| opendevreview | Dmitry Tantsur proposed openstack/ironic stable/2025.2: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986737 | 06:43 |
|---|---|---|
| opendevreview | Verification of a change to openstack/ironic master failed: Fix RBAC field redaction when owner not in requested fields https://review.opendev.org/c/openstack/ironic/+/986723 | 07:10 |
| opendevreview | Verification of a change to openstack/ironic stable/2026.1 failed: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986725 | 08:29 |
| opendevreview | Verification of a change to openstack/ironic master failed: Remove deprecated configuration molds feature https://review.opendev.org/c/openstack/ironic/+/986703 | 08:38 |
| opendevreview | cid proposed openstack/ironic stable/2025.2: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986737 | 10:29 |
| opendevreview | cid proposed openstack/ironic stable/2025.1: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986767 | 10:30 |
| dtantsur | if anyone has braincycles, this is a very confusing bug https://bugs.launchpad.net/ironic/+bug/2150735 where I'd appreciate any hints | 11:01 |
| dtantsur | rpittau: hey, could you more or less urgently release fixed sushy at least for 2026.1? | 11:37 |
| dtantsur | (I guess master as well to get u-c updated) | 11:43 |
| opendevreview | Verification of a change to openstack/ironic master failed: Fix RBAC field redaction when owner not in requested fields https://review.opendev.org/c/openstack/ironic/+/986723 | 11:43 |
| iurygregory | dtantsur, this SameFileError is really strange o.o | 11:48 |
| dtantsur | VERY strange | 11:49 |
| dtantsur | unfortunately, I don't have the beginning of Ironic logs to see what caused that. But it's repeaed in the logs over and over again (together with sqlite locks) | 11:49 |
| iurygregory | wondering if is a crazy race condition.. , maybe the scenario for this to reproduce is a setup very slow where things didn't finish to clean-up? | 11:50 |
| iurygregory | if I recall we from time to time we remove the boot-<uuid>.iso right? | 11:51 |
| dtantsur | Maybe. Supposed to be a new lab though. I've requested new logs. | 11:51 |
| dtantsur | We do remove it. I just don't understand how it ends up being the *source* file | 11:51 |
| iurygregory | yeah, the logic we had I always though it was enough lol | 11:51 |
| iurygregory | is there a chance someone is trying to adopt a BMH and it has the same UUID from one that is being provisioned? (just collecting some crazy ideas XD) | 11:52 |
| dtantsur | It is supposed to be a routine deployment.. | 11:53 |
| iurygregory | this one will require an ironic coffee machine | 11:54 |
| dtantsur | indeed :D if you have any cycles, could you ask Claude about it? | 11:54 |
| iurygregory | yup, will try that | 11:54 |
| rpittau | dtantsur: https://review.opendev.org/c/openstack/releases/+/986784 | 12:13 |
| dtantsur | thanks! | 12:14 |
| TheJulia | good morning | 13:36 |
| opendevreview | Doug Goldstein proposed openstack/ironic master: fix: drop version from runbook traits v2 https://review.opendev.org/c/openstack/ironic/+/986806 | 13:52 |
| cardoe | TheJulia: ^ is that what you were looking for? | 14:14 |
| TheJulia | I think so! | 14:17 |
| opendevreview | Julia Kreger proposed openstack/ironic stable/2026.1: ci: stable: disable metal3 CI jobs https://review.opendev.org/c/openstack/ironic/+/986812 | 14:23 |
| opendevreview | Julia Kreger proposed openstack/ironic stable/2025.2: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986737 | 14:29 |
| opendevreview | Julia Kreger proposed openstack/ironic stable/2025.1: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986767 | 14:30 |
| opendevreview | Julia Kreger proposed openstack/ironic stable/2024.2: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986815 | 14:43 |
| opendevreview | Julia Kreger proposed openstack/ironic unmaintained/2024.1: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986816 | 14:44 |
| opendevreview | Julia Kreger proposed openstack/ironic unmaintained/2023.1: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986817 | 14:49 |
| JayF | cid: gouthamr is going to run CVE paperwork for the drac molds issue, if you need help/reviews on the ossa he's your guy :D | 14:51 |
| TheJulia | JayF: Thanks! Have a good rest of the week | 14:54 |
