JayF | I just landed that. See you all Monday! Happy Zed! | 00:21 |
---|---|---|
opendevreview | Merged openstack/ironic master: Zed: Add a prelude for the release notes https://review.opendev.org/c/openstack/ironic/+/858582 | 00:31 |
*** akahat|ruck is now known as akahat | 03:46 | |
adam-rozman | Good morning Ironic! | 05:39 |
adam-rozman | I am probably just missing it the docs but I can't find an explanation, could somebody please tell me what the numbers in the name of the release note files are? | 06:24 |
adam-rozman | in the docs* | 06:24 |
adam-rozman | Just to clarify, not just numbers but I mean those hash-looking postfixes. | 06:27 |
TheJulia | adam-rozman: the file name requirement is unique, the Reno tool appends a random id to help enforce it. | 06:38 |
adam-rozman | TheJulia Thanks! | 06:39 |
rpittau | good morning ironic! o/ | 06:49 |
rpittau | happy friday! | 06:58 |
opendevreview | Riccardo Pittau proposed openstack/ironic master: Update release versions for yoga https://review.opendev.org/c/openstack/ironic/+/859015 | 07:02 |
opendevreview | Riccardo Pittau proposed openstack/ironic-inspector master: Update release versions for yoga https://review.opendev.org/c/openstack/ironic-inspector/+/859016 | 07:04 |
vanou | Hello ironic o/ | 07:04 |
opendevreview | Riccardo Pittau proposed openstack/ironic-python-agent master: Update release versions for yoga https://review.opendev.org/c/openstack/ironic-python-agent/+/859017 | 07:06 |
opendevreview | Riccardo Pittau proposed openstack/sushy master: Update release versions for yoga and zed https://review.opendev.org/c/openstack/sushy/+/859018 | 07:08 |
opendevreview | Adam Rozman proposed openstack/ironic-python-agent master: prioritize lsblk as a source of device serials https://review.opendev.org/c/openstack/ironic-python-agent/+/855866 | 07:12 |
*** vanou_ is now known as vanou | 07:54 | |
opendevreview | OpenStack Release Bot proposed openstack/ironic stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/ironic/+/859037 | 08:39 |
opendevreview | OpenStack Release Bot proposed openstack/ironic stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/ironic/+/859038 | 08:39 |
opendevreview | OpenStack Release Bot proposed openstack/ironic master: Update master for stable/zed https://review.opendev.org/c/openstack/ironic/+/859039 | 08:39 |
opendevreview | OpenStack Release Bot proposed openstack/ironic master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/ironic/+/859040 | 08:39 |
opendevreview | OpenStack Release Bot proposed openstack/bifrost stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/bifrost/+/859041 | 08:41 |
opendevreview | OpenStack Release Bot proposed openstack/bifrost stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/bifrost/+/859042 | 08:41 |
opendevreview | OpenStack Release Bot proposed openstack/bifrost master: Update master for stable/zed https://review.opendev.org/c/openstack/bifrost/+/859043 | 08:41 |
opendevreview | OpenStack Release Bot proposed openstack/bifrost master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/bifrost/+/859044 | 08:41 |
opendevreview | OpenStack Release Bot proposed openstack/ironic-python-agent stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/ironic-python-agent/+/859045 | 08:41 |
opendevreview | OpenStack Release Bot proposed openstack/ironic-python-agent stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/ironic-python-agent/+/859046 | 08:41 |
opendevreview | OpenStack Release Bot proposed openstack/ironic-python-agent master: Update master for stable/zed https://review.opendev.org/c/openstack/ironic-python-agent/+/859047 | 08:41 |
opendevreview | OpenStack Release Bot proposed openstack/ironic-python-agent master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/ironic-python-agent/+/859048 | 08:41 |
opendevreview | Merged openstack/bifrost master: Update master for stable/zed https://review.opendev.org/c/openstack/bifrost/+/859043 | 09:04 |
opendevreview | Merged openstack/ironic-python-agent master: Update master for stable/zed https://review.opendev.org/c/openstack/ironic-python-agent/+/859047 | 09:06 |
opendevreview | Merged openstack/ironic master: Update master for stable/zed https://review.opendev.org/c/openstack/ironic/+/859039 | 09:11 |
