Wednesday, 2026-04-29

opendevreviewJad Haj Yahya proposed openstack/ironic master: Fix Lenovo SR645 V3 boot loop after RHCOS install  https://review.opendev.org/c/openstack/ironic/+/98659705:27
opendevreviewJad Haj Yahya proposed openstack/ironic master: Fix Lenovo SR645 V3 boot loop after RHCOS install  https://review.opendev.org/c/openstack/ironic/+/98659711:11
opendevreviewJad Haj Yahya proposed openstack/ironic master: Fix Lenovo SR645 V3 boot loop after RHCOS install  https://review.opendev.org/c/openstack/ironic/+/98659711:33
cardoejanders: you hear from iury? He was going to send an invite to me but I haven’t gotten anything11:44
janderscardoe yes, let me resend11:44
iurygregorygood morning ironic12:07
cardoeMorning.12:22
cardoeiurygregory: I’ve got a naughty box with a BIOS update… https://etherpad.opendev.org/p/cardoe-bad-bootprogress12:23
iurygregorycardoe, OMG12:24
TheJuliaewwwwww12:56
TheJuliacardoe: did it stay that way?13:06
TheJuliawas it having an OEM party in setup?13:06
cardoeYeah and that's normal.13:06
TheJuliaInquiring minds must know on the bare metal sitcom.13:06
TheJuliawut13:06
cardoeSo when its displaying their graphical progress bar of stuff (like doing the BIOS settings change) it reports OEM13:06
TheJuliaoh, okay13:07
TheJuliaThat... is sort of expected13:07
TheJuliatranslation: they have sub-states that they couldn't build consensus on13:07
cardoecurl 'https://10.97.16.13/redfish/v1/Systems/System.Embedded.1' | jq '.BootProgress.LastState' reported 'null' when I expected to see Ironic print a log message.13:07
TheJuliaand they are hiding in that, so the oem data might say something like "memory checking"13:07
cardoeconductor needs to be restarted to even attempt to poll the state of the box13:07
TheJuliaoh, we break down there? :(13:08
cardoeyeah the box is stuck in "clean wait"13:09
cardoeand has booted into the previous OS13:09
cardoeWe tried to use custom runbooks for cleaning to add a step to ensure that the right BIOS settings were always on the box to ensure we could get into IPA13:10
cardoeWhat I'm wondering is if BootProgress was null instead of a dict and an exception was thrown inside of the function and our @node_periodic wrapper doesn't catch any exception and then stops checking?13:20
cardoeor if our code to check if any pending changes are there is bad and throwing an exception13:20
cardoeI just cannot believe an exception is quietly swallowed.13:20
cardoeBut I just don't know where it's going13:21
TheJuliaThat is possible13:21
TheJuliaWe HAVE seen some weird edge cases like that in the past, where in state change we catch it literally in that transition so what we get it sort of out of spec or doesn't make sense13:21
TheJuliaThis would be a more egregious example, but yeah13:22
iurygregorywow, that is crazy .-.13:22
cardoeoh wtf13:23
TheJuliacardoe: big words please ;)13:23
cardoeIt's not swallowed. It's just not passing the check and we're coming out of an unlogged case.13:23
TheJuliaoh, that would do it as well13:24
cardoeSo I'm visually comparing the step data which are the settings we expected to be changed.13:24
cardoeTo what's actually on the box.13:24
cardoeAnd HttpDev1Interface and HttpDev2Interface are swapped.13:24
cardoeFrom what the step has in it.13:24
cardoebah and it just logged that13:25
cardoeoh but (not on IRC) restarted the conductor. Lemme got smack them with a noodle. Cause they ruined my test environment.13:26
cardoeBut yeah if a setting doesn't change (or cannot change) there's no way to abort out now.13:27
cardoeI feel like we should have a timeout value in that to just fail the step after a while.13:27
TheJuliacardoe: that seems like why wet cats exist, although instead of tossing them, I suggest you dry them and let them cuddle with you on your lap/sholders/head while you are on the needful "why did you do that!?!" call ;)13:27
cardoeohhh I see why13:28
* cardoe shakes fist at Dell.13:28
* TheJulia notes step 2 is ????? and step 3 is feline world domination13:28
TheJuliado tell!13:28
cardoeTheJulia: doggos are nicer. cats come at me with hate lasers13:28
cardoeSo we set the HttpDev1Interface and enable it. We're "clearing" the HttpDev2Interface to the default but also disabling it. When the field is disabled you cannot change the interface value.13:29
TheJuliacardoe: you have to let them sit on your head so they may capture your brain's thermal output.13:30
