Tuesday, 2026-06-16

<opendevreview> Dmitry Tantsur proposed openstack/ironic master: Stop reimporting middleware modules  https://review.opendev.org/c/openstack/ironic/+/993526 [08:52]
<opendevreview> Esther Domfeh proposed openstack/ironic master: feat: populate node_history state fields  https://review.opendev.org/c/openstack/ironic/+/993208 [09:58]
<zigo> Hi there! Will there be an OSSA for CVE-2026-54421? [11:09]
<zigo> FYI, Debian is all up-to-date for all the recent CVE, from Zed to Gazpacho. [11:10]
<zigo> Just that one isn't fixed in Debian proper (ie: without osbpo.debian.net add-on repo, on Bookworm and Trixie). [11:10]
<iurygregory> good morning ironic [11:21]
<TheJulia> good morning [13:07]
<TheJulia> zigo: I believe that will be going out today [13:07]
<zigo> Thanks. [13:08]
<JayF> Can I get an Ironic review on https://review.opendev.org/c/openstack/ossa/+/993465 and https://review.opendev.org/c/openstack/ossa/+/986850 [14:44]
<iurygregory> what is the link for the midcycle? [14:59]
<iurygregory> ok, found in the etherpad :D [15:00]
<TheJulia> https://meetpad.opendev.org/ironic-2026-june-midcycle [15:02]
<TheJulia> cardoe: *boop* [15:13]
<opendevreview> Esther Domfeh proposed openstack/ironic master: feat: add state, target_provision_state, and duration_seconds to node history  https://review.opendev.org/c/openstack/ironic/+/989994 [15:14]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent stable/2025.2: Add a flag to disable installing bootloaders  https://review.opendev.org/c/openstack/ironic-python-agent/+/993020 [15:15]
<cardoe> sorry [15:22]
<cardoe> TheJulia: I had to drop cause of a neutron issue locally [15:36]
<TheJulia> doh! [15:36]
<TheJulia> no worries [15:36]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent bugfix/11.4: Add a flag to disable installing bootloaders  https://review.opendev.org/c/openstack/ironic-python-agent/+/993463 [15:45]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent bugfix/11.4: Fix a couple of tests so they pass in both tox py3 and cover  https://review.opendev.org/c/openstack/ironic-python-agent/+/993621 [15:45]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent bugfix/11.3: Add a flag to disable installing bootloaders  https://review.opendev.org/c/openstack/ironic-python-agent/+/993464 [15:50]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent bugfix/11.3: Fix a couple of tests so they pass in both tox py3 and cover  https://review.opendev.org/c/openstack/ironic-python-agent/+/993623 [15:50]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent-builder unmaintained/2023.1: ci: Pin setuptools to a range that still ships  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993419 [16:00]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent-builder unmaintained/2023.1: update .gitreview to point to unmaintained/2023.1  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993418 [16:00]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent-builder unmaintained/2023.1: Pin setuptools in the requirements.txt copied from IPA  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993420 [16:00]
<cardoe> My update is I'm behind on everything this cycle [16:07]
<iurygregory> ack [16:08]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent bugfix/11.3: Fix a several tests so they pass in both tox py3 and cover  https://review.opendev.org/c/openstack/ironic-python-agent/+/993623 [16:31]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent bugfix/11.3: Add a flag to disable installing bootloaders  https://review.opendev.org/c/openstack/ironic-python-agent/+/993464 [16:31]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent bugfix/11.4: Fix a several tests so they pass in both tox py3 and cover  https://review.opendev.org/c/openstack/ironic-python-agent/+/993621 [16:32]
<opendevreview> Clif Houck proposed openstack/ironic-python-agent bugfix/11.4: Add a flag to disable installing bootloaders  https://review.opendev.org/c/openstack/ironic-python-agent/+/993463 [16:32]