opendevreview | Merged openstack/ironic stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/ironic/+/859037 | 09:11 |
opendevreview | Merged openstack/ironic-python-agent stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/ironic-python-agent/+/859045 | 09:12 |
opendevreview | Merged openstack/ironic-python-agent stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/ironic-python-agent/+/859046 | 09:12 |
opendevreview | Riccardo Pittau proposed openstack/bifrost master: Move vmedia job to jammy https://review.opendev.org/c/openstack/bifrost/+/859073 | 10:41 |
opendevreview | Riccardo Pittau proposed openstack/bifrost master: Upgrade from zed https://review.opendev.org/c/openstack/bifrost/+/859075 | 11:00 |
opendevreview | Merged openstack/bifrost master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/bifrost/+/859044 | 11:25 |
opendevreview | Merged openstack/bifrost stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/bifrost/+/859041 | 11:25 |
opendevreview | Merged openstack/bifrost stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/bifrost/+/859042 | 11:25 |
iurygregory | Habemus Zed \o/ | 12:15 |
iurygregory | Congratulations everyone! | 12:15 |
opendevreview | Merged openstack/ironic-python-agent master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/ironic-python-agent/+/859048 | 12:35 |
TheJulia | Good morning | 13:10 |
rpittau | good morning TheJulia :) | 13:11 |
opendevreview | Julia Kreger proposed openstack/ironic stable/ussuri: CI: Fix/Update a few more jobs https://review.opendev.org/c/openstack/ironic/+/858994 | 13:25 |
TheJulia | ^^^ passed, fixed commit message | 13:26 |
iurygregory | good morning TheJulia | 13:54 |
* iurygregory thought TheJulia would be out today... | 13:54 | |
TheJulia | wife has an interview that prevents us from getting going early today | 13:55 |
TheJulia | so... | 13:55 |
TheJulia | might as well work in the meantime | 13:55 |
JayF | We're just here today for a little bit to put on an episode of Sesame Street honoring the letter Zed | 13:57 |
iurygregory | gotcha =) | 14:00 |
iurygregory | happy birthday JayF o/ | 14:00 |
TheJulia | "Z is for Zed" | 14:00 |
* TheJulia wonders how to turn this into a zombies reference | 14:01 | |
rpittau | traditional zombies or any zombie? | 14:02 |
JayF | TheJulia: I've been pondering t-shirt or sticker designs that would say from I to Zed | 14:02 |
rpittau | bye everyone, have a great weekend! o/ | 14:11 |
TheJulia | rpittau: dunno | 14:11 |
TheJulia | JayF: cool | 14:11 |
opendevreview | Merged openstack/ironic-inspector master: Update release versions for yoga https://review.opendev.org/c/openstack/ironic-inspector/+/859016 | 15:07 |
opendevreview | Merged openstack/ironic master: Update release versions for yoga https://review.opendev.org/c/openstack/ironic/+/859015 | 15:15 |
erbarr | JayF, fungi, TheJulia, dansmith: thanks! I've forwarded the filed bug to security. | 15:22 |
dansmith | fungi: were you going to comment on that with your official VMTness? I was waiting for that before I close with explanation | 15:23 |
erbarr | question though, so third-party CI should not run devstack then? | 15:28 |
dansmith | erbarr: if third party ci wants to not install the dbcounter it's disable-able | 15:30 |
dansmith | erbarr: https://review.opendev.org/c/openstack/devstack/+/839820/11/lib/databases/mysql#153 | 15:30 |
dansmith | just set that to False and it won't install and won't configure sqla to load it | 15:30 |
fungi | dansmith: yes, got sidetracked last night but am pulling it up now that i'm at a computer logged into lp | 15:30 |
erbarr | i can't know ahead of time what could pop up that i would need to disable though | 15:31 |
fungi | thanks for the reminder | 15:31 |
dansmith | fungi: cool | 15:31 |
erbarr | thanks for that flag, I'll set to false | 15:32 |
fungi | dansmith: JayF: so just to be clear, before i post my comment, the concern raised is that someone might run devstack, end up with its "dbcounter" plugin package installed (system-wide? i can't immediately confirm whether the pip_install function there is using a venv or not), then later do something like `pip install --upgrade` and wind up with pip incorrectly picking a malicious | 15:58 |
