)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"7d6da8469898bc88ba5c582bd1ab1641f12a559d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"b26a905f_f5da8e9a","updated":"2025-07-29 14:09:59.000000000","message":"I think we should handle the confirmed flag differently...","commit_id":"d688ea6340015bbc7ec195f43eff7a5624906ca9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"adf611590d61fee211eec01db8a819282155510e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":19,"id":"f82d5b89_cc6c1e15","updated":"2025-09-24 00:34:23.000000000","message":"recheck nova-live-migration-ceph \"Error: copying system image from manifest list: writing blob: storing blob to file \"/var/tmp/storage3672894770/1\": happened during read: unexpected EOF\"","commit_id":"85a941bd87e8e079cb6ce0dcfaa126f4a90f7678"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"74b4a954c91e8bcf39943ab8d6f9fdab34965237","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":21,"id":"ab5f0409_7f9599b5","updated":"2025-10-03 05:49:11.000000000","message":"recheck controller compute service took too long to become enabled during evacuate tests","commit_id":"cb27a4096d07cdc5441e4ec15ffe665ee099d173"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"bf107a1f76606decc7d5ecf27d8035fa27e450fc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"fc49c07d_c06afef1","updated":"2025-11-03 18:43:43.000000000","message":"I re-deployed and tested this patch this morning. 
With the recent changes to it, I\u0027m now able to boot a host-security instance as a regular user and then restart it as admin because the secret is persisted in libvirt. That is already an improvement over the current state of the art.\n\nSo, I\u0027d propose we go ahead and merge from here down in the series and help cut this series down by several patches for melwitt\u0027s benefit and to avoid us continuing to re-review the lower bits in place.\n\n@sbauza@redhat.com you okay with that?","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"64d5bb9fce46845aa473f45c5bf78d174a38233e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"87586d20_f6143244","updated":"2025-11-05 17:31:11.000000000","message":"So, thanks for the hard work @melwittt@gmail.com !","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"453d9d89734059203239368dbe8a54dca59c071e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"fc5be265_caa43297","updated":"2025-11-02 19:59:25.000000000","message":"recheck ERROR oslo.messaging._drivers.impl_rabbit [None req-94b27dcd-7d0a-4b19-8b62-457492f9f3fb None None] Connection failed: timed out (retrying in 29.0 seconds): TimeoutError: timed out","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"7e0df74188d9bd11b943c6d0a40342d88e59eb38","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"9fbb8253_960de79a","updated":"2025-11-02 23:42:00.000000000","message":"recheck guest kernel 
panic","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"64d5bb9fce46845aa473f45c5bf78d174a38233e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":25,"id":"eec4f185_198865f1","in_reply_to":"fc49c07d_c06afef1","updated":"2025-11-05 17:31:11.000000000","message":"\u003e \n\u003e @sbauza@redhat.com you okay with that?\n\n\nYup, let\u0027s merge the first patches because we can revert them if we need, while the upper change changes an o.vo object.","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"82ca4d1ab77fc723285c588aac667dce25a18f73","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":27,"id":"45542b74_6e05ff47","updated":"2025-11-10 23:23:09.000000000","message":"recheck guest kernel panic","commit_id":"e801a2810e7942921fcdbb7e6070def9fc8193d6"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"8e7d83079009d66dac119c0c95b0884cd86ecdf9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":27,"id":"7993da7c_c1f8a59e","updated":"2025-11-11 02:30:14.000000000","message":"recheck guest kernel panic","commit_id":"e801a2810e7942921fcdbb7e6070def9fc8193d6"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"75e1474a4c358baee7ae0b4d468b10fe9b57696d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":28,"id":"197d152a_ee0c3529","updated":"2025-11-18 18:24:01.000000000","message":"re-tested this after tweaks and rebases and I can still start an instance as an admin in host mode.\n\nProxying sylvain\u0027s previous +W since this is 
