)]}'
{"id":"openstack%2Fironic-python-agent~927981","triplet_id":"openstack%2Fironic-python-agent~bugfix%2F9.13~I5254b80717cb5a7f9084e3eff32a00b968f987b7","project":"openstack/ironic-python-agent","branch":"bugfix/9.13","topic":"ossa-2024-003","attention_set":{},"removed_from_attention_set":{"10342":{"account":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"last_update":"2024-09-05 01:30:45.000000000","reason":"Change was submitted"}},"hashtags":[],"change_id":"I5254b80717cb5a7f9084e3eff32a00b968f987b7","subject":"Inspect non-raw images for safety","status":"MERGED","created":"2024-09-04 14:11:10.000000000","updated":"2024-09-05 01:31:45.000000000","submitted":"2024-09-05 01:30:45.000000000","submitter":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"total_comment_count":0,"unresolved_comment_count":0,"has_review_started":true,"submission_id":"927981-ossa-2024-003","meta_rev_id":"1ee50bf2d08c851f8a2a676ed72b3968e5a25165","_number":927981,"virtual_id_number":927981,"owner":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"all":[{"tag":"autogenerated:zuul:gate","value":2,"date":"2024-09-05 01:30:44.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":0,"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":2,"date":"2024-09-04 23:25:54.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":2,"date":"2024-09-04 21:02:33.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":1,"date":"2024-09-04 23:25:54.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":0,"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true},"Backport-Candidate":{"all":[{"value":0,"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},{"value":0,"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"value":0,"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"}],"values":{"-1":"Do Not Backport"," 0":"Backport Review Needed","+1":"Should Backport"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2024-09-04 14:56:23.000000000","updated_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"reviewer":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2024-09-04 21:02:33.000000000","updated_by":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"reviewer":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"state":"REVIEWER"},{"updated":"2024-09-04 23:25:54.000000000","updated_by":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"reviewer":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"state":"REVIEWER"}],"messages":[{"id":"0e01a3bde869ab03a20fb2fd0439c930005ffb53","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 14:11:10.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"c8895198fcb2d9273cc4e4101c9eb6b30a093d8e","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 14:27:15.000000000","message":"Uploaded patch set 2.","accounts_in_message":[],"_revision_number":2},{"id":"e4c693f68c6a05cba6d958a3fcf87c82e24a89a0","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 14:56:23.000000000","message":"Patch Set 2: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/1b8ba1756a1643a28bf6ff00bd986de4\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/28694cf5f1304c47af455246ef919631 : SUCCESS in 5m 40s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/9a1a73a2c8d245f0a7ba023943c11437 : SUCCESS in 4m 35s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/8e5b18e1bc114bcea544376ca06037e6 : SUCCESS in 7m 44s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/175ed4bfed9f4aa7bfdfacf58d49d859 : SUCCESS in 2m 36s\n- openstack-tox-functional https://zuul.opendev.org/t/openstack/build/f45dbc0c2b074c9c84e80c473d3773ca : SUCCESS in 3m 30s\n- ipa-tox-bandit https://zuul.opendev.org/t/openstack/build/a1dc7506976e43108d60ef1c669749dc : SUCCESS in 5m 38s\n- ipa-tox-examples https://zuul.opendev.org/t/openstack/build/17efa074f0254c6797706bda5dffd4c3 : FAILURE in 3m 20s\n- ipa-tox-codespell https://zuul.opendev.org/t/openstack/build/9efa7ba29fb34771ad9644ef4981cb36 : SUCCESS in 3m 11s","accounts_in_message":[],"_revision_number":2},{"id":"1094c0d48fbe8947375daadf84b887e97d4ff5ca","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 15:09:39.000000000","message":"Uploaded patch set 3.\n\nOutdated Votes:\n* Verified-1\n","accounts_in_message":[],"_revision_number":3},{"id":"ee11c1a2aebee92606cf7449fc740caba3ec02a2","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 15:20:16.000000000","message":"Patch Set 3: Verified-1\n\nBuild failed (check pipeline).  