fungi | dbcounter package from pypi and installing that automatically. is it unusual/counterindicated to run `pip install --upgrade` with devstack, or simply that systems you've installed devstack onto shouldn't be trusted and you have to assume they might contain malware? | 15:58 |
erbarr | could things like these be set by default to False in devstack? From your CI perspective you can add the flag in the job definition and third party can not even be aware of it | 16:08 |
fungi | well, looking at the implementation in devstack it explicitly installs the package by local file path. ci jobs wouldn't/shouldn't "upgrade" that package later. i think the only concern is that a human with a persistent devstack environment might manually do a pip upgrade on it? | 16:10 |
fungi | which then leaves the question of whether a persistent devstack install can really be considered trusted anyway | 16:11 |
TheJulia | even then, there is the insider human aspect to consider | 16:14 |
TheJulia | if developer accidentally does x, does that open the risk to an entire infrastructure? | 16:14 |
erbarr | I'm thinking you can add it to devstack-base job, your CI infra inherits from it, https://opendev.org/openstack/devstack/src/branch/master/.zuul.yaml#L322 | 16:15 |
fungi | well, we don't want (and can't support) devstack installs in sensitive environments anyway | 16:15 |
TheJulia | I'm not even thinking a sensitive environment | 16:15 |
TheJulia | look at uber | 16:15 |
fungi | er, what about uber? | 16:16 |
TheJulia | vpn + dev + social engineering + vpn with unknown access controls | 16:16 |
erbarr | ohh, uber... yea I'm glad for that keffals win | 16:16 |
fungi | pretty sure someone can pull that off without needing to leverage a python package name collision | 16:17 |
TheJulia | well, the overall event is going to drive posture reevaluation across the industry as more details come to light. Just something to think of | 16:18 |
fungi | the report boils down to "should we forbid embedded python packages even in our test tools, and instead require every python package to be published to pypi?" | 16:18 |
TheJulia | it is a valid question to ask | 16:19 |
fungi | which isn't really a decision for the vmt (we can at most provide insights), it's up to the tc to decide if that's a requirement for being an openstack project | 16:19 |
TheJulia | Agreed | 16:19 |
fungi | and it's a convenient enough design pattern that there would probably need to be a common linter rule to catch it | 16:20 |
fungi | the alternative, i suppose, would be to have devstack install the dbcounter files into the library path without relying on pip | 16:21 |
fungi | if pip is oblivious to its existence, then it can't accidentally be "upgraded" by pip | 16:23 |
opendevreview | OpenStack Release Bot proposed openstack/networking-generic-switch stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/networking-generic-switch/+/859138 | 16:37 |
opendevreview | OpenStack Release Bot proposed openstack/networking-generic-switch stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/networking-generic-switch/+/859139 | 16:37 |
opendevreview | OpenStack Release Bot proposed openstack/networking-generic-switch master: Update master for stable/zed https://review.opendev.org/c/openstack/networking-generic-switch/+/859140 | 16:37 |
opendevreview | OpenStack Release Bot proposed openstack/networking-generic-switch master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/networking-generic-switch/+/859141 | 16:37 |
fungi | anyway, i commented on the bug and recommended escalating to the tc if there are widespread concerns about this particular design pattern | 16:37 |
Nisha_Agarwal | TheJulia, ping | 16:39 |
TheJulia | Hi Nisha_Agarwal, what's up? | 16:39 |
opendevreview | Merged openstack/ironic stable/ussuri: CI: Fix/Update a few more jobs https://review.opendev.org/c/openstack/ironic/+/858994 | 16:39 |
Nisha_Agarwal | TheJulia, Just busy in the inhouse projects...was trying anaconda deploy for redfish drivers and needed some clarity | 16:40 |
TheJulia | oh my | 16:40 |
TheJulia | sure | 16:40 |
Nisha_Agarwal | TheJulia, I have tried two approaches: 1. Downloaded the iso dvd1 2. Mounted it. 3. Now when i am populating the url fields in instance info, i am confused what needs to be given as the deploy doesn't go thru in any case. | 16:42 |
