Thursday, 2020-08-20

« Wednesday, 2020-08-19 Index Friday, 2020-08-21 »
jandersdtantsur|afk I'm happy to give https://storyboard.openstack.org/#!/story/2008038 a try00:19
janders(just reading through)00:19
jandersJust so I understand this correctly - what is the relative priority of FIPS work vs MAC-fetch work? I will allocate time accordingly.00:20
jandersmeanwhile I will do some prep work for both00:20
*** ijw has joined #openstack-ironic00:35
*** ijw_ has quit IRC00:39
*** yolanda has quit IRC00:55
*** xinliang has joined #openstack-ironic00:58
*** yolanda has joined #openstack-ironic01:00
*** rcernin has quit IRC01:19
*** rcernin has joined #openstack-ironic01:28
openstackgerritJulia Kreger proposed openstack/ironic-python-agent master: Update the cache if we don't have a root device hint  https://review.opendev.org/74707201:50
TheJuliabfournie: there you go^01:50
TheJuliajanders: I suspect if there is remaining fips items, they take priority01:51
*** gyee has quit IRC02:03
jandersTheJulia ACK02:05
*** rcernin has quit IRC02:28
*** ijw has quit IRC02:29
*** rcernin has joined #openstack-ironic02:29
*** ijw has joined #openstack-ironic02:43
*** ijw has quit IRC02:48
*** ijw has joined #openstack-ironic03:14
*** ijw has quit IRC03:19
*** mkrai has joined #openstack-ironic03:20
*** rcernin has quit IRC03:24
*** Qianbiao has joined #openstack-ironic03:26
*** mkrai has quit IRC03:41
*** mkrai has joined #openstack-ironic03:44
*** rcernin has joined #openstack-ironic03:47
*** mkrai has quit IRC04:08
*** mkrai_ has joined #openstack-ironic04:08
*** xinliang has quit IRC04:40
*** ociuhandu has joined #openstack-ironic05:09
*** ociuhandu has quit IRC05:14
*** Qianbiao has quit IRC05:53
*** sri_ has quit IRC05:56
*** tzumainn has quit IRC05:57
*** sri_ has joined #openstack-ironic05:57
*** JamesBenson has quit IRC06:05
*** JamesBenson has joined #openstack-ironic06:09
openstackgerritKaifeng Wang proposed openstack/ironic-inspector master: Identify accelerator devices during introspection  https://review.opendev.org/74528906:09
*** JamesBenson has quit IRC06:14
*** hjensas has joined #openstack-ironic06:17
*** xinliang has joined #openstack-ironic06:24
*** Qianbiao has joined #openstack-ironic06:34
*** mkrai_ has quit IRC06:40
*** mkrai_ has joined #openstack-ironic06:40
*** JamesBenson has joined #openstack-ironic06:49
*** penick has joined #openstack-ironic06:50
*** jtomasek has joined #openstack-ironic06:52
*** penick has quit IRC06:55
*** JamesBenson has quit IRC07:08
*** mkrai_ has quit IRC07:10
*** Qianbiao has quit IRC07:12
*** ociuhandu has joined #openstack-ironic07:15
*** belmoreira has joined #openstack-ironic07:18
rpittaugood morning ironic! o/07:20
*** mkrai_ has joined #openstack-ironic07:32
*** dougsz has joined #openstack-ironic07:34
*** dtantsur|afk is now known as dtantsur07:34
dtantsurmorning ironic07:35
dtantsurjanders: what TheJulia said. thank you!07:35
jandersgood morning rpittau dtantsur07:35
rpittauhey janders dtantsur :)07:35
jandersdtantsur noted, thank you07:35
*** johnsom has quit IRC07:41
*** gregwork has quit IRC07:42
*** buhman has quit IRC07:42
*** buhman has joined #openstack-ironic07:44
*** vdrok has quit IRC07:44
*** vdrok has joined #openstack-ironic07:46
*** rpittau has quit IRC07:47
*** buhman has quit IRC07:50
*** vmud213 has joined #openstack-ironic07:54
*** buhman has joined #openstack-ironic07:54
*** gregwork has joined #openstack-ironic07:55
jandersheading our for a walk, back soon07:55
*** rpittau has joined #openstack-ironic07:56
*** johnsom has joined #openstack-ironic07:57
*** rcernin has quit IRC07:58
*** vmud213 has quit IRC07:58
iurygregorygood morning everyone08:00
*** ociuhandu has quit IRC08:02
*** Qianbiao has joined #openstack-ironic08:10
rpittauhey iurygregory :)08:11
*** vmud213 has joined #openstack-ironic08:12
*** lucasagomes has joined #openstack-ironic08:13
iurygregoryo/08:14
*** vmud213 has quit IRC08:17
*** mkrai_ has quit IRC08:17
*** vmud213 has joined #openstack-ironic08:18
*** mkrai_ has joined #openstack-ironic08:20
iurygregorydtantsur, release team didn't like ussuri release08:27
iurygregoryI'm wondering if it's ok to do 15.1 (but we have 15.1 in Victoria...)08:28
*** vmud213 has quit IRC08:28
*** sri_ has quit IRC08:30
*** sri_ has joined #openstack-ironic08:30
*** vdrok has quit IRC08:30
*** vdrok has joined #openstack-ironic08:30
*** buhman has quit IRC08:30
*** buhman has joined #openstack-ironic08:30
*** gregwork has quit IRC08:30
*** gregwork has joined #openstack-ironic08:30
*** rpittau has quit IRC08:30
*** rpittau has joined #openstack-ironic08:30
*** johnsom has quit IRC08:30
*** johnsom has joined #openstack-ironic08:30
dtantsuriurygregory: I don't think we should, why is that?08:31
iurygregoryhttps://review.opendev.org/#/c/746926/108:32
patchbotpatch 746926 - releases - Release ironic 15.0.1 for Ussuri - 1 patch set08:32
iurygregorysee Thierry comment08:32
rpittauwe have a new feature in the reloease note08:33
dtantsuriurygregory: well, Thierry is wrong08:33
* dtantsur wants to opt out of stable policies in the moments like that08:34
iurygregoryhehe08:34
rpittauok that was actually an extension of an already present feature08:35
*** ociuhandu has joined #openstack-ironic08:36
QianbiaoHello ironic.08:37
rpittauhey Qianbiao :)08:37
Qianbiaohi folks, :)08:37
Qianbiaolong time no see.08:37
iurygregoryhello Qianbiao08:38
Qianbiaohey rpittau iurygregory dtantsur08:38
dtantsuro/08:38
*** ociuhandu has quit IRC08:41
QianbiaoOur customer has a new requirement, need experience from ironic team. Basicly, what i get is they want to provision bm which has no disk (not swift AFAIK).08:42
