| opendevreview | Merged openstack/ironic master: Fix periodic tasks not running after pickle/unpickle https://review.opendev.org/c/openstack/ironic/+/988469 | 00:26 |
|---|---|---|
| opendevreview | Verification of a change to openstack/ironic stable/2026.1 failed: Fix healthcheck intercepting all API routes https://review.opendev.org/c/openstack/ironic/+/988186 | 00:43 |
| opendevreview | Verification of a change to openstack/ironic stable/2026.1 failed: Fix healthcheck intercepting all API routes https://review.opendev.org/c/openstack/ironic/+/988186 | 04:01 |
| *** elodilles_pto is now known as elodilles | 08:49 | |
| opendevreview | Bertrand Lanson proposed openstack/ironic master: fix: skip storage controllers without Volumes link https://review.opendev.org/c/openstack/ironic/+/987853 | 10:47 |
| opendevreview | Dmitry Tantsur proposed openstack/sushy-tools master: Drop pbr and WebOb from requirements https://review.opendev.org/c/openstack/sushy-tools/+/988752 | 11:30 |
| iurygregory | good morning ironic | 11:54 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: Science: try --ha in the IrSO job https://review.opendev.org/c/openstack/ironic/+/988760 | 13:00 |
| TheJulia | brraaaains | 13:13 |
| opendevreview | Julia Kreger proposed openstack/ironic bugfix/34.0: security: move file url validation up into deploy_utils main path https://review.opendev.org/c/openstack/ironic/+/988764 | 13:21 |
| opendevreview | Julia Kreger proposed openstack/ironic bugfix/33.0: security: move file url validation up into deploy_utils main path https://review.opendev.org/c/openstack/ironic/+/988765 | 13:22 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: [WIP] [No, really WIP] Add a BMO job https://review.opendev.org/c/openstack/ironic/+/988766 | 13:25 |
| opendevreview | Dmitry Tantsur proposed openstack/sushy-tools master: Drop pbr from requirements https://review.opendev.org/c/openstack/sushy-tools/+/988752 | 13:30 |
| opendevreview | Julia Kreger proposed openstack/ironic stable/2025.1: security: move file url validation up into deploy_utils main path https://review.opendev.org/c/openstack/ironic/+/988357 | 13:32 |
| cardoe | TheJulia: https://review.opendev.org/c/openstack/ironic/+/987441 I think Steve's design there is good. | 13:40 |
| cardoe | I know it's a bit of a rewrite / feature change but I'm gonna backport it to our 2026.1 when we land it. Not sure if we'd consider it backportable to 2026.1 | 13:41 |
| cardoe | But without that behavior change it's really rough to use. | 13:41 |
| opendevreview | Julia Kreger proposed openstack/ironic unmaintained/2024.1: stable only: cleanup 2024.1 ci jobs https://review.opendev.org/c/openstack/ironic/+/988767 | 13:42 |
| TheJulia | I'm hoping ^^^ cleans up 2024.1's branch enough that ci is working on it again | 13:42 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: DNM Science: try --ha in the IrSO job https://review.opendev.org/c/openstack/ironic/+/988760 | 13:43 |
| TheJulia | Just reading the commit message, I think it makes sense to backport upstream, fwiw | 13:44 |
| TheJulia | re-framing it as a sort of denial of service, albeit not of the service, but of the graphical console | 13:44 |
| TheJulia | I'd like one more core to chime in on the patch, but otherwise it looks pretty good to me | 13:50 |
| TheJulia | dtantsur: w/r/t https://review.opendev.org/c/openstack/ironic/+/985879, I've got a patch up for the client that I'll be revisiting later today, but it all really starts with keystoneauth ;) | 13:53 |
| TheJulia | as for the server, thats a super good question I just don't knwo | 13:54 |
| TheJulia | fwiw, it does lock the overall minimum, so should be okay | 13:58 |
| opendevreview | Merged openstack/ironic master: Add TLS hardening options for the API service https://review.opendev.org/c/openstack/ironic/+/985878 | 14:13 |
| TheJulia | oooh, ahhh | 14:18 |
| cardoe | TheJulia: now follow up removing that getattr() calls :) Imma call that trivial and instant merge it. | 14:24 |
| TheJulia | cardoe: dude, let me get to the consolidation patch first ;) | 14:27 |
| TheJulia | Anyone have any opinions on what we should to to fix unmaintained/2023.1 ci ? https://paste.opendev.org/show/bBaPUvpqpFbDYZjsUk08/ | 14:43 |
| * dtantsur hands TheJulia a torch | 14:43 | |
