Wednesday, 2021-01-20

« Tuesday, 2021-01-19 Index Thursday, 2021-01-21 »
*** tosky has quit IRC00:02
*** MentalSiege has quit IRC00:02
iurygregorymorning janders o/00:02
*** ociuhandu has quit IRC00:03
*** iurygregory has quit IRC00:06
*** rcernin_ has joined #openstack-ironic00:19
*** rcernin has quit IRC00:20
*** iurygregory has joined #openstack-ironic00:43
*** openstackgerrit has joined #openstack-ironic00:46
openstackgerritJacob Anders proposed openstack/ironic-python-agent master: [WIP] Add support for using NVMe specific cleaning  https://review.opendev.org/c/openstack/ironic-python-agent/+/77023700:46
*** jamesden_ has joined #openstack-ironic01:00
*** paras33__ has joined #openstack-ironic01:01
*** pmannidi has quit IRC01:02
*** pmannidi has joined #openstack-ironic01:02
*** stevebaker has quit IRC01:03
*** jamesdenton has quit IRC01:03
openstackgerritJulia Kreger proposed openstack/ironic master: Bump oslo.log requirement to 4.3.0  https://review.opendev.org/c/openstack/ironic/+/76325601:07
openstackgerritJulia Kreger proposed openstack/ironic master: Write stub ACL test for every existing API call  https://review.opendev.org/c/openstack/ironic/+/76744501:07
openstackgerritJulia Kreger proposed openstack/ironic master: Attempt to slim down protection test base class  https://review.opendev.org/c/openstack/ironic/+/77067301:07
openstackgerritJulia Kreger proposed openstack/ironic master: Start populating existing policy tests  https://review.opendev.org/c/openstack/ironic/+/76813601:07
openstackgerritJulia Kreger proposed openstack/ironic master: Duplicate testing for system scoped ACL testing  https://review.opendev.org/c/openstack/ironic/+/77000201:07
openstackgerritJulia Kreger proposed openstack/ironic master: Introduce common personas for secure RBAC  https://review.opendev.org/c/openstack/ironic/+/76325501:07
openstackgerritJulia Kreger proposed openstack/ironic master: WIP Implement secure RBAC for baremetal nodes  https://review.opendev.org/c/openstack/ironic/+/76325701:08
openstackgerritMerged openstack/bifrost master: Add `bifrost-cli enroll` command  https://review.opendev.org/c/openstack/bifrost/+/77004201:18
openstackgerritShuai Qian proposed openstack/ironic-ui master: Fix unittest coverage bug  https://review.opendev.org/c/openstack/ironic-ui/+/77117601:39
openstackgerritIury Gregory Melo Ferreira proposed openstack/sushy stable/victoria: Catch errors when retriving severe index  https://review.opendev.org/c/openstack/sushy/+/76995001:53
iurygregoryenr I should push to master -.-'01:53
openstackgerritMerged openstack/sushy master: Secure boot support: enabling/disabling and resetting keys  https://review.opendev.org/c/openstack/sushy/+/77060702:28
*** stevebaker has joined #openstack-ironic02:37
*** mkowalski_ has joined #openstack-ironic02:39
*** mkowalski_ has quit IRC02:43
*** ricolin has joined #openstack-ironic02:45
*** tzumainn has quit IRC02:45
*** Qianbiao has joined #openstack-ironic02:50
*** zzzeek has quit IRC03:04
*** zzzeek has joined #openstack-ironic03:05
*** rcernin_ has quit IRC03:23
openstackgerritShuai Qian proposed openstack/ironic-ui master: Fix unittest coverage bug  https://review.opendev.org/c/openstack/ironic-ui/+/77117603:32
*** mkrai has joined #openstack-ironic03:36
*** rcernin_ has joined #openstack-ironic04:01
*** mkrai has quit IRC04:34
*** mkrai_ has joined #openstack-ironic04:34
*** pmannidi has quit IRC05:04
*** pmannidi has joined #openstack-ironic05:05
openstackgerritVerification of a change to openstack/ironic failed: Bump oslo.log requirement to 4.3.0  https://review.opendev.org/c/openstack/ironic/+/76325605:17
*** iurygregory has quit IRC05:33
*** ricolin_ has joined #openstack-ironic05:47
*** ricolin has quit IRC05:47
*** Qianbiao has quit IRC05:49
*** moshiur has joined #openstack-ironic05:56
*** gyee has quit IRC05:59
openstackgerritMin Li proposed openstack/ironic-ui master: Fix unittest coverage bug  https://review.opendev.org/c/openstack/ironic-ui/+/77117606:17
*** Qianbiao has joined #openstack-ironic06:30
arne_wiebalckGood morning, ironic!06:35
*** mkrai_ has quit IRC07:07
*** rcernin_ has quit IRC07:28
*** rcernin_ has joined #openstack-ironic07:32
jandersgood morning arne_wiebalck o/07:32
arne_wiebalckhey janders o/07:33
*** Qianbiao has quit IRC07:34
*** anuradha1904 has joined #openstack-ironic07:41
*** mkrai_ has joined #openstack-ironic08:00
*** mkrai_ has quit IRC08:04
*** rpittau|afk is now known as rpittau08:17
rpittaugood morning ironic! o/08:17
jandersgood morning rpittau o/08:17
rpittauhey janders :)08:18
*** Qianbiao has joined #openstack-ironic08:22
Qianbiaomorning arne_wiebalck08:22
arne_wiebalckhey Qianbiao o/08:29
Qianbiaoo/ hey08:30
*** mkrai has joined #openstack-ironic08:32
*** rcernin_ has quit IRC08:35
*** QianbiaoNG has joined #openstack-ironic08:38
*** mkrai_ has joined #openstack-ironic08:40
*** mkrai has quit IRC08:41
*** stevebaker has quit IRC08:41
*** Qianbiao has quit IRC08:41
*** akahat|rover is now known as akahat|lunch08:46
*** tosky has joined #openstack-ironic08:47
*** dougsz has joined #openstack-ironic08:52
rpittautwo very quick reviews if anyone has a minute https://review.opendev.org/c/openstack/python-ironic-inspector-client/+/766915 https://review.opendev.org/c/openstack/networking-generic-switch/+/76625409:03
