opendevreview | Verification of a change to openstack/ironic master failed: api: Add schema validation framework https://review.opendev.org/c/openstack/ironic/+/928920 | 02:11 |
---|---|---|
opendevreview | Adam McArthur proposed openstack/ironic-tempest-plugin master: Testing bad microversions on v1/allocations https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/937213 | 02:23 |
opendevreview | Steve Baker proposed openstack/ironic master: Utility functions for graphical console drivers https://review.opendev.org/c/openstack/ironic/+/939505 | 02:47 |
opendevreview | Steve Baker proposed openstack/ironic master: Add ironic-novncproxy service https://review.opendev.org/c/openstack/ironic/+/939191 | 02:47 |
opendevreview | Steve Baker proposed openstack/ironic master: Add VNC auth type to novnc-proxy https://review.opendev.org/c/openstack/ironic/+/939192 | 02:47 |
opendevreview | Steve Baker proposed openstack/ironic master: Create idrac graphical console driver https://review.opendev.org/c/openstack/ironic/+/939193 | 02:47 |
cardoe | stevebaker[m]: you were making driver_info_internal hidden entirely in that series? | 03:27 |
stevebaker[m] | cardoe: just the keys which match the hidden patterns, as for driver_info and instance_info. Check out strutils.mask_dict_password for the implementation. It catches anything containing | 03:28 |
stevebaker[m] | 'token', 'password', 'secret' for example | 03:29 |
cardoe | Good deal. I was fixing up the node cleaning docs and it says to parse the internal info to know what step it’s on. Which feels awkward but then seeing you post that series made me remember that. | 03:30 |
stevebaker[m] | hmm, you might want to confirm those keys are not affected. Most will be unmasked I think | 03:33 |
cardoe | TheJulia, keekz, cid, JayF: https://etherpad.opendev.org/p/ironic-cardoe-inspect-hooks-and-rules first swag. | 04:40 |
opendevreview | Merged openstack/ironic master: api: Add schema validation framework https://review.opendev.org/c/openstack/ironic/+/928920 | 05:13 |
janders | Hey Ironic'ers. I think I found a bug in bifrost which I am happy to propose a fix for but I first wanted to confirm with you if it's indeed a defect (as opposed to a user error) | 06:46 |
janders | I tried deploying with a command like this: ./bifrost-cli deploy -e @baremetal-install-env.json --image $URL --image-checksum $IMG_MD5 --configdrive '{"meta_data": {"public_keys": {"0": "'"$(cat ~/.ssh/id_rsa.pub)"'"}}}' | 06:47 |
janders | (trying to use bifrost for image management in a small lab, drinking own champagne so to speak) | 06:47 |
janders | I hit this: https://paste.opendev.org/show/bUA79JmSBwHo3HqIo5vt/ it seems like we | 06:47 |
janders | are looking for uuid in https://opendev.org/openstack/bifrost/src/branch/master/playbooks/roles/bifrost-deploy-nodes-dynamic/tasks/main.yml#L41 | 06:48 |
janders | but I tried to debug-output node_info and there is only "id" instead: | 06:48 |
janders | https://paste.opendev.org/show/bWS60flSG37cz0ykzg7V/ (see L60) | 06:49 |
janders | is this likely unnoticed regression in some rarely-used codepath (it works if deploy is called with no params) or is it more complicated than that? | 06:49 |
janders | In case of the former I am happy to push a trivial patch | 06:49 |
janders | (while on the topic https://docs.openstack.org/bifrost/latest/user/howto.html#command-line-parameters has an example of --config-drive CLI parameter while we only have --configdrive - once I get into fixing mode I can push a trivial fix to that too) | 06:51 |
rpittau | good morning ironic! o/ | 07:44 |
janders | hey rpittau o/ | 07:44 |
arne_wiebalck | Good morning, Ironic! | 08:01 |
arne_wiebalck | I was about to ask about bootc, but now I see https://review.opendev.org/c/openstack/ironic-python-agent/+/940178 and https://review.opendev.org/c/openstack/ironic/+/937897, wow! | 08:08 |
frickler | JayF: TheJulia: cid: I followed the advice on the lp bug create page and found https://storyboard.openstack.org/#!/story/2011154 , which exactly looks like my issue. so a great chance to make even more people happy ;-D | 08:17 |
