)]}'
{"id":"openstack%2Fironic-python-agent~927976","triplet_id":"openstack%2Fironic-python-agent~stable%2F2024.1~I5254b80717cb5a7f9084e3eff32a00b968f987b7","project":"openstack/ironic-python-agent","branch":"stable/2024.1","topic":"ossa-2024-003","attention_set":{},"removed_from_attention_set":{"10342":{"account":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"last_update":"2024-09-05 01:30:42.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"I5254b80717cb5a7f9084e3eff32a00b968f987b7","subject":"Inspect non-raw images for safety","status":"MERGED","created":"2024-09-04 14:10:29.000000000","updated":"2024-09-05 01:31:40.000000000","submitted":"2024-09-05 01:30:42.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"927976-ossa-2024-003","meta_rev_id":"728d68b1ca22b645162f76bedf060e540240f174","_number":927976,"virtual_id_number":927976,"owner":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:gate","value":2,"date":"2024-09-05 01:30:42.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":0,"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":2,"date":"2024-09-04 23:20:01.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":2,"date":"2024-09-04 21:00:29.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":1,"date":"2024-09-04 23:20:01.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":0,"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true},"Backport-Candidate":{"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":0,"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-1":"Do Not Backport"," 0":"Backport Review Needed","+1":"Should Backport"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2024-09-04 14:56:47.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"CC"},{"updated":"2024-09-04 19:17:17.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2024-09-04 21:00:29.000000000","updated_by":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"reviewer":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"state":"REVIEWER"},{"updated":"2024-09-04 23:20:01.000000000","updated_by":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"reviewer":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"state":"REVIEWER"}],"messages":[{"id":"f3e830f4ce9b4ff3e898e0581baf087c9aaabdcf","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 14:10:29.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"9663bb982d6c54b6cd749a9b2d4109097db3b29c","tag":"autogenerated:zuul:check-arm64","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 14:56:47.000000000","message":"Patch Set 1:\n\nBuild succeeded (ARM64 pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/4b5bd1d56b7d4ea9b58210797d520a38\n\n- openstack-tox-py38-arm64 https://zuul.opendev.org/t/openstack/build/f74a796a2c9c4b619c1307f22434225d : SUCCESS in 7m 32s (non-voting)\n- openstack-tox-py311-arm64 https://zuul.opendev.org/t/openstack/build/0ede02e2e869490c8fd375998b0afa1a : SUCCESS in 7m 22s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"1b0ca5a07f978793fa1c3aff91ac10a7e8858a92","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 15:02:36.000000000","message":"Uploaded patch set 2.","accounts_in_message":[],"_revision_number":2},{"id":"8891208d6cac145cdc3a9a60e2fec890169b91a9","tag":"autogenerated:zuul:check-arm64","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 15:28:32.000000000","message":"Patch Set 2:\n\nBuild succeeded (ARM64 pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/23fb8923ee1e4cf9966327303bc5a9a4\n\n- openstack-tox-py38-arm64 https://zuul.opendev.org/t/openstack/build/156f1205733c4152a25fd0d04032c708 : SUCCESS in 6m 16s (non-voting)\n- openstack-tox-py311-arm64 https://zuul.opendev.org/t/openstack/build/002888053b2e4866a6127b72a500d782 : SUCCESS in 7m 27s (non-voting)","accounts_in_message":[],"_revision_number":2},{"id":"80e2bf493519b548d23fb15deb7ade4c6e6b60ff","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 16:15:17.000000000","message":"Uploaded patch set 3: Patch Set 2 was rebased.","accounts_in_message":[],"_revision_number":3},{"id":"35b2dd3d0b68a7346ba4eef5febb703cef5993f1","tag":"autogenerated:gerrit:setTopic","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 17:25:49.000000000","message":"Topic set to