16:00:03 <iurygregory> #startmeeting ironic
16:00:03 <opendevmeet> Meeting started Mon Feb 21 16:00:03 2022 UTC and is due to finish in 60 minutes.  The chair is iurygregory. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:03 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:00:03 <opendevmeet> The meeting name has been set to 'ironic'
16:00:07 <iurygregory> o/
16:00:07 <dtantsur> o/
16:00:08 <rpittau> o/
16:00:16 <erbarr> o/
16:00:19 <iurygregory> Hello everyone, welcome to our weekly meeting
16:00:36 <rpioso> o/
16:00:36 <ajya> o/
16:00:44 <ameya49> o/
16:00:47 <iurygregory> you can find our agenda in the wiki
16:00:55 <iurygregory> #link https://wiki.openstack.org/wiki/Meetings/Ironic#Agenda_for_next_meeting
16:01:18 <iurygregory> #topic Announcements / Reminder
16:01:40 <iurygregory> #info This week is the deadline for Cycle Highlights, Client library freeze and Yoga-3 milestone February 24th, 2022 (R-5 week)
16:01:56 <iurygregory> I'm pushing the patch with the cycle highlights today for feedback =)
16:02:11 <iurygregory> #info Yoga final release: March 30th, 2022
16:02:38 <iurygregory> Does anyone have anything to announce or remind us of this week?
16:03:52 <iurygregory> ok, moving on
16:04:25 <dtantsur> I need to mention that I'll be quite busy downstream the coming weeks
16:04:28 <dtantsur> :(
16:04:45 <iurygregory> ack
16:04:56 <iurygregory> #topic Review action items from previous meeting
16:05:04 <iurygregory> no action items from last meeting
16:05:13 <iurygregory> #topic Review subteam status reports
16:05:21 <iurygregory> #link https://etherpad.opendev.org/p/IronicWhiteBoard
16:05:32 <iurygregory> starting around L62
16:07:51 <iurygregory> rpittau, do you need some help in https://review.opendev.org/c/openstack/ironic/+/819121 ?
16:09:07 <rpittau> iurygregory: let's see how this week goes, in terms of time, the change is actually not as trivial as expected
16:09:21 <iurygregory> ok no worries =)
16:09:47 <rpittau> are we actually tracking that in the whiteboard?
16:09:59 <rpittau> ah yeah, found it
16:10:27 <iurygregory> np =)
16:10:47 <dtantsur> mmm, it shouldn't be under "drop privileged operations"
16:10:59 <dtantsur> mkisofs is not a privileged operation IIRC
16:11:13 <TheJulia> it is not
16:11:34 <dtantsur> rpittau: let's track it somewhere else to avoid confusion?
16:11:39 <rpittau> sounds good
16:11:59 <dtantsur> the privileged topic is mostly to solve the rootwrap-vs-privsep problem
16:12:02 <iurygregory> https://storyboard.openstack.org/#!/story/2009704 so we probably need to remove from the story =)
16:12:12 <iurygregory> or change a few things
16:13:49 <rpittau> I think it was mostly for the mount part?
16:13:59 <iurygregory> yeah, I think so
16:14:04 <rpittau> mount requires root
16:14:27 <dtantsur> yeah
16:14:32 <dtantsur> everything else can go separately
16:14:32 <rpittau> I can concentrate on that and then take the full conversion in another patch, if needed (but maybe not since it doesn't require privileges)
16:15:18 <rpittau> ok, I'll re-review the patch to just convert the mount part
16:15:28 <iurygregory> ty
16:15:28 <dtantsur> ++ thx
16:16:22 <iurygregory> moving on
16:16:38 <iurygregory> #topic Deciding on priorities for the coming week
16:16:48 <iurygregory> #link https://review.opendev.org/q/status:open+hashtag:ironic-week-prio
16:17:16 <iurygregory> 2 patches have been added, related to iRMC driver https://review.opendev.org/c/openstack/ironic/+/826576 https://review.opendev.org/c/openstack/ironic/+/823790
16:17:24 <ameya49> Can we add : https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/829665
16:17:28 <dtantsur> I've got a ton of bifrost stuff and some CI backports :)
16:17:40 <dtantsur> and https://review.opendev.org/c/openstack/ironic/+/828746
16:18:37 <iurygregory> ameya49, sure, feel free to add the hashtag on it =)
16:18:45 <rpittau> 18.1 does not digest the backport :/
16:18:59 <iurygregory> https://review.opendev.org/c/openstack/ironic/+/828746 this does sound interesting =)
16:19:33 <iurygregory> I had the feeling it would be a bigger change, but this is just the deprecation =)
16:19:43 <dtantsur> I've added the tag to it and *some* bifrost patches (mostly fixes)
16:19:49 <dtantsur> yeah, the deprecation itself is not overly exciting
16:19:59 <dtantsur> the whole cirros partition business was a preparation for it though :)
16:20:14 <iurygregory> worth an email to the list, just to give a heads-up right? =)
16:20:16 <dtantsur> and I'd still love to have an image with grub-install...
