13:02:04 #startmeeting 13:02:04 Meeting started Wed Oct 15 13:02:04 2014 UTC. The chair is alinefm. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:02:04 Useful Commands: #action #agreed #help #info #idea #link #topic. 13:02:04 #meetingname scrum 13:02:04 The meeting name has been set to 'scrum' 13:02:05 Hey aline 13:02:18 #info Agenda 1) Status 2) Open discussion 13:02:18 anything else? 13:03:03 good for me 13:03:19 #topic Status 13:03:19 #info Please provide your status using the #info command: #info 13:03:41 #info YuXin Design UI of 'guest clone', 'serial console', 'new UI header' 13:04:16 #info alinefm sent patches to use installed spice-html5 code when possible (opensuse13.1 and rhel7 don't have this package so Kimchi must be build with --with-spice-html5) 13:04:54 #info royce investigated about integrate LDAP with kimchi, sent an RFC to ML, now implementing authentication part, will send v1 before this Friday 13:05:02 #info alinefm is working on vm template refactor 13:05:23 #info worked on the cloning feature, reviewed patches on the mailing list 13:05:27 #info vianac worked on the cloning feature, reviewed patches on the mailing list 13:05:27 ops 13:05:30 #info rotru sent V5 of patches to fix help 13:06:09 good progress team! 13:06:28 #info wenwang sent patch of PCI passthough UI 13:07:19 #info wenwang working on designing UI to allow user adds disks from different pools to a Template 13:07:53 #info danielhb sent a patch that revamps the use of the console log 13:08:04 #info wenwang working on redesigning "Edit Template" function 13:09:01 great! 13:09:05 shall we move on to open discussion? 13:09:36 ok 13:09:39 #topic Open Discussion 13:09:45 what do you want to discuss today? 13:10:08 for serial console, seems like virt-manager enabled it by default 13:10:54 YuXin, I was reading zheng zhou replies on it 13:10:55 why not enable it by default in kimchi? 13:11:03 ok 13:11:08 yeap! I think it would be the best solution 13:11:29 baude, have you had type to check the ML about the serial console? 13:11:45 YuXin, so user will always have serial on their vms in addition to vnc/spice 13:12:00 yes 13:12:11 YuXin, do you know some open source project to enable the text console on web? 13:12:17 by using websockets... 13:12:30 not investigated that yet 13:12:36 alinefm, no i hadnt seen it, i see it now 13:12:45 about the "Edit template", I think we should move "UI to allow user adds disks from different pools to a Template(wenwang)" and "Move iSCSI/SCSI volume selection to VM creation instead of Template view(wenwang)" together since we are going to enable volume eidt in the new "Edit Template" function 13:13:18 if enable serial console by default, then no UI is needed for that 13:13:24 ignore my design 13:14:05 looks like my work isnt needed alinefm 13:14:08 alinefm YuXin, I heard from zhengsheng that there is some emulator of console of web, he tried it before 13:15:13 royce, yeap! I've just read it on ML 13:15:21 we need to think about security first for web text console 13:15:30 some kind of wspty 13:15:43 baude, yes =/ 13:16:08 wenwang, agree - I will remove the seconds from wiki page 13:16:15 the only security control there is the login of linux command line 13:16:25 YuXin, seems Zheng Zhou has provided a solution for the security 13:16:50 the kimchi login isn't enough? 13:17:00 alinefm, I will warn you, its a bad assumption that serial and graphical are complimentary. 13:17:23 alinefm: Thanks 13:17:35 distro installers, if they detect both, will send information to the graphical console that isn't available on serial 13:17:39 web socket -> serial port -> guest console 13:17:58 with the current proposal, there should be an off option for graphical 13:18:00 kimchi can be bypassed to access web socket 13:18:03 alinefm: also, I think now "Guest disk hot plug UI(wenwang)" is enabled after talked to royce 13:18:27 so only guest console need login 13:18:31 yes, we wandered why we need this task 13:20:15 wenwang, royce, AFAIK I am not able to add a disk to a running vm 13:20:22 only when it is stopped 13:20:33 baude, most of installers do that way? 13:20:44 and boot time as well alinefm 13:21:00 if (params['bus'] not in HOTPLUG_TYPE 13:21:01 and DOM_STATE_MAP[dom.info()[0]] != 'shutoff'): 13:21:01 raise InvalidOperation('KCHVMSTOR0011E') 13:21:03 its a simple add alinefm 13:21:12 so need to evaluate exposing serial port of guest vm without security control 13:21:54 YuXin, even the serial port exposed the user will only access it through Kimchi web text console, right? 