Thursday, 2022-09-22

opendevreview	Jacob Anders proposed openstack/sushy master: [WIP] Retry BootSourceOverride request when SettingsURI is read-only https://review.opendev.org/c/openstack/sushy/+/856597	01:11
opendevreview	Iury Gregory Melo Ferreira proposed openstack/ironic master: Set stage for Zed Release with 21.1 https://review.opendev.org/c/openstack/ironic/+/858841	03:01
opendevreview	Vanou Ishii proposed openstack/ironic-python-agent master: Fix failure of bind mount in _install_grub2 https://review.opendev.org/c/openstack/ironic-python-agent/+/857271	06:11
rpittau	good morning ironic! o/	07:02
ajya	Good morning Ironic	08:12
ajya	if any 2nd reviewer available - https://review.opendev.org/c/openstack/ironic/+/855872 Thanks	08:13
rpittau	ajya: done	08:17
ajya	thanks rpittau	08:18
*** akahat\|ruck is now known as akahat\|ruck\|lunch		08:39
opendevreview	OpenStack Release Bot proposed openstack/ironic-inspector stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858869	08:52
opendevreview	OpenStack Release Bot proposed openstack/ironic-inspector stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858870	08:52
opendevreview	OpenStack Release Bot proposed openstack/ironic-inspector master: Update master for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858871	08:52
opendevreview	OpenStack Release Bot proposed openstack/ironic-inspector master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/ironic-inspector/+/858872	08:52
*** akahat\|ruck\|lunch is now known as akahat\|ruck		09:31
opendevreview	Merged openstack/ironic master: Fix idrac-redfish RAID controller mode conversion https://review.opendev.org/c/openstack/ironic/+/855872	09:38
opendevreview	Merged openstack/ironic-inspector stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858869	09:38
opendevreview	Merged openstack/ironic-inspector stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858870	09:38
opendevreview	Merged openstack/ironic-inspector master: Update master for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858871	09:38
opendevreview	Riccardo Pittau proposed openstack/bifrost master: Convert keystone integration job to jammy https://review.opendev.org/c/openstack/bifrost/+/858880	10:05
opendevreview	Vanou Ishii proposed openstack/ironic-python-agent master: Fix failure of bind mount in _install_grub2 https://review.opendev.org/c/openstack/ironic-python-agent/+/857271	10:20
opendevreview	Vanou Ishii proposed openstack/ironic-python-agent master: Fix failure of bind mount in _install_grub2 https://review.opendev.org/c/openstack/ironic-python-agent/+/857271	10:37
opendevreview	Merged openstack/ironic-inspector master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/ironic-inspector/+/858872	11:02
kubajj	dtantsur: I think I have an idea about what the inspector is doing and have some questions. Should I ask them here or in a private chat?	11:03
dtantsur	kubajj: all technical questions should rather go to the chat, this way we can engage more participants	11:04
dtantsur	(and arne_wiebalck knows that you're working lol)	11:04
kubajj	You mentioned two subtasks for the first step of the story (access introspection data and provide introspection data from elsewhere). How does it work now? What happens when inspector gets the data from the ramdisk now?	11:06
dtantsur	kubajj: the data gets validated, then gets piped through a number of plugins called "introspection hooks". Then so called "introspection rules" are run against this data (these are admin-defined rules written in a JSON-based DSL that may already be familiar to you).	11:08
dtantsur	kubajj: finally, the data is stored in a local database or Swift (an unprocessed copy is stored too).	11:09
dtantsur	kubajj: task #1 is to replicate the last step in ironic. So, all the processing happens in inspector still, ironic only gets the result and stores it for its own usage.	11:09
dtantsur	task #1.1. is to provide a similar process for other inspection implementations (even if no-op for now).	11:09
dtantsur	task #1.2. is to provide an ironic API for users to fetch this stored data (the same way it's possible now for inspector API).	11:10
dtantsur	I think that's it for the start.	11:11
dtantsur	We may ignore unprocessed data for now.	11:11
dtantsur	the data itself consists of "inventory" key with the standard data from IPA. and other keys that are generated by plugins.	11:12