For information on how to proceed, see\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#automated-testing\nand https://docs.openstack.org/project-team-guide/testing.html#how-to-handle-test-failures\n\nhttps://zuul.opendev.org/t/openstack/buildset/a7ae749e4df449b58839ae60e672ed22\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/5a28e94bab2c4ec3be6c0fff88c9ac4e : SUCCESS in 4m 25s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/4ca931cb0a0c449a958cc500a4206a30 : SUCCESS in 3m 25s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/8d517fb32f904ad181a257a92eee0b96 : SUCCESS in 5m 31s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/3bf9bcba818941cfba8057660c6b31b1 : SUCCESS in 2m 53s\n- openstack-tox-functional https://zuul.opendev.org/t/openstack/build/58c2f397a0824360b9a5e650609276b8 : SUCCESS in 3m 27s\n- ipa-tox-bandit https://zuul.opendev.org/t/openstack/build/ca8fd2f8656d4b87bf80f4dcc1c92171 : SUCCESS in 3m 20s\n- ipa-tox-examples https://zuul.opendev.org/t/openstack/build/fa34e30154f04b0b95e2b45b5fe442a8 : FAILURE in 3m 40s\n- ipa-tox-codespell https://zuul.opendev.org/t/openstack/build/65ff2bb085e648719e5187ff39be72a2 : SUCCESS in 4m 26s","accounts_in_message":[],"_revision_number":3},{"id":"96bb23f672c95558fa15e504de455e689e11d2f9","tag":"autogenerated:gerrit:newPatchSet","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 16:20:50.000000000","message":"Uploaded patch set 4: Patch Set 3 was rebased.\n\nOutdated Votes:\n* Verified-1\n","accounts_in_message":[],"_revision_number":4},{"id":"564db1fd67cffe6bba0d67c0b784e83b5a949434","tag":"autogenerated:zuul:check","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 16:35:03.000000000","message":"Patch Set 4: Verified+1\n\nBuild succeeded (check pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/60383b5d7fe74a7692e5b0eef199bffb\n\n- openstack-tox-cover https://zuul.opendev.org/t/openstack/build/89af0241f25e47e9b20cebc5f454362d : SUCCESS in 5m 33s\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/1078e3ebdd3945e7b3c74f8b48d81b36 : SUCCESS in 3m 14s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/81d058be898142a0b10dca2a832bda53 : SUCCESS in 6m 06s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/2dbef80db65246eda386a9795eee5a7f : SUCCESS in 2m 43s\n- openstack-tox-functional https://zuul.opendev.org/t/openstack/build/96ec9d4c70b14e43b79976788cc06d1b : SUCCESS in 3m 42s\n- ipa-tox-bandit https://zuul.opendev.org/t/openstack/build/311e42a28da84a3eb0a6a7cbd28b83b2 : SUCCESS in 3m 26s\n- ipa-tox-codespell https://zuul.opendev.org/t/openstack/build/2d9763ca03654863a018341e2e6ed344 : SUCCESS in 3m 42s","accounts_in_message":[],"_revision_number":4},{"id":"5c37dde05addd47a8f06874a7de9aab109ce9fe6","tag":"autogenerated:gerrit:setTopic","author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"date":"2024-09-04 17:26:00.000000000","message":"Topic set to ossa-2024-003","accounts_in_message":[],"_revision_number":4},{"id":"e3591663275aab93cb7851a76d7ec530e9da7af7","author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"date":"2024-09-04 21:02:33.000000000","message":"Patch Set 4: Code-Review+2","accounts_in_message":[],"_revision_number":4},{"id":"eb97a870dbe50d6470a795fdabb860b840dd9157","author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"date":"2024-09-04 23:25:54.000000000","message":"Patch Set 4: Code-Review+2 Workflow+1","accounts_in_message":[],"_revision_number":4},{"id":"39fc255bbb52c84c6dce0bae3b92aef398c498b5","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-04 23:26:18.000000000","message":"Patch Set 4: -Verified\n\nStarting gate jobs.","accounts_in_message":[],"_revision_number":4},{"id":"c8ad6292795b50e136ff97679ce724b97299a446","tag":"autogenerated:zuul:gate","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-05 01:30:44.000000000","message":"Patch Set 4: Verified+2\n\nBuild succeeded (gate pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/4c38582eb4ac44b4a2371aa190aa1312\n\n- openstack-tox-pep8 https://zuul.opendev.org/t/openstack/build/ea2a13a9afbd4b39bd9a6c0b68eabdf7 : SUCCESS in 2m 59s\n- openstack-tox-docs https://zuul.opendev.org/t/openstack/build/5bcd7589fc5f403bbe0223fed71779e0 : SUCCESS in 5m 06s\n- build-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/587961ee119d4c8a9d729b8ac9f4aa84 : SUCCESS in 2m 22s\n- openstack-tox-functional https://zuul.opendev.org/t/openstack/build/f4a3461c20c74955b7f56623649872ae : SUCCESS