basically unchanged.","commit_id":"245a321e433d1c7915004a8ddfdfe0db359c29e8"}],"nova/compute/manager.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"9b22fe299580074a70409ed76f9e8bebc2c9ff33","unresolved":true,"context_lines":[{"line_number":2699,"context_line":"                        accel_uuids) as resources:"},{"line_number":2700,"context_line":"                    instance.vm_state \u003d vm_states.BUILDING"},{"line_number":2701,"context_line":"                    instance.task_state \u003d task_states.SPAWNING"},{"line_number":2702,"context_line":"                    self._set_tpm_secret_security(instance, confirmed\u003dTrue)"},{"line_number":2703,"context_line":"                    # NOTE(JoshNang) This also saves the changes to the"},{"line_number":2704,"context_line":"                    # instance from _allocate_network_async, as they aren\u0027t"},{"line_number":2705,"context_line":"                    # saved in that function to prevent races."}],"source_content_type":"text/x-python","patch_set":15,"id":"a38f1530_32827020","line":2702,"updated":"2025-08-05 17:09:46.000000000","message":"So to remind myself, this looks at the image and flavor to determine what the policy is, and if none, sets it from the default in config.\n\nBut question:\n\nWhy is this added here and not in the patch below?\n\nAlso question, which maybe should be on the implementation of this:\n\nIf we get here, we\u0027re assuming that the policy matches what is supported (i.e. the scheduler did its job). I wonder if we need to sort of do a check (like the late affinity check) to make sure that the instance\u0027s policy is reasonable? I\u0027m thinking of situations where someone live migrated an instance by force to a host that doesn\u0027t support the mode it needs. 
Like, with security\u003ddeployment, I think we\u0027ll need to have a nova-owned deployment credential (IIRC) which may not be configured on hosts that don\u0027t support that mode.","commit_id":"d8f70e29abbac1f3b597c7bd3791bf09ef55a35c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"250d386628b009a6b68eca9517537381f9d159ea","unresolved":true,"context_lines":[{"line_number":2699,"context_line":"                        accel_uuids) as resources:"},{"line_number":2700,"context_line":"                    instance.vm_state \u003d vm_states.BUILDING"},{"line_number":2701,"context_line":"                    instance.task_state \u003d task_states.SPAWNING"},{"line_number":2702,"context_line":"                    self._set_tpm_secret_security(instance, confirmed\u003dTrue)"},{"line_number":2703,"context_line":"                    # NOTE(JoshNang) This also saves the changes to the"},{"line_number":2704,"context_line":"                    # instance from _allocate_network_async, as they aren\u0027t"},{"line_number":2705,"context_line":"                    # saved in that function to prevent races."}],"source_content_type":"text/x-python","patch_set":15,"id":"e4367108_a0bb08d9","line":2702,"in_reply_to":"9edcdfb4_275e1185","updated":"2025-08-05 19:30:50.000000000","message":"\u003e This was here when I took over the series and I briefly debated whether to move it to the patch below but decided to defer and not change too much prior to review. My guess is that since `user` security is essentially the legacy behavior, setting the secret metadata doesn\u0027t do much in that case (below patch). 
Since you mentioned it though, maybe that\u0027s a sign to go ahead and move it.\n\nYeah, and an argument to move it is that if we were to only merge up to that base patch, at least we\u0027d be creating new instances with the policy stamped.\n\n\u003e I could see a late check helping for the force live migration case. That actually comes up later in the series [1] and I wondered if/how to avoid a guest being forced onto a host that doesn\u0027t support the TPM secret policy it requires.\n\u003e \n\u003e Might want to make that its own patch to avoid making the next patch (that begins live migration) larger.\n\nYep.","commit_id":"d8f70e29abbac1f3b597c7bd3791bf09ef55a35c"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"32ba811d1b07decb431867e8f0392021a2790c6f","unresolved":true,"context_lines":[{"line_number":2699,"context_line":"                        accel_uuids) as resources:"},{"line_number":2700,"context_line":"                    instance.vm_state \u003d vm_states.BUILDING"},{"line_number":2701,"context_line":"                    instance.task_state \u003d task_states.SPAWNING"},{"line_number":2702,"context_line":"                    self._set_tpm_secret_security(instance, confirmed\u003dTrue)"},{"line_number":2703,"context_line":"                    # NOTE(JoshNang) This also saves the changes to the"},{"line_number":2704,"context_line":"                    # instance from _allocate_network_async, as they aren\u0027t"},{"line_number":2705,"context_line":"                    # saved in that function to prevent races."}],"source_content_type":"text/x-python","patch_set":15,"id":"9edcdfb4_275e1185","line":2702,"in_reply_to":"a38f1530_32827020","updated":"2025-08-05 17:55:27.000000000","message":"This was here when I took over the series and I briefly debated whether to move it to the patch below but decided to defer and not change too much prior to review. 