dtantsur	one of the things I'd change when doing this in Ironic is to hide or plugin-generated data under a new key ("plugin_data"?)	11:12
dtantsur	so that the top level only has two keys: "inventory" (standard) and "plugin_data"/"extra" (plugin dependent)	11:12
kubajj	Is the RootDiskSelectionHook (part I modified to match root device hints logic from IPA) one of the instrospection rules?	11:12
dtantsur	kubajj: correct	11:12
dtantsur	so, you're already familiar with hooks :)	11:13
kubajj	So the API that I need to create is for the result of the inspector processing to be passed to ironic, right?	11:14
dtantsur	kubajj: yes - for now.	11:15
kubajj	dtantsur: Is there anything already passed from inspector to ironic, so that I could use a similar approach?	11:17
dtantsur	kubajj: introspection status (see drivers/modules/inspector.py), but it may not match 1-1 to what you need	11:18
kubajj	dtantsur: thanks	11:18
dtantsur	kubajj: since inspection may be asynchronous, you cannot just return the resulting data from InspectInterface.inspect_hardware	11:19
opendevreview	Jacob Anders proposed openstack/sushy master: [WIP] Retry BootSourceOverride request when SettingsURI is read-only https://review.opendev.org/c/openstack/sushy/+/856597	11:19
dtantsur	on the other hand, out-of-band implementations (redfish etc) don't have a built-in storage. a dilemma.	11:19
dtantsur	so what we probably need is a new call somewhere e.g. in conductor.utils that will be called by InspectInterface implementations	11:20
dtantsur	push model instead of pull model, if you wish	11:20
dtantsur	in terms of Inspector, it means that once the driver detects success, it asks Inspector for the data and stores it using the new conductor call	11:21
* dtantsur hopes he expresses himself clearly despite being a bit sick		11:21
kubajj	Oh, it is from ironic and not inspector. I see. So, the front-end calls the introspection and waits for the introspection status. Then my change should come in.	11:23
dtantsur	correct	11:24
kubajj	dtantsur: Do you mean push from inspector?	11:24
dtantsur	kubajj: no, from the ironic's inspector driver	11:24
dtantsur	so, you said correctly in the previous sentence	11:24
iurygregory	good morning Ironic	11:25
kubajj	dtantsur: Do I need to modify inspector in any way?	11:28
dtantsur	kubajj: not at this point, I think	11:29
kubajj	and for testing purposes, should I deploy the devstack with the config from ironic-inspector docs?	11:30
dtantsur	kubajj: that, or bifrost (it has inspector by default)	11:31
kubajj	ok, thanks dtantsur	11:38
dtantsur	you're always welcome	11:38
shukun	Please review the next three backport patches:	11:42
shukun	- yoga: https://review.opendev.org/c/openstack/ironic/+/850553	11:42
shukun	- xena: https://review.opendev.org/c/openstack/ironic/+/850554	11:42
shukun	- wallaby: https://review.opendev.org/c/openstack/ironic/+/850707	11:42
shukun		11:42
shukun	I understand the three patches are backporting a feature patch (https://review.opendev.org/c/openstack/ironic/+/845347), but that patch aims to support FIPS, and FIPS support will be necessary for some distributions which does not use master branch. So we want to backport that patch to every still maintained stable branch. FYI, for wallaby branch, the backport patch assumes that the next patch is merged: https://review.opendev.org/c/openstack/iro	11:42
shukun	nic/+/852803	11:42
iurygregory	rpittau, except for the two patches in bifrost do we need something more?	11:51
rpittau	iurygregory: which bifrost patches?	12:27
opendevreview	Merged openstack/ironic master: Implement a DHCP driver backed by dnsmasq https://review.opendev.org/c/openstack/ironic/+/851681	13:22
iurygregory	rpittau, the ones to supprot the new ubuntu	13:34
iurygregory	jammy I think?	13:34
rpittau	iurygregory: there's more to that, I think we nee to exclude the change from zed and go to antelope directly	13:37
iurygregory	ok	13:38
iurygregory	so I will request bifrost release now =)	13:38
TheJulia	good morning	13:54
kubajj	Good morning TheJulia	13:55
opendevreview	Riccardo Pittau proposed openstack/ironic bugfix/20.2: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858895	14:03
JayF	Those iRMC backports (https://review.opendev.org/c/openstack/ironic/+/850553 being yoga) seem like a little extreme for backports -- including adding config options	14:08
