arne_wiebalck | Good morning, Ironic! | 07:33 |
---|---|---|
rpittau | good morning ironic! o/ | 08:32 |
opendevreview | Riccardo Pittau proposed openstack/ironic bugfix/20.2: Fix selinux context of published image hardlink https://review.opendev.org/c/openstack/ironic/+/871052 | 08:48 |
opendevreview | Riccardo Pittau proposed openstack/ironic bugfix/19.0: Fix selinux context of published image hardlink https://review.opendev.org/c/openstack/ironic/+/871038 | 08:49 |
opendevreview | Riccardo Pittau proposed openstack/bifrost stable/zed: Fix CI https://review.opendev.org/c/openstack/bifrost/+/871041 | 09:01 |
opendevreview | Merged openstack/sushy stable/xena: Fix volume deletion on newer iDRACs https://review.opendev.org/c/openstack/sushy/+/869313 | 10:04 |
opendevreview | Verification of a change to openstack/bifrost stable/yoga failed: Fix CI https://review.opendev.org/c/openstack/bifrost/+/871042 | 10:15 |
kubajj | dtantsur: should I remove the redundant brackets or is it not worth it to re-run zuul? | 11:30 |
iurygregory | good morning Ironic | 11:44 |
kubajj | dtantsur: I also looked into the swift client api and you were right, it raises an exception if it doesn't exist. Should I wrap it in a try? | 11:59 |
adam_ | Hi Ironic, and Happy New Year! I haven't been here since last year :D | 12:08 |
opendevreview | Riccardo Pittau proposed openstack/bifrost stable/yoga: Fix CI https://review.opendev.org/c/openstack/bifrost/+/871042 | 13:11 |
opendevreview | Riccardo Pittau proposed openstack/ironic bugfix/20.2: Use cinder from stable/zed for CI jobs https://review.opendev.org/c/openstack/ironic/+/871604 | 13:15 |
opendevreview | Riccardo Pittau proposed openstack/ironic bugfix/20.2: Fix selinux context of published image hardlink https://review.opendev.org/c/openstack/ironic/+/871052 | 13:15 |
opendevreview | Merged openstack/ironic-prometheus-exporter master: devstack: fix plugin for local usage https://review.opendev.org/c/openstack/ironic-prometheus-exporter/+/869385 | 14:16 |
opendevreview | Verification of a change to openstack/ironic bugfix/19.0 failed: Prevent pxe retry when agent token exists https://review.opendev.org/c/openstack/ironic/+/868027 | 14:57 |
dtantsur | kubajj: nits are usually optional to fix. only if you need to create another revision | 15:10 |
dtantsur | kubajj: if the swiftclient does not have anything like ignore_missing, yes | 15:10 |
opendevreview | Jay Faulkner proposed openstack/ironic master: Clarify release docs: bugfix releases optional https://review.opendev.org/c/openstack/ironic/+/871537 | 16:13 |
kubajj | JayF: or anybody, could I get a second review for https://review.opendev.org/c/openstack/ironic/+/870799 ? It would make it easier to rebase the other change I'm working on | 16:20 |
JayF | lookin | 16:20 |
JayF | if TheJulia is around; it'd be nice to have her look since she's had review comments on that before | 16:21 |
JayF | if she's out today, I can approve it | 16:21 |
TheJulia | Still sick :( | 16:21 |
TheJulia | Although, on the mend…. I think | 16:22 |
JayF | I had to cancel my office hours due to a sore throat | 16:22 |
JayF | hopefully not getting sick | 16:23 |
JayF | you keep mending, I'll land this for kuba | 16:23 |
TheJulia | Ack. My throat wasn’t sore until last night. :( I think I’m going to go back to masking in public. | 16:24 |
JayF | I have chronic stuff that can cause acute sore throat. So I'm hoping it's just that, and not actual-sickness incoming | 16:24 |
TheJulia | I hope so | 16:42 |
rpittau | good night! o/ | 16:45 |
JayF | Is there any way to split quotas for Ironic? | 16:52 |
JayF | e.g. if you have a single nova cluster serving up both VMs and Bare Metal | 16:52 |
