Friday, 2026-05-15

opendevreviewMerged openstack/ironic master: Fix periodic tasks not running after pickle/unpickle  https://review.opendev.org/c/openstack/ironic/+/98846900:26
opendevreviewVerification of a change to openstack/ironic stable/2026.1 failed: Fix healthcheck intercepting all API routes  https://review.opendev.org/c/openstack/ironic/+/98818600:43
opendevreviewVerification of a change to openstack/ironic stable/2026.1 failed: Fix healthcheck intercepting all API routes  https://review.opendev.org/c/openstack/ironic/+/98818604:01
*** elodilles_pto is now known as elodilles08:49
opendevreviewBertrand Lanson proposed openstack/ironic master: fix: skip storage controllers without Volumes link  https://review.opendev.org/c/openstack/ironic/+/98785310:47
opendevreviewDmitry Tantsur proposed openstack/sushy-tools master: Drop pbr and WebOb from requirements  https://review.opendev.org/c/openstack/sushy-tools/+/98875211:30
iurygregorygood morning ironic11:54
opendevreviewDmitry Tantsur proposed openstack/ironic master: Science: try --ha in the IrSO job  https://review.opendev.org/c/openstack/ironic/+/98876013:00
TheJuliabrraaaains13:13
opendevreviewJulia Kreger proposed openstack/ironic bugfix/34.0: security: move file url validation up into deploy_utils main path  https://review.opendev.org/c/openstack/ironic/+/98876413:21
opendevreviewJulia Kreger proposed openstack/ironic bugfix/33.0: security: move file url validation up into deploy_utils main path  https://review.opendev.org/c/openstack/ironic/+/98876513:22
opendevreviewDmitry Tantsur proposed openstack/ironic master: [WIP] [No, really WIP] Add a BMO job  https://review.opendev.org/c/openstack/ironic/+/98876613:25
opendevreviewDmitry Tantsur proposed openstack/sushy-tools master: Drop pbr from requirements  https://review.opendev.org/c/openstack/sushy-tools/+/98875213:30
opendevreviewJulia Kreger proposed openstack/ironic stable/2025.1: security: move file url validation up into deploy_utils main path  https://review.opendev.org/c/openstack/ironic/+/98835713:32
cardoeTheJulia: https://review.opendev.org/c/openstack/ironic/+/987441 I think Steve's design there is good.13:40
cardoeI know it's a bit of a rewrite / feature change but I'm gonna backport it to our 2026.1 when we land it. Not sure if we'd consider it backportable to 2026.113:41
cardoeBut without that behavior change it's really rough to use.13:41
opendevreviewJulia Kreger proposed openstack/ironic unmaintained/2024.1: stable only: cleanup 2024.1 ci jobs  https://review.opendev.org/c/openstack/ironic/+/98876713:42
TheJuliaI'm hoping ^^^ cleans up 2024.1's branch enough that ci is working on it again13:42
opendevreviewDmitry Tantsur proposed openstack/ironic master: DNM Science: try --ha in the IrSO job  https://review.opendev.org/c/openstack/ironic/+/98876013:43
TheJuliaJust reading the commit message, I think it makes sense to backport upstream, fwiw13:44
TheJuliare-framing it as a sort of denial of service, albeit not of the service, but of the graphical console13:44
TheJuliaI'd like one more core to chime in on the patch, but otherwise it looks pretty good to me13:50
TheJuliadtantsur: w/r/t https://review.opendev.org/c/openstack/ironic/+/985879, I've got a patch up for the client that I'll be revisiting later today, but it all really starts with keystoneauth ;)13:53
TheJuliaas for the server, thats a super good question I just don't knwo13:54
TheJuliafwiw, it does lock the overall minimum, so should be okay13:58
opendevreviewMerged openstack/ironic master: Add TLS hardening options for the API service  https://review.opendev.org/c/openstack/ironic/+/98587814:13
TheJuliaoooh, ahhh14:18
cardoeTheJulia: now follow up removing that getattr() calls :) Imma call that trivial and instant merge it.14:24
TheJuliacardoe: dude, let me get to the consolidation patch first ;)14:27
TheJuliaAnyone have any opinions on what we should to to fix unmaintained/2023.1 ci ? https://paste.opendev.org/show/bBaPUvpqpFbDYZjsUk08/14:43
