opendevreview | Jacob Anders proposed openstack/sushy master: [WIP] Retry BootSourceOverride request when SettingsURI is read-only https://review.opendev.org/c/openstack/sushy/+/856597 | 01:11 |
opendevreview | Iury Gregory Melo Ferreira proposed openstack/ironic master: Set stage for Zed Release with 21.1 https://review.opendev.org/c/openstack/ironic/+/858841 | 03:01 |
opendevreview | Vanou Ishii proposed openstack/ironic-python-agent master: Fix failure of bind mount in _install_grub2 https://review.opendev.org/c/openstack/ironic-python-agent/+/857271 | 06:11 |
rpittau | good morning ironic! o/ | 07:02 |
ajya | Good morning Ironic | 08:12 |
ajya | if any 2nd reviewer available - https://review.opendev.org/c/openstack/ironic/+/855872 Thanks | 08:13 |
rpittau | ajya: done | 08:17 |
ajya | thanks rpittau | 08:18 |
*** akahat|ruck is now known as akahat|ruck|lunch | 08:39 | |
opendevreview | OpenStack Release Bot proposed openstack/ironic-inspector stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858869 | 08:52 |
opendevreview | OpenStack Release Bot proposed openstack/ironic-inspector stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858870 | 08:52 |
opendevreview | OpenStack Release Bot proposed openstack/ironic-inspector master: Update master for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858871 | 08:52 |
opendevreview | OpenStack Release Bot proposed openstack/ironic-inspector master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/ironic-inspector/+/858872 | 08:52 |
*** akahat|ruck|lunch is now known as akahat|ruck | 09:31 | |
opendevreview | Merged openstack/ironic master: Fix idrac-redfish RAID controller mode conversion https://review.opendev.org/c/openstack/ironic/+/855872 | 09:38 |
opendevreview | Merged openstack/ironic-inspector stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858869 | 09:38 |
opendevreview | Merged openstack/ironic-inspector stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858870 | 09:38 |
opendevreview | Merged openstack/ironic-inspector master: Update master for stable/zed https://review.opendev.org/c/openstack/ironic-inspector/+/858871 | 09:38 |
opendevreview | Riccardo Pittau proposed openstack/bifrost master: Convert keystone integration job to jammy https://review.opendev.org/c/openstack/bifrost/+/858880 | 10:05 |
opendevreview | Vanou Ishii proposed openstack/ironic-python-agent master: Fix failure of bind mount in _install_grub2 https://review.opendev.org/c/openstack/ironic-python-agent/+/857271 | 10:20 |
opendevreview | Vanou Ishii proposed openstack/ironic-python-agent master: Fix failure of bind mount in _install_grub2 https://review.opendev.org/c/openstack/ironic-python-agent/+/857271 | 10:37 |
opendevreview | Merged openstack/ironic-inspector master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/ironic-inspector/+/858872 | 11:02 |
kubajj | dtantsur: I think I have an idea about what the inspector is doing and have some questions. Should I ask them here or in a private chat? | 11:03 |
dtantsur | kubajj: all technical questions should rather go to the chat, this way we can engage more participants | 11:04 |
dtantsur | (and arne_wiebalck knows that you're working lol) | 11:04 |
kubajj | You mentioned two subtasks for the first step of the story (access introspection data and provide introspection data from elsewhere). How does it work now? What happens when inspector gets the data from the ramdisk now? | 11:06 |
dtantsur | kubajj: the data gets validated, then gets piped through a number of plugins called "introspection hooks". Then so called "introspection rules" are run against this data (these are admin-defined rules written in a JSON-based DSL that may already be familiar to you). | 11:08 |
dtantsur | kubajj: finally, the data is stored in a local database or Swift (an unprocessed copy is stored too). | 11:09 |
dtantsur | kubajj: task #1 is to replicate the last step in ironic. So, all the processing happens in inspector still, ironic only gets the result and stores it for its own usage. | 11:09 |
