opendevreview | Steve Baker proposed openstack/ironic master: Set postgress password encryption for FIPS compliance https://review.opendev.org/c/openstack/ironic/+/803128 | 01:28 |
---|---|---|
opendevreview | Steve Baker proposed openstack/ironic master: DNM/WIP - Add FIPS jobs https://review.opendev.org/c/openstack/ironic/+/797739 | 01:28 |
*** pmannidi is now known as pmannidi|brb | 03:54 | |
opendevreview | Steve Baker proposed openstack/ironic master: Set postgress password encryption for FIPS compliance https://review.opendev.org/c/openstack/ironic/+/803128 | 04:20 |
opendevreview | Steve Baker proposed openstack/ironic master: DNM/WIP - Add FIPS jobs https://review.opendev.org/c/openstack/ironic/+/797739 | 04:20 |
*** pmannidi|brb is now known as pmannidi | 04:58 | |
iurygregory | good morning janders and Ironic o/ | 06:13 |
cenne | Good morning iurygregory, janders and Ironic o/ | 07:09 |
iurygregory | good morning cenne o/ | 07:11 |
cenne | hey iurygregory o/ | 07:11 |
*** sshnaidm|afk is now known as sshnaidm | 07:27 | |
*** rpittau|afk is now known as rpittau | 07:30 | |
rpittau | good morning ironic! o/ | 07:30 |
iurygregory | good morning rpittau o/ | 07:30 |
rpittau | hey iurygregory :) | 07:38 |
dtantsur | morning ironic | 07:57 |
opendevreview | Dmitry Tantsur proposed openstack/bifrost master: Remove destination when doing copy_from_local_path https://review.opendev.org/c/openstack/bifrost/+/803234 | 08:14 |
opendevreview | Dmitry Tantsur proposed openstack/bifrost master: DNM test the upgrade job https://review.opendev.org/c/openstack/bifrost/+/800673 | 08:14 |
cenne | morning dtantsur | 08:24 |
opendevreview | Riccardo Pittau proposed openstack/networking-generic-switch master: Fix tempest based job https://review.opendev.org/c/openstack/networking-generic-switch/+/803320 | 08:52 |
rpittau | mmm I'm actually not 100% sure about this ^ | 08:54 |
dtantsur | who can be 100% sure of anything in our ever-changing world? | 08:59 |
dtantsur | (on this philosophical note I need to go buy some groceries) | 08:59 |
anyrude10 | Hi Team, I am trying to provision Baremetal Node using Ironic service. I am using Kolla-Ansible tool 12.0.0 for openstack wallaby release. As soon as I run openstack baremetal node provision command, it powers on the server and system gets IP 20.20.20.10 which is in the range that I have defined in globals.yml ironic_dnsmasq_dhcp_range: "20.20.20.10,20.20.20.100", nothing happens after that. Node goes in clean_failed state after some time. Can | 09:11 |
opendevreview | Verification of a change to openstack/sushy stable/wallaby failed: Removing optional fields from insert_media payload https://review.opendev.org/c/openstack/sushy/+/803197 | 10:01 |
janders | hmm - first time I have a gate failure - what do I need to do about ^ ? | 10:07 |
janders | logs show some GRUB related thing, I don't think the change would break that | 10:07 |
ajya | janders: recheck | 10:17 |
janders | ajya: does the -2 by Zuul need to be removed by a reviewer? I tried recheck but it doesn't seem to be re-running gate jobs if I understand the status correctly | 10:18 |
ajya | janders: no, it will be removed/updated when there are new results | 10:20 |
janders | ok! thank you ajya | 10:20 |
ajya | note, it will run again check jobs and then gate (so there is still room for intermittent failing in both runs) | 10:21 |
opendevreview | Merged openstack/bifrost master: Trivial: fix a warning in bifrost-keystone-client-config https://review.opendev.org/c/openstack/bifrost/+/803196 | 10:27 |
dtantsur | folks, https://review.opendev.org/c/openstack/bifrost/+/803235 and https://review.opendev.org/c/openstack/bifrost/+/803234 make the upgrade CI job actually test upgrades | 10:39 |
opendevreview | Merged openstack/ironic stable/ussuri: Refactor RedfishVirtualMediaBoot https://review.opendev.org/c/openstack/ironic/+/801870 | 10:51 |
