Monday, 2021-06-28

opendevreview	Rabi Mishra proposed openstack/metalsmith master: Use project_id when creating instance ports https://review.opendev.org/c/openstack/metalsmith/+/798240	04:03
iurygregory	good morning janders and Ironic o/	06:23
opendevreview	Verification of a change to openstack/ironic failed: Cache AgentClient on Task, not globally https://review.opendev.org/c/openstack/ironic/+/797674	06:34
arne_wiebalck	Good morning janders iurygregory and Ironic!	06:37
iurygregory	morning arne_wiebalck o/	06:37
opendevreview	Iury Gregory Melo Ferreira proposed openstack/ironic-specs master: Event Subscription Spec https://review.opendev.org/c/openstack/ironic-specs/+/785742	07:06
opendevreview	Merged openstack/ironic master: Fix ramdisk boot option handling https://review.opendev.org/c/openstack/ironic/+/797517	08:27
cenne	Good morning ironic!	08:29
cenne	Hey janders, iurygregory, arne_wiebalck	08:29
iurygregory	morning cenne o/	08:32
arne_wiebalck	Good morning, cenne o/	08:35
opendevreview	Verification of a change to openstack/ironic failed: Refactor: untie IloVendor from validate_image_properties https://review.opendev.org/c/openstack/ironic/+/797872	08:40
opendevreview	Verification of a change to openstack/ironic failed: Refactor: untie IloVendor from validate_image_properties https://review.opendev.org/c/openstack/ironic/+/797872	09:05
dtantsur	morning ironic, happy Monday	09:10
opendevreview	Dmitry Tantsur proposed openstack/ironic stable/wallaby: Fix ramdisk boot option handling https://review.opendev.org/c/openstack/ironic/+/798268	09:14
opendevreview	Dmitry Tantsur proposed openstack/ironic bugfix/18.0: Fix ramdisk boot option handling https://review.opendev.org/c/openstack/ironic/+/798269	09:15
cenne	good morning dtantsur.	09:17
iurygregory	morning dtantsur	09:29
opendevreview	Merged openstack/ironic bugfix/18.0: dhcp-less: mention how to provide network_data to instance https://review.opendev.org/c/openstack/ironic/+/796655	09:44
opendevreview	Merged openstack/ironic-python-agent stable/wallaby: Coalesce heartbeats https://review.opendev.org/c/openstack/ironic-python-agent/+/798129	11:04
opendevreview	Merged openstack/ironic-python-agent stable/wallaby: Only mount the ESP if not yet mounted https://review.opendev.org/c/openstack/ironic-python-agent/+/798124	11:08
janders	hey iurygregory arne_wiebalck cenne dtantsur and Ironic o/	11:24
iurygregory	janders, o/	11:24
arne_wiebalck	hey janders o/	11:28
opendevreview	Merged openstack/ironic master: Refactor: untie IloVendor from validate_image_properties https://review.opendev.org/c/openstack/ironic/+/797872	12:24
opendevreview	Dmitry Tantsur proposed openstack/ironic master: Refactor deploy_utils.validate_image_properties https://review.opendev.org/c/openstack/ironic/+/797875	12:49
opendevreview	kamlesh chauvhan proposed openstack/ironic master: Upgrade oslo.db version https://review.opendev.org/c/openstack/ironic/+/796811	13:01
TheJulia	good morning	13:11
dtantsur	morning TheJulia	13:17
TheJulia	it feels... very... quiet	13:18
dtantsur	I think it's usually this way in your morning :)	13:19
TheJulia	sometimes, yes	13:20
opendevreview	Aija Jauntēva proposed openstack/ironic master: Upgrade oslo.db version https://review.opendev.org/c/openstack/ironic/+/796811	13:24
opendevreview	Dhuldev Valekar proposed openstack/ironic master: Update the clear job id's constant https://review.opendev.org/c/openstack/ironic/+/796432	13:25
iurygregory	good morning TheJulia	13:27
TheJulia	Anyone seen greenlet cannot switch to different thread errors in ci? https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_548/792275/15/check/ironic-tempest-ipa-partition-pxe_ipmitool/5483f40/controller/logs/screen-ir-cond.txt	13:31
dtantsur	Oo	13:34
iurygregory	woot	13:37
TheJulia	ajya\|afk: will https://review.opendev.org/c/openstack/ironic/+/796432 need to be backported?	13:42
ajya\|afk	TheJulia: yes	13:43