dtantsur | task #1.1. is to provide a similar process for other inspection implementations (even if no-op for now). | 11:09 |
dtantsur | task #1.2. is to provide an ironic API for users to fetch this stored data (the same way it's possible now for inspector API). | 11:10 |
dtantsur | I think that's it for the start. | 11:11 |
dtantsur | We may ignore unprocessed data for now. | 11:11 |
dtantsur | the data itself consists of "inventory" key with the standard data from IPA. and other keys that are generated by plugins. | 11:12 |
dtantsur | one of the things I'd change when doing this in Ironic is to hide or plugin-generated data under a new key ("plugin_data"?) | 11:12 |
dtantsur | so that the top level only has two keys: "inventory" (standard) and "plugin_data"/"extra" (plugin dependent) | 11:12 |
kubajj | Is the RootDiskSelectionHook (part I modified to match root device hints logic from IPA) one of the introspection rules? | 11:12 |
dtantsur | kubajj: correct | 11:12 |
dtantsur | so, you're already familiar with hooks :) | 11:13 |
kubajj | So the API that I need to create is for the result of the inspector processing to be passed to ironic, right? | 11:14 |
dtantsur | kubajj: yes - for now. | 11:15 |
kubajj | dtantsur: Is there anything already passed from inspector to ironic, so that I could use a similar approach? | 11:17 |
dtantsur | kubajj: introspection status (see drivers/modules/inspector.py), but it may not match 1-1 to what you need | 11:18 |
kubajj | dtantsur: thanks | 11:18 |
dtantsur | kubajj: since inspection may be asynchronous, you cannot just return the resulting data from InspectInterface.inspect_hardware | 11:19 |
opendevreview | Jacob Anders proposed openstack/sushy master: [WIP] Retry BootSourceOverride request when SettingsURI is read-only https://review.opendev.org/c/openstack/sushy/+/856597 | 11:19 |
dtantsur | on the other hand, out-of-band implementations (redfish etc) don't have a built-in storage. a dilemma. | 11:19 |
dtantsur | so what we probably need is a new call somewhere e.g. in conductor.utils that will be called by InspectInterface implementations | 11:20 |
dtantsur | push model instead of pull model, if you wish | 11:20 |
dtantsur | in terms of Inspector, it means that once the driver detects success, it asks Inspector for the data and stores it using the new conductor call | 11:21 |
* dtantsur hopes he expresses himself clearly despite being a bit sick | 11:21 | |
kubajj | Oh, it is from ironic and not inspector. I see. So, the front-end calls the introspection and waits for the introspection status. Then my change should come in. | 11:23 |
dtantsur | correct | 11:24 |
kubajj | dtantsur: Do you mean push from inspector? | 11:24 |
dtantsur | kubajj: no, from the ironic's inspector driver | 11:24 |
dtantsur | so, you said correctly in the previous sentence | 11:24 |
iurygregory | good morning Ironic | 11:25 |
kubajj | dtantsur: Do I need to modify inspector in any way? | 11:28 |
dtantsur | kubajj: not at this point, I think | 11:29 |
kubajj | and for testing purposes, should I deploy the devstack with the config from ironic-inspector docs? | 11:30 |
dtantsur | kubajj: that, or bifrost (it has inspector by default) | 11:31 |
kubajj | ok, thanks dtantsur | 11:38 |
dtantsur | you're always welcome | 11:38 |
shukun | Please review the next three backport patches: | 11:42 |
shukun | - yoga: https://review.opendev.org/c/openstack/ironic/+/850553 | 11:42 |
shukun | - xena: https://review.opendev.org/c/openstack/ironic/+/850554 | 11:42 |
shukun | - wallaby: https://review.opendev.org/c/openstack/ironic/+/850707 | 11:42 |
shukun | 11:42 | |
shukun | I understand the three patches are backporting a feature patch (https://review.opendev.org/c/openstack/ironic/+/845347), but that patch aims to support FIPS, and FIPS support will be necessary for some distributions which do not use the master branch. So we want to backport that patch to every still maintained stable branch. FYI, for the wallaby branch, the backport patch assumes that the next patch is merged: https://review.opendev.org/c/openstack/ironic/+/852803 | 11:42 |
