Wednesday, 2021-11-17

opendevreview	Steve Baker proposed openstack/ironic stable/train: Fix redfish-virtual-media file permission https://review.opendev.org/c/openstack/ironic/+/818183	01:50
hgy__	Good afternoon, ironic!	06:53
arne_wiebalck	Good morning, hgy__ and Ironic!	07:07
rpittau	good morning ironic! o/	07:33
rpittau	if anyone has a moment I'd like an opinion on this https://review.opendev.org/c/openstack/ironic-python-agent/+/775391 since I rebased it already a couple of times :)	08:26
opendevreview	Merged openstack/ironic-python-agent master: Move manage_uefi from the image extension to a public location https://review.opendev.org/c/openstack/ironic-python-agent/+/815651	10:14
dtantsur	good morning folks	10:50
rpittau	good morning dtantsur :)	10:50
dtantsur	my eventlet fix has been merged \o/	10:56
rpittau	yep, that's great	10:56
dtantsur	and even got into 0.33.0 \o/	10:56
rpittau	yeah, so hopefully we can just skip 0.32.0	10:58
dtantsur	yep, updating my requirements patch now	10:58
dtantsur	also a partial python 3.10 support is in the new release	10:59
rpittau	yeah, saw that, was going to test later	10:59
rpittau	well at least unit tests in ironic and ironic-python-agent look kind of ok on python 3.10 with eventlet 0.33.0, I mean no errors related to eventlet as before	11:08
dtantsur	sweet!	11:08
dtantsur	rpittau: I think I've already asked you whether centos 7 is fine with --json in lsblk?	11:11
rpittau	dtantsur: heh... not with the basic util-linux (version 2.23) unfortunately, same story as blkid, I originally tested with the version from virt7 (2.29), so I guess we'll have to wait	11:26
dtantsur	le sigh	11:27
dtantsur	until 2024, I assume? :)	11:27
rpittau	that or we convince centos people that having json output is a mission critical bug fix	11:30
dtantsur	for 7? extremely unlikely	11:30
rpittau	yeah, I'll set a reminder for July 1st 2024 :)	11:31
opendevreview	Merged openstack/ironic master: Reduce the number of small functions in pxe_utils https://review.opendev.org/c/openstack/ironic/+/817991	11:36
opendevreview	Dmitry Tantsur proposed openstack/bifrost master: Revert "Explicitly trap on ERR" and fix exit code hanlding https://review.opendev.org/c/openstack/bifrost/+/817978	11:48
muellerbe	hello ironic, hello @all	12:35
rpittau	hello muellerbe	13:05
muellerbe	hello rpittau	13:09
dtantsur	okay, I'm puzzled. https://zuul.opendev.org/t/openstack/build/a43fb0464e60421094020ace2ac60da7/log/job-output.txt#23716 and then https://zuul.opendev.org/t/openstack/build/a43fb0464e60421094020ace2ac60da7/log/job-output.txt#23717	13:25
dtantsur	how it is okay after "exit 2"? what the hell is going on?	13:25
rpittau	something odd on the script controlling that	13:27
dtantsur	yep, it's because of \| tee in ansible	13:28
dtantsur	fixing now	13:28
rpittau	ah!	13:29
opendevreview	Dmitry Tantsur proposed openstack/bifrost master: Revert "Explicitly trap on ERR" and fix exit code hanlding https://review.opendev.org/c/openstack/bifrost/+/817978	13:33
TheJulia	It is good to be home	14:10
dtantsur	TheJulia: welcome!	14:10
rpittau	hey TheJulia :)	14:14
* TheJulia caffinates		14:14
TheJulia	properly, with an espresso based beverage	14:14
TheJulia	So has there been any consensus or thought on tinycore 10.x?	14:40
iurygregory	OpenInfra Live: Keynotes will start in 3 minutes	14:57
TheJulia	https://www.youtube.com/watch?v=sXkpjvX54ug <-- The link on eventbrite just sends us to youtube. And it is publicly viewable if you search it up.	14:59
TheJulia	so... I guess we could update the ussuri devstack plugin to sed edit the tinycore build script	15:11
dtantsur	okay, https://review.opendev.org/c/openstack/bifrost/+/817978 now works and shows the correct CI status, i.e. completely red	15:12
dtantsur	who do we bribe to land https://review.opendev.org/c/openstack/requirements/+/818062 ?	15:13
TheJulia	hmmmmm	15:18
TheJulia	the release team?	15:18
TheJulia	well, requirements is a team on it's own	15:19
dtantsur	I've pinged #openstack-requirements already	15:19
TheJulia	Yeah	15:26
TheJulia	:(	15:26
TheJulia	Could everyone be watching youtube?	15:26
opendevreview	Julia Kreger proposed openstack/ironic stable/ussuri: CI: Get tinyipa build working for CI usage https://review.opendev.org/c/openstack/ironic/+/818241	15:35