JayF | and you don't want, say, someone to take the giant BM quota they have and use it to run your VM cluster into ruin | 16:53 |
TheJulia | So, technically that is resource class based quotas. I don’t know what the state of that is since prior flavor matching scheduling has changed quite a bit. | 16:54 |
TheJulia | arne_wiebalck might be aware of the state of nova quotas. | 16:54 |
arne_wiebalck | JayF: TheJulia: this is indeed an issue and I have raised this many times | 16:56 |
arne_wiebalck | a similar problem is access to different BM flavors in the same project | 16:56 |
arne_wiebalck | or flavors which are shared between projects | 16:56 |
arne_wiebalck | a constant source of issues :) | 16:56 |
arne_wiebalck | unified limits is the official answer | 16:57 |
TheJulia | What if we were to quota check requests ourselves, at least for allowed bare metal nodes? | 16:57 |
arne_wiebalck | (similar issue for nodes with GPUs) | 16:57 |
JayF | TheJulia: that explicitly doesn't help this case of a mixed cluster; right? Ironic can't enforce user-facing quotas when a nova user is doing all the work, right? | 16:58 |
* JayF not sure if he's missing something | 16:58 |
arne_wiebalck | TheJulia: this would only solve the BM case, not the general case with GPU nodes, for instance | 16:58 |
TheJulia | The originating project id still gets sent to us | 16:58 |
TheJulia | It is in the auth token payload | 16:58 |
JayF | ah | 16:58 |
JayF | hard to transmit a reasonable error message back in that case, unless the driver cooperated | 16:59 |
arne_wiebalck | ... and the quota would be on what? | 16:59 |
TheJulia | arne_wiebalck: true, but something is better than nothing | 16:59 |
TheJulia | Oh, super difficult to get a sane error back to the user | 16:59 |
JayF | yahoo ran a quota patch which measured things at the intersection of AZ, flavor, and rack location | 16:59 |
arne_wiebalck | TheJulia: I understand unified limits is close to or arrived at "working" | 16:59 |
JayF | what is unified limits? | 16:59 |
TheJulia | arne_wiebalck: ooooh ahhhh | 17:00 |
arne_wiebalck | our nova just moved to train | 17:00 |
arne_wiebalck | so, we are not in a position to test | 17:00 |
arne_wiebalck | JayF: keystone unified limits is supposed to manage quotas and get rid of all these issues | 17:00 |
arne_wiebalck | (is my understanding) | 17:00 |
TheJulia | And be at the higher level abstracts | 17:01 |
TheJulia | Aiui | 17:01 |
JayF | I don't understand how something at keystone-level could solve this problem | 17:01 |
JayF | given the kind of primitives exposed | 17:01 |
JayF | but I'm also weakest in knowledge of keystone/quota management/ this whole problem cset | 17:01 |
arne_wiebalck | second weakest | 17:02 |
JayF | what am I weaker in my knowledge of? | 17:03 |
JayF | Oh I see, going to judge me for my weak particle physics | 17:03 |
JayF | typical CERN :P | 17:03 |
arne_wiebalck | nah, I am weakest when it comes to knowledge in this area | 17:03 |
TheJulia | Ahh, so the tldr aiui is it stores maximums and utilization of resource counts, so a user creates a VM from flavor bluebaremetal, which maps to resource class say baremetal2, and baremetal2 should be stored as used in keystone and counted | 17:03 |
JayF | this exists in zed? or antelope? | 17:04 |
JayF | or is an *idea* | 17:04 |
TheJulia | When a new user tries to use a baremetal2 resource class again, it *should* be consulted | 17:04 |
TheJulia | That is the general idea when it was proposed back before train, but I don’t know where it is at | 17:04 |
JayF | ack | 17:04 |
TheJulia | I think arne_wiebalck’s last chat with nova early on in the pandemic was 2-3 cycles away or something like that | 17:05 |
arne_wiebalck | yep, that is about right | 17:05 |
