Wednesday, 2025-02-26

« Tuesday, 2025-02-25 Index Thursday, 2025-02-27 »
cardoecid: JayF: why do I feel like Iā€™m reading an ebuild?01:10
rpittaugood morning ironic! o/08:09
opendevreviewRiccardo Pittau proposed openstack/bifrost master: Remove ubuntu bionic support leftovers  https://review.opendev.org/c/openstack/bifrost/+/94276709:38
frickleromg, is only supermicro so picky or what? ironic: shove this file into your vmedia floppy slot. supermicro: eh, 100KiB, you kidding me? floppy images are 1440KiB. and also don't do this to me without prot^Wa .img suffix10:25
* frickler prepares a patch10:25
opendevreviewMerged openstack/python-ironicclient master: Drop remaining use of iteritems  https://review.opendev.org/c/openstack/python-ironicclient/+/94261310:36
Sandzwerg[m]Morning Ironic10:39
Sandzwerg[m]Has anyone ever tried to use a HPE Superdome with ironic?10:39
opendevreviewVerification of a change to openstack/ironic-python-agent master failed: Fix the way qemu-img is called with prlimits  https://review.opendev.org/c/openstack/ironic-python-agent/+/94269010:49
opendevreviewcid proposed openstack/ironic-python-agent-builder master: More reliable TinyIPA builds with network retries  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/94236911:58
opendevreviewcid proposed openstack/ironic-python-agent-builder master: More reliable TinyIPA builds with network retries  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/94236912:02
opendevreviewMerged openstack/networking-generic-switch master: Add support for Neutron routed segments  https://review.opendev.org/c/openstack/networking-generic-switch/+/93921112:09
opendevreviewDr. Jens Harbott proposed openstack/ironic master: Make floppy images more floppy  https://review.opendev.org/c/openstack/ironic/+/94278712:16
opendevreviewVasyl Saienko proposed openstack/ironic master: Do not review debug multinode  https://review.opendev.org/c/openstack/ironic/+/94272513:15
iurygregoryfrickler, well it's supermicro :D13:23
iurygregorythey have all sort of things :D13:23
iurygregorydo you have the license for vmedia for it?13:23
TheJuliagood morning14:07
frickleriurygregory: yes, and with the above patch things do work for me14:08
iurygregoryack, tks for the patch o/14:09
TheJuliaSandzwerg[m]: I've never had one. I know HPE made a "driver" for it specifically but chose not to upstream14:10
TheJuliaSandzwerg[m]: checkout https://support.hpe.com/hpesc/public/docDisplay?docId=a00038168en_us&page=GUID-91FD8D1A-4032-4FA2-8666-F295E18F986E.html14:10
cardoeI can't +W, frickler's patch but yeah that's something that needs to be done. frickler a lot of vendors have that demand from experience.14:13
cardoeI feel like somone has a requirement on like .flp or .fpy14:13
fricklerwell we can make the suffix configurable if needed, but I'd like to avoid the complexity unless there is a real demand for that14:15
cardoeNo. That vendor can go <censored>14:15
* TheJulia blinks14:16
cardoeIf someone else is available, let's land https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/94236914:16
* TheJulia needs more coffeeeeeeeeeeeeeeee14:16
cardoeTheJulia: what I'm not allowed to be mean to hardware vendors with silly requirements/14:16
cardoedtantsur: poke on https://review.opendev.org/c/openstack/ironic/+/94033314:17
TheJuliacardoe: Always be nice and polite, while your preparing to lead them into the meeting where they are told "we'll be using the alternative vendor" ;)14:18
cardoelol. yes this.14:18
TheJuliaafterwards, all bets are off14:18
TheJulia"Oh, checkout your server SMELTED!"14:18
TheJulia"Your servers make AWFUL slag!"14:18
TheJuliaAnd so on, and so forth14:19
cardoeYou implemented an ethernet controller as an AGP extension to get faster unidirectional bandwidth. While novel, it has made me vomit up what I ate last year.14:19
TheJuliaIt occurs to me now we should have never shredded hard drives. We should have melted them.14:20
cardoeThat A) shows my age and B) was a real conversation I've had14:20
TheJuliaugh14:20
cardoeSo even though https://review.opendev.org/c/openstack/ironic/+/942496 failed tests (cause tinyipa timeouts, I'm waiting for cid's fix above to land first to recheck it). I just wanted to mention it before I get too heads down again today.14:21
cardoeSo once again trying to follow commit history and read code to divine the expected behavior.14:21
TheJuliaso taking a glance at HPE's docs, it makes me think nobody tested them after they last updated them14:21
TheJuliait makes me wonder if we need a warning about vendor docs in our docs14:22
cardoeIf we merge that change and backport it. I think that's the "safer" option.14:22
cardoeBut afterwards I've got a much bigger non-backportable change that's munging how image_properties are copied around. Do we have any set list of what we use or want to actually copy to the instance_info?14:23
cardoeCause no promises I won't break someone's weird use case.14:23