iurygregory | rpittau, except for the two patches in bifrost do we need something more? | 11:51 |
rpittau | iurygregory: which bifrost patches? | 12:27 |
opendevreview | Merged openstack/ironic master: Implement a DHCP driver backed by dnsmasq https://review.opendev.org/c/openstack/ironic/+/851681 | 13:22 |
iurygregory | rpittau, the ones to support the new ubuntu | 13:34 |
iurygregory | jammy I think? | 13:34 |
rpittau | iurygregory: there's more to that, I think we need to exclude the change from zed and go to antelope directly | 13:37 |
iurygregory | ok | 13:38 |
iurygregory | so I will request bifrost release now =) | 13:38 |
TheJulia | good morning | 13:54 |
kubajj | Good morning TheJulia | 13:55 |
opendevreview | Riccardo Pittau proposed openstack/ironic bugfix/20.2: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858895 | 14:03 |
JayF | Those iRMC backports (https://review.opendev.org/c/openstack/ironic/+/850553 being yoga) seem like a little extreme for backports -- including adding config options | 14:08 |
JayF | in the past have we been more lenient about backporting for stuff like this? I'm just a little leery of sending new config options back to wallaby by default | 14:08 |
JayF | Also, even though it doesn't raise the requirement in driver-requirements.txt, the new functionality only comes into play if folks update that package | 14:09 |
opendevreview | Julia Kreger proposed openstack/ironic stable/ussuri: CI: fix ussuri branch https://review.opendev.org/c/openstack/ironic/+/843515 | 14:09 |
TheJulia | JayF: adding config options has been viewed as generally okay, and adding new driver capabilities as long as it has an operator benefit | 14:13 |
iurygregory | good morning TheJulia | 14:13 |
TheJulia | JayF: it is new config options that break things that is not okay | 14:14 |
JayF | TheJulia: a warmer, more cuddly backport policy <3 lol | 14:14 |
JayF | I dig it, cool stuff | 14:14 |
TheJulia | yes, that was a fun one to argue for :) | 14:14 |
*** vanou is now known as Guest1149 | 14:15 | |
JayF | Honestly with stuff like this; I just find myself wondering how many people who are running e.g. wallaby still care and feed their environment well enough to safely execute a driver lib update | 14:15 |
TheJulia | anyhow, I just uploaded https://review.opendev.org/c/openstack/ironic/+/843515 hoping it will fix ussuri's ci | 14:15 |
TheJulia | looks like it's close | 14:15 |
JayF | like, not "we shouldn't do this for [theoretical reasons]", but more curious about the practicality of if it's actually consumed | 14:16 |
JayF | For some reason, I find myself trying to understand operators in different situations than I've been in a little more in the last week :D | 14:16 |
TheJulia | consumed, it is. rhosp 17 == Wallaby | 14:16 |
JayF | You all will do the driver-requirements.txt upgrades in-cycle too? | 14:16 |
TheJulia | we accept updates to packages, we functionally ignore driver-reqs and track branches for the most part | 14:17 |
JayF | It feels weird, but I almost wish we had an official upstream place we documented people who consume and package openstack downstream, with details about versions/branches/etc | 14:18 |
JayF | there's probably no way to do that which wouldn't instantly bit-rot, but I have no problem with upstream priorities being aligned with folks who are getting software in front of people | 14:18 |
JayF | I just like being explicit about why we're doing things :D | 14:18 |
TheJulia | JayF: that would be nice, but politics :( | 14:19 |
TheJulia | packaging politics are saddening | 14:19 |
JayF | I've started to get a glimpse into some of that in my on-my-own-time effort to become a Gentoo developer. And frankly, that involves a lot less money lol | 14:19 |
iurygregory | TheJulia, I was looking at the prelude "to support to enable greater separation " of duties, since I'm not a native speaker the "to support to enable" sounds a bit strange to me .-. | 14:20 |