13:22:06 this web text console will be protected by kimchi authentication, right? 13:22:55 royce, hmm.. so we need to enable it on UI 13:22:56 the web socket that host opened can be accessed out of kimchi, right? 13:23:19 YuXin, no - it connects to localhost 13:23:33 if I remember correctly 13:24:06 alinefm: I think we have it enabled in earlier patches 13:24:32 wenwang, let me check 13:24:36 I resolved a bug about UI passing bus type, I deleted the bus type, backend pick the right one, so backend will pick virtio if vm is labled 13:24:52 alinefm, you mean only kimchi UI can access the web socket? 13:24:55 alinefm: Now we can not only change the disk as well as clear the input 13:25:44 let me verify wenwang, alinefm 13:26:03 royce, wenwang, on a running VM, I select "Edit" then "Storage" tab and there is no button to add more disks or change the current vda 13:26:18 royce, wenwang, with vm running I can only change the cdrom value 13:26:29 alinefm: I see 13:26:33 YuXin, yes 13:26:51 ok, I think that is enough 13:26:56 YuXin, I need to test to confirm, but I remember the web sockets connects to localhost 13:27:07 to prevent others to get its connection outside 13:27:39 alinefm: I will have it done ASAP, thanks 13:27:46 alinefm, so you tend to make 'web text console in kimchi UI' to be contained in 1.4? 13:28:19 or it is low priority that we make it a run-at 13:28:20 YuXin, if it is easy as Zheng Zhou said I think we can try to do it for 1.4 13:28:48 ok 13:28:51 we can test what he said and see how it will work 13:29:01 if we identify a lot of bugs we drop it for next release 13:29:07 YuXin, make sense? 13:29:08 ok 13:29:11 sure 13:29:39 serial console and vnc/spice can coexist 13:29:47 yes 13:30:03 so in vm actions, connect need to split into 2 actions 13:30:27 ok, I will try more about it 13:30:30 we can add a new action "Text Console" or something like it 13:30:37 yes 13:30:49 baude, is there a way to choose between the consoles on installation time? 13:31:08 yes, console= on the bootloader, but most people dont understand that 13:31:35 and most distros autodetect consoles, but usually if they see graphical, they assume graphical 13:31:35 isn't there a libvirt config to do that? 13:32:19 alinefm, think of it like this ... you have two consoles open, if you boot an iso, its very likely the graphical installer will open on the graphics device, meanwhile you see little after the kernel boots on serial 13:32:23 royce, about the disk hot plug, so the backend is done? just need to enable on UI? 13:32:26 how can you predict which on the user looks at 13:32:52 yes, alinefm, I checked, and I have added testcases for it 13:33:09 royce, great! =) 13:33:11 wenwang, if you have any problem, feel free to talk to me 13:33:56 baude, I mean, if there is an libvirt option for it, we could enable user to select which console he wants to use for installation, for example 13:34:31 no there isnt, libvirt just makes the devices available 13:34:40 the kernel will see both if present 13:34:55 royce: thanks 13:35:01 yw 13:35:42 baude, hmm got it 13:37:20 for guest clone, whether pre-check will be added to see whether enough space for storage pool? 13:38:07 YuXin, I was talking to vianac about it yesterday and we have agreed to don't require any user input on clone 13:38:43 we will check the space in the current storage pool and if it is full or *SCSI we fallback to default pool 13:39:00 what do you think about it? 13:40:16 I think it will work and any failure, kimchi UI will report that 13:40:18 shall we reject it directly? 13:40:47 YuXin, yes 13:40:59 royce, if rejected, we also need to give user a way the perform the clone 13:41:01 royce, do you mean reject clone? 