Thursday, 2026-04-30

opendevreviewDmitry Tantsur proposed openstack/ironic stable/2025.2: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98673706:43
opendevreviewVerification of a change to openstack/ironic master failed: Fix RBAC field redaction when owner not in requested fields  https://review.opendev.org/c/openstack/ironic/+/98672307:10
opendevreviewVerification of a change to openstack/ironic stable/2026.1 failed: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98672508:29
opendevreviewVerification of a change to openstack/ironic master failed: Remove deprecated configuration molds feature  https://review.opendev.org/c/openstack/ironic/+/98670308:38
opendevreviewcid proposed openstack/ironic stable/2025.2: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98673710:29
opendevreviewcid proposed openstack/ironic stable/2025.1: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98676710:30
dtantsurif anyone has braincycles, this is a very confusing bug https://bugs.launchpad.net/ironic/+bug/2150735 where I'd appreciate any hints11:01
dtantsurrpittau: hey, could you more or less urgently release fixed sushy at least for 2026.1?11:37
dtantsur(I guess master as well to get u-c updated)11:43
opendevreviewVerification of a change to openstack/ironic master failed: Fix RBAC field redaction when owner not in requested fields  https://review.opendev.org/c/openstack/ironic/+/98672311:43
iurygregorydtantsur, this SameFileError is really strange o.o11:48
dtantsurVERY strange11:49
dtantsurunfortunately, I don't have the beginning of Ironic logs to see what caused that. But it's repeaed in the logs over and over again (together with sqlite locks)11:49
iurygregorywondering if is a crazy race condition.. , maybe the scenario for this to reproduce  is a setup very slow where things didn't finish to clean-up?11:50
iurygregoryif I recall we from time to time we remove the boot-<uuid>.iso right?11:51
dtantsurMaybe. Supposed to be a new lab though. I've requested new logs.11:51
dtantsurWe do remove it. I just don't understand how it ends up being the *source* file11:51
iurygregoryyeah, the logic we had I always though it was enough lol11:51
iurygregoryis there a chance someone is trying to adopt a BMH and it has the same UUID from one that is being provisioned? (just collecting some crazy ideas XD)11:52
dtantsurIt is supposed to be a routine deployment..11:53
iurygregorythis one will require an ironic coffee machine11:54
dtantsurindeed :D if you have any cycles, could you ask Claude about it?11:54
iurygregoryyup, will try that11:54
rpittaudtantsur: https://review.opendev.org/c/openstack/releases/+/98678412:13
dtantsurthanks!12:14
TheJuliagood morning13:36
opendevreviewDoug Goldstein proposed openstack/ironic master: fix: drop version from runbook traits v2  https://review.opendev.org/c/openstack/ironic/+/98680613:52
cardoeTheJulia: ^ is that what you were looking for?14:14
TheJuliaI think so!14:17
opendevreviewJulia Kreger proposed openstack/ironic stable/2026.1: ci: stable: disable metal3 CI jobs  https://review.opendev.org/c/openstack/ironic/+/98681214:23
opendevreviewJulia Kreger proposed openstack/ironic stable/2025.2: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98673714:29
opendevreviewJulia Kreger proposed openstack/ironic stable/2025.1: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98676714:30
opendevreviewJulia Kreger proposed openstack/ironic stable/2024.2: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98681514:43
opendevreviewJulia Kreger proposed openstack/ironic unmaintained/2024.1: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98681614:44
opendevreviewJulia Kreger proposed openstack/ironic unmaintained/2023.1: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98681714:49
JayFcid: gouthamr is going to run CVE paperwork for the drac molds issue, if you need help/reviews on the ossa he's your guy :D 14:51