My guess is that since `user` security is essentially the legacy behavior, setting the secret metadata doesn\u0027t do much in that case (below patch). Since you mentioned it though, maybe that\u0027s a sign to go ahead and move it.\n\nI could see a late check helping for the force live migration case. That actually comes up later in the series [1] and I wondered if/how to avoid a guest being forced onto a host that doesn\u0027t support the TPM secret policy it requires.\n\nMight want to make that its own patch to avoid making the next patch (that begins live migration) larger.\n\n[1] https://review.opendev.org/c/openstack/nova/+/941483/21/nova/tests/functional/libvirt/test_vtpm.py#485","commit_id":"d8f70e29abbac1f3b597c7bd3791bf09ef55a35c"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"b54b39c0263b493b6ae743f454c1349e2d7f9788","unresolved":false,"context_lines":[{"line_number":2699,"context_line":"                        accel_uuids) as resources:"},{"line_number":2700,"context_line":"                    instance.vm_state \u003d vm_states.BUILDING"},{"line_number":2701,"context_line":"                    instance.task_state \u003d task_states.SPAWNING"},{"line_number":2702,"context_line":"                    self._set_tpm_secret_security(instance, confirmed\u003dTrue)"},{"line_number":2703,"context_line":"                    # NOTE(JoshNang) This also saves the changes to the"},{"line_number":2704,"context_line":"                    # instance from _allocate_network_async, as they aren\u0027t"},{"line_number":2705,"context_line":"                    # saved in that function to prevent races."}],"source_content_type":"text/x-python","patch_set":15,"id":"47749022_e76d7e0b","line":2702,"in_reply_to":"e4367108_a0bb08d9","updated":"2025-08-09 
01:26:46.000000000","message":"Done","commit_id":"d8f70e29abbac1f3b597c7bd3791bf09ef55a35c"}],"nova/conf/libvirt.py":[{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"b4a2d339826a58396fb7d3b9807527700418b0b6","unresolved":true,"context_lines":[{"line_number":1607,"context_line":"* ``swtpm_user`` must also be set."},{"line_number":1608,"context_line":"\"\"\"),"},{"line_number":1609,"context_line":"    cfg.ListOpt(\u0027supported_tpm_secret_security\u0027,"},{"line_number":1610,"context_line":"        default\u003d[\u0027user\u0027],"},{"line_number":1611,"context_line":"        help\u003d\"\"\""},{"line_number":1612,"context_line":"The list of TPM security policies supported by this compute host. If a value is"},{"line_number":1613,"context_line":"absent, it is not supported by this host, and any instance that requests it"}],"source_content_type":"text/x-python","patch_set":21,"id":"c02aa7f9_6222dd3b","line":1610,"updated":"2025-10-02 21:08:50.000000000","message":"Maybe should also add host here, i.e. `default\u003d[\u0027user,host\u0027],`.","commit_id":"cb27a4096d07cdc5441e4ec15ffe665ee099d173"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"db71bd172fcdcbfa5ff2bd5c09225bd0f1ba30c4","unresolved":false,"context_lines":[{"line_number":1607,"context_line":"* ``swtpm_user`` must also be set."},{"line_number":1608,"context_line":"\"\"\"),"},{"line_number":1609,"context_line":"    cfg.ListOpt(\u0027supported_tpm_secret_security\u0027,"},{"line_number":1610,"context_line":"        default\u003d[\u0027user\u0027],"},{"line_number":1611,"context_line":"        help\u003d\"\"\""},{"line_number":1612,"context_line":"The list of TPM security policies supported by this compute host. 
