Wednesday, 2025-04-09

opendevreview	Julia Kreger proposed openstack/ironic master: provide host_id to neutron early on https://review.opendev.org/c/openstack/ironic/+/946378	00:28
opendevreview	Queensly Kyerewaa Acheampongmaa proposed openstack/ironic master: Remove architecture.rst after merging content into get_started.rst https://review.opendev.org/c/openstack/ironic/+/946615	00:51
opendevreview	Queensly Kyerewaa Acheampongmaa proposed openstack/ironic master: Remove architecture.rst after merging content into get_started.rst https://review.opendev.org/c/openstack/ironic/+/946615	00:53
opendevreview	Habeeb Babasulaiman proposed openstack/bifrost master: bug: remove an unknown flag https://review.opendev.org/c/openstack/bifrost/+/946724	03:34
opendevreview	Habeeb Babasulaiman proposed openstack/bifrost master: bug: replace outdated release version with a latest one https://review.opendev.org/c/openstack/bifrost/+/946725	03:48
opendevreview	Habeeb Babasulaiman proposed openstack/bifrost master: bug: drop the mention of baremetal introspection list from the doc https://review.opendev.org/c/openstack/bifrost/+/946726	03:56
opendevreview	Habeeb Babasulaiman proposed openstack/bifrost master: bug: indentation length fixed https://review.opendev.org/c/openstack/bifrost/+/946728	04:15
rpittau	good morning ironic! o/	06:49
AmarachiOrdor[m]	Good Morning rpittau and everyone!	06:50
freemanboss[m]	Good morning rpittau:	06:53
queensly[m]	Good morning	07:34
opendevreview	minwoo seo proposed openstack/ironic master: feat(rules): add `api-call` action to trigger external GET webhook https://review.opendev.org/c/openstack/ironic/+/946740	07:54
freemanboss[m]	rpittau: I made some reviews this morning.	07:56
opendevreview	minwoo seo proposed openstack/ironic master: Add `api-call` action for ironic inspection rule https://review.opendev.org/c/openstack/ironic/+/946741	08:00
opendevreview	minwoo seo proposed openstack/ironic master: Add `api-call` action for ironic inspection rule https://review.opendev.org/c/openstack/ironic/+/946741	08:00
abongale	Good morning Ironic!	08:55
opendevreview	minwoo seo proposed openstack/ironic master: Add `api-call` action for ironic inspection rule https://review.opendev.org/c/openstack/ironic/+/946741	09:47
opendevreview	Vasyl Saienko proposed openstack/networking-generic-switch master: Add support of OVS VTEP devices https://review.opendev.org/c/openstack/networking-generic-switch/+/946558	09:57
queensly[m]	Hi Outreachy applicants, just wanted to share some helpful answers I got from rpittau regarding the final application, in case anyone else had similar questions:... (full message at <https://matrix.org/oftc/media/v1/media/download/ATjicuCvxi48fpgRYteCtHiOpWnabLq4mg7FUhVIMQOfeGhHw1_jVvPZNg78PqOYb6aSDpiblhhigSfFTKavqVRCeWYiF_vwAG1hdHJpeC5vcmcvbGh3THlSamZrT0FodFJ6aGRLWlhuc3l4>)	10:11
AmarachiOrdor[m]	Thank you so much queensly, it really helps thank you so much!	10:12
Ayo[m]	Thank you queensly	10:12
queensly[m]	You're welcome.	10:13
freemanboss[m]	rpittau: how can we best make the project timeline?	10:20
freemanboss[m]	Should we focus it on what we have done already or you've a template we have to follow? Thank you!	10:20
freemanboss[m]	queensly: thank you	10:21
opendevreview	Vasyl Saienko proposed openstack/ironic master: Allow to use internal APIs during deployment https://review.opendev.org/c/openstack/ironic/+/946321	11:17
TheJulia	good morning	13:03
opendevreview	Nicolas Belouin proposed openstack/ironic-python-agent master: netutils: Use ethtool ioctl to get permanent mac address https://review.opendev.org/c/openstack/ironic-python-agent/+/946562	13:28
rpittau	3rd day of Ironic vPTG starting in ~ 30 minutes! https://ptg.opendev.org/ptg.html	13:32
opendevreview	Abhishek Bongale proposed openstack/ironic-tempest-plugin master: Fix: fail fast on deploy failure in Anaconda jobs https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/946765	13:36
