| opendevreview | Doug Goldstein proposed openstack/ironic master: anaconda: more flexible config_drive in kickstart https://review.opendev.org/c/openstack/ironic/+/942849 | 00:13 |
|---|---|---|
| opendevreview | Julia Kreger proposed openstack/ironic-tempest-plugin master: CI: Dial back the non-voting jobs https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/942846 | 00:19 |
| opendevreview | Satoshi Shirosaka proposed openstack/ironic-python-agent master: WIP Add ContainerHardwareManager https://review.opendev.org/c/openstack/ironic-python-agent/+/941714 | 00:26 |
| opendevreview | Verification of a change to openstack/ironic-python-agent-builder master failed: More reliable TinyIPA builds with network retries https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/942369 | 03:51 |
| opendevreview | Merged openstack/ironic master: ci: focus ironic-tempest-bios-ipmi-direct-tinyipa https://review.opendev.org/c/openstack/ironic/+/942204 | 05:27 |
| frickler | humm, so there is a unit test affected by the floppy defaults, will try to amend it | 07:10 |
| opendevreview | Vasyl Saienko proposed openstack/networking-generic-switch master: Add vlan aware VMs support https://review.opendev.org/c/openstack/networking-generic-switch/+/928490 | 07:12 |
| opendevreview | Dr. Jens Harbott proposed openstack/ironic master: Make floppy images more floppy https://review.opendev.org/c/openstack/ironic/+/942787 | 07:33 |
| frickler | ok, so the unit tests were actually helpful, because I had missed the cleanup call | 07:35 |
| jssfr | aahh, the good ol' contribution cycle for projects with unit tests. (1) make stuff, works locally, be happy; (2) have CI fail some unittest, be annoyed, begrudgingly fix it; (3) find three edge cases along the way which you need to fix, be grateful for the tests, write some more. | 07:38 |
| rpittau | good morning ironic! o/ | 07:56 |
| opendevreview | Verification of a change to openstack/ironic-python-agent-builder master failed: More reliable TinyIPA builds with network retries https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/942369 | 09:37 |
| TheJulia | good morning | 14:24 |
| mdfr | Hello :) | 14:32 |
| mdfr | I'm pretty new to Ironic and I'm using the multi-tenancy node feature as described in the documentation. I have set ownership of the node to a new project_id and I'm granting the "member" role to a user which belongs to the related project_id. The user can manage the node and create a portgroup (according to the Ironic policies). | 14:36 |
| mdfr | Then I try to map the node's port to the portgroup and I get rejected because it tries to fetch the "cleaning_network" UUID, which is not accessible from the member role. (as expected) | 14:36 |
| mdfr | $ openstack baremetal port set c4c62010-f85b-4b1a-94cd-8204aca1690d --port-group dfad6a5f-7b52-456a-81b1-337ef82f9e58 | 14:36 |
| mdfr | cleaning_network with name or UUID <redacted> was not found (HTTP 400) | 14:36 |
| mdfr | I'm not sure why it requires the cleaning_network to bind the node's port to a portgroup :( | 14:36 |
| mdfr | Of course, it works fine if I grant the admin role to the user, as they can see all networks. Am I missing something? | 14:36 |
| mdfr | Is it possible to let node owners configure ports without sharing the cleaning_network with every project_id? | 14:38 |
| TheJulia | good morning mdfr | 14:51 |
| TheJulia | mdfr: what is the provision state of the node? | 14:52 |
| mdfr | I tried at "available" + "maintenance mode true" and also in "manageable" state | 14:58 |
| TheJulia | same error each time? | 14:58 |
| mdfr | yes | 14:58 |
| TheJulia | hmm | 14:58 |
| mdfr | and it works everytime as admin :s | 14:58 |
| TheJulia | what is the network_interface set to? | 14:59 |
| TheJulia | for the driver | 14:59 |
| mdfr | neutron | 14:59 |
| TheJulia | okay | 14:59 |
| TheJulia | oh, I think I see what is going on | 15:00 |
| TheJulia | your making a structural change to the port, so it calls the network driver validate | 15:00 |
| TheJulia | the inherited role/access from the requestor likely can't see the network | 15:01 |
| mdfr | yes exactly | 15:01 |
| TheJulia | can you confirm the cleaning_network is set to a project which is not the same project as the user | 15:01 |
| mdfr | yes | 15:02 |
| TheJulia | yup, that is exactly it | 15:03 |
| mdfr | https://pastebin.com/BA3CUQLb | 15:03 |
| TheJulia | Can you do me a favor and file a bug in launchpad? I need to wake up a little bit more first before I whip up a patch | 15:04 |
| TheJulia | (and also my corgi overlord demands his morning walk) | 15:04 |
| mdfr | I try to find a way in the codebase to skip the validation when it's a port mapping to a portgroup | 15:04 |
