Monday, 2021-01-11

« Sunday, 2021-01-10 Index Tuesday, 2021-01-12 »
*** JayF has quit IRC01:23
*** ricolin_ has joined #openstack-ironic01:23
*** iurygregory has joined #openstack-ironic02:07
*** JayF has joined #openstack-ironic02:40
*** rcernin has quit IRC02:59
*** rcernin has joined #openstack-ironic03:08
*** mkrai has joined #openstack-ironic03:08
*** rcernin has quit IRC03:19
*** rcernin has joined #openstack-ironic03:30
*** ricolin_ has quit IRC07:11
*** mkrai has quit IRC07:13
*** hoonetorg has joined #openstack-ironic07:46
*** rcernin has quit IRC07:51
*** mkrai has joined #openstack-ironic07:53
arne_wiebalckGood morning, ironic!07:58
jandersgood morning arne_wiebalck o/08:05
arne_wiebalckhey janders, good morning o/08:05
*** rpittau|afk is now known as rpittau08:33
rpittaugood morning ironic! o/08:33
*** dougsz has joined #openstack-ironic08:39
*** yoctozepto has quit IRC08:48
*** sshnaidm|afk is now known as sshnaidm|ruck08:57
jandersgood morning rpittau o/08:57
rpittauhey janders :)08:58
*** lucasagomes has joined #openstack-ironic09:00
*** Qianbiao has joined #openstack-ironic09:07
*** ociuhandu has joined #openstack-ironic09:18
openstackgerritMark Goddard proposed openstack/bifrost master: Update APT metadata before install debootstrap  https://review.opendev.org/c/openstack/bifrost/+/76921909:18
*** akahat is now known as akahat|rover09:41
*** ociuhandu has quit IRC09:43
*** derekh has joined #openstack-ironic09:44
*** ociuhandu has joined #openstack-ironic09:53
*** ociuhandu has quit IRC09:58
*** tosin has joined #openstack-ironic10:02
*** ociuhandu has joined #openstack-ironic10:09
*** ociuhandu has quit IRC10:14
*** ociuhandu has joined #openstack-ironic10:15
*** ociuhandu has quit IRC10:29
*** ociuhandu has joined #openstack-ironic10:30
*** dtantsur|afk is now known as dtantsur10:37
dtantsurhappy Monday, ironic10:37
*** mkrai has quit IRC10:54
jandershey dtantsur o/11:00
*** ociuhandu has quit IRC11:18
*** ociuhandu has joined #openstack-ironic11:23
*** ociuhandu has quit IRC11:28
*** ociuhandu has joined #openstack-ironic11:30
*** zzzeek has quit IRC11:33
*** ociuhandu has quit IRC11:35
*** zzzeek has joined #openstack-ironic11:35
iurygregorygood morning arne_wiebalck rpittau dtantsur janders and Ironic!11:37
arne_wiebalckhey iurygregory o/11:38
iurygregoryo/11:38
*** ociuhandu has joined #openstack-ironic11:43
*** rcernin has joined #openstack-ironic11:51
*** ociuhandu has quit IRC11:51
tosinHello Ironic! I proposed a change in ansible modules but it failed bifrost tests. Could someone please help check? I still have a lot to figure out o/11:55
tosinHere's my change https://review.opendev.org/c/openstack/ansible-collections-openstack/+/77003711:55
dtantsurKeyError: 'deploy'11:56
dtantsurtosin: I think because of module.params['deploy']. I don't know what you meant, but this thing does not exist.11:56
dtantsurcommented. I think you need to check what validation does, the whole patch seems not quite right to me.11:58
*** ociuhandu has joined #openstack-ironic12:05
tosindtantsur: module.params['deploy'] had already been used before I made changes. On line 315.12:08
dtantsurah, it's a boolean value. well, you don't need to touch it anyway12:09
dtantsuryou could probably add a new boolean flag "validate" to control the validation12:09
dtantsurthen KeyError may be because of node['deploy']12:09
*** ociuhandu has quit IRC12:11
*** zzzeek has quit IRC12:19
*** rcernin has quit IRC12:21
*** zzzeek has joined #openstack-ironic12:21
*** ociuhandu has joined #openstack-ironic12:24
*** nam-est has quit IRC12:28
*** ociuhandu has quit IRC12:37
*** bfournie has joined #openstack-ironic12:38
*** rh-jelabarre has joined #openstack-ironic12:41
*** ociuhandu has joined #openstack-ironic13:10
openstackgerritMerged openstack/ironic-python-agent stable/victoria: Fix default disk label with partition images  https://review.opendev.org/c/openstack/ironic-python-agent/+/76974813:12
*** ociuhandu has quit IRC13:14
*** ociuhandu_ has joined #openstack-ironic13:14
openstackgerritDmitry Tantsur proposed openstack/ironic master: [WIP] Common framework for configuring secure boot  https://review.opendev.org/c/openstack/ironic/+/76996113:17
*** ociuhandu_ has quit IRC13:22
openstackgerritDmitry Tantsur proposed openstack/ironic master: [WIP] Common framework for configuring secure boot  https://review.opendev.org/c/openstack/ironic/+/76996113:23
openstackgerritDmitry Tantsur proposed openstack/ironic master: [WIP] Switch iLO and iRMC to the new secure boot framework  https://review.opendev.org/c/openstack/ironic/+/77012213:23
*** nam-est has joined #openstack-ironic13:31
nam-estHi all, anyone please give a review to these PRs? We really need this feature to go in ASAP.13:31