ossa-2024-003","accounts_in_message":[],"_revision_number":3},{"id":"2abb907ad35948df53a0f1269e234575d957ebd9","tag":"autogenerated:zuul:check-arm64","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 17:44:07.000000000","message":"Patch Set 3:\n\nBuild succeeded (ARM64 pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/8ade1996fd604817ba22a8b8c81b9155\n\n- openstack-tox-py38-arm64 https://zuul.opendev.org/t/openstack/build/cc607b694cba441a81d501f03790cf29 : SUCCESS in 6m 29s (non-voting)\n- openstack-tox-py311-arm64 https://zuul.opendev.org/t/openstack/build/6d74cb5bba9348d4a7e0463c366ecfed : SUCCESS in 7m 00s (non-voting)","accounts_in_message":[],"_revision_number":3},{"id":"5c466c1c5acb48e86b609a0c8c1684d89adb399f","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 19:17:17.000000000","message":"Patch Set 3: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/af5ef040e202424b92c696f5d091f9dc\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/02dde8c3ff1548d5ad368111e3f6da06 : SUCCESS in 4m 29s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/6ac8601de3064caca04d46f43ecbbd89 : SUCCESS in 3m 03s\n- openstack-tox-py38 https://zuul.opendev.org/t/openstack/build/d0e5d7fb3cef4f9497db28ab5d80a7c5 : SUCCESS in 4m 04s\n- openstack-tox-py311 https://zuul.opendev.org/t/openstack/build/ab56bba2aa174a8481814b454f9e62c3 : SUCCESS in 3m 58s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/6f172a77012848be9c18ab855e398c5c : SUCCESS in 5m 40s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/5860f19dd56041f68248337e1cc1d105 : SUCCESS in 2m 52s\n- openstack-tox-functional https://zuul.opendev.org/t/openstack/build/c8a16031f6d542488904d58306dbd203 : SUCCESS in 3m 56s\n- ipa-tox-bandit https://zuul.opendev.org/t/openstack/build/4aeddc9c1630434c98e9425322088fc7 : SUCCESS in 3m 19s\n- ipa-tempest-bios-ipmi-direct-src https://zuul.opendev.org/t/openstack/build/eb79ce232daa4c95a757413d6810e55b : SUCCESS in 1h 12m 57s\n- ipa-tempest-uefi-redfish-vmedia-src https://zuul.opendev.org/t/openstack/build/c801abfc59a0411c8e90cfcebca37100 : SUCCESS in 1h 11m 10s\n- metalsmith-integration-ipa-src-uefi https://zuul.opendev.org/t/openstack/build/670219a9cd8148efa728941763937406 : SUCCESS in 1h 23m 56s\n- metalsmith-integration-ipa-src-legacy https://zuul.opendev.org/t/openstack/build/4f6cc2b6b9924af68fc4dcde5c28cd72 : SUCCESS in 1h 29m 52s (non-voting)\n- ironic-standalone-ipa-src https://zuul.opendev.org/t/openstack/build/d414d39199774c9ea4285b97a2178d8b : SUCCESS in 1h 27m 28s\n- ironic-python-agent-check-image-tinyipa https://zuul.opendev.org/t/openstack/build/050d569c5a2646f8ba5721207ab6fa3b : SUCCESS in 22m 17s (non-voting)\n- ironic-python-agent-check-image-dib-centos9 https://zuul.opendev.org/t/openstack/build/d3ffebf378674fc5903454788d911a26 : SUCCESS in 10m 49s (non-voting)\n- ipa-tempest-ironic-inspector-src https://zuul.opendev.org/t/openstack/build/48305db39f684310bbf0c36b25445256 : FAILURE in 2h 55m 10s (non-voting)\n- ipa-tox-codespell https://zuul.opendev.org/t/openstack/build/302289356ff34b479239fd267bc3b115 : FAILURE in 3m 13s (non-voting)","accounts_in_message":[],"_revision_number":3},{"id":"c77700e4782ec3473aa5683974081f714a25db63","author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"date":"2024-09-04 21:00:29.000000000","message":"Patch Set 3: Code-Review+2","accounts_in_message":[],"_revision_number":3},{"id":"7b8a5d902fefafa448e32b1e99c1776b5fa94449","author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"date":"2024-09-04 23:20:01.000000000","message":"Patch Set 3: Code-Review+2 Workflow+1","accounts_in_message":[],"_revision_number":3},{"id":"08d94ac099c4c0e20e3b2ccbc89d283bd5fc1a08","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 23:20:34.000000000","message":"Patch Set 3: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":3},{"id":"afb0852732d3b5de853f87d8e43c6ce8e2ea4fc5","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-05 01:30:42.000000000","message":"Patch Set 3: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/9d1bd6b0f7b6409e9bdff458e3f1f293\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/992a93867834444c8eadd2d31b2f217b : SUCCESS in 3m 10s\n- openstack-tox-py38 