* dtantsur hands TheJulia a torch14:43
* TheJulia looks at the torch and feels great sadness14:46
TheJulia2023.1 was such a fine release14:46
dtantsurDon't be sad, we'll give you even finer releases!14:47
TheJuliaAnd Massive Attack - Dissolved Girl begins to play14:47
opendevreviewJulia Kreger proposed openstack/ironic unmaintained/2023.1: DNM: See if this makes ci happier  https://review.opendev.org/c/openstack/ironic/+/98877814:48
opendevreviewMerged openstack/networking-generic-switch master: GenericSwitchNetmikoConfigError error details  https://review.opendev.org/c/openstack/networking-generic-switch/+/98502914:48
* TheJulia wonders when the bot will update the channel log so I can note the honor which feels like it needed to be posted to bash.org14:55
opendevreviewDmitry Tantsur proposed openstack/ironic master: DNM Science: try --ha in the IrSO job  https://review.opendev.org/c/openstack/ironic/+/98876015:02
opendevreviewDmitry Tantsur proposed openstack/ironic master: DNM Science: try --ha in the IrSO job  https://review.opendev.org/c/openstack/ironic/+/98876015:08
opendevreviewDmitry Tantsur proposed openstack/ironic master: [WIP] [No, really WIP] Add a BMO job  https://review.opendev.org/c/openstack/ironic/+/98876615:10
opendevreviewJulia Kreger proposed openstack/ironic master: novncproxy - Standardize ssl->tls for parameters  https://review.opendev.org/c/openstack/ironic/+/98854615:14
opendevreviewMerged openstack/ironic stable/2026.1: Fix healthcheck intercepting all API routes  https://review.opendev.org/c/openstack/ironic/+/98818615:25
dtantsurFolks, does anyone remember why webserver_verify_ca is not in driver_info? TheJulia maybe you remember for oci images?15:34
TheJuliaI think that was intentional because it likely ought to be a deployment [of ironic] owner decision, but I could see the case for delegating trust15:35
opendevreviewJulia Kreger proposed openstack/ironic master: Add initial docs for TLS hardening options  https://review.opendev.org/c/openstack/ironic/+/98588115:38
opendevreviewJulia Kreger proposed openstack/ironic master: novncproxy - Standardize ssl->tls for parameters  https://review.opendev.org/c/openstack/ironic/+/98854615:38
dtantsurTheJulia: yeah, I'm thinking about scenarios like disabling TLS validation15:38
TheJuliadtantsur: if you keep it up, you'll have to put 3 WIP labels on a change15:38
TheJuliamaybe worth the meeting on monday?15:39
TheJuliaIt is, after all, Friday15:39
opendevreviewDmitry Tantsur proposed openstack/ironic master: [WIP] [No, really WIP] [Another WIP for TheJulia] Add a BMO job  https://review.opendev.org/c/openstack/ironic/+/98876615:39
dtantsurTheJulia: don't challenge me, especially on Friday ^^^15:39
TheJuliaAnd you should like... be looking at a mountain ;)15:39
TheJulialol15:39
dtantsurI was supposed to, but the weather was so bad we decided to stay at home..15:40
TheJulia:(15:40
dtantsurIt's snow mixed with heavy showers closer to 1.5k meters15:40
TheJulialight to heavy snow might be nice in some cases, but showers != fun15:41
dtantsurin the mountains, stable snow = fun, wet unstable snow = bad time15:42
TheJuliayup15:42
dtantsurBack to the WIP-WIP-WIP topic, swapping the integration job for a BMO one should (hopefully) eventually make it both more stable and more useful15:44
TheJuliacool15:44
dtantsurBMO functional tests touch some rather exotic corners of Ironic like adoption or forced deletion using maintenance mode15:46
dtantsurand with https://github.com/metal3-io/baremetal-operator/pull/3246 we'll cover BIOS settings for the first time15:46
opendevreviewJulia Kreger proposed openstack/ironic master: Add TLS hardening for HTTP image service connections  https://review.opendev.org/c/openstack/ironic/+/98790615:50
opendevreviewJulia Kreger proposed openstack/ironic master: Add TLS hardening for OCI registry connections  https://review.opendev.org/c/openstack/ironic/+/98790715:50
TheJuliaMy background music today has been an excellent mix15:58
