iurygregory | good morning janders and Ironic o/ | 05:53 |
---|---|---|
arne_wiebalck | Good morning, iurygregory janders and Ironic! | 06:44 |
iurygregory | hey arne_wiebalck o/ | 06:45 |
cenne | Good morning ironic! | 07:51 |
iurygregory | morning cenne o/ | 08:00 |
cenne | hey iurygregory o/ | 08:00 |
janders | hey iurygregory arne_wiebalck cenne and Ironic o/ | 08:21 |
cenne | hey janders o/ :) | 08:26 |
* dtantsur slowly blinks | 08:56 | |
janders | hey dtantsur o/ | 09:01 |
*** sshnaidm is now known as sshnaidm|afk | 09:24 | |
opendevreview | cenne proposed openstack/ironic master: Add `boot_mode` and `secure_boot` to node object and expose in api https://review.opendev.org/c/openstack/ironic/+/797055 | 09:36 |
cenne | yay.. Seems like first part (read states) is done. Review anyone? ^^^ | 09:37 |
iurygregory | cenne, I will add to my list to review | 09:42 |
dtantsur | I'll also get to it as soon as possible | 10:01 |
cenne | Thank you :) | 10:06 |
*** sshnaidm|afk is now known as sshnaidm | 10:47 | |
janders | see you tomorrow Ironic o/ | 12:34 |
opendevreview | cenne proposed openstack/ironic-inspector master: Fix broken links in CONTRIBUTING.rst https://review.opendev.org/c/openstack/ironic-inspector/+/799047 | 12:37 |
cenne | bye janders | 12:38 |
TheJulia | dtantsur: slowly blinking.... I guess is better than snoring at the computer | 13:23 |
dtantsur | somewhat :) good morning TheJulia | 13:23 |
opendevreview | Aija Jauntēva proposed x/sushy-oem-idrac stable/victoria: Revert "Add get PXE port MACs for BIOS mode" https://review.opendev.org/c/x/sushy-oem-idrac/+/799061 | 13:24 |
opendevreview | Aija Jauntēva proposed x/sushy-oem-idrac stable/victoria: Revert "Add export system configuration" https://review.opendev.org/c/x/sushy-oem-idrac/+/799062 | 13:25 |
TheJulia | Any chance I can get one more core review on https://review.opendev.org/c/openstack/ironic-python-agent/+/798732 so I can hopefully get the downstream ball moving forward ? | 13:28 |
TheJulia | dtantsur: thanks! | 13:39 |
TheJulia | much appreciated | 13:39 |
dtantsur | np, I was about to review it anyway :) | 13:40 |
opendevreview | Merged openstack/networking-baremetal master: Update min version of tox to use allowlist https://review.opendev.org/c/openstack/networking-baremetal/+/796395 | 13:50 |
TheJulia | sweet, my puppet-ironic change got reviews. Now to just figure out the headache with xinetd | 14:02 |
JayF | its existence? | 14:02 |
* JayF has never liked [x]inetd | 14:03 | |
TheJulia | long story short, xinetd/tftpd are going poof in rhel9 | 14:03 |
JayF | like, gone-gone? | 14:03 |
JayF | That seems like a bad idea to drop tftpd when so much stuff still needs it | 14:03 |
TheJulia | like, won't be shipped anymore. The plus is dnsmasq can be a tftp server as well and you can turn off the other stuff | 14:03 |
TheJulia | *but* I'm sure that won't make *everyone* happy | 14:04 |
JayF | yeah, that's going to confuse the hell outta a lot of people... I know that, you know that, $average_openstack_operator is going to have lots of WTFs/minute trying to figure out why they have dnsmasq running | 14:04 |
JayF | lol | 14:04 |
TheJulia | We're seeing an increasing demand for just getting the frak out of classic network booting too | 14:04 |
JayF | demand internally, I'd assume? | 14:05 |
TheJulia | demand from customers | 14:05 |
opendevreview | Merged openstack/networking-generic-switch master: Update min version of tox to use allowlist https://review.opendev.org/c/openstack/networking-generic-switch/+/796397 | 14:05 |
JayF | Why would they care if you supported, optionally, bios/oldschool pxe booting? | 14:05 |
TheJulia | Security compliance rules and regulations | 14:05 |