<clif> cardoe: that seems to be going around :) [16:33]
<JayF> poop rolls downhill [16:34]
<JayF> and cardoe being an operator, lives in the valleys [16:35]
<JayF> we are a low level tool so we're pretty deep in the holler as well [16:35]
<cardoe> lotta muck around.... [16:35]
<JayF> ( https://ahdictionary.com/word/search.html?q=holler an Appalachian term for a small valley) [16:36]
<JayF> https://xkcd.com/1172/ (reference for the "spacebar heating") [16:45]
<TheJulia> That is good [16:50]
*** ildikov_ is now known as ildikov [16:59]
<dtantsur> TheJulia, JayF, this is a fine balance though :) If we teach people to use *creative* workarounds, we may end up in this situation too [17:08]
* dtantsur actually goes get dinner [17:08]
<JayF> yeah, I think usually with stuff like this there's a place to draw the line [17:09]
<JayF> I don't think "just run this iso" is a good one. Maybe the idea of in-band non-agent cleaning could exist though? IDK [17:09]
<opendevreview> Merged openstack/ironic-python-agent-builder stable/2025.1: ci: Pin setuptools to a range that still ships  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993413 [17:21]
<opendevreview> Merged openstack/ironic-python-agent-builder stable/2025.2: ci: Pin setuptools to a range that still ships  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993158 [17:24]
<opendevreview> Esther Domfeh proposed openstack/ironic master: feat: add state, target_provision_state, and duration_seconds to node history  https://review.opendev.org/c/openstack/ironic/+/989994 [17:50]
<opendevreview> Merged openstack/ironic-python-agent stable/2025.2: ci: Disable metalsmith-integration-ipa-src-uefi zuul job  https://review.opendev.org/c/openstack/ironic-python-agent/+/993377 [18:23]
<opendevreview> Merged openstack/ironic-python-agent bugfix/11.4: Fix a several tests so they pass in both tox py3 and cover  https://review.opendev.org/c/openstack/ironic-python-agent/+/993621 [18:23]
<opendevreview> Merged openstack/ironic-python-agent stable/2025.2: Add a flag to disable installing bootloaders  https://review.opendev.org/c/openstack/ironic-python-agent/+/993020 [18:30]
<opendevreview> Merged openstack/ironic-python-agent bugfix/11.4: Add a flag to disable installing bootloaders  https://review.opendev.org/c/openstack/ironic-python-agent/+/993463 [18:30]
<opendevreview> Merged openstack/ironic-python-agent bugfix/11.3: Fix a several tests so they pass in both tox py3 and cover  https://review.opendev.org/c/openstack/ironic-python-agent/+/993623 [18:30]
<opendevreview> Merged openstack/ironic-python-agent bugfix/11.3: Add a flag to disable installing bootloaders  https://review.opendev.org/c/openstack/ironic-python-agent/+/993464 [18:30]
<opendevreview> Merged openstack/ironic-python-agent stable/2026.1: Add a flag to disable installing bootloaders  https://review.opendev.org/c/openstack/ironic-python-agent/+/993016 [18:30]
<opendevreview> Merged openstack/ironic-python-agent-builder stable/2025.1: Pin setuptools in the requirements.txt copied from IPA  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993414 [18:32]
<opendevreview> Merged openstack/ironic-python-agent-builder unmaintained/2024.1: ci: Pin setuptools to a range that still ships  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993415 [18:32]
<opendevreview> Merged openstack/ironic-python-agent-builder unmaintained/2023.1: ci: Pin setuptools to a range that still ships  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993419 [18:32]
<opendevreview> Merged openstack/ironic-python-agent-builder stable/2025.2: Pin setuptools in the requirements.txt copied from IPA  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993176 [18:32]
<opendevreview> Merged openstack/ironic-python-agent-builder unmaintained/2024.1: Pin setuptools in the requirements.txt copied from IPA  https://review.opendev.org/c/openstack/ironic-python-agent-builder/+/993416 [18:32]