opendevreviewDmitry Tantsur proposed openstack/ironic master: [WIP] [No, really WIP] [Another WIP for TheJulia] Add a BMO job  https://review.opendev.org/c/openstack/ironic/+/98876616:06
opendevreviewJulia Kreger proposed openstack/ironic master: Add TLS hardening options for Redfish BMC connections  https://review.opendev.org/c/openstack/ironic/+/98790816:12
opendevreviewJulia Kreger proposed openstack/ironic master: Add TLS hardening for Ansible stream_url module  https://review.opendev.org/c/openstack/ironic/+/98588516:12
opendevreviewJulia Kreger proposed openstack/ironic master: Consolidate duplicated TLS code into ironic/common/tls_utils  https://review.opendev.org/c/openstack/ironic/+/98790916:12
opendevreviewJulia Kreger proposed openstack/ironic master: novncproxy - Standardize ssl->tls for parameters  https://review.opendev.org/c/openstack/ironic/+/98854616:17
cardoecid: How does https://review.opendev.org/c/openstack/ironic/+/988371 fit in with the changes you've made?16:24
JayFdtantsur: then anyone with access to edit driver_info can circumvent CA validation checks ... we almost need a way to limit what fields in a JSON doc like driver_info can be edited by whom...16:26
TheJuliasounds like field level rbac16:27
TheJuliaor, just trust owners themselves. thats a weird line to draw but was the intent, owners are very trusted16:27
TheJulialesses, oh hell no16:27
opendevreviewJulia Kreger proposed openstack/ironic master: follow-up: getattr cleanup  https://review.opendev.org/c/openstack/ironic/+/98878716:29
JayFstuff like verify_ca is sorta on the razors edge16:29
TheJuliayeah, I sort of view it as *site* configuration/defaults16:30
TheJuliabut... hmmm emmm... ugh16:30
TheJuliadunno16:30
JayFand projects are not aligned along sites :)16:30
JayFyep16:30
JayFit screams "put in a knob default:off"16:30
TheJuliayeah16:30
TheJuliaa "owner can define this override" knob so admins can intellegently delegate maybe16:30
TheJuliaor, the system_admin is the owner16:31
TheJuliabut, that might not always hold true since we have users doing weird collaborateive things and loving it16:31
opendevreviewJulia Kreger proposed openstack/ironic master: Add TLS hardening for HTTP image service connections  https://review.opendev.org/c/openstack/ironic/+/98790616:31
opendevreviewMithun Krishnan Umesan proposed openstack/ironic master: Add TLS configuration to agent lookup response  https://review.opendev.org/c/openstack/ironic/+/98788716:32
opendevreviewJulia Kreger proposed openstack/ironic master: Add TLS hardening for OCI registry connections  https://review.opendev.org/c/openstack/ironic/+/98790716:32
opendevreviewJulia Kreger proposed openstack/ironic master: Add TLS hardening options for Redfish BMC connections  https://review.opendev.org/c/openstack/ironic/+/98790816:32
opendevreviewJulia Kreger proposed openstack/ironic master: Add TLS hardening for Ansible stream_url module  https://review.opendev.org/c/openstack/ironic/+/98588516:32
TheJuliaOkay, time for the lab vampires16:33
JayFI mean, I think with stuff like that we have two choices: put in a bool() enable/disable flag in the config to accept the risk16:35
JayFor enhance the RBAC model to make it where custom policy can apply there16:35
dtantsurJayF: that's the point. If I have a private HTTP/OCI server that Ironic cannot verify, how do I use it with Ironic?16:48
dtantsurThe current assumption is user == admin, which is the assumption we're trying to get away from16:48
JayFwho is "you/I" in terms of Role? If you are the system admin, you should have access to do it16:48
dtantsurI'm a user with deployment rights16:48
JayFa user with deployment rights, running an https server with an invalid cert, and wanting to ignore that invalidity *feels* like something that should require the operator of the cloud to opt into16:50
dtantsurJayF: s/invalid/self-signed/16:50
JayFwhat's the difference?16:50
JayFI mean that philosophically16:50
