)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"2d81ef7318aec2468b21aed6fbbea5ea4ff4a9f6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"8d514f4f_c712ace1","updated":"2024-02-06 23:28:22.000000000","message":"recheck https://review.opendev.org/c/openstack/nova/+/908182 has merged","commit_id":"7c4e7d0e3e73ac65601d1457b52b0ec6b0a295ef"},{"author":{"_account_id":16207,"name":"ribaudr","display_name":"uggla","email":"rene.ribaud@gmail.com","username":"uggla","status":"Red Hat"},"change_message_id":"f6f2e8dc9021f365fe8d33edfa40a06af3f482dd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"e1577c75_3b70437a","updated":"2024-02-14 14:29:18.000000000","message":"Looks good to me. I enjoy the steps explained in test_ephemeral_encryption.py.","commit_id":"ae0f54ca74324e35b359e271f56baa2527782674"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"c164cd9ef8ed158e8ea97e7c061dc9434a9c7226","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"fe90091a_5d3ab731","updated":"2024-02-23 12:30:45.000000000","message":"I assume that this still implies, that admin user, who is allowed to execute live migration, has access to specific user secrets in Barbican, used for encryption?\n\nOr this somehow intend to solve this operational issue?","commit_id":"de6e3ea486c61c7f78c6a6e0a46f2392d05b2349"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"806e609d00f0b8ae0798a2082f8046e09692b4dd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"81a19561_4c35d022","updated":"2024-02-23 12:25:29.000000000","message":"recheck 
nova-next","commit_id":"de6e3ea486c61c7f78c6a6e0a46f2392d05b2349"},{"author":{"_account_id":28619,"name":"Dmitriy Rabotyagov","email":"noonedeadpunk@gmail.com","username":"noonedeadpunk"},"change_message_id":"1ed4b43b3f978e64e29f7146d9b88c5486b62d1e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"e8572a73_5c54dd6f","in_reply_to":"2b4bcbe0_a0c12ec0","updated":"2024-03-15 16:28:38.000000000","message":"yeah-yeah, I know how all secrets thing work with encrypted volumes in pretty much detail, so was just to double-check it\u0027s going to be the same :)","commit_id":"de6e3ea486c61c7f78c6a6e0a46f2392d05b2349"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"23db60f810b5472343e21666c09292885b832a17","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":16,"id":"b3cda49a_5a44ecf0","in_reply_to":"a0aca122_441444ff","updated":"2024-03-19 00:28:52.000000000","message":"@Dmitriy: ack 😊\n\n@sean: I said this inline already but just for posterity, Cinder volume encryption today does require Barbican access for live migration.","commit_id":"de6e3ea486c61c7f78c6a6e0a46f2392d05b2349"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"80af2f9dfdff5d58f1367086c2a3292439975015","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":16,"id":"a0aca122_441444ff","in_reply_to":"c2989b2e_85cbdb34","updated":"2024-03-15 17:50:37.000000000","message":"as far as im aware we dont require that for cinder volume encryption today and i would not expect us to require barbican access for live migration with local encryption either.","commit_id":"de6e3ea486c61c7f78c6a6e0a46f2392d05b2349"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"2095e1a41c1f577056a09e88e78554da76084b6d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"c2989b2e_85cbdb34","in_reply_to":"e8572a73_5c54dd6f","updated":"2024-03-15 17:49:14.000000000","message":"well no. live migration does not require the admin to use custom barbican policy or have access to the barbican secret\n\nthe libvirt driver will need to copy the existing secret from the source to the dest.\n\nwe should not need to have any access to the barbican secret for local or volume related encryption or migration to work.","commit_id":"de6e3ea486c61c7f78c6a6e0a46f2392d05b2349"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"361a85e4186fbc3cfbd6d5a00261de7f4c7242ee","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":16,"id":"2b4bcbe0_a0c12ec0","in_reply_to":"fe90091a_5d3ab731","updated":"2024-02-23 20:55:00.000000000","message":"Yes, it does. By default Barbican secrets ownership is scoped to projects [1] (perhaps with operational issues in mind), so a project admin could do live migration and access the project secrets out-of-the-box.\n\nBarbican also provides an ACL API to enable cloud operators to enforce more fine-grained access to secrets though. 
