Friday, 2022-07-22

opendevreview: Merged openstack/ironic master: project scoped manager support  https://review.opendev.org/c/openstack/ironic/+/818299 [00:53]
opendevreview: Merged openstack/ironic master: Deprecate syslinux  https://review.opendev.org/c/openstack/ironic/+/842229 [00:53]
opendevreview: Merged openstack/ironic-tempest-plugin master: Add iDRAC Redfish virtual media boot deploy test  https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/845356 [00:53]
opendevreview: Merged openstack/ironic-lib master: json_rpc.client: log the URL and exceptions  https://review.opendev.org/c/openstack/ironic-lib/+/849661 [00:53]
opendevreview: Merged openstack/ironic master: [iRMC] Add SNMPv3 authentication functionality  https://review.opendev.org/c/openstack/ironic/+/845347 [00:54]
opendevreview: SONG SHUKUN proposed openstack/ironic stable/yoga: [iRMC] Add SNMPv3 authentication functionality  https://review.opendev.org/c/openstack/ironic/+/850553 [01:27]
opendevreview: SONG SHUKUN proposed openstack/ironic stable/yoga: [iRMC] Add SNMPv3 authentication functionality  https://review.opendev.org/c/openstack/ironic/+/850553 [01:31]
opendevreview: SONG SHUKUN proposed openstack/ironic stable/xena: [iRMC] Add SNMPv3 authentication functionality  https://review.opendev.org/c/openstack/ironic/+/850554 [01:41]
opendevreview: SONG SHUKUN proposed openstack/ironic stable/xena: [iRMC] Add SNMPv3 authentication functionality  https://review.opendev.org/c/openstack/ironic/+/850554 [01:55]
opendevreview: SONG SHUKUN proposed openstack/ironic stable/xena: [iRMC] Add SNMPv3 authentication functionality  https://review.opendev.org/c/openstack/ironic/+/850554 [02:21]
opendevreview: SONG SHUKUN proposed openstack/ironic stable/wallaby: [iRMC] Add SNMPv3 authentication functionality  https://review.opendev.org/c/openstack/ironic/+/850707 [02:37]
opendevreview: SONG SHUKUN proposed openstack/ironic stable/wallaby: [iRMC] Add SNMPv3 authentication functionality  https://review.opendev.org/c/openstack/ironic/+/850707 [02:40]
*** akahat is now known as akahat|ruck [05:00]
*** undefined is now known as Guest5693 [05:12]
rpittau: good morning ironic, happy Friday! o/ [08:01]
jssfr: good morning ironic!:) [08:50]
jssfr: is there any integration for Ironic to use Smart NICs with NVMe emulation as alternative to PXE boot? [08:50]
timeu: is there something in the openstack client tools that replicates: ironic node-set-provision-state ? [09:55]
opendevreview: Swapnil Machikar proposed openstack/ironic-tempest-plugin master: Add iDRAC Redfish sync boot mode test  https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/848709 [12:47]
TheJulia: jssfr: no, and I'm not sure anyone has even tried to wire it together or even asked the community about something like that before now. From everything I hear across the industry, basically everyone struggles with the pre-baked OS on the cards. [13:05]
opendevreview: Merged openstack/ironic-python-agent master: Remove unused lines of code  https://review.opendev.org/c/openstack/ironic-python-agent/+/850498 [13:06]
TheJulia: jssfr: most people who just don't want to touch PXE boot tend to be using the BMC with virtual media these days [13:06]
TheJulia: timeu: openstack baremetal <state verb> <uuid> [13:07]
jssfr: TheJulia, myeah. The folks I'm talking to don't like BMCs. [13:08]
jssfr: nor do they like PXEs [13:08]
jssfr: they're super into smartnics though [13:08]
jssfr: in their setup, the smartnic is the only thing they trust [13:08]
* TheJulia tries to not laugh [13:08]
TheJulia: smartnics have some huge security issues which are inherent in their design, unfortunately [13:08]
jssfr: :shrug: [13:08]
TheJulia: direct bus access, and all [13:08]
jssfr: I'm not going to argue with them. [13:09]
TheJulia: but... I guess if you're paranoid about the admin doing things to your BMC... [13:09]
jssfr: I'm not so sure about that, I think they simply don't trust BMC implementations. [13:09]
jssfr: for authentication and authorization. [13:09]
*** Guest5693 is now known as rcastillo [13:09]
TheJulia: oh, that is valid too, but is kind of the more common lesser evil really [13:09]
jssfr: they have the smartnics anyway, so it makes sense from their perspective to see if those can be used to solve the issue of non-trustworthy BMC implementations and the inherent issues with PXE security [13:10]
TheJulia: so, how would they suggest these smartnics be configured? [13:10]
jssfr: the idea would be that they pretend to be an NVMe and provide the IPA that way to the machine. [13:11]
jssfr: (they = smartnics here) [13:11]
jssfr: the code on the NIC would presumably have to talk to ironic in order to get boot configuration and whatnot [13:11]
TheJulia: I guess, at present, I think an agent or something would be needed to live in the card's OS, and have credentials stuff. Somehow the bios settings would need to be toggled and all that [13:11]
TheJulia: well, the boot configuration via the bmc [13:11]
jssfr: they have a whole bunch of agent stuff on those already [13:11]
TheJulia: yeah [13:11]
jssfr: hm, if an EFI system partition is on the smart nic NVMe emulation if and only if ironic wants to do something to the node, the bios configuration *could* be static? [13:12]