If a value is"},{"line_number":1613,"context_line":"absent, it is not supported by this host, and any instance that requests it"}],"source_content_type":"text/x-python","patch_set":21,"id":"20f3339b_062c3215","line":1610,"in_reply_to":"c02aa7f9_6222dd3b","updated":"2025-10-08 06:21:09.000000000","message":"Done","commit_id":"cb27a4096d07cdc5441e4ec15ffe665ee099d173"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"92dec39ca2ab8d7747a9893ddf2c31f087a56a38","unresolved":true,"context_lines":[{"line_number":1619,"context_line":"  accessed by anyone else. The Libvirt secret is private and non-persistent."},{"line_number":1620,"context_line":"  The instance cannot be live-migrated or automatically resumed after host"},{"line_number":1621,"context_line":"  reboot."},{"line_number":1622,"context_line":"* \u0027host\u0027: The Barbican secret is owned by the instance owner and cannot be"},{"line_number":1623,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1624,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1625,"context_line":"  be live-migrated and automatically resumed after host reboot."}],"source_content_type":"text/x-python","patch_set":25,"id":"9aac432f_163fcc87","line":1622,"range":{"start_line":1622,"start_character":2,"end_line":1622,"end_character":8},"updated":"2025-10-31 21:36:23.000000000","message":"\\`\\`host\\`\\` for better docs rendering","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"64d5bb9fce46845aa473f45c5bf78d174a38233e","unresolved":true,"context_lines":[{"line_number":1619,"context_line":"  accessed by anyone else. 
The Libvirt secret is private and non-persistent."},{"line_number":1620,"context_line":"  The instance cannot be live-migrated or automatically resumed after host"},{"line_number":1621,"context_line":"  reboot."},{"line_number":1622,"context_line":"* \u0027host\u0027: The Barbican secret is owned by the instance owner and cannot be"},{"line_number":1623,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1624,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1625,"context_line":"  be live-migrated and automatically resumed after host reboot."}],"source_content_type":"text/x-python","patch_set":25,"id":"afae0011_b946a766","line":1622,"range":{"start_line":1622,"start_character":2,"end_line":1622,"end_character":8},"in_reply_to":"9aac432f_163fcc87","updated":"2025-11-05 17:31:11.000000000","message":"nah fine","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"82ca4d1ab77fc723285c588aac667dce25a18f73","unresolved":false,"context_lines":[{"line_number":1619,"context_line":"  accessed by anyone else. The Libvirt secret is private and non-persistent."},{"line_number":1620,"context_line":"  The instance cannot be live-migrated or automatically resumed after host"},{"line_number":1621,"context_line":"  reboot."},{"line_number":1622,"context_line":"* \u0027host\u0027: The Barbican secret is owned by the instance owner and cannot be"},{"line_number":1623,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1624,"context_line":"  can be read by anyone with sufficient access on the host. 