openstackgerritRiccardo Pittau proposed openstack/ironic master: [WIP] Replace retrying with tenacity  https://review.opendev.org/37657408:42
QianbiaoIs it possible to do this with ironic?08:42
Qianbiaoos in memory?08:42
dtantsurQianbiao: https://docs.openstack.org/ironic/latest/admin/interfaces/deploy.html#ramdisk-deploy ?08:43
Qianbiaothanks dtantsur, reading.08:43
*** priteau has joined #openstack-ironic08:50
*** k_mouza has joined #openstack-ironic08:51
Qianbiaodtantsu Can I use neutron as network provider for this ramdisk deploy? And as i know the ramdisk is very small, will this limit the to deploy OS image size?08:52
Qianbiao* dtantsur08:53
*** mkrai_ has quit IRC08:53
*** mkrai_ has joined #openstack-ironic08:54
iurygregoryyou can use neutron as network provider it shouldn't be a problem08:54
dtantsurQianbiao: you should be able to use neutron as network provided, but note that PXE booting will happen on the tenant network08:54
dtantsurso you'll have to expose the PXE infrastructure to it08:55
dtantsurwhich may be a security concern08:55
* dtantsur has dropped a bomb on the ML in the meantime :)08:55
Qianbiao<dtantsur> thanks, big help08:56
dtantsurQianbiao: as to the ramdisk size, its only limited by your RAM and network throughput.08:56
dtantsurit may be wise to have only basics on the ramdisk and download other components on demand08:56
Qianbiaogot, Ironic team always surprise me, problems always solved soon.08:57
Qianbiao:)08:58
* iurygregory liked the bomb08:58
dtantsurQianbiao: we're glad to hear :)08:59
Qianbiao:)09:01
*** Qianbiao is now known as Qianbiao|afk09:01
*** brtknr has joined #openstack-ironic09:06
brtknrhey all, does python-dracclient expose hardware error logs that is viewable on idrac interface?09:07
dtantsurajya, rpioso ^^^09:12
brtknri want to grab the system event logs via the client09:13
brtknrfrom what I can tell, this is not currently available09:13
*** ociuhandu has joined #openstack-ironic09:17
ajyabrtknr: currently there is no method for that, can try to check if "raw" WSMAN request can be constructed to get the logs09:20
*** ociuhandu has quit IRC09:22
*** Lucas_Gray has joined #openstack-ironic09:35
*** ociuhandu has joined #openstack-ironic09:47
*** k_mouza has quit IRC09:48
dtantsurcould anyone understanding TLS at least bit (i.e. better than me) provide feedback on https://storyboard.openstack.org/#!/story/2007214 please?09:50
*** mkrai_ has quit IRC09:54
*** mkrai has joined #openstack-ironic09:55
openstackgerritKaifeng Wang proposed openstack/ironic-specs master: Snapshot support  https://review.opendev.org/74693509:56
*** mkrai has quit IRC10:11
rpittaudtantsur: not sure I know more about TLS than you, but I'll have time after lunch and meeting to check that :)10:12
*** k_mouza has joined #openstack-ironic10:12
dtantsurthx!10:13
*** JamesBenson has joined #openstack-ironic10:14
*** JamesBenson has quit IRC10:19
*** xinliang has quit IRC10:20
*** vmud213 has joined #openstack-ironic10:25
*** mkrai has joined #openstack-ironic10:25
openstackgerritDmitry Tantsur proposed openstack/ironic master: [WIP] Accept and use a TLS certificate from the agent  https://review.opendev.org/74713610:27
openstackgerritMerged openstack/sushy master: Add a CI job with UEFI+vmedia and clean up the job definitions  https://review.opendev.org/74696210:30
vmud213Hello Ironic!10:33
iurygregoryhello vmud21310:54
iurygregorydid you have any luck using dhcp-less?10:55
vmud213Hey iurygregory !10:55
vmud213yes.Ido10:55
vmud213ther's an issue in the ironic, minor though10:55
vmud213i think u'r asking about the Glean stuff?10:55
iurygregoryyeah10:55
iurygregoryfeel free to report the issue on storyboard10:56
iurygregoryso we can work on it o/10:56
vmud213yes. the path to the network data  file is wrong10:56
vmud213moreover the networkManager on the deploy OS also need to be reloaded10:57
vmud213Sure. I will10:57
iurygregorytks!10:57
jrollmorning10:59
jroll>RFC: deprecate the iSCSI deploy interface?10:59
jrolldtantsur is making my dreams come true after 6 years10:59
dtantsurmorning jroll :)10:59
jroll:)10:59
dtantsurjroll: feel free to respond re iscsi, it's a bit quiet now :)11:06
jrolldtantsur: I like the idea, but I'm not informed enough to say if the plan is good or not, sorry11:06
vmud213iurygregory: Created a story here https://storyboard.openstack.org/#!/story/200804211:11
vmud213will upload a patchset soon to fix this11:11
*** Lucas_Gray has quit IRC11:12
vmud213dtantsur: Mind taking a look into this patch when u get time https://review.opendev.org/#/c/742936/11:18
patchbotpatch 742936 - ironic - Allow HttpImageService to accept custom certificate - 5 patch sets11:18
dtantsurwill try to11:18
vmud213You reviewed it once.11:18
dtantsurvmud213: did you have a chance to check stendulker's comments?11:19
vmud213yes.11:19
vmud213But i have one point to discuss11:20
vmud213so inviting more opinions on that11:20
vmud213basically, what i am trying to do is to use the certificates provided in the configuration and if it fails try one more time with standard certificate bundle.11:21
vmud213stendulkar's comment is to ignore calling the second time11:22
vmud213But IMO, the deploy and user images may be using different certificates.11:23
vmud213some using custom certificates and some using standard root CAs11:24
dtantsurnot sure, maybe we should use an explicit configuration? like deploy_verify_ca/instance_verify_ca?11:25
