16:00:03 #startmeeting ironic 16:00:03 Meeting started Mon Feb 21 16:00:03 2022 UTC and is due to finish in 60 minutes. The chair is iurygregory. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:03 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 16:00:03 The meeting name has been set to 'ironic' 16:00:07 o/ 16:00:07 o/ 16:00:08 o/ 16:00:16 o/ 16:00:19 Hello everyone, welcome to our weekly meeting 16:00:36 o/ 16:00:36 o/ 16:00:44 o/ 16:00:47 you can find our agenda in the wiki 16:00:55 #link https://wiki.openstack.org/wiki/Meetings/Ironic#Agenda_for_next_meeting 16:01:18 #topic Announcements / Reminder 16:01:40 #info This week is the deadline for Cycle Highlights, Client library freeze and Yoga-3 milestone February 24th, 2022 (R-5 week) 16:01:56 I'm pushing the patch with the cycle highlights today for feedback =) 16:02:11 #info Yoga final release: March 30th, 2022 16:02:38 Does anyone have anything to announce or remind us of this week? 16:03:52 ok, moving on 16:04:25 I need to mention that I'll be quite busy downstream the coming weeks 16:04:28 :( 16:04:45 ack 16:04:56 #topic Review action items from previous meeting 16:05:04 no action items from last meeting 16:05:13 #topic Review subteam status reports 16:05:21 #link https://etherpad.opendev.org/p/IronicWhiteBoard 16:05:32 starting around L62 16:07:51 rpittau, do you need some help in https://review.opendev.org/c/openstack/ironic/+/819121 ? 16:09:07 iurygregory: let's see how this week goes, in terms of time, the change is actually not as trivial as expected 16:09:21 ok no worries =) 16:09:47 are we actually tracking that in the whiteboard? 16:09:59 ah yeah, found it 16:10:27 np =) 16:10:47 mmm, it shouldn't be under "drop privileged operations" 16:10:59 mkisofs is not a privileged operation IIRC 16:11:13 it is not 16:11:34 rpittau: let's track it somewhere else to avoid confusion? 16:11:39 sounds good 16:11:59 the privileged topic is mostly to solve the rootwrap-vs-privsep problem 16:12:02 https://storyboard.openstack.org/#!/story/2009704 so we probably need to remove from the story =) 16:12:12 or change a few things 16:13:49 I think it was mostly for the mount part ? 16:13:59 yeah, I think so 16:14:04 mount requires root 16:14:27 yeah 16:14:32 everything else can go separately 16:14:32 I can concentrate on that and then take the full conversion in another patch, if needed (but maybe not since it doesn't require privilges) 16:15:18 ok, I'll re-review the patch to just convert the mount part 16:15:28 ty 16:15:28 ++ thx 16:16:22 moving on 16:16:38 #topic Deciding on priorities for the coming week 16:16:48 #link https://review.opendev.org/q/status:open+hashtag:ironic-week-prio 16:17:16 2 patches have been added, related to iRMC driver https://review.opendev.org/c/openstack/ironic/+/826576 https://review.opendev.org/c/openstack/ironic/+/823790 16:17:24 Can we add : https://review.opendev.org/c/openstack/ironic-tempest-plugin/+/829665 16:17:28 I've got a ton of bifrost stuff and some CI backports :) 16:17:40 and https://review.opendev.org/c/openstack/ironic/+/828746 16:18:37 ameya49, sure, feel free to add the hashtag on it =) 16:18:45 18.1 does not digest the backport :/ 16:18:59 https://review.opendev.org/c/openstack/ironic/+/828746 this does sound interesting =) 16:19:33 I had the feeling it would be a bigger change, but this is just the deprecation =) 16:19:43 I've added the tag to it and *some* bifrost patches (mostly fixes) 16:19:49 yeah, the deprecation itself is not overly excited 16:19:59 the whole cirros partition business was a preparation for it though :) 16:20:14 worth an email to the list, just to give a heads-up right? =) 16:20:16 and I'd still love to have an image with grub-install... 16:20:23 I *think* I did email the ML last year 16:20:28 after we have the patch merged 16:20:37 ah, okay 16:20:42 #link http://lists.openstack.org/pipermail/openstack-discuss/2021-December/026224.html 16:21:17 as an aside, I think we dropped the ball on the attestation interface. this is not great... 16:21:54 oh right =( 16:22:02 totally forgot about it 16:22:30 long time I didn't see the people working on it in the irc, so I forgot =( 16:22:55 yeah.. I wonder if tzumainn and other folks are still interested or they've already given up on us 16:24:35 dtantsur, there's a bit of a story there 16:25:15 the biggest holdup for us wasn't an ironic issue; it was keylime not packaging their code, making it difficult for any integration to be done in a satisfactory manner 16:25:20 and then we got pulled into other priorities 16:25:40 tzumainn: so, is this something you still care about? 16:25:46 oh right, I do remember something about packaging =( 16:26:20 dtantsur, yep, the hope is to circle back to it once these other, pretty unrelated priorities are resolved 16:26:33 ack, thanks for the update 16:26:59 tzumainn, feel free to ping us if you think there is something we can help with on the ironic side =) 16:27:05 Mark Goddard proposed openstack/tenks master: Use ansible_facts to reference facts https://review.opendev.org/c/openstack/tenks/+/830182 16:27:22 iurygregory, you guys were very helpful already, and I think we were reallllly close - it was honestly just the keylime packaging 16:28:04 ack =) 16:28:17 #topic Discussion 16:28:31 Does anyone have something that would like to discuss? 