| opendevreview | Merged openstack/ironic-ui master: Update Babel configuration https://review.opendev.org/c/openstack/ironic-ui/+/987506 | 00:02 |
|---|---|---|
| opendevreview | Merged openstack/ironic master: Fix RBAC field redaction when owner not in requested fields https://review.opendev.org/c/openstack/ironic/+/986723 | 01:03 |
| opendevreview | Merged openstack/ironic master: Fix redfish sensor data crash when redfish_system_id is None https://review.opendev.org/c/openstack/ironic/+/987557 | 01:03 |
| opendevreview | Doug Goldstein proposed openstack/ironic stable/2026.1: Fix redfish sensor data crash when redfish_system_id is None https://review.opendev.org/c/openstack/ironic/+/987780 | 01:04 |
| opendevreview | Doug Goldstein proposed openstack/ironic stable/2026.1: Fix RBAC field redaction when owner not in requested fields https://review.opendev.org/c/openstack/ironic/+/987781 | 01:05 |
| cardoe | both only go back to 2026.1 due to other changes | 01:06 |
| cardoe | oddly pep8 fails on those backports at 2025.2 and older | 02:13 |
| opendevreview | Merged openstack/ironic stable/2026.1: security: Use sandbox rendering for jinja2 https://review.opendev.org/c/openstack/ironic/+/987774 | 02:38 |
| blanson[m] | Hello ! I have a quick question to find out if I'm fighting an uphill battle or not. Currently trying to have the raid configuration work on some HPE Gen11 pizzaboxes, with megaraid controllers. Apparently the redfish api does not accept CapacityBytes argument in the redfish api ? is this something you are aware of ? that has been fixed on master ? (I'm still on 2025.1), or is it something you'd be ok to have a bug/patch for ? | 10:37 |
| blanson[m] | It's kind of specific but a quick talk with the hardware people here, apparently HPE mainly ships megaraid controllers now and has been for 2-ish years, so maybe I'm not the only one pulling my hair out on this ? | 10:37 |
| blanson[m] | (I have a couple of dirty live patches right now that seem to fix the issue, just asking before I send them to zuulius caesar) | 10:40 |
| frickler | blanson[m]: well as a test if you can apply your changes against master without conflict, likely the issue is still there? also I'd suggest to create a bug report showing the issue you are seeing with logs. that would also help to get a potential fix backported to your version | 10:50 |
| blanson[m] | frickler: yh that's what I'm trying to do my local ironic repo is kind of a war zone right now so it's taking some time hehe | 10:52 |
| cardoe | I assume the issue is raid.apply_configuration step? | 12:06 |
| blanson[m] | cardoe: so far I've had issue with delete_configuration and apply_configuration, i'm about to send patches for both | 12:25 |
| blanson[m] | https://bugs.launchpad.net/ironic/+bug/2151881 this is the delete_configuration issue | 12:25 |
| TheJulia | good morning | 12:56 |
| * TheJulia tries to wake up | 13:00 | |
| opendevreview | Julia Kreger proposed openstack/ironic stable/2025.2: security: Use sandbox rendering for jinja2 https://review.opendev.org/c/openstack/ironic/+/987775 | 13:03 |
| opendevreview | Julia Kreger proposed openstack/ironic stable/2025.1: security: Use sandbox rendering for jinja2 https://review.opendev.org/c/openstack/ironic/+/987776 | 13:04 |
| opendevreview | Julia Kreger proposed openstack/ironic unmaintained/2024.1: security: Use sandbox rendering for jinja2 https://review.opendev.org/c/openstack/ironic/+/987777 | 13:04 |
| opendevreview | Julia Kreger proposed openstack/ironic unmaintained/2023.1: security: Use sandbox rendering for jinja2 https://review.opendev.org/c/openstack/ironic/+/987778 | 13:04 |
| TheJulia | Hmm, thats the second patch recently which was fine on newer branches but on backport got some extra lines... somehow?! | 13:05 |
| TheJulia | rpittau: does the metal3 job constrain the sushy version somehow? | 13:11 |
| dtantsur | TheJulia: until https://github.com/metal3-io/ironic-image/pull/988 is merged | 13:54 |