<JayF> clif: TheJulia: So I think we forgot the second half of the change https://review.opendev.org/c/openstack/ironic/+/990724 [19:01]
<JayF> is only back to stable/2026.1 and not referenced in my OSSA at all [19:02]
<TheJulia> Oh yeah, that would need to be backported as well [19:03]
<JayF> I think the choices we made may flip this from OSSA->OSSN as well cc: fungi [19:04]
<JayF> fungi: in our backports, we flipped to the less-secure default to avoid breaking people. I have an OSSA written with updates to tell them to flip the config if they can... but is it OK for it to still be an OSSA (and not an OSSN) in this case? [19:05]
<JayF> fungi: I want the answer to be "yes go ahead with an OSSA" so I don't have to redo work [19:05]
<fungi> requiring operators to configure and enable the fixed solution has generally meant it's a security note rather than advisory, especially since it needs additional instructions beyond just applying the patch [19:07]
<fungi> i can take a closer look after i'm done chairing the opendev meeting [19:08]
<JayF> I think you're probably right. damn [19:08]
<JayF> clif: if you could get those backports going I'd appreciate it, I am updating all the paperwork [19:08]
<clif> oh the ironic side [19:09]
<clif> yep I'll get on them... [19:09]
<fungi> JayF: i'm not going to tell you to redo work, and am happy to figure out an exception if it makes sense, just noting how this has been approached in the past [19:28]
<JayF> fungi: this is where I'm at now, if you have time to take a quick gander and give any feedback. Not going to push until clif gets the stable backports in so I can finish filling it out. https://www.irccloud.com/pastebin/80RN0zcx/OSSN-0100.txt [19:29]
<fungi> of course! [19:29]
<JayF> fungi: I have bugfix/11.7 listed there specifically because the matching Ironic bugfix/37.0 branch DOESN'T have the fix, so we have sorta a mismatch just based on when the releases changes landed [19:30]
<JayF> ***bugfix/11.6 [19:31]
<fungi> a minor tweak, i'd probably drop the `>=1.0.0` and just start with `<10.2.3` (i.e. **all** older versions are affected) [19:33]
<JayF> I like that *a lot* [19:34]
<JayF> since technically Ironic 2024.2.0 was impacted [19:34]
<JayF> from when we used the numbers as the release numbers [19:34]
<JayF> the original openstack datever lol [19:34]
<fungi> well, it's also our default to leave the minimum version unspecified if we think it affects all older versions or if we don't know for sure how far back the bug goes and want everyone to assume there's no version old enough to be unaffected [19:35]
<JayF> yeah, with Ironic it gets a little muddy [19:36]
<JayF> because Ironic (original releases) is probably vuln to ALL THE THINGS from a modern POV [19:36]
<fungi> JayF: the "this ossn" line at the bottom has the one you copied from [19:37]
<JayF> how dare you suggest I plagiarized from myself to start ;) [19:38]
<JayF> hehehe [19:38]
<JayF> OSSA-2026-023 is out (Volume props unredacted) [20:05]
<TheJulia> brain, where is brain? [20:14]
<clif> JayF: for bugfix branches do you want the bootloader install enabled or disabled by default? [20:16]
<JayF> I'd say treat them like any other backport and keep existing behavior [20:17]
<clif> alright [20:17]
<JayF> https://review.opendev.org/c/openstack/security-doc/+/993668 is OSSN-0100 draft if anyone wants to review [20:23]
<opendevreview> Clif Houck proposed openstack/ironic bugfix/33.0: Add an agent flag to disable installing boatloaders  https://review.opendev.org/c/openstack/ironic/+/993682 [20:25]
<opendevreview> Clif Houck proposed openstack/ironic bugfix/34.0: Add an agent flag to disable installing boatloaders  https://review.opendev.org/c/openstack/ironic/+/993683 [20:25]
<opendevreview> Clif Houck proposed openstack/ironic stable/2025.1: Add an agent flag to disable installing boatloaders  https://review.opendev.org/c/openstack/ironic/+/993684 [20:26]
<opendevreview> Clif Houck proposed openstack/ironic stable/2025.2: Add an agent flag to disable installing boatloaders  https://review.opendev.org/c/openstack/ironic/+/993685 [20:26]