If an operator were to set up user-scoped ownership for secrets, for example, then an admin user would not be able to live migrate an instance that was not created by their user.\n\n[1] https://docs.openstack.org/barbican/latest/admin/access_control.html","commit_id":"de6e3ea486c61c7f78c6a6e0a46f2392d05b2349"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"dbcdb813864608051df62b0163a435fdba7faa2d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"130c0f00_0c7780d6","updated":"2024-06-10 17:03:59.000000000","message":"recheck tempest timed out waiting for http response 90s on create_server\n```\n  File \"/opt/stack/tempest/tempest/lib/services/compute/servers_client.py\", line 117, in create_server\n    resp, body \u003d self.post(\u0027servers\u0027, post_body)\n  File \"/opt/stack/tempest/tempest/lib/common/rest_client.py\", line 312, in post\n    resp_header, resp_body \u003d self.request(\n  File \"/opt/stack/tempest/tempest/lib/services/compute/base_compute_client.py\", line 47, in request\n    resp, resp_body \u003d super(BaseComputeClient, self).request(\n  File \"/opt/stack/tempest/tempest/lib/common/rest_client.py\", line 744, in request\n    resp, resp_body \u003d self._request(method, url, headers\u003dheaders,\n  File \"/opt/stack/tempest/tempest/lib/common/rest_client.py\", line 610, in _request\n    resp, resp_body \u003d self.raw_request(\n  File \"/opt/stack/tempest/tempest/lib/common/rest_client.py\", line 659, in raw_request\n    resp, resp_body \u003d self.http_obj.request(\n  File \"/opt/stack/tempest/tempest/lib/common/http.py\", line 115, in request\n    r \u003d super(ClosingHttp, self).request(method, url, retries\u003dretry,\n  File \"/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/urllib3/request.py\", line 81, in request\n    return self.request_encode_body(\n  File 
\"/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/urllib3/request.py\", line 173, in request_encode_body\n    return self.urlopen(method, url, **extra_kw)\n  File \"/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/urllib3/poolmanager.py\", line 376, in urlopen\n    response \u003d conn.urlopen(method, u.request_uri, **kw)\n  File \"/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/urllib3/connectionpool.py\", line 799, in urlopen\n    retries \u003d retries.increment(\n  File \"/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/urllib3/util/retry.py\", line 550, in increment\n    raise six.reraise(type(error), error, _stacktrace)\n  File \"/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/urllib3/packages/six.py\", line 770, in reraise\n    raise value\n  File \"/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/urllib3/connectionpool.py\", line 715, in urlopen\n    httplib_response \u003d self._make_request(\n  File \"/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/urllib3/connectionpool.py\", line 469, in _make_request\n    self._raise_timeout(err\u003de, url\u003durl, timeout_value\u003dread_timeout)\n  File \"/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/urllib3/connectionpool.py\", line 358, in _raise_timeout\n    raise ReadTimeoutError(\nurllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host\u003d\u002710.208.224.248\u0027, port\u003d443): Read timed out. 
(read timeout\u003d90)\n```","commit_id":"51571b8f4d74e98ceabfd849b3bd3da77d013dba"}],"nova/tests/functional/libvirt/test_ephemeral_encryption.py":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"75e82a565e668a2258a34b57d137562041e7386f","unresolved":true,"context_lines":[{"line_number":365,"context_line":"        # Verify there are no secrets in the key manager."},{"line_number":366,"context_line":"        self.assertEqual(0, len(self.key_mgr.list(ctx)))"},{"line_number":367,"context_line":""},{"line_number":368,"context_line":"        # Create a server with ephemeral encryption."},{"line_number":369,"context_line":"        server \u003d self._create_server_with_ephemeral_encryption_flavor("},{"line_number":370,"context_line":"            networks\u003d\u0027none\u0027)"},{"line_number":371,"context_line":"        src_host \u003d self._show_server(server)[\u0027OS-EXT-SRV-ATTR:host\u0027]"},{"line_number":372,"context_line":""},{"line_number":373,"context_line":"        # There should be three secrets in the key manager, one for the root"},{"line_number":374,"context_line":"        # disk, one for the ephemeral disk, and one for the swap disk."},{"line_number":375,"context_line":"        keymgr_secrets \u003d self._get_key_mgr_secrets(ctx)"},{"line_number":376,"context_line":"        self.assertEqual(3, len(keymgr_secrets))"},{"line_number":377,"context_line":""},{"line_number":378,"context_line":"        # The flavor we created has ephemeral\u003d5 and swap\u003d128, so we will have"},{"line_number":379,"context_line":"        # three disks, the root disk, an ephemeral disk, and a swap disk."},{"line_number":380,"context_line":"        bdms \u003d objects.BlockDeviceMappingList.get_by_instance_uuid("},{"line_number":381,"context_line":"            ctx, server[\u0027id\u0027])"},{"line_number":382,"context_line":"        self.assertEqual(3, 