| * TheJulia facepalms | 13:54 | |
| TheJulia | okay | 13:54 |
| TheJulia | Thanks! | 13:55 |
| opendevreview | Bertrand Lanson proposed openstack/ironic master: fix: skip storage controllers without Volumes link https://review.opendev.org/c/openstack/ironic/+/987853 | 14:20 |
| Sandzwerg[m] | Hello Ironic o/ I have yet another question regarding the policy. How can I check that service like nova are using RBAC? Because we still give the nova user a global baremetal_admin and switching to the upstream policy from our custom one would remove that role. | 14:48 |
| TheJulia | Sandzwerg[m]: oh wow, baremetal_admin still being used | 14:55 |
| TheJulia | so, we're designed around the "service" role, or giving it admin in a project which can see nodes should be sufficient | 14:55 |
| TheJulia | ultimately "what" is tied to the user nova authenticates to ironic with | 14:55 |
| TheJulia | So you can configure that for example, such that system scope is used, or that a service project with a service role is used, or use a dedicated project with "owner" filed set for it's baremetal nodes | 14:56 |
| TheJulia | cleanest path might be baremetal_admin to system scoped admin account | 14:57 |
| cardoe | TheJulia: imma poke you on https://review.opendev.org/c/openstack/ironic/+/986806 cause I think that's addressing your review comment | 15:08 |
| opendevreview | Bartosz Bezak proposed openstack/networking-generic-switch master: Fix missed batch result watches https://review.opendev.org/c/openstack/networking-generic-switch/+/987867 | 15:16 |
| TheJulia | cardoe: sorry, I thought I already reviewed/approved that | 15:16 |
| opendevreview | Bartosz Bezak proposed openstack/networking-generic-switch master: Fix missed batch result watches https://review.opendev.org/c/openstack/networking-generic-switch/+/987867 | 15:30 |
| Sandzwerg[m] | TheJulia yeah it's finally time to get rid of this 10 year old config :D so there should now be a role service, similar to baremetal_admin before? Do you by chance have the example ready were ironic itself has defined this role? | 15:31 |
| TheJulia | Sandzwerg[m]: all of the magic is in https://github.com/openstack/ironic/blob/master/ironic/common/policy.py | 15:32 |
| TheJulia | so, in a sense, its just a role, but we also expect a service project to be "service", but we've also had folks do separate projects as well | 15:36 |
| TheJulia | I realize, that doesn't help as much as a clean example, and that is largely because folks have taken different end implemtation paths and we're trying to keep options as open as possible | 15:36 |
| cardoe | TheJulia: if ya want another easy backport... https://review.opendev.org/c/openstack/ironic/+/987780 | 15:46 |
| TheJulia | uhhh... what backport </innocent> | 15:52 |
| Sandzwerg[m] | I don't that helps me make this thing "click" in my head yet but maybe I ask the wrong questions. So how does a service project is "service"? | 15:54 |
| Sandzwerg[m] | Right now we have a ironic and a nova user, each called like the service respectivly. They both get a custom role called cloud_baremetal_admin that gives them baremetal_admin in any context. These roles get seeded (not sure if seeding is a OpenStack or a "us" thing) to make sure that these services always have these rights. Both users exist in the "Default" domain and IIRC they get these roles currently seeded in the "service" | 15:54 |
| Sandzwerg[m] | project there. So if I remove the cloud_baremetal_admin role altogether how will ironic "know" that the "ironic" and "nova" user are services and should have the SYSTEM access? Is there a default assignment of the system scoped access to the ironic user? Do all users in project "Default/service" are service by default? Do I need to give them the role "service" in that project, or somewhere else? | 15:54 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: WIP repair the ironic-standalone-operator job https://review.opendev.org/c/openstack/ironic/+/987673 | 15:54 |