JayF	in the past have we been more leniant about backporting for stuff like this? I'm just a little leery of sending new config options back to wallaby by default	14:08
JayF	Also, even though it doesn't raise the requirement in driver-requirements.txt, the new functionality only comes into play if folks update that package	14:09
opendevreview	Julia Kreger proposed openstack/ironic stable/ussuri: CI: fix ussuri branch https://review.opendev.org/c/openstack/ironic/+/843515	14:09
TheJulia	JayF: adding config options has been viewed as generally okay, and adding new driver capabilities as long as it as an operator benefit	14:13
iurygregory	good morning TheJulia	14:13
TheJulia	JayF: it is new config options that break things that is not okay	14:14
JayF	TheJulia: a warmer, more cuddly backport policy <3 lol	14:14
JayF	I dig it, cool stuff	14:14
TheJulia	yes, that was a fun one to argue for :)	14:14
*** vanou is now known as Guest1149		14:15
JayF	Honestly with stuff like this; I just find myself wondering how many people who are running e.g. wallaby still care and feed their environment well enough to safely execute a driver lib update	14:15
TheJulia	anyhow, I just uploaded https://review.opendev.org/c/openstack/ironic/+/843515 hoping it will fix ussuri's ci	14:15
TheJulia	looks like it sclose	14:15
JayF	like, not "we shouldn't do this for [theoretical reasons]", but more curious about the practicality of if it's actually consumed	14:16
JayF	For some reason, I find myself trying to understand operators in different situations than I've been in a little more in the last week :D	14:16
TheJulia	consumed, it is. rhosp 17 == Wallaby	14:16
JayF	You all will do the driver-requirements.txt upgrades in-cycle too?	14:16
TheJulia	we accept updates to packages, we functionally ignore driver-reqs and track branches for the most part	14:17
JayF	It feels weird, but I almost wish we had an official upstream place we documented people who consume and package openstack downstream, with details about versions/branches/etc	14:18
JayF	there's probably no way to do that which wouldn't instantly bit-rot, but I have no problem with upstream priorities being aligned with folks who are getting software in front of people	14:18
JayF	I just like being explicit about why we're doing things :D	14:18
TheJulia	JayF: that would be nice, but politics :(	14:19
TheJulia	packaging politics are saddening	14:19
JayF	I've started to get a glimse into some of that in my on-my-own-time effort to become a Gentoo developer. And frankly, that involves a lot less money lol	14:19
iurygregory	TheJulia, I was looking at the prelude "to support to enable greater separation " of duties, since I'm not native speaker the "to support to enable" sounds a bit strange to me .-.	14:20
TheJulia	oh, just s/to support//	14:21
iurygregory	ok o/	14:21
TheJulia	sorry, it is a bit strange, I must have been interrupted while writing	14:21
iurygregory	no worries	14:22
iurygregory	in 38min PTG topics meeting	14:22
* TheJulia looks at coffee and hopes it completes its task		14:24
JayF	TheJulia: re: ussuri CI patch; did we recently land those partition image tests in tempest?	14:24
TheJulia	iurygregory: when did the combined tests land in tempest?	14:24
TheJulia	I don't remember	14:24
JayF	I was pretty sure I'm had something merged to ussuri fairly recently	14:24
dtantsur	I think we need to add the bit about config options in backports to some docs	14:24
* JayF asks git		14:24
dtantsur	somebody asks every time	14:25
TheJulia	dtantsur: ++	14:25
dtantsur	driver-requirements is very hairy	14:25
dtantsur	like VERY	14:25
JayF	last commit in ussuri is 8/9	14:25
dtantsur	we've done that on a few occasions, but every time it's a chance of issues downstream	14:25
JayF	dtantsur: TheJulia: and never take me asking a question as like "I think X", I ask because I wanna know and usually it also means I have no strong opinion. Just trying to avoid being a human rubber stamp :D	14:25
TheJulia	JayF: sometimes some stuff worked, it has become a pile of failures due to the queue tag removal, so now everything together	14:25
JayF	TheJulia: yeah, I think I was remembering my patch to nova for the ironic driver which landed in ussuri more recently	14:26
JayF	TheJulia: this timeline makes more sense and I shoulda checked before typing in IRC :P	14:26