dtantsurwhat if they use different custom certificates?11:25
*** Lucas_Gray has joined #openstack-ironic11:27
openstackgerritMerged openstack/ironic master: Remove qemu-img rootwrap filter  https://review.opendev.org/74673111:28
openstackgerritvinay kumar muddu proposed openstack/ironic master: Fix network_data path for dhcpless deployments  https://review.opendev.org/74714411:40
vmud213dtantsur: They can all be kept in a single file11:41
vmud213Actually i was considering the option as u suggested until stendulker suggested to have a configuration option.11:44
vmud213 I liked his idea as it would make things simple.So i implemented that way.11:44
vmud213The user has the option to either refer to the root CA's from standard path or has the option to configure custom certificate.11:46
vmud213If the custom certification validation fails then tries the standard path.11:46
*** belmoreira has quit IRC11:49
*** k_mouza has quit IRC11:56
*** belmoreira has joined #openstack-ironic12:05
*** belmoreira has quit IRC12:08
dtantsurTheJulia, filed an RFE for the obvious missing bit in deploy steps: https://storyboard.openstack.org/#!/story/200804312:09
dtantsurI won't have time for that in the near future, but maybe someone does..12:09
*** k_mouza has joined #openstack-ironic12:12
janderssee you tomorrow Ironic o/12:15
*** JamesBenson has joined #openstack-ironic12:15
rpittaubye janders12:15
*** JamesBenson has quit IRC12:20
*** k_mouza has quit IRC12:24
*** JamesBenson has joined #openstack-ironic12:25
vmud213TheJulia: Hi12:28
vmud213Mind having a look at this patch https://review.opendev.org/#/c/739174/12:28
patchbotpatch 739174 - ironic - Decouple the ISO creation logic from redfish - 7 patch sets12:28
vmud213if you get time12:28
ajyadtantsur: in relation to deploy steps, currently the docs read like if I create a flavor, baremetal resource, deploy template, tie them together and then add deploy template name as trait, then it should pick it up during deploy process.12:36
ajyaBut it does not work for me. Am I missing something? Using devstack. What works is adding deploy template as trait and in instance info, then it works, don't use flavors at all.12:36
dtantsurajya: how do you populate flavors?12:39
dtantsurnova is responsible for populating instance_info, including adding traits there12:42
ajyadtantsur: devstack creates a baremetal flavor and I added trait manually12:42
dtantsurajya: how exactly?12:42
ajyayou mean the flavor or adding trait?12:43
ajyaif that's supposed to work, I can take another look, maybe something wrong with my setup, but for now I only add traits directly to node as it's too many steps to overwrite deploy step priorities:) `deploy_steps` addition will be useful12:45
dtantsurI mean, how did you add the trait to the flavor?12:53
*** uzumaki has joined #openstack-ironic12:56
openstackgerritDmitry Tantsur proposed openstack/ironic master: [WIP] Accept and use a TLS certificate from the agent  https://review.opendev.org/74713612:56
ajyadtantsur: following this https://docs.openstack.org/ironic/latest/install/configure-nova-flavors.html, e.g., ` openstack flavor set --property trait:CUSTOM_TRAIT1=required my-baremetal-flavor`13:00
ajyaor same given in https://docs.openstack.org/ironic/latest/admin/node-deployment.html#example-of-use-with-the-compute-service13:03
*** ociuhandu has quit IRC13:06
openstackgerritRiccardo Pittau proposed openstack/ironic master: [WIP] Replace retrying with tenacity  https://review.opendev.org/37657413:13
*** Goneri has joined #openstack-ironic13:13
openstackgerritRiccardo Pittau proposed openstack/ironic master: Replace retrying with tenacity  https://review.opendev.org/37657413:14
*** Qianbiao|afk has quit IRC13:16
guilhermespmornings! quick question: does inspector works with nodes using ipmi drivers?13:20
guilhermesphttps://www.irccloud.com/pastebin/lmqpxltv/13:20
guilhermespwhat i have defined in my ironic.conf13:21
guilhermesphttps://www.irccloud.com/pastebin/ZVOlrioC/13:21
*** ociuhandu has joined #openstack-ironic13:21
*** ociuhandu has quit IRC13:25
openstackgerritAija Jaunteva proposed openstack/ironic-specs master: System configuration within whole clean or deploy step  https://review.opendev.org/74072113:26
TheJuliagood morning13:35
dtantsurmorning TheJulia13:36
dtantsurguilhermesp: you need to add inspector to enabled_inspect_interfaces13:37
dtantsurand maybe tell the nodes to use it explicitly13:37
*** Lucas_Gray has quit IRC13:37
dtantsuror set default_inspect_interface13:38
*** Wryhder has joined #openstack-ironic13:38
TheJuliaguilhermesp: it should, looks like your missing a setting conveying the introspection network. Take a look for inspection_network in at https://docs.openstack.org/ironic/latest/configuration/sample-config.html13:38
TheJuliadtantsur: email w/r/t depreating iscsi deploy interface. I'm feeling deja vu13:38
TheJulia:)13:38
dtantsurmaybe? :) it has definitely come up already, but we didn't have swift-less operation back then13:38
*** Wryhder is now known as Lucas_Gray13:39
*** k_mouza has joined #openstack-ironic13:39
TheJuliayeah13:40
TheJuliawell, for nova driven correct13:40
guilhermesphuuum thanks TheJulia and dtantsur ! yeah when i enabled debug yesterday and saw the first error regarding missing introspection_network i was confused, coz in ironic.conf it is defined under [neutron] session, such as13:40
guilhermesphttps://www.irccloud.com/pastebin/uZC51csa/13:40
dtantsuryeah, it's for neutron13:41
guilhermespbut i guess is not inspector13:41
TheJuliaits not inspector network, it is introspection13:41
