Wednesday, 2024-09-04

opendevreview	Verification of a change to openstack/ironic stable/2023.2 failed: [CI][stable only] fix zuul config https://review.opendev.org/c/openstack/ironic/+/926637	00:43
opendevreview	Merged openstack/ironic-inspector master: Fix versions in release notes https://review.opendev.org/c/openstack/ironic-inspector/+/926994	00:49
opendevreview	Merged openstack/ironic-lib stable/2024.1: Fix invalid UTF-8 characters in execute output https://review.opendev.org/c/openstack/ironic-lib/+/926716	00:54
opendevreview	Merged openstack/ironic-lib stable/2023.2: Fix invalid UTF-8 characters in execute output https://review.opendev.org/c/openstack/ironic-lib/+/926718	00:54
opendevreview	Verification of a change to openstack/ironic-lib stable/2023.1 failed: Fix invalid UTF-8 characters in execute output https://review.opendev.org/c/openstack/ironic-lib/+/926719	00:54
*** dtantsur_ is now known as dtantsur		01:48
opendevreview	OpenStack Proposal Bot proposed openstack/ironic master: Imported Translations from Zanata https://review.opendev.org/c/openstack/ironic/+/927699	03:54
opendevreview	Derek Higgins proposed openstack/ironic master: Set node "alive" when inspection finished https://review.opendev.org/c/openstack/ironic/+/927828	08:25
opendevreview	Dmitry Tantsur proposed openstack/ironic-tempest-plugin master: Check inspection data and abortion in the standalone tests https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/927928	12:15
opendevreview	Merged openstack/ironic master: Imported Translations from Zanata https://review.opendev.org/c/openstack/ironic/+/927699	13:16
TheJulia	dtantsur: if you could today take a quick glance and see my comments on https://review.opendev.org/c/openstack/ironic-python-agent/+/927823, I think as is I could likely just add a reno and move it along, but wanted to see what you think before doing so.	13:18
TheJulia	Thanks in advance	13:18
* dtantsur puts on his queue		13:19
TheJulia	Much appreciated!	13:19
TheJulia	I also noted an idea we could use to detect a conflict, but it would be a PITA	13:23
TheJulia	and require the ramdisk to use a loopabck	13:23
* TheJulia walkies the doggo		13:25
*** vicent_ is now known as vicent		13:38
*** vicent is now known as vicentfg		13:38
*** vicentfg is now known as vicent		13:38
TheJulia	Iury sent me a photo and comment from the summit, sounds like it is going well	13:53
TheJulia	or did to be more precise	13:53
TheJulia	cid: quick question on https://review.opendev.org/c/openstack/ironic-python-agent/+/926973	14:00
cid	TheJulia: Actually, I ripped those right out of the log in the bug description.	14:06
cid	Now that you've mentioned it, let me quickly check	14:06
TheJulia	o/ rosmaita	14:07
rosmaita	good morning!	14:07
TheJulia	cid: much appreciated	14:07
opendevreview	Julia Kreger proposed openstack/ironic master: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927965	14:08
opendevreview	Julia Kreger proposed openstack/ironic bugfix/26.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927966	14:08
opendevreview	Julia Kreger proposed openstack/ironic bugfix/25.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927967	14:08
opendevreview	Julia Kreger proposed openstack/ironic stable/2024.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927968	14:09
opendevreview	Julia Kreger proposed openstack/ironic bugfix/24.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927969	14:09
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.2: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927970	14:09
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927972	14:09
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent master: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927974	14:10
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2024.1: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927976	14:10
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2023.2: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927978	14:10
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2023.1: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927979	14:10
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.13: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927981	14:11
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.12: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927983	14:11
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.9: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927984	14:11
JayF	rosmaita: ^ I think thaqt is all that you need?	14:11
rosmaita	think so ... will let you know in a few minutes	14:12
TheJulia	It didn't list the unmaintained ones	14:12
JayF	yeah those go to um	14:12
TheJulia	https://review.opendev.org/q/I7fac5c64f89aec39e9755f0930ee47ff8f7aed47	14:12
JayF	or, uh, nowhere?	14:12
JayF	Weird, must have gotten turned off from -unmaintained and -stable too	14:12
JayF	that's unfortunate, I was using those to trigger reviews	14:12
rosmaita	ok, i should be able to find them in gerrit	14:13
JayF	I'm going to push the IPA UM patches now too, but they don't need to go in the bug or any text since it's just a warning.	14:14
rosmaita	ok	14:14
JayF	Apparently xena UM still hasn't had the gitreview merged in, yikes	14:19
JayF	I stacked mine on top of t hat	14:19
JayF	same with v + w	14:21
TheJulia	looks like unmatained yoga and xena for ironic are not in happy states	14:22
JayF	TheJulia: looks like mine is failing codespell in IPA; I'm going to fix and repush :( just two words	14:23
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent master: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927974	14:23
dtantsur	We can review and merge all this stuff now, right?	14:24
JayF	yes, please	14:24
TheJulia	yes	14:24
dtantsur	okay, I'm listening to something on a meeting, should be free in a few minutes	14:25
JayF	the idea is we get as much of it merged as possible before we put the official notice out in a couple hours	14:25
JayF	yeah, CI gonna have to run so no real rush as long as it's in the next 30-45m	14:25
dtantsur	This meeting makes wanna flit the table, so I might need to re-assemble it first :)	14:26
