| opendevreview | Dmitry Tantsur proposed openstack/ironic master: Stop reimporting middleware modules https://review.opendev.org/c/openstack/ironic/+/993526 | 08:52 |
|---|---|---|
| opendevreview | Esther Domfeh proposed openstack/ironic master: feat: populate node_history state fields https://review.opendev.org/c/openstack/ironic/+/993208 | 09:58 |
| zigo | Hi there! Will there be an OSSA for CVE-2026-54421 ? | 11:09 |
| zigo | FYI, Debian is all up-to-date for all the recent CVE, from Zed to Gazpacho. | 11:10 |
| zigo | Just that one isn't fixed in Debian proper (ie: without osbpo.debian.net add-on repo, on Bookworm and Trixie). | 11:10 |
| iurygregory | good morning ironic | 11:21 |
| TheJulia | good morning | 13:07 |
| TheJulia | zigo: I believe that will be going out today | 13:07 |
| zigo | Thanks. | 13:08 |
| JayF | Can I get an Ironic review on https://review.opendev.org/c/openstack/ossa/+/993465 and https://review.opendev.org/c/openstack/ossa/+/986850 | 14:44 |
| iurygregory | what is the link for the midcycle? | 14:59 |
| iurygregory | ok, found in the etherpad :D | 15:00 |
| TheJulia | https://meetpad.opendev.org/ironic-2026-june-midcycle | 15:02 |
| TheJulia | cardoe: *boop* | 15:13 |
| opendevreview | Esther Domfeh proposed openstack/ironic master: feat: add state, target_provision_state, and duration_seconds to node history https://review.opendev.org/c/openstack/ironic/+/989994 | 15:14 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent stable/2025.2: Add a flag to disable installing bootloaders https://review.opendev.org/c/openstack/ironic-python-agent/+/993020 | 15:15 |
| cardoe | sorry | 15:22 |
| cardoe | TheJulia: I had to drop cause of a neutron issue locally | 15:36 |
| TheJulia | doh! | 15:36 |
| TheJulia | no worries | 15:36 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent bugfix/11.4: Add a flag to disable installing bootloaders https://review.opendev.org/c/openstack/ironic-python-agent/+/993463 | 15:45 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent bugfix/11.4: Fix a couple of tests so they pass in both tox py3 and cover https://review.opendev.org/c/openstack/ironic-python-agent/+/993621 | 15:45 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent bugfix/11.3: Add a flag to disable installing bootloaders https://review.opendev.org/c/openstack/ironic-python-agent/+/993464 | 15:50 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent bugfix/11.3: Fix a couple of tests so they pass in both tox py3 and cover https://review.opendev.org/c/openstack/ironic-python-agent/+/993623 | 15:50 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent-builder unmaintained/2023.1: ci: Pin setuptools to a range that still ships https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993419 | 16:00 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent-builder unmaintained/2023.1: update .gitreview to point to unmaintained/2023.1 https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993418 | 16:00 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent-builder unmaintained/2023.1: Pin setuptools in the requirements.txt copied from IPA https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993420 | 16:00 |
| cardoe | My update is I'm behind on everything this cycle | 16:07 |
| iurygregory | ack | 16:08 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent bugfix/11.3: Fix a several tests so they pass in both tox py3 and cover https://review.opendev.org/c/openstack/ironic-python-agent/+/993623 | 16:31 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent bugfix/11.3: Add a flag to disable installing bootloaders https://review.opendev.org/c/openstack/ironic-python-agent/+/993464 | 16:31 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent bugfix/11.4: Fix a several tests so they pass in both tox py3 and cover https://review.opendev.org/c/openstack/ironic-python-agent/+/993621 | 16:32 |
| opendevreview | Clif Houck proposed openstack/ironic-python-agent bugfix/11.4: Add a flag to disable installing bootloaders https://review.opendev.org/c/openstack/ironic-python-agent/+/993463 | 16:32 |