frickler | while we're here, I have two more questions related to node validation: a) why do I have to specify a cleaning_network even if automated_clean is false? I did end up just adding "public", but this feels wrong | 08:29 |
cid | Sounding like a bug | 08:32 |
cid | frickler, re: <,,, on the lp bug create page... found ...> Great spot, and the bug is recent too! Fix should be up in a bit. | 08:32 |
frickler | cid: cool, thx | 08:35 |
frickler | issue b): the redfish_password option is marked optional, but treated as required in https://opendev.org/openstack/ironic/src/branch/master/ironic/drivers/modules/redfish/utils.py#L215-L218 leading to something like ironic.common.exception.RedfishError: Redfish exception occurred. Error: 'NoneType' object has no attribute 'encode' | 08:36 |
frickler | should the option be required or does the session cache code need fixing? | 08:36 |
frickler | (I only noticed this because I typoed as rdfish_password, didn't spot that, and went on a long deep dive into the code to see what was happening, since in contrast to the license issue, the logs in this case are pretty minimal) | 08:38 |
rpittau | frickler: I think that's another bug, the cache mechanism needs some adjustment as the password is indeed optional | 08:45 |
opendevreview | Dr. Jens Harbott proposed openstack/ironic master: Fix redfish session cache on missing password https://review.opendev.org/c/openstack/ironic/+/940431 | 09:52 |
frickler | thx for confirming, ^^ may be a bit clumsy, but fixes the issue for me, feel free to amend if needed | 09:53 |
opendevreview | cid proposed openstack/ironic master: Log secure boot access failures at INFO level https://review.opendev.org/c/openstack/ironic/+/940433 | 09:58 |
rpittau | thanks frickler! would you mind also opening a bug in launchpad for that? we will also need a release note | 10:06 |
frickler | rpittau: actually I do mind, does the ironic community not have a policy that would allow for an exemption for almost-trivial bug fixes? and if it doesn't, is that intentional? | 10:35 |
opendevreview | cid proposed openstack/ironic master: Log secure boot access failures at INFO level https://review.opendev.org/c/openstack/ironic/+/940433 | 11:01 |
cid | frickler, kindly take a look at ^ when you can. | 11:02 |
rpittau | frickler: we don't have written rules about almost-trivial or trivial bugs or bug fixes, but in any case, even if the fix is trivial, maybe the bug impact is not, and this looks like one of those cases to me | 14:30 |
rpittau | I would not have asked otherwise | 14:30 |
frickler | rpittau: ok, I'll update the patch | 14:51 |
rpittau | frickler: thanks | 14:54 |
opendevreview | Vasyl Saienko proposed openstack/networking-generic-switch master: WIP: rework bond methods https://review.opendev.org/c/openstack/networking-generic-switch/+/940457 | 15:08 |
* TheJulia semi-waves | 15:15 | |
* TheJulia makes more coffee | 15:15 | |
TheJulia | arne_wiebalck: yeah, it's slower than just streaming a disk... but you're sort of making a trade-off of deploy time actions when using it | 15:22 |
arne_wiebalck | TheJulia: good morning o/ | 15:23 |
TheJulia | Thanks! | 15:23 |
arne_wiebalck | The model of using the container model for doing updates on baremetal infra may be interesting for some of our use cases. | 15:24 |
TheJulia | Yeah, definitely | 15:24 |
TheJulia | We're thinking it can specifically be a lot cleaner around upgrades since it helps prevent "other" modifications to the system | 15:25 |
TheJulia | the downside is bootc's update model, everything is a reboot | 15:27 |
TheJulia | It is all tradeoffs, all the way down | 15:27 |
cardoe | I like it for that immutable OS model like CoreOS, Talos or Flatcar. | 15:34 |
arne_wiebalck | TheJulia: right ... the impact of the "everything needs a reboot" model varies between use cases though | 15:45 |