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.13: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927981	14:27
JayF	we have codespell voting on bugfix/9.13 and master; I fixed the patch both places and am leaving it elsewhere	14:27
dtantsur	Unrelated side note: I have problems with IRC recently, so it's perfectly possible for me to miss pings	14:27
JayF	I can follow up on stable branches to get codespell re-passing, but it looks like stable/2024.1 needs some config as well to get it passing, so I'm punting that until post-CVE	14:28
JayF	fungi: can you make the queued jobs on 927974,2 start running? https://zuul.opendev.org/t/openstack/status#927974	14:31
TheJulia	dtantsur: joy	14:31
JayF	TheJulia: https://zuul.opendev.org/t/openstack/status#927965 master ironic patch failing tempest-funcional-python3 and tox-cover (which is post_Failure so probably not you?)	14:31
JayF	looking at tempest logs	14:32
TheJulia	yup, downside of dropping a ton of patches on CI at once	14:32
JayF	> 2024-09-04 14:27:14.723231 \| controller \| The specified regex doesn't match with anythingERROR: InvocationError for command /opt/stack/tempest/.tox/tempest/bin/tempest run --regex ironic_tempest_plugin.tests.api --concurrency=1 (exited with code 1)	14:32
TheJulia	we just DoS-ed ourselves	14:32
JayF	that doesn't look like DoS, that looks like real-failure	14:33
TheJulia	well, in general, we just slowed everything down	14:33
dtantsur	JayF: oh, so it's not just on my patch??	14:35
dtantsur	see #openstack-qa	14:35
JayF	oh no	14:35
TheJulia	Did we suddenly just stop merging plugins?!	14:35
TheJulia	err	14:35
TheJulia	merging is the wrong word	14:35
TheJulia	pulling in	14:35
dtantsur	sorry, I should have brought this up, but I was sure I was doing something wrong with my patch..	14:35
TheJulia	no worries	14:36
TheJulia	https://zuul.opendev.org/t/openstack/stream/8e4588458fa7459b9ddfb98d73508a98?logfile=console.log	14:43
TheJulia	err	14:43
TheJulia	wrong channel	14:43
fungi	JayF: taking a look	14:50
JayF	fungi: dont	14:50
JayF	fungi: see #openstack-qa	14:50
JayF	tl;dr tempest is broken	14:50
fungi	oh fun. well, that's always how it goes, you know?	14:51
dtantsur	JayF: could you run a quick sanity check with me?	14:52
dtantsur	https://review.opendev.org/c/openstack/ironic-python-agent/+/927974/2/ironic_python_agent/extensions/standby.py#368	14:52
dtantsur	Is it me or do we call qemu-img convert even after dd when is_raw?	14:52
dtantsur	there is no "else" or return?	14:52
JayF	#%#@$#@!@#%	14:53
dtantsur	:(	14:53
JayF	I'm going to fix it in each patch separately	14:53
JayF	if I have to rebase these again my brain will leak out my ears	14:54
dtantsur	understandable	14:54
dtantsur	you may want to fixup the "cherry-picked from" lines after that	14:54
JayF	I'm going to be honest, dunno what you mean	14:55
JayF	can you be 100% explicit with what Ineed to do while I do this change?	14:55
dtantsur	ah, you don't have them. that's one way :)	14:55
dtantsur	I mean, normally, you cherry-pick with -x flag to generate "Cherry picked from: <commit ID>" in your commit message	14:56
TheJulia	dtantsur: cherry-pick lines only apply to clean cherry-picks, almost none of this is clean	14:56
TheJulia	fwiw	14:56
dtantsur	mmmm? I always leave them	14:56
JayF	and also it was done using text patches and am and all	14:56
dtantsur	anyway, ignore this one. let's focus on important things.	14:56
JayF	yep	14:56
TheJulia	AIUI, your supposed to drop them when it is not clean	14:56
TheJulia	anyway, just a minor detail for tooling which I don't think even gets used in our ecosystem any longer	14:57
dtantsur	I was under the opposite impression. Interesting.	14:57
JayF	my understanding == dtantsur's fwiw	14:57
TheJulia	(HP magical rebase walking tool which used the tagging heavily)	14:57
JayF	and that you usually put the Conflicts:\n\tfilename stuff	14:57
dtantsur	TheJulia: `git cherry-pick -x` is neither HPE nor openstack specific though	14:57
dtantsur	anyway. finishing the sanity check of IPA patches, Ironic up next	14:57
TheJulia	in our ecosystem, it is not used anymore afaik, but whatever	14:58
TheJulia	Anyway, I have a meeting/call to jump on in 2 minutes	14:58
TheJulia	will be slightly distracted, I guess we're pending QA to force push whatever is going on	14:58
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent master: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927974	14:58
JayF	dtantsur: ^ can you have a look before I push that the rest of the way thru	14:58
dtantsur	looking	14:59
dtantsur	seems good to me	14:59
JayF	ty	14:59
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2024.1: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927976	15:02
fungi	JayF: i can enqueue security fixes into the gate pipeline if you want, now that the tempest fix has merged	15:03
JayF	fungi: start with master? 927974 IPA, 927965 Ironic	15:04
fungi	are they all patchset #1? i need to know the patchsets, but can look them up if you're not sure whether they got revisions pushed	15:04
JayF	not for mine, at least	15:04
JayF	927974,3	15:05
JayF	this does not bypass CI, correct?	15:05
JayF	just moves it to where it only has to pass once?	15:05
JayF	Ironic is 927965,1	15:05
dtantsur	we do lose non-voting jobs like bifrost in this case	15:06
fungi	correct	15:06
fungi	you do lose feedback from jobs that are configured to only run in check	15:06
JayF	I don't have a strong opinion on if that matters here tbh	15:06
fungi	or rather get a limited amount of time to react to them really	15:06
JayF	I'd rather get them in and fix fallout	15:06
JayF	would rather have a broken, secure bifrost in master than a working, insecure one IMO	15:06
JayF	but it's not just my call	15:06
fungi	also make sure the changes have all the necessary votes to go into the gate (code review +2, workflow +1)	15:07
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2023.2: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927978	15:07
JayF	fungi: good call, we're missing those	15:07
JayF	I think dtantsur is still looking at the ironci change, I just +2d it	15:07
dtantsur	yeah, gimme a couple of minutes	15:08