| clif | cardoe: that seems to be going around :) | 16:33 |
| JayF | poop rolls downhill | 16:34 |
| JayF | and cardoe being an operator, lives in the valleys | 16:35 |
| JayF | we are a low level tool so we're pretty deep in the holler as well | 16:35 |
| cardoe | lotta muck around.... | 16:35 |
| JayF | ( https://ahdictionary.com/word/search.html?q=holler an Appalachian term for a small valley) | 16:36 |
| JayF | https://xkcd.com/1172/ (reference for the "spacebar heating") | 16:45 |
| TheJulia | That is good | 16:50 |
| *** ildikov_ is now known as ildikov | 16:59 | |
| dtantsur | TheJulia, JayF, this is a fine balance though :) If we teach people to use *creative* workarounds, we may end up in this situation too | 17:08 |
| * dtantsur actually goes get dinner | 17:08 | |
| JayF | yeah, I think usually with stuff like this there's a place to draw the line | 17:09 |
| JayF | I don't think "just run this iso" is a good one. Maybe the idea of in-band non-agent cleaning could exist though? IDK | 17:09 |
| opendevreview | Merged openstack/ironic-python-agent-builder stable/2025.1: ci: Pin setuptools to a range that still ships https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993413 | 17:21 |
| opendevreview | Merged openstack/ironic-python-agent-builder stable/2025.2: ci: Pin setuptools to a range that still ships https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993158 | 17:24 |
| opendevreview | Esther Domfeh proposed openstack/ironic master: feat: add state, target_provision_state, and duration_seconds to node history https://review.opendev.org/c/openstack/ironic/+/989994 | 17:50 |
| opendevreview | Merged openstack/ironic-python-agent stable/2025.2: ci: Disable metalsmith-integration-ipa-src-uefi zuul job https://review.opendev.org/c/openstack/ironic-python-agent/+/993377 | 18:23 |
| opendevreview | Merged openstack/ironic-python-agent bugfix/11.4: Fix a several tests so they pass in both tox py3 and cover https://review.opendev.org/c/openstack/ironic-python-agent/+/993621 | 18:23 |
| opendevreview | Merged openstack/ironic-python-agent stable/2025.2: Add a flag to disable installing bootloaders https://review.opendev.org/c/openstack/ironic-python-agent/+/993020 | 18:30 |
| opendevreview | Merged openstack/ironic-python-agent bugfix/11.4: Add a flag to disable installing bootloaders https://review.opendev.org/c/openstack/ironic-python-agent/+/993463 | 18:30 |
| opendevreview | Merged openstack/ironic-python-agent bugfix/11.3: Fix a several tests so they pass in both tox py3 and cover https://review.opendev.org/c/openstack/ironic-python-agent/+/993623 | 18:30 |
| opendevreview | Merged openstack/ironic-python-agent bugfix/11.3: Add a flag to disable installing bootloaders https://review.opendev.org/c/openstack/ironic-python-agent/+/993464 | 18:30 |
| opendevreview | Merged openstack/ironic-python-agent stable/2026.1: Add a flag to disable installing bootloaders https://review.opendev.org/c/openstack/ironic-python-agent/+/993016 | 18:30 |
| opendevreview | Merged openstack/ironic-python-agent-builder stable/2025.1: Pin setuptools in the requirements.txt copied from IPA https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993414 | 18:32 |
| opendevreview | Merged openstack/ironic-python-agent-builder unmaintained/2024.1: ci: Pin setuptools to a range that still ships https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993415 | 18:32 |
| opendevreview | Merged openstack/ironic-python-agent-builder unmaintained/2023.1: ci: Pin setuptools to a range that still ships https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993419 | 18:32 |
| opendevreview | Merged openstack/ironic-python-agent-builder stable/2025.2: Pin setuptools in the requirements.txt copied from IPA https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993176 | 18:32 |
| opendevreview | Merged openstack/ironic-python-agent-builder unmaintained/2024.1: Pin setuptools in the requirements.txt copied from IPA https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993416 | 18:32 |
| JayF | clif: TheJulia: So I think we forgot the second half of the change https://review.opendev.org/c/openstack/ironic/+/990724 | 19:01 |