| Sandzwerg[m] | Like https://github.com/openstack/ironic/blob/master/ironic/common/policy.py#L91 says for SYSTEM_SERVICE they need to have the role service but where does the system_scope:all comes from? | 15:55 |
| Sandzwerg[m] | It's probably very obivious if one knows what to look for but for me it's: whaaaat | 15:56 |
| Sandzwerg[m] | Maybe there is some more generic OpeStack documentation that explains this that I'm missing? | 15:57 |
| TheJulia | Sandzwerg[m]: any consistently utilized "project" to facilitate the service project is a service project, often just named "service", that being said we have a config knob for that name specifically if you wish to use something other than service as well. In terms of the scoping/access, again, its all about the configuration used in the nova.conf file for talking to nova.virt.ironic's endpoint. | 16:00 |
| TheJulia | so, system scoped is a user which has a role on the system-scope of all, with no project ID or domain ID. | 16:00 |
| TheJulia | so its sort of like this: openstack role add --user <username> --system all admin | 16:02 |
| TheJulia | that system-scope then gets embedded in the response from keystone which is evaluated in middleware to apply policies to | 16:02 |
| Sandzwerg[m] | 🎉 | 16:02 |
| TheJulia | That is the gist of it, but you need to have pretty hefty access to do that in keystone | 16:03 |
| TheJulia | Often, keystone when you do the original install, your actually creating system scoped users then | 16:03 |
| Sandzwerg[m] | Okay, now I need to figure out how to do system scope in this seeding stuff and if that even supports it, but that was the missing brick | 16:03 |
| TheJulia | and then as you create more and more, you end up shifting to project scoping because your creating a project with users with rights inside of that project | 16:04 |
| opendevreview | Merged openstack/ironic stable/2025.1: security: Use sandbox rendering for jinja2 https://review.opendev.org/c/openstack/ironic/+/987776 | 16:09 |
| Sandzwerg[m] | TheJulia: hmm. But the role I want to give out here is called admin? In our installs (not sure if that is normal or not) the role named "admin" is equivalent to keystone admin. Or would I do this with "baremetal_admin"? | 16:09 |
| TheJulia | well, system scoped admin is "admin over everything". Delineation is a bit weird. Maybe a question to recalibrate, are you using the "owner" field at all? | 16:11 |
| opendevreview | Merged openstack/ironic stable/2026.1: Fix RBAC field redaction when owner not in requested fields https://review.opendev.org/c/openstack/ironic/+/987781 | 16:13 |
| Sandzwerg[m] | Not yet, but this would be the reason to introduce that. My idea is to let all nodes be owned by a administrative project, and then give some-admin-group, baremetal_admin in that project. But that is only for humans. The ironic and nova users should be system scoped and shouldn't care about that | 16:14 |
| TheJulia | Okay | 16:14 |
| TheJulia | so, then what you would do is something like have a separate project, call it "service" or "ironic_service", and inside that project create a user, say nova-user-for-ironic, and grant that user a role of "service", *then* for your ironic config file, you'll need to set the "service_project_name" value. https://github.com/openstack/ironic/blob/master/ironic/common/policy.py#L233 is the rule this relies upon | 16:15 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: WIP repair the ironic-standalone-operator job https://review.opendev.org/c/openstack/ironic/+/987673 | 16:21 |
| Sandzwerg[m] | aah okay, so something in the config needs to be adjusted as well. That's another puzzle piece I was missing. | 16:22 |
| opendevreview | Mithun Krishnan Umesan proposed openstack/ironic master: Add TLS configuration to agent lookup response https://review.opendev.org/c/openstack/ironic/+/987887 | 16:24 |
| Sandzwerg[m] | Hmm shouldn't one also need to set the corresponding domain to that project? Or is it only looking in the default domain? | 16:26 |