JayF	it's OK, I need to buy you a schnitzel or something for catching that in review for ipa	15:09
* dtantsur does not object to a Schnitzel :D		15:09
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.13: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927981	15:09
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.12: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927983	15:09
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.9: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927984	15:10
JayF	all ipa patches updated for code review	15:10
JayF	and I learned the syntax for "patch exactly one file" :)	15:10
JayF	(diff file1 file2; patch file-to-patch mypatch.patch)	15:11
JayF	I've only ever done the full directory syntax	15:11
fungi	so enqueue --project=openstack/ironic-python-agent --change=927974,3 and --project=openstack/ironic --change=927965,1 at the moment?	15:11
JayF	looking to see if they have the votes	15:11
JayF	TheJulia: https://review.opendev.org/c/openstack/ironic-python-agent/+/927974/ needs your +2A	15:11
JayF	and we're waiting for Dmitry to finish on the Ironic patch	15:12
JayF	and he caught something in the IPA one, so good to get a review in	15:12
* JayF going through stable/um/bugfix ironic patches and reviewing		15:12
fungi	oh cool	15:12
JayF	TheJulia: https://review.opendev.org/c/openstack/ironic/+/927968/1/doc/source/admin/security.rst you have erroneous stuff in your stable patch[es?]	15:14
JayF	only in the bottom of a doc, I +2'd anyway in case we don't want to lose CI progress	15:17
dtantsur	TheJulia: 2 quick questions for you as well: https://review.opendev.org/c/openstack/ironic/+/927965/1/ironic/drivers/modules/deploy_utils.py#1455 and https://review.opendev.org/c/openstack/ironic/+/927965/1/ironic/drivers/modules/image_cache.py#369	15:17
JayF	I think you found something real in deploy_utils	15:18
dtantsur	Could be	15:19
dtantsur	Sigh	15:19
JayF	and btw; I think the bug is not in requests	15:19
dtantsur	I guess this proves that I cannot really review code from someone's screen..	15:19
JayF	but in like, some keystoneauth middleware	15:19
JayF	dtantsur: +++++++++++==	15:20
JayF	dtantsur: secret gerrit when :)	15:20
dtantsur	Yeah, true, I like that you can work on advisories in github	15:20
JayF	I know even for me personally, with code I'm writing myself, often I'll push it, self-review in gerrit/github, and find stuff I missed otherwise	15:21
dtantsur	Happens all the time	15:21
opendevreview	Julia Kreger proposed openstack/ironic stable/2024.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927968	15:25
JayF	btw, I think after this experience, we could probably use a refactor around the ipa image handling code	15:34
JayF	and maybe a rewriting of the ironic image cache too	15:34
fungi	okay, so just to confirm, there's no need to direct enqueue anything into the gate pipeline just yet	15:34
JayF	fungi: yeah, I don't think so, Ironic patch has valid review comments and https://review.opendev.org/c/openstack/ironic-python-agent/+/927974/ not yet approved	15:35
fungi	i'll probably be disappearing in another half hour, but maybe frickler can help if needed	15:35
TheJulia	dtantsur: replied on https://review.opendev.org/c/openstack/ironic/+/927965/1/ironic/drivers/modules/deploy_utils.py#1455 and porposed an idea, please take a look	15:35
dtantsur	TheJulia: yeah, "call it again" is probably the simplest thing we can do	15:36
JayF	TheJulia: will there be something else to catch a redirect loop?	15:36
JayF	or will that blow up the conductor with a recursive call stack err	15:36
dtantsur	it's not a loop though: we only handle one redirect, it seems	15:36
TheJulia	JayF: the underlying code only allows a single redirect	15:36
TheJulia	and ultimately IPA will catch, we just need to double check how far ipa patches go back	15:36
dtantsur	(which is weird, but it's the existing state of things)	15:37
JayF	oh yeah, you're right	15:37
* JayF was thinking something else that was wrongish		15:37
TheJulia	so it can easily be a fix after the needful thing as well	15:37
JayF	TheJulia: IPA fixes stop at the UM edge, so Zed is the first unpatched IPA	15:37
TheJulia	I am aware of that	15:37
JayF	Then what did > we just need to double check how far ipa patches go back < refer to?	15:38
JayF	the only reason I'm like, -0.5 to a follow-up, is the OSSA references the patch URLs directly	15:39
JayF	so I think my preference is fixed in place, but I can be convinced otherwise	15:39
TheJulia	I get what your doing, I get what your saying. I'm a single person righ tnow	15:39
TheJulia	I already said we need to check where redirect logic went in and then figure out the rest from there which includes fixing or following-up	15:40
TheJulia	So, lets just take one step at a time, I'm trying to write a response to dmitry now on his other question	15:40
TheJulia	one item at a time.	15:40
TheJulia	dtantsur: replied on https://review.opendev.org/c/openstack/ironic/+/927965/1/ironic/drivers/modules/image_cache.py#369	15:45
TheJulia	okay, redirect logic merged in Zed. So need to get fixed and rebased	15:46
TheJulia	joy	15:47
TheJulia	that is a painful amount of work	15:47
TheJulia	dtantsur: would an inline comment on https://review.opendev.org/c/openstack/ironic/+/927965/1/ironic/drivers/modules/image_cache.py bring more clarity to it?	15:52
JayF	<not-urgent> https://review.opendev.org/c/openstack/ossa/+/928005 was posted by me just now, adding Ironic repos to official VMT oversight. I've marked it W-1 pending review from Ironic cores.	15:55
fungi	yeah, notably, the repositories are expected to adhere to the requirements enumerated in that file	15:58
JayF	Yeah, I think the only pieces we'd need is consensus from cores, and the buttons flipped in lp so VMT sees security issues first	16:01
JayF	I'm putting it on next meeting agenda	16:02
dtantsur	TheJulia: probably worth it.. What I don't understand: it looks like force_raw=False no longer has effect unless the image inspection is disabled.	16:03
TheJulia	okay, you re-phrasing it has me feeling the need to look again	16:04
JayF	IPA tests are failing for examples ?!, looking	16:04
JayF	I'm pretty sure those tests are invalid...	16:05