TheJulia | oh, just s/to support// | 14:21 |
iurygregory | ok o/ | 14:21 |
TheJulia | sorry, it is a bit strange, I must have been interrupted while writing | 14:21 |
iurygregory | no worries | 14:22 |
iurygregory | in 38min PTG topics meeting | 14:22 |
* TheJulia looks at coffee and hopes it completes its task | 14:24 | |
JayF | TheJulia: re: ussuri CI patch; did we recently land those partition image tests in tempest? | 14:24 |
TheJulia | iurygregory: when did the combined tests land in tempest? | 14:24 |
TheJulia | I don't remember | 14:24 |
JayF | I was pretty sure I had something merged to ussuri fairly recently | 14:24 |
dtantsur | I think we need to add the bit about config options in backports to some docs | 14:24 |
* JayF asks git | 14:24 | |
dtantsur | somebody asks every time | 14:25 |
TheJulia | dtantsur: ++ | 14:25 |
dtantsur | driver-requirements is very hairy | 14:25 |
dtantsur | like VERY | 14:25 |
JayF | last commit in ussuri is 8/9 | 14:25 |
dtantsur | we've done that on a few occasions, but every time it's a chance of issues downstream | 14:25 |
JayF | dtantsur: TheJulia: and never take me asking a question as like "I think X", I ask because I wanna know and usually it also means I have no strong opinion. Just trying to avoid being a human rubber stamp :D | 14:25 |
TheJulia | JayF: sometimes some stuff worked, it has become a pile of failures due to the queue tag removal, so now everything together | 14:25 |
JayF | TheJulia: yeah, I think I was remembering my patch to *nova* for the ironic driver which landed in ussuri more recently | 14:26 |
JayF | TheJulia: this timeline makes more sense and I shoulda checked before typing in IRC :P | 14:26 |
TheJulia | heh | 14:26 |
TheJulia | yeah | 14:26 |
TheJulia | next ussuri patch is likely going to be to turn off a bunch of jobs that are really no longer needed or just won't be fixed that are non-voting | 14:27 |
opendevreview | Riccardo Pittau proposed openstack/ironic bugfix/20.2: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858895 | 14:27 |
TheJulia | low risk ultimately because things around the jobs have broken/changed as time has moved on | 14:27 |
JayF | good stuff | 14:27 |
JayF | I mean, if we're sending something back to ussuri there's a good chance it's: 1) minor, 2) security or 3) driver | 14:28 |
TheJulia | And, backports only... so we *really* only need base sanity checking stuffs working on the branch at this point | 14:28 |
JayF | in which case coverage also matters less | 14:28 |
TheJulia | JayF: bingo | 14:28 |
JayF | The biggest CI thing weighing on me right now is that we have 3rd party CI systems that -- overall are good -- but still have broken jobs running and voting | 14:29 |
JayF | and it makes it super easy to ignore results if it's constantly failing | 14:29 |
JayF | I should put that on my list, to follow up on that | 14:29 |
TheJulia | kubajj: so you're looking into merging inspector into ironic right? | 14:29 |
opendevreview | Riccardo Pittau proposed openstack/ironic bugfix/19.0: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858896 | 14:30 |
kubajj | TheJulia: yes, correct | 14:30 |
TheJulia | so I took a look at the db interface code in inspector yesterday | 14:31 |
TheJulia | I would highly advise you don't copy/paste db related code and you re-implement in the sqlalchemy2.0 style we've already started to work on in ironic | 14:31 |
TheJulia | tl;dr, inspector is very not sqlalchemy 2.0 compatible | 14:31 |
iurygregory | TheJulia, I don't remember from top of my head .-. I can check later today | 14:32 |
TheJulia | iurygregory: doesn't really matter | 14:32 |
TheJulia | I'm thinking, overall, that for inspector, we can fix it, but it is going to take a lot of rewriting of the db layer which will take some time to just fix inspector | 14:33 |
TheJulia | that may end up helping, since it will be in a very similar style to ironic, but it is much more something to be mindful of | 14:35 |