in 3m 35s\n- ipa-tox-bandit https://zuul.opendev.org/t/openstack/build/37ec200314d24694953b75c4f0677b58 : SUCCESS in 2m 53s\n- ipa-tox-codespell https://zuul.opendev.org/t/openstack/build/645c211dd6dd46bca28e0ce432f04d67 : SUCCESS in 2m 41s","accounts_in_message":[],"_revision_number":4},{"id":"5a6cb4af6c1f7a80479fe68ba4d0d13f3a4b7c72","tag":"autogenerated:gerrit:merged","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-05 01:30:45.000000000","message":"Change has been successfully merged","accounts_in_message":[],"_revision_number":4},{"id":"1ee50bf2d08c851f8a2a676ed72b3968e5a25165","tag":"autogenerated:zuul:promote","author":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]},"date":"2024-09-05 01:31:45.000000000","message":"Patch Set 4:\n\nBuild succeeded (promote pipeline).\nhttps://zuul.opendev.org/t/openstack/buildset/fbae40cbc4fe4dad9f761b47a80e608e\n\n- promote-openstack-tox-docs https://zuul.opendev.org/t/openstack/build/659c9df8bd9649eca9f8f91d1dc6bc4f : SUCCESS in 40s\n- promote-openstack-releasenotes https://zuul.opendev.org/t/openstack/build/a3c34365929842a28797e528be580eba : SUCCESS in 33s","accounts_in_message":[],"_revision_number":4}],"current_revision_number":4,"current_revision":"9be29ad1dd1ce7ddeec1c6c4498b99d17fd42625","revisions":{"274bb5b43e59ab24f1289dfc7209bab12beeb8f3":{"kind":"REWORK","_number":1,"created":"2024-09-04 14:11:10.000000000","uploader":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"ref":"refs/changes/81/927981/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/ironic-python-agent","ref":"refs/changes/81/927981/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/1"}}},"commit":{"parents":[{"commit":"d5b5d4c62e55aae964a1147e580e4ddc6defd8c7","subject":"Update .gitreview for bugfix/9.13","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/d5b5d4c62e55aae964a1147e580e4ddc6defd8c7"}]}],"author":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-07-30 18:18:14.000000000","tz":-420},"committer":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-09-04 14:11:09.000000000","tz":-420},"subject":"Inspect non-raw images for safety","message":"Inspect non-raw images for safety\n\nWhen IPA gets a non-raw image, it performs an on-the-fly conversion\nusing qemu-img convert, as well as running qemu-img frequently to get\nbasic information about the image before validating it.\n\nNow, we ensure that before any qemu-img calls are made, that we have\ninspected the image for safety and pass through the detected format.\n\nIf given a disk_format\u003draw image and image streaming is enabled\n(default), we retain the existing behavior of not inspecting it in\nany way and streaming it bit-perfect to the device. In this case, we\nnever use qemu-based tools on the image at all.\n\nIf given a disk_format\u003draw image and image streaming is disabled, this\nchange fixes a bug where the image may have been converted if it was not\nactually raw in the first place. We now stream these bit-perfect to the\ndevice.\n\nAdds two config options:\n- [DEFAULT]/disable_deep_image_inspection, which can be set to \"True\" in\n  order to disable all security features. Do not do this.\n- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types\n  IPA should accept.\n\nBoth of these configuration options are wired up to be set by the lookup\ndata returned by Ironic at lookup time.\n\nThis uses a image format inspection module imported from Nova; this\ninspector will eventually live in oslo.utils, at which point we\u0027ll\nmigrate our usage of the inspector to it.\n\nCloses-Bug: #2071740\nChange-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/274bb5b43e59ab24f1289dfc7209bab12beeb8f3"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/274bb5b43e59ab24f1289dfc7209bab12beeb8f3"}]},"branch":"refs/heads/bugfix/9.13"},"622d0a7193b2db7319a08701332111cff2adc8ff":{"kind":"REWORK","_number":2,"created":"2024-09-04 14:27:15.000000000","uploader":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"ref":"refs/changes/81/927981/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/ironic-python-agent","ref":"refs/changes/81/927981/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/2"}}},"commit":{"parents":[{"commit":"d5b5d4c62e55aae964a1147e580e4ddc6defd8c7","subject":"Update .gitreview for bugfix/9.13","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/d5b5d4c62e55aae964a1147e580e4ddc6defd8c7"}]}],"author":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-07-30 18:18:14.000000000","tz":-420},"committer":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-09-04 14:27:09.000000000","tz":-420},"subject":"Inspect non-raw images for safety","message":"Inspect non-raw images for safety\n\nWhen IPA gets a non-raw image, it performs an on-the-fly conversion\nusing qemu-img convert, as well as running qemu-img frequently to get\nbasic information about the image before validating it.