nam-esthttps://github.com/metal3-io/baremetal-operator/pull/72813:31
nam-esthttps://github.com/metal3-io/ironic-image/pull/23013:31
nam-esthttps://github.com/metal3-io/ironic-inspector-image/pull/7013:31
nam-estThank you13:31
nam-estbtw, the first two PRs need other to be merged before they can pass the CI. In detail, the first PR can pass when the second one is merged, but the second one cannot pass if the first one is not merged.13:33
nam-estAre there anyways to solve that problem?13:33
iurygregoryI'm not sure if can just remove the support for http_basic in  ironic.conf.j213:34
iurygregorywe would still need to configure things in ironic.conf13:35
*** ociuhandu has joined #openstack-ironic13:35
iurygregoryI think it would end up with auth_strategy = noauth in all scenarios (please correct me if I'm wrong)13:36
nam-estiurygregory: the basic authentication is moved to the Apache server, so in my PR, Apache will handle the authentication13:36
nam-estiurygregory: that is why I put it as noauth in ironic.conf. Any idea how we can configure in this case?13:38
dtantsurnam-est: mm, no, you're using "WSGIPassAuthorization On"13:39
iurygregoryno idea atm, but I don't think we can just move the auth to part to apache and have ironic with only noauth...13:39
iurygregoryI would say some variable will control if we need to set in ironic.conf or not like before13:39
*** ociuhandu has quit IRC13:40
*** ociuhandu has joined #openstack-ironic13:40
*** ociuhandu has quit IRC13:40
*** ociuhandu has joined #openstack-ironic13:41
dtantsurnam-est: https://github.com/metal3-io/ironic-inspector-image/pull/70 has outstanding comments since early December13:41
*** ociuhandu has quit IRC13:41
nam-est<dtantsur>: I forgot to remove that `"WSGIPassAuthorization On`.13:42
nam-estdtantsur: However, it is also true that moving the basic_auth to apache means that we cannot configurate it using ironic.conf. Should we keep it on Ironic, or still move to Apache?13:44
dtantsurnam-est: I don't have a strong opinion here, but probably handling it on the httpd level makes more sense13:45
*** yoctozepto has joined #openstack-ironic13:45
iurygregorywe just need to make sure everybody the metal3 community is ok13:45
dtantsurI'd like to get our openshift folks involved in this as well13:46
*** ociuhandu has joined #openstack-ironic13:47
iurygregoryyeah, zaneb maybe you would like to look at this ^13:47
nam-estOk, I will tag him to the PR13:49
nam-estIn the PR in ironic-inspector-image repo, I added a httpd as a reverse proxy to handle TLS since we have an issue with Eventlet handling TLS.13:56
nam-estHow do you think about that approach? Since this is a new approach, so I would like to hear from you.13:56
dtantsurit's probably the way to go, yes13:56
nam-estdtantsur: Cool13:57
dtantsuryou could also try an eventlet-compatible wsgi server, like uwsgi (?)13:57
dtantsuror gunicorn13:57
nam-estdtantsur: in that case, do we need to separate the inspector-api and inspector-conductor13:59
nam-est?13:59
dtantsurthat's an orthogonal question, let's not involve it for now13:59
dtantsurthis split currently requires rabbitmq which we don't want13:59
nam-estdtantsur: that is true13:59
dtantsurwith an eventlet-compatible server you may end up with only one process, yes14:00
dtantsurthe best way to decide is to build a testing lab and test a few approaches under load14:01
nam-estwe can use the reverse proxy for now, and think about the way to use uwsgi or gunicorn in the later versions.14:01
dtantsuryep14:01
openstackgerritAija Jauntēva proposed openstack/ironic master: Add 'deploy steps' parameter for provisioning API  https://review.opendev.org/c/openstack/ironic/+/76835314:01
nam-estAlso, we are worrying that the same SSL problems can happen if we let ironic-conductor handles TLS itself. We haven't seen the problem from log of the conductor, but cannot make sure that it will not happen14:03
nam-estshould we also add reverse proxy for the ironic-conductor?14:03
openstackgerritAija Jauntēva proposed openstack/python-ironicclient master: Add 'deploy steps' for  provisioning API  https://review.opendev.org/c/openstack/python-ironicclient/+/76835414:04
dtantsurnam-est: I feel that it could be an unnecessary overcomplication14:04
dtantsur(even the switch to API may be premature, unless you actually handle hundreds or thousands of nodes with many API consumers)14:05
TheJuliagood morning14:07
*** rloo has joined #openstack-ironic14:08
nam-estdtantsur: I see from https://bugs.python.org/issue31122 that the SSL issue happens when the SSL handshake is disrupted for some reasons.14:08
nam-estNot sure if this kind of disruption happens when ironic-api and ironic-conductor talks to each other14:09