Nisha_Agarwal | TheJulia, second approach: i gave the url inputs as given in documentation for centos9 stream but with that i get "scheme less href error" during href validation itself | 16:43 |
TheJulia | oh, you need full urls, you can't just do a path to a file | 16:44 |
TheJulia | the first approach you're taking I'm not sure I understand | 16:44 |
Nisha_Agarwal | TheJulia, openstack baremetal node set --instance-info image_source=http://172.17.1.37:8010/RHEL85mnt/images/install.img $NODE | 16:45 |
Nisha_Agarwal | is this correct | 16:45 |
Nisha_Agarwal | openstack baremetal node set --instance-info kernel=http://172.17.1.37:8010/RHEL85mnt/images/pxeboot/vmlinuz --instance-info ramdisk=http://172.17.1.37:8010/RHEL85mnt/images/pxeboot/initrd.img --instance-info stage2=http://172.17.1.37:8010/RHEL85mnt/images/install.img $NODE | 16:45 |
Nisha_Agarwal | This is what i have done for first approach | 16:45 |
Nisha_Agarwal | TheJulia, ^^^ | 16:46 |
Nisha_Agarwal | TheJulia, is this correct? | 16:46 |
Nisha_Agarwal | TheJulia, RHEL85mnt is the mount point for RHEL 8.5 image | 16:47 |
TheJulia | I believe it is correct | 16:50 |
Nisha_Agarwal | TheJulia, This doesn't work :( | 16:53 |
Nisha_Agarwal | The documented centos urls don't work as it gives scheme-less href error | 16:54 |
TheJulia | :\ | 16:54 |
TheJulia | what version are you using? | 16:54 |
Nisha_Agarwal | ironic version? | 16:55 |
TheJulia | yeah, because the tempest test I wrote passes | 16:55 |
TheJulia | and it uses the same urls in the docs | 16:55 |
Nisha_Agarwal | It's latest ....i pulled up the ironic yest again and brought up ironic conductor | 16:55 |
TheJulia | *sigh* | 16:56 |
TheJulia | okay | 16:56 |
TheJulia | well, first step, rebase the tempest patch | 16:56 |
Nisha_Agarwal | it gives scheme-less error during cache cleanup | 16:56 |
Nisha_Agarwal | I do not have the tempest in my setup | 16:56 |
dansmith | fungi: sorry, I'm back. I totally do not get any of the parallels being drawn here, but perhaps we need more specific language around what devstack is and is not suitable for, if those don't exist | 16:56 |
dansmith | fungi: nobody should be running devstack for any reason on any system other than a completely trusted development machine. I think we make plenty of other security concessions that are more severe and less discoverable | 16:57 |
Nisha_Agarwal | only ironic , glance, swift, keystone and neutron are there | 16:57 |
TheJulia | Nisha_Agarwal: it hasn't merged yet, it is in merge conflict as of a few days ago | 16:57 |
dansmith | fungi: like, IIRC, all the services run as the stack user which has unrestricted sudoers permission.. game over. | 16:58 |
fungi | dansmith: not sure what parallels there were. the main question is whether it's likely for someone to `pip install --upgrade` in the environment where devstack has installed that dbcounter package, but also whether anyone should trust the security of a devstack system any farther than they can kick it | 16:58 |
Nisha_Agarwal | TheJulia, ohk | 16:58 |
opendevreview | Julia Kreger proposed openstack/ironic-inspector master: WIP: Use declarative reader/writer separation https://review.opendev.org/c/openstack/ironic-inspector/+/463768 | 16:58 |
dansmith | fungi: the uber parallel is what I meant | 16:58 |
fungi | yeah, i didn't get that either, it was probably mentioned in a news article i haven't seen | 16:58 |
fungi | it sounded like someone compromised uber through social engineering, or something | 16:59 |
TheJulia | someone owned all of uber | 16:59 |
TheJulia | like.. scraped the dbs, their slack, the entire thing | 17:00 |
fungi | fun times | 17:00 |
TheJulia | it was huge in the news last week | 17:00 |
dansmith | right, I see zero parallels to this | 17:00 |
TheJulia | developer triggers an upgrade to a malicious package which then deploys an entrypoint or even a bot to scan/attack/extract | 17:02 |
fungi | dansmith: my most specific question, because i don't do a lot with devstack, was whether that dbcounter package is being installed system-wide or in a venv (it was hard for me to tell tracing through the function calls), but for the most part it's immaterial since someone could theoretically tell pip to upgrade packages whether it's system-wide or in a venv... i just also don't know | 17:02 |