opendevreview	Abhishek Bongale proposed openstack/ironic-tempest-plugin master: Fix: fail fast on deploy failure in Anaconda jobs https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/946765	13:44
rpittau	cardoe: you crashed :)	14:17
cardoe	dtantsur:	14:35
cardoe	bleh mis-click. I'm tinkering with a keystonemiddleware that can use TokenReview to use k8s service accounts	14:35
cardoe	Might be something you're interested in.	14:35
cardoe	rpittau: is it time to revisit https://review.opendev.org/c/openstack/ironic/+/942520 ?	14:39
rpittau	cardoe: yeah, can you please remove the depends-on there?	14:47
rpittau	actually it doesn't matter, let me recheck it	14:49
cardoe	okay	14:51
opendevreview	Abhishek Bongale proposed openstack/ironic-tempest-plugin master: fix: fail fast on deploy failure in Anaconda jobs https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/946765	15:26
opendevreview	Abhishek Bongale proposed openstack/ironic-tempest-plugin master: fix: fail fast on deploy failure in Anaconda jobs https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/946765	15:45
dtantsur	cardoe: that's curious indeed (use k8s accounts)	16:00
Ayo[m]	rpittau: masghar I created a bug earlier on launchpad, can you give it a review	16:06
rpittau	Ayo[m]: can you please share the link?	16:07
Ayo[m]	Ok	16:09
Ayo[m]	https://bugs.launchpad.net/bifrost/+bug/2106653	16:09
Ayo[m]	rpittau:	16:22
rpittau	Ayo[m]: so the issue is that after you restart the host where you installed ironic the services won't run automatically? that's expected	16:23
Ayo[m]	Ok, but at the time I didn’t know that you’d have to rerun the bifrost testenv command, I simply just sourced into bifrost and tried the commands, even after restarting the ironic service, one would still have network errors	16:28
freemanboss[m]	rpittau: please I've patches that you've not reviewed	16:28
freemanboss[m]	It's 3 different patches please	16:28
rpittau	freemanboss[m]: I think I've reviewed all your patches, you should double-check before asking	16:30
freemanboss[m]	rpittau: oh alright thank you	16:33
Ayo[m]	<Ayo[m]> "Ok, but at the time I didn’t..." <- @ I initially worked towards resolving those errors one at a time but the above command would’ve simply resolved the issues rpittau	16:35
* freemanboss[m] uploaded an image: (25KiB) < https://matrix.org/oftc/media/v1/media/download/AWnn0CEw6y3SNK1ocdoZWVtGFIEaJ5LyDpmNrf-iAbgrKU_tQxRS4g0QNWZgG-9KURERD2WWHekUXLLG6ljG79ZCeWY5AxBgAG1hdHJpeC5vcmcvQ3ZGaGdUbkRrZExjZHNyV2ZrbWVGaGRL >		16:51
*** dansmith is now known as dansmith_pto		16:52
freemanboss[m]	rpittau: cid: please I got this error when I tried to rebase on top of the master branch. I was following the reply gotten from rpittau:	16:52
opendevreview	Habeeb Babasulaiman proposed openstack/bifrost master: bug: drop the mention of baremetal introspection list from the doc https://review.opendev.org/c/openstack/bifrost/+/946726	17:02
TheJulia	Anyone know a HJ-KIM?	17:02
TheJulia	https://etherpad.opendev.org/p/ironic-ptg-april-2025#L608	17:03
freemanboss[m]	rpittau: cid It is a success now	17:03
opendevreview	Pavlo Shchelokovskyy proposed openstack/ironic master: Fix ISO+GPT image handling https://review.opendev.org/c/openstack/ironic/+/946235	17:07
freemanboss[m]	Amarachi Ordor: queensly: Ayo: who knows how to rerun a build process when it failed for a commit?	17:21
freemanboss[m]	On Gerrit?	17:22
AmarachiOrdor[m]	Honestly not sure, but maybe the rest would be more of help. I usually make a slight change maybe rephrase a word and commit it again, because I think since it's already up to date that the way to go, someone else can have a better suggestion	17:25
freemanboss[m]	Amarachi Ordor: alright it seems I got it just now but I don't even know how I did it. I still have one more commit I need to rerun the job for it actually	17:26