13:41:15 yes 13:41:29 in which scenarios? *SCSI? 13:41:39 I'm not sure fallback to default pool is expected behavior 13:42:09 default pool will not be expected, at least user may want to create a new pool 13:42:42 I was reluctant about it too but we can document it as well 13:42:53 so user can be able to easily clone you vm using scsi disks 13:43:35 royce, vianac has noticed virt-manager reject it by default, ie, you can not create a clone from a vm using *scsi disks 13:43:47 which is bad IMO 13:43:55 maybe, we can add a feature to move volumes between pools 13:45:02 that's true, for scsi disks, if you don't input we can only choose default 13:45:30 royce, YuXin, or we could add a confirmation dialog on UI, if the vm to be cloned has *SCSI disks (we can know it on UI I think) we display a dialog: "The iSCSI and SCSI disks will be cloned on default storage pool. Do you want to continue?" 13:45:31 so default behavior requires fewest user actions, but if user really want to ajust the pools for volumes 13:45:40 and after confirmation we do the clone 13:46:55 YuXin, hmm... are you saying to allow user move the disks around pools? from default pool to X pool? 13:46:58 all SCSI disks will be cloned to default? I remember it will be read out and copy to another volume in the same iscsi pool 13:47:05 yes 13:47:08 alinefm that can do, and we may want to allow user to clone to scsi pool because technichally it is easy right? 13:47:53 YuXin, royce, both iSCSI and SCSI disks will be clone on default pool - it is just a copy/paste of the disk content to other file 13:48:14 YuXin, I think it can be a good feature to have - we can add it to backlog 13:48:27 ok 13:48:58 I know, I mean, pick a SCSI volume and copy the content of another SCSI volume to it is easy technically, but need more input 13:48:58 I want to guanartee that user at least have a way to make a cloned vm to have diskes at their expected pool 13:50:14 royce, yes 13:51:53 I'm ok with putting scsi pick to backlog, I suggest for full pool we reject 13:52:46 royce, do you mean fallback *SCSI to default pool and only reject when pool is full? 13:53:04 alinefm, do you wanna talk about LDAP authorization 13:53:12 yes~ 13:53:18 if default pool is full, we can reject and leave a message that move volumes from default pool to other pools 13:53:40 as we have feature to move volumes between pools, then user can try to adjust 13:54:21 royce, and if the pool is full and it is not the default, we fallabck to default too? 13:54:59 if we could allow the user to move existing disk files from one pool to another one, they could do that after cloning if Kimchi created a disk in a pool they didn't want to 13:55:26 full pool reject I mean, alinefm:) 13:56:30 if reject, I think let user select whether to copy to default pool 13:56:34 is better 13:56:44 vianac, royce, YuXin, alright! let me do a compilation of what we have discussed 13:57:00 :) 13:57:04 - iSCSI and SCSI disks will be cloned on *default* storage pool 13:57:13 vianac, YuXin, royce agree? 13:57:23 ok 13:57:25 yes 13:57:28 yes 13:57:33 should we display a confirmation dialog in this case? 13:57:38 no 13:57:50 I would say yes... 13:57:55 doc it will be enough 13:58:23 the confirmation dialog, if user select no, what is next? 13:58:45 YuXin, don't clone the VM 13:58:46 IMO there should never be a confirmation dialog. Kimchi will always clone to a new, working VM, it should always work (unless an error occurs, of course) 13:58:47 Cancel and Yes:) Hehehhh 13:59:06 the user should be able to edit the new VM (name, disks) later in "Edit Guest" if they want to 13:59:07 Cancel or Yes 13:59:09 vianac, so your vote is for no? 13:59:13 alinefm, yes 13:59:21 don't clone the vm, so a vm with a iscsi volume will never have a way to be cloned? 13:59:44 YuXin, if the confirmation dialog it will be possible if user selects "Yes" 13:59:53 *with the confirmation... 14:00:22 I am fine with both solutions 14:00:30 so only one way is given to the user, if he/she want to clone the vm with iscsi volume, he need to agree to clone it to default 14:00:36 I mean, the doc would be enough for that 14:00:46 (but who reads the doc? =)) 14:00:52 yeah! 14:00:56 YuXin, yes 14:01:12 clone to default, no harm at all I think 14:01:51 especially when you have interactive UI, no one reads doc at all, UI for user, doc for admin:) 14:01:58 YuXin, vianac, royce, ok - let's do without the confirmation dialog for now and collect feedbacks on it 14:02:05 OK 14:02:16 seconds point: 14:02:42 - if pool is full, rejects the clone with an error message 14:02:49 vianac, royce, YuXin agree ^ 14:02:58 +1 14:03:18 alinefm, which pool? 14:03:24 if I still want to clone the vm, what is the way as other pools still have space 14:03:31 the default one? the one from the original VM? 14:03:59 I think we have 2 views on it: 14:04:00 yes, YuXin.. 