TheJuliaJayF: Thanks! Have a good rest of the week14:54
TheJuliacid: slight issue on the OSSA-2026-008 item. shouldn't we have done the same fix on the shellinabox invocations?15:23
TheJuliaIn other words, not just backporting, but expanding the scope on backport to meet the reported issue15:24
TheJuliaI guess the flip side is shellinabox is really moot, and the prime needful is socat which is easy for users to turn on and use15:32
TheJuliaI guess the OSSA is good in context setting since its setting that it just shouldn't be used (that being shellinabox)15:33
elodilleshi ironic team, just a quick question: i'm about to approve ironic's stable/2024.2 to EOL patch ( https://review.opendev.org/c/openstack/releases/+/984974 ) and i see that there is a security-related fix that landed recently to ironic. don't you want to do a final release of it? (not necessary, but this is the last chance to do that o:))16:15
elodillesalso I see that there is another sec fix incoming :S https://review.opendev.org/c/openstack/ironic/+/98681516:18
elodilles(note, though, that you should take extra care with the final release as we are deleting the branch afterwards, so there is no possibility to fix/re-release 2024.2 if the final release has any regression :S)16:19
iurygregoryelodilles, we have a few security fixes incoming...16:21
iurygregory=X16:21
iurygregorymy plan was to change the hash on ironic for the 2024.2-eol to include all security fixes (instead of doing multiple releases) not sure about the best approach..16:22
JayFelodilles: ideally we'd capture what's already committed, but if we wait for no security bugs in the pipe, we might be waiting awhile, judging on the number of OSSAs issued already16:22
* iurygregory was afraid of this ^ 16:23
elodillesJayF iurygregory : does it mean hours, or weeks? o:) just asking, because if the latter, then i think the best is to EOL now o:)16:25
JayFelodilles: I would suggest to not wait on us, make sure that what lands reflects the end of the branch when it lands. Likely that should include the config molds fix.16:25
iurygregorythere is one afaik https://review.opendev.org/c/openstack/ironic/+/98681516:25
iurygregorythis one right JayF ? ^16:25
opendevreviewMerged openstack/ironic stable/2026.1: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98672516:26
JayFyep, landi... ^^^16:26
JayFI'll approve 25.2 now16:26
TheJuliaiurygregory: we'll just end up dropping them on unmaintained in that case if it exists :)16:28
TheJuliain other words, don't wait, do the needful, we can always also repropose sort of what JayF was saying16:29
elodillesnote that 2024.2 will be deleted (EOL) as it is not a SLURP branch16:29
JayFwe can't repropose TheJulia 16:29
JayFit's gonna be gone gone16:29
iurygregoryoh wow16:29
JayFthat's why it'd be ideal to get the molds fix in before 2024.2-eol is cut16:29
TheJuliafine with me whatever the outcome is16:29
JayFiurygregory: yeah, it's the real benefit of unmaintained+slurp: we end up with half as many old branches16:29
JayFiurygregory: it's sorta WTF the first time you notice, but the more you think about it the more it makes sense16:30
iurygregoryJayF, yeah =)16:30
TheJuliaJayF: I was saying generally, but also fine with the branch just going *poof*16:30
JayFyeah sa16:30
JayF**same generally16:30
JayFbut this one is close so ideally we could land it16:31
iurygregorycan't we just +W https://review.opendev.org/c/openstack/ironic/+/986815 ? I know ideally we should wait on the "backport sequence" ...16:31
JayFidk how ambitious that is, honestly might depend on how much we care about ... ^^^ yep iurygregory is pointing in the direction I am16:31
elodillesi need to commute home soon, probably be back later today for a while, or i can take a look tomorrow (i'll be on PTO, but will have the chance to take a look some time during the day) if needed16:31
