Wednesday, 2024-01-31

00:55 <opendevreview> Julia Kreger proposed openstack/ironic master: Fix service role support  https://review.opendev.org/c/openstack/ironic/+/907148
00:58 <opendevreview> Merged openstack/ironic-inspector master: Remove dependency on pytz  https://review.opendev.org/c/openstack/ironic-inspector/+/906947
01:00 <opendevreview> Julia Kreger proposed openstack/ironic master: Fix service role support  https://review.opendev.org/c/openstack/ironic/+/907148
01:03 <TheJulia> I think that sort of does it
01:03 <TheJulia> stevebaker[m]: hjensas: ^
01:40 *** jph7 is now known as jph
01:41 <stevebaker[m]> ack
02:13 <opendevreview> Merged openstack/ironic-inspector master: Bump hacking to 6.1.0  https://review.opendev.org/c/openstack/ironic-inspector/+/907046
03:48 <opendevreview> OpenStack Proposal Bot proposed openstack/ironic-inspector master: Imported Translations from Zanata  https://review.opendev.org/c/openstack/ironic-inspector/+/906935
08:10 <rpittau> good morning ironic! o/
09:09 <opendevreview> Dmitry Tantsur proposed openstack/ironic-python-agent master: Trivial: avoid deprecated utcnow  https://review.opendev.org/c/openstack/ironic-python-agent/+/907298
09:25 <masghar> Good morning!
09:25 <rpittau> hey masghar :)
09:43 *** zigo_ is now known as zigo
11:12 <iurygregory> good morning ironic
13:53 <TheJulia> good morning
13:53 <iurygregory> good morning TheJulia =)
14:01 <iurygregory> Metal3 Team Meetup happening now
14:03 <TheJulia> I feel only sort of here, yay for mild food poisoning
14:04 <iurygregory> ouch =(
14:04 <iurygregory> sorry to hear that, take care TheJulia
14:05 <TheJulia> Today will just be a slow day for me
14:06 <dtantsur> get better!
14:08 <arne_wiebalck> Good morning, Ironic!
14:08 <arne_wiebalck> For the Ironic gathering before the OpenInfra meetup, suggestions on the title?
14:09 <arne_wiebalck> (we are preparing the event site)
14:10 <arne_wiebalck> in discussions here we called it "Ironic Meetup / Bare Metal SIG / BM Operator Hour" ... not too catchy
14:10 <arne_wiebalck> JayF: ^^
14:10 <TheJulia> "Bare Metal Sig/Ironic Meetup" ?
14:13 <arne_wiebalck> the title should convey "all welcome" somehow, I guess
14:14 <JayF> I suspect there's enough cultural shenanigans wrapped up in that assessment that you might be the best person to figure out how to say that where you're at
14:19 <arne_wiebalck> the bare metal event will be linked from the general meetup page, so everyone considering to come to CERN for the meetup will see this .. just want to make sure we do not give the impression the BM event is some "closed" event
14:19 <arne_wiebalck> can do this in the small print, I guess
14:19 <arne_wiebalck> in big letters :)
14:19 <JayF> I'm literally happy to call it anything. We can call it open source office hours we can call it a cloud party with the bare metal kids
14:20 <JayF> So if you want to go completely out of the box, I'm game for ideas
14:20 <arne_wiebalck> "Cloud party with the cool bare metal kids" :-D
14:20 <opendevreview> Merged openstack/virtualbmc master: [codespell] Fixing Spelling Mistakes  https://review.opendev.org/c/openstack/virtualbmc/+/906803
14:20 <tkajinam> o/ anyone mind merging this CI fix? https://review.opendev.org/c/openstack/python-ironic-inspector-client/+/907058
14:22 <JayF> Add me as reviewer if nobody has gotten it by the time I get to an actual computer, I'll merge it. An hour at most.
14:25 <iurygregory> approved
14:38 <dtantsur> TheJulia: I wonder if there is another way to push (a bit of) data through Redfish to the OS...
14:38 <dtantsur> some EFI variables? dunno..
14:38 <opendevreview> Merged openstack/python-ironic-inspector-client master: Bump ironic-inspector used in functionl tests  https://review.opendev.org/c/openstack/python-ironic-inspector-client/+/907058
14:38 <TheJulia> maybe....
14:38 <TheJulia> "maybe"
14:39 <JayF> I'll note that any such mechanism would have to be able to be trivially disabled for truly multi-tenant installs
14:39 <dtantsur> yeah, unless we have a reliable way to clean it as well
14:40 <TheJulia> and a lot of hardware starts acting super weird when you touch uefi vars
14:40 <TheJulia> specifically items in nvram
14:40 <dtantsur> yeah, I can imagine
14:50 <TheJulia> we've managed to sort of identify the weirdness with injection of bootloaders, but those are also standardized records
14:54 <TheJulia> Remember that shim bug we helped raise visibility of? The one which crashed machines?