JayF	dtantsur: you got a sec to look at this with me?	16:06
dtantsur	I have 5-10 mins before I need to go afk for some time	16:06
JayF	dtantsur: I think https://zuul.opendev.org/t/openstack/build/b31966d670cd4d428693c52424c096b4 is failing because it's trying to import the hwms directly	16:07
TheJulia	dtantsur: okay, yeah, It does kind of look like that but I think it is context. I know with the tests that was the happy path to move stuff foward as well, so I think I feel pretty good there. Anyway, I'm runing the tests with the other changes to see how much testing I need to change/fix/add for the redirect stuffs	16:07
JayF	dtantsur: but because we need to have the cmd run first to setup the conf, that's not happening, so it kabooms	16:07
JayF	tl;dr: we would never in the real world import a hwm into a process that didn't /already/ have IPA and it's config setup	16:07
dtantsur	JayF: it's quite unfortunate that we cannot simply sanity-check the examples..	16:08
TheJulia	okay, one test it looks like. Not horrible	16:08
JayF	dtantsur: I would argue we're not sanity checking them even right now.	16:08
dtantsur	Possibly. Feel free to disable.	16:08
dtantsur	TheJulia: force_raw=False not working any more has implications for networking traffic though. Do we at least mention that it does nothing? Potentially even deprecate?	16:09
dtantsur	* mention in release notes	16:09
TheJulia	dtantsur: so you realize your looking at the conversion code right? We would have already downloaded it	16:10
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent master: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927974	16:11
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent master: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928011	16:11
dtantsur	not sure if my message came through with my bloody internet:	16:11
dtantsur	I thought the idea behind force_raw=False is to deliver the original format to the node? E.g. if the throughput to the node is very limited and the raw image is very large.	16:11
dtantsur	it's separate from the question of whether or not we download image to the conductor	16:12
TheJulia	well, we would have already done so, the intent behind force_raw was largely around streaming and keeping it as raw on disk to begin with, so everything still hinges on force_raw, but has two separate conditional paths around image handling for compatability further on	16:13
dtantsur	force_raw pre-dates streaming by years	16:13
TheJulia	oh	16:13
TheJulia	OH	16:14
TheJulia	I see what yours eeing	16:14
TheJulia	the intenting is wrong	16:14
dtantsur	I suspected something like this	16:14
dtantsur	Thanks for looking into it, now I can do some exercising. Will check with y'all later.	16:15
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2024.1: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927976	16:15
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2024.1: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928012	16:15
TheJulia	k, thanks!	16:16
JayF	dtantsur: if I caught you, we need +2 on new IPA patches I just pushed	16:17
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2023.2: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927978	16:17
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2023.2: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928013	16:17
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2023.1: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927979	16:19
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent stable/2023.1: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928014	16:19
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.13: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927981	16:20
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.13: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928015	16:20
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.12: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927983	16:22
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.12: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928017	16:22
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.9: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927984	16:23
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.9: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928019	16:23
opendevreview	Julia Kreger proposed openstack/ironic master: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927965	17:06
TheJulia	dtantsur: JayF ^	17:06
JayF	ty, lgtm	17:13
TheJulia	cool cool, I'll roll-out the local diff against the rest of the branches shortly	17:16
JayF	TheJulia: https://review.opendev.org/c/openstack/ironic-python-agent/+/927974/4 and friends (including the "remove examples job" patches attached to each) need review/approval whenever you get a second. CI still running so not urgent r/n	17:19
TheJulia	hoping k	17:20
opendevreview	Julia Kreger proposed openstack/ironic bugfix/26.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927966	17:20
opendevreview	Julia Kreger proposed openstack/ironic bugfix/25.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927967	17:21
opendevreview	Julia Kreger proposed openstack/ironic stable/2024.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927968	17:22
opendevreview	Julia Kreger proposed openstack/ironic bugfix/24.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927969	17:25
JayF	I put a topic on all the ipa changes needed for this: https://review.opendev.org/q/topic:%22ossa-2024-003%22	17:26
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.2: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927970	17:28
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927972	17:29
opendevreview	Doug Goldstein proposed openstack/sushy master: fix spelling and make codespell pass https://review.opendev.org/c/openstack/sushy/+/927444	17:34
TheJulia	toxtopic reset on the ironic patches	17:37
TheJulia	err	17:37
TheJulia	topic	17:38
TheJulia	looks like metal3-integration is failing on stable branches (why is it even there, since that job doesn't grok stable branches?!?) on artifacts in the nordix docs	17:43