JayFelodilles: unless it'll give you heartburn, I think we'll approve the 24.2 change r/n even if it skips the line so it can get in16:32
iurygregory++16:32
iurygregoryand we can update the hash and have the release patch ready to go16:32
elodillesJayF: i won't look, do as you see fit :]16:32
elodillesiurygregory: +116:33
iurygregoryonly zuul will look :D16:33
elodillesfingers crossed :]16:33
JayFokay then I totally won't tell you that we should have that new sha in 2 hoursish16:33
JayFlol16:33
elodilles:D16:33
elodilles+116:33
JayFThanks elod, I appreciate the reach out :D 16:33
iurygregoryAI is starting to write things on irc16:33
elodilles:D16:33
iurygregorythere is no human talking on this channel =)16:34
elodillesJayF: no problem, thanks for taking care of the dying branch o:)16:34
iurygregoryI`ll be back in about 2hrs, I have a doc appointment o/16:35
JayFiurygregory: you're absolutely right, I'm a language learning model made of meat16:35
JayF:D 16:35
iurygregorylol16:36
kelvinasante[m]Hi, I realized I accidentally submitted my Outreachy application under the wrong project. My work is for the Ironic project. I’ve emailed the mentors with the correct links.17:11
TheJuliaiurygregory: the idea of AI enabled IRC makes me super worried for the human species survival. 17:13
gouthamrhey cid, i've a question on the affected versions for https://bugs.launchpad.net/ironic-python-agent/+bug/2148310 17:18
gouthamrcid: grub-install is ancient in the agent.. would >=2.0.0 be appropriate?17:19
TheJuliagouthamr: grub version has nothing to do with the bug17:21
gouthamrTheJulia: not the grub version, i'm trying to locate the code that is affected, and when it was added17:22
cidgouthamr, I am actually seeing that bug for the first time now since it just went public17:22
gouthamrhttps://github.com/openstack/ironic-python-agent/compare/1.5.2...2.0.0#diff-2ac3e3f56d389db15b980c3471cb49965be083d4221667e009a4916595ef8a40R119-R13117:22
TheJuliaOh. heh17:23
gouthamr^ this is where i landed.. but i could be completely off :) 17:23
TheJuliahmmmmm17:24
gouthamrcid: ack, i'll let you investigate.. my current thought was to find the first use of "grub-install" and find the version of ipa that shipped with it17:24
TheJuliatechnically, 1.0.0 had the same basic issue17:25
TheJuliaso, this has been around for *ages*17:25
TheJuliaBut, there is a mitigating factor17:27
TheJuliaIn those days, you could deploy admin set public images17:27
gouthamri see, so i can use '>=1.0.0 <=11.5.0' as the affected versions.17:28
gouthamrsuper low chance that someone is running these really old versions still and would care to fix it 17:29
gouthamrit's just proper documentation at best suggesting that this is an old vulnerability that'll be patched in 11.6.0 17:30
gouthamrdoes that make sense TheJulia cid 17:30
TheJuliawell, let me get you the details on the mitigating factor as well17:31
TheJuliatrying to hunt that down now17:31
TheJuliasince it is important contet17:31
TheJuliacontet17:31
gouthamrthank you TheJulia 17:32
TheJuliaokay, found it, doing the archeology work to provide a concise statement17:32
opendevreviewVerification of a change to openstack/ironic stable/2026.1 failed: ci: stable: disable metal3 CI jobs  https://review.opendev.org/c/openstack/ironic/+/98681217:45
TheJuliastill working on it, switching brushes to a more fine detailed brush at the moment ;)17:45
opendevreviewMerged openstack/ironic stable/2025.2: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98673717:46
TheJuliahttps://www.irccloud.com/pastebin/WwfEuGAO/17:49
TheJuliagouthamr: ^^^17:49
TheJuliayou may want to re-order that for an OSSA, but its the nuts and bolts of it17:49
TheJuliahopefully that makes sense17:50
* gouthamr looks17:51
opendevreviewMerged openstack/ironic stable/2024.2: security: validate molds url against swift in keystone catalog  https://review.opendev.org/c/openstack/ironic/+/98681517:51