openstackgerritRiccardo Pittau proposed openstack/ironic-prometheus-exporter stable/ussuri: Remove lower-constraints job  https://review.opendev.org/c/openstack/ironic-prometheus-exporter/+/76797709:07
*** lucasagomes has joined #openstack-ironic09:12
rpittau well ussuri is almost ok, need a coffee before even thinking about checking train09:24
*** pmannidi has quit IRC09:36
*** pmannidi has joined #openstack-ironic09:45
*** derekh has joined #openstack-ironic09:49
rpittauone more for the glory https://review.opendev.org/c/openstack/ironic-prometheus-exporter/+/767977 :)09:56
openstackgerritDerek Higgins proposed openstack/ironic stable/victoria: Add a delay/retry is vmedia insert fails  https://review.opendev.org/c/openstack/ironic/+/77124310:00
*** ociuhandu has joined #openstack-ironic10:07
*** akahat|lunch is now known as akahat|rover10:09
*** ociuhandu has quit IRC10:12
*** tosin has joined #openstack-ironic10:18
*** mkrai_ has quit IRC10:18
openstackgerritAija Jauntēva proposed openstack/ironic master: Add import, export configuration to idrac-redfish  https://review.opendev.org/c/openstack/ironic/+/75942810:19
*** rpittau is now known as rpittau|bbl10:20
openstackgerritAija Jauntēva proposed openstack/ironic master: Add import, export configuration to idrac-redfish  https://review.opendev.org/c/openstack/ironic/+/75942810:21
*** ociuhandu has joined #openstack-ironic10:26
openstackgerritJacob Anders proposed openstack/ironic-python-agent master: [WIP] Add support for using NVMe specific cleaning  https://review.opendev.org/c/openstack/ironic-python-agent/+/77023710:31
*** priteau has joined #openstack-ironic10:31
*** rcernin_ has joined #openstack-ironic10:34
*** rcernin_ has quit IRC10:41
*** sshnaidm|afk is now known as sshnaidm|ruck10:43
*** dtantsur|afk is now known as dtantsur10:44
dtantsurtrandles: I thought I made bifrost install DIB images if no --testenv or --develop is used10:45
dtantsurgood morning folks10:45
jandersgood morning dtantsur10:46
openstackgerritMerged openstack/python-ironic-inspector-client master: Move pep8 dependencies from test-requirements to tox.ini  https://review.opendev.org/c/openstack/python-ironic-inspector-client/+/76691510:48
*** mkrai_ has joined #openstack-ironic10:49
openstackgerritMerged openstack/networking-generic-switch master: Remove pep8 dependencies from test-requirements  https://review.opendev.org/c/openstack/networking-generic-switch/+/76625410:50
*** ociuhandu has quit IRC10:54
*** ociuhandu_ has joined #openstack-ironic10:54
*** ociuhandu_ has quit IRC10:54
*** ociuhandu has joined #openstack-ironic10:54
*** pmannidi has quit IRC10:59
*** ociuhandu has quit IRC11:14
*** ociuhandu_ has joined #openstack-ironic11:14
*** uzumaki has joined #openstack-ironic11:22
*** rpittau|bbl is now known as rpittau11:24
*** iurygregory has joined #openstack-ironic11:27
iurygregorygood morning Ironic11:28
rpittauunbelievable https://review.opendev.org/c/openstack/sushy/+/767988 is green :)11:29
iurygregoryrpittau, you almost gave me a heart attack now =D11:33
rpittaulol11:33
rpittauhey iurygregory :)11:33
iurygregory"sushy-tempest-ironic-partition-redfish-src-python2"11:33
iurygregoryI was like "WHAT?!"11:33
iurygregory5s later... "stable/train" oh ok11:34
iurygregory=)11:34
openstackgerritRiccardo Pittau proposed openstack/python-ironic-inspector-client stable/ussuri: Remove lower-constraints job  https://review.opendev.org/c/openstack/python-ironic-inspector-client/+/76779511:34
rpittauI doubt bifrost will be as easy to fix :/11:36
*** ociuhandu_ has quit IRC11:42
*** rcernin_ has joined #openstack-ironic11:42
openstackgerritDmitry Tantsur proposed openstack/ironic master: Refactoring: move vendor caching to where it belongs  https://review.opendev.org/c/openstack/ironic/+/77159511:47
dtantsurTheJulia: ^^ (I need it for redfish too)11:47
openstackgerritDmitry Tantsur proposed openstack/ironic master: [WIP] Prevent redfish-virtual-media from being used with Dell nodes  https://review.opendev.org/c/openstack/ironic/+/77161911:53
dtantsurrpioso, ajya, wdyt ^^11:54
*** fgofurov has joined #openstack-ironic11:55
*** pmannidi has joined #openstack-ironic11:56
openstackgerritJacob Anders proposed openstack/ironic-python-agent master: [WIP] Add support for using NVMe specific cleaning  https://review.opendev.org/c/openstack/ironic-python-agent/+/77023712:00
openstackgerritMerged openstack/ironic-inspector stable/ussuri: Fix database migrations and disable the non-standalone job  https://review.opendev.org/c/openstack/ironic-inspector/+/75982612:01
*** pmannidi has quit IRC12:01
*** QianbiaoNG has quit IRC12:05
*** QianbiaoNG has joined #openstack-ironic12:05
ajyadtantsur: could be useful, potentially for other interfaces (e.g. RAID) too. Is this related to the bug you mentioned yesterday?12:07