len(bdms))"},{"line_number":383,"context_line":"        # Verify that libvirt secrets were created for each disk."},{"line_number":384,"context_line":"        src_driver \u003d self.computes[src_host].driver"},{"line_number":385,"context_line":"        self.assertSecretsMatch(src_driver, bdms, keymgr_secrets)"},{"line_number":386,"context_line":""},{"line_number":387,"context_line":"        # Set stuff LibvirtMigrationMixin needs in order to work."},{"line_number":388,"context_line":"        self.server \u003d server"}],"source_content_type":"text/x-python","patch_set":12,"id":"08e2041c_63379c25","line":385,"range":{"start_line":368,"start_character":7,"end_line":385,"end_character":65},"updated":"2024-02-13 07:19:57.000000000","message":"you repeat this in most of the tests or at least something similar to it\n\nwe may want to factor this out later.","commit_id":"b1c2b7b9137d2c12313b186f89830c081bd47cc7"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67ddc1b42f9183a4fd09937aa955f09555637de8","unresolved":false,"context_lines":[{"line_number":365,"context_line":"        # Verify there are no secrets in the key manager."},{"line_number":366,"context_line":"        self.assertEqual(0, len(self.key_mgr.list(ctx)))"},{"line_number":367,"context_line":""},{"line_number":368,"context_line":"        # Create a server with ephemeral encryption."},{"line_number":369,"context_line":"        server \u003d self._create_server_with_ephemeral_encryption_flavor("},{"line_number":370,"context_line":"            networks\u003d\u0027none\u0027)"},{"line_number":371,"context_line":"        src_host \u003d self._show_server(server)[\u0027OS-EXT-SRV-ATTR:host\u0027]"},{"line_number":372,"context_line":""},{"line_number":373,"context_line":"        # There should be three secrets in the key manager, one for the root"},{"line_number":374,"context_line":"        # disk, one for the ephemeral disk, and one 
for the swap disk."},{"line_number":375,"context_line":"        keymgr_secrets \u003d self._get_key_mgr_secrets(ctx)"},{"line_number":376,"context_line":"        self.assertEqual(3, len(keymgr_secrets))"},{"line_number":377,"context_line":""},{"line_number":378,"context_line":"        # The flavor we created has ephemeral\u003d5 and swap\u003d128, so we will have"},{"line_number":379,"context_line":"        # three disks, the root disk, an ephemeral disk, and a swap disk."},{"line_number":380,"context_line":"        bdms \u003d objects.BlockDeviceMappingList.get_by_instance_uuid("},{"line_number":381,"context_line":"            ctx, server[\u0027id\u0027])"},{"line_number":382,"context_line":"        self.assertEqual(3, len(bdms))"},{"line_number":383,"context_line":"        # Verify that libvirt secrets were created for each disk."},{"line_number":384,"context_line":"        src_driver \u003d self.computes[src_host].driver"},{"line_number":385,"context_line":"        self.assertSecretsMatch(src_driver, bdms, keymgr_secrets)"},{"line_number":386,"context_line":""},{"line_number":387,"context_line":"        # Set stuff LibvirtMigrationMixin needs in order to work."},{"line_number":388,"context_line":"        self.server \u003d server"}],"source_content_type":"text/x-python","patch_set":12,"id":"22030226_1fdb8ad6","line":385,"range":{"start_line":368,"start_character":7,"end_line":385,"end_character":65},"in_reply_to":"08e2041c_63379c25","updated":"2024-02-14 10:11:21.000000000","message":"Done","commit_id":"b1c2b7b9137d2c12313b186f89830c081bd47cc7"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"75e82a565e668a2258a34b57d137562041e7386f","unresolved":true,"context_lines":[{"line_number":409,"context_line":"        self.assertSecretsMatch("},{"line_number":410,"context_line":"            dest_driver, bdms, 
keymgr_secrets_after_migrate)"},{"line_number":411,"context_line":""},{"line_number":412,"context_line":"        # Delete the server."},{"line_number":413,"context_line":"        self._delete_server(server)"},{"line_number":414,"context_line":""},{"line_number":415,"context_line":"        # Verify that there are no libvirt secrets on either host."},{"line_number":416,"context_line":"        for bdm in bdms:"},{"line_number":417,"context_line":"            usage_id \u003d f\u0027{bdm.instance_uuid}_{bdm.uuid}\u0027"},{"line_number":418,"context_line":"            s \u003d src_driver._host.find_secret(\u0027volume\u0027, usage_id)"},{"line_number":419,"context_line":"            self.assertIsNone(s)"},{"line_number":420,"context_line":"            s \u003d dest_driver._host.find_secret(\u0027volume\u0027, usage_id)"},{"line_number":421,"context_line":"            self.assertIsNone(s)"},{"line_number":422,"context_line":""},{"line_number":423,"context_line":"        # Verify that key manager secrets were deleted for each disk."