TheJuliaso, basically, the bug has existed in IPA since the beginning of time, however there are mitigating aspects because IPA is driven by Ironic17:52
gouthamr++ yes, that's super useful context.. admin-only before 17.0.0 - so less impact, a bit more with the owner/lessee model from 17.0.0, and really broad-surface from 30.0.0.. i'll note this in the CVE.. cid, would you like to take a stab at the OSSA for this still? i can share the blurb from the CVE if you will17:53
* gouthamr will note that these versions pertain to ironic itself.. 17:54
TheJuliaAlso, fwiw, owners are expected to be trusted operators in the ironic context as well17:56
TheJuliaThey could be subdivisions of even the cloud operator's own cloud, or a partner institution with elevated access, and at that point, they "own" that hardware and are responsible for the entire scope of that17:56
cidgouthamr, Oh please share. I will use this opportunity to work on the OSSA for the molds change as well before my EOD.17:57
gouthamrack and thank you both17:59
gouthamrCVE Request 203397217:59
cidI will ping you once I have a patch up18:04
gouthamrcid: sure thing18:04
gouthamrcid: here's an excerpt of what went into the CVE request: https://paste.opendev.org/show/b8i1lBSP00bwyL5SibNV/18:06
cidack'd w/tks. First draft on the way.18:12
cidSo, none of the patches for https://bugs.launchpad.net/ironic-python-agent/+bug/2148310 is public yet.18:15
cidin gerrit18:15
cidgouthamr, Do I use 2033972 as the CVE id?18:31
gouthamrcid: nope that's the receipt number.. the CVE was filed today, 2026-04-30, you call call that out in the notes section.. 18:33
gouthamrcid: ack, the OSSA can be WIP until patches show up.. 18:33
gouthamrcid: here's an example of an OSSA with a pending CVE: https://review.opendev.org/c/openstack/ossa/+/984129/2/ossa/OSSA-2026-007.yaml18:34
cid+++++++++, alright. thanks!18:34
gouthamrbe aware though, that at the rate we're publishing these, you may have to change the OSSA number on your draft closer to it merging18:35
cidTrue. Not a problem18:36
cidgouthamr, TheJulia... https://review.opendev.org/c/openstack/ossa/+/98685019:23
JayFcid: I was hoping  you'd write this up for https://review.opendev.org/c/openstack/ironic/+/986815 this set of bugs19:42
JayFcid: since those are landing now we need to release OSSA/CVE once we land all the stable patches19:42
cidTheJulia, I missed this, re "on the OSSA-2026-008 item. shouldn't we have done the same fix on the shellinabox invocations?". 19:42
cidThat was likely the better fix. My thinking was that we already ripped it out, so :shrugs:  19:42
JayFcid: we'll use that ossa eventually (the proposed one; Clif and I literally just paired on it some IRL) 19:42
* JayF back to irl meeting land19:43
cidJayF, I'm am working on an ossa for +bug 986815 at the moment19:45
TheJuliacid: I guess I might be over thinking concern of somebody thinking the fix is incomplete becasue in older branches it is still there, *shrug*20:25
cidI mean, it's a quick and easy fix that I can get something up and get it backported as well, since we won't need a new OSSA/CVE.20:28
cidActually, I think I will just add that to my todos for tomorrow or weekend.20:29
elodillesiurygregory: thanks for the 2024.2-eol patch update. and you are sure, that you don't want to do a final release, just tag the tip of stable/2024.2 with 2024.2-eol, right?20:30
elodilles(now it's still possible to cut a release, in case you changed your mind o:))20:34
cardoeSo I see we're doing releases20:47
cardoeWe need to do a release of sushy 5.10.120:47
cardoeironic 2026.1 is incompatible with sushy 5.10.020:48
cardoehttps://releases.openstack.org/constraints/upper/2026.1 lists sushy==5.10.020:49
iurygregoryelodilles, I would say it's fine...20:53
iurygregorylike, people can go and get 2024.2-eol it's a valid tag no?20:54
elodillesyes, it's a valid tag21:06