TheJulia: yeah, that is a possibility, it would have to be written of course [13:13]
jssfr: ack [13:13]
jssfr: I told them that :-) [13:13]
TheJulia: good! :) [13:13]
jssfr: I did not expect anything to exist in this space, honestly. Just wanted to make sure. [13:13]
TheJulia: the overall idea of using like ironic's storage interface with cinder to somehow orchestrate cinder volume attachment proxying has been floated before [13:14]
jssfr: I'll point out BMC virtual media though, I had not mentioned that. [13:14]
TheJulia: but nobody has really come forward with a "hey, xyz" or a solid case [13:14]
TheJulia: Even though we discussed the base challenges and the internal os in the first generation of smartnics, the embedded OS still seems super challenging for everyone... which makes me sad :( [13:14]
jssfr: they already do storage stuff on the NICs, but I honestly don't know how proprietary that is so I'm not gonna go into details ^_^ [13:14]
jssfr: they *really* like those, so I think they overcame the struggles. [13:15]
TheJulia: I mean, it is actually a kind of awesome solution if you can maintain the security barrier the card needs to hold [13:15]
jssfr: my own experiences with smartnics are ........ well, let's say, the offloading did not work as expected and they fell over once the traffic reached a few 100 mbit/s :) [13:15]
TheJulia: ooouch [13:15]
TheJulia: the big security concern I have with smartnics is you basically have a fully open pci bus attack surface, designs that largely predicate the base OS can do whatever it wants with the card, and agents that need credentials internally to communicate with services... and in order to perform various actions, those credentials almost need to be privileged or have some elevated permissions in the infrastructure [13:18]
TheJulia: anyway, in the grand scheme of the universe, I don't think anyone would say no to some sort of agent on a smartnic, but it is a radically different deploy model and authentication, and I think that would be the challenging aspects [13:21]
TheJulia: Granted, we did create the agent token framework, and this would be very similar [13:22]
TheJulia: at least in terms of authorization/access for a limited scope agent [13:22]
timeu: TheJulia: I can't get this to work. Currently due to the virtual media bug the node is stuck in deploying state and I want to move it to failed state so I can clean it again. openstack baremetal node abort does not work and also delete didn't [13:35]
timeu: I can also probably update the state directly in the database but I believe for that the ironic client had the ironic node-set-provision-state command to manually set it. [13:36]
TheJulia: timeu: hmm in the active state... [13:37]
TheJulia: that sounds like a bug, I wonder if the lock is stuck... [13:37]
TheJulia: timeu: because, specifically, abort should work. [13:37]
TheJulia: timeu: but can't work if there is a pre-existing lock :\ [13:37]
timeu: I get this error: The requested action "abort" can not be performed on node "d77e4414-6a9b-41c5-9ecd-32b1920c73b2" while it is in state "deploying". (HTTP 400) [13:38]
timeu: when I run abort [13:38]
timeu: I think the problem is that the error message from redfish caused an exception in the database layer and thus the node was not moved into failed state [13:38]
TheJulia: yeah, i bet the original task for deploying internally crashed out [13:40]
TheJulia: so there is likely an exception we're not catching/handling there because the job does not fail :\ [13:41]
TheJulia: oh, that would *definitely* do it [13:41]
TheJulia: we've seen one of those before someplace [13:41]
timeu: yeah this was because I believe the redfish endpoint returns a non json output and when the error message is stored in the database by ironic the json.dumps call fails [13:44]
timeu: I was wondering if I can just simply update the state in the database of the node and then remove the node and re-add [13:44]
TheJulia: timeu: set the node to "deploy fail" provision state [13:45]
TheJulia: iurygregory: you around? [14:00]
iurygregory: TheJulia, yeah [14:00]
TheJulia: So, apparently the anaconda driver change broke unit testing for a packager [14:01]
TheJulia: specifically, something was getting called which was not mocked. [14:01]
iurygregory: RDO? [14:01]
TheJulia: yup [14:01]
TheJulia: patch inbound in a moment, if we can just approve it, I think the world would be happier [14:01]
iurygregory: happy to do it [14:02]
iurygregory: if is just unit test ofc =) [14:02]
opendevreview: Julia Kreger proposed openstack/ironic master: Fix adoption unit test image check  https://review.opendev.org/c/openstack/ironic/+/850754 [14:04]
TheJulia: and then iurygregory ^ [14:04]
iurygregory: ack o/ [14:05]
iurygregory: it's green locally so I will +W [14:11]
opendevreview: Merged openstack/ironic master: Fix adoption unit test image check  https://review.opendev.org/c/openstack/ironic/+/850754 [14:35]
TheJulia: \o/ [14:46]
iurygregory: \o/ [14:55]
rpittau: bye everyone, have a great weekend! o/ [15:02]
*** undefined is now known as Guest5751 [15:26]
*** Guest5751 is now known as rcastillo_ [15:26]
*** kubajj_ is now known as kubajj [15:27]
*** rpioso_ is now known as rpioso [15:27]
*** johnsom_ is now known as johnsom [15:27]
*** rcastillo_ is now known as rcastillo [17:54]