| JayF | is only back to stable/2026.1 and not referenced in my OSSA at all | 19:02 |
| TheJulia | Oh yeah, that would need to be backported as well | 19:03 |
| JayF | I think the choices we made may flip this from OSSA->OSSN as well cc: fungi | 19:04 |
| JayF | fungi: in our backports, we flipped to the less-secure default to avoid breaking people. I have an OSSA written with updates to tell them to flip the config if they can... but is it OK for it to still be an OSSA (and not an OSSN) in this case? | 19:05 |
| JayF | fungi: I want the answer to be "yes go ahead with an OSSA" so I don't have to redo work | 19:05 |
| fungi | requiring operators to configure and enable the fixed solution has generally meant it's a security note rather than advisory, especially since it needs additional instructions beyond just applying the patch | 19:07 |
| fungi | i can take a closer look after i'm done chairing the opendev meeting | 19:08 |
| JayF | I think you're probably right. damn | 19:08 |
| JayF | clif: if you could get those backports going I'd appreciate it, I am updating all the paperwork | 19:08 |
| clif | oh the ironic side | 19:09 |
| clif | yep I'll get on them... | 19:09 |
| fungi | JayF: i'm not going to tell you to redo work, and am happy to figure out an exception if it makes sense, just noting how this has been approached in the past | 19:28 |
| JayF | fungi: this is where I'm at now, if you have time to take a quick gander and give any feedback. Not going to push until clif gets the stable backports in so I can finish filling it out. https://www.irccloud.com/pastebin/80RN0zcx/OSSN-0100.txt | 19:29 |
| fungi | of course! | 19:29 |
| JayF | fungi: I have bugfix/11.7 listed there specifically because the matching Ironic bugfix/37.0 branch DOESN'T have the fix, so we have sorta a mismatch just based on when the releases changes landed | 19:30 |
| JayF | ***bugfix/11.6 | 19:31 |
| fungi | a minor tweak, i'd probably drop the `>=1.0.0` and just start with `<10.2.3` (i.e. **all** older versions are affected) | 19:33 |
| JayF | I like that *a lot* | 19:34 |
| JayF | since technically Ironic 2024.2.0 was impacted | 19:34 |
| JayF | from when we used the numbers as the release numbers | 19:34 |
| JayF | the original openstack datever lol | 19:34 |
| fungi | well, it's also our default to leave the minimum version unspecified if we think it affects all older versions or if we don't know for sure how far back the bug goes and want everyone to assume there's no version old enough to be unaffected | 19:35 |
| JayF | yeah, with Ironic it gets a little muddy | 19:36 |
| JayF | because Ironic (original releases) is probably vuln to ALL THE THINGS from a modern POV | 19:36 |
| fungi | JayF: the "this ossn" line at the bottom has the one you copied from | 19:37 |
| JayF | how dare you suggest I plagiarized from myself to start ;) | 19:38 |
| JayF | hehehe | 19:38 |
| JayF | OSSA-2026-023 is out (Volume props unredacted) | 20:05 |
| TheJulia | brain, where is brain? | 20:14 |
| clif | JayF: for bugfix branches do you want the bootloader install enabled or disabled by default? | 20:16 |
| JayF | I'd say treat them like any other backport and keep existing behavior | 20:17 |
| clif | alright | 20:17 |
| JayF | https://review.opendev.org/c/openstack/security-doc/+/993668 is OSSN-0100 draft if anyone wants to review | 20:23 |
| opendevreview | Clif Houck proposed openstack/ironic bugfix/33.0: Add an agent flag to disable installing boatloaders https://review.opendev.org/c/openstack/ironic/+/993682 | 20:25 |
| opendevreview | Clif Houck proposed openstack/ironic bugfix/34.0: Add an agent flag to disable installing boatloaders https://review.opendev.org/c/openstack/ironic/+/993683 | 20:25 |
| opendevreview | Clif Houck proposed openstack/ironic stable/2025.1: Add an agent flag to disable installing boatloaders https://review.opendev.org/c/openstack/ironic/+/993684 | 20:26 |
| opendevreview | Clif Houck proposed openstack/ironic stable/2025.2: Add an agent flag to disable installing boatloaders https://review.opendev.org/c/openstack/ironic/+/993685 | 20:26 |
