,"context_lines":[{"line_number":14,"context_line":"    SEV-capable hardware, but for now SEV is the only way of"},{"line_number":15,"context_line":"    fulfilling the requirement.  However in the future, support for"},{"line_number":16,"context_line":"    other hardware-level guest memory encryption technology such as"},{"line_number":17,"context_line":"    Intel MKTME may be added.  
If a guest specifically needs to be"},{"line_number":18,"context_line":"    booted using SEV rather than any other memory encryption"},{"line_number":19,"context_line":"    technology, it is possible to ensure this by adding"},{"line_number":20,"context_line":"    ``trait:HW_CPU_X86_AMD_SEV\u003drequired`` to the flavor extra specs or"},{"line_number":21,"context_line":"    image properties."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"    For information on how to set up support for AMD SEV, please see"},{"line_number":24,"context_line":"    the `KVM section of the Configuration Guide"}],"source_content_type":"text/x-yaml","patch_set":23,"id":"7faddb67_8204a74b","line":21,"range":{"start_line":17,"start_character":31,"end_line":21,"end_character":21},"updated":"2019-07-30 22:31:07.000000000","message":"This is also not in the docs.","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"4915fdc28f5c4055fbb315f9238e585c5ce794af","unresolved":false,"context_lines":[{"line_number":14,"context_line":"    SEV-capable hardware, but for now SEV is the only way of"},{"line_number":15,"context_line":"    fulfilling the requirement.  However in the future, support for"},{"line_number":16,"context_line":"    other hardware-level guest memory encryption technology such as"},{"line_number":17,"context_line":"    Intel MKTME may be added.  
If a guest specifically needs to be"},{"line_number":18,"context_line":"    booted using SEV rather than any other memory encryption"},{"line_number":19,"context_line":"    technology, it is possible to ensure this by adding"},{"line_number":20,"context_line":"    ``trait:HW_CPU_X86_AMD_SEV\u003drequired`` to the flavor extra specs or"},{"line_number":21,"context_line":"    image properties."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"    For information on how to set up support for AMD SEV, please see"},{"line_number":24,"context_line":"    the `KVM section of the Configuration Guide"}],"source_content_type":"text/x-yaml","patch_set":23,"id":"7faddb67_cd84ddb3","line":21,"range":{"start_line":17,"start_character":31,"end_line":21,"end_character":21},"in_reply_to":"7faddb67_8204a74b","updated":"2019-08-19 20:04:31.000000000","message":"Done","commit_id":"87b57864e91e8741e0820291d8b7fa592a1e6b4e"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"99adbf9a515862ae7b6fcdc4fbd465e167334464","unresolved":false,"context_lines":[{"line_number":7,"context_line":"    Virtualization) is supported, and it has certain minimum version"},{"line_number":8,"context_line":"    requirements regarding the kernel, QEMU, and libvirt."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"    Memory encryption can be required either via flavor which has the"},{"line_number":11,"context_line":"    ``hw:mem_encryption`` extra spec set to ``True``, or via an image"},{"line_number":12,"context_line":"    which has the ``hw_mem_encryption`` property set to ``True``."},{"line_number":13,"context_line":"    These do not inherently cause a preference for SEV-capable"}],"source_content_type":"text/x-yaml","patch_set":50,"id":"5faad753_ac76d1d7","line":10,"range":{"start_line":10,"start_character":49,"end_line":10,"end_character":55},"updated":"2019-09-09 
17:55:53.000000000","message":"a","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":7,"context_line":"    Virtualization) is supported, and it has certain minimum version"},{"line_number":8,"context_line":"    requirements regarding the kernel, QEMU, and libvirt."},{"line_number":9,"context_line":""},{"line_number":10,"context_line":"    Memory encryption can be required either via flavor which has the"},{"line_number":11,"context_line":"    ``hw:mem_encryption`` extra spec set to ``True``, or via an image"},{"line_number":12,"context_line":"    which has the ``hw_mem_encryption`` property set to ``True``."},{"line_number":13,"context_line":"    These do not inherently cause a preference for SEV-capable"}],"source_content_type":"text/x-yaml","patch_set":50,"id":"5faad753_af21deb6","line":10,"range":{"start_line":10,"start_character":49,"end_line":10,"end_character":55},"in_reply_to":"5faad753_ac76d1d7","updated":"2019-09-09 23:29:51.000000000","message":"Fixed up in a follow-up commit.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"99adbf9a515862ae7b6fcdc4fbd465e167334464","unresolved":false,"context_lines":[{"line_number":22,"context_line":""},{"line_number":23,"context_line":"    In all cases, SEV instances can only be booted from images which"},{"line_number":24,"context_line":"    have the ``hw_firmware_type`` property set to ``uefi``, and only"},{"line_number":25,"context_line":"    when the machine type is set to ``q35``.  
This can be set per"},{"line_number":26,"context_line":"    image by setting the image property ``hw_machine_type\u003dq35``, or"},{"line_number":27,"context_line":"    per compute node by the operator via the ``hw_machine_type``"},{"line_number":28,"context_line":"    configuration option in the ``[libvirt]`` section of"}],"source_content_type":"text/x-yaml","patch_set":50,"id":"5faad753_8c7d15b3","line":25,"range":{"start_line":25,"start_character":46,"end_line":25,"end_character":50},"updated":"2019-09-09 17:55:53.000000000","message":"The latter","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"},{"author":{"_account_id":2394,"name":"Adam Spiers","email":"aspiers@suse.com","username":"adam.spiers"},"change_message_id":"bfe7f520c1e4a82c4d7b3d707ab27fe0f210642e","unresolved":false,"context_lines":[{"line_number":22,"context_line":""},{"line_number":23,"context_line":"    In all cases, SEV instances can only be booted from images which"},{"line_number":24,"context_line":"    have the ``hw_firmware_type`` property set to ``uefi``, and only"},{"line_number":25,"context_line":"    when the machine type is set to ``q35``.  This can be set per"},{"line_number":26,"context_line":"    image by setting the image property ``hw_machine_type\u003dq35``, or"},{"line_number":27,"context_line":"    per compute node by the operator via the ``hw_machine_type``"},{"line_number":28,"context_line":"    configuration option in the ``[libvirt]`` section of"}],"source_content_type":"text/x-yaml","patch_set":50,"id":"5faad753_a03ed526","line":25,"range":{"start_line":25,"start_character":46,"end_line":25,"end_character":50},"in_reply_to":"5faad753_8c7d15b3","updated":"2019-09-09 23:29:51.000000000","message":"Fixed up in a follow-up commit.","commit_id":"4a6f748aeab0b7b6f92612276893fb8859ea2a9c"}]}