TheJulia | or increased operational security needs due to the machine not being in your local data center with a guard watching over it | 14:06 |
TheJulia | think cabinets in yards :) | 14:07 |
JayF | Not-shipping legacy boot material is /not/ going to eliminate that risk in any real way. Firmware security, forcing use of secure boot (or even just UEFI) is the route to that | 14:07 |
TheJulia | or my favorite, embedded things on telephone poles | 14:07 |
JayF | I just don't like it when folks try to remove flexibility for everyone else for their obscure use case; especially when "not supporting something" is just adding one more easy hoop for an attacker to jump thru | 14:07 |
JayF | unless you get the firmware locked down, Bessie the Cow is going to go hack your farm datacenter :P | 14:08 |
TheJulia | That is partially true, the issue is they don't want unauthenticated networks or dhcp/address auto-assignment to be in places where they don't have absolute physical control of the port unless it is past a CPE. | 14:08 |
JayF | I don't understand how that's anything different than a switch configuration? Unless you're talking about the server itself rejecting the ability to DHCP | 14:09 |
TheJulia | it is more a maintainership issue with regards to xinetd/tftpd. Nobody is stepping up to maintain packages from what I understand | 14:09 |
JayF | That was my initial assumption when you noted that | 14:09 |
JayF | nobody wants to work on boring background C programs anymore | 14:09 |
TheJulia | Switch configuration, or even the wire running into a data center | 14:09 |
JayF | Go ask Poettering to add systemd-netbootd ;) | 14:09 |
TheJulia | oh my | 14:10 |
JayF | I need the folks in my sysadmin channel to have a new thing to complain about anyway (I <3 them even if they hate systemd) | 14:11 |
TheJulia | ohhh ahhh systemd hate :) | 14:11 |
TheJulia | http://memecrunch.com/meme/154ZY/emperor-good/image.png | 14:13 |
* arne_wiebalck just had to disable http and go back to tftp for some (relatively new) servers since the nodes were not able to download the image provided by PXE ... | 14:18 | |
opendevreview | Aija Jauntēva proposed x/sushy-oem-idrac stable/victoria: Update virtual media boot-related constants https://review.opendev.org/c/x/sushy-oem-idrac/+/797065 | 14:20 |
opendevreview | Aija Jauntēva proposed x/sushy-oem-idrac stable/victoria: Update RETRY_COUNT for virtual media boot https://review.opendev.org/c/x/sushy-oem-idrac/+/797066 | 14:25 |
opendevreview | cenne proposed openstack/ironic master: Add `boot_mode` and `secure_boot` to node object and expose in api https://review.opendev.org/c/openstack/ironic/+/797055 | 14:37 |
opendevreview | Merged openstack/ironic master: Skip port create if MAC is blank https://review.opendev.org/c/openstack/ironic/+/798844 | 15:02 |
opendevreview | Merged openstack/ironic-python-agent stable/train: Train only - Fix py3 support for bootloader default config load https://review.opendev.org/c/openstack/ironic-python-agent/+/798732 | 15:02 |
opendevreview | Aija Jauntēva proposed x/sushy-oem-idrac stable/victoria: Revert "Add export system configuration" https://review.opendev.org/c/x/sushy-oem-idrac/+/799062 | 15:28 |
arne_wiebalck | bye everyone o/ | 15:32 |
TheJulia | goodnight arne_wiebalck | 15:32 |
*** sshnaidm is now known as sshnaidm|afk | 15:46 | |
JayF | I'm going to work to build out CI for the anaconda driver, see if I can knock it out today/tomorrow. | 15:47 |
JayF | Is there a job I should integrate that into, or just make a new one? I'm assuming standalone likely won't work as it won't have Glance... | 15:48 |
TheJulia | uhhh hmmm | 15:49 |
TheJulia | I think we still load up glance on the ironic standalone jobs | 15:49 |
TheJulia | the only most restrictive jobs are tempest functional | 15:49 |