*** ajya\|afk is now known as ajya		13:43
TheJulia	ajya: also, do you know if oslo is going to somehow backport a fix for the duplicate key issues?	13:44
ajya	ajya: yes, we talked about it with oslo team, it needs to be backported wherever can run mysql 8.0.19. Have to check how far that would be, for now looks like till Ussuri	13:45
ajya	eh, TheJulia ^	13:46
TheJulia	that would be problematic for train operators	13:46
ajya	can you elaborate?	13:46
TheJulia	well, say someone is running train with the newest mysql	13:47
ajya	then backport it to train?	13:47
TheJulia	it might not be feasible though	13:47
ajya	then could apply a workaround in Ironic by checking port existence first	13:49
opendevreview	Julia Kreger proposed openstack/ironic master: Deprecate [pxe]ip_version parameter https://review.opendev.org/c/openstack/ironic/+/797984	13:59
opendevreview	Julia Kreger proposed openstack/ironic stable/wallaby: Remove redundant/legacy is_admin logic https://review.opendev.org/c/openstack/ironic/+/798316	14:07
TheJulia	who is running the meeting today, is it me?	14:15
iurygregory	me	14:16
iurygregory	\o/	14:16
iurygregory	at least from what i remember from last meeting :D	14:16
iurygregory	TheJulia, if you want to run let me know (I have no problems =) )	14:18
TheJulia	iurygregory: ack, okay, go right ahead :)	14:24
iurygregory	ok =) next week we need someone to run the meeting (seems like is holiday Mon/Tue in CZ.. - finally holidays during the week :D )	14:24
TheJulia	Umm,, maybe we cancel?	14:26
TheJulia	It is a holiday in the states next week	14:26
TheJulia	Well, Monday is	14:26
iurygregory	makes sense to me =)	14:26
TheJulia	ironic-cores anyone object or agree ^^^	14:27
dtantsur	no objection	14:27
iurygregory	dtantsur, the discussion about privsep do you want to chat during the meeting or should we do tomorrow in the Review Jam?	14:28
dtantsur	I cannot promise to be at the review jam	14:28
iurygregory	so let's try during Discussion, does it work for you? =)	14:29
dtantsur	yep	14:30
TheJulia	iurygregory: I now have meetings scheduled which co-incide, seems the review jams are like... ideal slots for humans	14:31
TheJulia	so, discussion today is preferred	14:31
iurygregory	TheJulia, good to know =) I just want to check because we had the idea to talk during the review jam	14:31
opendevreview	Aija Jauntēva proposed openstack/ironic master: Redfish: Skip non-RAID controllers for RAID https://review.opendev.org/c/openstack/ironic/+/796592	14:42
opendevreview	Dmitry Tantsur proposed openstack/ironic master: Refactor deploy_utils.validate_image_properties https://review.opendev.org/c/openstack/ironic/+/797875	14:47
iurygregory	TheJulia, just to confirm you want a discussion about Secure RBAC Tempest Testing ? I remember we talked about it last week	14:51
opendevreview	Verification of a change to openstack/ironic failed: Cache AgentClient on Task, not globally https://review.opendev.org/c/openstack/ironic/+/797674	14:53
TheJulia	iurygregory: I thought I removed that	14:59
iurygregory	humm to me still shows in the Agenda	14:59
iurygregory	I will skip during the meeting =)	14:59
TheJulia	msut have missed the line	14:59
TheJulia	removed	14:59
iurygregory	np	14:59
iurygregory	ty!	15:00
iurygregory	#startmeeting ironic	15:00
opendevmeet	Meeting started Mon Jun 28 15:00:04 2021 UTC and is due to finish in 60 minutes. The chair is iurygregory. Information about MeetBot at http://wiki.debian.org/MeetBot.	15:00
opendevmeet	Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.	15:00
opendevmeet	The meeting name has been set to 'ironic'	15:00
dtantsur	o/	15:00
TheJulia	o/	15:00
rpioso	o/	15:00
iurygregory	Hello ironicers, welcome to our weekly meeting!	15:00
iurygregory	o/	15:00
vmud213	o/	15:00
rloo	o/	15:00
iurygregory	Our agenda can be found in the wiki =)	15:00
iurygregory	#link https://wiki.openstack.org/wiki/Meetings/Ironic#Agenda_for_next_meeting	15:00
TheJulia	hmm, do we have enough quorum?	15:01
stendulker	o/	15:01