https://zuul.opendev.org/t/openstack/build/924ce6dee3b6414fb31582d77f076fe3 : SUCCESS in 3m 44s\n- openstack-tox-py311 https://zuul.opendev.org/t/openstack/build/6fb93e47f2b84be4bc389cdd6291af0c : SUCCESS in 3m 26s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/b51a0195604a414d98d6d159713e887a : SUCCESS in 5m 38s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/9b00a6d8ec9241359a471d97a87e6eef : SUCCESS in 2m 36s\n- openstack-tox-functional https://zuul.opendev.org/t/openstack/build/48827367ab1042208161384969b74b61 : SUCCESS in 3m 18s\n- ipa-tox-bandit https://zuul.opendev.org/t/openstack/build/f58562e783f9468bb1702dcf06712766 : SUCCESS in 3m 14s\n- ipa-tempest-bios-ipmi-direct-src https://zuul.opendev.org/t/openstack/build/5d9f45809fd549f4866006e83fe83eb5 : SUCCESS in 1h 17m 40s\n- ipa-tempest-uefi-redfish-vmedia-src https://zuul.opendev.org/t/openstack/build/95163409f3b8425b9882863c269794e3 : SUCCESS in 1h 22m 19s\n- metalsmith-integration-ipa-src-uefi https://zuul.opendev.org/t/openstack/build/859ced857c124a6387fd02ec1613ac33 : SUCCESS in 1h 25m 56s\n- ironic-standalone-ipa-src https://zuul.opendev.org/t/openstack/build/f093cd6750844a4c9315e85a9369191b : SUCCESS in 2h 02m 24s","accounts_in_message":[],"_revision_number":3},{"id":"20acef1bde2f5f1f5e6365b344da1521c067c88b","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-05 01:30:42.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":3},{"id":"728d68b1ca22b645162f76bedf060e540240f174","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-05 01:31:40.000000000","message":"Patch Set 3:\n\nBuild failed (promote pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\n\nhttps://zuul.opendev.org/t/openstack/buildset/4020c92ad65e4292aa1905d4fb6dc9e6\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/a2cd03d086dd4b37bbcc0abffb52808b : SUCCESS in 39s\n- promote-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/59701417b60343689148b694468a9a4f : FAILURE in 35s","accounts_in_message":[],"_revision_number":3}],"current_revision_number":3,"current_revision":"06fe5ff1782551e6f94640d47ea942ab81f18909","revisions":{"7f7b37a366132ccc5c25347751fcc972e340bba4":{"kind":"REWORK","_number":1,"created":"2024-09-04 14:10:29.000000000","uploader":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"ref":"refs/changes/76/927976/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/ironic-python-agent","ref":"refs/changes/76/927976/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/1"}}},"commit":{"parents":[{"commit":"e9c0578c7d30ae97ad01ea52029cb7368433c0dc","subject":"Call evaluate_hardware_support exactly once per hwm","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/e9c0578c7d30ae97ad01ea52029cb7368433c0dc"}]}],"author":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-03-11 16:29:58.000000000","tz":60},"committer":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-09-04 14:10:28.000000000","tz":-420},"subject":"Inspect non-raw images for safety","message":"Inspect non-raw images for safety\n\nThis is a backport of two changes merged together to facilitate\nbackporting:\n\nThe first is a refactor of disk utilities:\n\nImport disk_{utils,partitioner} from ironic-lib\n\nWith the iscsi deploy long gone, these modules are only used in IPA and\nin fact represent a large part of its critical logic. Having them\nseparately sometimes makes fixing issues tricky if an interface of\na function needs changing.\n\nThis change imports the code mostly as it is, just removing run_as_root and\na deprecated function, as well as moving configuration options to config.py.\n\nAlso migrates one relevant function from ironic_lib.utils.\n\nThe second is the fix for the security issue:\n\nInspect non-raw images for safety\n\nWhen IPA gets a non-raw image, it performs an on-the-fly conversion\nusing qemu-img convert, as well as running qemu-img frequently to get\nbasic information about the image before validating it.\n\nNow, we ensure that before any qemu-img calls are made, that we have\ninspected the image for safety and pass through the detected format.\n\nIf given a disk_format\u003draw image and image streaming is enabled\n(default), we retain the existing behavior of not inspecting it in\nany way and streaming it bit-perfect to the device. In this case, we\nnever use qemu-based tools on the image at all.