AmarachiOrdor[m]	Okay that's good! Well done!	17:27
JayF	I am beginning work on https://etherpad.opendev.org/p/ironic-2025-2-priorites-draft	17:34
JayF	if you have a new item that needs adding I haven't gotten to yet ... you know what to do :D	17:34
opendevreview	Satoshi Shirosaka proposed openstack/ironic master: WIP Add allow_ironic_project_image_access https://review.opendev.org/c/openstack/ironic/+/946575	17:39
satoshi	TheJulia: JayF: I have a question on 2099276.	17:54
satoshi	https://etherpad.opendev.org/p/jqeQ6qI6PpW-9VVPqxyx	17:54
JayF	satoshi: do you see that ID in `openstack project list` on your devstack?	18:00
JayF	you can maybe map that back to the name of the project	18:00
JayF	which might be useful information	18:00
JayF	the other thing I'd explicitly test is manual cleaning	18:01
satoshi	Sure. WIll do thanks.	18:01
JayF	so do a full deploy (even just one that fails fast is OK) and undeploy it	18:01
JayF	er	18:01
JayF	not manual cleaning	18:01
JayF	automated cleaning	18:01
JayF	ensure that you don't get different results for an automated_clean after a node tear down vs an automated clean from manage/provide	18:01
JayF	they are subtly different code paths	18:01
TheJulia	and may have no user requested value because the conductor is doing the work and has to use the conductor context because it is administrative	18:05
JayF	I'm honestly not sure exactly what the goal was at this point tbh	18:05
JayF	> 3) Update the check in is_image_available, if possible, to check for ironic conductor's project ID versus the one in the keystone request context. (default: on, needs to be disablable via CONF to reduce risk of aggressions) -- this is going to be significantly more difficult and invasive than steps 1+2 and should be done as a separate change, and likely not backported	18:06
JayF	is what I originally wrote	18:06
JayF	I think we're still stuck at "how do we know if it's the conductor project ID and not proxied from some API request somewhere" point	18:06
TheJulia	I think your fear/worry was unprivilved use but there are cases where the conductor has to use it's own limited access	18:06
JayF	well I would not want us to make an ability for someone to pull in a private glance image just by making it the service image or something	18:07
JayF	so IIRC I wanted that to match so we could ensure it's our private image vs tenant:supasecret	18:08
JayF	but maybe the conf item is enough guard against that? IDK	18:08
TheJulia	I suspect so since the call entry path drives the path and ultimately what task.context is	18:08
JayF	so the only way we could know if it's the conductor's admin token and not a user would be to like, actually auth and look at the project id there	18:09
JayF	which is /probably/ not acceptable	18:09
TheJulia	correct	18:09
TheJulia	well, could be acceptable, but it is extra work	18:10
JayF	So what does satoshi do then? Just bypass that check if a conf that defaults to "off" is turned on?	18:10
JayF	just check project id and don't care about where it came from?	18:10
TheJulia	dunno, my brain is semi-fried at the moment	18:10
* TheJulia looks for the patch		18:10
JayF	I have pointed a less-fried brain at this and haven't figured it out; I suspect we just have to make a compromise somewhere I don't wanna make	18:10
JayF	https://review.opendev.org/c/openstack/ironic/+/946575	18:10
TheJulia	muchas gracias	18:11
JayF	yeah he's doing the extra auth via system pattern now, it seems	18:11
JayF	I actually think his change, as written, looks good, although I think the check on line 166 might be wrong (we want `project_id != ironic_conductor_project_id and project_id == image_owner` ... right?)	18:13
JayF	hmmm	18:18
JayF	the data added to the etherpad gets more interesting, it looks like conductor_project_id is the service project and image_owner is the demo project	18:18