dtantsurit's not invalid, I just cannot make Ironic trust it16:50
JayFa self-signed certificate is useless for validity checking16:51
dtantsur1) no, it's not, 2) I cannot opt out of validity checking16:51
JayFI guess it /could/ be useful for validity checking if you saved and checked for the same cert each time16:51
JayFbut we don't do that16:51
TheJuliaWe well, to do self signed properly, you enable permission model to say “use this ca”16:51
JayFyes16:51
dtantsurExactly, and I cannot do it with Ironic16:52
dtantsurwithout having rights to modify the global Ironic configuration16:52
JayFand I'm saying if we want that kinda override, it's OK, but it's not something I'd want to enable by default and we could hide it behind a config16:53
JayFjust like we do for allowing driver_info to override the cleaning runbook in automated cleaning via runbook -- disabled by default, but you flip the bool, accept the risk, and get the feature16:53
dtantsurthen why not hide any non-system-admin actions behind a config?16:53
dtantsurI don't get it...16:53
JayFI don't get a world where you'd have a *project manager* be running their own web server :)16:54
JayFbut we have to be flexible for the use case where a project manager could be an external customer16:54
dtantsurJayF: have you heard about kubernetes? :)16:55
JayFas well as someone operationally-involved enough to run their own a web server16:55
dtantsura regular user can and will run their HTTP servers/OCI registries in my world16:55
JayFand so you can flip that default for users in your world16:55
dtantsurand they can and will create their own CA using cert-manager16:55
dtantsurI don't like getting in the world where the only way to use Ironic and keep your sanity is to use Metal3, but I if the community insists...16:55
JayFI don't wanna get in a world where we've advertised "Ironic is multi-tenant" everywhere but give project managers a loophole :|16:57
dtantsuragain, there is no loophole, you're making this part up16:58
JayFSo I think our chat in DM knocked loose the bad assumption on my part:16:58
JayFwe have no mechanism in Ironic to say "https image_source only"16:59
JayFso we have no mechanism in Ironic to say "only use images with valid https certs"16:59
dtantsurYeah, right now the choice is between plain HTTP or HTTPS that Ironic can verify. Even if a user managers their own CA well (which is trivial with cert-manager), they must modify Ironic configuration to trust it.16:59
JayFwhich means in this case, someone could just use http, downgrade, and avoid it all16:59
JayFthat means I don't think it makes the status quo less secure to add this17:00
dtantsurI guess I can imagine some folks wanting to limit which CA can sign images. I dunno if it's actually the default scenario.17:00
JayFBUT that we likely want to add an RFE bug for something like require_https_with_validation (better name needed) which would disable ability to use http (no s) URLs + enforce ssl cert validation17:00
dtantsurHere we have a conflict between "most secure by default" and the principle of least surprise17:00
TheJuliaI think it could make a lot of sense to create a capability where we could accept overrides for certain and crypto controls from a a self service standpoint, but we just have to map it all out and allow operators to be able to say”no, trust delegation”. Issue is it all depends on the personas and security posture modeling which is going to be all over the place17:01
JayFwell in this case, it's the other way17:02
JayFwe need to add the security if we want it17:03
JayFbecause today, since anyone can just http:// in the image_source17:03
JayFhttps validation is more about avoiding MitM than it is "only use images from a webserver signed by my CA"17:03
TheJuliaAgree17:03
TheJuliaWe should likely consider that as yet another knob overall, but maybe more global. Dunno. We have the checksum control aspect as well17:04
JayFto be explicit: that means I'm OK with this being overridable by a project manager17:04