| TheJulia | default domain, I don't think we ever modeled domains in that | 16:34 |
| Sandzwerg[m] | Makes sense, but wasn't obvious to me. So if the project is using the default name "service" I wouldn't even need to configure it. Or should I configureit still to make it more explicit? | 16:36 |
| TheJulia | Correct, and it really depends on your preference. Some folks want customization | 16:38 |
| Sandzwerg[m] | At least for now I had enough of customization, to much trouble to keep up with you lot 😅 | 16:44 |
| TheJulia | we're not that bad... are we?!? | 16:48 |
| Sandzwerg[m] | No, you're great! But now I have to adjust this 10 year old policy.json and everything else around it that I didn't even write myself. And all the custom stuff means stuff I might need to adjust on changes. (Now I need to touch it because with the next version jump the old style is deprecated for good) so instead of implementing something custom again I rather stick with your default, making my life easier, especially on upgrades | 16:51 |
| Sandzwerg[m] | and such | 16:51 |
| TheJulia | ugh, custom on the outset ugh | 16:51 |
| TheJulia | ++ | 16:52 |
| TheJulia | well, hopefully we've made it easy to make that jump | 16:52 |
| Sandzwerg[m] | What I understood so far looks good yes. Just using the current policy instead of inventing my own is certainly easier | 16:53 |
| Sandzwerg[m] | I need to check if all this works how I imagine it right now next week and might return with more questions next week if I run into issues. But so far I think I have no more open questions. | 16:54 |
| Sandzwerg[m] | But thanks again, I always like it that I can come with my questions and you all try to help me as best as you can <3 | 16:55 |
| TheJulia | cool, good luck! | 16:56 |
| opendevreview | Verification of a change to openstack/ironic stable/2026.1 failed: Fix redfish sensor data crash when redfish_system_id is None https://review.opendev.org/c/openstack/ironic/+/987780 | 17:02 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: WIP repair the ironic-standalone-operator job https://review.opendev.org/c/openstack/ironic/+/987673 | 17:05 |
| opendevreview | Mithun Krishnan Umesan proposed openstack/ironic master: Add TLS configuration to agent lookup response https://review.opendev.org/c/openstack/ironic/+/987887 | 17:09 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening options for the API service https://review.opendev.org/c/openstack/ironic/+/985878 | 18:09 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening options for JSON-RPC service https://review.opendev.org/c/openstack/ironic/+/985879 | 18:09 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for agent client connections https://review.opendev.org/c/openstack/ironic/+/985880 | 18:10 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add docs for TLS hardening options https://review.opendev.org/c/openstack/ironic/+/985881 | 18:10 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for Ansible stream_url module https://review.opendev.org/c/openstack/ironic/+/985885 | 18:10 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for HTTP image service connections https://review.opendev.org/c/openstack/ironic/+/987906 | 18:10 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for OCI registry connections https://review.opendev.org/c/openstack/ironic/+/987907 | 18:10 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening options for Redfish BMC connections https://review.opendev.org/c/openstack/ironic/+/987908 | 18:10 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Consolidate duplicated TLS code into ironic/common/tls_utils https://review.opendev.org/c/openstack/ironic/+/987909 | 18:10 |
| TheJulia | UGH | 18:12 |
| TheJulia | I didn't catch it, but claude has been rewriting my commit IDs | 18:12 |
