prometheanfire | TheJulia: got part of the way there at least | 00:58 |
prometheanfire | fetched the image but tried to update the neutron port's dhcp opts and failed because a port is not being created (server is being started with `openstack baremetal deploy foo`) | 00:58 |
prometheanfire | not sure if there's a way to start a ramdisk deploy via nova (which would be preferred), since it seems to require an image I think | 00:59 |
TheJulia | prometheanfire: you have to create the port before deploying with ironic | 01:00 |
TheJulia | and then attach with openstack baremetal node vif attach <neutron_port_uuid> <node-id> | 01:00 |
TheJulia | > | 01:00 |
prometheanfire | ok, I'll look into that, I tried to create a baremetal port with a mac, probably needs more metadata | 01:00 |
TheJulia | err > | 01:00 |
TheJulia | there is the baremetal port which ironic holds data about the port in, and then there is the neutron port for dhcp | 01:00 |
TheJulia | for provisioning we will create ports, but for end nodes booting we need a vif | 01:01 |
TheJulia | There is a weird nuance there | 01:01 |
prometheanfire | ya, I have the baremetal port created but no vif associated with it | 01:01 |
TheJulia | ... we should likely just support a "assign from this" model | 01:01 |
prometheanfire | so I'll create a neutron port manually and assign that as a vif | 01:01 |
TheJulia | ++ | 01:02 |
TheJulia | yup | 01:02 |
prometheanfire | just the mac and baremetal type? | 01:02 |
TheJulia | you just need to create a port on the network you want | 01:02 |
TheJulia | ironic will fix the mac | 01:02 |
TheJulia | and the type | 01:02 |
prometheanfire | ah, neat | 01:02 |
prometheanfire | then assign from this would be nice :D | 01:03 |
TheJulia | https://i.ytimg.com/vi/LaiN63o_BxA/maxresdefault.jpg | 01:03 |
TheJulia | ... which reminds me... the wife asked about getting a new board and display for one of the printers... *gulp* | 01:04 |
prometheanfire | power on, progress :D | 01:05 |
TheJulia | \o/ | 01:05 |
prometheanfire | am I correct in thinking that ramdisk deploys can't be done via `openstack server create`? | 01:06 |
TheJulia | so the idea was that it should work | 01:06 |
TheJulia | well, within reason, but we've never tried it | 01:06 |
TheJulia | ... and depending on how the image is tagged, nova might just disqualify it anyway | 01:06 |
prometheanfire | ya, I have no idea how to tell nova to tell ironic to use a kernel/ramdisk only, so meh for now | 01:07 |
TheJulia | https://github.com/openstack/nova/blob/master/nova/virt/ironic/driver.py#L172 | 01:08 |
prometheanfire | ohh, neat | 01:08 |
TheJulia | it is just a uuid in glance, so if there is not actually a disk image behind it | 01:08 |
TheJulia | then ironic won't care | 01:08 |
TheJulia | as long as the node is set to ramdisk deploy | 01:08 |
TheJulia | the thing is... nova doesn't know about toggling that setting so a node has to be set to ramdisk deploy by default | 01:08 |
prometheanfire | that part is ok | 01:09 |
TheJulia | generally ramdisk was developed for the kind of folks that do scientific batch processing | 01:09 |
TheJulia | as one of those "oh, that would help, sure!" | 01:09 |
TheJulia | good will sort of things | 01:09 |
TheJulia | ... which turned out generally useful in other ways as well | 01:09 |
prometheanfire | yep, makes sense, cern would like that at the least | 01:10 |
TheJulia | I did it after the scientific sig inquired, it made tons of sense | 01:11 |
* TheJulia takes her remaining amount of energy for the day to the kitchen to make pizza | 01:11 |
* prometheanfire waits for the baby to wake | 01:12 |
prometheanfire | hmm, need to boot from disk on reboot (not pxe) | 01:26 |
TheJulia | We don’t reassert so if the ramdisk changes the settings locally it should work | 01:27 |
prometheanfire | ya, I think it tried to boot from disk when it rebooted (went to pxe, but the default was local) | 01:28 |
prometheanfire | it requires some special grub stuff for whatever image is laid down though I think | 01:29 |
TheJulia | if uefi, efibootmgr | 01:34 |
TheJulia | grub-install used to launch it... but not anymore | 01:34 |
prometheanfire | hmm, tried to do the ramdisk install again, not boot from local disk | 01:35 |
prometheanfire | maybe because I selected it | 01:35 |
prometheanfire | and it remembered | 01:36 |
TheJulia | so we do send the boot from as a persistent override, but the host can change itself back | 01:36 |
TheJulia | at least.. I think | 01:36 |