TheJulia	hmm, maybe	15:01
iurygregory	I was about to ask that TheJulia =)	15:01
TheJulia	maybe just roll forward and if we have any consensuses or decisions to make we might need to be mindful	15:02
* rpioso wonders what comprises a quorum.		15:02
iurygregory	yeah, privsep discussion would probably need some consensus =)	15:02
TheJulia	rpioso: generally >8 contributors to me	15:02
iurygregory	we can try to summon arne_wiebalck and JayF :D	15:02
TheJulia	using the magical ironic dust of summoning	15:03
arne_wiebalck	o/	15:03
TheJulia	lol	15:03
iurygregory	it works :D	15:03
rpioso	TheJulia: When did that become a thing :-)	15:03
rloo	JayF is OOO today (AC issues)	15:03
* arne_wiebalck does not know how he ended up in this meeting all of a sudden		15:03
TheJulia	rloo: not good :(	15:03
rpioso	arne_wiebalck: lol	15:03
iurygregory	rloo, oh I saw on twitter about the AC =(	15:03
rloo	yeah, i think it is sweltering there...	15:03
ajya	o/	15:03
iurygregory	seems like we have enough people :D	15:04
TheJulia	rpioso: quorum or magical dust?	15:04
iurygregory	#topic Announcements / Reminders	15:04
rpioso	TheJulia: lol quorum?	15:04
TheJulia	rpioso: been a thing for a long time	15:04
iurygregory	Anyone has anything to announce today?	15:04
TheJulia	iurygregory: are we cancelling next week's meeting?	15:05
iurygregory	good question, +1 from me since is holiday in CZ	15:05
* iurygregory is not sure about other EU countries		15:06
arne_wiebalck	I don't think it is a holiday in FR or CH.	15:06
iurygregory	is also holiday in the US according to TheJulia	15:07
arne_wiebalck	Or DE.	15:07
iurygregory	so I don't think we will have enough quorum	15:07
arne_wiebalck	I am totally fine with cancelling the meeting ofc :)	15:07
TheJulia	I think we should just cancel next week's meeting	15:08
TheJulia	unless someone wants to run it next week	15:08
iurygregory	yeah	15:08
rpioso	Independence from Meeting Day?	15:09
TheJulia	rpioso: +1	15:09
iurygregory	lol :D	15:09
iurygregory	I don't see any objections so ...	15:09
iurygregory	#agreed no upstream meeting on July 5th	15:10
iurygregory	#info no upstream meeting on July 5th	15:10
iurygregory	I will send an email to the openstack-discuss	15:10
iurygregory	#topic Review action items from previous meeting	15:11
iurygregory	We don't have any action items from last meeting, skipping	15:11
iurygregory	#topic Review subteam status reports	15:11
iurygregory	#link https://etherpad.opendev.org/p/IronicWhiteBoard	15:11
iurygregory	starting on L65 =)	15:11
iurygregory	zer0c00l, you around? =)	15:13
iurygregory	just wondering if there are any plans to test anaconda deployment in CI upstream	15:14
TheJulia	iurygregory: he typically is not up for another hour I think	15:15
TheJulia	I know, he wants to though	15:16
iurygregory	ack =)	15:16
rloo	if there are no plans, then we need to add plans. if i remember, i'll ask him	15:16
iurygregory	rloo, tks!	15:16
arne_wiebalck	TheJulia: for the nova ironic driver item, I will check with our nova experts if they would like to follow up upstream	15:16
iurygregory	we have updates on every item, should we move to the next topic?	15:17
iurygregory	moving on	15:18
iurygregory	#topic Deciding on priorities for the coming week	15:18
TheJulia	arne_wiebalck: ack, there really is no reason for it to hit ironic for that query at all given the cache should have it and be able to properly fulfill it	15:18
iurygregory	#link https://tinyurl.com/ironic-weekly-prio-dash	15:19
arne_wiebalck	TheJulia: yes ... Belmiro plans to follow up	15:19
TheJulia	arne_wiebalck: ack	15:19
arne_wiebalck	TheJulia: with nova upstream	15:19
arne_wiebalck	TheJulia: no timelines yet	15:19
TheJulia	I'd like to add https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/797521 to the list for the week	15:20
TheJulia	There is a dependency on a tempest fix, but the tempest fix already has a +2	15:20