*** pmannidi is now known as pmannidi|brb | 10:57 | |
dtantsur | mgoddard: side note re https://review.opendev.org/c/openstack/kolla-ansible/+/793664: you should consider using HTTP basic auth when keystone is not used. | 10:58 |
dtantsur | janders: the vmedia failure on your patch looks like a broken CI :-/ | 10:58 |
dtantsur | cp: cannot stat '/usr/lib/shim/shimx64.efi': No such file or directory | 10:58 |
janders | dtantsur: agreed | 10:59 |
dtantsur | I see the same failure on an ironic patch, so it's not your patch for sure | 11:00 |
dtantsur | bloody ubuntu, where do you put this file now? | 11:00 |
janders | I wonder if grub version in repos has changed or something | 11:00 |
janders | maybe it's /dev/urandom now? :) | 11:00 |
dtantsur | the shim package is empty, wtf | 11:01 |
dtantsur | okay, we need shim-signed | 11:02 |
opendevreview | Dmitry Tantsur proposed openstack/ironic master: Use shim-signed on Ubuntu, shim is empty now https://review.opendev.org/c/openstack/ironic/+/803327 | 11:07 |
dtantsur | janders: hopefully ^^^ | 11:07 |
janders | thank you dtantsur! :) | 11:08 |
dtantsur | janders: re WriteProtected: my question was about sending WriteProtected unconditionally with the PATCH method | 11:09 |
janders | looking | 11:09 |
dtantsur | (just to be clear: I don't suggest to change the backport) | 11:09 |
janders | I misread your comment, sorry | 11:10 |
janders | looking at the original code too | 11:10 |
janders | ok, I get it now | 11:12 |
janders | so - now we are sending it unconditionally | 11:12 |
janders | and given the previous version of my patch broke Lenovo due to changing things not affecting SuperMicro (which I was trying to fix) I tried to make the least possible change for the PATCH-based code path | 11:13 |
janders | what is your thinking - what's the alternative? | 11:13 |
janders | (I'm happy to tweak it further in a follow up if we come up with a better approach) | 11:15 |
janders | only send it when it's False? | 11:15 |
opendevreview | Merged openstack/ironic stable/ussuri: Fix redfish-virtual-media file permission https://review.opendev.org/c/openstack/ironic/+/801871 | 11:19 |
dtantsur | janders: I suspect that Lenovo only requires Inserted, not WriteProtected | 11:30 |
dtantsur | although you can never be sure | 11:30 |
dtantsur | so yeah, I wonder if we can only send it if it's False, similarly to the other code path | 11:30 |
* dtantsur -> lunch, brb | 11:30 | |
janders | dtantsur I probably need to test this, need to ask Dan again about the Lenovo in our lab | 11:53 |
janders | will try do that tomorrow | 11:53 |
*** pmannidi|brb is now known as pmannidi | 11:55 | |
janders | see you tomorrow Ironic o/ | 11:59 |
rpittau | bye janders | 11:59 |
rpittau | weird, shim should have /usr/lib/shim/shimx64.efi | 11:59 |
dtantsur | rpittau: only shim-signed now | 11:59 |
dtantsur | I've tried installing shim on a fresh container, it came empty | 12:00 |
* dtantsur checks zuul | 12:00 | |
rpittau | super weird, according to the official packages list, the file should be there | 12:00 |
dtantsur | *shrug* | 12:00 |
rpittau | https://packages.ubuntu.com/focal/amd64/shim/filelist | 12:00 |
dtantsur | maybe it's a bug on their side? | 12:01 |
rpittau | maybe, let's see if the change works | 12:01 |
dtantsur | anyway, shim-signed is what we recommend in the docs. the change is running tests now, so at least it's past devstack. | 12:01 |
rpittau | yeah | 12:01 |
opendevreview | Derek Higgins proposed openstack/ironic-python-agent master: Output verbose info from efibootmgr https://review.opendev.org/c/openstack/ironic-python-agent/+/803331 | 12:03 |
dtantsur | rpittau: ironic-tempest-partition-uefi-redfish-vmedia passed | 12:05 |
rpittau | ok | 12:06 |
dtantsur | Do you remember where we use Focal? V+? | 12:06 |
opendevreview | Bob Fournier proposed openstack/python-ironicclient master: Include BIOS registry fields in bios setting list command https://review.opendev.org/c/openstack/python-ironicclient/+/803332 | 12:06 |
