mnasiadka | sean-k-mooney: I'm aware of the CVE, will have a look | 07:25 |
---|---|---|
mnasiadka | supamatt: fix is in progress, you don't need to define anything additional in the inventory | 07:31 |
*** atmark is now known as Guest1107 | 07:51 | |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: always add service_user section to nova.conf https://review.opendev.org/c/openstack/kolla-ansible/+/882893 | 08:03 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: Revert "Revert "ansible: bump min to 2.13 and max to 2.14"" https://review.opendev.org/c/openstack/kolla-ansible/+/881018 | 08:35 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: Revert "Revert "ansible: bump min to 2.13 and max to 2.14"" https://review.opendev.org/c/openstack/kolla-ansible/+/881018 | 08:36 |
opendevreview | Merged openstack/kolla-ansible stable/yoga: Remove RabbitMQ ha-all policy when not required https://review.opendev.org/c/openstack/kolla-ansible/+/876830 | 08:55 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: DNM: Debug Ironic CI failures https://review.opendev.org/c/openstack/kolla-ansible/+/882923 | 08:55 |
opendevreview | Michal Nasiadka proposed openstack/kolla master: mariadb: Bump to current LTS (10.11) https://review.opendev.org/c/openstack/kolla/+/882924 | 09:03 |
opendevreview | Merged openstack/kolla-ansible stable/xena: Remove RabbitMQ ha-all policy when not required https://review.opendev.org/c/openstack/kolla-ansible/+/880833 | 09:13 |
SvenKieske | mnasiadka: I'll check something regarding the service token config in keystone, please do not merge just yet the service token usage in nova | 09:39 |
mnasiadka | sure | 09:39 |
SvenKieske | i commented on the changeset, maybe I just don't have enough information :) | 09:46 |
sean-k-mooney | o/ | 09:51 |
sean-k-mooney | so by default the nova user should have access to all apis. | 09:51 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: Revert "Revert "ansible: bump min to 2.13 and max to 2.14"" https://review.opendev.org/c/openstack/kolla-ansible/+/881018 | 10:24 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: Revert "Revert "ansible: bump min to 2.13 and max to 2.14"" https://review.opendev.org/c/openstack/kolla-ansible/+/881018 | 10:29 |
mnasiadka | SvenKieske: are you going to work on extending sean-k-mooney's patch? | 10:44 |
mnasiadka | (because the upgrade jobs are broken already) ;-) | 10:54 |
mmalchuk_ | the nova patch looks good | 11:03 |
*** mmalchuk_ is now known as mmalchuk | 11:03 | |
opendevreview | Maksim Malchuk proposed openstack/kolla master: mariadb: Bump to current LTS (10.11) https://review.opendev.org/c/openstack/kolla/+/882924 | 11:05 |
mmalchuk | lets check the upgrade jobs ^^^ | 11:08 |
SvenKieske | sean-k-mooney: just to check: will you adopt the necessary keystone config change in your proposed nova change, or should I go ahead and do it? just want to avoid that 2 people are working on the same stuff :) | 11:47 |
SvenKieske | I can take care if you don't have the time currently, just asking. | 11:48 |
SvenKieske | sean-k-mooney: mnasiadka: I'll add the cinder keystone changes now | 11:54 |
sean-k-mooney | sorry, on multiple conversations at the moment | 12:00 |
sean-k-mooney | SvenKieske: if you can take it over that would be good | 12:00 |
sean-k-mooney | if not i can maybe look at it next week but i won't have time to get back to it for a while | 12:00 |
SvenKieske | no problem, already almost finished with the initial cinder stuff :) | 12:01 |
opendevreview | Sven Kieske proposed openstack/kolla-ansible master: always add service_user section to nova.conf https://review.opendev.org/c/openstack/kolla-ansible/+/882941 | 12:01 |
SvenKieske | just fighting with git/gerrit again..why did it not update the correct change..args | 12:02 |
mmalchuk | SvenKieske previous patch didn't help: https://zuul.opendev.org/t/openstack/build/c0bc3f7f6e1d4aa7b3692d09652b47d6/log/primary/logs/ansible/upgrade | 12:03 |
mmalchuk | Service user token configuration is required for all Nova services. | 12:03 |
mmalchuk | SvenKieske I've added to https://review.opendev.org/c/openstack/kolla/+/882924 depends-on https://review.opendev.org/c/openstack/kolla-ansible/+/882893 | 12:07 |
SvenKieske | I'll come back to this in some minutes, am in a meeting for now | 12:08 |
opendevreview | Mark Goddard proposed openstack/kolla stable/zed: opensearch: move to yum/apt repos https://review.opendev.org/c/openstack/kolla/+/882785 | 12:59 |
opendevreview | Sven Kieske proposed openstack/kolla-ansible master: always add service_user section to nova.conf https://review.opendev.org/c/openstack/kolla-ansible/+/882893 | 12:59 |
SvenKieske | mnasiadka: we should probably chat on how we go about configuring additional service account tokens for other services as well, see #openstack-security | 13:06 |
opendevreview | Pierre Riteau proposed openstack/kayobe master: Speed up calls to Bifrost https://review.opendev.org/c/openstack/kayobe/+/882951 | 13:33 |
spatel | sean-k-mooney is the nova security issue going to impact the upcoming release, correct? | 13:42 |
SvenKieske | spatel: what's your question here exactly? | 13:44 |
spatel | did you see sean-k-mooney's post earlier related to https://bugs.launchpad.net/nova/+bug/2004555 | 13:45 |
spatel | I believe he already submitted patch - https://review.opendev.org/c/openstack/kolla-ansible/+/882893 | 13:46 |
sean-k-mooney | spatel: it will impact current and future release | 13:46 |
sean-k-mooney | without updating the relevant configs in the services the CVE will not be entirely fixed just by the backport of the patches to nova os-brick cinder and glance | 13:47 |