The instance can"},{"line_number":1625,"context_line":"  be live-migrated and automatically resumed after host reboot."}],"source_content_type":"text/x-python","patch_set":25,"id":"e3b3294e_3ba2865e","line":1622,"range":{"start_line":1622,"start_character":2,"end_line":1622,"end_character":8},"in_reply_to":"afae0011_b946a766","updated":"2025-11-10 23:23:09.000000000","message":"Done","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"64d5bb9fce46845aa473f45c5bf78d174a38233e","unresolved":false,"context_lines":[{"line_number":1622,"context_line":"* \u0027host\u0027: The Barbican secret is owned by the instance owner and cannot be"},{"line_number":1623,"context_line":"  accessed by anyone else. The Libvirt secret is public and persistent. It"},{"line_number":1624,"context_line":"  can be read by anyone with sufficient access on the host. The instance can"},{"line_number":1625,"context_line":"  be live-migrated and automatically resumed after host reboot."},{"line_number":1626,"context_line":"\"\"\"),"},{"line_number":1627,"context_line":"]"},{"line_number":1628,"context_line":""}],"source_content_type":"text/x-python","patch_set":25,"id":"1a065032_296a8d74","line":1625,"updated":"2025-11-05 17:31:11.000000000","message":"\\o/","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"}],"nova/tests/functional/libvirt/test_vtpm.py":[{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"057232f7951332cbcd3c3152b57622b200ad08e0","unresolved":false,"context_lines":[{"line_number":362,"context_line":"            self._reboot_server(server, hard\u003dTrue, api\u003dself.admin_api)"},{"line_number":363,"context_line":"        else:"},{"line_number":364,"context_line":"            self._reboot_server(server, hard\u003dTrue, 
expected_state\u003d\u0027ERROR\u0027,"},{"line_number":365,"context_line":"                                api\u003dself.admin_api)"},{"line_number":366,"context_line":""},{"line_number":367,"context_line":"    def _test_resize_revert_server__vtpm_to_vtpm(self, extra_specs\u003dNone):"},{"line_number":368,"context_line":"        \"\"\"Test behavior of revert when a vTPM is retained across a resize."}],"source_content_type":"text/x-python","patch_set":28,"id":"9d3cdacb_7639b6d6","line":365,"updated":"2025-11-19 14:39:06.000000000","message":"++","commit_id":"245a321e433d1c7915004a8ddfdfe0db359c29e8"}],"nova/virt/libvirt/driver.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"7d6da8469898bc88ba5c582bd1ab1641f12a559d","unresolved":true,"context_lines":[{"line_number":8185,"context_line":"        secret_security \u003d (secret_security or"},{"line_number":8186,"context_line":"                           CONF.libvirt.default_tpm_secret_security)"},{"line_number":8187,"context_line":"        confirmed \u003d instance.system_metadata.get("},{"line_number":8188,"context_line":"            \u0027tpm_secret_security_confirmed\u0027)"},{"line_number":8189,"context_line":""},{"line_number":8190,"context_line":"        kwargs \u003d {}"},{"line_number":8191,"context_line":"        if secret_security \u003d\u003d \u0027host\u0027 and confirmed \u003d\u003d \u0027True\u0027:"}],"source_content_type":"text/x-python","patch_set":13,"id":"ce8d8fa2_12774457","line":8188,"updated":"2025-07-29 14:09:59.000000000","message":"So, I thought we had discussed this before in the spec or something but.. this seems kinda gross. We need a separate flag in sysmeta because we might have set the operator\u0027s new default as their policy but the user hasn\u0027t confirmed it with a hard reboot yet right?\n\nWhy can\u0027t we have the absence of the key mean \"unconfirmed\"? 