opendevreview	Julia Kreger proposed openstack/ironic stable/2024.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927968	17:43
dtantsur	TheJulia: it should not run on stable branches, at least for now	17:43
TheJulia	vi know	17:43
TheJulia	err	17:43
TheJulia	i know	17:43
TheJulia	people don't remove it	17:44
TheJulia	dtantsur: what about bugfix branches?	17:45
dtantsur	TheJulia: I don't think the job is smart enough to figure out the required ironic-image branch..	17:46
dtantsur	and BMO branch..	17:46
TheJulia	k	17:46
dtantsur	so, not today	17:46
opendevreview	Julia Kreger proposed openstack/ironic bugfix/26.0: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928047	17:47
opendevreview	Julia Kreger proposed openstack/ironic master: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928048	17:48
TheJulia	rutro	17:48
TheJulia	that was not what I intended	17:48
opendevreview	Julia Kreger proposed openstack/ironic bugfix/25.0: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928049	17:49
TheJulia	https://review.opendev.org/q/If04a5b97722cc1a8e125c3348e09339c3a7ce0eb to cleanup Ironic CI so we can merge things	17:52
dtantsur	TheJulia: master change approved with nits to follow-up	17:52
dtantsur	TheJulia: you need to remove the metal3 job from the gate as well	17:53
TheJulia	right	17:53
TheJulia	fuck	17:53
* TheJulia hates CI right now		17:53
opendevreview	Julia Kreger proposed openstack/ironic bugfix/26.0: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928047	17:54
opendevreview	Julia Kreger proposed openstack/ironic bugfix/25.0: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928049	17:55
dtantsur	Unfortunately, I'll need to drop now. I'll continue approving whatever is not approved by my morning	17:55
opendevreview	Julia Kreger proposed openstack/ironic bugfix/24.0: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928054	17:56
opendevreview	Julia Kreger proposed openstack/ironic stable/2024.1: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928057	18:01
JayF	https://review.opendev.org/c/openstack/ironic-python-agent/+/927974 master patch is V+1 and needs +2A	18:08
TheJulia	speaking of things which don't show up in terminal windows, tailing spaces on the yaml	18:17
TheJulia	JayF: I can approve, or you can revise on master branch, up to you	18:17
JayF	please just land them as-is, I will fix if it is bothersome	18:18
JayF	my IDE has started doing that, I haven't found the setting yet to make it stop putting trailing spaces in	18:18
TheJulia	ok	18:18
opendevreview	Merged openstack/ironic bugfix/26.0: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928047	18:23
opendevreview	Merged openstack/ironic-python-agent bugfix/9.13: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928015	18:26
TheJulia	sigh, this is going to be a very very long day	18:28
opendevreview	Merged openstack/ironic-python-agent bugfix/9.12: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928017	18:31
JayF	we need to approach it shift-based: we can handoff to the next TZ. This has been broken for over a decade, it's a marathon not a sprint (as someone once told mE)	18:31
opendevreview	Merged openstack/ironic bugfix/24.0: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928054	18:33
opendevreview	Merged openstack/ironic bugfix/25.0: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928049	18:33
TheJulia	we still have centos7 node-set usage on unmaintained/yoga and likely older branches	18:36
TheJulia	err, centos8	18:36
cardoe	ugh sorry you guys are getting beat on with this.	18:39
cardoe	JayF: does your IDE respect editorconfig? We can add a pre-commit check for trailing spaces and put an editorconfig	18:39
JayF	it's pycharm	18:40
JayF	one of the most annoying things about it, it doesn't natively support our import ordering	18:40
JayF	because it won't split [openstack packages] and [other packages] as we tend to do	18:40
TheJulia	looks like I accidently pulled in an extra test on backporting 2023.2, fixing	18:42
cardoe	JayF: so that's where we setup pre-commit with tools that auto fix this stuff (instead of pep8/flake8 griping at you) and let your editor run on save.	18:44
JayF	cardoe: we have pre-commit configuration in ironic	18:44
JayF	cardoe: as long as you can also ensure anything configured there is in our tox-based linters, I'm game	18:44
JayF	.o(and wouldn't hate pre-commit being spread to other repos, too)	18:44
JayF	tbh I should add something to PTG notes; I think we should move to running our CI through pre-commit similar to how nova does	18:44
JayF	it's a really nice setup	18:44
cardoe	tox should just run pre-commit	18:45
JayF	that is how nova's setup works	18:45
cardoe	well I'm gonna be touching sushy first.	18:45
JayF	I'm onboard as long as the consensus of the core team is too :D	18:46
cardoe	I don't care what the choice is. I just wanna see you guys (and all OpenStack projects) worry about actual technical issues and solve those.	18:48
cardoe	And stop burning cycles on bad CI and code formatting.	18:49
JayF	You overestimate how fast I'd go without barriers in my way :D	18:49
JayF	my brain is usually the first thing I trip over when trying to run	18:49
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.2: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927970	18:49
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.2: trivial: fix odd pep8 failures https://review.opendev.org/c/openstack/ironic/+/928071	18:49
cardoe	Well on a positive note I do think you're good on https://review.opendev.org/c/openstack/ironic/+/924887	18:50
cardoe	https://review.opendev.org/c/openstack/ironic/+/919779 as well	18:52
TheJulia	JayF: thoughts on disabling the snmp job on master branch (https://zuul.opendev.org/t/openstack/build/b380b3bd38054234a73db1c50ff4bba4/logs)	18:52
TheJulia	?	18:52
JayF	I'm OK with it in general	18:52
JayF	but would like, for this change, for us to be 100% certain it's noise	18:52
TheJulia	well, it is definitely not toggling power on the job	18:53
JayF	ack; just -nv it then	18:53
JayF	if you fully remove it lmk so I can help cid re-enable it in his patches (he's trying to tackle that problem now)	18:53