},{"line_number":424,"context_line":"        self.assertEqual(0, len(self.key_mgr.list(ctx)))"},{"line_number":425,"context_line":""},{"line_number":426,"context_line":""},{"line_number":427,"context_line":"class EphemeralEncryptionLiveMigrateFail(EphemeralEncryptionLiveMigrateBase):"}],"source_content_type":"text/x-python","patch_set":12,"id":"203b858f_40023574","line":424,"range":{"start_line":412,"start_character":0,"end_line":424,"end_character":56},"updated":"2024-02-13 07:19:57.000000000","message":"this is also repated pretty often\nthis might also be worth putting in a helper function","commit_id":"b1c2b7b9137d2c12313b186f89830c081bd47cc7"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"67ddc1b42f9183a4fd09937aa955f09555637de8","unresolved":false,"context_lines":[{"line_number":409,"context_line":"        
self.assertSecretsMatch("},{"line_number":410,"context_line":"            dest_driver, bdms, keymgr_secrets_after_migrate)"},{"line_number":411,"context_line":""},{"line_number":412,"context_line":"        # Delete the server."},{"line_number":413,"context_line":"        self._delete_server(server)"},{"line_number":414,"context_line":""},{"line_number":415,"context_line":"        # Verify that there are no libvirt secrets on either host."},{"line_number":416,"context_line":"        for bdm in bdms:"},{"line_number":417,"context_line":"            usage_id \u003d f\u0027{bdm.instance_uuid}_{bdm.uuid}\u0027"},{"line_number":418,"context_line":"            s \u003d src_driver._host.find_secret(\u0027volume\u0027, usage_id)"},{"line_number":419,"context_line":"            self.assertIsNone(s)"},{"line_number":420,"context_line":"            s \u003d dest_driver._host.find_secret(\u0027volume\u0027, usage_id)"},{"line_number":421,"context_line":"            self.assertIsNone(s)"},{"line_number":422,"context_line":""},{"line_number":423,"context_line":"        # Verify that key manager secrets were deleted for each disk."},{"line_number":424,"context_line":"        self.assertEqual(0, len(self.key_mgr.list(ctx)))"},{"line_number":425,"context_line":""},{"line_number":426,"context_line":""},{"line_number":427,"context_line":"class EphemeralEncryptionLiveMigrateFail(EphemeralEncryptionLiveMigrateBase):"}],"source_content_type":"text/x-python","patch_set":12,"id":"94d7d0bc_28988b8d","line":424,"range":{"start_line":412,"start_character":0,"end_line":424,"end_character":56},"in_reply_to":"203b858f_40023574","updated":"2024-02-14 10:11:21.000000000","message":"Done","commit_id":"b1c2b7b9137d2c12313b186f89830c081bd47cc7"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"75e82a565e668a2258a34b57d137562041e7386f","unresolved":false,"context_lines":[{"line_number":431,"context_line":"        conn 
\u003d self.src.driver._host.get_connection()"},{"line_number":432,"context_line":"        dom \u003d conn.lookupByUUIDString(self.server[\u0027id\u0027])"},{"line_number":433,"context_line":"        dom.fail_job()"},{"line_number":434,"context_line":"        self.migrate_stub_ran \u003d True"},{"line_number":435,"context_line":""},{"line_number":436,"context_line":"    def test_rollback_live_migration(self):"},{"line_number":437,"context_line":"        ctx \u003d nova_context.get_admin_context()"}],"source_content_type":"text/x-python","patch_set":12,"id":"9a5d6704_cac86710","line":434,"updated":"2024-02-13 07:19:57.000000000","message":"ack, so this is simulating a failure from libivrt after we call migrate in its api","commit_id":"b1c2b7b9137d2c12313b186f89830c081bd47cc7"}],"nova/virt/libvirt/driver.py":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"082655fd63b0378e20a37cace801cc829d3a1dda","unresolved":true,"context_lines":[{"line_number":4728,"context_line":"    def poll_rebooting_instances(self, timeout, instances):"},{"line_number":4729,"context_line":"        pass"},{"line_number":4730,"context_line":""},{"line_number":4731,"context_line":"    def _create_ephemeral_encryption_libvirt_secrets("},{"line_number":4732,"context_line":"            self, context, instance_uuid, flavor, image_meta,"},{"line_number":4733,"context_line":"            block_device_info):"},{"line_number":4734,"context_line":"        \"\"\"Create ephemeral encryption libvirt secrets on the host."