masghar | JayF: There are efforts to get Metal3 incubated into CNCF, if that's what you mean | 07:27 |
---|---|---|
JayF | masghar: that looked to me like an effort to create reference architecture for cncf ecosystem. Something that in most real cases includes ironic and/or metal3 | 13:33 |
opendevreview | Riccardo Pittau proposed openstack/ironic-python-agent master: Silence modprobe loading errors for IPMI drivers https://review.opendev.org/c/openstack/ironic-python-agent/+/937042 | 13:38 |
opendevreview | Riccardo Pittau proposed openstack/ironic-python-agent master: Silence modprobe loading errors for IPMI drivers https://review.opendev.org/c/openstack/ironic-python-agent/+/937042 | 14:09 |
Sandzwerg[m] | Morning ironic. Has anyone experience with ironic being unable to find the image if it is not public? Ironic is part of an OpenStack with nova glance etc and suddenly stopped being able to find any image that is not public. I thought it might be related to CVEs from October and looked over the changes but I can't so far find the root cause. | 18:54 |
JayF | That's a documented limitation of Ironic. | 19:18 |
JayF | It's never been able to do that. | 19:18 |
JayF | https://docs.openstack.org/ironic/latest/install/configure-glance-images.html#instance-end-user-images | 19:18 |
TheJulia | heh, it sort of occurs to me it wouldn't be *that* hard to sort of support private images at some point, but I suspect some operators might freak over the idea as well | 21:04 |
JayF | I was thinking automatic_lessee and/or owner/lessee could be used for that | 21:06 |
JayF | but without a way to "authenticate" automatic_lessee as being sent from nova, we can't trust it | 21:06 |
* JayF notes he's working on finishing "excise ironic_lib from IPA" | 21:09 | |
TheJulia | well, to handle the whole need to be able to authenticate to a remote image_service, I've got an idea in my prototype code that enables us to do per class instance overrides. So there may be an enabling way to do it then | 21:17 |
JayF | wouldn't we need to match tenant to private images to support that in glance | 21:37 |
JayF | which means needing an authenticated way to know what tenant is provisioning | 21:37 |
JayF | I guess we have that in standalone; with the standalone automatic_lessee implementation | 21:37 |
JayF | gets a little more confusing with nova involved | 21:38 |
cardoe | Couldn't greater scope / admin let you see that? | 22:44 |
JayF | Yes, but the issue is knowing /when/ doing that is authorized | 22:56 |
JayF | e.g. if we just trust lessee or automatic_lessee, anyone who can set node.lessee/instance_info[automatic_lessee] could privilege escalate against Glance using Ironic | 22:56 |
opendevreview | Jay Faulkner proposed openstack/ironic-python-agent master: Remove dependency on ironic-lib https://review.opendev.org/c/openstack/ironic-python-agent/+/937743 | 23:00 |
JayF | existing unit tests pass \o/ I'll poke at it this weekend to migrate over ironic_lib tests and/or fix whatever I almost certainly broke in functional tests | 23:00 |