| * TheJulia looks at the torch and feels great sadness | 14:46 | |
| TheJulia | 2023.1 was such a fine release | 14:46 |
| dtantsur | Don't be sad, we'll give you even finer releases! | 14:47 |
| TheJulia | And Massive Attack - Dissolved Girl begins to play | 14:47 |
| opendevreview | Julia Kreger proposed openstack/ironic unmaintained/2023.1: DNM: See if this makes ci happier https://review.opendev.org/c/openstack/ironic/+/988778 | 14:48 |
| opendevreview | Merged openstack/networking-generic-switch master: GenericSwitchNetmikoConfigError error details https://review.opendev.org/c/openstack/networking-generic-switch/+/985029 | 14:48 |
| * TheJulia wonders when the bot will update the channel log so I can note the honor which feels like it needed to be posted to bash.org | 14:55 | |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: DNM Science: try --ha in the IrSO job https://review.opendev.org/c/openstack/ironic/+/988760 | 15:02 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: DNM Science: try --ha in the IrSO job https://review.opendev.org/c/openstack/ironic/+/988760 | 15:08 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: [WIP] [No, really WIP] Add a BMO job https://review.opendev.org/c/openstack/ironic/+/988766 | 15:10 |
| opendevreview | Julia Kreger proposed openstack/ironic master: novncproxy - Standardize ssl->tls for parameters https://review.opendev.org/c/openstack/ironic/+/988546 | 15:14 |
| opendevreview | Merged openstack/ironic stable/2026.1: Fix healthcheck intercepting all API routes https://review.opendev.org/c/openstack/ironic/+/988186 | 15:25 |
| dtantsur | Folks, does anyone remember why webserver_verify_ca is not in driver_info? TheJulia maybe you remember for oci images? | 15:34 |
| TheJulia | I think that was intentional because it likely ought to be a deployment [of ironic] owner decision, but I could see the case for delegating trust | 15:35 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add initial docs for TLS hardening options https://review.opendev.org/c/openstack/ironic/+/985881 | 15:38 |
| opendevreview | Julia Kreger proposed openstack/ironic master: novncproxy - Standardize ssl->tls for parameters https://review.opendev.org/c/openstack/ironic/+/988546 | 15:38 |
| dtantsur | TheJulia: yeah, I'm thinking about scenarios like disabling TLS validation | 15:38 |
| TheJulia | dtantsur: if you keep it up, you'll have to put 3 WIP labels on a change | 15:38 |
| TheJulia | maybe worth the meeting on monday? | 15:39 |
| TheJulia | It is, after all, Friday | 15:39 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: [WIP] [No, really WIP] [Another WIP for TheJulia] Add a BMO job https://review.opendev.org/c/openstack/ironic/+/988766 | 15:39 |
| dtantsur | TheJulia: don't challenge me, especially on Friday ^^^ | 15:39 |
| TheJulia | And you should like... be looking at a mountain ;) | 15:39 |
| TheJulia | lol | 15:39 |
| dtantsur | I was supposed to, but the weather was so bad we decided to stay at home.. | 15:40 |
| TheJulia | :( | 15:40 |
| dtantsur | It's snow mixed with heavy showers closer to 1.5k meters | 15:40 |
| TheJulia | light to heavy snow might be nice in some cases, but showers != fun | 15:41 |
| dtantsur | in the mountains, stable snow = fun, wet unstable snow = bad time | 15:42 |
| TheJulia | yup | 15:42 |
| dtantsur | Back to the WIP-WIP-WIP topic, swapping the integration job for a BMO one should (hopefully) eventually make it both more stable and more useful | 15:44 |
| TheJulia | cool | 15:44 |
| dtantsur | BMO functional tests touch some rather exotic corners of Ironic like adoption or forced deletion using maintenance mode | 15:46 |
| dtantsur | and with https://github.com/metal3-io/baremetal-operator/pull/3246 we'll cover BIOS settings for the first time | 15:46 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for HTTP image service connections https://review.opendev.org/c/openstack/ironic/+/987906 | 15:50 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for OCI registry connections https://review.opendev.org/c/openstack/ironic/+/987907 | 15:50 |