dtantsur	I'd appreciate adding https://review.opendev.org/c/openstack/ironic/+/797508 and https://review.opendev.org/c/openstack/ironic/+/797875	15:20
TheJulia	dtantsur: seems reasonable	15:20
iurygregory	++ a quick look to all patches they are ok to have the hashtag	15:21
TheJulia	done	15:22
iurygregory	more patches? :D	15:23
iurygregory	last call XD	15:23
iurygregory	sounds like we can move to Discussion	15:24
iurygregory	#topic Discussion	15:25
iurygregory	we have one topic today from dtantsur and I about oslo-privsep	15:25
iurygregory	#link https://review.opendev.org/c/openstack/ironic-lib/+/745536	15:26
iurygregory	dtantsur, if you want to give context about your concerns re privsep it would be good =)	15:26
dtantsur	IPA has half-monkey-patched stdlib	15:26
dtantsur	I don't feel easy about launching a new process with a clone of IPA and using it for execing other processes as root, although IPA is always as root	15:27
dtantsur	so I wonder if we could have a global switch to turn privsep into regular calls without forking	15:27
TheJulia	hmmmm	15:28
rloo	so replace rootwrap with privsep and add an option to turn off privsep	15:28
TheJulia	This does make a lot of sense	15:28
dtantsur	rloo: pretty much	15:28
iurygregory	I know nova has a few commands that they run as non-privilege	15:29
iurygregory	I don't think they have a config option	15:29
dtantsur	as a bonus, make dependency on privsep conditional for the sake of smaller IPA images	15:29
dtantsur	note that I don't mean a config option in a sense of oslo.config, but rather something like a global variable that can be set early	15:30
dtantsur	(it could go through oslo.config as well in case someone wants to run IPA as non-root (LOL)?)	15:30
TheJulia	dtantsur: ++	15:30
iurygregory	I'm trying to understand the part of global variable that can be set early...	15:31
TheJulia	likely just something in the ipa code very early on which declares the global	15:32
rloo	i'm good with that. as long as we default to privsep on.	15:32
dtantsur	import ironic_lib; ironic_lib.USE_PRIVSEP = False	15:32
TheJulia	++	15:32
rloo	Any security issues with turning it off? security is not my forte...	15:33
iurygregory	if it's off it will use rootwrap by default no?	15:34
dtantsur	let's drop rootwrap maybe?	15:34
dtantsur	I don't see why we would keep both	15:34
iurygregory	only after we have all the support in privsep I would say =)	15:34
dtantsur	if privsep is off, a command is executed as it is. if the service is not root - touch luck	15:34
arne_wiebalck	off is only for IPA which is running as root anyway, no?	15:35
dtantsur	right	15:35
TheJulia	arne_wiebalck: I think that is what we're all thinking	15:35
TheJulia	at least, that is my momentary perception of consensus	15:35
rloo	based on this, i think the idea is to remove rootwrap support: https://review.opendev.org/c/openstack/governance/+/718177	15:36
iurygregory	yeah correct, we can drop rootwrap after we swtich all things to privsep	15:37
arne_wiebalck	my point was to answer rloo's question: since off is only for IPA, and IPA is root anyway, there should be no security concerns ... but then security is not my forte either :)	15:37
rloo	we can either 1. replace rootwarp with privsep, then add some global thingy to turn off privsep; or 2. do both at the same time.	15:38
TheJulia	So we need to consider use/purpose, the driving purpose was to secure and delineate access for services which live for a long time serving/supporting user workloads. IPA... kind of not that at all.	15:38
rloo	(wondering if someone has some weird usecase with ipa)	15:38
TheJulia	rloo: yes... kind of	15:39
TheJulia	But that would be a highly restrictedmode which doesn't yet exist	15:40
rloo	I think we've agreed then? replace rootwrap with privsep, add a way to turn off privsep	15:40
TheJulia	so I think we're safe to proceed and move forward	15:40
rloo	++	15:40
dtantsur	yep	15:41
iurygregory	sounds like a plan	15:41
iurygregory	I will update the status with the info of the discussion =)	15:41