dtantsurnam-est: is updating Python an option for you?14:15
dtantsuryou're pretty much building a complex work around for a known and fixed bug14:15
dtantsurnam-est: also (forgot if I've asked) do you have eventlet at least 0.25.2?14:19
nam-estdtantsur: we cannot update Python to something more than 3.6, unfortunately. Otherwise, my life is much easier ^^14:20
nam-estI will check the eventlet version. Is the problem solved from 0.25.2?14:21
*** tzumainn has joined #openstack-ironic14:21
dtantsurnam-est: it might. re python.. you're not tied to Red hat technologies, are you? I think you use Ubuntu for base OS, you could probably use it for containers and/or even build them from source.14:22
*** bdodd has joined #openstack-ironic14:24
nam-estdtantsur: Yes, we are not tied to Redhat. But still, we cannot use something other than Python 3.6 because of some technical reasons.14:26
dtantsurokay, if eventlet 0.25.2 does not fix the problem, you can try newer versions as well14:31
nam-estok, thank you, dtantsur.14:34
*** tosky has joined #openstack-ironic14:39
*** kaifeng has joined #openstack-ironic14:43
arne_wiebalckanyone ever connected to a KVMIP endpoint (retrieved via Redfish)?14:45
* arne_wiebalck apparently struggles to do this14:45
*** ociuhandu has quit IRC14:45
*** ociuhandu has joined #openstack-ironic14:46
dtantsurnot me, maybe dell folks?14:53
TheJuliaDid we like merge everything and not post new patches?14:55
TheJuliaarne_wiebalck: I think you can on hp gear, but you need to use a specific vnc clients that grok the reversed encoding if memory serves14:55
arne_wiebalckdtantsur: TheJulia: thanks14:56
arne_wiebalckI have a server and Redfish provides me with a port, telnet reports RFB 3.8, so this looks like a VNC server ...14:56
*** spotz has joined #openstack-ironic14:57
TheJuliaYeah, the secret is the encoding is completely swapped around14:57
arne_wiebalckreports == returns "RFB 003.008"14:57
TheJuliathe recommended vnc client for nova virtual machines is supposed to work if memory serves14:57
arne_wiebalckoh, yeah? I tried different ones, different encryptions, but so far without luck14:58
arne_wiebalckcould be network, though, as I do this from home via tunnels and socks proxies ...14:58
arne_wiebalckI am just not sure if I should expect a VNC server on the other side14:59
arne_wiebalck(also: Redfish tells me the service is disabled, but I can still connect)14:59
*** stendulker has joined #openstack-ironic14:59
TheJulia#startmeeting ironic15:00
TheJuliao/15:00
openstackMeeting started Mon Jan 11 15:00:25 2021 UTC and is due to finish in 60 minutes.  The chair is TheJulia. Information about MeetBot at http://wiki.debian.org/MeetBot.15:00
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:00
*** openstack changes topic to " (Meeting topic: ironic)"15:00
openstackThe meeting name has been set to 'ironic'15:00
stendulker\o15:00
erbarro/15:00
bdoddo/15:00
rlooo/15:00
TheJuliaGood morning everyone, and welcome to our first weekly meeting of 2021!15:00
ajyao/15:00
rpittauo/15:00
arne_wiebalcko/15:01
kaifengo/15:01
rpioso\o15:01
*** nam-est has quit IRC15:01
TheJuliaOur agenda can be found on the wiki, as always.15:01
TheJulia#link https://wiki.openstack.org/wiki/Meetings/Ironic#Agenda_for_next_meeting15:01
TheJulia#topic Announcements/Reminders15:01
*** openstack changes topic to "Announcements/Reminders (Meeting topic: ironic)"15:01
dtantsuro/15:01
TheJuliaRight before the holidays, we performed another release. Thanks everyone!15:02
dtantsur\o/15:03
TheJuliaThis week is R-13 on the OpenStack release schedule. It appears requirements freezes go into effect project wide on R-5 this cycle along with R-6 for client libraries. In other words, Time is starting to run short for getting things into Wallaby.15:04
TheJulia#link https://releases.openstack.org/wallaby/schedule.html15:04
dtantsur#link https://owlet.today/posts/ironic-2020/ dtantsur's top picks from year 202015:04
TheJuliaDoes anyone have any other items to announce or remind us of this year?15:04
dtantsurwhen is our next release?15:05
TheJuliagood question15:05
dtantsurthe week of February 8th, 202115:05
*** MentalSiege has joined #openstack-ironic15:05
dtantsur4 weeks to go, let's make them count :)15:05
TheJulia#link https://specs.openstack.org/openstack/ironic-specs/priorities/wallaby-priorities.html15:05
TheJuliaCorrect15:05
TheJulia++15:05
TheJuliaIf there is nothing else, time to proceed on to the next item on our agenda.15:06
rloowhen do we think it might be time for a mid-cycle meeting (maybe this is an open discussion question)15:06
dtantsura great question15:06
iurygregoryyeah, zaneb maybe you would like to look at this ^15:06