| TheJulia | My background music today has been an excellent mix | 15:58 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: [WIP] [No, really WIP] [Another WIP for TheJulia] Add a BMO job https://review.opendev.org/c/openstack/ironic/+/988766 | 16:06 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening options for Redfish BMC connections https://review.opendev.org/c/openstack/ironic/+/987908 | 16:12 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for Ansible stream_url module https://review.opendev.org/c/openstack/ironic/+/985885 | 16:12 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Consolidate duplicated TLS code into ironic/common/tls_utils https://review.opendev.org/c/openstack/ironic/+/987909 | 16:12 |
| opendevreview | Julia Kreger proposed openstack/ironic master: novncproxy - Standardize ssl->tls for parameters https://review.opendev.org/c/openstack/ironic/+/988546 | 16:17 |
| cardoe | cid: How does https://review.opendev.org/c/openstack/ironic/+/988371 fit in with the changes you've made? | 16:24 |
| JayF | dtantsur: then anyone with access to edit driver_info can circumvent CA validation checks ... we almost need a way to limit what fields in a JSON doc like driver_info can be edited by whom... | 16:26 |
| TheJulia | sounds like field level rbac | 16:27 |
| TheJulia | or, just trust owners themselves. thats a weird line to draw but was the intent, owners are very trusted | 16:27 |
| TheJulia | lesses, oh hell no | 16:27 |
| opendevreview | Julia Kreger proposed openstack/ironic master: follow-up: getattr cleanup https://review.opendev.org/c/openstack/ironic/+/988787 | 16:29 |
| JayF | stuff like verify_ca is sorta on the razors edge | 16:29 |
| TheJulia | yeah, I sort of view it as *site* configuration/defaults | 16:30 |
| TheJulia | but... hmmm emmm... ugh | 16:30 |
| TheJulia | dunno | 16:30 |
| JayF | and projects are not aligned along sites :) | 16:30 |
| JayF | yep | 16:30 |
| JayF | it screams "put in a knob default:off" | 16:30 |
| TheJulia | yeah | 16:30 |
| TheJulia | a "owner can define this override" knob so admins can intellegently delegate maybe | 16:30 |
| TheJulia | or, the system_admin is the owner | 16:31 |
| TheJulia | but, that might not always hold true since we have users doing weird collaborateive things and loving it | 16:31 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for HTTP image service connections https://review.opendev.org/c/openstack/ironic/+/987906 | 16:31 |
| opendevreview | Mithun Krishnan Umesan proposed openstack/ironic master: Add TLS configuration to agent lookup response https://review.opendev.org/c/openstack/ironic/+/987887 | 16:32 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for OCI registry connections https://review.opendev.org/c/openstack/ironic/+/987907 | 16:32 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening options for Redfish BMC connections https://review.opendev.org/c/openstack/ironic/+/987908 | 16:32 |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for Ansible stream_url module https://review.opendev.org/c/openstack/ironic/+/985885 | 16:32 |
| TheJulia | Okay, time for the lab vampires | 16:33 |
| JayF | I mean, I think with stuff like that we have two choices: put in a bool() enable/disable flag in the config to accept the risk | 16:35 |
| JayF | or enhance the RBAC model to make it where custom policy can apply there | 16:35 |
| dtantsur | JayF: that's the point. If I have a private HTTP/OCI server that Ironic cannot verify, how do I use it with Ironic? | 16:48 |
| dtantsur | The current assumption is user == admin, which is the assumption we're trying to get away from | 16:48 |
| JayF | who is "you/I" in terms of Role? If you are the system admin, you should have access to do it | 16:48 |
| dtantsur | I'm a user with deployment rights | 16:48 |
| JayF | a user with deployment rights, running an https server with an invalid cert, and wanting to ignore that invalidity *feels* like something that should require the operator of the cloud to opt into | 16:50 |
| dtantsur | JayF: s/invalid/self-signed/ | 16:50 |
| JayF | what's the difference? | 16:50 |
| JayF | I mean that philosophically | 16:50 |
| dtantsur | it's not invalid, I just cannot make Ironic trust it | 16:50 |
| JayF | a self-signed certificate is useless for validity checking | 16:51 |
| dtantsur | 1) no, it's not, 2) I cannot opt out of validity checking | 16:51 |