TheJulia | it is all a bit fuzzy at the moment, not feeling that great :( | 01:36 |
prometheanfire | ya, the docs seem to say that ironic remembers the last manual selection | 01:36 |
prometheanfire | dos magic invalid, so it's doing something else, back to google | 01:47 |
TheJulia | :( | 01:48 |
prometheanfire | https://paste.openstack.org/show/819363/ | 02:06 |
prometheanfire | found that, but for now I'm gonna manually select the boot | 02:06 |
prometheanfire | I can chainloader to it at least, have to edit grub manually | 02:14 |
TheJulia | Ahh grub pxe template? | 02:18 |
TheJulia | prometheanfire: https://github.com/openstack/ironic/blob/master/ironic/drivers/modules/deploy_utils.py | 02:21 |
prometheanfire | ? https://github.com/openstack/ironic/blob/master/ironic/drivers/modules/deploy_utils.py#L446 | 02:33 |
TheJulia | Yes, sorry the line highlight didn’t copy on my paste | 02:33 |
prometheanfire | there is an option to force mbr and efi installs, trying that for harvester, if that fails I'll try that | 02:34 |
TheJulia | Enjoy! | 02:34 |
prometheanfire | thanks much for all the help :D | 02:34 |
prometheanfire | I could edit the template https://github.com/openstack/ironic/blob/master/ironic/drivers/modules/pxe_grub_config.template | 02:38 |
prometheanfire | also notice that the boot_whole_disk assumes mbr, so maybe that's it (who knows :D) | 02:38 |
prometheanfire | https://storyboard.openstack.org/#!/story/2004525 is where it was added | 02:43 |
prometheanfire | can confirm the pxe_template works, now seeing if I can make the template boot the whole disk on second boot, I don't think there's a way to override the boot line | 03:49 |
prometheanfire | it hard codes without ability to override on the fly it looks like https://github.com/openstack/ironic/blob/master/ironic/drivers/modules/deploy_utils.py#L130-L189 | 03:50 |
prometheanfire | guess what I'm really looking for is a standard deploy bits to disk, but is managed by a tool other than IPA :| | 03:55 |
prometheanfire | looks like they are working on generating qcow2 images https://github.com/harvester/harvester-installer/pull/457 | 05:17 |
prometheanfire | would make things much easier :D | 05:17 |
arne_wiebalck | Good morning, Ironic! | 06:15 |
jssfr | Good morning, Ironic, arne! | 06:23 |
rpittau | good morning ironic! o/ | 07:29 |
opendevreview | Dmitry Tantsur proposed openstack/ironic master: Remove all references to the "cpus" property https://review.opendev.org/c/openstack/ironic/+/878421 | 09:54 |
iurygregory | morning Ironic | 12:02 |
arozman_metal3 | Hi Ironic! I have been here quite some time ago :D, I am planning to join the PTG I have also registered already, do I need to do anything other than joining the IRC channel ? | 13:36 |
TheJulia | o/ | 13:37 |
TheJulia | arozman_metal3: one moment | 13:37 |
TheJulia | arozman_metal3: Checkout https://ptg.opendev.org/ptg.html | 13:38 |
TheJulia | if you click on the "room", it will launch a meeting client, generally zoom | 13:38 |
arozman_metal3 | ooo, so it is a zoom meeting, I thought just IRC :D, nice | 13:39 |
arozman_metal3 | thanks | 13:39 |
* TheJulia attempts to wake up | 13:41 |
* TheJulia does not recommend the current chest cold she has | 13:44 |
dtantsur | the one we got here is also pretty nasty :( | 13:57 |
TheJulia | Nowhere like the times I've gotten covid, but I've never had chest congestion build up without a fever before, and now I think as of last night I finally have a fever | 13:58 |
dtantsur | oh | 13:58 |
dtantsur | some bacteria is coursing around here.. together with the general shortage of antibiotics, it provides an unpleasant result | 13:59 |
dtantsur | I hope you recover soon TheJulia! | 14:00 |
TheJulia | yay | 14:00 |
knikolla | Hope you feel better soon! | 14:01 |
prometheanfire | TheJulia: sorry to hear, hope that will be the extent of it | 14:27 |
dtantsur | ade_lee: I pasted links to IPA certificate generation in the etherpad | 14:35 |
ade_lee | dtantsur, thanks - will look | 14:39 |
dtantsur | JayF: storyboard migration simplified: maybe just switch to launchpad as a place for *new* bugs? and let old stories be fixed/closed/rot? | 14:44 |
TheJulia | ++ | 14:44 |
TheJulia | I can go push the button if I still have access in launchpad | 14:45 |
dtantsur | let's just do it? then we can at least have working bugs from now on? | 14:46 |
prometheanfire | ++ | 14:46 |
* prometheanfire has a feature request ready :D | 14:47 |
rpittau | launchpad it is then :) | 14:47 |