| TheJulia | cid: slight issue on the OSSA-2026-008 item. shouldn't we have done the same fix on the shellinabox invocations? | 15:23 |
| TheJulia | In other words, not just backporting, but expanding the scope on backport to meet the reported issue | 15:24 |
| TheJulia | I guess the flip side is shellinabox is really moot, and the prime needful is socat which is easy for users to turn on and use | 15:32 |
| TheJulia | I guess the OSSA is good in context setting since its setting that it just shouldn't be used (that being shellinabox) | 15:33 |
| elodilles | hi ironic team, just a quick question: i'm about to approve ironic's stable/2024.2 to EOL patch ( https://review.opendev.org/c/openstack/releases/+/984974 ) and i see that there is a security-related fix that landed recently to ironic. don't you want to do a final release of it? (not necessary, but this is the last chance to do that o:)) | 16:15 |
| elodilles | also I see that there is another sec fix incoming :S https://review.opendev.org/c/openstack/ironic/+/986815 | 16:18 |
| elodilles | (note, though, that you should take extra care with the final release as we are deleting the branch afterwards, so there is no possibility to fix/re-release 2024.2 if the final release has any regression :S) | 16:19 |
| iurygregory | elodilles, we have a few security fixes incoming... | 16:21 |
| iurygregory | =X | 16:21 |
| iurygregory | my plan was to change the hash on ironic for the 2024.2-eol to include all security fixes (instead of doing multiple releases) not sure about the best approach.. | 16:22 |
| JayF | elodilles: ideally we'd capture what's already committed, but if we wait for no security bugs in the pipe, we might be waiting awhile, judging on the number of OSSAs issued already | 16:22 |
| * iurygregory was afraid of this ^ | 16:23 | |
| elodilles | JayF iurygregory : does it mean hours, or weeks? o:) just asking, because if the latter, then i think the best is to EOL now o:) | 16:25 |
| JayF | elodilles: I would suggest to not wait on us, make sure that what lands reflects the end of the branch when it lands. Likely that should include the config molds fix. | 16:25 |
| iurygregory | there is one afaik https://review.opendev.org/c/openstack/ironic/+/986815 | 16:25 |
| iurygregory | this one right JayF ? ^ | 16:25 |
| opendevreview | Merged openstack/ironic stable/2026.1: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986725 | 16:26 |
| JayF | yep, landi... ^^^ | 16:26 |
| JayF | I'll approve 25.2 now | 16:26 |
| TheJulia | iurygregory: we'll just end up dropping them on unmaintained in that case if it exists :) | 16:28 |
| TheJulia | in other words, don't wait, do the needful, we can always also repropose sort of what JayF was saying | 16:29 |
| elodilles | note that 2024.2 will be deleted (EOL) as it is not a SLURP branch | 16:29 |
| JayF | we can't repropose TheJulia | 16:29 |
| JayF | it's gonna be gone gone | 16:29 |
| iurygregory | oh wow | 16:29 |
| JayF | that's why it'd be ideal to get the molds fix in before 2024.2-eol is cut | 16:29 |
| TheJulia | fine with me whatever the outcome is | 16:29 |
| JayF | iurygregory: yeah, it's the real benefit of unmaintained+slurp: we end up with half as many old branches | 16:29 |
| JayF | iurygregory: it's sorta WTF the first time you notice, but the more you think about it the more it makes sense | 16:30 |
| iurygregory | JayF, yeah =) | 16:30 |
| TheJulia | JayF: I was saying generally, but also fine with the branch just going *poof* | 16:30 |
| JayF | yeah sa | 16:30 |
| JayF | **same generally | 16:30 |
| JayF | but this one is close so ideally we could land it | 16:31 |
| iurygregory | can't we just +W https://review.opendev.org/c/openstack/ironic/+/986815 ? I know ideally we should wait on the "backport sequence" ... | 16:31 |
| JayF | idk how ambitious that is, honestly might depend on how much we care about ... ^^^ yep iurygregory is pointing in the direction I am | 16:31 |
| elodilles | i need to commute home soon, probably be back later today for a while, or i can take a look tomorrow (i'll be on PTO, but will have the chance to take a look some time during the day) if needed | 16:31 |
| JayF | elodilles: unless it'll give you heartburn, I think we'll approve the 24.2 change r/n even if it skips the line so it can get in | 16:32 |