| JayF | clif: bugfix/37.0 is gonna need one too, it's a shiny new branch that just missed out on your original patch | 20:26 |
| JayF | the IPA bugfix branch that got cut had it, but not the Ironic one | 20:27 |
| clif | joy | 20:27 |
| JayF | Yeah, just that + um/2024.1 and um/2023.1 and I have what I need for the OSSN | 20:27 |
| TheJulia | ++ | 20:28 |
| opendevreview | Clif Houck proposed openstack/ironic unmaintained/2024.1: Add an agent flag to disable installing boatloaders https://review.opendev.org/c/openstack/ironic/+/993686 | 20:29 |
| opendevreview | Clif Houck proposed openstack/ironic unmaintained/2023.1: Add an agent flag to disable installing boatloaders https://review.opendev.org/c/openstack/ironic/+/993687 | 20:29 |
| clif | JayF: e38ae0c579f8f05a85fc3266910525f96877dec5 is in bugfix/37.0 | 20:30 |
| JayF | \o/ | 20:31 |
| JayF | does https://review.opendev.org/c/openstack/security-doc/+/993668 lgt-you? | 20:32 |
| clif | pretty much except for the dup link | 20:38 |
| JayF | good stuff, ty | 20:39 |
| JayF | it'll be announced as soon as the review is done from vmt | 20:39 |
| shermanm | digging some cobwebs out of a corner, but I think we've run into an edge case with the ipmitool management driver with supermicro servers. We have some H13 servers that seem to dislike the override here https://github.com/openstack/ironic/blob/62dc38f151fc7ceee749794ae919757cbdd77fb7/ironic/drivers/modules/ipmitool.py#L203, introduced in Change-Id: Ie19db9e0cf1eafdfc9bb46248f4d457337821f94 | 21:08 |
| shermanm | I'm happy to make a bug / change-request, but open to suggestion on the shape such a fix might take. Adding yet another config flag or per-device property to turn the behavior on/off? | 21:09 |
| JayF | I... don't know :( | 21:13 |
| JayF | probably but that's terrible. | 21:13 |
| JayF | Probably would help to know if this is "supermicros are fixed moving forward" or "h13 is special" | 21:14 |
| JayF | either way still dunno how I'd shape a patch around that | 21:14 |
| shermanm | Mostly i'm trying to get my downstream to move to redfish and dodge all of this | 21:26 |
| shermanm | > probably but that's terrible. | 21:29 |
| shermanm | tbf this is how everything that touches a BMC goes | 21:29 |
| JayF | yeah | 21:29 |
| JayF | the main thing is like, vendor gets populated in inspection for most folks | 21:29 |
| JayF | same vendor; different behavior | 21:29 |
| JayF | we have nothing to key on but driver_info[decoder_ring_supermicro_behavior_change]=yes | 21:30 |
| JayF | which my disdain for is obvious :D | 21:30 |
| JayF | I think it'll just end up being like that, because there's no other way I can think to shape it, but maybe someone smarter than I can come along :D | 21:30 |
| shermanm | could just expose the hex override directly in config? | 21:33 |
| shermanm | ipmitool_default_boot_hex=`0x08` by default, and allow that to be overridden in driver_info to `0x24` if you have one of the affected machines? ... but that's backwards incompatible for everyone else using supermicro+ipmi right now | 21:33 |
| shermanm | not like supermicro documents this anywhere, their FAQ linked from the above source 404s now | 21:34 |
| JayF | oh so it's not even like | 21:34 |
| JayF | you need normal behavior | 21:34 |
| JayF | you need some OTHER ridiculous behavior? | 21:34 |
| shermanm | I personally just need to turn off the workaround, but the way the workaround was written seemed to imply that we might need other special cases in the future. | 21:36 |
| shermanm | right now the code does "default=0x08" and "supermicro=0x24" | 21:36 |
| shermanm | but exposing the hex code might be more maintainable than making ironic maintain the decoder ring | 21:36 |
| JayF | ah | 21:42 |
| JayF | I see what you mean | 21:43 |
| JayF | I'd likely +2 a patch that added such an override, barring further ideas | 21:43 |
| TheJulia | wait, am I reading this properly, did supermicro finally fix their special override case need? | 21:50 |
| shermanm | maybe? maybe at least just on the one system and fw version I happen to have? | 22:06 |