14:04:27 1) if original VM pool is full -> fallback to default pool and only rejects if default pool is full 14:04:29 and even default pool would be full and others empty:) 14:04:30 so here, default pool is just like a backup pool when other pools are full 14:04:39 2) if original VM pool is full -> rejects 14:04:50 I think 1) is good 14:04:54 I vote for 1 14:04:58 o/ (1) 14:05:06 royce, ? 14:05:35 I'd like users to pick...:) 14:05:50 hehehe 14:06:00 But I respect you guys opinion 14:06:12 after all I'm not the user 14:06:33 I think all we are trying to achieve is to make clone without any user input as default 14:06:33 yes, you are 14:06:39 I don't know if specify pool would bother him or benefit him 14:06:42 at least I hope you use kimchi =P 14:07:15 if a dialog for user to specify, then the whole story is different 14:07:23 For me I don't like people make decision for me,hehhe 14:07:46 when I'm not aware 14:08:21 royce, you will be aware about the "default fallback" on clone as we will doc it =) 14:08:22 we can popup a dialog with default assignment of pools and user can select the target pool for any volume 14:08:32 I think we can try that way and collect feedbacks 14:08:37 hahah, ok~ 14:08:51 from my user view, the only thing I want is to clone my vm 14:09:01 honestly I don't care where the disks are in the first moment 14:09:23 yes, I only worried about some pool would be slow 14:09:26 I agree default can be this 14:09:56 vianac, ? 14:10:13 2 clones: default clone and customized clone 14:10:29 now provide a defaut clone withouot any user input 14:10:33 So if like a pool in nfs I might want to dir, and because scsi's faster than dir, I would wish use scsi 14:10:51 if there is feedbac to customize, another clone can be added with full user confiuration 14:12:19 Just my opinion, I'm not very insist on this problem:) 14:12:54 clone -> default clone(no user input) 14:12:55 customized clone(disks -> pools configuration) 14:13:00 YuXin, agree 14:13:07 I still think the user should clone and change the VM configuration if they want to; that's how it is now when creating a new guest (it uses a lot of default values); that's how it is now when creating a new template; that's how it is now when cloning a template 14:13:43 alright! I think we get an agreement on it =) 14:13:53 we are over time and think there is more topics for today 14:13:55 when I check virt-clone, they allow to pass a customised storage path 14:14:03 the common behaviour in other parts of Kimchi is creating things and then editting them later 14:14:05 still you can use default one 14:14:33 vianac, so we need the feature to move volumes between pools 14:14:40 YuXin, sure 14:14:50 alinefm, shall we talk about LDAP? 14:14:55 that'll be useful even for non-clone situations 14:14:58 YuXin, I will add it to backlog because I think we already have a big feature list for 1.4 14:15:05 royce, yeap 14:15:08 ok 14:15:36 Have you read my mail for authorization today? 14:15:38 royce, I think we are diverging about it because you can use LDAP for authorization and I think it only for authentication 14:15:41 ldap authentication or ldap authorization, just confirm? 14:15:43 yes 14:15:58 I'd like to use it for both 14:16:32 why ldap is involved in authorization? 14:16:34 authorization because LDAP is already able to cover, write this part ourselves seems no benefit 14:16:39 let me check your email first (I lost my internet connection yesterday afternoon and it only came up again this morning) 14:16:54 LDAP has role maintainence, YuXin 14:17:24 If we don't keep user roles in LDAP, we need a dedicate db for roles 14:17:29 but now there is no role in kimchi 14:17:41 also this cannot share among cluster of hosts 14:17:47 there is YuXin 14:17:55 now just user and admin 14:18:05 for each tab 14:18:21 so ldap is integrated into kimchi rather than linux os? 14:18:41 def get_roles(self): 14:18:41 if self.has_sudo(): 14:18:41 # after adding support to change user roles that info should be 14:18:41 # read from a specific objstore and fallback to default only if 14:18:41 # any entry is found 14:18:43 self.user[USER_ROLES] = dict.fromkeys(tabs, 'admin') 14:19:10 you see, we already planned to do distinguish the first time we add role 14:19:17 yes 14:19:23 my first question is that whether the ldap user will be a linux os user after integrated? 