JayF | basically, took a cloud image, used it as the base for a full qemu image, booted it, got a user password inside with virt-customize | 00:00 |
---|---|---|
JayF | dnf/yum-anything fails with a no repos message; what's inside /etc/yum.repos.d/ is a comments-only redhat.repo telling you to run subscription manager if you have entitlements and want to get packages installed | 00:00 |
JayF | I'm getting offline for now; I hope I see tomorrow I did something wrong versus this being the current state of centos | 00:01 |
kubajj | Morning Ironic | 11:17 |
kubajj | JayF: I was just writing something about the API in my dissertation and I found out that you did not include the comment about node sharing in API/controllers/v1/versions.py on line 122. I don't know if it's needed, but I just thought I could point it out | 11:18 |
JayF | kubajj: if you wanna put up a quick follow up correcting it, I can land it. Otherwise I'll take a look later this afternoon. | 16:28 |
kubajj | JayF: I can have a look at it | 16:29 |
opendevreview | Jakub Jelinek proposed openstack/ironic master: Add a comment about node sharding to API versions https://review.opendev.org/c/openstack/ironic/+/875224 | 16:40 |
TheJulia | kubajj: approved | 18:24 |
JayF | thank you kubajj | 18:41 |
jlvillal | Hi all :) I was trying bifrost stable/zed on AlmaLinux 9.1. It got to the part of trying to start `ironic-inspector` and got an error: ERROR oslo.service.wsgi [-] Could not bind to :::5050: OSError: [Errno 97] Address family not supported by protocol | 19:19 |
jlvillal | Just curious if anyone knows a simple fix for this or if I will need to do a deep dive to try to figure it out... :) | 19:20 |
jlvillal | More details if useful: https://paste.opendev.org/show/bYITNQTbfRsRCunUKn0x/ | 19:21 |
TheJulia | jlvillal: o/ | 19:23 |
jlvillal | o/ :) | 19:23 |
TheJulia | jlvillal: insmod ipv6 or set up addresses to bind to with v4 | 19:24 |
TheJulia | :: is the default for v6 | 19:24 |
jlvillal | TheJulia, Thanks. For sure I want to use ipv4. | 19:25 |
TheJulia | :: with v6 is also ipv4+ipv6 so it will still work with v4 | 19:25 |
TheJulia | just, fyi | 19:25 |
jlvillal | So I see in /etc/ironic/ironic.conf it has endpoint_override = http://10.76.108.18:5050 which I'm guessing is where 5050 comes from. | 19:26 |
TheJulia | well, inspector | 19:26 |
TheJulia | so ironic-inspector.conf | 19:26 |
jlvillal | Ah okay. I guess I will try the `insmod` first. :) | 19:26 |
TheJulia | heh, okay | 19:27 |
* TheJulia | goes and recalibrates 3d printer | 19:27 |
jlvillal | Good luck! I guess our default of `ipv6.disabled=1` on the command line is breaking things. | 19:28 |
jlvillal | kernel command line that is. | 19:28 |
TheJulia | jlvillal: yeah, likely | 19:29 |
TheJulia | listen_address in ironic_inspector.conf | 19:30 |
TheJulia | set it to an ip :) | 19:30 |
jjy | Hi. I asked a question yesterday -- where does the authentication take place between ironic and an external HTTP image server | 19:30 |
jlvillal | Thanks. Will do. Reading the docs now! :) | 19:30 |
opendevreview | Jay Faulkner proposed openstack/ironic master: DNM: API-Ref rendering science https://review.opendev.org/c/openstack/ironic/+/875253 | 19:38 |
JayF | jjy: okay, I'm going to give this 15 minutes undivided, we'll figure it out | 19:38 |
JayF | jjy: AFAICT, from reading in https://github.com/openstack/ironic/blob/a48af6b5f13598ef83fff6dfd5a01480ed23743d/ironic/drivers/modules/image_utils.py, the conductor caches the image, then serves it up for IPA API | 19:41 |
JayF | jjy: if, at that point, you want some kind of authentication on that image download, I believe you'd have to bring some of that yourself (e.g. client certificate validating https proxy + configuring ironic_python_agent_tls) ... there may be some pieces to automate this | 19:42 |
JayF | dtantsur: when we did the auto-tls stuff for IPA; did any of that include making sure image downloads from conductor->IPA were secured? | 19:42 |
JayF | jjy: there is support for using swift to store images too; if you were using that, we create a swift temporary url and hand it off to IPA to download directly | 19:44 |
JayF | I think that's the only case where IPA is reaching directly out to a remote server to get an image (and not the conductor) but it's extremely possible I'm wrong | 19:45 |
JayF | dtantsur: also, in case you missed it: https://review.opendev.org/c/openstack/openstackdocstheme/+/874957 appears to be the fix for the api-ref issue you identified; ty for sparking that | 20:13 |
jjy | Thanks! It concludes that the authentication is between ironic and the external HTTP server. Currently I did not bake any certificate in the IPA ramdisk OS, thus there will be no authentication between IPA and ironic. Also I did not use swift to store images. | 20:15 |
JayF | So let's be clear | 20:19 |
JayF | there are different /kinds/ of communication | 20:19 |
JayF | IPA communicates with the Ironic API in order to get commands to run and to send node information (e.g. inspection results) back to the API. | 20:19 |
JayF | These connections can be trivially configured to be TLS secured, and use a methodology we refer to as "agent token" to identify and authenticate IPA connections into the Ironic API | 20:20 |
opendevreview | Merged openstack/ironic master: Add a comment about node sharding to API versions https://review.opendev.org/c/openstack/ironic/+/875224 | 20:20 |
JayF | During deployment; IPA downloads an image to put onto the disk when using the `direct` deployment method (default). These should be TLS secured if you have TLS configured properly on the conductor and the external_url; but we currently do not perform authentication on these requests. | 20:21 |
JayF | That's the state of things as I understand it now. | 20:21 |
JayF | If you're using TLS; there is extremely minimal risk in the image download portion. In fact, if you have "secrets" you need, instead of putting them in the image (and needing to worry about putting the image behind authorization), you can use user data communicated into the node via configdrive (and usually parsed/read by cloud-init) to inject secrets in a more secure way | 20:22 |
JayF | jjy: ^ | 20:22 |
* JayF | hopes that context is helpful | 20:22 |
JayF | everything after 'during deployment' changes if you're using a different deployment driver; such as ramdisk (which just boots a ramdisk image of your choice on the node) or kickstart (which configures and launches an automated kickstart install of rhel{-like} OSes) | 20:23 |
jjy | Thanks!! | 20:34 |
JayF | Is there a reason, generally, why Ironic doesn't participate in the OpenStack VMT? Is there something historical there? | 20:54 |
JayF | I'm reviewing vanou's proposed doc on vulnerability reporting, and it seems like the best "fix" would just be to put in with the OpenStack-wide process | 20:55 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!