opendevreview | Riccardo Pittau proposed openstack/ironic bugfix/19.0: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858896 | 14:35 |
opendevreview | Riccardo Pittau proposed openstack/ironic bugfix/19.0: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858896 | 14:36 |
kubajj | TheJulia: should I do the rewriting? | 14:36 |
opendevreview | Riccardo Pittau proposed openstack/ironic bugfix/19.0: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858896 | 14:38 |
iurygregory | JayF, TheJulia thoughts on the name of the step in https://review.opendev.org/c/openstack/ironic-python-agent/+/566544 ? based on NobodyCam comment the step makes sense so I'm ok with it or maybe we should change | 14:39 |
JayF | bluntly, I think that whole mellanox->nvidia rename is just going to confuse the hell out of everyone | 14:39 |
JayF | but it's also unreasonable of us to ask them to not rebrand | 14:40 |
* JayF just tosses his hat in with `update_nvidia_nic_firmware` as the best of not-awesome options | 14:41 | |
TheJulia | I think that is actually a better name, but yeah :\ | 14:42 |
TheJulia | still needs a reno/docs and the actual code change | 14:43 |
TheJulia | kubajj: if you focus on api/high level db object aspects, you should be able to avoid the pain points, but I think we should discuss further once we each have more clarity | 14:44 |
TheJulia | I guess the question is, what will the migration look like. Or at least, that might be something to ponder | 14:44 |
* TheJulia makes more coffee | 14:45 | |
kubajj | TheJulia: should I focus now on what I would implement on the Ironic side and then discuss my plan with you to figure out what needs to change on the inspector side? | 14:48 |
TheJulia | kubajj: I think that is perfect | 14:48 |
TheJulia | since I expect I'll be working on sqlalchemy 2.0 for inspector | 14:49 |
iurygregory | If any core have some time https://review.opendev.org/c/openstack/ironic/+/858841 we need this to cut the Zed release o/ | 14:53 |
iurygregory | I'm pushing the changes for releasenotes in Julia's patch to add the prelude after my lunch | 14:53 |
TheJulia | +2'ed | 14:54 |
TheJulia | iurygregory: ack | 14:54 |
TheJulia | Well, so far so good with the ussuri patch | 14:57 |
TheJulia | about 70% of the way there | 14:57 |
JayF | looking | 14:57 |
TheJulia | at least on check | 14:57 |
iurygregory | PTG call in 2min | 14:57 |
iurygregory | Link https://meet.google.com/ivs-qwyc-kpo | 14:59 |
TheJulia | janders: What time would work for you and Moshe for Active Steps ? | 15:33 |
TheJulia | janders: we're thinking splitting it so there is a 7am utc session to do requirements/initial thought gathering | 15:36 |
iurygregory | JayF, operator-hour-placeholder on Wed 13 UTC essex room | 15:40 |
opendevreview | Verification of a change to openstack/ironic master failed: Set stage for Zed Release with 21.1 https://review.opendev.org/c/openstack/ironic/+/858841 | 16:34 |
rpittau | bye everyone o/ | 16:37 |
* iurygregory goes for lunch | 16:49 | |
opendevreview | Verification of a change to openstack/ironic master failed: Set stage for Zed Release with 21.1 https://review.opendev.org/c/openstack/ironic/+/858841 | 16:58 |
opendevreview | Merged openstack/ironic stable/ussuri: CI: fix ussuri branch https://review.opendev.org/c/openstack/ironic/+/843515 | 17:03 |
JayF | It's time for my semi-daily stable review request funtime: https://review.opendev.org/c/openstack/ironic/+/857771 https://review.opendev.org/c/openstack/ironic/+/858468 (wow, I'm down to only two) | 17:29 |
opendevreview | Julia Kreger proposed openstack/ironic stable/ussuri: CI: Fix/Update a few more jobs https://review.opendev.org/c/openstack/ironic/+/858962 | 17:43 |
TheJulia | okay, that should clean it up the rest of the way | 17:43 |
TheJulia | ussuri that is | 17:44 |
TheJulia | boom | 17:45 |
JayF | I'll wait for zuul to respond on it then go vote on the change | 17:45 |
JayF | would prefer 2x+2 on that since it's changing test coverage | 17:46 |
JayF | meaning like, I won't +2A it like I did the direct fix :D | 17:46 |