TheJulia	heh	14:26
TheJulia	yeah	14:26
TheJulia	next ussuri patch is likely going to be to turn off a bunch of jobs that are really no longer needed or just won't be fixed that are non-voting	14:27
opendevreview	Riccardo Pittau proposed openstack/ironic bugfix/20.2: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858895	14:27
TheJulia	low risk ultimately because things around the jobs have broken/changed as time has moved on	14:27
JayF	good stuff	14:27
JayF	I mean, if we're sending something back to ussuri there's a good chance it's: 1) minor, 2) security or 3) driver	14:28
TheJulia	And, backports only... so we really only need base sanity checking stuffs working on the branch at this point	14:28
JayF	in which case coverage also matters less	14:28
TheJulia	JayF: bingo	14:28
JayF	The biggest CI thing weighing on me right now is that we have 3rd party CI systems that -- overall are good -- but still have broken jobs running and voting	14:29
JayF	and it makes it super easy to ignore results if it's constantly failing	14:29
JayF	I should put that on my list, to follow up on that	14:29
TheJulia	kubajj: so your looking into merging inspector into ironic right?	14:29
opendevreview	Riccardo Pittau proposed openstack/ironic bugfix/19.0: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858896	14:30
kubajj	TheJulia: yes, correct	14:30
TheJulia	so I took a look at the db interface code in inspector yesterday	14:31
TheJulia	I would highly advise you don't copy/paste db related code and you re-implement in the sqlalchemy2.0 style we've already started to work on in ironic	14:31
TheJulia	tl;dr, inspector is very not sqlalchemy 2.0 compatible	14:31
iurygregory	TheJulia, I don't remember from top of my head .-. I can check later today	14:32
TheJulia	iurygregory: doesn't really matter	14:32
TheJulia	I'm thinking, overall, that for inspector, we can fix it, but it is going to take a lot of rewriting of the db layer which will take some time to just fix inspector	14:33
TheJulia	that may end up helping, since it will be in a very similar style to ironic, but it is much more something to be mindful of	14:35
opendevreview	Riccardo Pittau proposed openstack/ironic bugfix/19.0: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858896	14:35
opendevreview	Riccardo Pittau proposed openstack/ironic bugfix/19.0: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858896	14:36
kubajj	TheJulia: should I do the rewriting?	14:36
opendevreview	Riccardo Pittau proposed openstack/ironic bugfix/19.0: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858896	14:38
iurygregory	JayF, TheJulia thoughts on the name of the step in https://review.opendev.org/c/openstack/ironic-python-agent/+/566544 ? based on NobodyCam comment the step makes sense so I'm ok with it or maybe we should change	14:39
JayF	bluntly, I think that whole mellanox->nvidia rename is just going to confuse the hell out of everyone	14:39
JayF	but it's also unreasonable of us to ask them to not rebrand	14:40
* JayF just tosses his hat in with `update_nvidia_nic_firmware` as the best of not-awesome options		14:41
TheJulia	I think that is actually a better name, but yeah :\	14:42
TheJulia	still needs a reno/docs and the actual code change	14:43
TheJulia	kubajj: if you focus on api/high level db object aspects, you should be able to avoid the pain points, but I think we should discuss further once we each have more clarity	14:44
TheJulia	I guess the question is, what will the migration look like. Or at least, that might be something to ponder	14:44
* TheJulia makes more coffeee		14:45
kubajj	TheJulia: should I focus now on what I would implement on the Ironic side and then discuss my plan with you to figure out what needs to change on the inspector side?	14:48
TheJulia	kubajj: I think that is perfect	14:48
TheJulia	since I expect I'll be working on sqlalchemy 2.0 for inspector	14:49
iurygregory	If any core have some time https://review.opendev.org/c/openstack/ironic/+/858841 we need this to cut the Zed release o/	14:53
iurygregory	I'm pushing the changes for releasenotes in Julia's patch to add the prelude after my lunch	14:53
TheJulia	+2'ed	14:54
TheJulia	iurygregory: ack	14:54
TheJulia	Well, so far so good with the ussuri patch	14:57
TheJulia	about 70% of the way there	14:57
JayF	looking	14:57
TheJulia	at least on check	14:57
