Tuesday, 2024-09-24

« Monday, 2024-09-23 Index Wednesday, 2024-09-25 »
kevkoanybody for second +2 https://review.opendev.org/c/openstack/oslo.messaging/+/928034 < ? 07:51
opendevreviewTakashi Kajinami proposed openstack/oslo.db master: Remove LegacyEngineFacade  https://review.opendev.org/c/openstack/oslo.db/+/79813514:01
opendevreviewJay Faulkner proposed openstack/oslo.utils master: Differentiate raw-like images  https://review.opendev.org/c/openstack/oslo.utils/+/93036517:14
JayF^ Happy to talk about other ways to signal this; the addition of GPTInspector broke all our draft Ironic code to use imageutils from oslo_utils17:14
JayFand it seems like us keeping a static list would be the most painful thing possible in terms of future-proofing17:15
JayFClark discovered this https://bugs.launchpad.net/oslo.utils/+bug/2081872 while looking at that change, too. 17:29
tkajinamthe whole "you should validate image format outside of qemu tooling" pulls tons of mess...17:31
tkajinamI know you guys know it better but I couldn't stop saying it :-P17:31
JayFI mean, yeah. It's been a very unpleasant set of time working through these issues, and I think Ironic devs got one of the less annoying versinos of this fix to write17:33
JayFbut I'm really nervous if we're saying a GPT image isn't raw, that makes that inspector really scary for Ironic use unless we do something like I've proposed there17:33
tkajinamI wonder if it saves our life to allow disabling gpt inspector now. I know it has benefit but we may still face some wired variations we should consider "normal"17:33
JayFIf people want to identify subsets of raw, I'm game for that, and we might even be able to do cool things with that info in the future17:33
JayFbut we just have to clearly indicate it's a subset17:34
JayF(where raw == an image that can be written bit-perfect to a disk and make sense)17:34
JayF(I guess I should say disk or partition)17:34
JayFit makes me wonder, there must be some code around this in nova already, right?17:36
JayFbecause I don't think qemu-img can take gpt as an input type17:36
JayFhmm17:36
JayFhttps://opendev.org/openstack/nova/src/branch/master/nova/virt/images.py#L164 is basically *exactly* what I didn't want to write in ironic17:41
JayFbecause I can guarantee we'll be forgotten about if another exception is added, and even if not, it's not awesome to have multiple projects have to update before the library can update :/ 17:41
tkajinamdansmith, ^^^ fyi17:52
tkajinamI'll revisit it hopefully tomorrow (well, it's already today, though)17:53
JayFlooking at the nova code, we could probably centralize if we added iso to be "raw-like" as well, and Ironic could happily filter that in the deployment layer (isos make sense for only some of our deployment interfaces, but these distinctions don't exist for actual raw/gpt disk images)17:53
dansmithJayF: I'll look at your patch, but I think we definitely need to stop treating "a raw disk image" as the same thing as "I don't know what this format is"17:55
dansmithJayF: the "if gpt, then raw" thing is what we need until we can transition to a known format of course17:55
JayFIn theory I agree, but I am highly worried about edge cases that might exist only for hardware17:55
dansmithI think we have to bite that bullet17:56
JayFe.g. I've actually known folks who used Ironic to provision images onto switch gear, and I wouldn't be surprised if the "image" in that case wasn't something we'd be able to detect17:56
dansmithand the qemu team has recommended this route17:56
dansmithright, and I think it's correct for nova to say "sorry but I dunno what that is so I won't even try to boot it"17:56
JayFI am fine with Nova saying that; my concern is with ironic's ability to use the shared format inspector code17:56
dansmithif ironic wants to allow bootable raw (in the "I don't know what this is sense") then that's cool,17:56
dansmithbut I think nova cannot do that17:57
dansmithJayF: so all you have to do is allow raw, full stop17:57
JayFbecause, as noted above, Ironic had code written that checked that17:57
dansmithand glance will, of course, continue to allow ra17:57
JayFGPTInspector was added17:57
dansmith*raw17:57
JayFand it broke because that's "gpt" not "raw"17:57
dansmithright, well, it's not :)17:57
TheJuliawell, realistically it is17:58
JayFI doubt we'd have any users who would use the term "raw image" to mean something *excluding* something that can be gotten via dd if=/dev/my/disk of=/file17:58
TheJuliagpt is just an underlying data structure which is block aligned with a flavor of partition data.17:59
JayFwhich basically if I have a BIOS booted MBR disk: dd if=/disk of=/image ## returns raw, if I have a EFI-booted GPT disk: dd if=/disk of=/image # returns gpt17:59