\n\nNow, we ensure that before any qemu-img calls are made, that we have\ninspected the image for safety and pass through the detected format.\n\nIf given a disk_format\u003draw image and image streaming is enabled\n(default), we retain the existing behavior of not inspecting it in\nany way and streaming it bit-perfect to the device. In this case, we\nnever use qemu-based tools on the image at all.\n\nIf given a disk_format\u003draw image and image streaming is disabled, this\nchange fixes a bug where the image may have been converted if it was not\nactually raw in the first place. We now stream these bit-perfect to the\ndevice.\n\nAdds two config options:\n- [DEFAULT]/disable_deep_image_inspection, which can be set to \"True\" in\n  order to disable all security features. Do not do this.\n- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types\n  IPA should accept.\n\nBoth of these configuration options are wired up to be set by the lookup\ndata returned by Ironic at lookup time.\n\nThis uses a image format inspection module imported from Nova; this\ninspector will eventually live in oslo.utils, at which point we\u0027ll\nmigrate our usage of the inspector to it.\n\nCloses-Bug: #2071740\nChange-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/622d0a7193b2db7319a08701332111cff2adc8ff"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/622d0a7193b2db7319a08701332111cff2adc8ff"}]},"branch":"refs/heads/bugfix/9.13"},"4cd16b604637ccbcd53a3985ce826e99ef66bf9e":{"kind":"REWORK","_number":3,"created":"2024-09-04 15:09:39.000000000","uploader":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"ref":"refs/changes/81/927981/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/ironic-python-agent","ref":"refs/changes/81/927981/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/3"}}},"commit":{"parents":[{"commit":"d5b5d4c62e55aae964a1147e580e4ddc6defd8c7","subject":"Update .gitreview for bugfix/9.13","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/d5b5d4c62e55aae964a1147e580e4ddc6defd8c7"}]}],"author":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-07-30 18:18:14.000000000","tz":-420},"committer":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-09-04 15:08:24.000000000","tz":-420},"subject":"Inspect non-raw images for safety","message":"Inspect non-raw images for safety\n\nWhen IPA gets a non-raw image, it performs an on-the-fly conversion\nusing qemu-img convert, as well as running qemu-img frequently to get\nbasic information about the image before validating it.\n\nNow, we ensure that before any qemu-img calls are made, that we have\ninspected the image for safety and pass through the detected format.\n\nIf given a disk_format\u003draw image and image streaming is enabled\n(default), we retain the existing behavior of not inspecting it in\nany way and streaming it bit-perfect to the device. In this case, we\nnever use qemu-based tools on the image at all.\n\nIf given a disk_format\u003draw image and image streaming is disabled, this\nchange fixes a bug where the image may have been converted if it was not\nactually raw in the first place. We now stream these bit-perfect to the\ndevice.\n\nAdds two config options:\n- [DEFAULT]/disable_deep_image_inspection, which can be set to \"True\" in\n  order to disable all security features. Do not do this.\n- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types\n  IPA should accept.\n\nBoth of these configuration options are wired up to be set by the lookup\ndata returned by Ironic at lookup time.\n\nThis uses a image format inspection module imported from Nova; this\ninspector will eventually live in oslo.utils, at which point we\u0027ll\nmigrate our usage of the inspector to it.