| iurygregory | ++ | 16:32 |
| iurygregory | and we can update the hash and have the release patch ready to go | 16:32 |
| elodilles | JayF: i won't look, do as you see fit :] | 16:32 |
| elodilles | iurygregory: +1 | 16:33 |
| iurygregory | only zuul will look :D | 16:33 |
| elodilles | fingers crossed :] | 16:33 |
| JayF | okay then I totally won't tell you that we should have that new sha in 2 hoursish | 16:33 |
| JayF | lol | 16:33 |
| elodilles | :D | 16:33 |
| elodilles | +1 | 16:33 |
| JayF | Thanks elod, I appreciate the reach out :D | 16:33 |
| iurygregory | AI is starting to write things on irc | 16:33 |
| elodilles | :D | 16:33 |
| iurygregory | there is no human talking on this channel =) | 16:34 |
| elodilles | JayF: no problem, thanks for taking care of the dying branch o:) | 16:34 |
| iurygregory | I`ll be back in about 2hrs, I have a doc appointment o/ | 16:35 |
| JayF | iurygregory: you're absolutely right, I'm a language learning model made of meat | 16:35 |
| JayF | :D | 16:35 |
| iurygregory | lol | 16:36 |
| kelvinasante[m] | Hi, I realized I accidentally submitted my Outreachy application under the wrong project. My work is for the Ironic project. I’ve emailed the mentors with the correct links. | 17:11 |
| TheJulia | iurygregory: the idea of AI enabled IRC makes me super worried for the human species survival. | 17:13 |
| gouthamr | hey cid, i've a question on the affected versions for https://bugs.launchpad.net/ironic-python-agent/+bug/2148310 | 17:18 |
| gouthamr | cid: grub-install is ancient in the agent.. would >=2.0.0 be appropriate? | 17:19 |
| TheJulia | gouthamr: grub version has nothing to do with the bug | 17:21 |
| gouthamr | TheJulia: not the grub version, i'm trying to locate the code that is affected, and when it was added | 17:22 |
| cid | gouthamr, I am actually seeing that bug for the first time now since it just went public | 17:22 |
| gouthamr | https://github.com/openstack/ironic-python-agent/compare/1.5.2...2.0.0#diff-2ac3e3f56d389db15b980c3471cb49965be083d4221667e009a4916595ef8a40R119-R131 | 17:22 |
| TheJulia | Oh. heh | 17:23 |
| gouthamr | ^ this is where i landed.. but i could be completely off :) | 17:23 |
| TheJulia | hmmmmm | 17:24 |
| gouthamr | cid: ack, i'll let you investigate.. my current thought was to find the first use of "grub-install" and find the version of ipa that shipped with it | 17:24 |
| TheJulia | technically, 1.0.0 had the same basic issue | 17:25 |
| TheJulia | so, this has been around for *ages* | 17:25 |
| TheJulia | But, there is a mitigating factor | 17:27 |
| TheJulia | In those days, you could deploy admin set public images | 17:27 |
| gouthamr | i see, so i can use '>=1.0.0 <=11.5.0' as the affected versions. | 17:28 |
| gouthamr | super low chance that someone is running these really old versions still and would care to fix it | 17:29 |
| gouthamr | it's just proper documentation at best suggesting that this is an old vulnerability that'll be patched in 11.6.0 | 17:30 |
| gouthamr | does that make sense TheJulia cid | 17:30 |
| TheJulia | well, let me get you the details on the mitigating factor as well | 17:31 |
| TheJulia | trying to hunt that down now | 17:31 |
| TheJulia | since it is important contet | 17:31 |
| TheJulia | contet | 17:31 |
| gouthamr | thank you TheJulia | 17:32 |
| TheJulia | okay, found it, doing the archeology work to provide a concise statement | 17:32 |
| opendevreview | Verification of a change to openstack/ironic stable/2026.1 failed: ci: stable: disable metal3 CI jobs https://review.opendev.org/c/openstack/ironic/+/986812 | 17:45 |
| TheJulia | still working on it, switching brushes to a more fine detailed brush at the moment ;) | 17:45 |
| opendevreview | Merged openstack/ironic stable/2025.2: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986737 | 17:46 |
| TheJulia | https://www.irccloud.com/pastebin/WwfEuGAO/ | 17:49 |
| TheJulia | gouthamr: ^^^ | 17:49 |
| TheJulia | you may want to re-order that for an OSSA, but its the nuts and bolts of it | 17:49 |
| TheJulia | hopefully that makes sense | 17:50 |
| * gouthamr looks | 17:51 | |
| opendevreview | Merged openstack/ironic stable/2024.2: security: validate molds url against swift in keystone catalog https://review.opendev.org/c/openstack/ironic/+/986815 | 17:51 |