JayFbecause to get the real security, weneed an actual feature which, if we implement it, could lockdown this behavior as well17:05
TheJuliaWell, I’m thinking maybe we finally do subfield rbac17:05
TheJuliaFwiw. I dread it, but it could make a ton of sense17:05
TheJuliaAnd by dread, the more so mean my plate dreads it17:06
JayFI mean, we put that in the eventually bucket17:06
TheJuliaYeah17:08
opendevreviewDmitry Tantsur proposed openstack/ironic master: [WIP] [No, really WIP] [Another WIP for TheJulia] Add a BMO job  https://review.opendev.org/c/openstack/ironic/+/98876617:16
dtantsurTheJulia, JayF: quick draft https://bugs.launchpad.net/ironic/+bug/215271817:16
dtantsurnames and values subject to bikeshedding17:17
TheJuliaAlternatively I replace my plate with Kevlar and carbon fiber enhanced composites… but making  composites puts me on a path to either be like the bps.space dude, or the sail life dude on YouTube.17:18
TheJuliaWill look when I’m back to the desk17:18
dtantsurNote: we wouldn't have to do subfield rbac, if we had proper deployment API instead of JSON fields ;)17:19
TheJuliaheh17:31
dtantsurdinner time, have a nice weekend folks17:41
-opendevstatus- NOTICE: The Gerrit service on review.opendev.org will be offline momentarily while we restart it onto a new patch release18:03
opendevreviewJulia Kreger proposed openstack/ironic master: Add TLS hardening for kickstart configdrive and inspection rule connections  https://review.opendev.org/c/openstack/ironic/+/98880418:59
cardoeTheJulia: while you're talking RBAC to steps and security... can I left shark a little?19:17
cardoeWhat if we allowed safe jinja for steps19:17
TheJuliawell, fields, most likely steps, but.... jinja in steps19:17
TheJulia....19:17
opendevreviewDoug Goldstein proposed openstack/ironic master: Add Zuul job to test inspection rules tester  https://review.opendev.org/c/openstack/ironic/+/98142319:18
TheJuliaERROR19:18
TheJuliaDid someone just drain the oil from my brain19:18
TheJuliawhy would you want a step to be furnished with jinja19:20
TheJuliaplease give me a user story to work with19:20
cardoeWell in a runbook not actual steps.19:22
cardoeSo maybe less scary.19:22
TheJuliacomputer, please activate the emergency code hologram19:23
TheJuliaI guess I'm still missing why and now I feel the need to understand why as well19:23
cardoeSo like BIOS settings reset and then ensuring that the BMC is on the IP address that Ironic communicates with instead of going back to factory default.19:25
TheJuliaso, maybe rbac-ifying specific steps and if you could have args or arg data supplied their in?19:26
cardoeWell I don't want end users to do it.19:26
TheJuliaowners you don't trust?19:26
cardoethat's why I'm using runbooks cause I'm actually trying to delegate operations down to less privileged folks.19:26
TheJuliaor, want to keep a possible footgun out of range of their keyboards?19:27
cardoeYep.19:27
cardoeJust random neuron that fired.19:27
cardoeNot saying that someone just footgunned themselves and disturbed my quiet reviewing of my VXLAN spec....19:28
TheJuliawoudl you have a few minutes to allow neurons to fire with higher bandwidth? asking to try and make sure I understand your desire/challenge/context correctly19:28
TheJuliawell, thats good19:28
cardoeyeah we can.19:28
TheJuliahttps://meet.google.com/wts-ztiy-jbw19:29
JayFjfyi the Ironic PTG summary video should be going on the @oss-gr youtube channel on monday19:52
cidcardoe,  with the follow-up now merged, we will not be needing this one https://review.opendev.org/c/openstack/ironic/+/988371 anymore20:04
TheJuliacardoe: you mentioned your neutron spec, I can check it out next week20:28
*** janders2 is now known as janders20:32
*** jcosmao is now known as Guest950820:44
cardoehttps://storage.bhs.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_996/openstack/996670ca72114523b2691262de4b5b0a/docs/specs/2026.2/underlay-vxlan-support.html21:33

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!