| mdfr | ahah, sure :) Thank you | 15:05 |
| TheJulia | I'd check the request context and only go down that path fi the user is an admin from ironic/drivers/modules/neutron update_port all around the validate method's call around get_cleaning_network_uuid | 15:05 |
| TheJulia | at least, that is the first pass idea | 15:05 |
| mdfr | ok ! | 15:06 |
| TheJulia | task.context is a representation of ironic.common.context which is based upon oslo.context's RequestContext | 15:08 |
| TheJulia | there should be a list of roles in there :) | 15:08 |
| mdfr | that's incredible that you understood the context of the issue and found the root cause so quickly. I've been digging into this since yesterday | 15:10 |
| TheJulia | The alternative *might* be to remove validate. I don't think it makes sense to treat it as a formal RBAC rules since the front'end request for the update was already validated, this is the driver code trying to go the extra mile when it can't see the thing in glance | 15:10 |
| TheJulia | err | 15:10 |
| TheJulia | not glance, neutron | 15:10 |
| TheJulia | see, I need more coffee | 15:10 |
| mdfr | ahah ! | 15:10 |
| opendevreview | Julia Kreger proposed openstack/ironic master: WIP: hooking in an external network simulator https://review.opendev.org/c/openstack/ironic/+/942298 | 15:44 |
| TheJulia | patch inbound | 16:07 |
| mdfr | :-O | 16:07 |
| mdfr | Do you know if I'd be able to reproduce the issue with devstack? | 16:08 |
| TheJulia | you likely could | 16:08 |
| TheJulia | you'd need to create a user and populate all the values | 16:08 |
| mdfr | ok, thank you :) | 16:08 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Only try and do deep network config validate if admin https://review.opendev.org/c/openstack/ironic/+/942921 | 16:13 |
| JayF | NobodyCam: o/ you got a sec? | 16:18 |
| TheJulia | JayF: he rarely looks at IRC and is also off this week. Need me to prod him? | 16:19 |
| JayF | TheJulia: mainly still looking for field reports on the MegaRAC BMCs based on openbmc, which I just discovered are shipped in NVIDIA servers | 16:19 |
| TheJulia | heh, okay | 16:19 |
| JayF | I just filed an RFE; tl;dr automated cleaning via runbook : https://bugs.launchpad.net/ironic/+bug/2100545 | 16:32 |
| JayF | (think about the power of this when combined with satoshi's in-progress container hardware manager -- which he's working on an RFE bug for now that he's done a PoC) | 16:32 |
| opendevreview | Julia Kreger proposed openstack/ironic master: WIP: hooking in an external network simulator https://review.opendev.org/c/openstack/ironic/+/942298 | 17:17 |
| cardoe | so https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/942369 keeps failing on the same test only in the verify +2 step with the same failure | 18:46 |
| cardoe | So reading through the anaconda docs... it mentions the liveimg_url stuff which I don't really understand but I think "image_info" is wrong and its's "image_url" you need to set. But I needed to ask if "image_info" is a special field or "image_url" is a special field on instance_info or driver_info that gets mutated in anyway by other parts of Ironic. | 18:55 |
| cardoe | So thinking on how to make this more generic... today we have the ipxe template with some hardcoded sections. I'm needing to replace the "boot_anaconda" for this to work. Should we have a way to have additional named sections and allowing a way for instance_info to select the correct one? | 19:11 |
| opendevreview | Julia Kreger proposed openstack/networking-generic-switch master: WIP: Allow config of simulated switch https://review.opendev.org/c/openstack/networking-generic-switch/+/942942 | 19:45 |
| iurygregory | does anyone know if this year we will have a regional OpenInfra Summit like the one in Asia last year? <thinking> | 19:46 |
| TheJulia | There is discussion underway for one in Europe, for the fall specifically, but I don't know the status of it | 19:49 |
| TheJulia | cardoe: so liveimg_url is unrelated to image_url | 19:49 |
| TheJulia | it should be the stage2 image if I'm remembering correctly | 19:49 |
| opendevreview | Verification of a change to openstack/ironic-python-agent master failed: Fix the way qemu-img is called with prlimits https://review.opendev.org/c/openstack/ironic-python-agent/+/942690 | 19:55 |
| iurygregory | tks TheJulia | 20:09 |
| opendevreview | Verification of a change to openstack/ironic-tempest-plugin master failed: CI: Dial back the non-voting jobs https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/942846 | 23:41 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!