*** uzumaki has quit IRC12:09
dtantsurajya: nope. but we do have people constantly confusing the two interfaces, I'd like to give them a clear error12:09
ajyadtantsur: yup, I can see that happening12:11
iurygregoryyeah a lot of people try to use redfish-virtualmedia instead of idrac-.... =(12:13
*** zzzeek has quit IRC12:18
*** akrus has joined #openstack-ironic12:21
*** zzzeek has joined #openstack-ironic12:21
dtantsurcould someone please request a sushy release?12:24
iurygregorydtantsur,for master only?12:29
dtantsuryep12:30
iurygregorydoing now12:30
iurygregorydtantsur, done https://review.opendev.org/c/openstack/releases/+/77164112:35
dtantsurthanks!12:35
iurygregorynp!12:35
iurygregorydtantsur, quick question do you prefer a separate try catch for the self.detail?12:38
*** mkrai_ has quit IRC12:38
*** bfournie has left #openstack-ironic12:38
dtantsuriurygregory: likely yes, although I don't care much12:40
dtantsurI only care that raising an exception never fails and ends up with at least some message12:40
dtantsur(even if we have to do str(body) in the worst case)12:40
iurygregorydtantsur, ack =)12:41
*** ociuhandu has joined #openstack-ironic12:42
akrusHello everyone! I'm trying to prepare Ironic for bare metal deployment (Dell with idrac driver). While I can manage RAID config, prepare the image, I somehow miss the part where should I specify the partitioning layout? I've got these two errors: [Unable to find a valid partition table on the disk after writing the image] and [Installing GRUB2 boot loader to device /dev/sda failed; mount: /tmp/tmp6mk8k9c5: /dev/sda2 already mounted on12:43
akrus/tmp/tmp6mk8k9c5]. Could someone please point me in a right direction?12:43
*** ociuhandu has quit IRC12:44
*** Nisha_Agarwal has joined #openstack-ironic12:45
Nisha_Agarwaldtantsur, hi12:45
*** ociuhandu has joined #openstack-ironic12:45
dtantsuro/12:46
openstackgerritMerged openstack/sushy stable/train: Remove lower-constraints job  https://review.opendev.org/c/openstack/sushy/+/76798812:46
Nisha_Agarwaldtantsur, i am facing one strange issue...Need some help with that12:46
dtantsurakrus: I wonder if you're using the right image type. "unable to find a valid partition table" sounds like you may be using a partition image instead of a whole disk one12:47
dtantsurakrus: https://docs.openstack.org/ironic/latest/install/creating-images.html12:47
Nisha_Agarwaldtantsur, http://paste.openstack.org/show/801767/    I am unable to understand why lookup fails12:47
*** bfournie has joined #openstack-ironic12:47
Nisha_Agarwalmanually curl on the baremetal endpoint works, but IPA says resource couldnt be found12:48
dtantsurNisha_Agarwal: ironic cannot find a port matching any of these MACs12:48
Nisha_Agarwalneutron port u mean?12:48
dtantsurironic port12:48
Nisha_Agarwalohk12:48
Nisha_Agarwallet me check that12:48
*** Nisha_Agarwal has quit IRC12:51
*** rh-jelabarre has joined #openstack-ironic12:54
*** ociuhandu has quit IRC12:54
*** ociuhandu has joined #openstack-ironic12:56
akrusdtantsur, maybe, but still, regarding the actual partitioning e.g. if I need to create separate /boot, /usr, /tmp, etc., what's the proper way to handle this?12:57
*** rcernin_ has quit IRC12:58
dtantsurakrus: currently you need to build a whole disk image or use the ansible deploy interface which allows any customization12:59
*** bburns_ has quit IRC12:59
akrusdtantsur, okay, thank you!13:00
janderssee you tomorrow Ironic o/13:00
*** ociuhandu has quit IRC13:00
*** rh-jelabarre has quit IRC13:01
*** bburns has joined #openstack-ironic13:02
*** rh-jelabarre has joined #openstack-ironic13:04
*** akrus has quit IRC13:06
*** rcernin_ has joined #openstack-ironic13:08
*** rh-jelabarre has quit IRC13:11
iurygregorydtantsur, do you think the fallback to index = 0 is a good idea in case we can't retrive the severe index?13:14
dtantsurI don't remember the exact error, but it may well be that indexes don't make sense in this case13:15
iurygregoryif we fail to get the index it doesn't make sense to try to get detail, so I will put in one try/except block13:17
iurygregorysince we would need the index in normal cases to get the correct message13:18
dtantsuryep. just let's make sure we still have *some* error message13:18
iurygregoryyeah13:18
*** ociuhandu has joined #openstack-ironic13:19
dtantsur.. and add unit tests to provde that13:19
*** moshiur has quit IRC13:20
*** rh-jelabarre has joined #openstack-ironic13:22
*** rh-jelabarre has quit IRC13:22
*** rh-jelabarre has joined #openstack-ironic13:22
*** ociuhandu has quit IRC13:26
iurygregoryI will update with some logs so I can ask people to test and will work in the unit tests13:26
*** nam-est has joined #openstack-ironic13:27
nam-estHi all,13:27
nam-estPlease, any reviews are appreciated since we are needing these PRs to go in urgently.13:29
nam-esthttps://github.com/metal3-io/ironic-image/pull/23013:29
nam-esthttps://github.com/metal3-io/ironic-inspector-image/pull/7013:29
nam-estT13:29
nam-estThank you.13:29