cardoeCause now it's literally JUST going to be image properties set by the user.14:23
cidtks, cardoe, TheJulia for the review ;)14:26
* cid waves iurygregory, a welcome back wave :D14:26
TheJuliawhat we extract for kernel/ramdisk with partition images (even though we don't actually use the artifacts), checksum fields/values, and what we download for glance. I think that about covers it for glance. That shouldn't conflict with anything specifically populated from nova though14:26
iurygregoryhey cid o/14:26
TheJuliacid: o/ I need some clarity on https://review.opendev.org/c/openstack/ironic/+/942112 when you get a chance14:35
cidTheJulia: I think that particular header was from ironic/common/utils14:38
cidit appears a few other places as well14:39
TheJuliaBut did the places it came from have it originally14:39
TheJuliafor the code it has been paired up with14:39
TheJuliaI guess I'm trying to figure out does it really apply at this point since it as been 12-13 years since then...14:40
cidSo, I replicated that header since it's inside of commons and the entirety of inspection rules is located within it as well.14:41
TheJuliaso the file where the content came from had the header. Was the other content substantially modified in this process?14:41
cidI don't think I made any changes at to where it came from.14:42
cidI just took the header 14:43
TheJuliayou mean preserved the license header with the content?14:43
TheJuliaI'm being pedantic because this is a touchy area (the early copyrights)14:44
cidSo, ...14:46
cidWe had a function in the utils file14:46
TheJuliaand that function was wholesale copied yes?14:47
TheJulialike, copied and pasted14:48
cidBut I had to move it out into a separate where every aspect of inspection rules code and logic is self contained in a subdirectory /inspection_rules/.14:49
cidSo, in code in `ironic/common/inspection_rules/utils.py` and `ironic/common/inspection_rules/validation.py` have been different places before where they are now.14:49
cidRe: wholesale copy: added, and then moved out14:50
TheJuliaokay, cool14:50
TheJuliaThanks!14:50
cidShould I change the headers? I think that was the result of the carryover of the code from originally `ironic/common/utils.py` into separate modules.14:51
TheJuliaThey should only be used if the file was copied in whole or if the content of the file substantially originates from a file where that was the header.14:55
TheJuliaHopefully that made sense15:02
cidIt did and that's not the case here either. So, I think it needs changing. 15:04
TheJuliaokay15:04
TheJuliacid: thanks!15:05
cidTheJulia: Yep! Are there any standard headers I could turn to, in cases like this when I'm uncertain.15:07
* cid have seen at least 3 different ones15:07
JayFIf I was creating a new file today, I would just put the Apache license at the top and not include a copyright line15:10
JayFI have no idea if that's correct or not. But I think it is15:10
TheJuliaStandard, just the license header.15:10
TheJuliayeah, exactly what JayF proposes15:10
TheJuliaThe fun thing is copyright is basically enforced through analysis of content. Most companies/orgs that stamp it at the top of the file is much more "this is org policy that I must do this"15:11
TheJuliaWhen I was at HP, it was stressed internally to "always add an HP copyright entry" if appropriate15:12
cidGot it. tks15:15
TheJuliacid: no, thank you!15:20
cid;)15:22
opendevreviewVerification of a change to openstack/ironic master failed: Trivial: Enable disabling tftp setup  https://review.opendev.org/c/openstack/ironic/+/94174215:29
opendevreviewVerification of a change to openstack/ironic master failed: ci: focus ironic-tempest-bios-ipmi-direct-tinyipa  https://review.opendev.org/c/openstack/ironic/+/94220415:36
opendevreviewSatoshi Shirosaka proposed openstack/ironic-python-agent master: WIP Add ContainerHardwareManager  https://review.opendev.org/c/openstack/ironic-python-agent/+/94171415:44
opendevreviewcid proposed openstack/ironic-tempest-plugin master: Test double encoding of error message  https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/93574015:51
Sandzwerg[m]<TheJulia> "Sandzwerg: checkout https://..." <- You gotta love vendors for not upstreaming things šŸ˜ but that might be helpful, thanks for sharing. We try to use the redfish driver right now and some things work but deployments fail. However that seems to be a network thing, not entirely sure and haven't had too much time to look into that. I think I need to make some time eventually as we will get some of them (we only have a15:54
Sandzwerg[m]single node for testing so far).  So far, not a fan.15:54
TheJuliaI think the challenge is the took the line and merged it with their flexline15:57
TheJuliaso in essence they muddied the waters15:57