iurygregory	PTG call in 2min	14:57
iurygregory	Link https://meet.google.com/ivs-qwyc-kpo	14:59
TheJulia	janders: What time would work for you and Moshe for Active Steps ?	15:33
TheJulia	janders: we're thinking splitting it so there is a 7am utc session to do requirements/initial thought gathering	15:36
iurygregory	JayF, operator-hour-placeholder on Wed 13 UTC essex room	15:40
opendevreview	Verification of a change to openstack/ironic master failed: Set stage for Zed Release with 21.1 https://review.opendev.org/c/openstack/ironic/+/858841	16:34
rpittau	bye everyone o/	16:37
* iurygregory goes for lunch		16:49
opendevreview	Verification of a change to openstack/ironic master failed: Set stage for Zed Release with 21.1 https://review.opendev.org/c/openstack/ironic/+/858841	16:58
opendevreview	Merged openstack/ironic stable/ussuri: CI: fix ussuri branch https://review.opendev.org/c/openstack/ironic/+/843515	17:03
JayF	It's time for my semi-daily stable review request funtime: https://review.opendev.org/c/openstack/ironic/+/857771 https://review.opendev.org/c/openstack/ironic/+/858468 (wow, I'm down to only two)	17:29
opendevreview	Julia Kreger proposed openstack/ironic stable/ussuri: CI: Fix/Update a few more jobs https://review.opendev.org/c/openstack/ironic/+/858962	17:43
TheJulia	okay, that should clean it up the rest of the way	17:43
TheJulia	ussuri that is	17:44
TheJulia	boom	17:45
JayF	I'll wait for zuul to respond on it then go vote on the change	17:45
JayF	would prefer 2x+2 on that since it's changing test coverage	17:46
JayF	meaning like, I won't +2A it like I did the direct fix :D	17:46
opendevreview	Jay Faulkner proposed openstack/ironic stable/yoga: Redfish: Consider password part of the session cache https://review.opendev.org/c/openstack/ironic/+/858903	17:50
TheJulia	https://review.opendev.org/q/If69ce1cf2789d9d60fb8e544596cf7d29eab514d <-- could also use some stable reviews	17:52
TheJulia	yeah, all of that is non-voting that I changed for ussuri, so better to stop/see/then approve	17:53
JayF	TheJulia: ack, it's on my list	17:53
TheJulia	i did recheck the ussuri patch in that series	17:53
TheJulia	since it's ci is now happier	17:54
JayF	Yeah; I'm slightly disappointed that we landed the stuff in yoga before it went into bugfix/	17:54
JayF	I know policy doesn't require us to put every patch everywhere, but it's nice if we do	17:54
* JayF is super guilty of approving patches w/o checking for this		17:54
TheJulia	rpittau: https://1db75cf0b12d832dc11e-0da77774ba1e870a646f19d85e727a87.ssl.cf5.rackcdn.com/858896/4/check/ironic-tox-unit-with-driver-libs/7523b5b/testr_results.html 8\	17:55
opendevreview	Merged openstack/ironic bugfix/20.2: Redfish: Consider password part of the session cache https://review.opendev.org/c/openstack/ironic/+/857771	19:08
opendevreview	Verification of a change to openstack/ironic bugfix/18.1 failed: Do not reboot into nowhere after BIOS settings with fast-track https://review.opendev.org/c/openstack/ironic/+/858468	19:08
TheJulia	so now the standalone job fails on ussuri :\	20:21
opendevreview	Merged openstack/ironic bugfix/20.2: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858895	20:24
opendevreview	Merged openstack/ironic master: Set stage for Zed Release with 21.1 https://review.opendev.org/c/openstack/ironic/+/858841	20:29
JayF	I see all the reviews up for releases -- I'm going to assume we don't need more time, and just let those go in on 9/23 as scheduled (tomorrow). If anyone needs me to put a -1 on releasing an artifact, please let me know (today if possible)	20:43
* JayF wonders if they honor anyone's -1, or just the PTL ... I hope it's everyone core on Ironic?		20:44
JayF	NobodyCam: You or Waleed likely going to get around to this? It's only missing prose (release note) and a name change to be mergable, but you've got less than a day :\| https://review.opendev.org/c/openstack/ironic-python-agent/+/566544	20:47
erbarr	what's using dbcounter? I got a notification from security that a 3rd-party group compromised it as a proof of concept and I got 90 days to fix it...	20:51
JayF	I did the math for a daily internal update I curate for GR-OSS team --> Zed will be the 18th release of OpenStack that contains Ironic (if you count incubation time)	20:51