iurygregoryops hehe15:06
iurygregoryo/15:06
TheJuliaAnd an item already noted on the Discussion agenda item :)15:06
rpittauI think it's in the meeting agenda15:06
rloo++15:06
rpittauyeah, that :)15:06
* iurygregory need to get used to new keyboard15:06
zaneblol15:06
TheJuliaSince we dind't have prior meetings this year, and it has been a while, I'm going to declare action item bankruptcy and move directly to reviewing subteam status reports15:07
TheJulia#topic Review subteam status reports15:07
*** openstack changes topic to "Review subteam status reports (Meeting topic: ironic)"15:07
TheJulia#link https://etherpad.openstack.org/p/IronicWhiteBoard15:07
TheJuliaStarting at line 29115:07
TheJuliadtantsur: commonizing the secure boot interface seems like separate from the work of *just* trying to cleanup the headache of the UEFI code, perhaps a separate item?15:09
dtantsuras you wish, although it's kinda related to cleaning up this area (just not the very bit you're cleaning up)15:10
dtantsurI understood this topic as a wider one15:10
rlooso i understand -- the only thing left (so far) is the common interface for secure boot?15:11
TheJuliaYeah, lets break it apart, I kind of just want to mark whole parts done15:11
TheJuliarloo: it was never defined as part of the initial work15:11
TheJuliaBut it is a logical item that should be performed15:11
TheJuliaI'm fine if we track it as a separate item15:12
rloothen yeah, lets break it up. would at least be easier to get the status of the new thing, w/o reading all the old stuff :)15:12
*** MentalSiege has quit IRC15:12
TheJulia++15:12
TheJuliaarne_wiebalck: You do have a UEFI + raid question, and my comment on the etherpad is that I *think* the patches covered that, but I don't think there was ever a reply.15:12
rloo(what sprint are we in now?)15:13
TheJuliasprint 215:13
rloothx15:13
arne_wiebalckI have a question on the whiteboard?15:13
TheJuliaarne_wiebalck: line..... 33315:14
arne_wiebalckah, right15:14
arne_wiebalckthis was mostly about the technical debt we added when we merged UEFI RAID15:14
arne_wiebalckwe had foreseen to clean this up "later" :)15:15
TheJuliaSo w/r/t nvme secure erase I got an email from janders, he expects to work on that this next week or two15:15
arne_wiebalckso, I was wondering if the ongoing work would remove that debt15:15
TheJuliaarne_wiebalck: so you may be "off the hook" of needing to do that now15:15
* arne_wiebalck feels busted15:15
TheJulialol15:15
TheJuliaNo need, it happens. :)15:15
TheJuliakaifeng: Any update on node history?15:17
TheJuliaOkay, looks like you started proposing the work15:17
kaifengTheJulia: yeah, have proposed some basic db code15:17
kaifengbut I'd like to get batch ops in the patch, so it still a wip15:18
TheJuliaNoted, adding notes15:18
TheJuliaand the patch to the review list15:18
TheJuliabdodd: ajya: I saw the redfish raid patch was being revised this weekend, will that be good for general review soon?15:19
TheJuliaiurygregory: Thanks for updating the oslo.privsep item15:20
iurygregoryTheJulia, np!15:20
TheJuliadtantsur: network manager with ramdisk unchanged?15:21
bdoddTheJulia Still some work still to do. I didn't get as much done of the holidays as I had hoped. But working on it mostly full-time now. I'll add some notes to the whiteboard.15:21
TheJuliabdodd: awesome15:21
dtantsurTheJulia: I haven't done anything about it afterwards15:21
TheJuliak15:21
TheJuliawho is medium purple color today in the etherpad?15:22
TheJuliaEtherpad says "Anonymous"15:22
rloomight be me.15:22
TheJuliaAnaconda?15:22
rlooyeah15:22
TheJuliathanks for the update there!15:23
TheJuliadtantsur: and I moved the secure boot interface stuff to line 41915:23
dtantsurthx!15:23
TheJulianp15:23
TheJuliaOkay, that was a lot!15:24
TheJuliaSo next on the agenda is priorities for the coming week15:24
TheJulia#topic Deciding on priorities for the coming week15:24
*** openstack changes topic to "Deciding on priorities for the coming week (Meeting topic: ironic)"15:24
TheJulia#link https://etherpad.openstack.org/p/IronicWhiteBoard15:24
TheJuliaStarting at line 12615:25
TheJuliaWorth noting, MANY things have merged15:25
TheJuliaSo I guess first I'll delete those items and delete the struck through items.15:25
TheJuliaPlease add new items below line 21615:25
TheJuliaLooks like a fairly long list, but a solid number of items have merged and new items proposed15:29
TheJuliaAny objections or concerns?15:30
* TheJulia hears crickets15:30
TheJuliaI'll take that as none and that we can proceed to our discussion topic15:31
dtantsurI cannot object since I added half of them :)15:31
iurygregory++15:31
TheJulia#topic Discussion15:31