15:20 <TheJulia> JayF: commented on your comment on https://review.opendev.org/c/openstack/ironic/+/907148
15:23 <JayF> With that context, I think that the change makes sense. I also think we need to have a very strongly worded upgrade note about ensuring you change that value to something valid for your environment
15:24 <JayF> Either that or default the service project name to none, but I can see value in aligning with many of those other projects
15:24 <JayF> Like I said in the comment, I want to avoid a situation where someone can easily upgrade themselves into granting someone an authorized access
15:31 <TheJulia> Yeah, we already grant access based upon role:service, just the filter gets applied by default
15:34 <TheJulia> so really, go back to a boolean knob *and* allow default, so it can be entirely disabled
15:34 <TheJulia> eh....
15:34 <TheJulia> setting something to None is a little awkward in a configuration
15:42 <JayF> I like the idea of having a boolean knob to turn on and off service access, separate from the configuration of what project
15:42 <JayF> That way we can allow deployment methods that are going to set up the projects properly to have it working by default, but don't have to worry about upgrading someone into insecurity
15:43 <TheJulia> I'm just not going to do it for all role:service access, just this higher level "see everything"
16:19 <JayF> ++
16:21 <TheJulia> https://review.opendev.org/c/openstack/ironic/+/906914 and https://review.opendev.org/c/openstack/ironic/+/906913 are two relatively clean/quick backports which would be nice
16:21 <JayF> lookin
16:22 <JayF> +2A to all
16:23 <TheJulia> much appreciated, thanks!
16:23 <TheJulia> I'll revise the rbac one a little later
16:29 <opendevreview> Merged openstack/ironic-python-agent master: Drop usage of run_as_root  https://review.opendev.org/c/openstack/ironic-python-agent/+/906375
17:18 <rpittau> good night! o/
18:05 <opendevreview> Merged openstack/ironic stable/2023.1: Fixes Secureboot with Anaconda deploy  https://review.opendev.org/c/openstack/ironic/+/906913
18:06 <opendevreview> Merged openstack/ironic stable/2023.1: Kickstart: Don't error unit tests ksvalidate is present  https://review.opendev.org/c/openstack/ironic/+/906914
18:25 <JayF> For tests in ironic-tempest-plugin, are nodes I create cleared *per test* or *per class*
18:25 <JayF> I'm pretty sure it's per class but not 100% sure
18:25 <JayF> yeah, absolutely per class I think
18:29 <TheJulia> uhh... it is invoked per class per test I believe
18:29 <TheJulia> because it is in setup it gets created, tests are executed on a one-on-one basis multiple runners may handle all tests in a class
18:34 <opendevreview> Jay Faulkner proposed openstack/ironic-tempest-plugin master: Basic API tests for sharding  https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/906749
18:35 <JayF> yeah, that is where my logic fell as well
18:35 <JayF> I don't have my devstack to test that, so if you're around and want to poke it with any obvious issues it'd be awesome, otherwise I'll wait for zuul to tell me
18:35 * JayF working on auto shop wifi getting a tire patched
18:35 <TheJulia> err, I'm thinking tempest default, but I think it is similar
18:42 <TheJulia> Yeah, I think you need to refactor your setup on the test level with unique shard names
18:43 <JayF> in the first class, yes
18:43 <JayF> the second class I did it right
18:43 <JayF> because second class I create a set of data, tests are only querying against it
18:44 <JayF> (yeah?)
18:44 <TheJulia> nah, I think it is wrong because setup gets run per test
18:44 <JayF> but cleanup doesn't happen per test
18:44 <TheJulia> at the end it does
18:44 <JayF> cleanup happens at class teardown
18:44 <JayF> jenkies :(
18:44 <TheJulia> teardown is called for each test execution
18:45 <JayF> So this is fine then? I'll set nodes setup and torn down each execution
18:45 <JayF> I don't care what the names are, right?
18:45 <TheJulia> yeah as long as you have unique names to avoid collision
18:45 <JayF> but teardown deletes the nodes(?)
18:45 <TheJulia> it should if they are created in the test
18:47 <JayF> I don't understand how that works with my current understanding of setup/teardown, but that at least gives me a pattern I can mimic
18:48 <JayF> if setup gets run N times, and teardown gets run N times, and after each teardown $stuff is leftover... I don't get it
18:48 <JayF> but I get my car back, bbs
18:48 <TheJulia> we go to execute a test, to setup that test the class setup gets called, test run and then teardown
18:48 <clarkb> HACKING.rst documents these behaviors though I'm not sure how up to date that doc is
19:08 <JayF> Then what names could conflict with what names? That's where I'm stuck on?
19:08 <JayF> if teardown has run, nodes created in setup are gone, setup re-runs for the next test
19:08 <JayF> unless there's parallelism and operating off the same ironic instance to do so
19:08 <JayF> hmmmm
19:32 <opendevreview> Jay Faulkner proposed openstack/ironic-tempest-plugin master: Basic API tests for sharding  https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/906749
20:06 <TheJulia> and this is your regular reminder, that StrOpt by accident set to boolean False, still returns True :)
20:08 <opendevreview> Julia Kreger proposed openstack/ironic master: Fix service role support  https://review.opendev.org/c/openstack/ironic/+/907148
20:09 <TheJulia> JayF: Revised ^ with release note
20:09 <TheJulia> well, upgrade note in the reno
20:30 <JayF> TheJulia: Sorry, but I had to -1 again. I think we're still not on the same page. I was under the impression we were going to default that elevated access off
20:30 <JayF> I am going to have a hard time finding a +2 for a change which could be done in custom policy, but without custom policy will enable additional access for operators unless they do something about it :/
20:30 <TheJulia> we can do that, ultimately everyone will just flip the setting by default which is not operator friendly
20:31 <JayF> I don't think that's generally true TBH
20:31 <JayF> Is there some other path?