nam-estAlso, thanks very much, Dtantsur, for the outstanding reviews you have made.13:29
dtantsurnam-est: could you please make sure the CI passes before you ask for reviews?13:30
nam-estdtantsur: that is another issue, these PRs and another PR on Baremetal-operator side needs to go in together before they can pass the CI13:31
dtantsurnam-est: I don't think we can merge anything without the CI passing on them13:31
nam-estI'm also wondering if we have a way to solve this problem13:31
dtantsurat the very least, it needs to be globally coordinated (but I think github will simply prevent that)13:32
dtantsur(note that nobody in this chat has approval rights on BMO, so it has to be coordinated with the other folks)13:33
nam-estshould I add an option to toggle the use of wsgi, and make it false bu default, so it can pass the CI?13:34
dtantsurif that's the only way - yes. I wonder why it cannot pass the CI the way it is, but I can imagine it's complicated.13:34
dtantsurdo you know what exactly prevents the CI from passing?13:34
nam-estyes13:34
dtantsurdoes apache need more options that ironic-api? what exactly is happening?13:34
nam-estbecause I also make change to the httpd instance which is used for ipa to download images13:35
nam-estso with my PR, we have everything in a single httpd instance, and this instance is in the same container with ironic-api13:36
nam-estso I need a PR in baremetal-operator to make that work with the CI13:36
nam-esthowever, the PR in baremetal-operator also need the PR in ironic-image side to go in so it can pass the CI13:37
nam-estso it is like deadlock13:37
*** akrus has joined #openstack-ironic13:38
*** ociuhandu has joined #openstack-ironic13:38
*** QianbiaoNG has quit IRC13:39
*** paras33__ has quit IRC13:39
dtantsurokay, I'm completely lost now as to what exactly you're trying to do, and why it is breaking..13:39
*** QianbiaoNG has joined #openstack-ironic13:39
dtantsurcould you tell me what precisely breaks if you don't update BMO?13:40
nam-estit could be more easier if we can have a call and I can share my screen, but if not, I will try to explain here.13:42
openstackgerritIury Gregory Melo Ferreira proposed openstack/sushy stable/victoria: Catch errors when retriving severe index  https://review.opendev.org/c/openstack/sushy/+/76995013:42
nam-estpreviously, we already have one httpd container that allows IPA to download images to the node13:42
nam-estnow if I want to have apache serving as WSGI server, I can add another httpd instance13:43
nam-estand as we discussed before, we should make use of the existing httpd instance13:44
nam-estHowever, the ironic-api (WSGI application) and the web server (httpd) need to be in the same container13:44
*** ociuhandu has quit IRC13:45
*** QianbiaoNG has quit IRC13:45
nam-estso I add an httpd instance inside the ironic-api container, and remove the old httpd instance. Also, I move the image hosting function to the httpd instance inside the ironic-api13:45
nam-estso now this httpd instance serve two purposes, the wsgi server, and the image host where IPA can download images.13:47
dtantsurokay, so far so good13:47
*** ociuhandu has joined #openstack-ironic13:47
nam-estbecause I delete the old httpd instance, we need to also change the BMO13:47
dtantsuryou don't need to do that and don't actually do that13:48
nam-estotherwise, we have two httpd instances opening the same port that is used for IPA13:48
openstackgerritVerification of a change to openstack/ironic failed: Bump oslo.log requirement to 4.3.0  https://review.opendev.org/c/openstack/ironic/+/76325613:48
dtantsurso, just default to a different port?13:48
dtantsurwill it solve the compatibility problem?13:49
nam-estno, changing the port for IPA will also require to change in BMO and Metal3-dev-env. That means it cannot pass the CI13:50
dtantsurchange the port for your new httpd serving files13:50
dtantsurthen the old httpd will be used until BMO changes13:50
nam-estOk, that can be a good option13:51
*** ociuhandu has quit IRC13:51
*** derekh has quit IRC13:51
dtantsurit seems the best option right now, because it will allow the CI to pass AND won't need you to rewrite your patch significantly13:52
*** QianbiaoNG has joined #openstack-ironic13:53
nam-estyes, true. That is good idea. I will do that and come back when the PRs pass the CI. Thanks for your help, dtantsur.13:54
*** ociuhandu has joined #openstack-ironic13:54
nam-estbut wait13:55
nam-estthe follow-up PR that fix the port will see the same problem13:56
openstackgerritRiccardo Pittau proposed openstack/python-ironic-inspector-client stable/ussuri: Remove lower-constraints job  https://review.opendev.org/c/openstack/python-ironic-inspector-client/+/76779513:56
dtantsurnam-est: ironic-image -> BMO -> ironic-image13:56
dtantsurBMO can override the port via the HTTP_PORT variable13:56
dtantsurthen we can fix the default in ironic-image13:57
tosinHello Ironic. I accidentally pushed to master branch. Is there a way to revert this?13:57
dtantsurtosin: to master branch of what?13:58