arne_wiebalck | but members of my team have checked recently for GPUs in order to decide if we do sth downstream | 17:05 |
arne_wiebalck | and IIRC the understanding was unified limits was the way to go | 17:06 |
arne_wiebalck | but let me check with them ... | 17:06 |
* TheJulia goes back to trying to feel human and failing miserably as cats observe with the “human” why are you laying there look | 17:07 |
arne_wiebalck | heh | 17:08 |
arne_wiebalck | one of our cat is a master in that look as well | 17:09 |
arne_wiebalck | *cats | 17:09 |
arne_wiebalck | I sent a message to my colleagues but since EOB has passed here already, I would not expect a reply before tomorrow | 17:10 |
JayF | when I went into the living room earlier, one of my cats was sitting on the chaise, on top of a pillow, looking extremely regal | 17:10 |
TheJulia | Of course, it is their bed on their chair, in their home. How could the cat not? | 17:12 |
TheJulia | You know, we will need to dedicate a release to the cats of ironic… | 17:12 |
TheJulia | Also puppies that think they are cats… most of the time :) | 17:13 |
JayF | This cat doesn't deserve a dedicated release. He's a bit of a jerk. lol | 17:13 |
dtantsur | :D | 17:19 |
opendevreview | Michal Nasiadka proposed openstack/bifrost master: CI: Rename kolla-ansible-ubuntu-bifrost job https://review.opendev.org/c/openstack/bifrost/+/871647 | 17:34 |
opendevreview | Verification of a change to openstack/ironic bugfix/20.2 failed: Use cinder from stable/zed for CI jobs https://review.opendev.org/c/openstack/ironic/+/871604 | 17:51 |
opendevreview | Merged openstack/ironic master: Reorganise Inventory Storage https://review.opendev.org/c/openstack/ironic/+/870799 | 17:59 |
adam_ | Hi, do I understand correctly that this https://opendev.org/openstack/oslo.service lib implements the SSL/TLS related functionality for Ironic and this supports up to tls1.2? If that is the case, do you know whether there are plans to add tls1.3 support this year? | 18:52 |
opendevreview | Merged openstack/ironic bugfix/19.0: Prevent pxe retry when agent token exists https://review.opendev.org/c/openstack/ironic/+/868027 | 18:59 |
JayF | https://opendev.org/openstack/oslo.service/src/branch/master/oslo_service/sslutils.py AFAICT you are correct | 19:36 |
JayF | and AFAIK there are not any, but that sounds wrong to me | 19:36 |
JayF | I would recommend, and this matches what I've seen/done in most Ironic installs I've done, letting a local proxy handle SSL for Ironic | 19:36 |
JayF | adam_: ^ I'm asking in #openstack-oslo | 19:37 |
adam_ | JayF, Thanks, I'm (metal3 project) also using a local proxy, at least on Ironic, not on IPA. I was just wondering whether something official is brewing related to tls1.3 inside oslo, and thank you for asking it on the openstack-oslo channel :D | 19:45 |
JayF | yeah, IPA is going to use the TLS in there | 19:45 |
JayF | which is why I'm pursuing | 19:45 |
JayF | dtantsur and I didn't do all that work for TLS on IPA to let it languish in squalor :D | 19:46 |
adam_ | nice, is there a story board issue or review branch or blueprint that I can track (related to IPA tls)? | 19:47 |
JayF | The feature I talk about is done | 19:55 |
JayF | as of like X or Y? | 19:55 |
JayF | IPA supports TLS, via the oslo.service sslutils module as you discovered | 19:56 |
JayF | and supports automatic configuration and generation of certs on demand from Ironic IIRC | 19:56 |
JayF | looks like it was in V / W | 19:56 |
JayF | so even earlier than that | 19:56 |
adam_ | yeah I get it, I phrased it incorrectly, I meant I'm looking for a story/blueprint in relation to tls 1.3 support if there is any | 20:49 |
JayF | Oslo is one of the least-populated functional teams in OpenStack, and we may be the only group using that ssl+wsgi support. | 20:52 |