I guess because the API has to expose the new default and it can\u0027t know the compute node\u0027s config - right?\n\nWhat sucks about this implementation decision (IMHO) is that we basically have to keep the policy and the confirmed\u003dTrue in our sysmeta \"forever\", as well as always check the policy and the confirmed flag before doing anything. That seems like tech debt that will be hard to get rid of.\n\nWhat if we stamp `provisional_tpm_policy\u003dCONF.whatever` into sysmeta on first start? Then the API can have the \"show the policy or the provisional one\" check and all the rest of this code can just assume that if a policy is set, honor it. Later when we decide it has been long enough (and maybe with an upgrade check) we can just remove the check from the API and we don\u0027t need to change a bunch of things on the compute node and worry about cleaning up the confirmed\u003dTrue flag on every instance?","commit_id":"d688ea6340015bbc7ec195f43eff7a5624906ca9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e2562bfe7c0b8eef27e458cec89d33964ebd897f","unresolved":false,"context_lines":[{"line_number":8185,"context_line":"        secret_security \u003d (secret_security or"},{"line_number":8186,"context_line":"                           CONF.libvirt.default_tpm_secret_security)"},{"line_number":8187,"context_line":"        confirmed \u003d instance.system_metadata.get("},{"line_number":8188,"context_line":"            \u0027tpm_secret_security_confirmed\u0027)"},{"line_number":8189,"context_line":""},{"line_number":8190,"context_line":"        kwargs \u003d {}"},{"line_number":8191,"context_line":"        if secret_security \u003d\u003d \u0027host\u0027 and confirmed \u003d\u003d \u0027True\u0027:"}],"source_content_type":"text/x-python","patch_set":13,"id":"781770e3_4214fe2e","line":8188,"in_reply_to":"466507e4_9e7f4b4e","updated":"2025-07-30 
01:16:56.000000000","message":"Done","commit_id":"d688ea6340015bbc7ec195f43eff7a5624906ca9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"53bab07c491afc93a6917752581c91d4dca745a1","unresolved":true,"context_lines":[{"line_number":8185,"context_line":"        secret_security \u003d (secret_security or"},{"line_number":8186,"context_line":"                           CONF.libvirt.default_tpm_secret_security)"},{"line_number":8187,"context_line":"        confirmed \u003d instance.system_metadata.get("},{"line_number":8188,"context_line":"            \u0027tpm_secret_security_confirmed\u0027)"},{"line_number":8189,"context_line":""},{"line_number":8190,"context_line":"        kwargs \u003d {}"},{"line_number":8191,"context_line":"        if secret_security \u003d\u003d \u0027host\u0027 and confirmed \u003d\u003d \u0027True\u0027:"}],"source_content_type":"text/x-python","patch_set":13,"id":"466507e4_9e7f4b4e","line":8188,"in_reply_to":"ce8d8fa2_12774457","updated":"2025-07-29 16:43:18.000000000","message":"When I picked up the work, the \"confirmed\" flag and how it works was not described in the spec at all unfortunately. The patch series had the initial step of setting confirmed\u003dFalse and I got a brief verbal explanation about the confirmed flag during the handover. I proposed a spec amendment with my interpretation of it so it\u0027s also possible something got lost in translation.\n\nI think your point about the tech debt hanging around forever is true and I like the idea of using another flag to capture when it\u0027s \"provisional\" instead. 
I will go through and change that and see how it goes.","commit_id":"d688ea6340015bbc7ec195f43eff7a5624906ca9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"7d6da8469898bc88ba5c582bd1ab1641f12a559d","unresolved":true,"context_lines":[{"line_number":8240,"context_line":"            return guest"},{"line_number":8241,"context_line":"        finally:"},{"line_number":8242,"context_line":"            if libvirt_secret is not None and not ("},{"line_number":8243,"context_line":"                    secret_security \u003d\u003d \u0027host\u0027 and confirmed \u003d\u003d \u0027True\u0027):"},{"line_number":8244,"context_line":"                libvirt_secret.undefine()"},{"line_number":8245,"context_line":""},{"line_number":8246,"context_line":"    def _neutron_failed_callback(self, event_name, instance):"}],"source_content_type":"text/x-python","patch_set":13,"id":"4459c1c9_c5250533","line":8243,"updated":"2025-07-29 14:09:59.000000000","message":"This `is not None and not True and False` sort of logic is what I really want to avoid putting everywhere we need to decide what to do. 