iurygregory	moving to our meeting topic	15:42
iurygregory	#topic Baremetal SIG	15:42
iurygregory	#link https://etherpad.opendev.org/p/bare-metal-sig	15:42
iurygregory	arne_wiebalck, do you have anything for the SIG?	15:42
arne_wiebalck	Next meeting is Tuesday July 13, 2021 at 2 PM UTC	15:43
arne_wiebalck	with TheJulia on Bifrost	15:43
TheJulia	\o/	15:43
arne_wiebalck	(announcing now as we do not have a meeting next week)	15:43
* TheJulia puts calendar items on her calendar to remind herself		15:43
iurygregory	#info Next Baremetal SIG meeting is Tuesday July 13, 2021 at 2 PM UTC - TheJulia talking about Bifrost	15:43
iurygregory	tks arne_wiebalck and TheJulia !	15:43
iurygregory	#topic RFE review	15:44
iurygregory	We have one RFE from vmud213 - Add a clean/deploy step to add 3rd party CA certificates to iLO	15:44
iurygregory	#link https://storyboard.openstack.org/#!/story/2008784	15:44
vmud213	Hi	15:44
TheJulia	hi vmud213	15:45
dtantsur	vmud213: the idea is great (modulo s/ilo_ca_certs_dir/ca_certs_dir), ideally the RFE should spell out the clean/deploy steps names	15:45
vmud213	does anyone has any questions or any clarification needed on this. Please let me know	15:45
vmud213	dtantsur: Ok.Sure. i will update.	15:46
vmud213	one question.	15:46
TheJulia	vmud213: quick question, by add is it just replacing or appending ca certificates?	15:46
vmud213	there are 2 steps for adding and removing. Should i pursure both as part of the same patch?	15:46
TheJulia	vmud213: That answers my question then	15:46
TheJulia	or my next question. Yes, ideally both at the same time	15:47
vmud213	ThJulia: It's appending the certificate	15:47
iurygregory	++ to both at same time	15:47
vmud213	perhaps there is lot of confusion on the naming	15:47
TheJulia	Also, it looks like you've got a wired-in do on deploy anyway step, which I'm not sure we want by default	15:47
vmud213	actually we need these CA certificates to be added to iLO.	15:47
TheJulia	So, you may, but maybe just run the steps anyway as part of the step framework instead of always invoke?	15:48
stendulker	@TheJulia: without matching certificates ilo-https boot inetrface will not work.	15:48
TheJulia	maybe that means a third, hybrid step	15:49
dtantsur	you seem to have a chicked-and-egg problem then?	15:49
TheJulia	"check-set-certificates" or something which could be enabled by default with a deploy_step value	15:49
stendulker	dtantsur: kind of, yes.	15:49
dtantsur	you need IPA to use cleaning but the UEFI boot cannot work without the right certificates	15:49
TheJulia	I guess the thing we want to avoid as much as possible, is things requiring custom boot interface code	15:49
stendulker	but these certificate addition is kind one-time thing	15:50
stendulker	unless one wants to remove/replace them after teardown	15:50
dtantsur	you probably need to rework it to become a step that doesn't need the ramdisk	15:50
dtantsur	otherwise its usability is questionable	15:51
stendulker	I think, it does not need ramdisk, bit needs a reboot to become effective.	15:51
TheJulia	hmm, it was being done before too, I guess if we can use the step code it becomes more clear for operators, and it can be ensured to be in a working state	15:51
dtantsur	set_async_step_flags relies on IPA	15:52
dtantsur	additionally, the only way to avoid IPA right now is to explicitly mark your step as not requiring ramdisk AND explicitly request cleaning without IPA	15:52
TheJulia	ugh, yeah	15:52
vmud213	dtantsur: the steps can be executed as part of different boot interface	15:52
dtantsur	so, start with iPXE, then switch to UEFI?	15:53
iurygregory	O.o	15:53
TheJulia	vmud213: we really don't want different boot interfaces, it complicates support matrixes and hurts adoption of driver specific interfaces	15:53
dtantsur	going to be confusing. and if you have iPXE working, why bother with UEFI?	15:53
vmud213	dtantsur: that is the capability of the hardware that we are leveraging	15:53