nam-estdtantsur: how should we override the port via HTTP_PORT so the PR in BMO can pass the CI?13:58
dtantsur1) start with HTTP_PORT=${HTTP_PORT:-<random>} in ironic-image13:59
dtantsur2) update BMO to stop launching a separate httpd container and to override HTTP_PORT for ironic-api13:59
dtantsur3) update ironic-image again to use the real default13:59
tosindtantsur: ansible collections14:00
dtantsurtosin: I don't think you have rights to push to master, what exactly do you mean?14:01
*** rloo has joined #openstack-ironic14:01
tosinfrom my local, I did not checkout to a branch, I was on master and I pushed from there with git review14:02
*** jdandrea has joined #openstack-ironic14:02
dtantsurtosin: does you review looks okay? if yes, you don't need to worry14:02
tosinok then14:03
nam-estdtantsur: ok, now I get it. Thanks you very much14:04
*** moshiur has joined #openstack-ironic14:09
*** rcernin_ has quit IRC14:13
*** derekh has joined #openstack-ironic14:17
TheJuliagood morning14:17
iurygregorygood morning TheJulia =)14:23
*** Nisha_Agarwal has joined #openstack-ironic14:24
Nisha_Agarwaldtantsur, thanks the response resolved the issue immediately. :)14:24
openstackgerritAija Jauntēva proposed openstack/ironic master: Update iDRAC doc with missing interfaces  https://review.opendev.org/c/openstack/ironic/+/77165314:25
dtantsurNisha_Agarwal: great :)14:25
dtantsurmorning TheJulia14:25
ajyadtantsur, iurygregory JFYI - a tiny update to add missing interfaces, including for virtual media boot, to iDRAC doc. Maybe it contributed to missing that in config, but does not cancel the need for better error message.14:26
ajya^14:26
dtantsuryep, thanks!14:27
Nisha_Agarwaldtantsur, centos7 image works in dhcpless environment end-to-end without any issue using glean. We tested on HPE SuperdomeFlex systems. CentOS8 ramdisk still has the same issue14:27
*** irclogbot_2 has quit IRC14:27
iurygregoryajya, tyvm! =)14:28
TheJuliabrraaaainnns14:29
rpittaugood morning TheJulia :)14:30
*** irclogbot_0 has joined #openstack-ironic14:31
dtantsurNisha_Agarwal: thank you for testing! could you update the warning in https://docs.openstack.org/ironic/latest/admin/dhcp-less.html with CentOS 7?14:37
*** rh-jelabarre has quit IRC14:38
*** rcernin_ has joined #openstack-ironic14:40
*** tzumainn has joined #openstack-ironic14:42
*** rcernin_ has quit IRC14:45
* TheJulia gives cookies to gerrit14:47
* TheJulia starts to grow concerned14:48
dtantsurZuul: -1 Give Me Too14:48
TheJuliaZuul gets cookies once I can upload an updated rbac series14:48
iurygregory=O14:48
TheJuliahmm14:50
openstackgerritJulia Kreger proposed openstack/ironic master: Write stub ACL test for every existing API call  https://review.opendev.org/c/openstack/ironic/+/76744514:50
openstackgerritJulia Kreger proposed openstack/ironic master: Attempt to slim down protection test base class  https://review.opendev.org/c/openstack/ironic/+/77067314:50
TheJuliathere it goes!14:50
openstackgerritJulia Kreger proposed openstack/ironic master: Start populating existing policy tests  https://review.opendev.org/c/openstack/ironic/+/76813614:50
openstackgerritJulia Kreger proposed openstack/ironic master: Duplicate testing for system scoped ACL testing  https://review.opendev.org/c/openstack/ironic/+/77000214:50
openstackgerritJulia Kreger proposed openstack/ironic master: Introduce common personas for secure RBAC  https://review.opendev.org/c/openstack/ironic/+/76325514:50
openstackgerritJulia Kreger proposed openstack/ironic master: WIP Implement secure RBAC for baremetal nodes  https://review.opendev.org/c/openstack/ironic/+/76325714:51
dtantsuryeah, uploading patches takes a lot of time recently, even for a single patch14:51
TheJuliait is a variable of load I think, when I do late afternoon uploads like that it is almost instant14:52
TheJuliabut by then most people have gone home14:52
dtantsurmakes sense14:52
*** rcernin_ has joined #openstack-ironic14:58
*** ricolin_ has quit IRC15:00
*** lmcgann has joined #openstack-ironic15:01
*** rcernin_ has quit IRC15:03
*** MentalSiege has joined #openstack-ironic15:04
*** rcernin_ has joined #openstack-ironic15:07
*** MentalSiege has quit IRC15:09
*** rcernin_ has quit IRC15:12
*** bburns has quit IRC15:14
*** bburns has joined #openstack-ironic15:19
arne_wiebalckTheJulia: Good morning!15:21
arne_wiebalckTheJulia: I have cleaning failing as there are 1k partitions to clean :-D15:22
arne_wiebalckTheJulia: That does not play well with https://github.com/openstack/ironic-lib/blob/master/ironic_lib/disk_utils.py#L50315:22
TheJuliaWUT?!?15:22
TheJulia1k alignment partitions?15:22
TheJulia\or devices only wanting 1k blocks?15:23
arne_wiebalckTheJulia: Seems so, anaconda creates them15:23
TheJuliagot an error from the agent logs?15:23
arne_wiebalckTheJulia: There are not in the kickstart file so I think anaconda does some padding.15:23
iurygregory1k WOW15:23
arne_wiebalckiurygregory: don't fill it all up in one go!15:23
iurygregorybad anaconda =P15:24
* TheJulia surrenders a desktop monitor to the home office viewing of the news this morning15:24