opendevreview | Bob Fournier proposed openstack/python-ironicclient master: Include BIOS registry fields in bios setting list command https://review.opendev.org/c/openstack/python-ironicclient/+/803332 | 12:11 |
rpittau | dtantsur: should be from Victoria | 12:15 |
rpittau | I'm really wondering if we should not use OVN in the networking-generic-switch tempest job | 12:59 |
dtantsur | we likely should not | 12:59 |
dtantsur | cc lucasagomes | 12:59 |
dtantsur | https://review.opendev.org/c/openstack/ironic/+/803327 is green, please review to unblock the CI | 13:02 |
TheJulia | approved | 13:15 |
dtantsur | thx | 13:15 |
* TheJulia kindly requests a new body that has no pain | 13:16 | |
dtantsur | same :( | 13:16 |
dtantsur | I hope our current ones get fixed asap instead | 13:16 |
TheJulia | I almost stayed in bed. My neck is killing me | 13:16 |
opendevreview | Dmitry Tantsur proposed openstack/ironic stable/wallaby: Use shim-signed on Ubuntu, shim is empty now https://review.opendev.org/c/openstack/ironic/+/803337 | 13:23 |
opendevreview | Dmitry Tantsur proposed openstack/ironic stable/victoria: Use shim-signed on Ubuntu, shim is empty now https://review.opendev.org/c/openstack/ironic/+/803338 | 13:23 |
dtantsur | let's see how backports behave | 13:23 |
TheJulia | That is a wonderfully breaking change :( | 13:26 |
TheJulia | #ThanksUbuntu | 13:27 |
*** pmannidi is now known as pmannidi|AFK | 13:54 | |
anyrude10_ | Hi Team, I am trying to provision Baremetal Node using Ironic service. I am using Kolla-Ansible tool 12.0.0 for openstack wallaby release. As soon as I run openstack baremetal node provision command, it powers on the server and system gets IP 20.20.20.10 which is in the range that I have defined in globals.yml ironic_dnsmasq_dhcp_range: "20.20.20.10,20.20.20.100", nothing happens after that. Node goes in clean_failed state after some time. | 14:15 |
opendevreview | Riccardo Pittau proposed openstack/networking-generic-switch master: Fix tempest based job https://review.opendev.org/c/openstack/networking-generic-switch/+/803320 | 14:17 |
dtantsur | anyrude10_: I've responded on the ML, but in essence, we cannot debug networking issues in your environment from just an extremely generic error message. | 14:21 |
dtantsur | Somehow the packages from the nodes don't reach the Neutron's DHCP server or something similar happens. | 14:21 |
dtantsur | Possible causes include misconfiguration of the network interface, firewall issues, MTU issues and many more. | 14:22 |
opendevreview | Verification of a change to openstack/ironic master failed: Use shim-signed on Ubuntu, shim is empty now https://review.opendev.org/c/openstack/ironic/+/803327 | 14:32 |
anyrude10_ | Thanks dtantsur....I can't find any relevant logs in dnsmasq and tcpdump...I'll just update you the logs as well | 14:43 |
TheJulia | If the packet is getting to dnsmasq, it might be ignoring it due to a misconfiguration | 15:26 |
TheJulia | if it is configured for a network that doesn't align with the addressing on the available interface, depending on the config it can still launch, but it will ignore everything | 15:27 |
TheJulia | unfortunately, those are the sort of problems you have to get tcpdump out for, begin sniffing ports, to understand if the traffic is making it to the interface the service is operating on, and if it is not responding, then looking at its configuration and properties. Also, you may need to just turn on debug logging for dnsmasq at which point it does log the errors indicating it is ignoring a request. | 15:28 |
dtantsur | I wonder if neutron allows ^^^ | 15:32 |
opendevreview | Verification of a change to openstack/ironic master failed: Use shim-signed on Ubuntu, shim is empty now https://review.opendev.org/c/openstack/ironic/+/803327 | 15:32 |
rpittau | gotta love fake zuul updates from arm64 tests | 15:39 |
dtantsur | yeah | 15:40 |
TheJulia | dtantsur: I... don't think it does which typically means base networking configuration issue, in my experience | 15:44 |
TheJulia | like the port doesn't actually bridge through | 15:44 |
