rpittau | good morning ironic! o/ | 08:00 |
---|---|---|
opendevreview | Merged openstack/ironic stable/2023.1: Make sure we eject media from DVD when CD is requested https://review.opendev.org/c/openstack/ironic/+/899338 | 09:50 |
opendevreview | Verification of a change to openstack/ironic bugfix/22.0 failed: Make sure we eject media from DVD when CD is requested https://review.opendev.org/c/openstack/ironic/+/899337 | 09:50 |
opendevreview | Merged openstack/ironic master: Remove outdated pysnmp reference https://review.opendev.org/c/openstack/ironic/+/899624 | 09:50 |
opendevreview | Merged openstack/ironic bugfix/22.1: Make sure we eject media from DVD when CD is requested https://review.opendev.org/c/openstack/ironic/+/899336 | 09:50 |
opendevreview | Merged openstack/ironic stable/2023.2: Make sure we eject media from DVD when CD is requested https://review.opendev.org/c/openstack/ironic/+/899335 | 10:50 |
iurygregory | good morning Ironic | 11:15 |
TheJulia | good morning | 14:48 |
drannou | Hello ironic! Quick question: how do you manage IPMI (or Redfish) user/password on your side? We are playing with ironic to manage tens of hosts, automatically enrolled via ironic-inspector, and to be completely automatic we added automatic IPMI/Redfish user creation (in order to not manually register the users for each host). How do you do it on your side? | 14:54 |
JayF | This is a topic we talked about at PTG, actually. | 14:56 |
JayF | There's a few ways to handle it. | 14:56 |
JayF | Some BMCs will hook into a centralized store, like LDAP, for creds. | 14:56 |
JayF | Some people will rotate passwords using an external script (Change BMC password -> call Ironic to update driver_info to change password) | 14:57 |
JayF | One thing I'll note is for IPMI, it's not super secure even with great/rotated passwords, so make sure you focus heavily on isolating the IPMI network if possible for maximum security there. | 14:57 |
JayF | Most places I worked in the past actually paid most attention there: to locking down networks with BMCs on them, monitoring them for intrusions, and ensuring only Ironic conductors and BMCs could get access on that network | 14:58 |
drannou | our IPMI network is completely isolated, and we are not using IPMI but Redfish. The user management is the same on that part | 14:59 |
clarkb | in a past life not only did we isolate things but we ran all of the management networks on a completely separate infrastructure. Different routers and switches. The idea there was it could be made more resilient to outages | 14:59 |
drannou | So there is no "automatic user and password creation" actually? | 15:00 |
JayF | That is not supported in Ironic currently, as I mentioned, it was a topic at PTG | 15:00 |
JayF | there should be some notes from there but I'm not sure we settled on an action | 15:00 |
JayF | https://etherpad.opendev.org/p/ironic-ptg-october-2023 | 15:00 |
drannou | clarkb: yes, exactly the same for us | 15:00 |
JayF | line 354 looks like where it starts | 15:00 |
drannou | JayF: ok thx | 15:00 |
JayF | drannou: it's one of those things that sneakily has a lot of edges, so I think we decided to take a pretty small action | 15:01 |
drannou | ok, it's more or less what we did: create a default user, but for each host set a randomly generated password that is given back to Ironic (conductor or inspector, depending on the case) | 15:03 |
TheJulia | That is not a bad pattern; we've historically avoided it because of IPMI's quirks | 15:50 |
TheJulia | Also, major vendors tend to not ship default passwords anymore unless you ask kindly | 15:50 |
dtantsur | TheJulia: https://github.com/openshift/openshift-docs/pull/47205/files | 16:25 |
dtantsur | (I promised to undig what exactly is causing issues for assisted installer folks) | 16:26 |
TheJulia | the CD to get saved? | 16:32 |
dtantsur | Sorry? They need to purge all CD records in advance. | 16:40 |
TheJulia | shim adds whatever device it loads from | 16:43 |
TheJulia | by default | 16:43 |
dtantsur | Possibly that's the source of the issue | 16:44 |
opendevreview | Riccardo Pittau proposed openstack/ironic master: [WIP] Generic API for attaching/detaching virtual media https://review.opendev.org/c/openstack/ironic/+/894918 | 17:10 |
rpittau | see you on thursday, good night! o/ | 17:10 |
iurygregory | that moment you notice that you will be the only one working tomorrow from your team .-. | 18:43 |
TheJulia | heh | 18:46 |
iurygregory | TheJulia, it's ok to be the only one (unless you have two escalations on going :D) | 20:08 |
opendevreview | Steve Baker proposed openstack/ironic master: [api-ref] Complete port name and shard documentation https://review.opendev.org/c/openstack/ironic/+/899097 | 20:49 |
opendevreview | Steve Baker proposed openstack/ironic master: [api-ref] Add firmware fields to driver API https://review.opendev.org/c/openstack/ironic/+/898862 | 20:49 |
JayF | https://github.com/systemd/systemd/pull/29748 This *is* as bad of an idea as I think it is, yeah? cc: dtantsur | 21:27 |
JayF | dtantsur: hopefully nobody tries to implement an Ironic driver using this... | 21:28 |
-opendevstatus- | NOTICE: Gerrit on review.opendev.org will be restarted to pick up a configuration change required as part of Gerrit 3.8 upgrade preparations. | 22:01 |
opendevreview | Julia Kreger proposed openstack/ironic-tempest-plugin master: WIP: Add test for dhcp-less vmedia based deployment https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/898006 | 22:06 |
opendevreview | Julia Kreger proposed openstack/ironic master: WIP/DNM: Advanced vmedia deployment test ops https://review.opendev.org/c/openstack/ironic/+/898010 | 22:10 |
opendevreview | Jay Faulkner proposed openstack/metalsmith master: Metalsmith in maintenance mode https://review.opendev.org/c/openstack/metalsmith/+/899761 | 22:18 |
JayF | fungi: So, it came up at the vPTG that apparently ironic-python-agent-builder never had a Launchpad setup. We'd like to set one up, but I didn't see anything about it in the project-team-guide. Where would the docs be for that and/or is it an admin task that one of you all needs to tackle? | 22:32 |
opendevreview | Jay Faulkner proposed openstack/ironic master: Add pyproject.toml to support pip 23.1 https://review.opendev.org/c/openstack/ironic/+/899765 | 22:44 |
JayF | going to see how this looks, then kick them out across all the ironic stuff | 22:44 |
fungi | JayF: it's never been documented that I know about. We don't run Launchpad, but basic guidance is to make the project "part of" openstack, and make it team maintained/driven with a team that is owned by ~openstack-admins | 23:03 |
JayF | Okay. I didn't want to just go do a thing without making sure there wasn't any special magic. | 23:18 |
TheJulia | JayF: I guess rather similar to booting from a volume | 23:28 |
JayF | TheJulia: no, reverse. this is a kernel command line that turns your disk into an nvme-over-ip target in the initrd. unauthenticated entirely. | 23:34 |
JayF | TheJulia: basically lennart implemented the bash ramdisk in systemd/initrd !!!! :'( | 23:35 |
TheJulia | ummm | 23:35 |
TheJulia | Could someone provide me a *giant* table to flip? | 23:35 |
JayF | well, it's not merged yet | 23:36 |
JayF | so if the most educated of us about why it's a bad idea could go flip a table in that PR, we might be able to change a mind, or at least make them wait until it's authenticatable (but even then I am not convinced it's a good idea; but as it stands now it's borderline-dangerous as written) | 23:37 |