TheJulia	I'll dig a little further to see if I can figure out what is going on at a high level, and then nv it	18:57
JayF	My main concern is the security patch not regressing it	18:58
JayF	I think that's exstremely unlikely so you should set the bar pretty low for "what is going on ata high level" imo	18:58
TheJulia	Sep 04 17:40:53.590540 np0038391085 ironic-conductor[108063]: ERROR ironic.common.images [None req-4736d2d9-36f6-427b-9ee1-4f3549630743 None None] Security: The requested deploy image for node image cache is of format image iso and is not in the [conductor]permitted_image_formats list.	19:01
JayF	ramdisk support regression?	19:02
TheJulia	looks like it	19:04
TheJulia	looks like it explicitly asks for an iso to boot and the way the logic is now formed it doesn't accept it	19:04
TheJulia	I had no idea it did this	19:04
JayF	I'm happy to jump on a call and help you out with it if you want, or anything you need	19:05
JayF	cardoe: you really want a thing to track down for CI?	19:07
JayF	cardoe: curl: (28) Failed to connect to download.cirros-cloud.net port 80 after 130732 ms: Connection timed out ## happens all the darn time for ironic	19:08
JayF	and I think it's because we don't use the same cached cirros version as other projects	19:08
JayF	if we could get that cached, or somehow make it so the ones that are cached worked, that'd be a big removal of intermittant failures	19:08
TheJulia	so, We do have a ramdisk iso test	19:09
TheJulia	BaremetalRamdiskBootIsoSNMPIPXE	19:09
TheJulia	so... Two options, we could permit iso in the list, or I'm wondering if we're going to need to extend the list	19:10
JayF	https://review.opendev.org/c/openstack/ironic-python-agent/+/928019 bugfix/9.9 IPA CI is broken at HEAD	19:10
JayF	TheJulia: I would just say add iso	19:11
JayF	TheJulia: or allow ISO separately from that list	19:11
JayF	only big downside to adding it to existing list: you enable ISOs in IPA even though that's not required	19:11
TheJulia	I suspect since we're catching stuff in the image cache, and it gets cached	19:12
TheJulia	we need to explicitly permit it	19:12
JayF	++ do it. I'll do a followup to IPA in master to make the default match	19:12
TheJulia	running unit tests because I'm assuming it is going to break something else	19:14
JayF	good call, I'm fixing the IPA bugfix branch	19:14
JayF	it was never pinned to stable/2024.1	19:14
TheJulia	yeah, I guess I'll need to edit the release note and maybe even docs :(	19:24
TheJulia	it actually makes a ton of sense where it was wired in at	19:24
TheJulia	and I have 51 failing tests	19:24
* TheJulia cries		19:24
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.9: Pin jobs to stable/2024.1 deps https://review.opendev.org/c/openstack/ironic-python-agent/+/928079	19:27
TheJulia	JayF: thoughts on adding in at https://review.opendev.org/c/openstack/ironic/+/927967/2/ironic/common/images.py#866 ?	19:27
JayF	I mainly am :( at the fact you'll have to rebase again	19:27
JayF	you mean, instead of updating the list?	19:27
JayF	do something like expected format in [iso]: allow it for $reasons	19:28
JayF	maybe even check the node to see if it's using a ramdisk interface?	19:28
TheJulia	well, in those cases, we will never have an expected format	19:28
TheJulia	it is all special casing image retrieval	19:28
TheJulia	like "oh, please boot this iso directly, kthxbai"	19:28
JayF	I am not concerned about ramdisk path	19:28
TheJulia	and we're just downloading it at that point, and it gets caught because of the caching ation	19:28
JayF	we never touch those isos, shortcut away	19:28
JayF	I'm more thinking about what happens if I send a rotten iso as the image_source	19:29
TheJulia	okay, now to figure out why my local copy of the branch is failing 51 tests with no changes	19:29
JayF	on the OTHER drivers, where we might convert it	19:29
TheJulia	yeah	19:29
TheJulia	where we'll have some input signaling otherwise	19:29
JayF	I am +2 to it, +999999 to it if we load it into a devstack and make sure a bad iso is rejected on deploy	19:30
JayF	but we can do that test while the CI is running	19:30
TheJulia	ugh, what in the world is going on	19:33
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.9: Pin jobs to stable/2024.1 deps https://review.opendev.org/c/openstack/ironic-python-agent/+/928079	19:33
TheJulia	it has to go into the list	19:37
TheJulia	because it is going to detonate before it reaches the ramdisk exclusion check	19:37
TheJulia	because it gets cached out	19:38
TheJulia	... which of course, doesn't explains the python issues I'm having	19:38
JayF	is there something I can do to help?	19:40
JayF	if not might step away for lunch + dog walk	19:40
JayF	but happy to help if I can	19:40
TheJulia	do me a favor and just pull down master branch and make sure tox -epy3 works cleanly for you	19:41
TheJulia	I just deleted my tox env	19:41
TheJulia	and are-running	19:41
JayF	I'm using -epy311	19:43
JayF	so it doesn't run under 3.12 (my default python)	19:43
JayF	TheJulia: passed	19:44
JayF	9538 tests in 52.1454 sec	19:44
TheJulia	still running here, but so far I haven't seen any obvious test failures	19:45
JayF	rerunning with -repy311 just to ensure I didn't get any cache help	19:45
TheJulia	I'm guessing maybe I just had a very unahppy tox	19:45
TheJulia	okay, yay	19:45
TheJulia	clean here	19:45
JayF	aight, I'll be back, going to walk the dog then go grab lunch	19:47
JayF	if you get a patchset posted, drop me a text and I'll get to a pc faster	19:47
JayF	(also; don't neglect your own sustenance o/)	19:49
opendevreview	Julia Kreger proposed openstack/ironic master: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927965	20:00
opendevreview	Merged openstack/ironic-python-agent master: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928011	20:04
opendevreview	Merged openstack/ironic-python-agent master: Inspect non-raw images for safety https://review.opendev.org/c/openstack/ironic-python-agent/+/927974	20:04
opendevreview	Julia Kreger proposed openstack/ironic bugfix/26.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927966	20:08
opendevreview	Julia Kreger proposed openstack/ironic bugfix/25.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927967	20:09