dtantsur | arozman_metal3: not sure how much metal3 benefits from sharding.. it's more to scale listing operations. the only listing operation we have is to filter nodes that are in-progress. | 14:47 |
dtantsur | it could be much more interesting to support the concept of ownership | 14:47 |
JayF | metal3+sharding could be interesting for running multiple metal3 off a single Ironic :D | 14:48 |
dtantsur | not sure? | 14:48 |
JayF | or for carving out a section of ironic for metal3 only (this is probably better off using node.owner ?) | 14:48 |
JayF | it's a tool you could use for those things if you wanted | 14:48 |
dtantsur | yeah, my thought is that we could benefit from ownership | 14:48 |
JayF | IDK if you want or need to | 14:48 |
arozman_metal3 | there is strong interest for multi-tenancy and many different deployment modes of the Metal3 stack downstream | 14:48 |
dtantsur | arozman_metal3: shards are not a multi-tenancy instrument | 14:48 |
dtantsur | owners are | 14:48 |
dtantsur | we'd need to support Keystone or find another way | 14:49 |
dtantsur | I don't know if folks are going to scream at us for suggesting supporting Kubernetes authentication :D | 14:49 |
arozman_metal3 | okay good to know, in any case I will mention this as it might be still useful for us, also the owners, but nowadays Metal3 is being planned to be used in very special deployment envs and configurations thanks to EDGE use cases | 14:50 |
arozman_metal3 | I have even seen POCs where Ironic manages the machine it is running on so everything and anything will be asked from Ironic, (as I have learned in the last 3-4 months) | 14:53 |
* prometheanfire may drop for the osa room | 14:53 |
dtantsur | wow | 14:54 |
dtantsur | arozman_metal3: honestly, we need to have our own PTG and dedicate a lot of time to discuss 1) multi-tenancy, 2) multi-conductor, 3) edge | 14:54 |
arozman_metal3 | yes I already have a doc, we have had a long discussion with ESJ team on the 17th, I wanted to bring it to the Metal3 community but I have got sick last week, I will start the discussion this week | 14:55 |
JayF | dtantsur: arozman_metal3: if only there was someone planning ways to tie in Ironic to external, non-keystone auth systems <.< >.> | 14:57 |
JayF | dtantsur: does k8s support oauth2.0? The next session is the glue you seek :D | 14:58 |
* dtantsur is researching | 14:58 |
dtantsur | JayF: it does https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens, dunno if it can serve as a provider | 14:59 |
JayF | even if it can't provide, being able to back ironic + k8s with the same backend oauth2.0 server would give good behavior I think | 15:00 |
samuelkunkel[m] | Not to my knowledge. It can use openid connect for its own layer but it only serves as a client. (afaik) | 15:00 |
JayF | and even if not, keystonemiddleware that does k8s auth is probably possible? idk | 15:00 |
samuelkunkel[m] | Not 100% but openid connect is just a subset of oauth2, isn't it? | 15:01 |
JayF | I'm not sure, I'm not really an expert on auth tech | 15:03 |
JayF | just excited for interoperability \o/ | 15:03 |
samuelkunkel[m] | But kubernetes auth should be possible (it uses a JWT Token). Just touched it for some hashivault stuff but we used hashivault approles in the end ;) | 15:05 |
dtantsur | JWT's should be easy to support | 15:07 |
dtantsur | stevebaker[m]: I'm looking at my KUBECONFIG (from an openshift cloud), and it seems to use mTLS | 15:09 |
dtantsur | sorry, wanted to tag samuelkunkel[m] | 15:09 |
stevebaker[m] | :) | 15:10 |
dtantsur | stevebaker[m]: I'm impressed you're awake though :) | 15:10 |
stevebaker[m] | I'm feeling good! considering | 15:11 |
samuelkunkel[m] | dtantsur: https://developer.hashicorp.com/vault/docs/auth/kubernetes | 15:12 |
samuelkunkel[m] | I was just scrolling through the hashivault documentation as I found it pretty good describing the kubernetes auth | 15:12 |
dtantsur | samuelkunkel[m]: it seems to be dependent on the exactly kubernetes distribution and the way it is configured :( | 15:12 |
samuelkunkel[m] | (Like mentioned, about a year ago since I touched it) | 15:13 |
samuelkunkel[m] | Yes and no. I would assume that BoundServiceAccountTokenVolume should be in anything kubernetes alike | 15:13 |
samuelkunkel[m] | So, from the back of my head, you create a ServiceAccount, associate it to your cr via crb and this Serviceaccount also has a JWT implicit. | 15:15 |
samuelkunkel[m] | And this can be used for k8s auth | 15:15 |
