openstack
/
nova-specs
Code Issues Proposed changes

Update patch set 7 

Patch Set 7:

(11 comments)

Patch-set: 7
Attention: {"person_ident":"Gerrit User 4393 \u003c4393@4a232e18-c5a9-48ee-94c0-e04e7cca6543\u003e","operation":"REMOVE","reason":"\u003cGERRIT_ACCOUNT_4393\u003e replied on the change"}
This commit is contained in:
Gerrit User 4393 2024-03-28 14:37:36 +00:00 committed by Gerrit Code Review
parent edaa33a6c2
commit 5e08192c9e
1 changed files with 198 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

198
6940b7f76b9e415fd0ab75cbea9c0b001a68272a
View File

@ -185,6 +185,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "22ac8780_0012ab12",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 260,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "Okay, but why? And who are you going to \"charge\" that secret to? The first user that booted an instance on that compute node from that image? What happens if they delete it a week later not knowing what it\u0027s for?",
"parentUuid": "d57210e8_abc3d71e",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -220,6 +238,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "170b5505_de86ed29",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 280,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "If the rescue *image* is encrypted already, then you need to use the secret provided anyway. But the actual disk for the instance does not need to be, IMHO, basically ever. The rescue disk is a throw-away thing (could even be readonly on a lot of OSes) with no sensitive data written to it, I\u0027m not really sure why we would want or need to go to the trouble to create/duplicate keys and encrypt the tiny delta that is involved in booting something, personally.",
"parentUuid": "a32ad2f3_81833dca",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -360,6 +396,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "9db30112_8f7a4833",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 317,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "Okay, weird, but they\u0027re always empty? That seems really strange to me, and maybe a bit of a risk (unrelated to this work). If someone\u0027s swap ever got `commit`-ed to the base then their memory contents would be visible to anyone after that happened, but for absolutely no reason.\n\nTo say it another way: being backed by an empty disk is the same as having no empty disk, but with the added security risk :)\n\nAnyway, unrelated to this I guess.",
"parentUuid": "2209b0ba_65bdfe8a",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -464,6 +518,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "979f1f49_9e5c543c",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 441,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "Gotta fail late I guess. Or at least for the moment, maybe we can come up with something better.\n\nIs the snapshot RPC a cast?",
"parentUuid": "200f9e3d_54497020",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -499,6 +571,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": false,
"key": {
"uuid": "1c21c6de_3e3a05e4",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 474,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "Acknowledged",
"parentUuid": "7fd0487e_997e4f4c",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -621,6 +711,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "cae4f797_482e4573",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 591,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "Yeah,I know they are, it\u0027s the duplication or added keys for the other pieces that seems undesirable to me.",
"parentUuid": "93211b26_b417b339",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -656,6 +764,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "b4330112_d832cb38",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 615,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "Well, clearly that will have to be the case, but I\u0027m calling it out because we might want to have a more helpful behavior than just it failing in whatever way. Also, it\u0027s quite possible for new versions to drop support for a cipher, so even upgrading and migrating from old to new could bring problems.\n\nFurther, this not just about old and new nova, because we support a range of libvirt/qemu versions in a single release and lots of deployers are much less rigid about upgrading everything about a node all at once. Meaning, they could have upgraded their OS (or even just their libvirt container) without having moved nova, such that we don\u0027t have a service version or anything else to go on.",
"parentUuid": "6e236efe_64b62f3d",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -726,6 +852,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "9dc15400_e99bd7ad",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 776,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "Ah okay, I guess I missed the distinction between \"volumes\" and \"Volumes\" (i.e. volume as a general term for a disk and Volume as an actual cinder volume).",
"parentUuid": "a4f476f9_a41d1a37",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -761,6 +905,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
"uuid": "4a06bee3_3314bdf7",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 785,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "Yeah, I\u0027m just saying that things that prevent users from doing operations that are expected to work suck. So, especially if the user doesn\u0027t grok that two flavors have two different encryption schemes, it will suck to just strand their instance in the old configuration for no real reason. I get that there\u0027s no second format now, but \"unencrypted\" is a sort of shadow extra format.\n\nSo, someone says \"ooh, I\u0027d like this new secure flavor, boot an instance\" then a week later realizes \"oh the disk encryption is probably why we\u0027re having perf problems, let me resize to a non-secure flavor\" and then is stuck.\n\nNot a huge deal necessarily, but it does kinda suck to have those sorts of bait-and-switch pitfalls.",
"parentUuid": "1fcebc9d_d568d673",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -796,6 +958,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": false,
"key": {
"uuid": "f6e22b99_2c0ab6d9",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 805,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "Acknowledged",
"parentUuid": "65057910_c90b8661",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {
@ -831,6 +1011,24 @@
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": false,
"key": {
"uuid": "154d9e81_6a0a97ec",
"filename": "specs/2024.2/approved/ephemeral-storage-encryption.rst",
"patchSetId": 7
},
"lineNbr": 844,
"author": {
"id": 4393
},
"writtenOn": "2024-03-28T14:37:36Z",
"side": 1,
"message": "Acknowledged",
"parentUuid": "1f92668c_9640e3ef",
"revId": "6940b7f76b9e415fd0ab75cbea9c0b001a68272a",
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
},
{
"unresolved": true,
"key": {