TheJulia	lets take a step back	15:54
TheJulia	I think we generally agree the idea is good, it needs a little more verbosity to explain the problem and what is going to be done to solve it. The patch itself, is going to take a little more back and forth and context to understand, because ultimately multiple things are attempting to be done here	15:54
iurygregory	agree ^	15:55
dtantsur	++	15:55
TheJulia	and if one of those things is distinctly or drastically different or the problem cascades, then we need to cover that in the RFE, or maybe a separate discussion	15:55
* TheJulia hopes I'm making sense		15:55
dtantsur	yeah, and we need to keep in mind the dependency between cleaning and IPA	15:55
vmud213	TheJulia: I think i understood what you are saying	15:56
vmud213	But the point is	15:56
vmud213	in any case this is all about adding the certificates	15:56
vmud213	which is needed in any case	15:56
TheJulia	Apparently it is needed, but there are different ways to approach that, and ideally if it is required, it shouldn't be a deploy or cleaning step set to 0	15:57
TheJulia	well, priority set to 0	15:57
vmud213	the iLO or any other BMC can not accept the certifciates unless it is properly configured with root CA who issued them	15:57
vmud213	so i wonder in the case of iPXE how this solves the problem	15:57
TheJulia	The step framework should be used wherever possible to facilitate these sorts of things	15:57
dtantsur	iPXE doesn't use HTTPS	15:57
TheJulia	I'm really confused where ipxe came into this discussion	15:58
TheJulia	this is basically like virtual media booting right?	15:58
dtantsur	actually, a lot of virtual media implementations don't verify certificates, but that's another story	15:58
TheJulia	BMC needs to validate the certificate of the webserver? yes?	15:58
dtantsur	the UEFI boot interface already calls add_certificates. I wonder why it's not enough.	15:58
TheJulia	dtantsur: well, apparently a reboot is required based on what stendulker said	15:59
* dtantsur is interested in this topic because we probably need to do the same for Redfish eventually		15:59
TheJulia	I guess, all the confusion is just more evidence we need a more verbose RFE	15:59
dtantsur	TheJulia: booting IPA is a rebootr	15:59
iurygregory	we have less than 1min, I think we can just end the meeting and keep the discussion right? =)	15:59
dtantsur	yep	15:59
TheJulia	dtantsur: true	15:59
TheJulia	dtantsur: which makes me wonder...why the clean steps?!	15:59
vmud213	dtantsur: the boot interface calls the certificate only to booot the deploy_iso configured ehind the https	15:59
iurygregory	tks everyone!	15:59
iurygregory	#endmeeting	16:00
opendevmeet	Meeting ended Mon Jun 28 16:00:00 2021 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)	16:00
opendevmeet	Minutes: https://meetings.opendev.org/meetings/ironic/2021/ironic.2021-06-28-15.00.html	16:00
opendevmeet	Minutes (text): https://meetings.opendev.org/meetings/ironic/2021/ironic.2021-06-28-15.00.txt	16:00
opendevmeet	Log: https://meetings.opendev.org/meetings/ironic/2021/ironic.2021-06-28-15.00.log.html	16:00
dtantsur	vmud213: I see add_certificates called in prepare_ramdisk already: https://review.opendev.org/c/openstack/ironic/+/783133/9/ironic/drivers/modules/ilo/boot.py	16:00
dtantsur	why doesn't this pattern work?	16:00
vmud213	but what if the webserver hosting the instance images changes or is configued with difrernt certificates later point of time.	16:00
dtantsur	it's called every time you do an action, no?	16:00
dtantsur	I mean, cleaning, inspection, deploy - they all go through prepare_ramdisk	16:01
* dtantsur is even more confused after checking the code		16:01
TheJulia	dtantsur: should we start a #confused club?	16:01
dtantsur	we should have long ago	16:01
dtantsur	and your corgi should chair it?	16:01
TheJulia	dtantsur: we'll need a bar tender, in addition to the corgi to chair the club	16:02
dtantsur	bear tender, you say?	16:02