sean-k-mooney | closing the CVE entirely requires operators to update their configs too | 13:48 |
sean-k-mooney | which is atypical from normal cve fixes | 13:48 |
spatel | last week I have deployed yoga in production. | 13:48 |
SvenKieske | yeah we are still working on the kolla-ansible side on the patch, including service token validation in cinder, which I just added to it. it should basically be okay now, if CI is green. It's still up to debate if we want to enforce service token validation for all services in this same patchset. I'd vouch to split this up in a separate patchset though. | 13:51 |
mmalchuk | SvenKieske its ok for normal deploy but not for upgrade. see job I provided above | 13:52 |
SvenKieske | spatel: we will backport that. If you have an urgent need, you should be able to easily backport it yourself, if you don't want to wait, depending on your threatmodel. | 13:52 |
SvenKieske | mmalchuk: right, that's the next thing, looking at that upgrade job, thanks for the reminder | 13:53 |
spatel | SvenKieske I don't have urgency for that security so i can wait until that patch properly land with CI and upgrade plan | 13:54 |
SvenKieske | cool :) | 13:55 |
SvenKieske | thinking about it a little bit: the upgrade job might fail until we backport the patch, depending on the tests I could envision some breakage there, but need to find the error in the logs. | 13:56 |
sean-k-mooney | actually it only matters if you are using iscsi/fiberchannel | 13:56 |
mmalchuk | sure | 13:56 |
sean-k-mooney | if your kolla does not have either i.e. you're using ceph | 13:57 |
sean-k-mooney | it won't impact you | 13:57 |
sean-k-mooney | also the api change on cinder is gated behind setting a config option which kolla does not currently set | 13:57 |
sean-k-mooney | for anyone wanting to close the CVE before the kolla support is there | 13:57 |
sean-k-mooney | they can simply use the config override mechanism | 13:58 |
sean-k-mooney | kolla should still fix it by default but it's flexible enough that you can just add the config snippets in /etc/kolla/config and run deploy with the fixed images | 13:59 |
sean-k-mooney | spatel: the backport have not to to yoga yet either | 13:59 |
sean-k-mooney | we only started merging them yesterday | 14:00 |
spatel | In my case I have only ceph :) so it doesn't impact correct | 14:00 |
sean-k-mooney | correct, by default qemu connects directly to ceph without host-mounting the ceph volumes | 14:01 |
sean-k-mooney | so purely ceph deployments, that do not use the removed nova workaround to host mount the volumes are not impacted by the cve | 14:02 |
sean-k-mooney | i believe this really only impacts iscsi but the details are in the advisory/bug | 14:02 |
SvenKieske | fibre channel was at least mentioned as well; I didn't look at the nova/cinder patches yet myself, though. | 14:06 |
opendevreview | Franco Mariotti proposed openstack/kolla-ansible master: Clarifies misleading error on ceilometer role`s precheck task https://review.opendev.org/c/openstack/kolla-ansible/+/876599 | 14:25 |
SvenKieske | I guess if you rebase https://review.opendev.org/c/openstack/kolla/+/882924 on top of https://review.opendev.org/c/openstack/kolla-ansible/+/882893 it might work | 14:59 |
mnasiadka | yup | 15:02 |
mnasiadka | SvenKieske: seems we have cirros baked in the OpenDev images, so we don't need to download that from github - https://review.opendev.org/c/openstack/project-config/+/873735 | 15:24 |
SvenKieske | yeah, but the code seems to want to download the local (?) image via curl, I don't know how that works - I believe in general curl supports that, or how that should throw an error? | 15:27 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: Revert "Revert "ansible: bump min to 2.13 and max to 2.14"" https://review.opendev.org/c/openstack/kolla-ansible/+/881018 | 15:28 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: Revert "Revert "ansible: bump min to 2.13 and max to 2.14"" https://review.opendev.org/c/openstack/kolla-ansible/+/881018 | 15:29 |
mmalchuk | SvenKieske you can't rebase kolla on top of kolla-ansible patch. I've added depends-on to do work for you, as I said above. | 16:20 |
mmalchuk | I'm about https://review.opendev.org/c/openstack/kolla/+/882924 | 16:21 |
SvenKieske | mmalchuk: ah sure, I somehow missed that it's in a different repository, thank you. | 16:25 |
opendevreview | Franco Mariotti proposed openstack/kolla-ansible master: Clarifies misleading error on ceilometer role`s precheck task https://review.opendev.org/c/openstack/kolla-ansible/+/876599 | 16:26 |
SvenKieske | mnasiadka: so, this should suffice for now, please review: https://review.opendev.org/c/openstack/kolla-ansible/+/882893 | 17:11 |
opendevreview | Franco Mariotti proposed openstack/kolla-ansible master: Clarifies misleading error on ceilometer role`s precheck task https://review.opendev.org/c/openstack/kolla-ansible/+/876599 | 19:33 |
opendevreview | Pierre Riteau proposed openstack/kayobe master: Speed up calls to Bifrost https://review.opendev.org/c/openstack/kayobe/+/882951 | 19:45 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: systemd_worker: do not compare unit when restart policy is no https://review.opendev.org/c/openstack/kolla-ansible/+/883034 | 19:55 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: Revert "Revert "ansible: bump min to 2.13 and max to 2.14"" https://review.opendev.org/c/openstack/kolla-ansible/+/881018 | 19:58 |
opendevreview | Michal Nasiadka proposed openstack/kolla-ansible master: Revert "Revert "ansible: bump min to 2.13 and max to 2.14"" https://review.opendev.org/c/openstack/kolla-ansible/+/881018 | 20:16 |