}],"source_content_type":"text/x-python","patch_set":8,"id":"320d890f_3467b6ea","line":4731,"updated":"2024-02-01 09:51:38.000000000","message":"so this would be done in pre-livemigraton on the dest to ensure we can create the secret and fail the migration early","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"75e82a565e668a2258a34b57d137562041e7386f","unresolved":false,"context_lines":[{"line_number":4728,"context_line":"    def poll_rebooting_instances(self, timeout, instances):"},{"line_number":4729,"context_line":"        pass"},{"line_number":4730,"context_line":""},{"line_number":4731,"context_line":"    def _create_ephemeral_encryption_libvirt_secrets("},{"line_number":4732,"context_line":"            self, context, instance_uuid, flavor, image_meta,"},{"line_number":4733,"context_line":"            block_device_info):"},{"line_number":4734,"context_line":"        \"\"\"Create ephemeral encryption libvirt secrets on the host."}],"source_content_type":"text/x-python","patch_set":8,"id":"cff1c5cf_28c55dc5","line":4731,"in_reply_to":"320d890f_3467b6ea","updated":"2024-02-13 07:19:57.000000000","message":"Acknowledged","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"082655fd63b0378e20a37cace801cc829d3a1dda","unresolved":true,"context_lines":[{"line_number":4753,"context_line":"                        \u0027volume\u0027, secret_usage, password\u003dsecret,"},{"line_number":4754,"context_line":"                        uuid\u003dsecret_uuid)"},{"line_number":4755,"context_line":""},{"line_number":4756,"context_line":"    def _destroy_ephemeral_encryption_libvirt_secrets("},{"line_number":4757,"context_line":"            self, instance_uuid, flavor, image_meta, block_device_info):"},{"line_number":4758,"context_line":"        \"\"\"Destroy ephemeral encryption libvirt secrets on the host."},{"line_number":4759,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"d1c259fe_aae8a305","line":4756,"updated":"2024-02-01 09:51:38.000000000","message":"and this would either be used in post live migration on the souce or\nin revert on 
the dest to clean up in failure right","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"75e82a565e668a2258a34b57d137562041e7386f","unresolved":false,"context_lines":[{"line_number":4753,"context_line":"                        \u0027volume\u0027, secret_usage, password\u003dsecret,"},{"line_number":4754,"context_line":"                        uuid\u003dsecret_uuid)"},{"line_number":4755,"context_line":""},{"line_number":4756,"context_line":"    def _destroy_ephemeral_encryption_libvirt_secrets("},{"line_number":4757,"context_line":"            self, instance_uuid, flavor, image_meta, block_device_info):"},{"line_number":4758,"context_line":"        \"\"\"Destroy ephemeral encryption libvirt secrets on the host."},{"line_number":4759,"context_line":""}],"source_content_type":"text/x-python","patch_set":8,"id":"a2887899_dd0973a2","line":4756,"in_reply_to":"d1c259fe_aae8a305","updated":"2024-02-13 07:19:57.000000000","message":"Acknowledged","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"082655fd63b0378e20a37cace801cc829d3a1dda","unresolved":false,"context_lines":[{"line_number":11378,"context_line":"                                instance\u003dinstance)"},{"line_number":11379,"context_line":"                    greenthread.sleep(1)"},{"line_number":11380,"context_line":""},{"line_number":11381,"context_line":"    def pre_live_migration(self, context, instance, block_device_info,"},{"line_number":11382,"context_line":"                           network_info, disk_info, migrate_data):"},{"line_number":11383,"context_line":"        \"\"\"Preparation live migration.\"\"\""},{"line_number":11384,"context_line":"        if disk_info is not 
None:"}],"source_content_type":"text/x-python","patch_set":8,"id":"a7f6bfef_583a7ea9","line":11381,"updated":"2024-02-01 09:51:38.000000000","message":"yep you added this to pre_live_migration like i was expecting +1","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"082655fd63b0378e20a37cace801cc829d3a1dda","unresolved":true,"context_lines":[{"line_number":11711,"context_line":"        self._fetch_instance_kernel_ramdisk("},{"line_number":11712,"context_line":"            context, instance, fallback_from_host\u003dfallback_from_host)"},{"line_number":11713,"context_line":""},{"line_number":11714,"context_line":"    def post_live_migration(self, context, instance, block_device_info,"},{"line_number":11715,"context_line":"                            migrate_data\u003dNone):"},{"line_number":11716,"context_line":"        # NOTE(mdbooth): The block_device_info we were passed was initialized"},{"line_number":11717,"context_line":"        # with BDMs from the source host before they were updated to point to"}],"source_content_type":"text/x-python","patch_set":8,"id":"2ffb2a43_e516795e","line":11714,"updated":"2024-02-01 09:51:38.000000000","message":"and post live migration for the success path\n\ni may have missed this but i dont see where we clean up the secret on the\ndest if we revert a live migration due to an error form libvirt when we call migrate_to_url3 or whatever its called.","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"75e82a565e668a2258a34b57d137562041e7386f","unresolved":false,"context_lines":[{"line_number":11711,"context_line":"        self._fetch_instance_kernel_ramdisk("},{"line_number":11712,"context_line":"            context, instance, 