TheJulia	++	16:02
* TheJulia notes we've hit peak silliness twice today		16:02
TheJulia	did everyone not sleep last night?!?	16:02
dtantsur	I woke up quite early	16:03
vmud213	dtantsur: my point is when the user wants to configure third party root CAs which can be used to boot instances images from different sources the only way would be to add a clean step	16:04
dtantsur	why would they do it?	16:05
TheJulia	its theoretically possible with ramdisk boot_iso	16:05
TheJulia	theoretically	16:05
dtantsur	I think boot interfaces that rely on HTTPS should just call add_certificates before rebooting (i.e. in prepare_ramdisk OR prepare_instance in case of the ramdisk deploy)	16:05
TheJulia	I can see the point in being able to manage certificates in the bmc, I think we are all onboard for that, but there are intertwined interactions we need to tease apart	16:06
dtantsur	yep	16:06
dtantsur	as long as we don't say things like "to make cleaning possible with custom certificates ....."	16:06
TheJulia	like, I'd also be okay if the add certificates step just had a priority	16:06
dtantsur	because updating certificates has to be done before cleaning	16:06
TheJulia	but the async action there is problematic as dtantsur pointed out	16:07
TheJulia	since it requires ipa up	16:07
dtantsur	having priority!=0 won't work with the current implementation of requires_ramdisk (mechanism to suppress booting IPA)	16:07
vmud213	dtantsur: so you think, the certificates should be added only part of the deployment	16:07
dtantsur	vmud213: I think there are two problems that can be solved:	16:07
TheJulia	dtantsur: sigh	16:08
dtantsur	1) How to make virtual media or UEFI boot work with custom HTTPS certificates	16:08
dtantsur	2) How to update certificates just because the operator wants it	16:08
TheJulia	++	16:08
dtantsur	The problem #1 is already (partially?) solved by the existing code	16:08
dtantsur	Your patch is solving only problem #2, but I'm not sure if you actually intend that	16:08
TheJulia	and these are distinctly different things which sould likely be handled in separate patches	16:09
dtantsur	if you do - fine	16:09
dtantsur	but the problem #1 is critical for ironic operation, while #2 is nice-to-have	16:09
TheJulia	s/sould/should/	16:09
vmud213	dtantsur: but i agree. But we also want to remove the configured certificates	16:09
dtantsur	so if you end up solving problem #2 while thinking you're solving problem #1, it's a problem :)	16:09
vmud213	:)	16:10
vmud213	ok..we add certificates only on demand	16:10
dtantsur	I'm not saying that problem #2 is not worth solving btw, I'm just trying to figure out which one you want to solve	16:10
vmud213	but removing the certificates which are configured and revoked	16:11
dtantsur	makes sense. it even makes sense to remove revoked certificates as part of automated cleaning indeed	16:11
dtantsur	(as Julia suggested)	16:11
TheJulia	(well, to be honest, I'm all for automatic things)	16:12
vmud213	i think the #1 is solved in as part of the boot interface already where we are adding the required CAs to iLO which are used by iLO oto boot the deploy ISO and instance images	16:12
dtantsur	vmud213: if I'm readying the code right, problem #1 is only solved for iLO HTTP boot, not for virtual media	16:13
dtantsur	* reading	16:13
vmud213	dtantsur,TheJulia: what is your suggestion.	16:13
vmud213	should i remove the add cleanstep and may be include the cleanstep to remove the revoked certs?	16:13
dtantsur	From your RFE: "When deploy and user images are served from a webserver configured with a certificate issued by 3rd party, the iLO while booting these images needs a way to validate the certificates presented by the webserver. This requires the 3rd party CA certificates to be loaded into iLO."	16:14
dtantsur	this sounds like problem #1 to me. If you're solving the problem #2, could you rephrase the RFE and the documentation you're adding?	16:14
dtantsur	vmud213: ^^^	16:14