Sandzwerg[m]I'm not sure how they looked before but I'm sure what we'll get would have been considered a Superdome even before. Iirc hpe is the only vendor to offer 16 socket machines and for reasons I don't know and don't agree with we still try to solve developing issues with bigger hardware instead of a different software architecture so no way around them. šŸ« 16:03
Sandzwerg[m]But hey apparently my company is one big reason vendors still offer 8 socket machines so, yay.16:04
cardoeAnyone know where in the config drive creation we'd prefix the path data with /var/lib/cloud/seed/config_drive ?16:31
dtantsurcardoe: I don't think we do. It looks like a mount point of cloud-init or something16:32
cardoeokay cause the anaconda kickstart stuff prefixes /var/lib/cloud/seed/config_drive to the data it gets from configdrive when it parses it.16:33
cardoeThe tests validate that the path is prefixed with /var/lib/cloud/seed/config_drive16:33
cardoeBut comically stuff is being written to /var/lib/cloud/seed/config_drive/var/lib/cloud/seed/config_drive/<blah>16:33
cardoeSo the tests pass.16:33
JayFSandzwerg[m]: I do know people who have versions of that hardware in production, but I don't believe it's running the off-the-shelf HP config w/r/t BMC.16:34
cardoeah ignore me. I see it.16:34
JayFSandzwerg[m]: so that's /probably/ not helpful for you but at least any data point at all16:35
cardoeWhen we read the ISO data we prefix that path. Then when we create the kickstart metadata we always prefix that path again.16:35
Sandzwerg[m]JayF: It's certainly interesting. Did they wrote their own BMC or is there a possiblity to use something else like openBMC or so_16:37
Sandzwerg[m]s/so_/so?/16:37
JayFSandzwerg[m]: I'm going to dm you.16:37
opendevreviewcid proposed openstack/ironic master: Follow-up: Apply Inspection Rules  https://review.opendev.org/c/openstack/ironic/+/94211216:38
opendevreviewcid proposed openstack/ironic master: API/Testing: Inspection rules migration  https://review.opendev.org/c/openstack/ironic/+/93921716:38
Sandzwerg[m]hmm  cardoe are you still looking for something to build vmware images?16:44
cardoeYeah that would be great. Cause right now I'm tweaking the anaconda deploy interface to do VMware ESXi16:46
Sandzwerg[m]OK I'll DM you16:47
TheJuliacardoe: docs please! :)16:54
rpittaugood night! o/17:07
opendevreviewVasyl Saienko proposed openstack/ironic master: Do not review debug multinode  https://review.opendev.org/c/openstack/ironic/+/94272517:15
JayFcardoe: your comment on 2099276 is concerning17:22
TheJuliait actually makes sense mechanics wise17:27
JayFhow is it okay if it bypasses an authorization check though?17:31
JayFthat's why I'm concerned17:31
TheJuliathe top level object is controlled by the entity who made it public. They point to ID values which they would need to know17:33
TheJuliabeyond that, it is up to glance to enforce that access or not.17:33
TheJuliaour check is purely around community comfort.17:34
JayFthat makes sense17:34
TheJuliado we "trust" glance, do we "trust" users using community images, etc.17:36
JayFIs it wrong of me to assume Ironic is responsible for image security when we're using an ironic credential to interact with that image?17:37
TheJuliaso, you have to delineate when ironic is using it's own token, or if it is re-using the requestor's context.17:38
TheJuliafor example, user request comes in17:39
TheJuliawe have their context (\o/)17:39
JayFI assumed at that stage of a anaconda deployment the user token would be gone; that's a bad assumption then17:39
TheJuliawe download items and things using that context17:39
TheJuliawe then release the lock and go into deploywait17:39
JayFso in cardoe's case that is either his token (standalone) or the nova compute's credential17:40
TheJuliawe front load all of that artifact work stupidly early on17:40
JayFwhich calls us in an admin context unconditionally in the nova driver17:40
TheJuliaThat should be correct, yes17:40
TheJuliaGoing back to the policy check, that was a human preference of making sure rando user doesn't deploy rando artifact of evil17:41
JayFthis seems circular to me then; are we saying it's the nova compute's job to enforce use of that token being sane?17:41
* TheJulia creates CentosForEvil1.017:41
JayFI'm more concerned about I published an image with secrets because I am bad at cloud17:41
JayFthen someone in another tenant sees the secrets in that image17:42
TheJuliaWe can't be the ones to defend against that if a user does something stupid bad, which is in part why the public check requriement is there17:42
TheJuliaso the admin has to be okay with the public artifact17:42
TheJuliawhich the *user* has requested, that admin can then say "this also needs x,y,z things as well"17:42
TheJuliain this case, nova uses an admin context to ironic which means it does run with admin privs :\17:43
TheJuliabut, we require public in the fall-through17:43
TheJuliaor the owner to match17:43
TheJuliadoes that make sense?17:43