iurygregorycat with lasers do exist13:30
iurygregory:D13:30
TheJuliaso do sharks!13:30
iurygregoryyup!13:31
cardoeI have a little welsh terrier that is the more cat than some cats.13:33
cardoeyeah so the API accepts that change for pending. And then the job that's created drops the interface name change cause of the disabled.13:33
TheJuliaMy corgi was basically raised by cats...13:34
cardoeStill don't know why the main interface name didn't change either... I can understand the disabled one.13:34
cardoeBut yeah... we need an escape hatch when the BIOS settings haven't applied for a while. Cause right now the only thing I can do is edit the DB or manually change the box until ironic is happy.13:34
cardoeAfter restarting conductor to make it restart the BIOS settings checks.13:35
cardoeSo some sharp edges be here.13:35
cardoeAnyone have any further on https://review.opendev.org/c/openstack/ironic/+/984663 or can I +W it?13:36
cardoeI wanna write some tempest tests and the client side today.13:36
TheJuliaThere are always sharp edges around firmware/bios settings, unfortunately we have to find them the painful way :(13:38
iurygregoryI would say is ok to +W13:38
cardoeTheJulia: yep that's my goal this cycle13:39
iurygregorywas about to mention releasenote, but up to you cardoe o/13:40
TheJuliacardoe: one comment left on that, please take a look, but otherwise I workflowed it13:40
TheJuliaiurygregory: I think he needs to revisit it anyway but it can be in follow-up13:40
iurygregoryTheJulia was faster hehe13:40
iurygregoryyeah, I also didn't want to re-run full CI because of a releasenote, unless something was really necessary 13:41
cardoeTheJulia: so can you point me to an example of what to do with the version?13:41
TheJuliaI'm seriously wondering if you even need to specify the version13:42
TheJuliayour just doing object hydration right?13:43
TheJuliatruthfully, objects should be hydrated at the object layer, not the db model13:43
TheJuliaand interaction layer13:43
fricklerthere seems to be a regression in ipa for raid setups, see https://bugs.launchpad.net/ironic/+bug/215050213:51
TheJuliaso, distros are now shipping singed artifacts which don't grok software raid13:53
TheJuliagee, sounds like software raid is on it's way out then.13:53
TheJulia(kind of a hard take, but it means caring has dropped to zero as computers are disposable then)13:53
TheJuliaproblem 3 on that seems like it needs to be addressed in the dib build process. problem 2 seems like something Ironic can fix13:54
frickleryes, problem 2 specifically is the regression I was referring to, should've been more explicit13:55
TheJuliafrickler: looks like that is non-secure-bootable as a result of problem 1 in general13:55
TheJuliato be fair, and focus discussions, it might be worthwhile to futher delineate that item since we can't really fix #1's base issue, #2 doable, #3 much more a starting state issue which is distro specific i.e. likely a dib element fix13:56
fricklerwell not sure how much influence the larger ironic community could have on grub packagers regarding #1, but I agree only #2 is directly actionable. maybe some better documentation for #1 could be helpful and could see some future where I do that myself13:59
TheJuliaIronic basically has no pull. Some minor respect at RH, but they are focused on minimizing the cases they must support and trying to direct to systemd-boot14:01
TheJuliabetter docs on #1 would be totally fair14:02
fricklerso maybe switching to gummiboot would be the path forward. tbh I never looked at that before14:05
cardoeiurygregory: I still think we have a bug because the settings change that ironic via sushy would have done return back a 400 error... so before we can even get into that deadlock case of checking... we should have seen the 400 and not proceeded.14:06
TheJuliaI'm not sure we can really force/assert that forward at the ironic level. The issue seems more rooted at the cases folks contributing on that level care about are reducing in focus to the most common use cases and software raid I guess is becoming a fringe approach. That itself likely needs to be a doc callout though.14:10
JayFI was hoping to land https://review.opendev.org/c/openstack/ironic-specs/+/986018 today but there are still members of the community who haven't reviewed it 14:27