16:20:23 <dtantsur> I *think* I did email the ML last year
16:20:28 <iurygregory> after we have the patch merged
16:20:37 <dtantsur> ah, okay
16:20:42 <dtantsur> #link http://lists.openstack.org/pipermail/openstack-discuss/2021-December/026224.html
16:21:17 <dtantsur> as an aside, I think we dropped the ball on the attestation interface. this is not great...
16:21:54 <iurygregory> oh right =(
16:22:02 <iurygregory> totally forgot about it
16:22:30 <iurygregory> long time I didn't see the people working on it in the irc, so I forgot =(
16:22:55 <dtantsur> yeah.. I wonder if tzumainn and other folks are still interested or they've already given up on us
16:24:35 <tzumainn> dtantsur, there's a bit of a story there
16:25:15 <tzumainn> the biggest holdup for us wasn't an ironic issue; it was keylime not packaging their code, making it difficult for any integration to be done in a satisfactory manner
16:25:20 <tzumainn> and then we got pulled into other priorities
16:25:40 <dtantsur> tzumainn: so, is this something you still care about?
16:25:46 <iurygregory> oh right, I do remember something about packaging =(
16:26:20 <tzumainn> dtantsur, yep, the hope is to circle back to it once these other, pretty unrelated priorities are resolved
16:26:33 <dtantsur> ack, thanks for the update
16:26:59 <iurygregory> tzumainn, feel free to ping us if you think there is something we can help with on the ironic side =)
16:27:05 <opendevreview> Mark Goddard proposed openstack/tenks master: Use ansible_facts to reference facts  https://review.opendev.org/c/openstack/tenks/+/830182
16:27:22 <tzumainn> iurygregory, you guys were very helpful already, and I think we were reallllly close - it was honestly just the keylime packaging
16:28:04 <iurygregory> ack =)
16:28:17 <iurygregory> #topic Discussion
16:28:31 <iurygregory> Does anyone have something that would like to discuss?
16:28:49 <Nisha_Agarwal> iurygregory, Could you look at RFE for ilo drivers https://storyboard.openstack.org/#!/story/2009118
16:29:16 <Nisha_Agarwal> and add it to this week's priority, if possible
16:29:35 <Nisha_Agarwal> iurygregory, patch for same is https://review.opendev.org/c/openstack/ironic/+/804486
16:29:37 <iurygregory> yeah we can talk now and skip in the RFE topic =)
16:29:58 <Nisha_Agarwal> Ohk, i can wait for RFE topic :)
16:30:10 <iurygregory> ok =)
16:30:20 <iurygregory> #topic Baremetal SIG
16:30:27 <iurygregory> #link https://etherpad.opendev.org/p/bare-metal-sig
16:30:35 <arne_wiebalck> NTR, I think
16:30:47 <iurygregory> oh arne_wiebalck is around :D
16:31:11 <iurygregory> #topic RFE review
16:31:19 <iurygregory> #info Adds add_ssl_certificate clean step to iLO drivers
16:31:25 <iurygregory> #link https://storyboard.openstack.org/#!/story/2009118
16:32:00 <dtantsur> first and foremost, s/ssl/tls/ please :)
16:32:24 <dtantsur> Nisha_Agarwal: could you expand your RFE with at least inputs and outputs of the step?
16:32:32 <dtantsur> as well as some details, e.g. whether it keeps the existing certificates
16:33:12 <rpioso> Is this intended to support secure boot?
16:33:28 <dtantsur> Nisha_Agarwal: I don't feel very well about passing the private_key or pass_phrase this way. We definitely log steps input in several places...
16:34:01 <dtantsur> and ++ to rpioso's question: what's the scope? The BMC's HTTPS certificate, secure boot certificates, virtual media certificates all/none?
16:34:32 <Nisha_Agarwal> dtantsur, it keeps existing certificates
16:34:40 <dtantsur> overall, I think private key may be something you keep locally on the conductor to avoid exposing it anywhere
16:35:00 <dtantsur> I guess you need a CA certificate as well?