fungi | how likely that is (and whether we tell users not to in-place upgrade python packages in a devstack install) | 17:02 |
dansmith | fungi: it needs to be installed in the same place that all the services are, so if they're not in a venv, it can't be either | 17:02 |
opendevreview | Julia Kreger proposed openstack/ironic-tempest-plugin master: Tempest test for anaconda deploy https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/854031 | 17:03 |
fungi | the concern there could be more of a stability-related one. pip install --upgrade could replace devstack's dbcounter with something completely different from pypi since it doesn't know any better | 17:03 |
dansmith | the package is just a package so we can hook an entrypoint which is how sqla works | 17:04 |
dansmith | registering that on pypi purely for that scenario seems almost unfair to pypi | 17:04 |
dansmith | we could name the package a UUID | 17:04 |
dansmith | we could generate that UUID on every devstack run | 17:05 |
fungi | pip sees "there's a package installed called dbcounter, i should check pypi to see if there's a newer version of it" | 17:05 |
dansmith | it would be massively inconvenient, but.. | 17:05 |
dansmith | yeah I know | 17:05 |
dansmith | maybe this should be a security concern against pip, a production-ready tool, which should have a way to not upgrade locally installed packages that have flagged themselves as such? :) | 17:05 |
fungi | yes, that's also a valid position | 17:06 |
TheJulia | Nisha_Agarwal: so you're missing 'stage2', fwiw | 17:06 |
fungi | dansmith: it implies that pip, in its current state, is not a good choice for this purpose anyway | 17:06 |
dansmith | yeah | 17:07 |
TheJulia | Nisha_Agarwal: if adding it clears that up, then we've got an easy bug to fix in validation, except stage2 is also optional if you hand it a URL since anaconda itself can take a mirror URL and extract the mirror information from it | 17:07 |
fungi | and the reliance on dist package entrypoints rather than something specific to import packages basically means you're stuck with that shortcoming | 17:07 |
TheJulia | Nisha_: ^^^^^^^ | 17:08 |
fungi | dansmith: erbarr: JayF: TheJulia: anyway, this is probably more of a topic for #openstack-qa if further discussion is warranted | 17:10 |
dansmith | yep | 17:10 |
TheJulia | Nisha_: for what it is worth, the anaconda capability is easily one of the more complex interfaces | 17:10 |
TheJulia | fungi: ++ | 17:10 |
dansmith | heh, TheJulia is like GTFO | 17:10 |
TheJulia | heh | 17:12 |
TheJulia | nah | 17:12 |
Nisha_ | TheJulia, ok let me try | 17:13 |
Nisha_ | TheJulia, it doesn't work ... Will see it on Monday | 17:56 |
opendevreview | Julia Kreger proposed openstack/ironic master: Phase 1 - SQLAlchemy 2.0 Compatability https://review.opendev.org/c/openstack/ironic/+/856336 | 19:33 |
opendevreview | Julia Kreger proposed openstack/ironic master: Phase 2 - SQLAlchemy 2.0 Compatability https://review.opendev.org/c/openstack/ironic/+/857516 | 19:39 |
opendevreview | Julia Kreger proposed openstack/ironic master: Phase 3 - SQLAlchemy 2.0 Compatability https://review.opendev.org/c/openstack/ironic/+/857932 | 19:39 |
TheJulia | I'm going to jet for the weekend, I've -1'ed the second patch in that series | 19:56 |
TheJulia | ... hmm maybe not the right thing | 19:57 |
TheJulia | anyway, thing to think of next week | 19:57 |
iurygregory | enjoy the weekend TheJulia =) | 21:21 |
opendevreview | Merged openstack/networking-generic-switch stable/zed: Update .gitreview for stable/zed https://review.opendev.org/c/openstack/networking-generic-switch/+/859138 | 21:31 |
opendevreview | Merged openstack/networking-generic-switch stable/zed: Update TOX_CONSTRAINTS_FILE for stable/zed https://review.opendev.org/c/openstack/networking-generic-switch/+/859139 | 21:32 |
opendevreview | Merged openstack/networking-generic-switch master: Update master for stable/zed https://review.opendev.org/c/openstack/networking-generic-switch/+/859140 | 21:51 |
opendevreview | Merged openstack/networking-generic-switch master: Switch to 2023.1 Python3 unit tests and generic template name https://review.opendev.org/c/openstack/networking-generic-switch/+/859141 | 23:15 |