20:32 <TheJulia> only to configure services as service scope, which folks don't really want to do
20:32 <TheJulia> or are not tooled to do
20:32 <TheJulia> This is really all fallout of the openstack wide rbac position change
20:33 <TheJulia> everyone who wants nova-compute not to care about the owner/lessee fields will either need to flip the setting or use system scope auth, or write whole custom policies which is not viable for distribution users really
20:39 <JayF> I think today most folks use system scoped auth
20:39 <JayF> I just foresee that at many large installs I would've worked, they would've wanted to set the service_project name to something non-default, and isolate Ironic service project/scope users to Ironic only
20:40 <JayF> the idea of "this token is good for service access to read from (for instance) neutron" all the sudden getting Ironic admin access would be incident-inducing in some of those environments
20:41 <JayF> The real solution I want is somehow to know on upgrade it's an upgrade, set "false" and for new installs to get "true"
20:41 <JayF> but I can want that all I want, we have no way to get there AFAIK
20:45 <TheJulia> I don't think that is actually true, but the patch enables that to be setup. What it defaults towards is the generalized defaults leveraged in deployment tools (tripleo, kolla, airship, devstack (see lib/keystone SERVICE_TENANT_NAME)), the only variation I've found is DIY puppet deployment where the default value is "services" instead of "service" for the project name which an admin would need to create.  Yes, one could
20:45 <TheJulia> isolate ironic to its own project, but that is not stock sample template configuration.
20:46 <TheJulia> To completely disable service scoped access would require it just not to be somehow enabled/present in keystone, and depending on level of paranoia, require carrying custom policy to strike out the default capability, but that is separate from the service project
20:46 <TheJulia> I could see it making sense to merge as true, and backport as false, fwiw
20:47 <JayF> So to be clear: current (master) RBAC model is -> Service role, on any given project, has service access to that project
20:47 <JayF> proposed change would take us to RBAC model is -> service role, on a SPECIFIC project, has a big chunk of what I'd consider system scoped manager/admin access
20:48 <JayF> the fact that specific project *is* the same as what is setup by the other deployment tools is exactly what my concern is
20:48 <TheJulia> yes, basically
20:48 <TheJulia> I'd note, we're the only folks in all of openstack to do that
20:48 <TheJulia> everyone else is just "role:service" is just shy of admin or is aliased to admin
20:48 <JayF> we are also the only folks in all of openstack to migrate from an admin-only API to an RBAC-aware/user exposed one
20:48 <JayF> so I think it's reasonable to be more aware of how things migrate into it
20:49 <JayF> TheJulia: https://us06web.zoom.us/j/81323207222?pwd=ltnb7rKfYitDKZWJgzzib2mIfboybb.1 sync?
20:49 <TheJulia> True, I do agree with that statement, I think the challenge is a willingness to or ability to leverage a system scope
20:49 <TheJulia> sure
22:07 <opendevreview> Merged openstack/python-ironic-inspector-client master: Bump hacking to 6.1.0  https://review.opendev.org/c/openstack/python-ironic-inspector-client/+/907045
22:56 <opendevreview> Jay Faulkner proposed openstack/ironic-tempest-plugin master: WIP: Basic API tests for sharding  https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/906749
23:07 <opendevreview> Merged openstack/python-ironic-inspector-client master: [codespell] Fixing Spelling Mistakes  https://review.opendev.org/c/openstack/python-ironic-inspector-client/+/907115
23:12 <JayF> adamcarthur5: I think all your changes are 1) landed, 2) have valid comments with a -1 or 3) are waiting on gate fixes ... good work!
23:12 * JayF goes to check to see if adamcarthur5 has more commits in Ironic projects than him this cycle before workflowing anything else ;)
23:12 <opendevreview> Julia Kreger proposed openstack/ironic master: Fix service role support  https://review.opendev.org/c/openstack/ironic/+/907148
23:14 <TheJulia> JayF: ^^
23:14 <JayF> I clicked away from gerrit opened to that page to acknowledge this ;)
23:16 <TheJulia> heh
23:18 <JayF> TheJulia: https://review.opendev.org/c/openstack/ironic/+/907148/5#message-c4789466f934d57540ce4110f1adde68c6804c6d a suggestion for wording in the config description, but +1 to indicate overall general agreement
23:20 <TheJulia> JayF: maybe just drop the last sentence?
23:28 <opendevreview> Julia Kreger proposed openstack/ironic master: Fix service role support  https://review.opendev.org/c/openstack/ironic/+/907148
23:29 <JayF> +2
23:33 <opendevreview> Jay Faulkner proposed openstack/ironic-tempest-plugin master: WIP: Basic API tests for sharding  https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/906749