fallback_from_host\u003dfallback_from_host)"},{"line_number":11713,"context_line":""},{"line_number":11714,"context_line":"    def post_live_migration(self, context, instance, block_device_info,"},{"line_number":11715,"context_line":"                            migrate_data\u003dNone):"},{"line_number":11716,"context_line":"        # NOTE(mdbooth): The block_device_info we were passed was initialized"},{"line_number":11717,"context_line":"        # with BDMs from the source host before they were updated to point to"}],"source_content_type":"text/x-python","patch_set":8,"id":"56d5e0cb_f3a941fc","line":11714,"in_reply_to":"2939d0bd_0e9117e6","updated":"2024-02-13 07:19:57.000000000","message":"you coverd this with the revert live migration functional test so yes it is","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8fe4b145b0d56a6871d82675e447b8a7e8844e99","unresolved":true,"context_lines":[{"line_number":11711,"context_line":"        self._fetch_instance_kernel_ramdisk("},{"line_number":11712,"context_line":"            context, instance, fallback_from_host\u003dfallback_from_host)"},{"line_number":11713,"context_line":""},{"line_number":11714,"context_line":"    def post_live_migration(self, context, instance, block_device_info,"},{"line_number":11715,"context_line":"                            migrate_data\u003dNone):"},{"line_number":11716,"context_line":"        # NOTE(mdbooth): The block_device_info we were passed was initialized"},{"line_number":11717,"context_line":"        # with BDMs from the source host before they were updated to point to"}],"source_content_type":"text/x-python","patch_set":8,"id":"2939d0bd_0e9117e6","line":11714,"in_reply_to":"2ffb2a43_e516795e","updated":"2024-02-02 01:56:08.000000000","message":"That _might_ be covered by the self.destroy() or self.cleanup() paths. 
When either of those is called with destroy_disks\u003dTrue (which is the default) it will delete libvirt secrets for ephemeral encryption for those disks.","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"082655fd63b0378e20a37cace801cc829d3a1dda","unresolved":true,"context_lines":[{"line_number":11738,"context_line":"            instance.uuid, instance.flavor, instance.image_meta,"},{"line_number":11739,"context_line":"            block_device_info)"},{"line_number":11740,"context_line":""},{"line_number":11741,"context_line":"    def post_live_migration_at_source(self, context, instance, network_info):"},{"line_number":11742,"context_line":"        \"\"\"Unplug VIFs from networks at source."},{"line_number":11743,"context_line":""},{"line_number":11744,"context_line":"        :param context: security context"}],"source_content_type":"text/x-python","patch_set":8,"id":"d9defaac_a8035a83","line":11741,"updated":"2024-02-01 09:51:38.000000000","message":"we could also do it here in post_live_migrtion_at_source\n\nalthough i think post_live_migration runs on the source as well. 
so that is ok too","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"75e82a565e668a2258a34b57d137562041e7386f","unresolved":false,"context_lines":[{"line_number":11738,"context_line":"            instance.uuid, instance.flavor, instance.image_meta,"},{"line_number":11739,"context_line":"            block_device_info)"},{"line_number":11740,"context_line":""},{"line_number":11741,"context_line":"    def post_live_migration_at_source(self, context, instance, network_info):"},{"line_number":11742,"context_line":"        \"\"\"Unplug VIFs from networks at source."},{"line_number":11743,"context_line":""},{"line_number":11744,"context_line":"        :param context: security context"}],"source_content_type":"text/x-python","patch_set":8,"id":"b7a8be21_0acbdb65","line":11741,"in_reply_to":"d9defaac_a8035a83","updated":"2024-02-13 07:19:57.000000000","message":"Acknowledged","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"082655fd63b0378e20a37cace801cc829d3a1dda","unresolved":true,"context_lines":[{"line_number":12205,"context_line":"            connection_info \u003d vol[\u0027connection_info\u0027]"},{"line_number":12206,"context_line":"            self._disconnect_volume(context, connection_info, instance)"},{"line_number":12207,"context_line":""},{"line_number":12208,"context_line":"        # Destroy libvirt secrets for ephemeral encryption on the source."},{"line_number":12209,"context_line":"        # Volume encryption libvirt secrets were destroyed in"},{"line_number":12210,"context_line":"        # _disconnect_volume."},{"line_number":12211,"context_line":"        