JayF	which /seems/ like it should be disallowed if the image is nonpublic?	18:18
JayF	to prevent someone abusing our service credential to fetch arbitrary images from glance (?)	18:18
JayF	satoshi: thank you for the detail in https://etherpad.opendev.org/p/jqeQ6qI6PpW-9VVPqxyx -- even tho we don't know the direction to go yet, this is great information to help us figure it out	18:19
TheJulia	I think we're hyper focusing in the wrong way	18:20
TheJulia	I commented on the patch specifically	18:21
TheJulia	because the logic which pre-exists is doing exactly what is being through through, and ther eis sort of a disjointed apsect to it which also need to be handled. I think in other words, we're focusing at A, when A + B is sort of the thing.	18:21
TheJulia	If that makes any sense at all	18:21
JayF	honestly, after reading this chat and your comments on the patch, I'm more confused not less	18:22
JayF	which is probably more indication I'm barking up the wrong tree	18:22
JayF	can we say, in plain english, what the access to grant/prevent is?	18:22
TheJulia	yeah, 165/166 is a bit weird	18:22
TheJulia	yes, we can	18:22
JayF	My thought is: (conductor is service project, image is not owned by service project and is not shared/public) <-- disallow	18:23
JayF	(conductor is service project, image is owned by service project) <-- allow	18:23
JayF	(we have user credential from direct API access which would grant access to the image) <-- allow	18:23
JayF	but something in that smells off	18:24
TheJulia	more comments added	18:30
TheJulia	so sort of yeah, partial issue is the existing code assumes "if you have an auth token, you can just get at it" which is wrong, and such a similar check shoudl be behind the project scoped access knob	18:31
TheJulia	I guess what feels off is were setting an explicit kernel/ramdisk for internal operations	18:34
TheJulia	so adminy	18:34
JayF	you have a node override for that	18:35
TheJulia	but we're doing it as shared	18:35
JayF	which means a less-privledged tenant could put in another tenant's image and pull it in	18:35
TheJulia	but rbac-eyed adminy field	18:35
JayF	oh? I didn't realize _ramdisk and _kernel weren't given to lessee/owner by default	18:35
JayF	if so that GREATLY reduces the problem space	18:35
JayF	and makes more sense why I was focusing on the wrong thing	18:35
TheJulia	well, they are driver_info	18:35
TheJulia	so, an admin owner could set the field	18:36
TheJulia	that is where this is hairy	18:36
TheJulia	so, taking a step back	18:36
JayF	which means having admin owner access to an ironic node, if we don't validate here well, could == getting someone elses' image outta glance	18:36
TheJulia	the explict case to deny is if it is accessible, not explicitly public, and the owner of image != the requestor's project	18:37
TheJulia	where the existing code is wrong, is it has this weird assumption that any request with an auth_token makes the image visible	18:38
JayF	and it's safe to not care about if the project_id is "requestor" (human) or "requestor" (conductor auth)	18:38
TheJulia	which is wrong by default and it lets the check pass but the actual access fail later on	18:38
TheJulia	... I think	18:38
JayF	yeah, I agree	18:38
TheJulia	unless it is public or shared	18:39
JayF	yeah, I think I'm here, let me try to restate, with an assumption of DEFAULT DENY	18:39
JayF	allow if:	18:39
TheJulia	its like we have a matrix which is semi-dissimilar to another matrix and we're trying to do matrix math between the two	18:39
JayF	- image is public or shared	18:39
JayF	- image_id == project_id	18:39
JayF	- image is a ramdisk ** IF A CONFIG OPTION IS ENABLED ALLOWING THIS (I'm thinking we need this for backwards compat?)	18:40
TheJulia	yeah, possibly	18:41