JayFI'm going to land it sometime after 9 today my time (~90-120 minutes) ; if you haven't provided feedback please do so14:28
JayFas I'll be recording my PTG summary video based on the contents of this very soon14:28
TheJuliaack ack14:39
opendevreviewArmin proposed openstack/ironic master: fix: oci image service handling webserver_verify_ca when it's string  https://review.opendev.org/c/openstack/ironic/+/98666814:53
opendevreviewMerged openstack/ironic master: build runbook traits via ORM relationship in create_runbook  https://review.opendev.org/c/openstack/ironic/+/98466315:00
TheJuliahttps://bugs.launchpad.net/ironic/+bug/2150628 sounds like a fun one, I bet the vendor is not being captured/identified as we expect for lenovo gear :(15:27
TheJuliaI requested baremetal node show output, I guess this is coming out of Red Hat's own work, but we're going to need that output to understand15:28
opendevreviewArmin proposed openstack/ironic master: fix: oci image service handling webserver_verify_ca when it's string  https://review.opendev.org/c/openstack/ironic/+/98666816:09
iurygregorycardoe, yeah if we get 400 we should not proceed, but I seem to remember places where with 400 we would retry some operations, not sure if its our case here16:49
iurygregoryTheJulia, Jad is from my team16:50
TheJuliacool, but we can't reproduce in upstream context17:03
iurygregoryyeah ...17:03
JayFTheJulia: https://bugs.launchpad.net/ironic/+bug/2148317 is now public if/when you wanna push to gerrit17:46
opendevreviewJulia Kreger proposed openstack/ironic master: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98669817:48
TheJulia^^^17:49
JayFcid: can you please work with TheJulia to draft an OSSA for this issue and get the patches backported. This is another public security bug, like the console one we did the other day.17:50
JayFSince it's not embargoed, you can propose the patch to add the OSSA directly to the ossa/ repo for code review by Ironic+VMT17:50
cardoeI commented on the release note about wording.17:54
cardoeI don't even know what molds is.17:54
TheJuliafair, I'm going to start working on a follow-up patch to rip molds entirely17:54
TheJuliaI do want to verify CI passes, but really its way outside the tested path as well17:55
cidJayF, Alright, let me see to that. 17:56
cidiurygregory, when you get some review time, I had proposed release cuts for a security fix the other day. I believe we need a vote from the release liaison, and I also need the review since it's my first release cut PR.17:56
cidmaster, and the 4 maintained stable branches17:57
TheJuliaJayF: I'll revise that patch as soon as I have initial feedback from CI, doug's feedback is solid but I need to wordsmith it a little18:03
JayFI will be heading to the airport in mere hours, so you may have to get +2s from others, but there are others now :D18:03
TheJuliayeah, I don't think that will be much of an issue in like an hour18:04
JayFI said hours but I haven't packed so from upstream POV I'll be gone sooner lol18:04
iurygregorycid, sure, on it18:05
TheJuliadude, go pack.18:05
* TheJulia goes and retreives frozen pizzas for the wifey18:05
iurygregorycid, Dalmatian went EOL no? or it was other branch /me checks18:05
cidDalmation is 2024.2 which should be maintained.18:06
iurygregoryhttps://review.opendev.org/c/openstack/releases/+/98497418:07
iurygregorynot really... 18:08
iurygregoryin theory we probably won't need https://review.opendev.org/c/openstack/releases/+/986449/ since we can update https://review.opendev.org/c/openstack/releases/+/98497418:08
iurygregoryand include in the eol tag..18:08
iurygregoryat least I think it would make sense, not sure what others think18:09
iurygregorywould you be ok in updating https://review.opendev.org/c/openstack/releases/+/984974 to include the right commit ?18:09
cidI am a little confused about what you mean18:10
TheJuliaso, until it has merged and the tag is set, we still need to18:11
TheJuliaTruthfully, odds are we'll backport on unmaintaed as well18:11
TheJuliabut only once we land it18:11
iurygregoryhttps://review.opendev.org/c/openstack/releases/+/984974 is not yet merged so we don't have the tag in place18:11
iurygregoryso we can just point the tag to the latest commit (which is the one with your security fix)18:12
iurygregoryand we won't need "26.1.6" tag18:12
iurygregorywe would have "2024.2-eol"18:13