*** openstack changes topic to "Discussion (Meeting topic: ironic)"15:31
*** anuradha1904 has joined #openstack-ironic15:31
TheJuliaWe have one discussion topic this week, midcycle call.15:31
TheJuliaIs anyone interested in having a midcycle call say in two weeks?15:31
rlooyes, if there are things to discuss :)15:32
TheJuliaI think there are some, I suspect we would only need ~3 hours15:32
TheJuliaHow do others feel?15:32
iurygregory+1 from me15:32
arne_wiebalck+1 for havin a call15:32
rpittaulet's do it :)15:32
dtantsur++15:33
TheJuliaAwesome, I'll create a doodle and etherpad later today15:33
TheJuliaThen I guess that leaves us at the BareMetal SIG15:33
TheJulia#topic Baremetal SIG15:33
*** openstack changes topic to "Baremetal SIG (Meeting topic: ironic)"15:33
TheJuliaarne_wiebalck do you have anything for us?15:33
arne_wiebalckMeeting tomorrow at 2pm UTC15:33
TheJuliaI guess, w/r/t midcycle, we should maybe dedicate some time to the sig as well15:34
arne_wiebalcktzumainn on multi-tenancy15:34
arne_wiebalckwill be the topic tmrw15:34
arne_wiebalckTheJulia: sure15:34
TheJulia#link https://etherpad.opendev.org/p/bare-metal-sig15:34
TheJuliaIs there anything besides that this week?15:34
openstackgerritDmitry Tantsur proposed openstack/ironic master: Common framework for configuring secure boot  https://review.opendev.org/c/openstack/ironic/+/76996115:34
arne_wiebalckotherwise NTR15:34
TheJuliaOkay then!15:34
TheJuliaWell, we have no RFEs listed15:35
TheJuliaso off to Open Discussion we go!15:35
TheJulia#topic Open Discussion15:35
*** openstack changes topic to "Open Discussion (Meeting topic: ironic)"15:35
rpittaujust wanted to point out that stable/v CI is broken in inspector15:35
* TheJulia wonders if this is a record, to open discussion in 35 minutes15:35
openstackgerritDmitry Tantsur proposed openstack/ironic master: [WIP] Switch iLO and iRMC to the new secure boot framework  https://review.opendev.org/c/openstack/ironic/+/77012215:35
rpittauthe ironic-inspector-grenade job seems to fail consistenly15:35
rpittauan example here: https://review.opendev.org/c/openstack/ironic-inspector/+/76753615:36
rpittauit seems the wrong kernel options are sent to ipa15:36
rpittauI did some troubleshooting but couldn't find a solution15:37
rpittauussuri and master work just fine15:37
iurygregoryso far I couldn't figure out a way to make it work also =(15:37
rpittauthe reason why it'se getting wrong kernel optioin is because it's loading boot.ipxe instead of ironic-inspecto.ipxe15:37
rpittauas show here: https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_761/767536/2/check/ironic-inspector-grenade/761e24d/controller/logs/ironic-bm-logs/node-0_no_ansi_2021-01-05-09%3A19%3A30_log.txt15:38
TheJuliaI'm sensing I'm going to need to spend a few days on stable branches15:38
TheJuliaIf there are issues fixed in victoria, please backport them further if needed15:38
TheJuliarpittau: so it doesn't handle managed introspection?15:39
rpittauTheJulia: from what  I can tell this is the only issue in Victoria, ussuri still has some interesting failures in other projects15:39
zer0c00l\o15:39
TheJuliaYeah, ussuri-> train is a bit of a disaster at the moment :(15:39
rpittauyep :/15:39
TheJuliacare and feeding of stable branches is a thing, and many cross branch issues the past few months :(15:40
rpittauI'll give ussuri another look this week, but for inspector in Victoria I definitely need help15:40
TheJuliaI bet that will need to be dtantsur or myself taking a look15:41
dtantsurcould you ping me tomorrow with all the details?15:41
rpittaudtantsur: will do15:42
TheJuliaOkay then15:42
TheJuliaDo we have anything esle to discuss this morning? Recipes to take over the world? Baked goods to cause all to deploy ironic?15:43
rloocrickets15:44
rloobaked15:44
dtantsur:D15:44
TheJuliagently roasted on a cleaning compute node?15:44
rpittaummmmh crickets15:45
TheJuliaWell everyone, Thanks for the great first meeting of the year! Now onward to taking over the world... well... taking over it even more!15:45
iurygregorywell done for me =P15:45
TheJuliaHave a wonderful week!15:45
dtantsuro/15:45
rpittauthanks :)15:45
arne_wiebalckThanks, TheJulia !15:46
iurygregoryo/15:46
kaifengthanks!15:46
rpiosoThank you!15:46
TheJulia#endmeeting15:47
*** openstack changes topic to "Bare Metal Provisioning | Status: http://bit.ly/ironic-whiteboard | Docs: http://docs.openstack.org/ironic/ | Bugs: https://storyboard.openstack.org/#!/project_group/75 | Contributors are generally present between 6 AM and 12 AM UTC, If we do not answer, please feel free to pose questions to openstack-discuss mailing list."15:47
openstackMeeting ended Mon Jan 11 15:47:21 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:47