<JayF> clif: bugfix/37.0 is gonna need one too, it's a shiny new branch that just missed out on your original patch [20:26]
<JayF> the IPA bugfix branch that got cut had it, but not the Ironic one [20:27]
<clif> joy [20:27]
<JayF> Yeah, just that + um/2024.1 and um/2023.1 and I have what I need for the OSSN [20:27]
<TheJulia> ++ [20:28]
<opendevreview> Clif Houck proposed openstack/ironic unmaintained/2024.1: Add an agent flag to disable installing boatloaders  https://review.opendev.org/c/openstack/ironic/+/993686 [20:29]
<opendevreview> Clif Houck proposed openstack/ironic unmaintained/2023.1: Add an agent flag to disable installing boatloaders  https://review.opendev.org/c/openstack/ironic/+/993687 [20:29]
<clif> JayF: e38ae0c579f8f05a85fc3266910525f96877dec5 is in bugfix/37.0 [20:30]
<JayF> \o/ [20:31]
<JayF> does https://review.opendev.org/c/openstack/security-doc/+/993668 lgt-you? [20:32]
<clif> pretty much except for the dup link [20:38]
<JayF> good stuff, ty [20:39]
<JayF> it'll be announced as soon as the review is done from vmt [20:39]
<shermanm> digging some cobwebs out of a corner, but I think we've run into an edge case with the ipmitool management driver with supermicro servers. We have some H13 servers that seem to dislike the override here https://github.com/openstack/ironic/blob/62dc38f151fc7ceee749794ae919757cbdd77fb7/ironic/drivers/modules/ipmitool.py#L203, introduced in Change-Id: Ie19db9e0cf1eafdfc9bb46248f4d457337821f94 [21:08]
<shermanm> I'm happy to make a bug / change-request, but open to suggestion on the shape such a fix might take. Adding yet another config flag or per-device property to turn the behavior on/off? [21:09]
<JayF> I... don't know :( [21:13]
<JayF> probably but that's terrible. [21:13]
<JayF> Probably would help to know if this is "supermicros are fixed moving forward" or "h13 is special" [21:14]
<JayF> either way still dunno how I'd shape a patch around that [21:14]
<shermanm> Mostly i'm trying to get my downstream to move to redfish and dodge all of this [21:26]
<shermanm> > probably but that's terrible. [21:29]
<shermanm> tbf this is how everything that touches a BMC goes [21:29]
<JayF> yeah [21:29]
<JayF> the main thing is like, vendor gets populated in inspection for most folks [21:29]
<JayF> same vendor; different behavior [21:29]
<JayF> we have nothing to key on but driver_info[decoder_ring_supermicro_behavior_change]=yes [21:30]
<JayF> which my disdain for is obvious :D [21:30]
<JayF> I think it'll just end up being like that, because there's no other way I can think to shape it, but maybe someone smarter than I can come along :D [21:30]
<shermanm> could just expose the hex override directly in config? [21:33]
<shermanm> ipmitool_default_boot_hex=`0x08` by default, and allow that to be overridden in driver_info to `0x24` if you have one of the affected machines? ... but that's backwards incompatible for everyone else using supermicro+ipmi right now [21:33]
<shermanm> not like supermicro documents this anywhere, their FAQ linked from the above source 404s now [21:34]
<JayF> oh so it's not even like [21:34]
<JayF> you need normal behavior [21:34]
<JayF> you need some OTHER ridiculous behavior? [21:34]
<shermanm> I personally just need to turn off the workaround, but the way the workaround was written seemed to imply that we might need other special cases in the future. [21:36]
<shermanm> right now the code does "default=0x08" and "supermicro=0x24" [21:36]
<shermanm> but exposing the hex code might be more maintainable than making ironic maintain the decoder ring [21:36]
<JayF> ah [21:42]
<JayF> I see what you mean [21:43]
<JayF> I'd likely +2 a patch that added such an override, barring further ideas [21:43]
<TheJulia> wait, am I reading this properly, did supermicro finally fix their special override case need? [21:50]
<shermanm> maybe? maybe at least just on the one system and fw version I happen to have? [22:06]