arne_wiebalckTheJulia: Shall we check device size and adapt the 33 to sth smaller?15:24
arne_wiebalckTheJulia: 33 is the GPT size.15:25
TheJuliayeah15:25
arne_wiebalckTheJulia: Like if<33 use that, otherwise use 33.15:25
TheJuliapossibly, just surprising the kernel is not sythasizing it15:25
TheJuliais this through the sata layer in the kernel? special block device driver?15:26
iurygregoryprobably worth make it configurable? (just wondering)...15:26
TheJulianeeds to be automagic15:26
TheJuliaand handle 4k blocks too, realistically15:26
dtantsur++15:26
dtantsurconfiguration options are a last resort15:26
arne_wiebalckthis one gives an ENOSPC15:27
TheJuliajust super super super surprising that the kernel is not doing the requisite "read/write" operation to override15:27
* arne_wiebalck checks the error log ...15:27
TheJuliawow15:27
iurygregoryautomagic <315:27
TheJuliaarne_wiebalck: dmesg output from a ramdisk or a boot look would be super good to have too15:27
*** QianbiaoNG has quit IRC15:28
arne_wiebalckthis is lsblk http://paste.openstack.org/show/801775/15:29
arne_wiebalckthe ks file does not mention this partition from what I see15:29
TheJuliaOH15:31
TheJuliayeah, logs15:31
TheJuliaIt *looks* like somehow we're picking that deice15:31
TheJuliabut we should be picking the actual device, not a partition for that operation15:31
arne_wiebalckI think we also clean partitions15:32
arne_wiebalckfun fact: this is BIOS/MBR, with UEFI there is no such partition (using the same ks)15:33
TheJuliayeah, its creating a spacer partition to force alignment15:34
TheJuliawonderful!15:34
TheJuliayeah, if you push a patch for that, it should be easy for us to approve15:34
arne_wiebalcksure, so we check size and take max(size, 33) ?15:36
*** Nisha_Agarwal has quit IRC15:39
TheJuliasize if size is the number of 512 byte blocks in the device15:41
TheJuliayour basically just stropping out the header data in that case15:41
arne_wiebalckhttps://storyboard.openstack.org/#!/story/200853915:45
*** MentalSiege has joined #openstack-ironic15:47
rpiosoGood morning, ironic..15:48
rpiosodtantsur: I like the idea of making it easier for users. I'm a bit puzzled, though. The idrac and redfish hardware types only support their vmedia boot interfaces, idrac-redfish-... and redfish-..., respectively. How does a user configure a node with the wrong one? Doesn't that fail before the new logic?15:52
arne_wiebalckTheJulia: this is maybe not a spacer but the marker for the extended partitions15:54
TheJuliaoh, yeah15:54
TheJuliaI guess it does put another partition table in a 1k partition15:55
openstackgerritVerification of a change to openstack/ironic failed: Add a delay/retry is vmedia insert fails  https://review.opendev.org/c/openstack/ironic/+/77124316:05
arne_wiebalckTheJulia: other tools report the size of the extended partition(s)16:05
arne_wiebalckTheJulia: only lsblk says 1K16:06
arne_wiebalckTheJulia: ok, I will try to figure sth out and propose a patch16:06
*** moshiur has quit IRC16:06
*** akrus has quit IRC16:07
TheJuliagah, I was on a roll last week and restarting these tests is like trying to move a mountain from no momentum16:10
TheJuliaarne_wiebalck: okay16:11
*** ricolin_ has joined #openstack-ironic16:22
*** paras333 has joined #openstack-ironic16:23
*** ociuhandu has quit IRC16:25
TheJuliahmm... interesting16:28
*** tosin has quit IRC16:33
arne_wiebalckTheJulia: $ blockdev --getsz /dev/sda416:36
arne_wiebalck216:36
arne_wiebalckTheJulia: so, we should be good using this16:36
*** ociuhandu has joined #openstack-ironic16:36
arne_wiebalckTheJulia: I was afraid, blockdev would do the sum just as parted or fdisk16:36
TheJulia++16:36
*** Nisha_Agarwal has joined #openstack-ironic16:47
*** gyee has joined #openstack-ironic16:50
Nisha_Agarwaldtantsur, i had built the ramdisk using " disk-image-create -o centos_deploy_image ironic-python-agent-ramdisk centos simple-init devuser selinux-permissive" instead of "ironic-python-agent-builder -o /output/ramdisk  debian-minimal -e simple-init"16:51
Nisha_Agarwaldtantsur, are the images built using both mechanism are same?16:54
dtantsurNisha_Agarwal: pretty much, IPA-builder is a wrapper around DIB16:55
*** lucasagomes has quit IRC16:57
Nisha_Agarwaldtantsur, ok..thanks16:57
Nisha_Agarwaldtantsur, will raise the doc patch for it16:58
TheJuliaSo question of the day: Should an reader/observer e able to get the boot device from a BMC?16:58
dtantsurTheJulia: keeping in mind a possibility of DoS since that's the only synchronous call to the BMC16:59
TheJulias/\ e/\ be/16:59
TheJuliaThat is exactly what I've been thinking16:59
dtantsurI'd rather have us introduce Node.boot_device with a regularly cached value16:59
TheJuliait is an operational command in my view16:59
dtantsurand deprecate the synchronous API16:59
TheJuliaif a reader needs it, I can agree with that16:59
dtantsurbtw, if you haven't seen, I'm expanding detect_vendor to redfish17:00
TheJuliaI have not, carrying on the first patch I created for detect_vendor?17:01
TheJuliaor should I abandon that one?17:01