self._destroy_ephemeral_encryption_libvirt_secrets("}],"source_content_type":"text/x-python","patch_set":8,"id":"44be9e40_a34aeb41","line":12208,"updated":"2024-02-01 09:51:38.000000000","message":"ok this is migrate and power off so this is cold migration","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"75e82a565e668a2258a34b57d137562041e7386f","unresolved":false,"context_lines":[{"line_number":12205,"context_line":"            connection_info \u003d vol[\u0027connection_info\u0027]"},{"line_number":12206,"context_line":"            self._disconnect_volume(context, connection_info, instance)"},{"line_number":12207,"context_line":""},{"line_number":12208,"context_line":"        # Destroy libvirt secrets for ephemeral encryption on the source."},{"line_number":12209,"context_line":"        # Volume encryption libvirt secrets were destroyed in"},{"line_number":12210,"context_line":"        # _disconnect_volume."},{"line_number":12211,"context_line":"        self._destroy_ephemeral_encryption_libvirt_secrets("}],"source_content_type":"text/x-python","patch_set":8,"id":"5ae7b476_bce57311","line":12208,"in_reply_to":"44be9e40_a34aeb41","updated":"2024-02-13 07:19:57.000000000","message":"Acknowledged","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"082655fd63b0378e20a37cace801cc829d3a1dda","unresolved":true,"context_lines":[{"line_number":12416,"context_line":"        # Handle the case where the guest has emulated TPM"},{"line_number":12417,"context_line":"        self._finish_migration_vtpm(context, instance)"},{"line_number":12418,"context_line":""},{"line_number":12419,"context_line":"        # Create libvirt secrets for ephemeral encryption on the 
destination."},{"line_number":12420,"context_line":"        self._create_ephemeral_encryption_libvirt_secrets("},{"line_number":12421,"context_line":"            context, instance.uuid, instance.flavor, image_meta,"},{"line_number":12422,"context_line":"            block_device_info)"}],"source_content_type":"text/x-python","patch_set":8,"id":"2800d3d5_2cdcc4a9","line":12419,"updated":"2024-02-01 09:51:38.000000000","message":"here we are defining it in finish migration for the resize/cold migration path\ni guess that is fine although it would have been nicer to do that before copying all the data in case this fails.","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8fe4b145b0d56a6871d82675e447b8a7e8844e99","unresolved":true,"context_lines":[{"line_number":12416,"context_line":"        # Handle the case where the guest has emulated TPM"},{"line_number":12417,"context_line":"        self._finish_migration_vtpm(context, instance)"},{"line_number":12418,"context_line":""},{"line_number":12419,"context_line":"        # Create libvirt secrets for ephemeral encryption on the destination."},{"line_number":12420,"context_line":"        self._create_ephemeral_encryption_libvirt_secrets("},{"line_number":12421,"context_line":"            context, instance.uuid, instance.flavor, image_meta,"},{"line_number":12422,"context_line":"            block_device_info)"}],"source_content_type":"text/x-python","patch_set":8,"id":"bc65fc3f_d906f6a1","line":12419,"in_reply_to":"2800d3d5_2cdcc4a9","updated":"2024-02-02 01:56:08.000000000","message":"I might be missing something but I don\u0027t see a place where we could run this on the destination before copying all the data for cold migration?","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"75e82a565e668a2258a34b57d137562041e7386f","unresolved":false,"context_lines":[{"line_number":12416,"context_line":"        # Handle the case where the guest has emulated TPM"},{"line_number":12417,"context_line":"        self._finish_migration_vtpm(context, instance)"},{"line_number":12418,"context_line":""},{"line_number":12419,"context_line":"        # Create libvirt secrets for ephemeral encryption on the destination."},{"line_number":12420,"context_line":"        self._create_ephemeral_encryption_libvirt_secrets("},{"line_number":12421,"context_line":"            context, instance.uuid, instance.flavor, image_meta,"},{"line_number":12422,"context_line":"            block_device_info)"}],"source_content_type":"text/x-python","patch_set":8,"id":"68c4dcab_bd04d21a","line":12419,"in_reply_to":"bc65fc3f_d906f6a1","updated":"2024-02-13 07:19:57.000000000","message":"ya we might not have a clean place to do that in this case.\n\nperhas as part of the move claim logic but thats a very different codepath","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"082655fd63b0378e20a37cace801cc829d3a1dda","unresolved":true,"context_lines":[{"line_number":12483,"context_line":"            # the destination side"},{"line_number":12484,"context_line":"            crypto.delete_vtpm_secret(context, instance)"},{"line_number":12485,"context_line":""},{"line_number":12486,"context_line":"    def finish_revert_migration("},{"line_number":12487,"context_line":"        self,"},{"line_number":12488,"context_line":"        context: nova.context.RequestContext,"},{"line_number":12489,"context_line":"        instance: \u0027objects.Instance\u0027,"}],"source_content_type":"text/x-python","patch_set":8,"id":"2a5fb2df_446e276e","line":12486,"updated":"2024-02-01 