TheJulia | or the wrong interface is set or something like that | 15:44 |
opendevreview | Julia Kreger proposed openstack/ironic master: WIP: Record Errors in history https://review.opendev.org/c/openstack/ironic/+/803292 | 15:54 |
rpittau | have a great rest of the day everyone! o/ | 16:13 |
*** rpittau is now known as rpittau|afk | 16:13 | |
kkillsfirst | Hello, I am working in agent_base.py. I was wondering how/when is the tear_down_agent is used/called? I can't get a response in the logs from my outputs in the function. | 16:37 |
dtantsur | kkillsfirst: it's a deploy step, noticed the @deploy_step decorator | 16:37 |
dtantsur | deploy steps are collected by the conductor and executed sequentially | 16:38 |
dtantsur | https://docs.openstack.org/ironic/latest/contributor/deploy-steps.html | 16:38 |
kkillsfirst | Thank you dtantsur. | 16:39 |
dtantsur | np. you just reminded me of another topic to add to my internal presentation... | 16:41 |
cenne | TheJulia: Can I pick your brain for a bit. Re RBAC / policies. | 16:51 |
dtantsur | o/ | 17:17 |
cenne | o/ | 17:28 |
cenne | bye dtantsur | 17:28 |
NobodyCam | Good Morning Ironic folks | 18:12 |
TheJulia | good morning NobodyCam | 18:41 |
TheJulia | cenne: sure | 18:41 |
NobodyCam | :) | 18:41 |
NobodyCam | o/ | 18:41 |
TheJulia | cenne: whats up with rbac and policies? | 18:42 |
cenne | TheJulia: I have actually two questions regarding policies. Wanted your opinion on the best way to add the ones I adding. | 18:45 |
cenne | * I am | 18:45 |
TheJulia | okay | 18:46 |
cenne | Q: Would it be optimal to use the same policy for secure_boot and boot_mode like in my current patch | 18:47 |
cenne | or have them as different policies? | 18:47 |
cenne | My logic is that disabling secure boot is security wise about halfway there to BIOS anyway, | 18:49 |
cenne | And at least on the consumer devices I've used 'BIOS' when enabled is just a compatibility mode with UEFI always available. | 18:49 |
cenne | 18:49 | |
cenne | And there's also the dependency. One can't turn ON secure boot without essentially disabling BIOS (right?). | 18:49 |
cenne | So turning on secure boot means you can force boot mode to be UEFI. | 18:49 |
cenne | In reverse, If you can change boot mode to BIOS, you have essentially turned secure_boot off. | 18:49 |
cenne | I am not familiar with how this works in enterprise grade devices though, so I would like your input. | 18:49 |
JayF | IMO you absolutely need to make `secure_boot` and `boot_mode` separate policies | 18:51 |
JayF | The boot_mode change to bios is only an effective attack if bios is setup to work on all on those servers | 18:52 |
JayF | hopefully we can document that somewhere; IDK how easy that is with the policy in code (e.g. no config file to comment) | 18:52 |
TheJulia | cenne: that is essentially how it works on enterprise devices, and as JayF suggests, two policies are likely ideal | 18:53 |
opendevreview | Merged openstack/ironic master: Use shim-signed on Ubuntu, shim is empty now https://review.opendev.org/c/openstack/ironic/+/803327 | 18:54 |
cenne | okay. Thank you. | 18:58 |
JayF | needs one more +2 to land, it's been outstanding since 7/16 https://review.opendev.org/c/openstack/ironic/+/792873 | 20:50 |
TheJulia | stevebaker: ^^ | 21:04 |
opendevreview | Merged openstack/ironic stable/wallaby: Use shim-signed on Ubuntu, shim is empty now https://review.opendev.org/c/openstack/ironic/+/803337 | 21:05 |
stevebaker | looking | 21:26 |
opendevreview | Merged openstack/ironic stable/wallaby: Ironic index docs/command check backport https://review.opendev.org/c/openstack/ironic/+/792873 | 22:55 |
opendevreview | Steve Baker proposed openstack/ironic master: Set postgress password encryption for FIPS compliance https://review.opendev.org/c/openstack/ironic/+/803128 | 22:55 |
opendevreview | Steve Baker proposed openstack/ironic master: DNM/WIP - Add FIPS jobs https://review.opendev.org/c/openstack/ironic/+/797739 | 22:55 |
*** pmannidi|AFK is now known as pmannidi | 23:47 |