dtantsur | I'm reading https://kubernetes.io/docs/reference/access-authn-authz/authentication/#users-in-kubernetes which is not specific to vault/openshift/etc | 15:15 |
samuelkunkel[m] | * So, from the back of my head, you create a ServiceAccount, associate it to your ClusterRole (or role) via ClusterRoleBinding (or RoleBinding) and this Serviceaccount also has a JWT implicit. | 15:16 |
samuelkunkel[m] | So, I agree. This is something which can be used for machine2machine auth. I personally would not use it for client authentication. | 15:17 |
samuelkunkel[m] | (We also did not use it for machine2machine) | 15:18 |
dtantsur | oh fun, kubernetes (or at least openshift) supports keystone :D | 15:19 |
JayF | you can use the keystonemiddleware we're talking about to get k8s support for oauth 2.0 /s/s/s | 15:21 |
JayF | (I know that's not how it works, but it's a funny joke) | 15:21 |
dtantsur | Just Rewrite It In Go \o/ | 15:22 |
JayF | s/Go/Rust/ | 15:22 |
JayF | 2019 called, it wants its cool new language back dtantsur ;) | 15:22 |
dtantsur | LOL | 15:22 |
JayF | if I know how to write code in it, it's officially uncool | 15:22 |
dtantsur | you don't need to convince me to s/Go/Rust/ | 15:22 |
dtantsur | arozman_metal3: what's your typical identity backend in your kubernetes installation? | 15:23 |
dtantsur | I wonder if we should just support LDAP.. | 15:23 |
samuelkunkel[m] | Wasn't the ldap backend in keystone deprecated as no one maintained it? | 15:24 |
* JayF just realized he's never worked on an OpenStack cluster running "vanilla" keystone (or anything even vanilla-adjacent) | 15:24 |
arozman_metal3 | dtantsur: do you mean what identity backend is used downstream ? | 15:25 |
dtantsur | arozman_metal3: yeah, if there is any single typical backend | 15:25 |
dtantsur | because it seems like kubernetes itself is not really opinionated | 15:25 |
arozman_metal3 | dtantsur: I can ask, I don't know tbh | 15:25 |
samuelkunkel[m] | JayF: what is a vanilla keystone? | 15:25 |
JayF | as in, not heavily patched | 15:26 |
arozman_metal3 | dtantsur: I am not allowed access it directly, I always work via intermediary folks | 15:26 |
dtantsur | I see | 15:27 |
samuelkunkel[m] | Ah, hmm. I think we use a pretty standard keystone, just run in container. | 15:27 |
knikolla | vanilla, that sounds like a pretty tasty keystone :) | 15:27 |
samuelkunkel[m] | I think we dont have a single patch in there | 15:29 |
samuelkunkel[m] | https://gitlab.com/yaook/images/keystone/-/blob/devel/Dockerfile-train | 15:29 |
samuelkunkel[m] | * I think we do not have a single patch in there | 15:29 |
samuelkunkel[m] | https://gitlab.com/yaook/images/keystone/-/blob/devel/Dockerfile-train | 15:29 |
samuelkunkel[m] | Currently running yoga release | 15:29 |
TheJulia | I pasted a simple IDP (literally named simple-idp) into the etherpad | 15:30 |
TheJulia | which gave us a drop-down on the UI | 15:30 |
JayF | Yeah, other places I worked had custom plugins to plugin to custom backend identity things | 15:34 |
* JayF has written some really baller internal-CVE-style bugs against them which will never be seen by anyone else :( | 15:34 |
knikolla | The more layers in between you and the root of the identity the more fun it gets. | 15:39 |
JayF | Breaking until 1615; then going into DPU orchestration | 16:05 |
JayF | we're a little ahead | 16:05 |
opendevreview | Riccardo Pittau proposed openstack/ironic master: Exclude all files starting with . from flake8 tests https://review.opendev.org/c/openstack/ironic/+/878788 | 16:11 |
* prometheanfire wonders if redfish allows setting a boot override (pxe boot ramdisk normally, but set an override per node to boot from disk, or something else) | 17:00 |
dtantsur | prometheanfire: cannot you use efibootmgr for that? | 17:12 |
dtantsur | some people use ironic in this fashion: use ramdisk deploy for one-time boot of an installer, then inside the installer, change the UEFI boot order to local disk | 17:13 |
prometheanfire | could do that, if the installer supported it lol | 17:15 |
prometheanfire | honestly, them generating a qcow2 image would be best, and seems like it's in progress https://github.com/harvester/harvester-installer/pull/457 | 17:16 |
prometheanfire | can we set values through redfish for random bios values or is it mostly read only? | 17:18 |
dtantsur | prometheanfire: it's called BIOS settings in ironic | 17:18 |
dtantsur | https://docs.openstack.org/ironic/latest/admin/bios.html | 17:19 |
prometheanfire | lol | 17:19 |
*** sfinucan is now known as stephenfin | 17:20 |
rpittau | good night! o/ | 17:32 |