| TheJulia | so, basically, the bug has existed in IPA since the beginning of time, however there are mitigating aspects because IPA is driven by Ironic | 17:52 |
| gouthamr | ++ yes, that's super useful context.. admin-only before 17.0.0 - so less impact, a bit more with the owner/lessee model from 17.0.0, and really broad-surface from 30.0.0.. i'll note this in the CVE.. cid, would you like to take a stab at the OSSA for this still? i can share the blurb from the CVE if you will | 17:53 |
| * gouthamr will note that these versions pertain to ironic itself.. | 17:54 | |
| TheJulia | Also, fwiw, owners are expected to be trusted operators in the ironic context as well | 17:56 |
| TheJulia | They could be subdivisions of even the cloud operator's own cloud, or a partner institution with elevated access, and at that point, they "own" that hardware and are responsible for the entire scope of that | 17:56 |
| cid | gouthamr, Oh please share. I will use this opportunity to work on the OSSA for the molds change as well before my EOD. | 17:57 |
| gouthamr | ack and thank you both | 17:59 |
| gouthamr | CVE Request 2033972 | 17:59 |
| cid | I will ping you once I have a patch up | 18:04 |
| gouthamr | cid: sure thing | 18:04 |
| gouthamr | cid: here's an excerpt of what went into the CVE request: https://paste.opendev.org/show/b8i1lBSP00bwyL5SibNV/ | 18:06 |
| cid | ack'd w/tks. First draft on the way. | 18:12 |
| cid | So, none of the patches for https://bugs.launchpad.net/ironic-python-agent/+bug/2148310 is public yet. | 18:15 |
| cid | in gerrit | 18:15 |
| cid | gouthamr, Do I use 2033972 as the CVE id? | 18:31 |
| gouthamr | cid: nope that's the receipt number.. the CVE was filed today, 2026-04-30, you call call that out in the notes section.. | 18:33 |
| gouthamr | cid: ack, the OSSA can be WIP until patches show up.. | 18:33 |
| gouthamr | cid: here's an example of an OSSA with a pending CVE: https://review.opendev.org/c/openstack/ossa/+/984129/2/ossa/OSSA-2026-007.yaml | 18:34 |
| cid | +++++++++, alright. thanks! | 18:34 |
| gouthamr | be aware though, that at the rate we're publishing these, you may have to change the OSSA number on your draft closer to it merging | 18:35 |
| cid | True. Not a problem | 18:36 |
| cid | gouthamr, TheJulia... https://review.opendev.org/c/openstack/ossa/+/986850 | 19:23 |
| JayF | cid: I was hoping you'd write this up for https://review.opendev.org/c/openstack/ironic/+/986815 this set of bugs | 19:42 |
| JayF | cid: since those are landing now we need to release OSSA/CVE once we land all the stable patches | 19:42 |
| cid | TheJulia, I missed this, re "on the OSSA-2026-008 item. shouldn't we have done the same fix on the shellinabox invocations?". | 19:42 |
| cid | That was likely the better fix. My thinking was that we already ripped it out, so :shrugs: | 19:42 |
| JayF | cid: we'll use that ossa eventually (the proposed one; Clif and I literally just paired on it some IRL) | 19:42 |
| * JayF back to irl meeting land | 19:43 | |
| cid | JayF, I'm am working on an ossa for +bug 986815 at the moment | 19:45 |
| TheJulia | cid: I guess I might be over thinking concern of somebody thinking the fix is incomplete becasue in older branches it is still there, *shrug* | 20:25 |
| cid | I mean, it's a quick and easy fix that I can get something up and get it backported as well, since we won't need a new OSSA/CVE. | 20:28 |
| cid | Actually, I think I will just add that to my todos for tomorrow or weekend. | 20:29 |
| elodilles | iurygregory: thanks for the 2024.2-eol patch update. and you are sure, that you don't want to do a final release, just tag the tip of stable/2024.2 with 2024.2-eol, right? | 20:30 |
| elodilles | (now it's still possible to cut a release, in case you changed your mind o:)) | 20:34 |
| cardoe | So I see we're doing releases | 20:47 |
| cardoe | We need to do a release of sushy 5.10.1 | 20:47 |
| cardoe | ironic 2026.1 is incompatible with sushy 5.10.0 | 20:48 |
| cardoe | https://releases.openstack.org/constraints/upper/2026.1 lists sushy==5.10.0 | 20:49 |
| iurygregory | elodilles, I would say it's fine... | 20:53 |
| iurygregory | like, people can go and get 2024.2-eol it's a valid tag no? | 20:54 |
| elodilles | yes, it's a valid tag | 21:06 |
| elodilles | however it won't be listed on pypi and tarballs.openstack.org | 21:07 |