openstackMinutes:        http://eavesdrop.openstack.org/meetings/ironic/2021/ironic.2021-01-11-15.00.html15:47
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/ironic/2021/ironic.2021-01-11-15.00.txt15:47
openstackLog:            http://eavesdrop.openstack.org/meetings/ironic/2021/ironic.2021-01-11-15.00.log.html15:47
*** ociuhandu has quit IRC16:16
*** eagereagle1 has joined #openstack-ironic16:22
*** ociuhandu has joined #openstack-ironic16:23
*** stendulker has quit IRC16:39
*** Qianbiao has quit IRC16:39
*** gyee has joined #openstack-ironic16:55
*** lucasagomes has quit IRC16:57
*** ociuhandu_ has joined #openstack-ironic17:02
*** ociuhandu has quit IRC17:05
*** ociuhandu_ has quit IRC17:07
rpittaugood night! o/17:10
*** rpittau is now known as rpittau|afk17:10
*** tosky has quit IRC17:24
*** tosky has joined #openstack-ironic17:25
*** dougsz has quit IRC17:25
dtantsurTheJulia, lbragstad, I'm looking at https://review.opendev.org/c/openstack/ironic/+/768135/ and really puzzled that we even try to test the memcached bits17:26
dtantsurcannot we just stub them out completely?17:26
openstackgerritMerged openstack/ironic master: Support configdrive when doing ramdisk deploy with redfish-virtual-media  https://review.opendev.org/c/openstack/ironic/+/76433317:29
*** ociuhandu has joined #openstack-ironic17:36
*** openstackgerrit has quit IRC17:37
*** ociuhandu has quit IRC17:41
TheJuliadtantsur: we need to test all the way through to the policy check itself since there is an implicit logical OR statement in oslo_policy, so the idea is to mock out memcache, let to run the check and compare, and if the result is is appropriate or as-expected.17:55
TheJuliahopefully that provides a little clarity on why?17:55
*** dsneddon has joined #openstack-ironic17:59
*** derekh has quit IRC18:05
dtantsurTheJulia: I guess I'm confusing why cannot we just check its memcache object to a fresh dict and call it a day18:05
*** dsneddon has quit IRC18:08
*** kaifeng has quit IRC18:12
*** mgoddard has quit IRC18:14
*** mgoddard has joined #openstack-ironic18:15
TheJuliaWhy would we check it though?18:17
TheJuliawe're updating/replacing it as-necessary to run the tests based on different data18:17
dtantsurmm, I need to re-read the patch with a fresher head18:20
TheJuliano worries18:20
TheJuliaI don't think I'm going to be doing anything to steve's two wip patches, but I'll be looking at lance's reply and trying to sift those changes in with the additional testing... maybe. Still not 100% sure of how I'm going to proceed there, just trying to piece it all together in a way that makes sense and that allows us to not break anything and expand the rbac matrix as we go.18:22
TheJuliaFWIW, there is also a spec which proposes hyper-specifics, I'd like to nail that down as well, but it may also be a little too specific in hind sight18:22
arne_wiebalckbye everyone o/18:24
*** mgoddard has quit IRC18:24
*** openstackgerrit has joined #openstack-ironic18:33
openstackgerritMerged openstack/ironic master: Register all hardware_interfaces together  https://review.opendev.org/c/openstack/ironic/+/76491118:33
openstackgerritMerged openstack/ironic master: Rewrite existing ACL tests with ddt, yaml  https://review.opendev.org/c/openstack/ironic/+/76743418:33
*** dsneddon has joined #openstack-ironic18:38
openstackgerritDmitry Tantsur proposed openstack/ironic master: Follow-up for ramdisk deploy configdrive support  https://review.opendev.org/c/openstack/ironic/+/77017219:03
dtantsurTheJulia: ^^^19:03
TheJuliaThanks!19:03
openstackgerritDmitry Tantsur proposed openstack/ironic master: Common framework for configuring secure boot  https://review.opendev.org/c/openstack/ironic/+/76996119:14
openstackgerritDmitry Tantsur proposed openstack/ironic master: [WIP] Switch iLO and iRMC to the new secure boot framework  https://review.opendev.org/c/openstack/ironic/+/77012219:14
*** dtantsur is now known as dtantsur|afk19:15
dtantsur|afko/19:16
*** gmann is now known as gmann_afk19:25
*** paras333 has joined #openstack-ironic19:30
*** tosin has quit IRC19:52
guilhermesphey there! Is there any additional parametess when cleaning nodes with nvme drivers? It looks like it is failing to run hdparm and smartctl... https://usercontent.irccloud-cdn.com/file/hTgdHxJI/MicrosoftTeams-image.png20:07
TheJuliaguilhermesp: interesting! I've never seen that before20:48
TheJulialooks like we're going to need to explicitly go "oh, well, run the nvme specific commands, we'll just need to identify what20:52
guilhermespTheJulia: yeah, i tried this `openstack baremetal node set ac167bb9-3278-4941-809a-2c277157947b  --property root_device='{"rotational": "false"}'` based on https://docs.openstack.org/ironic/latest/install/advanced.html#specifying-the-disk-for-deployment-root-device-hints20:53