14:19:52 I point of view is the same described by Zheng Zhou 14:19:55 http://www.ibm.com/developerworks/cloud/library/cl-ldap-keystone/index.html 14:20:07 we can't compare openstack with Kimchi as it is 14:20:19 we still want cluster, right? 14:20:23 Kimchi is for small environments and need to coexist with existing applications 14:20:39 openstack has it own dedicated applications and so 14:21:31 most of time, the LDAP server will be already setup for someone and if the admin wants Kimchi to use it he doesn't want to change it configuration 14:21:46 I can't connect AT&T, so can't see his comments, alinefm 14:21:46 think about a company (for example IBM) 14:22:11 then how can we setup the role information? 14:22:16 if I want to user its LDAP server for authentication, it is fine because I just need to match criterias 14:22:31 but if I need to change its setup it will be a nightmare 14:22:34 we need user/role map 14:22:44 first, I doubt anyone will allow me to do that 14:23:15 if we are a small cluster there would be small number of people using it:) 14:23:22 royce, for the authorization schema, I think we can follow the same approach for PAM authentication 14:23:48 ie, have a objectstore to hold the user/role map 14:24:03 how can it spread to other host? 14:24:25 about the cluster concern you have (to share the same information between hosts) we can use the peers as Zheng Zhou suggested 14:24:50 for example, we can have a new tab for kimchi configuration where admin will assign user roles, etc... 14:24:55 Haven't read it, could you explain 14:25:09 and in that tab we can have a "Import authorization schema" 14:25:20 current kimchi authentication and authorization are all based on linux, so if the ldap can be integrated at OS level to make ldap user to be the host OS user, then all will be streamlined 14:25:27 that feature will allow you import an authorization schema from other kimchi server 14:25:50 so they can share the same config without requiring any manual intervention 14:26:43 OK, acceptable 14:26:45 YuXin, it is not possible - LDAP does not communicate with OS level 14:27:25 YuXin, example, you use your intranet credentials to login, right? the idea is make you able to use those credentials to login into kimchi 14:27:47 but it does not have any relation to OS 14:27:52 makes more sense now? 14:28:43 royce, I will add Zheng Zhou's idea to our backlog 14:29:03 ok 14:29:03 (about this configuration tab and import authorization schema) 14:29:29 royce, YuXin, what we need to think is how we will present the user/group information in the "Permission" tab 14:29:39 today we list all the system users and groups 14:29:50 but it is not feasible for LDAP 14:30:00 we just list logged ones 14:30:24 because we store in objstore about role info, we can add this, is that OK? 14:31:04 log in ones 14:31:15 but I would need to ask a user to login into Kimchi prior to assign him to a vm 14:31:22 I don't think it is good 14:31:29 I thought in do it in a search process 14:31:44 example: user enter "alinefm" and click on "Search" button 14:32:04 it will produce a request GET /user?username=alinefm* 14:32:25 and then we list all the mail address in LDAP that matches with "alinefm" 14:33:00 but in that case we will need a different "Permission" tab when the authentication method is LDAP 14:33:53 http://www.howtoforge.com/linux_ldap_authentication 14:33:53 if I understand correctly, linux can leverage ldap for authentication, then ldap user is just like linux OS user 14:34:33 if a user does not tagged with group and role, only list the user does not make sense, resources and permission is related with roles 14:34:55 YuXin, this is a doc about how you migrate linux system users to LDAP 14:35:03 it is another way to setup LDAP on OS 14:35:33 royce, the admin user for LDAP authentication will be listed on kimchi config file 14:35:46 all others users have "user" role 14:35:48 yes 14:36:14 let's say I am a normal user in a LDAP setup for kimchi 14:36:23 and you are an admin user 14:36:27 I will investigate more about it tomorrow, I exactly remember even windows, there domain users. 