JayFwhich is expectation violating for me, at least17:59
JayFto be clear: I think it's cool that we can say "this raw image contains GPT partition data", and I can even think of cool ways Ironic could use that information, but it's *additional* info beyond 'this is a raw image' (using the definition of raw image we've had for ~10 years+)18:00
dansmithJayF: you just said you would have users using raw for something other than that18:00
dansmithJayF: the definition of raw that we've had for 10+ years is exactly the problem though18:01
JayFMy intention in saying that is that I want to assume it's a breaking change if we start saying "images that we can't detect a partition table inside are not permitted to deploy"18:01
dansmithwe can redefine raw to mean "has some structure that looks like X" if you want, but then we need to start rejecting people uploading kernel images and calling them raw18:01
JayFwell, my concern is reverse of that: us shrinking what "raw" means can have a negative impact on ironic18:01
dansmithwell, right now we have both structured things we expect (i.e. a PC disk image) and things like kernel, ramdisk and anything else (switch firmware image?) in raw images18:02
dansmithanything we do here is going to be disruptive to multiple communities for sure, but I don't think that's avoidable18:02
JayFI think the overlap of "multiple communities" is going to be giant in the BM case, and much less so for the VM case18:03
dansmithand TBH, I think it's an indication that we're moving in the right direction (i.e. side effects prove the vaccine is working)18:03
dansmithare you arguing that we should continue not tracking the actual content of the images because the risk is worth the pain to change? or are you proposing some alternate shift in the definitions?18:04
JayFwhich is part of why this is a bit scary from my perspective; going from "we detect what type of image it is so we can run tools safely on them" and "lets redefine the basic definition of what these terms that our users have been talking about for years" is a huge leap18:04
JayFmy patch, above, adds a property to the inspector18:04
JayFwhich indicates if an image type makes sense as to be bit-copied onto a disk18:04
JayFe.g. right now, GPT, Raw, and (maybe) ISO would be the ones to get it returning True today18:05
JayFif at some future date, we detect filesystems inside images, that might get tagged with that too 18:05
JayFor maybe even images with preexisting MD RAID metadata on them (I did this at OnMetal like 10 years ago)18:05
JayFthe scope of what you can put on a disk to do interesting things is MUCH larger in a bare metal world 18:06
JayFmy goal is that if we start saying, "hey, this image we used to call 'raw' is now 'vfat'" that we have a way to signal that to downstreams, like Ironic, which want to know it can still treat it as a bit-perfect image that doesn't need conversion18:06
opendevreviewMerged openstack/oslo.utils master: Avoid detecting FAT VBR as an MBR  https://review.opendev.org/c/openstack/oslo.utils/+/92844818:07
JayFlol thanks opendevreview for the timely comment :P 18:07
TheJuliaquite timely18:07
JayFreally I toyed with calling that variable "conversion_needed" or similar18:08
JayFwhich might be a better way to describe it18:08
JayFbut I took the sign I'm having trouble naming the property as a sign that maybe it needed a finer point on what exactly we care about18:08
JayFdan is right the "everything else" nature of how we treat raw makes it hard, after the fact, to figure out what goes in what bucket18:08
dansmithI think what you want is a a list of formats you think you can write to a disk18:08
JayFyes, pretty much18:08
JayFimage_format.just_dd_this (bool) lol18:09
dansmithI don't think a property on the inspector is the right thing to do there, but a list of those that you can use and we can ignore would serve the same purpose18:09
JayFwith maybe separate properties for filesystem stuff (dd this to a partition) vs partition image / raid metadata / etc (dd this to a disk)18:09
dansmithI dunno that it needs to be in oslo, because it's ironic policy really, but... whatever18:09
JayFI implemented it that way first, deleted it, and redid it my current way18:09
JayFwell, I'm mainly worried that we'd get silently broken, similar to how we did when GPTInspector was added (that's a weird case as it was code under review that got broken, but I'm taking it as a timely warning to be careful about this integration point)18:10