cidOh, so, instead of the 2024.2-eol tag.18:13
cidI will push a patch now that you're still around and you see if that's what you mean :D18:14
cidGive me a moment18:14
iurygregoryI'm still around all day, just my working hours aren't normal :D 18:14
iurygregorylike, I'm going to the gym in 15min and I will be back working at night :D 18:15
iurygregoryso I will check things again later18:15
cid++, tks.18:15
cardoeSo question on policy and service users.... working on some of my mapping stuff.18:24
TheJuliawill I cry?18:26
cardoeIf I have my service users "nova" and "ironic" for example in service:service (domain:project) but then I have the owner of my nodes as infra:baremetal (domain:project form again). Should the "nova" user have the "service" role on infra:baremetal and authenticate in nova.conf with domain:project of infra:baremetal because I've changed rbac_service_project_name to "baremetal".18:29
cardoeWhich initially felt correct.18:30
cardoeBut now I'm looking at adding some other Ironic nodes with the noop driver for example which I don't want nova to interact with.... again... seems to work fine...18:30
cardoeBut then I theoretically want a "nova like scheduler" for those other devices....18:31
cardoeSo those other devices maybe live in infra:gavinbelsonsignaturebox So I don't know how my other thing would get the service role permission to those devices. Am I abusing Ironic too much? Or am I off the rails here?18:32
cardoeDo I need to go sit in the time out corner?18:34
TheJulialol18:36
TheJuliaNo, no timeout corner for you.18:36
cidiurygregory, I have updated the commit18:37
TheJuliaSo, the issue is merging a "service project" view of access, which is a weird sudo elevation of sorts which is configurable in ironic and the policy (yay, projects not wanting to do system scope) I think the "ironic" way is to scope limit both and leverage owner concepts18:38
TheJuliaso bifrucate on owner and have the rest of the fleet in the other "owner project"18:38
TheJuliadoes that make sense?18:38
TheJuliaor do I need to go to the timeout corner?18:38
cardoeThat's what I'm trying to do is bifurcate on owner and not make nova or anything else mad18:40
cardoeit looks like the endpoints nova hits might be "(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role" with the rule expanding to "(role:service and project_name:%(config.service_project_name)s)"18:40
TheJuliaso, config.service_project_name is not int the filter18:41
TheJuliaservice_role rule is booleanified if memory serves on startup18:41
TheJuliaso, not do that, and not really rely upon the service modeling at all but have the service project it uses be the owner18:41
cardoeIt's copied from [DEFAULT]rbac_service_project_name to config.service_project_name on startup.18:42
TheJuliaIf I'm properly groking the question18:42
TheJuliaoh, cool18:42
cardoeWell if I let nova see the gavin belson boxes, it throws a fit that they don't have resource_classes and properties and other stuff.18:42
TheJulia.... huh18:43
TheJuliathat seems... odd18:43
cardoeThey're essentially stand ins for networking automation.18:43
cardoeSo I have a project "julia" and you decide that you want a Gavin Belson Signature box so I assign it to you as a lessee just like Nova/Ironic interaction with a real device. But as part of that I can create Neutron ports on your network and "vif attach" through TBN can do the magic.18:44
cardoeSo I guess in a round about way we can blame Clif and JayF for this idea cause I was like hrm... I wonder if TBN could do the heavy lifting here.18:45
cardoeI might also need to step away to have some lunch and be randomly pinging people on IRC cause the welshie believes she's entitled to sit in my lap right now and moving would ruin her day.18:46
TheJuliasounds like the welshie is a cat ;)18:48
cardoesphinx-build: error: unrecognized arguments: -W -j auto -E -b html doc/source doc/build/html19:03
cardoeThat's weird when I run "tox -e docs"19:03
cardoeWell I let Claude rewrite my personas and deployments docs. I don't love it yet. But is there some way to see the rendered version when built with Zuul?19:07
opendevreviewDoug Goldstein proposed openstack/ironic master: docs: add deployment scenarios and user personas guide  https://review.opendev.org/c/openstack/ironic/+/98670219:11
cardoeI'll push it anyway since I've gotta take the kids for braces.19:11