arne_wiebalck | TheJulia: a file server is less suitable for this model than a node in a k8s cluster | 15:46 |
arne_wiebalck | TheJulia: as you say, "tradeoffs" :) | 15:48 |
arne_wiebalck | TheJulia: definitely good to have it as an option, though! | 15:48 |
TheJulia | arne_wiebalck: yup, related I did a patch to support image artifacts from OCI Image registries which might also be interesting | 15:54 |
TheJulia | cardoe: yeah, bootc forcing that model *really* helps | 15:54 |
arne_wiebalck | TheJulia: oh, I'd appreciate the link if you have it handy? | 15:54 |
TheJulia | arne_wiebalck: https://review.opendev.org/c/openstack/ironic/+/937896 | 15:55 |
arne_wiebalck | TheJulia: ty | 15:55 |
cardoe | Run your file server on a k8s cluster so reboots don’t matter. | 16:12 |
JayF | Oh that's neat, I didn't realize that bootc used ostree | 16:13 |
cardoe | I’ll poke about https://review.opendev.org/c/openstack/ironic-python-agent/+/940185 cause that enables running the lints in CI that we landed the fixes for. Just wanna get it enabled before other changes happen. | 16:46 |
rpittau | good night! o/ | 17:02 |
arne_wiebalck | good night, Ironic! o/ | 17:27 |
opendevreview | Merged openstack/ironic master: Fix agent from being locked out with complex steps https://review.opendev.org/c/openstack/ironic/+/940413 | 18:39 |
opendevreview | Jay Faulkner proposed openstack/ironic stable/2024.2: Fix agent from being locked out with complex steps https://review.opendev.org/c/openstack/ironic/+/940471 | 19:00 |
opendevreview | Steve Baker proposed openstack/ironic master: Utility functions for graphical console drivers https://review.opendev.org/c/openstack/ironic/+/939505 | 19:35 |
opendevreview | Steve Baker proposed openstack/ironic master: Add ironic-novncproxy service https://review.opendev.org/c/openstack/ironic/+/939191 | 19:35 |
opendevreview | Steve Baker proposed openstack/ironic master: Add VNC auth type to novnc-proxy https://review.opendev.org/c/openstack/ironic/+/939192 | 19:35 |
opendevreview | Steve Baker proposed openstack/ironic master: Create idrac graphical console driver https://review.opendev.org/c/openstack/ironic/+/939193 | 19:35 |
opendevreview | Merged openstack/ironic master: doc: define the shape of inspection inventory https://review.opendev.org/c/openstack/ironic/+/940277 | 19:57 |
opendevreview | Dr. Jens Harbott proposed openstack/ironic master: Fix redfish session cache on missing password https://review.opendev.org/c/openstack/ironic/+/940431 | 20:02 |
JayF | thanks frickler; +2a | 20:18 |
JayF | stevebaker[m]: thanks for the work on console; a local PoC working with iLO is super exciting! Let me know if at any point you get blocked on reviews for this stuff or need someone to rubber duck at or anything :) | 20:29 |
stevebaker[m] | JayF: Thanks for taking a look! I have Supermicro running in a browser container too but it is not pretty. I wonder if someone could be motivated to resurrect the change to upstream NoVNC to support its extensions | 20:32 |
JayF | You need my super advanced double premium license for me to update those patches, sorry ;) | 20:32 |
JayF | joking aside; I have zero supermicro hardware or use case for it, so that's not something I'm interested in personally | 20:33 |
stevebaker[m] | :P | 20:33 |
stevebaker[m] | yeah we need to find someone who cares. browser container will be better than nothing in the interim | 20:34 |
JayF | I'm assuming the container proxy shenanigans won't prevent us from doing, as in the spec, a read-only mode? | 20:35 |
stevebaker[m] | JayF: Also I think read only support will be important early, these browser based consoles have UI for other management functions! The web socket proxy is a natural place to implement that, I don't think it'll be hard | 20:36 |
JayF | yeah, my use case is basically "interactive consoles require super-duper security access with 14 approvals" vs "non-interactive access you can push-button-receive-console" | 20:37 |
JayF | so without read only this is not useful for me :D | 20:37 |