JayF | Hmm OK. I'll try for standalone then | 15:50 |
TheJulia | And those are just ironic and keystone if I'm recalling correctly | 15:50 |
TheJulia | Easy to check, fwiw | 15:50 |
JayF | I was mainly asking about "is there another job with duplicate testing matrices that I can hijack to be anaconda instead" | 15:50 |
JayF | because I didn't think it'd be ideal to add even more resource gobbling in the gate if I can avoid it :) | 15:51 |
dtantsur | standalone jobs are also at their limit | 15:51 |
TheJulia | true, extending the timeout wouldn't be ideal really | 16:01 |
JayF | I'll do a PR to create a new, passing job... then we can argue about where to put it once it's working :D | 16:04 |
TheJulia | JayF: ack. I've got a change to add a couple new jobs as well, but they are semi-transitory in nature because I'm hoping to change the overall default in the gate as other projects implement scope enforcement | 16:08 |
* TheJulia is super thrilled it passes and ironic/ironic inspector can work together and nova can call ironic with scope enforcement enabled | 16:08 | |
JayF | https://review.opendev.org/c/openstack/ironic/+/780398 pretty easy review to land Anaconda configdrive support if anyone has time. It'd be incredibly helpful for my downstream work if this could get a review today. | 16:29 |
TheJulia | JayF: I can look shortly | 16:31 |
JayF | thanks! | 16:31 |
* TheJulia goes and makes coffee first | 16:31 | |
JayF | Hmm. Anyone know where you can get pxe boot material for CentOS? I suspect that'll have what I need for CI | 16:36 |
JayF | http://mirror.hostduplex.com/centos/8-stream/BaseOS/x86_64/os/images/pxeboot/ | 16:36 |
TheJulia | from packages or published artifacts? | 16:36 |
JayF | not on the website, but you can navigate to them | 16:37 |
TheJulia | ahh, yeah | 16:37 |
JayF | TheJulia: I'm looking at https://docs.openstack.org/ironic/latest/admin/anaconda-deploy-interface.html#creating-an-os-image and trying to determine how to get kernel/ramdisk/stage2 and image | 16:37 |
JayF | preferably without building them customly as the doc suggests, as that'll be painful in devstack | 16:37 |
TheJulia | I'd just wget them from a mirror. the infra folks may have a preferred mirror url to use | 16:38 |
JayF | Yeah; I'm saying I'm not sure the artifacts actually exist I need | 16:38 |
TheJulia | It is worth asking :) | 16:38 |
TheJulia | oh... hmmm | 16:38 |
TheJulia | JayF: it *could* be that the image may be a composite initrd | 16:40 |
TheJulia | 78mb seems huge | 16:40 |
JayF | You mean, no stage 2? | 16:40 |
TheJulia | Yeah | 16:41 |
JayF | That'd be a pretty bad thing to change mid-stream... our driver doesn't support no stage 2 | 16:41 |
JayF | And I know the driver works on rhel 8 :/ | 16:41 |
TheJulia | hmm.. | 16:41 |
TheJulia | rhel8.4 ? | 16:41 |
JayF | I don't know what zer0c00l tested it on | 16:42 |
TheJulia | so, I think I see an issue with the config drive patch | 16:44 |
TheJulia | but I'm okay with it merging as long as we note a limitation | 16:44 |
JayF | What's the issue/limitation? | 16:45 |
TheJulia | and maybe put a warning in the doc until it is fixed | 16:45 |
TheJulia | that field can be a url | 16:45 |
TheJulia | if switft storage of config drive objects is enabled. | 16:45 |
TheJulia | swift | 16:45 |
JayF | So we have to fetch that url if it's a URL | 16:45 |
TheJulia | yup | 16:45 |
JayF | that sounds like a -1 not a merge with limitations to me | 16:45 |
JayF | tbh | 16:45 |
TheJulia | the kinder forgiving human didn't want to -1 without discussing it first | 16:46 |
JayF | same as me yesterday morning, I get it | 16:46 |
JayF | but it's best for that to be working for all cases | 16:46 |