TheJulia	a separate conditional for https://review.opendev.org/c/openstack/ironic/+/946575/2/ironic/common/glance_service/service_utils.py#173 is likely wise	18:41
TheJulia	could sort of be considered with https://review.opendev.org/c/openstack/ironic/+/946575/2/ironic/common/glance_service/service_utils.py#173	18:42
TheJulia	err	18:42
TheJulia	https://review.opendev.org/c/openstack/ironic/+/946575/2/ironic/common/glance_service/service_utils.py#184	18:42
JayF	ok, that is the config for ramdisk/kernel then	18:42
JayF	right?	18:42
JayF	that line 184 is basically the "image is a ramdisk" case except more properly genericized	18:43
TheJulia	CONF.ignore_project_check_for_admin_tasks ?	18:43
JayF	yes	18:43
TheJulia	no	18:43
TheJulia	So, basically the challenge is line 173 short circuits most of the later logic	18:44
TheJulia	you'll basically be guarneteed from a user request of any type to have a token	18:44
JayF	yeah	18:44
TheJulia	that token disappears	18:44
TheJulia	so if the conductor has to do a thing in any deferred fashion	18:45
JayF	e.g. cleaning with a reboot	18:45
TheJulia	yes	18:45
JayF	which is how satoshi stumbled on this in the first place	18:45
JayF	ramdisk image was private, not shared, and cleaning started after a provide but didn't continue after reboot	18:45
TheJulia	so 184, with the original user context of the request, is "is this person an admin of any project"	18:45
TheJulia	and if so, then they are granted access under the model	18:46
TheJulia	me hopes this is becoming more clear	18:46
JayF	is_image_available ... does that even have the information needed to answer the question of "is this a ramdisk/system-tool-image or is it a image I'm writing to disk"	18:47
TheJulia	It is written in the latter context	18:47
TheJulia	the former gets applied for first pass activity	18:47
TheJulia	so, doing the check as proposed to gain the conductor's context itself, works, but that also has its own access, that would allow a return true	18:48
TheJulia	I think the idea is to move the new logic to way down just before returning False	18:49
TheJulia	so we do the first pass, we do any additional negitive case checking which we identify, then if necessary we apply the conductor access context	18:50
TheJulia	to handle the reboot case	18:50
TheJulia	and likely, the intermediate negative casing to explicitly test for is if we'll loose access to it somehow	18:50
TheJulia	that should be detectable, but it would be private image	18:51
TheJulia	in such a case, we likely need to return false and fail early on because that makes the failure case discoverable upfront	18:52
TheJulia	am I making sense now that I've completed the context load	18:52
JayF	I'm a little lost but I put the method is_image_available in the bottom of satoshi's etherpad	18:53
JayF	and am trying to express what you're saying in python since I can't understand it in prose lol	18:53
TheJulia	k	18:54
JayF	shared images are a rough case here too	18:56
JayF	satoshi: we have some code and comments in the bottom of https://etherpad.opendev.org/p/jqeQ6qI6PpW-9VVPqxyx	19:00
TheJulia	yeah, they are	19:01
TheJulia	let me move to the table with a microphone	19:01
JayF	I need to step away for a few minutes, so if you wanted to sync now() I need like, 10	19:02
TheJulia	sure	19:02
JayF	TheJulia: satoshi: now?	19:12
TheJulia	https://meet.google.com/rpp-tuec-cth ?	19:12
JayF	TheJulia: satoshi: https://docs.openstack.org/api-ref/image/v2/#list-image-members	19:23
JayF	team photo in case anyone wanted a copy https://usercontent.irccloud-cdn.com/file/UzlXQTPJ/ironic-ptg-team-photo-20250409.png	20:37
opendevreview	Jay Faulkner proposed openstack/ironic master: Mark SNMP driver unsupported for removal https://review.opendev.org/c/openstack/ironic/+/946843	21:43
opendevreview	Jay Faulkner proposed openstack/ironic master: Mark SNMP driver unsupported for removal https://review.opendev.org/c/openstack/ironic/+/946843	21:44