opendevreview	Julia Kreger proposed openstack/ironic stable/2024.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927968	20:11
opendevreview	Julia Kreger proposed openstack/ironic bugfix/24.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927969	20:13
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.2: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927970	20:15
JayF	fungi: rosmaita: JFYI; we will be merging a different version of fix to Ironic than we sent out for embargos. I know that's nondesirable but we caught a regression in CI.	20:15
rosmaita	JayF: it happens, and it will be documented on the gerrit reviews	20:16
JayF	+2 on master version, the changes lgtm, will see how CI reacts	20:16
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927972	20:19
opendevreview	Adam Rozman proposed openstack/ironic-python-agent master: WIP - root device encryption https://review.opendev.org/c/openstack/ironic-python-agent/+/926425	20:22
opendevreview	Merged openstack/ironic-python-agent stable/2024.1: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928012	20:36
TheJulia	JayF: stevebaker[m]: fyi, our unmaintained CI is broked on older bifrost jobs with a deleted nodeset	20:51
TheJulia	https://review.opendev.org/q/Ib82833168efc2a6e2b4f1178258840d08deb78ef+project:openstack/bifrost need reviews as well	20:51
stevebaker[m]	ಠಿ_ಠ	20:52
opendevreview	Merged openstack/ironic-python-agent stable/2023.2: Remove and disable examples job https://review.opendev.org/c/openstack/ironic-python-agent/+/928013	20:54
JayF	I greatly approve of the look of disapprov..ing confusion :)	20:55
stevebaker[m]	lol	20:57
opendevreview	Merged openstack/ironic stable/2024.1: CI: Disable metal3-integration test job https://review.opendev.org/c/openstack/ironic/+/928057	21:02
TheJulia	stevebaker[m]: I guess you now have a nice idea of why I've been so heads down the past month and a half :)	21:03
JayF	TheJulia: my openstack team meeting today w/Adam and C.I.D. was basically "here's where I've been" :D	21:04
TheJulia	heh	21:05
JayF	I made a slide deck about this, going to record a video to post once everything is merged	21:05
stevebaker[m]	TheJulia: yeah yikes. wow test_format_inspector.py creates all the image types!	21:07
TheJulia	stevebaker[m]: well, that was lifted from nova, but yeah	21:07
TheJulia	ugh	21:09
TheJulia	the iso logic on the snmp job is still problematic	21:09
TheJulia	https://8033075ee4587cf67d00-eeaf584229491d7ea79dcd495ddd4db1.ssl.cf1.rackcdn.com/927965/3/check/ironic-tempest-ramdisk-bios-snmp-pxe/2745a8f/controller/logs/screen-ir-cond.txt	21:09
TheJulia	I'm going to step away for a few minutes and clear my mind since I guess we force raw as well	21:10
TheJulia	so we almost have a default job state which is quite broken	21:10
opendevreview	cid proposed openstack/ironic-python-agent master: Check for the existence of an IPMI device https://review.opendev.org/c/openstack/ironic-python-agent/+/926973	21:17
TheJulia	i guess the cleanest thing to then do is if source format is iso, skip	21:19
JayF	is there ever a case where I could ask Ironic to write an iso to disk?	21:20
JayF	I guess if it's safety checked, that's irrelevent	21:20
JayF	as long as it's safety checked I do not care if we respect the allowlist in the ramdisk/iso case	21:21
TheJulia	to disk, no, boot on the other hand, sure	21:21
TheJulia	yeah, we're past the safety check there	21:21
JayF	when I say "to disk" I really mean "touches qemu-img"	21:21
TheJulia	I tyeah	21:21
TheJulia	err, yeah	21:21
* TheJulia steps outside for a couple minutes and will update the master branch patch		21:21
JayF	I'll take a gander and see if there's anything I can sus out	21:21
JayF	please do get some lunch if you haven't, too	21:21
JayF	it's 2:20pm; the day is flying	21:22
TheJulia	I actually ate already :)	21:25
cid	cid 's EOD o/	21:26
* cid forgot this :(		21:26
cid	o/	21:26
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.9: Pin jobs to stable/2024.1 deps https://review.opendev.org/c/openstack/ironic-python-agent/+/928079	21:26
JayF	you don't have to wave every day but it is nice :D	21:26
JayF	\o	21:26
* cid noted		21:27
TheJulia	:)	21:27
JayF	It's nice to know people are doing good ironic things :D	21:27
cid	😄	21:28
opendevreview	cid proposed openstack/ironic-python-agent master: Check for the existence of an IPMI device https://review.opendev.org/c/openstack/ironic-python-agent/+/926973	21:30
JayF	TIL about https://docs.python.org/3/library/glob.html	21:30
TheJulia	https://www.irccloud.com/pastebin/q4tRf8ka/	21:32
TheJulia	thoughts ?	21:32
opendevreview	cid proposed openstack/ironic-python-agent master: Check for the existence of an IPMI device https://review.opendev.org/c/openstack/ironic-python-agent/+/926973	21:32
JayF	I think I'm good with that	21:33
* TheJulia runs tests		21:33
TheJulia	in a sense, it is already raw for any and all ironic purposes	21:35
TheJulia	?porposes?	21:35
* TheJulia expects a picture of pixie boots riding a dolphin		21:36
JayF	hilariously enough, I'm about to upload a short about bears to the yt chan	21:37
JayF	(pandas / polars the ML libraries)	21:37
opendevreview	cid proposed openstack/ironic-python-agent master: Check for the existence of an IPMI device https://review.opendev.org/c/openstack/ironic-python-agent/+/926973	21:39
opendevreview	Julia Kreger proposed openstack/ironic master: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927965	21:41
TheJulia	okay, lets see if that works	21:41
JayF	https://www.youtube.com/shorts/4tybImC6KJc /me cheating on pixie boots with polars and pandas :P	21:43
JayF	TheJulia: that lgtm, +2 awaiting CI :)	21:43
* TheJulia closes some browser tabs		21:45
JayF	Only IPA patch that seems in peril is bugfix/9.9	21:46
JayF	and that entire branch CI is completely hosed	21:46
JayF	hilariously enough, my CVE fix fixes the tests because it uses less code from ironic-lib (and the wrong ironic-lib version is what is blowing up ci)	21:47
JayF	but I don't care, I need CI to run properly and pass, so https://review.opendev.org/c/openstack/ironic-python-agent/+/928079 has to get in	21:47
* TheJulia puts loud music on		21:49