TheJulia	dtantsur: ^^ a little more expansive, but includes a reno warning which should get rendered in	15:35
TheJulia	and the reno builds, so that is a goodsign™	15:38
dtantsur	k, +2	15:52
dtantsur	need to go now, see you tomorrow	15:52
TheJulia	o/	15:52
dtantsur	oh, the requirements patch has just been approved! please recheck it if needed	15:52
TheJulia	dtantsur: sure	15:53
NobodyCam	Good Morning Ironic'er, Happy Hump Day!	16:52
NobodyCam	err, *Ironic'ers	16:53
NobodyCam	;p	16:53
rpittau	heeey NobodyCam :)	16:55
NobodyCam	o/ rpittau	16:59
TheJulia	gah, looks like entirely unrelated failures for my last change	17:14
arne_wiebalck	hey NobodyCam o/	17:21
arne_wiebalck	rpioso: I have some new hardware I am trying to use with redfish	17:22
NobodyCam	morning TheJulia and arne_wiebalck	17:22
arne_wiebalck	rpioso: I ran into some issues and now I am testing the profiles to see if they would flag issues	17:22
arne_wiebalck	rpioso: and they do, e.g. the endpoint does not provide allowable values for Reset (so Ironic has to guess) and the interop profile reports this as well \o/	17:23
arne_wiebalck	rpioso: I knew the endpoint does not provide this since sushy issues a warning "Could not figure out the allowed values for the reset system action ..."	17:24
arne_wiebalck	rpioso: one question, though: when I run the interop validator for the power profile, for instance, it seems like it is checking all kinds of things, not only the profile (which is short), it runs for a few minutes in fact ... is that correct?	17:26
rpittau	good night! o/	17:31
arne_wiebalck	rpioso: it seems it is :)	17:38
TheJulia	good morning NobodyCam	17:40
NobodyCam	O/	17:40
opendevreview	Merged openstack/ironic-python-agent bugfix/8.1: Fix UEFI record regex https://review.opendev.org/c/openstack/ironic-python-agent/+/817470	17:44
arne_wiebalck	bye everyone, see you tomorrow o/	17:45
TheJulia	Details: {'code': 403, 'message': 'Quota exceeded for ram: Requested 333096, but already used 0 of 51200 ram'} <-- wut	17:48
rpioso	arne_wiebalck: Apologies for my delayed response ... If memory serves, it does a significant amount of preparatory processing before analyzing the profile, including GETs of the Redfish resources offered by the service/BMC. Time for a server upgrade? I have recommendations :-)	19:40
rpioso	arne_wiebalck: Glad to hear it flagged the issue. Consistency can be good.	19:41
stevebaker[m]	Good morning!	19:47
TheJulia	good morning stevebaker[m]	19:47
stevebaker[m]	TheJulia: welcome back to civilization	19:50
TheJulia	Thanks	19:51
arne_wiebalck	Hey stevebaker[m] , thanks for the SIG video !	20:06
stevebaker[m]	arne_wiebalck: you're welcome :)	20:11
arne_wiebalck	rpioso: I tried different profiles from the proposed patch with the validator and they come back with different results, so seems all good. Quite pleased to see it found the ComputerSystem.Reset issue! Runtime is several minutes per profile (which I did not remember).	20:12
arne_wiebalck	rpioso: I guess we should try and move the interop profiles forward, i.e. get the patch merged. Or is there something fundamental missing?	20:13
arne_wiebalck	stevebaker[m]: almost 170 views already, seems popular! :)	20:19
stevebaker[m]	nice :)	20:22
stevebaker[m]	Why is there blockchain in this openinfra keynote, grrr	20:54
admiyo	an openstack command to list bm nodes by flavor would not be amiss	22:43
TheJulia	Ironic, and ultimately even the command are unaware of flavors or understanding them really	22:43
TheJulia	flavors match data supplied to the node properties and resource_class field	22:43
TheJulia	I believe you can filter by resource class, fwiw	22:44
admiyo	THat would be nice	22:45
admiyo	I am sure this is all due to a typo I made, but dang if I can see where	22:46
TheJulia	give me a couple of minutes and I'll look too	22:46
admiyo	We have two types of baremetal nodes here. jades and mystiques (internal names)	22:48
admiyo	the jades work fine	22:48
admiyo	I suspect mostly due to dumb luck	22:48
admiyo	my call to openstack baremetal node create has --resource-class $ironic_resource_name \	22:49
admiyo	and for the mystique it is	22:49
admiyo	baremetal-mystique	22:49
admiyo	however, on the bm node itslef I see	22:49