| JayF | I guess it /could/ be useful for validity checking if you saved and checked for the same cert each time | 16:51 |
| JayF | but we don't do that | 16:51 |
| TheJulia | We well, to do self signed properly, you enable permission model to say “use this ca” | 16:51 |
| JayF | yes | 16:51 |
| dtantsur | Exactly, and I cannot do it with Ironic | 16:52 |
| dtantsur | without having rights to modify the global Ironic configuration | 16:52 |
| JayF | and I'm saying if we want that kinda override, it's OK, but it's not something I'd want to enable by default and we could hide it behind a config | 16:53 |
| JayF | just like we do for allowing driver_info to override the cleaning runbook in automated cleaning via runbook -- disabled by default, but you flip the bool, accept the risk, and get the feature | 16:53 |
| dtantsur | then why not hide any non-system-admin actions behind a config? | 16:53 |
| dtantsur | I don't get it... | 16:53 |
| JayF | I don't get a world where you'd have a *project manager* be running their own web server :) | 16:54 |
| JayF | but we have to be flexible for the use case where a project manager could be an external customer | 16:54 |
| dtantsur | JayF: have you heard about kubernetes? :) | 16:55 |
| JayF | as well as someone operationally-involved enough to run their own a web server | 16:55 |
| dtantsur | a regular user can and will run their HTTP servers/OCI registries in my world | 16:55 |
| JayF | and so you can flip that default for users in your world | 16:55 |
| dtantsur | and they can and will create their own CA using cert-manager | 16:55 |
| dtantsur | I don't like getting in the world where the only way to use Ironic and keep your sanity is to use Metal3, but I if the community insists... | 16:55 |
| JayF | I don't wanna get in a world where we've advertised "Ironic is multi-tenant" everywhere but give project managers a loophole :| | 16:57 |
| dtantsur | again, there is no loophole, you're making this part up | 16:58 |
| JayF | So I think our chat in DM knocked loose the bad assumption on my part: | 16:58 |
| JayF | we have no mechanism in Ironic to say "https image_source only" | 16:59 |
| JayF | so we have no mechanism in Ironic to say "only use images with valid https certs" | 16:59 |
| dtantsur | Yeah, right now the choice is between plain HTTP or HTTPS that Ironic can verify. Even if a user managers their own CA well (which is trivial with cert-manager), they must modify Ironic configuration to trust it. | 16:59 |
| JayF | which means in this case, someone could just use http, downgrade, and avoid it all | 16:59 |
| JayF | that means I don't think it makes the status quo less secure to add this | 17:00 |
| dtantsur | I guess I can imagine some folks wanting to limit which CA can sign images. I dunno if it's actually the default scenario. | 17:00 |
| JayF | BUT that we likely want to add an RFE bug for something like require_https_with_validation (better name needed) which would disable ability to use http (no s) URLs + enforce ssl cert validation | 17:00 |
| dtantsur | Here we have a conflict between "most secure by default" and the principle of least surprise | 17:00 |
| TheJulia | I think it could make a lot of sense to create a capability where we could accept overrides for certain and crypto controls from a a self service standpoint, but we just have to map it all out and allow operators to be able to say”no, trust delegation”. Issue is it all depends on the personas and security posture modeling which is going to be all over the place | 17:01 |
| JayF | well in this case, it's the other way | 17:02 |
| JayF | we need to add the security if we want it | 17:03 |
| JayF | because today, since anyone can just http:// in the image_source | 17:03 |
| JayF | https validation is more about avoiding MitM than it is "only use images from a webserver signed by my CA" | 17:03 |
| TheJulia | Agree | 17:03 |
| TheJulia | We should likely consider that as yet another knob overall, but maybe more global. Dunno. We have the checksum control aspect as well | 17:04 |
| JayF | to be explicit: that means I'm OK with this being overridable by a project manager | 17:04 |
| JayF | because to get the real security, weneed an actual feature which, if we implement it, could lockdown this behavior as well | 17:05 |