dtantsurwell, a neutron network to use for introspection13:41
dtantsurit's not strictly required though, your problem comes from your node using the 'no-inspect' implementation instead of 'inspector', I'd assume13:41
guilhermespwell yeah13:41
guilhermespinspection, not inspector lol13:41
*** tzumainn has joined #openstack-ironic13:42
TheJuliaI really need to spend time on code reviews today13:42
guilhermespyeah let me fix that first13:42
guilhermespthanks TheJulia and dtantsur yeah shame on me13:48
guilhermesptypo on inspection_network13:48
guilhermespit is working now :P13:48
TheJuliayay the bugfix I uploaded last night randomly fails on py38 in unit tests :(13:50
TheJuliaguilhermesp: \o/13:50
TheJuliaThere is no shame though! glad you got it working13:51
guilhermespo/ o/ i think was part of my excitement to be back working with ironic, it's been a long time i dont do ironic deployments :P13:51
*** k_mouza has quit IRC13:54
*** Qianbiao|afk has joined #openstack-ironic13:54
*** rloo has joined #openstack-ironic13:54
rpittaudtantsur: re: TLS https://storyboard.openstack.org/#!/story/2007214 it all does make sense and seems reasonable, wondering if specs are needed13:55
dtantsurdunno, doesn't look too complex to me, but I'm the author :)13:56
rpittau:)13:57
*** k_mouza has joined #openstack-ironic14:00
*** belmoreira has joined #openstack-ironic14:06
*** belmoreira has quit IRC14:07
*** ociuhandu has joined #openstack-ironic14:12
*** penick has joined #openstack-ironic14:12
rpittaudtantsur: the specs doubt was just if we want/need to discuss on more details, I think it's good to start with the implementation, discussion can happen on patches as well14:13
*** Wryhder has joined #openstack-ironic14:22
*** Lucas_Gray has quit IRC14:23
*** cdearborn has joined #openstack-ironic14:23
*** Wryhder is now known as Lucas_Gray14:23
JayFdtantsur: a warning: hooking up SSL with oslo.service in IPA will be broken14:27
dtantsuroh14:27
dtantsurwhy so?14:27
JayFdtantsur: I am writing a very similar patch to https://storyboard.openstack.org/#!/story/2007214 downstream right now14:27
JayFdtantsur: without https://review.opendev.org/#/c/746774/ -- when IPA starts up with TLS enabled, using oslo.service, requests hang14:28
patchbotpatch 746774 - ironic-python-agent - Eventlet should be monkey patched as early as poss... - 2 patch sets14:28
JayFdtantsur: I'm fairly sure it's because oslo.service is creating an unpatched socket before eventlet monkey patching is run14:28
dtantsurthank you, oslo.service, thank you, eventlet14:28
dtantsuryep, sounds plausible14:28
JayFdtantsur: I was planning on upstreaming support for listen_ssl = (bool) and cert/key/ca (for client cert verification)14:28
JayFdtantsur: would that be usable for store 2007214? Or should we sync up on that?14:29
JayFdtantsur: yeah, so just warning you, but I'm already looking at it as you can tell14:29
JayFvery happy to get help on getting to the bottom of tempest failures on that PR though :(14:30
dtantsurJayF: ideally, we should sync so that we don't end up with incompatible proposals14:30
JayFdtantsur: absolutely. For my use case, I'm setting up IPA to use a cert/key embedded in the ramdisk -- although in practice, for me, that's going to be self-signed, so that's not a strong requirement14:31
dtantsurJayF: is there anything you would modify in my proposal to cover your case?14:32
JayFdtantsur: I can't tell for sure, but it sounds like there's an assumption that all agents would be running unique certs, and that Ironic would be using different certs to connect?14:32
JayFdtantsur: for my case, I want to tell conductor "always use this cert/key for TLS to agents"14:32
JayFdtantsur: and in agent, tell it "listen for TLS, use this cert/key, and validate client certificates against this CA"14:33
*** akahat is now known as akahat|rover14:33
dtantsurJayF: it seems covered by "To support agent builds that handle the TLS certificates some other way, IPA will look for files called /etc/ironic-python-agent/agent.crt and /etc/ironic-python-agent/agent.key. If they are present, they will be automatically used for TLS and the crt part will be sent to ironic."14:33
JayFthe IPA stuff is simple -- just needs that eventlet bug fixed, and an option added to IPA to flip on the use_ssl call to oslo_service.wsgi14:33
dtantsurand the ironic side will be covered by the recently added driver_info[agent_verify_ca]14:33
JayFaiui agent_verify_ca is about Ironic API validating the agent's identity14:34
JayFI'm talking about the other direction: agents verifying that ironic is presenting a valid client certificate14:34
JayFand honestly, it'd be a little spooky for me to configure that security via kernel command line or API return from ironic -- it's the sort of thing I'd want embedded in the image14:34
dtantsurFailed to connect to the agent running on node e2f11e94-1835-4d15-933d-5a2e908da34f for invoking command clean.get_clean_steps. Error: HTTPConnectionPool(host='10.1.0.48', port=9999): Read timed out.14:35
dtantsurJayF: I'm looking at the agent code, and it seems that IPA->ironic direction is actually already done14:36
dtantsurJayF: https://opendev.org/openstack/ironic-python-agent/src/branch/master/ironic_python_agent/config.py#L203-L22014:36
JayFThat's not possible; without TLS support in agent you can't have ironic provide a client certificate to ipa14:36
JayFyeah, you're still talking the other direction14:37
dtantsur"agents verifying ironic", no?14:37
dtantsurI think these options are used for any HTTP requests in IPA14:37