JayF | I know our feature matrices are complex, I don't wanna add another thing to the list of stuff that's "different" in a given case | 16:46 |
opendevreview | cenne proposed openstack/ironic-inspector master: Fix broken links in CONTRIBUTING.rst https://review.opendev.org/c/openstack/ironic-inspector/+/799047 | 17:52 |
opendevreview | Leo McGann proposed openstack/ironic-specs master: Add attestation interface spec https://review.opendev.org/c/openstack/ironic-specs/+/576718 | 18:53 |
TheJulia | lmcgann: I guess it made sense to rename it? | 19:09 |
lmcgann | yeah. I'd gotten a couple of comments on previous iterations about the 'no-security' interface sounding scary. Also the interface wouldn't be the place to implement other kinds of security related stuff in the future so claiming the name 'security interface' seems inaccurate | 19:12 |
TheJulia | sounds good | 19:18 |
JayF | This is a hugely positive change | 19:34 |
JayF | I didn't realize how much my opposition to the spec was that it was called "security" so much until many of my complaints dissipate when it's for attestation | 19:35 |
opendevreview | Leo McGann proposed openstack/ironic-specs master: Add attestation interface spec https://review.opendev.org/c/openstack/ironic-specs/+/576718 | 20:30 |
TheJulia | I think the big difference is if attestation fails, then things fail for good | 20:39 |
TheJulia | well, for_good() sounds like atoms_for_peace() | 20:39 |
TheJulia | but not as permanent as it sounds nor as explodly with high energy particles... | 20:39 |
TheJulia | Zero Rapidly Unscheduled Disassembles in Ironic. | 20:40 |
JayF | I also think calling it a security interface implies things it won't deliver :) | 20:40 |
TheJulia | well, the original interface name was to provide a hook location into halt processes in the name of security based upon if $nebulous_other_thing started screaming nope like a cat running from... well... ... umm... well.. it just being a cat. | 20:47 |
stevebaker | good morning | 21:00 |
kkillsfirst | Hello, I am creating a node using fake-hardware for the driver. I keep receiving the error "Service Unavailable (HTTP 503) (HTTP 500)". I used the Developer Quick-Start as my guide to set up the configuration. | 21:55 |
NobodyCam | Good afternoon Ironic folks | 22:04 |
NobodyCam | anyone happen to know where Nova-compute kicks off the port reattach on a restart? | 22:08 |
opendevreview | melanie witt proposed openstack/ironic master: Suppress policy deprecation and default change warnings https://review.opendev.org/c/openstack/ironic/+/799120 | 22:19 |
janders | good morning Ironic o/ | 22:43 |
NobodyCam | morning janders ! | 22:43 |
janders | hey NobodyCam | 22:43 |
NobodyCam | :) | 22:44 |
janders | stevebaker TheJulia (and All :) ) I'm trying to familiarise myself with the bits of Ironic code responsible for actions taken in Enroll and Verifying states (I need to understand the code better before I can complete the RFE I'm working on). Would you be able to point me to the relevant parts of Ironic code? | 22:47 |
stevebaker | janders: I'm not that familiar tbh | 22:49 |
janders | thanks stevebaker :) usually I can find my way, but this part of the codebase seems very... invisible | 23:02 |
janders | and not many seem to know either | 23:02 |
stevebaker | forbidden code | 23:04 |
janders | haha :) | 23:04 |
janders | Enroll is mostly referenced in Inspector, and Verifying is not easy to search as it is mostly used in the context of cert verification | 23:04 |
janders | I wonder if this is the section I am looking for: https://opendev.org/openstack/ironic/src/branch/master/ironic/conductor/manager.py#L1231 | 23:40 |
janders | https://opendev.org/openstack/ironic/src/branch/master/ironic/conductor/manager.py#L1146 and this | 23:43 |