admiyo	$ openstack baremetal node show mystique01-r097 -f json \| jq '.resource_class'	22:50
admiyo	"98:03:9B:AD:49:0D"	22:50
TheJulia	does the flavor just not work	22:50
* TheJulia blinks		22:50
TheJulia	that seems horribly wrong	22:50
TheJulia	is that really what is in the field?	22:50
admiyo	let me see what a Jade that works has....	22:50
admiyo	Ayuh	22:50
TheJulia	could the import somehow have had a json error or something?	22:50
TheJulia	because resource class shouldn't be a MAC address	22:51
admiyo	$ openstack baremetal node show jade11-r097 -f json \| jq '.resource_class'	22:51
admiyo	"baremetal-jade2"	22:51
admiyo	I bet a command switch got ignored...	22:51
admiyo	my typo I bet I bet I bet	22:51
TheJulia	if I remember correctly, you can change it	22:51
admiyo	Counting by adam. 0, 1,2,5	22:52
admiyo	$ openstack baremetal node show mystique01-r097 -f json \| jq '.resource_class'	22:54
admiyo	"baremetal-mystique"	22:54
admiyo	much goooder	22:54
TheJulia	give it ~2-3 minutes and I guess try to see if your flavor will match it with nova	22:55
admiyo	I still think it would be nice to be able to do a baremetal node list --flavor bm.mystique	22:58
* TheJulia grumbles about RBAC tests		22:59
TheJulia	that requires ironic to be fully flavor aware, and do in-house filter	22:59
admiyo	RBAC? That is like my favorite thing!	22:59
TheJulia	and there is no guarentee it will match like the placement service, so it would be an unreliable indicator I guess	22:59
TheJulia	I'm adding a new role today because of indecision and scope creep	23:00
TheJulia	so as such, I hate the world	23:00
admiyo	Well, it isnot goingto do worse than Error 500: No valid host was found. That my user is getting	23:00
admiyo	A new role?	23:00
TheJulia	a manager role	23:00
TheJulia	https://review.opendev.org/c/openstack/governance/+/815158/14/goals/proposed/consistent-and-secure-rbac.rst	23:00
admiyo	SO less than admin, more then end user?	23:00
TheJulia	yeah	23:01
admiyo	scoped to a project or no?	23:01
TheJulia	project scoped	23:01
TheJulia	in this case, in ironic, it will likely be the same as owner/lessee admin	23:01
admiyo	God that sounds so yuck	23:02
TheJulia	to update, yeah	23:02
admiyo	"if an operator uses a system-scoped token to create an instance	23:02
admiyo	for a user in a specific project"	23:02
TheJulia	mainly all in test code	23:02
admiyo	Dont	23:02
TheJulia	admiyo: ++	23:02
TheJulia	yeah, don't. refuse	23:02
admiyo	It is a mistake	23:02
TheJulia	that, specifically yeah	23:02
TheJulia	there are so many different nuances	23:03
opendevreview	Merged openstack/ironic stable/ussuri: CI: Get tinyipa build working for CI usage https://review.opendev.org/c/openstack/ironic/+/818241	23:03
* TheJulia dances		23:03
admiyo	System scoped tokens maybe hould be able to clean up other people's messes, but they should not be allocating new resources in projects	23:03
opendevreview	Julia Kreger proposed openstack/ironic stable/train: CI: Get tinyipa build working for CI usage https://review.opendev.org/c/openstack/ironic/+/818162	23:03
admiyo	TheJulia, I'd pocket veto that role If I were you	23:04
TheJulia	manager on it's own, in project scope is harmless to be honest. Just lots of test busywork	23:05
TheJulia	anyway there is a way to query placement, but I don't know how	23:05
admiyo	THat is what a project admin is supposed to be	23:05
admiyo	this smells alot like "We didn't really fix 968696" to me	23:05
TheJulia	admiyo: indeed :(	23:06
TheJulia	or people want to be able to abuse system scope	23:06
TheJulia	and keep project admin unchanged	23:06
TheJulia	which is insane, but hey	23:06
admiyo	Anyway, if operators need to do that kind of operation, they should do something like this: https://adam.younglogic.com/2018/02/openstack-hmt-cloudforms/	23:06
TheJulia	I only work here some days	23:06
admiyo	So you treat the top level domain as a project, and use project scoped tokens to do project scoped work	23:07
admiyo	look at it this way, Kerberos doens't let you use a TGT to authenticate to a service, you need to get a service ticket for that, no matter who you are.	23:08
TheJulia	I also think some operators fear changing anything, preferably people just use ironic with system scoped tokens except in limited cases, but Ironic is a weird case where the whole model is kind of flipped upside down	23:08