elodilleshowever it won't be listed on pypi and tarballs.openstack.org21:07
elodillesbut otherwise yes, people can take the code from 2024.2-eol tag and package it themselves21:07
opendevreviewDoug Goldstein proposed openstack/sushy stable/2026.1: Add missing __init__.py  https://review.opendev.org/c/openstack/sushy/+/98686121:08
iurygregoryoh, interesting, I wasn't aware it wouldn't be listed on pypi..21:08
iurygregoryTheJulia, do you have thoughts? 21:09
TheJuliawho what huh?21:09
iurygregoryif we should do a final release before 2024.2-eol 21:10
TheJuliaI take it there are patches there?21:10
iurygregoryyup 21:11
TheJuliaThen, ideally yes21:11
iurygregoryelodilles, it's ok to update adding 26.1.6 and the eol on the same patch?21:11
elodillesiurygregory: nope, a separate release patch is needed, as validator would fail if they are in the same patch :/21:12
TheJuliaotherwise, since its getting deleted, there is no release point to draw from21:12
TheJuliawe should have just pulled the release trigger a while back :(21:13
elodillesiurygregory: this can be updated i guess: https://review.opendev.org/c/openstack/releases/+/98644921:13
iurygregoryelodilles, ack21:13
iurygregorydoing now21:13
iurygregoryelodilles, done21:14
iurygregorydo we need to rebase https://review.opendev.org/c/openstack/releases/+/984974/ ?21:14
elodillesyes, that needs a rebase21:15
iurygregoryok, doing now =)21:15
elodillesthanks o/21:16
iurygregoryelodilles, done, let me know if its ok =)21:20
cardoeTheJulia: can we update Ironic 35.1.0 to depend on >=sushy 5.10.1?21:22
cardoeLike straight up didn't realize the two are busted together as released.21:23
TheJuliayou mean the master branch state?21:24
TheJuliaI can't believe we still have root_gb checks21:46
cardoeTheJulia: no I'm talking 2026.122:01
TheJuliaoh shoot22:01
TheJuliano, we can't really...22:01
TheJuliaat least in the repo, we can still cut 5.10.1 and allow it to be pulled in22:01
cardoeTheJulia: ironic 35.0.0 aka 2026.1 depends on sushy>=5.10.0 aka 2026.122:01
cardoeBut ironic stable/2026.1 isn't compatible with 5.10.022:02
cardoeIt needs 5.10.0 + patches22:02
cardoeWe released 5.10.0 of sushy and then continued to test with sushy master22:02
cardoehttps://review.opendev.org/c/openstack/sushy/+/986861 needs to land into stable/2026.1 as well22:02
cardoeSomeone was working with the straight release packages and found it was broken and initially thought that stable/2026.1 worked and then hit a Dell issue.22:03
iurygregorycardoe, +W simple fix22:10
iurygregorygoing to drop now, see you monday everyone!22:10
* cardoe waves.22:11
elodillesjust a heads-up here as well, that ironic's stable/2024.2 branches are tagged with 2024.2-eol -> https://review.opendev.org/c/openstack/releases/+/98497422:18
elodillesand now i disappear too o/22:18
guilhermesp___TheJulia iurygregory JayF  btw lesson learned... keep your supermicro bmc firmware up-to-date :P  ps: its working better with ipmi 22:21
cardoegarahada why is tox-docs so broken?22:24
cardoehttps://review.opendev.org/c/openstack/sushy/+/986861 I don't understand what's busted.22:24
opendevreviewDoug Goldstein proposed openstack/sushy stable/2026.1: Add missing __init__.py  https://review.opendev.org/c/openstack/sushy/+/98686122:28
opendevreviewDoug Goldstein proposed openstack/ironic master: fix: drop version from runbook traits v2  https://review.opendev.org/c/openstack/ironic/+/98680622:32
cidSomeone should snaity-check this for me before I submit https://usercontent.irccloud-cdn.com/file/Vtcd9CSL/image.png22:47
cidhttps://usercontent.irccloud-cdn.com/file/xzgKSLla/image.png22:48
cidJayF, TheJulia, I have initial draft for the OSSA https://review.opendev.org/c/openstack/ossa/+/98686322:52
TheJuliaSo, its not code execution. Just information disclosure22:54
cidOkay. thanks. Submitting now23:13

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!