14:36:35 royce, you want to assign a VM for me 14:36:49 how did you find out me on "Permission" tab? 14:37:32 YuXin, you can integrate LDAP authentication to OS authentication too, but it is not what we want for Kimchi 14:37:33 got u, alinef 14:37:37 alinefm 14:38:08 YuXin, the OS will continue using PAM for authenticate the users through SSH for example but Kimchi will be setup to use LDAP 14:38:40 royce, because that I thought about the search process 14:38:44 but in that case we will need a different "Permission" tab when the authentication method is LDAP--You mean not list users? 14:39:01 it can work well but we will have 2 different UI according to authentication method 14:39:10 royce, exatcly 14:39:17 *exactly 14:39:23 I still think admin need to see users, at least tagged ones 14:39:39 others not tagged can be ignored 14:39:51 but if someone is store admin/net admin 14:40:11 Admin would like to know or deprive there authorization 14:40:17 alinefm, if there is not a layer on top of native and ldap for abstraction, but kimchi integrate ldap by itself, then there will be 2 paths for native and ldap authentication separately in the future. 14:40:35 search does not able to fulfill this 14:41:43 if a power linux already have a ldap authentication configured, will kimchi leverage that? 14:42:06 yes, YuXin 14:42:08 YuXin, the LDAP config will be on kimchi config file 14:42:19 royce, not sure I understood your point 14:42:41 royce, YuXin, I am worried about the time for you guys - it must be too late for you 14:42:59 I mean, in permission tab, you use search for adding user autorization and assigning vm, right? 14:43:05 before kimchi is installed, a power linux already configured ldap authentication, then kimchi installed, whether kimchi will have those ldap users? 14:43:19 royce, yes 14:43:21 Still we need to delete/ change these authorization 14:43:49 then we need to know, who is in a group, who has the role of network admin 14:43:57 then we need to list users 14:44:07 there is no network admin by now 14:44:12 alinefm, we can hold on for a while 14:44:28 alinefm, the role is per tab 14:44:41 royce, yes - it will continue like that 14:45:06 there is a network tab 14:45:44 point is, we need to know what users authorized of what role/permission 14:46:07 royce, I am talking about this Permission tab: http://picpaste.com/_7530EE84039C7ECD-YUzIEaN9.jpg 14:46:15 on guest edit 14:46:48 royce, the admin users for LDAP will be listed on kimchi config file 14:46:56 all other users are normal user 14:47:21 so if a LDAP ID is listed as kimchi admin on config file it will be admin on all tabs 14:47:48 this is the same, like we have a group, br group and china goup 14:47:56 each group have some machines 14:47:58 my concern right now (to enable LDAP authentication) is we need to change the Permission tab (on guest edit) to get the users on LDAP server 14:48:48 alinefm, I understand, we can't list all users on LDAP server 14:48:57 royce, yes - I also think the "group" in LDAP will be handle as a LDAP domain 14:49:36 and if tivoli and LTC group? 14:49:58 there are filter for ldap domain that can be used for it 14:50:26 as you said we can't depend on it for role, group neither, because you don't use it for authorization 14:50:36 example: "o=cn.ibm.com" 14:50:44 or "o=br.ibm.com" 14:50:59 I understand this 14:51:17 royce, why can't we use it? 14:51:25 after user selection we will store it on VM 14:51:30 we can't manipulate group then 14:51:45 if we don't have a w3 LDAP 14:51:55 LDAP can be whatever LDAP 14:52:37 the user/group mapping cannot depend on LDAP server query 14:52:57 it needs to go to objstore, right? 14:53:16 on guest edit and Permission tab: user will input user as "alinefm@..." and group as "o=cn.ibm.com" to a VM 14:53:28 we will store it on VM metadata (as we did today) 14:54:20 when checking if a user has access to this VM we will search if the user is "alinefm@..." or if it is on "o=cn.ibm.com" result 14:55:09