dtantsuroh, you have a patch? I must admit I haven't checked17:01
TheJuliaI started one, it was super simple I think17:02
dtantsurwell, the initial one merged long ago17:02
TheJuliayeah17:02
TheJulia$time17:02
dtantsurah, https://review.opendev.org/c/openstack/ironic/+/76067517:02
dtantsurno, I started a new one17:02
TheJuliaok17:03
dtantsuralso I'm moving the boilerplate into the conductor with https://review.opendev.org/c/openstack/ironic/+/77159517:03
dtantsurso my redfish patch ends up a bit different17:03
dtantsur(and it's a part of https://review.opendev.org/c/openstack/ironic/+/771619 which has bigger goals)17:03
TheJulia++ yeah that works17:04
TheJuliaI think that was kind of the basic consensus after the initial "Ipmi hates us" moment17:04
TheJuliaor well, ipmi implementations hate us17:04
dtantsurthey do17:05
rpittauother 2 quick fixes for ussuri CI when anyone has a minute https://review.opendev.org/c/openstack/python-ironic-inspector-client/+/767795 https://review.opendev.org/c/openstack/ironic-prometheus-exporter/+/76797717:05
rpittauonly bifrost left17:05
dtantsurlooking17:05
dtantsurdone17:06
rpittauthanks17:06
dtantsurfor bifrost start with https://review.opendev.org/c/openstack/bifrost/+/76674217:06
*** rcernin_ has joined #openstack-ironic17:08
rpittauok, I'll work on that directly, I think I'll just remove l-c as for the other projects17:08
*** rcernin_ has quit IRC17:12
openstackgerritRiccardo Pittau proposed openstack/bifrost stable/ussuri: Fix two CI issues  https://review.opendev.org/c/openstack/bifrost/+/76674217:14
openstackgerritRiccardo Pittau proposed openstack/bifrost stable/ussuri: Fix CI issues  https://review.opendev.org/c/openstack/bifrost/+/76674217:14
openstackgerritDmitry Tantsur proposed openstack/ironic master: Prevent redfish-virtual-media from being used with Dell nodes  https://review.opendev.org/c/openstack/ironic/+/77161917:22
dtantsurrpioso: re ^^^ a user may pick the wrong hardware type17:22
dtantsurespecially since normal redfish supports Dell machines, but not for virtual media17:23
dtantsurwe had actual people making this mistake a few times already17:23
*** dtantsur is now known as dtantsur|afk17:23
dtantsur|afkhave to go, see you tomorrow17:23
rpittaubye everyone, talk tomorrow!17:26
*** rpittau is now known as rpittau|afk17:26
*** dougsz has quit IRC17:32
openstackgerritMerged openstack/ironic master: Bump oslo.log requirement to 4.3.0  https://review.opendev.org/c/openstack/ironic/+/76325617:34
*** ociuhandu_ has joined #openstack-ironic17:38
*** ociuhandu has quit IRC17:42
*** ociuhandu_ has quit IRC17:42
rpiosodtantsur|afk: I see :)17:46
openstackgerritMerged openstack/ironic-prometheus-exporter stable/ussuri: Remove lower-constraints job  https://review.opendev.org/c/openstack/ironic-prometheus-exporter/+/76797717:48
*** derekh has quit IRC18:01
arne_wiebalckbye everyone o/18:05
TheJuliagoodnight18:05
TheJuliasoooo many policy things18:07
*** ricolin_ has quit IRC18:15
openstackgerritMerged openstack/python-ironic-inspector-client stable/ussuri: Remove lower-constraints job  https://review.opendev.org/c/openstack/python-ironic-inspector-client/+/76779518:17
*** Nisha_Agarwal has quit IRC18:22
JayFFYI, folks running dnsmasq, it just had a big set of vulnerabilities dropped:19:05
JayFhttps://www.tenable.com/blog/dnspooq-seven-vulnerabilities-identified-in-dnsmasq19:05
*** rcernin_ has joined #openstack-ironic19:09
*** anuradha1904 has quit IRC19:11
*** rcernin_ has quit IRC19:14
TheJuliagoodnight:(19:21
TheJulia\err19:21
TheJulia:(19:21
openstackgerritJulia Kreger proposed openstack/ironic master: Implement secure RBAC for baremetal nodes  https://review.opendev.org/c/openstack/ironic/+/76325719:24
*** rcernin_ has joined #openstack-ironic19:25
*** rcernin_ has quit IRC19:30
openstackgerritJulia Kreger proposed openstack/ironic master: Start populating existing policy tests  https://review.opendev.org/c/openstack/ironic/+/76813619:55
TheJuliaokay, orphaned file removed up next19:55
openstackgerritJulia Kreger proposed openstack/ironic master: Duplicate testing for system scoped ACL testing  https://review.opendev.org/c/openstack/ironic/+/77000219:55
openstackgerritJulia Kreger proposed openstack/ironic master: Introduce common personas for secure RBAC  https://review.opendev.org/c/openstack/ironic/+/76325519:55
openstackgerritJulia Kreger proposed openstack/ironic master: Implement secure RBAC for baremetal nodes  https://review.opendev.org/c/openstack/ironic/+/76325719:55
*** rcernin_ has joined #openstack-ironic20:12
*** rcernin_ has quit IRC20:23
*** fgofurov_ has joined #openstack-ironic20:39
*** tosky has quit IRC20:41
*** paras333 has quit IRC20:42
*** tosky has joined #openstack-ironic20:42
*** fgofurov has quit IRC20:42
*** stevebaker has joined #openstack-ironic20:42
*** rcernin_ has joined #openstack-ironic20:48
TheJulialbragstad: you around?21:48
lbragstadin a meeting currently - should be free in about 30?21:48
TheJuliasure21:48
TheJuliaif you have spoons21:48