guilhermespbut is seems had no effect20:53
TheJuliaHints don't get pulled in there20:57
guilhermespbut yeah, i think hdparm and smartl goes good only with ata devices. Maybe cleaning up nvme devices is somthing not implemented yet?20:59
*** ociuhandu has joined #openstack-ironic21:01
TheJuliahdparm oddly works for a lot, and I even think it works on my old laptop's nvme device21:01
*** gmann_afk is now known as gmann21:13
JayFDid anyone have a desire to put a review on https://review.opendev.org/c/openstack/ironic-specs/+/748503 before it's approved? It's got +2 from me, rloo, and rpittau21:20
JayF(and only has one line of change since Julia +2'd last patchset)21:20
rlooJayF: I suspect it is good to +A.21:21
rloocould always update later if need be21:21
*** hoonetorg has quit IRC21:22
JayFYeah I'll approve it before EOD for sure. Just wanted to give folks a chance to squeal first :D21:23
TheJuliarloo: JayF: I was going to +A it sometime this afternoon21:27
JayF\o/21:27
rloothx TheJulia!21:27
TheJuliaguilhermesp: yeah, explicit nvme cleaning is not implemented. We've got someone signed up to do it, and I evenhave hardwware to test with on my desk right now21:28
JayFI'll note we have an example of how to write a custom hardware manager to configure disk wiping for a specific kind of disk21:28
JayFso if you need NVMe wiping support now, you can implement it using https://opendev.org/openstack/ironic-python-agent/src/branch/master/examples/custom-disk-erase21:29
guilhermespoh, if I can help in any way to move that forward, let me know!21:29
guilhermespeven to help testing it21:29
guilhermespi have 4 nodes available with 1 nvme each21:29
TheJuliaguilhermesp: so one of the concerns is appropriate information or commands to erase them manually. If your able to identify make/model and appropriate command if they are different, it would be a good data point21:31
TheJuliaguilhermesp: we've got an entry on our whiteboard that your free to add information to21:33
guilhermespcool TheJulia I will try to find out and let you know21:33
TheJuliaguilhermesp: much appreciated!21:34
*** ociuhandu has quit IRC21:36
*** hoonetorg has joined #openstack-ironic21:40
TheJulialbragstad: you still around?21:52
lbragstadi am21:52
lbragstadwhat's up?21:52
TheJuliaDoes assigning the values to an intermediate dictionary to pass into the policy check make sense for basically 3 checks, if owner or lessee matches considering we don't have a project_id on physical hardware and it is dependent upon mode ofa ccess21:54
lbragstadthis was on one of the patches, right?21:56
TheJuliayeah, let me get the link21:56
TheJuliahttps://review.opendev.org/c/openstack/ironic/+/763255/3/ironic/common/policy.py22:00
lbragstadTheJulia ok - i have some naive questions22:02
lbragstada baremetal resource has an owner, right?22:02
TheJuliait *can*, it is not required to have an owner22:02
lbragstadok - are owners always projects? or can they be users, too?22:03
TheJuliaA project22:03
lbragstadwhat's the difference between an owner and a lessee?22:04
TheJuliaa lessee is a node an owner is surrendering over to another project for use, but an owner can have that node back at any time.22:05
lbragstadok - so a lessee is also always a project22:05
TheJuliayes22:05
* lbragstad nods22:05
lbragstadowner and lessee clearly aren't mutually exclusive, correct?22:07
*** rcernin has joined #openstack-ironic22:07
TheJuliathey are not mutually exclusive22:08
lbragstadfrom a policy perspective, would you let a project admin of the owning project do more or less things than a project admin of a lessee project?22:09
TheJuliabut the whole idea being if one doesn't have the rights, they shouldn't see the node(s) they don't have access to.22:09
*** rcernin has quit IRC22:09
*** rcernin has joined #openstack-ironic22:11
lbragstadi guess i'm think that if a baremetal node can be loaned to another project, then the project admin of the owning project can pull that node back and that shouldn't be something the project admin of a lessee project can do22:15
TheJuliaproject admin by definition if matching22:16
lbragstadTheJulia going back to your original question - can you clarify what you mean by intermediate dictionary?22:21
TheJuliabasically what your noting on your line 57 comment https://review.opendev.org/c/openstack/ironic/+/763255/3/ironic/common/policy.py22:26
TheJuliajust both variables added to the target dictionary22:26
lbragstadoh - ok22:27
lbragstadso my example probably doesn't work since they're not mutually exclusive22:27
TheJuliawell, I think it would still work22:28