JayF | I would not expect it's being worked on, and it'd be a new stream of work to do it | 20:52 |
JayF | (that being said; if it's easy enough I could be tempted to JFDI if oslo folks are onboard) | 20:52 |
adam_ | what I can say is that at least I see interest from downstream on my end from time to time, so there are enterprise users who are interested in this, but ofc all those things are up to openstack-oslo + openstack-ironic. I don't know enough about this topic to implement and propose it myself :( | 20:58 |
JayF | You probably know more than you think you do :D | 21:16 |
JayF | that sslutils.py module is exceedingly simple | 21:16 |
JayF | literally just creating an ssl socket (monkeypatched by eventlet) and wrapping the existing wsgi server in it | 21:17 |
JayF | about three steps beyond "hello world" in python ssl sockets | 21:17 |
JayF | adam_: I'll make you a deal; if I get a patch that I believe should be working can you help test it? | 21:36 |
adam_ | yeah sure | 21:37 |
JayF | I'll warn you; we might be too late to get this in before A is cut | 21:38 |
JayF | I'd have to check when library freeze is | 21:39 |
adam_ | For me it is fine | 21:41 |
JayF | ack; yeah I'll see what I can do | 21:42 |
JayF | I think it might be as easy as adding them as potential cipher opts | 21:42 |
adam_ | cool | 21:43 |
JayF | hmm | 21:43 |
JayF | so what exactly are you looking for? | 21:43 |
JayF | TLS 1.2 is supported in sslutils.py | 21:43 |
JayF | which is the least TLS protocol supported by python ssl library afaict | 21:43 |
JayF | yeah, checked all the way up to python 3.11; ssl.PROTOCOL_TLSv1_2 seems to be the oldest | 21:45 |
JayF | er, newest | 21:45 |
JayF | aha | 21:45 |
JayF | PROTOCOL_TLS_CLIENT represents it | 21:45 |
JayF | for TLSVersion.TLSv1_3 | 21:45 |
adam_ | well my/our goal is, if possible, to make everything communicate via tls1.3 in our metal3 stack, but at the moment we are just writing up all the components and their tls support, and when we reached ironic we saw that 1.3 was not supported and I thought you are the best people to ask here. But tls 1.3 for both Ironic and IPA would be good because I don't know how we would solve tls support for outgoing traffic; for incoming we already use httpd proxy, but I thought that native support would be more elegant than to mess around with a reverse proxy or whatnot and putting a proxy on IPA. | 21:49 |
JayF | so what I'm going to do is the following: | 21:50 |
JayF | - I'm going to spend a short bit of time seeing if I can make support exist in sslutils.py; which would fix the IPA server | 21:50 |
JayF | - I'll add an item to our bobcat PTG page to evaluate TLS 1.3 support across the stack | 21:51 |
JayF | - I'll follow up the oslo chat in that IRC channel, if/when someone replies | 21:51 |
adam_ | well that is really all I can ask for and more then I hoped for so thank you very much :D | 21:52 |
adam_ | more than* | 21:54 |
adam_ | I have to go now, but thanks again for the help! | 21:58 |
kubajj | JayF: if I catch an exception in a try block, but I don't really care what happens with it, do I just say try, or do I say try: something, except <the exception>: pass? | 22:09 |
JayF | except UselessException: | 22:11 |
JayF | log.Something("Please log something") | 22:11 |
JayF | pass | 22:11 |
JayF | with my suggestion obviously inline :D | 22:12 |
JayF | usually should be accompanied with a comment as to why it's OK that exception threw and why we don't care | 22:12 |
JayF | (and log.debug if it's a relatively-normal thing) | 22:12 |
kubajj | thanks | 22:14 |
opendevreview | Jakub Jelinek proposed openstack/ironic master: Erase swift inventory entry on node deletion https://review.opendev.org/c/openstack/ironic/+/871394 | 22:30 |