JayFIronic Conductor -[presents client certificate] https://[agent]/v1/commands?do-cleaning-stuff -[validates client certficiate against ca]-> IPA14:37
JayFTo prevent a malicious actor with access to the nodes that are  running agents from sending rogue commands14:38
dtantsurah, client certificates. right. I think in master agent tokens play the same role14:38
JayFYes-ish, although in my environment, we have a strong certificate infrastructure14:39
JayFso we'd likely want this even if we were running an Ironic with support for agent_token14:39
JayF(I'm working on this with IPA Ussuri, Ironic Ocata)14:39
*** penick has quit IRC14:39
dtantsurlemme think a bit and ping you again in a few minutes14:40
JayFhow about I get you some example code14:40
JayFassuming I can fix the eventlet stuff14:40
dtantsur++++14:40
JayFoslo.service has *all* of this, we literally just need to flip a bool when we're calling out to oslo_service.wsgi14:40
JayFuse_ssl=False -> use_ssl=True, then oslo_service configuration handles literally everything else14:40
JayFThis is also how I discovered we are no longer honoring listen_host / listen_port14:41
* JayF a little hamstrung by not knowing the way around the new zuul ui / storyboard14:42
JayFhttps://storyboard.openstack.org/#!/story/2008016 -> IPA doesn't respect listen_host/port since oslo_service migration14:43
dtantsurJayF: I've updated https://storyboard.openstack.org/#!/story/2007214 to hopefully add what you want14:47
JayFI'll look after I finish with this draft patch. Literally <5 minutes.14:48
openstackgerritJay Faulkner proposed openstack/ironic-python-agent master: If listen_host is true, enable TLS on wsgi server  https://review.opendev.org/74719314:50
JayFdtantsur: ^14:50
JayFwith the caveat that it's broken by some kind of eventlet-shenanigans, that's essentially the code I'm planning to run downstream and was going to push up. I had no idea there was something else going on to enable IPA TLS \o/14:51
dtantsurJayF: the commit summary seems wrong, but the patch looks good (and is compatible with what I'm proposing)14:51
JayFand I've tested it working (with that draft eventlet patch), and it validates client certs14:51
JayFI was pretty thrilled with how easy it was to plumb up the oslo.service work to ipa... until eventlet struck [dramatic music]14:51
dtantsurJayF: a random guess: are you should about select=False when monkey patching? in ironic we do os=False instead.14:52
JayFdtantsur: if select=True, select.poll for heartbeat explodes because eventlet-patched select doesn't have a `poll` method for somewhat-obvious reasons14:53
JayFdtantsur: I suspect adding `os=False` will be my next change to try and get tempest happy14:53
openstackgerritJulia Kreger proposed openstack/ironic-python-agent master: Update the cache if we don't have a root device hint  https://review.opendev.org/74707214:53
dtantsurI wonder if we can replace select.poll14:53
JayFlonger-term, I'd like to make heartbeats not use select.poll, as I strongly suspect it's a cause for some of the high IPA cpu issues that have been reported14:53
JayFbut I'm trying to get one thing done at a time. Making eventlet not blow up for TLS is a big enough bite of the pie for me right now :D14:54
dtantsurif we leave select.poll unpatched, it means that the heartbeater thread freezes everything for seconds all the time14:55
dtantsurno wonder API times out14:56
*** penick has joined #openstack-ironic14:56
TheJuliabfournie: above is the updated patch for the bug, it behaves far better now :)14:56
dtantsurI'm afraid we have to replace it if we cannot monkey patch it14:56
JayFWell, I'm a little confused why you wouldn't be seeing that behavior already14:57
JayFeventlet *is monkey_patching* IPA, just via a library14:57
JayFso it happens late14:57
dtantsurI wonder if we do monkey patching at all now...14:57
JayFmaybe so late that it impacts *nothing* in the heartbeat thread, perhaps, but it's happening14:57
dtantsur(my bad, really)14:57
JayFyep. both oslo.service and oslo.concurrancy call to monkey_patch14:57
dtantsuranyway, the eventlet bug recommend us to use https://docs.python.org/3/library/selectors.html14:57
bfournieTheJulia: awesome, thanks14:57
JayFso our code is getting it, just very late down the path14:57
dtantsurI can give it a try, unless you want to14:57
JayFdtantsur: you think that's just a drop-in replacement?14:58
JayFdtantsur: I'm happy to try, I just don't have a devstack setup so got a little bit of long testing cycles14:58
dtantsurJayF: it's supposed to be more high level and to automatically pick whatever is available14:58
JayFbut API-compatible14:58
dtantsurso if poll is removed, it will use select14:58
JayFif so... that's potentially a trivial fix14:58
JayFand will be a big win all the way around14:58
JayFdtantsur: you going to give it a shot today? or some other time?14:59
JayFdtantsur: if not immediately, perhaps a hybrid approach: I'll take a shot at it today, then if you wanna look at it more normal-hours for you "tomorrow" and polish up if needed, that'd be excellent14:59
dtantsurworks for me14:59
JayFI absolutely am thrilled to have more than just me poking at this stuff, it's a little scary TBH15:00
openstackgerritRiccardo Pittau proposed openstack/ironic-python-agent-builder master: Fix finalise tinyipa  https://review.opendev.org/74719815:00
JayFI spent literally a dozen+ hours tracking down that eventlet was causing the ssl hangs, and then more hours that I could monkey_patch early to fix it (and break lots of other shit)15:00
dtantsurright :) me too15:00