JayF	erbarr: if there's a concern that one of our dependencies, or dependency-of-dependency is compromised in a way that could impact OpenStack, please open a private bug at storyboard.openstack.org about it	20:52
JayF	although consider me effectively nerd-sniped	20:52
JayF	TheJulia: are you working on a revision of https://review.opendev.org/c/openstack/ironic/+/858582/1/releasenotes/notes/zed-prelude-09fe95b11ad2459d.yaml ?	21:16
JayF	we have to get this merged, and I know there was talk around it but I'm not certain what status it's in, and don't want to dupe work	21:17
* JayF works on a revision just in case		21:17
TheJulia	JayF: I believe iurygregory was going to	21:19
JayF	ack; it says "please edit", and I think he's (hopefully?) asleep	21:20
JayF	so I'm going to put in a revision and let him edit further if he wants	21:20
JayF	and trust him to get it over the finish line tomorrow	21:20
TheJulia	Eh, late afternoon in brazil	21:20
JayF	oh, I forget he's in brazil	21:20
TheJulia	iurygregory: o/	21:20
TheJulia	erbarr: Oslo.db I believe…. I think it gets pulled in as a dependency of a dependency, so storyboard as a security story would be most appropriate against the particular component and then likely ping fungi	21:22
JayF	TheJulia: erbarr: FWIW; master branch of ironic with all deps installed (for unit tests), that package is not installed.	21:23
JayF	TheJulia: erbarr: So we may want/need to isolate which branches it's happening on as well, if Ironic is impacted.	21:23
erbarr	yea, I'm seeing the plugin on pretty much every service from the devstack log, I tracked it down to this I believe: https://opendev.org/openstack/devstack/src/branch/master/tools/dbcounter	21:23
erbarr	security saw it on pip3_freeze.txt and saw it wasn't a public pip package and made a malicious one to proof of concept it seems, I think I gotta yell at them or something	21:24
JayF	I mean, it's a reasonable concern if that's meant to be pip-installed that we should reserve the name even if we don't release it.	21:25
ashinclouds[m]	Ahhhhh name conflict too wheeeee	21:25
JayF	erbarr: I'd call that a very, very, very low impact security bug against devstack	21:25
JayF	erbarr: but they would likely be able to tell you for sure (and I wouldn't be surprised if someone argues it's not a bug)	21:25
erbarr	yea, agree JayF	21:25
JayF	erbarr: I do feel for you, I know when the eye of security-sauron looks your way, it can be hard to get them to look away without a patch or something to point at :\|	21:26
erbarr	shrug lol	21:26
opendevreview	Jay Faulkner proposed openstack/ironic master: Zed: Add a prelude for the release notes https://review.opendev.org/c/openstack/ironic/+/858582	21:27
JayF	iurygregory: ^ I kept edits to a minimum, if you already have changes locally and need to dunk mine, it's not a problem	21:27
fungi	erbarr: JayF: TheJulia: if it's a dependency of oslo.db that's the problem, then launchpad bug reported against that (i and the rest of the vmt will be automatically notified, but feel free to give me the bug number via privmsg if in doubt)	21:55
TheJulia	So, sounds like something devstack does with a same name as something else that caused a security team to freak	21:56
TheJulia	At least, that is my take	21:56
* TheJulia will actually be able to look for realz in a little bit		21:58
JayF	TheJulia: I'	21:58
JayF	TheJulia: I'm looking at it for reals, and I sent fungi a concise (as concise as I get) summary in DM	21:59
JayF	TheJulia: going to try and keep it outta the main channels now until fungi says otherwise; even though I think it's probably OK it's not the project I work directly on so going to be extra careful :D	21:59
TheJulia	K	22:03
fungi	yeah, https://review.opendev.org/839820 seems to be the origin of the code in question, so probably would be good to loop dansmith in as the author	22:03
JayF	fungi: is this public bug / ML safe? Or should I keep communications about this direct	22:04
JayF	fungi: I kinda feel like if we're going to make noise about this, someone should park that name first before someone gets any ideas :)	22:04
dansmith	so.. what?	22:04
dansmith	is there a real concern or is this a naming clash?	22:04
fungi	seems like it's low-risk and already public	22:05
JayF	dansmith: https://review.opendev.org/839820 added a python package, dbcounter. We had a report from an Ironic operator that their security team flagged it as a pip installed package that did not have a reserved name in pypi, and theorized that could be used as an attack vector.	22:05