JayFthis is where I cricle around to why is it okay then, in cardoe's case, that we used a nonpublic image? Just because it's ID was included in metadata on a public image?17:43
JayFsince the token/context used to access those nonpublic images was the compute token from nova17:44
JayFnot a user token17:44
opendevreviewKaifeng Wang proposed openstack/ironic master: [Trivial] Fix typo of exception error message  https://review.opendev.org/c/openstack/ironic/+/92702417:53
opendevreviewDoug Goldstein proposed openstack/ironic master: doc: updates to anaconda deploy interface  https://review.opendev.org/c/openstack/ironic/+/94283918:03
cardoeJayF: I'm just reporting the behavior. I don't have enough know how to say what's good or bad.18:04
JayFClearly I don't either :)18:04
cardoeTheJulia: ^ there's my initial take at the doc updates. The standalone section and the standalone repository section aren't something I've tested but just reading how it says it works, I would strongly doubt it.18:05
cardoestage2 and/or stage_id is a HARD requirement.18:11
cardoeTrying to figure out if https://zuul.opendev.org/t/openstack/build/7d5bf59e260a469286999d53ee8e1af9 is really a failure in that patch? I don't think so because it seems like things just timeout based on the error but reading the conductor logs that instance went active and it's just failing waiting for it to teardown?18:18
opendevreviewVerification of a change to openstack/ironic master failed: Trivial: Enable disabling tftp setup  https://review.opendev.org/c/openstack/ironic/+/94174218:37
opendevreviewJulia Kreger proposed openstack/ironic-tempest-plugin master: CI: Dial back the non-voting jobs  https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/94284618:37
opendevreviewVasyl Saienko proposed openstack/ironic master: Do not review debug multinode  https://review.opendev.org/c/openstack/ironic/+/94272519:02
opendevreviewDoug Goldstein proposed openstack/ironic master: anaconda: more flexible config_drive in kickstart  https://review.opendev.org/c/openstack/ironic/+/94284919:10
cardoeAnd there's more docs and updates to give me enough breadcrumbs to make this work.19:12
opendevreviewDoug Goldstein proposed openstack/ironic master: doc: updates to anaconda deploy interface  https://review.opendev.org/c/openstack/ironic/+/94283919:22
opendevreviewDoug Goldstein proposed openstack/ironic master: anaconda: more flexible config_drive in kickstart  https://review.opendev.org/c/openstack/ironic/+/94284919:28
cardoeDid I do the co-author header correct?19:32
opendevreviewJulia Kreger proposed openstack/ironic master: WIP: hooking in an external network simulator  https://review.opendev.org/c/openstack/ironic/+/94229819:44
TheJuliacardoe: looks like it19:48
TheJuliaJayF: that check only runs against the image in image_source, not subsequent images retrieved to support specific interfaces/uses. In large part around the contracted behavior of image_source19:49
TheJuliacardoe: most likely there is some sort of networking problem we've not pinned down which is causing the jobs to log aggressively and because we have jobs... like that one, which are running everything and the kitchen sink, its near imposisble for us to figure out what is really going on19:51
cardoeSandzwerg[m]: don't tease me with VMware info and then not message me. :(19:51
TheJuliawhich is also why I put in a change to turn  down what that test executes *and* turned down the aggressiveness around short retry intervals creating large amounts of logging19:51
TheJuliabut... something needs to pass first to get those in19:51
opendevreviewVasyl Saienko proposed openstack/networking-generic-switch master: Add vlan aware VMs support  https://review.opendev.org/c/openstack/networking-generic-switch/+/92849020:04
Sandzwerg[m]<cardoe> "Sandzwerg: don't tease me with..." <- I did, didn't you saw my messages? I'm not sure how good it works as I'm in via matrix but I could read your messages. And JayF was able to read my messages as well. You should have a email20:29
JayFyeah, I was surprised it worked earlier tbh20:29
cardoehmm nope got nothing in irccloud20:30
cardoeah I do have email. thank you!20:30
Sandzwerg[m]Weird. Hope it helps you. It's Apache licensed but I'm probably not going to follow the proper open source process as I hope I don't need to use it anymore sooner or later. Might be more or less adjusted to our use case but should at least give you some ideas what could work. I might be able to answer questions but the main work was done by an es colleague, I just try to keep it running20:35
cardoeI'm totally appreciative. This is definitely helpful. Anything that either shows a similar path or a dissimilar path is helpful validation as well.20:42
cardoeJayF: I can confirm with the latest version of my glance metadata fix patch the image_properties is much shorter now21:56
« Tuesday, 2025-02-25 Index Thursday, 2025-02-27 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!