\n\nIf given a disk_format\u003draw image and image streaming is disabled, this\nchange fixes a bug where the image may have been converted if it was not\nactually raw in the first place. We now stream these bit-perfect to the\ndevice.\n\nAdds two config options:\n- [DEFAULT]/disable_deep_image_inspection, which can be set to \"True\" in\n  order to disable all security features. Do not do this.\n- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types\n  IPA should accept.\n\nBoth of these configuration options are wired up to be set by the lookup\ndata returned by Ironic at lookup time.\n\nThis uses a image format inspection module imported from Nova; this\ninspector will eventually live in oslo.utils, at which point we\u0027ll\nmigrate our usage of the inspector to it.\n\nCloses-Bug: #2071740\nCo-Authored-By: Dmitry Tantsur \u003cdtantsur@protonmail.com\u003e\nChange-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/7f7b37a366132ccc5c25347751fcc972e340bba4"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/7f7b37a366132ccc5c25347751fcc972e340bba4"}]},"branch":"refs/heads/stable/2024.1"},"8f530836e3e6e088de9e1e9598c2908875927765":{"kind":"REWORK","_number":2,"created":"2024-09-04 15:02:36.000000000","uploader":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"ref":"refs/changes/76/927976/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/ironic-python-agent","ref":"refs/changes/76/927976/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/2"}}},"commit":{"parents":[{"commit":"e9c0578c7d30ae97ad01ea52029cb7368433c0dc","subject":"Call evaluate_hardware_support exactly once per hwm","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/e9c0578c7d30ae97ad01ea52029cb7368433c0dc"}]}],"author":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-03-11 16:29:58.000000000","tz":60},"committer":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-09-04 15:02:30.000000000","tz":-420},"subject":"Inspect non-raw images for safety","message":"Inspect non-raw images for safety\n\nThis is a backport of two changes merged together to facilitate\nbackporting:\n\nThe first is a refactor of disk utilities:\n\nImport disk_{utils,partitioner} from ironic-lib\n\nWith the iscsi deploy long gone, these modules are only used in IPA and\nin fact represent a large part of its critical logic. Having them\nseparately sometimes makes fixing issues tricky if an interface of\na function needs changing.\n\nThis change imports the code mostly as it is, just removing run_as_root and\na deprecated function, as well as moving configuration options to config.py.\n\nAlso migrates one relevant function from ironic_lib.utils.\n\nThe second is the fix for the security issue:\n\nInspect non-raw images for safety\n\nWhen IPA gets a non-raw image, it performs an on-the-fly conversion\nusing qemu-img convert, as well as running qemu-img frequently to get\nbasic information about the image before validating it.\n\nNow, we ensure that before any qemu-img calls are made, that we have\ninspected the image for safety and pass through the detected format.\n\nIf given a disk_format\u003draw image and image streaming is enabled\n(default), we retain the existing behavior of not inspecting it in\nany way and streaming it bit-perfect to the device. In this case, we\nnever use qemu-based tools on the image at all.\n\nIf given a disk_format\u003draw image and image streaming is disabled, this\nchange fixes a bug where the image may have been converted if it was not\nactually raw in the first place. We now stream these bit-perfect to the\ndevice.\n\nAdds two config options:\n- [DEFAULT]/disable_deep_image_inspection, which can be set to \"True\" in\n  order to disable all security features. Do not do this.\n- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types\n  IPA should accept.\n\nBoth of these configuration options are wired up to be set by the lookup\ndata returned by Ironic at lookup time.\n\nThis uses a image format inspection module imported from Nova; this\ninspector will eventually live in oslo.utils, at which point we\u0027ll\nmigrate our usage of the inspector to it.