09:51:38.000000000","message":"ack this is restoring the secret on the souce node for revert.\n\nam this should not be requried as we should not undefine it until confirm","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"7ce746c95a9e009e7275093a3ae535f10c00a7fe","unresolved":false,"context_lines":[{"line_number":12483,"context_line":"            # the destination side"},{"line_number":12484,"context_line":"            crypto.delete_vtpm_secret(context, instance)"},{"line_number":12485,"context_line":""},{"line_number":12486,"context_line":"    def finish_revert_migration("},{"line_number":12487,"context_line":"        self,"},{"line_number":12488,"context_line":"        context: nova.context.RequestContext,"},{"line_number":12489,"context_line":"        instance: \u0027objects.Instance\u0027,"}],"source_content_type":"text/x-python","patch_set":8,"id":"80ef4dc8_82dd34a9","line":12486,"in_reply_to":"2a5fb2df_446e276e","updated":"2024-02-14 08:06:09.000000000","message":"Done","commit_id":"ce1049fee6896d13b09d5e8fc344e7203148be46"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"584100a00618d193dea86b3d3fb4b9c8b9669529","unresolved":true,"context_lines":[{"line_number":11401,"context_line":"            instance, network_info, migrate_data)"},{"line_number":11402,"context_line":""},{"line_number":11403,"context_line":"        # Create libvirt secrets for ephemeral encryption on the destination."},{"line_number":11404,"context_line":"        self._create_ephemeral_encryption_libvirt_secrets("},{"line_number":11405,"context_line":"            context, instance.uuid, instance.flavor, instance.image_meta,"},{"line_number":11406,"context_line":"            
block_device_info)"},{"line_number":11407,"context_line":""}],"source_content_type":"text/x-python","patch_set":21,"id":"211afa8a_0a6b59d9","line":11404,"range":{"start_line":11404,"start_character":13,"end_line":11404,"end_character":57},"updated":"2024-03-15 17:58:59.000000000","message":"oh i just looked into this again i thought we were passing the secret data in block_device_info\n\nit only has the secret uuid in it which would mean we could not do live migrations of vms with local storage if barbican was unavailable.\n\nim not sure if that is ok.\n\nwe will always have the libvirt secret on the source node if we are doing a live migration so i was expecting us to pass it from the source to dest in the migrate_data but i see that is not implemented.\n\nim not sure i like requiring barbican to be online to have live migrate work.","commit_id":"0967ddd7d296a3f3f61bef24b796dfeca62c7241"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"23db60f810b5472343e21666c09292885b832a17","unresolved":true,"context_lines":[{"line_number":11401,"context_line":"            instance, network_info, migrate_data)"},{"line_number":11402,"context_line":""},{"line_number":11403,"context_line":"        # Create libvirt secrets for ephemeral encryption on the destination."},{"line_number":11404,"context_line":"        self._create_ephemeral_encryption_libvirt_secrets("},{"line_number":11405,"context_line":"            context, instance.uuid, instance.flavor, instance.image_meta,"},{"line_number":11406,"context_line":"            block_device_info)"},{"line_number":11407,"context_line":""}],"source_content_type":"text/x-python","patch_set":21,"id":"ddf6744f_ca3b0c6e","line":11404,"range":{"start_line":11404,"start_character":13,"end_line":11404,"end_character":57},"in_reply_to":"211afa8a_0a6b59d9","updated":"2024-03-19 00:28:52.000000000","message":"Cinder volume encryption also requires 
Barbican to be available -- every call of _connect_volume (L11398) retrieves the secret from Barbican:\nhttps://github.com/openstack/nova/blob/8f3976d4cc5390fe649f2ff94afc971c5d6f7bc0/nova/virt/libvirt/driver.py#L2157-L2158\nBased on that, I had been thinking it would be OK to use the same pattern for this.\n\nIf we were to directly copy the passphrase from source to destination, are you suggesting we would do that over RPC or SSH?\n\nI do notice though that for Cinder volume encryption it checks whether the libvirt secret already exists on the host before retrieving it from Barbican, so that would save a call in the case that the secret is already there for some reason. I\u0027m not sure when that would be the case considering we destroy secrets on the source after the migration succeeds but either way, I will want to change _create_ephemeral_encryption_libvirt_secrets to check for the secret locally before calling Barbican.","commit_id":"0967ddd7d296a3f3f61bef24b796dfeca62c7241"}]}