opendevreview | Jay Faulkner proposed openstack/ironic stable/yoga: Redfish: Consider password part of the session cache https://review.opendev.org/c/openstack/ironic/+/858903 | 17:50 |
TheJulia | https://review.opendev.org/q/If69ce1cf2789d9d60fb8e544596cf7d29eab514d <-- could also use some stable reviews | 17:52 |
TheJulia | yeah, all of that is non-voting that I changed for ussuri, so better to stop/see/then approve | 17:53 |
JayF | TheJulia: ack, it's on my list | 17:53 |
TheJulia | I did recheck the ussuri patch in that series | 17:53 |
TheJulia | since its CI is now happier | 17:54 |
JayF | Yeah; I'm slightly disappointed that we landed the stuff in yoga before it went into bugfix/ | 17:54 |
JayF | I know policy doesn't require us to put every patch everywhere, but it's nice if we do | 17:54 |
* JayF is super guilty of approving patches w/o checking for this | 17:54 | |
TheJulia | rpittau: https://1db75cf0b12d832dc11e-0da77774ba1e870a646f19d85e727a87.ssl.cf5.rackcdn.com/858896/4/check/ironic-tox-unit-with-driver-libs/7523b5b/testr_results.html 8\ | 17:55 |
opendevreview | Merged openstack/ironic bugfix/20.2: Redfish: Consider password part of the session cache https://review.opendev.org/c/openstack/ironic/+/857771 | 19:08 |
opendevreview | Verification of a change to openstack/ironic bugfix/18.1 failed: Do not reboot into nowhere after BIOS settings with fast-track https://review.opendev.org/c/openstack/ironic/+/858468 | 19:08 |
TheJulia | so now the standalone job fails on ussuri :\ | 20:21 |
opendevreview | Merged openstack/ironic bugfix/20.2: Fix iRMC driver to use certification file in HTTPS https://review.opendev.org/c/openstack/ironic/+/858895 | 20:24 |
opendevreview | Merged openstack/ironic master: Set stage for Zed Release with 21.1 https://review.opendev.org/c/openstack/ironic/+/858841 | 20:29 |
JayF | I see all the reviews up for releases -- I'm going to assume we don't need more time, and just let those go in on 9/23 as scheduled (tomorrow). If anyone needs me to put a -1 on releasing an artifact, please let me know (today if possible) | 20:43 |
* JayF wonders if they honor anyone's -1, or just the PTL ... I hope it's everyone core on Ironic? | 20:44 | |
JayF | NobodyCam: You or Waleed likely going to get around to this? It's only missing prose (release note) and a name change to be mergeable, but you've got less than a day :| https://review.opendev.org/c/openstack/ironic-python-agent/+/566544 | 20:47 |
erbarr | what's using dbcounter? I got a notification from security that a 3rd-party group compromised it as a proof of concept and I got 90 days to fix it... | 20:51 |
JayF | I did the math for a daily internal update I curate for GR-OSS team --> Zed will be the 18th release of OpenStack that contains Ironic (if you count incubation time) | 20:51 |
JayF | erbarr: if there's a concern that one of our dependencies, or dependency-of-dependency is compromised in a way that could impact OpenStack, please open a private bug at storyboard.openstack.org about it | 20:52 |
JayF | although consider me effectively nerd-sniped | 20:52 |
JayF | TheJulia: are you working on a revision of https://review.opendev.org/c/openstack/ironic/+/858582/1/releasenotes/notes/zed-prelude-09fe95b11ad2459d.yaml ? | 21:16 |
JayF | we have to get this merged, and I know there was talk around it but I'm not certain what status it's in, and don't want to dupe work | 21:17 |
* JayF works on a revision just in case | 21:17 | |
TheJulia | JayF: I believe iurygregory was going to | 21:19 |
JayF | ack; it says "please edit", and I think he's (hopefully?) asleep | 21:20 |
JayF | so I'm going to put in a revision and let him edit further if he wants | 21:20 |
JayF | and trust him to get it over the finish line tomorrow | 21:20 |
TheJulia | Eh, late afternoon in brazil | 21:20 |
JayF | oh, I forget he's in brazil | 21:20 |
TheJulia | iurygregory: o/ | 21:20 |