| TheJulia | Well, I’m thinking maybe we finally do subfield rbac | 17:05 |
| TheJulia | Fwiw. I dread it, but it could make a ton of sense | 17:05 |
| TheJulia | And by dread, the more so mean my plate dreads it | 17:06 |
| JayF | I mean, we put that in the eventually bucket | 17:06 |
| TheJulia | Yeah | 17:08 |
| opendevreview | Dmitry Tantsur proposed openstack/ironic master: [WIP] [No, really WIP] [Another WIP for TheJulia] Add a BMO job https://review.opendev.org/c/openstack/ironic/+/988766 | 17:16 |
| dtantsur | TheJulia, JayF: quick draft https://bugs.launchpad.net/ironic/+bug/2152718 | 17:16 |
| dtantsur | names and values subject to bikeshedding | 17:17 |
| TheJulia | Alternatively I replace my plate with Kevlar and carbon fiber enhanced composites… but making composites puts me on a path to either be like the bps.space dude, or the sail life dude on YouTube. | 17:18 |
| TheJulia | Will look when I’m back to the desk | 17:18 |
| dtantsur | Note: we wouldn't have to do subfield rbac, if we had proper deployment API instead of JSON fields ;) | 17:19 |
| TheJulia | heh | 17:31 |
| dtantsur | dinner time, have a nice weekend folks | 17:41 |
| -opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be offline momentarily while we restart it onto a new patch release | 18:03 | |
| opendevreview | Julia Kreger proposed openstack/ironic master: Add TLS hardening for kickstart configdrive and inspection rule connections https://review.opendev.org/c/openstack/ironic/+/988804 | 18:59 |
| cardoe | TheJulia: while you're talking RBAC to steps and security... can I left shark a little? | 19:17 |
| cardoe | What if we allowed safe jinja for steps | 19:17 |
| TheJulia | well, fields, most likely steps, but.... jinja in steps | 19:17 |
| TheJulia | .... | 19:17 |
| opendevreview | Doug Goldstein proposed openstack/ironic master: Add Zuul job to test inspection rules tester https://review.opendev.org/c/openstack/ironic/+/981423 | 19:18 |
| TheJulia | ERROR | 19:18 |
| TheJulia | Did someone just drain the oil from my brain | 19:18 |
| TheJulia | why would you want a step to be furnished with jinja | 19:20 |
| TheJulia | please give me a user story to work with | 19:20 |
| cardoe | Well in a runbook not actual steps. | 19:22 |
| cardoe | So maybe less scary. | 19:22 |
| TheJulia | computer, please activate the emergency code hologram | 19:23 |
| TheJulia | I guess I'm still missing why and now I feel the need to understand why as well | 19:23 |
| cardoe | So like BIOS settings reset and then ensuring that the BMC is on the IP address that Ironic communicates with instead of going back to factory default. | 19:25 |
| TheJulia | so, maybe rbac-ifying specific steps and if you could have args or arg data supplied their in? | 19:26 |
| cardoe | Well I don't want end users to do it. | 19:26 |
| TheJulia | owners you don't trust? | 19:26 |
| cardoe | that's why I'm using runbooks cause I'm actually trying to delegate operations down to less privileged folks. | 19:26 |
| TheJulia | or, want to keep a possible footgun out of range of their keyboards? | 19:27 |
| cardoe | Yep. | 19:27 |
| cardoe | Just random neuron that fired. | 19:27 |
| cardoe | Not saying that someone just footgunned themselves and disturbed my quiet reviewing of my VXLAN spec.... | 19:28 |
| TheJulia | woudl you have a few minutes to allow neurons to fire with higher bandwidth? asking to try and make sure I understand your desire/challenge/context correctly | 19:28 |
| TheJulia | well, thats good | 19:28 |
| cardoe | yeah we can. | 19:28 |
| TheJulia | https://meet.google.com/wts-ztiy-jbw | 19:29 |
| JayF | jfyi the Ironic PTG summary video should be going on the @oss-gr youtube channel on monday | 19:52 |
| cid | cardoe, with the follow-up now merged, we will not be needing this one https://review.opendev.org/c/openstack/ironic/+/988371 anymore | 20:04 |
| TheJulia | cardoe: you mentioned your neutron spec, I can check it out next week | 20:28 |
| *** janders2 is now known as janders | 20:32 | |
| *** jcosmao is now known as Guest9508 | 20:44 | |
| cardoe | https://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_996/openstack/996670ca72114523b2691262de4b5b0a/docs/specs/2026.2/underlay-vxlan-support.html | 21:33 |
Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!