16:28:49 iurygregory, Could you look at RFE for ilo drivershttps://storyboard.openstack.org/#!/story/2009118 16:29:16 and add it to this week priority , if possible 16:29:35 iurygregory, patch for same is https://review.opendev.org/c/openstack/ironic/+/804486 16:29:37 yeah we can talk now and skip in the RFE topic =) 16:29:58 Ohk, i can wait for RFE topic :) 16:30:10 ok =) 16:30:20 #topic Baremetal SIG 16:30:27 #link https://etherpad.opendev.org/p/bare-metal-sig 16:30:35 NTR, I think 16:30:47 oh arne_wiebalck is around :D 16:31:11 #topic RFE review 16:31:19 #info Adds add_ssl_certificate clean step to iLO drivers 16:31:25 #link https://storyboard.openstack.org/#!/story/2009118 16:32:00 first and foremost, s/ssl/tls/ please :) 16:32:24 Nisha_Agarwal: could you expand your RFE with at least inputs and outputs of the step? 16:32:32 as well as some details, e.g. whether it keeps the existing certificates 16:33:12 Is this intended to support secure boot? 16:33:28 Nisha_Agarwal: I don't feel very well about passing the private_key or pass_phrase this way. We definitely log steps input in several places... 16:34:01 and ++ to rpioso's question: what's the scope? The BMC's HTTPS certificate, secure boot certificates, virtual media certificates all/none? 16:34:32 dtantsur, it keeps existing certificates 16:34:40 overall, I think private key may be something you keep locally on the conductor to avoid exposing it anywhere 16:35:00 I guess you need a CA certificate as well? 16:35:08 dtantsur, yes 16:35:13 there are two approaches 16:35:24 one is to split the clean step in to two 16:35:31 1. create_csr 16:35:38 2. add_https_certificate 16:35:50 Isn't this generally useful, instead of just for the ilo driver? 16:36:01 rpioso: we'll probably want a similar thing for Redfish 16:36:08 rpioso, ilo has the redfish URI to do so 16:36:35 rpioso, not sure if it is DMTF standard or not 16:36:57 mraineri: ^^^ ? 16:37:04 there is a standard for it, I've seen it 16:37:19 I believe I have, too :-) 16:37:28 When we do it in two steps , then after creating CSR user need to create a self-signed certificate and then create the https certificate by itself and then import that to ilo 16:37:29 https://redfish.dmtf.org/schemas/v1/CertificateService.v1_0_4.json has GenerateCSR 16:38:13 iurygregory : Thank You will add the tag 16:38:17 dtantsur, thanks for the link ^^^ 16:38:41 Nisha_Agarwal: my memory on TLS is a bit rusty, but I think when you create a CSR, the private key stays on the BMC's side 16:38:59 the whole point of CSR is to avoid transferring the private key anywhere 16:39:10 CSR generation doesnt require private key 16:39:27 CSR will take the inputs of Common name etc 16:39:45 dtantsur, hmmm 16:40:10 dtantsur, so suggestion is to do above without passing private key and passphrase? 16:40:24 so, if I remember it right, the idea is that the private key stays on the server side (server being BMC in your case) 16:40:27 is it OK if we split it into two clean steps then? 16:40:32 Would the proposed clean step(s) be better defined on the ManagementInterface base class? 16:40:34 while the CSR is generated, passed to the CA, passed signed back 16:40:55 What about deleting certs? 16:41:04 rpioso: clean steps inheritance is quite hairy (see the boot interface) 16:41:21 Nisha_Agarwal: I'm not really talking about how many steps you have 16:41:26 dtantsur: Don't we do that for BIOS and RAID? 16:41:39 we do, it's hairy :) 16:41:41 dtantsur, yeah i understood that point 16:42:01 when we do in 2 steps, we wont be passing private key or passphrase 16:42:13 not in 1 step 16:42:21 thats where i suggested to split in 2 steps 16:42:46 is it going to make the user's life any better? 16:43:46 well, if you don't want to have your CA files on the conductor - yes 16:44:50 there are pluses and minuses to both approaches 16:45:30 if you split, the ironic implementation is quite trivial: for create_csr you only need the csr parameters (ON, CN, etc), for add_https_certificate - only the signed file 16:45:45 dtantsur, yup 16:46:07 but then the operator has to do the signing between clean steps.. which, I suspect, may be how things work in reality, given that the CA will probably be managed by some software 16:46:14 (freeipa etc) 16:47:31 I guess in the end splitting the step is closer to the production reality 16:48:35 dtantsur, hmmm 16:48:56 Nisha_Agarwal: it could help if you expanded the RFE with more details and also outlined the expected operator's workflow 16:49:15 dtantsur, ok 16:50:37 we can re-discuss in the next meeting after we have more details 16:50:46 iurygregory, sure 16:51:44 I think we can move on to the next topic 16:52:13 skipping Open discussion since we don't have any topics 16:52:20 #topic Who is going to run the next meeting? 16:52:58 Do we have any volunteers? 16:53:55 I will run the next meeting =) 16:54:00 Tks everyone! 16:54:14 #endmeeting