\n\nCloses-Bug: #2071740\nCo-Authored-By: Dmitry Tantsur \u003cdtantsur@protonmail.com\u003e\nChange-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/8f530836e3e6e088de9e1e9598c2908875927765"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/8f530836e3e6e088de9e1e9598c2908875927765"}]},"branch":"refs/heads/stable/2024.1"},"06fe5ff1782551e6f94640d47ea942ab81f18909":{"kind":"TRIVIAL_REBASE","_number":3,"created":"2024-09-04 16:15:17.000000000","uploader":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"ref":"refs/changes/76/927976/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/ironic-python-agent","ref":"refs/changes/76/927976/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/ironic-python-agent refs/changes/76/927976/3"}}},"commit":{"parents":[{"commit":"46744b1a747d4e524bee2e9bb7e766e1ac09b7aa","subject":"Remove and disable examples job","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/46744b1a747d4e524bee2e9bb7e766e1ac09b7aa"}]}],"author":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-03-11 16:29:58.000000000","tz":60},"committer":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-09-04 16:14:51.000000000","tz":-420},"subject":"Inspect non-raw images for safety","message":"Inspect non-raw images for safety\n\nThis is a backport of two changes merged together to facilitate\nbackporting:\n\nThe first is a refactor of disk utilities:\n\nImport disk_{utils,partitioner} from ironic-lib\n\nWith the iscsi deploy long gone, these modules are only used in IPA and\nin fact represent a large part of its critical logic. Having them\nseparately sometimes makes fixing issues tricky if an interface of\na function needs changing.\n\nThis change imports the code mostly as it is, just removing run_as_root and\na deprecated function, as well as moving configuration options to config.py.\n\nAlso migrates one relevant function from ironic_lib.utils.\n\nThe second is the fix for the security issue:\n\nInspect non-raw images for safety\n\nWhen IPA gets a non-raw image, it performs an on-the-fly conversion\nusing qemu-img convert, as well as running qemu-img frequently to get\nbasic information about the image before validating it.\n\nNow, we ensure that before any qemu-img calls are made, that we have\ninspected the image for safety and pass through the detected format.\n\nIf given a disk_format\u003draw image and image streaming is enabled\n(default), we retain the existing behavior of not inspecting it in\nany way and streaming it bit-perfect to the device. In this case, we\nnever use qemu-based tools on the image at all.\n\nIf given a disk_format\u003draw image and image streaming is disabled, this\nchange fixes a bug where the image may have been converted if it was not\nactually raw in the first place. We now stream these bit-perfect to the\ndevice.\n\nAdds two config options:\n- [DEFAULT]/disable_deep_image_inspection, which can be set to \"True\" in\n  order to disable all security features. Do not do this.\n- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types\n  IPA should accept.\n\nBoth of these configuration options are wired up to be set by the lookup\ndata returned by Ironic at lookup time.\n\nThis uses a image format inspection module imported from Nova; this\ninspector will eventually live in oslo.utils, at which point we\u0027ll\nmigrate our usage of the inspector to it.\n\nCloses-Bug: #2071740\nCo-Authored-By: Dmitry Tantsur \u003cdtantsur@protonmail.com\u003e\nChange-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/06fe5ff1782551e6f94640d47ea942ab81f18909"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/06fe5ff1782551e6f94640d47ea942ab81f18909"}]},"branch":"refs/heads/stable/2024.1"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"}},{"label":"Backport-Candidate","status":"MAY"}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{}}},{"name":"Backport-Candidate","description":"Backport candidate status","status":"NOT_APPLICABLE","is_legacy":false,"applicability_expression_result":{"fulfilled":false,"status":"FAIL"},"submittability_expression_result":{"expression":"is:true","fulfilled":true,"status":"NOT_EVALUATED","passing_atoms":[],"failing_atoms":[],"atom_explanations":{}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{}}}]}