opendevreview	Julia Kreger proposed openstack/ironic master: provide host_id to neutron early on https://review.opendev.org/c/openstack/ironic/+/946378	22:08
TheJulia	^ == pain	22:08
TheJulia	but hey, should be a better case now and I think would largely address johnthetubaguy's thought of concern because if the vif was bound previously on the wrong segment, because I think that is a hard fatal failure case we just need to allow surface.	22:12
TheJulia	JayF: re https://review.opendev.org/c/openstack/ironic/+/946378/4/doc/source/admin/networking.rst#183 can you clarify your comment ?	22:18
TheJulia	I'm not sure I understand what your talking about	22:19
JayF	> binding state can generally be relied upon	22:25
JayF	I'm reading this from an operator standpoint, wouldn't an operator see the port bound even when the instance wasn't yet active?	22:25
JayF	or am I in wrong context for that section	22:25
TheJulia	yeah, so it is the job of the ML2 plugin to be succesful or fail	22:27
TheJulia	for ``neutron`` network_interface, that should be handled	22:27
TheJulia	for ``flat`` it basically is binding fail unless networking-baremetal is running	22:27
JayF	so just because we tell it to bind, doesn't mean it actually binds? so the initial, "fake host_id" bind will still show as failed to bind?	22:27
TheJulia	networking-baremetal has a noop for the flat case to force it to be listed as successful	22:27
TheJulia	because... yeah, ML2	22:28
JayF	ack	22:28
TheJulia	does that make more sense?	22:28
JayF	Is this a proper response on the review? > I talked to Julia about this: essentially even though we tell neutron to bind the port early, it should not show as bound because the ML2 driver will not bind it. This means it'll only show as bound (in the neutron case) when the bind is successful.	22:28
JayF	If that's true, I get it :D	22:29
TheJulia	I'm still revising text, fwiw	22:32
JayF	okay but my understanding is right?	22:32
* JayF wants to mash the gerrit button		22:32
TheJulia	the paragraph above the note indicates it will end up in active no matter what	22:33
TheJulia	or at least, should	22:33
TheJulia	that state may change	22:33
TheJulia	the second note is much more about "reliability of the state"	22:33
TheJulia	For lack of an acutal state	22:33
TheJulia	It is sort of like we're doing a soft bind with no backing data	22:33
TheJulia	aside from the host_id to allow placement/network mapping stuffs to do the thing and IP addresses to be allocated	22:34
JayF	oh, I grok what we're doing, I'm just pleasantly surprised that in the neutron case the states remain mostly accurate	22:34
TheJulia	yeah, its... nuanced but yeah. It feels like one could write a book on this alone	22:35
JayF	Last time I was operating ironic clouds, the binding state of an ironic port was 🤷‍♂️ more or less :D (again: this is old experiences in highly patched clouds)	22:35
opendevreview	Julia Kreger proposed openstack/ironic master: provide host_id to neutron early on https://review.opendev.org/c/openstack/ironic/+/946378	22:36
TheJulia	yeah, fun times	22:37
* TheJulia wants ice cream now		22:37
JayF	+1 that I'm happy to update to a +2 when the time comes :)	22:39
TheJulia	ack ack, I'm calling it a day	22:41
TheJulia	it might have been best when I wanted to apparently rename neutron to mewtron	22:42
JayF	you can, but only the star, not the software project	22:43
JayF	then it'll finally make sense how cats can weigh infinite pounds when they're laying on your blanket	22:43
TheJulia	awwww :(	22:43
TheJulia	but mewtron needs scritches	22:44
* TheJulia goes and provides scritches to the feline employers		22:44
opendevreview	minwoo seo proposed openstack/ironic master: Add `api-call` action for ironic inspection rule https://review.opendev.org/c/openstack/ironic/+/946741	23:06

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!