It also means that if we later remove the need for the confirmed flag, we\u0027ll still have old computes on one side of a migration still checking them until after an upgrade.","commit_id":"d688ea6340015bbc7ec195f43eff7a5624906ca9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"53bab07c491afc93a6917752581c91d4dca745a1","unresolved":true,"context_lines":[{"line_number":8240,"context_line":"            return guest"},{"line_number":8241,"context_line":"        finally:"},{"line_number":8242,"context_line":"            if libvirt_secret is not None and not ("},{"line_number":8243,"context_line":"                    secret_security \u003d\u003d \u0027host\u0027 and confirmed \u003d\u003d \u0027True\u0027):"},{"line_number":8244,"context_line":"                libvirt_secret.undefine()"},{"line_number":8245,"context_line":""},{"line_number":8246,"context_line":"    def _neutron_failed_callback(self, event_name, instance):"}],"source_content_type":"text/x-python","patch_set":13,"id":"b649f36a_b7f3b8a4","line":8243,"in_reply_to":"4459c1c9_c5250533","updated":"2025-07-29 16:43:18.000000000","message":"Yeah, I agree it would be ideal to not have something like this scattered throughout.","commit_id":"d688ea6340015bbc7ec195f43eff7a5624906ca9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"e2562bfe7c0b8eef27e458cec89d33964ebd897f","unresolved":false,"context_lines":[{"line_number":8240,"context_line":"            return guest"},{"line_number":8241,"context_line":"        finally:"},{"line_number":8242,"context_line":"            if libvirt_secret is not None and not ("},{"line_number":8243,"context_line":"                    secret_security \u003d\u003d \u0027host\u0027 and confirmed \u003d\u003d \u0027True\u0027):"},{"line_number":8244,"context_line":"                
libvirt_secret.undefine()"},{"line_number":8245,"context_line":""},{"line_number":8246,"context_line":"    def _neutron_failed_callback(self, event_name, instance):"}],"source_content_type":"text/x-python","patch_set":13,"id":"f0dd8c82_386f40da","line":8243,"in_reply_to":"b649f36a_b7f3b8a4","updated":"2025-07-30 01:16:56.000000000","message":"Done","commit_id":"d688ea6340015bbc7ec195f43eff7a5624906ca9"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"64d5bb9fce46845aa473f45c5bf78d174a38233e","unresolved":true,"context_lines":[{"line_number":8149,"context_line":"        finally:"},{"line_number":8150,"context_line":"            self._create_domain_cleanup_lxc(instance)"},{"line_number":8151,"context_line":""},{"line_number":8152,"context_line":"    def _create_secret_for_vtpm("},{"line_number":8153,"context_line":"        self,"},{"line_number":8154,"context_line":"        context: nova_context.RequestContext,"},{"line_number":8155,"context_line":"        instance: \u0027objects.Instance\u0027,"}],"source_content_type":"text/x-python","patch_set":25,"id":"88eab549_b627449f","line":8152,"range":{"start_line":8152,"start_character":8,"end_line":8152,"end_character":31},"updated":"2025-11-05 17:31:11.000000000","message":"femtonit: could be _ensure_secret_for_vtpm given we lookup at the host.","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"82ca4d1ab77fc723285c588aac667dce25a18f73","unresolved":false,"context_lines":[{"line_number":8149,"context_line":"        finally:"},{"line_number":8150,"context_line":"            self._create_domain_cleanup_lxc(instance)"},{"line_number":8151,"context_line":""},{"line_number":8152,"context_line":"    def _create_secret_for_vtpm("},{"line_number":8153,"context_line":"        