TheJulia	"Hi, we have actual real things here"	23:08
admiyo	Nope	23:11
admiyo	Metal is just another resource	23:11
TheJulia	I mean, we basically had amodel which was the system scoped use model	23:11
admiyo	What openstack lacks is the ability to have one project own a resource, and lend it to another project	23:11
TheJulia	so for us, it was about formalizing real project support while adding explicit support of the system scope	23:12
TheJulia	admiyo: so, we actaully have the capability for that, but it has to be delegated through action	23:12
TheJulia	which doubles the tests :\	23:12
admiyo	I mean, it is a one of for each resoure in each of the various services	23:13
TheJulia	hmm, and delegate out from there	23:13
TheJulia	so you build a tree	23:13
TheJulia	of sorts	23:13
admiyo	it should be like inodes and dentries. If I mount the same inode in two directires, I can make one readonly, one read write	23:14
admiyo	same thing should be true of any openstack resource, but we don't put project names into the URLs we use to access the resources, only global identifiers	23:14
admiyo	and the project name is then read off the resource.	23:15
admiyo	well, the id, not even the name	23:15
TheJulia	well, the couple instances where project-ids were used in urls, it has been basically a total disaster for them to adopt the system scope	23:15
admiyo	That means it is working	23:15
TheJulia	because, well, project-id has to be known	23:15
admiyo	and this is why I am not longer excited about RBAC and it is no longer my favorite thing	23:15
admiyo	I blame termie	23:16
TheJulia	unfortunately, the huge operators needing system scoped readers for accounting/auditing/support desks don't want/need to be project aware and scope themselves into a project to pull a list	23:16
TheJulia	lol	23:16
admiyo	Ha...such PTSD from the termie years I actually scrolled to make sure he wasnt' in the room	23:16
TheJulia	Cute puppies. It is the oly way	23:16
TheJulia	only way	23:16
TheJulia	or kittens.	23:16
TheJulia	Kittens work as well, especially when they are a bonded pair and they are playing.	23:17
admiyo	Then make non-project scoped APIs for them. Make the API react differently to a project scoped and a system scoped token.	23:17
admiyo	I mean, I am kindof in that boat myself, and I only have 2 projects	23:17
TheJulia	++	23:17
admiyo	Baremetal nodes are treated like hypervisors AND like end resources	23:18
TheJulia	yes, in part, except we don't record a node owner explicitly	23:18
TheJulia	or a lessee	23:18
* TheJulia needs to put that patch in		23:19
admiyo	But for the RH undercloud/overcloud split, the undercloud probably should just be one big project	23:19
TheJulia	++	23:19
admiyo	and...that is probably whey they want this, because they really do want to treat baremetal nodes as system resources, not project	23:19
admiyo	Hrm...so, Adam, <MR. Smarty pants...which should they be?	23:20
TheJulia	them, nah	23:20
admiyo	BM nodes? Probably system scoped, right?	23:21
TheJulia	I don't think the manager role idea came at all from rh but seems to have come from community interactions	23:21
TheJulia	admiyo: originally, the right way was to create a dedicated baremetal project and grant explicit baremetal_admin or baremetal_observer roles	23:21
admiyo	A project owning a node would be too restrictive, but I bet that is a common pattern, where different organization want the API to manage their HW, but want to own it themselves	23:21
TheJulia	but in ironic, operating mode wise, it is like the system owns everything, unless access has been explicitly permitted	23:22
TheJulia	easiest way to describe it	23:22
admiyo	I have not yet implemented quota in my tiny test cluster, but I am so tempted to. I have one guy that just grabs up all of the nodes	23:22
admiyo	and breaks them	23:22
admiyo	damn firmware testeers	23:22
TheJulia	ugh :(	23:22
TheJulia	I will glady review/approve quota support	23:23
admiyo	It is not the right mechanism, though	23:23
admiyo	I should be able to make BM node a global resource, and then assign them to projects	23:23
admiyo	that way, if he reprovisions, he does'nt lose it	23:23
JayF	You can implement something-ish like that by having a project designated system	23:23