dansmithJayF: the VFAT thing is a good example of why that's hard though.. that format literally can be whole-disk or partition.. it has the same structure so that it's bootable from a whole disk (floppy) or a partition (chainloaded from the MBR )18:10
dansmithintentionally that way because 1980s18:11
JayFyep, I agree it's super hard to define, but I think it's a case where if we kick the problem down the road the first complaint will be from an operator, and I'd rather try to figure it out before that bug gets filed :)18:11
dansmithalso, the firmware in the machine could totally support qcow2 written raw to a disk without any hypervisor at all, so saying you can't dd it to the disk is also not really accurate18:11
opendevreviewMerged openstack/oslo.utils master: Squelch irrelevant format complaints  https://review.opendev.org/c/openstack/oslo.utils/+/93007418:11
JayFcan we delete that from the logs before some hardware vendor gets ideas /s /s 18:12
JayFlol18:12
JayFYeah, that's what I'm stuggling with too, you're right that in a way it's a policy statement18:13
dansmithyeah, so I'd put that into ironic for that reason personally, because nova will have some of its own things,18:13
JayFbut I don't know how to put that policy statement in ironic *without* having to worry about a rugpull breakage by new inspectors being added18:13
dansmithlike you can't boot iso by dd'ing it directly to a disk, but if we know it's iso we can do the right thing.. and we won't allow raw18:13
JayF(this patch was as much to get this conversation as it was to merge; I'm happy to find better solutions)18:13
dansmithand libvirt doesn't allow vmdk, etc18:13
dansmithJayF: well, InspectWrapper (changed since you copied from glance) allows an "list of inspectors" so you can easily provide it with a list and it won't detect new stuff18:14
JayFso a question: if we did that, and say, we found some security issue in the GPTInspector (like, a specically formed partition metadata can cause your disk to kaboom) -- yes I know it's a stretch18:15
dansmithso having your list of allowed things passed to it will cause it to detect anything not in that list as RawInspector such that if we add a BsdLabelInspector (which we probably need) you won't start seeing it before you expect it18:15
JayFif we didn't pass GPTInspector as a possibility, it'd never run that safety check18:15
JayF^^^ That is EXACTLY why I want to have this conversation -- because I know the tail of things to add will likely be long18:15
dansmithyep, well that's exactly why we need to stop pretending this stuff is unstructured in the first place :D18:16
TheJuliaI personally think locking projects into patterns that never change is just building technical debt disguised as stability. There has to be a middle ground.18:16
dansmithbecause I think there are probably theoretical attack vectors where the complex GPT (the actual one, not what we're checking) is exploitable with string buffer overflows and such18:16
dansmithTheJulia: isn18:16
dansmithTheJulia: isn't that "raw has always been like this so it will always be like this" ?18:17
JayFTheJulia: one thing I like about Ironic right now is with whole disk images, you can basically use an image of some homegrown OS written in a completely different architecture as long as the machine boots it18:17
JayFTheJulia: it's going to be hard to fix dansmith's concern with losing that flexibility18:17
JayFdansmith: YES18:17
JayFdansmith: re: GPT scariness18:17
JayFI made myself scared with just that hypothetical18:17
dansmithJayF: it's really not if you let the op control the blessed list and/or let the driver define the formats it can take (i.e. a rando dell server says "no thanks" to qcow2)18:18
dansmithwe had to do that with nova because vmware won't read qcow2 files and of course our users are better off because of it18:18
dansmithJayF: that's exactly why I want nova to NOT boot anything called "raw" because all that means is "shrug, good luck"18:18
JayFThe hardware vendors don't even support the things they say they support, much less cool stuff like that (/me glares at uefihttp boot)18:18
TheJuliaJust support modeling on larger device block sizes and I'll be happy w/r/t gpt18:19
dansmithwell, letting them define the things they want to support (or you of the things you want) would be a good way to avoid people saying "it's broken, but it kinda works, so fix it!"18:19
TheJuliaJayF: just remember, your only glaring at *one* of the two UEFIHTTP boots ;)18:19
JayFTheJulia: part of me wonders if part of the fix for this is the other direction18:19
TheJuliaThey have similar outfits, entirely different jackets18:19
JayFnevermind18:19
JayFI typed in a bad idea and deleted it18:20
TheJuliaheh18:20