| elodilles | but otherwise yes, people can take the code from 2024.2-eol tag and package it themselves | 21:07 |
| opendevreview | Doug Goldstein proposed openstack/sushy stable/2026.1: Add missing __init__.py https://review.opendev.org/c/openstack/sushy/+/986861 | 21:08 |
| iurygregory | oh, interesting, I wasn't aware it wouldn't be listed on pypi.. | 21:08 |
| iurygregory | TheJulia, do you have thoughts? | 21:09 |
| TheJulia | who what huh? | 21:09 |
| iurygregory | if we should do a final release before 2024.2-eol | 21:10 |
| TheJulia | I take it there are patches there? | 21:10 |
| iurygregory | yup | 21:11 |
| TheJulia | Then, ideally yes | 21:11 |
| iurygregory | elodilles, it's ok to update adding 26.1.6 and the eol on the same patch? | 21:11 |
| elodilles | iurygregory: nope, a separate release patch is needed, as validator would fail if they are in the same patch :/ | 21:12 |
| TheJulia | otherwise, since its getting deleted, there is no release point to draw from | 21:12 |
| TheJulia | we should have just pulled the release trigger a while back :( | 21:13 |
| elodilles | iurygregory: this can be updated i guess: https://review.opendev.org/c/openstack/releases/+/986449 | 21:13 |
| iurygregory | elodilles, ack | 21:13 |
| iurygregory | doing now | 21:13 |
| iurygregory | elodilles, done | 21:14 |
| iurygregory | do we need to rebase https://review.opendev.org/c/openstack/releases/+/984974/ ? | 21:14 |
| elodilles | yes, that needs a rebase | 21:15 |
| iurygregory | ok, doing now =) | 21:15 |
| elodilles | thanks o/ | 21:16 |
| iurygregory | elodilles, done, let me know if its ok =) | 21:20 |
| cardoe | TheJulia: can we update Ironic 35.1.0 to depend on >=sushy 5.10.1? | 21:22 |
| cardoe | Like straight up didn't realize the two are busted together as released. | 21:23 |
| TheJulia | you mean the master branch state? | 21:24 |
| TheJulia | I can't believe we still have root_gb checks | 21:46 |
| cardoe | TheJulia: no I'm talking 2026.1 | 22:01 |
| TheJulia | oh shoot | 22:01 |
| TheJulia | no, we can't really... | 22:01 |
| TheJulia | at least in the repo, we can still cut 5.10.1 and allow it to be pulled in | 22:01 |
| cardoe | TheJulia: ironic 35.0.0 aka 2026.1 depends on sushy>=5.10.0 aka 2026.1 | 22:01 |
| cardoe | But ironic stable/2026.1 isn't compatible with 5.10.0 | 22:02 |
| cardoe | It needs 5.10.0 + patches | 22:02 |
| cardoe | We released 5.10.0 of sushy and then continued to test with sushy master | 22:02 |
| cardoe | https://review.opendev.org/c/openstack/sushy/+/986861 needs to land into stable/2026.1 as well | 22:02 |
| cardoe | Someone was working with the straight release packages and found it was broken and initially thought that stable/2026.1 worked and then hit a Dell issue. | 22:03 |
| iurygregory | cardoe, +W simple fix | 22:10 |
| iurygregory | going to drop now, see you monday everyone! | 22:10 |
| * cardoe waves. | 22:11 | |
| elodilles | just a heads-up here as well, that ironic's stable/2024.2 branches are tagged with 2024.2-eol -> https://review.opendev.org/c/openstack/releases/+/984974 | 22:18 |
| elodilles | and now i disappear too o/ | 22:18 |
| guilhermesp___ | TheJulia iurygregory JayF btw lesson learned... keep your supermicro bmc firmware up-to-date :P ps: its working better with ipmi | 22:21 |
| cardoe | garahada why is tox-docs so broken? | 22:24 |
| cardoe | https://review.opendev.org/c/openstack/sushy/+/986861 I don't understand what's busted. | 22:24 |
| opendevreview | Doug Goldstein proposed openstack/sushy stable/2026.1: Add missing __init__.py https://review.opendev.org/c/openstack/sushy/+/986861 | 22:28 |
| opendevreview | Doug Goldstein proposed openstack/ironic master: fix: drop version from runbook traits v2 https://review.opendev.org/c/openstack/ironic/+/986806 | 22:32 |
| cid | Someone should snaity-check this for me before I submit https://usercontent.irccloud-cdn.com/file/Vtcd9CSL/image.png | 22:47 |
| cid | https://usercontent.irccloud-cdn.com/file/xzgKSLla/image.png | 22:48 |
| cid | JayF, TheJulia, I have initial draft for the OSSA https://review.opendev.org/c/openstack/ossa/+/986863 | 22:52 |
| TheJulia | So, its not code execution. Just information disclosure | 22:54 |
| cid | Okay. thanks. Submitting now | 23:13 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!