*** rcernin_ has quit IRC21:49
*** rcernin has joined #openstack-ironic21:50
*** jamesden_ has quit IRC21:51
*** jamesdenton has joined #openstack-ironic21:51
lbragstadTheJulia ok - what's up?22:07
TheJuliaif a policy filter says to match a field value of None... say project_id is none and the policy is project_id:%(project_id)s...  is that a problem?22:08
lbragstadare you referring to a context object where the project_id = None?22:10
lbragstadand what happens when you use that in a policy with `role:member and project_id:%(project_id)s`?22:10
TheJuliaspecifically in that the owner and lessee fields can be None in ironic22:11
TheJuliayeah, basically.22:11
lbragstadoh - ok22:11
lbragstadyeah22:11
lbragstadso - if target = {'lessee': None, 'owner': None}22:11
TheJuliayes22:12
lbragstadthen project_id:%(project_id)s will turn into $project_id_from_token:$lessee or $project_id_from_token:$owner22:13
lbragstadso - if we have a token scope to project_id 'foo'22:13
lbragstadand we pass target = {'lessee': None, 'owner': None} into enforcement for `(role:member and project_id:%(project_id)s) or (role:member and project_id:%(project_id)s)`22:14
TheJuliaand i guess the middleware should be guarding against a forged token with incorrect values going in22:14
lbragstadsorry - my last snippet didn't make sense22:14
lbragstadwhat i meant was this22:15
lbragstad`(role:member and project_id:%(project_id)s) or (role:member and project_id:%(project_id)s)`22:15
TheJuliaI think i got it22:15
lbragstad`(role:member and project_id:%(lessee)s) or (role:member and project_id:%(owner)s)`22:15
TheJuliayup22:15
lbragstadyeah - then it would evaluate like foo:None (which fails for lessee checks) and foo:None (which fails for owner checks)22:15
TheJuliaokay, yeah, and if htere is no project_id with a system scoped token, could that part of the rule still be hit22:16
TheJulia(if yes, this may explain some of the oddness I've encountered22:16
TheJulia)22:16
lbragstadbut - yeah, keystonemiddleware is responsible for validating the token and setting attributes from the token as request headers, which get picked up by oslo.context22:16
lbragstadright22:16
lbragstadsystem-scoped tokens will result in context objects with ctx.system_scope = 'all', but ctx.project_id = None22:17
TheJuliaokay, that is what I was suspecting22:17
TheJuliafor https://review.opendev.org/c/openstack/ironic/+/763257 I did some minor peeling back of project scope ness since we don't have project level testing enumerated completely yet22:19
TheJuliaand I think I was hitting this with the testing because I was ending up in a weird state where "wait, this shouldn't really be working"22:19
lbragstadmmm22:21
lbragstadwas it one of the tests in https://review.opendev.org/c/openstack/ironic/+/763257/11/ironic/tests/unit/api/test_rbac_system_scoped.yaml ?22:21
TheJuliaI think so yes, and if you look at common/policy.py between the revisions you can see where I peeled back system and project scope to just system for now22:23
lbragstadok - so you're ignoring project persons for the time being and formally porting existing administrator functionality to the system users22:24
TheJuliabasically yes22:25
lbragstadbefore you start writing more complex checks to handle both scopes (project and system)22:25
TheJuliaexactly22:25
lbragstadok - i see what you're doing22:25
lbragstadthat makes sense22:25
lbragstadand that started failing because None essentially equals None with a system-scoped context and a baremetal node without a lessee or owner22:26
TheJuliaI'm also trying to be very methodical, for obvious reasons there are lots of moving parts22:26
TheJuliaone test at a time, going sequentially down the list in each group22:28
lbragstadso https://review.opendev.org/c/openstack/ironic/+/763257/9..11/ironic/common/policy.py ?22:30
TheJuliaSYSTEM_MEMBER + permissible scope including project22:31
*** lmcgann has quit IRC22:31
TheJulialbragstad: there is also a distinct possibiliyt I'm loosing what is left of my mind22:36
TheJuliafwiw22:36
lbragstadso - i'm trying to find an example test case that's failing because of what you're describing22:37
TheJuliaI might have a better/more concrete example once I finally get into the projects specifically22:37
TheJuliahundreds of tests later, my brain is kind of jello at this point22:37
TheJuliawhich reminds me, I need to start dinner soon for it to be ready in time.22:37
lbragstadok - maybe sync tomorrow then?22:38
TheJuliayeah, likely for the best then22:38
lbragstadok22:38
*** fgofurov_ has quit IRC23:07
*** lbragstad has quit IRC23:13
*** lbragstad_ has joined #openstack-ironic23:13
openstackgerritJulia Kreger proposed openstack/ironic master: Implement secure RBAC for ports  https://review.opendev.org/c/openstack/ironic/+/76326723:20
jandersgood morning Ironic o/23:22
*** pmannidi has joined #openstack-ironic23:22
*** rloo has quit IRC23:26
TheJuliagood morning janders23:30
*** tosky has quit IRC23:44
*** hoonetorg has quit IRC23:48
« Tuesday, 2021-01-19 Index Thursday, 2021-01-21 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!