JayFsweet, thanks for this chat, I needed the jolt of bravery to go tackle the heartbeater :D15:01
dtantsur:D15:01
dtantsurbtw I think you can ignore https://opendev.org/openstack/ironic-python-agent/src/branch/master/ironic_python_agent/inspect.py and only bother with agent itself15:02
dtantsurJayF: I hope the fact that the 'selectors' module is Python 3 only is not a blocker for you15:03
JayFI was ignoring it, entirely by accident :D15:04
dtantsurheh15:04
JayFdtantsur: we're running IPA Ussuri, inside CentOS 8, using very minimal downstream patches and upstream IPA-builder15:04
dtantsurgreat15:04
JayFdtantsur: and the goal will be to keep IPA as close to upstream as possible15:04
dtantsur++15:05
JayFIPA-builder is pretty great. I'm calling out to dib directly, and just using the elements, but it's been super easy to use.15:05
rpittauabout that, please review -> https://review.opendev.org/747198 :P15:05
patchbotpatch 747198 - ironic-python-agent-builder - Fix finalise tinyipa - 1 patch set15:05
JayFdtantsur: in fact... if you think it's worthwhile, I could upstream the dib-element that generates cert/key and enables ssl in the config file15:05
dtantsurJayF: why not, sounds useful to me15:09
dtantsurI'm thinking of having more optional elements in ipa-builder15:09
JayFso then a prereq question15:10
JayFour docs say right now that /etc/ironic_python_agent/ironic_python_agent.conf works as a config file location by default15:10
JayFspoiler alert: the docs lie15:10
dtantsurI suspect you need dashes15:11
JayFSo part of this has to be making some sense out of having IPA-builder add a config file, and spit out reasonable values for them when an element needs them15:11
JayFI tried with dashes, underscores, under the venv (/opt/i-p-a/etc/blah)15:11
JayFnothing worked until I modified the systemd unit to pass `--config-file [blah]`15:12
dtantsurmmmm, damn, I need to remember how oslo.config does it15:12
JayFbut that's not bad -- we can ship an empty config in ipa-builder and pass --config-file [blah]15:12
JayF but I'm thinking it's not super sustainable, for instnace, if I upload a dib element that adds tls support and overwrites the whole config15:12
dtantsuryep. then I'll have to figure out how to do the same for RDO (but that's my problems)15:12
dtantsuroslo.config has something like --config-dir15:13
JayFoh, of vourse15:13
dtantsurwhich is similar to /etc/stuff.d in unixes15:13
JayF+++15:13
JayFokay, so I have gotta stop talking and start coding if I want a chance of even half of this getting done o/15:15
dtantsurbut damn, oslo.config is supposed to have some default15:15
dtantsurI was pretty sure it somehow picks /etc/ironic/ironic.conf15:16
JayFMy hunch is maybe that behavior changed? Something disables it in a venv?15:16
*** mkrai has quit IRC15:16
JayFAlways possible I was screwing something up too... but I think I tried every combo15:16
dtantsurshouldn't.. but who knows15:16
JayFBut either way, sounds like using .d/ in the ipa-builder is the way to go15:17
JayFwhich is going to fix all my issues in practice15:17
dtantsurJayF: it really has to https://opendev.org/openstack/oslo.config/src/branch/master/oslo_config/cfg.py#L281-L33915:19
dtantsur"the program name, defaulting to the basename of15:20
dtantsur        sys.argv[0], without extension .py15:20
dtantsurshould support /etc/ironic-python-agent...15:20
dtantsuranyway, tea time15:20
rpittaufriendly reminder: Vote for the Ironic Virtual Meetup! https://doodle.com/poll/pi4x3kuxamf4nnpu15:27
openstackgerritJulia Kreger proposed openstack/ironic-python-agent master: Clarify connection error on heartbeats  https://review.opendev.org/74721015:28
TheJuliaspeaking of heartbeats^15:29
TheJuliaSince apparently the error is a red herring :\15:29
iurygregory=(15:30
TheJuliawell, really it is people not reading to the end15:30
dtantsurheh, why would they15:35
openstackgerritRiccardo Pittau proposed openstack/ironic-python-agent-builder master: Pin pip version to install in tinyipa images  https://review.opendev.org/74721815:36
openstackgerritIury Gregory Melo Ferreira proposed openstack/ironic master: Add tempest default_boot_option and altflavor  https://review.opendev.org/74188615:44
openstackgerritRiccardo Pittau proposed openstack/ironic-python-agent-builder master: Remove old proc before finalising tinyipa  https://review.opendev.org/74722815:49
uzumakiquick question, where do I find ironic conductor logs now? can no longer see them in /var/log/ironic15:49
openstackgerritRiccardo Pittau proposed openstack/ironic-python-agent-builder master: Build centos8 on centos8  https://review.opendev.org/74690115:50
dtantsuruzumaki: depends on how you installed ironic?15:50
TheJuliadtantsur: *sigh*15:50
rpittauipa-builder definitely needs some hugs15:50
*** mkrai has joined #openstack-ironic15:50
dtantsurwe all do15:51
rpittau:)15:51
*** Lucas_Gray has quit IRC15:52
dtantsurTheJulia: an interesting request born in a downstream conversation: https://storyboard.openstack.org/#!/story/200804715:55
uzumakidtantsur, well, I have it as a container image, that pulls the tripleo ironic master branch15:56
uzumakiit's the metal3-io ironic-image repo Dockerfile15:56
dtantsuruzumaki: I think you can use 'podman logs'15:56
uzumakithe conductor logs are going to be dumped into podman? interesting..15:57
rpittauuzumaki: really depends how you deployed that container, using podman logs <container-name> should work15:58
uzumakilet me try that..15:58
uzumakigot the logs. thanks!16:00