TheJulia | erbarr: Oslo.db I believe…. I think it gets pulled in as a dependency of a dependency, so storyboard as a security story would be most appropriate against the particular component and then likely ping fungi | 21:22 |
JayF | TheJulia: erbarr: FWIW; master branch of ironic with all deps installed (for unit tests), that package is not installed. | 21:23 |
JayF | TheJulia: erbarr: So we may want/need to isolate which branches it's happening on as well, if Ironic is impacted. | 21:23 |
erbarr | yea, I'm seeing the plugin on pretty much every service from the devstack log, I tracked it down to this I believe: https://opendev.org/openstack/devstack/src/branch/master/tools/dbcounter | 21:23 |
erbarr | security saw it on pip3_freeze.txt and saw it wasn't a public pip package and made a malicious one to proof of concept it seems, I think I gotta yell at them or something | 21:24 |
JayF | I mean, it's a reasonable concern if that's meant to be pip-installed that we should reserve the name even if we don't release it. | 21:25 |
ashinclouds[m] | Ahhhhh name conflict too wheeeee | 21:25 |
JayF | erbarr: I'd call that a very, very, very low impact security bug against devstack | 21:25 |
JayF | erbarr: but they would likely be able to tell you for sure (and I wouldn't be surprised if someone argues it's not a bug) | 21:25 |
erbarr | yea, agree JayF | 21:25 |
JayF | erbarr: I do feel for you, I know when the eye of security-sauron looks your way, it can be hard to get them to look away without a patch or something to point at :| | 21:26 |
erbarr | *shrug* lol | 21:26 |
opendevreview | Jay Faulkner proposed openstack/ironic master: Zed: Add a prelude for the release notes https://review.opendev.org/c/openstack/ironic/+/858582 | 21:27 |
JayF | iurygregory: ^ I kept edits to a minimum, if you already have changes locally and need to dunk mine, it's not a problem | 21:27 |
fungi | erbarr: JayF: TheJulia: if it's a dependency of oslo.db that's the problem, then launchpad bug reported against that (i and the rest of the vmt will be automatically notified, but feel free to give me the bug number via privmsg if in doubt) | 21:55 |
TheJulia | So, sounds like something devstack does with a same name as something else that caused a security team to freak | 21:56 |
TheJulia | At least, that is my take | 21:56 |
* TheJulia will actually be able to look for realz in a little bit | 21:58 | |
JayF | TheJulia: I' | 21:58 |
JayF | TheJulia: I'm looking at it for reals, and I sent fungi a concise (as concise as I get) summary in DM | 21:59 |
JayF | TheJulia: going to try and keep it outta the main channels now until fungi says otherwise; even though I think it's probably OK it's not the project I work directly on so going to be extra careful :D | 21:59 |
TheJulia | K | 22:03 |
fungi | yeah, https://review.opendev.org/839820 seems to be the origin of the code in question, so probably would be good to loop dansmith in as the author | 22:03 |
JayF | fungi: is this public bug / ML safe? Or should I keep communications about this direct | 22:04 |
JayF | fungi: I kinda feel like if we're going to make noise about this, someone should park that name first before someone gets any ideas :) | 22:04 |
dansmith | so.. what? | 22:04 |
dansmith | is there a real concern or is this a naming clash? | 22:04 |
fungi | seems like it's low-risk and already public | 22:05 |
JayF | dansmith: https://review.opendev.org/839820 added a python package, dbcounter. We had a report from an Ironic operator that their security team flagged it as a pip installed package that did not have a reserved name in pypi, and theorized that could be used as an attack vector. | 22:05 |
dansmith | against devstack? :) | 22:05 |
fungi | dansmith: erbarr was notified by someone that the dbcounter package devstack embeds doesn't exist on pypi, so has been cautioned that it could become a problem if someone registered it and then uploaded malware | 22:05 |
dansmith | either way, I don't think there's any assertion anywhere that every python package has to be registered in pip | 22:06 |
dansmith | er, pypy | 22:06 |