16:35:08 <Nisha_Agarwal> dtantsur, yes
16:35:13 <Nisha_Agarwal> there are two approaches
16:35:24 <Nisha_Agarwal> one is to split the clean step into two
16:35:31 <Nisha_Agarwal> 1. create_csr
16:35:38 <Nisha_Agarwal> 2. add_https_certificate
16:35:50 <rpioso> Isn't this generally useful, instead of just for the ilo driver?
16:36:01 <dtantsur> rpioso: we'll probably want a similar thing for Redfish
16:36:08 <Nisha_Agarwal> rpioso, ilo has the redfish URI to do so
16:36:35 <Nisha_Agarwal> rpioso, not sure if it is DMTF standard or not
16:36:57 <rpioso> mraineri: ^^^ ?
16:37:04 <dtantsur> there is a standard for it, I've seen it
16:37:19 <rpioso> I believe I have, too :-)
16:37:28 <Nisha_Agarwal> When we do it in two steps, then after creating CSR user needs to create a self-signed certificate and then create the https certificate by itself and then import that to ilo
16:37:29 <dtantsur> https://redfish.dmtf.org/schemas/v1/CertificateService.v1_0_4.json has GenerateCSR
16:38:13 <ameya49> iurygregory : Thank You will add the tag
16:38:17 <Nisha_Agarwal> dtantsur, thanks for the link ^^^
16:38:41 <dtantsur> Nisha_Agarwal: my memory on TLS is a bit rusty, but I think when you create a CSR, the private key stays on the BMC's side
16:38:59 <dtantsur> the whole point of CSR is to avoid transferring the private key anywhere
16:39:10 <Nisha_Agarwal> CSR generation doesn't require private key
16:39:27 <Nisha_Agarwal> CSR will take the inputs of Common name etc
16:39:45 <Nisha_Agarwal> dtantsur, hmmm
16:40:10 <Nisha_Agarwal> dtantsur, so suggestion is to do above without passing private key and passphrase?
16:40:24 <dtantsur> so, if I remember it right, the idea is that the private key stays on the server side (server being BMC in your case)
16:40:27 <Nisha_Agarwal> is it OK if we split it into two clean steps then?
16:40:32 <rpioso> Would the proposed clean step(s) be better defined on the ManagementInterface base class?
16:40:34 <dtantsur> while the CSR is generated, passed to the CA, passed signed back
16:40:55 <rpioso> What about deleting certs?
16:41:04 <dtantsur> rpioso: clean steps inheritance is quite hairy (see the boot interface)
16:41:21 <dtantsur> Nisha_Agarwal: I'm not really talking about how many steps you have
16:41:26 <rpioso> dtantsur: Don't we do that for BIOS and RAID?
16:41:39 <dtantsur> we do, it's hairy :)
16:41:41 <Nisha_Agarwal> dtantsur, yeah i understood that point
16:42:01 <Nisha_Agarwal> when we do in 2 steps, we won't be passing private key or passphrase
16:42:13 <dtantsur> not in 1 step
16:42:21 <Nisha_Agarwal> that's where i suggested to split in 2 steps
16:42:46 <dtantsur> is it going to make the user's life any better?
16:43:46 <dtantsur> well, if you don't want to have your CA files on the conductor - yes
16:44:50 <dtantsur> there are pluses and minuses to both approaches
16:45:30 <dtantsur> if you split, the ironic implementation is quite trivial: for create_csr you only need the csr parameters (ON, CN, etc), for add_https_certificate - only the signed file
16:45:45 <Nisha_Agarwal> dtantsur, yup
16:46:07 <dtantsur> but then the operator has to do the signing between clean steps.. which, I suspect, may be how things work in reality, given that the CA will probably be managed by some software
16:46:14 <dtantsur> (freeipa etc)
16:47:31 <dtantsur> I guess in the end splitting the step is closer to the production reality
16:48:35 <Nisha_Agarwal> dtantsur, hmmm
16:48:56 <dtantsur> Nisha_Agarwal: it could help if you expanded the RFE with more details and also outlined the expected operator's workflow
16:49:15 <Nisha_Agarwal> dtantsur, ok
16:50:37 <iurygregory> we can re-discuss in the next meeting after we have more details
16:50:46 <Nisha_Agarwal> iurygregory, sure
16:51:44 <iurygregory> I think we can move on to the next topic
16:52:13 <iurygregory> skipping Open discussion since we don't have any topics
16:52:20 <iurygregory> #topic Who is going to run the next meeting?
16:52:58 <iurygregory> Do we have any volunteers?
16:53:55 <iurygregory> I will run the next meeting =)
16:54:00 <iurygregory> Tks everyone!
16:54:14 <iurygregory> #endmeeting