| opendevreview | Bartosz Bezak proposed openstack/networking-generic-switch master: Fix missed batch result watches https://review.opendev.org/c/openstack/networking-generic-switch/+/987867 | 18:15 |
| JayF | TheJulia: claude-code LOVES to just make up BS change-ids | 18:39 |
| opendevreview | Julia Kreger proposed openstack/ironic unmaintained/2024.1: stable only: ci: drop grenade jobs on 2024.1 https://review.opendev.org/c/openstack/ironic/+/987916 | 18:39 |
| JayF | TheJulia: it's a big reason why I do not permit it to commit | 18:39 |
| TheJulia | Yeah, It did fine on a number of changes, but then screwed up some others.. *facepalm* | 18:40 |
| TheJulia | of course, I'm going back and like re-ammending them anyway, but still | 18:40 |
| TheJulia | lesson learned | 18:40 |
| opendevreview | Mithun Krishnan Umesan proposed openstack/ironic master: Add TLS configuration to agent lookup response https://review.opendev.org/c/openstack/ironic/+/987887 | 18:46 |
| TheJulia | mumesan[m]: you'll need a patch in IPA which attempts to read that data | 18:48 |
| JayF | I'm going to lay the groundwork to release an OSSA related to the non-embargoed anaconda security issue on Monday | 18:53 |
| TheJulia | ++ | 18:55 |
| TheJulia | The change on 2025.2 should land today | 18:55 |
| TheJulia | the unmaintained, I feel like thats a weekly meeting becuase I'm seeing some weird things in run logs | 18:56 |
| TheJulia | likely more a sign, time to dial back testing in general on those branches | 18:56 |
| JayF | TheJulia: bugfix/ fixes for ks? Should we put them in OSSA? | 18:57 |
| TheJulia | afaik, the consumer side of those branches doesn't use it | 18:58 |
| TheJulia | We can always do it though, *shrug* | 18:58 |
| JayF | that was my thought as well, but also we document a 6 month support lifetime for it | 18:58 |
| JayF | so I think someone could rightfully be upset if they were running it | 18:58 |
| TheJulia | yeah | 18:59 |
| TheJulia | easy peasy | 18:59 |
| JayF | you wanna mash the buttons and I will approve after I steal their URLs for this OSSA? | 18:59 |
| opendevreview | Julia Kreger proposed openstack/ironic bugfix/34.0: security: Use sandbox rendering for jinja2 https://review.opendev.org/c/openstack/ironic/+/987920 | 19:00 |
| opendevreview | Julia Kreger proposed openstack/ironic bugfix/33.0: security: Use sandbox rendering for jinja2 https://review.opendev.org/c/openstack/ironic/+/987921 | 19:01 |
| opendevreview | Julia Kreger proposed openstack/ironic bugfix/31.0: security: Use sandbox rendering for jinja2 https://review.opendev.org/c/openstack/ironic/+/987922 | 19:01 |
| TheJulia | sure! | 19:02 |
| TheJulia | heh | 19:02 |
| TheJulia | anyway, I'm likely going to go get some lunch soon | 19:02 |
| JayF | RFR https://review.opendev.org/c/openstack/ossa/+/987764 | 19:07 |
| TheJulia | k | 19:09 |
| opendevreview | Merged openstack/ironic stable/2025.2: security: Use sandbox rendering for jinja2 https://review.opendev.org/c/openstack/ironic/+/987775 | 19:52 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Consolidate duplicated TLS code into ironic/common/tls_utils https://review.opendev.org/c/openstack/ironic/+/987909 | 20:38 |
| opendevreview | Julia Kreger proposed openstack/ironic master: WIP: Default TLS minimum version to 1.3 https://review.opendev.org/c/openstack/ironic/+/987953 | 20:38 |
| TheJulia | well, lets see if that explodes <insert evil laugh here> | 20:42 |
| opendevreview | Merged openstack/ironic stable/2026.1: Fix redfish sensor data crash when redfish_system_id is None https://review.opendev.org/c/openstack/ironic/+/987780 | 20:50 |
| opendevreview | Verification of a change to openstack/ironic unmaintained/2024.1 failed: stable only: ci: drop grenade jobs on 2024.1 https://review.opendev.org/c/openstack/ironic/+/987916 | 22:01 |
| TheJulia | well that seems remarkably successful given a default change | 22:35 |
| TheJulia | (tls 1.3 | 22:35 |
| TheJulia | ) | 22:35 |
| *** kinrui is now known as fungi | 22:44 | |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!