dansmithTheJulia: you need to explain the block device thing to me (on the bug) because we're not *actually* processing the GPT structures at the moment18:20
dansmithso there should be no reason there's a problem there unless you've got an invalid GPT18:20
JayFdansmith: on a 4k sector size disk, the GPT metdata is at 4k, not 51218:20
TheJuliaand each block is 4k18:20
dansmithJayF: cool, but we don't even look at it, so why does that matter?18:20
JayFdansmith: and there is hardware that exists which can't even read a 512 block size GPT partition18:20
TheJuliaand so per gpt standard, the *first* block of data is in block 1, of a 4k block size18:20
dansmiththere's no error or log in the bug so I don't even know what the problem is18:21
dansmithTheJulia: sure but the MBR is only 512 bytes and since that's all we look at there should be no issue18:21
TheJuliadansmith: issue we've got customers screaming about is the hardware looks at block 1 per gpt, because it is block aligned, not byte aligned, and reads the contents, and doesn't see the gpt table header18:21
dansmithand we're reading from a stream, so the reads aren't aligned or anything18:22
dansmithTheJulia: we're not reading the GPT header AT ALL18:22
TheJuliathen what are you reading, exactly?18:22
dansmithwe're capturing it (so I can look at samples) but we're not doing anything with the data18:22
dansmithwe could remove that line and nothing would change18:22
dansmithnotice the only check on there is looking at the PMBR structures, which is only the first 512 bytes18:23
dansmithwho is screaming and where?18:23
JayFspecifically clark pointed it out when he was looking at my change18:23
TheJuliadansmith: we have some customers internally which are screaming to boot baremetal which only groks 4k block sizes, so gpt structure has to be differently aligned on the disk image contents18:23
TheJuliaotherwise the hardware doesn't see it. This can be reproduced with VMs by forcing the disk device block size to 4k18:24
dansmithare you all just theorizing that there's some problem with the assumption that it's at 512 bytes there or experiencing some actual problem?18:24
JayFhttps://github.com/openstack/diskimage-builder/commit/2df6d9b91415241b9d16cd96dd78f9b15e4e8e26 is the code added to DIB to create images that can be read on that hardware18:24
JayFdansmith: the first piece. We should build an image with ^^^ that can point the inspector at it and see what happens18:24
JayFI'm going to JFDI that now18:25
TheJuliaI *think* pmbr is also optional18:25
dansmithTheJulia: it's not18:25
dansmithhttps://uefi.org/specs/UEFI/2.10/05_GUID_Partition_Table_Format.html18:25
dansmith"LBA 0 (i.e., the first logical block) of the hard disk contains either" ... a real MBR or a PMBR18:25
* JayF wonders if the MBR itself is 512 bytes or 4k in the case of a 4k disk...18:26
TheJuliamay contain a legacy MBR pointer *or* PMBR18:26
dansmithJayF: ack, if something about it breaks let's discuss18:26
TheJuliaJayF: first 512 bytes of a 4k block18:26
TheJuliathe rest ends up being whitespace until LBA118:26
dansmithright ^18:26
dansmithyup18:27
JayFso then it seems like the code as written is probably A-OK based on my re-reading with Dan's enlighting comments18:27
JayFbut if we go the next step to inspect GPT structures, it'll need more logic for block sizes18:27
TheJuliaif just looking for pmbr likely18:27
dansmithmy bad for leaving the red herring in the code :)18:27
JayFIt doesn't help that I'm specifically reviewing for "how will this break on real hardware" :D 18:28
dansmithyour bad for falling into the trap18:28
JayFexactly lol18:28
TheJuliathis reminds me, I started the work someplace to wire us up a 4k block device CI job18:28
TheJuliaI don't remember where I put those brain cells18:28
TheJuliaso, since it is only looking at the pmbr, and you can have an mbr or pmbr on gpt partitioned disk, it basically means ironic is going to have to still grok "its a disk, its bootable" somehow becaue we can't change how we handle that as operators today *have* dual boot images18:31
dansmithI think you mean s/can have/must have/ if you're talking about gpt18:32
TheJuliayes18:32
TheJuliathat18:32
dansmithjust checking :)18:32
dansmithif ironic wants to make raw images bootable, then that's totally fine for ironic18:33
TheJuliaI'm on conversation number $ERROVERFLOW18:33
JayFI also will abandon my oslo.utils change; I'll write code downstream in ironic similar to what nova has18:34
JayFjust please make loud noises if/when that changes :D 18:34
dansmithJayF: I just -1d with a summary here, hope that's okay18:34
dansmithgood for posterity at least18:34
JayFI would've done it before abandoning it18:34
dansmithack18:34