self,"},{"line_number":8154,"context_line":"        context: nova_context.RequestContext,"},{"line_number":8155,"context_line":"        instance: \u0027objects.Instance\u0027,"}],"source_content_type":"text/x-python","patch_set":25,"id":"171dfd8d_06c529dd","line":8152,"range":{"start_line":8152,"start_character":8,"end_line":8152,"end_character":31},"in_reply_to":"88eab549_b627449f","updated":"2025-11-10 23:23:09.000000000","message":"Done","commit_id":"fb9f4139c84f8901e90f86f3a0a3cfdbda279156"}],"nova/virt/libvirt/host.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"0da73b93b24dea3b5c6d08c55dd79bd78edf9e2d","unresolved":true,"context_lines":[{"line_number":1080,"context_line":"        elif usage_type \u003d\u003d \u0027volume\u0027:"},{"line_number":1081,"context_line":"            usage_type_const \u003d libvirt.VIR_SECRET_USAGE_TYPE_VOLUME"},{"line_number":1082,"context_line":"        elif usage_type \u003d\u003d \u0027vtpm\u0027:"},{"line_number":1083,"context_line":"            usage_type_const \u003d libvirt.VIR_SECRET_USAGE_TYPE_VTPM"},{"line_number":1084,"context_line":"        else:"},{"line_number":1085,"context_line":"            msg \u003d _(\"Invalid usage_type: %s\")"},{"line_number":1086,"context_line":"            raise exception.InternalError(msg % usage_type)"}],"source_content_type":"text/x-python","patch_set":24,"id":"58775532_6e6be14d","line":1083,"updated":"2025-10-20 17:12:13.000000000","message":"Looks like this is not covered in any of the unit tests...but is tested in functional, so I guess that\u0027s why.","commit_id":"e6917044de930d381ea24415b3058c536ebb6fd9"},{"author":{"_account_id":4690,"name":"melanie witt","display_name":"melwitt","email":"melwittt@gmail.com","username":"melwitt"},"change_message_id":"cf4d7da088ec8e99ee9248604fbafb4849818522","unresolved":true,"context_lines":[{"line_number":1080,"context_line":"        elif usage_type \u003d\u003d 
\u0027volume\u0027:"},{"line_number":1081,"context_line":"            usage_type_const \u003d libvirt.VIR_SECRET_USAGE_TYPE_VOLUME"},{"line_number":1082,"context_line":"        elif usage_type \u003d\u003d \u0027vtpm\u0027:"},{"line_number":1083,"context_line":"            usage_type_const \u003d libvirt.VIR_SECRET_USAGE_TYPE_VTPM"},{"line_number":1084,"context_line":"        else:"},{"line_number":1085,"context_line":"            msg \u003d _(\"Invalid usage_type: %s\")"},{"line_number":1086,"context_line":"            raise exception.InternalError(msg % usage_type)"}],"source_content_type":"text/x-python","patch_set":24,"id":"99d3e5a0_f56d46db","line":1083,"in_reply_to":"58775532_6e6be14d","updated":"2025-10-20 17:27:04.000000000","message":"Generally in this series the testing is covered by functional and my intended pattern was to add unit tests only when a thing was not clearly covered by functional for the most part, in an effort to avoid duplicating everything.","commit_id":"e6917044de930d381ea24415b3058c536ebb6fd9"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"186db36013b57e9bf8fffcff9c0fb9a254f13659","unresolved":false,"context_lines":[{"line_number":1080,"context_line":"        elif usage_type \u003d\u003d \u0027volume\u0027:"},{"line_number":1081,"context_line":"            usage_type_const \u003d libvirt.VIR_SECRET_USAGE_TYPE_VOLUME"},{"line_number":1082,"context_line":"        elif usage_type \u003d\u003d \u0027vtpm\u0027:"},{"line_number":1083,"context_line":"            usage_type_const \u003d libvirt.VIR_SECRET_USAGE_TYPE_VTPM"},{"line_number":1084,"context_line":"        else:"},{"line_number":1085,"context_line":"            msg \u003d _(\"Invalid usage_type: %s\")"},{"line_number":1086,"context_line":"            raise exception.InternalError(msg % 
usage_type)"}],"source_content_type":"text/x-python","patch_set":24,"id":"8e911ff3_566859c9","line":1083,"in_reply_to":"99d3e5a0_f56d46db","updated":"2025-10-20 17:33:19.000000000","message":"Yep, sorry, I should have marked this resolved (or just deleted it). Was going through and looking at the coverage report making notes and then went back to edit this with the \"...but\" after realizing :)","commit_id":"e6917044de930d381ea24415b3058c536ebb6fd9"}]}