JayF	and leasing nodes out to the tenant projects	23:23
admiyo	tenant projects?	23:24
JayF	just a made-up term for "a project that has a bm node leased to it"	23:24
admiyo	is that like Dollar Yens?	23:24
admiyo	Shekel Rupees	23:24
TheJulia	admiyo: this is why we have owner, and lessee with differing level of access	23:24
TheJulia	owners "own" the nodes forever, lesses just have them on loan	23:25
admiyo	what are valid values for owner?	23:25
TheJulia	owners can rip the nodes away if needed	23:25
TheJulia	project_id	23:26
admiyo	Acha. That is exactly what I want	23:26
TheJulia	I'm almost... done with this patch for the day	23:26
TheJulia	it might semi-click if you look at it once I post it	23:27
TheJulia	Its wrong, I need to revise it some, I found some tests I need to fix where I did stupid human things when I conjured them originally	23:27
JayF	admiyo: I just got your joke. I forgot that "projects" in openstack used to be a synonym for "tenant"	23:27
admiyo	I'm old	23:27
JayF	As are we all :D	23:28
admiyo	and I was the one responsible for implementing the code changes in Keystone for that	23:28
JayF	I think I started on Ironic back in Icehouse. I don't really work on it anymore though, which TBH has been a little refreshing.	23:28
JayF	Although I miss the people so I hang out in here, and it looked extra spicy this afternoon so I unlurked :D	23:28
TheJulia	Can we just start a "troublemaking stackers who need coffee support group" ?	23:28
admiyo	I think we already have, and you just named it.	23:28
TheJulia	Too early for spicy beverages!	23:29
TheJulia	;)	23:29
admiyo	Not where I sit it isn't	23:29
TheJulia	heh	23:29
admiyo	https://pics.me.me/half-the-day-i-wonder-if-its-too-late-for-coffee-51534164.png	23:29
JayF	admiyo: who are you?	23:30
admiyo	the artist formerly known as ayoung	23:30
JayF	aha; makes sense	23:30
admiyo	But I blew up my laptop right before leaving Red Hat, and decided to go with the old Nickname when I set up nickserv	23:30
TheJulia	heh	23:30
TheJulia	admiyo: was this like a.... literal detonation of the laptop?	23:31
JayF	What/where do you do now?	23:31
TheJulia	Inquiring minds want to know if so and if there is high speed video	23:31
admiyo	And by blew up, I mean I meant to write to an SD card and instead wrote to the NVME device and wiped, amoung other things, my key file	23:31
TheJulia	admiyo: doh :(	23:31
JayF	There are benefits to the new kernel /dev/nvme0[snip] device names for nvme for sure :D	23:31
admiyo	Its kinda like burning down your house when you move so you don't need to pack	23:31
JayF	makes writing USB images a lot less scary	23:31
admiyo	Oh, it was namde nvme. I just was brain dead	23:32
JayF	😱	23:32
admiyo	I am now at Ampere	23:32
admiyo	I'm on the software team, and I am setting up systems for Dev Ops type functioning. I inherited an OpenStack cluster, and ,well, I need to learn how to admin now. I am a poor admin.	23:33
JayF	Good luck :D	23:34
opendevreview	Julia Kreger proposed openstack/ironic master: Fix some of the SRBAC tests https://review.opendev.org/c/openstack/ironic/+/818298	23:34
opendevreview	Julia Kreger proposed openstack/ironic master: WIP: project scoped manager support https://review.opendev.org/c/openstack/ironic/+/818299	23:34
admiyo	I can probalby use reservations to test the flavor node matching	23:34
* TheJulia found more project scoped rbac tests to double/triple/quadrouple test		23:34
TheJulia	soooo many lines	23:35
admiyo	This is why I wanted to pull all of the RBAC out of the projects and enforce it in middleware	23:35
TheJulia	I'm just glad we do it all in our API because having to do some in API and some in the conductor/past rpc code path is bonkers	23:38
admiyo	It really is two distinct checks: does the role on the token match the role for the API, and does the project on the token match the project on the resource. The first part can be done in MIddleware, the second needs the object from the Database for read/mod/delete	23:40
TheJulia	yup	23:45
admiyo	What is the command to create a lease?	23:45
admiyo	reservation: null	23:47
admiyo	OK, so if I modify a node to set the project_id as the owner, then a user needs a reservation in order to be able to access it?	23:47

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!