opendevreviewJulia Kreger proposed openstack/ironic master: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98669819:13
clifcardoe: huh, docs is failing for me locally now, there's a bunch of warnings now about some api docs not being included in any toctree19:25
clifis that what you're running into? my main question is how did that sneak in without the build failing in gerrit19:26
cardoeI dunno. I didn’t have api errors.19:33
clifalso I have seen this error before: `sphinx-build: error: unrecognized arguments: -W -j auto -E -b html doc/source doc/build/html` but it shouldn't fail the build19:33
clifit's like a spurious invocation but I haven't been able to track down where it happens19:34
clifhmmm maybe my tree is unclean somehow19:34
TheJuliacardoe, iurygregory, clif: https://review.opendev.org/c/openstack/ironic/+/986698 could use quick reviews19:35
TheJuliastevebaker[m]: thanks!19:35
cardoeReviewed.19:36
clif+219:39
opendevreviewJulia Kreger proposed openstack/ironic master: Remove deprecated configuration molds feature  https://review.opendev.org/c/openstack/ironic/+/98670320:03
opendevreviewJulia Kreger proposed openstack/ironic-python-agent master: Preserve ESP filesystem label during software RAID relocation  https://review.opendev.org/c/openstack/ironic-python-agent/+/98670720:39
guilhermesp___hi ppl! aside from my saga with software raid ( i made it to work with ubuntu at least ) -- im still facing a blocker with supermicro deprovisioning process.... tried to put together what i observed so far and things ive tried https://paste.openstack.org/raw/bfcnkrwJYFWrmvHBDeA5/ 20:54
guilhermesp___thanks for 986707 btw TheJulia . I might try it as soon as i uncover this issue ( which happens with raid or non-raid ) 20:55
TheJuliaI didn't try it, but its what claude is thinking and seems straight forward20:55
TheJuliaguilhermesp___: are you using ipmi or redfish?20:56
guilhermesp___i tried both20:56
guilhermesp___so sticking with ipmi right now 20:56
TheJuliaso, basically with ipmi, supermicro doesn't really convey reality20:57
TheJuliaand they are super opinionated yet also in the club of "not investing in ipmi"20:57
guilhermesp___i was thinking that there was no investing on redfish actually lol 20:58
TheJuliaso, if you could collect data with redfish, likely better20:58
guilhermesp___ive even read some release notes from latest bios version 20:58
TheJuliawith some supermicro gear, I've literally had to query raw data out20:58
TheJuliawhich is a pain20:58
TheJuliaeh, I doub't it given DMTF is active and IPMI is a dead standard.20:59
TheJuliaThere is totally this pool of folks who want to just send raw data and not document it21:00
guilhermesp___yesterday i read this https://www.supermicro.com/Bios/softfiles/28082/H11DSU-iN_BIOS_v3_5_Release_Notes.pdf , specifically BIOS R3.0 (07/12/2024) changelog, item #25 and i had hope. but hope was destroyed on the subsequent test 21:00
TheJuliabut... redfish is more about surfacing allt he details21:00
opendevreviewJulia Kreger proposed openstack/ironic master: Document software RAID image compatibility caveats  https://review.opendev.org/c/openstack/ironic/+/98671821:09
opendevreviewStephen Finucane proposed openstack/python-ironicclient master: Add missing py.typed file, typing classifier  https://review.opendev.org/c/openstack/python-ironicclient/+/98671921:10
iurygregorypoor guilhermesp___ =( good luck bro21:21
TheJuliacardoe: that audit discussion might actually bring about system scope ;)21:21
TheJuliaat least, more adoption of it21:21
guilhermesp___thx iurygregory lol im persistent, i might try more tomorrow. Enough for today 21:26
iurygregory++21:40
opendevreviewMerged openstack/ironic master: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98669821:50
iurygregorycardoe, we lost you22:10
TheJulia?!?!?!?22:11
iurygregorywe are having a meeting22:11
TheJuliaahh, didn't realize22:11
opendevreviewJulia Kreger proposed openstack/ironic master: Fix RBAC field redaction when owner not in requested fields  https://review.opendev.org/c/openstack/ironic/+/98672322:55
TheJuliadtantsur: that is exactly what I thought was going on when we were talking22:56
opendevreviewJay Faulkner proposed openstack/ironic stable/2026.1: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98672523:05
iurygregorydinner time now :D 23:12

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!