*** Lucas_Gray has joined #openstack-ironic16:00
TheJuliadtantsur: I don't see why not, just $spoons and $time16:02
TheJuliaI feel like we need a SPUC again16:03
dtantsurquite likely!16:04
*** lucasagomes has quit IRC16:06
*** penick has quit IRC16:07
TheJuliaHas everyone been thinking of midcycle topics?16:07
TheJuliaand then possibly forum/ptg topics?!?16:08
JayFI believe zer0c00l was aiming to get the disk data spec up in time to discuss there, but I don't think that's been committed to you all yet16:08
*** gyee has joined #openstack-ironic16:08
dtantsurTheJulia: the new Dell spec may be one. the dhellmann's proposal may be another one16:08
JayFkickstart/partition/whatever you wanna call it16:08
dtantsur++16:09
* TheJulia tries not to let sarcasm take over the items she is typing in16:09
*** penick has joined #openstack-ironic16:10
TheJuliaJayF: I thought he was going to head in the direction of trying to ramdisk boot with an argument to the kickstart file...16:11
JayFI think that's more from a code perspective: using most of the ramdisk driver as a jumping off point16:11
JayFusing solely the ramdisk driver has a massive downside of the node going active several minutes to hours in advance of the install completing16:12
TheJuliayeah, it would be good to kind of be able to mentally picture where his head is at16:12
JayFIt's a priority to get that spec to you all upstream16:12
*** vmud213 has quit IRC16:16
dtantsurTheJulia: do you have an etherpad already?16:18
TheJuliaI'm typing one up now16:22
TheJuliahttps://etherpad.opendev.org/p/Ironic-Victoria-midcycle16:22
openstackgerritVerification of a change to openstack/sushy failed: Include extended information in debugging output  https://review.opendev.org/74594416:23
openstackgerritVerification of a change to openstack/sushy failed: Remove auth token header completely when error occurs  https://review.opendev.org/74676816:23
TheJulia:(16:27
*** ijw has joined #openstack-ironic16:30
*** dougsz has quit IRC16:31
*** penick has quit IRC16:34
uzumakiAny ideas what could be causing this?16:35
uzumakibios interface implementation ironic.drivers.modules.drac.bios.DracWSManBIOS is not supported by hardware type IBMC16:36
dtantsuruzumaki: do you have default_bios_interface set?16:36
uzumakiyeah, I set it to idrac-wsman, should I remove that?16:36
dtantsuryep. the default applies to all hardware types.16:36
uzumakioh boy, alright16:37
*** k_mouza has quit IRC16:38
*** Lucas_Gray has quit IRC16:38
openstackgerritJulia Kreger proposed openstack/ironic-python-agent master: Clarify connection error on heartbeats  https://review.opendev.org/74721016:47
*** Qianbiao|afk has quit IRC16:55
*** dtantsur is now known as dtantsur|afk17:04
dtantsur|afko/17:04
TheJuliagoodnight17:18
uzumakiA Dell R740XD keeps rebooting when trying to PXE boot for introspection, what could be the issue here? I see the PXE boot screen when it boots up, and immediately reboots, stuck like that for almost half an hour17:28
uzumakicould it be a metal3 thing?17:29
*** ijw_ has joined #openstack-ironic17:36
uzumakinevermind, it was a misconfigured HTTP server that hosted the boot images, fixed now17:38
*** ijw has quit IRC17:39
*** mkrai has quit IRC17:53
*** gregwork has quit IRC18:04
*** belmoreira has joined #openstack-ironic18:12
JayFglad to hear you got it working!18:12
*** ijw has joined #openstack-ironic18:14
*** k_mouza has joined #openstack-ironic18:16
*** ijw_ has quit IRC18:17
openstackgerritJulia Kreger proposed openstack/ironic stable/rocky: Retries and timeout for IPA command  https://review.opendev.org/74726518:20
*** Goneri has quit IRC18:21
openstackgerritRiccardo Pittau proposed openstack/ironic master: Replace retrying with tenacity  https://review.opendev.org/37657418:23
rpittautenacity is.. well.. tenacious18:24
rpittauan with this pearl I wish goodnight!18:24
rpittauo/18:24
openstackgerritJulia Kreger proposed openstack/ironic stable/rocky: Retries and timeout for IPA command  https://review.opendev.org/74726518:26
*** belmoreira has quit IRC18:30
openstackgerritJulia Kreger proposed openstack/ironic stable/queens: Retries and timeout for IPA command  https://review.opendev.org/74727118:37
*** k_mouza has quit IRC18:43
*** Goneri has joined #openstack-ironic18:52
*** rloo has quit IRC18:52
*** rloo has joined #openstack-ironic18:52
*** rloo has quit IRC18:55
*** rloo has joined #openstack-ironic18:56
uzumakiThanks JayF =)19:14
openstackgerritMerged openstack/sushy master: Include extended information in debugging output  https://review.opendev.org/74594419:15
*** dustinc has joined #openstack-ironic19:16
openstackgerritJulia Kreger proposed openstack/sushy master: Remove auth token header completely when error occurs  https://review.opendev.org/74676819:22
openstackgerritMerged openstack/ironic-python-agent bugfix/6.3: Update TOX_CONSTRAINTS_FILE for bugfix/6.3  https://review.opendev.org/74679519:50
*** uzumaki has quit IRC19:50
openstackgerritMerged openstack/ironic bugfix/15.2: Update TOX_CONSTRAINTS_FILE for bugfix/15.2  https://review.opendev.org/74679719:58
*** rloo has quit IRC20:06
*** rloo has joined #openstack-ironic20:06
openstackgerritMerged openstack/bifrost master: Validate that the services are running after installation  https://review.opendev.org/74356920:07
*** Lucas_Gray has joined #openstack-ironic20:21
openstackgerritJay Faulkner proposed openstack/ironic-python-agent master: Eventlet should be monkey patched as early as possible  https://review.opendev.org/74677420:24
* rpioso is on staycation20:29