opendevreview	Julia Kreger proposed openstack/ironic bugfix/26.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927966	21:52
opendevreview	Julia Kreger proposed openstack/ironic bugfix/25.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927967	21:53
opendevreview	Julia Kreger proposed openstack/ironic stable/2024.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927968	21:53
opendevreview	Julia Kreger proposed openstack/ironic bugfix/24.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927969	21:55
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.2: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927970	21:56
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927972	21:57
opendevreview	Jay Faulkner proposed openstack/ironic-python-agent bugfix/9.9: Pin jobs to stable/2024.1 deps https://review.opendev.org/c/openstack/ironic-python-agent/+/928079	21:59
TheJulia	now, ci	22:00
TheJulia	and annoying the corgi through RATM	22:00
JayF	some of those that make images, wanna hack your 'puter ... SOMMMA THOSE THAT MAKE IMAGES GONNA TAKE YOUR FILES	22:03
JayF	[headbanging continues]	22:03
TheJulia	lol	22:04
TheJulia	ugh	22:05
TheJulia	pep8	22:05
TheJulia	I ran you, why you dislike me	22:06
* TheJulia sighs		22:06
TheJulia	i guess I didn't	22:08
TheJulia	easy enough fix	22:08
JayF	at least it's not something more substantial to track down 🥲	22:11
opendevreview	Julia Kreger proposed openstack/ironic master: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927965	22:19
opendevreview	Julia Kreger proposed openstack/ironic bugfix/26.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927966	22:19
opendevreview	Julia Kreger proposed openstack/ironic bugfix/25.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927967	22:19
opendevreview	Julia Kreger proposed openstack/ironic stable/2024.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927968	22:19
opendevreview	Julia Kreger proposed openstack/ironic bugfix/24.0: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927969	22:19
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.2: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927970	22:20
opendevreview	Julia Kreger proposed openstack/ironic stable/2023.1: CVE-2024-44982: Harden all image handling and conversion code https://review.opendev.org/c/openstack/ironic/+/927972	22:20
TheJulia	I am Julia, destroyer of CI	22:22
JayF	that's an oof on that change	22:28
JayF	I did the same thing before gerrit was open, locally	22:29
JayF	literally almost identical, not having it tabbed in enough	22:29
TheJulia	it was a fast fix once I just typed out a loop to fix it all	22:30
TheJulia	but yeah	22:30
TheJulia	looks like the snmp job failed and auto-retried on master	22:34
TheJulia	ughhhhhh	22:34
JayF	it failed on setup	22:35
JayF	network issue, not actual failure	22:35
TheJulia	ugh	22:36
TheJulia	Looks like we could use a second review on https://review.opendev.org/q/I5254b80717cb5a7f9084e3eff32a00b968f987b7	22:44
TheJulia	at least, some of them. Stepping away for like 10 minutes and then I'll resume on the rest of the happy ones	22:44
JayF	bugfix/9.9 CI is not going to be fixed by me today, I've worked on it a while and am stuck, if someone can look overnight that'd be awesome or else I'll resume tomorrow	22:46
JayF	oh no https://usercontent.irccloud-cdn.com/file/L1KHirVe/image.png	22:47
JayF	it was the arm64 job	22:47
JayF	but that's a frightening old "friend"	22:47
* JayF is just going to assume some solar flares hit the CI machine		22:48
TheJulia	We can disable the test_iso_9660 job	22:48
TheJulia	realistically I bet they are just the slower tests in the grand scheme of things	22:49
JayF	I am OK with that, but I also am suspicious it's actually broken vs just arm silly	22:49
JayF	yep	22:49
JayF	exactly	22:49
JayF	esp. since arm clouds are in flux (opendev lost a donor)	22:49
TheJulia	JayF: bugfix/9.9 for ipa is broken?	22:51
JayF	yes, on master	22:51
JayF	er HEAD	22:51
TheJulia	oh	22:52
TheJulia	I see	22:52
JayF	https://review.opendev.org/c/openstack/ironic-python-agent/+/928079	22:52
TheJulia	funky, one back it is fine	22:52
JayF	is what I've been poking it with, it's still running I haven't checked status in zuul because tbh my brain is fried	22:52
JayF	the bugfix branches that are for the next release work, b/c they still use master constraints	22:52
JayF	9.9 is 2024.1 based, so it needs the older constraints	22:52
TheJulia	okay, well, we just need to start merting the ipa side of the fixes	22:54
JayF	yeah, they are good afaict	22:55
JayF	even 2023.1 the failure was network	22:55
JayF	stevebaker[m]: can you please approve https://review.opendev.org/q/I5254b80717cb5a7f9084e3eff32a00b968f987b7	22:55
JayF	I'm going to ensure all openstack/ironic patches open for the CVE get my +2, obviously pending CI being happy.	22:58
TheJulia	thanks	23:00
TheJulia	looks like we might be in for some rechecking on master branch	23:06
JayF	Can we 'follow the sun' on the rechecks?	23:07
JayF	to use the ops term	23:07
JayF	meaning like, go have an evening so we'll be fresh tomorrow in case real issue spawn again?	23:07
TheJulia	ugh, might need to nuke some further tests, py36 failing on https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_376/927975/4/check/openstack-tox-py36/37664f0/testr_results.html but it might be entirely load related, dunno	23:09
TheJulia	I'm going to keep an eye on on master branch and hopefully things will begin merging soon	23:09
TheJulia	it is clear we're not helping ourselves CI load wise	23:09
JayF	yeah, we should probably just focus on each branch as we go	23:14
JayF	btw, spent a little time while waiting poking at the new oslo.utils format_inspector by doing this https://github.com/jayofdoom/disk-image-checker	23:15
JayF	seems like something you might find useful for downstream use cases, fwiw	23:15
JayF	I'm stepping away from IRC for the workday; if you need something from me ping me directly and I'll be checking periodically. o/	23:20
JayF	also if it's not after 9pm, most of you have my cell, sms me if you need a re-approval or are blocked on reviews	23:21
JayF	(PDT)	23:21

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!