lbragstadi was trying to make it so that the policy check string was "role:admin and project_id:%(project_id)s"22:28
lbragstadbut that would mean you can only have one value for project_id, i think?22:29
TheJuliayeah, that is how I interpret it22:29
* lbragstad double checks22:29
lbragstadi wonder...22:30
lbragstadif we can do target['project_id'] = [baremetal.owner.id, baremetal.lessee.id]22:31
lbragstadthe context object accepts iterables and substitutes them22:32
lbragstador - the policy engine accepts context attributes that are iterables and substitutes them22:33
TheJuliabut will that imply or22:33
TheJuliayeah, if it subsitutes them in place, then nope22:33
lbragstadwouldn't that mean we could do "role:admin and project_id:%(project_id)s" and then we pass in target = {'project_id': [owner, lessee]} ?22:35
TheJuliait could22:35
lbragstadand that would all project admins of the owning project or project admins of the lessee project to pass that policy check string22:36
TheJuliaif supported and expanded internally22:36
lbragstadcorrect - i'm basing that on an unproven assumption :)22:36
lbragstadotherwise - we could do "role:admin and (project_id:%(owner)s or project_id:%(lessee)s)"22:37
lbragstadand modify the target accordingly22:37
tzumainnTheJulia, hi! I asked the question kinda badly on the PR, but maybe it's worth asking here - with the proposed changes you're talking about, is there a way for a user to be an owner of one node and have PROJECT_ADMIN access, and a lessee of another node and be limited to PROJECT_MEMBER access to that second node?22:39
*** paras333 has quit IRC22:41
lbragstadi think that's possible?22:44
lbragstadmaybe something like "(role:admin and project_id:%(owner)s) or (role:member and project_id:%(lessee)s)"22:45
tzumainnbut for the second node - if you have the admin role, wouldn't you still match PROJECT_ADMIN?22:45
tzumainnif it's PROJECT_ADMIN = ('(role:admin and project_id:%(owner)s or '22:45
tzumainn                 '(role:admin and project_id:%(lessee)')22:45
tzumainnor am I misunderstanding how that rule would be interpreted?22:46
lbragstadok - so node 1 is owned by project foo?22:46
tzumainnah, yeah - node 1 owned by project foo, so foo has the admin role22:47
lbragstadok - what about node 2?22:47
tzumainnfoo becomes the lessee of node 2; would they have PROJECT_ADMIN over node 2?22:47
jandersgood morning Ironic o/22:47
lbragstadtzumainn who is the owner of node 2?22:48
tzumainnlbragstad, some other arbitrary project22:49
lbragstadok22:49
lbragstadso - "(role:admin and project_id:%(owner)s)" would allow project admins for foo to manage node 1 (i think?)22:51
tzumainnbut wouldn't (role:admin and project_id:%(lessee)s) give admins for foo PROJECT_ADMIN access to node 2 as well?22:52
TheJuliathe intent, is not for exclusiveness, as the node needs to be able to be reclaimed22:53
lbragstadyes - i believe so22:53
lbragstadi may need to look at some of the policies and where they're invoked in ironic to get a better picture22:55
lbragstadbut i get the feeling something isn't granular enough if we're hitting this22:55
TheJuliaI'm not sure text based chat is helping us in this right now22:55
tzumainnhaha, perhaps not :)22:55
TheJuliaoslo.policy, maybe?22:55
TheJuliabut at the same time, very very few are experts in it22:56
TheJuliathis is also not cloudy given it is a physical resource22:56
TheJuliaso it is harder since its not an ephemeral single thing22:56
lbragstadmaybe restrict it to system administrators and open it to project administrators later?22:57
*** tkajinam has joined #openstack-ironic22:57
tzumainnor would it be possible to have PROJECT_ADMIN just be 'role:admin and project_id:%(owner)s`, while PROJECT_MEMBER be `role:member and project_id:%(lessee)s`?22:57
TheJuliaI suspect that is going to be the pattern anyway, but we need to see the path before us to chart a course22:58
TheJuliaI'd prefer to try and avoid that because members in projects shouldn't be granted any level of admin rights22:58
tzumainnwouldn't members be restricted to PROJECT_MEMBER with my suggestion?22:59
lbragstadi have to run, but i'll read scroll back a little later tonight22:59
tzumainnoh, I guess it means that they couldn't be an admin for their project, which might be needed for other projects23:00
TheJuliahttps://review.opendev.org/c/openstack/ironic-specs/+/764070 is where that really needs to be settled23:00
tzumainner, for other openstack services23:00
tzumainnokay, I'll add some comments there!23:02
TheJuliaokay23:30
* TheJulia orders groceries and goes to exercise23:30
*** rcernin_ has joined #openstack-ironic23:54
*** rcernin has quit IRC23:55
« Sunday, 2021-01-10 Index Tuesday, 2021-01-12 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!