rpiosobrtknr: As ajya pointed out, python-dracclient does not offer an API specifically for obtaining iDRAC log messages; however, they can be enumerated via its WSManClient member: https://opendev.org/openstack/python-dracclient/src/commit/b84667750ee091bfd8e9e1c804dd6489dd8d9373/dracclient/client.py#L71-L73.20:30
rpiosobrtknr: Please take a look at its lower level, generic enumerate method: https://opendev.org/openstack/python-dracclient/src/commit/b84667750ee091bfd8e9e1c804dd6489dd8d9373/dracclient/client.py#L1233-L1235.20:31
openstackgerritJulia Kreger proposed openstack/ironic stable/queens: Retries and timeout for IPA command  https://review.opendev.org/74727120:33
openstackgerritJulia Kreger proposed openstack/ironic stable/queens: Fix for failure in cleaning  https://review.opendev.org/74728820:33
JayFTheJulia: +1, fwiw. Those are clean backports, I took 'em back to ocata (along with the response-code-checking from queens) recently20:35
TheJuliarpioso: staycation sounds epic right now :)20:35
TheJuliaJayF: thanks!20:35
TheJuliaJayF: I'm really surprised we didn't backport them upstream immediatley but it is easy for things to get lost20:37
rpiosoTheJulia: Yep. Long overdue, though :-) And too short!20:37
TheJuliaJayF: are you guys using the iscsi deploy interface?20:38
* TheJulia is thinking direct, but wanted to make sure20:38
JayFNo. We have an anaconda deploy driver that looks suspiciously similar to what was discussed and will be proposed soon. It was recently enhanced to boot IPA and use IPA for cleaning.20:38
TheJuliaahh20:39
TheJuliaok20:39
openstackgerritJulia Kreger proposed openstack/ironic-python-agent master: Clarify connection error on heartbeats  https://review.opendev.org/74721020:45
openstackgerritJulia Kreger proposed openstack/ironic-python-agent master: Update the cache if we don't have a root device hint  https://review.opendev.org/74707220:46
*** sshnaidm is now known as sshnaidm|afk20:47
openstackgerritJay Faulkner proposed openstack/ironic-python-agent master: Eventlet should be monkey patched as early as possible  https://review.opendev.org/74677420:50
JayFTheJulia: dtantsur|afk: ^ I believe that ( https://review.opendev.org/746774 ) will pass tests and is reviewable now.20:51
patchbotpatch 746774 - ironic-python-agent - Eventlet should be monkey patched as early as poss... - 4 patch sets20:51
*** priteau has quit IRC20:52
TheJulia\o/20:52
TheJuliaIt is going to have ot be tomorrow unfortuantely, i'm about out of spoons already20:52
JayFIf the "high cpu usage" complaints are reproducable, I'd love someone to validate we need sleep(0.1) still. I removed it in favor of sleep(0), I believe having eventlet everywhere should settle down cpu usage.20:53
JayFbut TBH the high cpu usage was unreproducable for me from the beginning so *shrug*20:53
TheJuliathey really shouldn't be needed.... but yeah...20:57
* TheJulia is stuck while c select behavior restores into active ram20:58
JayFThe behavior we were seeing makes 100% sense given the interactions I was seeing; now that it's all under eventlet that problem should disappear into the mists.20:58
TheJuliayeah, it should, in theory20:58
JayFTheJulia: it's not c select, it's magic eventlet select [waves hands wildly]20:58
JayFAdmittedly I understand the exact amount about this to be dangerous20:59
TheJuliastill! it triggered the restore20:59
jandersgood morning Ironic o/21:00
openstackgerritJay Faulkner proposed openstack/ironic-python-agent master: If listen_ssl is true, enable TLS on wsgi server  https://review.opendev.org/74719321:04
JayFmorning janders21:07
openstackgerritMerged openstack/sushy master: Remove auth token header completely when error occurs  https://review.opendev.org/74676821:20
openstackgerritJulia Kreger proposed openstack/ironic master: Guard conductor from consuming all of the ram  https://review.opendev.org/72648321:28
TheJuliagood morning janders21:28
*** Goneri has quit IRC21:35
openstackgerritMerged openstack/ironic-inspector master: Log outcome of `check_conditions` method.  https://review.opendev.org/74566321:55
stevebakermorning22:07
*** jtomasek has quit IRC22:08
jandersgood morning stevebaker o/22:08
stevebakermy local test_node.py "only" has 269 failures now, down from 350. progress!22:18
*** Goneri has joined #openstack-ironic22:25
*** Goneri has quit IRC22:32
openstackgerritJay Faulkner proposed openstack/ironic-python-agent-builder master: Add element to configure IPA with TLS, use configdir  https://review.opendev.org/74730922:41
JayFdtantsur|afk: https://review.opendev.org/746774 https://review.opendev.org/747193 https://review.opendev.org/747309 as promised this morning. Admittedly the IPA-builder changes are mostly untested, but I'm going to port them downstream and test with cleaning tomorrow.22:45
patchbotpatch 746774 - ironic-python-agent - Eventlet should be monkey patched as early as poss... - 4 patch sets22:45
patchbotpatch 747193 - ironic-python-agent - If listen_ssl is true, enable TLS on wsgi server - 2 patch sets22:45
patchbotpatch 747309 - ironic-python-agent-builder - Add element to configure IPA with TLS, use configdir - 1 patch set22:45
*** rcernin has joined #openstack-ironic22:48
*** Lucas_Gray has quit IRC23:05
*** rcernin has quit IRC23:06
*** rcernin has joined #openstack-ironic23:08
*** hjensas has quit IRC23:41
*** sri_ has quit IRC23:55
*** rpioso has quit IRC23:55
*** ildikov has quit IRC23:58
*** rpioso has joined #openstack-ironic23:59
*** pas-ha has quit IRC23:59
« Wednesday, 2020-08-19 Index Friday, 2020-08-21 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!