dansmith	against devstack? :)	22:05
fungi	dansmith: erbarr was notified by someone that the dbcounter package devstack embeds doesn't exist on pypi, so has been cautioned that it could become a problem if someone registered it and then uploaded malware	22:05
dansmith	etiher way, I don't think there's any assertion anywhere that every python package has to be registered in pip	22:06
dansmith	er, pypy	22:06
fungi	pypi, but i concur	22:06
JayF	I agree in broad strokes; but I've worked at large companies that had similar policies (you cannot install python packages that do not have pypi names reserved, or you had to block that name from being synced at the proxy)	22:06
dansmith	okay, I strongly disagree that we should need to register it on pypi because we use it internally to hook into sqlalchemy	22:06
fungi	with my vmt hat squarely affixed, i'm inclined to not care about this	22:06
dansmith	fungi: same, although mine is a paper vmt hat I just made myself	22:07
JayF	fungi: dansmith: we might make erbarr's life a little easier if we documented this in a bug? My main concern in light of the facts is that I don't want erbarr's security team leaving with the impression we didn't take their report at all.	22:07
JayF	I'm happy to write the bug so one of you can WONTFIX it :D	22:07
fungi	companies with that sort of policy shouldn't be installing devstack. it's a much bigger security risk on its own than a non-registered pypi package	22:07
dansmith	fungi: agree	22:08
dansmith	JayF: sure if you want to file a bug I'll be glad to "I understand but disagree" it	22:08
JayF	I don't disagree with any of this, I just like writing it down in a more pemanent place.	22:08
fungi	yep, happy to add a vmt stamp on some bug if you file it, for posterity	22:09
* TheJulia reads, and feels like there is a positive outcome		22:10
JayF	dansmith: fungi: https://bugs.launchpad.net/devstack/+bug/1990589	22:12
fungi	thanks!	22:12
JayF	I put most of what we need in the desc, but it's probably better just for posterity if someone else agrees and mashes the close buttons	22:12
JayF	IDK if I even have power to do that in devstack anyway	22:12
JayF	erbarr: To summarize for you; we've filed https://bugs.launchpad.net/devstack/+bug/1990589 but it is not expected to recieve any real action as OpenStack (and generally, python) does not guarantee that every python package we ship in git (especially for dev purposes) will exist in pypi, or should be installed/upgraded from pypi.	22:13
JayF	erbarr: you can feel free to share that bug link with your security team if they'd like to make a different case there	22:14
fungi	that is an excellent and accurate summary	22:16
JayF	I wrote it like I was writing it to the Paranoids back when I worked at Yahoo! :) They taught me how to speak security-team a bit better	22:17
fungi	space paranoids?	22:18
* fungi loves tron		22:18
JayF	I'm not familar with that term; I only saw tron once and I was drunk and it was over a decade ago lol	22:19
JayF	from yahooinc.com > We're the information security team — widely known as The Paranoids — that defends the things you love the most about Yahoo from cybersecurity threats.	22:19
JayF	basically just a really good marketing name for an internal security team	22:19
fungi	in like (kevin) flynn	22:19
* fungi fights for the users		22:22
opendevreview	Julia Kreger proposed openstack/ironic stable/ussuri: CI: Fix/Update a few more jobs https://review.opendev.org/c/openstack/ironic/+/858994	22:45
TheJulia	so looks like there is an old inspector patch I can resurrect from the depths of abandoned state as a first pass to clean up db access	23:14
TheJulia	rebase is not... too narly so hopefully forward progress in the next few days	23:14
opendevreview	Iury Gregory Melo Ferreira proposed openstack/ironic master: Zed: Add a prelude for the release notes https://review.opendev.org/c/openstack/ironic/+/858582	23:26
iurygregory	TheJulia, if you are still around ^	23:27
iurygregory	nothing to change in releasenotes, so I just fixed a few things in the prelude	23:27
TheJulia	Ack	23:27
* TheJulia +2's and takes her migraine back to the bedroom where blahaj is waiting		23:30
iurygregory	tks!	23:30

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!