\n\nCloses-Bug: #2071740\nChange-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/4cd16b604637ccbcd53a3985ce826e99ef66bf9e"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/4cd16b604637ccbcd53a3985ce826e99ef66bf9e"}]},"branch":"refs/heads/bugfix/9.13"},"9be29ad1dd1ce7ddeec1c6c4498b99d17fd42625":{"kind":"TRIVIAL_REBASE","_number":4,"created":"2024-09-04 16:20:50.000000000","uploader":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"ref":"refs/changes/81/927981/4","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/ironic-python-agent","ref":"refs/changes/81/927981/4","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/ironic-python-agent refs/changes/81/927981/4"}}},"commit":{"parents":[{"commit":"2d232c2914d677bda721e9fed519584eeda13151","subject":"Remove and disable examples job","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/2d232c2914d677bda721e9fed519584eeda13151"}]}],"author":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-07-30 18:18:14.000000000","tz":-420},"committer":{"name":"Jay Faulkner","email":"jay@jvf.cc","date":"2024-09-04 16:20:40.000000000","tz":-420},"subject":"Inspect non-raw images for safety","message":"Inspect non-raw images for safety\n\nWhen IPA gets a non-raw image, it performs an on-the-fly conversion\nusing qemu-img convert, as well as running qemu-img frequently to get\nbasic information about the image before validating it.\n\nNow, we ensure that before any qemu-img calls are made, that we have\ninspected the image for safety and pass through the detected format.\n\nIf given a disk_format\u003draw image and image streaming is enabled\n(default), we retain the existing behavior of not inspecting it in\nany way and streaming it bit-perfect to the device. In this case, we\nnever use qemu-based tools on the image at all.\n\nIf given a disk_format\u003draw image and image streaming is disabled, this\nchange fixes a bug where the image may have been converted if it was not\nactually raw in the first place. We now stream these bit-perfect to the\ndevice.\n\nAdds two config options:\n- [DEFAULT]/disable_deep_image_inspection, which can be set to \"True\" in\n  order to disable all security features. Do not do this.\n- [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types\n  IPA should accept.\n\nBoth of these configuration options are wired up to be set by the lookup\ndata returned by Ironic at lookup time.\n\nThis uses a image format inspection module imported from Nova; this\ninspector will eventually live in oslo.utils, at which point we\u0027ll\nmigrate our usage of the inspector to it.\n\nCloses-Bug: #2071740\nChange-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/9be29ad1dd1ce7ddeec1c6c4498b99d17fd42625"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/ironic-python-agent/commit/9be29ad1dd1ce7ddeec1c6c4498b99d17fd42625"}]},"branch":"refs/heads/bugfix/9.13"}},"requirements":[],"submit_records":[{"rule_name":"gerrit~DefaultSubmitRule","status":"CLOSED","labels":[{"label":"Verified","status":"MAY","applied_by":{"_account_id":22348,"name":"Zuul","username":"zuul","tags":["SERVICE_USER"]}},{"label":"Code-Review","status":"MAY","applied_by":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"}},{"label":"Workflow","status":"MAY","applied_by":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"}},{"label":"Backport-Candidate","status":"MAY"}]}],"submit_requirements":[{"name":"Verified","description":"Verified in gate by CI","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Verified\u003dMAX AND -label:Verified\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Verified\u003dMAX"],"failing_atoms":["label:Verified\u003dMIN"],"atom_explanations":{}}},{"name":"Backport-Candidate","description":"Backport candidate status","status":"NOT_APPLICABLE","is_legacy":false,"applicability_expression_result":{"fulfilled":false,"status":"FAIL"},"submittability_expression_result":{"expression":"is:true","fulfilled":true,"status":"NOT_EVALUATED","passing_atoms":[],"failing_atoms":[],"atom_explanations":{}}},{"name":"Code-Review","description":"Code reviewed by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Code-Review\u003dMAX AND -label:Code-Review\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Code-Review\u003dMAX"],"failing_atoms":["label:Code-Review\u003dMIN"],"atom_explanations":{}}},{"name":"Workflow","description":"Approved for gate by core reviewer","status":"SATISFIED","is_legacy":false,"submittability_expression_result":{"expression":"label:Workflow\u003dMAX AND -label:Workflow\u003dMIN","fulfilled":true,"status":"PASS","passing_atoms":["label:Workflow\u003dMAX"],"failing_atoms":["label:Workflow\u003dMIN"],"atom_explanations":{}}}]}