JayFmy memory is pretty bad so I try to ensure conversations are documented18:34
dansmithtkajinam: thanks for ninja'ing in those fixes18:56
JayFbtw dansmith, I whipped up http://github.com/jayofdoom/disk-image-checker based on the oslo.utils code -- if you know of any operators who might need something like that19:06
dansmithah cool, I have something local I've been meaning to push up19:06
dansmithbut making it like blkinfo is cool19:06
JayFthis was mainly whipped together for the video I did on the ironic security issue19:06
JayFand so my downstream could be 10000% confident their images would pass muster :D19:06
opendevreviewDan Smith proposed openstack/oslo.utils master: Clarify GPT structure offset  https://review.opendev.org/c/openstack/oslo.utils/+/93037419:06
dansmithJayF: TheJulia ^19:07
dansmithJayF: yeah, I think a tool to run safety checks on an image is something we should have19:07
JayFI'm happy to propose that, or a similar modified version, to oslo.utils if it'd be desired19:08
dansmithif you're really going to put that thing on pip that's fine19:08
JayFmy idea was to put it on pip if anyone gave a crap19:08
dansmithmine is left over from me writing this code years ago, and dumps all kind of info to make sure I'm not storing the whole image in memory, etc19:08
JayFif you're saying you give a crap, I'll setup proper publishing and CI for it :)19:08
dansmithsince this was for glance to use in a stream without storing the image, the "don't just store the image in a variable" was an important design point19:09
JayFand make it actually install a binary instead of being a python -m blah19:09
dansmithJayF: I give a crap.. one thing though19:09
dansmithyou might want to consider making it so you can install it without the oslo.utils dependency, or at least without it being too opinionated about the version19:10
JayF4k image validates as GPT, jfyi https://www.irccloud.com/pastebin/3Ctea18L/4k_image_out.txt19:10
dansmithbecause what some people will really want is "does *my* oslo.utils think this is safe/allowed"19:10
JayFI think I have => the first version with a format inspector as the requirement19:11
JayFif that's not the case I'll make it that way before publishing19:11
dansmithokay, but just try to keep it tolerant of future versions i mean so people can use it with multiple things19:11
dansmithalso,19:11
dansmithI mentioned to tkajinam at some point that I had a messy thing to include,19:11
dansmithand I think he was open to allowing `python -m oslo.utils.imageutils` usage,19:12
dansmithso if you did that, people could test their even-distro-packaged version without extra stuff19:12
dansmithbut anyway, whatever you want to do, but I think it's good to have regardless of where you put it19:12
JayFif we're OK including it in oslo.utils, I'm going that route19:13
JayFthe reason I didn't push to pip already is that it's an anchor to support it forever or be a meanie and let it rot, and I'm bad at both lol19:13
opendevreviewJay Faulkner proposed openstack/oslo.utils master: Add image checker to imageutils  https://review.opendev.org/c/openstack/oslo.utils/+/93037919:44
JayFthere ya go dansmith, I can drop the pbr dep if we want to but I thought it'd be a /very/ nice touch to print the version in the output for future bugs19:45
opendevreviewJay Faulkner proposed openstack/oslo.utils master: Add image checker to imageutils  https://review.opendev.org/c/openstack/oslo.utils/+/93037919:45
opendevreviewJay Faulkner proposed openstack/oslo.utils master: Add image checker to imageutils  https://review.opendev.org/c/openstack/oslo.utils/+/93037919:51
opendevreviewJay Faulkner proposed openstack/oslo.utils master: Add image checker to imageutils  https://review.opendev.org/c/openstack/oslo.utils/+/93037919:51
JayFand my favorite kinda change for my own version: https://github.com/jayofdoom/disk-image-checker/pull/6 (deleting it all with a message to look in oslo.utils)19:54
opendevreviewJay Faulkner proposed openstack/oslo.utils master: Add image checker to imageutils  https://review.opendev.org/c/openstack/oslo.utils/+/93037920:36
opendevreviewJay Faulkner proposed openstack/oslo.utils master: Add image checker to imageutils  https://review.opendev.org/c/openstack/oslo.utils/+/93037920:40
opendevreviewJay Faulkner proposed openstack/oslo.utils master: Add image checker to imageutils  https://review.opendev.org/c/openstack/oslo.utils/+/93037922:34
opendevreviewJay Faulkner proposed openstack/oslo.utils master: Add image checker to imageutils  https://review.opendev.org/c/openstack/oslo.utils/+/93037922:38
« Monday, 2024-09-23 Index Wednesday, 2024-09-25 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!