fungi | pypi, but i concur | 22:06 |
JayF | I agree in broad strokes; but I've worked at large companies that had similar policies (you cannot install python packages that do not have pypi names reserved, or you had to block that name from being synced at the proxy) | 22:06 |
dansmith | okay, I strongly disagree that we should need to register it on pypi because we use it internally to hook into sqlalchemy | 22:06 |
fungi | with my vmt hat squarely affixed, i'm inclined to not care about this | 22:06 |
dansmith | fungi: same, although mine is a paper vmt hat I just made myself | 22:07 |
JayF | fungi: dansmith: we might make erbarr's life a little easier if we documented this in a bug? My main concern in light of the facts is that I don't want erbarr's security team leaving with the impression we didn't take their report at all. | 22:07 |
JayF | I'm happy to write the bug so one of you can WONTFIX it :D | 22:07 |
fungi | companies with that sort of policy shouldn't be installing devstack. it's a much bigger security risk on its own than a non-registered pypi package | 22:07 |
dansmith | fungi: agree | 22:08 |
dansmith | JayF: sure if you want to file a bug I'll be glad to "I understand but disagree" it | 22:08 |
JayF | I don't disagree with any of this, I just like writing it down in a more permanent place. | 22:08 |
fungi | yep, happy to add a vmt stamp on some bug if you file it, for posterity | 22:09 |
* TheJulia reads, and feels like there is a positive outcome | 22:10 | |
JayF | dansmith: fungi: https://bugs.launchpad.net/devstack/+bug/1990589 | 22:12 |
fungi | thanks! | 22:12 |
JayF | I put most of what we need in the desc, but it's probably better just for posterity if someone else agrees and mashes the close buttons | 22:12 |
JayF | IDK if I even have power to do that in devstack anyway | 22:12 |
JayF | erbarr: To summarize for you; we've filed https://bugs.launchpad.net/devstack/+bug/1990589 but it is not expected to receive any real action as OpenStack (and generally, python) does not guarantee that every python package we ship in git (especially for dev purposes) will exist in pypi, or should be installed/upgraded from pypi. | 22:13 |
JayF | erbarr: you can feel free to share that bug link with your security team if they'd like to make a different case there | 22:14 |
fungi | that is an excellent and accurate summary | 22:16 |
JayF | I wrote it like I was writing it to the Paranoids back when I worked at Yahoo! :) They taught me how to speak security-team a bit better | 22:17 |
fungi | space paranoids? | 22:18 |
* fungi loves tron | 22:18 | |
JayF | I'm not familiar with that term; I only saw tron once and I was drunk and it was over a decade ago lol | 22:19 |
JayF | from yahooinc.com > We're the information security team — widely known as The Paranoids — that defends the things you love the most about Yahoo from cybersecurity threats. | 22:19 |
JayF | basically just a really good marketing name for an internal security team | 22:19 |
fungi | in like (kevin) flynn | 22:19 |
* fungi fights for the users | 22:22 | |
opendevreview | Julia Kreger proposed openstack/ironic stable/ussuri: CI: Fix/Update a few more jobs https://review.opendev.org/c/openstack/ironic/+/858994 | 22:45 |
TheJulia | so looks like there is an old inspector patch I can resurrect from the depths of abandoned state as a first pass to clean up db access | 23:14 |
TheJulia | rebase is not... too gnarly so hopefully forward progress in the next few days | 23:14 |
opendevreview | Iury Gregory Melo Ferreira proposed openstack/ironic master: Zed: Add a prelude for the release notes https://review.opendev.org/c/openstack/ironic/+/858582 | 23:26 |
iurygregory | TheJulia, if you are still around ^ | 23:27 |
iurygregory | nothing to change in releasenotes, so I just fixed a few things in the prelude | 23:27 |
TheJulia | Ack | 23:27 |
* TheJulia +2's and takes her migraine back to the bedroom where blahaj is waiting | 23:30 | |
iurygregory | tks! | 23:30 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!