vmud213	dtantsur: virtual media behavior is not necessarily the same. It may not care about the certificates by default. I still need to explore that path.	16:14
dtantsur	vmud213: janders investigated a few hardware models (I don't remember if iLO was among them) and came to conclusion that virtual media tends to ignore certificates.	16:15
dtantsur	but okay, my suggestion: 1) change wording on RFE, 2) consider if pruning revoked certificates should be done automatically	16:16
dtantsur	(both the RFE and the patch are titled "add certificates", there is nothing about revoked certificates, at least nothing obvious from a quick read)	16:16
vmud213	dtantsur: the removing of certificates is a separate patch.	16:17
dtantsur	okay. you can cover them with one RFE and two tasks	16:17
vmud213	i will add the removing part to the RFE and refine it as per your suggestions	16:17
vmud213	dtantsur: Sure.	16:18
dtantsur	great, thank you! TheJulia has this discussion addressed your concerns?	16:18
TheJulia	dtantsur: very much so	16:18
TheJulia	Thanks vmud213 and dtantsur !	16:19
vmud213	Thanks TheJulia, dtantsur	16:19
vmud213	Have a great day	16:19
TheJulia	you too vmud213	16:19
TheJulia	I need a very big thing of coffee	16:22
dtantsur	have a good evening, everyone	16:36
opendevreview	Merged openstack/ironic-python-agent stable/victoria: Fix getting memory size in some lshw output https://review.opendev.org/c/openstack/ironic-python-agent/+/798168	16:39
opendevreview	Merged openstack/ironic-python-agent stable/ussuri: Add function to calculate memory https://review.opendev.org/c/openstack/ironic-python-agent/+/798170	16:40
opendevreview	Merged openstack/ironic-python-agent stable/ussuri: Fix getting memory size in some lshw output https://review.opendev.org/c/openstack/ironic-python-agent/+/798171	16:40
opendevreview	Merged openstack/ironic-python-agent stable/train: Add function to calculate memory https://review.opendev.org/c/openstack/ironic-python-agent/+/798172	16:40
opendevreview	Merged openstack/ironic-python-agent stable/train: Fix getting memory size in some lshw output https://review.opendev.org/c/openstack/ironic-python-agent/+/798173	16:40
arne_wiebalck	bye everyone o/	16:48
opendevreview	Julia Kreger proposed openstack/ironic-inspector master: Add rbac scope enforcement handling to devstack plugin https://review.opendev.org/c/openstack/ironic-inspector/+/798359	17:09
opendevreview	Julia Kreger proposed openstack/ironic master: WIP Scoped RBAC Devstack Plugin support https://review.opendev.org/c/openstack/ironic/+/778957	17:11
* TheJulia crosses her fingers that all ironic stuff just magically works		17:13
opendevreview	Arun S A G proposed openstack/ironic master: Add support for configdrive in anaconda interface https://review.opendev.org/c/openstack/ironic/+/780398	18:04
opendevreview	Julia Kreger proposed openstack/ironic master: WIP Scoped RBAC Devstack Plugin support https://review.opendev.org/c/openstack/ironic/+/778957	18:50
*** stevebaker_ is now known as stevebaker		20:08
opendevreview	Julia Kreger proposed openstack/ironic-python-agent master: WIP: Another grub headache https://review.opendev.org/c/openstack/ironic-python-agent/+/798394	22:36
TheJulia	stevebaker: ^^^ os.path.ismount workaround I mentioned downstream	22:36
* TheJulia thinks we need a giant "The rules are different in a ramdisk" sign		22:37
stevebaker	thats unsettling	22:45
opendevreview	Julia Kreger proposed openstack/ironic master: WIP Scoped RBAC Devstack Plugin support https://review.opendev.org/c/openstack/ironic/+/778957	22:47
TheJulia	stevebaker: i know right!	22:48
TheJulia	stevebaker: in other goodish news, ^^^ mostly works except ironic<->inspector	22:48
stevebaker	cool	22:48
TheJulia	inspector devstack generated config looks right, so I'm wondering if we've got a client library bug	22:48
TheJulia	I can dig at it tomorrow	22:48

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!