JayF | ironic already holds the bmc keys so it's a natural place to rbac that too | 20:37 |
stevebaker[m] | I've ended up using Selenium to drive the login process, so I think javascript can be inserted to prevent non-console portions of the UI from being accessed, but it is not a 100% mitigation. I think read-only should be the default actually, operators should be able to choose to enable keyboard or everything | 20:39 |
opendevreview | cid proposed openstack/ironic master: Log secure boot access failures at INFO level https://review.opendev.org/c/openstack/ironic/+/940433 | 20:40 |
stevebaker[m] | Nova will be "interesting" too. The driver is expected to provide VNC connection details but we can only expose a NoVNC connection. I might reach out to mel | 20:43 |
stevebaker[m] | Nova will be "interesting" too. The driver is expected to provide VNC connection details but we can only expose a NoVNC connection. I might reach out to melwitt about this soon | 20:43 |
cardoe | I’m reviewing it. It’s big. | 20:44 |
cardoe | Jay you happen to peek at my rules use case? | 20:44 |
JayF | nope, I've been so scattered+busy this week that I don't even remember exactly what you're talking about | 20:45 |
cardoe | JayF: https://etherpad.opendev.org/p/ironic-cardoe-inspect-hooks-and-rules | 20:48 |
cardoe | Since I can’t make the demo. Just wanted to see if this fit in your approach. | 20:48 |
JayF | the approach is "port over the inspector rules as already specified" | 20:48 |
JayF | I'm not a great person to engage at this level on inspector stuff; I'm basically helping cid implement the spec as written | 20:49 |
JayF | I don't have my head fully wrapped around all the inspection corner cases tbh; part of why I was pitching an interactive demo/review was hoping we'd catch someone who could backfill that info | 20:49 |
cardoe | Okay that's fair. I'm just trying to ask if we should make changes as it goes. | 20:57 |
JayF | Given that cid is working on a patch that, at this point, is over a cycle old, I am as -2 as possible to changing requirements on him when it's close to mergeable. | 20:57 |
cardoe | Cause as I referenced the iLO driver, it has a bunch of code to create capabilities on inspection which seem like they should just be implemented as built-in rules that run by default for ilo devices. | 20:58 |
JayF | ilo driver is deprecated in favor of redfish | 20:58 |
cardoe | uh huh and his whole implementation doesn't work with redfish | 20:58 |
JayF | we are relying on https://specs.openstack.org/openstack/ironic-specs/specs/not-implemented/inspection-rules.html to be accurate | 20:59 |
JayF | I'm not trying to be cagey I just don't understand the moving parts in whole and quite frankly don't have the time to pull in that context in the short term | 20:59 |
cardoe | That's fine. Just returning back to this from the PTG. | 21:02 |
cardoe | I'll just wait until after it goes in. | 21:03 |
cardoe | I'm just actively trying to use it vs ironic-inspector | 21:04 |
cardoe | The spec doesn't really cover what was removed / changed to bring it in and it's those changes / removals that's leading to my questions. | 21:05 |
opendevreview | Merged openstack/ironic-python-agent master: migrate lints to pre-commit https://review.opendev.org/c/openstack/ironic-python-agent/+/940185 | 21:07 |
cardoe | My more immediate ask was also around how you'd vote to see the config option change. dtantsur asked me to change the config options in my original series and asked the other reviewers to weigh in. | 21:25 |
cardoe | It's labeled (SOON) | 21:26 |
opendevreview | Merged openstack/ironic master: Fix redfish session cache on missing password https://review.opendev.org/c/openstack/ironic/+/940431 | 23:15 |
JayF | Honestly I hate how many driver-specific args we have, so I'd vote for [inspection]/whatever | 23:33 |
JayF | but I think just the technical reality will end up dictating if it needs to be scoped to driver or not | 23:34 |